
@RISK: The Consensus Security Vulnerability Alert

Volume: VIII, Issue: 38
September 17, 2009

A LOT of critical vulnerabilities in Mac OS X reported this week. Alan

@RISK is the SANS community's consensus bulletin summarizing the most important vulnerabilities and exploits identified during the past week and providing guidance on appropriate actions to protect your systems (PART I). It also includes a comprehensive list of all new vulnerabilities discovered in the past week (PART II).

Summary of the vulnerabilities reported this week:

Platform                                  Number of Updates and Vulnerabilities
---------------------------               -------------------------------------
Windows                                   1
Third Party Windows Apps                  9
Mac OS                                    9 (#1)
Linux                                     3
HP-UX                                     1
BSD                                       1
Solaris                                   2
Unix                                      1
Cross Platform                            20 (#2, #3, #4, #5)
Web Application - Cross Site Scripting    7
Web Application - SQL Injection           16
Web Application                           14
Network Device                            13

*************************************************************************

TRAINING UPDATE - - - SCADA Security Summit, Stockholm, Oct. 27-30, http://www.sans.org/euscada09_summit/ - - - SANS Chicago North Shore, Oct. 26-Nov. 2, http://www.sans.org/chicago09/ - - - SANS San Francisco, November 9-14, http://www.sans.org/sanfrancisco09 - - - SANS CDI, Washington DC, Dec. 11-18, http://www.sans.org/cyber-defense-initiative-2009 Looking for training in your own community? http://sans.org/community/ Save on On-Demand training (30 full courses) - See samples at http://www.sans.org/ondemand/spring09.php Plus London, Tokyo, Dubai, Sydney, Hong Kong, and Vancouver, all in the next 90 days. For a list of all upcoming events, on-line and live: www.sans.org

*************************************************************************

Table Of Contents
Part II -- Comprehensive List of Newly Discovered Vulnerabilities from Qualys (www.qualys.com)
Windows
Third Party Windows Apps
Mac Os
Linux
HP-UX
BSD
Solaris
Unix
Cross Platform
Web Application - Cross Site Scripting
Web Application - SQL Injection
Web Application
Network Device

************************** Sponsored Link: ****************************

Register Today and receive 10% off for SANS vLive course SEC542, Web App Penetration Testing and Ethical Hacking, November 2nd - November 9th. Please use the code @Risk542 when registering. http://www.sans.org/info/48642

*************************************************************************

PART I Critical Vulnerabilities

Part I for this issue has been compiled by Rohan Kotian at TippingPoint, a division of 3Com, as a by-product of that company's continuous effort to ensure that its intrusion prevention products effectively block exploits using known vulnerabilities. TippingPoint's analysis is complemented by input from a council of security managers from twelve large organizations who confidentially share with SANS the specific actions they have taken to protect their systems. A detailed description of the process may be found at http://www.sans.org/newsletters/cva/#process

Widely Deployed Software
  • (2) HIGH: BigAnt Messenger Server Buffer Overflow Vulnerability
  • Affected:
    • BigAnt IM Server 2.50
  • Description: BigAnt Messenger is an enterprise instant messaging system that ships both the IM client and the IM server. A buffer overflow vulnerability has been identified in the BigAnt IM server: the "AntServer.exe" module does not perform adequate boundary checks on incoming HTTP requests, so an overly long HTTP GET request sent to the server can trigger it. Successful exploitation might allow an attacker to execute arbitrary code with the privileges of the account running AntServer.exe or might lead to a denial-of-service condition. Full technical details for this vulnerability are publicly available along with proof-of-concept code.

  • Status: Vendor confirmed, no updates available.

  • References:
  • (3) HIGH: Nginx URL Processing Buffer Underflow Vulnerability
  • Affected:
    • nginx 0.1.0 through 0.8.14 (0.5.x before 0.5.38, 0.6.x before 0.6.39, 0.7.x before 0.7.62, 0.8.x before 0.8.15)
  • Description: nginx is an open-source, multi-platform HTTP server and mail proxy server. A buffer underflow vulnerability has been identified in the nginx web server that a remote attacker can trigger with a specially crafted request URI. The specific flaw is in the "ngx_http_parse_complex_uri()" function: while normalizing a URI that contains "/../" segments, the parser walks backwards to the previous "/" without checking that it has reached the start of the URI buffer, so it can read and write memory in front of the buffer (a buffer underflow). Successful exploitation might allow an attacker to execute arbitrary code in the context of the nginx worker process (normally an unprivileged account) or lead to a denial-of-service condition. Full technical details for this vulnerability are available via source code analysis. This is the same issue as CVE-2009-2629, listed as item 09.38.38 in Part II.

  • Status: Vendor confirmed, updates available (nginx 0.8.15, 0.7.62, 0.6.39 and 0.5.38).

  • References:
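The walk-back described above, as an added illustration that is not nginx's own code: a small absolute-path normalizer in C that resolves "." and ".." segments. The `u == out` test inside the ".." branch is the lower-bound check whose absence lets a request such as "/../x" move the write pointer before the start of the buffer; the function name, the output buffer layout and the sample paths are this example's own assumptions.

```c
#include <stdio.h>
#include <string.h>

/*
 * Normalize an absolute request path into 'out', resolving "." and ".."
 * segments the way a web server must before mapping the path to a file.
 * Returns 0 on success and -1 if the path is malformed, does not fit in
 * 'outsz' bytes, or contains more ".." segments than there are directories
 * to pop (the input that drives an unchecked walk-back below the buffer).
 */
int uri_normalize(const char *uri, char *out, size_t outsz)
{
    char *u = out;                  /* write position, kept within [out, out + outsz) */
    const char *p = uri;

    if (uri[0] != '/' || outsz < 2)
        return -1;

    while (*p == '/') {
        const char *seg = p + 1;                /* first byte of the segment after '/' */
        size_t len = strcspn(seg, "/");         /* segment length; 0 for "//" */

        if (len == 1 && seg[0] == '.') {
            /* "/.": current directory, drop the segment */
        } else if (len == 2 && seg[0] == '.' && seg[1] == '.') {
            /* "/..": pop the previous segment by walking back to the '/' that
             * started it.  The 'u == out' test is the lower-bound check the
             * unpatched parser lacked: without it, a path that starts with
             * "/../" keeps decrementing u past the beginning of 'out' and
             * reads (and later writes) memory in front of the buffer. */
            for (;;) {
                if (u == out)
                    return -1;                  /* nothing left to pop: reject the request */
                u--;
                if (*u == '/')
                    break;
            }
        } else {
            if ((size_t)(u - out) + 1 + len >= outsz)   /* room for '/', segment and NUL */
                return -1;
            *u++ = '/';
            memcpy(u, seg, len);
            u += len;
        }
        p = seg + len;                          /* p now sits at the next '/' or at NUL */
    }

    if (u == out)
        *u++ = '/';                             /* everything was popped: the root */
    *u = '\0';
    return 0;
}

int main(void)
{
    /* Constructed sample paths, including the climb-above-root trigger. */
    static const char *samples[] = { "/a/b/../c", "/a/./b/", "/a/..", "/../etc/passwd", "/a/../../x" };
    char out[64];

    for (size_t i = 0; i < sizeof samples / sizeof samples[0]; i++) {
        if (uri_normalize(samples[i], out, sizeof out) == 0)
            printf("%-16s -> %s\n", samples[i], out);
        else
            printf("%-16s -> rejected (climbs above root)\n", samples[i]);
    }
    return 0;
}
```

The fix nginx shipped adds a comparable lower-bound comparison against the start of the URI buffer and returns an invalid-request error when the walk-back reaches it; the rejected requests are exactly the ones a remote attacker would send.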
  • (4) MODERATE: FFmpeg VMD File Processing Integer Overflow Vulnerability
  • Affected:
    • FFmpeg 0.5
  • Description: FFmpeg is a cross-platform solution to record, convert and stream audio and video in many formats. An integer overflow vulnerability has been identified in FFmpeg that can be triggered by a specially crafted Sierra Video and Music Data (VMD) file. The specific flaw is in the "vmd_read_header()" function in "libavformat/sierravmd.c", which fails to perform adequate checks on the size values read from the file header. An attacker would have to entice a user into opening a specially crafted VMD file, for example by sending it as an e-mail attachment or by e-mailing a link to a site that hosts the malformed file. Successful exploitation might allow an attacker to execute arbitrary code in the context of the application that uses the affected library, which includes the many media players and converters that bundle libavformat. Full technical details for the vulnerability are available through source code analysis.

  • Status: Vendor confirmed, updates available.

  • References:
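An added example, not FFmpeg's code, of the header-sizing pattern behind this class of bug: two 16-bit counts taken from a file header are multiplied by a record size to allocate a table. The header layout (frame_count, frames_per_block and toc_offset at fixed offsets), both record sizes and the sample values are assumed for illustration and do not reproduce the real VMD format. The unchecked product wraps in 32 bits to an allocation far smaller than the number of records the file claims, which is what a later table-filling loop then overruns; the checked version computes in 64 bits and bounds the count by what the file can actually contain.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>

/*
 * Illustrative stand-in for a VMD-style container header (assumed layout,
 * not the real format):
 *   offset 0: frame_count       (u16, little-endian)
 *   offset 2: frames_per_block  (u16, little-endian)
 *   offset 4: toc_offset        (u32, little-endian) where the on-disk table starts
 */
#define HDR_SIZE          8u
#define RECORD_SIZE       16u   /* bytes per in-memory record (assumed) */
#define DISK_RECORD_SIZE  6u    /* bytes per on-disk record (assumed) */

static uint16_t rl16(const uint8_t *p)
{
    return (uint16_t)(p[0] | (p[1] << 8));
}

static uint32_t rl32(const uint8_t *p)
{
    return (uint32_t)p[0] | (uint32_t)p[1] << 8 | (uint32_t)p[2] << 16 | (uint32_t)p[3] << 24;
}

/* Pre-fix pattern: the allocation size is computed in 32 bits and silently wraps. */
uint32_t table_bytes_unchecked(const uint8_t *hdr)
{
    uint32_t frames = rl16(hdr), per_block = rl16(hdr + 2);
    return frames * per_block * RECORD_SIZE;      /* wraps modulo 2^32 */
}

/*
 * Hardened: widen to 64 bits before multiplying, then reject any record count
 * that the file could not back with data.  Returns 0 and the byte count to
 * allocate, or -1 if the header is inconsistent.
 */
int table_bytes_checked(const uint8_t *hdr, size_t file_size, size_t *bytes_out)
{
    uint64_t frames = rl16(hdr), per_block = rl16(hdr + 2);
    uint64_t toc_offset = rl32(hdr + 4);
    uint64_t records = frames * per_block;        /* at most 0xFFFE0001: cannot wrap in 64 bits */

    if (frames == 0 || per_block == 0)
        return -1;
    if (toc_offset < HDR_SIZE || toc_offset > file_size)
        return -1;                                /* table must start inside the file */
    if (records > (file_size - toc_offset) / DISK_RECORD_SIZE)
        return -1;                                /* more records than the file can hold */
    if (records > SIZE_MAX / RECORD_SIZE)
        return -1;                                /* guards a 32-bit size_t as well */
    *bytes_out = (size_t)(records * RECORD_SIZE);
    return 0;
}

/* Write a header into hdr[HDR_SIZE]: constructed test input, not a real file. */
void make_header(uint8_t *hdr, uint16_t frames, uint16_t per_block, uint32_t toc_offset)
{
    hdr[0] = (uint8_t)(frames & 0xff);            hdr[1] = (uint8_t)(frames >> 8);
    hdr[2] = (uint8_t)(per_block & 0xff);         hdr[3] = (uint8_t)(per_block >> 8);
    hdr[4] = (uint8_t)(toc_offset & 0xff);        hdr[5] = (uint8_t)((toc_offset >> 8) & 0xff);
    hdr[6] = (uint8_t)((toc_offset >> 16) & 0xff); hdr[7] = (uint8_t)(toc_offset >> 24);
}

int main(void)
{
    uint8_t hdr[HDR_SIZE];
    size_t bytes = 0;

    /* 0x4000 * 0x4001 records = 268,451,840, but 16 bytes each wraps to 262,144. */
    make_header(hdr, 0x4000, 0x4001, HDR_SIZE);
    printf("unchecked allocation: %u bytes for %lu records\n",
           (unsigned)table_bytes_unchecked(hdr), 0x4000UL * 0x4001UL);
    printf("checked: %s\n",
           table_bytes_checked(hdr, 4096, &bytes) == 0 ? "accepted" : "rejected");
    return 0;
}
```

The file-size bound is the check that does the real work: a 16-bit-by-16-bit product never wraps 64-bit arithmetic, so the question is not whether the multiplication is exact but whether the claimed table can exist at all in a file of that length.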
  • (5) MODERATE: httpdx Format String Vulnerability
  • Affected:
    • httpdx version 1.4 and prior
  • Description: httpdx is a lightweight HTTP and FTP server for Windows. A format string vulnerability has been identified in httpdx that can be triggered by a specially crafted HTTP request. The specific flaw is in the "h_readrequest()" function in "httpd_src/http.cpp", which hands the attacker-controlled Host header to a printf-style function as the format string rather than as an argument. Successful exploitation may result in arbitrary code execution or a denial-of-service condition. Full technical details for this vulnerability are publicly available along with a proof-of-concept.

  • Status: Vendor confirmed, updates available.

  • References:
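Items (2) and (5) are both failures in handling an attacker-controlled HTTP request: an unbounded copy of the request line into a fixed buffer, and a Host header used as a printf format. The C code below is an added example (not BigAnt's or httpdx's code) of a minimal request parser that rejects over-long lines instead of copying them and only ever passes header values as "%s" arguments. The 256-byte line limit, the struct fields and the two constructed sample requests are this example's assumptions.

```c
#include <ctype.h>
#include <stdio.h>
#include <string.h>

#define LINE_MAX_LEN 256   /* longest request or header line accepted (assumed limit) */

typedef struct {
    char method[8];
    char path[LINE_MAX_LEN];
    char host[LINE_MAX_LEN];
} request_t;

/* Case-insensitive prefix test for header names. */
static int has_prefix_ci(const char *s, const char *prefix)
{
    for (; *prefix; s++, prefix++)
        if (tolower((unsigned char)*s) != tolower((unsigned char)*prefix))
            return 0;
    return 1;
}

/*
 * Copy one CRLF-terminated line from 'req' into 'line' (NUL-terminated).
 * Returns the number of bytes consumed, or -1 when the line would not fit:
 * this length check is what an unbounded strcpy()/sprintf() into a fixed
 * stack buffer omits, and an over-long GET line then overwrites the stack.
 */
static int read_line(const char *req, char *line, size_t linesz)
{
    const char *eol = strstr(req, "\r\n");
    size_t len = eol ? (size_t)(eol - req) : strlen(req);

    if (len + 1 > linesz)
        return -1;
    memcpy(line, req, len);
    line[len] = '\0';
    return (int)(len + (eol ? 2 : 0));
}

/* Parse the request line and the Host header. Returns 0, or -1 on any violation. */
int parse_request(const char *req, request_t *r)
{
    char line[LINE_MAX_LEN];
    int n = read_line(req, line, sizeof line);

    if (n < 0)
        return -1;                              /* oversized request line: reject, do not truncate silently */
    /* The width specifiers bound each field to its destination buffer. */
    if (sscanf(line, "%7s %255s", r->method, r->path) != 2)
        return -1;
    req += n;

    r->host[0] = '\0';
    while (*req != '\0') {
        n = read_line(req, line, sizeof line);
        if (n < 0)
            return -1;
        if (line[0] == '\0')
            break;                              /* blank line terminates the headers */
        if (has_prefix_ci(line, "Host:")) {
            const char *v = line + 5;
            while (*v == ' ' || *v == '\t')
                v++;
            /* Attacker bytes are an argument to "%s", never the format itself. */
            snprintf(r->host, sizeof r->host, "%s", v);
        }
        req += n;
    }
    return 0;
}

/*
 * Build a log record for the request.  The pre-fix pattern in a format string
 * bug is snprintf(buf, bufsz, r->host): with the header as the format, "%x"
 * reads the stack and "%n" writes to memory.  Here every user-controlled
 * field travels through "%s", so directives in it stay literal text.
 */
int format_log(char *buf, size_t bufsz, const request_t *r)
{
    return snprintf(buf, bufsz, "%s %s host=%s", r->method, r->path, r->host);
}

/* Constructed sample: a 3000-byte GET line, the over-long request of item (2). */
int demo_long_request(void)
{
    static char big[3100];
    request_t r;

    memset(big, 'A', 3000);
    memcpy(big, "GET /", 5);
    memcpy(big + 3000, " HTTP/1.0\r\n\r\n", 14);   /* 13 characters plus NUL */
    return parse_request(big, &r);
}

int main(void)
{
    /* Constructed sample carrying printf directives in the Host header, as in item (5). */
    const char *req = "GET /index.html HTTP/1.0\r\nHost: %x%x%n.example\r\n\r\n";
    request_t r;
    char logbuf[512];

    if (parse_request(req, &r) == 0) {
        format_log(logbuf, sizeof logbuf, &r);
        printf("%s\n", logbuf);                 /* the directives print literally */
    }
    printf("long request: %s\n", demo_long_request() == 0 ? "accepted" : "rejected");
    return 0;
}
```

Rejecting rather than truncating is deliberate: a server that silently shortens a 3000-byte request line keeps running, but a request that large has no legitimate purpose against an IM server or a small file server, and refusing it is also the cleanest thing to alert on.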
Part II: Weekly Comprehensive List of Newly Discovered Vulnerabilities
Week 38, 2009

This list is compiled by Qualys ( www.qualys.com ) as part of that company's ongoing effort to ensure its vulnerability management web service tests for all known vulnerabilities that can be scanned. As of this week Qualys scans for 7439 unique vulnerabilities. For this special SANS community listing, Qualys also includes vulnerabilities that cannot be scanned remotely.


  • 09.38.1 - CVE: Not Available
  • Platform: Windows
  • Title: Microsoft Windows RDP Connection Denial of Service
  • Description: Remote Desktop Protocol (RDP) is a protocol that allows users to have remote access to another user's desktop. Microsoft Windows is exposed to a remote denial of service issue that occurs when the operating system handles several RDP connection requests. Windows Vista and Windows 7 are affected.
  • Ref: http://www.securityfocus.com/archive/1/506381

  • 09.38.2 - CVE: Not Available
  • Platform: Third Party Windows Apps
  • Title: FTPShell Client "CWD" Command Remote Buffer Overflow
  • Description: FTPShell Client is an FTP client available for Microsoft Windows. The application is exposed to a remote buffer overflow issue because it fails to perform adequate boundary checks on user-supplied data. This issue occurs when handling a specially crafted "CWD" command. FTPShell Client version 4.1 RC2 is affected.
  • Ref: http://www.securityfocus.com/bid/36327

  • 09.38.3 - CVE: Not Available
  • Platform: Third Party Windows Apps
  • Title: Altiris eXpress NS SC Download ActiveX Control Arbitrary File Download
  • Description: Altiris eXpress NS SC Download is an ActiveX component of the Altiris eXpress Notification Server. The control is exposed to an issue that can allow malicious files to be downloaded and saved to arbitrary locations on an affected computer. This issue occurs because the control fails to validate user-supplied data. Altiris eXpress NS SC Download ActiveX control version 6.0.0.1418 is affected.
  • Ref: http://www.securityfocus.com/bid/36346

  • 09.38.4 - CVE: Not Available
  • Platform: Third Party Windows Apps
  • Title: Zoom Player Pro Malformed MIDI File Integer Overflow
  • Description: Zoom Player Pro is a media player available for Microsoft Windows. The application is exposed to an integer overflow issue because it fails to perform adequate boundary checks on user-supplied data. This vulnerability occurs when handling malformed MIDI files. Zoom Player Pro versions 5.0.2 and 6.0.0 are affected.
  • Ref: http://www.securityfocus.com/bid/36347

  • 09.38.5 - CVE: Not Available
  • Platform: Third Party Windows Apps
  • Title: PowerISO Buffer Overflow
  • Description: PowerISO is an ISO, BIN, NRG, IMG, and DAA file-archiving application for various Microsoft Windows platforms. PowerISO is exposed to a buffer overflow issue because it fails to perform adequate boundary checks on user-supplied data. This issue occurs when handling specially crafted files. PowerISO version 4.0 is affected.
  • Ref: http://www.securityfocus.com/bid/36387

  • 09.38.6 - CVE: Not Available
  • Platform: Third Party Windows Apps
  • Title: DataWizard FtpXQ Remote Denial of Service
  • Description: FtpXQ is an FTP server for Microsoft Windows. The application is exposed to a denial of service issue when handling user-supplied data. Specifically, the issue arises when an attacker who has already authenticated sends a large number of string values such as "./A". FtpXQ version 3.0 is affected.
  • Ref: http://www.securityfocus.com/bid/36391

  • 09.38.7 - CVE: Not Available
  • Platform: Third Party Windows Apps
  • Title: FileCOPA FTP Server "NOOP" Command Denial of Service
  • Description: FileCOPA FTP Server is an FTP server application available for Microsoft Windows. The software is exposed to a denial of service issue because it fails to handle several specially crafted "NOOP" commands. FileCOPA FTP Server version 5.01 is affected.
  • Ref: http://www.securityfocus.com/bid/36397

  • 09.38.8 - CVE: Not Available
  • Platform: Third Party Windows Apps
  • Title: Novell GroupWise Client "gxmim1.dll" ActiveX Control Buffer Overflow
  • Description: Novell GroupWise Client allows users to access Novell services from remote computers. Novell GroupWise Client is exposed to a buffer overflow issue because it fails to perform adequate boundary checks on user-supplied data. The vulnerability affects the "SetFontFace()" method of the "gxmim1.dll" ActiveX control. Novell GroupWise Client version 7.0.3.1294 is affected.
  • Ref: http://www.securityfocus.com/bid/36398

  • 09.38.9 - CVE: Not Available
  • Platform: Third Party Windows Apps
  • Title: BRS WebWeaver "Scripts" Security Bypass
  • Description: BRS WebWeaver is a web server application for Microsoft Windows platforms. BRS WebWeaver is exposed to a security bypass issue because it fails to properly validate user-supplied input. Attackers can access executable scripts via the "%installdir%/scripts" directory. BRS WebWeaver version 1.33 is affected.
  • Ref: http://www.securityfocus.com/bid/36399

  • 09.38.10 - CVE: Not Available
  • Platform: Third Party Windows Apps
  • Title: EasyMail Objects "emimap4.dll" ActiveX Control Remote Code Execution
  • Description: EasyMail Objects is an application that provides email sending/receiving for ActiveX applications. EasyMail Objects ActiveX control is exposed to a remote code execution issue because the application fails to properly sanitize user-supplied data. The issue occurs in the "LicenseKey" property of the "emimap4.dll" ActiveX control. EasyMail Objects version 6.0.2.0 is affected.
  • Ref: http://support.microsoft.com/kb/240797

  • 09.38.11 - CVE: CVE-2009-2800
  • Platform: Mac Os
  • Title: Apple Mac OS X Alias Manager Buffer Overflow
  • Description: Alias Manager is a component of the Apple Mac OS X operating system. Alias Manager is exposed to a buffer overflow issue when handling specially crafted alias files. Successfully exploiting this issue may allow attackers to execute arbitrary code within the context of the application.
  • Ref: http://www.securityfocus.com/bid/36354

  • 09.38.12 - CVE: CVE-2009-2803
  • Platform: Mac Os
  • Title: Apple Mac OS X CarbonCore Memory Corruption
  • Description: CarbonCore is a component of the Apple Mac OS X operating system. The application is exposed to a memory corruption issue when handling files with a maliciously crafted resource fork. Mac OS X versions 10.4.11 and earlier; Mac OS X Server versions 10.4.11 and earlier; Mac OS X versions 10.5.8 and earlier and Mac OS X Server versions 10.5.8 and earlier are affected.
  • Ref: http://www.securityfocus.com/bid/36355

  • 09.38.13 - CVE: CVE-2009-2804
  • Platform: Mac Os
  • Title: Apple Mac OS X ColorSync Heap-Based Buffer Overflow
  • Description: ColorSync is a component of the Apple Mac OS X operating system. ColorSync is exposed to a heap-based buffer overflow issue caused by an integer overflow. An attacker can exploit this issue by tricking a victim into opening a maliciously crafted image with an embedded ColorSync profile.
  • Ref: http://www.securityfocus.com/bid/36357

  • 09.38.14 - CVE: CVE-2009-2805
  • Platform: Mac Os
  • Title: Apple Mac OS X CoreGraphics Heap-Based Buffer Overflow
  • Description: CoreGraphics is a component of the Apple Mac OS X operating system. CoreGraphics is exposed to a heap-based buffer overflow issue caused by an integer overflow. An attacker can exploit this issue by tricking a victim into opening a PDF file containing a maliciously crafted JBIG2 stream.
  • Ref: http://www.securityfocus.com/bid/36358

  • 09.38.15 - CVE: CVE-2009-2809
  • Platform: Mac Os
  • Title: Apple Mac OS X ImageIO Multiple Memory Corruption Vulnerabilities
  • Description: ImageIO is a component of the Apple Mac OS X operating system. ImageIO is exposed to multiple memory-corruption issues when handling maliciously crafted PixarFilm encoded TIFF images. An attacker can exploit these issues by tricking a victim into opening a malicious file.
  • Ref: http://www.securityfocus.com/bid/36359

  • 09.38.16 - CVE: CVE-2009-2811
  • Platform: Mac Os
  • Title: Apple Mac OS X Launch Services Security Bypass
  • Description: Launch Services is a component of the Apple Mac OS X operating system. The Launch Services component is exposed to an issue that may allow attackers to bypass certain security warnings. Specifically, the application may not warn a user before opening potentially unsafe ".fileloc" files. Mac OS X versions 10.5.8 and earlier and Mac OS X Server versions 10.5.8 and earlier are affected.
  • Ref: http://www.securityfocus.com/bid/36360

  • 09.38.17 - CVE: CVE-2009-2812
  • Platform: Mac Os
  • Title: Apple Mac OS X Launch Services Remote Code Execution
  • Description: Launch Services is a component of the Apple Mac OS X operating system. The Launch Services component is exposed to a remote code execution issue. Specifically, a design error exists in the component when handling exported document types and may cause a safe file extension to be associated with an unsafe Uniform Type Identifier (UTI). Mac OS X versions 10.5.8 and earlier and Mac OS X Server versions 10.5.8 and earlier are affected.
  • Ref: http://www.securityfocus.com/bid/36361

  • 09.38.18 - CVE: CVE-2009-2813
  • Platform: Mac Os
  • Title: Apple Mac OS X SMB Security Bypass
  • Description: SMB is a component of the Apple Mac OS X operating system that facilitates the Windows File Sharing functionality. The SMB component is exposed to an issue that may allow attackers to bypass certain security restrictions. Specifically, the issue is due to an unchecked error condition in Samba. The error may cause folders to be shared unexpectedly allowing a user who does not have a configured home directory to access the contents of the file system through sharing functionality (the Windows File Sharing service).
  • Ref: http://www.securityfocus.com/bid/36363

  • 09.38.19 - CVE: CVE-2009-2201
  • Platform: Mac Os
  • Title: Apple Xsan Admin Error Message Information Disclosure
  • Description: Apple Xsan is a storage area network (SAN) application for Mac OS X. Xsan is exposed to an information disclosure issue affecting the Xsan Admin component. Specifically, password data may be included in error messages displayed when Xsan is accessed remotely via Apple Screen Sharing. Xsan versions prior to 2.2 are affected.
  • Ref: http://www.securityfocus.com/bid/36385

  • 09.38.20 - CVE: CVE-2009-2903
  • Platform: Linux
  • Title: Linux Kernel AppleTalk Driver IP Over DDP Remote Denial of Service
  • Description: The Linux Kernel is exposed to a remote denial of service issue in the AppleTalk driver. Specifically, a memory leak occurs when the driver processes IP over DDP (Datagram Delivery Protocol) packets. Linux Kernel versions 2.6.31 and earlier are affected.
  • Ref: https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2009-2903

  • 09.38.21 - CVE: Not Available
  • Platform: Linux
  • Title: GNU Troff pdfroff Insecure Temporary File Creation and Arbitrary File Access Vulnerabilities
  • Description: GNU Troff (groff) is a document-formatting utility used on Linux systems. groff is exposed to multiple local issues that exist in the pdfroff tool. Successfully exploiting these issues may allow attackers to mount symlink attacks, which may allow the attacker to delete or corrupt sensitive files.
  • Ref: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=538330

  • 09.38.22 - CVE: CVE-2009-2707
  • Platform: Linux
  • Title: Linux Kernel Intel 32bit Emulation Mode Local Denial of Service
  • Description: The Linux kernel is exposed to a local denial of service issue due to an unspecified error. Attackers can exploit this issue to crash the affected kernel, resulting in a denial of service condition.
  • Ref: http://www.securityfocus.com/bid/36393

  • 09.38.23 - CVE: CVE-2009-2679
  • Platform: HP-UX
  • Title: HP-UX bootpd Unspecified Remote Denial of Service
  • Description: HP-UX is exposed to a remote denial of service issue. Exploiting this issue allows remote attackers to trigger denial of service conditions. HP-UX versions B.11.11, B.11.23, and B.11.31 running bootpd are affected.
  • Ref: http://www.securityfocus.com/bid/36395

  • 09.38.24 - CVE: Not Available
  • Platform: BSD
  • Title: FreeBSD "kqueue" Unspecified NULL Pointer Dereference
  • Description: FreeBSD is a BSD-based operating system. FreeBSD is exposed to a local NULL-pointer dereference issue due to an unspecified error affecting "kqueue". A local attacker can exploit this issue to execute arbitrary code with superuser privileges or crash an affected kernel, denying service to legitimate users. FreeBSD versions 6.4 and earlier are affected.
  • Ref: http://www.securityfocus.com/archive/1/506449

  • 09.38.25 - CVE: Not Available
  • Platform: Solaris
  • Title: Sun Solaris lx Branded Zones Local Denial Of Service
  • Description: Sun Solaris is a UNIX-based operating system. Sun Solaris is exposed to a local denial of service issue in the lx branded zones. A local unprivileged user may be able to exploit this issue to cause the local system to panic, effectively denying service to legitimate users.
  • Ref: http://sunsolve.sun.com/search/document.do?assetkey=1-66-266228-1

  • 09.38.26 - CVE: Not Available
  • Platform: Solaris
  • Title: Sun Solaris "w(1)" Utility Local Privilege Escalation
  • Description: The "w(1)" utility is a command-line application that provides a summary of every currently logged-in user. The "w(1)" utility is exposed to a local privilege escalation issue because it fails to properly bounds check user-supplied data before copying it into an inadequately sized memory buffer. Solaris 8, Solaris 9, Solaris 10 and OpenSolaris based on builds snv_01 through snv_123 are affected.
  • Ref: http://sunsolve.sun.com/search/document.do?assetkey=1-66-266348-1

  • 09.38.27 - CVE: CVE-2009-2807
  • Platform: Unix
  • Title: CUPS USB backend Local Heap-Based Buffer Overflow
  • Description: CUPS (Common UNIX Printing System) is a widely used set of printing utilities for UNIX-based systems. CUPS is exposed to a local heap-based buffer overflow issue because the application fails to perform adequate boundary checks on user-supplied data. This issue occurs in the CUPS USB backend.
  • Ref: http://www.securityfocus.com/bid/36350

  • 09.38.28 - CVE: Not Available
  • Platform: Cross Platform
  • Title: GNOME glib Symbolic Link Arbitrary File Access
  • Description: The GNOME glib library is a general-purpose utility library. The application is exposed to an arbitrary file access issue that occurs in the "file_copy_fallback()" function of the "gfile.c" source file. Local attackers can exploit this issue to gain access to sensitive information or overwrite files on the affected computer.
  • Ref: https://bugzilla.gnome.org/show_bug.cgi?id=593406

  • 09.38.29 - CVE: Not Available
  • Platform: Cross Platform
  • Title: PostgreSQL Multiple Security Vulnerabilities
  • Description: PostgreSQL is an open-source relational database suite. It is available for UNIX, Linux, their variants, Apple Mac OS X, and Microsoft Windows. PostgreSQL is exposed to multiple security issues. Attackers can exploit these issues to shut down affected servers, perform certain actions with elevated privileges, and bypass authentication mechanisms to perform unauthorized actions.
  • Ref: https://bugzilla.redhat.com/show_bug.cgi?id=522085#c1

  • 09.38.30 - CVE: CVE-2009-2202, CVE-2009-2203, CVE-2009-2798, CVE-2009-2799
  • Platform: Cross Platform
  • Title: Apple QuickTime Multiple Arbitrary Code Execution Vulnerabilities
  • Description: Apple QuickTime is a media player that supports multiple file formats. QuickTime is exposed to multiple remote issues that may allow remote attackers to execute arbitrary code or carry out denial of service attacks. QuickTime versions prior to 7.6.4 are affected on Windows 7, Vista, and XP, and Mac OS X platforms.
  • Ref: http://www.securityfocus.com/archive/1/506388

  • 09.38.31 - CVE: Not Available
  • Platform: Cross Platform
  • Title: aria2 "DHTRoutingTableDeserializer::deserialize()" Buffer Overflow
  • Description: aria2 is a client application used to download files via a number of protocols. It is available for multiple operating systems. aria2 is exposed to a buffer overflow issue because it fails to perform adequate boundary checks on user-supplied data before copying it to insufficiently sized buffers. aria2 versions prior to 1.2.0 are affected.
  • Ref: https://qa.mandriva.com/show_bug.cgi?id=52840

  • 09.38.32 - CVE: Not Available
  • Platform: Cross Platform
  • Title: Media Player Classic ".mid" File Processing Integer Overflow
  • Description: Media Player Classic is a media player that supports multiple file formats. The application is exposed to an integer overflow issue because it fails to properly bounds check user-supplied input. The issue occurs when the application handles specially crafted ".mid" files. Media Player Classic version 6.4.9 is affected.
  • Ref: http://www.securityfocus.com/bid/36333

  • 09.38.33 - CVE: CVE-2009-3069, CVE-2009-3070, CVE-2009-3071, CVE-2009-3072, CVE-2009-3073, CVE-2009-3074, CVE-2009-3075, CVE-2009-3076, CVE-2009-3077, CVE-2009-3078, CVE-2009-3079
  • Platform: Cross Platform
  • Title: Mozilla Firefox MFSA 2009-47, -48, -49, -50, -51 Multiple Vulnerabilities
  • Description: The Mozilla Foundation has released multiple advisories to address issues in Firefox. Mozilla Firefox is exposed to the following issues: 1) multiple memory corruption issues in the browser engine, 2) a weakness when adding or removing modules with "pkcs11.addmodule" or "pkcs11.deletemodule" results in a dialog not displaying sufficient information, 3) a remote code execution issue exists because the columns of a XUL tree element can be manipulated to point to freed memory, 4) an issue affects the browser because the default font used to render the location bar would improperly display certain Unicode characters with a tall line-height, and 5) a privilege escalation issue affects the "BrowserFeedWriter" because it could be leveraged to run JavaScript code from web pages with chrome privileges.
  • Ref: http://www.zerodayinitiative.com/advisories/ZDI-09-065/

  • 09.38.34 - CVE: CVE-2009-3025
  • Platform: Cross Platform
  • Title: Pidgin Yahoo Instant Messenger Protocol Link Denial of Service
  • Description: Pidgin is a multiplatform instant messaging client that supports multiple messaging protocols. Pidgin is exposed to a denial of service issue because it fails to properly handle malformed links sent via the Yahoo Instant Messenger protocol.
  • Ref: http://www.securityfocus.com/bid/36367

  • 09.38.35 - CVE: CVE-2009-3026
  • Platform: Cross Platform
  • Title: Pidgin "protocols/jabber/auth.c" JABBER Server XMPP Specifications Man In The Middle
  • Description: Pidgin is a multiplatform instant messaging application. Pidgin is exposed to a man-in-the-middle issue that occurs because the application does not require the TLS/SSL preference to be enabled when connecting to older Jabber servers that do not follow the XMPP specification. Pidgin version 2.6.0 is affected.
  • Ref: http://www.securityfocus.com/bid/36368

  • 09.38.36 - CVE: CVE-2009-3166
  • Platform: Cross Platform
  • Title: Mozilla Bugzilla URL Password Information Disclosure
  • Description: Bugzilla is a freely available, open-source bug tracker available for Linux, UNIX, and Microsoft Windows. The application is exposed to an information disclosure issue. Specifically when a user resets their password and logs in, the password would appear in the URL of the browser. This means that the password will be displayed in the webserver logs and Referer header. Bugzilla versions 3.4rc1 through 3.4.1 are affected.
  • Ref: https://bugzilla.mozilla.org/show_bug.cgi?id=508189

  • 09.38.37 - CVE: Not Available
  • Platform: Cross Platform
  • Title: Dovecot Sieve Plugin Multiple Unspecified Buffer Overflow Vulnerabilities
  • Description: Dovecot is a mail-server application for Linux and UNIX-like operating systems. Dovecot Sieve plugin is exposed to multiple buffer overflow issues due to unspecified errors. Successful exploits may allow attackers to execute arbitrary code within the context of the affected application or to cause denial of service conditions. Dovecot Sieve plugin versions prior to 1.1.7 and 1.0.4 are affected.
  • Ref: http://www.dovecot.org/list/dovecot-news/2009-September/000135.html

  • 09.38.38 - CVE: CVE-2009-2629
  • Platform: Cross Platform
  • Title: nginx HTTP Request Remote Buffer Overflow
  • Description: nginx is an HTTP server and mail proxy server. nginx is exposed to a remote buffer overflow issue because the application fails to perform adequate boundary checks on user-supplied data. The issue occurs when handling certain HTTP requests.
  • Ref: http://www.kb.cert.org/vuls/id/180065

  • 09.38.39 - CVE: Not Available
  • Platform: Cross Platform
  • Title: HP StorageWorks Products Remote Management Interface Remote Denial of Service
  • Description: HP StorageWorks products are used for protection of data. HP StorageWorks products are exposed to a remote denial of service issue due to an unspecified error in the Remote Management Interface.
  • Ref: http://www13.itrc.hp.com/service/cki/docDisplay.do?docId=emr_na-c01868405&admit=109447627+1253119966800+28353475 (login required)

  • 09.38.40 - CVE: Not Available
  • Platform: Cross Platform
  • Title: Cerberus FTP Server Long Command Remote Denial of Service
  • Description: Cerberus FTP Server is an FTP server available for Microsoft Windows. The application is exposed to a denial of service issue when an overly large string is sent as a command. An attacker can exploit this issue to terminate the affected application, denying service to legitimate users. Cerberus FTP Server version 3.0.3 is affected.
  • Ref: http://www.securityfocus.com/bid/36390

  • 09.38.41 - CVE: Not Available
  • Platform: Cross Platform
  • Title: Proland Protector Plus Insecure Program File Permissions Local Privilege Escalation
  • Description: Proland Protector Plus is an anti-virus application available for Microsoft Windows. The application is exposed to a local privilege escalation issue because the application installs its own program files with "Everyone - Full Control" permissions. Protector Plus 2009 for Windows Desktops 8.0.E03; Windows Server 8.0.E03 and Protector Plus Professional 9.1.001 are affected.
  • Ref: http://www.securityfocus.com/archive/1/506479

  • 09.38.42 - CVE: Not Available
  • Platform: Cross Platform
  • Title: VLC Media Player CUE File Buffer Overflow
  • Description: VLC is a cross-platform media player that can be used to serve streaming data. VLC is exposed to a buffer overflow issue because it fails to perform adequate boundary checks on user-supplied input. This issue occurs when handling specially crafted ".cue" files. VLC media player versions prior to 0.9.6 are affected.
  • Ref: http://www.securityfocus.com/bid/36403

  • 09.38.43 - CVE: CVE-2008-7113, CVE-2008-7112, CVE-2008-7111
  • Platform: Cross Platform
  • Title: Kyocera Mita Scanner File Utility Multiple Remote Vulnerabilities
  • Description: Kyocera Mita Scanner File Utility is an application that allows users to save scanned images on a PC or AT-compatible PC. The application is exposed to multiple remote issues. The attacker can exploit these issues to obtain sensitive information, bypass access control restrictions, upload malicious files to vulnerable computers, or create denial of service conditions. Kyocera Mita Scanner File Utility version 3.3.0.1 is affected.
  • Ref: http://www.securityfocus.com/archive/1/495772

  • 09.38.44 - CVE: Not Available
  • Platform: Cross Platform
  • Title: BigAnt IM Server HTTP GET Request Buffer Overflow
  • Description: BigAnt IM Server is an instant messaging server application to be used with the BigAnt Messenger, an enterprise IM system for Windows platforms. The server is exposed to a remote buffer overflow issue because it fails to perform adequate boundary checks on user-supplied input. The issue occurs when the server handles HTTP GET requests containing an excessive amount of string values.
  • Ref: http://www.securityfocus.com/bid/36407

  • 09.38.45 - CVE: Not Available
  • Platform: Cross Platform
  • Title: Wireshark 1.2.1 Multiple Vulnerabilities
  • Description: Wireshark (formerly Ethereal) is an application for analyzing network traffic; it is available for Microsoft Windows and for UNIX-like operating systems. Wireshark is exposed to multiple issues when handling certain types of packets and protocols in varying conditions. Wireshark versions 0.99.6 through 1.2.1 are affected.
  • Ref: http://www.wireshark.org/security/wnpa-sec-2009-06.html

  • 09.38.46 - CVE: Not Available
  • Platform: Cross Platform
  • Title: Google Chrome prior to 3.0.195.21 Multiple Security Vulnerabilities
  • Description: Google Chrome is a web browser for multiple platforms. The application is exposed to multiple issues. Attackers can exploit these issues to bypass the same-origin policy and to render arbitrary HTML and script code in the context of the affected websites. Google Chrome versions prior to 3.0.195.21 are affected.
  • Ref: http://googlechromereleases.blogspot.com/2009/09/stable-channel-u pdate.html

  • 09.38.47 - CVE: Not Available
  • Platform: Cross Platform
  • Title: Opera Unspecified Security Bypass
  • Description: Opera is a web browser available for various operating systems. The application is exposed to an unspecified security bypass issue that occurs when executing script code while previewing RSS and ATOM feeds. The issue may allow attacker-supplied script code to perform certain actions with elevated privileges and manipulate arbitrary feeds in the Opera browser. Opera versions 9 and 10 are affected.
  • Ref: http://securethoughts.com/2009/09/exploiting-chrome-and-operas-inbuilt-atomrss-reader-with-script-execution-and-more/

  • 09.38.48 - CVE: CVE-2009-2947
  • Platform: Web Application - Cross Site Scripting
  • Title: Xapian Omega Search Query Exception Handling Cross-Site Scripting
  • Description: Xapian is a search library available for a number of platforms. Xapian Omega is a web-based indexing and searching application. The application is exposed to a cross-site scripting issue because it fails to sufficiently sanitize user-supplied input. Specifically, this issue occurs when displaying exceptions caused by crafted search queries. Xapian Omega versions 0.9.9 and 1.0.7 are affected.
  • Ref: http://www.securityfocus.com/bid/36317

  • 09.38.49 - CVE: Not Available
  • Platform: Web Application - Cross Site Scripting
  • Title: Drupal BUEditor Live Preview Cross-Site Scripting
  • Description: BUEditor is a text editor module for the Drupal content manager. The application is exposed to a cross-site scripting issue because it fails to sufficiently sanitize user-supplied data. This issue occurs in the "Live Preview" feature.
  • Ref: http://www.securityfocus.com/bid/36320

  • 09.38.50 - CVE: CVE-2009-2814
  • Platform: Web Application - Cross Site Scripting
  • Title: Apple Mac OS X Wiki Server Cross-Site Scripting
  • Description: Wiki Server is a server application for Apple Mac OS X to host wiki pages. The application is exposed to a cross-site scripting issue because it fails to sanitize user-supplied input. Specifically, the issue occurs when handling search requests that contain non-UTF-8 encoded data. Mac OS X Server versions 10.5.8 and earlier are affected.
  • Ref: http://www.securityfocus.com/bid/36364

  • 09.38.51 - CVE: Not Available
  • Platform: Web Application - Cross Site Scripting
  • Title: Multiple Horde Products Cross-Site Scripting Vulnerabilities and File Overwrite
  • Description: Horde is a PHP-based framework for developing web applications. Since multiple Horde applications fail to sanitize user-supplied input, they are exposed to multiple input validation issues. An attacker can exploit the file overwrite vulnerability to alter potentially sensitive local files in the context of the webserver user.
  • Ref: http://marc.info/?l=horde-announce&m=125292339907481&w=2

  • 09.38.52 - CVE: Not Available
  • Platform: Web Application - Cross Site Scripting
  • Title: NatterChat Multiple Cross-Site Scripting Vulnerabilities
  • Description: NatterChat is a web-based chat system implemented in ASP. The application is exposed to multiple cross-site scripting issues because it fails to sanitize user-supplied input to the following scripts and parameters: "register.asp": "txtUsername" and "room_new.asp": "txtRoomName". NatterChat version 1.12 is affected.
  • Ref: http://www.securityfocus.com/bid/36402

  • 09.38.53 - CVE: Not Available
  • Platform: Web Application - Cross Site Scripting
  • Title: Mega File Hosting Script "emaillinks.php" Cross-Site Scripting
  • Description: Mega File Hosting Script is a PHP-based application for uploading files onto a webserver. The application is exposed to a cross-site scripting issue because it fails to sufficiently sanitize user-supplied input to the "emaillinks.php" script. Mega File Hosting Script version 1.2 is affected.
  • Ref: http://www.securityfocus.com/bid/36413

  • 09.38.54 - CVE: Not Available
  • Platform: Web Application - Cross Site Scripting
  • Title: TuttoPHP Morris Guestbook "view.php" Cross-Site Scripting
  • Description: Morris Guestbook is a PHP-based web application. The application is exposed to a cross-site scripting issue because it fails to sufficiently sanitize user-supplied input to the "pagina" parameter of the "view.php" script.
  • Ref: http://www.securityfocus.com/bid/36415

  • 09.38.55 - CVE: Not Available
  • Platform: Web Application - SQL Injection
  • Title: Joomla! TPDugg Component "id" Parameter SQL Injection
  • Description: TPDugg is a PHP-based component for the Joomla! content manager. The component is exposed to an SQL injection issue because it fails to sufficiently sanitize user-supplied data to the "id" parameter of the "com_tpdugg" component before using it in an SQL query. TPDugg version 1.1 is affected.
  • Ref: http://www.templateplazza.com/

  • 09.38.56 - CVE: Not Available
  • Platform: Web Application - SQL Injection
  • Title: Joomla! Joomloc Component "id" Parameter SQL Injection
  • Description: Joomloc is a PHP-based accommodation management component for the Joomla! content manager. The application is exposed to an SQL injection issue because it fails to sufficiently sanitize user-supplied data to the "id" parameter of the "com_joomloc" component before using it in an SQL query.
  • Ref: http://www.securityfocus.com/bid/36322

  • 09.38.57 - CVE: Not Available
  • Platform: Web Application - SQL Injection
  • Title: Mambo Hestar Component "id" Parameter SQL Injection
  • Description: Hestar is a PHP-based component for the Mambo content manager. The application is exposed to an SQL injection issue because it fails to sufficiently sanitize user-supplied data to the "id" parameter of the "com_hestar" component before using it in an SQL query.
  • Ref: http://www.securityfocus.com/bid/36324

  • 09.38.58 - CVE: Not Available
  • Platform: Web Application - SQL Injection
  • Title: Joomla! Lucy Games Component "gameid" Parameter SQL Injection
  • Description: Lucy Games is a PHP-based component for the Joomla! content manager. The component is exposed to an SQL injection issue because it fails to sufficiently sanitize user-supplied data to the "gameid" parameter of the "com_lucygames" component before using it in an SQL query. Lucy Games version 1.5.4 is affected.
  • Ref: http://www.securityfocus.com/bid/36334

  • 09.38.59 - CVE: Not Available
  • Platform: Web Application - SQL Injection
  • Title: Nicecoder iDesk "download.php" SQL Injection
  • Description: Nicecoder iDesk is a web-based customer support application. The application is exposed to an SQL injection issue because it fails to sufficiently sanitize user-supplied data to the "cat_id" parameter of the "download.php" script before using it in an SQL query.
  • Ref: http://www.securityfocus.com/bid/36348

  • 09.38.60 - CVE: Not Available
  • Platform: Web Application - SQL Injection
  • Title: Joomla! "com_pressrelease" Component "id" Parameter SQL Injection
  • Description: "com_pressrelease" is a PHP-based component for the Joomla! content manager. The component is exposed to an SQL injection issue because it fails to sufficiently sanitize user-supplied data to the "id" parameter of the component before using it in an SQL query.
  • Ref: http://www.securityfocus.com/bid/36351

  • 09.38.61 - CVE: Not Available
  • Platform: Web Application - SQL Injection
  • Title: Joomla! "com_speech" Component "id" Parameter SQL Injection
  • Description: "com_speech" is a PHP-based component for Joomla! The application is exposed to an SQL injection issue because it fails to sufficiently sanitize user-supplied data to the "id" parameter before using it in an SQL query.
  • Ref: http://www.securityfocus.com/bid/36352

  • 09.38.62 - CVE: Not Available
  • Platform: Web Application - SQL Injection
  • Title: Joomla! "com_mediaalert" Component "id" Parameter SQL Injection
  • Description: "com_mediaalert" is a PHP-based component for the Joomla! content manager. The component is exposed to an SQL injection issue because it fails to sufficiently sanitize user-supplied data to the "id" parameter of the component before using it in an SQL query.
  • Ref: http://www.securityfocus.com/bid/36356

  • 09.38.63 - CVE: Not Available
  • Platform: Web Application - SQL Injection
  • Title: Mozilla Bugzilla "Bug.search()" WebService Function SQL Injection
  • Description: Bugzilla is a freely available, open source bug tracker available for Linux, UNIX, and Microsoft Windows. The application is exposed to an SQL injection issue because it fails to sufficiently sanitize user-supplied data before using it in an SQL query. This issue affects the "Bug.search()" WebService function. Bugzilla versions 3.3.2 to 3.4.1 and 3.5 are affected.
  • Ref: https://bugzilla.mozilla.org/show_bug.cgi?id=515191

  • 09.38.64 - CVE: CVE-2009-3125
  • Platform: Web Application - SQL Injection
  • Title: Mozilla Bugzilla "Bug.create()" WebService Function SQL Injection
  • Description: Bugzilla is a freely available, open source bug tracker available for Linux, UNIX, and Microsoft Windows. The application is exposed to an SQL injection issue because it fails to sufficiently sanitize user-supplied data before using it in an SQL query. This issue affects the "Bug.create()" WebService function. Bugzilla versions 2.23.4 through 3.0.8, 3.1.1 through 3.2.4, and 3.3.1 through 3.4.1 are affected.
  • Ref: https://bugzilla.mozilla.org/show_bug.cgi?id=515191

  • 09.38.65 - CVE: Not Available
  • Platform: Web Application - SQL Injection
  • Title: Serendipity Freetag Plugin SQL Injection
  • Description: Freetag is a plugin for the Serendipity weblog. It displays tag names specified in a URL in the browser. The component is exposed to an SQL injection issue because it fails to sufficiently sanitize user-supplied data to an unspecified "GET" variable before using it in an SQL query. Serendipity Freetag plugin versions prior to 3.08 are affected.
  • Ref: http://www.dovecot.org/list/dovecot-news/2009-September/000135.html

  • 09.38.66 - CVE: Not Available
  • Platform: Web Application - SQL Injection
  • Title: Joomla! AlphaUserPoints Component "username2points" Parameter SQL Injection
  • Description: AlphaUserPoints is a PHP-based component for the Joomla! content manager. The component is exposed to an SQL injection issue because it fails to sufficiently sanitize user-supplied data to the "username2points" parameter of the "assets/ajax/checkusername" script before using it in an SQL query.
  • Ref: http://www.securityfocus.com/bid/36383

  • 09.38.67 - CVE: Not Available
  • Platform: Web Application - SQL Injection
  • Title: PHP Pro Bid "auction_details.php" SQL Injection
  • Description: PHP Pro Bid is a web-based auction application. The application is exposed to an SQL injection issue because it fails to sufficiently sanitize user-supplied data to the "auction_id" parameter of the "auction_details.php" script before using it in an SQL query.
  • Ref: http://www.securityfocus.com/bid/36389

  • 09.38.68 - CVE: Not Available
  • Platform: Web Application - SQL Injection
  • Title: NetArt Media iBoutique.MALL "cat" Parameter SQL Injection
  • Description: NetArt Media iBoutique.MALL is a web-based application. The application is exposed to an SQL injection issue because it fails to sufficiently sanitize user-supplied data to the "cat" parameter of the "index.php" script before using it in an SQL query. iBoutique.MALL version 1.2 is affected.
  • Ref: http://www.securityfocus.com/bid/36404

  • 09.38.69 - CVE: Not Available
  • Platform: Web Application - SQL Injection
  • Title: Joomla! djCatalog Component Multiple SQL Injection Vulnerabilities
  • Description: The djCatalog component is a PHP-based application for the Joomla! content manager. The application is exposed to multiple SQL injection issues because it fails to sufficiently sanitize user-supplied data to the "id" and "cid" parameters of the "com_djcatalog" component before using it in an SQL query.
  • Ref: http://www.securityfocus.com/bid/36412

  • 09.38.70 - CVE: Not Available
  • Platform: Web Application - SQL Injection
  • Title: Joomla! TurtuShout Component SQL Injection
  • Description: TurtuShout is a PHP-based component for the Joomla! content manager. The component is exposed to an SQL injection issue because it fails to sufficiently sanitize user-supplied data to the "Name" field before using it in an SQL query. TurtuShout version 0.11 is affected.
  • Ref: http://www.securityfocus.com/bid/36414

  • 09.38.71 - CVE: CVE-2008-4957
  • Platform: Web Application
  • Title: Kitware GCC-XML "find_flags" Script Insecure Temporary File Creation
  • Description: GCC-XML is an application for generating an XML description of C++ code from GCC's internal representation. The application creates temporary files in an insecure manner. Specifically, the issue affects the "find_flags" script. Successfully mounting a symlink attack may allow the attacker to delete or corrupt sensitive files, which may result in a denial of service.
  • Ref: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=496391

  • 09.38.72 - CVE: Not Available
  • Platform: Web Application
  • Title: Drupal Node2Node Module Multiple Unspecified Vulnerabilities
  • Description: Node2Node is a node relationship module for the Drupal content manager. The Node2Node module is exposed to multiple unspecified issues.
  • Ref: http://drupal.org/node/572852

  • 09.38.73 - CVE: Not Available
  • Platform: Web Application
  • Title: Drupal Node Browser Module Multiple Unspecified Vulnerabilities
  • Description: Node Browser is a module for the Drupal content manager. The Node Browser module is exposed to multiple unspecified issues.
  • Ref: http://drupal.org/node/572852

  • 09.38.74 - CVE: Not Available
  • Platform: Web Application
  • Title: Drupal Subdomain Manager Module Multiple Unspecified Vulnerabilities
  • Description: Subdomain Manager is a module for the Drupal content manager. The Subdomain Manager module is exposed to multiple unspecified issues.
  • Ref: http://drupal.org/node/572852

  • 09.38.75 - CVE: Not Available
  • Platform: Web Application
  • Title: Drupal Quota by Role Module Multiple Unspecified Vulnerabilities
  • Description: Quota by role is a module for the Drupal content manager. The Quota by role module is exposed to multiple unspecified issues.
  • Ref: http://drupal.org/node/572852

  • 09.38.76 - CVE: Not Available
  • Platform: Web Application
  • Title: Drupal REST API Module Multiple Unspecified Vulnerabilities
  • Description: REST API is a module for the Drupal content manager. The REST API module is exposed to multiple unspecified issues.
  • Ref: http://drupal.org/node/572852

  • 09.38.77 - CVE: Not Available
  • Platform: Web Application
  • Title: Webservice-DIC yoyaku_41 Remote Arbitrary Command Injection
  • Description: yoyaku_41 is an application from Webservice-DIC to manage conference room reservations. The application is exposed to a remote command injection issue because it fails to adequately sanitize user-supplied input data. yoyaku_41 versions 1.10 and prior are affected.
  • Ref: http://jvn.jp/en/jp/JVN05857667/index.html

  • 09.38.78 - CVE: Not Available
  • Platform: Web Application
  • Title: Ventrilo Multiple Denial Of Service Vulnerabilities
  • Description: Ventrilo is a voice chat application. The application is exposed to multiple denial of service issues. An attacker may exploit these issues to crash the affected application, denying service to legitimate users. Ventrilo version 3.0.5 is affected.
  • Ref: http://aluigi.altervista.org/adv/ventrilomemset-adv.txt

  • 09.38.79 - CVE: Not Available
  • Platform: Web Application
  • Title: Fedora puppet Package Insecure File Permissions
  • Description: Mantis is a web-based bug tracker. It is written in PHP and supported by a MySQL database. The Debian Mantis package is exposed to an insecure file permissions issue. Specifically, this issue occurs because the application creates the "/var/log/puppet" file with insecure permissions.
  • Ref: http://www.securityfocus.com/bid/36378

  • 09.38.80 - CVE: Not Available
  • Platform: Web Application
  • Title: Joomla! Hotel Booking System Multiple Cross-Site Scripting and SQL Injection Vulnerabilities
  • Description: Hotel Booking System is a hotel management component for the Joomla! content manager. Since it fails to adequately sanitize user-supplied input, the application is exposed to multiple issues. Exploiting these issues could allow an attacker to steal cookie-based authentication credentials, compromise the application, access or modify data, or exploit latent vulnerabilities in the underlying database.
  • Ref: http://leveltensolutions.com/forum.html?func=view&catid=23&id=172

  • 09.38.81 - CVE: CVE-2009-2937
  • Platform: Web Application
  • Title: Planet HTML Injection
  • Description: Planet is a web-based feed aggregator. Planet is exposed to an HTML injection issue because the application fails to properly sanitize user-supplied input from feeds before using it in dynamically generated content. Planet version 2.0 is affected.
  • Ref: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=546178

  • 09.38.82 - CVE: CVE-2009-2929, CVE-2009-2928
  • Platform: Web Application
  • Title: TGS Content Management Multiple Input Validation Vulnerabilities
  • Description: TGS Content Management is a PHP-based content manager. The application is exposed to multiple input validation issues because it fails to sufficiently sanitize user-supplied data. Exploiting these issues could allow the attacker to obtain sensitive information, steal cookie-based authentication credentials, compromise the application, access or modify data, or exploit latent vulnerabilities in the underlying database.
  • Ref: http://www.securityfocus.com/bid/36401

  • 09.38.83 - CVE: Not Available
  • Platform: Web Application
  • Title: eFront "database.php" Remote File Include
  • Description: eFront is a content manager. The application is exposed to a remote file include issue because it fails to sufficiently sanitize user-supplied input to the "path" parameter of the "libraries/database.php" script. eFront versions 3.5.4 and earlier are affected.
  • Ref: http://www.securityfocus.com/bid/36411

  • 09.38.84 - CVE: Not Available
  • Platform: Web Application
  • Title: Best Practical Solutions RT "Custom Field" HTML Injection
  • Description: RT (Request Tracker) is a web-based issue tracking system. RT is exposed to an HTML injection issue because the application fails to properly sanitize user-supplied data before using it in dynamically generated content. Specifically, this issue can be exploited through "Custom Field" values. RT versions 3.6.x prior to 3.6.9 and RT versions 3.8.x prior to 3.8.5 are affected.
  • Ref: http://lists.bestpractical.com/pipermail/rt-announce/2009-September/000173.html

  • 09.38.85 - CVE: CVE-2009-2796
  • Platform: Network Device
  • Title: Apple iPhone and iPod touch UIKit Deleted Password Character Information Disclosure
  • Description: Apple iPhone is a mobile phone that runs on the ARM architecture. Apple iPod touch is a portable music player that also contains the Safari browser. Apple iPhone and iPod touch are exposed to an information disclosure issue in the UIKit component. If a masked password character is deleted, and the deletion is undone, the unmasked character is briefly displayed. iPhone OS versions 1.0 through 3.0.1 and iPhone OS for iPod touch versions 1.1 through 3.0 are affected.
  • Ref: http://www.securityfocus.com/bid/36335

  • 09.38.86 - CVE: CVE-2009-2815
  • Platform: Network Device
  • Title: Apple iPhone prior to 3.1 SMS Message NULL Pointer Dereference
  • Description: Apple iPhone is a mobile phone that runs on the ARM architecture. Apple iPhone is exposed to a NULL pointer dereference issue when handling specially crafted SMS arrival notifications. Successfully exploiting this issue may allow attackers to cause the affected service to become unresponsive, effectively denying service. iPhone OS versions 1.0 through 3.0.1 are affected.
  • Ref: http://www.securityfocus.com/bid/36336

  • 09.38.87 - CVE: CVE-2009-2207
  • Platform: Network Device
  • Title: Apple iPhone and iPod Touch MobileMail Component Delete Mail Access Validation
  • Description: Apple iPhone is a mobile phone that runs on the ARM architecture. Apple iPod touch is a portable music player that also contains the Safari browser. The devices are exposed to an access validation issue that exists in the MobileMail component. Specifically, deleted mail is displayed by the Spotlight search application. iPhone OS versions 1.0 through 3.0.1 and iPhone OS for iPod touch versions 1.1 through 3.0 are affected.
  • Ref: http://www.securityfocus.com/bid/36337

  • 09.38.88 - CVE: CVE-2009-2206
  • Platform: Network Device
  • Title: Apple iPhone and iPod Touch MP3 and AAC File Heap Buffer Overflow
  • Description: Apple iPhone is a mobile phone that runs on the ARM architecture. Apple iPod touch is a portable music player that also contains the Safari browser. The devices are exposed to a heap-based buffer overflow issue that is triggered when handling crafted AAC or MP3 files. This issue affects the CoreAudio component of the vulnerable devices. iPhone OS versions 1.0 through 3.0.1 and iPhone OS for iPod touch versions 1.1 through 3.0 are affected.
  • Ref: http://www.trapkit.de/advisories/TKADV2009-007.txt

  • 09.38.89 - CVE: CVE-2009-2797
  • Platform: Network Device
  • Title: Apple iPhone and iPod touch Safari Referer Header Information Disclosure
  • Description: Apple iPhone is a mobile phone that runs on the ARM architecture. Apple iPod touch is a portable music player that also contains the Safari browser. Apple iPhone and iPod touch are exposed to an information disclosure vulnerability in the Safari browser. iPhone OS versions 1.0 through 3.0.1 and iPhone OS for iPod touch versions 1.1 through 3.0 are affected.
  • Ref: http://www.securityfocus.com/bid/36339

  • 09.38.90 - CVE: CVE-2009-2795
  • Platform: Network Device
  • Title: Apple iPhone and iPod Touch Recovery Mode Command Parsing Heap Buffer Overflow
  • Description: Apple iPhone is a mobile phone that runs on the ARM architecture. Apple iPod touch is a portable music player that also contains the Safari browser. Apple iPhone and iPod touch are exposed to a heap-based buffer overflow issue because the device fails to perform adequate boundary checks on user-supplied data. The vulnerability affects the Recovery Mode command parsing mechanism. iPhone OS versions 1.0 through 3.0.1 and iPhone OS for iPod touch versions 1.1 through 3.0 are affected.
  • Ref: http://www.securityfocus.com/bid/36341

  • 09.38.91 - CVE: CVE-2009-2794
  • Platform: Network Device
  • Title: Apple iPhone and iPod touch Exchange Support Component Security Bypass
  • Description: Apple iPhone is a mobile phone that runs on the ARM architecture. Apple iPod touch is a portable music player that also contains the Safari browser. The devices are exposed to a security bypass issue that affects the Exchange Support component. This issue is triggered when the "Require Passcode" configuration setting is higher than the "Maximum inactivity time lock" configuration setting, and may allow an attacker with access to the device to bypass intended security restrictions when connecting to a Microsoft Exchange server. iPhone OS versions 1.0 through 3.0.1 and iPhone OS for iPod touch versions 1.1 through 3.0 are affected.
  • Ref: http://www.securityfocus.com/bid/36342

  • 09.38.92 - CVE: Not Available
  • Platform: Network Device
  • Title: Siemens Gigaset SE361 WLAN Data Flood Denial of Service
  • Description: Siemens Gigaset SE361 WLAN is a wireless router. The device is exposed to a denial of service issue because it fails to adequately handle a flood of data sent via TCP port 1723. Successful exploits will cause the affected device to crash and reboot, denying service to legitimate users.
  • Ref: http://www.securityfocus.com/archive/1/506414

  • 09.38.93 - CVE: Not Available
  • Platform: Network Device
  • Title: Apple iPhone and iPod touch Email SSL Certificate Validation Information Disclosure
  • Description: Apple iPhone is a mobile phone that runs on the ARM architecture. Apple iPod touch is a portable music player that also contains the Safari browser. The devices are exposed to an information disclosure issue that affects their email application because the software fails to adequately validate SSL certificates. Apple iPod Touch versions prior to 3.1.1 and Apple iPhone versions prior to 3.1 are affected.
  • Ref: http://www.securityfocus.com/archive/1/506428

  • 09.38.94 - CVE: Not Available
  • Platform: Network Device
  • Title: Apple iPhone Safari "tel:" URI Handling Remote Denial of Service
  • Description: Apple iPhone is a mobile phone that runs on the ARM architecture. The Safari browser on the Apple iPhone is exposed to a denial of service issue that occurs when the browser handles a specially crafted "tel:" URI, which contains an excessive amount of string values. A URI containing 100,000 bytes is sufficient to trigger this vulnerability. Apple iPhone version 3.0.1 is affected.
  • Ref: http://www.securityfocus.com/bid/36386

  • 09.38.95 - CVE: Not Available
  • Platform: Network Device
  • Title: 3Com Wireless 8760 Dual-Radio 11a/b/g PoE Web Administration Authentication Bypass
  • Description: The 3Com Wireless 8760 Dual-Radio 11a/b/g PoE is a Wi-Fi networking router. The device is exposed to an authentication bypass issue because of a lack of authentication when users access the web administration interface. Specifically, if a legitimate administrator has authenticated to the web interface, additional users are granted access to the interface without needing to authenticate.
  • Ref: http://www.securityfocus.com/archive/1/506486

  • 09.38.96 - CVE: CVE-2008-7115
  • Platform: Network Device
  • Title: Belkin F5D7632-4V6 Wireless G Router Multiple Authentication Bypass Vulnerabilities
  • Description: The Belkin F5D7632-4V6 Wireless G Router is a Wi-Fi networking router. The device is exposed to an issue because of a lack of authentication when users access the following scripts: "statusprocess.exe", "system_all.exe", and "cgi-bin/restore.exe". Belkin F5D7632-4V6 running firmware version 6.01.08 is affected.
  • Ref: http://www.securityfocus.com/bid/36406

  • 09.38.97 - CVE: Not Available
  • Platform: Network Device
  • Title: IP3 NetAccess Local Privilege Escalation
  • Description: IP3 NetAccess devices are rack-mounted network devices that are designed for hotels and hotspots. They have SSH and web management interfaces. IP3 NetAccess is exposed to a local privilege escalation issue because it fails to sanitize user-supplied data. Specifically, an attacker can execute arbitrary commands through the "ping" menu option.
  • Ref: http://www.securityfocus.com/bid/36410

(c) 2009. All rights reserved. The information contained in this newsletter, including any external links, is provided "AS IS," with no express or implied warranty, for informational purposes only. In some cases, copyright for material in this newsletter may be held by a party other than Qualys (as indicated herein) and permission to use such material must be requested from the copyright owner.

Subscriptions: @RISK is distributed free of charge by the SANS Institute to people responsible for managing and securing information systems and networks. You may forward this newsletter to others with such responsibility inside or outside your organization.