@RISK: The Consensus Security Vulnerability Alert
Volume: VII, Issue: 52
December 26, 2008
A quiet week - and a sincere wish for a safe and prosperous 2009 for all our readers. - Alan
@RISK is the SANS community's consensus bulletin summarizing the most
important vulnerabilities and exploits identified during the past week
and providing guidance on appropriate actions to protect your systems
(PART I). It also includes a comprehensive list of all new
vulnerabilities discovered in the past week (PART II).
Summary of the vulnerabilities reported this week:
Platform                                  Number of Updates and Vulnerabilities
------------------------                  -------------------------------------
Web Application - Cross Site Scripting
Web Application - SQL Injection
*************************************************************************
TRAINING UPDATE
- SANS 2009 in Orlando in early March: the largest security training conference and expo in the world, with lots of evening sessions: http://www.sans.org/
- SANS Security West, Las Vegas (1/24-2/01): http://sans.org/securitywest09/
- Looking for training in your own community? http://sans.org/community/
For a list of all upcoming events, on-line and live: www.sans.org
*************************************************************************
Table Of Contents
Part II -- Comprehensive List of Newly Discovered Vulnerabilities from Qualys (www.qualys.com)
Third Party Windows Apps
Linux
BSD
Solaris
Cross Platform
Web Application - Cross Site Scripting
Web Application - SQL Injection
Web Application
Network Device
PART I Critical Vulnerabilities
Part I for this issue has been compiled by Rob King at TippingPoint,
a division of 3Com, as a by-product of that company's continuous
effort to ensure that its intrusion prevention products effectively
block exploits using known vulnerabilities. TippingPoint's
analysis is complemented by input from a council of security
managers from twelve large organizations who confidentially share
with SANS the specific actions they have taken to protect their
systems. A detailed description of the process may be found at
http://www.sans.org/newsletters/cva/#process
Widely Deployed Software
(1) HIGH: Fujitsu-Siemens WebTransactions Arbitrary Command Execution
Affected:
Fujitsu-Siemens WebTransactions versions 7.1 and prior
Description: Fujitsu-Siemens WebTransactions, part of the Fujitsu-Siemens openSEAS suite, is a popular enterprise middleware application that provides web access to legacy or otherwise non-web-enabled software. It fails to properly sanitize user input in certain situations, leading to an arbitrary command execution vulnerability. Successfully exploiting this vulnerability would allow an attacker to execute arbitrary commands with the privileges of the vulnerable process. Technical details are publicly available for this vulnerability.
Status: Vendor confirmed, updates available.
References:
(2) HIGH: Trend Micro House Call ActiveX Control Remote Code Execution
Affected:
Trend Micro House Call ActiveX Control versions prior to 6.6.1285
Description: Trend Micro House Call is a popular online malware scanning service. Part of its functionality is provided by an ActiveX control. This control contains a memory corruption vulnerability. A specially crafted web page that instantiates this control could trigger this vulnerability, allowing an attacker to execute arbitrary code with the privileges of the current user. Some technical details are publicly available for this vulnerability.
Status: Vendor confirmed, updates available. Users can mitigate the impact of this vulnerability by disabling the affected control via Microsoft's "kill bit" mechanism. Note that this could impact normal application functionality.
References:
(3) MODERATE: FreeSSHd Multiple Buffer Overflows
Affected:
FreeSSHd versions 1.2.1 and prior
Description: FreeSSHd is a free Secure Shell (SSH) server for Microsoft Windows. It also provides Secure File Transfer Protocol (SFTP) services. The SFTP server contains multiple buffer overflows in its handling of user commands. A logged-in user could trigger one of these vulnerabilities by sending an overlong command to the server. Successfully exploiting one of these vulnerabilities would allow an attacker to execute arbitrary code with the privileges of the vulnerable process. A proof-of-concept is publicly available for these vulnerabilities. Note that attackers must have valid authentication credentials to exploit this vulnerability.
Status: Vendor has not confirmed, no updates available.
References:
(4) LOW: Google Chrome Command Injection Vulnerability
Affected:
Google Chrome versions 1.0.154.36 and prior
Description: Chrome is a popular web browser from Google. It is reported to be exposed to a command injection vulnerability due to insufficient sanitization of "chromeHTML" URLs. However, other reports have indicated that this vulnerability may not be exploitable by remote users. Additionally, some reports have indicated that Microsoft Internet Explorer 8 Beta may be vulnerable when Google Chrome is installed. Proofs-of-concept are publicly available for this vulnerability, but there is no confirmation of exploitability.
Status: Vendor has not confirmed, no updates available.
References:
Part II: Weekly Comprehensive List of Newly Discovered Vulnerabilities
Week 52, 2008
This list is compiled by Qualys ( www.qualys.com ) as part of that
company's ongoing effort to ensure its vulnerability management web
service tests for all known vulnerabilities that can be scanned. As
of this week Qualys scans for 5549 unique vulnerabilities. For this
special SANS community listing, Qualys also includes vulnerabilities
that cannot be scanned remotely.
- 08.52.1 - CVE: Not Available
- Platform: Third Party Windows Apps
- Title: Phoenician Casino "FlashAX" ActiveX Control Remote Buffer
Overflow
- Description: The Phoenician Casino "FlashAX" ActiveX control provides
gambling functionality for their online casino. The control is exposed
to a stack-based buffer overflow issue because it fails to perform
adequate boundary checks on user-supplied input.
- Ref: http://www.securityfocus.com/bid/32901
- 08.52.2 - CVE: Not Available
- Platform: Third Party Windows Apps
- Title: CoolPlayer Skin File Buffer Overflow
- Description: CoolPlayer is a media player for the Windows operating
system. CoolPlayer is exposed to a buffer overflow issue because it
fails to perform adequate boundary checks on user-supplied data.
CoolPlayer version 219 is affected.
- Ref: http://www.securityfocus.com/archive/1/499480
- 08.52.3 - CVE: CVE-2008-2435
- Platform: Third Party Windows Apps
- Title: Trend Micro HouseCall ActiveX Control Remote Code Execution
- Description: The Trend Micro HouseCall ActiveX control is used to scan
for and address malicious code infections. The control is exposed to
a remote code execution issue that affects "Housecall_ActiveX.dll".
This issue arises because the application allows attackers to
dereference previously freed memory through a call to the
"notifyOnLoadNative()" function. HouseCall versions 6.51.0.1028 and
6.6.0.1278 are affected.
- Ref: http://secunia.com/secunia_research/2008-34/
- 08.52.4 - CVE: CVE-2008-2434
- Platform: Third Party Windows Apps
- Title: Trend Micro HouseCall ActiveX Control Library File Remote Code
Execution
- Description: The Trend Micro HouseCall ActiveX control is used to scan
for and address malicious code infections. The control is exposed to
a remote code execution issue that affects "Housecall_ActiveX.dll".
This issue arises because the application allows attackers to download
and load arbitrary library files by specifying a custom update server.
HouseCall versions 6.51.0.1028 and 6.6.0.1278 are affected.
- Ref: http://secunia.com/secunia_research/2008-32/
- 08.52.5 - CVE: Not Available
- Platform: Third Party Windows Apps
- Title: freeSSHd SFTP Commands Multiple Remote Buffer Overflow
Vulnerabilities
- Description: freeSSHd is an SSH server for Microsoft Windows. The
application is exposed to multiple remote buffer overflow issues
because it fails to perform adequate boundary checks on user-supplied
data. freeSSHd version 1.2.1 is affected.
- Ref: http://www.securityfocus.com/archive/1/499486
- 08.52.6 - CVE: CVE-2008-5086
- Platform: Linux
- Title: Ubuntu "libvirt" Local Security Bypass
- Description: "libvirt" is a toolkit to interact with the
virtualization capabilities of recent versions of Linux. The library
is exposed to a local security bypass issue. Specifically, the issue
is caused by a failure to correctly mark certain operations as
read-only.
- Ref: https://www.redhat.com/archives/libvir-list/2008-December/msg00522.html
- 08.52.7 - CVE: Not Available
- Platform: BSD
- Title: FreeBSD netgraph and bluetooth Local Privilege Escalation
Vulnerabilities
- Description: FreeBSD is prone to multiple local privilege escalation
vulnerabilities. The issues occur because certain function pointers
for the netgraph and bluetooth sockets are not properly initialized.
Local attackers can exploit these issues in the context of the kernel.
All versions of FreeBSD are affected.
- Ref: http://www.securityfocus.com/bid/32976
- 08.52.8 - CVE: Not Available
- Platform: Solaris
- Title: Sun Solaris IP Tunnel Param Local Code Execution
- Description: Sun Solaris is exposed to a local code execution issue
because of an error in processing a Solaris IP Tunnel parameter.
Attackers can exploit this issue to execute arbitrary code within the
context of the kernel on x86 systems.
- Ref: http://sunsolve.sun.com/search/document.do?assetkey=1-66-242266-1
- 08.52.9 - CVE: Not Available
- Platform: Solaris
- Title: Sun Solaris Name Service Cache Daemon (nscd(1M)) Local
Privilege Escalation
- Description: Sun Solaris is a UNIX-based operating system. Sun Solaris
Name Service Cache Daemon (nscd(1M)) is exposed to a local privilege
escalation issue. Local unprivileged attackers can exploit this issue
to gain access to sensitive information and obtain elevated privileges.
- Ref: http://sunsolve.sun.com/search/document.do?assetkey=1-66-242006-1
- 08.52.10 - CVE: Not Available
- Platform: Cross Platform
- Title: PDFjam Multiple Insecure Temporary File Creation
Vulnerabilities
- Description: PDFjam is a collection of scripts which provide an
interface to the "pdfpages" package for pdfLaTeX. An attacker with
local access could potentially exploit these issues to perform
symbolic-link attacks, overwriting temporary files in the context of
the affected application. PDFjam version 1.20 is affected.
- Ref: https://bugzilla.novell.com/show_bug.cgi?id=459031
- 08.52.11 - CVE: Not Available
- Platform: Cross Platform
- Title: GpsDrive Multiple Insecure Temporary File Creation
Vulnerabilities
- Description: GpsDrive is a car navigation application. GpsDrive creates
temporary files in an insecure manner. These issues affect the
"gpsdrive/examples/gpssmswatch" script and the "src/splash.c" and
"src/unit_test.c" source files. GpsDrive version 2.10~pre4-6.dfsg-1 is
affected.
- Ref: http://www.securityfocus.com/bid/32887
- 08.52.12 - CVE: CVE-2008-5679
- Platform: Cross Platform
- Title: Opera Web Browser HTML Parsing Heap-Based Remote Code Execution
- Description: Opera Web Browser is a browser that runs on multiple
operating systems. Opera Web Browser is exposed to a heap based memory
corruption issue because of a flaw in parsing certain HTML constructs.
The flaw may cause the resulting DOM to change and trigger a crash.
Please note that additional techniques may be used to inject malicious
code. Opera versions prior to 9.63 are affected.
- Ref: http://www.opera.com/support/kb/view/921/
- 08.52.13 - CVE: CVE-2008-5343
- Platform: Cross Platform
- Title: Sun Java Web Start and Java Plug-in JAR File Privilege
Escalation
- Description: Sun Java Web Start is a utility included in the Java
Runtime Environment (JRE). It enables Java applications to launch
either from a desktop or from a web page. Sun Java Web Start and Java
Plug-in are exposed to a privilege escalation issue. This issue results
from the affected applications parsing a JAR file that is also a
legitimate GIF image file.
- Ref: http://rhn.redhat.com/errata/RHSA-2008-1025.html
- 08.52.14 - CVE: CVE-2008-5499
- Platform: Cross Platform
- Title: Adobe Flash Player Unspecified Remote Security
- Description: Adobe Flash Player is a multimedia application for
Microsoft Windows, Mozilla, and Apple technologies. Flash Player is
exposed to an unspecified security issue. Remote attackers may exploit
this issue by enticing an unsuspecting user into loading a specially
crafted SWF file. Flash Player versions prior to 10.0.15.3 and
9.0.152.0 are vulnerable.
- Ref: http://www.adobe.com/support/security/bulletins/apsb08-24.html
- 08.52.15 - CVE: Not Available
- Platform: Cross Platform
- Title: PHP Python Extension "safe_mode" Restriction Bypass
- Description: PHP is a general-purpose scripting language that is
especially suited for web development and can be embedded into HTML.
PHP is exposed to a "safe_mode" restriction bypass issue when the
python extension is enabled. PHP version 5.2.5 is affected.
- Ref: http://www.securityfocus.com/bid/32902
- 08.52.16 - CVE: Not Available
- Platform: Cross Platform
- Title: Irrlicht B3D loader Buffer Overflow
- Description: Irrlicht is a real-time 3D engine available for multiple
platforms. Irrlicht is exposed to a buffer overflow issue because it
fails to perform adequate checks on user-supplied input. This issue
occurs in the B3D loader. Irrlicht versions prior to 1.5 are affected.
- Ref: http://irrlicht.sourceforge.net/changes.txt
- 08.52.17 - CVE: CVE-2008-5659
- Platform: Cross Platform
- Title: GNU Classpath "gnu.java.security.util.PRNG" Class Entropy
Weakness
- Description: GNU Classpath is an open-source project that creates
essential core class libraries for use with virtual machines and
compilers for the Java programming language. Classpath is exposed to a
weakness that may result in weaker cryptographic security. This issue
occurs in the "PRNG.getInstance()" method of the
"gnu.java.security.util.PRNG" class. Classpath version 0.97.2 is
affected.
- Ref: http://gcc.gnu.org/bugzilla/show_bug.cgi?id=38417
- 08.52.18 - CVE: Not Available
- Platform: Cross Platform
- Title: ESET Smart Security "epfw.sys" Local Privilege Escalation
- Description: ESET Smart Security is security software with antivirus,
antispam, and firewall protection. ESET Smart Security is exposed to a
local privilege escalation issue in the "epfw.sys" driver. The problem
occurs in the IOCTL handling code. ESET Smart Security versions
3.0.672 and earlier are affected.
- Ref: http://www.ntinternals.org/ntiadv0807/ntiadv0807.html
- 08.52.19 - CVE: Not Available
- Platform: Cross Platform
- Title: KnowledgeTree Multiple Unspecified Vulnerabilities
- Description: KnowledgeTree is an open source document manager. The
application is exposed to multiple issues. An attacker can exploit
these issues to bypass security restrictions, to view sensitive
information, and to steal cookie-based authentication credentials.
- Ref: http://sourceforge.net/projects/kt-dms/
- 08.52.20 - CVE: Not Available
- Platform: Cross Platform
- Title: Netatalk Printing Request Arbitrary Command Injection
- Description: Netatalk is an implementation of the AppleTalk Protocol
Suite. The application is exposed to an arbitrary command injection
issue because it fails to sufficiently sanitize certain parameters to
the "popen()" call. Netatalk versions prior to 2.0.4-beta2 are
affected.
- Ref: http://sourceforge.net/project/shownotes.php?release_id=648189
- 08.52.21 - CVE: Not Available
- Platform: Cross Platform
- Title: webcamXP URL Directory Traversal
- Description: webcamXP is a web camera control application. The
application is exposed to a directory traversal issue because it fails
to sufficiently sanitize user-supplied input. Specifically the
application fails to sanitize directory traversal strings contained in
the URL. webcamXP version 5.3.2.375 is affected.
- Ref: http://www.securityfocus.com/bid/32928
- 08.52.22 - CVE: CVE-2008-5557
- Platform: Cross Platform
- Title: PHP "mbstring" Extension Buffer Overflow
- Description: PHP is a general purpose scripting language that is
especially suited for web development and can be embedded into HTML.
The "mbstring" extension provides functions for the manipulation of
Unicode strings. PHP is exposed to a heap-based buffer overflow issue
because it fails to perform boundary checks before copying
user-supplied data to insufficiently sized memory buffers. PHP
versions 4.3.0 up to and including 5.2.6 are affected.
- Ref: http://bugs.php.net/bug.php?id=45722
- 08.52.23 - CVE: CVE-2008-5514
- Platform: Cross Platform
- Title: University Of Washington IMAP c-client Buffer Overflow
- Description: The University of Washington IMAP library is a library
implementing the IMAP mail protocol. University of Washington IMAP is
exposed to a buffer overflow issue that occurs due to a boundary error
within the "rfc822_output_char()" function in the "c-client" library.
The University of Washington IMAP library versions prior to 2007e are
affected.
- Ref: http://www.washington.edu/imap/documentation/RELNOTES.html
- 08.52.24 - CVE: Not Available
- Platform: Cross Platform
- Title: Qemu and KVM VNC Server Remote Denial of Service
- Description: Qemu and KVM are exposed to a remote denial of service
issue that affects the VNC server. Specifically, a specially crafted
packet may send the vulnerable server process into an infinite loop,
resulting in a denial of service condition. This issue is the result
of an error in the "protocol_client_msg()" function in the source code
file "vnc.c".
- Ref: http://www.coresecurity.com/content/vnc-remote-dos
- 08.52.25 - CVE: Not Available
- Platform: Cross Platform
- Title: YourPlace 1.0.2 Multiple Remote Vulnerabilities
- Description: YourPlace is a PHP-based filesystem. The application is
exposed to multiple issues. Attackers can exploit these issues to
upload and execute arbitrary PHP code within the context of the
webserver, execute arbitrary commands and gain unauthorized access to
the affected application. YourPlace version 1.0.2 is affected.
- Ref: http://www.securityfocus.com/bid/32971
- 08.52.26 - CVE: Not Available
- Platform: Web Application - Cross Site Scripting
- Title: phpcksec "phpcksec.php" Cross-Site Scripting
- Description: phpcksec is a PHP-based script that tests the security of a
webserver. The application is exposed to a cross-site scripting issue
because the application fails to sufficiently sanitize user-supplied
input to the "path" parameter of the "phpcksec.php" script. phpcksec
version 0.2.0 is affected.
- Ref: http://www.securityfocus.com/bid/32890
- 08.52.27 - CVE: Not Available
- Platform: Web Application - Cross Site Scripting
- Title: Novell Identity Manager Multiple Cross-Site Scripting
Vulnerabilities
- Description: Novell Identity Manager is an application used for
automating identity management tasks. The application is exposed to
multiple cross-site scripting issues because it fails to sufficiently
sanitize user-supplied input to unspecified parameters related to
"Page Navigation" and "UIQuery".
- Ref: http://support.novell.com/docs/Readmes/InfoDocument/patchbuilder/readme_5040042.html
- 08.52.28 - CVE: Not Available
- Platform: Web Application - Cross Site Scripting
- Title: myPHPscripts Login Session "login.php" Cross-Site Scripting
- Description: myPHPscripts Login Session is a login script. The
application is exposed to a cross-site scripting issue because it
fails to sufficiently sanitize user-supplied data to the "user"
parameter of the "login.php" script. myPHPscripts Login Session
version 2.0 is affected.
- Ref: http://www.securityfocus.com/bid/32941
- 08.52.29 - CVE: Not Available
- Platform: Web Application - Cross Site Scripting
- Title: TYPO3 DR Wiki Extension Unspecified Cross-Site Scripting
- Description: DR Wiki is an extension for TYPO3. The application is
exposed to an unspecified cross-site scripting issue because it fails
to properly sanitize user-supplied input. DR Wiki versions prior to
1.7.2 are affected.
- Ref: http://typo3.org/teams/security/security-bulletins/typo3-20081222-3/
- 08.52.30 - CVE: Not Available
- Platform: Web Application - Cross Site Scripting
- Title: TYPO3 Vox populi Unspecified Cross-Site Scripting
- Description: Vox populi is an extension for TYPO3. The application is
exposed to an unspecified cross-site scripting issue because it fails
to properly sanitize user-supplied input. Vox populi versions prior to
0.3.1 are affected.
- Ref: http://typo3.org/teams/security/security-bulletins/typo3-20081222-4/
- 08.52.31 - CVE: Not Available
- Platform: Web Application - SQL Injection
- Title: MyPBS "seasonID" Parameter SQL Injection
- Description: MyPBS (My PHP Baseball Stats) is a web application. The
application is exposed to an SQL injection issue because it fails to
sufficiently sanitize user-supplied data to the "seasonID" parameter
of the "index.php" script before using it in an SQL query. MyPBS
version 1.0 is affected.
- Ref: http://www.securityfocus.com/bid/32930
- 08.52.32 - CVE: CVE-2008-5609
- Platform: Web Application - SQL Injection
- Title: TYPO3 Commerce Extension Unspecified SQL Injection
- Description: Commerce is an extension for the TYPO3 content manager.
The extension is not part of the TYPO3 default installation. The
extension is exposed to an SQL injection issue because it fails to
sufficiently sanitize input before using it in an SQL query. Commerce
versions prior to 0.9.7 are affected.
- Ref: http://typo3.org/teams/security/security-bulletins/typo3-20081020-2/
- 08.52.33 - CVE: Not Available
- Platform: Web Application - SQL Injection
- Title: Drupal Views Content Construction Kit SQL Injection
- Description: Views is a module for Drupal that allows users to control
how lists of content are presented on a website. The module is exposed
to an SQL injection issue because it fails to sufficiently sanitize
user-supplied input. Drupal Views versions prior to 6.x-2.2 are
vulnerable.
- Ref: http://drupal.org/node/348321
- 08.52.34 - CVE: Not Available
- Platform: Web Application - SQL Injection
- Title: Tech Articles Joomla! Component
- Description: Tech Articles is a PHP-based component for the Joomla!
content manager. The application is exposed to an SQL injection issue
because it fails to sufficiently sanitize user-supplied data to the
"item" parameter. Tech Articles version 1.0 is affected.
- Ref: http://www.joomlaperformance.com/component/option,com_docman/task,cat_view/gid,30/Itemid,39/
- 08.52.35 - CVE: Not Available
- Platform: Web Application - SQL Injection
- Title: Lizardware CMS
- Description: Lizardware CMS is a PHP-based content manager. The
application is exposed to an SQL injection issue because it fails to
sufficiently sanitize user-supplied data to the "user" form field in
the "/administrator/index.php" script before using it in an SQL query.
Lizardware CMS versions 0.6.0 and earlier are affected.
- Ref: http://www.securityfocus.com/bid/32898
- 08.52.36 - CVE: Not Available
- Platform: Web Application - SQL Injection
- Title: TinyMCE "menuID" Parameter SQL Injection
- Description: TinyMCE is a web-based WYSIWYG editor. The application is
exposed to an SQL injection issue because it fails to sufficiently
sanitize user-supplied data to the "menuID" parameter of the
"index.php" script before using it in an SQL query. TinyMCE version 2.0.1
is affected.
- Ref: http://www.securityfocus.com/bid/32899
- 08.52.37 - CVE: Not Available
- Platform: Web Application - SQL Injection
- Title: r.cms Multiple SQL Injection Vulnerabilities
- Description: r.cms is a web-based application. The application is
exposed to multiple SQL injection issues because it fails to
sufficiently sanitize user-supplied data to the "id" parameter of
"index.php", "referenzdetail.php" and "produkte.php" scripts. r.cms
version 2 is affected.
- Ref: http://www.securityfocus.com/bid/32900
- 08.52.38 - CVE: Not Available
- Platform: Web Application - SQL Injection
- Title: DO-CMS "p" Parameter Multiple SQL Injection Vulnerabilities
- Description: DO-CMS is a PHP-based content management system. The
application is exposed to multiple SQL injection issues because it
fails to sufficiently sanitize user-supplied data to the "p" parameter of
the "index.php" and "page.php" scripts. DO-CMS version 3.0 is
affected.
- Ref: http://www.securityfocus.com/bid/32906
- 08.52.39 - CVE: Not Available
- Platform: Web Application - SQL Injection
- Title: EasySiteNetwork Jokes Complete Website "joke.php" SQL Injection
- Description: EasySiteNetwork Jokes Complete Website is a web-based
application. The application is exposed to an SQL injection issue
because it fails to sufficiently sanitize input to the "id" parameter
of the "joke.php" script before using it in an SQL query.
- Ref: http://www.securityfocus.com/archive/1/499351
- 08.52.40 - CVE: Not Available
- Platform: Web Application - SQL Injection
- Title: I-RATER Basic "messages.php" SQL Injection
- Description: I-RATER Basic is a fee-based web site application. The
application is exposed to an SQL injection issue because it fails to
sufficiently sanitize user-supplied data to the "idp" parameter of the
"messages.php" script before using it in an SQL query.
- Ref: http://www.securityfocus.com/bid/32912
- 08.52.41 - CVE: Not Available
- Platform: Web Application - SQL Injection
- Title: 2532|Gigs "index.php" SQL Injection
- Description: 2532|Gigs is a PHP-based application that allows users to
manage events and concerts. The application is exposed to an SQL
injection issue because it fails to sufficiently sanitize
user-supplied data to the "password" parameter of the "login.php" script.
2532|Gigs version 1.2.2 is affected.
- Ref: http://www.securityfocus.com/bid/32913
- 08.52.42 - CVE: CVE-2008-2380
- Platform: Web Application - SQL Injection
- Title: Courier-Authlib Non-Latin Character Handling Postgres SQL
Injection
- Description: Courier-Authlib is an authentication library for Courier
applications. The library is exposed to an SQL injection issue because
it fails to sufficiently sanitize user-supplied data before being used
in an SQL query. This issue occurs when processing non-Latin
characters. Courier-Authlib versions prior to 0.62.0 are vulnerable.
- Ref: http://www.courier-mta.org/authlib/changelog.html
- 08.52.43 - CVE: Not Available
- Platform: Web Application - SQL Injection
- Title: Joomla HBS "com_hbssearch" Joomla! Component "r_type" Parameter
SQL Injection
- Description: Joomla HBS (Joomla Hotel Booking System) "com_hbssearch"
is a PHP-based component for the Joomla! content manager. The
application is exposed to an SQL injection issue because it fails to
sufficiently sanitize user-supplied data to the "r_type" parameter.
Joomla HBS "com_hbssearch" version 1.0 is affected.
- Ref: http://www.securityfocus.com/bid/32951
- 08.52.44 - CVE: Not Available
- Platform: Web Application - SQL Injection
- Title: Joomla HBS "com_tophotelmodule" Joomla! Component "id"
Parameter SQL Injection
- Description: Joomla HBS (Joomla Hotel Booking System)
"com_tophotelmodule" is a PHP-based component for the Joomla! content
manager. The application is exposed to an SQL injection issue because
it fails to sufficiently sanitize user-supplied data to the "id"
parameter. Joomla HBS "com_tophotelmodule" version 1.0 is affected.
- Ref: http://www.securityfocus.com/bid/32952
- 08.52.45 - CVE: Not Available
- Platform: Web Application - SQL Injection
- Title: Constructr CMS "show_page" Parameter SQL Injection
- Description: Constructr CMS is a web-based content management system.
The application is exposed to an SQL injection issue because it fails
to sufficiently sanitize user-supplied data to the "show_page"
parameter. Constructr CMS versions 3.02.5 and earlier are affected.
- Ref: http://www.securityfocus.com/bid/32956
- 08.52.46 - CVE: Not Available
- Platform: Web Application - SQL Injection
- Title: Userlocator "y" Parameter SQL Injection
- Description: Userlocator is a web-based application. The application
is exposed to an SQL injection issue because it fails to sufficiently
sanitize user-supplied data to the "y" parameter of the "locator.php"
script. Userlocator version 3.0 is affected.
- Ref: http://www.milw0rm.com/exploits/7530
- 08.52.47 - CVE: Not Available
- Platform: Web Application - SQL Injection
- Title: RSS Simple News "news.php" SQL Injection
- Description: RSS Simple News is a PHP-based news script application.
The application is exposed to an SQL injection issue because it fails
to sufficiently sanitize user-supplied data to the "pid" parameter of
the "news.php" script.
- Ref: http://www.securityfocus.com/bid/32962
- 08.52.48 - CVE: Not Available
- Platform: Web Application - SQL Injection
- Title: Pligg "check_url.php" SQL Injection
- Description: Pligg is a PHP-based content manager. The application is
exposed to an SQL injection issue because it fails to sufficiently
sanitize user-supplied data to the "url" parameter of the
"evb/check_url.php" script. Pligg version 9.9.5b is affected.
- Ref: http://www.securityfocus.com/bid/32970
- 08.52.49 - CVE: Not Available
- Platform: Web Application - SQL Injection
- Title: Joomla Apps Volunteer Management Component "job_id" Parameter
SQL Injection
- Description: Joomla Apps Volunteer Management is a PHP-based component
for the Joomla! content manager. The application is exposed to an SQL
injection issue because it fails to sufficiently sanitize
user-supplied data to the "job_id" parameter to the "com_volunteer"
component. Volunteer Management version 2.0 is affected.
- Ref: http://www.securityfocus.com/bid/32973
- 08.52.50 - CVE: Not Available
- Platform: Web Application - SQL Injection
- Title: SolarCMS "cat" Parameter SQL Injection
- Description: SolarCMS is a PHP-based content management system. The
application is exposed to an SQL injection issue because it fails to
sufficiently sanitize user-supplied data to the "cat" parameter of the
"index.php" script when called with the "com" parameter set to
"Forum". SolarCMS version 0.53.3.8 is affected.
- Ref: http://www.securityfocus.com/bid/32974
- 08.52.51 - CVE: Not Available
- Platform: Web Application - SQL Injection
- Title: MySQL Calendar "username" Parameter SQL Injection
- Description: MySQL Calendar is a web-based application. The
application is exposed to an SQL injection issue because it fails to
sufficiently sanitize user-supplied data before using it in an SQL
query. This issue affects the "username" parameter of the "index.php"
script. MySQL Calendar versions 1.2 and earlier are affected.
- Ref: http://www.securityfocus.com/bid/32978
- 08.52.52 - CVE: Not Available
- Platform: Web Application - SQL Injection
- Title: TYPO3 TU-Clausthal Staff Extension Unspecified SQL Injection
- Description: TYPO3 TU-Clausthal Staff ("tuc_staff") is an extension
for the TYPO3 content manager. The extension is exposed to an SQL
injection issue because it fails to sufficiently sanitize input before
using it in an SQL query. TU-Clausthal Staff version 0.3.0 is
affected.
- Ref: http://typo3.org/teams/security/security-bulletins/typo3-20081222-4/
- 08.52.53 - CVE: Not Available
- Platform: Web Application - SQL Injection
- Title: TYPO3 WEBERkommunal Facilities Extension Unspecified SQL
Injection
- Description: WEBERkommunal Facilities ("wes_facilities") is an
extension for the TYPO3 content manager. The extension is exposed to
an SQL injection issue because it fails to sufficiently sanitize input
before using it in an SQL query. WEBERkommunal Facilities version
2.0.0 is affected.
- Ref: http://typo3.org/teams/security/security-bulletins/typo3-20081222-4/
- 08.52.54 - CVE: Not Available
- Platform: Web Application
- Title: ClaSS "scripts/export.php" Information Disclosure
- Description: ClaSS is a student tracking and reporting application.
The application is exposed to an information disclosure issue because
it fails to sufficiently sanitize user-supplied input to the "ftype"
parameter in "scripts/export.php". ClaSS versions prior to 0.8.61 are
affected.
- Ref: http://sourceforge.net/project/shownotes.php?release_id=648307
- 08.52.55 - CVE: Not Available
- Platform: Web Application
- Title: Online Keyword Research Tool "download.php" Local File Include
- Description: Online Keyword Research Tool is a PHP-based keyword
search tool. The application is exposed to a local file include issue
because it fails to properly sanitize user-supplied input to the
"filename" parameter of the "download.php" script.
- Ref: http://www.securityfocus.com/bid/32932
- 08.52.56 - CVE: Not Available
- Platform: Web Application
- Title: PECL Alternative PHP Cache Local HTML Injection
- Description: PECL Alternative PHP Cache is a PHP-based content
manager. The application is exposed to an HTML injection issue because
it fails to properly sanitize user-supplied input before using it in
dynamically generated content.
- Ref: http://www.securityfocus.com/archive/1/499424
- 08.52.57 - CVE: Not Available
- Platform: Web Application
- Title: Extract Website "download.php" Local File Include
- Description: Extract Website is a web-based application. The
application is exposed to a local file include issue because it fails
to properly sanitize user-supplied input to the "filename" parameter
of the "download.php" script.
- Ref: http://www.securityfocus.com/bid/32936
- 08.52.58 - CVE: Not Available
- Platform: Web Application
- Title: K&S Shopsystem "images.php" Arbitrary File Upload
- Description: K&S Shopsystem is a web application. The application is
exposed to an issue that lets attackers upload arbitrary files. The
issue occurs because the application fails to adequately sanitize
user-supplied input.
- Ref: http://www.securityfocus.com/bid/32888
- 08.52.59 - CVE: Not Available
- Platform: Web Application
- Title: Drupal Services Module Insecure Signing Multiple Security
Vulnerabilities
- Description: The Service module for the Drupal content manager
provides an API for exposing Drupal functions, allowing clients to
call server methods to obtain data for local processing. Services
versions prior to 5.x-0.92 and 6.x-013 are affected.
- Ref: http://drupal.org/node/348295
- 08.52.60 - CVE: Not Available
- Platform: Web Application
- Title: ADbNewsSender SQL Injection and Cross-Site Scripting
Vulnerabilities
- Description: ADbNewsSender is a web-based application used to send
newsletters. The application is exposed to multiple input validation
issues. Exploiting these issues could allow an attacker to steal
cookie-based authentication credentials, compromise the application,
access or modify data, or exploit latent vulnerabilities in the
underlying database. ADbNewsSender versions prior to 1.5.2 are
affected.
- Ref: http://sourceforge.net/project/shownotes.php?release_id=647876
- 08.52.61 - CVE: Not Available
- Platform: Web Application
- Title: 2532designs 2532|Gigs Local File Include and Arbitrary File
Upload Vulnerabilities
- Description: 2532|Gigs is a PHP-based application that allows users to
manage events and concerts. The application is exposed to multiple
input validation issues. 2532|Gigs version 1.2.2 is affected.
- Ref: http://www.securityfocus.com/bid/32911
- 08.52.62 - CVE: Not Available
- Platform: Web Application
- Title: MySQL Calendar Cookie Authentication Bypass
- Description: MySQL Calendar is a web-based calendar application. The
application is exposed to an authentication bypass issue because it
fails to adequately verify user-supplied input used for cookie-based
authentication. MySQL Calendar version 1.1 is affected.
- Ref: http://www.securityfocus.com/bid/32914
- 08.52.63 - CVE: Not Available
- Platform: Web Application
- Title: Phpclanwebsite Multiple Input Validation Vulnerabilities
- Description: Phpclanwebsite is a PHP-based content management system.
Phpclanwebsite is exposed to multiple issues. Phpclanwebsite version
1.23.3 Fix Pack #5 is affected.
- Ref: http://www.securityfocus.com/bid/32915
- 08.52.64 - CVE: Not Available
- Platform: Web Application
- Title: 2532|Gigs "calcss_edit.php" Remote Command Execution
- Description: 2532|Gigs is a PHP-based application that allows users to
manage events and concerts. 2532|Gigs is exposed to an issue that
attackers can leverage to execute arbitrary commands. This issue
occurs because the application fails to adequately sanitize
user-supplied input to the "content" parameter of the
"calcss_edit.php" script. 2532|Gigs version 1.2.2 is affected.
- Ref: http://www.securityfocus.com/bid/32916
- 08.52.65 - CVE: Not Available
- Platform: Web Application
- Title: Gobbl CMS Cookie Authentication Bypass
- Description: Gobbl CMS is a web-based content manager. The application
is exposed to an authentication bypass issue because it fails to
adequately verify user-supplied input used for cookie-based
authentication. Gobbl CMS version 1.0 is affected.
- Ref: http://www.securityfocus.com/bid/32918
- 08.52.66 - CVE: Not Available
- Platform: Web Application
- Title: MyPHPsite "index.php" Local File Include
- Description: MyPHPsite is a web application implemented in PHP. The
application is exposed to a local file include issue because it fails
to properly sanitize user-supplied input to the "mod" parameter of the
"index.php" script.
- Ref: http://www.securityfocus.com/bid/32919
- 08.52.67 - CVE: Not Available
- Platform: Web Application
- Title: Fujitsu-Siemens WebTransactions Unspecified Remote Command
Execution
- Description: Fujitsu-Siemens WebTransactions is a web-based
application available for a number of platforms. Fujitsu-Siemens
WebTransactions is exposed to an issue that attackers can leverage to
execute arbitrary commands. This issue occurs because the
"WBPublish.exe" process fails to adequately sanitize user-supplied
input passed to a "system()" function call when cleaning up temporary
files. WebTransactions versions 6.0, 7.0 and 7.1 are affected.
- Ref: http://www.securityfocus.com/archive/1/499417
- 08.52.68 - CVE: Not Available
- Platform: Web Application
- Title: PECL Alternative PHP Cache Local Denial of Service
- Description: PECL Alternative PHP Cache (APC) Extension is an
intermediate code cache for PHP. The application is exposed to a local
denial of service issue. Specifically, a local user may either fill
the cache, or repeatedly delete all files from the cache. This is most
likely to be an issue in a shared hosting environment. Alternative PHP
Cache versions 3.1.1 and 3.0.19 are affected.
- Ref: http://www.securityfocus.com/archive/1/499424
- 08.52.69 - CVE: Not Available
- Platform: Web Application
- Title: FreeLyrics "source.php" Information Disclosure
- Description: FreeLyrics is a PHP-based application that stores
artists, song names and lyrics. The application is exposed to an
information disclosure issue because it fails to properly restrict
what files can be specified through the "p" parameter of the
"source.php" script. FreeLyrics version 1.0 is affected.
- Ref: http://www.securityfocus.com/bid/32946
- 08.52.70 - CVE: Not Available
- Platform: Web Application
- Title: BLOG "image_upload.php" Arbitrary File Upload
- Description: BLOG is a web application. The application is exposed to
an issue that lets attackers upload arbitrary files. The issue occurs
because the application fails to adequately sanitize user-supplied
input. BLOG version 1.55b is affected.
- Ref: http://www.securityfocus.com/bid/32953
- 08.52.71 - CVE: Not Available
- Platform: Web Application
- Title: ReVou Arbitrary File Upload
- Description: ReVou is a web-based Twitter clone. The application is
exposed to an issue that lets attackers upload arbitrary files. The
issue occurs because the application fails to adequately sanitize
user-supplied input.
- Ref: http://www.securityfocus.com/bid/32954
- 08.52.72 - CVE: Not Available
- Platform: Web Application
- Title: Constructr CMS Directory Traversal
- Description: Constructr CMS is a web-based content management system.
The application is exposed to a directory traversal issue because it
fails to adequately sanitize user-supplied input. Specifically, the
issue affects the "edit_file" parameter of the "template.php" script.
Constructr CMS versions 3.02.5 and earlier are affected.
- Ref: http://www.securityfocus.com/bid/32957
- 08.52.73 - CVE: Not Available
- Platform: Web Application
- Title: OneOrZero Arbitrary File Upload
- Description: OneOrZero is a web-based task-management and helpdesk
application. The application is exposed to an issue that lets
attackers upload arbitrary files. The issue occurs because the
"uploadAttachment()" function of the application fails to adequately
sanitize user-supplied input.
- Ref: http://www.securityfocus.com/bid/32959
- 08.52.74 - CVE: Not Available
- Platform: Web Application
- Title: phpg Multiple Input Validation Vulnerabilities
- Description: phpg is a PHP-based image gallery. Since it fails to
sufficiently sanitize user-supplied data, the application is exposed
to multiple input validation issues. phpg version 1.6 is affected.
- Ref: http://www.securityfocus.com/bid/32963
- 08.52.75 - CVE: CVE-2008-4303, CVE-2008-4304, CVE-2008-4305
- Platform: Web Application
- Title: phpCollab Multiple Input Validation Vulnerabilities
- Description: phpCollab is a PHP-based collaboration and
project management application. The application is exposed to multiple
input validation issues. Successfully exploiting these issues may
allow an attacker to compromise the application, execute arbitrary PHP
code and shell commands, access or modify data, or exploit latent
vulnerabilities in the underlying database.
- Ref: http://www.securityfocus.com/bid/32964
- 08.52.76 - CVE: Not Available
- Platform: Web Application
- Title: Page Flip Image Gallery "getConfig.php" Information Disclosure
- Description: Page Flip Image Gallery is a photo gallery plugin for
WordPress. The application is exposed to an information disclosure
issue because it fails to properly restrict what files can be
specified through the "book_id" parameter of the "getConfig.php"
script. Page Flip Image Gallery version 0.2.2 is affected.
- Ref: http://www.securityfocus.com/bid/32966
- 08.52.77 - CVE: Not Available
- Platform: Web Application
- Title: Git gitweb "diff.external" Local Privilege Escalation
- Description: gitweb is a web-based interface to the Git revision
control system. The software is exposed to a local privilege
escalation issue that occurs because gitweb may execute a command
specified as the "diff.external" parameter of a repository. Git
versions prior to 1.5.4.7, 1.5.5.6, 1.5.6.6 and 1.6.0.6 are affected.
- Ref: https://www.redhat.com/archives/fedora-package-announce/2008-December/msg01169.html
- 08.52.78 - CVE: Not Available
- Platform: Web Application
- Title: Text Lines Rearrange Script "download.php" Information
Disclosure
- Description: Text Lines Rearrange Script is a PHP-based application
that rearranges text files. The application is exposed to an
information disclosure issue because it fails to properly restrict
what files can be specified through the "filename" parameter of the
"download.php" script.
- Ref: http://www.securityfocus.com/bid/32968
- 08.52.79 - CVE: Not Available
- Platform: Web Application
- Title: Merak Mail Server and Webmail Email Message HTML Injection
- Description: Merak Mail Server and Webmail are mail server applications
written for multiple platforms. The applications are exposed to an
HTML injection issue because they fail to properly sanitize
user-supplied input before using it in dynamically generated content.
- Ref: http://www.securityfocus.com/bid/32969
- 08.52.80 - CVE: Not Available
- Platform: Web Application
- Title: TYPO3 WEC Discussion Extension SQL Injection and Cross-Site
Scripting Vulnerabilities
- Description: "wec_discussion" is an extension for the TYPO3 content
manager. The extension is exposed to multiple SQL injection and
cross-site scripting issues because it fails to sufficiently sanitize
user-supplied data to certain unspecified parameters. "wec_discussion"
versions prior to 1.7.1 are affected.
- Ref: http://typo3.org/teams/security/security-bulletins/typo3-20081222-2/
- 08.52.81 - CVE: Not Available
- Platform: Network Device
- Title: Linksys Wireless-G ADSL Gateway WAG54GS V2.0 Remote Buffer
Overflow
- Description: The Linksys Wireless-G ADSL Gateway is a multi-purpose
device which includes a router and an 802.11g wireless access point.
Linksys Wireless-G ADSL Gateway WAG54GS V2.0 is susceptible to a
remote buffer overflow issue that occurs due to insufficient buffer
boundary verification prior to copying user-supplied data. Linksys
Wireless-G ADSL Gateway WAG54GS version V2.0 running firmware version
1.02.20 is affected.
- Ref: http://www.bmgsec.com.au/advisory/44/
- 08.52.82 - CVE: Not Available
- Platform: Network Device
- Title: PowerStrip "pstrip.sys" Local Privilege Escalation
- Description: PowerStrip is a driver that provides multi-monitor
hardware support for several graphics cards. PowerStrip is exposed to a
local privilege escalation issue in the "pstrip.sys" driver. The
problem occurs in the IOCTL handling code. PowerStrip version 3.84 is
affected.
- Ref: http://www.ntinternals.org/ntiadv0810/ntiadv0810.html
- 08.52.83 - CVE: Not Available
- Platform: Network Device
- Title: COMTREND CT-536 and HG-536 Routers Multiple Remote
Vulnerabilities
- Description: The routers are exposed to multiple remote issues. CT-536
and HG-536 firmware A101-302JAZ-C01_R05 is affected.
- Ref: http://www.securityfocus.com/archive/1/499503
(c) 2008. All rights reserved. The information contained in this newsletter, including any external links, is provided "AS IS," with no express or implied warranty, for informational purposes only. In some cases, copyright for material in this newsletter may be held by a party other than Qualys (as indicated herein) and permission to use such material must be requested from the copyright owner.
Subscriptions: @RISK is distributed free of charge by the SANS Institute to people responsible for managing and securing information systems and networks. You may forward this newsletter to others with such responsibility inside or outside your organization.
For a free subscription, (and for free posters) or to update a current subscription, visit http://portal.sans.org/
GIAC certs are concerned with real applications and principles, rather than vendor products and implementations.
-Rob VandenBrink