Summary of Security Items from December 8 through December 14, 2005
Information in the US-CERT Cyber Security Bulletin is a compilation and includes information published by outside sources, therefore the information should not be considered the result of US-CERT analysis. Software vulnerabilities are categorized in the appropriate section reflecting the operating system on which the vulnerability was reported; however, this does not mean that the vulnerability only affects the operating system reported since this information is obtained from open-source information.
This bulletin provides a summary of new or updated vulnerabilities, exploits, trends, viruses, and trojans. Updates to vulnerabilities that appeared in previous bulletins are listed in bold text. The text in the Risk column appears in red for vulnerabilities ranking High. The risk levels applied to vulnerabilities in the Cyber Security Bulletin are based on how the "system" may be impacted. The Recent Exploit/Technique table contains a "Workaround or Patch Available" column that indicates whether a workaround or patch has been published for the vulnerability which the script exploits.
The table below summarizes vulnerabilities that have been identified, even if they are not being exploited. Complete details about patches or workarounds are available from the source of the information or from the URL provided in the section. CVE numbers are listed where applicable. Vulnerabilities that affect both Windows and Unix Operating Systems are included in the Multiple Operating Systems section.
Note: All the information included in the following tables has been discussed in newsgroups and on web sites.
The Risk levels defined below are based on how the system may be impacted:
Note: Even though a vulnerability may allow several malicious acts to be performed, only the highest level risk will be defined in the Risk column.
High - A high-risk vulnerability is defined as one that will allow an intruder to immediately gain privileged access (e.g., sysadmin or root) to the system or allow an intruder to execute code or alter arbitrary system files. An example of a high-risk vulnerability is one that allows an unauthorized user to send a sequence of instructions to a machine and the machine responds with a command prompt with administrator privileges.
Medium - A medium-risk vulnerability is defined as one that will allow an intruder immediate access to a system with less than privileged access. Such a vulnerability will allow the intruder the opportunity to continue the attempt to gain privileged access. An example of a medium-risk vulnerability is a server configuration error that allows an intruder to capture the password file.
Low - A low-risk vulnerability is defined as one that will provide information to an intruder that could lead to further compromise attempts or a Denial of Service (DoS) attack. It should be noted that while the DoS attack is deemed low from a threat potential, the frequency of this type of attack is very high. DoS attacks against mission-critical nodes are not included in this rating and any attack of this nature should instead be considered to be a "High" threat.
A directory traversal vulnerability has been reported in CF_Nuke that could let remote malicious users conduct Cross-Site Scripting or disclose information.
No workaround or patch available at time of publishing.
There is no exploit code required; however, a Proof of Concept exploit has been published.
CF_Nuke Cross-Site Scripting or Information Disclosure
V1.3 Updated to note availability of Microsoft Knowledge Base Article 909596, to clarify an issue affecting Windows 2000 SP4 customers, and to update file versions.
V1.4 Updated to note complications of the DirectX 8.1 update on machines running DirectX 9.
V2.0 Updated to advise customers that a new version of the security update is available for select systems.
Currently we are not aware of any exploits for this vulnerability.
Microsoft DirectX DirectShow Arbitrary Code Execution
Security Tracker, Alert ID: 1015333, December 8, 2005
Microsoft
Internet Explorer
A vulnerability has been reported in Internet Explorer, caused by mismatched DOM objects, that could let remote malicious users obtain unauthorized access.
Microsoft, Security Bulletin MS05-055, December 13, 2005
Microsoft
Windows 2000 SP3 & SP4, Windows XP 64-Bit Edition SP1 (Itanium), Windows XP 64-Bit Edition Version 2003 (Itanium), Windows Server 2003, Windows Server 2003 for Itanium-based Systems
A buffer overflow vulnerability exists when handling Server Message Block (SMB) traffic, which could let a remote malicious user execute arbitrary code.
Microsoft Windows NT 4.0 has also been found vulnerable to the issue; however, this platform is no longer publicly supported by Microsoft. A patch is available for customers that have an active end-of-life support agreement including extended Windows NT 4.0 support. Information regarding the end-of-life support agreement can be found at the following location: http://www.microsoft.com/presspass/features/2004/dec04/12-03NTSupport.asp
V1.1 Revised to advise of Knowledge Base Article 896427, detailing a potential issue encountered after installing this update.
A vulnerability has been reported because a remote malicious user can hide a 'File Download' dialog box underneath a new browser window and entice a user into double clicking a specific area in the window, which could lead to remote arbitrary code execution.
A vulnerability has been reported due to insecure default directory ACLs set on the 'SunnComm Shared' directory, which could let a malicious user obtain elevated privileges.
A vulnerability has been reported in Perl due to a failure to correctly drop privileges, which could let a remote malicious user obtain elevated privileges. Note: The impact depends on how a Perl application is written to use the affected Perl functionality.
No workaround or patch available at time of publishing.
Currently we are not aware of any exploits for this vulnerability.
A Cross-Site Scripting vulnerability has been reported in 'search.php' due to insufficient sanitization of the 'keywords' parameter before returning to the user, which could let a remote malicious user execute arbitrary HTML and script code.
No workaround or patch available at time of publishing.
A buffer overflow vulnerability has been reported due to insufficient bounds checks on user-supplied data before using it in a finite-sized buffer, which could let a local/remote malicious user execute arbitrary code.
Security Focus, Bugtraq ID: 15756, December 7, 2005
Mandriva Linux Security Advisory, MDKSA-2005:224, December 8, 2005
Fedora Update Notifications, FEDORA-2005-1129 & 1130, December 8, 2005
Debian Security Advisory, DSA 919-1, December 12, 2005
DRZES HMS
DRZES HMS 3.2
Several vulnerabilities have been reported: a Cross-Site Scripting vulnerability was reported in 'login.php' due to insufficient sanitization of user-supplied input before returning it to the user, which could let a remote malicious user execute arbitrary HTML and script code; and an SQL injection vulnerability was reported in the 'invoiceID' parameter due to insufficient sanitization, which could let a remote malicious user execute arbitrary SQL code.
No workaround or patch available at time of publishing.
There is no exploit code required; however, a Proof of Concept exploit script has been published.
Security Focus, Bugtraq ID: 15766, December 7, 2005
Horde Project
Mnemo 2.0.2
HTML injection vulnerabilities have been reported due to insufficient sanitization of the notepad name and other note data fields, which could let a remote malicious user execute arbitrary HTML and script code.
Security Focus, Bugtraq ID: 15803, December 12, 2005
Horde Project
Turba Contact Manager 2.0.4
HTML injection vulnerabilities have been reported due to insufficient sanitization of the address book name and certain contact data fields, which could let a remote malicious user execute arbitrary HTML and script code.
Security Focus, Bugtraq ID: 15802, December 12, 2005
Horde Project
Horde Application Framework 3.0-3.0.7
HTML injection vulnerabilities have been reported due to insufficient sanitization of unspecified input, which could let a remote malicious user execute arbitrary HTML and script code.
HTML injection vulnerabilities have been reported due to insufficient sanitization of the calendar name and certain event data fields, which could let a remote malicious user execute arbitrary HTML and script code.
HTML injection vulnerabilities have been reported due to insufficient sanitization of certain tasklist names and task data fields, which could let a remote malicious user execute arbitrary HTML and script code.
Security Focus, Bugtraq ID: 15523, November 22, 2005
Ubuntu Security Notice, USN-221-1, December 01, 2005
Gentoo Linux Security Advisory, GLSA 200512-04, December 12, 2005
Mike Neuman
osh 1.7
A buffer overflow vulnerability has been reported in 'main.c' due to an error when handling environment variable substitutions, which could let a remote malicious user execute arbitrary code with superuser privileges.
Debian Security Advisory, DSA 918-1, December 9, 2005
Mike Neuman
osh 1.7
A buffer overflow vulnerability exists in 'main.c' due to insufficient bounds checking in the 'iopen()' function, which could let a remote malicious user execute arbitrary code.
Debian Security Advisory, DSA 918-1, December 9, 2005
Mozilla.org
Firefox 0.x, 1.x
Multiple vulnerabilities have been reported: a vulnerability was reported due to an error because untrusted events generated by web content are delivered to the browser user interface; a vulnerability was reported because scripts in XBL controls can be executed even when JavaScript has been disabled; a vulnerability was reported because remote malicious users can execute arbitrary code by tricking the user into using the 'Set As Wallpaper' context menu on an image URL that is really a javascript: URL; a vulnerability was reported in the 'InstallTrigger.install()' function due to an error in the callback function, which could let a remote malicious user execute arbitrary code; a vulnerability was reported due to an error when handling a 'data:' URL that originates from the sidebar, which could let a remote malicious user execute arbitrary code; an input validation vulnerability was reported in the 'InstallVersion.compareTo()' function when handling unexpected JavaScript objects, which could let a remote malicious user execute arbitrary code; a vulnerability was reported because it is possible for a remote malicious user to steal information and possibly execute arbitrary code by using standalone applications such as Flash and QuickTime to open a javascript: URL; a vulnerability was reported due to an error when handling DOM node names with different namespaces, which could let a remote malicious user execute arbitrary code; and a vulnerability was reported due to insecure cloning of base objects, which could let a remote malicious user execute arbitrary code.
Ubuntu Security Notices, USN-157-1 & 157-2, August 1 & 2, 2005
SUSE Security Announcement, SUSE-SA:2005:045, August 11, 2005
Debian Security Advisory, DSA 775-1, August 15, 2005
SGI Security Advisory, 20050802-01-U, August 15, 2005
Debian Security Advisory, DSA 777-1, August 17, 2005
Debian Security Advisory, DSA 779-1, August 20, 2005
Debian Security Advisory, DSA 781-1, August 23, 2005
Gentoo Linux Security Advisory, GLSA 200507-24, August 26, 2005
Mandriva Linux Security Update Advisory, MDKSA-2005:127-1, August 26, 2005
Slackware Security Advisory, SSA:2005-085-01, August 28, 2005
Debian Security Advisory, DSA 779-2, September 1, 2005
Debian Security Advisory, DSA 810-1, September 13, 2005
Fedora Legacy Update Advisory, FLSA:160202, September 14, 2005
HP Security Bulletin, HPSBOV01229, September 19, 2005
HP Security Bulletin, HPSBUX01230, October 3, 2005
Ubuntu Security Notice, USN-155-3, October 04, 2005
Sun(sm) Alert Notification, Sun Alert ID: 101952, October 17, 2005
SUSE Security Summary Report, SUSE-SR:2005:028, December 2, 2005
Mandriva Linux Security Advisory, MDKSA-2005:226, December 12, 2005
Multiple Vendors
Xpdf 3.0 pl2 & pl3, 3.01, 3.00, 2.0-2.03, 1.00, 1.00a, 0.90-0.93; RedHat Fedora Core4, Core3, Enterprise Linux WS 4, WS 3, WS 2.1 IA64, WS 2.1, ES 4, ES 3, ES 2.1 IA64, 2.1, Enterprise Linux AS 4, AS 3, 2.1 IA64, 2.1, Desktop 4.0, 3.0, Advanced Workstation for the Itanium Processor 2.1 IA64, 2.1; teTeX 2.0.1, 2.0; Poppler poppler 0.4.2; KDE kpdf 0.5, KOffice 1.4.2; PDFTOHTML pdftohtml 0.36
Multiple vulnerabilities have been reported: a heap-based buffer overflow vulnerability was reported in the 'DCTStream::readBaselineSOF()' function in 'xpdf/Stream.cc' when copying data from a PDF file, which could let a remote malicious user potentially execute arbitrary code; a buffer overflow vulnerability was reported in the 'DCTStream::readProgressiveSOF()' function in 'xpdf/Stream.cc' when copying data from a PDF file, which could let a remote malicious user potentially execute arbitrary code; a buffer overflow vulnerability was reported in the 'StreamPredictor::StreamPredictor()' function in 'xpdf/Stream.cc' when using the 'numComps' value to calculate the memory size, which could let a remote malicious user potentially execute arbitrary code; and a vulnerability was reported in the 'JPXStream::readCodestream()' function in 'xpdf/JPXStream.cc' when using the 'nXTiles' and 'nYTiles' values from a PDF file to copy data from the file into allocated memory, which could let a remote malicious user potentially execute arbitrary code.
Fedora Update Notifications, FEDORA-2005-1007 & 1013, October 20, 2005
Security Focus, Bugtraq ID: 15156, October 31, 2005
Ubuntu Security Notice, USN-219-1, November 22, 2005
SUSE Security Announcement, SUSE-SA:2005:067, December 6, 2005
SUSE Security Announcement, SUSE-SA:2005:068, December 14, 2005
Multiple Vendors
Linux kernel 2.6-2.6.15
An integer overflow vulnerability has been reported in 'INVALIDATE_INODE_PAGES2' which could lead to a Denial of Service and possibly execution of arbitrary code.
Cross-Site Scripting vulnerabilities have been reported in the 'HTTP_HOST' variable and certain scripts in the libraries directory due to insufficient sanitization before returning to the user, which could let a remote malicious user execute arbitrary HTML and script code.
phpMyAdmin security announcement PMASA-2005-8, December 5, 2005
Gentoo Linux Security Advisory, GLSA 200512-03, December 12, 2005
Multiple Vendors
RedHat Enterprise Linux WS 3, ES 3, AS 3, Desktop 3.0;
Linux kernel 2.4-2.4.28
A Denial of Service vulnerability has been reported in the 'find_target' function due to a failure to properly handle unexpected conditions when attempting to handle a NULL return value from another function.
SUSE Security Announcement, SUSE-SA:2005:044, August 4, 2005
Ubuntu Security Notice, USN-187-1, September 25, 2005
RedHat Security Advisory, RHSA-2005:663-19, September 28, 2005
Debian Security Advisories, DSA 921-1 & 922-1, December 14, 2005
Multiple Vendors
SuSE Linux Professional 9.3, x86_64, 9.2, x86_64, Linux Personal 9.3, x86_64; Linux kernel 2.6-2.6.12
A buffer overflow vulnerability has been reported in the XFRM network architecture code due to insufficient validation of user-supplied input, which could let a malicious user execute arbitrary code.
Trustix Secure Linux Bugfix Advisory, 2005-0068, December 12, 2005
Multiple Vendors
Trustix Secure Linux 3.0, 2.2, Secure Enterprise Linux 2.0, SuSE Novell Linux Desktop 9.0, Linux Professional 9.3 x86_64, 9.3, 9.2 x86_64, 9.2, 9.1 x86_64, 9.1, Linux Personal 9.3 x86_64, 9.3, 9.2 x86_64, 9.2, 9.1 x86_64, 9.1, Linux Enterprise Server for S/390 9.0, Linux Enterprise Server 9; 2.6-2.6.12.4
A Denial of Service vulnerability has been reported due to a failure to handle malformed compressed files.
Security Focus, Bugtraq ID: 15536, November 22, 2005
Ubuntu Security Notice, USN-219-1, November 22, 2005
Debian Security Advisory, DSA 922-1, December 14, 2005
Multiple Vendors
Ubuntu Linux 5.04 powerpc, i386, amd64, 4.1 ppc, ia64, ia32;
Linux kernel 2.6.10, 2.6.8
A vulnerability has been reported in the 'mmap()' function because memory maps can be created with a start address after the end address, which could let a malicious user cause a Denial of Service or potentially obtain elevated privileges.
A vulnerability has been reported in the authentication daemon because access is granted to accounts that are already deactivated, which could let a remote malicious user obtain unauthorized access.
A race condition vulnerability has been reported in ia32 emulation that could let local malicious users obtain root privileges or create a buffer overflow.
Trustix Secure Linux Security Advisory, TSLSA-2005-0036, July 14, 2005
SUSE Security Announcement, SUSE-SA:2005:044, August 4, 2005
RedHat Security Advisory, RHSA-2005:663-19, September 28, 2005
Debian Security Advisory, DSA 921-1, December 14, 2005
Multiple Vendors
Linux kernel 2.6 prior to 2.6.12.1
A vulnerability has been reported in the 'restore_sigcontext()' function due to a failure to restrict access to the 'ar.rsc' register, which could let a malicious user cause a Denial of Service or obtain elevated privileges.
SUSE Security Announcement, SUSE-SA:2005:044, August 4, 2005
RedHat Security Advisory, RHSA-2005:663-19, September 28, 2005
RedHat Security Advisory, RHSA-2005:514-46, October 5, 2005
Debian Security Advisories, DSA 921-1 & 922-1, December 14, 2005
Multiple Vendors
Linux kernel 2.6-2.6.11
A vulnerability has been reported in the '/sys' file system due to a mismanagement of integer signedness, which could let a malicious user cause a Denial of Service and potentially execute arbitrary code.
RedHat Security Advisory, RHSA-2005:366-19, April 19, 2005
SUSE Security Announcement, SUSE-SA:2005:044, August 4, 2005
Mandriva Linux Security Advisory, MDKSA-2005:218, November 30, 2005
Debian Security Advisory, DSA 922-1, December 14, 2005
Multiple Vendors
Linux Kernel 2.4.x, 2.6 prior to 2.6.11.11
A vulnerability has been reported in the Linux kernel in the Radionet Open Source Environment (ROSE) implementation in the 'rose_rt_ioctl()' function due to insufficient validation of a new route's ndigis argument. The impact was not specified.
Security Focus, Bugtraq ID: 14791, September 9, 2005
Ubuntu Security Notice, USN-178-1, September 09, 2005
Mandriva Linux Security Update Advisory, MDKSA-2005:171, October 3, 2005
RedHat Security Advisory, RHSA-2005:514-46, October 5, 2005
Mandriva Linux Security Advisories, MDKSA-2005:219 & 220, November 30, 2005
SUSE Security Announcement, SUSE-SA:2005:068, December 14, 2005
Multiple Vendors
Linux kernel 2.6.8-2.6.10, 2.4.21
Several vulnerabilities have been reported: a buffer overflow vulnerability was reported in 'msg_control' when copying 32 bit contents, which could let a malicious user obtain root privileges and execute arbitrary code; and a vulnerability was reported in the 'raw_sendmsg()' function, which could let a malicious user obtain sensitive information or cause a Denial of Service.
Ubuntu Security Notice, USN-219-1, November 22, 2005
Mandriva Linux Security Advisories, MDKSA-2005:218, 219 & 220, November 30, 2005
SUSE Security Announcement, SUSE-SA:2005:068, December 14, 2005
Multiple Vendors
Linux kernel 2.6-2.6.13.1
A Denial of Service vulnerability has been reported due to an omitted call to the 'sockfd_put()' function in the 32-bit compatible 'routing_ioctl()' function.
Security Tracker Alert ID: 1014944, September 21, 2005
Ubuntu Security Notice, USN-187-1, September 25, 2005
Mandriva Linux Security Advisories, MDKSA-2005:218, 219, 220, November 30, 2005
SUSE Security Announcement, SUSE-SA:2005:067, December 6, 2005
SUSE Security Announcement, SUSE-SA:2005:068, December 14, 2005
Multiple Vendors
Linux kernel 2.6-2.6.14
Several vulnerabilities have been reported: a Denial of Service vulnerability was reported due to a memory leak in '/security/keys/request_key_auth.c'; a Denial of Service vulnerability was reported due to a memory leak in '/fs/namei.c' when the 'CONFIG_AUDITSYSCALL' option is enabled; and a vulnerability was reported because the orinoco wireless driver fails to pad data packets with zeroes when increasing the length, which could let a malicious user obtain sensitive information.
Trustix Secure Linux Security Advisory, TSLSA-2005-0057, October 14, 2005
Fedora Update Notifications, FEDORA-2005-1013, October 20, 2005
RedHat Security Advisory, RHSA-2005:808-14, October 27, 2005
Ubuntu Security Notice, USN-219-1, November 22, 2005
Mandriva Linux Security Advisories, MDKSA-2005:218, 219 & 220, November 30, 2005
SUSE Security Announcement, SUSE-SA:2005:067, December 6, 2005
SUSE Security Announcement, SUSE-SA:2005:068, December 14, 2005
Multiple Vendors
Linux kernel 2.6-2.6.14
Several vulnerabilities have been reported: a Denial of Service vulnerability was reported when handling asynchronous USB access via usbdevio; and a Denial of Service vulnerability was reported in the 'ipt_recent.c' netfilter module due to an error in jiffies comparison.
RedHat Security Advisory, RHSA-2005:514-46, October 5, 2005
Ubuntu Security Notice, USN-219-1, November 22, 2005
Mandriva Linux Security Advisories, MDKSA-2005:218, 219 & 220, November 30, 2005
SUSE Security Announcement, SUSE-SA:2005:067, December 6, 2005
SUSE Security Announcement, SUSE-SA:2005:068, December 14, 2005
Multiple Vendors
Linux Kernel 2.6-2.6.14
Multiple vulnerabilities have been reported: a Denial of Service vulnerability was reported in the 'sys_set_mempolicy' function when a malicious user submits a negative first argument; a Denial of Service vulnerability was reported when threads are sharing memory mapping via 'CLONE_VM'; a Denial of Service vulnerability was reported in 'fs/exec.c' when one thread is tracing another thread that shares the same memory map; a Denial of Service vulnerability was reported in 'mm/ioremap.c' when performing a lookup of a non-existent page; a Denial of Service vulnerability was reported in the HFS and HFS+ (hfsplus) modules; and a remote Denial of Service vulnerability was reported due to a race condition in 'ebtables.c' when running on an SMP system that is operating under a heavy load.
A vulnerability has been reported due to the way console keyboard mapping is handled, which could let a malicious user modify the console keymap to include scripted macro commands.
Security Focus, Bugtraq ID: 15122, October 17, 2005
Mandriva Linux Security Advisories, MDKSA-2005:218, 219 & 220, November 30, 2005
Fedora Update Notification, FEDORA-2005-1138, December 13, 2005
Multiple Vendors
Linux kernel 2.6-2.6.14; SuSE Linux Professional 10.0 OSS, Linux Personal 10.0 OSS;
RedHat Fedora Core4
A Denial of Service vulnerability has been reported in 'ptrace.c' when 'CLONE_THREAD' is used due to a missing check of the thread's group ID when trying to determine whether the process is attempting to attach to itself.
Fedora Update Notification, FEDORA-2005-1104, November 28, 2005
SUSE Security Announcement, SUSE-SA:2005:067, December 6, 2005
SUSE Security Announcement, SUSE-SA:2005:068, December 14, 2005
Multiple Vendors
Linux kernel 2.6-2.6.15
A Denial of Service vulnerability has been reported in the 'time_out_leases()' function because 'printk()' can consume large amounts of kernel log space.
Security Focus, Bugtraq ID: 15625, November 29, 2005
Fedora Update Notification, FEDORA-2005-1104, November 28, 2005
SUSE Security Announcement, SUSE-SA:2005:067, December 6, 2005
Trustix Secure Linux Security Advisory, TSLSA-2005-0070, December 9, 2005
SUSE Security Announcement, SUSE-SA:2005:068, December 14, 2005
Multiple Vendors
MandrakeSoft Multi Network Firewall 2.0, Linux Mandrake 2006.0 x86_64, 2006.0, 10.2 x86_64, 10.2, Corporate Server 3.0 x86_64, 3.0;
GNU wget 1.10;
Daniel Stenberg curl 7.14.1, 7.13.1, 7.13, 7.12.1- 7.12.3, 7.11- 7.11.2, 7.10.6- 7.10.8
A buffer overflow vulnerability has been reported due to insufficient validation of user-supplied NTLM user name data, which could let a remote malicious user execute arbitrary code.
Ubuntu Security Notice, USN-219-1, November 22, 2005
Mandriva Linux Security Advisories, MDKSA-2005:218 & 219, November 30, 2005
SUSE Security Announcement, SUSE-SA:2005:067, December 6, 2005
Debian Security Advisory, DSA 922-1, December 14, 2005
Multiple Vendors
Ubuntu Linux 5.04 powerpc, i386, amd64, 4.1 ppc, ia64, ia32;
Linux kernel 2.6.10, rc2, 2.6.8, rc1
A remote Denial of Service vulnerability has been reported in the kernel driver for compressed ISO file systems when attempting to mount a malicious compressed ISO image.
A format string vulnerability has been reported in 'Perl_sv_vcatpvfn' due to a failure to properly handle format specifiers in formatted printing functions, which could let a remote malicious user cause a Denial of Service.
Mandriva Linux Security Advisory, MDKSA-2005:225, December 8, 2005
SUSE Security Summary Report, SUSE-SR:2005:029, December 9, 2005
Trustix Secure Linux Security Advisory, TSLSA-2005-0070, December 9, 2005
Ubuntu Security Notice, USN-222-2, December 12, 2005
Fedora Update Notifications, FEDORA-2005-1144 & 1145, December 14, 2005
MySQL Auction
MySQL Auction 3.0
A Cross-Site Scripting vulnerability has been reported due to insufficient sanitization of the 'keyword' parameter when performing a search, which could let a remote malicious user execute arbitrary HTML and script code.
No workaround or patch available at time of publishing.
Several vulnerabilities have been reported: a remote Denial of Service vulnerability was reported when handling IKE packets that have an invalid 3DES key length; and a remote Denial of Service vulnerability was reported when handling certain specially crafted IKE packets.
CERT-FI & NISCC Joint Vulnerability Advisory, November 15, 2005
Astaro Security Linux Update, November 16, 2005
Fedora Update Notifications, FEDORA-2005-1092 & 1093, November 21, 2005
Gentoo Linux Security Advisory, GLSA 200512-04, December 12, 2005
OpenVPN
OpenVPN 2.0-2.0.2
Several vulnerabilities have been reported: a format string vulnerability was reported in 'options.c' when handling command options in the 'foreign_option()' function, which could let a remote malicious user execute arbitrary code; and a remote Denial of Service vulnerability was reported due to a NULL pointer dereferencing error in the OpenVPN server when running in TCP mode.
OpenPKG Security Advisory, OpenPKG-SA-2005.023, November 2, 2005
SUSE Security Summary Report, SUSE-SR:2005:025, November 4, 2005
Debian Security Advisory, DSA 885-1, November 7, 2005
Gentoo Linux Security Advisory, GLSA 200511-07, November 7, 2005
Mandriva Linux Security Advisory, MDKSA-2005:206, November 8, 2005
Mandriva Linux Security Advisory, MDKSA-2005:206-1, December 9, 2005
phpMyAdmin
phpMyAdmin 2.7.0-beta1, 2.7
A vulnerability has been reported in the register_globals emulation layer in 'grab_globals.php' because the 'import_blacklist' variable is not properly protected, which could let a remote malicious user execute arbitrary HTML and script code and include arbitrary files.
Gentoo Linux Security Advisory, GLSA 200512-03, December 12, 2005
SCO
Unixware 7.1.4, 7.1.3
A buffer overflow vulnerability has been reported in 'UIDAdmin' when processing excessive data, which could let a malicious user obtain superuser privileges.
SCO Security Advisory, SCOSA-2005.54, December 12, 2005
Scout Portal Toolkit
Scout Portal Toolkit 1.3.1
Several vulnerabilities have been reported: a Cross-Site Scripting vulnerability was reported due to insufficient sanitization of user-supplied input before returning to the user, which could let a remote malicious user execute arbitrary HTML and script code; and an SQL injection vulnerability was reported due to insufficient sanitization of user-supplied input before using in an SQL query, which could let a remote malicious user execute arbitrary SQL code.
No workaround or patch available at time of publishing.
There is no exploit code required; however, Proofs of Concept exploit scripts have been published.
Security Focus, Bugtraq ID: 15818, December 12, 2005
Sun Microsystems, Inc.
Solaris 10.0_x86, 10.0
A vulnerability has been reported when running Sun Update Connection Services due to an unspecified error, which could let a malicious user obtain knowledge of the configured web proxy password.
SUSE Security Summary Report, SUSE-SR:2005:023, October 14, 2005
Mandriva Linux Security Update Advisory, MDKSA-2005:189 & 194, October 21 & 26, 2005
Slackware Security Advisory, SSA:2005-310-06, November 7, 2005
Conectiva Linux Announcement, CLSA-2005:1046, November 21, 2005
RedHat Security Advisory, RHSA-2005:848-6 & 850-5, December 6, 2005
Fedora Update Notifications, FEDORA-2005-1112 & 1115, December 8, 2005
Zope
Zope 2.6-2.8.1
A vulnerability has been reported in 'docutils' due to an unspecified error; it affects all instances that expose 'Restructured Text' functionality via the web. The impact was not specified.
A Cross-Site Scripting vulnerability has been reported in 'Cal_make.PL' due to insufficient sanitization of the 'p0' parameter before displaying input, which could let a remote malicious user execute arbitrary HTML and script code.
No workaround or patch available at time of publishing.
There is no exploit code required; however, a Proof of Concept exploit script has been published.
Security Focus, Bugtraq ID: 15765, December 7, 2005
Apache Software Foundation
Apache prior to 1.3.35-dev, 2.0.56-dev
A Cross-Site Scripting vulnerability has been reported in the 'Referer' directive in 'mod_imap' due to insufficient sanitization before returning to the user, which could let a remote malicious user execute arbitrary HTML and script code.
The vulnerability has been fixed in versions 1.3.35-dev and 2.0.56-dev.
Security Tracker Alert ID: 1015340, December 11, 2005
Arab Portal System
Arab Portal System 2.0 beta 2
An SQL injection vulnerability has been reported in 'link.php' due to insufficient sanitization of the 'PHPSESSID' parameter before using in an SQL query, which could let a remote malicious user execute arbitrary SQL code.
No workaround or patch available at time of publishing.
There is no exploit code required; however, a Proof of Concept exploit script has been published.
A Cross-Domain vulnerability has been reported in 'frameset.jsp' due to a design error, which could let a remote malicious user obtain sensitive information or hijack sessions.
No workaround or patch available at time of publishing.
There is no exploit code required; however, a Proof of Concept exploit has been published.
Magic List Professional 2.5, Magic Forum Personal 2.5, Magic Book Professional 2.0
Multiple input validation vulnerabilities have been reported due to insufficient sanitization of user-supplied input, which could let a remote malicious user execute arbitrary HTML, script code, and SQL code.
No workaround or patch available at time of publishing.
There is no exploit code required; however, Proof of Concept exploits have been published.
Security Focus, Bugtraq ID: 15774, December 8, 2005
CFMagic
Magic Book Professional 2.0
A Cross-Site Scripting vulnerability has been reported due to insufficient sanitization of the 'StartRow' parameter before returning it to the user, which could let a remote malicious user execute arbitrary HTML and script code.
No workaround or patch available at time of publishing.
There is no exploit code required; however, a Proof of Concept exploit has been published.
A Cross-Site Scripting vulnerability has been reported in the login page due to insufficient sanitization of user-supplied input, which could let a remote malicious user execute arbitrary HTML and script code.
A vulnerability has been reported due to insufficient sanitization of user-supplied input, which could let a remote malicious user execute arbitrary code.
Security Focus, Bugtraq ID: 15790, December 9, 2005
CourseForum Technologies
ProjectForum 4.7
Cross-Site Scripting vulnerabilities have been reported in various pages and error messages due to insufficient sanitization, which could let a remote malicious user execute arbitrary HTML and script code; and a remote Denial of Service vulnerability has been reported in the 'pageid' parameter due to a boundary error when sending a POST request.
No workaround or patch available at time of publishing.
There is no exploit code required; however, a Proof of Concept exploit script has been published.
CourseForum Technologies ProjectForum Cross-Site Scripting & Denial of Service
Medium
Security Focus, Bugtraq ID: 15850, December 14, 2005
Dell
TrueMobile 2300 Firmware 5.1.1.6, 3.0.08
A vulnerability has been reported in the 'apply.cgi' page of the router's web management interface due to an access control error, which could let a remote malicious user bypass authentication.
No workaround or patch available at time of publishing.
iDEFENSE Labs Security Advisories, December 7, 2005
DoceboLMS
DoceboLMS 2.0.4
Several vulnerabilities have been reported: a Directory Traversal vulnerability was reported in the 'connector.php' script due to insufficient validation of the 'Type' parameter, which could let a remote malicious user obtain sensitive information; and an input validation vulnerability was reported in the file upload handling due to insufficient verification of the file extension of valid images, which could let a remote malicious user execute arbitrary PHP code.
Security Tracker Alert ID: 1015308, December 5, 2005
Security Focus, Bugtraq ID: 15744 & 15742, December 13, 2005
DreamLevels
Dream Poll 3.0 final
An SQL injection vulnerability has been reported in 'view_results.php' due to insufficient sanitization of the 'id' parameter before using in an SQL query, which could let a remote malicious user execute arbitrary SQL code.
No workaround or patch available at time of publishing.
There is no exploit code required; however, a Proof of Concept exploit script has been published.
Security Focus, Bugtraq ID: 15849, December 14, 2005
Envolution Software
Envolution
Several vulnerabilities have been reported: a Cross-Site Scripting vulnerability was reported in the News module due to insufficient filtering of HTML code, which could let a remote malicious user execute arbitrary scripting code; and an SQL injection vulnerability was reported when a remote malicious user submits specially crafted parameter values, which could lead to the execution of arbitrary SQL code.
No workaround or patch available at time of publishing.
There is no exploit code required; however, Proof of Concept exploit scripts have been published.
A buffer overflow vulnerability has been reported in the 'dissect_ospf_v3_address_prefix()' function in the OSPF protocol dissector due to a boundary error when converting received binary data to a human readable string, which could let a remote malicious user execute arbitrary code.
Debian Security Advisory DSA 920-1, December 13, 2005
Gentoo Linux Security Advisory, GLSA 200512-06, December 14, 2005
EveryAuction
EveryAuction 1.53
A Cross-Site Scripting vulnerability has been reported in 'auction.pl' due to insufficient sanitization of the 'searchstring' parameter before returning to the user, which could let a remote malicious user execute arbitrary SQL code.
No workaround or patch available at time of publishing.
Security Focus, Bugtraq ID: 15824, December 13, 2005
FFmpeg
FFmpeg 0.4.9 -pre1, 0.4.6-0.4.8, FFmpeg CVS
A buffer overflow vulnerability has been reported in the 'avcodec_default_get_buffer()' function of 'utils.c' in libavcodec due to a boundary error, which could let a remote malicious user execute arbitrary code.
Ubuntu Security Notice, USN-230-1, December 14, 2005
First4Internet
CodeSupport
A vulnerability has been reported due to a failure to verify that the source of remote content is from a trusted source before downloading, which could let a remote malicious user execute arbitrary code.
Microsoft Security Bulletin MS05-054, December 13, 2005
FlatNuke
FlatNuke 2.5.6
A vulnerability has been reported in the 'read' module due to insufficient validation of the 'id' parameter, which could let a remote malicious user obtain elevated privileges and execute arbitrary PHP code.
No workaround or patch available at time of publishing.
There is no exploit code required; however, a Proof of Concept exploit script has been published.
Security Tracker Alert ID: 1015339, December 11, 2005
Francisco Burzi
PHP-Nuke 7.6-7.9, 7.0-7.3
A content filtering bypass vulnerability has been reported which could let a remote malicious user bypass filters and carry out HTML injection and Cross-Site Scripting attacks.
No workaround or patch available at time of publishing.
There is no exploit code required; however, Proof of Concept exploit scripts have been published.
A vulnerability has been reported in the 'node' URI parameter of the 'OvCgi/connectedNodes.ovpl' script, which could let a remote malicious user execute arbitrary code.
Revision 3:
Added PHSS_33783.
Added preliminary files for OV NNM 7.01, 6.4, 6.2
Revision 4:
Corrected files are available via ftp:
README_HPSBMA01224_rev1.txt
NNM6.2_HP-UX_CGI_Script_Point_Release_rev1.tar
Revision 5: Added PHSS_33842, PSOV_03430, and NNM_01110.
Changed revision numbering (6.20, 6.4x instead of 6.2, 6.4, 6.40, 6.41).
Portcullis Security Advisory, 05-014, August 25, 2005
HP Security Advisory, HPSBMA01224, August 26, 2005
HP Security Advisory, HPSBMA01224 REVISION: 3, September 13, 2005
HP Security Advisory, HPSBMA01224 REVISION: 4, September 19, 2005
HP Security Advisory, HPSBMA01224 REVISION: 5, October 4, 2005
Security Focus, Bugtraq ID: 14662, December 8, 2005
Jamit Software
Job Board 2.4.1
An SQL injection vulnerability has been reported in 'index.php' due to insufficient sanitization of the 'cat' parameter before using in an SQL query, which could let a remote malicious user execute arbitrary SQL code.
No workaround or patch available at time of publishing.
There is no exploit code required; however, a Proof of Concept exploit script has been published.
An HTML injection vulnerability has been reported in 'GuestServer.cgi' due to insufficient sanitization before using in dynamically generated content, which could let a remote malicious user execute arbitrary HTML and script code.
No workaround or patch available at time of publishing.
Security Focus, Bugtraq ID: 15861, December 14, 2005
Lyris
List Manager 8.8 a, 8.0, 7.0, 6.0, 5.0
Multiple vulnerabilities have been reported: a vulnerability was reported in the 'pw' parameter in the web interface when subscribing a new user to the mailing list due to insufficient sanitization before inserting in the processing queue as a command message, which could let a remote malicious user execute arbitrary list administration commands; an SQL injection vulnerability was reported in '/read/attachment' due to insufficient sanitization before using in an SQL query, which could let a remote malicious user execute arbitrary SQL code; an SQL injection vulnerability was reported in certain parameters due to insufficient sanitization before being used as a column name in the ORDER BY clause of an SQL query, which could let a remote malicious user execute arbitrary SQL code; a vulnerability was reported in the MSDE version of ListManager because a weak default password is used for the database after installation, which could let a remote malicious user obtain sensitive information; a vulnerability was reported because certain versions allow access to the 'status' module of the 'TCLHTTPd' service, which could let a remote malicious user obtain sensitive information; a vulnerability was reported in the 'TCLHTTPd' service because the source of arbitrary TML scripts on the server can be viewed; and a vulnerability was reported because the entire CGI environment is included in an HTML hidden field of the error page when a non-existent page is requested.
Some of these vulnerabilities have reportedly been fixed in version 8.9b.
Flash Media Server Professional Edition 2.0, Flash Media Server Origin Edition 2.0, Flash Media Server Edge Edition 2.0, Flash Media Server Developer Edition 2.0
A Denial of Service vulnerability has been reported due to an error in the Administration Service (FMSAdmin.exe) when handling received data.
No workaround or patch available at time of publishing.
There is no exploit code required; however, a Proof of Concept exploit has been published.
Macromedia Flash Media Server Administration Service Denial of Service
Security Focus, Bugtraq ID: 15822, December 13, 2005
Mambo
Mambo Site Server 4.0.14, 4.0.12 RC1-RC3, BETA & BETA 2, 4.0.10-4.0.12, 4.0
A remote file include vulnerability has been reported due to insufficient sanitization of user-supplied input, which could let a remote malicious user execute arbitrary remote PHP code.
The vendor has released a patch addressing this issue. Users are advised to contact the vendor for more information on obtaining the appropriate patch.
Security Focus, Bugtraq ID: 15461, November 16, 2005
Security Focus, Bugtraq ID: 15461, November 21, 2005
Security Focus, Bugtraq ID: 15461, November 24, 2005
Security Focus, Bugtraq ID: 15461, December 5, 2005
Security Focus, Bugtraq ID: 15461, December 9, 2005
Mantis
Mantis 1.x
A Cross-Site Scripting vulnerability has been reported in 'view_filters_page.php' due to insufficient sanitization of the 'target_field' parameter before returning to the user, which could let a remote malicious user execute arbitrary HTML and script code.
No workaround or patch available at time of publishing.
There is no exploit code required; however, a Proof of Concept exploit script has been published.
Several vulnerabilities have been reported: a vulnerability was reported in 'index.php' due to insufficient verification of the 'language' parameter before it is used to include files, which could let a remote malicious user include arbitrary files; a vulnerability was reported in 'show.php' due to insufficient sanitization of the 'id,' 'rand,' and 'start' parameters and in 'index.php' due to insufficient sanitization of the 'album' parameter before using in an SQL query, which could let a remote malicious user execute arbitrary SQL code; and a Cross-Site Scripting vulnerability was reported due to insufficient sanitization of certain parameters when performing a search, which could let a remote malicious user execute arbitrary HTML and script code.
No workaround or patch available at time of publishing.
There is no exploit code required; however, Proof of Concept exploit scripts have been published.
A Cross-Site Scripting vulnerability has been reported in inline style attributes due to insufficient sanitization of user-supplied input, which could let a remote malicious user execute arbitrary HTML and script code.
Security Focus, Bugtraq ID: 15024, October 6, 2005
SUSE Security Summary Report, SUSE-SR:2005:027, November 18, 2005
SUSE Security Summary Report, SUSE-SR:2005:029, December 9, 2005
MilliScripts
MilliScripts 1.4
A Cross-Site Scripting vulnerability has been reported in 'register.php' due to insufficient sanitization of the 'domainname' parameter before returning to the user, which could let a remote malicious user execute arbitrary HTML and script code.
No workaround or patch available at time of publishing.
There is no exploit code required; however, a Proof of Concept exploit script has been published.
A vulnerability was reported due to insufficient sanitization of the 'eval()' call, which could let a remote malicious user execute arbitrary PHP code.
Trustix Secure Linux Security Advisory, TSLSA-2005-0036, July 14, 2005
SGI Security Advisory, 20050703-01-U, July 15, 2005
Gentoo Linux Security Advisory, GLSA 200507-15, July 15, 2005
Debian Security Advisory, DSA 789-1, August 29, 2005
SUSE Security Announcement, SUSE-SA:2005:049, August 30, 2005
Security Focus, Bugtraq ID: 14088, November 7, 2005
Security Focus, Bugtraq ID: 14088, November 23, 2005
HP Security Bulletin, HPSBTU02083, December 9, 2005
MyBB Group
MyBulletinBoard 1.0 PR2, RC1-RC4
Several vulnerabilities have been reported: SQL injection vulnerabilities were reported due to insufficient sanitization of unspecified input before using in an SQL query, which could let a remote malicious user execute arbitrary SQL code; and unspecified vulnerabilities were reported which could compromise a vulnerable MyBB installation.
An SQL injection vulnerability has been reported in 'index.php' due to insufficient sanitization of the 'cat' parameter before using in an SQL query, which could let a remote malicious user execute arbitrary SQL code.
No workaround or patch available at time of publishing.
Security Focus, Bugtraq ID: 15801, December 12, 2005
Nortel Networks
SSL VPN 4.2.1.6
A vulnerability has been reported in 'tunnelform.yaws' due to insufficient sanitization of the 'a' parameter before returning to the user, which could let a remote malicious user execute arbitrary HTML and script code.
No workaround or patch available at time of publishing.
There is no exploit code required; however, a Proof of Concept exploit script has been published.
SEC-CONSULT Security Advisory 20051212-0, December 10, 2005
OpenSSH
OpenSSH 4.1, 4.0, p1
Several vulnerabilities have been reported: a vulnerability was reported due to an error when handling dynamic port forwarding when no listen address is specified, which could let a remote malicious user cause "GatewayPorts" to be incorrectly activated; and a vulnerability was reported due to an error when handling GSSAPI credential delegation, which could let a remote malicious user be delegated with GSSAPI credentials.
PGP Desktop Professional 9.0.3 Build 2932, 9.0
PGP Desktop Home 8.0
A vulnerability has been reported when using the Wipe Free Space tool because data contained in the slack space of files on a NTFS drive is not correctly wiped, which could lead to the disclosure of sensitive information.
No workaround or patch available at time of publishing.
There is no exploit code required; however, the Slacker tool may be used to exploit this vulnerability.
PGP Desktop Wipe Free Space Assistant Improper Disk Wipe
A Cross-Site Scripting vulnerability has been reported in 'DisplayResults.php' due to insufficient sanitization of the 'sKeywords' parameter before returning to the user, which could let a remote malicious user execute arbitrary HTML and script code.
No workaround or patch available at time of publishing.
There is no exploit code required; however, Proof of Concept exploit scripts have been published.
Security Focus, Bugtraq ID: 15841, December 13, 2005
PHP
PHP 4.0.x, 4.1.x, 4.2.x, 4.3.x, 4.4.x, 5.0.x
Multiple vulnerabilities have been reported: a vulnerability was reported due to insufficient protection of the 'GLOBALS' array, which could let a remote malicious user define global variables; a vulnerability was reported in the 'parse_str()' PHP function when handling an unexpected termination, which could let a remote malicious user enable the 'register_globals' directive; a Cross-Site Scripting vulnerability was reported in the 'phpinfo()' PHP function due to insufficient sanitization of user-supplied input, which could let a remote malicious user execute arbitrary HTML and script code; and an integer overflow vulnerability was reported in 'pcrelib' due to an error, which could let a remote malicious user corrupt memory.
SUSE Security Summary Report, SUSE-SR:2005:025, November 4, 2005
Turbolinux Security Advisory TLSA-2005-97, November 5, 2005
Fedora Update Notifications, FEDORA-2005-1061 & 1062, November 8, 2005
RedHat Security Advisories, RHSA-2005:838-3 & RHSA-2005:831-15, November 10, 2005
Gentoo Linux Security Advisory, GLSA 200511-08, November 13, 2005
Mandriva Linux Security Advisory, MDKSA-2005:213, November 16, 2005
SUSE Security Summary Report, SUSE-SR:2005:027, November 18, 2005
Trustix Secure Linux Security Advisory, TSLSA-2005-0062, November 22, 2005
SGI Security Advisory, 20051101-01-U, November 29, 2005
OpenPKG Security Advisory, OpenPKG-SA-2005.027, December 3, 2005
SUSE Security Summary Report, SUSE-SR:2005:029, December 9, 2005
SUSE Security Announcement, SUSE-SA:2005:069, December 14, 2005
PHP Web Scripts
Ad Manager Pro 2.0
An SQL injection vulnerability has been reported in 'Advertiser_statistic.php' due to insufficient sanitization of user-supplied input before using in an SQL query, which could let a remote malicious user execute arbitrary SQL code.
No workaround or patch available at time of publishing.
There is no exploit code required; however, a Proof of Concept exploit script has been published.
Security Focus, Bugtraq ID: 15847, December 14, 2005
PHP Web Scripts
Link Up Gold 2.5
Cross-Site Scripting vulnerabilities have been reported in 'tell_friend.php' due to insufficient sanitization of the 'link' parameter and in 'search.php' due to insufficient sanitization of the 'phrase[0]' parameter, which could let a remote malicious user execute arbitrary HTML and script code.
No workaround or patch available at time of publishing.
Security Focus, Bugtraq ID: 15843, December 13, 2005
phpCOIN
phpCOIN 1.2.2
A Cross-Site Scripting vulnerability has been reported in 'Coin_CFG.php' due to insufficient sanitization before using in an SQL query, which could let a remote malicious user execute arbitrary SQL code.
No workaround or patch available at time of publishing.
There is no exploit code required; however, a Proof of Concept exploit script has been published.
Security Focus, Bugtraq ID: 15830, December 13, 2005
phpCOIN
phpCOIN 1.2.2
A file include vulnerability has been reported in 'config.php' due to insufficient sanitization of user-supplied input, which could let a remote malicious user execute arbitrary PHP code.
No workaround or patch available at time of publishing.
There is no exploit code required; however, a Proof of Concept exploit script has been published.
A vulnerability has been reported in the 'mb_send_mail()' function due to an input validation error, which could let a remote malicious user inject arbitrary headers to generated email messages.
Security Focus, Bugtraq ID: 15571, November 25, 2005
SUSE Security Announcement, SUSE-SA:2005:069, December 14, 2005
PhpWebGallery
PhpWebGallery 1.5.1
SQL injection vulnerabilities have been reported in 'comments.php' due to insufficient sanitization of the 'sort_by' and 'items_number' parameters and in 'picture.php' due to insufficient sanitization of the 'image_id' parameter before using in an SQL query, which could let a remote malicious user execute arbitrary SQL code.
No workaround or patch available at time of publishing.
There is no exploit code required; however, a Proof of Concept exploit script has been published.
Security Focus, Bugtraq ID: 15837, December 13, 2005
Plogger
Plogger Beta 2
Several vulnerabilities have been reported: an SQL injection vulnerability was reported due to insufficient sanitization of the 'page' and 'id' parameters before using in an SQL query, which could let a remote malicious user execute arbitrary SQL code; and a Cross-Site Scripting vulnerability was reported due to insufficient sanitization of the 'level' and 'searchterms' parameters before returning to the user, which could let a remote malicious user execute arbitrary HTML and script code.
No workaround or patch available at time of publishing.
There is no exploit code required; however, a Proof of Concept exploit script has been published.
Security Focus, Bugtraq ID: 15839, December 13, 2005
PowerDev
EncapsGallery 1.0
An SQL injection vulnerability has been reported in 'gallery.php' due to insufficient sanitization of the 'id' parameter, which could let a remote malicious user execute arbitrary SQL code.
No workaround or patch available at time of publishing.
There is no exploit code required; however, a Proof of Concept exploit script has been published.
Security Focus, Bugtraq ID: 15836, December 13, 2005
QNX Software Systems Ltd.
RTOS 4.25
A vulnerability has been reported in the 'dhcp.client' program because it has suid root permissions, which could let a remote malicious user change the assigned IP addresses of network interfaces and potentially cause a Denial of Service.
No workaround or patch available at time of publishing.
Currently we are not aware of any exploits for this vulnerability.
Security Focus, Bugtraq ID: 15785, December 9, 2005
Simple Machines
SMF 1.1 rc1
An SQL injection vulnerability has been reported in 'memberlist.php' due to insufficient sanitization of user-supplied input before using in an SQL query, which could let a remote malicious user execute arbitrary SQL code.
No workaround or patch available at time of publishing.
There is no exploit code required; however, a Proof of Concept exploit script has been published.
A vulnerability has been reported in the 'name' parameter when adding a new topic due to insufficient sanitization, which could let a remote malicious user execute arbitrary PHP code.
No workaround or patch available at time of publishing.
There is no exploit code required; however, a Proof of Concept exploit script has been published.
Security Tracker Alert ID: 1015323, December 7, 2005
Snipe Gallery
Snipe Gallery 3.1.4
Several vulnerabilities have been reported: SQL injection vulnerabilities were reported in 'image.php' due to insufficient sanitization of the 'image_id' parameter and in 'view.php' due to insufficient sanitization of the 'gallery_id' parameter before using in an SQL query, which could let a remote malicious user execute arbitrary SQL code; and a Cross-Site Scripting vulnerability was reported in 'search.php' due to insufficient sanitization of the 'keyword' parameter before returning to the user, which could let a remote malicious user execute arbitrary HTML and script code.
No workaround or patch available at time of publishing.
There is no exploit code required; however, Proof of Concept exploit scripts have been published.
Multiple input validation vulnerabilities have been reported due to insufficient sanitization of user-supplied input, which could let a remote malicious user inject arbitrary HTML, script code, or SQL code.
SQL injection vulnerabilities have been reported in the login page due to insufficient validation of the 'username' and 'password' fields and in 'index.php' due to insufficient verification of the 'id' parameter, which could let a remote malicious user execute arbitrary SQL code.
Security Tracker Alert ID: 1015352, December 13, 2005
UseBB
UseBB 0.6 a, 0.6, 0.5.1 a, 0.5.1
A Cross-Site Scripting vulnerability has been reported in '$_SERVER['PHP_SELF']' due to insufficient sanitization before returning to the user, which could let a remote malicious user execute arbitrary HTML and script code.
Several vulnerabilities have been reported: a Cross-Site Scripting vulnerability was reported in 'index.php' due to insufficient sanitization of the 'batch' parameter and when performing a detailed search due to insufficient sanitization of the 'title' parameter, which could let a remote malicious user execute arbitrary HTML and script code; and a vulnerability was reported because it is possible to obtain the full path to 'search.php' when it is accessed with an invalid 'by' parameter.
No workaround or patch available at time of publishing.
There is no exploit code required; however, Proof of Concept exploit scripts have been published.
An SQL injection vulnerability has been reported due to insufficient sanitization of user-supplied input before using in an SQL query, which could let a remote malicious user execute arbitrary SQL code.
Security Focus, Bugtraq ID: 15776, December 12, 2005
WHMCompleteSolution
WHMCompleteSolution 2.1
A Cross-Site Scripting vulnerability has been reported in 'knowledgebase.php' due to insufficient sanitization of the 'search' parameter before returning to the user, which could let a remote malicious user execute arbitrary HTML and script code.
No workaround or patch available at time of publishing.
Security Focus, Bugtraq ID: 15856, December 14, 2005
WikkaWiki
WikkaWiki 1.1.6.0
A Cross-Site Scripting vulnerability has been reported in 'TextSearch.PHP' due to insufficient sanitization of the 'phrase' parameter before returning to the user, which could let a remote malicious user execute arbitrary HTML and script code.
No workaround or patch available at time of publishing.
There is no exploit code required; however, a Proof of Concept exploit script has been published.
A buffer overflow vulnerability has been reported in the 'AddressFromAtPtr()' function due to a boundary error when copying the hostname portion of an e-mail address to a 256-byte buffer, which could let a malicious user execute arbitrary code.
The section below contains wireless vulnerabilities, articles, and viruses/trojans identified during this reporting period.
Bluetooth to unify wireless functionalities: The Bluetooth Special Interest Group is planning to co-operate more closely with the Wi-Fi, Ultra-wideband (UWB) and Near Field Communications (NFC) wireless standards.
The initiative seeks to combine technologies, functionalities and user interfaces to make them more straightforward for end users. Source: http://www.vnunet.com/vnunet/news/2147476/bluetooth-seeks-unify-wireless
Enterprise Mobility Spending To Triple By 2008: Study: According to a report released by the market research firm, Visiongain, spending by enterprises to support wireless and mobile initiatives will almost triple between now and 2008. The study indicated that mobile and wireless spending by enterprises totaled about $50 billion in 2005. That figure will increase to more than $130 billion by the end of 2008. The spending covers hardware, software and services. Source: http://www.mobilepipeline.com/showArticle.jhtml?articleID=175000717.
Next-Gen Wi-Fi Could Appear By Late 2006: Study: According to a study by ABI Research, the pieces are falling into place for the next-generation 802.11n Wi-Fi standard to be ratified and chipsets could appear by the end of 2006.
The new standard will provide speeds in excess of Ethernet networking speeds. Source: http://www.mobilepipeline.com/showArticle.jhtml?articleID=175002343.
The table below contains a sample of exploit scripts and "how to" guides identified during this period. The "Workaround or Patch Available" column indicates if vendors, security vulnerability listservs, or Computer Emergency Response Teams (CERTs) have published workarounds or patches.
Note: At times, scripts/techniques may contain names or content that may be considered offensive.
Date of Script
(Reverse Chronological Order)
Script name
Workaround or Patch Available
Script Description
December 14, 2005
appfluent.txt
No
Exploit for the Appfluent Technology Database Buffer Overflow vulnerability.
December 14, 2005
Bios.Information.Leakage.txt
N/A
Whitepaper that discusses information leakage and password extraction from a BIOS.
December 14, 2005
fireburn.txt
Yes
Proof of Concept exploit for Firefox 1.0.4 for the InstallVersion.compareTo() vulnerability.
December 14, 2005
lyris_attachment_mssql.pm.txt
Yes
Exploit for the ListManager SQL Injection vulnerability.
December 14, 2005
sugar_suite_40beta.txt
No
Exploit for the SugarCRM Sugar Suite Remote & Local File Include vulnerabilities.
December 13, 2005
mmap_deadlock.c
Yes
Proof of Concept Denial of Service exploit for the Linux Kernel Integer Overflow vulnerability.
Trojan circulates as fake McAfee patch: A new Trojan is circulating that masquerades as a patch for McAfee's antivirus software.
Emails have been spammed out pretending to be a security update for a virus called 'Kongos 31' which does not exist. The email contains a link to a web page hosted in the US that looks very similar to the McAfee download page. Source: http://www.vnunet.com/vnunet/news/2147531/trojan-circulates-fake-mcafee.
Cyber Security Tip ST05-019, Preventing and Responding to Identity Theft: Identity theft, or identity fraud, is a crime that can have substantial financial and emotional consequences. Take precautions with personal information; and if you become a victim, act immediately to minimize the damage. Source: http://www.us-cert.gov/cas/tips/ST05-019.html
Cross Domain Vulnerability in Internet Explorer: US-CERT is aware of a cross domain violation in Internet Explorer. This may allow a script in one domain to access web content in a different domain. Source: http://www.us-cert.gov/current/.
New SSL certificates coming: In an effort to reduce phishing and to help build online trust, security companies and browser makers are working together to design "high assurance" SSL certificates. Source: http://www.securityfocus.com/brief/77.
E-Mail Spills Corporate Secrets: According to a study released by Radicati Group, six percent of workers admitted that they've E-mailed confidential company information to someone they shouldn't have and 62% said they've used their personal accounts for business purposes to circumvent controls placed on their business accounts. Source: http://www.informationweek.com/security/showArticle.jhtml?articleID=174918812.
Sober code cracked: Antivirus companies say they have cracked an algorithm that was being used by the Sober worm to "communicate" with its author. The latest variant of the Sober worm caused havoc in November by duping users into executing it by masking itself as e-mails from the FBI and CIA. Source: http://news.com.com/Sober+code+cracked/2100-7349_3-5989094.html?tag=nl.
Rootkits Making More Spyware, Adware Stick: According to F-Secure, the sharp rise in rootkits is due to spyware and adware vendors trying to prevent their wares from being easily uninstalled. Since October the most common rootkit in the wild is the one used by the Apropos spyware program. Source: http://www.techweb.com/wire/security/174907374;jsessionid=WRE35TOIAV2AUQSNDBECKH0CJUMEKJVN.
Study: Unchecked Software Piracy Could Cost Nations Hundreds of Billions Of Dollars: According to a study conducted by International Data Corp, without a crackdown on global software piracy, countries stand to lose hundreds of billions of dollars in economic growth and tax revenues and millions of new jobs.
Cutting piracy by 10 percent over four years would generate 2.4 million new jobs in information technology, boost economic growth by $400 billion and increase tax revenues worldwide by $67 billion. Source: http://internetweek.cmp.com/security/174907328.
A list of high threat viruses, as reported to various anti-virus vendors and virus incident reporting organizations, has been ranked and categorized in the table below. For the purposes of collecting and collating data, infections involving multiple systems at a single location are considered a single infection. It is therefore possible that a virus has infected hundreds of machines but has only been counted once. With the number of viruses that appear each month, it is possible that a new virus will become widely distributed before the next edition of this publication. To limit the possibility of infection, readers are reminded to update their anti-virus packages as soon as updates become available. The table lists the viruses by ranking (number of sites affected), common virus name, type of virus code (i.e., boot, file, macro, multi-partite, script), trends (based on number of infections reported since last week), and approximate date first found.
Rank | Common Name | Type of Code | Trend | Date | Description
-----|-------------|--------------|-------|------|------------
1 | Netsky-P | Win32 Worm | Stable | March 2004 | A mass-mailing worm that uses its own SMTP engine to send itself to the email addresses it finds when scanning local hard drives and mapped drives. The worm also tries to spread through various file-sharing programs by copying itself into shared folders.
2 | Netsky-D | Win32 Worm | Stable | March 2004 | A simplified variant of the Netsky mass-mailing worm: it does not contain many of the text strings present in Netsky-C and does not copy itself to shared folders. Netsky-D spreads only as an executable email attachment.
3 | Sober-Z | Win32 Worm | Stable | December 2005 | A mass-mailing worm that harvests addresses from infected machines, forges the sender's address, and uses its own mail engine.
4 | Mytob-GH | Win32 Worm | Stable | November 2005 | A variant of the Mytob mass-mailing worm that disables security-related programs and allows others to access the infected system. This version sends itself to email addresses harvested from the system, forging the sender's address.
5 | Mytob.C | Win32 Worm | Stable | March 2005 | A mass-mailing worm with IRC backdoor functionality which can also infect computers vulnerable to the Windows LSASS (MS04-011) vulnerability. The worm attempts to harvest email addresses from the local hard disk by scanning files.
6 | Mytob-BE | Win32 Worm | Stable | June 2005 | A slight variant of the Mytob mass-mailing worm that propagates via an IRC backdoor, the LSASS vulnerability, and email. It harvests addresses from the Windows address book, disables antivirus software, and modifies data.
7 | Zafi-D | Win32 Worm | Stable | December 2004 | A mass-mailing worm that sends itself to email addresses gathered from the infected computer. The worm may also attempt to lower security settings, terminate processes, and open a back door on the compromised computer.
8 | Lovgate.w | Win32 Worm | Stable | April 2004 | A mass-mailing worm that propagates by replying to messages via MAPI, by using an internal SMTP engine, by dropping copies of itself on network shares, and through peer-to-peer networks. It also attempts to access all machines on the local area network.
9 | Mytob-GH | Win32 Worm | Stable | December 2005 | This email worm turns off antivirus software and opens infected systems to remote connections. It also harvests email addresses from infected machines and forges the sender's address.
10 | Zafi-B | Win32 Worm | Stable | June 2004 | A mass-mailing worm that spreads via email using several languages, including English, Hungarian, and Russian. When executed, the worm makes two copies of itself in the %System% directory with randomly generated file names.