Summary of Security Items from May 4 through May 10, 2005
The CISA Vulnerability Bulletin provides a summary of new vulnerabilities that have been recorded in the past week. In some cases, the vulnerabilities in the bulletin may not yet have assigned CVSS scores.
Vulnerabilities are based on the Common Vulnerabilities and Exposures (CVE) vulnerability naming standard and are organized according to severity, determined by the Common Vulnerability Scoring System (CVSS) standard. The division of high, medium, and low severities corresponds to the following scores:
- High: vulnerabilities with a CVSS base score of 7.0–10.0
- Medium: vulnerabilities with a CVSS base score of 4.0–6.9
- Low: vulnerabilities with a CVSS base score of 0.0–3.9
Entries may include additional information provided by organizations and efforts sponsored by CISA. This information may include identifying information, values, definitions, and related links. Patch information is provided when available. Please note that some of the information in the bulletin is compiled from external, open-source reports and is not a direct result of CISA analysis.
Information in the US-CERT Cyber Security Bulletin is a compilation and includes information published by outside sources, so the information should not be considered the result of US-CERT analysis. Software vulnerabilities are categorized in the appropriate section reflecting the operating system on which the vulnerability was reported; however, this does not mean that the vulnerability only affects the operating system reported, since this information is obtained from open-source information.
This bulletin provides a summary of new or updated vulnerabilities, exploits, trends, viruses, and trojans. Updates to vulnerabilities that appeared in previous bulletins are listed in bold text. The text in the Risk column appears in red for vulnerabilities ranking High. The risk levels applied to vulnerabilities in the Cyber Security Bulletin are based on how the "system" may be impacted. The Recent Exploit/Technique table contains a "Workaround or Patch Available" column that indicates whether a workaround or patch has been published for the vulnerability which the script exploits.
Vulnerabilities
The table below summarizes vulnerabilities that have been identified, even if they are not being exploited. Complete details about patches or workarounds are available from the source of the information or from the URL provided in the section. CVE numbers are listed where applicable. Vulnerabilities that affect both Windows and Unix Operating Systems are included in the Multiple Operating Systems section.
Note: All the information included in the following tables has been discussed in newsgroups and on web sites.
The Risk levels defined below are based on how the system may be impacted:
- High - A high-risk vulnerability is defined as one that will allow an intruder to immediately gain privileged access (e.g., sysadmin or root) to the system or allow an intruder to execute code or alter arbitrary system files. An example of a high-risk vulnerability is one that allows an unauthorized user to send a sequence of instructions to a machine and the machine responds with a command prompt with administrator privileges.
- Medium - A medium-risk vulnerability is defined as one that will allow an intruder immediate access to a system with less than privileged access. Such a vulnerability will allow the intruder the opportunity to continue the attempt to gain privileged access. An example of a medium-risk vulnerability is a server configuration error that allows an intruder to capture the password file.
- Low - A low-risk vulnerability is defined as one that will provide information to an intruder that could lead to further compromise attempts or a Denial of Service (DoS) attack. It should be noted that while the DoS attack is deemed low from a threat potential, the frequency of this type of attack is very high. DoS attacks against mission-critical nodes are not included in this rating and any attack of this nature should instead be considered to be a "High" threat.
Multiple Operating Systems - Windows / UNIX / Linux / Other
Vendor & Software Name | Vulnerability - Impact / Patches - Workarounds / Attacks Scripts | Common Name / CVE Reference | Risk | Source
Advanced Guestbook 2.3.1 | A vulnerability has been reported in the 'index.php' entry parameter No workaround or patch available at time of publishing. There is no exploit code required; however, Proofs of Concept exploits | Advanced Guestbook 'Index.PHP' SQL Injection | High | Security Focus, 13548, May 9, 2005 |
iTunes 4.2 .72, 4.5-4.7.1 | A buffer overflow vulnerability has been reported in MPEG-4 file Updates available at: Currently we are not aware | | Low/ High (High if arbitrary code can be executed) | Apple Security Advisory, APPLE-SA-2005-05-09, May 9, 2005 |
BirdBlog 1.0 .0, 1.1 .0, 1.2 .0, 1.2.1, 1.3 .0 | A vulnerability has been reported in BB code due to insufficient sanitization, which could let a remote malicious user execute arbitrary JavaScript code. Upgrades available at: Currently we are not aware of any exploits for this | BirdBlog BB Code Arbitrary JavaScript Execution | High | Secunia Advisory, SA15206, May 3, 2005 |
CJ Ultra Plus 1.0.3, 1.0.4 | A vulnerability has been reported in the 'out.php' script due to insufficient sanitization of the 'perm' variable, which could let a remote malicious user execute arbitrary SQL code. No workaround or patch available at time of publishing. There is no exploit code required; however, a Proof of Concept exploit | | High | Secunia Advisory, |
CodeThatShoppingCart 1.3.1 | Several vulnerabilities have been reported: a Cross-Site Scripting and SQL injection vulnerability was reported in 'catalog.php' due to insufficient sanitization of the 'id' parameter, which could let a remote malicious user execute arbitrary HTML and script code or arbitrary SQL code; and a vulnerability was reported in the 'config.ini' file due to insecure storage of user credentials, which could let a remote malicious user obtain sensitive information. No workaround or patch available at time of publishing. There is no exploit code required; however, Proofs of Concept exploits | CodeThat.com CodeThat ShoppingCart Multiple Input Validation | Medium/ High (High if arbitrary code can be executed) | Secunia Advisory, SA15251, May 9, 2005 |
Easy Message Board | A vulnerability was reported in the 'easymsgb.pl' script due to No workaround or patch available at time of publishing. There is no exploit code required; however, Proofs of Concept exploits | Easy Message Board Directory Traversal & Remote Command Execution | Medium/ High (High if arbitrary code can be executed) | SoulBlack Security Research, May 8, 2005 |
e107 website system 0.617 | Multiple vulnerabilities have been reported: a vulnerability was reported in 'search.php' due to insufficient verification of the 'search_info[0][sfile]' parameter, which could let a remote malicious user execute arbitrary code; a vulnerability was reported in the 'request.php' script due to insufficient verification of input before used to view files, which could let a remote malicious user obtain sensitive information; a vulnerability was reported in the 'forum_viewforum.php' script due to insufficient sanitization of input before used in an SQL query, which could let a remote malicious user execute arbitrary SQL code; and a vulnerability was reported due to errors in the use of 'extract(),' which could let a remote malicious user obtain administrative privileges. No workaround or patch available at time of publishing. There is no exploit code required; however, Proofs of Concept exploits | e107 Multiple Vulnerabilities | Medium/ High (High if administrative privileges can be obtained or if arbitrary code | Secunia Advisory, SA15282, May 10, 2005 |
FishCart 3.1 | Several vulnerabilities have been reported: a Cross-Site Scripting No workaround or patch available at time of publishing. There is no exploit code required; however, Proofs of Concept exploits | FishNet FishCart Multiple Cross-Site Scripting & SQL | High | Secunia Advisory, SA15242, May 4, 2005 |
PHP-Nuke 0.75 -RC3, 0.726 -3, 1.0, 2.5, 3.0, 4.0, 4.3, 4.4, 4.4.1 a, | A vulnerability has been reported due to insufficient input validation of double hex-encoded potentially dangerous characters, which could let a remote malicious user execute arbitrary code. No workaround or patch available at time of publishing. Proofs of Concept exploits have been published. | Francisco Burzi PHP Nuke Double Hex Encoded Input Validation | High | Security Focus, 13557, May 9, 2005 |
Fusion SBX 1.2 & prior | A vulnerability has been reported in 'index.php' because the 'extract()' function is used insecurely, which could let a remote malicious user bypass authentication and execute arbitrary code. No workaround or patch available at time of publishing. There is no exploit code required. | Fusion SBX Authentication Bypass & Arbitrary Code Execution | Medium/ High (High if arbitrary code can be executed) | Secunia Advisory, SA15257, May 10, 2005 |
Gossamer Threads Links 2.x, 2.2 .x, Links-SQL 3.0 | A Cross-Site Scripting vulnerability has been reported in the Update available at: http://www.gossamer-threads.com/scripts/links-sql/download.htm There is no exploit code required; however, a Proof of Concept exploit | | High | Security Tracker Alert, 1013891, May 5, 2005 |
ArticleLive 2005 | Multiple vulnerabilities have been reported which could let a remote No workaround or patch available at time of publishing. There is no exploit code required; however, Proofs of Concept exploits | | High | Security Focus, 13493, May 4, 2005 |
Invision Power Board 1.x, 2.x | Several vulnerabilities have been reported: a Cross-Site vulnerability Upgrades available at: An exploit script has been published. | Invision Power Cross-Site Scripting & SQL Injection | High | GulfTech Security |
JGS-Portal 3.0.1 | A vulnerability has been reported in 'jgs_portal.php' due to Upgrade available at: A Proof of Concept exploit has been published. | JGS-Portal ID Variable SQL Injection | High | Security Tracker Alert, 1013866, May 3, 2005 |
Subject Search Server 1.1 | A Cross-Site Scripting vulnerability has been reported due to No workaround or patch available at time of publishing. There is no exploit code required. | Kryloff Technologies Subject Search Server 'Search For' Cross-Site Scripting | High | Secunia Advisory, SA15288, May 10, 2005 |
LibTomCrypt 1.0-1.0.2 | A vulnerability has been reported in the signature generation The vendor reports that LibTomCrypt version 1.03 will be released on Currently we are not aware of any exploits for this | LibTomCrypt Valid Signature Generation | Medium | Secunia Advisory, SA15233, May 4, 2005 |
MegaBook 2.0, 2.1 | A Cross-Site Scripting vulnerability has been reported due to No workaround or patch available at time of publishing. There is no exploit code required; however, Proofs of Concept exploits | MegaBook Cross-Site Scripting | High | Security Focus, 13522, May 5, 2005 |
MidiCart PHP Shopping Cart | Multiple vulnerabilities have been reported: SQL injection vulnerabilities were reported due to insufficient sanitization of the 'SearchString' parameter in 'Search_list.php,' the 'MainGroup' parameter in 'Item_List.PHP,' the 'SecondGroup' parameter in 'Item_List.PHP,' the 'Code_No' parameter in 'Item_Show.PHP,' which could let a remote malicious user execute arbitrary SQL code; and Cross-Site Scripting vulnerabilities were reported due to insufficient sanitization of the 'SearchString' parameter in 'Search_List.php,' the 'SecondGroup' parameter in 'Item_list.php,' the 'Maingroup' parameter in 'Item_list.php,' which could let a remote malicious user execute arbitrary HTML and script code. No workaround or patch available at time of publishing. There is no exploit code required; however, Proofs of Concept exploits | MidiCart PHP Shopping Cart SQL Injection & Cross-Site Scripting | High | hackgen- 2005-#004, May 5, 2005 |
Firefox 1.x, 0.x, | A vulnerability exists because a website can inject content into another site's window if the target name of the window is known, which could let a remote malicious user spoof the content of websites Gentoo: http://security.gentoo.org/glsa/glsa-200503-10.xml Fedora: http://download.fedora.redhat.com/pub/fedora/linux/core/updates/3/ Gentoo: http://security.gentoo.org/glsa/glsa-200503-30.xml Slackware: RedHat: SGI: A Proof of Concept exploit has been published. Vulnerability has appeared in the press and other public media. | | Medium | Secunia SA13129, December 8, 2004 Gentoo Linux Security Advisory GLSA 200503-10, March 4, 2005 Fedora Update Notifications, Fedora Update Notifications, Gentoo Linux Security Advisory, GLSA 200503-30, March 25, 2005 Slackware Security Advisory, March 28, 2005 RedHat Security Advisory, RHSA-2005:384-11, April 28, 2005 SGI Security Advisory, 20050501-01-U, May 5, 2005 |
Mozilla Browser 1.0-1.0.2, 1.1-1.7.6, Firefox 0.8-0.10.1, 1.0.1, 1.0.2; | Multiple vulnerabilities have been reported: a vulnerability was reported in the 'EMBED' tag for non-installed plugins when processing the 'PLUGINSPAGE' attribute due to an input validation error, which could let a remote malicious user execute arbitrary code; a vulnerability was reported because blocked popups that are opened through the GUI incorrectly run with 'chrome' privileges, which could let a remote malicious user execute arbitrary code; a vulnerability was reported because the global scope of a window or tab are not cleaned properly before navigating to a new web site, which could let a remote malicious user execute arbitrary code; a vulnerability was reported because the URL of a 'favicons' icon for a web site isn't verified before changed via JavaScript, which could let a remote malicious user execute arbitrary code with elevated privileges; a vulnerability was reported because the search plugin action URL is not properly verified before used to perform a search, which could let a remote malicious user execute arbitrary code; a vulnerability was reported due to the way links are opened in a sidebar when using the '_search' target, which could let a remote malicious user execute arbitrary code; several input validation vulnerabilities were reported when handling invalid type parameters passed to 'InstallTrigger' and 'XPInstall' related objects, which could let a remote malicious user execute arbitrary code; and vulnerabilities were reported due to insufficient validation of DOM nodes in certain privileged UI code, which could let a remote malicious user execute arbitrary code. Upgrades available at: http://www.mozilla.org/products/mozilla1.x/ Gentoo: http://security.gentoo.org/glsa/glsa-200504-18.xml RedHat: http://rhn.redhat.com/errata/RHSA-2005-383.html http://rhn.redhat.com/errata/RHSA-2005-386.html TurboLinux: SUSE: RedHat: SGI: There is no exploit code required. | Mozilla Suite / Firefox Multiple Vulnerabilities CAN-2005-0752 (http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2005-0752) | High | Mozilla Foundation Security Advisories, 2005-35 - 2005-41, April 16, Gentoo Linux Security Advisory, GLSA 200504-18, April 19, 2005 RedHat Security Advisories, RHSA-2005:383-07 & RHSA-2005-386., Turbolinux Security Advisory, TLSA-2005-49, April 21, 2005 SUSE Security Announcement, SUSE-SA:2005:028, April 27, 2005 RedHat Security Advisory, RHSA-2005:384-11, April 28, 2005 SGI Security Advisory, 20050501-01-U, May 5, 2005 |
Mozilla Suite prior to 1.7.6, Firefox prior to 1.0.2 | A vulnerability has been reported when processing drag and drop operations due to insecure XUL script loading, which could let a remote malicious user execute arbitrary code. Mozilla Browser: Firefox: Fedora: Gentoo: http://security.gentoo.org/glsa/glsa-200503-30.xml Slackware: http://slackware.com/security/viewer.php?l=slackware-security&y=2005&m=slackware-security.000123 RedHat: SGI: A Proof of Concept exploit has been published. | | High | Mozilla Foundation Security Advisory 2005-32, March 23, 2005 RedHat Security Advisory, RHSA-2005:384-11, April 28, 2005 SGI Security Advisory, 20050501-01-U, May 5, 2005 |
Firefox 1.0 | A vulnerability exists in the XPCOM implementation that could let a remote malicious user execute arbitrary code. The exploit can be automated in conjunction with other reported vulnerabilities so no user interaction is required. A fixed version (1.0.1) is available at: http://www.mozilla.org/products/firefox/all.html Fedora: Gentoo: http://security.gentoo.org/glsa/glsa-200503-30.xml SGI: A Proof of Concept exploit has been published. | | High | Security Tracker Alert ID: 1013301, February 25, 2005 Gentoo Linux Security Advisory GLSA 200503-30, March 25, 2005 SGI Security Advisory, 20050501-01-U, May 5, 2005 |
Firefox Preview Release, 0.8, 0.9 rc, 0.9-0.9.3, 0.10, 0.10.1, | Several vulnerabilities have been reported: a vulnerability was Workaround: Proofs of Concept exploit scripts have been published. | | High | Secunia Advisory, |
Mozilla 0.x, 1.0, 1.1, 1.2, 1.3, 1.4, 1.5, 1.6, 1.7.x Mozilla Firefox 0.x Mozilla Thunderbird 0.x | Multiple vulnerabilities exist in Firefox, Mozilla and Thunderbird that Mozilla: Update to version 1.7.5: http://www.mozilla.org/products/mozilla1.x/ Firefox: Update to version 1.0: http://www.mozilla.org/products/firefox/ Thunderbird: Update to version 1.0: http://www.mozilla.org/products/thunderbird/ Fedora: http://download.fedora.redhat.com/pub/fedora/linux/core/updates/3/ Slackware: http://slackware.com/security/viewer.php?l=slackware-security&y=2005&m=slackware-security.000123 RedHat: SGI: Currently we are not aware of any exploits for these | Mozilla Firefox, CAN-2005-0141 (http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2005-0141) | Medium/ High (High if arbitrary code can be executed) | Mozilla Foundation Security Advisory 2005-01, 03, 04, 07, 08, 09, 10, Fedora Update Notification, Slackware Security Advisory, SSA:2005-085-01, March 27, 2005 RedHat Security Advisory, RHSA-2005:384-11, April 28, 2005 SGI Security Advisory, 20050501-01-U, May 5, 2005 |
Mozilla 1.7.x and prior Mozilla Firefox 1.x and prior Mozilla Thunderbird 1.x and prior Netscape Netscape 7.2 | Multiple vulnerabilities exist in Firefox, Mozilla and Thunderbird. Firefox: Update to version 1.0.1: http://www.mozilla.org/products/firefox/ Mozilla: Thunderbird: Fedora update for Firefox: http://download.fedora.redhat.com/pub/fedora/linux/core/updates/ Red Hat: http://rhn.redhat.com/errata/RHSA-2005-176.html Gentoo: SUSE: Fedora: http://download.fedora.redhat.com/pub/fedora/linux/core/updates/3/ Gentoo: http://security.gentoo.org/glsa/glsa-200503-30.xml Slackware: SGI: Currently we are not aware of any exploits for these | Mozilla / Firefox / Thunderbird Multiple Vulnerabilities CAN-2005-0255 (http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2005-0255) | High | Mozilla Foundation Security Advisories 2005-14, 15, 17, 18, 19, 20, 21, Red Hat RHSA-2005:176-11, March 1, 2005 Gentoo, GLSA 200503-10, March 4, 2005 SUSE Security Announcement, SUSE-SA:2005:016, March 16, 2005 Fedora Update Notification, Gentoo Linux Security Advisory, GLSA 200503-30 & GLSA 200503-032, Slackware Security Advisory, SSA:2005-085-01, March 27, 2005 SGI Security Advisory, 20050501-01-U, May 5, 2005 |
Mozilla Firefox 1.0 and 1.0.1 | A vulnerability exists that could let remote malicious users conduct Gentoo: http://security.gentoo.org/glsa/glsa-200503-30.xml RedHat: SGI: A Proof of Concept exploit has been published. | | High | Secunia SA14406, March 1, 2005 Gentoo Linux Security Advisory, GLSA 200503-30, March 25, 2005 RedHat Security Advisory, RHSA-2005:384-11, April 28, 2005 SGI Security Advisory, 20050501-01-U, May 5, 2005 |
Maximo Self Service 4.0, 5.0 | A vulnerability has been reported in the 'maximo_installation' directory because files are not recognized as server-side executable scripts, which could let a remote malicious user obtain sensitive information. No workaround or patch available at time of publishing. There is no exploit code required. | MRO Maximo Self Service Script Disclosure | Medium | Security Focus, 13508, May 5, 2005 |
Mozilla Firefox 1.0; Gentoo Linux; Thunderbird 0.6, 0.7- 0.7.3, 0.8, | There are multiple vulnerabilities in Mozilla Firefox. A remote user A fix is available via the CVS repository Fedora: ftp://aix.software.ibm.com/aix/efixes/security/perl58x.tar.Z Red Hat: http://rhn.redhat.com/errata/RHSA-2005-176.html Gentoo: Thunderbird: http://download.mozilla.org/?product=thunderbird-1.0.2&os=win Gentoo: http://security.gentoo.org/glsa/glsa-200503-30.xml RedHat: SGI: A Proof of Concept exploit has been published. | Mozilla Firefox Multiple Vulnerabilities CAN-2005-0230 (http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2005-0230) | High | Security Tracker Alert ID: 1013108, February 8, 2005 Fedora Update Notification, Red Hat RHSA-2005:176-11, March 1, 2005 Gentoo, GLSA 200503-10, March 4, 2005 Security Focus, 12468, March 22, 2005 Gentoo Linux Security Advisory, GLSA 200503-30, March 25, 2005 RedHat Security Advisory, RHSA-2005:384-11, April 28, 2005 SGI Security Advisory, 20050501-01-U, May 5, 2005 |
Mozilla.org Mozilla Browser 1.7.6, Firefox 1.0.1, 1.0.2; K-Meleon | A vulnerability has been reported in the javascript implementation due The vendor has issued a fix, available via CVS. RedHat: http://rhn.redhat.com/errata/RHSA-2005-383.html http://rhn.redhat.com/errata/RHSA-2005-386.html Slackware: http://www.mozilla.org/projects/security/known-vulnerabilities.html TurboLinux: SUSE: RedHat: SGI: There is no exploit code required; however, a Proof of Concept exploit | | Medium | Security Tracker Alert, 1013635, April 4, 2005 Security Focus, 12988, April 16, 2005 RedHat Security Advisories, RHSA-2005:383-07 & RHSA-2005:386-08, Turbolinux Security Advisory, TLSA-2005-49, April 21, 2005 Slackware Security Advisory, SSA:2005-111-04, April 22, 2005 SUSE Security Announcement, SUSE-SA:2005:028, April 27, 2005 RedHat Security Advisory, RHSA-2005:384-11, April 28, 2005 SGI Security Advisory, 20050501-01-U, May 5, 2005 |
IETF RFC 2406: IPSEC | A vulnerability has been reported that affects certain configurations No workaround or patch available at time of publishing. Currently we are not aware of any exploits for this | | Medium | NISCC Vulnerability Advisory, IPSEC - 004033, May 9, 2005 |
MPlayer 1.0pre6 & prior; Xine 0.9.9-1.0; Peachtree Linux release | Several vulnerabilities have been reported: a buffer overflow Patches available at: Gentoo: http://security.gentoo.org/glsa/glsa-200504-19.xml Patches available at: Gentoo: SUSE: Slackware: Ubuntu: Currently we are not aware of any exploits for these | | High | Security Tracker Alert, 1013771, April 20, 2005 Gentoo Linux Security Advisory, Peachtree Linux Security Notice, Xine Security Announcement, Gentoo Linux Security Advisory, SUSE Security Summary Report, Slackware Security Ubuntu Security Notice, USN-123-1, |
Multiple (See advisory | A vulnerability exists that affects implementations of the Transmission List of updates available at: NetBSD: ftp://ftp.netbsd.org/pub/NetBSD/security/patches/SA2004-006-kernel/netbsd-1-6/ SCO: ftp://ftp.sco.com/pub/updates/UnixWare/SCOSA-2005.14 ftp://ftp.sco.com/pub/updates/OpenServer/SCOSA-2005.9 SGI: http://www.sgi.com/support/security/ SCO: ftp://ftp.sco.com/pub/updates/OpenServer/SCOSA-2005.3 SCO: Proofs of Concept exploits have been published. | | Low/High (High if arbitrary code can be executed) | NISCC Vulnerability Advisory, 236929, US-CERT Technical Cyber Security Alert TA04-111A http://www.us-cert.gov/cas/techalerts/TA04-111A.html SGI Security Advisory, 20040905-01-P, SCO Security Advisory, SCOSA-2005.3, March 1, 2005 SCO Security Advisory, SCOSA-2005.14, May 5, 2005 |
Net56 Browser Based File Manager 1.0 | A vulnerability has been reported due to insufficient password No workaround or patch available at time of publishing. There is no exploit code required. | Net56 Browser Based File Manager Authentication Bypass | Medium | Security Focus, 13547, May 9, 2005 |
Remote File Manager 1.0 | A remote Denial of Service vulnerability has been reported due to an No workaround or patch available at time of publishing. There is no exploit code required. | NiteEnterprises Remote File Manager Denial of Service | Low | Secunia Advisory, SA15299, May 9, 2005 |
NukeSentinel 2.1.3, 2.1.4 | A vulnerability has been reported due to insufficient input validation of hex-encoded potentially dangerous characters, which could let a remote malicious user execute arbitrary code. No workaround or patch available at time of publishing. Proofs of Concept exploits have been published. | NukeScripts NukeSentinel Input Validation | High | Security Focus, 13556, May 9, 2005 |
Oracle10g Application Server 10.1.0.3.1, 10.1 .0.3, 10.1 .0.2, | A vulnerability has been reported because 'create job' privileges can This issue has reportedly been addressed in the There is no exploit code required; however, a Proof of Concept exploit | Oracle 10g 'DBMS_Scheduler' Elevated Privileges | Medium | Red Database Security Advisory, May 5, 2005 |
Oracle10g Enterprise Edition 9.0.4 .0, 10.1.0.4, 10.1 .0.3.1, 10.1 | A vulnerability has been reported in the Fine Grained Audit (FGA) functionality because it can be inadvertently disabled, which could lead to a false sense of security. It is reported that this issue is addressed for Oracle Database 10g, by There is no exploit code required; however, a Proof of Concept exploit | Oracle 9i/10g Database Fine Grained Audit Logging | Medium | Red Database Security Advisory, May 5, 2005 |
Notes mod | An SQL injection vulnerability has been reported in the The vendor has addressed this issue in There is no exploit code required; however, a Proof of Concept exploit | | High | GulfTech Security Research Team Advisory, April 28, 2005 Security Focus, 13417, May 10, 2005 |
PHP Advanced Transfer Manager 1.21 | A vulnerability has been reported due to the way file uploads are No workaround or patch available at time of publishing. There is no exploit code required; however, Proofs of Concept exploits | PHP Advanced Transfer Manager Arbitrary File Upload | High | Secunia Advisory, |
PHP 4.0-4.0.7, 4.0.7 RC1-RC3, 4.1 .0-4.1.2, 4.2 .0-4.2.3, 4.3-4.3.8, | A vulnerability exists in the 'open_basedir' directory setting due to a Ubuntu: http://security.ubuntu.com/ubuntu/pool/main/p/php4/ FedoraLegacy: http://download.fedoralegacy.org/redhat/ RedHat: SGI: There is no exploit code required; however, a Proof of Concept exploit | | Medium | Security Tracker Alert ID, 1011984, October 28, 2004 Ubuntu Security Notice, USN-66-1, January 20, 2005 Ubuntu Security Notice, USN-66-2, February 17, 2005 Fedora Legacy Update Advisory, FLSA:2344, March 7, 2005 RedHat Security Advisory, RHSA-2005:405-06, April 28, 2005 SGI Security Advisory, 20050501-01-U, May 5, 2005 |
PHP prior to 5.0.4; Peachtree Linux release 1 | Multiple Denial of Service vulnerabilities have been reported in Upgrade available at: Ubuntu: Slackware: Debian: SUSE: Gentoo: Mandrake: http://www.mandrakesecure.net/en/ftp.php Peachtree: http://peachtree.burdell.org/updates/ TurboLinux: RedHat: SGI: Currently we are not aware of any exploits for these | | Low | iDEFENSE Security Advisory, Ubuntu Security Notice, USN-105-1, April 05, 2005 Slackware Security Advisory, SSA:2005- Debian Security Advisory, DSA 708-1, April 15, 2005 SUSE Security Announcement, SUSE-SA:2005:023, April 15, 2005 Gentoo Linux Security Advisory, GLSA 200504-15, April 18, 2005 Mandriva Linux Security Update Advisory, MDKSA-2005:072, April 19, 2005 Peachtree Linux Security Notice, PLSN-0001, April 21, 2005 Turbolinux Security Advisory, TLSA-2005-50, April 28, 2005 RedHat Security Advisory, RHSA-2005:405-06, April 28, 2005 SGI Security Advisory, 20050501-01-U, May 5, 2005 |
phpBB prior to 2.0.15 | A vulnerability has been reported in 'includes/bbcode.php' due to Update available at: Currently we are not aware of any exploits for this | phpBB 'bbcode.php' Input Validation | High | Security Tracker Alert, 1013918, May 9, 2005 |
SiteStudio 1.6 Patch 1, 1.6 Final | A vulnerability has been reported because user-supplied HTML and script code may be able to access properties of the site, which could let a remote malicious user execute arbitrary code. Patch information available at: There is no exploit code required. | Positive Software Corporation SiteStudio HTML Injection | High | Security Focus, 13554, May 9, 2005 |
H-Sphere Winbox 2.4.2, 2.4.3 | A vulnerability has been reported in application log files due to the storage of user account information in plaintext, which could let a remote malicious user obtain sensitive information. Upgrades available at: There is no exploit code required. | Positive Software Corporation H-Sphere Winbox Sensitive Logfile Content Disclosure | Medium | EXPL-A-2005-007 exploitlabs.com Advisory, May 9, 2005 |
PunBB 1.0, RC1&RC2, beta1-beta3, alpha, 1.0.1, 1.1-1.1.5, | Two vulnerabilities have been reported: a vulnerability was reported in the 'profile.php' script due to insufficient sanitization, which could let a remote malicious user obtain administrative access; and a Cross-Site Scripting vulnerability has been reported due to insufficient sanitization of user-supplied input, which could let a remote malicious user execute arbitrary HTML and script code. Upgrades available at: There is no exploit code required; however, a Proof of Concept exploit | | High | Secunia Advisory, Security Focus, 13071, May 9, 2005 |
PunBB 1.2.3 | A vulnerability has been reported due to insufficient validation of the 'email' and 'Jabber' fields, which could let a remote malicious user execute arbitrary code. Upgrade available at: There is no exploit code required; however, a Proof of Concept exploit | | High | Security Tracker Alert, 1013446, March 16, 2005 Security Focus, 12828, May 9, 2005 |
PwsPHP 1.2.1, 1.2.2 Final, 1.2.2 | Multiple vulnerabilities have been reported: Cross-Site Scripting Upgrades available at: There is no exploit code required; however, Proofs of Concept exploits | | Medium/ High (High if arbitrary code can be executed) | Secunia Advisory, SA15315, May 10, 2005 |
RealPlayer G2, 6.0 Win32, 6.0, 7.0 Win32, 7.0 Unix, 7.0 Mac, 8.0 Win32, | A vulnerability has been reported when a specially crafted media file is opened, which could let a remote malicious user execute arbitrary code. No workaround or patch available at time of publishing. Currently we are not aware of any exploits for this vulnerability. | RealNetworks RealPlayer Unspecified Code Execution | High | eEye Digital Security Advisory, EEYEB-20050504, May 5, 2005 |
Remote Cart | A Cross-Site Scripting vulnerability has been reported in the No workaround or patch available at time of publishing. A Proof of Concept exploit has been published. | Remote Cart Cross-Site Scripting | High | Security Tracker Alert, 1013903, May 6, 2005 |
AT-Lite .8, AutoTheme 1.7 | A vulnerability has been reported in 'modules/Blocks/pnadmin.php'. The impact was not specified. Temporary fix available at: There is no exploit code required. | Spidean AutoTheme for PostNuke Blocks Module | Not Specified | Security Tracker Alert, 1013908, May 6, 2005 |
OpenOffice 1.1.4, 2.0 Beta | A vulnerability has been reported due to a heap overflow when a specially crafted malformed '.doc' file is opened, which could lead to a Denial of Service or execution of arbitrary code. Fedora: Gentoo: SUSE: RedHat: http://rhn.redhat.com/errata/RHSA-2005-375.html SGI: Mandriva: Ubuntu: Currently we are not aware of any exploits for this | Low/ High (High if arbitrary code can be executed) | Security Focus, 13092, Fedora Update Notification, Gentoo Linux Security Advisory, GLSA 200504-13, April 15, 2005 SUSE Security Announcement, SUSE-SA:2005:025, April 19, 2005 RedHat Security Advisory, RHSA-2005:375-07, April 25, 2005 SGI Security Advisory, 20050501-01-U, May 5, 2005 Mandriva Linux Security Update Advisory, MDKSA-2005:082, May 6, Ubuntu Security Notice, USN-121-1, May 06, | |
StorEdge 6130 Array | A vulnerability has been reported in Sun StorEdge 6130 controller arrays with a serial number in the range of 0451AWF00G - 0513AWF00J, which could let a local/remote malicious user obtain unauthorized access. Sun recommends that customers contact their Sun authorized service There is no exploit code required. | Sun StorEdge 6130 Array Unauthorized Access | Medium | Sun(sm) Alert Notification, 57771, May 5, 2005 |
NukeET 3.0, NukeET 3.1 | A Cross-Site Scripting vulnerability has been reported in the Patch available at: A Proof of Concept exploit has been published. | Tru-Zone NukeET Base64 Codigo Variable Cross-Site | High | Security Focus, 13570, May 10, 2005 |
Web Crossing 5.0 09FEB04, 5.0 | A Cross-Site Scripting vulnerability has been reported due to No workaround or patch available at time of publishing. There is no exploit code required; however, a Proof of Concept exploit | WebCrossing 'WebX' Cross-Site Scripting | High | Secunia Advisory, SA15218, May 3, 2005 |
Web Forum 1.6-1.62 | An SQL injection vulnerability has been reported in 'View_User.php' due to insufficient sanitization, which could let a remote malicious user execute arbitrary SQL code. No workaround or patch available at time of publishing. There is no exploit code required; however, a Proof of Concept exploit | WowBB 'View_User.PHP' SQL Injection | High | Security Focus, 13569, May 10, 2005 |
Recent Exploit Scripts/Techniques
The table below contains a sample of exploit scripts and "how to" guides identified during this period. The "Workaround or Patch Available" column indicates if vendors, security vulnerability listservs, or Computer Emergency Response Teams (CERTs) have published workarounds or patches.
Note: At times, scripts/techniques may contain names or content that may be considered offensive.
Date of Script | Script name | Workaround or Patch Available | Script Description |
May 9, 2005 | datatrac_dos.c | No | Script that exploits the DataTrac Remote Denial of Service vulnerability. |
May 9, 2005 | ethereal-SMB-DoS.c | Yes | Script that exploits the Ethereal Multiple Remote Protocol Dissector Vulnerabilities. |
May 8, 2005 | 4d_Webstar_exp.c | No | Script that exploits the 4D WebStar Tomcat Plugin Remote Buffer Overflow vulnerability. |
May 8, 2005 | yourinfo.zip cheese.txt ffrc.txt | Yes | Scripts that exploit the Mozilla Firefox Install Method Remote Arbitrary Code Execution vulnerability. |
May 7, 2005 | dc_BKForum_4.txt | No | Example exploit URL for the BK Forum SQL Injection Vulnerability. |
May 7, 2005 | dc_metabid_sqlinj.txt | No | Example exploit URL for the Metalinks MetaBid Three SQL Injection Vulnerabilities. |
May 7, 2005 | dc_metacart_eshop8_sqlinj.txt dc_metacart_sqling.txt dc_MetaCart2PayPal_sqlinj.txt dc_MetaCart2SQL_sqlinj.txt | No | Example exploit URLs for the Metalinks MetaCart Multiple SQL Injection Vulnerabilities. |
May 7, 2005 | dc_phpcoin.txt | No | Example exploit URL for the phpCOIN Multiple SQL Injection vulnerability. |
May 7, 2005 | invision.php | Yes | Script that exploits the Invision Power SQL Injection vulnerability. |
May 7, 2005 | StorePortal2.63_sqlinj.txt | No | Example exploit URL for the Media Online Store Portal SQL Injection Vulnerability. |
May 7, 2005 | tripp_test.1c.tar.gz | N/A | A utility that rewrites outgoing IP packets that is useful for performing replay attacks, altering your own OS fingerprint, or for bypassing remote firewalls. |
May 7, 2005 | yaggs.c | N/A | Sniffer for "Gadu Gadu", which is a chat program in the style of MS Messenger/Yahoo Messenger, but aimed at Poland / Polish-speaking people. |
May 5, 2005 | ethereal-0.10.11.tar.gz | N/A | A GTK+-based network protocol analyzer, or sniffer, that lets you capture and interactively browse the contents of network frames. |
May 4, 2005 | dSMTP_fmt.c | No | Script that exploits the NetWin DMail DSMTP Remote Format String vulnerability. |
May 2, 2005 | WebRoot.pl | N/A | A bruteforce directory/file scanner that looks for files and directories on a website which might contain interesting data, but which are not referenced anywhere on the site (for example, include-files and database files located under the webroot). |
April 28, 2005 | rkhunter-1.2.4.tar.gz | N/A | Rootkit Hunter scans files and systems for known and unknown rootkits, backdoors, and sniffers. |
Trends
- Spear phishers evade usual spam defenses: A new method called 'spear phishing' that evades traditional anti-phishing defenses is being used by Internet scammers. Spear phishing is more specific, because it typically targets a handful of people who are employees of an organization. In one method, the phisher harvests specific email addresses, either through a phone call or through a company website, and then sends four or five employees a message from a spoofed address purporting to be part of their IT or human resources department. With a spoofed internal address, spear-phishing emails appear to come from within a company and people tend to be more trusting. Source: http://www.stuff.co.nz/stuff/0,2106,3274129a28,00.html.
- U.S. most vulnerable to identity theft: According to a report published by a Boston, Mass.-based research firm, Aite Group, the United States is the most prone to identity theft among developed countries. Identity theft occurs seven times more frequently in the U.S. than in other industrialized regions, like the United Kingdom. Additionally, in continental Western Europe and Japan, identity theft is a non-event. Report summary: http://www.aitegroup.com/reports/200504043.php. Source: http://www.financetech.com/news/showArticle.jhtml?articleID=162600200.
- Identity theft is top problem according to executive: According to a top executive at the computer security firm, McAfee Inc., the biggest computer security issues facing consumers and businesses today are identity and information theft. Hackers are no longer interested in breaking into computer systems and causing them to crash. Instead, they now want to keep a system up and running so they can steal information from it or use it as a launching pad for attacks against other computers. Source: http://www.canada.com/technology/story.html?id=d4a55ba3-85e3-4399-847c-dddc35af62c3.
- Fraudsters deploy botnets to sustain phishing attacks: Botnets controlled by fraudsters are running their own Domain Name System (DNS) nameservers on compromised computers. The technique can keep phishing sites accessible longer by making the nameservers a widely distributed moving target amongst thousands of compromised machines within a bot network. Source: http://news.netcraft.com/archives/2005/05/04/fraudsters_deploy_botnets_as_dns_servers_to_sustain_phishing_attacks.html.
- Users untouched by mobile viruses despite hype: According to WDSGlobal, the threat of mobile phone viruses has been exaggerated. WDSGlobal, which handles 100,000 specialist data support calls every month, found that less than 10 of the 275,000 calls received in the first quarter of 2005 related to mobile phone viruses. The company handles second-line support for data problems and would be the first contacted with mobile data virus issues. Source: http://www.theregister.co.uk/2005/05/05/mobile_virus_hype_debunked/.
Viruses/Trojans
Top Ten Virus Threats
A list of high threat
viruses, as reported to various anti-virus vendors and virus incident reporting
organizations, has been ranked and categorized in the table below. For the
purposes of collecting and collating data, infections involving multiple systems
at a single location are considered a single infection. It is therefore possible
that a virus has infected hundreds of machines but has only been counted once.
With the number of viruses that appear each month, it is possible that a new
virus will become widely distributed before the next edition of this
publication. To limit the possibility of infection, readers are reminded to
update their anti-virus packages as soon as updates become available. The table
lists the viruses by ranking (number of sites affected), common virus name, type
of virus code (i.e., boot, file, macro, multi-partite, script), trends (based on
number of infections reported since last week), and approximate date first
found.
Rank | Common Name | Type of Code | Trends | Date |
1 | Netsky-P | Win32 Worm | Stable | March 2004 |
2 | Bagle-BJ | Win32 Worm | Stable | January 2005 |
3 | Zafi-D | Win32 Worm | Stable | December 2004 |
4 | Netsky-Q | Win32 Worm | Stable | March 2004 |
5 | Zafi-B | Win32 Worm | Stable | June 2004 |
6 | Netsky-D | Win32 Worm | Stable | March 2004 |
7 | Netsky-Z | Win32 Worm | Stable | April 2004 |
8 | Netsky-B | Win32 Worm | Stable | February 2004 |
9 | Bagle-AU | Win32 Worm | Stable | October 2004 |
10 | Bagle.BB | Win32 Worm | Stable | September 2004 |
Table Updated May 10, 2005
Viruses or Trojans Considered to be a High Level of Threat
- Oscabot: A Trojan continued to spread among America Online instant messaging clients, and installs its backdoor on the infected PC when trusting users click on a link within the line "Check out this" or "i thought youd wanna see this" from a buddy on their AIM contact list. The Trojan doesn't spread automatically when users download and run the file linked in the instant message. Instead, it opens a port and listens for instructions on IRC (Internet Relay Chat); the attacker must specifically order each infected machine to start spreading. Source: http://www.techweb.com/wire/security/163100341
The following table
provides, in alphabetical order, a list of new viruses, variations of previously
encountered viruses, and Trojans that have been discovered during the period
covered by this bulletin. This information has been compiled from the following
anti-virus vendors: Sophos, Trend Micro, Symantec, McAfee, Network Associates,
Central Command, F-Secure, Kaspersky Labs, MessageLabs, Panda Software, Computer
Associates, and The WildList Organization International. Users should keep
anti-virus software up to date and should contact their anti-virus vendors to
obtain specific information on the Trojans and Trojan variants that anti-virus
software detects.
NOTE: At
times, viruses and Trojans may contain names or content that may be considered
offensive.