@RISK: The Consensus Security Vulnerability Alert

Volume: VIII, Issue: 19
May 7, 2009

Google Chrome, the browser for Windows, and the default printing system on Apple Mac (CUPS) both have newly announced vulnerabilities that allow remote control of vulnerable systems. Both have vendor patches available.

Get a $200 Travel Voucher if you register for the Penetration Testing Summit by May 15. Details: http://www.sans.org/pentesting09_summit/travelbucks.php

@RISK is the SANS community's consensus bulletin summarizing the most important vulnerabilities and exploits identified during the past week and providing guidance on appropriate actions to protect your systems (PART I). It also includes a comprehensive list of all new vulnerabilities discovered in the past week (PART II).

Summary of the vulnerabilities reported this week:

    Category                                  # of Updates & Vulnerabilities
    ------------------------                  -------------------------------------
    Third Party Windows Apps                  11 (#1)
    Linux                                     4
    Unix                                      3
    Cross Platform                            22 (#2, #3)
    Web Application - Cross Site Scripting    8
    Web Application - SQL Injection           6
    Web Application                           18

*************************************************************************

TRAINING UPDATE
- SANSFIRE in Baltimore 6/13-6/20 (24 long courses, 12 short courses) http://www.sans.org/sansfire09/event.php
- New Orleans 5/5-5/10 (6 courses) http://www.sans.org/securityeast09/event.php
- Plus San Diego, Amsterdam and more, too. See www.sans.org
- Looking for training in your own community? http://sans.org/community/
For a list of all upcoming events, on-line and live: www.sans.org

*************************************************************************

Table Of Contents
Part II -- Comprehensive List of Newly Discovered Vulnerabilities from Qualys (www.qualys.com)
Third Party Windows Apps
Linux
Unix
Cross Platform
Web Application - Cross Site Scripting
Web Application - SQL Injection
Web Application

********************* SPONSORED LINK **********************************

1) Complete Firewall Security Audits in 25% of the time with Tufin. Learn how and get your free shirt. http://www.sans.org/info/43263

*************************************************************************

PART I Critical Vulnerabilities

Part I for this issue has been compiled by Rob King at TippingPoint, a division of 3Com, as a by-product of that company's continuous effort to ensure that its intrusion prevention products effectively block exploits using known vulnerabilities. TippingPoint's analysis is complemented by input from a council of security managers from twelve large organizations who confidentially share with SANS the specific actions they have taken to protect their systems. A detailed description of the process may be found at http://www.sans.org/newsletters/cva/#process

Widely Deployed Software
  • (1) CRITICAL: Google Chrome Graphics Rendering Integer Overflow
  • Affected:
    • Google Chrome versions 1.x
  • Description: Google Chrome is Google's web browser for Microsoft Windows. It contains a flaw in its graphics rendering engine (known as "Skia"). A specially crafted web page could trigger this flaw, leading to an integer overflow. Successfully exploiting this vulnerability would allow an attacker to execute arbitrary code with the privileges of the current user. Full technical details are publicly available for this vulnerability via source code analysis. Other software utilizing the Skia rendering library may also be vulnerable.

  • Status: Vendor confirmed, updates available.

  • References:

  • (2) CRITICAL: Apple CUPS PDF Handling Buffer Overflow
  • Affected:
    • Apple CUPS versions prior to 1.3.10
  • Description: Apple CUPS is the Common Unix Printing System. It is the default printing subsystem on Apple Mac OS X and many other Unix and Linux based operating systems. It contains a flaw in its handling of PDF documents containing JBIG2 symbol dictionaries. JBIG2 is a common encoding for images. A specially crafted PDF file submitted for printing to a CUPS server could trigger this flaw, leading to arbitrary code execution with the privileges of the vulnerable process. Full technical details are publicly available for this vulnerability via source code analysis.

  • Status: Vendor confirmed, updates available. It is believed that this vulnerability is related to a flaw in the Xpdf PDF viewing and processing program, the subject of a previous @RISK entry.

  • References:

  • (3) HIGH: HP OpenView Network Node Manager Remote Code Execution
  • Affected:
    • HP OpenView Network Node Manager versions 7.53 and prior
  • Description: HP OpenView Network Node Manager (NNM) is a popular enterprise network and system management application. It contains a flaw in one of its subcomponents. A specially crafted request to this component could trigger this flaw, allowing an attacker to execute arbitrary code with the privileges of the vulnerable process. Few technical details are publicly available for this vulnerability. Note that this vulnerability is believed to be distinct from the vulnerability discussed in last week's @RISK.

  • Status: Vendor confirmed, updates available.

  • References:

Part II: Weekly Comprehensive List of Newly Discovered Vulnerabilities
Week 19, 2009

This list is compiled by Qualys (www.qualys.com) as part of that company's ongoing effort to ensure its vulnerability management web service tests for all known vulnerabilities that can be scanned. As of this week Qualys scans for 5549 unique vulnerabilities. For this special SANS community listing, Qualys also includes vulnerabilities that cannot be scanned remotely.

  • 09.19.1 - CVE: Not Available
  • Platform: Third Party Windows Apps
  • Title: Symantec WinFax Pro "DCCFAXVW.DLL" Heap Buffer Overflow
  • Description: Symantec WinFax Pro is a faxing application available for Microsoft Windows. The application is exposed to a heap-based buffer overflow issue. Specifically, this issue stems from a boundary condition in the "AppendFax()" function of the "DCCFAXVW.DLL" ActiveX control. Symantec WinFax Pro version 10.03 is affected.
  • Ref: http://www.securityfocus.com/archive/1/503074

  • 09.19.2 - CVE: Not Available
  • Platform: Third Party Windows Apps
  • Title: Mercury Audio Player ".m3u" File Remote Stack Buffer Overflow
  • Description: Mercury Audio Player is a multimedia player for Microsoft Windows. The application is exposed to a remote stack-based buffer overflow issue because it fails to perform adequate checks on user-supplied input. Specifically, this issue occurs when opening a ".m3u" playlist file that contains excessive data. Mercury Audio Player version 1.21 is affected.
  • Ref: http://www.securityfocus.com/bid/34788

  • 09.19.3 - CVE: Not Available
  • Platform: Third Party Windows Apps
  • Title: BaoFeng Storm ActiveX Control "OnBeforeVideoDownload()" Buffer Overflow
  • Description: BaoFeng Storm is a multimedia player. The control is exposed to a buffer overflow issue because it fails to perform adequate boundary checks on user-supplied input. An attacker can exploit this issue to execute arbitrary code in the context of the application using the ActiveX control (typically Internet Explorer).
  • Ref: http://support.microsoft.com/kb/240797

  • 09.19.4 - CVE: Not Available
  • Platform: Third Party Windows Apps
  • Title: Beatport Player ".m3u" File Remote Stack Buffer Overflow
  • Description: Beatport Player is a multimedia player for Microsoft Windows. The application is exposed to a remote stack-based buffer overflow issue because it fails to perform adequate checks on user-supplied input. Specifically, this issue occurs when opening a ".m3u" playlist file that contains excessive data. Beatport Player version 1.0.0.283 is affected.
  • Ref: http://www.securityfocus.com/bid/34793

  • 09.19.5 - CVE: Not Available
  • Platform: Third Party Windows Apps
  • Title: RM Downloader ".smi" File Buffer Overflow
  • Description: RM Downloader is a download management application for the Windows operating system. RM Downloader is exposed to a buffer overflow issue because it fails to perform adequate boundary checks on user-supplied data. This issue occurs when handling specially crafted ".smi" files.
  • Ref: http://www.securityfocus.com/bid/34794

  • 09.19.6 - CVE: Not Available
  • Platform: Third Party Windows Apps
  • Title: EW-MusicPlayer ".m3u" File Remote Stack Buffer Overflow
  • Description: EW-MusicPlayer is a multimedia player for Microsoft Windows. The application is exposed to a remote stack-based buffer overflow issue because it fails to perform adequate checks on user-supplied input. Specifically, this issue occurs when opening a ".m3u" playlist file that contains excessive data. EW-MusicPlayer version 0.8 is affected.
  • Ref: http://www.securityfocus.com/bid/34806

  • 09.19.7 - CVE: Not Available
  • Platform: Third Party Windows Apps
  • Title: Grabit "NZB" File Remote Stack Buffer Overflow
  • Description: Grabit is a usenet content downloader for Microsoft Windows. The application is exposed to a remote stack-based buffer overflow issue because it fails to perform adequate checks on user-supplied input. Specifically, this issue occurs when opening a "NZB" file that contains excessive data. Grabit version 1.7.2 beta 3 is affected.
  • Ref: http://www.securityfocus.com/archive/1/503184

  • 09.19.8 - CVE: Not Available
  • Platform: Third Party Windows Apps
  • Title: Bmxplay "BMX" File Remote Buffer Overflow
  • Description: Bmxplay is a multimedia player for Microsoft Windows. The application is exposed to a remote buffer overflow issue because it fails to perform adequate checks on user-supplied input. Specifically, this issue occurs when opening a "BMX" file that contains excessive data. Bmxplay version 0.4 is affected.
  • Ref: http://www.securityfocus.com/bid/34810

  • 09.19.9 - CVE: Not Available
  • Platform: Third Party Windows Apps
  • Title: 32bit FTP "banner" Remote Buffer Overflow
  • Description: 32bit FTP client is an FTP implementation that is available for Microsoft Windows operating systems. 32bit FTP is exposed to a buffer overflow issue because it fails to properly perform adequate boundary checks on user-supplied data. The vulnerability occurs when handling an excessively large banner. 32bit FTP version 09.04.24 is affected.
  • Ref: http://www.securityfocus.com/bid/34822

  • 09.19.10 - CVE: Not Available
  • Platform: Third Party Windows Apps
  • Title: 32bit FTP "CWD" Response Remote Buffer Overflow
  • Description: 32bit FTP client is an FTP implementation that is available for Microsoft Windows operating systems. 32bit FTP is exposed to a buffer overflow issue because it fails to properly perform adequate boundary checks on user-supplied data. The vulnerability occurs when handling an excessively large "CWD" response. 32bit FTP version 09.04.24 is affected.
  • Ref: http://www.securityfocus.com/bid/34838

  • 09.19.11 - CVE: Not Available
  • Platform: Third Party Windows Apps
  • Title: Sorinara Streaming Audio Player ".m3u" File Remote Stack Buffer Overflow
  • Description: Sorinara Streaming Audio Player is a multimedia player available for Microsoft Windows. The application is exposed to a remote stack-based buffer overflow issue because it fails to perform adequate checks on user-supplied input. Specifically, this issue occurs when opening an extended ".m3u" playlist file that contains excessive data. Sorinara Streaming Audio Player version 0.9 is affected.
  • Ref: http://www.securityfocus.com/bid/34842

  • 09.19.12 - CVE: Not Available
  • Platform: Linux
  • Title: IPsec-Tools Prior to 0.7.2 Multiple Remote Denial Of Service Vulnerabilities
  • Description: IPsec-Tools is a port of KAME's IPsec utilities for the Linux-2.6 IPsec implementation. IPsec-Tools is affected by multiple remote issues. A successful attack allows a remote attacker to cause the application to crash or to consume excessive memory, denying further service to legitimate users. IPsec-Tools versions prior to 0.7.2 are affected.
  • Ref: http://www.securityfocus.com/archive/1/503078

  • 09.19.13 - CVE: CVE-2009-1295
  • Platform: Linux
  • Title: Ubuntu Apport Local Arbitrary File Deletion
  • Description: Apport is a crash reporting system available for the Ubuntu Linux distribution. Apport is exposed to a local denial of service issue. Specifically, Apport deletes crash report files in an unsafe manner.
  • Ref: http://www.securityfocus.com/bid/34776

  • 09.19.14 - CVE: Not Available
  • Platform: Linux
  • Title: Linux Kernel "ptrace_attach()" Local Privilege Escalation
  • Description: The Linux kernel is exposed to a local privilege escalation issue. Specifically, the issue can be triggered by calling "ptrace_attach()" on a task in the middle of the "execve()" system call. The attacker can exploit this issue to execute arbitrary code with superuser privileges, resulting in a complete compromise of the affected computer. Linux kernel version 2.6.29 is affected.
  • Ref: http://git.kernel.org/?p=linux/kernel/git/torvalds/linux-2.6.git;a=commit;h=cad81bc2529ab8c62b6fdc83a1c0c7f4a87209eb

  • 09.19.15 - CVE: Not Available
  • Platform: Linux
  • Title: schroot "/tmp/shm" Local Denial of Service
  • Description: schroot is a tool that allows running commands or a shell in a chroot environment. schroot is exposed to a local denial of service issue that occurs because the application creates a new "tmpfs" filesystem for every chroot, which acts as "/dev/shm". schroot version 1.2.2 is affected.
  • Ref: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=526788

  • 09.19.16 - CVE: CVE-2009-1416, CVE-2009-1415, CVE-2009-1417
  • Platform: Unix
  • Title: GnuTLS Prior to 2.6.6 Multiple Remote Vulnerabilities
  • Description: GNU Transport Layer Security Library (GnuTLS) is a library that implements the TLS 1.0 and SSL 3.0 protocols. It is maintained by GNU and is available for UNIX and Linux variants. The application is exposed to multiple issues. An attacker can exploit these issues to potentially execute arbitrary code, trigger denial of service conditions, carry out attacks against data signed with weak signatures, and cause clients to accept expired or invalid certificates from servers. GnuTLS versions prior to 2.6.6 are affected.
  • Ref: http://article.gmane.org/gmane.comp.encryption.gpg.gnutls.devel/3516

  • 09.19.17 - CVE: CVE-2009-0195
  • Platform: Unix
  • Title: CUPS and Xpdf JBIG2 Symbol Dictionary Processing Heap Buffer Overflow
  • Description: CUPS (Common UNIX Printing System) is a widely used set of printing utilities for UNIX-based systems. Xpdf is a PDF rendering library. CUPS and Xpdf are exposed to a remote heap-based buffer overflow issue because they fail to properly bounds check user-supplied input before copying it into a finite-sized buffer. Xpdf versions 3.02pl2 and earlier, and CUPS versions 1.3.9 and earlier are affected.
  • Ref: http://www.securityfocus.com/archive/1/502759

  • 09.19.18 - CVE: Not Available
  • Platform: Unix
  • Title: ClamAV "clamav-milter" Initscript File Permission
  • Description: ClamAV is an open-source antivirus for UNIX-like systems. "clamav-milter" is an email scanner for Sendmail. The application is exposed to a file permission security issue. Specifically, this issue affects the "clamav-milter" initscript and occurs because it modifies the ownership of the current working directory to the "clamav" user. ClamAV version 0.95.1 is affected.
  • Ref: http://www.securityfocus.com/bid/34818

  • 09.19.19 - CVE: Not Available
  • Platform: Cross Platform
  • Title: Multiple Trend Micro Products RAR/ZIP/CAB Files Scan Evasion
  • Description: Trend Micro develops antivirus, antispyware, and firewalling capabilities for both enterprise and endpoint-based systems. The applications are exposed to an issue that may allow certain compressed archives to bypass the scan engine. The vulnerability occurs because the software fails to properly inspect specially crafted "RAR", "ZIP", and "CAB" files.
  • Ref: http://www.securityfocus.com/archive/1/503078

  • 09.19.20 - CVE: Not Available
  • Platform: Cross Platform
  • Title: Multiple ESET Products CAB File Scan Evasion
  • Description: ESET provides a number of virus scanning applications for multiple platforms. Multiple ESET products are exposed to an issue that may allow certain compressed archives to bypass the scan engine. The vulnerability occurs because the application fails to properly inspect specially crafted "CAB" files. ESET products prior to Update 4036 are affected.
  • Ref: http://blog.zoller.lu/2009/04/nod32-eset-cab-generic-evasion-limited.html

  • 09.19.21 - CVE: Not Available
  • Platform: Cross Platform
  • Title: Adobe Acrobat and Reader Unspecified Remote Heap Memory Corruption
  • Description: Adobe Acrobat and Reader are applications for handling PDF files; they are available for multiple platforms. Acrobat and Reader are exposed to a remote heap-based memory corruption issue because they fail to sufficiently sanitize user-supplied input.
  • Ref: http://www.securityfocus.com/bid/34768

  • 09.19.22 - CVE: Not Available
  • Platform: Cross Platform
  • Title: Mpegable Player ".YUV" File Remote Stack Buffer Overflow
  • Description: Mpegable Player is a multimedia player. The application is exposed to a remote stack-based buffer overflow issue because it fails to perform adequate checks on user-supplied input. Specifically, this issue occurs when opening malformed ".YUV" media files. Mpegable Player version 2.12 is affected.
  • Ref: http://www.securityfocus.com/bid/34770

  • 09.19.23 - CVE: Not Available
  • Platform: Cross Platform
  • Title: Baby Web Server URL File Disclosure
  • Description: Baby Web Server is a webserver application available for Microsoft Windows. Baby Web Server is exposed to an issue that lets attackers obtain potentially sensitive information because it fails to properly sanitize user-supplied input to the URL. Baby Web Server version 2.7.2 is affected.
  • Ref: http://www.securityfocus.com/bid/34772

  • 09.19.24 - CVE: CVE-2009-1348
  • Platform: Cross Platform
  • Title: McAfee Products RAR/ZIP Files Scan Evasion
  • Description: McAfee develops antivirus, antispyware, and firewalling products. Multiple McAfee products are exposed to an issue that may allow certain compressed archives to bypass the scan engine. The vulnerability occurs because the software fails to properly inspect specially crafted "RAR" and "ZIP" files. The issue affects all McAfee software that uses DAT files.
  • Ref: https://kc.mcafee.com/corporate/index?page=content&id=SB10001&actp=LIST_RECENT

  • 09.19.25 - CVE: Not Available
  • Platform: Cross Platform
  • Title: SCO UnixWare IGMP Driver Unspecified Denial Of Service
  • Description: SCO UnixWare is exposed to a denial of service issue caused by an unspecified error in the IGMP driver. SCO UnixWare version 7.1.4 Maintenance Pack 4 is affected.
  • Ref: ftp://ftp.sco.com/pub/unixware7/714/security/p535283/p535283.txt

  • 09.19.26 - CVE: Not Available
  • Platform: Cross Platform
  • Title: Google Chrome "throw()" function Null Pointer Dereference Remote Denial of Service
  • Description: Google Chrome is a web browser. The application is exposed to a remote denial of service issue caused by a NULL-pointer dereference in the "throw()" JavaScript function. Google Chrome version 1.0.154.53 is affected.
  • Ref: http://www.securityfocus.com/bid/34786

  • 09.19.27 - CVE: CVE-2009-1365
  • Platform: Cross Platform
  • Title: Adobe Flash Media Server Unspecified RPC Call Privilege Escalation
  • Description: Adobe Flash Media Server provides streaming media and a development environment for creating and delivering media applications. Flash Media Server is exposed to an issue that allows attackers to gain elevated privileges by executing server-side ActionScripts by invoking an unspecified RPC (Remote Procedures Call). Flash Media Streaming Server or Flash Media Interactive Server versions prior to 3.5.2 and 3.0.4 are affected.
  • Ref: http://www.adobe.com/support/security/bulletins/apsb09-05.html

  • 09.19.28 - CVE: CVE-2009-1364
  • Platform: Cross Platform
  • Title: libwmf WMF Image File Remote Code Execution
  • Description: libwmf is a library for reading and converting Windows Metafile Format (WMF) vector graphics. libwmf is exposed to a remote code execution issue due to a NULL-pointer dereference condition.
  • Ref: http://www.securityfocus.com/bid/34792

  • 09.19.29 - CVE: Not Available
  • Platform: Cross Platform
  • Title: Addonics NAS Adapter FTP Server Multiple Command Remote Buffer Overflow Vulnerabilities
  • Description: Addonics NAS Adapter is a network storage device. NAS Adapter includes an embedded FTP server. NAS Adapter is exposed to multiple remote buffer overflow issues because the application fails to sufficiently sanitize user-supplied arguments to multiple FTP commands. NASU2FW41 (Loader 1.17) is affected.
  • Ref: http://www.securityfocus.com/archive/1/503146

  • 09.19.30 - CVE: Not Available
  • Platform: Cross Platform
  • Title: iPassConnect Local Privilege Escalation
  • Description: iPassConnect is an application used to simplify remote and mobile connectivity across different platforms and access technologies. iPassConnect is exposed to a local privilege escalation issue. The application can be configured to start programs after connecting to a network in global context. iPassConnect versions 3.51, 3.60, and 3.66 are affected.
  • Ref: http://www.securityfocus.com/bid/34801

  • 09.19.31 - CVE: CVE-2008-4828
  • Platform: Cross Platform
  • Title: IBM Tivoli Storage Manager Multiple Vulnerabilities
  • Description: IBM Tivoli Storage Manager is an application for automated backup and recovery of data. The application is exposed to multiple issues. Attackers can exploit these issues to cause a denial of service condition, to execute arbitrary code, and to read, copy, edit, or delete files on a victim's computer.
  • Ref: http://secunia.com/secunia_research/2008-55/

  • 09.19.32 - CVE: Not Available
  • Platform: Cross Platform
  • Title: Openfire jabber:iq:auth "passwd_change" Remote Password Change
  • Description: Openfire is a freely available instant-messaging server available for various platforms. The application is exposed to an issue that may permit attackers to change the password of arbitrary users. This issue occurs because the application fails to properly verify jabber:iq:auth "passwd_change" requests. Openfire versions prior to 3.6.4 are affected.
  • Ref: http://www.igniterealtime.org/issues/browse/JM-1532

  • 09.19.33 - CVE: CVE-2009-0148
  • Platform: Cross Platform
  • Title: Cscope Multiple Stack-Based Buffer Overflow Vulnerabilities
  • Description: Cscope is a source code browsing and analysis tool available for a number of platforms. Cscope is exposed to multiple stack-based buffer overflow issues because it fails to perform adequate checks on user-supplied input. These issues result from incorrect usage of the "sprintf()" function. Cscope versions prior to 15.7a are affected.
  • Ref: https://bugzilla.redhat.com/show_bug.cgi?id=490667

  • 09.19.34 - CVE: CVE-2009-0720
  • Platform: Cross Platform
  • Title: HP OpenView Network Node Manager Remote Unspecified Code Execution
  • Description: HP OpenView Network Node Manager (NNM) is a fault-management application for IP networks. The application is exposed to a remote code execution issue caused by an unspecified error. Successfully exploiting this issue allows an attacker to execute arbitrary code with the privileges of the user running the affected application. NNM versions 7.01, 7.51, and 7.53 are affected.
  • Ref: http://www.securityfocus.com/archive/1/503212

  • 09.19.35 - CVE: Not Available
  • Platform: Cross Platform
  • Title: Quick 'n Easy Mail Server SMTP Request Remote Denial of Service
  • Description: Quick 'n Easy Mail Server is a mail server for Microsoft Windows. The application fails to properly handle SMTP requests containing excessive amounts of data. After receiving multiple such requests, the application may fail to respond to legitimate SMTP requests. Quick 'n Easy Mail Server version 3.3 is affected.
  • Ref: http://www.securityfocus.com/bid/34814

  • 09.19.36 - CVE: Not Available
  • Platform: Cross Platform
  • Title: Quagga Autonomous System Number Remote Denial of Service
  • Description: Quagga is a routing software suite for multiple Unix platforms, including Linux and BSD. Quagga is exposed to a remote denial of service issue that affects the Border Gateway Protocol (BGP) daemon. Specifically, this issue is due to a failure to handle certain 4 byte ASN (Autonomous System Number) values in AS (Autonomous System) prefixes. Quagga version 0.99.11 is affected.
  • Ref: http://marc.info/?l=quagga-dev&m=123364779626078&w=2

  • 09.19.37 - CVE: CVE-2009-1469
  • Platform: Cross Platform
  • Title: IceWarp Merak Mail Server "Forgot Password" Input Validation
  • Description: IceWarp Mail Server is a commercially available mail server implemented for Windows and Linux platforms. The application is exposed to an input validation issue. The problem occurs because the application improperly uses client-side data when performing a "Forgot Password" function.
  • Ref: http://www.securityfocus.com/archive/1/503227

  • 09.19.38 - CVE: Not Available
  • Platform: Cross Platform
  • Title: Cscope "find.c" Stack Based Buffer Overflow
  • Description: Cscope is a tool for analyzing source code; it is available for a number of platforms. Cscope is exposed to a stack-based buffer overflow issue because it fails to perform adequate checks on user-supplied input. Specifically, this issue is triggered when searching a source code file including excessively long function or symbol names, and affects the "find.c" source code file. Cscope versions prior to 15.6 are affected.
  • Ref: https://bugzilla.redhat.com/show_bug.cgi?id=499174

  • 09.19.39 - CVE: Not Available
  • Platform: Cross Platform
  • Title: Nucleus Kernel Recovery for Mac and Novell Multiple Buffer Overflow Vulnerabilities
  • Description: Nucleus provides Kernel Recovery software for file recovery on multiple platforms. Multiple Nucleus Kernel Recovery products are exposed to multiple remote stack-based buffer overflow issues because they fail to perform adequate checks on user-supplied input. Kernel Recovery for Novell version 4.03 and for Macintosh version 4.04 are affected.
  • Ref: http://www.securityfocus.com/bid/34846

  • 09.19.40 - CVE: Not Available
  • Platform: Cross Platform
  • Title: Mitel Nupoint Messenger Authentication Credentials Information Disclosure
  • Description: Mitel Nupoint Messenger is a messaging application. It uses IMAP or MAPI connections through the NuPoint MAPI server to communicate with MS Exchange 2003 or 2007. The server application is exposed to an information disclosure issue because it sends usernames and passwords in clear text. Mitel Nupoint Messenger R3 and R11 are affected.
  • Ref: http://www.kb.cert.org/vuls/id/576996

  • 09.19.41 - CVE: Not Available
  • Platform: Web Application - Cross Site Scripting
  • Title: @Mail "admin.php" Cross-Site Scripting Vulnerabilities
  • Description: @Mail is a webmail application. The application is exposed to a cross-site scripting issue because it fails to properly sanitize user-supplied input to the "type" and "func" parameters in the "webadmin/admin.php" script. @Mail version 5.61 is affected.
  • Ref: http://www.securityfocus.com/bid/34762

  • 09.19.42 - CVE: Not Available
  • Platform: Web Application - Cross Site Scripting
  • Title: Coppermine Photo Gallery "css" Parameter Cross-Site Scripting
  • Description: Coppermine Photo Gallery is a PHP-based image gallery. The application is exposed to a cross-site scripting issue because it fails to properly handle user-supplied input to the 'css' parameter of the "docs/showdoc.php" script. Coppermine Photo Gallery versions prior to 1.4.22 are affected.
  • Ref: http://forum.coppermine-gallery.net/index.php/topic,59237.0.html

  • 09.19.43 - CVE: Not Available
  • Platform: Web Application - Cross Site Scripting
  • Title: Jetty Cross-Site Scripting and Information Disclosure Vulnerabilities
  • Description: Jetty is a Java-based web server available for various operating systems. The application is exposed to multiple remote issues. Attackers may leverage these issues to execute arbitrary script code in the browser of an unsuspecting user in the context of the affected site, steal cookie-based authentication credentials, and obtain sensitive information. Jetty versions 6.1.16 and earlier are affected.
  • Ref: http://jira.codehaus.org/browse/JETTY-1004

  • 09.19.44 - CVE: CVE-2009-1467
  • Platform: Web Application - Cross Site Scripting
  • Title: IceWarp Merak Mail Server "cleanHTML()" Function Cross-Site Scripting
  • Description: IceWarp Merak Mail Server is a commercially available mail server. IceWarp Merak Mail Server is exposed to a cross-site scripting issue because the application fails to properly sanitize user-supplied input. This issue affects the "cleanHTML()" function of the "html/webmail/server/inc/tools.php" script.
  • Ref: http://www.securityfocus.com/archive/1/503225

  • 09.19.45 - CVE: Not Available
  • Platform: Web Application - Cross Site Scripting
  • Title: Glassfish Enterprise Server Multiple Cross-Site Scripting Vulnerabilities
  • Description: Glassfish Enterprise Server is a web application framework. The software is exposed to multiple cross-site scripting issues because it fails to properly sanitize user-supplied input. Glassfish Enterprise Server version 2.1 is affected.
  • Ref: https://glassfish.dev.java.net/servlets/ReadMsg?list=cvs&msgNo=29668

  • 09.19.46 - CVE: CVE-2009-1467
  • Platform: Web Application - Cross Site Scripting
  • Title: IceWarp Merak Mail Server "item.php" Cross-Site Scripting
  • Description: IceWarp Merak Mail Server is a commercially available mail server. IceWarp Merak Mail Server is exposed to a cross-site scripting issue because the application fails to properly sanitize user-supplied input. This issue affects the "cleanHTML()" function of the "html/webmail/server/inc/rss/rss.php" script.
  • Ref: http://www.securityfocus.com/archive/1/503229

  • 09.19.47 - CVE: Not Available
  • Platform: Web Application - Cross Site Scripting
  • Title: Woodstock 404 Error Page Cross-Site Scripting
  • Description: Woodstock is a web component library for the Glassfish application framework. Woodstock is exposed to a cross-site scripting issue because it fails to sufficiently sanitize user-supplied URI data when generating a 404 error page. Specifically, this issue can be exploited by submitting a UTF-7 encoded URI to the vulnerable application. Woodstock version 4.2 is affected.
  • Ref: https://woodstock.dev.java.net/servlets/ReadMsg?list=cvs&msgNo=4041

  • 09.19.48 - CVE: Not Available
  • Platform: Web Application - Cross Site Scripting
  • Title: VerliAdmin "index.php" Multiple Cross-Site Scripting Vulnerabilities
  • Description: VerliAdmin is an administration tool for VerliHub, which is a Direct Connect protocol server. The application is exposed to multiple cross-site scripting issues because it fails to properly sanitize user-supplied input to the "nick" and "q" parameters in the "index.php" script. VerliAdmin versions 0.3.7 and 0.3.8 are affected.
  • Ref: http://www.securityfocus.com/bid/34845

  • 09.19.49 - CVE: Not Available
  • Platform: Web Application - SQL Injection
  • Title: ProjectCMS "sn" Parameter SQL Injection
  • Description: ProjectCMS is a content manager implemented in PHP. The application is exposed to an SQL injection issue because it fails to sufficiently sanitize user-supplied data to the "sn" parameter of the "index.php" script before using it in an SQL query.
  • Ref: http://www.securityfocus.com/archive/1/503079

  • 09.19.50 - CVE: Not Available
  • Platform: Web Application - SQL Injection
  • Title: eLitius "banner-details.php" SQL Injection
  • Description: eLitius is a PHP-based web application. The application is exposed to an SQL injection issue because it fails to sufficiently sanitize user-supplied data to the "id" parameter of the "banner-details.php" script. eLitius version 1.0 is affected.
  • Ref: http://www.securityfocus.com/bid/34769

  • 09.19.51 - CVE: Not Available
  • Platform: Web Application - SQL Injection
  • Title: News Page Drupal Module Unspecified SQL Injection
  • Description: News Page is a module for the Drupal content manager. The application is exposed to an unspecified SQL injection issue because it fails to sufficiently sanitize user-supplied data. News Page versions prior to 5.x-1.2 are affected.
  • Ref: http://www.securityfocus.com/bid/34777

  • 09.19.52 - CVE: Not Available
  • Platform: Web Application - SQL Injection
  • Title: Tiger DMS Login SQL Injection
  • Description: Tiger DMS is a download manager application implemented in PHP. The application is exposed to an SQL injection issue because it fails to sufficiently sanitize user-supplied data to the "username" and "password" parameters when authenticating via the "login.php" script.
  • Ref: http://www.securityfocus.com/bid/34775

  • 09.19.53 - CVE: Not Available
  • Platform: Web Application - SQL Injection
  • Title: BluSky CMS "index.php" SQL Injection
  • Description: BluSky CMS is a PHP-based content manager. The application is exposed to an SQL injection issue because it fails to sufficiently sanitize user-supplied data to the "news_id" field of the "index.php" script.
  • Ref: http://www.securityfocus.com/bid/34811

  • 09.19.54 - CVE: CVE-2009-1468
  • Platform: Web Application - SQL Injection
  • Title: IceWarp Merak Mail Server Groupware Component Multiple SQL Injection Vulnerabilities
  • Description: IceWarp Merak Mail Server is a commercially available mail server. The application is exposed to multiple SQL injection issues because it fails to sufficiently sanitize user-supplied data before using it in an SQL query. These issues affect the web-based Groupware component and can be exploited by sending a specially-crafted search query to "server/webmail.php" script. IceWarp Merak Mail Server version 9.4.1 is affected.
  • Ref: http://www.redteam-pentesting.de/en/advisories/rt-sa-2009-003/-icewarp-webmail-server-sql-injection-in-groupware-component

  • 09.19.55 - CVE: Not Available
  • Platform: Web Application
  • Title: S-CMS "plugin.php" Local File Include
  • Description: Flatchat is a web-based chat application. The application is exposed to a local file include issue because it fails to properly sanitize user-supplied input to the "page" parameter of the "plugin.php" script. S-CMS version 1.1 Stable is affected.
  • Ref: http://www.securityfocus.com/bid/34771

  • 09.19.56 - CVE: Not Available
  • Platform: Web Application
  • Title: Zubrag Smart File Download "download.php" File Download Security Bypass
  • Description: Zubrag Smart File Download is a PHP-based web application that allows visitors to download files. The application is exposed to an issue that lets attackers bypass intended security restrictions. The issue occurs because the application fails to adequately sanitize user-supplied input to the "f" parameter of the "download.php" script. Smart File Download version 1.3 is affected.
  • Ref: http://www.securityfocus.com/bid/34773

  • 09.19.57 - CVE: Not Available
  • Platform: Web Application
  • Title: Exif Drupal Module HTML Injection
  • Description: Exif is a module for the Drupal content manager. The module is exposed to an HTML injection issue because it fails to sanitize user-supplied input contained in EXIF (Exchangeable Image File Format) image metadata before including it in generated web pages. Exif versions 5.x prior to 5.x-1.2 and Exif 6.x-1.x-dev versions prior to the April 13th 2009 release are affected.
  • Ref: http://drupal.org/node/448958

  • 09.19.58 - CVE: Not Available
  • Platform: Web Application
  • Title: Drupal Node Access User Reference Module Security Bypass
  • Description: The Node Access User Reference module for the Drupal content manager provides automatic access control to nodes. The module is exposed to a security bypass issue because the module incorrectly interprets an empty user reference field as a reference to the anonymous user, and allows non-logged-in visitors to view or modify the node. Drupal Node Access versions prior to 5.x-2.0-beta4 and 6.x-2.0-beta6 are affected.
  • Ref: http://drupal.org/node/449030

  • 09.19.59 - CVE: Not Available
  • Platform: Web Application
  • Title: Drupal HTML Injection and Information Disclosure Vulnerabilities
  • Description: Drupal is a web-based content management system. The application is exposed to multiple security issues. An attacker may leverage these issues to gain access to potentially sensitive information, execute arbitrary script code in the browser of an unsuspecting user in the context of the affected site, steal cookie-based authentication credentials or control how the site is rendered to the user; other attacks are also possible. Drupal versions prior to 5.17 and 6.11 are affected.
  • Ref: http://drupal.org/node/449078

  • 09.19.60 - CVE: Not Available
  • Platform: Web Application
  • Title: LimeSurvey "/admin/remotecontrol" Remote Code Execution
  • Description: LimeSurvey is a PHP-based survey application. The application is exposed to an issue that attackers can leverage to execute arbitrary code. This issue is due to an unspecified error affecting the "/admin/remotecontrol/" script. LimeSurvey versions 1.80RC4, 1.80, 1.80+, 1.81, and 1.81+ are affected.
  • Ref: http://www.limesurvey.org/content/view/169/1/lang,en/

  • 09.19.61 - CVE: Not Available
  • Platform: Web Application
  • Title: Gowon Designs Leap Multiple Input Validation Vulnerabilities
  • Description: Gowon Designs Leap is a PHP-based content manager. The application is exposed to multiple input validation issues. Exploiting these issues could allow an attacker to steal cookie-based authentication credentials, execute arbitrary script code in the context of the webserver process, compromise the application, obtain sensitive information, access or modify data, or exploit latent vulnerabilities in the underlying database implementation. Leap version 0.1.4 is affected.
  • Ref: http://www.securityfocus.com/archive/1/503089

  • 09.19.62 - CVE: Not Available
  • Platform: Web Application
  • Title: MiniTwitter Security Bypass and SQL Injection Vulnerabilities
  • Description: MiniTwitter is a PHP-based application. The application is exposed to multiple security issues. The attacker can exploit the SQL-injection issue by manipulating the SQL query logic to carry out unauthorized actions on the underlying database. MiniTwitter version 0.2 Beta is affected.
  • Ref: http://www.securityfocus.com/archive/1/503155

  • 09.19.63 - CVE: Not Available
  • Platform: Web Application
  • Title: Golabi CMS "Common/ImageVer.php" Authentication Bypass
  • Description: Golabi CMS is a PHP-based content manager. The application is exposed to an authentication bypass issue caused by a design error when handling sessions. Specifically, an attacker can start an administrator's session by setting the "svar" session parameter to "InstallStep" in the "Common/ImageVer.php" script. Golabi CMS version 1.0.1 is affected.
  • Ref: http://www.securityfocus.com/bid/34797

  • 09.19.64 - CVE: Not Available
  • Platform: Web Application
  • Title: MyBB 1.4.5 Multiple Security Vulnerabilities
  • Description: MyBB (MyBulletinBoard) is a PHP-based bulletin board application. MyBB is exposed to multiple security issues, including an HTML-injection issue and an unspecified issue. The HTML injection issue affects the avatar URI field in the "admin/modules/user/users.php" script. MyBB version 1.4.5 is affected.
  • Ref: http://blog.mybboard.net/2009/05/03/mybb-146-released-security-update/

  • 09.19.65 - CVE: Not Available
  • Platform: Web Application
  • Title: pecio cms "index.php" Local File Include
  • Description: pecio cms is a PHP-based content manager. The application is exposed to a local file include issue because it fails to properly sanitize user-supplied input to the "language" parameter of the "index.php" script. pecio cms version 1.1.5 is affected.
  • Ref: http://www.securityfocus.com/bid/34802

  • 09.19.66 - CVE: Not Available
  • Platform: Web Application
  • Title: AGTC MyShop Insecure Cookie Authentication Bypass
  • Description: AGTC MyShop is a web application implemented in PHP. The application is exposed to an authentication bypass issue because it fails to adequately verify user-supplied input used for cookie-based authentication. Specifically, attackers can gain administrative access to the application by setting the "log_accept" cookie parameter to "correcto" and the "path" parameter to "/". AGTC MyShop version 3.2b is affected.
  • Ref: http://www.securityfocus.com/bid/34808

  • 09.19.67 - CVE: Not Available
  • Platform: Web Application
  • Title: Million Dollar Text Links Administrative Interface Authentication Bypass
  • Description: Million Dollar Text Links is a web-based application implemented in PHP. The application is exposed to an authentication bypass issue that occurs because the application fails to restrict access to administrative scripts, including "admin.home.php". Million Dollar Text Links version 1.0 is affected.
  • Ref: http://www.securityfocus.com/bid/34809

  • 09.19.68 - CVE: Not Available
  • Platform: Web Application
  • Title: eLitius Arbitrary File Upload and Authentication Bypass Vulnerabilities
  • Description: eLitius is a web-based application implemented in PHP. The application is exposed to an issue that lets remote attackers upload and execute arbitrary code because it fails to properly sanitize user-supplied files. The application is also exposed to an authentication bypass issue. eLitius version 1.0 is affected.
  • Ref: http://www.securityfocus.com/bid/34813

  • 09.19.69 - CVE: Not Available
  • Platform: Web Application
  • Title: PHP Site Lock Cookie Authentication Bypass
  • Description: PHP Site Lock is a PHP-based authentication application. The application is exposed to an authentication bypass issue because it fails to adequately verify user-supplied input used for cookie-based authentication. PHP Site Lock version 2.0 is affected.
  • Ref: http://www.securityfocus.com/bid/34815

  • 09.19.70 - CVE: Not Available
  • Platform: Web Application
  • Title: ProjectCMS Multiple Input Validation Vulnerabilities
  • Description: ProjectCMS is a content manager implemented in PHP. The application is exposed to multiple issues. An attacker can exploit these issues to upload and execute arbitrary PHP code in the context of the webserver process, obtain sensitive information, or delete an arbitrary directory. ProjectCMS versions prior to 1.2 Beta are affected.
  • Ref: http://www.securityfocus.com/archive/1/503211

  • 09.19.71 - CVE: Not Available
  • Platform: Web Application
  • Title: TemaTres SQL Injection and Cross-Site Scripting Vulnerabilities
  • Description: TemaTres is a web application to manage documentation languages. TemaTres is exposed to multiple input validation issues. Reports indicate additional unspecified scripts and parameters are vulnerable to cross-site scripting attacks. TemaTres version 1.0.3 is affected.
  • Ref: http://www.securityfocus.com/archive/1/503252

  • 09.19.72 - CVE: Not Available
  • Platform: Web Application
  • Title: LinkBase Users Menu HTML Injection
  • Description: LinkBase is a PHP-based web application. The application is exposed to an HTML injection issue because it fails to sufficiently sanitize user-supplied input. Specifically, this issue affects the user registration script. LinkBase version 2.0 is affected.
  • Ref: http://www.securityfocus.com/bid/34844

(c) 2009. All rights reserved. The information contained in this newsletter, including any external links, is provided "AS IS," with no express or implied warranty, for informational purposes only. In some cases, copyright for material in this newsletter may be held by a party other than Qualys (as indicated herein) and permission to use such material must be requested from the copyright owner.

Subscriptions: @RISK is distributed free of charge by the SANS Institute to people responsible for managing and securing information systems and networks. You may forward this newsletter to others with such responsibility inside or outside your organization.