RISK: The Consensus Security Vulnerability Alert Vol. 7 No. 12
From: The SANS Institute (ConsensusSecurityVulnerabilityAlert sans.org)
Date: Thu Mar 20 2008 - 15:26:23 CDT
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
A week without critical Microsoft vulnerabilities. Apple and Sun had
system level vulnerabilities reported this week but most of the reports
of vulnerabilities rated critical and high danger are for applications:
CA ArcServe (backup), IBM Informix (database), Business Objects
(business intelligence), F-Secure (security). And web application
vulnerabilities are continuing to grow out of control. If you buy or
build custom applications, try to come to the Web Application Security
Summit (http://www.sans.org/appsec08_summit) and/or the Pen Testing
Summit (http://www.sans.org/pentesting08_summit) in Las Vegas in late
May. You'll find out what actually works in reducing application
vulnerabilities.
Alan
*************************************************************************
RISK: The Consensus Security Vulnerability Alert
March 20, 2008 Vol. 7. Week 12
*************************************************************************
RISK is the SANS community's consensus bulletin summarizing the most
important vulnerabilities and exploits identified during the past week
and providing guidance on appropriate actions to protect your systems
(PART I). It also includes a comprehensive list of all new
vulnerabilities discovered in the past week (PART II).
Summary of Updates and Vulnerabilities in this Consensus
Platform                                  Number of Updates and Vulnerabilities
----------------------------------------  -------------------------------------
Other Microsoft Products                   1
Third Party Windows Apps                   9 (#5, #7, #10)
Mac Os                                     2 (#2)
Solaris                                    2
Unix                                       2 (#11)
Cross Platform                            23 (#1, #3, #4, #6, #8, #9)
Web Application - Cross Site Scripting    13
Web Application - SQL Injection           18
Web Application                           18
Network Device                             2
*************************************************************************
TRAINING UPDATE
Where can you find the newest Penetration Testing techniques,
Application Pen Testing, Hacker Exploits, Secure Web Application
Development, Security Essentials, Forensics, Wireless, Auditing, CISSP,
and SANS' other top-rated courses?
- SANS 2008 in Orlando (4/18-4/25) SANS' biggest program with myriad
bonus sessions and a huge exhibition of security products:
http://www.sans.org/sans2008
- Washington DC (Tyson's) 3/24-3/31 http://www.sans.org/tysonscorner08
- San Diego (5/9-5/16) http://www.sans.org/securitywest08
- Toronto (5/10-5/16) http://www.sans.org/toronto08
- and in 100 other cities and online any time: www.sans.org
*************************************************************************
Table Of Contents
Part I -- Critical Vulnerabilities from TippingPoint (www.tippingpoint.com)
Widely Deployed Software
(1) CRITICAL: IBM Informix Dynamic Server Multiple Vulnerabilities
(2) CRITICAL: Apple Mac OS Multiple Vulnerabilities
(3) CRITICAL: Apple Safari Multiple Vulnerabilities
(4) CRITICAL: Asterisk Multiple Vulnerabilities
(5) HIGH: Alt-N MDaemon IMAP Command Handling Buffer Overflow
(6) HIGH: MIT Kerberos Multiple Vulnerabilities
(7) HIGH: BusinessObjects Report Viewer ActiveX Control Buffer Overflow
(8) HIGH: F-Secure Multiple Archive Handling Vulnerabilities
(9) HIGH: CUPS CGI Handling Buffer Overflow
(10) HIGH: CA BrightStor ARCserve Backup ActiveX Control Buffer Overflow
(11) MODERATE: Sun Solaris NIS+ RPC Handling Vulnerability
Part II -- Comprehensive List of Newly Discovered Vulnerabilities from
Qualys (www.qualys.com)
-- Other Microsoft Products
08.12.1 - Microsoft Internet Explorer CreateTextRange.text Denial of Service
-- Third Party Windows Apps
08.12.2 - Cisco User-Changeable Password (UCP) "CSuserCGI.exe" Multiple Remote Vulnerabilities
08.12.3 - McAfee Framework ePolicy Orchestrator "_naimcomn_Log" Remote Format String Vulnerability
08.12.4 - Alt-N MDaemon IMAP Server FETCH Command Remote Buffer Overflow
08.12.5 - CA BrightStor "AddColumn()" ListCtrl.ocx ActiveX Control Buffer Overflow
08.12.6 - Home FTP Server Remote Denial of Service
08.12.7 - Registry Pro "epRegPro.ocx" ActiveX Control Insecure Method And Buffer Overflow Vulnerabilities
08.12.8 - BusinessObjects "RptViewerAX" ActiveX Control Stack Based Buffer Overflow
08.12.9 - HTTP File Upload ActiveX Control Arbitrary File and Directory Deletion
08.12.10 - Check Point VPN-1 IP Address Collision Denial of Service
-- Mac Os
08.12.11 - Apple Mac OS X 2008-002 Multiple Security Vulnerabilities
08.12.12 - Apple Mac OS X Server Wiki Server Directory Traversal
-- Solaris
08.12.13 - Sun Solaris "rpc.metad" Remote Denial of Service
08.12.14 - Sun Solaris 10 XScreenSaver(1) Locked Screen Bypass
-- Unix
08.12.15 - SCO UnixWare pkgadd Local Privilege Escalation
08.12.16 - CUPS CGI Interface Remote Buffer Overflow
-- Cross Platform
08.12.17 - SurgeMail IMAP LIST Command Remote Buffer Overflow
08.12.18 - Rosoft Media Player RML File Stack-Based Buffer Overflow
08.12.19 - XnView Command-Line Arguments Buffer Overflow
08.12.20 - VLC Media Player Subtitle Parsing Buffer Overflow
08.12.21 - Lighttpd mod_userdir Information Disclosure
08.12.22 - IBM WebSphere MQ for HP NonStop Security Bypass
08.12.23 - ZABBIX File Checksum Request Denial of Service
08.12.24 - Cisco CiscoWorks Internetwork Performance Monitor Unspecified Remote Command Execution
08.12.25 - Novell GroupWise Windows Client API Shared Folder Email Information Disclosure
08.12.26 - MG-SOFT Net Inspector Multiple Remote Vulnerabilities
08.12.27 - BootManage TFTP Server "filename" Remote Buffer Overflow
08.12.28 - VLC Media Player "Subtitle" Buffer Overflow
08.12.29 - VMware Server 1.0.5 and Workstation 6.0.3 Multiple Vulnerabilities
08.12.30 - 7-Zip Unspecified Archive Handling
08.12.31 - bzip2 Unspecified File Handling
08.12.32 - Info-ZIP UnZip "inflate_dynamic()" Remote Code Execution
08.12.33 - VMware Products Multiple Vulnerabilities
08.12.34 - Apple Safari Prior to 3.1 Multiple Security Vulnerabilities
08.12.35 - MIT Kerberos5 kadmind Excessive File Descriptors Multiple Remote Code Execution Vulnerabilities
08.12.36 - MIT Kerberos 5 KDC Multiple Memory Corruption Based Information Disclosure Vulnerabilities
08.12.37 - Asterisk RTP Codec Payload Handling Multiple Buffer Overflow Vulnerabilities
08.12.38 - Asterisk Call Authentication Security Bypass
08.12.39 - Asterisk Logger and Manager Format String Vulnerabilities
-- Web Application - Cross Site Scripting
08.12.40 - SNewsCMS "search.php" Cross-Site Scripting
08.12.41 - Nagios Prior to 2.11 Unspecified Cross-Site Scripting
08.12.42 - Download Center Multiple Cross-Site Scripting Vulnerabilities
08.12.43 - Jeebles Directory Multiple Cross-Site Scripting Vulnerabilities
08.12.44 - onlinetools.org EasyImageCatalogue Multiple Cross-Site Scripting Vulnerabilities
08.12.45 - ClanSphere "index.php" Multiple Cross-Site Scripting Vulnerabilities
08.12.46 - eWeather "chart" Parameter Cross-Site Scripting
08.12.47 - cfnetgs "index.php" Cross-Site Scripting
08.12.48 - RSA WebID "IISWebAgentIF.dll" Cross-Site Scripting
08.12.49 - Imperva SecureSphere Cross-Site Scripting
08.12.50 - phpstats "phpstats.php" Cross-Site Scripting
08.12.51 - webSPELL "index.php" Cross-Site Scripting
08.12.52 - eForum "busca.php" Multiple Cross-Site Scripting Vulnerabilities
-- Web Application - SQL Injection
08.12.53 - eXV2 Viso Module "kid" Parameter SQL Injection
08.12.54 - eXV2 CMS WebChat Module "roomid" Parameter SQL Injection
08.12.55 - auraCMS "HTTP_X_FORWARDED_FOR" SQL Injection
08.12.56 - eXV2 "eBlog" Module "blog_id" Parameter SQL Injection
08.12.57 - eXV2 MyAnnonces Module "lid" Parameter SQL Injection
08.12.58 - MAXdev My eGallery Module For Xoops "gid" Parameter SQL Injection
08.12.59 - Fully Modded PHPBB2 "kb.php" SQL Injection
08.12.60 - bamaGalerie "viewcat.php" SQL Injection
08.12.61 - XOOPS MyTutorials Module "printpage.php" SQL Injection
08.12.62 - EasyGallery "index.php" Multiple SQL Injection and Cross-Site Scripting Vulnerabilities
08.12.63 - LaGarde StoreFront "SearchResults.aspx" SQL Injection
08.12.64 - Virtual Support Office-XP "MyIssuesView.asp" SQL Injection
08.12.65 - Joomla! and Mambo "com_guide" Component "category" Parameter SQL Injection
08.12.66 - phpBP "id" Parameter SQL Injection
08.12.67 - XOOPS Dictionary Module "print.php" SQL Injection
08.12.68 - Joomla! and Mambo Acajoom Component "mailingid" Parameter SQL Injection
08.12.69 - KAPhotoservice "album.asp" SQL Injection
08.12.70 - Easy-Clanpage "id" Parameter SQL Injection
-- Web Application
08.12.71 - Multiple Time Sheets "tab" Parameter Multiple Input Validation Vulnerabilities
08.12.72 - DB2 Monitoring Console Multiple Unspecified Security Bypass Vulnerabilities
08.12.73 - Uberghey CMS "index.php" Multiple Local File Include Vulnerabilities
08.12.74 - Travelsized CMS "index.php" Multiple Local File Include Vulnerabilities
08.12.75 - Acyhost "index.php" Remote File Include
08.12.76 - EasyCalendar SQL Injection and Cross-Site Scripting Vulnerabilities
08.12.77 - Polymita Technologies Multiple Products Cross-Site Scripting Vulnerabilities
08.12.78 - Roundup XML-RPC Server Security Bypass
08.12.79 - Roundup Unspecified Security Vulnerabilities
08.12.80 - Edior CMS "search.php" Directory Traversal
08.12.81 - PBSite Multiple Input Validation Vulnerabilities
08.12.82 - Exero CMS "theme" Parameter Multiple Local File Include Vulnerabilities
08.12.83 - WEBalbum "photo_add.php" Security Bypass
08.12.84 - PHPauction "include_path" Parameter Multiple Remote File Include Vulnerabilities
08.12.85 - Strawberry "html.php" Remote Code Execution
08.12.86 - TUTOS "cmd.php" Remote Command Execution
08.12.87 - cPanel List Directories and Folders Information Disclosure
08.12.88 - xine-lib "sdpplin_parse()" Remote Buffer Overflow
-- Network Device
08.12.89 - RaidSonic NAS-4220-B Encryption Key Disclosure
08.12.90 - F-Secure Multiple Products Multiple Remote Archive Handling Vulnerabilities
______________________________________________________________________
PART I Critical Vulnerabilities
Part I for this issue has been compiled by Rob King at TippingPoint, a
division of 3Com, as a by-product of that company's continuous effort
to ensure that its intrusion prevention products effectively block
exploits using known vulnerabilities. TippingPoint's analysis is
complemented by input from a council of security managers from twelve
large organizations who confidentially share with SANS the specific
actions they have taken to protect their systems. A detailed description
of the process may be found at
http://www.sans.org/newsletters/cva/#process
*****************************
Widely Deployed Software
*****************************
(1) CRITICAL: IBM Informix Dynamic Server Multiple Vulnerabilities
Affected:
IBM Informix Dynamic Server
Description: IBM Informix Dynamic Server is a popular enterprise
database management system. It contains multiple vulnerabilities in the
handling of user login requests. An overlong password or database path
parameter could trigger a buffer overflow vulnerability. Successfully
exploiting one of these buffer overflows would allow an attacker to
execute arbitrary code with the privileges of the vulnerable process.
Note that both of these vulnerabilities can be exploited without
authentication. Some technical details for these vulnerabilities are
publicly available.
Status: IBM confirmed, updates available. Users can mitigate the impact
of these vulnerabilities by blocking access to TCP port 1526 at the
network perimeter.
References:
Zero Day Initiative Security Advisories
http://zerodayinitiative.com/advisories/ZDI-08-012/
http://zerodayinitiative.com/advisories/ZDI-08-011/
IBM Security Advisories
http://www-1.ibm.com/support/docview.wss?uid=swg1IC55207
http://www-1.ibm.com/support/docview.wss?uid=swg1IC55208
http://www-1.ibm.com/support/docview.wss?uid=swg1IC55209
http://www-1.ibm.com/support/docview.wss?uid=swg1IC55210
Product Home Page
http://www-306.ibm.com/software/data/informix/ids/
SecurityFocus BID
http://www.securityfocus.com/bid/28198
**********************************************************
(2) CRITICAL: Apple Mac OS Multiple Vulnerabilities
Affected:
Apple Mac OS X versions 10.5.x
Description: Apple Mac OS contains multiple vulnerabilities in a variety
of subsystems and components. These vulnerabilities range in severity
from remote code execution to denials-of-service, cross-site-scripting,
and information disclosure. In some cases, these vulnerabilities are
related to third-party products included in Mac OS X, while others are
specific to the operating system. Some technical details are publicly
available for these vulnerabilities.
Status: Apple confirmed, updates available.
References:
Apple Security Advisory
http://docs.info.apple.com/article.html?artnum=307562
SecurityFocus BIDs
http://www.securityfocus.com/bid/28278
http://www.securityfocus.com/bid/28307
http://www.securityfocus.com/bid/28320
**********************************************************
(3) CRITICAL: Apple Safari Multiple Vulnerabilities
Affected:
Apple Safari versions prior to 3.1
Description: Safari is Apple's web browser for Mac OS X and Microsoft
Windows. It contains multiple vulnerabilities in its handling of a
variety of inputs. Most of these vulnerabilities can lead to
cross-site scripting, but at least one vulnerability has been shown to
lead to arbitrary code execution with the privileges of the current
user. These vulnerabilities could be exploited by a malicious web page.
Some technical details are publicly available for these
vulnerabilities. Both Safari for Mac OS X and Safari for Microsoft
Windows are affected.
Status: Apple confirmed, updates available.
References:
Apple Security Advisory
http://docs.info.apple.com/article.html?artnum=307563
Safari Home Page
http://www.apple.com/safari/download/
SecurityFocus BID
http://www.securityfocus.com/bid/28290
http://www.securityfocus.com/bid/28326
http://www.securityfocus.com/bid/28332
**********************************************************
(4) CRITICAL: Asterisk Multiple Vulnerabilities
Affected:
Asterisk versions 1.4.17 and prior
Description: Asterisk is a popular open source Internet telephony
engine. It is widely used to provide Voice-over-Internet-Protocol (VoIP)
services. It contains multiple vulnerabilities in its handling of
various user requests. By exploiting these vulnerabilities, users can
execute arbitrary code with the privileges of the vulnerable process,
bypass call authentication mechanisms, and create a denial-of-service
condition. Note that exploiting these vulnerabilities may interfere with
telephony services, including emergency services. At least one
proof-of-concept for these vulnerabilities is publicly available and
further details are available via source code analysis.
Status: Vendor confirmed, updates available.
References:
Asterisk Security Advisories
http://downloads.digium.com/pub/security/AST-2008-001.html
http://downloads.digium.com/pub/security/AST-2008-002.html
http://downloads.digium.com/pub/security/AST-2008-003.html
http://downloads.digium.com/pub/security/AST-2008-004.html
http://downloads.digium.com/pub/security/AST-2008-005.html
Vendor Home Page
http://www.asterisk.org/
SecurityFocus BIDs
http://www.securityfocus.com/bid/28308
http://www.securityfocus.com/bid/28316
http://www.securityfocus.com/bid/26928
http://www.securityfocus.com/bid/28310
http://www.securityfocus.com/bid/28311
**********************************************************
(5) HIGH: Alt-N MDaemon IMAP Command Handling Buffer Overflow
Affected:
Alt-N MDaemon IMAP server versions 9.6.4 and prior
Description: MDaemon is a popular mail suite for Microsoft Windows
systems. It contains a flaw in its handling of certain Internet Message
Access Protocol (IMAP) commands. A specially crafted request could lead
to a buffer overflow. Successfully exploiting this buffer overflow would
allow an attacker to execute arbitrary code with the privileges of the
vulnerable process (often SYSTEM). Note that authentication is required
to exploit this vulnerability. A proof-of-concept is publicly available
for this vulnerability.
Status: Vendor has not confirmed, no updates available.
References:
Proof-of-Concept
http://downloads.securityfocus.com/vulnerabilities/exploits/28245.py
Vendor Home Page
http://www.altn.com/
SecurityFocus BID
http://www.securityfocus.com/bid/28245
**********************************************************
(6) HIGH: MIT Kerberos Multiple Vulnerabilities
Affected:
MIT Kerberos versions 5.x
Description: MIT Kerberos is the reference implementation of the
Kerberos authentication protocol, a protocol used for secure
authentication across potentially insecure networks. The implementation
from MIT contains several flaws in its handling of user requests. A
specially crafted request could result in a denial-of-service condition
or potential disclosure of user authentication credentials. At least one
of the reported vulnerabilities is believed to be exploitable for remote
code execution, but this has not been confirmed. Systems running
Kerberos generally have copies of numerous users' authentication
credentials, meaning that exploitation of a Kerberos server can lead to
subsequent exploitation of other systems. Full technical details for
these vulnerabilities are publicly available via source code analysis.
MIT's implementation of Kerberos is used as the basis of numerous other
Kerberos implementations, and is the default Kerberos implementation on
most Linux systems.
Status: MIT confirmed, updates available.
References:
MIT Security Advisories
http://web.mit.edu/kerberos/www/advisories/MITKRB5-SA-2008-001.txt
http://web.mit.edu/kerberos/www/advisories/MITKRB5-SA-2008-002.txt
Product Home Page
http://web.mit.edu/kerberos/www/
Wikipedia Article on the Kerberos Protocol
http://en.wikipedia.org/wiki/Kerberos_%28protocol%29
SecurityFocus BIDs
http://www.securityfocus.com/bid/26750
http://www.securityfocus.com/bid/28303
http://www.securityfocus.com/bid/28302
**********************************************************
(7) HIGH: BusinessObjects Report Viewer ActiveX Control Buffer Overflow
Affected:
BusinessObjects versions 6.x
Description: BusinessObjects provides reporting and business management
software to enterprises. It distributes an ActiveX control with some of
its software known as "RptViewerAX". This control contains a buffer
overflow vulnerability in its handling of user requests. A specially
crafted web page that instantiates this control could trigger this
buffer overflow. Successfully exploiting this buffer overflow would
allow an attacker to execute arbitrary code with the privileges of the
current user. Some technical details are publicly available for this
vulnerability.
Status: BusinessObjects confirmed, updates available. Users can mitigate
the impact of this vulnerability by disabling the affected control via
Microsoft's "kill bit" mechanism using CLSID
"B20D9D6A-0DEC-4d76-9BEF-175896006B4A".
References:
US-CERT Security Advisory
http://www.kb.cert.org/vuls/id/329673
BusinessObjects Update Information
http://support.businessobjects.com/downloads/service_packs/default.asp
Microsoft Knowledge Base Article (documents the "kill bit" mechanism)
http://support.microsoft.com/kb/240797
SecurityFocus BID
http://www.securityfocus.com/bid/28292
**********************************************************
(8) HIGH: F-Secure Multiple Archive Handling Vulnerabilities
Affected:
F-Secure Message Security Gateway
F-Secure Anti-Virus
F-Secure Internet Gateway
F-Secure Internet Security
Description: Multiple F-Secure products have been discovered to have
vulnerabilities in their handling of archive files. A specially crafted
archive file could exploit one of these vulnerabilities to create a
denial-of-service condition. It is thought that at least one of these
vulnerabilities could lead to remote code execution, but this is
unconfirmed. Note that it may be possible to exploit these
vulnerabilities simply by having mail or other files transit a
vulnerable system, requiring no interaction. Several proof-of-concept
archive files are publicly available.
Status: F-Secure confirmed, updates available.
References:
F-Secure Security Advisory
secure.com/security/fsc-2008-2.shtml
Proof-of-Concept
http://www.ee.oulu.fi/research/ouspg/protos/testing/c10/archive/
Secunia Security Advisory
http://secunia.com/advisories/29397/
SecurityFocus BIDs
http://www.securityfocus.com/bid/28282
**********************************************************
(9) HIGH: CUPS CGI Handling Buffer Overflow
Affected:
CUPS versions 1.3.5 and prior
Description: CUPS is the Common Unix Printing System. It is used to
provide printer services on a variety of Unix, Unix-like, and Linux
systems and is the default printing system on Mac OS X systems. It
contains a flaw in its handling of shared printer management requests.
A specially crafted request to the remote management application could
trigger a buffer overflow vulnerability, allowing an attacker to execute
arbitrary code with the privileges of the vulnerable process. Note that
this vulnerability is remotely exploitable only on machines sharing
printers over the network. Technical details are publicly available via
source code analysis.
Status: CUPS confirmed, updates available.
References:
iDefense Security Advisory
http://labs.idefense.com/intelligence/vulnerabilities/display.php?id=674
Product Home Page
http://www.cups.org/
SecurityFocus BIDs
http://www.securityfocus.com/bid/28307
http://www.securityfocus.com/bid/28334
**********************************************************
(10) HIGH: CA BrightStor ARCserve Backup ActiveX Control Buffer Overflow
Affected:
CA BrightStor ARCserve Backup for Laptops and Desktops versions r11.5 and prior
Description: CA BrightStor ARCserve Backup is a popular backup
application. Part of its functionality in its Desktops and Laptops
edition is provided by an ActiveX control. This control contains a
buffer overflow vulnerability in its "AddColumn" method. A specially
crafted web page that instantiates this control could trigger this
buffer overflow vulnerability, allowing an attacker to execute arbitrary
code with the privileges of the current user. A proof-of-concept for
this vulnerability is publicly available.
Status: Vendor has not confirmed, no updates available. Users can
mitigate the impact of this vulnerability by disabling the affected
control via Microsoft's "kill bit" mechanism using CLSID
"BF6EFFF3-4558-4C4C-ADAF-A87891C5F3A3". Note that this may affect normal
application functionality.
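Items (7) and (10) both point users at Microsoft's kill-bit mechanism with a specific CLSID. The script below is an added example written for this page; it is not code from the bulletin, from Microsoft, or from either vendor. It applies the kill bit documented in KB240797 to both CLSIDs named above, writes the Wow6432Node view as well on 64-bit Windows so 32-bit Internet Explorer is covered, preserves any flags already present, and reads each value back to verify. It assumes an elevated PowerShell session on the host being hardened.

```powershell
# Added example, not part of the SANS @RISK bulletin or of any vendor tooling.
# Sets the Internet Explorer "kill bit" (Microsoft KB240797) for the two CLSIDs
# the bulletin names, so IE will no longer instantiate those ActiveX controls.
# Assumes an elevated (Administrator) PowerShell session on the affected host.

$clsids = @(
    '{B20D9D6A-0DEC-4d76-9BEF-175896006B4A}',   # BusinessObjects RptViewerAX, item (7)
    '{BF6EFFF3-4558-4C4C-ADAF-A87891C5F3A3}'    # CA ARCserve ListCtrl.ocx, item (10)
)

# KB240797: bit 0x400 of the "Compatibility Flags" DWORD is the kill bit.
$KillBit = 0x400

# 32-bit IE on 64-bit Windows reads the Wow6432Node view, so both locations
# are written where they exist.
$bases = @(
    'HKLM:\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility',
    'HKLM:\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\ActiveX Compatibility'
)

foreach ($base in $bases) {
    # Skip the Wow6432Node view on 32-bit Windows, where it does not exist.
    if ($base -like '*Wow6432Node*' -and -not (Test-Path -LiteralPath 'HKLM:\SOFTWARE\Wow6432Node')) {
        continue
    }
    foreach ($clsid in $clsids) {
        $key = Join-Path -Path $base -ChildPath $clsid
        if (-not (Test-Path -LiteralPath $key)) {
            New-Item -Path $key -Force | Out-Null
        }

        # Preserve any flags already present: OR the kill bit in, never overwrite.
        $existing = (Get-ItemProperty -LiteralPath $key -Name 'Compatibility Flags' `
                     -ErrorAction SilentlyContinue).'Compatibility Flags'
        if ($null -eq $existing) { $existing = 0 }
        $new = $existing -bor $KillBit
        Set-ItemProperty -LiteralPath $key -Name 'Compatibility Flags' -Value $new -Type DWord

        # Read back and confirm the bit actually landed.
        $check = (Get-ItemProperty -LiteralPath $key -Name 'Compatibility Flags').'Compatibility Flags'
        if (($check -band $KillBit) -eq $KillBit) {
            Write-Output ('Kill bit set: {0} under {1} (Compatibility Flags = 0x{2:X})' -f $clsid, $base, $check)
        } else {
            Write-Warning ('Kill bit NOT set for {0} under {1}' -f $clsid, $base)
        }
    }
}
```

The read-back loop doubles as an audit: running only the Get-ItemProperty half across a fleet shows which hosts still lack the bit. As the bulletin notes for item (10), a kill bit disables the control for legitimate pages too, so the ARCserve web interface that relies on ListCtrl.ocx will stop working until the vendor ships a fixed control.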
References:
Proof-of-Concept
http://milw0rm.com/exploits/5264
Microsoft Knowledge Base Article (documents the "kill bit" mechanism)
http://support.microsoft.com/kb/240797
Vendor Home Page
http://www.ca.com/
SecurityFocus BID
http://www.securityfocus.com/bid/28268
**********************************************************
(11) MODERATE: Sun Solaris NIS+ RPC Handling Vulnerability
Affected:
Sun Solaris versions 10 and prior
Description: Solaris is Sun's UNIX-based operating system. NIS+ is the
Network Information Service (formerly known as the "Yellow Pages"
service), a service providing distributed system details (such as
usernames and passwords) across networks. It was commonly used to share
configuration information and authenticate users in the past, but is now
used mostly in legacy applications. The 'rpc.ypupdated' daemon provides
a Remote Procedure Call (RPC) interface to the NIS+ database. When this
daemon is started in "insecure" mode, it fails to properly handle
certain requests. A specially crafted request can lead to a new user
being added to the NIS+ database, including a user with root privileges.
This can allow total compromise of any system running this daemon in
insecure mode. This daemon is not run by default. This vulnerability was
initially discovered in 1999 and found to affect multiple UNIX operating
system vendors. It is unknown if this vulnerability was fixed in past
versions of Solaris and then reintroduced, or has been present since its
initial discovery on other operating systems. Multiple proofs-of-concept
are publicly available.
Status: Sun has not confirmed, no updates available. Users can mitigate
the impact of this vulnerability by running the affected daemon in
"secure" mode.
References:
Proof-of-Concept (binary file link)
http://www.securityfocus.com/data/vulnerabilities/exploits/1749.tar.gz
Wikipedia Article on NIS+
http://en.wikipedia.org/wiki/Network_Information_Service
Wikipedia Article on RPC
http://en.wikipedia.org/wiki/Open_Network_Computing_Remote_Procedure_Call
Solaris Home Page
http://www.sun.com/solaris
SecurityFocus BID
http://www.securityfocus.com/bid/1749
**********************************************************
Part II: Weekly Comprehensive List of Newly Discovered Vulnerabilities
Week 12, 2008
This list is compiled by Qualys ( www.qualys.com ) as part of that
company's ongoing effort to ensure its vulnerability management web
service tests for all known vulnerabilities that can be scanned. As of
this week Qualys scans for 5549 unique vulnerabilities. For this special
SANS community listing, Qualys also includes vulnerabilities that cannot
be scanned remotely.
08.12.1 CVE: Not Available
Platform: Other Microsoft Products
Title: Microsoft Internet Explorer CreateTextRange.text Denial of
Service
Description: Microsoft Internet Explorer is exposed to a denial of
service issue because the application fails to handle certain
JavaScript code. The issue occurs when the application processes a
malicious page that makes a "CreateTextRange" call and then repeatedly
sets the "text" property to large values.
Ref: http://www.securityfocus.com/archive/1/489741
______________________________________________________________________
08.12.2 CVE: CVE-2008-0532, CVE-2008-0533
Platform: Third Party Windows Apps
Title: Cisco User-Changeable Password (UCP) "CSuserCGI.exe" Multiple
Remote Vulnerabilities
Description: Cisco User-Changeable Password (UCP) is a web-based
server application. It provides the ability for users to change their
ACS password. The application is exposed to multiple remote issues.
These issues affect the "CSuserCGI.exe" binary. UCP versions prior to
4.2 when running on the Microsoft Windows platform are affected.
Ref: http://www.securityfocus.com/archive/1/489460
______________________________________________________________________
08.12.3 CVE: Not Available
Platform: Third Party Windows Apps
Title: McAfee Framework ePolicy Orchestrator "_naimcomn_Log" Remote
Format String Vulnerability
Description: McAfee Framework is an application framework used to
build McAfee products such as ePolicy Orchestrator. The application is
exposed to a remote format string issue because it fails to properly
sanitize user-supplied input before passing it as the format-specifier
argument during a call to "vsnwprintf()". McAfee Framework version
2.6.0.569 and McAfee ePolicy Orchestrator version 4.0 are affected.
Ref: http://www.securityfocus.com/archive/1/489476
______________________________________________________________________
08.12.4 CVE: Not Available
Platform: Third Party Windows Apps
Title: Alt-N MDaemon IMAP Server FETCH Command Remote Buffer Overflow
Description: Alt-N MDaemon is a Microsoft Windows-based mail server
product. The application is exposed to a remote buffer overflow issue
because the application fails to perform adequate boundary checks on
user-supplied data prior to copying it into an insufficiently sized
buffer. Alt-N MDaemon version 9.6.4 is affected.
Ref: http://www.securityfocus.com/bid/28245
______________________________________________________________________
08.12.5 CVE: Not Available
Platform: Third Party Windows Apps
Title: CA BrightStor "AddColumn()" ListCtrl.ocx ActiveX Control Buffer
Overflow
Description: The Unicenter DSM r11 List Control ATX ActiveX control
included with CA BrightStor ARCserve Backup is exposed to a buffer
overflow issue because it fails to bounds check user-supplied data
before copying it into an insufficiently sized buffer. Unicenter DSM
r11 List Control ATX version 11.2.3.1895 on CA BrightStor ARCserve
Backup r11.5 is affected.
Ref: http://support.microsoft.com/kb/240797
______________________________________________________________________
08.12.6 CVE: Not Available
Platform: Third Party Windows Apps
Title: Home FTP Server Remote Denial of Service
Description: Home FTP Server is an FTP server implementation for
computers running Microsoft Windows. The application is exposed to a
remote denial of service issue.
Ref: http://www.securityfocus.com/archive/1/489706
______________________________________________________________________
08.12.7 CVE: Not Available
Platform: Third Party Windows Apps
Title: Registry Pro "epRegPro.ocx" ActiveX Control Insecure Method And
Buffer Overflow Vulnerabilities
Description: Registry Pro "epRegPro.ocx" ActiveX control is exposed to
two issues. The first is an insecure method issue that allows attackers
to delete arbitrary registry keys from users' machines in the context
of the application using the ActiveX control. The second is a buffer
overflow issue that occurs because the application fails to bounds check
user-supplied data before copying it into an insufficiently sized
buffer.
Ref: http://www.securityfocus.com/bid/28287
______________________________________________________________________
08.12.8 CVE: CVE-2007-6254
Platform: Third Party Windows Apps
Title: BusinessObjects "RptViewerAX" ActiveX Control Stack-Based
Buffer Overflow
Description: BusinessObjects is an enterprise-level collaborative
productivity and data management system. The application is exposed to
a stack-based buffer overflow issue that affects the "RptViewerAX.dll"
dynamic-link library.
Ref: http://www.kb.cert.org/vuls/id/329673
______________________________________________________________________
08.12.9 CVE: Not Available
Platform: Third Party Windows Apps
Title: HTTP File Upload ActiveX Control Arbitrary File and Directory
Deletion
Description: HTTP File Upload is an ActiveX control to allow extra
functionality for websites that want users to upload files. The
ActiveX control is exposed to an issue that lets attackers delete
arbitrary files or directories on affected computers. HTTP File Upload
ActiveX Control version 6.0.0.35 is affected.
Ref: http://support.microsoft.com/kb/240797
______________________________________________________________________
08.12.10 CVE: Not Available
Platform: Third Party Windows Apps
Title: Check Point VPN-1 IP Address Collision Denial of Service
Description: Check Point VPN-1 SecureClient/SecuRemote client for
Microsoft Windows is a VPN (Virtual Private Network) application used
to securely connect remote computers to enterprise networks. The
application is exposed to a denial of service issue that can result in
information disclosure because it fails to adequately handle IP
address collisions.
Ref: http://www.kb.cert.org/vuls/id/992585
______________________________________________________________________
08.12.11 CVE: CVE-2008-0044, CVE-2008-0045, CVE-2008-0048,
CVE-2008-0049, CVE-2008-0057, CVE-2008-0097, CVE-2008-0046,
CVE-2008-0051, CVE-2008-0052, CVE-2008-0053, CVE-2008-0054,
CVE-2008-0055, CVE-2008-0056, CVE-2008-0058, CVE-2008-0059,
CVE-2008-0060, CVE-2008-0987, CVE-2008-0988, CVE-2008-0989,
CVE-2008-0990, CVE-2008-0992, CVE-2008-0993, CVE-2008-0994,
CVE-2008-0995, CVE-2008-0996, CVE-2008-0998, CVE-2008-0999
Platform: Mac Os
Title: Apple Mac OS X 2008-002 Multiple Security Vulnerabilities
Description: Apple Mac OS X is exposed to multiple security issues.
Apple Mac OS X versions 10.4.11, 10.4.11 Server, 10.5.2, 10.5.2 Server
and earlier are affected.
Ref: http://docs.info.apple.com/article.html?artnum=307430
______________________________________________________________________
08.12.12 CVE: CVE-2008-1000
Platform: Mac Os
Title: Apple Mac OS X Server Wiki Server Directory Traversal
Description: Mac OS X Server 10.5 (Leopard) provides a Wiki Server
used for collaborative website creation. The application is exposed to
a directory traversal issue because it fails to sufficiently sanitize
user-supplied input data. Wiki Server from Mac OS X Server version
10.5 is affected.
Ref: http://www.coresecurity.com/?action=item&id=2189
______________________________________________________________________
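As an added illustration of the directory traversal class this entry belongs to (example code written for this bulletin, not Apple's Wiki Server code; the document root, file names and request strings are constructed), the following Python check canonicalises both the document root and the requested path before comparing them, so that ".." segments and symlinks pointing outside the root are caught:

```python
import os
import tempfile


class TraversalError(ValueError):
    """Raised when a requested path resolves outside the document root."""


def resolve_under_root(root: str, user_path: str) -> str:
    """Return the absolute on-disk path for user_path, confined to root.

    Both sides go through realpath so that '..' segments, repeated
    separators and symlinks are resolved before the comparison. A plain
    string-prefix test on the unresolved path is not enough: it misses
    symlinks that point outside the root, and it accepts a sibling such
    as '/srv/wiki-private' when the root is '/srv/wiki'.
    """
    root_real = os.path.realpath(root)
    # Drop a leading separator so an absolute request is still joined
    # under root instead of replacing it.
    candidate = os.path.realpath(os.path.join(root_real, user_path.lstrip("/\\")))
    if os.path.commonpath([root_real, candidate]) != root_real:
        raise TraversalError(f"refusing path outside document root: {user_path!r}")
    return candidate


def demo() -> dict:
    """Constructed document root: one page, plus a symlink pointing outside it."""
    outcome = {}
    with tempfile.TemporaryDirectory() as tmp:
        root = os.path.join(tmp, "wiki")
        os.makedirs(root)
        with open(os.path.join(root, "page.html"), "w") as fh:
            fh.write("<p>hello</p>\n")
        with open(os.path.join(tmp, "secret.txt"), "w") as fh:
            fh.write("outside the root\n")
        os.symlink(os.path.join(tmp, "secret.txt"), os.path.join(root, "link"))
        requests = (
            "page.html",          # ordinary request
            "sub/../page.html",   # '..' that stays inside the root
            "../secret.txt",      # classic traversal
            "..%2Fsecret.txt",    # still URL-encoded: treated as a literal name
            "link",               # symlink whose target is outside the root
        )
        for req in requests:
            try:
                resolve_under_root(root, req)
                outcome[req] = "allowed"
            except TraversalError:
                outcome[req] = "blocked"
    return outcome


if __name__ == "__main__":
    for req, verdict in demo().items():
        print(f"{verdict:8} {req}")
```

The "..%2Fsecret.txt" line is the caveat: the check only sees the string it is handed, so the web layer must URL-decode the path (once) before calling it, or an encoded traversal is accepted as a harmless literal file name that merely does not exist.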
08.12.13 CVE: Not Available
Platform: Solaris
Title: Sun Solaris "rpc.metad" Remote Denial of Service
Description: The "rpc.metad" daemon is an RPC (Remote Procedure Call)
application used for managing metadevice diskset information. The
application is exposed to a denial of service issue because it fails
to properly handle specially-crafted network data. "rpc.metad" on
Solaris 10 operating systems is affected.
Ref: http://www.securityfocus.com/bid/28261
______________________________________________________________________
08.12.14 CVE: Not Available
Platform: Solaris
Title: Sun Solaris 10 XScreenSaver(1) Locked Screen Bypass
Description: XScreenSaver(1) is a screen saver with desktop-locking
functionality. This feature is designed to prevent access to the
desktop by users without valid credentials. The application is exposed
to an issue that lets local attackers bypass a user's locked screen.
Solaris 10 Java Desktop System (JDS) on both SPARC and x86 platforms
is affected.
Ref: http://sunsolve.sun.com/search/document.do?assetkey=1-66-234661-1
______________________________________________________________________
08.12.15 CVE: Not Available
Platform: Unix
Title: SCO UnixWare pkgadd Local Privilege Escalation
Description: The pkgadd utility transfers and installs software packages
and patches from distribution media or directories. SCO UnixWare pkgadd
may allow local attackers to gain elevated privileges. This issue
arises due to an input validation error. SCO UnixWare version 7.1.4 is
affected.
Ref: http://www.securityfocus.com/bid/28236
______________________________________________________________________
08.12.16 CVE: CVE-2008-0047
Platform: Unix
Title: CUPS CGI Interface Remote Buffer Overflow
Description: CUPS, Common UNIX Printing System, is a widely used set
of printing utilities for UNIX-based systems. The application is
exposed to a remote buffer overflow issue because it fails to properly
bounds check user-supplied data before copying it to an insufficiently
sized memory buffer. CUPS version 1.3.5 is affected.
Ref:
http://labs.idefense.com/intelligence/vulnerabilities/display.php?id=674
______________________________________________________________________
08.12.17 CVE: Not Available
Platform: Cross Platform
Title: SurgeMail IMAP LIST Command Remote Buffer Overflow
Description: SurgeMail is a commercial email application that contains
an IMAP server; it runs on multiple platforms. The application is
exposed to a remote buffer overflow issue because it fails to properly
bounds check user-supplied input. SurgeMail version 3.8k4-4 is
affected.
Ref: http://www.securityfocus.com/bid/28260
______________________________________________________________________
08.12.18 CVE: Not Available
Platform: Cross Platform
Title: Rosoft Media Player RML File Stack-Based Buffer Overflow
Description: Rosoft Media Player is an application that plays various
media supported by ACM Codecs that are installed on the same computer.
The application is exposed to a stack-based buffer overflow issue
because it fails to perform adequate boundary checks on user-supplied
input. Rosoft Media Player version 4.1.8 is affected.
Ref: http://www.securityfocus.com/archive/1/489657
______________________________________________________________________
08.12.19 CVE: Not Available
Platform: Cross Platform
Title: XnView Command-Line Arguments Buffer Overflow
Description: XnView is a photo viewer available for multiple
platforms. The application is exposed to a buffer overflow issue
because the application fails to bounds check user-supplied data
before copying it into an insufficiently sized buffer. XnView version
1.92.1 is affected.
Ref: http://www.securityfocus.com/archive/1/489658
______________________________________________________________________
08.12.20 CVE: Not Available
Platform: Cross Platform
Title: VLC Media Player Subtitle Parsing Buffer Overflow
Description: VLC is a cross-platform media player that can be used to
serve streaming data. The application is exposed to a buffer overflow
issue because it fails to perform adequate boundary checks on
user-supplied input. VLC versions 0.8.6c through 0.8.6e are affected.
Ref: http://www.securityfocus.com/bid/28251
______________________________________________________________________
08.12.21 CVE: CVE-2008-1270
Platform: Cross Platform
Title: Lighttpd mod_userdir Information Disclosure
Description: The "lighttpd" program is an open-source webserver
application. Its "mod_userdir" module compares file name components in
configuration rules case-sensitively even on case-insensitive
filesystems, so a request that changes the case of a file extension
(".PHP" where a rule covers ".php") can bypass the intended access
restriction and disclose sensitive information such as script source.
lighttpd version 1.4.18 is affected.
Ref: http://www.lighttpd.net/2008/3/10/1-4-19-made-in-germany
______________________________________________________________________
08.12.22 CVE: Not Available
Platform: Cross Platform
Title: IBM WebSphere MQ for HP NonStop Security Bypass
Description: IBM WebSphere MQ for HP NonStop is a commercially
available messaging engine for enterprises. The application is exposed
to a security bypass issue because it fails to properly
restrict access to certain functionality. IBM WebSphere MQ versions
prior to 5.3 are affected.
Ref: http://www-1.ibm.com/support/docview.wss?uid=swg21297035
______________________________________________________________________
08.12.23 CVE: Not Available
Platform: Cross Platform
Title: ZABBIX File Checksum Request Denial of Service
Description: ZABBIX is an IT monitoring system available for multiple
operating platforms. The application is exposed to a denial of service
issue while handling specially-crafted file checksum requests.
Specifically, the vulnerability occurs when a device node such as
"/dev/zero" or "/dev/urandom", which never reaches end of file, is
passed to the "vfs.file.cksum" agent item.
Ref: http://www.securityfocus.com/archive/1/489506
______________________________________________________________________
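The fix for this class of bug is to refuse anything that is not a bounded, regular file before reading it. The Python below is an added example written for this bulletin, not Zabbix code: the file names are constructed, the checksum is zlib's CRC-32 rather than the POSIX cksum value the real item returns, and the 64 MiB cap is an assumed policy limit. The ordering is the point: open with O_NONBLOCK and O_NOFOLLOW so the open itself cannot hang on a FIFO or follow a symlink, then fstat the descriptor so the type check and the read refer to the same object.

```python
import os
import stat
import tempfile
import zlib


class RefusedPath(ValueError):
    """Raised when the path is not a bounded, regular file."""


def file_cksum(path: str, max_bytes: int = 64 * 1024 * 1024) -> int:
    """CRC-32 of a regular file, refusing anything that could never reach EOF.

    A naive lstat-then-open sequence leaves a race in which the path is
    swapped for a FIFO or device between the two calls; checking the
    opened descriptor with fstat closes that window.
    """
    flags = os.O_RDONLY | os.O_NONBLOCK | os.O_NOFOLLOW
    try:
        fd = os.open(path, flags)
    except OSError as exc:  # includes ELOOP when the path is a symlink
        raise RefusedPath(f"{path}: {exc.strerror}") from exc
    try:
        st = os.fstat(fd)
        if not stat.S_ISREG(st.st_mode):
            raise RefusedPath(f"{path}: not a regular file ({stat.filemode(st.st_mode)})")
        if st.st_size > max_bytes:
            raise RefusedPath(f"{path}: {st.st_size} bytes exceeds limit of {max_bytes}")
        crc = 0
        remaining = max_bytes  # hard cap even if the file grows while we read
        while remaining > 0:
            chunk = os.read(fd, min(65536, remaining))
            if not chunk:
                break
            crc = zlib.crc32(chunk, crc)
            remaining -= len(chunk)
        return crc & 0xFFFFFFFF
    finally:
        os.close(fd)


def demo() -> dict:
    """Constructed inputs: a small regular file, a FIFO, a directory, a
    symlink, and /dev/zero where the host has one."""
    outcome = {}

    def attempt(label, path):
        try:
            outcome[label] = file_cksum(path)
        except RefusedPath:
            outcome[label] = "refused"

    with tempfile.TemporaryDirectory() as tmp:
        regular = os.path.join(tmp, "hello.txt")
        with open(regular, "wb") as fh:
            fh.write(b"hello")
        fifo = os.path.join(tmp, "pipe")
        os.mkfifo(fifo)  # a plain blocking read() here waits for a writer forever
        link = os.path.join(tmp, "link")
        os.symlink(regular, link)
        attempt("hello.txt", regular)
        attempt("pipe", fifo)
        attempt("dir", tmp)
        attempt("link", link)
    if os.path.exists("/dev/zero"):
        attempt("/dev/zero", "/dev/zero")
    return outcome


if __name__ == "__main__":
    for label, result in demo().items():
        print(f"{label:12} {result}")
```

Symlinks are refused outright here, even when they point at a regular file; relax that by resolving the link first if a deployment needs it, but keep the fstat check on the descriptor actually being read.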
08.12.24 CVE: CVE-2008-1157
Platform: Cross Platform
Title: Cisco CiscoWorks Internetwork Performance Monitor Unspecified
Remote Command Execution
Description: Internetwork Performance Monitor (IPM) is a
troubleshooting component within the CiscoWorks LAN Management
Solution (LMS) bundle. The application is exposed to a remote command
execution issue because one of its processes binds a command shell to
a randomly selected TCP port, which remote attackers can connect to
and use to run arbitrary commands. Internetwork Performance Monitor
version 2.6 is affected.
Ref: http://www.securityfocus.com/archive/1/489555
______________________________________________________________________
08.12.25 CVE: CVE-2008-1330
Platform: Cross Platform
Title: Novell GroupWise Windows Client API Shared Folder Email
Information Disclosure
Description: Novell GroupWise is a cross-platform collaborative
software product. The application is exposed to an information
disclosure issue in its handling of shared folders. Novell GroupWise
versions 6.5 and 7 are affected.
Ref:
https://secure-support.novell.com/KanisaPlatform/Publishing/732/3263374_f.SAL_Public.html
______________________________________________________________________
08.12.26 CVE: Not Available
Platform: Cross Platform
Title: MG-SOFT Net Inspector Multiple Remote Vulnerabilities
Description: Net Inspector is a fault management application. The
application is exposed to multiple remote issues. Net Inspector
version 6.5.0.828 is affected.
Ref: http://aluigi.altervista.org/adv/netinsp-adv.txt
______________________________________________________________________
08.12.27 CVE: Not Available
Platform: Cross Platform
Title: BootManage TFTP Server "filename" Remote Buffer Overflow
Description: BootManage TFTP Server is a Trivial FTP server
implemented in the BootManage Administrator. The application is
exposed to a buffer overflow issue because it fails to properly
bounds check user-supplied data before storing it in a finite-sized
memory buffer. BootManage TFTP Server version 1.99 is vulnerable;
other versions may also be affected.
Ref: http://aluigi.altervista.org/adv/bootixtftpd-adv.txt
______________________________________________________________________
08.12.28 CVE: Not Available
Platform: Cross Platform
Title: VLC Media Player "Subtitle" Buffer Overflow
Description: VLC is a cross-platform media player that can be used to
serve streaming data. The application is exposed to a buffer overflow
issue because it fails to perform adequate boundary checks on
user-supplied input. This issue occurs when copying the "Subtitle"
parameter to the "buffer_text2" buffer in ParseSSA. VLC media player
version 0.8.6e is affected.
Ref: http://www.securityfocus.com/archive/1/489698
______________________________________________________________________
08.12.29 CVE: Not Available
Platform: Cross Platform
Title: VMware Server 1.0.5 and Workstation 6.0.3 Multiple
Vulnerabilities
Description: VMware Server and Workstation are virtualization
applications capable of running virtual machines for a wide variety of
operating platforms. The applications are exposed to multiple
issues. VMware Server versions prior to 1.0.5 and VMware Workstation
versions prior to 6.0.3 are affected.
Ref: http://www.vmware.com/support/ws6/doc/releasenotes_ws6.html#603
______________________________________________________________________
08.12.30 CVE: Not Available
Platform: Cross Platform
Title: 7-Zip Unspecified Archive Handling
Description: 7-Zip is a freely-available archiving and compression
utility by Igor Pavlov. The application is exposed to a remote archive
handling issue due to the failure of the application to properly
handle malformed archive files. 7-Zip versions prior to 4.57 are
affected.
Ref:
https://www.cert.fi/haavoittuvuudet/joint-advisory-archive-formats.html
______________________________________________________________________
08.12.31 CVE: Not Available
Platform: Cross Platform
Title: bzip2 Unspecified File Handling
Description: The bzip2 application is a freely-available compression
utility by Julian Seward. The application is exposed to a remote file
handling issue due to the failure of the application to properly
handle malformed bzip2 files. bzip2 version 1.0.4 is affected.
Ref:
https://www.cert.fi/haavoittuvuudet/joint-advisory-archive-formats.html
______________________________________________________________________
08.12.32 CVE: CVE-2008-0888
Platform: Cross Platform
Title: Info-ZIP UnZip "inflate_dynamic()" Remote Code Execution
Description: Info-ZIP UnZip is a utility used to decompress ZIP files.
It is freely available for many platforms including UNIX and UNIX-like
operating systems. The application is exposed to a remote code
execution issue when parsing malformed ZIP files. This issue occurs
due to a design error. UnZip version 5.52 is affected.
Ref: http://www.securityfocus.com/bid/28288
______________________________________________________________________
08.12.33 CVE: CVE-2007-5618, CVE-2008-1364, CVE-2008-1340
Platform: Cross Platform
Title: VMware Products Multiple Vulnerabilities
Description: VMware products are virtualization applications capable
of running virtual machines for a wide variety of operating platforms.
The applications are exposed to multiple issues.
Ref: http://www.securityfocus.com/bid/28289
______________________________________________________________________
08.12.34 CVE: CVE-2008-1011, CVE-2008-1010, CVE-2008-1009,
CVE-2008-1008, CVE-2008-1007, CVE-2008-1006, CVE-2008-1005,
CVE-2008-1004, CVE-2008-1003, CVE-2008-1002, CVE-2008-1001,
CVE-2008-0050
Platform: Cross Platform
Title: Apple Safari Prior to 3.1 Multiple Security Vulnerabilities
Description: Apple Safari is a web browser available for Mac OS X and
Microsoft Windows. The application is exposed to multiple security
issues.
Ref: http://docs.info.apple.com/article.html?artnum=307563
______________________________________________________________________
08.12.35 CVE: CVE-2008-0947, CVE-2008-0948
Platform: Cross Platform
Title: MIT Kerberos5 kadmind Excessive File Descriptors Multiple
Remote Code Execution Vulnerabilities
Description: Kerberos is a network-authentication protocol; "kadmind"
(Kerberos Administration Daemon) is the administration server for
Kerberos networks. The application is exposed to multiple remote code
execution issues due to array overruns in the RPC library "libgssrpc"
when the daemon has more open file descriptors than the fixed-size
descriptor set can represent.
Ref: http://www.securityfocus.com/archive/1/489762
______________________________________________________________________
08.12.36 CVE: CVE-2008-0062, CVE-2008-0063
Platform: Cross Platform
Title: MIT Kerberos 5 KDC Multiple Memory Corruption Based Information
Disclosure Vulnerabilities
Description: MIT Kerberos 5 KDC is a suite of applications and
libraries designed to implement the Kerberos network-authentication
protocol. It is freely available and operates on numerous platforms.
The application is exposed to multiple information disclosure issues
when configured to support Kerberos 4. The issues occur when
processing malformed krb4 messages. MIT Kerberos 5 version 1.6.3 KDC
is affected.
Ref: http://www.kb.cert.org/vuls/id/895609
______________________________________________________________________
08.12.37 CVE: CVE-2008-1289
Platform: Cross Platform
Title: Asterisk RTP Codec Payload Handling Multiple Buffer Overflow
Vulnerabilities
Description: Asterisk is a private branch exchange (PBX) application
available for Linux, BSD, and Mac OS X platforms. The application is
exposed to multiple buffer overflow issues because it fails to perform
adequate boundary checks on user-supplied data before copying it to
insufficiently-sized buffers.
Ref: http://downloads.digium.com/pub/security/AST-2008-002.html
______________________________________________________________________
08.12.38 CVE: CVE-2008-1332
Platform: Cross Platform
Title: Asterisk Call Authentication Security Bypass
Description: Asterisk is a private branch exchange (PBX) application
available for Linux, BSD, and Mac OS X platforms. The application is
exposed to a security bypass issue because SIP calls carrying an
invalid "From" header are sent to the context specified in the general
section of the "sip.conf" configuration file, bypassing call
authentication.
Ref: http://downloads.digium.com/pub/security/AST-2008-003.html
______________________________________________________________________
08.12.39 CVE: CVE-2008-1333
Platform: Cross Platform
Title: Asterisk Logger and Manager Format String Vulnerabilities
Description: Asterisk is a private branch exchange (PBX) application
available for Linux, BSD, and Mac OS X platforms. The application is
exposed to multiple format string issues because it fails to properly
sanitize user-supplied input before including it in the
format-specifier argument of a formatted-printing function. Asterisk
Open Source versions prior to 1.6.0-beta6 are affected.
Ref: http://downloads.digium.com/pub/security/AST-2008-004.html
______________________________________________________________________
08.12.40 CVE: Not Available
Platform: Web Application - Cross Site Scripting
Title: SNewsCMS "search.php" Cross-Site Scripting
Description: SNewsCMS is a web-based content manager implemented in
PHP. The application is exposed to a cross-site scripting issue
because it fails to properly sanitize user-supplied input to the
"query" parameter of the "search.php" script. SNewsCMS versions 2.3
and 2.4 are affected.
Ref: http://www.securityfocus.com/archive/1/489686
______________________________________________________________________
08.12.41 CVE: Not Available
Platform: Web Application - Cross Site Scripting
Title: Nagios Prior to 2.11 Unspecified Cross-Site Scripting
Description: Nagios is an open-source application designed to monitor
networks and services for interruptions and to notify administrators
when various events occur. The software is exposed to an unspecified
cross-site scripting issue because it fails to sanitize user-supplied
input. Nagios versions prior to 2.11 are affected.
Ref: http://www.nagios.org/development/changelog.php
______________________________________________________________________
08.12.42 CVE: Not Available
Platform: Web Application - Cross Site Scripting
Title: Download Center Multiple Cross-Site Scripting Vulnerabilities
Description: Download Center is a PHP-based application used to manage
file downloads. The application is exposed to multiple cross-site
scripting issues because it fails to sufficiently sanitize
user-supplied input. Download Center version 1.2 is affected.
Ref: http://www.securityfocus.com/bid/28219
______________________________________________________________________
08.12.43 CVE: Not Available
Platform: Web Application - Cross Site Scripting
Title: Jeebles Directory Multiple Cross-Site Scripting Vulnerabilities
Description: Jeebles Directory is a PHP-based file organizer. The
application is exposed to multiple cross-site scripting issues because
it fails to sufficiently sanitize user-supplied input.
Ref: http://www.securityfocus.com/bid/28221
______________________________________________________________________
08.12.44 CVE: Not Available
Platform: Web Application - Cross Site Scripting
Title: onlinetools.org EasyImageCatalogue Multiple Cross-Site
Scripting Vulnerabilities
Description: onlinetools.org EasyImageCatalogue is a web-based
image gallery application implemented in PHP. The application is
exposed to multiple cross-site scripting issues because it fails to
sanitize user-supplied input. EasyImageCatalogue version 1.31 is
affected.
Ref: http://www.securityfocus.com/bid/28164
______________________________________________________________________
08.12.45 CVE: Not Available
Platform: Web Application - Cross Site Scripting
Title: ClanSphere "index.php" Multiple Cross-Site Scripting
Vulnerabilities
Description: ClanSphere is a PHP-based content manager. The
application is exposed to multiple cross-site scripting issues because
it fails to sufficiently sanitize user-supplied input to the
"mod" parameter of the "index.php" and the "debug.php" scripts.
ClanSphere version 2008 is affected.
Ref: http://www.securityfocus.com/bid/28224
______________________________________________________________________
08.12.46 CVE: Not Available
Platform: Web Application - Cross Site Scripting
Title: eWeather "chart" Parameter Cross-Site Scripting
Description: eWeather is a weather module for the PHP-Nuke content
manager. The application is exposed to a cross-site scripting issue
because the application fails to properly sanitize user-supplied
input. This issue occurs in the "chart" parameter of the "eWeather"
module.
Ref: http://www.securityfocus.com/archive/1/489504
______________________________________________________________________
08.12.47 CVE: Not Available
Platform: Web Application - Cross Site Scripting
Title: cfnetgs "index.php" Cross-Site Scripting
Description: cfnetgs is a web-based photo gallery application. The
application is exposed to a cross-site scripting issue because it
fails to properly sanitize user-supplied input to the "directory"
parameter of the "index.php" script. cfnetgs version 0.24 is affected.
Ref: http://www.securityfocus.com/bid/28267
______________________________________________________________________
08.12.48 CVE: Not Available
Platform: Web Application - Cross Site Scripting
Title: RSA WebID "IISWebAgentIF.dll" Cross-Site Scripting
Description: RSA WebID is a web authentication framework. The
application is exposed to a cross-site scripting issue because it
fails to properly sanitize user-supplied input to the "postdata"
parameter in conjunction with the "IISWebAgentIF.dll" library. RSA
WebID version 5.3 is affected.
Ref: http://www.securityfocus.com/archive/1/489691
______________________________________________________________________
08.12.49 CVE: Not Available
Platform: Web Application - Cross Site Scripting
Title: Imperva SecureSphere Cross-Site Scripting
Description: Imperva SecureSphere is an application-data security
appliance used to monitor and audit application and database activity.
The application is exposed to a cross-site scripting issue because it
fails to properly sanitize user-supplied input. Imperva SecureSphere
version 5.0 is affected.
Ref: http://www.securityfocus.com/bid/28279
______________________________________________________________________
08.12.50 CVE: CVE-2008-0125
Platform: Web Application - Cross Site Scripting
Title: phpstats "phpstats.php" Cross-Site Scripting
Description: phpstats is a web-based tool for creating statistical
information about a file tree. The application is exposed to a
cross-site scripting issue because it fails to properly sanitize
user-supplied input to the "baseDir" parameter of the "phpstats.php"
script. phpstats version 0.1_alpha is affected.
Ref: http://www.securityfocus.com/archive/1/489722
______________________________________________________________________
08.12.51 CVE: Not Available
Platform: Web Application - Cross Site Scripting
Title: webSPELL "index.php" Cross-Site Scripting
Description: webSPELL is a PHP-based content manager. The application
is exposed to a cross-site scripting issue because it fails to
properly sanitize user-supplied input to the "board" parameter of the
"index.php" script. webSPELL version 4.01.02 is affected.
Ref: http://www.securityfocus.com/bid/28294
______________________________________________________________________
08.12.52 CVE: Not Available
Platform: Web Application - Cross Site Scripting
Title: eForum "busca.php" Multiple Cross-Site Scripting
Vulnerabilities
Description: eForum is a PHP-based, flat-file web forum. The
application is exposed to multiple cross-site scripting issues because
the application fails to sufficiently sanitize user-supplied input to
the "busca" and "link" parameters of the "busca.php" script. eForum
version 0.4 is affected.
Ref: http://www.securityfocus.com/archive/1/489738
______________________________________________________________________
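The reflected cross-site scripting entries above (08.12.40 through 08.12.52) all describe the same pattern: a request parameter copied into the page without escaping for its HTML context. The Python below is an added example written for this bulletin, not code from any of the listed products; the page template, the parameter name "query" (borrowed from the SNewsCMS entry) and the probe string are constructed. It shows the vulnerable rendering beside the escaped one and the simple reflection check a scanner uses to tell them apart.

```python
from html import escape
from urllib.parse import parse_qs, quote, urlsplit

# Constructed search page: the query is reflected twice, once inside a
# quoted attribute and once as element text. Both are HTML contexts, so
# HTML escaping with quotes converted covers both.
TEMPLATE = (
    "<html><body>"
    '<form action="search.php"><input name="query" value="{q_attr}"></form>'
    "<p>Results for {q_text}</p>"
    "</body></html>"
)


def query_from_url(url: str) -> str:
    """Extract the 'query' parameter much as PHP's $_GET['query'] would."""
    return parse_qs(urlsplit(url).query).get("query", [""])[0]


def render_vulnerable(url: str) -> str:
    """Reflects the raw parameter into the page: the bug class in these entries."""
    q = query_from_url(url)
    return TEMPLATE.format(q_attr=q, q_text=q)


def render_safe(url: str) -> str:
    """Escapes at the point of output, for the context the value lands in."""
    q = query_from_url(url)
    # quote=True also converts the double quote, which is what keeps the
    # value from closing the attribute early; in the text node it is harmless.
    safe = escape(q, quote=True)
    return TEMPLATE.format(q_attr=safe, q_text=safe)


# A probe that closes the attribute and the tag, then injects a script element.
PROBE = '"><script>alert(1)</script>'


def reflects_unescaped(page_html: str, probe: str = PROBE) -> bool:
    """True when the probe survives into the output byte for byte."""
    return probe in page_html


def demo() -> dict:
    url = "http://example.invalid/search.php?query=" + quote(PROBE, safe="")
    return {
        "vulnerable": reflects_unescaped(render_vulnerable(url)),
        "safe": reflects_unescaped(render_safe(url)),
        "safe_page": render_safe(url),
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

Escaping is context-specific: the same value placed inside a script block, an event-handler attribute or a URL needs a different encoder, and sanitising on input (the phrase these entries use) is no substitute for encoding on output.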
08.12.53 CVE: Not Available
Platform: Web Application - SQL Injection
Title: eXV2 Viso Module "kid" Parameter SQL Injection
Description: The Viso module is a component for the eXV2 content
manager. The application is exposed to an SQL injection issue because
it fails to sufficiently sanitize user-supplied data to the "kid"
parameter before using it in an SQL query. eXV2 Viso Module version
2.03 is affected.
Ref: http://www.securityfocus.com/bid/28255
______________________________________________________________________
08.12.54 CVE: Not Available
Platform: Web Application - SQL Injection
Title: eXV2 CMS WebChat Module "roomid" Parameter SQL Injection
Description: WebChat is a PHP-based chat module for the eXV2 content
management system. The application is exposed to an SQL
injection issue because it fails to sufficiently sanitize
user-supplied data to the "roomid" parameter of the
"modules/WebChat/index.php" script before using it in an SQL query.
WebChat version 1.60 is affected.
Ref: http://www.securityfocus.com/bid/28256
______________________________________________________________________
08.12.55 CVE: Not Available
Platform: Web Application - SQL Injection
Title: auraCMS "HTTP_X_FORWARDED_FOR" SQL Injection
Description: auraCMS is a PHP-based content manager. The application is
exposed to an SQL injection issue because it fails to sufficiently
sanitize user-supplied input in the "HTTP_X_FORWARDED_FOR" variable of
an HTTP request. This issue occurs in the "online.php" script. AuraCMS
versions 2.0, 2.1 and 2.2.1 are affected.
Ref: http://www.securityfocus.com/bid/28257
______________________________________________________________________
08.12.56 CVE: Not Available
Platform: Web Application - SQL Injection
Title: eXV2 "eBlog" Module "blog_id" Parameter SQL Injection
Description: The "eBlog" module is a PHP-based blogging component for
the eXV2 content manager. The application is exposed to an SQL
injection issue because it fails to sufficiently sanitize
user-supplied data to the "blog_id" parameter of the "eBlog" module
before using it in an SQL query. "eBlog" module version 1.200 is affected.
Ref: http://www.securityfocus.com/bid/28223
______________________________________________________________________
08.12.57 CVE: Not Available
Platform: Web Application - SQL Injection
Title: eXV2 MyAnnonces Module "lid" Parameter SQL Injection
Description: MyAnnonces is a PHP-based plugin for the eXV2 content
manager. The application is exposed to an SQL injection issue because
it fails to sufficiently sanitize user-supplied data to the "lid"
parameter of the "MyAnnonces" module before using it in an SQL query.
Ref: http://www.securityfocus.com/bid/28254
______________________________________________________________________
08.12.58 CVE: Not Available
Platform: Web Application - SQL Injection
Title: MAXdev My eGallery Module for XOOPS "gid" Parameter SQL
Injection
Description: MAXdev My eGallery module is a PHP-based component for
the XOOPS content manager. The application is exposed to an SQL
injection issue because it fails to sufficiently sanitize
user-supplied data to the "gid" parameter of the
"my_egallery/index.php" module before using it in an SQL query. My
eGallery version 3.04 is affected.
Ref: http://www.securityfocus.com/bid/28220
______________________________________________________________________
08.12.59 CVE: Not Available
Platform: Web Application - SQL Injection
Title: Fully Modded PHPBB2 "kb.php" SQL Injection
Description: Fully Modded PHPBB2 is a modification to PHPBB2 that
allows users to store information about their vehicle. PHPBB2 is an
open-source forum application implemented in PHP. The application is
exposed to an SQL injection issue because it fails to sufficiently
sanitize user-supplied data to the "k" parameter of the "kb.php"
script before using it in an SQL query.
Ref: http://www.securityfocus.com/archive/1/489468
______________________________________________________________________
08.12.60 CVE: Not Available
Platform: Web Application - SQL Injection
Title: bamaGalerie "viewcat.php" SQL Injection
Description: bamaGalerie is a photo gallery module for the eXV2
content manager. The application is exposed to an SQL injection issue
because it fails to sufficiently sanitize user-supplied data to the
"cid" parameter of the "viewcat.php" script before using it in an SQL
query.
Ref: http://www.securityfocus.com/bid/28229
______________________________________________________________________
08.12.61 CVE: Not Available
Platform: Web Application - SQL Injection
Title: XOOPS MyTutorials Module "printpage.php" SQL Injection
Description: MyTutorials is a PHP-based component for the XOOPS
content manager. The application is exposed to an SQL injection issue
because it fails to sufficiently sanitize user-supplied data to the
"tid" parameter of the "printpage.php" script before using it in an
SQL query.
Ref: http://www.securityfocus.com/bid/28230
______________________________________________________________________
08.12.62 CVE: Not Available
Platform: Web Application - SQL Injection
Title: EasyGallery "index.php" Multiple SQL Injection and Cross-Site
Scripting Vulnerabilities
Description: EasyGallery is a web-based photo album application
implemented in PHP. The application is exposed to multiple input
validation issues because it fails to sufficiently sanitize
user-supplied data to the "index.php" script. EasyGallery version
5.0tr is affected.
Ref: http://www.securityfocus.com/archive/1/489583
______________________________________________________________________
08.12.63 CVE: Not Available
Platform: Web Application - SQL Injection
Title: LaGarde StoreFront "SearchResults.aspx" SQL Injection
Description: StoreFront is an e-commerce shopping cart. The
application is exposed to an SQL injection issue because it fails to
sufficiently sanitize user-supplied data to the "CategoryId" parameter
of the "SearchResults.aspx" script. StoreFront 6 versions prior to
Service Pack 8 are affected.
Ref:
http://support.storefront.net/storefront6/kbase/kbview.aspx?kbID=454
______________________________________________________________________
08.12.64 CVE: Not Available
Platform: Web Application - SQL Injection
Title: Virtual Support Office-XP "MyIssuesView.asp" SQL Injection
Description: Virtual Support Office-XP is a web-based helpdesk
application written in ASP. The application is exposed to an SQL
injection issue because it fails to sufficiently sanitize
user-supplied data to the "Issue_ID" parameter of the
"MyIssuesView.asp" script before using it in an SQL query.
Ref: http://www.securityfocus.com/archive/1/489545
______________________________________________________________________
08.12.65 CVE: Not Available
Platform: Web Application - SQL Injection
Title: Joomla! and Mambo "com_guide" Component "category" Parameter
SQL Injection
Description: The "guide" component is a plug-in for the Joomla! and
Mambo content managers. The component is exposed to an SQL injection
issue because it fails to sufficiently sanitize user-supplied data to
the "category" parameter of the "com_guide" component before using it
in an SQL query.
Ref: http://www.securityfocus.com/bid/28269
______________________________________________________________________
08.12.66 CVE: Not Available
Platform: Web Application - SQL Injection
Title: phpBP "id" Parameter SQL Injection
Description: phpBP is a web-based content management system
implemented in PHP. The application is exposed to an SQL injection issue
because it fails to sufficiently sanitize user-supplied data to the
"id" parameter of the "/includes/functions/banners-external.php"
script before using it in an SQL query. phpBP version RC3 (2.204) FIX4
is affected.
Ref: http://www.securityfocus.com/bid/28272
______________________________________________________________________
08.12.67 CVE: Not Available
Platform: Web Application - SQL Injection
Title: XOOPS Dictionary Module "print.php" SQL Injection
Description: Dictionary is a PHP-based component for the XOOPS content
manager. The application is exposed to an SQL injection issue because
it fails to sufficiently sanitize user-supplied data to the "id"
parameter of the "print.php" script before using it in an SQL query.
Ref: http://www.securityfocus.com/bid/28275
______________________________________________________________________
08.12.68 CVE: Not Available
Platform: Web Application - SQL Injection
Title: Joomla! and Mambo Acajoom Component "mailingid" Parameter SQL
Injection
Description: The Acajoom component is a plugin for the Joomla! and
Mambo content managers. The component is exposed to an SQL injection
issue because it fails to sufficiently sanitize user-supplied data to
the "mailingid" parameter of the "com_acajoom" component before using
it in an SQL query. Acajoom version 1.1.5 is affected.
Ref: http://www.securityfocus.com/bid/28305
______________________________________________________________________
08.12.69 CVE: Not Available
Platform: Web Application - SQL Injection
Title: KAPhotoservice "album.asp" SQL Injection
Description: KAPhotoservice is a web-based application for ordering
photograph prints. The application is exposed to an SQL injection
issue because it fails to sufficiently sanitize user-supplied data to
the "albumid" parameter of the "album.asp" script before using it in
an SQL query.
Ref: http://www.securityfocus.com/bid/28306
______________________________________________________________________
08.12.70 CVE: Not Available
Platform: Web Application - SQL Injection
Title: Easy-Clanpage "id" Parameter SQL Injection
Description: Easy-Clanpage is a web-based content management system.
The application is exposed to an SQL injection issue because it fails
to sufficiently sanitize user-supplied data to the "id" parameter
before using it in an SQL query. Easy-Clanpage version 2.2 is
affected.
Ref: http://www.securityfocus.com/bid/28309
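The five entries above (08.12.66 through 08.12.70) all describe the same
defect: an "id"-style request parameter is spliced into SQL text. The
following is an added illustration written for this bulletin, not code
from phpBP, XOOPS, Acajoom, KAPhotoservice or Easy-Clanpage. It uses a
constructed SQLite schema (a "banners" table with a row the page should
hide and a "users" table holding credentials) and shows the vulnerable
concatenation beside the parameterized form that closes it.

```python
import re
import sqlite3


def make_db():
    """Constructed schema: one public and one hidden banner, plus a users
    table the banner query never names but an injected UNION can reach."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE banners (id INTEGER PRIMARY KEY, name TEXT, hidden INTEGER)")
    conn.executemany("INSERT INTO banners VALUES (?, ?, ?)",
                     [(1, "public-banner", 0), (2, "hidden-banner", 1)])
    conn.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, login TEXT, pwhash TEXT)")
    conn.execute("INSERT INTO users VALUES (1, 'admin', 'deadbeef')")
    return conn


def lookup_vulnerable(id_param):
    """The bug class in the entries above: the raw request parameter becomes
    part of the SQL text, so everything after the number is parsed as SQL.
    The trailing 'AND hidden = 0' is the access check an attacker comments out."""
    conn = make_db()
    sql = "SELECT id, name FROM banners WHERE id = " + id_param + " AND hidden = 0"
    return conn.execute(sql).fetchall()


def lookup_fixed(id_param):
    """Hardened form: validate the type first, then bind the value as a query
    parameter so the driver never interprets its content as SQL."""
    if not re.fullmatch(r"[0-9]+", id_param):
        raise ValueError("id must be a non-negative integer")
    conn = make_db()
    return conn.execute(
        "SELECT id, name FROM banners WHERE id = ? AND hidden = 0",
        (int(id_param),),
    ).fetchall()


def lookup_fixed_rejects(id_param):
    """True when the hardened lookup refuses the parameter outright."""
    try:
        lookup_fixed(id_param)
    except ValueError:
        return True
    return False


if __name__ == "__main__":
    print(lookup_vulnerable("1"))
    print(lookup_vulnerable("1 OR 1=1 --"))   # hidden row comes back
    print(lookup_vulnerable("0 UNION SELECT id, login || ':' || pwhash FROM users --"))
    print(lookup_fixed("1"))
    print(lookup_fixed_rejects("1 OR 1=1 --"))
```

The same two payloads ("OR 1=1" to drop the hidden-row filter, and a UNION
to read a table the query never mentions) are what an attacker sends to
the "id", "albumid" and "mailingid" parameters listed above; the type
check alone would stop them for numeric parameters, and parameter binding
covers the string-valued ones the check cannot.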
______________________________________________________________________
08.12.71 CVE: Not Available
Platform: Web Application
Title: Multiple Time Sheets "tab" Parameter Multiple Input Validation
Vulnerabilities
Description: Multiple Time Sheets (MTS) is a time tracking application
implemented in PHP. The application is exposed to multiple input
validation issues because it fails to sufficiently sanitize
user-supplied input to the "tab" parameter. Multiple Time Sheets
version 5.0 is affected.
Ref: http://www.securityfocus.com/archive/1/489689
______________________________________________________________________
08.12.72 CVE: Not Available
Platform: Web Application
Title: DB2 Monitoring Console Multiple Unspecified Security Bypass
Vulnerabilities
Description: DB2 Monitoring Console is an open-source, web-based console
for monitoring IBM DB2 databases. The application is exposed to multiple
unspecified security bypass issues. DB2 Monitoring Console versions
prior to 2.2.25 are affected.
Ref:
http://sourceforge.net/project/shownotes.php?release_id=583793&group_id=211760
______________________________________________________________________
08.12.73 CVE: Not Available
Platform: Web Application
Title: Uberghey CMS "index.php" Multiple Local File Include
Vulnerabilities
Description: Uberghey CMS is a PHP-based content management
application. The application is exposed to multiple local file include
issues because it fails to properly sanitize user-supplied input to
the "page_id" and "language" parameters in the "index.php" script.
Uberghey CMS version 0.3.1 is affected.
Ref: http://www.securityfocus.com/archive/1/489451
______________________________________________________________________
08.12.74 CVE: Not Available
Platform: Web Application
Title: Travelsized CMS "index.php" Multiple Local File Include
Vulnerabilities
Description: Travelsized CMS is a content management system
implemented in PHP. The application is exposed to multiple local file
include issues because it fails to properly sanitize user-supplied
input to the "index.php" script. Travelsized CMS version 0.4.1 is
affected.
Ref: http://www.securityfocus.com/archive/1/489457
______________________________________________________________________
08.12.75 CVE: Not Available
Platform: Web Application
Title: Acyhost "index.php" Remote File Include
Description: Acyhost is a web-based application. The application is
exposed to a remote file include issue because it fails to
sufficiently sanitize user-supplied input to the "sayfa" parameter of
the "index.php" script.
Ref: http://www.securityfocus.com/bid/28231
______________________________________________________________________
08.12.76 CVE: Not Available
Platform: Web Application
Title: EasyCalendar SQL Injection and Cross-Site Scripting
Vulnerabilities
Description: EasyCalendar is a web-based calendar application. The
application is exposed to an SQL injection issue and a cross-site
scripting issue because it fails to properly sanitize user-supplied
input. EasyCalendar version 4.0tr is affected.
Ref: http://www.securityfocus.com/archive/1/489689
______________________________________________________________________
08.12.77 CVE: Not Available
Platform: Web Application
Title: Polymita Technologies Multiple Products Cross-Site Scripting
Vulnerabilities
Description: Polymita BPM-Suite is a web-based application suite used
to manage business processes. The application is exposed to multiple
cross-site scripting issues because it fails to sanitize
user-supplied input to the "_q" and "lucene_index_field_value"
parameters when a search operation is carried out. Polymita BPM-Suite
and Polymita CollagePortal are affected.
Ref: http://www.securityfocus.com/bid/28237
______________________________________________________________________
08.12.78 CVE: Not Available
Platform: Web Application
Title: Roundup XML-RPC Server Security Bypass
Description: Roundup is an issue-tracking system implemented in
Python. Its XML-RPC server is exposed to a security bypass issue that
stems from an access validation error. Roundup version 1.4.4 is
affected.
Ref:
http://sourceforge.net/tracker/index.php?func=detail&aid=1907211&group_id=31577&atid=402788
______________________________________________________________________
08.12.79 CVE: Not Available
Platform: Web Application
Title: Roundup Unspecified Security Vulnerabilities
Description: Roundup is an issue-tracking system. The application is
exposed to multiple unspecified issues. Roundup versions prior to
1.4.4 are affected.
Ref:
http://roundup.cvs.sourceforge.net/roundup/roundup/CHANGES.txt?view=markup&content-type=text/vnd.viewcvs-markup&revision=HEAD
______________________________________________________________________
08.12.80 CVE: Not Available
Platform: Web Application
Title: Edior CMS "search.php" Directory Traversal
Description: Edior CMS is a content-management application implemented
in PHP. The application is exposed to a directory traversal issue
because the "search.php" script fails to sufficiently sanitize
user-supplied input. Edior CMS version 3.0 is affected.
Ref: http://www.securityfocus.com/archive/1/489498
______________________________________________________________________
08.12.81 CVE: Not Available
Platform: Web Application
Title: PBSite Multiple Input Validation Vulnerabilities
Description: PBSite is a web-based forum application implemented in
PHP. The application is exposed to multiple input validation issues
because it fails to properly sanitize user-supplied input.
Ref: http://www.securityfocus.com/bid/28269
______________________________________________________________________
08.12.82 CVE: Not Available
Platform: Web Application
Title: Exero CMS "theme" Parameter Multiple Local File Include
Vulnerabilities
Description: Exero CMS is a PHP-based content manager. The application
is exposed to multiple local file include issues because it fails to
properly sanitize user-supplied input to the "theme" parameter. Exero
CMS version 1.0.1 is affected.
Ref: http://www.securityfocus.com/bid/28273
______________________________________________________________________
08.12.83 CVE: Not Available
Platform: Web Application
Title: WEBalbum "photo_add.php" Security Bypass
Description: WEBalbum is a web-based photo album implemented in PHP.
The application is exposed to a security bypass issue because it fails
to restrict access to the "photo_add.php" script. WEBalbum version 2.0
is affected.
Ref: http://www.securityfocus.com/bid/28280
______________________________________________________________________
08.12.84 CVE: Not Available
Platform: Web Application
Title: PHPauction "include_path" Parameter Multiple Remote File
Include Vulnerabilities
Description: PHPauction is a web-based auctioning application. The
application is exposed to multiple remote file include issues because
it fails to sufficiently sanitize user-supplied input to the
"include_path" parameter of the following scripts:
"includes/converter.inc.php", "includes/messages.inc.php" and
"includes/settings.inc.php". PHPauction version 2.51 is affected.
Ref: http://www.securityfocus.com/bid/28284
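Entries 08.12.73, 08.12.74, 08.12.80, 08.12.82 and 08.12.84 above share one
defect: a request parameter ("page_id", "language", "theme",
"include_path") is used as a path fragment, so "../" sequences, absolute
paths or (for remote file include) URLs pick the file that gets opened or
included. The following is an added illustration written for this
bulletin, not code from Uberghey, Travelsized, Acyhost, Edior, Exero or
PHPauction. It builds a constructed web root under a temporary directory,
reproduces the traversal and absolute-path escapes, and shows the two
fixes a reviewer would ask for: an allowlist that never turns the
parameter into a path, and a canonicalize-and-confine check for cases
where an allowlist is impractical.

```python
import os
import tempfile


def make_fixture():
    """Constructed layout: <tmp>/webroot/lang/{en,de}.php are the only files
    the page should include; <tmp>/secret.txt stands in for anything outside."""
    parent = tempfile.mkdtemp(prefix="lfi-demo-")
    root = os.path.join(parent, "webroot")
    os.makedirs(os.path.join(root, "lang"))
    for name in ("en.php", "de.php"):
        with open(os.path.join(root, "lang", name), "w") as fh:
            fh.write("<?php $strings['hello'] = 'Hello (%s)'; ?>" % name)
    secret = os.path.join(parent, "secret.txt")
    with open(secret, "w") as fh:
        fh.write("TOP SECRET")
    return root, secret


def include_vulnerable(root, language):
    """The bug class above: the parameter becomes a path fragment as-is.
    '../../secret.txt' walks out of lang/, and an absolute value makes
    os.path.join discard the root entirely, the same way an absolute path
    or http:// URL does in a PHP include() with no validation."""
    path = os.path.join(root, "lang", language)
    with open(path) as fh:
        return fh.read()


# Preferred fix: the request parameter is a key, never a path component.
ALLOWED_LANGUAGES = {"en": "en.php", "de": "de.php"}


def include_allowlisted(root, language):
    if language not in ALLOWED_LANGUAGES:
        raise ValueError("unknown language: %r" % language)
    with open(os.path.join(root, "lang", ALLOWED_LANGUAGES[language])) as fh:
        return fh.read()


def allowlist_accepts(root, language):
    try:
        include_allowlisted(root, language)
        return True
    except ValueError:
        return False


def resolve_confined(base_dir, fragment):
    """Fallback when an allowlist is impractical: canonicalize ('..' and
    symlinks included) and require the result to stay under base_dir."""
    base = os.path.realpath(base_dir)
    candidate = os.path.realpath(os.path.join(base, fragment))
    if candidate != base and not candidate.startswith(base + os.sep):
        raise ValueError("path escapes base directory: %r" % fragment)
    return candidate


def is_confined(base_dir, fragment):
    try:
        resolve_confined(base_dir, fragment)
        return True
    except ValueError:
        return False


if __name__ == "__main__":
    root, secret = make_fixture()
    print(include_vulnerable(root, "en.php"))
    print(include_vulnerable(root, "../../secret.txt"))   # escapes the web root
    print(include_vulnerable(root, secret))               # absolute path wins
    print(include_allowlisted(root, "en"))
    print(is_confined(os.path.join(root, "lang"), "../../secret.txt"))
```

Note that realpath-based confinement is a check on the filesystem path
only; it does nothing against the remote file include variant, where the
value is a URL handed to include(). For that case the allowlist (or
disabling allow_url_include in PHP) is the fix.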
______________________________________________________________________
08.12.85 CVE: Not Available
Platform: Web Application
Title: Strawberry "html.php" Remote Code Execution
Description: Strawberry, formerly known as CuteNews, is a web-based
news application implemented in PHP. The application is exposed to a
remote code execution issue because the "html.php" script fails to
properly sanitize user-supplied data.
Ref: http://www.securityfocus.com/bid/27160
______________________________________________________________________
08.12.86 CVE: Not Available
Platform: Web Application
Title: TUTOS "cmd.php" Remote Command Execution
Description: TUTOS (The Ultimate Team Organization Software) is a
PHP-based application that allows users to manage teams or groups. The
application is exposed to a remote command execution issue because it
fails to sufficiently sanitize user-supplied data to the "cmd"
parameter of the "cmd.php" script. TUTOS version 1.3 is affected.
Ref: http://www.securityfocus.com/bid/27169
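The TUTOS entry above is the command injection counterpart of the SQL
injection entries: a "cmd" parameter reaches a shell. The following is an
added illustration written for this bulletin, not TUTOS code, and it
assumes nothing about what the real "cmd.php" executes; "echo" and
"basename" are stand-ins chosen because they run on any POSIX host. It
shows the parameter spliced into a shell line, then the hardened form in
which the parameter only selects an allowlisted action and any free-form
value travels as one argv element that no shell ever parses.

```python
import shlex
import subprocess


def run_vulnerable(cmd_param):
    """The bug class in the TUTOS entry: the request parameter is spliced
    into a shell command line, so ';', '|', '`' and '$(...)' are obeyed.
    (Constructed: 'echo' stands in for whatever the script really ran.)"""
    result = subprocess.run("echo " + cmd_param, shell=True,
                            capture_output=True, text=True)
    return result.stdout


# Hardened form: a fixed map from action name to argv. The action name is
# the only thing the request may choose; it is never used as text.
ACTIONS = {
    "echo": ["echo"],
    "basename": ["basename"],
}


def run_fixed(action, value):
    """Run an allowlisted action with 'value' as a single argv element.
    With shell=False the kernel receives the argv directly, so shell
    metacharacters in 'value' are inert."""
    if action not in ACTIONS:
        raise ValueError("unknown action: %r" % action)
    if "\0" in value:
        raise ValueError("NUL byte in argument")
    argv = ACTIONS[action] + [value]
    result = subprocess.run(argv, shell=False, capture_output=True, text=True)
    return result.stdout


def run_quoted(action, value):
    """If a shell is genuinely unavoidable, shlex.quote() turns the value
    into one shell word; the allowlist still decides which program runs."""
    if action not in ACTIONS:
        raise ValueError("unknown action: %r" % action)
    line = " ".join(shlex.quote(a) for a in ACTIONS[action] + [value])
    result = subprocess.run(line, shell=True, capture_output=True, text=True)
    return result.stdout


def run_fixed_rejects(action, value):
    try:
        run_fixed(action, value)
        return False
    except ValueError:
        return True


if __name__ == "__main__":
    print(run_vulnerable("hello; echo INJECTED"))          # second command runs
    print(run_fixed("echo", "hello; echo INJECTED"))       # printed literally
    print(run_fixed("basename", "/tmp/foo; echo INJECTED"))
    print(run_quoted("echo", "hello; echo INJECTED"))
    print(run_fixed_rejects("rm", "-rf /"))
```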
______________________________________________________________________
08.12.87 CVE: Not Available
Platform: Web Application
Title: cPanel List Directories and Folders Information Disclosure
Description: cPanel is a web-hosting control panel. The application is
exposed to an information disclosure issue because it fails to
sufficiently sanitize user-supplied input to the "showtree" parameter
of the "frontend/x/diskusage/index.html" script, allowing directory
and folder names to be listed.
Ref: http://www.securityfocus.com/archive/1/489747
______________________________________________________________________
08.12.88 CVE: CVE-2008-0073
Platform: Cross Platform
Title: xine-lib "sdpplin_parse()" Remote Buffer Overflow
Description: xine-lib is a multimedia decoding library used by various
media players. The library is exposed to a remote buffer overflow issue
in the "sdpplin_parse()" function because it fails to perform adequate
boundary checks on SDP data received from a malicious RTSP server.
xine-lib version 1.1.10.1 is affected.
Ref: http://secunia.com/secunia_research/2008-10/advisory/
______________________________________________________________________
08.12.89 CVE: Not Available
Platform: Network Device
Title: RaidSonic NAS-4220-B Encryption Key Disclosure
Description: RaidSonic NAS-4220-B is a Linux-based Network Attached
Storage (NAS) device that holds up to two SATA hard drives. The device
is exposed to an encryption key disclosure issue because the key used
to encrypt hard drive data is stored insecurely in the configuration
partition of each drive, so anyone with access to a drive can recover
it. NAS-4220-B running firmware version 2.6.0-n (2007-10-11) is
affected.
Ref: http://www.securityfocus.com/archive/1/489690
______________________________________________________________________
08.12.90 CVE: Not Available
Platform: Network Device
Title: F-Secure Multiple Products Multiple Remote Archive Handling
Vulnerabilities
Description: Multiple F-Secure products are exposed to multiple remote
archive handling issues because they fail to properly handle malformed
archive files, which can be used to bypass scanning or crash the
scanner.
Ref: http://www.securityfocus.com/archive/1/489706
______________________________________________________________________
(c) 2008. All rights reserved. The information contained in this
newsletter, including any external links, is provided "AS IS," with no
express or implied warranty, for informational purposes only. In some
cases, copyright for material in this newsletter may be held by a party
other than Qualys (as indicated herein) and permission to use such
material must be requested from the copyright owner.
Subscriptions:
RISK is distributed free of charge by the SANS Institute
to people responsible for managing and securing information systems and
networks. You may forward this newsletter to others with such
responsibility inside or outside your organization.
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.8 (Darwin)
iEYEARECAAYFAkfiubkACgkQ+LUG5KFpTkZlvgCfYXkqkY2xdsWhxA3xvuKZdqZG
AiwAn2tsCQrgdjGi9hljLIhhaXzvP+D/
=LjYd
-----END PGP SIGNATURE-----