
@RISK: The Consensus Security Vulnerability Alert

Volume: VIII, Issue: 27
July 2, 2009

Quiet week, though HP OpenView might become a fertile target as more data about the buffer overflow leaks out. Alan

PS The most frequent answer to last week's question on how to check automatically for patches for non-Windows products is the free (personal use) version of Secunia at http://secunia.com/vulnerability_scanning/personal/ . Thanks to all who sent that in, especially Robert Rathbun of Northrop Grumman. Sadly, I still have not found large scale use of the commercial version --- it may be priced too high. Sad.

The other suggestion came from Bruce Burrell of the University of Michigan. He uses and recommends a set of configurations and multiple browsers. But he also said, "most users won't do that, but when you find one who will, polish, for that user is a true gem."

@RISK is the SANS community's consensus bulletin summarizing the most important vulnerabilities and exploits identified during the past week and providing guidance on appropriate actions to protect your systems (PART I). It also includes a comprehensive list of all new vulnerabilities discovered in the past week (PART II).

Summary of the vulnerabilities reported this week:

    Platform                                    Number of Updates and Vulnerabilities
    --------------------------                  -------------------------------------
    Third Party Windows Apps                    2
    Linux                                       2
    BSD                                         1
    Solaris                                     4
    Cross Platform                              24 (#1, #2, #3, #4, #5)
    Web Application - Cross Site Scripting      6
    Web Application - SQL Injection             11
    Web Application                             12
    Network Device                              1

****************** Sponsored By HP (SPI Dynamics) ***********************

Tool Talk Webcast: HP Tackles Cloud Application Security

In this webcast, participants will learn about:
* The three most common delivery platforms for Cloud computing: IaaS, PaaS and SaaS.
* How to manage application keys and handle sensitive information for each platform.
* How the delivery platforms impact the software development lifecycle.
* How we expect hackers to approach cloud applications.
* How HP can help you secure cloud applications.

http://www.sans.org/info/45369

*************************************************************************

TRAINING UPDATE
- - Rocky Mountain SANS, July 7-13 (6 full-length hands-on courses) http://www.sans.org/rockymnt2009/event.php
- - SANS Boston, Aug 2-9 (6 full-length hands-on courses) https://www.sans.org/boston09/index.php
- - National Forensics Summit, July 6-14 http://www.sans.org/forensics09_summit/
Looking for training in your own community? http://sans.org/community/
Save 25% on all On-Demand training (30 full courses) - See samples at http://www.sans.org/ondemand/spring09.php
Plus Amsterdam, London, Dubai, Riyahd, Cairo, Melbourne, Canberra, and Singapore all in the next 90 days.
For a list of all upcoming events, on-line and live: www.sans.org

*************************************************************************

Table Of Contents
Part II -- Comprehensive List of Newly Discovered Vulnerabilities from Qualys (www.qualys.com)
Third Party Windows Apps
Linux
BSD
Solaris
Cross Platform
Web Application - Cross Site Scripting
Web Application - SQL Injection
Web Application
Network Device

*************************** Sponsored Links: ****************************

1) SANS Vendor Demo Spotlight: Damballa - Failsafe: Find & stop bot malware threats with Failsafe security appliances. http://www.sans.org/info/45374

2) SANS Recommended Webcast Replay featuring: Q1 Labs - Un-Locked Next-Generation Log Management: Optimized for the Broad Market Five Distinct Advantages of the QRadar Log Management Solution http://www.sans.org/info/45379

*************************************************************************

PART I Critical Vulnerabilities

Part I for this issue has been compiled by Rohan Kotian at TippingPoint, a division of 3Com, as a by-product of that company's continuous effort to ensure that its intrusion prevention products effectively block exploits using known vulnerabilities. TippingPoint's analysis is complemented by input from a council of security managers from twelve large organizations who confidentially share with SANS the specific actions they have taken to protect their systems. A detailed description of the process may be found at http://www.sans.org/newsletters/cva/#process

Widely Deployed Software
  • (1) HIGH: Motorola Timbuktu Pro Buffer Overflow Vulnerability
  • Affected:
    • Motorola Timbuktu Pro version 8.6.5 and prior
  • Description: Timbuktu Pro is a remote desktop access application developed by Motorola and designed to work with multiple operating systems. It has a stack-based buffer overflow vulnerability caused by improper handling of user-supplied data passed through a named pipe session. An attacker could exploit this vulnerability by sending a long malformed character string over the "PlughNTCommand" named pipe. Successful exploitation might allow an attacker to execute arbitrary code with SYSTEM privileges or cause a denial-of-service condition. Authentication is not required to establish a session on the named pipe; once an attacker locates a system with a vulnerable Timbuktu installation exposing the "PlughNTCommand" named pipe, the pipe can be reached without credentials.

  • Status: Vendor confirmed, updates available.

  • References:
  • (2) HIGH: HP OpenView Network Node Manager Buffer Overflow Vulnerability
  • Affected:
    • HP OpenView Network Node Manager version 7.53 and prior
  • Description: HP OpenView Network Node Manager (OV NNM) is a suite of applications that manages enterprise networks and large-scale systems. It has a stack-based buffer overflow vulnerability within an application that is distributed in the Linux version. The specific flaw is caused by a boundary error in the "rping" application while handling certain user-supplied inputs. A specially crafted request to this application might trigger this vulnerability, and successful exploitation might lead to remote code execution. Few technical details are publicly available for this vulnerability.

  • Status: Vendor confirmed, updates available.

  • References:
  • (3) HIGH: Unisys Business Information Server Buffer Overflow Vulnerability
  • Affected:
    • Unisys Business Information Server 10.1
    • Unisys Business Information Server 10
  • Description: Unisys Business Information Server (BIS) has a stack-based buffer overflow vulnerability caused by improper handling of user-supplied data. The specific flaw is a boundary error in the "mnet.exe" service while processing packets that are sent to the Business Information Server over a TCP port. Successful exploitation might allow an attacker to either cause a denial-of-service condition or execute arbitrary code with the privileges of the affected service. No technical details are provided for this vulnerability.

  • Status: Vendor confirmed, updates available.

  • References:
  • (4) MODERATE: VLC Media Player Buffer Overflow Vulnerability
  • Affected:
    • VLC media player 0.9.9 and prior
  • Description: VLC media player is an open source, cross-platform media player developed by the VideoLAN project. It has a buffer overflow vulnerability which can be triggered while processing a specially crafted playlist file. The specific flaw lies within the "Win32AddConnection()" function in modules/access/smb.c, which has a boundary error while processing a specially crafted playlist file containing an overly long "smb://" URI. Note that, depending upon configuration, these files may be opened automatically by the application without first prompting the user. Successful exploitation might lead to arbitrary code execution with the privileges of the logged-on user. Full technical details and a proof-of-concept for this vulnerability are publicly available.

  • Status: Vendor confirmed, updates available.

  • References:
  • (5) MODERATE: Baofeng Storm Buffer Overflow Vulnerability
  • Affected:
    • Baofeng Storm version 3.9.62 and prior
  • Description: Baofeng Storm is a popular Chinese media player with a user base of almost 120 million in China. It has a buffer overflow vulnerability which can be triggered by a specially crafted "smpl" playlist file. The specific flaw is a boundary error in "medialib.dll" while processing an "smpl" playlist with an overly long entry. The unsuspecting user will have to be tricked into opening these malicious files. Successful exploitation might allow an attacker to execute arbitrary code in the context of the logged-on user. Full technical details along with proof-of-concepts are publicly available.

  • Status: Vendor confirmed, updates available.

  • References:
Part II: Weekly Comprehensive List of Newly Discovered Vulnerabilities
Week 27, 2009

This list is compiled by Qualys ( www.qualys.com ) as part of that company's ongoing effort to ensure its vulnerability management web service tests for all known vulnerabilities that can be scanned. As of this week Qualys scans for 7205 unique vulnerabilities. For this special SANS community listing, Qualys also includes vulnerabilities that cannot be scanned remotely.


  • 09.27.1 - CVE: Not Available
  • Platform: Third Party Windows Apps
  • Title: Green Dam Youth Escort "SurfGd.dll" URI Processing Remote Stack Buffer Overflow
  • Description: Green Dam Youth Escort is a content filtering and parental control browser plugin. It is available for Microsoft Windows. The application is exposed to a remote stack-based buffer overflow issue. Specifically, this issue occurs when the application processes an oversized URI. This issue affects the "SurfGd.dll" library file.
  • Ref: http://www.cse.umich.edu/~jhalderm/pub/gd/

  • 09.27.2 - CVE: Not Available
  • Platform: Third Party Windows Apps
  • Title: Green Dam Youth Escort Filter File Processing Stack Buffer Overflow
  • Description: Green Dam Youth Escort is a content filtering and parental control browser plugin. It is available for Microsoft Windows. The application is exposed to a stack-based buffer overflow issue because it fails to properly sanitize data read from filter data files.
  • Ref: http://www.cse.umich.edu/~jhalderm/pub/gd/

  • 09.27.3 - CVE: Not Available
  • Platform: Linux
  • Title: Palm webOS Prior to 1.0.4 Multiple Unspecified Vulnerabilities
  • Description: Palm webOS is a smartphone platform based on Linux. Palm webOS is exposed to multiple unspecified issues. Palm webOS versions prior to 1.0.4 are affected.
  • Ref: http://www.securityfocus.com/bid/35528

  • 09.27.4 - CVE: Not Available
  • Platform: Linux
  • Title: Linux Kernel "kvm_arch_vcpu_ioctl_set_sregs()" Local Denial of Service
  • Description: The Linux kernel is exposed to a local denial of service issue. Specifically, the issue affects the KVM implementation and occurs when invalid "cr3" values are passed to the kernel from a userspace caller. This can lead to a null-pointer exception when the affected KVM process next calls "KVM_RUN".
  • Ref: http://sourceforge.net/tracker/?func=detail&atid=893831&aid=2687641&group_id=180599

  • 09.27.5 - CVE: Not Available
  • Platform: BSD
  • Title: NetBSD "hack(6)" Multiple Privilege Escalation Vulnerabilities
  • Description: Hack ("hack(6)") is a game that ships with NetBSD. The application is exposed to multiple privilege escalation issues due to buffer overflow issues in its setgid "/usr/games/hack" binary. Specifically, the "gethdate()" function contains a stack-based buffer overflow that can be exploited via the "PATH" environment variable.
  • Ref: http://ftp.netbsd.org/pub/NetBSD/security/advisories/NetBSD-SA2009-007.txt.asc

  • 09.27.6 - CVE: Not Available
  • Platform: Solaris
  • Title: Sun Solaris "auditconfig(1M)" Command Local Privilege Escalation
  • Description: Sun Solaris is exposed to a local privilege escalation issue when executing the "auditconfig(1M)" command. Specifically, an attacker with an RBAC execution profile that specifies additional privileges for auditconfig(1M), such as the "Audit Control" profile, may execute arbitrary code with the privileges specified in the RBAC profile.
  • Ref: http://sunsolve.sun.com/search/document.do?assetkey=1-66-262088-1

  • 09.27.7 - CVE: Not Available
  • Platform: Solaris
  • Title: Sun Solaris Virtual Network Terminal Server Daemon Unauthorized Access
  • Description: Sun Solaris is a UNIX-based operating system. Sun Logical Domain is a specially allocated partition of system resources that facilitates creation of virtual machines called domains in "LDoms" terminology. The Virtual Network Terminal Server daemon is a server that supports connections to the Logical Domains ("LDoms") consoles. Sun Solaris is exposed to an unspecified local unauthorized access issue that affects Virtual Network Terminal Server daemon ("vntsd(1M)") for Logical Domains.
  • Ref: http://sunsolve.sun.com/search/document.do?assetkey=1-66-262708-1

  • 09.27.8 - CVE: Not Available
  • Platform: Solaris
  • Title: Sun Solaris Kernel "udp(7p)" Remote Denial of Service
  • Description: Sun Solaris is an operating system. The application is exposed to an unspecified denial of service issue that affects Solaris kernel "udp(7p)". Specifically, the issue was introduced by patch regression and may be triggered only on systems running Solaris Trusted Extensions. Solaris 10 and OpenSolaris based upon builds snv_90 through snv_108 are affected.
  • Ref: http://sunsolve.sun.com/search/document.do?assetkey=1-66-262048-1

  • 09.27.9 - CVE: Not Available
  • Platform: Solaris
  • Title: Sun Solaris Network File System Version 4 (NFSv4) Unauthorized Network Access
  • Description: The Sun Solaris Network File System Version 4 (NFSv4) "nfs_portmon" tunable is prone to a vulnerability that can allow an attacker to gain unauthorized access to network resources. The issue occurs because of a configuration error. Solaris 10 and OpenSolaris based upon builds snv_01 through snv_118 are affected.
  • Ref: http://sunsolve.sun.com/search/document.do?assetkey=1-66-262668-1

  • 09.27.10 - CVE: CVE-2009-1203
  • Platform: Cross Platform
  • Title: Cisco Adaptive Security Appliance Web VPN FTP or CIFS Authentication Form Phishing
  • Description: Cisco Adaptive Security Appliance (ASA) is a security appliance which includes a Web VPN component. The Web VPN component tracks the URI it is filtering by passing it as a CGI parameter in an obfuscated form. In case the URI is for an FTP or CIFS server which requires authentication, the appliance presents an authentication form to the end user. Adaptive Security Appliance versions prior to 8.0.4.34 and 8.1.2.25 are affected.
  • Ref: http://tools.cisco.com/security/center/viewAlert.x?alertId=18536

  • 09.27.11 - CVE: CVE-2009-1201
  • Platform: Cross Platform
  • Title: Cisco ASA Appliance WebVPN DOM Wrapper Cross-Site Scripting
  • Description: Cisco ASA (Adaptive Security Appliance) appliances provide security services such as a firewall, intrusion prevention system, and virtual private networking. The WebVPN component of Cisco ASA is exposed to a cross-site scripting issue because it fails to sufficiently sanitize user-supplied input. Cisco ASA versions 8.0.(4), 8.1.2 and 8.2.1 are affected.
  • Ref: http://tools.cisco.com/security/center/viewAlert.x?alertId=18373

  • 09.27.12 - CVE: CVE-2009-1163
  • Platform: Cross Platform
  • Title: Cisco Physical Access Gateway Malformed Packet Remote Denial of Service
  • Description: Cisco Physical Access Gateway is a physical access control solution developed by Cisco. Cisco Physical Access Gateway is exposed to a denial of service issue when handling specially crafted TCP packets sent to TCP port 443. In order to exploit this issue a 3-way handshake must occur. Cisco Physical Access Gateway versions prior to 1.1 are affected.
  • Ref: http://www.cisco.com/en/US/products/products_security_advisory09186a0080ad0f8b.shtml

  • 09.27.13 - CVE: CVE-2009-2045
  • Platform: Cross Platform
  • Title: Cisco Video Surveillance Stream Manager Firmware Denial of Service
  • Description: Cisco Video Surveillance Stream Manager software provides management and administration for Cisco Video products. Cisco Video Surveillance Stream Manager firmware is exposed to a denial of service issue when handling specially crafted network packets sent to UDP port 37000.
  • Ref: http://www.cisco.com/en/US/products/products_applied_mitigation_bulletin09186a0080ad1002.html

  • 09.27.14 - CVE: CVE-2009-1202
  • Platform: Cross Platform
  • Title: Cisco ASA Appliance HTML Rewriting Security Bypass
  • Description: Cisco ASA (Adaptive Security Appliance) appliances provide security services such as a firewall, intrusion prevention system, and virtual private networking. Cisco ASA is exposed to a security bypass issue because it fails to properly validate user supplied URIs. Specifically if the attacker modifies the initial characters of the encoded URI from "00" to "01", the attacker can bypass the rewrite rules. Cisco ASA versions 8.0.(4), 8.1.2 and 8.2.1 are affected.
  • Ref: http://www.securityfocus.com/archive/1/504516

  • 09.27.15 - CVE: Not Available
  • Platform: Cross Platform
  • Title: Apple Safari "CFCharacterSetInitInlineBuffer()" Remote Denial Of Service
  • Description: Apple Safari is a web browser available for multiple operating platforms. The browser is exposed to a denial of service issue that stems from a NULL-pointer dereference. This affects the "CFCharacterSetInitInlineBuffer()" function contained in the "CoreFoundation.dll" library file and is triggered when the application processes a URI fragment containing a high bit character in the common protocol handler. Apple Safari versions prior to 4 are affected.
  • Ref: http://www.securityfocus.com/archive/1/504479

  • 09.27.16 - CVE: Not Available
  • Platform: Cross Platform
  • Title: Apple Safari "file://" Protocol Handler Information Disclosure and Denial of Service
  • Description: Apple Safari is a web browser available for Mac OS X and Microsoft Windows. Apple Safari is exposed to an information disclosure and denial of service issue because it fails to properly sanitize user-supplied input. This issue affects the "file://" protocol handler. Safari versions prior to 4.0 running on Apple Mac OS X 10.5.6 and on Microsoft Windows XP and Vista are affected.
  • Ref: http://www.securityfocus.com/archive/1/504480

  • 09.27.17 - CVE: Not Available
  • Platform: Cross Platform
  • Title: RT "ShowConfigTab" Security Bypass
  • Description: RT is an enterprise-level trouble ticketing application. RT is exposed to a security bypass issue because it fails to restrict access to global "RT at a Glance" configuration settings. An authenticated attacker with the "ShowConfigTab" privilege could alter configurations that should be restricted to "SuperUser" privileges.
  • Ref: http://lists.bestpractical.com/pipermail/rt-announce/2009-June/000170.html

  • 09.27.18 - CVE: CVE-2009-1628
  • Platform: Cross Platform
  • Title: Unisys Business Information Server Remote Stack Buffer Overflow
  • Description: Unisys Business Information Server (formerly known as MAPPER) is a product for information management. The application is exposed to a remote stack-based buffer overflow issue because it fails to properly bounds check user-supplied data before copying it into an insufficiently sized memory buffer. A specially crafted TCP packet can be used to trigger this vulnerability. Business Information Server versions 10 and 10.1 are affected.
  • Ref: http://www.securityfocus.com/archive/1/504551

  • 09.27.19 - CVE: CVE-2009-1394
  • Platform: Cross Platform
  • Title: Motorola Timbuktu Pro "PlughNTCommand" Named Pipe Remote Stack Buffer Overflow
  • Description: Motorola Timbuktu Pro is a remote-control application available for Microsoft Windows and Apple Macintosh computers. It was previously marketed as a Netopia product. The application is prone to a remote stack-based buffer overflow issue because it fails to properly bounds-check user-supplied data before copying it into an insufficiently sized memory buffer. This issue affects the "PlughNTCommand" named pipe. Timbuktu Pro versions prior to 8.6.7 for Windows are affected.
  • Ref: http://www.netopia.com/software/products/tb2/win/upgrade_version_8.html

  • 09.27.20 - CVE: Not Available
  • Platform: Cross Platform
  • Title: VLC Media Player "smb://" URI Handling Remote Buffer Overflow
  • Description: VLC Media Player is a media player for a number of platforms. The application has a web-based interface. The application is exposed to a remote stack-based buffer overflow issue because it fails to perform adequate boundary checks on user-supplied data. VLC Media Player version 0.9.9 for Windows is affected.
  • Ref: http://git.videolan.org/?p=vlc.git;a=commit;h=e60a9038b13b5eb805a76755efc5c6d5e080180f

  • 09.27.21 - CVE: Not Available
  • Platform: Cross Platform
  • Title: Tor Denial of Service and DNS Spoofing Vulnerabilities
  • Description: Tor is an implementation of second-generation Onion Routing, a connection-oriented anonymizing communication service. Tor uses the DH (Diffie-Hellman) key-exchange protocol to create ephemeral keys for encryption when communicating with servers in the Tor network. The Tor network uses random paths through Tor routers to obscure the origin, destination, and contents of TCP-based network communication. Tor versions prior to 0.2.0.35 are affected.
  • Ref: http://archives.seul.org/or/announce/Jun-2009/msg00000.html

  • 09.27.22 - CVE: Not Available
  • Platform: Cross Platform
  • Title: aMSN SSL Certificate Validation Security Bypass
  • Description: aMSN is a chat client available for multiple operating systems. aMSN is exposed to a security bypass issue that occurs because it fails to properly validate SSL certificates when connecting to an MSN server. aMSN version 0.97.2 is affected.
  • Ref: http://www.securityfocus.com/archive/1/504570

  • 09.27.23 - CVE: Not Available
  • Platform: Cross Platform
  • Title: Gizmo5 for Linux MSN Authentication SSL Certificate Validation Security Bypass
  • Description: Gizmo5 is a chat client available for multiple operating systems. The application is exposed to a security bypass issue that occurs because it fails to properly validate SSL certificates when connecting to an MSN server. Gizmo5 for Linux version 3.1.0.79 is affected.
  • Ref: http://www.securityfocus.com/archive/1/504572

  • 09.27.24 - CVE: Not Available
  • Platform: Cross Platform
  • Title: Trillian MSN Authentication SSL Certificate Validation Security Bypass
  • Description: Trillian is a chat client available for multiple operating systems. The application is exposed to a security bypass issue that occurs because it fails to properly validate SSL certificates when connecting to an MSN server. Trillian version 3.1 is affected.
  • Ref: http://www.securityfocus.com/archive/1/504573

  • 09.27.25 - CVE: CVE-2009-0689
  • Platform: Cross Platform
  • Title: Multiple BSD Distributions "gdtoa/misc.c" Memory Corruption
  • Description: Multiple BSD distributions are exposed to a memory corruption issue due to a failure to properly bounds check data used as an array index. This issue affects the "gdtoa/misc.c" source code file. This issue can be triggered by calling formatted print functions with crafted arguments.
  • Ref: http://securityreason.com/achievement_securityalert/63

  • 09.27.26 - CVE: Not Available
  • Platform: Cross Platform
  • Title: BaoFeng Storm Playlist File Buffer Overflow
  • Description: BaoFeng Storm is a multimedia player. The application is exposed to a buffer overflow issue because it fails to perform adequate checks on user-supplied input. Specifically, the issue occurs when parsing a specially crafted ".smpl" file. BaoFeng Storm version 3.09.62 is affected.
  • Ref: http://www.securityfocus.com/bid/35512

  • 09.27.27 - CVE: Not Available
  • Platform: Cross Platform
  • Title: MySQL Connector/Net SSL Certificate Validation Security Bypass
  • Description: MySQL Connector/Net is an ADO.Net provider that allows .Net applications to connect with MySQL servers. MySQL Connector/Net is exposed to a security bypass issue that occurs because it fails to properly validate SSL certificates when connecting to a MySQL server. MySQL Connector/Net versions prior to 6.0.4 are affected.
  • Ref: http://bugs.mysql.com/bug.php?id=38700

  • 09.27.28 - CVE: Not Available
  • Platform: Cross Platform
  • Title: Apple QuickTime Malformed ".mpg" File Denial of Service
  • Description: Apple QuickTime is a media player that supports multiple file formats. The application is exposed to a denial of service issue that occurs when performing a read operation on a malformed ".mpg" file.
  • Ref: http://www.securityfocus.com/bid/35520

  • 09.27.29 - CVE: Not Available
  • Platform: Cross Platform
  • Title: Apple QuickTime Malformed ".mov" File Null Pointer Dereference Denial of Service
  • Description: Apple QuickTime is a media player that supports multiple file formats. The application is exposed to a denial of service issue that stems from a NULL-pointer dereference that occurs when handling a malformed ".mov" video file.
  • Ref: http://www.securityfocus.com/bid/35522

  • 09.27.30 - CVE: Not Available
  • Platform: Cross Platform
  • Title: Apple QuickTime ".mov" File Denial of Service
  • Description: Apple QuickTime is a media player that supports multiple file formats. The application is exposed to a denial of service issue because it fails to properly handle specially crafted ".mov" files.
  • Ref: http://www.securityfocus.com/bid/35523

  • 09.27.31 - CVE: Not Available
  • Platform: Cross Platform
  • Title: Sun Java System Access Manager Cross-Domain Controller (CDC) Cross-Site Scripting
  • Description: Sun Java System Access Manager is an application for managing secure access to web applications. The application is exposed to an unspecified cross-site scripting vulnerability that affects the Cross-Domain Controller (CDC) because it fails to sufficiently sanitize user-supplied input. Sun Java System Access Manager versions 6, 7 and 7.1 are affected.
  • Ref: http://sunsolve.sun.com/search/document.do?assetkey=1-66-256568-1

  • 09.27.32 - CVE: CVE-2009-1889
  • Platform: Cross Platform
  • Title: Pidgin OSCAR Protocol Web Message Denial of Service
  • Description: Pidgin is a multiplatform instant messaging client that supports multiple messaging protocols. Pidgin is exposed to a denial of service issue because it fails to properly validate user-supplied input. This issue affects the application's OSCAR (Open System for CommunicAtion in Realtime) implementation, which is used by AOL ICQ and AOL AIM. Pidgin versions 2.4.0 through 2.5.7 are affected.
  • Ref: https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2009-1889

  • 09.27.33 - CVE: Not Available
  • Platform: Cross Platform
  • Title: TSEP Multiple Remote Vulnerabilities
  • Description: TSEP (The Search Engine Project) is an open-source search engine. The application is exposed to multiple issues. An attacker could exploit these to steal cookie-based authentication credentials, compromise the application, obtain sensitive information, execute arbitrary local scripts, access or modify data, or exploit latent vulnerabilities in the underlying database.
  • Ref: http://www.securityfocus.com/bid/35539

  • 09.27.34 - CVE: Not Available
  • Platform: Web Application - Cross Site Scripting
  • Title: Tribiq CMS Multiple Local File Include and Cross-Site Scripting Vulnerabilities
  • Description: Tribiq CMS is a PHP-based content manager. Since it fails to properly sanitize user-supplied input, the application is exposed to multiple issues. Tribiq CMS version 5.0.12c is affected.
  • Ref: http://www.securityfocus.com/bid/35484

  • 09.27.35 - CVE: Not Available
  • Platform: Web Application - Cross Site Scripting
  • Title: MyBB Multiple Cross-Site Scripting Vulnerabilities
  • Description: MyBB (MyBulletinBoard) is a forum application. The application is exposed to multiple cross-site scripting issues because it fails to sufficiently sanitize user-supplied data to the unspecified parameters in the "Archive" and "Attachment" features of the application. Note that in order to exploit the issue in the "Archive" feature, an attacker requires moderator permissions. MyBB versions prior to 1.4.8 are affected.
  • Ref: http://blog.mybboard.net/2009/06/26/mybb-148-released-maintenance-security-release/

  • 09.27.36 - CVE: Not Available
  • Platform: Web Application - Cross Site Scripting
  • Title: Sun Java Web Console Cross-Site Scripting
  • Description: Sun Java Web Console is a web-based management tool for the Solaris operating system. The application is exposed to an unspecified cross-site scripting issue because it fails to sufficiently sanitize user-supplied input.
  • Ref: http://www.securityfocus.com/bid/35513

  • 09.27.37 - CVE: Not Available
  • Platform: Web Application - Cross Site Scripting
  • Title: phpMyAdmin "db" Parameter Cross-Site Scripting
  • Description: phpMyAdmin is a web-based administration interface for MySQL databases. phpMyAdmin is exposed to a cross-site scripting issue because it fails to sufficiently sanitize user-supplied data to the "db" parameter of the "MAINT_3_2_0/index.php" script.
  • Ref: http://www.securityfocus.com/bid/35531

  • 09.27.38 - CVE: CVE-2009-2170
  • Platform: Web Application - Cross Site Scripting
  • Title: Mahara Multiple Unspecified Cross-Site Scripting Vulnerabilities
  • Description: Mahara is a web-based portfolio application. The application is exposed to multiple cross-site scripting issues because it fails to sufficiently sanitize user-supplied data to an unspecified parameter of the artefact chooser for the "one resume field" blocktype. Additional unspecified scripts and parameters may also be vulnerable. Mahara versions prior to 1.0.12 and 1.1.5 are affected.
  • Ref: http://www.securityfocus.com/bid/35534

  • 09.27.39 - CVE: Not Available
  • Platform: Web Application - Cross Site Scripting
  • Title: Joomla! Cross-Site Scripting and Information Disclosure Vulnerabilities
  • Description: Joomla! is a PHP-based content manager. The application is exposed to multiple remote issues. Attackers may leverage these issues to execute arbitrary script code in the browser of an unsuspecting user in the context of the affected site, steal cookie-based authentication credentials, and obtain sensitive information. Joomla! versions prior to 1.5.12 are affected.
  • Ref: http://www.joomla.org/announcements/release-news/5242-joomla-1512-released.html

  • 09.27.40 - CVE: Not Available
  • Platform: Web Application - SQL Injection
  • Title: Joomla! "com_amocourse" Component "catid" Parameter SQL Injection
  • Description: The "com_amocourse" component is a PHP-based application for the Joomla! content manager. The application is exposed to an SQL injection issue because it fails to sufficiently sanitize user-supplied data to the "catid" parameter of the "com_amocourse" component before using it in an SQL query.
  • Ref: http://www.securityfocus.com/bid/35489

  • 09.27.41 - CVE: Not Available
  • Platform: Web Application - SQL Injection
  • Title: Joomla! PinME Component "task" Parameter SQL Injection
  • Description: The PinME component is a PHP-based application for the Joomla! content manager. The application is exposed to an SQL injection issue because it fails to sufficiently sanitize user-supplied data to the "task" parameter of the "com_pinboard" component before using it in an SQL query.
  • Ref: http://www.securityfocus.com/bid/35493

  • 09.27.42 - CVE: Not Available
  • Platform: Web Application - SQL Injection
  • Title: MDPro Survey Module "pollID" Parameter SQL Injection
  • Description: The Survey module provides survey functionality for the MDPro content manager. The module is exposed to an SQL injection issue because it fails to sufficiently sanitize user-supplied data to the "pollID" parameter when called with the "op" parameter set to "results" before using the data in an SQL query.
  • Ref: http://www.securityfocus.com/bid/35495

  • 09.27.43 - CVE: Not Available
  • Platform: Web Application - SQL Injection
  • Title: PHP-Address Book Multiple SQL Injection Vulnerabilities
  • Description: PHP-Address Book is a web-based address and phone book implemented in PHP. PHP-Address Book is exposed to multiple SQL injection issues because it fails to sufficiently sanitize user-supplied data. PHP-Address Book version 4.0.1 is affected.
  • Ref: http://www.securityfocus.com/bid/35511

  • 09.27.44 - CVE: Not Available
  • Platform: Web Application - SQL Injection
  • Title: Joomla! joomla-php Component "id" Parameter SQL Injection
  • Description: joomla-php is a component for the Joomla! content manager. The application is exposed to an SQL injection issue because it fails to sufficiently sanitize user-supplied data to the "id" parameter of the "com_php" component before using it in an SQL query.
  • Ref: http://www.securityfocus.com/bid/35515

  • 09.27.45 - CVE: Not Available
  • Platform: Web Application - SQL Injection
  • Title: osTicket Staff Username SQL Injection
  • Description: osTicket is a PHP-based application for customer support. The application is exposed to an SQL injection issue because it fails to sufficiently sanitize user-supplied data to the "staff username" field when logging in as an administrator. osTicket versions prior to 1.6 RC5 are affected.
  • Ref: http://www.securityfocus.com/archive/1/504615

  • 09.27.46 - CVE: Not Available
  • Platform: Web Application - SQL Injection
  • Title: Joomla! K2 Component "category" Parameter SQL Injection
  • Description: K2 is a content construction component for the Joomla! content manager. The application is exposed to an SQL injection issue because it fails to sufficiently sanitize user-supplied data to the "category" parameter of the "com_k2" component before using it in an SQL query. K2 version 1.0.1 Beta is affected.
  • Ref: http://www.securityfocus.com/bid/35517

  • 09.27.47 - CVE: Not Available
  • Platform: Web Application - SQL Injection
  • Title: Joomla! BookFlip Component "book_id" Parameter SQL Injection
  • Description: BookFlip is a component for the Joomla! content manager. The application is exposed to an SQL injection issue because it fails to sufficiently sanitize user-supplied data to the "book_id" parameter of the "com_bookflip" component before using it in an SQL query. BookFlip version 2.1 is affected.
  • Ref: http://www.securityfocus.com/bid/35519

  • 09.27.48 - CVE: CVE-2009-2144
  • Platform: Web Application - SQL Injection
  • Title: FireStats Unspecified SQL Injection
  • Description: FireStats is a PHP-based website statistics application for WordPress. The application is exposed to an SQL injection issue because it fails to sufficiently sanitize user-supplied data before using it in an SQL query. FireStats versions prior to 1.6.2 are affected.
  • Ref: http://firestats.cc/wiki/ChangeLog#a1.6.2-stable13062009

  • 09.27.49 - CVE: Not Available
  • Platform: Web Application - SQL Injection
  • Title: Simple Machines Forum Member Awards "index.php" SQL Injection
  • Description: Member Awards is an awards module for Simple Machines Forum. The application is exposed to an SQL injection issue because it fails to sufficiently sanitize user-supplied data to the "index.php" script before using it in an SQL query. Member Awards version 1.0.2 is affected.
  • Ref: http://www.securityfocus.com/bid/35536

  • 09.27.50 - CVE: Not Available
  • Platform: Web Application - SQL Injection
  • Title: WordPress Related Sites Plugin "guid" Parameter SQL Injection
  • Description: Related Sites is a plugin for WordPress. The plugin is exposed to an SQL injection issue because it fails to sufficiently sanitize user-supplied data to the "guid" parameter of the "BTE_RW_webajax.php" script before using the data in an SQL query. Related Sites version 2.1 is affected.
  • Ref: http://www.securityfocus.com/bid/35538

  • 09.27.51 - CVE: Not Available
  • Platform: Web Application
  • Title: Glossword "index.php" Local File Include
  • Description: Glossword is a web-based application to create a multilingual online dictionary. The application is exposed to a local file include issue because it fails to properly sanitize user-supplied input to the "t" parameter of the "index.php" script. Glossword version 1.8.11 is affected.
  • Ref: http://www.securityfocus.com/archive/1/504480

  • 09.27.52 - CVE: Not Available
  • Platform: Web Application
  • Title: PinME! Joomla! Component Arbitrary File Upload
  • Description: PinME! is an image board component for the Joomla! and Mambo content management systems. PinME! is exposed to an issue that lets attackers upload arbitrary files. The issue occurs because the component fails to adequately validate user-supplied input before uploading files. This issue is triggered when files with a ".php.jpg" extension are uploaded.
  • Ref: http://www.securityfocus.com/bid/35485

  • 09.27.53 - CVE: Not Available
  • Platform: Web Application
  • Title: PHPEcho CMS SQL Injection and HTML Injection Vulnerabilities
  • Description: PHPEcho CMS is a PHP-based web application. The application is exposed to multiple input validation issues. PHPEcho CMS version 2.0-rc3 is affected.
  • Ref: http://www.securityfocus.com/bid/35488

  • 09.27.54 - CVE: Not Available
  • Platform: Web Application
  • Title: IBM Rational ClearQuest CQWeb Server Cross-Site Scripting and Information Disclosure Vulnerabilities
  • Description: IBM Rational ClearQuest is a web-based application used for software change management. CQWeb Server is the application's webserver component. The application is exposed to multiple remote issues. IBM Rational ClearQuest versions prior to 7.0.0.6 and 7.0.1.5 are affected.
  • Ref: http://www-01.ibm.com/support/docview.wss?uid=swg1PK77030

  • 09.27.55 - CVE: CVE-2009-1887
  • Platform: Web Application
  • Title: Net-SNMP GETBULK Divide By Zero Remote Denial of Service
  • Description: Net-SNMP is an SNMP (Simple Network Management Protocol) package that includes multiple applications. Net-SNMP is exposed to a remote denial of service issue because it fails to handle malformed "GETBULK" SNMP requests. Specifically, the application may crash with a divide-by-zero error. Net-SNMP as distributed with Red Hat Enterprise Linux 3 is affected.
  • Ref: https://bugzilla.redhat.com/show_bug.cgi?id=506903

  • 09.27.56 - CVE: Not Available
  • Platform: Web Application
  • Title: 2Bgal "admin/phpinfo.php" Information Disclosure
  • Description: 2Bgal is a web-based photo gallery implemented in PHP. The application is exposed to an information disclosure issue. Specifically, an unauthorized attacker may disclose PHP configuration details via the "admin/phpinfo.php" script. 2Bgal version 3.1.2 is affected.
  • Ref: http://www.securityfocus.com/bid/35503

  • 09.27.57 - CVE: Not Available
  • Platform: Web Application
  • Title: LightOpenCMS "smarty.php" Local File Include
  • Description: LightOpenCMS is a PHP-based content management system. LightOpenCMS is exposed to a local file include issue because it fails to properly sanitize user-supplied input to the "cwd" parameter of the "/locms/smarty.php" script. LightOpenCMS version 0.1 pre-alpha is affected.
  • Ref: http://www.securityfocus.com/bid/35497

  • 09.27.58 - CVE: Not Available
  • Platform: Web Application
  • Title: cPanel "lastvisit.html" Arbitrary File Disclosure
  • Description: cPanel is a web-hosting control panel implemented in PHP. The application is exposed to a local file disclosure issue because it fails to adequately validate user-supplied input. This issue affects the "domain" parameter of the "frontend/x3/stats/lastvisit.html" page.
  • Ref: http://www.securityfocus.com/bid/35518

  • 09.27.59 - CVE: Not Available
  • Platform: Web Application
  • Title: DM Albums "album.php" Remote File Include
  • Description: DM Albums is a PHP-based image gallery plugin for WordPress. DM Albums can also be run as an independent web application. The application is exposed to a remote file-include issue because it fails to sufficiently sanitize user-supplied input to the "SECURITY_FILE" parameter of the "album.php" script. DM Albums version 1.9.2 is affected.
  • Ref: http://www.securityfocus.com/bid/35521

  • 09.27.60 - CVE: CVE-2009-2171
  • Platform: Web Application
  • Title: Mahara "Artefact" in Saved View Information Disclosure
  • Description: Mahara is a web-based portfolio application. The application is exposed to an information disclosure issue because it fails to properly check user permissions before performing certain actions. Specifically, permission checks are not properly performed when arbitrary "artefacts" are saved within a specified "view". Mahara versions prior to 1.1.5 are affected.
  • Ref: http://mahara.org/interaction/forum/topic.php?id=753

  • 09.27.61 - CVE: Not Available
  • Platform: Web Application
  • Title: BIGACE Web CMS "cmd" Parameter Local File Include
  • Description: BIGACE Web CMS is a content manager implemented in PHP. The application is exposed to a local file include issue because it fails to properly sanitize user-supplied input to the "cmd" parameter of the "index.php" script. BIGACE Web CMS version 2.6 is affected.
  • Ref: http://www.securityfocus.com/bid/35537

  • 09.27.62 - CVE: Not Available
  • Platform: Web Application
  • Title: phpMyAdmin SQL bookmark HTML Injection
  • Description: phpMyAdmin is a web-based administration interface for MySQL databases. The application is exposed to an HTML injection issue because it fails to properly sanitize user-supplied input before using it in dynamically generated content. Specifically, this issue can be exploited through a crafted SQL bookmark. phpMyAdmin versions prior to 3.2.0.1 are affected.
  • Ref: http://www.phpmyadmin.net/home_page/security/PMASA-2009-5.php

  • 09.27.63 - CVE: CVE-2009-2046
  • Platform: Network Device
  • Title: Cisco Video Surveillance 2500 Series IP Cameras Remote Information Disclosure
  • Description: Cisco Video Surveillance 2500 Series IP Cameras are remote video camera devices. The devices are exposed to an information disclosure issue that affects the embedded web server. Authenticated attackers may exploit this issue to view arbitrary files on the affected devices. Cisco Video Surveillance versions prior to 2500 Series IP Camera firmware 2.1 are affected.
  • Ref: http://www.securityfocus.com/bid/35478/references

(c) 2009. All rights reserved. The information contained in this newsletter, including any external links, is provided "AS IS," with no express or implied warranty, for informational purposes only. In some cases, copyright for material in this newsletter may be held by a party other than Qualys (as indicated herein) and permission to use such material must be requested from the copyright owner.

Subscriptions: @RISK is distributed free of charge by the SANS Institute to people responsible for managing and securing information systems and networks. You may forward this newsletter to others with such responsibility inside or outside your organization.