RISK: The Consensus Security Vulnerability Alert Vol. 7 No. 22
From: The SANS Institute (ConsensusSecurityVulnerabilityAlert@sans.org)
Date: Thu May 29 2008 - 20:20:49 CDT
Some of this week's critical vulnerabilities are particularly troubling.
Adobe Flash is being actively exploited and no patch is available.
Multiple flaws in Apple OS X (versions prior to 10.5.3) can enable
unauthorized remote control of Macs. IBM Sametime - being used in many
sensitive military organizations - has a buffer overflow that will allow
remote code execution. EMC, the leader in storage systems and owner of
RSA and VMware, has been selling backup software with multiple critical
vulnerabilities.
All are troubling, but Adobe's problems are likely to be affecting the
most people. There is also a rumor that some Adobe product, when
upgraded to a newer safer version, leaves the older vulnerable
executables (unpatched) on the computer and doesn't tell the user. Has
any RISK reader checked this? Can you share your results with us? If
true, it's very important. Email apaller@sans.org.
Alan
*************************************************************************
RISK: The Consensus Security Vulnerability Alert
May 29, 2008 Vol. 7. Week 22
*************************************************************************
RISK is the SANS community's consensus bulletin summarizing the most
important vulnerabilities and exploits identified during the past week
and providing guidance on appropriate actions to protect your systems
(PART I). It also includes a comprehensive list of all new
vulnerabilities discovered in the past week (PART II).
Summary of Updates and Vulnerabilities in this Consensus

Platform                                  Number of Updates and Vulnerabilities
----------------------------------------  -------------------------------------
Third Party Windows Apps                   3 (#3, #6, #7)
Apple                                      1 (#2)
Linux                                      2
Cross Platform                             5 (#1, #4, #5, #8)
Web Application - Cross Site Scripting     6
Web Application - SQL Injection           11
Web Application                           14
Network Device                             1
*************************************************************************
TRAINING UPDATE
Where can you find the newest Penetration Testing techniques,
Application Pen Testing, Hacker Exploits, Secure Web Application
Development, Security Essentials, Forensics, Wireless, Auditing, both
new Pen Testing courses, CISSP, and SANS' other top-rated courses plus
evening sessions with Internet Storm Center handlers?
- SANSFIRE 2008 in Washington DC (7/22-7/31) SANS' biggest summer program
  with many bonus sessions and a big exhibition of security products:
  http://www.sans.org/info/26774
- London (6/2-6/7) and Amsterdam (6/16-6/21) and Brussels (6/16-6/21)
  http://www.sans.org/secureeurope08
- Denver (6/7-6/13) http://www.sans.org/rockymnt2008/
- Singapore (6/30-7/5) http://www.sans.org/singapore08/
- Boston (8/9-8/16) http://www.sans.org/boston08/
- and in 100 other cities and online any time: www.sans.org
*************************************************************************
Table Of Contents
Part I -- Critical Vulnerabilities from TippingPoint (www.tippingpoint.com)
Widely Deployed Software
(1) CRITICAL: Adobe Flash Player Remote Code Execution Vulnerability
(2) CRITICAL: Apple Mac OS X Multiple Vulnerabilities (Security Update 2008-003)
(3) CRITICAL: Cerulean Studios Trillian Multiple Vulnerabilities
(4) CRITICAL: IBM Lotus Sametime Community Services Multiplexer Buffer Overflow
(5) CRITICAL: EMC AlphaStor Multiple Vulnerabilities
(6) HIGH: Creative Software AutoUpdate Engine ActiveX Control Buffer Overflow
(7) HIGH: Alt-N MDaemon IMAP Server FETCH Command Handling Buffer Overflow
(8) HIGH: Samba SMB Response Handling Memory Corruption Vulnerability
Part II -- Comprehensive List of Newly Discovered Vulnerabilities from
Qualys (www.qualys.com)
-- Third Party Windows Apps
08.22.1 - eMule Plus Unspecified Security
08.22.2 - Core FTP "LIST" Command Directory Traversal
08.22.3 - Lenovo System Update SSL Certificate Validation Security Bypass
-- Linux
08.22.4 - Linux Kernel Unspecified Security Issue
08.22.5 - Linux Kernel SPARC "mmap()" Denial of Service
-- Cross Platform
08.22.6 - libpam-pgsql "pam_pgsql.c" Authentication Bypass
08.22.7 - SaraB DAR Encryption Ciphers Local Information Disclosure
08.22.8 - Adobe Flash Player SWF File Unspecified Remote Code Execution
08.22.9 - Samba "lib/util_sock.c" Buffer Overflow
08.22.10 - OpenSSL Multiple Denial of Service Vulnerabilities
-- Web Application - Cross Site Scripting
08.22.11 - SAFARI Montage "forgotPW.php" Multiple Cross-Site Scripting Vulnerabilities
08.22.12 - Sun Java System Web Server Advanced Search Mechanism Cross-Site Scripting
08.22.13 - PCPIN Chat "inc/url_redirection.inc.php" Cross-Site Scripting
08.22.14 - Horde Kronolith Multiple Cross-Site Scripting Vulnerabilities
08.22.15 - miniCWB "connector.php" Multiple Cross-Site Scripting Vulnerabilities
08.22.16 - Tr Script News "news.php" Cross-Site Scripting
-- Web Application - SQL Injection
08.22.17 - e107 BLOG Engine "macgurublog.php" SQL Injection
08.22.18 - WordPress Upload File Plugin "wp-uploadfile.php" SQL Injection
08.22.19 - DZOIC Handshakes "fname" Parameter SQL Injection
08.22.20 - RoomPHPlanning "resaopen.php" SQL Injection
08.22.21 - Xomol CMS "index.php" SQL Injection
08.22.22 - AbleSpace "adv_cat.php" SQL Injection
08.22.23 - Excuse Online "pwd.asp" SQL Injection
08.22.24 - phpFix Multiple SQL Injection Vulnerabilities
08.22.25 - ClassSystem Multiple SQL Injection Vulnerabilities and Arbitrary File Upload
08.22.26 - RoomPHPlanning "weekview.php" SQL Injection
08.22.27 - RevokeBB "search" Parameter SQL Injection
-- Web Application
08.22.28 - WWW File Share Pro Unspecified Arbitrary File Upload
08.22.29 - AbleDating "search_results.php" Multiple Input Validation Vulnerabilities
08.22.30 - Xerox WorkCentre Unspecified HTML Injection
08.22.31 - Sava CMS SQL Injection and Cross-Site Scripting Vulnerabilities
08.22.32 - Cerberus Helpdesk Controller Authentication Information Disclosure
08.22.33 - Quate CMS Multiple Input Validation Vulnerabilities
08.22.34 - phpRaider phpbb3 Bridge "phpbb3.functions.php" Remote File Include
08.22.35 - plusPHP Short URL Multi-User Script Remote File Include
08.22.36 - Xomol CMS "index.php" Local File Include
08.22.37 - Zina "index.php" Multiple Input Validation Vulnerabilities
08.22.38 - Mambo Prior to 4.6.4 Multiple Input Validation Vulnerabilities
08.22.39 - OneCMS "load" Parameter Local File Include
08.22.40 - Campus Bulletin Board SQL Injection and Cross-Site Scripting Vulnerabilities
08.22.41 - RoomPHPlanning "userform.php" Unauthorized Access
-- Network Device
08.22.42 - BT Home Hub Administrator Password Information Disclosure
______________________________________________________________________
PART I Critical Vulnerabilities
Part I for this issue has been compiled by Rob King at TippingPoint, a
division of 3Com, as a by-product of that company's continuous effort
to ensure that its intrusion prevention products effectively block
exploits using known vulnerabilities. TippingPoint's analysis is
complemented by input from a council of security managers from twelve
large organizations who confidentially share with SANS the specific
actions they have taken to protect their systems. A detailed description
of the process may be found at
http://www.sans.org/newsletters/cva/#process
*****************************
Widely Deployed Software
*****************************
(1) CRITICAL: Adobe Flash Player Remote Code Execution Vulnerability
Affected:
Adobe Flash Player versions 9.0.115.0 and prior
Adobe Flash Player versions 9.0.124.0 and prior on some platforms
Description: Adobe Flash Player is the most popular rich web content
player on the Internet, installed by default on all Microsoft Windows
and Apple Mac OS X systems. It is also often included in Unix and Linux
systems. It contains a remote code execution vulnerability in its
handling of Flash files. A specially crafted Flash file could trigger
this vulnerability, allowing an attacker to execute arbitrary code with
the privileges of the current user. While there are very few technical
details publicly available at the present time, this vulnerability is
being exploited in the wild. Flash content is displayed by default in
most web browser configurations. There are some reports of advertising
networks being co-opted to serve malicious Flash content. Currently,
only Flash Player on Microsoft Windows is being exploited; it is
suspected that this vulnerability affects Flash Player on other
platforms.
Status: Adobe confirmed, no updates available. Users are advised to
disable their Flash player installation if possible.
References:
Adobe Blog Posting
http://blogs.adobe.com/psirt/2008/05/potential_flash_player_issue.html
Secunia Advisory
http://secunia.com/advisories/30404/
SecurityFocus BID
http://www.securityfocus.com/bid/28695
****************************************************
(2) CRITICAL: Apple Mac OS X Multiple Vulnerabilities (Security Update 2008-003)
Affected:
Apple Mac OS X versions prior to 10.5.3
Description: Apple Mac OS X contains multiple vulnerabilities in several
of its components. Flaws in the handling of user and network requests,
and several file, document, and media formats, can lead to arbitrary
remote code execution with the privileges of the vulnerable process.
Other logical flaws in the handling of authentication can lead to
arbitrary information disclosure. Additional issues include
cross-site-scripting and denial-of-service vulnerabilities. Several of
these vulnerabilities stem from flaws in included third-party
applications and components. Note that this update also addresses the
Adobe Flash vulnerability discussed above.
Status: Vendor confirmed, updates available.
References:
Apple Security Advisory
http://support.apple.com/kb/HT1897
SecurityFocus BID
http://www.securityfocus.com/bid/29412
****************************************************
(3) CRITICAL: Cerulean Studios Trillian Multiple Vulnerabilities
Affected:
Cerulean Studios Trillian versions prior to 3.1.10.0
Description: Trillian is a multi-protocol instant messaging application
from Cerulean Studios. It contains multiple vulnerabilities in its
handling of several instant messaging protocols, as well as a
vulnerability in its parsing of HTML. A specially crafted AIM or MSN
message or HTML IMG tag could trigger one of several buffer overflow or
memory corruption vulnerabilities. Successfully exploiting one of these
vulnerabilities would allow an attacker to execute arbitrary code with
the privileges of the current user. Some technical details are publicly
available for these vulnerabilities.
Status: Vendor confirmed, updates available.
References:
Zero Day Initiative Advisories
http://zerodayinitiative.com/advisories/ZDI-08-029/
http://zerodayinitiative.com/advisories/ZDI-08-030/
http://zerodayinitiative.com/advisories/ZDI-08-031/
Vendor Home Page
http://www.ceruleanstudios.com/
SecurityFocus BID
http://www.securityfocus.com/bid/29330
****************************************************
(4) CRITICAL: IBM Lotus Sametime Community Services Multiplexer Buffer Overflow
Affected:
IBM Lotus Sametime versions prior to 8.0.1
Description: IBM Lotus Sametime is an enterprise instant messaging and
conferencing application. It contains a buffer overflow in its
"Community Services Multiplexer" component. A specially crafted request
to the Sametime server could trigger this buffer overflow, allowing an
attacker to execute arbitrary code with the privileges of the vulnerable
process. Full technical details and a proof-of-concept are publicly
available for this vulnerability.
Status: Vendor confirmed, updates available.
References:
Zero Day Initiative Advisory
http://zerodayinitiative.com/advisories/ZDI-08-028/
Proof-of-Concept
http://downloads.securityfocus.com/vulnerabilities/exploits/29328.pl
IBM Security Advisory
http://www-1.ibm.com/support/docview.wss?rs=463&uid=swg21303920
Product Home Page
http://www-306.ibm.com/software/lotus/sametime/
SecurityFocus BID
http://www.securityfocus.com/bid/29328
****************************************************
(5) CRITICAL: EMC AlphaStor Multiple Vulnerabilities
Affected:
AlphaStor versions 3.1 SP1 and prior
Description: EMC AlphaStor is a popular enterprise storage management
application. It contains multiple vulnerabilities in its handling of
user requests. Its Server Agent and Library Manager components contain
multiple buffer overflow vulnerabilities. A specially crafted request
to one of these components could trigger one of these buffer overflows,
allowing an attacker to execute arbitrary code with the privileges of
the vulnerable process (usually SYSTEM). No authentication is required
to exploit these vulnerabilities. Some technical details are publicly
available for these vulnerabilities.
Status: Vendor confirmed, updates available. Users are advised to block
TCP ports 3500 and 41025 at the network perimeter, if possible.
References:
iDefense Security Advisories
http://labs.idefense.com/intelligence/vulnerabilities/display.php?id=702
http://labs.idefense.com/intelligence/vulnerabilities/display.php?id=703
Product Home Page
http://www.emc.com/products/detail/software/alphastor.htm
SecurityFocus BID
Not yet available.
****************************************************
(6) HIGH: Creative Software AutoUpdate Engine ActiveX Control Buffer Overflow
Affected:
Creative Labs AutoUpdate Engine ActiveX Control
Description: Several Creative Labs products include automatic update
functionality. This functionality is provided by the AutoUpdate Engine
ActiveX control. This control contains a buffer overflow in its handling
of its 'cachefolder' property. A specially crafted web page that
exploits this vulnerability could execute arbitrary code with the
privileges of the current user. Full technical details and a
proof-of-concept are publicly available for this vulnerability.
Status: Vendor has not confirmed, no updates available. Users can
mitigate the impact of this vulnerability by disabling the affected
control via Microsoft's "kill bit" mechanism, using CLSID
"0A5FD7C5-A45C-49FC-ADB5-9952547D5715".
References:
Proof-of-Concept
http://milw0rm.com/exploits/5681
US-CERT Vulnerability Note
http://www.kb.cert.org/vuls/id/501843
Microsoft Knowledge Base Article (details the "kill bit" mechanism)
http://support.microsoft.com/kb/240797
SecurityFocus BID
Not yet available.
****************************************************
(7) HIGH: Alt-N MDaemon IMAP Server FETCH Command Handling Buffer Overflow
Affected:
Alt-N MDaemon versions 9.6.4 and prior
Description: MDaemon is a popular email server from Alt-N. Its IMAP
component contains a buffer overflow in its handling of the IMAP "FETCH"
command. A specially crafted FETCH request could trigger this buffer
overflow. Successfully exploiting this vulnerability would allow an
attacker to execute arbitrary code with the privileges of the vulnerable
process, usually SYSTEM. Note that authentication is required to exploit
this vulnerability. Full technical details and a proof-of-concept are
publicly available for this vulnerability.
Status: Vendor has not confirmed, no updates available.
References:
Proof-of-Concept
http://downloads.securityfocus.com/vulnerabilities/exploits/28245.py
Vendor Home Page
http://www.altn.com/
SecurityFocus BID
http://www.securityfocus.com/bid/28245
****************************************************
(8) HIGH: Samba SMB Response Handling Memory Corruption Vulnerability
Affected:
Samba versions 3.0.0 to 3.0.29
Description: Samba is a popular open source application that provides
both server and client implementations of the Server Message Block (SMB)
and Common Internet Filesystem (CIFS) protocol stacks, allowing
non-Windows systems to access or provide Microsoft Windows-style
services. Samba contains a flaw in its handling of server responses. A
specially crafted server response could trigger a memory corruption
vulnerability, allowing an attacker to execute arbitrary code with the
privileges of the current user. Exploitation would require an attacker
to convince a user to connect to a malicious SMB server. Full technical
details for this vulnerability are publicly available via source code
analysis.
Status: Samba confirmed, updates available.
References:
Samba Security Advisory
http://www.samba.org/samba/security/CVE-2008-1105.html
Wikipedia Article on SMB/CIFS
http://en.wikipedia.org/wiki/Server_Message_Block
Samba Home Page
http://www.samba.org
SecurityFocus BID
http://www.securityfocus.com/bid/29404
**********************************************************
Part II: Weekly Comprehensive List of Newly Discovered Vulnerabilities
Week 22, 2008
This list is compiled by Qualys ( www.qualys.com ) as part of that
company's ongoing effort to ensure its vulnerability management web
service tests for all known vulnerabilities that can be scanned. As of
this week Qualys scans for 5549 unique vulnerabilities. For this special
SANS community listing, Qualys also includes vulnerabilities that cannot
be scanned remotely.
______________________________________________________________________
08.22.1 CVE: Not Available
Platform: Third Party Windows Apps
Title: eMule Plus Unspecified Security
Description: eMule Plus is a file sharing utility for the Microsoft
Windows platform. The application is exposed to an unspecified issue
that occurs when the application performs "staticservers.dat"
processing. eMule Plus versions prior to 1.2d are affected.
Ref: http://sourceforge.net/project/shownotes.php?release_id=600155
______________________________________________________________________
08.22.2 CVE: Not Available
Platform: Third Party Windows Apps
Title: Core FTP "LIST" Command Directory Traversal
Description: Core FTP is an FTP client for Windows. The application is
exposed to a directory traversal issue because it fails to
sufficiently sanitize user-supplied input data. Core FTP LE/PRO
version 2.1 Build 1565 is affected.
Ref: http://vuln.sg/coreftp211565-en.html
______________________________________________________________________
08.22.3 CVE: Not Available
Platform: Third Party Windows Apps
Title: Lenovo System Update SSL Certificate Validation Security Bypass
Description: Lenovo System Update is an automated tool for downloading
and installing software updates. The application is exposed to a
security bypass issue. The issue occurs because the application fails
to properly check SSL certificates. Lenovo System Update version 3
(Version 3.13.0005, Build date 2008-1-3) is affected.
Ref: http://www.security-objectives.com/advisories/SECOBJADV-2008-01.txt
______________________________________________________________________
08.22.4 CVE: Not Available
Platform: Linux
Title: Linux Kernel Unspecified Security Issue
Description: The Linux kernel is exposed to an issue that stems from
an unspecified error. This issue affects versions prior to Linux
kernel 2.6.25.4.
Ref: http://www.kernel.org/pub/linux/kernel/v2.6/ChangeLog-2.6.25.4
______________________________________________________________________
08.22.5 CVE: CVE-2008-2137
Platform: Linux
Title: Linux Kernel SPARC "mmap()" Denial of Service
Description: The Linux kernel is exposed to a denial of service issue
when memory address mapping is performed on SPARC-based computers. The
issue occurs in the "sparc_mmap_check()" function when checking
"mmap()" virtual address ranges. Linux kernel versions prior to
2.6.25.3 are affected.
Ref: http://kerneltrap.org/mailarchive/git-commits-head/2008/5/8/1760604
______________________________________________________________________
08.22.6 CVE: Not Available
Platform: Cross Platform
Title: libpam-pgsql "pam_pgsql.c" Authentication Bypass
Description: libpam-pgsql is a PAM module to authenticate using a
PostgreSQL database. The application is exposed to an issue that may
let attackers authenticate without a valid password. Specifically,
the function "pam_sm_authenticate()" in the "pam_pgsql.c" file allows
attackers to bypass authentication when a "SIGINT" signal is sent
during the authentication process. libpam-pgsql versions 0.6.3 and
earlier are affected.
Ref: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=481970
______________________________________________________________________
08.22.7 CVE: Not Available
Platform: Cross Platform
Title: SaraB DAR Encryption Ciphers Local Information Disclosure
Description: SaraB is an automatic backup solution. The application is
exposed to an information disclosure issue. Specifically, this issue
arises because encryption ciphers are passed to DAR as a command line
argument. SaraB versions prior to 0.2.4 are affected.
Ref: http://www.securityfocus.com/bid/29364
______________________________________________________________________
08.22.8 CVE: Not Available
Platform: Cross Platform
Title: Adobe Flash Player SWF File Unspecified Remote Code Execution
Description: Adobe Flash Player is an application for playing Flash
media files. The application is exposed to an unspecified remote
code execution issue when processing specially-crafted SWF files.
Adobe Flash Player versions 9.0.115.0 and 9.0.124.0 are affected.
Ref: http://www.kb.cert.org/vuls/id/395473
______________________________________________________________________
08.22.9 CVE: CVE-2008-1105
Platform: Cross Platform
Title: Samba "lib/util_sock.c" Buffer Overflow
Description: Samba is a suite of software that provides file and print
services for "SMB/CIFS" clients. It is available for multiple
operating platforms. The application is exposed to a remote heap-based
buffer overflow issue because it fails to properly bounds check
user-supplied data before copying it to an insufficiently sized
buffer. Samba versions 3.0.28a and 3.0.29 are affected.
Ref: http://secunia.com/secunia_research/2008-20/advisory/
______________________________________________________________________
08.22.10 CVE: CVE-2008-0891, CVE-2008-1672
Platform: Cross Platform
Title: OpenSSL Multiple Denial of Service Vulnerabilities
Description: OpenSSL is an open-source implementation of the SSL
protocol that is used by a number of other projects, including but not
restricted to Apache, Sendmail, and Bind. It is commonly found on
Linux and UNIX systems. The application is exposed to multiple denial
of service issues. OpenSSL versions 0.9.8f and 0.9.8g are affected.
Ref: http://www.openssl.org/news/secadv_20080528.txt
______________________________________________________________________
08.22.11 CVE: Not Available
Platform: Web Application - Cross Site Scripting
Title: SAFARI Montage "forgotPW.php" Multiple Cross-Site Scripting
Vulnerabilities
Description: SAFARI Montage is a multimedia server application that
supports video-on-demand (VOD) technology. The server is exposed to
multiple cross-site scripting issues because it fails to sanitize
user-supplied input to the "school" and "email" parameters of the
"SAFARI/montage/forgotPW.php" script.
Ref: http://www.digitrustgroup.com/advisories/web-application-security-safari-montage.html
______________________________________________________________________
08.22.12 CVE: Not Available
Platform: Web Application - Cross Site Scripting
Title: Sun Java System Web Server Advanced Search Mechanism Cross-Site
Scripting
Description: Sun Java System Web Server is an enterprise-level
webserver application. The application is exposed to a cross-site
scripting issue because it fails to properly sanitize unspecified
user-supplied input to the advanced search mechanism. Sun Java System
Web Server versions 6.1 and 7.0 for SPARC, x86, Linux, Windows, HP-UX
and AIX platforms are affected.
Ref: http://sunsolve.sun.com/search/document.do?assetkey=1-66-236481-1
______________________________________________________________________
08.22.13 CVE: Not Available
Platform: Web Application - Cross Site Scripting
Title: PCPIN Chat "inc/url_redirection.inc.php" Cross-Site Scripting
Description: PCPIN Chat is a web-based instant messaging application.
The application is exposed to a cross-site scripting issue because it
fails to sufficiently sanitize unspecified user-supplied input to the
"/inc/url_redirection.inc.php" script. PCPIN Chat versions prior to
6.11 are affected.
Ref: http://www.securityfocus.com/archive/1/492563
______________________________________________________________________
08.22.14 CVE: Not Available
Platform: Web Application - Cross Site Scripting
Title: Horde Kronolith Multiple Cross-Site Scripting Vulnerabilities
Description: Kronolith is a web-based calendar system. It uses the
Horde Application Framework. The application is exposed to multiple
cross-site scripting issues because it fails to sanitize user-supplied
input to the "timestamp" parameter of the "week.php", "workweek.php"
and "day.php" scripts as well as the "horde" parameter.
Ref: http://www.securityfocus.com/bid/29365
______________________________________________________________________
08.22.15 CVE: Not Available
Platform: Web Application - Cross Site Scripting
Title: miniCWB "connector.php" Multiple Cross-Site Scripting
Vulnerabilities
Description: miniCWB is a PHP-based content manager. The application
is exposed to multiple cross-site scripting issues because it fails to
sanitize user-supplied input. The following parameters of the
"/javascript/editor/editor/filemanager/browser/mcpuk/connectors/php/connector.php"
script are affected: "errcontent" and "fckphp_config[Debug_SERVER]".
miniCWB version 2.1.1 is affected.
Ref: http://www.securityfocus.com/archive/1/492581
______________________________________________________________________
08.22.16 CVE: Not Available
Platform: Web Application - Cross Site Scripting
Title: Tr Script News "news.php" Cross-Site Scripting
Description: Tr Script News is a news script. The application is
exposed to a cross-site scripting issue because it fails to
sufficiently sanitize unspecified user-supplied input to the "nb"
parameter of the "news.php" script when the "mode" parameter is set to
"voir". Tr Script News version 2.1 is affected.
Ref: http://www.securityfocus.com/bid/29388
______________________________________________________________________
08.22.17 CVE: Not Available
Platform: Web Application - SQL Injection
Title: e107 BLOG Engine "macgurublog.php" SQL Injection
Description: e107 BLOG Engine is a blog plugin for the e107 content
manager. The application is exposed to an SQL injection issue because
it fails to sufficiently sanitize user-supplied data to the "uid"
parameter of the "macgurublog.php" script before using it in an SQL
query. e107 BLOG Engine version 2.2 is affected.
Ref: http://www.securityfocus.com/archive/1/492506
______________________________________________________________________
08.22.18 CVE: Not Available
Platform: Web Application - SQL Injection
Title: WordPress Upload File Plugin "wp-uploadfile.php" SQL Injection
Description: WordPress is a PHP-based content manager. The
application's Upload File plugin is exposed to an SQL injection issue
because it fails to sufficiently sanitize user-supplied data to the
"f_id" parameter of the "/wp-uploadfile.php" script before using it in
an SQL query.
Ref: http://www.securityfocus.com/archive/1/492578
______________________________________________________________________
08.22.19 CVE: Not Available
Platform: Web Application - SQL Injection
Title: DZOIC Handshakes "fname" Parameter SQL Injection
Description: DZOIC Handshakes is a PHP-based social networking
application. The application is exposed to an SQL injection issue
because it fails to sufficiently sanitize user-supplied data to the
"fname" parameter of the "index.php" script when a member search is
being performed. DZOIC Handshakes version 3.5 is affected.
Ref: http://www.securityfocus.com/archive/1/492556
______________________________________________________________________
08.22.20 CVE: Not Available
Platform: Web Application - SQL Injection
Title: RoomPHPlanning "resaopen.php" SQL Injection
Description: RoomPHPlanning is a PHP-based scheduling application. The
application is exposed to an SQL injection issue because it fails to
sufficiently sanitize user-supplied data to the "idresa" parameter of
the "resaopen.php" script before using it in an SQL query.
RoomPHPlanning version 1.5 is affected.
Ref: http://www.securityfocus.com/bid/29354
______________________________________________________________________
08.22.21 CVE: Not Available
Platform: Web Application - SQL Injection
Title: Xomol CMS "index.php" SQL Injection
Description: Xomol CMS is a PHP-based content manager. The application
is exposed to an SQL injection issue because it fails to sufficiently
sanitize user-supplied data to the "email" HTTP POST parameter of the
"index.php" script before using it in an SQL query. Xomol CMS version
1 is affected.
Ref: http://www.securityfocus.com/bid/29358
______________________________________________________________________
08.22.22 CVE: Not Available
Platform: Web Application - SQL Injection
Title: AbleSpace "adv_cat.php" SQL Injection
Description: AbleSpace is a community and dating script. The
application is exposed to an SQL injection issue because it fails to
sufficiently sanitize user-supplied data to the "cat_id" parameter of
the "adv_cat.php" script. AbleSpace version 1.0 is affected.
Ref: http://www.securityfocus.com/archive/1/492576
______________________________________________________________________
08.22.23 CVE: Not Available
Platform: Web Application - SQL Injection
Title: Excuse Online "pwd.asp" SQL Injection
Description: Excuse Online is a web-based application implemented in
ASP. The application is exposed to an SQL injection issue because it
fails to sufficiently sanitize user-supplied data to the "pID"
parameter of the "pwd.asp" script before using it in an SQL query.
Ref: http://www.securityfocus.com/archive/1/492580
______________________________________________________________________
08.22.24 CVE: Not Available
Platform: Web Application - SQL Injection
Title: phpFix Multiple SQL Injection Vulnerabilities
Description: phpFix is a web-based application. The application is
exposed to multiple SQL injection issues because it fails to
sufficiently sanitize user-supplied data to the following scripts and
parameters: "browse.php: kind" and "00_pass.php: account". phpFix
version 2.0 is affected.
Ref: http://www.securityfocus.com/archive/1/492582
______________________________________________________________________
08.22.25 CVE: Not Available
Platform: Web Application - SQL Injection
Title: ClassSystem Multiple SQL Injection Vulnerabilities and
Arbitrary File Upload
Description: ClassSystem is a web-based application. The application
is exposed to multiple input validation issues because it fails to
sufficiently sanitize user-supplied input. ClassSystem versions 2 and
2.3 are affected.
Ref: http://www.securityfocus.com/archive/1/492583
______________________________________________________________________
08.22.26 CVE: Not Available
Platform: Web Application - SQL Injection
Title: RoomPHPlanning "weekview.php" SQL Injection
Description: RoomPHPlanning is a PHP-based reservations application.
The application is exposed to an SQL injection issue because it fails
to sufficiently sanitize user-supplied data to the "idroom" parameter
of the "weekview.php" script before using it in an SQL query.
RoomPHPlanning version 1.5 is affected.
Ref: http://www.securityfocus.com/archive/1/492636
______________________________________________________________________
08.22.27 CVE: Not Available
Platform: Web Application - SQL Injection
Title: RevokeBB "search" Parameter SQL Injection
Description: RevokeBB is a PHP-based bulletin board application. The
application is exposed to an SQL injection issue because it fails to
sufficiently sanitize user-supplied data to the "search" parameter of
the "/inc/acts/search.module.php" script before using it in an SQL
query. RevokeBB version 1.0 RC11 is affected.
Ref: http://www.securityfocus.com/bid/29393
______________________________________________________________________
08.22.28 CVE: Not Available
Platform: Web Application
Title: WWW File Share Pro Unspecified Arbitrary File Upload
Description: WWW File Share Pro is an application that allows file
sharing within a browser. The application is exposed to an issue that
lets attackers upload arbitrary files. The application fails to verify
file extensions and may allow arbitrary scripts to run. WWW File Share
Pro version 5.30 is affected.
Ref: http://www.securityfocus.com/archive/1/492416
______________________________________________________________________
08.22.29 CVE: Not Available
Platform: Web Application
Title: AbleDating "search_results.php" Multiple Input Validation
Vulnerabilities
Description: AbleDating is a PHP-based application for setting up a
dating site. Since it fails to sanitize user-supplied input data, the
application is exposed to multiple input validation issues.
AbleDating version 2.4 is affected.
Ref: http://www.securityfocus.com/archive/1/492478
______________________________________________________________________
08.22.30 CVE: Not Available
Platform: Web Application
Title: Xerox WorkCentre Unspecified HTML Injection
Description: Xerox WorkCentre is a web-capable printer and
photocopier. The application is exposed to an unspecified HTML
injection issue because it fails to sanitize user-supplied input.
Xerox WorkCentre versions 7132, 7228, 7235 and 7245 are affected.
Ref: http://www.securityfocus.com/bid/29345
______________________________________________________________________
08.22.31 CVE: Not Available
Platform: Web Application
Title: Sava CMS SQL Injection and Cross-Site Scripting Vulnerabilities
Description: Sava CMS is a web-based content manager. Since it fails
to sufficiently sanitize user-supplied data, the application is
exposed to multiple input-validation issues. Sava CMS versions prior
to 5.0.122 are affected.
Ref: http://www.securityfocus.com/bid/29346
______________________________________________________________________
08.22.32 CVE: Not Available
Platform: Web Application
Title: Cerberus Helpdesk Controller Authentication Information
Disclosure
Description: Cerberus Helpdesk is a PHP-based email application. The
application is exposed to an information disclosure issue because of
an authentication error on certain web pages. The issue occurs when
accessing pages that aren't integrated with the application's web
interface.
Ref: http://www.cerb4.com/blog/2008/05/15/important-security-patch-40-build-599/
______________________________________________________________________
08.22.33 CVE: Not Available
Platform: Web Application
Title: Quate CMS Multiple Input Validation Vulnerabilities
Description: Quate CMS is a PHP-based content manager. The application
is exposed to multiple input validation issues because it fails to
adequately sanitize user-supplied input. Quate CMS version 0.3.4 is
affected.
Ref: http://www.securityfocus.com/archive/1/492512
______________________________________________________________________
08.22.34 CVE: Not Available
Platform: Web Application
Title: phpRaider phpbb3 Bridge "phpbb3.functions.php" Remote File
Include
Description: phpRaider is a web-based raid manager for MMORPGs
(Massively Multiplayer Online Role-Playing Games). The application is
exposed to a remote file include issue in the phpbb3 bridge
functionality because it fails to sufficiently sanitize user-supplied
input to the "pConfig_auth[phpbb_path]" parameter of the
"authentication/phpbb3/phpbb3.functions.php" script. phpRaider version
1.0.7 is affected.
Ref: http://www.securityfocus.com/bid/29356
______________________________________________________________________
08.22.35 CVE: Not Available
Platform: Web Application
Title: plusPHP Short URL Multi-User Script Remote File Include
Description: plusPHP Short URL Multi-User Script is a web-based
application. The application is exposed to a remote file include issue
because it fails to sufficiently sanitize user-supplied input to the
"_pages_dir" parameter of the "plus.php" script. plusPHP Short URL
Multi-User Script version 1.6 is affected.
Ref: http://www.securityfocus.com/bid/29357
______________________________________________________________________
08.22.36 CVE: Not Available
Platform: Web Application
Title: Xomol CMS "index.php" Local File Include
Description: Xomol CMS is a PHP-based content manager. The application
is exposed to a local file include issue because it fails to properly
sanitize user-supplied input to the "op" parameter of the "index.php"
script. Xomol CMS version 1 is affected.
Ref: http://www.securityfocus.com/bid/29359
______________________________________________________________________
08.22.37 CVE: Not Available
Platform: Web Application
Title: Zina "index.php" Multiple Input Validation Vulnerabilities
Description: Zina is an application that allows users to view and play
MP3 files through their browser. The application is exposed to
multiple input validation issues. Zina version 1.0rc3 is affected.
Ref: http://www.securityfocus.com/archive/1/492593
______________________________________________________________________
08.22.38 CVE: Not Available
Platform: Web Application
Title: Mambo Prior to 4.6.4 Multiple Input Validation Vulnerabilities
Description: Mambo is a PHP-based content manager. The application is
exposed to multiple input validation issues because it fails to
properly sanitize user-supplied input. Mambo versions prior to 4.6.4
are affected.
Ref: http://forum.mambo-foundation.org/showthread.php?t=11799
______________________________________________________________________
08.22.39 CVE: Not Available
Platform: Web Application
Title: OneCMS "load" Parameter Local File Include
Description: OneCMS is a content management system. The application is
exposed to a local file include issue because it fails to properly
sanitize user-supplied input to the "load" parameter of the
"install_mod.php" script when the "act" parameter is set to "go".
Ref: http://www.securityfocus.com/bid/29374
______________________________________________________________________
08.22.40 CVE: Not Available
Platform: Web Application
Title: Campus Bulletin Board SQL Injection and Cross-Site Scripting
Vulnerabilities
Description: Campus Bulletin Board is a web-based bulletin board
application implemented in ASP. Since it fails to sufficiently
sanitize user-supplied data, the application is exposed to multiple
input validation issues. Campus Bulletin Board version 3.4 is
affected.
Ref: http://www.securityfocus.com/archive/1/492586
______________________________________________________________________
08.22.41 CVE: Not Available
Platform: Web Application
Title: RoomPHPlanning "userform.php" Unauthorized Access
Description: RoomPHPlanning is a PHP-based scheduling application. The
application is exposed to an unauthorized access issue because it
fails to adequately limit access to administrative scripts used for
creating accounts. RoomPHPlanning version 1.5 is affected.
Ref: http://www.securityfocus.com/bid/29377
______________________________________________________________________
08.22.42 CVE: Not Available
Platform: Network Device
Title: BT Home Hub Administrator Password Information Disclosure
Description: BT Home Hub is a wireless router developed by BT. BT Home
Hub is exposed to an information disclosure issue. BT Home Hub
firmware version 6.2.6.E is affected.
Ref: http://www.securityfocus.com/bid/29388
______________________________________________________________________
(c) 2008. All rights reserved. The information contained in this
newsletter, including any external links, is provided "AS IS," with no
express or implied warranty, for informational purposes only. In some
cases, copyright for material in this newsletter may be held by a
party other than Qualys (as indicated herein) and permission to use
such material must be requested from the copyright owner.
Subscriptions:
RISK is distributed free of charge by the SANS Institute
to people responsible for managing and securing information systems and
networks. You may forward this newsletter to others with such
responsibility inside or outside your organization.
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.8 (Darwin)
iEYEARECAAYFAkg/TKIACgkQ+LUG5KFpTkaLpQCgpQqE2rRJ4KkGtc4C0y3fOAFM
P/8AnAoIbp10Qr/OrL4/ErV6m5VWV4Y0
=DMet
-----END PGP SIGNATURE-----