@RISK: The Consensus Security Vulnerability Alert
Volume: VIII, Issue: 17
April 23, 2009
This week it is Firefox, Thunderbird and the BlackBerry that have announced critical security problems. The first two have vulnerabilities related to memory corruption, cross-site scripting, cross-site request forgery, script injection, same-origin policy bypass, information disclosure and URL spoofing. The BlackBerry problem is in handling PDF attachments. Alan
@RISK is the SANS community's consensus bulletin summarizing the most
important vulnerabilities and exploits identified during the past week
and providing guidance on appropriate actions to protect your systems
(PART I). It also includes a comprehensive list of all new
vulnerabilities discovered in the past week (PART II).
Summary of the vulnerabilities reported this week:

Platform                                 Number of Updates and Vulnerabilities
------------------------                 -------------------------------------
Other Microsoft Products                 4 (#3)
Third Party Windows Apps                 7 (#2)
Cross Platform                           22 (#1, #5, #6, #7)
Web Application - Cross Site Scripting   11
Web Application - SQL Injection          20
Table Of Contents
Part II -- Comprehensive List of Newly Discovered Vulnerabilities from Qualys (www.qualys.com)
Other Microsoft Products
Third Party Windows Apps
Linux
Solaris
Aix
Unix
Novell
Cross Platform
Web Application - Cross Site Scripting
Web Application - SQL Injection
Web Application
Network Device
PART I Critical Vulnerabilities
Part I for this issue has been compiled by Rohan Kotian at TippingPoint,
a division of 3Com, as a by-product of that company's continuous effort
to ensure that its intrusion prevention products effectively block
exploits using known vulnerabilities. TippingPoint's analysis is
complemented by input from a council of security managers from twelve
large organizations who confidentially share with SANS the specific
actions they have taken to protect their systems. A detailed description
of the process may be found at
http://www.sans.org/newsletters/cva/#process
Widely Deployed Software
- (1) CRITICAL: Multiple Mozilla Products Multiple Vulnerabilities
- Affected:
- Mozilla Firefox versions prior to 3.0.9
- Mozilla SeaMonkey versions prior to 1.1.17
- Thunderbird versions prior to 2.0.0.22
Description: Multiple Mozilla products, including the popular Firefox web browser, Thunderbird email client and SeaMonkey application suite, contain multiple vulnerabilities in their handling of a variety of inputs. Among them are memory corruption, cross-site scripting, cross-site request forgery, script injection, same-origin policy bypass, information disclosure and URL spoofing. Successful exploitation of some of these vulnerabilities might lead to arbitrary code execution. Full technical details for these vulnerabilities are publicly available via source code analysis.
Status: Vendor confirmed, updates available.
- References:
- (2) CRITICAL: BlackBerry Attachment Service PDF distiller Multiple Vulnerabilities
- Affected:
- BlackBerry Enterprise Server version 4.1 Service Pack 3 (4.1.3) through 4.1 Service Pack 6 (4.1.6)
- BlackBerry Professional Software 4.x
Description: The Research In Motion BlackBerry is a popular mobile telephone and messaging device. BlackBerry handheld devices are integrated with an enterprise's messaging infrastructure through BlackBerry Enterprise Server. This server software and the BlackBerry Professional Software have vulnerabilities in the BlackBerry Attachment Service, a service used to view different file formats. The errors are within the PDF distiller component of the Attachment Service and can be triggered by a specially crafted PDF file opened on a BlackBerry device. Successful exploitation can lead to arbitrary code execution. Note that a user must first open the PDF on a BlackBerry mobile device for exploitation to occur. No technical details are publicly available.
Status: Vendor confirmed, updates available.
- References:
- (3) HIGH: Microsoft Whale IAG ActiveX Control Multiple Buffer Overflow Vulnerabilities
- Affected:
- Microsoft Intelligent Application Gateway 2007 prior to 3.7 SP2
Description: Microsoft Whale Intelligent Application Gateway (IAG) is a VPN solution that provides secure remote access to corporate networks. It installs the "WhlMgr.dll" ActiveX control, which contains multiple stack-based buffer overflows. The control is identified by CLSID 8D9563A9-8D5F-459B-87F2-BA842255CB9A. The specific errors are in the "CheckForUpdates()" and "UpdateComponents()" methods when specially crafted arguments are passed to them. A malicious web page that instantiates this control could exploit these vulnerabilities to execute arbitrary code with the privileges of the current user; the user would have to be enticed to visit such a page.
Status: Vendor confirmed, updates available.
- References:
- (4) HIGH: Linux Kernel CIFS Session Setup Buffer Overflow Vulnerability
- Affected:
- Linux Kernel versions 2.6.x
Description: The Linux kernel is prone to a buffer overflow vulnerability that could be used by attackers to cause a denial-of-service condition or execute arbitrary code on the affected system. The alignment of the Unicode string area is handled incorrectly in "decode_unicode_ssetup()"; combined with the undersized buffer allocated for the Common Internet File System (CIFS) serverDomain string, this can lead to a buffer overflow. Technical details for these vulnerabilities are available via source code analysis.
Status: Vendor confirmed, no updates available.
- References:
- (5) MODERATE: HP StorageWorks Storage Mirroring Multiple Vulnerabilities
- Affected:
- HP StorageWorks Storage Mirroring Software 5.1
- HP StorageWorks Storage Mirroring Software 5.0
Description: HP StorageWorks is a popular storage management system. Its Storage Mirroring software is vulnerable to remote code execution and denial-of-service attacks. There are unspecified errors which can be used to cause a denial-of-service condition, gain unauthorized access, and execute arbitrary code on the vulnerable system. No other details are provided for these vulnerabilities as yet.
Status: Vendor confirmed, updates available.
- References:
- (6) MODERATE: Xpdf JBIG2 Processing Multiple Vulnerabilities
- Affected:
- Xpdf versions prior to 3.02pl3
Description: Xpdf is a Portable Document Format (PDF) viewer for the X Window System and Motif. It is open source and runs on almost any Unix-like operating system. Multiple vulnerabilities have been identified in Xpdf that can be triggered by processing a specially crafted PDF file containing JBIG2 data: a buffer overflow while decoding JBIG2 symbol dictionary segments, and multiple integer and buffer overflows elsewhere in the JBIG2 decoder. All of these errors are in the "xpdf/JBIG2Stream.cc" source file and are reached when a malicious PDF file is processed. Successful exploitation might lead to arbitrary code execution. Note that, depending on the application and configuration, PDF documents may be opened automatically upon download. Technical details for these vulnerabilities are available via source code analysis.
Status: Vendor confirmed, updates available.
- References:
- (7) MODERATE: cTorrent and dTorrent Buffer Overflow Vulnerability
- Affected:
- dTorrent dTorrent 3.3.2
- cTorrent cTorrent 1.3.4
Description: cTorrent is a BitTorrent client written in the C and C++ programming languages that runs on most Linux-based systems; dTorrent is an enhanced version of cTorrent. Both have a buffer overflow vulnerability that can be triggered by a specially crafted torrent file. The specific error is in the "btFiles::BuildFromMI()" function in btfiles.cpp while processing a malicious torrent file. By tricking a user into opening a malicious torrent file, an attacker might crash the affected application or execute arbitrary code. Technical details for these vulnerabilities are available via source code analysis, and a proof of concept is publicly available.
Status: Vendor confirmed, no updates available.
- References:
Part II: Weekly Comprehensive List of Newly Discovered Vulnerabilities
Week 17, 2009
This list is compiled by Qualys ( www.qualys.com ) as part of that
company's ongoing effort to ensure its vulnerability management web
service tests for all known vulnerabilities that can be scanned. As of
this week Qualys scans for 6937 unique vulnerabilities. For this special
SANS community listing, Qualys also includes vulnerabilities that cannot
be scanned remotely.
- 09.17.1 - CVE: CVE-2007-2238
- Platform: Other Microsoft Products
- Title: Microsoft IAG 2007 ActiveX Control Multiple Stack-Based Buffer
Overflow Vulnerabilities
- Description: Microsoft Intelligent Application Gateway (IAG) 2007 is
an application server for Microsoft Windows. It includes a Client
Components ActiveX control. The ActiveX control is exposed to multiple
stack-based buffer overflow issues because it fails to perform
adequate boundary checks on user-supplied data. IAG 2007 versions
prior to 3.7 SP2 are affected.
- Ref: http://www.kb.cert.org/vuls/id/789121
- 09.17.2 - CVE: Not Available
- Platform: Other Microsoft Products
- Title: Microsoft Windows Media Player MIDI File Denial of Service
- Description: Microsoft Windows Media Player is a multimedia
application available for the Windows operating system. The
application is exposed to a denial of service issue when processing a
malformed MIDI file. This issue is caused by an error in the
"quartz.dll" library file when handling files with malformed header
data.
- Ref: http://www.securityfocus.com/bid/34585
- 09.17.3 - CVE: Not Available
- Platform: Other Microsoft Products
- Title: Microsoft GDI+ Plugin PNG File Infinite Loop Denial of Service
- Description: Microsoft GDI+ (graphics device interface) enables
applications to use graphics and formatted text on the video display
and on printers. The GDI+ plugin is exposed to a denial of service
issue. When processing a malformed PNG file, a malformed header with a
"btChunkLen" value of 0xfffffff4 will trigger an infinite loop.
- Ref: http://www.securityfocus.com/bid/34586
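The GDI+ entry above turns on a single unchecked chunk length. As an added example (not code from the page or from Microsoft), the PNG chunk walker below shows the validation a reader needs before it trusts a declared length: the value is checked against the specification's cap and against the bytes actually remaining before the cursor is advanced. The sample inputs are constructed here; the hostile one uses the 0xfffffff4 value from the advisory, and in 32-bit arithmetic 12 + 0xfffffff4 is exactly 2**32, so an unchecked reader that adds "header + length" to its offset would wrap back to the same chunk indefinitely.

```python
import struct
import zlib

PNG_SIGNATURE = b"\x89PNG\r\n\x1a\n"
# The PNG specification caps a chunk's data length at 2**31 - 1; anything
# larger (such as 0xfffffff4) is invalid before any other check is made.
MAX_CHUNK_LEN = 2 ** 31 - 1


class PNGError(ValueError):
    """Raised for any structural problem in the chunk stream."""


def iter_chunks(data):
    """Yield (chunk_type, payload) for each chunk of a PNG byte string.

    Every declared length is validated against the spec cap and against the
    bytes actually remaining *before* it is used to advance the offset, so a
    hostile length can neither push the cursor past the end nor wrap it."""
    if not data.startswith(PNG_SIGNATURE):
        raise PNGError("not a PNG file")
    off = len(PNG_SIGNATURE)
    while True:
        remaining = len(data) - off
        if remaining < 12:  # length (4) + type (4) + CRC (4)
            raise PNGError("unexpected end of data at offset %d (no IEND)" % off)
        (length,) = struct.unpack(">I", data[off:off + 4])
        ctype = data[off + 4:off + 8]
        if length > MAX_CHUNK_LEN:
            raise PNGError("chunk %r declares invalid length 0x%08x" % (ctype, length))
        if length > remaining - 12:
            raise PNGError("chunk %r length %d exceeds the %d bytes left"
                           % (ctype, length, remaining - 12))
        payload = data[off + 8:off + 8 + length]
        (crc,) = struct.unpack(">I", data[off + 8 + length:off + 12 + length])
        if zlib.crc32(ctype + payload) & 0xFFFFFFFF != crc:
            raise PNGError("CRC mismatch on chunk %r" % ctype)
        yield ctype, payload
        off += 12 + length  # cannot wrap: length has been bounded above
        if ctype == b"IEND":
            return


def chunk_types(data):
    """Return the ordered list of chunk types, or raise PNGError."""
    return [ctype for ctype, _ in iter_chunks(data)]


def is_well_formed(data):
    """True when the whole chunk stream parses and ends with IEND."""
    try:
        chunk_types(data)
        return True
    except PNGError:
        return False


def make_chunk(ctype, payload):
    """Assemble one chunk with its CRC (used only to build sample input)."""
    crc = zlib.crc32(ctype + payload) & 0xFFFFFFFF
    return struct.pack(">I", len(payload)) + ctype + payload + struct.pack(">I", crc)


def build_valid_png():
    """Constructed 1x1 8-bit greyscale PNG: IHDR, IDAT, IEND."""
    ihdr = struct.pack(">IIBBBBB", 1, 1, 8, 0, 0, 0, 0)
    idat = zlib.compress(b"\x00\x00")  # filter byte + one pixel
    return (PNG_SIGNATURE + make_chunk(b"IHDR", ihdr)
            + make_chunk(b"IDAT", idat) + make_chunk(b"IEND", b""))


def build_hostile_png():
    """Constructed input whose first chunk declares the length 0xfffffff4.

    12 + 0xfffffff4 == 2**32, i.e. 0 in 32-bit arithmetic, so a reader that
    advanced by the unchecked length would never move off this chunk."""
    header = struct.pack(">I", 0xFFFFFFF4) + b"IHDR"
    return PNG_SIGNATURE + header + b"\x00" * 13 + b"\x00" * 4


if __name__ == "__main__":
    print(chunk_types(build_valid_png()))
    print(is_well_formed(build_hostile_png()))
```

The order of the two length checks matters: the cap test rejects values that could wrap the offset, and the remaining-bytes test rejects values that would read past the buffer; only after both pass is the length used for slicing and for the advance.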
- 09.17.4 - CVE: Not Available
- Platform: Other Microsoft Products
- Title: Microsoft Windows Media Player WAV File Multiple Denial of
Service Vulnerabilities
- Description: Microsoft Windows Media Player is a multimedia
application available for the Windows operating system. The
application is exposed to multiple denial of service issues when
processing a malformed WAV file. These issues stem from errors in the
"quartz.dll" library file.
- Ref: http://www.securityfocus.com/bid/34587
- 09.17.5 - CVE: CVE-2008-1107
- Platform: Third Party Windows Apps
- Title: Danske Bank Danske e-Sec Control Module ActiveX Control Buffer
Overflow
- Description: Danske Bank Danske e-Sec Control Module ActiveX control
ships with Danske Bank Danske Netbetaling application. Danske Bank
Danske e-Sec Control Module ActiveX control is exposed to a buffer
overflow issue because it fails to bounds check user-supplied data
before copying it into an insufficiently sized buffer. Danske e-Sec
Control Module ActiveX control (DanskeSikker.ocx) version 3.1.0.48 is
affected.
- Ref: http://www.securityfocus.com/archive/1/502725
- 09.17.6 - CVE: Not Available
- Platform: Third Party Windows Apps
- Title: Apollo "m3u" Playlist File Heap Buffer Overflow
- Description: Apollo is a multimedia player available for Microsoft
Windows. Apollo is exposed to a buffer overflow issue because it fails
to bounds check user-supplied data before copying it into an
insufficiently sized buffer. Specifically, the application fails to
handle specially crafted ".m3u" playlist files. Apollo version 37zz is
affected.
- Ref: http://www.securityfocus.com/bid/34554
- 09.17.7 - CVE: Not Available
- Platform: Third Party Windows Apps
- Title: Elecard AVC HD Player ".xpl" File Remote Stack Buffer Overflow
- Description: Elecard AVC HD Player is a multimedia player application
available for Microsoft Windows. Elecard AVC HD Player is exposed to a
remote stack-based buffer overflow issue because it fails to perform
adequate checks on user-supplied input. Specifically, this issue
occurs when processing an ".xpl" playlist file that contains a
specially crafted header.
- Ref: http://www.securityfocus.com/bid/34560
- 09.17.8 - CVE: CVE-2009-1257
- Platform: Third Party Windows Apps
- Title: MagicISO CCD/Cue File Heap Overflow
- Description: Magic ISO Maker is a CD/DVD image-handling application for
Microsoft Windows. MagicISO is exposed to a heap overflow issue that
may be triggered by a malicious ".ccd" or ".cue" file. Specifically,
the issue occurs because the application fails to check the boundary
conditions before copying the data.
- Ref: http://www.securityfocus.com/bid/34574
- 09.17.9 - CVE: Not Available
- Platform: Third Party Windows Apps
- Title: 1by1 ".m3u" File Remote Stack Buffer Overflow
- Description: 1by1 is a multimedia player for Microsoft Windows. The
application is exposed to a remote stack-based buffer overflow issue
because it fails to perform adequate checks on user-supplied input.
Specifically, this issue occurs when opening a ".m3u" playlist file
that contains excessive data. 1by1 version 1.67 is affected.
- Ref: http://www.securityfocus.com/bid/34618
- 09.17.10 - CVE: Not Available
- Platform: Third Party Windows Apps
- Title: Groovy Media Player ".m3u" File Remote Stack Buffer Overflow
- Description: Groovy Media Player is a multimedia player for Microsoft
Windows. The application is exposed to a remote stack-based buffer
overflow issue because it fails to perform adequate checks on
user-supplied input. Specifically, this issue occurs when opening a
".m3u" playlist file that contains excessive data. Groovy Media Player
version 1.1.0 is affected.
- Ref: http://www.securityfocus.com/bid/34621
- 09.17.11 - CVE: Not Available
- Platform: Third Party Windows Apps
- Title: Trend Micro OfficeScan Client Denial of Service
- Description: Trend Micro OfficeScan is a virus scanning application
for the Windows operating system. The OfficeScan Client is exposed to
a denial of service issue because it fails to handle exceptional
conditions. Specifically, the application may crash when attempting to
scan nested subdirectories with excessively large names. OfficeScan
version 8.0 SP1 is affected.
- Ref: http://www.securityfocus.com/archive/1/502847
- 09.17.12 - CVE: CVE-2009-1185
- Platform: Linux
- Title: udev Netlink Message Validation Local Privilege Escalation
- Description: The "udev" application helps users manage the "/dev"
directory and provides persistent device names. The application is
exposed to a local privilege escalation issue because it fails to
properly handle netlink messages. Specifically, this issue is the
result of a failure to properly validate netlink message senders.
- Ref: http://www.securityfocus.com/bid/34536
- 09.17.13 - CVE: CVE-2009-1186
- Platform: Linux
- Title: udev Path Encoding Local Denial of Service
- Description: The "udev" application helps users manage the "/dev"
directory and provides persistent device names. It is available for
Linux. The application is exposed to a local denial of service issue
which is the result of a buffer-overflow error when encoding paths.
This issue affects udev as shipped with Ubuntu Linux releases.
- Ref: http://www.securityfocus.com/bid/34539
- 09.17.14 - CVE: CVE-2008-6598
- Platform: Linux
- Title: WANPIPE Multiple Unspecified Race Condition Vulnerabilities
- Description: WANPIPE is a networking driver for the Linux operating
system. WANPIPE is exposed to multiple unspecified race condition
issues. WANPIPE versions prior to 3.3.6 are affected.
- Ref: http://freshmeat.net/projects/wanpipe/releases/276026
- 09.17.15 - CVE: Not Available
- Platform: Linux
- Title: Linux Kernel "kill_something_info()" Local Denial of Service
- Description: The Linux kernel 2.6.24 introduced "PID namespaces", a
mechanism for creating sets of tasks with isolated process IDs. The
Linux kernel is exposed to a local denial of service issue because it
fails to restrict signals sent using the "kill" command with the
process ID parameter "-1" to processes within the current PID
namespace. The Linux Kernel versions 2.6.24 through 2.6.27.12 are
affected.
- Ref: http://lkml.org/lkml/2008/7/23/148
- 09.17.16 - CVE: Not Available
- Platform: Linux
- Title: Linux Kernel "inet6_hashtables.c" NULL Pointer Dereference
Denial of Service
- Description: The Linux kernel is exposed to a local denial of service
issue. This vulnerability stems from a potential NULL-pointer
dereference exception of a recycled TIMEWAIT pointer in the
"ipv6/inet6_hashtables.c" source file. Linux kernel version 2.6.27 is
affected.
- Ref: http://xorl.wordpress.com/2009/04/21/linux-kernel-net_ns-ipv6-null-pointer-dereference/
- 09.17.17 - CVE: Not Available
- Platform: Linux
- Title: Linux Kernel CIFS "decode_unicode_ssetup()" Remote Buffer
Overflow
- Description: The Linux Kernel is exposed to a buffer overflow issue
because it fails to perform adequate boundary checks on user-supplied
data. Specifically, it fails to allocate sufficient memory for Unicode
string conversion of "serverDomain" strings when starting CIFS (Common
Internet File System) sessions. This error occurs in the
"decode_unicode_ssetup()" function in the "fs/cifs/sess.c" source
file.
- Ref: http://git.kernel.org/?p=linux/kernel/git/torvalds/linux-2.6.git;a=commitdiff;h=27b87fe52baba0a55e9723030e76fce94fabcea4
- 09.17.18 - CVE: Not Available
- Platform: Linux
- Title: Linux Kernel CIFS "serverDomain" Remote Buffer Overflow
- Description: The Linux Kernel is exposed to a buffer overflow issue
because it fails to perform adequate boundary checks on user-supplied
data. Specifically, it fails to allocate sufficient memory for Unicode
string conversion when processing CIFS (Common Internet File System)
"serverDomain" data sent by malicious servers.
- Ref: http://git.kernel.org/?p=linux/kernel/git/torvalds/linux-2.6.git;a=commitdiff;h=27b87fe52baba0a55e9723030e76fce94fabcea4
- 09.17.19 - CVE: Not Available
- Platform: Linux
- Title: Debian apt Repository Signature Verification
- Description: Debian apt is a package manager. apt is exposed to a
signature verification issue because it fails to properly verify
repository signatures. Specifically, apt uses "gpgv" to verify
repository signatures but only checks for the "GOODSIG" status line
instead of the "VALIDSIG" line. apt versions prior to 0.7.21 are
affected.
- Ref: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=433091
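The difference between the two gpgv status lines is easy to get wrong, so here is an added example (not apt's code) of a checker that accepts a repository signature only on the basis of VALIDSIG. GOODSIG identifies the signer by key ID alone, while VALIDSIG carries the full key fingerprint, which can be compared against an explicit allow-list; the weak GOODSIG-only pattern is included beside it for contrast. The status lines and the trusted fingerprint are constructed placeholders; the keywords are gpgv's documented ones, and the VALIDSIG fields after the fingerprint follow gpgv's documented layout with made-up values.

```python
# Status keywords from gpgv that mean the signature must be rejected outright.
FAILURE_KEYWORDS = {"BADSIG", "ERRSIG", "NODATA", "NO_PUBKEY",
                    "EXPSIG", "EXPKEYSIG", "REVKEYSIG"}

# Constructed placeholder standing in for a real archive signing key.
TRUSTED_FINGERPRINTS = {"0123456789ABCDEF0123456789ABCDEF01234567"}

# Constructed gpgv --status-fd output for the cases that matter.
STATUS_GOODSIG_ONLY = (
    "[GNUPG:] GOODSIG 89ABCDEF01234567 Example Archive Key <archive@example.invalid>\n"
)
STATUS_GOOD_AND_VALID = STATUS_GOODSIG_ONLY + (
    "[GNUPG:] VALIDSIG 0123456789ABCDEF0123456789ABCDEF01234567 2009-04-23 "
    "1240444800 0 4 0 17 2 01 0123456789ABCDEF0123456789ABCDEF01234567\n"
)
STATUS_UNTRUSTED_KEY = STATUS_GOODSIG_ONLY + (
    "[GNUPG:] VALIDSIG FEDCBA9876543210FEDCBA9876543210FEDCBA98 2009-04-23 "
    "1240444800 0 4 0 17 2 01 FEDCBA9876543210FEDCBA9876543210FEDCBA98\n"
)
STATUS_BADSIG = (
    "[GNUPG:] BADSIG 89ABCDEF01234567 Example Archive Key <archive@example.invalid>\n"
)


def parse_status(status_output):
    """Split gpgv status output into (keyword, [args]) tuples; other lines are ignored."""
    records = []
    for line in status_output.splitlines():
        if not line.startswith("[GNUPG:] "):
            continue
        fields = line.split()
        if len(fields) < 2:
            continue
        records.append((fields[1], fields[2:]))
    return records


def goodsig_only_check(status_output):
    """The weak pattern from the advisory: accept as soon as any GOODSIG appears.

    GOODSIG names the signer by key ID only and never says whether a key on
    the allow-list actually made the signature."""
    return any(kw == "GOODSIG" for kw, _ in parse_status(status_output))


def verified_fingerprints(status_output, trusted):
    """Return the trusted fingerprints that produced a VALIDSIG (empty set if none).

    Any failure keyword rejects the whole run.  GOODSIG is deliberately not
    consulted: only VALIDSIG, which carries the full fingerprint, can show
    that a specific trusted key signed the data."""
    trusted = {fpr.upper() for fpr in trusted}
    seen = set()
    for kw, args in parse_status(status_output):
        if kw in FAILURE_KEYWORDS:
            return set()
        if kw == "VALIDSIG" and args:
            seen.add(args[0].upper())
    return seen & trusted


def signature_acceptable(status_output, trusted=TRUSTED_FINGERPRINTS):
    """True only when at least one trusted key produced a VALIDSIG line."""
    return bool(verified_fingerprints(status_output, trusted))


if __name__ == "__main__":
    for name, out in [("goodsig only", STATUS_GOODSIG_ONLY),
                      ("good and valid", STATUS_GOOD_AND_VALID),
                      ("untrusted key", STATUS_UNTRUSTED_KEY),
                      ("badsig", STATUS_BADSIG)]:
        print(name, goodsig_only_check(out), signature_acceptable(out))
```

In a real deployment the status text would come from running gpgv with --status-fd and a keyring of archive keys; the point of the allow-list is that the decision rests on the full fingerprint in VALIDSIG rather than on the mere presence of a "good" signature.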
- 09.17.20 - CVE: Not Available
- Platform: Linux
- Title: SLURM "sbcast" and "strigger" Group Permissions Local Privilege
Escalation
- Description: SLURM (Simple Linux Utility for Resource Management) is a
system application for the Linux platform. SLURM is exposed to a
privilege escalation issue due to a failure to properly drop group
privileges. Specifically, "sbcast" and "strigger" fail to properly
establish supplementary group privileges, and may instead inherit
privileges from the "slurmd" and "slurmctld" daemon processes. These
permissions are then used to write to files. SLURM versions prior to
1.3.14 are affected.
- Ref: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=524980
- 09.17.21 - CVE: Not Available
- Platform: Linux
- Title: Debian git-core DEC Alpha & MIPS Local Privilege Escalation
- Description: Debian's git-core package provides the git revision
control system. The package is exposed to a local privilege escalation
issue because it fails to sufficiently validate user-supplied data.
Specifically, certain files in "/usr/share/git-core/templates/" were
owned by a non-root user.
- Ref: http://www.securityfocus.com/bid/34644
- 09.17.22 - CVE: CVE-2009-1265
- Platform: Linux
- Title: Linux Kernel Frame Size Integer Overflow Remote Information
Disclosure
- Description: The Linux Kernel is exposed to a remote information
disclosure issue due to an integer overflow error which may result in
an excessively large buffer being allocated. Linux Kernel versions
prior to 2.6.30-rc1 are affected.
- Ref: http://bugzilla.kernel.org/show_bug.cgi?id=10423
- 09.17.23 - CVE: Not Available
- Platform: Solaris
- Title: Sun OpenSolaris SCTP Sockets Local Denial of Service
- Description: Sun OpenSolaris is a UNIX-based operating system.
OpenSolaris is exposed to a local denial of service issue.
Specifically, an unspecified problem occurs in the SCTP sockets that
can allow local users to panic the system, effectively denying service
to legitimate users. OpenSolaris builds snv_106 through snv_107 are
affected.
- Ref: http://sunsolve.sun.com/search/document.do?assetkey=1-66-257331-1
- 09.17.24 - CVE: Not Available
- Platform: Aix
- Title: IBM AIX "usr/sbin/muxatmd" Local Buffer Overflow
- Description: IBM AIX is a UNIX-based operating system. IBM AIX is
exposed to a buffer overflow issue because it fails to perform
adequate boundary checks on user-supplied data. This issue affects the
"/usr/sbin/muxatmd" command. Specifically, the command is concatenated
with a ".pid" extension and later copied into a static buffer without
validating the length of the data. AIX versions 5.2, 5.3 and 6.1 are
affected.
- Ref: http://labs.idefense.com/intelligence/vulnerabilities/display.php?id=784
- 09.17.25 - CVE: CVE-2009-0163
- Platform: Unix
- Title: CUPS "_cupsImageReadTIFF()" Integer Overflow
- Description: CUPS (Common UNIX Printing System) is a widely used set
of printing utilities for UNIX-based systems. CUPS is exposed to an
integer overflow issue because it fails to perform adequate boundary
checks on user-supplied TIFF image sizes before using them to allocate
memory buffers. Specifically, this issue is caused by a calculation
error in the function "_cupsImageReadTIFF()". CUPS versions prior to
1.3.10 are affected.
- Ref: http://www.cups.org/str.php?L3031
- 09.17.26 - CVE: CVE-2008-6603
- Platform: Unix
- Title: MoinMoin "acl_hierarchic" ACL Security Bypass
- Description: MoinMoin is a freely available, open-source wiki written
in Python. It is available for UNIX and Linux platforms. The
application is exposed to a security bypass issue because it fails to
properly handle the "acl_hierarchic" attribute. If the attribute is
set to "True", ACL rules may be bypassed. MoinMoin versions 1.6.2 and
1.7 are affected.
- Ref: http://moinmo.in/SecurityFixes
- 09.17.27 - CVE: CVE-2009-1294, CVE-2009-1293
- Platform: Novell
- Title: Novell Teaming User Enumeration Weakness and Multiple Cross-Site
Scripting Vulnerabilities
- Description: Novell Teaming is a collaboration and conferencing
application for enterprises. The application is exposed to multiple
remote issues. A remote attacker can exploit the user-enumeration
weakness to enumerate valid usernames and then perform brute-force
attacks; other attacks are also possible. Novell Teaming version 1.0.3
is affected.
- Ref: http://www.securityfocus.com/archive/1/502704
- 09.17.28 - CVE: Not Available
- Platform: Cross Platform
- Title: Zervit "http.c" Remote Buffer Overflow
- Description: Zervit is a web server for Microsoft Windows and Linux.
Zervit is exposed to a remote buffer overflow issue. Specifically, the
issue occurs when handling an HTTP request for a file which does not
exist on the server. This error occurs in the "http.c" source code
file. Zervit version 0.2 is affected.
- Ref: http://www.securityfocus.com/archive/1/502693
- 09.17.29 - CVE: Not Available
- Platform: Cross Platform
- Title: Sun Java System Directory Server Information Disclosure
- Description: Sun Java System Directory Server is an LDAP (Lightweight
Directory Access Protocol) server distributed with multiple Sun
products. The "Online Help" component of the application is exposed to
a remote information disclosure issue because it may allow remote or
local unprivileged users to determine the existence of files on a
vulnerable computer. This issue may also allow attackers to gain
access to a file's contents. Sun Java System Directory Server
Enterprise Edition version 5 and Sun Java System Directory Server
version 5.2 are affected.
- Ref: http://sunsolve.sun.com/search/document.do?assetkey=1-66-255848-1
- 09.17.30 - CVE: CVE-2009-0946
- Platform: Cross Platform
- Title: FreeType Multiple Integer Overflow Vulnerabilities
- Description: FreeType is an open-source font-handling library.
FreeType is exposed to multiple issues because it fails to properly
validate user-supplied input. An attacker may exploit these issues by
enticing victims into processing specially crafted fonts. Successful
exploits may allow attackers to execute arbitrary code in the context
of applications that use the affected library. FreeType version 2.3.9
is affected.
- Ref: https://bugzilla.redhat.com/show_bug.cgi?id=491384
- 09.17.31 - CVE: Not Available
- Platform: Cross Platform
- Title: MiniWeb Remote Buffer Overflow
- Description: MiniWeb is a web server for Microsoft Windows and Linux.
MiniWeb is exposed to a remote buffer overflow issue. Specifically,
the issue occurs when handling an HTTP request for a URI which includes
a long sequence of "/" characters.
- Ref: http://www.securityfocus.com/archive/1/502737
- 09.17.32 - CVE: Not Available
- Platform: Cross Platform
- Title: Apache Geronimo Application Server Multiple Remote
Vulnerabilities
- Description: Apache Geronimo is the J2EE server project of the Apache
Software Foundation. Apache Geronimo Application Server is exposed to
multiple remote issues. Attackers can exploit these issues to gain
access to sensitive information, upload arbitrary files, execute
arbitrary script code, steal cookie-based authentication credentials
and perform certain administrative actions. Apache Geronimo versions
2.1 to 2.1.3 are affected.
- Ref: http://www.securityfocus.com/archive/1/502733
- 09.17.33 - CVE: Not Available
- Platform: Cross Platform
- Title: MiniWeb Source Code Information Disclosure
- Description: MiniWeb is a web server for Microsoft Windows and Linux.
The application is exposed to an issue that lets attackers access
source code because it fails to properly sanitize user-supplied input.
- Ref: http://www.securityfocus.com/archive/1/502736
- 09.17.34 - CVE: CVE-2009-0146, CVE-2009-0147, CVE-2009-0166, CVE-2009-0799, CVE-2009-0800, CVE-2009-1179, CVE-2009-1180, CVE-2009-1181, CVE-2009-1182, CVE-2009-1183, CVE-2009-1187, CVE-2009-1188
- Platform: Cross Platform
- Title: xpdf JBIG2 Processing Multiple Security Vulnerabilities
- Description: Xpdf is a PDF rendering library. The library is exposed
to multiple security issues. The problems occur when processing
specially malformed JBIG2 files. Exploiting these issues may allow
remote attackers to execute arbitrary code in the context of the
affected application. Failed exploit attempts will likely cause
denial of service conditions.
- Ref: http://www.kb.cert.org/vuls/id/196617
- 09.17.35 - CVE: Not Available
- Platform: Cross Platform
- Title: Zervit HTTP Server Directory Traversal
- Description: Zervit is an HTTP server. Zervit is exposed to a
directory traversal issue because it fails to sufficiently sanitize
user-supplied input. Exploiting this issue will allow an attacker to
view arbitrary local files within the context of the webserver.
Information harvested may aid in launching further attacks. Zervit
version 0.2 is affected.
- Ref: http://www.securityfocus.com/bid/34570
- 09.17.36 - CVE: Not Available
- Platform: Cross Platform
- Title: Avast! Antivirus RAR File Scan Evasion
- Description: Avast! Antivirus is a virus scanning application. The
product's scan engine is exposed to an issue that may allow certain
compressed archives to go undetected. The vulnerability occurs because
the software fails to properly inspect specially crafted "RAR" files.
- Ref: http://www.securityfocus.com/archive/1/502820
- 09.17.37 - CVE: Not Available
- Platform: Cross Platform
- Title: Multiple BitDefender Security Products RAR File Scan Evasion
- Description: BitDefender provides security products for home and
enterprise use. The BitDefender security products' scan engine is
exposed to an issue that may allow certain compressed archives to go
uninspected. The vulnerability occurs because the software fails to
properly inspect specially crafted "RAR" files.
- Ref: http://www.securityfocus.com/archive/1/502748
- 09.17.38 - CVE: Not Available
- Platform: Cross Platform
- Title: Multiple ESET Antivirus Products RAR File Scan Evasion
- Description: ESET provides a number of virus scanning applications for
multiple platforms. Multiple ESET products are exposed to an issue
that may allow certain compressed archives to go undetected. The
vulnerability occurs because the software fails to properly inspect
specially crafted "RAR" files.
- Ref: http://www.securityfocus.com/archive/1/502760
- 09.17.39 - CVE: Not Available
- Platform: Cross Platform
- Title: cTorrent and dTorrent Torrent File Buffer Overflow
- Description: cTorrent and dTorrent are Peer to Peer file sharing
applications. The applications are exposed to a remote buffer overflow
issue because they fail to properly bounds check user-supplied input
before copying it to an insufficiently sized memory buffer. This issue
occurs when handling a specially crafted Torrent file. cTorrent
version 1.3.4 and dTorrent version 3.3.2 are affected.
- Ref: http://www.securityfocus.com/bid/34584
- 09.17.40 - CVE: Not Available
- Platform: Cross Platform
- Title: ntop Access Log "access.log" File Permissions
- Description: ntop is an application used to show network traffic
usage. The application is exposed to a file permissions security
issue. Specifically, this issue occurs because the application creates
the "access.log" file with world writable permissions. ntop version
3.3.9 is affected.
- Ref: https://bugs.launchpad.net/ubuntu/+source/ntop/+bug/325393
- 09.17.41 - CVE: CVE-2009-0716, CVE-2009-0717, CVE-2009-0718
- Platform: Cross Platform
- Title: HP StorageWorks Storage Mirroring Software Multiple Remote
Vulnerabilities
- Description: HP StorageWorks Storage Mirroring Software (SWSM) is a
host-based replication and failover solution for enterprises. HP
StorageWorks Storage Mirroring Software (SWSM) is exposed to multiple
issues. SWSM versions prior to 5.1.1.1090.15 are affected.
- Ref: http://www.securityfocus.com/bid/34611
- 09.17.42 - CVE: CVE-2009-0715
- Platform: Cross Platform
- Title: HP Storage Essentials Secure NaviCLI Unspecified Remote
Privilege Escalation
- Description: HP Storage Essentials is a storage management application
for the enterprise. HP Storage Essentials is exposed to an unspecified
remote privilege escalation issue. This issue affects applications
running Secure NaviCLI. Storage Essentials versions 6.0.2, 6.0.3, and
6.0.4 are affected.
- Ref: http://www.securityfocus.com/archive/1/502829
- 09.17.43 - CVE: Not Available
- Platform: Cross Platform
- Title: Zervit HTTP Server Malformed URI Remote Denial of Service
- Description: Zervit is a webserver for Microsoft Windows and Linux.
The application is exposed to a denial of service issue because it
fails to adequately sanitize user-supplied input. This issue occurs
when handling malformed URIs that contain unexpected sequences of
"//." characters. Zervit version 0.3 is affected.
- Ref: http://www.securityfocus.com/bid/34637
- 09.17.44 - CVE: CVE-2009-1357
- Platform: Cross Platform
- Title: Sun Java System Delegated Administrator HTTP Response Splitting
- Description: Sun Java System Delegated Administrator is a provisioning
toolset for LDAP directories used by Communications Suite
applications. The software is exposed to an HTTP response splitting
issue because it fails to sufficiently sanitize input to the
"HELP_PAGE" parameter of the "/da/DA/Login" script before using it in
HTTP headers.
- Ref: http://www.coresecurity.com/content/sun-delegated-administrator
- 09.17.45 - CVE: CVE-2009-1239
- Platform: Cross Platform
- Title: IBM DB2 JOIN Predicate Application Order Information Disclosure
- Description: IBM DB2 is a database management system. DB2 is exposed
to an information disclosure issue caused by an error in handling
certain SQL predicates. Specifically, this issue is the result of an
error in the application order of INNER JOIN and OUTER JOIN predicates
in certain SQL queries. DB2 Fixpack versions prior to 7 are
vulnerable.
- Ref: http://www-01.ibm.com/support/docview.wss?uid=swg1JR31886
- 09.17.46 - CVE: CVE-2008-6601
- Platform: Cross Platform
- Title: Epona IP Address Information Disclosure
- Description: Epona is a set of services for IRC networks. Epona is
exposed to an information disclosure issue due to an unspecified error.
An attacker can exploit this vulnerability to retrieve the IP address
of other users. Information obtained may aid in further attacks. Epona
versions prior to 1.5rc3 are affected.
- Ref: http://freshmeat.net/projects/epona/releases/276088
- 09.17.47 - CVE: CVE-2009-1302, CVE-2009-1303, CVE-2009-1304, CVE-2009-1305, CVE-2009-1306, CVE-2009-1307, CVE-2009-1308, CVE-2009-1309, CVE-2009-1310, CVE-2009-1311, CVE-2009-1312
- Platform: Cross Platform
- Title: Mozilla Firefox/Thunderbird/SeaMonkey MFSA 2009-14 through
2009-22 Multiple Remote Vulnerabilities
- Description: The Mozilla Foundation has released multiple advisories
regarding security issues in Firefox, Thunderbird, and SeaMonkey. The
following vulnerabilities have been addressed:
1. MFSA 2009-14: Multiple remote memory corruption vulnerabilities
affect Firefox, Thunderbird, and SeaMonkey.
2. MFSA 2009-16: A vulnerability affects Firefox, Thunderbird and
SeaMonkey that can be exploited to bypass a mitigation against content
injection attacks.
3. MFSA 2009-17: Multiple vulnerabilities that occur when an Adobe
Flash file is loaded via the "view-source:" scheme.
4. MFSA 2009-18: A vulnerability that allows attackers to inject
arbitrary script into sites via XBL bindings.
5. MFSA 2009-19: Multiple remote code execution vulnerabilities.
6. MFSA 2009-20: A vulnerability in Firefox can be exploited to
execute a search plugin's SearchForm javascript: URI in the context of
the currently open page.
7. MFSA 2009-21: An information disclosure vulnerability affects
Firefox and SeaMonkey.
8. MFSA 2009-22: A cross-site scripting vulnerability affects Firefox
and SeaMonkey.
- Ref: http://www.mozilla.org/security/announce/2009/mfsa2009-17.html
- 09.17.48 - CVE: Not Available
- Platform: Cross Platform
- Title: 010 Editor File Parsing Multiple Buffer Overflow
Vulnerabilities
- Description: 010 Editor is a text and hex editor. It also supports
custom templates that are used to parse different file formats. The
application is exposed to multiple stack-based buffer overflow issues
because it fails to perform adequate boundary checks on user-supplied
input. These issues occur when the application opens malicious
template and script files containing overly long strings. 010 Editor
versions prior to 3.0.5 are affected.
- Ref: http://security.bkis.vn/?p=580
- 09.17.49 - CVE: CVE-2009-1191
- Platform: Cross Platform
- Title: Apache "mod_proxy_ajp" Information Disclosure
- Description: "mod_proxy_ajp" is the Apache HTTP Server module that
proxies requests to backends using the AJP13 protocol. The module is
exposed to a remote information disclosure issue that occurs when it
handles a crafted HTTP POST request whose body is never sent.
Successful exploitation can allow an attacker to obtain sensitive
response data intended for a request sent by another user. Apache HTTP
Server 2.2.11 is affected.
- Ref: https://issues.apache.org/bugzilla/show_bug.cgi?id=46949
- 09.17.50 - CVE: CVE-2008-6600
- Platform: Web Application - Cross Site Scripting
- Title: XMLPortal Search Feature Cross-Site Scripting
- Description: XMLPortal is a web-based portal application implemented
in Java. The application is exposed to a cross-site scripting issue
because it fails to sufficiently sanitize user-supplied input to the
search feature. XMLPortal version 3.0 is affected.
- Ref: http://osvdb.org/ref/44/xmlportal-xss.txt
- 09.17.51 - CVE: Not Available
- Platform: Web Application - Cross Site Scripting
- Title: Phorum Multiple Cross-Site Scripting Vulnerabilities
- Description: Phorum is a PHP-based web forum application. Phorum is
exposed to multiple cross-site scripting issues because it fails to
sufficiently sanitize user-supplied input. An attacker could exploit
these vulnerabilities to perform cross-site scripting attacks on
unsuspecting users in the context of the affected site. Phorum version
5.2.10 and 5.2-dev are affected.
- Ref: http://www.securityfocus.com/archive/1/502728
- 09.17.52 - CVE: CVE-2009-0307
- Platform: Web Application - Cross Site Scripting
- Title: BlackBerry Enterprise Server MDS Connection Service Cross-Site
Scripting
- Description: BlackBerry Enterprise Server MDS Connection Service
enables requests from intranet applications. The application is
exposed to a cross-site scripting issue because it fails to
sufficiently sanitize user-supplied input. This issue is related to
malformed URIs used in administering the MDS Connection Service via
the BlackBerry Administration Service. BlackBerry Enterprise Server
versions prior to 4.1.6 MR5 are affected.
- Ref: http://www.blackberry.com/btsc/dynamickc.do?externalId=KB17969&sliceID=1&command=show&forward=nonthreadedKC&kcId=KB17969
- 09.17.53 - CVE: Not Available
- Platform: Web Application - Cross Site Scripting
- Title: WebCollab "tasks.php" Cross-Site Scripting
- Description: WebCollab is a web-based application implemented in PHP.
The application is exposed to a cross-site scripting issue because it
fails to sufficiently sanitize user-supplied input to the "selection"
parameter of the "tasks.php" script when the "action" parameter is set
to "todo". WebCollab version 2.40 is affected.
- Ref: http://sourceforge.net/project/shownotes.php?release_id=676245&group_id=75945
- 09.17.54 - CVE: Not Available
- Platform: Web Application - Cross Site Scripting
- Title: Nuke Evolution Xtreme "player.php" Cross-Site Scripting
- Description: Nuke Evolution Xtreme is a PHP-based web application. The
application is exposed to a cross-site scripting issue because it
fails to sufficiently sanitize user-supplied input to the
"defaultVisualExt" parameter of the "player.php" script. Nuke
Evolution Xtreme version 2.0.7 is affected.
- Ref: http://www.securityfocus.com/bid/34594
- 09.17.55 - CVE: Not Available
- Platform: Web Application - Cross Site Scripting
- Title: Red Hat Stronghold Web Server Cross-Site Scripting
- Description: Stronghold is an HTTP server. The application is exposed
to a cross-site scripting issue because it fails to sufficiently
sanitize user-supplied input to the webroot page. An attacker may
leverage this issue to execute arbitrary script code in the browser of
an unsuspecting user in the context of the affected site and to steal
cookie-based authentication credentials. Stronghold version 2.3 is
affected.
- Ref: http://www.securityfocus.com/archive/1/502799
- 09.17.56 - CVE: Not Available
- Platform: Web Application - Cross Site Scripting
- Title: Online Photo Pro "section" Parameter Cross-Site Scripting
- Description: Online Photo Pro is a PHP-based web application used for
online photo catalog. The application is exposed to a cross-site
scripting issue because it fails to sufficiently sanitize
user-supplied input to the "section" parameter of the "index.php"
script. Online Photo Pro version 2.0 is affected.
- Ref: http://www.securityfocus.com/bid/34625
- 09.17.57 - CVE: Not Available
- Platform: Web Application - Cross Site Scripting
- Title: Online Contact Manager Multiple Cross-Site Scripting
Vulnerabilities
- Description: Online Contact Manager is a PHP-based application used to
store and retrieve contact information. The application is exposed to
multiple cross-site scripting issues because it fails to sufficiently
sanitize user-supplied data. Online Contact Manager version 3.0 is
affected.
- Ref: http://www.securityfocus.com/bid/34626
- 09.17.58 - CVE: Not Available
- Platform: Web Application - Cross Site Scripting
- Title: MoinMoin "AttachFile.py" Multiple Cross-Site Scripting
Vulnerabilities
- Description: MoinMoin is a freely available, open-source wiki written
in Python. It is available for UNIX and Linux platforms. The
application is exposed to multiple cross-site scripting issues because
it fails to sufficiently sanitize user-supplied data to multiple
parameters in the "action/AttachFile.py" script. MoinMoin version
1.8.2 is affected.
- Ref: http://hg.moinmo.in/moin/1.8/rev/269a1fbc3ed7
- 09.17.59 - CVE: CVE-2007-6726
- Platform: Web Application - Cross Site Scripting
- Title: Dojo Multiple Cross-Site Scripting Vulnerabilities
- Description: Dojo is a freely available, open-source JavaScript
toolkit used for building web applications. The application is exposed
to multiple cross-site scripting issues because it fails to
sufficiently sanitize user-supplied data. These issues affect the
"xip_client.html" and "xip_server.html" scripts in "src/io/". Dojo
versions 0.4.1 and 0.4.2 are affected.
- Ref: https://issues.apache.org/struts/browse/WW-2134
- 09.17.60 - CVE: CVE-2008-6681
- Platform: Web Application - Cross Site Scripting
- Title: Dojo "dijit.Editor" Cross-Site Scripting
- Description: Dojo is a freely available, open-source JavaScript
toolkit used for building web applications. The "dijit.Editor"
component of the application is exposed to a cross-site scripting
issue because it fails to sufficiently sanitize user-supplied input to
XML entities in a TEXTAREA element. Dojo versions prior to 1.1 are
affected.
- Ref: http://trac.dojotoolkit.org/ticket/2140
- 09.17.61 - CVE: CVE-2008-6594, CVE-2008-6595
- Platform: Web Application - SQL Injection
- Title: TYPO3 pmk_rssnewsexport and cm_rdfexport Extensions Unspecified
SQL Injection
- Description: TYPO3 pmk_rssnewsexport and cm_rdfexport Extensions are
extensions for the TYPO3 content manager. These extensions are not
part of the TYPO3 default installation. The extensions are exposed to
an SQL injection issue because they fail to sufficiently sanitize
input before using it in an SQL query.
- Ref: http://www.securityfocus.com/bid/34544/references
- 09.17.62 - CVE: Not Available
- Platform: Web Application - SQL Injection
- Title: Geeklog "usersettings.php" SQL Injection
- Description: Geeklog is a web application implemented in PHP. The
application is exposed to an SQL injection issue because it fails to
sufficiently sanitize user-supplied data processed by the
"savepreferences()" function in "usersettings.php" before using it in
SQL queries. Geeklog versions 1.5.2 and earlier are affected.
- Ref: http://www.securityfocus.com/archive/1/502729
- 09.17.63 - CVE: Not Available
- Platform: Web Application - SQL Injection
- Title: cpCommerce "document.php" SQL Injection
- Description: cpCommerce is an e-commerce application. The application
is exposed to an SQL injection issue because it fails to sufficiently
sanitize user-supplied data to the "id_document" parameter of the
"document.php" script. cpCommerce version 1.2.8 is affected.
- Ref: http://www.securityfocus.com/bid/34556
- 09.17.64 - CVE: Not Available
- Platform: Web Application - SQL Injection
- Title: NetHoteles Multiple SQL Injection Vulnerabilities
- Description: NetHoteles is a web-based rental management application
implemented in PHP. The application is exposed to multiple SQL
injection issues because it fails to sufficiently sanitize
user-supplied data to the "Username" and "Password" textboxes when
logging in to the application through the "admin/" and "superadmin/"
scripts. NetHoteles versions 2.0 and 3.0 are affected.
- Ref: http://www.securityfocus.com/bid/34557
- 09.17.65 - CVE: Not Available
- Platform: Web Application - SQL Injection
- Title: NetHoteles "ficha.php" SQL Injection
- Description: NetHoteles is a web-based rental management application
implemented in PHP. The application is exposed to an SQL injection
issue because it fails to sufficiently sanitize user-supplied data to
the "id_establecimiento" parameter of the "ficha.php" script before
using it in SQL queries. NetHoteles version 3.0 is affected.
- Ref: http://www.securityfocus.com/bid/34561
- 09.17.66 - CVE: Not Available
- Platform: Web Application - SQL Injection
- Title: chCounter "counter/stats/index.php" SQL Injection
- Description: chCounter is a PHP-based counter application. The
application is exposed to an SQL injection issue because it fails to
sufficiently sanitize user-supplied data to the "username" and
"password" parameters of the "counter/stats/index.php" script.
chCounter version 3.1.3 is affected.
- Ref: http://www.securityfocus.com/bid/34572
- 09.17.67 - CVE: Not Available
- Platform: Web Application - SQL Injection
- Title: Online Guestbook Pro "ogp_show.php" SQL Injection
- Description: Online Guestbook Pro is a PHP-based guestbook
application. Online Guestbook Pro is exposed to an SQL injection issue
because it fails to sufficiently sanitize user-supplied data to the
"display" parameter of the "ogp_show.php" script.
- Ref: http://www.securityfocus.com/bid/34592
- 09.17.68 - CVE: Not Available
- Platform: Web Application - SQL Injection
- Title: Hot Project "authenticate.php" Multiple SQL Injection
Vulnerabilities
- Description: Hot Project is a web-based project management application
implemented in PHP. The application is exposed to multiple SQL
injection issues because it fails to sufficiently sanitize
user-supplied data to the "memail" and "mpassword" parameters of the
"authenticate.php" script before using it in an SQL query. Hot Project
version 7 is affected.
- Ref: http://www.securityfocus.com/bid/34593
- 09.17.69 - CVE: Not Available
- Platform: Web Application - SQL Injection
- Title: WysGui "settings.php" SQL Injection
- Description: WysGui is a content management system implemented in PHP.
The application is exposed to an SQL injection issue because it fails
to sufficiently sanitize user-supplied data to the "admin_pages"
cookie parameter of the "body_mods/admin_panel/settings.php" script.
WysGui version 1.2 BETA is affected.
- Ref: http://www.securityfocus.com/bid/34603
- 09.17.70 - CVE: Not Available
- Platform: Web Application - SQL Injection
- Title: EZ Webitor "login.php" SQL Injection
- Description: EZ Webitor is a web page editing application implemented
in PHP. The application is exposed to an SQL injection issue because
it fails to sufficiently sanitize user-supplied data to the "username"
and "password" parameters of the "login.php" script.
- Ref: http://www.securityfocus.com/bid/34604
- 09.17.71 - CVE: Not Available
- Platform: Web Application - SQL Injection
- Title: Creasito "checkuser.php" SQL Injection
- Description: Creasito is an e-commerce content management application
implemented in PHP. The application is exposed to an SQL injection
issue because it fails to sufficiently sanitize user-supplied data to
the "username" parameter of the "admin/checkuser.php" and
"checkuser.php" scripts. Creasito version 1.3.16 is affected.
- Ref: http://www.securityfocus.com/archive/1/502818
- 09.17.72 - CVE: Not Available
- Platform: Web Application - SQL Injection
- Title: Seditio Events Plugin "c" Parameter SQL Injection
- Description: Seditio Events is an event and calendar tracking plugin
for the Seditio content management application. The plugin is exposed
to an SQL injection issue because it fails to sufficiently sanitize
user-supplied data to the "c" parameter before using it in an SQL
query. Seditio Events version 1.0 is affected.
- Ref: http://www.securityfocus.com/bid/34608
- 09.17.73 - CVE: Not Available
- Platform: Web Application - SQL Injection
- Title: e107 "usersettings.php" SQL Injection
- Description: e107 CMS is a web-based content management system
implemented in PHP. The application is exposed to an SQL injection
issue because it fails to sufficiently sanitize user-supplied data to
the "extended_user_fields" of the "usersettings.php" script before
using it in an SQL query. e107 CMS version 0.7.15 is affected.
- Ref: http://www.securityfocus.com/bid/34614
- 09.17.74 - CVE: Not Available
- Platform: Web Application - SQL Injection
- Title: FunGamez Local File Include and SQL Injection Vulnerabilities
- Description: FunGamez is a PHP-based game site management application.
The application is exposed to multiple input validation issues. An
attacker can exploit the local file include vulnerability using
directory traversal strings to view and execute arbitrary local files
within the context of the webserver process. Information harvested may
aid in further attacks.
- Ref: http://www.securityfocus.com/archive/1/502816
- 09.17.75 - CVE: Not Available
- Platform: Web Application - SQL Injection
- Title: PastelCMS Local File Include and SQL Injection Vulnerabilities
- Description: PastelCMS is a PHP-based content management application.
The application is exposed to multiple input validation issues. An
attacker can exploit the local file include vulnerability using
directory traversal strings to view or execute local files within the
context of the web server process. PastelCMS version 0.8.0 is affected.
- Ref: http://www.securityfocus.com/bid/34635
- 09.17.76 - CVE: Not Available
- Platform: Web Application - SQL Injection
- Title: CRE Loaded "product_info.php" SQL Injection
- Description: CRE Loaded is a web-based e-commerce application. The
application is exposed to an SQL injection issue because it fails to
sufficiently sanitize user-supplied data to the "products_id"
parameter of the "product_info.php" script before using it in an SQL
query. CRE Loaded version 6.2 is affected.
- Ref: http://www.securityfocus.com/bid/34640
- 09.17.77 - CVE: Not Available
- Platform: Web Application - SQL Injection
- Title: I-RATER Platinum "platinumadmin.html" SQL Injection
- Description: I-RATER Platinum is a photo-rating application. The
application is exposed to an SQL injection issue because it fails to
sufficiently sanitize user-supplied data to the "username" parameter
of the "platinumadmin.html" script. I-RATER Platinum 4 is affected.
- Ref: http://www.securityfocus.com/bid/34645
- 09.17.78 - CVE: Not Available
- Platform: Web Application - SQL Injection
- Title: I-RATER Photo Rating Script Pro "admin/login.php" SQL Injection
- Description: I-RATER Photo Rating Script Pro is a web-based
application implemented in PHP. The application is exposed to an SQL
injection issue because it fails to sufficiently sanitize
user-supplied data to the "username" parameter of the
"admin/login.php" script.
- Ref: http://www.securityfocus.com/bid/34646
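The login-form SQL injections listed above (NetHoteles, chCounter, EZ Webitor, Hot Project, Creasito, the two I-RATER entries) share one pattern: the "username" and "password" fields are concatenated into the query. The following added example, written for this bulletin and not taken from any of those products, reproduces that pattern against a constructed in-memory SQLite table and shows the bound-parameter form that closes it. Plaintext passwords are kept only to shorten the example.

```python
import sqlite3


def make_db():
    """Constructed in-memory user table; not data from any product.
    Real code stores a salted hash and compares it in application code."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT, password TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?)",
                     [("admin", "s3cret"), ("bob", "hunter2")])
    return conn


def login_vulnerable(conn, username, password):
    """The form fields are pasted into the statement, so a quote in
    either field rewrites the WHERE clause.  Returns the matched
    username or None."""
    sql = ("SELECT username FROM users WHERE username = '" + username
           + "' AND password = '" + password + "'")
    row = conn.execute(sql).fetchone()
    return row[0] if row else None


def login_hardened(conn, username, password):
    """Bound parameters: the driver passes the values separately from
    the statement text, so they can never become SQL syntax."""
    sql = "SELECT username FROM users WHERE username = ? AND password = ?"
    row = conn.execute(sql, (username, password)).fetchone()
    return row[0] if row else None


# Constructed payloads.  The first comments out the password check;
# the second makes the WHERE clause true for every row.
COMMENT_OUT = "admin'--"
ALWAYS_TRUE = "' OR '1'='1"

if __name__ == "__main__":
    db = make_db()
    print("vulnerable:", login_vulnerable(db, COMMENT_OUT, "wrong"),
          login_vulnerable(db, ALWAYS_TRUE, ALWAYS_TRUE))
    print("hardened:", login_hardened(db, COMMENT_OUT, "wrong"),
          login_hardened(db, ALWAYS_TRUE, ALWAYS_TRUE),
          login_hardened(db, "admin", "s3cret"))
```

Both payloads log the attacker in as "admin" through the concatenated query and fail against the parameterised one; the same two strings are a quick first probe when auditing any login form in this list.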
- 09.17.79 - CVE: Not Available
- Platform: Web Application - SQL Injection
- Title: Quick.CMS.Lite 'id' Parameter SQL Injection
- Description: Quick.Cms.Lite is a PHP-based content manager. The
application is exposed to an SQL injection issue because it fails to
sufficiently sanitize user-supplied data to the "id" parameter of the
"index.php" script before using it in an SQL query.
- Ref: http://www.securityfocus.com/bid/34647
- 09.17.80 - CVE: Not Available
- Platform: Web Application - SQL Injection
- Title: VS Panel "showcat.php" SQL Injection
- Description: VS Panel is a PHP-based web application. The application
is exposed to an SQL injection issue because it fails to sufficiently
sanitize user-supplied data to the "Cat_ID" field of the "showcat.php"
script. VS Panel version 7.3.6 is affected.
- Ref: http://www.securityfocus.com/bid/34648
- 09.17.81 - CVE: Not Available
- Platform: Web Application
- Title: @Mail and @Mail WebMail Email Body HTML Injection
- Description: @Mail and @Mail WebMail are web-based applications used
to access email via a web page or wireless device. @Mail and @Mail
WebMail are exposed to an HTML injection issue because the
applications fail to properly sanitize user-supplied input contained
in the email body before using it in dynamically generated content.
- Ref: http://terra.calacode.com/mail/docs/changelog.html
- 09.17.82 - CVE: Not Available
- Platform: Web Application
- Title: Job2C Profile Arbitrary File Upload
- Description: Job2C is a job board application. The application is
exposed to an issue that lets attackers upload arbitrary files. The
issue occurs because the application fails to adequately sanitize
user-supplied input before uploading files via the user profile
section of the application. Job2C version 4.2 is affected.
- Ref: http://www.securityfocus.com/bid/34535
- 09.17.83 - CVE: Not Available
- Platform: Web Application
- Title: Job2C "adtype" Parameter Multiple Local File Include
Vulnerabilities
- Description: Job2C is a job board application implemented in PHP. The
application is exposed to multiple local file include issues because
it fails to properly sanitize user-supplied input to the "adtype"
parameter of the "windetail.php" and "detail.php" scripts. Job2C
version 4.2 is affected.
- Ref: http://www.securityfocus.com/bid/34537
- 09.17.84 - CVE: Not Available
- Platform: Web Application
- Title: FreeWebShop "startmodules.inc.php" Local File Include
- Description: FreeWebShop is a shopping cart application implemented in
PHP. The application is exposed to a local file include issue because
it fails to properly sanitize user-supplied input to the "lang_file"
parameter of the "startmodules.inc.php" script. FreeWebShop version
2.2.9 R2 is affected.
- Ref: http://www.securityfocus.com/bid/34538
- 09.17.85 - CVE: Not Available
- Platform: Web Application
- Title: CCK Comment Reference Edit Form HTML Injection
- Description: CCK Comment Reference module is a Drupal module that
allows administrators to define node fields that are references to
comments. The application is exposed to an HTML injection issue
because it fails to sanitize user-supplied input to the "candidate
title" when displaying the node edit form. CCK versions prior to
6.x-1.2 are affected.
- Ref: http://www.securityfocus.com/bid/34547
- 09.17.86 - CVE: Not Available
- Platform: Web Application
- Title: Apache ActiveMQ Web Console Multiple Unspecified HTML Injection
Vulnerabilities
- Description: Apache ActiveMQ is a Message Broker and Enterprise
Integration Patterns provider. It is implemented in Java and available
for a number of platforms. The application is exposed to multiple HTML
injection issues because it fails to sufficiently sanitize
user-supplied data. These issues affect unspecified scripts in the
"admin" directory of the Web Console. Apache ActiveMQ version 5.2.0 is
affected.
- Ref: http://www.securityfocus.com/archive/1/502726
- 09.17.87 - CVE: Not Available
- Platform: Web Application
- Title: Online Password Manager Insecure Cookie Authentication Bypass
- Description: Online Password Manager is a web application implemented
in PHP. Online Password Manager is exposed to an authentication bypass
issue because it fails to adequately verify user-supplied input used
for cookie-based authentication. Specifically, attackers can gain
access to the application by setting the "auth" cookie parameter to a
valid user name. Online Password Manager version 4.1 is affected.
- Ref: http://www.securityfocus.com/bid/34555
- 09.17.88 - CVE: Not Available
- Platform: Web Application
- Title: GScripts.net DNS Tools "dig.php" Remote Command Execution
- Description: GScripts.net DNS Tools is a collection of PHP scripts
which provide a web-based interface for common network tools. DNS
Tools is exposed to an issue that attackers can leverage to execute
arbitrary commands. This issue occurs because the application fails to
adequately sanitize user-supplied input to the "ns" parameter of the
"dig.php" script.
- Ref: http://www.securityfocus.com/bid/34559
- 09.17.89 - CVE: Not Available
- Platform: Web Application
- Title: razorCMS 0.3RC2 Multiple Vulnerabilities
- Description: razorCMS is a content management system implemented in
PHP. razorCMS is exposed to multiple issues. An attacker may leverage
these issues to execute arbitrary script code in the browser of an
unsuspecting user in the context of the affected site. razorCMS
version 0.3RC2 is affected.
- Ref: http://archives.neohapsis.com/archives/fulldisclosure/2009-04/0163.html
- 09.17.90 - CVE: CVE-2008-6629, CVE-2008-6628
- Platform: Web Application
- Title: WEBBDOMAIN WebShop SQL Injection and Cross-Site Scripting
Vulnerabilities
- Description: WEBBDOMAIN WebShop is a PHP-based web application. Since
it fails to sufficiently sanitize user-supplied data, WebShop is
exposed to multiple input validation issues. Exploiting these
issues could allow an attacker to steal cookie-based authentication
credentials, compromise the application, access or modify data, or
exploit latent vulnerabilities in the underlying database. WebShop
version 1.02 is affected.
- Ref: http://www.securityfocus.com/bid/34567
- 09.17.91 - CVE: Not Available
- Platform: Web Application
- Title: SMA-DB "theme/format.php" Multiple Remote File Include
Vulnerabilities
- Description: SMA-DB is a PHP-based web application. The application is
exposed to multiple remote file include issues because it fails to
sufficiently sanitize user-supplied input. SMA-DB version 0.3.13 is
affected.
- Ref: http://www.securityfocus.com/bid/34569
- 09.17.92 - CVE: Not Available
- Platform: Web Application
- Title: SPIP Security Bypass and Arbitrary File Upload
- Description: SPIP is a website publishing application implemented in
PHP. SPIP is exposed to multiple security bypass issues and an
arbitrary file upload vulnerability because the application fails to
adequately sanitize user-supplied input. SPIP versions prior to 2.0.7
and 1.9.2h are affected.
- Ref: http://archives.rezo.net/spip-ann.mbox/200904.mbox/%3Cfa0db4f80904131433p4235a82fn39be0d58b410f836@mail.gmail.com%3E
- 09.17.93 - CVE: Not Available
- Platform: Web Application
- Title: eLitius "admin/manage-admin.php" Authentication Bypass
- Description: eLitius is a web-based application implemented in PHP.
The application is exposed to an authentication bypass issue.
Specifically, this issue occurs because the application fails to
restrict access to the "admin/manage-admin.php" script. The script may
be used to change the administrator's password and email address. eLitius
version 1.0 is affected.
- Ref: http://www.securityfocus.com/bid/34577
- 09.17.94 - CVE: Not Available
- Platform: Web Application
- Title: Tiny Blogr "class.eport.php" Authentication Bypass
- Description: Tiny Blogr is a web-log application implemented in PHP.
The application is exposed to an authentication bypass issue.
Specifically, this issue occurs because the application fails to
sufficiently sanitize user-supplied input to the "Username" and
"Password" textboxes of the "class.eport.php" script. Tiny Blogr
version 1.0.0 rc4 is affected.
- Ref: http://www.securityfocus.com/bid/34581
- 09.17.95 - CVE: Not Available
- Platform: Web Application
- Title: eLitius "manage-admin.php" Unauthorized Access
- Description: eLitius is a PHP-based affiliates application. The
software is exposed to an unauthorized access issue because it allows
attackers to change the administrator's password through the
"manage-admin.php" script. eLitius version 1.0 is affected.
- Ref: http://www.securityfocus.com/bid/34564
- 09.17.96 - CVE: Not Available
- Platform: Web Application
- Title: Malleo "admin.php" Local File Include
- Description: Malleo is a PHP-based content manager. The application is
exposed to a local file include issue because it fails to properly
sanitize user-supplied input to the "module" parameter of the
"admin.php" script. Malleo version 1.2.3 is affected.
- Ref: http://www.securityfocus.com/archive/1/502763
- 09.17.97 - CVE: Not Available
- Platform: Web Application
- Title: Clantiger Clan CMS SQL Injection and HTML Injection
Vulnerabilities
- Description: Clantiger Clan CMS is a content management application
for gaming clans; it is implemented in PHP. The application is exposed
to multiple input validation issues. An attacker may exploit the
SQL-injection issues to compromise the application, access or modify
data, or exploit latent vulnerabilities in the underlying database.
Clantiger Clan CMS version 1.1.1 is affected.
- Ref: http://www.securityfocus.com/archive/1/502766
- 09.17.98 - CVE: Not Available
- Platform: Web Application
- Title: e-cart "admin/editor/image.php" Arbitrary File Upload
- Description: e-cart is a PHP-based shopping cart application. The
application is exposed to an issue that lets attackers upload
arbitrary files. The issue occurs because the application fails to
adequately sanitize user-supplied input before uploading files through
the "admin/editor/image.php" script.
- Ref: http://www.securityfocus.com/bid/34590
- 09.17.99 - CVE: Not Available
- Platform: Web Application
- Title: Online Email Manager Insecure Cookie Authentication Bypass
- Description: Online Email Manager is a web application implemented in
PHP. Online Email Manager is exposed to an authentication bypass issue
because it fails to adequately verify user-supplied input used for
cookie-based authentication. Specifically, attackers can gain
administrative access to the application by setting the "auth" cookie
parameter to "admin" and the "path" parameter to "/". Online Email
Manager version 2.0 is affected.
- Ref: http://www.securityfocus.com/bid/34591
- 09.17.100 - CVE: Not Available
- Platform: Web Application
- Title: webSPELL BBCode HTML Injection
- Description: webSPELL is a gaming CMS implemented in PHP. The
application is exposed to an HTML injection issue because it fails to
sufficiently sanitize user-supplied input. Specifically, BBCode "img"
tags aren't properly sanitized. By sending a specially crafted input
to a site, an attacker can exploit this issue to execute arbitrary
HTML and script code and perform arbitrary actions as the victim user
when the data is viewed. webSPELL version 4.2.0c is affected.
- Ref: http://www.securityfocus.com/bid/34595
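How an unsanitised BBCode "img" tag turns into script execution, as an added example written for this bulletin (not webSPELL's code): the tag body is dropped into a src attribute verbatim, so a double quote in the "URL" closes the attribute and whatever follows becomes new attributes such as an onerror handler. The hardened renderer accepts only absolute http(s) URLs, entity-encodes the attribute, and escapes every literal segment of the post. The post bodies are constructed.

```python
import html
import re
from urllib.parse import urlsplit

IMG_TAG = re.compile(r"\[img\](.*?)\[/img\]", re.IGNORECASE | re.DOTALL)


def render_vulnerable(text):
    """Copies the tag body into the src attribute unchanged."""
    return IMG_TAG.sub(lambda m: '<img src="' + m.group(1) + '">', text)


def _img(url):
    """Emit an <img> only for an absolute http(s) URL, with the
    attribute value entity-encoded; otherwise return None so the caller
    shows the original tag as inert text."""
    url = url.strip()
    try:
        parts = urlsplit(url)
    except ValueError:  # e.g. malformed IPv6 literal
        return None
    if parts.scheme not in ("http", "https") or not parts.netloc:
        return None
    return '<img src="' + html.escape(url, quote=True) + '">'


def render_hardened(text):
    """Escape every literal segment and rebuild each [img] tag from its
    validated URL, so no user character reaches the HTML unencoded."""
    out = []
    pos = 0
    for m in IMG_TAG.finditer(text):
        out.append(html.escape(text[pos:m.start()]))
        out.append(_img(m.group(1)) or html.escape(m.group(0)))
        pos = m.end()
    out.append(html.escape(text[pos:]))
    return "".join(out)


# Constructed post bodies.
ATTR_BREAKOUT = '[img]x" onerror="alert(1)[/img]'
JS_SCHEME = '[img]javascript:alert(1)[/img]'
BENIGN = 'see [img]http://example.com/a.png[/img] <b>now</b>'

if __name__ == "__main__":
    for post in (ATTR_BREAKOUT, JS_SCHEME, BENIGN):
        print(render_vulnerable(post))
        print(render_hardened(post))
```

The attribute break-out is the case to test first when reviewing any BBCode or markdown-to-HTML converter: escaping only angle brackets does nothing for it, because the payload never needs a "<".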
- 09.17.101 - CVE: Not Available
- Platform: Web Application
- Title: Flatnux Arbitrary File Upload and Multiple Local File Include
Vulnerabilities
- Description: Flatnux is a PHP-based application that allows users to
manage events and concerts. The application is exposed to multiple
input validation issues. An attacker can exploit these issues to
upload arbitrary files onto the webserver, execute arbitrary local
files within the context of the webserver, and obtain sensitive
information. Flatnux version 2009-03-27 is affected.
- Ref: http://www.securityfocus.com/bid/34599
- 09.17.102 - CVE: Not Available
- Platform: Web Application
- Title: Horde IMP and Groupware Webmail Cached PGP Key Spoofing
- Description: Horde IMP (Internet Messaging Program) is a PHP-based
application that supports IMAP and POP3 webmail access. Horde
Groupware Webmail Edition is a web-based communication suite for
email, calendar, and task management. Horde IMP and Groupware Webmail
are exposed to a PGP key spoofing issue because they cache PGP keys
from local address books. IMP versions prior to 4.3.4 and Groupware
Webmail Edition 1.1 through 1.2.2 are affected.
- Ref: http://cvs.horde.org/co.php/imp/docs/CHANGES?r=1.699.2.383
- 09.17.103 - CVE: Not Available
- Platform: Web Application
- Title: Multi-lingual E-Commerce System Local File Include and
Arbitrary File Upload Vulnerabilities
- Description: Multi-lingual E-Commerce System is a web-based
application implemented in PHP. The application is exposed to multiple
input validation issues. An attacker can exploit these issues to
upload arbitrary files onto the web server, execute arbitrary local
files within the context of the web server, and obtain sensitive
information. Multi-lingual E-Commerce System version 0.2 is affected.
- Ref: http://www.securityfocus.com/archive/1/502798
- 09.17.104 - CVE: Not Available
- Platform: Web Application
- Title: Adam Patterson Address Book "upload-file.php" Arbitrary File Upload
- Description: Adam Patterson Address Book is an application implemented
in PHP. The application is exposed to an issue that lets attackers
upload arbitrary files. The issue occurs because the application fails
to adequately sanitize user-supplied input before uploading files via
the "upload-file.php" script. Address Book version 2.5 is affected.
- Ref: http://www.securityfocus.com/bid/34601
- 09.17.105 - CVE: Not Available
- Platform: Web Application
- Title: WB News Insecure Cookie Authentication Bypass
- Description: WB News is a web application implemented in PHP. The
application is exposed to an authentication bypass issue because it
fails to adequately verify user-supplied input used for cookie-based
authentication. WB News version 2.1.2 is affected.
- Ref: http://www.securityfocus.com/bid/34609
- 09.17.106 - CVE: Not Available
- Platform: Web Application
- Title: TotalCalendar "config.php" Remote File Include
- Description: TotalCalendar is a web-based application implemented in
PHP. The application is exposed to a remote file include issue because
it fails to sufficiently sanitize user-supplied input to the "inc_dir"
parameter of the "config.php" script. TotalCalendar version 2.4 is
affected.
- Ref: http://www.securityfocus.com/bid/34617
- 09.17.107 - CVE: Not Available
- Platform: Web Application
- Title: TotalCalendar "manage_users.php" Remote Password Change
- Description: TotalCalendar is a web-based application implemented in
PHP. The application is exposed to an issue that may permit attackers
to change the password of arbitrary users. Exploiting this issue may
allow attackers to gain unauthorized access to the affected
application. Successful exploits will result in a complete compromise
of victims' accounts. TotalCalendar version 2.4 is affected.
- Ref: http://www.securityfocus.com/bid/34619
- 09.17.108 - CVE: Not Available
- Platform: Web Application
- Title: SunGard Banner Student "twbkwbis.P_SecurityQuestion" HTML
Injection
- Description: SunGard Banner Student is a web application implemented in
ASP. The application is exposed to an HTML injection issue because it
fails to sufficiently sanitize user-supplied input. Specifically, this
issue affects password security questions submitted via the 'New
Question' text field to the "twbkwbis.P_SecurityQuestion" script.
Banner Student version 7.4 is affected.
- Ref: http://www.securityfocus.com/archive/1/502810
- 09.17.109 - CVE: Not Available
- Platform: Web Application
- Title: Web Scribble Solutions webClassifieds Insecure Cookie
Authentication Bypass
- Description: Web Scribble Solutions webClassifieds is a web
application implemented in PHP. The application is exposed to an
authentication bypass issue because it fails to adequately verify
user-supplied input used for cookie-based authentication.
Specifically, attackers can gain administrative access to the
application by setting the "sAuth" cookie parameter to the user ID of
an administrator and the "path" parameter to "/".
- Ref: http://www.securityfocus.com/bid/34622
- 09.17.110 - CVE: Not Available
- Platform: Web Application
- Title: TotalCalendar "cms_detect.php" Local File Include
- Description: TotalCalendar is a web-based application implemented in
PHP. The application is exposed to a local file include issue because
it fails to properly sanitize user-supplied input to the "include"
parameter of the "cms_detect.php" script. TotalCalendar version 2.4 is
affected.
- Ref: http://www.securityfocus.com/bid/34634
- 09.17.111 - CVE: Not Available
- Platform: Web Application
- Title: Dokeos "whoisonline.php" Remote Code Execution
- Description: Dokeos is a PHP-based application for online learning.
The application is exposed to an issue that attackers can leverage to
execute arbitrary code. This issue occurs because the software fails
to adequately sanitize user-supplied input to the "whoisonline.php"
script before using it in a call to "create_function()". Dokeos
version 1.8.5 is affected.
- Ref: http://www.securityfocus.com/bid/34633
- 09.17.112 - CVE: Not Available
- Platform: Web Application
- Title: NotFTP "config.php" Local File Include
- Description: NotFTP is a web-based file transfer application
implemented in PHP. The application is exposed to a local file include
issue because it fails to properly sanitize user-supplied input to the
"languages" parameter of the "config.php" script. NotFTP version 1.3.1
is affected.
- Ref: http://www.securityfocus.com/bid/34636
- 09.17.113 - CVE: Not Available
- Platform: Web Application
- Title: MixedCMS 1.0 Beta Multiple Remote Vulnerabilities
- Description: MixedCMS is a PHP-based content manager. The application
is exposed to multiple remote issues. An attacker can exploit these
issues to upload and execute arbitrary script code on an affected
computer with the privileges of the webserver process, view or execute
arbitrary local files, or gain unauthorized access to the affected
application. MixedCMS version 1.0 Beta is affected.
- Ref: http://www.securityfocus.com/archive/1/502862
- 09.17.114 - CVE: Not Available
- Platform: Web Application
- Title: Adam Patterson Address Book Multiple Script Authentication
Bypass
- Description: Adam Patterson Address Book is an application implemented
in PHP. The application is exposed to an issue that allows an attacker
to bypass authentication and gain unauthorized access to the affected
application. This issue occurs because user authentication is not
properly enforced for all scripts. Address Book version 2.5 is
affected.
- Ref: http://www.securityfocus.com/bid/34652
- 09.17.115 - CVE: CVE-2008-6602
- Platform: Web Application
- Title: Download Center Lite Unspecified Security
- Description: Download Center Lite is a web-based application
implemented in PHP. Download Center Lite is exposed to an unspecified
issue. Download Center Lite versions prior to 2.1 are affected.
- Ref: http://freshmeat.net/projects/download-center-lite/releases/275651
- 09.17.116 - CVE: CVE-2009-1275
- Platform: Web Application
- Title: Apache Tiles Cross-Site Scripting and Information Disclosure
Vulnerabilities
- Description: Apache Tiles is a Java based framework used to simplify
the development of web application user interfaces. It is included in
Apache Struts and other products. Apache Tiles is exposed to
cross-site scripting and information-disclosure issues because it
fails to sanitize user-supplied input. The issues arise when the
application evaluates Expression Language (EL) expressions twice.
Apache Tiles versions 2.1.0 and 2.1.1 are affected.
- Ref: http://svn.apache.org/viewvc/tiles/framework/trunk/src/site/apt/security/security-bulletin-1.apt?revision=741913
- 09.17.117 - CVE: Not Available
- Platform: Web Application
- Title: SAP cFolders Cross-Site Scripting and HTML Injection
Vulnerabilities
- Description: cFolders (Collaboration Folders) is the SAP web-based
application used for information sharing. The application is exposed
to multiple cross-site scripting and HTML-injection issues because it
fails to sufficiently sanitize user-supplied data.
- Ref: http://dsecrg.com/pages/vul/show.php?id=121
- 09.17.118 - CVE: Not Available
- Platform: Web Application
- Title: eLitius "database-backup.php" Information Disclosure
- Description: eLitius is a PHP-based application used to manage an
affiliate program. The application is exposed to an information
disclosure issue. Specifically, an unauthorized attacker may download
the database of the application via the "admin/database-backup.php"
script. eLitius version 1.0 is affected.
- Ref: http://www.securityfocus.com/bid/34659
- 09.17.119 - CVE: Not Available
- Platform: Network Device
- Title: Unspecified Fortinet Security Products Archive File Scan
Evasion
- Description: Fortinet provides security applications and appliances.
Unspecified Fortinet security products are exposed to an issue that
may allow certain compressed archives to go uninspected. The
vulnerability occurs because the software fails to properly inspect
specially crafted archive files.
- Ref: http://www.securityfocus.com/archive/1/502758
- 09.17.120 - CVE: Not Available
- Platform: Network Device
- Title: Linksys WVC54GCA Wireless-G "SetupWizard.exe" Information
Disclosure
- Description: Linksys WVC54GCA Wireless-G Internet Home Monitoring
Camera is exposed to an information disclosure issue. The device can
be controlled remotely via a management interface that transmits data
via UDP port 916. During an initial setup using "SetupWizard.exe", the
device sends the configuration data to the client in a secure manner.
The packets contain sensitive information such as username, password,
wireless SSID, WEP key, WEP password, WPA key, and DNS server. Once
the authentication credentials are sent, the admin username and
password can be disclosed from the memory dump of the
"SetupWizard.exe" process. Linksys WVC54GCA Wireless-G Internet Home
Monitoring Camera firmware versions 1.00R22 and 1.00R24 are affected.
- Ref: http://www.linksysbycisco.com/US/en/products/WVC54GCA
- 09.17.121 - CVE: Not Available
- Platform: Network Device
- Title: Addonics NAS Adapter "bts.cgi" Multiple Buffer Overflow
Vulnerabilities
- Description: Addonics NAS Adapter is a network storage device. NAS
Adapter includes an embedded webserver. NAS Adapter is exposed to
multiple buffer overflow issues because it fails to perform adequate
checks on user-supplied input.
- Ref: http://www.securityfocus.com/bid/34607
- 09.17.122 - CVE: Not Available
- Platform: Network Device
- Title: Linksys WRT54GC "administration.cgi" Access Validation
- Description: The Linksys WRT54GC is a Wi-Fi networking router. The
device is exposed to an access validation issue because of a lack of
authentication when users access the "administration.cgi" CGI
application. Specifically, remote attackers may use this script to set
a new administrator password. Linksys WRT54GC running firmware version
1.05.7 is affected.
- Ref: http://www.securityfocus.com/archive/1/502800
- 09.17.123 - CVE: Not Available
- Platform: Network Device
- Title: Linksys WVC54GCA Wireless-G "/img/main.cgi" Information
Disclosure
- Description: Linksys WVC54GCA Wireless-G Internet Home Monitoring
Camera is exposed to an information disclosure issue. The issue
affects the "next_file" parameter of the "/img/main.cgi" script. An
attacker may retrieve the contents of an arbitrary file from the same
directory where the "main.cgi" file is located. Linksys WVC54GCA
Wireless-G Internet Home Monitoring Camera firmware versions 1.00R22
and 1.00R24 are affected.
- Ref: http://www.linksysbycisco.com/US/en/products/WVC54GCA
(c) 2009. All rights reserved. The information contained in this newsletter, including any external links, is provided "AS IS," with no express or implied warranty, for informational purposes only. In some cases, copyright for material in this newsletter may be held by a party other than Qualys (as indicated herein) and permission to use such material must be requested from the copyright owner.
Subscriptions: @RISK is distributed free of charge by the SANS Institute to people responsible for managing and securing information systems and networks. You may forward this newsletter to others with such responsibility inside or outside your organization.
The SANS Security Windows track was the best training course I've ever had, far surpassing my already high expectations. Seriously!
-Derek Lidbom, Trone