
@RISK: The Consensus Security Vulnerability Alert

Volume: VIII, Issue: 13
March 26, 2009

Unpatched, critical vulnerability reported in the core of nearly all versions of Windows. Plus patched critical vulnerabilities in Adobe Reader and Acrobat and HP OpenView. Alan

PS. If you are working in application security (perhaps taking on the cool new job of application security manager) and are trying to learn which tools work best for finding flaws or blocking attacks, try to get a seat at the Washington DC workshop where feds and financial users will share their experiences in using nearly all the popular application security tools (white box, black box, firewalls). Register at http://www.sans.org/appsec09_summit/ . A similar workshop on log management is at http://www.sans.org/logmgtsummit09

@RISK is the SANS community's consensus bulletin summarizing the most important vulnerabilities and exploits identified during the past week and providing guidance on appropriate actions to protect your systems (PART I). It also includes a comprehensive list of all new vulnerabilities discovered in the past week (PART II).

Summary of the vulnerabilities reported this week:

Category                                  # of Updates & Vulnerabilities
------------------------                  ------------------------------
Third Party Windows Apps                  9 (#1, #6)
Mac Os                                    5
Linux                                     3
HP-UX                                     1
BSD                                       2
Cross Platform                            15 (#2, #3, #4, #5)
Web Application - Cross Site Scripting    3
Web Application - SQL Injection           14
Web Application                           13
Network Device                            3

*********** Sponsored By Qualys ***********

Qualys presents these popular PCI resources to help your organization show proven ROI and help automate compliance initiatives.
"PCI Compliance Current & Future Trends" webcast: http://www.sans.org/info/41143
COSEC Compliance Through Security Poster: http://www.sans.org/info/41148
"4 Steps to Automate IT Security Compliance" whitepaper: http://www.sans.org/info/41153

*************************************************************************

TRAINING UPDATE
- - Phoenix 3/23-3/30 (5 courses) http://www.sans.org/phoenix09/
- - Washington DC (Tyson's Corner) 4/14-4/22 (5 long courses and 8 short courses) http://www.sans.org/tysonscorner09/event.php
- - Log Management Summit in Washington 4/5-4/7 http://www.sans.org/logmgtsummit09/
- - Plus Calgary, New Orleans, San Diego and more...
- - Looking for training in your own Community? http://sans.org/community/
For a list of all upcoming events, on-line and live: www.sans.org

*************************************************************************

Table Of Contents
Part II -- Comprehensive List of Newly Discovered Vulnerabilities from Qualys (www.qualys.com)
Third Party Windows Apps
Mac Os
Linux
HP-UX
BSD
Cross Platform
Web Application - Cross Site Scripting
Web Application - SQL Injection
Web Application
Network Device

******************** SPONSORED LINKS **********************************

1) CA Identity Lifecycle Management - View this 4 minute demo at: http://www.sans.org/info/41158

2) Cisco Systems Cisco Enterprise Policy Manager - View this 15 minute demo at: http://www.sans.org/info/41188

3) Damballa, Inc. Failsafe - View this 24 minute demo at: http://www.sans.org/info/41193

*************************************************************************

PART I Critical Vulnerabilities

Part I for this issue has been compiled by Rohan Kotian at TippingPoint, a division of 3Com, as a by-product of that company's continuous effort to ensure that its intrusion prevention products effectively block exploits using known vulnerabilities. TippingPoint's analysis is complemented by input from a council of security managers from twelve large organizations who confidentially share with SANS the specific actions they have taken to protect their systems. A detailed description of the process may be found at http://www.sans.org/newsletters/cva/#process

Widely Deployed Software
  • (1) CRITICAL: Microsoft GDIPlus EMF 'GpFont.SetData()' Buffer Overflow Vulnerability
  • Affected:
    • Microsoft Windows XP Professional SP2
    • Microsoft Windows XP Professional SP1
    • Microsoft Windows XP Professional
    • Microsoft Windows XP Media Center Edition SP2
    • Microsoft Windows XP Media Center Edition SP1
    • Microsoft Windows XP Media Center Edition
    • Microsoft Windows XP Home SP2
    • Microsoft Windows XP Home SP1
    • Microsoft Windows XP Home
    • Microsoft Windows XP Gold 0
    • Microsoft Windows XP 0
    • Microsoft Office XP SP2 and prior
  • Description: The Graphics Device Interface (GDI) is an application programming interface in Microsoft Windows. It is a core operating system component responsible for representing graphical objects. Microsoft Windows GDI has an integer overflow vulnerability in gdiplus.dll while processing Enhanced Metafile (EMF) files. Possible vectors to exploit the flaw are: (a) creating a webpage containing a malicious WMF or EMF image file and enticing a user to visit that webpage; (b) sending an email with a specially crafted EMF image file attachment and convincing the user to view it; or (c) embedding the malicious image file in an Office document and convincing the user to open it. Successful exploitation might lead to code execution or denial of service. Technical details about the vulnerability are publicly available.

  • Status: Vendor not yet confirmed, no updates available.

  • References:
  • (2) CRITICAL: Adobe Reader and Acrobat JBIG2 Processing Multiple Vulnerabilities (APSA09-04)
  • Affected:
    • Adobe Acrobat Standard 8.1.3 and prior
    • Adobe Acrobat Standard 7.0.8 and prior
    • Adobe Acrobat Standard 9
    • Adobe Acrobat Standard 8.1 and prior
    • Adobe Acrobat Standard 7.1
    • Adobe Acrobat Reader (UNIX) 7.0.1 and prior
    • Adobe Acrobat Reader 8.1.3 and prior
    • Adobe Acrobat Reader 7.0.9 and prior
    • Adobe Acrobat Reader 9
    • Adobe Acrobat Reader 8.1 and prior
    • Adobe Acrobat Reader 7.1
    • Adobe Acrobat Professional 8.1.3 and prior
    • Adobe Acrobat Professional 7.0.9 and prior
    • Adobe Acrobat Professional 9
    • Adobe Acrobat Professional 8.1 and prior
    • Adobe Acrobat Professional 7.1
    • Adobe Acrobat 7.0.3 and prior
  • Description: Adobe Acrobat is a program designed to create, manage and view Portable Document Format (PDF) files, and Adobe Reader is designed only to view and print PDFs. Both Adobe Acrobat and Reader have buffer overflow vulnerabilities while handling JBIG2 streams inside a PDF file. JBIG2 is an image encoding standard for bi-level images. One of the flaws is due to a four-byte value which represents the number of values in a table and is used to allocate a buffer. This value is taken from the file without adequate checking, so a specially crafted PDF file can be used to overflow the buffer. The other flaw is due to a malformed JBIG2 symbol dictionary segment contained in a malicious PDF file. There are also other unspecified errors in the processing of these JBIG2 streams. Potential vectors of attack are sending the malicious PDF document as an email attachment, enticing the victim to visit a website that hosts the malicious document (which can be achieved via iframes), or placing the document on a file share. In each case the attacker has to convince the victim to open the file. Successful exploitation can lead to code execution. Some technical details are publicly available.

  • Status: Vendor confirmed, updates available.

  • References:
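Both items (1) and (2) above describe the same underlying defect: a size or count is read straight from an attacker-controlled file and used to compute an allocation, either wrapping a 32-bit product (the GDI+ integer overflow) or claiming more elements than the buffer can hold (the JBIG2 table count). The following C program is an added illustration, not code from Microsoft, Adobe or this bulletin; the segment layout it parses (a 4-byte big-endian count followed by 4-byte entries) and the MAX_ENTRIES cap are constructed for the example and are not the real EMF or JBIG2 encodings. It shows the unchecked 32-bit size computation wrapping, and a hardened parser that bounds every arithmetic step against the data actually present before any memory is allocated or copied.

```c
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>

/* Constructed layout for this example (NOT the real JBIG2 or EMF encoding):
 * a 4-byte big-endian entry count followed by `count` 4-byte entries. */
#define ENTRY_SIZE  4u
#define MAX_ENTRIES 65536u   /* assumed sanity cap for this toy format */

enum parse_status {
    PARSE_OK = 0,
    PARSE_SHORT_HEADER,   /* fewer than 4 bytes available for the count   */
    PARSE_SIZE_OVERFLOW,  /* count * ENTRY_SIZE would wrap in size_t      */
    PARSE_TOO_MANY,       /* count exceeds the format's sanity cap        */
    PARSE_TRUNCATED,      /* count claims more bytes than the input holds */
    PARSE_NO_MEMORY
};

struct table {
    uint32_t *entries;
    size_t    count;
};

static uint32_t read_be32(const uint8_t *p) {
    return ((uint32_t)p[0] << 24) | ((uint32_t)p[1] << 16) |
           ((uint32_t)p[2] << 8)  |  (uint32_t)p[3];
}

/* The unchecked computation: a 32-bit product silently wraps, so a huge
 * count yields a tiny allocation that a later copy loop overruns. */
uint32_t naive_alloc_size_u32(uint32_t count) {
    return count * ENTRY_SIZE;   /* wraps for count > 0x3FFFFFFF */
}

/* Hardened parser: validate the count against overflow, a format cap and
 * the bytes actually present before touching memory. */
enum parse_status parse_table_segment(const uint8_t *buf, size_t len,
                                      struct table *out) {
    out->entries = NULL;
    out->count = 0;
    if (len < 4) return PARSE_SHORT_HEADER;

    uint32_t count = read_be32(buf);
    if (count > SIZE_MAX / ENTRY_SIZE) return PARSE_SIZE_OVERFLOW;
    if (count > MAX_ENTRIES) return PARSE_TOO_MANY;

    size_t needed = (size_t)count * ENTRY_SIZE;  /* cannot wrap: checked above */
    if (needed > len - 4) return PARSE_TRUNCATED; /* len >= 4 here            */
    if (count == 0) return PARSE_OK;

    uint32_t *entries = malloc(needed);
    if (!entries) return PARSE_NO_MEMORY;
    for (uint32_t i = 0; i < count; i++)
        entries[i] = read_be32(buf + 4 + (size_t)i * ENTRY_SIZE);
    out->entries = entries;
    out->count = count;
    return PARSE_OK;
}

void table_free(struct table *t) {
    free(t->entries);
    t->entries = NULL;
    t->count = 0;
}

/* Constructed sample inputs (not taken from any real file). */
const uint8_t SAMPLE_GOOD[] = {0,0,0,2, 0x11,0x11,0x11,0x11, 0x22,0x22,0x22,0x22};
const uint8_t SAMPLE_SHORT[] = {0,0,0,3, 1,1,1,1, 2,2,2,2};   /* claims 3, holds 2 */
const uint8_t SAMPLE_HUGE[]  = {0xFF,0xFF,0xFF,0xFF, 0,0,0,0};

int main(void) {
    struct table t;
    enum parse_status s = parse_table_segment(SAMPLE_GOOD, sizeof SAMPLE_GOOD, &t);
    printf("good sample: status %d, %zu entries\n", s, t.count);
    table_free(&t);
    s = parse_table_segment(SAMPLE_SHORT, sizeof SAMPLE_SHORT, &t);
    printf("truncated sample: status %d\n", s);
    s = parse_table_segment(SAMPLE_HUGE, sizeof SAMPLE_HUGE, &t);
    printf("huge count: status %d\n", s);
    printf("naive 32-bit size for count 0x40000001: %u\n",
           naive_alloc_size_u32(0x40000001u));
    return 0;
}
```

The order of the checks matters: the overflow test must precede the multiplication, and the comparison against `len - 4` is only safe because the short-header test has already guaranteed `len >= 4`. A format-specific cap such as MAX_ENTRIES is a useful second line of defence even where the arithmetic is sound, since it bounds memory consumption from a single malformed segment.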
  • (4) HIGH: Multiple Mozilla Products Memory Corruption Vulnerability
  • Affected:
    • Mozilla Firefox version 3.0.x
    • Mozilla SeaMonkey version 1.1.15 and prior
  • Description: Products from the Mozilla Foundation, such as its popular Firefox web browser and the SeaMonkey internet suite, are vulnerable to memory corruption. While processing specially crafted Extensible Stylesheet Language Transformations (XSLT) there is an error within the "txMozillaXSLTProcessor::TransformToDoc()" function, which could either cause a denial of service or potentially execute arbitrary code. User interaction is needed: the victim has to visit the malicious webpage. Technical details are available for this vulnerability along with a public proof of concept.

  • Status: Vendor not confirmed, no updates available.

  • References:
Part II: Weekly Comprehensive List of Newly Discovered Vulnerabilities
Week 13, 2009

This list is compiled by Qualys (www.qualys.com) as part of that company's ongoing effort to ensure its vulnerability management web service tests for all known vulnerabilities that can be scanned. As of this week Qualys scans for 6792 unique vulnerabilities. For this special SANS community listing, Qualys also includes vulnerabilities that cannot be scanned remotely.


  • 09.13.1 - CVE: Not Available
  • Platform: Third Party Windows Apps
  • Title: CDex "ogg" File Buffer Overflow
  • Description: CDex is a CD audio extractor and multimedia player available for Microsoft Windows. The application is exposed to a buffer overflow issue because it fails to perform adequate checks on user-supplied input. Specifically, the issue occurs when parsing specially crafted ".ogg" (Ogg Vorbis) files. CDex version 1.70 (Beta 2) is affected.
  • Ref: http://www.securityfocus.com/archive/1/501928

  • 09.13.2 - CVE: Not Available
  • Platform: Third Party Windows Apps
  • Title: Icarus "PGN" File Remote Stack Buffer Overflow
  • Description: Icarus is a client application for the Internet Chess Club, available for Microsoft Windows. Icarus is exposed to a remote stack-based buffer overflow issue because it fails to perform adequate checks on user-supplied input. Specifically, this issue occurs when parsing malformed ".pgn" (Portable Game Notation) files. Icarus version 2.0 is affected.
  • Ref: http://www.securityfocus.com/bid/34167

  • 09.13.3 - CVE: Not Available
  • Platform: Third Party Windows Apps
  • Title: Internet Explorer Unspecified Remote Code Execution
  • Description: Internet Explorer is a browser for the Microsoft Windows operating system. Internet Explorer is exposed to a remote code execution issue caused by an unspecified error. Attackers can exploit this issue by enticing an unsuspecting user into opening a specially crafted webpage.
  • Ref: http://dvlabs.tippingpoint.com/blog/2009/03/18/pwn2own-2009-day-1---safari-internet-explorer-and-firefox-taken-down-by-four-zero-day-exploits

  • 09.13.4 - CVE: Not Available
  • Platform: Third Party Windows Apps
  • Title: BS.Player ".bsl" File Hostname Remote Buffer Overflow
  • Description: BS.Player is a multimedia player available for Microsoft Windows. The player is exposed to a remote stack-based buffer overflow vulnerability because it fails to perform adequate checks on user-supplied input. Specifically, this issue occurs when parsing excessively large hostnames contained in a ".bsl" file.
  • Ref: http://www.securityfocus.com/archive/1/502016

  • 09.13.5 - CVE: Not Available
  • Platform: Third Party Windows Apps
  • Title: POP Peeper "From" Mail Header Remote Buffer Overflow
  • Description: POP Peeper is an email notifier for Microsoft Windows. The application is exposed to a buffer overflow issue because it fails to properly bounds check user-supplied data before copying it into an insufficiently sized memory buffer. Specifically, if a server response contains an overly large string in a "From" mail header, then a stack-based buffer overflow occurs. POP Peeper version 3.4.0.0 is affected.
  • Ref: http://www.securityfocus.com/bid/34192

  • 09.13.6 - CVE: Not Available
  • Platform: Third Party Windows Apps
  • Title: Orbit Downloader ActiveX Control "download()" Method Arbitrary File Delete
  • Description: Orbit Downloader is a peer-to-peer ActiveX control for Microsoft Windows. The ActiveX control is exposed to an issue that lets attackers delete arbitrary files on the affected computer. Orbit Downloader version 2.8.7 is affected.
  • Ref: http://www.waraxe.us/advisory-73.html

  • 09.13.7 - CVE: Not Available
  • Platform: Third Party Windows Apps
  • Title: Sysax Multi Server FTP "DELE" Directory Traversal
  • Description: Sysax Multi Server is an SSH and FTP server for Microsoft Windows platforms. The application is exposed to a directory traversal issue because it fails to sufficiently sanitize user-supplied input. This issue affects FTP "DELE" commands. An authenticated attacker may delete arbitrary files outside of the FTP server root directory. Sysax Multi Server version 4.3 is affected.
  • Ref: http://www.securityfocus.com/bid/34209

  • 09.13.8 - CVE: Not Available
  • Platform: Third Party Windows Apps
  • Title: eXeScope File Handling Remote Buffer Overflow
  • Description: eXeScope is used to analyze, display information, and rewrite resources of executable files. eXeScope is exposed to a remote buffer overflow issue because it fails to perform adequate checks on user-supplied input. Specifically, this issue occurs when parsing executable files containing large amounts of data. eXeScope version 6.50 is affected.
  • Ref: http://www.securityfocus.com/bid/34219

  • 09.13.9 - CVE: CVE-2009-0215
  • Platform: Third Party Windows Apps
  • Title: IBM Access Support ActiveX Control "GetXMLValue()" Buffer Overflow
  • Description: IBM Access Support ActiveX control is an ActiveX control that allows users to collect system information. The application is exposed to a buffer overflow issue because it fails to bounds check user-supplied data before copying it into an insufficiently sized buffer. Successfully exploiting this issue allows remote attackers to execute arbitrary code in the context of the application using the ActiveX control (typically Internet Explorer).
  • Ref: http://www.kb.cert.org/vuls/id/340420

  • 09.13.10 - CVE: Not Available
  • Platform: Mac Os
  • Title: Apple Safari Unspecified Remote Code Execution Variant
  • Description: Apple Safari is a browser for the Mac OS X operating system. Safari is exposed to a remote code execution issue caused by an unspecified error. Attackers can exploit this issue by enticing an unsuspecting user into opening a specially crafted webpage.
  • Ref: http://dvlabs.tippingpoint.com/blog/2009/03/18/pwn2own-2009-day-1---safari-internet-explorer-and-firefox-taken-down-by-four-zero-day-exploits

  • 09.13.11 - CVE: Not Available
  • Platform: Mac Os
  • Title: Apple Safari Unspecified Remote Code Execution
  • Description: Apple Safari is a browser for the Mac OS X operating system. Safari is exposed to a remote code execution issue caused by an unspecified error. Attackers can exploit this issue by enticing an unsuspecting user into opening a specially crafted webpage, and thereby execute arbitrary code in the context of the user running the browser.
  • Ref: http://dvlabs.tippingpoint.com/blog/2009/03/18/pwn2own-2009-day-1---safari-internet-explorer-and-firefox-taken-down-by-four-zero-day-exploits

  • 09.13.12 - CVE: Not Available
  • Platform: Mac Os
  • Title: Apple Mac OS X AppleTalk Zip-Notify Remote Buffer Overflow
  • Description: Apple Mac OS X is exposed to a remote buffer overflow issue in AppleTalk because the application fails to perform adequate boundary checks on user-supplied data. The vulnerability occurs when handling a "ZIP-Notify" message. Mac OS X versions 10.5.1 and 10.5.2 are affected.
  • Ref: http://www.securityfocus.com/bid/34201

  • 09.13.13 - CVE: Not Available
  • Platform: Mac Os
  • Title: Apple Mac OS X Kernel Memory Multiple Local Information Disclosure Vulnerabilities
  • Description: The Apple Mac OS X kernel is exposed to multiple information disclosure issues. Attackers may leverage these issues to leak kernel memory so as to harvest sensitive information or to cause denial of service conditions.
  • Ref: http://www.securityfocus.com/bid/34202

  • 09.13.14 - CVE: Not Available
  • Platform: Mac Os
  • Title: Apple Mac OS X HFS Plus Local Privilege Escalation
  • Description: Apple Mac OS X is exposed to a local privilege escalation issue that is related to the handling of HFS Plus formatted disk images. Mac OS X versions 10.4.8 through 10.4.11 and 10.5.0 through 10.5.6 are affected.
  • Ref: http://www.securityfocus.com/bid/34203

  • 09.13.15 - CVE: Not Available
  • Platform: Linux
  • Title: system-config-printer Package Romanian Translation Insecure Configuration Weakness
  • Description: The "system-config-printer" package is exposed to a security weakness that may result in unsafe printer configurations. This issue occurs because both "Allow printing for everyone except these users" and "Deny printing for everyone except these users" are translated by the application to "Permite imprimarea pentru toata lumea mai putin acesti utilizatori", which is the opposite of "Deny printing for everyone except these users".
  • Ref: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=519217

  • 09.13.16 - CVE: Not Available
  • Platform: Linux
  • Title: Linux Kernel nfsd "CAP_MKNOD" Unauthorized Access
  • Description: The Linux Kernel is exposed to an unauthorized access issue that can occur when users with certain capabilities connect to the "nfsd" service. Specifically, this issue occurs because the software fails to strip the "CAP_MKNOD" capability from a remote user. The attacker can exploit this issue to perform privileged operations on a vulnerable computer; this may aid in further attacks.
  • Ref: http://groups.google.com/group/fa.linux.kernel/browse_thread/thread/665b99fdc970bee3

  • 09.13.17 - CVE: CVE-2009-0787
  • Platform: Linux
  • Title: Linux Kernel "ecryptfs_write_metadata_to_contents()" Information Disclosure
  • Description: The Linux Kernel is exposed to an information disclosure issue because it fails to properly initialize certain memory before using it in a user-accessible operation. This issue affects the "ecryptfs_write_metadata_to_contents()" function. Linux Kernel versions 2.6.28 through 2.6.28.8 are affected.
  • Ref: http://www.kernel.org/pub/linux/kernel/v2.6/ChangeLog-2.6.28.9

  • 09.13.18 - CVE: CVE-2009-0207
  • Platform: HP-UX
  • Title: HP-UX VERITAS File System and VERITAS Oracle Disk Manager Local Privilege Escalation
  • Description: HP-UX is a UNIX-based operating system. HP-UX is exposed to a local privilege escalation issue that occurs in the VERITAS File System (VRTSvxfs) and VERITAS Oracle Disk Manager (VRTSodm) components. Local attackers can exploit this issue to gain superuser privileges, completely compromising affected computers.
  • Ref: http://www.securityfocus.com/bid/34226

  • 09.13.19 - CVE: CVE-2009-1041
  • Platform: BSD
  • Title: FreeBSD "ktimer" Local Privilege Escalation
  • Description: FreeBSD is exposed to a local privilege escalation issue because it fails to adequately bounds check user-supplied data. An integer value that specifies which timer a process wishes to operate on is not properly validated.
  • Ref: http://www.securityfocus.com/archive/1/502047

  • 09.13.20 - CVE: Not Available
  • Platform: BSD
  • Title: FreeBSD "kenv" Local Denial of Service
  • Description: FreeBSD is prone to a local denial of service vulnerability. This issue is related to the "kenv()" system call, used to set and view kernel environment variables. Specifically, when asked to dump environment variables, kenv allocates memory based on user-supplied parameters. If called with large parameters the kernel will attempt to allocate excessive amounts of memory, resulting in a kernel panic.
  • Ref: http://www.securityfocus.com/bid/34198

  • 09.13.21 - CVE: Not Available
  • Platform: Cross Platform
  • Title: Chasys Media Player ".pls" File Remote Buffer Overflow
  • Description: Chasys Media Player is a multimedia player application. Chasys Media Player is exposed to a remote stack-based buffer overflow issue because it fails to perform adequate checks on user-supplied input. Specifically, this issue occurs when parsing malformed ".pls" files containing excessively long file name strings. Chasys Media Player version 1.1 is affected.
  • Ref: http://www.jpcha2.com/index.php

  • 09.13.22 - CVE: CVE-2009-0927
  • Platform: Cross Platform
  • Title: Adobe Acrobat and Reader Unspecified JavaScript Method Remote Code Execution
  • Description: Adobe Acrobat and Reader are applications for handling PDF files; they are available for multiple platforms. Acrobat and Reader are exposed to a remote code execution issue because they fail to sufficiently sanitize user-supplied input. This issue affects an unspecified JavaScript method. Adobe Acrobat and Reader versions 7.1 and prior, 8.1.2 and prior, and 9 are affected.
  • Ref: http://www.adobe.com/support/security/bulletins/apsb09-04.html

  • 09.13.23 - CVE: Not Available
  • Platform: Cross Platform
  • Title: Mozilla Firefox Unspecified Remote Code Execution
  • Description: Mozilla Firefox is a web browser for multiple operating systems. Firefox is exposed to a remote code execution issue caused by an unspecified error. Attackers can exploit this issue by enticing an unsuspecting user into opening a specially crafted webpage.
  • Ref: http://dvlabs.tippingpoint.com/blog/2009/03/18/pwn2own-2009-day-1---safari-internet-explorer-and-firefox-taken-down-by-four-zero-day-exploits

  • 09.13.24 - CVE: CVE-2009-0583, CVE-2009-0584
  • Platform: Cross Platform
  • Title: Ghostscript Multiple Input Validation and Integer Overflow Vulnerabilities
  • Description: Ghostscript is a set of tools and libraries for Portable Document Format (PDF) and PostScript files. Ghostscript is exposed to multiple remote issues in the International Color Consortium Profile Format library. Successful exploits will allow attacker-supplied code to run in the context of the victim.
  • Ref: https://bugzilla.redhat.com/show_bug.cgi?id=487742

  • 09.13.25 - CVE: CVE-2009-0581, CVE-2009-0733, CVE-2009-0723
  • Platform: Cross Platform
  • Title: Little CMS Memory Leak and Multiple Memory Corruption Vulnerabilities
  • Description: Little CMS is an open-source color-management engine that has been ported to various platforms. The software is exposed to multiple issues. Attackers may leverage these issues to execute arbitrary code in the context of the application. Little CMS version 1.17 is affected.
  • Ref: http://www.securityfocus.com/archive/1/502018

  • 09.13.26 - CVE: Not Available
  • Platform: Cross Platform
  • Title: Cascade Server XLST Processing Remote Command Execution
  • Description: Cascade Server is a web-based content management system implemented in Java. Cascade Server is exposed to an issue that attackers can leverage to execute arbitrary commands. This issue occurs because the application fails to adequately validate user-supplied data used as XSLT stylesheets.
  • Ref: http://www.securityfocus.com/archive/1/501981

  • 09.13.27 - CVE: Not Available
  • Platform: Cross Platform
  • Title: SW-HTTPD Incomplete HTTP Request Remote Denial of Service
  • Description: SW-HTTPD is an HTTP server for Linux and Unix platforms. The application is exposed to a remote denial of service vulnerability because it fails to properly handle user-supplied input. Attackers can exploit this issue by sending incomplete HTTP requests to the application. Child processes created for these requests will hang, eventually exhausting system resources and leaving the server unable to handle new requests. SW-HTTPD version 0.1 is affected.
  • Ref: http://www.securityfocus.com/bid/34188

  • 09.13.28 - CVE: Not Available
  • Platform: Cross Platform
  • Title: Sun Java System Identity Manager Multiple Vulnerabilities
  • Description: Sun Java System Identity Manager (IDM) is a web-based application. The application is exposed to multiple issues. Successful exploits may allow attackers to obtain sensitive information, execute arbitrary script code in the browser of an unsuspecting user in the context of a site, perform unauthorized actions, or gain unauthorized access to the affected application.
  • Ref: http://blogs.sun.com/security/entry/sun_alert_253267_sun_java

  • 09.13.29 - CVE: CVE-2009-0920
  • Platform: Cross Platform
  • Title: HP OpenView Network Node Manager "OvAcceptLang" Parameter Heap Buffer Overflow
  • Description: HP OpenView Network Node Manager is a fault-management application for IP networks. The application is exposed to a heap-based buffer overflow issue because it fails to adequately bounds check user-supplied input before copying it to insufficiently sized buffers. Specifically, the issue occurs when an overly large "OvAcceptLang" parameter is passed to the "Toolbar.exe" application via an HTTP request. HP OpenView Network Node Manager versions 7.51, 7.53 and 7.53 with patch NNM_01195 are affected.
  • Ref: http://www.securityfocus.com/archive/1/502054

  • 09.13.30 - CVE: CVE-2009-0921
  • Platform: Cross Platform
  • Title: HP OpenView Network Node Manager "Accept-Language" HTTP Header Heap Buffer Overflow
  • Description: HP OpenView Network Node Manager is a fault-management application for IP networks. The application is exposed to a heap-based buffer overflow issue because it fails to adequately bounds check user-supplied input before copying it to insufficiently sized buffers. Specifically, the issue occurs when an excessively large "Accept-Language" HTTP header is received. HP OpenView Network Node Manager versions 7.51, 7.53 and 7.53 with patch NNM_01195 are affected.
  • Ref: http://www.openview.hp.com/products/nnm/

  • 09.13.31 - CVE: Not Available
  • Platform: Cross Platform
  • Title: Drupal CCK Field Privacy Module Security Bypass
  • Description: The CCK Field Privacy module for Drupal gives granular access control to field labels in nodes. The module is exposed to a security bypass issue that may allow attackers to gain access to sensitive areas of the application. CCK Field Privacy versions prior to 6.x-1.1 are affected.
  • Ref: http://drupal.org/node/409626

  • 09.13.32 - CVE: CVE-2009-0364
  • Platform: Cross Platform
  • Title: WebCit Mini_Calendar Component Format String
  • Description: WebCit is a web-based administration front-end for the Citadel groupware server. WebCit is exposed to a remote format string issue because it fails to sufficiently sanitize user-supplied input before using it in a formatted-printing function. This issue occurs in the application's "mini_calendar" component.
  • Ref: http://www.securityfocus.com/bid/34206

  • 09.13.33 - CVE: Not Available
  • Platform: Cross Platform
  • Title: Padl nss_ldap "/etc/nss_ldapd.conf" Local Information Disclosure
  • Description: Padl nss_ldap is a library that allows access to X.500 and LDAP directory servers. The library is exposed to an information disclosure issue because it stores authentication credentials in an insecure manner. Specifically, this issue occurs because authentication credentials may be stored in the "/etc/nss-ldapd.conf" configuration file, which by default is world readable.
  • Ref: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=520476

  • 09.13.34 - CVE: CVE-2009-0928, CVE-2009-0193, CVE-2009-1061, CVE-2009-1062
  • Platform: Cross Platform
  • Title: Adobe Acrobat and Reader JBIG2 Image Processing Multiple Remote Code Execution Vulnerabilities
  • Description: Adobe Acrobat and Reader are applications for handling PDF files. The applications are exposed to multiple remote code execution issues. An attacker can exploit these issues to execute arbitrary code with the privileges of the user running the application or crash the application, denying service to legitimate users. Adobe Acrobat and Reader versions 7.1.0, 8.1.3, 9.0.0, and earlier are affected.
  • Ref: http://www.adobe.com/support/security/bulletins/apsb09-04.html

  • 09.13.35 - CVE: Not Available
  • Platform: Cross Platform
  • Title: IncrediMail Script Execution Vulnerabilities
  • Description: IncrediMail is a mail client application. The application is exposed to multiple script execution issues because it fails to sanitize user-supplied input. Specifically, the issues occur because the "Reply" and "Forward" functions of the application do not properly handle the mail content. IncrediMail version 5.86 is affected.
  • Ref: http://www.securityfocus.com/bid/34231

  • 09.13.36 - CVE: Not Available
  • Platform: Web Application - Cross Site Scripting
  • Title: Tasklist Drupal Module Multiple Unspecified Cross-Site Scripting Vulnerabilities
  • Description: Tasklist is a module for the Drupal content management system. The application is exposed to multiple cross-site scripting issues because it fails to sufficiently sanitize user-supplied input to unspecified parameters of unspecified pages.
  • Ref: http://drupal.org/node/406482

  • 09.13.37 - CVE: Not Available
  • Platform: Web Application - Cross Site Scripting
  • Title: PHP Classifieds Arbitrary File Upload and Cross-Site Scripting Vulnerabilities
  • Description: PHP Classifieds is a web-based application. The application is exposed to an issue that lets attackers upload and execute arbitrary code. The issue occurs because the software fails to properly sanitize user-supplied input in the "upload_video.php" script. Specifically, the software fails to properly verify file extensions before uploading files onto the web server. PHP Classifieds version 7.3 is affected.
  • Ref: http://www.securityfocus.com/bid/34222

  • 09.13.38 - CVE: CVE-2008-6476
  • Platform: Web Application - Cross Site Scripting
  • Title: BlogEngine.NET "search.aspx" Cross-Site Scripting
  • Description: BlogEngine.NET is an ASP-based web application. The application is exposed to a cross-site scripting issue because it fails to sufficiently sanitize user-supplied input to the "q" parameter of the "search.aspx" script. BlogEngine.NET version 1.4 is affected.
  • Ref: http://www.securityfocus.com/bid/34227

  • 09.13.39 - CVE: Not Available
  • Platform: Web Application - SQL Injection
  • Title: Tasklist Drupal Module Unspecified SQL Injection
  • Description: Tasklist is a module for the Drupal content management system. The application is exposed to an unspecified SQL injection issue because it fails to sufficiently sanitize user-supplied data. A successful exploit may allow an attacker to compromise the application, access or modify data, or exploit latent vulnerabilities in the underlying database.
  • Ref: http://drupal.org/node/406488

  • 09.13.40 - CVE: Not Available
  • Platform: Web Application - SQL Injection
  • Title: DeluxeBB "misc.php" SQL Injection
  • Description: DeluxeBB is a web-based bulletin board application. The application is exposed to an SQL injection issue because it fails to sufficiently sanitize user-supplied data to the "qorder" field of the "misc.php" script. DeluxeBB versions 1.3 and earlier are affected.
  • Ref: http://www.securityfocus.com/bid/34174

  • 09.13.41 - CVE: Not Available
  • Platform: Web Application - SQL Injection
  • Title: YABSoft Advanced Image Hosting Script "gallery_list.php" SQL Injection
  • Description: Advanced Image Hosting Script is an image-hosting application implemented in PHP. The application is exposed to an SQL injection issue because it fails to sufficiently sanitize user-supplied data to the "gal" parameter of the "gallery_list.php" script before using it in an SQL query. Advanced Image Hosting Script version 2.3 is affected.
  • Ref: http://www.securityfocus.com/bid/34176

  • 09.13.42 - CVE: Not Available
  • Platform: Web Application - SQL Injection
  • Title: FacilCMS Multiple SQL Injection and Information Disclosure Vulnerabilities
  • Description: FacilCMS is a web-based content manager implemented in PHP. The application is exposed to an information disclosure issue that affects the "phpinfo.php" script. The application is also exposed to multiple SQL injection issues because it fails to sufficiently sanitize user-supplied data. FacilCMS version 0.1RC2 is affected.
  • Ref: http://www.securityfocus.com/bid/34177

  • 09.13.43 - CVE: Not Available
  • Platform: Web Application - SQL Injection
  • Title: WBB3 rGallery "userID" Parameter SQL Injection
  • Description: WBB3 rGallery is a PHP-based photo gallery application. The application is exposed to an SQL injection issue because it fails to sufficiently sanitize user-supplied data to the "userID" parameter. WBB3 rGallery version 1.2.3 is affected.
  • Ref: http://www.securityfocus.com/bid/34194

  • 09.13.44 - CVE: Not Available
  • Platform: Web Application - SQL Injection
  • Title: SuperNews "valor.php" SQL Injection
  • Description: SuperNews is a PHP-based news application. The application is exposed to an SQL injection issue because it fails to sufficiently sanitize user-supplied data to the "noticia" parameter of the "valor.php" script. SuperNews version 1.5 is affected.
  • Ref: http://www.milw0rm.com/exploits/8255

  • 09.13.45 - CVE: Not Available
  • Platform: Web Application - SQL Injection
  • Title: X-BLC "get_read.php" Parameter SQL Injection
  • Description: X-BLC is a PHP-based content manager. The application is exposed to an SQL injection issue because it fails to sufficiently sanitize user-supplied data to the "section" parameter of the "include/get_read.php" script. X-BLC version 0.2.0 is affected.
  • Ref: http://www.securityfocus.com/bid/34197

  • 09.13.46 - CVE: Not Available
  • Platform: Web Application - SQL Injection
  • Title: Codice CMS "index.php" SQL Injection
  • Description: Codice CMS is a PHP-based content manager. The application is exposed to an SQL injection issue because it fails to sufficiently sanitize user-supplied data to the "tag" parameter of the "index.php" script. Codice CMS version 2 is affected.
  • Ref: http://www.securityfocus.com/bid/34208

  • 09.13.47 - CVE: Not Available
  • Platform: Web Application - SQL Injection
  • Title: Syzygy CMS SQL Injection and Local File Include Vulnerabilities
  • Description: Syzygy CMS is a PHP-based content manager. The application is exposed to multiple issues, including SQL injection and local file include. An attacker can exploit the file include issue using directory traversal strings to execute local script code in the context of the application. This may allow the attacker to obtain sensitive information that may aid in further attacks. Syzygy CMS version 0.3 is affected.
  • Ref: http://www.securityfocus.com/bid/34210

  • 09.13.48 - CVE: Not Available
  • Platform: Web Application - SQL Injection
  • Title: Free Arcade Script SQL Injection and Arbitrary File Upload Vulnerabilities
  • Description: Free Arcade Script is an application for managing arcade games. The application is exposed to multiple remote issues. Exploiting these issues could allow an attacker to compromise the application, upload arbitrary files, execute arbitrary code, access or modify data, or exploit latent vulnerabilities in the underlying database. Free Arcade Script version 1.0 is affected.
  • Ref: http://www.securityfocus.com/bid/34212

  • 09.13.49 - CVE: Not Available
  • Platform: Web Application - SQL Injection
  • Title: PHPizabi "notepad_body" Parameter SQL Injection
  • Description: PHPizabi is a social networking platform. The application is exposed to an SQL injection issue because it fails to sufficiently sanitize user-supplied data to the "notepad_body" parameter of the "index.php" script before using it in an SQL query. PHPizabi version 0.848b C1 HFP1 is affected.
  • Ref: http://www.securityfocus.com/archive/1/502087

  • 09.13.50 - CVE: Not Available
  • Platform: Web Application - SQL Injection
  • Title: PHPCMS2008 "ask/search_ajax.php" SQL Injection
  • Description: PHPCMS2008 is a PHP-based content management system. The application is exposed to an SQL injection issue because it fails to sufficiently sanitize user-supplied data to the "q" field of the "ask/search_ajax.php" script. PHPCMS2008 versions prior to 2009.03.17 are affected.
  • Ref: http://www.securityfocus.com/bid/34225

  • 09.13.51 - CVE: Not Available
  • Platform: Web Application - SQL Injection
  • Title: SurfMyTv Script "view.php" SQL Injection
  • Description: SurfMyTv Script is a PHP-based television entertainment script. The application is exposed to an SQL injection issue because it fails to sufficiently sanitize user-supplied data to the "id" parameter of the "view.php" script. SurfMyTv Script version 1.0 is affected.
  • Ref: http://www.securityfocus.com/bid/34230

  • 09.13.52 - CVE: Not Available
  • Platform: Web Application - SQL Injection
  • Title: Comparison Engine Power "product.comparision.php" SQL Injection
  • Description: Comparison Engine Power is a web-based marketing and product comparison script. The application is exposed to an SQL injection issue because it fails to sufficiently sanitize user-supplied data before using it in an SQL query. Specifically, it fails to properly sanitize the "cat" parameter of the "product.comparision.php" script. Comparison Engine Power version 1.0 is affected.
  • Ref: http://www.securityfocus.com/bid/34232

  • 09.13.53 - CVE: Not Available
  • Platform: Web Application
  • Title: Sitecore CMS Security Databases Information Disclosure
  • Description: Sitecore CMS is a web-based content manager. The application is exposed to an information disclosure issue. Specifically, an unauthorized attacker may retrieve data from security databases using the web service. Sitecore CMS versions prior to 5.3.2 rev. 090212 are affected.
  • Ref: http://www.securityfocus.com/archive/1/501929

  • 09.13.54 - CVE: Not Available
  • Platform: Web Application
  • Title: IBM Rational AppScan Enterprise Exported Report Information Disclosure
  • Description: IBM Rational AppScan Enterprise is a web-based tool for scanning and reporting vulnerabilities. The application is exposed to an unspecified information disclosure issue that may allow users to gain unauthorized access to exported report files. Rational AppScan Enterprise versions prior to 5.5 Fix Pack 1 are affected.
  • Ref: http://www-01.ibm.com/support/docview.wss?uid=swg1PK79991

  • 09.13.55 - CVE: Not Available
  • Platform: Web Application
  • Title: Umbraco CMS Administrative Pages Unauthorized Access
  • Description: Umbraco CMS is a content management system implemented in ASP. Umbraco CMS is exposed to an access validation issue. An attacker can exploit this issue to gain unauthorized access to unspecified administrative pages of the affected application. Umbraco CMS version 3 is affected.
  • Ref: http://www.securityfocus.com/bid/34166

  • 09.13.56 - CVE: Not Available
  • Platform: Web Application
  • Title: Drupal Plus 1 Module Cross-Site Request Forgery
  • Description: Plus 1 is a voting module for the Drupal content management system. Plus 1 is exposed to a cross-site request forgery issue. Attackers may exploit this issue to cause victims to unknowingly vote for attacker-specified content. Plus 1 versions prior to 6.x-2.6 are affected.
  • Ref: http://www.securityfocus.com/bid/34168

  • 09.13.57 - CVE: Not Available
  • Platform: Web Application
  • Title: Content Construction Kit (CCK) Drupal Module User and Node References HTML Injection
  • Description: Content Construction Kit (CCK) is a module for the Drupal content management system. The application is exposed to an HTML injection issue because it fails to sanitize user-supplied input to the "nodereference" and "userreference" modules. Specifically, the titles of candidate referenced nodes and the names of candidate referenced users are not properly sanitized. CCK versions prior to 6.x-2.2 are affected.
  • Ref: http://drupal.org/node/406520

  • 09.13.58 - CVE: Not Available
  • Platform: Web Application
  • Title: Bloginator Insecure Cookie Authentication Bypass
  • Description: Bloginator is a web-log application. Bloginator is exposed to an authentication bypass issue because it fails to adequately verify user-supplied input used for cookie-based authentication. Specifically, the application uses the single hard-coded value "identifyYourself=you are identified" for all validation cookies. Bloginator version 1A is affected.
  • Ref: http://www.securityfocus.com/bid/34187

  • 09.13.59 - CVE: Not Available
  • Platform: Web Application
  • Title: Pixie CMS SQL Injection and Cross-Site Scripting Vulnerabilities
  • Description: Pixie CMS is a PHP-based content manager. Pixie CMS is exposed to an SQL injection issue and a cross-site scripting issue because it fails to sufficiently sanitize user-supplied data. Specifically, the cross-site scripting issue affects the "x" parameter and the SQL injection issue affects the HTTP "Referer" header.
  • Ref: http://www.securityfocus.com/bid/34189

  • 09.13.60 - CVE: Not Available
  • Platform: Web Application
  • Title: ExpressionEngine Avatar Name HTML Injection
  • Description: ExpressionEngine is a web-based application. The application is exposed to an HTML injection issue because it fails to properly sanitize user-supplied input before using it in dynamically generated content. Specifically, the issue affects the avatar name. ExpressionEngine versions 1.6.4 to 1.6.6 are affected.
  • Ref: http://www.securityfocus.com/bid/34193

  • 09.13.61 - CVE: Not Available
  • Platform: Web Application
  • Title: Piwik "archive.sh" Unauthorized Access
  • Description: Piwik is an application for web analytics. The application is exposed to an unauthorized access issue because it fails to adequately limit access to a script that contains a secret API key. Specifically, the "archive.sh" script is located by default in a publicly accessible node of the document root. Piwik version 0.2.32 is affected.
  • Ref: http://www.securityfocus.com/archive/1/501928

  • 09.13.62 - CVE: Not Available
  • Platform: Web Application
  • Title: Pluck "module_pages_site.php" Parameter Local File Include
  • Description: Pluck is a PHP-based content manager. The application is exposed to a local file include issue because it fails to properly sanitize user-supplied input to the "post" parameter of the "module_pages_site.php" script. Pluck version 4.6.1 is affected.
  • Ref: http://www.securityfocus.com/bid/34207

  • 09.13.63 - CVE: Not Available
  • Platform: Web Application
  • Title: PHPizabi "modules/chat/dac.php" Local File Include
  • Description: PHPizabi is a social-networking platform. The application is exposed to a local file include issue because it fails to properly sanitize user-supplied input to the "sendChatData" parameter of the "modules/chat/dac.php" script. PHPizabi version 0.848b C1 HFP1-3 is affected.
  • Ref: http://www.securityfocus.com/bid/34213

  • 09.13.64 - CVE: Not Available
  • Platform: Web Application
  • Title: Rittal CMC-TC Processing Unit II Cross Site Scripting and HTML Injection Vulnerabilities
  • Description: Rittal CMC-TC Processing Unit II is a hardware device used to monitor remote temperature sensors, and it supports a web-based administration interface. The web interface is exposed to multiple input validation issues. CMC-TC Processing Unit II versions prior to 2.60a are affected.
  • Ref: http://www.securityfocus.com/archive/1/502046

  • 09.13.65 - CVE: Not Available
  • Platform: Web Application
  • Title: Jinzora "name" Parameter Local File Include
  • Description: Jinzora is a PHP-based application that allows users to stream media over the internet. The application is exposed to a local file include issue because it fails to properly sanitize user-supplied input to the "name" parameter of the "index.php" script. Jinzora version 2.8 is affected.
  • Ref: http://www.securityfocus.com/bid/34224

  • 09.13.66 - CVE: Not Available
  • Platform: Network Device
  • Title: Rittal CMC-TC Processing Unit II Administrator Session ID Security Bypass
  • Description: Rittal CMC-TC Processing Unit II is a hardware device used to monitor remote temperature sensors; it supports a web-based administration interface. The device's web interface is exposed to an issue that can allow an attacker to predict the administrator session ID, because the session ID is based on login time. CMC-TC Processing Unit II versions 2.45 and 2.60a are affected.
  • Ref: http://www.securityfocus.com/archive/1/502046

  • 09.13.67 - CVE: Not Available
  • Platform: Network Device
  • Title: Siemens Gigaset SE461 WiMAX Router Request Denial of Service
  • Description: Gigaset SE461 WiMAX router is a wireless device by Siemens. The device is exposed to a denial of service issue because it fails to adequately handle malformed requests. Specifically, the device will crash when processing specially crafted requests on TCP port 53.
  • Ref: http://www.securityfocus.com/bid/34220

  • 09.13.68 - CVE: Not Available
  • Platform: Network Device
  • Title: ZyXEL G570S Crafted HTTP Requests Multiple Vulnerabilities
  • Description: ZyXEL G570S is a wireless access point. The device is exposed to multiple issues. Attackers can exploit these issues to bypass certain security restrictions, cause a denial of service condition, or disclose sensitive information.
  • Ref: http://www.securityfocus.com/bid/34221

(c) 2009. All rights reserved. The information contained in this newsletter, including any external links, is provided "AS IS," with no express or implied warranty, for informational purposes only. In some cases, copyright for material in this newsletter may be held by a party other than Qualys (as indicated herein) and permission to use such material must be requested from the copyright owner.

Subscriptions: @RISK is distributed free of charge by the SANS Institute to people responsible for managing and securing information systems and networks. You may forward this newsletter to others with such responsibility inside or outside your organization.