@RISK: The Consensus Security Vulnerability Alert

Part I -- Critical Vulnerabilities from TippingPoint (www.tippingpoint.com)

Part II -- Comprehensive List of Newly Discovered Vulnerabilities from Qualys

• (1) MEDIUM: RealNetworks RealPlayer Multiple Vulnerabilities

Part II -- Comprehensive List of Newly Discovered Vulnerabilities from Qualys (www.qualys.com)

Third Party Windows Apps

• 11.49.1 - Schneider Electric Vijeo products Multiple Vulnerabilities

Linux

• 11.49.2 - Red Hat Enterprise Linux NFSv4 Mount Local Denial of Service
• 11.49.3 - Ubuntu Update Manager Multiple Vulnerabilities

Novell

• 11.49.4 - Novell Netware "XNFS.NLM" Component "xdrDecodeString()" Remote Buffer Overflow

Cross Platform

• 11.49.5 - Dovecot SSL Certificate "Common Name" Field Validation Security Bypass
• 11.49.6 - ZABBIX "only_hostid" Parameter SQL Injection
• 11.49.7 - Apache HTTP Server "mod_proxy" Reverse Proxy Security Bypass
• 11.49.8 - Celery Argument Processing Local Privilege Escalation
• 11.49.9 - Virtual Vertex Muster Web Interface Directory Traversal
• 11.49.10 - Final Draft Multiple Remote Stack Buffer Overflow Vulnerabilities
• 11.49.11 - lighttpd "http_auth.c" Remote Denial of Service

Web Application - Cross Site Scripting

• 11.49.12 - SPIP "exec_aide_index_dist()" Function Cross-Site Scripting

Web Application

• 11.49.13 - LimeSurvey Survey Text Field HTML Injection
• 11.49.14 - Mahara Reply To Message Information Disclosure
• 11.49.15 - Gitblit Source Code Repository Authentication Bypass
• 11.49.16 - webERP Multiple Vulnerabilities
• 11.49.17 - Dolibarr Multiple Cross-Site Scripting and SQL Injection Vulnerabilities
• 11.49.18 - PmWiki "PageListSort()" Function PHP Code Injection
• 11.49.19 - Multiple Horde Products Private Tasks Security Bypass
• 11.49.20 - One Click Orgs Multiple Security Vulnerabilities
• 11.49.21 - MyBB Multiple Security Vulnerabilities
• 11.49.22 - MediaWiki Multiple Information Disclosure Vulnerabilities
• 11.49.23 - Apache MyFaces EL Expression Evaluation Security Bypass
• 11.49.24 - CodeIgniter "CI_Security" Class "xss_clean()" Filter Security Bypass

Network Device

• 11.49.25 - Multiple Routers UPnP WAN Interface Remote Unauthorized Access

Hardware

• 11.49.26 - IBM System Storage TS3100 and TS3200 Tape Library Express Security Bypass

PART I Critical Vulnerabilities

PART I Critical Vulnerabilities Part I for this issue has been compiled by Josh Bronson at TippingPoint, a division of HP, as a by-product of that company's continuous effort to ensure that its intrusion prevention products effectively block exploits using known vulnerabilities. TippingPoint's analysis is complemented by input from a council of security managers from twelve large organizations who confidentially share with SANS the specific actions they have taken to protect their systems. A detailed description of the process may be found at http://www.sans.org/newsletters/risk/#process

*************************************************************

Part II: Weekly Comprehensive List of Newly Discovered Vulnerabilities
Week 44, 2011

Part II -- Comprehensive List of Newly Discovered Vulnerabilities from Qualys (www.qualys.com) This list is compiled by Qualys ( www.qualys.com ) as part of that company's ongoing effort to ensure its vulnerability management web service tests for all known vulnerabilities that can be scanned. As of this week Qualys scans for 12729 unique vulnerabilities. For this special SANS community listing, Qualys also includes vulnerabilities that cannot be scanned remotely. ______________________________________________________________________

• 11.49.1 - CVE: Not Available
• Platform: Third Party Windows Apps
• Title: Schneider Electric Vijeo products Multiple Vulnerabilities
• Description: Vijeo Historian, CitectHistorian and CitectSCADA Reports are data historian products. These applications are exposed to multiple issues. A cross-site scripting issue occurs because the applications fail to properly sanitize HTTP requests. A directory traversal issue occurs because the applications fail to sufficiently sanitize unspecified user-supplied input. Multiple buffer overflow issues in the third party TeeChart ActiveX control allow a remote attacker using social engineering to cause a denial of service or execute arbitrary code. Vijeo Historian V4.30 and earlier, CitectHistorian V4.30 and earlier, CitectSCADA Reports V4.10 and earlier are affected.
• Ref: http://www.scada.schneider-electric.com/sites/scada/en/login/historian-vulnerabi
  lity.page http://www.us-cert.gov/control_systems/pdf/ICSA-11-307-01.pdf

• 11.49.2 - CVE: CVE-2011-4324
• Platform: Linux
• Title: Red Hat Enterprise Linux NFSv4 Mount Local Denial of Service
• Description: Red Hat Enterprise Linux is exposed to a local denial of service issue. Specifically, the issue occurs when creating a file with the "mknod(2)" syscall on a NFSv4 mount. Red Hat Enterprise Linux 5 is affected.
• Ref: https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2011-4324 http://www.securityfocus.com/bid/50798/references

• 11.49.3 - CVE: CVE-2011-3152,CVE-2011-3154
• Platform: Linux
• Title: Ubuntu Update Manager Multiple Vulnerabilities
• Description: Ubuntu Update Manager is a package manager. The application is exposed to multiple security issues. A security issue is caused by an insecure temporary directory creation. A signature verification bypass issue occured because the application incorrectly extracted the downloaded upgrade tarball before verifying its GPG signature. Ubuntu version 11.10, 11.04, 10.10, 10.04 LTS and 8.04 LTS are affected.
• Ref: http://www.ubuntu.com/usn/usn-1284-1/

• 11.49.4 - CVE: CVE-2011-4191
• Platform: Novell
• Title: Novell Netware "XNFS.NLM" Component "xdrDecodeString()" Remote Buffer Overflow
• Description: Netware is a network operating system from Novell. The application is exposed to a remote buffer overflow issue. This issue occurs in the "xdrDecodingString()" function of the "XnfS.NLM" component when handling specially crafted UDP datagrams. NetWare 6.5 SP8 is vulnerable.
• Ref: http://download.novell.com/Download?buildid=Cfw1tDezgbw~

• 11.49.5 - CVE: Not Available
• Platform: Cross Platform
• Title: Dovecot SSL Certificate "Common Name" Field Validation Security Bypass
• Description: Dovecot is a mail server application for Linux and UNIX-like operating systems. The application is exposed to a security bypass issue because it fails to properly validate SSL certificates. Specifically, the application fails to properly match the "Common Name" field in the certificate to the hostname of a requested server. Dovecot versions prior to 2.0.16 are vulnerable.
• Ref: http://www.dovecot.org/list/dovecot-news/2011-November/000200.html http://www.securityfocus.com/bid/50709/discuss

• 11.49.6 - CVE: Not Available
• Platform: Cross Platform
• Title: ZABBIX "only_hostid" Parameter SQL Injection
• Description: ZABBIX is an IT monitoring system available for multiple operating platforms. The application is exposed to a SQL injection issue because it fails to sufficiently sanitize user-supplied data submitted to the "only_hostid" parameter of the "popup.php" script. ZABBIX versions 1.8.3 and 1.8.4 are vulnerable.
• Ref: https://support.zabbix.com/browse/ZBX-4385

• 11.49.7 - CVE: CVE-2011-4317
• Platform: Cross Platform
• Title: Apache HTTP Server "mod_proxy" Reverse Proxy Security Bypass
• Description: Apache HTTP Server an HTTP web server application. The application is exposed to a security bypass issue in the "mod_proxy" component. Specifically, when using the "RewriteRule" or "ProxyPassMatch" directives to configure a reverse proxy, it may be possible to disclose the internal servers due to the failure in handling a crafted URL containing a scheme. Apache HTTP Server versions 2.0.x through 2.0.64 and 2.2.x through 2.2.21 are affected.
• Ref: https://community.qualys.com/blogs/securitylabs/tags/cve-2011-4317

• 11.49.8 - CVE: Not Available
• Platform: Cross Platform
• Title: Celery Argument Processing Local Privilege Escalation
• Description: Celery is a task queue manager based on distributed message passing. The application is exposed to a local privilege escalation issue because it fails to handle certain arguments of the daemon process. Specifically, files may be created with insecure permissions. Celery 2.4 series prior to 2.4.4, 2.3 series prior to 2.3.4, 2.2 series prior to 2.2.8 and 2.1 are vulnerable.
• Ref: https://github.com/ask/celery/blob/master/docs/sec/CELERYSA-0001.txt http://www.securityfocus.com/bid/50825/references

• 11.49.9 - CVE: Not Available
• Platform: Cross Platform
• Title: Virtual Vertex Muster Web Interface Directory Traversal
• Description: Virtual Vertex Muster is a web management server. The application is exposed to a directory traversal issue because it fails to sufficiently sanitize directory traversal sequences (....) from a URI request submitted to its web interface. Virtual Vertex Muster 6.1.6 is vulnerable and other versions may also be affected.
• Ref: http://www.security-assessment.com/files/documents/advisory/Muster-Arbitrary_Fil
  e_Download.pdf http://www.securityfocus.com/bid/50841/references

• 11.49.10 - CVE: Not Available
• Platform: Cross Platform
• Title: Final Draft Multiple Remote Stack Buffer Overflow Vulnerabilities
• Description: Final Draft is scriptwriting software. The application is exposed to multiple remote stack-based buffer overflow issues because it fails to perform adequate boundary checks on user-supplied input. Specifically, these issues affect the ".fdx" and ".fdxt" files when processing XML tag elements. Final Draft 8.0 is vulnerable and prior versions may also be affected.
• Ref: http://security-assessment.com/files/documents/advisory/Final_Draft-Multiple_Sta
  ck_Buffer_Overflows.pdf http://www.securityfocus.com/bid/50850/references

• 11.49.11 - CVE: CVE-2011-4362
• Platform: Cross Platform
• Title: lighttpd "http_auth.c" Remote Denial of Service
• Description: lighttpd is an open source web server application. lighttpd is exposed to a remote denial of service issue when it runs with the "mod_auth" module loaded. Specifically, this issue occurs because of a signedness error in the "http_auth.c" source file that triggers an out-of-bounds memory read operation. lighttpd versions before 1.4.30 are vulnerable.
• Ref: http://download.lighttpd.net/lighttpd/security/lighttpd_sa_2011_01.txt

• 11.49.12 - CVE: Not Available
• Platform: Web Application - Cross Site Scripting
• Title: SPIP "exec_aide_index_dist()" Function Cross-Site Scripting
• Description: SPIP is a website publishing application implemented in PHP. The application is exposed to a cross-site scripting issue because it fails to properly sanitize user-supplied input submitted to the "aide" parameter of the "exec_aide_index_dist()" function in the "ecrire/exec/aide_index.php" script. SPIP versions 1.9.2, 2.0.16 and 2.1.11 are affected and other versions may also be affected.
• Ref: http://www.securityfocus.com/bid/50728/references http://xforce.iss.net/xforce/xfdb/71361

• 11.49.13 - CVE: Not Available
• Platform: Web Application
• Title: LimeSurvey Survey Text Field HTML Injection
• Description: LimeSurvey is a PHP-based survey application. The application is exposed to an HTML injection issue because it fails to sufficiently sanitize user-supplied input submitted to the text field of surveys. The input will be used as a tooltip for browsing survey results. LimeSurvey 1.91+ Build 11343-20111108 is vulnerable and prior versions may also be affected.
• Ref: http://sourceforge.net/projects/limesurvey/files/1._LimeSurvey_stable/1.91%2B/ http://www.securityfocus.com/bid/50696/discuss

• 11.49.14 - CVE: CVE-2011-2774
• Platform: Web Application
• Title: Mahara Reply To Message Information Disclosure
• Description: Mahara is a web-based portfolio application. The application is exposed to an information disclosure issue that affects the reply-to message functionality. Specifically, this issue occurs because the application fails to properly handle the "replyto" parameter. This allows an attacker to gain access to private user information by modifying the affected parameter. Versions prior to Mahara 1.4.1 are vulnerable.
• Ref: https://launchpad.net/mahara/+milestone/1.4.1

• 11.49.15 - CVE: Not Available
• Platform: Web Application
• Title: Gitblit Source Code Repository Authentication Bypass
• Description: Gitblit is a software repository application. Gitblit is exposed to a remote authentication bypass issue. This issue occurs because the application fails to properly validate login credentials before cloning a source code repository. Versions prior to Gitblit 0.7.0 are vulnerable.
• Ref: http://gitblit.com/releases.html

• 11.49.16 - CVE: Not Available
• Platform: Web Application
• Title: webERP Multiple Vulnerabilities
• Description: webERP is a Web-based application implemented in PHP. The application is exposed to multiple input validation issues. An information disclosure issue affects the application because it assigns improper permissions to the "phpinfo.php" script stored in the Web root. Multiple SQL injection issues affect the "reportid" GET parameter of the "ReportMaker.php" script and the "ReportID" POST parameter of the "FormMaker.php" script. Multiple cross-site scripting issues affect the application because it fails to sufficiently sanitize user-supplied input. webERP 4.0.5 is vulnerable and prior versions may also be affected.
• Ref: http://www.securityfocus.com/archive/1/520561 http://www.securityfocus.com/bid/50713/references

• 11.49.17 - CVE: Not Available
• Platform: Web Application
• Title: Dolibarr Multiple Cross-Site Scripting and SQL Injection Vulnerabilities
• Description: Dolibarr is a company/foundation activity management application implemented in PHP. The application is exposed to multiple issues because it fails to sufficiently sanitize user-supplied input. Multiple SQL injection issues affect the following scripts and parameters: "user/index.php" : "sortfield", "sortorder", "sall", "user/group/index.php" : "sortfield", "sortorder", "sall", "user/info.php" : "id", "user/perms.php" : "id", "user/param_ihm.php" : "id", "user/note.php" : "id", "user/fiche.php" : "id", "admin/boxes.php" : "rowid". Multiple cross-site scripting issues affect the following scripts and parameters: "admin/ihm.php" : "optioncss", "user/home.php" : "optioncss", "index.php", "admin/boxes.php", "comm/clients.php", "commande/index.php". Dolibarr 3.1.0 RC is vulnerable and prior versions may also be affected.
• Ref: http://www.securityfocus.com/archive/1/520619

• 11.49.18 - CVE: CVE-2011-4453
• Platform: Web Application
• Title: PmWiki "PageListSort()" Function PHP Code Injection
• Description: PmWiki is a PHP-based wiki application. The application is exposed to an issue that lets attackers inject arbitrary PHP code. The issue occurs because the application fails to sanitize the input passed to the "PageListSort()" function of the "scripts/pagelist.php" script. PmWiki versions 2.0.0 to 2.2.34 are vulnerable and other versions may also be affected.
• Ref: http://www.pmwiki.org/wiki/PmWiki/ChangeLog#v2235 http://www.securityfocus.com/archive/1/520631

• 11.49.19 - CVE: Not Available
• Platform: Web Application
• Title: Multiple Horde Products Private Tasks Security Bypass
• Description: The Horde Project creates Open Source applications based on PHP and the Horde Framework. Multiple Horde Products are exposed to a security bypass issue due to a failure to restrict access to private tasks. This allows an attacker to view details of tasks through the API. Horde Groupware versions prior to 4.0.4, Horde Groupware Webmail Edition versions prior to 4.0.4 and Horde Nag versions prior to 3.0.6 are affected.
• Ref: http://lists.horde.org/archives/announce/2011/000723.html http://lists.horde.org/archives/announce/2011/000724.html http://lists.horde.org/archives/announce/2011/000725.html http://www.securityfocus.com/bid/50800/references

• 11.49.20 - CVE: Not Available
• Platform: Web Application
• Title: One Click Orgs Multiple Security Vulnerabilities
• Description: One Click Orgs is a simple voting system. The application is exposed to multiple security issues. An HTML injection issue occurs because the application fails to properly sanitize user-supplied input to the "Description" field. An open redirection issue occurs because the applicatin fails to properly sanitize user-supplied input to the "return_to" field. A URI open email relay issue occurs because the application fails to prevent malicious users from sending unsolicited emails to unsuspecting victims. A denial of service issue occurs because the application allows users to modify the email addresses of the other org members. One Click Orgs version 1.2.1 is vulnerable.
• Ref: http://dmcdonald.net/?page_id=43

• 11.49.21 - CVE: Not Available
• Platform: Web Application
• Title: MyBB Multiple Security Vulnerabilities
• Description: MyBB (MyBulletinBoard) is a forum application implemented in PHP. The application is exposed to multiple security issues. A cross-site scripting issue affects the "username" field. A cross-site request forgery issue exists because the application does not properly validate HTTP requests. An unspecified issue exists because of an unknown error related to unparsed user avatar in the buddy list. Versions prior to MyBB 1.6.5 are vulnerable.
• Ref: http://blog.mybb.com/2011/11/25/mybb-1-6-5-released-feature-update-security-main
  tenance-release/

• 11.49.22 - CVE: Not Available
• Platform: Web Application
• Title: MediaWiki Multiple Information Disclosure Vulnerabilities
• Description: MediaWiki is a media and image content wiki application. The application is exposed to multiple information disclosure issues. Attackers can identify the titles of pages on a private wiki because the "preliminaryChecks()" function fails to properly verify requests when the "curid" parameter is set. Attackers can identify the presence of a file on a private wiki because the application fails to properly check read permissions before handling certain AJAX requests. MediaWiki 1.17.0 is vulnerable and prior versions may also be affected.
• Ref: http://lists.wikimedia.org/pipermail/mediawiki-announce/2011-November/000104.htm
  l

• 11.49.23 - CVE: CVE-2011-4359
• Platform: Web Application
• Title: Apache MyFaces EL Expression Evaluation Security Bypass
• Description: Apache MyFaces is used to create server-side GUI web applications. The application is exposed to a security bypass issue. This issue occurs because of an error when handling parameters in a Java Bean. Specifically, parameters may be evaluated as an EL (Expression Language) expression. Note: To exploit this issue, "includeViewParameters" must be set to "true" in the Java Bean. Apache MyFaces versions 2.1.x prior to 2.1.5 are affected and other versions may also be affected.
• Ref: https://issues.apache.org/jira/browse/MYFACES-3405 http://www.securityfocus.com/bid/50848/references

• 11.49.24 - CVE: CVE-2011-4025
• Platform: Web Application
• Title: CodeIgniter "CI_Security" Class "xss_clean()" Filter Security Bypass
• Description: CodeIgniter is a PHP-based framework for building web applications. The application is exposed to a security bypass issue. This issue occurs because of design and implementation errors in the "CI_Security" class. Specifically, these errors exist in the "xss_clean()" filter function that provides XSS protection and the "_remove_evil_attributes()" function. Attackers can bypass the "xss_clean()" filter by exploiting this issue. EllisLab CodeIgniter 2.0.3 is affected.
• Ref: http://www.securityfocus.com/archive/1/520676 http://www.securityfocus.com/bid/50847/references

• 11.49.25 - CVE:CVE-2011-4506,CVE-2011-4505,CVE-2011-4504,CVE-2011-4503,CVE-2011-4502,CVE-2011-4501,CVE-2011-4500,CVE-2011-4499
• Platform: Network Device
• Title: Multiple Routers UPnP WAN Interface Remote Unauthorized Access
• Description: Universal Plug and Play (UPnP) is a networking protocol mostly used for personal computing devices to discover and communicate with each other and the Internet. Multiple UPnp enabled router devices are exposed to an unauthorized access issue. This issue occurs because the devices incorrectly accept UPnP requests over the "AddPortMapping" and "DeletePortMapping" WAN interfaces. Cisco Linksys WRT54G firmware version prior to 4.30.5, Cisco Linksys WRT54GS v1 through v3 firmware versions prior to 4.71.1, Cisco Linksys WRT54GS v4 firmware versions prior to 1.06.1, Cisco Linksys WRT54GX firmware 2.00.05, Edimax BR-6104K prior to 3.25, Edimax 6114Wg Canyon-Tech CN-WF512 firmware version 1.83, Canyon-Tech CN-WF514 firmware version 2.08, Sitecom WL-153 prior to firmware 1.39, Sitecom WL-111, Sweex LB000021 firmware version 3.15, ZyXEL P-330W, SpeedTouch 5x6 firmware versions prior to 6.2.29, Thomson TG585 firmware versions prior to 7.4.3.2 are affected.
• Ref: http://www.upnp-hacks.org/devices.html http://www.securityfocus.com/bid/50810/references http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2011-4506 http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2011-4505

• 11.49.26 - CVE: CVE-2011-1372
• Platform: Hardware
• Title: IBM System Storage TS3100 and TS3200 Tape Library Express Security Bypass
• Description: IBM System Storage TS3100 and TS3200 Tape Library Express are backup solutions. The applications are exposed to a security bypass issue that affects the authentication mechanism. Specifically, this issue may give attackers access to the library administration. IBM System Storage TS3100 and TS3200 Tape Library Express versions prior to A.60 are vulnerable.
• Ref: http://www-01.ibm.com/support/docview.wss?uid=ssg1S1003938

(c) 2011. All rights reserved. The information contained in this newsletter, including any external links, is provided "AS IS," with no express or implied warranty, for informational purposes only. In some cases, copyright for material in this newsletter may be held by a party other than Qualys (as indicated herein) and permission to use such material must be requested from the copyright owner.

Please feel free to share this with interested parties via email, but no posting is allowed on web sites. For a free subscription, (and for free posters) or to update a current subscription, visit https://www.sans.org/account