@RISK: The Consensus Security Vulnerability Alert

Part I -- Critical Vulnerabilities from TippingPoint (www.tippingpoint.com)

Part II -- Comprehensive List of Newly Discovered Vulnerabilities from Qualys

• (1) HIGH: Apple Safari Multiple Vulnerabilities
• (2) MEDIUM: Foxit Reader ActiveX Control Buffer Overflow

Part II -- Comprehensive List of Newly Discovered Vulnerabilities from Qualys (www.qualys.com)

Other Microsoft Products

• 11.31.1 - Internet Explorer EUC-JP Encoded Characters Cross-Site Scripting

Third Party Windows Apps

• 11.31.2 - Foxit Reader "FoxitReaderOCX" ActiveX Control "OpenFile()" Buffer Overflow
• 11.31.3 - Kingsoft Antivirus "KisKrnl.sys" Driver Local Privilege Escalation
• 11.31.4 - CiscoKits CCNA TFTP Server Long Filename Remote Denial of Service
• 11.31.5 - Download Accelerator Plus ".m3u" File Buffer Overflow
• 11.31.6 - Computer Associates ARCserve D2D "homepageServlet" Servlet Information Disclosure

Linux

• 11.31.7 - SystemTap Multiple Local Privilege Escalation Vulnerabilities
• 11.31.8 - IcedTea6 and IcedTea-Web Information Disclosure and Security Bypass Vulnerabilities

Cross Platform

• 11.31.9 - Apple Safari Multiple Security Vulnerabilities
• 11.31.10 - Likewise Open lsassd Service SQL Injection
• 11.31.11 - BusyBox "udhcpc" Shell Characters in Response Remote Code Execution
• 11.31.12 - FreeRADIUS Revoked Certificate Authentication Bypass Vulnerability
• 11.31.13 - OpenSAML XML Signature Wrapping Security Vulnerability
• 11.31.14 - ClamAV Hash Manager Off-By-One Denial of Service
• 11.31.15 - ICQ Profile HTML Injection Vulnerability

Web Application - Cross Site Scripting

• 11.31.16 - Tiki Wiki CMS Groupware "snarf_ajax.php" Cross-Site Scripting
• 11.31.17 - Koha OPAC Multiple Cross-Site Scripting Vulnerabilities

Web Application - SQL Injection Vulnerability

• 11.31.18 - vBulletin "messagegroupid" Parameter SQL Injection

Web Application - SQL Injection

• 11.31.19 - ExtCalendar "username" and "password" SQL Injection Vulnerabilities

Web Application

• 11.31.20 - PRADO "TActiveFileUpload.php" Directory Traversal Vulnerability
• 11.31.21 - Free Help Desk Multiple Unspecified Vulnerabilities
• 11.31.22 - cgit HTML Injection Vulnerability
• 11.31.23 - phpMyAdmin Multiple Remote Vulnerabilities
• 11.31.24 - Musicbox Cross-Site Scripting and SQL Injection Vulnerabilities
• 11.31.25 - ManageEngine ServiceDesk Plus Local Privilege Escalation

Hardware

• 11.31.26 - Cisco SA 500 Series Appliances Web Management Interface SQL Injection
• 11.31.27 - Dlink DPH 150SE/E/F1 IP Phones Multiple Remote Vulnerabilities

PART I Critical Vulnerabilities

PART I Critical Vulnerabilities Part I for this issue has been compiled by Josh Bronson at TippingPoint, a division of HP, as a by-product of that company's continuous effort to ensure that its intrusion prevention products effectively block exploits using known vulnerabilities. TippingPoint's analysis is complemented by input from a council of security managers from twelve large organizations who confidentially share with SANS the specific actions they have taken to protect their systems. A detailed description of the process may be found at http://www.sans.org/newsletters/risk/#process

*************************************************************

Part II: Weekly Comprehensive List of Newly Discovered Vulnerabilities
Week 27, 2011

Part II -- Comprehensive List of Newly Discovered Vulnerabilities from Qualys (www.qualys.com) This list is compiled by Qualys ( www.qualys.com ) as part of that company's ongoing effort to ensure its vulnerability management web service tests for all known vulnerabilities that can be scanned. As of this week Qualys scans for 11861 unique vulnerabilities. For this special SANS community listing, Qualys also includes vulnerabilities that cannot be scanned remotely. ______________________________________________________________________

• 11.31.1 - CVE: Not Available
• Platform: Other Microsoft Products
• Title: Internet Explorer EUC-JP Encoded Characters Cross-Site Scripting
• Description: Microsoft Internet Explorer is a Web browser for Windows platforms. The application is exposed to a cross-site scripting issue. Specifically, the issue occurs because the application fails to properly sanitize input passed via EUC-JP encoded characters. Internet Explorer versions 6 and 7 are vulnerable.
• Ref: http://www.securityfocus.com/bid/48888/discuss

• 11.31.2 - CVE: Not Available
• Platform: Third Party Windows Apps
• Title: Foxit Reader "FoxitReaderOCX" ActiveX Control "OpenFile()" Buffer Overflow
• Description: Foxit Reader is a P2P client for the Microsoft Windows operating platform. Foxit Reader is exposed to a buffer overflow issue because the application fails to perform adequate boundary checks on user-supplied data. This issue affects the "OpenFile()" method of the "FoxitReaderOCX" ActiveX control when passing excessively large amounts of data through the "strfilePath" parameter. Foxit Reader 5.0.1.0523 is vulnerable and other versions may also be affected.
• Ref: http://www.securityfocus.com/bid/48836/references

• 11.31.3 - CVE: Not Available2011.7.8.913 is vulnerable and other versions may also be affected.
• Platform: Third Party Windows Apps
• Title: Kingsoft Antivirus "KisKrnl.sys" Driver Local Privilege Escalation
• Description: Kingsoft Antivirus is a security application for Microsoft Windows platforms. The application is exposed to a local privilege escalation issue. This issue affects the "NtQueryValueKey" function of the "KisKrnl.sys" driver, and is due to a failure to properly bounds check the "ResultLength" buffer. Kingsoft Antivirus
• Ref: http://www.securityfocus.com/bid/48867/references

• 11.31.4 - CVE: Not Available
• Platform: Third Party Windows Apps
• Title: CiscoKits CCNA TFTP Server Long Filename Remote Denial of Service
• Description: CiscoKits CCNA TFTP Server is a trivial FTP server application. The application is exposed to a remote denial of service issue. This issue occurs when an overly long filename is provided to the "read" command request. CiscoKits CCNA TFTP Server 1.0 is affected and other versions may also be vulnerable.
• Ref: http://www.securityfocus.com/bid/48868/discuss

• 11.31.5 - CVE: Not Available
• Platform: Third Party Windows Apps
• Title: Download Accelerator Plus ".m3u" File Buffer Overflow
• Description: Download Accelerator Plus is an application used to accelerate file downloads. The application is exposed to a buffer overflow issue because it fails to perform adequate checks on user-supplied input. Specifically, this issue occurs when processing a ".m3u" file. Download Accelerator Plus 9.7 is vulnerable and other versions may also be affected.
• Ref: http://www.securityfocus.com/bid/48871/references

• 11.31.6 - CVE: Not Available
• Platform: Third Party Windows Apps
• Title: Computer Associates ARCserve D2D "homepageServlet" Servlet Information Disclosure
• Description: Computer Associates ARCserve D2D is a disk-based backup solution. The application is exposed to an information-disclosure vulnerability that affects the "homepageServlet" servlet. An unauthenticated attacker can exploit this issue to obtain the "username" and "password" of the administrator by sending a specially crafted RPC (Remote Procedure Call) request to the affected servlet. The RPC request will contain a message to the "getLocalHost()" procedure. Computer Associates ARCServe D2D r15 is vulnerable.
• Ref: http://retrogod.altervista.org/9sg_ca_d2dii.html

• 11.31.7 - CVE: CVE-2011-2503,CVE-2011-2502
• Platform: Linux
• Title: SystemTap Multiple Local Privilege Escalation Vulnerabilities
• Description: SystemTap is an application for Linux that is used for gathering system information. The SystemTap runtime tool (staprun) is exposed to multiple local privilege escalation issues. When a request is made for ad hoc module instrumentation via user space probing with a user specified module path, the tool fails to properly enforce the module's path sanity check. A race condition issue exists in the tool when loading modules. Specifically, there is a time gap between performing the module sanity checks and actually loading the module. SystemTap 1.4.6 and SystemTap 1.3.9 are affected.
• Ref: http://www.securityfocus.com/bid/48886/references

• 11.31.8 - CVE: CVE-2011-2514,CVE-2011-2513
• Platform: Linux
• Title: IcedTea6 and IcedTea-Web Information Disclosure and Security Bypass Vulnerabilities
• Description: IcedTea6 is a project based on OpenJDK6. IcedTea-Web is a web browser plug-in implementation of Java Web Start. The applications are exposed to multiple issues. An information disclosure issue exists in the Java Network Launching Protocol (JNLP). IcedTea-Web is exposed to a security bypass issue that exists in the Java Network Launching Protocol (JNLP). IcedTea6 versions 1.9.x prior to 1.9.9, 1.8.x prior to 1.8.9, IcedTea-Web versions 1.1.x prior to 1.1.1, 1.0.x prior to 1.0.4 are vulnerable.
• Ref: http://www.securityfocus.com/bid/48829/discuss

• 11.31.9 - CVE:CVE-2011-1797,CVE-2011-1462,CVE-2011-1457,CVE-2011-1453,CVE-2011-1288,CVE-2011-0255,CVE-2011-0254,CVE-2011-0253,CVE-2011-0240,CVE-2011-0238,CVE-2011-0237,CVE-2011-0235,CVE-2011-0234,CVE-2011-0233,CVE-2011-0232,CVE-2011-0225,CVE-2011-0222,CVE-2011-0221
• Platform: Cross Platform
• Title: Apple Safari Multiple Security Vulnerabilities
• Description: Apple Safari is a web browser available for Mac OS X and Microsoft Windows. Safari is exposed to multiple security issues that have been addressed in Apple security advisory APPLE-SA-2011-07-20-1. Safari 5.1 and 5.0.6 running on Apple Mac OS X, Windows 7, XP and Vista are affected.
• Ref: http://lists.apple.com/archives/security-announce/2011/Jul/msg00002.html

• 11.31.10 - CVE: CVE-2011-2467
• Platform: Cross Platform
• Title: Likewise Open lsassd Service SQL Injection
• Description: Likewise Open is an authentication solution for Unix and Linux operating systems. The application is exposed to an SQL injection issue because it fails to sufficiently sanitize user-supplied data to the unspecified parameter of the "lsassd" service before using it in an SQL query. Likewise Open 5.4, 6.0, 6.1 are affected.
• Ref: http://www.likewise.com/community/index.php/forums/viewannounce/1212_6/

• 11.31.11 - CVE: Not Available
• Platform: Cross Platform
• Title: BusyBox "udhcpc" Shell Characters in Response Remote Code Execution
• Description: "udhcpc" is a DHCP client utility which is distributed in the BusyBox application. The client is exposed to a remote code execution issue because it fails to properly escape certain shell meta-characters from DHCP server responses, such as the "hostname" parameter passed in the option "0x0c". BusyBox 1.18.5 is affected.
• Ref: http://www.securityfocus.com/bid/48879/references

• 11.31.12 - CVE: CVE-2011-2701
• Platform: Cross Platform
• Title: FreeRADIUS Revoked Certificate Authentication Bypass Vulnerability
• Description: FreeRADIUS is an open source implementation of the RADIUS protocol for authentication. The application is exposed to an authentication bypass issue because it allows attackers to use revoked certificates to gain authenticated access to the FreeRADIUS server. This issue occurs in the "ocsp_check()" function of the "rlm_ear_tls.c" source file. Specifically when the "OCSP_basic_verify()" function validates the certificate, it fails to check if the certificate has been revoked. FreeRADIUS versions 2.1.11 and earlier are vulnerable.
• Ref: https://www.dfn-cert.de/informationen/Sicherheitsbulletins/dsb-2011-01.html

• 11.31.13 - CVE: CVE-2011-1411
• Platform: Cross Platform
• Title: OpenSAML XML Signature Wrapping Security Vulnerability
• Description: OpenSAML is an open source library for the Security Assertion Markup Language (SAML) standard. OpenSAML is exposed to a security issue involving XML signature wrapping. This issue occurs in the XML message signing tool, which is used in place of the TLS mechanism when validating certain queries. OpenSAML prior to V2.5.1 are affected.
• Ref: http://shibboleth.internet2.edu/secadv/secadv_20110725.txt

• 11.31.14 - CVE: Not Available
• Platform: Cross Platform
• Title: ClamAV Hash Manager Off-By-One Denial of Service
• Description: ClamAV is a multiplatform toolkit used for scanning email messages for viruses. The application is exposed to a denial of service issue due to an off-by-one error in the "cli_hm_scan()" function of the "libclamav/matcher-hash.c" source file. This issue occurs in the hash manager of the application when scanning certain hashes of malicious messages. Versions prior to ClamAV 0.97.2 are vulnerable.
• Ref: http://www.securityfocus.com/bid/48891/discuss

• 11.31.15 - CVE: Not Available
• Platform: Cross Platform
• Title: ICQ Profile HTML Injection Vulnerability
• Description: ICQ is an instant messaging client. The application is exposed to an HTML injection issue because it fails to properly sanitize user-supplied input to a user's profile. Successful exploits will allow attacker-supplied HTML and script code to run in the context of the browser, potentially allowing the attacker to steal cookie-based authentication credentials or to control how the site is rendered to the user. Other attacks are also possible. ICQ 7.5 and prior running on Windows are vulnerable.
• Ref: http://noptrix.net/advisories/icq_cli_xss.txt

• 11.31.16 - CVE: Not Available
• Platform: Web Application - Cross Site Scripting
• Title: Tiki Wiki CMS Groupware "snarf_ajax.php" Cross-Site Scripting
• Description: Tiki Wiki CMS Groupware is a PHP-based database management application. The application is exposed to a cross-site scripting issue because it fails to sufficiently sanitize user-supplied data submitted to the "ajax" parameter of the "snarf_ajax.php" script. Tiki Wiki CMS Groupware 7.0 is vulnerable; other versions may also be affected.
• Ref: http://www.htbridge.ch/advisory/xss_in_tiki_wiki_cms_groupware.html

• 11.31.17 - CVE: Not Available
• Platform: Web Application - Cross Site Scripting
• Title: Koha OPAC Multiple Cross-Site Scripting Vulnerabilities
• Description: Koha is a web-based library management system implemented in perl. The application is exposed to multiple cross-site scripting issues in its OPAC (Online Public Access Catalog) interface because it fails to properly sanitize user-supplied input submitted to the following scripts: "opac-downloadcart.pl","opac-addbybiblionumber.pl", "opac-downloadshelf.pl", "opac-review.pl", "opac-sendshelf.pl", "opac-serial-issues.pl". Koha version 3.2.9 and earlier, 3.4.1 and earlier are vulnerable.
• Ref: http://www.securityfocus.com/archive/1/519000

• 11.31.18 - CVE: Not Available
• Platform: Web Application - SQL Injection Vulnerability
• Title: vBulletin "messagegroupid" Parameter SQL Injection
• Description: vBulletin is a content manager implemented in PHP. vBulletin is exposed to an SQL injection issue because it fails to sufficiently sanitize user-supplied data submitted to the "messagegroupid" parameter of the "socialgroupmessage.php" script before using it in an SQL query. vBulletin versions 4.0.1 through 4.1.3 are vulnerable; other versions may also be affected.
• Ref: http://www.securityfocus.com/bid/48826/references

• 11.31.19 - CVE: Not Available
• Platform: Web Application - SQL Injection
• Title: ExtCalendar "username" and "password" SQL Injection Vulnerabilities
• Description: ExtCalendar is a powerful multi user web-based calendar application. The application is exposed to multiple SQL injection issues because the application fails to sufficiently sanitize user-supplied data passed to the "username" and "password" cookie parameters before using it in an SQL query. ExtCalendar 2.0 is vulnerable; other versions may also be affected.
• Ref: http://www.securityfocus.com/bid/48870/discuss

• 11.31.20 - CVE: Not Available
• Platform: Web Application
• Title: PRADO "TActiveFileUpload.php" Directory Traversal Vulnerability
• Description: PRADO is a Web application implemented in PHP. The application is exposed to a directory traversal issue because it fails to sufficiently sanitize user-supplied input passed to the "TActiveFileUpload.php" script. PRADO 3.1.3 and prior versions are affected.
• Ref: http://code.google.com/p/prado3/issues/detail?id=349

• 11.31.21 - CVE: Not Available
• Platform: Web Application
• Title: Free Help Desk Multiple Unspecified Vulnerabilities
• Description: Free Help Desk is a Web-based help desk system. The application is exposed to multiple unspecified issues. Free Help Desk versions prior to 1.1b are vulnerable.
• Ref: http://www.securityfocus.com/bid/48864/discuss

• 11.31.22 - CVE: Not Available
• Platform: Web Application
• Title: cgit HTML Injection Vulnerability
• Description: cgit is a file repository application. The application is exposed to an HTML injection issue because it fails to properly sanitize user-supplied requests. Specifically, the file name is displayed in the rename hint. Versions prior to cgit 0.9.0.2-2 are vulnerable.
• Ref: http://www.securityfocus.com/bid/48866/discuss

• 11.31.23 - CVE: CVE-2011-2643,CVE-2011-2642
• Platform: Web Application
• Title: phpMyAdmin Multiple Remote Vulnerabilities
• Description: phpMyAdmin is a PHP-based Web application. phpMyAdmin is exposed to multiple issues. An HTML injection issue affects the "table name" field of the "table print view" script. A local file include issue affects the "MIME-type" transformation parameter. A local file include issue exists because the application fails to sanitize user-supplied input passed to the "PMA_createTargetTable" function of the "libraries/server_synchronize_lib.php" script. A security issue exists in the "Swekey" authentication may allow attackers overwrite session variables. phpMyAdmin versions prior to 3.3.10.3 and 3.4.3.2 are affected.
• Ref: http://www.phpmyadmin.net/home_page/security/PMASA-2011-9.php http://www.phpmyadmin.net/home_page/security/PMASA-2011-10.php http://www.phpmyadmin.net/home_page/security/PMASA-2011-11.php http://www.phpmyadmin.net/home_page/security/PMASA-2011-12.php

• 11.31.24 - CVE: Not Available
• Platform: Web Application
• Title: Musicbox Cross-Site Scripting and SQL Injection Vulnerabilities
• Description: Musicbox is a web-based application for hosting a music site. It is implemented in PHP. The application is exposed to multiple issues. A SQL injection issue affects the "show" parameter of the "index.php" script. A cross-site scripting issue affects the "term" parameter of the "index.php" script. Musicbox 3.7 is affected; other versions may also be vulnerable.
• Ref: http://www.securityfocus.com/bid/48881/references

• 11.31.25 - CVE: Not Available
• Platform: Web Application
• Title: ManageEngine ServiceDesk Plus Local Privilege Escalation
• Description: The ManageEngine Applications Manager is a web-based availability and performance monitoring application. ManageEngine is exposed to a local privilege escalation issue. Specifically, the application fails to sanitize data supplied to the "module" parameter of the "BackupSchedule.do" script. ManageEngine ServiceDesk Plus 8 is vulnerable; other versions may also be affected.
• Ref: http://www.securityfocus.com/bid/48882/references

• 11.31.26 - CVE: CVE-2011-2546
• Platform: Hardware
• Title: Cisco SA 500 Series Appliances Web Management Interface SQL Injection
• Description: Cisco SA 500 series appliances provide security solutions. The devices are exposed to an unspecified SQL injection issue because they fail to sufficiently sanitize user-supplied data before using it in an SQL query. Cisco SA520, Cisco SA520W and Cisco SA540 are affected.
• Ref: http://www.cisco.com/en/US/products/products_security_advisory09186a0080b8915e.s
  html

• 11.31.27 - CVE: Not Available
• Platform: Hardware
• Title: Dlink DPH 150SE/E/F1 IP Phones Multiple Remote Vulnerabilities
• Description: Dlink DPH IP phones are wireless IP phones. Dlink DPH IP phones are exposed to multiple remote issues. An authentication bypass issue may allow attackers to obtain device configuration files including the administrators password. An arbitrary file upload issue exists in the web management interface and may allow an attacker to upload configuration files to the affected device. An unauthorized access issue may allow attackers to modify the messages shown on the devices' LCD displays. A denial of service issue may allow attackers to reboot the affected device. Dlink DPH 150SE, Dlink DPH 150E, Dlink DPH 150F1 are affected.
• Ref: http://www.securityfocus.com/bid/48894/references

(c) 2011. All rights reserved. The information contained in this newsletter, including any external links, is provided "AS IS," with no express or implied warranty, for informational purposes only. In some cases, copyright for material in this newsletter may be held by a party other than Qualys (as indicated herein) and permission to use such material must be requested from the copyright owner.

Please feel free to share this with interested parties via email, but no posting is allowed on web sites. For a free subscription, (and for free posters) or to update a current subscription, visit https://www.sans.org/account