@RISK: The Consensus Security Vulnerability Alert

Volume: VIII, Issue: 28
July 9, 2009

One ActiveX vulnerability plus the big DDoS attack on government and industry and international sites. Alan

@RISK is the SANS community's consensus bulletin summarizing the most important vulnerabilities and exploits identified during the past week and providing guidance on appropriate actions to protect your systems (PART I). It also includes a comprehensive list of all new vulnerabilities discovered in the past week (PART II).

Summary of the vulnerabilities reported this week:

    Category                                  # of Updates & Vulnerabilities
    ----------------------------------------  ------------------------------
    Windows                                   2 (#1)
    Third Party Windows Apps                  2
    Linux                                     1
    HP-UX                                     1
    Solaris                                   2
    Cross Platform                            15 (#3, #4, #5)
    Web Application - Cross Site Scripting    6
    Web Application - SQL Injection           5
    Web Application                           6
    Network Device                            4 (#2, #6)

******************** Sponsored By HP (SPI Dynamics) *********************

Tool Talk Webcast: HP Tackles Cloud Application Security

In this webcast, participants will learn about:
* The three most common delivery platforms for Cloud computing: IaaS, PaaS and SaaS.
* How to manage application keys and handle sensitive information for each platform.
* How the delivery platforms impact the software development lifecycle.
* How we expect hackers to approach cloud applications.
* How HP can help you secure cloud applications.

http://www.sans.org/info/45518

*************************************************************************

Table Of Contents
Part II -- Comprehensive List of Newly Discovered Vulnerabilities from Qualys (www.qualys.com)
Windows
Third Party Windows Apps
Linux
HP-UX
Solaris
Cross Platform
Web Application - Cross Site Scripting
Web Application - SQL Injection
Web Application
Network Device

*********************** Sponsored Links: *****************************

1) Be sure to register now for the Ask The Expert Webcast: Managing Change and Event Monitoring for Sustainable NERC CIP Compliance http://www.sans.org/info/45523

2) SANS Vendor Demo Spotlight: IBM Rational Appscan - Engage more testers earlier in the SDL with Rational Appscan's static & dynamic analysis capabilities. http://www.sans.org/info/45528

3) SANS Recommended Webcast Replay Featuring: Novell ZENworks Endpoint Security Management- A Technical Demonstration http://www.sans.org/info/45533

*************************************************************************

PART I Critical Vulnerabilities

Part I for this issue has been compiled by Rohan Kotian at TippingPoint, a division of 3Com, as a by-product of that company's continuous effort to ensure that its intrusion prevention products effectively block exploits using known vulnerabilities. TippingPoint's analysis is complemented by input from a council of security managers from twelve large organizations who confidentially share with SANS the specific actions they have taken to protect their systems. A detailed description of the process may be found at http://www.sans.org/newsletters/cva/#process

Widely Deployed Software
  • (1) CRITICAL: Microsoft Video ActiveX Control Buffer Overflow Vulnerability
  • Affected:
    • Windows XP Service Pack 2 and Windows XP Service Pack 3
    • Windows XP Professional x64 Edition Service Pack 2
    • Windows Server 2003 Service Pack 2
    • Windows Server 2003 x64 Edition Service Pack 2
    • Windows Server 2003 with SP2 for Itanium-based Systems
  • Description: Microsoft Video ActiveX Control "MSVidCtl.dll" is used to connect Microsoft DirectShow filters for their intended use of capturing, recording and playing video and is the main component of Microsoft Windows Media Center. This control has a stack-based buffer overflow vulnerability which can be exploited while reading a specially crafted data file. A malicious web page that instantiates the vulnerable component could trigger this vulnerability and execute arbitrary code with the privileges of the current user. Some technical details are publicly available for this vulnerability, as is a proof-of-concept.

  • Status: Vendor confirmed, no updates available. Users can mitigate the impact of this vulnerability by disabling the affected controls, mentioned in Microsoft Security Advisory (972890), using Microsoft's "killbit" mechanism.

  • References:
  • (3) MODERATE: Photo DVD Maker Buffer Overflow Vulnerability
  • Affected:
    • Photo DVD Maker Professional version 8.02 and prior
  • Description: Photo DVD Maker is a tool for creating photo slide shows with music as a CD or DVD with menus, which can then be watched on a TV or online. It has a buffer overflow vulnerability that can be triggered by a specially crafted Photo DVD Maker Professional project (.pdm) file. The specific error is a boundary error while processing a malicious ".pdm" file that contains a very long "File_Name" string. The unsuspecting user would have to be tricked into opening such a file. Successful exploitation might allow an attacker to execute arbitrary code in the context of the logged-on user. Some technical details for this vulnerability are publicly available.

  • Status: Vendor not confirmed, no updates available.

  • References:
  • (4) MODERATE: Dillo PNG Processing Integer Overflow Vulnerability
  • Affected:
    • Dillo version 2.1 and prior
  • Description: Dillo is an open source, multi-platform web browser known for its speed and small size. It has an integer overflow vulnerability that can be triggered by a specially crafted PNG image. The specific flaw is an integer overflow in the "Png_datainfo_callback()" function, which performs inadequate checks on the height and width of an image. The unsuspecting user would have to be tricked into visiting a website that embeds such a malicious PNG image. Successful exploitation might allow an attacker to execute arbitrary code in the context of the logged-on user. Full technical details are publicly available via source code analysis.

  • Status: Vendor confirmed, updates available.

  • References:
  • (5) MODERATE: wxWidgets Integer Overflow Vulnerability
  • Affected:
    • wxWidgets version 2.8.10 and prior
  • Description: wxWidgets is an open source, cross-platform toolkit for creating graphical user interfaces (GUIs). It has an integer overflow vulnerability that can be triggered by a specially crafted JPEG file. The specific flaw is an integer overflow in the "wxImage::Create()" function in src/common/image.cpp while processing a malicious JPEG image file. The unsuspecting user would have to be tricked into opening such a file. Successful exploitation might allow an attacker to execute arbitrary code in the context of the logged-on user. Full technical details are publicly available via source code analysis.

  • Status: Vendor not confirmed, no updates available.

  • References:
  • (6) LOW: Hitachi Products Multiple Code Execution Vulnerabilities
  • Affected:
    • Cosminexus Application Server Version 5
    • Cosminexus Application Server Standard Version 6
    • Cosminexus Application Server Enterprise Version 6
    • Cosminexus Client Version 6
    • Cosminexus Developer Version 5
    • Cosminexus Developer Standard Version 6
    • Cosminexus Developer Professional Version 6
    • Cosminexus Developer Light Version 6
    • Cosminexus Server - Web Edition Version 4
    • Cosminexus Server - Standard Edition Version 4
    • Cosminexus Studio Version 5
    • Cosminexus Studio - Web Edition Version 4
    • Cosminexus Studio - Standard Edition Version 4
    • Cosminexus/OpenTP1 Web Front-end Set
    • Groupmax Collaboration - Server
    • Hitachi Developer's Kit for Java(TM)
    • Processing Kit for XML
    • uCosminexus Application Server Enterprise
    • uCosminexus Application Server Standard
    • uCosminexus Client
    • uCosminexus Collaboration - Server
    • uCosminexus Developer Standard
    • uCosminexus Developer Professional
    • uCosminexus Developer Light
    • uCosminexus Operator
    • uCosminexus Service Platform
    • uCosminexus Service Architect
    • uCosminexus/OpenTP1 Web Front-end Set
    • Electronic Form Workflow Set
    • Electronic Form Workflow Professional Set
    • Electronic Form Workflow Professional Library Set
    • Electronic Form Workflow Developer Set
    • Electronic Form Workflow Developer Client Set
    • Electronic Form Workflow Standard Set
  • Description: Two vulnerabilities have been identified in various products from Hitachi, a Japanese company; specifically, they are in the Cosminexus Processing Kit for XML and the Hitachi Developer's Kit for Java. The first is an unspecified error while processing zip files that might give an attacker unauthorized access. The second is an unspecified error while processing UTF-8 data that might also allow an attacker unauthorized access. Successful exploitation might allow an attacker to execute arbitrary code. No technical details are provided for these vulnerabilities.

  • Status: Vendor confirmed, updates available.

  • References:
Part II: Weekly Comprehensive List of Newly Discovered Vulnerabilities
Week 28, 2009

This list is compiled by Qualys ( www.qualys.com ) as part of that company's ongoing effort to ensure its vulnerability management web service tests for all known vulnerabilities that can be scanned. As of this week Qualys scans for 7228 unique vulnerabilities. For this special SANS community listing, Qualys also includes vulnerabilities that cannot be scanned remotely.


  • 09.28.1 - CVE: CVE-2008-0015
  • Platform: Windows
  • Title: Microsoft Windows "MPEG2TuneRequest" Object Remote Code Execution
  • Description: Microsoft TV Technologies is a component of Windows XP which provides support for digital TV applications. TV Technologies is exposed to a remote code execution issue. This issue affects the "MPEG2TuneRequest" object and can be triggered when the object is instantiated with malformed input through the "data" parameter. Microsoft Windows XP SP3 is affected.
  • Ref: http://www.us-cert.gov/cas/techalerts/TA09-187A.html

  • 09.28.2 - CVE: CVE-2008-0020
  • Platform: Windows
  • Title: Microsoft Windows "msvidctl.dll" ActiveX Control Unspecified Remote Memory Corruption
  • Description: Microsoft Video Control is an ActiveX control provided by the "msvidctl.dll" library file. The control is prone to an unspecified remote memory corruption vulnerability. Windows XP SP3 and Windows Server 2003 are affected.
  • Ref: http://www.microsoft.com/technet/security/advisory/972890.mspx

  • 09.28.3 - CVE: Not Available
  • Platform: Third Party Windows Apps
  • Title: Soulseek Peer Search Buffer Overflow
  • Description: Soulseek is a file-sharing application available for Microsoft Windows. The application is exposed to a stack-based buffer overflow issue that occurs because it fails to perform adequate boundary checks on user-supplied data. Specifically, this issue occurs when performing a direct peer file search. Soulseek versions prior to 157 NS 13e and 156c are affected.
  • Ref: http://g-laurent.blogspot.com/2009/07/soulseek-157-ns-13e-156-remote-peer.html

  • 09.28.4 - CVE: Not Available
  • Platform: Third Party Windows Apps
  • Title: Avax Vector "avPreview.ocx" ActiveX Control Buffer Overflow
  • Description: Avax Vector is a graphics ActiveX control. The application is exposed to a remote buffer overflow issue because it fails to perform adequate boundary checks on user-supplied data. The vulnerability affects the "PrinterName()" method of the "avPreview.ocx" ActiveX control. Avax Vector ActiveX version 1.3 is affected.
  • Ref: http://www.securityfocus.com/archive/1/504729

  • 09.28.5 - CVE: CVE-2009-1388
  • Platform: Linux
  • Title: Linux Kernel "ptrace_start()" and "do_coredump()" Deadlock Local Denial of Service
  • Description: The Linux kernel is exposed to a local denial of service issue because of a race condition between the "ptrace_start()" and "do_coredump()" functions. The Linux kernel version 2.6.18 is affected.
  • Ref: https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2009-1388

  • 09.28.6 - CVE: CVE-2009-1421
  • Platform: HP-UX
  • Title: HP-UX NFS/ONCplus Unspecified Local Denial of Service
  • Description: HP-UX is prone to a local denial of service vulnerability that stems from an unspecified error in the NFS ONCplus package. HP-UX version B.11.31 is affected.
  • Ref: http://www.securityfocus.com/bid/35547

  • 09.28.7 - CVE: Not Available
  • Platform: Solaris
  • Title: Sun Lightweight Availability Collection Tool File Overwrite
  • Description: Sun Lightweight Availability Collection Tool is a standalone availability collection solution for Sun Solaris platforms. Sun Lightweight Availability Collection Tool is exposed to a race condition. This issue allows an attacker with local access to overwrite arbitrary files. Successful exploits may allow attackers to potentially execute arbitrary code with elevated privileges. Lightweight Availability Collection Tool version 3.0 for Solaris 7, 8, 9 and 10 is affected.
  • Ref: http://sunsolve.sun.com/search/document.do?assetkey=1-66-261408-1

  • 09.28.8 - CVE: Not Available
  • Platform: Solaris
  • Title: Sun OpenSolaris Process File System (proc(4)) Local Denial of Service
  • Description: Sun OpenSolaris is a UNIX-based operating system. OpenSolaris is exposed to a local denial of service issue. Specifically, an unspecified problem in the Process File System (proc(4)) can allow an attacker to trigger a deadlock in the kernel causing the system to panic while processing the "ldt_rewrite_syscall" function. OpenSolaris builds snv_49 through snv_109 are affected.
  • Ref: http://sunsolve.sun.com/search/document.do?assetkey=1-66-258888-1

  • 09.28.9 - CVE: Not Available
  • Platform: Cross Platform
  • Title: wxWidgets "wxImage::Create()" Integer Overflow
  • Description: wxWidgets is a library and API for creating GUI applications on multiple platforms. wxWidgets is exposed to an integer overflow issue because the application fails to ensure that integer values are not overrun. This issue occurs in the "wxImage::Create()" function of the "src/common/image.cpp" source file. wxWidgets version 2.8.10 is affected.
  • Ref: http://www.securityfocus.com/bid/35552

  • 09.28.10 - CVE: Not Available
  • Platform: Cross Platform
  • Title: Apple Safari "reload()" Denial of Service
  • Description: Apple Safari is a web browser available for Mac OS X and Microsoft Windows. Safari is exposed to a denial of service issue because it fails to properly sanitize user-supplied input. Specifically, this issue can be triggered with specially crafted calls to the JavaScript "reload()" function. Safari versions 4.0 and 4.0.1 are affected.
  • Ref: http://marcell-dietl.de/index/adv_safari_4_x_js_reload_dos.php

  • 09.28.11 - CVE: CVE-2009-2295
  • Platform: Cross Platform
  • Title: CamlImages PNG Image Parsing Multiple Integer Overflow Vulnerabilities
  • Description: CamlImages is an open-source image processing library. CamlImages is exposed to multiple integer overflow issues because it fails to properly validate user-supplied input when parsing PNG images. Specifically, the "read_png_file()" and "read_png_file_as_rgb24()" functions do not properly validate the width and height of an image. CamlImages versions 2.2 and earlier are affected.
  • Ref: http://www.securityfocus.com/archive/1/504696

  • 09.28.12 - CVE: CVE-2009-1890
  • Platform: Cross Platform
  • Title: Apache "mod_proxy" Remote Denial Of Service
  • Description: The Apache "mod_proxy" module is prone to a remote denial of service issue. This issue arises due to an unspecified error when "mod_proxy" is used with the reverse proxy configuration. Remote attackers can exploit this issue to cause the proxy process to consume large amounts of CPU resources.
  • Ref: http://svn.apache.org/viewvc/httpd/httpd/trunk/CHANGES?r1=790587&r2=790586&pathrev=790587

  • 09.28.13 - CVE: Not Available
  • Platform: Cross Platform
  • Title: IBM Tivoli Identity Manager Multiple Cross-Site Scripting Vulnerabilities
  • Description: Tivoli Identity Manager is a policy-based solution for managing user privileges across heterogeneous IT resources. The application is exposed to multiple cross-site scripting issues because it fails to sufficiently sanitize user-supplied data to the "self-service UI" and "ITIM console" interfaces. Tivoli Identity Manager version 5.0 is affected.
  • Ref: http://www-01.ibm.com/support/docview.wss?uid=swg1IZ54310

  • 09.28.14 - CVE: Not Available
  • Platform: Cross Platform
  • Title: Apple iPhone SMS Application Denial of Service
  • Description: Apple iPhone SMS application is exposed to a denial of service issue. Specifically the issue occurs when a crafted SMS text message is processed by the SMS application. An attacker may exploit the issue to crash the SMS application in iPhone. The issue may be exploited to execute arbitrary code but this has not been confirmed.
  • Ref: http://www.h-online.com/security/Alledged-critical-security-vulnerability-in-iPhone-SMS-application--/news/113680

  • 09.28.15 - CVE: Not Available
  • Platform: Cross Platform
  • Title: XScreenSaver Symbolic Link Local Information Disclosure
  • Description: XScreenSaver is a screen saver application for Linux and Unix systems running the X11 Window System. The application is exposed to a local information disclosure issue. An attacker with local access could potentially exploit this issue to perform symbolic-link attacks and disclose contents of restricted files.
  • Ref: http://isowarez.de/xscreensaver.txt

  • 09.28.16 - CVE: CVE-2009-2294
  • Platform: Cross Platform
  • Title: Dillo "Png_datainfo_callback()" Integer Overflow
  • Description: Dillo is a multi-platform web browser. The software is exposed to an integer overflow issue because it fails to properly bounds check user-supplied input. The problem occurs in the "Png_datainfo_callback()" function when parsing malformed PNG images containing large width and height values. Dillo versions prior to 2.1.1 are affected.
  • Ref: http://www.ocert.org/advisories/ocert-2009-008.html

  • 09.28.17 - CVE: Not Available
  • Platform: Cross Platform
  • Title: Sun Java System Web Server ".jsp" File Information Disclosure
  • Description: Sun Java System Web Server is a web server available for multiple platforms. The application is exposed to a remote information disclosure issue. Specifically an attacker can disclose the contents of the ".jsp" files by appending ":$DATA" to the file extension in the HTTP requests. Sun Java System Web Server versions 6.1 SP10, 6.1 SP11, and 7.0 are affected.
  • Ref: http://isowarez.de/SunOne_Webserver.txt

  • 09.28.18 - CVE: Not Available
  • Platform: Cross Platform
  • Title: Green Dam Youth Escort Change System Time Unauthorized Access
  • Description: Green Dam Youth Escort is a browser plugin that provides content filtering and parental control. It is available for Microsoft Windows. Green Dam Youth Escort is exposed to a security issue that may allow users to change the system time.
  • Ref: http://www.securityfocus.com/bid/35557

  • 09.28.19 - CVE: Not Available
  • Platform: Cross Platform
  • Title: Ruby on Rails "http_authentication.rb" Nil Credentials Authentication Bypass
  • Description: Ruby on Rails is a web application framework for multiple platforms. The application is exposed to an authentication bypass vulnerability because the framework fails to properly enforce access restrictions on certain requests to a site that requires authentication. Specifically, this issue occurs when applications restrict access via HTTP Basic or Digest authentication using the modules in the "http_authentication.rb" source code file. Ruby on Rails version 2.3.2 is affected.
  • Ref: http://n8.tumblr.com/post/117477059/security-hole-found-in-rails-2-3s

  • 09.28.20 - CVE: Not Available
  • Platform: Cross Platform
  • Title: Perl IO::Socket::SSL "verify_hostname_of_cert()" Security Bypass
  • Description: IO::Socket::SSL is a module for Perl used to provide SSL support. The module is exposed to a security bypass issue. Specifically the "verify_hostname_of_cert()" function fails to properly match certificate hostnames when no wildcard is provided. IO::Socket::SSL versions prior to 1.26 are affected.
  • Ref: http://cpansearch.perl.org/src/SULLR/IO-Socket-SSL-1.26/Changes

  • 09.28.21 - CVE: Not Available
  • Platform: Cross Platform
  • Title: Citrix XenCenterWeb Multiple Input Validation Vulnerabilities
  • Description: Citrix XenCenterWeb is a web interface for Citrix XenServer environment management. Citrix XenCenterWeb is exposed to multiple input validation issues. Exploiting these issues could allow an attacker to execute arbitrary code, perform unauthorized actions, steal cookie-based authentication credentials, compromise the application, access or modify data, or exploit latent vulnerabilities in the underlying database.
  • Ref: http://www.securityfocus.com/archive/1/504764

  • 09.28.22 - CVE: CVE-2009-0667
  • Platform: Cross Platform
  • Title: OCS Inventory NG Agent "Backend.pm" Perl Module Handling Code Execution
  • Description: OCS Inventory NG is an inventory management application. The software includes a client application called "ocsinventory-agent". The application is exposed to an issue that lets local attackers execute arbitrary Perl code. This issue occurs because of an insecure perl module search path for the "Agent/Backend.pm" module. The agent application is initiated via cron, with the "/" directory included by default in the module search path.
  • Ref: http://www.securityfocus.com/bid/35593/references

  • 09.28.23 - CVE: CVE-2009-0903
  • Platform: Cross Platform
  • Title: IBM WebSphere Application Server JAX-WS Application Security Bypass
  • Description: IBM WebSphere Application Server is a web application server available for various operating systems. IBM WebSphere Application Server is exposed to a security bypass issue that occurs for users using JAX-WS applications with a WS-Security policy set at the operational level. WebSphere Application Server versions 7.0 prior to 7.0.0.3 and 6.1.0 prior to 6.1.0.25 are affected.
  • Ref: http://www-01.ibm.com/support/docview.wss?uid=swg1PK87767

  • 09.28.24 - CVE: Not Available
  • Platform: Web Application - Cross Site Scripting
  • Title: Zoph Unspecified Cross-Site Scripting
  • Description: Zoph is a PHP-based application for managing digital photographs. Zoph is exposed to a cross-site scripting issue because it fails to sufficiently sanitize user-supplied data. An attacker may leverage this issue to execute arbitrary script code in the browser of an unsuspecting user in the context of the affected site. Zoph versions prior to 0.7.0.6 are affected.
  • Ref: http://sourceforge.net/forum/forum.php?forum_id=974222

  • 09.28.25 - CVE: Not Available
  • Platform: Web Application - Cross Site Scripting
  • Title: Microsoft Internet Explorer "javascript:" URI in "Refresh" Header Cross-Site Scripting
  • Description: Microsoft Internet Explorer is a web browser for Windows platforms. Microsoft Internet Explorer is exposed to a cross-site scripting issue because the application fails to properly sanitize user-supplied input. The problem occurs when a "Refresh" header contains a "javascript:" URI. Internet Explorer version 6 is affected.
  • Ref: http://www.securityfocus.com/archive/1/504718

  • 09.28.26 - CVE: Not Available
  • Platform: Web Application - Cross Site Scripting
  • Title: Opera Web Browser "javascript:" URI in "Refresh" Header Cross-Site Scripting
  • Description: Opera Web Browser is a browser that runs on multiple operating systems. Opera Web Browser is exposed to a cross-site scripting issue because the application fails to properly sanitize user-supplied input. The problem occurs when a "Refresh" header contains a "javascript:" URI. Opera version 9.52 is affected.
  • Ref: http://www.securityfocus.com/archive/1/504718

  • 09.28.27 - CVE: Not Available
  • Platform: Web Application - Cross Site Scripting
  • Title: Google Chrome "javascript:" URI in "Refresh" Header Cross-Site Scripting
  • Description: Google Chrome is a web browser. Google Chrome is exposed to a cross-site scripting issue because the application fails to properly sanitize user-supplied input. The problem occurs when a "Refresh" header contains a "javascript:" URI. Google Chrome version 1.0.154.48 is affected.
  • Ref: http://www.securityfocus.com/archive/1/504723

  • 09.28.28 - CVE: Not Available
  • Platform: Web Application - Cross Site Scripting
  • Title: Horde "Passwd" Module Cross-Site Scripting
  • Description: The "Passwd" module for Horde provides support for changing passwords via Poppassd, LDAP, Unix expect scripts, the Unix smbpasswd command for SMB/CIFS passwords, Kolab, ADSI, Pine, Serv-U FTP, VMailMgr, vpopmail, and SQL passwords. The application is exposed to a cross-site scripting issue because it fails to sanitize user-supplied input. The vulnerability affects the "backend" parameter of the "main.php" script. Horde "Passwd" module versions prior to 3.1.1 are affected.
  • Ref: http://bugs.horde.org/ticket/8398

  • 09.28.29 - CVE: Not Available
  • Platform: Web Application - Cross Site Scripting
  • Title: CMME "admin.php" Parameter Cross-Site Scripting
  • Description: CMME is a PHP-based content manager. The application is exposed to a cross-site scripting issue because it fails to sanitize user-supplied input. Specifically, the issue affects the "username" parameter in the "admin.php" script. CMME versions prior to 1.22 are affected.
  • Ref: http://sourceforge.net/tracker/?func=detail&aid=2500186&group_id=215535&atid=1034058

  • 09.28.30 - CVE: Not Available
  • Platform: Web Application - SQL Injection
  • Title: Opial "admin/index.php" SQL Injection
  • Description: Opial is a PHP-based content manager for music downloading web sites. The application is exposed to an SQL injection issue because it fails to sufficiently sanitize user-supplied data to the "User Name" textbox when logging in as an administrator via the "admin/index.php" script.
  • Ref: http://www.securityfocus.com/bid/35560

  • 09.28.31 - CVE: Not Available
  • Platform: Web Application - SQL Injection
  • Title: ConPresso CMS "detail.php" SQL Injection
  • Description: Conpresso CMS is a PHP-based content manager. The application is exposed to an SQL injection issue because it fails to sufficiently sanitize user-supplied data to the "nr" parameter of the "detail.php" script before using it in an SQL query. Conpresso CMS version 3.4.8 is affected.
  • Ref: http://www.securityfocus.com/bid/35561

  • 09.28.32 - CVE: Not Available
  • Platform: Web Application - SQL Injection
  • Title: Opial "albumdetail.php" SQL Injection
  • Description: Opial is a PHP-based content manager for music downloading web sites. The application is exposed to an SQL injection issue because it fails to sufficiently sanitize user-supplied data to the "albumid" parameter of the "albumdetail.php" script.
  • Ref: http://www.securityfocus.com/bid/35562

  • 09.28.33 - CVE: Not Available
  • Platform: Web Application - SQL Injection
  • Title: ClanSphere Multiple SQL Injection Vulnerabilities
  • Description: ClanSphere is a PHP-based content manager. The application is exposed to multiple unspecified SQL injection issues because it fails to sufficiently sanitize user-supplied data to the following scripts and parameters before using it in an SQL query. Some of these issues affect the "gbook" module. ClanSphere versions prior to 2009.0.1 are affected.
  • Ref: http://www.clansphere.net/index/news/view/id/405/

  • 09.28.34 - CVE: Not Available
  • Platform: Web Application - SQL Injection
  • Title: Siteframe "document.php" SQL Injection
  • Description: Siteframe is a content manager implemented in PHP. The application is exposed to an SQL injection issue because it fails to sufficiently sanitize user-supplied data to the "id" parameter of the "document.php" script before using it in an SQL query. Siteframe version 3.2.3 is affected.
  • Ref: http://www.securityfocus.com/bid/35597

  • 09.28.35 - CVE: Not Available
  • Platform: Web Application
  • Title: Drupal Cross-Site Scripting, Code Injection and Information Disclosure Vulnerabilities
  • Description: Drupal is a web-based content manager. The application is exposed to multiple security issues. The problem occurs if the current page contains a sortable table, or if the victim is enticed to follow a malicious URI while Drupal page cache is enabled. To exploit this issue an attacker must wait for a victim to enter incorrect login information. Drupal versions 5.x prior to 5.19 and 6.x prior to 6.13 are affected.
  • Ref: http://drupal.org/node/507580

  • 09.28.36 - CVE: Not Available
  • Platform: Web Application
  • Title: phion airlock Remote Command Execution and Denial of Service
  • Description: phion airlock is a web application firewall (WAF). phion airlock is exposed to an input validation issue. Specifically, specially crafted image size parameters in the URI to the airlock Configuration Center may render the system unusable and lead to a crash. Furthermore this vulnerability also allows executing arbitrary system commands via unspecified vectors. phion airlock version 4.1-10.41 is affected.
  • Ref: http://www.h4ck1nb3rg.at/wafs/advisory_phion_airlock_200907.txt

  • 09.28.37 - CVE: Not Available
  • Platform: Web Application
  • Title: art of defence hyperguard Remote Denial of Service
  • Description: art of defence hyperguard is a web application firewall (WAF). hyperguard is available as a plug-in for several web servers including Apache. The application is exposed to a denial of service issue. This issue occurs when the webserver attempts to process a large number of HTTP POST requests with a high "Content-Length" header value and without any content. This will result in a kernel panic. art of defence hyperguard versions prior to 3.1.1-11637, 3.0.3-11636 and 2.5.5-11635 are affected.
  • Ref: http://www.h4ck1nb3rg.at/wafs/advisory_artofdefence_hyperguard_200907.txt

  • 09.28.38 - CVE: Not Available
  • Platform: Web Application
  • Title: Radware AppWall Source Code Information Disclosure
  • Description: Radware AppWall is a web application firewall (WAF). AppWall is exposed to an issue that lets attackers access source code files. Specifically, files with the ".inc" extension are affected by this issue. AppWall version 1.0.2.6 and Gateway version 4.6.0.2 are affected.
  • Ref: http://web.nvd.nist.gov/view/vuln/detail?execution=e1s1

  • 09.28.39 - CVE: Not Available
  • Platform: Web Application
  • Title: ADbNewsSender "path_to_lang" Parameter Local File Include
  • Description: ADbNewsSender is a web-based application used to send newsletters. The application is exposed to a local file include issue because it fails to properly sanitize user-supplied input to the "path_to_lang" parameter of the "maillinglist/setup/step1.php.inc" script. ADbNewsSender versions 1.5.5 and earlier are affected.
  • Ref: http://sourceforge.net/project/shownotes.php?release_id=694644

  • 09.28.40 - CVE: Not Available
  • Platform: Web Application
  • Title: Siteframe "phpinfo.php" Information Disclosure
  • Description: Siteframe is a web-based content manager implemented in PHP. The application is exposed to an information disclosure issue. Specifically, an unauthorized attacker may obtain PHP configuration details via the "phpinfo.php" script. Siteframe version 3.2.3 is affected.
  • Ref: http://www.securityfocus.com/bid/35598

  • 09.28.41 - CVE: Not Available
  • Platform: Network Device
  • Title: Sourcefire 3D Sensor and Defense Center "user.cgi" Security Bypass Vulnerabilities
  • Description: Sourcefire 3D Sensor and Defense Center are network intrusion detection hardware appliances. Both devices support a web-based administrative interface. The web interface is exposed to multiple security bypass issues. Sourcefire 3D Sensor versions prior to 4.8.2 and Sourcefire Defense Center versions prior to 4.8.2 are affected.
  • Ref: http://www.securityfocus.com/archive/1/504694

  • 09.28.42 - CVE: Not Available
  • Platform: Network Device
  • Title: Axesstel MV 410R Multiple Remote Vulnerabilities and Weakness
  • Description: Axesstel MV 410R is a wireless modem. Axesstel MV 410R is exposed to multiple remote issues and a weakness. An attacker can exploit these issues to gain access to valid login credentials, gain access to sensitive information, execute arbitrary code, steal cookie-based authentication credentials and redirect victims to a malicious site.
  • Ref: http://www.securityfocus.com/archive/1/504716

  • 09.28.43 - CVE: Not Available
  • Platform: Network Device
  • Title: Hitachi Multiple Products Remote Code Execution Vulnerabilities
  • Description: Multiple products from Hitachi are exposed to multiple remote code execution issues. Specifically, these issues occur when processing crafted ZIP archives or malicious UTF-8 data. A successful exploit would allow an attacker to execute arbitrary code in the context of the currently logged-in user or cause denial of service conditions.
  • Ref: http://www.securityfocus.com/bid/35589

  • 09.28.44 - CVE: Not Available
  • Platform: Network Device
  • Title: Symbian S60 Multiple Memory Corruption Vulnerabilities
  • Description: Symbian S60 is an operating system for mobile phones. Symbian S60 is exposed to multiple memory corruption issues when handling specially crafted MP4, MP2, h.263 and h.264 files. The following devices are affected: Nokia N96, Nokia E61i and Nokia E71.
  • Ref: http://www.securityfocus.com/archive/1/504757

(c) 2009. All rights reserved. The information contained in this newsletter, including any external links, is provided "AS IS," with no express or implied warranty, for informational purposes only. In some cases, copyright for material in this newsletter may be held by a party other than Qualys (as indicated herein) and permission to use such material must be requested from the copyright owner.

Subscriptions: @RISK is distributed free of charge by the SANS Institute to people responsible for managing and securing information systems and networks. You may forward this newsletter to others with such responsibility inside or outside your organization.