@RISK: The Consensus Security Vulnerability Alert

Part I -- Critical Vulnerabilities from TippingPoint (www.tippingpoint.com)

• (1) CRITICAL: Adobe Shockwave Player Multiple Vulnerabilities
• (2) HIGH: BlackBerry Desktop Software Lotus Notes Intellisync ActiveX Control Vulnerability
• (3) HIGH: Sun Java Runtime Environment Multiple Vulnerabilities
• (4) HIGH: Symantec Altiris ConsoleUtilities ActiveX Control Buffer Overflow Vulnerability
• (5) HIGH: IBM Tivoli Storage Manager Multiple Vulnerabilities
• (6) HIGH: Multiple Vendor Hummingbird STR Service Buffer Overflow Vulnerability
• (7) HIGH: RhinoSoft Serv-U File Server Buffer Overflow Vulnerability

Part II -- Comprehensive List of Newly Discovered Vulnerabilities from Qualys (www.qualys.com)

Third Party Windows Apps

• 09.45.1 - Multiple Vendor Hummingbird STR Service Buffer Overflow
• 09.45.2 - Avast! Antivirus "aavmKer4.sys" Driver Local Privilege Escalation
• 09.45.3 - Multiple Panda Products Insecure Program File Permissions Local Privilege Escalation
• 09.45.4 - Multiple Symantec Altiris Products ActiveX Control Buffer Overflow
• 09.45.5 - Novell eDirectory NULL Base DN Denial Of Service
• 09.45.6 - Research In Motion BlackBerry Desktop Manager ActiveX Control Remote Code Execution

Linux

• 09.45.7 - SUSE Linux "scsi_discovery tool" Insecure Temporary File Creation
• 09.45.8 - Linux Kernel "pipe.c" Local Privilege Escalation

BSD

• 09.45.9 - OpenBSD "getsockopt(2)" Remote Denial of Service
• 09.45.10 - OpenBSD and NetBSD "printf(1)" Format String Parsing Denial of Service
• 09.45.11 - Multiple BSD Distributions "printf(3)" Memory Corruption

Solaris

• 09.45.12 - Sun Solaris "xscreensaver(1)" From JDS Local Information Disclosure

Cross Platform

• 09.45.13 - Opera Web Browser prior to 10.01 Multiple Security Vulnerabilities
• 09.45.14 - Mozilla Firefox Floating Point Conversion Heap Overflow
• 09.45.15 - Mozilla FireFox Download Manager World Writable File Local Privilege Escalation Vulnerability
• 09.45.16 - Mozilla Firefox Form History Information Disclosure
• 09.45.17 - Mozilla Firefox JavaScript Web-Workers Remote Code Execution
• 09.45.18 - Mozilla Firefox and SeaMonkey "libpr0n" GIF Parser Heap-Based Buffer Overflow
• 09.45.19 - Mozilla Firefox and SeaMonkey Proxy Auto-Configuration File Remote Code Execution
• 09.45.20 - Mozilla Firefox XPCOM Utility Chrome Privilege Escalation
• 09.45.21 - Mozilla Firefox "document.getSelect" Cross-Domain Information Disclosure
• 09.45.22 - Mozilla Firefox and Seamonkey Download Filename Spoofing
• 09.45.23 - Mozilla Firefox Multiple Remote Memory Corruption Vulnerabilities
• 09.45.24 - Mozilla Firefox Remote Memory Corruption
• 09.45.25 - Mozilla Firefox Remote Memory Corruption
• 09.45.26 - Cherokee Directory Traversal
• 09.45.27 - Mozilla Firefox Multiple Remote Memory Corruption Vulnerabilities
• 09.45.28 - F-Secure Products PDF Files Scan Evasion
• 09.45.29 - IBM Runtimes for Java Technology "XML4J" Component Unspecified Vulnerability

Web Application - Cross Site Scripting

• 09.45.30 - Drupal FAQ Ask Module URI Redirection and Cross-Site Scripting Vulnerabilities
• 09.45.31 - TYPO3 Apache Solr Search Extension Unspecified Cross-Site Scripting
• 09.45.32 - Mahara Resume Blocktype Cross-Site Scripting
• 09.45.33 - TFTgallery "sample" Parameter Cross-Site Scripting

Web Application - SQL Injection

• 09.45.34 - PunBB "pun_attachment" extension SQL Injection
• 09.45.35 - TYPO3 Flagbit Filebase Extension Unspecified SQL Injection

Web Application

• 09.45.36 - Drupal LDAP Integration Cross-Site Scripting and Authentication Bypass Vulnerabilities
• 09.45.37 - Drupal OpenSocial Shindig-Integrator Module HTML Injection
• 09.45.38 - Drupal CCK Comment Reference Module Node Title Security Bypass Vulnerability
• 09.45.39 - Drupal Workflow Module Multiple HTML Injection Vulnerabilities
• 09.45.40 - Drupal Storm Module "storminvoiceitem" Security Bypass
• 09.45.41 - CubeCart "admin.php" Authentication Bypass
• 09.45.42 - "com_jumi" Component for Joomla! Backdoor
• 09.45.43 - Mahara Admin Password Reset Security Bypass
• 09.45.44 - Serv-U Web Client HTTP Request Remote Buffer Overflow
• 09.45.45 - TFTgallery "album" Parameter Directory Traversal

Network Device

• 09.45.46 - SEIL/X Series and SEIL/B1 Buffer Overflow and Denial of Service Vulnerabilities

Hardware

• 09.45.47 - Multiple Intel Desktop Board Models Bitmap Processing Buffer Overflow

PART I Critical Vulnerabilities

Part I for this issue has been compiled by Rohan Kotian at TippingPoint, a division of 3Com, as a by-product of that company's continuous effort to ensure that its intrusion prevention products effectively block exploits using known vulnerabilities. TippingPoint's analysis is complemented by input from a council of security managers from twelve large organizations who confidentially share with SANS the specific actions they have taken to protect their systems.

Part II: Weekly Comprehensive List of Newly Discovered Vulnerabilities
Week 45, 2009

This list is compiled by Qualys ( www.qualys.com ) as part of that company's ongoing effort to ensure its vulnerability management web service tests for all known vulnerabilities that can be scanned. As of this week Qualys scans for 7571 unique vulnerabilities. For this special SANS community listing, Qualys also includes vulnerabilities that cannot be scanned remotely.

• 09.45.1 - CVE: Not Available
• Platform: Third Party Windows Apps
• Title: Multiple Vendor Hummingbird STR Service Buffer Overflow
• Description: The Hummingbird STR service (STRsvc.exe) used in products by multiple vendors is exposed to a buffer overflow issue because it fails to properly bounds check user-supplied data before copying it into an insufficiently sized memory buffer. The vulnerability arises in the "STRlib.dll" module when the application handles a packet containing an excessive amount of data. EMC Documentum eRoom versions 7.4.2 and earlier and Open Text Search Server version 6.0 and 6.1 are affected by this issue. OpenText Search Server 6.1 and OpenText Search Server 6.0 and EMC Documentum eRoom 7.4.1 are affected by this issue.
• Ref: http://www.zerodayinitiative.com/advisories/ZDI-09-074/

• 09.45.2 - CVE: CVE-2009-3523
• Platform: Third Party Windows Apps
• Title: Avast! Antivirus "aavmKer4.sys" Driver Local Privilege Escalation
• Description: Avast! Antivirus is an application that provides virus protection. The application is exposed to a local privilege escalation issue because the "aavmKer4.sys" driver fails to sufficiently sanitize user-supplied input passed to IOCTL 0xb2d6000c and 0xb2d60034. Avast! Antivirus versions earlier than 4.8.1356 are affected by this issue.
• Ref: http://www.ntinternals.org/ntiadv0904/ntiadv0904.html

• 09.45.3 - CVE: Not Available
• Platform: Third Party Windows Apps
• Title: Multiple Panda Products Insecure Program File Permissions Local Privilege Escalation
• Description: Panda develops antivirus products. The applications are exposed to a local privilege escalation issue because they install program files with "Everyone:F" permissions. Panda Global Protection 2010 and Panda Internet Security 2010 are affected by this issue.
• Ref: http://www.securityfocus.com/archive/1/507615

• 09.45.4 - CVE: CVE-2009-3031
• Platform: Third Party Windows Apps
• Title: Multiple Symantec Altiris Products ActiveX Control Buffer Overflow
• Description: Symantec Altiris Deployment Solution is software for deploying and managing servers, desktops, notebooks, thin clients, and handheld devices from a centralized location. The applications are exposed to a buffer overflow issue which occurs because the applications use an ActiveX control provided by "AeXNSConsoleUtilities.dll" that fails to properly validate user-supplied input to the "BrowseandSaveFile()" method.
• Ref: http://sotiriu.de/adv/NSOADV-2009-001.txt http://www.symantec.com/business/security_response/securityupdates/detail.jsp?fi
  d=security_advisory&pvid=security_advisory&year=2009&suid=20091102_0
  0

• 09.45.5 - CVE: Not Available
• Platform: Third Party Windows Apps
• Title: Novell eDirectory NULL Base DN Denial Of Service
• Description: Novell eDirectory is a directory service that is used to centrally manage computer resources on a network. eDirectory is exposed to a denial of service issue when the NDSD process handles specially crafted search requests containing a NULL base DN. Novell eDirectory versions earlier than 8.8.5 ftf1 and eDirectory 8.7.3.10 ftf2 are affected by this issue.
• Ref: http://www.novell.com/support/viewContent.do?externalId=7004721

• 09.45.6 - CVE: CVE-2009-0306
• Platform: Third Party Windows Apps
• Title: Research In Motion BlackBerry Desktop Manager ActiveX Control Remote Code Execution
• Description: Research In Motion BlackBerry Desktop Manager is used to synchronize smartphones and desktop computers. BlackBerry Desktop Manager is exposed to a remote code execution issue which occurs in Lotus Notes Intellisync ActiveX control provided by "Inresobject.dll". BlackBerry Desktop Manager versions earlier than 5.0.1 are affected by this issue.
• Ref: http://www.blackberry.com/btsc/search.do?cmd=displayKC&docType=kc&extern
  alId=KB19701

• 09.45.7 - CVE: CVE-2009-1297
• Platform: Linux
• Title: SUSE Linux "scsi_discovery tool" Insecure Temporary File Creation
• Description: SUSE Linux creates temporary files in an insecure manner. The issue occurs in the "iscsi_discovery" tool. An attacker with local access could potentially exploit this issue to perform symbolic link attacks to overwrite arbitrary attacker-specified files. openSUSE versions 10.3 through 11.1 and SUSE Linux Enterprise (SLE) versions 10 SP2 and 11 are affected by this issue.
• Ref: http://www.securityfocus.com/bid/36887

• 09.45.8 - CVE: CVE-2009-3547
• Platform: Linux
• Title: Linux Kernel "pipe.c" Local Privilege Escalation
• Description: Linux kernel is exposed to a local privilege escalation issue due to a NULL pointer dereference condition. This issue occurs in the "pipe_read_open()", "pipe_write_open()" and "pipe_rdwr_open()" functions of the 'pipe.c' source file.
• Ref: https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2009-3547 http://lkml.org/lkml/2009/10/14/184

• 09.45.9 - CVE: Not Available
• Platform: BSD
• Title: OpenBSD "getsockopt(2)" Remote Denial of Service
• Description: OpenBSD is exposed to a remote denial of service issue. This issue occurs in the "getsockopt(2)" function with any of the IP_AUTH_LEVEL, IP_ESP_TRANS_LEVEL, IP_ESP_NETWORK_LEVEL and IP_IPCOMP_LEVEL options. Successsfully exploiting this issue may crash the kernel. OpenBSD version 4.6 and earlier are affected by this issue.
• Ref: http://marc.info/?l=openbsd-cvs&m=125676466108709&w=2

• 09.45.10 - CVE: Not Available
• Platform: BSD
• Title: OpenBSD and NetBSD "printf(1)" Format String Parsing Denial of Service
• Description: OpenBSD and NetBSD are exposed to a denial of service vulnerability because they fail to properly parse format strings containing multiple widths or precisions to the "printf(1)" function. OpenBSD version 4.6 and NetBSD version 5.0.1 are affected by this issue.
• Ref: http://securityreason.com/achievement_securityalert/69

• 09.45.11 - CVE: Not Available
• Platform: BSD
• Title: Multiple BSD Distributions "printf(3)" Memory Corruption
• Description: Multiple BSD distributions are exposed to a memory corruption issue because the software fails to properly bounds check data used as an array index in the "printf(3)" function of the "libc/gdtoa" library. OpenBSD version 4.5 and NetBSD version 5.0 are affected by this issue.
• Ref: http://securityreason.com/achievement_securityalert/69

• 09.45.12 - CVE: Not Available
• Platform: Solaris
• Title: Sun Solaris "xscreensaver(1)" From JDS Local Information Disclosure
• Description: "xscreensaver(1)" is a screen saver for Linux and Unix systems running the X11 Window System. "xscreensaver(1)" in Solaris Trusted Extensions is prone to a local information disclosure issue because when a user chooses to lock the screen from the Java Desktop System (JDS) menu, the screen may not lock when using "xscreensaver-demo". Successfully exploiting this issue may allow an attacker with local access to obtain restricted content.
• Ref: http://sunsolve.sun.com/search/document.do?assetkey=1-66-270809-1

• 09.45.13 - CVE: Not Available
• Platform: Cross Platform
• Title: Opera Web Browser prior to 10.01 Multiple Security Vulnerabilities
• Description: Opera Web Browser is a browser that runs on multiple operating systems. The application is exposed to a remote code execution issue due to memory corruption when handling crafted domain names, a security issue related to Web fonts that may allow an attacker to display arbitrary domain names in the address field, and a security bypass issue that may allow an attacker to execute scripts in the feed subscription page. Opera versions earlier than 10.01 are affected by this issue.
• Ref: http://www.opera.com/support/kb/view/938/ http://www.opera.com/support/kb/view/939/ http://www.opera.com/support/kb/view/940/

• 09.45.14 - CVE: CVE-2009-1563
• Platform: Cross Platform
• Title: Mozilla Firefox Floating Point Conversion Heap Overflow
• Description: Mozilla Firefox is a web browser. The application is exposed to a heap-based buffer overflow issue because it fails to perform adequate boundary checks on user-supplied data due to an error in array indexing in the string to floating point conversion routines.
• Ref: http://www.mozilla.org/security/announce/2009/mfsa2009-59.html

• 09.45.15 - CVE: CVE-2009-3274
• Platform: Cross Platform
• Title: Mozilla FireFox Download Manager World Writable File Local Privilege Escalation Vulnerability
• Description: Mozilla Firefox is a web browser available for multiple operating systems. The application is exposed to a local privilege escalation issue because it uses predictable names when downloading and saving files to the downloads folder.
• Ref: http://www.mozilla.org/security/announce/2009/mfsa2009-53.html

• 09.45.16 - CVE: CVE-2009-3370
• Platform: Cross Platform
• Title: Mozilla Firefox Form History Information Disclosure
• Description: Mozilla Firefox is a web browser. The application is exposed to an information disclosure issue because form history data from web content and the smart location bar can be harvested and a specially crafted web page can synthesize mouse movements and key-press events to auto-populate form fields with history entries.
• Ref: http://www.mozilla.org/security/announce/2009/mfsa2009-52.html

• 09.45.17 - CVE: CVE-2009-3371
• Platform: Cross Platform
• Title: Mozilla Firefox JavaScript Web-Workers Remote Code Execution
• Description: Mozilla Firefox is a browser available for various platforms. The application is exposed to a remote code execution issue which occurs in the creation of JavaScript web workers and may allow attackers to create a set objects whereby the memory could be freed prior to the use of the object.
• Ref: http://www.mozilla.org/security/announce/2009/mfsa2009-54.html

• 09.45.18 - CVE: CVE-2009-3373
• Platform: Cross Platform
• Title: Mozilla Firefox and SeaMonkey "libpr0n" GIF Parser Heap-Based Buffer Overflow
• Description: Mozilla Firefox is a web browser. SeaMonkey is an open-source browser, email client, newsgroup client, IRC chat client, and HTML editor. The applications are exposed to a heap-based buffer overflow issue because they fail to perform adequate boundary checks on user-supplied data in the "libpr0n" GIF image parser, when handling color map changes in the "gif_image_header" section of the parser.
• Ref: http://www.mozilla.org/security/announce/2009/mfsa2009-56.html

• 09.45.19 - CVE: CVE-2009-3372
• Platform: Cross Platform
• Title: Mozilla Firefox and SeaMonkey Proxy Auto-Configuration File Remote Code Execution
• Description: Mozilla Firefox and SeaMonkey are web browser applications. Mozilla Firefox and SeaMonkey are exposed to a remote code execution issue that arises when parsing specially crafted regular expressions contained in Proxy Auto configuration (PAC) files.
• Ref: http://www.mozilla.org/security/announce/2009/mfsa2009-55.html

• 09.45.20 - CVE: CVE-2009-3374
• Platform: Cross Platform
• Title: Mozilla Firefox XPCOM Utility Chrome Privilege Escalation
• Description: Mozilla Firefox and SeaMonkey are browsers. Firefox and SeaMonkey are prone to a privilege escalation issue in the browser's sidebar and FeedWriter.
• Ref: http://www.mozilla.org/security/announce/2009/mfsa2009-57.html

• 09.45.21 - CVE: CVE-2009-3375
• Platform: Cross Platform
• Title: Mozilla Firefox "document.getSelect" Cross-Domain Information Disclosure
• Description: Mozilla Firefox is a web browsers available for multiple platforms. A cross-domain information disclosure issue occurs because text within a selection on a web page can be read by JavaScript in a different domain using the "document.getSelection" function.
• Ref: http://www.mozilla.org/security/announce/2009/mfsa2009-61.html http://support.avaya.com/css/P8/documents/100067493

• 09.45.22 - CVE: CVE-2009-3376
• Platform: Cross Platform
• Title: Mozilla Firefox and Seamonkey Download Filename Spoofing
• Description: Mozilla Firefox and Seamonkey are web browser applications available for multiple platforms. Mozilla Firefox and Seamonkey are exposed to a spoofing issue that may allow an attacker to trick a user into downloading an executable file when the user expects a non-executable file.
• Ref: https://bugzilla.mozilla.org/show_bug.cgi?id=511521 http://www.mozilla.org/security/announce/2009/mfsa2009-62.html

• 09.45.23 - CVE: CVE-2009-3383,CVE-2009-3382,CVE-2009-3381,CVE-2009-3380
• Platform: Cross Platform
• Title: Mozilla Firefox Multiple Remote Memory Corruption Vulnerabilities
• Description: Mozilla Firefox is a browser available for various platforms. The application is exposed to multiple remote memory corruption vulnerabilities that occur due to unspecified errors. Mozilla Firefox 3.5.3, 3.5.2, 3.5.1 and 3.5 are affected by this issue.
• Ref: http://www.mozilla.org/security/announce/2009/mfsa2009-64.html

• 09.45.24 - CVE: CVE-2009-3377
• Platform: Cross Platform
• Title: Mozilla Firefox Remote Memory Corruption
• Description: Mozilla Firefox is a browser available for various platforms. The application is exposed to a remote memory corruption issue that occurs in the "liboggz" library due to an unspecified error. Mozilla Firefox 3.5.3, 3.5.2, 3.5.1 and 3.5 are affected by this issue.
• Ref: http://www.mozilla.org/security/announce/2009/mfsa2009-63.html

• 09.45.25 - CVE: CVE-2009-3378
• Platform: Cross Platform
• Title: Mozilla Firefox Remote Memory Corruption
• Description: Mozilla Firefox is a browser available for various platforms. The application is exposed to a remote memory corruption issue that occurs in the "liboggplay" library due to an error related to referencing memory that has already been freed. The issue arises when the application handles specially-crafted ".ogg" files.
• Ref: http://www.mozilla.org/security/announce/2009/mfsa2009-63.html

• 09.45.26 - CVE: Not Available
• Platform: Cross Platform
• Title: Cherokee Directory Traversal
• Description: Cherokee is an HTTP webserver available for multiple platforms. The application is exposed to a directory traversal issue because it fails to sufficiently sanitize user-supplied input. Cherokee versions 0.5.4 and earlier are affected by this issue.
• Ref: http://freetexthost.com/ncyss3plli

• 09.45.27 - CVE: CVE-2009-3379
• Platform: Cross Platform
• Title: Mozilla Firefox Multiple Remote Memory Corruption Vulnerabilities
• Description: Mozilla Firefox is a browser available for various platforms. The application is exposed to multiple remote memory corruption vulnerabilities that occur due to NULL pointer dereference and other memory management errors when the application handles specially-crafted audio and video files.
• Ref: http://www.mozilla.org/security/announce/2009/mfsa2009-63.html

• 09.45.28 - CVE: Not Available
• Platform: Cross Platform
• Title: F-Secure Products PDF Files Scan Evasion
• Description: F-Secure develops antivirus, firewall, and other security products. Multiple F-Secure products are exposed to an issue that may allow certain files to bypass the scan engine because the software fails to properly inspect specially crafted "PDF' files.
• Ref: http://www.g-sec.lu/fsecure-pdf-bypass.html http://www.f-secure.com/en_EMEA/support/security-advisory/fsc-2009-3.html

• 09.45.29 - CVE: Not Available
• Platform: Cross Platform
• Title: IBM Runtimes for Java Technology "XML4J" Component Unspecified Vulnerability
• Description: IBM Runtimes for Java Technology is a Java application. The application is exposed to an unspecified vulnerability which affects the "XML4J" component. IBM Runtimes version 5.0 for Java Technology is affected by this issue.
• Ref: http://www-01.ibm.com/support/docview.wss?uid=swg1IZ63920

• 09.45.30 - CVE: Not Available
• Platform: Web Application - Cross Site Scripting
• Title: Drupal FAQ Ask Module URI Redirection and Cross-Site Scripting Vulnerabilities
• Description: FAQ Ask is a module for the Drupal content manager. The module is exposed to a remote URI redirection issue and a cross-site scripting issue because it fails to sufficiently sanitize user-supplied input.
• Ref: http://drupal.org/node/617444

• 09.45.31 - CVE: CVE-2009-3821
• Platform: Web Application - Cross Site Scripting
• Title: TYPO3 Apache Solr Search Extension Unspecified Cross-Site Scripting
• Description: Apache Solr Search "solr" is an extension for the TYPO3 content manager. The extension is exposed to an unspecified cross-site scripting issue because it fails to properly sanitize user-supplied input. Apache Solr Search version 1.0.1 is affected by this issue. Ref: http://typo3.org/teams/security/security-bulletins/typo3-sa-2009-014/

• 09.45.32 - CVE: CVE-2009-3299
• Platform: Web Application - Cross Site Scripting
• Title: Mahara Resume Blocktype Cross-Site Scripting
• Description: Mahara is a web-based portfolio application. The application is exposed to a cross-site scripting issue because it fails to sufficiently sanitize user-supplied input. Mahara versions earlier than 1.0.13 and 1.1.7 are affected by this issue.
• Ref: http://mahara.org/interaction/forum/topic.php?id=1170

• 09.45.33 - CVE: Not Available
• Platform: Web Application - Cross Site Scripting
• Title: TFTgallery "sample" Parameter Cross-Site Scripting
• Description: TFTgallery is a PHP-based application. The application is exposed to a cross-site scripting issue because it fails to sufficiently sanitize user-supplied input specifically the "sample" parameter of the "settings.php" script. TFTgallery version 0.13 is affected by this issue.
• Ref: http://www.securityfocus.com/bid/36898

• 09.45.34 - CVE: Not Available
• Platform: Web Application - SQL Injection
• Title: PunBB "pun_attachment" extension SQL Injection
• Description: The "pun_attachment" extension for PunBB allows files to be attached to forum posts. The application is exposed to an SQL injection issue because it fails to sufficiently sanitize user-supplied data to the "secure_str" parameter of the "misc.php" script before using it an SQL query. "pun_attachment" version 1.0.2 is affected by this issue.
• Ref: http://bbs.wolvez.org/post/248/

• 09.45.35 - CVE: CVE-2009-3820
• Platform: Web Application - SQL Injection
• Title: TYPO3 Flagbit Filebase Extension Unspecified SQL Injection
• Description: Flagbit Filebase ('fb_filebase') is an extension for the TYPO3 content manager. The extension is exposed to an SQL injection issue because it fails to sufficiently sanitize input before using it in an SQL query. Flagbit Filebase version 0.1.0 is affected by this issue.
• Ref: http://typo3.org/teams/security/security-bulletins/typo3-sa-2009-014/

• 09.45.36 - CVE: Not Available
• Platform: Web Application
• Title: Drupal LDAP Integration Cross-Site Scripting and Authentication Bypass Vulnerabilities
• Description: The LDAP Integration module allows users to authenticate against LDAP servers. The application is exposed to an HTML Injection issue which occurs because the software fails to properly sanitize the user-defined server name before displaying it in the administration pages, an authentication bypass issue within the access rules for user management and an authentication bypass issue when the application fails to implement proper access restrictions. Drupal LDAP Integration 6.x-1.0-beta1 and Drupal LDAP Integration 5.x-1.4 are affected by this issue.
• Ref: http://drupal.org/node/617386

• 09.45.37 - CVE: Not Available
• Platform: Web Application
• Title: Drupal OpenSocial Shindig-Integrator Module HTML Injection
• Description: OpenSocial Shindig-Integrator is a PHP based module for the Drupal content manager. The OpenSocial Shindig-Integrator module is exposed to an unspecified HTML injection issue because it fails to properly sanitize user-supplied input before using it in dynamically generated content. OpenSocial Shindig-Integrator versions earlier than 6.x-2.1 are affected by this issue.
• Ref: http://drupal.org/node/617422

• 09.45.38 - CVE: Not Available
• Platform: Web Application
• Title: Drupal CCK Comment Reference Module Node Title Security Bypass Vulnerability
• Description: CCK Comment Reference is a module for Drupal content manager. The module is exposed to a security bypass issue that may allow attackers with insufficient privileges to access comments through the autocomplete path that the module provides. CCK Comment Reference versions earlier than 5.x-1.2 and 6.x-1.3 are affected by this issue.
• Ref: http://drupal.org/node/617380

• 09.45.39 - CVE: Not Available
• Platform: Web Application
• Title: Drupal Workflow Module Multiple HTML Injection Vulnerabilities
• Description: Workflow is a module for the Drupal content manager that defines flexible process management systems. The module is exposed to multiple HTML injection vulnerabilities because it fails to properly sanitize user-supplied input before using it in dynamically generated content. Workflow versions earlier than 5.x-2.4 and 6.x-1.2 are affected by this issue.
• Ref: http://drupal.org/node/617456

• 09.45.40 - CVE: Not Available
• Platform: Web Application
• Title: Drupal Storm Module "storminvoiceitem" Security Bypass
• Description: Storm is a module for Drupal content manager. The module is exposed to a security bypass issue that may allow attackers with insufficient privileges to view node titles. This issue occurs because nodes of type "storminvoiceitem" do not always respect access permissions. Storm versions earlier than 6.x-1.25 are affected by this issue.
• Ref: http://drupal.org/node/617494

• 09.45.41 - CVE: Not Available
• Platform: Web Application
• Title: CubeCart "admin.php" Authentication Bypass
• Description: CubeCart is a web-based e-commerce application implemented in PHP. The application is exposed to an authentication bypass issue because it fails to adequately verify user-supplied input used for authentication. This issue affects the "_g" parameter of the "admin.php" script. CubeCart versions earlier than 4.3.5 are affected by this issue.
• Ref: http://www.securityfocus.com/archive/1/507594

• 09.45.42 - CVE: Not Available
• Platform: Web Application
• Title: "com_jumi" Component for Joomla! Backdoor
• Description: "com_jumi" is a component for the Mambo/Joomla! content managers. "com_jumi" is exposed to a backdoor issue in the "modules/mod_mainmenu/tmpl/.config.php" script that has an "eval()" command that is called with a user-supplied parameter as an argument. "com_jumi" version 2.0.5 is affected by this issue.
• Ref: http://www.juniper.net/security/auto/vulnerabilities/vuln36883.html

• 09.45.43 - CVE: CVE-2009-3298
• Platform: Web Application
• Title: Mahara Admin Password Reset Security Bypass
• Description: Mahara is a web-based portfolio application. The application is exposed to a security bypass issue related to the password reset feature which may allow an institution administrator to reset the password of the site administrator in certain cases. Mahara versions earlier than 1.0.13 and 1.1.7 are affected by this issue.
• Ref: http://mahara.org/interaction/forum/topic.php?id=1169

• 09.45.44 - CVE: Not Available
• Platform: Web Application
• Title: Serv-U Web Client HTTP Request Remote Buffer Overflow
• Description: Serv-U Web Client is a browser-based file transfer application. The application is exposed to a remote buffer overflow issue because it fails to perform adequate boundary checks on user-supplied data. The issue occurs when handling overly long session cookies. Serv-U Web Client version 9.0.0.5 affected by this issue.
• Ref: http://www.rangos.de/ServU-ADV.txt

• 09.45.45 - CVE: Not Available
• Platform: Web Application
• Title: TFTgallery "album" Parameter Directory Traversal
• Description: TFTgallery is a PHP-based application. The application is exposed to a directory traversal issue because it fails to sufficiently sanitize user-supplied input to the "album" parameter of the "index.php" script. TFTgallery version 0.13 is affected by this issue.
• Ref: http://www.securityfocus.com/bid/36899

• 09.45.46 - CVE: Not Available
• Platform: Network Device
• Title: SEIL/X Series and SEIL/B1 Buffer Overflow and Denial of Service Vulnerabilities
• Description: SEIL/X Series and SEIL/B1 are wired/wireless routers. The devices are exposed a buffer overflow issue in the URL filtering function and a denial of service issue in the NAT function. SEIL/X1 versions 2.40 to 2.51, SEIL/X2 versions 2.40 to 2.51 and SEIL/B1 versions 2.40 to 2.51 are affected by this issue.
• Ref: http://jvn.jp/en/jp/JVN06362164/index.html http://jvn.jp/en/jp/JVN13011682/index.html http://www.seil.jp/seilseries/security/2009/a00669.php http://www.seil.jp/seilseries/security/2009/a00674.php

• 09.45.47 - CVE: Not Available
• Platform: Hardware
• Title: Multiple Intel Desktop Board Models Bitmap Processing Buffer Overflow
• Description: Multiple Intel Desktop Board models are exposed to a buffer overflow vulnerability because they fail to properly bounds check user-supplied data. This issue occurs in unspecified bitmap processing code. Ref: http://security-center.intel.com/advisory.aspx?intelid=INTEL-SA-00020&languageid=en-fr

(c) 2009. All rights reserved. The information contained in this newsletter, including any external links, is provided "AS IS," with no express or implied warranty, for informational purposes only. In some cases, copyright for material in this newsletter may be held by a party other than Qualys (as indicated herein) and permission to use such material must be requested from the copyright owner.

Subscriptions: @RISK is distributed free of charge by the SANS Institute to people responsible for managing and securing information systems and networks. You may forward this newsletter to others with such responsibility inside or outside your organization.