RISK: The Consensus Security Vulnerability Alert Vol. 7 No. 7

From: The SANS Institute (ConsensusSecurityVulnerabilityAlertsans.org)
Date: Thu Feb 14 2008 - 19:35:28 CST


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

What a Week!
Vulnerabilities on the most critical list this week: 1 Microsoft, 2
Apple, 1 Novell, 1 Symantec, 2 Adobe, and 1 ClamAV. Add 9 more
"high" criticality vulnerabilities and 3 of moderate criticality and you
have the most challenging security week in many months.

Note how many of these vulnerabilities are NOT patched by Microsoft's
automatic updaters. Too many companies are not updating applications
other than Windows products. That's more than dangerous.
                                   Alan

*************************************************************************
            RISK: The Consensus Security Vulnerability Alert
Feb 14, 2008 Vol. 7. Week 7
*************************************************************************

RISK is the SANS community's consensus bulletin summarizing the most
important vulnerabilities and exploits identified during the past week
and providing guidance on appropriate actions to protect your systems
(PART I). It also includes a comprehensive list of all new
vulnerabilities discovered in the past week (PART II).

Summary of Updates and Vulnerabilities in this Consensus
Platform                                  Number of Updates and Vulnerabilities
- ---------------------------------------- -------------------------------------
Microsoft Windows                         3 (#1, #9, #11)
Other Microsoft Products                  3 (#10, #11, #12, #13, #14, #18)
Third Party Windows Apps                  20 (#3, #4, #7, #16)
Mac OS                                    2 (#2, #19)
Linux                                     2
BSD                                       1
Novell                                    2
Cross Platform                            13 (#5, #6, #8, #15, #17, #20)
Web Application - Cross Site Scripting    14
Web Application - SQL Injection           24
Web Application                           23
Network Device                            1

*************************** Sponsored By SANS ***************************

SANS returns to Denver, Colorado, for SANS Rocky Mountain Bootcamp 2008
June 8-13. A special feature of this event is the evening hands-on lab
sessions where senior faculty members will guide you through using the
tools presented in class. This may be the most intense and productive
learning environment you ever experience!
http://www.sans.org/info/23438
*************************************************************************
TRAINING UPDATE
Where can you find the newest Penetration Testing techniques,
Application Pen Testing, Hacker Exploits, Secure Web Application
Development, Security Essentials, Forensics, Wireless, Auditing, CISSP,
and SANS' other top-rated courses?
- - SANS 2008 in Orlando (4/18-4/25) SANS' biggest program with myriad
bonus sessions and a huge exhibition of security products:
http://www.sans.org/sans2008
- - Washington DC (Tyson's) 3/24-3/31 http://www.sans.org/tysonscorner08
- - Prague (2/18-2/23): http://www.sans.org/prague08
- - San Diego (5/9-5/16) http://www.sans.org/securitywest08
- - Toronto (5/10-5/16) http://www.sans.org/toronto08
- - and in 100 other cities and on line any-time: www.sans.org
*************************************************************************

Table Of Contents
Part I -- Critical Vulnerabilities from TippingPoint (www.tippingpoint.com)

Widely Deployed Software
(1) CRITICAL: Microsoft Windows WebDAV Mini-Redirector Heap Overflow (MS08-007)
(2) CRITICAL: Apple Mac OS X Multiple Vulnerabilities (Security Update 2008-001)
(3) CRITICAL: Apple QuickTime ActiveX Control Multiple Vulnerabilities
(4) CRITICAL: Novell Client "NWSPOOL.DLL" Buffer Overflow
(5) CRITICAL: Symantec Backup Exec System Recovery Manager Arbitrary File Upload
(6) CRITICAL: Adobe Reader Multiple Vulnerabilities
(7) CRITICAL: Adobe Flash Media Server Multiple Vulnerabilities
(8) CRITICAL: ClamAV Multiple Vulnerabilities
(9) HIGH: Microsoft OLE Memory Corruption (MS08-008)
(10) HIGH: Microsoft Word Memory Corruption (MS08-009)
(11) HIGH: Microsoft Internet Explorer Multiple Vulnerabilities (MS08-010)
(12) HIGH: Microsoft Office Publisher Multiple Vulnerabilities (MS08-012)
(13) HIGH: Microsoft Office Memory Corruption (MS08-013)
(14) HIGH: Microsoft Works Converter Multiple Vulnerabilities (MS08-011)
(15) HIGH: IBM DB2 Universal Database Administration Server Memory Corruption
(16) HIGH: SAP SAPlpd and SAPSprint Multiple Vulnerabilities
(17) HIGH: Sun Java Runtime Environment Multiple Vulnerabilities
(18) MODERATE: Microsoft Internet Information Services ASP Remote Code Execution (MS08-006)
(19) MODERATE: Apple iPhoto Format Photocast Format String Vulnerability
(20) MODERATE: MPlayer Multiple Vulnerabilities

************************** SPONSORED LINK *************************
1) Learn about testing network security and encryption technology.
Complimentary Tested with Spirent Security Testing Seminar.
http://www.sans.org/info/23928
*********************************************************************

Part II -- Comprehensive List of Newly Discovered Vulnerabilities from
Qualys (www.qualys.com)

 -- Other Microsoft Products
08.7.1 - Microsoft February 2008 Advance Notification Multiple Vulnerabilities
 -- Third Party Windows Apps
08.7.2 - Titan FTP Server USER/PASS Commands Buffer Overflow
08.7.3 - Ipswitch WS_FTP SFTP Opendir Command Buffer Overflow
08.7.4 - Facebook Photo Uploader 4 ActiveX Control "ExtractIptc/ExtractExif" Buffer Overflow Vulnerabilities
08.7.5 - Aurigma Image Uploader ActiveX Controls "ExtractIptc/ExtractExif" Buffer Overflow Vulnerabilities
08.7.6 - Yahoo! Music JukeBox MediaGrid "mediagrid.dll" ActiveX Control Remote Buffer Overflow
08.7.7 - Yahoo! Music JukeBox "datagrid.dll" ActiveX Control Remote Buffer Overflow
08.7.8 - Namo Web Editor "NamoInstaller.dll" ActiveX Control Remote Buffer Overflow
08.7.9 - Yahoo! Music Jukebox AddImage Function ActiveX Remote Buffer Overflow
08.7.10 - Xlight FTP Server LDAP Blank Password Authentication Bypass
08.7.11 - Print Manager Plus PQCore Remote Denial of Service
08.7.12 - Titan FTP Server DELE Command Remote Buffer Overflow
08.7.13 - SAPlpd Multiple Remote Vulnerabilities
08.7.14 - WinCom LPD Total Multiple Buffer Overflow Vulnerabilities and Authentication Bypass
08.7.15 - Nero Media Player M3U Buffer Overflow
08.7.16 - Symantec Backup Exec System Recovery Manager FileUpload Class Unauthorized File Upload
08.7.17 - GlobalLink "HanGamePlugincn18.dll" ActiveX Control Buffer Overflow
08.7.18 - dBpowerAMP Audio Player M3U Buffer Overflow
08.7.19 - Symantec Altiris Notification Server Agents Shatter Attack Privilege Escalation
08.7.20 - Symantec Ghost Solution Suite ARP Spoofing Authentication Bypass
08.7.21 - Check Point VPN SecureClient/SecuRemote Local Login Credentials Information Disclosure
 -- Mac OS
08.7.22 - Apple iPhoto Photocast Subscription Remote Format String
 -- Linux
08.7.23 - MPlayer "demux_audio.c" Remote Stack-Based Buffer Overflow
08.7.24 - MPlayer "demux_mov.c" Remote Code Execution
 -- BSD
08.7.25 - OpenBSD PRNG DNS Cache Poisoning and Predictable IP ID Weakness
 -- Novell
08.7.26 - Novell Netmail IMAP "AUTHENTICATE GSSAPI" Buffer Overflow
08.7.27 - Novell Challenge Response Client Local Clipboard Disclosure Weakness
 -- Cross Platform
08.7.28 - IBM DB2 Universal Database Server 8.2 Prior To Fixpak 16 Multiple Local Vulnerabilities
08.7.29 - Rasterbar Software libtorrent "bdecode_recursive()" Remote Denial of Service
08.7.30 - Avaya Distributed Office IP Tables Remote Denial of Service
08.7.31 - Ipswitch FTP Log Server Denial of Service
08.7.32 - HP OpenView Network Node Manager Unspecified Denial of Service
08.7.33 - dBpowerAMP Audio Player M3U Buffer Overflow Vulnerability
08.7.34 - Adobe Reader Multiple Unspecified Security Vulnerabilities
08.7.35 - KAME Project IPv6 IPComp Header Denial of Service
08.7.36 - Sun Java RunTime Environment Read and Write Permission Multiple Privilege Escalation Vulnerabilities
08.7.37 - TCL/TK Tk Toolkit "ReadImage()" GIF File Buffer Overflow
08.7.38 - WS_FTP Server Manager Authentication Bypass and Information Disclosure Vulnerabilities
08.7.39 - TinTin++ and WinTin++ "#chat" Command Multiple Security Vulnerabilities
08.7.40 - HP Select Identity 4.20 and Prior Unspecified Remote Unauthorized Access
 -- Web Application - Cross Site Scripting
08.7.41 - Domain Trader "catalog.php" Cross-Site Scripting
08.7.42 - WP-Footnotes WordPress Plugin Multiple Remote Vulnerabilities
08.7.43 - Novell GroupWise WebAccess Multiple Cross-Site Scripting Vulnerabilities
08.7.44 - CruxCMS "search.php" Cross-Site Scripting
08.7.45 - IBM OS/400 HTTP Server Expect Header Cross-Site Scripting
08.7.46 - HispaH Youtube Clone "load_message.php" Cross-Site Scripting
08.7.47 - AstroSoft HelpDesk Multiple Cross-Site Scripting Vulnerabilities
08.7.48 - DevTracker Module For bcoos and E-xoops Multiple Cross-Site Scripting Vulnerabilities
08.7.49 - RaidenHTTPD Prior to 2.0.22 Unspecified Cross-Site Scripting
08.7.50 - MyNews "hash" Parameter Cross-Site Scripting
08.7.51 - Pagetool "search_term" Parameter Cross-Site Scripting
08.7.52 - Webmin Search Feature Cross-Site Scripting
08.7.53 - IBM WebSphere Edge Server Caching Proxy Cross-Site Scripting
08.7.54 - LinPHA Multiple Cross-Site Scripting Vulnerabilities
 -- Web Application - SQL Injection
08.7.55 - Archimede Net 2000 "E-Guest_show.php" SQL Injection
08.7.56 - The Everything Development Engine "index.pl" SQL Injection
08.7.57 - phpShop "index.php" SQL Injection
08.7.58 - WordPress Plugin Wordspew SQL Injection
08.7.59 - Joomla! mosDirectory Component "catid" Parameter SQL Injection
08.7.60 - WordPress Plugin ShiftThis Newsletter SQL Injection
08.7.61 - Simple OS CMS "login.php" SQL Injection
08.7.62 - Codice CMS "login.php" SQL Injection
08.7.63 - A-Blog Cross-Site Scripting Vulnerability and SQL-Injection
08.7.64 - Joomla! and Mambo com_marketplace Component "catid" Parameter SQL Injection
08.7.65 - iTechBids Gold "bidhistory.php" SQL Injection
08.7.66 - Awesom! for Joomla! and Mambo SQL Injection
08.7.67 - Joomla! and Mambo "com_shambo2" Component SQL Injection
08.7.68 - Joomla! and Mambo SOBI2 Component SQL Injection
08.7.69 - RMSOFT Gallery System For XOOPS "images.php" SQL Injection
08.7.70 - All Club CMS "index.php" SQL Injection
08.7.71 - photokorn "pic" Parameter SQL Injection
08.7.72 - Astanda Directory Project "detail.php" SQL Injection
08.7.73 - Joomla! and Mambo com_downloads Component "filecatid" Parameter SQL Injection
08.7.74 - Joomla! and Mambo YNews Component 'id' Parameter SQL Injection
08.7.75 - Mihalism Multi Host "users.php" SQL Injection
08.7.76 - osCommerce "customer_testimonials.php" SQL Injection
08.7.77 - Joomla! and Mambo com_sermon Component "gid" Parameter SQL Injection
08.7.78 - Joomla! and Mambo com_doc Component "sid" Parameter SQL Injection
 -- Web Application
08.7.79 - LightBlog "cp_upload_image.php" Arbitrary File Upload
08.7.80 - Joomla! and Mambo NeoReferences Component 'catid' Parameter SQL Injection
08.7.81 - IRIX "lpsched" Remote Command Execution
08.7.82 - iTechClassifieds "ViewCat.php" Input Validation
08.7.83 - DMSGuestbook Multiple Input Validation Vulnerabilities
08.7.84 - Gelato CMS "Comments.php" HTML Injection
08.7.85 - Anon Proxy Server Remote Authentication Buffer Overflow
08.7.86 - BlogPHP "index.php" SQL Injection Vulnerability and Cross-Site Scripting
08.7.87 - Openads Delivery Engine Remote Code Execution
08.7.88 - Textpattern 4.0.5 Multiple Security Vulnerabilities
08.7.89 - Magnolia CE "ActivationHandler" URL Security Bypass
08.7.90 - Portail Web Php "site_path" Multiple Remote File Include Vulnerabilities
08.7.91 - Download Management for PHP-Fusion Multiple Local File Include Vulnerabilities
08.7.92 - VHD Web Pack "index.php" Local File Include
08.7.93 - XOOPS "lang" Parameter Local File Include
08.7.94 - Mailman "list templates" and "list info" Multiple HTML Injection Vulnerabilities
08.7.95 - Documentum Products "dmclTrace.jsp" Arbitrary File Overwrite
08.7.96 - WordPress "wp-admin/options.php" Remote Code Execution
08.7.97 - OpenSiteAdmin "path" Multiple Remote File Include Vulnerabilities
08.7.98 - HP Storage Essentials SRM Unspecified Remote Unauthorized Access
08.7.99 - WordPress "xmlrpc.php" Post Edit Unauthorized Access
08.7.100 - mini-pub "sFileName" Parameter Multiple Input Validation Vulnerabilities
08.7.101 - MODx HTML Injection Vulnerability and Multiple Cross-Site Scripting Vulnerabilities
 -- Network Device
08.7.102 - MicroTik RouterOS SNMP SET Denial of Service

______________________________________________________________________

PART I Critical Vulnerabilities

Part I for this issue has been compiled by Rob King at TippingPoint, a
division of 3Com, as a by-product of that company's continuous effort
to ensure that its intrusion prevention products effectively block
exploits using known vulnerabilities. TippingPoint's analysis is
complemented by input from a council of security managers from twelve
large organizations who confidentially share with SANS the specific
actions they have taken to protect their systems. A detailed description
of the process may be found at
http://www.sans.org/newsletters/cva/#process

*****************************
Widely Deployed Software
*****************************

(1) CRITICAL: Microsoft Windows WebDAV Mini-Redirector Heap Overflow (MS08-007)
Affected:
Microsoft Windows XP
Microsoft Windows Server 2003
Microsoft Windows Vista

Description: Web Distributed Authoring and Versioning (WebDAV) is a
protocol that provides filesystem-like access to resources exported over
HTTP. The WebDAV mini-redirector (mrxdav.sys) is a kernel-mode component
of Microsoft Windows that lets applications access WebDAV shares
transparently, as if they were ordinary file shares. The mini-redirector
contains a heap-based buffer overflow in its handling of responses from
a WebDAV server. A malicious WebDAV server that returns a specially
crafted response could exploit this vulnerability to execute arbitrary
code with SYSTEM privileges on the client. Note that a WebDAV resource
can be reached simply by clicking a link in a web page or email message,
so the attacker needs no prior access to the victim. Technical details
are publicly available for this vulnerability.

Status: Microsoft confirmed, updates available.

References:
Microsoft Security Bulletin
http://www.microsoft.com/technet/security/bulletin/ms08-007.mspx
Hex Blog Post (contains technical details)
http://hexblog.com/2008/02/mrxdavsys_and_hexrays.html
Wikipedia Article on WebDAV
http://en.wikipedia.org/wiki/WebDAV
SecurityFocus BID
http://www.securityfocus.com/bid/27670

***************************************************

(2) CRITICAL: Apple Mac OS X Multiple Vulnerabilities (Security Update 2008-001)
Affected:
Apple Mac OS X versions prior to 10.5.2

Description: Apple has released Security Update 2008-001, addressing
multiple vulnerabilities in Mac OS X. Vulnerabilities in URL handling,
photocasts and web page rendering can lead to arbitrary code execution
with the privileges of the current user. Flaws in the handling of
network accessible filesystems can lead to arbitrary code execution with
root or kernel level privileges. Additional vulnerabilities can lead to
denials-of-service or privilege escalation. Some technical details are
available via source code analysis, and technical details for other
vulnerabilities are publicly available.

Status: Apple confirmed, updates available.

References:
Apple Security Bulletin
http://docs.info.apple.com/article.html?artnum=307430

***************************************************

(3) CRITICAL: Apple QuickTime ActiveX Control Multiple Vulnerabilities
Affected:
Apple QuickTime ActiveX Control versions prior to 7.4.1

Description: Apple QuickTime is Apple's streaming media framework,
available for both Apple Mac OS X and Microsoft Windows. On Microsoft
Windows, some functionality is provided by an ActiveX control. This
ActiveX control contains multiple vulnerabilities in its handling of
parameters passed to various methods. A malicious web page that
instantiates this control could exploit one of these vulnerabilities to
execute arbitrary code with the privileges of the current user. Full
technical details and a proof-of-concept are publicly available for
these vulnerabilities. Note that the affected control is installed along
with Apple iTunes and Apple Safari.

Status: Apple has not confirmed, no updates available. Users can
mitigate the impact of this vulnerability by disabling the affected
control via Microsoft's "kill bit" mechanism using CLSID
"02BF25D5-8C17-4B23-BC80-D3488ABDDC6B". Note that this may affect normal
application functionality.
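
As an added worked example (it is not part of this bulletin or of
Microsoft's KB article), the following PowerShell sets and then verifies
the kill bit for the CLSID above. It assumes an elevated prompt on the
affected Windows host; the Wow6432Node path is an assumption covering
32-bit Internet Explorer on 64-bit Windows and is only touched when that
hive exists.

```powershell
# Added example, not from the SANS bulletin: set the Internet Explorer
# "kill bit" for the Apple QuickTime ActiveX control named in item (3),
# using the mechanism documented in Microsoft KB240797.
# Run from an elevated PowerShell prompt on the affected Windows host.
$clsid = '{02BF25D5-8C17-4B23-BC80-D3488ABDDC6B}'

# Registry roots to update. Assumption: on 64-bit Windows the 32-bit IE
# reads the Wow6432Node hive, so cover it too when it is present.
$roots = @('HKLM:\SOFTWARE')
if (Test-Path 'HKLM:\SOFTWARE\Wow6432Node') {
    $roots += 'HKLM:\SOFTWARE\Wow6432Node'
}

foreach ($root in $roots) {
    $key = "$root\Microsoft\Internet Explorer\ActiveX Compatibility\$clsid"
    if (-not (Test-Path $key)) {
        New-Item -Path $key -Force | Out-Null
    }
    # 0x400 in "Compatibility Flags" is the kill bit: IE refuses to
    # instantiate the control, whatever page tries to load it.
    Set-ItemProperty -Path $key -Name 'Compatibility Flags' `
        -Type DWord -Value 0x400
}

# Verify: each key should now report Compatibility Flags = 0x400 (1024).
foreach ($root in $roots) {
    $key = "$root\Microsoft\Internet Explorer\ActiveX Compatibility\$clsid"
    $v = (Get-ItemProperty -Path $key -Name 'Compatibility Flags').'Compatibility Flags'
    '{0}: Compatibility Flags = 0x{1:X}' -f $key, $v
}
```

Once a fixed QuickTime is installed, the kill bit can be reversed by
setting the flag back to 0 or deleting the {CLSID} key. While it is set,
pages that rely on the QuickTime control will not play media in Internet
Explorer, which is the "normal application functionality" impact noted
above.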

References:
Posting by Laurent Gaffie
http://www.securityfocus.com/archive/1/488045
Microsoft Knowledge Base Article (details the "kill bit" mechanism)
http://support.microsoft.com/kb/240797
Apple QuickTime Home Page
http://www.apple.com/quicktime

***************************************************

(4) CRITICAL: Novell Client "NWSPOOL.DLL" Buffer Overflow
Affected:
Novell Client versions prior to 4.91 update 2

Description: The Novell Client for Microsoft Windows allows Windows
users to access services provided by Novell servers. The client contains
a Remote Procedure Call (RPC) interface that is exposed by default.
Various methods exported by this interface contain buffer overflow
vulnerabilities. A specially crafted call to one of these methods would
allow an attacker to exploit these vulnerabilities and execute arbitrary
code with SYSTEM privileges. Novell had patched this vulnerability, but
it was discovered that the patch contains a logical flaw re-exposing the
original vulnerability. The original vulnerability was discussed in an
earlier edition of RISK.

Status: Novell confirmed, updates available.

References:
Zero Day Initiative Advisory
http://www.zerodayinitiative.com/advisories/ZDI-08-005.html
Zero Day Initiative Advisory for the original vulnerability
http://www.zerodayinitiative.com/advisories/ZDI-07-045.html
Novell Update Information
http://download.novell.com/Download?buildid=SszG22IIugM~
Previous RISK Entry
http://www.sans.org/newsletters/risk/display.php?v=6&i=32#widely3
SecurityFocus BID
http://www.securityfocus.com/bid/27741

***************************************************

(5) CRITICAL: Symantec Backup Exec System Recovery Manager Arbitrary File Upload
Affected:
Symantec Backup Exec System Recovery Manager versions prior to 7.0.3

Description: Symantec Backup Exec System Recovery Manager is a popular
enterprise backup component. It contains a web-based administration
interface. This interface provides facilities to upload files to the
server. The file upload component fails to properly validate the paths
given to it by users. A specially crafted request would allow an
attacker to upload an arbitrary file to any location on the
administration server. The administration server runs with SYSTEM
privileges and this vulnerability can be leveraged to run arbitrary code
with SYSTEM privileges. A proof-of-concept is publicly available for
this vulnerability.

Status: Symantec confirmed, updates available.

References:
Zero Day Initiative Advisory
http://zerodayinitiative.com/advisories/ZDI-08-003.html
Symantec Security Advisory
http://www.symantec.com/avcenter/security/Content/2008.02.04.html
Proof-of-Concept
http://milw0rm.com/exploits/5078
Vendor Home Page
http://www.symantec.com
SecurityFocus BID
http://www.securityfocus.com/bid/27487

***************************************************

(6) CRITICAL: Adobe Reader Multiple Vulnerabilities
Affected:
Adobe Reader versions prior to 8.1.2

Description: Adobe Reader is Adobe's reader for the Portable Document
Format (PDF). Reader contains multiple vulnerabilities in its handling
of JavaScript embedded in PDF documents. A specially crafted PDF
containing calls to certain JavaScript functions could exploit these
vulnerabilities, allowing an attacker to execute arbitrary code with the
privileges of the current user. Note that PDF documents are commonly
rendered automatically as soon as they are received (for example by the
Reader browser plug-in), without further user action. Several
proofs-of-concept are publicly available for these vulnerabilities, and
these vulnerabilities are being actively exploited in the wild.

Status: Adobe confirmed, updates available.

References:
Zero Day Initiative Advisory
http://zerodayinitiative.com/advisories/ZDI-08-004.html
Adobe Security Advisory
http://www.adobe.com/support/security/advisories/apsa08-01.html
iDefense Security Advisories
http://labs.idefense.com/intelligence/vulnerabilities/display.php?id=655
http://labs.idefense.com/intelligence/vulnerabilities/display.php?id=657
http://labs.idefense.com/intelligence/vulnerabilities/display.php?id=656
Proofs-of-Concept
https://www.immunityinc.com/downloads/immpartners/acrobat.tgz
https://www.immunityinc.com/downloads/immpartners/acrobatfull.tgz
Adobe Update Information
http://kb.adobe.com/selfservice/viewContent.do?externalId=kb403079&sliceId=1
SecurityFocus BID
http://www.securityfocus.com/bid/27641

***************************************************

(7) CRITICAL: Adobe Flash Media Server Multiple Vulnerabilities
Affected:
Adobe Flash Media Server versions prior to 2.0.5

Description: Adobe Flash Media Server is Adobe's media and data server.
It contains multiple vulnerabilities in its handling of user requests.
A specially crafted Real Time Messaging Protocol (RTMP) message sent to
the server could trigger one of several vulnerabilities. Successfully
exploiting these vulnerabilities would allow an attacker to execute
arbitrary code with the privileges of the vulnerable process (usually
SYSTEM). Some technical details are publicly available for these
vulnerabilities.

Status: Adobe confirmed, updates available.

References:
Adobe Security Advisory
http://www.adobe.com/support/security/bulletins/apsb08-03.html
iDefense Security Advisories
http://labs.idefense.com/intelligence/vulnerabilities/display.php?id=663
http://labs.idefense.com/intelligence/vulnerabilities/display.php?id=662
Wikipedia Article on the Real Time Messaging Protocol
http://en.wikipedia.org/wiki/Real_Time_Messaging_Protocol
Product Home Page
http://www.adobe.com/products/flashmediaserver/
SecurityFocus BID
http://www.securityfocus.com/bid/27762

***************************************************

(8) CRITICAL: ClamAV Multiple Vulnerabilities
Affected:
ClamAV versions prior to 0.92.1

Description: ClamAV is a popular open source antivirus system. It
contains multiple vulnerabilities in its parsing of executables. A
specially crafted Portable Executable (PE) file, or an executable packed
with the MEW executable packer, could trigger a memory corruption
vulnerability. Successfully exploiting these vulnerabilities would allow
an attacker to execute arbitrary code with the privileges of the
vulnerable process. Note that, on systems using ClamAV to scan email,
it is sufficient for exploitation to have an email transit the system;
no user interaction is necessary. Technical details for these
vulnerabilities are available via source code analysis.

Status: ClamAV confirmed, updates available.

References:
ClamAV Release Notes
http://sourceforge.net/project/shownotes.php?release_id=575703
iDefense Security Advisory
http://labs.idefense.com/intelligence/vulnerabilities/display.php?id=658
ClamAV Home Page
http://www.clamav.net/
SecurityFocus BID
http://www.securityfocus.com/bid/27751

***************************************************

(9) HIGH: Microsoft OLE Memory Corruption (MS08-008)
Affected:
Microsoft Windows 2000
Microsoft Windows XP
Microsoft Windows Server 2003
Microsoft Windows Vista
Microsoft Visual Basic 6.0

Description: Microsoft Object Linking and Embedding (OLE) is a Microsoft
Windows component used for inter-application communication and control. It is
related to the ActiveX suite of technologies. OLE contains a flaw in its
handling of certain user requests. A specially crafted web page could
exploit this flaw, leading to a memory corruption. Successfully
exploiting this vulnerability would allow an attacker to execute
arbitrary code with the privileges of the current user.

Status: Microsoft confirmed, updates available.

References:
Microsoft Security Bulletin
http://www.microsoft.com/technet/security/bulletin/ms08-008.mspx
SecurityFocus BID
http://www.securityfocus.com/bid/27661

***************************************************

(10) HIGH: Microsoft Word Memory Corruption (MS08-009)
Affected:
Microsoft Office 2000
Microsoft Office XP
Microsoft Office 2003
Microsoft Office Word Viewer 2003

Description: Microsoft Word contains a flaw in its handling of certain
Word documents. A specially crafted Word document could trigger a memory
corruption vulnerability in Word. Successfully exploiting this
vulnerability would allow an attacker to execute arbitrary code with the
privileges of the current user. Note that on recent versions of
Microsoft Office, Word documents are not opened upon receipt without
user interaction. Some technical details are publicly available for this
vulnerability.

Status: Microsoft confirmed, updates available.

References:
Microsoft Security Bulletin
http://www.microsoft.com/technet/security/Bulletin/MS08-009.mspx
Reversemode Advisory
http://www.securityfocus.com/archive/1/488071
SecurityFocus BID
http://www.securityfocus.com/bid/27656

***************************************************

(11) HIGH: Microsoft Internet Explorer Multiple Vulnerabilities (MS08-010)
Affected:
Microsoft Internet Explorer versions 7 and prior

Description: Microsoft Internet Explorer contains multiple
vulnerabilities in its handling of a variety of web page elements, image
formats, and ActiveX controls. A specially crafted web page containing
one of these objects could trigger a memory corruption vulnerability.
Successfully exploiting one of these vulnerabilities would allow an
attacker to execute arbitrary code with the privileges of the current
user.

Status: Microsoft confirmed, updates available.

References:
Microsoft Security Bulletin
http://www.microsoft.com/technet/security/bulletin/ms08-010.mspx
Zero Day Initiative Advisory
http://zerodayinitiative.com/advisories/ZDI-08-006.html
iDefense Security Advisory
http://labs.idefense.com/intelligence/vulnerabilities/display.php?id=661
SecurityFocus BIDs
http://www.securityfocus.com/bid/27666
http://www.securityfocus.com/bid/27668
http://www.securityfocus.com/bid/27689

***************************************************

(12) HIGH: Microsoft Office Publisher Multiple Vulnerabilities (MS08-012)
Affected:
Microsoft Office 2000
Microsoft Office XP
Microsoft Office 2003

Description: Microsoft Office Publisher contains multiple
vulnerabilities in its handling of Publisher files. A specially crafted
Publisher file could trigger a memory corruption vulnerability when
opened. Successfully exploiting one of these vulnerabilities would allow
an attacker to execute arbitrary code with the privileges of the current
user. Some technical details are publicly available for these
vulnerabilities. Note that on recent versions of Microsoft Office,
Publisher files are not opened upon receipt without user intervention.

Status: Microsoft confirmed, updates available.

References:
Microsoft Security Bulletin
http://www.microsoft.com/technet/security/Bulletin/MS08-012.mspx
SecurityFocus BIDs
http://www.securityfocus.com/bid/27740
http://www.securityfocus.com/bid/27739

***************************************************

(13) HIGH: Microsoft Office Memory Corruption (MS08-013)
Affected:
Microsoft Office 2000
Microsoft Office XP
Microsoft Office 2003
Microsoft Office 2004 for Mac

Description: Microsoft Office allows document authors to embed objects
in documents. A document with a specially crafted embedded object could
trigger a memory corruption vulnerability in Office. Successfully
exploiting this vulnerability would allow an attacker to execute
arbitrary code with the privileges of the current user. Note that on
recent versions of Microsoft Office, documents are not opened upon
receipt without user intervention.

Status: Microsoft confirmed, updates available.

References:
Microsoft Security Bulletin
http://www.microsoft.com/technet/security/Bulletin/MS08-013.mspx
SecurityFocus BID
http://www.securityfocus.com/bid/27738

***************************************************

(14) HIGH: Microsoft Works Converter Multiple Vulnerabilities (MS08-011)
Affected:
Microsoft Office 2003
Microsoft Works 8
Microsoft Works Suite 2005

Description: The Microsoft Works Converter is used to convert documents
created by Microsoft Works into other formats. It contains multiple
flaws in its handling of invalid Works documents. A specially crafted
Works document could trigger one of these flaws, leading to a memory
corruption vulnerability. Successfully exploiting this vulnerability
would allow an attacker to execute arbitrary code with the privileges
of the current user. Note that on recent versions of Microsoft Office,
documents are not opened upon receipt without user intervention.

Status: Microsoft confirmed, updates available.

References:
Microsoft Security Bulletin
http://www.microsoft.com/technet/security/Bulletin/MS08-011.mspx
iDefense Security Advisories
http://labs.idefense.com/intelligence/vulnerabilities/display.php?id=659
http://labs.idefense.com/intelligence/vulnerabilities/display.php?id=660
SecurityFocus BIDs
http://www.securityfocus.com/bid/27657
http://www.securityfocus.com/bid/27658
http://www.securityfocus.com/bid/27659

***************************************************

(15) HIGH: IBM DB2 Universal Database Administration Server Memory Corruption
Affected:
IBM DB2 Universal Database versions prior to 9 Fix Pack 4

Description: IBM DB2 Universal Database (DB2) is IBM's enterprise
database. It provides an administrative interface (known as the
Administration Server). The Administration Server contains a memory
corruption vulnerability due to a failure to validate client input. A
specially crafted request could trigger this vulnerability, and it is
believed that this vulnerability might allow remote code execution with
the privileges of the vulnerable process. Some technical details are
available for this vulnerability. Note that an additional local
privilege escalation vulnerability was also found in the main DB2
system.

Status: IBM confirmed, updates available. Users can mitigate the impact
of this vulnerability by blocking access to TCP port 523 at the network
perimeter, if possible.

References:
iDefense Security Advisory
http://labs.idefense.com/intelligence/vulnerabilities/display.php?id=654
IBM Support Documents
http://www-1.ibm.com/support/docview.wss?uid=swg21256235
http://www-1.ibm.com/support/docview.wss?uid=swg21255572
SecurityFocus BID
http://www.securityfocus.com/bid/27596

***************************************************

(16) HIGH: SAP SAPlpd and SAPSprint Multiple Vulnerabilities
Affected:
SAP SAPSprint versions prior to 1018
SAP SAPlpd versions 6.28 and prior
SAP GUI versions 7.10 and prior

Description: SAP SAPSprint and SAPlpd are printing components used in
the SAP GUI interface to the SAP system. SAPlpd is a server for the Line
Printer Daemon Protocol, and SAPSprint is a newer service designed to
replace SAPlpd. These products contain multiple vulnerabilities. An
attacker who sent a specially crafted request to one of these components
could trigger one of these vulnerabilities, allowing the attacker to
execute arbitrary code with the privileges of the current user. Multiple
proofs-of-concept are publicly available for these vulnerabilities.

Status: SAP confirmed, updates available.

References:
Advisory from Luigi Auriemma (includes proofs-of-concept)
http://lists.grok.org.uk/pipermail/full-disclosure/2008-February/060042.html
Posting by Robert Ingruber
http://www.securityfocus.com/archive/1/487575
Wikipedia Article on the Line Printer Daemon Protocol
http://en.wikipedia.org/wiki/Line_Printer_Daemon_protocol
SAP Home Page
http://www.sap.com/usa/index.epx
SecurityFocus BID
http://www.securityfocus.com/bid/27613

***************************************************

(17) HIGH: Sun Java Runtime Environment Multiple Vulnerabilities
Affected:
Sun Java Runtime Environment versions prior to 6 Update 1
Sun Java Development Kit versions prior to 6 Update 1

Description: Sun's Java Runtime Environment contains multiple
vulnerabilities in its handling of Java applets and applications. A
specially crafted applet or application could bypass the normal sandbox
provided by the runtime environment. Bypassing the sandbox environment
would allow an otherwise untrusted applet or application to modify files
or execute arbitrary commands with the privileges of the current user.
Note that Java applets embedded in web pages are often run without first
prompting the user. Sun's Java Runtime Environment is installed on Apple
Mac OS X and many Unix, Linux, and Unix-like systems by default. It is
also installed on a large number of Microsoft Windows systems.

Status: Sun confirmed, updates available.

References:
Sun Security Advisory
http://sunsolve.sun.com/search/document.do?assetkey=1-66-231261-1
Sun Java Home Page
http://java.sun.com
SecurityFocus BID
http://www.securityfocus.com/bid/27650

***************************************************

(18) MODERATE: Microsoft Internet Information Services ASP Remote Code Execution (MS08-006)
Affected:
Microsoft Windows XP
Microsoft Windows Server 2003

Description: Microsoft Active Server Pages (ASP) is a Microsoft
technology for dynamically generating web pages. A flaw in the handling
of certain ASP functions could trigger a remote code execution
vulnerability on a vulnerable server. Note that an attacker would need
access to upload or otherwise insert ASP code into a web page. Note that
ASP.NET is not affected by this vulnerability, and the vulnerable
versions of the software are not installed by default on recent versions
of Microsoft Windows. Note that a proof-of-concept for this
vulnerability is available to members of Immunity Security's Partners'
Program.

Status: Microsoft confirmed, updates available.

References:
Microsoft Security Bulletin
http://www.microsoft.com/technet/security/bulletin/ms08-006.mspx
Proof-of-Concept
https://www.immunityinc.com/downloads/immpartners/iisasp.py
SecurityFocus BID
http://www.securityfocus.com/bid/27676

***************************************************

(19) MODERATE: Apple iPhoto Photocast Format String Vulnerability
Affected:
Apple iPhoto versions prior to 7.1.2

Description: Apple iPhoto, Apple's photo management application,
contains a vulnerability in its handling of "photocasts", or syndicated
collections of photos. A specially crafted photocast could trigger this
vulnerability, allowing an attacker to execute arbitrary code with the
privileges of the current user. Note that the victim must explicitly
subscribe to a malicious photocast to be vulnerable.

Status: Apple confirmed, updates available.

References:
Apple Security Advisory
http://docs.info.apple.com/article.html?artnum=307398
Product Home Page
http://www.apple.com/ilife/iphoto
SecurityFocus BID
http://www.securityfocus.com/bid/27636

***************************************************

(20) MODERATE: MPlayer Multiple Vulnerabilities
Affected:
MPlayer versions 1.0rc2 and prior

Description: MPlayer is a popular cross-platform media player, used
predominately on Linux, Unix, and Unix-like systems. It contains
multiple vulnerabilities in its processing of media files. A specially
crafted movie or audio file could trigger one of these vulnerabilities.
Successfully exploiting one of these vulnerabilities would allow an
attacker to execute arbitrary code with the privileges of the current
user. Note that, depending on configuration, media content may be opened
upon receipt, without user intervention. MPlayer is installed by default
on numerous Linux distributions. A proof-of-concept for these
vulnerabilities is publicly available, and full technical details are
available via source code analysis.

Status: MPlayer confirmed, updates available.

References:
CORE Security Advisories
http://www.coresecurity.com/?action=item&id=2102
http://www.coresecurity.com/?action=item&id=2103
Proof-of-Concept
http://downloads.securityfocus.com/vulnerabilities/exploits/27499.py
MPlayer Home Page
http://www.mplayerhq.hu
SecurityFocus BIDs
http://www.securityfocus.com/bid/27499
http://www.securityfocus.com/bid/27441

**********************************************************

Part II: Weekly Comprehensive List of Newly Discovered Vulnerabilities
Week 7, 2008

This list is compiled by Qualys ( www.qualys.com ) as part of that
company's ongoing effort to ensure its vulnerability management web
service tests for all known vulnerabilities that can be scanned. As of
this week Qualys scans for 5549 unique vulnerabilities. For this special
SANS community listing, Qualys also includes vulnerabilities that cannot
be scanned remotely.
______________________________________________________________________

08.6.1 CVE: Not Available
Platform: Third Party Windows Apps
Title: Hero Super Player 3000 M3U Buffer Overflow
Description: Hero Super Player 3000 is a media player application for
the Windows operating system. The application is exposed to a buffer
overflow issue because it fails to perform adequate boundary checks on
user-supplied input. This issue occurs when the application handles a
specially crafted .M3U file and the user clicks the "DelUnselect"
button.
Ref: http://www.securityfocus.com/bid/27478
______________________________________________________________________

08.6.2 CVE: Not Available
Platform: Third Party Windows Apps
Title: MailBee Objects "MailBee.dll" ActiveX Control Multiple Insecure
Method Vulnerabilities
Description: MailBee Objects is a set of components for sending,
receiving, and managing email. The application is exposed to multiple
issues that allow attackers to create or overwrite arbitrary data
with the privileges of the application using the control (typically
Internet Explorer). MailBee Objects version 5.5 is affected.
Ref: http://support.microsoft.com/kb/240797
______________________________________________________________________

08.6.3 CVE: Not Available
Platform: Third Party Windows Apps
Title: Namo Web Editor "NamoInstaller.dll" ActiveX Control Arbitrary
Command Execution
Description: Namo Web Editor ActiveSquare is an ActiveX control. The
control is exposed to an issue that lets attackers execute arbitrary
commands. "NamoInstaller.dll" version 3.0.0.1 of the Namo Web Editor
ActiveSquare 6 control is affected.
Ref: http://support.microsoft.com/kb/240797
______________________________________________________________________

08.6.4 CVE: Not Available
Platform: Third Party Windows Apps
Title: Persits Software XUpload "AddFile()" Method ActiveX Control
Remote Buffer Overflow
Description: The XUpload ActiveX control allows users to upload files
to a server. The application is exposed to a buffer overflow issue
because it fails to perform adequate boundary checks on user-supplied
input. "xupload.ocx" 3.0.0.4 of XUpload version 3.0 is affected.
Ref: http://support.microsoft.com/kb/240797
______________________________________________________________________

08.6.5 CVE: Not Available
Platform: Third Party Windows Apps
Title: Chilkat Email "ChilkatCert.dll" ActiveX Control Insecure Method
Description: Chilkat Email is an ActiveX control for sending and
receiving email. The control is exposed to an issue that allows
attackers to create or overwrite arbitrary data with the privileges of
the application using it (typically Internet Explorer). This issue
affects the "SaveLastError" attribute of the "ChilkatCert.dll" ActiveX
control. "ChilkatCert.dll" library of the Chilkat Email ActiveX
control version 7.8 is affected.
Ref: http://support.microsoft.com/kb/240797
______________________________________________________________________

08.6.6 CVE: Not Available
Platform: Third Party Windows Apps
Title: SafeNET High Assurance Remote and SoftRemote IPSecDrv.SYS Local
Privilege Escalation
Description: SafeNET High Assurance Remote and SoftRemote are security
carrier-grade VPN applications that include FIPS technology, device
authentication, and the Advanced Encryption Standard (AES) algorithm.
The application is exposed to a local privilege escalation issue
because a user-definable offset is used in an indirect system call.
"IPSecDrv.sys" version 10.4.0.12 when running on Windows operating
systems is affected. The driver is included with SafeNET HighAssurance
Remote and SafeNET HighAssurance SoftRemote. This issue may also
affect other versions as well as versions running on other operating
platforms.
Ref: http://www.securityfocus.com/bid/27496
______________________________________________________________________

08.6.7 CVE: Not Available
Platform: Third Party Windows Apps
Title: LSrunasE and Supercrypt RC4 Weak Encryption
Description: LSrunasE and Supercrypt are utilities used to run
commands under a different user account within Windows batch scripts.
The application is exposed to a weak encryption issue due to insecure
usage of the RC4 encryption algorithm. The issue occurs because the
application uses the same keystream to generate encrypted data.
LSrunasE version 1.0 and Supercrypt version 1.0 are affected.
Ref: http://www.securityfocus.com/bid/27500
______________________________________________________________________

08.6.8 CVE: CVE-2008-0064
Platform: Third Party Windows Apps
Title: GFL SDK Library Buffer Overflow
Description: GFL SDK is an image library for developers. The library
is exposed to a buffer overflow issue because it fails to perform
adequate boundary checks on user-supplied data. Specifically, the
error arises in the "libgfl280.dll" file when the library processes
RGBE files. GFL SDK version 2.870 is affected. XnView versions 1.91
and 1.92 that use the library and NConvert 4.85 are also affected.
Ref: http://secunia.com/secunia_research/2008-1/advisory/
______________________________________________________________________

08.6.9 CVE: CVE-2007-5602
Platform: Third Party Windows Apps
Title: SwiftView ActiveX Control and Browser Plugin Stack-Based Buffer
Overflow
Description: SwiftView is an application used to print or view PCL,
HPGL, and TIFF files. The application is exposed to a stack-based
buffer overflow issue. This issue affects the ActiveX control
provided by "svocx.ocx". The browser plugin version of the application
is also affected.
Ref: http://www.kb.cert.org/vuls/id/639169
______________________________________________________________________

08.6.10 CVE: Not Available
Platform: Third Party Windows Apps
Title: MySpace Uploader "MySpaceUploader.ocx" ActiveX Control Buffer
Overflow
Description: MySpace Uploader ActiveX Control lets MySpace users
upload files to the server.
The control is exposed to a buffer overflow issue because it fails to
perform adequate boundary checks on user-supplied data. This issue
affects the "Action" property of the "MySpaceUploader.ocx" library.
MySpace Uploader ActiveX Control versions 1.0.0.4 and 1.0.0.5 are
affected.
Ref: http://support.microsoft.com/kb/240797
______________________________________________________________________

08.6.11 CVE: Not Available
Platform: Third Party Windows Apps
Title: Facebook Photo Uploader 4 "ImageUploader4.1.ocx" ActiveX
Control Buffer Overflow
Description: Facebook Photo Uploader ActiveX control lets Facebook
users upload album and image files to the server. The control is
exposed to a buffer overflow issue because it fails to perform
adequate boundary checks on user-supplied data. This issue affects the
"Action" property of the "ImageUploader4.1.ocx" library. The
"ImageUploader4.1.ocx" version 4.5.57.0 is affected.
Ref: http://support.microsoft.com/kb/240797
______________________________________________________________________

08.6.12 CVE: Not Available
Platform: Third Party Windows Apps
Title: Aurigma Image Uploader "ImageUploader4.ocx" ActiveX Control
Buffer Overflow
Description: Aurigma Image Uploader ActiveX Control lets users manage
and upload images to a server. The control is exposed to a buffer
overflow issue because it fails to perform adequate boundary checks on
user-supplied data. This issue affects the "Action" property of the
"ImageUploader4.ocx" library. Image Uploader version 4.5.70.0 is
affected.
Ref: http://support.microsoft.com/kb/240797
______________________________________________________________________

08.6.13 CVE: Not Available
Platform: Third Party Windows Apps
Title: Chilkat FTP "ChilkatCert.dll" ActiveX Control Insecure Method
Description: Chilkat FTP is an ActiveX control for sending and
receiving files. The control is exposed to an issue that allows
attackers to create or overwrite arbitrary data with the privileges of
the application using it (typically Internet Explorer). This issue
affects the "SavePkcs8File" attribute of the "ChilkatCert.dll" ActiveX
control. Chilkat FTP ActiveX version 2.0 is affected.
Ref: http://support.microsoft.com/kb/240797
______________________________________________________________________

08.6.14 CVE: Not Available
Platform: Third Party Windows Apps
Title: UltraVNC VNCViewer "ClientConnection.cpp" Remote Buffer
Overflow
Description: UltraVNC is a client/server remote access suite that
allows remote users to access desktops as though they are local users.
It was formerly known as Ultr@VNC. The application is exposed to a
remote buffer overflow issue due to a failure of the application to
properly validate user-supplied string lengths before copying them
into static process buffers. UltraVNC version 1.0.2 and UltraVNC 104
release candidates released prior to January 25, 2008 are affected.
Ref: http://forum.ultravnc.info/viewtopic.php?t=11850
______________________________________________________________________

08.6.15 CVE: CVE-2007-4770, CVE-2007-4771
Platform: Linux
Title: International Components for Unicode Library (libicu) Multiple
Memory Corruption Vulnerabilities
Description: The International Components for Unicode (libicu) is a
freely-available library for handling Unicode data in applications.
The library is exposed to multiple memory corruption issues. The
International Components for Unicode versions 3.8.1 and earlier are
affected.
Ref: https://bugzilla.redhat.com/show_bug.cgi?id=429025
______________________________________________________________________

08.6.16 CVE: CVE-2007-6151
Platform: Linux
Title: Linux Kernel "isdn_common.c" Local Buffer Overflow
Description: The Linux kernel is exposed to a local buffer overflow
issue because it fails to properly bounds check user-supplied input
before copying it into an insufficiently sized buffer. This issue
occurs in the "isdn_ioctl()" function in the "isdn_common.c"
source file. The struct "iocts" is not NULL terminated, which can
allow specially-crafted IOCTL data to overrun a memory buffer. Linux
kernel versions prior to 2.6.25 are affected.
Ref:
http://git.kernel.org/?p=linux/kernel/git/torvalds/linux-2.6.git;a=commitdiff;h=eafe1aa37e6ec2d56f14732b5240c4dd09f0613a
______________________________________________________________________

08.6.17 CVE: CVE-2007-6694
Platform: Linux
Title: Linux Kernel PowerPC "chrp/setup.c" NULL Pointer Dereference
Denial of Service
Description: The Linux kernel is exposed to a local denial of service
issue. This issue occurs in the "chrp_show_cpuinfo()" function of the
"chrp/setup.c" source file. Specifically, a NULL-pointer dereference
exception occurs when the "of_get_property()" function fails. When a
failure does occur, the "strcmp()" function is still called, which causes
the kernel to dereference the resulting NULL pointer. Linux kernel versions
2.4.21 through 2.6.18-53 running on the PowerPC architecture are
affected.
Ref: http://rhn.redhat.com/errata/RHSA-2008-0055.html
______________________________________________________________________

08.6.18 CVE: CVE-2007-4130
Platform: Linux
Title: Linux Kernel Page Faults Using NUMA Local Denial of Service
Description: The Linux kernel is exposed to a local denial of service
issue because it fails to properly handle certain page faults when
using NUMA (Non-Uniform Memory Access) methods. This issue arises when
invalid bitmasks are processed by the "set_mempolicy()" function in
the "mm/mempolicy.c" source file during page faults. Linux kernel
versions 2.6.9 and earlier are affected.
Ref: http://rhn.redhat.com/errata/RHSA-2008-0055.html
______________________________________________________________________

08.6.19 CVE: Not Available
Platform: Aix
Title: IBM AIX "piox25.c/piox25remote.sh" Local Buffer Overflow
Description: AIX is a UNIX operating system from IBM. The operating
system is exposed to a local buffer overflow issue because it fails to
perform adequate boundary checks on user-supplied input. Specifically,
the issue can be triggered by supplying overly long input to
"piox25.c" and "piox25remote.sh".
Ref: http://www-1.ibm.com/support/docview.wss?uid=isg1IZ13739
______________________________________________________________________

08.6.20 CVE: Not Available
Platform: Unix
Title: PatchLink Update Multiple Insecure Temporary File Creation
Vulnerabilities
Description: PatchLink Update is an application for managing patches
and vulnerabilities in a medium to large sized enterprise. The
"logtrimmer" log rotation utility and the "rebootTask" script create
temporary files with predictable filenames in an insecure manner.
Ref: http://www.securityfocus.com/archive/1/487103
______________________________________________________________________

08.6.21 CVE: Not Available
Platform: Cross Platform
Title: IrfanView FPX File Remote Memory Corruption
Description: IrfanView is an image viewer that supports multiple file
formats. The application is exposed to a remote memory corruption
issue because it fails to handle specially crafted ".FPX" files.
IrfanView version 4.10 is affected.
Ref: http://www.securityfocus.com/bid/27479
______________________________________________________________________

08.6.22 CVE: Not Available
Platform: Cross Platform
Title: IBM Hardware Management Console Pegasus CIM Server Denial of
Service
Description: IBM Hardware Management Console enables an administrator
to manage the configuration and operation of partitions in a computer
and to monitor the computer for hardware problems. IBM Hardware
Management Console is exposed to a denial of service issue due to an
unspecified error in the Pegasus CIM Server. Hardware Management
Console version V7 R3.2.0 is affected.
Ref:
https://www14.software.ibm.com/webapp/set2/sas/f/hmc/power6/install/v7.Readme.html#specific
______________________________________________________________________

08.6.23 CVE: Not Available
Platform: Cross Platform
Title: IBM Informix Storage Manager Multiple Buffer Overflow
Vulnerabilities
Description: IBM Informix Dynamic Server is an application server that
runs on various platforms. Informix Storage Manager (ISM) is
distributed as part of IBM Informix Dynamic Server (IDS). The
application is exposed to multiple buffer overflow issues because it
fails to properly bounds-check user-supplied data. IBM Informix
Dynamic Server versions 10.00.xC8, 11.10.xC2 and earlier on Microsoft
Windows platforms are affected.
Ref: http://www-1.ibm.com/support/docview.wss?uid=swg21294211
______________________________________________________________________

08.6.24 CVE: Not Available
Platform: Cross Platform
Title: Firebird Username Remote Buffer Overflow
Description: Firebird is a relational database that runs on Windows,
Linux, and UNIX systems. The application is exposed to a remote
buffer overflow issue because it fails to properly check boundaries on
user-supplied data before using it in a finite-sized buffer. The
problem occurs when the application processes usernames and can be
exploited by remote attackers to cause a stack overflow by supplying a
specially-crafted, overly long username. Firebird versions 2.1 Beta 2,
2.0.3, 2.0.2, 2.0.0, 1.0.3, 2.1 Beta 1, 2.1 Alpha 1, 2.0.1 and 1.5.4
are affected.
Ref:
http://sourceforge.net/project/shownotes.php?group_id=9028&release_id=570816
______________________________________________________________________

08.6.25 CVE: CVE-2008-0387
Platform: Cross Platform
Title: Firebird Relational Database "protocol.cpp" XDR Protocol Remote
Memory Corruption
Description: Firebird is a Relational Database Management System
(RDBMS) available for multiple operating systems. The application is
exposed to an integer overflow issue because it fails to ensure that
integer values do not overflow.
Ref: http://www.securityfocus.com/archive/1/487173
______________________________________________________________________

08.6.26 CVE: CVE-2008-0386
Platform: Cross Platform
Title: Xdg-Utils "xdg-open" and "xdg-email" Multiple Remote Command
Execution Vulnerabilities
Description: Xdg-Utils is a set of utilities allowing various
applications to easily integrate with the free desktop configurations.
The application is exposed to multiple remote command execution issues
because it fails to sufficiently sanitize user-supplied data to the
"xdg-open" and "xdg-email" shell scripts.
Ref: http://www.securityfocus.com/bid/27528
______________________________________________________________________

08.6.27 CVE: Not Available
Platform: Cross Platform
Title: Gnumeric XLS HLINK Opcode Handling Remote Arbitrary Code
Execution
Description: Gnumeric is an open-source spreadsheet application. The
application is exposed to a remote arbitrary code execution issue due
to integer overflow and signedness errors when the application tries
to process the XLS HLINK opcodes. Specifically the
"excel_read_HLINK()" function in "plugins/excel/ms-excel-read.c" is
affected. Gnumeric version 1.6.3 is affected.
Ref: http://bugzilla.gnome.org/show_bug.cgi?id=505330
______________________________________________________________________

08.6.28 CVE: Not Available
Platform: Cross Platform
Title: Sun Java RunTime Environment XML Parsing Unspecified
Description: Sun Java Runtime Environment (JRE) is exposed to an
unspecified issue that can occur when parsing malicious XML content.
This issue affects trusted Java applications running on sites that
have the "external general entities" property set to FALSE. JDK and
JRE versions 6 Update 3 and earlier are affected.
Ref: http://sunsolve.sun.com/search/document.do?assetkey=1-66-231246-1
______________________________________________________________________

08.6.29 CVE: Not Available
Platform: Web Application - Cross Site Scripting
Title: Tripwire Enterprise Login Page Cross-Site Scripting
Description: Tripwire Enterprise is a configuration audit and control
system. The application is exposed to a cross-site scripting issue
because it fails to properly sanitize user-supplied input to the
application's web-based server management login page. Tripwire
Enterprise version 7.0 is affected.
Ref: http://www.securityfocus.com/archive/1/487229
______________________________________________________________________

08.6.30 CVE: Not Available
Platform: Web Application - Cross Site Scripting
Title: SunGard Banner Student "add1" Parameter Cross-Site Scripting
Description: Banner is a software suite for administering colleges and
other institutions. Banner Student is an information system for
students, prospects, and faculty. The application is exposed to
cross-site scripting attacks because it fails to sufficiently sanitize
user-supplied input to the emergency contact address field "add1" of
the "ss/bwgkoemr.P_UpdateEmrgContacts" script. Banner Student version
7.3 is affected.
Ref: http://www.securityfocus.com/archive/1/487250
______________________________________________________________________

08.6.31 CVE: Not Available
Platform: Web Application - Cross Site Scripting
Title: Yamaha RT Series Routers Cross-Site Request Forgery
Description: Yamaha routers are network devices designed for home and
small-office setups. Multiple Yamaha routers are exposed to a
cross-site request forgery issue. Attackers exploit this issue by
tricking a user into visiting a malicious web page. Yamaha routers
in the RT and SRT series are affected.
Ref: http://www.securityfocus.com/bid/27491
______________________________________________________________________

08.6.32 CVE: Not Available
Platform: Web Application - Cross Site Scripting
Title: Endian Firewall "userlist.php" Cross-Site Scripting
Description: Endian Firewall is a threat management appliance that
protects users from spam, viruses and various other threats. The
application is exposed to a cross-site scripting issue because it
fails to sufficiently sanitize user-supplied input. Specifically, the
web interface fails to sanitize user-supplied data to the "psearch"
parameter of the "userslist.php" script. Endian Firewall version 2.1.2
is affected.
Ref: http://www.securityfocus.com/bid/27477
______________________________________________________________________

08.6.33 CVE: Not Available
Platform: Web Application - Cross Site Scripting
Title: Mambo MOStlyCE Module "connector.php" Cross-Site Scripting
Description: MOStlyCE is a WYSIWYG editor module included with the
Mambo content manager. The application is exposed to a cross-site
scripting issue because it fails to properly sanitize user-supplied
input to the "Command" parameter of the
"mambots/editors/mostlyce/jscripts/tiny_mce/filemanager/connectors/php/connector.php"
script. MOStlyCE version 2.4 included with Mambo 4.6.3 is affected.
Ref: http://www.securityfocus.com/archive/1/487128
______________________________________________________________________

08.6.34 CVE: Not Available
Platform: Web Application - Cross Site Scripting
Title: eTicket "index.php" Cross-Site Scripting
Description: eTicket is an open-source support-ticket system based on
osTicket. The application is exposed to cross-site scripting attacks
because it fails to sufficiently sanitize user-supplied input to the
"index.php" script. eTicket version 1.5.6-RC4 is affected.
Ref: http://www.securityfocus.com/archive/1/487133
______________________________________________________________________

08.6.35 CVE: Not Available
Platform: Web Application - Cross Site Scripting
Title: Drake CMS "index.php" Cross-Site Scripting
Description: Drake CMS is a content manager. The application is
exposed to a cross-site scripting issue because it fails to properly
sanitize user-supplied input to the "option" parameter of the
"index.php" script. Drake CMS version 0.4.9 is affected.
Ref:
http://www.digitrustgroup.com/advisories/web-application-security-drake_cms.html
______________________________________________________________________

08.6.36 CVE: Not Available
Platform: Web Application - Cross Site Scripting
Title: trixbox "index.php" Multiple Cross-Site Scripting
Vulnerabilities
Description: trixbox (formerly AsteriskHome) is a line of
Asterisk-based IP-PBX products. The application is exposed to multiple
cross-site scripting issues because it fails to properly sanitize
user-supplied input to the "user/index.php" and "maint/index.php"
scripts. trixbox version 2.4.2.0 is affected.
Ref:
http://www.digitrustgroup.com/advisories/web-application-security-trixbox.html
______________________________________________________________________

08.6.37 CVE: Not Available
Platform: Web Application - Cross Site Scripting
Title: F5 BIG-IP Application Security Manager "report_type" Cross-Site
Scripting
Description: F5 BIG-IP Application Security Manager is a web and
operational infrastructure security product module for BIG-IP. The web
management interface is exposed to a cross-site scripting issue
because it fails to properly sanitize user-supplied input to the
"report_type" parameter of the "rep_request.php" script. F5 BIG-IP
Application Security Manager version 9.4.3 is affected.
Ref: http://www.securityfocus.com/archive/1/487118
______________________________________________________________________

08.6.38 CVE: Not Available
Platform: Web Application - Cross Site Scripting
Title: Nucleus CMS "action.php" Cross-Site Scripting
Description: Nucleus CMS is a web-based content manager. The
application is exposed to a cross-site scripting issue because it
fails to properly sanitize user-supplied input to the "action.php"
script. Nucleus CMS version 3.31 is affected.
Ref: http://www.securityfocus.com/archive/1/487255
______________________________________________________________________

08.6.39 CVE: Not Available
Platform: Web Application - Cross Site Scripting
Title: AmpJuke "index.php" Cross-Site Scripting
Description: AmpJuke is a PHP-based music streaming application. The
application is exposed to a cross-site scripting issue because it
fails to properly sanitize user-supplied input to the "limit"
parameter of the "index.php" script. AmpJuke version 0.7.0 is
affected.
Ref: http://www.securityfocus.com/archive/1/487258
______________________________________________________________________

08.6.40 CVE: Not Available
Platform: Web Application - Cross Site Scripting
Title: Hal Networks Multiple Products Cross-Site Scripting
Vulnerabilities
Description: Hal Networks products provide shopping cart functionality
using various technologies. These products are exposed to cross-site
scripting issues because they fail to properly sanitize user-supplied
input to unspecified parameters.
Ref: http://www.securityfocus.com/bid/27513
______________________________________________________________________

08.6.41 CVE: Not Available
Platform: Web Application - Cross Site Scripting
Title: webSPELL "index.php" Cross-Site Scripting
Description: webSPELL is a PHP-based content manager. The application
is exposed to a cross-site scripting issue because it fails to
properly sanitize user-supplied input to the "sort" parameter of the
"index.php" script. webSPELL version 4.01.02 is affected.
Ref: http://www.securityfocus.com/archive/1/487312
______________________________________________________________________

08.6.42 CVE: Not Available
Platform: Web Application - Cross Site Scripting
Title: Mercantec SoftCart Multiple Parameters Multiple Cross-Site
Scripting Vulnerabilities
Description: Mercantec SoftCart is a shopping-cart application. The
application is exposed to multiple cross-site scripting issues because
it fails to sanitize user-supplied input. These issues affect the
"License_Plate", "License_State", "Ticket_Date", and "Ticket_Number"
parameters of "SoftCart.exe". Mercantec SoftCart version 5.1.2.2 is
affected.
Ref: http://www.securityfocus.com/bid/27524
______________________________________________________________________

08.6.43 CVE: Not Available
Platform: Web Application - Cross Site Scripting
Title: OpenBSD bgplg "cmd" Parameter Cross-Site Scripting
Description: OpenBSD bgplg is a CGI script used for web-based
read-only access to limited Border Gateway Protocol daemon (bgpd(8))
information. The application is exposed to a cross-site scripting
issue because it fails to properly sanitize user-supplied input to the
"cmd" parameter of the script. bgplg shipped with OpenBSD version 4.1 is
affected.
Ref: http://www.openbsd.org/cgi-bin/cvsweb/src/usr.bin/bgplg/bgplg.c
______________________________________________________________________

08.6.44 CVE: Not Available
Platform: Web Application - Cross Site Scripting
Title: Livelink ECM UTF-7 Cross-Site Scripting
Description: Livelink ECM is an enterprise content management system.
The application is exposed to a cross-site scripting issue because it
fails to sufficiently sanitize user-supplied input. The application
fails to set the HTTP Content-Type "charset" in the response header or
HTML body, which allows remote attackers to inject arbitrary UTF-7
script code. Livelink ECM versions up to and including 9.7.0 are
affected.
Ref: http://www.withdk.com/2008/01/31/livelink-utf-7-xss-vulnerability/
______________________________________________________________________

08.6.45 CVE: CVE-2008-0178
Platform: Web Application - Cross Site Scripting
Title: Liferay Enterprise Portal User-Agent HTTP Header Cross-Site Scripting
Description: Liferay Enterprise Portal is a Java-based web portal for
enterprises. The application is exposed to a cross-site scripting
issue because it fails to sufficiently sanitize user-supplied input to
the "Enterprise Admin Session Monitoring" portion of the application.
Specifically, the application fails to sanitize the HTTP "User-Agent"
header, which allows remote attackers to inject arbitrary script code.
Liferay Enterprise Portal version 4.3.6 is affected.
Ref: http://www.kb.cert.org/vuls/id/326065
______________________________________________________________________

08.6.46 CVE: Not Available
Platform: Web Application - Cross Site Scripting
Title: Uniwin eCart Professional "rp" Cross-Site Scripting
Vulnerabilities
Description: Uniwin eCart Professional is a shopping cart application
implemented in ASP. The application is exposed to multiple cross-site
scripting issues because it fails to sufficiently sanitize
user-supplied input to the "rp" parameter in the "cartView.asp" script and
multiple unspecified scripts. Uniwin eCart Professional versions prior
to 2.0.16 are affected.
Ref: http://www.securityfocus.com/bid/27560
______________________________________________________________________

08.6.47 CVE: Not Available
Platform: Web Application - SQL Injection
Title: Bigware Shop "main_bigware_53.tpl.php" SQL Injection
Description: Bigware Shop is a PHP-based ecommerce application. The
application is exposed to an SQL injection issue because it fails to
sufficiently sanitize user-supplied data to the "pollid" parameter of
the "main_bigware_53.tpl.php" script before using it in an SQL query.
Bigware Shop version 2.0 is affected.
Ref: http://www.securityfocus.com/bid/27489
______________________________________________________________________

08.6.48 CVE: Not Available
Platform: Web Application - SQL Injection
Title: Mambo LaiThai Multiple SQL Injection And Unspecified
Vulnerabilities
Description: Mambo LaiThai is a Thai implementation of the Mambo
content manager. The application is exposed to multiple issues. Mambo
LaiThai version 4.5.5 is affected.
Ref: http://sourceforge.net/project/shownotes.php?release_id=571300
______________________________________________________________________

08.6.49 CVE: Not Available
Platform: Web Application - SQL Injection
Title: WordPress Plugin fGallery SQL Injection
Description: WordPress is a web-based publishing application
implemented in PHP. The fGallery plugin for WordPress provides image
gallery functionality. The plugin is exposed to an SQL injection issue
because it fails to sufficiently sanitize user-supplied data to the
"album" parameter of the "fim_rss.php" script before using it in an
SQL query. fGallery version 2.4.1 is affected.
Ref: http://www.securityfocus.com/bid/27464
______________________________________________________________________

08.6.50 CVE: Not Available
Platform: Web Application - SQL Injection
Title: WordPress Plugin WP-Cal SQL Injection
Description: WordPress is a web-based publishing application. The WP-Cal
plugin for WordPress provides calendar functionality. The plugin is
exposed to an SQL injection issue because it fails to sufficiently
sanitize user-supplied data to the "user" parameter of the
"wp-forum.php" script before using it in an SQL query. WP-Cal version
0.3 is affected.
Ref: http://www.securityfocus.com/bid/27465
______________________________________________________________________

08.6.51 CVE: Not Available
Platform: Web Application - SQL Injection
Title: phpIP Management Multiple SQL Injection Vulnerabilities
Description: phpIP Management is a web-based IP address management
application. The application is exposed to multiple SQL injection
issues because it fails to sufficiently sanitize user-supplied data.
phpIP Management version 4.3.2 is affected.
Ref: http://www.securityfocus.com/bid/27468
______________________________________________________________________

08.6.52 CVE: Not Available
Platform: Web Application - SQL Injection
Title: Joomla com_fq Component "index.php" SQL Injection
Description: com_fq is a FAQ component for the Joomla! content
manager. The component is exposed to an SQL injection issue because
it fails to sufficiently sanitize user-supplied data to the "listid"
parameter of the "index.php" script before using it in an SQL query.
Ref: http://www.securityfocus.com/bid/27501
______________________________________________________________________

08.6.53 CVE: Not Available
Platform: Web Application - SQL Injection
Title: Mambo Newsletter Component "Itemid" Parameter SQL Injection
Description: Mambo is a PHP-based content manager. The Newsletter
component of the application is exposed to an SQL injection issue
because it fails to sufficiently sanitize user-supplied data to the
"Itemid" parameter of "index.php" before using it in an SQL query.
Mambo version 4.5 is affected.
Ref: http://www.securityfocus.com/bid/27502
______________________________________________________________________

08.6.54 CVE: Not Available
Platform: Web Application - SQL Injection
Title: Joomla! com_mamml Component "index.php" SQL Injection
Description: Joomla com_mamml is a module for the Joomla! content
manager. The application is exposed to an SQL injection issue because
it fails to sufficiently sanitize user-supplied data to the "listid"
parameter of the "index.php" script before using it in an SQL query.
Ref: http://www.securityfocus.com/bid/27503
______________________________________________________________________

08.6.55 CVE: Not Available
Platform: Web Application - SQL Injection
Title: WordPress Plugin wp-AdServe SQL Injection
Description: WordPress is a web-based publishing application
implemented in PHP. The wp-AdServe plugin for WordPress provides
advertising server functionality. The plugin is exposed to an SQL
injection issue because it fails to sufficiently sanitize
user-supplied data to the "id" parameter of the "adclick.php" script
before using it in an SQL query. wp-AdServe version 0.2 is affected.
Ref: http://wordpress.org/extend/plugins/adserve/
______________________________________________________________________

08.6.56 CVE: Not Available
Platform: Web Application - SQL Injection
Title: Mambo/Joomla Glossary "com_glossary" Component SQL Injection
Description: Mambo and Joomla are PHP-based content managers. The
"com_glossary" component for Mambo/Joomla is exposed to an SQL
injection issue because it fails to sufficiently sanitize
user-supplied data before using it in an SQL query. Specifically, this
issue affects the "catid" parameter. "com_glossary" version 2.0 is
affected.
Ref: http://www.securityfocus.com/bid/27505
______________________________________________________________________

08.6.57 CVE: Not Available
Platform: Web Application - SQL Injection
Title: Coppermine Photo Gallery Multiple SQL Injection Vulnerabilities
Description: Coppermine Photo Gallery is a web-based, photo gallery
application. The application is exposed to multiple SQL injection
issues because it fails to sufficiently sanitize user-supplied data to
unspecified parameters of the "reviewcom.php" and "util.php" scripts
before using it in an SQL query. Coppermine Photo Gallery versions
prior to 1.4.15 are affected.
Ref: http://coppermine-gallery.net/forum/index.php?topic=50103.0
______________________________________________________________________

08.6.58 CVE: Not Available
Platform: Web Application - SQL Injection
Title: Mambo/Joomla "com_musepoes" Component "aid" Parameter SQL
Injection
Description: Mambo and Joomla are PHP-based content managers. The
"com_musepoes" component for Mambo/Joomla is exposed to an SQL
injection issue because it fails to sufficiently sanitize
user-supplied data to the "aid" parameter before using it in an SQL
query.
Ref: http://www.securityfocus.com/bid/27507
______________________________________________________________________

08.6.59 CVE: Not Available
Platform: Web Application - SQL Injection
Title: Mambo/Joomla "com_buslicense" Component "aid" Parameter SQL
Injection
Description: Mambo and Joomla are PHP-based content managers. The
"com_buslicense" component for Mambo/Joomla is exposed to an SQL
injection issue because it fails to sufficiently sanitize
user-supplied data to the "aid" parameter before using it in an SQL
query.
Ref: http://www.securityfocus.com/bid/27508
______________________________________________________________________

08.6.60 CVE: Not Available
Platform: Web Application - SQL Injection
Title: Joomla! com_recipes Component "id" Parameter SQL Injection
Description: The com_recipes component is a recipe module for the
Joomla! content manager. The application is exposed to an SQL
injection issue because it fails to sufficiently sanitize
user-supplied data to the "id" parameter of the "index.php" script
before using it in an SQL query.
Ref: http://www.securityfocus.com/bid/27519
______________________________________________________________________

08.6.61 CVE: Not Available
Platform: Web Application - SQL Injection
Title: Joomla! EstateAgent Component "index.php" SQL Injection
Description: The Joomla! EstateAgent component is a module for the
Joomla! content manager. The application is exposed to an SQL
injection issue because it fails to sufficiently sanitize
user-supplied data to the "objid" parameter of the "index.php" script
before using it in an SQL query.
Ref: http://www.securityfocus.com/bid/27520
______________________________________________________________________

08.6.62 CVE: Not Available
Platform: Web Application - SQL Injection
Title: Joomla! com_jokes Component "cat" Parameter SQL Injection
Description: The "com_jokes" component is a module for the Joomla!
content manager. The application is exposed to an SQL injection issue
because it fails to sufficiently sanitize user-supplied data to the
"cat" parameter of the "index.php" script before using it in an SQL
query.
Ref: http://www.securityfocus.com/bid/27522
______________________________________________________________________

08.6.63 CVE: Not Available
Platform: Web Application - SQL Injection
Title: ibProArcade "overwrite_order" Parameter SQL Injection
Description: ibProArcade is a PHP-based arcade system. The application
is exposed to an SQL injection issue because it fails to sufficiently
sanitize user-supplied data to the "overwrite_order" parameter of the
"index.php" script before using it in an SQL query. ibProArcade
version 3.3.0 is affected.
Ref: http://www.securityfocus.com/bid/27523
______________________________________________________________________

08.6.64 CVE: Not Available
Platform: Web Application - SQL Injection
Title: WordPress WassUp Plugin "spy.php" SQL Injection
Description: WassUp is a WordPress plugin for tracking website
statistics. The plugin is exposed to an SQL injection issue because it
fails to sufficiently sanitize user-supplied data to the "to_date"
parameter of the "spy.php" script before using it in an SQL query.
WassUp version 1.4.3 is affected.
Ref: http://www.securityfocus.com/bid/27525
______________________________________________________________________

08.6.65 CVE: Not Available
Platform: Web Application - SQL Injection
Title: ELOG "logbook" HTML Injection
Description: ELOG is a web-log application written for use on
Microsoft Windows and Linux/Unix platforms. The application is exposed
to an HTML injection issue because it fails to properly sanitize
user-supplied input to the "logbook" script. ELOG versions prior to
2.7.2 are affected.
Ref: http://midas.psi.ch/elog/download/ChangeLog
______________________________________________________________________

08.6.66 CVE: Not Available
Platform: Web Application - SQL Injection
Title: DeltaScripts PHP Links "vote.php" SQL Injection
Description: DeltaScripts PHP Links is a web-based link directory. The
application is exposed to an SQL injection issue because it fails to
sufficiently sanitize user-supplied data to the "id" parameter of the
"vote.php" script before using it in an SQL query. PHP Links versions
1.3 and earlier are affected.
Ref: http://www.securityfocus.com/bid/27530
______________________________________________________________________

08.6.67 CVE: Not Available
Platform: Web Application - SQL Injection
Title: Joomla! and Mambo com_restaurant Component "id" Parameter SQL
Injection
Description: The "com_restaurant" component is a restaurant module for
the Joomla! and Mambo content managers. The application is exposed to
an SQL injection issue because it fails to sufficiently sanitize
user-supplied data to the "id" parameter of the "com_restaurant"
component before using it in an SQL query.
Ref: http://www.securityfocus.com/bid/27551
______________________________________________________________________

08.6.68 CVE: Not Available
Platform: Web Application - SQL Injection
Title: Joomla! and Mambo AkoGallery Component "id" Parameter SQL
Injection
Description: The AkoGallery component is a module for the Joomla! and
Mambo content managers. The application is exposed to an SQL injection
issue because it fails to sufficiently sanitize user-supplied data to
the "id" parameter of "com_akogallery" before using it in an SQL
query.
Ref: http://www.securityfocus.com/bid/27557
______________________________________________________________________

08.6.69 CVE: Not Available
Platform: Web Application - SQL Injection
Title: Joomla! and Mambo Catalog Component "id" Parameter SQL
Injection
Description: CatalogShop is a third-party, e-commerce component for
Mambo and Joomla!. The application is exposed to an SQL injection
issue because it fails to sufficiently sanitize user-supplied data to
the "id" parameter of "index.php" when the "option" parameter is set
to "com_catalogshop". CatalogShop version 1.0 b1 is affected.
Ref: http://www.securityfocus.com/bid/27558
______________________________________________________________________

08.6.70 CVE: Not Available
Platform: Web Application
Title: Smart Publisher "/admin/op/disp.php" Remote Code Execution
Description: Smart Publisher is a PHP-based application that allows
users to develop and publish static and dynamic web sites. The
application is exposed to an issue that lets remote attackers execute
arbitrary code because it fails to properly sanitize user-supplied
input to the "filedata" parameter of the "/admin/op/disp.php" script.
Smart Publisher version 1.0.1 is affected.
Ref: http://www.securityfocus.com/bid/27488
______________________________________________________________________

08.6.71 CVE: Not Available
Platform: Web Application
Title: Bubbling Library "dispatcher.php" Multiple Local File Include
Vulnerabilities
Description: Bubbling Library provides a set of plugins for building
event-driven web applications. The application is exposed to multiple
local file include issues because it fails to properly sanitize
user-supplied input to the "uri" parameter. Bubbling Library version
1.32 is affected.
Ref: http://www.securityfocus.com/bid/27482
______________________________________________________________________

08.6.72 CVE: Not Available
Platform: Web Application
Title: VB Marketing "tseekdir.cgi" Local File Include
Description: VB Marketing is a web-based application implemented in
Perl. The application is exposed to a local file include issue because
it fails to properly sanitize user-supplied input to the "location"
parameter of the "tseekdir.cgi" script.
Ref: http://www.securityfocus.com/bid/27475
______________________________________________________________________

08.6.73 CVE: Not Available
Platform: Web Application
Title: phpMyClub "page_courante" Parameter Local File Include
Description: phpMyClub is a PHP-based content manager (CMS) designed
for sport associations. The application is exposed to a local file
include issue because it fails to properly sanitize user-supplied
input to the "page_courante" parameter. phpMyClub version 0.0.1 is
affected.
Ref: http://www.securityfocus.com/bid/27480
______________________________________________________________________

08.6.74 CVE: Not Available
Platform: Web Application
Title: ClanSphere "install.php" Local File Include
Description: ClanSphere is a PHP-based content manager. The
application is exposed to a local file include issue because it fails
to properly sanitize user-supplied input to the "lang" parameter of
the "install.php" script. ClanSphere version 2007.4.4 is affected.
Ref: http://www.securityfocus.com/archive/1/487132
______________________________________________________________________

08.6.75 CVE: Not Available
Platform: Web Application
Title: Mambo MOStlyCE Module Image Manager Utility Arbitrary File
Upload
Description: MOStlyCE is a WYSIWYG editor module included with the Mambo
content manager. The application is exposed to an arbitrary file upload
issue because it fails to sufficiently sanitize user-supplied input. The
issue occurs when the module's "Image Manager" utility is installed.
MOStlyCE version 2.4 included with Mambo version 4.6.3 is affected.
Ref: http://www.securityfocus.com/archive/1/487128
______________________________________________________________________

08.6.76 CVE: Not Available
Platform: Web Application
Title: ASPired2Protect Login Page Authentication Bypass
Description: ASPired2Protect is an ASP-based file protection system
with an Access database. The application is exposed to an
authentication bypass issue because it fails to adequately check
user-supplied input to the Login page.
Ref: http://www.securityfocus.com/archive/1/487137
______________________________________________________________________

08.6.77 CVE: Not Available
Platform: Web Application
Title: CandyPress Multiple Input Validation Vulnerabilities
Description: CandyPress is an ASP-based, e-commerce application. The
application is exposed to multiple input validation issues because it
fails to properly sanitize user-supplied input. CandyPress version
4.1.1.26 is affected.
Ref: http://www.securityfocus.com/archive/1/487058
______________________________________________________________________

08.6.78 CVE: Not Available
Platform: Web Application
Title: WebCalendar Multiple HTML Injection and Cross-Site Scripting
Vulnerabilities
Description: WebCalendar is a web-based calendar implemented in PHP.
The application is exposed to multiple HTML injection and cross-site
scripting issues because the application fails to properly sanitize
user-supplied input before using it in dynamically generated content.
WebCalendar version 1.1.6 is affected.
Ref: http://www.digitrustgroup.com/advisories/web-application-security-webcalendar.html
______________________________________________________________________

08.6.79 CVE: Not Available
Platform: Web Application
Title: Gerd Tentler Simple Forum Multiple Input Validation
Vulnerabilities
Description: Gerd Tentler Simple Forum is web-based forum software.
The application is exposed to multiple input validation issues because
it fails to sufficiently sanitize user-supplied input. Simple Forum
version 3.2 is affected.
Ref: http://www.milw0rm.com/exploits/4989
______________________________________________________________________

08.6.80 CVE: Not Available
Platform: Web Application
Title: Bubbling Library Multiple Local File Include Vulnerabilities
Description: Bubbling Library provides a set of plug-ins for building
event-driven web applications. The application is exposed to multiple
local file include issues because it fails to properly sanitize
user-supplied input data. Bubbling Library version 1.32 is affected.
Ref: http://www.securityfocus.com/bid/27466
______________________________________________________________________

08.6.81 CVE: Not Available
Platform: Web Application
Title: phpCMS "parser/parser.php" Local File Include
Description: phpCMS is a PHP-based content manager. The application is
exposed to a local file include issue because it fails to properly
sanitize user-supplied input to the "file" parameter of the
"parser/parser.php" script. phpCMS version 1.2.2 is affected.
Ref: http://www.securityfocus.com/archive/1/487251
______________________________________________________________________

08.6.82 CVE: Not Available
Platform: Web Application
Title: Connectix Boards "part_userprofile.php" Remote File Include
Description: Connectix Boards is a PHP-based forum application. The
application is exposed to a remote file include issue because it fails
to properly sanitize user-supplied input to the "template_path"
parameter of the "templates/Official/part_userprofile.php" script.
Connectix Boards versions 0.8.1 and 0.8.2 are affected.
Ref: http://www.securityfocus.com/bid/27506
______________________________________________________________________

08.6.83 CVE: Not Available
Platform: Web Application
Title: Coppermine Photo Gallery "showdoc.php" Multiple Cross-Site
Scripting Vulnerabilities
Description: Coppermine Photo Gallery is a web-based, photo gallery
application. The application is exposed to multiple cross-site
scripting issues because it fails to properly sanitize user-supplied
input to the "h" and "t" parameters of the "docs/showdoc.php" script.
Coppermine Photo Gallery versions prior to 1.4.15 are affected.
Ref: http://coppermine-gallery.net/forum/index.php?topic=50103.0
______________________________________________________________________

08.6.84 CVE: Not Available
Platform: Web Application
Title: Coppermine Photo Gallery Multiple Remote Command Execution
Vulnerabilities
Description: Coppermine Photo Gallery is a web-based, photo gallery
application. The application is exposed to multiple issues that
attackers can leverage to execute arbitrary commands. These issues
occur because the application fails to adequately sanitize
user-supplied input. Coppermine Photo Gallery versions prior to 1.4.15
are affected.
Ref: http://coppermine-gallery.net/forum/index.php?topic=50103.0
______________________________________________________________________

08.6.85 CVE: Not Available
Platform: Web Application
Title: SQLiteManager "confirm.php" Remote File Include
Description: SQLiteManager is a web-based application for managing
SQLite databases. The application is exposed to a remote file include
issue because it fails to properly sanitize user-supplied input to the
"spaw_root" parameter of the "spaw/dialogs/confirm.php" script.
SQLiteManager version 1.2.0 is affected.
Ref: http://www.securityfocus.com/bid/27515
______________________________________________________________________

08.6.86 CVE: Not Available
Platform: Web Application
Title: DeltaScripts PHP Links "smarty.php" Remote File Include
Description: DeltaScripts PHP Links is a web-based link directory. The
application is exposed to a remote file include issue because it fails
to properly sanitize user-supplied input to the
"full_path_to_public_program" parameter of the "includes/smarty.php"
script. PHP Links versions 1.3 and earlier are affected.
Ref: http://www.securityfocus.com/bid/27529
______________________________________________________________________

08.6.87 CVE: Not Available
Platform: Web Application
Title: ChronoEngine ChronoForms mosConfig_Absolute_Path Multiple
Remote File Include Vulnerabilities
Description: ChronoEngine ChronoForms is a component for the Joomla!
content manager. The application is exposed to multiple remote file
include issues because it fails to sufficiently sanitize user-supplied
input to the "mosConfig_absolute_path" parameter. ChronoForms version
2.3.5 is affected.
Ref: http://www.securityfocus.com/bid/27531
______________________________________________________________________

08.6.88 CVE: Not Available
Platform: Web Application
Title: VirtueMart Information Disclosure
Description: VirtueMart is a web-based shopping application. The
application is exposed to an information disclosure issue because it
fails to properly sanitize user-supplied input to an unspecified
parameter when viewing a product. The parameter is then used in the
script to read a template file. VirtueMart versions 1.0.13a and
earlier are affected.
Ref: http://virtuemart.net/index.php?option=com_content&task=view&id=275&Itemid=127
______________________________________________________________________

08.6.89 CVE: Not Available
Platform: Web Application
Title: Mindmeld "MM_GLOBALS["home"]" Multiple Remote File Include
Vulnerabilities
Description: Mindmeld is a knowledge-sharing system. The application
is exposed to multiple remote file include issues because it fails to
sufficiently sanitize user-supplied input to the "MM_GLOBALS["home"]"
parameter. Mindmeld version 1.2.0.10 is affected.
Ref: http://www.securityfocus.com/bid/27538
______________________________________________________________________

08.6.90 CVE: Not Available
Platform: Web Application
Title: sflog! "index.php" Multiple Local File Include Vulnerabilities
Description: sflog! is a PHP-based, web log application. The
application is exposed to multiple local file include issues because
it fails to properly sanitize user-supplied input to the "permalink"
and "section" parameters of the "index.php" script. sflog! version
0.96 is affected.
Ref: http://www.securityfocus.com/archive/1/487368
______________________________________________________________________

08.6.91 CVE: Not Available
Platform: Web Application
Title: Drupal OpenID Module "claimed_id" Provider Spoofing
Description: OpenID is a decentralized authentication system. An
OpenID module is available for Drupal. The OpenID module is exposed to
an issue that allows attackers to set up malicious OpenID Providers to
spoof a legitimate OpenID Authority. This issue occurs because the
module fails to adequately verify "claimed_id" values returned by an
OpenID Provider. OpenID versions prior to 5.x-1.1 are affected.
Ref: http://drupal.org/node/216022
______________________________________________________________________

08.6.92 CVE: Not Available
Platform: Web Application
Title: Drupal Secure Site Module Authentication Bypass
Description: Drupal is a content manager. The Secure Site module is a
third-party add-on that allows HTTP-based authentication for
Drupal-based web sites. The application is exposed to an authentication
bypass issue because of an error in the IP-authentication feature.
Secure Site for Drupal versions 5.x and 4.7.x are affected.
Ref: http://drupal.org/node/216019
______________________________________________________________________

08.6.93 CVE: Not Available
Platform: Web Application
Title: Drupal Comment Upload Module Upload Validation Function
Arbitrary File Upload
Description: The Drupal Comment Upload module is a module for the
Drupal content manager that allows users to attach files to
comments. The module is exposed to an arbitrary file upload issue
because it fails to sufficiently sanitize user-supplied input. The
issue exists in the upload validation function when handling incorrect
data.
Ref: http://drupal.org/node/216024
______________________________________________________________________

08.6.94 CVE: Not Available
Platform: Web Application
Title: Drupal Project Issue Tracking Module Multiple Input Validation
Vulnerabilities
Description: Drupal is a content manager. The Project Issue Tracking
module is a third-party add-on that provides issue tracking
functionality for Drupal-based web sites. The module is exposed to
multiple input validation issues because it fails to adequately
sanitize user-supplied input.
Ref: http://drupal.org/node/216063
______________________________________________________________________

08.6.95 CVE: CVE-2008-0180
Platform: Web Application
Title: Liferay Enterprise Portal User Profile Greeting HTML Injection
Description: Liferay Enterprise Portal is a web-based portal
application implemented in Java. The application is exposed to an HTML
injection issue because it fails to properly sanitize user-supplied
input to the "Greeting" form field parameter located in the user
profile. Liferay Enterprise Portal versions prior to 4.4.0 and 4.3.7
are affected.
Ref: http://www.kb.cert.org/vuls/id/732449
______________________________________________________________________

08.6.96 CVE: CVE-2008-0179
Platform: Web Application
Title: Liferay Enterprise Portal "User-Agent" HTTP Header Script
Injection
Description: Liferay Enterprise Portal is a Java-based web portal for
enterprises. The application is exposed to a script injection issue
because it fails to properly sanitize user-supplied input.
Specifically, the user-supplied input from the "User-Agent" HTTP
header isn't sanitized when the application uses it to generate
"Forgot Password" emails. Liferay Enterprise Portal versions prior to
4.4.0 and 4.3.7 are affected.
Ref: http://www.kb.cert.org/vuls/id/888209
______________________________________________________________________

08.6.97 CVE: CVE-2008-0181
Platform: Web Application
Title: Liferay Enterprise Portal Admin Portlet Shutdown Message HTML
Injection
Description: Liferay Enterprise Portal is a web-based portal
implemented in Java. The application is exposed to an HTML injection
issue because it fails to properly sanitize user-supplied input to the
message displayed to all users when the application is shut down.
Liferay Enterprise Portal version 4.4.0 and versions 4.3.7 and earlier are
affected.
Ref: http://www.kb.cert.org/vuls/id/217825
______________________________________________________________________

08.6.98 CVE: Not Available
Platform: Web Application
Title: Nilsons Blogger "comments.php" Local File Include
Description: Nilsons Blogger is a web-based blogging application. The
application is exposed to a local file include issue because it fails
to properly sanitize user-supplied input to the "thispost" parameter
of the "comments.php" script. Nilsons Blogger version 0.11 is
affected.
Ref: http://www.securityfocus.com/archive/1/487384
______________________________________________________________________

08.6.99 CVE: Not Available
Platform: Network Device
Title: Cisco PIX/ASA Enable Login Prompt Privilege Escalation
Description: Cisco PIX and ASA security appliances are potentially
exposed to a privilege escalation issue. This issue occurs when users
with privilege level 0 attempt to connect to vulnerable devices
locally through the console, or remotely via telnet. Cisco PIX/ASA
operating system Finesse versions 7.1 and 7.2 are affected.
Ref: http://www.securityfocus.com/archive/1/486959
______________________________________________________________________

08.6.100 CVE: Not Available
Platform: Network Device
Title: 2Wire Routers "H04_POST" Access Validation
Description: 2Wire routers are network devices designed for home and
small-office setups. Multiple 2Wire routers are exposed to an access
validation issue because they fail to adequately authenticate users
prior to performing certain actions. This issue occurs when the
devices handle "xslt" requests for the "H04_POST" page that contain
arbitrary "PASSWORD" parameter data and a valid user name passed to
the "PASSWORD_CONF" parameter. 2Wire routers that have the "H04_POST"
page are affected.
Ref: http://www.securityfocus.com/bid/27516
______________________________________________________________________

(c) 2008. All rights reserved. The information contained in this
newsletter, including any external links, is provided "AS IS," with no
express or implied warranty, for informational purposes only. In some
cases, copyright for material in this newsletter may be held by a party
other than Qualys (as indicated herein) and permission to use such
material must be requested from the copyright owner.

Subscriptions: RISK is distributed free of charge by the SANS Institute
to people responsible for managing and securing information systems and
networks. You may forward this newsletter to others with such
responsibility inside or outside your organization.
