
@RISK: The Consensus Security Vulnerability Alert

Volume: VIII, Issue: 39
September 24, 2009

@RISK is the SANS community's consensus bulletin summarizing the most important vulnerabilities and exploits identified during the past week and providing guidance on appropriate actions to protect your systems (PART I). It also includes a comprehensive list of all new vulnerabilities discovered in the past week (PART II).

Summary of the vulnerabilities reported this week:

Platform                                  Number of Updates and Vulnerabilities
--------------------------                -------------------------------------
Third Party Windows Apps                  4
Linux                                     4
HP-UX                                     1
BSD                                       1
Solaris                                   3
Unix                                      1
Cross Platform                            13 (#1, #2, #3)
Web Application - Cross Site Scripting    3
Web Application - SQL Injection           17
Web Application                           11
Network Device                            1

************************** Sponsored By HP ****************************

Participate in a 24-hour live hacking challenge! Join application security experts from around the world at HP's virtual conference Sept 29-30. Attend live and on-demand sessions, chat with experts and download the latest information on application security, cloud security, Web 2.0 and more. "HP Functionality, Performance & Security Testing in today's application realities." Register Now.

http://www.sans.org/info/49028

*************************************************************************

TRAINING UPDATE
- - SCADA Security Summit, Stockholm, Oct. 27-30, http://www.sans.org/euscada09_summit/
- - SANS Chicago North Shore, Oct. 26-Nov. 2, http://www.sans.org/chicago09/
- - SANS San Francisco, November 9-14, http://www.sans.org/sanfrancisco09
- - SANS CDI, Washington DC, Dec. 11-18, http://www.sans.org/cyber-defense-initiative-2009
Looking for training in your own community? http://sans.org/community/

Save on On-Demand training (30 full courses) - See samples at http://www.sans.org/ondemand/
For a list of all upcoming events, on-line and live: http://www.sans.org

*************************************************************************

Table Of Contents
Part II -- Comprehensive List of Newly Discovered Vulnerabilities from Qualys (www.qualys.com)
Third Party Windows Apps
Linux
HP-UX
BSD
Solaris
Unix
Cross Platform
Web Application - Cross Site Scripting
Web Application - SQL Injection
Web Application
Network Device

*************************** Sponsored Links: **************************

1) REGISTER NOW for the upcoming webcast: WhatWorks in Firewalls, Enterprise Antivirus and Unified Threat Management: Virtualizing Server Security with the U.S. Army Human Resource Command

http://www.sans.org/info/49033

2) Be sure to register for the Analyst Webcast: Transparent Data Encryption: New Technologies and Best Practices for Database Encryption

http://www.sans.org/info/49038

*************************************************************************

PART I Critical Vulnerabilities

Part I for this issue has been compiled by Rohan Kotian at TippingPoint, a division of 3Com, as a by-product of that company's continuous effort to ensure that its intrusion prevention products effectively block exploits using known vulnerabilities. TippingPoint's analysis is complemented by input from a council of security managers from twelve large organizations who confidentially share with SANS the specific actions they have taken to protect their systems. A detailed description of the process may be found at http://www.sans.org/newsletters/cva/#process

Widely Deployed Software
  • (1) HIGH: Apple iTunes Playlist File Processing Buffer Overflow Vulnerability
  • Affected:
    • Apple iTunes prior to 9.0.1
  • Description: Apple iTunes, a popular digital media player for Apple Mac OS X and Microsoft Windows, is vulnerable to a buffer overflow. A specially crafted playlist (".pls") file can be used to trigger this vulnerability; the specific flaw is a boundary error while processing ".pls" files. Successful exploitation might allow an attacker to execute arbitrary code in the context of the vulnerable application or lead to a denial-of-service condition. An attacker would have to entice the user into opening a malformed playlist file, either by sending the malicious file as an e-mail attachment or by sending a link to a malformed playlist file in an e-mail message. Some technical details for the vulnerability are publicly available.

  • Status: Vendor confirmed, updates available.

  • References:
  • (2) HIGH: VLC Media Player Multiple Buffer Overflow Vulnerabilities
  • Affected:
    • VideoLAN VLC Media Player versions 1.0.1 and prior
  • Description: VLC media player, a popular open-source cross-platform media player from the VideoLAN project, has multiple buffer overflow vulnerabilities. a) There is a buffer overflow error in the "ASF_ObjectDumpDebug()" function in "modules/demux/asf/libasf.c"; a specially crafted ASF file can be used to trigger it. b) There is a buffer overflow error in the "AVI_ChunkDumpDebug_level()" function in "modules/demux/avi/libavi.c"; a specially crafted AVI file can be used to trigger it. c) There is a buffer overflow error in the "__MP4_BoxDumpStructure()" function in "modules/demux/mp4/libmp4.c"; a specially crafted MP4 file can be used to trigger it. Successful exploitation of any of these issues might allow an attacker to execute arbitrary code in the context of the vulnerable application or to create a denial-of-service condition. Full technical details for these vulnerabilities are publicly available.

  • Status: Vendor confirmed, updates available.

  • References:
Part II: Weekly Comprehensive List of Newly Discovered Vulnerabilities
Week 39, 2009

This list is compiled by Qualys (www.qualys.com) as part of that company's ongoing effort to ensure its vulnerability management web service tests for all known vulnerabilities that can be scanned. As of this week Qualys scans for 7461 unique vulnerabilities. For this special SANS community listing, Qualys also includes vulnerabilities that cannot be scanned remotely.


  • 09.39.1 - CVE: Not Available
  • Platform: Third Party Windows Apps
  • Title: Notepad++ "C" and "CPP" File Handling Remote Stack Buffer Overflow
  • Description: Notepad++ is a text editor available for Microsoft Windows. The application is exposed to a stack-based buffer overflow issue because it fails to perform adequate boundary checks on user-supplied input. Specifically, this issue occurs when crafted "C" or "CPP" files are opened with the vulnerable application. Notepad++ version 5.4.5 is affected.
  • Ref: http://www.securityfocus.com/bid/36426

  • 09.39.2 - CVE: Not Available
  • Platform: Third Party Windows Apps
  • Title: Adobe Shockwave Player ActiveX Control "PlayerVersion" Property Remote Buffer Overflow
  • Description: Adobe Shockwave Player is a multimedia player application. It is available as an ActiveX control for the Microsoft Windows platform. The Shockwave Player ActiveX control is exposed to a remote buffer overflow issue because the application fails to perform adequate boundary checks on user-supplied data. Specifically, this issue is triggered when excessive data is passed to the "PlayerVersion" property of the control. Shockwave Player version 11.5.1.601 is affected.
  • Ref: http://support.microsoft.com/kb/240797

  • 09.39.3 - CVE: Not Available
  • Platform: Third Party Windows Apps
  • Title: Quiksoft EasyMail "AddAttachment()" Method ActiveX Control Buffer Overflow
  • Description: EasyMail is an application that provides email sending/receiving for ActiveX applications. Quiksoft EasyMail is exposed to a buffer overflow issue because it fails to perform adequate boundary checks on user-supplied data. An attacker can exploit this issue by enticing an unsuspecting user to view a malicious HTML page. Quiksoft EasyMail version 6 is affected.
  • Ref: http://www.securityfocus.com/archive/1/506543

  • 09.39.4 - CVE: Not Available
  • Platform: Third Party Windows Apps
  • Title: BakBone NetVault Backup "npvmgr.exe" Remote Denial of Service
  • Description: NetVault Backup is a data backup and recovery solution. It is available for most popular platforms. NetVault Backup is exposed to a remote denial of service issue that affects the "npvmgr.exe" process. NetVault Backup version 8.22 Build 29 is affected.
  • Ref: http://www.securityfocus.com/bid/36489

  • 09.39.5 - CVE: Not Available
  • Platform: Linux
  • Title: Linux Kernel "find_ie()" Function Remote Denial of Service
  • Description: The Linux Kernel is exposed to a remote denial of service issue that occurs in the "find_ie()" function. Specifically, the "len" parameter of type "size_t" is used as a loop counter and can be underflowed. Successful exploits will cause the affected kernel to fall into an infinite loop, denying service to legitimate users.
  • Ref: http://permalink.gmane.org/gmane.comp.security.oss.general/2109
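The wrap described above is easy to reproduce outside the kernel. The following C program is an added example, not the kernel's "find_ie()" or any code from the advisory: it walks a constructed list of type/length/value elements the way the vulnerable function is described as working, decrementing an unsigned size_t by each element's claimed length before checking that the element fits, and then the way a bounds-checked walker should. The element list, the oversized "arena" that stands in for whatever memory follows the frame, and the element ids are all made up for the demo.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Constructed sample: a frame declares 9 bytes of elements, and the second
 * element claims 255 bytes of payload when only 1 byte remains. The rest of the
 * arena stands in for whatever memory follows the frame in the kernel. */
const uint8_t arena[300] = {
    0x00, 0x04, 'a', 'b', 'c', 'd',      /* element id 0x00, length 4         */
    0x03, 0xFF, 0x00,                    /* element id 0x03, length 255: cut  */
    [263] = 0x30, [264] = 0x02,          /* an element living past the frame  */
    [265] = 'X',  [266] = 'Y'
};
const size_t arena_declared_len = 9;

/* Vulnerable walker, the pattern the advisory describes: the unsigned length is
 * decremented by an attacker-controlled element length before anyone checks that
 * the element fits, so 3 - 257 wraps to SIZE_MAX - 253 and the loop keeps going
 * through memory beyond the frame until it happens to find the wanted id. */
const uint8_t *find_ie_vuln(uint8_t eid, const uint8_t *ies, size_t len)
{
    while (len > 2 && ies[0] != eid) {
        len -= (size_t)ies[1] + 2;
        ies += (size_t)ies[1] + 2;
    }
    if (len < 2 || len < (size_t)ies[1] + 2)
        return NULL;
    return ies;
}

/* Hardened walker: check the element against the remaining length before the
 * subtraction, and stop on the first element that does not fit. */
const uint8_t *find_ie_fixed(uint8_t eid, const uint8_t *ies, size_t len)
{
    while (len >= 2) {
        size_t elen = (size_t)ies[1] + 2;
        if (elen > len)                  /* truncated element: refuse to wrap */
            return NULL;
        if (ies[0] == eid)
            return ies;
        ies += elen;
        len -= elen;
    }
    return NULL;
}

/* How many bytes past the declared frame the vulnerable walker's result lies
 * (0 if it returned NULL or a pointer inside the frame). */
long vuln_overrun_bytes(uint8_t eid)
{
    const uint8_t *p = find_ie_vuln(eid, arena, arena_declared_len);
    if (!p || p < arena + arena_declared_len)
        return 0;
    return (long)(p - (arena + arena_declared_len));
}

int main(void)
{
    printf("vulnerable walker found id 0x30 %ld bytes past the frame\n",
           vuln_overrun_bytes(0x30));
    printf("fixed walker result for id 0x30: %s\n",
           find_ie_fixed(0x30, arena, arena_declared_len) ? "found" : "NULL");
    return 0;
}
```

In a real frame parser the memory past the frame is not a friendly arena, so the vulnerable loop either finds the id in unrelated data, faults, or spins; the fix is the same either way: compare before you subtract.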

  • 09.39.6 - CVE: Not Available
  • Platform: Linux
  • Title: Linux Kernel "perf_counter_open()" Local Buffer Overflow
  • Description: The Linux kernel is exposed to a local buffer overflow issue because it fails to perform adequate boundary checks on user-supplied data. This issue occurs in the "perf_copy_attr()" function in the "perf_counter.c" source file. Specifically, this issue can be triggered by passing crafted data to the "perf_counter_open()" system call. The Linux Kernel versions 2.6.31-rc1 through 2.6.31 are affected.
  • Ref: http://git.kernel.org/?p=linux/kernel/git/torvalds/linux-2.6.git;a=commitdiff;h=b3e62e35058fc744ac794611f4e79bcd1c5a4b83

  • 09.39.7 - CVE: CVE-2009-2939
  • Platform: Linux
  • Title: Debian and Ubuntu Postfix Insecure Temporary File Creation
  • Description: Postfix is an open source MTA. Postfix creates "/var/spool/postfix/pid" in an insecure manner. Successfully mounting a symlink attack may allow the attacker to delete or corrupt sensitive files, which may result in a denial of service. Other attacks may also be possible. Postfix version 2.5.5 on Debian 4.0 (and later) and Ubuntu 6.06 LTS (and later) are affected.
  • Ref: http://permalink.gmane.org/gmane.comp.security.oss.general/2135
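The symlink attack the Postfix entry describes works against any daemon that creates a file by name in a directory a local user can write to. The following C program is an added example, not Postfix code and not the Debian fix: it stages the attack in a scratch directory, writes a pid file once with a plain fopen("w") and once with O_CREAT|O_EXCL|O_NOFOLLOW, and reports which writer followed the planted link. The directory name, the victim file and the pid value are constructed for the demo.

```c
#ifndef _GNU_SOURCE
#define _GNU_SOURCE
#endif
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>
#include <sys/stat.h>
#include <sys/types.h>

/* Insecure: fopen("w") follows a symlink at the path, so a link planted by a
 * local user turns the pid-file write into a truncate-and-overwrite of any file
 * the daemon's uid can write. */
int write_pid_insecure(const char *path, pid_t pid)
{
    FILE *f = fopen(path, "w");
    if (!f) return -1;
    fprintf(f, "%ld\n", (long)pid);
    return fclose(f) == 0 ? 0 : -1;
}

/* Hardened: O_CREAT|O_EXCL fails if anything already exists at the name (a
 * symlink included), O_NOFOLLOW refuses to follow one, and the mode is explicit
 * instead of inherited from the umask. A planted link now causes a loud failure
 * instead of a silent overwrite. */
int write_pid_safe(const char *path, pid_t pid)
{
    int fd = open(path, O_WRONLY | O_CREAT | O_EXCL | O_NOFOLLOW, 0644);
    if (fd < 0) return -1;               /* errno is EEXIST or ELOOP for a symlink */
    char buf[32];
    int n = snprintf(buf, sizeof buf, "%ld\n", (long)pid);
    ssize_t w = write(fd, buf, (size_t)n);
    close(fd);
    return w == n ? 0 : -1;
}

/* Stages the attack in a scratch directory (constructed for the demo): a victim
 * file, a symlink named "pid" pointing at it, then both writers. Returns 1 when
 * the insecure writer clobbered the victim and the safe writer refused. */
int run_symlink_demo(void)
{
    char dir[] = "/tmp/pidfile-demo-XXXXXX";
    if (!mkdtemp(dir)) return -1;
    char victim[300], link[300];
    snprintf(victim, sizeof victim, "%s/victim.conf", dir);
    snprintf(link, sizeof link, "%s/pid", dir);

    FILE *v = fopen(victim, "w");
    if (!v) return -1;
    fputs("important=1\n", v);
    fclose(v);
    if (symlink(victim, link) != 0) return -1;   /* the attacker's planted link */

    write_pid_insecure(link, 4242);              /* follows the link: victim.conf */
    int safe_rc = write_pid_safe(link, 4242);    /* must fail */
    int safe_errno = errno;

    char line[64] = {0};
    v = fopen(victim, "r");
    if (v) { if (!fgets(line, sizeof line, v)) line[0] = 0; fclose(v); }
    int clobbered = strcmp(line, "4242\n") == 0;

    unlink(link); unlink(victim); rmdir(dir);
    return clobbered && safe_rc == -1 && (safe_errno == EEXIST || safe_errno == ELOOP);
}

int main(void)
{
    printf("symlink demo: %s\n", run_symlink_demo() == 1
           ? "insecure writer clobbered victim.conf, safe writer refused"
           : "unexpected result");
    return 0;
}
```

O_EXCL turns the overwrite into a denial of service (the daemon cannot create its pid file while the link is there), which is why the real fix is also to keep such files in a directory unprivileged users cannot write to.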

  • 09.39.8 - CVE: Not Available
  • Platform: Linux
  • Title: Linux kernel "O_EXCL" NFSv4 Privilege Escalation
  • Description: The Linux kernel is exposed to a local privilege escalation issue that occurs in the "do_open_lookup()" function of the "nfsproc.c" source file. Specifically, a lingering world-writable setuid file from a previously failed create may execute with the permissions of the user running a series of creates with the O_EXCL functionality on a NFSv4 file system. Linux kernel versions prior to 2.6.19-rc6 are affected.
  • Ref: http://git.kernel.org/?p=linux/kernel/git/torvalds/linux-2.6.git;a=commitdiff;h=af85852d

  • 09.39.9 - CVE: CVE-2009-2682
  • Platform: HP-UX
  • Title: HP-UX RBAC Unspecified Local Unauthorized Access
  • Description: HP-UX is a Unix-based operating system. HP-UX is exposed to an unspecified unauthorized access issue. Attackers can exploit this issue to access restricted files and directories. This may lead to various attacks. HP-UX versions B.11.23 and B.11.31 are affected.
  • Ref: http://www.securityfocus.com/archive/1/506646

  • 09.39.10 - CVE: CVE-2009-2793
  • Platform: BSD
  • Title: NetBSD "IRET" General Protection Fault Handling Local Privilege Escalation
  • Description: NetBSD is prone to a local privilege-escalation vulnerability affecting the kernel. This issue occurs because the software fails to properly handle "General Protection Fault" exceptions raised by the "IRET" (return from interrupt) instruction. The "IRET" instruction is used to return from interrupt or exception handling routines, and includes a context switch during which control is passed between the kernel and user mode processes.
  • Ref: http://blog.cr0.org/2009/09/cve-2009-2793-iret-gp-on-pre-commit.html

  • 09.39.11 - CVE: Not Available
  • Platform: Solaris
  • Title: Sun Solaris iSCSI Management Commands Local Privilege Escalation
  • Description: Sun Solaris is exposed to a local privilege escalation issue when executing the iSCSI management ("iscsiadm(1M)" and "iscsitadm(1M)") commands. Specifically, an attacker with an RBAC execution profile that specifies additional privileges for these commands such as the "File System Management" profile may execute arbitrary code with privileges specified in the RBAC profile. Solaris 10 and OpenSolaris based upon builds snv_28 through snv_109 are affected.
  • Ref: http://sunsolve.sun.com/search/document.do?assetkey=1-66-261849-1

  • 09.39.12 - CVE: Not Available
  • Platform: Solaris
  • Title: Sun Solaris Cluster Local Privilege Escalation
  • Description: Solaris Cluster is a cluster solution based on Sun Solaris. Sun Solaris Cluster is exposed to an unspecified local privilege escalation issue that affects the "clsetup(1CL)" configuration utility. A local attacker can exploit this vulnerability to run arbitrary code with superuser privileges, resulting in a complete compromise. Sun Solaris Cluster version 3.2 is affected.
  • Ref: http://sunsolve.sun.com/search/document.do?assetkey=1-66-267148-1

  • 09.39.13 - CVE: Not Available
  • Platform: Solaris
  • Title: Sun Solaris XScreenSaver X Resize and Rotate Local Information Disclosure
  • Description: XScreenSaver is a screen saver for Linux and Unix systems running the X11 Window System. XScreenSaver is exposed to a local information disclosure issue because the application may display portions of a locked desktop after being resized. The vulnerability affects an X(5) display running the Xorg(1) X server (or Xnewt(1M) on Sun Ray) with the X Resize and Rotate ("RandR") extension loaded. Solaris 10 and OpenSolaris based upon builds snv_01 through snv_111 are affected.
  • Ref: http://sunsolve.sun.com/search/document.do?assetkey=1-66-249646-1 (Login required)

  • 09.39.14 - CVE: Not Available
  • Platform: Unix
  • Title: GNU glibc "strfmon()" Function Integer Overflow Weakness
  • Description: GNU glibc is exposed to an integer overflow weakness because the software fails to ensure that integer values are not overrun. This issue can be triggered by passing excessive values as the "left precision" or "right precision" components of the format string parameter passed to "strfmon()". This weakness occurs in the "__vstrfmon_l()" function located in the "libc/stdlib/strfmon_l.c" source code file. GNU glibc versions 2.10.1 and earlier are affected.
  • Ref: http://securityreason.com/achievement_securityalert/67
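The strfmon weakness above is a digit-accumulation overflow: a precision field long enough to exceed INT_MAX wraps to a small or negative value that is later used to size a buffer. The following C program is an added example, not glibc's "__vstrfmon_l()" or its fix: it parses a reduced strfmon-style specifier, "%[#left][.right]n" (real strfmon also takes flags and a field width, which this parser omits), once with unchecked accumulation and once with an overflow check, so the two results can be compared on a hostile format string. The format strings are constructed for the demo.

```c
#include <limits.h>
#include <stdint.h>
#include <stdio.h>

typedef struct { int left, right; } money_spec;   /* -1 means "not given" */

/* Checked accumulation: refuses any value that would not fit in an int. */
static int parse_dec_checked(const char **p, int *out)
{
    int v = 0;
    while (**p >= '0' && **p <= '9') {
        int d = **p - '0';
        if (v > (INT_MAX - d) / 10)      /* v * 10 + d would exceed INT_MAX */
            return -1;
        v = v * 10 + d;
        (*p)++;
    }
    *out = v;
    return 0;
}

/* Unchecked accumulation, the shape of the weakness: the value silently wraps.
 * uint32_t is used so the wrap is well defined in this demo; with a signed int,
 * as in the real code, it is undefined behaviour that in practice also wraps. */
static int parse_dec_naive(const char **p, int *out)
{
    uint32_t v = 0;
    while (**p >= '0' && **p <= '9') {
        v = v * 10u + (uint32_t)(**p - '0');
        (*p)++;
    }
    *out = (int)v;
    return 0;
}

/* Parses "%[#left][.right]n". With checked != 0 an oversized precision is
 * rejected; otherwise it is accepted with whatever value survived the wrap. */
int parse_money_spec(const char *fmt, money_spec *spec, int checked)
{
    int (*dec)(const char **, int *) = checked ? parse_dec_checked : parse_dec_naive;
    spec->left = spec->right = -1;
    if (*fmt++ != '%') return -1;
    if (*fmt == '#') { fmt++; if (dec(&fmt, &spec->left)  < 0) return -1; }
    if (*fmt == '.') { fmt++; if (dec(&fmt, &spec->right) < 0) return -1; }
    return *fmt == 'n' ? 0 : -1;
}

/* The left precision a caller would go on to size a buffer with: 0 when absent,
 * -1 when the specifier is rejected. */
int left_precision(const char *fmt, int checked)
{
    money_spec s;
    if (parse_money_spec(fmt, &s, checked) < 0) return -1;
    return s.left < 0 ? 0 : s.left;
}

int main(void)
{
    const char *hostile = "%#4294967297.2n";   /* constructed: 2^32 + 1 as left precision */
    printf("unchecked left precision: %d\n", left_precision(hostile, 0));
    printf("checked   left precision: %d\n", left_precision(hostile, 1));
    return 0;
}
```

The unchecked parser reports a left precision of 1 for a 10-digit field, which is exactly the kind of value that passes a later "is this reasonable" glance while the arithmetic that produced it has already gone wrong.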

  • 09.39.15 - CVE: CVE-2009-2681
  • Platform: Cross Platform
  • Title: HP ProCurve Identity Driven Manager (IDM) Unspecified Privilege Escalation
  • Description: HP ProCurve Identity Driven Manager (IDM) is a plug-in for HP ProCurve Manager Plus. It facilitates management of policy-based network access. The software is exposed to an unspecified privilege escalation issue that could allow a local attacker to gain elevated privileges and compromise a computer.
  • Ref: http://www.securityfocus.com/bid/36462

  • 09.39.16 - CVE: Not Available
  • Platform: Cross Platform
  • Title: FFmpeg "vmd_read_header()" VMD File Integer Overflow
  • Description: FFmpeg is an open-source solution for handling audio and video data. The application is exposed to an integer overflow issue that exists in the "vmd_read_header()" of the "libavformat/sierravmd.c" source file. FFmpeg version 0.5 is affected.
  • Ref: http://git.ffmpeg.org/?p=ffmpeg;a=commit;h=ebbccbaa5e925c2ddb212559f82c29ef526cc17e

  • 09.39.17 - CVE: CVE-2009-3233
  • Platform: Cross Platform
  • Title: Changetrack Local Privilege Escalation
  • Description: Changetrack is an automated utility used to track file changes. Changetrack is exposed to a local privilege escalation issue due to a failure to sufficiently sanitize input. Specifically, this issue is triggered when Changetrack accesses a file name containing shell metacharacters. Changetrack version 4.3 is affected.
  • Ref: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=546791

  • 09.39.18 - CVE: Not Available
  • Platform: Cross Platform
  • Title: nginx Proxy DNS Cache Domain Spoofing
  • Description: nginx is a high performance web server and proxy server. It is available for a number of platforms. nginx is exposed to an issue that may allow domain-spoofing. This issue is the result of a failure to properly compare domain names when referencing the DNS cache. Specifically, when comparing a domain name to one in the DNS cache, nginx only checks that the crc32 checksum of the two domains is the same and that the shorter of the two domains is a prefix of the longer.
  • Ref: http://www.securityfocus.com/archive/1/506543
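Comparing a crc32 plus a prefix is not a name comparison, because CRC-32 is linear: four chosen bytes appended to any string can steer its checksum to any value. The following C program is an added example and not nginx code; its "names_match_weak()" is a model of the check as the entry above describes it, not nginx's implementation. It uses standard CRC-32 suffix forging to build a longer name whose crc32 equals that of a shorter name it begins with, and shows that the weak check accepts the pair while a length-and-bytes comparison rejects it. The sample name is constructed for the demo.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

static uint32_t crc_table[256];
static uint8_t  rev_hi[256];   /* top byte of crc_table[k] -> k; distinct for CRC-32 */

static void crc_init(void)
{
    if (crc_table[1]) return;
    for (uint32_t k = 0; k < 256; k++) {
        uint32_t c = k;
        for (int j = 0; j < 8; j++)
            c = (c & 1u) ? 0xEDB88320u ^ (c >> 1) : c >> 1;
        crc_table[k] = c;
        rev_hi[c >> 24] = (uint8_t)k;
    }
}

/* Advances the CRC register over buf; the public CRC-32 is register ^ 0xffffffff. */
static uint32_t crc_state(uint32_t state, const uint8_t *buf, size_t n)
{
    for (size_t i = 0; i < n; i++)
        state = crc_table[(state ^ buf[i]) & 0xffu] ^ (state >> 8);
    return state;
}

uint32_t crc32_of(const uint8_t *buf, size_t n)
{
    crc_init();
    return crc_state(0xffffffffu, buf, n) ^ 0xffffffffu;
}

/* Standard 4-byte CRC-32 forging: given the register after some prefix and the
 * register wanted after four more bytes, pick table indices backwards by top
 * byte, then replay forwards to recover the bytes that produce them. */
void crc32_forge_suffix(uint32_t state, uint32_t want, uint8_t out[4])
{
    uint8_t idx[4];
    uint32_t req = want;
    crc_init();
    for (int i = 3; i >= 0; i--) {
        idx[i] = rev_hi[req >> 24];
        req = (req ^ crc_table[idx[i]]) << 8;
    }
    for (int i = 0; i < 4; i++) {
        out[i] = (uint8_t)(idx[i] ^ (state & 0xffu));
        state = crc_table[idx[i]] ^ (state >> 8);
    }
}

/* The comparison as the advisory describes it: equal crc32 and the shorter name
 * is a prefix of the longer. This is my model of the description, not nginx's code. */
int names_match_weak(const uint8_t *a, size_t alen, const uint8_t *b, size_t blen)
{
    size_t n = alen < blen ? alen : blen;
    return crc32_of(a, alen) == crc32_of(b, blen) && memcmp(a, b, n) == 0;
}

/* What a cache lookup should do: same length and same bytes. */
int names_match_strict(const uint8_t *a, size_t alen, const uint8_t *b, size_t blen)
{
    return alen == blen && memcmp(a, b, alen) == 0;
}

/* Appends a forged 4-byte suffix so the longer name keeps the shorter one's CRC. */
size_t make_colliding_name(const uint8_t *name, size_t n, uint8_t *out, size_t cap)
{
    if (cap < n + 4) return 0;
    crc_init();
    memcpy(out, name, n);
    uint32_t state = crc_state(0xffffffffu, name, n);
    crc32_forge_suffix(state, state, out + n);  /* same register after 4 more bytes */
    return n + 4;
}

/* Returns 1 when the forged longer name passes the weak check but fails the strict one. */
int demo_collision(void)
{
    static const uint8_t name[] = "example.com";   /* constructed sample name */
    size_t n = sizeof name - 1;
    uint8_t forged[32];
    size_t flen = make_colliding_name(name, n, forged, sizeof forged);
    if (flen != n + 4 || crc32_of(forged, flen) != crc32_of(name, n)) return 0;
    return names_match_weak(name, n, forged, flen) && !names_match_strict(name, n, forged, flen);
}

int main(void)
{
    static const uint8_t name[] = "example.com";
    uint8_t forged[32];
    size_t n = sizeof name - 1, flen = make_colliding_name(name, n, forged, sizeof forged);
    printf("crc32(name) = %08x, crc32(forged) = %08x, suffix =", crc32_of(name, n), crc32_of(forged, flen));
    for (size_t i = n; i < flen; i++) printf(" %02x", forged[i]);
    printf("\nweak match: %d, strict match: %d\n",
           names_match_weak(name, n, forged, flen), names_match_strict(name, n, forged, flen));
    return 0;
}
```

The forged suffix is arbitrary bytes, not necessarily characters a resolver would accept in a hostname; finding a collision that is also a legal name for a given target is a separate search problem. The point of the demo is narrower: a checksum match plus a prefix match is not equality, so the cache key has to be the full name.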

  • 09.39.19 - CVE: Not Available
  • Platform: Cross Platform
  • Title: VLC Media Player Multiple Remote Stack Buffer Overflow Vulnerabilities
  • Description: VLC is a cross-platform media player. VLC media player is exposed to multiple stack-based buffer overflow issues because it fails to perform adequate boundary checks on user-supplied data. Attackers can exploit these issues to execute arbitrary code in the context of the affected application or crash the application, denying service to legitimate users. VLC media player version 1.0.1 is affected.
  • Ref: http://git.videolan.org/?p=vlc.git;a=commit;h=c5b02d011b8c634d041167f4d2936b55eca4d18d

  • 09.39.20 - CVE: Not Available
  • Platform: Cross Platform
  • Title: PHP 5.2.10 and Prior Versions Multiple Vulnerabilities
  • Description: PHP is a general purpose scripting language that is especially suited for web development and can be embedded into HTML. PHP is exposed to multiple security issues. An unspecified error occurs in "php_openssl_apply_verification_policy" and "imagecolortransparent()". PHP versions 5.2.10 and earlier are affected.
  • Ref: http://www.php.net/releases/5_2_11.php

  • 09.39.21 - CVE: Not Available
  • Platform: Cross Platform
  • Title: Avaya Intuity Audix LX Multiple Remote Vulnerabilities
  • Description: Avaya Intuity Audix LX is a voice mail system. Avaya Intuity Audix LX is exposed to multiple remote issues. Attackers can exploit these issues to execute arbitrary commands with the privileges of "vexvm" on the underlying system, steal cookie-based authentication credentials, execute arbitrary script code and perform administrative tasks. Other attacks are also possible.
  • Ref: http://www.securityfocus.com/bid/36450

  • 09.39.22 - CVE: Not Available
  • Platform: Cross Platform
  • Title: Interchange Search Request Information Disclosure
  • Description: Interchange is an ecommerce application implemented in Perl. The application is exposed to a remote information disclosure issue which allows attackers to view arbitrary tables. This issue can be triggered by submitting a crafted search request to the application. Versions prior to the following are affected: Interchange 5.4.4, Interchange 5.6.2 and Interchange 5.7.2.
  • Ref: http://ftp.icdevgroup.org/interchange/5.6/ANNOUNCEMENT-5.6.2.txt

  • 09.39.23 - CVE: Not Available
  • Platform: Cross Platform
  • Title: Xerver Web Administration Authentication Bypass
  • Description: Xerver is a Java-based HTTP and FTP server application. It is available for a number of platforms. The application is exposed to an authentication bypass issue due to a failure to restrict access to the web-based administrative interface. By default, the administrative interface can be accessed on TCP port 32123 and requires no authentication. Xerver version 4.32 is affected.
  • Ref: http://www.securityfocus.com/bid/36454

  • 09.39.24 - CVE: CVE-2009-2744
  • Platform: Cross Platform
  • Title: IBM WebSphere Application Server Unspecified Remote Denial of Service
  • Description: IBM WebSphere Application Server (WAS) is exposed to a remote denial of service issue. This issue is the result of an error introduced in Fixpacks 6.1.0.23 and 6.1.0.25. WAS versions 6.1.0.23 and 6.1.0.25 are affected.
  • Ref: http://xforce.iss.net/xforce/xfdb/53344

  • 09.39.25 - CVE: CVE-2009-2743
  • Platform: Cross Platform
  • Title: IBM WebSphere Application Server Local Information Disclosure
  • Description: IBM WebSphere Application Server (WAS) is an application server used for service oriented architecture. WAS is exposed to an information disclosure issue due to a certain exception occurring after using the "wsadmin" script and configuring the JAAS-J2C Authentication Data. WAS versions prior to 6.1.0.27 are affected.
  • Ref: http://xforce.iss.net/xforce/xfdb/53342

  • 09.39.26 - CVE: Not Available
  • Platform: Cross Platform
  • Title: FFmpeg Version 0.5 Multiple Remote Vulnerabilities
  • Description: FFmpeg is an application used to record, convert, and stream audio and video. The application is exposed to multiple remote issues. Attackers may leverage these issues to execute arbitrary code in the context of the application or crash the application. FFmpeg version 0.5 is affected.
  • Ref: http://src.chromium.org/viewvc/chrome/trunk/deps/third_party/ffmpeg/?view=log

  • 09.39.27 - CVE: CVE-2009-2817
  • Platform: Cross Platform
  • Title: Apple iTunes ".pls" File Buffer Overflow
  • Description: Apple iTunes is a media player for Microsoft Windows and Apple Mac OS X. Apple iTunes is exposed to a buffer overflow issue because it fails to adequately bounds check user-supplied data before copying it into an insufficiently sized buffer. Specifically, the issue occurs when processing ".pls" files. Apple iTunes versions prior to 9.0.1 are affected.
  • Ref: http://www.securityfocus.com/bid/36478

  • 09.39.28 - CVE: Not Available
  • Platform: Web Application - Cross Site Scripting
  • Title: Novell GroupWise WebAccess Cross-Site Scripting
  • Description: Novell GroupWise WebAccess is a secure mobile option for GroupWise collaboration software. The application is exposed to a cross-site scripting issue because it fails to sufficiently sanitize user-supplied input to the "User.Theme.index" parameter. GroupWise versions 7.0 up to and including 7.03 HP3 and GroupWise versions 8.0 up to and including 8.0.0 HP2 are affected.
  • Ref: http://www.novell.com/support/viewContent.do?externalId=7004410&sliceId=1

  • 09.39.29 - CVE: CVE-2009-2742
  • Platform: Web Application - Cross Site Scripting
  • Title: IBM WebSphere Application Server Eclipse Help Cross Site Scripting
  • Description: IBM WebSphere Application Server (WAS) is an application server used for service oriented architecture. WAS is exposed to a cross-site scripting issue because it fails to properly sanitize user-supplied input. This issue affects Eclipse Help. WAS versions prior to 6.1.0.27 are affected.
  • Ref: http://www-01.ibm.com/support/docview.wss?rs=180&uid=swg27004980#ver61

  • 09.39.30 - CVE: Not Available
  • Platform: Web Application - Cross Site Scripting
  • Title: Xerver Administration Interface "currentPath" Parameter Cross-Site Scripting
  • Description: Xerver is a Java-based HTTP and FTP server application. It is available for a number of platforms. The application is exposed to a cross-site scripting issue because it fails to sanitize user-supplied input. This issue affects the "currentPath" parameter of the application's administrative interface when called with the "action" parameter set to "chooseDirectory". Xerver version 4.32 is affected.
  • Ref: http://www.securityfocus.com/bid/36457

  • 09.39.31 - CVE: Not Available
  • Platform: Web Application - SQL Injection
  • Title: MyBB "search.php" SQL Injection
  • Description: MyBB is a PHP-based forum application. The application is exposed to an SQL injection issue because it fails to sufficiently sanitize user-supplied data in the "search.php" script before using it in an SQL query. MyBB version 1.4.8 is affected.
  • Ref: http://www.securityfocus.com/bid/36460

  • 09.39.32 - CVE: Not Available
  • Platform: Web Application - SQL Injection
  • Title: Joomla! JBudgetsMagic "bid" Parameter SQL Injection
  • Description: JBudgetsMagic is a component for Joomla! content manager. The component is exposed to an SQL injection issue because it fails to sufficiently sanitize user-supplied data to the "bid" parameter of the "com_jbudgetsmagic" component before using it in an SQL query. JBudgetsMagic versions 0.3.0 to 0.4.0 are affected.
  • Ref: http://www.securityfocus.com/bid/36461

  • 09.39.33 - CVE: Not Available
  • Platform: Web Application - SQL Injection
  • Title: Joomla! Survey Manager Component SQL Injection
  • Description: Survey Manager ("com_surveymanager") is a component for Joomla! content manager. The component is exposed to an SQL injection issue because it fails to sufficiently sanitize user-supplied data to the "stype" parameter of the "com_surveymanager" component before using it in an SQL query. Survey Manager version 1.5.0 is affected.
  • Ref: http://www.securityfocus.com/bid/36464

  • 09.39.34 - CVE: Not Available
  • Platform: Web Application - SQL Injection
  • Title: SaphpLesson "CLIENT_IP" Parameter SQL Injection
  • Description: SaphpLesson is a web-based tutoring application. The application is exposed to an SQL injection issue because it fails to sufficiently sanitize user-supplied data to the "CLIENT_IP" parameter before using it in an SQL query. SaphpLesson version 4.3 is affected.
  • Ref: http://www.securityfocus.com/bid/36422

  • 09.39.35 - CVE: Not Available
  • Platform: Web Application - SQL Injection
  • Title: Joomla! Foobla Suggestions Component "idea_id" Parameter SQL Injection
  • Description: Foobla Suggestions is a PHP-based component for the Joomla! content manager. The component is exposed to an SQL injection issue because it fails to sufficiently sanitize user-supplied data to the "idea_id" parameter of the "com_foobla_suggestions" component before using it in an SQL query. Foobla Suggestions version 1.5.11 is affected.
  • Ref: http://www.securityfocus.com/bid/36425

  • 09.39.36 - CVE: Not Available
  • Platform: Web Application - SQL Injection
  • Title: Joomla! Foobla RSS Feed Creator Component "id" Parameter SQL Injection
  • Description: Foobla RSS Feed Creator is a PHP-based component for the Joomla! content manager. The component is exposed to an SQL injection issue because it fails to sufficiently sanitize user-supplied data to the "id" parameter of the "com_jlord_rss" component before using it in an SQL query.
  • Ref: http://www.securityfocus.com/bid/36427

  • 09.39.37 - CVE: Not Available
  • Platform: Web Application - SQL Injection
  • Title: CF Shopkart "ItemID" Parameter SQL Injection
  • Description: CF Shopkart is a web-based ecommerce application implemented in ColdFusion. The application is exposed to an SQL injection issue because it fails to sufficiently sanitize user-supplied data to the "ItemID" parameter of the "index.cfm" script before using it in an SQL query. CF Shopkart version 5.4 beta is affected.
  • Ref: http://www.securityfocus.com/bid/36442

  • 09.39.38 - CVE: Not Available
  • Platform: Web Application - SQL Injection
  • Title: nePHP Publisher SQL Login SQL Injection
  • Description: nePHP Publisher is PHP-based web site publishing application. The application is exposed to an SQL injection issue because it fails to sufficiently sanitize user-supplied data to the "login" and "password" parameters when logging in as an administrator. nePHP Publisher version 3.5.9 is affected.
  • Ref: http://www.securityfocus.com/bid/36444

  • 09.39.39 - CVE: Not Available
  • Platform: Web Application - SQL Injection
  • Title: JForJoomla JReservation Joomla! Component "pid" Parameter SQL Injection
  • Description: JForJoomla JReservation is a PHP-based component for the Joomla! content manager. The component is exposed to an SQL injection issue because it fails to sufficiently sanitize user-supplied data to the "pid" parameter of the "com_jreservation" component before using it in an SQL query.
  • Ref: http://www.securityfocus.com/bid/36446

  • 09.39.40 - CVE: Not Available
  • Platform: Web Application - SQL Injection
  • Title: Zainu "album_id" Parameter SQL Injection
  • Description: Zainu is a PHP-based music video site creation application. The application is exposed to an SQL injection issue because it fails to sufficiently sanitize user-supplied data to the "album_id" parameter of the "index.php" script before using it in an SQL query. Zainu version 1.0 is affected.
  • Ref: http://www.securityfocus.com/bid/36453

  • 09.39.41 - CVE: Not Available
  • Platform: Web Application - SQL Injection
  • Title: Joomla! MyRemote Video Gallery "user_id" Parameter SQL Injection
  • Description: MyRemote Video Gallery is a component for the Joomla! content manager. The component is exposed to an SQL injection issue because it fails to sufficiently sanitize user-supplied data to the "user_id" parameter of the "com_mytube" component before using it in an SQL query. MyRemote Video Gallery version 1.0 Beta is affected.
  • Ref: http://www.securityfocus.com/bid/36470

  • 09.39.42 - CVE: Not Available
  • Platform: Web Application - SQL Injection
  • Title: Joomla! "com_jinc" Component 'newsid' Parameter SQL Injection
  • Description: JINC (Joomla! Integrated Newsletters Component) is a PHP-based component for the Joomla! content manager. The component is exposed to an SQL injection issue because it fails to sufficiently sanitize user-supplied data to the "newsid" parameter of the "com_jinc" component before using it in an SQL query.
  • Ref: http://www.securityfocus.com/bid/36471

  • 09.39.43 - CVE: Not Available
  • Platform: Web Application - SQL Injection
  • Title: MaxWebPortal "forum.asp" SQL Injection
  • Description: MaxWebPortal is an ASP-based forum application. The application is exposed to an SQL injection issue because it fails to sufficiently sanitize user-supplied data to the "FORUM_ID" parameter of the "forum.asp" script before using it in an SQL query.
  • Ref: http://www.securityfocus.com/bid/36480

  • 09.39.44 - CVE: Not Available
  • Platform: Web Application - SQL Injection
  • Title: Joomla! SportFusion Component SQL Injection
  • Description: SportFusion ("com_sportfusion") is a component for the Joomla! content manager. The component is exposed to an SQL injection issue because it fails to sufficiently sanitize user-supplied data to the "cid[0]" parameter of the "com_sportfusion" component before using it in an SQL query. SportFusion versions 0.2.2 and 0.2.3 are affected.
  • Ref: http://www.securityfocus.com/bid/36481

  • 09.39.45 - CVE: Not Available
  • Platform: Web Application - SQL Injection
  • Title: Vastal I-Tech MMORPG "view_news.php" SQL Injection
  • Description: MMORPG is a PHP-based application. The application is exposed to an SQL injection issue because it fails to sufficiently sanitize user-supplied data to the "news_id" parameter of the "view_news.php" script before using it in an SQL query.
  • Ref: http://www.securityfocus.com/bid/36483

  • 09.39.46 - CVE: Not Available
  • Platform: Web Application - SQL Injection
  • Title: Joomla! JoomlaFacebook Component SQL Injection
  • Description: JoomlaFacebook ("com_facebook") is a component for the Joomla! content manager. The component is exposed to an SQL injection issue because it fails to sufficiently sanitize user-supplied data to the "id" parameter of the "com_facebook" component before using it in an SQL query.
  • Ref: http://www.securityfocus.com/bid/36484

  • 09.39.47 - CVE: Not Available
  • Platform: Web Application - SQL Injection
  • Title: Vastal I-Tech Cosmetics Zone "view_products.php" SQL Injection
  • Description: Cosmetics Zone is a PHP-based application. The application is exposed to an SQL injection issue because it fails to sufficiently sanitize user-supplied data to the "sub_id" parameter of the "view_products.php" script before using it in an SQL query.
  • Ref: http://www.securityfocus.com/bid/36485

  • 09.39.48 - CVE: Not Available
  • Platform: Web Application
  • Title: MyBB Multiple Vulnerabilities
  • Description: MyBB is a PHP-based bulletin board. Since it fails to adequately sanitize user-supplied input, the application is exposed to multiple issues. Exploiting these issues could allow an attacker to compromise the application, access or modify data, or exploit latent vulnerabilities in the underlying database. MyBB versions 1.4.8 and 1.2 are affected.
  • Ref: http://blog.mybboard.net/2009/09/21/mybb-1-4-9-released-security-update/

  • 09.39.49 - CVE: Not Available
  • Platform: Web Application
  • Title: Drupal Date Module "date" CCK Field HTML Injection
  • Description: Date is a PHP-based component for the Drupal content manager. The application is exposed to an HTML injection issue because it fails to properly sanitize user-supplied input to the "date" CCK field when setting the page title. Date versions prior to 6.x-2.4 and 5.x-2.8 are affected.
  • Ref: http://drupal.org/node/579144

  • 09.39.50 - CVE: Not Available
  • Platform: Web Application
  • Title: Drupal Comment RSS Module Node Title Access Unauthorized Access
  • Description: Comment RSS is a module for the Drupal content manager. The module is exposed to an unauthorized access issue: when adding a link to the node title, it fails to enforce certain access permissions, allowing attackers to gain access to sensitive information.
  • Ref: http://drupal.org/node/579280

  • 09.39.51 - CVE: Not Available
  • Platform: Web Application
  • Title: Drupal OpenID Module Access Validation and Security Bypass Vulnerabilities
  • Description: Drupal is a PHP-based content manager. OpenID is an open authentication platform. The Drupal OpenID module is exposed to multiple issues. Attackers may exploit these issues to gain unauthorized access to user accounts or to bypass intended security restrictions and attempt cross-site request forgery attacks. Drupal OpenID Module versions 5.x-1.x prior to 5.x-1.3 and Drupal versions 6.x prior to 6.14 are affected.
  • Ref: http://drupal.org/node/579482

  • 09.39.52 - CVE: Not Available
  • Platform: Web Application
  • Title: Drupal Arbitrary File Upload and Session Fixation Vulnerabilities
  • Description: Drupal is a content management application. The application is exposed to multiple remote issues. An attacker can exploit these issues to upload arbitrary files onto the webserver, hijack arbitrary sessions and gain unauthorized access to the affected application. The session fixation vulnerability affects Drupal 5.x and the arbitrary file upload vulnerability affects Drupal 6.x.
  • Ref: http://drupal.org/node/579482

  • 09.39.53 - CVE: Not Available
  • Platform: Web Application
  • Title: "com_album" Joomla! Component Local File Include
  • Description: com_album is a component for the Joomla! content manager. The application is exposed to a local file include issue because it fails to properly sanitize user-supplied input to the "target" parameter of the "com_album" component. com_album version 1.14 is affected.
  • Ref: http://www.securityfocus.com/bid/36441

  • 09.39.54 - CVE: Not Available
  • Platform: Web Application
  • Title: OpenSiteAdmin "pages/pageHeader.php" Remote File Include
  • Description: OpenSiteAdmin lets users create a content management system for websites. The application is exposed to a remote file include issue because it fails to sufficiently sanitize user-supplied input to the "path" parameter of the "pages/pageHeader.php" script. OpenSiteAdmin version 0.9.7 BETA is affected.
  • Ref: http://www.securityfocus.com/bid/36445

  • 09.39.55 - CVE: Not Available
  • Platform: Web Application
  • Title: "com_koesubmit" Mambo/Joomla! Component "koesubmit.php" Remote File Include
  • Description: "com_koesubmit" is a module for the Mambo and Joomla! content managers. The "com_koesubmit" Mambo/Joomla! component is exposed to a remote file include issue because it fails to sufficiently sanitize user-supplied input to the "mosConfig_absolute_path" parameter of the "koesubmit.php" script. "com_koesubmit" version 1.0.0 is affected.
  • Ref: http://www.securityfocus.com/bid/36447

  • 09.39.56 - CVE: Not Available
  • Platform: Web Application
  • Title: Check Point Connectra "/Login/Login" Arbitrary Script Injection
  • Description: Check Point Connectra is an SSL-VPN appliance that allows users to access remote resources via a web browser. The device's web-based interface application is exposed to an arbitrary script injection issue because it fails to properly sanitize user-supplied input to the "vpid_prefix" parameter of the "/Login/Login" script.
  • Ref: http://www.securityfocus.com/archive/1/506620

  • 09.39.57 - CVE: Not Available
  • Platform: Web Application
  • Title: NetCitadel Firewall Builder Script Generation Insecure Temporary File Creation
  • Description: Firewall Builder is a tool for configuring and managing firewalls. The application creates temporary files in an insecure manner. This issue occurs when the application generates static routing configuration scripts. Firewall Builder versions 3.0.4, 3.0.5, and 3.0.6 are affected.
  • Ref: http://blog.fwbuilder.org/2009/09/firewall-builder-v307-released.html

  • 09.39.58 - CVE: Not Available
  • Platform: Web Application
  • Title: Vastal I-Tech DVD Zone "mag_id" Parameter Cross-Site Scripting and SQL Injection Vulnerabilities
  • Description: DVD Zone is a web application implemented in PHP. The application is exposed to an SQL injection issue and a cross-site scripting issue because it fails to sufficiently sanitize user-supplied data. Specifically, these issues affect the "mag_id" parameter of the "view_mag.php" script.
  • Ref: http://www.securityfocus.com/bid/36487

  • 09.39.59 - CVE: Not Available
  • Platform: Network Device
  • Title: Qnap Storage Devices Unauthorized Access Vulnerability and Security Weakness
  • Description: Qnap Storage Devices are network-based storage solutions. The devices are exposed to multiple issues. An attacker can exploit the unauthorized access issue to decrypt the hard disk by using the key stored in flash memory. TS-239 Pro and TS-639 Pro firmware versions 3.1.1 0815, 3.1.0 0627, and 2.1.7 0613 are affected.
  • Ref: http://www.baseline-security.de/downloads/BSC-Qnap_Crypto_Backdoor-CVE-2009-3200.txt

(c) 2009. All rights reserved. The information contained in this newsletter, including any external links, is provided "AS IS," with no express or implied warranty, for informational purposes only. In some cases, copyright for material in this newsletter may be held by a party other than Qualys (as indicated herein) and permission to use such material must be requested from the copyright owner.

Subscriptions: @RISK is distributed free of charge by the SANS Institute to people responsible for managing and securing information systems and networks. You may forward this newsletter to others with such responsibility inside or outside your organization.