@RISK: The Consensus Security Vulnerability Alert

Volume: VII, Issue: 23
June 5, 2008

Critical flaws this week in another security product: CA Computer Associates' eTrust, and in another storage product: HP StorageWorks.

@RISK is the SANS community's consensus bulletin summarizing the most important vulnerabilities and exploits identified during the past week and providing guidance on appropriate actions to protect your systems (PART I). It also includes a comprehensive list of all new vulnerabilities discovered in the past week (PART II).

Summary of the vulnerabilities reported this week:

    Category                                  # of Updates & Vulnerabilities
    ----------------------------------------  ------------------------------
    Third Party Windows Apps                  2 (#3, #4, #5, #6, #7)
    Mac Os                                    13
    Solaris                                   1
    Unix                                      1
    Cross Platform                            7 (#1, #2)
    Web Application - Cross Site Scripting    3
    Web Application - SQL Injection           6
    Web Application                           7

Table Of Contents

Part II -- Comprehensive List of Newly Discovered Vulnerabilities from Qualys (www.qualys.com)
  • Third Party Windows Apps
  • Mac Os
  • Solaris
  • Unix
  • Cross Platform
  • Web Application - Cross Site Scripting
  • Web Application - SQL Injection
  • Web Application

PART I Critical Vulnerabilities

Part I for this issue has been compiled by Rob King at TippingPoint, a division of 3Com, as a by-product of that company's continuous effort to ensure that its intrusion prevention products effectively block exploits using known vulnerabilities. TippingPoint's analysis is complemented by input from a council of security managers from twelve large organizations who confidentially share with SANS the specific actions they have taken to protect their systems. A detailed description of the process may be found at http://www.sans.org/newsletters/cva/#process

Widely Deployed Software
  • (2) CRITICAL: HP StorageWorks Authentication Buffer Overflow
  • Affected:
    • Hewlett-Packard StorageWorks Storage Mirroring versions prior to 4.5 SP2
  • Description: StorageWorks is a popular storage management system from HP. Its storage mirroring component contains a flaw in its handling of authentication requests. An overlong authentication request could trigger a stack-based buffer overflow. Successfully exploiting this buffer overflow would allow an attacker to execute arbitrary code with the privileges of the vulnerable process. Note that, though this buffer overflow occurs in the processing of authentication requests, no authentication is necessary for exploitation. Some technical details are publicly available for this vulnerability.

  • Status: Vendor confirmed, updates available. Users are advised to block TCP ports 1100 and 1106 and UDP port 1105 at the network perimeter, if possible.

  • (3) HIGH: Skype Executable File Download Security Bypass
  • Affected:
    • Skype versions prior to 3.8.0.139
  • Description: Skype is a popular messaging and conferencing application. Among other features, it allows users to send links to one another. Links using the "file:" scheme are validated to ensure that they do not reference executable files. A flaw exists in Skype's verification logic, allowing a specially crafted "file:" link to point to an executable file. Such specially crafted links will not cause Skype to first notify the user that the link points to a potentially harmful executable file. Full technical details for this vulnerability are publicly available.

  • Status: Vendor confirmed, updates available.

  • (6) HIGH: Akamai Download Manager ActiveX Control Arbitrary File Download
  • Affected:
    • Akamai Download Manager ActiveX control versions prior to 2.2.3.7
  • Description: The Akamai Download Manager provides download management facilities. Part of its functionality is provided by an ActiveX control. This control contains an input validation flaw in its handling of its "URL" parameter. A malicious web page that instantiated this control could exploit this vulnerability to download an arbitrary file to an arbitrary location on the victim's computer. This vulnerability could be leveraged to result in arbitrary remote code execution with the privileges of the current user. Full technical details are publicly available for this vulnerability, as is a simple proof-of-concept.

  • Status: Vendor confirmed, updates available.

  • (7) MODERATE: Apple Safari on Microsoft Windows Blended Remote Code Execution
  • Affected:
    • Microsoft Windows with Apple's Safari web browser installed
  • Description: Microsoft has released a security advisory stating that a flaw in Apple's Safari web browser can interact with Microsoft Windows in a way that can lead to remote code execution with the privileges of the current user. Because this flaw is present only due to the interaction of two or more products, it is listed as a "blended threat". The flaw appears to stem from Safari's default download directory (which is the user's desktop directory). Third party articles indicate that this may be related to Microsoft Internet Explorer and may be related to a flaw in Safari referred to as "carpet bombing". Some technical details are publicly available for this vulnerability.

  • Status: Microsoft confirmed. Apple has not confirmed. Users can mitigate the impact of this vulnerability by changing Safari's default download directory to something other than the user's desktop directory.

Part II: Weekly Comprehensive List of Newly Discovered Vulnerabilities
Week 23, 2008

This list is compiled by Qualys (www.qualys.com) as part of that company's ongoing effort to ensure its vulnerability management web service tests for all known vulnerabilities that can be scanned. As of this week Qualys scans for 5549 unique vulnerabilities. For this special SANS community listing, Qualys also includes vulnerabilities that cannot be scanned remotely.


  • 08.23.1 - CVE: SYM08-013
  • Platform: Third Party Windows Apps
  • Title: Symantec Backup Exec System Recovery Manager Directory Traversal
  • Description: Symantec Backup Exec System Recovery Manager is an application for system recovery; it is available for Microsoft Windows. The application is exposed to a directory traversal issue because it fails to sufficiently sanitize user-supplied input. Symantec Backup Exec System Recovery Manager versions 7 prior to 7.0.4 and versions 8 prior to 8.0.2 are affected.
  • Ref: http://www.symantec.com/avcenter/security/Content/2008.05.28c.html

  • 08.23.2 - CVE: Not Available
  • Platform: Third Party Windows Apps
  • Title: Ourgame "GLIEDown2.dll" ServerList Method ActiveX Control Remote Code Execution
  • Description: Ourgame "GLIEDown2.dll" ActiveX control is exposed to a remote code execution issue because it fails to sufficiently verify user-supplied input. An attacker can exploit this issue to run arbitrary attacker-supplied code in the context of the currently logged-in user. GlobalLink version 2.8.1.2 beta is affected.
  • Ref: http://support.microsoft.com/kb/240797

  • 08.23.3 - CVE: CVE-2008-1031
  • Platform: Mac Os
  • Title: Apple Mac OS X CoreGraphics PDF Handling Code Execution
  • Description: Apple Mac OS X is exposed to a remote code execution issue affecting CoreGraphics. CoreGraphics improperly initializes an unspecified variable when handling PDF files. This issue can be triggered with a malformed PDF document. Mac OS X version 10.4.11, Mac OS X Server 10.4.11, Mac OS X versions 10.5 - 10.5.2, and Mac OS X Server 10.5 - 10.5.2 are affected.
  • Ref: http://www.securityfocus.com/bid/29480

  • 08.23.4 - CVE: CVE-2008-1032
  • Platform: Mac Os
  • Title: Apple Mac OS X CoreTypes Unsafe Content Warning Weakness
  • Description: Apple Mac OS X is exposed to a security weakness in CoreTypes because it may not prevent users from opening unsafe file types. Certain content types are not flagged as potentially unsafe when opened manually. Users are not warned prior to opening the file that it may contain malicious content. Versions 10.4.11 and 10.5-10.5.2 for Mac OS X and Mac OS X Server are affected.
  • Ref: http://www.securityfocus.com/bid/29481

  • 08.23.5 - CVE: CVE-2008-1034
  • Platform: Mac Os
  • Title: Apple Mac OS X Help Viewer "help:topic" URI Buffer Overflow
  • Description: Help Viewer is a Mac OS X application used for browsing help files. The application is exposed to a buffer overflow issue because it fails to perform adequate boundary checks before copying user-supplied data to an insufficiently sized buffer.
  • Ref: http://www.kb.cert.org/vuls/id/566875

  • 08.23.6 - CVE: CVE-2008-1033
  • Platform: Mac Os
  • Title: Apple Mac OS X CUPS Debug Logging Information Disclosure
  • Description: Apple Mac OS X is exposed to an information disclosure issue because it fails to properly validate environment variables used by the CUPS scheduler daemon. This issue may be triggered by printing to a password-protected printer when debug logging is enabled. Versions 10.5-10.5.2 for Mac OS X and Mac OS X Server are affected.
  • Ref: http://www.securityfocus.com/bid/29484

  • 08.23.7 - CVE: CVE-2008-1035
  • Platform: Mac Os
  • Title: Apple Mac OS X iCal ".ics" File Handling Remote Code Execution
  • Description: iCal is a scheduling application for Mac OS X. Apple Mac OS X iCal is exposed to a remote code execution issue when handling malicious iCalendar files (usually .ics). The issue occurs when the application uses freed memory in an insecure manner.
  • Ref: http://www.securityfocus.com/bid/29486

  • 08.23.8 - CVE: CVE-2008-1028
  • Platform: Mac Os
  • Title: Apple Mac OS X AppKit Malformed File Remote Code Execution
  • Description: Apple Mac OS X is exposed to a remote code execution issue that occurs in AppKit. This issue occurs when a malformed document is processed by an application that uses AppKit, such as Text Editor. Version 10.4.11 for Mac OS X and Mac OS X Server is affected.
  • Ref: http://www.securityfocus.com/bid/29487

  • 08.23.9 - CVE: CVE-2008-1036
  • Platform: Mac Os
  • Title: Apple Mac OS X International Components for Unicode Information Disclosure
  • Description: Apple Mac OS X is exposed to an information disclosure issue because it fails to adequately sanitize user-supplied input. The issue affects the International Components for Unicode when handling certain invalid character sequences.
  • Ref: http://www.securityfocus.com/bid/29488

  • 08.23.10 - CVE: CVE-2008-1577
  • Platform: Mac Os
  • Title: Apple Mac OS X Pixlet Video Multiple Unspecified Memory Corruption Vulnerabilities
  • Description: Apple Mac OS X is exposed to multiple memory corruption issues that occur in the Pixlet codec. These issues occur when a malformed file is processed by the Pixlet codec. Versions 10.4.11 and 10.5-10.5.2 for Mac OS X and Mac OS X Server are affected.
  • Ref: http://www.securityfocus.com/bid/29489

  • 08.23.11 - CVE: CVE-2008-1027
  • Platform: Mac Os
  • Title: Apple Mac OS X AFP Server File Sharing Unauthorized File Access
  • Description: AFP Server is an application that provides file services, including uploading and downloading files onto users' computers. The application is exposed to an unauthorized file access issue that occurs in the AFP server. This issue occurs because the application allows remote users to gain access to files that are not designated for sharing.
  • Ref: http://www.securityfocus.com/bid/29490/info

  • 08.23.12 - CVE: CVE-2008-1030
  • Platform: Mac Os
  • Title: Apple Mac OS X CoreFoundation CFData Object Handling Code Execution
  • Description: Apple Mac OS X is exposed to a remote code execution issue affecting CoreFoundation. CoreFoundation improperly handles CFData objects, resulting in memory corruption that allows code execution. Versions 10.4.11 and 10.5-10.5.2 for Mac OS X and Mac OS X Server are affected.
  • Ref: http://www.securityfocus.com/bid/29491

  • 08.23.13 - CVE: CVE-2008-1575
  • Platform: Mac Os
  • Title: Apple Mac OS X Apple Type Services PDF Handling Code Execution
  • Description: Apple Mac OS X is exposed to a remote code execution issue affecting Apple Type Services (ATS). ATS improperly handles malformed fonts embedded in PDF documents. Mac OS X versions 10.5-10.5.2 are affected.
  • Ref: http://www.securityfocus.com/bid/29492

  • 08.23.14 - CVE: CVE-2008-1580
  • Platform: Mac Os
  • Title: Apple Mac OS X CFNetwork SSL Client Certificate Handling Information Disclosure
  • Description: Apple Mac OS X is exposed to an information disclosure issue because it improperly responds to client certificate requests from web servers. This issue affects the CFNetwork component, and is triggered when applications utilizing it receive SSL client certificate requests.
  • Ref: http://www.securityfocus.com/bid/29493

  • 08.23.15 - CVE: Not Available
  • Platform: Solaris
  • Title: Sun Cluster Global File System Unspecified Security Vulnerability
  • Description: Solaris Cluster is a cluster solution based on Sun Solaris. The application is exposed to an unspecified issue that affects the "Global File System". Local unprivileged attackers may exploit this issue to read data from deleted files owned by other users. Sun Cluster version 3.1 for Solaris 8, 9, and 10 on SPARC is affected. Sun Cluster version 3.1 for Solaris 9 and 10 on x86 is affected.
  • Ref: http://sunsolve.sun.com/search/document.do?assetkey=1-66-201341-1

  • 08.23.16 - CVE: CVE-2008-2426
  • Platform: Unix
  • Title: imlib2 Library Multiple Buffer Overflow Vulnerabilities
  • Description: The imlib2 library is used to view and render various types of images. It is available for UNIX, Linux, and other UNIX-like operating systems. The library is exposed to multiple issues because the application fails to properly bounds check user-supplied data. imlib2 version 1.4.0 is affected.
  • Ref: http://www.securityfocus.com/archive/1/492739

  • 08.23.17 - CVE: Not Available
  • Platform: Cross Platform
  • Title: Adobe Acrobat Reader Unspecified Remote Denial of Service
  • Description: The Adobe Acrobat Reader package is a PDF file reader available for multiple platforms. The application is exposed to a remote denial of service issue which can be triggered by opening a specially-crafted PDF file.
  • Ref: http://www.securityfocus.com/bid/29420

  • 08.23.18 - CVE: CVE-2008-2363
  • Platform: Cross Platform
  • Title: Pan ".nzb" File Parsing Heap Overflow
  • Description: Pan is a Usenet newsreader application available for Unix, Linux and other Unix-like operating systems. The application is exposed to a heap-based buffer overflow issue because it fails to perform adequate boundary checks on user-supplied data.
  • Ref: https://bugzilla.redhat.com/show_bug.cgi?id=446902

  • 08.23.19 - CVE: CVE-2008-2099
  • Platform: Cross Platform
  • Title: VMware VMCI Arbitrary Code Execution
  • Description: VMware products are virtualization applications capable of running virtual machines for a wide variety of operating platforms. Multiple VMware products are exposed to an arbitrary code execution issue affecting Microsoft Windows-based hosts only. This issue occurs on hosts with VMCI enabled.
  • Ref: http://www.securityfocus.com/archive/1/492831

  • 08.23.20 - CVE: Not Available
  • Platform: Cross Platform
  • Title: Apple Safari and Microsoft Windows Client-side Code Execution
  • Description: A vulnerability has been reported that occurs in Apple Safari on the Microsoft Windows operating system. The issue is due to a combination of security issues in Apple Safari and all versions of Microsoft XP and Vista that will allow executables to be downloaded to a user's computer and executed without prompting.
  • Ref: http://blogs.zdnet.com/security/?p=1230

  • 08.23.21 - CVE: Not Available
  • Platform: Cross Platform
  • Title: freeSSHd SFTP "opendir" Buffer Overflow
  • Description: freeSSHd is an SSH server for Microsoft Windows. The application is exposed to a buffer overflow issue because it fails to bounds check user-supplied data before copying it into an insufficiently sized buffer. freeSSHd version 1.2.1 is affected.
  • Ref: http://www.securityfocus.com/bid/29453

  • 08.23.22 - CVE: CVE-2008-0169
  • Platform: Cross Platform
  • Title: ikiwiki Blank Password Authentication Bypass
  • Description: ikiwiki is a wiki application. The application is exposed to an authentication bypass issue when it is configured to use the "openid" and "passwordauth" plugins. ikiwiki versions between 1.34 and 2.47 are affected.
  • Ref: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=483770

  • 08.23.23 - CVE: Not Available
  • Platform: Cross Platform
  • Title: DotNetNuke Prior to 4.8.3 Multiple Remote Vulnerabilities
  • Description: DotNetNuke is an open-source framework used to create and deploy web sites. The application is exposed to multiple remote issues: a denial of service issue that occurs because the application allows users to run the install/upgrade process; a security bypass issue, due to a logic error in the application, that allows attackers to upload arbitrary "safe" files to restricted directories; and an information disclosure issue. DotNetNuke versions prior to 4.8.2 are affected.
  • Ref: http://www.dotnetnuke.com/News/SecurityPolicy/SecurityBulletinno17/tabid/1162/Default.aspx

  • 08.23.24 - CVE: Not Available
  • Platform: Web Application - Cross Site Scripting
  • Title: Calcium "Calcium40.pl" Cross-Site Scripting
  • Description: Calcium is a web-based calendar application implemented in Perl. The application is exposed to a cross-site scripting issue because it fails to sanitize user-supplied input to the "CalendarName" parameter of the "Calcium40.pl" script. Calcium versions 4.0.4 and 3.10 are affected.
  • Ref: http://www.securityfocus.com/archive/1/492719

  • 08.23.25 - CVE: Not Available
  • Platform: Web Application - Cross Site Scripting
  • Title: Xerox DocuShare Multiple Cross-Site Scripting Vulnerabilities
  • Description: Xerox DocuShare is a document management application that enables remote users to manage, retrieve, and distribute information. It is available for multiple platforms including Unix and Microsoft operating systems. The application is exposed to multiple cross-site scripting issues because it fails to sufficiently sanitize user-supplied data to the "SearchResults", "User" and "Group-#" pages. Xerox DocuShare versions 6 and earlier are affected.
  • Ref: http://www.securityfocus.com/archive/1/492766

  • 08.23.26 - CVE: Not Available
  • Platform: Web Application - Cross Site Scripting
  • Title: DotNetNuke "Default.aspx" Cross-Site Scripting
  • Description: DotNetNuke is an open-source framework used to create and deploy web sites. The application is exposed to a cross-site scripting issue because it fails to properly sanitize user-supplied input to the "Default.aspx" script. DotNetNuke version 4.8.3 is affected.
  • Ref: http://www.securityfocus.com/archive/1/492793

  • 08.23.27 - CVE: Not Available
  • Platform: Web Application - SQL Injection
  • Title: dvbbs "login.asp" Multiple SQL Injection Vulnerabilities
  • Description: The "dvbbs" program is a web-based bulletin board. The application is exposed to multiple SQL injection issues because it fails to sufficiently sanitize user-supplied data to the "username" and "password" parameters of the "login.asp" script. dvbbs version 8.2 is affected.
  • Ref: http://www.securityfocus.com/bid/29429

  • 08.23.28 - CVE: Not Available
  • Platform: Web Application - SQL Injection
  • Title: Joomla! and Mambo MambAds Component "ma_cat" Parameter SQL Injection
  • Description: MambAds is a component for the Joomla! and Mambo content managers. The component is exposed to an SQL injection issue because it fails to sufficiently sanitize user-supplied data to the "ma_cat" parameter of the "com_mamads" component before using it in an SQL query. MamAds versions 1.0 RC1 and 1.0 RC1 Beta are affected.
  • Ref: http://www.securityfocus.com/bid/29433

  • 08.23.29 - CVE: Not Available
  • Platform: Web Application - SQL Injection
  • Title: PsychoStats Multiple SQL Injection Vulnerabilities
  • Description: PsychoStats is a PHP-based statistics tracker for Half-Life gamers. The application is exposed to multiple SQL injection issues because it fails to sufficiently sanitize user-supplied data to the "username" and "password" parameters of the "login.asp" script.
  • Ref: http://www.milw0rm.com/exploits/5699

  • 08.23.30 - CVE: Not Available
  • Platform: Web Application - SQL Injection
  • Title: TorrentTrader Classic "scrape.php" SQL Injection
  • Description: TorrentTrader Classic is a web-based torrent tracking application. The application is exposed to an SQL injection issue because it fails to sufficiently sanitize user-supplied data to the "info_hash" parameter of the "scrape.php" script.
  • Ref: http://www.securityfocus.com/archive/1/492878

  • 08.23.31 - CVE: Not Available
  • Platform: Web Application - SQL Injection
  • Title: BP Blog Multiple SQL Injection Vulnerabilities
  • Description: BP Blog is an ASP-based application for blogging. The application is exposed to multiple SQL injection issues because it fails to sufficiently sanitize user-supplied input to the following scripts and parameters: "template_permalink.asp" : "id" and "template_archives_cat.asp" : "cat". BP Blog versions 6.0 and earlier are affected.
  • Ref: http://www.securityfocus.com/archive/1/492902

  • 08.23.32 - CVE: Not Available
  • Platform: Web Application - SQL Injection
  • Title: ComicShout "news.php" SQL Injection
  • Description: ComicShout is a PHP-based comic application. The application is exposed to an SQL injection issue because it fails to sufficiently sanitize user-supplied data to the "news_id" parameter of the "news.php" script before using it in an SQL query. ComicShout version 2.8 is affected.
  • Ref: http://www.securityfocus.com/archive/1/492918

  • 08.23.33 - CVE: Not Available
  • Platform: Web Application
  • Title: SyntaxCMS "upload.php" Arbitrary File Upload
  • Description: SyntaxCMS is a content manager. The application is exposed to an issue that lets remote attackers upload and execute arbitrary script code because it fails to properly sanitize user-supplied input to the "fckeditor/editor/filemanager/upload/php/upload.php" script. SyntaxCMS version 1.3 is affected.
  • Ref: http://www.securityfocus.com/bid/29422

  • 08.23.34 - CVE: Not Available
  • Platform: Web Application
  • Title: PicoFlat CMS "pagina" Parameter Local File Include and Directory Traversal Vulnerabilities
  • Description: PicoFlat CMS is a content manager. The application is exposed to a local file include issue and a directory traversal issue because it fails to properly sanitize user-supplied input to the "pagina" parameter of the "index.php" script. PicoFlat CMS version 0.5.9 is affected.
  • Ref: http://www.securityfocus.com/bid/29424

  • 08.23.35 - CVE: Not Available
  • Platform: Web Application
  • Title: LokiCMS "admin.php" Security Bypass
  • Description: LokiCMS is a PHP-based content manager. The application is exposed to an issue that may allow users to bypass authentication to access administrative facilities of the application. Once the application is compromised, this may facilitate further attacks such as overwriting arbitrary files, injecting malicious PHP code, file includes, and retrieving the administrator's password hash.
  • Ref: http://www.securityfocus.com/archive/1/492877

  • 08.23.36 - CVE: Not Available
  • Platform: Web Application
  • Title: CMSimple Multiple Input Validation Vulnerabilities
  • Description: CMSimple is a content management system. The application is exposed to multiple input validation issues: a local file include issue affecting the "sl" variable of "index.php", and an arbitrary file upload issue affecting the "sl" variable of "index.php".
  • Ref: http://www.milw0rm.com/exploits/5700

  • 08.23.37 - CVE: Not Available
  • Platform: Web Application
  • Title: meBiblio Multiple Input Validation Vulnerabilities
  • Description: meBiblio is a bibliography building tool. The application is exposed to multiple input validation issues. meBiblio version 0.4.7 is affected.
  • Ref: http://www.securityfocus.com/bid/29465

  • 08.23.38 - CVE: Not Available
  • Platform: Web Application
  • Title: Booby "renderer" Parameter Multiple Local and Remote File Include Vulnerabilities
  • Description: Booby is a web-based personal information manager that supports bookmarks, calendars, contacts and other information. The application is exposed to multiple local and remote file include issues because it fails to sufficiently sanitize user-supplied input. Booby version 1.0.1 is affected.
  • Ref: http://www.securityfocus.com/bid/29469

  • 08.23.39 - CVE: Not Available
  • Platform: Web Application
  • Title: SiteXS CMS "adm/visual/upload.php" Arbitrary File Upload
  • Description: SiteXS CMS is a PHP-based content manager. The application is exposed to an issue that lets remote attackers upload and execute arbitrary script code, because the application fails to properly sanitize user-supplied input in the form of file extensions to the "adm/visual/upload.php" script. SiteXS CMS versions 0.1.1 Pre-Alpha and earlier are affected.
  • Ref: http://www.securityfocus.com/bid/29497

(c) 2008. All rights reserved. The information contained in this newsletter, including any external links, is provided "AS IS," with no express or implied warranty, for informational purposes only. In some cases, copyright for material in this newsletter may be held by a party other than Qualys (as indicated herein) and permission to use such material must be requested from the copyright owner.

Subscriptions: @RISK is distributed free of charge by the SANS Institute to people responsible for managing and securing information systems and networks. You may forward this newsletter to others with such responsibility inside or outside your organization.