@RISK: The Consensus Security Vulnerability Alert Vol. 6 No. 15
From: The SANS Institute (ConsensusSecurityVulnerabilityAlert at sans.org)
Date: Mon Apr 09 2007 - 18:04:01 CDT
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
Big-time risks this week from Microsoft, AOL, Yahoo, and even security
vendor Kaspersky Labs; Symantec, Hewlett-Packard and MIT Kerberos also had
serious problems uncovered.
*********************************************************************
@RISK: The Consensus Security Vulnerability Alert
April 9, 2007 Vol. 6. Week 15
*********************************************************************
@RISK is the SANS community's consensus bulletin summarizing the most
important vulnerabilities and exploits identified during the past week
and providing guidance on appropriate actions to protect your systems
(PART I). It also includes a comprehensive list of all new
vulnerabilities discovered in the past week (PART II).
Summary of Updates and Vulnerabilities in this Consensus
Platform                                   Number of Updates and Vulnerabilities
------------------------------------------ -------------------------------------
Windows                                    16 (#1)
Third Party Windows Apps                    8 (#2, #3, #4, #7, #10)
Linux                                       6
Solaris                                     1
Unix                                        1
Cross Platform                             28 (#5, #6, #9, #11)
Web Application - Cross Site Scripting      5
Web Application - SQL Injection            21 (#8)
Web Application                            20
*************************** Sponsored By SANS **************************
Join other security professionals at the SANS Encryption Summit April
23-25 and benefit from an in-depth program aimed at getting you the
information you need to protect your sensitive data.
http://www.sans.org/info/5471
*************************************************************************
SANSFIRE 07 in Washington DC Features the Internet Storm Center Experts
No one knows the newest attacks better than the Internet Storm Center
Incident Handlers, and they are sharing the newest attacks and defenses
in evening sessions during SANSFIRE in Washington DC, July 25-August 7,
2007. Anyone who attends a course can also attend Internet Storm Center
Threat Updates. For a list of courses http://www.sans.org/sansfire07/
If you cannot come to Washington or can't wait that long, SANS award
winning security training is available in more than 70 cities in nine
countries just in the next four months. Better still, you can schedule
SANS training on-site or even take it live online or on demand.
*Complete schedule: http://www.sans.org/training/bylocation/index_all.php
*SANS courses on site at your facility: http://www.sans.org/onsite/
*************************************************************************
Table of Contents
Part I - Critical Vulnerabilities from TippingPoint (www.tippingpoint.com)
Widely Deployed Software
(1) CRITICAL: Microsoft Windows Multiple GDI Vulnerabilities (MS07-017)
(2) CRITICAL: Yahoo! Messenger Audio Conferencing ActiveX Control Buffer Overflow
(3) CRITICAL: Kaspersky Multiple Products Multiple Vulnerabilities
(4) CRITICAL: AOL Nullsoft Winamp Multiple Vulnerabilities
(5) HIGH: Symantec Enterprise Security Manager Authentication Bypass
(6) HIGH: MIT Kerberos Multiple Vulnerabilities
(7) HIGH: HP Mercury Quality Center "SPIDERLib" ActiveX Control Buffer Overflow
(8) MODERATE: WordPress "Post_ID" SQL Injection
(9) MODERATE: SAP RFC Library Multiple Vulnerabilities
Other Software
(10) CRITICAL: SolidWorks "sldimdownload" ActiveX Control Remote Code Execution
(11) HIGH: Firebug Mozilla Firefox Extension Remote Code Execution
Exploit
(12) AOL SuperBuddy Exploit
************************ Sponsored Links: ******************************
1) Take the 2007 Log Management Survey and be eligible to win a Nintendo
Wii system. Click here to take the survey. http://www.sans.org/info/5476
2) CALLING ALL SANS ALUMNI!!! Please visit http://www.sans.org/info/5481
to get a 15% discount off any SANS OnDemand course, offer ends April
18th. If you have any questions please email ondemand at sans.org.
*************************************************************************
Part II - Comprehensive List of Newly Discovered Vulnerabilities from
Qualys (www.qualys.com)
-- Windows
07.15.1 - Wserve HTTP Server GET Request Buffer Overflow
07.15.2 - Microsoft Windows Unspecified Remote Code Execution
07.15.3 - Microsoft Windows Explorer BMP Image Denial of Service
07.15.4 - Microsoft Windows Vista Neighbor Discovery Spoofing
07.15.5 - Microsoft Windows Vista Teredo UDP Nonce Spoofing Weakness
07.15.6 - Microsoft Windows Vista Teredo Protocol Insecure Connection Weakness
07.15.7 - Microsoft Windows Graphics Rendering Engine EMF File Privilege Escalation
07.15.8 - Microsoft Vista Spoof On Bridge HELLO Packet Security Restriction Bypass
07.15.9 - Microsoft Windows GDI Invalid Window Size Local Privilege Escalation
07.15.10 - Microsoft Windows Vista LLTD Mapper EMIT Packet Remote Denial of Service
07.15.11 - Microsoft Windows Graphics Device Interface Font Rasterizer Local Privilege Escalation
07.15.12 - Microsoft Vista Spoofed LLTD HELLO Packet Security Restriction Bypass
07.15.13 - Microsoft Windows Vista ARP table Entries Denial of Service
07.15.14 - Microsoft Windows Graphics Rendering Engine GDI Local Privilege Escalation
07.15.15 - Microsoft Windows GDI WMF Remote Denial of Service
07.15.16 - Microsoft Windows Vista LLTD Responder Discovery Packet Spoofing
-- Third Party Windows Apps
07.15.17 - Kaspersky AntiVirus SysInfo ActiveX Control Arbitrary File Exfiltration
07.15.18 - Kaspersky Internet Security Suite Klif.SYS Driver Local Heap Overflow
07.15.19 - ACDSee 9.0 Photo Manager Multiple BMP Denial of Service Vulnerabilities
07.15.20 - IrfanView Multiple BMP Denial of Service Vulnerabilities
07.15.21 - FastStone Image Viewer Multiple BMP Denial of Service Vulnerabilities
07.15.22 - SolidWorks SLDimdownload ActiveX Control Arbitrary Code Execution
07.15.23 - Ipswitch WS_FTP Long Site Command Buffer Overflow
07.15.24 - AOL SB.SuperBuddy.1 ActiveX Control Remote Code Execution
-- Linux
07.15.25 - Linux Kernel CapiUtil.c Buffer Overflow
07.15.26 - MIT Kerberos 5 Telnet Daemon Authentication Bypass
07.15.27 - MIT Kerberos Administration Daemon Kadmind Double Free Memory Corruption Vulnerabilities
07.15.28 - Kerberos 5 kadmind Server Stack Based Buffer Overflow
07.15.29 - X.Org libXfont Multiple Integer Overflow Vulnerabilities
07.15.30 - DProxy DNS_Decode_Reverse_Name Buffer Overflow
-- Solaris
07.15.31 - Sun Solaris TCP/IP Kernel Memory Corruption Denial of Service
-- Unix
07.15.32 - X.Org X11 XC-MISC Extension Integer Overflow
-- Cross Platform
07.15.33 - Symantec Enterprise Security Manager Remote Upgrade Remote Code Execution
07.15.34 - VMware Unspecified Double Free Memory Corruption
07.15.35 - VMware Unspecified Buffer Overflow
07.15.36 - FireBug Cross Zone Scripting
07.15.37 - SAP RFC Library Trusted_System_Security Function Information Disclosure
07.15.38 - SAP RFC Library System_Create_Instance Function Buffer Overflow
07.15.39 - SAP RFC_Set_Reg_Server_Property RFC Function Denial of Service
07.15.40 - IBM Tivoli Business Service Manager NCISETUP.DB and MSI.LOG Password Disclosure
07.15.41 - Metamod-P Safevoid_Vsnprintf() Remote Denial of Service
07.15.42 - ImageMagick XInitImage Multiple Integer Overflow Vulnerabilities
07.15.43 - TinyMUX Fun_Ladd() Buffer Overflow
07.15.44 - Yahoo! Messenger Audio Conferencing ActiveX Control Remote Buffer Overflow
07.15.45 - IrfanView Cursor And Icon ANI Format Handling Remote Buffer Overflow
07.15.46 - IBM Tivoli Provisioning Manager OS Deployment Multiple Unspecified Input Validation Vulnerabilities
07.15.47 - Trolltech QT UTF-8 Sequences Input Validation
07.15.48 - ImageMagick Multiple Integer Overflow Vulnerabilities
07.15.49 - PHP 5 PHP_Stream_Filter_Create() Function Buffer Overflow
07.15.50 - PHP Memory Manager Sign Comparison Multiple Buffer Overflow Vulnerabilities
07.15.51 - HP Mercury Quality Center ActiveX Control Remote Code Execution
07.15.52 - Symantec Norton Personal Firewall 2006 SPBBCDrv Driver Local Denial of Service
07.15.53 - PulseAudio Assert() Remote Denial of Service
07.15.54 - PHP Msg_Receive() Memory Allocation Integer Overflow
07.15.55 - PHP Str_Replace() Integer Overflow
07.15.56 - PHP Imap_Mail_Compose() Function Buffer Overflow
07.15.57 - PHP sqlite_udf_decode_binary() Function Buffer Overflow
07.15.58 - PHP Printf() Function 64bit Casting Multiple Format String Vulnerabilities.
07.15.59 - Hitachi uCosminexus Application Server Session Information Remote Unauthorized Access
07.15.60 - Flyspray Unspecified Security Bypass and Information Disclosure Vulnerabilities
-- Web Application - Cross Site Scripting
07.15.61 - eXV2 CMS Multiple Cross-Site Scripting Vulnerabilities
07.15.62 - HolaCMS Index_CMS.PHP Cross-Site Scripting
07.15.63 - NextPage LivePublish LPEXT.DLL Cross-Site Scripting
07.15.64 - Atlassian JIRA IssueNavigator.JSPA Cross-Site Scripting
07.15.65 - Drake CMS UI.DTA.PHP Cross-Site Scripting
-- Web Application - SQL Injection
07.15.66 - XOOPS WF-Link Module Viewcat.PHP SQL Injection
07.15.67 - XOOPS Jobs Module Index.PHP SQL Injection
07.15.68 - Gazi Okul Sitesi Fotokategori.ASP SQL Injection
07.15.69 - XOOPS Rha7 Downloads Module Visit.PHP SQL Injection
07.15.70 - WordPress Post_ID Parameter SQL Injection
07.15.71 - XOOPS KShop Module Product_Details.PHP SQL Injection
07.15.72 - XOOPS PopnupBlog Module Index.PHP SQL Injection
07.15.73 - XFsection Xoops Module Print.PHP SQL Injection
07.15.74 - Advanced Website Creator Multiple SQL Injection Vulnerabilities
07.15.75 - XOOPS Debaser Module Genre.PHP SQL Injection
07.15.76 - PHP-Fusion Multiple Modules Index.PHP SQL Injection Vulnerabilities
07.15.77 - XOOPS Module Zmagazine Print.PHP SQL Injection
07.15.78 - XOOPS WF-Section Module Print.PHP SQL Injection
07.15.79 - XOOPS RM+Soft Gallery Module Categos.PHP SQL Injection
07.15.80 - XOOPS Module Camportail Show.PHP SQL Injection
07.15.81 - FlexPHPNews News.PHP SQL Injection
07.15.82 - PHP-Fusion Calendar_Panel Module Show_Event.PHP SQL Injection
07.15.83 - XOOPS Multiple Modules ViewCat.PHP SQL Injection Vulnerabilities
07.15.84 - XOOPS Module Lykos Reviews Index.PHP SQL Injection
07.15.85 - XOOPS Module Repository ViewCat.PHP SQL Injection
07.15.86 - Malaika System MyAds Xoops Module Index.PHP SQL Injection
-- Web Application
07.15.87 - Sisplet CMS Komentar.PHP Remote File Include
07.15.88 - phpMyNewsletter Multiple Scripts Authentication Bypass Vulnerabilities
07.15.89 - PHP-Generics _App_Relative_Path Multiple Remote File Include Vulnerabilities
07.15.90 - CodeWand PHPBrowse Include_Stream.Inc.PHP Remote File Include
07.15.91 - Lite-CMS Index.PHP Local File Include
07.15.92 - phpBB Mutant Mutant_Functions.PHP Remote File Include
07.15.93 - AroundMe Multiple Remote File Include Vulnerabilities
07.15.94 - CyBoards PHP Lite Default_Header.PHP Remote File Include
07.15.95 - MyBlog Games.PHP Remote File Include
07.15.96 - MySpeach Multiple Local and Remote File Include Vulnerabilities
07.15.97 - DirectAdmin Logfile HTML Injection
07.15.98 - Really Simple PHP and Ajax Multiple Remote File Include Vulnerabilities
07.15.99 - BT-Sondage Gestion_Sondage.PHP Remote File Include
07.15.100 - MapTools MapLab Params.PHP Remote File Include
07.15.101 - CWB Pro Include_Path Multiple Remote File Include Vulnerabilities
07.15.102 - JCCorp URLShrink Email Parameter Remote Code Execution
07.15.103 - Forum Picture and Meta Tags Module PHPBB_ROOT_PATH Remote File Include
07.15.104 - JSBoard Login.PHP Local File Include
07.15.105 - Drake CMS 404.PHP Local File Include
07.15.106 - MailDwarf Multiple Input Validation Vulnerabilities
*********************************************************************
PART I - Critical Vulnerabilities
Part I for this issue has been compiled by Rob King and Rohit Dhamankar
at TippingPoint, a division of 3Com, as a by-product of that company's
continuous effort to ensure that its intrusion prevention products
effectively block exploits using known vulnerabilities. TippingPoint's
analysis is complemented by input from a council of security managers
from twelve large organizations who confidentially share with SANS the
specific actions they have taken to protect their systems. A detailed
description of the process may be found at
http://www.sans.org/newsletters/cva/#process
*****************************
Widely Deployed Software
*****************************
(1) CRITICAL: Microsoft Windows Multiple GDI Vulnerabilities (MS07-017)
Affected:
Microsoft Windows 2000/XP/Vista
Microsoft Windows Server 2003
Description: Microsoft has issued security update MS07-017 ahead of its
monthly patching schedule for the 0-day flaw in Windows' handling of
animated cursor (ANI) files. This flaw is being exploited in the wild.
For more details about this 0-day, please refer to the previous issue of
the @RISK newsletter. In addition to the ANI issues, the MS07-017 patch
also addresses several locally exploitable vulnerabilities and a remote
denial of service vulnerability in the Windows GDI graphical subsystem.
The remote DoS can be triggered by a specially-crafted Windows Metafile
(WMF) image file and exploited to cause a system hang or reboot.
Status: Microsoft confirmed, updates available. Please ensure that the
patch is applied to all the affected systems.
Problems after installing MS07-017 patch:
On Windows XP SP2, some 3rd party applications may not start. Microsoft
has provided mitigation steps here:
http://support.microsoft.com/kb/925902 and
http://support.microsoft.com/kb/935448/
Council Site Actions: All of the responding council sites are taking
action. One site has already pushed the updates. The other sites are
deploying on an expedited basis. One site noted they sent out an
organization-wide notice explaining the threat and asking users to
verify that the patch installs.
References:
Microsoft Security Bulletin
http://www.microsoft.com/technet/security/Bulletin/MS07-017.mspx
Previous @RISK Entry
http://www.sans.org/newsletters/risk/display.php?v=6&i=14#widely1
SecurityFocus BID
http://www.securityfocus.com/bid/23194
****************************************************************
(2) CRITICAL: Yahoo! Messenger Audio Conferencing ActiveX Control Buffer Overflow
Affected:
Yahoo Messenger versions released prior to 2007-03-13
Description: The Audio Conferencing ActiveX control shipped by default
with Yahoo! Messenger contains a buffer overflow vulnerability. A
malicious web page that instantiates this control, and specifies large
values for its "socksHostname" and "hostname" properties could exploit
this buffer overflow to execute arbitrary code with the privileges of
the current user. Note that some technical details are publicly
available for this vulnerability.
Status: Yahoo! confirmed, updates available.
Council Site Actions: The affected software and/or configuration are not
in production or widespread use, or are not officially supported at any
of the responding council sites. They reported that no action was
necessary. One site commented that they block Yahoo Messenger.
References:
Yahoo! Security Update
http://messenger.yahoo.com/security_update.php?id=031207
Zero Day Initiative Advisory
http://www.zerodayinitiative.com/advisories/ZDI-07-012.html
SecurityFocus BID
http://www.securityfocus.com/bid/23291
****************************************************************
(3) CRITICAL: Kaspersky Multiple Products Multiple Vulnerabilities
Affected:
Kaspersky Internet Security, Anti-Virus and File Server version 6.0
Description: Several Kaspersky security products contain multiple
vulnerabilities:
(1) Failure to properly handle specially-crafted ARJ archives can lead
to a heap-based buffer overflow in the Kaspersky antivirus engine. A
malicious ARJ archive could be delivered in a variety of ways, including
via email, web pages, or shared directories. Successfully exploiting
this buffer overflow would allow an attacker to execute arbitrary code
with the privileges of the antivirus engine.
(2) The "AxKlProd60.dll" and "AxKLSysInfo" ActiveX controls export a
variety of methods for file manipulation. These functions do not
validate that the calling process has the permission to execute these
functions. A malicious web page that instantiates these controls could
call the "DeleteFile" method to delete arbitrary files with the
privileges of the current user; or call the "StartBatchUploading",
"StartStrBatchUploading", or "StartUploading" to upload arbitrary files
to a remote server.
Status: Kaspersky confirmed, updates available. Users can mitigate the
impact of issue #2 by disabling the affected controls via Microsoft's
"kill bit" mechanism. The affected CLSIDs are
"D9EC22E7-1A86-4F7C-8940-0303AE5D6756" and
"BA61606B-258C-4021-AD27-E07A3F3B91DB".
Council Site Actions: The affected software and/or configuration are not
in production or widespread use, or are not officially supported at any
of the responding council sites. They reported that no action was
necessary.
References:
Kaspersky Security Advisories
http://www.kaspersky.com/technews?id=203038693
http://www.kaspersky.com/technews?id=203038694
Zero Day Initiative Advisories
http://www.zerodayinitiative.com/advisories/ZDI-07-014.html
http://www.zerodayinitiative.com/advisories/ZDI-07-013.html
iDefense Security Advisory
http://labs.idefense.com/intelligence/vulnerabilities/display.php?id=504
Microsoft Knowledge Base Article (documents the "kill bit" mechanism)
http://support.microsoft.com/kb/240797
SecurityFocus BID
http://www.securityfocus.com/bid/23325
****************************************************************
(4) HIGH: AOL Nullsoft Winamp Multiple Vulnerabilities
Affected:
AOL Nullsoft Winamp version 5.33 and prior
Description: AOL Nullsoft Winamp, a popular media player for Microsoft
Windows, contains multiple vulnerabilities:
(1) Failure to properly process malformed Matlab sound files can
trigger a memory corruption vulnerability. This flaw stems from code in
the "libsndfile.dll" library; it is possible that any application using
this library is vulnerable.
(2) The "in_mod.dll" Winamp plugin contains memory corruption
vulnerabilities in the processing of "S3M" and "IT" files.
Specially-crafted S3M or IT files could trigger these vulnerabilities.
Successfully exploiting these vulnerabilities would allow an attacker
to execute arbitrary code with the privileges of the current user. Note
that, depending on configuration, the vulnerable file types could be
opened without prompting by Winamp. Full technical details and a
proof-of-concept are publicly available for these vulnerabilities.
Status: AOL has not confirmed, no updates available.
References:
Advisories from Piotr Bania
http://www.piotrbania.com/all/adv/nullsoft-winamp-libsndfile-adv.txt
http://www.piotrbania.com/all/adv/nullsoft-winamp-it_module-in_mod-adv.txt
http://www.piotrbania.com/all/adv/nullsoft-winamp-s3m_module-in_mod-adv.txt
Product Home Page
http://www.winamp.com
SecurityFocus BIDs
http://www.securityfocus.com/bid/23351
http://www.securityfocus.com/bid/23350
****************************************************************
(5) HIGH: Symantec Enterprise Security Manager Authentication Bypass
Affected:
Enterprise Security Manager agent, all versions prior to 6.5.3
Description: Symantec Enterprise Security Manager is designed to
automate the discovery of vulnerabilities and deviations in the security
policies of e-business applications and servers. The product installs
agents on the servers that are being monitored. This agent contains a
vulnerability in processing "upgrade" requests. The agent does not
verify that the upgrade request has been issued by a trusted source. As
a result, an attacker can directly request the agent to perform an
upgrade and thereby install any malicious program such as a backdoor on
the agent system. Note that the agent runs with SYSTEM/root privileges.
Hence, the vulnerability can be exploited to compromise critical servers
in an enterprise. In order to exploit the flaw, an attacker would
require knowledge of the protocol between the agent and the ESM
manager.
Status: Symantec has released version 6.5.3 to fix this issue. The ESM
manager needs to be upgraded to version 6.5.3 as well to work with the
6.5.3 agent. A possible workaround is to block the ports 5601/udp and
5601/tcp at the network perimeter.
References:
Symantec Advisory
http://www.symantec.com/avcenter/security/Content/2007.04.05d.html
Product Homepage
http://www.symantec.com/enterprise/products/overview.jsp?pcid=1004&pvid=855_1
SecurityFocus BID
http://www.securityfocus.com/bid/23287
****************************************************************
(6) HIGH: MIT Kerberos Multiple Vulnerabilities
Affected:
MIT Kerberos 5 versions 1.6 and prior
Potentially any system using the MIT implementation of Kerberos.
Description: MIT Kerberos, the reference implementation of the Kerberos
authentication protocol, contains multiple vulnerabilities:
(1) Telnet servers that use Kerberos for authentication contain an
authentication bypass vulnerability. By passing a username beginning
with "-e", an attacker could bypass all authentication and login as
arbitrary users.
(2) The Kerberos Administration Daemon, which runs on the Kerberos
master server, contains a buffer overflow vulnerability. A
specially-crafted Kerberos request could trigger this buffer overflow
and execute arbitrary code with the privileges of the Kerberos
Administration Daemon process (often SYSTEM/root).
(3) The Kerberos Administration Daemon contains a double free
vulnerability. An authenticated attacker could trigger this
vulnerability to execute arbitrary code with the privileges of the
administrative process (often SYSTEM/root).
Note that, since the master server usually contains authentication
information for the entire Kerberos domain, compromising this server
generally leads to compromise of other systems in the same
authentication domain. The technical details are available for these
vulnerabilities. MIT Kerberos is used by a wide variety of operating
systems, including various UNIX and UNIX-like operating systems.
Kerberos authentication may not be enabled by default on affected
systems, lessening the impact of attacks.
Status: MIT confirmed, updates available.
Council Site Actions: The affected software and/or configuration are not
in production or widespread use, or are not officially supported at any
of the responding council sites. They reported that no action was
necessary.
References:
MIT Security Advisories
http://web.mit.edu/Kerberos/advisories/MITKRB5-SA-2007-002-syslog.txt
http://web.mit.edu/kerberos/advisories/MITKRB5-SA-2007-001-telnetd.txt
http://web.mit.edu/kerberos/advisories/MITKRB5-SA-2007-003.txt
iDefense Security Advisory
http://labs.idefense.com/intelligence/vulnerabilities/display.php?id=500
Wikipedia Article on Kerberos
http://en.wikipedia.org/wiki/Kerberos_%28protocol%29
MIT Kerberos Home Page
http://web.mit.edu/Kerberos/
SecurityFocus BIDs
http://www.securityfocus.com/bid/23285
http://www.securityfocus.com/bid/23281
http://www.securityfocus.com/bid/23282
****************************************************************
(7) HIGH: HP Mercury Quality Center "SPIDERLib" ActiveX Control Buffer Overflow
Affected:
HP Mercury Quality Center 9.1.0.4353 and possibly prior
Description: HP Mercury Quality Center is a web-based application that
facilitates software quality testing. Users of this application must
install the "SPIDERLib" ActiveX control. This control contains a buffer
overflow in its handling of its "ProgColor" property. A malicious web
page that instantiates this control could exploit this buffer overflow
to execute arbitrary code with the privileges of the current user. Some
technical details for this vulnerability are publicly available.
Status: HP confirmed, updates available. Users can mitigate the impact
of this vulnerability by disabling the affected control via Microsoft's
"kill bit" mechanism for CLSID "98C53984-8BF8-4D11-9B1C-C324FCA9CADE".
However, doing so will prevent legitimate use of the affected
application.
Council Site Actions: The affected software and/or configuration are not
in production or widespread use, or are not officially supported at any
of the responding council sites. They reported that no action was
necessary.
References:
HP Security Advisory
http://h20000.www2.hp.com/bizsupport/TechSupport/Document.jsp?objectID=c00901872
iDefense Security Advisory
http://labs.idefense.com/intelligence/vulnerabilities/display.php?id=497
Microsoft Knowledge Base Article (documents the "kill bit" mechanism)
http://support.microsoft.com/kb/240797
Product Home Page
http://www.mercury.com/us/products/quality-center/
SecurityFocus BID
http://www.securityfocus.com/bid/23239
****************************************************************
(8) MODERATE: WordPress "Post_ID" SQL Injection
Affected:
WordPress version 2.1.2 and prior
Description: WordPress, a popular cross-platform blogging suite,
contains an SQL injection vulnerability. An authenticated attacker with
access to a WordPress "contributor", "author", or "editor" account could
trigger this vulnerability. By successfully exploiting this
vulnerability an attacker could execute arbitrary SQL commands against
the backend WordPress database and read arbitrary files with the
privileges of the database process. This vulnerability is exploitable
via WordPress's XML-RPC interface. A working exploit and full technical
details are publicly available for this vulnerability. Note that
WordPress is often installed by hosting providers as a service to their
users; these users will often have the necessary credentials to exploit
this vulnerability.
Status: WordPress has not confirmed, no updates available.
References:
WordPress Security Update Blog Posting
http://wordpress.org/development/2007/04/wordpress-213-and-2010/
Exploit by sid at notsosecure.com
http://downloads.securityfocus.com/vulnerabilities/exploits/23294.pl
WordPress Home Page
http://www.wordpress.org
SecurityFocus BID
http://www.securityfocus.com/bid/23294
****************************************************************
(9) MODERATE: SAP RFC Library Multiple Vulnerabilities
Affected:
SAP RFC Library versions 6.40 and 7.00 and possibly others
Description: The SAP RFC library, used by most SAP applications to
interface with the main SAP system, contains multiple vulnerabilities:
(1) The "RFC_START_GUI" and "SYSTEM_CREATE_INSTANCE" functions contain
buffer overflow vulnerabilities. Successfully exploiting these buffer
overflows would allow arbitrary code execution with the privileges of
the affected process. No further technical details for these
vulnerabilities are publicly available.
(2) The "RFC_START_PROGRAM" function fails to properly validate certain
requests. A specially-crafted request to this function could bypass
execution restrictions or trigger a buffer overflow, allowing for
arbitrary code execution with the privileges of the affected process.
Additionally, information disclosure and denial-of-service
vulnerabilities have been discovered in the SAP RFC library.
Status: SAP confirmed, updates available.
Council Site Actions: The affected software and/or configuration are not
in production or widespread use, or are not officially supported at any
of the responding council sites. They reported that no action was
necessary.
References:
CYBSEC Security Advisories (PDF)
http://www.cybsec.com/vuln/CYBSEC-Security_Advisory_SAP_RFC_START_GUI_RFC_Function_Buffer_Overflow.pdf
http://www.cybsec.com/vuln/CYBSEC-Security_Advisory_SAP_SYSTEM_CREATE_INSTANCE_RFC_Function_Buffer_Overflow.pdf
http://cybsec.com/vuln/CYBSEC-Security_Advisory_SAP_RFC_START_PROGRAM_RFC_Function_Multiple_Vulnerabilities.pdf
Vendor Home Page
http://www.sap.com
SecurityFocus BIDs
http://www.securityfocus.com/bid/23304
http://www.securityfocus.com/bid/23307
****************
Other Software
****************
(10) CRITICAL: SolidWorks "sldimdownload" ActiveX Control Remote Code Execution
Affected:
SolidWorks "sldimdownload" ActiveX Control versions prior to 16.0.0.6
Description: SolidWorks is a popular Computer Aided Design (CAD) package
for Microsoft Windows. Its "sldimdownload" ActiveX control contains a
remote code execution vulnerability. A malicious web page that
instantiates this control can invoke the control's "Run" method to run
arbitrary code with the privileges of the current user. Note that some
technical details for this vulnerability are publicly available.
Status: SolidWorks confirmed, updates available. Users can mitigate the
impact of this vulnerability by disabling the affected control via
Microsoft's "kill bit" mechanism for CLSID
"AB6633A8-60A9-4F5D-B66C-ABE268CC3227".
Council Site Actions: The affected software and/or configuration are not
in production or widespread use, or are not officially supported at any
of the responding council sites. They reported that no action was
necessary.
References:
Microsoft Knowledge Base Article (documents the "kill bit" mechanism)
http://support.microsoft.com/kb/240797
Vendor Home Page
http://www.solidworks.com
SecurityFocus BID
http://www.securityfocus.com/bid/23290
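Items (3), (7) and (10) all point to the same stopgap, Microsoft's "kill bit" (KB240797), to be used alongside the vendor updates. The script below is an added example, not code from the @RISK bulletin or from any vendor: it sets the kill bit for the four CLSIDs quoted in those items and verifies each one. It assumes the registry layout KB240797 documents ("Compatibility Flags" DWORD with bit 0x400 under ActiveX Compatibility\{CLSID}) and, on 64-bit Windows, the Wow6432Node view read by 32-bit Internet Explorer.

```powershell
# Added example, not from the @RISK bulletin or any vendor. Sets the ActiveX
# "kill bit" (KB240797) for the CLSIDs quoted in items (3), (7) and (10) and
# verifies each one. Assumed layout, per KB240797:
#   HKLM\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility\{CLSID}
#   "Compatibility Flags" = REG_DWORD with bit 0x400 set
# Run from an elevated PowerShell prompt.

$KillBit = 0x400

# CLSIDs exactly as quoted in the bulletin, with the control each belongs to.
$Clsids = [ordered]@{
    '{D9EC22E7-1A86-4F7C-8940-0303AE5D6756}' = 'Kaspersky AxKlProd60/AxKLSysInfo (item 3)'
    '{BA61606B-258C-4021-AD27-E07A3F3B91DB}' = 'Kaspersky AxKlProd60/AxKLSysInfo (item 3)'
    '{98C53984-8BF8-4D11-9B1C-C324FCA9CADE}' = 'HP Mercury Quality Center SPIDERLib (item 7)'
    '{AB6633A8-60A9-4F5D-B66C-ABE268CC3227}' = 'SolidWorks sldimdownload (item 10)'
}

# Native view, plus the 32-bit (Wow6432Node) view on 64-bit Windows, which is
# the one a 32-bit Internet Explorer reads. Assumption: these two views suffice.
$Bases = @('HKLM:\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility')
if (Test-Path 'HKLM:\SOFTWARE\Wow6432Node') {
    $Bases += 'HKLM:\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\ActiveX Compatibility'
}

function Get-CompatFlags {
    # Current "Compatibility Flags" value for a CLSID key, or 0 when absent.
    param([string]$Key)
    $p = Get-ItemProperty -Path $Key -Name 'Compatibility Flags' -ErrorAction SilentlyContinue
    if ($null -eq $p) { return 0 }
    return [int]$p.'Compatibility Flags'
}

function Set-KillBit {
    # Creates the CLSID key if needed and ORs the kill bit into the existing
    # flags, so other compatibility flags already present are preserved.
    param([string]$Base, [string]$Clsid)
    $key = Join-Path $Base $Clsid
    if (-not (Test-Path $key)) { New-Item -Path $key -Force | Out-Null }
    $flags = (Get-CompatFlags $key) -bor $KillBit
    Set-ItemProperty -Path $key -Name 'Compatibility Flags' -Value $flags -Type DWord
    return $flags
}

function Test-KillBit {
    # Reads the value back and confirms bit 0x400 is set (audit step).
    param([string]$Base, [string]$Clsid)
    $key = Join-Path $Base $Clsid
    return (Test-Path $key) -and (((Get-CompatFlags $key) -band $KillBit) -eq $KillBit)
}

foreach ($base in $Bases) {
    foreach ($clsid in $Clsids.Keys) {
        $flags = Set-KillBit -Base $base -Clsid $clsid
        $state = if (Test-KillBit -Base $base -Clsid $clsid) { 'KILLBIT SET' } else { 'FAILED' }
        '{0,-12} {1} flags=0x{2:X} {3} [{4}]' -f $state, $clsid, $flags, $Clsids[$clsid], $base
    }
}
```

Item (7) notes that kill-bitting SPIDERLib blocks legitimate use of Quality Center, so remove that CLSID from the table on machines that need the application. Running the script a second time is harmless; Test-KillBit alone works as an audit of machines patched by other means.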
****************************************************************
(11) HIGH: Firebug Mozilla Firefox Extension Remote Code Execution
Affected:
FireBug versions prior to 1.03
Description: FireBug is a popular Mozilla Firefox extension providing
in-depth JavaScript debugging support. Failure to properly handle
certain JavaScript constructs can lead to arbitrary JavaScript being
executed without sandbox restrictions. Since there are no sandbox
restrictions, the malicious scripts can execute arbitrary code with the
privileges of the current user. Note that FireBug is not installed by
default. Working exploit code and full technical details are publicly
available for this vulnerability.
Status: Vendor acknowledged, updates available.
Council Site Actions: Only one of the responding council sites is using
the affected software, although it is not officially supported. The
users who are running it have automatic updates turned on, including for
extensions.
References:
GNUCITIZEN Blog Post (includes proofs-of-concept)
http://www.gnucitizen.org/blog/firebug-goes-evil
FireBug Home Page
https://addons.mozilla.org/en-US/firefox/addon/1843
SecurityFocus BID
http://www.securityfocus.com/bid/23315
***********************************************************************
*******
Exploit
*******
(12) EXPLOIT: AOL SuperBuddy Exploit
Description: The AOL SuperBuddy ActiveX control contains a vulnerability
discussed in last week's @RISK. A working exploit has been released for
this vulnerability.
References:
Previous @RISK Entry
http://www.sans.org/newsletters/risk/display.php?v=6&i=14#widely4
Exploit Code by kradchad and leetpete
http://www.milw0rm.com/exploits/3662
********************************************************************************************
Part II - Comprehensive List of Newly Discovered Vulnerabilities from
Qualys (www.qualys.com)
Week 15, 2007
This list is compiled by Qualys (www.qualys.com) as part of that
company's ongoing effort to ensure its vulnerability management web
service tests for all known vulnerabilities that can be scanned. As of
this week Qualys scans for 5412 unique vulnerabilities. For this
special SANS community listing, Qualys also includes vulnerabilities
that cannot be scanned remotely.
07.15.1 CVE: Not Available
Platform: Windows
Title: Wserve HTTP Server GET Request Buffer Overflow
Description: Wserve HTTP Server is a commercially available web server
application. It is exposed to a buffer overflow issue because it fails
to adequately bounds check user-supplied data before copying it to an
insufficiently sized buffer. Wserve HTTP Server version 4.6 is
affected.
Ref: http://www.securityfocus.com/bid/23341
____________________________________________________________________
07.15.2 CVE: Not Available
Platform: Windows
Title: Microsoft Windows Unspecified Remote Code Execution
Description: Microsoft Windows is exposed to an unspecified remote
code execution issue. Please refer to the advisory for further
details.
Ref: http://research.eeye.com/html/advisories/upcoming/20070327.html
____________________________________________________________________
07.15.3 CVE: Not Available
Platform: Windows
Title: Microsoft Windows Explorer BMP Image Denial of Service
Description: Windows explorer is exposed to a denial of service issue
which occurs when .bmp images are opened in Explorer while the
"details" pane is open and also when viewing the file in "Thumbnails"
view. Windows XP SP1 is affected.
Ref: http://www.securityfocus.com/bid/23321
____________________________________________________________________
07.15.4 CVE: CVE-2007-1532
Platform: Windows
Title: Microsoft Windows Vista Neighbor Discovery Spoofing
Description: Microsoft Windows Vista is exposed to a Neighbor Discovery
spoofing issue. The issue exists when the operating system receives
unsolicited Neighbor Advertisements (NAs). An attacker can exploit
this issue by responding to queries and sending spoofed Neighbor
Advertisements or blindly sending Neighbor Advertisements.
Ref: http://www.securityfocus.com/bid/23293
____________________________________________________________________
07.15.5 CVE: CVE-2007-1533
Platform: Windows
Title: Microsoft Windows Vista Teredo UDP Nonce Spoofing Weakness
Description: Windows Vista Teredo is a protocol transition mechanism
which accommodates IPv6 tunneling over IPv4 Network Address
Translation (NAT) devices. The application is exposed to a nonce
spoofing weakness.
Ref: http://www.securityfocus.com/bid/23301
____________________________________________________________________
07.15.6 CVE: CVE-2007-1535
Platform: Windows
Title: Microsoft Windows Vista Teredo Protocol Insecure Connection
Weakness
Description: Microsoft Windows Vista is exposed to a weakness due to
insecure Teredo protocol connections. Teredo is a protocol transition
mechanism which accommodates IPv6 tunneling over IPv4 Network Address
Translation (NAT) devices. The documentation states that Teredo
protocol is disabled by default and requires user action in order to
activate. Microsoft Windows Vista is exposed to a weakness which may
result in a false sense of security.
Ref: http://www.securityfocus.com/bid/23267
____________________________________________________________________
07.15.7 CVE: CVE-2007-1212
Platform: Windows
Title: Microsoft Windows Graphics Rendering Engine EMF File Privilege
Escalation
Description: Microsoft Windows graphics device interface (GDI)
provides an intermediate layer for applications to communicate to the
video interface and printer. GDI interacts with device drivers on
behalf of applications. The application is exposed to a local
privilege escalation issue when rendering malformed EMF image files.
Ref: http://www.microsoft.com/technet/security/Bulletin/MS07-017.mspx
____________________________________________________________________
07.15.8 CVE: CVE-2007-1528
Platform: Windows
Title: Microsoft Vista Spoof On Bridge HELLO Packet Security
Restriction Bypass
Description: The Microsoft Vista operating system is exposed to a
security restriction bypass issue because it fails to properly
sanitize user-supplied packet level data. The LLTD protocol operates
over wired (802.3 Ethernet) and wireless (802.11) media. LLTD enables
device discovery via the data-link layer and determines the topology
of a network.
Ref: http://www.securityfocus.com/bid/23280
____________________________________________________________________
07.15.9 CVE: CVE-2006-5586
Platform: Windows
Title: Microsoft Windows GDI Invalid Window Size Local Privilege
Escalation
Description: The Microsoft Windows graphics device interface (GDI)
enables applications to use graphics and formatted text on both the
video display and the printer. The application is exposed to a local
privilege escalation issue because of the way Microsoft Windows
renders layered application window sizes.
Ref: http://www.microsoft.com/technet/security/Bulletin/MS07-017.mspx
____________________________________________________________________
07.15.10 CVE: CVE-2007-1530
Platform: Windows
Title: Microsoft Windows Vista LLTD Mapper EMIT Packet Remote Denial
of Service
Description: The Link Layer Topology Discovery (LLTD) is a protocol,
designed by Microsoft for discovering the topology of the local area
network. Microsoft Windows Vista is exposed to a remote denial of
service issue because the application fails to handle exceptional
conditions.
Ref: http://www.securityfocus.com/bid/23271
____________________________________________________________________
07.15.11 CVE: CVE-2007-1213
Platform: Windows
Title: Microsoft Windows Graphics Device Interface Font Rasterizer
Local Privilege Escalation
Description: Microsoft Windows GDI Font Rasterizer generates TrueType
character bitmaps for monitors and printers. The application is
exposed to a local privilege escalation issue when an uninitialized
function pointer is called during font rasterization.
Ref: http://www.microsoft.com/technet/security/Bulletin/MS07-017.mspx
____________________________________________________________________
07.15.12 CVE: CVE-2007-1527
Platform: Windows
Title: Microsoft Vista Spoofed LLTD HELLO Packet Security Restriction
Bypass
Description: The Microsoft Vista operating system is exposed to a
security restriction bypass issue because it fails to properly
sanitize user-supplied packet level data. The LLTD protocol operates
over wired (802.3 Ethernet) and wireless (802.11) media. LLTD enables
device discovery via the data-link layer and determines the topology
of a network.
Ref: http://www.securityfocus.com/bid/23279
____________________________________________________________________
07.15.13 CVE: CVE-2007-1531
Platform: Windows
Title: Microsoft Windows Vista ARP table Entries Denial of Service
Description: Microsoft Windows Vista is exposed to a denial of service
issue when the operating system receives certain gratuitous ARP
requests. Such requests are used to overwrite ARP table entries and
propagate address changes.
Ref: http://www.securityfocus.com/bid/23266
____________________________________________________________________
07.15.14 CVE: CVE-2007-1215
Platform: Windows
Title: Microsoft Windows Graphics Rendering Engine GDI Local Privilege
Escalation
Description: Microsoft Windows Graphics Device Interface (GDI)
provides an intermediate layer for applications to communicate to the
video interface and printer. GDI interacts with device drivers on
behalf of applications. The application is exposed to a privilege
escalation issue due to the mishandling of certain unspecified color
related parameters prior to copying them to an unchecked memory buffer in
the GDI.
Ref: http://www.microsoft.com/technet/security/Bulletin/MS07-017.mspx
____________________________________________________________________
07.15.15 CVE: CVE-2007-1211
Platform: Windows
Title: Microsoft Windows GDI WMF Remote Denial of Service
Description: Microsoft Windows is prone to a remote denial of service
issue because the application fails to perform proper bounds checking
on sensitive message buffers when handling malicious WMF files.
Ref: http://www.microsoft.com/technet/security/Bulletin/MS07-017.mspx
____________________________________________________________________
07.15.16 CVE: CVE-2007-1529
Platform: Windows
Title: Microsoft Windows Vista LLTD Responder Discovery Packet
Spoofing
Description: The Link Layer Topology Discovery (LLTD) protocol is a
protocol designed by Microsoft for discovering the topology of the
local area network. The application is exposed to an issue that
permits an attacker to spoof arbitrary hosts through a network based
race condition.
Ref: http://www.securityfocus.com/bid/23263
____________________________________________________________________
07.15.17 CVE: CVE-2007-1112
Platform: Third Party Windows Apps
Title: Kaspersky AntiVirus SysInfo ActiveX Control Arbitrary File
Exfiltration
Description: Kaspersky AntiVirus is an antivirus application for
desktop and small business computers. The application is exposed to an
arbitrary file exfiltration issue because it contains a file upload
ActiveX control that can be misused by a malicious site. Kaspersky
Anti-Virus 6.0 and Kaspersky Internet Security 6.0 are affected.
Ref:
http://labs.idefense.com/intelligence/vulnerabilities/display.php?id=504
____________________________________________________________________
07.15.18 CVE: Not Available
Platform: Third Party Windows Apps
Title: Kaspersky Internet Security Suite Klif.SYS Driver Local Heap
Overflow
Description: Kaspersky Internet Security Suite is an application that
provides antivirus, antispyware, firewall, antispam, and Web
protection tools for Microsoft Windows. The application is exposed to a
local heap overflow issue because it fails to perform sufficient
boundary checks on user-supplied data before copying it into an
insufficiently sized buffer. Kaspersky Internet Security Suite version
6.0.1.411 for Microsoft Windows is affected.
Ref:
http://labs.idefense.com/intelligence/vulnerabilities/display.php?id=505
____________________________________________________________________
07.15.19 CVE: Not Available
Platform: Third Party Windows Apps
Title: ACDSee 9.0 Photo Manager Multiple BMP Denial of Service
Vulnerabilities
Description: ACDSee 9.0 Photo Manager is an application that allows
users to view images. The application is exposed to multiple denial of
service issues due to a failure of the application to properly handle
malformed BMP image files. ACDSee version 9.0 is affected.
Ref: http://www.securityfocus.com/bid/23317
____________________________________________________________________
07.15.20 CVE: Not Available
Platform: Third Party Windows Apps
Title: IrfanView Multiple BMP Denial of Service Vulnerabilities
Description: IrfanView is an application that allows users to view
images. The application is available for Microsoft Windows. It is
exposed to multiple denial of service issues due to a failure of the
application to properly handle malformed BMP image files. IrfanView
version 3.99 is affected.
Ref: http://www.securityfocus.com/bid/23318
____________________________________________________________________
07.15.21 CVE: Not Available
Platform: Third Party Windows Apps
Title: FastStone Image Viewer Multiple BMP Denial of Service
Vulnerabilities
Description: FastStone Image Viewer is an application that allows
users to view images. The application is exposed to multiple denial of
service issues due to a failure of the application to properly handle
malformed BMP image files. FastStone Image Viewer version 2.9 is
affected.
Ref: http://www.securityfocus.com/bid/23312
____________________________________________________________________
07.15.22 CVE: CVE-2007-1684
Platform: Third Party Windows Apps
Title: SolidWorks SLDimdownload ActiveX Control Arbitrary Code
Execution
Description: The sldimdownload.dll ActiveX control is part of the
Solidworks 3D CAD application. The application is exposed to an issue
that will allow remote attackers to execute arbitrary code on an
affected computer.
Ref: http://www.securityfocus.com/bid/23290
____________________________________________________________________
07.15.23 CVE: CVE-2006-4974
Platform: Third Party Windows Apps
Title: Ipswitch WS_FTP Long Site Command Buffer Overflow
Description: Ipswitch WS_FTP client is an FTP implementation that is
available for Microsoft Windows operating systems. IPswitch WS_FTP is
exposed to a buffer overflow issue because the application fails to
bounds check user-supplied data before copying it into an
insufficiently sized buffer. Ipswitch WS_FTP client version 5.05 is
affected.
Ref: http://www.securityfocus.com/bid/23260
____________________________________________________________________
07.15.24 CVE: CVE-2006-5820
Platform: Third Party Windows Apps
Title: AOL SB.SuperBuddy.1 ActiveX Control Remote Code Execution
Description: AOL SB.SuperBuddy.1 control is exposed to a remote code
execution issue which occurs in the "LinkSBIcons()" function of the
ActiveX control with CLSID. The ActiveX control implements the
IObjectSafety interface and permits websites to invoke the control
under Internet Explorer without any user interaction. AOL Client
Software version 9.0 Security is affected.
Ref: http://www.securityfocus.com/archive/1/464313
____________________________________________________________________
07.15.25 CVE: CVE-2007-1217
Platform: Linux
Title: Linux Kernel CapiUtil.c Buffer Overflow
Description: The Linux kernel is exposed to a local buffer overflow
issue because it fails to properly bounds check user-supplied input
before using it in an insufficiently sized buffer. Linux kernel
versions 2.6.9 to 2.6.20 and isdn4k utilities are affected.
Ref: http://www.securityfocus.com/bid/23333
____________________________________________________________________
07.15.26 CVE: CVE-2007-0956
Platform: Linux
Title: MIT Kerberos 5 Telnet Daemon Authentication Bypass
Description: MIT Kerberos 5 is a suite of applications and libraries
designed to implement the Kerberos network authentication protocol.
The application is exposed to an authentication bypass issue because
the application fails to handle specially crafted user names beginning
with "-e". Kerberos 5 versions 1.6 and earlier are affected.
Ref: http://www.kb.cert.org/vuls/id/220816
____________________________________________________________________
07.15.27 CVE: CVE-2007-1216
Platform: Linux
Title: MIT Kerberos Administration Daemon Kadmind Double Free Memory
Corruption Vulnerabilities
Description: MIT Kerberos 5 is a suite of applications and libraries
designed to implement the Kerberos network authentication protocol. The
application is exposed to a double free memory corruption issue. If
certain error conditions occur, a buffer previously freed by the krb5
GSS-API mechanism may be freed again by an application.
Ref: http://web.mit.edu/kerberos/advisories/MITKRB5-SA-2007-003.txt
____________________________________________________________________
07.15.28 CVE: CVE-2007-0957
Platform: Linux
Title: Kerberos 5 kadmind Server Stack Based Buffer Overflow
Description: Kerberos is a network authentication protocol. kadmind
(Kerberos Administration Daemon) is the administration server for
Kerberos networks. The application is exposed to a stack-based buffer
overflow issue because it fails to adequately bounds check
user-supplied data before copying it to an insufficiently sized
buffer. Kerberos versions 1.6 and earlier are affected.
Ref: http://rhn.redhat.com/errata/RHSA-2007-0095.html
____________________________________________________________________
07.15.29 CVE: CVE-2007-1351, CVE-2007-1352
Platform: Linux
Title: X.Org libXfont Multiple Integer Overflow Vulnerabilities
Description: libXfont is the X.Org Xfont library. Some parts are based
on the FreeType code base. The application is exposed to multiple local
integer overflow issues because of a failure to adequately bounds check
user-supplied data. libXfont version 1.2.2 is affected.
Ref: http://rhn.redhat.com/errata/RHSA-2007-0125.html
____________________________________________________________________
07.15.30 CVE: Not Available
Platform: Linux
Title: DProxy DNS_Decode_Reverse_Name Buffer Overflow
Description: Dproxy is a small, freely available caching DNS server.
The application is exposed to a remote buffer overflow issue because
it fails to properly check boundaries on user-supplied data before
copying it to an insufficiently sized buffer. Dproxy version 1.c is
affected.
Ref: http://www.securityfocus.com/bid/23243
____________________________________________________________________
07.15.31 CVE: Not Available
Platform: Solaris
Title: Sun Solaris TCP/IP Kernel Memory Corruption Denial of Service
Description: Sun Solaris running on computers with CMT (Chip
Multi-Threading) processors is exposed to an issue which can result in
a kernel panic. The issue presents itself when handling large volumes
of TCP/IP traffic consisting of rapidly opened and closed TCP
connections. Sun Solaris 10.0 _x86 and Sun Solaris 10.0 are affected.
Ref:
http://sunsolve.sun.com/search/document.do?assetkey=1-26-102553-1&searchclause=
____________________________________________________________________
07.15.32 CVE: CVE-2007-1003
Platform: Unix
Title: X.Org X11 XC-MISC Extension Integer Overflow
Description: The X.Org X Windows server is an open-source X Window
System for UNIX, Linux, and variants. It is freely available and
distributed publicly. The application is exposed to a local integer
overflow issue because it fails to adequately bounds check
user-supplied data.
Ref: http://rhn.redhat.com/errata/RHSA-2007-0125.html
____________________________________________________________________
07.15.33 CVE: Not Available
Platform: Cross Platform
Title: Symantec Enterprise Security Manager Remote Upgrade Remote Code
Execution
Description: Symantec Enterprise Security Manager (ESM) is an
application that automates the discovery of vulnerabilities and
deviations in the security policies of mission critical e-business
applications and servers across the enterprise from a single location.
The application is exposed to a remote code execution issue because it
does not verify that upgrades are from trusted sources. Symantec
Enterprise Security Manager version 6.5 is affected.
Ref: http://www.symantec.com/avcenter/security/Content/2007.04.05d.html
____________________________________________________________________
07.15.34 CVE: CVE-2007-1270
Platform: Cross Platform
Title: VMWare Unspecified Double Free Memory Corruption
Description: VMware is software that emulates operating systems. The
application is exposed to a double free memory corruption issue.
VMWare ESX Server 3.0.1 and 3.0 are affected. Please refer to the
advisory for further details.
Ref: http://www.securityfocus.com/bid/23323
____________________________________________________________________
07.15.35 CVE: CVE-2007-1271
Platform: Cross Platform
Title: VMware Unspecified Buffer Overflow
Description: VMWare is virtualization software that allows multiple
virtual machines to run on a single computer. The application is
exposed to an unspecified buffer overflow issue because the
application fails to bounds check user-supplied data before copying it
into an insufficiently sized buffer.
Ref: http://www.securityfocus.com/bid/23322
____________________________________________________________________
07.15.36 CVE: Not Available
Platform: Cross Platform
Title: FireBug Cross Zone Scripting
Description: FireBug is a javascript debugger plug in for Mozilla
Firefox. The application is exposed to a cross zone scripting issue
because the application fails to execute code in the proper security
context. FireBug version 1.01 and 1.02 are affected.
Ref: http://www.securityfocus.com/bid/23315
____________________________________________________________________
07.15.37 CVE: Not Available
Platform: Cross Platform
Title: SAP RFC Library Trusted_System_Security Function Information
Disclosure
Description: SAP RFC Library provides an interface for SAP Systems. The
application is exposed to an information disclosure issue which
affects the "trusted_system_security()" function. SAP RFC Library 7.00
and SAP RFC Library 6.40 are affected.
Ref: http://www.securityfocus.com/archive/1/464669
____________________________________________________________________
07.15.38 CVE: Not Available
Platform: Cross Platform
Title: SAP RFC Library System_Create_Instance Function Buffer Overflow
Description: SAP RFC Library provides an interface for SAP Systems.
The application is exposed to a buffer overflow issue because it fails
to adequately bounds check user-supplied input before copying it to an
insufficiently sized buffer. This issue affects the
"system_create_instance()" function. Please refer to the advisory for
further details.
Ref: http://www.securityfocus.com/archive/1/464683
____________________________________________________________________
07.15.39 CVE: Not Available
Platform: Cross Platform
Title: SAP RFC_Set_Reg_Server_Property RFC Function Denial of Service
Description: The SAP RFC Library is a component used to call any RFC
Function in an SAP System from an external application. The RFC Library
is exposed to a remote denial of service issue which resides in the
"RFC_SET_REG_SERVER_PROPERTY()" function.
Ref: http://www.securityfocus.com/archive/1/464685
____________________________________________________________________
07.15.40 CVE: Not Available
Platform: Cross Platform
Title: IBM Tivoli Business Service Manager NCISETUP.DB and MSI.LOG
Password Disclosure
Description: IBM Tivoli Business Service Manager is a tool suite that
helps organize and allocate enterprise IT resources. The application
is exposed to a local password disclosure issue that arises because of
a design error. IBM Tivoli Business Service Manager 4.1 is affected.
Ref: http://www.securityfocus.com/bid/23298
____________________________________________________________________
07.15.41 CVE: Not Available
Platform: Cross Platform
Title: Metamod-P Safevoid_Vsnprintf() Remote Denial of Service
Description: Metamod-P is a DLL broker allowing for the dynamic
management of Half-Life mods. The application is exposed to a remote
denial of service issue that resides in the "safevoid_vsnprintf()"
function. Specifically, this issue occurs when a user sends an overly
long string as a meta command to the function. Metamod-P version
1.19p29 is affected.
Ref: http://www.securityfocus.com/bid/23299
____________________________________________________________________
07.15.42 CVE: CVE-2007-1667
Platform: Cross Platform
Title: ImageMagick XInitImage Multiple Integer Overflow Vulnerabilities
Description: ImageMagick is an image editing suite that includes a
library and command line utilities supporting numerous image formats,
including SGI. The application is exposed to multiple integer overflow
issues because it fails to properly validate user-supplied data.
Ref: http://rhn.redhat.com/errata/RHSA-2007-0125.html
____________________________________________________________________
07.15.43 CVE: CVE-2007-1655
Platform: Cross Platform
Title: TinyMUX Fun_Ladd() Buffer Overflow
Description: TinyMUX is a text-based game server. The application is
exposed to a stack-based buffer overflow issue because the software
fails to adequately bounds check user-supplied data before copying it
to an insufficiently sized buffer. TinyMUX version 2.4 is affected.
Ref: http://www.securityfocus.com/bid/23292
____________________________________________________________________
07.15.44 CVE: CVE-2007-1680
Platform: Cross Platform
Title: Yahoo! Messenger Audio Conferencing ActiveX Control Remote
Buffer Overflow
Description: Yahoo! Messenger is a freely available chat client
distributed and maintained by Yahoo!. The Audio Conferencing ActiveX
control, which is contained in the "yacscom.dll" library and shipped
with Yahoo! Messenger, is exposed to a buffer overflow issue. The
software fails to perform sufficient bounds checking of user-supplied
input before copying it to an insufficiently sized memory buffer.
Yahoo! Messenger versions released prior to March 13, 2007 are
affected.
Ref: http://www.securityfocus.com/bid/23291
____________________________________________________________________
07.15.45 CVE: Not Available
Platform: Cross Platform
Title: IrfanView Cursor And Icon ANI Format Handling Remote Buffer
Overflow
Description: IrfanView is exposed to a buffer overflow issue due to
insufficient format validation that occurs when handling malformed
ANI cursor or icon files. IrfanView version 3.99 is affected. Please
refer to the advisory for further details.
Ref: http://www.securityfocus.com/bid/23262
____________________________________________________________________
07.15.46 CVE: Not Available
Platform: Cross Platform
Title: IBM Tivoli Provisioning Manager OS Deployment Multiple
Unspecified Input Validation Vulnerabilities
Description: IBM Tivoli Provisioning Manager for OS Deployment is a
network boot server used to manage networked workstations. Tivoli
Provisioning Manager for OS Deployment is exposed to multiple input
validation issues because it fails to adequately handle user-supplied
input. IBM Tivoli Provisioning Manager version 5.1.0.116 is affected.
Ref:
http://labs.idefense.com/intelligence/vulnerabilities/display.php?id=498
____________________________________________________________________
07.15.47 CVE: CVE-2007-0242
Platform: Cross Platform
Title: Trolltech QT UTF-8 Sequences Input Validation
Description: Trolltech Qt is an application development framework for
the KDE desktop system. It supports windowing, multimedia, and other
functionality. The application is exposed to an input validation issue
due to a failure in the application to properly sanitize user-supplied
input. Qt versions 3.3.8 and 4.2.3 are affected.
Ref: http://www.trolltech.com/company/newsroom/announcements/press.2007-03-30.9172215350
____________________________________________________________________
07.15.48 CVE: CVE-2007-1797
Platform: Cross Platform
Title: ImageMagick Multiple Integer Overflow Vulnerabilities
Description: ImageMagick is an image editing suite that includes a
library and command line utilities supporting numerous image formats,
including SGI. It is available for a variety of platforms including
Microsoft Windows, UNIX, and UNIX-like operating systems. The
application is exposed to multiple integer overflow issues because it
fails to properly validate user-supplied data. ImageMagick versions
6.3.3-1,2,3 and 9 are affected.
Ref:
http://labs.idefense.com/intelligence/vulnerabilities/display.php?id=496
____________________________________________________________________
07.15.49 CVE: Not Available
Platform: Cross Platform
Title: PHP 5 PHP_Stream_Filter_Create() Function Buffer Overflow
Description: PHP is a general purpose scripting language that is
especially suited for web development and can be embedded into HTML.
PHP is exposed to a buffer overflow issue because the application
fails to perform boundary checks before copying user-supplied data to
insufficiently sized memory buffers. PHP versions prior to 5.2.1 are
affected.
Ref: http://www.php-security.org/MOPB/MOPB-42-2007.html
____________________________________________________________________
07.15.50 CVE: Not Available
Platform: Cross Platform
Title: PHP Memory Manager Sign Comparison Multiple Buffer Overflow
Vulnerabilities
Description: PHP is a general purpose scripting language that is
especially suited for web development and can be embedded into HTML.
PHP is exposed to multiple buffer overflow issues because the
application fails to perform boundary checks before copying
user-supplied data to insufficiently sized memory buffers. PHP version
5.2.0 is affected.
Ref: http://www.php-security.org/MOPB/MOPB-44-2007.html
____________________________________________________________________
07.15.51 CVE: Not Available
Platform: Cross Platform
Title: HP Mercury Quality Center ActiveX Control Remote Code Execution
Description: HP Mercury Quality Center is a web-based system for
automated software quality assurance. The application is
exposed to a remote code execution issue. HP Mercury Quality Center
versions 8.2 SP1 and 9.0 are affected.
Ref:
http://labs.idefense.com/intelligence/vulnerabilities/display.php?id=497
____________________________________________________________________
07.15.52 CVE: Not Available
Platform: Cross Platform
Title: Symantec Norton Personal Firewall 2006 SPBBCDrv Driver Local
Denial of Service
Description: Norton Personal Firewall 2006 is exposed to a local
denial of service issue. This issue occurs when attackers supply
specially crafted values through the "NtCreateMutant" or "NtOpenEvent"
arguments of the "SSDT" function of the "SPBBCDrv.sys" driver. Norton
Personal Firewall 2006 versions 9.1.1.7 and 9.1.0.33 are affected.
Ref: http://www.securityfocus.com/archive/1/464456
____________________________________________________________________
07.15.53 CVE: Not Available
Platform: Cross Platform
Title: PulseAudio Assert() Remote Denial of Service
Description: PulseAudio is a sound server for POSIX and Win32 systems.
The application is exposed to a remote denial of service issue which
occurs when a client sends zero bytes of data. PulseAudio
version 0.9.5 is affected.
Ref: http://aluigi.altervista.org/adv/pulsex-adv.txt
____________________________________________________________________
07.15.54 CVE: Not Available
Platform: Cross Platform
Title: PHP Msg_Receive() Memory Allocation Integer Overflow
Description: PHP is a general purpose scripting language that is
especially suited for web development and can be embedded into HTML.
PHP is exposed to an integer overflow issue because it fails to ensure
that integer values aren't overrun. PHP versions prior to 4.4.5 and
5.2.1 are affected.
Ref: http://www.php-security.org/MOPB/MOPB-43-2007.html
____________________________________________________________________
07.15.55 CVE: Not Available
Platform: Cross Platform
Title: PHP Str_Replace() Integer Overflow
Description: PHP is a general purpose scripting language that is
especially suited for web development and can be embedded into HTML.
PHP is exposed to an integer overflow issue because it fails to ensure
that integer values aren't overrun. PHP versions prior to 4.4.5 and
5.2.1 are affected.
Ref: http://www.php-security.org/MOPB/MOPB-39-2007.html
____________________________________________________________________
07.15.56 CVE: Not Available
Platform: Cross Platform
Title: PHP Imap_Mail_Compose() Function Buffer Overflow
Description: PHP is a general purpose scripting language that is
especially suited for web development and can be embedded into HTML.
PHP is exposed to a buffer overflow issue because the application
fails to perform boundary checks before copying user-supplied data to
insufficiently sized memory buffers. PHP versions prior to 4.4.5 and
5.2.1 are affected.
Ref: http://www.php-security.org/MOPB/MOPB-40-2007.html
____________________________________________________________________
07.15.57 CVE: Not Available
Platform: Cross Platform
Title: PHP sqlite_udf_decode_binary() Function Buffer Overflow
Description: PHP is a general purpose scripting language that is
especially suited for web development and can be embedded into HTML.
PHP is exposed to a buffer overflow issue because the application
fails to perform boundary checks before copying user-supplied data to
insufficiently sized memory buffers. PHP versions prior to 4.4.5 and
5.2.1 are affected.
Ref: http://www.php-security.org/MOPB/MOPB-41-2007.html
____________________________________________________________________
07.15.58 CVE: Not Available
Platform: Cross Platform
Title: PHP Printf() Function 64bit Casting Multiple Format String
Vulnerabilities
Description: PHP is a general purpose scripting language that is
especially suited for web development and can be embedded into HTML.
The application is exposed to multiple format string issues due to a
design error when casting 64 bit variables to 32 bits. PHP versions
prior to 4.4.5 and 5.2.1 running on 64 bit computers are affected.
Ref: http://www.php-security.org/MOPB/MOPB-38-2007.html
____________________________________________________________________
07.15.59 CVE: Not Available
Platform: Cross Platform
Title: Hitachi uCosminexus Application Server Session Information
Remote Unauthorized Access
Description: Hitachi uCosminexus Application Server is a J2EE
compliant environment for running applications. The application server
is exposed to an unauthorized access issue. Please refer to the
advisory for further details.
Ref:
http://www.hitachi-support.com/security_e/vuls_e/HS07-006_e/index-e.html
____________________________________________________________________
07.15.60 CVE: Not Available
Platform: Cross Platform
Title: Flyspray Unspecified Security Bypass and Information Disclosure
Vulnerabilities
Description: FlySpray is a bug tracking system. The application is
exposed to an unspecified security bypass issue and an unspecified
information disclosure issue. FlySpray version 0.9.9 is affected.
Ref: http://www.flyspray.org/fsa:1
____________________________________________________________________
07.15.61 CVE: Not Available
Platform: Web Application - Cross Site Scripting
Title: eXV2 CMS Multiple Cross-Site Scripting Vulnerabilities
Description: eXV2 CMS is a content management application. The
application is exposed to multiple cross-site scripting issues because
it fails to sanitize user-supplied input to the "set_lang" parameter
of the "archive.php", "article.php", "index.php" and "topics.php"
scripts. eXV2 CMS version 2.0.4.3 is affected.
Ref: http://www.securityfocus.com/bid/23314
____________________________________________________________________
07.15.62 CVE: Not Available
Platform: Web Application - Cross Site Scripting
Title: HolaCMS Index_CMS.PHP Cross-Site Scripting
Description: HolaCMS is a content management application. The
application is exposed to a cross-site scripting issue because it
fails to properly sanitize user-supplied input to the "acuparam"
parameter of the "index_cms.php" script. HolaCMS version 1.4.10 is
affected.
Ref: http://www.securityfocus.com/archive/1/464572
____________________________________________________________________
07.15.63 CVE: Not Available
Platform: Web Application - Cross Site Scripting
Title: NextPage LivePublish LPEXT.DLL Cross-Site Scripting
Description: LivePublish is an application used to package documents
into collections which can be accessed and searched via web browsers.
A cross-site scripting issue exists because the application fails to
properly sanitize user-supplied input to the "f" parameter of the
"lpext.dll" file. LivePublish version 2.02 is affected.
Ref: http://www.securityfocus.com/bid/23270
____________________________________________________________________
07.15.64 CVE: Not Available
Platform: Web Application - Cross Site Scripting
Title: Atlassian JIRA IssueNavigator.JSPA Cross-Site Scripting
Description: Atlassian JIRA is a web portal written in
Java/JavaScript. The application is exposed to a cross-site scripting
issue because it fails to properly sanitize user-supplied input to the
"RequestId" parameter of the "IssueNavigator.jspa" script. Atlassian
JIRA version 3.4.2 is affected.
Ref: http://www.securityfocus.com/bid/23244
____________________________________________________________________
07.15.65 CVE: Not Available
Platform: Web Application - Cross Site Scripting
Title: Drake CMS UI.DTA.PHP Cross-Site Scripting
Description: Drake CMS is a content management system. The application
is exposed to a cross-site scripting issue because it fails to
properly sanitize user-supplied input to the "desc[][title]" parameter
of the "ui.dta.php" script. Drake CMS version 0.3.7 Beta is affected.
Ref: http://www.securityfocus.com/archive/1/464272
____________________________________________________________________
07.15.66 CVE: Not Available
Platform: Web Application - SQL Injection
Title: XOOPS WF-Link Module Viewcat.PHP SQL Injection
Description: WF-Link is a module for the XOOPS CMS. The application is
exposed to an SQL injection issue because it fails to sufficiently
sanitize user-supplied data to the "cid" parameter of the
"viewcat.php" script before using it in an SQL query.
WF-Link version 1.03 is affected.
Ref: http://www.securityfocus.com/bid/23340
____________________________________________________________________
07.15.67 CVE: Not Available
Platform: Web Application - SQL Injection
Title: XOOPS Jobs Module Index.PHP SQL Injection
Description: Jobs is a module for the XOOPS CMS. The application is
exposed to an SQL injection issue because it fails to sufficiently
sanitize user-supplied data to the "cid" parameter of the "index.php"
script before using it in an SQL query. Jobs Module versions 2.4 and
earlier are affected.
Ref: http://www.securityfocus.com/bid/23344
____________________________________________________________________
07.15.68 CVE: Not Available
Platform: Web Application - SQL Injection
Title: Gazi Okul Sitesi Fotokategori.ASP SQL Injection
Description: Gazi Okul Sitesi is a web application. The application is
exposed to an SQL injection issue because it fails to sufficiently
sanitize user-supplied data to unspecified parameters of the
"fotokategori.asp" script before using it in an SQL query. Gazi Okul
Sitesi version 2007 is affected.
Ref: http://www.securityfocus.com/bid/23316
____________________________________________________________________
07.15.69 CVE: Not Available
Platform: Web Application - SQL Injection
Title: XOOPS Rha7 Downloads Module Visit.PHP SQL Injection
Description: Rha7 Downloads is a module for the XOOPS CMS. The
application is exposed to an SQL injection issue because it fails to
sufficiently sanitize user-supplied data to the "lid" parameter of the
"visit.php" script before using it in an SQL query. Rha7 Downloads
version 1.0 is affected.
Ref: http://www.securityfocus.com/bid/23320
____________________________________________________________________
07.15.70 CVE: Not Available
Platform: Web Application - SQL Injection
Title: WordPress Post_ID Parameter SQL Injection
Description: WordPress is a freely available application for desktop
publishing. The application is exposed to an SQL injection issue
because it fails to sufficiently sanitize user-supplied data.
WordPress version 2.1.2 is affected.
Ref: http://www.securityfocus.com/bid/23294
____________________________________________________________________
07.15.71 CVE: CVE-2007-1810
Platform: Web Application - SQL Injection
Title: XOOPS KShop Module Product_Details.PHP SQL Injection
Description: KShop is a module for the XOOPS CMS. The application is
exposed to an SQL injection issue because it fails to sufficiently
sanitize user-supplied data to the "id" parameter of the
"product_details.php" script before using it in an SQL query. KShop
version 1.17 is affected.
Ref: http://www.securityfocus.com/bid/23272
____________________________________________________________________
07.15.72 CVE: Not Available
Platform: Web Application - SQL Injection
Title: XOOPS PopnupBlog Module Index.PHP SQL Injection
Description: PopnupBlog is a module for the XOOPS CMS. The application
is exposed to an SQL injection issue because it fails to sufficiently
sanitize user-supplied data to the "postid" parameter of the
"index.php" script before using it in an SQL query.
PopnupBlog version 2.52 is affected.
Ref: http://www.securityfocus.com/bid/23286
____________________________________________________________________
07.15.73 CVE: Not Available
Platform: Web Application - SQL Injection
Title: XFsection Xoops Module Print.PHP SQL Injection
Description: XFsection is a module for XOOPS CMS which simplifies the
handling of existing HTML documents. The application is exposed to an
SQL injection issue because it fails to sufficiently sanitize
user-supplied data to the "articleid" parameter of the "print.php"
script before using it in an SQL query. XFsection versions 1.07 and
earlier are affected.
Ref: http://www.securityfocus.com/bid/23261
____________________________________________________________________
07.15.74 CVE: CVE-2007-1779
Platform: Web Application - SQL Injection
Title: Advanced Website Creator Multiple SQL Injection Vulnerabilities
Description: Advanced Website Creator is a web development
environment. The application is exposed to SQL injection issues
because it fails to sufficiently sanitize user-supplied data before
using it in an SQL query. Advanced Website Creator versions prior to
1.9.0 are affected.
Ref: http://www.securityfocus.com/bid/23268
____________________________________________________________________
07.15.75 CVE: Not Available
Platform: Web Application - SQL Injection
Title: XOOPS Debaser Module Genre.PHP SQL Injection
Description: The XOOPS Debaser Module is a module for XOOPS CMS. The
application is exposed to an SQL injection issue because it fails to
sufficiently sanitize user-supplied data to the "genreid" parameter of
the "genre.php" script before using it in an SQL query. The XOOPS
Debaser Module version 0.92 is affected.
Ref: http://www.securityfocus.com/bid/23253
____________________________________________________________________
07.15.76 CVE: Not Available
Platform: Web Application - SQL Injection
Title: PHP-Fusion Multiple Modules Index.PHP SQL Injection
Vulnerabilities
Description: PHP-Fusion modules are components for the PHP-Fusion
content management system (CMS). The application is exposed to
multiple SQL injection issues because these modules fail to
sufficiently sanitize user-supplied data to the "cid" parameter of the
"index.php" script before using it in an SQL query. PHP-Fusion
Topliste version 1.0 and PHP-Fusion Arcade Module version 1.0 are affected.
Ref: http://www.securityfocus.com/bid/23256
____________________________________________________________________
07.15.77 CVE: Not Available
Platform: Web Application - SQL Injection
Title: XOOPS Module Zmagazine Print.PHP SQL Injection
Description: Zmagazine is a module for XOOPS CMS. The application is
exposed to an SQL injection issue because it fails to sufficiently
sanitize user-supplied data to the "articleid" parameter of the
"print.php" script before using it in an SQL query. Zmagazine version
1.0 is affected.
Ref: http://www.securityfocus.com/bid/23258
____________________________________________________________________
07.15.78 CVE: Not Available
Platform: Web Application - SQL Injection
Title: XOOPS WF-Section Module Print.PHP SQL Injection
Description: The XOOPS WF Section Module is a module for XOOPS CMS.
The application is exposed to an SQL injection issue because it fails
to sufficiently sanitize user-supplied data to the "articleid"
parameter of the "print.php" script before using it in an SQL query.
The XOOPS WF Section Module version 1.01 is affected.
Ref: http://www.securityfocus.com/bid/23259
____________________________________________________________________
07.15.79 CVE: Not Available
Platform: Web Application - SQL Injection
Title: XOOPS RM+Soft Gallery Module Categos.PHP SQL Injection
Description: The XOOPS RM+Soft Gallery Module is a module for XOOPS
CMS. The application is exposed to an SQL injection issue because it
fails to sufficiently sanitize user-supplied data to the "idcat"
parameter of the "categos.php" script before using it in an SQL query.
The XOOPS RM+Soft Gallery Module version 1.0 is affected.
Ref: http://www.securityfocus.com/bid/23250
____________________________________________________________________
07.15.80 CVE: Not Available
Platform: Web Application - SQL Injection
Title: XOOPS Module Camportail Show.PHP SQL Injection
Description: XOOPS Module Camportail is a module for XOOPS CMS. The
application is exposed to an SQL injection issue because it fails to
sufficiently sanitize user-supplied data to the "camid" parameter of
the "show.php" script before using it in an SQL query. XOOPS Module
Camportail version 1.1 is affected.
Ref: http://www.securityfocus.com/bid/23245
____________________________________________________________________
07.15.81 CVE: Not Available
Platform: Web Application - SQL Injection
Title: FlexPHPNews News.PHP SQL Injection
Description: FlexPHPNews is a news management application for
web sites. The application is exposed to an SQL injection issue because
it fails to sufficiently sanitize user-supplied data to the "newsid"
parameter of the "news.php" script before using it in an SQL query.
FlexPHPNews version 0.0.5 is affected.
Ref: http://www.securityfocus.com/bid/23247
____________________________________________________________________
07.15.82 CVE: Not Available
Platform: Web Application - SQL Injection
Title: PHP-Fusion Calendar_Panel Module Show_Event.PHP SQL Injection
Description: PHP Fusion is a content management system (CMS). The
application is exposed to an SQL injection issue because it fails to
sufficiently sanitize user-supplied data to the "m_month" parameter of
the "show_event.php" script before using it in an SQL query. The
affected script is part of the "Calendar Panel" application module.
Ref: http://www.securityfocus.com/bid/23225
____________________________________________________________________
07.15.83 CVE: Not Available
Platform: Web Application - SQL Injection
Title: XOOPS Multiple Modules ViewCat.PHP SQL Injection
Vulnerabilities
Description: XOOPS Modules are components for the XOOPS content
management system (CMS). The application is exposed to multiple SQL
injection issues because these modules fail to sufficiently sanitize
user-supplied data to the "cid" parameter of the "viewcat.php" script
before using it in an SQL query.
Ref: http://www.securityfocus.com/bid/23229
____________________________________________________________________
07.15.84 CVE: Not Available
Platform: Web Application - SQL Injection
Title: XOOPS Module Lykos Reviews Index.PHP SQL Injection
Description: XOOPS Module Lykos Reviews is a module for XOOPS CMS. The
application is exposed to an SQL injection issue because it fails to
sufficiently sanitize user-supplied data to the "uid" parameter of the
"index.php" script before using it in an SQL query. XOOPS Module Lykos
Reviews version 1.00 is affected.
Ref: http://www.securityfocus.com/bid/23232
____________________________________________________________________
07.15.85 CVE: Not Available
Platform: Web Application - SQL Injection
Title: XOOPS Module Repository ViewCat.PHP SQL Injection
Description: XOOPS Module Repository is a module for XOOPS CMS. The
application is exposed to an SQL injection issue because it fails to
sufficiently sanitize user-supplied data to the "cid" parameter of the
"viewcat.php" script before using it in an SQL query.
Ref: http://www.securityfocus.com/bid/23221
____________________________________________________________________
07.15.86 CVE: Not Available
Platform: Web Application - SQL Injection
Title: Malaika System MyAds XOOPS Module Index.PHP SQL Injection
Description: Malaika System MyAds is a module for XOOPS CMS. The
application is exposed to an SQL injection issue because it fails to
sufficiently sanitize user-supplied data to the "cid" parameter of the
"index.php" script before using it in an SQL query.
MyAds versions 2.04jp and prior are affected.
Ref: http://www.securityfocus.com/bid/23212
____________________________________________________________________
07.15.87 CVE: Not Available
Platform: Web Application
Title: Sisplet CMS Komentar.PHP Remote File Include
Description: Sisplet CMS is a content management system. The
application is exposed to a remote file include issue because it fails
to sufficiently sanitize user-supplied input to the "site_path"
parameter of the "komentar.php" script. Sisplet CMS version 05.10 is
affected.
Ref: http://www.securityfocus.com/bid/23334
____________________________________________________________________
07.15.88 CVE: Not Available
Platform: Web Application
Title: phpMyNewsletter Multiple Scripts Authentication Bypass
Vulnerabilities
Description: phpMyNewsletter is a newsletter management application.
The application is exposed to issues which allow an attacker to bypass
authentication. The "index.php" script fails to verify user
authentication prior to allowing configuration information to be
changed. phpMyNewsletter versions 0.8 beta 5 and earlier are affected.
Ref: http://www.securityfocus.com/bid/23342
____________________________________________________________________
07.15.89 CVE: Not Available
Platform: Web Application
Title: PHP-Generics _App_Relative_Path Multiple Remote File Include
Vulnerabilities
Description: PHP Generics is a web-based application for database
development. The application is exposed to multiple remote file
include issues because it fails to sufficiently sanitize user-supplied
input to the "_APP_RELATIVE_PATH" parameter.
PHP Generics version 1.0 beta is affected.
Ref: http://www.securityfocus.com/bid/23328
____________________________________________________________________
07.15.90 CVE: Not Available
Platform: Web Application
Title: CodeWand PHPBrowse Include_Stream.Inc.PHP Remote File Include
Description: PHPBrowse is a folder browsing script. The application is
exposed to a remote file include issue because it fails to
sufficiently sanitize user-supplied input to the "include_path"
parameter of the "include_stream.inc.php" script.
Ref: http://www.securityfocus.com/bid/23329
____________________________________________________________________
07.15.91 CVE: Not Available
Platform: Web Application
Title: Lite-CMS Index.PHP Local File Include
Description: Lite CMS is a content manager. The application is exposed
to a local file include issue because it fails to properly sanitize
user-supplied input to the "p" parameter of the "index.php" script.
Lite CMS version 0.2.1 is affected.
Ref: http://www.securityfocus.com/bid/23330
____________________________________________________________________
07.15.92 CVE: Not Available
Platform: Web Application
Title: phpBB Mutant Mutant_Functions.PHP Remote File Include
Description: Mutant is a portal module for phpBB. The application is
exposed to a remote file include issue because it fails to
sufficiently sanitize user-supplied input to the "phpbb_root_path"
parameter of the "mutant_includes/mutant_functions.php" script. phpBB
version 0.9.2 is affected.
Ref: http://www.securityfocus.com/bid/23319
____________________________________________________________________
07.15.93 CVE: Not Available
Platform: Web Application
Title: AroundMe Multiple Remote File Include Vulnerabilities
Description: AroundMe is a content management system (CMS). The
application is exposed to multiple remote file include issues because
it fails to sufficiently sanitize user-supplied input. AroundMe
version 0.7.7 is affected.
Ref: http://www.securityfocus.com/bid/23303
____________________________________________________________________
07.15.94 CVE: Not Available
Platform: Web Application
Title: CyBoards PHP Lite Default_Header.PHP Remote File Include
Description: CyBoards PHP Lite is a web-based social networking
application. CyBoards PHP Lite is exposed to a remote file include
issue because it fails to properly sanitize user-supplied input to the
"script_path" parameter of "default_header.php". CyBoards PHP Lite
version 1.21 is affected.
Ref: http://www.securityfocus.com/bid/23306
____________________________________________________________________
07.15.95 CVE: Not Available
Platform: Web Application
Title: MyBlog Games.PHP Remote File Include
Description: MyBlog is a content manager. The application is exposed
to a remote file include issue because it fails to sufficiently
sanitize user-supplied input to the "scoreid" parameter of the
"games.php" script. MyBlog versions 1.0 through 1.6 are affected.
Ref: http://www.securityfocus.com/bid/23311
____________________________________________________________________
07.15.96 CVE: Not Available
Platform: Web Application
Title: MySpeach Multiple Local and Remote File Include Vulnerabilities
Description: MySpeach is a text-based chat application. The
application is exposed to multiple local and remote file include
issues. The remote and local file include issues are due to a lack of
proper sanitization of user-supplied input to the "$_COOKIE" variable
of the "chat.php" script. MySpeach version 3.0.7 is affected.
Ref: http://www.securityfocus.com/bid/23302
____________________________________________________________________
07.15.97 CVE: Not Available
Platform: Web Application
Title: DirectAdmin Logfile HTML Injection
Description: DirectAdmin is a web hosting control panel application.
The application is exposed to an HTML injection issue because it fails
to properly sanitize user-supplied input before using it in
dynamically generated content. DirectAdmin version 1.29.3 is affected.
Ref: http://www.securityfocus.com/archive/1/464471
____________________________________________________________________
07.15.98 CVE: Not Available
Platform: Web Application
Title: Really Simple PHP and Ajax Multiple Remote File Include
Vulnerabilities
Description: Really Simple PHP and Ajax is an Ajax enabled framework
for PHP. The application is exposed to multiple remote file include
issues because it fails to properly sanitize user-supplied input
before processing it in a "require()" function call. Really Simple
PHP and Ajax version rspa-2007-03-23 is affected.
Ref: http://www.securityfocus.com/bid/23246
____________________________________________________________________
07.15.99 CVE: Not Available
Platform: Web Application
Title: BT-Sondage Gestion_Sondage.PHP Remote File Include
Description: BT-Sondage is a web-based survey application. The
application is exposed to a remote file include issue because it fails
to sufficiently sanitize user-supplied input to the
"repertoire_visiteur" parameter of the
"utilitaires/gestion_sondage.php" script. BT-Sondage version 1.12 is
affected.
Ref: http://www.securityfocus.com/bid/23248
____________________________________________________________________
07.15.100 CVE: Not Available
Platform: Web Application
Title: MapTools MapLab Params.PHP Remote File Include
Description: MapLab is a suite of web-based tools for managing
MapServer. The application is exposed to a remote file include issue
because it fails to sufficiently sanitize user-supplied input to the
"gszAppPath" parameter of the "/htdocs/gmapfactory/params.php" script.
MapLab version 2.2.1 is affected.
Ref: http://www.securityfocus.com/archive/1/464462
____________________________________________________________________
07.15.101 CVE: Not Available
Platform: Web Application
Title: CWB Pro Include_Path Multiple Remote File Include
Vulnerabilities
Description: CWB PRO is a content management system. The application
is exposed to multiple remote file include issues because it fails to
sufficiently sanitize user-supplied input to the "INCLUDE_PATH"
parameter. CWB PRO version 1.5 is affected.
Ref: http://www.securityfocus.com/bid/23242
____________________________________________________________________
07.15.102 CVE: Not Available
Platform: Web Application
Title: JCCorp URLShrink Email Parameter Remote Code Execution
Description: JCCorp URLshrink is a web-based application that
condenses overly large URLs. The application is exposed to a remote
code execution issue because it fails to properly sanitize
user-supplied input passed to the "email" parameter. JCCorp URLshrink
version 1.3.1 is affected.
Ref: http://www.securityfocus.com/bid/23217
____________________________________________________________________
07.15.103 CVE: Not Available
Platform: Web Application
Title: Forum Picture and Meta Tags Module PHPBB_ROOT_PATH Remote File
Include
Description: Forum Picture and Meta Tags module for phpBB is a tool for
adding a picture and meta tag to individual forums. The application is
exposed to a remote file include issue because it fails to
sufficiently sanitize user-supplied input to the "phpbb_root_path"
parameter of the "MOD_forum_fields_parse.php" script. Forum Picture
version 1.7 is affected.
Ref: http://www.securityfocus.com/bid/23222/references
____________________________________________________________________
07.15.104 CVE: Not Available
Platform: Web Application
Title: JSBoard Login.PHP Local File Include
Description: JSBoard is a content management system. The application
is exposed to a local file include issue because it fails to properly
sanitize user-supplied input to the "table" parameter of the
"login.php" script. JSBoard version 2.0.10 is affected.
Ref: http://www.securityfocus.com/bid/23223
____________________________________________________________________
07.15.105 CVE: Not Available
Platform: Web Application
Title: Drake CMS 404.PHP Local File Include
Description: Drake CMS is a content management system. The application
is exposed to a local file include issue because it fails to properly
sanitize user-supplied input to the "d_private" parameter of the
"404.php" script. Drake CMS version 0.3.7 Beta is affected.
Ref: http://www.securityfocus.com/bid/23215
____________________________________________________________________
07.15.106 CVE: Not Available
Platform: Web Application
Title: MailDwarf Multiple Input Validation Vulnerabilities
Description: MailDwarf is a web mail application implemented in Perl.
The application is exposed to multiple cross-site scripting and input
validation issues. MailDwarf version 3.01 is affected.
Ref: http://www.securityfocus.com/bid/23207
____________________________________________________________________
(c) 2007. All rights reserved. The information contained in this
newsletter, including any external links, is provided "AS IS," with no
express or implied warranty, for informational purposes only. In some
cases, copyright for material in this newsletter may be held by a
party other than Qualys (as indicated herein) and permission to use
such material must be requested from the copyright owner.
Subscriptions:
RISK is distributed free of charge to people responsible
for managing and securing information systems and networks. You may
forward this newsletter to others with such responsibility inside or
outside your organization.