Tuesday, July 13, 2004

SEC: @RISK: The Consensus Security Vulnerability Alert Vol. 3 No. 27

*************************************************************************
@RISK: The Consensus Security Vulnerability Alert
July 12, 2004 Vol. 3. Week 27
*************************************************************************

-------------------------------------------------------------------------
Summary of the vulnerabilities reported this week
Category - # of Updates & Vulnerabilities
-------------------------------------------------------------------------
Other Microsoft Products - 1
Third-Party Windows Apps - 6 (#2)
Linux - 1
BSD - 1
UNIX - 1
Cross Platform - 12 (#1)
Web Application - 11
Network Device - 3
-------------------------------------------------------------------------

---------------------------------------
Table of Contents
---------------------------------------

Part I -- Critical Vulnerabilities
from TippingPoint (www.tippingpoint.com)

Widely Deployed Software

(1) MODERATE: MySQL Authentication Bypass Vulnerability

Other Software
(2) MODERATE: Mozilla shell: URI Handler Vulnerability

Update
(3) Internet Explorer Patch Disables ADODB.STREAM ActiveX Control

Part II -- Comprehensive List of Newly Discovered Vulnerabilities
from Qualys (www.qualys.com)

-- Other Microsoft Products
04.27.1 - Microsoft Internet Explorer Script Execution
-- Third Party Windows Apps
04.27.2 - Lotus Domino Server Remote Denial of Service
04.27.3 - WinGate Information Disclosure
04.27.4 - Easy Chat Server Multiple Denial of Service Vulnerabilities
04.27.5 - Fastream NetFile Directory Traversal
04.27.6 - Mozilla Arbitrary File Execution
04.27.7 - Symantec Norton Antivirus Denial of Service
-- Linux
04.27.8 - Linux Kernel Group Ownership Vulnerability
-- BSD
04.27.9 - SSLTelnetd Remote Syslog Format String Vulnerability
-- Unix
04.27.10 - PureFTPd Remote Denial of Service
-- Cross Platform
04.27.11 - Qualcomm Eudora MIME Attachment Spoofing
04.27.12 - Dr. Web Unspecified Buffer Overflow Vulnerability
04.27.13 - Ethereal iSNS, SMB and SNMP Vulnerability
04.27.14 - AppWeb HTTP Server Multiple Vulnerabilities
04.27.15 - IBM Websphere Edge Server Denial of Service
04.27.16 - MySQL Authentication Bypass Vulnerability
04.27.17 - MySQL Password Length Remote Buffer Overflow
04.27.18 - Symantec Brightmail Information Disclosure
04.27.19 - 12Planet Chat Server Cross-Site Scripting
04.27.20 - Multiple Vendor Internet Browser Weaknesses
04.27.21 - Unreal IRCD IP Address Disclosure
04.27.22 - Opera Web Browser Address Bar URL Spoofing
-- Web Application
04.27.23 - jaws Directory Traversal
04.27.24 - Open WebMail Remote Command Execution
04.27.25 - Netegrity IdentityMinder Cross-Site Scripting Vulnerabilities
04.27.26 - SCI Photo Chat Server Cross-Site Scripting
04.27.27 - Centre Online School Software Multiple Vulnerabilities
04.27.28 - Nguyen Guestbook BBCode HTML Injection
04.27.29 - Open WebMail Email Header HTML Injection
04.27.30 - IlohaMail HTML Injection
04.27.31 - BasiliX Webmail Email Header HTML Injection
04.27.32 - Comersus Cart Multiple Vulnerabilities
04.27.33 - NPDS BB HTML Injection
-- Network Device
04.27.34 - Zoom 5560 X3 Modem Backdoor
04.27.35 - Enterasys XSR Router Denial of Service
04.27.36 - Nokia 3560 Handset Text Message Denial of Service

********************** SPONSORED LINKS ********************************
Note: these links may take you to non-SANS sites.

(1) PROPRIETARY INFORMATION? Would you know if proprietary information
has left your network today? FREE WHITEPAPER
http://www.sans.org/info.php?id=512

***********************************************************************
Highlighted Security Training For This Week

SANS' largest fall conference will be in Las Vegas this year, September
28 to October 6. The 400,000 brochures started arriving two weeks ago.
Network Security has seventeen immersion tracks and many special intense
one-day programs plus a big vendor expo.
http://www.sans.org/ns2004
***********************************************************************

**************************
Widely Deployed Software
**************************

(1) MODERATE: MySQL Authentication Bypass Vulnerability
Affected:
MySQL versions 4.1.0, 4.1.1, 4.1.2 and early builds of version 5.0

Description: MySQL is a widely used, open-source database with a reported
five million installations world-wide. The database runs on a number of
operating systems and is typically deployed as a back-end database for
web applications. The software contains multiple vulnerabilities in its
authentication module, specifically in the "check_scramble_323"
function. An attacker can specify a certain value for the "client
capability" flag and obtain unauthorized access to the database via a
null password. The attacker can obtain the privileges of any user on the
MySQL server, provided the user name is correctly guessed. The attacker
can also trigger a stack-based buffer overflow by providing an overlong
password string. The overflow may be exploitable on a few platforms to
execute arbitrary code. Note that the flaws cannot be exploited by using
the available MySQL clients; the attacker would have to create a custom
MySQL client. The technical details required to leverage the flaws and
multiple exploits have been publicly posted.

Status: Vendor confirmed. Upgrade to version 4.1.3 and newer builds of
version 5.0. A workaround is to provide access to the MySQL server port
3306/tcp to only trusted hosts in the network.

Council Site Actions: Four of the reporting council sites are running
the affected software. One site is waiting for vendor updates for
products they use. The second site is not widely using MySQL but will
patch the systems during the next regularly scheduled system update
process. The third site chose only to notify their system support group
of the workarounds and let them decide how to proceed. The final site
scanned their network for systems running MySQL on port 3306 shortly
after they received the original advisory. Of the several hundred
systems they found running MySQL, only a handful were running the
affected version. The system administrators of these systems were
advised to move to a non-vulnerable version. A large fraction of the
systems were Linux systems running a Red Hat distribution, which uses
version 3.23.*. They will address some of the vulnerable systems by
downgrading from 4.1.* to 3.23.*, so that they can resume using the
patch process provided by their operating-system vendor.

References:
Posting by Chris Anley
http://archives.neohapsis.com/archives/vulnwatch/2004-q3/0001.html
Posting by bambam (Exploit Code)
http://archives.neohapsis.com/archives/vulnwatch/2004-q3/0003.html
Securiteam Advisory (Exploit Code)
http://www.securiteam.com/exploits/5EP0720DFS.html
Protecting from MySQL Vulnerabilities
http://www.ngssoftware.com/papers/HackproofingMySQL.pdf
MySQL Reference Manual
http://dev.mysql.com/doc/mysql/en/index.html
SecurityFocus BIDs
http://www.securityfocus.com/bid/10655
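The final council site above inventoried its MySQL servers on port 3306 and sorted them into the affected 4.1.0-4.1.2 builds, fixed 4.1.3+ builds and unaffected 3.23.* installs. The following is an added example (not from the newsletter, MySQL or any council site) of that triage step in Python: it parses the server's initial handshake packet, which is what a scanner sees on connect, and classifies the advertised version against the affected list in item (1). It assumes the standard protocol-10 handshake layout; the sample packets and host names are constructed for the example.

```python
"""Triage MySQL server versions against the @RISK item (1) affected list.

Added example, not part of the newsletter. A MySQL server sends its
handshake first: 3-byte little-endian payload length, 1-byte sequence
number, then a protocol byte (10) and a NUL-terminated version string.
Affected per item (1): 4.1.0, 4.1.1, 4.1.2 and early (alpha) 5.0 builds;
fixed in 4.1.3 and newer 5.0 builds; pre-4.1 (e.g. 3.23.*) unaffected.
"""
import re
import struct

FIXED_41 = (4, 1, 3)  # first 4.1 release carrying the fix


def parse_handshake(packet: bytes) -> dict:
    """Extract protocol version and server version string from a handshake."""
    if len(packet) < 5:
        raise ValueError("packet too short for a MySQL handshake header")
    payload_len = int.from_bytes(packet[:3], "little")
    seq = packet[3]
    payload = packet[4:4 + payload_len]
    if len(payload) != payload_len:
        raise ValueError("truncated handshake payload")
    protocol = payload[0]
    end = payload.find(b"\x00", 1)  # version string is NUL-terminated
    if end < 0:
        raise ValueError("server version string is not NUL-terminated")
    version = payload[1:end].decode("ascii", errors="replace")
    return {"protocol": protocol, "seq": seq, "server_version": version}


def parse_version(version: str) -> tuple:
    """'4.1.2-alpha-log' -> (4, 1, 2, 'alpha'); suffix is '' when absent."""
    m = re.match(r"(\d+)\.(\d+)\.(\d+)(?:-([A-Za-z0-9]+))?", version)
    if not m:
        raise ValueError(f"unrecognised MySQL version string: {version!r}")
    major, minor, patch = (int(x) for x in m.group(1, 2, 3))
    return (major, minor, patch, m.group(4) or "")


def classify(version: str) -> str:
    """Map a server version to 'affected', 'fixed', 'review' or 'not-affected'."""
    major, minor, patch, suffix = parse_version(version)
    if (major, minor) == (4, 1):
        return "affected" if (major, minor, patch) < FIXED_41 else "fixed"
    if (major, minor) == (5, 0):
        # The item only says "early builds" of 5.0 are affected and "newer
        # builds" are fixed, so alpha builds are flagged and others need review.
        return "affected" if suffix.lower().startswith("alpha") else "review"
    return "not-affected"


def build_handshake(version: str, seq: int = 0) -> bytes:
    """Constructed protocol-10 handshake packet used as sample scanner input."""
    payload = bytes([10]) + version.encode("ascii") + b"\x00" + struct.pack("<I", 42)
    return len(payload).to_bytes(3, "little") + bytes([seq]) + payload


# Constructed sample captures keyed by hypothetical host name.
SAMPLE_PACKETS = {
    "db1": build_handshake("4.1.2-alpha-log"),
    "db2": build_handshake("3.23.58"),
    "db3": build_handshake("4.1.3-beta"),
    "db4": build_handshake("5.0.0-alpha"),
}


def triage(packets: dict) -> dict:
    """Classify every captured handshake; bad packets are reported, not skipped."""
    results = {}
    for host, packet in packets.items():
        try:
            results[host] = classify(parse_handshake(packet)["server_version"])
        except ValueError as exc:
            results[host] = f"error: {exc}"
    return results


if __name__ == "__main__":
    for host, status in triage(SAMPLE_PACKETS).items():
        print(f"{host}: {status}")
```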

*******************************
Other Software
*******************************

(2) MODERATE: Mozilla shell: URI Handler Vulnerability
Affected:
Only Windows installations of:
Mozilla version prior to 1.7.1
Firefox version prior to 0.9.2
Thunderbird version prior to 0.7.2

Description: The Mozilla project's Mozilla and Firefox web browsers and
Thunderbird email client for Windows contain a vulnerability in handling
"shell:" URIs. A malicious webpage or an HTML email can launch any
executable present on a client system via specially crafted "shell:"
URIs. Note that arbitrary command-line arguments cannot be passed to the
launched executables, which limits the malicious actions an attacker can
perform on the client system. Another attack vector has also been
discussed to exploit this flaw. The "shell:" URL handler invokes various
applications based on the file extension; for example, a "shell:my.mp3"
URL will launch the media player. It may be possible to trigger a buffer
overflow in some applications by passing an overlong filename. It is
reported that a URL of the form "shell:AAA (over 221 characters).grp"
triggers a buffer overflow in the "grpconv.exe" application. These
buffer overflows may be exploitable to execute arbitrary code on
the client system. The technical details required to exploit the
vulnerability have been posted.

Status: Vendor confirmed, patches available. Upgrade to Mozilla 1.7.1,
Firefox 0.9.2 and Thunderbird 0.7.2. It is worthwhile to note that the
Mozilla project fixed the problems within a day of being reported.

Council Site Actions: We were unable to solicit council site input for
this item.

References:
Posting by Josh Perrymon
http://marc.theaimsgroup.com/?l=full-disclosure&m=108921978322597&w=2
Posting by Andreas Sandblad
http://marc.theaimsgroup.com/?l=full-disclosure&m=108923012411803&w=2
Posting by Keith
http://marc.theaimsgroup.com/?l=full-disclosure&m=108933948325768&w=2
Mozilla Advisory
http://www.mozilla.org/security/shell.html
CERT Advisory
http://www.kb.cert.org/vuls/id/927014
Secunia Advisory
http://secunia.com/advisories/12027/
SecurityFocus BID
Not yet available.

********************************
Update
********************************
This section includes the actions taken by Council Sites to mitigate the
vulnerabilities reported in last week's @RISK newsletter. The late
breaking nature of these vulnerabilities did not allow us to solicit
input from the Council Sites at that time.

(3) Internet Explorer Patch Disables ADODB.STREAM ActiveX Control

Microsoft has released a patch for Internet Explorer that disables the
ADODB.STREAM ActiveX control. This control has been utilized in exploit
code for many IE cross-domain vulnerabilities that permit an attacker
to execute arbitrary code on client systems. This control is used
because it supports methods to read and write files on the client
computer. Note that disabling the control may prevent the exploitation
of IE vulnerabilities via currently circulating exploits. However, the
patch does not fix the root cause of the problem - the cross-domain IE
vulnerabilities. Postings show how the existing IE exploit code can be
modified to compromise a patched client system. An example of modified
exploit code has been publicly posted.

Council Site Actions: All reporting council sites have either already
installed the patch or are in the process of evaluating the patch for
installation. One site that is evaluating the patch is waiting to see
whether a patch for the cross-domain vulnerability is released next
week. Another site that is evaluating the patch is also waiting to see
if MS plans to release an actual fix and, if so, they would deploy that
instead. Several of the sites said they were evaluating Firefox as a
potential replacement for IE.

References:
Microsoft Knowledge Base Article
http://support.microsoft.com/default.aspx?kbid=870669
CERT Advisory
http://www.us-cert.gov/cas/techalerts/TA04-184A.html
Posting by Russ Cooper
http://archives.neohapsis.com/archives/ntbugtraq/2004-q3/0005.html
Posting by Matthew Murphy
http://archives.neohapsis.com/archives/fulldisclosure/2004-07/0111.html
Postings by http-equiv
http://archives.neohapsis.com/archives/fulldisclosure/2004-07/0114.html
http://archives.neohapsis.com/archives/ntbugtraq/2004-q3/0010.html
Postings by Jelmer
http://archives.neohapsis.com/archives/fulldisclosure/2004-07/0131.html
http://archives.neohapsis.com/archives/fulldisclosure/2004-07/0104.html
Modified Exploit Code
Note: Clicking this link will launch an exploit
http://62.131.86.111/security/idiots/malware2k/installer.htm
Previous @RISK Newsletter Postings (IE Vulnerabilities)
http://www.sans.org/newsletters/risk/vol3_25.php (Item #6)
http://www.sans.org/newsletters/risk/vol3_23.php (Item #1)
http://www.sans.org/newsletters/risk/vol3_7.php (Item #4)
http://www.sans.org/newsletters/risk/vol3_13.php (Item #8)

______________________________________________________________________

Part II: Weekly Comprehensive List of Newly Discovered Vulnerabilities

Week 27 2004

______________________________________________________________________

This list is compiled by Qualys ( www.qualys.com ) as part of that
company's ongoing effort to ensure its vulnerability management web
service tests for all known vulnerabilities that can be scanned. As of
this week Qualys scans for 3528 unique vulnerabilities. For this
special SANS community listing, Qualys also includes vulnerabilities
that cannot be scanned remotely.
______________________________________________________________________

Summary of Updates and Vulnerabilities in this Consensus

Platform                  Number of Updates and Vulnerabilities
------------------------  -------------------------------------
Other Microsoft Products  1
Third Party Windows Apps  6
Linux                     1
BSD                       1
Unix                      1
Cross Platform            12
Web Application           11
Network Device            3

______________________________________________________________________

-- Other Microsoft Products
04.27.1 - Microsoft Internet Explorer Script Execution
-- Third Party Windows Apps
04.27.2 - Lotus Domino Server Remote Denial of Service
04.27.3 - WinGate Information Disclosure
04.27.4 - Easy Chat Server Multiple Denial of Service Vulnerabilities
04.27.5 - Fastream NetFile Directory Traversal
04.27.6 - Mozilla Arbitrary File Execution
04.27.7 - Symantec Norton Antivirus Denial of Service
-- Linux
04.27.8 - Linux Kernel Group Ownership Vulnerability
-- BSD
04.27.9 - SSLTelnetd Remote Syslog Format String Vulnerability
-- Unix
04.27.10 - PureFTPd Remote Denial of Service
-- Cross Platform
04.27.11 - Qualcomm Eudora MIME Attachment Spoofing
04.27.12 - Dr. Web Unspecified Buffer Overflow Vulnerability
04.27.13 - Ethereal iSNS, SMB and SNMP Vulnerability
04.27.14 - AppWeb HTTP Server Multiple Vulnerabilities
04.27.15 - IBM Websphere Edge Server Denial of Service
04.27.16 - MySQL Authentication Bypass Vulnerability
04.27.17 - MySQL Password Length Remote Buffer Overflow
04.27.18 - Symantec Brightmail Information Disclosure
04.27.19 - 12Planet Chat Server Cross-Site Scripting
04.27.20 - Multiple Vendor Internet Browser Weaknesses
04.27.21 - Unreal IRCD IP Address Disclosure
04.27.22 - Opera Web Browser Address Bar URL Spoofing
-- Web Application
04.27.23 - jaws Directory Traversal
04.27.24 - Open WebMail Remote Command Execution
04.27.25 - Netegrity IdentityMinder Cross-Site Scripting Vulnerabilities
04.27.26 - SCI Photo Chat Server Cross-Site Scripting
04.27.27 - Centre Online School Software Multiple Vulnerabilities
04.27.28 - Nguyen Guestbook BBCode HTML Injection
04.27.29 - Open WebMail Email Header HTML Injection
04.27.30 - IlohaMail HTML Injection
04.27.31 - BasiliX Webmail Email Header HTML Injection
04.27.32 - Comersus Cart Multiple Vulnerabilities
04.27.33 - NPDS BB HTML Injection
-- Network Device
04.27.34 - Zoom 5560 X3 Modem Backdoor
04.27.35 - Enterasys XSR Router Denial of Service
04.27.36 - Nokia 3560 Handset Text Message Denial of Service
______________________________________________________________________

04.27.1 CVE: CAN-2004-0549
Platform: Other Microsoft Products
Title: Microsoft Internet Explorer Script Execution
Description: Microsoft Internet Explorer is affected by a security
weakness in the "Shell.Application" object, which may permit malicious
HTML documents to execute script code. All current versions are
affected.
Ref: http://www.kb.cert.org/vuls/id/713878
______________________________________________________________________

04.27.2 CVE: Not Available
Platform: Third Party Windows Apps
Title: Lotus Domino Server Remote Denial of Service
Description: Lotus Domino Server is a suite of collaborative software
tools. It has been reported that Lotus Domino Server is vulnerable to
a denial of service attack. The issue is triggered when a
specially crafted email is viewed through the web interface. When
viewed, the server will attempt to decode the malicious contents,
resulting in an unhandled exception, thus crashing the server.
Ref: http://www.securityfocus.com/archive/1/367761
______________________________________________________________________

04.27.3 CVE: CAN-2004-0577, CAN-2004-0578
Platform: Third Party Windows Apps
Title: WinGate Information Disclosure
Description: Qbik WinGate is an Internet connection sharing proxy
server. Improper sanitization of the "/" character in the
user-supplied URL exposes an information disclosure issue. WinGate
version 5.2.3 build 901 and version 6.0 beta 2 build 942 are
affected.
Ref: http://www.idefense.com/application/poi/display?id=113&type=vulnerabilities&flashstatus=true
______________________________________________________________________

04.27.4 CVE: Not Available
Platform: Third Party Windows Apps
Title: Easy Chat Server Multiple Denial of Service Vulnerabilities
Description: Easy Chat Server is a web-based chat application for
Windows. It is reported to be vulnerable to a denial of service
condition. The issue exists due to insufficient boundary checking of
the "username" parameter and the number of logins per chat room. Easy
Chat Server versions 1.0, 1.1 and 1.2 are reported to be vulnerable.
Ref: http://archives.neohapsis.com/archives/bugtraq/2004-07/0013.html
______________________________________________________________________

04.27.5 CVE: Not Available
Platform: Third Party Windows Apps
Title: Fastream NetFile Directory Traversal
Description: Fastream NetFile is an FTP and HTTP server implementation
for Windows. The server is reported to be vulnerable to a directory
traversal issue. Due to insufficient sanitization of user-supplied
data, an attacker can create, view and delete arbitrary files outside
the web root. Fastream NetFile FTP/Web server versions 6.7.2.1085 and
earlier are reported to be vulnerable.
Ref: http://archives.neohapsis.com/archives/bugtraq/2004-07/0037.html
______________________________________________________________________

04.27.6 CVE: Not Available
Platform: Third Party Windows Apps
Title: Mozilla Arbitrary File Execution
Description: Windows versions of Mozilla products pass URIs using the
"shell:" scheme to the operating system. It is possible to launch
executables in known locations or trigger the default handlers for
file extensions. Mozilla version 1.7.1, Firefox version 0.9.2 and
Thunderbird version 0.7.2 have been released to fix this issue.
Ref: http://mozilla.org/security/shell.html
______________________________________________________________________

04.27.7 CVE: Not Available
Platform: Third Party Windows Apps
Title: Symantec Norton Antivirus Denial of Service
Description: Symantec Norton Antivirus is reported to be vulnerable to
a denial of service condition. The issue exists when the antivirus
product scans a compressed archive that contains a malicious
executable in each of 49647 or more directories. Norton Antivirus 2003
and 2002 are reported to be vulnerable.
Ref: http://archives.neohapsis.com/archives/bugtraq/2004-07/0089.html
______________________________________________________________________

04.27.8 CVE: CAN-2004-0497
Platform: Linux
Title: Linux Kernel Group Ownership Vulnerability
Description: It is reported that the Linux kernel version 2.6 contains
a flaw which allows users to improperly change the group ownership on
arbitrary files. The issue is only exposed when the kernel NFS server
is active. A remote user may be able to modify the ownership
information of the files inside the "proc" directory.
Ref: http://www.suse.de/de/security/2004_20_kernel.html
______________________________________________________________________

04.27.9 CVE: CAN-2004-0640
Platform: BSD
Title: SSLTelnetd Remote Syslog Format String Vulnerability
Description: SSLTelnetd is a utility that implements the telnet
protocol over SSL. Insufficient sanitization in the "syslog()"
function, when called from the "SSL_set_verify()" function, exposes a
format string issue. SSLTelnetd versions 0.13-1 and earlier are
affected.
Ref: http://www.idefense.com/application/poi/display?id=114&type=vulnerabilities
______________________________________________________________________

04.27.10 CVE: Not Available
Platform: Unix
Title: PureFTPd Remote Denial of Service
Description: PureFTPd is an FTP server based on Troll-FTPd. Due to an
issue in the "accept_client()" function, an attacker can cause a
denial of service to legitimate users. PureFTPd versions 1.0.18 and
earlier are affected.
Ref: http://www.gentoo.org/security/en/glsa/glsa-200407-04.xml
______________________________________________________________________

04.27.11 CVE: Not Available
Platform: Cross Platform
Title: Qualcomm Eudora MIME Attachment Spoofing
Description: The Eudora email client is reportedly vulnerable to a
MIME attachment spoofing issue. A user of Eudora could potentially be
tricked into unknowingly sending sensitive files as attachments to
forwarded email. This issue was reported for version 6.1.2 of Eudora.
Ref: http://www.securityfocus.com/archive/1/368157
______________________________________________________________________

04.27.12 CVE: Not Available
Platform: Cross Platform
Title: Dr. Web Unspecified Buffer Overflow Vulnerability
Description: Dr. Web is antivirus software. It has been reported that
an unspecified buffer overflow vulnerability exists in the "scanMail"
function. Version 4.31.4 is known to be vulnerable.
Ref: http://www.securityfocus.com/bid/10628/info/
______________________________________________________________________

04.27.13 CVE: Not Available
Platform: Cross Platform
Title: Ethereal iSNS, SMB and SNMP Vulnerability
Description: Ethereal is a network protocol analyzer. Insufficient
sanitization of malformed iSNS, SMB and SNMP packets can lead to
memory corruption and subsequent denial of service. Ethereal version
0.10.5 has been released to address this issue.
Ref: http://www.ethereal.com/appnotes/enpa-sa-00015.html
______________________________________________________________________

04.27.14 CVE: Not Available
Platform: Cross Platform
Title: AppWeb HTTP Server Multiple Vulnerabilities
Description: Mbedthis Software AppWeb HTTP Server is an embedded web
server solution. It is reportedly vulnerable to multiple security
issues including unauthorized access to restricted web pages and the
ability to view the source code of web CGI scripts. Mbedthis Software
AppWeb HTTP Server versions 1.1.2 and prior were reported to be
vulnerable.
Ref: http://www.mbedthis.com/products/appWeb/doc/newFeatures.html
______________________________________________________________________

04.27.15 CVE: Not Available
Platform: Cross Platform
Title: IBM Websphere Edge Server Denial of Service
Description: IBM Websphere Edge Server is reportedly vulnerable to a
denial of service condition in the "Caching Proxy" component. When
configured in a certain way, the proxy crashes while processing a
specially crafted HTTP GET request. The vendor has released a patch to
address this issue.
Ref: http://www.securityfocus.com/archive/1/368496
______________________________________________________________________

04.27.16 CVE: Not Available
Platform: Cross Platform
Title: MySQL Authentication Bypass Vulnerability
Description: MySQL database server is vulnerable to an authentication
bypass issue. When zero-length password strings are used in
authentication packets, an application logic error is exposed that
leads to successful authentication. This issue is known to exist in
MySQL 4.1 (beta) releases prior to version 4.1.3 and MySQL 5.0
(alpha).
Ref: http://www.nextgenss.com/advisories/mysql-authbypass.txt
______________________________________________________________________

04.27.17 CVE: Not Available
Platform: Cross Platform
Title: MySQL Password Length Remote Buffer Overflow
Description: MySQL is vulnerable to a remotely exploitable stack-based
buffer overflow. Insufficient sanitization of the password length
parameter in the client authentication packet exposes this issue.
MySQL version 4.1 releases prior to 4.1.3 and MySQL version 5.0 are
affected.
Ref: http://www.nextgenss.com/advisories/mysql-authbypass.txt
______________________________________________________________________

04.27.18 CVE: Not Available
Platform: Cross Platform
Title: Symantec Brightmail Information Disclosure
Description: Symantec Brightmail anti-spam is reported to be
vulnerable to an unauthorized message disclosure issue. A remote
attacker can access arbitrary emails by providing a valid value for
the "id" parameter of the "viewMsgDetails.do" script. Symantec
Brightmail anti-spam version 6.0 is reported to be vulnerable.
Ref: http://secunia.com/advisories/12010/
______________________________________________________________________

04.27.19 CVE: Not Available
Platform: Cross Platform
Title: 12Planet Chat Server Cross-Site Scripting
Description: 12Planet Chat Server is a web-based Java chat
application. 12Planet Chat Server version 2.9 is vulnerable to a
cross-site scripting issue due to insufficient sanitization of the
"page" argument in the "one2planet.infolet.InfoServlet" servlet.
Ref: http://www.autistici.org/fdonato/advisory/12PlanetChatServer2.9-adv.txt
______________________________________________________________________

04.27.20 CVE: Not Available
Platform: Cross Platform
Title: Multiple Vendor Internet Browser Weaknesses
Description: Internet browsers from multiple vendors are reportedly
vulnerable to a weakness that allows users to commit unintentional
actions. By predicting or influencing user clicks, malicious sites can
trick users into clicking on pop-up dialog boxes. This could be used
to install ActiveX adware/malware objects on the user's machine.
Ref: http://bugzilla.mozilla.org/show_bug.cgi?id=162020
______________________________________________________________________

04.27.21 CVE: Not Available
Platform: Cross Platform
Title: Unreal IRCD IP Address Disclosure
Description: Unreal ircd is a popular IRC server. Due to a weakness in
the algorithm used to cloak IP addresses in "cloak.c", an attacker can
disclose a user's IP address. Unreal ircd versions 3.2 and earlier are
vulnerable.
Ref: http://www.bandecon.com/advisory/unreal.txt
______________________________________________________________________

04.27.22 CVE: Not Available
Platform: Cross Platform
Title: Opera Web Browser Address Bar URL Spoofing
Description: The Opera web browser is vulnerable to an address bar
spoofing issue. This allows an attacker to manipulate the URL
displayed in the address bar when the browser renders a malicious web
page. Opera web browser version 7.52 is reported to be vulnerable.
Ref: http://secunia.com/advisories/12028/
______________________________________________________________________

04.27.23 CVE: Not Available
Platform: Web Application
Title: jaws Directory Traversal
Description: jaws is a content management system for building dynamic
web sites. jaws is vulnerable to a directory traversal issue due to
insufficient user-input sanitization in the "gadget" parameter of the
"index.php" script. jaws version 0.3 is known to be vulnerable.
Ref: http://www.jaws.com.mx/index.php?gadget=blog&action=single_view&id=8
______________________________________________________________________

04.27.24 CVE: Not Available
Platform: Web Application
Title: Open WebMail Remote Command Execution
Description: Open WebMail is a web mail application written in Perl.
Open WebMail is vulnerable to a remote code execution issue in the
"vacation.pl" script. All versions of Open WebMail released before
June 29, 2004 are vulnerable.
Ref: http://sourceforge.net/forum/message.php?msg_id=2640281
______________________________________________________________________

04.27.25 CVE: Not Available
Platform: Web Application
Title: Netegrity IdentityMinder Cross-Site Scripting Vulnerabilities
Description: Netegrity IdentityMinder allows management of user
account information. Due to insufficient sanitization of user-supplied
input, it is vulnerable to multiple cross-site scripting issues. These
can be used to steal cookie-based authentication credentials from
legitimate users. This issue was reported for the Netegrity
IdentityMinder WebEdition 5.x series.
Ref: http://secunia.com/advisories/12000/
______________________________________________________________________

04.27.26 CVE: Not Available
Platform: Web Application
Title: SCI Photo Chat Server Cross-Site Scripting
Description: SCI Java Photo Chat Server supports multimedia pictures,
sounds, and videos. It is vulnerable to a cross-site scripting issue
due to insufficient user-input sanitization. Version 3.4.9 is known to
be vulnerable.
Ref: http://www.securityfocus.com/archive/1/367863
______________________________________________________________________

04.27.27 CVE: Not Available
Platform: Web Application
Title: Centre Online School Software Multiple Vulnerabilities
Description: Centre is a free student management web application for
schools. Centre is vulnerable to multiple issues such as arbitrary
file include, SQL injection and directory traversal. Centre version
1.0 is known to be vulnerable.
Ref: http://lists.netsys.com/pipermail/full-disclosure/2004-July/023416.html
______________________________________________________________________

04.27.28 CVE: Not Available
Platform: Web Application
Title: Nguyen Guestbook BBCode HTML Injection
Description: Tri Dung Nguyen Guestbook is a web-based guestbook
application. Due to insufficient user-input sanitization in the BBCode
implementation, an attacker could inject malicious HTML code into the
web site. Guestbook version 1.25 is known to be vulnerable.
Ref: http://www.securityfocus.com/bid/10665
______________________________________________________________________

04.27.29 CVE: Not Available
Platform: Web Application
Title: Open WebMail Email Header HTML Injection
Description: Open WebMail is reported to be vulnerable to an email
header HTML injection issue. This issue is due to a failure of the
application to properly sanitize user-supplied email header strings.
OpenWebmail versions 2.32 and prior are reported to be vulnerable.
Ref: http://secunia.com/advisories/11778/
______________________________________________________________________

04.27.30 CVE: Not Available
Platform: Web Application
Title: IlohaMail HTML Injection
Description: IlohaMail is a webmail package. Insufficient sanitization
of the "Content-Type" header field exposes an HTML injection issue.
IlohaMail versions 0.8.12 and earlier are affected.
Ref: http://xforce.iss.net/xforce/xfdb/16285
______________________________________________________________________

04.27.31 CVE: Not Available
Platform: Web Application
Title: BasiliX Webmail Email Header HTML Injection
Description: BasiliX is a web-based mail application. It is reported
to be vulnerable to an email header HTML injection due to insufficient
sanitization of the email headers. An attacker can exploit this issue
to gain access to an unsuspecting user's cookie-based authentication
credentials. BasiliX versions 1.1.0 and 1.1.1 are reported to be
vulnerable.
Ref: http://www.securityfocus.com/bid/10666
______________________________________________________________________

04.27.32 CVE: Not Available
Platform: Web Application
Title: Comersus Cart Multiple Vulnerabilities
Description: Comersus Cart is an ASP-based e-commerce shopping cart
application. Insufficient sanitization of user-supplied input in the
"message" parameter of certain scripts exposes a cross-site scripting
issue. These scripts are vulnerable:
"store/comersus_customerAuthenticateForm.asp",
"backofficeLite/comersus_backoffice_message.asp" and
"store/comersus_supportError.asp". Comersus Cart version 5.09 is
affected.
Ref: http://archives.neohapsis.com/archives/bugtraq/2004-07/0068.html
______________________________________________________________________

04.27.33 CVE: Not Available
Platform: Web Application
Title: NPDS BB HTML Injection
Description: NPDS BB is a web-based forum. NPDS BB is vulnerable to an
HTML injection issue in the "topic" field due to insufficient
user-input sanitization.
Ref: http://archives.neohapsis.com/archives/bugtraq/2004-07/0072.html
______________________________________________________________________

04.27.34 CVE: Not Available
Platform: Network Device
Title: Zoom 5560 X3 Modem Backdoor
Description: The Zoom 5560 X3 Ethernet ADSL modem is reported to contain
a default backdoor account. This account can be accessed via TCP port
254 with the password "DEFAULT".
Ref: http://archives.neohapsis.com/archives/bugtraq/2004-07/0061.html
______________________________________________________________________

04.27.35 CVE: Not Available
Platform: Network Device
Title: Enterasys XSR Router Denial of Service
Description: Enterasys XSR router family has firewall, VPN and
standard router capabilities built in. When these devices process
packets with the IP record route option, they will reportedly crash.
The XSR-1800 series of routers with firmware version 7.0.0.0 are
affected.
Ref: http://www.enterasys.com/support/security/incidents/2004/07/11036.html
______________________________________________________________________

04.27.36 CVE: Not Available
Platform: Network Device
Title: Nokia 3560 Handset Text Message Denial of Service
Description: Nokia 3560 handset is reported to be vulnerable to a
remote denial of service condition. The issue is triggered when a
specially crafted text message is sent to the device.
Ref: http://seclists.org/lists/fulldisclosure/2004/Jul/0350.html
______________________________________________________________________

(c) 2004. All rights reserved. The information contained in this
newsletter, including any external links, is provided "AS IS," with no
express or implied warranty, for informational purposes only. In some
cases, copyright for material in this newsletter may be held by a
party other than Qualys (as indicated herein) and permission to use
such material must be requested from the copyright owner.

==end==

Subscriptions: @RISK is distributed free of charge to people
responsible for managing and securing information systems and networks.
You may forward this newsletter to others with such responsibility
inside or outside your organization.

To subscribe, at no cost, go to https://portal.sans.org where you may
also request subscriptions to any of SANS other free newsletters.

To change your subscription, address, or other information, visit
http://portal.sans.org

Copyright 2004. All rights reserved. No posting or reuse allowed,
other than listed above, without prior written permission.

