@RISK: The Consensus Security Vulnerability Alert

Part I -- Critical Vulnerabilities from TippingPoint (www.tippingpoint.com)

Part II -- Comprehensive List of Newly Discovered Vulnerabilities from Qualys

• (1) HIGH: Microsoft Active Directory "BROWSER ELECTION" Buffer Overflow
• (2) HIGH: Oracle Java Multiple Vulnerabilities

Part II -- Comprehensive List of Newly Discovered Vulnerabilities from Qualys (www.qualys.com)

Windows

• 11.8.1 - Microsoft Windows Multiple Shell Graphics Buffer Overflow Vulnerabilities

Third Party Windows Apps

• 11.8.2 - Microsoft Active Directory "BROWSER ELECTION" Buffer Overflow
• 11.8.3 - A1 Website Download "fwpuclnt.dll" DLL Loading Arbitrary Code Execution

Linux

• 11.8.4 - Linux Kernel "fs/btrfs/ioctl.c" Local Privilege Escalation
• 11.8.5 - Linux Kernel "security_filter_rule_init()" Local Security Bypass
• 11.8.6 - Ubuntu iTALC Private Keys Security Bypass

Novell

• 11.8.7 - Novell Open Enterprise Server iPrint Unspecified Remote Code Execution

Cross Platform

• 11.8.8 - OpenSSL OCSP Stapling "ClientHello" Handshake Message Parsing Security
• 11.8.9 - MIT Kerberos KDC Principal Name LDAP Request NULL Pointer Denial of Service
• 11.8.10 - Adobe Flash Player Remote Memory Corruption
• 11.8.11 - Real Networks RealPlayer "OpenURLinPlayerBrowser" Method Remote Cross-Domain Scripting
• 11.8.12 - IDA Pro Mach-O loader Buffer Overflow
• 11.8.13 - Pidgin "Libpurple" Cipher API Information Disclosure
• 11.8.14 - Adobe Shockwave Player Unspecified Memory Corruption Remote Code Execution
• 11.8.15 - IBM Lotus Connections Login Module Unspecified Issue
• 11.8.16 - phpMyAdmin Bookmark Security Bypass
• 11.8.17 - IBM Lotus Domino Remote Console Security Bypass
• 11.8.18 - OpenLDAP Multiple Security Bypass Vulnerabilities
• 11.8.19 - PHP Exif Extension "exif_read_data()" Function Remote Denial of Service
• 11.8.20 - CuteZip ".zip" File Buffer Overflow
• 11.8.21 - Oracle Java SE and Java for Business Remote Security Vulnerability

Web Application - Cross Site Scripting

• 11.8.22 - Adobe ColdFusion Multiple Cross-Site Scripting Vulnerabilities
• 11.8.23 - Ruby on Rails Cross-Site Scripting and Cross Request Forgery Vulnerabilities
• 11.8.24 - PHPXref "nav.html" Cross-Site Scripting
• 11.8.25 - CGI:IRC "nonjs" Interface Cross-Site Scripting
• 11.8.26 - Apache Continuum Cross-Site Scripting
• 11.8.27 - Photopad Multiple Cross Site Scripting Vulnerabilities

Web Application - SQL Injection

• 11.8.28 - WP Forum Server for WordPress Multiple SQL Injection Vulnerabilities

Web Application

• 11.8.29 - WordPress Enable Media Replace Plugin SQL Injection and Arbitrary File Upload Vulnerabilities
• 11.8.30 - Invision Power Board IP.Board "forum password system" Information Disclosure
• 11.8.31 - Smarty Template Engine "$smarty.template" PHP Code Injection
• 11.8.32 - phpMyBitTorrent "id" Parameter SQL Injection

PART I Critical Vulnerabilities

PART I Critical Vulnerabilities Part I for this issue has been compiled by Josh Bronson at TippingPoint, a division of HP, as a by-product of that company's continuous effort to ensure that its intrusion prevention products effectively block exploits using known vulnerabilities. TippingPoint's analysis is complemented by input from a council of security managers from twelve large organizations who confidentially share with SANS the specific actions they have taken to protect their systems. A detailed description of the process may be found at http://www.sans.org/newsletters/risk/#process

Part II: Weekly Comprehensive List of Newly Discovered Vulnerabilities
Week 8, 2011

Part II -- Comprehensive List of Newly Discovered Vulnerabilities from Qualys (www.qualys.com) This list is compiled by Qualys ( www.qualys.com ) as part of that company's ongoing effort to ensure its vulnerability management web service tests for all known vulnerabilities that can be scanned. As of this week Qualys scans for 10919 unique vulnerabilities. For this special SANS community listing, Qualys also includes vulnerabilities that cannot be scanned remotely.

• 11.8.1 - CVE: Not Available
• Platform: Windows
• Title: Microsoft Windows Multiple Shell Graphics Buffer Overflow Vulnerabilities
• Description: Microsoft Windows is exposed to multiple buffer overflow issues that affect the Windows Shell Graphics processor. An attacker can exploit these issues by enticing an unsuspecting user to open or preview a specially crafted BMP image.
• Ref: http://www.securityfocus.com/archive/1/516411

• 11.8.2 - CVE: Not Available
• Platform: Third Party Windows Apps
• Title: Microsoft Active Directory "BROWSER ELECTION" Buffer Overflow
• Description: Microsoft Active Directory is an LDAP (Lightweight Directory Access Protocol) implementation distributed with multiple Windows operating systems. Active Directory is exposed to a remote heap-based buffer overflow issue because the application fails to perform adequate boundary checks on user-supplied data. Active Directory on Windows Server 2003 is affected.
• Ref: http://seclists.org/fulldisclosure/2011/Feb/285

• 11.8.3 - CVE: Not Available
• Platform: Third Party Windows Apps
• Title: A1 Website Download "fwpuclnt.dll" DLL Loading Arbitrary Code Execution
• Description: A1 Website Download is a download management application. The application is exposed to an issue that lets attackers execute arbitrary code. The issue arises because the application searches for the "fwpuclnt.dll" Dynamic Link Library file in the current working directory. A1 Website Download version 2.3.3 is affected.
• Ref: http://www.microsoft.com/technet/security/advisory/2269637.mspx

• 11.8.4 - CVE: Not Available
• Platform: Linux
• Title: Linux Kernel "fs/btrfs/ioctl.c" Local Privilege Escalation
• Description: The Linux kernel is exposed to a local privilege escalation issue because of an integer overflow error. This issue affects the "btrfs_ioctl_space_info()" function of the "fs/btrfs/ioctl.c" source file. Specifically, an integer truncation error occurs when typecasting a value, resulting in a heap overflow.
• Ref: http://marc.info/?l=linux-kernel&m=129726078708425&w=2

• 11.8.5 - CVE: CVE-2011-0006
• Platform: Linux
• Title: Linux Kernel "security_filter_rule_init()" Local Security Bypass
• Description: The Linux kernel is exposed to a local security bypass issue because the return value for the "security_filter_rule_init()" function can permit some Linux Security Modules (LSM) to be ignored. Specifically, an empty rule causes all remaining rules to be ignored. Linux kernel versions prior to 2.6.32.28 are affected.
• Ref: https://bugzilla.redhat.com/show_bug.cgi?id=667912

• 11.8.6 - CVE: CVE-2011-0724
• Platform: Linux
• Title: Ubuntu iTALC Private Keys Security Bypass
• Description: iTALC is an application that allows users to view and control computers on a network. Ubuntu iTALC is exposed to a security bypass issue because the private key shipped with Edubuntu is not regenerated for iTALC clients once the operating system is installed.
• Ref: http://www.securityfocus.com/bid/46346

• 11.8.7 - CVE: CVE-2010-4328
• Platform: Novell
• Title: Novell Open Enterprise Server iPrint Unspecified Remote Code Execution
• Description: Novell Open Enterprise Server is a suite of networking applications. Novell Open Enterprise Server is exposed to an unspecified remote code execution issue in the iPrint LPD component. Novell Open Enterprise Server versions 2.0.2 and 2.0.3 are affected.
• Ref: http://www.novell.com/support/viewContent.do?externalId=7007858

• 11.8.8 - CVE: CVE-2011-0014
• Platform: Cross Platform
• Title: OpenSSL OCSP Stapling "ClientHello" Handshake Message Parsing Security
• Description: OpenSSL is an open source implementation of the SSL protocol that is used by a number of other projects, including but not limited to Apache, Sendmail and Bind. It is commonly found on Linux and UNIX systems. OpenSSL is exposed to a security issue that affects Online Certificate Status Protocol (OCSP) stapling. OpenSSL versions 0.9.8h through 0.9.8q and 1.0.0 through 1.0.0c are affected.
• Ref: http://www.openssl.org/news/secadv_20110208.txt

• 11.8.9 - CVE: CVE-2011-0282, CVE-2011-0281, CVE-2011-0283
• Platform: Cross Platform
• Title: MIT Kerberos KDC Principal Name LDAP Request NULL Pointer Denial of Service
• Description: MIT Kerberos is a suite of applications and libraries designed to implement the Kerberos network authentication protocol. It is freely available and operates on numerous platforms. MIT Kerberos is exposed to a remote denial of service issue caused by a NULL-pointer dereference error.
• Ref: http://web.mit.edu/kerberos/advisories/MITKRB5-SA-2011-002.txt

• 11.8.10 - CVE: CVE-2011-0558, CVE-2011-0559, CVE-2011-0560,CVE-2011-0561, CVE-2011-0571, CVE-2011-0572, CVE-2011-0573,CVE-2011-0574, CVE-2011-0575, CVE-2011-0577, CVE-2011-0578,CVE-2011-0607, CVE-2011-0608
• Platform: Cross Platform
• Title: Adobe Flash Player Remote Memory Corruption
• Description: Adobe Flash Player is a multimedia application for Microsoft Windows, Mozilla and Apple technologies. Adobe Flash Player is exposed to a remote memory corruption issue and multiple other issues. These vulnerabilities could cause the application to crash and could potentially allow an attacker to take control of the affected system. Flash Player versions prior to 10.2.152.21 are affected.
• Ref: http://www.adobe.com/support/security/bulletins/apsb11-02.html

• 11.8.11 - CVE: CVE-2011-0694
• Platform: Cross Platform
• Title: Real Networks RealPlayer "OpenURLinPlayerBrowser" Method Remote Cross-Domain Scripting
• Description: Real Networks RealPlayer SP is a media player available for multiple platforms. Real Networks RealPlayer is exposed to a remote cross-domain scripting issue that affects the temporary name usage feature included in the application.
• Ref: http://service.real.com/realplayer/security/02082011_player/en/

• 11.8.12 - CVE: Not Available
• Platform: Cross Platform
• Title: IDA Pro Mach-O loader Buffer Overflow
• Description: IDA Pro is a debugger and disassembler available for multiple operating platforms. The application is exposed to a buffer overflow issue because it fails to properly bounds check user-supplied data before copying it into an insufficiently sized buffer. IDA Pro versions 5.7 and 6.0 are affected.
• Ref: https://www.hex-rays.com/vulnfix.shtml

• 11.8.13 - CVE: Not Available
• Platform: Cross Platform
• Title: Pidgin "Libpurple" Cipher API Information Disclosure
• Description: Pidgin is a multi-platform instant messaging (IM) client that supports multiple messaging protocols. Libpurple is a library used to provide IM functionality. Pidgin is exposed to an information disclosure issue that affects the "md5_uninit()", "md4_uninit()", "des_uninit()", "des3_uninit()", "rc4_uninit()" and "purple_cipher_context_destroy()" functions of the "libpurple/cipher.c" file. Pidgin libpurple versions prior to 2.7.10 are affected.
• Ref: http://www.pidgin.im/news/security/?id=50

• 11.8.14 - CVE: CVE-2010-2587, CVE-2010-2588, CVE-2010-2589,CVE-2010-4092, CVE-2010-4093, CVE-2010-4187, CVE-2010-4188,CVE-2010-4189, CVE-2010-4190, CVE-2010-4191, CVE-2010-4192,CVE-2010-4193, CVE-2010-4194, CVE-2010-4195, CVE-2010-4196,CVE-2010-4306, CVE-2010-4307,
• Platform: Cross Platform
• Title: Adobe Shockwave Player Unspecified Memory Corruption Remote Code Execution
• Description: Adobe Shockwave Player is a multimedia player application. Adobe Shockwave Player is exposed to a remote code execution issue because of an unspecified memory corruption error. Adobe Shockwave Player versions prior to 11.5.9.620 are affected.
• Ref: http://www.adobe.com/support/security/bulletins/apsb11-01.html

• 11.8.15 - CVE: Not Available
• Platform: Cross Platform
• Title: IBM Lotus Connections Login Module Unspecified Issue
• Description: IBM Lotus Connections is social collaboration software for business. IBM Lotus Connections is exposed to an unspecified issue that affects the login module.
• Ref: https://www-304.ibm.com/support/docview.wss?uid=swg21462435

• 11.8.16 - CVE: CVE-2011-0987
• Platform: Cross Platform
• Title: phpMyAdmin Bookmark Security Bypass
• Description: phpMyAdmin is a web-based administration interface for MySQL databases. phpMyAdmin is exposed to a security bypass issue that affects bookmarks. An SQL query stored in a bookmark may be executed by other users. phpMyAdmin versions prior to 3.3.9.2 and 2.11.11.3 are affected.
• Ref: http://www.phpmyadmin.net/home_page/security/PMASA-2011-2.php

• 11.8.17 - CVE: CVE-2011-0920
• Platform: Cross Platform
• Title: IBM Lotus Domino Remote Console Security Bypass
• Description: Remote Console is an IBM Lotus Domino application that provides administrative features. IBM Lotus Domino remote console is exposed to a security bypass issue that occurs when a certain unsupported configuration contains specially crafted UNC-share path names.
• Ref: http://www-01.ibm.com/support/docview.wss?uid=swg21461514

• 11.8.18 - CVE: Not Available
• Platform: Cross Platform
• Title: OpenLDAP Multiple Security Bypass Vulnerabilities
• Description: OpenLDAP is an implementation of the Lightweight Directory Access Protocol. OpenLDAP is exposed to multiple security bypass issues. Successfully exploiting these issues will allow attackers to bypass security restrictions and perform unauthorized actions. OpenLDAP versions prior to 2.4.24 are affected.
• Ref: http://www.openldap.org/its/index.cgi/Software%20Bugs?id=6607

• 11.8.19 - CVE: Not Available
• Platform: Cross Platform
• Title: PHP Exif Extension "exif_read_data()" Function Remote Denial of Service
• Description: PHP is a general purpose scripting language that is suited for web development and can be embedded into HTML. The Exif extension provides functions for the manipulation of Unicode strings. PHP is exposed to a denial of service issue that affects the Exif extension. PHP versions 5.3.5 and earlier are affected.
• Ref: http://www.securityfocus.com/bid/46365/references

• 11.8.20 - CVE: Not Available
• Platform: Cross Platform
• Title: CuteZip ".zip" File Buffer Overflow
• Description: CuteZip is a file compression application. The application is exposed to a buffer overflow issue because it fails to perform adequate boundary checks on user-supplied input. Specifically, this issue occurs because the application fails to check the length of an archive when opening a specially crafted ".zip" file. CuteZip version 2.1 build 9.24.1 is affected.
• Ref: http://www.securityfocus.com/bid/46375

• 11.8.21 - CVE: CVE-2010-4452, CVE-2010-4454, CVE-2010-4471,CVE-2010-4462, CVE-2010-4463, CVE-2010-4465, CVE-2010-4467,CVE-2010-4469, CVE-2010-4473, CVE-2010-4422
• Platform: Cross Platform
• Title: Oracle Java SE and Java for Business Remote Security Vulnerability
• Description: Oracle Java SE and Java for Business are exposed to a remote issue in the Java Runtime Environment. For further information, please refer to the link below:-
• Ref: http://www.oracle.com/technetwork/topics/security/javacpufeb2011-304611.html

• 11.8.22 - CVE: CVE-2011-0580, CVE-2011-0581, CVE-2011-0582,CVE-2011-0583, CVE-2011-0584
• Platform: Web Application - Cross Site Scripting
• Title: Adobe ColdFusion Multiple Cross-Site Scripting Vulnerabilities
• Description: Adobe ColdFusion is software for developing web applications. The application is exposed to multiple cross-site scripting issues because it fails to sufficiently sanitize user-supplied input.
• Ref: http://www.adobe.com/support/security/bulletins/apsb11-04.html

• 11.8.23 - CVE: CVE-2011-0447,CVE-2011-0446
• Platform: Web Application - Cross Site Scripting
• Title: Ruby on Rails Cross-Site Scripting and Cross Request Forgery Vulnerabilities
• Description: Ruby on Rails is a web application framework for multiple platforms. The application is exposed to multiple issues. A cross-site scripting issue affects the application because it fails to validate user-supplied data to the "name" or "email" parameters of the "mail_to" helper when the ":encode => :javascript" option is set. A cross-site request forgery issue affects the application because it fails to check valid AJAX and API requests.
• Ref: http://groups.google.com/group/rubyonrails-security/browse_thread/thread/f02a48e
  de8315f81

• 11.8.24 - CVE: Not Available
• Platform: Web Application - Cross Site Scripting
• Title: PHPXref "nav.html" Cross-Site Scripting
• Description: PHPXref is a developer tool for working on large PHP projects. PHPXref is exposed to a cross-site scripting issue because it fails to sufficiently sanitize user-supplied input. This issue affects the "nav.html" script. PHPXref versions prior to 0.7 are affected.
• Ref: http://www.securityfocus.com/bid/46302

• 11.8.25 - CVE: CVE-2011-0050
• Platform: Web Application - Cross Site Scripting
• Title: CGI:IRC "nonjs" Interface Cross-Site Scripting
• Description: CGI:IRC is a web-based IRC client application implemented in Perl. It is available for UNIX, Linux, and other UNIX-like operating systems. The application is exposed to a cross-site scripting issue because it fails to sufficiently sanitize user-supplied input to the "R" parameter of the "nonjs" interface. CGI:IRC versions prior to 0.5.10 are affected.
• Ref: http://www.securityfocus.com/bid/46303

• 11.8.26 - CVE: CVE-2011-0533
• Platform: Web Application - Cross Site Scripting
• Title: Apache Continuum Cross-Site Scripting
• Description: Apache Continuum is an enterprise-ready continuous integration server. Apache Continuum is exposed to a cross-site scripting issue because it fails to properly sanitize user-supplied input to the "request" parameter of the "Continuum project" page. Apache Continuum versions 1.3.6 and 1.4.0 (Beta) are affected.
• Ref: http://continuum.apache.org/security.html

• 11.8.27 - CVE: Not Available
• Platform: Web Application - Cross Site Scripting
• Title: Photopad Multiple Cross Site Scripting Vulnerabilities
• Description: Photopad is a web-based photo gallery. The application is exposed to multiple cross-site scripting issues because it fails to properly sanitize user-supplied input to the following scripts and parameters: "files.php": "id" and "data[title]"; "gallery.php": "id". Photopad version 1.2.0 is affected.
• Ref: http://www.htbridge.ch/advisory/multiple_xss_vulnerabilities_in_photopad.html

• 11.8.28 - CVE: Not Available
• Platform: Web Application - SQL Injection
• Title: WP Forum Server for WordPress Multiple SQL Injection Vulnerabilities
• Description: WP Forum Server is a forum plugin for WordPress. The application is exposed to an SQL injection issue because it fails to properly sanitize input in the "id" parameter of the "wp-content/plugins/forum-server/wpf-post.php" script and the "search_max" parameter of the "index.php" script. WP Forum Server version 1.6.5 is affected.
• Ref: http://www.htbridge.ch/advisory/sql_injection_in_wp_forum_server_wordpress_plugi
  n_1.html

• 11.8.29 - CVE: Not Available
• Platform: Web Application
• Title: WordPress Enable Media Replace Plugin SQL Injection and Arbitrary File Upload Vulnerabilities
• Description: Enable Media Replace is a PHP-based plug-in for the WordPress blogging application. The application is exposed to multiple input validation issues because it fails to sufficiently sanitize user-supplied data, Enable Media Replace version 2.3 is affected.
• Ref: http://www.securityfocus.com/bid/46286

• 11.8.30 - CVE: Not Available
• Platform: Web Application
• Title: Invision Power Board IP.Board "forum password system" Information Disclosure
• Description: Invision Power Board (IP.Board) is a community forum. The application is exposed to an information disclosure issue because of an error in the forum password system. IP.Board versions prior to 3.1.4 are affected.
• Ref: http://community.invisionpower.com/topic/331785-ipboard-30x-31x-security-update-
  and-mobile-api-update/

• 11.8.31 - CVE: Not Available
• Platform: Web Application
• Title: Smarty Template Engine "$smarty.template" PHP Code Injection
• Description: Smarty Template Engine is a template-based content manager. The application is exposed to an issue that lets attackers inject arbitrary PHP code. The issue occurs because the application fails to sanitize the input passed to the "$smarty.template" variable before using it in a compiled PHP file. Smarty Template Engine versions prior to 3.0.7 are affected.
• Ref: http://code.google.com/p/smarty-php/source/browse/trunk/distribution/change_log.
  txt

• 11.8.32 - CVE: Not Available
• Platform: Web Application
• Title: phpMyBitTorrent "id" Parameter SQL Injection
• Description: phpMyBitTorrent is a web-based BitTorrent tracker. The application is exposed to an SQL injection issue because it fails to properly sanitize user-supplied input before using it in an SQL query. phpMyBitTorrent version 2.0.4 is affected.
• Ref: http://www.securityfocus.com/bid/46372

(c) 2011. All rights reserved. The information contained in this newsletter, including any external links, is provided "AS IS," with no express or implied warranty, for informational purposes only. In some cases, copyright for material in this newsletter may be held by a party other than Qualys (as indicated herein) and permission to use such material must be requested from the copyright owner.

Subscriptions: @RISK is distributed free of charge by the SANS Institute to people responsible for managing and securing information systems and networks. You may forward this newsletter to others with such responsibility inside or outside your organization. For a free subscription or to update a current subscription, visit http://portal.sans.org/