
@RISK: The Consensus Security Vulnerability Alert

Volume: VIII, Issue: 36
September 3, 2009

OpenOffice is the only tool that needs to be updated right away. Otherwise another quiet week.

You might find it of interest that the targeted attacks are growing in number and sophistication, but most are using old vulnerabilities because they don't seem to have to worry about comprehensive patching.

Sad.

Alan

@RISK is the SANS community's consensus bulletin summarizing the most important vulnerabilities and exploits identified during the past week and providing guidance on appropriate actions to protect your systems (PART I). It also includes a comprehensive list of all new vulnerabilities discovered in the past week (PART II).

Summary of the vulnerabilities reported this week:

Platform                                 Number of Updates and Vulnerabilities
--------------------------               -------------------------------------
Windows                                  1 (#3)
Other Microsoft Products                 1 (#2)
Third Party Windows Apps                 4
Linux                                    3
Solaris                                  1 (#4)
Cross Platform                           30 (#1)
Web Application - Cross Site Scripting   5
Web Application - SQL Injection          10
Web Application                          13
Network Device                           1

************************** Sponsored By HP ****************************

Today's security challenges: Hundreds of applications. Few security experts. Looming compliance deadlines. Tight budgets. Join HP & security experts from around the world for a virtual conference on Sept. 29-30.

We'll discuss these challenges in the context of emerging Web 2.0 & Cloud technologies. "HP Functionality, Performance & Security Testing in today's application realities." Register Now.

http://www.sans.org/info/48019

*************************************************************************

TRAINING UPDATE
- - SANS Network Security, San Diego Sept. 14-22; the Fall's biggest security training conference, http://www.sans.org/ns2009
- - The Virtualization and Cloud Security Summit on August 17-18 in Washington; http://www.sans.org/info/43118
- - SCADA Security Summit, Stockholm, Oct. 27-30, http://www.sans.org/euscada09_summit/
- - SANS Chicago North Shore, Oct. 26-Nov. 7, http://www.sans.org/chicago09/
- - SANS San Francisco, November 9-14, http://www.sans.org/sanfrancisco09
- - SANS CDI, Washington DC, Dec. 11-18, http://www.sans.org/cyber-defense-initiative-2009
- - Looking for training in your own community? http://sans.org/community/
- - Save on On-Demand training (30 full courses) - See samples at http://www.sans.org/ondemand/
- - For a list of all upcoming events, on-line and live: http://www.sans.org

*************************************************************************

Table Of Contents
Part II -- Comprehensive List of Newly Discovered Vulnerabilities from Qualys (www.qualys.com)
Windows
Other Microsoft Products
Third Party Windows Apps
Linux
Solaris
Cross Platform
Web Application - Cross Site Scripting
Web Application - SQL Injection
Web Application
Network Device

*************************** Sponsored Links: **************************

1) ***NEW*** SANS Free Vendor Audio Casts! Visit the SANS Reading Room and click on the Free Vendor Audio Casts link. http://www.sans.org/info/48024

2) Be sure to register for the upcoming Webcast: Mitigating Insider Threats through Proactive Identity Management http://www.sans.org/info/48029

3) Register today for SANS vLive course, Audit 423: SANS® +S™ Training for the CISA® Certification Exam and receive 10% discount. http://www.sans.org/info/48034

*************************************************************************

PART I Critical Vulnerabilities

Part I for this issue has been compiled by Rohan Kotian at TippingPoint, a division of 3Com, as a by-product of that company's continuous effort to ensure that its intrusion prevention products effectively block exploits using known vulnerabilities. TippingPoint's analysis is complemented by input from a council of security managers from twelve large organizations who confidentially share with SANS the specific actions they have taken to protect their systems. A detailed description of the process may be found at http://www.sans.org/newsletters/cva/#process

Widely Deployed Software
  • (1) HIGH: OpenOffice.org Word Document parsing Multiple Vulnerabilities
  • Affected:
    • OpenOffice.org 3.1
  • Description: OpenOffice.org is an open-source office software suite for Windows, Mac OS X, Linux, Solaris, and other operating systems. Multiple vulnerabilities have been identified in OpenOffice.org which can be triggered by opening a specially crafted Microsoft Word document with a vulnerable installation of OpenOffice.org. The first issue is an integer underflow error in OpenOffice.org while parsing certain records in the Word document table. The second issue is a boundary error while parsing certain records, which can lead to a heap overflow. Successful exploitation in both cases might allow an attacker to execute arbitrary code. Note that, depending upon configuration, documents may be opened by the vulnerable application upon receipt, without first prompting the user. Full technical details for this vulnerability are available via source code analysis.

  • Status: Vendor confirmed, updates available.

  • References:

  • (3) MODERATE: MailEnable 'MEHTTPS.EXE' Buffer Overflow Vulnerability
  • Affected:
    • MailEnable Professional 1.52
  • Description: MailEnable is an enterprise-level mail server solution for Microsoft Windows providing email access over a variety of protocols. A stack-based buffer overflow vulnerability has been identified in MailEnable. The specific flaw is in the 'MEHTTPS.EXE' service, which fails to perform proper bounds checking on user-supplied data. Successful exploitation might allow an attacker to execute arbitrary code, and unsuccessful attempts might lead to a denial-of-service condition. Technical details for the vulnerability are publicly available.

  • Status: Vendor confirmed, no updates available.

  • References:

  • (4) MODERATE: Sun Solaris 'sockfs' HTTP Request Denial of Service Vulnerability
  • Affected:
    • Sun Solaris 10
    • Sun Open Solaris
  • Description: Sun Solaris, a UNIX-based operating system from Sun Microsystems, has a denial-of-service vulnerability. A specially crafted HTTP request can be used to trigger this vulnerability. The flaw is caused by an unspecified error in the "sockfs" kernel module while handling web-server traffic. For an exploit to be successful, Network Cache Accelerator (NCA) logging has to be enabled. Some technical details are provided for this vulnerability.

  • Status: Vendor confirmed, updates available.

  • References:

Part II: Weekly Comprehensive List of Newly Discovered Vulnerabilities
Week 36, 2009

This list is compiled by Qualys (www.qualys.com) as part of that company's ongoing effort to ensure its vulnerability management web service tests for all known vulnerabilities that can be scanned. As of this week Qualys scans for 7394 unique vulnerabilities. For this special SANS community listing, Qualys also includes vulnerabilities that cannot be scanned remotely.

  • 09.36.1 - CVE: Not Available
  • Platform: Windows
  • Title: MailEnable "MEHTTPS.EXE" Stack-Based Buffer Overflow
  • Description: MailEnable is a commercially available mail server for the Microsoft Windows platform. The application is exposed to a stack-based buffer overflow issue because it fails to bounds check user-supplied data before copying it into an insufficiently sized buffer. This issue occurs when a specially crafted base64-encoded string is sent to the "MEHTTPS.EXE" service. MailEnable version 1.52 is affected.
  • Ref: http://www.securityfocus.com/bid/36197

  • 09.36.2 - CVE: Not Available
  • Platform: Other Microsoft Products
  • Title: Microsoft IIS FTPd Remote Buffer Overflow
  • Description: Microsoft Internet Information Services (IIS) is a web server for Microsoft Windows. The application is exposed to a remote buffer overflow issue because it fails to perform adequate boundary checks on user-supplied data. The vulnerability occurs when handling specially crafted input to the application's FTP server. IIS versions 5.0 and 6.0 are affected.
  • Ref: http://www.kb.cert.org/vuls/id/276653

  • 09.36.3 - CVE: Not Available
  • Platform: Third Party Windows Apps
  • Title: Symantec Altiris Deployment Solution "DBManager" Authentication Bypass
  • Description: Symantec Altiris Deployment Solution is software for deploying and managing servers, desktops, notebooks, thin clients, and handheld devices from a centralized location. It is available for Microsoft Windows. Symantec Altiris Deployment Solution is exposed to an issue that allows an attacker to bypass authentication and gain unauthorized access to the affected application. Altiris Deployment Solution versions 6.9 prior to 6.9 SP3 Build 430 are affected.
  • Ref: http://www.symantec.com/business/security_response/securityupdates/detail.jsp?fid=security_advisory&pvid=security_advisory&year=2009&suid=20090826_00

  • 09.36.4 - CVE: Not Available
  • Platform: Third Party Windows Apps
  • Title: Symantec Altiris Deployment Solution "Aclient" Local Privilege Escalation
  • Description: Symantec Altiris Deployment Solution is software for deploying and managing servers, desktops, notebooks, thin clients, and handheld devices from a centralized location. Symantec Altiris Deployment Solution is exposed to a local privilege escalation issue that occurs in the "Aclient" client graphical user interface (GUI). Altiris Deployment Solution versions 6.9 prior to 6.9 SP3 Build 430 are affected.
  • Ref: http://www.symantec.com/business/security_response/securityupdates/detail.jsp?fid=security_advisory&pvid=security_advisory&year=2009&suid=20090826_00

  • 09.36.5 - CVE: Not Available
  • Platform: Third Party Windows Apps
  • Title: Nokia Multimedia Player Remote Denial of Service
  • Description: Nokia Multimedia Player is a media player for Microsoft Windows. Nokia Multimedia Player is exposed to a remote denial of service issue that occurs when the application handles a specially-crafted ".npl" file. Nokia Multimedia Player version 1.1 is affected.
  • Ref: http://www.securityfocus.com/bid/36215

  • 09.36.6 - CVE: Not Available
  • Platform: Third Party Windows Apps
  • Title: SmartVMD ActiveX Control "VideoMovementDetection.dll" Buffer Overflow
  • Description: SmartVMD is an application for video motion detection. The ActiveX control is exposed to a buffer overflow issue because it fails to perform adequate boundary checks on user-supplied input. The issue affects the "StartVideoSaving()" function of the "VideoMovementDetection.dll" control. SmartVMD version 1.3 is affected.
  • Ref: http://support.microsoft.com/kb/240797

  • 09.36.7 - CVE: Not Available
  • Platform: Linux
  • Title: Linux Kernel Multiple Protocols Local Information Disclosure Vulnerabilities
  • Description: The Linux kernel is exposed to multiple local information disclosure issues because it fails to properly clear certain structure members before sending them to user space. Successful exploits will disclose a certain amount of kernel stack memory. Local attackers can exploit these issues to obtain sensitive information that may lead to further attacks.
  • Ref: http://git.kernel.org/?p=linux/kernel/git/torvalds/linux-2.6.git;a=commitdiff;h=e84b90ae5eb3c112d1f208964df1d8156a538289

  • 09.36.8 - CVE: Not Available
  • Platform: Linux
  • Title: Linux Kernel "drivers/char/tty_ldisc.c" NULL Pointer Dereference Denial of Service
  • Description: The Linux kernel is exposed to a local denial of service issue that affects the "tty_ldisc_restore()" and "tty_ldisc_hangup()" functions in the "drivers/char/tty_ldisc.c" source file. Linux kernel version 2.6.26 is affected.
  • Ref: http://lkml.org/lkml/2009/8/20/68

  • 09.36.9 - CVE: CVE-2009-2697
  • Platform: Linux
  • Title: Red Hat GNOME Display Manager Security Bypass
  • Description: GNOME Display Manager (GDM) is a display manager for the X Window System. The Red Hat GNOME Display Manager package is exposed to an issue that may create a false sense of security. Specifically, the package is built without TCP wrappers support. This may cause an administrator to incorrectly assume that access restrictions are in place. Red Hat Enterprise Linux Desktop (v.5 client) and Red Hat Enterprise Linux (v.5 server) are affected.
  • Ref: http://www.securityfocus.com/bid/36219

  • 09.36.10 - CVE: Not Available
  • Platform: Solaris
  • Title: Sun Solaris "sockfs" Kernel Module Remote Denial of Service
  • Description: Sun Solaris is a UNIX-based operating system. Sun Solaris is exposed to a remote denial of service issue because of an error in the "sockfs" kernel module. A remote unprivileged attacker can exploit this issue by sending specially-crafted HTTP requests to an affected computer. Solaris 10 and OpenSolaris based upon builds snv_41 or later are affected.
  • Ref: http://sunsolve.sun.com/search/document.do?assetkey=1-66-265888-1

  • 09.36.11 - CVE: Not Available
  • Platform: Cross Platform
  • Title: Symantec Altiris Deployment Solution Authentication Handshake Race Condition Security
  • Description: Symantec Altiris Deployment Solution is software for deploying and managing servers, desktops, notebooks, thin clients, and handheld devices from a centralized location. It is available for Microsoft Windows. The "AClient" client application is exposed to a race-condition security issue. Successful exploits will allow the attacker to execute malicious commands with SYSTEM-level privileges. This may lead to a complete compromise of the affected computer. Altiris Deployment Solution versions 6.9 prior to 6.9 SP3 Build 430 are affected.
  • Ref: http://www.symantec.com/business/security_response/securityupdates/detail.jsp?fid=security_advisory&pvid=security_advisory&year=2009&suid=20090826_00

  • 09.36.12 - CVE: CVE-2009-2094
  • Platform: Cross Platform
  • Title: IBM WebSphere Commerce Unspecified Information Disclosure
  • Description: IBM WebSphere Commerce is an e-commerce application. The application is exposed to an unspecified information disclosure issue when trace is enabled. Attackers can exploit this issue to harvest sensitive information that may lead to further attacks, including brute-force attacks against user accounts. IBM WebSphere Commerce versions prior to 6.0.0.8 are affected.
  • Ref: http://publib.boulder.ibm.com/infocenter/wchelp/v6r0m0/index.jsp?topic=/com.ibm.commerce.admin.doc/refs/rig_new_and_changed.htm

  • 09.36.13 - CVE: CVE-2009-2050, CVE-2009-2051, CVE-2009-2052, CVE-2009-2053, CVE-2009-2054
  • Platform: Cross Platform
  • Title: Cisco Unified Communications Manager Multiple Denial of Service Vulnerabilities
  • Description: Cisco Unified Communications Manager (CUCM) is a software-based call-processing component of the Cisco IP telephony solution. The application was formerly named Unified CallManager. Cisco Unified Communications Manager is exposed to multiple denial of service issues. An attacker can exploit these issues to cause denial of service conditions in the affected application.
  • Ref: http://www.securityfocus.com/archive/1/506119

  • 09.36.14 - CVE: Not Available
  • Platform: Cross Platform
  • Title: Symantec Altiris Deployment Solution File Transfer Authentication Bypass
  • Description: Symantec Altiris Deployment Solution is software for deploying and managing servers, desktops, notebooks, thin clients, and handheld devices from a centralized location. It is available for Microsoft Windows. The application is exposed to an authentication bypass issue because of a race condition. Specifically, when files are transferred from the server to a client, an attacker may make repeated connections to the port used so as to intercept the content of the files. Altiris Deployment Solution versions prior to 6.9 SP3 Build 430 are affected.
  • Ref: http://www.symantec.com/business/security_response/securityupdates/detail.jsp?fid=security_advisory&pvid=security_advisory&year=2009&suid=20090826_00

  • 09.36.15 - CVE: CVE-2009-2090
  • Platform: Cross Platform
  • Title: IBM WebSphere Application Server wsadmin Security Bypass
  • Description: IBM WebSphere Application Server (WAS) is available for various operating systems. WAS is exposed to a security bypass issue that affects wsadmin in the System Management/Repository component. WAS versions 7.0 prior to 7.0.0.5 are affected.
  • Ref: http://www-01.ibm.com/support/docview.wss?uid=swg27014463

  • 09.36.16 - CVE: Not Available
  • Platform: Cross Platform
  • Title: IBM Websphere Server Weak Password Obfuscation Denial of Service
  • Description: IBM WebSphere Application Server (WAS) is a commercial web application server, which runs on a number of platforms including Linux and Unix variants and Microsoft Windows operating environments. IBM WebSphere Application Server is exposed to a denial of service issue that occurs because the application uses insecure password obfuscation in web services. Specifically, the weak password is stored in the "ibm-webservicesclient-bind.xml" file and can be manipulated by a local attacker.
  • Ref: http://www-01.ibm.com/support/docview.wss?uid=swg27007951

  • 09.36.17 - CVE: CVE-2009-2092
  • Platform: Cross Platform
  • Title: IBM WebSphere Application Server "ibm-portlet-ext.xmi" Security Bypass
  • Description: IBM WebSphere Application Server (WAS) is a web application server available for various operating systems. WAS is exposed to a security bypass issue due to a failure to properly read the "portlet serving enable" parameter. WAS versions 7.0 prior to 7.0.0.5 are affected.
  • Ref: http://www-01.ibm.com/support/docview.wss?uid=swg27014463

  • 09.36.18 - CVE: CVE-2009-2089
  • Platform: Cross Platform
  • Title: IBM WebSphere Application Server Migration Component Trace Information Disclosure
  • Description: IBM WebSphere Application Server (WAS) is an application server used for service-oriented architecture. WAS is exposed to an information disclosure issue affecting the Migration component. Specifically, when WAS is migrated from version 6.1 to 7.0 when tracing is enabled, authenticated attackers can view the trace file to obtain sensitive information. WAS versions prior to 6.1.0.25 and 7.0.0.5 are affected.
  • Ref: http://www-01.ibm.com/support/docview.wss?uid=swg27014463

  • 09.36.19 - CVE: CVE-2009-2091
  • Platform: Cross Platform
  • Title: IBM WebSphere Application Server for z/OS File Permission
  • Description: IBM WebSphere Application Server (WAS) is an application server used for service-oriented architecture. The application is exposed to a file permission security issue due to a failure to securely set permissions on files created during application deployment. WAS versions 7.0 prior to 7.0.0.5 for z/OS are affected.
  • Ref: http://www-01.ibm.com/support/docview.wss?uid=swg27014463

  • 09.36.20 - CVE: Not Available
  • Platform: Cross Platform
  • Title: Multiple Symantec Products Email Handling Denial of Service
  • Description: Multiple Symantec products are exposed to a remote denial of service issue that occurs when processing a specially crafted email message. The message will require a significant amount of time to process, eventually causing the client to lose connection with the mail server. When the client reconnects, an attempt to process the message would occur again, repeating the cycle until the message is deleted from the server.
  • Ref: http://www.symantec.com/business/security_response/securityupdates/detail.jsp?fid=security_advisory&pvid=security_advisory&year=2009&suid=20090826_01

  • 09.36.21 - CVE: CVE-2009-2088
  • Platform: Cross Platform
  • Title: IBM WebSphere Application Server Single Sign On Security Bypass
  • Description: IBM WebSphere Application Server (WAS) is a web application server available for various operating systems. WAS is exposed to a security bypass issue that stems from a design error in the Single Sign-On (SSO) with SPNEGO implementation. WAS versions 7.0 prior to 7.0.0.5 and 6.1 prior to 6.1.0.25 are affected.
  • Ref: http://www.securityfocus.com/bid/36158

  • 09.36.22 - CVE: CVE-2009-0906
  • Platform: Cross Platform
  • Title: IBM WebSphere Application Server SCA Security Bypass
  • Description: IBM WebSphere Application Server (WAS) is available for various operating systems. WAS is exposed to a security bypass issue because of an unspecified error in the Service Component Architecture (SCA) feature pack. WebSphere Application Server SCA versions 1.0 prior to 1.0.0.3 are affected.
  • Ref: http://www-01.ibm.com/support/docview.wss?rs=180&uid=swg27004980

  • 09.36.23 - CVE: CVE-2008-6973
  • Platform: Cross Platform
  • Title: IBM WebSphere Commerce Before 6.0.0.7 Multiple Unspecified Security Vulnerabilities
  • Description: IBM WebSphere Commerce is an e-commerce application. The application is exposed to multiple unspecified security issues. Commerce versions prior to 6.0.0.7 are affected.
  • Ref: http://publib.boulder.ibm.com/infocenter/wchelp/v6r0m0/index.jsp?topic=/com.ibm.commerce.admin.doc/refs/rig_new_and_changed.htm

  • 09.36.24 - CVE: CVE-2009-2085
  • Platform: Cross Platform
  • Title: IBM WebSphere Application Server "CSIv2" Security Bypass
  • Description: IBM WebSphere Application Server (WAS) is a web application server available for various operating systems. WAS is exposed to a security bypass issue caused by an unspecified error when CSIv2 Security is configured with Identity Assertion. Attackers can exploit this issue via vectors related to Enterprise Java Beans. WAS versions 7.0 prior to 7.0.0.5 and 6.1.0 prior to 6.1.0.25 are affected.
  • Ref: http://www-01.ibm.com/support/docview.wss?rs=180&uid=swg27004980

  • 09.36.25 - CVE: Not Available
  • Platform: Cross Platform
  • Title: Xerox WorkCentre Web Services Extensible Interface Platform Unauthorized Access
  • Description: Xerox WorkCentre is a web-capable printer and photocopier. WorkCentre is exposed to an issue that can result in unauthorized access. This issue occurs when SSL is not enabled on the affected device. A remote attacker can exploit this issue to gain unauthorized access to the device's configuration settings and possibly customer passwords.
  • Ref: http://www.securityfocus.com/bid/36177

  • 09.36.26 - CVE: CVE-2009-2944
  • Platform: Cross Platform
  • Title: ikiwiki "teximg" Plugin Insecure TeX Commands Information Disclosure
  • Description: ikiwiki is a wiki compiler. The application is exposed to an information disclosure issue. Specifically, an unauthorized attacker may execute certain insecure TeX commands via the "teximg" plugin to read arbitrary local files. ikiwiki versions prior to 3.1415926 and 2.53.4 are affected.
  • Ref: http://ikiwiki.info/security/#index35h2

  • 09.36.27 - CVE: Not Available
  • Platform: Cross Platform
  • Title: SolarWinds TFTP Server Option Acknowledgement Request Denial of Service
  • Description: SolarWinds TFTP Server is a TFTP server application for Microsoft Windows platforms. The software is exposed to a denial of service issue because it fails to handle crafted Option Acknowledgement (OACK) requests. SolarWinds TFTP Server versions 9.2.0.111 and earlier are affected.
  • Ref: http://www.securityfocus.com/bid/36182

  • 09.36.28 - CVE: Not Available
  • Platform: Cross Platform
  • Title: Hitachi Groupmax Scheduler Server Unauthorized Access
  • Description: Hitachi Groupmax Scheduler Server is prone to a vulnerability that can result in unauthorized access. A remote attacker can exploit this vulnerability to bypass security restrictions and gain unauthorized access to privileged data.
  • Ref: http://jvndb.jvn.jp/en/contents/2009/JVNDB-2009-001931.html

  • 09.36.29 - CVE: Not Available
  • Platform: Cross Platform
  • Title: Google Chrome "Math.Random()" Random Number Generation
  • Description: Google Chrome is a browser. Chrome is exposed to a security issue that may cause weak random numbers to be generated. This issue occurs in the "Math.random()" random number implementation included in the application. Specifically, the application uses a two-stream version of the Marsaglia MWC (multiply-with-carry) algorithm, which may allow an attacker to detect the log-in state of the random number generator. Chrome version 3.0 Beta is affected.
  • Ref: http://www.securityfocus.com/bid/36185

  • 09.36.30 - CVE: Not Available
  • Platform: Cross Platform
  • Title: OpenOffice Prior to 3.1.1 Multiple Unspecified Security Vulnerabilities
  • Description: OpenOffice is a suite of office applications for multiple operating platforms. OpenOffice is exposed to multiple security issues. OpenOffice versions prior to 3.1.1 are affected.
  • Ref: http://www.openoffice.org/servlets/ReadMsg?list=announce&msgNo=398

  • 09.36.31 - CVE: Not Available
  • Platform: Cross Platform
  • Title: SILC Toolkit Encoded OID Format String
  • Description: SILC (Secure Internet Live Conferencing) is a protocol that provides secure conferencing services on the Internet. SILC Toolkit implements the protocol for developers to include in other projects. SILC Toolkit is exposed to a format string issue because it fails to use the correct type as a format specifier to a formatted-printing function. This issue occurs in the ASN1 module when encoding an OID. SILC Toolkit versions prior to 1.1.8 are affected.
  • Ref: http://www.securityfocus.com/bid/36192

  • 09.36.32 - CVE: Not Available
  • Platform: Cross Platform
  • Title: SILC Toolkit "command.c" Multiple Format String Vulnerabilities
  • Description: SILC (Secure Internet Live Conferencing) is a protocol that provides secure conferencing services. SILC Toolkit implements the protocol for developers to include in other projects. SILC Toolkit is exposed to multiple format-string issues because it fails to properly sanitize user-supplied input before passing it as the format specifier to a formatted-printing function. SILC Toolkit versions prior to 1.1.10 are affected.
  • Ref: http://git.silcnet.org/gitweb/?p=silc.git;a=commitdiff;h=8cb801cf6482666818e721822ce81c81ec818908

  • 09.36.33 - CVE: Not Available
  • Platform: Cross Platform
  • Title: SILC Toolkit HTTP Server Format String
  • Description: SILC (Secure Internet Live Conferencing) is a protocol that provides secure conferencing services on the Internet. SILC Toolkit implements the protocol for developers to include in other projects. SILC Toolkit is exposed to a format string issue because it fails to use the correct type as a format specifier to a formatted-printing function. This issue occurs when the application's HTTP server is enabled. SILC Toolkit versions prior to 1.1.9 are affected.
  • Ref: http://www.securityfocus.com/bid/36195

  • 09.36.34 - CVE: Not Available
  • Platform: Cross Platform
  • Title: Apple iPhone and iPod touch Mobile Safari Alert Remote Denial of Service
  • Description: Apple iPhone is a mobile phone that runs on the ARM architecture. Apple iPod touch is a portable music player that also contains the Safari browser. iPhone and iPod touch are exposed to a denial of service issue that occurs when viewing a malicious Web page that displays an alert containing several newline characters.
  • Ref: http://www.securityfocus.com/bid/36195

  • 09.36.35 - CVE: CVE-2009-2958
  • Platform: Cross Platform
  • Title: Dnsmasq TFTP Service Remote NULL-Pointer Dereference
  • Description: Dnsmasq is a DNS server that includes an integrated DHCP server. Dnsmasq is exposed to a NULL-pointer dereference issue when the TFTP service is enabled. The problem occurs because the application dereferences a pointer before checking if it has a NULL value. The TFTP service must be enabled for this issue to be exploitable; this is not the default. Dnsmasq versions prior to 2.50 are affected.
  • Ref: http://www.coresecurity.com/content/dnsmasq-vulnerabilities

  • 09.36.36 - CVE: CVE-2009-2968
  • Platform: Cross Platform
  • Title: VMware Studio Virtual Appliance Web Interface File Upload Directory Traversal
  • Description: VMware Studio is an application that allows users to create, configure, and deploy VMware virtual applications and appliances. Virtual appliances created with VMware Studio contain an in-guest management agent with a web console. The application is exposed to a directory traversal issue because it fails to sufficiently sanitize user-supplied input. VMware Studio version 2.0 beta is affected.
  • Ref: http://www.securityfocus.com/archive/1/506191

  • 09.36.37 - CVE: CVE-2009-0200, CVE-2009-0201
  • Platform: Cross Platform
  • Title: OpenOffice Word Document Table Parsing Multiple Heap Based Buffer Overflow Vulnerabilities
  • Description: OpenOffice is a suite of office applications for multiple operating platforms. OpenOffice is exposed to multiple issues. Remote attackers can exploit these issues by enticing victims into opening maliciously crafted files. Successful exploits may allow attackers to execute arbitrary code within the context of the affected application. Failed exploit attempts will likely result in a denial of service. OpenOffice versions prior to 3.1.1 are affected.
  • Ref: http://www.securityfocus.com/archive/1/506195

  • 09.36.38 - CVE: Not Available
  • Platform: Cross Platform
  • Title: Opera Web Browser prior to 10 Multiple Security Vulnerabilities
  • Description: Opera Web Browser is a browser that runs on multiple operating systems. Opera is exposed to multiple security issues. Successful exploits may allow attackers to perform spoofing and man-in-the-middle attacks or impersonate trusted servers, which will aid in further attacks. Opera Web Browser versions prior to Opera 10 are affected.
  • Ref: http://www.opera.com/docs/changelogs/windows/1000/

  • 09.36.39 - CVE: Not Available
  • Platform: Cross Platform
  • Title: Templating for JavaServer Faces Technology Multiple Information Disclosure Vulnerabilities
  • Description: Templating for JavaServer Faces Technology is a plugin for Java servers that allows users to develop web pages. Templating for JavaServer Faces Technology is exposed to multiple information disclosure issues. Successful exploits will allow authenticated attackers to obtain potentially sensitive information that may aid in further attacks.
  • Ref: http://www.opera.com/docs/changelogs/windows/1000/

  • 09.36.40 - CVE: CVE-2008-6992
  • Platform: Cross Platform
  • Title: GreenSQL Firewall WHERE Clause Security Bypass
  • Description: GreenSQL Firewall is a database firewall application. GreenSQL Firewall is exposed to a security bypass issue that occurs because the application allows attackers to bypass the SQL injection protection via a WHERE clause. Specifically, if the clause contains an expression such as "x=y=z", an attacker can bypass SQL injection protection.
  • Ref: http://bugs.mysql.com/bug.php?id=39337

  • 09.36.41 - CVE: Not Available
  • Platform: Web Application - Cross Site Scripting
  • Title: VideoGirls Multiple Cross-Site Scripting Vulnerabilities
  • Description: VideoGirls is a PHP-based application. The application is exposed to multiple cross-site scripting issues because it fails to sufficiently sanitize user-supplied data. Attacker-supplied HTML or JavaScript code could run in the context of the affected site, potentially allowing the attacker to steal cookie-based authentication credentials.
  • Ref: http://www.securityfocus.com/bid/36168

  • 09.36.42 - CVE: Not Available
  • Platform: Web Application - Cross Site Scripting
  • Title: BigACE "public/index.php" Cross-Site Scripting
  • Description: BigACE is a PHP-based content manager. The application is exposed to a cross-site scripting issue because it fails to sufficiently sanitize user-supplied input to the "id" parameter of the "public/index.php" script. BigACE version 2.6 is affected.
  • Ref: http://bigace.cvs.sourceforge.net/viewvc/bigace/BIGACE/CORE/public/index.php?revision=1.22&view=markup

  • 09.36.43 - CVE: CVE-2009-2964
  • Platform: Web Application - Cross Site Scripting
  • Title: SquirrelMail Form Submissions Cross-Site Request Forgery
  • Description: SquirrelMail is a web-based email client. SquirrelMail is exposed to a cross-site request forgery issue that affects every form submission. An attacker can exploit this issue to inject malicious content into user preferences or possibly send emails without user consent. Other attacks are also possible. SquirrelMail version 1.4.19 is affected.
  • Ref: http://www.squirrelmail.org/security/issue/2009-08-12

  • 09.36.44 - CVE: Not Available
  • Platform: Web Application - Cross Site Scripting
  • Title: 68 Classifieds Multiple Cross-Site Scripting Vulnerabilities
  • Description: 68 Classifieds is a PHP-based classifieds script. The application is exposed to multiple cross-site scripting issues because it fails to sanitize user-supplied input. An attacker may leverage these issues to execute arbitrary script code in the browser of an unsuspecting user in the context of the affected site. 68 Classifieds version 4.1 is affected.
  • Ref: http://www.securityfocus.com/bid/36208

  • 09.36.45 - CVE: Not Available
  • Platform: Web Application - Cross Site Scripting
  • Title: MKPortal Multiple Modules Cross-Site Scripting Vulnerabilities
  • Description: MKPortal is a PHP-based content manager. Multiple modules of MKPortal are exposed to multiple cross-site scripting issues because the application fails to sufficiently sanitize user-supplied data. Attacker-supplied HTML or JavaScript code could run in the context of the affected site, potentially allowing the attacker to steal cookie-based authentication credentials.
  • Ref: http://www.securityfocus.com/bid/36216

  • 09.36.46 - CVE: Not Available
  • Platform: Web Application - SQL Injection
  • Title: Simple CMS "index.php" SQL Injection
  • Description: Simple CMS is a content manager. The application is exposed to an SQL injection issue because it fails to sufficiently sanitize user-supplied data to the "page" parameter of the "index.php" script before using it in an SQL query.
  • Ref: http://www.securityfocus.com/bid/36162

  • 09.36.47 - CVE: CVE-2008-6941
  • Platform: Web Application - SQL Injection
  • Title: TurnkeyForms Web Hosting Directory Login SQL Injection
  • Description: TurnkeyForms Web Hosting Directory is a web-based application. The application is exposed to an SQL injection issue because it fails to sufficiently sanitize user-supplied data to the "password" textbox when authenticating via the login script.
  • Ref: http://www.securityfocus.com/bid/36166

  • 09.36.48 - CVE: Not Available
  • Platform: Web Application - SQL Injection
  • Title: PHP-Fusion "downloads.php" SQL Injection
  • Description: PHP-Fusion is a PHP-based content manager. The application is exposed to an SQL injection issue because it fails to sufficiently sanitize user-supplied data to the "page_id" parameter of the "downloads.php" script before using it in an SQL query. PHP-Fusion versions 6.01.15.4 and earlier are affected.
  • Ref: http://www.securityfocus.com/bid/36167

  • 09.36.49 - CVE: Not Available
  • Platform: Web Application - SQL Injection
  • Title: Joomla! DigiFolio Component "id" Parameter SQL Injection
  • Description: DigiFolio is a PHP-based component for the Joomla! content manager. The application is exposed to an SQL injection issue because it fails to sufficiently sanitize user-supplied data to the "id" parameter of the "com_digifolio" component before using it in an SQL query. DigiFolio version 1.52 is affected.
  • Ref: http://www.securityfocus.com/bid/36172

  • 09.36.50 - CVE: Not Available
  • Platform: Web Application - SQL Injection
  • Title: OpenAutoClassifieds SQL Injection Vulnerabilities
  • Description: OpenAutoClassifieds is a web-based classifieds application for vehicles. The application is exposed to multiple SQL injection issues because it fails to sufficiently sanitize user-supplied data. OpenAutoClassifieds versions prior to 1.6.0 are affected.
  • Ref: http://openautoclassifieds.com/wiki/doku.php/Changelog#version_v1.6.0

  • 09.36.51 - CVE: Not Available
  • Platform: Web Application - SQL Injection
  • Title: FlexCMS "CookieUsername" Cookie Parameter SQL Injection
  • Description: FlexCMS is a web-based content manager implemented in PHP. The application is exposed to an SQL injection issue because it fails to sufficiently sanitize user-supplied data to the "CookieUsername" cookie parameter before using it in an SQL query. FlexCMS versions 2.5 and earlier are affected.
  • Ref: http://www.securityfocus.com/bid/36179

  • 09.36.52 - CVE: Not Available
  • Platform: Web Application - SQL Injection
  • Title: PHP-Fusion "Download System mSF" module SQL Injection
  • Description: PHP-Fusion is a PHP-based content manager. "Download System mSF" is a module for PHP-Fusion. The application is exposed to an SQL injection issue because it fails to sufficiently sanitize user-supplied data to the "view_id" parameter of the "screen.php" script before using it in an SQL query.
  • Ref: http://www.securityfocus.com/bid/36180

  • 09.36.53 - CVE: Not Available
  • Platform: Web Application - SQL Injection
  • Title: Joomla! Art Portal Component "portalid" Parameter SQL Injection
  • Description: Art Portal is a PHP-based component for the Joomla! content manager. The application is exposed to an SQL injection issue because it fails to sufficiently sanitize user-supplied data to the "portalid" parameter of the "com_artportal" component before using it in an SQL query. Art Portal version 1.0 is affected.
  • Ref: http://www.securityfocus.com/bid/36206

  • 09.36.54 - CVE: Not Available
  • Platform: Web Application - SQL Injection
  • Title: Joomla! Game Server Component "id" Parameter SQL Injection
  • Description: Game Server is a PHP-based component for the Joomla! content manager. The application is exposed to an SQL injection issue because it fails to sufficiently sanitize user-supplied data to the "id" parameter of the "com_gameserver" component before using it in an SQL query.
  • Ref: http://www.securityfocus.com/bid/36213

  • 09.36.55 - CVE: Not Available
  • Platform: Web Application - SQL Injection
  • Title: phpBB Prime Quick Style "user_permissions" Parameter SQL Injection
  • Description: Prime Quick Style is a style switcher for phpBB. The application is exposed to an SQL injection issue because it fails to sufficiently sanitize user-supplied data to the "user_permissions" parameter of the "ucp.php" script before using it in an SQL query.
  • Ref: http://www.phpbb.com/community/viewtopic.php?f=70&t=692625

  • 09.36.56 - CVE: Not Available
  • Platform: Web Application
  • Title: TotalCalendar SQL Injection and Local File Include Vulnerabilities
  • Description: TotalCalendar is a PHP-based calendar application. The application is exposed to multiple issues. The attacker can exploit this vulnerability using directory traversal strings to execute local script code in the context of the application. TotalCalendar version 2.4 is affected.
  • Ref: http://www.securityfocus.com/bid/36161

  • 09.36.57 - CVE: Not Available
  • Platform: Web Application
  • Title: Drupal Ajax Table Module Security Bypass and HTML Injection Vulnerabilities
  • Description: Ajax Table is a module for creating AJAX-refreshable tables for the Drupal content manager. The application is exposed to multiple issues because it fails to sanitize user-supplied input. Attackers may leverage these issues to execute arbitrary script code in the browser of an unsuspecting user in the context of the affected site, steal cookie-based authentication credentials, control how the site is rendered to the user, or perform unauthorized actions; other attacks may also be possible. Ajax Table version 5.x is affected.
  • Ref: http://drupal.org/node/560298

  • 09.36.58 - CVE: Not Available
  • Platform: Web Application
  • Title: Drupal Go - url redirects Multiple HTML Injection and Arbitrary Code Execution Vulnerabilities
  • Description: The "Go - url redirects" module is for adding redirected URLs for the Drupal content manager. The application is exposed to multiple input validation issues. An attacker can exploit these issues to execute arbitrary script code within the context of the browser, steal cookie-based authentication credentials, and execute arbitrary PHP code within the context of the webserver.
  • Ref: http://drupal.org/node/560346

  • 09.36.59 - CVE: Not Available
  • Platform: Web Application
  • Title: Sphider "conf.php" Remote Command Execution
  • Description: Sphider is a PHP-based search engine. Sphider is exposed to an issue that attackers can leverage to execute arbitrary commands. This issue occurs because the software fails to adequately sanitize user-supplied input to the "_index_pdf" parameter in the "conf.php" script. Sphider versions 1.3.4 and earlier are affected.
  • Ref: http://www.securityfocus.com/bid/36170

  • 09.36.60 - CVE: Not Available
  • Platform: Web Application
  • Title: PHP-Fusion Multiple Information Disclosure Vulnerabilities
  • Description: PHP-Fusion is a PHP-based content manager. The application is exposed to multiple information disclosure issues that affect "members.php" and "messages.php" scripts. Attackers can exploit these issues to harvest sensitive information that may lead to further attacks.
  • Ref: http://www.securityfocus.com/bid/36171

  • 09.36.61 - CVE: Not Available
  • Platform: Web Application
  • Title: OpenAutoClassifieds Arbitrary File Upload
  • Description: OpenAutoClassifieds is a web-based classifieds application for vehicles. OpenAutoClassifieds is exposed to an issue that lets attackers upload arbitrary files because the application fails to adequately validate user-supplied input. Specifically, this issue affects the "checkAllowedExt()" function which doesn't check file extensions in a proper manner and allows arbitrary files to be uploaded through the profile image upload functionality. OpenAutoClassifieds versions prior to 1.6.0 are affected.
  • Ref: http://openautoclassifieds.com/wiki/doku.php/Changelog#version_v1.6.0

  • 09.36.62 - CVE: Not Available
  • Platform: Web Application
  • Title: OpenAutoClassifieds "paycalc.php" Path Disclosure
  • Description: OpenAutoClassifieds is a web-based classifieds application for vehicles. OpenAutoClassifieds is exposed to a path disclosure issue when invalid data is submitted. Specifically, when specially crafted input is submitted to the "paycalc.php" script, the file path is returned in an error message. OpenAutoClassifieds versions prior to 1.6.0 are affected.
  • Ref: http://openautoclassifieds.com/wiki/doku.php/Changelog#version_v1.6.0

  • 09.36.63 - CVE: Not Available
  • Platform: Web Application
  • Title: Basic PHP Events Lister 2 Multiple Administrative Scripts Authentication Bypass Vulnerabilities
  • Description: Basic PHP Events Lister 2 is a PHP-based web application. The application is exposed to multiple authentication bypass issues because it fails to perform adequate authentication checks. Specifically, the application fails to restrict access to the "admin/reset.php" and "admin/user_add.php" administrative scripts. Basic PHP Events Lister version 2.0 is affected.
  • Ref: http://www.securityfocus.com/bid/36198

  • 09.36.64 - CVE: CVE-2008-6999
  • Platform: Web Application
  • Title: phpAuction "phpinfo.php" Information Disclosure
  • Description: phpAuction is a web-based application. The application is exposed to an information disclosure issue. Specifically, an unauthorized attacker may obtain PHP configuration details via the "phpinfo.php" script. The attacker can exploit this issue to harvest sensitive information that may lead to further attacks.
  • Ref: http://www.securityfocus.com/bid/36210

  • 09.36.65 - CVE: CVE-2008-7000
  • Platform: Web Application
  • Title: phpAuction "lan" Parameter Remote File Include
  • Description: phpAuction is a web application. The application is exposed to a remote file include issue because it fails to sufficiently sanitize user-supplied input to the "lan" parameter of the "index.php" script. An attacker can exploit this issue to execute malicious PHP code in the context of the webserver process. phpAuction version 3.2 is affected.
  • Ref: http://www.securityfocus.com/bid/36211

  • 09.36.66 - CVE: Not Available
  • Platform: Web Application
  • Title: Agora "action" Parameter Local File Include
  • Description: Agora is a module for the Joomla! content manager. The application is exposed to a local file include issue because it fails to properly sanitize user-supplied input to the "action" parameter. Agora version 3.0.0b is affected.
  • Ref: http://www.securityfocus.com/bid/36207

  • 09.36.67 - CVE: Not Available
  • Platform: Web Application
  • Title: Datalife Engine "api.class.php" Remote File Include
  • Description: Datalife Engine is a content manager. The application is exposed to a remote file include issue because it fails to sufficiently sanitize user-supplied input to the "dle_config_api" parameter of the "engine/api/api.class.php" script. Datalife Engine version 8.2 is affected.
  • Ref: http://www.securityfocus.com/bid/36212

  • 09.36.68 - CVE: Not Available
  • Platform: Web Application
  • Title: MKPortal Multiple BBCode HTML Injection Vulnerabilities
  • Description: MKPortal is a PHP-based content manager. The application is exposed to multiple HTML injection issues because it fails to sufficiently sanitize user-supplied input. Specifically, BBCode "img" and "url" tags aren't properly sanitized.
  • Ref: http://www.securityfocus.com/bid/36218

  • 09.36.69 - CVE: Not Available
  • Platform: Network Device
  • Title: Hitachi Device Manager IPv6 Security Bypass
  • Description: Hitachi Device Manager and JP1/HiCommand are a series of software products used to monitor and manage data storage infrastructures. The applications are exposed to a security bypass issue because of an unspecified error related to IPv6 functionality. Attackers may exploit this issue to bypass intended access restrictions.
  • Ref: http://www.hitachi.co.jp/Prod/comp/soft1/security/info/vuls/HS09-013/index.html

(c) 2009. All rights reserved. The information contained in this newsletter, including any external links, is provided "AS IS," with no express or implied warranty, for informational purposes only. In some cases, copyright for material in this newsletter may be held by a party other than Qualys (as indicated herein) and permission to use such material must be requested from the copyright owner.

Subscriptions: @RISK is distributed free of charge by the SANS Institute to people responsible for managing and securing information systems and networks. You may forward this newsletter to others with such responsibility inside