Summary of Security Items from April 6 through April 12, 2006
The US-CERT Cyber Security Bulletin provides a summary of new and updated vulnerabilities, exploits, trends, and malicious code that have recently been openly reported. Information in the Cyber Security Bulletin is a compilation of open source and US-CERT vulnerability information. As such, the Cyber Security Bulletin includes information published by sources outside of US-CERT and should not be considered the result of US-CERT analysis or as an official report of US-CERT. Although this information does reflect open source reports, it is not an official description and should be used for informational purposes only. The intention of the Cyber Security Bulletin is to serve as a comprehensive directory of pertinent vulnerability reports, providing brief summaries and additional sources for further investigation.
The tables below summarize vulnerabilities that have been reported by various open source organizations or presented in newsgroups and on web sites. Items in bold designate updates that have been made to past entries. Entries are grouped by the operating system on which the reported software operates; vulnerabilities that affect both Windows and Unix/Linux operating systems are included in the Multiple Operating Systems table. Note that entries in each table are not necessarily vulnerabilities in that operating system, but vulnerabilities in software that operates on some version of that operating system.
Entries may contain additional US-CERT sponsored information, including Common Vulnerabilities and Exposures (CVE) numbers, National Vulnerability Database (NVD) links, Common Vulnerability Scoring System (CVSS) values, Open Vulnerability and Assessment Language (OVAL) definitions, or links to US-CERT Vulnerability Notes. Metrics, values, and information included in the Cyber Security Bulletin that have been provided by other US-CERT sponsored programs are prepared, managed, and contributed by those respective programs. CVSS values are managed and provided by the US-CERT/NIST National Vulnerability Database. Links are also provided to patches and workarounds that have been provided by the product's vendor.
The Risk levels are defined below:
High - Vulnerabilities will be labeled “High” severity if they have a CVSS base score of 7.0-10.0.
Medium - Vulnerabilities will be labeled “Medium” severity if they have a base CVSS score of 4.0-6.9.
Low - Vulnerabilities will be labeled “Low” severity if they have a CVSS base score of 0.0-3.9.
Note that scores provided prior to 11/9/2005 are approximated from only partially available CVSS metric data. Such scores are marked as "Approximated" within NVD. In particular, the following CVSS metrics are only partially available for these vulnerabilities and NVD assumes certain values based on an approximation algorithm: AccessComplexity, Authentication, ConfImpact of 'partial', IntegImpact of 'partial', AvailImpact of 'partial', and the impact biases.
Windows Operating Systems Only
Vendor & Software Name
Description
Common Name
CVSS
Resources
Advanced Communications
Hosting Controller 6.1
A vulnerability has been reported in Hosting Controller that could let remote malicious users disclose sensitive user information.
No workaround or patch available at time of publishing.
A vulnerability has been reported due to insecure default directory ACLs set on the 'SunnComm Shared' directory, which could let a malicious user obtain elevated privileges.
A Cross-Site Scripting vulnerability has been reported in 'cherokee/handler_error.c' due to insufficient sanitization in the 'build_hardcoded_response_page()' function before returning to users, which could let a remote malicious user execute arbitrary HTML and script code.
Update to version 0.5.1 or later.
Vulnerability can be exploited through a web client; however, a Proof of Concept exploit has been published.
A vulnerability has been reported when automatic database configuration is selected during the configuration process because the database administrator password is stored in the world-readable file '/var/cache/debconf/config.dat' which could lead to the disclosure of sensitive information.
No workaround or patch available at time of publishing.
A vulnerability has been reported in the 'fbgs' script because temporary files are created insecurely when the 'TMPDIR' environment variable isn't defined, which could let a local malicious user create or overwrite arbitrary files.
No workaround or patch available at time of publishing.
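The 'fbgs' entry above describes the insecure-temporary-file class: a temp name that anyone can predict, created with a call that follows symlinks and truncates. The Python block below is an added illustration of that class and its fix; it is not fbgs's own code. The directory layout, the victim file and the PID value are constructed for the demonstration, and the 'fbgs.<pid>' naming is an assumed example of a predictable name, not the script's actual scheme.

```python
"""Added illustration (not fbgs's code) of insecure temporary file creation.

A temp name built only from the program name and PID is predictable, and a
plain open() both follows symlinks and truncates, so an attacker who plants a
symlink at that name before the victim runs gets the victim's write redirected
into a file of their choosing. The hardened variant refuses pre-existing paths
(O_EXCL, O_NOFOLLOW); the real fix lets mkstemp() pick an unpredictable name.
"""
import os
import tempfile


def predictable_path(tmpdir: str, pid: int) -> str:
    """The flawed pattern: a name anyone can guess from `ps` (assumed scheme)."""
    return os.path.join(tmpdir, "fbgs.%d" % pid)


def write_temp_vulnerable(path: str, data: bytes) -> None:
    """open(..., 'wb') follows a symlink at `path` and truncates its target."""
    with open(path, "wb") as fh:
        fh.write(data)


def write_temp_hardened(path: str, data: bytes) -> bool:
    """Create the file only if nothing exists at `path`; never follow a link.

    Returns False when creation was refused because something (for example a
    planted symlink) already occupied the name.
    """
    flags = os.O_WRONLY | os.O_CREAT | os.O_EXCL | getattr(os, "O_NOFOLLOW", 0)
    try:
        fd = os.open(path, flags, 0o600)
    except FileExistsError:
        return False
    with os.fdopen(fd, "wb") as fh:
        fh.write(data)
    return True


def make_temp_safely(tmpdir: str, data: bytes) -> str:
    """The real fix: mkstemp() uses O_CREAT|O_EXCL, mode 0600 and a random suffix."""
    fd, path = tempfile.mkstemp(prefix="fbgs.", dir=tmpdir)
    with os.fdopen(fd, "wb") as fh:
        fh.write(data)
    return path


def demo() -> dict:
    """Run the symlink attack against both variants inside a throwaway directory."""
    with tempfile.TemporaryDirectory() as tmpdir:
        target = os.path.join(tmpdir, "victim_file")  # constructed victim-owned file
        with open(target, "wb") as fh:
            fh.write(b"original")
        pid = 12345  # assumed victim PID; trivially readable from ps or /proc
        planted = predictable_path(tmpdir, pid)
        os.symlink(target, planted)  # attacker wins the race: link planted first

        write_temp_vulnerable(planted, b"clobbered")
        with open(target, "rb") as fh:
            vuln_clobbered = fh.read() == b"clobbered"

        hardened_refused = not write_temp_hardened(planted, b"clobbered")
        safe_path = make_temp_safely(tmpdir, b"clobbered")
        safe_private = (os.stat(safe_path).st_mode & 0o777) == 0o600
        safe_not_planted = safe_path != planted and not os.path.islink(safe_path)
        return {
            "vuln_clobbered": vuln_clobbered,
            "hardened_refused": hardened_refused,
            "safe_private": safe_private,
            "safe_not_planted": safe_not_planted,
        }


if __name__ == "__main__":
    print(demo())
```

The O_EXCL check alone is not the whole fix: with a predictable name the attacker can still deny service by occupying it, so the mkstemp() variant, which removes the predictability, is the one to ship.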
A Cross-Site Scripting vulnerability has been reported due to insufficient sanitization of input passed to the private archive script before returning to the user, which could let a remote malicious user execute arbitrary HTML and script code.
A vulnerability has been reported in the 'su' program when used with the LDAP netgroup feature, which could let a malicious user obtain elevated privileges.
A buffer overflow vulnerability has been reported in the 'http_peek()' function when creating HTTP request headers for retrieving remote playlists, which could let a remote malicious user execute arbitrary code.
Debian Security Advisory, DSA-1023-1, April 5, 2006
Mandriva Linux Security Advisory MDKSA-2006:065, April 5, 2006
Gentoo Linux Security Advisory, GLSA 200604-04, April 5, 2006
SUSE Security Summary Report Announcement, SUSE-SR:2006:008, April 7, 2006
Ubuntu Security Notice, USN-268-1 April 6, 2006
Manic Web
Manic Web MWNewsletter 1.0 b
Multiple vulnerabilities have been reported: a vulnerability was reported in 'subscribe.php' due to insufficient sanitization of the 'user_name' parameter before saving, which could let a remote malicious user execute arbitrary HTML and script code; and SQL injection vulnerabilities were reported in 'unsubscribe.php' due to insufficient sanitization of the 'user_name' and 'user_email' parameters, and in 'subscribe.php' due to insufficient sanitization of the 'user_name' and 'user_email' parameters, before using in an SQL query, which could let a remote malicious user execute arbitrary SQL code.
No workaround or patch available at time of publishing.
Vulnerabilities could be exploited with a web client.
Multiple vulnerabilities have been reported due to integer overflow errors in 'libmpdemux/asfheader.c' when handling an ASF file, and in 'libmpdemux/aviheader.c' when parsing the 'indx' chunk in an AVI file, which could let a remote malicious user cause a Denial of Service and potentially compromise a system.
Mandriva Security Advisory, MDKSA-2006:061, March 29, 2006
Ubuntu Security Notice, USN-267-1, April 03, 2006
Debian Security Advisory, DSA-1027-1, April 6, 2006
SUSE Security Summary Report Announcement, SUSE-SR:2006:008, April 7, 2006
Multiple Vendors
zlib 1.2.2, 1.2.1, 1.2.0.7, 1.1-1.1.4, 1.0-1.0.9; Ubuntu Linux 5.04 (powerpc, i386, amd64), 4.1 (ppc, ia64, ia32); SuSE Open-Enterprise-Server 9.0, Novell Linux Desktop 9.0, Linux Professional 9.3 (x86_64), 9.2 (x86_64), 9.1 (x86_64), Linux Personal 9.3 (x86_64), 9.2 (x86_64), 9.1 (x86_64), Linux Enterprise Server 9; Gentoo Linux; FreeBSD 5.4 (-RELENG, -RELEASE, -PRERELEASE), 5.3 (-STABLE, -RELENG, -RELEASE); Debian Linux 3.1 (sparc, s/390, ppc, mipsel, mips, m68k, ia-64, ia-32, hppa, arm, alpha); zsync 0.4, 0.3-0.3.3, 0.2-0.2.3, 0.1-0.1.6 1, 0.0.1-0.0.6
A buffer overflow vulnerability has been reported due to insufficient validation of input data prior to utilizing it in a memory copy operation, which could let a remote malicious user execute arbitrary code.
Mandriva Security Advisory, MDKSA-2005:124, July 22, 2005
Secunia, Advisory: SA16195, July 25, 2005
Slackware Security Advisory, SSA:2005-203-03, July 22, 2005
FreeBSD Security Advisory, SA-05:18, July 27, 2005
SUSE Security Announcement, SUSE-SA:2005:043, July 28, 2005
Gentoo Linux Security Advisory, GLSA 200507-28, July 30, 2005
Gentoo Linux Security Advisory, GLSA 200508-01, August 1, 2005
Trustix Secure Linux Security Advisory, TSLSA-2005-0040, August 5, 2005
Conectiva Linux Announcement, CLSA-2005:997, August 11, 2005
Apple Security Update, APPLE-SA-2005-08-15, August 15, 2005
Turbolinux Security Advisory, TLSA-2005-83, August 18, 2005
SCO Security Advisory, SCOSA-2005.33, August 19, 2005
Debian Security Advisory, DSA 797-1, September 1, 2005
Security Focus, Bugtraq ID: 14340, September 12, 2005
Fedora Legacy Update Advisory, FLSA:162680, September 14, 2005
Debian Security Advisory, DSA 797-2, September 29, 2005
Mandriva Linux Security Advisory, MDKSA-2005:196, October 26, 2005
Ubuntu Security Notice, USN-151-3, October 28, 2005
Ubuntu Security Notice, USN-151-4, November 09, 2005
SCO Security Advisory, SCOSA-2006.6, January 10, 2006
Gentoo Linux Security Advisory, GLSA 200603-18, March 21, 2006
Debian Security Advisory, DSA-1026-1, April 6, 2006
Mandriva Security Advisory, MDKSA-2006:070, April 10, 2006
Multiple Vendors
Debian Linux 3.1 (sparc, s/390, ppc, mipsel, mips, m68k, ia-64, ia-32, hppa, arm, amd64, alpha), 3.0 (sparc, s/390, ppc, mipsel, mips, m68k, ia-64, ia-32, hppa, arm, alpha);
bsd-games 2.9, 2.12-2.14, 2.17
Multiple buffer overflow vulnerabilities have been reported due to insufficient bounds-checking when copying user-supplied input to insufficiently sized memory buffers, which could let a malicious user obtain elevated privileges.
No workaround or patch available at time of publishing.
Currently we are not aware of any exploits for these vulnerabilities.
A race condition vulnerability has been reported in ia32 emulation, which could let local malicious users obtain root privileges or trigger a buffer overflow.
Trustix Secure Linux Security Advisory, TSLSA-2005-0036, July 14, 2005
SUSE Security Announcement, SUSE-SA:2005:044, August 4, 2005
RedHat Security Advisory, RHSA-2005:663-19, September 28, 2005
Debian Security Advisory, DSA 921-1, December 14, 2005
SmoothWall Advisory, March 15, 2006
SGI Security Advisory, 20060402-01-U, April 10, 2006
Multiple Vendors
Linux kernel 2.2.x, 2.4.x, 2.6.x
A buffer overflow vulnerability has been reported in the 'elf_core_dump()' function due to a signedness error, which could let a malicious user execute arbitrary code with ROOT privileges.
Fedora Security Update Notification, FEDORA-2005-262, March 28, 2005
Trustix Secure Linux Security Advisory, TSLSA-2005-0011, April 5, 2005
Fedora Update Notification
FEDORA-2005-313, April 11, 2005
RedHat Security Advisory, RHSA-2005:366-19, April 19, 2005
Conectiva Linux Security Announcement, CLA-2005:952, May 2, 2005
Fedora Legacy Update Advisory, FLSA:152532, June 4, 2005
SUSE Security Announcement, SUSE-SA:2005:29, June 9, 2005
SGI Security Advisory, 20060402-01-U, April 10, 2006
Multiple Vendors
Linux kernel 2.6.10, 2.6-test9-CVS, 2.6-test1-test11, 2.6, 2.6.1-2.6.11; RedHat Desktop 4.0, Enterprise Linux WS 4, ES 4, AS 4
Multiple vulnerabilities have been reported: a vulnerability was reported in the 'shmctl' function, which could let a malicious user obtain sensitive information; a Denial of Service vulnerability was reported in 'nls_ascii.c' due to the use of incorrect table sizes; a race condition vulnerability was reported in the 'setsid()' function; and a vulnerability was reported in the handling of the OUTS instruction on the AMD64 and Intel EM64T architectures, which could let a malicious user obtain elevated privileges.
Ubuntu Security Notice, USN-219-1, November 22, 2005
Mandriva Linux Security Advisories, MDKSA-2005:218, 219 & 220, November 30, 2005
SUSE Security Announcement, SUSE-SA:2005:068, December 14, 2005
Conectiva Linux Announcement, CLSA-2006:1059, January 2, 2006
RedHat Security Advisory, RHSA-2006:0140-9, January 19, 2006
RedHat Security Advisories, RHSA-2006:0190-5 & RHSA-2006:0191-9, February 1, 2006
Mandriva Security Advisory, MDKSA-2006:044, February 21, 2006
SmoothWall Advisory, March 15, 2006
SGI Security Advisory, 20060402-01-U, April 10, 2006
Multiple Vendors
Linux kernel 2.6-2.6.14; SuSE Linux Professional 10.0 OSS, Linux Personal 10.0 OSS;
RedHat Fedora Core4
A Denial of Service vulnerability has been reported in 'ptrace.c' when 'CLONE_THREAD' is used due to a missing check of the thread's group ID when trying to determine whether the process is attempting to attach to itself.
Fedora Update Notification, FEDORA-2005-1104, November 28, 2005
SuSE Security Announcement, SUSE-SA:2005:067, December 6, 2005
SUSE Security Announcement, SUSE-SA:2005:068, December 14, 2005
Mandriva Security Advisory, MDKSA-2006:018, January 20, 2006
Debian Security Advisory, DSA-1017-1, March 23, 2006
Debian Security Advisory, DSA-1018-1, March 24, 2006
Debian Security Advisory, DSA 1018-2, April 5, 2006
SGI Security Advisory, 20060402-01-U, April 10, 2006
Multiple Vendors
Linux kernel 2.6-2.6.15
A Denial of Service vulnerability has been reported in the 'time_out_leases()' function because 'printk()' can consume large amounts of kernel log space.
Trustix Secure Linux 3.0, 2.2; MandrakeSoft Linux Mandrake 2006.0 (x86_64), 2006.0, 10.2 (x86_64), 10.2; Gentoo Linux; Debian Linux 3.1 (sparc, s/390, ppc, mipsel, mips, m68k, ia-64, ia-32, hppa, arm, amd64, alpha); ClamAV prior to 0.88.1
Multiple vulnerabilities have been reported: a buffer overflow vulnerability was reported in the PE header parser in the 'cli_scanpe()' function, which could let a remote malicious user execute arbitrary code; format string vulnerabilities were reported in 'shared/output.c' in the logging handling, which could let remote malicious user execute arbitrary code; and a remote Denial of Service vulnerability was reported in the 'cli_bitset_test()' function due to an out-of-bounds memory access error.
A vulnerability has been reported because the keyboard focus is not released when xscreensaver starts, which could let a malicious user obtain sensitive information.
The vendor has released version 4.18 of XScreenSaver to address this issue.
Standard applications and network sniffers can be used to exploit this issue.
An integer overflow vulnerability exists in 'scan.c' due to insufficient sanity checks on the 'bitmap_unit' value, which could let a remote malicious user execute arbitrary code.
SCO Security Advisory, SCOSA-2005.57, December 14, 2005
SCO Security Advisory, SCOSA-2006.5, January 4, 2006
Fedora Legacy Update Advisory, FLSA:152803, January 10, 2006
SGI Security Advisory, 20060403-01-U, April 11, 2006
Multiple Vendors
XFree86 X11R6 4.3.0, 4.1.0; X.org X11R6 6.8.2; RedHat Enterprise Linux WS 2.1 (IA64), ES 2.1 (IA64), AS 2.1 (IA64), Advanced Workstation for the Itanium Processor 2.1 (IA64); Gentoo Linux
A buffer overflow vulnerability has been reported in the pixmap processing code, which could let a malicious user execute arbitrary code and possibly obtain superuser privileges.
Fedora Update Notifications, FEDORA-2005-893 & 894, September 16, 2005
Trustix Secure Linux Security Advisory, TSLSA-2005-0049, September 16, 2005
Debian Security Advisory DSA 816-1, September 19, 2005
Sun(sm) Alert Notification, Sun Alert ID: 101926, September 19, 2005
SUSE Security Announcement, SUSE-SA:2005:056, September 26, 2005
Slackware Security Advisory, SSA:2005-269-02, September 26, 2005
Sun(sm) Alert Notification, Sun Alert ID: 101953, October 3, 2005
SUSE Security Summary Report, SUSE-SR:2005:023, October 14, 2005
Avaya Security Advisory, ASA-2005-218, October 19, 2005
Sun(sm) Alert Notification, Sun Alert ID: 101926, Updated October 24, 2005
NetBSD Security Update, October 31, 2005
SGI Security Advisory, 20060403-01-U, April 11, 2006
Multiple Vendors
xzgv Image Viewer 0.8, 0.7, 0.6;
SuSE Linux Professional 10.0 OSS, 9.3 x86_64, 9.3, 9.2 x86_64, 9.2, 9.1 x86_64, 9.1, Linux Personal 10.0 OSS, 9.3 x86_64, 9.3, 9.2 x86_64, 9.2, 9.1 x86_64, 9.1
A buffer overflow vulnerability has been reported when processing JPEG files due to a boundary error, which could let a remote malicious user execute arbitrary code.
Sun(sm) Alert Notification, Sun Alert ID: 102282, April 11, 2006
Sun Microsystems, Inc.
Sun Trusted Solaris 8.0, Solaris 9.0 (x86), 9.0, 8.0 (x86), 8.0
A vulnerability has been reported because the Directory Server rootDN (Distinguished Name) password may be disclosed to malicious users when privileged users run the idsconfig command or certain LDAP commands.
Multiple Operating Systems - Windows/UNIX/Linux/Other
Vendor & Software Name
Description
Common Name
CVSS
Resources
ADOdb
ADOdb 4.70, 4.68, 4.66
An SQL injection vulnerability has been reported due to insufficient sanitization of certain parameters before using in an SQL query, which could let a remote malicious user execute arbitrary SQL code.
Gentoo Linux Security Advisory, GLSA 200602-02, February 6, 2006
Debian Security Advisory, DSA-1029, April 8, 2006
Debian Security Advisory, DSA-1030-1, April 8, 2006
Debian Security Advisory, DSA-1031-1, April 8, 2006
ADOdb
ADOdb 4.71 & prior
Several vulnerabilities have been reported: a Cross-Site Scripting vulnerability was reported in 'adodb_pager.inc.php' due to insufficient sanitization of the 'next_page' parameter before returning to the user, which could let a remote malicious user execute arbitrary HTML and script code; and a Cross-Site Scripting vulnerability was reported in 'adodb_pager.inc.php' due to the unsafe use of 'PHP_SELF,' which could let a remote malicious user execute arbitrary HTML and script code.
Debian Security Advisory, DSA-1030-1, April 8, 2006
Debian Security Advisory, DSA-1031-1, April 8, 2006
Annuaire
Annuaire 1.0
Several vulnerabilities have been reported: a script insertion vulnerability was reported in 'inscription.php' due to insufficient sanitization of the 'COMMENTAIRE' parameter before using, which could let a remote malicious user execute arbitrary HTML and script code; and a vulnerability was reported because it is possible to obtain the full path when certain scripts are accessed directly.
No workaround or patch available at time of publishing.
Vulnerabilities can be exploited through a web client.
Several vulnerabilities have been reported: a Cross-Site Scripting vulnerability was reported due to insufficient sanitization of the 'message' parameter before returning to the user, which could let a remote malicious user execute arbitrary HTML and script code; and an SQL injection vulnerability was reported in 'modules.php' due to insufficient sanitization of the 'id' parameter before using in an SQL query, which could let a remote malicious user execute arbitrary SQL code.
No workaround or patch available at time of publishing.
Vulnerabilities can be exploited through a web client; however, a Proof of Concept exploit has been published.
A Cross-Site Scripting vulnerability has been reported in the 'search.php' script due to insufficient filtering of HTML code from user-supplied search input before displaying, which could let a remote malicious user execute arbitrary script code.
No workaround or patch available at time of publishing.
Vulnerability can be exploited through a web client.
Several vulnerabilities have been reported: a vulnerability was reported in 'genmessage.php' due to insufficient sanitization of the 'message' parameter before saving, which could let a remote malicious user execute arbitrary HTML and script code; and vulnerabilities were reported in 'docmgmtadd.php' due to insufficient sanitization of the 'description' and 'comment' parameters, and in 'gencompanyupd.php' and 'gencompanyadd.php' due to insufficient sanitization of the 'name,' 'address1,' 'address2,' 'city,' 'email,' and 'web' parameters, which could let a remote malicious user execute arbitrary HTML and script code.
No workaround or patch available at time of publishing.
Vulnerabilities can be exploited through a web client; however, a Proof of Concept exploit has been published.
A vulnerability has been reported due to insufficient sanitization of the 'name' and 'page' parameters before returning to users, which could let a remote malicious user execute arbitrary HTML and script code.
No workaround or patch available at time of publishing.
Vulnerability can be exploited through a web client; however, a Proof of Concept exploit has been published.
A Cross-Site Scripting vulnerability has been reported in 'index.php' due to insufficient sanitization of the 'pic' and 'show' parameters before returning to the user, which could let a remote malicious user execute arbitrary HTML and script code.
No workaround or patch available at time of publishing.
Currently we are not aware of any exploits for this vulnerability.
A Cross-Site Scripting vulnerability was reported in the 'banner' parameter due to insufficient sanitization, which could let a remote malicious user execute arbitrary HTML and script code.
No workaround or patch available at time of publishing.
Vulnerability can be exploited through a web client; however, a Proof of Concept exploit has been published.
A vulnerability has been reported in the 'buy.php' script because a predictable cookie is used for authentication, which could let a remote malicious user bypass the authentication process.
No workaround or patch available at time of publishing.
Vulnerability can be exploited through a web client.
A file include vulnerability has been reported in 'admin.php,' 'vote.php,' 'view.php,' and 'admin/index.php' due to insufficient sanitization of the 'int_path' parameter, which could let a remote malicious user execute arbitrary PHP code.
No workaround or patch available at time of publishing.
Vulnerability can be exploited through a web client; however, a Proof of Concept exploit has been published.
A Cross-Site Scripting vulnerability has been reported in 'login.php' due to insufficient sanitization of user-supplied input, which could let a remote malicious user execute arbitrary HTML and script code.
No workaround or patch available at time of publishing.
Vulnerability can be exploited through a web client; however, a Proof of Concept exploit has been published.
Multiple input validation vulnerabilities have been reported including Cross-Site Scripting and SQL injection due to insufficient sanitization of user-supplied input, which could let a remote malicious user execute arbitrary HTML, script code and SQL code.
No workaround or patch available at time of publishing.
Vulnerabilities can be exploited through a web client; however, Proof of Concept exploits have been published.
Multiple vulnerabilities have been reported: multiple remote Denial of Service vulnerabilities were reported when an invalid response is sent instead of the final ACK packet during the TCP 3-way handshake; a vulnerability was reported due to errors when processing IP packets, which causes control cards to reset when a specially crafted IP packet is submitted; a vulnerability was reported due to an error when processing OSPF (Open Shortest Path First) packets, which causes control cards to be reset; and a vulnerability was reported in the Cisco Transport Controller (CTC) applet launcher due to 'java.policy' permissions being too broad, which could let a remote malicious user execute arbitrary code.
Cisco Security Advisory, cisco-sa-20060405, April 5, 2006
Clansys
Clansys 1.1
An SQL injection vulnerability has been reported in 'index.php' due to insufficient sanitization of the 'showid' parameter before using in an SQL query, which could let a remote malicious user execute arbitrary SQL code.
No workaround or patch available at time of publishing.
Vulnerability can be exploited through a web client; however, a Proof of Concept exploit script, clansys_poc, has been published.
An information disclosure vulnerability has been reported due to improper restrictions to 'admin/connect.inc,' which could lead to the disclosure of sensitive information.
No workaround or patch available at time of publishing.
Vulnerability can be exploited through a web client; however, a Proof of Concept exploit script, adv28-K-159-2006.txt, has been published.
An SQL injection vulnerability has been reported in 'admin.php' due to insufficient sanitization of the 'emal' and 'id' parameters before using in an SQL query, which could let a remote malicious user execute arbitrary SQL code.
No workaround or patch available at time of publishing.
There is no exploit code required; however, a Proof of Concept exploit has been published.
An SQL injection vulnerability has been reported in 'viewtopic.php' due to insufficient sanitization of the 'topic' parameter before using in an SQL query, which could let a remote malicious user execute arbitrary SQL code.
No workaround or patch available at time of publishing.
Vulnerability can be exploited through a web client; however, a Proof of Concept exploit has been published.
Dokeos SQL Injection
Not Available
Secunia Advisory: SA19604, April 11, 2006
Gallery Project
Gallery 1.x
A Cross-Site Scripting vulnerability has been reported due to insufficient sanitization of unspecified input before using, which could let a remote malicious user execute arbitrary HTML and script code.
Several vulnerabilities have been reported: an HTML injection vulnerability was reported in 'index.php' due to insufficient sanitization of the 'username' parameter before storing in a logfile, which could let a remote malicious user execute arbitrary HTML and script code; and a vulnerability was reported in 'index.php' due to insufficient sanitization when editing the configuration file, which could let a remote malicious user execute arbitrary PHP code.
No workaround or patch available at time of publishing.
Vulnerabilities can be exploited via a web client.
Several vulnerabilities have been reported: a Cross-Site Scripting vulnerability was reported in 'index.php' due to insufficient sanitization of the 'page' parameter before returning to the user, which could let a remote malicious user execute arbitrary HTML and script code; and an SQL injection vulnerability was reported in 'form.php' due to insufficient sanitization of the 'nom' and 'mail' parameters before using in an SQL query, which could let a remote malicious user execute arbitrary SQL code.
No workaround or patch available at time of publishing.
Vulnerability can be exploited through a web client; however, a Proof of Concept exploit has been published.
A Cross-Site Scripting vulnerability has been reported in 'vbugs.php' due to insufficient sanitization of the 'sortorder' parameter before returning to the user, which could let a remote malicious user execute arbitrary HTML and script code.
No workaround or patch available at time of publishing.
Vulnerability can be exploited through a web client; however, a Proof of Concept exploit has been published.
A Cross-Site Scripting vulnerability has been reported in 'Index.PHP' due to insufficient sanitization of user-supplied input, which could let a remote malicious user execute arbitrary HTML and script code.
No workaround or patch available at time of publishing.
Vulnerability can be exploited through a web client; however, a Proof of Concept exploit has been published.
Several vulnerabilities have been reported: a vulnerability was reported in 'guestbook.pl' due to insufficient sanitization of the 'realname,' 'username,' and 'comments' parameters before using, which could let a remote malicious user execute arbitrary HTML and script code; and a vulnerability was reported in 'guestbook.pl' due to insufficient sanitization of the 'url,' 'city,' 'state,' and 'country' parameters before using, which could let a remote malicious user execute arbitrary HTML and script code.
No workaround or patch available at time of publishing.
Vulnerabilities can be exploited via a web client; however, a Proof of Concept exploit has been published.
An SQL injection vulnerability has been reported in 'admin.php' due to insufficient sanitization of the 'id' parameter before using in an SQL query, which could let a remote malicious user execute arbitrary SQL code.
No workaround or patch available at time of publishing.
Vulnerability can be exploited through a web client.
An SQL injection vulnerability has been reported in 'index.php' due to insufficient sanitization of the 'topicid' parameter before using in an SQL query, which could let a remote malicious user execute arbitrary SQL code.
No workaround or patch available at time of publishing.
Vulnerability can be exploited through a web client; however, a Proof of Concept exploit has been published.
PostNuke 0.761; moodle 1.5.3; Mantis 1.0.0RC4, 0.19.4; Cacti 0.8.6 g; ADOdb 4.68, 4.66; AgileBill 1.4.92 & prior
Several vulnerabilities have been reported: an SQL injection vulnerability was reported in the 'server.php' test script, which could let a remote malicious user execute arbitrary SQL code and PHP script code; and a vulnerability was reported in the 'tests/tmssql.php' test script, which could let a remote malicious user call an arbitrary PHP function.
Security Focus, Bugtraq ID: 16187, February 7, 2006
Security Focus, Bugtraq ID: 16187, February 9, 2006
Debian Security Advisory, DSA-1029, April 8, 2006
Debian Security Advisory, DSA-1030-1, April 8, 2006
Debian Security Advisory, DSA-1031-1, April 8, 2006
Multiple Vendors
SQuery 4.5 & prior; Autonomous LAN Party 0
Multiple remote file-include vulnerabilities have been reported in the 'LibPath' parameter due to insufficient sanitization of user-supplied input, which could let a remote malicious user execute arbitrary PHP code.
No workaround or patch available at time of publishing.
Vulnerability can be exploited through a web client; however, a Proof of Concept exploit script, squery.pl.txt, has been published.
Several vulnerabilities have been reported: an SQL injection vulnerability was reported due to insufficient sanitization of unspecified input before using in an SQL query, which could let a remote malicious user execute arbitrary SQL code; and a script insertion vulnerability was reported due to insufficient sanitization of the name and body fields when posting a comment, which could let a remote malicious user execute arbitrary HTML and script code.
Mandriva Security Advisory, MDKSA-2006:069, April 10, 2006
Oracle Corporation
Oracle9i Standard Edition 9.2.0.0-10.2.0.3, Oracle9i Personal Edition 9.2.0.0-10.2.0.3, Oracle9i Enterprise Edition 9.2.0.0-10.2.0.3, Oracle10g Standard Edition 9.2.0.0-10.2.0.3, Oracle10g Personal Edition 9.2.0.0-10.2.0.3, Oracle10g Enterprise Edition 9.2.0.0-10.2.0.3
A vulnerability has been reported due to a failure to enforce read-only privileges for user roles, which could let a remote malicious user bypass access restrictions.
No workaround or patch available at time of publishing.
Vulnerability can be exploited through a web client; however, a Proof of Concept exploit has been published.
Multiple vulnerabilities have been reported: a Cross-Site Scripting vulnerability was reported in the 'phpinfo()' PHP function because only the first 4096 characters of an array request parameter are sanitized before returning to users, which could let a remote malicious user execute arbitrary HTML and script code; a Directory Traversal vulnerability was reported in the 'tempnam()' PHP function due to an error, which could let a remote malicious user create arbitrary files; a vulnerability was reported in the 'copy()' PHP function due to an error, which could let a remote malicious user create arbitrary files; and a vulnerability was reported in the 'copy()' PHP function because the safe mode mechanism can be bypassed by a remote malicious user.
A vulnerability has been reported in the 'html_entity_decode()' function because it is not binary safe, which could let a remote malicious user obtain sensitive information.
The vulnerability has been fixed in the CVS repository and in version 5.1.3-RC1.
Mandriva Security Advisory, MDKSA-2006:063, April 2, 2006
Trustix Secure Linux Security Advisory #2006-0020, April 7, 2006
PHPKIT
PHPKIT 1.6.1 R2
An SQL injection vulnerability has been reported in 'Include.PHP' due to insufficient sanitization of the 'contentid' parameter before using in an SQL query, which could let a remote malicious user execute arbitrary SQL code.
No workaround or patch available at time of publishing.
Vulnerability can be exploited through a web client; however, a Proof of Concept exploit has been published.
Security Tracker Alert ID: 1015888, April 10, 2006
PHPList Mailing List Manager
PHPList Mailing List Manager 2.10.2, 2.10.1, 2.8.12, 2.6 -2.6.4
A file include vulnerability has been reported in 'index.php' due to insufficient sanitization of user-supplied input, which could let a remote malicious user execute arbitrary PHP code.
No workaround or patch available at time of publishing.
Vulnerabilities can be exploited through a web client; however, exploit scripts, PHPList-lfi.php and phplist_2102_incl_xpl, have been published.
Cross-Site Scripting vulnerabilities have been reported due to insufficient sanitization of various scripts in the themes directory, which could let a remote malicious user execute arbitrary HTML and script code.
phpMyAdmin Security Announcement PMASA-2006-1, April 6, 2006
phpMyForum
phpMyForum 4.0
Cross-Site Scripting vulnerabilities have been reported in 'index.php' due to insufficient sanitization of user-supplied input, which could let a remote malicious user execute arbitrary HTML and script code.
No workaround or patch available at time of publishing.
Vulnerabilities can be exploited through a web client; however, a Proof of Concept exploit has been published.
Cross-Site Scripting vulnerabilities have been reported due to insufficient sanitization of user-supplied input, which could let a remote malicious user execute arbitrary HTML and script code.
No workaround or patch available at time of publishing.
Vulnerabilities can be exploited through a web client; however, a Proof of Concept exploit has been published.
A Directory Traversal vulnerability has been reported in 'apps/pbcs.dll/misc' due to insufficient sanitization of the 'url' parameter before using, which could let a remote malicious user obtain sensitive information.
No workaround or patch available at time of publishing.
Vulnerability can be exploited through a web client; however, a Proof of Concept exploit has been published.
A Cross-Site Scripting vulnerability has been reported in the 'PrintFreshPage()' function due to insufficient sanitization of various scripts, which could let a remote malicious user execute arbitrary HTML and script code.
No workaround or patch available at time of publishing.
Vulnerability can be exploited through a web client.
Basic Analysis and Security Engine Cross-Site Scripting
A Cross-Site Scripting vulnerability has been reported due to insufficient sanitization of the 'page' parameter before returning to the user, which could let a remote malicious user execute arbitrary HTML and script code.
No workaround or patch available at time of publishing.
Vulnerability can be exploited through a web client; however, a Proof of Concept exploit has been reported.
SQL injection vulnerabilities have been reported due to insufficient sanitization of the 'idemID' parameter in 'login.php' and 'memo.php', and of the 'itemgr,' 'ibrandID,' and 'album' parameters in 'index.php', before using in an SQL query, which could let a remote malicious user execute arbitrary SQL code.
No workaround or patch available at time of publishing.
Vulnerabilities can be exploited through a web client; however, Proof of Concept exploits have been published.
A file upload vulnerability has been reported due to insufficient sanitization, which could let a remote malicious user upload and execute arbitrary code.
No workaround or patch available at time of publishing.
Vulnerability can be exploited through a web client; however, a Proof of Concept exploit has been reported.
A file include vulnerability has been reported in 'lire.php' due to insufficient sanitization of user-supplied input, which could let a remote malicious user execute arbitrary PHP code.
No workaround or patch available at time of publishing.
Vulnerability can be exploited through a web client; however, a Proof of Concept exploit has been published.
Multiple Cross-Site Scripting vulnerabilities have been reported in the 'areaID,' 'time,' and 'userID' parameters due to insufficient sanitization before returning to the user, which could let a remote malicious user execute arbitrary HTML and script code.
No workaround or patch available at time of publishing.
Vulnerabilities can be exploited through a web client; however, Proof of Concept exploits have been published.
A file include vulnerability has been reported in 'config.php' due to insufficient sanitization of the 'returnpath' parameter, which could let a remote malicious user execute arbitrary PHP code.
No workaround or patch available at time of publishing.
Vulnerability can be exploited through a web client.
A file include vulnerability has been reported in 'Spip_login.PHP' due to insufficient sanitization of user-supplied input, which could let a remote malicious user execute arbitrary PHP code.
No workaround or patch available at time of publishing.
Vulnerability can be exploited through a web client; however, a Proof of Concept exploit has been published.
Several vulnerabilities have been reported: a Cross-Site Scripting vulnerability was reported in 'allgemein_transfer.php' due to insufficient sanitization of the 'jahr' parameter before returning to the user, which could let a remote malicious user execute arbitrary HTML and script code; and an SQL injection vulnerability was reported in 'index.php' due to insufficient sanitization of the 'SID' parameter before using in an SQL query, which could let a remote malicious user execute arbitrary SQL code.
No workaround or patch available at time of publishing.
Vulnerabilities could be exploited with a web client; however, Proof of Concept exploits have been published.
SWSoft Confixx Pro Cross-Site Scripting & SQL Injection
A Cross-Site Scripting vulnerability has been reported in Flash Video due to insufficient sanitization of user-supplied input, which could let a remote malicious user execute arbitrary HTML and script code.
No workaround or patch available at time of publishing.
Vulnerability can be exploited through a web client.
Several vulnerabilities have been reported: a Cross-Site Scripting vulnerability was reported in 'register.php' due to insufficient sanitization of the 'newuser_name,' 'newuser_email,' and 'newuser_hp' parameters before returning to the user, which could let a remote malicious user execute arbitrary HTML and script code; and a Cross-Site Scripting vulnerability was reported in 'register.php' due to insufficient sanitization of the 'newuser_realname' and 'newuser_icq' parameters before returning to the user, which could let a remote malicious user execute arbitrary HTML and script code.
No workaround or patch available at time of publishing.
Vulnerabilities can be exploited through a web client; however, Proof of Concept exploits have been published.
Cross-Site Scripting vulnerabilities have been reported due to insufficient sanitization of the 'mode' parameter in 'discuss/msgReader' and 'newsItems/viewDepartment' before returning to the user, which could let a remote malicious user execute arbitrary HTML and script code.
No workaround or patch available at time of publishing.
Vulnerabilities can be exploited through a web client.
Multiple input validation vulnerabilities have been reported due to insufficient sanitization of user-supplied input, which could let a remote malicious user execute arbitrary code.
No workaround or patch available at time of publishing.
Vulnerabilities can be exploited through a web client; however, Proof of Concept exploits have been reported.
A file include vulnerability has been reported in 'admin.php' due to insufficient sanitization of user-supplied input, which could let a remote malicious user execute arbitrary PHP code.
The vendor has released VWar 1.5.0 R11 to address this issue.
Vulnerability can be exploited through a web client; however, a Proof of Concept exploit has been published.
An SQL injection vulnerability has been reported in 'members.php' due to insufficient sanitization of the 'id' parameter before using in an SQL query, which could let a remote malicious user execute arbitrary SQL code.
No workaround or patch available at time of publishing.
Vulnerability can be exploited through a web client; however, a Proof of Concept exploit script, xbrite_poc, has been published.
This section contains wireless vulnerabilities, articles, and malicious code that have been identified during the current reporting period.
Phishers ring changes with phone scam: A new phishing scam has been identified by security experts that uses a toll-free telephone number rather than a bogus website to gather online banking passwords from unwary victims.
This section contains brief summaries and links to articles which discuss or present information pertinent to the cyber security community.
Cybercrime More Widespread, Skillful, Dangerous Than Ever: Based on evidence gathered over the last two years, the Response Team at VeriSign-owned iDefense is convinced that groups of well-organized mobsters have taken control of a global billion-dollar crime network powered by skillful hackers and money mules targeting known software security weaknesses.
A list of high threat viruses, as reported to various anti-virus vendors and virus incident reporting organizations, has been ranked and categorized in the table below. For the purposes of collecting and collating data, infections involving multiple systems at a single location are considered a single infection. It is therefore possible that a virus has infected hundreds of machines but has only been counted once. With the number of viruses that appear each month, it is possible that a new virus will become widely distributed before the next edition of this publication. To limit the possibility of infection, readers are reminded to update their anti-virus packages as soon as updates become available. The table lists the viruses by ranking (number of sites affected), common virus name, type of virus code (i.e., boot, file, macro, multi-partite, script), trends (based on number of infections reported since last week), and approximate date first found.
Rank | Common Name | Type of Code | Trend | Date | Description
1 | Netsky-P | Win32 Worm | Stable | March 2004 | A mass-mailing worm that uses its own SMTP engine to send itself to the email addresses it finds when scanning the hard drives and mapped drives. The worm also tries to spread through various file-sharing programs by copying itself into various shared folders.
2 | Zafi-B | Win32 Worm | Stable | June 2004 | A mass-mailing worm that spreads via e-mail using several different languages, including English, Hungarian and Russian. When executed, the worm makes two copies of itself in the %System% directory with randomly generated file names.
3 | Lovgate.w | Win32 Worm | Stable | April 2004 | A mass-mailing worm that propagates by using MAPI as a reply to messages, by using an internal SMTP engine, by dropping copies of itself on network shares, and through peer-to-peer networks. It attempts to access all machines in the local area network.
4 | Mytob.C | Win32 Worm | Stable | March 2004 | A mass-mailing worm with IRC backdoor functionality which can also infect computers vulnerable to the Windows LSASS (MS04-011) exploit. The worm will attempt to harvest email addresses from the local hard disk by scanning files.
5 | Mytob-GH | Win32 Worm | Stable | November 2005 | A variant of the mass-mailing worm that disables security related programs and allows others to access the infected system. This version sends itself to email addresses harvested from the system, forging the sender's address.
6 | Nyxum-D | Win32 Worm | Stable | March 2006 | A mass-mailing worm that turns off anti-virus, deletes files, downloads code from the internet, and installs in the registry. This version also harvests email addresses from the infected machine and uses its own emailing engine to forge the sender's address.
7 | Netsky-D | Win32 Worm | Stable | March 2004 | A simplified variant of the Netsky mass-mailing worm in that it does not contain many of the text strings that were present in NetSky.C and it does not copy itself to shared folders. Netsky.D spreads itself in e-mails as an executable attachment only.
8 | Mytob-BE | Win32 Worm | Stable | June 2005 | A slight variant of the mass-mailing worm that utilizes an IRC backdoor, the LSASS vulnerability, and email to propagate. It harvests addresses from the Windows address book, disables antivirus, and modifies data.
9 | Mytob-AS | Win32 Worm | Stable | June 2005 | A slight variant of the mass-mailing worm that disables security related programs and processes, redirects various sites, and changes registry values. This version downloads code from the net and utilizes its own email engine.
10 | Zafi-D | Win32 Worm | Stable | December 2004 | A mass-mailing worm that sends itself to email addresses gathered from the infected computer. The worm may also attempt to lower security settings, terminate processes, and open a back door on the compromised computer.