The most trusted source for computer security training, certification and research.

@RISK: The Consensus Security Vulnerability Alert

Volume: VI, Issue: 1
January 2, 2007

SANS Newsletters Home

A light week, but Novell Netmail users should upgrade right away and Quicktime users need to avoid careless browsing until Apple fixes the problem there.

SANS 2007 - with 53 hands-on immersion training courses and a big product expo - will be in San Diego this year. Full schedule of courses: http://www.sans.org/sans2007/event.php

@RISK is the SANS community's consensus bulletin summarizing the most important vulnerabilities and exploits identified during the past week and providing guidance on appropriate actions to protect your systems (PART I). It also includes a comprehensive list of all new vulnerabilities discovered in the past week (PART II).

Summary of the vulnerabilities reported this week:

    • Category
    • # of Updates & Vulnerabilities
    • Third Party Windows Apps
    • 4
    • Linux
    • 1
    • Novell
    • 2 (#2)
    • Apple (#1)
    • Cross Platform
    • 8
    • Web Application - Cross Site Scripting
    • 5
    • Web Application - SQL Injection
    • 14
    • Web Application
    • 32 (#3)

************************ Sponsored By SANS ******************************

Interested in enhancing your knowledge after attending a SANS training event? The solution is the OnDemand Bundle for $379! An online training and assessment system that reinforces the concepts taught in the classroom. For more information email ondemand@sans.org or call (301) 654-7267.

*************************************************************************

Table Of Contents
Part II -- Comprehensive List of Newly Discovered Vulnerabilities from Qualys (www.qualys.com)
Third Party Windows Apps
Linux
Novell
Cross Platform
Web Application - Cross Site Scripting
Web Application - SQL Injection
Web Application
PART I Critical Vulnerabilities

Part I for this issue has been compiled by Rob King and Rohit Dhamankar at TippingPoint, a division of 3Com, as a by-product of that company's continuous effort to ensure that its intrusion prevention products effectively block exploits using known vulnerabilities. TippingPoint's analysis is complemented by input from a council of security managers from twelve large organizations who confidentially share with SANS the specific actions they have taken to protect their systems. A detailed description of the process may be found at http://www.sans.org/newsletters/cva/#process

Widely Deployed Software
  • (1) CRITICAL: Apple QuickTime RTSP URL Handler Buffer Overflow
  • Affected:
    • QuickTime version 7.1.3 and possibly prior on Mac OS and Windows platforms

  • Description: Apple QuickTime, a widely used media player, contains a stack-based buffer overflow in handling RTSP URLs. The overflow has been discovered by the "Month of Apple Bugs" project, and can be triggered by a specially crafted RTSP URL that is 300 bytes or longer. A malicious webpage or a media file can exploit this flaw to execute arbitrary code on a user's system. Note that systems using QuickTime as the default media player can be compromised upon browsing to a malicious webpage without any user interaction. Exploit code has been publicly posted.

  • Status: Apple has not confirmed, no patches available. A workaround is to disable the RTSP URL handler.

  • References:
Other Software
  • (3) CRITICAL: Cacti cmd.php Remote Command Execution and SQL Injection Vulnerabilities
  • Affected:
    • Cacti version 0.8.6i

  • Description: Cacti is a popularly used network graphics software package on UNIX. Cacti contains remote command execution and SQL injection vulnerabilities in its "cmd.php" script. An attacker can exploit these flaws to execute arbitrary commands on a web server running Cacti. Exploit code has been publicly posted.

  • Status: Vendor not confirmed, no patches available. A workaround is to ensure that cmd.php script is not accessible via web requests. Council Site Summary: The affected software and/or configuration are not in production or widespread use, or are not officially supported at any of the council sites. They reported that no action was necessary.

  • References:
Part II: Weekly Comprehensive List of Newly Discovered Vulnerabilities
Week 1, 2007

This list is compiled by Qualys ( www.qualys.com ) as part of that company's ongoing effort to ensure its vulnerability management web service tests for all known vulnerabilities that can be scanned. As of this week Qualys scans for 5321 unique vulnerabilities. For this special SANS community listing, Qualys also includes vulnerabilities that cannot be scanned remotely. 07.1.1 CVE: Not Available Platform: Third Party Windows Apps Title: FTPRush Host Field Local Buffer Overflow Description: FTPRush is an FTP client available for Microsoft Windows. It is prone to a local buffer overflow vulnerability due to insufficient bounds checking on the Host field in the client GUI. FTPRush version 1.0.0.610 is reportedly vulnerable. Ref: http://www.securityfocus.com/bid/21714

  • 07.1.1 - CVE: Not Available
  • Platform: Third Party Windows Apps
  • Title: FTPRush Host Field Local Buffer Overflow
  • Description: FTPRush is an FTP client available for Microsoft Windows. It is prone to a local buffer overflow vulnerability due to insufficient bounds checking on the Host field in the client GUI. FTPRush version 1.0.0.610 is reportedly vulnerable.
  • Ref: http://www.securityfocus.com/bid/21714
  • 07.1.2 - CVE: Not Available
  • Platform: Third Party Windows Apps
  • Title: LANMessenger Information Request Mechanism Denial of Service
  • Description: LANMessenger is a UPD instant messenger application. It is affected by a denial of service issue due to an unspecified error in the information request mechanism. LANMessenger versions prior to 1.5.1.2 are affected.
  • Ref: http://www.securityfocus.com/bid/21715/info
  • 07.1.3 - CVE: Not Available
  • Platform: Third Party Windows Apps
  • Title: WikiReader URL Field Local Buffer Overflow
  • Description: WikiReader is a utility that allows you to open WikiPedia articles via Microsoft Windows applications. It is exposed to a local buffer overflow issue because it fails to adequately bounds check user-supplied input data to an insufficiently sized buffer. The problem occurs when data supplied to the URL field in the client GUI is greater than 16635 bytes. The application will crash when the data is processed. This issue affects version 1.12.
  • Ref: http://www.securityfocus.com/bid/21718
  • 07.1.4 - CVE: Not Available
  • Platform: Third Party Windows Apps
  • Title: acFTP Server Multiple Remote Denial of Service Vulnerabilities
  • Description: acFTP is an open source FTP server application for the Microsoft Windows operating systems. It is exposed to multiple remote denial of service issues because the application fails to properly handle user-supplied input. These issues affect version 1.5.
  • Ref: http://www.securityfocus.com/bid/21767
  • 07.1.5 - CVE: Not Available
  • Platform: Linux
  • Title: KSirc IRC Client Remote PRIVMSG Buffer Overflow
  • Description: KSirc is the default IRC client included with the KDE desktop environment. It is exposed to a remote buffer overflow vulnerability. The issue arises when the client handles excessive string data. Specifically, this issue is triggered when PRIVMSG messages containing excessively long content of approximately 2500 bytes are received by affected clients. When the "stdout_read()" method of the "KSircIOController" class attempts to process this data, a buffer will be overrun with attacker-supplied data. KSirc 1.3.12 is affected.
  • Ref: http://www.securityfocus.com/bid/21790
  • 07.1.6 - CVE: Not Available
  • Platform: Novell
  • Title: Novell Netmail IMAP Verb Literal Heap Overflow
  • Description: Novell Netmail is an email and calendaring system. It is prone to a remotely exploitable buffer overflow vulnerability caused by a lack of bounds checking on literals that are appended to IMAP verbs. Novell NetMail versions 3.52 D and earlier are vulnerable.
  • Ref: http://www.novell.com/support/search.do?cmd=displayKC&externalId=3096026&
    ;sliceId=SAL_Public
  • 07.1.7 - CVE: Not Available
  • Platform: Novell
  • Title: Novell Netmail IMAP APPEND Denial of Service
  • Description: Novell Netmail is an email and calendaring system. Insufficient sanitization of the IMAP APPEND argument exposes the application to a denial of service issue. Please refer to the attached advisory for a list of affected versions.
  • Ref: http://labs.idefense.com/intelligence/vulnerabilities/display.php?id=455
  • 07.1.8 - CVE: Not Available
  • Platform: Cross Platform
  • Title: OpenSER Parse_Expression Remote Buffer Overflow
  • Description: OpenSER is an open source SIP (session initiation protocol) server available for multiple operating systems. It is prone to a remote buffer overflow issue because the software fails to perform adequate bounds checks on user-supplied input to the "str" parameter of the "parse_expression()" routine. OpenSER version 1.1.0 is vulnerable and other versions may also be affected.
  • Ref: http://www.securityfocus.com/bid/21706
  • 07.1.9 - CVE: CVE-2006-6425
  • Platform: Cross Platform
  • Title: Novell Netmail IMAP APPEND Buffer Overflow
  • Description: Novell Netmail is an email and calendaring system. It is prone to a remotely exploitable buffer overflow vulnerability due to insufficient bounds checking on a client supplied IMAP APPEND parameter. Novell Netmail versions 3.52 D and prior are reportedly vulnerable.
  • Ref: http://www.novell.com/support/search.do?cmd=displayKC&externalId=3096026&
    ;sliceId=SAL_Public
  • 07.1.11 - CVE: Not Available
  • Platform: Cross Platform
  • Title: W3M SSL Certificate Format String
  • Description: W3M is a console based web browser. W3M is available for UNIX/Linux and Windows operating systems. It is exposed to a format string vulnerability. This issue can occur when the browser processes SSL certificates that include format specifiers. Version 0.5.1 is affected.
  • Ref: http://www.securityfocus.com/bid/21735
  • 07.1.12 - CVE: CVE-2006-6698
  • Platform: Cross Platform
  • Title: GConf Temporary Directory Creation Denial of Service
  • Description: GConf is a user preference storing application for multiple windows managers. It is prone to a local denial of service vulnerability that occurs in the "gconf_get_daemon_dir" routine of "gconf-internals.c". GConf versions 2.7 and 2.8 are reportedly vulnerable.
  • Ref: http://www.securityfocus.com/bid/21762
  • 07.1.13 - CVE: Not Available
  • Platform: Cross Platform
  • Title: Novell Netmail Multiple Services Unspecified Stack Buffer Overflow Vulnerabilities
  • Description: Novell Netmail is an email and calendaring system. It is prone to multiple unspecified stack based buffer overflow vulnerabilities due to insufficient bounds checking in the "SMTP", "POP3", "IMAP" and "HTTP" services. Novell Netmail versions 3.52e-ftfi and prior are reportedly vulnerable.
  • Ref: http://www.securityfocus.com/bid/21773
  • 07.1.14 - CVE: Not Available
  • Platform: Cross Platform
  • Title: DB Hub Remote Denial of Service
  • Description: DB Hub is a open source fork of the Open DC Hub application. It is vulnerable to a remote denial of service issue due to a memory corruption flaw when it attempts to process specially crafted network traffic. DB Hub version 0.3 is vulnerable.
  • Ref: http://www.securityfocus.com/bid/21791
  • 07.1.15 - CVE: Not Available
  • Platform: Cross Platform
  • Title: OpenSER OSP Module Validateospheader Function Buffer Overflow
  • Description: OpenSER is an open source SIP server. The OpenSER OSP Module is prone to a buffer overflow vulnerability that exists in the "validateospheader()" function when validating OSP headers. An attacker may exploit this vulnerability by manipulating the OSP headers, ultimately resulting in memory corruption. Versions 1.1.0 and prior are reportedly vulnerable.
  • Ref: http://www.securityfocus.com/bid/21801
  • 07.1.16 - CVE: Not Available
  • Platform: Web Application - Cross Site Scripting
  • Title: a-blog Unspecified Cross-Site Scripting Vulnerability
  • Description: The "a-blog" application is a web log program. It is exposed to a cross-site scripting issue because it fails to properly sanitize user-supplied input to unspecified parameters and scripts. Version 2.1.c is affected.
  • Ref: http://www.securityfocus.com/bid/21716
  • 07.1.17 - CVE: Not Available
  • Platform: Web Application - Cross Site Scripting
  • Title: TimberWolf ShowNews.PHP Cross Site Scripting
  • Description: TimberWolf is a web-based content management system. It is prone to a cross site scripting vulnerability due to insufficient sanitization of the "nid" parameter of the "shownews.php" script. TimberWolf version 1.2.2 is reportedly vulnerable.
  • Ref: http://www.securityfocus.com/bid/21733
  • 07.1.18 - CVE: Not Available
  • Platform: Web Application - Cross Site Scripting
  • Title: PHP Live! Multiple Cross-Site Scripting Vulnerabilities
  • Description: PHP Live! is a customer support application. It is exposed to multiple cross-site scripting vulnerabilities because it fails to properly sanitize user-supplied input to the URI parameters of multiple scripts. Version 3.2.2 is affected.
  • Ref: http://www.securityfocus.com/bid/21737
  • 07.1.19 - CVE: Not Available
  • Platform: Web Application - Cross Site Scripting
  • Title: PNAmazu Cross-Site Scripting
  • Description: PNAmazu is prone to a cross-site scripting vulnerability because it fails to properly sanitize user-supplied input. PNAmazu versions prior to 2006.12.23 are vulnerable.
  • Ref: http://www.securityfocus.com/bid/21759
  • 07.1.20 - CVE: Not Available
  • Platform: Web Application - Cross Site Scripting
  • Title: PHP ICalendar Multiple Cross-Site Scripting Vulnerabilities
  • Description: PHP icalendar is a web-based calendar application. It is exposed to multiple cross-site scripting vulnerabilities because it fails to properly sanitize user-supplied input to the URI parameters of multiple scripts. PHP iCalendar versions 2.0 b, 2.23 rc1, 2.22 and 1.1 are affected.
  • Ref: http://www.securityfocus.com/bid/21792
  • 07.1.21 - CVE: Not Available
  • Platform: Web Application - SQL Injection
  • Title: Enthrallweb eCars Types.ASP SQL Injection
  • Description: Enthrallweb eCars is a web-based automobile dealership application. Insufficient sanitization of the "type_id" parameter of the "Types.asp" script exposes the application to an SQL injection issue. eCars version 1.0 is vulnerable.
  • Ref: http://www.securityfocus.com/bid/21748
  • 07.1.22 - CVE: Not Available
  • Platform: Web Application - SQL Injection
  • Title: Enthrallweb ePages Actualpic.ASP SQL Injection
  • Description: Enthrallweb ePages is a web-based directory. Insufficient sanitization of the "Biz_ID" parameter of the "actualpic.asp" script exposes the application to a SQL injection issue. All current versions are affected.
  • Ref: http://www.securityfocus.com/bid/21750
  • 07.1.23 - CVE: Not Available
  • Platform: Web Application - SQL Injection
  • Title: Enthrallweb ePhotos SubLevel2.ASP SQL Injection
  • Description: Enthrallweb ePhotos is a web-based photo gallery. Insufficient sanitization of the "SUB_ID" parameter of the "subLevel2.asp" script exposes the application to a SQL injection issue. All current versions are affected.
  • Ref: http://www.securityfocus.com/bid/21742
  • 07.1.24 - CVE: Not Available
  • Platform: Web Application - SQL Injection
  • Title: Hitachi Soumu Workflow Multiple Unspecified SQL Injection Vulnerabilities
  • Description: Hitachi Soumu Workflow is an application for workflow productivity. Unspecified parameters and scripts are vulnerable to SQL injection attacks because the application fails to properly sanitize user-supplied input. Hitachi Soumu Workflow versions 3.0 and earlier are affected.
  • Ref: http://www.securityfocus.com/bid/21704
  • 07.1.25 - CVE: Not Available
  • Platform: Web Application - SQL Injection
  • Title: Ixprim CMS IXM_IXPNews.PHP SQL Injection
  • Description: Ixprim CMS is a content manager. It is exposed to an SQL injection issue because it fails to properly sanitize user-supplied input to the "story_id" parameter of the "ixm_ixpnews.php" script. Version 1.2 is affected.
  • Ref: http://www.securityfocus.com/bid/21710
  • 07.1.26 - CVE: Not Available
  • Platform: Web Application - SQL Injection
  • Title: Efkan Forum Grup Variable SQL Injection Vulnerability
  • Description: Efkan Forum is a web-based forum application. Insufficient sanitization of the "grup" parameter of the "default.asp" script exposes the appliction to a SQL injection issue. All current versions are affected.
  • Ref: http://www.securityfocus.com/archive/1/455205
  • 07.1.27 - CVE: Not Available
  • Platform: Web Application - SQL Injection
  • Title: Chatwm SelGruFra.ASP SQL Injection
  • Description: Chatwm is a web-based chat application. It is exposed to multiple SQL injection issues because it fails to properly sanitize user-supplied input to the "txtUse" and "txtPas" variables of the "SelGruFra.asp" script. Chatwm version 1.0 is affected.
  • Ref: http://www.securityfocus.com/bid/21732
  • 07.1.28 - CVE: Not Available
  • Platform: Web Application - SQL Injection
  • Title: Netbula Anyboard User Login SQL Injection
  • Description: Netbula Anyboard is a forum application. Insufficient sanitization of user supplied input exposes the application to an SQL injection issue. Netbula Anyboard version 9.9.5.6 is affected.
  • Ref: http://www.securityfocus.com/bid/21734
  • 07.1.29 - CVE: Not Available
  • Platform: Web Application - SQL Injection
  • Title: Mxmania File Upload Manager Detail.ASP SQL Injection
  • Description: Mxmania File Upload Manager is a web site utility for uploading and managing files. It is exposed to an SQL injection issue because it fails to sufficiently sanitize user-supplied data to the "ID" parameter of the "detail.asp" script file. Mxmania File Upload Manager versions prior to 1.0.6 are vulnerable.
  • Ref: http://www.securityfocus.com/bid/21754
  • 07.1.30 - CVE: Not Available
  • Platform: Web Application - SQL Injection
  • Title: The Classified Ad System Default.ASP SQL Injection
  • Description: The Classified Ad System is a content management system. It is exposed to an SQL injection vulnerability because it fails to sufficiently sanitize user-supplied data to the "main" parameter of the "default.asp" script file. Version 1.0 is affected.
  • Ref: http://www.securityfocus.com/bid/21758
  • 07.1.31 - CVE: Not Available
  • Platform: Web Application - SQL Injection
  • Title: Calendar MX Basic Calendar_Detail.ASP SQL Injection
  • Description: Calendar MX Basic is a web-based calendar application. Insufficient sanitization of the "ID" parameter of the "calendar_detail.asp" script exposes the application to an SQL injection issue. Calendar MX Basic versions 1.0.2 and prior are vulnerable.
  • Ref: http://www.securityfocus.com/bid/21763
  • 07.1.32 - CVE: Not Available
  • Platform: Web Application - SQL Injection
  • Title: PHP-Update Guestadd.PHP Multiple SQL Injection Vulnerabilities
  • Description: PHP-Update is a web-based application for remote administration of a web-site. It is exposed to multiple SQL injection issues because it fails to properly sanitize user-supplied input to the "newmessage", "newname", "newwebsite", and "newemail" parameters of the "guestadd.php" script. PHP-Update version 2.7 is vulnerable and other versions may also be affected.
  • Ref: http://www.securityfocus.com/bid/21772
  • 07.1.33 - CVE: Not Available
  • Platform: Web Application - SQL Injection
  • Title: EnthrallWeb Ananda Real Estate List.ASP SQL Injection
  • Description: Ananda Real Estate is a web-based real estate management application. It is affected by an SQL injection issue due to insufficient sanitization of the "agent" parameter of the "list.asp" script. Ananda Real Estate version 3.4 is vulnerable.
  • Ref: http://www.securityfocus.com/bid/21771
  • 07.1.34 - CVE: Not Available
  • Platform: Web Application - SQL Injection
  • Title: dmxREADY Secure Login Manager Multiple SQL Injection Vulnerabilities
  • Description: dmxREADY Secure Login Manager is affected by multiple SQL injection issues due to insufficient sanitization of the "sent" parameter of the "login.asp", "content.asp", "members.asp" and "inc_secureloginmanager.asp" scripts. dmxREADY version 1.0 is affected.
  • Ref: http://www.securityfocus.com/bid/21788
  • 07.1.35 - CVE: Not Available
  • Platform: Web Application
  • Title: eNdonesia Multiple Scripts Multiple Input Validation Vulnerabilities
  • Description: eNdonesia is a web portal application. It is exposed to multiple input validation issues because it fails to sufficiently sanitize user-supplied input. eNdonesia version 8.4 is vulnerable and other versions may also be affected.
  • Ref: http://www.securityfocus.com/bid/21333
  • 07.1.36 - CVE: Not Available
  • Platform: Web Application
  • Title: EnthrallWeb Multiple Products Myprofile.ASP Arbitrary User Password Change
  • Description: EnthrallWeb produces multiple web-based applications. The "myprofile.asp" is prone to an unspecified vulnerability that may permit attackers to change arbitrary passwords. Multiple versions are reportedly vulnerable.
  • Ref: http://www.securityfocus.com/bid/21739
  • 07.1.37 - CVE: Not Available
  • Platform: Web Application
  • Title: Logahead UNU Edition _Widged.PHP Arbitrary File Upload
  • Description: Logahead UNU edition is a blog application. It is exposed to an arbitrary file upload vulnerability because it fails to sufficiently sanitize user-supplied input to the "_widged.php" script when uploading arbitrary files. Logahead version 1.0 is affected.
  • Ref: http://www.securityfocus.com/bid/21743
  • 07.1.38 - CVE: Not Available
  • Platform: Web Application
  • Title: My_eGallery Module DisplayCategory.PHP Remote File Include
  • Description: The My_eGallery Module is an image gallery application for myPHPNuke. It is vulnerable to a remote file include issue due to insufficient sanitization of user-supplied input to the "basepath" parameter of the "displayCategory.php" script. My_eGallery Module version 2.5.6 is vulnerable.
  • Ref: http://www.securityfocus.com/bid/21744
  • 07.1.39 - CVE: Not Available
  • Platform: Web Application
  • Title: Newsletter MX admin_mail_adressee.ASP SQL Injection
  • Description: Newsletter MX is a web-based newsletter application. It is exposed to an SQL injection vulnerability because it fails to properly sanitize user-supplied input to the "ID" parameter of "admin_mail_adressee.asp". Newsletter MX version 1.0.2 is affected.
  • Ref: http://www.securityfocus.com/bid/21746/
  • 07.1.40 - CVE: Not Available
  • Platform: Web Application
  • Title: PHPBuilder HTM2PHP.PHP Directory Traversal
  • Description: PHPBuilder is a content management system. It is exposed to a directory traversal vulnerability because it fails to properly sanitize user-supplied input to the "filename" parameter of the "htm2php.php" script. PHPBuilder version 0.0.2 is affected.
  • Ref: http://www.securityfocus.com/bid/21703/info
  • 07.1.41 - CVE: Not Available
  • Platform: Web Application
  • Title: Intertianews Inertianews_Main.PHP Remote File Include
  • Description: Intertianews is a web-based news script. It is prone to a remote file include issue because it fails to sufficiently sanitize user-supplied input to the "inews_path" parameter of the "inertianews_main.php" script. Intertianews version 0.02b is vulnerable and other versions may also be affected.
  • Ref: http://www.securityfocus.com/bid/21713
  • 07.1.42 - CVE: Not Available
  • Platform: Web Application
  • Title: Xt-News Multiple Input Validation Vulnerabilities
  • Description: XT-News is a web-based news script. Insufficient sanitization of user-supplied input exposes the application to multiple cross-site scripting and SQL injection issues. All current versions are affected.
  • Ref: http://www.securityfocus.com/bid/21719
  • 07.1.43 - CVE: Not Available
  • Platform: Web Application
  • Title: Keep It Simple Guest Book Authenticate.PHP Remote File Include
  • Description: Keep It Simple Guest Book (KISGB) is a guestbook application. It is prone to a remote file include issue because it fails to sufficiently sanitize user-supplied input to the "default_path_for_themes" parameter of the "authenticate.php" script. Keep It Simple Guest Book versions 5.1.1 and earlier are vulnerable.
  • Ref: http://www.securityfocus.com/bid/21721
  • 07.1.44 - CVE: Not Available
  • Platform: Web Application
  • Title: Okul Merkezi Portal Page Variable Remote File Include
  • Description: Okul Merkezi Portal is a web-based portal application. It is exposed to a remote file include issue because it fails to sufficiently sanitize user-supplied input to the "page" parameter of the "ataturk.php" script. Okul Merkezi Portal version 1.0 is affected.
  • Ref: http://www.securityfocus.com/bid/21730
  • 07.1.45 - CVE: Not Available
  • Platform: Web Application
  • Title: FishyShoop Administrative Bypass
  • Description: FishyShoop is a web-based shopping cart application. It is vulnerable to an administrative access issue due to insufficient checks on user-supplied POST data. FishyShoop version 0.930 beta is vulnerable.
  • Ref: http://www.securityfocus.com/archive/1/455260
  • 07.1.46 - CVE: Not Available
  • Platform: Web Application
  • Title: VBulletin SWF Script Injection Vulnerability
  • Description: vBulletin is a web-based bulletin board. Insufficient sanitization of user-supplied input exposes the application to a SWF script injection issue. All current versions are affected.
  • Ref: http://www.securityfocus.com/bid/21736
  • 07.1.47 - CVE: Not Available
  • Platform: Web Application
  • Title: phpbbXtra Archive_Topic.PHP Remote File Include
  • Description: phpbbXtra is a web-based bulletin board. It is vulnerable to a remote file include issue due to insufficient sanitization of user-supplied input to the "phpbb_root_path" parameter of the "archive_topic.php" script. phpbbXtra version 2.0 is vulnerable.
  • Ref: http://www.securityfocus.com/archive/1/455304
  • 07.1.48 - CVE: Not Available
  • Platform: Web Application
  • Title: Shadowed Portal Include.PHP Remote File Include
  • Description: Shadowed Portal is a web-based bulletin board application. It is vulnerable to a remote file include issue due to insufficient sanitization of user-supplied input to the "mod_root" parameter of the "include.php" script. Shadowed Portal version 5.7 is vulnerable.
  • Ref: http://www.securityfocus.com/bid/21753
  • 07.1.49 - CVE: Not Available
  • Platform: Web Application
  • Title: Made Simple Comment Form HTML Injection
  • Description: CMS Made Simple is a content management system. It is prone to an HTML injection vulnerability due to insufficient input sanitization of the comment form when submitting user comments. CMS Made Simple version 1.0.2 is reportedly vulnerable.
  • Ref: http://www.securityfocus.com/bid/21756
  • 07.1.50 - CVE: Not Available
  • Platform: Web Application
  • Title: Ciberia Content Federator Maquetacion_Socio.PHP Remote File Include
  • Description: Ciberia Content Federator is a web-based blog application. Insufficient sanitization of the "path" parameter of the "maquetacion_socio.php" script exposes the application to a remote file include issue. Ciberia Content Federator version 1.0 is affected.
  • Ref: http://www.securityfocus.com/bid/21757
  • 07.1.51 - CVE: CVE-2006-5282
  • Platform: Web Application
  • Title: SH-News Misc.PHP Remote File Include
  • Description: SH-News is a web-based news manager application. It is vulnerable to a remote file include issue due to insufficient sanitization of user-supplied input to the "news_cfg[path]" parameter of the "misc.php" script. SH-News version 0.93 is vulnerable.
  • Ref: http://www.securityfocus.com/bid/21761
  • 07.1.52 - CVE: Not Available
  • Platform: Web Application
  • Title: Luckybot DIR Parameter Multiple Remote File Include Vulnerabilities
  • Description: Multiple remote file include vulnerabilities affect Luckybot because the application fails to properly sanitize user-supplied input to the "dir" parameter of the "run.php" and "classes/ircbot.class.php" scripts before using it in a PHP "include()" function call. Luckybot version 3 is vulnerable and other versions may also be affected.
  • Ref: http://www.securityfocus.com/bid/21765
  • 07.1.53 - CVE: Not Available
  • Platform: Web Application
  • Title: phpCMS Class.Cache_PHPCMS.PHP Remote File Include
  • Description: phpCMS is a content management system. Insufficient sanitization of the "PHPCMS_INCLUDEPATH" parameter of the "includes/class.cache_phpcms.php" script exposes the application to a remote file include issue. phpCMS version 1.1.7 is affected.
  • Ref: http://www.securityfocus.com/bid/21768
  • 07.1.54 - CVE: Not Available
  • Platform: Web Application
  • Title: Irokez CMS Multiple Remote File Include Vulnerabilities
  • Description: Irokez CMS is a content management application. It is exposed to multiple remote file include issues because the application fails to properly sanitize user-supplied input before using it in a PHP "include()" function call. Versions 0.7.1 and earlier are affected.
  • Ref: http://www.securityfocus.com/bid/21769
  • 07.1.55 - CVE: Not Available
  • Platform: Web Application
  • Title: MTCMS Admin_Settings.PHP Remote File Include
  • Description: MTCMS is a web-based content manager application. It is vulnerable to a remote file include issue due to insufficient sanitization of user-supplied input to the "ins_file" parameter of the "admin/admin_settings.php" script. MTCMS version 2.0 is vulnerable.
  • Ref: http://www.securityfocus.com/bid/21770
  • 07.1.56 - CVE: Not Available
  • Platform: Web Application
  • Title: Open Newsletter Settings.PHP Authentication Bypass
  • Description: Open Newsletter is a web-based application. It is exposed to an authentication bypass issue because the software fails to perform sufficient authentication checking in the "settings.php" script. As a result, sensitive information may be disclosed. Versions 2.0 thru 2.5 are affected.
  • Ref: http://www.securityfocus.com/bid/21775
  • 07.1.57 - CVE: Not Available
  • Platform: Web Application
  • Title: BE IT EasyPartner Joomla! Component Multiple Remote File Include Vulnerabilities
  • Description: BE IT EasyPartner is a component for the Joomla! content management system. Insufficient sanitization of use-supplied input exposes the application to multiple remote file include issues. BE IT EasyPartner version 0.0.9 beta is affected.
  • Ref: http://www.securityfocus.com/bid/21776
  • 07.1.58 - CVE: Not Available
  • Platform: Web Application
  • Title: Wordpress Template.PHP HTML Injection
  • Description: Wordpress is a blog application. It is vulnerable to an HTML injection issue due to insufficient sanitization of user-supplied input to the "file" parameter of the "template.php" script. Wordpress versions 2.0.5 and earlier are vulnerable.
  • Ref: http://michaeldaw.org/
  • 07.1.59 - CVE: Not Available
  • Platform: Web Application
  • Title: myPHPCalendar Cal_Dir Parameter Multiple Remote File Include Vulnerabilities
  • Description: myPHPCalendar is a content management system. It is exposed to multiple remote file include vulnerabilities because it fails to sufficiently sanitize user-supplied input to the "cal_dir" parameter of various scripts. myPHPCalendar version 10.1 is vulnerable and other versions may also be affected.
  • Ref: http://www.securityfocus.com/bid/21785
  • 07.1.60 - CVE: Not Available
  • Platform: Web Application
  • Title: Hosting Controller FolderManager.ASPX Directory Traversal
  • Description: Hosting Controller is a set of hosting automation tools. It is prone to a directory traversal vulnerability due to insufficient sanitization of the "BrowsePath" parameter of the "FolderManager.ASPX" script. Hosting Controller version 7C is reportedly vulnerable.
  • Ref: http://www.securityfocus.com/bid/21786
  • 07.1.61 - CVE: Not Available
  • Platform: Web Application
  • Title: AlstraSoft Web Host Directory Administrator Password Change
  • Description: Web Host Directory is a web hosting directory and comparison application. It is prone to a vulnerability that may permit attackers to change the administrative password simply by navigating to the "admin/config" page. AlstraSoft Web Host Directory version 1.2 is vulnerable.
  • Ref: http://www.securityfocus.com/bid/21787
  • 07.1.62 - CVE: Not Available
  • Platform: Web Application
  • Title: PHP-Update Admin Upload.PHP Arbitrary File Upload Vulnerability
  • Description: PHP-Update is a content management system. It is exposed to an arbitrary file upload vulnerability because it fails to sufficiently sanitize user-supplied input to the "admin/upload.php" script. Versions 2.7 and earlier are affected.
  • Ref: http://www.securityfocus.com/bid/21789
  • 07.1.63 - CVE: Not Available
  • Platform: Web Application
  • Title: Yrch! Plug.inc.PHP Remote File Include
  • Description: Yrch! is a web directory hierarchy application. Insufficient sanitization of the "path" parameter of the "plug.inc.php" script exposes the application to a remote file include issue. Yrch! versions 1.0 and prior are vulnerable.
  • Ref: http://www.securityfocus.com/bid/21794
  • 07.1.64 - CVE: Not Available
  • Platform: Web Application
  • Title: Fantastic News Multiple Remote File Include Vulnerabilities
  • Description: Fantastic News is a news reader. It is exposed to multiple remote file include vulnerabilities because it fails to sufficiently sanitize user-supplied input to the "CONFIG" parameter of the "archive.php" and "headlines.php" scripts. Fantastic News 2.1.4 is affected.
  • Ref: http://www.securityfocus.com/bid/21796
  • 07.1.65 - CVE: Not Available
  • Platform: Web Application
  • Title: Limbo CMS Event Module Remote File Include
  • Description: Limbo CMS event module is a component of the Limbo content management system. Insufficient sanitization of the "lm_absolute_path" parameter of the "mod_eventcal.php" script exposes the application to a remote file include issue. Limbo CMS event module version 1.0 is affected.
  • Ref: http://www.securityfocus.com/bid/21798
  • 07.1.66 - CVE: Not Available
  • Platform: Web Application
  • Title: Cacti CMD.PHP Remote Command Execution
  • Description: Cacti is exposed to a remote command execution vulnerability. This issue is due to a failure in the application to properly sanitize user-supplied input. Cacti versions 0.8.6i and earlier are affected.
  • Ref: http://www.securityfocus.com/bid/21799

(c) 2007. All rights reserved. The information contained in this newsletter, including any external links, is provided "AS IS," with no express or implied warranty, for informational purposes only. In some cases, copyright for material in this newsletter may be held by a party other than Qualys (as indicated herein) and permission to use such material must be requested from the copyright owner.

Subscriptions: @RISK is distributed free of charge to people responsible for managing and securing information systems and networks. You may forward this newsletter to others with such responsibility inside or outside your organization.

SANS is the ultimate security training program, bar none. It is the most intensive and informative security conference available. It's a must have for infosec professionals.
-Aaron Despain, TriWest Healthcare Alliance

SANSFIRE 2010

Contact us: (301) 654-SANS(7267)
Monday - Friday 9am-8pm EST/EDT