@RISK: The Consensus Security Vulnerability Alert

Part I -- Critical Vulnerabilities from TippingPoint (www.tippingpoint.com)

• (1) CRITICAL: Microsoft Internet Explorer Multiple Vulnerabilities (MS09-054)
• (2) CRITICAL: Microsoft Products GDI+ Multiple Vulnerabilities (MS09-062)
• (3) CRITICAL: Microsoft Active Template Library (ATL) ActiveX Controls Multiple Vulnerabilities (MS09-060)
• (4) CRITICAL: Microsoft Windows ATL COM Initialization Remote Code Execution Vulnerability (MS09-055)
• (5) CRITICAL: Microsoft Windows SMBv2 Multiple Vulnerabilities (MS09-050)
• (6) CRITICAL: Microsoft .NET Framework Multiple Vulnerabilities (MS09-061)
• (7) CRITICAL: Microsoft Indexing Service ActiveX Control Memory Corruption Vulnerability (MS09-057)
• (8) CRITICAL: Microsoft Windows Media Runtime Multiple Vulnerabilities (MS09-051)
• (9) CRITICAL: Microsoft Windows Media Player Heap Overflow Vulnerability (MS09-052)
• (10) MODERATE: Microsoft Local Security Authority Subsystem Denial of Service (MS09-059)
• (11) MODERATE: Microsoft Windows CryptoAPI Multiple Vulnerabilities (MS09-056)

Part II -- Comprehensive List of Newly Discovered Vulnerabilities from Qualys (www.qualys.com)

Windows

• 09.43.1 - Microsoft Windows Media Player ASF Processing Vulnerability
• 09.43.2 - Microsoft Windows Media Runtime Remote Code Execution
• 09.43.3 - Microsoft Internet Explorer Multiple Vulnerabilities
• 09.43.4 - Microsoft .NET Common Language Runtime Multiple Vulnerabilities
• 09.43.5 - Microsoft Active Template Library (ATL) for Microsoft Office Remote Code Execution Description:Microsoft Active Template Library (ATL) ActiveX Controls for Microsoft Office are exposed to multiple vulnerabitilities like remote code execution
• 09.43.6 - Microsoft Windows CryptoAPI Spoofing Description:The Windows CryptoAPI is an application programming interface that allows developers to secure applications using cryptography. The Windows CryptioAPI is exposed a spoofing issue because it inc
• 09.43.7 - Microsoft Windows Indexing Service Remote Code Execution
• 09.43.8 - Microsoft Local Security Authority Subsystem Denial of Service

Third Party Windows Apps

• 09.43.9 - Foxit Reader Firefox Plugin Memory Corruption Vulnerability
• 09.43.10 - Pidgin ICQ Message Denial of Service Weakness

UiTV UiPlayer UiCheck.dll "GetUiDllVersion()" Buffer Overflow Vulnerability

• 09.43.11 - Third Party Windows Apps

MAC OS

• 09.43.12 - Adium ICQ Message Denial of Service Weakness

Linux

• 09.43.13 - Fedora update for kernel
• 09.43.14 - Linux Kernel "unix_stream_connect()" Denial of Service Security Issue
• - KDE KPDF Multiple Vulnerabilities

Solaris

• 09.43.16 - Sun Solaris Thunderbird Network Security Services Vulnerabilities

UNIX

• 09.43.17 - CUPS "pdftops" Two Integer Overflow Vulnerabilities
• 09.43.18 - Ubuntu update for libsndfile
• 09.43.19 - Red Hat update for kdegraphics
• 09.43.20 - Fedora update for phpMyAdmin
• 09.43.21 - Sun Solaris libpng Interlaced Images Information Disclosure
• 09.43.22 - Fedora update for perl-Net-OAuth
• 09.43.23 - Debian update for camlimages
• 09.43.24 - Debian update for bugzilla

Cross Platform

• 09.43.25 - Xpdf Multiple Vulnerabilities
• 09.43.26 - Oracle Critical Patch Update Advisory - October 2009
• 09.43.27 - EMC Documentum ApplicationXtender Admin Agent Multiple Vulnerabilities
• 09.43.28 - aria2 "AbstractCommand::onAbort()" Format String Vulnerability
• 09.43.29 - Cisco Unified Presence Denial of Service Vulnerabilities
• 09.43.30 - ZoIPer SIP INVITE Denial of Service Vulnerability
• 09.43.31 - Unbound NSEC3 Signature Validation Bypass Security Issue
• 09.43.32 - Skype Extras Manager component Unspecified Vulnerability

Web Applications Cross Site Scripting

• 09.43.33 - Quick.Cart Cross-Site Request Forgery Vulnerability

Web Application - Cross Site Scripting

• 09.43.34 - Drupal RealName Module Script Insertion Vulnerability
• 09.43.35 - IBM Rational RequisitePro ReqWebHelp Cross-Site Scripting

Web Application

• 09.43.36 - IBM OS/400 HTTP Server mod_proxy Denial of Service
• 09.43.37 - IBM HTTP Server Apache Portable Runtime Integer Overflows
• 09.43.38 - AgoraCart Cross-Site Request Forgery Vulnerability
• 09.43.39 - Drupal Shibboleth Authentication Module Privilege Escalation Security Issue
• 09.43.40 - Django forms Library Regular Expressions Denial of Service Vulnerability
• 09.43.41 - Joomla AjaxChat Component File Inclusion Vulnerability
• 09.43.42 - TYPO3 Random Images Extension Command Execution Vulnerability
• 09.43.43 - Piwik Arbitrary File Creation Vulnerability
• 09.43.44 - PHP GD Extension "_gdGetColors()" Buffer Overflow Vulnerability
• 09.43.45 - Mongoose Source Code Disclosure Vulnerability
• 09.43.46 - NaviCOPA Script Source Disclosure Vulnerability

PART I Critical Vulnerabilities

Part I for this issue has been compiled by Rohan Kotian at TippingPoint, a division of 3Com, as a by-product of that company's continuous effort to ensure that its intrusion prevention products effectively block exploits using known vulnerabilities. TippingPoint's analysis is complemented by input from a council of security managers from twelve large organizations who confidentially share with SANS the specific actions they have taken to protect their systems. A detailed description of the process may be found at http://www.sans.org/newsletters/cva/#process

Part II: Weekly Comprehensive List of Newly Discovered Vulnerabilities
Week 43, 2009

Week 43, 2009 This list is compiled by Qualys ( www.qualys.com ) as part of that company's ongoing effort to ensure its vulnerability management web service tests for all known vulnerabilities that can be scanned. As of this week Qualys scans for 7553 unique vulnerabilities. For this special SANS community listing, Qualys also includes vulnerabilities that cannot be scanned remotely. ______________________________________________________________________

• 09.43.1 - CVE: CVE-2009-2527
• Platform: Windows
• Title: Microsoft Windows Media Player ASF Processing Vulnerability
• Description: Microsoft Windows Media Player is a multimedia application available for the Windows operating system. The Application is prone to a remote code execution issue when handling specially crafted Advanced Systems Format (ASF) files. Microsoft Windows Media Player 6.4 is affected by this issue.
• Ref: http://www.microsoft.com/technet/security/Bulletin/MS09-052.mspx

• 09.43.2 - CVE: CVE-2009-0555, CVE-2009-2525
• Platform: Windows
• Title: Microsoft Windows Media Runtime Remote Code Execution
• Description: Microsoft Windows Media Player is a multimedia application available for the Windows operating system. The Application is prone to a remote code execution issue because it fails to properly bounds check user-supplied input.
• Ref: http://www.microsoft.com/technet/security/Bulletin/MS09-051.mspx

• 09.43.3 - CVE: CVE-2009-1547,CVE-2009-2529,CVE-2009-2530,CVE-2009-2531
• Platform: Windows
• Title: Microsoft Internet Explorer Multiple Vulnerabilities
• Description: Microsoft Internet Explorer (IE) is a Web browser for Microsoft Windows. The Application is exposed to multiple vulnerablities like memory corruption and remote code execution. Sucessfully exploting this issue can allow an attacker to execute arbitrary code. Internet Explorer versions 5.01,6,7 and 8 are affected by this issue.
• Ref: http://www.microsoft.com/technet/security/Bulletin/MS09-054.mspx

• 09.43.4 - CVE: CVE-2009-0090, CVE-2009-0091, CVE-2009-2497
• Platform: Windows
• Title: Microsoft .NET Common Language Runtime Multiple Vulnerabilities
• Description: Microsoft .NET Framework is expoed to a remote code execution issue because they fail to properly handle interfaces when running .NET applications and also because it fails to properly verify .NET applications before running them. Microsoft .Net Framework Versions 1.1 and 2 are affected by this issue.
• Ref: http://www.microsoft.com/technet/security/Bulletin/MS09-061.mspx

• 09.43.5 - CVE: CVE-2009-0901,CVE-2009-2493,CVE-2009-2495
• Platform: Windows
• Title: Microsoft Active Template Library (ATL) for Microsoft Office Remote Code Execution Description:Microsoft Active Template Library (ATL) ActiveX Controls for Microsoft Office are exposed to multiple vulnerabitilities like remote code execution
• Ref: http://www.microsoft.com/technet/security/Bulletin/MS09-060.mspx

• 09.43.6 - CVE: CVE-2009-2510,CVE-2009-2511
• Platform: Windows
• Title: Microsoft Windows CryptoAPI Spoofing Description:The Windows CryptoAPI is an application programming interface that allows developers to secure applications using cryptography. The Windows CryptioAPI is exposed a spoofing issue because it inc
• Ref: http://www.microsoft.com/technet/security/Bulletin/MS09-056.mspx

• 09.43.7 - CVE: CVE-2009-2507
• Platform: Windows
• Title: Microsoft Windows Indexing Service Remote Code Execution
• Description: The Indexing Service catalogs data to facilitate efficient and rapid searching. The application is vulnerable to remote code execution issue beacuse of the use of ActiveX component that is included with it which fails to properly handle Web content. Successfully exploting this issue will allow an attacker to take complete control of an affected system.
• Ref: http://www.microsoft.com/technet/security/Bulletin/MS09-057.mspx

• 09.43.8 - CVE: CVE-2009-2524
• Platform: Windows
• Title: Microsoft Local Security Authority Subsystem Denial of Service
• Description: The Local Security Authority Subsystem Service (LSASS) manages local security, domain authentication and Active Directory service processes. The application is exposed to denial of service issue when processing malformed packets during the authentication process. Successfully exploiting this issue will result in denial of service which causes the affected system to reboot.
• Ref: http://www.microsoft.com/technet/security/Bulletin/MS09-059.mspx

• 09.43.9 - CVE: Not Available
• Platform: Third Party Windows Apps
• Title: Foxit Reader Firefox Plugin Memory Corruption Vulnerability
• Description: Foxit Reader is a PDF document viewer. Foxit Reader plugin for Firefox "npFoxitReaderPlugin.dll" is vulnerable to a memory corruption issue. Foxit Reader versions 3.1.2.1013 and Mozilla Firefox 3.5.3 are vulnerable. Other versions may also be affected.
• Ref: http://seclists.org/fulldisclosure/2009/Oct/198

• 09.43.10 - CVE: CVE-2009-3615
• Platform: Third Party Windows Apps
• Title: Pidgin ICQ Message Denial of Service Weakness
• Description: Pidgin (formerly named Gaim) is a multi-platform instant messaging client, based on a library named libpurple. An error in the oscar protocol plugin in Pidgin can be exploited to cause a crash via a specially crafted ICQ message. Multiple vendors are affected by this issue.
• Ref: http://www.pidgin.im/news/security/?id=41 https://www.redhat.com/archives/fedora-package-announce/2009-October/msg00603.ht
  ml https://www.redhat.com/archives/fedora-package-announce/2009-October/msg00577.ht
  ml

• 09.43.11 - CVE: CVE-2009-2970
• Platform: UiTV UiPlayer UiCheck.dll "GetUiDllVersion()" Buffer Overflow Vulnerability
• Title: Third Party Windows Apps
• Description: UiPlayer is a video player provided by UITV. The vulnerability is caused due to a boundary error within UiCheck.dll. This can be exploited to cause a stack-based buffer overflow by passing an overly long argument to the "GetUiDllVersion()" ActiveX method. Successful exploitation allows execution of arbitrary code. The vulnerability is reported in UiCheck.dll version 1.0.0.6. Prior versions may also be affected. Multiple vendors are affected by this issue.
• Ref: http://www.nsfocus.com/en/advisories/0901.html

• 09.43.12 - CVE: CVE-2009-3615
• Platform: MAC OS
• Title: Adium ICQ Message Denial of Service Weakness
• Description: Adium is an open source multi-protocol instant messaging (IM) client for Mac OS X that supports many IM networks. A denial of service vulnerability exists in Adium due to an error within the handling of certain oscar protocol messages.
• Ref: http://trac.adium.im/wiki/AdiumVersionHistory#Version1.3.710162009

• 09.43.13 - CVE: CVE-2009-2908,CVE-2009-2909,CVE-2009-2910
• Platform: Linux
• Title: Fedora update for kernel
• Description: The kernel packages contain the Linux kernel, the core of any Linux operating system. The kernel handles the basic functions of the operating system: memory allocation, process allocation, device input and output, etc. Multiple vulnerabilities have been reported in the kernel which can be exploited by malicious, local users to disclose certain system information and potentially gain escalated privileges. Fedora has issued an updated for the kernel to resolve these issues. Ref: https://www.redhat.com/archives/fedora-package-announce/2009-October/msg00483.html

• 09.43.14 - CVE: Not Available
• Platform: Linux
• Title: Linux Kernel "unix_stream_connect()" Denial of Service Security Issue
• Description: The Linux kernel forms the core of any Linux operating system. The kernel handles the basic functions of the operating system: memory allocation, process allocation, device input and output, etc. The kernel is prone to a security issue that is caused due to a deadlock within the "unix_stream_connect()" function in net/unix/af_unix.c, which can be exploited to cause a denial of service by performing certain socket operations. The security issue is confirmed in version 2.6.31.4. Other versions may also be affected.
• Ref: http://patchwork.kernel.org/patch/54678/

• - CVE: CVE-2009-0791, CVE-2009-1188, CVE-2009-3604,CVE-2009-3606, CVE-2009-3608, CVE-2009-3609
• Platform: Linux
• Title: KDE KPDF Multiple Vulnerabilities
• Description: KDE is a graphical desktop environment for Unix workstations. KPDF is a pdf viewer. Multiple integer overflow flaws were discovered in KDE KPDF.
• Ref: https://rhn.redhat.com/errata/RHSA-2009-1502.html

• 09.43.16 - CVE: CVE-2009-2404,CVE-2009-2408
• Platform: Solaris
• Title: Sun Solaris Thunderbird Network Security Services Vulnerabilities
• Description: Network Security Services (NSS) is a set of libraries designed to support cross-platform development of security enabled client and server applications. The application is exposed to a security bypass issue it fails to properly validate the domain name in a signed CA certificate. Sun OpenSolaris build earlier than snv_125; Mozilla Thunderbird earlier than 2.0.0.23 and Mozilla Network Security Services (NSS) earlier than 3.12.3 are affected by this issue.
• Ref: http://sunsolve.sun.com/search/document.do?assetkey=1-66-269468-1

• 09.43.17 - CVE: CVE-2009-3608,CVE-2009-3609
• Platform: UNIX
• Title: CUPS "pdftops" Two Integer Overflow Vulnerabilities
• Description: CUPS (Common UNIX Printing System) is a widely used set of printing utilities for Unix-based systems. The CUPS "pdftops" filter converts Portable Document Format (PDF) files to PostScript. Two integer overflow errors exist in the pdftops program that are caused due to the usage of vulnerable Xpdf code. These can be exploited to cause crashes or potentially execute arbitrary code. Multiple vendors are affected by these vulnerabilities.
• Ref: http://secunia.com/advisories/37051/ https://rhn.redhat.com/errata/RHSA-2009-1513.html https://www.redhat.com/archives/fedora-package-announce/2009-October/msg00597.ht
  ml https://www.redhat.com/archives/fedora-package-announce/2009-October/msg00565.ht
  ml

• 09.43.18 - CVE: CVE-2009-1788,CVE-2009-1791
• Platform: UNIX
• Title: Ubuntu update for libsndfile
• Description: The "libsndfile" library is a C library for reading and writing audio files. Multiple boundary errors exists in the "libsndfile" library functions which can be exploited to cause heap-based buffer overflows via a specially crafted AIFF and VOC files. Successful exploitation of the vulnerabilities may allow execution of arbitrary code. The vulnerabilities are reported in versions prior to 1.0.20.
• Ref: http://www.ubuntu.com/usn/USN-849-1

• 09.43.19 - CVE: CVE-2009-0791,CVE-2009-1188,CVE-2009-3604,CVE-2009-3606,CVE-2009-3608,CVE-2009-3609
• Platform: UNIX
• Title: Red Hat update for kdegraphics
• Description: The kdegraphics packages contain applications for the K Desktop Environment, including KPDF, a viewer for Portable Document Format (PDF) files. Multiple vulnerabilities have been reported in K Desktop Environment KPDF due to the use of vulnerable Xpdf code. These can be exploited by malicious people to potentially compromise a user's system. Red Hat has issued an update for kdegraphics to resolve these issues.
• Ref: https://rhn.redhat.com/errata/RHSA-2009-1502.html https://rhn.redhat.com/errata/RHSA-2009-1512.html

• 09.43.20 - CVE: CVE-2009-3696,CVE-2009-3697
• Platform: UNIX
• Title: Fedora update for phpMyAdmin
• Description: phpMyAdmin is a software tool written in PHP intended to handle the administration of MySQL over the Internet. phpMyAdmin is prone to script insertion vulnerabilities because input passed to various parameters is not properly sanitized before being used. This can be exploited to insert arbitrary HTML and script code, and conduct SQL injection attacks. The vulnerabilities are reported in versions prior to 2.11.9.6 and 3.2.2.1. Fedora has released an update to resolve these issues. Ref: https://www.redhat.com/archives/fedora-package-announce/2009-October/msg00467.html https://www.redhat.com/archives/fedora-package-announce/2009-October/msg00490.html

• 09.43.21 - CVE: CVE-2009-2042
• Platform: UNIX
• Title: Sun Solaris libpng Interlaced Images Information Disclosure
• Description: The libpng packages contain a library of functions for creating and manipulating PNG (Portable Network Graphics) image format files. libpng is prone to a vulnerability that is caused due to an error when processing 1-bit interlaced images. This can be exploited to disclose uninitialised memory via specially crafted images having widths that are not divisible by 8. The vulnerability is reported in versions prior to 1.2.37. Updates to resolve this issue are available for Solaris.
• Ref: http://sunsolve.sun.com/search/document.do?assetkey=1-66-269788-1

• 09.43.22 - CVE: Not Available
• Platform: UNIX
• Title: Fedora update for perl-Net-OAuth
• Description: perl-Net-OAuth is an OAuth protocol support library for Perl. An error in the handling of the authorization process of OAuth Core 1.0 can be exploited to access protected resources by tricking the user to click on a specially crafted link. Fedora has released an update to resolve this issue. Ref: https://www.redhat.com/archives/fedora-package-announce/2009-October/msg00476.html https://www.redhat.com/archives/fedora-package-announce/2009-October/msg00497.html

• 09.43.23 - CVE: CVE-2009-2660, CVE-2009-3296
• Platform: UNIX
• Title: Debian update for camlimages
• Description: CamlImages is an image processing library. CamlImages is prone to multiple vulnerabilities that are caused due to integer overflow errors when processing TIFF and JPEG images and can be exploited to potentially cause heap-based buffer overflows. Successful exploitation of these vulnerabilities allows execution of arbitrary code.
• Ref: http://lists.debian.org/debian-security-announce/2009/msg00234.html

• 09.43.24 - CVE: CVE-2009-3165
• Platform: UNIX
• Title: Debian update for bugzilla
• Description: Bugzilla is a Web based general purpose bug tracking tool. Multiple SQL injection vulnerabilities exist in Bugzilla because certain input passed to web service functions is not properly sanitized. This can be exploited to manipulate SQL queries by injecting SQL code. An information disclosure vulnerability exists if a user logs in immediately after resetting the password, causing the password to appear in the URL. Debian has released an update to resolve these issues.
• Ref: http://www.us.debian.org/security/2009/dsa-1913

• 09.43.25 - CVE: CVE-2009-1188, CVE-2009-3603, CVE-2009-3604,CVE-2009-3606, CVE-2009-3608, CVE-2009-3609
• Platform: Cross Platform
• Title: Xpdf Multiple Vulnerabilities
• Description: Xpdf is an open source PDF viewer. Multiple integer overflow vulnerabilities exist in Xpdf which can be exploited to cause heap-based buffer overflows and allow execution of arbitrary code by tricking a user into opening a specially crafted PDF file. The vulnerabilities are reported in versions prior to 3.02pl4.
• Ref: http://site.pi3.com.pl/adv/xpdf.txt

• 09.43.26 - CVE: CVE-2009-1999, CVE-2009-3407, CVE-2009-1990, CVE-2009-1998,CVE-2009-3399, CVE-2009-3396, CVE-2009-2002, CVE-2009-2625, CVE-2009-0217,CVE-2009-3403, CVE-2009-3406, CVE-2009-3409, CVE-2009-3404, CVE-2009-3405,CVE-2009-3401, CVE-2009-3402, CVE-2009-3397
• Platform: Cross Platform
• Title: Oracle Critical Patch Update Advisory - October 2009
• Description: Oracle released Oracle Critical Patch Update Advisory - October 2009. See the reference for details. Ref: http://www.oracle.com/technology/deploy/security/critical-patch-updates/cpuoct2009.html

• 09.43.27 - CVE: CVE-2008-3684, CVE-2008-3685
• Platform: Cross Platform
• Title: EMC Documentum ApplicationXtender Admin Agent Multiple Vulnerabilities
• Description: EMC Documentum is an enterprise content management system. EMC Documentum ApplicationXtender is vulnerable heap-based buffer overflow with the Admin Agent service when receiving crafted packets over TCP port 2606. The application is also vulnerable to an arbitrary file upload due to an input sanitation error in the upload functionality. EMC Documentum ApplicationXtender versions 5.40 SP1 and earlier are vulnerable.
• Ref: http://www.zerodayinitiative.com/advisories/ZDI-08-095 http://www.zerodayinitiative.com/advisories/ZDI-08-096

• 09.43.28 - CVE: CVE-2009-3617
• Platform: Cross Platform
• Title: aria2 "AbstractCommand::onAbort()" Format String Vulnerability
• Description: aria2 is a download utility. It is vulnerable to a format string error in the "AbstractCommand::onAbort()" function. aria2 versions 1.6.1 and earlier are vulnerable. Ref: http://aria2.svn.sourceforge.net/viewvc/aria2/trunk/NEWS?revision=1586

• 09.43.29 - CVE: CVE-2009-2052, CVE-2009-2874
• Platform: Cross Platform
• Title: Cisco Unified Presence Denial of Service Vulnerabilities
• Description: Cisco Unified Presence collects information about a user availability and their communications capabilities. Cisco Unified Presence is vulnerable to a denial of service due to an error in the TimesTenD process when establishing large number of connections to TCP port 16200 or 22794. Also an error exists in the embedded firewall when tracking network connections. Cisco Unified Presence versions prior to 6.0(6) and 7.0(5) are vulnerable.
• Ref: http://www.cisco.com/warp/public/707/cisco-sa-20091014-cup.shtml

• 09.43.30 - CVE: Not Available
• Platform: Cross Platform
• Title: ZoIPer SIP INVITE Denial of Service Vulnerability
• Description: ZoIPer is an Internet communication suite. It is vulnerable to a denial of service issue when processing crafted SIP INVITE messages containing an empty "Call-Info" header. ZoIPer Free version 2.22 library versions 4829 and earlier are vulnerable.
• Ref: http://packetstormsecurity.org/0910-exploits/zoiper_dos.py.txt

• 09.43.31 - CVE: CVE-2009-3602
• Platform: Cross Platform
• Title: Unbound NSEC3 Signature Validation Bypass Security Issue
• Description: Unbound is a validating, recursive, and caching DNS resolver. Unbound is exposed to a security bypass issue beacause of an error while validating NSEC3 records. Unbound versions earlier to 1.3.4 are affected by this issue.
• Ref: http://unbound.net/pipermail/unbound-users/2009-October/000852.html

• 09.43.32 - CVE: Not Available
• Platform: Cross Platform
• Title: Skype Extras Manager component Unspecified Vulnerability
• Description: Skype is a software application that allows users to make voice calls over the Internet. The Application is exposed to an unspecified error in the Extras Manager component. Skype Extras Manager versions earlier than 2.0.0.67 included in Skype for Windows versions earlier than 4.1.0.179.
• Ref: https://developer.skype.com/WindowsSkype/ReleaseNotes

• 09.43.33 - CVE: Not Available
• Platform: Web Applications Cross Site Scripting
• Title: Quick.Cart Cross-Site Request Forgery Vulnerability
• Description: Quick.Cart is a easy to use shopping cart script. The application is exposed to cross-site request forgery attacks because it allows users to perform certain actions via HTTP requests without performing any validity checks to verify the requests. Quick.Cart version 3.4 is affected by this issue.
• Ref: http://packetstormsecurity.org/0910-exploits/quickcart-xsslfixsrf.txt

• 09.43.34 - CVE: Not Available
• Platform: Web Application - Cross Site Scripting
• Title: Drupal RealName Module Script Insertion Vulnerability
• Description: The RealName module allows the administrator to choose fields from the user profile that will be used to add a "real name" element (method) to a user object. Drupal's RealName module is prone to a script insertion vulnerability because the real name from a user profile is not properly sanitized before being displayed to the user. This can be exploited to insert arbitrary HTML and script code, which will be executed in a user's browser session in context of an affected site when the malicious data is being viewed. The vulnerability is reported in versions prior to 6.x-1.3. Other versions may also be affected.
• Ref: http://drupal.org/node/604760

• 09.43.35 - CVE: Not Available
• Platform: Web Application - Cross Site Scripting
• Title: IBM Rational RequisitePro ReqWebHelp Cross-Site Scripting
• Description: Rational RequisitePro helps project teams to manage requirements, write use cases, improve traceability and strengthen collaboration. Multiple cross-site scripting vulnerabilities exist in RequisitePro because input passed to the "searchWord", "maxHits", "scopedSearch", and "scope" parameters in /ReqWebHelp/basic/searchView.jsp, and to the "operation" parameter in /ReqWebHelp/advanced/workingSet.jsp is not properly sanitized before being returned to the user. IBM Rational RequisitePro 7.x versions are affected with this issue.
• Ref: http://www-01.ibm.com/support/docview.wss?uid=swg1PK83895

• 09.43.36 - CVE: CVE-2008-2364
• Platform: Web Application
• Title: IBM OS/400 HTTP Server mod_proxy Denial of Service
• Description: IBM HTTP Server (IHS) is a Web server based on the Apache Software Foundation's Apache HTTP Server that runs on AIX, HP-UX, Linux, Solaris, Windows NT, and z/OS. A vulnerability in IBM OS/400 HTTP Server is caused due to an error in the "ap_proxy_http_process_response()" function when forwarding interim responses. This can be exploited to consume large amounts of memory by tricking mod_proxy into sending an overly large number of interim responses to the client. Ref: http://www-01.ibm.com/support/docview.wss?uid=nas2f960f9e1d5d7811786257655003c8e7a

• 09.43.37 - CVE: CVE-2009-2412
• Platform: Web Application
• Title: IBM HTTP Server Apache Portable Runtime Integer Overflows
• Description: IBM HTTP Server (IHS) is a Web server based on the Apache Software Foundation's Apache HTTP Server that runs on AIX, HP-UX, Linux, Solaris, Windows NT, and z/OS. IBM HTTP Server is prone to multiple vulnerabilities that are caused due to the application including a vulnerable Apache Portable Runtime version. These can be exploited to cause a denial of service condition.
• Ref: http://www-01.ibm.com/support/docview.wss?uid=swg1PK93225

• 09.43.38 - CVE: Not Available
• Platform: Web Application
• Title: AgoraCart Cross-Site Request Forgery Vulnerability
• Description: AgoraCart is an ecommerce shopping cart software solution. A vulnerability exists in AgoraCart, because the application allows users to perform certain actions via HTTP requests without performing any validity checks to verify the requests. This can be exploited to perform administrative actions, e.g. manipulate a .htaccess file via the protected/manager.cgi script or change the user's password if a logged-in administrative user visits a malicious web site. Version 5.2.005 is vulnerable. Other versions may also be affected.
• Ref: http://holisticinfosec.org/content/view/129/45/

• 09.43.39 - CVE: Not Available
• Platform: Web Application
• Title: Drupal Shibboleth Authentication Module Privilege Escalation Security Issue
• Description: Drupal Shibboleth Authentication Module provides user authentication with Shibboleth (both v1.3 and v2.0) as well as some authorisation features. A privilege escalation vulnerability exists due to an error in the handling of statically granted permissions for Shibboleth sessions. This can be exploited to perform certain actions with escalated privileges by logging-in using a browser that has not been closed by another user after logging-out. The security issue is reported in versions prior to 6.x-3.2 and 5.x-3.4.
• Ref: http://drupal.org/node/604488

• 09.43.40 - CVE: CVE-2009-3695
• Platform: Web Application
• Title: Django forms Library Regular Expressions Denial of Service Vulnerability
• Description: Django is an open source web application framework, written in Python. Django is prone to a vulnerability which is caused due to an error within the regular expressions used for validation of the "EmailField" or "URLField" form fields in Django's forms library. This can be exploited to cause a denial of service due to high CPU consumption via specially crafted email addresses or URLs. The vulnerability is reported in version 1.0 and 1.1. Multiple vendors are affected by this issue.
• Ref: http://www.djangoproject.com/weblog/2009/oct/09/security/ https://www.redhat.com/archives/fedora-package-announce/2009-October/msg00475.ht
  ml https://www.redhat.com/archives/fedora-package-announce/2009-October/msg00473.ht
  ml

• 09.43.41 - CVE: Not Available
• Platform: Web Application
• Title: Joomla AjaxChat Component File Inclusion Vulnerability
• Description: Joomla AjaxChat Component is a browser based chat system for Joomla. It is vulnerable to a file inclusion vulnerability due to insufficient sanitization of input to the "mosConfig_absolute_path" parameter. Joomla AjaxChat Component versions 1.0 and earlier are vulnerable.
• Ref: http://packetstormsecurity.org/0910-exploits/joomlaajaxchat-rfi.txt

• 09.43.42 - CVE: Not Available
• Platform: Web Application
• Title: TYPO3 Random Images Extension Command Execution Vulnerability
• Description: TYPO3 is a web content management framework. It is vulnerable to a remote shell command execution vulnerablity due to insufficient sanitization of input. TYPO3 versions 1.6.4 and earlier are vulnerable.
• Ref: http://typo3.org/teams/security/security-bulletins/typo3-sa-2009-014/

• 09.43.43 - CVE: Not Available
• Platform: Web Application
• Title: Piwik Arbitrary File Creation Vulnerability
• Description: Piwik is an open source web analytics application. It is vulnerable to a file creation vulnerablity due to input passed to the "name" and "HTTP_RAW_POST_DATA" parameters in ofc_upload_image.php is not properly verified to check for file extensions and file contents before being used to create files. Piwik versions 0.4.3 and earlier are vulnerable.
• Ref: http://packetstormsecurity.org/0910-exploits/piwik-upload.txt

• 09.43.44 - CVE: CVE-2009-3546
• Platform: Web Application
• Title: PHP GD Extension "_gdGetColors()" Buffer Overflow Vulnerability
• Description: PHP is a server-side HTML embedded scripting language. The GD Graphics Library Code is vulnerable to a remote buffer overflow due to insufficient sanitization of input. php svn revision 289557 resolves the issue.
• Ref: http://seclists.org/oss-sec/2009/q4/41 http://svn.php.net/viewvc?view=revision&revision=289557

• 09.43.45 - CVE: Not Available
• Platform: Web Application
• Title: Mongoose Source Code Disclosure Vulnerability
• Description: Mongoose is a Windows based HTTP server. It is vulnerable to source code disclosure when handling crafted HTTP requests. Mongoose Web Server versions 2.8 and earlier are vulnerable.
• Ref: http://packetstormsecurity.org/0910-exploits/mongoose-disclose.txt

• 09.43.46 - CVE: Not Available
• Platform: Web Application
• Title: NaviCOPA Script Source Disclosure Vulnerability
• Description: NaviCOPA is a Windows based HTTP server. It is vulnerable to source code disclosure when handling crafted HTTP requests. NAViCOPA versions 3.01.2 and earlier are vulnerable.
• Ref: http://pocoftheday.blogspot.com/2009/10/navicopa-web-server-3012- remote-source.html

(c) 2009. All rights reserved. The information contained in this newsletter, including any external links, is provided "AS IS," with no express or implied warranty, for informational purposes only. In some cases, copyright for material in this newsletter may be held by a party other than Qualys (as indicated herein) and permission to use such material must be requested from the copyright owner.

Subscriptions: @RISK is distributed free of charge by the SANS Institute to people responsible for managing and securing information systems and networks. You may forward this newsletter to others with such responsibility inside or outside your organization.