Came across this, so I'm passing it along.
A very tough week for vulnerable web sites using Microsoft IIS and for
worried Internet Explorer users concerned about whether keystroke
loggers were installed on their systems to steal credit cards and
passwords. The biggest issue facing the web site victims is whether to
go public to warn individual users that they might have been exploited.
Those who don’t warn their users risk both reputational and legal
liability. Those who do tell are also at risk. The entire debacle
reminds us of the enormous danger created when a software vendor
persuades thousands of clients that installing a web site is so easy
"anyone can do it." When that same vendor doesn't take responsibility
for securing the systems installed by "anyone," lots of people are put
at risk. (#6 in Part I) Lotus Notes users also were busy patching their
systems quickly this week. (#2 in Part I)
Jeff Kirby from Cornell University graciously suggested an improved
design for @RISK bringing more of the timely information to the front
and pushing the static information to the back, plus other improvements.
Tell us if you like it or you would rather we return to the old design.
Alan
@RISK: The Consensus Security Vulnerability Alert
June 28, 2004 Vol. 3. Week 25
Summary of the vulnerabilities reported this week
Category - # of Updates & Vulnerabilities
Windows - 1 (#6)
Other Microsoft Products - 1
Third Party Windows Apps - 2 (#2)
Linux - 7 (#5)
Solaris - 2 (#1, #3)
UNIX - 4
Novell - 1
Cross Platform - 3
Web Application - 8 (#4)
Network Device - 6 (#1)
Table of Contents
Part I – Critical Vulnerabilities
from TippingPoint (www.tippingpoint.com)
-- Widely Deployed Software
(1) MODERATE: ISC DHCP Buffer Overflow Vulnerabilities
(2) MODERATE: IBM Lotus Notes URI Handling Vulnerability
-- Other Software
(3) HIGH: rlprd Format String Vulnerability
(4) MODERATE: PHP-Nuke Journal Module SQL Injection
(5) MODERATE: Asterisk Logging Format String Vulnerabilities
-- Incident Notes
(6) IIS Server and Internet Explorer Exploitation
Part II – Comprehensive List of Newly Discovered Vulnerabilities
from Qualys (www.qualys.com)
-- Other Microsoft Products
04.25.1 - Internet Explorer Non-FQDN URL Address Zone Bypass
-- Third Party Windows Apps
04.25.2 - ZoneAlarm Mobile Code Filter Bypass
04.25.3 - Lotus Notes URL Handler Remote Code Execution
-- Linux
04.25.4 - Asterisk PBX Logging Format String Vulnerabilities
04.25.5 - Sup Remote Syslog Format String Vulnerability
04.25.6 - TildeSlash Monit Authentication Buffer Overflow
04.25.7 - ISC DHCPD vsnprintf() Buffer Overflow
04.25.8 - gzexe Temporary File Command Execution
04.25.9 - Linux Kernel IEEE 1394 Integer Overflow Vulnerability
04.25.10 - Linux Kernel Broadcom 5820 Cryptonet Driver Integer Overflow
-- Solaris
04.25.11 - Basic Security Module Denial of Service Vulnerability
04.25.12 - Sun StorEdge ESM Unspecified Privilege Escalation Vulnerability
-- Unix
04.25.13 - rssh Information Disclosure Vulnerability
04.25.14 - Multiple ircd Socket Dequeuing Denial of Service
04.25.15 - rlpr Multiple Vulnerabilities
04.25.16 - Radius SNMP Remote Denial of Service
-- Novell
04.25.17 - Novell iChain SNMP Information Disclosure
-- Cross Platform
04.25.18 - Epic Games Unreal Engine Memory Corruption
04.25.19 - ISC DHCPD Logging Buffer Overflow
04.25.20 - giFT-FastTrack Remote Denial of Service
-- Web Application
04.25.21 - www-sql Include Command Buffer Overflow
04.25.22 - ASP-Rider Cookie Administrative Access Vulnerability
04.25.23 - osTicket Remote Command Execution
04.25.24 - SqWebMail Email Header HTML Injection
04.25.25 - ArbitroWeb Cross-Site Scripting vulnerability
04.25.26 - PHP-Nuke Multiple Vulnerabilities
04.25.27 - php-exec-dir Command Access Restriction Bypass
04.25.28 - VBulletin HTML Injection Vulnerability
-- Network Device
04.25.29 - Infoblox DNS One Script Injection Vulnerability
04.25.30 - netHSM Passphrase Information Disclosure
04.25.31 - Netgear FVS318 Router Denial of Service
04.25.32 - D-Link AirPlus DHCP Log HTML Injection
04.25.33 - BT Voyager 2000 SNMP Information Disclosure
04.25.34 - 3Com SuperStack Web Interface Denial of Service
________ Highlighted Security Training For This Week _________________
SANS largest Fall conference will be in Las Vegas this year - September
28 to October 6. The brochures will arrive in a week or so with
seventeen immersion tracks and special one day programs and a big vendor
expo.
http://www.sans.org/ns2004
Part I – Critical Vulnerabilities – from TippingPoint
Widely Deployed Software
(1) MODERATE: ISC DHCP Buffer Overflow Vulnerabilities
Affected: DHCP daemon versions 3.0.1rc12 and 3.0.1rc13
Description: ISC's freely redistributable implementation of the DHCP
protocol includes a DHCP server, a DHCP client and a DHCP relay agent.
This implementation ships with many operating systems and networking
products. The DHCP server contains the following buffer overflows:
(1) A malicious client can trigger a buffer overflow via DHCP "DISCOVER"
or "REQUEST" packets that contain multiple "hostname" options. The
"hostname" option lets a DHCP client report its host name to the DHCP
server, which logs it. The server does not expect more than one
"hostname" option per packet; when several are present their values are
concatenated, and the concatenated string overflows a fixed-size buffer.
This stack-based buffer overflow can be exploited to crash the DHCP
server (a DoS) and possibly to execute arbitrary code on the server with
root privileges.
(2) The "vsnprintf" and "vsprintf" C functions copy variable arguments
into a buffer according to a specified format string; the difference is
that "vsnprintf" takes a size argument and bounds the number of bytes
copied, whereas "vsprintf" does not. On certain platforms "vsnprintf" is
not available, and the DHCP server then falls back to the unbounded
function, so on those platforms client-supplied data is copied into
fixed-size buffers with no bounds checking.
The technical details required to exploit these vulnerabilities have
been posted. Note that in order to exploit the flaws remotely, an
attacker may need to correctly guess the range of IP addresses being
leased by the targeted DHCP server.
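The two flaws above are easiest to see side by side in code. The following is an added example, not ISC's dhcpd source: a minimal RFC 2132 option walker with the "concatenate every hostname option" policy modelled next to a hardened walker, plus a bounded logging call of the kind that loses its bound when vsnprintf() is unavailable. The 64-byte buffer size, the option-building helper and the demo_* wrappers are assumptions for the demonstration; the real buffer size is not given on this page.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define DHO_PAD        0     /* RFC 2132 option codes */
#define DHO_HOST_NAME 12
#define DHO_END      255
#define HOSTNAME_BUFSZ 64    /* assumed fixed buffer size for the demo */

/* Walk a DHCP options field (code, length, value triples) and add up the
   bytes a naive "concatenate every host-name option" policy would copy into
   a HOSTNAME_BUFSZ buffer. Returns the total, or (size_t)-1 if the field is
   malformed. It models the flaw without performing the overflow. */
size_t hostname_bytes_needed(const uint8_t *opts, size_t len)
{
    size_t i = 0, total = 0;
    while (i < len) {
        uint8_t code = opts[i++];
        if (code == DHO_PAD) continue;
        if (code == DHO_END) break;
        if (i >= len) return (size_t)-1;
        uint8_t olen = opts[i++];
        if (i + olen > len) return (size_t)-1;
        if (code == DHO_HOST_NAME) total += olen;   /* unbounded accumulation */
        i += olen;
    }
    return total;
}

/* Hardened walk: one host-name option only, length checked against the
   destination before the copy, result NUL-terminated. Returns 0 on success,
   -1 if too long, -2 on a repeated option, -3 if the field is malformed. */
int collect_hostname_safe(const uint8_t *opts, size_t len, char *out, size_t outsz)
{
    size_t i = 0;
    int seen = 0;
    if (outsz == 0) return -1;
    out[0] = '\0';
    while (i < len) {
        uint8_t code = opts[i++];
        if (code == DHO_PAD) continue;
        if (code == DHO_END) break;
        if (i >= len) return -3;
        uint8_t olen = opts[i++];
        if (i + olen > len) return -3;
        if (code == DHO_HOST_NAME) {
            if (seen) return -2;
            if (olen >= outsz) return -1;
            memcpy(out, opts + i, olen);
            out[olen] = '\0';
            seen = 1;
        }
        i += olen;
    }
    return 0;
}

/* Constructed input: `count` host-name options of `namelen` 'a's, then END.
   Returns bytes written, or 0 if buf is too small. */
size_t build_hostname_options(uint8_t *buf, size_t bufsz, int count, uint8_t namelen)
{
    size_t p = 0;
    if ((size_t)count * (2u + namelen) + 1 > bufsz) return 0;
    for (int n = 0; n < count; n++) {
        buf[p++] = DHO_HOST_NAME;
        buf[p++] = namelen;
        memset(buf + p, 'a', namelen);
        p += namelen;
    }
    buf[p++] = DHO_END;
    return p;
}

/* Logging with an explicit bound. The platform fallback from vsnprintf() to
   vsprintf() is exactly the loss of `linesz` here. Returns 1 if the line was
   truncated (i.e. would have overflowed without the bound), else 0. */
int log_hostname(char *line, size_t linesz, const char *hostname)
{
    int n = snprintf(line, linesz, "DHCPDISCOVER from client with hostname %s", hostname);
    return (n < 0 || (size_t)n >= linesz) ? 1 : 0;
}

/* Wrappers so each scenario is a single call. */
size_t demo_unsafe_bytes(int count, uint8_t namelen)
{
    uint8_t pkt[1024];
    size_t n = build_hostname_options(pkt, sizeof pkt, count, namelen);
    return hostname_bytes_needed(pkt, n);
}
int demo_safe_status(int count, uint8_t namelen)
{
    uint8_t pkt[1024]; char name[HOSTNAME_BUFSZ];
    size_t n = build_hostname_options(pkt, sizeof pkt, count, namelen);
    return collect_hostname_safe(pkt, n, name, sizeof name);
}
int demo_log_truncated(uint8_t namelen)
{
    uint8_t pkt[1024]; char name[HOSTNAME_BUFSZ], line[96];
    size_t n = build_hostname_options(pkt, sizeof pkt, 1, namelen);
    collect_hostname_safe(pkt, n, name, sizeof name);
    return log_hostname(line, sizeof line, name);
}

int main(void)
{
    printf("20 x 10-byte hostnames: unsafe policy copies %zu bytes into %d, safe returns %d\n",
           demo_unsafe_bytes(20, 10), HOSTNAME_BUFSZ, demo_safe_status(20, 10));
    printf("one 60-byte hostname: safe returns %d, log truncated=%d\n",
           demo_safe_status(1, 60), demo_log_truncated(60));
    return 0;
}
```

The safe walker rejects a second hostname option outright rather than keeping the first and ignoring the rest, so a packet that could only come from a non-conforming or hostile client never reaches the log path at all.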
Status: Vendor confirmed, upgrade to version 3.0.1rc14. For a complete
list of vulnerable vendors, please refer to the CERT advisory. A
workaround is to block access to the DHCP server (port 67/udp) at the
network perimeter.
Council Site Actions: The affected software or version of software is
not in production or widespread use at any of the council sites. They
reported that no action was necessary.
References:
CERT Advisory and Vulnerability Notes
http://www.us-cert.gov/cas/techalerts/TA04-174A.html
http://www.kb.cert.org/vuls/id/317350
http://www.kb.cert.org/vuls/id/654390
RFCs
http://www.ietf.org/rfc/rfc2131.txt (DHCP)
http://www.ietf.org/rfc/rfc1533.txt (DHCP Options)
Product Homepage
http://www.isc.org/sw/dhcp
SecurityFocus BIDs
http://www.securityfocus.com/bid/10590
http://www.securityfocus.com/bid/10591
(2) MODERATE: IBM Lotus Notes URI Handling Vulnerability
Affected: Lotus Notes versions 6.0.3 and 6.5
Description: The Lotus Notes software suite is designed to provide users
a single access point to frequently used applications like e-mail,
calendar, instant messaging and web browser. The software installs a URI
handler that interprets URIs beginning with “notes:”. This URI handler
contains a remote command injection vulnerability. The problem occurs
because the URI handler passes the "notes:" URI as an argument to the
"notes.exe" program without sufficient sanitization. A malicious web page
or e-mail can exploit this flaw to invoke "notes.exe" with additional
command-line options. The posted advisory shows how those command-line
options can be used to load attacker-supplied DLLs, which may lead to
compromise of the client.
Status: Vendor confirmed, upgrade to version 6.0.4 or 6.5.2. A
workaround is to remove the registry key that registers the "notes:"
URI handler. Another possible workaround is to block access to ports
139/tcp and 445/tcp at the network perimeter, which prevents the client
from fetching the attacker-specified Lotus Notes configuration file.
Council Site Actions: Only two of the reporting council sites are
running the affected software. One site has already implemented the
workaround. They will deploy the patch during their next regularly scheduled
system update process. The second site only has a handful of systems
running the affected software. They believe the maintainers of their
Lotus Notes installations stay up-to-date with patches. They also block
ports 139 and 445 at their network security perimeters. Given these two
conditions, they don’t plan further action at this time.
References:
Posting by Jouko Pynnonen
http://archives.neohapsis.com/archives/ful…04-06/0894.html
IBM Advisory
http://www-1.ibm.com/support/docview.wss?r…uid=swg21169510
Lotus Notes Homepage
http://www.lotus.com/products/product4.nsf…s/noteshomepage
SecurityFocus BID
http://www.securityfocus.com/bid/10600
Other Software
(3) HIGH: rlprd Format String Vulnerability
Affected: rlpr version 2.0.4
Description: The rlpr package includes printing utilities that offer
enhanced functions compared to the "lpr", "lprm" and "lpq" programs on
UNIX platforms. The rlprd server is a proxy that sits between "rlpr"
clients and standard "lpd" printers. This server, which listens on port
7290/tcp by default, contains a format string vulnerability:
client-supplied data reaches its msg() function as a format string
(see 04.25.15). An unauthenticated attacker can trigger the flaw by
placing a format directive such as "%1" in the first 64 bytes of data
sent to the server. The flaw can be exploited to execute arbitrary code
with the privileges of rlprd. An exploit has been publicly posted.
Status: Vendor confirmed, patches available.
Council Site Actions: Only one of the reporting council sites is running
the affected software, but only on a handful of systems. The only
action they have planned at this time is to scan their network to see
if any machines are listening on TCP port 7290. They don't
believe that their Debian administrators would select rlprd as the
default printer daemon.
References:
Posting by Jaguar
http://www.securityfocus.com/archive/1/367…21/2004-06-27/0
Exploit Code
www.felinemenace.org/exploits/rlprd.py
Debian Advisory
http://www.nl.debian.org/security/2004/dsa-524
rlpr Manual
http://smokeping.planetmirror.com/pub/hpfr…r-2.02.man.html
SecurityFocus BID
http://www.securityfocus.com/bid/10578
(4) MODERATE: PHP-Nuke Journal Module SQL Injection
Affected: PHP-Nuke version 7.x
Description: PHP-Nuke, a popular open-source portal, contains a SQL
injection vulnerability in the "Journal" module's "search.php" script.
An attacker can exploit the flaw by supplying arbitrary SQL in the
script's "forwhat" parameter, which is placed into a query without
sanitization. This may lead to compromise of the back-end database
and/or the portal. The posted advisory shows how to craft an HTTP
request that extracts the MD5 hash of the portal administrator's
password.
Status: Vendor not confirmed, no patches available.
Council Site Actions: Only two of the reporting council sites are
running the affected software. One site plans no action at this time
since the number of affected systems is very low and the system owners
are typically good at keeping the systems up to date. The second site
plans to install the patches during their next regularly scheduled
system update process. In the mean time, they have notified their UNIX
support team.
References:
Posting by Janek Vind
http://archives.neohapsis.com/archives/ful…04-06/0739.html
Secunia Advisory
http://secunia.com/advisories/11920
Vendor Homepage
http://phpnuke.org/
SecurityFocus BID
Not yet available.
(5) MODERATE: Asterisk Logging Format String Vulnerabilities
Affected: Asterisk version 0.7.x
Description: Asterisk, Linux-based open-source PBX/telephony software,
contains multiple format string vulnerabilities in its logging
functions. The flaws may be exploited to crash the Asterisk server and
possibly to execute arbitrary code. A proof-of-concept exploit has been
publicly posted.
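The rlprd item (3) and this Asterisk item describe the same bug class: bytes a remote client controls are handed to a printf-family function as the format string instead of as an argument. The following is an added example, not code from rlpr, Asterisk or the advisories. The msg() name mirrors the function named in the rlpr advisory but its body, the "request from client:" prefix and the 64-byte detection window are assumptions for the demonstration.

```c
#include <stdarg.h>
#include <stdio.h>
#include <string.h>

/* Logging helper in the style of rlpr's msg(): formats into `out` with
   vsnprintf(). It is exactly as safe as its caller, because whoever
   supplies `fmt` decides which directives run. No format attribute is
   declared, so the compiler stays silent when a caller passes client data
   as `fmt`; that silence is part of the problem. */
static int msg(char *out, size_t outsz, const char *fmt, ...)
{
    va_list ap;
    va_start(ap, fmt);
    int n = vsnprintf(out, outsz, fmt, ap);
    va_end(ap);
    return n;
}

/* Detection check: count printf conversion directives in attacker-controllable
   text, i.e. every '%' that is not the "%%" escape. Any non-zero count that
   reaches a format argument gives the client stack reads (%x, %s) and
   writes (%n). The rlprd flaw triggers on the first 64 bytes, so `limit`
   lets a filter inspect just that window. */
size_t count_directives(const char *s, size_t limit)
{
    size_t n = 0;
    for (size_t i = 0; i < limit && s[i]; i++) {
        if (s[i] != '%') continue;
        if (s[i + 1] == '%') { i++; continue; }
        n++;
    }
    return n;
}

/* Vulnerable pattern: the client's bytes *are* the format string. The guard
   returns -1 instead of calling msg() when directives are present, because
   executing them here would be undefined behaviour; the real daemons have
   no such guard and run whatever the client sent. */
int log_request_unsafe(const char *client_data, char *out, size_t outsz)
{
    if (count_directives(client_data, (size_t)-1) > 0) return -1;
    return msg(out, outsz, client_data);          /* the bug: data used as fmt */
}

/* Fixed pattern: a constant format string, client data as an argument.
   "%x%n" from the client is now stored as four bytes of text. */
int log_request_safe(const char *client_data, char *out, size_t outsz)
{
    return msg(out, outsz, "request from client: %s", client_data);
}

/* Returns 1 if the safe path stored `client_data` verbatim after the prefix. */
int safe_path_is_literal(const char *client_data)
{
    char line[256];
    static const char prefix[] = "request from client: ";
    log_request_safe(client_data, line, sizeof line);
    return strncmp(line, prefix, sizeof prefix - 1) == 0
        && strcmp(line + sizeof prefix - 1, client_data) == 0;
}

int main(void)
{
    /* Constructed sample request: directives inside the first 64 bytes,
       as the rlprd advisory describes. */
    const char *hostile = "job-name-%x%x%x%n";
    char line[256];
    printf("directives in first 64 bytes: %zu\n", count_directives(hostile, 64));
    printf("unsafe path: %d (refused; would run client directives)\n",
           log_request_unsafe(hostile, line, sizeof line));
    log_request_safe(hostile, line, sizeof line);
    printf("safe path:   \"%s\"\n", line);
    return 0;
}
```

count_directives() is the check to run over a packet capture or a log of inbound job names when auditing for attempts against rlprd, sup (04.25.5) or Asterisk; a non-zero count in data that should never contain '%' is the signal.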
Status: Vendor confirmed, upgrade to version 0.9.0
Council Site Actions: The affected software or version of software is not
in production or widespread use at any of the council sites. They
reported that no action was necessary.
References:
Vendor Homepage
http://www.asterisk.org
PoC Exploit
http://downloads.securityfocus.com/vulnera…k_fmt_string.pl
SecurityFocus BID
http://www.securityfocus.com/bid/10569
Incident Notes
(6) IIS Server and Internet Explorer Exploitation
Multiple IIS servers have reportedly been compromised. The compromised
servers are being used to install malware on connecting clients by
exploiting Internet Explorer vulnerabilities. It is not entirely clear
whether the IIS servers were compromised through the "PCT SSL" buffer
overflow (fixed by the MS04-011 patch) or through a yet-unpublished
flaw. The Internet Explorer vulnerabilities being exploited were
discussed in a previous issue of the @RISK newsletter. Note that no
patch is yet available for these IE vulnerabilities.
Council Site Actions: None of the reporting council sites saw additional
activity as the result of this exploit release. They have not changed
from their original plans to install the patches, once they are
released, during their normal systems update process.
References:
Analysis by Symantec
http://tms.symantec.com/documents/040624-A…rverReports.pdf
http://tms.symantec.com/documents/040617-A…nCompromise.pdf
Analysis by LURHQ
http://www.lurhq.com/berbew.html
SANS Handler’s Diary
http://www.incidents.org/diary.php?date=20…b771d6e79184649
http://isc.incidents.org/diary.php?date=20…a8fec565956c0d1
Microsoft Incident Notes
http://www.microsoft.com/security/incident…nload_ject.mspx
Previous @RISK Newsletter Postings
http://www.sans.org/newsletters/risk/vol3_23.php (Item #1)
http://www.sans.org/newsletters/risk/vol3_15.php (Item #1)
Part II – Comprehensive List for Week 25 2004 – from Qualys
04.25.1 CVE: Not Available
Platform: Other Microsoft Products
Title: Internet Explorer Non-FQDN URL Address Zone Bypass
Description: An issue with Microsoft Internet Explorer (IE) has been
reported that allows malicious web sites to bypass the zone security
settings. A specially crafted non-FQDN URL tricks IE into rendering the
content with the less restrictive settings of another zone. All current
versions of IE are reported to be vulnerable.
Ref: http://www.securityfocus.com/archive/1/366490
04.25.2 CVE: Not Available
Platform: Third Party Windows Apps
Title: ZoneAlarm Mobile Code Filter Bypass
Description: ZoneAlarm Pro is a firewall for Microsoft Windows. It
supports a “Mobile Code” filter designed to block potentially
dangerous active web content. The “Mobile Code” filter fails to
analyze active content from web sites that are viewed using the HTTPS
protocol. ZoneAlarm Pro version 5.0.590.015 is affected.
Ref: http://www.kurczaba.com/securityadvisories/0406214.htm
04.25.3 CVE: CAN-2004-0480
Platform: Third Party Windows Apps
Title: Lotus Notes URL Handler Remote Code Execution
Description: Lotus Notes, a groupware application, is vulnerable to a
URL handler issue: the handler for "notes:" URLs does not sanitize its
input sufficiently. A specially crafted URL, when followed, will load
attacker-supplied DLL code. Current versions of Lotus Notes are reported
to be vulnerable.
Ref: http://seclists.org/lists/fulldisclosure/2004/Jun/0799.html
04.25.4 CVE: Not Available
Platform: Linux
Title: Asterisk PBX Logging Format String Vulnerabilities
Description: Asterisk is a PBX system developed for Linux. Asterisk is
subject to multiple format string vulnerabilities caused by insufficient
sanitization of data passed to its logging functions. Asterisk versions
0.7.0 through 0.7.2 have been reported to be vulnerable.
Ref: http://www.penguin-skills.com/index.php?action=view&id=99
04.25.5 CVE: CAN-2004-0451
Platform: Linux
Title: Sup Remote Syslog Format String Vulnerability
Description: Sup is an application that synchronizes collections of
files across multiple systems. It contains a remotely exploitable format
string vulnerability caused by insecure use of the "syslog()" function.
Attackers exploiting this weakness could execute arbitrary code. Debian
Linux version 3.0 and Sup version 1.8 are reported to be vulnerable.
Ref: http://archives.neohapsis.com/archives/bug…04-06/0361.html
04.25.6 CVE: Not Available
Platform: Linux
Title: TildeSlash Monit Authentication Buffer Overflow
Description: TildeSlash Monit is a system and network monitoring utility.
It is reported to be vulnerable to a stack-based buffer overflow during
authentication handling, caused by improper length validation of the
"username" field. Monit versions 4.2 and prior are reported to be
vulnerable.
Ref: http://www.securityfocus.com/bid/10581/info/
04.25.7 CVE: CAN-2004-0461
Platform: Linux
Title: ISC DHCPD vsnprintf() Buffer Overflow
Description: ISC DHCPD is reported vulnerable to remotely exploitable
buffer overflows. The issue arises on systems that lack the
"vsnprintf()" function, where DHCPD falls back to an unbounded call and
the size argument is discarded. Successful exploitation may lead to a
denial of service or remote code execution. This issue is reported to
affect ISC DHCPD versions 3.0.1rc12 and 3.0.1rc13.
Ref: http://www.us-cert.gov/cas/techalerts/TA04-174A.html
04.25.8 CVE: Not Available
Platform: Linux
Title: gzexe Temporary File Command Execution
Description: GNU gzexe is reportedly vulnerable to a privilege
escalation issue. If the creation of a temporary file fails when using
gzexe, instead of bailing out, it executes the command given as
argument. An attacker could thereby have an unsuspecting user execute
an arbitrary file when decompression fails this way. This issue was
reported for version 1.3.3 of gzip.
Ref: http://article.gmane.org/gmane.linux.gentoo.announce/376
04.25.9 CVE: Not Available
Platform: Linux
Title: Linux Kernel IEEE 1394 Integer Overflow Vulnerability
Description: The IEEE 1394 driver implements access to the IEEE 1394
high speed serial bus. The Linux kernel driver for IEEE 1394 is
subject to an integer overflow vulnerability. Successful exploitation
could lead to system crash, or possible arbitrary code execution. The
driver is included in the latest stable versions of the 2.4 and 2.6
branches.
Ref: http://secunia.com/advisories/11931/
04.25.10 CVE: Not Available
Platform: Linux
Title: Linux Kernel Broadcom 5820 Cryptonet Driver Integer Overflow
Description: The Broadcom Cryptonet BCM5820 is a hardware cryptography
accelerator device. The bcm5820 Linux kernel driver contains an
integer overflow vulnerability that could lead to a system crash, or
possible code execution. Redhat 8 with Linux kernel 2.4.20 is known to
include the vulnerable driver.
Ref: http://secunia.com/advisories/11936/
04.25.11 CVE: Not Available
Platform: Solaris
Title: Solaris Basic Security Module Denial of Service Vulnerability
Description: Local unprivileged users may be able to panic Solaris
systems with Basic Security Module (BSM) enabled causing a denial of
service. This issue can only occur on systems where BSM has been
configured to audit the Administrative audit class “ad” or the
System-Wide Administration audit class “as”.
Ref: http://sunsolve.sun.com/pub-cgi/retrieve.p…c=fsalert/57497
04.25.12 CVE: Not Available
Platform: Solaris
Title: Sun StorEdge ESM Unspecified Privilege Escalation
Vulnerability
Description: A local unprivileged user may be able to gain
unauthorized root access on systems with Sun StorEdge Enterprise
Storage Manager (ESM) 2.1 installed. This issue only occurs when a
non-root user has been assigned the “ESMUser” role on the management
station.
Ref: http://sunsolve.sun.com/pub-cgi/retrieve.p…c=fsalert/57581
04.25.13 CVE: Not Available
Platform: Unix
Title: rssh Information Disclosure Vulnerability
Description: rssh is a shell that restricts users to utilizing scp or
sftp. When a user inside the chroot jail uses a wildcard to copy all
files in a directory, an error message is returned for all files that
exist outside the chroot jail. This will allow the user to identify
files outside of the chroot environment. rssh versions 2.0 to 2.1.x
are affected.
Ref: http://www.securityfocus.com/archive/1/366691
04.25.14 CVE: Not Available
Platform: Unix
Title: Multiple ircd Socket Dequeuing Denial of Service
Description: Due to faulty logic in the socket dequeuing mechanism
used in "hybrid 7" and the derived "ircd-ratbox", it is possible to
severely lag an IRC server using a low-bandwidth denial of service
attack. ircd-hybrid versions 7.0.1 and earlier, ircd-ratbox versions
1.5.1 and earlier, and ircd-ratbox versions 2.0rc6 and earlier are
known to be vulnerable.
Ref: http://www.securityfocus.com/archive/1/366486
04.25.15 CVE: CAN-2004-0393, CAN-2004-0454
Platform: Unix
Title: rlpr Multiple Vulnerabilities
Description: rlpr is a utility to print files on remote sites to a
local printer. Insufficient sanitization of user supplied data in the
"msg()" function exposes format string and buffer overflow
vulnerabilities. rlpr versions 2.04 and prior are affected by these
issues.
Ref: http://felinemenace.org/advisories/rlprd
04.25.16 CVE: CAN-2004-0576
Platform: Unix
Title: Radius SNMP Remote Denial of Service
Description: GNU Radius is an authentication and accounting server
that includes support for Simple Network Management Protocol (SNMP).
By sending a specially crafted SNMP packet with an invalid Object ID
(OID), an attacker can crash the server resulting in a denial of
service condition. The Radius server is only vulnerable if it was
compiled with the "--enable-snmp" option. GNU Radius version 1.1 is
known to be vulnerable.
Ref: http://www.idefense.com/application/poi/di…vulnerabilities
04.25.17 CVE: Not Available
Platform: Novell
Title: Novell iChain SNMP Information Disclosure
Description: Novell iChain Server is a security product for managing
network security access controls. iChain implements a web server with
limited functionality. The iChain server uses the “public” community
string for read-only access. A remote attacker could leverage this to
gather sensitive information.
Ref: http://support.novell.com/cgi-bin/search/s…d.cgi?/10080762.htm
04.25.18 CVE: Not Available
Platform: Cross Platform
Title: Epic Games Unreal Engine Memory Corruption
Description: Epic Games Unreal Engine is a 3D game engine used by
"Unreal" and other games. Insufficient sanitization of user supplied
input via the “secure” query in the UDP packet causes memory
corruption, leading to a denial of service.
Ref: http://aluigi.altervista.org/adv/unsecure-adv.txt
04.25.19 CVE: CAN-2004-0460
Platform: Cross Platform
Title: ISC DHCPD Logging Buffer Overflow
Description: ISC DHCPD has been reported to be subject to a remotely
exploitable buffer overflow vulnerability. The issue presents itself
when DHCPD logs hostname options provided by DHCP clients. Correctly
exploited, this vulnerability would allow the execution of attacker
supplied code. ISC DHCPD versions 3.0.1rc12 and 3.0.1rc13 have been
reported to be vulnerable.
Ref: http://www.us-cert.gov/cas/techalerts/TA04-174A.html
04.25.20 CVE: Not Available
Platform: Cross Platform
Title: giFT-FastTrack Remote Denial of Service
Description: giFT-FastTrack is a module for the giFT file sharing
daemon. Insufficient sanitization of user supplied input in
"string_sep()" function of the “src/fst_http_header.c” file causes the
application to crash. giFT-FastTrack versions 0.8.6 and earlier are
affected.
Ref: http://gift-fasttrack.berlios.de/
04.25.21 CVE: CAN-2004-0455
Platform: Web Application
Title: www-sql Include Command Buffer Overflow
Description: www-sql is a web-based application that translates
database contents into HTML documents for remote viewing. It is
reportedly vulnerable to a buffer overflow condition in its remote CGI
script include functionality. Properly exploited, this could allow a
malicious user to execute arbitrary code. www-sql version 0.5.7 has
been reported to be vulnerable.
Ref: http://www.securityfocus.com/advisories/6876
04.25.22 CVE: Not Available
Platform: Web Application
Title: ASP-Rider Cookie Administrative Access Vulnerability
Description: ASP-Rider is a weblogging application. Insufficient
sanitization of malformed cookies exposes an issue that allows a
remote attacker to gain administrative access. ASP-Rider version 1.6
is affected.
Ref: http://www.securitytracker.com/alerts/2004/Jun/1010549.html
04.25.23 CVE: Not Available
Platform: Web Application
Title: osTicket Remote Command Execution
Description: osTicket is an open source support ticket system. It is
vulnerable to a remote command execution attack. An attacker can
attach a malicious PHP script to a ticket and then make an HTTP
request to execute it.
Ref: http://www.securityfocus.com/archive/1/366686
04.25.24 CVE: Not Available
Platform: Web Application
Title: SqWebMail Email Header HTML Injection
Description: SqWebMail is reportedly vulnerable to an HTML injection
issue. This is due to insufficient sanitization of user-supplied email
header strings. This can be used by an attacker to execute malicious
scripts in a victim’s browser when an email message with full headers
is viewed. SqWebMail version 4.0.4.20040524 is reported to be
vulnerable.
Ref: http://www.securityfocus.com/archive/1/366595
04.25.25 CVE: Not Available
Platform: Web Application
Title: ArbitroWeb Cross-Site Scripting vulnerability
Description: ArbitroWeb is an anonymous web surfing proxy written in
PHP. ArbitroWeb is vulnerable to a cross-site scripting issue in its
rawURL URI parameter. ArbitroWeb versions 0.5 and 0.6 are known to be
vulnerable.
Ref: http://www.securityfocus.com/archive/1/366757
04.25.26 CVE: Not Available
Platform: Web Application
Title: PHP-Nuke Multiple Vulnerabilities
Description: PHP-Nuke is reportedly vulnerable to multiple security
issues including cross-site scripting, script injection and SQL
injection attacks. These issues occur due to insufficient user-input
sanitization in various PHP scripts in the package. All current
versions of the package are reported to be vulnerable.
Ref: http://www.waraxe.us/index.php?modname=sa&id=33
04.25.27 CVE: Not Available
Platform: Web Application
Title: php-exec-dir Command Access Restriction Bypass
Description: php-exec-dir is a patch that allows PHP to specify a
directory that contains binary files. PHP will not be able to execute
files outside of this directory. Insufficient sanitization of the ";"
character allows malicious users to execute files outside of the
specified directory. All current versions are affected.
Ref: http://secunia.com/advisories/11928/
04.25.28 CVE: Not Available
Platform: Web Application
Title: VBulletin HTML Injection Vulnerability
Description: VBulletin is a PHP based bulletin board application. An
HTML injection vulnerability exists due to insufficient sanitization
of user supplied input in the “newreply.php” and "newthread.php"
scripts. VBulletin version 3.0.1 is vulnerable and other versions may
be affected as well.
Ref: http://archives.neohapsis.com/archives/bug…04-06/0386.html
04.25.29 CVE: Not Available
Platform: Network Device
Title: Infoblox DNS One Script Injection Vulnerability
Description: The Infoblox DNS One network device provides a web
interface to manage DNS and DHCP services. It is reportedly vulnerable
to a script injection issue. This is due to insufficient sanitization
of the “HOSTNAME” and “CLIENTID” options of DHCP requests. Scripts
injected in this manner will be saved in the device log and executed
when the log is viewed by the administrator.
Ref: http://www.securityfocus.com/archive/1/366506
04.25.30 CVE: Not Available
Platform: Network Device
Title: netHSM Passphrase Information Disclosure
Description: nCipher Network Hardware Security Module (netHSM) is
reportedly vulnerable to a password disclosure issue. Passphrases
entered in the front-panel of the device are appended to the system
log. With improper physical security, an attacker could harvest the
passwords from the device. This issue is fixed in netHSM firmware
version 2.1.12cam5.
Ref: http://www.ncipher.com/support/advisories/advisory10.htm
04.25.31 CVE: Not Available
Platform: Network Device
Title: Netgear FVS318 Router Denial of Service
Description: It has been reported that the FVS318 router has a denial
of service issue in its web administration interface. The problem lies
in its handling of concurrent TCP connections. After seven connections
the router will stop accepting additional connections, thus denying
legitimate users access.
Ref: http://www.securityfocus.com/archive/1/366601
04.25.32 CVE: Not Available
Platform: Network Device
Title: D-Link AirPlus DHCP Log HTML Injection
Description: D-Link AirPlus is a wireless broadband router series. It
is reported to be vulnerable to an HTML injection issue. Malicious
HTML scripts injected into the DHCP log will be executed when the
administrator views the log files. D-Link DI-704 firmware version
2.60b2 and DI-614+ versions 2.18 and prior are reported to be
vulnerable.
Ref: http://www.securityfocus.com/archive/1/366615
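Items 04.25.29 (Infoblox) and 04.25.32 (D-Link) are the same failure: a DHCP client's hostname option is written into a log that an administrator later views in a browser, with no validation on the way in and no escaping on the way out. The following is an added example, not device firmware or code from either advisory, showing both defenses in C: a positive syntax filter on the hostname before it is stored, and HTML output encoding at the point where the log is rendered. The "lease ...: hostname ..." log line format and the helper names are assumptions for the demonstration.

```c
#include <stdio.h>
#include <string.h>

/* Positive filter on the DHCP host-name value before it is stored: RFC 1035
   syntax only (letters, digits, hyphens; labels separated by dots; no empty
   label; no label starting or ending with '-'; at most 63 bytes per label
   and 255 overall). Returns 1 if `s` passes, 0 otherwise. A "<script>" or
   "<img ...>" payload fails on its first byte. */
int is_valid_hostname(const char *s)
{
    size_t total = strlen(s), label = 0;
    if (total == 0 || total > 255) return 0;
    for (const char *p = s; ; p++) {
        char c = *p;
        if (c == '.' || c == '\0') {
            if (label == 0 || label > 63) return 0;
            if (p[-1] == '-') return 0;          /* label may not end in '-' */
            if (c == '\0') return 1;
            label = 0;
            continue;
        }
        int alnum = (c >= 'a' && c <= 'z') || (c >= 'A' && c <= 'Z')
                 || (c >= '0' && c <= '9');
        if (!alnum && !(c == '-' && label > 0)) return 0;
        label++;
    }
    return 0;
}

/* Output encoding where the log is rendered: escape the HTML metacharacters
   so the browser shows the bytes as text. Writes a NUL-terminated string to
   `out` (nothing when outsz is 0) and returns the length the fully escaped
   form needs, so a return value >= outsz means truncation occurred. */
size_t html_escape(const char *in, char *out, size_t outsz)
{
    size_t need = 0, w = 0;
    for (const unsigned char *p = (const unsigned char *)in; *p; p++) {
        char one[2] = { (char)*p, '\0' };
        const char *rep;
        switch (*p) {
        case '<':  rep = "&lt;";   break;
        case '>':  rep = "&gt;";   break;
        case '&':  rep = "&amp;";  break;
        case '"':  rep = "&quot;"; break;
        case '\'': rep = "&#39;";  break;
        default:   rep = one;      break;
        }
        size_t rl = strlen(rep);
        need += rl;
        if (outsz && w + rl < outsz) { memcpy(out + w, rep, rl); w += rl; }
    }
    if (outsz) out[w] = '\0';
    return need;
}

size_t html_escape_len(const char *in) { return html_escape(in, NULL, 0); }

/* Build the log line a device would store for a lease, with both defenses:
   reject values that are not hostnames, escape whatever is logged.
   Returns 0 if the name was logged, -1 if it was rejected. */
int log_lease(const char *client_ip, const char *hostname, char *line, size_t linesz)
{
    char esc[512];
    if (!is_valid_hostname(hostname)) {
        snprintf(line, linesz, "lease %s: hostname rejected (invalid syntax)", client_ip);
        return -1;
    }
    html_escape(hostname, esc, sizeof esc);   /* no-op for valid names; defense in depth */
    snprintf(line, linesz, "lease %s: hostname %s", client_ip, esc);
    return 0;
}

/* Helpers that compare results with expected strings. */
int escaped_equals(const char *in, const char *expected)
{
    char buf[512];
    html_escape(in, buf, sizeof buf);
    return strcmp(buf, expected) == 0;
}
int lease_line_equals(const char *ip, const char *host, const char *expected)
{
    char line[600];
    log_lease(ip, host, line, sizeof line);
    return strcmp(line, expected) == 0;
}

int main(void)
{
    /* Constructed sample: a hostname option payload of the kind the two
       advisories describe, as a DHCP client could send it. */
    const char *payload = "<script>alert(document.cookie)</script>";
    char line[600], esc[256];
    log_lease("192.0.2.10", payload, line, sizeof line);
    printf("%s\n", line);
    html_escape(payload, esc, sizeof esc);
    printf("if it had to be logged anyway: %s\n", esc);
    log_lease("192.0.2.11", "ws-01.corp.example", line, sizeof line);
    printf("%s\n", line);
    return 0;
}
```

Input validation alone is not enough on a device whose log viewer also renders other client-controlled fields (the Infoblox advisory names CLIENTID as a second vector), which is why the escape step stays in the render path even for values that passed the filter.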
04.25.33 CVE: Not Available
Platform: Network Device
Title: BT Voyager 2000 SNMP Information Disclosure
Description: BT Voyager 2000 Wireless ADSL Router is prone to an
information disclosure issue. It is reported that the “public” SNMP
community string with OID “23.2.3.1.6.5.1” contains the plaintext
password to the administrative interface. All current firmware
versions are reported to be affected.
Ref: http://www.securityfocus.com/archive/1/366…20/2004-06-26/0
04.25.34 CVE: Not Available
Platform: Network Device
Title: 3Com SuperStack Web Interface Denial of Service
Description: 3Com SuperStack switches are vulnerable to a denial of
service issue due to a failure in handling specially crafted packets.
SuperStack 3 Switch 4400 (3C17203, 3C17204), SuperStack 3 Switch 4400
SE (3C17206), SuperStack 3 Switch 4400 PWR (3C17205), SuperStack 3
Switch 4400 FX (3C17210) are known to be vulnerable.
Ref: http://secunia.com/advisories/11934/