
@RISK: The Consensus Security Vulnerability Alert

Volume: VIII, Issue: 26
June 25, 2009

Do you know whether your copies of Shockwave are patched? There are 450 million of them and most people do not have a clue. Windows updates don't fix the problem. How do your users at home protect themselves and the computers they use to connect to your corporate systems? If you have a great solution to this problem, tell us at apaller@sans.org. We will share. Alan

@RISK is the SANS community's consensus bulletin summarizing the most important vulnerabilities and exploits identified during the past week and providing guidance on appropriate actions to protect your systems (PART I). It also includes a comprehensive list of all new vulnerabilities discovered in the past week (PART II).

Summary of the vulnerabilities reported this week:

    Platform                                  Number of Updates and Vulnerabilities
    - ------------------------                -------------------------------------
    Other Microsoft Products                  1
    Third Party Windows Apps                  2
    Linux                                     2
    BSD                                       2
    Solaris                                   4
    Cross Platform                            34 (#1, #2, #3, #4)
    Web Application - Cross Site Scripting    3
    Web Application - SQL Injection           5
    Web Application                           9

******************** Sponsored By Sourcefire, Inc. **********************

Your Network Security Isn't Good Enough Anymore

Today's threats, and today's networks, are dynamic. Unfortunately, most network security systems are not.

Join Martin Roesch, Founder and CTO of Sourcefire(r) and Creator of Snort(r), in a series of seminars, as he shows why network security must include full network visibility, relevant context, and automated impact assessment to be effective.

More information http://www.sans.org/info/45153

*************************************************************************

TRAINING UPDATE
- Rocky Mountain SANS, July 7-13 (6 full-length hands-on courses) http://www.sans.org/rockymnt2009/event.php
- SANS Boston, Aug 2-9 (6 full-length hands-on courses) https://www.sans.org/boston09/index.php
- National Forensics Summit, July 6-14 http://www.sans.org/forensics09_summit/
Looking for training in your own community? http://sans.org/community/
Save 25% on all On-Demand training (30 full courses) - See samples at http://www.sans.org/ondemand/spring09.php
Plus Amsterdam, London, Dubai, Riyadh, Cairo, Melbourne, Canberra, and Singapore all in the next 90 days.
For a list of all upcoming events, on-line and live: www.sans.org

*************************************************************************

Table Of Contents
Part II -- Comprehensive List of Newly Discovered Vulnerabilities from Qualys (www.qualys.com)
Other Microsoft Products
Third Party Windows Apps
Linux
BSD
Solaris
Cross Platform
Web Application - Cross Site Scripting
Web Application - SQL Injection
Web Application

*************************** Sponsored Links: ****************************

1) Be sure to register for the HP Tackles Cloud Application Security Webcast, Thursday, July 23rd http://www.sans.org/info/45158

2) SANS Vendor Demo Spotlight: Core Security- CORE IMPACT Professional - - Automated Rapid Pen Testing across network, client-side & web applications. Click here to view demo http://www.sans.org/info/45163

3) SANS Recommended Webcast Replay featuring: Novell ZENworks Endpoint Security Management- A Technical Demonstration http://www.sans.org/info/45168

*************************************************************************

PART I Critical Vulnerabilities

Part I for this issue has been compiled by Rohan Kotian at TippingPoint, a division of 3Com, as a by-product of that company's continuous effort to ensure that its intrusion prevention products effectively block exploits using known vulnerabilities. TippingPoint's analysis is complemented by input from a council of security managers from twelve large organizations who confidentially share with SANS the specific actions they have taken to protect their systems. A detailed description of the process may be found at http://www.sans.org/newsletters/cva/#process

Widely Deployed Software
  • (2) HIGH: Google Chrome HTTP Response Buffer Overflow Vulnerability
  • Affected:
    • Google Chrome versions prior to 2.0.172.33
  • Description: Google Chrome, a web browser from Google, is the fourth most popular browser with a 1.8% usage share among all web browsers. It has a buffer overflow vulnerability while parsing specially crafted HTTP responses from HTTP servers. An attacker, by enticing a user to visit a site that responds with a specially crafted HTTP response, might either cause a denial-of-service condition or execute arbitrary code if the exploit is successful. Technical details of the vulnerability are publicly available.

  • Status: Vendor confirmed, updates available.

  • References:
  • (3) HIGH: Foxit Reader JPEG2000/JBIG Decoder Multiple Vulnerabilities
  • Affected:
    • Foxit Reader 3.0 and JPEG2000/JBIG2 Decoder add-on version 2.0.2009.303 and prior
  • Description: Foxit Reader is a multilingual Portable Document Format (PDF) reader known for loading and saving documents faster and more simply, and for its smaller file size. There are two vulnerabilities in the JPEG2000/JBIG Decoder add-on for Foxit Reader that might result in memory corruption. The first flaw is that a negative stream offset in the JPEG stream causes data to be read from an out-of-bounds address. The second flaw is an error while decoding the JPEG2000 header. A specially crafted PDF document containing a malicious JPEG2000 stream can trigger these vulnerabilities. Note that Foxit Reader is not installed with the JPEG2000/JBIG Decoder add-on by default; the add-on has to be installed for the reader to be vulnerable. Disabling JavaScript might prevent exploitation, and not allowing PDF documents to be opened inside a web browser might mitigate this vulnerability.

  • Status: Vendor confirmed, updates available.

  • References:
  • (4) MODERATE: Bopup Communication Server Buffer Overflow Vulnerability
  • Affected:
    • Bopup Communications Server versions 3.2.26.5460 and prior
  • Description: Bopup Communication Server is part of the Bopup instant messaging suite, a secure messaging suite providing communication over networks of different sizes. It is used to organize and control all of a private instant messaging system. It has a buffer overflow vulnerability caused by a boundary error while handling specially crafted TCP packets sent to port 19810. Successful exploitation might allow an attacker to execute arbitrary code with the privileges of the logged-on user. Technical details in the form of a proof of concept are publicly available.

  • Status: Vendor confirmed, no updates available.

  • References:
Part II: Weekly Comprehensive List of Newly Discovered Vulnerabilities
Week 26, 2009

This list is compiled by Qualys (www.qualys.com) as part of that company's ongoing effort to ensure its vulnerability management web service tests for all known vulnerabilities that can be scanned. As of this week Qualys scans for 7154 unique vulnerabilities. For this special SANS community listing, Qualys also includes vulnerabilities that cannot be scanned remotely.


  • 09.26.1 - CVE: Not Available
  • Platform: Other Microsoft Products
  • Title: Microsoft Internet Explorer HTML Attribute JavaScript URI Security Bypass
  • Description: Microsoft Internet Explorer is a web browser available for Microsoft Windows. The browser is exposed to a security bypass issue because it fails to properly enforce restrictions on script behavior. Internet Explorer 7 and later restrict the ability to execute "javascript:" URIs via the attributes of certain HTML elements.
  • Ref: http://www.80vul.com/ie8/Multiple%20Exploiting%20IE8IE7%20XSS%20Vulnerability.txt

  • 09.26.2 - CVE: Not Available
  • Platform: Third Party Windows Apps
  • Title: Edraw PDF Viewer Component Active X Control Arbitrary File Overwrite
  • Description: Edraw PDF Viewer Component is an ActiveX control used to display PDF documents. The application is exposed to an issue that allows attackers to overwrite arbitrary local files. Specifically, the "FtpDownloadFile()" method of the "pdfviewer.ocx" ActiveX control will overwrite files in an insecure manner. PDF Viewer Component versions prior to 3.2.0.126 are affected.
  • Ref: http://archives.neohapsis.com/archives/fulldisclosure/2009-06/0198.html

  • 09.26.3 - CVE: Not Available
  • Platform: Third Party Windows Apps
  • Title: DESlock+ "dlpcrypt.sys" Local Privilege Escalation
  • Description: DESlock+ is data protection software for Microsoft Windows. The application is exposed to a local privilege escalation issue because it fails to properly restrict access to kernel memory pointers from user-space applications using the "dlpcrypt.sys" device driver. This may allow unprivileged users to acquire process tokens with kernel-level privileges. DESlock+ version 4.0.2 is affected.
  • Ref: http://www.digit-labs.org/files/otherstuff/deslock/

  • 09.26.4 - CVE: CVE-2009-1914
  • Platform: Linux
  • Title: Linux Kernel "/proc/iomem" Sparc64 Local Denial of Service
  • Description: The Linux kernel is prone to a local denial of service vulnerability. This issue presents itself because certain structures are not properly initialized. The problem resides in the "pci_register_iommu_region()" function of the "arch/sparc/kernel/pci_common.c" source file. Linux kernel versions 2.6.22-rc1 through 2.6.29 on the sparc64 architecture are affected.
  • Ref: http://www.openwall.com/lists/oss-security/2009/06/03/3

  • 09.26.5 - CVE: Not Available
  • Platform: Linux
  • Title: PCSC-Lite Local Insecure File Permissions
  • Description: PCSC-Lite is a Linux implementation of the SCard API (PC/SC), used for smart card interaction. The application is exposed to a local insecure file permissions issue. The "/var/run/pcscd.events" directory is created with world-writable permissions (0777).
  • Ref: https://bugzilla.redhat.com/show_bug.cgi?id=503211

  • 09.26.6 - CVE: Not Available
  • Platform: BSD
  • Title: NetBSD "pam_unix" Root Password Change Local Security Bypass Weakness
  • Description: NetBSD is prone to a local security bypass weakness because the software fails to properly check permissions when modifying the root password. Specifically, this issue affects the "pam_unix" authentication module. Local attackers with knowledge of the current root password may exploit this issue to modify the root password via the "passwd" command, which may lead to elevated privileges or aid in further attacks.
  • Ref: http://www.securityfocus.com/bid/35465

  • 09.26.7 - CVE: Not Available
  • Platform: BSD
  • Title: NetBSD "proplib" Library XML Processing Null Pointer Exception Denial of Service
  • Description: The "proplib" library in NetBSD provides an interface for creating and manipulating property lists. Drivers may use "proplib" for user-to-kernel communication. The "proplib" library is exposed to a remote denial of service issue because it fails to properly process certain XML data. Specifically, undefined elements in an external XML form may cause a NULL-pointer dereference.
  • Ref: http://www.securityfocus.com/bid/35466

  • 09.26.8 - CVE: Not Available
  • Platform: Solaris
  • Title: Sun Solaris Event Port API Multiple Local Denial of Service Vulnerabilities
  • Description: Sun Solaris is an operating system developed by Sun Microsystems. Solaris is exposed to two local denial of service issues that affect the Event Port API. These issues occur due to unspecified race condition errors. An attacker can exploit these issues to cause a system panic, denying service to legitimate users. Solaris 10 and OpenSolaris builds snv_01 through snv_106 are affected.
  • Ref: http://sunsolve.sun.com/search/document.do?assetkey=1-66-260449-1

  • 09.26.9 - CVE: Not Available
  • Platform: Solaris
  • Title: Sun Solaris Ultra-SPARC T2 Crypto Provider Device Driver Local Denial of service
  • Description: Sun Solaris is a UNIX-based operating system. Solaris is exposed to a local denial of service issue. An unspecified problem occurs in the Solaris Ultra-SPARC T2 crypto provider device driver (n2cp(7D)) that can allow a local attacker to crash the system, denying service to legitimate users. Solaris 10 and OpenSolaris based upon builds snv_54 through snv_112 are affected.
  • Ref: http://sunsolve.sun.com/search/document.do?assetkey=1-66-258828-1

  • 09.26.10 - CVE: Not Available
  • Platform: Solaris
  • Title: Sun Solaris Cassini Gigabit-Ethernet Device Driver Remote Denial of Service
  • Description: Sun Solaris is exposed to a remote denial of service issue. The issue occurs in the Solaris TCP/IP networking stack when the Cassini Gigabit-Ethernet Device Driver ("ce(7D)") processes jumbo frames and hardware checksumming is enabled. Solaris 10 and OpenSolaris snv_01 through snv_82, and snv_111 through snv_117 are affected.
  • Ref: http://sunsolve.sun.com/search/document.do?assetkey=1-66-257008-1

  • 09.26.11 - CVE: Not Available
  • Platform: Solaris
  • Title: Sun Solaris "IP(7P)" Multicast Reception Local Denial of Service
  • Description: Sun Solaris is a UNIX-based operating system. Solaris is exposed to a local denial of service issue. Specifically, an unspecified problem in "IP(7P)" multicast reception may allow a local attacker to cause the kernel to leak memory, denying service to legitimate users. Solaris 10 and OpenSolaris based upon builds snv_67 through snv_93 are affected.
  • Ref: http://sunsolve.sun.com/search/document.do?assetkey=1-66-262408-1

  • 09.26.12 - CVE: CVE-2009-2061, CVE-2009-2062, CVE-2009-2063
  • Platform: Cross Platform
  • Title: Multiple Browser Web Proxy Redirect Handling Man In The Middle
  • Description: Multiple web browsers are prone to a man-in-the-middle vulnerability. Specifically, this issue occurs because the software fails to properly handle proxy-redirect messages provided when attempting an SSL-encrypted connection. A proxy may respond with a plaintext HTTP 302 redirect message to redirect HTTPS requests to arbitrary URIs. Mozilla Firefox versions prior to 3.0.10, Apple Safari versions prior to 3.2.2, and Opera versions prior to 9.25 are affected.
  • Ref: http://research.microsoft.com/apps/pubs/default.aspx?id=79323

  • 09.26.13 - CVE: CVE-2009-2043
  • Platform: Cross Platform
  • Title: Mozilla Firefox "nsViewManager.cpp" Denial of Service
  • Description: Mozilla Firefox is a browser available for multiple platforms. The browser is exposed to a remote denial of service issue that occurs in the "nsViewManager.cpp" source file. A NULL-pointer exception can cause the browser to crash. This issue is related to interaction with TinyMCE or Clearspace. Firefox versions 3.0.2 through 3.0.10 are affected.
  • Ref: https://bugzilla.redhat.com/show_bug.cgi?id=488570

  • 09.26.14 - CVE: CVE-2008-6821
  • Platform: Cross Platform
  • Title: IBM DB2 DAS Server Buffer Overflow
  • Description: IBM DB2 is a database server designed to run on various platforms, including Linux, AIX, Solaris, and Microsoft Windows. IBM DB2 Universal Database is exposed to a remote buffer overflow issue because the application fails to perform adequate boundary checks on user-supplied data. The issue resides in the DAS server.
  • Ref: http://www-01.ibm.com/support/docview.wss?uid=swg21318189

  • 09.26.15 - CVE: CVE-2008-2154
  • Platform: Cross Platform
  • Title: IBM DB2 Universal Database Server "INSTALL_JAR" Arbitrary File Overwrite
  • Description: IBM DB2 Universal Database Server is a database server designed to run on various platforms, including Linux, AIX, Solaris, and Microsoft Windows. The application is exposed to an issue that could permit an attacker to overwrite arbitrary local files. This issue is due to an error in the "INSTALL_JAR" application and may be exploited through unspecified procedure calls.
  • Ref: http://www-01.ibm.com/support/docview.wss?uid=swg21318189

  • 09.26.16 - CVE: CVE-2009-2069, CVE-2009-2070, CVE-2009-2071,CVE-2009-2072
  • Platform: Cross Platform
  • Title: Multiple Browsers Cached Certificate HTTP Site Spoofing
  • Description: Multiple browsers are exposed to an issue that may allow attackers to spoof arbitrary HTTPS sites. This issue occurs because the application displays a cached certificate for 4xx and 5xx CONNECT responses returned by a proxy server. An attacker can exploit this issue by performing a man-in-the-middle attack: letting the browser obtain a valid certificate from a site and then redirecting the browser to a 502 error page.
  • Ref: http://www.securityfocus.com/bid/35411

  • 09.26.17 - CVE: CVE-2009-0783
  • Platform: Cross Platform
  • Title: Apache Tomcat XML Parser Information Disclosure
  • Description: Apache Tomcat is a Java-based webserver for multiple operating systems. The application is exposed to an information disclosure issue that occurs because the application allows a web application to replace the XML parser to process "web.xml", "context.xml" and ".tld" files. Specifically, an application that is loaded first can specify an alternative XML parser that will be used by all subsequently loaded pages on the Tomcat instance.
  • Ref: http://tomcat.apache.org/security-6.html

  • 09.26.18 - CVE: CVE-2009-1387
  • Platform: Cross Platform
  • Title: OpenSSL "dtls1_retrieve_buffered_fragment()" DTLS Packet Denial of Service
  • Description: OpenSSL is an open-source implementation of the SSL protocol that is used by a number of other projects, including but not restricted to Apache, Sendmail, and Bind. It is commonly found on Linux and UNIX systems. OpenSSL is exposed to a denial of service issue caused by a NULL-pointer dereference condition. This issue occurs when crafted DTLS handshake packets are received out of sequence. The issue occurs in the "dtls1_retrieve_buffered_fragment()" function of the "ssl/d1_both.c" source code file. OpenSSL versions prior to 1.0.0 Beta 2 are affected.
  • Ref: http://cvs.openssl.org/chngview?cn=17958

  • 09.26.19 - CVE: Not Available
  • Platform: Cross Platform
  • Title: IBM AIX "rpc.ttdbserver" Remote Buffer Overflow
  • Description: IBM AIX is a UNIX-based operating system. AIX is exposed to a remote buffer overflow issue because the application fails to perform adequate boundary checks on user-supplied data. The vulnerability occurs in the ToolTalk library "libbtt.a". In order to exploit this issue the "rpc.ttdbserver" process must be enabled in the "/etc/inetd.conf" configuration file.
  • Ref: http://risesecurity.org/advisories/RISE-2009001.txt

  • 09.26.20 - CVE: Not Available
  • Platform: Cross Platform
  • Title: Citrix Secure Gateway Denial of Service
  • Description: Citrix Secure Gateway allows users to securely access Citrix MetaFrame servers from outside a corporate network. The application is exposed to a denial of service issue. A remote attacker can exploit this issue to cause a crash due to CPU exhaustion by sending a specially-crafted request. Citrix Secure Gateway versions 3.1 and earlier are affected.
  • Ref: http://support.citrix.com/article/CTX121172

  • 09.26.21 - CVE: Not Available
  • Platform: Cross Platform
  • Title: Citrix NetScaler Access Gateway Default Configuration Unauthorized Access
  • Description: Citrix NetScaler is an appliance that accelerates the performance of applications. Access Gateway is a secure remote application access solution. The application is exposed to an issue that can result in unauthorized access to network resources. The issue occurs due to a configuration error.
  • Ref: http://support.citrix.com/article/CTX118770

  • 09.26.22 - CVE: Not Available
  • Platform: Cross Platform
  • Title: IrfanView "TIFF" File Handling Remote Integer Overflow
  • Description: IrfanView is an image viewer that supports multiple file formats. IrfanView is exposed to a remote integer overflow issue because it fails to properly bounds check user-supplied input before copying it to an insufficiently sized memory buffer. This issue occurs when handling malformed "TIFF" files and specifically arises when resampling certain 1 BPP images. IrfanView versions prior to 4.25 are affected.
  • Ref: http://www.securityfocus.com/bid/35423

  • 09.26.23 - CVE: CVE-2009-0961
  • Platform: Cross Platform
  • Title: Apple iPhone Call Approval Dialog Security Bypass
  • Description: Apple iPhone is a mobile phone that runs on the ARM architecture. It supports "tel:" URIs that launch the phone application. iPhone is exposed to a security bypass issue that may cause a call to be placed automatically. The problem occurs if an application causes an alert to appear while the Mail's call-approval dialog is shown. iPhone OS versions 1.0 through 2.2.1 are affected.
  • Ref: http://www.securityfocus.com/archive/1/504403

  • 09.26.24 - CVE: Not Available
  • Platform: Cross Platform
  • Title: ClamAV CAB File Scan Evasion
  • Description: ClamAV is cross-platform security software providing antivirus, antispyware, and firewalling capabilities for both enterprise and endpoint-based systems. ClamAV is exposed to an issue that may allow certain compressed archives to bypass the scan engine. The issue occurs because the application fails to properly inspect specially crafted "CAB" files. Specifically, the application fails to properly parse the file size stored in a CAB header. ClamAV versions prior to 0.95.2 are affected.
  • Ref: http://blog.zoller.lu/2009/05/advisory-clamav-generic-bypass.html

  • 09.26.25 - CVE: Not Available
  • Platform: Cross Platform
  • Title: Multiple F-PROT Products RAR/ARJ/LHA/LZH File Scan Evasion
  • Description: F-PROT develops a range of antivirus products. Multiple F-PROT products are exposed to an issue that may allow certain compressed archives to bypass the scan engine. The issue occurs because the software fails to properly inspect specially crafted TAR, ARJ, or LHA/LZH archive files.
  • Ref: http://www.securityfocus.com/archive/1/504401

  • 09.26.26 - CVE: CVE-2009-0959
  • Platform: Cross Platform
  • Title: Apple iPhone and iPod touch MPEG-4 Video Codec Denial of Service
  • Description: Apple iPhone is a mobile phone that runs on the ARM architecture. Apple iPod touch is a portable music player that also contains the Safari browser. iPhone and iPod touch are exposed to a denial of service issue that affects the MPEG-4 video codec and arises when the devices handle a specially crafted MPEG-4 video file. The vulnerability stems from an input validation error.
  • Ref: http://www.securityfocus.com/bid/35433

  • 09.26.27 - CVE: CVE-2009-0960
  • Platform: Cross Platform
  • Title: Apple iPhone and iPod touch Mail Client Information Disclosure Weakness
  • Description: Apple iPhone is a mobile phone that runs on the ARM architecture. Apple iPod touch is a portable music player that also contains the Safari browser. Apple iPhone and iPod touch are prone to an information disclosure weakness. The mail client of Apple iPhone and iPod touch automatically downloads images contained in an HTML email and does not provide functionality to disable this behavior.
  • Ref: http://www.securityfocus.com/bid/35434

  • 09.26.28 - CVE: Not Available
  • Platform: Cross Platform
  • Title: PHP Multiple Functions "safe_mode" Restriction Bypass
  • Description: PHP is a general-purpose scripting language that is especially suited for web development and can be embedded into HTML. PHP is exposed to a "safe_mode" restriction bypass vulnerability. Successful exploits could allow an attacker to execute arbitrary code. PHP versions 5.2.9 and 5.2.10 are affected.
  • Ref: http://bugs.php.net/bug.php?id=45997

  • 09.26.29 - CVE: CVE-2009-1679
  • Platform: Cross Platform
  • Title: Apple iPhone and iPod touch Configuration Profile Handling Information Disclosure
  • Description: Apple iPhone is a mobile phone that runs on the ARM architecture. Apple iPod touch is a portable music player that also contains the Safari browser. Apple iPhone and iPod touch are exposed to an information disclosure issue. This issue arises when a configuration profile is installed that may overwrite the passcode security policy already set via Exchange ActiveSync with a weaker policy. Apple iPhone and iPod touch prior to version 3.0 are affected.
  • Ref: http://www.securityfocus.com/bid/35436

  • 09.26.30 - CVE: Not Available
  • Platform: Cross Platform
  • Title: PHP "exif_read_data()" JPEG Image Processing Denial of Service
  • Description: PHP is a general purpose scripting language that is especially suited for web development and can be embedded into HTML. PHP is exposed to a remote denial of service issue that is triggered when an application processes a JPEG image file through a call to the "exif_read_data()" function. PHP versions prior to 5.2.10 are affected.
  • Ref: http://www.php.net/releases/5_2_10.php

  • 09.26.31 - CVE: CVE-2009-0690, CVE-2009-0691
  • Platform: Cross Platform
  • Title: Foxit Reader JPEG2000 Negative Stream Offset Remote Memory Corruption
  • Description: Adobe Reader and Acrobat are applications for handling PDF files. Foxit Reader is exposed to a remote memory-corruption issue that affects the JPEG2000 / JBIG decoder plugin. Specifically, this issue occurs when opening a PDF file which includes a malicious JPEG2000 stream containing a negative stream offset. This can result in the application reading data from an invalid memory address. Foxit Reader versions prior to 3.0 Build 1817 are affected.
  • Ref: http://www.foxitsoftware.com/pdf/reader/security.htm#0602

  • 09.26.32 - CVE: CVE-2009-0690, CVE-2009-0691
  • Platform: Cross Platform
  • Title: Foxit Reader JPEG2000 Header Decoding Memory Corruption
  • Description: Adobe Reader and Acrobat are applications for handling PDF files. Foxit Reader is exposed to a remote memory corruption issue. This issue affects the JPEG2000 / JBIG decoder plugin. Specifically, the application fails to properly handle an unspecified error caused when processing JPEG2000 header data contained in a crafted PDF file. This can result in the application accessing invalid memory addresses. Foxit Reader versions prior to 3.0 Build 1817 are affected.
  • Ref: http://www.kb.cert.org/vuls/id/251793

  • 09.26.33 - CVE: CVE-2009-1683
  • Platform: Cross Platform
  • Title: Apple iPhone and iPod touch ICMP Echo Request Remote Denial of Service
  • Description: Apple iPhone is a mobile phone that runs on the ARM architecture. Apple iPod touch is a portable music player that also contains the Safari browser. iPhone and iPod touch are exposed to a denial of service issue. Specifically, this issue occurs because the device fails to handle maliciously constructed ICMP echo requests. The vulnerability stems from a logic error.
  • Ref: http://support.apple.com/kb/HT3639

  • 09.26.34 - CVE: CVE-2009-1692
  • Platform: Cross Platform
  • Title: Apple iPhone and iPod touch "HTMLSelectElement" Denial of Service
  • Description: Apple iPhone is a mobile phone that runs on the ARM architecture. Apple iPod touch is a portable music player that also contains the Safari browser. iPhone and iPod touch are exposed to a denial of service issue that affects the WebKit component and is caused by a memory consumption issue when the device handles a maliciously crafted webpage containing an "HTMLSelectElement" object with a large length attribute.
  • Ref: http://support.apple.com/kb/HT3639

  • 09.26.35 - CVE: CVE-2009-0958
  • Platform: Cross Platform
  • Title: Apple iPhone and iPod touch Untrusted Certificate Exception Information Disclosure
  • Description: Apple iPhone is a mobile phone that runs on the ARM architecture. Apple iPod touch is a portable music player that also contains the Safari browser. iPhone and iPod touch are exposed to an information disclosure issue when an untrusted Exchange server certificate is accepted. The exception is stored on a per-hostname basis, which will cause subsequent connections to the Exchange server to be accepted without repeating the certificate validation process.
  • Ref: http://www.securityfocus.com/bid/35447

  • 09.26.36 - CVE: CVE-2009-1680
  • Platform: Cross Platform
  • Title: Apple iPhone and iPod touch Safari Search History Information Disclosure
  • Description: Apple iPhone is a mobile phone that runs on the ARM architecture. Apple iPod touch is a portable music player that also contains the Safari browser. iPhone and iPod touch are exposed to an information disclosure issue. The search history from the Safari browser is not cleared as expected via the "Settings" application.
  • Ref: http://www.securityfocus.com/bid/35448

  • 09.26.37 - CVE: Not Available
  • Platform: Cross Platform
  • Title: LibTIFF "LZWDecodeCompat()" Remote Buffer Underflow
  • Description: LibTIFF is a library for reading and manipulating Tag Image File Format (TIFF) files. It is freely available for Unix and Unix-like operating systems as well as Microsoft Windows. The library is exposed to a remote buffer underflow issue because it fails to perform adequate boundary checks on user-supplied data. LibTIFF version 3.8.2 is affected.
  • Ref: http://www.openwall.com/lists/oss-security/2009/06/22/1

  • 09.26.38 - CVE: Not Available
  • Platform: Cross Platform
  • Title: strongSwan Crafted X.509 Certificate Multiple Remote Denial of Service Vulnerabilities
  • Description: strongSwan is an open-source implementation of an IPSec VPN for Linux. Since it fails to properly handle certain requests, the application is exposed to multiple remote denial of service issues. strongSwan versions prior to 2.8.10, 4.3.2 and 4.2.16 are affected.
  • Ref: http://download.strongswan.org/patches/06_asn1_time_patch/strongswan-4.3.x_asn1_time.readme

  • 09.26.39 - CVE: Not Available
  • Platform: Cross Platform
  • Title: Mozilla Thunderbird/Seamonkey Multipart Alternative Message Memory Corruption
  • Description: Mozilla Thunderbird and Seamonkey are prone to a vulnerability when handling malformed multipart/alternative email messages with a text/enhanced part. This can cause an application crash. The issue may also be exploitable to execute arbitrary code.
  • Ref: http://www.mozilla.org/security/announce/2009/mfsa2009-33.html

  • 09.26.40 - CVE: CVE-2009-2121
  • Platform: Cross Platform
  • Title: Google Chrome HTTP Response Handling Remote Code Execution
  • Description: Google Chrome is a web browser. Google Chrome is exposed to a remote code execution issue. Specifically, this issue results from a buffer overflow condition that arises when the application handles malformed HTTP responses from a server. This issue can result in memory corruption because user-supplied data from the responses is copied to a finite-sized buffer without bounds checking. Chrome versions prior to 2.0.172.33 are affected.
  • Ref: http://googlechromereleases.blogspot.com/2009/06/stable-beta-update-security-fix.html

  • 09.26.41 - CVE: Not Available
  • Platform: Cross Platform
  • Title: Google Chrome SSL renegotiation Remote Denial of Service
  • Description: Google Chrome is a web browser. The application is exposed to a remote denial of service issue because it fails to properly handle certificate errors during SSL renegotiation. The issue can be exploited via crafted HTTPS responses. Google Chrome versions prior to 2.0.172.33 are affected.
  • Ref: http://googlechromereleases.blogspot.com/2009/06/stable-beta-update-security-fix.html

  • 09.26.42 - CVE: Not Available
  • Platform: Cross Platform
  • Title: Nagios "statuswml.cgi" Remote Arbitrary Shell Command Injection
  • Description: Nagios is a monitoring system used for solving IT infrastructure problems. Nagios is exposed to a remote command injection issue because it fails to adequately sanitize user-supplied input data. Specifically, the issue affects the "ping" parameter of the "statuswml.cgi" script. Nagios versions prior to 3.1.1 are affected.
  • Ref: http://tracker.nagios.org/view.php?id=15

  • 09.26.43 - CVE: CVE-2009-1860
  • Platform: Cross Platform
  • Title: Adobe Shockwave Player Unspecified Security Vulnerability
  • Description: Adobe Shockwave Player is a multimedia player available for multiple platforms. Shockwave Player is exposed to an issue that allows remote attackers to compromise an affected computer. This issue is caused by an unspecified backwards compatibility issue with Shockwave Player 10 content. Shockwave Player versions prior to 11.5.0.600 for Microsoft Windows platforms are affected.
  • Ref: http://www.adobe.com/support/security/bulletins/apsb09-08.html

  • 09.26.44 - CVE: Not Available
  • Platform: Cross Platform
  • Title: Basic Analysis and Security Engine "readRoleCookie()" Authentication Bypass
  • Description: Basic Analysis and Security Engine (BASE) provides a web front-end to query and analyze alerts coming from a SNORT IDS system. BASE is exposed to an authentication bypass issue that occurs in the "readRoleCookie()" function of the "includes/base_auth.inc.php" script. Specifically, the application fails to sufficiently validate the "user", "role" or password values against the application's database. BASE version 1.2.4 is affected.
  • Ref: http://www.securityfocus.com/archive/1/504487

  • 09.26.45 - CVE: Not Available
  • Platform: Cross Platform
  • Title: XEmacs Multiple Integer Overflow Vulnerabilities
  • Description: XEmacs is an open-source text editor and application development system. Since it fails to properly validate user-supplied input and performs insufficient boundary checks, XEmacs is exposed to multiple integer-overflow issues. An attacker may exploit these issues by enticing victims into processing specially crafted image files. XEmacs version 21.4.22 is affected.
  • Ref: http://www.securityfocus.com/bid/35473

  • 09.26.46 - CVE: Not Available
  • Platform: Web Application - Cross Site Scripting
  • Title: Apple Safari "parent/top" Cross-Domain Scripting
  • Description: Apple Safari is a web browser available for Mac OS X and Microsoft Windows. Safari is exposed to a cross-domain scripting issue because of an issue in the separation of JavaScript contexts. A remote attacker may be able to overwrite the "parent/top" of an embedded document from a different security zone.
  • Ref: http://www.thespanner.co.uk/2009/06/19/minor-safari-cross-domain-bug/

  • 09.26.47 - CVE: Not Available
  • Platform: Web Application - Cross Site Scripting
  • Title: DirectAdmin
  • Description: DirectAdmin is a web site administration panel implemented in PHP. The application is exposed to a cross-site scripting issue because it fails to properly sanitize user-supplied input to the "view" parameter of the "CMD_REDIRECT" script. DirectAdmin versions 1.33.6 and earlier are affected.
  • Ref: http://pridels-team.blogspot.com/2009/06/directadmin-v1336-xss-vuln.html

  • 09.26.48 - CVE: Not Available
  • Platform: Web Application - Cross Site Scripting
  • Title: Kasseler CMS Arbitrary File Disclosure Vulnerability and Cross-Site Scripting
  • Description: Kasseler CMS is a PHP-based content manager. The application is exposed to multiple input validation issues, including an arbitrary file disclosure issue and a cross-site scripting issue. An attacker may leverage these issues to execute arbitrary script code in the browser of an unsuspecting user in the context of the affected site. This may allow the attacker to steal cookie-based authentication credentials and to launch other attacks.
  • Ref: http://www.securityfocus.com/bid/35457

  • 09.26.49 - CVE: Not Available
  • Platform: Web Application - SQL Injection
  • Title: Shop-Script Pro "current_currency" Parameter SQL Injection
  • Description: Shop-Script Pro is an ecommerce application implemented in PHP. The application is exposed to an SQL injection issue because it fails to sufficiently sanitize user-supplied data to the "current_currency" parameter of the "index.php" script before using it in an SQL query.
  • Ref: http://www.securityfocus.com/bid/35429

  • 09.26.50 - CVE: Not Available
  • Platform: Web Application - SQL Injection
  • Title: Softbiz Ads "image.php" SQL Injection
  • Description: Softbiz Ads is a PHP-based advertisement application. The application is exposed to an SQL injection issue because it fails to sufficiently sanitize user-supplied data to the "size_id" parameter of the "image.php" script before using it in an SQL query.
  • Ref: http://www.securityfocus.com/bid/35453

  • 09.26.51 - CVE: Not Available
  • Platform: Web Application - SQL Injection
  • Title: MyBB "birthdayprivacy" Parameter SQL Injection
  • Description: MyBB (MyBulletinBoard) is a forum application implemented in PHP. The application is exposed to an SQL injection issue because it fails to sufficiently sanitize user-supplied data to the "birthdayprivacy" parameter of the "usercp.php" script before using it in an SQL query. MyBB versions prior to 1.4.7 are affected.
  • Ref: http://blog.mybboard.net/2009/06/15/mybb-147-released-security-update/

  • 09.26.52 - CVE: Not Available
  • Platform: Web Application - SQL Injection
  • Title: Joomla! and Mambo Tickets Component "id" Parameter SQL Injection
  • Description: Tickets is a PHP-based component for the Joomla! and Mambo content managers. Tickets is exposed to an SQL injection issue because it fails to sufficiently sanitize user-supplied data to the "id" parameter of the "com_tickets" component before using it in an SQL query. Tickets versions 0.1 and 2.1 are affected.
  • Ref: http://www.milw0rm.com/exploits/8999

  • 09.26.53 - CVE: Not Available
  • Platform: Web Application - SQL Injection
  • Title: Zen Cart "admin/sqlpatch.php" SQL Injection
  • Description: Zen Cart is an ecommerce application implemented in PHP. The application is exposed to an SQL injection issue because it fails to sufficiently sanitize user-supplied data to the "admin/sqlpatch.php" script used in conjunction with the "password_forgotten.php" script, before using it in an SQL query.
  • Ref: http://www.securityfocus.com/bid/35468

  • 09.26.54 - CVE: Not Available
  • Platform: Web Application
  • Title: fuzzylime (cms) Multiple Local File Include and Arbitrary File Overwrite Vulnerabilities
  • Description: "fuzzylime (cms)" is a web-based content manager implemented in PHP. The application is exposed to multiple input validation issues. An attacker can exploit these issues to overwrite arbitrary files, execute arbitrary local script code and gain access to sensitive information. fuzzylime (cms) version 3.03a is affected.
  • Ref: http://www.securityfocus.com/bid/35418/info

  • 09.26.55 - CVE: Not Available
  • Platform: Web Application
  • Title: GForge SQL Injection and Cross-Site Scripting Vulnerabilities
  • Description: GForge is a PHP-based application for managing source code. Since it fails to sufficiently sanitize user-supplied data, the application is exposed to multiple unspecified input validation issues that include SQL injection and cross-site scripting vulnerabilities. GForge versions 4.5.14 and 4.7rc2 are affected.
  • Ref: http://www.securityfocus.com/archive/1/504403

  • 09.26.56 - CVE: Not Available
  • Platform: Web Application
  • Title: CMS Buzz Multiple Security Vulnerabilities
  • Description: CMS Buzz is a PHP-based content manager. The application is exposed to multiple issues. Attackers can leverage these issues to execute arbitrary HTML or script code in the context of the affected site or access certain administrative functions.
  • Ref: http://www.securityfocus.com/archive/1/504448

  • 09.26.57 - CVE: Not Available
  • Platform: Web Application
  • Title: geccBBlite "postatoda" Parameter Multiple HTML Injection Vulnerabilities
  • Description: geccBBlite is a PHP-based web application. The application is exposed to multiple HTML injection issues because it fails to sufficiently sanitize user-supplied input. Specifically, these issues affect the "postatoda" parameter of the "scrivi.php" and "rispondi.php" scripts. An attacker can supply arbitrary HTML and script code that will run in the context of a user's browser when the user views the data.
  • Ref: http://groups.csail.mit.edu/pag/ardilla/

  • 09.26.58 - CVE: Not Available
  • Platform: Web Application
  • Title: phpDatingClub "search.php" Cross-Site Scripting and SQL Injection Vulnerabilities
  • Description: phpDatingClub is a PHP-based dating application. The application is exposed to multiple input validation issues. A successful exploit may allow an attacker to steal cookie-based authentication credentials, compromise the application, access or modify data, or exploit latent vulnerabilities in the underlying database. phpDatingClub version 3.7 is affected.
  • Ref: http://www.securityfocus.com/bid/35454

  • 09.26.59 - CVE: Not Available
  • Platform: Web Application
  • Title: Campsite Multiple Remote Input Validation Vulnerabilities
  • Description: Campsite is a web-based content manager implemented in PHP. The application is exposed to multiple input validation issues. A remote attacker can exploit these issues to obtain cookie-based authentication credentials or other sensitive information or to execute malicious PHP code in the browser of an unsuspecting user in the context of the affected site, or in the context of the web server process. Campsite version 3.3.0 RC1 is affected.
  • Ref: http://www.securityfocus.com/bid/35456

  • 09.26.60 - CVE: Not Available
  • Platform: Web Application
  • Title: Acajoom Component for Mambo/Joomla! Backdoor
  • Description: Acajoom is a mailing list component for the Mambo/Joomla! content managers. Acajoom is exposed to a backdoor issue. The backdoor resides in the "install.acajoom.php" and "self.acajoom.php" scripts. The "self.acajoom.php" script contains an "eval()" command which is called with a user-supplied parameter as an argument. Acajoom version 3.2.6 is affected.
  • Ref: http://www.securityfocus.com/archive/1/504460

  • 09.26.61 - CVE: Not Available
  • Platform: Web Application
  • Title: Zen Cart "record_company.php" Remote Code Execution
  • Description: Zen Cart is a PHP-based e-commerce application. The application is exposed to an issue that attackers can leverage to execute arbitrary code. This issue occurs in the "admin/record_company.php" script. Specifically, the application fails to sufficiently sanitize user-supplied input to the "frmdt_content" parameter of the "record_company_image" array. Zen Cart version 1.3.8 is affected.
  • Ref: http://www.zen-cart.com/forum/showthread.php?t=130161

  • 09.26.62 - CVE: Not Available
  • Platform: Web Application
  • Title: Movable Type Cross-Site Scripting and Security Bypass Vulnerabilities
  • Description: Movable Type is a web-log application written in Perl and PHP. The application is exposed to unspecified cross-site scripting issues because it fails to sufficiently sanitize user-supplied input. The application is also exposed to a security bypass issue. This issue affects the "mt-wizard.cgi" script. Movable Type versions prior to 4.26 are affected.
  • Ref: http://www.movabletype.org/documentation/appendices/release-notes/426.html

(c) 2009. All rights reserved. The information contained in this newsletter, including any external links, is provided "AS IS," with no express or implied warranty, for informational purposes only. In some cases, copyright for material in this newsletter may be held by a party other than Qualys (as indicated herein) and permission to use such material must be requested from the copyright owner.

Subscriptions: @RISK is distributed free of charge by the SANS Institute to people responsible for managing and securing information systems and networks. You may forward this newsletter to others with such responsibility inside or outside your organization.