
@RISK: The Consensus Security Vulnerability Alert

Volume: VIII, Issue: 30
July 23, 2009

The Adobe FLASH and PDF problem is real and won't be solved for another week. Makes sense to figure out a way to get universal updates to your user base, quickly, after the announcement. Sad that Microsoft's Windows updates don't cover 3rd party software. They considered doing it and dropped the idea - probably worried about support and liability concerns.

Alan

@RISK is the SANS community's consensus bulletin summarizing the most important vulnerabilities and exploits identified during the past week and providing guidance on appropriate actions to protect your systems (PART I). It also includes a comprehensive list of all new vulnerabilities discovered in the past week (PART II).

Summary of the vulnerabilities reported this week:

    Platform                                 Number of Updates and Vulnerabilities
    --------------------------               -------------------------------------
    Third Party Windows Apps                  3 (#3)
    Linux                                     2
    BSD                                       1
    Solaris                                   4
    Novell                                    2 (#4)
    Cross Platform                           21 (#1, #2, #5, #6, #7)
    Web Application - Cross Site Scripting    2
    Web Application - SQL Injection           5
    Web Application                           8
    Network Device                            1

*************************************************************************

TRAINING UPDATE

- - SANS Network Security, San Diego Sept. 14-22; the Fall's biggest security training conference -- 20 full length courses and 16 short courses plus a big exhibition http://www.sans.org/ns2009
- - SANS Boston, Aug 2-9 (6 full-length hands-on courses) https://www.sans.org/boston09/index.php
- - The Virtualization and Cloud Security Summit on August 17-18 in Washington; courses in the following days http://www.sans.org/info/43118

Looking for training in your own community? http://sans.org/community/

Save on On-Demand training (30 full courses) - See samples at: http://www.sans.org/ondemand/spring09.php

Plus Tokyo, London, Ottawa, Canberra, and Kuala Lumpur, all in the next 90 days. For a list of all upcoming events, on-line and live: www.sans.org

*************************************************************************

Table Of Contents
Part II -- Comprehensive List of Newly Discovered Vulnerabilities from Qualys (www.qualys.com)
Third Party Windows Apps
Linux
BSD
Solaris
Novell
Cross Platform
Web Application - Cross Site Scripting
Web Application - SQL Injection
Web Application
Network Device

************************* Sponsored Links: ****************************

1) WEBCAST: How Browser Exploits Lead to Web 2.0 Hacking with keynote from IDC http://www.sans.org/info/46259

2) SANS Vendor Demo Spotlight: Websense Hosted Email & Web Security - Secure your Web 2.0 world. Easily control who/what/how/where users can access internet and email data. http://www.sans.org/info/46264

*************************************************************************

PART I Critical Vulnerabilities

Part I for this issue has been compiled by Rohan Kotian at TippingPoint, a division of 3Com, as a by-product of that company's continuous effort to ensure that its intrusion prevention products effectively block exploits using known vulnerabilities. TippingPoint's analysis is complemented by input from a council of security managers from twelve large organizations who confidentially share with SANS the specific actions they have taken to protect their systems. A detailed description of the process may be found at http://www.sans.org/newsletters/cva/#process

Widely Deployed Software
  • (1) CRITICAL: Adobe Acrobat/Reader and Adobe Flash Player Remote Code Execution Vulnerability
  • Affected:
    • Adobe Reader 9.1.2
    • Adobe Acrobat Standard 9.x
    • Adobe Acrobat Reader 9.x
    • Adobe Acrobat Professional 9.x
    • Adobe Flash Player 10.x
    • Adobe Flash Player 9.x
  • Description: Adobe Acrobat and Adobe Reader are the most widely used software for creating and viewing Portable Document Format (PDF) files. Adobe Flash Player is a multimedia application used for viewing animations in web browsers. A vulnerability in Adobe Flash Player and in Adobe Acrobat/Reader can be triggered by opening a specially crafted Flash (SWF) file, or a PDF file that embeds a malicious Flash (SWF) animation. The specific flaw lies in the "flash9f.dll" and "authplay.dll" modules. Successful exploitation might lead to a denial-of-service condition or compromise of the affected system. Note that, depending upon configuration, PDF documents may be opened by the vulnerable applications upon receipt without first prompting the user. Reports indicate that this vulnerability is being actively exploited in the wild.

  • Status: Vendor confirmed, no updates available yet. The vendor will provide an update for Flash Player v9 and v10 by 30th July 2009 and for Adobe Reader and Acrobat v9.1.2 by 31st July 2009.

  • References:
  • (3) HIGH: Google Chrome JavaScript Regular Expressions Memory Corruption Vulnerability
  • Affected:
    • Google Chrome versions prior to 2.0.172.37
  • Description: Google Chrome, a web browser from Google, is the fourth most popular browser with 1.8% usage share among all web browsers. It has a memory corruption vulnerability that can be triggered while parsing a specially crafted web page. The specific flaw is caused by inadequate checks while processing JavaScript regular expressions in a web page. Users would have to be tricked into visiting a website that hosts such a page, typically by persuading them to click on links in e-mail or P2P messages. Successful exploitation might lead to a heap-based buffer overflow followed by arbitrary code execution. Full technical details are publicly available.

  • Status: Vendor confirmed, updates available.

  • References:
  • (4) HIGH: Novell Privileged User Manager Remote Library Injection Vulnerability
  • Affected:
    • Novell Privileged User Manager 2.2
  • Description: Novell Privileged User Manager delivers superuser privilege management for UNIX/Linux environments. A vulnerability has been reported whereby an attacker can load arbitrary libraries or modules over the network and possibly compromise the vulnerable system. The specific flaw is caused by an improper implementation of the "spf" RPC call within the "unifid.exe" service, which listens on port 29010. Successful exploitation might allow an attacker to execute arbitrary code in the context of the service. Authentication is not required to exploit this vulnerability.

  • Status: Vendor confirmed, updates available.

  • References:
  • (5) HIGH: Common Data Format Multiple Vulnerabilities
  • Affected:
    • NASA Goddard Space Flight Center CDF version 3.2.4 and prior
  • Description: Common Data Format (CDF) is a data abstraction and library developed by NASA for storing and manipulating multi-dimensional data sets. Multiple memory corruption vulnerabilities have been identified that can be triggered by parsing a specially crafted CDF file. One of the flaws is an array indexing error in the "ReadAEDRList64()" function, caused by inadequate checks in the CDF reading routine while parsing a CDF file. There are other, as yet unspecified, memory corruption errors in functions such as "SearchForRecord_r_64()", "LastRecord64()" and "CDFsel64()". Successful exploitation might allow an attacker to execute arbitrary code. Technical details for one of the vulnerabilities are publicly available.

  • Status: Vendor confirmed, updates available.

  • References:
  • (6) MODERATE: Akamai Download Manager Redswoosh Downloads Buffer Overflow Vulnerability
  • Affected:
    • Akamai Download Manager versions prior to 2.2.4.8
  • Description: The Akamai Download Manager is a popular download management application from Akamai, delivered to browsers as an ActiveX control. It has a buffer overflow vulnerability that can be triggered by a specially crafted HTTP response. The specific flaw is a boundary error in manager.exe while handling downloads for Redswoosh, Akamai's peer-to-peer content delivery technology. Successful exploitation might allow an attacker to execute arbitrary code in the context of the logged-on user. Users would have to be tricked into visiting a web page that instantiates the control and points it at a malicious server, typically by persuading them to click on links in e-mail or P2P messages. Some technical details for this vulnerability are publicly available.

  • Status: Vendor confirmed, updates available. Users can mitigate the impact of this vulnerability by disabling the affected controls via Microsoft's "kill bit" mechanism for CLSIDs "4871A87A-BFDD-4106-8153-FFDE2BAC2967", "2AF5BD25-90C5-4EEC-88C5-B44DC2905D8B" and "FFBB3F3B-0A5A-4106-BE53-DFE1E2340CB1". A kill bit is set by creating the registry key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility\{CLSID} with a DWORD value "Compatibility Flags" of 0x00000400 (see Microsoft KB 240797); note that it prevents Internet Explorer and other hosts that honour the flag from instantiating the control, but does not remove the vulnerable code from the system.

  • References:
  • (7) LOW: Armed Assault Multiple Vulnerabilities
  • Affected:
    • Armed Assault version 1.14 and prior
    • Armed Assault II version 1.02 and prior
  • Description: Armed Assault is a tactical military shooter game developed by Bohemia Interactive. Multiple vulnerabilities have been identified in Armed Assault that might lead to a denial-of-service condition or even arbitrary code execution. The first issue is caused by an error in the handling of the last field of the join packet. The second issue is a format string error while processing the nickname or the datafile field of a specially crafted join packet. The third issue is caused by inadequate checks on the voice data packets sent to port 2305. Technical details for these vulnerabilities are publicly available along with proof-of-concept code.

  • Status: Vendor confirmed, updates available.

  • References:
Part II: Weekly Comprehensive List of Newly Discovered Vulnerabilities
Week 30, 2009

This list is compiled by Qualys ( www.qualys.com ) as part of that company's ongoing effort to ensure its vulnerability management web service tests for all known vulnerabilities that can be scanned. As of this week Qualys scans for 7288 unique vulnerabilities. For this special SANS community listing, Qualys also includes vulnerabilities that cannot be scanned remotely.


  • 09.30.1 - CVE: Not Available
  • Platform: Third Party Windows Apps
  • Title: Google Chrome Javascript Regular Expression Handling Remote Code Execution
  • Description: Google Chrome is a web browser. Chrome is exposed to a remote code execution issue. Specifically, this issue stems from a heap overflow condition that arises when the application handles malformed JavaScript regular expressions. Chrome versions prior to 2.0.172.37 are affected. Ref: http://googlechromereleases.blogspot.com/2009/07/stable-beta-update-bug-fixes.html

  • 09.30.2 - CVE: Not Available
  • Platform: Third Party Windows Apps
  • Title: Google Chrome Privilege Escalation Weakness
  • Description: Google Chrome is a web browser for Microsoft Windows. Google Chrome is exposed to a weakness that may allow attackers to escalate privileges after carrying out a successful code execution attack against a renderer (tab) process. The issue arises because a compromised renderer (tab) process can cause the browser process to allocate very large memory buffers. Chrome versions prior to 2.0.172.37 are affected. Ref: http://googlechromereleases.blogspot.com/2009/07/stable-beta-update-bug-fixes.html

  • 09.30.3 - CVE: Not Available
  • Platform: Third Party Windows Apps
  • Title: iDefense COMRaider ActiveX Control Multiple Insecure Method Vulnerabilities
  • Description: iDefense COMRaider is an ActiveX fuzzing utility. The iDefense COMRaider ActiveX control is exposed to multiple insecure method issues. An attacker can exploit these issues by enticing an unsuspecting victim to visit a malicious HTML page.
  • Ref: http://www.securityfocus.com/archive/1/505042

  • 09.30.4 - CVE: Not Available
  • Platform: Linux
  • Title: Linux Kernel "tun_chr_poll()" NULL Pointer Dereference
  • Description: The Linux kernel is exposed to a local NULL pointer dereference issue. The flaw is in the "tun_chr_poll" function in "drivers/net/tun.c": the code reads through the "tun" pointer (tun->sk) before checking it for NULL. The check exists in the source code but is absent from the compiled code, because GCC's -fdelete-null-pointer-checks optimisation (enabled by default at -O2) treats the earlier dereference as proof that the pointer cannot be NULL and removes the later test. A local user who can call poll() on a tun file descriptor that has no device attached therefore reaches the dereference instead of the POLLERR return. Linux kernel version 2.6.30 is affected.
  • Ref: http://lkml.org/lkml/2009/7/6/19
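The ordering bug described above, as an added example that is not from the bulletin or the Linux source: a user-space model in which the struct shapes and the names poll_vulnerable/poll_fixed are simplified stand-ins for the kernel's tun_file, tun_struct and tun_chr_poll(), chosen only so the two orderings can be compiled side by side and the missing branch inspected in the generated assembly.

```c
/* Added example, not code from the @RISK bulletin or the Linux kernel:
 * a user-space model of the 2.6.30 tun_chr_poll() ordering bug.  The
 * struct layouts and names below are simplified stand-ins (assumptions),
 * chosen only so the two orderings can be compiled and compared. */
#include <stdio.h>
#include <stddef.h>

#define POLLIN  0x0001U   /* same values as the kernel's poll.h */
#define POLLERR 0x0008U

struct sock       { int rx_pending; };         /* stand-in: data queued for read */
struct tun_struct { struct sock *sk; };        /* stand-in for the tun device    */
struct tun_file   { struct tun_struct *tun; }; /* stand-in for file->private_data */

/* The 2.6.30 ordering: tun->sk is read BEFORE "if (!tun)".  Because a
 * NULL dereference is undefined behaviour in C, GCC's
 * -fdelete-null-pointer-checks (on by default at -O2) may treat the read
 * as proof that tun is non-NULL and delete the branch: the check is in
 * the source but not in the binary, exactly as the entry says. */
static unsigned int poll_vulnerable(struct tun_file *tfile)
{
    struct tun_struct *tun = tfile->tun;
    struct sock *sk = tun->sk;        /* dereference before the check */
    unsigned int mask = 0;

    if (!tun)                          /* candidate for deletion by the optimiser */
        return POLLERR;

    if (sk->rx_pending)
        mask |= POLLIN;
    return mask;
}

/* The fix: nothing is dereferenced until tun is known to be non-NULL,
 * so the compiler has no undefined behaviour to reason from and the
 * check survives at every optimisation level. */
static unsigned int poll_fixed(struct tun_file *tfile)
{
    struct tun_struct *tun = tfile->tun;
    struct sock *sk;
    unsigned int mask = 0;

    if (!tun)
        return POLLERR;

    sk = tun->sk;
    if (sk->rx_pending)
        mask |= POLLIN;
    return mask;
}

/* Constructed fixtures: an fd with a device attached, and one without
 * (the second models poll() before any device has been attached). */
static unsigned int demo_fixed_attached(void)
{
    struct sock s = { 1 };
    struct tun_struct t = { &s };
    struct tun_file f = { &t };
    return poll_fixed(&f);             /* POLLIN */
}

static unsigned int demo_fixed_detached(void)
{
    struct tun_file f = { NULL };
    return poll_fixed(&f);             /* POLLERR: the check fires */
}

static unsigned int demo_vulnerable_attached(void)
{
    struct sock s = { 0 };
    struct tun_struct t = { &s };
    struct tun_file f = { &t };
    return poll_vulnerable(&f);        /* 0: safe only because tun != NULL */
}

int main(void)
{
    printf("fixed/attached = 0x%x\n", demo_fixed_attached());
    printf("fixed/detached = 0x%x\n", demo_fixed_detached());
    printf("vuln/attached  = 0x%x\n", demo_vulnerable_attached());
    /* poll_vulnerable() on a detached fd is deliberately not called:
     * in user space it segfaults; in the kernel it is the bug. */
    return 0;
}
```

Compile with `gcc -O2 -S` and compare the two functions: the test against NULL is typically gone from poll_vulnerable but present in poll_fixed. Building with `-fno-delete-null-pointer-checks`, which the kernel build gained after this bug, keeps the branch even in the vulnerable ordering, but the real fix is to check before dereferencing.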

  • 09.30.5 - CVE: Not Available
  • Platform: Linux
  • Title: Linux Kernel SGI GRU Driver Off By One
  • Description: The Linux kernel is exposed to an off-by-one issue that may allow attackers to trigger a denial of service condition. Specifically, this issue occurs in the "drivers/misc/sgi-gru/gruprocfs.c" source file of the SGI GRU driver. The flaw can be exploited to write a NUL byte at an arbitrary location in kernel memory. Ref: http://xorl.wordpress.com/2009/07/21/linux-kernel-sgi-gru-driver-off-by-one-overwrite/

  • 09.30.6 - CVE: Not Available
  • Platform: BSD
  • Title: FreeBSD "PECOFF_SUPPORT" Local Denial of Service
  • Description: FreeBSD is prone to a local denial of service vulnerability. This issue affects the "PECOFF_SUPPORT" kernel option, which is used to provide support for portable executable (PE) binary files. Specifically, this issue may lead to a kernel panic when attempting to load a maliciously constructed binary file. FreeBSD version 7.2 is affected.
  • Ref: http://www.securityfocus.com/bid/35739

  • 09.30.7 - CVE: Not Available
  • Platform: Solaris
  • Title: Sun Solaris SCTP Packet Processing Remote Denial of Service
  • Description: Sun Solaris is exposed to a remote denial of service issue. The denial of service issue exists in the SCTP "sctp(7P)" packet processing routines. Exploiting this issue allows attackers to panic the vulnerable system, effectively denying service to legitimate users. Solaris 10 and OpenSolaris snv_01 through snv_119 are affected.
  • Ref: http://sunsolve.sun.com/search/document.do?assetkey=1-66-253608-1

  • 09.30.8 - CVE: Not Available
  • Platform: Solaris
  • Title: Sun Solaris NFS Version 4 Kernel Module Local Denial of Service
  • Description: Sun Solaris is a UNIX based operating system. The Solaris NFSv4 kernel module is exposed to an unspecified local denial of service issue. Local attackers may exploit this issue to panic an NFSv4 client system, denying service to legitimate users. Sun Solaris 10 and OpenSolaris based upon builds snv_102 through snv_119 are affected.
  • Ref: http://sunsolve.sun.com/search/document.do?assetkey=1-66-262788-1

  • 09.30.9 - CVE: Not Available
  • Platform: Solaris
  • Title: Sun Solaris IP Filter (ipf(5)) Remote Denial of Service
  • Description: Sun Solaris is exposed to a remote denial of service issue that occurs in Solaris IP Filter (ipfilter(5)). Solaris 10 and OpenSolaris snv_45 through snv_110 are affected.
  • Ref: http://sunsolve.sun.com/search/document.do?assetkey=1-66-260951-1

  • 09.30.10 - CVE: Not Available
  • Platform: Solaris
  • Title: Sun Solaris XScreenSaver Local Information Disclosure
  • Description: XScreenSaver is a screen saver for Linux and Unix systems running the X11 Window System. Solaris XScreenSaver program is exposed to a local information disclosure issue. Solaris 8, Solaris 9, Solaris 10 and OpenSolaris Operating Systems are affected.
  • Ref: http://sunsolve.sun.com/search/document.do?assetkey=1-66-264048-1

  • 09.30.11 - CVE: Not Available
  • Platform: Novell
  • Title: Novell Access Manager Administration Console Information Disclosure
  • Description: Novell Access Manager is an application that provides a single sign on feature for all corporate web applications. The application is exposed to a remote unspecified information disclosure issue that may allow an attacker to access system files from the Administration Console. Novell Access Manager versions prior to 3.1 SP1 are affected. Ref: http://www.novell.com/documentation/novellaccessmanager31/accessmanager_readme/data/accessmanager_readme.html#bktec02

  • 09.30.12 - CVE: Not Available
  • Platform: Novell
  • Title: Novell Privileged User Manager Remote Library Injection
  • Description: Novell Privileged User Manager is an application used to manage super users across an enterprise. The application is exposed to a remote library injection issue due to an unspecified error. Novell Privileged User Manager 2.2.0 is affected.
  • Ref: http://www.novell.com/support/viewContent.do?externalId=7003640

  • 09.30.13 - CVE: CVE-2009-2048
  • Platform: Cross Platform
  • Title: Cisco Unified Contact Center Express (CCX) Arbitrary Script Injection
  • Description: Cisco Unified Contact Center Express (CCX) is a call center application. The application is exposed to an arbitrary script injection issue because it fails to sanitize user-supplied input to the web-based administration interface. This issue affects both the Customer Response Solutions (CRS) and Unified IP Interactive Voice Response (Unified IP IVR) products. Ref: http://www.cisco.com/en/US/products/products_security_advisory09186a0080ae04b2.shtml#@ID

  • 09.30.14 - CVE: CVE-2009-2479
  • Platform: Cross Platform
  • Title: Mozilla Firefox 3.5 Unicode Data Remote Stack Buffer Overflow
  • Description: Mozilla Firefox is a web browser available for various platforms. Firefox is exposed to a remote stack based buffer overflow issue that can be triggered by malicious JavaScript code operating on strings containing Unicode data. Firefox version 3.5 is affected. Ref: http://blog.mozilla.com/security/2009/07/19/milw0rm-9158-stack-overflow-crash-not-exploitable-cve-2009-2479/

  • 09.30.15 - CVE: Not Available
  • Platform: Cross Platform
  • Title: FCKeditor.Java Infinite Loop Denial of Service
  • Description: FCKeditor is an online text/DHTML editor. FCKeditor.Java allows integrating FCKeditor with Java applications. FCKeditor.Java is exposed to a remote denial of service issue because it fails to properly handle request parameters that contain "ctrl" characters. FCKeditor.Java versions prior to 2.4.2 are affected.
  • Ref: http://dev.fckeditor.net/ticket/3902

  • 09.30.16 - CVE: Not Available
  • Platform: Cross Platform
  • Title: Sun Ray Server Software "utdmsession" Command Security Bypass
  • Description: Sun Ray Server Software is an application used to deliver virtual Windows, Linux or Solaris OS desktop to Sun Ray clients. The application is exposed to a security bypass issue. Specifically the "utdmsession" command may allow unauthorized access to Sun Ray sessions of other users. Sun Ray Server Software version 4.0 is affected.
  • Ref: http://sunsolve.sun.com/search/document.do?assetkey=1-66-252226-1

  • 09.30.17 - CVE: Not Available
  • Platform: Cross Platform
  • Title: Sun Ray Server Multiple Vulnerabilities
  • Description: Sun Ray Server Software is used to deliver Solaris, Linux or Windows desktop sessions to Sun Ray thin clients. It is exposed to multiple unspecified issues. Sun Ray Server Software version 4.0 for Solaris 10 is affected.
  • Ref: http://sunsolve.sun.com/search/document.do?assetkey=1-66-253889-1

  • 09.30.18 - CVE: CVE-2009-2348
  • Platform: Cross Platform
  • Title: Open Handset Alliance Android Permission Verification Multiple Security Bypass Vulnerabilities
  • Description: Open Handset Alliance Android (previously Google Android) is a software stack and operating system for mobile phones. Android is exposed to multiple security bypass issues because permission checks may be bypassed by applications when they access camera and audio resources. All Open Handset Alliance Android 1.5 CRBxx versions are affected.
  • Ref: http://www.securityfocus.com/archive/1/505012

  • 09.30.19 - CVE: Not Available
  • Platform: Cross Platform
  • Title: MightSOFT Audio Editor Pro MP3 File Unspecified Memory Corruption
  • Description: MightSOFT Audio Editor Pro is an audio data editor for Microsoft Windows platforms. Audio Editor Pro is exposed to an unspecified memory corruption issue. An attacker can exploit this issue by tricking a victim into opening a malicious MP3 file to execute arbitrary code and to cause denial of service conditions.
  • Ref: http://www.securityfocus.com/bid/35719

  • 09.30.20 - CVE: CVE-2009-1894
  • Platform: Cross Platform
  • Title: PulseAudio setuid Local Privilege Escalation
  • Description: PulseAudio is a sound server available for various platforms. PulseAudio is exposed to a local privilege escalation issue because it does not drop privileges after being installed setuid root.
  • Ref: http://www.securityfocus.com/archive/1/505052

  • 09.30.21 - CVE: Not Available
  • Platform: Cross Platform
  • Title: SAP NetWeaver Password Information Disclosure
  • Description: SAP NetWeaver is a platform for enterprise applications. The software is exposed to an information disclosure issue because it fails to properly secure communication channels between clients and servers. Specifically, SAP GUI clients and ABAP application servers use the "Dynamic Information and Action Gateway" (DIAG) and "Remote Function Call" (RFC) protocols to transmit authentication credentials, and neither protocol encrypts the traffic unless Secure Network Communications (SNC) is configured, so an attacker able to capture the traffic can recover the credentials.
  • Ref: http://www.securityfocus.com/bid/35729

  • 09.30.22 - CVE: Not Available
  • Platform: Cross Platform
  • Title: Multiple RadScripts Products Cross-Site Scripting and SQL Injection Vulnerabilities
  • Description: Multiple RadScripts products are exposed to an SQL injection issue and multiple cross-site scripting issues because they fail to sufficiently sanitize user-supplied data. Exploiting these issues could allow an attacker to steal cookie-based authentication credentials, compromise the application, access or modify data, or exploit latent vulnerabilities in the underlying database.
  • Ref: http://www.securityfocus.com/bid/35730

  • 09.30.23 - CVE: CVE-2009-2533
  • Platform: Cross Platform
  • Title: RealNetworks Helix Server "RTSP" Remote Denial of Service
  • Description: RealNetworks Helix Server is a multiformat, cross-platform streaming server. The application is exposed to a remote denial of service issue because it fails to properly handle invalid requests. Specifically, the issue occurs when the "rmserver" process receives multiple "RTSP (SET_PARAMETER)" requests with no content in the "DataConvertBuffer" parameter. Helix Server and Helix Mobile Server versions prior to 13.0.0 are affected.
  • Ref: http://www.coresecurity.com/content/real-helix-dna

  • 09.30.24 - CVE: CVE-2009-2534
  • Platform: Cross Platform
  • Title: RealNetworks Helix Server "SETUP" Remote Denial of Service
  • Description: RealNetworks Helix Server is a multiformat, cross-platform streaming server. The application is exposed to a remote denial of service issue because it fails to properly handle invalid requests. Specifically, the issue occurs when the server receives a "SETUP" request in which the "/" character is absent from the request line. Helix Server and Helix Mobile Server versions prior to 13.0.0 are affected.
  • Ref: http://www.coresecurity.com/content/real-helix-dna

  • 09.30.25 - CVE: Not Available
  • Platform: Cross Platform
  • Title: NOS getPlus Download Manager Insecure File Permissions Local Privilege Escalation
  • Description: NOS Microsystems getPlus Download Manager is an application that manages file downloads over the Internet. The application is exposed to a local privilege escalation issue that stems from a design error. This vulnerability occurs because the application assigns insecure file permissions to certain applications during installation.
  • Ref: http://retrogod.altervista.org/9sg_adobe_local.html

  • 09.30.26 - CVE: CVE-2009-0904
  • Platform: Cross Platform
  • Title: IBM WebSphere Application Server Stax XMLStreamWrite Security Bypass
  • Description: IBM WebSphere Application Server (WAS) is available for various operating systems. WAS is exposed to a security bypass issue that occurs when using IBM Stax XMLStreamWriter. Specifically, the service fails to properly validate XML encodings. WAS versions 6.1.0 prior to 6.1.0.25 are affected.
  • Ref: http://www-01.ibm.com/support/docview.wss?uid=swg1PK84015

  • 09.30.27 - CVE: Not Available
  • Platform: Cross Platform
  • Title: DD-WRT Web Management Interface Remote Arbitrary Shell Command Injection
  • Description: DD-WRT is a third-party, Linux-based firmware for consumer routers, originally derived from the Linksys WRT54G firmware. DD-WRT is exposed to a remote command injection issue because the CGI application behind its web-based management interface fails to adequately sanitize user-supplied input before using it in a shell command. DD-WRT version v24-sp1 is affected.
  • Ref: http://www.securityfocus.com/bid/35744

  • 09.30.28 - CVE: Not Available
  • Platform: Cross Platform
  • Title: KMPlayer ".srt" File Remote Buffer Overflow
  • Description: KMPlayer is a media player. KMPlayer is exposed to a remote stack based buffer overflow issue because it fails to perform adequate checks on user-supplied input. Specifically, this issue occurs when the application parses ".srt" subtitle files containing excessive data. KMPlayer version 2.9.4.1433 is affected.
  • Ref: http://www.securityfocus.com/bid/35745

  • 09.30.29 - CVE: Not Available
  • Platform: Cross Platform
  • Title: Wireshark 1.2.0 Multiple Vulnerabilities
  • Description: Wireshark (formerly Ethereal) is an application for analyzing network traffic; it is available for Microsoft Windows and UNIX-like operating systems. Wireshark is exposed to multiple issues when handling certain types of packets and protocols in varying conditions. Multiple vulnerabilities in AFS, Infiniband, Bluetooth L2CAP, RADIUS, MIOP and sFlow dissectors may be used to crash the application or use excessive memory and CPU, resulting in denial of service conditions. Wireshark versions 0.9.2 up to and including 1.2.0 are affected.
  • Ref: http://www.wireshark.org/security/wnpa-sec-2009-04.html

  • 09.30.30 - CVE: Not Available
  • Platform: Cross Platform
  • Title: Common Data Format Library Multiple Memory Corruption Vulnerabilities
  • Description: The Common Data Format (CDF) is a data format for the storage and manipulation of scalar and multidimensional data. The CDF library is exposed to multiple memory corruption issues. A successful attack will allow attacker-supplied code to run in the context of the victim opening the file. Failed exploit attempts will result in a denial of service condition. CDF version 3.2.4 is affected.
  • Ref: http://cdf.gsfc.nasa.gov/html/CDF_changesnote2.html

  • 09.30.31 - CVE: Not Available
  • Platform: Cross Platform
  • Title: ZNC File Upload Directory Traversal
  • Description: ZNC is a bouncer application for Internet Relay Chat (IRC). The application is exposed to a directory traversal issue because it fails to sufficiently sanitize user-supplied input before uploading files onto the web server. Specifically, the application allows any authenticated user to upload files using "dcc send *status". ZNC versions prior to 0.072 are affected. Ref: http://znc.svn.sourceforge.net/viewvc/znc?view=rev&sortby=rev&sortdir=down&revision=1570

  • 09.30.32 - CVE: CVE-2009-1194, CVE-2009-2462, CVE-2009-2463, CVE-2009-2464, CVE-2009-2465, CVE-2009-2466, CVE-2009-2467, CVE-2009-2468, CVE-2009-2469, CVE-2009-2471, CVE-2009-2472
  • Platform: Cross Platform
  • Title: Mozilla Firefox MFSA 2009-34, -35, -36, -37, -39, -40 Multiple Vulnerabilities
  • Description: The Mozilla Foundation has released multiple advisories to address vulnerabilities in Firefox:
    1. MFSA 2009-34 Crashes with evidence of memory corruption: This advisory addresses a number of crashes in Firefox and Thunderbird. These crashes may be due to memory corruption, resulting in a potential for the execution of arbitrary code.
    2. MFSA 2009-35 Crash and remote code execution during Flash player unloading: This advisory addresses a vulnerability (CVE-2009-2467) that occurs during Flash player unloading. The issue can be triggered by a malicious web page that presents a slow script dialog.
    3. MFSA 2009-36 Heap/integer overflows in font glyph rendering libraries: This advisory addresses heap and integer overflow vulnerabilities in the font glyph rendering libraries used by Firefox.
    4. MFSA 2009-37 Crash and remote code execution using watch and __defineSetter__ on SVG element: This advisory addresses a vulnerability (CVE-2009-2469) that occurs when a specific value is set on properties for the watch and __defineSetter__ functions of SVG elements.
    5. MFSA 2009-39 setTimeout loses XPCNativeWrappers: This advisory addresses a vulnerability (CVE-2009-2471) in setTimeout. The problem occurs when setTimeout is called with object parameters that should be protected by XPCNativeWrappers but instead lose their wrapper when the new function is compiled prior to execution.
    6. MFSA 2009-40 Multiple cross origin wrapper bypasses: This advisory addresses multiple issues (CVE-2009-2472) that may allow cross-origin wrapper bypasses. The issues can be exploited to construct objects that should be protected by an XPCCrossOriginWrapper without the wrapper.
    The vulnerabilities are fixed in Firefox 3.0.12 and 3.5.1.
  • Ref: http://www.mozilla.org/security/announce/2009/mfsa2009-35.html

  • 09.30.33 - CVE: Not Available
  • Platform: Cross Platform
  • Title: Adobe Acrobat, Reader and Flash Player Unspecified
  • Description: Adobe Acrobat and Reader are applications for handling PDF files; Adobe Flash Player is a multimedia application. They are available for multiple platforms. Adobe Acrobat, Reader and Flash Player are exposed to an unspecified issue. Adobe Reader and Acrobat version 9.1.2 and Adobe Flash Player versions 9 and 10 are affected. Ref: http://blogs.adobe.com/psirt/2009/07/potential_adobe_reader_and_fla.html

  • 09.30.34 - CVE: Not Available
  • Platform: Web Application - Cross Site Scripting
  • Title: YourFreeWorld Programs Rating Script Multiple Cross-Site Scripting Vulnerabilities
  • Description: Programs Rating Script is a web-based application. The application is exposed to multiple cross-site scripting issues because it fails to sufficiently sanitize user-supplied data. An attacker may leverage these issues to execute arbitrary script code in the browser of an unsuspecting user in the context of the affected site.
  • Ref: http://www.securityfocus.com/bid/35746

  • 09.30.35 - CVE: Not Available
  • Platform: Web Application - Cross Site Scripting
  • Title: WordPress Comment Author URI Cross-Site Scripting
  • Description: WordPress allows users to generate news pages and web-logs dynamically; it is implemented in PHP with a MySQL database. The application is exposed to a cross-site scripting issue because it fails to properly sanitize user-supplied input to comment author's URIs when they are displayed in the administrator pages. WordPress versions prior to 2.8.2 are affected.
  • Ref: http://wordpress.org/development/2009/07/wordpress-2-8-2/

  • 09.30.36 - CVE: Not Available
  • Platform: Web Application - SQL Injection
  • Title: WordPress My Category Order Plugin "parentID" Parameter SQL Injection
  • Description: My Category Order is a plugin for the WordPress web-based publishing application; it allows an explicit ordering for post categories. The plugin is exposed to an SQL injection issue because it fails to sufficiently sanitize user-supplied data to the "parentID" parameter of the "post-new.php" script when the "page" parameter is set to "mycategoryorder" and the "mode" parameter is set to "act_OrderCategories", before using the data in an SQL query. My Category Order version 2.8 is affected.
  • Ref: http://www.securityfocus.com/bid/35704

  • 09.30.37 - CVE: Not Available
  • Platform: Web Application - SQL Injection
  • Title: PHPLive! "request.php" SQL Injection
  • Description: PHPLive! is a live support solution. The application is exposed to an SQL injection issue because it fails to sufficiently sanitize user-supplied data to the "x" parameter of the "request.php" script. PHPLive! versions 3.2.1 and 3.2.2 are affected.
  • Ref: http://www.securityfocus.com/bid/35718

  • 09.30.38 - CVE: Not Available
  • Platform: Web Application - SQL Injection
  • Title: db Masters Multimedia Content Manager "id" Parameter SQL Injection
  • Description: db Masters Multimedia Content Manager is a web-based application. The application is exposed to an SQL injection issue because it fails to sufficiently sanitize user-supplied data to the "id" parameter of the "index.php" script before using it in an SQL query. db Masters Multimedia Content Manager version 4.5 is affected.
  • Ref: http://www.securityfocus.com/bid/35720

  • 09.30.39 - CVE: Not Available
  • Platform: Web Application - SQL Injection
  • Title: Joomla! Jobline Component "search" Parameter SQL Injection
  • Description: Jobline is a component for the Joomla! content manager. The application is exposed to an SQL injection issue because it fails to sufficiently sanitize user-supplied data to the "search" parameter of the "com_jobline" component before using it in an SQL query. Jobline version 1.1.3.1 is affected.
  • Ref: http://www.securityfocus.com/bid/35728

  • 09.30.40 - CVE: Not Available
  • Platform: Web Application - SQL Injection
  • Title: E-Xoopport MyAnnonces "lid" Parameter SQL Injection
  • Description: E-Xoopport MyAnnonces is an announcement module for the E-Xoopport content manager. The application is exposed to an SQL injection issue because it fails to sufficiently sanitize user-supplied data to the "lid" parameter when the "pa" parameter is set to "viewannonces".
  • Ref: http://www.securityfocus.com/bid/35744
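The five SQL injection entries above share one root cause: a request parameter is spliced into the text of an SQL statement instead of being bound as a value. The following is an added example, not code from any of the listed plugins or applications; it models an integer selector in the shape of the "parentID" parameter, with the schema, rows and request values constructed for the demo. It shows the vulnerable query rewritten by a UNION payload beside the parameterized fix.

```python
"""SQL injection through an integer request parameter, in the shape the
bulletin describes for the "parentID" parameter: the vulnerable query
beside its parameterized fix.  Added example, not the plugin's code; the
schema, rows and request values below are constructed for the demo."""
import sqlite3


def make_db() -> sqlite3.Connection:
    """Constructed sample schema: a category tree plus a users table."""
    conn = sqlite3.connect(":memory:")
    conn.executescript(
        """
        CREATE TABLE categories (id INTEGER, name TEXT, parent_id INTEGER);
        INSERT INTO categories VALUES (1, 'News', 0), (2, 'Sports', 1), (3, 'Hidden', 9);
        CREATE TABLE users (login TEXT, pass_hash TEXT);
        INSERT INTO users VALUES ('admin', '$P$BconstructedHash');
        """
    )
    return conn


def child_categories_vulnerable(conn: sqlite3.Connection, parent_id: str) -> list:
    """Unsafe pattern: the raw request string is formatted into the SQL text,
    so a value like "1 UNION ALL SELECT pass_hash FROM users" rewrites the
    query and returns rows from a table the page never meant to expose."""
    sql = f"SELECT name FROM categories WHERE parent_id = {parent_id}"
    return [row[0] for row in conn.execute(sql)]


def child_categories_hardened(conn: sqlite3.Connection, parent_id: str) -> list:
    """Fix: enforce the parameter's expected type, then bind it as a value.
    The SQL text is constant; a bound value is never parsed as SQL."""
    if not parent_id.isdigit():
        raise ValueError("parentID must be a non-negative integer")
    sql = "SELECT name FROM categories WHERE parent_id = ?"
    return [row[0] for row in conn.execute(sql, (int(parent_id),))]


# Constructed request values: a normal selector and an injection payload.
NORMAL_REQUEST = "1"
INJECTED_REQUEST = "1 UNION ALL SELECT pass_hash FROM users"

if __name__ == "__main__":
    db = make_db()
    print("vulnerable, normal  :", child_categories_vulnerable(db, NORMAL_REQUEST))
    print("vulnerable, injected:", child_categories_vulnerable(db, INJECTED_REQUEST))
    print("hardened, normal    :", child_categories_hardened(db, NORMAL_REQUEST))
    try:
        child_categories_hardened(db, INJECTED_REQUEST)
    except ValueError as exc:
        print("hardened, injected  : rejected,", exc)
```

The type check alone would stop this payload, but the binding is what makes the fix hold for string parameters such as "search" or "x" above, where there is no narrow type to enforce and quoting rules are easy to get wrong.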

  • 09.30.41 - CVE: Not Available
  • Platform: Web Application
  • Title: Drupal Submitted By "submitted by" Text HTML Injection
  • Description: Submitted By is a PHP-based component for the Drupal content manager. The application is exposed to an HTML injection issue because it fails to properly sanitize user-supplied input to the "submitted by" text before displaying it in a user's web browser.
  • Ref: http://drupal.org/node/519246

  • 09.30.42 - CVE: Not Available
  • Platform: Web Application
  • Title: Drupal Image Assist Module HTML Injection and Information Disclosure Vulnerabilities
  • Description: Drupal is a web-based content manager. Image Assist is a module for Drupal that allows users to upload and insert images inline into web content. The application is exposed to multiple security issues. An attacker may leverage these issues to obtain potentially sensitive information, execute arbitrary script code in the browser of an unsuspecting user in the context of the affected site, steal cookie-based authentication credentials, or control how the site is rendered to the user; other attacks are also possible.
  • Ref: http://www.securityfocus.com/bid/35710
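The WordPress comment author URI issue (09.30.35) and the Drupal "submitted by" text issue (09.30.41) are both output-encoding failures: an attacker-controlled string reaches an HTML attribute or text node unescaped, and the Image Assist entry above spells out the consequence, script running in an administrator's browser with access to that site's cookies. The following is an added example, not WordPress or Drupal code; the rendering functions, the allowed-scheme list and the sample comment values are constructed for the demo. It shows the unsafe rendering beside a version that validates the URI's scheme and escapes each value for the context it lands in.

```python
"""Stored cross-site scripting through a commenter's URI and display name,
as the bulletin describes for WordPress administrator pages and Drupal's
"submitted by" text.  Added example, not either project's code; the
functions, the scheme allowlist and the sample values are constructed."""
import html
from urllib.parse import urlsplit

# Assumption for the demo: author links may only point at http(s) URLs.
SAFE_SCHEMES = {"http", "https"}


def render_author_link_vulnerable(author: str, uri: str) -> str:
    """Unsafe pattern: both untrusted fields are pasted straight into markup.
    A javascript: URI or a quote in the URI runs in the viewer's browser."""
    return f'<a href="{uri}">{author}</a>'


def safe_uri(uri: str) -> str:
    """Allow only absolute http(s) URLs; anything else (javascript:, data:,
    scheme-relative //host) is dropped rather than repaired."""
    candidate = uri.strip()
    parts = urlsplit(candidate)
    if parts.scheme.lower() not in SAFE_SCHEMES or not parts.netloc:
        return ""
    return candidate


def render_author_link_hardened(author: str, uri: str) -> str:
    """Validate the URI's scheme, then escape for the destination context:
    the name is a text node, the URI is a double-quoted attribute value.
    html.escape(quote=True) neutralises <, >, &, and both quote characters,
    so a URI that passed the scheme check still cannot break out of href."""
    name = html.escape(author, quote=True)
    href = safe_uri(uri)
    if not href:
        return name  # rejected URI: render the name with no link at all
    return f'<a href="{html.escape(href, quote=True)}">{name}</a>'


# Constructed attacker-supplied comment fields.
SCRIPT_URI = "javascript:alert(document.cookie)"
BREAKOUT_URI = 'http://example.com/" onmouseover="alert(1)'
SCRIPT_NAME = "<b>x</b>"

if __name__ == "__main__":
    print(render_author_link_vulnerable("Bob", SCRIPT_URI))
    print(render_author_link_hardened("Bob", SCRIPT_URI))
    print(render_author_link_vulnerable(SCRIPT_NAME, BREAKOUT_URI))
    print(render_author_link_hardened(SCRIPT_NAME, BREAKOUT_URI))
```

Two layers are deliberate: escaping alone would leave the javascript: link clickable, and scheme validation alone would leave the quote breakout in the second payload. The same html.escape call is the whole fix for a plain text node such as the "submitted by" string.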

  • 09.30.43 - CVE: Not Available
  • Platform: Web Application
  • Title: Battle Blog SQL Injection and HTML Injection Vulnerabilities
  • Description: Battle Blog is a web application implemented in ASP. The application is exposed to multiple input validation issues, including SQL injection and HTML injection. Battle Blog version 1.25 is affected.
  • Ref: http://full-discl0sure.blogspot.com/2009/07/battle-blog-sqlhtml-injection.html

  • 09.30.44 - CVE: Not Available
  • Platform: Web Application
  • Title: HTMLDOC "html" File Handling Remote Stack Buffer Overflow
  • Description: HTMLDOC converts HTML files into indexed HTML, PDF, or PostScript formats. The application is exposed to a stack-based buffer overflow issue because it fails to perform adequate boundary checks on user-supplied input. This issue arises in the "set_page_size()" function when a specially crafted ".html" file is processed.
  • Ref: http://www.securityfocus.com/bid/35727

  • 09.30.45 - CVE: Not Available
  • Platform: Web Application
  • Title: GraFX MiniCWB "LANG" Parameter Multiple Remote File Include Vulnerabilities
  • Description: GraFX MiniCWB is a PHP-based content manager. The application is exposed to multiple remote file-include issues because it fails to sufficiently sanitize user-supplied input. MiniCWB version 2.3.0 is affected.
  • Ref: http://www.securityfocus.com/bid/35738

  • 09.30.46 - CVE: CVE-2009-2312, CVE-2009-2429
  • Platform: Web Application
  • Title: McAfee SmartFilter Multiple Information Disclosure Vulnerabilities
  • Description: McAfee SmartFilter is a web filtering application. SmartFilter is exposed to multiple information-disclosure issues. Specifically, the application fails to restrict access to the "config.txt" and the "admin_backup.xml" files. SmartFilter version 4.2.1.00 is affected.
  • Ref: http://archives.neohapsis.com/archives/fulldisclosure/2009-03/0314.html

  • 09.30.47 - CVE: Not Available
  • Platform: Web Application
  • Title: phpDirectorySource SQL Injection and Cross Site Scripting Vulnerabilities
  • Description: phpDirectorySource is a web-based application. Since it fails to sufficiently sanitize user-supplied data, the application is exposed to multiple input validation issues, including an SQL injection issue and a cross-site scripting issue. These issues affect the "st" parameter of the "search.php" script.
  • Ref: http://www.securityfocus.com/bid/35760

  • 09.30.48 - CVE: Not Available
  • Platform: Web Application
  • Title: phpGroupWare Multiple Input Validation Vulnerabilities
  • Description: phpGroupWare is a web-based application implemented in PHP. Since it fails to sufficiently sanitize user-supplied data, the application is exposed to multiple input validation issues. phpGroupWare version 0.9.16.12 is affected.
  • Ref: http://www.securityfocus.com/bid/35761

  • 09.30.49 - CVE: CVE-2009-2047
  • Platform: Network Device
  • Title: Cisco Unified Contact Center Express CRS Administration Interface Directory Traversal
  • Description: Cisco Unified Contact Center Express provides routing and call treatment for communication channels. Cisco Unified Contact Center Express is exposed to a directory traversal issue because it fails to properly sanitize user-supplied input. This issue occurs in the Customer Response Solution (CRS) Administration interface.
  • Ref: http://www.cisco.com/en/US/products/products_security_advisory09186a0080ae04b2.shtml#@ID
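The MiniCWB "LANG" file-include entry (09.30.45) and the Cisco CRS directory traversal entry (09.30.49) are the same defect seen from two sides: a request parameter chooses which file the server opens, and nothing confines that choice to the intended directory. The following is an added example, not code from either product; the directory layout, file contents and request values are constructed for the demo, and it models the local traversal half of the problem since a PHP-style remote include cannot be reproduced offline. It shows the unchecked path join beside a loader that applies an allowlist on the parameter and a containment check on the resolved path.

```python
"""Directory traversal and file inclusion through a path-selecting request
parameter, as the bulletin describes for the "LANG" parameter and the CRS
Administration interface: the unchecked join beside a hardened loader.
Added example, not either product's code; the directory layout, file
contents and request values are constructed for the demo."""
import os
import re
import tempfile
from pathlib import Path

# Assumption for the demo: valid language selectors are two lowercase letters.
LANG_CODE = re.compile(r"^[a-z]{2}$")


def build_fixture() -> Path:
    """Constructed web root: lang/en.txt, lang/de.txt, and a secret outside lang/."""
    root = Path(tempfile.mkdtemp())
    (root / "lang").mkdir()
    (root / "lang" / "en.txt").write_text("Hello")
    (root / "lang" / "de.txt").write_text("Hallo")
    (root / "config.txt").write_text("db_password=constructed-secret")
    return root


def load_lang_vulnerable(root: Path, lang: str) -> str:
    """Unsafe pattern: the request value is joined onto the path as-is.
    "../config.txt" walks out of lang/, and an absolute value replaces the
    base entirely because os.path.join discards every component before it."""
    with open(os.path.join(root, "lang", lang)) as fh:
        return fh.read()


def resolve_within(base: Path, user_path: str) -> Path:
    """Containment check: canonicalize, then require the result to stay under
    base.  Catches "../" sequences, absolute paths and symlinks pointing out."""
    base = base.resolve()
    target = (base / user_path).resolve()
    if target != base and base not in target.parents:
        raise PermissionError(f"{user_path!r} resolves outside {base}")
    return target


def load_lang_hardened(root: Path, lang: str) -> str:
    """Two independent layers: an allowlist on the parameter itself, and the
    containment check on the resolved path in case the allowlist is ever
    loosened.  Either failure rejects the request before a file is opened."""
    if not LANG_CODE.match(lang):
        raise ValueError(f"unknown language selector {lang!r}")
    return resolve_within(root / "lang", f"{lang}.txt").read_text()


if __name__ == "__main__":
    web_root = build_fixture()
    print("vulnerable, en.txt       :", load_lang_vulnerable(web_root, "en.txt"))
    print("vulnerable, ../config.txt:", load_lang_vulnerable(web_root, "../config.txt"))
    print("hardened, de             :", load_lang_hardened(web_root, "de"))
    for bad in ("../config", "/etc/passwd", "http://evil.example/shell"):
        try:
            load_lang_hardened(web_root, bad)
        except (ValueError, PermissionError) as exc:
            print("hardened, rejected       :", exc)
```

The allowlist is the primary control because it never lets the attacker's string touch the filesystem; the containment check stays as a guard for the day someone widens the pattern. Neither layer depends on stripping "../" sequences, which is the repair attempt that traversal payloads are built to defeat.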

(c) 2009. All rights reserved. The information contained in this newsletter, including any external links, is provided "AS IS," with no express or implied warranty, for informational purposes only. In some cases, copyright for material in this newsletter may be held by a party other than Qualys (as indicated herein) and permission to use such material must be requested from the copyright owner.

Subscriptions: @RISK is distributed free of charge by the SANS Institute to people responsible for managing and securing information systems and networks. You may forward this newsletter to others with such responsibility inside or outside your organization.