
@RISK: The Consensus Security Vulnerability Alert

Volume: VII, Issue: 30
July 24, 2008

The critical problems this week are all web-related: Firefox & Thunderbird, Sun Java Web Start, and Oracle WebLogic (formerly BEA WebLogic) Apache Connector.

Alan

@RISK is the SANS community's consensus bulletin summarizing the most important vulnerabilities and exploits identified during the past week and providing guidance on appropriate actions to protect your systems (PART I). It also includes a comprehensive list of all new vulnerabilities discovered in the past week (PART II).

Summary of the vulnerabilities reported this week:

    Category                                 # of Updates & Vulnerabilities
    - ------------------------------------   -------------------------------------
    Windows                                  1
    Third Party Windows Apps                 4
    Mac Os                                   1
    Linux                                    2
    Cross Platform                           10 (#1, #2, #3, #4)
    Web Application - Cross Site Scripting   4
    Web Application - SQL Injection          14
    Web Application                          15

********************** Sponsored By Rapid7 Inc. *************************

NeXpose Unified Vulnerability Management, a comprehensive solution that accurately discovers vulnerabilities in Web applications, databases, and networks, adds new advanced features addressing performance, productivity and compliance. Quickly scan large address spaces, directly integrate with Microsoft Active Directory/LDAP and Kerberos and specify compensating controls in compliance-based scans. Get more information and a free 20 day evaluation. http://www.sans.org/info/30983

*************************************************************************

TRAINING UPDATE
- - Las Vegas (9/28-10/6) http://www.sans.org/ns2008 NETWORK SECURITY 2008
- - Boston (8/9-8/16) http://www.sans.org/boston08/
- - Virginia Beach (8/21-8/29): http://www.sans.org/vabeach08/
- - Chicago (9/3-9/10) http://www.sans.org/chicago08 AUDIT & COMPLIANCE
- - and in 100 other cities and online any time: www.sans.org

*************************************************************************

Table Of Contents
Part II -- Comprehensive List of Newly Discovered Vulnerabilities from Qualys (www.qualys.com)
Windows
Third Party Windows Apps
Mac Os
Linux
Cross Platform
Web Application - Cross Site Scripting
Web Application - SQL Injection
Web Application
PART I Critical Vulnerabilities

Part I for this issue has been compiled by Rob King at TippingPoint, a division of 3Com, as a by-product of that company's continuous effort to ensure that its intrusion prevention products effectively block exploits using known vulnerabilities. TippingPoint's analysis is complemented by input from a council of security managers from twelve large organizations who confidentially share with SANS the specific actions they have taken to protect their systems. A detailed description of the process may be found at http://www.sans.org/newsletters/cva/#process

Widely Deployed Software
  • (1) CRITICAL: Mozilla Products Memory Corruption Vulnerability
  • Affected:
    • Mozilla Firefox versions prior to 3.0.1
    • Mozilla Thunderbird versions prior to 2.0.0.16
    • Mozilla SeaMonkey versions prior to 1.1.11
  • Description: Products based on the Mozilla codebase, including the popular Firefox web browser, contain a memory corruption vulnerability. A specially crafted web page containing a script that manipulates CSS objects could trigger this vulnerability. Successfully exploiting this vulnerability would allow an attacker to execute arbitrary code with the privileges of the current user. Full technical details are publicly available for this vulnerability via various advisories and through source code analysis. Note that Thunderbird is not believed to be vulnerable in its default configuration.

  • Status: Vendor confirmed, updates available.

  • References:
  • (2) CRITICAL: Sun Java Web Start Multiple Vulnerabilities
  • Affected:
    • Sun Java Runtime Environment versions 6u7 and prior
  • Description: Java Web Start is a technology that uses Sun's Java Runtime Environment to automatically launch applications distributed via the web. It contains multiple vulnerabilities in its handling of these applications. A specially crafted Java applet using Java Web Start could trigger one of these vulnerabilities, leading to arbitrary code execution or modification of arbitrary files, in either case with the privileges of the current user. Depending upon configuration, Java Web Start applets may be launched upon receipt. Java Web Start is installed by default on all Apple Mac OS X systems, as well as many Unix, Unix-like, and Linux-based operating systems, and a large number of Microsoft Windows systems. Some technical details are publicly available for these vulnerabilities.

  • Status: Vendor confirmed, updates available.

  • References:
  • (4) EXPLOIT: Multiple DNS Cache Poisoning Exploits
  • Affected:
    • Most major DNS implementations, including BIND and Microsoft DNS
  • Description: The DNS flaw discussed in a previous edition of @RISK has had its technical details disclosed, and several working exploits have been published, including at least two for the popular Metasploit exploit framework. The full details of the flaw were originally to be disclosed at the Black Hat information security conference, but were released early. An attacker using one of these exploits could poison a target DNS server's cache, allowing the attacker to return falsified responses to users' queries. This could result in users being redirected to malicious hosts for further exploitation, or in an attacker stealing sensitive information.

  • Status: Vendors confirmed, updates available. Users are urged to apply updates and patches as quickly as possible.

  • References:
Part II: Weekly Comprehensive List of Newly Discovered Vulnerabilities
Week 30, 2008

This list is compiled by Qualys (www.qualys.com) as part of that company's ongoing effort to ensure its vulnerability management web service tests for all known vulnerabilities that can be scanned. As of this week Qualys scans for 5549 unique vulnerabilities. For this special SANS community listing, Qualys also includes vulnerabilities that cannot be scanned remotely.


  • 08.30.1 - CVE: Not Available
  • Platform: Windows
  • Title: Microsoft Windows Vista Shutdown Button Local Security Bypass
  • Description: Microsoft Windows is exposed to a local security bypass issue. The problem occurs when the security option "Shutdown: Allow system to be shutdown without having to log on" is disabled, and the power management setting "When I press the power button" is set to "Shut Down". Windows Vista SP1 is affected.
  • Ref: http://www.securityfocus.com/archive/1/494533

  • 08.30.2 - CVE: Not Available
  • Platform: Third Party Windows Apps
  • Title: PPMate PPMedia Class ActiveX Control Remote Buffer Overflow
  • Description: PPMate is a peer-to-peer video streaming application. The application is exposed to a heap-based buffer overflow issue because it fails to perform adequate boundary checks on user-supplied input. PPMate version 2.3.1.93 is affected.
  • Ref: http://support.microsoft.com/kb/240797

  • 08.30.3 - CVE: Not Available
  • Platform: Third Party Windows Apps
  • Title: MediaMonkey URI Handling Multiple Denial of Service Vulnerabilities
  • Description: MediaMonkey is an audio player. It is available for Microsoft Windows platforms. The application is exposed to two denial of service issues because it fails to properly handle certain URIs. The issues can be triggered by overly long ".m3u" or ".pcast" URIs. MediaMonkey version 3.0.3 is affected.
  • Ref: http://www.securityfocus.com/bid/30251

  • 08.30.4 - CVE: Not Available
  • Platform: Third Party Windows Apps
  • Title: BitComet URI Handling Remote Denial of Service
  • Description: BitComet is a BitTorrent/HTTP/FTP download management application available for Microsoft Windows. The application is exposed to a denial of service issue because it fails to properly handle batch files containing an excessively large URI. BitComet version 1.02 is affected.
  • Ref: http://www.securityfocus.com/bid/30255

  • 08.30.5 - CVE: Not Available
  • Platform: Third Party Windows Apps
  • Title: QuickPlayer ".m3u" File Buffer Overflow
  • Description: QuickPlayer is a media player application for Windows. The application is exposed to a buffer overflow issue because it fails to perform adequate boundary checks on user-supplied input. This issue occurs when the application fails to handle overly large URIs in ".m3u" files. QuickPlayer version 1.3 is affected.
  • Ref: http://www.securityfocus.com/bid/30252

  • 08.30.6 - CVE: CVE-2008-2934
  • Platform: Mac Os
  • Title: Mozilla Firefox Mac OS X GIF Rendering Memory Corruption
  • Description: Mozilla Firefox is a browser available for multiple platforms. The application is exposed to a memory corruption issue in Mozilla graphics code for handling GIF files on Mac OS X platform. Firefox version 3.0 is affected.
  • Ref: http://www.mozilla.org/security/announce/2008/mfsa2008-36.html

  • 08.30.7 - CVE: Not Available
  • Platform: Linux
  • Title: Debian OpenSSH SELinux Privilege Escalation
  • Description: Debian Linux can be configured to utilize SELinux extensions. OpenSSH may also be configured to utilize SELinux, and to interface with the role-based privilege system. The application is exposed to an SELinux privilege escalation issue due to a flaw in its OpenSSH package.
  • Ref: http://www.securityfocus.com/bid/30276

  • 08.30.8 - CVE: CVE-2008-3187
  • Platform: Linux
  • Title: zypp-refresh-patches wrapper XML Repository Corruption
  • Description: The zypp-refresh-patches wrapper is used by various online update applets in openSUSE to check for new software updates. The application is exposed to a weakness that may allow attackers to corrupt XML repositories. This issue occurs because the application accepts new repository keys without verifying certificates.
  • Ref: http://www.securityfocus.com/bid/30293

  • 08.30.9 - CVE: Not Available
  • Platform: Cross Platform
  • Title: Oracle WebLogic Server Apache Connector Remote Buffer Overflow
  • Description: Oracle WebLogic Server (formerly known as BEA WebLogic Server) is an enterprise application server product distributed by Oracle. The application is exposed to a remote buffer overflow issue because it fails to perform adequate boundary checks on user-supplied data. This issue affects the Apache Connector.
  • Ref: http://www.securityfocus.com/bid/30273

  • 08.30.10 - CVE: Not Available
  • Platform: Cross Platform
  • Title: IBM WebSphere Application Server "PropFilePasswordEncoder" Unspecified Vulnerability
  • Description: IBM WebSphere Application Server is a utility designed to facilitate the creation of various enterprise web applications. The application is exposed to an unspecified issue that affects the "PropFilePasswordEncoder" utility. WebSphere Application Server versions prior to 5.1.1.19 are affected.
  • Ref: http://www-1.ibm.com/support/docview.wss?uid=swg27006879#51119

  • 08.30.11 - CVE: CVE-2008-1665
  • Platform: Cross Platform
  • Title: HP Select Identity Bidirectional LDAP Connector Remote Unauthorized Access
  • Description: HP Select Identity (HPSI) Active Directory Bidirectional LDAP Connector is exposed to an unauthorized access issue. HP Select Identity Active Directory Bidirectional LDAP Connector versions 2.20, 2.20.001, 2.20.002 and 2.30 are affected.
  • Ref: http://www.securityfocus.com/bid/30250

  • 08.30.12 - CVE: Not Available
  • Platform: Cross Platform
  • Title: F-PROT Antivirus CHM File Remote Denial of Service
  • Description: F-PROT Antivirus is an antivirus application available for multiple operating systems. The application is exposed to a remote denial of service issue because it fails to properly handle malformed CHM files. F-PROT Antivirus engine versions prior to 4.4.4 are affected.
  • Ref: http://www.f-prot.com/download/ReleaseNotesWindows.txt

  • 08.30.13 - CVE: Not Available
  • Platform: Cross Platform
  • Title: F-PROT Antivirus Multiple File Processing Remote Denial of Service Vulnerabilities
  • Description: F-PROT Antivirus is an antivirus application available for multiple operating systems. The application is exposed to multiple remote denial of service issues because it fails to properly handle malformed files. F-PROT Antivirus engine versions prior to 4.4.4 are affected.
  • Ref: http://www.f-prot.com/download/ReleaseNotesWindows.txt

  • 08.30.14 - CVE: Not Available
  • Platform: Cross Platform
  • Title: Velocity Security Management System HTTP Server Directory Traversal
  • Description: Velocity Security Management System is a management application for physical security devices such as door controls and alarms. The application is exposed to a directory traversal issue because it fails to sufficiently sanitize user-supplied input. This issue occurs in the application's HTTP server. Velocity Security Management System version 1.0 is affected.
  • Ref: http://www.securityfocus.com/archive/1/494422

  • 08.30.15 - CVE: Not Available
  • Platform: Cross Platform
  • Title: Spring Framework Multiple Remote Vulnerabilities
  • Description: Spring Framework is a layered Java/J2EE application framework. The application is exposed to two security issues. Attackers can exploit these issues to gain unauthorized access to files on the web server or compromise the affected application.
  • Ref: http://www.springsource.com/securityadvisory

  • 08.30.16 - CVE: Not Available
  • Platform: Cross Platform
  • Title: CGI::Session "CGISESSID" Cookie Value Directory Traversal
  • Description: CGI::Session is a session manager library implemented in Perl. The library is exposed to a directory traversal issue because it fails to sufficiently sanitize user-supplied input to the "CGISESSID" cookie value in "Session.pm". CGI::Session versions 3.94, 3.95 and 4.33 are affected.
  • Ref: http://vuln.sg/cgisession433-en.html

  • 08.30.17 - CVE: Not Available
  • Platform: Cross Platform
  • Title: OpenLink Virtuoso Multiple Denial Of Service Vulnerabilities
  • Description: OpenLink Virtuoso is an open-source object-relational SQL database. The application is exposed to multiple remote denial of service issues because it fails to properly handle certain types of queries. OpenLink Virtuoso version 5.0.6 is affected.
  • Ref: http://sourceforge.net/project/shownotes.php?release_id=614029

  • 08.30.18 - CVE: Not Available
  • Platform: Cross Platform
  • Title: SmbClientParser Perl Module Remote Command Execution
  • Description: The SmbClientParser Perl module is an API used to access Samba resources using "smbclient". The module is exposed to a remote command execution issue because it fails to sufficiently sanitize user-supplied data. An attacker could exploit this issue by enticing an unsuspecting user to use a tool created with this module to scan a shared folder that contains a folder with a specially crafted name. Filesys::SmbClientParser version 2.7 is affected.
  • Ref: http://www.securityfocus.com/archive/1/494536

  • 08.30.19 - CVE: Not Available
  • Platform: Web Application - Cross Site Scripting
  • Title: IBS "username" Parameter Cross-Site Scripting
  • Description: IBS is an accounting application for Internet service providers. The application is exposed to a cross-site scripting issue because it fails to sanitize user-supplied input to the "username" parameter of the "interface/ibs/admin/index.php" script. IBS version 0.15 is affected.
  • Ref: http://www.securityfocus.com/bid/30270

  • 08.30.20 - CVE: Not Available
  • Platform: Web Application - Cross Site Scripting
  • Title: LunarNight Laboratory WebProxy Cross-Site Scripting
  • Description: LunarNight Laboratory WebProxy is a Perl-based proxy. The application is exposed to a cross-site scripting issue because it fails to properly sanitize user-supplied input before using it in dynamically generated content. LunarNight Laboratory WebProxy versions prior to 1.7.9 are affected.
  • Ref: http://www.securityfocus.com/bid/30283

  • 08.30.21 - CVE: Not Available
  • Platform: Web Application - Cross Site Scripting
  • Title: phpFreeChat "demo21_with_hardcoded_urls.php" Cross-Site Scripting
  • Description: phpFreeChat is a chat application. The application is exposed to a cross-site scripting issue because it fails to sanitize user-supplied input to the "demo21_with_hardcoded_urls.php" script. phpFreeChat version 1.1 is affected.
  • Ref: http://www.securityfocus.com/bid/30292

  • 08.30.22 - CVE: Not Available
  • Platform: Web Application - Cross Site Scripting
  • Title: MoinMoin "AdvancedSearch.py" Multiple Cross-Site Scripting Vulnerabilities
  • Description: MoinMoin is a freely available, open-source wiki written in Python. It is available for UNIX and Linux platforms. The application is exposed to multiple cross-site scripting issues because it fails to sanitize user-supplied input. These issues affect various parameters of the "macro/AdvancedSearch.py" script. MoinMoin versions 1.7.0 and 1.6.3 are affected.
  • Ref: http://moinmo.in/SecurityFixes

  • 08.30.23 - CVE: Not Available
  • Platform: Web Application - SQL Injection
  • Title: phpHoo3 "phpHoo3.php" SQL Injection
  • Description: phpHoo3 is a link database. The application is exposed to an SQL injection issue because it fails to sufficiently sanitize user-supplied data to the "viewCat" parameter of the "phpHoo3.php" script file before using it in an SQL query.
  • Ref: http://www.securityfocus.com/bid/30271

  • 08.30.24 - CVE: Not Available
  • Platform: Web Application - SQL Injection
  • Title: AlstraSoft Video Share Enterprise "album.php" SQL Injection
  • Description: AlstraSoft Video Share Enterprise is a web-based video sharing application. The application is exposed to an SQL injection issue because it fails to sufficiently sanitize user-supplied data to the "UID" parameter of the "album.php" script before using it in an SQL query.
  • Ref: http://www.securityfocus.com/bid/30272

  • 08.30.25 - CVE: Not Available
  • Platform: Web Application - SQL Injection
  • Title: AlstraSoft Article Manager Pro "contact_author.php" SQL Injection
  • Description: AlstraSoft Article Manager Pro is a PHP-based content management application. The application is exposed to an SQL injection issue because it fails to sufficiently sanitize user-supplied data to the "userid" parameter of the "contact_author.php" script before using it in an SQL query.
  • Ref: http://www.securityfocus.com/bid/30274

  • 08.30.26 - CVE: Not Available
  • Platform: Web Application - SQL Injection
  • Title: Arctic Issue Tracker "filter" Parameter SQL Injection
  • Description: Arctic Issue Tracker is a web-based application for tracking tasks. The application is exposed to an SQL injection issue because it fails to sufficiently sanitize user-supplied data before using it in an SQL query. Specifically, it fails to properly sanitize the "filter" parameter of the "index.php" script. Arctic Issue Tracker version v2.0.0 is affected.
  • Ref: http://www.securityfocus.com/bid/30277

  • 08.30.27 - CVE: Not Available
  • Platform: Web Application - SQL Injection
  • Title: preCMS "id" Parameter SQL Injection
  • Description: preCMS is a web-based content manager. The application is exposed to an SQL injection issue because it fails to sufficiently sanitize user-supplied data before using it in an SQL query. Specifically, it fails to properly sanitize the "id" parameter of the "index.php" script. preCMS version v.1 is affected.
  • Ref: http://www.securityfocus.com/bid/30278

  • 08.30.28 - CVE: Not Available
  • Platform: Web Application - SQL Injection
  • Title: HockeySTATS Online "index.php" Multiple SQL Injection Vulnerabilities
  • Description: HockeySTATS Online is a PHP-based hockey statistics tracking application. The application is exposed to multiple SQL injection issues because it fails to sufficiently sanitize user-supplied data to the "id" and "divid" parameters of the "index.php" script before using it in an SQL query. HockeySTATS Online Basic and Advanced version 2.0 is affected.
  • Ref: http://www.securityfocus.com/bid/30248

  • 08.30.29 - CVE: Not Available
  • Platform: Web Application - SQL Injection
  • Title: Joomla! and Mambo DT Register Component "eventId" Parameter SQL Injection
  • Description: DT Register is a PHP-based component for the Mambo and Joomla! content managers used for managing event registrations. The application is exposed to an SQL injection issue because it fails to sufficiently sanitize user-supplied data to the "eventId" parameter of the "com_dtregister" component before using it in an SQL query.
  • Ref: http://www.securityfocus.com/bid/30256

  • 08.30.30 - CVE: Not Available
  • Platform: Web Application - SQL Injection
  • Title: AlstraSoft Affiliate Network Pro "pgm" Parameter SQL Injection
  • Description: AlstraSoft Affiliate Network Pro is a web-based affiliate marketing solution. The application is exposed to an SQL injection issue because it fails to sufficiently sanitize user-supplied data before using it in an SQL query.
  • Ref: http://www.securityfocus.com/bid/30259

  • 08.30.31 - CVE: Not Available
  • Platform: Web Application - SQL Injection
  • Title: tplSoccerSite Multiple SQL Injection Vulnerabilities
  • Description: tplSoccerSite is a web-based soccer stats application. The application is exposed to multiple SQL injection issues because it fails to sufficiently sanitize user-supplied data. tplSoccerSite version 1.0 is affected.
  • Ref: http://www.securityfocus.com/bid/30260

  • 08.30.32 - CVE: Not Available
  • Platform: Web Application - SQL Injection
  • Title: Def_Blog "article" Parameter Multiple SQL Injection Vulnerabilities
  • Description: Def_Blog is a web-log application. The application is exposed to multiple SQL injection issues because it fails to sufficiently sanitize user-supplied data to the "article" parameter of the "comaddok.php" and "comlook.php" scripts. Def_Blog version 1.0.3 is affected.
  • Ref: http://www.securityfocus.com/bid/30289

  • 08.30.33 - CVE: Not Available
  • Platform: Web Application - SQL Injection
  • Title: Siteframe "folder.php" SQL Injection
  • Description: Siteframe is a content manager. The application is exposed to an SQL injection issue because it fails to sufficiently sanitize user-supplied data to the "id" parameter of the "folder.php" script before using it in an SQL query.
  • Ref: http://www.securityfocus.com/bid/30294

  • 08.30.34 - CVE: Not Available
  • Platform: Web Application - SQL Injection
  • Title: Aprox CMS Engine "index.php" SQL Injection
  • Description: Aprox CMS Engine is exposed to an SQL injection issue because it fails to sufficiently sanitize user-supplied data to the "id" parameter of the "index.php" script before using it in an SQL query. Aprox CMS Engine version 5.1.0.4 is affected.
  • Ref: http://www.securityfocus.com/bid/30295

  • 08.30.35 - CVE: Not Available
  • Platform: Web Application - SQL Injection
  • Title: PHPFootball "show.php" SQL Injection
  • Description: PHPFootball is a web-based management application for football leagues. The application is exposed to an SQL injection issue because it fails to sufficiently sanitize user-supplied data to the "dbtable" parameter of the "show.php" script before using it in an SQL query. PHPFootball version 1.6 is affected.
  • Ref: http://www.securityfocus.com/bid/30296

  • 08.30.36 - CVE: Not Available
  • Platform: Web Application - SQL Injection
  • Title: Zoph Multiple SQL Injection Vulnerabilities
  • Description: Zoph is a PHP-based application for managing digital photographs. The application is exposed to multiple SQL injection issues because it fails to sufficiently sanitize user-supplied data. Zoph versions prior to 0.7.0.5 are affected.
  • Ref: http://sourceforge.net/project/shownotes.php?group_id=69353&release_id=614672

  • 08.30.37 - CVE: Not Available
  • Platform: Web Application
  • Title: Claroline Multiple Unspecified Security Vulnerabilities
  • Description: Claroline is a PHP-based online educational platform. The application is exposed to multiple unspecified issues. Claroline version 1.8.9 is affected.
  • Ref: http://www.securityfocus.com/archive/1/494539

  • 08.30.38 - CVE: Not Available
  • Platform: Web Application
  • Title: Community CMS "include.php" Remote File Include
  • Description: Community CMS is a PHP-based content manager. The application is exposed to a remote file include issue because it fails to sufficiently sanitize user-supplied input to the "root" parameter of the "include.php" script. Community CMS version 0.1 is affected.
  • Ref: http://www.securityfocus.com/archive/1/494503

  • 08.30.39 - CVE: CVE-2008-2232
  • Platform: Web Application
  • Title: Afuse "afuse.c" Shell Command Injection
  • Description: Afuse is an auto mounting file system implemented in user-space. The application is exposed to a command injection issue in the "afuse.c" file. Specifically, the application fails to sanitize metacharacters in a user-supplied filename. Afuse version 2.0-2 is affected.
  • Ref: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=490921

  • 08.30.40 - CVE: Not Available
  • Platform: Web Application
  • Title: Galatolo WebManager Cookie Authentication Bypass
  • Description: Galatolo WebManager is a PHP-based content manager. The application is exposed to an authentication bypass issue because it fails to adequately verify user-supplied input used for cookie-based authentication. Galatolo WebManager version 1.3a is affected.
  • Ref: http://www.securityfocus.com/bid/30247

  • 08.30.41 - CVE: Not Available
  • Platform: Web Application
  • Title: PhotoPost vBGallery "upload.php" Arbitrary File Upload
  • Description: PhotoPost vBGallery is a PHP-based photo sharing application for the vBulletin forum. The application is exposed to an issue that lets remote attackers upload and execute arbitrary script code because it fails to properly sanitize user-supplied input to the "upload.php" script. PhotoPost vBGallery version v2.4.2 is affected.
  • Ref: http://www.securityfocus.com/bid/30249

  • 08.30.42 - CVE: Not Available
  • Platform: Web Application
  • Title: PHPizabi "v_cron_proc.php" Arbitrary Script Injection Vulnerabilities
  • Description: PHPizabi is a PHP-based content manager. The application is exposed to two issues that allow attackers to execute arbitrary script code because it fails to properly sanitize user-supplied input to the "CONF["CRON_LOGFILE"]" and "CONF["LOCALE_LONG_DATE_TIME"]" parameters of the "system/v_cron_proc.php" script. PHPizabi version 0.848b C1 HFP1 is affected.
  • Ref: http://www.securityfocus.com/bid/30257

  • 08.30.43 - CVE: Not Available
  • Platform: Web Application
  • Title: Evaria ECMS "DOCUMENT_ROOT" Parameter Multiple Remote File Include Vulnerabilities
  • Description: ECMS is a web-based content management system. The application is exposed to multiple remote file include issues because it fails to sufficiently sanitize user-supplied input to the "DOCUMENT_ROOT" parameter of the following scripts: "index.php" and "eprint.php". ECMS version 1.1 is affected.
  • Ref: http://www.securityfocus.com/bid/30262

  • 08.30.44 - CVE: Not Available
  • Platform: Web Application
  • Title: OpenPro "search_wA.php" Remote File Include
  • Description: OpenPro is a web-based application. The application is exposed to a remote file include issue because it fails to sufficiently sanitize user-supplied input to the "LIBPATH" parameter of the "search_wA.php" script. OpenPro version 1.3.1 is affected.
  • Ref: http://www.securityfocus.com/bid/30264

  • 08.30.45 - CVE: CVE-2008-3073, CVE-2008-3072
  • Platform: Web Application
  • Title: Simple Machines Forum Multiple Unspecified "html-tag" and Random Generator Seeding Vulnerabilities
  • Description: Simple Machines Forum is web-based forum software. It is exposed to multiple unspecified issues: one arises from the use of "html-tag", and another from improper seeding of the random number generator. Simple Machines Forum versions prior to 1.0.13 and 1.1.5 are affected.
  • Ref: http://www.securityfocus.com/bid/30271


  • 08.30.47 - CVE: Not Available
  • Platform: Web Application
  • Title: CreaCMS Multiple Remote File Include Vulnerabilities
  • Description: CreaCMS is a PHP-based content manager. The application is exposed to multiple remote file include issues because it fails to sufficiently sanitize user-supplied input. CreaCMS version 1 is affected.
  • Ref: http://www.securityfocus.com/bid/30284

  • 08.30.48 - CVE: Not Available
  • Platform: Web Application
  • Title: Lemon CMS "browser.php" Local File Include
  • Description: Lemon CMS is a content manager. The application is exposed to a local file include issue because it fails to properly sanitize user-supplied input to the "dir" parameter of the "lemon_includes/FCKeditor/editor/filemanager/browser/browser.php" script. Lemon CMS version 1.10 is affected.
  • Ref: http://www.securityfocus.com/bid/30285

  • 08.30.49 - CVE: Not Available
  • Platform: Web Application
  • Title: Stash Cookie Authentication Bypass
  • Description: Stash is a PHP-based content manager specifically for managing band web sites. The application is exposed to an authentication bypass issue because it fails to adequately verify user-supplied input used for cookie-based authentication. Stash version 1.0.3 is affected.
  • Ref: http://www.securityfocus.com/bid/30286

  • 08.30.50 - CVE: Not Available
  • Platform: Web Application
  • Title: SWAT 4 Multiple Denial of Service Vulnerabilities
  • Description: SWAT 4 is a first-person shooter computer game. The application is exposed to multiple remote denial of service issues because it fails to properly handle certain input. SWAT 4 version 1.1 is affected.
  • Ref: http://www.securityfocus.com/bid/30299

  • 08.30.51 - CVE: Not Available
  • Platform: Web Application
  • Title: phpScheduleIt "useLogonName" Security Bypass
  • Description: phpScheduleIt is a web-based reservation and scheduling system. The application is exposed to an issue that gives an attacker unauthorized access to administration areas of the application because the software fails to properly restrict access in an unspecified script. phpScheduleIt versions up to and including 1.2.9 are affected.
  • Ref: http://www.securityfocus.com/bid/30300

(c) 2008. All rights reserved. The information contained in this newsletter, including any external links, is provided "AS IS," with no express or implied warranty, for informational purposes only. In some cases, copyright for material in this newsletter may be held by a party other than Qualys (as indicated herein) and permission to use such material must be requested from the copyright owner.

Subscriptions: @RISK is distributed free of charge by the SANS Institute to people responsible for managing and securing information systems and networks. You may forward this newsletter to others with such responsibility inside or outside your organization.