
@RISK: The Consensus Security Vulnerability Alert

Volume: VIII, Issue: 40
October 1, 2009

@RISK is the SANS community's consensus bulletin summarizing the most important vulnerabilities and exploits identified during the past week and providing guidance on appropriate actions to protect your systems (PART I). It also includes a comprehensive list of all new vulnerabilities discovered in the past week (PART II).

Summary of the vulnerabilities reported this week:

    Category                                  # of Updates & Vulnerabilities
    ----------------------------------------  ------------------------------
    Third Party Windows Apps                  4 (#3)
    Linux                                     1
    Solaris                                   1
    Aix                                       2 (#4)
    Cross Platform                            25 (#1, #2, #5)
    Web Application - Cross Site Scripting    5
    Web Application - SQL Injection           4
    Web Application                           9
    Network Device                            1

    (#n refers to the numbered items in Part I.)

************************** Sponsored By Novell **************************

Register today for an upcoming Novell-sponsored SANS webcast on 10/6 titled "Ask The Expert: Offense and Defense: Better Correlation".

http://www.sans.org/info/49174

*************************************************************************

TRAINING UPDATE

- - - SCADA Security Summit, Stockholm, Oct. 27-30, http://www.sans.org/euscada09_summit/
- - - SANS Chicago North Shore, Oct. 26-Nov. 2, http://www.sans.org/chicago09/
- - - SANS San Francisco, November 9-14, http://www.sans.org/sanfrancisco09
- - - SANS CDI, Washington DC, Dec. 11-18, http://www.sans.org/cyber-defense-initiative-2009

Looking for training in your own community? http://sans.org/community/

Save on On-Demand training (30 full courses) - See samples at http://www.sans.org/ondemand

- - - For a list of all upcoming events, on-line and live: http://www.sans.org

*************************************************************************

Table Of Contents
Part II -- Comprehensive List of Newly Discovered Vulnerabilities from Qualys (www.qualys.com)
Third Party Windows Apps
Linux
Solaris
Aix
Cross Platform
Web Application - Cross Site Scripting
Web Application - SQL Injection
Web Application
Network Device

************************** Sponsored Links: ***************************

1) Register Today and receive 10% off for SANS vLive course SEC542, Web App Penetration Testing and Ethical Hacking, November 2nd - November 9th. Please use the code @Risk542 when registering.

http://www.sans.org/info/49179

2) IN CASE YOU MISSED IT -check out the Tool Talk Webcast: Identity-Aware Networking Done Right

Sponsored by: Avenda Systems

http://www.sans.org/info/49184

*************************************************************************

PART I Critical Vulnerabilities

Part I for this issue has been compiled by Rohan Kotian at TippingPoint, a division of 3Com, as a by-product of that company's continuous effort to ensure that its intrusion prevention products effectively block exploits using known vulnerabilities. TippingPoint's analysis is complemented by input from a council of security managers from twelve large organizations who confidentially share with SANS the specific actions they have taken to protect their systems. A detailed description of the process may be found at http://www.sans.org/newsletters/cva/#process

Widely Deployed Software
  • (1) HIGH: Google Chrome Remote Code Execution Vulnerability
  • Affected:
    • Google Chrome 3.x
  • Description: Chrome is a popular web browser from Google and is the fourth most widely used web browser. A vulnerability has been reported in Google Chrome that can be triggered by visiting a malicious website. The specific flaw is a memory corruption error in the V8 engine in the way it parses strings to floating point numbers; V8 uses the common "dtoa()" implementation. Successful exploitation might allow an attacker to execute arbitrary code in the Chrome sandbox, and failed attempts might lead to a denial-of-service condition. Full technical details are publicly available for this vulnerability via source code analysis.

  • Status: Vendor confirmed, updates available.

  • References:
  • (2) MODERATE: Novell Netware NFS Portmapper and RPC Module Buffer Overflow Vulnerability
  • Affected:
    • Novell Netware 6.5.0 SP8
  • Description: Netware, a network operating system from Novell Inc, has been reported with a stack-based buffer overflow vulnerability in its Network File System (NFS) Portmapper daemon. A specially crafted remote procedure call (RPC) can be used to trigger this vulnerability. The specific flaw is inadequate checking by the vulnerable daemon while processing CALLIT RPC calls, which can result in a boundary error. Successful exploitation might allow an attacker to execute arbitrary code in the context of the vulnerable daemon. Authentication is not required to exploit this vulnerability. Some technical details for this vulnerability are publicly available.

  • Status: Vendor confirmed, updates available.

  • References:
  • (3) MODERATE: KeyWorks KeyHelp Module ActiveX Control Buffer Overflow Vulnerability
  • Affected:
    • KeyWorks KeyHelp Module 1.x
    • EMC Documentum ApplicationXtender Desktop 5.4
    • EMC Captiva Quickscan Pro 4.6 SP1
  • Description: KeyWorks, a maker of online documentation software, has a product called KeyHelp, a free ActiveX control primarily used to enhance the capabilities of Microsoft HTML Help systems. A buffer overflow vulnerability has been identified in the KeyHelp ActiveX control that could be triggered by a malicious web page that instantiates this control. The specific flaw is a boundary error in the "JumpMappedID()" or "JumpURL()" method in "KeyHelp.ocx", caused by inadequate checks on the data passed to these methods. Successful exploitation might allow an attacker to execute arbitrary code in the context of the logged-on user. Full technical details for this vulnerability are publicly available along with a proof of concept.

  • Status: Vendor has not confirmed, no updates available. Users can mitigate the impact of this vulnerability by disabling the control via Microsoft's "kill bit" mechanism for CLSID B7ECFD41-BE62-11D2-B9A8-00104B138C8C.

  • References:
  • (4) MODERATE: IBM Installation Manager 'iim://' URI Handling Code Execution Vulnerability
  • Affected:
    • IBM Installation Manager 1.3
  • Description: IBM Installation Manager is an application primarily used to simplify downloading and installing trial code for many IBM products. A vulnerability has been identified in IBM Installation Manager that might allow an attacker to load a malicious library from a remote network location. A specially crafted web page can be used to trigger this vulnerability by enticing an unsuspecting user to visit it. The specific flaw is an error in the way "IBMIM.exe" handles certain arguments, e.g. the "-vm" argument, passed through an "iim://" URI. Successful exploitation might allow an attacker to execute arbitrary code in the context of the vulnerable application. Full technical details for this vulnerability are publicly available.

  • Status: Vendor not confirmed, no updates available.

  • References:
  • (5) LOW: FireFTP Firefox Extension SFTP Command Manipulation Vulnerability
  • Affected:
    • FireFTP 1.0.5
  • Description: FireFTP is a free cross-platform FTP client for Mozilla Firefox. A vulnerability has been reported in the FireFTP extension for Firefox that might allow an attacker who can create files on an SFTP server to manipulate the SFTP commands sent from an unsuspecting FireFTP user to that server. The specific flaw is in the handling of "psftp.exe" commands: filenames that contain double-quote characters are not properly escaped. A specially crafted filename can be used to trigger this vulnerability and modify the SFTP commands in ways that let an attacker manipulate certain data. Full technical details for this vulnerability are publicly available.

  • Status: Vendor confirmed, updates available.

  • References:
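Item (3) above names the kill bit as the available mitigation for the KeyHelp control. The Python helper below is an added illustration, not part of the @RISK bulletin and not tooling from TippingPoint, Microsoft or KeyWorks: it builds the .reg file that sets the kill bit for the CLSID given in item (3) (the registry key and the 0x400 "Compatibility Flags" value are the ones documented in Microsoft KB240797, which Part II entry 09.40.2 references) and, on Windows, reads the current flags back so an administrator can verify the control is blocked. The CLSID is the page's; the function names and the check logic are this example's own.

```python
import sys
from typing import Optional

# The CLSID named in Part I item (3) for the KeyWorks KeyHelp control.
KEYHELP_CLSID = "{B7ECFD41-BE62-11D2-B9A8-00104B138C8C}"

# Kill-bit location and flag value as documented in Microsoft KB240797.
KILLBIT_KEY = r"SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility"
KILLBIT_FLAG = 0x00000400  # bit in "Compatibility Flags" that blocks instantiation


def normalize_clsid(clsid: str) -> str:
    """Return the CLSID in the brace-wrapped, upper-case form used under the key."""
    body = clsid.strip().strip("{}").upper()
    groups = body.split("-")
    hex_digits = set("0123456789ABCDEF")
    if [len(g) for g in groups] != [8, 4, 4, 4, 12] or any(
        ch not in hex_digits for g in groups for ch in g
    ):
        raise ValueError(f"not a CLSID: {clsid!r}")
    return "{" + body + "}"


def killbit_reg_text(clsid: str) -> str:
    """Build a .reg file (importable with regedit) that sets the kill bit for one control."""
    key = normalize_clsid(clsid)
    return (
        "Windows Registry Editor Version 5.00\r\n\r\n"
        f"[HKEY_LOCAL_MACHINE\\{KILLBIT_KEY}\\{key}]\r\n"
        f'"Compatibility Flags"=dword:{KILLBIT_FLAG:08x}\r\n'
    )


def killbit_is_set(flags: Optional[int]) -> bool:
    """True when a Compatibility Flags value (None if the key is absent) has the kill bit on."""
    return flags is not None and bool(flags & KILLBIT_FLAG)


def read_killbit_flags(clsid: str) -> Optional[int]:
    """Read the control's current Compatibility Flags from the live registry.

    Windows only; returns None when no entry exists for the CLSID.
    """
    if sys.platform != "win32":
        raise OSError("kill-bit registry check only applies on Windows")
    import winreg  # only importable on Windows

    path = KILLBIT_KEY + "\\" + normalize_clsid(clsid)
    try:
        with winreg.OpenKey(winreg.HKEY_LOCAL_MACHINE, path) as key:
            value, _ = winreg.QueryValueEx(key, "Compatibility Flags")
            return int(value)
    except FileNotFoundError:
        return None


if __name__ == "__main__":
    print(killbit_reg_text(KEYHELP_CLSID))
```

On 64-bit Windows the 32-bit browser reads the same key beneath SOFTWARE\Wow6432Node, so a verification pass should check both locations. A kill bit stops Internet Explorer and other hosts that honour it from instantiating the control; it contains the exposure but is not a replacement for a vendor fix.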
Part II: Weekly Comprehensive List of Newly Discovered Vulnerabilities
Week 40, 2009

This list is compiled by Qualys ( www.qualys.com ) as part of that company's ongoing effort to ensure its vulnerability management web service tests for all known vulnerabilities that can be scanned. As of this week Qualys scans for 7480 unique vulnerabilities. For this special SANS community listing, Qualys also includes vulnerabilities that cannot be scanned remotely.


  • 09.40.1 - CVE: Not Available
  • Platform: Third Party Windows Apps
  • Title: OpenSAML "use" Key Certificate Validation Security Bypass
  • Description: OpenSAML is an HTTP client API available for Microsoft Windows. OpenSAML is exposed to a security bypass issue because of an error in verifying website certificates. Specifically, the application fails to validate the "use" tag of the "KeyDescriptor" element. OpenSAML versions prior to 2.2.1 are affected.
  • Ref: http://shibboleth.internet2.edu/secadv/secadv_20090817a.txt

  • 09.40.2 - CVE: Not Available
  • Platform: Third Party Windows Apps
  • Title: KeyWorks KeyHelp Module "keyhelp.ocx" ActiveX Control Remote Buffer Overflow
  • Description: KeyWorks KeyHelp Module is an ActiveX control help module. The module is exposed to a remote stack-based buffer overflow issue because it fails to perform adequate boundary checks on user-supplied input. The problem occurs in the "JumpMappedID()" and "JumpURL()" methods of "keyhelp.ocx".
  • Ref: http://support.microsoft.com/kb/240797

  • 09.40.3 - CVE: Not Available
  • Platform: Third Party Windows Apps
  • Title: Black Ice Printer Driver Resource Toolkit ActiveX Control Multiple Remote Vulnerabilities
  • Description: Black Ice Printer Driver Resource Toolkit ActiveX Control provides functions used to control print jobs. It is included with printer drivers developed by Black Ice Software. A remote attacker can exploit these issues by enticing an unsuspecting user to view a malicious HTML page.
  • Ref: http://www.blackice.com/Newsletters/NEW20904.htm

  • 09.40.4 - CVE: Not Available
  • Platform: Third Party Windows Apps
  • Title: HP LoadRunner XUpload.ocx ActiveX Control "MakeHttpRequest()" Arbitrary File Download
  • Description: HP LoadRunner is a performance testing tool. HP LoadRunner Persits.XUpload.2 ActiveX control is exposed to an issue that can allow malicious files to be downloaded and saved to arbitrary locations on an affected computer. This issue occurs because the application fails to validate user-supplied data. HP LoadRunner version 9.5 is affected.
  • Ref: http://www.securityfocus.com/bid/36550

  • 09.40.5 - CVE: CVE-2009-3290
  • Platform: Linux
  • Title: Linux Kernel KVM "kvm_emulate_hypercall()" Local Denial of Service
  • Description: The Linux kernel is exposed to a local denial of service issue. The issue affects "kvm_emulate_hypercall()" in the "arch/x86/kvm/x86.c" source file of the Kernel-based Virtual Machine (KVM). Specifically, local guest operating system users may gain access to memory management unit (MMU) hypercalls from ring 0. Linux kernel versions 2.6.25-rc1 through 2.6.30 are affected.
  • Ref: http://www.securityfocus.com/bid/36511

  • 09.40.6 - CVE: Not Available
  • Platform: Solaris
  • Title: Sun Solaris Trusted Extensions Common Desktop Environment Local Privilege Escalation
  • Description: Sun Solaris Trusted Extensions Common Desktop Environment (CDE) is exposed to a local privilege escalation issue. This issue results from an unspecified error. A local attacker can exploit the vulnerability to run arbitrary code with superuser privileges, resulting in a complete compromise.
  • Ref: http://sunsolve.sun.com/search/document.do?assetkey=1-66-267488-1

  • 09.40.7 - CVE: Not Available
  • Platform: Aix
  • Title: IBM AIX "nfs_portmon" Authentication Bypass
  • Description: IBM AIX is a Unix-based operating system. AIX is exposed to an authentication bypass issue because the "nfs_portmon" tunable isn't used correctly in an NFSv4 filesystem. Successfully exploiting this issue will allow attackers to gain unauthorized access to network shares that are protected by "nfs_portmon". IBM AIX versions 5.3 and 6.1 are affected.
  • Ref: http://www14.software.ibm.com/webapp/set2/subscriptions/pqvcmjd?mode=18&ID=4795&myns=paix53&mync=E

  • 09.40.8 - CVE: Not Available
  • Platform: Aix
  • Title: IBM AIX "gssd" Kerberos Credential Cache Local Unauthorized Access
  • Description: IBM AIX is a Unix-based operating system. AIX is exposed to an unauthorized access issue because of an error in the kernel's NFSv4 implementation. This issue affects the Kerberos credential cache. The "usr/sbin/gssd" command is vulnerable.
  • Ref: http://aix.software.ibm.com/aix/efixes/security/nfs4_advisory.asc

  • 09.40.9 - CVE: Not Available
  • Platform: Cross Platform
  • Title: nginx WebDAV Multiple Directory Traversal Vulnerabilities
  • Description: The "nginx" program is an HTTP server and mail proxy server. The software is exposed to multiple directory traversal issues because it fails to sufficiently sanitize user-supplied input. Specifically, the server fails to verify the WebDAV "MOVE" and "COPY" methods when it is compiled with the "http_dav_module" module. nginx versions 0.7.61 and 0.7.62 are affected.
  • Ref: http://www.securityfocus.com/archive/1/506662
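The nginx entry above concerns MOVE and COPY, the two WebDAV methods whose target is taken from the client-supplied Destination header rather than from the request URI, so a server that normalises the request path but not the Destination can be walked out of its document root. The check below is an added Python example of how a WebDAV handler can validate that header; it is not nginx code and does not describe nginx's fix. The DAV root, host name and request samples are constructed, and the handler is assumed to serve its DAV namespace at the root of that host.

```python
import posixpath
from urllib.parse import unquote, urlsplit

# Constructed values for the example: where the DAV collection lives on disk
# and which host name this server answers for.
DAV_ROOT = "/var/www/dav"
SERVER_HOST = "files.example.test"


def resolve_destination(destination, dav_root=DAV_ROOT, host=SERVER_HOST):
    """Map a Destination header to a filesystem path, or return None to reject it.

    Rejects a foreign host, a non-absolute path, an embedded NUL, and any path
    that leaves dav_root once percent-decoded and normalised. Decoding happens
    before normalisation so that "%2e%2e" is treated exactly like "..".
    """
    dav_root = posixpath.normpath(dav_root)
    parts = urlsplit(destination)
    # Destination may be an absolute URI or an absolute path (RFC 4918 s10.3);
    # when a host is given it must be this server, not some other origin.
    if parts.netloc and parts.hostname != host:
        return None
    path = unquote(parts.path)
    if "\x00" in path or not path.startswith("/"):
        return None
    # Join first, then normalise: "docs/../../x" collapses to a path outside
    # dav_root and is caught by the containment test. normpath is purely
    # lexical; symlinks inside the tree are a separate, filesystem-level concern.
    candidate = posixpath.normpath(posixpath.join(dav_root, path.lstrip("/")))
    if candidate != dav_root and not candidate.startswith(dav_root + "/"):
        return None
    return candidate


def check_copy_move(method, headers):
    """Decide a COPY/MOVE request: returns (HTTP status, resolved target or None).

    headers is a plain dict with canonical header names (constructed input).
    """
    if method not in ("COPY", "MOVE"):
        return 405, None
    destination = headers.get("Destination")
    if destination is None:
        return 400, None  # Destination is mandatory for COPY and MOVE
    target = resolve_destination(destination)
    if target is None:
        return 403, None  # outside the DAV root or otherwise unacceptable
    return 200, target


if __name__ == "__main__":
    # Constructed requests: one legitimate rename, two that must be refused.
    samples = [
        ("MOVE", {"Destination": "http://files.example.test/docs/a/../new.txt"}),
        ("COPY", {"Destination": "/docs/%2e%2e/%2e%2e/%2e%2e/etc/passwd"}),
        ("MOVE", {"Destination": "http://other.example.test/docs/x"}),
    ]
    for method, hdrs in samples:
        print(method, hdrs["Destination"], "->", check_copy_move(method, hdrs))
```

The order of operations is the point: decode, then join to the root, then normalise, then test containment. Normalising before joining would silently fold a leading ".." away instead of rejecting it, and checking a string prefix without the trailing slash would accept a sibling directory whose name merely starts with the root's.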

  • 09.40.10 - CVE: CVE-2009-2863
  • Platform: Cross Platform
  • Title: Cisco IOS Authentication Proxy for HTTP(S) Authentication Bypass
  • Description: Cisco IOS is exposed to a remote authentication bypass issue because the software fails to properly enforce authentication. The problem occurs when IOS software is configured with Authentication Proxy for HTTP(S), Web Authentication, or the consent feature. Specifically, when a valid authentication session exists, subsequent sessions will be accepted as valid regardless of the credentials given.
  • Ref: http://www.cisco.com/en/US/products/products_security_advisory09186a0080af8132.shtml

  • 09.40.11 - CVE: CVE-2009-2867
  • Platform: Cross Platform
  • Title: Cisco IOS Zone-Based Policy Firewall SIP Inspection Denial of Service
  • Description: Cisco IOS is exposed to a remote denial of service issue that occurs when Cisco IOS is configured to use Cisco IOS Zone-Based Policy Firewall SIP inspection. Specifically, devices running Cisco IOS fail to handle specially crafted SIP transit packets.
  • Ref: http://www.cisco.com/en/US/products/products_security_advisory09186a0080af8130.shtml

  • 09.40.12 - CVE: CVE-2009-2866
  • Platform: Cross Platform
  • Title: Cisco IOS H.323 Denial of Service
  • Description: Cisco IOS is exposed to a remote denial of service issue that occurs when Cisco IOS handles a specially crafted H.323 packet. H.323 is the ITU standard for multimedia communications over IP. An attacker can exploit this issue to cause the affected device to reload, denying service to legitimate users.
  • Ref: http://www.cisco.com/en/US/products/products_security_advisory09186a0080af811a.shtml

  • 09.40.13 - CVE: CVE-2009-2871
  • Platform: Cross Platform
  • Title: Cisco IOS Specially Crafted Encryption Packet Denial of Service
  • Description: Cisco IOS is exposed to a remote denial of service issue that occurs when a device is configured to use SSLVPN and SSH. Specifically, the software fails to handle specially crafted TCP packets. An attacker can exploit this issue by submitting a specially crafted TCP packet via TCP port 443 or 22.
  • Ref: http://www.cisco.com/en/US/products/products_security_advisory09186a0080af811c.shtml#iosxe

  • 09.40.14 - CVE: CVE-2009-2862
  • Platform: Cross Platform
  • Title: Cisco IOS Object Group Access Control List Bypass
  • Description: Cisco IOS is exposed to a security bypass issue. An attacker can exploit this issue to bypass access control lists (ACLs) based on an object group, gaining access to restricted resources, which may aid in further attacks.
  • Ref: http://www.cisco.com/en/US/products/products_security_advisory09186a0080af8119.shtml

  • 09.40.15 - CVE: CVE-2009-2864
  • Platform: Cross Platform
  • Title: Cisco Unified Communications Manager SIP Message Denial of Service
  • Description: Cisco Unified Communications Manager (CUCM) is a software-based call-processing component of the Cisco IP telephony solution. The application was formerly named Unified CallManager. CUCM is exposed to a denial of service issue when handling specially crafted SIP messages.
  • Ref: http://www.cisco.com/warp/public/707/cisco-sa-20090923-cm.shtml

  • 09.40.16 - CVE: CVE-2009-2868
  • Platform: Cross Platform
  • Title: Cisco IOS Software Internet Key Exchange Resource Exhaustion Denial of Service
  • Description: Cisco IOS is exposed to a remote denial of service issue in the Internet Key Exchange (IKE) implementation. This issue occurs when the certificate-based authentication method is used. An attacker can exploit this issue to consume all available Phase 1 security associations, which may prevent new IPSec sessions from being established.
  • Ref: http://www.cisco.com/warp/public/707/cisco-sa-20090923-ipsec.shtml

  • 09.40.17 - CVE: CVE-2009-2865
  • Platform: Cross Platform
  • Title: Cisco Unified Communications Manager Express Extension Mobility Buffer Overflow
  • Description: Cisco Unified Communications Manager Express is the call processing component of an IP telephony solution that is integrated into Cisco IOS. The Extension Mobility feature provides phone mobility services. The login section of the Extension Mobility feature is exposed to a buffer overflow issue. Attackers can exploit this issue to execute arbitrary code or to cause denial of service conditions.
  • Ref: http://www.cisco.com/warp/public/707/cisco-sa-20090923-cme.shtml

  • 09.40.18 - CVE: CVE-2009-2870
  • Platform: Cross Platform
  • Title: Cisco IOS SIP Message Denial of Service
  • Description: Cisco IOS is exposed to a denial of service issue when the Cisco Unified Border Element feature is enabled. This issue occurs when handling specially crafted SIP messages. An attacker can exploit this issue by submitting specially crafted SIP messages via TCP port 5060 or 5061 or via UDP port 5060.
  • Ref: http://www.cisco.com/warp/public/707/cisco-sa-20090923-sip.shtml

  • 09.40.19 - CVE: CVE-2009-2872, CVE-2009-2873
  • Platform: Cross Platform
  • Title: Cisco IOS Software Tunnels Multiple Denial of Service Vulnerabilities
  • Description: Cisco IOS is exposed to multiple remote denial of service vulnerabilities. The problems occur in devices that are configured for GRE, IPinIP, Generic Packet Tunneling in IPv6 or IPv6 over IP tunnels, and Cisco Express Forwarding. The problem occurs when handling malformed packets.
  • Ref: http://www.cisco.com/en/US/products/products_security_advisory09186a0080af8115.shtml

  • 09.40.20 - CVE: CVE-2009-2869
  • Platform: Cross Platform
  • Title: Cisco IOS NTPv4 Reply Packet Remote Denial of Service
  • Description: Network Time Protocol (NTP) is a time synchronization protocol for networks. Cisco IOS is exposed to a remote denial of service issue that occurs when devices supporting NTPv4 create NTP reply packets.
  • Ref: http://www.cisco.com/warp/public/707/cisco-sa-20090923-ntp.shtml

  • 09.40.21 - CVE: Not Available
  • Platform: Cross Platform
  • Title: Avast! Antivirus "aswMon2.sys" Driver Local Privilege Escalation
  • Description: Avast! Antivirus is an application that provides virus protection. Avast! Antivirus is exposed to a local privilege escalation issue that occurs because the "aswMon2.sys" driver fails to sufficiently sanitize user-supplied input passed to IOCTL 0xB2C80018. Avast! Antivirus version 4.8.1351.0 is affected.
  • Ref: http://www.securityfocus.com/archive/1/506681

  • 09.40.22 - CVE: Not Available
  • Platform: Cross Platform
  • Title: Lyris ListManager Multiple Remote Vulnerabilities
  • Description: Lyris ListManager is a mailing list application. The application is exposed to multiple security issues. Exploiting these issues could allow an attacker to steal cookie-based authentication credentials, compromise the application, obtain sensitive information, access or modify data, or exploit latent vulnerabilities in the underlying database.
  • Ref: http://www.securityfocus.com/bid/36509

  • 09.40.23 - CVE: Not Available
  • Platform: Cross Platform
  • Title: OpenSAML URI Handling Remote Buffer Overflow
  • Description: OpenSAML is an open source library. OpenSAML is exposed to a remote buffer overflow issue because it fails to perform adequate boundary checks on user-supplied input before copying it to an insufficiently sized buffer. This issue occurs when handling a specially crafted URI. OpenSAML versions prior to 1.1.3 are affected.
  • Ref: http://shibboleth.internet2.edu/secadv/secadv_20090826.txt

  • 09.40.24 - CVE: CVE-2009-2905
  • Platform: Cross Platform
  • Title: Newt Text Box Content Processing Remote Buffer Overflow
  • Description: Newt is a programming library that provides color text mode widget-based user interfaces. Newt is exposed to a remote buffer overflow issue that occurs because it fails to perform adequate boundary checks on user-supplied data. This issue affects text box content rendering.
  • Ref: http://www.securityfocus.com/bid/36515

  • 09.40.25 - CVE: Not Available
  • Platform: Cross Platform
  • Title: Code-Crafters Ability Mail Server IMAP FETCH Request Remote Denial of Service
  • Description: Code-Crafters Ability Mail Server is a mail server for Microsoft Windows 98, Me, NT, 2000, XP, and 2003. The application fails to properly handle IMAP FETCH requests. After receiving a specially crafted request, the application may fail to respond to legitimate requests. Ability Mail Server versions prior to 2.70 are affected.
  • Ref: http://www.securityfocus.com/bid/36519

  • 09.40.26 - CVE: Not Available
  • Platform: Cross Platform
  • Title: Cisco Application Control Engine (ACE) XML Gateway IP Address Information Disclosure
  • Description: Cisco Application Control Engine (ACE) XML Gateway enables web-based services to be deployed with XML and SOAP. The application is exposed to a local information disclosure issue because it doesn't have a handler for HTTP OPTIONS message handling errors. Attackers can leverage this issue to obtain IP addresses of the application's clients. ACE XML Gateway and ACE Web Application Firewall versions prior to 6.1 are affected.
  • Ref: http://www.cisco.com/warp/public/707/cisco-sr-20090925-axg.shtml

  • 09.40.27 - CVE: Not Available
  • Platform: Cross Platform
  • Title: html2ps "include file" Server Side Include Directive Directory Traversal
  • Description: The "html2ps" program is used for converting HTML to PostScript; it is implemented in Perl. The application is exposed to a directory traversal issue because it fails to sufficiently sanitize user-supplied input to the "include file" server-side include directive embedded in HTML content. html2ps version 1.0 beta 5 is affected.
  • Ref: http://www.securityfocus.com/bid/36524

  • 09.40.28 - CVE: Not Available
  • Platform: Cross Platform
  • Title: Merkaartor Insecure Temporary File Creation
  • Description: Merkaartor is a mapping application. The application creates temporary files in an insecure manner. This issue occurs when creating log files in the "/tmp" directory. An attacker with local access could potentially exploit this issue to perform symbolic link attacks to overwrite arbitrary attacker specified files. Merkaartor version 0.14 is affected.
  • Ref: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=548546
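The Merkaartor entry is an instance of the classic predictable-temporary-file problem: a program opens a fixed name under /tmp, and a local user who plants a symbolic link by that name first redirects the write to a file of their choosing. The Python below is an added illustration, not code from Merkaartor or from the Debian bug report: it contrasts the weak pattern with two safe alternatives (an unpredictable name created by mkstemp, and a fixed name opened with O_CREAT|O_EXCL|O_NOFOLLOW) and runs all three inside a scratch directory so the difference is observable. The application and file names in the demo are constructed.

```python
import os
import stat
import tempfile


def insecure_log_path(app_name="merkaartor", directory=None):
    """The weak pattern: a fixed, predictable name in a shared directory.
    Anyone on the host can create this name (or a symlink by this name) first."""
    return os.path.join(directory or tempfile.gettempdir(), f"{app_name}.log")


def open_log_safely(prefix="merkaartor-", directory=None):
    """Safe variant 1: unpredictable name, created by mkstemp with
    O_CREAT|O_EXCL and mode 0600, so a pre-placed path is never handed to us.
    Returns (fd, path); the caller owns the descriptor."""
    return tempfile.mkstemp(prefix=prefix, suffix=".log", dir=directory)


def open_fixed_name_safely(path):
    """Safe variant 2, when the name must be fixed: O_EXCL makes open() fail
    with FileExistsError if anything (file, symlink, even a dangling one) is
    already there, and O_NOFOLLOW refuses to traverse a symlink at the last
    component. Nothing is ever followed or truncated."""
    flags = os.O_WRONLY | os.O_CREAT | os.O_EXCL | getattr(os, "O_NOFOLLOW", 0)
    return os.open(path, flags, 0o600)


def file_mode(path):
    """Permission bits of the path itself (lstat, so a symlink is not followed)."""
    return stat.S_IMODE(os.lstat(path).st_mode)


def demonstrate(directory=None):
    """Constructed demo: plant a symlink where the naive code expects to write,
    then show the naive open() clobbering the link target while the hardened
    variants do not. Returns a dict of observations."""
    directory = directory or tempfile.mkdtemp(prefix="tmpfile-demo-")
    victim = os.path.join(directory, "victim.txt")
    with open(victim, "w") as f:
        f.write("original contents\n")
    planted = insecure_log_path("merkaartor", directory)  # the predictable name
    os.symlink(victim, planted)

    # Naive open(): follows the planted link and overwrites victim.txt.
    with open(planted, "w") as f:
        f.write("log line\n")
    with open(victim) as f:
        clobbered = f.read() == "log line\n"

    # Hardened fixed-name open(): refuses because the path already exists.
    try:
        os.close(open_fixed_name_safely(planted))
        refused = False
    except FileExistsError:
        refused = True

    # Hardened random-name open(): a fresh file with owner-only permissions.
    fd, safe_path = open_log_safely(directory=directory)
    os.close(fd)
    return {
        "clobbered": clobbered,
        "refused": refused,
        "safe_mode": file_mode(safe_path),
        "safe_in_dir": os.path.dirname(safe_path) == directory,
    }


if __name__ == "__main__":
    print(demonstrate())
```

The protection comes from the open flags, not from checking for the file beforehand: a stat-then-open sequence leaves a window in which the link can be planted, whereas O_EXCL makes the existence test and the creation a single atomic operation in the kernel.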

  • 09.40.29 - CVE: CVE-2009-2683
  • Platform: Cross Platform
  • Title: HP Remote Graphics Software (RGS) Sender Unauthorized Access
  • Description: HP Remote Graphics Software (RGS) is a remote desktop application. The software is exposed to an unspecified unauthorized access vulnerability that affects the RGS Sender. Remote attackers may exploit this issue to gain unauthorized access and compromise the affected computer. RGS versions 5.1.3 through 5.2.6 are affected.
  • Ref: http://www.securityfocus.com/archive/1/506783

  • 09.40.30 - CVE: Not Available
  • Platform: Cross Platform
  • Title: FireFTP Firefox Extension Double Quotes Security Bypass
  • Description: FireFTP is an extension for Firefox. It is used as a client to connect to FTP servers. The application is exposed to a security bypass issue. Specifically, the issue occurs because the application fails to escape quotes from specially crafted filenames. An attacker may perform unauthorized SFTP operations or entice a user to download and overwrite files in the Mozilla Firefox installation directory. FireFTP version 1.0.5 is affected.
  • Ref: http://vuln.sg/fireftp105-en.html

  • 09.40.31 - CVE: Not Available
  • Platform: Cross Platform
  • Title: IBM Informix Dynamic Server JDBC Long Password Remote Denial of Service
  • Description: IBM Informix Dynamic Server is an application server that runs on various platforms. The application is exposed to a remote denial of service issue that presents itself when the application processes long passwords via a JDBC connection. Passwords longer than 512 bytes may cause memory corruption with an assertion failure or instance crash. IBM Informix Dynamic Server versions prior to IDS 10.00.xC11, 11.10.xC4, and 11.50.xC5 are affected.
  • Ref: http://www-01.ibm.com/support/docview.wss?uid=swg1IC61195

  • 09.40.32 - CVE: Not Available
  • Platform: Cross Platform
  • Title: IBM DB2 Multiple Unspecified Security Vulnerabilities
  • Description: IBM DB2 is a database manager. The application is exposed to multiple remote issues. An attacker can exploit some of these issues to perform unauthorized actions. The impact of other issues is currently unknown. IBM DB2 versions DB2 9.1 prior to FP8 and DB2 9.5 prior to FP4 are affected.
  • Ref: http://www-01.ibm.com/support/docview.wss?uid=swg21386689

  • 09.40.33 - CVE: Not Available
  • Platform: Cross Platform
  • Title: Adobe Photoshop Elements Active File Monitor Service Local Privilege Escalation
  • Description: Adobe Photoshop Elements is a digital photograph editing application. Photoshop Elements is exposed to a local privilege escalation issue because the application has insufficient protections in a security descriptor. Specifically, members of the "users" group may apply certain actions to the "Active File Monitor" service, including "stop", "start", and "config". Photoshop Elements version 8 is affected.
  • Ref: http://retrogod.altervista.org/9sg_adobe_pe_local.html

  • 09.40.34 - CVE: Not Available
  • Platform: Web Application - Cross Site Scripting
  • Title: IBM Lotus Connections "simpleSearch.do" Cross-Site Scripting
  • Description: IBM Lotus Connections is a web-based application used for sharing information between coworkers, partners, and customers. The application is exposed to a cross-site scripting issue because it fails to sufficiently sanitize user-supplied input. Specifically, this issue affects the "name" parameter of the "/profiles/html/simpleSearch.do" script. IBM Lotus Connections version 2.0.1 is affected.
  • Ref: http://www-01.ibm.com/support/docview.wss?uid=swg24024414

  • 09.40.35 - CVE: Not Available
  • Platform: Web Application - Cross Site Scripting
  • Title: e107 News Email Referer Header Cross-Site Scripting
  • Description: The "e107" program is a PHP-based content manager. The application is exposed to a cross-site scripting issue because the application fails to sufficiently sanitize the HTTP "Referer" header supplied to the "news" parameter of the "email.php" script when sending news to email.
  • Ref: http://www.securityfocus.com/archive/1/506704

  • 09.40.36 - CVE: Not Available
  • Platform: Web Application - Cross Site Scripting
  • Title: E107 "CAPTCHA" Security Bypass Vulnerability and Multiple Cross-Site Scripting Vulnerabilities
  • Description: E107 is a PHP-based content manager. The application is exposed to a security bypass issue that allows attackers to bypass the CAPTCHA security mechanism. This issue affects the forgotten password page, the registration page and the send link to news page. The application is also exposed to multiple cross-site scripting issues. An attacker could exploit the cross-site scripting issues to execute arbitrary script code in the context of the affected website.
  • Ref: http://www.securityfocus.com/archive/1/506741

  • 09.40.37 - CVE: Not Available
  • Platform: Web Application - Cross Site Scripting
  • Title: e107 eCaptcha Unspecified Cross-Site Scripting
  • Description: eCaptcha is a CAPTCHA module for the e107 content manager. The application is exposed to a cross-site scripting issue because the application fails to sufficiently sanitize user-supplied input to an unspecified field of the eCaptcha module.
  • Ref: http://www.securityfocus.com/archive/1/506791

  • 09.40.38 - CVE: Not Available
  • Platform: Web Application - Cross Site Scripting
  • Title: IBM Tivoli Composite Application Manager for WebSphere Unspecified Cross-Site Scripting
  • Description: IBM Tivoli Composite Application Manager for WebSphere is a web-based application used to provide real time problem detection, analysis and repair. The application is exposed to an unspecified cross-site scripting issue because it fails to sufficiently sanitize user-supplied input. IBM Tivoli Composite Application Manager for WebSphere version 6.1.0 is affected.
  • Ref: http://www.securityfocus.com/bid/36550

  • 09.40.39 - CVE: Not Available
  • Platform: Web Application - SQL Injection
  • Title: Vastal I-Tech Agent Zone SQL Injection
  • Description: Agent Zone is a PHP-based real estate application. The application is exposed to an SQL injection issue because it fails to sufficiently sanitize user-supplied data to the "id" parameter of the "view_listing.php" script before using it in an SQL query.
  • Ref: http://www.securityfocus.com/bid/36503

  • 09.40.40 - CVE: Not Available
  • Platform: Web Application - SQL Injection
  • Title: Joomla!/Mambo Tupinambis Component SQL Injection
  • Description: Tupinambis ("com_tupinambis") is a component for the Joomla! and Mambo content managers. The component is exposed to an SQL injection issue because it fails to sufficiently sanitize user-supplied data to the "proyecto" parameter of the "tupinambis" component before using it in an SQL query. Tupinambis version 1.0 is affected.
  • Ref: http://www.securityfocus.com/bid/36511

  • 09.40.41 - CVE: Not Available
  • Platform: Web Application - SQL Injection
  • Title: Joomla! Fastball Component SQL Injection
  • Description: Fastball ("com_fastball") is a component for the Joomla! content manager. The component is exposed to an SQL injection issue because it fails to sufficiently sanitize user-supplied data to the "league" parameter of the "com_fastball" component before using it in an SQL query. Fastball version 1.2 is affected.
  • Ref: http://www.securityfocus.com/archive/1/506704

  • 09.40.42 - CVE: Not Available
  • Platform: Web Application - SQL Injection
  • Title: iCRM Basic Joomla! Component Security Bypass and SQL Injection Vulnerabilities
  • Description: iCRM Basic is a PHP-based component for the Joomla! content manager. The application is exposed to multiple security issues. Exploiting the security bypass issue may allow an attacker to bypass certain security restrictions and perform unauthorized actions. iCRM Basic version 1.4.2.31 is affected.
  • Ref: http://www.securityfocus.com/bid/36533
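Four of this week's entries (09.40.39 through 09.40.42) are the same flaw class: a request parameter such as "id", "proyecto" or "league" is spliced into an SQL statement before being used in a query. The Python/sqlite3 snippet below is an added example, not code from any of the affected products: it shows the vulnerable construction next to the hardened one (type validation followed by a bound parameter) against a constructed listings table, so the effect of a non-numeric "id" value on each version can be compared.

```python
import sqlite3


def build_demo_db():
    """In-memory listings table with constructed sample rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE listings (id INTEGER PRIMARY KEY, title TEXT, agent_email TEXT)"
    )
    conn.executemany(
        "INSERT INTO listings VALUES (?, ?, ?)",
        [
            (1, "Loft downtown", "agent1@example.test"),
            (2, "Suburban house", "agent2@example.test"),
        ],
    )
    return conn


def view_listing_vulnerable(conn, id_param):
    """The flaw class from the entries above: the raw request parameter is
    spliced into the statement, so whatever it contains becomes SQL syntax."""
    sql = f"SELECT id, title FROM listings WHERE id = {id_param}"
    return conn.execute(sql).fetchall()


def view_listing_fixed(conn, id_param):
    """Hardened: enforce the expected type first, then pass the value as a bound
    parameter so the driver never interprets it as SQL."""
    try:
        listing_id = int(id_param)
    except (TypeError, ValueError):
        return []  # a non-numeric id is simply "not found"
    return conn.execute(
        "SELECT id, title FROM listings WHERE id = ?", (listing_id,)
    ).fetchall()


if __name__ == "__main__":
    db = build_demo_db()
    # A well-formed id and the textbook tautology input, run through both paths.
    for value in ("2", "1 OR 1=1"):
        print(repr(value), "vulnerable:", view_listing_vulnerable(db, value),
              "fixed:", view_listing_fixed(db, value))
```

The bound parameter is what removes the bug; the int() check in front of it is defence in depth that also gives the application a clean "not found" path for junk input instead of a database error, which is useful when reviewing logs for probing.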

  • 09.40.43 - CVE: Not Available
  • Platform: Web Application
  • Title: OSSIM SQL Injection, Cross-Site Scripting and Unauthorized Access Vulnerabilities
  • Description: OSSIM (Open Source Security Information Management) is a compilation of common security tools that are managed in a web console. The application is exposed to multiple input validation issues. Exploiting these issues could allow an attacker to steal cookie-based authentication credentials, compromise the application, access or modify data, or exploit latent vulnerabilities in the underlying database. OSSIM versions prior to 2.1.2 are affected.
  • Ref: http://www.securityfocus.com/archive/1/506663

  • 09.40.44 - CVE: Not Available
  • Platform: Web Application
  • Title: Drupal Markdown Preview Module Live Preview HTML Injection
  • Description: Markdown Preview is a module for the Drupal content management system. The module is exposed to an HTML injection issue because it fails to properly sanitize user-supplied input shown in the "live preview" pane before rendering it in the page. Markdown Preview 6.x is affected.
  • Ref: http://drupal.org/node/585790

  • 09.40.45 - CVE: Not Available
  • Platform: Web Application
  • Title: Drupal Meta tags (Nodewords) Module Unauthorized Access
  • Description: The Meta tags (Nodewords) module for Drupal provides meta tags based on node titles. The application is exposed to an unauthorized access vulnerability because it fails to adequately enforce access permissions. Meta tags (Nodewords) versions prior to 6.x-1.1 are affected.
  • Ref: http://drupal.org/node/585710

  • 09.40.46 - CVE: Not Available
  • Platform: Web Application
  • Title: Drupal Bibliography Module Biblio Item HTML Injection
  • Description: Bibliography (Biblio) is a PHP-based module for the Drupal content management system. The module is exposed to an HTML injection issue because it fails to properly sanitize user-supplied input in the "title" field of Biblio content before displaying it in a user's browser. Bibliography version 6.x-1.6 is affected.
  • Ref: http://www.securityfocus.com/bid/36521

  • 09.40.47 - CVE: Not Available
  • Platform: Web Application
  • Title: Xen pygrub Local Authentication Bypass
  • Description: Xen is an open source hypervisor (virtual machine monitor). "pygrub" is the boot loader Xen uses to start paravirtualized guest domains from the guest's own GRUB configuration. Xen is exposed to a local authentication bypass issue: when the guest's "grub.conf" is protected with a password directive, pygrub does not enforce that password at boot time, so a local user with access to the guest's boot menu can bypass the protection. Xen versions 3.0.3, 3.3.0, and 3.3.1 are affected.
  • Ref: https://bugzilla.redhat.com/show_bug.cgi?id=525740

  • 09.40.48 - CVE: Not Available
  • Platform: Web Application
  • Title: IBM Lotus Quickr Multiple HTML Injection Vulnerabilities
  • Description: IBM Lotus Quickr is web-based collaboration software. The application is exposed to multiple HTML injection issues because it fails to sufficiently sanitize user-supplied input to document names and other properties. Lotus Quickr services version 8.1.0 for the WebSphere Portal is affected.
  • Ref: http://www.securityfocus.com/bid/36527/references

  • 09.40.49 - CVE: Not Available
  • Platform: Web Application
  • Title: Juniper Networks JUNOS JWeb Multiple Cross-Site Scripting and HTML Injection Vulnerabilities
  • Description: Juniper Networks JUNOS is exposed to multiple cross-site scripting and HTML injection issues because JWeb, the Juniper web management interface, fails to sufficiently sanitize user-supplied data. Attacker-supplied HTML or JavaScript code could run in the browser of a user viewing the affected interface, potentially allowing the attacker to steal cookie-based authentication credentials and to control how the interface is rendered; other attacks are also possible.
  • Ref: http://www.securityfocus.com/bid/36537

  • 09.40.50 - CVE: Not Available
  • Platform: Web Application
  • Title: Interspire Knowledge Manager "p" Parameter Directory Traversal
  • Description: Interspire Knowledge Manager is a web-based knowledge base application. The application is exposed to a directory traversal issue because it fails to sufficiently sanitize user-supplied input passed in the "p" parameter of the "/admin/de/dialog/file_manager.php" script, allowing files outside the intended directory to be reached. Knowledge Manager version 5 is affected.
  • Ref: http://www.securityfocus.com/bid/36541

  • 09.40.51 - CVE: Not Available
  • Platform: Web Application
  • Title: FlatPress "userid" Parameter Local File Include
  • Description: FlatPress is a PHP-based weblog application. The application is exposed to a local file include issue because it fails to properly sanitize user-supplied input passed in the "userid" parameter of the "fp-includes/core/core.users.php" script before using it to build a file path. FlatPress versions 0.804 through 0.812.1 are affected.
  • Ref: http://www.securityfocus.com/archive/1/506816

  • 09.40.52 - CVE: Not Available
  • Platform: Network Device
  • Title: BlackBerry Device Software Browser Dialog Box Certificate Mismatch Weakness
  • Description: The BlackBerry Device Software web browser is prone to a weakness that may cause users to trust a malicious site. The browser does not correctly handle a NULL character embedded in the domain name of a certificate: an attacker who obtains a certificate for a domain name that matches a trusted domain up to an embedded NULL character, with further text after it, can present that certificate for the trusted domain and the browser accepts it. All versions of the BlackBerry Device Software prior to 4.5.0.173, 4.6.0.303, 4.6.1.309, 4.7.0.179, and 4.7.1.57 are affected.
  • Ref: http://www.blackberry.com/btsc/dynamickc.do?externalId=KB19552&sliceID=1&command=show&forward=nonthreadedKC&kcId=KB19552
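
The weakness above comes from comparing a certificate name the way C handles strings, where a NUL byte ends the string. The following is an added example, not code from Research In Motion or the bulletin, that models the flawed comparison beside one that uses the full-length name and rejects embedded NULs. The host and certificate names are constructed; wildcard and Subject Alternative Name handling are deliberately left out.

```python
TRUSTED_HOST = "www.bank.example"   # constructed host name


def as_c_string(name):
    """Model how a C string is read: everything after the first NUL vanishes."""
    nul = name.find("\x00")
    return name if nul < 0 else name[:nul]


def name_matches_flawed(cert_name, host):
    """Weak check: compares the name as strcmp() would see it, so a certificate
    name 'www.bank.example\\0.attacker.example' compares equal to the trusted
    host although it was issued for the attacker's domain."""
    return as_c_string(cert_name) == host


def name_matches_fixed(cert_name, host):
    """Compare the full-length name and reject embedded NULs outright; a valid
    DNS name never contains one. Case-insensitive, as DNS names are."""
    if "\x00" in cert_name or "\x00" in host:
        return False
    return cert_name.lower() == host.lower()


def demo():
    """Evaluate a legitimate and a NUL-prefixed certificate name under both checks."""
    legit = "www.bank.example"
    spoofed = "www.bank.example\x00.attacker.example"   # constructed NUL-prefixed name
    return {
        "legit_flawed": name_matches_flawed(legit, TRUSTED_HOST),
        "spoofed_flawed": name_matches_flawed(spoofed, TRUSTED_HOST),
        "legit_fixed": name_matches_fixed(legit, TRUSTED_HOST),
        "spoofed_fixed": name_matches_fixed(spoofed, TRUSTED_HOST),
    }


if __name__ == "__main__":
    for case, accepted in demo().items():
        print(case, "accepted" if accepted else "rejected")
```

The same pattern applies to any length-prefixed field (X.509 names are ASN.1 strings carrying an explicit length) that is handed to code expecting NUL-terminated strings: the comparison must use the declared length, and a NUL inside the field should be treated as a hard failure rather than a terminator.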

(c) 2009. All rights reserved. The information contained in this newsletter, including any external links, is provided "AS IS," with no express or implied warranty, for informational purposes only. In some cases, copyright for material in this newsletter may be held by a party other than Qualys (as indicated herein) and permission to use such material must be requested from the copyright owner.

Subscriptions: @RISK is distributed free of charge by the SANS Institute to people responsible for managing and securing information systems and networks. You may forward this newsletter to others with such responsibility inside or outside your organization.