@RISK: The Consensus Security Vulnerability Alert

Part I -- Critical Vulnerabilities from TippingPoint (www.tippingpoint.com)

• (1) CRITICAL: Adobe Acrobat and Reader JavaScript Method Buffer Overflow Vulnerability (APSB09-04)
• (2) CRITICAL: Autonomy KeyView SDK "wp6sr.dll" Buffer Overflow Vulnerability
• (3) MODERATE: GNOME glib Base64 Functions Mutiple Integer Overflow Vulnerabilities
• (4) MODERATE: PPLive Multiple URI Handlers Code Execution Vulnerabilities

Part II -- Comprehensive List of Newly Discovered Vulnerabilities from Qualys (www.qualys.com)

Third Party Windows Apps

• 09.12.1 - POP Peeper "Date" Remote Buffer Overflow
• 09.12.2 - Multiple SlySoft Products Driver IOCTL Request Multiple Local Buffer Overflow Vulnerabilities
• 09.12.3 - GeoVision LiveAudio ActiveX Control Remote Code Execution
• 09.12.4 - Rosoft Media Player "rml" File Buffer Overflow
• 09.12.5 - Serv-U FTP Server "MKD" Command Directory Traversal
• 09.12.6 - WinAsm Studio ".wap" Project File Heap-Based Buffer Overflow
• 09.12.7 - JustSystems Ichitaro Unspecified Code Execution
• 09.12.8 - Symantec PCAnywhere Local Format String
• 09.12.9 - Talkative IRC "PRIVMSG" Buffer Overflow

Linux

• 09.12.10 - Linux Kernel "/proc/net/rt_cache" Remote Denial of Service
• 09.12.11 - Mandriva perl-MDK-Common Unspecified Privilege Escalation

Solaris

• 09.12.12 - Sun Solaris Doors Kernel Functionality Multiple Vulnerabilities
• 09.12.13 - Sun Solaris Keysock Kernel Module Local Denial of Service
• 09.12.14 - Sun Solaris UFS File System Multiple Local Denial of Service Vulnerabilities
• 09.12.15 - Sun Solaris Kerberos Incremental Propagation Remote Denial Of Service

Cross Platform

• 09.12.16 - Sun xVM VirtualBox Local Privilege Escalation
• 09.12.17 - Cisco Unified Communications Manager PAB Synchronizer Privilege Escalation
• 09.12.18 - Sun Java System Communications Express Multiple HTML Injection Vulnerabilities
• 09.12.19 - PostgreSQL Conversion Encoding Remote Denial of Service
• 09.12.20 - DASH ".profile" Local Privilege Escalation
• 09.12.21 - Apple iTunes Information Disclosure and Denial of Service Vulnerabilities
• 09.12.22 - Radiator Multiple Remote Denial of Service Vulnerabilities
• 09.12.23 - JDKChat Malformed Command Remote Integer Overflow
• 09.12.24 - IBM WebSphere Application Server WAR File Information Disclosure
• 09.12.25 - Evolution Data Server "ntlm_challenge()" Memory Contents Information Disclosure
• 09.12.26 - Rapid Leech Upload Function Multiple Remote Input Validation Vulnerabilities
• 09.12.27 - Gretech GOM Encoder ".srt" File Remote Buffer Overflow
• 09.12.28 - VLC Media Player Web Interface "input" Parameter Remote Buffer Overflow
• 09.12.29 - Serv-U "SMNT" Command Remote Denial of Service Vulnerabilities
• 09.12.30 - PPLive URI Handlers "LoadModule" Parameter Multiple Remote Code Execution Vulnerabilities
• 09.12.31 - Google Chrome Single Thread Alert Out of Bounds Memory Access
• 09.12.32 - Autonomy KeyView Module Unspecified Buffer Overflow
• 09.12.33 - WeeChat IRC Message Remote Denial of Service
• 09.12.34 - AWStats "awstats.pl" Multiple Path Disclosure

Web Application - Cross Site Scripting

• 09.12.35 - TikiWiki "tiki-galleries.php" Cross-Site Scripting
• 09.12.36 - TikiWiki "tiki-list_file_gallery.php" Cross-Site Scripting
• 09.12.37 - TikiWiki "tiki-listpages.php" Cross-Site Scripting
• 09.12.38 - TikiWiki "tiki-orphan_pages.php" Cross-Site Scripting
• 09.12.39 - PTK Arbitrary Command Execution and Cross-Site Scripting Vulnerabilities
• 09.12.40 - Multiple EditeurScripts Products "msg" Parameter Cross-Site Scripting
• 09.12.41 - BLOG:CMS Unspecified Cross-Site Scripting
• 09.12.42 - A.CMS Unspecified Cross-Site Scripting
• 09.12.43 - Access Analyzer CGI Unspecified Cross-Site Scripting
• 09.12.44 - ejabberd MUC Logs Cross-Site Scripting
• 09.12.45 - Sun Java System Messenger Express "error" Parameter Cross-Site Scripting
• 09.12.46 - MTCMS WYSIWYG Editor "install.cgi" Cross-Site Scripting

Web Application - SQL Injection

• 09.12.47 - OpenPHPnuke SQLite Abstraction Layer SQL Injection
• 09.12.48 - Maarch Login Page SQL Injection
• 09.12.49 - Bricolage Unspecified SQL Injection
• 09.12.50 - Kim Websites "login.php" SQL Injection
• 09.12.51 - OpenCart "order" Parameter SQL Injection
• 09.12.52 - Beerwin's PHPLinkAdmin Remote File Include and Multiple SQL Injection Vulnerabilities
• 09.12.53 - phpComasy "index.php" SQL Injection
• 09.12.54 - GDL "node" Parameter SQL Injection
• 09.12.55 - PHPRunner "SearchField" Parameter SQL Injection
• 09.12.56 - WordPress fMoblog Plugin "id" Parameter SQL Injection

Web Application

• 09.12.57 - Traidnt UP "uploadcp/files.php" Insecure Cookie Authentication Bypass
• 09.12.58 - Drupal Forward Module Flood Control API Open Email Relay
• 09.12.59 - ModSecurity Multiple Remote Denial of Service Vulnerabilities
• 09.12.60 - Trellis Desk SQL Injection and Cross-Site Scripting Vulnerabilities
• 09.12.61 - PhpMySport Multiple Cross-Site Scripting and SQL Injection Vulnerabilities
• 09.12.62 - YAP "index.php" Local File Include
• 09.12.63 - Cryptographp "index.php" Local File Include
• 09.12.64 - cPanel Legacy File Manager File Name HTML Injection
• 09.12.65 - PHP Pro Bid "includes/class_image.php" Remote File Include
• 09.12.66 - Social Site Generator Multiple Information Disclosure Vulnerabilities
• 09.12.67 - Mega File Hosting Script "cross.php" Remote File Include
• 09.12.68 - Pivot "refkey" Arbitrary File Deletion

Network Device

• 09.12.69 - HP Multiple LaserJet Printers Cross-Site Request Forgery

PART I Critical Vulnerabilities

Part I for this issue has been compiled by Rohan Kotian at TippingPoint, a division of 3Com, as a by-product of that company's continuous effort to ensure that its intrusion prevention products effectively block exploits using known vulnerabilities. TippingPoint's analysis is complemented by input from a council of security managers from twelve large organizations who confidentially share with SANS the specific actions they have taken to protect their systems. A detailed description of the process may be found at http://www.sans.org/newsletters/cva/#process

Part II: Weekly Comprehensive List of Newly Discovered Vulnerabilities
Week 12, 2009

This list is compiled by Qualys ( www.qualys.com ) as part of that company's ongoing effort to ensure its vulnerability management web service tests for all known vulnerabilities that can be scanned. As of this week Qualys scans for 6724 unique vulnerabilities. For this special SANS community listing, Qualys also includes vulnerabilities that cannot be scanned remotely.

• 09.12.1 - CVE: Not Available
• Platform: Third Party Windows Apps
• Title: POP Peeper "Date" Remote Buffer Overflow
• Description: POP Peeper is an email notifier for Microsoft Windows. The application is exposed to a buffer overflow issue because it fails to properly bounds check user-supplied data before copying it into an insufficiently sized memory buffer. Specifically, if a server response contains an overly large string in the "Date" header, a stack-based buffer overflow occurs. POP Peeper version 3.4.0.0 is affected.
• Ref: http://www.securityfocus.com/archive/1/501701

• 09.12.2 - CVE: Not Available
• Platform: Third Party Windows Apps
• Title: Multiple SlySoft Products Driver IOCTL Request Multiple Local Buffer Overflow Vulnerabilities
• Description: SlySoft develops products used to copy various types of media, available for Microsoft Windows. The applications are exposed to multiple local buffer overflow issues because they fail to properly validate user-space input to IOCTL requests. These issues affect the "Irp" object of calls made to the "ElbyCDIO.sys" driver version 6.0.2.0. SlySoft AnyDVD version 6.5.2.2, SlySoft Virtual CloneDrive version 5.4.2.3, SlySoft CloneDVD version 2.9.2.0, and SlySoft CloneCD version 5.3.1.3 are affected.
• Ref: http://www.securityfocus.com/archive/1/501713

• 09.12.3 - CVE: Not Available
• Platform: Third Party Windows Apps
• Title: GeoVision LiveAudio ActiveX Control Remote Code Execution
• Description: GeoVision LiveAudio ActiveX Control is an ActiveX control used to provide audio support for remote cameras. The control is exposed to a remote code execution issue because of an error in the "GetAudioPlayingTime()" function. GeoVision LiveAudio ActiveX Control version 7.0 is affected.
• Ref: http://www.securityfocus.com/archive/1/501773

• 09.12.4 - CVE: Not Available
• Platform: Third Party Windows Apps
• Title: Rosoft Media Player "rml" File Buffer Overflow
• Description: Rosoft Media Player is a multimedia player available for Microsoft Windows. The application is exposed to a buffer overflow issue because it fails to perform adequate checks on user-supplied input. Specifically, the issue occurs when parsing specially crafted ".rml" files.
• Ref: http://www.securityfocus.com/archive/1/501845

• 09.12.5 - CVE: Not Available
• Platform: Third Party Windows Apps
• Title: Serv-U FTP Server "MKD" Command Directory Traversal
• Description: Serv-U FTP server is designed for use with Microsoft Windows operating systems. The application is exposed to a directory traversal issue because it fails to sufficiently sanitize user-supplied input, specifically, directory traversal strings (..) passed to the "MKD" command. Serv-U FTP server version 7.4.0.1 is affected.
• Ref: http://www.securityfocus.com/bid/34125

• 09.12.6 - CVE: Not Available
• Platform: Third Party Windows Apps
• Title: WinAsm Studio ".wap" Project File Heap-Based Buffer Overflow
• Description: WinAsm Studio is an assembly language IDE for the Microsoft Windows operating system. WinAsm Studio is exposed to a heap-based buffer overflow issue because it fails to perform adequate checks on user-supplied input. This issue can be triggered with a specially crafted ".wap" project file containing an excessively long value within the "[FILES]" section. WinAsm Studio version 5.1.5.0 is affected.
• Ref: http://www.securityfocus.com/bid/34132

• 09.12.7 - CVE: Not Available
• Platform: Third Party Windows Apps
• Title: JustSystems Ichitaro Unspecified Code Execution
• Description: Ichitaro is a word processor available for Microsoft Windows. The application is exposed to an unspecified code execution issue. Few details are available regarding this issue. Ichitaro versions 2008 and earlier are affected.
• Ref: http://www.securityfocus.com/bid/34138

• 09.12.8 - CVE: CVE-2009-0538
• Platform: Third Party Windows Apps
• Title: Symantec PCAnywhere Local Format String
• Description: Symantec PCAnywhere is a remote administration application for Microsoft Windows. PCAnywhere is exposed to a local format string issue due to a failure to sufficiently sanitize user supplied data. PCAnywhere versions 12.0, 12.1 and 12.5 are affected.
• Ref: http://www.symantec.com/avcenter/security/Content/2009.03.17.html

• 09.12.9 - CVE: Not Available
• Platform: Third Party Windows Apps
• Title: Talkative IRC "PRIVMSG" Buffer Overflow
• Description: Talkative IRC is a chat client for the IRC protocol. It is designed for Microsoft Windows operating systems. Talkative IRC is exposed to a buffer overflow issue that occurs when the client handles a malformed server prefix for the "PRIVMSG" command from a malicious server. Talkative IRC version 0.4.4.16 is affected.
• Ref: http://www.securityfocus.com/bid/34141

• 09.12.10 - CVE: CVE-2009-0778
• Platform: Linux
• Title: Linux Kernel "/proc/net/rt_cache" Remote Denial of Service
• Description: The Linux kernel is exposed to a remote denial of service issue related to the handling of routed network traffic. The software fails to properly flush the "/proc/net/rt_cache" file under some configurations. Specifically, cache entries for "REJECT" routes may not be properly removed. Linux kernel versions prior to 2.6.25 are affected.
• Ref: https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2009-0778

• 09.12.11 - CVE: Not Available
• Platform: Linux
• Title: Mandriva perl-MDK-Common Unspecified Privilege Escalation
• Description: Mandriva perl-MDK-Common is exposed to an unspecified privilege escalation issue because it fails to sufficiently validate user supplied input. Specifically, this issue is the result of Mandriva tools writing special characters to configuration files. An attacker may exploit this issue to gain elevated privileges.
• Ref: http://www.securityfocus.com/bid/34089

• 09.12.12 - CVE: Not Available
• Platform: Solaris
• Title: Sun Solaris Doors Kernel Functionality Multiple Vulnerabilities
• Description: The Doors subsystem of the Solaris kernel is exposed to multiple issues. An attacker may exploit these issues to execute arbitrary code in the context of the Solaris kernel or cause denial of service conditions. Solaris8, Solaris9, Solaris10 and OpenSolaris based on builds snv_01 through snv_93 are affected on both x86 and SPARC platforms.
• Ref: http://sunsolve.sun.com/search/document.do?assetkey=1-66-242486-1

• 09.12.13 - CVE: Not Available
• Platform: Solaris
• Title: Sun Solaris Keysock Kernel Module Local Denial of Service
• Description: Sun Solaris is a UNIX-based operating system. The Solaris keysock kernel module is exposed to a local denial of service issue that occurs when local privileged attackers create specially malformed "PF_KEY" sockets. The kernel fails to properly handle these new sockets, resulting in a system panic.
• Ref: http://sunsolve.sun.com/search/document.do?assetkey=1-66-253568-1

• 09.12.14 - CVE: Not Available
• Platform: Solaris
• Title: Sun Solaris UFS File System Multiple Local Denial of Service Vulnerabilities
• Description: Sun Solaris is a UNIX-based operating system. Sun Solaris is exposed to multiple denial of service issues in the UFS filesystem. The issues are related to the "ufs_getpage()" and "ufs_putpage()" routines.
• Ref: http://sunsolve.sun.com/search/document.do?assetkey=1-66-254628-1

• 09.12.15 - CVE: Not Available
• Platform: Solaris
• Title: Sun Solaris Kerberos Incremental Propagation Remote Denial Of Service
• Description: Sun Solaris Kerberos is a network authentication protocol. The application is exposed to a denial of service issue. An attacker may exploit this issue to prevent incremental propagation of messages from master to slave Key Distribution Center (KDC) servers, resulting in denial of service conditions. Solaris 10 and OpenSolaris based on builds snv_01 through snv_110 are affected.
• Ref: http://sunsolve.sun.com/search/document.do?assetkey=1-66-249926-1

• 09.12.16 - CVE: CVE-2009-0876
• Platform: Cross Platform
• Title: Sun xVM VirtualBox Local Privilege Escalation
• Description: Sun xVM VirtualBox is an open-source virtualization application available for various operating systems. Sun xVM VirtualBox is exposed to a local privilege escalation issue. Local unprivileged attackers who are authorized to run VirtualBox can exploit this issue to execute arbitrary commands with superuser privileges. Sun xVM VirtualBox versions 2.0 and 2.1 are affected.
• Ref: http://bugs.gentoo.org/show_bug.cgi?id=260331

• 09.12.17 - CVE: CVE-2009-0632
• Platform: Cross Platform
• Title: Cisco Unified Communications Manager PAB Synchronizer Privilege Escalation
• Description: Cisco Unified Communications Manager (CUCM) is a software-based call-processing component of the Cisco IP telephony solution. The application was formerly named Unified CallManager. CUCM is exposed to a remote privilege escalation issue that occurs in the Cisco IP Phone Personal Address Book (PAB) feature. Attackers can exploit this issue to gain administrative access to the affected device and completely compromise it. Ref: http://www.cisco.com/en/US/products/products_security_advisory09186a0080a8643c.shtml

• 09.12.18 - CVE: Not Available
• Platform: Cross Platform
• Title: Sun Java System Communications Express Multiple HTML Injection Vulnerabilities
• Description: Sun Java System Communications Express is a web client for the Sun Java Communications Suite. It provides calendaring, task management, and access to browser-based email. The application is exposed to multiple HTML injection issues because it fails to sufficiently sanitize user-supplied data to the "Full Name" page header and message "Subject" form fields.
• Ref: http://www.securityfocus.com/archive/1/501672

• 09.12.19 - CVE: Not Available
• Platform: Cross Platform
• Title: PostgreSQL Conversion Encoding Remote Denial of Service
• Description: PostgreSQL is an open-source relational database suite. It is available for UNIX, Linux, and variants, as well as Apple Mac OS X and Microsoft Windows operating systems. PostgreSQL is exposed to a remote denial of service issue that occurs when handling conversion encoding, and can result in a stack overflow.
• Ref: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=517405

• 09.12.20 - CVE: CVE-2009-0854
• Platform: Cross Platform
• Title: DASH ".profile" Local Privilege Escalation
• Description: DASH is a POSIX-compliant implementation of "/bin/sh". DASH is exposed to a local issue that results in code execution with elevated privileges. This issue occurs because it insecurely reads ".profile" files from a local user's current working directory when it is used as a login shell.
• Ref: http://www.securityfocus.com/bid/34092

• 09.12.21 - CVE: CVE-2009-0016, CVE-2009-0143
• Platform: Cross Platform
• Title: Apple iTunes Information Disclosure and Denial of Service Vulnerabilities
• Description: Apple iTunes is a media player for Microsoft Windows and Apple MAC OS X. The application is exposed to multiple issues. Successfully exploiting these issues may allow the attacker to obtain sensitive information or cause the affected application to crash, denying service to legitimate users. Apple iTunes versions prior to 8.1 are affected.
• Ref: http://www.fortiguardcenter.com/advisory/FGA-2009-11.html

• 09.12.22 - CVE: Not Available
• Platform: Cross Platform
• Title: Radiator Multiple Remote Denial of Service Vulnerabilities
• Description: Radiator is a RADIUS server available for multiple platforms. The application is exposed to multiple issues. Successfully exploiting these issues will allow attackers to crash the server, denying service to legitimate users. Radiator versions prior to 4.4 are affected.
• Ref: http://www.open.com.au/radiator/history.html

• 09.12.23 - CVE: Not Available
• Platform: Cross Platform
• Title: JDKChat Malformed Command Remote Integer Overflow
• Description: JDKChat is a chat server application available for Unix, Linux and other Unix-like operating systems. The software is exposed to an integer overflow issue because the application fails to perform adequate boundary checks on users-supplied data. The vulnerability occurs when the application handles malformed commands. JDKChat version 1.5 is affected.
• Ref: http://www.securityfocus.com/bid/34102

• 09.12.24 - CVE: CVE-2009-0824
• Platform: Cross Platform
• Title: IBM WebSphere Application Server WAR File Information Disclosure
• Description: IBM WebSphere Application Server (WAS) is an application server used for service-oriented architecture. WAS is exposed to an information disclosure issue. Specifically, web-based applications may disclose application-specific files contained within the WAR file. WAS versions 5.1.0, 6.0.2, 6.1, and 7.0 are affected.
• Ref: http://www-01.ibm.com/support/docview.wss?uid=swg27014463

• 09.12.25 - CVE: CVE-2009-0582
• Platform: Cross Platform
• Title: Evolution Data Server "ntlm_challenge()" Memory Contents Information Disclosure
• Description: Evolution Data Server is an application that offers email, address book, and calendar functions for users of the GNOME desktop. The application is exposed to an information disclosure issue that can allow attackers to obtain contents of a portion of the memory. Specifically, the issue occurs because the NTLM SASL authentication mechanism does not properly validate the server's challenge packets in the "ntlm_challenge()" function of the "camel/camel-sasl-ntlm.c" file. Evolution Data Server version 2.45.5 is affected.
• Ref: http://support.avaya.com/elmodocs2/security/ASA-2009-087.htm

• 09.12.26 - CVE: Not Available
• Platform: Cross Platform
• Title: Rapid Leech Upload Function Multiple Remote Input Validation Vulnerabilities
• Description: Rapid Leech is a server-side script for uploading and downloading files from multiple third-party download sites. The application is exposed to multiple input validation issues. Exploiting these issues could allow an attacker to view and execute arbitrary local files within the context of the webserver, and steal cookie-based authentication credentials; this may aid in further attacks.
• Ref: http://www.securityfocus.com/archive/1/501854

• 09.12.27 - CVE: Not Available
• Platform: Cross Platform
• Title: Gretech GOM Encoder ".srt" File Remote Buffer Overflow
• Description: Gretech GOM Encoder is a video transcoder application. GOM Encoder is exposed to a remote heap-based buffer overflow issue because it fails to perform adequate checks on user-supplied input when transcoding videos with embedded subtitles. Specifically, this issue occurs when the "Preview/ Set Segment" function parses malformed ".srt" files. GOM Encoder versions 1.0.0.11 and earlier are affected.
• Ref: http://security.bkis.vn/?p=352

• 09.12.28 - CVE: Not Available
• Platform: Cross Platform
• Title: VLC Media Player Web Interface "input" Parameter Remote Buffer Overflow
• Description: VLC Media Player is a media player application available for a number of platforms. VLC Media Player supports a web-based interface. The web interface is exposed to a remote stack-based buffer overflow issue because it fails to perform adequate boundary checks on user-supplied data. VLC Media Player version 0.9.8a is affected.
• Ref: http://www.securityfocus.com/bid/34126

• 09.12.29 - CVE: Not Available
• Platform: Cross Platform
• Title: Serv-U "SMNT" Command Remote Denial of Service Vulnerabilities
• Description: Serv-U is a file server application. Serv-U is exposed to a remote denial of service issue. Specifically, this issue occurs when processing an excessively large "SMNT" command. Successfully exploiting this issue will allow attackers to deny service to legitimate users. Serv-U version 7.4.0.1 is affected.
• Ref: http://www.securityfocus.com/bid/34127

• 09.12.30 - CVE: Not Available
• Platform: Cross Platform
• Title: PPLive URI Handlers "LoadModule" Parameter Multiple Remote Code Execution Vulnerabilities
• Description: PPLive is a peer-to-peer streaming video application. PPLive is exposed to multiple remote code execution issues because it fails to sufficiently sanitize user-supplied input when handling multiple URIs. Specifically, a URI containing the "/LoadModule" command line parameter may specify an arbitrary, remote library file which will be loaded and executed within the context of the vulnerable application. PPLive version 1.9.21 is affected.
• Ref: http://www.securityfocus.com/bid/34128

• 09.12.31 - CVE: Not Available
• Platform: Cross Platform
• Title: Google Chrome Single Thread Alert Out of Bounds Memory Access
• Description: Google Chrome is a web browser. Google Chrome is exposed to an issue that allows access to out-of-bounds memory. The problem occurs because the application fails to perform adequate boundary checks on user-supplied data. Specifically, when the application processes an "alert()" function call with a single excessively long parameter, out-of-bounds memory is accessed. Google Chrome version 1.0.154.48 is affected.
• Ref: http://www.securityfocus.com/bid/34130

• 09.12.32 - CVE: CVE-2008-4564
• Platform: Cross Platform
• Title: Autonomy KeyView Module Unspecified Buffer Overflow
• Description: Autonomy KeyView is a component used in multiple applications. It adds high-speed filtering, high-fidelity viewing, and exporting of documents to web-ready HTML or valid XML. Autonomy KeyView module is exposed to an unspecified buffer overflow issue because it fails to perform adequate boundary checks on user-supplied data before copying it to insufficiently sized buffers. Multiple products using the KeyView module are affected. Ref: http://labs.idefense.com/intelligence/vulnerabilities/display.php?id=774

• 09.12.33 - CVE: CVE-2009-0661
• Platform: Cross Platform
• Title: WeeChat IRC Message Remote Denial of Service
• Description: WeeChat is an IRC client application. HydraIRC is exposed to a denial of service issue. This issue when handling special characters containd in an IRC message. An attacker may exploit this issue to crash the application, resulting in a denial of service condition. WeeChat versions prior to 0.2.6.1 are affected.
• Ref: http://weechat.flashtux.org/

• 09.12.34 - CVE: CVE-2006-3682
• Platform: Cross Platform
• Title: AWStats "awstats.pl" Multiple Path Disclosure
• Description: AWStats is an application that provides statistics on server traffic. It is implemented in Perl. AWStats is exposed to a path disclosure issue. Specifically, by passing invalid input to the "config" parameter of the "awstats.pl" script an attacker may trigger an error message disclosing installation paths. AWStats version 6.5 (build 1.857) and prior are affected and WebGUI Runtime Environment versions prior to 0.9.0 are also affected.
• Ref: http://www.plainblack.com/bugs/tracker/8964

• 09.12.35 - CVE: Not Available
• Platform: Web Application - Cross Site Scripting
• Title: TikiWiki "tiki-galleries.php" Cross-Site Scripting
• Description: TikiWiki is a freely-available PHP-based wiki application. The application is exposed to a cross-site scripting issue because it fails to sufficiently sanitize user-supplied input in the "PATH_INFO" PHP parameter of the "tiki-galleries.php" script. TikiWiki versions 2.2 through to 3.0 beta1 are affected.
• Ref: http://www.securityfocus.com/archive/1/501702

• 09.12.36 - CVE: Not Available
• Platform: Web Application - Cross Site Scripting
• Title: TikiWiki "tiki-list_file_gallery.php" Cross-Site Scripting
• Description: TikiWiki is a freely-available PHP-based wiki application. The application is exposed to a cross-site scripting issue because it fails to sufficiently sanitize user-supplied input to the "PATH_INFO" PHP parameter of the "tiki-list_file_gallery.php" script. TikiWiki versions 2.2 through to 3.0 beta1 are affected.
• Ref: http://www.securityfocus.com/bid/34106

• 09.12.37 - CVE: Not Available
• Platform: Web Application - Cross Site Scripting
• Title: TikiWiki "tiki-listpages.php" Cross-Site Scripting
• Description: TikiWiki is a freely-available PHP-based wiki application. The application is exposed to a cross-site scripting issue because it fails to sufficiently sanitize user-supplied input to the "PATH_INFO" PHP parameter of the "tiki-listpages.php" script. TikiWiki versions 2.2 through to 3.0 beta1 are affected.
• Ref: http://www.securityfocus.com/archive/1/501702

• 09.12.38 - CVE: Not Available
• Platform: Web Application - Cross Site Scripting
• Title: TikiWiki "tiki-orphan_pages.php" Cross-Site Scripting
• Description: TikiWiki is a freely-available PHP-based wiki application. The application is exposed to a cross-site scripting issue because it fails to sufficiently sanitize user-supplied input to the "PATH_INFO" PHP parameter of the "tiki-orphan_pages.php" script. TikiWiki versions 2.2 through to 3.0 beta1 are affected.
• Ref: http://www.securityfocus.com/archive/1/501702

• 09.12.39 - CVE: Not Available
• Platform: Web Application - Cross Site Scripting
• Title: PTK Arbitrary Command Execution and Cross-Site Scripting Vulnerabilities
• Description: PTK is a web-based graphical interface for the Sleuthkit Interface computer forensics tool. PTK is eposed to an issue that lets attackers execute arbitrary commands because it fails to properly sanitize user-supplied input. PTK versions 1.0.1 up to and including 1.0.4 are affected.
• Ref: http://www.kb.cert.org/vuls/id/845747

• 09.12.40 - CVE: Not Available
• Platform: Web Application - Cross Site Scripting
• Title: Multiple EditeurScripts Products "msg" Parameter Cross-Site Scripting
• Description: EsBaseAdmin and EsPartenaires are web-based applications implemented in PHP. Multiple EditeurScripts products are exposed to a cross-site scripting issue because they fail to sufficiently sanitize user-supplied input to the "msg" parameter of the "login.php" script. EsBaseAdmin version 2.1 and EsPartenaires version 1.0 are affected.
• Ref: http://www.securityfocus.com/bid/34112

• 09.12.41 - CVE: Not Available
• Platform: Web Application - Cross Site Scripting
• Title: BLOG:CMS Unspecified Cross-Site Scripting
• Description: BLOG:CMS is a content management system implemented in PHP. The application is exposed to an unspecified cross-site scripting issue because it fails to sufficiently sanitize user-supplied input. BLOG:CMS versions prior to 4.2.0 are affected.
• Ref: http://www.securityfocus.com/archive/1/501776

• 09.12.42 - CVE: Not Available
• Platform: Web Application - Cross Site Scripting
• Title: A.CMS Unspecified Cross-Site Scripting
• Description: A.CMS is a content management system implemented in PHP. The application is exposed to an unspecified cross-site scripting issue because it fails to sufficiently sanitize user-supplied input. A.CMS versions prior to 1.23 are affected.
• Ref: http://www.securityfocus.com/archive/1/501777

• 09.12.43 - CVE: Not Available
• Platform: Web Application - Cross Site Scripting
• Title: Access Analyzer CGI Unspecified Cross-Site Scripting
• Description: Access Analyzer CGI is a Perl-based application that allows users to view web access logs. The application is exposed to an unspecified cross-site scripting issue because it fails to sufficiently sanitize user-supplied input. Access Analyzer CGI version 3.8.1 is affected.
• Ref: http://jvn.jp/en/jp/JVN23558374/index.html

• 09.12.44 - CVE: Not Available
• Platform: Web Application - Cross Site Scripting
• Title: ejabberd MUC Logs Cross-Site Scripting
• Description: ejabberd is a fault tolerant technology for large scale instant messaging applications. The application is exposed to a cross-site scripting issue because it fails to sufficiently sanitize user-supplied input to the MUC logs. ejabberd versions prior to 2.0.4 are affected. Ref: http://www.process-one.net/en/ejabberd/release_notes/release_note_ejabberd_204

• 09.12.45 - CVE: Not Available
• Platform: Web Application - Cross Site Scripting
• Title: Sun Java System Messenger Express "error" Parameter Cross-Site Scripting
• Description: Sun Java System Messenger Express is a webmail application. The application is exposed to a cross-site scripting issue because it fails to properly sanitize user-supplied input to the "error" parameter of the "index.html" page. Sun Java System Messenger Express version 6.3-0.15 is affected.
• Ref: http://www.securityfocus.com/bid/34140

• 09.12.46 - CVE: CVE-2008-6448
• Platform: Web Application - Cross Site Scripting
• Title: MTCMS WYSIWYG Editor "install.cgi" Cross-Site Scripting
• Description: MTCMS WYSIWYG Editor is a web-based application implemented in Perl. MTCMS WYSIWYG Editor is exposed to a cross-site scripting issue because it fails to sufficiently sanitize user-supplied input. This issue affects an unspecified parameter of the "install.cgi" script.
• Ref: http://jvn.jp/en/jp/JVN21312708/index.html

• 09.12.47 - CVE: Not Available
• Platform: Web Application - SQL Injection
• Title: OpenPHPnuke SQLite Abstraction Layer SQL Injection
• Description: OpenPHPnuke is a PHP-based content manager. OpenPHPnuke is exposed to an SQL injection issue because it fails to sufficiently sanitize user-supplied data before using it in an SQL query. This issue occurs in the SQLite database abstraction layer. OpenPHPnuke versions prior to 2.4.16 are affected.
• Ref: http://www.securityfocus.com/bid/34088

• 09.12.48 - CVE: Not Available
• Platform: Web Application - SQL Injection
• Title: Maarch Login Page SQL Injection
• Description: Maarch is a PHP-based framework application. The application is exposed to an SQL injection issue because it fails to sufficiently sanitize user-supplied data to the "login" parameter of the "login.php" script. Maarch versions prior to 3.0 are affected.
• Ref: http://www.maarch.org/maarch_wiki/Maarch_Framework_3/Changelog_EN

• 09.12.49 - CVE: Not Available
• Platform: Web Application - SQL Injection
• Title: Bricolage Unspecified SQL Injection
• Description: Bricolage is a content management system. It is implemented in Perl and it is available for Linux and Unix platforms. Bricolage is exposed to an SQL injection issue because it fails to sufficiently sanitize input before using it in an SQL-query for stories, media, and templates. Bricolage versions prior to 1.10.7 are affected.
• Ref: http://www.securityfocus.com/bid/34110

• 09.12.50 - CVE: Not Available
• Platform: Web Application - SQL Injection
• Title: Kim Websites "login.php" SQL Injection
• Description: Kim Websites is a content management system implemented in PHP. The application is exposed to an SQL injection issue because it fails to sufficiently sanitize user-supplied data to the "username" field of the "login.php" script. Kim Websites version 1.0 is affected.
• Ref: http://www.securityfocus.com/bid/34116

• 09.12.51 - CVE: Not Available
• Platform: Web Application - SQL Injection
• Title: OpenCart "order" Parameter SQL Injection
• Description: OpenCart is a shopping cart application. The application is exposed to an SQL injection issue because it fails to sufficiently sanitize user-supplied data to the "order" parameter. OpenCart version 1.1.8 is affected. Ref: http://www.ngenuity.org/wordpress/2009/03/10/ngenuity-2009-005-opencart-order-by-blind-sql-injection/

• 09.12.52 - CVE: Not Available
• Platform: Web Application - SQL Injection
• Title: Beerwin's PHPLinkAdmin Remote File Include and Multiple SQL Injection Vulnerabilities
• Description: Beerwin's PHPLinkAdmin is a PHP-based web application. The application is exposed to multiple input validation issues. A successful exploit may allow an attacker to execute malicious code within the context of the web server process, compromise the application, access or modify data, or exploit latent vulnerabilities in the underlying database. Beerwin's PHPLinkAdmin version 1.0 is affected.
• Ref: http://www.securityfocus.com/bid/34129

• 09.12.53 - CVE: Not Available
• Platform: Web Application - SQL Injection
• Title: phpComasy "index.php" SQL Injection
• Description: phpComasy is a content manager implemented in PHP. The application is exposed to an SQL injection issue because it fails to sufficiently sanitize user-supplied data to the "entry_id" parameter of the "index.php" script. phpComasy version 0.9 is affected.
• Ref: http://www.securityfocus.com/bid/34131

• 09.12.54 - CVE: Not Available
• Platform: Web Application - SQL Injection
• Title: GDL "node" Parameter SQL Injection
• Description: GDL (Ganesha Digital Library) is a PHP-based digital library application. The application is exposed to an SQL injection issue because it fails to sufficiently sanitize user-supplied data to the "node" parameter of the "gdl.php" script when the "mod" parameter is set to "browse". GDL versions 4.0 and 4.2 are affected.
• Ref: http://www.securityfocus.com/bid/34144

• 09.12.55 - CVE: Not Available
• Platform: Web Application - SQL Injection
• Title: PHPRunner "SearchField" Parameter SQL Injection
• Description: PHPRunner is a PHP code generator available for Microsoft Windows. The application generates scripts that are exposed to an SQL injection issue because they fail to sufficiently sanitize user-supplied data to the "SearchField" parameter before using it in an SQL query. PHPRunner version 4.2 is affected.
• Ref: http://www.securityfocus.com/archive/1/501894

• 09.12.56 - CVE: Not Available
• Platform: Web Application - SQL Injection
• Title: WordPress fMoblog Plugin "id" Parameter SQL Injection
• Description: fMoblog is a plugin for the WordPress web-based publishing application; it allows users to post images and descriptions from a cell phone. The plugin is exposed to an SQL injection issue because it fails to sufficiently sanitize user-supplied data to the "id" parameter of the "index.php" script when the "page_id" parameter is set, before using the data in an SQL query. fMoblog version 2.1 is affected.
• Ref: http://www.securityfocus.com/bid/34147

• 09.12.57 - CVE: Not Available
• Platform: Web Application
• Title: Traidnt UP "uploadcp/files.php" Insecure Cookie Authentication Bypass
• Description: Traidnt UP is a web-based application implemented in PHP. The application is exposed to an authentication bypass issue affecting the "uploadcp/files.php" script. Specifically, the script will allow actions to be taken as an administrator if the "trupuser" cookie parameter is set to any value. Traidnt UP version 2.0 is affected.
• Ref: http://www.securityfocus.com/bid/34087

• 09.12.58 - CVE: Not Available
• Platform: Web Application
• Title: Drupal Forward Module Flood Control API Open Email Relay
• Description: Drupal Forward module allows users to forward a link to a specific node on a website. Drupal Forward module is exposed to an open-email relay issue because the application fails to properly implement the Drupal flood control API. Drupal Forward versions prior to 5.x-1.19 and 6.x-1.0 are affected.
• Ref: http://drupal.org/node/398564

• 09.12.59 - CVE: Not Available
• Platform: Web Application
• Title: ModSecurity Multiple Remote Denial of Service Vulnerabilities
• Description: ModSecurity is an Apache module that provides firewall protection for web applications. The module is exposed to multiple issues: a denial of service issue that affects the module when the PDF XSS option is enabled, and an unspecified error exists in the module that could crash the Apache "httpd" process by sending crafted multipart content with a missing part header name. ModSecurity versions prior to 2.5.9 are affected.
• Ref: http://sourceforge.net/project/shownotes.php?release_id=667542

• 09.12.60 - CVE: Not Available
• Platform: Web Application
• Title: Trellis Desk SQL Injection and Cross-Site Scripting Vulnerabilities
• Description: Trellis Desk is a PHP-based helpdesk application. Z1Exchange is exposed to an SQL injection issue and a cross-site scripting issue because it fails to sufficiently sanitize user-supplied data. Specifically, the issues affect the "keywords" parameter of the "sources/article.php" script. Trellis Desk version 1.0 is affected.
• Ref: http://www.securityfocus.com/archive/1/501707

• 09.12.61 - CVE: Not Available
• Platform: Web Application
• Title: PhpMySport Multiple Cross-Site Scripting and SQL Injection Vulnerabilities
• Description: PhpMySport is a PHP-based sports management application. Since it fails to adequately sanitize user-supplied input, the application is exposed to multiple issues. Exploiting these issues could allow an attacker to steal cookie-based authentication credentials, compromise the application, access or modify data, or exploit latent vulnerabilities in the underlying database. PhpMySport version 1.4 is affected.
• Ref: http://www.securityfocus.com/bid/34101

• 09.12.62 - CVE: Not Available
• Platform: Web Application
• Title: YAP "index.php" Local File Include
• Description: YAP is a PHP based web application. The application is exposed to a local file include issue because it fails to properly sanitize user-supplied input to the "page" parameter of the "index.php" script. YAP version 1.1.1 is affected.
• Ref: http://www.securityfocus.com/bid/34117

• 09.12.63 - CVE: Not Available
• Platform: Web Application
• Title: Cryptographp "index.php" Local File Include
• Description: Cryptographp is a PHP-based CAPTCHA system. The application is exposed to a local file include issue because it fails to properly sanitize user-supplied input to the "cfg" parameter. Cryptographp version 1.4 is affected.
• Ref: http://www.securityfocus.com/bid/34122

• 09.12.64 - CVE: Not Available
• Platform: Web Application
• Title: cPanel Legacy File Manager File Name HTML Injection
• Description: cPanel is a web-hosting control panel implemented in PHP. The application is exposed to an HTML-injection issue because it fails to properly sanitize user-supplied input before using it in dynamically generated content. This issue occurs in the file manager and legacy file manager components. cPanel version 11.24.4 is affected.
• Ref: http://www.securityfocus.com/archive/1/501886

• 09.12.65 - CVE: Not Available
• Platform: Web Application
• Title: PHP Pro Bid "includes/class_image.php" Remote File Include
• Description: PHP Pro Bid is a PHP-based auction application. The application is exposed to a remote file include issue because it fails to sufficiently sanitize user-supplied input to the "fileExtension" parameter of the "includes/class_image.php" script. PHP Pro Bid version 6.05 is affected.
• Ref: http://www.securityfocus.com/bid/34145

• 09.12.66 - CVE: CVE-2008-6420
• Platform: Web Application
• Title: Social Site Generator Multiple Information Disclosure Vulnerabilities
• Description: Social Site Generator is a web-based social networking application. The application is exposed to multiple information disclosure issues because it fails to properly restrict which files can be specified through the following scripts and parameters: "filedload.php": "file", "webadmin/download.php" : "file" and "webadmin/download_file.php".
• Ref: http://www.securityfocus.com/bid/34149

• 09.12.67 - CVE: Not Available
• Platform: Web Application
• Title: Mega File Hosting Script "cross.php" Remote File Include
• Description: Mega File Hosting Script is a PHP-based application for uploading files onto a web server. The application is exposed to a remote file include issue because it fails to sufficiently sanitize user-supplied input to the "url" parameter of the "cross.php" script. Mega File Hosting Script version 1.2 is affected.
• Ref: http://www.securityfocus.com/bid/34157

• 09.12.68 - CVE: Not Available
• Platform: Web Application
• Title: Pivot "refkey" Arbitrary File Deletion
• Description: Pivot is a web-based application implemented in PHP. The application is exposed to an issue that lets attackers delete arbitrary files in the context of the web server process. Specifically, the "refkey" parameter of the "extensions/bbclone_tools/count.php" script allows attackers to delete arbitrary files on the computer in the context of the server application.
• Ref: http://www.securityfocus.com/bid/34160

• 09.12.69 - CVE: Not Available
• Platform: Network Device
• Title: HP Multiple LaserJet Printers Cross-Site Request Forgery
• Description: HP LaserJet printers are network-attached printers. The devices' embedded web server is exposed to a cross-site request forgery issue that may allow attackers to change a device's configuration and perform other unauthorized actions. HP LaserJet M1522n MFP and HP Color LaserJet 2605dtn are affected. Ref: http://h20000.www2.hp.com/bizsupport/TechSupport/Document.jsp?objectID=c01684566

(c) 2009. All rights reserved. The information contained in this newsletter, including any external links, is provided "AS IS," with no express or implied warranty, for informational purposes only. In some cases, copyright for material in this newsletter may be held by a party other than Qualys (as indicated herein) and permission to use such material must be requested from the copyright owner.

Subscriptions: @RISK is distributed free of charge by the SANS Institute to people responsible for managing and securing information systems and networks. You may forward this newsletter to others with such responsibility inside or outside your organization.