Summary of Security Items from January 1 to January 4, 2006

Released
Jan 05, 2006
Document ID
SB06-005

The CISA Vulnerability Bulletin provides a summary of new vulnerabilities that have been recorded by the National Institute of Standards and Technology (NIST) National Vulnerability Database (NVD) in the past week. NVD is sponsored by CISA. In some cases, the vulnerabilities in the bulletin may not yet have assigned CVSS scores. Please visit NVD for updated vulnerability entries, which include CVSS scores once they are available.

Vulnerabilities are based on the Common Vulnerabilities and Exposures (CVE) vulnerability naming standard and are organized according to severity, determined by the Common Vulnerability Scoring System (CVSS) standard. The division of high, medium, and low severities corresponds to the following scores:

  • High: vulnerabilities with a CVSS base score of 7.0–10.0
  • Medium: vulnerabilities with a CVSS base score of 4.0–6.9
  • Low: vulnerabilities with a CVSS base score of 0.0–3.9

Entries may include additional information provided by organizations and efforts sponsored by CISA. This information may include identifying information, values, definitions, and related links. Patch information is provided when available. Please note that some of the information in the bulletin is compiled from external, open-source reports and is not a direct result of CISA analysis. 

Information in the US-CERT Cyber Security Bulletin is a compilation that includes information published by outside sources; it should therefore not be considered the result of US-CERT analysis. Software vulnerabilities are categorized in the section for the operating system on which the vulnerability was reported; because this information is obtained from open-source reports, this does not mean that the vulnerability affects only that operating system.

This bulletin provides a summary of new or updated vulnerabilities, exploits, trends, viruses, and trojans. Updates to vulnerabilities that appeared in previous bulletins are listed in bold text. The text in the Risk column appears in red for vulnerabilities ranking High. The risk levels applied to vulnerabilities in the Cyber Security Bulletin are based on how the "system" may be impacted. The Recent Exploit/Technique table contains a "Workaround or Patch Available" column that indicates whether a workaround or patch has been published for the vulnerability which the script exploits.

Vulnerabilities

The table below summarizes vulnerabilities that have been identified, even if they are not being exploited. Complete details about patches or workarounds are available from the source of the information or from the URL provided in the section. CVE numbers are listed where applicable. Vulnerabilities that affect both Windows and Unix Operating Systems are included in the Multiple Operating Systems section.

Note: All the information included in the following tables has been discussed in newsgroups and on web sites.

The Risk levels defined below are based on how the system may be impacted:

Note: Even though a vulnerability may allow several malicious acts to be performed, only the highest level risk will be defined in the Risk column.

  • High - A high-risk vulnerability is defined as one that will allow an intruder to immediately gain privileged access (e.g., sysadmin or root) to the system or allow an intruder to execute code or alter arbitrary system files. An example of a high-risk vulnerability is one that allows an unauthorized user to send a sequence of instructions to a machine and the machine responds with a command prompt with administrator privileges.
  • Medium - A medium-risk vulnerability is defined as one that will allow an intruder immediate access to a system with less than privileged access. Such a vulnerability will allow the intruder the opportunity to continue the attempt to gain privileged access. An example of a medium-risk vulnerability is a server configuration error that allows an intruder to capture the password file.
  • Low - A low-risk vulnerability is defined as one that will provide information to an intruder that could lead to further compromise attempts or a Denial of Service (DoS) attack. It should be noted that while the DoS attack is deemed low from a threat potential, the frequency of this type of attack is very high. DoS attacks against mission-critical nodes are not included in this rating and any attack of this nature should instead be considered to be a "High" threat.

Windows Operating Systems Only

Columns: Vendor & Software Name; Vulnerability - Impact, Patches - Workarounds, Attack Scripts; Common Name / CVE Reference; Risk; Source

Acidcat CMS 2.1.13

A vulnerability has been reported in Acidcat CMS that could let remote malicious users perform SQL injection.

A vendor solution is available:
http://www.acidcat.com/acidcat/downloads/acidcat_2_1_14_patch.zip

There is no exploit code required; however, a Proof of Concept exploit has been published.

Acidcat CMS SQL Injection Vulnerability

CVE-2005-4370
CVE-2005-4371

Medium

Secunia Advisory: SA18097, December 19, 2005

Security Focus, ID: 15933, December 27, 2005

Allinta 2.3.2 and prior

A vulnerability has been reported in Allinta that could let remote malicious users conduct Cross-Site Scripting.

A vendor solution is available, contact the vendor for details.

There is no exploit code required; however, a Proof of Concept exploit has been published.

Allinta Cross Site Scripting

CVE-2005-4374

Medium

Secunia, Advisory: SA18060, December 19, 2005

Security Focus, ID: 15935, December 27, 2005

Deerfield

VisNetic Mail Server 8.3.0 build 1

Multiple vulnerabilities have been reported in VisNetic Mail Server that could let remote malicious users disclose information, execute arbitrary code, or obtain arbitrary file permissions.

A vendor solution is available:
http://www.deerfield.com/
download/visnetic-mailserver/

There is no exploit code required; however, a Proof of Concept exploit has been published.

VisNetic Mail Server Multiple Vulnerabilities

High

Secunia, Advisory: SA17865, December 27, 2005

Dopewars 1.5.7 and prior

A vulnerability has been reported in Dopewars that could let a remote malicious user execute arbitrary code.

A vendor solution is available:
http://prdownloads.sourceforge.net/dopewars/dopewars-1.5.12.exe

Currently we are not aware of any exploits for this vulnerability.

Dopewars Arbitrary Code Execution

CVE-2005-4610

High

Security Focus, ID: 16104, December 30, 2005

ESRI

ArcPad 7.0.0.156

A buffer overflow vulnerability has been reported in ArcPad that could let remote malicious users execute arbitrary code.

No workaround or patch available at time of publishing.

Currently we are not aware of any exploits for this vulnerability.

ArcPad Arbitrary Code Execution

High

Secunia, Advisory: SA18294, January 4, 2006

Eudora

WorldMail Server 3.0 IMAPd Service 6.1.19.0

A buffer overflow vulnerability has been reported in WorldMail Server that could let remote malicious users execute arbitrary code.

No workaround or patch available at time of publishing.

Currently we are not aware of any exploits for this vulnerability.

Eudora WorldMail Server Arbitrary Code Execution

CVE-2005-4267

High

Security Tracker, Alert ID: 1015391, December 21, 2005

FTGate Technology

FTGate 4.4

An input validation vulnerability has been reported in FTGate that could let malicious users conduct Cross-Site Scripting.

No workaround or patch available at time of publishing.

A Proof of Concept exploit has been published.

FTGate Cross Site Scripting

CVE-2005-4567
CVE-2005-4568
CVE-2005-4569

Medium

Security Tracker, Alert ID: 1015399, December 22, 2005

GraphOn GoGlobal for Windows prior to 3.1.0.3270

A buffer overflow vulnerability has been reported in GraphOn GoGlobal for Windows that could let a remote malicious user execute arbitrary code or cause a Denial of Service.

A vendor solution is available, contact the vendor for details.

A Proof of Concept exploit has been published.

GraphOn GO-Global For Windows Denial of Service or Arbitrary Code Execution
High

Security Focus, ID: 15285, November 2, 2005

Security Focus, ID: 15285, November 21, 2005

Iatek LLC

PortalApp, SiteEnable 3.3 and prior

A vulnerability has been reported in SiteEnable and PortalApp that could let remote malicious users conduct Cross-Site Scripting.

No workaround or patch available at time of publishing.

There is no exploit code required; however, a Proof of Concept exploit has been published.

Iatek SiteEnable and PortalApp Cross Site Scripting

CVE-2005-4482
CVE-2005-4483

Medium

Secunia, Advisory: SA18201, December 22, 2005

Iatek LLC

ProjectApp 3.3 and prior

Multiple vulnerabilities have been reported in ProjectApp that could let remote malicious users conduct Cross-Site Scripting.

No workaround or patch available at time of publishing.

There is no exploit code required; however, a Proof of Concept exploit has been published.

Iatek ProjectApp Cross Site Scripting

CVE-2005-4485

Medium

Secunia, Advisory: SA18199, December 22, 2005

IceWarp Software

IceWarp WebMail, Merak Mail Server 8.3.0.r, Deerfield VisNetic Mail Server 8.3.0 build 1

Multiple vulnerabilities have been reported in IceWarp WebMail that could let remote malicious users execute arbitrary code.

No workaround or patch available at time of publishing.

There is no exploit code required; however, a Proof of Concept exploit has been published.

IceWarp Web Mail Arbitrary Code Execution

CVE-2005-4556
CVE-2005-4557
CVE-2005-4558
CVE-2005-4559

High

Security Focus, ID: 16069, December 27, 2005

Illustrate

dBpowerAMP Music Converter 11.5 and prior

A buffer overflow vulnerability has been reported in dBpowerAMP Music Converter that could let remote malicious users execute arbitrary code.

No workaround or patch available at time of publishing.

An exploit has been published.

dBpowerAMP Music Converter Arbitrary Code Execution

High

Security Tracker, Alert ID: 1015415, December 28, 2005

Interactive Intelligence

Interaction SIP Proxy 3.0.010

A buffer overflow vulnerability has been reported in Interaction SIP Proxy that could let remote malicious users cause a Denial of Service.

A vendor solution is available:
http://www.inin.com/
sipproxy/termsandconditions/
termsandconditions.aspx?l=t

A Proof of Concept exploit has been published.

Interaction SIP Proxy Denial of Service

CVE-2005-4466

Low

Security Tracker, Alert ID: 1015392, December 21, 2005

Juniper

NetScreen-Security Manager 2004 FP2, FP3

A vulnerability has been reported in NetScreen-Security Manager that could let remote malicious users cause a Denial of Service.

No workaround or patch available at time of publishing.

Currently we are not aware of any exploits for this vulnerability.

Juniper NetScreen-Security Manager Denial of Service

CVE-2005-4587

Low

Security Focus, ID: 16075, December 28, 2005

KMiNT21 Software

Golden FTP Server 1.92

A buffer overflow vulnerability has been reported in Golden FTP Server that could let remote malicious users cause a Denial of Service or execute arbitrary code.

No workaround or patch available at time of publishing.

Currently we are not aware of any exploits for this vulnerability.

Golden FTP Server Denial of Service or Arbitrary Code Execution

CVE-2005-4553

High

Secunia, Advisory: SA18245, December 26, 2005

LogiSphere 0.9.9j

A directory traversal vulnerability has been reported in LogiSphere that could let remote malicious users cause a Denial of Service.

A vendor solution is available:
http://download.seiz.ch/logisphere/LogiSphere.msi

There is no exploit code required; however, a Proof of Concept exploit has been published.

LogiSphere Denial of Service

CVE-2005-4202

Low

Secunia, Advisory: SA17989, December 12, 2005

Security Focus, ID: 15807, December 27, 2005

McAfee

VirusScan Enterprise 8.0i, Common Management Agent 3.X, ePolicy Orchestrator 3.X.X, ProtectionPilot

A vulnerability has been reported in multiple products, Common Management Agent 3.X in NaPrdMgr.exe, that could let local malicious users obtain elevated privileges.

A vendor solution is available:
http://knowledgemap.nai.com/
KanisaSupportSite/search.do?
cmd=displayKC&externalId
=KBkb45256xml

There is no exploit code required; however, a Proof of Concept exploit has been published.

McAfee VirusScan Privilege Elevation

CVE-2005-4505

Medium

Security Tracker, Alert ID: 1015404, December 23, 2005

Microsoft

This security advisory was published to notify users that systems which are infected with Sober.Z may download and run malicious files beginning on January 6, 2006.

A vendor solution is available:
http://www.microsoft.com/
technet/security/
advisory/912920.mspx

Microsoft Sober.Z Notification

High

Microsoft, Security Advisory 912920, January 3, 2006

Microsoft

Windows Meta File (WMF) Graphics Rendering Engine

A vulnerability has been reported in the Windows Meta File (WMF) Graphics Rendering Engine that could let remote malicious users execute arbitrary code.

A vendor solution is available:
http://www.microsoft.com/
technet/security/
advisory/912840.mspx

Patch expected January 10, 2006.

Currently we are not aware of any exploits for this vulnerability.

Microsoft Windows WMF Rendering Engine Arbitrary Code Execution

CVE-2005-4560

High

Microsoft, Security Advisory 912840, December 28, 2005

US-CERT VU#181038

Nexus Concepts

Dev Hound 2.24 and prior

A vulnerability has been reported in Dev Hound that could let remote malicious users disclose information or insert scripts.

A vendor solution is available:
http://www.nexusconcepts.com/
devhound.html

There is no exploit code required.

Dev Hound Information Disclosure or Script Insertion

CVE-2005-4506
CVE-2005-4507
CVE-2005-4508

Medium

Secunia, Advisory: SA18164, December 22, 2005

Paq Tool

eFilego 3.01

Multiple vulnerabilities have been reported in eFileGo that could let remote malicious users disclose information, cause a Denial of Service, or execute arbitrary commands.

No workaround or patch available at time of publishing.

A Proof of Concept exploit has been published.

eFileGo Multiple Vulnerabilities

High

Secunia, Advisory: SA18279, January 2, 2006

Spb Software House

Spb Kiosk Engine 1.0.0.1

A vulnerability has been reported in Spb Kiosk Engine that could let local malicious users disclose information, including the administrative password.

No workaround or patch available at time of publishing.

Currently we are not aware of any exploits for this vulnerability.

Spb Kiosk Engine Information Disclosure

CVE-2005-4589
CVE-2005-4590

Medium

Security Tracker, Alert ID: 1015413, December 27, 2005

Symantec

AntiVirus

A buffer overflow vulnerability has been reported in Symantec AntiVirus that could let remote malicious users execute arbitrary code.

A vendor solution is available:
http://securityresponse.symantec.com/
avcenter/security/Content/
2005.12.21b.html

Currently we are not aware of any exploits for this vulnerability.

Symantec Anti Virus Arbitrary Code Execution

CVE-2005-4438

High

Symantec, SYM05-027, December 21, 2005

US-CERT VU#305272

Symantec

Sygate Protection Agent 5.0 build 6144, Enterprise Protection Suite

A vulnerability has been reported in Sygate Protection Agent that could let local malicious users bypass security restrictions.

No workaround or patch available at time of publishing.

There is no exploit code required.

Sygate Protection Agent Security Bypassing

CVE-2005-4525

Medium

Secunia, Advisory: SA18175, December 22, 2005

Tangora Software

Tangora Portal CMS 4.0

A vulnerability has been reported in Tangora Portal CMS that could let remote malicious users conduct Cross-Site Scripting.

No workaround or patch available at time of publishing.

A Proof of Concept exploit has been published.

Tangora Portal CMS Cross-Site Scripting

CVE-2005-4497

Medium

Secunia, Advisory: SA18206, December 22, 2005

TUGZip 3.4.0

A buffer overflow vulnerability has been reported in TUGZip that could let remote malicious users execute arbitrary code.

No workaround or patch available at time of publishing.

There is no exploit code required.

TUGZip Arbitrary Code Execution

CVE-2005-4594

High

Secunia, Advisory: SA17086, December 30, 2005

VMware

VMware 5.5 build 18007 and prior

A vulnerability has been reported in VMware that could let remote malicious users execute arbitrary code.

A vendor solution is available:
http://www.vmware.com/
download

Currently we are not aware of any exploits for this vulnerability.

VMware Arbitrary Code Execution

CVE-2005-4459

High

Security Tracker, Alert ID: 1015401, December 22, 2005

US-CERT VU#856689

Web Wiz

Site News 3.06 and prior, Journal 1.0 and prior, Polls 3.06 and prior, Database Login 1.71 and prior

A vulnerability has been reported in multiple Web Wiz products that could let remote malicious users perform SQL injection.

A vendor solution is available.

Site News:
http://webwizguide.info/
asp/sample_scripts/
site_news_script.asp

Journal:
http://webwizguide.info/
asp/sample_scripts/
journal_application.asp

Polls:
http://webwizguide.info/
asp/sample_scripts/
weekly_poll_script.asp

Database Login:
http://webwizguide.info/
asp/sample_scripts/
database_login_script.asp

There is no exploit code required; however, a Proof of Concept exploit has been published.

Web Wiz Multiple Product SQL Injection

CVE-2005-4606

Medium

Secunia, Advisory: SA18263, January 2, 2006

Webwasher

CSM Suite 5.0, CSM Appliance

A vulnerability has been reported in CSM Suite and CSM Appliance that could let remote malicious users bypass security restrictions.

No workaround or patch available at time of publishing.

There is no exploit code required.

WebWasher Security Bypassing

CVE-2005-4514

Medium

Security Focus, ID: 16047, December 22, 2005


UNIX / Linux Operating Systems Only

Columns: Vendor & Software Name; Vulnerability - Impact, Patches - Workarounds, Attack Scripts; Common Name / CVE Reference; Risk; Source

Adaptive Website Framework

Adaptive Website Framework 2.10

Several vulnerabilities have been reported: a Cross-Site Scripting vulnerability was reported due to insufficient sanitization of the 'page' parameter before returning to the user, which could let a remote malicious user execute arbitrary HTML and script code; and a path disclosure vulnerability was reported due to insufficient verification of the 'mode' parameter, which could let a remote malicious user obtain sensitive information.

No workaround or patch available at time of publishing.

There is no exploit code required.

Adaptive Website Framework Cross-Site Scripting & Path Disclosure

CVE-2005-4372

Medium
Security Focus, Bugtraq ID: 15937, December 19, 2005

Debian

Debian Linux 3.0 and 3.1 (all supported architectures);
Debian dhis-tools-dns 5.0

A vulnerability has been reported due to the insecure creation of temporary files by 'register-p.sh' and 'register-q.sh,' which could let a malicious user overwrite arbitrary files.

Debian:
http://security.debian.
org/pool/updates/
main/d/dhis-tools-dns/

There is no exploit code required.

DHIS Tools Insecure Temporary File

CVE-2005-3341


Medium
Debian Security Advisory, DSA 928-1, December 27, 2005

Dropbear SSH Server

Dropbear SSH Server prior to 0.47

A buffer overflow vulnerability has been reported in 'svr-chansession.c' due to a buffer allocation error, which could let a remote malicious user execute arbitrary code.

Updates available at:
http://matt.ucc.asn.
au/dropbear/

Debian:
http://www.debian.org/
security/2005/
dsa-923

Gentoo:
http://security.gentoo.
org/glsa/glsa-
200512-13.xml

Currently we are not aware of any exploits for this vulnerability.

Dropbear SSH Server Buffer Overflow

CVE-2005-4178

High

Secunia Advisory: SA18108, December 19, 2005

Debian Security Advisory, DSA-923-1, December 19, 2005

Gentoo Linux Security Advisory, GLSA 200512-13, December 23, 2005

Gentoo

Gentoo Linux,
app-crypt/pinentry 0.7.2 and 0.7.2-r1

A vulnerability has been reported in the Gentoo ebuild for pinentry, which could let a local malicious user obtain elevated privileges.

Gentoo:
http://security.gentoo.
org/glsa/glsa-
200601-01.xml

There is no exploit code required.


Gentoo Pinentry Elevated Privileges

CVE-2006-0071


Medium

Gentoo Linux Security Advisory, GLSA 200601-01, January 3, 2006

GNU


cpio 1.0-1.3, 2.4.2, 2.5, 2.5.90, 2.6

A race condition has been reported when an archive is extracted into a world- or group-writable directory: cpio creates each file and then sets its permissions by name in separate, non-atomic steps, which could let a local malicious user (for example via a hard-link attack on the file between the two steps) modify the permissions of arbitrary files.

Trustix:
ftp://ftp.turbolinux.co.jp/pub/TurboLinux/TurboLinux/ia32/

Mandriva:

http://www.mandriva.com/security/advisories


RedHat:
http://rhn.redhat.
com/errata/RHSA-
2005-378.html


SGI:
ftp://patches.sgi.
com/support/
free/security/
advisories/


SCO:
ftp://ftp.sco.com/
pub/updates/
UnixWare/
SCOSA-2005.32


Avaya:
http://support.avaya.
com/elmodocs2/
security/
ASA-2005-191.pdf


Conectiva:
ftp://atualizacoes.
conectiva.com.br/
10/


Ubuntu:
http://security.ubuntu.
com/ubuntu/pool/
main/c/cpio/


Debian:
http://security.debian.
org/pool/updates/
main/c/cpio/


RedHat:
http://rhn.redhat.
com/errata/RHSA-
2005-806.html


SCO:
ftp://ftp.sco.com/pub/
updates/OpenServer/
SCOSA-2006.2


There is no exploit code required.


CPIO CHMod File Permission Modification


CVE-2005-1111


Medium

Bugtraq, 395703, April 13, 2005

Trustix Secure Linux Security Advisory, TSLSA-2005-0030, June 24, 2005

Mandriva Linux Security Update Advisory, MDKSA-2005:116, July 12, 2005

RedHat Security Advisory, RHSA-2005:378-17, July 21, 2005

SGI Security Advisory, 20050802-01-U, August 15, 2005

SCO Security Advisory, SCOSA-2005.32, August 18, 2005

Avaya Security Advisory, ASA-2005-191, September 6, 2005

Conectiva Linux Announcement, CLSA-2005:1002, September 13, 2005

Ubuntu Security Notice, USN-189-1, September 29, 2005

Debian Security Advisory, DSA 846-1, October 7, 2005

RedHat Security Advisory, RHSA-2005:806-8, November 10, 2005

SCO Security Advisory, SCOSA-2006.2, January 3, 2006

GNU

cpio 2.6

A Directory Traversal vulnerability has been reported when invoking cpio on a malicious archive, which could let a remote malicious user obtain sensitive information.

Gentoo:
http://security.gentoo.
org/glsa/glsa-
200506-16.xml

Trustix:
ftp://ftp.turbolinux.co.jp/pub/TurboLinux/TurboLinux/ia32/

Mandriva:

http://www.mandriva.com/security/advisories

SCO:
ftp://ftp.sco.com/pub/
updates/UnixWare/
SCOSA-2005.32

Avaya:
http://support.avaya.
com/elmodocs2/
security/
ASA-2005-191.pdf

Conectiva:
ftp://atualizacoes.
conectiva.com.br/10/

Ubuntu:
http://security.ubuntu.
com/ubuntu/pool/
main/c/cpio/

Debian:
http://security.debian.
org/pool/updates/
main/c/cpio/

SCO:
ftp://ftp.sco.com/pub/
updates/OpenServer/
SCOSA-2006.2

A Proof of Concept exploit has been published.

CPIO Directory Traversal

CVE-2005-1229


Medium

Bugtraq, 396429, April 20, 2005

Gentoo Linux Security Advisory, GLSA 200506-16, June 20, 2005

Trustix Secure Linux Security Advisory, TSLSA-2005-0030, June 24, 2005

Mandriva Linux Security Update Advisory, MDKSA-2005:116, July 12, 2005

SCO Security Advisory, SCOSA-2005.32, August 18, 2005

Avaya Security Advisory, ASA-2005-191, September 6, 2005

Conectiva Linux Announcement, CLSA-2005:1002, September 13, 2005

Ubuntu Security Notice, USN-189-1, September 29, 2005

Debian Security Advisory, DSA 846-1, October 7, 2005

SCO Security Advisory, SCOSA-2006.2, January 3, 2006
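A member-name check of the kind an extractor needs before it creates anything, written here as an added example: it is not cpio's own code and does not describe how cpio fixed CVE-2005-1229. A member is refused if its name is absolute or if any path component is `..`; the sample listing is constructed for the demonstration.

```c
/* Added example: archive member name validation of the kind an extractor
 * needs before it creates anything.  This is not cpio's code and does not
 * describe how cpio fixed CVE-2005-1229; it shows the check itself. */
#include <stdbool.h>
#include <string.h>

/* Returns true if 'name' can safely be created beneath the extraction
 * directory: it must be relative and no path component may be "..".
 * Empty components and "." are tolerated because archivers commonly emit
 * names such as "./dir/file". */
bool member_path_is_safe(const char *name)
{
    if (name == NULL || *name == '\0')
        return false;                   /* no name at all */
    if (name[0] == '/')
        return false;                   /* absolute: escapes the target dir */

    const char *p = name;
    for (;;) {
        const char *end = strchr(p, '/');
        size_t len = end ? (size_t)(end - p) : strlen(p);
        if (len == 2 && p[0] == '.' && p[1] == '.')
            return false;               /* ".." climbs out of the target dir */
        if (end == NULL)
            return true;
        p = end + 1;
    }
}

/* Runs the check over a member listing and reports how many would be
 * refused; an extractor would skip (and log) each refused member. */
int count_rejected(const char *const *names, int n)
{
    int rejected = 0;
    for (int i = 0; i < n; i++)
        if (!member_path_is_safe(names[i]))
            rejected++;
    return rejected;
}

/* Constructed sample listing (not from a real archive): three benign
 * members followed by three traversal attempts. */
static const char *const SAMPLE_MEMBERS[] = {
    "./etc/motd",
    "usr/share/doc/README",
    "bin/..hidden",                     /* "..hidden" is a plain name, not ".." */
    "/etc/passwd",
    "../../../../etc/cron.d/job",
    "logs/../../..//etc/ld.so.preload",
};

int sample_rejected(void)
{
    return count_rejected(SAMPLE_MEMBERS,
                          (int)(sizeof SAMPLE_MEMBERS / sizeof SAMPLE_MEMBERS[0]));
}
```

A name check alone does not cover an archive whose earlier member created a symlink (say `lib -> /etc`) that a later member `lib/passwd` then writes through; the extractor must also create files relative to a directory descriptor with O_NOFOLLOW, or refuse to descend into symlinks it extracted itself.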

GNU

cpio 2.6, 2.5

A Denial of Service vulnerability has been reported due to a buffer overflow when cpio attempts to create an archive containing extremely large files.

Mandriva:
http://wwwnew.mandriva.
com/security/advisories
?dis=10.2

Ubuntu:
http://security.ubuntu.
com/ubuntu/pool/
main/c/cpio/

Currently we are not aware of any exploits for this vulnerability.


CPIO File Size Stack Denial of Service

CVE-2005-4268


Low

Mandriva Linux Security Advisory MDKSA-2005:237, December 23, 2005

Ubuntu Security Notice, USN-234-1, January 02, 2006

IBM

AIX 5.3 L, 5.3

A file disclosure vulnerability has been reported in 'getShell' and 'getCommand' which could let a malicious user obtain sensitive information.

No workaround or patch available at time of publishing.

A Proof of Concept exploit has been published.

IBM AIX GetShell & GetCommand File Disclosure
Medium

XFOCUS Security Team Advisory, xfocus-SD-060101, January 1, 2006

IBM

AIX 5.3 L, 5.3

A vulnerability has been reported in 'getShell' and 'getCommand' which could let a malicious user enumerate the existence of files on the computer that they wouldn't ordinarily be able to see.

No workaround or patch available at time of publishing.

A Proof of Concept exploit has been published.

IBM AIX GetShell & GetCommand File Enumeration
Medium
XFOCUS Security Team Advisory, xfocus-SD-060101, January 1, 2006

ImageMagick

ImageMagick 6.2.4.5

A vulnerability has been reported in the delegate code that is used by various ImageMagick utilities when handling an image filename due to an error, which could let a remote malicious user execute arbitrary commands.

No workaround or patch available at time of publishing.

There is no exploit code required.

ImageMagick Utilities Image Filename Remote Command Execution

CVE-2005-4601

Medium
Secunia Advisory: SA18261, December 30, 2005
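The failure mode above, as an added example rather than ImageMagick code: a delegate command line built from the image filename and handed to /bin/sh lets metacharacters in the filename run extra commands, whereas spawning the helper directly passes the filename as one argv entry that no shell ever parses. The helper program (`true`, standing in for a real delegate such as a PostScript interpreter) and the `; exit 7` payload are assumptions chosen so the result shows whether a shell interpreted the name.

```c
/* Added example, not ImageMagick's code: a delegate command line built
 * from the image filename and run through /bin/sh, beside a version that
 * spawns the helper directly.  The helper here is "true" (standing in for a
 * real delegate such as a PostScript interpreter) so the demo is harmless. */
#define _DEFAULT_SOURCE
#include <spawn.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/wait.h>
#include <unistd.h>

extern char **environ;

static int exit_code(int status)
{
    return WIFEXITED(status) ? WEXITSTATUS(status) : -1;
}

/* Vulnerable: printf-style substitution into a shell command.  A filename
 * such as "x.ps; exit 7" becomes two shell commands; "x.ps; rm -rf ~" would
 * run just as readily.  Returns the shell's exit status. */
int run_delegate_unsafe(const char *filename)
{
    char cmd[512];
    if (snprintf(cmd, sizeof cmd, "true %s", filename) >= (int)sizeof cmd)
        return -1;
    return exit_code(system(cmd));
}

/* Hardened: no shell at all.  The filename is one argv element, so ';',
 * backticks and '$' reach the helper as ordinary bytes.  Returns the
 * helper's exit status. */
int run_delegate_safe(const char *filename)
{
    char *argv[] = { "true", (char *)filename, NULL };
    pid_t pid;
    if (posix_spawnp(&pid, "true", NULL, NULL, argv, environ) != 0)
        return -1;
    int status;
    if (waitpid(pid, &status, 0) < 0)
        return -1;
    return exit_code(status);
}

/* Defence in depth: refuse names carrying shell metacharacters before any
 * delegate sees them, so a later, careless code path cannot be reached. */
int filename_has_shell_meta(const char *filename)
{
    return strpbrk(filename, ";|&`$<>(){}[]*?#~\\\"'\n\t ") != NULL;
}
```

With the unsafe path the injected `exit 7` becomes the delegate's exit status; with the spawned path the same string is just an argument and the helper exits 0. The metacharacter filter is a second line of defence, not a substitute for avoiding the shell.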

KETM

KETM 0.0.6

A buffer overflow vulnerability has been reported in 'support.c' when formatting error messages for display, which could let a malicious user execute arbitrary code with group 'games' privileges.

Debian:
http://security.debian.
org/pool/updates/
main/k/ketm/

Currently we are not aware of any exploits for this vulnerability.


KETM Buffer Overflow

CVE-2005-3535


Medium

Debian Security Advisory DSA 926-1, December 23, 2005

LibTIFF


LibTIFF 3.4, 3.5.1-3.5.5, 3.5.7, 3.6.0, 3.6.1, 3.7, 3.7.1

A buffer overflow vulnerability has been reported in the 'TIFFOpen()' function when opening malformed TIFF files, which could let a remote malicious user execute arbitrary code.


Patches available at:
http://bugzilla.remotesensing.org/attachment.cgi?id=238

Gentoo:
http://security.gentoo.org/glsa/glsa-200505-07.xml

Ubuntu:
http://security.ubuntu.com/ubuntu/pool/main/t/tiff/

SuSE:
ftp://ftp.suse.com/pub/suse/


TurboLinux:
ftp://ftp.turbolinux.co.jp/pub/
TurboLinux/TurboLinux/ia32/


Debian:
http://security.debian.org/
pool/updates/main/t/tiff/


SCO:
ftp://ftp.sco.com/pub/
updates/UnixWare/
SCOSA-2005.34


SCO:
ftp://ftp.sco.com/pub/
updates/OpenServer/
SCOSA-2006.3


Currently we are not aware of any exploits for this vulnerability.


LibTIFF TIFFOpen Remote Buffer Overflow


CVE-2005-1544

CVE-2005-1472


High

Gentoo Linux Security Advisory, GLSA 200505-07, May 10, 2005


Ubuntu Security Notice,
USN-130-1, May 19, 2005


SUSE Security Summary Report, SUSE-SR:2005:014,
June 7, 2005


Turbolinux
Security Advisory, TLSA-2005-72, June 28, 2005


Debian Security Advisory, DSA 755-1, July 13, 2005


SCO Security Advisory,
SCOSA-2005.34,
September 19, 2005


SCO Security Advisory, SCOSA-2006.3, January 3, 2006

Mozilla

Bugzilla 2.16-2.16.10, 2.14-2.14.5, 2.12, 2.10, 2.9

A vulnerability has been reported due to the insecure creation of the 'tmpsyncshadow' temporary file, which could let a malicious user obtain elevated privileges.

Patches available at:
https://bugzilla.mozilla.
org/attachment.cgi
?id=203870

There is no exploit code required.

Bugzilla Script Insecure Temporary File Creation

CVE-2005-4534

Medium
Secunia Advisory: SA18218, December 26, 2005
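The cpio CHMod race (CVE-2005-1111), the dhis-tools-dns register scripts and the Bugzilla 'tmpsyncshadow' entry above share one root cause: a file in a shared directory is created, or has its permissions set, by name in separate non-atomic steps. The example below is added here and is not code from any of those projects. It plants a symlink the way a local attacker would, shows the unsafe sequences following it, and shows the race-free replacements: mkstemp for temporary files, and open with O_CREAT|O_EXCL|O_NOFOLLOW plus fchmod on the descriptor for extracted files. The file names under /tmp are constructed for the demo.

```c
/* Added example, not code from cpio, dhis-tools-dns or Bugzilla: unsafe
 * create-by-name sequences beside their race-free replacements.  All paths
 * are constructed under a private mkdtemp() directory for the demo. */
#define _DEFAULT_SOURCE
#include <errno.h>
#include <fcntl.h>
#include <limits.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/stat.h>
#include <unistd.h>

/* Unsafe temp file: fixed name, no O_EXCL.  A symlink planted at 'path'
 * redirects the open (and the O_TRUNC) to whatever it points at. */
int open_temp_unsafe(const char *path)
{
    return open(path, O_WRONLY | O_CREAT | O_TRUNC, 0644);
}

/* Safe temp file: unique name, created atomically with O_EXCL, mode 0600. */
int open_temp_safe(const char *dir, char *out, size_t outlen)
{
    if (snprintf(out, outlen, "%s/tmpsyncshadow.XXXXXX", dir) >= (int)outlen)
        return -1;
    return mkstemp(out);
}

/* Unsafe extraction (the cpio pattern): create, write, then chmod by name.
 * Between close() and chmod() the name can be swapped for a symlink or
 * hard link to a victim file, whose mode then changes. */
int extract_unsafe(const char *path, const char *data, size_t len, mode_t mode)
{
    int fd = open(path, O_WRONLY | O_CREAT | O_TRUNC, 0600);
    if (fd < 0) return -1;
    if (write(fd, data, len) != (ssize_t)len) { close(fd); return -1; }
    close(fd);
    return chmod(path, mode);          /* follows symlinks: the race window */
}

/* Safe extraction: O_EXCL refuses a pre-existing name, O_NOFOLLOW refuses a
 * symlink, and fchmod() acts on the descriptor we opened, not on the name. */
int extract_safe(int dirfd, const char *name, const char *data, size_t len, mode_t mode)
{
    int fd = openat(dirfd, name, O_WRONLY | O_CREAT | O_EXCL | O_NOFOLLOW, 0600);
    if (fd < 0) return -1;
    if (write(fd, data, len) != (ssize_t)len || fchmod(fd, mode) != 0) {
        close(fd);
        return -1;
    }
    return close(fd);
}

/* Self-test: plants a symlink as a local attacker would, then shows the
 * unsafe calls following it and the safe calls refusing.  Returns 0 on
 * success, otherwise the number of the first failed check. */
int selftest_file_races(void)
{
    char dir[] = "/tmp/racedemo.XXXXXX";
    if (!mkdtemp(dir)) return 1;
    char victim[PATH_MAX], planted[PATH_MAX], tmp[PATH_MAX];
    snprintf(victim, sizeof victim, "%s/victim", dir);
    snprintf(planted, sizeof planted, "%s/payload", dir);

    int fd = open(victim, O_WRONLY | O_CREAT, 0600);   /* "sensitive" file */
    if (fd < 0 || write(fd, "secret", 6) != 6) return 2;
    close(fd);
    if (symlink(victim, planted) != 0) return 3;       /* attacker's link */

    struct stat st;
    /* 1. Unsafe temp open follows the link and truncates the victim. */
    fd = open_temp_unsafe(planted);
    if (fd < 0) return 4;
    close(fd);
    if (stat(victim, &st) != 0 || st.st_size != 0) return 5;

    /* 2. Unsafe extract re-permissions the victim through the link. */
    if (extract_unsafe(planted, "x", 1, 0777) != 0) return 6;
    if (stat(victim, &st) != 0 || (st.st_mode & 0777) != 0777) return 7;

    /* 3. Safe extract refuses the planted name; fresh files get exactly the
     *    requested mode because fchmod() ignores the umask. */
    int dfd = open(dir, O_RDONLY | O_DIRECTORY);
    if (dfd < 0) return 8;
    if (extract_safe(dfd, "payload", "x", 1, 0644) == 0) return 9;
    if (extract_safe(dfd, "fresh", "hello", 5, 0640) != 0) return 10;
    if (fstatat(dfd, "fresh", &st, 0) != 0 || (st.st_mode & 0777) != 0640 || st.st_size != 5) return 11;

    /* 4. Safe temp file: unique name, private mode. */
    fd = open_temp_safe(dir, tmp, sizeof tmp);
    if (fd < 0) return 12;
    if (fstat(fd, &st) != 0 || (st.st_mode & 0777) != 0600) { close(fd); return 13; }
    close(fd);

    unlink(tmp); unlinkat(dfd, "fresh", 0); unlink(planted); unlink(victim);
    close(dfd); rmdir(dir);
    return 0;
}
```

The same rule applies to the register scripts: a shell that writes `> /tmp/fixedname` follows a planted link just like open_temp_unsafe above, so shell code should take its name from `mktemp` rather than choosing one.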

Multiple Vendors

ISC BIND 8.4.4, 8.4.5

A remote Denial of Service vulnerability exists in the handling of the 'q_usedns' array due to insufficient validation of the length of user-supplied input before it is copied into static process buffers. This could possibly lead to the execution of arbitrary code.

Upgrade available at:
http://www.isc.org/
index.pl?/sw/bind/

Astaro Linux:
http://www.astaro.org/
showflat.php?Cat=&Number
=55637&page=0&view=
collapsed&sb=5&o=
&fpart=1#55637

SCO:
ftp://ftp.sco.com/pub/
updates/OpenServer/
SCOSA-2006.1

Currently we are not aware of any exploits for this vulnerability.


ISC BIND 'Q_UseDNS' Remote Denial of Service

CVE-2005-0033


High

US-CERT Vulnerability Note, VU#327633, January 25, 2005

Astaro Security Linux Announcement, February 17, 2005

SCO Security Advisory, SCOSA-2006.1, January 3, 2006

Multiple Vendors

Linux kernel 2.6-2.6.14


Multiple vulnerabilities have been reported: a Denial of Service vulnerability was reported in 'mm/mempolicy.c' when handling the policy system call; a remote Denial of Service vulnerability was reported in 'net/ipv4/fib_frontend.c' when validating the header and payload of fib_lookup netlink messages; an off-by-one buffer overflow vulnerability was reported in 'kernel/sysctl.c,' which could let a malicious user cause a Denial of Service and potentially execute arbitrary code; and a buffer overflow vulnerability was reported in the DVB (Digital Video Broadcasting) driver subsystem, which could let a malicious user cause a Denial of Service or potentially execute arbitrary code.

Upgrades available at:
http://kernel.org/pub/
linux/kernel/v2.6/
linux-2.6.15.tar.bz2

An exploit script has been published.


Linux Kernel Multiple Vulnerabilities

CVE-2005-3358


High

Secunia Advisory: SA18216, January 4, 2006

Multiple Vendors

MandrakeSoft Linux Mandrake 2006.0, 10.2, 10.1 (including x86_64 builds);
MandrakeSoft Corporate Server 3.0, 2.1 (including x86_64 builds);
Jean-Jacques Sarton mtink 1.0.5

A buffer overflow vulnerability has been reported when handling the HOME environment variable due to a boundary error, which could let a malicious user execute arbitrary code with root privileges.

Mandrake:
http://wwwnew.mandriva.
com/security/advisories?
name=MDKSA-2005:239

An exploit has been published.

MTink Home Environment Variable Buffer Overflow

CVE-2005-4604

High

Security Focus, Bugtraq ID: 16095, December 31, 2005

Mandriva Linux Security Advisory, MDKSA-2005:239, December 31, 2005
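The HOME overflow described above, as an added example that is not mtink's code: the vulnerable pattern copies an environment variable into a fixed buffer with strcpy/strcat, and the hardened form uses bounded formatting and refuses a value that does not fit instead of truncating it into a different path. The 256-byte buffer, the `.mtinkrc` suffix and the 4 KB hostile HOME are assumptions.

```c
/* Added example, not mtink's code: an environment variable copied into a
 * fixed buffer without a length check, beside a bounded version.  The
 * 256-byte buffer and the ".mtinkrc" suffix are assumptions. */
#define _DEFAULT_SOURCE
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define RC_MAX 256

/* Vulnerable pattern: strcpy/strcat trust the length of HOME, which the
 * invoking user controls.  In a setuid binary a HOME longer than RC_MAX
 * writes past 'path' and can overwrite the saved return address.  Shown
 * only to make the bug concrete; never call it with untrusted input. */
void build_rc_path_unsafe(const char *home, char path[RC_MAX])
{
    strcpy(path, home);                     /* no bound on strlen(home) */
    strcat(path, "/.mtinkrc");
}

/* Hardened: bounded formatting plus an explicit check, so an over-long
 * HOME is refused rather than silently truncated into a different path. */
int build_rc_path_safe(const char *home, char *path, size_t pathlen)
{
    if (home == NULL || home[0] != '/')
        return -1;                          /* HOME must be absolute */
    int n = snprintf(path, pathlen, "%s/.mtinkrc", home);
    if (n < 0 || (size_t)n >= pathlen)
        return -1;                          /* does not fit */
    return 0;
}

/* Reads HOME from the environment exactly as the program would. */
int load_rc_path(char *path, size_t pathlen)
{
    return build_rc_path_safe(getenv("HOME"), path, pathlen);
}

/* Self-test with a constructed hostile HOME (4 KB of 'A').  Returns 0 on
 * success, otherwise the number of the first failed check. */
int selftest_home_handling(void)
{
    char path[RC_MAX];
    if (build_rc_path_safe("/home/alice", path, sizeof path) != 0) return 1;
    if (strcmp(path, "/home/alice/.mtinkrc") != 0) return 2;

    char hostile[4096];
    memset(hostile, 'A', sizeof hostile);
    hostile[0] = '/';
    hostile[sizeof hostile - 1] = '\0';
    if (build_rc_path_safe(hostile, path, sizeof path) != -1) return 3;
    if (build_rc_path_safe("relative/home", path, sizeof path) != -1) return 4;

    if (setenv("HOME", hostile, 1) != 0) return 5;
    if (load_rc_path(path, sizeof path) != -1) return 6;
    if (setenv("HOME", "/home/alice", 1) != 0) return 7;
    if (load_rc_path(path, sizeof path) != 0) return 8;
    return strcmp(path, "/home/alice/.mtinkrc") == 0 ? 0 : 9;
}
```

For a setuid helper the stronger fix is to not consult HOME at all and derive the home directory from getpwuid(getuid()), since the environment is entirely under the caller's control.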

Multiple Vendors

Network Block Device NBD 2.8-2.8.2, 2.7.5;
Gentoo Linux;
Debian Linux 3.0 and 3.1 (all supported architectures)

A buffer overflow vulnerability has been reported in the 'nbd-server' when handling specially crafted requests, which could let a remote malicious user execute arbitrary code.

Upgrades available at:
http://prdownloads.sourceforge.net/nbd/nbd-2.7.6.tar.bz2?download

Debian:
http://security.debian.org/pool/updates/main/n/nbd/

Gentoo:
http://security.gentoo.org/glsa/glsa-200512-14.xml

Currently we are not aware of any exploits for this vulnerability.

Multiple Vendors Network Block Device Server Buffer Overflow

CVE-2005-3534

High

Security Focus, Bugtraq ID: 16029, December 21, 2005

Debian Security Advisory, DSA 924-1, December 21, 2005

Gentoo Linux Security Advisory, GLSA 200512-14, December 23, 2006

Multiple Vendors

RedHat Fedora Core4, Core3;
Eric Raymond Fetchmail 6.3.0, 6.2.5.4, 6.2.5.2, 6.2.5.1, 6.2.5

A remote Denial of Service vulnerability has been reported when Fetchmail is configured in 'multidrop' mode due to a failure to handle unexpected input.

Upgrades available at:
http://download.berlios.de/fetchmail/fetchmail-6.2.5.5.tar.bz2

Fedora:
http://download.fedora.redhat.com/pub/fedora/linux/core/updates/

Mandriva:
http://wwwnew.mandriva.com/security/advisories?dis=10.2

Ubuntu:
http://security.ubuntu.com/ubuntu/pool/main/f/fetchmail/

There is no exploit code required.


Fetchmail Remote Denial of Service

CVE-2005-4348


Low

Security Focus, Bugtraq ID: 15987, December 20, 2005

Fedora Update Notifications
FEDORA-2005-1186 & 1187, December 20, 2005

Mandriva Linux Security Advisory MDKSA-2005:236, December 23, 2005

Ubuntu Security Notice, USN-233-1 January 02, 2006

PHP

PHP 5.0.0-5.0.5, 4.4.0, 4.3.1-4.3.11, 4.2-4.2.3, 4.1.0-4.1.2, 4.0.0-4.0.7

A Denial of Service vulnerability has been reported in the 'sapi_apache2.c' file.

PHP 5.1.0 final and 4.4.1 final are not affected by this issue. Please contact the vendor to obtain fixes.

Gentoo:
http://security.gentoo.org/glsa/glsa-200511-08.xml

Mandriva:
http://wwwnew.mandriva.com/security/advisories?dis=10.2

Trustix:
http://http.trustix.org/pub/trustix/updates/

Ubuntu:
http://security.ubuntu.com/ubuntu/pool/main/p/php4/

There is no exploit code required.

PHP Apache 2 Denial of Service

CVE-2005-3319

Low

Security Focus, Bugtraq ID: 15177, October 24, 2005

Gentoo Linux Security Advisory, GLSA 200511-08, November 14, 2005

Mandriva Linux Security Advisory, MDKSA-2005:213, November 16, 2005

Trustix Secure Linux Security Advisory, TSLSA-2005-0062, November 22, 2005

Ubuntu Security Notice, USN-232-1, December 23, 2005

PTnet

PTnet IRCD 1.6, 1.5

A remote Denial of Service vulnerability has been reported when attempting to open restricted channels.

No workaround or patch available at time of publishing.

There is no exploit code required.

PTnet IRCD Remote Denial of Service
Low
Security Tracker Alert ID: 1015425, December 30, 2005

rssh

rssh 2.2-2.2.3, 2.1, 2.0

A vulnerability has been reported in the 'rssh_chroot_helper' command due to a design error, which could let a malicious user obtain superuser privileges.

Upgrades available at:
http://prdownloads.sourceforge.net/rssh/rssh-2.3.1.tar.gz?download

Gentoo:
http://security.gentoo.org/glsa/glsa-200512-15.xml

Currently we are not aware of any exploits for this vulnerability.

RSSH CHRoot Directory Superuser Privileges

CVE-2005-3345

High

Secunia Advisory: SA18224, December 23, 2005

Gentoo Linux Security Advisory GLSA 200512-15, December 27, 2005

SCO

Open Server 5.0-5.0.7

A buffer overflow vulnerability has been reported in termsh, which could let a malicious user execute arbitrary code.

No workaround or patch available at time of publishing.

An exploit script has been published.


SCO OpenServer Termsh Buffer Overflow

CVE-2006-0072


High

Security Focus, Bugtraq ID: 16122, January 3, 2006

scponly

scponly 4.1 & prior

Several vulnerabilities have been reported: a vulnerability was reported in 'scponlyc' due to a design error, which could let a malicious user execute arbitrary code with root privileges; and a vulnerability was reported due to an error in the validation of user-supplied command line, which could let a malicious user bypass security restrictions.

Upgrades available at:
http://sublimation.org/scponly/scponly-4.2.tgz

Gentoo:
http://security.gentoo.org/glsa/glsa-200512-17.xml

There is no exploit code required.

scponly Privilege Escalation & Security Bypass

CVE-2005-4532
CVE-2005-4533

High

Secunia Advisory: SA18223, December 23, 2005

Gentoo Linux Security Advisory, GLSA 200512-17, December 29, 2005

Sun Microsystems, Inc.

PC NetLink 2.0

Insecure permissions vulnerabilities have been reported due to a flaw in the 'slsadmin' and 'slsmgr' scripts, which could let a malicious user obtain elevated privileges.

Update information available at:
http://sunsolve.sun.com/searchproxy/document.do?assetkey=1-26-102117-1

http://sunsolve.sun.com/searchproxy/document.do?assetkey=1-26-102122-1

There is no exploit code required.

Sun Solaris PC NetLink Insecure Permissions

CVE-2005-4552

Medium
Sun(sm) Alert Notifications
Sun Alert ID: 102117 & 102122, December 23, 2005

The Open Group

Open Motif 2.2.3

Two buffer overflow vulnerabilities have been reported in libUil (User Interface Language): a buffer overflow vulnerability was reported in 'diag_issue_diagnostic()' due to the use of the vsprintf() libc procedure, which could let a remote malicious user execute arbitrary code; and a vulnerability was reported in 'open_source_file()' due to the use of the strcpy() libc procedure, which could let a remote malicious user execute arbitrary code.

Gentoo:
http://security.gentoo.org/glsa/glsa-200512-16.xml

Currently we are not aware of any exploits for these vulnerabilities.

Open Motif libUil Buffer Overflows

CVE-2005-3964

High

Security Focus, Bugtraq ID: 15678, December 2, 2005

Gentoo Linux Security Advisory, GLSA 200512-16, December 28, 2005

TkDiff

TkDiff 4.1, 4.0.2, 4.0, 3.0.9

A vulnerability has been reported due to the insecure creation of temporary files, which could let a remote malicious user modify system/user information or obtain unauthorized access.

Upgrades available at:
http://freshmeat.net/redir/tkdiff/10603/url_tgz/tkdiff_4_1_1.tar.gz

Debian:
http://security.debian.org/pool/updates/main/t/tkdiff/

Mandriva:
http://wwwnew.mandriva.com/security/advisories?dis=10.2

There is no exploit code required.

TkDiff Insecure Temporary File Creation

CVE-2005-3343

Medium

Security Tracker Alert ID: 1015421, December 28, 2005

Debian Security Advisories, DSA 927-1 & 927-2 , December 27, 2005

Mandriva Linux Security Advisory MDKSA-2006:001, January 3, 2006

Multiple Operating Systems - Windows / UNIX / Linux / Other

Vendor & Software Name
Vulnerability - Impact / Patches - Workarounds / Attack Scripts
Common Name / CVE Reference
Risk
Source

Ades Design

AdesGuestbook 2.0

A Cross-Site Scripting vulnerability has been reported in 'read.php' due to insufficient sanitization of the 'totalRows_rsRead' parameter before returning to the user, which could let a remote malicious user execute arbitrary HTML and script code.

No workaround or patch available at time of publishing.

A Proof of Concept exploit has been published.

Ades Design AdesGuestbook Cross-Site Scripting

CVE-2005-4596

Medium
Secunia Advisory: SA18244, December 30, 2005

AlstraSoft

EPay Enterprise 3.0

HTML injection vulnerabilities have been reported in 'profile.htm,' 'card.htm,' 'bank.htm,' 'subscriptions.htm,' 'send.htm,' 'request.htm,' 'forgot.htm,' 'escrow.htm,' 'donations.htm,' and 'products.htm' due to insufficient sanitization, which could let a remote malicious user execute arbitrary HTML and script code.

No workaround or patch available at time of publishing.

There is no exploit code required.

AlstraSoft EPay Enterprise Multiple HTML Injection

CVE-2005-4530

Medium
Secunia Advisory: SA18153, December 23, 2005

Baseline CMS

Baseline CMS 1.95

Multiple vulnerabilities have been reported: a Cross-Site Scripting vulnerability was reported in 'Page.asp' due to insufficient sanitization of the 'PageID' and 'SiteNodeID' parameters before returning to the user, which could let a remote malicious user execute arbitrary HTML and script code; and an SQL injection vulnerability was reported in 'Page.asp' due to insufficient sanitization of the 'SideNodeID' parameter before using in an SQL query, which could let a remote malicious user execute arbitrary SQL code.

No workaround or patch available at time of publishing.

There is no exploit code required; however, Proof of Concept exploits have been published.

Baseline CMS SQL Injection & Cross-Site Scripting
Medium
Security Focus, Bugtraq ID: 15961, December 20, 2005

Bitweaver

Bitweaver 1.1.1 beta

Multiple vulnerabilities have been reported: an SQL injection vulnerability was reported due to insufficient sanitization of the 'sort_mode,' 'post_id,' and 'blog_id' parameters before using in an SQL query, which could let a remote malicious user execute arbitrary SQL code; a Cross-Site Scripting vulnerability was reported due to insufficient sanitization of the 'sort_mode,' 'post_id,' 'blog_id' and search field parameters in '/users/my_groups.php' before returning to the user, which could let a remote malicious user execute arbitrary HTML and script code; and a path disclosure vulnerability was reported which could let a remote malicious user obtain sensitive information.

Upgrades available at:
http://prdownloads.sourceforge.net/bitweaver/bitweaver_1.2.0.tar.gz

There is no exploit code required; however, Proof of Concept exploits have been published.

Bitweaver Multiple Input Validation

CVE-2005-4379
CVE-2005-4380

Medium
Security Focus, Bugtraq ID: 15962, December 20, 2005

B-Net Software

B-Net Software 1.0

An HTML injection vulnerability has been reported due to insufficient sanitization of various fields when signing the guestbook and sending a message via 'Shoutbox,' which could let a remote malicious user execute arbitrary HTML and script code.

No workaround or patch available at time of publishing.

There is no exploit code required; however, a Proof of Concept exploit has been published.

B-Net HTML Injection

CVE-2006-0078

Medium
Security Focus, Bugtraq ID: 16114, January 2, 2006

BZFlag

BZFlag 2.0.4, 2.0.2, 2.0

A remote Denial of Service vulnerability has been reported when handling callsigns that are not NULL terminated.

The vulnerability has reportedly been fixed in the CVS repositories.

An exploit script has been published.

BZFlag Remote Denial of Service

CVE-2005-4584

Low
Secunia Advisory: SA18238, December 27, 2005

Chipmunk Guestbook

Chipmunk Guestbook 1.4

An HTML injection vulnerability has been reported due to insufficient sanitization of the homepage field when signing the guestbook, which could let a remote malicious user execute arbitrary HTML and script code.

No workaround or patch available at time of publishing.

A Proof of Concept exploit has been published.

Chipmunk GuestBook HTML Injection

CVE-2006-0069

Medium
Secunia Advisory: SA18270, January 2, 2006

Cisco Systems

Cisco Firewall Services Module (FWSM) 1.x, 2.x,
Cisco Secure ACS 3.x

A vulnerability has been reported in the Downloadable IP ACL (Access Control List) feature due to a design error, which could let a malicious user bypass security restrictions.

Workaround instructions available at:
http://www.cisco.com/en/US/products/sw/secursw/ps2086/products_field_notice09186a00805bf1c4.shtml

There is no exploit code required.

Cisco Secure Access Control Server Downloadable IP Access Control List
Medium
Secunia Advisory: SA18141, January 3, 2006

Day Software

Communique 4.0

A Cross-Site Scripting vulnerability has been reported due to insufficient sanitization of the 'query' parameter when performing a search, which could let a remote malicious user execute arbitrary HTML and script code.

No workaround or patch available at time of publishing.

There is no exploit code required.

Day Communique Cross-Site Scripting

CVE-2005-4580

Medium
Security Focus, Bugtraq ID: 16072, December 27, 2005

Dev

Dev Web Management System 1.5

Several vulnerabilities have been reported: an SQL injection vulnerability was reported in 'index.php' and 'getfile.php' due to insufficient sanitization of the 'cat' parameter and in 'download_now.php' due to insufficient sanitization of the 'target' parameter before using in an SQL query, which could let a remote malicious user execute arbitrary SQL code; and a Cross-Site Scripting vulnerability was reported in 'add.php' due to insufficient sanitization of the 'language' array parameter before returning to the user, which could let a remote malicious user execute arbitrary HTML and script code.

No workaround or patch available at time of publishing.

There is no exploit code required; however, Proof of Concept exploits and an exploit script have been published.

Dev Web Management System Multiple Input Validation

CVE-2005-4554
CVE-2005-4555

Medium
Security Tracker Alert ID: 1015410, December 25, 2005

Direct News

Direct News 4.9

An SQL injection vulnerability has been reported in 'index.php' due to insufficient sanitization of the 'setLang' and search module parameter before using in an SQL query, which could let a remote malicious user execute arbitrary SQL code.

No workaround or patch available at time of publishing.

There is no exploit code required; however, a Proof of Concept exploit has been published.

Direct News SQL Injection

CVE-2005-4527

Medium
Security Focus, Bugtraq ID: 15957, December 19, 2005

Dream4

Koobi 5.0

A script injection vulnerability has been reported because a remote malicious user can nest BBCode URL tags and execute arbitrary HTML and script code.

No workaround or patch available at time of publishing.

There is no exploit code required; however, a Proof of Concept exploit has been published.


Koobi BBCode URL Tag Script Injection

CVE-2005-4588


Medium

Security Focus, Bugtraq ID: 16078, December 28, 2005

Epic Designs

eggblog 2.0

Several vulnerabilities have been reported: a path disclosure vulnerability was reported when an invalid 'q' parameter is used by the 'Keyword' and 'Search' fields, which could let a remote malicious user obtain sensitive information; and a Cross-Site Scripting vulnerability has been reported in 'search.php' due to insufficient sanitization of the 'q' parameter when performing a search, which could let a remote malicious user execute arbitrary HTML and script code.

No workaround or patch available at time of publishing.

There is no exploit code required.

Epic Designs Eggblog Path Disclosure & Cross-Site Scripting

CVE-2005-4546
CVE-2005-4547

Medium
Security Focus, Bugtraq ID: 16056, December 23, 2005

Ethereal Group

Ethereal 0.10-0.10.13, 0.9-0.9.16, 0.8.19, 0.8.18, 0.8.13-0.8.15, 0.8.5, 0.8, 0.7.7

A buffer overflow vulnerability has been reported in the 'dissect_ospf_v3_address_prefix()' function in the OSPF protocol dissector due to a boundary error when converting received binary data to a human readable string, which could let a remote malicious user execute arbitrary code.

Patch available at:
http://anonsvn.ethereal.com/viewcvs/viewcvs.py/trunk/epan/dissectors/packet-ospf.c?rev=16507&view=markup

Debian:
http://security.debian.org/pool/updates/main/e/ethereal/

Gentoo:
http://security.gentoo.org/glsa/glsa-200512-06.xml

Mandriva:
http://wwwnew.mandriva.com/security/advisories?dis=10.2

Currently we are not aware of any exploits for this vulnerability.


Ethereal OSPF Protocol Dissection Buffer Overflow

CVE-2005-3651
High

iDefense Security Advisory, December 9, 2005

Debian Security Advisory DSA 920-1, December 13, 2005

Gentoo Linux Security Advisory, GLSA 200512-06, December 14, 2005

Mandriva Linux Security Advisory MDKSA-2005:227, December 15, 2005

Mandriva Linux Security Advisory MDKSA-2006:002, January 3, 2006

Ethereal Group

Ethereal 0.9.1-0.10.13

A remote Denial of Service vulnerability has been reported in the IRC and GTP dissectors when a malicious user submits a specially crafted packet.

Upgrades available at:
http://www.ethereal.com/download.html

Mandriva:
http://wwwnew.mandriva.com/security/advisories?dis=10.2

Currently we are not aware of any exploits for this vulnerability.


Ethereal IRC & GTP Dissectors Remote Denial of Service

CVE-2005-4585


Low

Ethereal Security Advisory, enpa-sa-00022, December 27, 2005

Mandriva Linux Security Advisory MDKSA-2006:002, January 3, 2006

FatWire Corporation

UpdateEngine 6.2

Cross-Site Scripting vulnerabilities have been reported in 'UpdateEngine' due to insufficient sanitization of the 'FUELAP_TEMPLATENAME,' 'EMAIL,' and 'COUNTRYNAME' parameters before returning to the user, which could let a remote malicious user execute arbitrary HTML and script code.

No workaround or patch available at time of publishing.

There is no exploit code required; however, Proof of Concept exploits have been published.

FatWire UpdateEngine Multiple Cross-Site Scripting

CVE-2005-4576

Medium
Security Focus, Bugtraq ID: 16073, December 27, 2005

File::ExtAttr

File::ExtAttr 0.2, 0.1

An off-by-one buffer overflow vulnerability has been reported in 'getfattr()' when the extended attributes of a file are retrieved, which could let a remote malicious user cause a Denial of Service.

Upgrades available at:
http://sourceforge.net/project/showfiles.php?group_id=153116&package_id=169603&release_id=382199

Currently we are not aware of any exploits for this vulnerability.

File::ExtAttr Off-By-One Buffer Overflow

CVE-2006-0077

Low
Secunia Advisory: SA18253, January 2, 2006

GFHost / GmailSite

GMailSite 1.0-1.0.4; GFHost 0.4-0.4.2, 0.3, 0.2, 0.1.1

A vulnerability was reported in 'index.php' due to insufficient verification of the 'Ing' parameter before used to include files, which could let a remote malicious user include arbitrary files from local resources.

No workaround or patch available at time of publishing.

There is no exploit code required; however, a Proof of Concept exploit has been published.


GFHost / GmailSite File Inclusion


Medium

Secunia Advisory: SA18155, December 29, 2005

Hitachi

Business Logic 2.0.6, 2.0, 1.1, 1.0

Several vulnerabilities have been reported: a Cross-Site Scripting vulnerability was reported in input forms due to insufficient sanitization of unspecified input, which could let a remote malicious user execute arbitrary HTML and script code and inject arbitrary HTTP headers; and an SQL injection vulnerability was reported in input forms due to insufficient sanitization of unspecified input before using in an SQL query, which could let a remote malicious user execute arbitrary SQL code.

Patch information available at:
http://www.hitachi-support.com/security_e/vuls_e/HS05-025_e/01-e.html

There is no exploit code required.

Hitachi Business Logic Input Validation

CVE-2005-4577
CVE-2005-4578
CVE-2005-4579

Medium
Hitachi Security Bulletin, HS05-025, December 27, 2005

IDV Directory Viewer

IDV Directory Viewer 2005.1 b1

A vulnerability has been reported in 'index.php' due to insufficient sanitization of the 'dir' parameter before used to generate directory listings, which could let a remote malicious user obtain sensitive information.

Upgrade available at:
http://prdownloads.sourceforge.net/idv/idv-2005_1.zip

There is no exploit code required.

IDV Directory Viewer Index.PHP Information Disclosure
Medium
Secunia Advisory: SA18298, January 4, 2006

INCOGEN

BugPort 1.147 & prior

Several vulnerabilities have been reported: an SQL injection vulnerability was reported in 'index.php' due to insufficient sanitization of the 'orderBy,' 'where,' and 'devWherePair[1][0]' parameters before using in an SQL query, which could let a remote malicious user execute arbitrary SQL code; a Cross-Site Scripting vulnerability was reported in 'index.php' due to insufficient sanitization of unspecified input before returning to the user, which could let a remote malicious user execute arbitrary HTML and script code; and a vulnerability was reported because remote malicious users can obtain sensitive information via an invalid action parameter.

No workaround or patch available at time of publishing.

There is no exploit code required; however, Proof of Concept exploit scripts have been published.

INCOGEN BugPort Cross-Site Scripting, SQL Injection, & Path Disclosure

CVE-2005-4607
CVE-2005-4608
CVE-2005-4609

Medium
Secunia Advisory: SA18282, January 2, 2006

Intel

Intel Graphics Driver 6.14.10.4308,
Intel Graphics Driver

A remote Denial of Service vulnerability has been reported in the 'ialmrnt5' display driver when handling overly long text in a text field.

No workaround or patch available at time of publishing.

A Proof of Concept exploit has been published.

Intel Graphics Accelerator Driver Remote Denial of Service

CVE-2006-0081

Low
Secunia Advisory: SA18286, January 3, 2006

iPei Guestbook

iPei Guestbook 1.7 & prior

A Cross-Site Scripting vulnerability has been reported in 'index.php' due to insufficient sanitization of user-supplied input, which could let a remote malicious user execute arbitrary HTML and script code.

No workaround or patch available at time of publishing.

There is no exploit code required.

iPei Guestbook Cross-Site Scripting

CVE-2005-4597

Medium
Security Focus, Bugtraq ID: 16092, December 30, 2005

Jevontech

PHPenpals 310704

An SQL injection vulnerability has been reported in 'profile.php' due to insufficient sanitization of the 'personalID' parameter before using in an SQL query, which could let a remote malicious user execute arbitrary SQL code.

No workaround or patch available at time of publishing.

A Proof of Concept exploit has been published.

PHPenpals SQL Injection

CVE-2006-0074

Medium
Secunia Advisory: SA18269, January 2, 2006

Kayako

Kayako SupportSuite 3.00.26

Cross-Site Scripting vulnerabilities have been reported in the 'register,' 'submit,' and 'lostpassword' modules due to insufficient sanitization of the 'Full Name,' 'Email,' 'Subject,' and 'Registered Email' fields and in 'index.php' due to insufficient sanitization of the 'nav' parameter, which could let a remote malicious user execute arbitrary HTML and script code.

No workaround or patch available at time of publishing.

There is no exploit code required; however, a Proof of Concept exploit has been published.

Kayako SupportSuite Multiple Cross-Site Scripting
Medium
Security Focus, Bugtraq ID: 16094, December 30, 2005

Lighthouse

Lighthouse CMS 1.1

A Cross-Site Scripting vulnerability has been reported due to insufficient sanitization of the 'search' parameter before returning to the user, which could let a remote malicious user execute arbitrary HTML and script code.

No workaround or patch available at time of publishing.

There is no exploit code required; however, a Proof of Concept exploit has been published.

Lighthouse CMS Cross-Site Scripting
Medium
Security Focus, Bugtraq ID: 15952, December 19, 2005

Lizard Cart

Lizard Cart CMS 1.0.4

An SQL injection vulnerability has been reported due to insufficient sanitization of the 'id' parameter before using in an SQL query, which could let a remote malicious user execute arbitrary SQL code.

No workaround or patch available at time of publishing.

There is no exploit code required; however, a Proof of Concept exploit has been published.

Lizard Cart CMS SQL Injection
Medium
Secunia Advisory: SA18297, January 4, 2006

Mantis

Mantis prior to 0.19.4, and 1.0.0rc4

Multiple remote vulnerabilities have been reported which could let a remote malicious user obtain sensitive information, conduct Cross-Site Scripting, HTML, and SQL injection attacks, and execute arbitrary PHP code.

Upgrades available at:
http://prdownloads.sourceforge.net/mantisbt/mantis-0.19.4.tar.gz

Gentoo:
http://security.gentoo.org/glsa/glsa-200512-12.xml

There is no exploit code required.

High
Gentoo Linux Security Advisory, GLSA 200512-12, December 22, 2005

Moxiecode Systems

TinyMCE Compressor 1.0.5 & prior

Several vulnerabilities have been reported: a file disclosure vulnerability was reported due to insufficient sanitization of unspecified input before used to view files, which could let a remote malicious user obtain sensitive information; and a Cross-Site Scripting vulnerability was reported in 'tiny_mce_gzip.php' due to insufficient sanitization of the 'index' parameter before returning to the user, which could let a remote malicious user execute arbitrary HTML and script code.

Upgrades available at:
http://tinymce.moxiecode.com/download.php

There is no exploit code required.

TinyMCE compressor Cross-Site Scripting & File Disclosure

CVE-2005-4599
CVE-2005-4600

Medium
Hardened-PHP Project Advisory, December 30, 2005

Multiple Vendors

MandrakeSoft Linux Mandrake 2006.0 x86_64, 2006.0, 10.2 x86_64, 10.2;
Gentoo Linux;
Ethereal Group Ethereal 0.10.1-0.10.13, 0.9-0.9.16, 0.8.19, 0.8.18, 0.8.13-0.8.15, 0.8.5, 0.8, 0.7.7

A vulnerability has been reported in the Ethereal IRC Protocol Dissector, which could let remote malicious users cause a Denial of Service.

Mandriva:
http://www.mandriva.com/security/advisories

Gentoo:
http://security.gentoo.org/glsa/glsa-200510-25.xml

SUSE:
ftp://ftp.suse.com/pub/suse/

Conectiva:
ftp://atualizacoes.conectiva.com.br/10/

Mandriva:
http://wwwnew.mandriva.com/security/advisories?dis=10.2

Currently we are not aware of any exploits for this vulnerability.

Ethereal Denial of Service

CVE-2005-3313

Low

Mandriva Linux Security Advisory, MDKSA-2005:193-1, October 26, 2005

Gentoo Linux Security Advisory, GLSA 200510-25, October 30, 2005

SUSE Security Summary Report, SUSE-SR:2005:025, November 4, 2005

Conectiva Security Announcement, CLSA-2005:1043, November 8, 2005

Mandriva Linux Security Advisory MDKSA-2006:002, January 3, 2006

Multiple Vendors

NView 4.x;
XnView 1.x; Gentoo x11-misc/xnview

A vulnerability has been reported in the 'nview' and 'xnview' binaries due to an insecure RPATH configuration, which could let a remote malicious user execute arbitrary code.

Gentoo:
http://security.gentoo.org/glsa/glsa-200512-18.xml

There is no exploit code required.

XnView / NView Insecure RPATH

CVE-2005-4595

Medium

Secunia Advisory: SA18235, December 29, 2005

Gentoo Linux Security Advisory, GLSA 200512-18, December 30, 2005

Multiple Vendors

Proxim Wireless AP-700 2.4.11, AP-600 2.4.11, AP-4000 2.4.11, AP-2000 2.4.11;
Avaya Wireless AP-8 2.5, AP-8, AP-7 2.5, AP-7, AP-6 2.5.4, AP-6 2.5, AP-6, AP-5 2.5.4, AP-5 2.5, AP-5, AP-4 2.5.4, AP-4 2.5, AP-4, AP-3 2.5.4, AP-3 2.5, AP-3

An authentication bypass vulnerability has been reported due to a hard coded static WEP key, which could let a remote malicious user bypass authentication.

Proxim:
http://keygen.proxim.com/support/cs/Documents/802.1x_vulnerability.pdf

Avaya:
http://support.avaya.com/elmodocs2/security/ASA-2005-233.pdf

There is no exploit code required.

Multiple Vendor Wireless Access Points Static WEP Key Authentication Bypass

CVE-2005-3253

Medium

Avaya Security Advisory, ASA-2005-233, December 15, 2005

Proxim Security Advisory, ASA-2005-3253, December 2, 2005

Multiple Vendors

RedHat Fedora Core4, Core3; PHP 5.0.4, 4.3.9

A remote Denial of Service vulnerability has been reported when parsing EXIF image data contained in corrupt JPEG files.

Fedora:
http://download.fedora.redhat.com/pub/fedora/linux/core/updates/

RedHat:
http://rhn.redhat.com/errata/RHSA-2005-831.html

Mandriva:
http://wwwnew.mandriva.com/security/advisories?dis=10.2

FedoraLegacy:
http://download.fedoralegacy.org/

SGI:
ftp://patches.sgi.com/support/free/security/advisories/

OpenPKG:
http://www.openpkg.org/

SUSE:
ftp://ftp.suse.com/pub/suse/

Ubuntu:
http://security.ubuntu.com/ubuntu/pool/main/p/php4/

Currently we are not aware of any exploits for this vulnerability.

PHP Group Exif Module Remote Denial of Service

CVE-2005-3353

Low

Fedora Update Notifications,
FEDORA-2005-1061 & 1062, November 8, 2005

RedHat Security Advisory, RHSA-2005:831-15, November 10, 2005

Mandriva Linux Security Advisory, MDKSA-2005:213, November 16, 2005

Fedora Legacy Update Advisory, FLSA:166943, November 28, 2005

SGI Security Advisory, 20051101-01-U, November 29, 2005

OpenPKG Security Advisory, OpenPKG-SA-2005.027, December 3, 2005

SuSE Security Announcement, SUSE-SA:2005:069, December 14, 2005

Ubuntu Security Notice, USN-232-1, December 23, 2005

MyBB Group

DevBB 1.0

An SQL injection vulnerability has been reported in the 'admin/globa.php' script when user-supplied input is passed via cookie data, which could let a remote malicious user execute arbitrary SQL code.

No workaround or patch available at time of publishing.

There is no exploit code required; however, a Proof of Concept exploit has been published.


MyBB DevBB SQL Injection


Medium

Security Focus, Bugtraq ID: 16082, December 29, 2005

MyBB Group

MyBulletinBoard PR2 Rev.686 & prior

SQL injection vulnerabilities have been reported due to insufficient sanitization of several scripts, which could let a remote malicious user execute arbitrary SQL code.

Updates available at:
http://www.mybboard.com/downloads.php

There is no exploit code required.

MyBB Input Validation
Medium
Security Tracker Alert ID: 1015407, December 24, 2005

NETonE

phpBook 1.3.2, 1.3, 1.2, 1.1, 1.0

A vulnerability has been reported due to insufficient sanitization of the 'email' parameter when signing the guestbook, which could let a remote malicious user execute arbitrary PHP code.

No workaround or patch available at time of publishing.

A Proof of Concept exploit has been published.

NETOnE phpBook Arbitrary PHP Code Execution

CVE-2006-0075

High
Secunia Advisory: SA18268, January 2, 2006

OaBoard

OaBoard 1.0

A file include vulnerability was reported in 'forum.php,' which could let a remote malicious user execute arbitrary PHP code.

No workaround or patch available at time of publishing.

A Proof of Concept exploit has been published.

OABoard Forum Script Remote File Include

CVE-2006-0076

High
Security Focus, Bugtraq ID: 16105, January 2, 2006

OOApp Guestbook

OOApp Guestbook 2.1

A Cross-Site Scripting vulnerability has been reported in 'home.php' due to insufficient sanitization of the 'page' parameter before returning to the user, which could let a remote malicious user execute arbitrary HTML and script code.

No workaround or patch available at time of publishing.

A Proof of Concept exploit has been published.

OOApp Guestbook Cross-Site Scripting

CVE-2005-4598

Medium
Security Focus, Bugtraq ID: 16091, December 30, 2005

Oracle Corporation

Oracle Application Server Discussion Forum Portlet

Several vulnerabilities have been reported including Cross-Site Scripting vulnerabilities, HTML injection vulnerabilities and a source code disclosure vulnerability, which could let a remote malicious user execute arbitrary HTML and script code and obtain sensitive information.

No workaround or patch available at time of publishing.

There is no exploit code required; however, Proof of Concept exploits have been published.

Oracle Application Server Discussion Forum Portlet Multiple Remote Vulnerabilities

CVE-2005-4549
CVE-2005-4550

Medium
Security Focus, Bugtraq ID: 16048, December 23, 2005

PaperThin

CommonSpot Content Server 4.5

Several vulnerabilities have been reported: a Cross-Site Scripting vulnerability was reported in 'loader.cfm' due to insufficient sanitization of the 'bNewWindow' parameter before returning to the user, which could let a remote malicious user execute arbitrary HTML and script code; and a vulnerability was reported in 'loader.cfm' when accessed by an invalid 'url' parameter, which could let a remote malicious user obtain sensitive information.

No workaround or patch available at time of publishing.

Proof of Concept exploits have been published.

PaperThin CommonSpot Content Server Cross-Site Scripting & Path Disclosure

CVE-2005-4574
CVE-2005-4575

Medium
Secunia Advisory: SA18257, December 27, 2005

PHP

PHP 4.0.x, 4.1.x, 4.2.x, 4.3.x, 4.4.x, 5.0.x

Multiple vulnerabilities have been reported: a vulnerability was reported due to insufficient protection of the 'GLOBALS' array, which could let a remote malicious user define global variables; a vulnerability was reported in the 'parse_str()' PHP function when handling an unexpected termination, which could let a remote malicious user enable the 'register_globals' directive; a Cross-Site Scripting vulnerability was reported in the 'phpinfo()' PHP function due to insufficient sanitization of user-supplied input, which could let a remote malicious user execute arbitrary HTML and script code; and an integer overflow vulnerability was reported in 'pcrelib' due to an error, which could let a remote malicious user corrupt memory.

Upgrades available at:
http://www.php.net/get/php-4.4.1.tar.gz

SUSE:
ftp://ftp.suse.com/pub/suse/

TurboLinux:
ftp://ftp.turbolinux.co.jp/pub/TurboLinux/TurboLinux/ia32/

Fedora:
http://download.fedora.redhat.com/pub/fedora/linux/core/updates/

RedHat:
http://rhn.redhat.com/errata/RHSA-2005-838.html
http://rhn.redhat.com/errata/RHSA-2005-831.html

Gentoo:
http://security.gentoo.org/glsa/glsa-200511-08.xml

Mandriva:
http://wwwnew.mandriva.com/security/advisories?dis=10.2

SUSE:
ftp://ftp.suse.com/pub/suse/

Trustix:
http://http.trustix.org/pub/trustix/updates/

SGI:
ftp://patches.sgi.com/support/free/security/advisories/

OpenPKG:
http://www.openpkg.org/

Ubuntu:
http://security.ubuntu.com/ubuntu/pool/main/p/php4/

There is no exploit code required.

Medium

Secunia Advisory: SA17371, October 31, 2005

SUSE Security Summary Report, SUSE-SR:2005:025, November 4, 2005

Turbolinux Security Advisory TLSA-2005-97, November 5, 2005

Fedora Update Notifications,
FEDORA-2005-1061 & 1062, November 8, 2005

RedHat Security Advisories, RHSA-2005:838-3 & RHSA-2005:831-15, November 10, 2005

Gentoo Linux Security Advisory, GLSA 200511-08, November 13, 2005

Mandriva Linux Security Advisory, MDKSA-2005:213, November 16, 2005

SUSE Security Summary Report, SUSE-SR:2005:027, November 18, 2005

Trustix Secure Linux Security Advisory, TSLSA-2005-0062, November 22, 2005

SGI Security Advisory, 20051101-01-U, November 29, 2005

OpenPKG Security Advisory, OpenPKG-SA-2005.027, December 3, 2005

SUSE Security Summary Report, SUSE-SR:2005:029, December 9, 2005

SUSE Security Announcement, SUSE-SA:2005:069, December 14, 2005

Ubuntu Security Notice, USN-232-1, December 23, 2005

phpBB Group

phpBB 2.0.18 & prior

A vulnerability has been reported in the 'url' bbcode tag due to insufficient sanitization before using, which could let a remote malicious user execute arbitrary HTML and script code.

Upgrades available at:
http://www.phpbb.com/downloads.php

There is no exploit code required.

PHPBB 'url' bbcode Script Insertion

Medium
Secunia Advisory: SA18252, January 2, 2006

phpdoc.org

phpDocumentor 1.3 RC3 & RC4, 1.2-1.2.3

File include vulnerabilities have been reported in 'Documentation/tests/bug-559668.php' due to insufficient verification of the 'FORUM[LIB]' parameter and in 'docbuilder/file_dialog.php' due to insufficient verification of the 'root_dir' parameter before used to include files, which could let a remote malicious user execute arbitrary PHP code.

No workaround or patch available at time of publishing.

There is no exploit code required; however, a Proof of Concept exploit script has been published.

PHPDocumentor File Include

CVE-2005-4593

Medium
Security Tracker Alert ID: 1015423, December 29, 2005

PHP-Fusion

PHP-Fusion 6.0 0.3

A Cross-Site Scripting vulnerability has been reported in 'members.php' due to insufficient sanitization of user-supplied input before returning to the user, which could let a remote malicious user execute arbitrary HTML and script code.

No workaround or patch available at time of publishing.

There is no exploit code required; however, a Proof of Concept exploit has been published.

PHP-Fusion Cross-Site Scripting

CVE-2005-4516

Medium
Security Focus, Bugtraq ID: 15931, December 19, 2005

PHPjournaler

PHPjournaler 1.0

An SQL injection vulnerability has been reported in 'index.php' due to insufficient sanitization of the 'readold' parameter before using in an SQL query, which could let a remote malicious user execute arbitrary SQL code.

No workaround or patch available at time of publishing.

A Proof of Concept exploit has been published.

PHPJournaler SQL Injection

CVE-2006-0066

Medium
Security Focus, Bugtraq ID: 16111, January 2, 2006

PHP

PHP 5.0.0-5.0.5, 4.4.1, 4.4.0, 4.3-4.3.11, 4.2-4.2.3, 4.1.0-4.1.2, 4.0.6, 4.0.7, RC1-RC3

A vulnerability has been reported in the 'mb_send_mail()' function due to an input validation error, which could let a remote malicious user inject arbitrary headers to generated email messages.

Upgrades available at:
http://www.php.net/get/php-5.1.0.tar.bz2/from/a/mirror

SUSE:
ftp://ftp.suse.com/pub/suse/

Ubuntu:
http://security.ubuntu.com/ubuntu/pool/main/p/php4/

Mandriva:
http://www.mandriva.com/security/advisories

There is no exploit code required.

PHP MB_Send_Mail Arbitrary Header Injection

CVE-2005-3883

Medium

Security Focus, Bugtraq ID: 15571, November 25, 2005

SUSE Security Announcement, SUSE-SA:2005:069, December 14, 2005

Ubuntu Security Notice, USN-232-1, December 23, 2005

Mandriva Linux Security Advisory, MDKSA-2005:238, December 27, 2005

PHPSurveyor

PHPSurveyor 0.99

An SQL injection vulnerability has been reported due to insufficient sanitization of the 'sid' parameter before using in an SQL query, which could let a remote malicious user execute arbitrary SQL code.

Upgrade available at:
http://prdownloads.sourceforge.net/phpsurveyor/phpsurveyor-0_991.zip?download

There is no exploit code required.


PHPSurveyor SQL Injection

CVE-2005-4586


Medium

Secunia Advisory: SA18167, December 28, 2005

Primo Place

Primo Cart 1.0

SQL injection vulnerabilities have been reported in 'user.php' due to insufficient sanitization of the 'email' parameter and in 'search.php' due to insufficient sanitization of the 'q' parameter before using in an SQL query, which could let a remote malicious user execute arbitrary SQL code.

No workaround or patch available at time of publishing.

There is no exploit code required; however, a Proof of Concept exploit has been published.

Primo Cart SQL Injection

CVE-2006-0068

Medium
Secunia Advisory: SA18264, January 2, 2006

raSMP

raSMP 2.0.0

An HTML injection vulnerability has been reported due to insufficient sanitization of the 'User-Agent' HTTP header before saving to the database, which could let a remote malicious user execute arbitrary HTML and script code.

No workaround or patch available at time of publishing.

There is no exploit code required.

raSMP User-Agent HTML Injection

Medium
Security Focus, Bugtraq ID: 16138, January 4, 2006

Real Web Solution

Statistics Counter Service 2.4

An SQL injection vulnerability has been reported in the user area due to insufficient sanitization of unspecified input before using in an SQL query, which could let a remote malicious user execute arbitrary SQL code.

Update available at:
http://www.rws.com.ua/counter_service_download.php

There is no exploit code required.

Real Web Solution Statistics Counter Service SQL Injection

CVE-2005-4548

Medium
Secunia Advisory: SA18158, December 23, 2005

Research In Motion

Blackberry Enterprise Server for Exchange 4.0 SP1, Enterprise Server for Domino 4.0

A remote Denial of Service vulnerability has been reported when handling Server Routing Protocol (SRP) packets due to an error.

No workaround or patch available at time of publishing.

Currently we are not aware of any exploits for this vulnerability.

BlackBerry Enterprise Server Router Component Remote Denial of Service

CVE-2005-2342

Low

Security Tracker Alert ID: 1015427, December 31, 2005

US-CERT VU#392920

Research In Motion

Blackberry Enterprise Server for Exchange 4.0 SP1, Enterprise Server for Domino 4.0

A remote Denial of Service vulnerability has been reported when handling malformed TIFF image attachments.

No workaround or patch available at time of publishing.

Currently we are not aware of any exploits for this vulnerability.

Blackberry Enterprise Server Attachment Service TIFF Attachment Remote Denial of Service

CVE-2005-2341

Low

Security Tracker Alert ID: 1015426, December 30, 2005

US-CERT VU#570768

Research in Motion

Blackberry Device Software 4.0, Blackberry Desktop Manager, Blackberry 8700r, 8700f, 8700c, 7780, 7750, 7730, 7520, 7290, 7280, 7250, 7230 4.0, 7230 3.8, 7230 3.7.1.41, 7130e, 7105t, 7100x, 7100v, 7100t, 7100r, 7100i, 7100g

A remote Denial of Service vulnerability has been reported when handling a malformed JAD (Java Application Description) file.

The vendor has addressed this issue in version 4.0.2 of the Blackberry Device Software. Affected users are encouraged to contact their service providers to obtain updated software.

There is no exploit code required.

Blackberry Handheld JAD File Browser Remote Denial of Service

CVE-2005-2343

Low

Security Tracker Alert ID: 1015428, December 31, 2005

US-CERT VU#829400

ScozNet

ScozBook 1.1 BETA

An SQL injection vulnerability has been reported due to insufficient sanitization of the 'AdminName' variable, which could let a remote malicious user execute arbitrary SQL code.

No workaround or patch available at time of publishing.

A Proof of Concept exploit has been published.

ScozNet ScozBook SQL Injection

CVE-2006-0079

Medium
Security Focus, Bugtraq ID: 16115, January 2, 2006

ShopCentrik

ShopEngine

A Cross-Site Scripting vulnerability has been reported in 'search.asp' due to insufficient sanitization of the 'EXPS' parameter before returning to the user, which could let a remote malicious user execute arbitrary HTML and script code.

No workaround or patch available at time of publishing.

There is no exploit code required.

ShopCentrik ShopEngine Cross-Site Scripting

CVE-2005-4545

Medium
Security Focus, Bugtraq ID: 16054, December 23, 2005

SimpBook

SimpBook 1.0

An HTML injection vulnerability has been reported due to insufficient sanitization of the 'message' field before storing in the guestbook, which could let a remote malicious user execute arbitrary code.

No workaround or patch available at time of publishing.

There is no exploit code required.

SimpBook Guestbook HTML Injection

CVE-2005-4551

Medium
Secunia Advisory: SA18256, December 26, 2005

Valdersoft

Valdersoft Shopping Cart 3.0

A remote file include vulnerability has been reported which could let a remote malicious user execute arbitrary PHP code.

No workaround or patch available at time of publishing.

There is no exploit code required; however, a Proof of Concept exploit script has been published.

Valdersoft Shopping Cart Remote File Include

High
Security Focus, Bugtraq ID: 16126, January 3, 2006

VBulletin

VBulletin 3.5.2

An HTML injection vulnerability has been reported due to insufficient sanitization of 'calendar.php' and 'reminder.php' which could let a remote malicious user execute arbitrary HTML and script code.

No workaround or patch available at time of publishing.

A Proof of Concept exploit has been published.

VBulletin Event Title HTML Injection

CVE-2006-0080

Medium
Security Focus, Bugtraq ID: 16116, January 2, 2006

VEGO Links Builder

VEGO Links Builder 2.0

An SQL injection vulnerability has been reported due to insufficient sanitization of the 'username' parameter when logging in, which could let a remote malicious user execute arbitrary SQL code.

No workaround or patch available at time of publishing.

A Proof of Concept exploit has been published.

VEGO Links Builder Login Script SQL Injection

CVE-2006-0067

Medium
Security Focus, Bugtraq ID: 16108, January 2, 2006

VEGO Web Forum

VEGO Web Forum 1.23-1.26, 1.20, 1.10, 1.0

An SQL injection vulnerability has been reported due to insufficient sanitization of the 'Theme_ID' parameter before using in an SQL query, which could let a remote malicious user execute arbitrary SQL code.

No workaround or patch available at time of publishing.

There is no exploit code required; however, a Proof of Concept exploit has been published.

VEGO Web Forum SQL Injection

CVE-2006-0065

Medium
Security Focus, Bugtraq ID: 16107, January 2, 2006

VMWare, Inc.

VMWare ESX Server 2.5.2, 2.5, 2.1-2.1.2, 2.0.1 build 6403, 2.0.1, 2.0 build 5257, 2.0

A vulnerability has been reported in the VMware Management Interface due to an unspecified error, which could let a remote malicious user execute arbitrary code.

Patches available at:
http://www.vmware.com/download/esx/esx-201-200512-patch.html

Currently we are not aware of any exploits for this vulnerability.

VMware ESX Server Management Interface Remote Arbitrary Code Execution

CVE-2005-4583

Medium
Security Tracker Alert ID: 1015422, December 29, 2005

WebGroup Media

Cerberus Helpdesk support-center 2.649, cerberus-gui 2.649

Several vulnerabilities have been reported: an SQL injection vulnerability was reported due to insufficient sanitization of unspecified input before using in an SQL query, which could let a remote malicious user execute arbitrary SQL code; and a Cross-Site Scripting vulnerability was reported in 'index.php' due to insufficient sanitization of the 'kb_ask' parameter before returning to the user, which could let a remote malicious user execute arbitrary HTML and script code.

No workaround or patch available at time of publishing.

Proof of Concept exploits have been published.

Cerberus Helpdesk Input Validation

CVE-2005-4427
CVE-2005-4428

Medium
Secunia Advisory: SA18112, December 20, 2005

[back to top] 

Wireless

The section below contains wireless vulnerabilities, articles, and viruses/trojans identified during this reporting period.

  • FCC interested in emergency wireless network: The Federal Communications Commission will study the feasibility of constructing a nationwide interoperable wireless network for emergency workers that uses some of the spectrum that TV companies will abandon when they transition to digital television. In a recent report to Congress, the FCC said that providing mobile broadband communications, in addition to upgraded communications equipment and training, could offer emergency responders many important capabilities. Source: http://www.fcw.com/article91846-01-03-06-Web
  • Mobility's Steep Upward Growth Curve For 2006: According to GCR Custom Research's IT Watch enterprise spending survey, conducted in November 2005, an 8.1% jump in spending on mobile and wireless devices is projected for 2006. Source: http://www.mobilepipeline.com/175800385.

Wireless Vulnerabilities

[back to top] 

Recent Exploit Scripts/Techniques

The table below contains a sample of exploit scripts and "how to" guides identified during this period. The "Workaround or Patch Available" column indicates if vendors, security vulnerability listservs, or Computer Emergency Response Teams (CERTs) have published workarounds or patches.

Note: At times, scripts/techniques may contain names or content that may be considered offensive.

Date of Script (Reverse Chronological Order) | Script name | Workaround or Patch Available | Script Description

January 4, 2006 | 20051228.ie_xp_pfv_metafile.pm, 20051231.ie_xp_pfv_metafile.pm, ie_xp_pfv_metafile.pm | Yes | Exploit for the Microsoft Windows Graphics Rendering Engine WMF SetAbortProc Code Execution vulnerability.
January 4, 2006 | cijfer-vsczpl.pl.txt, cijfer-vscxpl.pl | No | Exploits for the Valdersoft Shopping Cart Remote File Include vulnerability.
January 4, 2006 | EV0001.txt | No | Exploitation details for the VEGO Web Forum SQL Injection vulnerability.
January 4, 2006 | EV0002.txt | No | Exploitation details for the VEGO Links Builder Login Script SQL Injection vulnerability.
January 4, 2006 | EV0003.txt | No | Exploitation details for the OABoard Forum Script Remote File Include vulnerability.
January 4, 2006 | EV0004.txt | No | Exploitation details for the Chipmunk GuestBook HTML Injection vulnerability.
January 4, 2006 | EV0005.txt | No | Exploitation details for the PHPenpals SQL Injection vulnerability.
January 4, 2006 | EV0006.txt | No | Exploitation details for the NETOnE phpBook Arbitrary PHP Code Execution vulnerability.
January 4, 2006 | EV0007.txt | No | Exploitation details for the Chimera Web Portal System SQL Injection & Cross-Site Scripting vulnerabilities.
January 4, 2006 | EV0008.txt | No | Exploitation details for the inTouch SQL Injection vulnerability.
January 4, 2006 | EV0009.txt | No | Exploitation details for the PHPJournaler SQL Injection vulnerability.
January 4, 2006 | EV0010.txt | No | Exploitation details for the B-Net HTML Injection vulnerability.
January 4, 2006 | EV0011.txt | No | Exploitation details for the ScozNet ScozBook SQL Injection vulnerability.
January 4, 2006 | set_mempolicy_dos.c | Yes | Exploit for the Linux Kernel SET_MEMPOLICY Local Denial of Service vulnerability.
January 4, 2006 | termsh.c, Openserver_bof.c | No | Exploits for the SCO OpenServer Termsh Buffer vulnerability.
January 4, 2006 | UBehavior.zip | N/A | Whitepaper that discusses the exploitation of uninitialized data.
January 4, 2006 | winrar330.c | Yes | Proof of Concept exploit for the WinRAR Buffer Overflow Long Filename vulnerability.
January 3, 2006 | cijfer-cnxpl.pl.txt | Yes | Exploit for the CuteNews Remote Command Execution vulnerability.
January 3, 2006 | mozilla_compareto.pm.txt | Yes | Metasploit exploit for the Mozilla Suite/Firefox Remote Buffer Overflow vulnerability.
January 1, 2006 | 0512-exploits.tgz | N/A | Packet Storm new exploits for December, 2005.
January 1, 2006 | 2005-exploits.tgz | N/A | Complete comprehensive archive of all exploits posted to Packet Storm for 2005.
January 1, 2006 | mtink.c | Yes | Exploit for the MTink Home Environment Variable Buffer Overflow vulnerability.
December 31, 2005 | gmailXSSinject.txt | No | Exploit details for Google's GMailSite Cross-Site Scripting vulnerability.
December 31, 2005 | kapda-18.txt | Yes | Exploitation details for the Web Wiz Multiple Product SQL Injection vulnerability.
December 31, 2005 | phpdocumentor_130rc4_incl_expl.txt, phpdocu_130rc4_incl_xpl.php | No | Script that exploits the PHPDocumentor Remote and Local File Include vulnerability.
December 29, 2005 | aimsniff-1.0alpha.tar.gz | N/A | A utility for monitoring and archiving AOL Instant Messenger messages across a network; it can perform a live dump (actively sniff the network) or read a PCAP file and parse it for IM messages.
December 29, 2005 | dBpowerAMPv11.5.txt, dMCShell_bof.c | No | Exploit for the Illustrate dBpowerAMP Music Converter and Audio Player Buffer Overflow vulnerability.
December 29, 2005 | Dev_15_sql_xpl.php.txt, Dev_15_sql_xpl.php | No | Exploit for the Dev Web Management System Multiple Input Validation vulnerabilities.
December 29, 2005 | fiked-0.0.4.tar.bz2 | N/A | A fake IKE daemon that supports just enough of the standards and Cisco extensions to attack commonly found insecure Cisco PSK+XAUTH VPN setups in what could be described as a semi-MitM attack.
December 29, 2005 | thc-ts201.zip | N/A | Latest release of a phone scanner that features ODBC support, so results can be imported into SQL or Excel spreadsheets; includes source code and runs on any DOS-emulating operating system.
December 29, 2005 | translateXSS.txt | No | Proof of Concept for the Cross-Site Scripting vulnerability in numerous translation websites.
December 29, 2005 | VirusScanEnterprise8.0i.txt | Yes | Proof of Concept exploit for the McAfee VirusScan Privilege Elevation vulnerability.
December 27, 2005 | bzflagboom.zip | Yes | Script that exploits the BZFlag Remote Denial of Service vulnerability.
December 27, 2005 | cerberusHelp.txt | No | Exploitation details for the Cerberus Helpdesk Input Validation vulnerabilities.
December 27, 2005 | mailenable-imap-examine.py.txt, muts_mailenable_imap_examine.pm.txt | Yes | Proof of Concept exploit for the MailEnable Arbitrary Code Execution vulnerability.

[back to top]

Trends

  • Exploit for Vulnerability in Microsoft Windows Metafile Handling: US-CERT is aware of active exploitation of a vulnerability in how Microsoft Windows handles Windows Metafiles (".wmf"). Several variations of the WMF exploit file have been released that attempt to avoid detection by anti-virus software and intrusion detection and intrusion prevention systems. Source: http://www.us-cert.gov/current/.

  • Data security moves front and center in 2005: Financial data leaks left more than 50 million accounts containing credit card information and, in some cases, confidential details at risk. Phishing attacks, targeted Trojan horses and Web-based exploits compromised millions of PCs to create centrally controlled networks known as bot nets. In 2005, the threats of worm epidemics largely subsided. Instead, attacks targeting vulnerabilities in client-side applications, such as Internet browsers and antivirus software, rose. Data on bot networks revealed that those centrally controlled networks of computers remained a large threat. And attacks targeting the systems of specific people in government and industry have managed to sneak under the radar of security systems that have been honed to detect mass infections. Source: http://www.securityfocus.com/news/11366.

  • WMF Infected Site Examples: Websense Security Labs (TM) is actively tracking websites that attempt to infect machines without any end-user intervention by simply visiting a site. Currently there are two types of sites. The first are sites that have been setup by the attackers in order to infect users. In most cases these sites require a lure (such as an email or Instant Message) in order to attract users. These are mostly registered with fraudulent registration detail. The second are sites which have been compromised. Source: http://www.websensesecuritylabs.com/alerts/alert.php?AlertID=391

  • December IM Attacks Jump 826 Percent Over '04: According to IMlogic's Threat Center, December 2005 instant message exploits increased 825 percent over December 2004. According to the report, the year's last month saw 241 new threats; down from the 307 in November and the 294 in October. Combined, the three months showed a 13 percent increase in IM threats over the third quarter of 2005.
    Source: http://www.securitypipeline.com/news/175800842.

  • More than 450 Phishing Attacks Used SSL in 2005: The Netcraft Toolbar Community has identified more than 450 confirmed phishing URLs using "https" urls to present a secure connection using the Secure Sockets Layer (SSL). This number is significant for several reasons. Anti-phishing education initiatives have often urged Internet users to look for the SSL "golden lock" as an indicator of a site's legitimacy. Although phishers have been using SSL in attacks for more than a year, the trend seems to have drawn relatively little notice from users and the technology press. Source: http://news.netcraft.com/archives/2005/12/28/more_than_450_phishing_attacks_used_ssl_in_2005.html


[back to top]

Viruses/Trojans

Top Ten Virus Threats

A list of high threat viruses, as reported to various anti-virus vendors and virus incident reporting organizations, has been ranked and categorized in the table below. For the purposes of collecting and collating data, infections involving multiple systems at a single location are considered a single infection. It is therefore possible that a virus has infected hundreds of machines but has only been counted once. With the number of viruses that appear each month, it is possible that a new virus will become widely distributed before the next edition of this publication. To limit the possibility of infection, readers are reminded to update their anti-virus packages as soon as updates become available. The table lists the viruses by ranking (number of sites affected), common virus name, type of virus code (i.e., boot, file, macro, multi-partite, script), trends (based on number of infections reported since last week), and approximate date first found.

Rank | Common Name | Type of Code | Trend | Date | Description

1 | Netsky-P | Win32 Worm | Stable | March 2004 | A mass-mailing worm that uses its own SMTP engine to send itself to the email addresses it finds when scanning the hard drives and mapped drives. The worm also tries to spread through various file-sharing programs by copying itself into various shared folders.
2 | Mytob-GH | Win32 Worm | Slight Increase | November 2005 | A variant of the mass-mailing worm that disables security related programs and allows others to access the infected system. This version sends itself to email addresses harvested from the system, forging the sender's address.
3 | Netsky-D | Win32 Worm | Stable | March 2004 | A simplified variant of the Netsky mass-mailing worm in that it does not contain many of the text strings that were present in NetSky.C and it does not copy itself to shared folders. Netsky.D spreads itself in e-mails as an executable attachment only.
4 | Zafi-B | Win32 Worm | Increase | June 2004 | A mass-mailing worm that spreads via e-mail using several different languages, including English, Hungarian and Russian. When executed, the worm makes two copies of itself in the %System% directory with randomly generated file names.
5 | Sober-Z | Win32 Worm | New | December 2005 | This worm travels as an email attachment, forging the sender's address, harvesting addresses from infected machines, and using its own mail engine. It further downloads code from the internet, installs into the registry, and reduces overall system security.
6 | Lovgate.w | Win32 Worm | Slight Increase | April 2004 | A mass-mailing worm that propagates by using MAPI as a reply to messages, by using an internal SMTP engine, by dropping copies of itself on network shares, and through peer-to-peer networks. It attempts to access all machines in the local area network.
7 | Mytob.C | Win32 Worm | Increase | March 2004 | A mass-mailing worm with IRC backdoor functionality which can also infect computers vulnerable to the Windows LSASS (MS04-011) exploit. The worm will attempt to harvest email addresses from the local hard disk by scanning files.
8 | Zafi-D | Win32 Worm | Stable | December 2004 | A mass-mailing worm that sends itself to email addresses gathered from the infected computer. The worm may also attempt to lower security settings, terminate processes, and open a back door on the compromised computer.
9 | Mytob-BE | Win32 Worm | Decrease | June 2005 | A slight variant of the mass-mailing worm that utilizes an IRC backdoor, the LSASS vulnerability, and email to propagate. It harvests addresses from the Windows address book, disables anti-virus software, and modifies data.
10 | Mytob-AS | Win32 Worm | Decrease | June 2005 | A slight variant of the mass-mailing worm that disables security related programs and processes, redirects various sites, and changes registry values. This version downloads code from the net and utilizes its own email engine.

Table updated January 4, 2006


[back to top]
