Summary of Security Items from January 1 to January 4, 2006
The CISA Vulnerability Bulletin provides a summary of new vulnerabilities that have been recorded by the National Institute of Standards and Technology (NIST) National Vulnerability Database (NVD) in the past week. NVD is sponsored by CISA. In some cases, the vulnerabilities in the bulletin may not yet have assigned CVSS scores. Please visit NVD for updated vulnerability entries, which include CVSS scores once they are available.
Vulnerabilities are based on the Common Vulnerabilities and Exposures (CVE) vulnerability naming standard and are organized according to severity, determined by the Common Vulnerability Scoring System (CVSS) standard. The division of high, medium, and low severities corresponds to the following scores:
- High: vulnerabilities with a CVSS base score of 7.0–10.0
- Medium: vulnerabilities with a CVSS base score of 4.0–6.9
- Low: vulnerabilities with a CVSS base score of 0.0–3.9
Entries may include additional information provided by organizations and efforts sponsored by CISA. This information may include identifying information, values, definitions, and related links. Patch information is provided when available. Please note that some of the information in the bulletin is compiled from external, open-source reports and is not a direct result of CISA analysis.
Information in the US-CERT Cyber Security Bulletin is a compilation that includes information published by outside sources; it should therefore not be considered the result of US-CERT analysis. Software vulnerabilities are categorized in the section for the operating system on which the vulnerability was reported; this does not mean that the vulnerability affects only that operating system, since the information is obtained from open-source reports.
This bulletin provides a summary of new or updated vulnerabilities, exploits, trends, viruses, and trojans. Updates to vulnerabilities that appeared in previous bulletins are listed in bold text. The text in the Risk column appears in red for vulnerabilities ranking High. The risk levels applied to vulnerabilities in the Cyber Security Bulletin are based on how the "system" may be impacted. The Recent Exploit/Technique table contains a "Workaround or Patch Available" column that indicates whether a workaround or patch has been published for the vulnerability that the script exploits.
Vulnerabilities
The table below summarizes vulnerabilities that have been identified, even if they are not being exploited. Complete details about patches or workarounds are available from the source of the information or from the URL provided in the section. CVE numbers are listed where applicable. Vulnerabilities that affect both Windows and Unix Operating Systems are included in the Multiple Operating Systems section.
Note: All the information included in the following tables has been discussed in newsgroups and on web sites.
The Risk levels defined below are based on how the system may be impacted:
Note: Even though a vulnerability may allow several malicious acts to be performed, only the highest level risk will be defined in the Risk column.
- High - A high-risk vulnerability is defined as one that will allow an intruder to immediately gain privileged access (e.g., sysadmin or root) to the system or allow an intruder to execute code or alter arbitrary system files. An example of a high-risk vulnerability is one that allows an unauthorized user to send a sequence of instructions to a machine and the machine responds with a command prompt with administrator privileges.
- Medium - A medium-risk vulnerability is defined as one that will allow an intruder immediate access to a system with less than privileged access. Such a vulnerability gives the intruder the opportunity to continue the attempt to gain privileged access. An example of a medium-risk vulnerability is a server configuration error that allows an intruder to capture the password file.
- Low - A low-risk vulnerability is defined as one that will provide information to an intruder that could lead to further compromise attempts or a Denial of Service (DoS) attack. It should be noted that while the DoS attack is deemed low from a threat potential, the frequency of this type of attack is very high. DoS attacks against mission-critical nodes are not included in this rating and any attack of this nature should instead be considered to be a "High" threat.
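The three definitions above, together with the "patch available" and "exploit published" phrases that recur in every row, are what an operator actually sorts on when this bulletin arrives. The following Python is an added example written for this page, not a US-CERT tool: it parses rows in the bulletin's pipe-separated layout, derives the patch and exploit status from the row text, and orders the entries so that High-risk, unpatched items with public exploit code surface first. The sample rows are copied from this bulletin's Windows table; the field names, the phrase matching and the ordering rule are this example's own choices.

```python
"""Triage the bulletin's pipe-separated vulnerability rows (added example)."""
import re
from dataclasses import dataclass

# Order used by the bulletin: High outranks Medium outranks Low.
RISK_ORDER = {"High": 3, "Medium": 2, "Low": 1}

# Sample rows copied from this bulletin's Windows table (header row included so
# the parser has to skip it). Column layout: product | description | common name | risk | source.
SAMPLE_ROWS = """\
Vendor & Software Name | Vulnerability - Impact Patches - Workarounds Attack Scripts | Common Name / CVE Reference | Risk | Source |
ArcPad 7.0.0.156 | A buffer overflow vulnerability has been reported in ArcPad that could let remote malicious users execute arbitrary code. No workaround or patch available at time of publishing. Currently we are not aware of any exploits for this vulnerability. | ArcPad Arbitrary Code Execution | High | Secunia, Advisory: SA18294, January 4, 2006 |
dBpowerAMP Music Converter 11.5 and prior | A buffer overflow vulnerability has been reported in dBpowerAMP Music Converter that could let remote malicious users execute arbitrary code. No workaround or patch available at time of publishing. An exploit has been published. | dBpowerAMP Music Converter Arbitrary Code Execution | High | Security Tracker, Alert ID: 1015415, December 28, 2005 |
Windows Meta File (WMF) Graphics Rendering Engine | A vulnerability has been reported in the Windows Meta File (WMF) Graphics Rendering Engine that could let remote malicious users execute arbitrary code. A vendor solution is available. Currently we are not aware of any exploits for this vulnerability. | Microsoft Windows WMF Rendering Engine Arbitrary Code Execution CVE-2005-4560 | High | Microsoft, Security Advisory 912840, December 28, 2005 |
Interaction SIP Proxy 3.0.010 | A buffer overflow vulnerability has been reported in Interaction SIP Proxy that could let remote malicious users cause a Denial of Service. A vendor solution is available. A Proof of Concept exploit has been published. | Interaction SIP Proxy Denial of Service | Low | Security Tracker, Alert ID: 1015392, December 21, 2005 |
"""

# Matches "An exploit has been published", "A Proof of Concept exploit has been
# published", "Proof of Concept exploits have been published" and
# "An exploit script has been published".
EXPLOIT_RE = re.compile(r"exploits?(?: script)? ha(?:s|ve) been published")


@dataclass
class Entry:
    product: str
    description: str
    common_name: str
    risk: str
    source: str

    @property
    def unpatched(self) -> bool:
        return "no workaround or patch available" in self.description.lower()

    @property
    def exploit_public(self) -> bool:
        return EXPLOIT_RE.search(self.description.lower()) is not None

    @property
    def cves(self) -> list[str]:
        return re.findall(r"CVE-\d{4}-\d{4,}", self.common_name)


def parse_rows(text: str) -> list[Entry]:
    """Keep only lines that split into the five columns with a known risk value."""
    entries = []
    for line in text.splitlines():
        cells = [c.strip() for c in line.strip().strip("|").split("|")]
        if len(cells) != 5 or cells[3] not in RISK_ORDER:
            continue  # header rows, section banners, malformed rows
        entries.append(Entry(*cells))
    return entries


def triage(entries: list[Entry]) -> list[Entry]:
    """Highest risk first; within a level, unpatched before patched, then entries
    with public exploit code before the rest (stable for full ties)."""
    return sorted(
        entries,
        key=lambda e: (RISK_ORDER[e.risk], e.unpatched, e.exploit_public),
        reverse=True,
    )


def urgent(entries: list[Entry]) -> list[Entry]:
    """High-risk entries that are either unpatched or already have public exploit code."""
    return [e for e in triage(entries) if e.risk == "High" and (e.unpatched or e.exploit_public)]


if __name__ == "__main__":
    for e in urgent(parse_rows(SAMPLE_ROWS)):
        print(f"{e.risk:6} unpatched={e.unpatched!s:5} exploit={e.exploit_public!s:5} {e.product}")
```

The phrase matching is deliberately tied to the bulletin's fixed wording; a row that says "Currently we are not aware of any exploits" is not counted as having public exploit code, and a row with no patch sentence at all is treated as patched, so rows with damaged text should be reviewed by hand rather than trusted to the parser.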
Windows Operating Systems Only | ||||
Vendor & Software Name | Vulnerability - Impact Patches - Workarounds Attack Scripts | Common Name / CVE Reference | Risk | Source |
Acidcat CMS 2.1.13 | A vulnerability has been reported in Acidcat CMS that could let remote malicious users perform SQL injection. A vendor solution is available. There is no exploit code required; however, a Proof of Concept exploit has been published. | Acidcat CMS SQL Injection Vulnerability | Medium | Secunia Advisory: SA18097, December 19, 2005 Security Focus, ID: 15933, December 27, 2005 |
Allinta 2.3.2 and prior | A vulnerability has been reported in Allinta that could let remote malicious users conduct Cross-Site Scripting. A vendor solution is available; contact the vendor for details. There is no exploit code required; however, a Proof of Concept exploit has been published. | Allinta Cross Site Scripting | Medium | Secunia, Advisory: SA18060, December 19, 2005 Security Focus, ID: 15935, December 27, 2005 |
VisNetic Mail Server 8.3.0 build 1 | Multiple vulnerabilities have been reported in VisNetic Mail Server that could let remote malicious users disclose information, execute arbitrary code, or obtain arbitrary file permissions. A vendor solution is available. There is no exploit code required; however, a Proof of Concept exploit has been published. | VisNetic Mail Server Multiple Vulnerabilities | High | Secunia, Advisory: SA17865, December 27, 2005 |
Dopewars 1.5.7 and prior | A vulnerability has been reported in Dopewars that could let a remote malicious user execute arbitrary code. A vendor solution is available. Currently we are not aware of any exploits for this vulnerability. | Dopewars Arbitrary Code Execution | High | Security Focus, ID: 16104, December 30, 2005 |
ArcPad 7.0.0.156 | A buffer overflow vulnerability has been reported in ArcPad that could let remote malicious users execute arbitrary code. No workaround or patch available at time of publishing. Currently we are not aware of any exploits for this vulnerability. | ArcPad Arbitrary Code Execution | High | Secunia, Advisory: SA18294, January 4, 2006 |
WorldMail Server 3.0 IMAPd Service 6.1.19.0 | A buffer overflow vulnerability has been reported in WorldMail Server that could let remote malicious users execute arbitrary code. No workaround or patch available at time of publishing. Currently we are not aware of any exploits for this vulnerability. | Eudora WorldMail Server Arbitrary Code Execution | High | Security Tracker, Alert ID: 1015391, December 21, 2005 |
FTGate 4.4 | An input validation vulnerability has been reported in FTGate that could let malicious users conduct Cross-Site Scripting. No workaround or patch available at time of publishing. A Proof of Concept exploit has been published. | FTGate Cross Site Scripting | Medium | Security Tracker, Alert ID: 1015399, December 22, 2005 |
GraphOn GO-Global for Windows | A buffer overflow vulnerability has been reported in GraphOn GO-Global for Windows that could let a remote malicious user execute arbitrary code or cause a Denial of Service. A vendor solution is available; contact the vendor for details. A Proof of Concept exploit has been published. | GraphOn GO-Global For Windows Denial of Service or Arbitrary Code Execution | High | Security Focus, ID: 15285, November 2, 2005 Security Focus, ID: 15285, November 21, 2005 |
PortalApp, SiteEnable 3.3 and prior | A vulnerability has been reported in SiteEnable and PortalApp that could let remote malicious users conduct Cross-Site Scripting. No workaround or patch available at time of publishing. There is no exploit code required; however, a Proof of Concept exploit has been published. | Iatek SiteEnable and PortalApp Cross Site Scripting | Medium | Secunia, Advisory: SA18201, December 22, 2005 |
ProjectApp 3.3 and prior | Multiple vulnerabilities have been reported in ProjectApp that could let remote malicious users conduct Cross-Site Scripting. No workaround or patch available at time of publishing. There is no exploit code required; however, a Proof of Concept exploit has been published. | Iatek ProjectApp Cross Site Scripting | Medium | Secunia, Advisory: SA18199, December 22, 2005 |
IceWarp WebMail, Merak Mail Server 8.3.0.r, Deerfield VisNetic Mail Server 8.3.0 build 1 | Multiple vulnerabilities have been reported in IceWarp WebMail that could let remote malicious users execute arbitrary code. No workaround or patch available at time of publishing. There is no exploit code required; however, a Proof of Concept exploit has been published. | IceWarp Web Mail Arbitrary Code Execution | High | Security Focus, ID: 16069, December 27, 2005 |
dBpowerAMP Music Converter 11.5 and prior | A buffer overflow vulnerability has been reported in dBpowerAMP Music Converter that could let remote malicious users execute arbitrary code. No workaround or patch available at time of publishing. An exploit has been published. | dBpowerAMP Music Converter Arbitrary Code Execution | High | Security Tracker, Alert ID: 1015415, December 28, 2005 |
Interaction SIP Proxy 3.0.010 | A buffer overflow vulnerability has been reported in Interaction SIP Proxy that could let remote malicious users cause a Denial of Service. A vendor solution is available. A Proof of Concept exploit has been published. | Interaction SIP Proxy Denial of Service | Low | Security Tracker, Alert ID: 1015392, December 21, 2005 |
NetScreen-Security Manager 2004 FP2, FP3 | A vulnerability has been reported in NetScreen-Security Manager that could let remote malicious users cause a Denial of Service. No workaround or patch available at time of publishing. Currently we are not aware of any exploits for this vulnerability. | Juniper NetScreen-Security Manager Denial of Service | Low | Security Focus, ID: 16075, December 28, 2005 |
Golden FTP Server 1.92 | A buffer overflow vulnerability has been reported in Golden FTP Server that could let remote malicious users cause a Denial of Service or execute arbitrary code. No workaround or patch available at time of publishing. Currently we are not aware of any exploits for this vulnerability. | Golden FTP Server Denial of Service or Arbitrary Code Execution | High | Secunia, Advisory: SA18245, December 26, 2005 |
LogiSphere 0.9.9j | A directory traversal vulnerability has been reported in LogiSphere that could let remote malicious users cause a Denial of Service. A vendor solution is available. There is no exploit code required; however, a Proof of Concept exploit has been published. | LogiSphere Denial of Service | Low | Secunia, Advisory: SA17989, December 12, 2005 Security Focus, ID: 15807, December 27, 2005 |
VirusScan Enterprise 8.0i, Common Management Agent 3.X, ePolicy Orchestrator 3.X.X, ProtectionPilot | A vulnerability has been reported in 'NaPrdMgr.exe' of Common Management Agent 3.X, a component shared by multiple McAfee products, that could let local malicious users obtain elevated privileges. A vendor solution is available. There is no exploit code required; however, a Proof of Concept exploit has been published. | McAfee VirusScan Privilege Elevation | Medium | Security Tracker, Alert ID: 1015404, December 23, 2005 |
Microsoft Windows | This security advisory was published to notify users that systems infected with Sober.Z may download and run malicious files beginning on January 6, 2006. A vendor solution is available. | Microsoft Sober.Z Notification | High | Microsoft, Security Advisory 912920, January 3, 2006 |
Windows Meta File (WMF) Graphics Rendering Engine | A vulnerability has been reported in the Windows Meta File (WMF) Graphics Rendering Engine that could let remote malicious users execute arbitrary code. A vendor solution is available. Currently we are not aware of any exploits for this vulnerability. | Microsoft Windows WMF Rendering Engine Arbitrary Code Execution CVE-2005-4560 | High | Microsoft, Security Advisory 912840, December 28, 2005 |
Dev Hound 2.24 and prior | A vulnerability has been reported in Dev Hound that could let remote malicious users disclose information or insert scripts. A vendor solution is available. There is no exploit code required. | Dev Hound Information Disclosure or Script Insertion | Medium | Secunia, Advisory: SA18164, December 22, 2005 |
eFileGo 3.01 | Multiple vulnerabilities have been reported in eFileGo that could let remote malicious users disclose information, cause a Denial of Service, or execute arbitrary commands. No workaround or patch available at time of publishing. A Proof of Concept exploit has been published. | eFileGo Multiple Vulnerabilities | High | Secunia, Advisory: SA18279, January 2, 2006 |
Spb Kiosk Engine 1.0.0.1 | A vulnerability has been reported in Spb Kiosk Engine that could let local malicious users disclose information, including the administrative password. No workaround or patch available at time of publishing. Currently we are not aware of any exploits for this vulnerability. | Spb Kiosk Engine Information Disclosure | Medium | Security Tracker, Alert ID: 1015413, December 27, 2005 |
Symantec AntiVirus | A buffer overflow vulnerability has been reported in Symantec AntiVirus that could let remote malicious users execute arbitrary code. A vendor solution is available. Currently we are not aware of any exploits for this vulnerability. | Symantec AntiVirus Arbitrary Code Execution CVE-2005-4438 | High | Symantec, SYM05-027, December 21, 2005 |
Sygate Protection Agent 5.0 build 6144, Enterprise Protection Suite | A vulnerability has been reported in Sygate Protection Agent that could let local malicious users bypass security restrictions. No workaround or patch available at time of publishing. There is no exploit code required. | Sygate Protection Agent Security Bypassing | Medium | Secunia, Advisory: SA18175, December 22, 2005 |
Tangora Portal CMS 4.0 | A vulnerability has been reported in Tangora Portal CMS that could let remote malicious users conduct Cross-Site Scripting. No workaround or patch available at time of publishing. A Proof of Concept exploit has been published. | Tangora Portal CMS Cross-Site Scripting | Medium | Secunia, Advisory: SA18206, December 22, 2005 |
TUGZip 3.4.0 | A buffer overflow vulnerability has been reported in TUGZip that could let remote malicious users execute arbitrary code. No workaround or patch available at time of publishing. There is no exploit code required. | TUGZip Arbitrary Code Execution | High | Secunia, Advisory: SA17086, December 30, 2005 |
VMware 5.5 build 18007 & prior | A vulnerability has been reported in VMware that could let remote malicious users execute arbitrary code. A vendor solution is available. Currently we are not aware of any exploits for this vulnerability. | VMware Arbitrary Code Execution | High | Security Tracker, Alert ID: 1015401, December 22, 2005 |
Site News 3.06 and prior, Journal 1.0 and prior, Polls 3.06 and prior, Database Login 1.71 and prior | A vulnerability has been reported in multiple Web Wiz products that could let remote malicious users perform SQL injection. Vendor solutions are available for Site News, Journal, Polls, and Database Login. There is no exploit code required; however, a Proof of Concept exploit has been published. | Web Wiz Multiple Product SQL Injection | Medium | Secunia, Advisory: SA18263, January 2, 2006 |
WebWasher CSM Suite 5.0, CSM Appliance | A vulnerability has been reported in CSM Suite and CSM Appliance that could let remote malicious users bypass security restrictions. No workaround or patch available at time of publishing. There is no exploit code required. | WebWasher Security Bypassing | Medium | Security Focus, ID: 16047, December 22, 2005 |
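Most of the Medium entries in the Windows table are the same two web-application defects: an SQL query assembled from request parameters (Acidcat CMS, Web Wiz) and submitted text copied unescaped into a page (Allinta, FTGate, Tangora, the Iatek products). The following Python is an added example written for this page, not code from any of those products. It puts the vulnerable pattern beside its fix for both classes using an in-memory SQLite table; the 'news' table, the guestbook rendering and the payloads are constructed for illustration.

```python
"""SQL injection and HTML injection: vulnerable pattern beside the fix (added example)."""
import html
import sqlite3


def make_db() -> sqlite3.Connection:
    """Constructed 'news' table: one published item and two unpublished drafts."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE news (id INTEGER PRIMARY KEY, title TEXT, published INTEGER)")
    conn.executemany(
        "INSERT INTO news VALUES (?, ?, ?)",
        [(1, "Public item", 1), (2, "Draft item", 0), (3, "Another draft", 0)],
    )
    return conn


def fetch_news_vulnerable(conn: sqlite3.Connection, news_id: str) -> list[tuple]:
    # The request parameter is pasted into the statement, so it can extend the
    # WHERE clause: "1 OR 1=1" turns it into
    #   ... WHERE (published = 1 AND id = 1) OR 1=1
    # and every row, drafts included, comes back.
    sql = "SELECT id, title FROM news WHERE published = 1 AND id = " + news_id
    return conn.execute(sql).fetchall()


def fetch_news_safe(conn: sqlite3.Connection, news_id: str) -> list[tuple]:
    # Validate the type, then bind the value; a bound parameter is data, never SQL.
    try:
        nid = int(news_id)
    except ValueError:
        return []
    return conn.execute(
        "SELECT id, title FROM news WHERE published = 1 AND id = ?", (nid,)
    ).fetchall()


def render_entry_vulnerable(name: str, homepage: str) -> str:
    # Guestbook-style output with the submitted fields copied straight into HTML.
    return f'<li><a href="{homepage}">{name}</a></li>'


def render_entry_safe(name: str, homepage: str) -> str:
    # Escape for the HTML text and attribute contexts, and additionally restrict
    # the URL scheme: html.escape alone would still let "javascript:..." through in href.
    url = homepage if homepage.lower().startswith(("http://", "https://")) else "#"
    return f'<li><a href="{html.escape(url, quote=True)}">{html.escape(name)}</a></li>'


if __name__ == "__main__":
    db = make_db()
    print(fetch_news_vulnerable(db, "1 OR 1=1"))  # leaks the drafts
    print(fetch_news_safe(db, "1 OR 1=1"))        # []
    print(render_entry_vulnerable("<script>alert(1)</script>", "javascript:alert(1)"))
    print(render_entry_safe("<script>alert(1)</script>", "javascript:alert(1)"))
```

The point of the safe variants is that the fix is structural: the query shape is fixed before any user data is bound, and the output encoding is chosen by the context the data lands in (text node, quoted attribute, URL), which is why the href needs a scheme check on top of escaping.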
UNIX / Linux Operating Systems Only | ||||
Vendor & Software Name | Vulnerability - Impact Patches - Workarounds Attack Scripts | Common Name / CVE Reference | Risk | Source |
Adaptive Website Framework 2.10 | Several vulnerabilities have been reported: a Cross-Site Scripting vulnerability was reported due to insufficient sanitization of the 'page' parameter before returning to the user, which could let a remote malicious user execute arbitrary HTML and script code; and a path disclosure vulnerability was reported due to insufficient verification of the 'mode' parameter, which could let a remote malicious user obtain sensitive information. No workaround or patch available at time of publishing. There is no exploit code required. | Adaptive Website Framework Cross-Site Scripting & Path Disclosure | Medium | Security Focus, Bugtraq ID: 15937, December 19, 2005 |
Debian Linux 3.1 (sparc, s/390, ppc, mipsel, mips, m68k, ia-64, ia-32, hppa, arm, amd64, alpha), 3.0 (sparc, s/390, ppc, mipsel, mips, m68k, ia-64, ia-32, hppa, arm, alpha) | A vulnerability has been reported due to the insecure creation of temporary files by 'register-p.sh' and 'register-q.sh,' which could let a malicious user overwrite arbitrary files. Updates available from Debian. There is no exploit code required. | Debian 'register-p.sh' / 'register-q.sh' Insecure Temporary File Creation | Medium | Debian Security Advisory, DSA 928-1, December 27, 2005 |
Dropbear SSH Server prior to 0.47 | A buffer overflow vulnerability has been reported in 'svr_chan. Updates available from Debian and Gentoo. Currently we are not aware of any exploits for this vulnerability. | Dropbear SSH Server Buffer Overflow | High | Secunia Advisory: SA18108, December 19, 2005 Debian Security Advisory, DSA-923-1, December 19, 2005 Gentoo Linux Security Advisory, GLSA 200512-13, December 23, 2005 |
Gentoo Linux | A vulnerability has been reported in the ebuild for pinentry, which could let a malicious user obtain elevated privileges. Updates available from Gentoo. There is no exploit code required. | Gentoo Pinentry Elevated Privileges | Medium | Gentoo Linux Security Advisory, GLSA 200601-01, January 3, 2006 |
cpio 1.0-1.3, 2.4.2, 2.5, 2.5.90, 2.6 | A vulnerability has been reported when an archive is extracted into a world- or group-writable directory: because file permissions are set in a non-atomic sequence of operations after the file is created, a malicious user could modify the permissions of arbitrary files. Updates available from Trustix, Mandriva, RedHat, SGI, SCO, Avaya, Conectiva, Ubuntu, and Debian. There is no exploit code required. | CPIO Extraction File Permission Race Condition | Medium | Bugtraq, 395703 Trustix Secure Linux Security Advisory, TSLSA-2005-0030, June 24, 2005 Mandriva Linux Security Advisory RedHat Security Advisory, RHSA-2005:378-17, July 21, 2005 SGI Security Advisory, 20050802-01-U, August 15, 2005 SCO Security Advisory, SCOSA-2005.32, August 18, 2005 Avaya Security Advisory, ASA-2005-191, September 6, 2005 Conectiva Linux Announcement, CLSA-2005:1002, September 13, 2005 Ubuntu Security Notice, USN-189-1, September 29, 2005 Debian Security Advisory, DSA 846-1, October 7, 2005 RedHat Security Advisory, RHSA-2005:806-8, November 10, 2005 SCO Security Advisory, SCOSA-2006.2, January 3, 2006 |
cpio 2.6 | A Directory Traversal vulnerability has been reported when invoking cpio on a malicious archive, which could let a remote malicious user obtain sensitive information. Updates available from Gentoo, Trustix, Mandriva, SCO, Avaya, Conectiva, Ubuntu, and Debian. A Proof of Concept exploit has been published. | CPIO Directory Traversal | Medium | Bugtraq Gentoo Linux Security Advisory Trustix Secure Linux Security Advisory Mandriva Linux Security Update Advisory SCO Security Advisory, SCOSA-2005.32, August 18, 2005 Avaya Security Advisory, ASA-2005-191, September 6, 2005 Conectiva Linux Announcement, CLSA-2005:1002, September 13, 2005 Ubuntu Security Notice, USN-189-1, September 29, 2005 Debian Security Advisory, DSA 846-1, October 7, 2005 SCO Security Advisory, SCOSA-2006.2, January 3, 2006 |
cpio 2.6, 2.5 | A Denial of Service vulnerability has been reported due to a buffer overflow when cpio attempts to create an archive containing extremely large files. Mandriva: Ubuntu: Currently we are not aware of any exploits for this vulnerability. | CPIO File Size Stack Denial of Service | Low | Mandriva Linux Security Advisory MDKSA-2005:237, December 23, 2005 Ubuntu Security Notice, USN-234-1, January 02, 2006 |
IBM AIX 5.3L, 5.3 | A file disclosure vulnerability has been reported in 'getShell' and 'getCommand' which could let a malicious user obtain sensitive information. No workaround or patch available at time of publishing. A Proof of Concept exploit has been published. | IBM AIX GetShell & GetCommand File Disclosure | Medium | XFOCUS Security Team Advisory, xfocus-SD-060101, January 1, 2006 |
IBM AIX 5.3L, 5.3 | A vulnerability has been reported in 'getShell' and 'getCommand' which could let a malicious user enumerate the existence of files on the computer that they would not ordinarily be able to see. No workaround or patch available at time of publishing. A Proof of Concept exploit has been published. | IBM AIX GetShell & GetCommand File Enumeration | Medium | XFOCUS Security Team Advisory, xfocus-SD-060101, January 1, 2006 |
ImageMagick 6.2.4.5 | A vulnerability has been reported in the delegate code used by various ImageMagick utilities when handling an image filename, which could let a remote malicious user execute arbitrary commands. No workaround or patch available at time of publishing. There is no exploit code required. | ImageMagick Utilities Image Filename Remote Command Execution | Medium | Secunia Advisory: SA18261, December 30, 2005 |
KETM 0.0.6 | A buffer overflow vulnerability has been reported in 'support.c' when formatting error messages for display, which could let a malicious user execute arbitrary code with group 'games' privileges. Debian: Currently we are not aware of any exploits for this vulnerability. | KETM Buffer Overflow | Medium | Debian Security Advisory DSA 926-1, December 23, 2005 |
LibTIFF 3.4, 3.5.1-3.5.5, 3.5.7, 3.6.0, 3.6.1, 3.7, 3.7.1 | A buffer overflow vulnerability has been reported in the 'TIFFOpen()' function when opening malformed TIFF files, which could let a remote malicious user execute arbitrary code. Patches available from Gentoo, Ubuntu, SuSE, TurboLinux, Debian, and SCO. Currently we are not aware of any exploits for this vulnerability. | LibTIFF 'TIFFOpen()' Buffer Overflow | High | Gentoo Linux Security Advisory, GLSA 200505-07, May 10, 2005 Ubuntu Security Notice SUSE Security Summary Report, SUSE-SR:2005:014 Turbolinux Debian Security Advisory, DSA 755-1, July 13, 2005 SCO Security Advisory SCO Security Advisory, SCOSA-2006.3, January 3, 2006 |
Bugzilla 2.16-2.16.10, 2.14-2.14.5, 2.12, 2.10, 2.9 | A vulnerability has been reported due to the insecure creation of the 'tmpsyncshadow' temporary file, which could let a malicious user obtain elevated privileges. Patches are available. There is no exploit code required. | Bugzilla Script Insecure Temporary File Creation | Medium | Secunia Advisory: SA18218, December 26, 2005 |
ISC BIND 8.4.4, 8.4.5 | A remote Denial of Service vulnerability exists in the 'q_usedns' array due to insufficient validation of the length of user-supplied input prior to copying it into static process buffers; this could possibly lead to the execution of arbitrary code. Upgrades are available, including from Astaro Linux and SCO. Currently we are not aware of any exploits for this vulnerability. | ISC BIND 'Q_UseDNS' Remote Denial of Service | High | US-CERT Vulnerability Note, VU#327633, January 25, 2005 Astaro Security Linux Announcement, February 17, 2005 SCO Security Advisory, SCOSA-2006.1, January 3, 2006 |
Linux kernel 2.6-2.6.14 | Multiple vulnerabilities have been reported: a Denial of Service vulnerability was reported in 'mm/mempolicy.c' when handling the policy system call; a remote Denial of Service vulnerability was reported in 'net/ipv4/fib_frontend.c' when validating the header and payload of fib_lookup netlink messages; an off-by-one buffer overflow vulnerability was reported in 'kernel/sysctl.c,' which could let a malicious user cause a Denial of Service and potentially execute arbitrary code; and a buffer overflow vulnerability was reported in the DVB (Digital Video Broadcasting) driver subsystem, which could let a malicious user cause a Denial of Service or potentially execute arbitrary code. Upgrades are available. An exploit script has been published. | Linux Kernel Multiple Vulnerabilities | High | Secunia Advisory: SA18216, January 4, 2006 |
MandrakeSoft Linux Mandrake 2006.0 x86_64, 2006.0, 10.2 x86_64, 10.2, 10.1 x86_64, 10.1 | A buffer overflow vulnerability has been reported in MTink when handling the HOME environment variable due to a boundary error, which could let a malicious user execute arbitrary code with root privileges. Updates available from Mandriva. An exploit has been published. | MTink Home Environment Variable Buffer Overflow | High | Security Focus, Bugtraq ID: 16095, December 31, 2005 Mandriva Linux Security Advisory, MDKSA-2005:239, December 31, 2005 |
Network Block Device NBD 2.8-2.8.2, 2.7.5 | A buffer overflow vulnerability has been reported in the 'nbd-server' when handling specially crafted requests, which could let a remote malicious user execute arbitrary code. Upgrades available from the vendor, Debian, and Gentoo. Currently we are not aware of any exploits for this vulnerability. | Multiple Vendors Network Block Device Server Buffer Overflow | High | Security Focus, Bugtraq ID: 16029, December 21, 2005 Debian Security Advisory, DSA 924-1, December 21, 2005 Gentoo Linux Security Advisory, GLSA 200512-14, December 23, 2005 |
Fetchmail; RedHat Fedora Core 4, Core 3 | A remote Denial of Service vulnerability has been reported when Fetchmail is configured in 'multidrop' mode due to a failure to handle unexpected input. Upgrades available from Fedora, Mandriva, and Ubuntu. There is no exploit code required. | Fetchmail Remote Denial of Service | Low | Security Focus, Bugtraq ID: 15987, December 20, 2005 Fedora Update Notifications Mandriva Linux Security Advisory MDKSA-2005:236, December 23, 2005 Ubuntu Security Notice, USN-233-1, January 02, 2006 |
PHP 5.0.0-5.0.5, 4.4.0, 4.3.1-4.3.11, 4.2-4.2.3, 4.1.0-4.1.2, 4.0.0-4.0.7 | A Denial of Service vulnerability has been reported in the 'sapi_apache2.c' file. PHP 5.1.0 final and 4.4.1 final are not affected by this issue. Please contact the vendor to obtain fixes. Updates available from Gentoo, Mandriva, Trustix, and Ubuntu. There is no exploit code required. | PHP Apache 2 Denial of Service | Low | Security Focus, Bugtraq ID: 15177, October 24, 2005 Gentoo Linux Security Advisory, GLSA 200511-08, November 14, 2005 Mandriva Linux Security Advisory, MDKSA-2005:213, November 16, 2005 Trustix Secure Linux Security Advisory, TSLSA-2005-0062, November 22, 2005 Ubuntu Security Notice, USN-232-1, December 23, 2005 |
PTnet IRCD 1.6, 1.5 | A remote Denial of Service vulnerability has been reported when attempting to open restricted channels. No workaround or patch available at time of publishing. There is no exploit code required. | PTnet IRCD Remote Denial of Service | Low | Security Tracker Alert ID: 1015425, December 30, 2005 |
rssh 2.2-2.2.3, 2.1, 2.0 | A vulnerability has been reported in the 'rssh_chroot_helper' command due to a design error, which could let a malicious user obtain superuser privileges. Upgrades available from the vendor and Gentoo. Currently we are not aware of any exploits for this vulnerability. | RSSH CHRoot Directory Superuser Privileges | High | Secunia Advisory: SA18224, December 23, 2005 Gentoo Linux Security Advisory GLSA 200512-15, December 27, 2005 |
SCO OpenServer 5.0-5.0.7 | A buffer overflow vulnerability has been reported in termsh, which could let a malicious user execute arbitrary code. No workaround or patch available at time of publishing. An exploit script has been published. | SCO OpenServer Termsh Buffer Overflow | High | Security Focus, Bugtraq ID: 16122, January 3, 2006 |
scponly 4.1 & prior | Several vulnerabilities have been reported: a vulnerability was reported in 'scponlyc' due to a design error, which could let a malicious user execute arbitrary code with root privileges; and a vulnerability was reported due to an error in the validation of the user-supplied command line, which could let a malicious user bypass security restrictions. Upgrades available from the vendor and Gentoo. There is no exploit code required. | scponly Privilege Escalation & Security Bypass | High | Secunia Advisory: SA18223, December 23, 2005 Gentoo Linux Security Advisory, GLSA 200512-17, December 29, 2005 |
Sun PC NetLink 2.0 | Insecure permissions vulnerabilities have been reported due to a flaw in the 'slsadmin' and 'slsmgr' scripts, which could let a malicious user obtain elevated privileges. Update information available at: http://sunsolve.sun.com/ There is no exploit code required. | Sun Solaris PC NetLink Insecure Permissions | Medium | Sun(sm) Alert Notifications Sun Alert ID: 102117 & 102122, December 23, 2005 |
Open Motif 2.2.3 | Two buffer overflow vulnerabilities have been reported in libUil (User Interface Language): a buffer overflow vulnerability was reported in 'diag_issue_diagnostic()' due to the use of the vsprintf() libc procedure, which could let a remote malicious user execute arbitrary code; and a vulnerability was reported in 'open_source_. Updates available from Gentoo. Currently we are not aware of any exploits for these vulnerabilities. | Open Motif libUil Buffer Overflows | High | Security Focus, Bugtraq ID: 15678, December 2, 2005 Gentoo Linux Security Advisory, GLSA 200512-16, December 28, 2005 |
TkDiff 4.1, 4.0.2, 4.0, 3.0.9 | A vulnerability has been reported due to the insecure creation of temporary files, which could let a remote malicious user modify system/user information or obtain unauthorized access. Upgrades available from Debian and Mandriva. There is no exploit code required. | TkDiff Insecure Temporary File Creation | Medium | Security Tracker Alert ID: 1015421, December 28, 2005 Debian Security Advisories, DSA 927-1 & 927-2, December 27, 2005 Mandriva Linux Security Advisory MDKSA-2006:001, January 3, 2006 |
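Two of the cpio entries above describe the classic archive-extraction failures: member names containing '..' that walk out of the destination directory, and a permission change applied by path after the file is created, which a local user in a shared directory can redirect at a file of their choosing. The temporary-file entries (the Debian register scripts, Bugzilla, TkDiff) are the same create-then-trust race in another setting. The following Python is an added example written for this page, not cpio's code or any vendor's fix. It validates member names (including the case where a symlink already inside the destination would carry a write outside it), creates each file with O_CREAT|O_EXCL|O_NOFOLLOW, and sets the final mode with fchmod on the descriptor it owns, so there is no path-based chmod to race. The archive members, the planted symlink and the `demo()` scenario are constructed for illustration.

```python
"""Archive extraction that rejects traversal and avoids the path-based chmod race (added example)."""
import os
import stat
import tempfile
from pathlib import Path


class UnsafeMember(ValueError):
    """Raised for an archive member name that must not be extracted."""


def resolve_member(dest: Path, name: str) -> Path:
    """Map a member name onto dest (which must already be a real path), refusing
    absolute names, '..' components, and names whose parent directory resolves
    outside dest through a symlink already present on disk."""
    if not name or os.path.isabs(name) or name.startswith(("/", "\\")):
        raise UnsafeMember(f"absolute path: {name}")
    rel = Path(name)
    if ".." in rel.parts:
        raise UnsafeMember(f"parent reference: {name}")
    target = dest / rel
    # realpath follows symlinks that exist; a missing tail is kept lexically, so
    # subdirectories that are not created yet still resolve under dest.
    real_parent = Path(os.path.realpath(target.parent))
    if real_parent != dest and dest not in real_parent.parents:
        raise UnsafeMember(f"escapes destination via symlink: {name}")
    return target


def extract_file(dest: Path, name: str, data: bytes, mode: int) -> Path:
    """Create the member with O_EXCL|O_NOFOLLOW and set its mode on the descriptor.
    A chmod(path) issued afterwards could be redirected by swapping the path for a
    symlink or hard link between the two calls; fchmod on the fd we created cannot."""
    target = resolve_member(dest, name)
    target.parent.mkdir(parents=True, exist_ok=True)
    flags = os.O_WRONLY | os.O_CREAT | os.O_EXCL | getattr(os, "O_NOFOLLOW", 0)
    fd = os.open(target, flags, 0o600)  # private until the content is in place
    try:
        view = memoryview(data)
        while view:  # os.write may write less than asked
            view = view[os.write(fd, view):]
        os.fchmod(fd, stat.S_IMODE(mode))
    finally:
        os.close(fd)
    return target


def extract_all(dest: Path, members) -> tuple[list[Path], list[str]]:
    """members: iterable of (name, data, mode). Returns (extracted paths, rejected names)."""
    dest = Path(os.path.realpath(dest))
    extracted, rejected = [], []
    for name, data, mode in members:
        try:
            extracted.append(extract_file(dest, name, data, mode))
        except UnsafeMember:
            rejected.append(name)
    return extracted, rejected


def demo() -> dict:
    """Constructed scenario: one benign member, two traversal attempts, and one
    member that would escape through a symlink planted inside the destination."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp).resolve()
        outside, dest = root / "outside", root / "dest"
        outside.mkdir()
        dest.mkdir()
        (dest / "link").symlink_to(outside)  # attacker-planted or earlier-member symlink
        members = [
            ("docs/readme.txt", b"hello\n", 0o644),
            ("../../etc/passwd", b"root::0:0::/:/bin/sh\n", 0o644),
            ("/tmp/abs", b"x", 0o644),
            ("link/escaped.txt", b"x", 0o644),
        ]
        extracted, rejected = extract_all(dest, members)
        return {
            "extracted": [str(p.relative_to(dest)) for p in extracted],
            "rejected": rejected,
            "readme_mode": stat.S_IMODE((dest / "docs" / "readme.txt").stat().st_mode),
            "outside_untouched": not any(outside.iterdir()),
        }


if __name__ == "__main__":
    print(demo())
```

O_EXCL means a member whose path already exists is refused rather than overwritten; a real extractor would decide whether that is an error or a replace, but the replace must still go through a fresh descriptor rather than a chmod or truncate by path. mkstemp applies the same O_CREAT|O_EXCL discipline to temporary files, which is the fix behind the temporary-file entries in this table.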
Multiple Operating Systems - Windows / UNIX / Linux / Other | ||||
Vendor & Software Name | Vulnerability - Impact Patches - Workarounds Attack Scripts | Common Name / CVE Reference | Risk | Source |
AdesGuestbook 2.0 | A Cross-Site Scripting vulnerability has been reported in 'read.php' due to insufficient sanitization of the 'totalRows_ No workaround or patch available at time of publishing. A Proof of Concept exploit has been published. | Ades Design AdesGuestbook Cross-Site Scripting | Medium | Secunia Advisory: SA18244, December 30, 2005 |
EPay Enterprise 3.0 | HTML injection vulnerabilities have been reported in 'profile.htm,' 'card.htm,' 'bank.htm,' 'subscriptions.htm,' 'send.htm,' 'request.htm,' 'forgot.htm,' 'escrow.htm,' 'donations.htm,' and 'products.htm' due to insufficient sanitization, which could let a remote malicious user execute arbitrary HTML and script code. No workaround or patch available at time of publishing. There is no exploit code required. | AlstraSoft EPay Enterprise Multiple HTML Injection | Medium | Secunia Advisory: SA18153, December 23, 2005 |
Baseline CMS 1.95 | Multiple vulnerabilities have been reported: a Cross-Site Scripting vulnerability was reported in 'Page.asp' due to insufficient sanitization of the 'PageID' and 'SiteNodeID' parameters before returning them to the user, which could let a remote malicious user execute arbitrary HTML and script code; and an SQL injection vulnerability was reported in 'Page.asp' due to insufficient sanitization of the 'SiteNodeID' parameter before using it in an SQL query, which could let a remote malicious user execute arbitrary SQL code. No workaround or patch available at time of publishing. There is no exploit code required; however, Proof of Concept exploits have been published. | Baseline CMS SQL Injection & Cross-Site Scripting | Medium | Security Focus, Bugtraq ID: 15961, December 20, 2005 |
Bitweaver 1.1.1 beta | Multiple vulnerabilities have been reported: an SQL injection vulnerability was reported due to insufficient sanitization of the 'sort_mode,' 'post_id,' and 'blog_id' parameters before using in an SQL query, which could let a remote malicious user execute arbitrary SQL code; a Cross-Site Scripting vulnerability was reported due to insufficient sanitization of the 'sort_mode,' 'post_id,' 'blog_id' and search field parameters in '/users/my_groups.php' before returning to the user, which could let a remote malicious user execute arbitrary HTML and script code; and a path disclosure vulnerability was reported which could let a remote malicious user obtain sensitive information. Upgrades available at: There is no exploit code required; however, Proof of Concept exploits have been published. | Bitweaver Multiple Input Validation | Medium | Security Focus, Bugtraq ID: 15962, December 20, 2005 |
B-Net Software 1.0 | An HTML injection vulnerability has been reported due to insufficient sanitization of various fields when signing the guestbook and sending a message via 'Shoutbox,' which could let a remote malicious user execute arbitrary HTML and script code. No workaround or patch available at time of publishing. There is no exploit code required; however, a Proof of Concept exploit has been published. | B-Net HTML Injection | Medium | Security Focus, Bugtraq ID: 16114, January 2, 2006 |
BZFlag 2.0.4, 2.0.2, 2.0 | A remote Denial of Service vulnerability has been reported when handling callsigns that are not NULL terminated. The vulnerability has reportedly been fixed in the CVS repositories. An exploit script has been published. | BZFlag Remote Denial of Service | Low | Secunia Advisory: SA18238, December 27, 2005 |
Chipmunk Guestbook 1.4 | An HTML injection vulnerability has been reported due to insufficient sanitization of the homepage field when signing the guestbook, which could let a remote malicious user execute arbitrary HTML and script code. No workaround or patch available at time of publishing. A Proof of Concept exploit has been published. | Chipmunk GuestBook HTML Injection | Medium | Secunia Advisory: SA18270, January 2, 2006 |
Cisco Firewall Services Module (FWSM) 1.x, 2.x, | A vulnerability has been reported in the Downloadable IP ACL (Access Control List) feature due to a design error, which could let a malicious user bypass security restrictions. Workaround instructions available at: There is no exploit code required. | Cisco Secure Access Control Server Downloadable IP Access Control List | Medium | Secunia Advisory: SA18141, January 3, 2006 |
Communique 4.0 | A Cross-Site Scripting vulnerability has been reported due to insufficient sanitization of the 'query' parameter when performing a search, which could let a remote malicious user execute arbitrary HTML and script code. No workaround or patch available at time of publishing. There is no exploit code required. | Day Communique Cross-Site Scripting | Medium | Security Focus, Bugtraq ID: 16072, December 27, 2005 |
Dev Web Management System 1.5 | Several vulnerabilities have been reported: an SQL injection vulnerability was reported in 'index.php' and 'getfile.php' due to insufficient sanitization of the 'cat' parameter and in 'download_now.php' due to insufficient sanitization of the 'target' parameter before using in an SQL query, which could let a remote malicious user execute arbitrary SQL code; and a Cross-Site Scripting vulnerability was reported in 'add.php' due to insufficient sanitization of the 'language' array parameter before returning to the user, which could let a remote malicious user execute arbitrary HTML and script code. No workaround or patch available at time of publishing. There is no exploit code required; however, Proof of Concept exploits and an exploit script have been published. | Dev Web Management System Multiple Input Validation | Medium | Security Tracker Alert ID: 1015410, December 25, 2005 |
Direct News 4.9 | An SQL injection vulnerability has been reported in 'index.php' due to insufficient sanitization of the 'setLang' and search module parameter before using in an SQL query, which could let a remote malicious user execute arbitrary SQL code. No workaround or patch available at time of publishing. There is no exploit code required; however, a Proof of Concept exploit has been published. | Direct News SQL Injection | Medium | Security Focus, Bugtraq ID: 15957, December 19, 2005 |
Koobi 5.0 | A script injection vulnerability has been reported because a remote malicious user can nest BBCode URL tags and execute arbitrary HTML and script code. No workaround or patch available at time of publishing. There is no exploit code required; however, a Proof of Concept exploit has been published. | Koobi BBCode URL Tag Script Injection | Medium | Security Focus, Bugtraq ID: 16078, December 28, 2005 |
eggblog 2.0 | Several vulnerabilities have been reported: a path disclosure vulnerability was reported when an invalid 'q' parameter is used by the 'Keyword' and 'Search' fields, which could let a remote malicious user obtain sensitive information; and a Cross-Site Scripting vulnerability has been reported in 'search.php' due to insufficient sanitization of the 'q' parameter when performing a search, which could let a remote malicious user execute arbitrary HTML and script code. No workaround or patch available at time of publishing. There is no exploit code required. | Epic Designs Eggblog Path Disclosure & Cross-Site Scripting | Medium | Security Focus, Bugtraq ID: 16056, December 23, 2005 |
Ethereal 0.10-0.10.13, 0.9-0.9.16, 0.8.19, 0.8.18, 0.8.13-0.8.15, 0.8.5, 0.8, 0.7.7 | A buffer overflow vulnerability has been reported in the 'dissect_ospf_ v3_address_ Patch available at: Debian: Gentoo: Mandriva: Currently we are not aware of any exploits for this vulnerability. | | High | iDefense Security Advisory, December 9, 2005 Debian Security Advisory DSA 920-1, December 13, 2005 Gentoo Linux Security Advisory, GLSA 200512-06, December 14, 2005 Mandriva Linux Security Advisory MDKSA-2005:227, December 15, 2005 Mandriva Linux Security Advisory MDKSA-2006:002, January 3, 2006 |
Ethereal 0.9.1-0.10.13. | A remote Denial of Service vulnerability has been reported in the IRC and GTP dissectors when a malicious user submits a specially crafted packet. Upgrades available at: Mandriva: Currently we are not aware of any exploits for this vulnerability. | Ethereal IRC & GTP Dissectors Remote Denial of Service | Low | Ethereal Security Advisory, enpa-sa-00022, December 27, 2005 Mandriva Linux Security Advisory MDKSA-2006:002, January 3, 2006 |
UpdateEngine 6.2 | Cross-Site Scripting vulnerabilities have been reported in 'UpdateEngine' due to insufficient sanitization of the 'FUELAP_TEMPLATENAME,' 'EMAIL,' and 'COUNTRYNAME' parameters before returning to the user, which could let a remote malicious user execute arbitrary HTML and script code. No workaround or patch available at time of publishing. There is no exploit code required; however, Proof of Concept exploits have been published. | FatWire UpdateEngine Multiple Cross-Site Scripting | Medium | Security Focus, Bugtraq ID: 16073, December 27, 2005 |
File::ExtAttr 0.2, 0.1 | An off-by-one buffer overflow vulnerability has been reported in 'getfattr()' when the extended attributes of a file are retrieved, which could let a remote malicious user cause a Denial of Service. Upgrades available at: Currently we are not aware of any exploits for this vulnerability. | File::ExtAttr Off-By-One Buffer Overflow | Low | Secunia Advisory: SA18253, January 2, 2006 |
GMailSite 1.0-1.0.4; GFHost 0.4-0.4.2, 0.3, 0.2, 0.1.1 | A vulnerability was reported in 'index.php' due to insufficient verification of the 'Ing' parameter before used to include files, which could let a remote malicious user include arbitrary files from local resources. No workaround or patch available at time of publishing. There is no exploit code required; however, a Proof of Concept exploit has been published. | GFHost / GmailSite File Inclusion | Medium | Secunia Advisory: SA18155, December 29, 2005 |
Business Logic 2.0.6, 2.0, 1.1, 1.0 | Several vulnerabilities have been reported: a Cross-Site Scripting vulnerability was reported in input forms due to insufficient sanitization of unspecified input, which could let a remote malicious user execute arbitrary HTML and script code and inject arbitrary HTTP headers; and an SQL injection vulnerability was reported in input forms due to insufficient sanitization of unspecified input before using in an SQL query, which could let a remote malicious user execute arbitrary SQL code. Patch information available at: There is no exploit code required. | Hitachi Business Logic Input Validation | Medium | Hitachi Security Bulletin, HS05-025, December 27, 2005 |
IDV Directory Viewer 2005.1 b1 | A vulnerability has been reported in 'index.php' due to insufficient sanitization of the 'dir' parameter before used to generate directory listings, which could let a remote malicious user obtain sensitive information. Upgrade available at: There is no exploit code required. | IDV Directory Viewer Index.PHP Information Disclosure | Medium | Secunia Advisory: SA18298, January 4, 2006 |
BugPort 1.147 & prior | Several vulnerabilities have been reported: an SQL injection vulnerability was reported in 'index.php' due to insufficient sanitization of the 'orderBy,' 'where,' and 'devWhere No workaround or patch available at time of publishing. There is no exploit code required; however, Proof of Concept exploit scripts have been published. | INCOGEN BugPort Cross-Site Scripting, SQL Injection, & Path Disclosure | Medium | Secunia Advisory: SA18282, January 2, 2006 |
Intel Graphics Driver 6.14.10.4308, | A remote Denial of Service vulnerability has been reported in the 'ialmrnt5' display driver when handling overly long text in a text field. No workaround or patch available at time of publishing. A Proof of Concept exploit has been published. | Intel Graphics Accelerator Driver Remote Denial of Service | Low | Secunia Advisory: SA18286, January 3, 2006 |
iPei Guestbook 1.7 & prior | A Cross-Site Scripting vulnerability has been reported in 'index.php' due to insufficient sanitization of user-supplied input, which could let a remote malicious user execute arbitrary HTML and script code. No workaround or patch available at time of publishing. There is no exploit code required. | iPei Guestbook Cross-Site Scripting | Medium | Security Focus, Bugtraq ID: 16092, December 30, 2005 |
PHPenpals 310704 | An SQL injection vulnerability has been reported in 'profile.php' due to insufficient sanitization of the 'personalID' parameter before using in an SQL query, which could let a remote malicious user execute arbitrary SQL code. No workaround or patch available at time of publishing. A Proof of Concept exploit has been published. | PHPenpals SQL Injection | Medium | Secunia Advisory: SA18269, January 2, 2006 |
Kayako SupportSuite 3.0 0.26 | Cross-Site Scripting vulnerabilities have been reported in the 'register,' 'submit,' and 'lostpassword' modules due to insufficient sanitization of the 'Full Name,' 'Email,' 'Subject,' and 'Registered Email' fields and in 'index.php' due to insufficient sanitization of the 'nav' parameter, which could let a remote malicious user execute arbitrary HTML and script code. No workaround or patch available at time of publishing. There is no exploit code required; however, a Proof of Concept exploit has been published. | Kayako SupportSuite Multiple Cross-Site Scripting | Medium | Security Focus, Bugtraq ID: 16094, December 30, 2005 |
Lighthouse CMS 1.1 | A Cross-Site Scripting vulnerability has been reported due to insufficient sanitization of the 'search' parameter before returning to the user, which could let a remote malicious user execute arbitrary HTML and script code. No workaround or patch available at time of publishing. There is no exploit code required; however, a Proof of Concept exploit has been published. | Lighthouse CMS Cross-Site Scripting | Medium | Security Focus, Bugtraq ID: 15952, December 19, 2005 |
Lizard Cart CMS 1.0.4 | An SQL injection vulnerability has been reported due to insufficient sanitization of the 'id' parameter before using in an SQL query, which could let a remote malicious user execute arbitrary SQL code. No workaround or patch available at time of publishing. There is no exploit code required; however, a Proof of Concept exploit has been published. | Lizard Cart CMS SQL Injection | Medium | Secunia Advisory: SA18297, January 4, 2006 |
Mantis prior to 0.19.4, and 1.0.0rc4 | Multiple remote vulnerabilities have been reported which could let a remote malicious user obtain sensitive information, conduct Cross-Site Scripting, HTML, and SQL injection attacks, and execute arbitrary PHP code. Upgrades available at: Gentoo: There is no exploit code required. | Mantis Multiple Vulnerabilities CVE-2005-4518 | High | Gentoo Linux Security Advisory, GLSA 200512-12, December 22, 2005 |
TinyMCE Compressor 1.0.5 & prior | Several vulnerabilities have been reported: a file disclosure vulnerability was reported due to insufficient sanitization of unspecified input before used to view files, which could let a remote malicious user obtain sensitive information; and a Cross-Site Scripting vulnerability was reported in 'tiny_mce_gzip.php' due to insufficient sanitization of the 'index' parameter before returning to the user, which could let a remote malicious user execute arbitrary HTML and script code. Upgrades available at: There is no exploit code required. | TinyMCE compressor Cross-Site Scripting & File Disclosure | Medium | Hardened-PHP Project Advisory, December 30, 2005 |
MandrakeSoft Linux Mandrake 2006.0 x86_64, 2006.0, 10.2 x86_64, 10.2; | A vulnerability has been reported in the Ethereal IRC Protocol Dissector that could let remote malicious users cause a Denial of Service. Mandriva: Gentoo: SUSE: Conectiva: Mandriva: Currently we are not aware of any exploits for this vulnerability. | Ethereal Denial of Service | Low | Mandriva Linux Security Advisory, MDKSA-2005:193-1, October 26, 2005 Gentoo Linux Security Advisory, GLSA 200510-25, October 30, 2005 SUSE Security Summary Report, SUSE-SR:2005:025, November 4, 2005 Conectiva Security Announcement, CLSA-2005:1043, November 8, 2005 Mandriva Linux Security Advisory MDKSA-2006:002, January 3, 2006 |
NView 4.x; | A vulnerability has been reported in the 'nview' and 'xnview' binaries due to an insecure RPATH configuration, which could let a remote malicious user execute arbitrary code. Gentoo: There is no exploit code required. | XnView / NView Insecure RPATH | Medium | Secunia Advisory: SA18235, December 29, 2005 Gentoo Linux Security Advisory, GLSA 200512-18, December 30, 2005 |
Proxim Wireless AP-700 2.4.11, AP-600 2.4.11, AP-4000 2.4.11, AP-2000 2.4.11; | An authentication bypass vulnerability has been reported due to a hard coded static WEP key, which could let a remote malicious user bypass authentication. Proxim: Avaya: There is no exploit code required. | Multiple Vendor Wireless Access Points Static WEP Key Authentication Bypass | Medium | Avaya Security Advisory, ASA-2005-233, December 15, 2005 Proxim Security Advisory, ASA-2005-3253, December 2, 2005 |
RedHat Fedora Core4, Core3; PHP 5.0.4, 4.3.9 | A remote Denial of Service vulnerability has been reported when parsing EXIF image data contained in corrupt JPEG files. Fedora: RedHat: Mandriva: FedoraLegacy: SGI: OpenPKG: SUSE: Ubuntu: Currently we are not aware of any exploits for this vulnerability. | PHP Group Exif Module Remote Denial of Service | Low | Fedora Update Notifications, RedHat Security Advisory, RHSA-2005:831-15, November 10, 2005 Mandriva Linux Security Advisory, MDKSA-2005:213, November 16, 2005 Fedora Legacy Update Advisory, FLSA:166943, November 28, 2005 SGI Security Advisory, 20051101-01-U, November 29, 2005 OpenPKG Security Advisory, OpenPKG-SA-2005.027, December 3, 2005 SuSE Security Ubuntu Security Notice, USN-232-1, December 23, 2005 |
DevBB 1.0 | An SQL injection vulnerability has been reported in the 'admin/globa.php' script when user-supplied input is passed via cookie data, which could let a remote malicious user execute arbitrary SQL code. No workaround or patch available at time of publishing. There is no exploit code required; however, a Proof of Concept exploit has been published. | MyBB DevBB SQL Injection | Medium | Security Focus, Bugtraq ID: 16082, December 29, 2005 |
MyBulletinBoard PR2 Rev.686 & prior | SQL injection vulnerabilities have been reported due to insufficient sanitization of several scripts, which could let a remote malicious user execute arbitrary SQL code. Updates available at: There is no exploit code required. | MyBB Input Validation | Medium | Security Tracker Alert ID: 1015407, December 24, 2005 |
phpBook 1.3.2, 1.3, 1.2, 1.1, 1.0 | A vulnerability has been reported due to insufficient sanitization of the 'email' parameter when signing the guestbook, which could let a remote malicious user execute arbitrary PHP code. No workaround or patch available at time of publishing. A Proof of Concept exploit has been published. | NETOnE phpBook Arbitrary PHP Code Execution | High | Secunia Advisory: SA18268, January 2, 2006 |
OaBoard 1.0 | A file include vulnerability was reported in 'forum.php,' which could let a remote malicious user execute arbitrary PHP code. No workaround or patch available at time of publishing. A Proof of Concept exploit has been published. | OABoard Forum Script Remote File Include | High | Security Focus, Bugtraq ID: 16105, January 2, 2006 |
OOApp Guestbook 2.1 | A Cross-Site Scripting vulnerability has been reported in 'home.php' due to insufficient sanitization of the 'page' parameter before returning to the user, which could let a remote malicious user execute arbitrary HTML and script code. No workaround or patch available at time of publishing. A Proof of Concept exploit has been published. | OOApp Guestbook Cross-Site Scripting | Medium | Security Focus, Bugtraq ID: 16091, December 30, 2005 |
Oracle Application Server Discussion Forum Portlet | Several vulnerabilities have been reported including Cross-Site Scripting vulnerabilities, HTML injection vulnerabilities and a source code disclosure vulnerability, which could let a remote malicious user execute arbitrary HTML and script code and obtain sensitive information. No workaround or patch available at time of publishing. There is no exploit code required; however, Proof of Concept exploits have been published. | Oracle Application Server Discussion Forum Portlet Multiple Remote Vulnerabilities | Medium | Security Focus, Bugtraq ID: 16048, December 23, 2005 |
CommonSpot Content Server 4.5 | Several vulnerabilities have been reported: a Cross-Site Scripting vulnerability was reported in 'loader.cfm' due to insufficient sanitization of the 'bNewWindow' parameter before returning to the user, which could let a remote malicious user execute arbitrary HTML and script code; and a vulnerability was reported in 'loader.cfm' when accessed by an invalid 'url' parameter, which could let a remote malicious user obtain sensitive information. No workaround or patch available at time of publishing. Proof of Concept exploits have been published. | PaperThin CommonSpot Content Server Cross-Site Scripting & Path Disclosure | Medium | Secunia Advisory: SA18257, December 27, 2005 |
PHP 4.0.x, 4.1.x, 4.2.x, 4.3.x, 4.4.x, 5.0.x | Multiple vulnerabilities have been reported: a vulnerability was reported due to insufficient protection of the 'GLOBALS' array, which could let a remote malicious user define global variables; a vulnerability was reported in the 'parse_str()' PHP function when handling an unexpected termination, which could let a remote malicious user enable the 'register_ Upgrades available at: SUSE: TurboLinux: Fedora: RedHat: http://rhn.redhat. Gentoo: Mandriva: SUSE: Trustix: SGI: OpenPKG: Ubuntu: There is no exploit code required. | PHP Multiple Vulnerabilities CVE-2005-3388 | Medium | Secunia Advisory: SA17371, October 31, 2005 SUSE Security Summary Report, SUSE-SR:2005:025, November 4, 2005 Turbolinux Security Advisory TLSA-2005-97, November 5, 2005 Fedora Update Notifications, RedHat Security Advisories, RHSA-2005:838-3 & RHSA-2005:831-15, November 10, 2005 Gentoo Linux Security Advisory, GLSA 200511-08, November 13, 2005 Mandriva Linux Security Advisory, MDKSA-2005:213, November 16, 2005 SUSE Security Summary Report, SUSE-SR:2005:027, November 18, 2005 Trustix Secure Linux Security Advisory, TSLSA-2005-0062, November 22, 2005 SGI Security Advisory, 20051101-01-U, November 29, 2005 OpenPKG Security Advisory, OpenPKG-SA-2005.027, December 3, 2005 SUSE Security Summary Report, SUSE-SR:2005:029, December 9, 2005 SUSE Security Announcement, SUSE-SA:2005:069, December 14, 2005 Ubuntu Security Notice, USN-232-1, December 23, 2005 |
phpBB 2.0.18 & prior | A vulnerability has been reported in the 'url' bbcode tag due to insufficient sanitization before using, which could let a remote malicious user execute arbitrary HTML and script code. Upgrades available at: There is no exploit code required. | PHPBB 'url' bbcode Script Insertion | Medium | Secunia Advisory: SA18252, January 2, 2006 |
phpDocumentor 1.3 RC3 & RC4, 1.2-1.2.3 | File include vulnerabilities have been reported in 'Documentation/tests/bug-559668.php' due to insufficient verification of the 'FORUM[LIB]' parameter and in 'docbuilder/file_dialog.php' due to insufficient verification of the 'root_dir' parameter before used to include files, which could let a remote malicious user execute arbitrary PHP code. No workaround or patch available at time of publishing. There is no exploit code required; however, a Proof of Concept exploit script has been published. | PHPDocumentor File Include | Medium | Security Tracker Alert ID: 1015423, December 29, 2005 |
PHP-Fusion 6.0 0.3 | A Cross-Site Scripting vulnerability has been reported in 'members.php' due to insufficient sanitization of user-supplied input before returning to the user, which could let a remote malicious user execute arbitrary HTML and script code. No workaround or patch available at time of publishing. There is no exploit code required; however, a Proof of Concept exploit has been published. | PHP-Fusion Cross-Site Scripting | Medium | Security Focus, Bugtraq ID: 15931, December 19, 2005 |
PHPjournaler 1.0 | An SQL injection vulnerability has been reported in 'index.php' due to insufficient sanitization of the 'readold' parameter before using in an SQL query, which could let a remote malicious user execute arbitrary SQL code. No workaround or patch available at time of publishing. A Proof of Concept exploit has been published. | PHPJournaler SQL Injection | Medium | Security Focus, Bugtraq ID: 16111, January 2, 2006 |
PHP 5.0.0-5.0.5, 4.4.1, 4.4.0, 4.3-4.3.11, 4.2-4.2.3, 4.1.0-4.1.2, 4.0.6, 4.0.7, RC1-RC3 | A vulnerability has been reported in the 'mb_send_mail()' function due to an input validation error, which could let a remote malicious user inject arbitrary headers to generated email messages. Upgrades available at: SUSE: Ubuntu: Mandriva: There is no exploit code required. | PHP MB_Send_Mail Arbitrary Header Injection | Medium | Security Focus, Bugtraq ID: 15571, November 25, 2005 SUSE Security Announcement, SUSE-SA:2005:069, December 14, 2005 Ubuntu Security Notice, USN-232-1, December 23, 2005 Mandriva Linux Security Advisory, MDKSA-2005:238, December 27, 2005 |
PHPSurveyor 0.99 | An SQL injection vulnerability has been reported due to insufficient sanitization of the 'sid' parameter before using in an SQL query, which could let a remote malicious user execute arbitrary SQL code. Upgrade available at: There is no exploit code required. | PHPSurveyor SQL Injection | Medium | Secunia Advisory: SA18167, December 28, 2005 |
Primo Cart 1.0 | SQL injection vulnerabilities have been reported in 'user.php' due to insufficient sanitization of the 'email' parameter and in 'search.php' due to insufficient sanitization of the 'q' parameter before using in an SQL query, which could let a remote malicious user execute arbitrary SQL code. No workaround or patch available at time of publishing. There is no exploit code required; however, a Proof of Concept exploit has been published. | Primo Cart SQL Injection | Medium | Secunia Advisory: SA18264, January 2, 2006 |
raSMP 2.0.0 | An HTML injection vulnerability has been reported due to insufficient sanitization of the 'User-Agent' HTTP header before saving to the database, which could let a remote malicious user execute arbitrary HTML and script code. No workaround or patch available at time of publishing. There is no exploit code required. | raSMP User-Agent HTML Injection | Medium | Security Focus, Bugtraq ID: 16138, January 4, 2006 |
Statistics Counter Service 2.4 | An SQL injection vulnerability has been reported in the user area due to insufficient sanitization of unspecified input before using in an SQL query, which could let a remote malicious user execute arbitrary SQL code. Update available at: There is no exploit code required. | Real Web Solution Statistics Counter Service SQL Injection | Medium | Secunia Advisory: SA18158, December 23, 2005 |
Blackberry Enterprise Server for Exchange 4.0 SP1, Enterprise Server for Domino 4.0 | A remote Denial of Service vulnerability has been reported when handling Server Routing Protocol (SRP) packets due to an error. No workaround or patch available at time of publishing. Currently we are not aware of any exploits for this vulnerability. | BlackBerry Enterprise Server Router Component Remote Denial of Service | Low | Security Tracker Alert ID: 1015427, December 31, 2005 |
Blackberry Enterprise Server for Exchange 4.0 SP1, Enterprise Server for Domino 4.0 | A remote Denial of Service vulnerability has been reported when handling malformed TIFF image attachments. No workaround or patch available at time of publishing. Currently we are not aware of any exploits for this vulnerability. | Blackberry Enterprise Server Attachment Service TIFF Attachment Remote Denial of Service | Low | Security Tracker Alert ID: 1015426, December 30, 2005 |
Blackberry Device Software 4.0, Blackberry Desktop Manager, Blackberry 8700r, 8700f, 8700c, 7780, 7750, 7730, 7520, 7290, 7280, 7250, 7230 4.0, 7230 3.8, 7230 3.7.1.41, 7130e, 7105t, 7100x, 7100v, 7100t, 7100r, 7100i, 7100g | A remote Denial of Service vulnerability has been reported when handling a malformed JAD (Java Application Description) file. The vendor has addressed this issue in version 4.0.2 of the Blackberry Device Software. Affected users are encouraged to contact their service providers to obtain updated software. There is no exploit code required. | Blackberry Handheld JAD File Browser Remote Denial of Service | Low | Security Tracker Alert ID: 1015428, December 31, 2005 |
ScozBook 1.1 BETA | An SQL injection vulnerability has been reported due to insufficient sanitization of the 'AdminName' variable, which could let a remote malicious user execute arbitrary SQL code. No workaround or patch available at time of publishing. A Proof of Concept exploit has been published. | ScozNet ScozBook SQL Injection | Medium | Security Focus, Bugtraq ID: 16115, January 2, 2006 |
ShopEngine | A Cross-Site Scripting vulnerability has been reported in 'search.asp' due to insufficient sanitization of the 'EXPS' parameter before returning to the user, which could let a remote malicious user execute arbitrary HTML and script code. No workaround or patch available at time of publishing. There is no exploit code required. | ShopCentrik ShopEngine Cross-Site Scripting | Medium | Security Focus, Bugtraq ID: 16054, December 23, 2005 |
SimpBook 1.0 | An HTML injection vulnerability has been reported due to insufficient sanitization of the 'message' field before storing in the guestbook, which could let a remote malicious user execute arbitrary code. No workaround or patch available at time of publishing. There is no exploit code required. | SimpBook Guestbook HTML Injection | Medium | Secunia Advisory: SA18256, December 26, 2005 |
Valdersoft Shopping Cart 3.0 | A remote file include vulnerability has been reported which could let a remote malicious user execute arbitrary PHP code. No workaround or patch available at time of publishing. There is no exploit code required; however, a Proof of Concept exploit script has been published. | Valdersoft Shopping Cart Remote File Include | High | Security Focus, Bugtraq ID: 16126, January 3, 2006 |
VBulletin 3.5.2 | An HTML injection vulnerability has been reported due to insufficient sanitization in 'calendar.php' and 'reminder.php', which could let a remote malicious user execute arbitrary HTML and script code. No workaround or patch available at time of publishing. A Proof of Concept exploit has been published. | VBulletin Event Title HTML Injection | Medium | Security Focus, Bugtraq ID: 16116, January 2, 2006 |
VEGO Links Builder 2.0 | An SQL injection vulnerability has been reported due to insufficient sanitization of the 'username' parameter when logging in, which could let a remote malicious user execute arbitrary SQL code. No workaround or patch available at time of publishing. A Proof of Concept exploit has been published. | VEGO Links Builder Login Script SQL Injection | Medium | Security Focus, Bugtraq ID: 16108, January 2, 2006 |
VEGO Web Forum 1.23-1.26, 1.20, 1.10, 1.0 | An SQL injection vulnerability has been reported due to insufficient sanitization of the 'Theme_ID' parameter before using in an SQL query, which could let a remote malicious user execute arbitrary SQL code. No workaround or patch available at time of publishing. There is no exploit code required; however, a Proof of Concept exploit has been published. | VEGO Web Forum SQL Injection | Medium | Security Focus, Bugtraq ID: 16107, January 2, 2006 |
VMWare ESX Server 2.5.2, 2.5, 2.1-2.1.2, 2.0.1 build 6403, 2.0.1, 2.0 build 5257, 2.0 | A vulnerability has been reported in the VMware Management Interface due to an unspecified error, which could let a remote malicious user execute arbitrary code. Patches available at: Currently we are not aware of any exploits for this vulnerability. | VMware ESX Server Management Interface Remote Arbitrary Code Execution | Medium | Security Tracker Alert ID: 1015422, December 29, 2005 |
Cerberus Helpdesk support-center 2.649, cerberus-gui 2.649 | Several vulnerabilities have been reported: an SQL injection vulnerability was reported due to insufficient sanitization of unspecified input before using in an SQL query, which could let a remote malicious user execute arbitrary SQL code; and a Cross-Site Scripting vulnerability was reported in 'index.php' due to insufficient sanitization of the 'kb_ask' parameter before returning to the user, which could let a remote malicious user execute arbitrary HTML and script code. No workaround or patch available at time of publishing. Proof of Concept exploits have been published. | Cerberus Helpdesk Input Validation | Medium | Secunia Advisory: SA18112, December 20, 2005 |
Wireless
The section below contains wireless vulnerabilities, articles, and viruses/trojans identified during this reporting period.
- FCC interested in emergency wireless network: The Federal Communications Commission will study the feasibility of constructing a nationwide interoperable wireless network for emergency workers that uses some of the spectrum that TV companies will abandon when they transition to digital television. In a recent report to Congress, the FCC said that providing mobile broadband communications, in addition to upgraded communications equipment and training, could offer emergency responders many important capabilities. Source: http://www.fcw.com/article91846-01-03-06-Web.
- Mobility's Steep Upward Growth Curve For 2006: According to GCR Custom Research's IT Watch enterprise spending survey that was conducted in November 2005, they project an 8.1% jump in spending on mobile and wireless devices for 2006. Source: http://www.mobilepipeline.com/175800385.
Wireless Vulnerabilities
- RIM BlackBerry Vulnerabilities: US-CERT information about multiple vulnerabilities in RIM BlackBerry products has been presented at the 22nd Chaos Communication Congress. Source: http://www.us-cert.gov/current/.
- BlackBerry Enterprise Server Router Component Remote Denial of Service: A remote Denial of Service vulnerability has been reported in the BlackBerry Enterprise Server router component.
- Blackberry Enterprise Server Attachment Service TIFF Attachment Remote Denial of Service: A remote Denial of Service vulnerability has been reported when handling malformed TIFF image attachments.
- Blackberry Handheld JAD File Browser Remote Denial of Service: A remote Denial of Service vulnerability has been reported when handling malformed JAD files.
- Multiple Vendor Wireless Access Points Static WEP Key Authentication Bypass: An authentication bypass vulnerability has been reported due to a hard coded static WEP key.
Recent Exploit Scripts/Techniques
The table below contains a sample of exploit scripts and "how to" guides identified during this period. The "Workaround or Patch Available" column indicates if vendors, security vulnerability listservs, or Computer Emergency Response Teams (CERTs) have published workarounds or patches.
Note: At times, scripts/techniques may contain names or content that may be considered offensive.
Date of Script | Script name | Workaround or Patch Available | Script Description |
January 4, 2006 | 20051228.ie_xp_pfv_metafile.pm 20051231.ie_xp_pfv_metafile.pm ie_xp_pfv_metafile.pm | Yes | Exploit for the Microsoft Windows Graphics Rendering Engine WMF SetAbortProc Code Execution vulnerability. |
January 4, 2006 | cijfer-vsczpl.pl.txt cijfer-vscxpl.pl | No | Exploits for the Valdersoft Shopping Cart Remote File Include vulnerability. |
January 4, 2006 | EV0001.txt | No | Exploitation details for the VEGO Web Forum SQL Injection vulnerability. |
January 4, 2006 | EV0002.txt | No | Exploitation details for the VEGO Links Builder Login Script SQL Injection vulnerability. |
January 4, 2006 | EV0003.txt | No | Exploitation details for the OABoard Forum Script Remote File Include vulnerability. |
January 4, 2006 | EV0004.txt | No | Exploitation details for the Chipmunk GuestBook HTML Injection vulnerability. |
January 4, 2006 | EV0005.txt | No | Exploitation details for the PHPenpals SQL Injection vulnerability. |
January 4, 2006 | EV0006.txt | No | Exploitation details for the NETOnE phpBook Arbitrary PHP Code Execution vulnerability. |
January 4, 2006 | EV0007.txt | No | Exploitation details for the Chimera Web Portal System SQL injection & Cross-Site Scripting vulnerabilities. |
January 4, 2006 | EV0008.txt | No | Exploitation details for the inTouch SQL Injection vulnerability. |
January 4, 2006 | EV0009.txt | No | Exploitation details for the PHPJournaler SQL Injection vulnerability. |
January 4, 2006 | EV0010.txt | No | Exploitation details for the B-Net HTML Injection vulnerability. |
January 4, 2006 | EV0011.txt | No | Exploitation details for the ScozNet ScozBook SQL Injection vulnerability. |
January 4, 2006 | set_mempolicy_dos.c | Yes | Exploit for the Linux Kernel SET_MEMPOLICY Local Denial of Service vulnerability. |
January 4, 2006 | termsh.c Openserver_bof.c | No | Exploits for the SCO OpenServer Termsh Buffer vulnerability. |
January 4, 2006 | UBehavior.zip | N/A | Whitepaper that discusses the exploitation of uninitialized data. |
January 4, 2006 | winrar330.c | Yes | Proof of Concept exploit for the WinRAR Buffer Overflow Long Filename vulnerability. |
January 3, 2006 | cijfer-cnxpl.pl.txt | Yes | Exploit for the CuteNews Remote Command Execution vulnerability. |
January 3, 2006 | mozilla_compareto.pm.txt | Yes | Metasploit exploit for the Mozilla Suite/Firefox Remote Buffer Overflow vulnerability. |
January 1, 2006 | 0512-exploits.tgz | N/A | Packet Storm new exploits for December, 2005. |
January 1, 2006 | 2005-exploits.tgz | N/A | Complete comprehensive archive of all exploits posted to Packet Storm for 2005. |
January 1, 2006 | mtink.c | Yes | Exploit for the MTink Home Environment Variable Buffer Overflow vulnerability. |
December 31, 2005 | gmailXSSinject.txt | No | Exploit details for Google's GMailSite Cross-Site Scripting vulnerability. |
December 31, 2005 | kapda-18.txt | Yes | Exploitation details for the Web Wiz Multiple Product SQL Injection vulnerability. |
December 31, 2005 | phpdocumentor_130rc4_incl_expl.txt phpdocu_130rc4_incl_xpl.php | No | Script that exploits the PHPDocumentor Remote and Local File Include vulnerability. |
December 29, 2005 | aimsniff-1.0alpha.tar.gz | N/A | A utility for monitoring and archiving AOL Instant Messenger messages across a network that has the ability to do a live dump (actively sniff the network) or read a PCAP file and parse the file for IM messages. |
December 29, 2005 | dBpowerAMPv11.5.txt dMCShell_bof.c | No | Exploit for the Illustrate dBpowerAMP Music Converter and Audio Player Buffer Overflow vulnerability. |
December 29, 2005 | Dev_15_sql_xpl.php.txt Dev_15_sql_xpl.php | No | Exploit for the Dev Web Management System Multiple Input Validation vulnerabilities. |
December 29, 2005 | fiked-0.0.4.tar.bz2 | N/A | A fake IKE daemon that supports just enough of the standards and Cisco extensions to attack commonly found insecure Cisco PSK+XAUTH VPN setups in what could be described as a semi-MitM attack. |
December 29, 2005 | thc-ts201.zip | N/A | Latest release of a phone scanner that features ODBC support so you can import your results into SQL or Excel spreadsheets; includes source code and runs on any DOS-emulating operating system. |
December 29, 2005 | translateXSS.txt | No | Proof of Concept for numerous translation websites Cross-Site Scripting vulnerability. |
December 29, 2005 | VirusScanEnterprise8.0i.txt | Yes | Proof of Concept exploit for the McAfee VirusScan Privilege Elevation vulnerability. |
December 27, 2005 | bzflagboom.zip | Yes | Script that exploits the BZFlag Remote Denial of Service vulnerability. |
December 27, 2005 | cerberusHelp.txt | No | Exploitation details for the Cerberus Helpdesk Input Validation vulnerabilities. |
December 27, 2005 | mailenable-imap-examine.py.txt muts_mailenable_imap_examine.pm.txt | Yes | Proof of Concept exploit for the MailEnable Arbitrary Code Execution vulnerability. |
Trends
- Exploit for Vulnerability in Microsoft Windows Metafile Handling: US-CERT is aware of active exploitation of a vulnerability in how Microsoft Windows handles Windows Metafiles (".wmf"). Several variations of the WMF exploit file have been released that attempt to avoid detection by anti-virus software and intrusion detection and intrusion prevention systems. Source: http://www.us-cert.gov/current/.
- Data security moves front and center in 2005: Financial data leaks left more than 50 million accounts containing credit card information and, in some cases, confidential details at risk. Phishing attacks, targeted Trojan horses and Web-based exploits compromised millions of PCs to create centrally controlled networks known as bot nets. In 2005, the threat of worm epidemics largely subsided. Instead, attacks targeting vulnerabilities in client-side applications--such as Internet browsers and antivirus software--rose. Data on bot networks revealed that those centrally controlled networks of computers remained a large threat. And attacks targeting the systems of specific people in government and industry have managed to sneak under the radar of security systems that have been honed to detect mass infections. Source: http://www.securityfocus.com/news/11366.
- WMF Infected Site Examples: Websense Security Labs (TM) is actively tracking websites that attempt to infect machines without any end-user intervention, simply by the user visiting a site. Currently there are two types of sites. The first are sites that have been set up by the attackers in order to infect users. In most cases these sites require a lure (such as an email or Instant Message) in order to attract users. These are mostly registered with fraudulent registration details. The second are sites which have been compromised. Source: http://www.websensesecuritylabs.com/alerts/alert.php?AlertID=391
- December IM Attacks Jump 826 Percent Over '04: According to IMlogic's Threat Center, December 2005 instant message exploits increased 825 percent over December 2004. According to the report, the year's last month saw 241 new threats; down from the 307 in November and the 294 in October. Combined, the three months showed a 13 percent increase in IM threats over the third quarter of 2005. Source: http://www.securitypipeline.com/news/175800842.
- More than 450 Phishing Attacks Used SSL in 2005: The Netcraft Toolbar Community has identified more than 450 confirmed phishing URLs using "https" urls to present a secure connection using the Secure Sockets Layer (SSL). This number is significant for several reasons. Anti-phishing education initiatives have often urged Internet users to look for the SSL "golden lock" as an indicator of a site's legitimacy. Although phishers have been using SSL in attacks for more than a year, the trend seems to have drawn relatively little notice from users and the technology press. Source: http://news.netcraft.com/archives/2005/12/28/more_than_450_phishing_attacks_used_ssl_in_2005.html.
Viruses/Trojans
Top Ten Virus Threats
A list of high threat viruses, as reported to various anti-virus vendors and virus incident reporting organizations, has been ranked and categorized in the table below. For the purposes of collecting and collating data, infections involving multiple systems at a single location are considered a single infection. It is therefore possible that a virus has infected hundreds of machines but has only been counted once. With the number of viruses that appear each month, it is possible that a new virus will become widely distributed before the next edition of this publication. To limit the possibility of infection, readers are reminded to update their anti-virus packages as soon as updates become available. The table lists the viruses by ranking (number of sites affected), common virus name, type of virus code (i.e., boot, file, macro, multi-partite, script), trends (based on number of infections reported since last week), and approximate date first found.
Rank | Common Name | Type of Code | Trend | Date | Description |
1 | Netsky-P | Win32 Worm | Stable | March 2004 | A mass-mailing worm that uses its own SMTP engine to send itself to the email addresses it finds when scanning the hard drives and mapped drives. The worm also tries to spread through various file-sharing programs by copying itself into various shared folders. |
2 | Mytob-GH | Win32 Worm | Slight Increase | November 2005 | A variant of the mass-mailing worm that disables security related programs and allows others to access the infected system. This version sends itself to email addresses harvested from the system, forging the sender's address. |
3 | Netsky-D | Win32 Worm | Stable | March 2004 | A simplified variant of the Netsky mass-mailing worm in that it does not contain many of the text strings that were present in NetSky.C and it does not copy itself to shared folders. Netsky.D spreads itself in e-mails as an executable attachment only. |
4 | Zafi-B | Win32 Worm | Increase | June 2004 | A mass-mailing worm that spreads via e-mail using several different languages, including English, Hungarian and Russian. When executed, the worm makes two copies of itself in the %System% directory with randomly generated file names. |
5 | Sober-Z | Win32 Worm | New | December 2005 | This worm travels as an email attachment, forging the sender's address, harvesting addresses from infected machines, and using its own mail engine. It further downloads code from the internet, installs into the registry, and reduces overall system security. |
6 | Lovgate.w | Win32 Worm | Slight Increase | April 2004 | A mass-mailing worm that propagates by using MAPI as a reply to messages, by using an internal SMTP engine, by dropping copies of itself on network shares, and through peer-to-peer networks. Attempts to access all machines in the local area network. |
7 | Mytob.C | Win32 Worm | Increase | March 2004 | A mass-mailing worm with IRC backdoor functionality which can also infect computers vulnerable to the Windows LSASS (MS04-011) exploit. The worm will attempt to harvest email addresses from the local hard disk by scanning files. |
8 | Zafi-D | Win32 Worm | Stable | December 2004 | A mass-mailing worm that sends itself to email addresses gathered from the infected computer. The worm may also attempt to lower security settings, terminate processes, and open a back door on the compromised computer. |
9 | Mytob-BE | Win32 Worm | Decrease | June 2005 | A slight variant of the mass-mailing worm that utilizes an IRC backdoor, the LSASS vulnerability, and email to propagate. It harvests addresses from the Windows address book, disables anti-virus software, and modifies data. |
10 | Mytob-AS | Win32 Worm | Decrease | June 2005 | A slight variant of the mass-mailing worm that disables security related programs and processes, redirects various sites, and changes registry values. This version downloads code from the net and utilizes its own email engine. |
Table updated January 4, 2006