Weekly Vulnerabilities Reports > January 23 to 29, 2006

Overview

62 new vulnerabilities were reported during this period, including 1 critical vulnerability and 19 high severity vulnerabilities. This weekly summary reports vulnerabilities in 45 products from 40 vendors, including BEA, Oracle, FreeBSD, E Post Corporation, and Linux. The most common vulnerability categories are "SQL Injection", "Cross-site Scripting", "Path Traversal", "Improper Input Validation", and "Improper Authentication".

  • 50 reported vulnerabilities are remotely exploitable.
  • 1 reported vulnerability has a public exploit available.
  • 6 reported vulnerabilities are related to weaknesses in the OWASP Top Ten.
  • 59 reported vulnerabilities are exploitable by an anonymous user.
  • BEA has the most reported vulnerabilities, with 11.
  • Claroline has the most reported critical vulnerabilities, with 1.


Vulnerability Details

The following tables list the reported vulnerabilities for the period covered by this report, grouped by severity. Each row gives the report date, CVE identifier, vendor, vulnerability title and CVSS base score, followed by the vulnerability description.


1 Critical Vulnerability

DATE | CVE | VENDOR | VULNERABILITY | CVSS
2006-01-25 | CVE-2006-0411 | Claroline | Unspecified vulnerability in Claroline 1.7.2 | 10.0
  claro_init_local.inc.php in Claroline 1.7.2 uses guessable session cookies (MD5 hash of connection time), which allows remote attackers to hijack sessions and possibly gain administrative privileges.

19 High Vulnerabilities

DATE | CVE | VENDOR | VULNERABILITY | CVSS
2006-01-23 | CVE-2006-0036 | Linux | Multiple Security vulnerability in Linux Kernel 2.6.14 | 7.8
  ip_nat_pptp in the PPTP NAT helper (netfilter/ip_nat_helper_pptp.c) in Linux kernel 2.6.14, and other versions, allows remote attackers to cause a denial of service (memory corruption or crash) via an inbound PPTP_IN_CALL_REQUEST packet that causes a null pointer to be used in an offset calculation.

2006-01-27 | CVE-2006-0464 | Ideosoft Design | SQL-Injection vulnerability in Ideocontent Manager | 7.5
  Multiple SQL injection vulnerabilities in index.php in IdeoContent Manager allow remote attackers to execute arbitrary SQL commands via the (1) goto_id or (2) mid parameter.

2006-01-27 | CVE-2006-0462 | Andonet | SQL Injection vulnerability in Andonet Blog 2004.09.02 | 7.5
  SQL injection vulnerability in comentarios.php in AndoNET Blog 2004.09.02 allows remote attackers to execute arbitrary SQL commands via the entrada parameter.

2006-01-27 | CVE-2006-0057 | Microsoft | Unspecified vulnerability in Microsoft IE and Internet Explorer | 7.5
  Microsoft Internet Explorer 5.01, 5.5, and 6 allows remote attackers to bypass the Kill bit settings for dangerous ActiveX controls via unknown vectors involving crafted HTML, which can expose the browser to attacks that would otherwise be prevented by the Kill bit setting.

2006-01-27 | CVE-2006-0448 | E Post Corporation | Remote vulnerability in E-Post MailServer | 7.5
  Multiple directory traversal vulnerabilities in (1) EPSTIMAP4S.EXE and (2) SPA-IMAP4S.EXE in the IMAP service in E-Post Mail 4.05 and SPA-PRO Mail 4.05 allow remote attackers to (a) list arbitrary directories or cause a denial of service via the LIST command; or create arbitrary files via the (b) APPEND, (c) COPY, or (d) RENAME commands.

2006-01-27 | CVE-2006-0447 | E Post Corporation | Remote vulnerability in E-Post Corporation Mail Server, Smtp Server and Spa-Pro Mail Atsolomon | 7.5
  Multiple buffer overflows in E-Post Mail Server 4.10 and SPA-PRO Mail @Solomon 4.00 allow remote attackers to execute arbitrary code via a long username to the (1) AUTH PLAIN or (2) AUTH LOGIN SMTP commands, which is not properly handled by (a) EPSTRS.EXE or (b) SPA-RS.EXE; (3) a long username in the APOP POP3 command, which is not properly handled by (c) EPSTPOP4S.EXE or (d) SPA-POP3S.EXE; (4) a long IMAP DELETE command, which is not properly handled by (e) EPSTIMAP4S.EXE or (f) SPA-IMAP4S.EXE.

2006-01-26 | CVE-2006-0441 | Karjasoft | Buffer Overflow vulnerability in Karjasoft Sami FTP Server 2.0.1 | 7.5
  Stack-based buffer overflow in Sami FTP Server 2.0.1 allows remote attackers to execute arbitrary code via a long USER command, which triggers the overflow when the log is viewed.

2006-01-26 | CVE-2006-0435 | Oracle | Unspecified vulnerability in Oracle Application Server and Http Server | 7.5
  Unspecified vulnerability in Oracle PL/SQL (PLSQL), as used in Database Server DS 9.2.0.7 and 10.1.0.5, Application Server 1.0.2.2, 9.0.4.2, 10.1.2.0.2, 10.1.2.1.0, and 10.1.3.0.0, E-Business Suite and Applications 11.5.10, and Collaboration Suite 10.1.1, 10.1.2.0, 10.1.2.1, and 9.0.4.2, allows attackers to bypass the PLSQLExclusion list and access excluded packages and procedures, aka Vuln# PLSQL01.

2006-01-25 | CVE-2006-0428 | Oracle | Multiple vulnerability in Oracle Weblogic Portal 8.1 | 7.5
  Unspecified vulnerability in BEA WebLogic Portal 8.1 SP3 through SP5, when using Web Services Remote Portlets (WSRP), allows remote attackers to access restricted web resources via crafted URLs.

2006-01-25 | CVE-2006-0426 | BEA | Multiple vulnerability in BEA Weblogic Server 8.1 | 7.5
  BEA WebLogic Server and WebLogic Express 8.1 through SP4, when configuration auditing is enabled and a password change occurs, stores the old and new passwords in cleartext in the DefaultAuditRecorder.log file, which could allow attackers to gain privileges.

2006-01-25 | CVE-2006-0423 | Oracle | Multiple vulnerability in Oracle Weblogic Portal 8.1 | 7.5
  BEA WebLogic Portal 8.1 through SP3 stores the password for the RDBMS Authentication provider in cleartext in the config.xml file, which allows attackers to gain privileges.

2006-01-25 | CVE-2006-0418 | Topcmm Computing | Remote Code Injection Weakness in 123 Flash Chat | 7.5
  Eval injection vulnerability in 123 Flash Chat Server 5.0 and 5.1 allows attackers to execute arbitrary code via a crafted username.

2006-01-25 | CVE-2006-0417 | Mywebland | SQL Injection vulnerability in miniBloggie Login.PHP | 7.5
  SQL injection vulnerability in login.php in miniBloggie 1.0 and earlier, when gpc_magic_quotes is disabled, allows remote attackers to execute arbitrary SQL commands and bypass authentication via the (1) username and (2) password parameters.

2006-01-25 | CVE-2006-0413 | Newsphp | SQL Injection vulnerability in Newsphp | 7.5
  Multiple SQL injection vulnerabilities in index.php in NewsPHP allow remote attackers to execute arbitrary SQL commands via the (1) discuss, (2) tim, (3) id, (4) last, and (5) limit parameters.

2006-01-25 | CVE-2006-0412 | Gencbeyin WEB Programlama | SQL Injection vulnerability in Gencbeyin web Programlama Cybershop | 7.5
  SQL injection vulnerability in CyberShop allows remote attackers to execute arbitrary SQL commands and bypass authentication via the username parameter in a login action.

2006-01-25 | CVE-2006-0403 | E Moblog | SQL Injection vulnerability in E-Moblog 1.3 | 7.5
  Multiple SQL injection vulnerabilities in e-moBLOG 1.3 allow remote attackers to execute arbitrary SQL commands via the (1) monthy parameter to index.php or (2) login parameter to admin/index.php.

2006-01-25 | CVE-2006-0402 | Jason Geiger | SQL Injection vulnerability in Zoph 0.3.3/0.4 | 7.5
  SQL injection vulnerability in Zoph before 0.5pre1 allows remote attackers to execute arbitrary SQL commands.

2006-01-26 | CVE-2006-0436 | HP | Unspecified vulnerability in HP Hp-Ux 11.00/11.11/11.4 | 7.2
  Unspecified vulnerability in HP HP-UX B.11.00, B.11.04, and B.11.11 allows local users to gain privileges via unknown attack vectors.

2006-01-25 | CVE-2006-0408 | SUN | Local Privilege Escalation vulnerability in SUN Grid Engine 6.0 | 7.2
  rsh utility in Sun Grid Engine (SGE) before 6.0u7_1 allows local users to gain privileges and execute arbitrary code via unspecified vectors, possibly involving command line arguments.

36 Medium Vulnerabilities

DATE | CVE | VENDOR | VULNERABILITY | CVSS
2006-01-26 | CVE-2006-0444 | Phpclanwebsite | Input Validation vulnerability in PHPclanwebsite 1.23.1 | 6.8
  SQL injection vulnerability in index.php in Phpclanwebsite (aka PCW) 1.23.1 allows remote attackers to execute arbitrary SQL commands via the (1) par parameter in the post function on the forum page and possibly the (2) poll_id parameter on the poll page.

2006-01-27 | CVE-2006-0446 | Webwork | Remote Arbitrary Command Execution vulnerability in Webwork 2.1.3/2.2Pre1 | 6.5
  Unspecified vulnerability in WeBWorK 2.1.3 and 2.2-pre1 allows remote privileged attackers to execute arbitrary commands as the web server via unknown attack vectors.

2006-01-25 | CVE-2006-0422 | BEA | Multiple vulnerability in BEA Weblogic Server 6.1/7.0/8.1 | 6.4
  Multiple unspecified vulnerabilities in BEA WebLogic Server and WebLogic Express 8.1 through SP4, 7.0 through SP6, and 6.1 through SP7 allow remote attackers to access MBean attributes or cause an unspecified denial of service via unknown attack vectors.

2006-01-25 | CVE-2006-0419 | BEA | Denial-Of-Service vulnerability in BEA Weblogic Server 7.0/8.1/9.0 | 6.4
  BEA WebLogic Server and WebLogic Express 9.0, 8.1 through SP5, and 7.0 through SP6 allows anonymous binds to the embedded LDAP server, which allows remote attackers to read user entries or cause a denial of service (unspecified) via a large number of connections.

2006-01-27 | CVE-2006-0450 | Phpbb Group | Denial-Of-Service vulnerability in phpBB | 5.0
  phpBB 2.0.19 and earlier allows remote attackers to cause a denial of service (application crash) by (1) registering many users through profile.php or (2) using search.php to search in a certain way that confuses the database.

2006-01-27 | CVE-2006-0449 | E Post Corporation | Remote vulnerability in E-Post MailServer | 5.0
  Early termination vulnerability in the IMAP service in E-Post Mail 4.05 and SPA-PRO Mail 4.05 allows remote attackers to cause a denial of service (infinite loop) by sending an APPEND command and disconnecting before the expected amount of data is sent.

2006-01-26 | CVE-2006-0440 | Text Rider | Unspecified vulnerability in Text Rider Text Rider 2.4 | 5.0
  Text Rider 2.4 allows attackers to bypass authentication and upload files without providing a valid password by obtaining the MD5 hash of the password (possibly via another vulnerability that reads it from a data file), then including the hash in a cookie.

2006-01-26 | CVE-2006-0439 | Text Rider | Remote Security vulnerability in Text Rider Text Rider 2.4 | 5.0
  Text Rider 2.4 stores sensitive data in the data directory under the web document root with insufficient access control, which allows remote attackers to obtain usernames and password hashes by directly accessing data/userlist.txt.

2006-01-26 | CVE-2006-0434 | Phpxplorer | Path Traversal vulnerability in PHPxplorer | 5.0
  Directory traversal vulnerability in action.php in phpXplorer allows remote attackers to read arbitrary files via ".." (dot dot) sequences and null bytes in the sAction parameter, a different vulnerability than CVE-2006-0244.

2006-01-25 | CVE-2006-0430 | BEA | Multiple vulnerability in BEA Weblogic Server 7.0/8.1/9.0 | 5.0
  Certain configurations of BEA WebLogic Server and WebLogic Express 9.0, 8.1 through SP5, and 7.0 through SP6, when connection filters are enabled, cause the server to run more slowly, which makes it easier for remote attackers to cause a denial of service (server slowdown).

2006-01-25 | CVE-2006-0425 | Oracle | Multiple vulnerability in Oracle Weblogic Portal 8.1 | 5.0
  BEA WebLogic Portal 8.1 through SP4 allows remote attackers to obtain the source for a deployment descriptor file via unknown vectors.

2006-01-25 | CVE-2006-0420 | BEA | Denial-Of-Service vulnerability in BEA Weblogic Server 7.0/8.1 | 5.0
  BEA WebLogic Server and WebLogic Express 8.1 through SP4 and 7.0 through SP6 does not properly handle when servlets use relative forwarding, which allows remote attackers to cause a denial of service (slowdown) via unknown attack vectors that cause "looping stack overflow errors."

2006-01-25 | CVE-2006-0381 | Freebsd | Remote Denial Of Service vulnerability in Freebsd 5.3/5.4/6.0 | 5.0
  A logic error in the IP fragment cache functionality in pf in FreeBSD 5.3, 5.4, and 6.0, and OpenBSD, when a 'scrub fragment crop' or 'scrub fragment drop-ovl' rule is being used, allows remote attackers to cause a denial of service (crash) via crafted packets that cause a packet fragment to be inserted twice.

2006-01-25 | CVE-2006-0416 | Sleeperchat | Improper Authentication vulnerability in Sleeperchat | 5.0
  SleeperChat 0.3f and earlier allows remote attackers to bypass authentication and create new entries via the txt parameter to (1) chat_no.php and (2) chat_if.php.

2006-01-25 | CVE-2006-0414 | TOR | Information Disclosure And Denial of Service vulnerability in Trac | 5.0
  Tor before 0.1.1.20 allows remote attackers to identify hidden services via a malicious Tor server that attempts a large number of accesses of the hidden service, which eventually causes a circuit to be built through the malicious server.

2006-01-25 | CVE-2006-0410 | John LIM | SQL Injection vulnerability in John LIM Adodb 4.66/4.68/4.70 | 5.0
  SQL injection vulnerability in ADOdb before 4.71, when using PostgreSQL, allows remote attackers to execute arbitrary SQL commands via unspecified attack vectors involving binary strings.

2006-01-25 | CVE-2006-0406 | Mybulletinboard | Information Disclosure vulnerability in Mybulletinboard 1.0.2 | 5.0
  search.php in MyBB 1.0.2 allows remote attackers to obtain sensitive information via a certain search request that reveals the table prefix in a SQL error message, possibly due to invalid parameters.

2006-01-25 | CVE-2006-0405 | Libtiff | Denial of Service vulnerability in Libtiff 3.8.0 | 5.0
  The TIFFFetchShortPair function in tif_dirread.c in libtiff 3.8.0 allows remote attackers to cause a denial of service (application crash) via a crafted TIFF image that triggers a NULL pointer dereference, possibly due to changes in type declarations and/or the TIFFVSetField function.

2006-01-25 | CVE-2006-0404 | Mike Macgirvin | Information Disclosure vulnerability in Mike Macgirvin Note-A-Day Weblog 2.2 | 5.0
  Note-A-Day Weblog 2.2 stores sensitive data under the web document root with insufficient access control, which allows remote attackers to obtain sensitive information via a direct request to archive/.phpass-admin, which contains encrypted passwords.

2006-01-24 | CVE-2006-0321 | Fetchmail | Improper Input Validation vulnerability in Fetchmail 6.3.0/6.3.1 | 5.0
  fetchmail 6.3.0 and other versions before 6.3.2 allows remote attackers to cause a denial of service (crash) via crafted e-mail messages that cause a free of an invalid pointer when fetchmail bounces the message to the originator or local postmaster.

2006-01-23 | CVE-2006-0037 | Linux | Multiple Security vulnerability in Linux Kernel 2.6.14 | 4.9
  ip_nat_pptp in the PPTP NAT helper (netfilter/ip_nat_helper_pptp.c) in Linux kernel 2.6.14, and other versions, allows local users to cause a denial of service (memory corruption or crash) via a crafted outbound packet that causes an incorrect offset to be calculated from pointer arithmetic when non-linear SKBs (socket buffers) are used.

2006-01-25 | CVE-2006-0421 | BEA | Multiple vulnerability in BEA WebLogic | 4.6
  By design, BEA WebLogic Server and WebLogic Express 7.0 and 6.1, when creating multiple domains from the same WebLogic instance on the same machine, allows administrators of any created domain to access other created domains, which could allow administrators to gain privileges that were not intended.

2006-01-25 | CVE-2006-0225 | Openbsd | Unspecified vulnerability in Openbsd Openssh | 4.6
  scp in OpenSSH 4.2p1 allows attackers to execute arbitrary commands via filenames that contain shell metacharacters or spaces, which are expanded twice.

2006-01-25 | CVE-2006-0224 | Libast | Local Buffer Overflow vulnerability in Eterm LibAST Library | 4.6
  Buffer overflow in Library of Assorted Spiffy Things (LibAST) 0.6.1 and earlier, as used in Eterm and possibly other software, allows local users to execute arbitrary code as the utmp user via a long -X command line argument (alternative configuration file name).

2006-01-27 | CVE-2006-0466 | Goldstag | Cross-Site Scripting vulnerability in Goldstag Content Management System | 4.3
  Cross-site scripting (XSS) vulnerability in search.asp in Goldstag Content Management System allows remote attackers to inject arbitrary web script or HTML via the text parameter.

2006-01-27 | CVE-2006-0465 | Active121 | Cross-Site Scripting vulnerability in Site Manager | 4.3
  Cross-site scripting (XSS) vulnerability in risultati_ricerca.php in active121 Site Manager allows remote attackers to inject arbitrary web script or HTML via the cerca parameter.

2006-01-27 | CVE-2006-0463 | Ideosoft Design | Cross-Site Scripting vulnerability in Ideocontent Manager | 4.3
  Cross-site scripting (XSS) vulnerability in IdeoContent Manager allows remote attackers to inject arbitrary web script or HTML via the (1) goto_id parameter to index.php or (2) page parameter to news_full.php.

2006-01-27 | CVE-2006-0461 | Pmachine | HTML Injection vulnerability in Pmachine Expressionengine 1.4.1 | 4.3
  Cross-site scripting (XSS) vulnerability in core.input.php in ExpressionEngine 1.4.1 allows remote attackers to inject arbitrary web script or HTML via HTTP_REFERER (referer).

2006-01-26 | CVE-2006-0443 | Cheesyblog | HTML Injection vulnerability in Cheesyblog 1.0 | 4.3
  Cross-site scripting (XSS) vulnerability in archive.php in CheesyBlog 1.0 allows remote attackers to inject arbitrary web script or HTML via the (1) realname and (2) comment parameters, or (3) via a javascript URI in the url parameter, when adding a comment.

2006-01-26 | CVE-2006-0442 | Mybb | Cross-Site Scripting vulnerability in Mybb 1.0.2 | 4.3
  Multiple cross-site scripting (XSS) vulnerabilities in usercp.php in MyBulletinBoard (MyBB) 1.02 allow remote attackers to inject arbitrary web script or HTML via the (1) notepad parameter in a notepad action and (2) signature parameter in an editsig action.

2006-01-25 | CVE-2006-0415 | Sleeperchat | Cross-Site Scripting vulnerability in SleeperChat | 4.3
  Cross-site scripting (XSS) vulnerability in index.php in SleeperChat 0.3f and earlier allows remote attackers to inject arbitrary web script or HTML via the pseudo parameter.

2006-01-25 | CVE-2006-0409 | Pixelpost | HTML Injection vulnerability in Pixelpost Photoblog 1.4.3 | 4.3
  Cross-site scripting (XSS) vulnerability in index.php in Pixelpost Photoblog 1.4.3 allows remote attackers to inject arbitrary web script or HTML via the "Add Comment" field in a comment popup.

2006-01-25 | CVE-2006-0407 | Azbb | HTML Injection vulnerability in AZ Bulletin Board | 4.3
  Cross-site scripting (XSS) vulnerability in post.php in AZ Bulletin Board (AZbb) 1.1.00 and earlier allows remote attackers to inject arbitrary web script or HTML via the (1) nickname parameter and (2) an iframe tag in the topic parameter.

2006-01-23 | CVE-2006-0378 | Netrix | Cross-Site Scripting vulnerability in Netrix X-Site Manager Product_Details.PHP | 4.3
  Cross-site scripting (XSS) vulnerability in Netrix X-Site Manager allows remote attackers to inject arbitrary web script or HTML via the product_id parameter, as originally demonstrated for a custom mp3players_details.php program.

2006-01-26 | CVE-2006-0445 | Phpclanwebsite | Input Validation vulnerability in PHPclanwebsite 1.23.1 | 4.0
  index.php in Phpclanwebsite 1.23.1 allows remote authenticated users to obtain the installation path by specifying an invalid file name to the uploader page, as demonstrated by "\", which will display the full path of uploader.php.

2006-01-25 | CVE-2006-0424 | BEA | Multiple vulnerability in BEA Weblogic Server 6.1/7.0/8.1 | 4.0
  BEA WebLogic Server and WebLogic Express 8.1 through SP4, 7.0 through SP6, and 6.1 through SP7 allows remote authenticated guest users to read the server log and obtain sensitive configuration information.

6 Low Vulnerabilities

DATE | CVE | VENDOR | VULNERABILITY | CVSS
2006-01-25 | CVE-2006-0432 | BEA | Multiple vulnerability in BEA Weblogic Server 9.0 | 2.1
  Unspecified vulnerability in BEA WebLogic Server and WebLogic Express 9.0, when an Administrator uses the WebLogic Administration Console to add custom security policies, causes incorrect policies to be created, which prevents the server from properly protecting JNDI resources.

2006-01-25 | CVE-2006-0431 | BEA | Multiple vulnerability in BEA Weblogic Server 8.1 | 2.1
  Unspecified vulnerability in BEA WebLogic Server and WebLogic Express 8.1 SP5 allows untrusted applications to obtain the server's SSL identity via unknown attack vectors.

2006-01-25 | CVE-2006-0429 | BEA | Multiple vulnerability in BEA Weblogic Server 9.0 | 2.1
  BEA WebLogic Server and WebLogic Express 9.0 causes new security providers to appear active even if they have not been activated by a server reboot, which could cause an administrator to perform inappropriate, security-relevant actions.

2006-01-25 | CVE-2006-0427 | BEA | Multiple vulnerability in BEA Weblogic Server 8.1/9.0 | 2.1
  Unspecified vulnerability in BEA WebLogic Server and WebLogic Express 9.0 and 8.1 through SP5 allows malicious EJBs or servlet applications to decrypt system passwords, possibly by accessing functionality that should have been restricted.

2006-01-25 | CVE-2006-0380 | Freebsd | Local Kernel Memory Disclosure vulnerability in Freebsd 5.4/6.0 | 2.1
  A logic error in FreeBSD kernel 5.4-STABLE and 6.0 causes the kernel to calculate an incorrect buffer length, which causes more data to be copied to userland than intended, which could allow local users to read portions of kernel memory.

2006-01-25 | CVE-2006-0379 | Freebsd | Local Kernel Memory Disclosure vulnerability in Freebsd 5.4/6.0 | 2.1
  FreeBSD kernel 5.4-STABLE and 6.0 does not completely initialize a buffer before making it available to userland, which could allow local users to read portions of kernel memory.