>
> *************************************************************************
> @RISK: The Consensus Security Vulnerability Alert
> November 3, 2005
> Vol. 4. Week 44
> *************************************************************************
>
> **************************
> Widely Deployed Software
> **************************
>
> (1) HIGH: PHP Remote Code Execution Vulnerability
> Affected:
> PHP4 version 4.4.0 and prior
> PHP5 version 5.0.5 and prior
>
> Description: PHP is a package installed on a large number of web
> servers and used by multiple content management and bulletin board
> software packages. If the "register_globals" directive is on, an
> attacker with permissions to upload files to the web server can
> overwrite the PHP "GLOBALS" array. This can lead to execution of
> arbitrary PHP code. The discoverers have reported that PHP code based
> on PEAR and vBulletin is vulnerable.
>
> Status: PHP has released version 4.4.1 for PHP4. The new version also
> fixes a cross site scripting vulnerability. A workaround is to disable
> the "register_globals" option.
>
> References:
> Postings by Stefan Esser
> http://www.hardened-php.net/advisory_202005.79.html
> http://www.hardened-php.net/globals-problem
> http://www.hardened-php.net/advisory_192005.78.html
> http://www.hardened-php.net/advisory_182005.77.html
> Vendor Homepage
> http://www.php.net/
> SecurityFocus BID
> http://www.securityfocus.com/bid/15250
> http://www.securityfocus.com/bid/15249
> http://www.securityfocus.com/bid/15248
>
> ********************************************************************
>
> (2) HIGH: phpBB Remote Code Execution
> Affected:
> phpBB version 2.0.17 and prior
>
> Description: phpBB is a widely-used bulletin board software package.
> Reports indicate that phpBB security checks that unregister the global
> variables can be easily bypassed in multiple ways. Additionally, the
> software contains several improperly initialized variables. These flaws
> could allow an attacker to execute arbitrary PHP code. Note that the
> Santy worm targeted similar vulnerabilities in this software last year.
> The posted advisory includes complete technical details.
>
> Status: phpBB 2.0.18 has been released.
>
> References:
> Posting by Stefan Esser
> http://www.hardened-php.net/advisory_172005.75.html
> Vendor Announcement
> http://www.phpbb.com/phpBB/viewtopic.php?f=14&t=336756
> SecurityFocus BID
> http://www.securityfocus.com/bid/15246
>
> ************************************************************************
>
> (3) MODERATE: Cisco IOS System Timers Heap Overflow
> Affected:
> Cisco devices running IOS
>
> Description: A researcher recently described a heap-based overflow flaw
> in IOS IPv6 processing that could be exploited to execute arbitrary code
> on a vulnerable Cisco device. Specifically, the arbitrary code execution
> was reported to be plausible when the operating system timers executed
> the instructions in the overwritten heap memory. The Cisco patch
> enhances the general IOS security by minimizing the probability of
> arbitrary code execution via OS timers. Hence, this patch should be
> applied to all IOS devices.
>
> Status: Cisco has made patches available for 12.0 as well as 12.2 IOS
> trains. Note that no new vulnerability in Cisco IOS has been announced.
> Cisco has already issued patches for the IPv6 processing flaw.
>
> References:
> Cisco Security Advisory
> http://www.cisco.com/warp/public/707/cisco-sa-20051102-timers.shtml
> Previous @RISK Newsletter Postings
> http://www.sans.org/newsletters/risk/display.php?v=4&i=30#exploit2
> SecurityFocus BID
> http://www.securityfocus.com/bid/15275
>
>
> ****************************************************************
>
> ______________________________________________________________________
>
> 05.44.1 CVE: Not Available
> Platform: Other Microsoft Products
> Title: Internet Explorer Java Applet Denial of Service
> Description: Microsoft Internet Explorer is affected by a denial of
> service vulnerability. This issue arises because the application fails
> to handle exceptional conditions in a proper manner. This issue only
> presents itself when the J2SE Java runtime environment is installed.
> An attacker may exploit this issue by enticing a user to visit a
> malicious site, resulting in a denial of service condition in the
> application.
> Ref:
> http://security-protocols.com/modules.php?name=News&file=article&sid=3027
> ______________________________________________________________________
>
> 05.44.2 CVE: Not Available
> Platform: Other Microsoft Products
> Title: Internet Explorer Malformed HTML Parsing Denial of Service
> Description: Microsoft Internet Explorer is vulnerable to a denial of
> service issue when it fails to properly handle malformed HTML content.
> Ref: http://www.securityfocus.com/bid/15268
> ______________________________________________________________________
>
> ______________________________________________________________________
>
> 05.44.19 CVE: Not Available
> Platform: Cross Platform
> Title: PHP parse_str register_globals Activation Weakness
> Description: PHP is a general-purpose scripting language for web
> development and can be embedded into HTML. PHP is susceptible to a
> weakness in the "parse_str" function that allows attackers to
> re-enable the "register_globals" directive. PHP version 4.4.1 is
> released to fix this issue.
> Ref: http://www.php.net/release_4_4_1.php
> ______________________________________________________________________
>
> 05.44.20 CVE: Not Available
> Platform: Cross Platform
> Title: PHP File Upload GLOBALS Variable Overwrite
> Description: PHP is susceptible to a vulnerability that allows
> attackers to overwrite the GLOBALS variable. By exploiting this issue,
> remote attackers may be able to overwrite the GLOBALS variable. This
> may allow attackers to further exploit latent vulnerabilities in PHP
> scripts. PHP versions earlier than 4.4.1 are vulnerable.
> Ref: http://www.php.net/release_4_4_1.php
> ______________________________________________________________________
>
>
> 05.44.23 CVE: Not Available
> Platform: Web Application
> Title: PHPBB Multiple Unspecified Vulnerabilities
> Description: PHPBB is a bulletin board system. It is prone to multiple
> unspecified vulnerabilities due to insufficient sanitization of
> user-supplied data; however, the causes and impacts of other issues
> were not specified. PHPBB versions 2.0.17 and earlier are vulnerable.
> Ref: http://www.securityfocus.com/bid/15246/discuss
> ______________________________________________________________________
>
> 05.44.25 CVE: Not Available
> Platform: Web Application
> Title: phpBB Global Variable Deregistration Bypass Vulnerabilities
> Description: phpBB is a bulletin board system written in PHP. It is
> reported to be vulnerable to SQL injection, HTML injection and
> cross-site scripting issues due to improper deregistration of global
> variables. phpBB version 2.0.17 and earlier are reported to be
> vulnerable.
> Ref: http://www.securityfocus.com/bid/15243
> ______________________________________________________________________
>
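The newsletter items above (the PHP GLOBALS overwrite, the parse_str register_globals weakness, and the phpBB global-variable deregistration bypass) all come down to one pattern: request parameters being imported into the script's symbol table, where they can define variables the script never initialised. The following is an added example written for this page; it is not code from the newsletter, from PHP, or from phpBB. It uses a constructed request array in place of $_GET/$_POST so it runs offline, and lookupAdminFlag is a hypothetical stand-in for a real session or database lookup.

```php
<?php
// Added example (not from the @RISK newsletter, PHP, or phpBB). It shows why
// register_globals-style variable import is dangerous and what the explicit
// alternative looks like. $request stands in for $_GET/$_POST; in a real
// script those superglobals would be read instead.

// Hypothetical stand-in for a session/database lookup: only "root" is admin.
function lookupAdminFlag(string $user): bool
{
    return $user === 'root';
}

// --- Vulnerable pattern: emulate register_globals by importing every request
//     key as a local variable. Any variable the script fails to initialise
//     before use can then be supplied by the client.
function vulnerableIsAdmin(array $request): bool
{
    // $isAdmin is meant to come only from lookupAdminFlag(), but extract()
    // lets a request parameter "isAdmin=1" define it first, so the isset()
    // guard below skips the real lookup.
    extract($request);                          // register_globals emulation
    if (!isset($isAdmin)) {
        $isAdmin = lookupAdminFlag(isset($user) ? (string) $user : '');
    }
    return (bool) $isAdmin;
}

// --- Hardened pattern: never import request keys into the symbol table,
//     initialise every state variable, and read input explicitly by name.
function hardenedIsAdmin(array $request): bool
{
    $isAdmin = false;                           // always initialised
    $user = isset($request['user']) ? (string) $request['user'] : '';
    $isAdmin = lookupAdminFlag($user);
    return $isAdmin;
}

// --- Guard for legacy code that still imports request data: refuse keys that
//     would clobber PHP's own arrays. A key named "GLOBALS", or one beginning
//     with "_" (e.g. "_SESSION", "_SERVER"), must never be imported; the
//     advisories above concern overwrites of exactly this kind.
function hasDangerousKeys(array $request): bool
{
    foreach (array_keys($request) as $key) {
        if ($key === 'GLOBALS' || strncmp((string) $key, '_', 1) === 0) {
            return true;
        }
    }
    return false;
}

// Constructed sample requests (not captured traffic).
$benign  = ['user' => 'alice'];
$attack  = ['user' => 'alice', 'isAdmin' => '1'];
$clobber = ['GLOBALS' => ['isAdmin' => '1']];

var_dump(vulnerableIsAdmin($benign));   // legitimate user, no admin rights
var_dump(vulnerableIsAdmin($attack));   // same user, but the client set $isAdmin
var_dump(hardenedIsAdmin($attack));     // the extra parameter is ignored
var_dump(hasDangerousKeys($clobber));   // request would be rejected up front

// Deployment check: the workaround in item (1) is to turn the directive off.
if (ini_get('register_globals')) {
    fwrite(STDERR, "WARNING: register_globals is enabled in php.ini\n");
}
```

Run it with `php example.php`. The vulnerable function returns true for the second request even though lookupAdminFlag() never says so, because extract() defined $isAdmin from client input before the script did; the hardened version reads only the keys it expects and initialises its state first, so the same request yields false. The hasDangerousKeys() check is a stopgap for code that cannot yet drop request-variable import; the real fix is to disable register_globals and stop using extract() or equivalent loops on request data.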