@RISK: The Consensus Security Vulnerability Alert

Volume: VII, Issue: 28
July 10, 2008

This was the worst week of 2008: Two unpatched Microsoft zero-days, the big DNS problem/patch, and remote code execution bugs in Novell eDirectory and Sun's JRE. Alan

@RISK is the SANS community's consensus bulletin summarizing the most important vulnerabilities and exploits identified during the past week and providing guidance on appropriate actions to protect your systems (PART I). It also includes a comprehensive list of all new vulnerabilities discovered in the past week (PART II).

Summary of the vulnerabilities reported this week:

    • Category: # of Updates & Vulnerabilities
    • Windows: 2 (#6)
    • Microsoft Office: 2 (#1, #2)
    • Other Microsoft Products: 2 (#7, #8)
    • Third Party Windows Apps: 2
    • Linux: 6
    • Novell: 1 (#4)
    • Cross Platform: 8 (#3, #5)
    • Web Application - Cross Site Scripting: 4
    • Web Application - SQL Injection: 16
    • Web Application: 26
    • Network Device: 1
    • Network Device: 2


Table Of Contents
Part II -- Comprehensive List of Newly Discovered Vulnerabilities from Qualys (www.qualys.com)
Windows
Microsoft Office
Other Microsoft Products
Third Party Windows Apps
Linux
Novell
Cross Platform
Web Application - Cross Site Scripting
Web Application - SQL Injection
Web Application
Network Device

PART I Critical Vulnerabilities

Part I for this issue has been compiled by Rob King at TippingPoint, a division of 3Com, as a by-product of that company's continuous effort to ensure that its intrusion prevention products effectively block exploits using known vulnerabilities. TippingPoint's analysis is complemented by input from a council of security managers from twelve large organizations who confidentially share with SANS the specific actions they have taken to protect their systems. A detailed description of the process may be found at http://www.sans.org/newsletters/cva/#process

Widely Deployed Software
  • (1) CRITICAL: Microsoft Office Access ActiveX Control Remote Code Execution (0day)
  • Affected:
    • Microsoft Office Access 2000
    • Microsoft Office Access 2002
    • Microsoft Office Access 2003
    • Microsoft Access Snapshot Viewer
  • Description: The Access component of Microsoft Office provides some of its functionality through an ActiveX control. This control contains a flaw in its handling of user input. A malicious web page that instantiated this control could trigger this flaw. Successfully exploiting this flaw would allow an attacker to execute arbitrary code with the privileges of the current user. Proof-of-concept code for this vulnerability is publicly available, and it is believed that this vulnerability is being actively exploited in the wild.

  • Status: Microsoft confirmed, no updates available. Users can mitigate the impact of this vulnerability by disabling the affected control via Microsoft's "kill bit" mechanism using CLSIDs "F0E42D50-368C-11D0-AD81-00A0C90DC8D9", "F0E42D60-368C-11D0-AD81-00A0C90DC8D9", and "F2175210-368C-11D0-AD81-00A0C90DC8D9".

  • References:
  • (4) CRITICAL: Novell eDirectory Integer Overflow
  • Affected:
    • Novell eDirectory versions prior to 8.8.2 ftf2
  • Description: eDirectory is Novell's implementation of the Lightweight Directory Access Protocol (LDAP). It contains an integer overflow in its handling of certain user inputs. A specially crafted user input could trigger this integer overflow. Successfully exploiting this overflow would allow an attacker to execute arbitrary code with the privileges of the vulnerable process. Some technical details are publicly available for this vulnerability.

  • Status: Vendor confirmed, updates available.

  • References:
  • (6) MODERATE: Microsoft Windows Saved Search Remote Code Execution (MS08-038)
  • Affected:
    • Microsoft Windows Vista
    • Microsoft Windows Server 2008
  • Description: Microsoft Windows allows users to save filesystem search criteria, so that these criteria can be used later to repeat the given search. A flaw in the saving of searches can trigger a remote code execution vulnerability. A specially crafted saved search file could trigger this vulnerability, allowing an attacker to execute arbitrary code with the privileges of the current user. Note that significant user interaction is required to exploit this vulnerability: a user must open a malicious save file and subsequently save it again.

  • Status: Vendor confirmed, updates available.

  • References:
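
The kill-bit mitigation in the Status line of item (1), as an added example that is not part of the original bulletin: a PowerShell script that audits the three listed CLSIDs and sets the kill bit only when run with `-Apply` from an elevated session. The registry location and the 0x400 "Compatibility Flags" value are Microsoft's documented kill-bit mechanism rather than details stated in this bulletin; the function names and the `-Apply` switch are hypothetical.

```powershell
# Added example: audit (default) or set (-Apply) the Internet Explorer kill bit
# for the three CLSIDs named in item (1). Setting values requires elevation.
param([switch]$Apply)

# The kill bit is bit 0x400 of the REG_DWORD "Compatibility Flags" under
# ...\Internet Explorer\ActiveX Compatibility\{CLSID}
$KillBit   = 0x400
$ValueName = 'Compatibility Flags'

# CLSIDs copied from the bulletin's Status line.
$Clsids = @(
    '{F0E42D50-368C-11D0-AD81-00A0C90DC8D9}',
    '{F0E42D60-368C-11D0-AD81-00A0C90DC8D9}',
    '{F2175210-368C-11D0-AD81-00A0C90DC8D9}'
)

# 64-bit Windows keeps a second copy for 32-bit Internet Explorer.
$Roots = @('HKLM:\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility')
if (Test-Path -LiteralPath 'HKLM:\SOFTWARE\Wow6432Node') {
    $Roots += 'HKLM:\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\ActiveX Compatibility'
}

function Get-KillBitState {
    param([string]$Root, [string]$Clsid)
    $key   = Join-Path $Root $Clsid
    $flags = 0
    if (Test-Path -LiteralPath $key) {
        $prop = Get-ItemProperty -LiteralPath $key -Name $ValueName -ErrorAction SilentlyContinue
        if ($null -ne $prop) { $flags = $prop.$ValueName }
    }
    [pscustomobject]@{
        Key        = $key
        Flags      = '0x{0:X8}' -f $flags
        KillBitSet = (($flags -band $KillBit) -ne 0)
        RawFlags   = $flags
    }
}

function Set-KillBit {
    param([string]$Root, [string]$Clsid)
    $state = Get-KillBitState -Root $Root -Clsid $Clsid
    if ($state.KillBitSet) { return }          # already blocked, nothing to change
    if (-not (Test-Path -LiteralPath $state.Key)) {
        New-Item -Path $state.Key -Force | Out-Null
    }
    # Preserve any other compatibility flags already present on the key.
    $newFlags = $state.RawFlags -bor $KillBit
    New-ItemProperty -LiteralPath $state.Key -Name $ValueName `
        -PropertyType DWord -Value $newFlags -Force | Out-Null
}

foreach ($root in $Roots) {
    foreach ($clsid in $Clsids) {
        if ($Apply) { Set-KillBit -Root $root -Clsid $clsid }
        Get-KillBitState -Root $root -Clsid $clsid |
            Select-Object Key, Flags, KillBitSet
    }
}
```

Any row that still reports `KillBitSet` as `False` marks a host where Internet Explorer can still instantiate the control.
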
Part II: Weekly Comprehensive List of Newly Discovered Vulnerabilities
Week 28, 2008

This list is compiled by Qualys (www.qualys.com) as part of that company's ongoing effort to ensure its vulnerability management web service tests for all known vulnerabilities that can be scanned. As of this week Qualys scans for 5549 unique vulnerabilities. For this special SANS community listing, Qualys also includes vulnerabilities that cannot be scanned remotely.


  • 08.28.1 - CVE: CVE-2008-1435
  • Platform: Windows
  • Title: Microsoft Windows Explorer saved-search File Remote Code Execution
  • Description: A saved-search file is a file type that allows a user to save search parameters. Microsoft Windows Explorer is exposed to a remote code execution issue. This issue occurs when parsing malformed saved-search files.
  • Ref: http://www.microsoft.com/technet/security/Bulletin/MS08-038.mspx

  • 08.28.2 - CVE: CVE-2008-1454
  • Platform: Windows
  • Title: Microsoft Windows DNS Server Cache Poisoning
  • Description: Microsoft Windows DNS servers are prone to a vulnerability that lets attackers poison DNS caches. Specifically, this occurs because the software fails to properly handle responses containing data outside of their authority.
  • Ref: http://www.microsoft.com/technet/security/Bulletin/MS08-037.mspx

  • 08.28.3 - CVE: Not Available
  • Platform: Microsoft Office
  • Title: Microsoft Word Unspecified Remote Code Execution
  • Description: Microsoft Word is exposed to an unspecified remote code execution issue. This issue may allow remote attackers to execute arbitrary code on a vulnerable computer. The vulnerability arises when the application processes a specially crafted Word document (.doc).
  • Ref: http://www.microsoft.com/en/us/default.aspx

  • 08.28.4 - CVE: CVE-2008-2247
  • Platform: Microsoft Office
  • Title: Microsoft Outlook Web Access for Exchange Server Email Field Cross-Site Scripting
  • Description: Microsoft Outlook Web Access (OWA) for Exchange Server is exposed to a cross-site scripting issue because the application fails to properly sanitize user-supplied input. This issue can occur because certain email fields aren't sufficiently validated when email is opened from a client OWA session.
  • Ref: http://www.microsoft.com/technet/security/bulletin/MS08-039.mspx

  • 08.28.5 - CVE: CVE-2008-2463
  • Platform: Other Microsoft Products
  • Title: Snapshot Viewer for Microsoft Access ActiveX Control Arbitrary File Download
  • Description: Snapshot Viewer for Microsoft Access is an ActiveX control that allows users to view snapshots created with Microsoft Access. The ActiveX control is exposed to an issue that can cause malicious files to be downloaded and saved to arbitrary locations on an affected computer.
  • Ref: http://www.microsoft.com/technet/security/advisory/955179.mspx

  • 08.28.6 - CVE: CVE-2008-0107
  • Platform: Other Microsoft Products
  • Title: Microsoft SQL Server On-Disk Data Structures Remote Memory Corruption
  • Description: Microsoft SQL Server is exposed to a remote memory corruption issue because it fails to perform adequate boundary checks when handling user-supplied query strings. The issue occurs when the server handles specially crafted data structures in on-disk files.
  • Ref: http://www.microsoft.com/technet/security/Bulletin/MS08-040.mspx

  • 08.28.7 - CVE: Not Available
  • Platform: Third Party Windows Apps
  • Title: ServerView "SnmpGetMibValues.exe" Multiple Unspecified Buffer Overflow Vulnerabilities
  • Description: ServerView is a server management software suite that provides remote access via a web interface. The web interface is exposed to multiple unspecified buffer overflow issues because the software fails to properly bounds check user-supplied data. ServerView version 4.60.07 is affected.
  • Ref: http://www.securityfocus.com/bid/30081

  • 08.28.8 - CVE: Not Available
  • Platform: Third Party Windows Apps
  • Title: Download Accelerator Plus ".m3u" File Buffer Overflow
  • Description: Download Accelerator Plus is a download manager available for Microsoft Windows. The application is exposed to a buffer overflow issue because it fails to perform adequate boundary checks on user-supplied input. This issue occurs when the application fails to handle malformed ".m3u" files.
  • Ref: http://www.securityfocus.com/bid/30138

  • 08.28.9 - CVE: CVE-2008-1676
  • Platform: Linux
  • Title: Red Hat Certificate System rhpki-common Security Bypass Weakness
  • Description: Red Hat Certificate System (RHCS) is an enterprise-level Public Key Infrastructure (PKI) deployment manager. The application is exposed to a security bypass weakness due to a flaw in rhpki-common (Red Hat PKI Common Framework) when handling Extensions in certificate signing requests (CSR).
  • Ref: http://rhn.redhat.com/errata/RHSA-2008-0500.html

  • 08.28.10 - CVE: CVE-2008-2812
  • Platform: Linux
  • Title: Linux Kernel TTY Operations NULL Pointer Dereference Denial of Service Vulnerabilities
  • Description: The Linux kernel is exposed to multiple local denial of service issues. These issues are due to potential NULL-pointer dereference exception errors in TTY operations. Linux kernel versions prior to 2.6.25.10 are affected.
  • Ref: http://kernel.org/pub/linux/kernel/v2.6/ChangeLog-2.6.25.10

  • 08.28.11 - CVE: Not Available
  • Platform: Linux
  • Title: Linux Kernel x86_64 ptrace Local Memory Corruption
  • Description: The Linux Kernel is exposed to a memory corruption issue affecting x86_64 ptrace because it fails to properly bounds check user-supplied input. The issue affects the "sys32_ptrace()" function of the "ptrace.c" source file when user-supplied data causes the reference count of a structure in the function to overflow. Linux Kernel versions prior to 2.6.25.10 are affected.
  • Ref: http://git.kernel.org/?p=linux/kernel/git/stable/linux-2.6.25.y.git;a=commitdiff;h=1e9a615bfce7996ea4d815d45d364b47ac6a74e8

  • 08.28.12 - CVE: CVE-2007-6389
  • Platform: Linux
  • Title: Gnome Screensaver Local Information Disclosure
  • Description: The Gnome Screensaver application contains a feature that lets users leave messages for the account owner that will be displayed when the screen is unlocked. The application is exposed to a local information disclosure issue. Gnome Screensaver version 2.20.0 is affected.
  • Ref: http://www.securityfocus.com/bid/30096

  • 08.28.13 - CVE: CVE-2008-2374
  • Platform: Linux
  • Title: BlueZ SDP Payload Processing Multiple Buffer Overflow Vulnerabilities
  • Description: BlueZ is a Bluetooth protocol stack for Linux. The application is exposed to multiple buffer overflow issues because it fails to properly bounds check user-supplied data in the "src/sdp.c" file. BlueZ versions 3.34 and earlier are affected.
  • Ref: http://article.gmane.org/gmane.linux.bluez.devel/15809/

  • 08.28.14 - CVE: CVE-2008-2931
  • Platform: Linux
  • Title: Linux Kernel "do_change_type()" Local Security Bypass
  • Description: The Linux kernel is exposed to a local security bypass issue. By default, the "mount" command restricts mountpoint type changes to superusers. However, the "do_change_type()" routine fails to use "capable(CAP_SYS_ADMIN)" to verify user permissions prior to performing changes. Linux kernel versions 2.6.15-rc1 through 2.6.21 are affected.
  • Ref: https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2008-2931

  • 08.28.15 - CVE: Not Available
  • Platform: Novell
  • Title: Novell eDirectory "ds.dlm" Module Integer Overflow
  • Description: Novell eDirectory is an X.500 compatible directory service software product for centrally-managing access to resources on multiple servers and computers within a given network. The software is exposed to an issue in the "ds.dlm" module. Novell eDirectory versions 8.7.3 and 8.8 for all platforms are affected.
  • Ref: http://www.novell.com/support/viewContent.do?externalId=3694858&sliceId=1

  • 08.28.16 - CVE: CVE-2008-2430
  • Platform: Cross Platform
  • Title: VLC Media Player WAV File Buffer Overflow
  • Description: VLC is a cross-platform media player that can be used to serve streaming data. The application is exposed to a buffer overflow issue because it fails to perform adequate boundary checks on user-supplied input. The issue stems from an integer overflow while parsing overly large "fmt" chunks. VLC media player version 0.8.6h is affected.
  • Ref: http://www.securityfocus.com/archive/1/493849

  • 08.28.17 - CVE: Not Available
  • Platform: Cross Platform
  • Title: Opera Web Browser Remote Code Execution and Information Disclosure Vulnerabilities
  • Description: Opera Web Browser is a browser that runs on multiple operating systems. The application is exposed to multiple security issues. The first issue is a remote code execution issue that occurs due to an unspecified error. The second issue is an information disclosure issue that exists because of errors in certain canvas functions that can cause the canvas to be constructed with data from random memory. Opera versions prior to 9.51 are affected.
  • Ref: http://www.opera.com/support/search/view/887/

  • 08.28.18 - CVE: CVE-2008-2942
  • Platform: Cross Platform
  • Title: Mercurial "patch.py" Directory Traversal
  • Description: Mercurial is a source control management system available for multiple operating platforms. The application is exposed to a directory traversal issue because it fails to adequately sanitize user-supplied input. This issue occurs due to an error in "patch.py" when specially crafted patch files are imported into the system. Mercurial version 1.0.1 is affected.
  • Ref: https://issues.rpath.com/browse/RPL-2633

  • 08.28.19 - CVE: Not Available
  • Platform: Cross Platform
  • Title: Panda ActiveScan Unspecified Remote Code Execution
  • Description: Panda ActiveScan is a browser plug-in that scans computers for various threats. The application is exposed to an unspecified remote code execution issue. Due to the nature of this application, it is likely that attackers would exploit this issue by enticing an unsuspecting user to follow a link or visit a malicious site. Panda ActiveScan version 2.0 is affected.
  • Ref: http://www.securityfocus.com/bid/30086

  • 08.28.20 - CVE: CVE-2008-2371
  • Platform: Cross Platform
  • Title: PCRE Regular Expression Heap-Based Buffer Overflow
  • Description: PCRE is a set of functions that implement regular-expression pattern matching using the same syntax and semantics as Perl 5. The application is exposed to a heap-based buffer overflow issue. The library fails to properly validate user-supplied input before copying data to an internal memory buffer. PCRE versions up to and including 7.7 are affected.
  • Ref: http://ftp.gnome.org/pub/GNOME/sources/glib/2.16/glib-2.16.4.changes

  • 08.28.21 - CVE: Not Available
  • Platform: Cross Platform
  • Title: WeFi Log Files Local Information Disclosure
  • Description: WeFi is a WiFi hot spot connectivity client for Windows and Mac OS X. The application is exposed to a local information disclosure issue because it fails to securely store sensitive data. WeFi version 3.2.1.4.1 is affected.
  • Ref: http://www.securityfocus.com/bid/30088

  • 08.28.22 - CVE: CVE-2008-2950
  • Platform: Cross Platform
  • Title: Poppler PDF Rendering Library Page Class Remote Code Execution
  • Description: The Poppler PDF rendering library provides a programming interface for rendering PDF files. The library is based on the Xpdf-3.0 codebase. The application is exposed to a remote code execution issue because it fails to properly initialize a memory pointer while processing PDF files. Poppler version 0.8.4 is affected.
  • Ref: http://www.securityfocus.com/archive/1/493980

  • 08.28.23 - CVE: Not Available
  • Platform: Cross Platform
  • Title: OllyDBG and ImpREC Export Name Buffer Overflow
  • Description: OllyDBG is a debugging application and ImpREC is a PE (Portable Executable) file unpacker. The applications are exposed to a buffer overflow issue because they fail to perform adequate boundary checks on user-supplied input. The issue occurs when exporting "name" buffers. OllyDBG v1.10 is affected, and ImpREC v1.7f is affected.
  • Ref: http://www.securityfocus.com/bid/30139

  • 08.28.24 - CVE: Not Available
  • Platform: Web Application - Cross Site Scripting
  • Title: Drupal Organic Groups Cross-Site Scripting And Information Disclosure Vulnerabilities
  • Description: Organic Groups is a Drupal module to create and manage groups. The application is exposed to multiple issues. The following versions are affected: Organic Groups 5.x versions prior to 5.x-7.3, and Organic Groups 6.x versions prior to 6.x-1.0-RC1.
  • Ref: http://drupal.org/node/277873

  • 08.28.25 - CVE: Not Available
  • Platform: Web Application - Cross Site Scripting
  • Title: FreeStyle Wiki Unspecified Cross-Site Scripting
  • Description: FreeStyle Wiki is a wiki clone implemented in Perl. The application is exposed to a cross-site scripting issue because it fails to sanitize user-supplied input to an unspecified parameter. FreeStyle Wiki versions 3.6.2 and earlier and versions 3.6.3 dev3 and earlier are affected.
  • Ref: http://www.securityfocus.com/bid/30071

  • 08.28.26 - CVE: Not Available
  • Platform: Web Application - Cross Site Scripting
  • Title: Kasseler CMS "cid" parameter Cross-Site Scripting
  • Description: Kasseler CMS is a PHP-based content management application. The application is exposed to a cross-site scripting issue because it fails to sanitize user-supplied input from the "cid" parameter of the "Files" module, as passed via "index.php". Kasseler CMS version 1.3.0 is affected.
  • Ref: http://www.securityfocus.com/bid/30095

  • 08.28.27 - CVE: CVE-2008-2991
  • Platform: Web Application - Cross Site Scripting
  • Title: Adobe RoboHelp Server Help Errors Log Cross-Site Scripting
  • Description: Adobe RoboHelp Server is an application for developing, managing, and deploying online help systems. The application is exposed to a cross-site scripting issue because it fails to properly sanitize user-supplied input. This issue affects the "Report_API.asp", "Report_Template.asp", and "SQL_Lib.asp" scripts that are associated with the RoboHelp Help Errors log.
  • Ref: http://www.adobe.com/support/security/bulletins/apsb08-16.html

  • 08.28.28 - CVE: Not Available
  • Platform: Web Application - SQL Injection
  • Title: XChangeboard "newThread.php" SQL Injection
  • Description: XChangeboard is a web-based forum application. The application is exposed to an SQL injection issue because it fails to properly sanitize user-supplied input to the "boardID" parameter in the "newThread.php" script before using it in an SQL query. XChangeboard version 1.70 is affected.
  • Ref: http://www.securityfocus.com/bid/30059

  • 08.28.29 - CVE: Not Available
  • Platform: Web Application - SQL Injection
  • Title: Joomla! and Mambo Brightcode Weblinks Component "catid" Parameter SQL Injection
  • Description: Brightcode Weblinks is a plugin for displaying links with the Joomla! and Mambo content managers. It requires the Web Links module. The component is exposed to an SQL injection issue because it fails to sufficiently sanitize user-supplied data to the "catid" parameter of the "com_brightweblinks" component before using it in an SQL query.
  • Ref: http://www.securityfocus.com/bid/30060

  • 08.28.30 - CVE: Not Available
  • Platform: Web Application - SQL Injection
  • Title: Joomla! and Mambo "com_is" Component Multiple SQL Injection Vulnerabilities
  • Description: "com_is" is a component for the Mambo and Joomla! content managers. The application is exposed to multiple SQL injection issues because it fails to sufficiently sanitize user-supplied data to the "marka" and "motor" parameters of the "com_is" component before using it in an SQL query. "com_is" component version 1.0.1 is affected.
  • Ref: http://www.securityfocus.com/bid/30063

  • 08.28.31 - CVE: Not Available
  • Platform: Web Application - SQL Injection
  • Title: Joomla! and Mambo QuickTime VR Component "room_id" Parameter SQL Injection
  • Description: QuickTime VR is a component for the Mambo and Joomla! content managers. The application is exposed to an SQL injection issue because it fails to sufficiently sanitize user-supplied data to the "room_id" parameter of the "com_vr" component before using it in an SQL query. QuickTime VR version 0.1 is affected.
  • Ref: http://www.milw0rm.com/exploits/5994

  • 08.28.32 - CVE: Not Available
  • Platform: Web Application - SQL Injection
  • Title: WebBlizzard CMS "index.php" SQL Injection
  • Description: WebBlizzard CMS is a content-management application. The application is exposed to an SQL injection issue because it fails to properly sanitize user-supplied input to the "page" parameter in the "index.php" script before using it in an SQL query.
  • Ref: http://www.securityfocus.com/bid/30074

  • 08.28.33 - CVE: Not Available
  • Platform: Web Application - SQL Injection
  • Title: phpwebnews "index.php" SQL Injection
  • Description: phpwebnews is a web-based news application. The application is exposed to an SQL injection issue because it fails to properly sanitize user-supplied input to the "id_kat" parameter of the "index.php" script before using it in an SQL query. phpwebnews version 0.2 is affected.
  • Ref: http://www.securityfocus.com/bid/30079

  • 08.28.34 - CVE: Not Available
  • Platform: Web Application - SQL Injection
  • Title: phpwebnews "bukutamu.php" SQL Injection
  • Description: phpwebnews is a web-based news application. The application is prone to an SQL injection issue because it fails to properly sanitize user-supplied input to the "det" parameter of the "bukutamu.php" script before using it in an SQL query. phpwebnews version 0.2 is affected.
  • Ref: http://www.securityfocus.com/bid/30080

  • 08.28.35 - CVE: Not Available
  • Platform: Web Application - SQL Injection
  • Title: Xpoze "user.html" SQL Injection
  • Description: Xpoze is a web-based application for presenting and selling photos. The application is exposed to an SQL injection issue because it fails to properly sanitize user-supplied input to the "uid" parameter in the "user.html" script before using it in an SQL query. Xpoze Pro version 3.06 is affected.
  • Ref: http://www.securityfocus.com/bid/30101

  • 08.28.36 - CVE: Not Available
  • Platform: Web Application - SQL Injection
  • Title: BlognPlus "index.php" Multiple SQL Injection Vulnerabilities
  • Description: BlognPlus is a web-based application. The application is exposed to multiple SQL injection issues because it fails to sufficiently sanitize user-supplied data to the "p", "e", "d", and "m" parameters of the "index.php" script before using the affected parameters in an SQL query. BlognPlus versions up to and including 2.5.5 are affected.
  • Ref: http://www.securityfocus.com/bid/30104

  • 08.28.37 - CVE: Not Available
  • Platform: Web Application - SQL Injection
  • Title: SmartPPC "directory.php" SQL Injection
  • Description: SmartPPC is a web-based, pay-per-click search engine script. The application is exposed to an SQL injection issue because it fails to properly sanitize user-supplied input to the "idDirectory" parameter of the "directory.php" script before using it in an SQL query.
  • Ref: http://www.securityfocus.com/bid/30111

  • 08.28.38 - CVE: Not Available
  • Platform: Web Application - SQL Injection
  • Title: PHP-Nuke 4ndvddb Module "id" Parameter SQL Injection
  • Description: 4ndvddb is a DVD database module for PHP-Nuke. The application is exposed to an SQL injection issue because it fails to sufficiently sanitize user-supplied data to the "id" parameter of the "4ndvddb" module before using it in an SQL query. 4ndvddb version 0.91 is affected.
  • Ref: http://www.securityfocus.com/archive/1/494013

  • 08.28.39 - CVE: Not Available
  • Platform: Web Application - SQL Injection
  • Title: Triton CMS Pro "X-Forwarded-For" Header SQL Injection
  • Description: Triton CMS Pro is a web-based content manager. The application is exposed to an SQL injection issue because it fails to properly sanitize user-supplied input to the "X-Forwarded-For" header value in the "index.php" script before using it in an SQL query. Triton CMS Pro version 1.06 is affected.
  • Ref: http://www.securityfocus.com/bid/30122

  • 08.28.40 - CVE: Not Available
  • Platform: Web Application - SQL Injection
  • Title: Lastminute Script "index.php" SQL Injection
  • Description: Lastminute Script is a tourism agency application. The application is exposed to an SQL injection issue because it fails to properly sanitize user-supplied input to the "cid" parameter of the "index.php" script before using it in an SQL query. Lastminute Script version 4.0 is affected.
  • Ref: http://www.securityfocus.com/bid/30127

  • 08.28.41 - CVE: Not Available
  • Platform: Web Application - SQL Injection
  • Title: Mole Group Hotel Script "index.php" SQL Injection
  • Description: Mole Group Hotel Script is a web-based application for managing room rentals. The application is exposed to an SQL injection issue because it fails to properly sanitize user-supplied input to the "file" parameter of the "index.php" script before using it in an SQL query.
  • Ref: http://www.securityfocus.com/bid/30128

  • 08.28.42 - CVE: Not Available
  • Platform: Web Application - SQL Injection
  • Title: Mole Group Real Estate Script "index.php" SQL Injection
  • Description: Mole Group Real Estate Script is a web-based application for managing property sales. The application is exposed to an SQL injection issue because it fails to properly sanitize user-supplied input to the "listing_id" parameter of the "index.php" script before using it in an SQL query.
  • Ref: http://www.securityfocus.com/bid/30129

  • 08.28.43 - CVE: Not Available
  • Platform: Web Application - SQL Injection
  • Title: BrewBlogger "logincheck.inc.php" SQL Injection
  • Description: BrewBlogger is a PHP-based blogging application. The application is exposed to an SQL injection issue because it fails to sufficiently sanitize user-supplied data to the "loginUsername" parameter of the "logincheck.inc.php" script before using it in an SQL query. BrewBlogger version 2.1.0.1 is affected.
  • Ref: http://www.securityfocus.com/bid/30133

  • 08.28.44 - CVE: Not Available
  • Platform: Web Application
  • Title: CMS little "index.php" Local File Include
  • Description: CMS little is a PHP-based content manager. The application is exposed to a local file include issue because it fails to properly sanitize user-supplied input to the "template" parameter of the "index.php" script. CMS little version 0.0.1 is affected.
  • Ref: http://www.securityfocus.com/bid/30061

  • 08.28.45 - CVE: Not Available
  • Platform: Web Application
  • Title: phPortal Multiple Remote File Include Vulnerabilities
  • Description: phPortal is a PHP-based content manager. The application is exposed to multiple remote file include issues because it fails to sufficiently sanitize user-supplied input. phPortal version 1.2 Beta is affected.
  • Ref: http://www.securityfocus.com/bid/30064

  • 08.28.46 - CVE: Not Available
  • Platform: Web Application
  • Title: Drupal Outline Designer Module "outline_designer.module" Security Bypass
  • Description: Outline Designer is a Drupal module which provides a visual way of structuring book contents. The application is exposed to a security bypass issue. Specifically, the code in the "outline_designer.module" file fails to properly validate the "uid" value in the "_outline_designer_ajax()" function. Outline Designer versions prior to 5.x-1.4 are affected.
  • Ref: http://drupal.org/node/277883

  • 08.28.47 - CVE: Not Available
  • Platform: Web Application
  • Title: Drupal Taxonomy Autotagger Module Multiple Input Validation Vulnerabilities
  • Description: The Taxonomy Autotagger is a module for the Drupal CMS. The application is exposed to SQL injection and HTML injection issues. The SQL injection issue exists because it fails to sufficiently sanitize user-supplied data before using it in an SQL query. The HTML injection vulnerability is caused by failure to properly sanitize posts by users before returning them to the browser. Taxonomy Autotagger versions prior to 5.x-1.8 are affected.
  • Ref: http://drupal.org/node/277877

  • 08.28.48 - CVE: Not Available
  • Platform: Web Application
  • Title: Drupal Tinytax taxonomy block Module HTML Injection
  • Description: Tinytax taxonomy block is a module for Drupal, an open-source content manager that is available for a number of platforms. The application is exposed to an HTML injection issue because it fails to properly sanitize user-supplied input before using it in dynamically generated content. Tinytax taxonomy block versions prior to 5.x-1.10-1 are affected.
  • Ref: http://drupal.org/node/277879

  • 08.28.49 - CVE: Not Available
  • Platform: Web Application
  • Title: pHNews "comments.php" Local File Include
  • Description: pHNews is a web-based CMS. The application is exposed to a local file include issue because it fails to properly sanitize user-supplied input to the "template" parameter of the "modules/comments.php" script.
  • Ref: http://www.securityfocus.com/bid/30084

  • 08.28.50 - CVE: Not Available
  • Platform: Web Application
  • Title: 1024 CMS Multiple Remote and Local File Include Vulnerabilities
  • Description: 1024 CMS is a PHP-based content manager. The application is exposed to multiple issues because it fails to properly sanitize user-supplied input. 1024 CMS versions 1.4.3 and 1.4.4 RFC are affected.
  • Ref: http://www.securityfocus.com/archive/1/493958

  • 08.28.51 - CVE: Not Available
  • Platform: Web Application
  • Title: Joomla! and Mambo altas Component "index.php" Multiple SQL Injection Vulnerabilities
  • Description: altas is a component for the Joomla! and Mambo content managers. The application is exposed to multiple SQL injection issues because it fails to sufficiently sanitize user-supplied data to the "ano" and "mes" parameters of the "com_altas" component before using it in an SQL query. altas version 1 is affected.
  • Ref: http://www.securityfocus.com/bid/30092

  • 08.28.52 - CVE: Not Available
  • Platform: Web Application
  • Title: Joomla! and Mambo DBQuery Component "mosConfig_absolute_path" Remote File Include
  • Description: DBQuery is a component for the Joomla! and Mambo content managers. The application is exposed to a remote file include issue because it fails to sufficiently sanitize user-supplied input to the "mosConfig_absolute_path" parameter of the component's "classesDBQadmincommon.class.php" script. DBQuery version 1.4.1 is affected.
  • Ref: http://www.securityfocus.com/bid/30093

  • 08.28.53 - CVE: Not Available
  • Platform: Web Application
  • Title: THELIA Arbitrary File Upload and Authentication Bypass Vulnerabilities
  • Description: THELIA is a PHP-based e-commerce application. The application is exposed to an issue that lets remote attackers upload and execute arbitrary code because it fails to properly sanitize user-supplied files. THELIA version 1.3.5 is affected.
  • Ref: http://www.securityfocus.com/bid/30094

  • 08.28.54 - CVE: Not Available
  • Platform: Web Application
  • Title: Youngzsoft CMailServer "mvmail.asp" Multiple Buffer Overflow Vulnerabilities
  • Description: CMailServer is a web-based mail server application for Windows. The application is exposed to multiple buffer overflow issues because it fails to properly bounds-check user-supplied data. CMailServer version 5.4.6 is affected.
  • Ref: http://www.securityfocus.com/bid/30098

  • 08.28.55 - CVE: Not Available
  • Platform: Web Application
  • Title: ImperialBB Remote File Upload
  • Description: ImperialBB is forum software. The application is exposed to an arbitrary file upload issue. Attackers can upload arbitrary files to a web server hosting ImperialBB by changing the "mime-type" to "image/gif" when uploading a file through the User Control Panel. ImperialBB versions up to and including 2.3.5 are affected.
  • Ref: http://www.securityfocus.com/bid/30100

  • 08.28.56 - CVE: Not Available
  • Platform: Web Application
  • Title: ContentNow Multiple Remote Vulnerabilities
  • Description: ContentNow is a web-based application. The application is exposed to two issues because it fails to sanitize user-supplied input. Two cross-site scripting issues affect the "upload/file/language_menu.php" script, and an arbitrary file upload issue affects the "upload.php" script. ContentNow version 1.4.1 is affected.
  • Ref: http://www.securityfocus.com/bid/30102

  • 08.28.57 - CVE: Not Available
  • Platform: Web Application
  • Title: fuzzylime (cms) "rss.php" Local File Include
  • Description: fuzzylime (cms) is a web-based content management system. The application is exposed to a local file include issue because it fails to properly sanitize user-supplied input to the "p" parameter of the "rss.php" script. fuzzylime (cms) versions 3.01a and 3.01 are affected.
  • Ref: http://www.securityfocus.com/bid/30103

  • 08.28.58 - CVE: Not Available
  • Platform: Web Application
  • Title: YourPlace Unspecified Authentication Bypass
  • Description: YourPlace is a PHP-based file system. The application is exposed to an unspecified authentication-bypass issue. YourPlace version 1.0 is affected.
  • Ref: http://www.securityfocus.com/bid/30106

  • 08.28.59 - CVE: Not Available
  • Platform: Web Application
  • Title: Simple Machine Forum Prior to 1.1.5 and 1.0.13 Multiple Unspecified Vulnerabilities
  • Description: Simple Machine Forum is a PHP-based content manager. The application is exposed to multiple unspecified issues including: an unspecified input validation issue affecting the "topic" parameter, and an unspecified security issue involving HTML tags. Simple Machine Forum versions prior to 1.1.5 and 1.0.13 are affected.
  • Ref: http://www.simplemachines.org/community/index.php?P=c3696c2022b54fa50c5f341bf5710aa3&topic=236816.0

  • 08.28.60 - CVE: Not Available
  • Platform: Web Application
  • Title: DodosMail "dodosmail.php" Local File Include
  • Description: DodosMail is a PHP-based application that allows users to send email via web-form. The application is exposed to a local file include issue because it fails to properly sanitize user-supplied input to the "dodosmail_header_file" parameter of the "dodosmail.php" script. DodosMail version 2.5 is affected.
  • Ref: http://www.securityfocus.com/bid/30112

  • 08.28.61 - CVE: Not Available
  • Platform: Web Application
  • Title: MyBB Prior to 1.2.13 Multiple Unspecified Vulnerabilities
  • Description: MyBB (MyBulletinBoard) is a bulletin board application. The application is exposed to multiple remote issues including: an unspecified "high risk" issue, and an unspecified "medium-risk" issue. MyBB versions prior to 1.2.13 are affected.
  • Ref: http://community.mybboard.net/showthread.php?tid=31666

  • 08.28.62 - CVE: Not Available
  • Platform: Web Application
  • Title: Zoph Cross-Site Scripting and SQL Injection Vulnerabilities
  • Description: Zoph is a PHP-based application for managing digital photographs. The application is exposed to multiple input validation issues because it fails to sufficiently sanitize user-supplied data. Zoph version 0.7.2.1 is affected.
  • Ref: http://www.securityfocus.com/bid/30116

  • 08.28.63 - CVE: Not Available
  • Platform: Web Application
  • Title: WebXell Editor "upload_pictures.php" Arbitrary File Upload
  • Description: WebXell Editor is a web-based spreadsheet application. The application is exposed to an issue that lets remote attackers upload and execute arbitrary script code on an affected computer with the privileges of the web server process. This issue occurs because the application fails to sanitize user-supplied data contained in files before uploading them to the web server through the "upload_pictures.php" script. WebXell Editor version 0.1.3 is affected.
  • Ref: http://www.securityfocus.com/bid/30117

  • 08.28.64 - CVE: Not Available
  • Platform: Web Application
  • Title: fuzzylime (cms) "blog.php" Local File Include
  • Description: fuzzylime (cms) is a web-based content management system. The application is exposed to a local file include issue because it fails to properly sanitize user-supplied input to the "file" parameter of the "blog.php" script. fuzzylime (cms) version 3.01a is affected.
  • Ref: http://www.securityfocus.com/bid/30121

  • 08.28.65 - CVE: Not Available
  • Platform: Web Application
  • Title: Neutrino Atomic Edition Authentication Bypass
  • Description: Neutrino Atomic Edition is PHP-based blogging software. The application is exposed to an authentication bypass issue. An attacker can create malicious HTTP GET requests to exploit this issue. Specifically, the "action" parameter of the "index.php" script can be used to access legitimate administrative functions of the application such as "create", "read" and "delete" and execute arbitrary commands. Neutrino Atomic Edition version 0.8.4 is affected.
  • Ref: http://www.securityfocus.com/bid/30123

  • 08.28.66 - CVE: Not Available
  • Platform: Web Application
  • Title: Joomla! Prior to v1.5.4 Multiple Unauthorized Access Vulnerabilities
  • Description: Joomla! is a PHP-based content manager. The application is exposed to multiple unauthorized access issues including: an unspecified error in the LDAP mechanism, and an unspecified error in the file-caching mechanism. Joomla! versions prior to 1.5.4 are affected.
  • Ref: http://www.joomla.org/content/view/5180/1/

  • 08.28.67 - CVE: Not Available
  • Platform: Web Application
  • Title: vBulletin "adminlog.php" Request Logging HTML Injection
  • Description: vBulletin is a PHP-based content manager. The application is exposed to an HTML injection issue because it fails to properly sanitize user-supplied input before using it in dynamically generated content. vBulletin versions prior to 3.7.2 PL1 and 3.6.10 PL3 are affected.
  • Ref: http://www.securityfocus.com/archive/1/494049

  • 08.28.68 - CVE: Not Available
  • Platform: Web Application
  • Title: Boonex Dolphin Multiple Remote File Include Vulnerabilities
  • Description: Dolphin is a PHP-based application for creating online communities. The application is exposed to multiple remote file include issues because it fails to sufficiently sanitize user-supplied input. Dolphin version 6.1.2 is affected.
  • Ref: http://www.securityfocus.com/bid/30136

  • 08.28.69 - CVE: Not Available
  • Platform: Web Application
  • Title: trixbox "langChoice" Local File Include
  • Description: trixbox (formerly Asterisk@Home) is an Asterisk-based IP-PBX product. The application is exposed to a local file include issue because it fails to properly sanitize user-supplied input to the "langChoice" parameter of the "/user/index.php" script. trixbox CE version 2.6.1 is affected.
  • Ref: http://www.securityfocus.com/bid/30135

  • 08.28.70 - CVE: Not Available
  • Platform: Network Device
  • Title: F5 FirePass SSL VPN SNMP Daemon Remote Denial of Service
  • Description: FirePass is an SSL VPN appliance. The device is exposed to a denial of service issue that affects the SNMP daemon. Traversing OID branch "hrSWInstalled" in HOST-RESOURCES-MIB (OID 1.3.6.1.2.1.25.6) can cause the daemon to crash.
  • Ref: http://www.securityfocus.com/archive/1/493950

(c) 2008. All rights reserved. The information contained in this newsletter, including any external links, is provided "AS IS," with no express or implied warranty, for informational purposes only. In some cases, copyright for material in this newsletter may be held by a party other than Qualys (as indicated herein) and permission to use such material must be requested from the copyright owner.

Subscriptions: @RISK is distributed free of charge by the SANS Institute to people responsible for managing and securing information systems and networks. You may forward this newsletter to others with such responsibility inside or outside your organization.