Summary of Security Items from February 9 through February 15, 2006
The US-CERT Cyber Security Bulletin provides a summary of new and updated vulnerabilities, exploits, trends, and malicious code that have recently been openly reported. Information in the Cyber Security Bulletin is a compilation of open source and US-CERT vulnerability information. As such, the Cyber Security Bulletin includes information published by sources outside of US-CERT and should not be considered the result of US-CERT analysis or as an official report of US-CERT. Although this information does reflect open source reports, it is not an official description and should be used for informational purposes only. The intention of the Cyber Security Bulletin is to serve as a comprehensive directory of pertinent vulnerability reports, providing brief summaries and additional sources for further investigation.
The tables below summarize vulnerabilities that have been reported by various open source organizations or presented in newsgroups and on web sites. Items in bold designate updates that have been made to past entries. Entries are grouped by the operating system on which the reported software operates, and vulnerabilities which affect both Windows and Unix/ Linux Operating Systems are included in the Multiple Operating Systems table. Note, entries in each table are not necessarily vulnerabilities in that operating system, but vulnerabilities in software which operate on some version of that operating system.
Entries may contain additional US-CERT sponsored information, including Common Vulnerabilities and Exposures (CVE) numbers, National Vulnerability Database (NVD) links, Common Vulnerability Scoring System (CVSS) values, Open Vulnerability and Assessment Language (OVAL) definitions, or links to US-CERT Vulnerability Notes. Metrics, values, and information included in the Cyber Security Bulletin which has been provided by other US-CERT sponsored programs, is prepared, managed, and contributed by those respective programs. CVSS values are managed and provided by the US-CERT/ NIST National Vulnerability Database. Links are also provided to patches and workarounds that have been provided by the product’s vendor.
The Risk levels are defined below:
High - Vulnerabilities will be labeled “High” severity if they have a CVSS base score of 7.0-10.0.
Medium - Vulnerabilities will be labeled “Medium” severity if they have a base CVSS score of 4.0-6.9.
Low - Vulnerabilities will be labeled “Low” severity if they have a CVSS base score of 0.0-3.9.
Note that scores provided prior to 11/9/2005 are approximated from only partially available CVSS metric data. Such scores are marked as "Approximated" within NVD. In particular, the following CVSS metrics are only partially available for these vulnerabilities and NVD assumes certain values based on an approximation algorithm: AccessComplexity, Authentication, ConfImpact of 'partial', IntegImpact of 'partial', AvailImpact of 'partial', and the impact biases.
Windows Operating Systems Only
Vendor & Software Name
Description
Common Name
CVSS
Resources
eStara
Softphone 3.0.1.14, 3.0.1.46, 3.0.1.47
Multiple vulnerabilities have been reported in Softphone that could let remote malicious users cause a Denial of Service.
No workaround or patch available at time of publishing.
A Proof of Concept exploit has been published.
eStara Softphone Multiple Denial of Service
Not Available
Security Focus, Bugtraq ID: 16629, February 14, 2006
GAsoft
GA's Forum
An input validation vulnerability has been reported in GA's Forum that could let remote malicious users perform SQL injection.
No workaround or patch available at time of publishing.
A buffer overflow vulnerability has been reported in Windows Media Player, bitmap handling, that could let remote malicious users execute arbitrary code.
Windows Media Player XP, 2000, and Server 2003 various versions
A buffer overflow vulnerability has been reported in Windows Media Player, plugin for non-Microsoft browsers, that could let remote malicious users execute arbitrary code.
Security Focus, Bugtraq ID: 16654, February 14, 2006
Datapark
Search
DataparkSearch Engine 4.16-4.36
A Cross-Site Scripting vulnerability has been reported in the Search template due to insufficient sanitization before returning to the user, which could let a remote malicious user execute arbitrary HTML and script code.
Security Focus, Bugtraq ID: 16572, February 9, 2006
DocMGR
DocMGR 0.54.2 & prior
A file include vulnerability has been reported in 'process.php' due to insufficient verification of the 'includeModule' and 'siteModInfo' parameters before using to include files, which could let a remote malicious user obtain sensitive information and compromise a system.
No workaround or patch available at time of publishing.
There is no exploit code required; however, a Proof of Concept exploit script, docmgr_0542_incl_xpl.php, has been published.
Security Focus, Bugtraq ID: 16601, February 13, 2006
GnuPG
GnuPG / gpg prior to 1.4.2.1
A vulnerability has been reported because 'gpgv' exits with a return code of 0 even if the detached signature file did not carry any signature (when 'gpgv' or 'gpg --verify' is used), which could let a remote malicious user bypass security restrictions.
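The practical lesson of this entry is that a signature check must not rest on the process exit status alone. The following is an added example, not code from GnuPG or from the bulletin: it parses the machine-readable output that `gpg --status-fd 1` produces and accepts only when a `VALIDSIG` line is present (optionally for a pinned key fingerprint) and no failure keyword appears. The status transcripts at the bottom are constructed for the example; the keyword names and the `[GNUPG:]` prefix are GnuPG's real status-fd format.

```python
"""Check a GnuPG --status-fd transcript for a genuine, valid signature.

Added example, not code from GnuPG or from the bulletin. Before 1.4.2.1,
'gpgv' and 'gpg --verify' could exit 0 when the detached-signature file
carried no signature at all, so a caller that trusts only the exit status
accepts an empty or garbage .sig file. The durable check, independent of
that fix, is to run gpg with '--status-fd 1' and require a VALIDSIG line,
optionally pinned to the fingerprint of the key you expect. The status
transcripts below are constructed for the example.
"""
import re
import subprocess
from typing import Iterable, Optional

STATUS_PREFIX = "[GNUPG:] "          # fixed prefix of every status line
VALIDSIG_RE = re.compile(r"^VALIDSIG ([0-9A-Fa-f]{40}) ")
# Any of these means the check must fail regardless of the exit status.
FAILURE_KEYWORDS = {"BADSIG", "ERRSIG", "NODATA", "NO_PUBKEY",
                    "EXPKEYSIG", "REVKEYSIG", "EXPSIG"}


def signature_is_valid(status_lines: Iterable[str],
                       expected_fpr: Optional[str] = None) -> bool:
    """True only if VALIDSIG appears (for the pinned key, if given) and no
    failure keyword appears. An empty transcript is a failure."""
    saw_validsig = False
    for raw in status_lines:
        line = raw.strip()
        if not line.startswith(STATUS_PREFIX):
            continue                      # ordinary gpg chatter, ignore
        body = line[len(STATUS_PREFIX):]
        keyword = body.split(" ", 1)[0]
        if keyword in FAILURE_KEYWORDS:
            return False
        m = VALIDSIG_RE.match(body)
        if m:
            if expected_fpr and m.group(1).upper() != expected_fpr.upper():
                return False              # signed, but not by the pinned key
            saw_validsig = True
    return saw_validsig


def verify_detached(sig_path: str, data_path: str,
                    expected_fpr: Optional[str] = None) -> bool:
    """Run the real gpg (must be on PATH) and apply the check above; the
    process exit status is deliberately not consulted."""
    proc = subprocess.run(
        ["gpg", "--batch", "--status-fd", "1", "--verify", sig_path, data_path],
        capture_output=True, text=True)
    return signature_is_valid(proc.stdout.splitlines(), expected_fpr)


# Constructed transcripts, not real gpg output captured anywhere.
FPR = "A" * 40
SAMPLE_GOOD = [
    "[GNUPG:] NEWSIG",
    "[GNUPG:] GOODSIG 0123456789ABCDEF Example <e@example.org>",
    "[GNUPG:] VALIDSIG " + FPR + " 2006-02-15 1139961600 0 4 0 17 2 00 " + FPR,
    "[GNUPG:] TRUST_UNDEFINED",
]
SAMPLE_BADSIG = ["[GNUPG:] NEWSIG",
                 "[GNUPG:] BADSIG 0123456789ABCDEF Example <e@example.org>"]
SAMPLE_NOSIG = ["[GNUPG:] NODATA 1"]   # file contained no signature packet
```

Pinning `expected_fpr` matters as much as the VALIDSIG requirement: a transcript can be entirely well formed and still describe a signature from a key you never meant to trust.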
A vulnerability has been reported in the IP reassembly code, which could let a remote malicious user enumerate the existence of simulated Honeyd hosts.
Currently we are not aware of any exploits for this vulnerability.
Honeyd IP Reassembly Remote Virtual Host Detection
Not Available
Security Focus, Bugtraq ID: 16595, February 13, 2006
Horde Project
Kronolith 2.0.5, 2.0.4
HTML injection vulnerabilities have been reported due to insufficient sanitization of the calendar name and certain event data fields, which could let a remote malicious user execute arbitrary HTML and script code.
Security Focus, Bugtraq ID: 16584, February 8, 2006
ImageMagick
ImageMagick 6.2.4.5
A vulnerability has been reported in the delegate code used by various ImageMagick utilities when handling an image filename, which could let a remote malicious user execute arbitrary shell commands; and a format string vulnerability has been reported when handling filenames received via command line arguments, which could let a remote malicious user execute arbitrary code.
Ubuntu Security Notice, USN-246-1, January 24, 2006
Debian Security Advisory, DSA-957-1, January 26, 2006
Mandriva Security Advisory, MDKSA-2006:024, January 26, 2006
Gentoo Linux Security Advisory, GLSA 200602-06, February 13, 2006
RedHat Security Advisory, RHSA-2006:0178-4, February 14, 2006
Isode
M-Vault Server 11.3
A vulnerability has been reported due to an error in the LDAP server when handling certain requests, which could let a malicious user cause a Denial of Service and possibly execute arbitrary code.
No workaround or patch available at time of publishing.
A buffer overflow vulnerability has been reported in 'png_set_strip_alpha()' when handling a PNG image file that contains alpha channels, which could let a remote malicious user cause a Denial of Service and potentially compromise a system.
RedHat Security Advisory, RHSA-2006:0205-4, February 13, 2006
Multiple Vendors
Linux kernel 2.6-2.6.15
An integer overflow vulnerability has been reported in 'INVALIDATE_INODE_PAGES2' which could lead to a Denial of Service and possibly execution of arbitrary code.
Fedora Update Notification, FEDORA-2005-1138, December 13, 2005
Mandriva Security Advisory, MDKSA-2006:018, January 20, 2006
SUSE Security Announcement, SUSE-SA:2006:006, February 9, 2006
Multiple Vendors
OpenSSH 3.x, 4.x; RedHat Fedora Core3 & Core4
A vulnerability has been reported in 'scp' when performing copy operations that use filenames due to the insecure use of the 'system()' function, which could let a malicious user obtain elevated privileges.
Security Focus, Bugtraq ID: 16369, January 24, 2006
Fedora Security Advisory, FEDORA-2006-056, January 24, 2006
Trustix Secure Linux Security Advisory, TSLSA-2006-0004, January 27, 2006
Security Focus, Bugtraq ID: 16369, January 31, 2006
Secunia Advisory: SA18798, February 13, 2006
SUSE Security Announcement, SUSE-SA:2006:008, February 14, 2006
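The ImageMagick delegate entry and this 'scp' entry share one defect: a filename that somebody else chose is spliced into a command string and handed to the shell. The block below is an added example, not code from ImageMagick or OpenSSH, showing the vulnerable shape beside two hardened forms. `echo` stands in for the real helper program and the hostile filename is constructed for the example.

```python
"""A filename reaching the shell: the defect shared by the ImageMagick
delegate entry and the OpenSSH 'scp' system() entry above.

Added example, not code from ImageMagick or OpenSSH. In both bugs a
filename chosen by someone else is spliced into a command string that is
handed to /bin/sh, so shell metacharacters inside the name turn into extra
commands. 'echo' stands in for the real helper program, and the hostile
filename is constructed for the example; the hardened versions never let
the shell parse the name.
"""
import shlex
import subprocess

# A filename an attacker controls; ';' ends the intended command in sh.
HOSTILE_NAME = "cat.png; echo INJECTED"


def run_unsafe(filename: str) -> str:
    """Vulnerable: one string, parsed by the shell (like C's system())."""
    cmd = "echo converting " + filename
    return subprocess.run(cmd, shell=True, capture_output=True,
                          text=True).stdout.strip()


def run_safe(filename: str) -> str:
    """Hardened: pass an argv vector; no shell is involved at all."""
    return subprocess.run(["echo", "converting", filename],
                          capture_output=True, text=True).stdout.strip()


def run_quoted(filename: str) -> str:
    """When a shell string is unavoidable (a command sent to a remote
    side, as scp does), quote each argument so metacharacters are inert."""
    cmd = "echo converting " + shlex.quote(filename)
    return subprocess.run(cmd, shell=True, capture_output=True,
                          text=True).stdout.strip()


if __name__ == "__main__":
    print("unsafe :", run_unsafe(HOSTILE_NAME).replace("\n", " | "))
    print("argv   :", run_safe(HOSTILE_NAME))
    print("quoted :", run_quoted(HOSTILE_NAME))
```

Run stand-alone, the unsafe variant prints a second line, `INJECTED`, because the shell executed the tail of the filename as a command; the argv and quoted variants print the filename back literally. Prefer the argv form wherever you control the execution; quoting is the fallback for the remote-command case.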
Multiple Vendors
Linux kernel 2.6.10, 2.6-test9-CVS, 2.6-test1-test11, 2.6, 2.6.1-2.6.11; RedHat Desktop 4.0, Enterprise Linux WS 4, ES 4, AS 4
Multiple vulnerabilities have been reported: a vulnerability was reported in the 'shmctl' function, which could let a malicious user obtain sensitive information; a Denial of Service vulnerability was reported in 'nls_ascii.c' due to the use of incorrect table sizes; a race condition vulnerability was reported in the 'setsid()' function; and a vulnerability was reported in the OUTS instruction on the AMD64 and Intel EM64T architecture, which could let a malicious user obtain elevated privileges.
Trustix Secure Linux Security Advisory, 2006-0006, February 10, 2006
Ubuntu Security Notice, USN-250-1, February 13, 2006
Multiple Vendors
Linux kernel 2.6-2.6.14
Multiple vulnerabilities have been reported: a Denial of Service vulnerability was reported in 'mm/mempolicy.c' when handling the policy system call; a remote Denial of Service vulnerability was reported in 'net/ipv4/fib_frontend.c' when validating the header and payload of fib_lookup netlink messages; an off-by-one buffer overflow vulnerability was reported in 'kernel/sysctl.c,' which could let a malicious user cause a Denial of Service and potentially execute arbitrary code; and a buffer overflow vulnerability was reported in the DVB (Digital Video Broadcasting) driver subsystem, which could let a malicious user cause a Denial of Service or potentially execute arbitrary code.
SUSE Security Announcement, SUSE-SA:2006:006, February 9, 2006
Multiple Vendors
Linux kernel 2.6-2.6.14.4; SuSE Linux Professional 10.0 OSS, 10.0, Linux Personal 10.0 OSS
A vulnerability has been reported in the NFS implementation due to insufficient validation of remote user privileges before setting ACLs, which could let a remote malicious user bypass access controls.
Security Focus, Bugtraq ID: 16283, January 17, 2006
RedHat Security Advisory, RHSA-2006:0101-9, January 17, 2006
Ubuntu Security Notice, USN-244-1, January 18, 2006
SUSE Security Announcement, SUSE-SA:2006:006, February 9, 2006
Multiple Vendors
RedHat Enterprise Linux WS 4, ES 4, AS 4, Desktop 4.0; GNU Libtasn1 prior to 1.2.10, GnuTLS prior to 1.2.10
A remote Denial of Service vulnerability has been reported due to improper decoding of DER encoded data. This could possibly lead to the execution of arbitrary code.
Security Tracker Alert ID: 1015612, February 11, 2006
RedHat Security Advisory, RHSA-2006:0207-01, February 10, 2006
Fedora Update Notification, FEDORA-2006-107, February 10, 2006
Mandriva Security Advisory, MDKSA-2006:039, February 13, 2006
NeoMail
NeoMail 1.28
A vulnerability has been reported in 'neomail-prefs.pl' due to insufficient validation of the Session ID in the 'addfolder()' and 'deletefolder()' parameters, which could let a remote malicious user bypass certain security restrictions.
Several vulnerabilities have been reported: a remote Denial of Service vulnerability was reported in the SQL logging facility; and a vulnerability was reported in 'pam_get_item()' due to a double-free error in the authentication and authentication token alteration code when handling a pointer, which could let a remote malicious user cause a Denial of Service and potentially execute arbitrary code.
A format string vulnerability has been reported in 'powerd.c' when logging input received via the 'WHATIDO' command, which could let a remote malicious user execute arbitrary code.
No workaround or patch available at time of publishing.
An exploit script, gexp-powerd.c, has been published.
An information disclosure vulnerability has been reported in 'PATH_INFO' when it contains multiple '/' at the beginning, which could let a remote malicious user obtain sensitive information.
No workaround or patch available at time of publishing.
A vulnerability has been reported in the 'rshd' server when storing forwarded credentials due to an unspecified error, which could let a malicious user obtain elevated privileges.
Security Tracker Alert ID: 1015591, February 7, 2006
Ubuntu Security Notice, USN-247-1, February 09, 2006
scponly
scponly 4.1 & prior
Several vulnerabilities have been reported: a vulnerability was reported in 'scponlyc' due to a design error, which could let a malicious user execute arbitrary code with root privileges; and a vulnerability was reported due to an error in the validation of user-supplied command line, which could let a malicious user bypass security restrictions.
Gentoo Linux Security Advisory, GLSA 200512-17, December 29, 2005
Debian Security Advisory, DSA-969-1, February 13, 2006
Siteframe
Siteframe Beaumont 5.0.1
A Cross-Site Scripting vulnerability has been reported in 'search.php' due to insufficient sanitization of the 'q' parameter before returning to the user, which could let a remote malicious user execute arbitrary HTML and script code.
No workaround or patch available at time of publishing.
There is no exploit code required; however, a Proof of Concept exploit has been published.
Security Focus, Bugtraq ID: 16596, February 13, 2006
Sun Microsystems, Inc.
Solaris 10.0 x86, 10.0
A vulnerability has been reported in 'in.rexecd' due to an unspecified error, which could let a malicious user execute arbitrary commands with elevated privileges on Kerberos systems.
SuSE Security Announcement, SUSE-SA:2006:005, January 25, 2006
Debian Security Advisory, DSA-975-1, February 15, 2006
SuSE
Novell Linux Desktop 9.0, Linux Professional 10.0 OSS, 9.3 x86_64, 9.3, 9.2 x86_64, 9.2, 9.1 x86_64, 9.1, 9.0 x86_64, 9.0, Linux Personal 10.0 OSS, 9.3 x86_64, 9.3, 9.2 x86_64, 9.2, 9.1 x86_64, 9.1, 9.0 x86_64, 9.0
A vulnerability has been reported because LD sometimes leaves empty RPATH components in certain binaries; an empty RPATH component makes the dynamic linker search the current working directory for shared libraries, which could let a malicious user execute arbitrary code.
SuSE Security Announcement, SUSE-SA:2006:007, February 10, 2006
Virtual Hosting Control System
Virtual Hosting Control System 2.4.7.1, 2.4.6.2, 2.2
Multiple vulnerabilities have been reported: a Cross-Site Scripting vulnerability was reported in the login page due to insufficient sanitization of the username field before storing in the admin log, which could let a remote malicious user execute arbitrary HTML and script code; a vulnerability was reported in the 'gui/admin/change_password.php' script due to insufficient validation of the user's password before allowing the password to be changed, which could let a remote malicious user bypass authentication; a vulnerability was reported in 'gui/include/login.php' due to insufficient termination of the 'check_login()' function when the user session validation fails, which could let a remote malicious user bypass authentication; and a vulnerability was reported in the 'gui/admin/add_user.php' script due to insufficient validation of user's rights before allowing admin users to be added, which could let a remote malicious user add new admin users to the system.
Patches available (this does not fix the 'gui/admin/change_password.php' script vulnerabilities)
There is no exploit code required; however, Proof of Concept exploits and an exploit script, rs_vhcs_simple_poc.html, have been published.
Virtual Hosting Control System Multiple Input Validation & Access Validation
Multiple Operating Systems - Windows / UNIX / Linux / Other
Vendor & Software Name
Description
Common Name
CVSS
Resources
2200net Calendar
2200net Calendar 1.2
SQL injection vulnerabilities have been reported in 'main.php' due to insufficient sanitization of the 'username' and 'password' fields during login and the 'fm_data[id]' parameter before using in an SQL query, which could let a remote malicious user execute arbitrary SQL code.
No workaround or patch available at time of publishing.
Several vulnerabilities have been reported: a vulnerability was reported in the loaders script, (load_*.php) due to insufficient sanitization of user-supplied input, which could let a remote malicious user obtain sensitive information; and a vulnerability was reported due to insufficient sanitization of the filenames of uploaded files, which could let a remote malicious user execute arbitrary PHP code.
Security Focus, Bugtraq ID: 16603, February 13, 2006
Chain Reaction Edition
CRE Loaded 6.15
A vulnerability has been reported in the '/admin/htmlarea/popups/file/files.php' script due to insufficient authentication, which could let a remote malicious user upload/create/delete arbitrary files.
A vulnerability has been reported when the devices have been configured to authenticate users against an external TACACS+ server but an external TACACS+ server is not specified in the configuration using the tacacs-server host command, which could let a remote malicious user obtain unauthorized access to devices or obtain elevated privileges.
Cisco Security Advisory, cisco-SA-20060215, February 15, 2006
Clever Copy
Clever Copy 2.0 a, 2.0
An HTTP injection vulnerability has been reported due to insufficient sanitization of the 'Referer' and 'X-Forwarded-For' HTTP headers before using, which could let a remote malicious user execute arbitrary HTML and script code.
No workaround or patch available at time of publishing.
There is no exploit code required; however, a Proof of Concept exploit has been published.
An SQL injection vulnerability has been reported in 'index.php' due to insufficient sanitization of user-supplied input before using in an SQL query, which could let a remote malicious user execute arbitrary SQL code.
The vendor has released a hotfix to address this issue. Contact the vendor for further information.
Security Focus, Bugtraq ID: 15956, December 19, 2005
Security Focus, Bugtraq ID: 15956, February 8, 2006
CPAINT
CPAINT prior to 2.0.3
A Cross-Site Scripting vulnerability has been reported due to insufficient sanitization of the 'cpaint_response_type' parameter in a script using the affected library, which could let a remote malicious user execute arbitrary HTML and script code.
GulfTech Security Research Team Advisory, February 9, 2006
CPG-Nuke
Dragonfly CMS 9.0.6 .1
A file include vulnerability has been reported in the 'install.php' script due to insufficient validation of the 'newlang' parameter and in the 'installlang' cookie parameter, which could let a remote malicious user execute arbitrary PHP code.
There is no exploit code required; however, Proof of Concept exploit scripts, cpg_dragonfly_exploit.php and dragonfly9.0.6.1_incl_xpl.html, have been published.
Security Tracker Alert ID: 1015601, February 8, 2006
David Barrett
QwikiWiki 1.5
A Cross-Site Scripting vulnerability has been reported in 'search.php' due to insufficient sanitization of the 'query' parameter before returning to the user, which could let a remote malicious user execute arbitrary HTML and script code.
No workaround or patch available at time of publishing.
There is no exploit code required; however, a Proof of Concept exploit has been published.
Security Focus, Bugtraq ID: 16638, February 14, 2006
DeltaScripts
PHP Classifieds 6.20
An SQL injection vulnerability has been reported in 'member_login.php' due to insufficient sanitization of the 'username' and 'password' parameters before using in an SQL query, which could let a remote malicious user execute arbitrary SQL code.
Security Focus, Bugtraq ID: 16642, February 14, 2006
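The 2200net Calendar 'main.php' entry above and this PHP Classifieds 'member_login.php' entry describe the same login-form pattern: username and password concatenated into the SQL text. The block below is an added example, not code from either product; it builds a throwaway sqlite3 table, shows the string-built query being bypassed by two constructed payloads, and shows the parameterized query rejecting them.

```python
"""Login-form SQL injection: the pattern reported against 2200net
Calendar's 'main.php' and PHP Classifieds' 'member_login.php' above.

Added example, not code from either product. The table, the one member
row and the attacker inputs are constructed here, and an in-memory sqlite3
database stands in for the application's database. The vulnerable query
interpolates the submitted username and password into SQL text; the
hardened one binds them as parameters, so the database never parses them
as SQL. Passwords are stored in clear only to keep the example short.
"""
import sqlite3


def make_db() -> sqlite3.Connection:
    con = sqlite3.connect(":memory:")
    con.execute("CREATE TABLE members (id INTEGER PRIMARY KEY, "
                "username TEXT NOT NULL, password TEXT NOT NULL)")
    con.execute("INSERT INTO members (username, password) "
                "VALUES ('alice', 's3cret')")
    con.commit()
    return con


def login_vulnerable(con: sqlite3.Connection, username: str, password: str) -> bool:
    """String-built query: the user's text becomes part of the SQL."""
    sql = ("SELECT id FROM members WHERE username = '%s' AND password = '%s'"
           % (username, password))
    return con.execute(sql).fetchone() is not None


def login_parameterized(con: sqlite3.Connection, username: str, password: str) -> bool:
    """Bound parameters: the user's text is only ever compared as data."""
    sql = "SELECT id FROM members WHERE username = ? AND password = ?"
    return con.execute(sql, (username, password)).fetchone() is not None


# Two classic payloads (constructed): a tautology that makes the WHERE
# clause always true, and a comment sequence that truncates the password
# check so only the username is compared.
TAUTOLOGY = "' OR '1'='1"
COMMENT_OUT = "alice' --"
```

With `TAUTOLOGY` in both fields the vulnerable query reads `... WHERE username = '' OR '1'='1' AND password = '' OR '1'='1'`, which matches every row; with `COMMENT_OUT` as the username the trailing `--` comments out the password comparison. The parameterized version compares those same strings as literal values and finds no row.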
Dotproject
Dotproject 2.0.1, 2.0
Several vulnerabilities have been reported: a file include vulnerability was reported in the 'baseDir' parameter in '/includes/db_adodb.php,' '/includes/db_connect.php,' '/includes/session.php,' '/modules/admin/vw_usr_roles.php,' '/modules/public/calendar.php,' and '/modules/public/date_format.php' due to insufficient verification before using to include files, which could let a remote malicious user execute arbitrary code; a file include vulnerability was reported in the 'dPconfig[root_dir]' parameter in '/modules/projects/gantt.php,' '/modules/projects/gantt2.php,' '/modules/projects/vw_files.php,' and '/modules/tasks/gantt.php' due to insufficient verification before using to include files, which could let a remote malicious user execute arbitrary code; a vulnerability was reported when accessing '/docs/phpinfo.php' and '/docs/check.php' which could lead to the disclosure of system configuration information; and a vulnerability was reported when PHP 'display_errors' is enabled and '/db/' directory files are accessed with certain parameters, which could let a remote malicious user obtain sensitive information.
No workaround or patch available at time of publishing.
There is no exploit code required; however, Proof of Concept exploits have been published.
Dotproject File Include & Information Disclosure
Not Available
Secunia Advisory: SA18879, February 15, 2006
e107.org
e107 website system 0.x
HTML injection vulnerabilities have been reported due to insufficient sanitization of certain BBcode before using, which could let a remote malicious user execute arbitrary HTML and script code.
Several vulnerabilities have been reported: a Directory Traversal vulnerability was reported due to insufficient sanitization of user-supplied input, which could let a remote malicious user obtain sensitive information; and a file include vulnerability was reported due to insufficient sanitization of user-supplied input, which could let a remote malicious user include arbitrary files.
The vendor has released an update to address this issue. Please contact the vendor for further information.
There is no exploit code required; however, a Proof of Concept exploit has been published.
Security Focus, Bugtraq ID: 16580, February 13, 2006
Fortinet
FortiOS 3.0 beta, 2.8 MR10
Several vulnerabilities have been reported: a vulnerability was reported because the URL blocking functionality can be bypassed, which could let a remote malicious user bypass URL filtering; and a vulnerability was reported because the virus scanning functionality can be bypassed when FTP files are sent under certain conditions, which could let a remote malicious user bypass antivirus protection.
No workaround or patch available at time of publishing.
There is no exploit code required; however, Proof of Concept exploit scripts, http_req.pl and Fortinet-url.txt, have been published.
A Cross-Site Scripting vulnerability has been reported in 'header.php' due to insufficient sanitization of the 'pagetitle' parameter before returning to the user, which could let a remote malicious user execute arbitrary HTML and script code.
No workaround or patch available at time of publishing.
There is no exploit code required; however, a Proof of Concept exploit has been published.
Security Focus, Bugtraq ID: 16608, February 13, 2006
Hinton Design
phphd 1.0
Multiple vulnerabilities have been reported: an SQL injection vulnerability was reported in 'check.php' due to insufficient sanitization of the 'username' parameter during login and other unspecified parameters, which could let a remote malicious user execute arbitrary SQL code; a vulnerability was reported in 'check.php' due to an error in the authentication process, which could let a remote malicious user bypass the authentication process; and a Cross-Site Scripting vulnerability was reported in 'add.php' due to insufficient sanitization of unspecified parameters before returning to the user, which could let a remote malicious user execute arbitrary HTML and script code.
No workaround or patch available at time of publishing.
Multiple vulnerabilities have been reported: an SQL injection vulnerability was reported in the 'username' parameter due to insufficient sanitization before using in an SQL query, which could let a remote malicious user execute arbitrary SQL code; a vulnerability was reported in 'check.php' due to an error in the authentication process, which could let a remote malicious user obtain unauthorized access; a Cross-Site Scripting vulnerability was reported in 'link_edited.php' and 'link_added.php' due to insufficient sanitization before using, which could let a remote malicious user execute arbitrary HTML and script code.
No workaround or patch available at time of publishing.
Multiple vulnerabilities have been reported: an SQL injection vulnerability was reported in 'check.php' due to insufficient sanitization of the 'username' parameter during login before using in an SQL query, which could let a remote malicious user execute arbitrary SQL code; a vulnerability was reported in 'check.php' due to an error in the authentication process, which could let a remote malicious user bypass the authentication process; and a Cross-Site Scripting vulnerability was reported in the administration section due to insufficient sanitization of unspecified parameters and scripts before returning to the user, which could let a remote malicious user execute arbitrary HTML and script code.
No workaround or patch available at time of publishing.
Hitachi Business Logic - Container 03-00-/B, 03-00, 02-03
Several vulnerabilities have been reported: a Cross-Site Scripting vulnerability was reported due to insufficient sanitization of unspecified input before returning to the user, which could let a remote malicious user execute arbitrary HTML and script code; and an SQL injection vulnerability was reported due to insufficient sanitization of unspecified input before using in an SQL query, which could let a remote malicious user execute arbitrary SQL code.
HS06-002, Hitachi Security Advisory, February 13, 2006
HiveMail
HiveMail 1.2.2, 1.3 RC1, 1.3 Beta 1, 1.3
Several vulnerabilities have been reported: a vulnerability was reported in 'addressbook.update.php' due to insufficient sanitization of the 'contactgroupid' parameter, in 'addressbook.add.php' due to insufficient sanitization of the 'messageid' parameter, in 'folders.update.php' due to insufficient sanitization of the 'folderid' parameter, and in the 'calendar.event.php,' 'index.php,' 'pop.download.php,' 'read.bounce.php,' 'rules.block.php' and 'language.php' scripts due to insufficient sanitization, which could let a remote malicious user execute arbitrary PHP code; and a Cross-Site Scripting and SQL injection vulnerability was reported due to insufficient sanitization of the '$_SERVER['PHP_SELF']' references, which could let a remote malicious user execute arbitrary HTML, script code, and SQL code.
No workaround or patch available at time of publishing.
Proof of Concept exploits have been published.
HiveMail Multiple Vulnerabilities
Not Available
GulfTech Security Research Team Advisory, February 10, 2006
IBM
Domino Web Access 6.5.1-6.5.4, 6.0.1-6.0.5, 7.0, 6.5, 6.0
Multiple vulnerabilities have been reported: a vulnerability was reported because attached files can be opened in the context of the site if the user clicks on them, which could lead to the execution of arbitrary JavaScript code; a vulnerability was reported due to insufficient sanitization of the email subject before displaying to the user as the browser title, which could lead to the execution of arbitrary JavaScript; a vulnerability was reported because it is possible to bypass certain security checks related to 'javascript:' URLs, which could lead to the execution of arbitrary JavaScript code; a vulnerability was reported due to insufficient sanitization of the attachment filename before displaying to the user, which could lead to the execution of arbitrary JavaScript; and a remote Denial of Service vulnerability was reported in the LDAP service when processing bind requests due to a NULL pointer dereference.
Multiple vulnerabilities have been reported: a vulnerability was reported in 'kvarcve.dll' when constructing the full pathname of a compressed file to check for its existence before extracting it from a ZIP archive, which could let a remote malicious user execute arbitrary code; a vulnerability was reported in 'uudrdr.dll' when handling 'UUE' files that contain an encoded file with an overly long filename, which could let a remote malicious user execute arbitrary code; a Directory Traversal vulnerability was reported in 'kvarcve.dll' when generating the preview of a compressed file from ZIP, UUE, and TAR archives, which could let a remote malicious user delete arbitrary files; a vulnerability was reported in the 'TAR' reader when extracting files from a TAR archive that contain a long filename, which could let a remote malicious user execute arbitrary code; a vulnerability was reported in the HTML speed reader due to a boundary error, which could let a remote malicious user execute arbitrary code; and a vulnerability was reported in the HTML speed reader when checking if a link references a local file due to a boundary error, which could let a remote malicious user execute arbitrary code.
These issues have been addressed in Lotus Notes versions 6.5.5 and 7.0.1. Please contact the vendor to obtain fixes.
Currently we are not aware of any exploits for these vulnerabilities.
Multiple vulnerabilities have been reported: a vulnerability was reported in the 'dir.php' and 'readfolder.php' scripts, which could let a remote malicious user obtain sensitive information; a Cross-Site Scripting vulnerability was reported in 'index.php' due to insufficient sanitization of the 'bgcol' parameter before returning to the user, which could let a remote malicious user execute arbitrary HTML and script code; and a vulnerability was reported in 'admin.upload.php' due to insufficient sanitization of the file extension, which could let a remote malicious user upload arbitrary files.
No workaround or patch available at time of publishing.
A remote Denial of Service vulnerability has been reported in user registration.
No workaround or patch available at time of publishing.
There is no exploit code required; however, a Proof of Concept exploit script, IPB_sedXPL.pl, has been published.
Invision Power Board User Registration Remote Denial of Service
Not Available
Security Focus, Bugtraq ID: 16616, February 14, 2006
Lawrence Osiris
DB_eSession 1.0.2
An SQL injection vulnerability was reported due to insufficient sanitization of the 'deleteSession()' function before using in an SQL query, which could let a remote malicious user execute arbitrary SQL code.
No workaround or patch available at time of publishing.
There is no exploit code required; however, a Proof of Concept exploit has been published.
Lawrence Osiris DB_eSession SQL Injection
Not Available
Security Focus, Bugtraq ID: 16598, February 13, 2006
LinPHA
LinPHA 0.9.0-0.9.4, 1.0
A vulnerability has been reported in 'docs/index.php' due to insufficient verification of the 'lang' parameter before used to include files, which could let a remote malicious user include arbitrary files and execute arbitrary PHP code.
No workaround or patch available at time of publishing.
A Proof of Concept exploit script, linpha_10_local.txt, has been published.
A Cross-Site Scripting vulnerability has been reported in 'config_defaults_inc.php' due to insufficient sanitization, which could let a remote malicious user execute arbitrary HTML and script code.
Security Focus, Bugtraq ID: 16561, February 9, 2006
Mantis
Mantis 1.00rc4 & prior
Multiple input validation vulnerabilities have been reported including Cross-Site Scripting in 'view_all_set.php,' 'manage_user_page.php,' and 'proj_doc_delete.php' and SQL injection in 'manage_user_page.php' due to insufficient sanitization of user-supplied input, which could let a remote malicious user execute arbitrary HTML, script code, and SQL code.
There is no exploit code required; however, Proof of Concept exploits have been published.
Mantis Multiple Input Validation
Not Available
BuHa Security-Advisory #7, February 14, 2006
Metamail
Metamail 2.7
A buffer overflow vulnerability has been reported when handling boundary headers within email messages, which could let a remote malicious user execute arbitrary code.
No workaround or patch available at time of publishing.
Security Focus, Bugtraq ID: 16611, February 13, 2006
Multiple Vendors
Flyspray 0.9.7;
Enterprise Groupware Systems EGS 1.0 rc4
A file include vulnerability has been reported in the ADODBPath due to insufficient sanitization of user-supplied input, which could let a remote malicious user include arbitrary files.
No workaround or patch available at time of publishing.
There is no exploit code required; however, Proof of Concept exploit scripts, egs_10rc4_php5_incl_xpl.php and flyspray_097_php5_incl_xpl.php, have been published.
Security Focus, Bugtraq ID: 16618, February 14, 2006
Multiple Vendors
SSH Communications SSH Tectia Server 4.4.0 (A & T), 4.3.6 (A & T) & prior, SSH Secure Shell Server 3.2.9 & prior; Attachmate WRQ Reflection for Secure IT UNIX Server version 6.0, Windows Server version 6.0
A vulnerability has been reported in the SFTP component during logging of accessed file names due to an unspecified error, which could let a remote malicious user execute arbitrary code.
A remote Denial of Service vulnerability has been reported in the 'squid_redirect' script when handling URLs that contain a large number of forward slashes.
Security Focus, Bugtraq ID: 16558, February 9, 2006
Debian Security Advisory, DSA-966-1, February 9, 2006
Multiple Vendors
Elog Web Logbook prior to 2.5.7 r1558-4;
Debian Linux 3.1, sparc, s/390, ppc, mipsel, mips, m68k, ia-64, ia-32, hppa, arm, amd64, alpha
Multiple vulnerabilities have been reported: several buffer overflow vulnerabilities were reported in 'elogd.c' due to a boundary error, which could let a remote malicious user cause a Denial of Service and possibly execute arbitrary code; a buffer overflow vulnerability was reported in 'elogd.c' when writing to the log file, which could let a remote malicious user cause a Denial of Service or possibly execute arbitrary code; a vulnerability was reported in 'elog.c' and 'elogd.c' because different responses are generated depending on whether or not a username is valid, which could let a remote malicious user obtain sensitive information; and a remote Denial of Service vulnerability was reported in 'elogd.c' when handling the 'fail' parameter.
Debian Security Advisory, DSA-967-1, February 10, 2006
Multiple Vendors
PostNuke Development Team PostNuke 0.761; moodle 1.5.3; Mantis 1.0.0RC4, 0.19.4; Cacti 0.8.6 g; ADOdb 4.68, 4.66; AgileBill 1.4.92 & prior
Several vulnerabilities have been reported: an SQL injection vulnerability was reported in the 'server.php' test script, which could let a remote malicious user execute arbitrary SQL code and PHP script code; and a vulnerability was reported in the 'tests/tmssql.php' test script, which could let a remote malicious user call an arbitrary PHP function.
Security Focus, Bugtraq ID: 16621, February 14, 2006
Nicecoder
indexu 5.0.1, 5.0
A file include vulnerability has been reported in 'Application.PHP' due to insufficient verification of the 'base_path' parameter, which could let a remote malicious user execute arbitrary code.
No workaround or patch available at time of publishing.
There is no exploit code required; however, a Proof of Concept exploit has been published.
Several vulnerabilities have been reported: a vulnerability was reported in the Bluetooth stack when handling certain requests, which could lead to a remote Denial of Service or a 'System Error' message displayed; and a remote Denial of Service vulnerability was reported in the Bluetooth stack when handling short malformed L2CAP packets.
No workaround or patch available at time of publishing.
Exploit scripts, loop.sh and replay_l2cap_packet_nokiaN70.c, have been
Nokia Cell Phones Bluetooth Denials of Service
Not Available
Secunia Advisory: SA18724, February 14, 2006
OTRS
OTRS (Open Ticket Request System) 2.0.0-2.0.3, 1.3.2, 1.0.0
Several vulnerabilities have been reported: an SQL injection vulnerability was reported in the 'login' function due to insufficient sanitization of the 'login' parameter before using in an SQL query, which could let a remote malicious user execute arbitrary SQL code; an SQL injection vulnerability was reported in the 'AgentTicketPlain' function due to insufficient sanitization of the 'TicketID' and 'ArticleID' parameters before using in an SQL query, which could let a remote malicious user execute arbitrary SQL code; a Cross-Site Scripting vulnerability was reported due to insufficient sanitization of HTML email attachments before displaying, which could let a remote malicious user execute arbitrary HTML and script code; and a Cross-Site Scripting vulnerability was reported in 'index.pl' due to insufficient sanitization of the 'QueueID' and 'Action' parameters before returning to the user, which could let a remote malicious user execute arbitrary HTML and script code.
OTRS Security Advisory, OSA-2005-01, November 22, 2005
SUSE Security Summary Report, SUSE-SR:2005:030, December 16, 2005
Debian Security Advisory, DSA-973-1, February 15, 2006
Papoo
Papoo 2.1.2
Cross-Site Scripting vulnerabilities have been reported in new account registration due to insufficient sanitization of the username field, which could let a remote malicious user execute arbitrary HTML and script code.
No workaround or patch available at time of publishing.
There is no exploit code required; however, Proof of Concept exploits have been published.
Security Focus, Bugtraq ID: 16573, February 9, 2006
PHP iCalendar
PHP iCalendar 2.0.1, 2.1, 2.0
A file include vulnerability has been reported in 'functions/template.php' due to insufficient verification of the 'file' parameter and in 'search.php' due to insufficient verification of the 'getdate' parameter, which could let a remote malicious user execute arbitrary PHP code.
A Cross-Site Scripting vulnerability has been reported due to insufficient sanitization of the 'URL' field, which could let a remote malicious user execute arbitrary HTML and script code.
Security Focus, Bugtraq ID: 16615, February 14, 2006
PHP-MySQL Timesheet
PHP-MySQL Timesheet 2.0, 1.0
SQL injection vulnerabilities have been reported due to insufficient sanitization of the 'yr,' 'month,' 'day,' and 'job' parameters before using in an SQL query, which could let a remote malicious user execute arbitrary SQL code.
No workaround or patch available at time of publishing.
A vulnerability has been reported in 'prepend.php' due to insufficient verification of the '_PX_config[manager_path]' parameter before using to include files, which could let a remote malicious user include arbitrary files.
No workaround or patch available at time of publishing.
Security Focus, Bugtraq ID: 16662, February 15, 2006
PostgreSQL
PostgreSQL 8.1.2, 8.1.1, 8.1
Several vulnerabilities have been reported: a vulnerability was reported in the 'SET ROLE' command when previous role settings are restored after an error, which could let a malicious user obtain superuser privileges; and a Denial of Service vulnerability was reported due to an error in the 'SET SESSION AUTHORIZATION' command if compiled with 'Asserts' enabled.
An SQL injection vulnerability has been reported in 'index.php' due to insufficient sanitization before using in an SQL query, which could let a remote malicious user execute arbitrary SQL code.
No workaround or patch available at time of publishing.
There is no exploit code required; however, a Proof of Concept exploit and an exploit script, PwsPHP_SQL_Inj.php, have been published.
Security Focus, Bugtraq ID: 16567, February 9, 2006
Reamday Enterprises
Magic Calendar Lite 1.02
An SQL injection vulnerability has been reported in 'cms/index.php' due to insufficient sanitization of the 'total_login' and 'total_password' parameters before using in an SQL query, which could let a remote malicious user execute arbitrary SQL code.
No workaround or patch available at time of publishing.
Several vulnerabilities have been reported: a file include vulnerability was reported in 'preview.php' due to insufficient verification of the 'php_script_path' parameter before it is used to include files, which could let a remote malicious user include arbitrary files; and a vulnerability was reported in 'profile.php' due to insufficient initialization of the '$passwd,' '$admin_password,' '$new_passwd,' and '$confirm_passwd' variables, which could let a remote malicious user change the administrator's password.
No workaround or patch available at time of publishing.
There is no exploit code required.
Reamday Enterprises Magic News Lite File Include & Profile Update
Multiple vulnerabilities have been reported regarding the overwriting of application variables due to insufficient initialization of various application variables, which could let a remote malicious user obtain administrative access.
No workaround or patch available at time of publishing.
Security Focus, Bugtraq ID: 16665, February 15, 2006
Research In Motion
Blackberry Enterprise Server for Novell Groupwise 4.0, SP1-SP3, Blackberry Enterprise Server for Exchange 4.0, SP1-SP3, 3.6.1, 3.6 SP4 Hot Fix 2, 3.6 SP 1a, 3.6, Blackberry Enterprise Server for Domino 4.0, SP1-SP3, 2.2 SP4 Hot Fix 2, 2.2 SP4, SP3a, SP2a, SP2, 2.2
A buffer overflow vulnerability has been reported in the BlackBerry Attachment Service when processing a malformed Word document, which could let a remote malicious user execute arbitrary code.
Currently we are not aware of any exploits for this vulnerability.
BlackBerry Enterprise Server Malformed Word Attachment Buffer Overflow
Not Available
BlackBerry Knowledge Base Article, KB-04791, February 9, 2006
Roberto Butti
CALimba 0.99.2 beta & prior
SQL injection vulnerabilities have been reported in 'rb/cls/rb_auth.php' due to insufficient sanitization of the 'login' and 'password' parameters before using in an SQL query, which could let a remote malicious user execute arbitrary SQL code.
No workaround or patch available at time of publishing.
An SQL injection vulnerability has been reported in '/modules/messages/pmlite.php' due to insufficient sanitization of the 'to_userid' parameter before using in an SQL query, which could let a remote malicious user execute arbitrary SQL code.
No workaround or patch available at time of publishing.
Currently we are not aware of any exploits for this vulnerability.
Several vulnerabilities have been reported: a vulnerability was reported in the 'FCKEDITOR' connector because it is possible to upload arbitrary files, which could let a remote malicious user execute arbitrary PHP code; and a vulnerability was reported in 'class.forumposts.php' due to insufficient verification of the 'bbPath[path]' parameter and in 'forumpollrenderer.php' due to insufficient verification of the 'xoopsConfig[language]' parameter, which could let a remote malicious user include arbitrary files.
Multiple vulnerabilities have been reported: a vulnerability was reported in 'edituser.php' due to insufficient credential validation, which could let a remote malicious user modify data; SQL injection vulnerabilities were reported in several unspecified parameters before using in an SQL query, which could let a remote malicious user execute arbitrary SQL code; and a Cross-Site Scripting vulnerability was reported in the Registration Form due to insufficient sanitization of the UserName field before saving, which could let a remote malicious user execute arbitrary HTML and script code.
No workaround or patch available at time of publishing.
Security Focus, Bugtraq ID: 16630, February 14, 2006
scriptme
SmE GB Host 1.21
An SQL injection vulnerability has been reported in 'login.php' due to insufficient sanitization of user-supplied input, which could let a remote malicious user execute arbitrary SQL code.
No workaround or patch available at time of publishing.
There is no exploit code required.
Scriptme SmE GB Host SQL Injection
Not Available
Security Focus, Bugtraq ID: 16609, February 13, 2006
scriptme
SmE GB Host 1.21, SmE Blog Host 0
A Cross-Site Scripting vulnerability has been reported in the BBcode URL tag due to insufficient sanitization of user-supplied input, which could let a remote malicious user execute arbitrary HTML and script code.
No workaround or patch available at time of publishing.
Security Focus, Bugtraq ID: 16585, February 13, 2006
Softcomplex
PHP Event Calendar 1.5
An HTML injection vulnerability has been reported due to insufficient sanitization of the 'username' and 'password' fields when updating user information before storing, which could let a remote malicious user execute arbitrary HTML and script code.
No workaround or patch available at time of publishing.
Security Focus, Bugtraq ID: 16588, February 13, 2006
Solucija
sNews 1.3
Multiple input validation vulnerabilities have been reported due to insufficient sanitization of unspecified input, which could let a remote malicious user execute arbitrary HTML, script code, and SQL code.
No workaround or patch available at time of publishing.
There is no exploit code required; however, Proof of Concept exploits have been published.
Security Focus, Bugtraq ID: 16647, February 14, 2006
SPIP
SPIP 1.8.2g & prior
Several vulnerabilities have been reported: a vulnerability was reported in 'spip_rss.php' due to insufficient validation of user-supplied input, which could let a remote malicious user execute arbitrary PHP code; and an SQL injection vulnerability was reported in 'spip_acces_doc.php3' due to insufficient validation of the 'file' parameter, which could let a remote malicious user execute arbitrary SQL code.
No workaround or patch available at time of publishing.
There is no exploit code required; however, Proof of Concept exploits and an exploit script, spip_182g_shell_
inj_xpl.php, have been published.
Seven vulnerabilities have been reported in Sun Java JRE (Java Runtime Environment) due to various unspecified errors in the 'reflection' APIs, which could let a remote malicious user compromise a user's system.
Sun ONE Directory Server 5.2 patch 3 & patch 4, 5.2, 5.2 2005Q1, Java System Directory Server 5.2 2004Q2, 5.2 2003Q4, Sun Java System Directory Server 5.2
A remote Denial of Service vulnerability has been reported due to a failure to handle malformed network traffic.
No workaround or patch available at time of publishing.
There is no exploit code required; however, a Proof of Concept exploit has been published.
Sun ONE Directory Server Remote Denial of Service
Not Available
Security Focus, Bugtraq ID: 16550, February 10, 2006
supersmash brothers
IPB Army System 2.1 & prior
An SQL injection vulnerability has been reported in 'army.php' due to insufficient sanitization of the 'userstat' parameter before using in an SQL query, which could let a remote malicious user execute arbitrary SQL code.
No workaround or patch available at time of publishing.
There is no exploit code required; however, exploit scripts, ipb_army_2.1_sql_expl.php and ArmySystem v2.1.txt, have been published.
IPB Army System SQL Injection
Not Available
Security Focus, Bugtraq ID: 16606, February 13, 2006
Valve Software
CSTRIKE Dedicated Server 1.6 Windows, CSTRIKE Dedicated Server 1.6 Linux
A remote Denial of Service vulnerability has been reported in the CSTRIKE dedicated server.
No workaround or patch available at time of publishing.
Exploit scripts, csdos.pl and halfLifeDoS.txt, have been published.
Valve Software Half-Life CSTRIKE Server Remote Denial of Service
Security Focus, Bugtraq ID: 16560, February 9, 2006
WordPress
WordPress 2.0
An HTML injection vulnerability has been reported in the Comment Post section due to insufficient sanitization, which could let a remote malicious user execute arbitrary HTML and script code. This vulnerability has been disputed by the vendor.
No workaround or patch available at time of publishing.
There is no exploit code required; however, a Proof of Concept exploit has been published.
Security Focus, Bugtraq ID: 16656, February 15, 2006
XMB Forum
XMB Forum 1.9-1.9.3, 1.8, SP1-SP3
Multiple input validation vulnerabilities have been reported, including Cross-Site Scripting and SQL injection vulnerabilities, due to insufficient sanitization of user-supplied input, which could let a remote malicious user execute arbitrary HTML, script code, and SQL code.
No workaround or patch available at time of publishing.
There is no exploit code required; however, a Proof of Concept exploit has been published.
XMB Forum Multiple Input Validation
Not Available
Security Focus, Bugtraq ID: 16604, February 13, 2006
Xpdf
Xpdf 3.01
A heap-based buffer overflow vulnerability has been reported when handling PDF splash images with overly large dimensions, which could let a remote malicious user execute arbitrary code.
This section contains wireless vulnerabilities, articles, and malicious code that have been identified during the current reporting period.
BlackBerry Enterprise Server Malformed Word Attachment Buffer Overflow: A corrupt Microsoft Word (.doc) file opened on a BlackBerry® wireless device could potentially provide a means to execute arbitrary code on the BlackBerry Attachment Service component of the BlackBerry Enterprise Server.
RSA turns everyday gadgets into security tokens: RSA Security is expected to announce a new user authentication method designed to replace traditional security tokens with cell phones, PDAs and other devices loaded with RSA's SecurID algorithm.
Wi-Fi for dummies: The average user has no idea of the risks associated with public Wi-Fi hotspots. The article discusses some simple tips to keep network access secure.
This section contains brief summaries and links to articles which discuss or present information pertinent to the cyber security community.
Spyware remains rampant as Winamp exploited: According to a new study by the University of Washington, one in twenty executables on the Internet contains spyware. The study, which sampled more than 20 million Internet addresses, also found other disturbing trends. Among them: one in 62 Internet domains contains "drive-by download attacks," which try to force spyware onto the user's computer simply by visiting the website.
Worms use Google to hunt for victims: According to McAfee's senior vice president for Risk Management, malware authors are increasingly starting to create digital pests that use the Google search engine to find their next victim.
This automated vulnerability detection is the latest trend in a technique that is known as "Google hacking". Google hacking is a technique where online criminals use search engines to find sensitive information on the internet.
Hackers look for holes in hosted applications: According to the co-founder and chief hacking officer of enterprise security specialist eEye, hosted web applications could soon become a target for e-criminals as they gain in popularity among enterprise users. Because hosted applications are run by a third party, research firms are not able to audit that software for vulnerabilities.
A list of high threat viruses, as reported to various anti-virus vendors and virus incident reporting organizations, has been ranked and categorized in the table below. For the purposes of collecting and collating data, infections involving multiple systems at a single location are considered a single infection. It is therefore possible that a virus has infected hundreds of machines but has only been counted once. With the number of viruses that appear each month, it is possible that a new virus will become widely distributed before the next edition of this publication. To limit the possibility of infection, readers are reminded to update their anti-virus packages as soon as updates become available. The table lists the viruses by ranking (number of sites affected), common virus name, type of virus code (i.e., boot, file, macro, multi-partite, script), trends (based on number of infections reported since last week), and approximate date first found.
Rank | Common Name | Type of Code | Trend | Date | Description
1 | Netsky-P | Win32 Worm | Stable | March 2004 | A mass-mailing worm that uses its own SMTP engine to send itself to the email addresses it finds when scanning the hard drives and mapped drives. The worm also tries to spread through various file-sharing programs by copying itself into various shared folders.
2 | Lovgate.w | Win32 Worm | Stable | April 2004 | A mass-mailing worm that propagates by using MAPI as a reply to messages, by using an internal SMTP engine, by dropping copies of itself on network shares, and through peer-to-peer networks. Attempts to access all machines in the local area network.
3 | Mytob-GH | Win32 Worm | Stable | November 2005 | A variant of the mass-mailing worm that disables security-related programs and allows others to access the infected system. This version sends itself to email addresses harvested from the system, forging the sender's address.
4 | Netsky-D | Win32 Worm | Stable | March 2004 | A simplified variant of the Netsky mass-mailing worm in that it does not contain many of the text strings that were present in NetSky.C and it does not copy itself to shared folders. Netsky.D spreads itself in e-mails as an executable attachment only.
5 | Mytob.C | Win32 Worm | Stable | March 2004 | A mass-mailing worm with IRC backdoor functionality which can also infect computers vulnerable to the Windows LSASS (MS04-011) exploit. The worm will attempt to harvest email addresses from the local hard disk by scanning files.
6 | Mytob-BE | Win32 Worm | Stable | June 2005 | A slight variant of the mass-mailing worm that utilizes an IRC backdoor, the LSASS vulnerability, and email to propagate. It harvests addresses from the Windows address book, disables antivirus software, and modifies data.
7 | Sober-Z | Win32 Worm | Stable | December 2005 | This worm travels as an email attachment, forging the sender's address, harvesting addresses from infected machines, and using its own mail engine. It further downloads code from the internet, installs itself into the registry, and reduces overall system security.
8 | Zafi-B | Win32 Worm | Stable | June 2004 | A mass-mailing worm that spreads via e-mail using several different languages, including English, Hungarian and Russian. When executed, the worm makes two copies of itself in the %System% directory with randomly generated file names.
9 | Mytob-AS | Win32 Worm | Stable | June 2005 | A slight variant of the mass-mailing worm that disables security-related programs and processes, redirects various sites, and changes registry values. This version downloads code from the net and utilizes its own email engine.
10 | Zafi-D | Win32 Worm | Stable | December 2004 | A mass-mailing worm that sends itself to email addresses gathered from the infected computer. The worm may also attempt to lower security settings, terminate processes, and open a back door on the compromised computer.