Summary of Security Items from February 2 through February 8, 2006
The US-CERT Cyber Security Bulletin provides a summary of new and updated vulnerabilities, exploits, trends, and malicious code that have recently been openly reported. Information in the Cyber Security Bulletin is a compilation of open source and US-CERT vulnerability information. As such, the Cyber Security Bulletin includes information published by sources outside of US-CERT and should not be considered the result of US-CERT analysis or as an official report of US-CERT. Although this information does reflect open source reports, it is not an official description and should be used for informational purposes only. The intention of the Cyber Security Bulletin is to serve as a comprehensive directory of pertinent vulnerability reports, providing brief summaries and additional sources for further investigation.
The tables below summarize vulnerabilities that have been reported by various open source organizations or presented in newsgroups and on web sites. Items in bold designate updates that have been made to past entries. Entries are grouped by the operating system on which the reported software operates, and vulnerabilities which affect both Windows and Unix/Linux Operating Systems are included in the Multiple Operating Systems table. Note, entries in each table are not necessarily vulnerabilities in that operating system, but vulnerabilities in software that operates on some version of that operating system.
Entries may contain additional US-CERT sponsored information, including Common Vulnerabilities and Exposures (CVE) numbers, National Vulnerability Database (NVD) links, Common Vulnerability Scoring System (CVSS) values, Open Vulnerability and Assessment Language (OVAL) definitions, or links to US-CERT Vulnerability Notes. Metrics, values, and information included in the Cyber Security Bulletin that have been provided by other US-CERT sponsored programs are prepared, managed, and contributed by those respective programs. CVSS values are managed and provided by the US-CERT/NIST National Vulnerability Database. Links are also provided to patches and workarounds that have been provided by the product's vendor.
The Risk levels are defined below:
High - Vulnerabilities will be labeled “High” severity if they have a CVSS base score of 7.0-10.0.
Medium - Vulnerabilities will be labeled “Medium” severity if they have a base CVSS score of 4.0-6.9.
Low - Vulnerabilities will be labeled “Low” severity if they have a CVSS base score of 0.0-3.9.
Note that scores provided prior to 11/9/2005 are approximated from only partially available CVSS metric data. Such scores are marked as "Approximated" within NVD. In particular, the following CVSS metrics are only partially available for these vulnerabilities and NVD assumes certain values based on an approximation algorithm: AccessComplexity, Authentication, ConfImpact of 'partial', IntegImpact of 'partial', AvailImpact of 'partial', and the impact biases.
Windows Operating Systems Only
Vendor & Software Name
Description
Common Name
CVSS
Resources
@Mail Webmail 4.3 for Windows
A directory traversal vulnerability has been reported in @Mail Webmail that could let remote malicious users execute arbitrary code.
A vulnerability has been reported in Internet Explorer, URLMon.DLL, that could let remote malicious users cause a Denial of Service or possibly execute arbitrary code.
No workaround or patch available at time of publishing.
Currently we are not aware of any exploits for this vulnerability.
The Bat! Spoofing
Not Available
Secunia, Advisory: SA18713, February 8, 2006
Symantec
Sygate Management Server 4.1 b1417 and prior
An input validation vulnerability has been reported in Sygate Management Server that could let remote malicious users perform SQL injection or obtain unauthorized access.
A remote Denial of Service vulnerability has been reported in 'l2cap.c' due to an error in the handling of the L2CAP (Logical Link Control and Adaptation Layer Protocol) layer.
No workaround or patch available at time of publishing.
A Proof of Concept exploit script, hcidump-crash.c, has been published.
Several buffer overflow vulnerabilities have been reported: a vulnerability was reported in bogofilter and bogolexer when character set conversion is performed on invalid input sequences, which could let a remote malicious user cause a Denial of Service; and a vulnerability was reported in bogofilter and bogolexer when processing input that contains overly long words, which could let a remote malicious user cause a Denial of Service.
Bogofilter Security Advisories, bogofilter-SA-2005-01 & 02, January 2, 2006
Ubuntu Security Notice, USN-240-1, January 11, 2006
SuSE Security Summary Report, SUSE-SR:2006:003, February 3, 2006
cPanel, Inc.
cPanel 10
Several vulnerabilities have been reported: a Cross-Site Scripting vulnerability was reported due to insufficient sanitization of unspecified user-supplied input before returning to the user, which could let a remote malicious user execute arbitrary HTML and script code; and a Cross-Site Scripting vulnerability was reported in 'mime/handle.html' due to insufficient sanitization of the 'extension' and 'mime-type' parameters, which could let a remote malicious user execute arbitrary HTML and script code.
No workaround or patch available at time of publishing.
There is no exploit code required; however, Proof of Concept exploits have been published.
A buffer overflow vulnerability has been reported in 'conf.c' due to a boundary error in the 'conf_find_file()' function, which could let a malicious user execute arbitrary code.
Security Focus, Bugtraq ID: 15523, November 22, 2005
Ubuntu Security Notice, USN-221-1, December 01, 2005
Gentoo Linux Security Advisory, GLSA 200512-04, December 12, 2005
SUSE Security Announcement, SUSE-SA:2005:070, December 20, 2005
Conectiva Linux Announcement, CLSA-2006:1058, January 2, 2006
Mandriva Security Advisory, MDKSA-2006:020, January 25, 2006
Debian Security Advisory, DSA-965-1, February 6, 2006
Mailback
mailback.pl 1.3.
A vulnerability has been reported due to insufficient sanitization of the 'subject' parameter before it is used to construct an email message, which could let a remote malicious user inject arbitrary mail headers and bypass security restrictions.
Currently we are not aware of any exploits for this vulnerability.
Mailback Mail Header Injection
Not Available
Secunia Advisory: SA18748, February 7, 2006
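Added worked example, not code from the bulletin or from Mailback: how a CR/LF sequence in a form field such as 'subject' becomes extra mail headers (and a replacement body) when the header block is assembled by string concatenation, beside the check that closes the channel. The message layout, addresses and attacker input are constructed for the demonstration.

```python
import re

# Constructed sample inputs (not taken from the advisory). The second one
# carries CRLF sequences that terminate the Subject header early and smuggle
# a Bcc header plus a replacement body into the message.
BENIGN_SUBJECT = "Question about your product"
INJECTED_SUBJECT = (
    "Question about your product\r\n"
    "Bcc: victim@example.com\r\n"
    "\r\n"
    "Unsolicited body text injected through the subject field"
)


class HeaderInjection(ValueError):
    """Raised when a header value would terminate its own line early."""


def build_message_naive(sender, recipient, subject, body):
    """Vulnerable form-mailer logic: submitted values are concatenated
    straight into the header block, so a CR/LF inside any of them ends the
    header it belongs to and whatever follows is parsed as new headers."""
    return (
        f"From: {sender}\r\n"
        f"To: {recipient}\r\n"
        f"Subject: {subject}\r\n"
        "\r\n"
        f"{body}\r\n"
    )


_LINE_BREAK = re.compile(r"[\r\n]")


def safe_header_value(value, max_len=200):
    """Return value unchanged if it can only ever occupy one header line;
    otherwise reject it. CR and LF are the only characters that can end a
    header line, so refusing them removes the injection channel entirely
    (silently stripping them is the weaker option: it hides attack attempts)."""
    if _LINE_BREAK.search(value):
        raise HeaderInjection("CR or LF in header value")
    if len(value) > max_len:
        raise HeaderInjection("header value too long")
    return value


def build_message_safe(sender, recipient, subject, body):
    """Hardened variant: every header value passes through the check. The
    body is not a header and may legitimately contain line breaks."""
    return build_message_naive(
        safe_header_value(sender),
        safe_header_value(recipient),
        safe_header_value(subject),
        body,
    )


def parse_message(raw):
    """Split a raw message into (header names, body) the way a receiving MTA
    would, so the effect of the injection can be checked mechanically."""
    head, _, body = raw.partition("\r\n\r\n")
    names = [line.partition(":")[0].strip().lower() for line in head.split("\r\n")]
    return names, body


def header_names(builder, subject):
    """Build a message with the given builder and report the header names the
    receiving side sees, or None if the builder refused the input."""
    try:
        raw = builder("form@example.org", "owner@example.org", subject, "Hello")
    except HeaderInjection:
        return None
    return parse_message(raw)[0]


if __name__ == "__main__":
    print("naive:", header_names(build_message_naive, INJECTED_SUBJECT))
    print("safe :", header_names(build_message_safe, INJECTED_SUBJECT))
```

The naive builder yields a message whose header block contains a Bcc the site owner never wrote and whose body is the attacker's text; the hardened builder rejects the same input before any message exists.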
MPlayer
MPlayer 1.0pre7try2
Integer overflow vulnerabilities have been reported in the 'new_demux_packet()' function in 'libmpdemux/demuxer.h' and the 'demux_asf_read_packet()' function in 'libmpdemux/demux_asf.c' when allocating memory, which could let a remote malicious user cause a Denial of Service and potentially compromise a system.
No workaround or patch available at time of publishing.
Currently we are not aware of any exploits for this vulnerability.
A buffer overflow vulnerability has been reported in the 'coda_pioctl' function of the 'pioctl.c' file, which could let a malicious user cause a Denial of Service or execute arbitrary code with superuser privileges.
Fedora Security Update Notification, FEDORA-2005-262, March 28, 2005
Ubuntu Security Notice, USN-103-1, April 1, 2005
Fedora Update Notification, FEDORA-2005-313, April 11, 2005
RedHat Security Advisory, RHSA-2005:366-19, April 19, 2005
Conectiva Linux Security Announcement, CLA-2005:952, May 2, 2005
Fedora Legacy Update Advisory, FLSA:152532, June 4, 2005
RedHat Security Advisory, RHSA-2005:663-19, September 28, 2005
RedHat Security Advisories, RHSA-2006:0190-5 & RHSA-2006:0191-9, February 1, 2006
Multiple Vendors
Linux Kernel 2.4-2.4.32
A Denial of Service vulnerability has been reported due to insufficient validation of the return code of a function call in the 'search_binary_handler()' function.
Ubuntu Security Notice, USN-219-1, November 22, 2005
Mandriva Linux Security Advisories, MDKSA-2005:218, 219 & 220, November 30, 2005
SUSE Security Announcement, SUSE-SA:2005:068, December 14, 2005
Conectiva Linux Announcement, CLSA-2006:1059, January 2, 2006
RedHat Security Advisory, RHSA-2006:0140-9, January 19, 2006
RedHat Security Advisories, RHSA-2006:0190-5 & RHSA-2006:0191-9, February 1, 2006
Multiple Vendors
Linux kernel 2.6-2.6.14
Several vulnerabilities have been reported: a Denial of Service vulnerability was reported due to a memory leak in '/security/keys/request_key_auth.c'; a Denial of Service vulnerability was reported due to a memory leak in '/fs/namei.c' when the 'CONFIG_AUDITSYSCALL' option is enabled; and a vulnerability was reported because the orinoco wireless driver fails to pad data packets with zeroes when increasing the length, which could let a malicious user obtain sensitive information.
Trustix Secure Linux Security Advisory, TSLSA-2005-0057, October 14, 2005
Fedora Update Notifications, FEDORA-2005-1013, October 20, 2005
RedHat Security Advisory, RHSA-2005:808-14, October 27, 2005
Ubuntu Security Notice, USN-219-1, November 22, 2005
Mandriva Linux Security Advisories, MDKSA-2005:218, 219 & 220, November 30, 2005
SUSE Security Announcement, SUSE-SA:2005:067, December 6, 2005
SUSE Security Announcement, SUSE-SA:2005:068, December 14, 2005
Conectiva Linux Announcement, CLSA-2006:1059, January 2, 2006
RedHat Security Advisory, RHSA-2006:0140-9, January 19, 2006
RedHat Security Advisories, RHSA-2006:0190-5 & RHSA-2006:0191-9, February 1, 2006
Multiple Vendors
Linux kernel 2.6-2.6.14
A Denial of Service vulnerability has been reported in 'sysctl.c' due to an error when handling the un-registration of interfaces in '/proc/sys/net/ipv4/conf/'.
SUSE Security Announcement, SUSE-SA:2005:050, September 1, 2005
Trustix Secure Linux Security Advisory, TSLSA-2005-0043, September 2, 2005
Mandriva Linux Security Update Advisory, MDKSA-2005:171, October 3, 2005
Mandriva Linux Security Advisories, MDKSA-2005:219 & 220, November 30, 2005
SUSE Security Announcement, SUSE-SA:2005:068, December 14, 2005
Conectiva Linux Announcement, CLSA-2006:1059, January 2, 2006
RedHat Security Advisories, RHSA-2006:0190-5 & RHSA-2006:0191-9, February 1, 2006
Multiple Vendors
Ubuntu Linux 5.10 powerpc, i386, amd64, 5.04 powerpc, i386, amd64, 4.1 ppc, ia64, ia32;
Linux kernel 2.6-2.6.15
A vulnerability has been reported in the 'dm-crypt' driver due to a failure to clear memory, which could let a malicious user obtain sensitive information.
Security Tracker Alert ID: 1015521, January 20, 2006
Gentoo Linux Security Advisory, GLSA 200601-16, January 30, 2006
Debian Security Advisory, DSA-963-1, February 2, 2006
MyQuiz
MyQuiz 1.01
A vulnerability has been reported in 'myquiz.pl' due to insufficient sanitization of the 'PATH_INFO' environment variable ($ENV{'PATH_INFO'}) before it is used in a shell command, which could let a remote malicious user execute arbitrary shell commands.
No workaround or patch available at time of publishing.
A Proof of Concept exploit script, myquiz101.pl.txt, has been published.
MyQuiz Arbitrary Shell Command Execution
Not Available
Secunia Advisory: SA18737, February 6, 2006
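Added worked example, not code from the bulletin or from MyQuiz: the shape of the bug above (a path component from the request spliced into a command line that a shell interprets) beside an allowlist check that builds an argv list and never involves a shell. The quiz directory layout and the attacker value for PATH_INFO are assumptions made for the demonstration, and the vulnerable variant is executed through /bin/sh, so a POSIX system is assumed.

```python
import re
import subprocess

# Assumed layout (not from the advisory): quiz files live under this directory
# and PATH_INFO names the quiz, e.g. "/geography" -> quizzes/geography.txt.
QUIZ_DIR = "quizzes"

# Constructed attacker value for PATH_INFO: the ';' ends the intended command
# and the '#' comments out the trailing ".txt" the script appends.
INJECTED_PATH_INFO = "/geography; echo INJECTED #"


def quiz_command_naive(path_info):
    """Vulnerable: PATH_INFO is spliced verbatim into a command line that is
    handed to a shell, so every shell metacharacter in it is honoured."""
    return f"cat {QUIZ_DIR}/{path_info.lstrip('/')}.txt"


def run_naive(path_info):
    """Execute the vulnerable command line through the system shell (POSIX
    sh assumed) and return what reached stdout."""
    result = subprocess.run(quiz_command_naive(path_info), shell=True,
                            capture_output=True, text=True)
    return result.stdout.strip()


# Allowlist for the quiz name: letters, digits, '_' and '-', bounded length.
# Rejecting everything else is simpler and safer than trying to escape the
# metacharacters of whichever shell happens to be installed.
_QUIZ_NAME = re.compile(r"[A-Za-z0-9_-]{1,32}")


def quiz_argv_safe(path_info):
    """Hardened: validate the name against the allowlist and build an argv
    list. Run with shell=False nothing in the argument is interpreted, so
    even a value that slipped past validation could not start a second
    command or walk out of QUIZ_DIR."""
    name = path_info.lstrip("/")
    if not _QUIZ_NAME.fullmatch(name):
        raise ValueError(f"rejected quiz name: {name!r}")
    return ["cat", f"{QUIZ_DIR}/{name}.txt"]


def accepts(path_info):
    """True if the hardened validator would let this PATH_INFO through."""
    try:
        quiz_argv_safe(path_info)
    except ValueError:
        return False
    return True


if __name__ == "__main__":
    print("naive output:", run_naive(INJECTED_PATH_INFO))
    print("safe accepts injected value:", accepts(INJECTED_PATH_INFO))
    print("safe argv for /geography:", quiz_argv_safe("/geography"))
```

With the injected value the naive command line runs `cat` on a file that does not exist and then runs the attacker's `echo`; the allowlist rejects the same value, and also rejects '../' sequences, which the regular expression never matches.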
NeoCode Solutions
NeoMail
A Cross-Site Scripting vulnerability has been reported in the 'neomail.pl' script due to insufficient sanitization of the 'date' parameter before displaying the input, which could let a remote malicious user execute arbitrary HTML and script code.
No workaround or patch available at time of publishing.
A vulnerability has been reported in the 'rshd' server when storing forwarded credentials due to an unspecified error, which could let a malicious user obtain elevated privileges.
Update to version 0.7.2 or 0.6.6.
Currently we are not aware of any exploits for this vulnerability.
Multiple Operating Systems - Windows / UNIX / Linux / Other
Vendor & Software Name
Description
Common Name
CVSS
Resources
Adobe
Creative Suite 2, Adobe Photoshop CS2, Adobe Illustrator CS2 Creative Suite
A vulnerability has been reported due to insecure default file permissions on installed files and folders, which could let a malicious user obtain elevated privileges.
An SQL injection vulnerability has been reported due to insufficient sanitization of certain parameters before using in an SQL query, which could let a remote malicious user execute arbitrary SQL code.
Gentoo Linux Security Advisory, GLSA 200602-02, February 6, 2006
Apache Software Foundation
Apache prior to 1.3.35-dev, 2.0.56-dev
A Cross-Site Scripting vulnerability has been reported in 'mod_imap' due to insufficient sanitization of the 'Referer' HTTP header before it is returned to the user, which could let a remote malicious user execute arbitrary HTML and script code.
The vulnerability has been fixed in version 1.3.35-dev, and 2.0.56-dev.
Security Tracker Alert ID: 1015344, December 13, 2005
OpenPKG Security Advisory, OpenPKG-SA-2005.029, December 14, 2005
Trustix Secure Linux Security Advisory, TSLSA-2005-0074, December 23, 2005
Mandriva Linux Security Advisory, MDKSA-2006:007, January 6, 2006
Ubuntu Security Notice, USN-241-1, January 12, 2006
RedHat Security Advisory, RHSA-2006:0158-4, January 17, 2006
Fedora Security Advisory, FEDORA-2006-052, January 23, 2006
Turbolinux Security Advisory, TLSA-2006-1, January 25, 2006
Gentoo Linux Security Advisory, GLSA 200602-03, February 6, 2006
Blackboard
Blackboard Academic Suite 6.0, Blackboard 6.0, 5.5.1, 5.5, 5.0.2, 5.0
A vulnerability has been reported in the authentication mechanism, which could let a malicious user obtain unauthorized access. NOTE: the vendor has disputed this issue, saying that "This is a customer specific issue related to their Kerberos authentication single sign-on application and not a vulnerability in the Blackboard product."
No workaround or patch available at time of publishing.
Security Focus, Bugtraq ID: 16438, January 31, 2006
Security Focus, Bugtraq ID: 16438, February 7, 2006
Borland
BCB6 ent_upd4
An integer overflow vulnerability has been reported because statements that use the 'sizeof' operator are not correctly compiled, which could let a malicious user execute arbitrary code.
No workaround or patch available at time of publishing.
Currently we are not aware of any exploits for this vulnerability.
Borland Delphi-BCB/Compiler Integer Overflow
Not available
XFocus Security Team Advisory, xfocus-SD-060206, February 6, 2006
CipherTrust
IronMail 5.0.1
A remote Denial of Service vulnerability has been reported when the 'Denial of Service Protection' feature is enabled, due to an error in the handling of SYN flood attacks.
The vendor has released an update to address this issue. Contact the vendor for further information.
Security Tracker Alert ID: 1015555, February 1, 2006
Clever Copy
Clever Copy 3.0
An SQL injection vulnerability has been reported in the 'mailarticle.php' script due to insufficient validation of the 'ID' parameter, which could let a remote malicious user execute arbitrary SQL code.
No workaround or patch available at time of publishing.
Exploit details, Clever_Copy_V3_sql.txt, have been published.
Security Tracker Alert ID: 1015590, February 7, 2006
CyberShop ASP
Ultimate E-commerce Script 0
Cross-Site Scripting vulnerabilities have been reported due to insufficient sanitization of user-supplied input, which could let a remote malicious user execute arbitrary HTML and script code.
No workaround or patch available at time of publishing.
There is no exploit code required; however, Proof of Concept exploits have been published.
Currently we are not aware of any exploits for this vulnerability.
eyeOS PHP Code Execution
Not available
GulfTech Security Research Team Advisory, February 8, 2006
FFmpeg
FFmpeg 0.4.9 -pre1, 0.4.6-0.4.8, FFmpeg CVS
A buffer overflow vulnerability has been reported in the 'avcodec_default_get_buffer()' function of 'utils.c' in libavcodec due to a boundary error, which could let a remote malicious user execute arbitrary code.
Multiple vulnerabilities have been reported: SQL injection vulnerabilities were reported in 'check.php' due to insufficient sanitization of the 'username' parameter during login and in the 'id' parameter in the administration section, which could let a remote malicious user execute arbitrary SQL code; a Cross-Site Scripting vulnerability was reported due to insufficient sanitization of various fields when signing the guestbook, which could let a remote malicious user execute arbitrary HTML and script code; and a vulnerability was reported due to an insecure authentication process, which could let a remote malicious user obtain unauthorized access.
No workaround or patch available at time of publishing.
Security Focus, Bugtraq ID: 16541, February 8, 2006
IBM
Tivoli Access Manager for e-business 5.1.0, 6.0
A Directory Traversal vulnerability has been reported in 'pkmslogout' due to insufficient sanitization of the 'filename' parameter before using to retrieve the page template, which could let a remote malicious user obtain sensitive information.
A file include vulnerability has been reported in 'loudblog/inc/backend_settings.php' due to insufficient verification of the 'path' parameter before using to include files, which could let a remote malicious user execute arbitrary PHP code.
No workaround or patch available at time of publishing.
A Proof of Concept exploit script, loudblog_04_incl_xpl.php, has been published.
Security Focus, Bugtraq ID: 15773, January 27, 2006
Mozilla Foundation Security Advisory 2006-03, February 1, 2006
RedHat Security Advisories, RHSA-2006:0199 & RHSA-2006:0200-8, February 2, 2006
RedHat Fedora Security Advisories, FEDORA-2006-075 & FEDORA-2006-076, February 3, 2006
Mandriva Security Advisories, MDKSA-2006:036 & MDKSA-2006:037, February 7, 2006
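Added worked example, not code from the bulletin, IBM or Loudblog, serving both the 'pkmslogout' 'filename' template lookup and the Loudblog 'path' include above: a name joined onto a base directory without a containment check escapes it with '../' segments (or by being absolute), and one way to verify that the resolved path stays inside the directory. The directory layout, file names and contents are constructed for the demonstration; the same containment check applies whether the result is read as a template or handed to an include.

```python
import os
import tempfile


class TraversalRejected(ValueError):
    """Raised when a requested name resolves outside the template directory."""


def resolve_naive(template_dir, filename):
    """Vulnerable: joins the user-supplied name onto the directory and trusts
    the result. '../' segments walk upwards, and an absolute name makes
    os.path.join discard template_dir altogether."""
    return os.path.join(template_dir, filename)


def resolve_safe(template_dir, filename):
    """Hardened: resolve both paths (following symlinks) and insist that the
    template directory is a prefix of the result segment by segment.
    Checking the resolved path rather than the raw string is what makes
    forms like 'a/../../x' safe, and a segment-wise comparison (rather than
    str.startswith) is what stops '/srv/templates2' from passing as being
    inside '/srv/templates'."""
    base = os.path.realpath(template_dir)
    candidate = os.path.realpath(os.path.join(base, filename))
    if os.path.commonpath([base, candidate]) != base:
        raise TraversalRejected(filename)
    return candidate


def is_within(template_dir, filename):
    """True if resolve_safe would accept the name (ValueError covers the
    Windows case of two different drives, which commonpath refuses)."""
    try:
        resolve_safe(template_dir, filename)
    except (TraversalRejected, ValueError):
        return False
    return True


def demo():
    """Build a throwaway tree: templates/logout.html inside the allowed
    directory and secret.txt one level above it, then show what each
    resolver hands back for the same requests."""
    with tempfile.TemporaryDirectory() as root:
        tdir = os.path.join(root, "templates")
        os.mkdir(tdir)
        with open(os.path.join(tdir, "logout.html"), "w") as fh:
            fh.write("<p>logged out</p>")
        with open(os.path.join(root, "secret.txt"), "w") as fh:
            fh.write("not for the web")

        with open(resolve_naive(tdir, "../secret.txt")) as fh:
            leaked = fh.read()
        try:
            resolve_safe(tdir, "../secret.txt")
            blocked = False
        except TraversalRejected:
            blocked = True
        with open(resolve_safe(tdir, "logout.html")) as fh:
            served = fh.read()
        return {
            "naive_leaked": leaked,
            "safe_blocked": blocked,
            "safe_served": served,
            "absolute_blocked": not is_within(tdir, "/etc/passwd"),
            "normalised_ok": is_within(tdir, "sub/../logout.html"),
        }


if __name__ == "__main__":
    print(demo())
```

The naive resolver returns the secret file's contents for '../secret.txt'; the hardened one refuses that request and the absolute-path request while still serving the legitimate template, including a name whose '..' segment normalises back inside the directory.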
Multiple Vendors
Mozilla Browser 0.8-0.9.9, 0.9.35, 0.9.48, 1.0-1.7.12, Thunderbird 0.x, 1.x, Firefox 0.x, 1.x; SeaMonkey 1.0; RedHat Enterprise Linux WS 4, WS 3, WS 2.1 IA64, WS 2.1, ES 4, ES 3, ES 2.1 IA64, ES 2.1, AS 4, AS 3, AS 2.1 IA64, AS 2.1, Desktop 4.0, 3.0, Advanced Workstation for the Itanium Processor 2.1 IA64, 2.1
Multiple vulnerabilities have been reported: vulnerabilities were reported because temporary variables that are not properly protected are used in the JavaScript engine's garbage collection, which could let a remote malicious user cause a Denial of Service or execute arbitrary code; a vulnerability was reported because a remote malicious user can create HTML that will dynamically change the style of an element from position:relative to position:static; a vulnerability was reported because a remote malicious user can create HTML that invokes the QueryInterface() method of the built-in Location and Navigator objects; a vulnerability was reported in the 'XULDocument.persist()' function due to improper validation of the user-supplied attribute name, which could let a remote malicious user execute arbitrary code; an integer overflow vulnerability was reported in the 'E4X,' 'SVG,' and 'Canvas' features, which could let a remote malicious user execute arbitrary code; a vulnerability was reported in the XML parser because data can be read from locations beyond the end of the buffer, which could lead to a Denial of Service; and a vulnerability was reported because the 'E4X' implementation's internal 'AnyName' object is incorrectly available to web content, which could let a remote malicious user bypass same-origin restrictions.
Mandriva Security Advisories, MDKSA-2006:036 & MDKSA-2006:037, February 7, 2006
Multiple Vendors
PostNuke Development Team PostNuke 0.761; moodle 1.5.3; Mantis 1.0.0RC4, 0.19.4; Cacti 0.8.6 g; ADOdb 4.68, 4.66; AgileBill 1.4.92 & prior
Several vulnerabilities have been reported: an SQL injection vulnerability was reported in the 'server.php' test script, which could let a remote malicious user execute arbitrary SQL code and PHP script code; and a vulnerability was reported in the 'tests/tmssql.php' test script, which could let a remote malicious user call an arbitrary PHP function.
Security Focus, Bugtraq ID: 16187, February 7, 2006
MyBB Group
MyBB (formerly MyBulletinBoard) 1.03
An SQL injection vulnerability has been reported in 'moderation.php' due to insufficient sanitization of the 'posts' parameter before using in an SQL query, which could let a remote malicious user execute arbitrary SQL code.
No workaround or patch available at time of publishing.
There is no exploit code required; however, a Proof of Concept exploit has been published.
MyBB 'posts' SQL Injection
Not Available
Secunia Advisory: SA18754, February 8, 2006
NukedWeb
GuestBookHost
SQL injection vulnerabilities have been reported in 'config.php' due to insufficient sanitization of the 'email' and 'password' fields before using in an SQL query, which could let a remote malicious user execute arbitrary SQL code.
No workaround or patch available at time of publishing.
Several vulnerabilities have been reported: a vulnerability was reported due to an error when handling dynamic port forwarding when no listen address is specified, which could let a remote malicious user cause "GatewayPorts" to be incorrectly activated; and a vulnerability was reported due to an error when handling GSSAPI credential delegation, which could cause GSSAPI credentials to be delegated to a remote malicious user.
Fedora Update Notification, FEDORA-2005-858, September 7, 2005
Trustix Secure Linux Security Advisory, TSLSA-2005-0047, September 9, 2005
Slackware Security Advisory, SSA:2005-251-03, September 9, 2005
Fedora Update Notification, FEDORA-2005-860, September 12, 2005
RedHat Security Advisory, RHSA-2005:527-16, October 5, 2005
Mandriva Linux Security Update Advisory, MDKSA-2005:172, October 6, 2005
Ubuntu Security Notice, USN-209-1, October 17, 2005
Conectiva Linux Announcement, CLSA-2005:1039, October 19, 2005
Security Focus, Bugtraq ID: 14729, January 10, 2006
Avaya Security Advisory, ASA-2006-033, January 30, 2006
SuSE Security Summary Report, SUSE-SR:2006:003, February 3, 2006
Outblaze Ltd.
Outblaze
A Cross-Site Scripting vulnerability has been reported in 'throw.main' due to insufficient sanitization of the 'file' parameter before returning to the user, which could let a remote malicious user execute arbitrary HTML and script code.
No workaround or patch available at time of publishing.
Several vulnerabilities have been reported: an SQL injection vulnerability was reported due to insufficient sanitization of unspecified input before using in an SQL query, which could let a remote malicious user execute arbitrary SQL code; and a Cross-Site Scripting vulnerability was reported due to insufficient sanitization of unspecified input before returning to the user, which could let a remote malicious user execute arbitrary HTML and script code.
Multiple vulnerabilities have been reported: a vulnerability was reported due to insufficient protection of the 'GLOBALS' array, which could let a remote malicious user define global variables; a vulnerability was reported in the 'parse_str()' PHP function when handling an unexpected termination, which could let a remote malicious user enable the 'register_globals' directive; a Cross-Site Scripting vulnerability was reported in the 'phpinfo()' PHP function due to insufficient sanitization of user-supplied input, which could let a remote malicious user execute arbitrary HTML and script code; and an integer overflow vulnerability was reported in 'pcrelib' due to an error, which could let a remote malicious user corrupt memory.
SUSE Security Summary Report, SUSE-SR:2005:025, November 4, 2005
Turbolinux Security Advisory, TLSA-2005-97, November 5, 2005
Fedora Update Notifications, FEDORA-2005-1061 & 1062, November 8, 2005
RedHat Security Advisories, RHSA-2005:838-3 & RHSA-2005:831-15, November 10, 2005
Gentoo Linux Security Advisory, GLSA 200511-08, November 13, 2005
Mandriva Linux Security Advisory, MDKSA-2005:213, November 16, 2005
SUSE Security Summary Report, SUSE-SR:2005:027, November 18, 2005
Trustix Secure Linux Security Advisory, TSLSA-2005-0062, November 22, 2005
SGI Security Advisory, 20051101-01-U, November 29, 2005
OpenPKG Security Advisory, OpenPKG-SA-2005.027, December 3, 2005
SUSE Security Summary Report, SUSE-SR:2005:029, December 9, 2005
SUSE Security Announcement, SUSE-SA:2005:069, December 14, 2005
Ubuntu Security Notice, USN-232-1, December 23, 2005
Avaya Security Advisory, ASA-2006-037, January 31, 2006
Mandriva Security Advisory, MDKSA-2006:035, February 7, 2006
PHP
PHP 5.1.1, 5.1
Several vulnerabilities have been reported: a vulnerability was reported due to insufficient sanitization of the session ID in the session extension before returning it to the user, which could let a remote malicious user inject arbitrary HTTP headers; a format string vulnerability was reported in the 'mysqli' extension when processing error messages, which could let a remote malicious user execute arbitrary code; and a vulnerability was reported due to insufficient sanitization of unspecified input that is passed under certain error conditions, which could let a remote malicious user execute arbitrary HTML and script code.
Mandriva Security Advisory, MDKSA-2006:028, February 1, 2006
phpBB Group
phpBB 2.0.1-2.0.19
A vulnerability has been reported in the 'Referer' HTTP header when certain requests are sent for external avatar images and certain BBcode that references external web sites, which could let a remote malicious user obtain sensitive information.
No workaround or patch available at time of publishing.
SQL injection vulnerabilities have been reported in 'index.php' due to insufficient sanitization of the 'par' and 'poll_id' parameters before using in an SQL query, which could let a remote malicious user execute arbitrary SQL code.
Multiple Cross-Site Scripting vulnerabilities have been reported due to insufficient sanitization of the 'shout_name' field in 'shoutbox_panel.php' and in the 'comments' field in 'comments_include.php,' which could let a remote malicious user execute arbitrary HTML and script code.
Security Focus, Bugtraq ID: 16429, January 30, 2006
Debian Security Advisory, DSA-964-1, February 3, 2006
PluggedOut
PluggedOut Blog 1.x
Several vulnerabilities have been reported: an SQL injection vulnerability was reported in 'exec.php' due to insufficient sanitization of the 'entryid' parameter before using in an SQL query, which could let a remote malicious user execute arbitrary SQL code; and a Cross-Site Scripting vulnerability was reported in 'problem.php' due to insufficient sanitization of the 'data' parameter before returning to the user, which could let a remote malicious user execute arbitrary HTML and script code.
No workaround or patch available at time of publishing.
There is no exploit code required; however, Proof of Concept exploits have been published.
PluggedOut Blog SQL Injection & Cross-Site Scripting
Security Tracker Alert ID: 1015586, February 6, 2006
QNX Software Systems
QNX Neutrino RTOS 6.x
Multiple vulnerabilities have been reported: a vulnerability was reported in the 'crttrap' utility because libraries are loaded insecurely, which could let a malicious user obtain elevated privileges; a format string vulnerability was reported in the 'fontsleuth' utility, which could let a malicious user execute arbitrary code; a vulnerability was reported in the '_ApFindTranslationFile()' function when handling the 'ABLPATH' environment variable due to a boundary error, which could let a malicious user execute arbitrary code; a format string vulnerability was reported when handling the 'ABLANG' environment variable, which could let a remote malicious user execute arbitrary code; a vulnerability was reported in the 'setitem()' function when handling the 'PHOTON_PATH' environment variable due to a boundary error, which could let a malicious user execute arbitrary code; a vulnerability was reported in the 'phfont' utility due to a race condition, which could let a malicious user obtain root privileges; a buffer overflow vulnerability was reported in the 'su' utility due to a boundary error, which could let a malicious user execute arbitrary code; a Denial of Service vulnerability was reported when handling a certain command; a vulnerability was reported in the '/etc/rc.d/rc.local' file due to insecure file permissions, which could let a malicious user obtain root privileges; and a buffer overflow vulnerability was reported in the 'passwd' utility due to a boundary error, which could let a malicious user execute arbitrary code.
No workaround or patch available at time of publishing.
An exploit script, DSR-QNX6.2.1-phfont.sh.txt, for the RTOS's phfont command vulnerability has been published.
Cross-Site Scripting vulnerabilities have been reported due to insufficient sanitization of user-supplied input, which could let a remote malicious user execute arbitrary HTML and script code.
No workaround or patch available at time of publishing.
There is no exploit code required; however, Proof of Concept exploits have been published.
Security Focus, Bugtraq ID: 16471, February 2, 2006
Sony Ericsson Mobile Communications AB
Sony Ericsson K600i, T68i, V600i, W800i
A remote Denial of Service vulnerability has been reported in the L2CAP (Logical Link Control and Adaptation Layer Protocol) layer.
No workaround or patch available at time of publishing.
A Proof of Concept exploit script, bluetooth6.c, has been published.
Sony Ericsson Cell Phones Bluetooth L2CAP Denial of Service
Not available
Secunia Advisory: SA18747, February 8, 2006
SPIP
SPIP 1.9.Alpha 1, 1.8.2-d
Several vulnerabilities have been reported: an SQL injection vulnerability was reported in 'forum.php3' due to insufficient sanitization of the 'id_article' and 'id_forum' parameters before they are used in an SQL query, which could let a remote malicious user execute arbitrary SQL code; and a Cross-Site Scripting vulnerability was reported in 'index.php3' due to insufficient sanitization of the 'lang' parameter before returning to the user, which could let a remote malicious user execute arbitrary HTML and script code.
Seven vulnerabilities have been reported in Sun Java JRE (Java Runtime Environment) due to various unspecified errors in the 'reflection' APIs, which could let a remote malicious user compromise a user's system.
Sun(sm) Alert Notification, Sun Alert ID: 102171, February 7, 2006
Tachyondecay.net
Vanilla Guestbook 1.0 Beta
Multiple input validation vulnerabilities have been reported which could let a remote malicious user execute arbitrary HTML, script code, and SQL code.
No workaround or patch available at time of publishing.
Security Focus, Bugtraq ID: 16464, February 1, 2006
Unknown Domain Shoutbox
Unknown Domain Shoutbox 2005.7.21
Several vulnerabilities have been reported: Cross-Site Scripting vulnerabilities were reported due to insufficient sanitization of the 'Handle' and 'Message' fields, which could let a remote malicious user execute arbitrary HTML and script code; and SQL injection vulnerabilities were reported due to insufficient sanitization of various unspecified parameters before using in an SQL query, which could let a remote malicious user execute arbitrary SQL code.
No workaround or patch available at time of publishing.
Security Focus, Bugtraq ID: 16543, February 8, 2006
vwdev
vwdev
An SQL injection vulnerability has been reported due to insufficient validation of the 'UID' parameter before using in an SQL query, which could let a remote malicious user execute arbitrary SQL code.
No workaround or patch available at time of publishing.
There is no exploit code required; however, a Proof of Concept exploit has been published.
vwdev SQL Injection
Not Available
Security Tracker Alert ID: 1015594, February 7, 2006
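Added worked example, not code from the bulletin or from vwdev, MyBB, Clever Copy, GuestBookHost, PluggedOut, SPIP or the guestbook whose 'check.php' login is listed above: the two shapes of SQL injection that recur through this bulletin, a quoted string parameter (login fields) and an unquoted numeric id ('ID', 'posts', 'entryid', 'UID'), each shown as the interpolating query beside its parameterized replacement. The schema, rows and attacker inputs are constructed for the demonstration and run against an in-memory SQLite database; the SQL dialect details (the `--` comment, `||` concatenation) are SQLite's, though MySQL accepts the same inputs.

```python
import sqlite3


def make_db():
    """Constructed schema and rows (not from any of the advisories). Passwords
    are stored in clear here only to keep the demonstration short."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT, password TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?)",
                     [("admin", "s3cret"), ("alice", "wonderland")])
    conn.execute("CREATE TABLE articles (id INTEGER PRIMARY KEY, title TEXT)")
    conn.executemany("INSERT INTO articles VALUES (?, ?)",
                     [(1, "Welcome"), (2, "Changelog")])
    return conn


# --- quoted string parameter: the login form --------------------------------

def login_naive(conn, username, password):
    """Vulnerable: submitted values are interpolated into the SQL text. A
    username of  admin' --  closes the string and comments out the password
    check, so the admin row comes back whatever the password was."""
    sql = ("SELECT username FROM users WHERE username = '%s' AND password = '%s'"
           % (username, password))
    row = conn.execute(sql).fetchone()
    return row[0] if row else None


def login_safe(conn, username, password):
    """Hardened: placeholders keep the values out of the SQL text entirely;
    the database compares them as data, quotes and comment markers included."""
    row = conn.execute(
        "SELECT username FROM users WHERE username = ? AND password = ?",
        (username, password)).fetchone()
    return row[0] if row else None


# --- unquoted numeric parameter: an article/post/entry id -------------------

def article_naive(conn, article_id):
    """Vulnerable: an unquoted numeric id needs no quote character to break
    out of; a UNION appended to it reads any other table through this query.
    Escaping quotes (the usual 2006-era fix) would not help here at all."""
    sql = "SELECT title FROM articles WHERE id = %s" % article_id
    return [row[0] for row in conn.execute(sql)]


def article_safe(conn, article_id):
    """Hardened: coerce to int first (rejecting anything that is not one),
    then bind it. Returns None for a rejected id, a list of titles otherwise."""
    try:
        ident = int(article_id)
    except (TypeError, ValueError):
        return None
    return [row[0] for row in conn.execute(
        "SELECT title FROM articles WHERE id = ?", (ident,))]


# Constructed attacker inputs: an authentication bypass, and a UNION that
# pulls the whole user table out through the article lookup.
BYPASS_USERNAME = "admin' --"
UNION_ID = "0 UNION SELECT username || ':' || password FROM users"


if __name__ == "__main__":
    db = make_db()
    print("naive login :", login_naive(db, BYPASS_USERNAME, "wrong"))
    print("safe login  :", login_safe(db, BYPASS_USERNAME, "wrong"))
    print("naive lookup:", article_naive(db, UNION_ID))
    print("safe lookup :", article_safe(db, UNION_ID))
```

The naive login authenticates as admin with a wrong password, and the naive article lookup returns every username:password pair; the parameterized versions return no user and refuse the id. Binding is the fix for both cases; the integer coercion on the id is an extra input-validation layer, not a substitute for it.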
bss-0.6.tar.gz: An L2CAP layer fuzzer designed to assess the security of Bluetooth enabled devices by sending malicious packets.
Mobile email set to explode: According to a report from industry analysts, Datamonitor, mobile email is on the verge of mass adoption. There are roughly 650 million corporate email inboxes worldwide today and at least 35 per cent of which could be mobilized.
This section contains brief summaries and links to articles which discuss or present information pertinent to the cyber security community.
Cyber Storm Brewing For Homeland Security: The U.S. Department of Homeland Security is attempting to create a perfect storm in cyberspace. They are simulating a series of cyber attacks on critical infrastructure in the private sector and in international, federal and state governments in order to test response. The test is part of larger homeland defense plans and ordered by a presidential directive. It is designed to strengthen communications, coordination and partnerships. The threats are fictitious and take place in a contained, secure environment.
Exploit for QueryInterface Vulnerability in Mozilla: US-CERT is aware of publicly available exploit code for a memory corruption vulnerability in the Mozilla Firefox web browser and Thunderbird mail client.
XML Injection and Code Execution Vulnerabilities in Mozilla Suite: US-CERT is aware of several vulnerabilities in Mozilla. Successful exploitation may allow a remote, unauthenticated attacker to execute arbitrary JavaScript commands with elevated privileges or cause a denial of service condition on a vulnerable system.
Spammed Trojan horse pretends to come from anti-virus company: According to experts at SophosLabs™, a Trojan horse has been spammed out to email addresses disguised as a message from a Finnish anti-virus company. The Troj/Stinx-U Trojan horse has been seen attached to email messages pretending to come from Helsinki-based F-Secure, and can have a subject line chosen from "Firefox Browsing Problem", "Mozilla Browsing Problem", or "Website Browsing Problem".
ID Theft And Internet Fraud Declining? According to a report by Javelin Strategy and Research, incidents of fraud from Internet-based means may be on the decline. In cases where the source of the identity theft was known, only 9 percent were reported to have come from hacking, viruses and phishing. In contrast, a lost or stolen wallet or credit/debit card was the cause of 30 percent of the incidents. The study also found that fraudulent activity is mostly (over 70 percent) conducted offline via phone or mail.
Spyware Triples During 2005: According to anti-spyware developer Webroot, spyware tripled during 2005. At the start of the year Webroot identified only 40,000 traces and the year ended with 400,000 spyware-distributing sites and a global count of 120,000 different traces, or spyware components.
A list of high threat viruses, as reported to various anti-virus vendors and virus incident reporting organizations, has been ranked and categorized in the table below. For the purposes of collecting and collating data, infections involving multiple systems at a single location are considered a single infection. It is therefore possible that a virus has infected hundreds of machines but has only been counted once. With the number of viruses that appear each month, it is possible that a new virus will become widely distributed before the next edition of this publication. To limit the possibility of infection, readers are reminded to update their anti-virus packages as soon as updates become available. The table lists the viruses by ranking (number of sites affected), common virus name, type of virus code (i.e., boot, file, macro, multi-partite, script), trends (based on number of infections reported since last week), and approximate date first found.
Rank | Common Name | Type of Code | Trend | Date | Description
1 | Netsky-P | Win32 Worm | Stable | March 2004 | A mass-mailing worm that uses its own SMTP engine to send itself to the email addresses it finds when scanning the hard drives and mapped drives. The worm also tries to spread through various file-sharing programs by copying itself into various shared folders.
2 | Lovgate.w | Win32 Worm | Stable | April 2004 | A mass-mailing worm that propagates by using MAPI as a reply to messages, by using an internal SMTP engine, by dropping copies of itself on network shares, and through peer-to-peer networks. Attempts to access all machines in the local area network.
3 | Mytob-GH | Win32 Worm | Stable | November 2005 | A variant of the mass-mailing worm that disables security related programs and allows others to access the infected system. This version sends itself to email addresses harvested from the system, forging the sender's address.
4 | Netsky-D | Win32 Worm | Stable | March 2004 | A simplified variant of the Netsky mass-mailing worm in that it does not contain many of the text strings that were present in NetSky.C and it does not copy itself to shared folders. Netsky.D spreads itself in e-mails as an executable attachment only.
5 | Mytob.C | Win32 Worm | Stable | March 2004 | A mass-mailing worm with IRC backdoor functionality which can also infect computers vulnerable to the Windows LSASS (MS04-011) exploit. The worm will attempt to harvest email addresses from the local hard disk by scanning files.
6 | Mytob-BE | Win32 Worm | Stable | June 2005 | A slight variant of the mass-mailing worm that utilizes an IRC backdoor, the LSASS vulnerability, and email to propagate. It harvests addresses from the Windows address book, disables antivirus software, and modifies data.
7 | Sober-Z | Win32 Worm | Stable | December 2005 | This worm travels as an email attachment, forging the sender's address, harvesting addresses from infected machines, and using its own mail engine. It further downloads code from the internet, installs itself into the registry, and reduces overall system security.
8 | Zafi-B | Win32 Worm | Stable | June 2004 | A mass-mailing worm that spreads via e-mail using several different languages, including English, Hungarian and Russian. When executed, the worm makes two copies of itself in the %System% directory with randomly generated file names.
9 | Mytob-AS | Win32 Worm | Stable | June 2005 | A slight variant of the mass-mailing worm that disables security related programs and processes, redirects various sites, and changes registry values. This version downloads code from the net and utilizes its own email engine.
10 | Zafi-D | Win32 Worm | Stable | December 2004 | A mass-mailing worm that sends itself to email addresses gathered from the infected computer. The worm may also attempt to lower security settings, terminate processes, and open a back door on the compromised computer.