RISK: The Consensus Security Vulnerability Alert Vol. 7 No. 34

From: The SANS Institute (ConsensusSecurityVulnerabilityAlertsans.org)
Date: Thu Aug 21 2008 - 22:19:59 CDT


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

A very light week - but another critical vulnerability in a back-up
product - this time in a tool from Symantec Veritas. You can be sure the
attackers know how many flaws there are and how rarely back-up software
is patched.
                                Alan
*************************************************************************
          RISK: The Consensus Security Vulnerability Alert
August 21, 2008 Vol. 7. Week 34
*************************************************************************
RISK is the SANS community's consensus bulletin summarizing the most
important vulnerabilities and exploits identified during the past week
and providing guidance on appropriate actions to protect your systems
(PART I). It also includes a comprehensive list of all new
vulnerabilities discovered in the past week (PART II).

Summary of Updates and Vulnerabilities in this Consensus
Platform Number of Updates and Vulnerabilities
- ------------------------ -------------------------------------
Other Microsoft Products 1 (#3)
Third Party Windows Apps 5 (#1, #4)
Linux 6
Unix 1
Cross Platform 15 (#2)
Web Application - Cross Site Scripting 7
Web Application - SQL Injection 11
Web Application 16
Network Device 1

********************** Sponsored By Sourcefire, Inc. ********************

Best of Open Source Security (BOSS) Conference
February 8-10, 2009, Flamingo, Las Vegas

Be sure to register for the first IT security conference dedicated to
promoting open source security (OSS) technologies and the commercial
products that embrace them.

This long overdue conference will bring together passionate OSS
advocates and vendors under the same roof to share ideas and
experiences.

For more information, visit http://www.sans.org/info/31958

*************************************************************************
TRAINING UPDATE:
SANS NETWORK SECURITY 2008 - LAS VEGAS September 28-October 6.
Fifty courses including the much sought after new penetration testing
and secure coding courses. A big exhibit; a big evening program. By far
the best value on security education. Discount deadline September 3.
http://www.sans.org/ns2008

ADDITIONAL TRAINING UPDATE
- - Boston (8/9-8/16) http://www.sans.org/boston08/
- - Virginia Beach (8/21-8/29): http://www.sans.org/vabeach08/
- - Chicago (9/3-9/10) http://www.sans.org/chicago08 AUDIT & COMPLIANCE
- - and in 100 other cities and online any time: www.sans.org
*************************************************************************

Table Of Contents
Part I -- Critical Vulnerabilities from TippingPoint (www.tippingpoint.com)

Widely Deployed Software
(1) CRITICAL: Symantec Veritas Storage Foundation Authentication Bypass
(2) HIGH: Opera Multiple Vulnerabilities
(3) HIGH: Microsoft Visual Studio MaskedEdit ActiveX Control Buffer Overflow
(4) HIGH: Ipswitch WS_FTP Client and Server Multiple Vulnerabilities

Part II -- Comprehensive List of Newly Discovered Vulnerabilities from
Qualys (www.qualys.com)

 -- Other Microsoft Products
08.34.1 - Microsoft Visual Studio "Msmask32.ocx" ActiveX Control Remote Buffer Overflow
 -- Third Party Windows Apps
08.34.2 - FlashGet FTP "PWD" Response Remote Buffer Overflow
08.34.3 - Symantec Storage Foundation for Windows Security Update Circumvention
08.34.4 - Maya Studio eo-video Playlist File Buffer Overflow
08.34.5 - Ipswitch WS_FTP Client Format String
08.34.6 - Ipswitch WS_FTP Server Message Response Buffer Overflow
 -- Linux
08.34.7 - Red Hat Network Satellite Server "manzier.pxt" User Information Disclosure
08.34.8 - HP Linux Imaging and Printing System Privilege Escalation And Denial of Service Vulnerabilities
08.34.9 - Yelp Invalid URI Format String
08.34.10 - Openwsman Multiple Remote Security Vulnerabilities
08.34.11 - Red Hat yum-rhn-plugin RHN Updates Denial of Service
08.34.12 - Linux Kernel "dccp_setsockopt_change()" Remote Denial of Service
 -- Unix
08.34.13 - Sympa "sympa.pl" Insecure Temporary File Creation
 -- Cross Platform
08.34.14 - Sun Java System Web Proxy Server FTP Subsystem Denial of Service
08.34.15 - Postfix Local Information Disclosure and Local Privilege Escalation Vulnerabilities
08.34.16 - HAVP "sockethandler.cpp" Client Connect Infinite Loop Denial of Service
08.34.17 - xine-lib 1.1.14 Multiple Remote Buffer Overflow Vulnerabilities
08.34.18 - xine-lib OGG Processing Remote Denial of Service
08.34.19 - MicroWorld Technologies MailScan Multiple Remote Vulnerabilities
08.34.20 - Neon Digest Authentication Null Pointer Exception Denial of Service
08.34.21 - GnuTLS "gnutls_handshake()" Function Remote Denial of Service
08.34.22 - VLC Media Player "demuxtta.c" TTA File Handling Buffer Overflow
08.34.23 - ESET Smart Security "easdrv.sys" Local Privilege Escalation
08.34.24 - EchoVNC Remote Buffer Overflow
08.34.25 - Attachmate Reflection for Secure IT Multiple Unspecified Security Vulnerabilities
08.34.26 - OllyDBG "ollydbg.ini" Debug Argument Local Buffer Overflow
08.34.27 - SWIMAGE Encore Master Password Information Disclosure
08.34.28 - VMware Workstation "hcmon.sys" Local Denial of Service
 -- Web Application - Cross Site Scripting
08.34.29 - Navboard Multiple Local File Include and Cross-Site Scripting Vulnerabilities
08.34.30 - Openfire "login.jsp" Cross-Site Scripting
08.34.31 - Mambo Multiple Cross-Site Scripting Vulnerabilities
08.34.32 - FlexCMS "inc-core-admin-editor-previouscolorsjs.php" Cross-Site Scripting
08.34.33 - AWStats "awstats.pl" Cross-Site Scripting
08.34.34 - Ovidentia "index.php" Cross-Site Scripting
08.34.35 - Sun Java System Portal Server Portlets Cross-Site Scripting
 -- Web Application - SQL Injection
08.34.36 - PHP Realty "dpage.php" SQL Injection
08.34.37 - PHP-Fusion "readmore.php" SQL Injection
08.34.38 - E-Shop Shopping Cart Script "search_results.php" SQL Injection
08.34.39 - ZEEJOBSITE "bannerclick.php" SQL Injection
08.34.40 - FipsCMS "forum/neu.asp" SQL Injection
08.34.41 - phpArcadeScript "cat" Parameter SQL Injection
08.34.42 - Quick Poll "code.php" SQL Injection
08.34.43 - PromoProducts "view_product.php" Multiple SQL Injection Vulnerabilities
08.34.44 - PHPBasket "pro_id" Parameter SQL Injection
08.34.45 - NewsHOWLER Cookie Data SQL Injection
08.34.46 - cyberBB Multiple SQL Injection Vulnerabilities
 -- Web Application
08.34.47 - Gelato CMS "classes/imgsize.php" Local File Include
08.34.48 - Meet#Web "root_path" Parameter Multiple Remote File Include Vulnerabilities
08.34.49 - Ventrilo "type 0" Packet NULL Pointer Dereference Denial of Service
08.34.50 - Freeway Multiple Input Validation Vulnerabilities
08.34.51 - Cardinal CMS "upload.php" Arbitrary File Upload
08.34.52 - Nukeviet "admin/login.php" Cookie Authentication Bypass
08.34.53 - YapBB "class_yapbbcooker.php" Remote File Include
08.34.54 - CyBoards PHP Lite Multiple Remote Vulnerabilities
08.34.55 - dotCMS "id" Parameter Multiple Local File Include Vulnerabilities
08.34.56 - mUnky "index.php" Remote Code Execution
08.34.57 - Harmoni Versions Prior to 1.6.0 Cross-Site Request Forgery and Security Bypass Vulnerabilities
08.34.58 - PHPizabi "id" Parameter Local File Include
08.34.59 - XNova Project XNova "todofleetcontrol.php" Remote File Include
08.34.60 - VidiScript Remote File Upload
08.34.61 - PHP Live Helper Multiple Input Validation Vulnerabilities
08.34.62 - Freeway "language" Parameter Multiple Local File Include Vulnerabilities
 -- Network Device
08.34.63 - Nokia 6131 Multiple Vulnerabilities

************************** Sponsored Links: ****************************

1) Listen to industry leaders discuss issues and solutions - Penetration
Testing and Ethical Hacking Summit September 17.
http://www.sans.org/info/31963

2) Attend the Forensics and Incident Response Summit October 13-14 in
Las Vegas to learn about the latest tools and techniques.
http://www.sans.org/info/31968
*************************************************************************

PART I Critical Vulnerabilities
Part I for this issue has been compiled by Rob King at TippingPoint, a
division of 3Com, as a by-product of that company's continuous effort
to ensure that its intrusion prevention products effectively block
exploits using known vulnerabilities. TippingPoint's analysis is
complemented by input from a council of security managers from twelve
large organizations who confidentially share with SANS the specific
actions they have taken to protect their systems. A detailed description
of the process may be found at
http://www.sans.org/newsletters/cva/#process

*****************************
Widely Deployed Software
*****************************

(1) CRITICAL: Symantec Veritas Storage Foundation Authentication Bypass
Affected:
Symantec Veritas Storage Foundation versions 5.1 and prior

Description: Symantec Veritas Storage Foundation is a popular enterprise
storage management system. Its Volume Manager Scheduler Service (the
component named in Part II entry 08.34.3) exports a Remote Procedure
Call (RPC) interface that exposes several scheduling functions. This RPC
interface accepts NULL (anonymous) authentication, so any user who can
reach the service over the network can connect and execute these
procedures. Calling these
procedures would allow an attacker to execute arbitrary code with the
privileges of the vulnerable process (usually SYSTEM). This
vulnerability represents another exploitation vector for an issue
discussed in a previous edition of RISK. That vector was patched and
is no longer vulnerable. Technical details are publicly available for
this vulnerability.

Status: Vendor confirmed, updates available.

References:
Zero Day Initiative Advisory
http://zerodayinitiative.com/advisories/ZDI-08-052/
TippingPoint DVLabs Advisory (previous vector)
http://dvlabs.tippingpoint.com/advisory/TPTI-07-08
Previous RISK Entry
https://www2.sans.org/newsletters/risk/display.php?v=6&i=24#widely3
Symantec Security Advisory
http://www.symantec.com/avcenter/security/Content/2008.08.14a.html
SecurityFocus BID
http://www.securityfocus.com/bid/30596

******************************************************************

(2) HIGH: Opera Multiple Vulnerabilities
Affected:
Opera versions prior to 9.52

Description: Opera is a popular cross-platform web browser and internet
application suite. It contains multiple vulnerabilities in its handling
of a variety of user inputs. A malicious web page or RSS feed could
exploit these vulnerabilities to execute arbitrary code with the
privileges of the current user, perform cross-site-scripting attacks,
retrieve sensitive information, or spoof website locations. Some
technical details for these vulnerabilities are publicly available.

Status: Vendor confirmed, updates available.

References:
Opera Security Advisories
http://www.opera.com/support/search/view/892/
http://www.opera.com/support/search/view/893/
http://www.opera.com/support/search/view/894/
http://www.opera.com/support/search/view/895/
http://www.opera.com/support/search/view/896/
http://www.opera.com/support/search/view/897/
Opera Home Page
http://www.opera.com/
SecurityFocus BID
http://www.securityfocus.com/bid/30768

******************************************************************

(3) HIGH: Microsoft Visual Studio MaskedEdit ActiveX Control Buffer Overflow
Affected:
Microsoft Visual Studio MaskedEdit ActiveX control versions prior to 6.0.48.18

Description: The MaskedEdit ActiveX control, a component of Microsoft
Visual Studio, contains a buffer overflow vulnerability in its handling
of its "mask" parameter. A specially crafted web page that instantiates
this control could trigger this vulnerability, allowing an attacker to
execute arbitrary code with the privileges of the current user. A
proof-of-concept is publicly available for this vulnerability, as are
technical details.

Status: Vendor confirmed, updates available. Users can mitigate the
impact of this vulnerability by disabling the affected control (shipped
as Msmask32.ocx, see Part II entry 08.34.1) via Microsoft's "kill bit"
mechanism, using CLSID "C932BA85-4374-101B-A56C-00AA003668DC". As
described in KB240797, this means creating the registry key
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\ActiveX
Compatibility\{C932BA85-4374-101B-A56C-00AA003668DC} and setting its
"Compatibility Flags" DWORD value to 0x00000400. Note that this may
affect applications that rely on the control.

References:
Proof-of-Concept
http://downloads.securityfocus.com/vulnerabilities/exploits/30674.js
Microsoft Knowledge Base Article (details the "kill bit" mechanism)
http://support.microsoft.com/kb/240797
MaskedEdit Documentation
http://msdn.microsoft.com/en-us/library/11405hcf(VS.71).aspx
Product Home Page
http://msdn.microsoft.com/en-us/vstudio/default.aspx
SecurityFocus BID
http://www.securityfocus.com/bid/30674

******************************************************************

(4) HIGH: Ipswitch WS_FTP Client and Server Multiple Vulnerabilities
Affected:
Ipswitch WS_FTP Pro versions 8.0.3 and prior

Description: Ipswitch WS_FTP is a popular File Transfer Protocol (FTP)
client and server for Microsoft Windows. The server contains a buffer
overflow vulnerability in its handling of user responses. An attacker
could exploit this vulnerability to execute arbitrary code with the
privileges of the vulnerable process (often SYSTEM). Also, the client
contains a format string flaw in its parsing of server responses; a
malicious server could exploit this vulnerability to execute arbitrary
code with the privileges of the current user. Note that the user would
have to connect to a malicious server to be vulnerable. A
proof-of-concept for the client side vulnerability is publicly
available.

Status: Vendor has not confirmed, no updates available.

References:
Proof-of-Concept
http://downloads.securityfocus.com/vulnerabilities/exploits/30720.py
Product Home Page
http://www.ipswitchft.com/
SecurityFocus BIDs
http://www.securityfocus.com/bid/30720
http://www.securityfocus.com/bid/30728

*******************************************************

Part II: Weekly Comprehensive List of Newly Discovered Vulnerabilities
Week 34, 2008

This list is compiled by Qualys ( www.qualys.com ) as part of that
company's ongoing effort to ensure its vulnerability management web
service tests for all known vulnerabilities that can be scanned. As of
this week Qualys scans for 5549 unique vulnerabilities. For this special
SANS community listing, Qualys also includes vulnerabilities that cannot
be scanned remotely.
______________________________________________________________________

08.34.1 CVE: Not Available
Platform: Other Microsoft Products
Title: Microsoft Visual Studio "Msmask32.ocx" ActiveX Control Remote
Buffer Overflow
Description: Microsoft Visual Studio is a suite of software
development tools. The MaskedEdit ActiveX control is a part of this
suite. The application is exposed to a stack-based buffer overflow
issue because it fails to perform adequate boundary checks on
user-supplied input. "Msmask32.ocx" version 6.0.81.69 is affected.
Ref: http://support.microsoft.com/kb/240797
______________________________________________________________________

08.34.2 CVE: Not Available
Platform: Third Party Windows Apps
Title: FlashGet FTP "PWD" Response Remote Buffer Overflow
Description: FlashGet is a freeware download manager for Microsoft
Windows. The application is exposed to a stack-based buffer overflow
issue because it fails to properly validate the "PWD" response in FTP
connections before copying it into an insufficiently sized buffer.
FlashGet version 1.9 is affected.
Ref: http://www.securityfocus.com/bid/30685
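The FlashGet entry above is the classic client-side FTP bug: the server
sends a 257 reply to PWD and the client copies the quoted pathname into a
fixed-size buffer without checking its length. The following C example is
added here and is not FlashGet or WS_FTP code; it shows a bounded parser
for that reply (including the RFC 959 rule that a literal quote inside the
pathname is doubled) next to the unchecked pattern it replaces. PATH_BUF,
the function names and the constructed oversize reply are all hypothetical.

```c
/* Added example (not FlashGet or WS_FTP code): parsing an FTP "257" reply
 * from an untrusted server into a fixed-size buffer without overflowing it.
 * Per RFC 959 the PWD reply is:  257 "<pathname>" <comment>
 * and a literal quote inside the pathname is doubled ("").  PATH_BUF and
 * all function names here are hypothetical. */
#include <stdio.h>
#include <string.h>

#define PATH_BUF 256            /* size of the client's pathname buffer */

/* Vulnerable pattern, for contrast (never call it with a hostile reply):
 * copies up to the closing quote with no check against the buffer size. */
static void pwd_parse_unsafe(const char *reply, char *out)
{
    const char *p = strchr(reply, '"');
    if (p == NULL) { out[0] = '\0'; return; }
    for (p++; *p != '\0' && *p != '"'; p++)
        *out++ = *p;            /* a long pathname runs past 'out' */
    *out = '\0';
}

/* Hardened parser: returns the pathname length, or -1 if the reply is not
 * a 257 reply, the quote is unterminated, or the pathname would not fit. */
int pwd_parse(const char *reply, char *out, size_t outsz)
{
    const char *p;
    size_t n = 0;

    if (outsz == 0 || strncmp(reply, "257 ", 4) != 0 || reply[4] != '"')
        return -1;
    for (p = reply + 5; ; ) {
        char c = *p++;
        if (c == '\0')
            return -1;          /* reply ended inside the quotes */
        if (c == '"') {
            if (*p != '"')
                break;          /* closing quote */
            p++;                /* "" is an escaped literal quote */
        }
        if (n + 1 >= outsz)
            return -1;          /* would overflow: reject the reply */
        out[n++] = c;
    }
    out[n] = '\0';
    return (int)n;
}

/* Parse 'reply' into a PATH_BUF buffer and compare with 'expect':
 * 1 = parsed and equal, 0 = parsed but different, -1 = rejected. */
int pwd_parse_check(const char *reply, const char *expect)
{
    char path[PATH_BUF];
    if (pwd_parse(reply, path, sizeof path) < 0)
        return -1;
    return strcmp(path, expect) == 0;
}

/* Constructed hostile reply: a 257 line whose pathname is 'pathlen' bytes
 * of 'A'.  Returns what pwd_parse() makes of it. */
int pwd_parse_generated(size_t pathlen)
{
    char reply[1024], path[PATH_BUF];
    if (pathlen >= sizeof reply - 16)
        return -1;
    memcpy(reply, "257 \"", 5);
    memset(reply + 5, 'A', pathlen);
    strcpy(reply + 5 + pathlen, "\" ok");
    return pwd_parse(reply, path, sizeof path);
}

int main(void)
{
    char path[PATH_BUF];
    const char *reply = "257 \"/home/user\" is current directory.";
    pwd_parse_unsafe(reply, path);          /* benign input only */
    printf("unsafe: %s\n", path);
    printf("safe:   %d\n", pwd_parse(reply, path, sizeof path));
    printf("600-byte pathname: %d\n", pwd_parse_generated(600));
    return 0;
}
```

The same bounded-copy discipline applies to the other fixed-buffer parsers
in this issue (08.34.6, 08.34.26): decide the maximum before copying, and
treat anything longer as a malformed message rather than data to be kept.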
______________________________________________________________________

08.34.3 CVE: Not Available
Platform: Third Party Windows Apps
Title: Symantec Storage Foundation for Windows Security Update
Circumvention
Description: Symantec Storage Foundation for Windows is a networked
storage management tool. The application is exposed to a security
update circumvention issue in the Volume Manager Scheduler Service.
Storage Foundation for Windows versions 5.0, 5.0 RP1, and 5.1 are
affected.
Ref: http://www.securityfocus.com/archive/1/495487
______________________________________________________________________

08.34.4 CVE: Not Available
Platform: Third Party Windows Apps
Title: Maya Studio eo-video Playlist File Buffer Overflow
Description: eo-video is a media player for Microsoft Windows
platforms. The application is exposed to a buffer overflow issue
because it fails to perform adequate boundary checks on user-supplied
input. The issue arises when the application handles a playlist (.eop)
file with a large string value in the "<name>" field. eo-video version
1.36 is affected.
Ref: http://www.securityfocus.com/bid/30717
______________________________________________________________________

08.34.5 CVE: Not Available
Platform: Third Party Windows Apps
Title: Ipswitch WS_FTP Client Format String
Description: Ipswitch WS_FTP client is an FTP implementation that is
available for Microsoft Windows operating systems. The application is
exposed to a format string issue because it fails to properly sanitize
user-supplied input before passing it as the format specifier to a
formatted-printing function.
Ref: http://www.securityfocus.com/bid/30720
______________________________________________________________________

08.34.6 CVE: Not Available
Platform: Third Party Windows Apps
Title: Ipswitch WS_FTP Server Message Response Buffer Overflow
Description: Ipswitch WS_FTP is an FTP implementation that is
available for Microsoft Windows operating systems. The application is
exposed to a remote buffer overflow issue because it fails to perform
adequate boundary-checks on user-supplied data.
Ref: http://www.securityfocus.com/bid/30728
______________________________________________________________________

08.34.7 CVE: CVE-2008-2369
Platform: Linux
Title: Red Hat Network Satellite Server "manzier.pxt" User Information
Disclosure
Description: Red Hat Network Satellite Server is a server application
that allows users to perform Red Hat Network updates on computers that
are not directly attached to the Internet. The application is exposed
to an information disclosure issue because it ships with a hard-coded
authentication key.
Ref: http://rhn.redhat.com/errata/RHSA-2008-0630.html
______________________________________________________________________

08.34.8 CVE: CVE-2008-2940, CVE-2008-2941
Platform: Linux
Title: HP Linux Imaging and Printing System Privilege Escalation And
Denial of Service Vulnerabilities
Description: HP Linux Imaging and Printing System (HPLIP) is a Linux
based application to print, scan, and fax with HP inkjet and laser
based printers. The application is exposed to multiple issues: a
privilege escalation issue occurs in the alert-mailing functionality
of the application; and a local denial of service issue exists in the
"hpssd" message parser. HPLIP version 1.6.7 is affected.
Ref: http://rhn.redhat.com/errata/RHSA-2008-0818.html
______________________________________________________________________

08.34.9 CVE: CVE-2008-3533
Platform: Linux
Title: Yelp Invalid URI Format String
Description: Yelp is the GNOME help browser. The application is
exposed to a remote format string issue because it fails to properly
sanitize user-supplied input before including it in the
format-specifier argument of a formatted-printing function. Yelp
version 2.23.1 is affected.
Ref: http://bugzilla.gnome.org/show_bug.cgi?id=546364
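Part I item (4), 08.34.5 and the Yelp entry above are all the same bug:
text received from a server (or a URI handed to the program) ends up as the
format argument of a printf-family call. The C example below is added here
and is not WS_FTP or Yelp code; it shows the vulnerable call site through a
typical variadic logging wrapper, the one-line fix, and a small directive
counter of the kind a detection rule or input filter would use. The function
names and the constructed hostile strings are hypothetical.

```c
/* Added example (not WS_FTP or Yelp code): the format string bug behind
 * Part I (4), 08.34.5 and 08.34.9, next to its fix, plus a crude detector
 * for hostile input.  Function names are hypothetical. */
#include <stdarg.h>
#include <stdio.h>
#include <string.h>

/* A logging helper like the ones these programs have: whatever arrives as
 * 'fmt' is interpreted by vsnprintf(). */
static void logf_to(char *line, size_t linesz, const char *fmt, ...)
{
    va_list ap;
    va_start(ap, fmt);
    vsnprintf(line, linesz, fmt, ap);
    va_end(ap);
}

/* Vulnerable call site: the untrusted text is passed as the format, so
 * "%x" leaks stack words and "%n" writes to memory.  Kept for contrast and
 * only ever called below with text that contains no '%'. */
static void log_reply_unsafe(char *line, size_t linesz, const char *text)
{
    logf_to(line, linesz, text);
}

/* Fixed call site: the untrusted text is an argument, never the format. */
void log_reply(char *line, size_t linesz, const char *text)
{
    logf_to(line, linesz, "server: %s", text);
}

/* Log 'text' into a static line with the fixed function and return it. */
const char *log_reply_str(const char *text)
{
    static char line[128];
    log_reply(line, sizeof line, text);
    return line;
}

/* Detection heuristic for an IDS rule or an input filter: count printf
 * conversions in untrusted text, ignoring the literal "%%".  A server reply
 * or URI carrying "%n" or a run of "%x" is a strong sign of an attempt to
 * exploit a client with this bug. */
int count_format_directives(const char *s)
{
    int n = 0;
    for (; *s != '\0'; s++) {
        if (*s != '%')
            continue;
        if (s[1] == '%') {      /* "%%" prints a percent sign: harmless */
            s++;
            continue;
        }
        n++;
    }
    return n;
}

int main(void)
{
    char line[128];
    const char *benign = "230 Login successful.";
    const char *hostile = "%x%x%x%x%n";     /* constructed attacker reply */

    log_reply_unsafe(line, sizeof line, benign);   /* fine only because no '%' */
    printf("unsafe, benign: %s\n", line);
    printf("fixed, hostile: %s\n", log_reply_str(hostile));
    printf("directives:     %d\n", count_format_directives(hostile));
    return 0;
}
```

Compilers flag the direct form (printf(text)) with -Wformat-security, but
not a call through a wrapper like logf_to() unless the wrapper is declared
with the format attribute; that is why this shape survives code review.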
______________________________________________________________________

08.34.10 CVE: CVE-2008-2234, CVE-2008-2233
Platform: Linux
Title: Openwsman Multiple Remote Security Vulnerabilities
Description: Openwsman is a system management platform that implements
the Web Services Management protocol (WS-Management). The application
is exposed to multiple remote security issues. Two buffer overflow
issues affect the basic HTTP authentication decoding mechanism, and an
SSL session replay vulnerability may affect some clients.
Ref: http://www.securityfocus.com/bid/30694
______________________________________________________________________

08.34.11 CVE: CVE-2008-3270
Platform: Linux
Title: Red Hat yum-rhn-plugin RHN Updates Denial of Service
Description: The yum-rhn-plugin allows the yum package manager to access
the Red Hat Network (RHN) for package updates. The plugin is exposed to
a denial of service issue because it fails to adequately validate SSL
certificates against configured trusted CA certificates when
communicating with an RHN server.
Ref: http://rhn.redhat.com/errata/RHSA-2008-0815.html
______________________________________________________________________

08.34.12 CVE: CVE-2008-3276
Platform: Linux
Title: Linux Kernel "dccp_setsockopt_change()" Remote Denial of Service
Description: The Linux kernel is exposed to a remote denial of service
issue because it fails to properly handle user-supplied input. This
issue occurs because of inadequate checks in the
"dccp_setsockopt_change()" function of the "net/dccp/proto.c" source
file. Linux kernel versions since 2.6.17-rc1 are affected.
Ref: http://permalink.gmane.org/gmane.comp.security.oss.general/814
______________________________________________________________________

08.34.13 CVE: Not Available
Platform: Unix
Title: Sympa "sympa.pl" Insecure Temporary File Creation
Description: Sympa is open-source mailing list software. Sympa creates
temporary files in an insecure manner. The issue occurs because
sympa.pl creates files in an insecure manner when the
"--make_alias_file" option is used. Sympa version 5.4.3 is affected.
Ref: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=494969
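The Sympa entry is an insecure temporary file: a predictable name in a
shared directory that a local user can pre-create or symlink before the
program opens it. The C example below is added here and is not Sympa's
(Perl) code; it shows the mkstemp()-based pattern that closes the hole, the
O_EXCL|O_NOFOLLOW open for cases where the name must be fixed, and a
self-check that plants a file first to show the exclusive open refusing it.
The file name prefix and function names are hypothetical.

```c
/* Added example (C, not Sympa's Perl): creating a temporary file so that a
 * local user cannot plant a file or symlink at the name the program is
 * about to use.  The file name prefix and function names are hypothetical. */
#define _POSIX_C_SOURCE 200809L
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/stat.h>
#include <unistd.h>

/* The insecure pattern this replaces is a predictable name such as
 * /tmp/aliases.tmp opened with O_CREAT but without O_EXCL: a pre-created
 * file is silently reused and a symlink is followed to its target.
 *
 * mkstemp() picks an unpredictable name and opens it with O_CREAT|O_EXCL,
 * so an existing file or symlink makes it fail instead of being reused.
 * fchmod() then forces mode 0600 regardless of umask.  On success the
 * chosen name is left in 'path' and the descriptor is returned. */
int open_tmp_secure(char *path, size_t pathsz)
{
    const char *dir = getenv("TMPDIR");
    int fd;

    if (dir == NULL || *dir == '\0')
        dir = "/tmp";
    if (snprintf(path, pathsz, "%s/aliases.XXXXXX", dir) >= (int)pathsz)
        return -1;
    fd = mkstemp(path);
    if (fd < 0)
        return -1;
    if (fchmod(fd, S_IRUSR | S_IWUSR) != 0) {
        close(fd);
        unlink(path);
        return -1;
    }
    return fd;
}

/* When the name must be fixed, at least refuse to reuse anything already
 * there or to follow a symlink.  Returns the descriptor, or -1 with errno
 * set (EEXIST, ELOOP, ...). */
int open_exclusive(const char *path)
{
    return open(path, O_WRONLY | O_CREAT | O_EXCL | O_NOFOLLOW,
                S_IRUSR | S_IWUSR);
}

/* Self-check: the secure file is a regular file, mode 0600, single link.
 * Returns 1 on success, 0 otherwise; the file is removed either way. */
int tmp_file_selftest(void)
{
    char path[4096];
    struct stat st;
    int ok, fd = open_tmp_secure(path, sizeof path);

    if (fd < 0)
        return 0;
    ok = fstat(fd, &st) == 0 && S_ISREG(st.st_mode)
         && (st.st_mode & 0777) == 0600 && st.st_nlink == 1;
    close(fd);
    unlink(path);
    return ok;
}

/* Self-check of the failure mode: plant a file first (standing in for the
 * attacker), then show open_exclusive() refuses it with EEXIST.  Returns 1
 * when the refusal happens as expected. */
int preexisting_name_selftest(void)
{
    char path[4096];
    int planted = open_tmp_secure(path, sizeof path), fd, ok;

    if (planted < 0)
        return 0;
    fd = open_exclusive(path);
    ok = (fd < 0 && errno == EEXIST);
    if (fd >= 0)
        close(fd);
    close(planted);
    unlink(path);
    return ok;
}

int main(void)
{
    printf("secure temp file: %s\n", tmp_file_selftest() ? "ok" : "FAILED");
    printf("planted name refused: %s\n",
           preexisting_name_selftest() ? "ok" : "FAILED");
    return 0;
}
```

The equivalent in Perl is File::Temp rather than a hand-built name; the
point in either language is that the open must be the operation that
creates the file, with failure if the name already exists.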
______________________________________________________________________

08.34.14 CVE: Not Available
Platform: Cross Platform
Title: Sun Java System Web Proxy Server FTP Subsystem Denial of Service
Description: Sun Java System Web Proxy Server is a proxy server for
enterprises. The application is exposed to a denial of service issue
caused by an unspecified error in the FTP subsystem. Sun Java System
Web Proxy Server versions 4.0 through 4.0.5 for SPARC, x86, Linux,
Windows and HP-UX platforms are affected.
Ref: http://sunsolve.sun.com/search/document.do?assetkey=1-66-240327-1

______________________________________________________________________

08.34.15 CVE: CVE-2008-2936, CVE-2008-2937
Platform: Cross Platform
Title: Postfix Local Information Disclosure and Local Privilege
Escalation Vulnerabilities
Description: Postfix is exposed to multiple local issues. Successfully
exploiting these issues will allow attackers to gain access to
sensitive information or execute arbitrary commands with superuser
privileges. Postfix versions prior to 2.5.4 Patchlevel 4 are affected.
Ref: http://rhn.redhat.com/errata/RHSA-2008-0839.html
______________________________________________________________________

08.34.16 CVE: CVE-2008-3688
Platform: Cross Platform
Title: HAVP "sockethandler.cpp" Client Connect Infinite Loop Denial of
Service
Description: HAVP (HTTP Anti Virus Proxy) is an HTTP proxy intended to
be used with ClamAV to provide anti-virus scanning. The application is
exposed to a remote denial of service issue because unresponsive
servers can trigger an infinite loop. HAVP version 0.88 is affected.
Ref:
https://sourceforge.net/mailarchive/message.php?msg_name=487CDF51.5060201%40endian.com
______________________________________________________________________

08.34.17 CVE: Not Available
Platform: Cross Platform
Title: xine-lib 1.1.14 Multiple Remote Buffer Overflow Vulnerabilities
Description: The "xine" application is a media player; "xine-lib" is
the core library for applications that use xine. The library is
exposed to multiple remote buffer overflow issues because it fails to
perform adequate boundary checks on user-supplied input. "xine-lib"
versions prior to 1.1.15 are affected.
Ref:
http://hg.debian.org/hg/xine-lib/xine-lib?cmd=changeset;node=268c1c1639d7
______________________________________________________________________

08.34.18 CVE: CVE-2008-3231
Platform: Cross Platform
Title: xine-lib OGG Processing Remote Denial of Service
Description: The "xine" application is a media player; "xine-lib" is
the core library for applications that use xine. The issue occurs when
processing specially-crafted OGG media files. "xine-lib" versions
prior to 1.1.15 are affected.
Ref: http://www.openwall.com/lists/oss-security/2008/07/13/3
______________________________________________________________________

08.34.19 CVE: Not Available
Platform: Cross Platform
Title: MicroWorld Technologies MailScan Multiple Remote
Vulnerabilities
Description: MailScan is an AntiVirus/AntiSpam solution for mail
servers and is available for Microsoft Windows. The application is
exposed to multiple remote issues that occur in the web-based
administration console ("Server.exe") listening on TCP port 10043 by
default. MailScan version 5.6.a espatch1 is affected.
Ref: http://www.securityfocus.com/archive/1/495502
______________________________________________________________________

08.34.20 CVE: Not Available
Platform: Cross Platform
Title: Neon Digest Authentication Null Pointer Exception Denial of
Service
Description: Neon is an HTTP and WebDAV client library. The library is
exposed to a remote denial of service issue that occurs in the digest
authentication mechanism. This issue occurs in the "merge_paths()"
function of the "src/ne_uri.c" source file. Neon versions 0.28.0
through 0.28.2 are affected.
Ref: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=476571
______________________________________________________________________

08.34.21 CVE: CVE-2008-2377
Platform: Cross Platform
Title: GnuTLS "gnutls_handshake()" Function Remote Denial of Service
Description: GNU Transport Layer Security Library (GnuTLS) is a
library that implements the TLS 1.0 and SSL 3.0 protocols. The
application is exposed to a remote denial of service issue that
affects the "gnutls_handshake()" function and arises due to a design
error.
Ref: http://www.gnu.org/software/gnutls/
______________________________________________________________________

08.34.22 CVE: Not Available
Platform: Cross Platform
Title: VLC Media Player "demuxtta.c" TTA File Handling Buffer Overflow
Description: VLC is a cross-platform media player that can be used to
serve streaming data. The application is exposed to a heap-based
buffer overflow issue because it fails to perform adequate boundary
checks on user-supplied input. This occurs within the "demuxtta.c"
source file. VLC media player version 0.8.6i is affected.
Ref: http://www.orange-bat.com/adv/2008/adv.08.16.txt
______________________________________________________________________

08.34.23 CVE: Not Available
Platform: Cross Platform
Title: ESET Smart Security "easdrv.sys" Local Privilege Escalation
Description: ESET Smart Security is security software which integrates
anti-virus, anti-spam and a firewall. ESET Smart Security is exposed
to a local privilege escalation issue in the "easdrv.sys" driver. The
problem occurs because the driver fails to check input and output
pointers with the ProbeForRead or ProbeForWrite functions. ESET Smart
Security version 3.0.667.0 is affected.
Ref: http://www.eset.com/smartsecurity/
______________________________________________________________________

08.34.24 CVE: Not Available
Platform: Cross Platform
Title: EchoVNC Remote Buffer Overflow
Description: EchoVNC is a VNC client that allows remote users to
access desktops as if they are local users. It uses EchoServer as a
packet relay server. EchoVNC is affected by a remote buffer overflow
issue because the application fails to properly validate user-supplied
data before copying it into insufficiently sized buffers. EchoVNC for
Linux versions prior to 1.1.2 is affected.
Ref: http://www.securityfocus.com/bid/30722
______________________________________________________________________

08.34.25 CVE: Not Available
Platform: Cross Platform
Title: Attachmate Reflection for Secure IT Multiple Unspecified
Security Vulnerabilities
Description: Attachmate Reflection for Secure IT is a set of Secure
Shell clients and servers for Windows and UNIX platforms. The
application is exposed to multiple security vulnerabilities that stem
from unspecified errors. Secure IT UNIX Client and Server 7.0 versions
prior to Service Pack 1 (SP1) are affected.
Ref:
http://support.attachmate.com/techdocs/2374.html#Security_Updates_in_7.0_SP1
______________________________________________________________________

08.34.26 CVE: Not Available
Platform: Cross Platform
Title: OllyDBG "ollydbg.ini" Debug Argument Local Buffer Overflow
Description: OllyDBG is a debugging application. OllyDBG is exposed to
a local buffer overflow issue because it fails to perform adequate
boundary checks on user-supplied input. The issue affects the
"Argument" data supplied to "ollydbg.ini", and may be triggered when
the application processes data in excess of 262 bytes. OllyDBG v1.10
is affected.
Ref: http://www.securityfocus.com/bid/30733
______________________________________________________________________

08.34.27 CVE: Not Available
Platform: Cross Platform
Title: SWIMAGE Encore Master Password Information Disclosure
Description: SWIMAGE Encore is an application for automating server,
remote desktop and client deployments. This product consists of a server
application and a client application (Conductor.exe). An information
disclosure issue exists because the application fails to securely remove
authentication credentials from memory.
Ref: http://www.kb.cert.org/vuls/id/778427
______________________________________________________________________

08.34.28 CVE: Not Available
Platform: Cross Platform
Title: VMware Workstation "hcmon.sys" Local Denial of Service
Description: VMware Workstation is virtualization software that
supports multiple operating platforms. VMware Workstation is exposed
to a local denial of service issue because the application fails to
handle pointer data sent from usermode with "METHOD_NEITHER". VMware
Workstation version 6.0.0.45731 is affected.
Ref: http://www.securityfocus.com/bid/30737
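Entries 08.34.23 and 08.34.28 are the same driver mistake: with
METHOD_NEITHER the I/O manager hands the caller's raw input and output
pointers to the driver, and a handler that uses them without probing lets a
local user make the kernel read or write any address. The C example below is
added here and is not ESET's or VMware's code; it is a user-mode model of the
validation ProbeForRead()/ProbeForWrite() perform (alignment, user-space
bound, no wrap-around) and of a dispatch routine that applies it to both
buffers. USER_PROBE_ADDRESS is a hypothetical stand-in for the kernel's
MmUserProbeAddress, the function names are hypothetical, and the real
routines raise an exception rather than returning a status.

```c
/* Added example (user-mode C, not ESET's or VMware's driver code): the
 * pointer validation a METHOD_NEITHER IOCTL handler must perform before
 * touching the buffers a caller hands it.  The checks below mirror what
 * ProbeForRead()/ProbeForWrite() do; USER_PROBE_ADDRESS is a hypothetical
 * stand-in for the kernel's MmUserProbeAddress. */
#include <stdint.h>
#include <stdio.h>

#define USER_PROBE_ADDRESS 0x7FFF0000ULL    /* stand-in, 32-bit style */

#define STATUS_SUCCESS               0x00000000u
#define STATUS_DATATYPE_MISALIGNMENT 0x80000002u
#define STATUS_ACCESS_VIOLATION      0xC0000005u

enum probe_result { PROBE_OK = 0, PROBE_MISALIGNED, PROBE_NOT_USER };

/* A zero-length range is accepted without looking at the address (as in
 * the kernel).  Otherwise the address must be aligned to 'align', and the
 * range [addr, addr+len) must lie entirely below the user/kernel boundary
 * and must not wrap around the top of the address space. */
enum probe_result probe_user_range(uint64_t addr, uint64_t len, uint64_t align)
{
    uint64_t end;

    if (len == 0)
        return PROBE_OK;
    if (align != 0 && (addr & (align - 1)) != 0)
        return PROBE_MISALIGNED;
    end = addr + len;
    if (end < addr || end > USER_PROBE_ADDRESS)
        return PROBE_NOT_USER;
    return PROBE_OK;
}

/* Model of a METHOD_NEITHER dispatch routine for an IOCTL that exchanges
 * ULONG-sized values: probe the input buffer for read and the output buffer
 * for write before using either.  A real driver then copies the input into
 * a kernel buffer inside __try/__except, because the caller can unmap the
 * pages between the probe and the access. */
uint32_t ioctl_method_neither(uint64_t in_ptr, uint64_t in_len,
                              uint64_t out_ptr, uint64_t out_len)
{
    enum probe_result r = probe_user_range(in_ptr, in_len, 4);  /* ProbeForRead  */
    if (r == PROBE_OK)
        r = probe_user_range(out_ptr, out_len, 4);             /* ProbeForWrite */

    switch (r) {
    case PROBE_OK:         return STATUS_SUCCESS;   /* buffers may now be used */
    case PROBE_MISALIGNED: return STATUS_DATATYPE_MISALIGNMENT;
    default:               return STATUS_ACCESS_VIOLATION;
    }
}

int main(void)
{
    /* Constructed requests: a normal one, then the shapes an attacker sends. */
    printf("user buffers:        0x%08x\n",
           ioctl_method_neither(0x10000, 64, 0x20000, 64));
    printf("kernel output ptr:   0x%08x\n",
           ioctl_method_neither(0x10000, 64, 0x80000000, 8));
    printf("straddles boundary:  0x%08x\n",
           ioctl_method_neither(0x10000, 64, 0x7FFEFFFC, 8));
    printf("wraps address space: 0x%08x\n",
           ioctl_method_neither(0xFFFFFFFFFFFFFFF0ULL, 0x20, 0x20000, 64));
    printf("misaligned input:    0x%08x\n",
           ioctl_method_neither(0x10001, 64, 0x20000, 64));
    return 0;
}
```

Probing alone is not the whole fix: the driver must also capture the input
into its own buffer and write results through a probed, captured output
pointer, since the user can change the pointer values after the probe.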
______________________________________________________________________

08.34.29 CVE: Not Available
Platform: Web Application - Cross Site Scripting
Title: Navboard Multiple Local File Include and Cross-Site Scripting
Vulnerabilities
Description: Navboard is a PHP-based forum application. The
application is exposed to multiple input validation issues. Multiple
local file include issues affect the "module" parameter of the
"admin_modules.php" and "modules.php" scripts. A cross-site
scripting issue affects the "module" parameter of the "modules.php"
script. Navboard version 16 is affected.
Ref: http://www.securityfocus.com/bid/30687
______________________________________________________________________

08.34.30 CVE: Not Available
Platform: Web Application - Cross Site Scripting
Title: Openfire "login.jsp" Cross-Site Scripting
Description: Openfire is a freely available instant-messaging server
available for various platforms. The application is exposed to
cross-site scripting attacks because it fails to sufficiently sanitize
user-supplied input to the "type" parameter of the "login.jsp" script.
Openfire version 3.5.2 is affected.
Ref: http://www.igniterealtime.org/issues/browse/JM-629
______________________________________________________________________

08.34.31 CVE: Not Available
Platform: Web Application - Cross Site Scripting
Title: Mambo Multiple Cross-Site Scripting Vulnerabilities
Description: Mambo is a PHP-based content manager. The application is
exposed to multiple cross-site scripting issues because it fails to
sanitize user-supplied input. Mambo version 4.6.2 is affected.
Ref: http://www.securityfocus.com/archive/1/495507
______________________________________________________________________

08.34.32 CVE: Not Available
Platform: Web Application - Cross Site Scripting
Title: FlexCMS "inc-core-admin-editor-previouscolorsjs.php" Cross-Site
Scripting
Description: FlexCMS is a PHP-based content manager. The application is
exposed to a cross-site scripting issue because it fails to properly
sanitize user-supplied input to the "PreviousColorsString" parameter of
the "inc-core-admin-editor-previouscolorsjs.php" script. FlexCMS version
2.5 is affected.
Ref: http://www.securityfocus.com/archive/1/495508
______________________________________________________________________

08.34.33 CVE: Not Available
Platform: Web Application - Cross Site Scripting
Title: AWStats "awstats.pl" Cross-Site Scripting
Description: AWStats is a Perl-based application that provides
statistics on server traffic. The application is exposed to a
cross-site scripting issue because it fails to properly sanitize
user-supplied input to the "awstats.pl" script. AWStats version
6.8 is affected.
Ref:
http://sourceforge.net/tracker/index.php?func=detail&aid=2001151&group_id=13764&atid=113764
______________________________________________________________________

08.34.34 CVE: Not Available
Platform: Web Application - Cross Site Scripting
Title: Ovidentia "index.php" Cross-Site Scripting
Description: Ovidentia is a content manager. The application is
exposed to cross-site scripting attacks because it fails to
sufficiently sanitize user-supplied input to the "field" parameter of
the "index.php" script. Ovidentia version 6.6.5 is affected.
Ref: http://www.securityfocus.com/archive/1/495562
______________________________________________________________________

08.34.35 CVE: Not Available
Platform: Web Application - Cross Site Scripting
Title: Sun Java System Portal Server Portlets Cross-Site Scripting
Description: Sun Java System Portal Server is a Java-based framework
for developing web applications. Some unspecified Portlets bundled
with Sun Java System Portal Server are exposed to a cross-site
scripting issue because they fail to properly sanitize user-supplied
input. Sun Java System Portal Server versions 7.0 and 7.1 are
affected.
Ref: http://sunsolve.sun.com/search/document.do?assetkey=1-66-239308-1
______________________________________________________________________

08.34.36 CVE: Not Available
Platform: Web Application - SQL Injection
Title: PHP Realty "dpage.php" SQL Injection
Description: PHP Realty is a real estate classified advertising
application. The application is exposed to an SQL injection issue
because it fails to sufficiently sanitize user-supplied data to the
"docID" parameter of the "dpage.php" script before using it in an SQL
query.
Ref: http://www.securityfocus.com/bid/30678
______________________________________________________________________

08.34.37 CVE: Not Available
Platform: Web Application - SQL Injection
Title: PHP-Fusion "readmore.php" SQL Injection
Description: PHP-Fusion is a content management application. The
application is exposed to an SQL injection issue because it fails to
sufficiently sanitize user-supplied data to the "news_id" parameter of
the "readmore.php" script before using it in an SQL query. PHP-Fusion
version 4.01 is affected.
Ref: http://www.securityfocus.com/bid/30680
______________________________________________________________________

08.34.38 CVE: Not Available
Platform: Web Application - SQL Injection
Title: E-Shop Shopping Cart Script "search_results.php" SQL Injection
Description: E-Shop Shopping Cart Script is an e-commerce application.
The application is exposed to an SQL injection issue because it fails
to sufficiently sanitize user-supplied data to the "cid" parameter of
the "search_results.php" script before using it in an SQL query.
Ref: http://www.securityfocus.com/bid/30692
______________________________________________________________________

08.34.39 CVE: Not Available
Platform: Web Application - SQL Injection
Title: ZEEJOBSITE "bannerclick.php" SQL Injection
Description: ZEEJOBSITE is a PHP-based job recruitment application. The
application is exposed to an SQL injection issue because it fails to
sufficiently sanitize user-supplied data to the "adid" parameter of
the "bannerclick.php" script before using it in an SQL query.
ZEEJOBSITE version 2.0 is affected.
Ref: http://www.securityfocus.com/bid/30711
______________________________________________________________________

08.34.40 CVE: Not Available
Platform: Web Application - SQL Injection
Title: FipsCMS "forum/neu.asp" SQL Injection
Description: fipsCMS is a content manager implemented in ASP. The
application is exposed to an SQL injection issue because it fails to
sufficiently sanitize user-supplied data to the "kat" parameter of the
"forum/neu.asp" script file before using it in an SQL query. fipsCMS
version 2.1 is affected.
Ref: http://www.securityfocus.com/bid/30712
______________________________________________________________________

08.34.41 CVE: Not Available
Platform: Web Application - SQL Injection
Title: phpArcadeScript "cat" Parameter SQL Injection
Description: phpArcadeScript is a PHP-based web application. The
application is exposed to an SQL injection issue because it fails to
sufficiently sanitize user-supplied data to the "cat" parameter of the
"index.php" script before using it in an SQL query. phpArcadeScript
version 4.0 is affected.
Ref: http://www.securityfocus.com/bid/30714
______________________________________________________________________

08.34.42 CVE: Not Available
Platform: Web Application - SQL Injection
Title: Quick Poll "code.php" SQL Injection
Description: Quick Poll is voting software. The application is exposed
to an SQL injection issue because it fails to sufficiently sanitize
user-supplied data to the "id" parameter of the "code.php" script
before using it in an SQL query.
Ref: http://www.securityfocus.com/bid/30724
______________________________________________________________________

08.34.43 CVE: Not Available
Platform: Web Application - SQL Injection
Title: PromoProducts "view_product.php" Multiple SQL Injection
Vulnerabilities
Description: PromoProducts is a web-based application. The application
is exposed to multiple SQL injection issues because it fails to
sufficiently sanitize user-supplied data to the "sub_cat" and
"product_id" parameters of the "view_product.php" script before using
them in an SQL query.
Ref: http://packetstormsecurity.org/0808-exploits/promoproducts-sql.txt
______________________________________________________________________

08.34.44 CVE: Not Available
Platform: Web Application - SQL Injection
Title: PHPBasket "pro_id" Parameter SQL Injection
Description: PHPBasket is a PHP-based shopping cart application. The
application is exposed to an SQL injection issue because it fails to
sufficiently sanitize user-supplied data to the "pro_id" parameter of
the "product.php" script before using it in an SQL query.
Ref: http://www.securityfocus.com/bid/30726
______________________________________________________________________

08.34.45 CVE: Not Available
Platform: Web Application - SQL Injection
Title: NewsHOWLER Cookie Data SQL Injection
Description: NewsHOWLER is a PHP-based news posting application. The
application is exposed to an SQL injection issue because it fails to
sufficiently sanitize user-supplied data contained in cookies before
using it in an SQL query.
Ref: http://www.securityfocus.com/bid/30732
______________________________________________________________________

08.34.46 CVE: Not Available
Platform: Web Application - SQL Injection
Title: cyberBB Multiple SQL Injection Vulnerabilities
Description: cyberBB is a web-based forum application. The application
is exposed to multiple SQL injection issues because it fails to
sufficiently sanitize user-supplied data.
Ref: http://www.securityfocus.com/bid/30734
______________________________________________________________________

08.34.47 CVE: Not Available
Platform: Web Application
Title: Gelato CMS "classes/imgsize.php" Local File Include
Description: Gelato CMS is a content manager. The application is
exposed to a local file include issue because it fails to properly
sanitize user-supplied input to the "img" parameter of the
"classes/imgsize.php" script. Gelato CMS version 0.95 is affected.
Ref: http://www.securityfocus.com/bid/30672
______________________________________________________________________

08.34.48 CVE: Not Available
Platform: Web Application
Title: Meet#Web "root_path" Parameter Multiple Remote File Include
Vulnerabilities
Description: Meet#Web is a PHP-based content manager. The application
is exposed to multiple remote file include issues because it fails to
sufficiently sanitize user-supplied input to the "root_path"
parameter. Meet#Web version 0.8 is affected.
Ref: http://www.securityfocus.com/bid/30673
______________________________________________________________________

08.34.49 CVE: Not Available
Platform: Web Application
Title: Ventrilo "type 0" Packet NULL Pointer Dereference Denial of
Service
Description: Ventrilo is a voice chat application. The application is
exposed to a denial of service issue when handling packets sent to TCP
port 3784. This issue occurs when handling a "type 0" packet
containing an incorrect version followed by a packet containing
malicious data. Ventrilo version 3.0.2 is affected.
Ref: http://www.securityfocus.com/archive/1/495448
______________________________________________________________________

08.34.50 CVE: Not Available
Platform: Web Application
Title: Freeway Multiple Input Validation Vulnerabilities
Description: Freeway is an open source e-commerce platform. The
application is exposed to multiple issues because it fails to properly
sanitize user-supplied input. Freeway version 1.4.1.171 is affected.
Ref: http://sourceforge.net/project/shownotes.php?release_id=619467
______________________________________________________________________

08.34.51 CVE: Not Available
Platform: Web Application
Title: Cardinal CMS "upload.php" Arbitrary File Upload
Description: Cardinal CMS is a PHP-based content manager. The
application is exposed to an issue that lets remote attackers upload
and execute arbitrary script code on an affected computer with the
privileges of the web server process. The issue occurs because the
software fails to properly sanitize user-supplied input in the
"/html/news_fckeditor/editor/filemanager/upload/php/upload.php"
script. Cardinal CMS version 1.2 is affected.
Ref: http://www.securityfocus.com/bid/30677
______________________________________________________________________

08.34.52 CVE: Not Available
Platform: Web Application
Title: Nukeviet "admin/login.php" Cookie Authentication Bypass
Description: Nukeviet is a PHP-based content manager. The application
is exposed to an authentication bypass issue because it fails to
adequately verify user-supplied input used for cookie-based
authentication. This issue affects the "admin/login.php" script.
Nukeviet version 2.0 Beta is affected.
Ref: http://www.securityfocus.com/bid/30681
______________________________________________________________________

08.34.53 CVE: Not Available
Platform: Web Application
Title: YapBB "class_yapbbcooker.php" Remote File Include
Description: YapBB is a bulletin board. The application is exposed to
a remote file include issue because it fails to properly sanitize
user-supplied input to the "cfgIncludeDirectory" parameter of the
"include/class_yapbbcooker.php" script. YapBB version 1.2 Beta2 is
affected.
Ref: http://www.securityfocus.com/bid/30686
______________________________________________________________________

08.34.54 CVE: Not Available
Platform: Web Application
Title: CyBoards PHP Lite Multiple Remote Vulnerabilities
Description: CyBoards PHP Lite is a web-based message board
application. The application is exposed to multiple issues. An
attacker may exploit these issues to execute arbitrary server-side
script code on an affected computer in the context of the web server
process. CyBoards PHP Lite version 1.21 is affected.
Ref: http://www.securityfocus.com/bid/30688
______________________________________________________________________

08.34.55 CVE: Not Available
Platform: Web Application
Title: dotCMS "id" Parameter Multiple Local File Include
Vulnerabilities
Description: dotCMS is a Java-based content manager. The application
is exposed to multiple local file include issues because it fails to
properly sanitize user-supplied input to the "id" parameter of the
"index.dot" and "/macros/macros_detail.dot" scripts. dotCMS version
1.6 is affected.
Ref: http://www.securityfocus.com/bid/30703
______________________________________________________________________

08.34.56 CVE: Not Available
Platform: Web Application
Title: mUnky "index.php" Remote Code Execution
Description: mUnky is a web-based content management application. The
application is exposed to a remote code execution issue because it
fails to properly sanitize user-supplied data.
Ref: http://www.securityfocus.com/archive/1/495503
______________________________________________________________________

08.34.57 CVE: Not Available
Platform: Web Application
Title: Harmoni Versions Prior to 1.6.0 Cross-Site Request Forgery and
Security Bypass Vulnerabilities
Description: Harmoni is an application framework implemented in PHP.
Harmoni is exposed to multiple remote issues. An attacker can exploit
these issues to gain unauthorized access to the affected application,
create new user accounts and delete arbitrary content within the
context of the affected application. Other attacks are also possible.
Harmoni versions prior to 1.6.0 are affected.
Ref: http://www.securityfocus.com/bid/30706
______________________________________________________________________

08.34.58 CVE: Not Available
Platform: Web Application
Title: PHPizabi "id" Parameter Local File Include
Description: PHPizabi is a social-networking platform. The application
is exposed to a local file include issue because it fails to properly
sanitize user-supplied input to the "id" parameter of the "index.php"
script when the "L" parameter is set to "blogs.search". PHPizabi
version 0.848b C1 HFP3 is affected.
Ref: http://www.securityfocus.com/bid/30707
______________________________________________________________________

08.34.59 CVE: Not Available
Platform: Web Application
Title: XNova Project XNova "todofleetcontrol.php" Remote File Include
Description: XNova is a PHP-based application. The application is
exposed to a remote file include issue because it fails to properly
sanitize user-supplied input to the "xnova_root_path" parameter of the
"todofleetcontrol.php" script. XNova versions 0.8 SP1 and earlier are
affected.
Ref: http://www.securityfocus.com/bid/30715
______________________________________________________________________

08.34.60 CVE: Not Available
Platform: Web Application
Title: VidiScript Remote File Upload
Description: VidiScript is PHP-based video sharing software. The
application is exposed to an issue that allows an attacker to upload
arbitrary script code and execute it in the context of the web server
process. If successful, the attacker may gain unauthorized access or
escalate privileges; other attacks are also possible.
Ref: http://www.securityfocus.com/bid/30721
______________________________________________________________________

08.34.61 CVE: Not Available
Platform: Web Application
Title: PHP Live Helper Multiple Input Validation Vulnerabilities
Description: PHP Live Helper is a customer support application. The
application is exposed to multiple issues because it fails to
sufficiently sanitize user-supplied data. PHP Live Helper versions
prior to 2.1.0 are affected.
Ref: http://www.securityfocus.com/archive/1/495542
______________________________________________________________________

08.34.62 CVE: Not Available
Platform: Web Application
Title: Freeway "language" Parameter Multiple Local File Include
Vulnerabilities
Description: Freeway is an open source e-commerce application. The
application is exposed to multiple local file include issues because
it fails to properly sanitize user-supplied input to the "language"
parameter. Freeway version 1.4.1.171 is affected.
Ref: http://www.securityfocus.com/archive/1/495549
______________________________________________________________________

08.34.63 CVE: Not Available
Platform: Network Device
Title: Nokia 6131 Multiple Vulnerabilities
Description: Nokia 6131 is a mobile telephone device. Nokia 6131 is
exposed to multiple remote issues. A URI spoofing issue arises when an
NFC Data Exchange Format (NDEF) Smart Poster displays a URI together
with descriptive text. A remote denial of service issue affects the
NDEF record parser. A remote denial of service issue affects the
NDEF telephone and SMS URI handler.
Ref: http://www.securityfocus.com/archive/1/495545
______________________________________________________________________

(c) 2008. All rights reserved. The information contained in this
newsletter, including any external links, is provided "AS IS," with no
express or implied warranty, for informational purposes only. In some
cases, copyright for material in this newsletter may be held by a
party other than Qualys (as indicated herein) and permission to use
such material must be requested from the copyright owner.

Subscriptions: RISK is distributed free of charge by the SANS Institute
to people responsible for managing and securing information systems and
networks. You may forward this newsletter to others with such
responsibility inside or outside your organization.

For a free subscription, (and for free posters) or to update a current
subscription, visit http://portal.sans.org/
