Summary of Security Items from December 1 through December 7, 2005
Information in the US-CERT Cyber Security Bulletin is a compilation and includes information published by outside sources, therefore the information should not be considered the result of US-CERT analysis. Software vulnerabilities are categorized in the appropriate section reflecting the operating system on which the vulnerability was reported; however, this does not mean that the vulnerability only affects the operating system reported since this information is obtained from open-source information.
This bulletin provides a summary of new or updated vulnerabilities, exploits, trends, viruses, and trojans. Updates to vulnerabilities that appeared in previous bulletins are listed in bold text. The text in the Risk column appears in red for vulnerabilities ranking High. The risk levels applied to vulnerabilities in the Cyber Security Bulletin are based on how the "system" may be impacted. The Recent Exploit/Technique table contains a "Workaround or Patch Available" column that indicates whether a workaround or patch has been published for the vulnerability which the script exploits.
The table below summarizes vulnerabilities that have been identified, even if they are not being exploited. Complete details about patches or workarounds are available from the source of the information or from the URL provided in the section. CVE numbers are listed where applicable. Vulnerabilities that affect both Windows and Unix Operating Systems are included in the Multiple Operating Systems section.
Note: All the information included in the following tables has been discussed in newsgroups and on web sites.
The Risk levels defined below are based on how the system may be impacted:
Note: Even though a vulnerability may allow several malicious acts to be performed, only the highest level risk will be defined in the Risk column.
High - A high-risk vulnerability is defined as one that will allow an intruder to immediately gain privileged access (e.g., sysadmin or root) to the system or allow an intruder to execute code or alter arbitrary system files. An example of a high-risk vulnerability is one that allows an unauthorized user to send a sequence of instructions to a machine and the machine responds with a command prompt with administrator privileges.
Medium - A medium-risk vulnerability is defined as one that will allow an intruder immediate access to a system with less than privileged access. Such a vulnerability will allow the intruder the opportunity to continue the attempt to gain privileged access. An example of a medium-risk vulnerability is a server configuration error that allows an intruder to capture the password file.
Low - A low-risk vulnerability is defined as one that will provide information to an intruder that could lead to further compromise attempts or a Denial of Service (DoS) attack. It should be noted that while the DoS attack is deemed low from a threat potential, the frequency of this type of attack is very high. DoS attacks against mission-critical nodes are not included in this rating and any attack of this nature should instead be considered to be a "High" threat.
Multiple vulnerabilities have been reported in Shopping Cart that could let remote malicious users conduct Cross-Site Scripting or execute arbitrary code.
No workaround or patch available at time of publishing.
There is no exploit code required; however, a Proof of Concept exploit script has been published.
An input validation vulnerability has been reported in Citrix MetaFrame Secure Access Manager that could let remote malicious users conduct Cross-Site Scripting.
Multiple vulnerabilities have been reported in IMail Server and Collaboration Suite that could let remote malicious users cause a Denial of Service or execute arbitrary code.
A vulnerability has been reported in Internet Explorer that could let remote malicious users disclose information. Specifically, importing CSS files may allow for cross domain security restriction bypassing.
No workaround or patch available at time of publishing.
A Proof of Concept exploit script has been published.
Microsoft Internet Explorer Information Disclosure
A vulnerability has been reported in Windows that could let local malicious users perform a Denial of Service. NOTE: This issue has been disputed by third parties.
No workaround or patch available at time of publishing.
An exploit has been published.
Microsoft Windows CreateRemoteThread Denial of Service
A buffer overflow vulnerability has been reported in the 'APPFLUENT_HOME' environment variable when handling a malformed value, which could let a malicious user execute arbitrary code.
No workaround or patch available at time of publishing.
Security Focus, Bugtraq ID: 15666, December 1, 2005
Daniel Stenberg
curl 7.12-7.15, 7.11.2
A buffer overflow vulnerability has been reported due to insufficient bounds checks on user-supplied data before using it in a fixed-size buffer, which could let a local/remote malicious user execute arbitrary code.
Security Focus, Bugtraq ID: 15756, December 7, 2005
Easy Search System
Easy Search System 1.1
A Cross-Site Scripting vulnerability has been reported in 'search.cgi' due to insufficient sanitization of the 'q' parameter before returning it to the user, which could let a remote malicious user execute arbitrary HTML and script code.
No workaround or patch available at time of publishing.
There is no exploit code required; however, a Proof of Concept exploit has been published.
Security Focus, Bugtraq ID: 15705, December 5, 2005
Edgewall Software
Trac 0.9
An SQL injection vulnerability has been reported in the ticket query module due to insufficient sanitization of the 'group' parameter before using it in an SQL query, which could let a remote malicious user execute arbitrary SQL code.
Security Tracker Alert ID: 1015302, December 1, 2005
Edgewall Software
Trac 0.9.1, 0.9, 0.8.1-0.8.4, 0.7.1
An SQL injection vulnerability has been reported in the search module due to insufficient sanitization of user-supplied input before using it in an SQL query, which could let a remote malicious user execute arbitrary SQL code.
Security Focus, Bugtraq ID: 15720, December 5, 2005
GNU
Mailman 2.1-2.1.5, 2.0-2.0.14
A remote Denial of Service vulnerability has been reported in 'Scrubber.py' due to a failure to handle exception conditions when Python fails to process an email file attachment that contains utf8 characters in its filename.
Revision 2: The binary files of HPSBUX01164 will resolve the issue for the core TCP/IP in B.11.11, B.11.22, and B.11.23. The binary files of HPSBUX01164 will NOT resolve the issue for IPSec. B.11.00 and B.11.04 are NOT vulnerable. The recommended workaround is to modify /etc/rc.config.d/nddconf and reboot.
Hewlett Packard Company Security Advisory, HPSBUX01137, April 24, 2005
Hewlett Packard Company Security Advisory, HPSBUX01137: SSRT5954 rev.1, May 25, 2005
Hewlett Packard Company Security Advisory, HPSBUX01137: SSRT5954 rev.2, June 1, 2005
Avaya Security Bulletin, ASA-2005-160, July 15, 2005
HP Security Bulletin, HPSBUX01137 rev 4, July 19, 2005
HP Security Bulletin, HPSBUX01137 rev 6, December 5, 2005
IBM
AIX 5.1-5.3
A vulnerability has been reported in the 'umountall' command due to an unspecified error with regard to the absolute path. The impact was not specified.
Security Focus, Bugtraq ID: 15523, November 22, 2005
Ubuntu Security Notice, USN-221-1, December 01, 2005
libpng
pnmtopng 2.38, 2.37.3-2.37.6
A buffer overflow vulnerability has been reported in 'Alphas_Of_Color' due to insufficient bounds checking of user-supplied data prior to copying it to an insufficiently sized memory buffer, which could let a remote malicious user execute arbitrary code.
Security Focus, Bugtraq ID: 15427, November 15, 2005
Debian Security Advisory, DSA 904-1, November 21, 2005
Ubuntu Security Notice, USN-218-1, November 21, 2005
Mandriva Linux Security Advisory, MDKSA-2005:217, November 30, 2005
SUSE Security Summary Report Announcement, SUSE-SR:2005:028, December 2, 2005
Mozilla.org
Firefox 0.x, 1.x
Multiple vulnerabilities have been reported: a vulnerability was reported due to an error because untrusted events generated by web content are delivered to the browser user interface; a vulnerability was reported because scripts in XBL controls can be executed even when JavaScript has been disabled; a vulnerability was reported because remote malicious users can execute arbitrary code by tricking the user into using the 'Set As Wallpaper' context menu on an image URL that is actually a javascript: URL; a vulnerability was reported in the 'InstallTrigger.install()' function due to an error in the callback function, which could let a remote malicious user execute arbitrary code; a vulnerability was reported due to an error when handling a 'data:' URL that originates from the sidebar, which could let a remote malicious user execute arbitrary code; an input validation vulnerability was reported in the 'InstallVersion.compareTo()' function when handling unexpected JavaScript objects, which could let a remote malicious user execute arbitrary code; a vulnerability was reported because it is possible for a remote malicious user to steal information and possibly execute arbitrary code by using standalone applications such as Flash and QuickTime to open a javascript: URL; a vulnerability was reported due to an error when handling DOM node names with different namespaces, which could let a remote malicious user execute arbitrary code; and a vulnerability was reported due to insecure cloning of base objects, which could let a remote malicious user execute arbitrary code.
Ubuntu Security Notices, USN-157-1 & 157-2, August 1 & 2, 2005
SUSE Security Announcement, SUSE-SA:2005:045, August 11, 2005
Debian Security Advisory, DSA 775-1, August 15, 2005
SGI Security Advisory, 20050802-01-U, August 15, 2005
Debian Security Advisory, DSA 777-1, August 17, 2005
Debian Security Advisory, DSA 779-1, August 20, 2005
Debian Security Advisory, DSA 781-1, August 23, 2005
Gentoo Linux Security Advisory, GLSA 200507-24, August 26, 2005
Mandriva Linux Security Update Advisory, MDKSA-2005:127-1, August 26, 2005
Slackware Security Advisory, SSA:2005-085-01, August 28, 2005
Debian Security Advisory, DSA 779-2, September 1, 2005
Debian Security Advisory, DSA 810-1, September 13, 2005
Fedora Legacy Update Advisory, FLSA:160202, September 14, 2005
HP Security Bulletin, HPSBOV01229, September 19, 2005
HP Security Bulletin, HPSBUX01230, October 3, 2005
Ubuntu Security Notice, USN-155-3, October 04, 2005
Sun(sm) Alert Notification, Sun Alert ID: 101952, October 17, 2005
SUSE Security Summary Report, SUSE-SR:2005:028, December 2, 2005
Multiple Vendors
Xpdf 3.0 pl2 & pl3, 3.01, 3.00, 2.0-2.03, 1.00, 1.00a, 0.90-0.93; RedHat Fedora Core4, Core3, Enterprise Linux WS 4, WS 3, WS 2.1 IA64, WS 2.1, ES 4, ES 3, ES 2.1 IA64, 2.1, Enterprise Linux AS 4, AS 3, 2.1 IA64, 2.1, Desktop 4.0, 3.0, Advanced Workstation for the Itanium Processor 2.1 IA64, 2.1; teTeX 2.0.1, 2.0; Poppler poppler 0.4.2; KDE kpdf 0.5, KOffice 1.4.2; PDFTOHTML 0.36
Multiple vulnerabilities have been reported: a heap-based buffer overflow vulnerability was reported in the 'DCTStream::readBaselineSOF()' function in 'xpdf/Stream.cc' when copying data from a PDF file, which could let a remote malicious user potentially execute arbitrary code; a buffer overflow vulnerability was reported in the 'DCTStream::readProgressiveSOF()' function in 'xpdf/Stream.cc' when copying data from a PDF file, which could let a remote malicious user potentially execute arbitrary code; a buffer overflow vulnerability was reported in the 'StreamPredictor::StreamPredictor()' function in 'xpdf/Stream.cc' when using the 'numComps' value to calculate the memory size, which could let a remote malicious user potentially execute arbitrary code; and a vulnerability was reported in the 'JPXStream::readCodestream()' function in 'xpdf/JPXStream.cc' when using the 'nXTiles' and 'nYTiles' values from a PDF file to copy data from the file into allocated memory, which could let a remote malicious user potentially execute arbitrary code.
Several vulnerabilities have been reported: a vulnerability was reported in the 'index.lok' lock file when indexing music files due to the insecure creation of temporary files, which could let a remote malicious user overwrite arbitrary files; and a Directory Traversal vulnerability was reported when processing certain CGI parameters and cookie values due to an input validation error, which could let a remote malicious user obtain sensitive information.
Cross-Site Scripting vulnerabilities have been reported in the 'HTTP_HOST' variable and certain scripts in the libraries directory due to insufficient sanitization before returning it to the user, which could let a remote malicious user execute arbitrary HTML and script code.
SUSE Security Announcement, SUSE-SA:2005:029, June 9, 2005
RedHat Security Advisory, RHSA-2005:514-46, October 5, 2005
Mandriva Linux Security Advisory, MDKSA-2005:220, November 30, 2005
Multiple Vendors
SuSE Linux Professional 9.3, x86_64, 9.2, x86_64, Linux Personal 9.3, x86_64; Linux kernel 2.6-2.6.12
A buffer overflow vulnerability has been reported in the XFRM network architecture code due to insufficient validation of user-supplied input, which could let a malicious user execute arbitrary code.
SUSE Security Announcement, SUSE-SA:2005:067, December 6, 2005
Multiple Vendors
Trustix Secure Linux 3.0, 2.2, Secure Enterprise Linux 2.0, SuSE Novell Linux Desktop 9.0, Linux Professional 9.3 x86_64, 9.3, 9.2 x86_64, 9.2, 9.1 x86_64, 9.1, Linux Personal 9.3 x86_64, 9.3, 9.2 x86_64, 9.2, 9.1 x86_64, 9.1, Linux Enterprise Server for S/390 9.0, Linux Enterprise Server 9; 2.6-2.6.12.4
A Denial of Service vulnerability has been reported due to a failure to handle malformed compressed files.
SUSE Security Announcement, SUSE-SA:2005:050, September 1, 2005
Trustix Secure Linux Security Advisory, TSLSA-2005-0043, September 2, 2005
Mandriva Linux Security Update Advisory, MDKSA-2005:171, October 3, 2005
Mandriva Linux Security Advisories, MDKSA-2005:219 & 220, November 30, 2005
Multiple Vendors
Ubuntu Linux 5.10 powerpc, i386, amd64, 5.04 powerpc, i386, amd64, 4.1 ppc, ia64, ia32; TouchTunes Rhapsody, TouchTunes Maestro; SuSE UnitedLinux 1.0, Novell Linux Desktop 9.0, Linux Professional 10.0 OSS, 10.0, 9.3 x86_64, 9.3, 9.2 x86_64, 9.2, 9.1 x86_64, 9.1, 9.0 x86_64, 9.0, Linux Personal 10.0 OSS, 9.3 x86_64, 9.3, 9.2 x86_64, 9.2, 9.1 x86_64, 9.1, 9.0 x86_64, 9.0, Linux Enterprise Server 9, 8, Linux Desktop 1.0; RedHat Fedora Core4, Core3, Enterprise Linux WS 4, WS 3, WS 2.1 IA64, WS 2.1, ES 4, ES 3, 2.1 IA64, 2.1, AS 4, AS 3, AS 2.1 IA64, 2.1, Desktop 4.0, 3.0, Advanced Workstation for the Itanium Processor 2.1 IA64, 2.1; GTK+ 2.8.6, 2.6.4, 2.4.14, 2.4.13, 2.4.10, 2.4.9, 2.4.1, 2.2.4, 2.2.3; GNOME GdkPixbuf 0.22; Gentoo Linux; Ardour 0.99
Multiple vulnerabilities have been reported: an integer overflow vulnerability was reported in '/gtk+/gdk-pixbuf/io-xpm.c' due to insufficient validation of the 'n_col' value before using it to allocate memory, which could let a remote malicious user execute arbitrary code; a remote Denial of Service vulnerability was reported in '/gtk+/gdk-pixbuf/io-xpm.c' when processing an XPM file that contains a large number of colors; and an integer overflow vulnerability was reported in '/gtk+/gdk-pixbuf/io-xpm.c' when performing calculations using the height, width, and colors of an XPM file, which could let a remote malicious user execute arbitrary code or cause a Denial of Service.
Security Focus Bugtraq IDs: 15226 & 15228, October 28, 2005
Debian Security Advisory DSA 877-1, October 28, 2005
SUSE Security Summary Report, SUSE-SR:2005:025, November 4, 2005
Gentoo Linux Security Advisory, GLSA 200511-05, November 6, 2005
SUSE Security Summary Report, SUSE-SR:2005:027, November 18, 2005
SUSE Security Summary Report, SUSE-SR:2005:028, December 2, 2005
Multiple Vendors
GNU gnump3d 2.9-2.9.5; Gentoo Linux
A Cross-Site Scripting vulnerability has been reported due to insufficient sanitization of user-supplied input, which could let a remote malicious user execute arbitrary HTML and script code.
SUSE Security Announcement, SUSE-SA:2005:018, March 24, 2005
Fedora Security Update Notification, FEDORA-2005-262, March 28, 2005
Conectiva Linux Security Announcement, CLA-2005:945, March 31, 2005
Fedora Update Notification, FEDORA-2005-313, April 11, 2005
RedHat Security Advisory, RHSA-2005:366-21, August 9, 2005
RedHat Security Advisory, RHSA-2005:663-19, September 28, 2005
Mandriva Linux Security Advisories, MDKSA-2005:218 & 219, November 30, 2005
Multiple Vendors
Linux Kernel 2.6 up to & including 2.6.12-rc4
Several vulnerabilities have been reported: a vulnerability was reported in raw character devices (raw.c) because the wrong function is called before passing an ioctl to the block device, which crosses security boundaries by making kernel address space accessible from user space; and a vulnerability was reported in the 'pkt_ioctl' function in the 'pktcdvd' block device ioctl handler (pktcdvd.c) because the wrong function is called before passing an ioctl to the block device, which could let a malicious user execute arbitrary code.
Mandriva Linux Security Update Advisory, MDKSA-2005:110, July 1, 2005
RedHat Security Advisory, RHSA-2005:420-24, Updated August 9, 2005
Conectiva Linux Announcement, CLSA-2005:999, August 17, 2005
Mandriva Linux Security Advisory, MDKSA-2005:219, November 30, 2005
Multiple Vendors
Linux kernel
2.6-2.6.11
A vulnerability has been reported in the '/sys' file system due to a mismanagement of integer signedness, which could let a malicious user cause a Denial of Service and potentially execute arbitrary code.
RedHat Security Advisory, RHSA-2005:366-19, April 19, 2005
SUSE Security Announcement, SUSE-SA:2005:044, August 4, 2005
Mandriva Linux Security Advisory, MDKSA-2005:218, November 30, 2005
Multiple Vendors
Linux Kernel 2.4.x, 2.6 prior to 2.6.11.11
A vulnerability has been reported in the Linux kernel in the Radionet Open Source Environment (ROSE) implementation in the 'rose_rt_ioctl()' function due to insufficient validation of a new route's 'ndigis' argument. The impact was not specified.
An integer overflow vulnerability has been reported in the 'scsi_ioctl.c' kernel driver due to insufficient sanitization of the 'sg_scsi_ioctl' function, which could let a malicious user execute arbitrary code.
Fedora Update Notifications, FEDORA-2005-013 & 014, January 10, 2005
SUSE Security Announcement, SUSE-SA:2005:003, January 21, 2005
RedHat Security Advisory, RHSA-2005:092-14, February 18, 2005
SUSE Security Announcement, SUSE-SA:2005:010, February 25, 2005
Mandriva Linux Security Advisory, MDKSA-2005:218, November 30, 2005
Multiple Vendors
Linux kernel 2.6.10, 2.6-test9-CVS, 2.6-test1-test11, 2.6, 2.6.1-2.6.11; RedHat Desktop 4.0, Enterprise Linux WS 4, ES 4, AS 4
Multiple vulnerabilities have been reported: a vulnerability was reported in the 'shmctl' function, which could let a malicious user obtain sensitive information; a Denial of Service vulnerability was reported in 'nls_ascii.c' due to the use of incorrect table sizes; a race condition vulnerability was reported in the 'setsid()' function; and a vulnerability was reported in the OUTS instruction on the AMD64 and Intel EM64T architectures, which could let a malicious user obtain elevated privileges.
Security Focus, Bugtraq ID: 14791, September 9, 2005
Ubuntu Security Notice, USN-178-1, September 09, 2005
Mandriva Linux Security Update Advisory, MDKSA-2005:171, October 3, 2005
RedHat Security Advisory, RHSA-2005:514-46, October 5, 2005
Mandriva Linux Security Advisories, MDKSA-2005:219 & 220, November 30, 2005
Multiple Vendors
Linux kernel 2.6.8-2.6.10, 2.4.21
Several vulnerabilities have been reported: a buffer overflow vulnerability was reported in 'msg_control' when copying 32 bit contents, which could let a malicious user obtain root privileges and execute arbitrary code; and a vulnerability was reported in the 'raw_sendmsg()' function, which could let a malicious user obtain sensitive information or cause a Denial of Service.
Ubuntu Security Notice, USN-178-1, September 09, 2005
Trustix Secure Linux Security Advisory, TSLSA-2005-0049, September 16, 2005
Fedora Update Notifications, FEDORA-2005-905 & 906, September 22, 2005
RedHat Security Advisory, RHSA-2005:663-19, September 28, 2005
Mandriva Linux Security Update Advisory, MDKSA-2005:171, October 3, 2005
RedHat Security Advisory, RHSA-2005:514-46, October 5, 2005
Mandriva Linux Security Advisories, MDKSA-2005:219 & 220, November 30, 2005
Multiple Vendors
Linux kernel 2.6-2.6.12.1
A vulnerability has been reported due to insufficient authorization before accessing a privileged function, which could let a malicious user bypass IPSEC policies.
Ubuntu Security Notice, USN-219-1, November 22, 2005
Mandriva Linux Security Advisories, MDKSA-2005:218, 219 & 220, November 30, 2005
Multiple Vendors
Linux kernel 2.6-2.6.13.1
A Denial of Service vulnerability has been reported due to an omitted call to the 'sockfd_put()' function in the 32-bit compatible 'routing_ioctl()' function.
Security Tracker Alert ID: 1014944, September 21, 2005
Ubuntu Security Notice, USN-187-1, September 25, 2005
Mandriva Linux Security Advisories, MDKSA-2005:218, 219, 220, November 30, 2005
SUSE Security Announcement, SUSE-SA:2005:067, December 6, 2005
Multiple Vendors
Linux kernel 2.6-2.6.14
Several vulnerabilities have been reported: a Denial of Service vulnerability was reported due to a memory leak in '/security/keys/request_key_auth.c'; a Denial of Service vulnerability was reported due to a memory leak in '/fs/namei.c' when the 'CONFIG_AUDITSYSCALL' option is enabled; and a vulnerability was reported because the orinoco wireless driver fails to pad data packets with zeroes when increasing the length, which could let a malicious user obtain sensitive information.
Trustix Secure Linux Security Advisory, TSLSA-2005-0057, October 14, 2005
Fedora Update Notifications, FEDORA-2005-1013, October 20, 2005
RedHat Security Advisory, RHSA-2005:808-14, October 27, 2005
Ubuntu Security Notice, USN-219-1, November 22, 2005
Mandriva Linux Security Advisories, MDKSA-2005:218, 219 & 220, November 30, 2005
SUSE Security Announcement, SUSE-SA:2005:067, December 6, 2005
Multiple Vendors
Linux kernel 2.6-2.6.14
Several vulnerabilities have been reported: a Denial of Service vulnerability was reported when handling asynchronous USB access via usbdevio; and a Denial of Service vulnerability was reported in the 'ipt_recent.c' netfilter module due to an error in jiffies comparison.
RedHat Security Advisory, RHSA-2005:514-46, October 5, 2005
Ubuntu Security Notice, USN-219-1, November 22, 2005
Mandriva Linux Security Advisories, MDKSA-2005:218, 219 & 220, November 30, 2005
SUSE Security Announcement, SUSE-SA:2005:067, December 6, 2005
Multiple Vendors
Linux Kernel 2.6-2.6.14
Multiple vulnerabilities have been reported: a Denial of Service vulnerability was reported in the 'sys_set_mempolicy' function when a malicious user submits a negative first argument; a Denial of Service vulnerability was reported when threads are sharing memory mapping via 'CLONE_VM'; a Denial of Service vulnerability was reported in 'fs/exec.c' when one thread is tracing another thread that shares the same memory map; a Denial of Service vulnerability was reported in 'mm/ioremap.c' when performing a lookup of a non-existent page; a Denial of Service vulnerability was reported in the HFS and HFS+ (hfsplus) modules; and a remote Denial of Service vulnerability was reported due to a race condition in 'ebtables.c' when running on a SMP system that is operating under a heavy load.
A vulnerability has been reported due to the way console keyboard mapping is handled, which could let a malicious user modify the console keymap to include scripted macro commands.
Security Focus, Bugtraq ID: 15122, October 17, 2005
Mandriva Linux Security Advisories, MDKSA-2005:218, 219 & 220, November 30, 2005
Multiple Vendors
Linux kernel 2.6-2.6.14; SuSE Linux Professional 10.0 OSS, Linux Personal 10.0 OSS;
RedHat Fedora Core4
A Denial of Service vulnerability has been reported in 'ptrace.c' when 'CLONE_THREAD' is used due to a missing check of the thread's group ID when trying to determine whether the process is attempting to attach to itself.
Security Focus, Bugtraq ID: 15625, November 29, 2005
Fedora Update Notification, FEDORA-2005-1104, November 28, 2005
SuSE Security Announcement, SUSE-SA:2005:067, December 6, 2005
Multiple Vendors
Linux kernel 2.6-2.6.12.1
Several vulnerabilities have been reported: a Denial of Service vulnerability was reported due to an error when handling key rings; and a Denial of Service vulnerability was reported in the 'KEYCTL_JOIN_SESSION_KEYRING' operation due to an error when attempting to join a key management session.
SUSE Security Announcement, SUSE-SA:2005:067, December 6, 2005
Multiple Vendors
Turbolinux Server 10.0, 8.0, Desktop 10.0, Turbolinux Home Appliance Server 1.0 Workgroup Edition, Hosting Edition; Trustix Secure Linux 3.0, 2.2, Secure Enterprise Linux 2.0; Sun Solaris 10.0 _x86, 10.0, 9.0 _x86 Update 2, 9.0 _x86, 9.0, Sun SEAM 1.0-1.0.2; SuSE Linux Professional 9.3 x86_64, 9.3, Linux Personal 9.3 x86_64, 9.3; RedHat Fedora Core3 & 4, Advanced Workstation for the Itanium Processor 2.1; MIT Kerberos 5 5.0-1.4.1 & prior; Gentoo Linux
Multiple vulnerabilities have been reported: a remote Denial of Service vulnerability was reported when a malicious user submits a specially crafted TCP connection that causes the Key Distribution Center (KDC) to attempt to free random memory; a buffer overflow vulnerability was reported in KDC due to a boundary error when a specially crafted TCP or UDP request is submitted, which could let a remote malicious user execute arbitrary code; and a vulnerability was reported in 'krb/recvauth.c' which could let a remote malicious user execute arbitrary code.
Ubuntu Security Notice, USN-219-1, November 22, 2005
Mandriva Linux Security Advisories, MDKSA-2005:218 & 219, November 30, 2005
SUSE Security Announcement, SUSE-SA:2005:067, December 6, 2005
Multiple Vendors
Ubuntu Linux 5.04 powerpc, i386, amd64, 4.1 ppc, ia64, ia32;
Linux kernel 2.6.10, rc2, 2.6.8, rc1
A remote Denial of Service vulnerability has been reported in the kernel driver for compressed ISO file systems when attempting to mount a malicious compressed ISO image.
A buffer overflow vulnerability has been reported due to insufficient bounds checking of user-supplied data prior to copying it to an insufficiently sized memory buffer, which could let a remote malicious user execute arbitrary code.
A format string vulnerability has been reported in 'Perl_sv_vcatpvfn' due to a failure to properly handle format specifiers in formatted printing functions, which could let a remote malicious user cause a Denial of Service.
A vulnerability has been reported due to insufficient sanitization of user-supplied data passed through a URI, which could let a remote malicious user execute arbitrary code.
Several vulnerabilities have been reported: a Cross-Site Scripting vulnerability has been reported in 'libraries/auth/cookie.auth.lib.php' due to insufficient sanitization, which could let a remote malicious user execute arbitrary HTML and script code; and a Cross-Site Scripting vulnerability has been reported in 'error.php' due to insufficient sanitization of the 'error' parameter, which could let a remote malicious user execute arbitrary HTML and script code.
Debian Security Advisory, DSA 880-1, November 2, 2005
SUSE Security Summary Report, SUSE-SR:2005:025, November 4, 2005
SUSE Security Announcement, SUSE-SA:2005:066, November 18, 2005
SUSE Security Summary Report, SUSE-SR:2005:028, December 2, 2005
phpMyAdmin
phpMyAdmin 2.7.0-beta1, 2.7
A vulnerability has been reported in the register_globals emulation layer in 'grab_globals.php' because the 'import_blacklist' variable is not properly protected, which could let a remote malicious user execute arbitrary HTML and script code and include arbitrary files.
Several vulnerabilities have been reported: a vulnerability was reported due to insufficient verification of certain configuration parameters, which could let a remote malicious user include arbitrary files; and a Cross-Site Scripting vulnerability was reported in 'left.php,' 'queryframe.php,' and 'server_databases.php' due to insufficient sanitization of unspecified input, which could let a remote malicious user execute arbitrary HTML and script code.
Gentoo Linux Security Advisory, GLSA 200510-21, October 25, 2005
Debian Security Advisory, DSA 880-1, November 2, 2005
SUSE Security Summary Report, SUSE-SR:2005:025, November 4, 2005
SUSE Security Announcement, SUSE-SA:2005:066, November 18, 2005
SUSE Security Summary Report, SUSE-SR:2005:028, December 2, 2005
SAMEDIA
LandShop 0.6.3
SQL injection vulnerabilities have been reported in 'ls.php' due to insufficient sanitization of the 'start,' 'search_order,' 'search_type,' 'search_area,' and 'keyword' parameters before using them in an SQL query, which could let a remote malicious user execute arbitrary SQL code.
No workaround or patch available at time of publishing.
There is no exploit code required; however, Proof of Concept exploit scripts have been published.
A vulnerability has been reported in the Communications Services Delegated Administrator due to an unspecified error, which could let a remote malicious user obtain sensitive information.
SUSE Security Summary Report, Announcement ID: SUSE-SR:2005:024, October 21, 2005
SUSE Security Summary Report, SUSE-SR:2005:028, December 2, 2005
Sylpheed
Sylpheed 2.0-2.0.3, 1.0.0-1.0.5
A buffer overflow vulnerability has been reported in 'ldif.c' due to a boundary error in the 'ldif_get_line()' function when importing a LDIF file into the address book, which could let a remote malicious user obtain unauthorized access.
Fedora Update Notification, FEDORA-2005-1063, November 9, 2005
Gentoo Linux Security Advisory, GLSA 200511-13, November 15, 2005
Debian Security Advisory, DSA 906-1, November 22, 2005
Debian Security Advisory, DSA 908-1, November 23, 2005
SUSE Security Summary Report, SUSE-SR:2005:028, December 2, 2005
The Open Group
Open Motif 2.2.3
Two buffer overflow vulnerabilities have been reported in libUil (User Interface Language): a buffer overflow vulnerability was reported in 'diag_issue_diagnostic()' due to the use of the vsprintf() libc procedure, which could let a remote malicious user execute arbitrary code; and a vulnerability was reported in 'open_source_file()' due to the use of the strcpy() libc procedure, which could let a remote malicious user execute arbitrary code.
No workaround or patch available at time of publishing.
Currently we are not aware of any exploits for these vulnerabilities.
A Cross-Site Scripting vulnerability has been reported in '1search.cgi' due to insufficient sanitization of the 'q' parameter before returning it to the user, which could let a remote malicious user execute arbitrary HTML and script code.
No workaround or patch available at time of publishing.
There is no exploit code required; however, a Proof of Concept exploit has been published.
Security Focus, Bugtraq ID: 15712, December 5, 2005
88Script
Event Calendar 2.0
An SQL injection vulnerability has been reported in 'index.php' due to insufficient sanitization of the 'm' parameter before using it in an SQL query, which could let a remote malicious user execute arbitrary SQL code.
No workaround or patch available at time of publishing.
There is no exploit code required; however, a Proof of Concept exploit has been published.
Security Focus, Bugtraq ID: 15658, November 30, 2005
Alisveristr
E-commerce
SQL injection vulnerabilities have been reported in the commerce login due to insufficient sanitization of user-supplied input before using it in an SQL query, which could let a remote malicious user execute arbitrary SQL code.
No workaround or patch available at time of publishing.
There is no exploit code required; however, a Proof of Concept exploit has been published.
Security Focus, Bugtraq ID: 15699, December 3, 2005
All Time Flash Dreamer
FileLister 0.51
A Cross-Site Scripting vulnerability has been reported in 'definesearch.jsp' due to insufficient sanitization of the 'searchwhat' parameter before returning to the user, which could let a remote malicious user execute arbitrary HTML and script code.
No workaround or patch available at time of publishing.
Security Focus, Bugtraq ID: 15732, December 6, 2005
Atlantis Knowledge Base
Atlantis Knowledge Base 3.0
An SQL injection vulnerability has been reported due to insufficient sanitization of the 'searchStr' parameter when performing a search before using in an SQL query, which could let a remote malicious user execute arbitrary SQL code.
No workaround or patch available at time of publishing.
Security Focus, Bugtraq ID: 15654, November 30, 2005
Atlassian Software Systems
Atlassian Confluence 2.0.1 build 321
A Cross-Site Scripting vulnerability has been reported due to insufficient sanitization of the 'searchQuery' parameter when performing a search before returning to the user, which could let a remote malicious user execute arbitrary HTML and script code.
No workaround or patch available at time of publishing.
Avaya Security Advisory, ASA-2005-231, November 30, 2005
Check Point Software
SecureClient NG with Application Intelligence R56,
SecureClient NG FP1, 4.1, 4.0
A vulnerability has been reported due to a failure to securely implement remote administrator-provided policies, which could let a remote malicious user bypass security policies.
No workaround or patch available at time of publishing.
There is no exploit code required; however, a Proof of Concept exploit has been published.
An HTTP injection vulnerability has been reported in the '/level/14/exec/buffers/assigned/' and '/level/14/exec/buffers/all' scripts, which could let a remote malicious user execute arbitrary HTML and script code.
Security Focus, Bugtraq ID: 15602, November 28, 2005
Cisco Security Advisory, cisco-sa-20051201-http, December 1, 2005
DoceboLMS
DoceboLMS 2.0.4
Several vulnerabilities have been reported: a Directory Traversal vulnerability was reported in the 'connector.php' script due to insufficient validation of the 'Type' parameter, which could let a remote malicious user obtain sensitive information; and an input validation vulnerability was reported in the file upload handling due to insufficient verification of the file extension of valid images, which could let a remote malicious user execute arbitrary PHP code.
No workaround or patch available at time of publishing.
There is no exploit code required; however, a Proof of Concept exploit script has been published.
Security Tracker Alert ID: 1015308, December 5, 2005
Dotclear
Dotclear 1.2.2, 1.2.1
An SQL injection vulnerability has been reported in 'session.php' due to insufficient sanitization of '/inc/session.php' before using in an SQL query, which could let a remote malicious user execute arbitrary SQL code.
Zone-H Research Team Security Advisory, ZRCSA-200504, November 30, 2005
Drupal
Drupal 4.6-4.6.3, 4.5-4.5.5
Multiple vulnerabilities have been reported: an input validation vulnerability was reported when filtering HTML code, which could let a remote malicious user inject arbitrary JavaScript code; an input validation vulnerability was reported due to an error in the attachment handling, which could let a remote malicious user upload a malicious image and inject arbitrary HTTP headers; and a vulnerability was reported in the 'access user profile' permission, which could let a remote malicious user bypass it.
A Cross-Site Scripting vulnerability has been reported in 'password.asp' due to insufficient sanitization of the 'result' parameter before returning to the user, which could let a remote malicious user execute arbitrary HTML and script code.
No workaround or patch available at time of publishing.
There is no exploit code required; however, a Proof of Concept exploit has been published.
DuWare DuPortalPro Cross-Site Scripting
Medium
Security Focus, Bugtraq ID: 15731, December 6, 2005
Several vulnerabilities have been reported: a vulnerability was reported due to the way an unverified user-supplied argument is used to redirect a user after the user has submitted a file download rating, which could let a remote malicious user redirect users to an untrusted (fake) site; and a vulnerability was reported due to the way users are prevented from submitting multiple ratings for a file download, which could let a remote malicious user bypass security restrictions and submit multiple votes.
No workaround or patch available at time of publishing.
There is no exploit code required; however, a Proof of Concept exploit has been published.
e107 Website System Redirection & Voting Manipulation
Multiple vulnerabilities have been reported: a vulnerability was reported in 'titles.php' due to insufficient sanitization of the 'let' parameter before returning to the user, which could let a remote malicious user execute arbitrary HTML and script code; an SQL injection vulnerability was reported due to insufficient sanitization of user-supplied input before using in an SQL query, which could let a remote malicious user execute arbitrary SQL code; a vulnerability was reported in the 'Manage Images' functionality due to an input validation error, which could let a remote malicious user upload valid images with an arbitrary file extension inside the web root; and a vulnerability was reported in 'phpinfo.php' because a remote malicious user can obtain sensitive information.
The vendor has released a fix to resolve these issues.
There is no exploit code required; however, Proof of Concept exploits and an exploit script have been published.
eFiction Input Validation
Medium
Secunia Advisory: SA17777, November 28, 2005
Security Focus, Bugtraq ID: 15568, December 6, 2005
Extreme Corporate
Extreme Search Corporate Edition 6.0
A Cross-Site Scripting vulnerability has been reported in 'extremesearch.php' due to insufficient sanitization of the 'search' before returning to the user, which could let a remote malicious user execute arbitrary HTML and script code.
No workaround or patch available at time of publishing.
There is no exploit code required; however, a Proof of Concept exploit has been published.
Security Focus, Bugtraq ID: 15675, December 1, 2005
FaqRing
FaqRing 3.0
An SQL injection vulnerability has been reported in 'answer.php' due to insufficient sanitization of the 'id' parameter before using in an SQL query, which could let a remote malicious user execute arbitrary SQL code.
No workaround or patch available at time of publishing.
There is no exploit code required; however, a Proof of Concept exploit has been published.
A Directory Traversal vulnerability has been reported due to an input validation error when extracting compressed '.jar' archives, which could let a remote malicious user obtain sensitive information.
No workaround or patch available at time of publishing.
A buffer overflow vulnerability has been reported in the 'avcodec_default_get_buffer()' function of 'utils.c' in libavcodec due to a boundary error, which could let a remote malicious user execute arbitrary code.
SQL injection vulnerabilities have been reported in 'search_result.php' due to insufficient sanitization of the 'haystack' parameter and in 'print_me.php' due to insufficient sanitization of the 'ckey' parameter before using in an SQL query, which could let a remote malicious user execute arbitrary SQL code.
No workaround or patch available at time of publishing.
There is no exploit code required; however, a Proof of Concept exploit has been published.
Security Focus, Bugtraq ID: 15700, December 3, 2005
Hobosworld
HobSR
SQL injection vulnerabilities have been reported in 'view.php' due to insufficient sanitization of the 'arrange' parameter before using in an SQL query, which could let a remote malicious user execute arbitrary SQL code.
No workaround or patch available at time of publishing.
There is no exploit code required; however, a Proof of Concept exploit has been published.
An HTML injection vulnerability has been reported due to insufficient sanitization of user-supplied input before using in dynamically generated content, which could let a remote malicious user execute arbitrary HTML and script code.
No workaround or patch available at time of publishing.
There is no exploit code required; however, a Proof of Concept exploit script has been published.
Security Tracker Alert ID: 1015315, December 6, 2005
Horde Project
Horde 2.2-2.2.8
A Cross-Site Scripting vulnerability has been reported due to insufficient sanitization of unspecified parameters before returning to the user in error messages, which could let a remote malicious user execute arbitrary HTML and script code.
Gentoo Linux Security Advisory, GLSA 200511-20, November 22, 2005
Debian Security Advisory DSA 914-1, December 1, 2005
Inkscape
Inkscape 0.41
A vulnerability has been reported in 'ps2epsi.sh' due to the insecure creation of a temporary file, which could let a malicious user create/overwrite arbitrary files.
Ubuntu Security Notice, USN-223-1, December 05, 2005
Debian Security Advisory, DSA 916-1, December 7, 2005
Instant Photo Gallery
Instant Photo Gallery 1.0
SQL injection vulnerabilities have been reported in 'portfolio.php' due to insufficient sanitization of the 'cat_id' parameter and in 'content.php' due to insufficient sanitization of the 'cid' parameter before using in an SQL query, which could let a remote malicious user execute arbitrary SQL code.
No workaround or patch available at time of publishing.
There is no exploit code required; however, Proof of Concept exploits have been published.
A Cross-Site Scripting vulnerability has been reported in 'search.jsp' due to insufficient sanitization of the 'q' parameter before returning to the user, which could let a remote malicious user execute arbitrary HTML and script code.
No workaround or patch available at time of publishing.
There is no exploit code required; however, a Proof of Concept exploit has been published.
Security Focus, Bugtraq ID: 15687, December 2, 2005
Mambo
Mambo Site Server 4.0.14, 4.0.12 RC1-RC3, BETA & BETA 2, 4.0.10-4.0.12, 4.0
A remote file include vulnerability has been reported due to insufficient sanitization of user-supplied input, which could let a remote malicious user execute arbitrary remote PHP code.
The vendor has released a patch addressing this issue. Users are advised to contact the vendor for more information on obtaining the appropriate patch.
An exploit script has been published.
Reports indicate that a bot is propagating in the wild by exploiting this vulnerability.
A vulnerability has been reported in the user language option due to insufficient verification of user-supplied input before used in an 'eval()' call, which could let a remote malicious user execute arbitrary PHP code.
Warm Links 1.0, Hot Links SQL 3.1, Hot Links Pro 3.0, Amazon Search Directory 1.0
A Cross-Site Scripting vulnerability has been reported in 'search.cgi' due to insufficient sanitization of the 'search' parameter before returning to the user, which could let a remote malicious user execute arbitrary HTML and script code.
No workaround or patch available at time of publishing.
There is no exploit code required.
Mr CGI Guy Multiple Software Search.CGI Cross-Site Scripting
Security Focus, Bugtraq ID: 15708, December 5, 2005
Multiple Vendors
Insyde BIOS V190; AWARD BIOS Modular 4.50 pg
A vulnerability has been reported due to a failure to clear the keyboard buffer after reading the BIOS password during the system startup process, which could let a remote malicious user obtain the BIOS password.
No workaround or patch available at time of publishing.
Currently we are not aware of any exploits for this vulnerability.
Security Focus, Bugtraq ID: 15751, December 6, 2005
Multiple Vendors
Ubuntu Linux 5.10 powerpc, i386, amd64;
Inkscape 0.42, 0.41
A buffer overflow vulnerability has been reported in the SVG importer due to a boundary error, which could let a remote malicious user execute arbitrary code.
Two buffer overflow vulnerabilities have been reported in Telnet: a buffer overflow vulnerability was reported in the 'slc_add_reply()' function when a large number of specially crafted LINEMODE Set Local Character (SLC) commands is submitted, which could let a remote malicious user execute arbitrary code; and a buffer overflow vulnerability was reported in the 'env_opt_add()' function, which could let a remote malicious user execute arbitrary code.
A vulnerability has been reported that affects certain configurations of IPSec when configured to employ Encapsulating Security Payload (ESP) in tunnel mode with only confidentiality and systems that use Authentication Header (AH) for integrity protection, which could let a remote malicious user obtain plaintext IP datagrams and potentially sensitive information.
Hitachi advises affected users to use the AH protocol workaround to mitigate this issue.
Fedora Update Notifications, FEDORA-2005-1061 & 1062, November 8, 2005
RedHat Security Advisory, RHSA-2005:831-15, November 10, 2005
Mandriva Linux Security Advisory, MDKSA-2005:213, November 16, 2005
Fedora Legacy Update Advisory, FLSA:166943, November 28, 2005
SGI Security Advisory, 20051101-01-U, November 29, 2005
OpenPKG Security Advisory, OpenPKG-SA-2005.027, December 3, 2005
Multiple Vendors
University of Kansas Lynx 2.8.6 dev.1-dev.13, 2.8.5 dev.8, 2.8.5 dev.2-dev.5, 2.8.5, 2.8.4 rel.1, 2.8.4, 2.8.3 rel.1, 2.8.3 pre.5, 2.8.3 dev2x, 2.8.3 dev.22, 2.8.3, 2.8.2 rel.1, 2.8.1, 2.8, 2.7;
RedHat Enterprise Linux WS 4, WS 3, 2.1, ES 4, ES 3, ES 2.1, AS 4, AS 3, AS 2.1,
RedHat Desktop 4.0, 3.0,
RedHat Advanced Workstation for the Itanium Processor 2.1 IA64
A buffer overflow vulnerability has been reported in the 'HTrjis()' function when handling NNTP article headers, which could let a remote malicious user execute arbitrary code.
Ubuntu: http://security.ubuntu.com/ubuntu/pool/main/l/lynx/
(Note: Ubuntu advisory USN-206-1 was previously released to address this vulnerability, however, the fixes contained an error that caused lynx to crash.)
Gentoo Linux Security Advisory, GLSA 200510-15, October 17, 2005
Ubuntu Security Notice, USN-206-1, October 17, 2005
RedHat Security Advisory, RHSA-2005:803-4, October 17, 2005
Fedora Update Notifications, FEDORA-2005-993 & 994, October 17, 2005
Mandriva Linux Security Update Advisory, MDKSA-2005:186, October 18, 2005
Conectiva Linux Announcement, CLSA-2005:1037, October 19, 2005
Trustix Secure Linux Security Advisory, TSLSA-2005-0059, October 21, 2005
SGI Security Advisory, 20051003-01-U, October 26, 2005
Mandriva Linux Security Advisory, MDKSA-2005:186-1, October 26, 2005
Debian Security Advisories, DSA 874-1 & 876-1, October 27, 2005
Ubuntu Security Notice, USN-206-2, October 29, 2005
SUSE Security Summary Report, SUSE-SR:2005:025, November 4, 2005
Slackware Security Advisory, SSA:2005-310-03, November 7, 2005
SCO Security Advisory, SCOSA-2005.47, November 8, 2005
OpenPKG Security Advisory, OpenPKG-SA-2005.026, December 3, 2005
MultiTech
MultiVOIP
A buffer overflow vulnerability has been reported in the SIP packet INVITE field when a string is greater than 60 characters, which could let a remote malicious user cause a Denial of Service or execute arbitrary code.
It has been reported that this issue was addressed in version x.08 of the software.
Currently we are not aware of any exploits for this vulnerability.
SecurityLab Technologies, Inc. Advisory, December 5, 2005
MXChange
MXChange 0.2.0-pre3-pre10
Several vulnerabilities have been reported: a Cross-Site Scripting vulnerability was reported due to insufficient sanitization of unspecified input, which could let a remote malicious user execute arbitrary HTML and script code; and an SQL injection vulnerability was reported due to insufficient sanitization of unspecified input before using in an SQL query, which could let a remote malicious user execute arbitrary SQL code.
A buffer overflow vulnerability has been reported due to insufficient bounds checking of data that is supplied as an argument in a user-defined function, which could let a remote malicious user execute arbitrary code.
This issue is reportedly addressed in MySQL versions 4.0.25, 4.1.13, and 5.0.7-beta available at: http://dev.mysql.com/downloads/
Mandriva Linux Security Update Advisory, MDKSA-2005:163, September 12, 2005
Ubuntu Security Notice, USN-180-1, September 12, 2005
Debian Security Advisories, DSA 829-1 & 831-1, September 30, 2005
SUSE Security Summary Report, SUSE-SR:2005:021, September 30, 2005
Debian Security Advisory, DSA 833-1, October 1, 2005
Conectiva Linux Announcement, CLSA-2005:1023, October 6, 2005
Ubuntu Security Notice, USN-180-2, December 05, 2005
NetArt Media
Blog System 1.2 & prior
SQL injection vulnerabilities have been reported in 'index.php' due to insufficient sanitization of the 'cat' parameter and in 'blog.php' due to insufficient sanitization of the 'note' parameter before using in an SQL query, which could let a remote malicious user execute arbitrary SQL code.
No workaround or patch available at time of publishing.
There is no exploit code required; however, a Proof of Concept exploit has been published.
Security Focus, Bugtraq ID: 15719, December 5, 2005
NetArt Media
Cars Portal 1.1
SQL injection vulnerabilities have been reported in 'index.php' due to insufficient sanitization of the 'page' and 'car' parameters before using in an SQL query, which could let a remote malicious user execute arbitrary SQL code.
No workaround or patch available at time of publishing.
There is no exploit code required; however, a Proof of Concept exploit script has been published.
A vulnerability has been reported in the 'evl_data' private directory due to insufficient access controls, which could let a remote malicious user obtain sensitive information.
An SQL injection vulnerability has been reported in 'nikki.php' due to insufficient sanitization of the 'day_id' parameter before using in an SQL query, which could let a remote malicious user execute arbitrary SQL code.
No workaround or patch available at time of publishing.
There is no exploit code required; however, a Proof of Concept exploit has been published.
Multiple vulnerabilities have been reported: a vulnerability was reported due to insufficient protection of the 'GLOBALS' array, which could let a remote malicious user define global variables; a vulnerability was reported in the 'parse_str()' PHP function when handling an unexpected termination, which could let a remote malicious user enable the 'register_globals' directive; a Cross-Site Scripting vulnerability was reported in the 'phpinfo()' PHP function due to insufficient sanitization of user-supplied input, which could let a remote malicious user execute arbitrary HTML and script code; and an integer overflow vulnerability was reported in 'pcrelib' due to an error, which could let a remote malicious user corrupt memory.
SUSE Security Summary Report, SUSE-SR:2005:025, November 4, 2005
Turbolinux Security Advisory TLSA-2005-97, November 5, 2005
Fedora Update Notifications, FEDORA-2005-1061 & 1062, November 8, 2005
RedHat Security Advisories, RHSA-2005:838-3 & RHSA-2005:831-15, November 10, 2005
Gentoo Linux Security Advisory, GLSA 200511-08, November 13, 2005
Mandriva Linux Security Advisory, MDKSA-2005:213, November 16, 2005
SUSE Security Summary Report, SUSE-SR:2005:027, November 18, 2005
Trustix Secure Linux Security Advisory, TSLSA-2005-0062, November 22, 2005
SGI Security Advisory, 20051101-01-U, November 29, 2005
OpenPKG Security Advisory, OpenPKG-SA-2005.027, December 3, 2005
PHP-Fusion
PHP-Fusion 6.0.109
An SQL injection vulnerability has been reported in 'messages.php' due to insufficient sanitization of the 'srch_text' parameter before using in an SQL query, which could let a remote malicious user execute arbitrary SQL code.
No workaround or patch available at time of publishing.
There is no exploit code required; however, a Proof of Concept exploit has been published.
An HTTP response splitting vulnerability has been reported in 'Header_HTTP_Inc.php' due to insufficient sanitization of user-supplied input, which could lead to a false sense of trust.
SUSE Security Summary Report, SUSE-SR:2005:028, December 2, 2005
phpMyChat
phpMyChat 0.14.6
Cross-Site Scripting vulnerabilities have been reported due to insufficient sanitization of user-supplied input, which could let a remote malicious user execute arbitrary HTML and script code.
No workaround or patch available at time of publishing.
There is no exploit code required; however, a Proof of Concept exploit has been published.
Security Focus, Bugtraq ID: 15679, December 2, 2005
PHPX
PHPX 3.5-3.5.9
An SQL injection vulnerability has been reported when logging into the administration section due to insufficient sanitization of the 'username' field before using in an SQL query, which could let a remote malicious user execute arbitrary SQL code.
No workaround or patch available at time of publishing.
There is no exploit code required; however, a Proof of Concept exploit script has been published.
Security Tracker Alert ID: 1015300, December 1, 2005
Pineapple Technologies
Lore 1.5.4
An SQL injection vulnerability has been reported in 'article.php' due to insufficient sanitization of the 'id' parameter before using in an SQL query, which could let a remote malicious user execute arbitrary SQL code.
No workaround or patch available at time of publishing.
There is no exploit code required; however, a Proof of Concept exploit has been published.
Several vulnerabilities have been reported: an SQL injection vulnerability was reported in 'search.php' due to insufficient sanitization of the 'firstname,' 'lastname,' and 'location' parameters before using in an SQL query, which could let a remote malicious user execute arbitrary SQL code; and a Cross-Site Scripting vulnerability was reported in 'search.php' due to insufficient sanitization of the 'firstname,' 'lastname,' and 'location' parameters before returning to the user, which could let a remote malicious user execute arbitrary HTML and script code.
No workaround or patch available at time of publishing.
An SQL injection vulnerability was reported in 'index.php' due to insufficient sanitization of the 'categoryid,' 'entryid,' 'year,' 'month,' and 'day' parameters before using in an SQL query, which could let a remote malicious user execute arbitrary SQL code.
No workaround or patch available at time of publishing.
A Cross-Site Scripting vulnerability has been reported in the search feature due to insufficient sanitization of the 'REQ' parameter before returning to the user, which could let a remote malicious user execute arbitrary HTML and script code.
No workaround or patch available at time of publishing.
An SQL injection vulnerability has been reported in the 'HTTP_USER_AGENT' header due to insufficient sanitization before using in an SQL query, which could let a remote malicious user execute arbitrary SQL code.
An unspecified code execution vulnerability has been reported which could let a remote malicious user execute arbitrary code.
No workaround or patch available at time of publishing.
Currently we are not aware of any exploits for this vulnerability.
Real Networks RealPlayer Unspecified Remote Code Execution
High
eEye Digital Security, EEYEB-20051130, November 30, 2005
Relative Real Estate Systems
Relative Real Estate Systems 1.2
An SQL injection vulnerability has been reported in 'index.php' due to insufficient sanitization of the 'mls' parameter before using in an SQL query, which could let a remote malicious user execute arbitrary SQL code.
No workaround or patch available at time of publishing.
There is no exploit code required; however, a Proof of Concept exploit has been published.
Security Focus, Bugtraq ID: 15714, December 5, 2005
Sapid CMS
Sapid CMS 1.2.3 RC2, 1.2.3
A vulnerability has been reported in the 'usr/system/insert_file.php,' 'usr/system/insert_image.php,' 'usr/system/insert_link.php,' 'usr/system/insert_qcfile.php,' and 'usr/system/edit.php' scripts due to insufficient access controls, which could let an unauthenticated remote malicious user upload files or images to a vulnerable system.
NetClassifieds Standard Edition 1.9.6.3, Professional Edition 1.5.1, Premium Edition 1.0.1, Free Edition 1.0.1
An SQL injection vulnerability has been reported in 'ViewCat.php' and 'gallery.php' due to insufficient sanitization of the 'CatID' parameter and in 'ViewItem.php' due to insufficient sanitization of the 'ItemNum' parameter before using in an SQL query, which could let a remote malicious user execute arbitrary SQL code.
No workaround or patch available at time of publishing.
There is no exploit code required; however, a Proof of Concept exploit has been published.
A format string vulnerability has been reported in 'Dosyslog' due to insufficient sanitization of user-supplied input, which could let a remote malicious user cause a Denial of Service or execute arbitrary code.
DMA Security Advisory, DMA2005-1202a, December 2, 2005
Sony
SunnComm MediaMax 5.0.21.0
A vulnerability has been reported due to insecure default directory ACLs set on the 'SunnComm Shared' directory, which could let a malicious user obtain elevated privileges.
An SQL injection vulnerability has been reported in 'index.php' due to insufficient sanitization of the 'poll,' 'category,' and 'ctg' parameters before using in an SQL query, which could let a remote malicious user execute arbitrary SQL code.
Security Focus, Bugtraq ID: 15582, December 1, 2005
SugarCRM
Sugar Suite 4.0 beta, 3.5
A local and remote file include vulnerability has been reported in 'acceptDecline.php,' which could let a remote malicious user obtain unauthorized access.
No workaround or patch available at time of publishing.
A Proof of Concept exploit script has been published.
Several vulnerabilities have been reported: a vulnerability was reported due to an unspecified error, which could let a malicious untrusted applet read/write local files or execute local applications; three unspecified vulnerabilities were reported in the use of the 'reflection' APIs, which could let a malicious untrusted applet read/write local files or execute local applications; and a vulnerability was reported in the Java Management Extensions (JMX) implementation, which could let a malicious untrusted applet read/write local files or execute local applications.
Sun ONE Application Server 7.0 UR2 Upgrade Standard, 7.0 UR2 Standard Edition, 7.0 UR1 Standard Edition, ONE Application Server 7.0 Standard Edition, Java System Application Server Enterprise Edition 8.1 2005Q1 RHEL2.1/RHEL3, 8.1 2005 Q1, Java System Application Server 7.0 2004Q2 R2 Standard, 7.0 2004Q2 R2 Enterprise, 7.0 2004Q2 R1 Standard, 7.0 2004Q2 R1 Enterprise, 7.0 Standard Edition, 7.0 Enterprise Edition, 7.0 2004Q2
A man-in-the-middle vulnerability has been reported when the reverse SSL proxy plug-in is used with a supported Web server.
Sun(sm) Alert Notification
Sun Alert ID: 102012, December 5, 2005
Tradesoft
Content Management System
SQL injection vulnerabilities have been reported due to insufficient sanitization of user-supplied input before using in an SQL query, which could let a remote malicious user execute arbitrary SQL code.
No workaround or patch available at time of publishing.
Security Focus, Bugtraq ID: 15661, December 1, 2005
W2B
phpForumPro 2.2
SQL injection vulnerabilities have been reported in 'index.php' due to insufficient sanitization of the 'parent' and 'day' parameters before using in an SQL query, which could let a remote malicious user execute arbitrary SQL code.
No workaround or patch available at time of publishing.
Security Focus, Bugtraq ID: 15736, December 6, 2005
W3C
Libwww 5.4
Multiple unspecified vulnerabilities have been reported including a buffer overflow and vulnerabilities related to the handling of multipart/byteranges content. The impact was not specified.
Fedora Update Notifications, FEDORA-2005-952 & 953, October 7, 2005
Mandriva Linux Security Advisory, MDKSA-2005:210, November 10, 2005
Ubuntu Security Notice, USN-220-1, December 01, 2005
WebCalendar
WebCalendar 1.0.1
An HTTP response splitting vulnerability has been reported in 'Layers_Toggle.php' due to insufficient sanitization, which could let a remote malicious user influence or misrepresent how Web content is served, cached or interpreted.
An SQL injection vulnerability has been reported in 'functions.php' due to insufficient sanitization of user-supplied input before using in an SQL query, which could let a remote malicious user execute arbitrary SQL code.
No workaround or patch available at time of publishing.
There is no exploit code required; however, a Proof of Concept exploit has been published.
Security Focus, Bugtraq ID: 15717, December 5, 2005
Web4Future Inc.
Web4Future eDating Professional 5.0 & prior
SQL injection vulnerabilities have been reported in 'index.php' due to insufficient sanitization of the 's,' 'pg,' and 'sortb' parameters; in 'gift.php' due to insufficient sanitization of the 'cid' parameter; and in 'articles.php' due to insufficient sanitization of the 'fq.php,' and 'cat' parameters before using in an SQL query, which could let a remote malicious user execute arbitrary SQL code.
No workaround or patch available at time of publishing.
Several vulnerabilities have been reported: an SQL injection vulnerability was reported in 'comentarii.php' due to insufficient sanitization of the 'idp' parameter before using in an SQL query, which could let a remote malicious user execute arbitrary SQL code; and a vulnerability was reported in 'arhiva.php' due to insufficient verification of the 'dir' parameter before it is used to list files and directories, which could let a remote malicious user obtain sensitive information.
No workaround or patch available at time of publishing.
There is no exploit code required.
Web4Future Portal Solutions Information Disclosure & SQL Injection
Several vulnerabilities have been reported: SQL injection vulnerabilities were reported due to insufficient sanitization of 'export_handler.php,' 'activity_log.php,' 'admin_handler.php,' and 'edit_template.php' before using in an SQL query, which could let a remote malicious user execute arbitrary SQL code; and a vulnerability was reported in 'export_handler.php' due to insufficient verification of the 'id' and 'format' parameters before used to save data files, which could let a remote malicious user overwrite saved data files.
No workaround or patch available at time of publishing.
Security Focus, Bugtraq ID: 15606, December 1, 2005
Widget Press
Widget Property 1.1.19
SQL injection vulnerabilities have been reported in 'property.php' due to insufficient sanitization of the 'property_id,' 'zip_code,' 'property_type_id,' 'price,' and 'city_id' parameters before using in an SQL query, which could let a remote malicious user execute arbitrary SQL code.
No workaround or patch available at time of publishing.
There is no exploit code required; however, Proof of Concept exploits have been published.
Security Focus, Bugtraq ID: 15701, December 5, 2005
WinEgg DropShell
WinEgg DropShell 1.7 (Remote Access Trojan)
Multiple remote buffer overflow vulnerabilities have been reported: a buffer overflow vulnerability was reported that affects the HTTP server when a GET request is provided that contains excessive data, which could let a remote malicious user execute arbitrary code; and two buffer overflow vulnerabilities were reported that affect the FTP server when FTP commands are provided that contain excessively long arguments, which could let a remote malicious user execute arbitrary code.
No workaround or patch available at time of publishing.
A Proof of Concept exploit script has been published.
Security Focus, Bugtraq ID: 15682, December 2, 2005
WSN Knowledge Base
WSN Knowledge Base 1.2.0
SQL injection vulnerabilities have been reported in 'index.php' due to insufficient sanitization of the 'catid,' 'perpage,' 'ascdesc,' and 'orderlinks' parameters, and in 'comments.php' due to insufficient sanitization of the 'id' parameter, before they are used in an SQL query, which could let a remote malicious user execute arbitrary SQL code.
No workaround or patch available at time of publishing.
There is no exploit code required; however, Proof of Concept exploits have been published.
Security Focus, Bugtraq ID: 15656, November 30, 2005
Xaraya
Xaraya 1.0 RC1-RC4
A Directory Traversal vulnerability has been reported in the 'index.php' script 'module' parameter, which could let a remote malicious user obtain sensitive information.
Security Focus, Bugtraq ID: 15623, November 29, 2005
Security Focus, Bugtraq ID: 15623, December 1, 2005
Zen Cart Team
Zen Shopping Cart 1.2.6d
An SQL injection vulnerability has been reported in 'admin/password_forgotten.php' due to insufficient sanitization of the 'admin_email' parameter before it is used in an SQL query, which could let a remote malicious user execute arbitrary SQL code.
The section below contains wireless vulnerabilities, articles, and viruses/trojans identified during this reporting period.
Mobile Anti-Virus: Now or Later? Experts point to gathering clouds of viruses and Trojans but the fact is that security architects, particularly those in the United States, have little to fear for now.
Employees are introducing smartphones and PDAs into the corporate network at the same time the number of smartphone Trojans and viruses is rising. Malware writers are experimenting with new propagation methods and more malicious payloads. Source: http://www.mobilepipeline.com/174403206;jsessionid=5VLIYULCKOEGYQSNDBOCKH0CJUMEKJVN.
Bluetooth roadmap updated but UWB wars could scupper it: The Bluetooth Special Interest Group, which controls the development of the short range wireless standard, will publish an updated roadmap that defines plans up to the third quarter of 2007 shortly. The focus will be on interoperability with UltraWideBand (UWB). Source: http://www.theregister.com/2005/12/06/bluetooth_roadmap/.
Wireless Hackers 101: Attacks on wireless LANs (WLANs) and wireless-enabled laptops are a quick and easy way for hackers to steal data and enter the corporate network. IT departments must have a pre-emptive plan of action to prevent these malicious and illegal attacks, which compromise an organization’s data privacy and can wreak havoc on network infrastructure. Source: http://www.esecurityplanet.com/prevention/article.php/3568071.
The table below contains a sample of exploit scripts and "how to" guides identified during this period. The "Workaround or Patch Available" column indicates if vendors, security vulnerability listservs, or Computer Emergency Response Teams (CERTs) have published workarounds or patches.
Note: At times, scripts/techniques may contain names or content that may be considered offensive.
Date of Script
(Reverse Chronological Order)
Script name
Workaround or Patch Available
Script Description
December 7, 2005
appfluent_db_ids_exp.c
No
Exploit for the Appfluent Technology Database Buffer Overflow vulnerability.
December 7, 2005
BluePIMped.txt
N/A
A write up on the exploitation of the Widcomm BTStackServer used for Bluetooth connectivity.
December 7, 2005
john-1.6.39w-mmx.zip
N/A
A fast password cracker, currently available for many flavors of Unix (11 are officially supported, not counting different architectures), DOS, Win32, and BeOS. Its primary purpose is to detect weak Unix passwords, but a number of other hash types are supported as well.
December 7, 2005
sobexsrv.pl.txt
No
Exploit for the Sobexsrv Dosyslog Remote Format String vulnerability.
December 7, 2005
SugarSuite_poc
No
Proof of Concept exploit for the SugarCRM Sugar Suite Remote and Local File Include vulnerability.
December 6, 2005
docebo_204_xpl.php
No
Proof of Concept exploit for the DoceboLMS Arbitrary File Upload Vulnerability.
December 6, 2005
horde-imp_html-inj-poc.pl
No
Proof of Concept exploit for the Horde IMP Email Attachments HTML Injection Vulnerability.
December 3, 2005
iwar-0.06.tar.gz
N/A
A war dialer written for Unix type (Linux/OpenBSD/etc) operating systems.
December 3, 2005
iwar-0.06-DOS.zip
N/A
A war dialer written for Unix type (Linux/OpenBSD/etc) operating systems.
December 3, 2005
pbnj-1.10.tar.bz2
N/A
A network tool that can be used to give an overview of a machine or multiple machines and includes the details about the services running on them.
December 3, 2005
perl-format-string.txt
N/A
Whitepaper that discusses the attack and impact details of recent discussions surrounding format string exploitation in perl.
December 3, 2005
StackBasedOverflows-Windows-Part3.pdf
N/A
Writing Stack Based Overflows on Windows - Part III: Walking through a stack based overflow and writing an exploit for a local overflow.
December 3, 2005
StackBasedOverflows-Windows-Part4.pdf
N/A
Writing Stack Based Overflows on Windows - Part IV: Shellcode creation and exploiting an application remotely.
December 3, 2005
StackOverflow-Examples.txt
N/A
Source code for all the examples used in tutorials 1 through 4 of 'Writing Stack Based Overflows On Windows'.
December 2, 2005
n13SQL.php.txt
No
Exploit for the N-13 News SQL Injection vulnerability.
December 2, 2005
phpX_359_xpl.php
phpx_359_xpl.txt
No
Proof of Concept exploit for the PHPX SQL Injection vulnerability.
December 2, 2005
webCalSQL.txt
No
Exploit details for the WebCalendar SQL Injection vulnerability.
December 2, 2005
WinEggDropShell_bof.py
AD20051202.txt
No
Proof of Concept exploit for the WinEggDropShell Multiple Remote Buffer Overflow vulnerabilities.
December 2, 2005
xarayaDOS.txt
No
Exploit details for the Xaraya Directory Traversal vulnerability.
December 2, 2005
zencart_126d_xpl.php
zencart_126d_xpl.html
No
Proof of Concept exploit for the Zen Cart SQL Injection vulnerability.
December 1, 2005
55k7-msdtc.c
msdtc.cpp
Yes
Proof of Concept exploit for the Windows MSDTC and COM+ Privilege Elevation, Arbitrary Code Execution, or Denial of Service vulnerability.
December 1, 2005
gdsexploit.html
No
Proof of Concept exploit for the Microsoft Internet Explorer CSS Import Cross-Domain Restriction Bypass Vulnerability.
December 1, 2005
guppy459_xpl.txt
No
Script that exploits the GuppY Remote File Include & Command Execution vulnerabilities.
December 1, 2005
ieDoS.pm.txt
Yes
Exploit for the Windows MSDTC and COM+ Privilege Elevation, Arbitrary Code Execution, or Denial of Service vulnerability.
December 1, 2005
phgrafx.txt
No
Script that exploits the QNX Phgrafx Buffer Overflow vulnerability.
December 1, 2005
win_dos.c
winCreateExp.txt
No
Exploit for the Microsoft Windows CreateRemoteThread Local Denial of Service vulnerability.
Automatic Update Functionality in Sober.X Worm: US-CERT is aware of functionality that could allow the mass-mailing worm known as "W32/Sober.X" to automatically update itself. W32/Sober.X is a bi-lingual (English and German) mass-mailing worm that utilizes its own SMTP engine to propagate. Source: http://www.us-cert.gov/current/.
Perl programs providing user-controlled I/O format strings may contain format string vulnerabilities: Programs written in Perl may contain many of the same types of format string vulnerabilities that programs written in C can contain. Source: US-CERT VU#946969.
Exploit for Vulnerability in Microsoft Internet Explorer window() object: US-CERT is aware of a vulnerability in the way Microsoft Internet Explorer handles requests to the window() object. Source: http://www.us-cert.gov/current/
Reports of IRS Phishing Emails: US-CERT has received reports of a phishing email scam that attempts to convince the user that it is from the Internal Revenue Service (IRS) by using a spoofed "From" address of "tax-refunds@irs.gov". Source: http://www.us-cert.gov/current/.
Trojans target unpatched IE flaw: Several Trojan horses that exploit an unpatched flaw in Internet Explorer have been discovered. According to Sophos, two exploits, Clunky-B and Delf-LT, could allow malicious code to be executed remotely on a user's PC. These Trojans could "download anything, including a 'banker Trojan' that gives up your bank details." Source: http://news.zdnet.co.uk/0,39020330,39240189,00.htm.
November breaks all malware records: According to the antivirus firm Sophos, November was the worst month for malware since records began in the mid-1980s. Sophos detected 1,940 new pieces of malware in the past month and has seen a 48 per cent increase in threats over the year. Source: http://www.vnunet.com/vnunet/news/2147200/november-biggest-ever-malware.
Holiday spam could reach one billion emails: According to email security vendor MailFrontier, the number of spam and phishing messages could top 1 billion this Christmas. Last year 750 million emails were sent over the Christmas period, with both bogus sales offers and phishing attacks. Source: http://www.vnunet.com/vnunet/news/2147012/holiday-spam-reach-billion.
IT spending overtaken by compliance issues: According to Gartner, money spent on IT to ensure compliance with regulations will outweigh money spent on new technologies. The research, which assessed trends that will impact people, business and the IT industry, found that this pattern will continue through until 2010, with regulatory compliance IT spending growing at twice the rate of general IT spending. Source: http://www.vnunet.com/crn/news/2147155/spending-overtaken-compliance.
Cyber criminals gather on forgotten Web sites: According to security experts, cyber criminals selling programs to hack into computers and stolen bank account numbers are moving to abandoned Web sites where their activities are harder to track. Dormant Web sites no longer monitored by administrators have in effect created hundreds of online bazaars for criminals. Source: http://www.msnbc.msn.com/id/10284366/from/RSS/.
A list of high threat viruses, as reported to various anti-virus vendors and virus incident reporting organizations, has been ranked and categorized in the table below. For the purposes of collecting and collating data, infections involving multiple systems at a single location are considered a single infection. It is therefore possible that a virus has infected hundreds of machines but has only been counted once. With the number of viruses that appear each month, it is possible that a new virus will become widely distributed before the next edition of this publication. To limit the possibility of infection, readers are reminded to update their anti-virus packages as soon as updates become available. The table lists the viruses by ranking (number of sites affected), common virus name, type of virus code (i.e., boot, file, macro, multi-partite, script), trends (based on number of infections reported since last week), and approximate date first found.
Rank
Common Name
Type of Code
Trend
Date
Description
1
Netsky-P
Win32 Worm
Stable
March 2004
A mass-mailing worm that uses its own SMTP engine to send itself to the email addresses it finds when scanning the hard drives and mapped drives. The worm also tries to spread through various file-sharing programs by copying itself into various shared folders.
2
Netsky-D
Win32 Worm
Slight Increase
March 2004
A simplified variant of the Netsky mass-mailing worm in that it does not contain many of the text strings that were present in NetSky.C and it does not copy itself to shared folders. Netsky.D spreads itself in e-mails as an executable attachment only.
3
Sober-Z
Win32 Worm
New
December 2005
A mass-mailing worm that harvests addresses from infected machines, forges the sender's email address, and utilizes its own mail engine.
4
Mytob-GH
Win32 Worm
Stable
November 2005
A variant of the mass-mailing worm that disables security-related programs and allows others to access the infected system. This version sends itself to email addresses harvested from the system, forging the sender's address.
5
Mytob.C
Win32 Worm
Increase
March 2004
A mass-mailing worm with IRC backdoor functionality which can also infect computers vulnerable to the Windows LSASS (MS04-011) exploit. The worm will attempt to harvest email addresses from the local hard disk by scanning files.
6
Mytob-BE
Win32 Worm
Decrease
June 2005
A slight variant of the mass-mailing worm that utilizes an IRC backdoor, the LSASS vulnerability, and email to propagate. It harvests addresses from the Windows address book, disables antivirus software, and modifies data.
7
Zafi-D
Win32 Worm
Slight Increase
December 2004
A mass-mailing worm that sends itself to email addresses gathered from the infected computer. The worm may also attempt to lower security settings, terminate processes, and open a back door on the compromised computer.
8
Lovgate.w
Win32 Worm
Slight Decrease
April 2004
A mass-mailing worm that propagates by using MAPI to reply to messages, by using an internal SMTP engine, by dropping copies of itself on network shares, and through peer-to-peer networks. It attempts to access all machines in the local area network.
9
Mytob-GH
Win32 Worm
New
December 2005
This email worm turns off anti-virus software and opens infected systems to remote connections. It further harvests email addresses from infected machines and forges the sender's address.
10
Zafi-B
Win32 Worm
Slight Decrease
June 2004
A mass-mailing worm that spreads via e-mail using several different languages, including English, Hungarian and Russian. When executed, the worm makes two copies of itself in the %System% directory with randomly generated file names.