Summary of Security Items from January 1 to January 4, 2006
Information in the US-CERT Cyber Security Bulletin is a compilation and includes information published by outside sources; therefore, the information should not be considered the result of US-CERT analysis. Software vulnerabilities are categorized in the appropriate section reflecting the operating system on which the vulnerability was reported; however, this does not mean that the vulnerability only affects the operating system reported, since this information is obtained from open-source information.
This bulletin provides a summary of new or updated vulnerabilities, exploits, trends, viruses, and trojans. Updates to vulnerabilities that appeared in previous bulletins are listed in bold text. The text in the Risk column appears in red for vulnerabilities ranking High. The risk levels applied to vulnerabilities in the Cyber Security Bulletin are based on how the "system" may be impacted. The Recent Exploit/Technique table contains a "Workaround or Patch Available" column that indicates whether a workaround or patch has been published for the vulnerability which the script exploits.
The table below summarizes vulnerabilities that have been identified, even if they are not being exploited. Complete details about patches or workarounds are available from the source of the information or from the URL provided in the section. CVE numbers are listed where applicable. Vulnerabilities that affect both Windows and Unix Operating Systems are included in the Multiple Operating Systems section.
Note: All the information included in the following tables has been discussed in newsgroups and on web sites.
The Risk levels defined below are based on how the system may be impacted:
Note: Even though a vulnerability may allow several malicious acts to be performed, only the highest level risk will be defined in the Risk column.
High - A high-risk vulnerability is defined as one that will allow an intruder to immediately gain privileged access (e.g., sysadmin or root) to the system or allow an intruder to execute code or alter arbitrary system files. An example of a high-risk vulnerability is one that allows an unauthorized user to send a sequence of instructions to a machine and the machine responds with a command prompt with administrator privileges.
Medium - A medium-risk vulnerability is defined as one that will allow an intruder immediate access to a system with less than privileged access. Such a vulnerability will allow the intruder the opportunity to continue the attempt to gain privileged access. An example of a medium-risk vulnerability is a server configuration error that allows an intruder to capture the password file.
Low - A low-risk vulnerability is defined as one that will provide information to an intruder that could lead to further compromise attempts or a Denial of Service (DoS) attack. It should be noted that while the DoS attack is deemed low from a threat potential, the frequency of this type of attack is very high. DoS attacks against mission-critical nodes are not included in this rating and any attack of this nature should instead be considered to be a "High" threat.
Multiple vulnerabilities have been reported in VisNetic Mail Server that could let remote malicious users disclose information, execute arbitrary code, or obtain arbitrary file permissions.
Security Tracker, Alert ID: 1015399, December 22, 2005
GraphOn GoGlobal for Windows prior to 3.1.0.3270
A buffer overflow vulnerability has been reported in GraphOn GoGlobal for Windows that could let a remote malicious user execute arbitrary code or cause a Denial of Service.
A vendor solution is available; contact the vendor for details.
A Proof of Concept exploit has been published.
GraphOn GO-Global For Windows Denial of Service or Arbitrary Code Execution
High
Security Focus, ID: 15285, November 2, 2005
Security Focus, ID: 15285, November 21, 2005
Iatek LLC
PortalApp, SiteEnable 3.3 and prior
A vulnerability has been reported in SiteEnable and PortalApp that could let remote malicious users conduct Cross-Site Scripting.
No workaround or patch available at time of publishing.
There is no exploit code required; however, a Proof of Concept exploit has been published.
Iatek SiteEnable and PortalApp Cross Site Scripting
A buffer overflow vulnerability has been reported in Golden FTP Server that could let remote malicious users cause a Denial of Service or execute arbitrary code.
No workaround or patch available at time of publishing.
Currently we are not aware of any exploits for this vulnerability.
Golden FTP Server Denial of Service or Arbitrary Code Execution
A vulnerability has been reported in multiple products, Common Management Agent 3.X in NaPrdMgr.exe, that could let local malicious users obtain elevated privileges.
Security Tracker, Alert ID: 1015404, December 23, 2005
Microsoft
This security advisory was published to notify users that systems which are infected with Sober.Z may download and run malicious files beginning on January 6, 2006.
Multiple vulnerabilities have been reported in eFileGo that could let remote malicious users disclose information, cause a Denial of Service, or execute arbitrary commands.
No workaround or patch available at time of publishing.
A Proof of Concept exploit has been published.
eFileGo Multiple Vulnerabilities
High
Secunia Advisory: SA18279, January 2, 2006
Spb Software House
Spb Kiosk Engine 1.0.0.1
A vulnerability has been reported in Spb Kiosk Engine that could let local malicious users disclose information, including the administrative password.
No workaround or patch available at time of publishing.
Currently we are not aware of any exploits for this vulnerability.
Several vulnerabilities have been reported: a Cross-Site Scripting vulnerability was reported due to insufficient sanitization of the 'page' parameter before returning to the user, which could let a remote malicious user execute arbitrary HTML and script code; and a path disclosure vulnerability was reported due to insufficient verification of the 'mode' parameter, which could let a remote malicious user obtain sensitive information.
No workaround or patch available at time of publishing.
A vulnerability has been reported due to the insecure creation of temporary files by 'register-p.sh' and 'register-q.sh,' which could let a malicious user overwrite arbitrary files.
Debian Security Advisory, DSA 928-1, December 27, 2005
Dropbear SSH Server
Dropbear SSH Server prior to 0.47
A buffer overflow vulnerability has been reported in 'svr_chansession.c' due to a buffer allocation error, which could let a remote malicious user execute arbitrary code.
Gentoo Linux Security Advisory, GLSA 200601-01, January 3, 2006
GNU
cpio 1.0-1.3, 2.4.2, 2.5, 2.5.90, 2.6
A vulnerability has been reported when an archive is extracted into a world or group writeable directory because non-atomic procedures are used, which could let a malicious user modify file permissions.
Trustix Secure Linux Security Advisory, TSLSA-2005-0030, June 24, 2005
Mandriva Linux Security Update Advisory, MDKSA-2005:116, July 12, 2005
RedHat Security Advisory, RHSA-2005:378-17, July 21, 2005
SGI Security Advisory, 20050802-01-U, August 15, 2005
SCO Security Advisory, SCOSA-2005.32, August 18, 2005
Avaya Security Advisory, ASA-2005-191, September 6, 2005
Conectiva Linux Announcement, CLSA-2005:1002, September 13, 2005
Ubuntu Security Notice, USN-189-1, September 29, 2005
Debian Security Advisory, DSA 846-1, October 7, 2005
RedHat Security Advisory, RHSA-2005:806-8, November 10, 2005
SCO Security Advisory, SCOSA-2006.2, January 3, 2006
GNU
cpio 2.6
A Directory Traversal vulnerability has been reported when invoking cpio on a malicious archive, which could let a remote malicious user obtain sensitive information.
Mandriva Linux Security Advisory MDKSA-2005:237, December 23, 2005
Ubuntu Security Notice, USN-234-1, January 02, 2006
IBM
AIX 5.3 L, 5.3
A file disclosure vulnerability has been reported in 'getShell' and 'getCommand' which could let a malicious user obtain sensitive information.
No workaround or patch available at time of publishing.
A Proof of Concept exploit has been published.
IBM AIX GetShell & GetCommand File Disclosure
Medium
XFOCUS Security Team Advisory, xfocus-SD-060101, January 1, 2006
IBM
AIX 5.3 L, 5.3
A vulnerability has been reported in 'getShell' and 'getCommand' which could let a malicious user enumerate the existence of files on the computer that they wouldn't ordinarily be able to see.
No workaround or patch available at time of publishing.
A Proof of Concept exploit has been published.
IBM AIX GetShell & GetCommand File Enumeration
Medium
XFOCUS Security Team Advisory, xfocus-SD-060101, January 1, 2006
ImageMagick
ImageMagick 6.2.4.5
A vulnerability has been reported in the delegate code that is used by various ImageMagick utilities when handling an image filename due to an error, which could let a remote malicious user execute arbitrary commands.
No workaround or patch available at time of publishing.
A buffer overflow vulnerability has been reported in 'support.c' when formatting error messages for display, which could let a malicious user execute arbitrary code with group 'games' privileges.
A buffer overflow vulnerability has been reported in the 'TIFFOpen()' function when opening malformed TIFF files, which could let a remote malicious user execute arbitrary code.
A vulnerability has been reported due to the insecure creation of the 'tmpsyncshadow' temporary file, which could let a malicious user obtain elevated privileges.
A remote Denial of Service vulnerability exists in the 'q_usedns' array due to insufficient validation of the length of user-supplied input prior to copying it into static process buffers. This could possibly lead to the execution of arbitrary code.
US-CERT Vulnerability Note, VU#327633, January 25, 2005
Astaro Security Linux Announcement, February 17, 2005
SCO Security Advisory, SCOSA-2006.1, January 3, 2006
Multiple Vendors
Linux kernel 2.6-2.6.14
Multiple vulnerabilities have been reported: a Denial of Service vulnerability was reported in 'mm/mempolicy.c' when handling the policy system call; a remote Denial of Service vulnerability was reported in 'net/ipv4/fib_frontend.c' when validating the header and payload of fib_lookup netlink messages; an off-by-one buffer overflow vulnerability was reported in 'kernel/sysctl.c,' which could let a malicious user cause a Denial of Service and potentially execute arbitrary code; and a buffer overflow vulnerability was reported in the DVB (Digital Video Broadcasting) driver subsystem, which could let a malicious user cause a Denial of Service or potentially execute arbitrary code.
A buffer overflow vulnerability has been reported when handling the HOME environment variable due to a boundary error, which could let a malicious user execute arbitrary code with root privileges.
A buffer overflow vulnerability has been reported in the 'nbd-server' when handling specially crafted requests, which could let a remote malicious user execute arbitrary code.
Security Focus, Bugtraq ID: 16029, December 21, 2005
Debian Security Advisory, DSA 924-1, December 21, 2005
Gentoo Linux Security Advisory, GLSA 200512-14, December 23, 2006
Multiple Vendors
RedHat Fedora Core4, Core3;
Eric Raymond Fetchmail 6.3.0, 6.2.5.4, 6.2.5.2, 6.2.5.1, 6.2.5
A remote Denial of Service vulnerability has been reported when Fetchmail is configured in 'multidrop' mode due to a failure to handle unexpected input.
Security Focus, Bugtraq ID: 15177, October 24, 2005
Gentoo Linux Security Advisory, GLSA 200511-08, November 14, 2005
Mandriva Linux Security Advisory, MDKSA-2005:213, November 16, 2005
Trustix Secure Linux Security Advisory, TSLSA-2005-0062, November 22, 2005
Ubuntu Security Notice, USN-232-1, December 23, 2005
PTnet
PTnet IRCD 1.6, 1.5
A remote Denial of Service vulnerability has been reported when attempting to open restricted channels.
No workaround or patch available at time of publishing.
There is no exploit code required.
PTnet IRCD Remote Denial of Service
Low
Security Tracker Alert ID: 1015425, December 30, 2005
rssh
rssh 2.2-2.2.3, 2.1, 2.0
A vulnerability has been reported in the 'rssh_chroot_helper' command due to a design error, which could let a malicious user obtain superuser privileges.
Security Focus, Bugtraq ID: 16122, January 3, 2006
scponly
scponly 4.1 & prior
Several vulnerabilities have been reported: a vulnerability was reported in 'scponlyc' due to a design error, which could let a malicious user execute arbitrary code with root privileges; and a vulnerability was reported due to an error in the validation of user-supplied command line, which could let a malicious user bypass security restrictions.
Gentoo Linux Security Advisory, GLSA 200512-17, December 29, 2005
Sun Microsystems, Inc.
PC NetLink 2.0
Insecure permissions vulnerabilities have been reported due to a flaw in the 'slsadmin' and 'slsmgr' scripts, which could let a malicious user obtain elevated privileges.
Sun(sm) Alert Notifications, Sun Alert ID: 102117 & 102122, December 23, 2005
The Open Group
Open Motif 2.2.3
Two buffer overflow vulnerabilities have been reported in libUil (User Interface Language): a buffer overflow vulnerability was reported in 'diag_issue_diagnostic()' due to the use of the vsprintf() libc procedure, which could let a remote malicious user execute arbitrary code; and a vulnerability was reported in 'open_source_file()' due to the use of the strcpy() libc procedure, which could let a remote malicious user execute arbitrary code.
Security Focus, Bugtraq ID: 15678, December 2, 2005
Gentoo Linux Security Advisory, GLSA 200512-16, December 28, 2005
TkDiff
TkDiff 4.1, 4.0.2, 4.0, 3.0.9
A vulnerability has been reported due to the insecure creation of temporary files, which could let a remote malicious user modify system/user information or obtain unauthorized access.
A Cross-Site Scripting vulnerability has been reported in 'read.php' due to insufficient sanitization of the 'totalRows_rsRead' parameter before returning to the user, which could let a remote malicious user execute arbitrary HTML and script code.
No workaround or patch available at time of publishing.
HTML injection vulnerabilities have been reported in 'profile.htm,' 'card.htm,' 'bank.htm,' 'subscriptions.htm,' 'send.htm,' 'request.htm,' 'forgot.htm,' 'escrow.htm,' 'donations.htm,' and 'products.htm' due to insufficient sanitization, which could let a remote malicious user execute arbitrary HTML and script code.
No workaround or patch available at time of publishing.
There is no exploit code required.
AlstraSoft EPay Enterprise Multiple HTML Injection
Multiple vulnerabilities have been reported: a Cross-Site Scripting vulnerability was reported in 'Page.asp' due to insufficient sanitization of the 'PageID' and 'SiteNodeID' parameters before returning to the user, which could let a remote malicious user execute arbitrary HTML and script code; and an SQL injection vulnerability was reported in 'Page.asp' due to insufficient sanitization of the 'SideNodeID' parameter before it is used in an SQL query, which could let a remote malicious user execute arbitrary SQL code.
No workaround or patch available at time of publishing.
There is no exploit code required; however, Proof of Concept exploits have been published.
Baseline CMS SQL Injection & Cross-Site Scripting
Medium
Security Focus, Bugtraq ID: 15961, December 20, 2005
Bitweaver
Bitweaver 1.1.1 beta
Multiple vulnerabilities have been reported: an SQL injection vulnerability was reported due to insufficient sanitization of the 'sort_mode,' 'post_id,' and 'blog_id' parameters before they are used in an SQL query, which could let a remote malicious user execute arbitrary SQL code; a Cross-Site Scripting vulnerability was reported due to insufficient sanitization of the 'sort_mode,' 'post_id,' 'blog_id' and search field parameters in '/users/my_groups.php' before returning to the user, which could let a remote malicious user execute arbitrary HTML and script code; and a path disclosure vulnerability was reported which could let a remote malicious user obtain sensitive information.
Security Focus, Bugtraq ID: 15962, December 20, 2005
B-Net Software
B-Net Software 1.0
An HTML injection vulnerability has been reported due to insufficient sanitization of various fields when signing the guestbook and sending a message via 'Shoutbox,' which could let a remote malicious user execute arbitrary HTML and script code.
No workaround or patch available at time of publishing.
There is no exploit code required; however, a Proof of Concept exploit has been published.
An HTML injection vulnerability has been reported due to insufficient sanitization of the homepage field when signing the guestbook, which could let a remote malicious user execute arbitrary HTML and script code.
No workaround or patch available at time of publishing.
A vulnerability has been reported in the Downloadable IP ACL (Access Control List) feature due to a design error, which could let a malicious user bypass security restrictions.
Cisco Secure Access Control Server Downloadable IP Access Control List
Medium
Secunia Advisory: SA18141, January 3, 2006
Day Software
Communique 4.0
A Cross-Site Scripting vulnerability has been reported due to insufficient sanitization of the 'query' parameter when performing a search, which could let a remote malicious user execute arbitrary HTML and script code.
No workaround or patch available at time of publishing.
Security Focus, Bugtraq ID: 16072, December 27, 2005
Dev
Dev Web Management System 1.5
Several vulnerabilities have been reported: an SQL injection vulnerability was reported in 'index.php' and 'getfile.php' due to insufficient sanitization of the 'cat' parameter and in 'download_now.php' due to insufficient sanitization of the 'target' parameter before they are used in an SQL query, which could let a remote malicious user execute arbitrary SQL code; and a Cross-Site Scripting vulnerability was reported in 'add.php' due to insufficient sanitization of the 'language' array parameter before returning to the user, which could let a remote malicious user execute arbitrary HTML and script code.
No workaround or patch available at time of publishing.
There is no exploit code required; however, Proof of Concept exploits and an exploit script have been published.
Dev Web Management System Multiple Input Validation
Security Tracker Alert ID: 1015410, December 25, 2005
Direct News
Direct News 4.9
An SQL injection vulnerability has been reported in 'index.php' due to insufficient sanitization of the 'setLang' and search module parameters before they are used in an SQL query, which could let a remote malicious user execute arbitrary SQL code.
No workaround or patch available at time of publishing.
There is no exploit code required; however, a Proof of Concept exploit has been published.
Security Focus, Bugtraq ID: 15957, December 19, 2005
Dream4
Koobi 5.0
A script injection vulnerability has been reported because a remote malicious user can nest BBCode URL tags and execute arbitrary HTML and script code.
No workaround or patch available at time of publishing.
There is no exploit code required; however, a Proof of Concept exploit has been published.
Security Focus, Bugtraq ID: 16078, December 28, 2005
Epic Designs
eggblog 2.0
Several vulnerabilities have been reported: a path disclosure vulnerability was reported when an invalid 'q' parameter is used by the 'Keyword' and 'Search' fields, which could let a remote malicious user obtain sensitive information; and a Cross-Site Scripting vulnerability was reported in 'search.php' due to insufficient sanitization of the 'q' parameter when performing a search, which could let a remote malicious user execute arbitrary HTML and script code.
No workaround or patch available at time of publishing.
A buffer overflow vulnerability has been reported in the 'dissect_ospf_v3_address_prefix()' function in the OSPF protocol dissector due to a boundary error when converting received binary data to a human readable string, which could let a remote malicious user execute arbitrary code.
Ethereal Security Advisory, enpa-sa-00022, December 27, 2005
Mandriva Linux Security Advisory MDKSA-2006:002, January 3, 2006
FatWire Corporation
UpdateEngine 6.2
Cross-Site Scripting vulnerabilities have been reported in 'UpdateEngine' due to insufficient sanitization of the 'FUELAP_TEMPLATENAME,' 'EMAIL,' and 'COUNTRYNAME' parameters before returning to the user, which could let a remote malicious user execute arbitrary HTML and script code.
No workaround or patch available at time of publishing.
There is no exploit code required; however, Proof of Concept exploits have been published.
Security Focus, Bugtraq ID: 16073, December 27, 2005
File::ExtAttr
File::ExtAttr 0.2, 0.1
An off-by-one buffer overflow vulnerability has been reported in 'getfattr()' when the extended attributes of a file are retrieved, which could let a remote malicious user cause a Denial of Service.
A vulnerability has been reported in 'index.php' due to insufficient verification of the 'Ing' parameter before it is used to include files, which could let a remote malicious user include arbitrary files from local resources.
No workaround or patch available at time of publishing.
There is no exploit code required; however, a Proof of Concept exploit has been published.
GFHost / GmailSite File Inclusion
Medium
Secunia Advisory: SA18155, December 29, 2005
Hitachi
Business Logic 2.0.6, 2.0, 1.1, 1.0
Several vulnerabilities have been reported: a Cross-Site Scripting vulnerability was reported in input forms due to insufficient sanitization of unspecified input, which could let a remote malicious user execute arbitrary HTML and script code and inject arbitrary HTTP headers; and an SQL injection vulnerability was reported in input forms due to insufficient sanitization of unspecified input before it is used in an SQL query, which could let a remote malicious user execute arbitrary SQL code.
Hitachi Security Bulletin, HS05-025, December 27, 2005
IDV Directory Viewer
IDV Directory Viewer 2005.1 b1
A vulnerability has been reported in 'index.php' due to insufficient sanitization of the 'dir' parameter before it is used to generate directory listings, which could let a remote malicious user obtain sensitive information.
IDV Directory Viewer Index.PHP Information Disclosure
Medium
Secunia Advisory: SA18298, January 4, 2006
INCOGEN
BugPort 1.147 & prior
Several vulnerabilities have been reported: an SQL injection vulnerability was reported in 'index.php' due to insufficient sanitization of the 'orderBy,' 'where,' and 'devWherePair[1][0]' parameters before they are used in an SQL query, which could let a remote malicious user execute arbitrary SQL code; a Cross-Site Scripting vulnerability was reported in 'index.php' due to insufficient sanitization of unspecified input before returning to the user, which could let a remote malicious user execute arbitrary HTML and script code; and a vulnerability was reported because remote malicious users can obtain sensitive information via an invalid action parameter.
No workaround or patch available at time of publishing.
There is no exploit code required; however, Proof of Concept exploit scripts have been published.
A Cross-Site Scripting vulnerability has been reported in 'index.php' due to insufficient sanitization of user-supplied input, which could let a remote malicious user execute arbitrary HTML and script code.
No workaround or patch available at time of publishing.
Security Focus, Bugtraq ID: 16092, December 30, 2005
Jevontech
PHPenpals 310704
An SQL injection vulnerability has been reported in 'profile.php' due to insufficient sanitization of the 'personalID' parameter before it is used in an SQL query, which could let a remote malicious user execute arbitrary SQL code.
No workaround or patch available at time of publishing.
Cross-Site Scripting vulnerabilities have been reported in the 'register,' 'submit,' and 'lostpassword' modules due to insufficient sanitization of the 'Full Name,' 'Email,' 'Subject,' and 'Registered Email' fields and in 'index.php' due to insufficient sanitization of the 'nav' parameter, which could let a remote malicious user execute arbitrary HTML and script code.
No workaround or patch available at time of publishing.
There is no exploit code required; however, a Proof of Concept exploit has been published.
Kayako SupportSuite Multiple Cross-Site Scripting
Medium
Security Focus, Bugtraq ID: 16094, December 30, 2005
Lighthouse
Lighthouse CMS 1.1
A Cross-Site Scripting vulnerability has been reported due to insufficient sanitization of the 'search' parameter before returning to the user, which could let a remote malicious user execute arbitrary HTML and script code.
No workaround or patch available at time of publishing.
There is no exploit code required; however, a Proof of Concept exploit has been published.
Lighthouse CMS Cross-Site Scripting
Medium
Security Focus, Bugtraq ID: 15952, December 19, 2005
Lizard Cart
Lizard Cart CMS 1.0.4
An SQL injection vulnerability has been reported due to insufficient sanitization of the 'id' parameter before it is used in an SQL query, which could let a remote malicious user execute arbitrary SQL code.
No workaround or patch available at time of publishing.
There is no exploit code required; however, a Proof of Concept exploit has been published.
Lizard Cart CMS SQL Injection
Medium
Secunia Advisory: SA18297, January 4, 2006
Mantis
Mantis prior to 0.19.4, and 1.0.0rc4
Multiple remote vulnerabilities have been reported which could let a remote malicious user obtain sensitive information, conduct Cross-Site Scripting, HTML, and SQL injection attacks, and execute arbitrary PHP code.
Gentoo Linux Security Advisory, GLSA 200512-12, December 22, 2005
Moxiecode Systems
TinyMCE Compressor 1.0.5 & prior
Several vulnerabilities have been reported: a file disclosure vulnerability was reported due to insufficient sanitization of unspecified input before it is used to view files, which could let a remote malicious user obtain sensitive information; and a Cross-Site Scripting vulnerability was reported in 'tiny_mce_gzip.php' due to insufficient sanitization of the 'index' parameter before returning to the user, which could let a remote malicious user execute arbitrary HTML and script code.
Mandriva Linux Security Advisory, MDKSA-2005:193-1, October 26, 2005
Gentoo Linux Security Advisory, GLSA 200510-25, October 30, 2005
SUSE Security Summary Report, SUSE-SR:2005:025, November 4, 2005
Conectiva Security Announcement, CLSA-2005:1043, November 8, 2005
Mandriva Linux Security Advisory MDKSA-2006:002, January 3, 2006
Multiple Vendors
NView 4.x;
XnView 1.x; Gentoo x11-misc/xnview
A vulnerability has been reported in the 'nview' and 'xnview' binaries due to an insecure RPATH configuration, which could let a remote malicious user execute arbitrary code.
An authentication bypass vulnerability has been reported due to a hard-coded static WEP key, which could let a remote malicious user bypass authentication.
Fedora Update Notifications, FEDORA-2005-1061 & 1062, November 8, 2005
RedHat Security Advisory, RHSA-2005:831-15, November 10, 2005
Mandriva Linux Security Advisory, MDKSA-2005:213, November 16, 2005
Fedora Legacy Update Advisory, FLSA:166943, November 28, 2005
SGI Security Advisory, 20051101-01-U, November 29, 2005
OpenPKG Security Advisory, OpenPKG-SA-2005.027, December 3, 2005
SuSE Security Announcement, SUSE-SA:2005:069, December 14, 2005
Ubuntu Security Notice, USN-232-1, December 23, 2005
MyBB Group
DevBB 1.0
An SQL injection vulnerability has been reported in the 'admin/globa.php' script when user-supplied input is passed via cookie data, which could let a remote malicious user execute arbitrary SQL code.
No workaround or patch available at time of publishing.
There is no exploit code required; however, a Proof of Concept exploit has been published.
MyBB DevBB SQL Injection
Medium
Security Focus, Bugtraq ID: 16082, December 29, 2005
MyBB Group
MyBulletinBoard PR2 Rev.686 & prior
SQL injection vulnerabilities have been reported due to insufficient sanitization of several scripts, which could let a remote malicious user execute arbitrary SQL code.
Security Tracker Alert ID: 1015407, December 24, 2005
NETonE
phpBook 1.3.2, 1.3, 1.2, 1.1, 1.0
A vulnerability has been reported due to insufficient sanitization of the 'email' parameter when signing the guestbook, which could let a remote malicious user execute arbitrary PHP code.
No workaround or patch available at time of publishing.
Security Focus, Bugtraq ID: 16105, January 2, 2006
OOApp Guestbook
OOApp Guestbook 2.1
A Cross-Site Scripting vulnerability has been reported in 'home.php' due to insufficient sanitization of the 'page' parameter before returning to the user, which could let a remote malicious user execute arbitrary HTML and script code.
No workaround or patch available at time of publishing.
Security Focus, Bugtraq ID: 16091, December 30, 2005
Oracle Corporation
Oracle Application Server Discussion Forum Portlet
Several vulnerabilities have been reported including Cross-Site Scripting vulnerabilities, HTML injection vulnerabilities and a source code disclosure vulnerability, which could let a remote malicious user execute arbitrary HTML and script code and obtain sensitive information.
No workaround or patch available at time of publishing.
There is no exploit code required; however, Proof of Concept exploits have been published.
Oracle Application Server Discussion Forum Portlet Multiple Remote Vulnerabilities
Security Focus, Bugtraq ID: 16048, December 23, 2005
PaperThin
CommonSpot Content Server 4.5
Several vulnerabilities have been reported: a Cross-Site Scripting vulnerability was reported in 'loader.cfm' due to insufficient sanitization of the 'bNewWindow' parameter before returning to the user, which could let a remote malicious user execute arbitrary HTML and script code; and a vulnerability was reported in 'loader.cfm' when accessed by an invalid 'url' parameter, which could let a remote malicious user obtain sensitive information.
No workaround or patch available at time of publishing.
Proof of Concept exploits have been published.
PaperThin CommonSpot Content Server Cross-Site Scripting & Path Disclosure
Multiple vulnerabilities have been reported: a vulnerability was reported due to insufficient protection of the 'GLOBALS' array, which could let a remote malicious user define global variables; a vulnerability was reported in the 'parse_str()' PHP function when handling an unexpected termination, which could let a remote malicious user enable the 'register_globals' directive; a Cross-Site Scripting vulnerability was reported in the 'phpinfo()' PHP function due to insufficient sanitization of user-supplied input, which could let a remote malicious user execute arbitrary HTML and script code; and an integer overflow vulnerability was reported in 'pcrelib' due to an error, which could let a remote malicious user corrupt memory.
SUSE Security Summary Report, SUSE-SR:2005:025, November 4, 2005
Turbolinux Security Advisory TLSA-2005-97, November 5, 2005
Fedora Update Notifications, FEDORA-2005-1061 & 1062, November 8, 2005
RedHat Security Advisories, RHSA-2005:838-3 & RHSA-2005:831-15, November 10, 2005
Gentoo Linux Security Advisory, GLSA 200511-08, November 13, 2005
Mandriva Linux Security Advisory, MDKSA-2005:213, November 16, 2005
SUSE Security Summary Report, SUSE-SR:2005:027, November 18, 2005
Trustix Secure Linux Security Advisory, TSLSA-2005-0062, November 22, 2005
SGI Security Advisory, 20051101-01-U, November 29, 2005
OpenPKG Security Advisory, OpenPKG-SA-2005.027, December 3, 2005
SUSE Security Summary Report, SUSE-SR:2005:029, December 9, 2005
SUSE Security Announcement, SUSE-SA:2005:069, December 14, 2005
Ubuntu Security Notice, USN-232-1, December 23, 2005
phpBB Group
phpBB 2.0.18 & prior
A vulnerability has been reported in the 'url' bbcode tag due to insufficient sanitization before using, which could let a remote malicious user execute arbitrary HTML and script code.
File include vulnerabilities have been reported in 'Documentation/tests/bug-559668.php' due to insufficient verification of the 'FORUM[LIB]' parameter and in 'docbuilder/file_dialog.php' due to insufficient verification of the 'root_dir' parameter before used to include files, which could let a remote malicious user execute arbitrary PHP code.
No workaround or patch available at time of publishing.
There is no exploit code required; however, a Proof of Concept exploit script has been published.
Security Tracker Alert ID: 1015423, December 29, 2005
PHP-Fusion
PHP-Fusion 6.0 0.3
A Cross-Site Scripting vulnerability has been reported in 'members.php' due to insufficient sanitization of user-supplied input before returning to the user, which could let a remote malicious user execute arbitrary HTML and script code.
No workaround or patch available at time of publishing.
There is no exploit code required; however, a Proof of Concept exploit has been published.
Security Focus, Bugtraq ID: 15931, December 19, 2005
PHPjournaler
PHPjournaler 1.0
An SQL injection vulnerability has been reported in 'index.php' due to insufficient sanitization of the 'readold' parameter before using in an SQL query, which could let a remote malicious user execute arbitrary SQL code.
No workaround or patch available at time of publishing.
A vulnerability has been reported in the 'mb_send_mail()' function due to an input validation error, which could let a remote malicious user inject arbitrary headers to generated email messages.
Security Focus, Bugtraq ID: 15571, November 25, 2005
SUSE Security Announcement, SUSE-SA:2005:069, December 14, 2005
Ubuntu Security Notice, USN-232-1, December 23, 2005
Mandriva Linux Security Advisory, MDKSA-2005:238, December 27, 2005
PHPSurveyor
PHPSurveyor 0.99
An SQL injection vulnerability has been reported due to insufficient sanitization of the 'sid' parameter before using in an SQL query, which could let a remote malicious user execute arbitrary SQL code.
SQL injection vulnerabilities have been reported in 'user.php' due to insufficient sanitization of the 'email' parameter and in 'search.php' due to insufficient sanitization of the 'q' parameter before using in an SQL query, which could let a remote malicious user execute arbitrary SQL code.
No workaround or patch available at time of publishing.
There is no exploit code required; however, a Proof of Concept exploit has been published.
An HTML injection vulnerability has been reported due to insufficient sanitization of the 'User-Agent' HTTP header before saving to the database, which could let a remote malicious user execute arbitrary HTML and script code.
No workaround or patch available at time of publishing.
There is no exploit code required.
raSMP User-Agent HTML Injection
Medium
Security Focus, Bugtraq ID: 16138, January 4, 2006
Real Web Solution
Statistics Counter Service 2.4
An SQL injection vulnerability has been reported in the user area due to insufficient sanitization of unspecified input before using in an SQL query, which could let a remote malicious user execute arbitrary SQL code.
A remote Denial of Service vulnerability has been reported when handling a malformed JAD (Java Application Description) file.
The vendor has addressed this issue in version 4.0.2 of the Blackberry Device Software. Affected users are encouraged to contact their service providers to obtain updated software.
There is no exploit code required.
Blackberry Handheld JAD File Browser Remote Denial of Service
An SQL injection vulnerability has been reported due to insufficient sanitization of the 'AdminName' variable, which could let a remote malicious user execute arbitrary SQL code.
No workaround or patch available at time of publishing.
Security Focus, Bugtraq ID: 16115, January 2, 2006
ShopCentrik
ShopEngine
A Cross-Site Scripting vulnerability has been reported in 'search.asp' due to insufficient sanitization of the 'EXPS' parameter before returning to the user, which could let a remote malicious user execute arbitrary HTML and script code.
No workaround or patch available at time of publishing.
Security Focus, Bugtraq ID: 16054, December 23, 2005
SimpBook
SimpBook 1.0
An HTML injection vulnerability has been reported due to insufficient sanitization of the 'message' field before storing in the guestbook, which could let a remote malicious user execute arbitrary code.
No workaround or patch available at time of publishing.
A remote file include vulnerability has been reported which could let a remote malicious user execute arbitrary PHP code.
No workaround or patch available at time of publishing.
There is no exploit code required; however, a Proof of Concept exploit script has been published.
Valdersoft Shopping Cart Remote File Include
High
Security Focus, Bugtraq ID: 16126, January 3, 2006
VBulletin
VBulletin 3.5.2
An HTML injection vulnerability has been reported due to insufficient sanitization of 'calendar.php' and 'reminder.php' which could let a remote malicious user execute arbitrary HTML and script code.
No workaround or patch available at time of publishing.
Security Focus, Bugtraq ID: 16116, January 2, 2006
VEGO Links Builder
VEGO Links Builder 2.0
An SQL injection vulnerability has been reported due to insufficient sanitization of the 'username' parameter when logging in, which could let a remote malicious user execute arbitrary SQL code.
No workaround or patch available at time of publishing.
Security Focus, Bugtraq ID: 16108, January 2, 2006
VEGO Web Forum
VEGO Web Forum 1.23-1.26, 1.20, 1.10, 1.0
An SQL injection vulnerability has been reported due to insufficient sanitization of the 'Theme_ID' parameter before using in an SQL query, which could let a remote malicious user execute arbitrary SQL code.
No workaround or patch available at time of publishing.
There is no exploit code required; however, a Proof of Concept exploit has been published.
A vulnerability has been reported in the VMware Management Interface due to an unspecified error, which could let a remote malicious user execute arbitrary code.
Several vulnerabilities have been reported: an SQL injection vulnerability was reported due to insufficient sanitization of unspecified input before using in an SQL query, which could let a remote malicious user execute arbitrary SQL code; and a Cross-Site Scripting vulnerability was reported in 'index.php' due to insufficient sanitization of the 'kb_ask' parameter before returning to the user, which could let a remote malicious user execute arbitrary HTML and script code.
No workaround or patch available at time of publishing.
The section below contains wireless vulnerabilities, articles, and viruses/trojans identified during this reporting period.
FCC interested in emergency wireless network: The Federal Communications Commission will study the feasibility of constructing a nationwide interoperable wireless network for emergency workers that uses some of the spectrum that TV companies will abandon when they transition to digital television. In a recent report to Congress, the FCC said that providing mobile broadband communications, in addition to upgraded communications equipment and training, could offer emergency responders many important capabilities. Source: http://www.fcw.com/article91846-01-03-06-Web.
Mobility's Steep Upward Growth Curve For 2006: According to GCR Custom Research's IT Watch enterprise spending survey that was conducted in November 2005, they project an 8.1% jump in spending on mobile and wireless devices for 2006. Source: http://www.mobilepipeline.com/175800385.
Wireless Vulnerabilities
RIM BlackBerry Vulnerabilities: US-CERT is aware that information about multiple vulnerabilities in RIM BlackBerry products has been presented at the 22nd Chaos Communication Congress. Source: http://www.us-cert.gov/current/.
The table below contains a sample of exploit scripts and "how to" guides identified during this period. The "Workaround or Patch Available" column indicates if vendors, security vulnerability listservs, or Computer Emergency Response Teams (CERTs) have published workarounds or patches.
Note: At times, scripts/techniques may contain names or content that may be considered offensive.
Script that exploits the PHPDocumentor Remote and Local File Include vulnerability.
Date | Script Name | Workaround or Patch Available | Description
December 29, 2005 | aimsniff-1.0alpha.tar.gz | N/A | A utility for monitoring and archiving AOL Instant Messenger messages across a network that has the ability to do a live dump (actively sniff the network) or read a PCAP file and parse the file for IM messages.
December 29, 2005 | dBpowerAMPv11.5.txt, dMCShell_bof.c | No | Exploit for the Illustrate dBpowerAMP Music Converter and Audio Player Buffer Overflow vulnerability.
December 29, 2005 | Dev_15_sql_xpl.php.txt, Dev_15_sql_xpl.php | No | Exploit for the Dev Web Management System Multiple Input Validation vulnerabilities.
December 29, 2005 | fiked-0.0.4.tar.bz2 | N/A | A fake IKE daemon that supports just enough of the standards and Cisco extensions to attack commonly found insecure Cisco PSK+XAUTH VPN setups in what could be described as a semi-MitM attack.
December 29, 2005 | thc-ts201.zip | N/A | Latest release of a phone scanner that features ODBC support so you can import your results into SQL or Excel spreadsheets, includes source code, and runs on any DOS-emulating operating system.
December 29, 2005 | translateXSS.txt | No | Proof of Concept for numerous translation websites' Cross-Site Scripting vulnerability.
December 29, 2005 | VirusScanEnterprise8.0i.txt | Yes | Proof of Concept exploit for the McAfee VirusScan Privilege Elevation vulnerability.
December 27, 2005 | bzflagboom.zip | Yes | Script that exploits the BZFlag Remote Denial of Service vulnerability.
December 27, 2005 | cerberusHelp.txt | No | Exploitation details for the Cerberus Helpdesk Input Validation vulnerabilities.
Exploit for Vulnerability in Microsoft Windows Metafile Handling: US-CERT is aware of active exploitation of a vulnerability in how Microsoft Windows handles Windows Metafiles (".wmf"). Several variations of the WMF exploit file have been released that attempt to avoid detection by anti-virus software and intrusion detection and intrusion prevention systems. Source: http://www.us-cert.gov/current/.
Data security moves front and center in 2005: Financial data leaks left more than 50 million accounts containing credit card information and, in some cases, confidential details at risk. Phishing attacks, targeted Trojan horses and Web-based exploits compromised millions of PCs to create centrally controlled networks known as bot nets. In 2005, the threat of worm epidemics largely subsided. Instead, attacks targeting vulnerabilities in client-side applications--such as Internet browsers and antivirus software--rose. Data on bot networks revealed that those centrally controlled networks of computers remained a large threat. And attacks targeting the systems of specific people in government and industry have managed to sneak under the radar of security systems that have been honed to detect mass infections. Source: http://www.securityfocus.com/news/11366.
WMF Infected Site Examples: Websense Security Labs (TM) is actively tracking websites that attempt to infect machines without any end-user intervention by simply visiting a site. Currently there are two types of sites. The first are sites that have been setup by the attackers in order to infect users. In most cases these sites require a lure (such as an email or Instant Message) in order to attract users. These are mostly registered with fraudulent registration detail. The second are sites which have been compromised. Source: http://www.websensesecuritylabs.com/alerts/alert.php?AlertID=391
December IM Attacks Jump 826 Percent Over '04: According to IMlogic's Threat Center, December 2005 instant message exploits increased 825 percent over December 2004. According to the report, the year's last month saw 241 new threats; down from the 307 in November and the 294 in October. Combined, the three months showed a 13 percent increase in IM threats over the third quarter of 2005. Source: http://www.securitypipeline.com/news/175800842.
More than 450 Phishing Attacks Used SSL in 2005: The Netcraft Toolbar Community has identified more than 450 confirmed phishing URLs using "https" urls to present a secure connection using the Secure Sockets Layer (SSL). This number is significant for several reasons. Anti-phishing education initiatives have often urged Internet users to look for the SSL "golden lock" as an indicator of a site's legitimacy. Although phishers have been using SSL in attacks for more than a year, the trend seems to have drawn relatively little notice from users and the technology press. Source: http://news.netcraft.com/archives/2005/12/28/more_than_450_phishing_attacks_used_ssl_in_2005.html.
A list of high threat viruses, as reported to various anti-virus vendors and virus incident reporting organizations, has been ranked and categorized in the table below. For the purposes of collecting and collating data, infections involving multiple systems at a single location are considered a single infection. It is therefore possible that a virus has infected hundreds of machines but has only been counted once. With the number of viruses that appear each month, it is possible that a new virus will become widely distributed before the next edition of this publication. To limit the possibility of infection, readers are reminded to update their anti-virus packages as soon as updates become available. The table lists the viruses by ranking (number of sites affected), common virus name, type of virus code (i.e., boot, file, macro, multi-partite, script), trends (based on number of infections reported since last week), and approximate date first found.
Rank | Common Name | Type of Code | Trend | Date | Description
1 | Netsky-P | Win32 Worm | Stable | March 2004 | A mass-mailing worm that uses its own SMTP engine to send itself to the email addresses it finds when scanning the hard drives and mapped drives. The worm also tries to spread through various file-sharing programs by copying itself into various shared folders.
2 | Mytob-GH | Win32 Worm | Slight Increase | November 2005 | A variant of the mass-mailing worm that disables security related programs and allows others to access the infected system. This version sends itself to email addresses harvested from the system, forging the sender's address.
3 | Netsky-D | Win32 Worm | Stable | March 2004 | A simplified variant of the Netsky mass-mailing worm in that it does not contain many of the text strings that were present in NetSky.C and it does not copy itself to shared folders. Netsky.D spreads itself in e-mails as an executable attachment only.
4 | Zafi-B | Win32 Worm | Increase | June 2004 | A mass-mailing worm that spreads via e-mail using several different languages, including English, Hungarian and Russian. When executed, the worm makes two copies of itself in the %System% directory with randomly generated file names.
5 | Sober-Z | Win32 Worm | New | December 2005 | This worm travels as an email attachment, forging the sender's address, harvesting addresses from infected machines, and using its own mail engine. It further downloads code from the internet, installs into the registry, and reduces overall system security.
6 | Lovgate.w | Win32 Worm | Slight Increase | April 2004 | A mass-mailing worm that propagates by using MAPI as a reply to messages, by using an internal SMTP engine, by dropping copies of itself on network shares, and through peer-to-peer networks. It attempts to access all machines in the local area network.
7 | Mytob.C | Win32 Worm | Increase | March 2004 | A mass-mailing worm with IRC backdoor functionality which can also infect computers vulnerable to the Windows LSASS (MS04-011) exploit. The worm will attempt to harvest email addresses from the local hard disk by scanning files.
8 | Zafi-D | Win32 Worm | Stable | December 2004 | A mass-mailing worm that sends itself to email addresses gathered from the infected computer. The worm may also attempt to lower security settings, terminate processes, and open a back door on the compromised computer.
9 | Mytob-BE | Win32 Worm | Decrease | June 2005 | A slight variant of the mass-mailing worm that utilizes an IRC backdoor, the LSASS vulnerability, and email to propagate. It harvests addresses from the Windows address book, disables anti-virus software, and modifies data.
10 | Mytob-AS | Win32 Worm | Decrease | June 2005 | A slight variant of the mass-mailing worm that disables security related programs and processes, redirects various sites, and changes registry values. This version downloads code from the net and utilizes its own email engine.