@RISK: The Consensus Security Vulnerability Alert
Volume: VI, Issue: 33
August 13, 2007
Cisco products running IOS and EMC's VMware Workstation were the most critical problem areas this week, but Symantec Norton Security products and HP OpenView products were not far behind. In other words nearly every medium to large computer-using organization in the world has major vulnerabilities to fix this week.
Alan
@RISK is the SANS community's consensus bulletin summarizing the most
important vulnerabilities and exploits identified during the past week
and providing guidance on appropriate actions to protect your systems
(PART I). It also includes a comprehensive list of all new
vulnerabilities discovered in the past week (PART II).
Summary of the vulnerabilities reported this week:

Platform                                  Number of Updates and Vulnerabilities
-------------------------------------------------------------------------
Other Microsoft Products                  4 (#5)
Third Party Windows Apps                  3 (#2, #4)
Cross Platform                            14 (#3, #7)
Web Application - Cross Site Scripting    8
Web Application - SQL Injection           9
Network Device                            2 (#1, #6)
******************* Sponsored By Sourcefire, Inc. ***********************
Hackers are keeping up with their training. Are you? Whether you're looking to take a Sourcefire® or SNORT® class or gain full certification, Sourcefire offers a wide selection of courses for your convenience. Learn how to get the most from your Snort or Sourcefire system. Contact Sourcefire Training today at 734.743.6550 or go to http://www.sans.org/info/13671
*************************************************************************
Table Of Contents
Part II -- Comprehensive List of Newly Discovered Vulnerabilities from Qualys (www.qualys.com)
Windows
Other Microsoft Products
Third Party Windows Apps
Linux
HP-UX
Aix
Cross Platform
Web Application - Cross Site Scripting
Web Application - SQL Injection
Web Application
Network Device
*************************************************************************
SECURITY TRAINING UPDATE SANS Network Security 2007 (September 22-30, in Las Vegas) is the largest fall conference on cybersecurity with more than 40 courses and wonderful evening sessions and a big vendor exposition. Most importantly, it brings together the top rated teachers in cybersecurity in the world. How good are they? Here's what past attendees said: "This course has valuable information that can be implemented immediately in the work place." (Christopher O'Brien, Booz Allen Hamilton) "The quality of teachers, speakers, and even attendees is far superior to any other training event I've attended." (Corinne Cook, Jeppesen) "SANS provides by far the most in-depth security training with the true experts in the field as instructors." (Mark Smith, Costco Wholesale) Registration information: http://www.sans.org/ns2007/
*************************************************************************
PART I Critical Vulnerabilities
Part I for this issue has been compiled by Rob King at TippingPoint, a
division of 3Com, as a by-product of that company's continuous effort
to ensure that its intrusion prevention products effectively block
exploits using known vulnerabilities. TippingPoint's analysis is
complemented by input from a council of security managers from twelve
large organizations who confidentially share with SANS the specific
actions they have taken to protect their systems. A detailed description
of the process may be found at
http://www.sans.org/newsletters/cva/#process
Widely Deployed Software
- (1) CRITICAL: Multiple Cisco Products Multiple Vulnerabilities
- Affected:
- Cisco products running Cisco IOS
- Cisco Unified Communications Manager
Description: Multiple Cisco products contain remotely exploitable vulnerabilities. Cisco products running Cisco's Internetwork Operating System (IOS) contain flaws in their handling of Next Hop Resolution Protocol (NHRP) requests and in the authorization of Secure Copy (SCP) requests. A specially crafted NHRP request could exploit the former vulnerability and allow an attacker to execute arbitrary code with complete control of the vulnerable system. The latter vulnerability would allow an attacker with valid credentials to upload or download any file to or from the vulnerable system, including the system configuration. Additionally, systems running IOS with voice services enabled and Cisco Unified Communications Manager (UCM) systems contain flaws in their processing of a variety of voice-related protocols and requests. A malicious Session Initiation Protocol (SIP) request could exploit one of these flaws and allow an anonymous attacker to execute arbitrary code with total control of the vulnerable system. Specially crafted requests in other voice-related protocols could lead to denial-of-service conditions. Some technical details and proofs-of-concept are available for some of these vulnerabilities.
Status: Cisco confirmed, updates available.
- References:
- (2) CRITICAL: VMware ActiveX Control Multiple Remote Command Execution Vulnerabilities
- Affected:
- VMware Workstation version 6.0 and possibly prior
Description: VMware Workstation, a popular hardware virtualization system for Intel-architecture based systems, installs "VIELIB.DLL". This library exports several vulnerable ActiveX controls. These ActiveX controls do not properly validate input to several methods that are used to run commands. A web page that instantiates one of these controls could use these methods to execute arbitrary commands with the privileges of the current user. Multiple proofs-of-concept and full technical details are publicly available for these vulnerabilities.
Status: VMware has not confirmed, no updates available. Users can mitigate the impact of these vulnerabilities by disabling the affected controls via Microsoft's "kill bit" mechanism for CLSIDs 7B9C5422-39AA-4C21-BEEF-645E42EB4529 and 0F748FDE-0597-443C-8596-71854C5EA20A.
- References:
- (3) HIGH: HP OpenView Products Multiple Vulnerabilities
- Affected:
Description: HP OpenView applications are used for enterprise management and monitoring. These products contain multiple vulnerabilities in several shared components. Failure to properly handle remote input and logging information can result in a buffer overflow. Successfully exploiting these vulnerabilities would allow an attacker to execute arbitrary code with the privileges of the vulnerable component, often root/SYSTEM. Some technical details for these vulnerabilities are publicly available.
Status: HP confirmed, updates available.
- References:
- (4) HIGH: Symantec Norton Multiple Products ActiveX Controls Buffer Overflow
- Affected:
- Products using the "NACOMUI.DLL" ActiveX controls. Products known to use this control include:
- Symantec Norton Antivirus 2006
- Symantec Norton Internet Security 2006
- Symantec Norton System Works
Description: The "NACOMUI.DLL" library, installed by several Symantec Norton products, exports two ActiveX controls that contain buffer overflow vulnerabilities. A malicious web page that instantiates one of these controls could exploit these buffer overflows to execute arbitrary code with the privileges of the current user. Some technical details are publicly available for this vulnerability. Note that reusable exploit code, targeting arbitrary ActiveX controls, is widely available and easily adapted to attack these controls.
Status: Symantec confirmed, updates available. Users can mitigate the impact of this vulnerability by disabling the affected controls via Microsoft's "kill bit" mechanism.
- References:
- (5) MODERATE: Microsoft DirectX SDK ActiveX Control Buffer Overflow
- Affected:
- Microsoft DirectX SDK version 6.0 and prior
Description: Microsoft DirectX is a high-speed media framework for Microsoft Windows. The DirectX Software Development Kit (SDK), used to develop software using DirectX, installs an ActiveX control that contains a buffer overflow vulnerability. A malicious web page that instantiates this control could exploit this buffer overflow to execute arbitrary code with the privileges of the current user. Full technical details and a proof-of-concept are publicly available for this vulnerability. Note that this vulnerability affects only the SDK; DirectX runtime installations are otherwise unaffected.
Status: Microsoft has not confirmed, no updates available. Users can mitigate the impact of this vulnerability by disabling the vulnerable control via Microsoft's "kill bit" mechanism for CLSID 201EA564-A6F6-11D1-811D-00C04FB6BD36.
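Items (2), (4) and (5) above all recommend the same mitigation: setting the Internet Explorer "kill bit" for the affected controls. The PowerShell script below is an added example (not part of this bulletin, and not vendor-supplied) that audits and applies the kill bit for the CLSIDs the bulletin quotes for items (2) and (5); it assumes an elevated PowerShell session on Windows and that the kill-bit registry convention from Microsoft KB240797 applies (DWORD "Compatibility Flags" with bit 0x400 set under the "ActiveX Compatibility" key).

```powershell
# Added example: audit and set IE kill bits for the ActiveX controls named in
# @RISK items (2) and (5). Run from an elevated (Administrator) PowerShell.
# Kill-bit convention (KB240797, assumed here):
#   HKLM\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility\{CLSID}
#   DWORD "Compatibility Flags" with bit 0x400 set.
# On 64-bit Windows, 32-bit Internet Explorer reads the Wow6432Node branch,
# so both branches are handled.

$KillBitFlag = 0x400

# CLSIDs quoted in the bulletin. Item (4) (Symantec NACOMUI.DLL) is not
# identified by CLSID in the bulletin; add its CLSIDs from the vendor advisory.
$Targets = [ordered]@{
    '{7B9C5422-39AA-4C21-BEEF-645E42EB4529}' = 'VMware VIELIB.DLL control (item 2)'
    '{0F748FDE-0597-443C-8596-71854C5EA20A}' = 'VMware VIELIB.DLL control (item 2)'
    '{201EA564-A6F6-11D1-811D-00C04FB6BD36}' = 'Microsoft DirectX SDK control (item 5)'
}

$CompatRoots = @(
    'HKLM:\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility',
    'HKLM:\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\ActiveX Compatibility'
)

function Test-ControlRegistered {
    # True if the CLSID is registered on this machine (either registry view).
    # The kill bit is still worth setting when this is false: a later install
    # of the affected product would otherwise re-expose the control.
    param([string]$Clsid)
    $views = @('HKLM:\SOFTWARE\Classes\CLSID', 'HKLM:\SOFTWARE\Classes\Wow6432Node\CLSID')
    foreach ($v in $views) {
        if (Test-Path (Join-Path $v $Clsid)) { return $true }
    }
    return $false
}

function Get-CompatFlags {
    # Current "Compatibility Flags" value for a CLSID under a root, or 0 if unset.
    param([string]$Root, [string]$Clsid)
    $key = Join-Path $Root $Clsid
    if (-not (Test-Path $key)) { return 0 }
    $item = Get-ItemProperty -Path $key -Name 'Compatibility Flags' -ErrorAction SilentlyContinue
    if ($null -eq $item) { return 0 }
    return [int]$item.'Compatibility Flags'
}

function Test-KillBit {
    param([string]$Root, [string]$Clsid)
    $flags = Get-CompatFlags -Root $Root -Clsid $Clsid
    return (($flags -band $KillBitFlag) -eq $KillBitFlag)
}

function Set-KillBit {
    # OR the kill bit into any flags already present rather than overwriting them.
    param([string]$Root, [string]$Clsid)
    $key = Join-Path $Root $Clsid
    if (-not (Test-Path $key)) { New-Item -Path $key -Force | Out-Null }
    $new = (Get-CompatFlags -Root $Root -Clsid $Clsid) -bor $KillBitFlag
    New-ItemProperty -Path $key -Name 'Compatibility Flags' -PropertyType DWord `
        -Value $new -Force | Out-Null
}

foreach ($root in $CompatRoots) {
    # The Wow6432Node branch does not exist on 32-bit Windows; skip it there.
    if (-not (Test-Path (Split-Path $root -Parent))) { continue }
    foreach ($clsid in $Targets.Keys) {
        $label = $Targets[$clsid]
        $registered = if (Test-ControlRegistered -Clsid $clsid) { 'registered' } else { 'not registered' }
        if (Test-KillBit -Root $root -Clsid $clsid) {
            Write-Output ("OK   kill bit already set  {0}  {1} [{2}]  {3}" -f $clsid, $label, $registered, $root)
        } else {
            Set-KillBit -Root $root -Clsid $clsid
            Write-Output ("SET  kill bit applied      {0}  {1} [{2}]  {3}" -f $clsid, $label, $registered, $root)
        }
    }
}
```

Re-running the script after the vendor patch is applied is harmless; the kill bit simply stays in place until you remove the value deliberately.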
- References:
- (6) MODERATE: Astaro Security Gateway Multiple Vulnerabilities
- Affected:
- Astaro Security Gateway versions 7.x
Description: Astaro Security Gateway, a popular security product, contains multiple vulnerabilities. The first vulnerability could allow an attacker to create a denial of service condition; depending on network configuration, this could block all network traffic transiting the device. The second vulnerability could allow an attacker to bypass email scanning services by sending an overlong message. Such messages could contain malware that would avoid detection. Some technical details are publicly available for these vulnerabilities.
Status: Astaro has not confirmed, no updates available.
- References:
- (7) LOW: Asterisk Denial of Service
- Affected:
- Asterisk versions prior to 1.4.20
Description: Asterisk is a popular open source telephony platform. A flaw in the handling of certain requests in the "chan_skinny" component can lead to a denial-of-service condition. Technical details are available for this vulnerability, both in the official advisory and via source code analysis. Note that an attacker would need authentication to exploit this vulnerability. Note also that successfully exploiting this vulnerability could lead to disruption of telephone service, including emergency telephone services.
Status: Asterisk confirmed, updates available.
- References:
Other Software
- (8) MODERATE: HP Controller for Cisco Local Director (ldconn) Buffer Overflow
- Affected:
- HP Controller for Cisco Local Director (ldconn), all versions
Description: Cisco Local Director is a network load balancing solution. Systems running HP's HP-UX operating system interface with this service via the HP Controller for Cisco Local Director service, known as "ldconn". If installed, this service listens by default on TCP port 17781. Sending an overly long string to this service will trigger a buffer overflow, and successfully exploiting this overflow would allow an attacker to execute arbitrary code with the privileges of the service (usually root). Because this service is run by the "Internet Super Server" (inetd), it will automatically restart upon termination, allowing essentially unlimited attempts at exploitation. Some technical details for this vulnerability are publicly available.
Status: Vendor confirmed, no updates available. HP has stated that this tool is obsolete and its use should be discontinued. Additionally the version of HP-UX upon which this vulnerability was confirmed is no longer officially supported. It is believed, however, that more recent versions of the operating system are also vulnerable.
- References:
Part II: Weekly Comprehensive List of Newly Discovered Vulnerabilities
Week 33, 2007
This list is compiled by Qualys ( www.qualys.com ) as part of that
company's ongoing effort to ensure its vulnerability management web
service tests for all known vulnerabilities that can be scanned. As of
this week Qualys scans for 5549 unique vulnerabilities. For this
special SANS community listing, Qualys also includes vulnerabilities
that cannot be scanned remotely.
- 07.33.1 - CVE: Not Available
- Platform: Windows
- Title: Microsoft Windows Explorer JPG File Denial of Service
- Description: Microsoft Windows Explorer is exposed to a denial of
service issue. The problem occurs when the application is used to open
a folder containing a malicious JPG file. Windows Explorer on
Microsoft Windows XP is affected.
- Ref: http://www.securityfocus.com/archive/1/475655
- 07.33.2 - CVE: Not Available
- Platform: Other Microsoft Products
- Title: Microsoft August 2007 Advance Notification Multiple
Vulnerabilities
- Description: Microsoft has released advance notification that the
vendor will be releasing nine security bulletins on August 14, 2007.
The highest severity rating for these issues is "Critical".
- Ref: http://www.microsoft.com/technet/security/bulletin/ms07-aug.mspx
- 07.33.3 - CVE: Not Available
- Platform: Other Microsoft Products
- Title: Microsoft Windows Media Player AU Divide-By-Zero Denial of
Service
- Description: Microsoft Windows Media Player is a multimedia
application available for the Microsoft Windows operating system. The
application is exposed to a denial of service issue when processing a
malformed AU file, and a divide-by-zero exception can occur causing the
affected application to crash. Microsoft Windows Media Player version
11 is affected.
- Ref: http://www.securityfocus.com/bid/25236
- 07.33.4 - CVE: Not Available
- Platform: Other Microsoft Products
- Title: Microsoft Internet Explorer Position:Relative Denial of Service
- Description: Microsoft Internet Explorer is exposed to a denial of
service issue because the application fails to handle certain HTML
code. The issue occurs when the application processes a malicious page
containing a "position:relative" CSS property inside "style" HTML tags
applied to a table element with a single input field. Internet
Explorer 6 is affected.
- Ref: http://www.securityfocus.com/bid/25222
- 07.33.5 - CVE: Not Available
- Platform: Other Microsoft Products
- Title: Microsoft Windows Calendar ICS File Denial of Service
- Description: Microsoft Windows Calendar is a calendar application
available for the Microsoft Windows Vista operating system. The
application is exposed to a denial of service issue when handling
malformed ICS files.
- Ref: http://www.securityfocus.com/archive/1/475534
- 07.33.7 - CVE: Not Available
- Platform: Third Party Windows Apps
- Title: Chilkat ASP String ActiveX Control CKString.DLL Arbitrary File
Overwrite
- Description: Chilkat ASP String is an ActiveX control that allows
users to manipulate and evaluate string data. The ActiveX control is
exposed to an issue that lets attackers overwrite arbitrary files on
the victim's computer in the context of the vulnerable application
using the ActiveX control (typically Internet Explorer). This issue
occurs because the application fails to sanitize user-supplied input
to the "SaveToFile" method of the "CkString.dll" library. Chilkat ASP
String version 1.1 is affected.
- Ref: http://support.microsoft.com/kb/240797
- 07.33.8 - CVE: Not Available
- Platform: Third Party Windows Apps
- Title: Xunlei Web Thunder ThunderServer.webThunder.1 ActiveX
AddCategory File Download
- Description: Xunlei Web Thunder's ThunderServer.WebThunder.1 ActiveX
control is exposed to an arbitrary file download issue. The affected
control provides the "addcategory" method that may be manipulated to
exploit this issue.
- Ref: http://support.microsoft.com/kb/240797
- 07.33.9 - CVE: CVE-2007-3851
- Platform: Linux
- Title: Linux Kernel i965 Chipsets Insecure Batchbuffer Local Privilege
Escalation
- Description: The Linux kernel is exposed to a local privilege
escalation issue due to a design error. Linux kernel versions prior to
2.6.22.2 are affected.
- Ref: http://kernel.org/pub/linux/kernel/v2.6/ChangeLog-2.6.22.2
- 07.33.10 - CVE: CVE-2007-3843
- Platform: Linux
- Title: Linux Kernel CIFS Local Security Bypass Weakness
- Description: The Linux kernel is exposed to a security bypass issue
that arises because the kernel improperly defines certain signing
options when the Common Internet File System (CIFS) is mounted. Linux
kernel versions prior to 2.6.23-rc1 are affected.
- Ref: https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=246595
- 07.33.11 - CVE: Not Available
- Platform: Linux
- Title: Linux Kernel AACRAID Driver Local Security Bypass
- Description: The Linux kernel is exposed to a security bypass issue
due to a failure of the driver to properly require administrative
access to IOCTL commands. This allows non-superuser users to issue
administrative SCSI commands to affected devices. Linux kernel
versions prior to 2.6.23-rc2 are affected.
- Ref: http://kernel.org/pub/linux/kernel/v2.6/testing/ChangeLog-2.6.23-rc2
- 07.33.12 - CVE: CVE-2007-3381
- Platform: Linux
- Title: GNOME Display Manager G_Strsplit Function Local Denial of
Service
- Description: GNOME Display Manager (GDM) is a utility harnessed by
GNOME to manage various functions when interfacing with X. The
"gdmchooser" program provides XDMCP (X Display Manager Control
Protocol) functionality to GDM. This protocol allows a user to
interact with remote systems via the local X11 display. The
application is exposed to a local denial of service because the
application fails to handle NULL values returned by the "g_strsplit()"
functions. GNOME Display Manager versions prior to 2.14.13, 2.16.7,
2.18.4 and 2.19.5 are affected.
- Ref: http://ftp.acc.umu.se/pub/GNOME/sources/gdm/2.19/gdm-2.19.5.news
- 07.33.13 - CVE: Not Available
- Platform: Linux
- Title: Linux Kernel TIF_SINGLESTEP Check Local Denial of Service
- Description: The Linux kernel is exposed to a denial of service issue
that presents itself when handling singlestep int80 system-calls. This
issue has been addressed by making the "TIF_SINGLESTEP" check done on
the return from the syscall, versus before it. Linux kernel
versions prior to 2.6.21.7 are affected.
- Ref: http://www.securityfocus.com/bid/25200
- 07.33.14 - CVE: Not Available
- Platform: HP-UX
- Title: Hewlett Packard HP-UX LDCCONN Remote Buffer Overflow
- Description: HP-UX is a Unix-based operating platform that includes
the HP Controller for Cisco Local Director package. This package
allows the operating system to interface with Cisco Local Director.
HP-UX is exposed to a remote buffer overflow issue because it fails to
perform adequate boundary checks on user-supplied input. HP-UX version
11.11i is affected.
- Ref: http://www.securityfocus.com/archive/1/475766
- 07.33.15 - CVE: Not Available
- Platform: Aix
- Title: IBM RMPVC Command Local Buffer Overflow
- Description: IBM AIX is exposed to a local buffer overflow issue as it
can be triggered by sending 16 or more characters through the "port
logical name" argument of the "rmpvc" command. IBM AIX version 4.3 is
affected.
- Ref: http://www-1.ibm.com/support/docview.wss?uid=isg1IY93393
- 07.33.16 - CVE: Not Available
- Platform: Cross Platform
- Title: Adobe Actionscript SecurityErrorEvent Security Bypass
- Description: Adobe Actionscript is an object-oriented language that
allows users to develop Adobe Flash files. This issue occurs because
the application allows Flash movies compiled by Actionscript to
connect to arbitrary TCP ports on hosts running a vulnerable version
of Flash. Adobe Flash Player 9.0.47.0 and Adobe ActionScript 3 are
affected.
- Ref: http://www.securityfocus.com/archive/1/475961
- 07.33.17 - CVE: Not Available
- Platform: Cross Platform
- Title: ZyXEL ZyWALL 2 Multiple Remote Vulnerabilities
- Description: ZyXEL ZyWALL 2 is a firewall device that provides VPN and
firewall services. The application is exposed to multiple remote
issues that affect the management interface. ZyWALL 2 running with
firmware version V3.62(WK.6) is affected.
- Ref: http://www.louhi.fi/advisory/zyxel_070810.txt
- 07.33.18 - CVE: Not Available
- Platform: Cross Platform
- Title: Systrace Multiple System Call Wrappers Concurrency
Vulnerabilities
- Description: Systrace is an access control system for multiple
operating platforms. Sysjail is a containment facility that utilizes
the Systrace framework. Sudo is a privilege management tool; an
unreleased, CVS-only, prerelease version of Sudo includes a monitor
mode based on Systrace. The application is exposed to multiple
concurrency issues due to its implementation of system call wrappers.
Sudo monitor mode and Sysjail utilize this functionality.
- Ref: http://www.watson.org/~robert/2007woot/
- 07.33.19 - CVE: Not Available
- Platform: Cross Platform
- Title: CerbNG Multiple System Call Wrappers Concurrency
Vulnerabilities
- Description: CerbNG is a framework for managing and logging rule-based
control of system calls. It is available for FreeBSD. The application
is exposed to multiple concurrency issues due to its implementation of
system call wrappers. This results in race conditions that can be
described by two categories. CerbNG versions 0.1, 0.2, 0.3 and
0.4 are affected.
- Ref: http://www.watson.org/~robert/2007woot/
- 07.33.20 - CVE: CVE-2007-3872
- Platform: Cross Platform
- Title: Hewlett Packard OpenView OVTrace Multiple Remote Buffer
Overflow Vulnerabilities
- Description: HP OpenView is a network management application available
for multiple operating platforms. OVTrace Shared Trace Service is used
to log the actions of OpenView components in order to debug potential
problems. The application is exposed to multiple remote buffer
overflow issues because it fails to perform adequate boundary checks
on user-supplied input.
- Ref: http://www.securityfocus.com/archive/1/475966
- 07.33.21 - CVE: Not Available
- Platform: Cross Platform
- Title: Cisco IOS and Unified Communications Manager Multiple Voice
Vulnerabilities
- Description: Cisco IOS and Unified Communications Manager are exposed
to multiple denial of service and code execution issues. The issue
documented by Cisco Bug ID CSCsi80102 is the only issue affecting
Cisco Unified Communications Manager (CUCM).
- Ref: http://www.cisco.com/en/US/products/products_security_advisory09186a0080899653.shtml
- 07.33.22 - CVE: Not Available
- Platform: Cross Platform
- Title: Cisco IOS Secure Copy Security Bypass
- Description: Cisco IOS (Internetwork Operating System) is an operating
system commonly used on Cisco routers and network switches. The
application is exposed to a remote security bypass issue because the
software fails to properly validate user privileges during a secure
copy. See Cisco Bug ID CSCsc19259.
- Ref: http://www.cisco.com/en/US/products/products_security_advisory09186a0080899636.shtml
- 07.33.23 - CVE: Not Available
- Platform: Cross Platform
- Title: ASSP ASSP.PL Unspecified
- Description: ASSP is an Anti-Spam SMTP Proxy Server available for
multiple operating platforms. The application is exposed to an
unspecified issue that affects the "assp.pl" script.
- Ref: http://sourceforge.net/forum/forum.php?forum_id=722845
- 07.33.24 - CVE: Not Available
- Platform: Cross Platform
- Title: CISCO IOS NHRP Remote Buffer Overflow
- Description: Cisco IOS (Internetwork Operating System) is the operating
system used on Cisco devices. Next Hop Resolution Protocol (NHRP) is a
Dynamic Multipoint Virtual Private Network (DMVPN) component used for
resolving Layer 2 to Layer 3 traffic on Nonbroadcast Multiaccess
(NBMA) networks. The application is exposed to a remote buffer
overflow issue because it fails to perform adequate boundary checks on
user-supplied data. Cisco IOS versions 12.0 through 12.4 are affected.
- Ref: http://www.cisco.com/en/US/products/products_security_advisory09186a008089963b.shtml
- 07.33.25 - CVE: Not Available
- Platform: Cross Platform
- Title: Help Center Live Administration Multiple Security Bypass
Vulnerabilities
- Description: Help Center Live is a support application to enable
instant messaging on a vendor's web site. The application is exposed to
multiple security bypass issues because the application fails to
properly restrict administrative pages from unprivileged users. Help
Center Live version 2.1.3a is affected.
- Ref: http://www.securityfocus.com/bid/25225
- 07.33.26 - CVE: Not Available
- Platform: Cross Platform
- Title: Asterisk Skinny Channel Driver Remote Denial of Service
- Description: Asterisk is a private branch exchange (PBX) application
available for Linux, BSD, and Mac OS X platforms. The application is
exposed to a remote denial of service issue because the application
fails to properly handle certain specially crafted packets. Asterisk
Open Source versions prior to 1.4.10, AsteriskNOW pre-release versions
prior to beta7, Asterisk Appliance Developer Kit versions prior to
0.7.0 and s800i (Asterisk Appliance) versions prior to 1.0.3 are
affected.
- Ref: http://downloads.digium.com/pub/asa/ASA-2007-019.pdf
- 07.33.27 - CVE: Not Available
- Platform: Cross Platform
- Title: KDE Konqueror SetInterval Function Address Bar URI Spoofing
- Description: KDE Konqueror is a browser and file manager for the KDE
desktop environment. The application is exposed to a URI spoofing issue
because the application fails to sufficiently sanitize user-supplied
data. Konqueror version 3.5.7 is affected.
- Ref: http://www.securityfocus.com/archive/1/475689
- 07.33.28 - CVE: Not Available
- Platform: Cross Platform
- Title: PHP MSQL_Connect Buffer Overflow
- Description: PHP is a general-purpose scripting language that is
especially suited for web development and can be embedded into HTML.
The application is exposed to a buffer overflow issue because it fails
to properly bounds check user-supplied input. PHP version 5.2.3 is
affected.
- Ref: http://www.securityfocus.com/archive/1/475660
- 07.33.29 - CVE: Not Available
- Platform: Cross Platform
- Title: Mozilla Firefox Encoded Status Bar Spoofing Weakness
- Description: Mozilla Firefox is exposed to a weakness that may allow
the attacker to obfuscate a malicious link. This issue occurs because
the application allows an attacker to display spoofed content in the
status bar. Mozilla Firefox version 2.0.0.6 is affected.
- Ref: http://www.securityfocus.com/archive/1/475467
- 07.33.30 - CVE: Not Available
- Platform: Web Application - Cross Site Scripting
- Title: WebCart Multiple Unspecified Cross-Site Scripting
Vulnerabilities
- Description: WebCart is a web-based shopping cart. The software is
exposed to multiple unspecified cross-site scripting issues because it
fails to sanitize user input to multiple unspecified scripts. WebCart
versions 2.30 and earlier are affected.
- Ref: http://www.securityfocus.com/bid/25261
- 07.33.31 - CVE: Not Available
- Platform: Web Application - Cross Site Scripting
- Title: KnowledgeTree Open Source Multiple Unspecified Cross-Site
Scripting Vulnerabilities
- Description: KnowledgeTree Open Source is a document manager. The
software is exposed to multiple unspecified cross-site scripting
issues because it fails to sanitize user-input to multiple unspecified
scripts. KnowledgeTree Open Source versions prior to 3.4.2 are
affected.
- Ref: http://support.ktdms.com/browse/KTS-2178
- 07.33.32 - CVE: Not Available
- Platform: Web Application - Cross Site Scripting
- Title: Cisco Unified MeetingPlace Web Conference Multiple Cross-Site
Scripting Vulnerabilities
- Description: Cisco Unified MeetingPlace Web Conference is a web
conferencing application that allows users to schedule online
meetings, attend online meetings and access meeting materials. The
application is exposed to multiple cross-site scripting issues that
occur because the application fails to sufficiently sanitize
user-supplied input to the Success Template (STPL) and Failure
Template (FTPL) parameters when specifying the return template of a
user request. See Cisco bug ID CSCsi33940.
- Ref: http://www.cisco.com/warp/public/707/cisco-sr-20070808-mp.shtml
- 07.33.33 - CVE: Not Available
- Platform: Web Application - Cross Site Scripting
- Title: C-SAM OneWallet Forget Password Cross-Site Scripting
- Description: OneWallet is an electronic wallet for storing credit card
numbers and other personal information. OneWallet is available for
PDAs, mobile phones, and personal computers. The application is
exposed to a cross-site scripting issue because it fails to properly
sanitize user-supplied input to the web admin interface. OneWallet
version 210_07062007;1.0 is affected.
- Ref: http://www.securityfocus.com/archive/1/475732
- 07.33.34 - CVE: Not Available
- Platform: Web Application - Cross Site Scripting
- Title: Xu Yiyang WordPress Multiple Themes S Parameter Cross-Site
Scripting
- Description: These themes are addons for the WordPress publishing
platform. Multiple themes for WordPress are exposed to a cross-site
scripting issue because they fail to properly sanitize user-supplied
input to the "s" parameter of the "index.php" installation script.
Unnamed theme 1.0.0.2, 1.02 Special Edition and Blue Memories theme
1.5.0 are affected.
- Ref: http://www.securityfocus.com/bid/25215
- 07.33.35 - CVE: Not Available
- Platform: Web Application - Cross Site Scripting
- Title: Visionera AB VisionProject Multiple Cross-Site Scripting
Vulnerabilities
- Description: VisionProject is a web-based application, which is used
to track issues and provide customer support. The application is
exposed to multiple cross-site scripting issues because it fails to
properly sanitize user-supplied input. VisionProject version 3.1 and
earlier are affected.
- Ref: http://pridels-team.blogspot.com/2007/08/visionproject-multiple-xss-vuln.html
- 07.33.36 - CVE: Not Available
- Platform: Web Application - Cross Site Scripting
- Title: snif Index.PHP Multiple Cross-Site Scripting Vulnerabilities
- Description: The "snif" (simple and nice index file) is a script for
managing web site download directories. The script is exposed to
multiple cross-site scripting issues because it fails to sanitize
user-supplied input. These issues affect the "path" and "download"
parameters of the "index.php" script. snif version 1.5.2 is affected.
- Ref: http://www.securityfocus.com/bid/25212
- 07.33.37 - CVE: Not Available
- Platform: Web Application - Cross Site Scripting
- Title: CONTENTdm Search.PHP Cross-Site Scripting
- Description: CONTENTdm is a web-based collection management
application. The application is exposed to a cross-site scripting
issue because the application fails to properly sanitize user-supplied
input to "search.php".
- Ref: http://www.securityfocus.com/archive/1/475543
- 07.33.38 - CVE: Not Available
- Platform: Web Application - SQL Injection
- Title: SAS Hotel Management System Admin.ASP Multiple SQL Injection
Vulnerabilities
- Description: SAS Hotel Management System is an ASP-based application
for handling hotel reservations. The application is exposed to
multiple SQL injection issues because it fails to sufficiently
sanitize user-supplied data to the "username and password" fields of
the "admin.asp" script before using it in an SQL query.
- Ref: http://www.securityfocus.com/archive/1/475929
- 07.33.39 - CVE: Not Available
- Platform: Web Application - SQL Injection
- Title: Prozilla Cat Parameter SQL Injection
- Description: Prozilla is a PHP-based application for creating
websites. The application is exposed to an SQL injection issue because
it fails to properly sanitize user-supplied input to the "cat"
parameter of the "directory.php" script before using it in an SQL
query.
- Ref: http://www.securityfocus.com/bid/25209
- 07.33.40 - CVE: Not Available
- Platform: Web Application - SQL Injection
- Title: Cartweaver Details.CFM SQL Injection
- Description: Cartweaver is a web-based e-commerce application. The
application is implemented in ASP, PHP and Cold Fusion. The
application is exposed to an SQL injection issue because it fails to
properly sanitize user-supplied input to the "ProdID" parameter of the
"Details.cfm" script before using it in an SQL query.
- Ref: http://www.securityfocus.com/bid/25210
- 07.33.41 - CVE: Not Available
- Platform: Web Application - SQL Injection
- Title: Envolution News Module Topic Parameter SQL Injection
- Description: Envolution is a framework to build ERP/CRM/CMS solutions.
The application is exposed to an SQL injection issue because it fails
to sufficiently sanitize user-supplied data to the "topic" parameter
of the "News" module before using it in an SQL query. Envolution
version 1.1.0 is affected.
- Ref: http://www.securityfocus.com/bid/25203
- 07.33.42 - CVE: Not Available
- Platform: Web Application - SQL Injection
- Title: LANAI CMS Multiple SQL Injection Vulnerabilities
- Description: LANAI CMS is a PHP-based content management system. The
application is exposed to multiple SQL injection issues because it
fails to sufficiently sanitize user-supplied data. LANAI CMS version
1.2.14 is affected.
- Ref: http://www.securityfocus.com/archive/1/475447
- 07.33.43 - CVE: Not Available
- Platform: Web Application - SQL Injection
- Title: Gallery In A Box Index.ASP SQL Injection
- Description: Gallery In A Box is a web-based photo, video and audio
clip gallery application implemented in ASP. The application is
exposed to an SQL injection issue because it fails to sufficiently
sanitize user-supplied data to the "username" and "Password"
parameters of the "admin_console/index.asp" script before using it in
an SQL query.
- Ref: http://www.securityfocus.com/bid/25194
- 07.33.44 - CVE: Not Available
- Platform: Web Application - SQL Injection
- Title: Next Gen Portfolio Manager Default.ASP Multiple SQL Injection
Vulnerabilities
- Description: Next Gen Portfolio Manager is a web-based application
implemented in ASP. The application is exposed to multiple SQL
injection issues because it fails to sufficiently sanitize
user-supplied data to the "Users_Email" and "Users_Password"
parameters of the "default.asp" script before using it in an SQL
query.
- Ref: http://www.securityfocus.com/bid/25195
- 07.33.45 - CVE: Not Available
- Platform: Web Application - SQL Injection
- Title: Aceboard Recherche.PHP SQL Injection
- Description: Aceboard is a web-based forum application. The
application is exposed to an SQL injection issue because it fails to
sufficiently sanitize user-supplied data to an unspecified field of
the "recherche.php" script before using it in an SQL query.
- Ref: http://www.securityfocus.com/bid/25197
- 07.33.46 - CVE: Not Available
- Platform: Web Application - SQL Injection
- Title: auraCMS Forum Module Pilih.ASP SQL Injection
- Description: auraCMS is an ASP-based content management system. The
application is exposed to an SQL injection issue because it fails to
sufficiently sanitize user-supplied data to the "id" parameter of the
"pilih.asp" script. auraCMS version 2.0 is affected.
- Ref: http://www.securityfocus.com/bid/25202
- 07.33.47 - CVE: Not Available
- Platform: Web Application
- Title: Mapos-Scripts.de WebNews Multiple Remote File Include
Vulnerabilities
- Description: WebNews is a PHP-based news application. The application
is exposed to multiple remote file include issues because it fails to
sufficiently sanitize user-supplied input to the "config[root_ordner]"
parameter of the "index.php", "news.php" and "feed.php" scripts. WebNews
version 1.1 is affected.
- Ref: http://www.securityfocus.com/archive/1/475956
- 07.33.48 - CVE: Not Available
- Platform: Web Application
- Title: GSWTK Multiple System Call Wrappers Concurrency Vulnerabilities
- Description: GSWTK (Generic Software Wrappers Toolkit) facilitates the
wrapping of closed-source application system calls to enable access
control limitations and intrusion detection. The application is
exposed to multiple concurrency issues because of its implementation
of system call wrappers. GSWTK version 1.6.3 is affected.
- Ref: http://www.watson.org/~robert/2007woot/
- 07.33.49 - CVE: Not Available
- Platform: Web Application
- Title: Mapos-Scripts.de File Uploader Multiple Remote File Include
Vulnerabilities
- Description: File Uploader is a PHP-based application that allows
users to upload files onto a web server. The application is exposed to
multiple remote file include issues because it fails to sufficiently
sanitize user-supplied input to the "config[root_ordner]" parameter of
the "index.php" and "datei.php" scripts. File Uploader version 1.1 is
affected.
- Ref: http://www.securityfocus.com/archive/1/475957
- 07.33.50 - CVE: Not Available
- Platform: Web Application
- Title: Coppermine Photo Gallery YABBSE.INC.PHP Remote File Include
- Description: Coppermine Photo Gallery is a photo-gallery application.
The application is exposed to a remote file include issue because it
fails to sufficiently sanitize user-supplied input to the "sourcedir"
parameter of the "yabbse.inc.php" script. Coppermine version 1.3.1 is
affected.
- Ref: http://www.securityfocus.com/bid/25243
- 07.33.51 - CVE: Not Available
- Platform: Web Application
- Title: NcasterCMS Archive.PHP Remote File Include
- Description: NcasterCMS is a PHP-based content manager. The
application is exposed to a remote file include issue because it fails
to sufficiently sanitize user-supplied input to the "adminfolder"
parameter of the "archive.php" script. NcasterCMS version 1.7.2 is
affected.
- Ref: http://www.securityfocus.com/bid/25248
- 07.33.52 - CVE: Not Available
- Platform: Web Application
- Title: Dersimiz Haber Ekleme Modulu Yorumkaydet.ASP Multiple HTML
Injection Vulnerabilities
- Description: Dersimiz Haber Ekleme Modulu is a web-based application
implemented in ASP. The application is exposed to multiple HTML
injection issues because it fails to properly sanitize user-supplied
input before using it in dynamically generated content.
- Ref: http://www.securityfocus.com/bid/25250
- 07.33.53 - CVE: Not Available
- Platform: Web Application
- Title: Mapos-Scripts.de Gastebuch Index.PHP Remote File Include
- Description: Gastebuch is a PHP-based guestbook application. The
application is exposed to a remote file include issue because it fails
to properly sanitize user-supplied input to the "config[root_ordner]"
parameter of the "index.php" script. Gastebuch version 1.5 is affected.
- Ref: http://www.securityfocus.com/archive/1/475950
- 07.33.54 - CVE: Not Available
- Platform: Web Application
- Title: Mapos-Scripts.de Shoutbox Shoutbox.PHP Remote File Include
- Description: Mapos-Scripts.de Shoutbox is a PHP-based message
application. The application is exposed to a remote file include issue
because it fails to sufficiently sanitize user-supplied input to the
"root" parameter of the "shoutbox.php" script. Shoutbox version 1.0 is
affected.
- Ref: http://www.securityfocus.com/archive/1/475960
- 07.33.55 - CVE: Not Available
- Platform: Web Application
- Title: Mapos-Scripts.de Bilder Galerie Index.PHP Remote File Include
- Description: Mapos-Scripts.de Bilder Galerie is a PHP-based web
application. The application is exposed to a remote file include issue
because it fails to sufficiently sanitize user-supplied input to the
"config[root_ordner]" parameter of the "index.php" script. Bilder
Galerie version 1.0 is affected.
- Ref: http://www.securityfocus.com/archive/1/475952
- 07.33.56 - CVE: Not Available
- Platform: Web Application
- Title: FrontAccounting Config.PHP Remote File Include
- Description: FrontAccounting is a web-based accounts management
application. The application is exposed to a remote file include issue
because it fails to sufficiently sanitize user-supplied input to the
"path_to_root" parameter of the "config.php" script. FrontAccounting
version 1.12 is affected.
- Ref: http://www.securityfocus.com/bid/25229
- 07.33.57 - CVE: Not Available
- Platform: Web Application
- Title: S9Y Serendipity Entries Plugin Security Bypass
- Description: Serendipity is a web-log application. S9Y Serendipity is
exposed to a security bypass issue because the application fails to
properly prevent users from accessing restricted settings. The
application allows users who hold valid passwords for entries to modify
certain restricted properties of those entries. Versions prior to S9Y
Serendipity 1.1.4 and 1.2-Beta5 are affected.
- Ref: http://www.securityfocus.com/bid/25235
- 07.33.58 - CVE: Not Available
- Platform: Web Application
- Title: VietPHP Multiple Remote File Include Vulnerabilities
- Description: VietPHP is a content management system (CMS). The
application is exposed to multiple remote file include issues that
occur because the application fails to sufficiently sanitize
user-supplied input to the "language" parameters of the "index.php"
and "admin/index.php" scripts, and the "dirpath" parameter of the
"_functions.php" script.
- Ref: http://www.securityfocus.com/archive/1/475758
- 07.33.59 - CVE: Not Available
- Platform: Web Application
- Title: CreAr.de PHPNews Change_Action.PHP Remote File Include
- Description: CreAr.de PHPNews is a web-based news management
application. The application is exposed to a remote file include issue
because it fails to sufficiently sanitize user-supplied input to the
"format_menue" parameter of the "admin/inc/change_action.php" script.
PHPNews version 0.93 is affected.
- Ref: http://www.securityfocus.com/bid/25223
- 07.33.60 - CVE: Not Available
- Platform: Web Application
- Title: Camera Life Unspecified Denial of Service
- Description: Camera Life is a web-based photo gallery application
implemented in PHP and SQL. The application is exposed to an
unspecified denial of service issue. Camera Life version 2.6 is
affected.
- Ref: http://www.securityfocus.com/bid/25220
- 07.33.61 - CVE: Not Available
- Platform: Web Application
- Title: PhpHostBot Login.PHP Remote File Include
- Description: PhpHostBot is a PHP-based application for creating and
managing client accounts for web hosting. The application is exposed
to a remote file include issue because it fails to sufficiently
sanitize user-supplied input to the "svr_rootscript" parameter of the
"order/login.php" script. PhpHostBot version 1.06 is affected.
- Ref: http://www.securityfocus.com/bid/25221
- 07.33.62 - CVE: Not Available
- Platform: Web Application
- Title: Live for Speed Single Player Replay File Buffer Overflow
- Description: Live for Speed is an online racing simulator. The
application is exposed to a buffer overflow issue because it fails to
properly bounds check user-supplied data before copying it into an
insufficiently sized buffer. Live for Speed demo versions
S1 and S2 are affected.
- Ref: http://www.securityfocus.com/bid/25208
- 07.33.63 - CVE: Not Available
- Platform: Web Application
- Title: Live for Speed PLY File Buffer Overflow
- Description: Live for Speed is an online racing simulator. The
application is exposed to a buffer overflow issue because it fails to
properly bounds check user-supplied data before copying it into an
insufficiently sized buffer. The issue occurs when parsing specially
crafted "ply" files with a malformed "plate number" field containing
more than 1000 bytes of data. Live for Speed versions S1, S2 and Demo
are affected.
- Ref: http://www.securityfocus.com/bid/25206
- 07.33.64 - CVE: Not Available
- Platform: Web Application
- Title: J! Reactions comPath Remote File Include
- Description: J! Reactions is a commenting system component for
Joomla!. The application is exposed to a remote file include issue
because it fails to sufficiently sanitize user-supplied input to the
"comPath" parameter of the "langset.php" script. J! Reactions version
1.8.1 is affected.
- Ref: http://www.securityfocus.com/archive/1/475544
- 07.33.65 - CVE: Not Available
- Platform: Network Device
- Title: BlueCat Networks Adonis TFTP Remote Privilege Escalation
- Description: BlueCat Networks Adonis is a DHCP (Dynamic Host
Configuration Protocol) and DNS (Domain Name System) appliance.
BlueCat Networks Proteus is an IP address management appliance. The
Adonis appliance is exposed to a remote privilege escalation issue
that occurs when Proteus appliances are used to upload files to an
affected Adonis appliance for TFTP download. Adonis version 5.0.2.8 is
affected.
- Ref: http://www.securityfocus.com/archive/1/475667
(c) 2007. All rights reserved. The information contained in this newsletter, including any external links, is provided "AS IS," with no express or implied warranty, for informational purposes only. In some cases, copyright for material in this newsletter may be held by a party other than Qualys (as indicated herein) and permission to use such material must be requested from the copyright owner.
Subscriptions: @RISK is distributed free of charge by the SANS Institute to people responsible for managing and securing information systems and networks. You may forward this newsletter to others with such responsibility inside or outside your organization.
Absolutely wonderful, both in presentation and content
-Don Seymour, TerpSys