
@RISK: The Consensus Security Vulnerability Alert

Volume: VIII, Issue: 21
May 21, 2009

A light week.

@RISK is the SANS community's consensus bulletin summarizing the most important vulnerabilities and exploits identified during the past week and providing guidance on appropriate actions to protect your systems (PART I). It also includes a comprehensive list of all new vulnerabilities discovered in the past week (PART II).

Summary of the vulnerabilities reported this week:

    Platform                                 Number of Updates and Vulnerabilities
    ---------------------------------------  -------------------------------------
    Third Party Windows Apps                  8 (#1, #4)
    Mac Os                                   18
    Linux                                     3
    Solaris                                   1
    Cross Platform                           24 (#2, #3)
    Web Application - Cross Site Scripting    6
    Web Application - SQL Injection          18
    Web Application                          22
    Network Device                            1

********************* Sponsored By Sourcefire, Inc. *********************

Your Network Security Isn't Good Enough Anymore

Today's threats-and networks-are dynamic. Unfortunately most network security systems are not.

Join Martin Roesch, Founder and CTO of Sourcefire® and Creator of Snort®, in a series of seminars, as he shows why network security must include full network visibility, relevant context, and automated impact assessment to be effective.

More information http://www.sans.org/info/43769

*************************************************************************

TRAINING UPDATE
  • SANSFIRE in Baltimore 6/13-6/20 (24 long courses, 12 short courses) http://www.sans.org/sansfire09/event.php
  • Pen Testing and Web Application Attack Summit - June 1-2 http://www.sans.org/pentesting09_summit
  • Rocky Mountain SANS, July 7-13 (6 full-length hands-on courses) http://www.sans.org/rockymnt2009/event.php
  • SANS Boston, Aug 2-9 (6 full-length hands-on courses) https://www.sans.org/boston09/index.php
  • National Forensics Summit, July 6-14 http://www.sans.org/forensics09_summit/
Looking for training in your own community? http://sans.org/community/
Save 25% on all On-Demand training (30 full courses) - See samples at http://www.sans.org/ondemand/spring09.php
Plus Amsterdam, London, Dubai, Riyadh, Cairo, Melbourne, Canberra, and Singapore all in the next 90 days. For a list of all upcoming events, on-line and live: www.sans.org

*************************************************************************

Table Of Contents
Part II -- Comprehensive List of Newly Discovered Vulnerabilities from Qualys (www.qualys.com)
Third Party Windows Apps
Mac Os
Linux
Solaris
Cross Platform
Web Application - Cross Site Scripting
Web Application - SQL Injection
Web Application
Network Device
PART I Critical Vulnerabilities

Part I for this issue has been compiled by Rohan Kotian at TippingPoint, a division of 3Com, as a by-product of that company's continuous effort to ensure that its intrusion prevention products effectively block exploits using known vulnerabilities. TippingPoint's analysis is complemented by input from a council of security managers from twelve large organizations who confidentially share with SANS the specific actions they have taken to protect their systems. A detailed description of the process may be found at http://www.sans.org/newsletters/cva/#process

Widely Deployed Software
  • (1) HIGH: Microsoft IIS WebDAV Authentication Bypass Vulnerability
  • Affected:
    • Microsoft Internet Information Services 5.0
    • Microsoft Internet Information Services 5.1
    • Microsoft Internet Information Services 6.0
  • Description: Microsoft Internet Information Services (IIS), a set of Internet-based services for servers created by Microsoft, has a security bypass vulnerability. The specific flaw lies in the WebDAV plug-in of the affected IIS servers, which does not properly handle Unicode tokens within the requested URL. This can be used to bypass the authentication mechanism of password-protected files with an HTTP request that has Unicode-encoded characters in the URI and a "Translate: f" header. It can also be used to list, download, upload and modify files in a WebDAV folder through PROPFIND requests containing Unicode-encoded characters. Technical details about the vulnerability are publicly available.

  • Status: Vendor confirmed, no updates available.

  • References:
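As an added example (not part of the @RISK bulletin or of any Microsoft tooling), the following Python detection routine scans raw HTTP requests for the two indicators named in the description above: a Unicode-encoded character in the URI combined with a "Translate: f" header, or a PROPFIND request whose URI carries Unicode-encoded characters. The sample requests, hostnames and the "%c3%a9" escape are constructed placeholders, not values from the bulletin; a plain ASCII request with "Translate: f" is deliberately not flagged, since legitimate WebDAV clients send that header.

```python
"""Flag HTTP requests matching the IIS WebDAV Unicode bypass pattern."""
from typing import Dict, List, Optional, Tuple
from urllib.parse import unquote_to_bytes

# Constructed sample requests (not from the bulletin). Only requests 2 and 3
# combine a Unicode-encoded URI with "Translate: f" or with PROPFIND.
SAMPLE_REQUESTS: List[str] = [
    "GET /protected/report.txt HTTP/1.1\r\nHost: intranet.example\r\n\r\n",
    "GET /protected/report.txt HTTP/1.1\r\nHost: intranet.example\r\n"
    "Translate: f\r\n\r\n",
    "GET /protected/%c3%a9report.txt HTTP/1.1\r\nHost: intranet.example\r\n"
    "Translate: f\r\n\r\n",
    "PROPFIND /protected/%C3%A9/ HTTP/1.1\r\nHost: intranet.example\r\n"
    "Depth: 1\r\n\r\n",
    "PROPFIND /protected/ HTTP/1.1\r\nHost: intranet.example\r\nDepth: 1\r\n\r\n",
]


def has_unicode_encoding(uri: str) -> bool:
    """True if the URI contains a non-ASCII character, either literally or as
    a percent-escape that decodes to a byte >= 0x80 (i.e. Unicode-encoded)."""
    if any(ord(ch) > 0x7F for ch in uri):
        return True
    return any(b >= 0x80 for b in unquote_to_bytes(uri))


def parse_request(raw: str) -> Optional[Tuple[str, str, Dict[str, str]]]:
    """Split a raw request into (METHOD, uri, headers); header names are
    lower-cased. Returns None when the request line is malformed."""
    lines = raw.strip().splitlines()
    if not lines:
        return None
    parts = lines[0].split()
    if len(parts) != 3:
        return None
    method, uri, _version = parts
    headers: Dict[str, str] = {}
    for line in lines[1:]:
        if not line.strip():
            break  # end of the header block
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return method.upper(), uri, headers


def classify(raw: str) -> Optional[str]:
    """Return a reason string if the request matches the bypass pattern
    from the bulletin, otherwise None."""
    parsed = parse_request(raw)
    if parsed is None:
        return None
    method, uri, headers = parsed
    if not has_unicode_encoding(uri):
        return None  # ASCII-only URI: ordinary WebDAV traffic
    if headers.get("translate", "").lower() == "f":
        return f"{method} with Unicode-encoded URI and Translate: f"
    if method == "PROPFIND":
        return "PROPFIND with Unicode-encoded URI"
    return None


def scan(requests: List[str]) -> List[Tuple[int, str]]:
    """Run classify() over a batch and return (index, reason) for each hit."""
    hits = []
    for idx, raw in enumerate(requests):
        reason = classify(raw)
        if reason is not None:
            hits.append((idx, reason))
    return hits


if __name__ == "__main__":
    for idx, reason in scan(SAMPLE_REQUESTS):
        print(f"request {idx}: {reason}")
```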
  • (2) HIGH: Network Time Protocol 'ntpd' Autokey Buffer Overflow Vulnerability
  • Affected:
    • NTP versions prior to 4.2.4p7
  • Description: Network Time Protocol (NTP) is a protocol used to synchronize the date and time of computers over a network. ntpd, an NTP daemon, has a buffer overflow vulnerability when compiled with OpenSSL support and configured to use Autokey, which is enabled via a "crypto pw password" line in the "ntp.conf" file. The specific flaw is a buffer overflow caused by the use of an insecure "sprintf()" call in the "crypto_recv()" function in "ntpd/ntp_crypto.c". Successful exploitation might allow an attacker to either crash the system or execute arbitrary code with the privileges of the ntpd daemon.

  • Status: Vendor confirmed, updates available.

  • References:
  • (3) MODERATE: Libsndfile VOC and AIFF Processing Buffer Overflow Vulnerabilities
  • Affected:
    • libsndfile versions prior to 1.0.20
    • NullSoft Winamp 5.552
    • NullSoft Winamp 5.55
    • NullSoft Winamp 5.541
    • NullSoft Winamp 5.54
    • NullSoft Winamp 5.52
    • NullSoft Winamp 5.51
    • NullSoft Winamp 5.5
  • Description: Libsndfile is a C library for reading and writing files that contain sampled sound through one standard library interface. It has two vulnerabilities which can be exploited to compromise an application using the affected library. The first is a buffer overflow error in the "voc_read_header()" function in src/voc.c. A specially crafted Creative Voice (VOC) media file can be used to trigger this vulnerability and cause a heap-based buffer overflow. The second is a buffer overflow error in the "aiff_read_header()" function in src/aiff.c. A specially crafted AIFF file can be used to exploit this vulnerability. Winamp, a popular media player, uses this library and hence is also affected by these vulnerabilities. Technical details are publicly available for these vulnerabilities.

  • Status: Vendor confirmed, updates available.

  • References:
  • (4) MODERATE: D-Link MPEG4 Viewer ActiveX Control Multiple Buffer Overflow Vulnerabilities
  • Affected:
    • D-Link MPEG4 Viewer ActiveX Control 2.11.918.2006
    • D-Link MPEG4 Viewer ActiveX Control 0
  • Description: D-Link MPEG4 Viewer ActiveX Control (csviewer.ocx) is used for remote management of D-Link network cameras via a web browser. It has two buffer overflow vulnerabilities, in the "SetFilePath()" and "SetClientCookie()" methods. An overlong string argument to either of these methods might result in a heap-based buffer overflow condition. A malicious web page that instantiates this control could exploit this buffer overflow to execute arbitrary code with the privileges of the current user.

  • Status: Vendor has not confirmed, no updates available. Users can mitigate the impact of this vulnerability by disabling the control via Microsoft's "kill bit" mechanism.

  • References:
Part II: Weekly Comprehensive List of Newly Discovered Vulnerabilities
Week 21, 2009

This list is compiled by Qualys ( www.qualys.com ) as part of that company's ongoing effort to ensure its vulnerability management web service tests for all known vulnerabilities that can be scanned. As of this week Qualys scans for 7030 unique vulnerabilities. For this special SANS community listing, Qualys also includes vulnerabilities that cannot be scanned remotely.


  • 09.21.1 - CVE: Not Available
  • Platform: Third Party Windows Apps
  • Title: Sun Java Runtime Environment ActiveX Control Multiple Remote Buffer Overflow Vulnerabilities
  • Description: Sun Java Runtime Environment includes an ActiveX control used to download and execute Java applications. The control is exposed to multiple remote buffer overflow issues because it fails to perform adequate boundary checks on user-supplied data. Java Runtime Environment 6 Update 13 is affected.
  • Ref: http://www.shinnai.net/xplits/TXT_mhxRKrtrPLyAHRFNm7QR.html

  • 09.21.2 - CVE: CVE-2009-1491
  • Platform: Third Party Windows Apps
  • Title: McAfee GroupShield for Microsoft Exchange X-header Scan Evasion
  • Description: McAfee GroupShield for Microsoft Exchange is a virus-scanning application for the Exchange mail server. The application is exposed to an issue that may allow certain email messages to bypass the scan engine. The issue occurs because the software fails to properly inspect "X-header" email headers.
  • Ref: http://www.nmrc.org/~thegnome/blog/apr09/

  • 09.21.3 - CVE: Not Available
  • Platform: Third Party Windows Apps
  • Title: DigiMode Maya Malformed "m3u" and "m3l" Playlist Files Buffer Overflow
  • Description: DigiMode Maya is a free media player available for Microsoft Windows. DigiMode Maya is exposed to a buffer overflow issue because it fails to bounds check user-supplied data before copying it into an insufficiently sized buffer. Specifically, the application fails to handle specially crafted ".m3u" and ".m3l" playlist files. DigiMode Maya version 1.0.2 is affected.
  • Ref: http://www.securityfocus.com/bid/34960

  • 09.21.4 - CVE: Not Available
  • Platform: Third Party Windows Apps
  • Title: Audioactive Player ".m3u" File Remote Buffer Overflow
  • Description: Audioactive Player is a multimedia player available for Microsoft Windows. The application is exposed to a remote buffer overflow issue because it fails to perform adequate checks on user-supplied input. Specifically, this issue occurs when opening a ".m3u" playlist file that contains excessive data. Audioactive Player version 1.93b is affected.
  • Ref: http://www.securityfocus.com/bid/34987

  • 09.21.5 - CVE: Not Available
  • Platform: Third Party Windows Apps
  • Title: D-Link MPEG4 Viewer ActiveX Control Multiple Heap Buffer Overflow Vulnerabilities
  • Description: D-Link MPEG4 Viewer is an ActiveX control for use with D-Link digital cameras. The ActiveX control is exposed to multiple heap-based buffer overflow issues because it fails to perform adequate boundary checks on user-supplied data. These issues affect the "SetFilePath()" and "SetClientCookie()" methods in the control provided by "csviewer.ocx". MPEG4 Viewer version 2.11.918.2006 is affected.
  • Ref: http://support.microsoft.com/kb/240797

  • 09.21.6 - CVE: CVE-2009-1535
  • Platform: Third Party Windows Apps
  • Title: Microsoft IIS Unicode Requests to WebDAV Multiple Authentication Bypass Vulnerabilities
  • Description: Microsoft Internet Information Service (IIS) is a webserver available for Microsoft Windows. Since it fails to restrict access to certain WebDAV resources, IIS is exposed to multiple authentication bypass issues. Microsoft IIS version 6.0 is affected.
  • Ref: http://www.kb.cert.org/vuls/id/787932

  • 09.21.7 - CVE: Not Available
  • Platform: Third Party Windows Apps
  • Title: httpdx Multiple Commands Remote Denial Of Service Vulnerabilities
  • Description: httpdx is an HTTP/FTP server for Microsoft Windows. httpdx is exposed to multiple remote denial of service issues because it fails to perform adequate boundary checks on user-supplied data passed to the following commands: "USER", "PASS" and "CWD". httpdx version 0.5b is affected.
  • Ref: http://www.securityfocus.com/bid/35006

  • 09.21.8 - CVE: Not Available
  • Platform: Third Party Windows Apps
  • Title: AOL Radio AmpX ActiveX Control "ConvertFile()" Buffer Overflow
  • Description: AOL Radio AmpX ActiveX control is used for streaming audio files in browsers. The ActiveX control is exposed to a stack-based buffer overflow issue because it fails to perform adequate boundary checks on user-supplied input. "AmpX.dll" version 2.4.0.6 is affected.
  • Ref: http://support.microsoft.com/kb/240797

  • 09.21.9 - CVE: CVE-2009-0150
  • Platform: Mac Os
  • Title: Apple Mac OS X Disk Image Stack Buffer Overflow
  • Description: Apple Mac OS X is prone to a stack-based buffer overflow vulnerability that affects the Disk Images component. An attacker can exploit this issue by enticing a user into mounting a specially crafted sparse disk image. A successful exploit will allow attacker-supplied content to execute in the context of the victim mounting the image, or cause a denial of service.
  • Ref: http://www.securityfocus.com/bid/34972

  • 09.21.10 - CVE: CVE-2009-0156
  • Platform: Mac Os
  • Title: Apple Mac OS X Launch Services Denial of Service
  • Description: Launch Services is a component of Mac OS X. The service decides what to do when a document is double-clicked. The Launch Services component is exposed to a denial of service issue caused by an out-of-bounds memory read. An attacker can exploit this issue by tricking a victim into downloading a malicious Mach-O executable.
  • Ref: http://www.securityfocus.com/bid/34932

  • 09.21.11 - CVE: CVE-2009-0160
  • Platform: Mac Os
  • Title: Apple Mac OS X QuickDraw PICT Handling Memory Corruption
  • Description: QuickDraw is the legacy drawing program for Mac OS X. The QuickDraw component is exposed to a memory corruption issue because the software fails to sufficiently validate PICT image data. An attacker can exploit this issue by tricking a victim into opening a specially crafted PICT image file.
  • Ref: http://www.securityfocus.com/bid/34937

  • 09.21.12 - CVE: CVE-2009-0010
  • Platform: Mac Os
  • Title: Apple Mac OS X PICT Image Handling Integer Overflow
  • Description: Apple Mac OS X is prone to an integer overflow vulnerability when handling PICT image files. A specially crafted PICT image file may exploit an integer overflow, ultimately triggering a heap overflow. An attacker can exploit this issue by tricking a victim into opening a malicious PICT image file.
  • Ref: http://www.zerodayinitiative.com/advisories/ZDI-09-021/

  • 09.21.13 - CVE: CVE-2009-0944
  • Platform: Mac Os
  • Title: Apple Mac OS X SpotLight Multiple Memory Corruption Vulnerabilities
  • Description: SpotLight is a search component of Apple Mac OS X. The SpotLight component is exposed to multiple memory corruption issues in the Microsoft Office SpotLight Importer. An attacker can exploit these issues by tricking a victim into opening a specially crafted Microsoft Office file.
  • Ref: http://www.securityfocus.com/bid/34939

  • 09.21.14 - CVE: Not Available
  • Platform: Mac Os
  • Title: Apple Mac OS X Local "login" Privilege Escalation
  • Description: Apple Mac OS X is prone to a local privilege escalation vulnerability in "system_cmds". The problem occurs because the "login" command may start an interactive shell (after successful authentication) with the system default privileges. This may allow a local attacker to gain elevated privileges, which may aid in further attacks.
  • Ref: http://www.securityfocus.com/bid/34941

  • 09.21.15 - CVE: CVE-2009-0149
  • Platform: Mac Os
  • Title: Apple Mac OS X Disk Image Multiple Memory Corruption Vulnerabilities
  • Description: Apple Mac OS X is exposed to multiple memory corruption vulnerabilities. An attacker can exploit these issues by tricking a victim into mounting a specially crafted disk image. A successful exploit will allow attacker-supplied content to execute in the context of the victim mounting the image.
  • Ref: http://www.securityfocus.com/bid/34942

  • 09.21.16 - CVE: CVE-2009-0154
  • Platform: Mac Os
  • Title: Apple Mac OS X Compact Font Format (CFF) Heap Based Buffer Overflow
  • Description: Apple Mac OS X is exposed to a heap-based buffer overflow issue that affects the Apple Type Services component when handling Compact Font Format (CFF) fonts. An attacker can exploit this issue by enticing an unsuspecting user to view a document containing a maliciously crafted CFF font.
  • Ref: http://www.securityfocus.com/bid/34947

  • 09.21.17 - CVE: CVE-2009-0158
  • Platform: Mac Os
  • Title: Apple Mac OS X Telnet Stack Overflow
  • Description: Apple Mac OS X is exposed to a stack-based buffer overflow issue because it fails to properly bounds check user-supplied data. The problem occurs when the telnet command is used to connect to a malicious server that contains a very long canonical name in its DNS address record. An attacker can exploit this issue by tricking a victim into connecting to the malicious server.
  • Ref: http://www.securityfocus.com/bid/34948

  • 09.21.18 - CVE: CVE-2009-0942
  • Platform: Mac Os
  • Title: Apple Mac OS X Help Viewer Cascading Style Sheets Remote Code Execution
  • Description: Apple Mac OS X is exposed to a remote code execution issue because the software fails to sufficiently validate Cascading Style Sheet (CSS) references supplied in URIs opened by the Help Viewer. An attacker can exploit this issue by enticing an unsuspecting victim to open a malicious "help:" URI.
  • Ref: http://www.securityfocus.com/bid/34950

  • 09.21.19 - CVE: CVE-2009-0144
  • Platform: Mac Os
  • Title: Apple Mac OS X CFNetwork "Set-Cookie" Headers Information Disclosure
  • Description: Apple Mac OS X is exposed to an information disclosure issue because the CFNetwork component may send secure cookie data over unencrypted HTTP requests. This issue occurs because the CFNetwork component may parse non-RFC-compliant "Set-Cookie" headers in a manner that causes sensitive cookie data to be sent in unencrypted HTTP requests.
  • Ref: http://www.securityfocus.com/bid/34951

  • 09.21.20 - CVE: CVE-2009-0943
  • Platform: Mac Os
  • Title: Apple Mac OS X Help Viewer HTML Document Remote Code Execution
  • Description: Apple Mac OS X is exposed to a remote code execution issue because the software fails to sufficiently validate paths used to reference HTML documents in registered help books. An attacker can exploit this issue by enticing an unsuspecting victim to open a malicious "help:" URI.
  • Ref: http://www.securityfocus.com/bid/34952

  • 09.21.21 - CVE: CVE-2009-0157
  • Platform: Mac Os
  • Title: Apple Mac OS X CFNetwork HTTP Header Handling Heap Buffer Overflow
  • Description: CFNetwork is a framework that provides a library of network protocols for Apple Mac OS X. The CFNetwork component is exposed to a heap-based buffer overflow issue because it fails to properly bounds check user-supplied input before using it in an insufficiently sized buffer. Specifically, this occurs when handling overly long HTTP headers.
  • Ref: http://www.securityfocus.com/archive/1/499315

  • 09.21.22 - CVE: CVE-2008-1517
  • Platform: Mac Os
  • Title: Apple Mac OS X Kernel Workqueue Local Privilege Escalation
  • Description: Apple Mac OS X is exposed to a local privilege escalation issue affecting the kernel. This problem stems from an index error in the handling of kernel workqueues and affects the "workqueue_additem()" and "workqueue_removeitem()" functions. A local attacker may exploit this issue to set the effective userid of attacker-controlled processes to root or the attacker may modify kernel code in memory.
  • Ref: http://www.securityfocus.com/archive/1/503487

  • 09.21.23 - CVE: CVE-2009-0145
  • Platform: Mac Os
  • Title: Apple Mac OS X CoreGraphics PDF Handling Multiple Memory Corruption Vulnerabilities
  • Description: CoreGraphics is a graphics rendering API for Apple Mac OS X. CoreGraphics is exposed to multiple memory corruption issues. An attacker can exploit these issues by tricking a victim into opening a specially crafted PDF file.
  • Ref: http://www.securityfocus.com/bid/34962

  • 09.21.24 - CVE: CVE-2009-0155
  • Platform: Mac Os
  • Title: Apple Mac OS X CoreGraphics PDF Handling Heap Overflow
  • Description: CoreGraphics is a graphics-rendering API for Apple Mac OS X. CoreGraphics is exposed to a heap-based buffer overflow issue caused by an integer overflow. An attacker can exploit this issue by tricking a victim into opening a specially crafted PDF file.
  • Ref: http://www.securityfocus.com/bid/34965

  • 09.21.25 - CVE: CVE-2009-0153
  • Platform: Mac Os
  • Title: Apple Mac OS X International Components for Unicode Invalid Byte Sequence Handling
  • Description: Apple Mac OS X is exposed to an information disclosure issue because the International Components for Unicode component may incorrectly convert some invalid byte sequences to Unicode. This may result in attempts to filter or sanitize encoded data being bypassed.
  • Ref: http://www.securityfocus.com/bid/34974

  • 09.21.26 - CVE: CVE-2009-0152
  • Platform: Mac Os
  • Title: Apple Mac OS X iChat Disabled SSL Connection Information Disclosure
  • Description: Apple Mac OS X is prone to an information disclosure vulnerability because the iChat component may transmit sensitive information in plaintext format. This issue occurs because the iChat component will automatically disable Secure Sockets Layer (SSL) communication for AOL Instant Messenger accounts when it can't connect. Subsequent communication will be transmitted in plaintext format until SSL communication is manually re-enabled.
  • Ref: http://www.securityfocus.com/bid/34973

  • 09.21.27 - CVE: Not Available
  • Platform: Linux
  • Title: Linux Kernel NFS "MAY_EXEC" Security Bypass
  • Description: The Linux Kernel is exposed to a security bypass issue. This issue affects the NFS (Network File System) implementation. Specifically, this issue occurs because the software fails to properly check the "MAY_EXEC" permission when "atomic open" is permitted. An attacker may be able to exploit this vulnerability to bypass security restrictions and execute applications.
  • Ref: http://permalink.gmane.org/gmane.comp.security.oss.general/1751

  • 09.21.28 - CVE: Not Available
  • Platform: Linux
  • Title: Linux Kernel CIFS String Conversion Multiple Vulnerabilities
  • Description: The Linux Kernel is exposed to multiple issues that occur due to string processing errors in the CIFS (Common Internet File System) implementation. An attacker may be able to exploit these issues by constructing and sending malicious network data to the affected computer. Linux Kernel version 2.6.29 is affected.
  • Ref: http://git.kernel.org/?p=linux/kernel/git/torvalds/linux-2.6.git;a=commitdiff;h=69f801fcaa03be83d58c564f00913b7c172808e4

  • 09.21.29 - CVE: Not Available
  • Platform: Linux
  • Title: Linux Kernel KVM Port 0x80 Local Denial of Service
  • Description: The Linux kernel is exposed to a local denial of service issue that affects the KVM implementation and occurs when the guest machine accesses port 0x80 on the host machine. The vulnerability exists in the "svm_hardware_setup()" function of the "arch/x86/kvm/svm.c" file. Linux kernel versions prior to 2.6.30-rc6 are vulnerable.
  • Ref: http://kernel.org/pub/linux/kernel/v2.6/testing/ChangeLog-2.6.30-rc6

  • 09.21.30 - CVE: Not Available
  • Platform: Solaris
  • Title: Sun Solaris 9 "fstat(2)" System Call Local Denial of Service
  • Description: Sun Solaris is a UNIX-based operating system. Solaris 9 is exposed to a local denial of service issue caused by an unspecified error related to the "fstat(2)" system call. Attackers may exploit this issue to panic a system, denying service to legitimate users. Solaris 9 is affected.
  • Ref: http://www.securityfocus.com/bid/34979

  • 09.21.31 - CVE: Not Available
  • Platform: Cross Platform
  • Title: Multiple Mr. CGI Guy Products Cookie Authentication Bypass
  • Description: Mr. CGI Guy supports a number of web applications. Multiple applications are exposed to an authentication bypass issue because they fail to adequately verify user-supplied input used for cookie-based authentication.
  • Ref: http://www.securityfocus.com/bid/34969

  • 09.21.32 - CVE: Not Available
  • Platform: Cross Platform
  • Title: Pinnacle Studio ".hfz" File Directory Traversal
  • Description: Pinnacle Studio is a video editing application. The application is exposed to a directory traversal issue because it fails to sufficiently sanitize user-supplied input in the form of Hollywood FX Compressed Archive (".hfz") files. Specially crafted archives containing directory traversal characters ("../") may allow attackers to access or overwrite local files via the application's "InstallHFZ.exe" script. Pinnacle Studio version 12 is affected.
  • Ref: http://www.securityfocus.com/archive/1/503476

  • 09.21.33 - CVE: CVE-2009-1490
  • Platform: Cross Platform
  • Title: Sendmail "X-header" Remote Heap Buffer Overflow
  • Description: Sendmail is a mail transfer agent (MTA) available for BSD, Linux, and other Unix-like operating systems. The application is exposed to a heap-based buffer overflow issue because it fails to adequately bounds check user-supplied input before copying it to an insufficiently sized buffer. Specifically, the issue occurs when handling an excessively large "X-header" mail header, such as "X-Testing". Sendmail versions prior to 8.13.2 are affected.
  • Ref: http://www.sendmail.org/releases/8.13.2

  • 09.21.34 - CVE: CVE-2009-0714
  • Platform: Cross Platform
  • Title: HP Data Protector Express Local Unspecified Privilege Escalation
  • Description: HP Data Protector Express is a backup and recovery solution. HP Data Protector Express is exposed to a local privilege escalation issue. Local attackers can exploit this issue to execute arbitrary code with escalated privileges or cause denial of service conditions. Successfully exploiting this issue may result in the complete compromise of affected computers. HP Data Protector Express and SSE 3.x prior to build 47065, and HP Data Protector Express and SSE version 4.x prior to build 46537 are affected.
  • Ref: http://h20000.www2.hp.com/bizsupport/TechSupport/Document.jsp?objectID=c01697543

  • 09.21.35 - CVE: Not Available
  • Platform: Cross Platform
  • Title: Xen "hypervisor_callback()" Guest Local Denial Of Service
  • Description: Xen is an open-source hypervisor or virtual machine monitor. Xen is exposed to a denial of service issue because the software fails to perform proper checks in "hypervisor_callback()". Specifically, the interrupted code's code selector is not properly checked, which can lead to a segfault. Jumping to an address between the "ecrit" and "scrit" symbols is sufficient to exploit this issue.
  • Ref: http://lists.xensource.com/archives/html/xen-devel/2009-05/msg00561.html

  • 09.21.36 - CVE: CVE-2009-0688
  • Platform: Cross Platform
  • Title: Cyrus SASL "sasl_encode64()" Remote Buffer Overflow
  • Description: Cyrus SASL is a library for adding authentication support to various protocols. The library is exposed to a buffer overflow issue because it fails to properly bounds check user-supplied data before copying it into an insufficiently sized memory buffer. Specifically, the issue resides in the "sasl_encode64()" function. Cyrus SASL versions prior to 2.1.23 are affected.
  • Ref: http://www.kb.cert.org/vuls/id/238019

  • 09.21.37 - CVE: Not Available
  • Platform: Cross Platform
  • Title: Nortel Contact Center Manager Administration Password Disclosure
  • Description: Nortel Contact Center is a suite of applications including Manager Administration and Manager Server. Manager Administration is exposed to a password disclosure issue. The Contact Center Manager Server provides a SOAP interface. An attacker can send a specially crafted SOAP request to the interface, causing Manager Administration to return the password for the attacker-specified account.
  • Ref: http://support.nortel.com/go/main.jsp?cscat=BLTNDETAIL&DocumentOID=905808&poid=

  • 09.21.38 - CVE: Not Available
  • Platform: Cross Platform
  • Title: Nortel Networks Contact Center Administration CCMA Cookie Authentication Bypass
  • Description: Nortel Networks Contact Center is a suite of applications including Manager Administration and Manager Server. The software is exposed to an authentication bypass issue because it fails to adequately verify user-supplied input used for cookie-based authentication. Specifically, this issue affects session values stored in cookies. CCMA version 6.0 is affected.
  • Ref: http://support.nortel.com/go/main.jsp?cscat=BLTNDETAIL&DocumentOID=905698

  • 09.21.39 - CVE: Not Available
  • Platform: Cross Platform
  • Title: libsndfile VOC and AIFF Processing Buffer Overflow Vulnerabilities
  • Description: The "libsndfile" library is a C library for reading and writing audio files. The library is exposed to multiple buffer overflow issues because it fails to perform adequate boundary checks on user-supplied data. The issues occur when processing VOC and AIFF files and can be exploited to overflow heap-based buffers. libsndfile versions prior to 1.0.20 are affected.
  • Ref: http://trapkit.de/advisories/TKADV2009-006.txt

  • 09.21.40 - CVE: CVE-2009-0721
  • Platform: Cross Platform
  • Title: HP Remote Graphics Software RGS Sender Unauthorized Access
  • Description: HP Remote Graphics Software (RGS) is a remote desktop connection solution. The application is exposed to an unspecified unauthorized access issue that affects the RGS Sender when running Easy Login. HP Remote Graphics Software (RGS) versions 4.0.0 through 5.2.4 are affected.
  • Ref: http://www11.itrc.hp.com/service/cki/docDisplay.do?docId=emr_na-c01731970&admit=109447626+1242773600874+28353475

  • 09.21.41 - CVE: Not Available
  • Platform: Cross Platform
  • Title: Xerox WorkCentre Webserver Unspecified Remote Command Execution
  • Description: Xerox WorkCentre is a web-capable printer and photocopier. WorkCentre is exposed to an unspecified remote command execution issue because it fails to sanitize user-supplied input. This issue occurs in the webserver. An attacker can exploit this issue to execute arbitrary commands with the privileges of the webserver; this may aid in further attacks.
  • Ref: http://www.securityfocus.com/bid/34984

  • 09.21.42 - CVE: Not Available
  • Platform: Cross Platform
  • Title: Eggdrop "ctcpbuf" Remote Denial of Service
  • Description: Eggdrop is an open-source, multiplatform IRC (Internet Relay Chat) bot designed for IRC channel administration and maintenance. The application is exposed to a denial of service issue because it fails to adequately verify user-supplied input. Specifically, this issue is due to an error in the SA25276 patch to the "src/mod/server.mod/servmsg.c" source file, and can be triggered if "ctcpbuf" is set to NULL. Eggdrop versions prior to 1.6.19+ctcpfix are affected.
  • Ref: http://www.securityfocus.com/archive/1/503574

  • 09.21.43 - CVE: Not Available
  • Platform: Cross Platform
  • Title: Multiple Harland Scripts Products Remote Command Execution and Input Validation Vulnerabilities
  • Description: Multiple Harland Scripts products are exposed to multiple input validation issues. The applications are exposed to an issue that allows attackers to execute arbitrary remote commands because they fail to adequately sanitize user-supplied input.
  • Ref: http://www.milw0rm.com/exploits/8699

  • 09.21.44 - CVE: CVE-2009-1009 CVE-2009-1010 CVE-2009-1011
  • Platform: Cross Platform
  • Title: Oracle Outside In Multiple Buffer Overflow Vulnerabilities
  • Description: Oracle Outside In is a document-conversion engine used in a number of third-party applications, including Good Mobile Messaging Server. Since it fails to properly bounds check user-supplied input, Outside In is exposed to multiple buffer overflow issues.
  • Ref: http://labs.idefense.com/intelligence/vulnerabilities/display.php?id=801

  • 09.21.45 - CVE: Not Available
  • Platform: Cross Platform
  • Title: OpenSSL DTLS Packets Multiple Denial of Service Vulnerabilities
  • Description: OpenSSL is an open-source implementation of the SSL protocol that is used by a number of other projects, including but not restricted to Apache, Sendmail, and BIND. OpenSSL is exposed to multiple issues. A denial of service issue occurs because the application does not limit the number of DTLS records with a future epoch, and also when the application tries to handle a large number of out-of-sequence DTLS handshake messages. Specifically, the issue occurs in the "ssl/d1_both.c" file.
  • Ref: http://cvs.openssl.org/chngview?cn=18188

  • 09.21.46 - CVE: CVE-2009-1378, CVE-2009-1377
  • Platform: Cross Platform
  • Title: NetDecision TFTP Server Directory Traversal
  • Description: NetDecision TFTP Server is a Windows-based TFTP server application used to download and upload files. The application is exposed to a directory traversal issue because it fails to sufficiently sanitize user-supplied input in the Trivial File Transfer Protocol (TFTP) requests. NetDecision TFTP Server version 4.2 is affected.
  • Ref: http://www.princeofnigeria.org/blogs/index.php/2009/05/17/netdecision-tftp-server-4-2-tftp-directo?blog=1

  • 09.21.47 - CVE: Not Available
  • Platform: Cross Platform
  • Title: Multiple Avira AntiVir Products PDF File Scan Evasion
  • Description: Avira AntiVir products provide antivirus, antispyware, and firewalling capabilities for both enterprise and endpoint-based systems. Multiple Avira AntiVir products are exposed to an issue that may allow certain specially formatted PDF files to bypass the scan engine. The vulnerability occurs because the software fails to properly inspect specially crafted PDF container files.
  • Ref: http://blog.zoller.lu/2009/04/advisory-avira-antivir-generic-evasion.html

  • 09.21.48 - CVE: Not Available
  • Platform: Cross Platform
  • Title: Multiple BitDefender Security Products PDF File Scan Evasion
  • Description: BitDefender provides security products for home and enterprise use. BitDefender security products' scan engine is exposed to an issue that may allow certain files to go uninspected. The issue occurs because the software fails to properly inspect specially-crafted PDF files.
  • Ref: http://blog.zoller.lu/2009/04/advisory-bitdefender-generic-evasion.html

  • 09.21.49 - CVE: Not Available
  • Platform: Cross Platform
  • Title: Mereo Malformed URI Remote Denial Of Service
  • Description: Mereo is a webserver for Microsoft Windows platforms. The application is exposed to a denial of service issue because it fails to adequately sanitize user-supplied input when handling malformed URIs that contain unexpected sequences of "//." characters. Mereo version 1.8.0 is affected.
  • Ref: http://www.securityfocus.com/bid/35014

  • 09.21.50 - CVE: Not Available
  • Platform: Cross Platform
  • Title: SLiM Insecure X Authority File Local Authentication Bypass
  • Description: SLiM (Simple Login Manager) is a desktop-independent graphical login manager derived from Login.app. The application is exposed to a local authentication bypass issue because it creates the X Authority file in an insecure manner. Specifically, the application creates a secret cookie within the X Authority file that can be easily replicated by an attacker, and used to manipulate X sessions of other users. SLiM version 1.3.0 is affected.
  • Ref: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=529306

  • 09.21.51 - CVE: CVE-2009-1252
  • Platform: Cross Platform
  • Title: NTP "ntpd" Autokey Stack Buffer Overflow
  • Description: NTP (Network Time Protocol) is a package of network tools and daemons, including "ntpd", used by client computers to synchronize date and time with a reference server. The daemon is exposed to a stack-based buffer overflow issue caused by a boundary error in the "crypto_recv()" function in the "ntpd/ntp_crypto.c" source file.
  • Ref: http://www.kb.cert.org/vuls/id/853097

  • 09.21.52 - CVE: Not Available
  • Platform: Cross Platform
  • Title: OCS Inventory NG Existing/Non-Existing Username Enumeration Weakness
  • Description: OCS Inventory NG is an application for managing inventory. The application is exposed to a username-enumeration weakness because it displays different responses to login attempts, depending on whether or not the username exists. Specifically, if the username exists, the application responds with a "Password error" message. If the username doesn't exist, the application responds with a "User not registered" message. OCS Inventory NG version 1.01 is affected.
  • Ref: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=529344

  • 09.21.53 - CVE: Not Available
  • Platform: Cross Platform
  • Title: VidShare Pro Arbitrary File Upload
  • Description: VidShare Pro is a video sharing application. The application is exposed to an issue that lets attackers upload arbitrary files. The issue occurs because the application fails to adequately sanitize user-supplied input before uploading files to the web server. The attacker can exploit this issue to upload arbitrary code and execute it in the context of the web server process.
  • Ref: http://www.securityfocus.com/bid/35024

  • 09.21.54 - CVE: Not Available
  • Platform: Cross Platform
  • Title: NSD "packet.c" Off-By-One Buffer Overflow
  • Description: NSD is a name server. NSD is exposed to an off-by-one buffer overflow issue because the application fails to perform adequate boundary checks on user-supplied data. The vulnerability occurs in the "packet_read_query_section()" function of the "packet.c" source file. NSD versions prior to 3.2.2 are affected.
  • Ref: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=529418

  • 09.21.55 - CVE: Not Available
  • Platform: Web Application - Cross Site Scripting
  • Title: Answer And Question Script Cross-Site Scripting and Multiple SQL Injection Vulnerabilities
  • Description: Easy Scripts Answer And Question Script is a PHP-based web application. The application is exposed to multiple issues because it fails to adequately sanitize user-supplied input. Exploiting these issues could allow an attacker to steal cookie-based authentication credentials, compromise the application, access or modify data, or exploit latent vulnerabilities in the underlying database.
  • Ref: http://www.securityfocus.com/bid/34975

  • 09.21.56 - CVE: Not Available
  • Platform: Web Application - Cross Site Scripting
  • Title: Cacti "data_input.php" Cross-Site Scripting
  • Description: Cacti is a complete frontend to RRDTool. It is implemented in PHP and employs an SQL backend database. The application is exposed to a cross-site scripting issue because it fails to sufficiently sanitize user-supplied input to the "action" parameter of the "data_input.php" script. Cacti versions prior to 0.8.7b are affected.
  • Ref: http://bugs.cacti.net/view.php?id=1245

  • 09.21.57 - CVE: Not Available
  • Platform: Web Application - Cross Site Scripting
  • Title: CGI RESCUE Trees Cross-Site Scripting
  • Description: Trees is a web-based bulletin board. The application is exposed to a cross-site scripting issue because it fails to sufficiently sanitize user-supplied input to an unspecified parameter. Trees versions prior to 2.11 are affected.
  • Ref: http://www.securityfocus.com/bid/34999

  • 09.21.58 - CVE: Not Available
  • Platform: Web Application - Cross Site Scripting
  • Title: Drupal Content Construction Kit Module Multiple Cross-Site Scripting Vulnerabilities
  • Description: Content Construction Kit is a module for Drupal and used to add custom fields to nodes. The application is exposed to multiple cross-site scripting issues because it fails to sufficiently sanitize user-supplied data. Specifically, the issues affect the following fields: "Title field label" and "Body field label". Content Construction Kit version 6.x-2.2 is affected.
  • Ref: http://lampsecurity.org/drupal-cck-xss-vulnerability

  • 09.21.59 - CVE: Not Available
  • Platform: Web Application - Cross Site Scripting
  • Title: activeCollab "re_route" Parameter Cross-Site Scripting
  • Description: activeCollab is a web-based project management and collaboration tool. The application is exposed to a cross-site scripting issue because it fails to sanitize user-supplied input. Specifically, the issue affects the "re_route" parameter of the login page. activeCollab version 2.1 is affected.
  • Ref: http://pridels-team.blogspot.com/2009/05/activecollab-xss-and-full-path.html

  • 09.21.60 - CVE: CVE-2009-1418
  • Platform: Web Application - Cross Site Scripting
  • Title: HP System Management Homepage Unspecified Cross-Site Scripting
  • Description: HP System Management Homepage is a web-based tool for managing individual ProLiant and Integrity servers. The application is exposed to a cross-site scripting issue because it fails to sufficiently sanitize user-supplied input.
  • Ref: http://www.securityfocus.com/bid/35031

  • 09.21.61 - CVE: Not Available
  • Platform: Web Application - SQL Injection
  • Title: SubmitterScript Admin Login SQL Injection
  • Description: SubmitterScript is a web-based application. The application is exposed to an SQL injection issue because it fails to sufficiently sanitize user-supplied data to the "username" and "password" parameters of the "admin/index.php" script. SubmitterScript version 2 is affected.
  • Ref: http://www.securityfocus.com/bid/34970

  • 09.21.62 - CVE: Not Available
  • Platform: Web Application - SQL Injection
  • Title: Dream Windows Max CMS "admin_manager.asp" SQL Injection
  • Description: Dream Windows Max CMS is a web-based application. The application is exposed to an SQL injection issue because it fails to sufficiently sanitize user-supplied data to the "m_username" parameter of the "admin/admin_manager.asp" script before using it in an SQL query. Max CMS version 2.0 is affected.
  • Ref: http://www.securityfocus.com/archive/1/503474

  • 09.21.63 - CVE: Not Available
  • Platform: Web Application - SQL Injection
  • Title: Family Connections "member" Parameter SQL Injection
  • Description: Family Connections is a web-based application. The application is exposed to an SQL injection issue because it fails to sufficiently sanitize user-supplied data to the "member" parameter of the "profile.php" script. Family Connections version 1.9 is affected.
  • Ref: http://www.securityfocus.com/bid/34935

  • 09.21.64 - CVE: CVE-2008-6776
  • Platform: Web Application - SQL Injection
  • Title: Scripts for Sites EZ Hot or Not "viewcomments.php" SQL Injection
  • Description: Scripts for Sites EZ Hot or Not is a web application. The application is exposed to an SQL injection issue because it fails to sufficiently sanitize user-supplied data to the "phid" parameter of the "viewcomments.php" script before using it in an SQL query.
  • Ref: http://www.securityfocus.com/bid/34943

  • 09.21.65 - CVE: Not Available
  • Platform: Web Application - SQL Injection
  • Title: My Game Script "admin.php" SQL Injection
  • Description: My Game Script is a PHP-based web application. The application is exposed to an SQL injection issue because it fails to sufficiently sanitize user-supplied data to the "username" parameter of the "admin.php" script. My Game Script version 2.0 is affected.
  • Ref: http://www.securityfocus.com/bid/34963

  • 09.21.66 - CVE: Not Available
  • Platform: Web Application - SQL Injection
  • Title: tenfourzero.net Shutter Multiple SQL Injection Vulnerabilities
  • Description: tenfourzero.net Shutter is a photo-sharing application. The application is exposed to multiple SQL injection issues because it fails to sufficiently sanitize user-supplied data to the "albumID", "tagID", and "photoID" parameters of the "index.php" script before using it in an SQL query. Shutter version 0.1.1 is affected.
  • Ref: http://www.securityfocus.com/archive/1/503493

  • 09.21.67 - CVE: Not Available
  • Platform: Web Application - SQL Injection
  • Title: Business Community Script SQL Injection and Unauthorized Access Vulnerabilities
  • Description: Business Community Script is a web-based application implemented in PHP. The application is exposed to multiple remote issues. Exploiting these issues could allow an attacker to gain unauthorized administrative access to the application, compromise the application, access or modify data, or exploit latent vulnerabilities in the underlying database.
  • Ref: http://www.securityfocus.com/bid/34976

  • 09.21.68 - CVE: Not Available
  • Platform: Web Application - SQL Injection
  • Title: Dream Windows Max CMS "inc/ajax.asp" SQL Injection
  • Description: Dream Windows Max CMS is a web-based application implemented in ASP. The application is exposed to an SQL injection issue because it fails to sufficiently sanitize user-supplied data to the "id" parameter of the "inc/ajax.asp" script before using it in an SQL query. Max CMS version 2.0 is affected.
  • Ref: http://www.securityfocus.com/bid/34981

  • 09.21.69 - CVE: Not Available
  • Platform: Web Application - SQL Injection
  • Title: Mlffat "supervisor" Cookie SQL Injection
  • Description: Mlffat is a web-based application. The application is exposed to an SQL injection issue because it fails to sufficiently sanitize user-supplied data to the "supervisor" cookie parameter in the "panel/index.php" script before using it in an SQL query. Mlffat version 2.1 is affected.
  • Ref: http://www.securityfocus.com/bid/34982

  • 09.21.70 - CVE: Not Available
  • Platform: Web Application - SQL Injection
  • Title: PHPenpals "mail.php" SQL Injection
  • Description: PHPenpals is a PHP-based web application. The application is exposed to an SQL injection issue because it fails to sufficiently sanitize user-supplied data to the "ID" parameter of the "mail.php" script. PHPenpals version 1.1 is affected.
  • Ref: http://www.securityfocus.com/bid/34996

  • 09.21.71 - CVE: Not Available
  • Platform: Web Application - SQL Injection
  • Title: PHP Dir Submit Admin Login SQL Injection
  • Description: PHP Dir Submit is a directory submission script. The application is exposed to an SQL injection issue because it fails to sufficiently sanitize user-supplied data to the "Username" and "Password" parameters when logging in as an administrator.
  • Ref: http://www.securityfocus.com/bid/35003

  • 09.21.72 - CVE: Not Available
  • Platform: Web Application - SQL Injection
  • Title: Pc4Uploader "code.php" SQL Injection
  • Description: Pc4Uploader is a file uploading application. The application is exposed to an SQL injection issue because it fails to sufficiently sanitize user-supplied data to the "id" parameter of the "code.php" script. Pc4Uploader version 9.0 is affected.
  • Ref: http://www.securityfocus.com/bid/35004

  • 09.21.73 - CVE: Not Available
  • Platform: Web Application - SQL Injection
  • Title: Online Rent "index.php" SQL Injection
  • Description: Online Rent is a web-based application. The application is exposed to an SQL injection issue because it fails to sufficiently sanitize user-supplied data to the "pid" parameter of the "index.php" script before using it in an SQL query. Online Rent version 5.0 is affected.
  • Ref: http://www.securityfocus.com/bid/35005

  • 09.21.74 - CVE: Not Available
  • Platform: Web Application - SQL Injection
  • Title: Coppermine Photo Gallery Multiple SQL Injection Vulnerabilities
  • Description: Coppermine Photo Gallery is a web-based photo gallery application. The application is exposed to multiple SQL injection issues because it fails to sufficiently sanitize user-supplied data. Coppermine Photo Gallery version 1.4.22 is affected.
  • Ref: http://www.securityfocus.com/bid/35009

  • 09.21.75 - CVE: Not Available
  • Platform: Web Application - SQL Injection
  • Title: DGNews "id" Parameter SQL Injection
  • Description: DGNews is a PHP-based news script. The application is exposed to an SQL injection issue because it fails to sufficiently sanitize user-supplied data to the "id" parameter of the "berita.php" script before using it in an SQL query. DGNews version 3.0 is affected.
  • Ref: http://www.securityfocus.com/bid/35016

  • 09.21.76 - CVE: Not Available
  • Platform: Web Application - SQL Injection
  • Title: Creative Web Solutions Multiple level CMS SQL Injection Vulnerabilities
  • Description: Creative Web Solutions Multiple level CMS is a content management application. The application is exposed to multiple SQL injection issues because it fails to sufficiently sanitize user-supplied data. Malicious SQL data may be supplied through a specially-crafted username or password.
  • Ref: http://www.securityfocus.com/bid/35018

  • 09.21.77 - CVE: Not Available
  • Platform: Web Application - SQL Injection
  • Title: Joomla! com_gsticketsystem "catid" Parameter SQL Injection
  • Description: com_gsticketsystem is a plugin for the Joomla! content manager. The module is exposed to an SQL injection issue because it fails to sufficiently sanitize user-supplied data to the "catid" parameter before using it in an SQL query.
  • Ref: http://www.securityfocus.com/bid/35025

  • 09.21.78 - CVE: Not Available
  • Platform: Web Application - SQL Injection
  • Title: Dog Pedigree Online Database Authentication Bypass and Multiple SQL Injection Vulnerabilities
  • Description: Dog Pedigree Online Database is a web-based application. The application is exposed to multiple SQL injection issues because it fails to sufficiently sanitize user-supplied data. These issues affect the "id" parameter of the "details.php" script, and the "uid" parameter in the "init()" function of the "users.php.inc" source file. Dog Pedigree Online Database beta versions prior to 1.2 are affected.
  • Ref: http://www.securityfocus.com/archive/1/503582

  • 09.21.79 - CVE: Not Available
  • Platform: Web Application
  • Title: Strawberry Remote Command Execution and Local File Include Vulnerabilities
  • Description: Strawberry is a web-based news application implemented in PHP. It is formerly known as CuteNews. Strawberry is exposed to a remote command execution issue and a local file include issue because the application fails to properly sanitize user-supplied input. Attackers can inject arbitrary commands into the "inc/mod/ipban.mdu" file. This file may then be executed as a local script via the "do" parameter of the "index.php" script.
  • Ref: http://www.securityfocus.com/bid/34971

  • 09.21.80 - CVE: Not Available
  • Platform: Web Application
  • Title: Matt Wright FormMail HTTP Response Splitting and Cross-Site Scripting Vulnerabilities
  • Description: FormMail is a widely-used web-based e-mail gateway, which allows form-based input to be emailed to a specified user. It is written in Perl and will run on most Linux and Unix variants, in addition to Microsoft Windows operating systems. The application is exposed to multiple input validation issues. FormMail version 1.92 is affected.
  • Ref: http://www.ush.it/team/ush/hack-formmail_192/adv.txt

  • 09.21.81 - CVE: Not Available
  • Platform: Web Application
  • Title: Ascad Networks Password Protector SD Cookie Authentication Bypass
  • Description: Ascad Networks Password Protector SD is a PHP-based web application. The application is exposed to an authentication bypass issue because it fails to adequately verify user-supplied input used for cookie-based authentication. Attackers can exploit the issue by setting the "c7portal" and "cookname" cookie parameters to "admin" and the "path" parameter to "/". Password Protector SD version 1.3.1 is affected.
  • Ref: http://www.securityfocus.com/bid/34930

  • 09.21.82 - CVE: Not Available
  • Platform: Web Application
  • Title: Drupal LoginToboggan Module Unauthorized Access
  • Description: The LoginToboggan module for Drupal allows users to create a personal web page summary. The application is exposed to an unauthorized access issue because it fails to adequately limit access to blocked users in certain circumstances. Specifically, the application includes a setting that allows users to log in with either their usernames or email addresses. LoginToboggan versions prior to 6.x-1.5 are affected.
  • Ref: http://drupal.org/node/461662

  • 09.21.83 - CVE: Not Available
  • Platform: Web Application
  • Title: Drupal UTF-7 "book-export-html.tpl.php" HTML Injection
  • Description: Drupal is a content management system. The application is exposed to an HTML injection issue because it fails to properly sanitize user-supplied input before using it in dynamically generated content. Specifically, UTF-7 encoded data is not properly sanitized in the "book-export-html.tpl.php" script.
  • Ref: http://www.vbdrupal.org/forum/showthread.php?p=9971#post9971

  • 09.21.84 - CVE: Not Available
  • Platform: Web Application
  • Title: Drupal Feed Block Module HTML Injection
  • Description: Feed Block is a news-feed module for Drupal content manager. The module is exposed to an HTML injection issue because it fails to properly sanitize user-supplied input before using it in dynamically generated content. Specifically, the issue affects the "aggregator" items. Feed Block versions prior to 6.x-1.1 are affected.
  • Ref: http://drupal.org/node/461706

  • 09.21.85 - CVE: Not Available
  • Platform: Web Application
  • Title: Drupal "Printer, e-mail and PDF versions" Module HTML Injection
  • Description: "Printer, e-mail and PDF versions" is a module for Drupal that allows users to generate printer-friendly versions of any node. The module is exposed to an HTML injection issue because it fails to properly sanitize user-supplied input before using it in dynamically generated content. Specifically, the application fails to filter dangerous byte sequences in content that may be interpreted as UTF-7 characters by certain browsers such as Internet Explorer 6 and 7.
  • Ref: http://drupal.org/node/461674

  • 09.21.86 - CVE: Not Available
  • Platform: Web Application
  • Title: beLive "arch.php" Local File Include
  • Description: beLive is a PHP-based application. The application is exposed to a local file include issue because it fails to properly sanitize user-supplied input to the "arch" parameter of the "arch.php" script. beLive version 0.2.3 is affected.
  • Ref: http://www.milw0rm.com/exploits/8680

  • 09.21.87 - CVE: Not Available
  • Platform: Web Application
  • Title: Template Monster Clone "edituser.php" Remote Password Change
  • Description: Template Monster Clone is a PHP-based application. The application is exposed to an issue that may permit attackers to change the password of arbitrary administrator users. Attackers may exploit this issue by submitting an HTTP POST request containing malicious data to the "edituser.php" script.
  • Ref: http://www.securityfocus.com/bid/34977

  • 09.21.88 - CVE: Not Available
  • Platform: Web Application
  • Title: Jieqi CMS "mirrorfile.php" Remote PHP Code Injection
  • Description: Jieqi CMS is a PHP-based content manager. The application is exposed to an issue that attackers can leverage to execute arbitrary PHP code in the context of the application. This issue occurs because the application lets attackers create files containing arbitrary PHP code on the web server by using the "mirrorfile.php" script and its parameters. Jieqi CMS versions 1.5 and earlier are affected.
  • Ref: http://www.securityfocus.com/bid/34983

  • 09.21.89 - CVE: Not Available
  • Platform: Web Application
  • Title: ArtForms Joomla! Component "mosConfig_absolute_path" Multiple Remote File Include Vulnerabilities
  • Description: ArtForms is a component for the Joomla! content manager. The application is exposed to multiple remote file include vulnerabilities because it fails to properly sanitize user-supplied input to the "mosConfig_absolute_path" parameter of the following scripts: "assets/captcha/includes/captchaform/imgcaptcha.php", "assets/captcha/includes/captchaform/mp3captcha.php" and "assets/captcha/includes/captchatalk/swfmovie.php". ArtForms version 2.1b7 is affected.
  • Ref: http://www.securityfocus.com/bid/34986

  • 09.21.90 - CVE: Not Available
  • Platform: Web Application
  • Title: Custom T-shirt Design Script SQL Injection and Cross-Site Scripting Vulnerabilities
  • Description: Custom T-shirt Design Script is a PHP-based web application. Since it fails to sufficiently sanitize user-supplied data, the application is exposed to multiple input validation issues. Exploiting these issues could allow an attacker to steal cookie-based authentication credentials, compromise the application, access or modify data, or exploit latent vulnerabilities in the underlying database.
  • Ref: http://www.securityfocus.com/bid/34992

  • 09.21.91 - CVE: Not Available
  • Platform: Web Application
  • Title: Rama Zaiten CMS "download.php" Local File Disclosure
  • Description: Rama Zaiten CMS is a content manager. The application is exposed to a local file disclosure issue because it fails to adequately validate user-supplied input. This issue affects the "file" parameter of the "download.php" script. Rama Zaiten CMS versions 0.9.5 through 0.9.8 are affected.
  • Ref: http://www.securityfocus.com/bid/34995

  • 09.21.92 - CVE: Not Available
  • Platform: Web Application
  • Title: collector.ch myColex SQL Injection and Cross-Site Scripting Vulnerabilities
  • Description: collector.ch's myColex is a PHP-based web application. Since it fails to sufficiently sanitize user-supplied data, the application is exposed to multiple input validation issues. myColex version 1.4.2 is affected.
  • Ref: http://www.securityfocus.com/bid/34997

  • 09.21.93 - CVE: Not Available
  • Platform: Web Application
  • Title: collector.ch myGesuad SQL Injection and Cross-Site Scripting Vulnerabilities
  • Description: collector.ch's myGesuad is a PHP-based web application. Since it fails to sufficiently sanitize user-supplied data, the application is exposed to multiple input-validation issues. myGesuad version 0.9.14 is affected.
  • Ref: http://www.securityfocus.com/bid/34995

  • 09.21.94 - CVE: Not Available
  • Platform: Web Application
  • Title: Pluck "langpref" Parameter Multiple Local File Include Vulnerabilities
  • Description: Pluck is a PHP-based content manager. The application is exposed to multiple local file include issues because it fails to properly sanitize user-supplied input to the "langpref" parameter of the following scripts: "contactform/module_info.php", "blog/module_info.php" and "albums/module_info.php". Pluck version 4.6.2 is affected.
  • Ref: http://www.securityfocus.com/bid/35007

  • 09.21.95 - CVE: Not Available
  • Platform: Web Application
  • Title: Flyspeck CMS Remote Password Change Vulnerability and Local File Include
  • Description: Flyspeck CMS is a PHP-based application. The application is exposed to multiple security issues. An attacker can exploit the password-change issue to gain unauthorized access to the affected application. Flyspeck CMS version 6.8 is affected.
  • Ref: http://www.securityfocus.com/bid/35011

  • 09.21.96 - CVE: Not Available
  • Platform: Web Application
  • Title: ClanWeb "save.php" Remote Password Change
  • Description: ClanWeb is a PHP-based content manager. The application is exposed to an issue that may permit attackers to change the password of arbitrary administrator users. An attacker may exploit this issue by submitting an HTTP POST request containing malicious data to the "save.php" script. ClanWeb version 1.4.2 is affected.
  • Ref: http://www.securityfocus.com/bid/35012

  • 09.21.97 - CVE: Not Available
  • Platform: Web Application
  • Title: Douran Portal Multiple Input Validation Vulnerabilities
  • Description: Douran Portal is a content manager. The application is exposed to multiple issues. Attackers can exploit these issues to upload and execute arbitrary PHP code in the context of the web server process or obtain sensitive information. Douran Portal version 3.9.0.23 is affected.
  • Ref: http://www.securityfocus.com/bid/35013

  • 09.21.98 - CVE: Not Available
  • Platform: Web Application
  • Title: Namad "SecureDownloads.aspx" Arbitrary File Download
  • Description: Namad is a web-based application implemented in ASP. The application is exposed to an issue that lets attackers download arbitrary files. The issue occurs because the application fails to sufficiently sanitize user-supplied input to the "FileName" parameter of the "SecureDownloads.aspx" script. Namad version 2.0.0.0 is affected.
  • Ref: http://www.securityfocus.com/bid/35026

  • 09.21.99 - CVE: Not Available
  • Platform: Web Application
  • Title: PAD Site Scripts Cookie Authentication Bypass
  • Description: PAD Site Scripts is a PHP-based web application. The application is exposed to an authentication bypass issue because it fails to adequately verify user-supplied input used for cookie-based authentication. Attackers can exploit the issue by setting the "authuser" cookie parameter to the username of a valid user and the "path" parameter to "/". PAD Site Scripts version 3.6 is affected.
  • Ref: http://www.securityfocus.com/bid/35027

  • 09.21.100 - CVE: Not Available
  • Platform: Web Application
  • Title: MyPic "dir" Parameter Directory Traversal
  • Description: MyPic is a PHP-based photo gallery application. The application is exposed to a directory traversal issue because it fails to sufficiently sanitize user-supplied input to the "dir" parameter. MyPic version 2.1 is affected.
  • Ref: http://www.securityfocus.com/bid/35030

  • 09.21.101 - CVE: Not Available
  • Platform: Network Device
  • Title: D-Link DIR-628 Router "CAPTCHA" Security Bypass Weakness
  • Description: D-Link DIR-628 router is exposed to a security bypass weakness because it does not properly sanitize user-supplied input. Specifically, the firmware fails to check whether the "auth_id" and "auth_code" values are provided or not. An attacker can provide just a valid MD5 hash of the password as a parameter to the "post_login.xml" script and get authenticated.
  • Ref: http://www.sourcesec.com/2009/05/12/d-link-captcha-partially-broken/

(c) 2009. All rights reserved. The information contained in this newsletter, including any external links, is provided "AS IS," with no express or implied warranty, for informational purposes only. In some cases, copyright for material in this newsletter may be held by a party other than Qualys (as indicated herein) and permission to use such material must be requested from the copyright owner.

Subscriptions: @RISK is distributed free of charge by the SANS Institute to people responsible for managing and securing information systems and networks. You may forward this newsletter to others with such responsibility inside or outside your organization.