
@RISK: The Consensus Security Vulnerability Alert

Volume: VIII, Issue: 41
October 8, 2009

@RISK is the SANS community's consensus bulletin summarizing the most important vulnerabilities and exploits identified during the past week and providing guidance on appropriate actions to protect your systems (PART I). It also includes a comprehensive list of all new vulnerabilities discovered in the past week (PART II).

Summary of the vulnerabilities reported this week:

    Platform                                Number of Updates and Vulnerabilities
    --------------------------------------  -------------------------------------
    Windows                                 1
    Other Microsoft Products                1
    Third Party Windows Apps                2 (#2)
    Mac Os                                  1
    Linux                                   3
    BSD                                     3
    Solaris                                 1
    Novell                                  1
    Cross Platform                          13 (#3)
    Web Application - Cross Site Scripting  5
    Web Application - SQL Injection         2
    Web Application                         10 (#1, #4, #5)
    Network Device                          3

************************ Sponsored By Q1 Labs **************************

** THE SECURITY MANAGEMENT EVOLUTION: WHAT'S NEXT? **

GET THE WHITE PAPER NOW: http://www.sans.org/info/49348

Respected industry analyst firm Enterprise Strategy Group (ESG) provides a unique perspective on the evolution of security information and event management (SIEM) solutions from niche firewall log analyzers to highly strategic security management solutions. How can organizations like yours identify and leverage the newest, most sophisticated tools in the next phase of the Evolution?

*************************************************************************

TRAINING UPDATE
- SCADA Security Summit, Stockholm, Oct. 27-30, https://www.sans.org/euscada09_summit/
- SANS Chicago North Shore, Oct. 26-Nov. 2, https://www.sans.org/chicago09/
- SANS San Francisco, November 9-14, https://www.sans.org/sanfrancisco09
- SANS CDI, Washington DC, Dec. 11-18, https://www.sans.org/cyber-defense-initiative-2009
- Looking for training in your own community? https://sans.org/community/

- Save on On-Demand training (30 full courses) - See samples at: https://www.sans.org/ondemand/
- For a list of all upcoming events, on-line and live: https://www.sans.org

*************************************************************************

Table Of Contents
Part II -- Comprehensive List of Newly Discovered Vulnerabilities from Qualys (www.qualys.com)
Windows
Other Microsoft Products
Third Party Windows Apps
Mac Os
Linux
BSD
Solaris
Novell
Cross Platform
Web Application - Cross Site Scripting
Web Application - SQL Injection
Web Application
Network Device

**************************** Sponsored Links: **************************

1) Register Today and receive 10% off for SANS vLive course SEC542, Web App Penetration Testing and Ethical Hacking, November 2nd - November 9th.

Please use the code @Risk542 when registering.

https://www.sans.org/info/49353

2) Free SANS Audiocast!!! Security Buzz from MX Logic, Episode 37 featuring Scott Chasin, CTO of MX Logic & Erik Boles, Senior Systems Engineer, sponsored by MX Logic.

http://www.sans.org/info/49358

3) REGISTER NOW for the upcoming webcast: Ask the Expert Webcast: Top 10 Ways to Get the Most Out of Your Log Data.

http://www.sans.org/info/49363

*************************************************************************

PART I Critical Vulnerabilities

Part I for this issue has been compiled by Rohan Kotian at TippingPoint, a division of 3Com, as a by-product of that company's continuous effort to ensure that its intrusion prevention products effectively block exploits using known vulnerabilities. TippingPoint's analysis is complemented by input from a council of security managers from twelve large organizations who confidentially share with SANS the specific actions they have taken to protect their systems. A detailed description of the process may be found at http://www.sans.org/newsletters/cva/#process

Widely Deployed Software
  • (1) HIGH: Google Apps "googleapps.url.mailto" URI handling Command Injection Vulnerability
  • Affected: Google Apps 1.x
  • Description: Google Apps, a service from Google that bundles several Google products (Gmail, Google Calendar, Google Talk, Docs) under custom domain names, is vulnerable to a remote command injection vulnerability. A specially crafted web page can be used to trigger this vulnerability. The specific flaw is an error in the way "googleapps.exe" handles arguments, e.g. the "--renderer-path" argument, received via the "googleapps.url.mailto:" URI. Successful exploitation might allow an attacker to execute malicious binaries or applications from a remote location. Technical details for this vulnerability are publicly available along with a Proof-of-Concept.

  • Status: Vendor not confirmed, no updates available.

  • References:
  • (2) HIGH: AOL SuperBuddy ActiveX Control Remote Code Execution Vulnerability
  • Affected:
    • AOL versions 9.x
    • AOL SuperBuddy ActiveX 9.x
  • Description: The "SuperBuddy" ActiveX control, shipped with the America Online (AOL) software package, has a vulnerability that can be triggered by a malicious web page that instantiates the control. The specific flaw is a memory corruption error in the "SetSuperBuddy()" method of the "Sb.SuperBuddy.1" (sb.dll) ActiveX control. An attacker might exploit this vulnerability by passing malformed arguments to the "SetSuperBuddy()" method. Successful exploitation might allow an attacker to execute arbitrary code in the context of the logged-on user. Full technical details for this vulnerability are publicly available along with a Proof-of-Concept.

  • Status: Vendor has not confirmed, no updates available. Users can mitigate the impact of this vulnerability by disabling the control via Microsoft's "kill bit" mechanism for CLSID 189504B8-50D1-4AA8-B4D6-95C8F58A6414.

  • References:
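The kill-bit mitigation named in the Status line above, as an added example that is not part of the bulletin and not code from AOL or Microsoft: it sets the documented "Compatibility Flags" kill-bit value for the advisory's CLSID so Internet Explorer refuses to instantiate the control, then verifies the flag. The registry path and the 0x400 value are Microsoft's documented kill-bit mechanism; the function names are this example's own, and it assumes an elevated PowerShell session.

```powershell
# Added example (not from the @RISK bulletin): set and verify the Internet Explorer
# "kill bit" for the AOL SuperBuddy control. Run from an elevated PowerShell prompt.
# 0x400 in "Compatibility Flags" is Microsoft's documented kill-bit value.

$Clsid   = '{189504B8-50D1-4AA8-B4D6-95C8F58A6414}'   # Sb.SuperBuddy.1 (sb.dll), from the advisory
$KillBit = 0x400

# On 64-bit Windows both the native and the 32-bit (WOW6432Node) views matter,
# because 32-bit IE reads the ActiveX Compatibility key from WOW6432Node.
$BasePaths = @(
    'HKLM:\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility',
    'HKLM:\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\ActiveX Compatibility'
)

function Set-ActiveXKillBit {
    param([string]$BasePath, [string]$Clsid)
    $key = Join-Path $BasePath $Clsid
    if (-not (Test-Path $key)) { New-Item -Path $key -Force | Out-Null }
    # Preserve flags that are already set: OR in the kill bit instead of overwriting.
    $current = (Get-ItemProperty -Path $key -Name 'Compatibility Flags' -ErrorAction SilentlyContinue).'Compatibility Flags'
    $new = [int]($current -bor $KillBit)
    Set-ItemProperty -Path $key -Name 'Compatibility Flags' -Value $new -Type DWord
}

function Test-ActiveXKillBit {
    param([string]$BasePath, [string]$Clsid)
    $key = Join-Path $BasePath $Clsid
    $flags = (Get-ItemProperty -Path $key -Name 'Compatibility Flags' -ErrorAction SilentlyContinue).'Compatibility Flags'
    return (($flags -band $KillBit) -eq $KillBit)
}

foreach ($base in $BasePaths) {
    # The WOW6432Node view only exists on 64-bit Windows; skip it elsewhere.
    if (-not (Test-Path $base)) { continue }
    Set-ActiveXKillBit -BasePath $base -Clsid $Clsid
    $state = if (Test-ActiveXKillBit -BasePath $base -Clsid $Clsid) { 'kill bit set' } else { 'kill bit NOT set' }
    Write-Output ("{0}\{1}: {2}" -f $base, $Clsid, $state)
}
```

The same two functions can be reused for any other CLSID a bulletin names; the kill bit blocks instantiation in Internet Explorer only, so the control's DLL remains on disk for other hosts.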
  • (3) HIGH: IBM Informix Products Setnet32 Utility Processing Buffer Overflow Vulnerability
  • Affected:
    • IBM Informix CSDK 3.50
    • IBM Informix Connect 3.0
  • Description: IBM Informix Client Software Development Kit (CSDK) packages the application programming interfaces (APIs) used to develop applications for Informix servers. IBM Informix Connect is a runtime connectivity product that contains the libraries of IBM Informix CSDK. A buffer overflow vulnerability has been discovered in IBM Informix CSDK and IBM Informix Connect that can be triggered by a specially crafted ".nfx" file. The specific flaw is a boundary error in the SetNet32 utility in the way it processes an ".nfx" file containing a malformed field, e.g. an overly long "Hotlist" entry. Successful exploitation might allow an attacker to execute arbitrary code. Technical details for the vulnerability are publicly available via a public exploit.

  • Status: Vendor not confirmed, no updates available.

  • References:
  • (5) HIGH: IBM AIX 'rpc.cmsd' Calendar Daemon Buffer Overflow Vulnerability
  • Affected:
    • IBM Virtual I/O Server (VIOS) 2.x
    • IBM Virtual I/O Server (VIOS) 1.x
    • IBM AIX 6.1
    • IBM AIX 5.3
    • IBM AIX 5.2
  • Description: IBM AIX (Advanced Interactive eXecutive) is IBM's UNIX operating system, based on System V and running on the PowerPC (PPC) architecture. A buffer overflow vulnerability has been identified in IBM AIX that can be triggered by sending a specially crafted request to the Calendar Manager Service Daemon "rpc.cmsd". The specific flaw is a buffer overflow in the calendar daemon library "libcsa.a", which does not correctly handle requests to "rpc.cmsd" carrying an overly long argument for remote procedure 21. Successful exploitation might allow an attacker to execute arbitrary code with superuser privileges. Some technical details for the vulnerability are publicly available.

  • Status: Vendor confirmed, updates available.

  • References:
Part II: Weekly Comprehensive List of Newly Discovered Vulnerabilities
Week 41, 2009

This list is compiled by Qualys ( www.qualys.com ) as part of that company's ongoing effort to ensure its vulnerability management web service tests for all known vulnerabilities that can be scanned. As of this week Qualys scans for 7499 unique vulnerabilities. For this special SANS community listing, Qualys also includes vulnerabilities that cannot be scanned remotely.


  • 09.41.1 - CVE: CVE-2009-3518
  • Platform: Windows
  • Title: IBM Installation Manager "iim://" URI Handling Remote Code Execution
  • Description: IBM Installation Manager is an application that allows users to install, update, modify or uninstall applications. IBM Installation Manager is exposed to a remote code-execution vulnerability because it fails to handle specially crafted "iim://" URIs. IBM Rational Robot and IBM Rational Team Concert, which include IBM Installation Manager, are also affected.
  • Ref: http://www.securityfocus.com/bid/36549

  • 09.41.2 - CVE: Not Available
  • Platform: Other Microsoft Products
  • Title: Internet Explorer X.509 Certificate Common Name Encoding Multiple Security Bypass Vulnerabilities
  • Description: Microsoft Internet Explorer is a browser available for Microsoft Windows. Internet Explorer is exposed to multiple security bypass issues because it fails to properly handle encoded values in X.509 certificates.
  • Ref: http://ioactive.com/pdfs/PKILayerCake.pdf

  • 09.41.3 - CVE: Not Available
  • Platform: Third Party Windows Apps
  • Title: EMC Captiva PixTools Distributed Imaging ActiveX Control Multiple Insecure Method Vulnerabilities
  • Description: EMC Captiva ISIS PixTools is a suite of software toolkits used for scanning, viewing and processing images. The ActiveX control is exposed to multiple insecure method issues affecting the "SetLogFileName()" and "WriteToLog()" methods of the ActiveX control identified by CLSID:00200338-3D33-4FFC-AC20-67AA234325F3. EMC Captiva ISIS PixTools PDIControl.dll version 2.2.3160.0 is affected.
  • Ref: http://www.vupen.com/exploits/EMC_Captiva_PixTools_PDIControl_ActiveX_Remote_Code_Execution_Exploit_2808214.php

  • 09.41.4 - CVE: Not Available
  • Platform: Third Party Windows Apps
  • Title: AOL SuperBuddy ActiveX Control Remote Code Execution
  • Description: AOL SuperBuddy ActiveX control is used for streaming audio files in browsers. The ActiveX control is exposed to a remote code execution issue due to a memory-corruption issue that can be triggered by manipulating parameters to the "SetSuperBuddy" method of the "Sb.SuperBuddy.1" ActiveX control ("sb.dll"). AOL version 9.1 is affected.
  • Ref: http://www.securityfocus.com/archive/1/506889

  • 09.41.5 - CVE: Not Available
  • Platform: Mac Os
  • Title: VMware Fusion Local Denial Of Service
  • Description: VMware Fusion is a virtualization solution that allows users to run various guest operating systems on a host running Apple Mac OS X. The application is exposed to a denial of service issue due to an unspecified integer overflow issue in the vmx86 kernel extension. VMware Fusion versions earlier than 2.0.6 build 196839 are affected.
  • Ref: http://lists.vmware.com/pipermail/security-announce/2009/000066.html

  • 09.41.6 - CVE: CVE-2009-2904
  • Platform: Linux
  • Title: Red Hat Enterprise Linux OpenSSH "ChrootDirectory" Option Local Privilege Escalation
  • Description: Red Hat Enterprise Linux is a Linux distribution. The distribution includes the OpenSSH SSH (Secure Shell) protocol implementation. Red Hat Enterprise Linux is exposed to a local privilege escalation issue because it fails to enforce sufficient restrictions on user-supplied data. Red Hat Enterprise Linux version 5.4 is affected.
  • Ref: https://bugzilla.redhat.com/show_bug.cgi?id=522141

  • 09.41.7 - CVE: CVE-2009-3369
  • Platform: Linux
  • Title: BackupPC "ClientNameAlias()" Security Bypass
  • Description: BackupPC is a remote backup application. The application is exposed to a security bypass issue because it fails to restrict access in a multi-user configuration to the "ClientNameAlias()" function in the "CgiUserConfigEdit" script. BackupPC 3.1.0 is vulnerable.
  • Ref: http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2009-3369

  • 09.41.8 - CVE: Not Available
  • Platform: Linux
  • Title: Linux Kernel 64-bit Kernel Register Memory Leak Local Information Disclosure
  • Description: The Linux kernel is exposed to a local information disclosure issue that exists in the "ia32entry.s" assembly file. Specifically, the kernel allows 32-bit processes to access registers "R8" up to "R15" by temporarily switching itself into 64-bit mode. This allows users to view sensitive information left behind by previous processes.
  • Ref: http://git.kernel.org/?p=linux/kernel/git/x86/linux-2.6-tip.git;a=commitdiff;h=24e35800cdc4350fc34e2bed37b608a9e13ab3b6

  • 09.41.9 - CVE: Not Available
  • Platform: BSD
  • Title: FreeBSD Pipes "close()" Function Local Privilege Escalation
  • Description: FreeBSD is prone to a local privilege-escalation vulnerability. FreeBSD is exposed to this issue because of a race condition in the pipe "close()" code related to kqueues. The race condition will cause a NULL pointer exception in the kernel, which may cause a kernel memory corruption.
  • Ref: http://security.freebsd.org/patches/SA-09:13/

  • 09.41.10 - CVE: Not Available
  • Platform: BSD
  • Title: FreeBSD "devfs" and "VFS" Interaction NULL Pointer Dereference
  • Description: FreeBSD is a BSD-based operating system. FreeBSD is exposed to a local NULL-pointer dereference issue caused by an unspecified error related to the interaction between "devfs" (device file system) and "VFS" (Virtual File System) support. FreeBSD versions 6.4 and earlier and 7.2 and earlier are affected.
  • Ref: http://www.securityfocus.com/archive/1/506917

  • 09.41.11 - CVE: Not Available
  • Platform: BSD
  • Title: OpenBSD XMM Exceptions Local Denial of Service
  • Description: OpenBSD is exposed to a local denial of service issue. The issue arises because of the manner in which the operating system handles XMM exceptions. OpenBSD versions 4.4, 4.5 and 4.6 on i386 are affected.
  • Ref: http://www.securityfocus.com/bid/36589

  • 09.41.12 - CVE: Not Available
  • Platform: Solaris
  • Title: Sun Solaris IP(7P) Module and STREAMS Framework Local Denial Of Service
  • Description: Sun Solaris is exposed to a local denial of service issue in the IP(7P) module and STREAMS Framework. Successful exploitation may allow an unprivileged local user to leak kernel memory, eventually causing the system to hang.
  • Ref: http://sunsolve.sun.com/search/document.do?assetkey=1-66-263388-1 (login required)

  • 09.41.13 - CVE: Not Available
  • Platform: Novell
  • Title: Novell NetWare NFS Portmapper and RPC Module Stack Buffer Overflow Vulnerability
  • Description: Novell NetWare is a network operating system. Novell NetWare is exposed to a remote stack buffer overflow issue because it fails to perform adequate boundary checks on user-supplied data. This issue occurs when handling CALLIT RPC calls containing specially crafted length fields. Novell NetWare 6.5 SP8 is vulnerable.
  • Ref: http://www.securityfocus.com/bid/36564

  • 09.41.14 - CVE: Not Available
  • Platform: Cross Platform
  • Title: Drupal Shared Sign On Module Cross-Site Request Forgery and Session Fixation Vulnerabilities
  • Description: The Shared Sign On module for Drupal provides single sign-on support for multiple Drupal sites. The module is exposed to a cross-site request-forgery issue and a session fixation issue.
  • Ref: http://drupal.org/node/592488

  • 09.41.15 - CVE: CVE-2009-0689
  • Platform: Cross Platform
  • Title: Google Chrome "dtoa()" Remote Code Execution
  • Description: Google Chrome is a web browser. Chrome is exposed to a remote code execution issue. Specifically, this issue arises when the V8 JavaScript engine parses strings into floating point numbers using the "dtoa()" function. The attacker can exploit this issue by enticing an unsuspecting victim to view a malicious webpage. Google Chrome versions prior to Chrome 3.0.195.24 are affected.
  • Ref: http://googlechromereleases.blogspot.com/2009/09/stable-channel-update_30.html

  • 09.41.16 - CVE: CVE-2009-2948
  • Platform: Cross Platform
  • Title: Samba setuid "mount.cifs" Verbose Option Information Disclosure
  • Description: Samba is a freely available file- and printer-sharing application maintained and developed by the Samba Development Team. Samba allows users to share files and printers between operating systems on UNIX and Windows platforms. Samba is exposed to an information disclosure issue because it fails to properly validate access privileges when "mount.cifs" is installed as setuid. Samba versions prior to 3.4.2, 3.3.8, 3.2.15, and 3.0.37 are affected.
  • Ref: http://www.samba.org/samba/security/CVE-2009-2948.html

  • 09.41.17 - CVE: CVE-2009-0209
  • Platform: Cross Platform
  • Title: OSISoft PI System Encryption Security Bypass
  • Description: OSISoft PI System is an operational, event and real-time data management SCADA system. OSISoft PI System is exposed to a security-bypass issue because of an encryption issue in the default authentication process.
  • Ref: http://www.securityfocus.com/bid/36553

  • 09.41.18 - CVE: Not Available
  • Platform: Cross Platform
  • Title: PHP "tempname()" "safe_mode" Restriction-Bypass
  • Description: PHP is a general-purpose scripting language that is especially suited for web development and can be embedded into HTML. PHP is exposed to a "safe_mode" restriction-bypass issue. Successful exploits could allow an attacker to access files in unauthorized locations or create files in any writable directory. The problem occurs because the restriction is not properly checked in the "tempname()" function in the "ext/standard/file.c" source file. PHP versions 5.2.11 and 5.3.0 are affected.
  • Ref: http://securityreason.com/securityalert/6601

  • 09.41.19 - CVE: Not Available
  • Platform: Cross Platform
  • Title: PHP "posix_mkfifo()" "open_basedir" Restriction Bypass
  • Description: PHP is a general-purpose scripting language that is especially suited for web development and can be embedded into HTML. PHP is exposed to an "open_basedir" restriction bypass vulnerability. The issue lies in the "posix_mkfifo()" function in the "ext/posix/posix.c" source file, which allows a local attacker to create files that bypass, for example, ".htaccess" or safe_mode restrictions. PHP versions 5.2.11 and 5.3.0 are affected.
  • Ref: http://www.securityfocus.com/bid/36554

  • 09.41.20 - CVE: CVE-2008-7224
  • Platform: Cross Platform
  • Title: ELinks "entity_cache" HTML File Off By One Buffer Overflow
  • Description: ELinks is a character-mode browser based on lynx. ELinks is exposed to an off-by-one buffer overflow issue that exists in the "entity_cache" because the application fails to accurately reference the last element of a buffer. This issue occurs when handling the internal cache of string representations for HTML special entities. ELinks versions prior to 0.11.4 are affected.
  • Ref: http://www.securityfocus.com/bid/36574/references

  • 09.41.21 - CVE: CVE-2009-3281
  • Platform: Cross Platform
  • Title: VMware Fusion Local Privilege Escalation
  • Description: VMware Fusion is a virtualization solution that allows users to run various guest operating systems on a host running Apple Mac OS X. The application is exposed to a privilege escalation issue due to an unspecified file permission problem in the vmx86 kernel extension. This issue may allow local unprivileged users of the host system to execute code in the host system kernel context. Fusion versions prior to 2.0.6 build 196839 are affected.
  • Ref: http://www.securityfocus.com/archive/1/506891

  • 09.41.22 - CVE: Not Available
  • Platform: Cross Platform
  • Title: Serv-U "SITE SET TRANSFERPROGRESS ON" Command Remote Denial of Service
  • Description: Serv-U is a file server application. The application is exposed to a remote denial of service issue when processing specially crafted "SITE SET TRANSFERPROGRESS ON" commands. Serv-U versions 7.0.0.1 through 8.2.0.3 are affected.
  • Ref: http://www.serv-u.com/releasenotes/

  • 09.41.23 - CVE: Not Available
  • Platform: Cross Platform
  • Title: IBM Informix Products Setnet32 Utility ".nfx" File Buffer Overflow
  • Description: IBM Informix Client Software Development Kit (CSDK) and IBM Informix Connect contain APIs and libraries that are used to develop applications. The applications are exposed to a buffer overflow issue because they fail to adequately bounds check user-supplied data before copying it into an insufficiently sized buffer. An integer overflow occurs when processing ".nfx" files that contain an overly large value for the "HostList" entry. IBM Informix Client Software Development Kit (CSDK) 3.5 and IBM Informix Connect 3.x are affected.
  • Ref: http://www.securityfocus.com/bid/36588/

  • 09.41.24 - CVE: Not Available
  • Platform: Cross Platform
  • Title: Wireshark ERF File Remote Code Execution
  • Description: Wireshark (formerly Ethereal) is an application for analyzing network traffic; it is available for Microsoft Windows and for UNIX-like operating systems. Wireshark is exposed to a remote code execution issue that arises when the application handles specially crafted ERF files. Specifically, the application allocates an excessively large buffer, resulting in an integer overflow.
  • Ref: http://anonsvn.wireshark.org/viewvc/trunk/wiretap/erf.c?view=markup&pathrev=29364

  • 09.41.25 - CVE: CVE-2009-2699
  • Platform: Cross Platform
  • Title: Apache HTTP Server Solaris Event Port Pollset Support Remote Denial Of Service
  • Description: Apache is an HTTP server available for various operating systems. The Apache HTTP server is exposed to a remote denial of service issue because of faulty error handling. This issue occurs in Solaris "Event Port" pollset support in the "poll/unix/port.c" source file. Apache HTTP Server versions prior to 2.2.14 on Solaris platforms are affected.
  • Ref: https://issues.apache.org/bugzilla/show_bug.cgi?id=47645

  • 09.41.26 - CVE: Not Available
  • Platform: Cross Platform
  • Title: Palm WebOS Multiple Unspecified Vulnerabilities
  • Description: Palm WebOS is a smartphone platform based on Linux. The application is exposed to multiple unspecified issues. One of the issues is related to Webkit development. Palm WebOS versions 1.2.0 and earlier are affected.
  • Ref: http://kb.palm.com/wps/portal/kb/na/pre/p100eww/sprint/solutions/article/50607_en.html#121

  • 09.41.27 - CVE: Not Available
  • Platform: Web Application - Cross Site Scripting
  • Title: Novell eDirectory "dconserv.dlm" Cross-Site Scripting
  • Description: Novell eDirectory is an LDAP directory service that is used to centrally manage computer resources on a network. The application is exposed to a cross-site scripting issue because it fails to sufficiently sanitize user-supplied input. This issue affects the "dconserv.dlm" script. eDirectory version 8.8 SP 5 is affected.
  • Ref: http://www.securityfocus.com/archive/1/506857

  • 09.41.28 - CVE: Not Available
  • Platform: Web Application - Cross Site Scripting
  • Title: Kayako SupportSuite and eSupport "functions_ticketsui.php" Cross Site Scripting
  • Description: Kayako SupportSuite and eSupport are web-based support applications. The applications are exposed to a cross site scripting issue because they fail to sufficiently sanitize user-supplied input to unspecified scripts and parameters related to the staff control panel. This issue is caused by an error in the "modules/tickets/functions_ticketsui.php" script file. Kayako SupportSuite and eSupport versions 3.60.04 and earlier are affected.
  • Ref: http://blog.kayako.com/2009/09/security-bulletin-supportsuite-and-esupport/

  • 09.41.29 - CVE: Not Available
  • Platform: Web Application - Cross Site Scripting
  • Title: SugarCRM Unspecified Cross Site Scripting
  • Description: SugarCRM is a PHP-based web application. The application is exposed to a cross-site scripting issue because it fails to sufficiently sanitize user-supplied input to an unspecified parameter. SugarCRM versions 5.2.0i and earlier, 5.0.0l and earlier, and 4.5.1p and earlier are affected.
  • Ref: http://www.sugarcrm.com/forums/showthread.php?t=52401

  • 09.41.30 - CVE: Not Available
  • Platform: Web Application - Cross Site Scripting
  • Title: X-Cart Email Subscription
  • Description: X-Cart is a PHP-based shopping cart application. X-Cart is exposed to a cross-site scripting issue that exists in the email subscription component because the application fails to sufficiently sanitize user-supplied input. This issue affects the "email" parameter of the "home.php" script.
  • Ref: http://www.securityfocus.com/bid/36601

  • 09.41.31 - CVE: Not Available
  • Platform: Web Application - Cross Site Scripting
  • Title: AfterLogic WebMail Pro Multiple Cross Site Scripting Vulnerabilities
  • Description: AfterLogic WebMail Pro is used as an ASP-based front-end for an existing mail server. The application is exposed to multiple cross-site scripting issues because it fails to sufficiently sanitize user-supplied data to the "HistoryKey" and "HistoryStorageObjectName" HTTP POST parameters of the "history-storage.aspx" script. WebMail Pro versions 4.7.10 and earlier are affected.
  • Ref: http://www.securityfocus.com/bid/36605

  • 09.41.32 - CVE: Not Available
  • Platform: Web Application - SQL Injection
  • Title: Joomla! Soundset Component "cat_id" Parameter SQL Injection
  • Description: Soundset is a PHP-based component for the Joomla! content manager. The component is exposed to a SQL injection issue because it fails to sufficiently sanitize user-supplied data to the "cat_id" parameter of the "com_soundset" component before using it in an SQL query. Successfully exploiting this issue may allow an attacker to compromise the application, access or modify data, or exploit latent vulnerabilities in the underlying database. Joomla! Soundset version 1.0 is affected by this issue.
  • Ref: http://www.securityfocus.com/bid/36597

  • 09.41.33 - CVE: Not Available
  • Platform: Web Application - SQL Injection
  • Title: Joomla! CB Resume Builder "group_id" Parameter SQL Injection
  • Description: CB Resume Builder ("com_cbresumebuilder") is a PHP-based component for the Joomla! content manager. The component is exposed to an SQL injection issue because it fails to sufficiently sanitize user-supplied data to the "group_id" parameter of the "com_cbresumebuilder" component before using it in an SQL query.
  • Ref: http://www.securityfocus.com/bid/36598

  • 09.41.34 - CVE: Not Available
  • Platform: Web Application
  • Title: Samba Oplock Break Notification Remote Denial of Service
  • Description: Samba is a freely available file and printer sharing application maintained and developed by the Samba Development Team. Samba is exposed to a remote denial of service issue: when the application unexpectedly receives an "oplock" break notification SMB request, the Samba daemon ("smbd") consumes an excessive amount of CPU resources and stops responding. Samba versions prior to 3.4.2, 3.3.8, 3.2.15, and 3.0.37 are affected.
  • Ref: http://www.securityfocus.com/archive/1/36573

  • 09.41.35 - CVE: Not Available
  • Platform: Web Application
  • Title: Drupal XML Sitemap Link Paths HTML Injection
  • Description: XML Sitemap is a PHP-based component for the Drupal content manager. The application is exposed to an HTML injection issue because it fails to properly sanitize user-supplied input to the link path before displaying it in a user's browser. XML Sitemap versions prior to 5.x-1.7 are affected.
  • Ref: http://drupal.org/node/591724

  • 09.41.36 - CVE: Not Available
  • Platform: Web Application
  • Title: Drupal Browscap Module User Agent Strings HTML Injection
  • Description: Browscap is a module for the Drupal content manager. The application is exposed to an HTML-injection issue because the application fails to sanitize "user agent" strings before displaying them in reports. Drupal Browscap versions earlier than 6.x-1.1 and 5.x-1.1 are affected.
  • Ref: http://www.securityfocus.com/bid/36557

  • 09.41.37 - CVE: Not Available
  • Platform: Web Application
  • Title: Drupal Organic Groups "Group Nodes" HTML Injection
  • Description: Organic Group is a PHP-based component for the Drupal content manager. The application is exposed to an HTML injection issue because it fails to properly sanitize user-supplied input before displaying group nodes. Organic Groups versions prior to 6.x-1.4, 5.x-8.1, and 5.x-7.4 are affected.
  • Ref: http://drupal.org/node/592358

  • 09.41.38 - CVE: Not Available
  • Platform: Web Application
  • Title: Drupal Bibliography Module Unspecified HTML Injection
  • Description: Bibliography is a PHP-based component for the Drupal content manager. The application is exposed to an HTML injection issue because it fails to properly sanitize user-supplied input to unspecified components of the Biblio content before displaying it in a user's browser. Drupal Bibliography versions earlier than 6.x-1.7 are vulnerable.
  • Ref: http://www.securityfocus.com/bid/36560

  • 09.41.39 - CVE: Not Available
  • Platform: Web Application
  • Title: Drupal Boost Module Arbitrary Directory Creation
  • Description: Boost is a module for the Drupal content manager. The module is exposed to an issue that allows attackers to create arbitrary directories. An unauthorized user can exploit this issue to create arbitrary directories within the context of the webserver. Boost versions prior to 6.x-1.03 are affected.
  • Ref: http://drupal.org/node/592490

  • 09.41.40 - CVE: Not Available
  • Platform: Web Application
  • Title: Google Apps "googleapps.url.mailto" Handler Command Injection
  • Description: Google Apps is a set of applications and web based services. Google Apps is exposed to an issue that lets attackers inject commands through a protocol handler. An attacker may trick a victim into following a malicious URI in a browser; the URI would contain the "googleapps.url.mailto" handler and arbitrary commands to be run locally. Google Apps version 1.1.110.6031 when used with Microsoft Internet Explorer 7 and Google Chrome 2.0.172.43 are affected.
  • Ref: http://www.securityfocus.com/archive/1/506888

  • 09.41.41 - CVE: Not Available
  • Platform: Web Application
  • Title: Drupal Service Links Component Content Type Names HTML Injection
  • Description: Service Links is a PHP-based component for the Drupal content manager. The application is exposed to an HTML injection issue because it fails to properly sanitize user-supplied input before displaying content type names. Drupal Service Links version 6.x-1.0 is vulnerable.
  • Ref: http://www.securityfocus.com/bid/36584

  • 09.41.42 - CVE: CVE-2009-3029
  • Platform: Web Application
  • Title: Symantec SecurityExpressions Audit and Compliance Server Cross Site Scripting Vulnerability
  • Description: Symantec SecurityExpressions Audit and Compliance Server is an ASP-based audit and compliance application. The application is exposed to a cross-site scripting issue because it fails to sufficiently sanitize user-supplied input to the console and may allow attackers to manipulate error messages. Successfully exploiting this issue can allow an attacker to execute arbitrary script code in the browser of an unsuspecting user in the context of the affected site. This may let the attacker steal cookie-based authentication credentials and launch other attacks. SecurityExpressions Audit and Compliance Server versions 4.1.1 and earlier are affected.
  • Ref: http://www.symantec.com/business/security_response/securityupdates/detail.jsp?fid=security_advisory&pvid=security_advisory&year=2009&suid=20091006_00

  • 09.41.43 - CVE: CVE-2009-3030
  • Platform: Web Application
  • Title: Symantec SecurityExpressions Audit and Compliance Server Error Message HTML Injection
  • Description: Symantec SecurityExpressions Audit and Compliance Server is an ASP-based audit and compliance application. The application is exposed to an HTML injection issue because it fails to properly sanitize user-supplied input to the link path before displaying it in a user's browser. SecurityExpressions Audit and Compliance Server versions 4.1.1 and prior are affected.
  • Ref: http://www.symantec.com/business/security_response/securityupdates/detail.jsp?fid=security_advisory&pvid=security_advisory&year=2009&suid=20091006_00

  • 09.41.44 - CVE: Not Available
  • Platform: Network Device
  • Title: Open Handset Alliance Malformed Application Remote Denial Of Service
  • Description: Open Handset Alliance Android (previously Google Android) is a software stack and operating system for mobile phones. The software is exposed to a denial of service issue when handling malicious applications containing a specially crafted vulnerable API function.
  • Ref: http://www.securityfocus.com/archive/1/506948

  • 09.41.45 - CVE: Not Available
  • Platform: Network Device
  • Title: Palm WebOS Email Arbitrary Script Injection
  • Description: Palm WebOS is a smartphone platform based on Linux. The device's email application is exposed to an arbitrary script injection issue because it fails to properly sanitize user-supplied input. Palm WebOS versions earlier than WebOS 1.2 are affected by this issue.
  • Ref: http://tlhsecurity.blogspot.com/2009/10/palm-pre-webos-11-remote-file-access.html

  • 09.41.46 - CVE: Not Available
  • Platform: Network Device
  • Title: Linksys WRT54GC Router Cross-Site Request Forgery
  • Description: The Linksys WRT54GC router is a network device designed for home use. The router is exposed to a cross-site request-forgery issue that affects the "diagnostics.cgi" script and possibly other scripts. Attackers can exploit this issue by tricking a victim into visiting a malicious webpage containing specially crafted script code designed to perform some action on the attacker's behalf. Linksys WRT54GC with firmware versions 1.01.5 and 1.00.7 is vulnerable.
  • Ref: http://venturolab.pl/index.php/2009/09/30/opis-bledu-w-routerze-linksys-wrt54gc/

(c) 2009. All rights reserved. The information contained in this newsletter, including any external links, is provided "AS IS," with no express or implied warranty, for informational purposes only. In some cases, copyright for material in this newsletter may be held by a party other than Qualys (as indicated herein) and permission to use such material must be requested from the copyright owner.

Subscriptions: @RISK is distributed free of charge by the SANS Institute to people responsible for managing and securing information systems and networks. You may forward this newsletter to others with such responsibility inside or outside your organization.