The most trusted source for computer security training, certification and research.

@RISK: The Consensus Security Vulnerability Alert

Volume: VIII, Issue: 16
April 16, 2009

SANS Newsletters Home

Oracle and Microsoft have announced very critical bugs. Alan

@RISK is the SANS community's consensus bulletin summarizing the most important vulnerabilities and exploits identified during the past week and providing guidance on appropriate actions to protect your systems (PART I). It also includes a comprehensive list of all new vulnerabilities discovered in the past week (PART II).

Summary of the vulnerabilities reported this week:

    • Category
    • # of Updates & Vulnerabilities
    • Platform Number of Updates and Vulnerabilities
    • - ------------------------ -------------------------------------
    • Windows
    • 6 (#3, #11, #12)
    • Microsoft Office
    • 1 (#2)
    • Other Microsoft Products
    • 8 (#1, #5, #6, #9 )
    • Third Party Windows Apps
    • 9 (#7, #8)
    • Linux
    • 1
    • BSD
    • 1
    • Solaris
    • 1
    • Cross Platform
    • 20 (#4, #10)
    • Web Application - Cross Site Scripting
    • 11
    • Web Application - SQL Injection
    • 15
    • Web Application
    • 22
    • Network Device
    • 3

*************************************************************************

TRAINING UPDATE - - Toronto 5/5-5/13 (15 courses) http://www.sans.org/toronto09/event.php - - SANSFIRE in Baltimore 6/13-6/20 (24 long courses, 12 short courses) http://www.sans.org/sansfire09/event.php - - New Orleans 5/5-5/10 (6 courses) http://www.sans.org/securityeast09/event.php - - Washington DC (Tyson's Corner) 4/14-4/22 (5 long courses and 8 short courses) http://www.sans.org/tysonscorner09/event.php - -- Plus San Diego, Amsterdam and more, too. See www.sans.org - - Log Management Summit in Washington 4/5-4/7 http://www.sans.org/logmgtsummit09/ - - Looking for training in your own community? http://sans.org/community/ For a list of all upcoming events, on-line and live: www.sans.org

*************************************************************************

Table Of Contents
Part II -- Comprehensive List of Newly Discovered Vulnerabilities from Qualys (www.qualys.com)
Windows
Microsoft Office
Other Microsoft Products
Third Party Windows Apps
Linux
BSD
Solaris
Cross Platform
Web Application - Cross Site Scripting
Web Application - SQL Injection
Web Application
Network Device

********************* SPONSORED LINK **********************************

1) Complete Firewall Security Audits in 25% of the time with Tufin. Learn how and get your free shirt. http://www.sans.org/info/42588

*************************************************************************

PART I Critical Vulnerabilities

Part I for this issue has been compiled by Rohan Kotian at TippingPoint, a division of 3Com, as a by-product of that company's continuous effort to ensure that its intrusion prevention products effectively block exploits using known vulnerabilities. TippingPoint's analysis is complemented by input from a council of security managers from twelve large organizations who confidentially share with SANS the specific actions they have taken to protect their systems. A detailed description of the process may be found at http://www.sans.org/newsletters/cva/#process

Widely Deployed Software
  • (1) CRITICAL: Microsoft Internet Explorer Multiple Vulnerabilities (MS09-014)
  • Affected:
    • Microsoft Internet Explorer 7.0
    • Microsoft Internet Explorer 6.0 SP1
    • Microsoft Internet Explorer 6.0
    • Microsoft Internet Explorer 5.0.1 SP4 and prior
    • Microsoft Windows XP
    • Microsoft Windows Server 2003
    • Microsoft Windows Vista
    • Microsoft Windows Server 2008
    • Microsoft Windows 2000

  • Description: There are multiple vulnerabilities that have been identified in Microsoft Internet Explorer. The first issue is an error in the way Internet Explorer locates and open files on the system. This could cause the Internet Explorer to load downloaded files from the desktop rather than the Windows system. The second issue is an error in Windows Internet application programming interface (WinInet), which doesn't correctly use the NTLM credential-reflection protection, when a victim connects to an attacker's server via HTTP protocol. This could cause the user's credentials to be reflected back to the attacker. The third issue exists because of the manner in which Internet Explorer handles transition while navigating between Web pages. This error might lead to memory corruption which might cause arbitrary code execution. The fourth issue is due to an error when Internet Explorer accesses an object that has not been deleted or correctly initialized. This could lead to memory corruption with successful exploitation leading to arbitrary code execution. The fifth issue is also a memory corruption error due the way Internet Explorer accesses an object that has not been deleted or properly initialized. The sixth issue is also a memory corruption error due the way Internet Explorer accesses an object that has not been deleted or properly initialized. In both the cases successful exploitation may lead to arbitrary code execution. And in all the cases, the attacker will have to entice the user in some way to visit the website with the malicious web page.

  • Status: Vendor confirmed, updates available.

  • References:
  • (2) CRITICAL: Microsoft Excel Multiple Vulnerabilities (MS09-009)
  • Affected:
    • Microsoft Office Excel 2000 SP 3
    • Microsoft Office Excel 2002 SP 3
    • Microsoft Office Excel 2003 SP 3
    • Microsoft Office Excel 2007 SP 1
    • Microsoft Office 2004 for Mac
    • Microsoft Office 2008 for Mac
    • Microsoft Office Excel Viewer 2003 SP 3
    • Microsoft Office Excel Viewer

  • Description: Microsoft Excel, a spreadsheet-application from Microsoft, contains multiple vulnerabilities in its parsing of Excel documents. The first issue is a memory corruption error in "excel.exe" while parsing specially crafted excel documents. The specific error is caused due to improper calculation of memory, which depends on a particular offset and a two-byte value in the document. Successful exploitation might lead to arbitrary code execution. The second issue is the one that is already discussed in http://www.sans.org/newsletters/risk/display.php?v=8&i=9#widely1. The vendor has provided a patch for it in the latest release. User interaction is needed to exploit these vulnerabilities since, in most configurations; users will be prompted before opening the potentially malicious Excel files. Some technical details are publicly disclosed.

  • Status: Vendor confirmed, updates available.

  • References:
  • (3) CRITICAL: Microsoft Windows HTTP Services Multiple Vulnerabilities (MS09-013)
  • Affected:
    • Microsoft Windows 2000 SP 4
    • Microsoft Windows XP SP 2
    • Microsoft Windows XP SP 3
    • Microsoft Windows XP Professional x64 Edition
    • Microsoft Windows XP Professional x64 Edition SP 2
    • Microsoft Windows Server 2003 SP 1
    • Microsoft Windows Server 2003 SP 2
    • Microsoft Windows Server 2003 x64 Edition
    • Microsoft Windows Server 2003 x64 Edition SP 2
    • Microsoft Windows Server 2003 SP1 (Itanium-based Systems)
    • Microsoft Windows Server 2003 SP2 (Itanium-based Systems)
    • Microsoft Windows Vista
    • Microsoft Windows Vista SP 1
    • Microsoft Windows Vista x64 Edition
    • Microsoft Windows Vista x64 Edition SP 1
    • Microsoft Windows Server 2008 (32-bit Systems)
    • Microsoft Windows Server 2008 (x64-based Systems)
    • Microsoft Windows Server 2008 (Itanium-based Systems)

  • Description: Microsoft Windows HTTP Services (WinHTTP), which provides developers with an HTTP client API to send requests to other HTTP servers via HTTP protocol, has got multiple vulnerabilities. The first issue is an error due to the way the WinHTTP Services handle specific values returned from a remote web server without proper validation. This could ultimately lead to remote code execution. An attacker needs to entice the victim to visit the malicious web server. The second issue is an error caused due to lack of proper checks of the distinguished name in the digital certificate by the WinHTTP Services. The combination of DNS spoofing with this vulnerability could allow an attacker to spoof a digital certificate of a Web Site that uses WinHTTP services. The third issue is caused due to WinHTTP services not correctly handling NTLM credential-reflection protections when a user connects to an attacker's web server. This could cause the user's credentials to be reflected back to the attacker. An attacker needs to entice the victim to visit the malicious web server to carry out this attack.

  • Status: Vendor confirmed, updates available.

  • References:
  • (5) CRITICAL: Microsoft Windows WordPad and Office Converters Multiple Vulnerabilities (MS09-010)
  • Affected:
    • Microsoft Windows 2000 SP 4
    • Microsoft Windows XP SP 2
    • Microsoft Windows XP SP 3
    • Microsoft Windows XP Professional x64 Edition
    • Microsoft Windows XP Professional x64 Edition SP 2
    • Microsoft Windows Server 2003 SP 1
    • Microsoft Windows Server 2003 SP 2
    • Microsoft Windows Server 2003 x64 Edition
    • Microsoft Windows Server 2003 x64 Edition SP 2
    • Microsoft Windows Server 2003 SP1 (Itanium-based Systems)
    • Microsoft Windows Server 2003 SP2 (Itanium-based Systems)
    • Microsoft Office Word 2000 SP 3
    • Microsoft Office Word 2002 SP 3
    • Microsoft Office Converter Pack

  • Description: WordPad, a simple text editor, is a default component of Microsoft Windows. Text converters in WordPad allow users who do not have Microsoft Office Word installed to open documents in Microsoft Windows Write (.wri) and Microsoft Office Word 6.0, Microsoft Office Word 97, 2000, 2002 (.doc) file formats. WordPad and the Office Text converters have multiple vulnerabilities which can be triggered by opening a specially crafted Word 6 file, or Word 97 document, or WordPerfect 6.x document. The first issue is a memory corruption error in WordPad and Office Text converters, specifically in Word 6 converter, while processing malformed Word 6 file. The second issue is memory corruption vulnerability in Microsoft WordPad while parsing specially crafted Word 97 document. The user needs to open the malformed Word 97 document with the affected version of WordPad for this vulnerability to work. The third issue is stack corruption vulnerability in WordPerfect 6.x Converter included in Microsoft Office Word 2000 while parsing a specially crafted WordPerfect 6.x document. The user needs to open the malformed WordPerfect document with Microsoft Office Word 2000 for this vulnerability to work. The fourth issue is buffer overflow vulnerability in WordPad while parsing a specially crafted Word 97 document. The user needs to open the malformed Word 97 document with the affected version of WordPad for this vulnerability to work. Some technical details are publicly available.

  • Status: Vendor confirmed, updates available.

  • References:
  • (6) CRITICAL: Microsoft DirectShow MJPEG Decompression Remote Code Execution Vulnerability (MS09-011)
  • Affected:
    • Microsoft DirectX 9.0*
    • Microsoft DirectX 8.1
    • Microsoft Windows 2000 SP 4
    • Microsoft Windows 2000 SP 4
    • Microsoft Windows XP SP 2
    • Microsoft Windows XP SP 3
    • Microsoft Windows XP Professional x64 Edition
    • Microsoft Windows XP Professional x64 Edition SP 2
    • Microsoft Windows Server 2003 SP 1
    • Microsoft Windows Server 2003 SP 2
    • Microsoft Windows Server 2003 x64 Edition
    • Microsoft Windows Server 2003 x64 Edition SP 2
    • Microsoft Windows Server 2003 SP1 (Itanium-based System)
    • Microsoft Windows Server 2003 SP2 (Itanium-based System)

  • Description: Microsoft DirectShow is the architecture for streaming media produced by Microsoft which provides for capture and playback of multimedia streams. It has a vulnerability while processing specially crafted MJPEG files. The issue is caused due to an error while decompressing the MJPEG content of these specially crafted MJPEG files. Successful exploitation can lead to arbitrary code execution. To carry out this attack, an attacker needs to trick the user into opening the malformed MJPEG file, or the user into receiving a specially crafted streaming content from a Website. Another attack vector is via e-mail, wherein the attacker sends media file, with the malformed MJPEG file embedded in it, as an e-mail attachment and coaxes the user to open the file.

  • Status: Vendor confirmed, updates available.

  • References:
  • (7) HIGH: SAP GUI KWEdit ActiveX Control "SaveDocumentAs()" Insecure Method Vulnerability
  • Affected:
    • SAP GUI 6.40 Patch 29
    • SAP GUI 7.10 Patch 5

  • Description: SAP GUI is a graphical user interface (GUI) to the SAP Enterprise Resource Planning application. Part of its functionality is provided via KWEdit ActiveX Control. This control contains a possible remote code execution vulnerability in its handling of input. The specific error is that KWEdit ActiveX control (KWEDIT.DLL) has an insecure method "SaveDocumentAs()". This method saves an HTML document to a specified location. When this is used in combination with "OpenDocument()" method an attacker can disclose the contents of some arbitrary files or execute arbitrary code with the privileges of the logged on user. The vendor's patch to this vulnerability is to effectively set a killbit for the ActiveX control.

  • Status: Vendor confirmed, updates available.

  • References:
  • (8) HIGH: EMC RepliStor Remote Buffer Overflow Vulnerability
  • Affected:
    • EMC RepliStor 6.2 SP4 and earlier
    • EMC RepliStor 6.3 SP1 and earlier

  • Description: EMC RepliStor provides data recovery and protection for Microsoft Windows platforms. It is exposed to a heap based buffer overflow vulnerability. The specific issue is a buffer overflow error in "ctrlservice.exe" and "rep_srv.exe" services. By sending a specially crafted message to those services over TCP a remote attacker can trigger this vulnerability. No authentication is required to carry out this attack. Successful exploitation might lead to arbitrary code execution.

  • Status: Vendor confirmed, updates available.

  • References:
  • (9) MODERATE: Microsoft ISA server and Forefront TMG Multiple Vulnerabilities (MS09-016)
  • Affected:
    • Microsoft Forefront Threat Management Gateway (Medium Business Edition)
    • Microsoft Internet Security and Acceleration Server 2004 Standard Edition SP 3
    • Microsoft Internet Security and Acceleration Server 2004 Enterprise Edition SP 3
    • Microsoft Internet Security and Acceleration Server 2006
    • Microsoft Internet Security and Acceleration Server 2006 Supportability Update
    • Microsoft Internet Security and Acceleration Server 2006 SP 1

  • Description: Microsoft Internet Security and Acceleration Server (ISA Server) is a firewalling and security product designed to publish server systems securely. Microsoft Forefront Threat Management Gateway (TMG) is the latest version of ISA server. Both the ISA server and the Forefront TMG have two vulnerabilities which could be exploited to cause a denial-of-service condition or execute arbitrary code. The first issue is an error in the way that a firewall engine handles a TCP session state for Web proxy or Web publishing listeners. This could lead to not used open connections that might eventually lead to a denial-of-service condition. The second issue is caused due to improper input validation in "cookieauth.dll", which is an HTML forms authentication component in ISA Server or Forefront TMG. This could be exploited to carry out cross site scripting attacks, which could lead to running a malicious code on another user's machine, or spoofing, or information disclosure. An attacker will have to convince the user to follow a specially crafted URL sent in an e-mail or Instant Messenger message, to carry out this attack.

  • Status: Vendor confirmed, updates available.

  • References:
  • (10) MODERATE: DivX Web Player 'STRF' Chunk Processing Buffer Overflow Vulnerability
  • Affected:
    • DivX Web Player 1.4.2 7

  • Description: DivX Web Player is a media player that is used to play HD-quality DivX video in a web browser. There is a heap-based buffer overflow vulnerability in the player which can be triggered via a specially crafted DivX file. The specific issue is an signedness error while processing Stream Format (STRF) chunks within a DivX file. An attacker will have to trick the victim to either visit the website with the malicious DivX file or open the malicious file sent as an email attachment. Successful exploitation may lead to arbitrary code execution.

  • Status: Vendor confirmed, updates available.

  • References:
  • (11) LOW: Microsoft Windows SearchPath Elevation of Privilege Vulnerability (MS09-015)
  • Affected:
    • Microsoft Windows 2000 SP 4
    • Microsoft Windows XP SP 2
    • Microsoft Windows XP SP 3
    • Microsoft Windows XP Professional x64 Edition
    • Microsoft Windows XP Professional x64 Edition SP 2
    • Microsoft Windows Server 2003 SP 1
    • Microsoft Windows Server 2003 SP 2
    • Microsoft Windows Server 2003 x64 Edition
    • Microsoft Windows Server 2003 x64 Edition SP 2
    • Microsoft Windows Server 2003 SP1 (Itanium)
    • Microsoft Windows Server 2003 SP2 (Itanium)
    • Microsoft Windows Vista
    • Microsoft Windows Vista SP 1
    • Microsoft Windows Vista x64 Edition
    • Microsoft Windows Vista x64 Edition SP 1
    • Microsoft Windows Server 2008 (32-bit)
    • Microsoft Windows Server 2008 (x64)
    • Microsoft Windows Server 2008 (Itanium)

  • Description: Microsoft Windows SearchPath function is used to search a specified file in a specified path. There is an Elevation of Privilege vulnerability in this function. The specific error is due to the way the SearchPath function in Windows locates and opens files on the system. As a result of this error Internet Explorer could open a specially crafted file from the desktop. There is a blended attack wherein files that are downloaded on the user's system without their notice, might be loaded unintentionally by Internet Explorer from the desktop rather than the Windows system. Successful exploitation might allow an attacker to execute arbitrary code.

  • Status: Vendor confirmed, updates available.

  • References:
  • (12) LOW: Microsoft Windows Multiple Elevation of Privilege Vulnerabilities (MS09-012)
  • Affected:
    • Microsoft Windows 2000 SP 4
    • Microsoft Windows XP SP 2
    • Microsoft Windows XP SP 3
    • Microsoft Windows XP Professional x64 Edition
    • Microsoft Windows XP Professional x64 Edition SP 2
    • Microsoft Windows Server 2003 SP 1
    • Microsoft Windows Server 2003 SP 2
    • Microsoft Windows Server 2003 x64 Edition
    • Microsoft Windows Server 2003 x64 Edition SP 2
    • Microsoft Windows Server 2003 SP1 (Itanium)
    • Microsoft Windows Server 2003 SP2 (Itanium)
    • Microsoft Windows Vista
    • Microsoft Windows Vista SP 1
    • Microsoft Windows Vista x64 Edition
    • Microsoft Windows Vista x64 Edition SP 1
    • Microsoft Windows Server 2008 (32-bit)
    • Microsoft Windows Server 2008 (x64)
    • Microsoft Windows Server 2008 (Itanium)

  • Description: Multiple Elevation of Privilege Vulnerabilities has been identified in Microsoft Windows. The first issue is an error in Microsoft Distributed Transaction Coordinator (MSDTC) transaction facility, since it leaves the NetworkService token open to be impersonated by any process that calls into it. The second issue is an error caused due to improper isolation of processes running under the NetworkService or LocalService accounts by Windows Management Instrumentation (WMI) provider. This could allow an attacker to gain elevated privileges. The third issue is caused due improper isolation of processes running under the NetworkService or LocalService accounts by RPCSS service. This could allow an attacker to gain elevated privileges and possible code execution. The fourth issue is an error caused due to Windows placing incorrect access control lists (ACLs) on threads in the current ThreadPool. This could also lead to elevated privileges and possible code execution. Technical details are available for them.

  • Status: Vendor confirmed, updates available.

  • References:
Part II: Weekly Comprehensive List of Newly Discovered Vulnerabilities
Week 16, 2009

This list is compiled by Qualys ( www.qualys.com ) as part of that company's ongoing effort to ensure its vulnerability management web service tests for all known vulnerabilities that can be scanned. As of this week Qualys scans for 6903 unique vulnerabilities. For this special SANS community listing, Qualys also includes vulnerabilities that cannot be scanned remotely.

  • 09.16.1 - CVE: CVE-2009-0078
  • Platform: Windows
  • Title: Microsoft Windows WMI Service Isolation Local Privilege Escalation
  • Description: Microsoft Windows is exposed to a privilege escalation issue that occurs because the Windows Management Instrumentation (WMI) fails to properly isolate processes that run under the NetworkService or LocalService accounts. Specifically, a process running in the context of the NetworkService or LocalService account may gain access to resources in processes that run in the same context (NetworkService or LocalService) but also hold SYSTEM tokens and can elevate their privileges.
  • Ref: http://www.microsoft.com/technet/security/Bulletin/MS09-012.mspx
  • 09.16.2 - CVE: CVE-2009-0079
  • Platform: Windows
  • Title: Microsoft Windows RPCSS Service Isolation Local Privilege Escalation
  • Description: Microsoft Windows is exposed to a privilege escalation issue that occurs because the RPCSS service fails to properly isolate processes that run under the NetworkService or LocalService accounts. Windows XP SP2 and Windows Server 2003 are affected.
  • Ref: http://www.microsoft.com/technet/security/Bulletin/MS09-012.mspx
  • 09.16.3 - CVE: CVE-2009-0080
  • Platform: Windows
  • Title: Microsoft Windows Thread Pool ACL Local Privilege Escalation
  • Description: Microsoft Windows is exposed to a privilege escalation issue that occurs because Windows places incorrect access control lists (ACLs) on threads in the current ThreadPool. Specifically, a process running in the context of the NetworkService or LocalService account may gain access to resources in processes that run in the same context (NetworkService or LocalService) but also hold SYSTEM tokens and can elevate their privileges. Windows Vista and Windows Server 2008 are affected.
  • Ref: http://www.microsoft.com/technet/security/Bulletin/MS09-012.mspx
  • 09.16.4 - CVE: Not Available
  • Platform: Windows
  • Title: Microsoft Windows "atapi.sys" Local Privilege Escalation
  • Description: Microsoft Windows is exposed to a local privilege escalation issue because it fails to adequately handle user-supplied input. This vulnerability occurs because the kernel fails to properly validate user-mode data. This issue affects the "atapi.sys" driver. Ref: http://www.avertlabs.com/research/blog/index.php/2009/04/09/windows-kernel-again-found-vulnerable/
  • 09.16.5 - CVE: Not Available
  • Platform: Windows
  • Title: Microsoft WinHTTP Server Name Mismatch Certificate Validation Security Bypass
  • Description: Microsoft Windows HTTP Services (WinHTTP) is an HTTP client API available for Microsoft Windows. WinHTTP is exposed to a security bypass issue because of an error in verifying website certificates. Specifically, the problem stems from a server name mismatch.
  • Ref: http://www.microsoft.com/technet/security/Bulletin/MS09-013.mspx
  • 09.16.6 - CVE: CVE-2009-0550
  • Platform: Windows
  • Title: Microsoft Windows NTLM Credential Reflection Remote Code Execution
  • Description: Microsoft Windows HTTP Services (WinHTTP) is an HTTP client API. Microsoft WinINet is an internet API. Both APIs are available for Microsoft Windows. The software is exposed to an issue that could let attackers replay NTLM (NT LAN Manager) credentials. This issue occurs because the affected APIs fail to properly opt in to NTLM credential reflection protections.
  • Ref: http://www.microsoft.com/technet/security/Bulletin/MS09-014.mspx
  • 09.16.7 - CVE: CVE-2009-0088
  • Platform: Microsoft Office
  • Title: Microsoft Word 2000 WordPerfect Converter Remote Code Execution
  • Description: Microsoft Word 2000 is exposed to a remote code execution issue because it fails to properly validate an unspecified string when parsing a WordPerfect document. This issue can be triggered when Word 2000 is used to open a specially crafted WordPerfect 6.x file. Ref: http://labs.idefense.com/intelligence/vulnerabilities/display.php?id=782
  • 09.16.8 - CVE: Not Available
  • Platform: Other Microsoft Products
  • Title: Microsoft Internet Explorer File Download Denial of Service
  • Description: Microsoft Internet Explorer is a browser available for multiple platforms. The browser is exposed to a remote denial of service issue. Specifically, this issue arises when specially-crafted file data is sent to users. The file data sent to users reportedly bypasses the normal file-save dialog, and contains approximately 800 kilobytes of randomized data.
  • Ref: http://www.securityfocus.com/bid/34478
  • 09.16.9 - CVE: CVE-2009-0552
  • Platform: Other Microsoft Products
  • Title: Microsoft Internet Explorer Uninitialized Memory Remote Code Execution
  • Description: Microsoft Internet Explorer is a browser for the Windows operating system. Internet Explorer is exposed to a remote code execution issue that arises when the application tries to access objects that have not been initialized or have been deleted.
  • Ref: http://www.microsoft.com/technet/security/Bulletin/MS09-014.mspx
  • 09.16.10 - CVE: CVE-2009-0086
  • Platform: Other Microsoft Products
  • Title: Microsoft WinHTTP Integer Underflow Memory Corruption Remote Code Execution
  • Description: Microsoft Windows HTTP Services (WinHTTP) is an HTTP client API for the Windows operating system. WinHTTP is exposed to a remote code execution issue because the software fails to handle malicious server responses. This issue stems from an integer underflow error.
  • Ref: http://www.microsoft.com/technet/security/Bulletin/MS09-013.mspx
  • 09.16.11 - CVE: CVE-2009-0551
  • Platform: Other Microsoft Products
  • Title: Microsoft Internet Explorer Page Transition Remote Code Execution
  • Description: Microsoft Internet Explorer is a browser for the Windows operating system. Internet Explorer is exposed to a remote code execution issue because it may corrupt memory when navigating between webpages. Attackers can exploit this issue by enticing an unsuspecting user into opening a specially crafted page.
  • Ref: http://www.microsoft.com/technet/security/Bulletin/MS09-014.mspx
  • 09.16.12 - CVE: CVE-2009-0235
  • Platform: Other Microsoft Products
  • Title: Microsoft WordPad Word 97 Converter Remote Code Execution
  • Description: Microsoft WordPad is a simple text editor supplied with most versions of Microsoft windows. WordPad Text Converters are components installed by default so that some applications can open Word documents if Word isn't installed. WordPad is exposed to a remote code execution issue because of a stack-based buffer overflow that may result in corrupted memory.
  • Ref: http://www.microsoft.com/technet/security/Bulletin/MS09-010.mspx
  • 09.16.13 - CVE: CVE-2009-0077
  • Platform: Other Microsoft Products
  • Title: Microsoft ISA Server and Forefront Threat Management Gateway Denial of Service
  • Description: Microsoft ISA Server and Forefront Threat Management Gateway are exposed to a remote denial of service issue that occurs because the software fails to handle session states correctly, which can lead to orphaned open sessions.
  • Ref: http://www.microsoft.com/technet/security/Bulletin/MS09-016.mspx
  • 09.16.14 - CVE: CVE-2009-0553
  • Platform: Other Microsoft Products
  • Title: Microsoft Internet Explorer Uninitialized Memory Remote Code Execution
  • Description: Microsoft Internet Explorer is a browser for the Windows operating system. Internet Explorer is exposed to a remote code execution issue that arises when the application tries to access objects that have not been initialized or have been deleted.
  • Ref: http://www.microsoft.com/technet/security/Bulletin/MS09-014.mspx
  • 09.16.15 - CVE: CVE-2009-0554
  • Platform: Other Microsoft Products
  • Title: Microsoft Internet Explorer Uninitialized Memory Remote Code Execution
  • Description: Microsoft Internet Explorer is a browser for the Windows operating system. Internet Explorer is exposed to a remote code execution issue that arises when the application tries to access objects that have not been initialized or have been deleted.
  • Ref: http://www.microsoft.com/technet/security/Bulletin/MS09-014.mspx
  • 09.16.16 - CVE: CVE-2009-1119
  • Platform: Third Party Windows Apps
  • Title: EMC RepliStor Multiple Remote Heap Based Buffer Overflow Vulnerabilities
  • Description: EMC RepliStor provides data recovery and protection for Microsoft Windows platforms. The application is exposed to multiple remote heap-based buffer overflow issues because it fails to perform adequate boundary checks on user-supplied input before using it in an insufficiently sized buffer. The vulnerabilities occur when handling malformed data sent over unspecified TCP ports to the "ctrlservice.exe" and "rep_srv.exe" processes. RepliStor version 6.2 SP5 (and earlier) and version 6.3 SP2 (and earlier) are affected.
  • Ref: http://www.securityfocus.com/archive/1/502575
  • 09.16.17 - CVE: CVE-2007-4514
  • Platform: Third Party Windows Apps
  • Title: HP ProCurve Manager and ProCurve Manager Plus Unauthorized Access
  • Description: HP ProCurve Manager and ProCurve Manager Plus are management tools for ProCurve hardware devices. The applications are available for Microsoft Windows. The applications are exposed to an unspecified unauthorized access issue. Remote and local attackers may exploit this issue to gain unauthorized access to data.
  • Ref: http://www.securityfocus.com/bid/34451
  • 09.16.18 - CVE: Not Available
  • Platform: Third Party Windows Apps
  • Title: Mini-stream Software RM-MP3 Converter
  • Description: Mini-stream Software provides multimedia applications for for Microsoft Windows platforms. Mini-stream Software RM-MP3 Converter is exposed to a remote stack-based buffer overflow issue because it fails to perform adequate checks on user-supplied input.
  • Ref: http://www.securityfocus.com/bid/34514
  • 09.16.19 - CVE: Not Available
  • Platform: Third Party Windows Apps
  • Title: SWF Opener Buffer Overflow
  • Description: SWF Opener is an application for viewing SWF animation files. SWF Opener is exposed to a remote buffer overflow issue because it fails to adequately bounds check user-supplied data before copying it to an insufficiently sized memory buffer. SWF Opener version 1.3 is affected.
  • Ref: http://www.securityfocus.com/bid/34459
  • 09.16.20 - CVE: Not Available
  • Platform: Third Party Windows Apps
  • Title: Chance-i DiViS-Web DVR System ActiveX Control "AddSiteEx()" Buffer Overflow
  • Description: Chance-i DiViS-Web DVR System ActiveX control for digital video playback. The application is exposed to a heap-based buffer overflow issue because it fails to bounds check user-supplied data before copying it into an insufficiently sized buffer.
  • Ref: http://dsecrg.com/pages/vul/show.php?id=135
  • 09.16.21 - CVE: Not Available
  • Platform: Third Party Windows Apps
  • Title: Xilisoft Video Converter Wizard ".CUE" File Stack Buffer Overflow
  • Description: Xilisoft Video Converter Wizard is a media file converter for Microsoft Windows. Xilisoft Video Converter Wizard is exposed to a stack-based buffer overflow issue because it fails to perform adequate checks on user-supplied input. Specifically, the issue occurs when parsing a specially crafted ".cue" file. Xilisoft Video Converter Wizard version 3 is affected.
  • Ref: http://www.securityfocus.com/bid/34472
  • 09.16.22 - CVE: Not Available
  • Platform: Third Party Windows Apps
  • Title: FTPDMIN "RNFR" Command Buffer Overflow
  • Description: FTPDMIN is an FTP server application for Microsoft Windows platforms. The software is exposed to a buffer overflow issue caused by a boundary error within the "RNFR" command.
  • Ref: http://www.securityfocus.com/archive/1/502621
  • 09.16.23 - CVE: Not Available
  • Platform: Third Party Windows Apps
  • Title: Multiple Mini-stream Software Products ".m3u" File Remote Stack Buffer Overflow
  • Description: Mini-stream Software provides multimedia applications for Microsoft Windows platforms. Multiple Mini-stream Software products are exposed to a remote stack-based buffer overflow issue because they fail to perform adequate checks on user-supplied input. Specifically, this issue occurs when opening a ".m3u" playlist file that contains an excessively long URI string.
  • Ref: http://www.securityfocus.com/bid/34494
  • 09.16.24 - CVE: CVE-2008-4830
  • Platform: Third Party Windows Apps
  • Title: SAP AG SAPgui KWEdit ActiveX Control Insecure Method Remote Code Execution
  • Description: SAP AG SAPgui is a graphical user interface (GUI) included in various SAP applications. SAPgui KWEdit ActiveX control is exposed to a remote code execution issue because the KWEdit control (provided by "KWEDIT.DLL") includes a method called "OpenDocument()" that allows an attacker to download and execute arbitrary files on the victim's computer in the context of the application running the affected control (typically Internet Explorer).
  • Ref: http://secunia.com/secunia_research/2008-56/
  • 09.16.25 - CVE: Not Available
  • Platform: Linux
  • Title: Linux Kernel CIFS Remote Buffer Overflow
  • Description: The Linux Kernel is prone to a buffer overflow vulnerability because it fails to perform adequate boundary checks on user-supplied data. Specifically, it fails to allocate sufficient memory for Unicode string conversion when processing the "nativeFileSystem" field of CIFS (Common Internet File System) trees. This error occurs in the "CIFSTCon()" function in the "fs/cifs/connect.c" source file. Linux Kernel version 2.6.29 is affected. Ref: http://lists.samba.org/archive/linux-cifs-client/2009-April/004322.html
  • 09.16.26 - CVE: Not Available
  • Platform: BSD
  • Title: OpenBSD PF Remote Denial of Service
  • Description: PF is a packet-filtering package that is integrated into the operating system's kernel. It originated in OpenBSD, and has since been ported to multiple other operating systems since, including FreeBSD. OpenBSD's PF is exposed to a remote denial of service issue that occurs due to a NULL pointer dereference error when translating specially crafted IP datagrams. OpenBSD versions 4.3, 4.4 and 4.5 are affected.
  • Ref: http://www.openbsd.org/security.html
  • 09.16.27 - CVE: CVE-2009-0793
  • Platform: Solaris
  • Title: Sun Solaris xscreensaver(1) Information Disclosure
  • Description: xscreensaver(1) is a screensaver with desktop-locking functionality. This feature is designed to prevent access to the desktop by users who don't have valid credentials. Sun Solaris xscreensaver(1) is exposed to an information disclosure issue. Specifically, this issue allows popup windows to appear through the locked screen. Solaris versions 8. 9, 10 and OpenSolaris are affected.
  • Ref: http://sunsolve.sun.com/search/document.do?assetkey=1-66-255308-1
  • 09.16.28 - CVE: Not Available
  • Platform: Cross Platform
  • Title: Gretech GOM Player ".srt" File Remote Buffer Overflow
  • Description: Gretech GOM Player is a multimedia player application. GOM Player is exposed to a remote stack-based buffer overflow issue because it fails to perform adequate checks on user-supplied input. Specifically, this issue occurs when the "srt2smi.exe" application parses malformed ".srt" files. GOM Player version 2.1.16.4613 is affected.
  • Ref: http://security.bkis.vn/?p=501
  • 09.16.29 - CVE: Not Available
  • Platform: Cross Platform
  • Title: IBM Lotus Domino IMAP Server Remote Denial of Service
  • Description: IBM Lotus Domino IMAP server is exposed to a remote denial of service issue because the software fails to properly handle certain email attachments. Specifically, the service crashes when handling email messages containing RFC822 attachments that include specially-crafted root entities. IBM Lotus Domino versions 8.5 and 8.0.2.1 are affected.
  • Ref: http://www-01.ibm.com/support/docview.wss?uid=swg21381562
  • 09.16.30 - CVE: CVE-2009-0196
  • Platform: Cross Platform
  • Title: Ghostscript
  • Description: Ghostscript is a set of tools and libraries for handling Portable Document Format (PDF) and PostScript files. Ghostscript is exposed to a remote heap-based buffer overflow issue because it fails to properly bounds check user-supplied input before copying it into a finite-sized buffer. Ghostscript version 8.64 is affected.
  • Ref: http://secunia.com/secunia_research/2009-21/
  • 09.16.31 - CVE: Not Available
  • Platform: Cross Platform
  • Title: ClamAV Prior to 0.95.1 Multiple Remote Denial of Service Vulnerabilities
  • Description: ClamAV is cross-platform security software providing antivirus, antispyware, and firewalling capabilities for both enterprise and endpoint-based systems. The application is exposed to multiple denial of service issues. ClamAV versions prior to 0.95.1 are affected.
  • Ref: https://wwws.clamav.net/bugzilla/show_bug.cgi?id=1553
  • 09.16.32 - CVE: CVE-2009-1267, CVE-2009-1268, CVE-2009-1269
  • Platform: Cross Platform
  • Title: Wireshark Prior to 1.0.7 Multiple Denial Of Service Vulnerabilities
  • Description: Wireshark (formerly Ethereal) is an application for analyzing network traffic; it is available for Microsoft Windows and UNIX-like operating systems. Wireshark is exposed to multiple issues. Wireshark versions prior to 1.0.7 are affected.
  • Ref: http://www.wireshark.org/security/wnpa-sec-2009-02.html
  • 09.16.33 - CVE: Not Available
  • Platform: Cross Platform
  • Title: Mongoose HTTP Server Directory Traversal
  • Description: Mongoose is an HTTP server. Mongoose is exposed to a directory traversal issue because it fails to sufficiently sanitize user-supplied input. Mongoose version 2.4 is affected.
  • Ref: http://www.securityfocus.com/archive/1/502648
  • 09.16.34 - CVE: CVE-2009-1244
  • Platform: Cross Platform
  • Title: VMware Multiple Hosted Products Display Function Code Execution
  • Description: Multiple VMware hosted products are exposed to code execution issue due to a problem in the virtual machine display function. An attacker in the guest operating system can exploit this issue to execute arbitrary code in the host system.
  • Ref: http://www.securityfocus.com/bid/34471
  • 09.16.35 - CVE: Not Available
  • Platform: Cross Platform
  • Title: Chance-i DiViS DVR System Web Server Directory Traversal
  • Description: Chance-i DiViS DVR System web server is a web server. Chance-i DiViS DVR System web server is exposed to a directory traversal issue because the application fails to sufficiently sanitize user-supplied input. Chance-i DiViS DVR System web server version 2.0 is affected.
  • Ref: http://www.securityfocus.com/archive/1/502604
  • 09.16.36 - CVE: Not Available
  • Platform: Cross Platform
  • Title: PHP cURL "safe_mode" and "open_basedir" Restriction Bypass
  • Description: PHP is a general-purpose scripting language that is especially suited for web development and can be embedded into HTML. PHP is exposed to a "safe_mode" and "open_basedir" restriction bypass issue. This vulnerability would be an issue in shared-hosting configurations where multiple users can create and execute arbitrary PHP script code, with the "safe_mode" and "open_basedir" restrictions assumed to isolate the users from each other. PHP version 5.2.9 is affected.
  • Ref: http://securityreason.com/achievement_securityalert/61
  • 09.16.37 - CVE: CVE-2009-0159
  • Platform: Cross Platform
  • Title: NTP "ntpq" Stack Buffer Overflow
  • Description: NTP is a NTP is a package of network-time related tools and daemons. It includes "ntpq", which is used to query remote NTPd services. The software is exposed to a stack-based buffer overflow issue caused by a boundary error within the "cookedprint()" function in the "ntpq/ntpq.c" source file.
  • Ref: http://bugs.pardus.org.tr/show_bug.cgi?id=9532
  • 09.16.38 - CVE: Not Available
  • Platform: Cross Platform
  • Title: IBM Rational ClearCase UCM-CQ Information Disclosure
  • Description: IBM Rational ClearCase is an application for software configuration management. The application is exposed to a local information disclosure issue. Specifically, when a user runs the "ps - -ef" command, UCM-CQ may disclose the database username and password. IBM Rational ClearCase version 7.0.1.2 is affected.
  • Ref: http://www-01.ibm.com/support/docview.wss?uid=swg1PK75832
  • 09.16.39 - CVE: CVE-2009-0681
  • Platform: Cross Platform
  • Title: PGP Desktop "pgpdisk.sys" Local Denial of Service
  • Description: PGP Desktop is an encryption application. PGP Desktop is exposed to a local denial of service issue in the "pgpdisk.sys" driver. This issue occurs because the driver fails to sufficiently validate user-supplied data associated with the Irp object. PGP Desktop versions prior to 9.10 are affected.
  • Ref: http://www.securityfocus.com/archive/1/502633
  • 09.16.40 - CVE: Not Available
  • Platform: Cross Platform
  • Title: Octopussy Versions Prior to 0.9.5.8 Unspecified Vulnerability
  • Description: Octopussy is a log analyzer, alerter and reporter application. The application is exposed to an unspecified issue. Octopussy versions prior to 0.9.5.8 are affected.
  • Ref: http://freshmeat.net/projects/octopussy/releases/275561
  • 09.16.41 - CVE: CVE-2009-0892
  • Platform: Cross Platform
  • Title: IBM WebSphere Application Server Forced Logout Session Hijacking
  • Description: IBM WebSphere Application Server (WAS) is an application server used for service-oriented architecture. The application is exposed to a session hijacking issue that is related to the "forced logout" feature. WebSphere Application Server versions prior to 6.1.0.23 and 7.0.0.3 are vulnerable.
  • Ref: http://xforce.iss.net/xforce/xfdb/49499
  • 09.16.42 - CVE: CVE-2009-1172
  • Platform: Cross Platform
  • Title: IBM WebSphere Application Server "UsernameToken" Unspecified Security
  • Description: IBM WebSphere Application Server is a utility designed to facilitate the creation of various enterprise web applications. IBM WebSphere Application Server is exposed to an unspecified security issue that affects the JAX-RPC WS-Security runtime in the Web Services Security component. WebSphere Application Server versions prior to 6.1.0.23 and 7.0.0.3 are affected.
  • Ref: http://www-01.ibm.com/support/docview.wss?uid=swg27014463
  • 09.16.43 - CVE: CVE-2009-1174
  • Platform: Cross Platform
  • Title: IBM WebSphere Application Server XML Digital Signature Unspecified Security
  • Description: IBM WebSphere Application Server is a utility designed to facilitate the creation of various enterprise web applications. WebSphere Application Server is exposed to an unspecified security issue that affects the XML Digital Signature Specification in the Web Services Security component. WebSphere Application Server versions prior to 7.0.0.3 are affected.
  • Ref: http://www-01.ibm.com/support/docview.wss?uid=swg27014463
  • 09.16.44 - CVE: Not Available
  • Platform: Cross Platform
  • Title: TeX Live ".bib" File Buffer Overflow
  • Description: TeX Live is a suite of applications that facilitate the implementation of a comprehensive TeX system. TeX Live is available for various platforms. The application is exposed to a heap-based buffer overflow issue because it fails to perform adequate boundary checks on user-supplied data. This issue occurs when handling malicious BibTeX (.bib) files. TeX Live 20080816 is affected.
  • Ref: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=520920
  • 09.16.45 - CVE: CVE-2009-1215
  • Platform: Cross Platform
  • Title: GNU screen Insecure Temporary File Creation
  • Description: GNU screen is a full screen window manager application. The application uses temporary files in an insecure manner. An attacker with local access could perform symbolic-link attacks, overwriting arbitrary files in the context of the affected application. Specifically, this issue affects the "/tmp/screen-exchange" file. GNU screen version 4.0.3 is affected.
  • Ref: http://www.openwall.com/lists/oss-security/2009/03/25/7
  • 09.16.46 - CVE: CVE-2009-1232
  • Platform: Cross Platform
  • Title: Mozilla Firefox XUL Parser Start Tags Denial of Service
  • Description: Mozilla Firefox is a browser available for multiple platforms. The browser is exposed to a remote denial of service issue. Specifically, the issue occurs when parsing a malicious XML document containing a long series of start-tags and no corresponding end-tags. This causes memory corruption and crashes the browser. Mozilla Firefox versions 3.0.1 through 3.0.8 are affected.
  • Ref: https://bugzilla.mozilla.org/show_bug.cgi?id=485941
  • 09.16.47 - CVE: CVE-2008-5259
  • Platform: Cross Platform
  • Title: DivX Web Player "STRF" Chunk Processing Remote Buffer Overflow
  • Description: DivX Web Player is a freely available application for watching DivX-encoded video content. It is included with software provided by DivX Inc. The application is exposed to a heap-based buffer overflow issue because it fails to perform adequate boundary checks on user-supplied input. This issue occurs when the application handles "STRF" (Stream Format) chunks. DivX Web Player version 1.4.2.7 is affected.
  • Ref: http://secunia.com/secunia_research/2008-57/
  • 09.16.48 - CVE: Not Available
  • Platform: Web Application - Cross Site Scripting
  • Title: LinPHA 1.3.4 Multiple Cross-Site Scripting Vulnerabilities
  • Description: LinPHA is a PHP-based image gallery application. The application is exposed to multiple cross-site scripting issues because it fails to sufficiently sanitize user-supplied input data. LinPHA version 1.3.4 is affected.
  • Ref: http://www.securityfocus.com/bid/34422
  • 09.16.49 - CVE: Not Available
  • Platform: Web Application - Cross Site Scripting
  • Title: net2ftp Multiple Cross-Site Scripting Vulnerabilities
  • Description: net2ftp is a web-based FTP client. The program is exposed to multiple cross-site scripting issues because it fails to properly sanitize user-supplied input. Specifically, the issues present themselves because the "validateGenericInput" function uses an incorrect regular expression to extract characters. net2ftp versions 0.98 and earlier are affected.
  • Ref: http://www.securityfocus.com/archive/1/502571
  • 09.16.50 - CVE: Not Available
  • Platform: Web Application - Cross Site Scripting
  • Title: IBM Tivoli Continuous Data Protection for Files Cross-Site Scripting
  • Description: IBM Tivoli Continuous Data Protection for Files is a real-time, continuous data protection solution for file servers and user endpoints. The application is exposed to a cross-site scripting issue because it fails to sufficiently sanitize user-supplied input to the "reason" parameter of "login/FilepathLogin.html". IBM Tivoli Continuous Data Protection for Files version 3.1.4.0 is affected. Ref: http://www.insight-tech.org/index.php?p=IBM-Tivoli-Continuous-Data-Protection-for-Files-version-3-1-4-0---XSS
  • 09.16.51 - CVE: Not Available
  • Platform: Web Application - Cross Site Scripting
  • Title: MoziloCMS Local File Include and Cross-Site Scripting Vulnerabilities
  • Description: MoziloCMS is a web-based content management system implemented in PHP. The application is exposed to multiple issues because it fails to properly sanitize user-supplied input. MoziloCMS version 1.11 is affected.
  • Ref: http://www.securityfocus.com/bid/34474
  • 09.16.52 - CVE: Not Available
  • Platform: Web Application - Cross Site Scripting
  • Title: HP Deskjet 6840 "refresh_rate.htm" Cross-Site Scripting
  • Description: HP Deskjet 6840 are a color inkjet printers containing a built-in web administration application. The application is exposed to a cross-site scripting issue because it fails to sufficiently sanitize user-supplied input to the "refresh_rate.htm" script. This vulnerability requires that the data be submitted via POST requests.
  • Ref: http://www.securityfocus.com/archive/1/502620
  • 09.16.53 - CVE: Not Available
  • Platform: Web Application - Cross Site Scripting
  • Title: DotNetNuke PayPal IPN "paypalipn.aspx" Cross-Site Scripting
  • Description: DotNetNuke is an open-source framework used to create and deploy web sites. The application is exposed to a cross-site scripting issue because it fails to properly sanitize user-supplied input in the "WebsiteadminSalespaypalipn.aspx" script. DotNetNuke versions prior to 4.9.3 are affected. Ref: http://www.dotnetnuke.com/News/SecurityPolicy/Securitybulletinno25/tabid/1260/Default.aspx
  • 09.16.54 - CVE: CVE-2008-6571
  • Platform: Web Application - Cross Site Scripting
  • Title: LinPHA Prior to 1.3.4 Multiple Cross-Site Scripting Vulnerabilities
  • Description: LinPHA is a PHP-based image gallery. The application is exposed to multiple cross-site scripting issues because it fails to sufficiently sanitize user-supplied input data. LinPHA versions prior to 1.3.4 are affected. Ref: http://sourceforge.net/tracker/?func=detail&aid=1939188&group_id=64772&atid=508614
  • 09.16.55 - CVE: Not Available
  • Platform: Web Application - Cross Site Scripting
  • Title: ASP Product Catalog "search.asp" Cross-Site Scripting
  • Description: ASP Product Catalog is a web-based application implemented in ASP. The application is exposed to a cross-site scripting issue because it fails to sufficiently sanitize user-supplied input to the "keywords" parameter of the "search.asp" script. ASP Product Catalog 1.0 Beta 1 is vulnerable; other versions may also be vulnerable.
  • Ref: http://www.securityfocus.com/bid/34504
  • 09.16.56 - CVE: Not Available
  • Platform: Web Application - Cross Site Scripting
  • Title: Banshee DAAP Extension "apps/web/vs_diag.cgi" Cross-Site Scripting
  • Description: Banshee DAAP Extension is an extension for the Banshee media player. The application is exposed to a cross-site scripting issue because it fails to sufficiently sanitize user-supplied input to the "apps/web/vs_diag.cgi" script. DAAP Extension for Banshee version 1.4.2 is affected.
  • Ref: http://bugzilla.gnome.org/show_bug.cgi?id=577270
  • 09.16.57 - CVE: CVE-2009-0237
  • Platform: Web Application - Cross Site Scripting
  • Title: Microsoft ISA Server and Forefront Threat Management Gateway Cross-Site Scripting
  • Description: Microsoft ISA (Internet Security and Acceleration) Server and Forefront Threat Management Gateway (TMG) are prone to a cross-site scripting vulnerability because the software fails to sufficiently validate user-supplied input. Specifically, this issue affects the "cookieauth.dll" library.
  • Ref: http://www.microsoft.com/technet/security/Bulletin/MS09-016.mspx
  • 09.16.58 - CVE: Not Available
  • Platform: Web Application - Cross Site Scripting
  • Title: Zazzle Store Builder Multiple Cross-Site Scripting Vulnerabilities
  • Description: Zazzle Store Builder is a web-based application. The application is exposed to multiple cross-site scripting issues because it fails to sufficiently sanitize user-supplied input to the "gridPage" and "gridSort" parameters of the "include/zstore.php" script. Zazzle Store Builder version 1.0.2 is affected.
  • Ref: http://holisticinfosec.org/content/view/102/45/
  • 09.16.59 - CVE: Not Available
  • Platform: Web Application - SQL Injection
  • Title: Aqua CMS 1.1 Multiple SQL Injection Vulnerabilities
  • Description: Aqua CMS is a PHP-based content manager. The application is exposed to multiple SQL injection issues affecting the following scripts and parameters: "/droplets/functions/base.php": "userSID" and "/admin/index.php": "username". Aqua CMS version 1.1 is affected.
  • Ref: http://www.securityfocus.com/bid/34516
  • 09.16.60 - CVE: Not Available
  • Platform: Web Application - SQL Injection
  • Title: RQMS Multiple SQL Injection Vulnerabilities
  • Description: RQMS (RASH Quote Management System) is a PHP-based quotation management application. The application is exposed to multiple SQL injection issues. A successful exploit may allow an attacker to compromise the application, access or modify data, or exploit latent vulnerabilities in the underlying database. RQMS versions 1.2.1 and 1.2.2 are affected.
  • Ref: http://www.securityfocus.com/bid/34518
  • 09.16.61 - CVE: Not Available
  • Platform: Web Application - SQL Injection
  • Title: BackendCMS "main.asp" SQL Injection
  • Description: BackendCMS is a content manager implemented in ASP. The application is exposed to an SQL-injection vulnerability because it fails to sufficiently sanitize user-supplied data to the "id" parameter of the "main.asp" script before using it in an SQL query. BackendCMS version 5.0 is affected.
  • Ref: http://www.securityfocus.com/bid/34455
  • 09.16.62 - CVE: Not Available
  • Platform: Web Application - SQL Injection
  • Title: Geeklog "SEC_authenticate()" SQL Injection
  • Description: Geeklog is a web application implemented in PHP. The application is exposed to an SQL injection issue because it fails to sufficiently sanitize user-supplied data before using it in an SQL query. Specifically, this issue occurs because data taken from HTTP authentication headers may be passed without validation to the "SEC_authenticate()" function in the "system/lib-security.php" source file. Geeklog versions 1.5.2 and earlier are affected.
  • Ref: http://www.securityfocus.com/archive/1/502579
  • 09.16.63 - CVE: Not Available
  • Platform: Web Application - SQL Injection
  • Title: WebFileExplorer "body.asp" SQL Injection
  • Description: WebFileExplorer is a file management application implemented in ASP. The application is exposed to an SQL injection issue because it fails to sufficiently sanitize user-supplied data to the "id" parameter of the "body.asp" script before using it in an SQL query. WebFileExplorer version 3.1 is affected.
  • Ref: http://www.securityfocus.com/bid/34462
  • 09.16.64 - CVE: Not Available
  • Platform: Web Application - SQL Injection
  • Title: XIGLA Absolute Form Processor XE "login.asp" SQL Injection
  • Description: Absolute Form Processor XE is an ASP-based web application. The application is exposed to an SQL injection issue because it fails to sufficiently sanitize user-supplied data to the "username" input field of the "login.asp" script before using it in an SQL query. Absolute Form Processor XE version 1.5 is affected.
  • Ref: http://www.securityfocus.com/bid/34463
  • 09.16.65 - CVE: Not Available
  • Platform: Web Application - SQL Injection
  • Title: My Dealer CMS "admin/login.php" Multiple SQL Injection Vulnerabilities
  • Description: My Dealer CMS is a web-based content manager implemented in PHP. The application is exposed to multiple SQL injection issues because it fails to sufficiently sanitize user-supplied data to the "Username" and "Password" textboxes when logging in to the application through the "admin/login.php" script. My Dealer CMS version 2.0 is affected.
  • Ref: http://www.securityfocus.com/bid/34464
  • 09.16.66 - CVE: Not Available
  • Platform: Web Application - SQL Injection
  • Title: Dynamic Flash Forum Multiple SQL Injection Vulnerabilities
  • Description: Dynamic Flash Forum is a PHP-based web forum application. The application is exposed to multiple SQL injection issues. A successful exploit may allow an attacker to compromise the application, access or modify data, or exploit latent vulnerabilities in the underlying database. Dynamic Flash Forum version 1.0 Beta is affected.
  • Ref: http://www.securityfocus.com/archive/1/502606
  • 09.16.67 - CVE: Not Available
  • Platform: Web Application - SQL Injection
  • Title: Loggix Project "post.php" SQL Injection
  • Description: Loggix Project is a PHP and MySQL based content management system. The application is exposed to an SQL injection issue because it fails to sufficiently sanitize user-supplied data to the "refer_id" parameter of the "modules/comment/post.php" script before using it in an SQL query. Loggix Project version 9.4.5 isaffected.
  • Ref: http://www.securityfocus.com/archive/1/502609
  • 09.16.68 - CVE: Not Available
  • Platform: Web Application - SQL Injection
  • Title: w3bcms Guestbook Module "index.inc.php" SQL Injection
  • Description: w3bcms is a PHP-based content manager. The guestbook module is eposed to an SQL injection issue because it fails to sufficiently sanitize user-supplied data to the "spam_id" parameter of the "book/index.inc.php" script.
  • Ref: http://www.securityfocus.com/bid/34477
  • 09.16.69 - CVE: Not Available
  • Platform: Web Application - SQL Injection
  • Title: SilverStripe "filename" Parameter SQL Injection
  • Description: SilverStripe is a PHP-based content manager. The application is exposed to an SQL injection issue because it fails to sufficiently sanitize user-supplied data to the "filename" parameter of the "File::find()" function before using it in an SQL query. SilverStripe versions prior to 2.3.1 are affected.
  • Ref: http://open.silverstripe.com/ticket/3721
  • 09.16.70 - CVE: Not Available
  • Platform: Web Application - SQL Injection
  • Title: People-Trak Login SQL Injection
  • Description: People-Trak is a web-based application implemented in ASP. The application is exposed to an SQL injection issue because it fails to sufficiently sanitize user-supplied data to the "username" parameter of the "index.asp" script when the "fuseaction" parameter is set to "login".
  • Ref: http://www.securityfocus.com/bid/34491
  • 09.16.71 - CVE: Not Available
  • Platform: Web Application - SQL Injection
  • Title: e107 User Journals Plugin "userjournals.php" SQL Injection
  • Description: User Journals is a plugin for the e107 CMS content manager. The plugin is exposed to an SQL injection issue because it fails to sufficiently sanitize user-supplied data submitted as the blog ID to the "userjournals.php" script before using it in an SQL query. User Journals versions 0.7 through 0.8 are affected.
  • Ref: http://www.securityfocus.com/bid/34495
  • 09.16.72 - CVE: Not Available
  • Platform: Web Application - SQL Injection
  • Title: FreznoShop "product_details.php" SQL Injection
  • Description: FreznoShop is a web-based shopping cart application implemented in PHP. The application is exposed to an SQL injection issue because it fails to sufficiently sanitize user-supplied data to the "id" parameter of the "product_details.php" script before using it in an SQL query. FreznoShop version 1.3.0 is affected.
  • Ref: http://www.securityfocus.com/bid/34496
  • 09.16.73 - CVE: Not Available
  • Platform: Web Application - SQL Injection
  • Title: Multiple XEngineSoft Products Login Parameters Multiple SQL Injection Vulnerabilities
  • Description: XEngineSoft produces a number of PHP-based web applications. The applications are exposed to multiple SQL injection issues because they fail to sufficiently sanitize user-supplied data provided to the "Username" and "Password" form fields.
  • Ref: http://www.securityfocus.com/bid/34493
  • 09.16.74 - CVE: Not Available
  • Platform: Web Application
  • Title: Xplode "module_wrapper.asp" SQL Injection and Cross-Site Scripting Vulnerabilities
  • Description: Xplode is an ASP-based content manager. Xplode is exposed to an SQL injection issue and a cross-site scripting issue because it fails to sufficiently sanitize user-supplied data. Specifically, the cross-site scripting issue affects the "SearchString" parameter and the SQL-injection issue affects the "wrap_script" parameter in the "module_wrapper.asp" script.
  • Ref: http://www.securityfocus.com/bid/34419
  • 09.16.75 - CVE: Not Available
  • Platform: Web Application
  • Title: OpenGoo Multiple Cross-Site Scripting and HTML Injection Vulnerabilities
  • Description: OpenGoo is a web-based application implemented in PHP. The application is exposed to multiple cross-site scripting and HTML injection issues because it fails to sufficiently sanitize user-supplied data. OpenGoo versions 1.3 and 1.3.1 are affected.
  • Ref: http://www.securityfocus.com/bid/34428
  • 09.16.76 - CVE: Not Available
  • Platform: Web Application
  • Title: SASPCMS SQL Injection and Cross-Site Scripting Vulnerabilities
  • Description: SASPCMS (Simple ASP CMS) is an ASP-based content manager. SASPCMS is exposed to multiple input validation issues because it fails to sufficiently sanitize user-supplied data. SASPCMS version 0.9 is affected.
  • Ref: http://www.securityfocus.com/archive/1/502558
  • 09.16.77 - CVE: Not Available
  • Platform: Web Application
  • Title: Joomla! cmimarketplace Component "viewit" Parameter Directory Traversal
  • Description: cmimarketplace is a component for the Joomla! content management system. The application is exposed to a directory traversal issue because it fails to sufficiently sanitize user-supplied input to the "viewit" parameter of the "index.php" script. cmimarketplace version 0.1 is affected.
  • Ref: http://www.securityfocus.com/bid/34431
  • 09.16.78 - CVE: Not Available
  • Platform: Web Application
  • Title: Photo-Graffix "mp3upload.htm" Arbitrary File Upload
  • Description: Photo-Graffix is a Flash-based multimedia gallery application. The application is exposed to an issue that lets attackers upload arbitrary files. The issue occurs because the application fails to adequately sanitize user-supplied input before uploading files with the "mp3upload.htm" script. Photo-Graffix version 3.4 is affected.
  • Ref: http://www.securityfocus.com/bid/34434
  • 09.16.79 - CVE: Not Available
  • Platform: Web Application
  • Title: Photo-Graffix "wmprocess.php" Local File Include
  • Description: Photo-Graffix is a Flash-based multimedia gallery application. The application is exposed to a local file include issue because it fails to properly sanitize user-supplied input to the "tdir" parameter of the "wmprocess.php" script. Photo-Graffix version 3.4 is affected.
  • Ref: http://www.securityfocus.com/bid/34436
  • 09.16.80 - CVE: Not Available
  • Platform: Web Application
  • Title: IBM BladeCenter Advanced Management Module Multiple Remote Vulnerabilities
  • Description: IBM BladeCenter Advanced Management Module is a web application for managing BladeCenter hardware devices. The application is exposed to multiple remote issues. BladeCenter Advanced Management Module versions prior to 1.42U are affected. Ref: http://www-947.ibm.com/systems/support/supportsite.wss/docdisplay?lndocid=MIGR-5076204&brandind=5000020
  • 09.16.81 - CVE: Not Available
  • Platform: Web Application
  • Title: AdaptBB Multiple Input Validation Vulnerabilities
  • Description: AdaptBB is a web-based application implemented in PHP. The application is exposed to multiple input validation issues. AdaptBB version 1.0 Beta is affected.
  • Ref: http://www.securityfocus.com/bid/34452
  • 09.16.82 - CVE: Not Available
  • Platform: Web Application
  • Title: PowerCHM HTML File Stack Buffer Overflow
  • Description: PowerCHM is an application used to generate Windows help files. The application is exposed to a stack-based buffer overflow issue because it fails to perform adequate boundary checks on user-supplied input. This issue occurs when the application fails to handle malformed HTML files that contain an excessively long "href" tag. PowerCHM version 5.7 is affected.
  • Ref: http://www.securityfocus.com/bid/34517
  • 09.16.83 - CVE: Not Available
  • Platform: Web Application
  • Title: Cisco Subscriber Edge Services Manager Cross-Site Scripting and HTML Injection Vulnerabilities
  • Description: Cisco Subscriber Edge Services Manager is a set of networking tools used to manage subscriber services on Service Selection Gateway (SSG)-enabled networks. The application is exposed to an unspecified cross-site scripting issue and an unspecified HTML injection vulnerability because it fails to sufficiently sanitize user-supplied data.
  • Ref: http://www.xc0re.net/index.php?p=1_17_Cisco-Subscriber-Edge-Servi ces-Manager-Multiple-Vulnerabilities
  • 09.16.84 - CVE: Not Available
  • Platform: Web Application
  • Title: Jamroom "t" Parameter Local File Include
  • Description: Jamroom is a web-based media content manager for artists. The application is exposed to a local file include issue because it fails to properly sanitize user-supplied input to the "t" parameter of the "index.php" script. Jamroom versions 3.1.2, 3.2.3, 3.2.4, 3.2.5, 3.2.6 and 4.0.2 are affected.
  • Ref: http://www.securityfocus.com/bid/34511
  • 09.16.85 - CVE: Not Available
  • Platform: Web Application
  • Title: AbleSpace Multiple Input Validation Vulnerabilities
  • Description: AbleSpace is a PHP-based web application. The application is exposed to multiple input validation issues because it fails to sufficiently sanitize user-supplied input. AbleSpace version 1.0 is affected.
  • Ref: http://www.securityfocus.com/archive/1/502670
  • 09.16.86 - CVE: Not Available
  • Platform: Web Application
  • Title: Redaxscript "language" Parameter Local File Include
  • Description: Redaxscript is a web-based content management system implemented in PHP. The application is exposed to a local file include issue because it fails to properly sanitize user-supplied input to the "language" parameter of the "index.php" script. Redaxscript version 0.2.0 is affected.
  • Ref: http://www.securityfocus.com/bid/34476
  • 09.16.87 - CVE: Not Available
  • Platform: Web Application
  • Title: Flatnuke "level" Parameter Unauthorized Access
  • Description: Flatnuke is a PHP-based content manager that uses flat text files instead of a database. The application is exposed to an unauthorized access issue because it fails to adequately verify user-supplied input before granting administrative credentials. Flatnuke version 2.7.1 is affected.
  • Ref: http://www.securityfocus.com/bid/34486
  • 09.16.88 - CVE: Not Available
  • Platform: Web Application
  • Title: HTML Email Creator HTML Tags Multiple Buffer Overflow Vulnerabilities
  • Description: HTML Email Creator is an application that allows users to create HTML emails. HTML Email Creator is exposed to multiple remote buffer overflow issues because it fails to perform adequate checks on user-supplied input. HTML Email Creator version 2.1 build 668 is affected.
  • Ref: http://www.securityfocus.com/bid/34487
  • 09.16.89 - CVE: Not Available
  • Platform: Web Application
  • Title: X10Media Automatic MP3 Search Engine "admin/admin.php" Unauthorized Access
  • Description: X10Media Automatic MP3 Search Engine is a PHP-based MP3 search application. The application is exposed to an access validation issue because it fails to properly restrict access to the "admin/admin.php" script.
  • Ref: http://www.securityfocus.com/bid/34489
  • 09.16.90 - CVE: Not Available
  • Platform: Web Application
  • Title: Yellow Duck Weblog "include/languages/check.php" Local File Include
  • Description: Yellow Duck Weblog is a web-based application implemented in PHP. The application is exposed to a local file include issue because it fails to properly sanitize user-supplied input to the "lang" parameter of the "include/languages/check.php" script. Yellow Duck Weblog version 2.1.0 is affected.
  • Ref: http://www.securityfocus.com/bid/34492
  • 09.16.91 - CVE: Not Available
  • Platform: Web Application
  • Title: Revista Multiple Input Validation Vulnerabilities
  • Description: Revista is a Spanish PHP magazine editor. The application is exposed to multiple issues because it fails to adequately sanitize user-supplied input. Revista version 1.1.2 is affected.
  • Ref: http://www.securityfocus.com/bid/34505
  • 09.16.92 - CVE: Not Available
  • Platform: Web Application
  • Title: NanoCMS "/data/pagesdata.txt" Password Hash Information Disclosure
  • Description: NanoCMS is a web-based content manager. The application is exposed to an information disclosure issue because it fails to properly restrict access to the "/data/pagesdata.txt" script. Attackers can exploit the issue to gain access to user names and password hashes. NanoCMS version 0.4_final is affected.
  • Ref: http://www.madirish.net/vulnerabilities/nanocms
  • 09.16.93 - CVE: Not Available
  • Platform: Web Application
  • Title: GuestCal "lang" Parameter Local File Include
  • Description: GuestCal is a web-based calendar application implemented in PHP. The application is exposed to a local file include issue because it fails to properly sanitize user-supplied input to the "lang" parameter of the "index.php" script. This is the result of an error in the "includes/ini.inc.php" source file. GuestCal version 2.1 is affected.
  • Ref: http://www.securityfocus.com/bid/34519
  • 09.16.94 - CVE: CVE-2009-1285
  • Platform: Web Application
  • Title: phpMyAdmin Configuration File PHP Code Injection
  • Description: phpMyAdmin is a PHP-based web application. phpMyAdmin is exposed to an issue that lets attackers inject arbitrary PHP code. The issue occurs because the application fails to properly sanitize user-supplied input to the setup script. phpMyAdmin 3.x versions prior to 3.1.3.2 are affected.
  • Ref: http://www.phpmyadmin.net/home_page/security/PMASA-2009-4.php
  • 09.16.95 - CVE: Not Available
  • Platform: Web Application
  • Title: WikkaWiki Security Bypass
  • Description: WikkaWiki is a wiki application implemented in PHP. WikkaWiki is exposed to a security bypass issue that occurs when certain HTTP requests are processed. Specifically, this issue arises because the application fails to perform access validation checks and carries out attacker-specified actions when an administrative user subsequently views the malicious content. WikkaWiki version 1.1.6.6 is affected.
  • Ref: http://www.securityfocus.com/bid/34528
  • 09.16.96 - CVE: CVE-2009-1155, CVE-2009-1156, CVE-2009-1157,CVE-2009-1158, CVE-2009-1159, CVE-2009-1160
  • Platform: Network Device
  • Title: Cisco PIX and ASA Multiple Denial of Service, ACL Bypass, and Authentication Bypass Vulnerabilities
  • Description: Cisco PIX Security Appliance and ASA 5500 Series Adaptive Security Appliance are security devices. The appliances are exposed to multiple security issues. Ref: http://www.cisco.com/en/US/products/products_security_advisory09186a0080a994f6.shtml#@ID
  • 09.16.97 - CVE: Not Available
  • Platform: Network Device
  • Title: Linksys WRT160N Wireless Router Cross-Site Request Forgery
  • Description: The Linksys WRT160N wireless router is a network device designed for home use. The router is exposed to a cross-site request forgery issue. Attackers can exploit this issue by tricking a victim into visiting a malicious webpage. Linksys WRT160N running firmware version 1.02.2 is affected.
  • Ref: http://holisticinfosec.org/content/view/109/45/
  • 09.16.98 - CVE: Not Available
  • Platform: Network Device
  • Title: Nortel Application Gateway 2000 "adminDownloads.htm" Password Disclosure
  • Description: Nortel Application Gateway 2000 provides users with voice and data applications on Nortel IP phones. Nortel Application Gateway 2000 is exposed to a password disclosure issue due to a design error. Specifically, the device fails to restrict access to the HTML source code contained in the "adminDownload.htm" script. The script contains the password of the administrator.
  • Ref: http://support.nortel.com/go/main.jsp?cscat=BLTNDETAIL&id=865005

(c) 2009. All rights reserved. The information contained in this newsletter, including any external links, is provided "AS IS," with no express or implied warranty, for informational purposes only. In some cases, copyright for material in this newsletter may be held by a party other than Qualys (as indicated herein) and permission to use such material must be requested from the copyright owner.

Subscriptions: @RISK is distributed free of charge by the SANS Institute to people responsible for managing and securing information systems and networks. You may forward this newsletter to others with such responsibility inside or outside your organization.

SANS and their instructors bring "real-world" experience to the InfoSec Industry. It is really nice to receive useful training without the vendor spin.
-Marc Dolce, Core Business Technology Solutions

SANS 2010-sky-c

Contact us: (301) 654-SANS(7267)
Monday - Friday 9am-8pm EST/EDT