@RISK: The Consensus Security Vulnerability Alert

Volume: VIII, Issue: 47
November 19, 2009

@RISK is the SANS community's consensus bulletin summarizing the most important vulnerabilities and exploits identified during the past week and providing guidance on appropriate actions to protect your systems (PART I). It also includes a comprehensive list of all new vulnerabilities discovered in the past week (PART II).

Summary of the vulnerabilities reported this week:

    Platform                                Number of Updates and Vulnerabilities
    --------------------------              -------------------------------------
    Windows                                 1 (#3)
    Third Party Windows Apps                9
    Linux                                   3
    Solaris                                 1
    Unix                                    1
    Novell                                  1
    Cross Platform                          16 (#1, #2, #4)
    Web Application - Cross Site Scripting  3
    Web Application - SQL Injection         2
    Web Application                         11
    Network Device                          3

******************* Sponsored By Faronics Corporation *******************

Join Computer Incident Response professionals at the Incident Detection Summit December 9-10. Hear about the latest tools, tactics and techniques to detect incidents. Learn how to advise clients and upper management on successful incident detection programs.

https://www.sans.org/info/50343

************************************************************************* TRAINING UPDATE

-- SANS London, UK, November 28-December 6, 16 courses, bonus evening sessions: Hex Factor, Forensics Mini Summit and more: https://sans.org/london09/

-- SANS CDI, Washington DC, December 11-18, 24 courses, bonus evening presentations, including Future Trends in Network Security https://www.sans.org/cyber-defense-initiative-2009

-- SANS Security East 2010, New Orleans, January 10-18, 2010 19 courses, bonus evening presentations: Top 7 Trends in Incident Response and Computer Forensics, Advanced Forensic Techniques and more https://www.sans.org/security-east-2010/

-- SANS AppSec 2010, San Francisco, January 29-February 5, 2010 https://www.sans.org/appsec-2010/

-- SANS Phoenix, February 14 -February 20, 2010 https://www.sans.org/phoenix-2010/

-- SANS 2010, Orlando, March 6 - March 15, 2010 https://www.sans.org/sans-2010/

Looking for training in your own community? https://sans.org/community/

Save on On-Demand training (30 full courses) - See samples at https://www.sans.org/ondemand/

Plus New Delhi, Geneva and Tokyo all in the next 90 days. For a list of all upcoming events, on-line and live: http://www.sans.org

*************************************************************************

Table Of Contents
Part II -- Comprehensive List of Newly Discovered Vulnerabilities from Qualys (www.qualys.com)
Windows
Third Party Windows Apps
Linux
Solaris
Unix
Novell
Cross Platform
Web Application - Cross Site Scripting
Web Application - SQL Injection
Web Application
Network Device

**************************** Sponsored Link: ****************************

1) REGISTER TODAY for the upcoming webcast: Content-Aware SIEM Thursday, December 03 at 1:00 PM EST (1800 UTC/GMT)

https://www.sans.org/info/51009

*************************************************************************

PART I Critical Vulnerabilities

Part I for this issue has been compiled by Rohan Kotian at TippingPoint, a division of 3Com, as a by-product of that company's continuous effort to ensure that its intrusion prevention products effectively block exploits using known vulnerabilities. TippingPoint's analysis is complemented by input from a council of security managers from twelve large organizations who confidentially share with SANS the specific actions they have taken to protect their systems.

Widely Deployed Software
  • (1) CRITICAL: Apple Safari Multiple Vulnerabilities
  • Affected:
    • Apple Safari versions prior to 4.0.4
  • Description: Safari is Apple's web browser for Mac OS X and Microsoft Windows. It contains multiple vulnerabilities in its handling of a variety of web page and scripting constructs and of malicious images. The first issue is an integer overflow caused by improper handling of images with an embedded color profile. The second issue is an application termination triggered while parsing specially crafted XML content. The third issue is an information disclosure caused by an error in Safari's handling of navigations, which a specially crafted HTML file might use to load a local file. The fourth issue is in the way Cross-Origin Resource Sharing is implemented in WebKit, which can result in cross-site request forgery. The fifth issue is in the way WebKit handles FTP directory listings, which might lead to arbitrary code execution, information disclosure or application termination.

  • Status: Vendor confirmed, updates available.

  • References:
  • (2) HIGH: RhinoSoft Serv-U FTP Server TEA Decoder Buffer Overflow Vulnerability
  • Affected:
    • RhinoSoft Serv-U 9.0.5
    • RhinoSoft Serv-U 9.0.0.1
  • Description: RhinoSoft Serv-U File Server is an FTP, SFTP and HTTP server for Windows platforms. A stack-based buffer overflow vulnerability has been reported in the RhinoSoft Serv-U FTP server; it can be triggered via a specially crafted request. The specific flaw is a boundary error while processing the hexadecimal representation of a string using the TEA decoding algorithm. Successful exploitation might allow an attacker to execute arbitrary code in the context of the affected application. Some technical details of the vulnerability are publicly available.

  • Status: Vendor confirmed, updates available.

  • References:
  • (4) MODERATE: GIMP Image Parsing Integer Overflow Vulnerability
  • Affected:
    • GIMP version 2.6.7 and prior
  • Description: GNU Image Manipulation Program (GIMP) is a multi-platform raster graphics editor. Two integer overflow vulnerabilities have been reported in GIMP; they can be triggered by a specially crafted BMP or PSD file. The first issue is an integer overflow error in the "ReadImage()" function in "plug-ins/file-bmp/bmp-read.c". The second issue is an integer overflow error in the "read_channel_data()" function in "plug-ins/file-psd/psd-load.c". A user would have to be tricked into opening the malicious PSD or BMP file. Successful exploitation might allow an attacker to execute arbitrary code within the context of the affected application. Full technical details about these vulnerabilities are available via source code analysis.

  • Status: Vendor confirmed, updates available.

  • References:

Part II: Weekly Comprehensive List of Newly Discovered Vulnerabilities
Week 47, 2009

This list is compiled by Qualys (www.qualys.com) as part of that company's ongoing effort to ensure its vulnerability management web service tests for all known vulnerabilities that can be scanned. As of this week Qualys scans for 7616 unique vulnerabilities. For this special SANS community listing, Qualys also includes vulnerabilities that cannot be scanned remotely.

  • 09.47.1 - CVE: CVE-2009-3676
  • Platform: Windows
  • Title: Microsoft Windows "KeAccumulateTicks()" SMB2 Packet Remote Denial of Service
  • Description: Microsoft Windows is exposed to a remote denial of service issue. Specifically the issue occurs in the "KeAccumulateTicks()" function due to an infinite loop, because of which crafted SMB2 packets may cause the affected system to crash. Successful exploitation of this issue requires enticing an unsuspecting user to connect to a malicious SMB server. Microsoft Windows versions 7 and 2008 R2 are affected by this issue.
  • Ref: http://www.microsoft.com/technet/security/advisory/977544.mspx

  • 09.47.2 - CVE: Not Available
  • Platform: Third Party Windows Apps
  • Title: Yahoo! Messenger
  • Description: Yahoo! Messenger is an instant messaging application. The application is exposed to a denial of service issue because of a NULL-pointer dereference error which affects the "RegisterMe()" method of the ActiveX control. Yahoo! Messenger version 9.0.0.2162 is affected by this issue.
  • Ref: http://support.microsoft.com/kb/240797 http://www.securityfocus.com/archive/1/507818

  • 09.47.3 - CVE: Not Available
  • Platform: Third Party Windows Apps
  • Title: XM Easy Personal FTP Server "NLST" Command Remote Denial of Service
  • Description: XM Easy Personal FTP Server is an FTP server for Microsoft Windows. The application is exposed to a remote denial of service issue that occurs when handling large amounts of data passed to the "NLST" command. XM Easy Personal FTP Server version 5.8.0 is affected by this issue.
  • Ref: http://www.securityfocus.com/bid/37008/

  • 09.47.4 - CVE: Not Available
  • Platform: Third Party Windows Apps
  • Title: XM Easy Personal FTP Server "APPE" and "DELE" Commands Remote Denial of Service Vulnerabilities
  • Description: XM Easy Personal FTP Server is an FTP server for Microsoft Windows. The server is exposed to a remote denial of service issue that occurs when handling large amounts of data passed to the "APPE" and "DELE" commands. XM Easy Personal FTP Server version 5.8.0 is affected by this issue.
  • Ref: http://www.securityfocus.com/archive/1/507853

  • 09.47.5 - CVE: Not Available
  • Platform: Third Party Windows Apps
  • Title: Avast! Antivirus "aswRdr.sys" Driver Local Privilege Escalation
  • Description: Avast! Antivirus is an application that provides virus protection. Avast! Antivirus is exposed to a local privilege escalation issue because the "aswRdr.sys" driver fails to sufficiently sanitize user-supplied input passed to IOCTL 0x80002024. Avast! Antivirus version 4.8.1356 is affected by this issue.
  • Ref: http://www.securityfocus.com/archive/1/507891

  • 09.47.6 - CVE: Not Available
  • Platform: Third Party Windows Apps
  • Title: Home FTP Server "SITE INDEX" Command Remote Denial of Service
  • Description: Home FTP Server is an FTP server for computers running Microsoft Windows. The application is exposed to a remote denial of service issue because it fails to handle user-supplied input. Specifically, the server fails to properly handle multiple "SITE INDEX" commands.
  • Ref: http://www.securityfocus.com/archive/1/507893

  • 09.47.7 - CVE: CVE-2009-3841
  • Platform: Third Party Windows Apps
  • Title: HP Discovery and Dependency Mapping Inventory Unspecified Remote Code Execution
  • Description: HP Discovery and Dependency Mapping Inventory (DDMI) is an application for managing assets. The application is exposed to a remote code execution issue due to an unspecified error. HP Discovery and Dependency Mapping Inventory versions 2.5x, 7.5x, and 7.60 running on Windows are affected by this issue.
  • Ref: http://h20000.www2.hp.com/bizsupport/TechSupport/Document.jsp?objectID=c01861595

  • 09.47.8 - CVE: Not Available
  • Platform: Third Party Windows Apps
  • Title: Home FTP Server 'MKD' Command Directory Traversal
  • Description: Home FTP Server is designed for use with Microsoft Windows operating systems. The application is exposed to a directory traversal issue because it fails to sufficiently sanitize directory traversal strings (..) passed to the "MKD" command. Home FTP Server version 1.10.1.139 is affected by this issue.
  • Ref: http://www.securityfocus.com/archive/1/507932

  • 09.47.9 - CVE: Not Available
  • Platform: Third Party Windows Apps
  • Title: Kaspersky Anti-Virus "kl1.sys" Driver Local Privilege Escalation
  • Description: Kaspersky Anti-Virus is an application that provides virus protection. The application is exposed to a local privilege escalation issue because the "kl1.sys" driver fails to sufficiently sanitize user-supplied input passed to IOCTL 0x0022c008. Kaspersky Anti-Virus 2010 version 9.0.0.463 is affected by this issue.
  • Ref: http://www.securityfocus.com/archive/1/507933

  • 09.47.10 - CVE: CVE-2009-3840
  • Platform: Third Party Windows Apps
  • Title: HP OpenView Network Node Manager "ovdbrun.exe" Denial of Service
  • Description: HP OpenView Network Node Manager (NNM) is a fault management application for IP networks. The application is exposed to a remote denial of service issue that occurs in the "ovdbrun.exe" service listening on TCP port 2690 (default), that occurs when handling a specially crafted network packet containing an invalid error code. NNM versions 7.51 and 7.53 are affected by this issue.
  • Ref: http://www.coresecurity.com/content/openview_nnm_internaldb_dos

  • 09.47.11 - CVE: Not Available
  • Platform: Linux
  • Title: Linux Kernel "megaraid_sas" Local Privilege Escalation
  • Description: The Linux kernel is exposed to a local privilege escalation issue because the "megaraid_sas" driver has world-writable permissions on the "dbg_lvl" and "poll_mode_io" attributes.
  • Ref: http://git.kernel.org/?p=linux/kernel/git/torvalds/linux-2.6.git;a=commitdiff;h=66dca9b8c50b5e59d3bea8b21cee5c6dae6c9c46

  • 09.47.12 - CVE: Not Available
  • Platform: Linux
  • Title: Linux Kernel KVM "KVM_MAX_MCE_BANKS" Memory Corruption
  • Description: The Linux kernel is exposed to a memory corruption issue that affects the Kernel-based Virtual Machine (KVM). Specifically, the kernel allocates only 32 MCE banks, but it allows userspace to fill up 255 MCE banks during setup. Linux kernel versions earlier than 2.6.32-rc7 are affected by this issue.
  • Ref: http://git.kernel.org/?p=linux/kernel/git/torvalds/linux-2.6.git;a=commit;h=a9e38c3e01ad242fe2a625354cf065c34b01e3aa http://www.kernel.org/pub/linux/kernel/v2.6/testing/ChangeLog-2.6.32-rc7

  • 09.47.13 - CVE: Not Available
  • Platform: Linux
  • Title: Linux Kernel "hfc_usb.c" Local Privilege Escalation
  • Description: The Linux kernel is exposed to a local privilege escalation issue caused by a read buffer overflow in the "collect_rx_frame()" function of the "drivers/isdn/hisax/hfc_usb.c" source file. Linux kernel versions earlier than 2.6.32-rc7 are affected by this issue.
  • Ref: http://git.kernel.org/?p=linux/kernel/git/torvalds/linux-2.6.git;a=commit;h=286e633ef0ff5bb63c07b4516665da8004966fec http://www.kernel.org/pub/linux/kernel/v2.6/testing/ChangeLog-2.6.32-rc7

  • 09.47.15 - CVE: CVE-2009-3553
  • Platform: Unix
  • Title: CUPS File Descriptors Handling Remote Denial Of Service
  • Description: CUPS (Common UNIX Printing System) is a widely used set of printing utilities for UNIX-based systems. The application is exposed to a denial of service issue caused by a use-after-free error. CUPS version 1.3.7 is affected by this issue.
  • Ref: https://bugzilla.redhat.com/show_bug.cgi?id=530111

  • 09.47.16 - CVE: Not Available
  • Platform: Novell
  • Title: Novell eDirectory "/dhost/modules?I:" Buffer Overflow
  • Description: Novell eDirectory is software for identity management and security. The application is exposed to a buffer overflow issue because it fails to perform adequate boundary checks on user-supplied data. Specifically the issue occurs when a malformed HTTP request to "/dhost/modules?I:" is processed. Novell eDirectory version 8.8 SP5 is affected by this issue.
  • Ref: http://www.securityfocus.com/archive/1/507812

  • 09.47.17 - CVE: CVE-2009-2842
  • Platform: Cross Platform
  • Title: Apple Safari Shortcut Menu Options Information Disclosure
  • Description: Apple Safari is a web browser available for Mac OS X and Microsoft Windows. The application is exposed to an information disclosure issue that affects shortcut menu options. Specifically, page navigations on a malicious website that are initiated via the "Open Image in New Tab", "Open Image in New Window", or "Open Link in New Tab" shortcut menu options may target a local file. Safari versions earlier than 4.0.4 are affected by this issue.
  • Ref: http://support.apple.com/kb/HT3949

  • 09.47.18 - CVE: CVE-2009-3384
  • Platform: Cross Platform
  • Title: Webkit Multiple Remote Code Execution, Denial of Service, and Information Disclosure Vulnerabilities
  • Description: WebKit is a browser framework used in multiple applications, including Apple Safari and Google Chrome browsers. WebKit is exposed to multiple remote code execution, denial of service, and information disclosure vulnerabilities. The problem occurs in WebKit's handling of FTP directory listings.
  • Ref: http://www.securityfocus.com/bid/36995/

  • 09.47.19 - CVE: CVE-2009-2841
  • Platform: Cross Platform
  • Title: WebKit Resource Load Callback Information Disclosure Weakness
  • Description: WebKit is a browser framework used in multiple applications, including Apple Safari and Google Chrome browsers. WebKit is exposed to a remote information disclosure weakness because it does not properly issue a resource load callback to determine if the resource should be loaded, resulting in possibly unwanted requests to remote servers.
  • Ref: http://www.securityfocus.com/bid/36996/info

  • 09.47.20 - CVE: CVE-2009-2816
  • Platform: Cross Platform
  • Title: WebKit Preflight Request Same Origin Policy Bypass
  • Description: WebKit is a browser framework used in multiple applications, including Apple Safari and Google Chrome browsers. WebKit is exposed to an issue that lets an attacker bypass the same origin policy because, prior to accessing resources with a different origin than the current domain, WebKit sends a preflight request to the latter server that contains custom HTTP headers.
  • Ref: http://googlechromereleases.blogspot.com/2009/11/stable-update-fix-google-chrome-not.html

  • 09.47.21 - CVE: CVE-2009-1570
  • Platform: Cross Platform
  • Title: GIMP BMP Image Parsing Integer Overflow
  • Description: GIMP is an image manipulation program. The application is exposed to an integer overflow issue in the "ReadImage()" function in the "plug-ins/file-bmp/bmp-read.c" file. GIMP version 2.6.7 is affected by this issue.
  • Ref: http://git.gnome.org/cgit/gimp/commit/?id=e3afc99b2fa7aeddf0dba4778663160a5bc682d3

  • 09.47.22 - CVE: Not Available
  • Platform: Cross Platform
  • Title: Adobe Flash Player Same Origin Policy Bypass
  • Description: Adobe Flash Player is a multimedia application for multiple platforms. The application is exposed to an issue that lets an attacker bypass the same origin policy. Flash content uploaded to a malicious server can permit interaction with the origin domain.
  • Ref: http://www.foregroundsecurity.com/MyBlog/

  • 09.47.23 - CVE: CVE-2009-2747
  • Platform: Cross Platform
  • Title: IBM WebSphere Application Server Administrative Console HTML Injection
  • Description: IBM WebSphere Application Server (WAS) is an application server used for service-oriented architecture. WAS is exposed to an HTML injection issue because it fails to properly sanitize user-supplied input. IBM WebSphere Application Server versions earlier than 6.1.0.29 and 7.0.0.7 are affected by this issue.
  • Ref: http://xforce.iss.net/xforce/xfdb/54229

  • 09.47.24 - CVE: Not Available
  • Platform: Cross Platform
  • Title: ngIRCd SSL/TLS Support MOTD Request Multiple Denial Of Service Vulnerabilities
  • Description: ngIRCd is an IRC (Internet Relay Chat) daemon available for various platforms, including Windows and UNIX. The application is exposed to multiple denial of service vulnerabilities when the server is running with SSL/TLS support because of errors in the "Conn_GetCipherInfo()" and "Conn_UsesSSL()" functions in the "src/ngircd/conn.c" source file. ngIRCd 13 through ngIRCd 14 are affected by this issue.
  • Ref: http://arthur.barton.de/cgi-bin/gitweb.cgi?p=ngircd.git;a=commit;h=627b0b713c52406e50c84bb9459e7794262920a2

  • 09.47.25 - CVE: Not Available
  • Platform: Cross Platform
  • Title: libexif "exif-entry.c" Tag Format Conversion Heap Buffer Overflow Vulnerability
  • Description: The "libexif" library is a freely available library that is used to read and write EXIF data. The library is exposed to a heap-based buffer overflow issue because it fails to perform adequate boundary checks on user-supplied data. Specifically, the "exif_entry_fix()" function in "libexif/exif-entry.c" fails to perform adequate boundary checks.
  • Ref: http://sourceforge.net/mailarchive/message.php?msg_name=20091113072359.GA22681%40coneharvesters.com

  • 09.47.26 - CVE: Not Available
  • Platform: Cross Platform
  • Title: Sun VirtualBox Guest Additions Local Denial Of Service Vulnerability
  • Description: Sun VirtualBox is open source virtualization software. Guest Additions are installed inside the guest operating system. The application is exposed to a local denial of service issue that may allow an attacker to consume all kernel resources in the guest operating system. Sun xVM VirtualBox Guest Additions 1.6, 2.1 and 2.2 releases, Sun xVM VirtualBox Guest Additions versions 2.0.10 and earlier, and 3.0.8 and earlier are affected by this issue.
  • Ref: http://sunsolve.sun.com/search/document.do?assetkey=1-66-271149-1

  • 09.47.27 - CVE: CVE-2008-4869
  • Platform: Cross Platform
  • Title: FFmpeg TCP/UDP Memory Leak Denial Of Service Vulnerability
  • Description: FFmpeg is an application used to record, convert, and stream audio and video. The application is exposed to a denial of service issue due to an unspecified memory leak error related to TCP/UDP handling. FFmpeg version 0.4.9 is affected by this issue.
  • Ref: http://www.securityfocus.com/bid/37026

  • 09.47.28 - CVE: Not Available
  • Platform: Cross Platform
  • Title: PHP "symlink()" "open_basedir" Restriction Bypass
  • Description: PHP is a general purpose scripting language that is especially suited for web development and can be embedded into HTML. PHP is exposed to an "open_basedir" restriction bypass vulnerability. PHP versions 5.2.11 and 5.3.0 are affected by this issue.
  • Ref: http://securityreason.com/achievement_exploitalert/14

  • 09.47.29 - CVE: Not Available
  • Platform: Cross Platform
  • Title: Wikipedia Toolbar Remote Code Execution
  • Description: Wikipedia Toolbar is an add-on for Mozilla Firefox. The application is exposed to a remote code execution issue because it fails to properly sanitize input to the "eval()" function call. Wikipedia Toolbar version 0.5.9 is affected by this issue.
  • Ref: https://addons.mozilla.org/en-US/firefox/addons/versions/6401#version-0.5.9.2

  • 09.47.30 - CVE: Not Available
  • Platform: Cross Platform
  • Title: Apple Safari CSS Denial of Service
  • Description: Apple Safari is a web browser available for Mac OS X and Microsoft Windows. The application is exposed to a denial of service issue because it fails to handle exceptional conditions. Safari version 4.0.3 for Windows is affected by this issue.
  • Ref: http://www.securityfocus.com/bid/37039

  • 09.47.31 - CVE: CVE-2009-3909
  • Platform: Cross Platform
  • Title: GIMP PSD Image Parsing Integer Overflow
  • Description: GIMP is a program for manipulating images. The application is exposed to an integer overflow issue in the "read_channel_data()" function in the "plug-ins/file-psd/psd-load.c" file. GIMP version 2.6.7 is affected by this issue.
  • Ref: http://git.gnome.org/cgit/gimp/commit/?id=0e440cb6d4d6ee029667363d244aff61b154c33c http://git.gnome.org/cgit/gimp/commit/?id=9cc8d78ff33b7a36852b74e64b427489cad44d0e

  • 09.47.32 - CVE: Not Available
  • Platform: Cross Platform
  • Title: Novell eDirectory "/dhost/httpstk;submit" Multiple Stack Buffer Overflow Vulnerabilities
  • Description: Novell eDirectory is software for identity management and security. The application is exposed to multiple stack-based buffer overflow vulnerabilities because it fails to perform adequate boundary checks on user-supplied data. Specifically, the issues occur when excessive data is passed via the "sadminpwd" and "verifypwd" parameters of an HTTP request to "/dhost/httpstk;submit". Novell eDirectory 8.8 SP5 is affected by this issue.
  • Ref: http://www.securityfocus.com/archive/1/507926/

  • 09.47.33 - CVE: CVE-2009-2823
  • Platform: Web Application - Cross Site Scripting
  • Title: Apple Mac OS X Apache HTTP TRACE Cross-Site Scripting
  • Description: The Apache server shipped with Apple Mac OS X is exposed to a cross-site scripting issue. The issue occurs because the server supports and responds to the HTTP TRACE request by default. Mac OS X and Mac OS X Server 10.5.8 and earlier, and Mac OS X and Mac OS X Server 10.6.1 and earlier, are affected by this issue.
  • Ref: http://support.apple.com/kb/HT3937

  • 09.47.34 - CVE: Not Available
  • Platform: Web Application - Cross Site Scripting
  • Title: phpMyFAQ Search Page Cross-Site Scripting
  • Description: phpMyFAQ is a PHP-based FAQ script. The application is exposed to an unspecified cross-site scripting issue because it fails to properly sanitize user-supplied input. phpMyFAQ versions earlier than 2.5.2 and 2.0.17 are affected by this issue.
  • Ref: http://www.phpmyfaq.de/advisory_2009-09-01.php

  • 09.47.35 - CVE: Not Available
  • Platform: Web Application - Cross Site Scripting
  • Title: Alteon OS BBI Cross-Site Request Forgery and HTML Injection Vulnerabilities
  • Description: Alteon OS BBI (Browser Based Interface) allows users to access switch information and statistics and to perform switch configuration over the internet. The application is exposed to a cross-site request forgery issue that may allow attackers to perform administrative actions, an HTML injection issue which affects the SSH login parameter, and multiple HTML injection vulnerabilities that affect various unspecified static parameters.
  • Ref: http://www.securityfocus.com/archive/1/507892

  • 09.47.36 - CVE: Not Available
  • Platform: Web Application - SQL Injection
  • Title: Multiple JiRo's Products "files/login.asp" Multiple SQL Injection Vulnerabilities
  • Description: Multiple JiRo's products are exposed to multiple SQL injection vulnerabilities because they fail to sufficiently sanitize user-supplied data before using it in an SQL query. These issues affect the "admin" and "password" parameters of the "file/login.asp" script when logging in as an administrator. JBS 2.0 and JBSX are affected by this issue.
  • Ref: http://www.securityfocus.com/bid/37045

  • 09.47.37 - CVE: Not Available
  • Platform: Web Application - SQL Injection
  • Title: ActiveWebSoftwares Active Bids "default.asp" SQL Injection
  • Description: ActiveWebSoftwares Active Bids is a web-based application implemented in ASP. The application is exposed to an SQL injection issue because it fails to sufficiently sanitize user-supplied data to the "catid" parameter of the "default.asp" script before using it in an SQL query.
  • Ref: http://www.securityfocus.com/bid/37047

  • 09.47.38 - CVE: Not Available
  • Platform: Web Application
  • Title: Drupal RootCandy Theme URI Value HTML Injection
  • Description: RootCandy is a PHP-based theme for the Drupal content manager's administration section. The application is exposed to an HTML injection issue because it fails to properly sanitize user-supplied input to a URI value in an unspecified field before displaying it in a user's browser. RootCandy versions prior to 6.x-1.5 are affected by this issue.
  • Ref: http://drupal.org/node/630168

  • 09.47.39 - CVE: Not Available
  • Platform: Web Application
  • Title: Drupal AddToAny Node Title HTML Injection
  • Description: AddToAny provides a share button for the Drupal content manager. The application is exposed to an HTML injection issue because it fails to properly sanitize user-supplied input to the node title in an unspecified field before displaying it in a user's browser.
  • Ref: http://drupal.org/node/630208

  • 09.47.40 - CVE: Not Available
  • Platform: Web Application
  • Title: Drupal Web Services Module Authentication Bypass
  • Description: Web Services is a module for the Drupal content manager. The module is exposed to an authentication bypass issue because it fails to perform adequate access checks.
  • Ref: http://drupal.org/node/630244

  • 09.47.41 - CVE: Not Available
  • Platform: Web Application
  • Title: HP ProCurve Switch Management Interface Multiple HTML Injection Vulnerabilities
  • Description: The HP ProCurve Switch web management interface is exposed to multiple HTML injection vulnerabilities which may allow an attacker to inject arbitrary JavaScript and HTML into the "Organization Name" and "Organization Unit" fields of the "Security -> SSL" portion of the web interface, as well as multiple unspecified fields related to the SSL certificate.
  • Ref: http://www.securityfocus.com/bid/37001/

  • 09.47.42 - CVE: Not Available
  • Platform: Web Application
  • Title: Wordpress "wp-admin/includes/file.php" Arbitrary File Upload
  • Description: Wordpress is a PHP-based blogging application. The application is exposed to an issue that lets attackers upload arbitrary files because the application fails to adequately sanitize user-supplied input before uploading files via the "wp-admin/includes/file.php" script. Wordpress versions 2.8.5 and earlier are affected by this issue.
  • Ref: http://wordpress.org/development/2009/11/wordpress-2-8-6-security-release/ http://www.securityfocus.com/archive/1/507819

  • 09.47.43 - CVE: Not Available
  • Platform: Web Application
  • Title: UseBB BBcode Parsing Remote Denial Of Service
  • Description: UseBB is a forum application implemented in PHP. The application is exposed to a remote denial of service issue caused by an error in parsing malformed BBcode input. UseBB versions earlier than 1.0.10 are affected by this issue.
  • Ref: http://www.usebb.net/community/topic-2388.html

  • 09.47.44 - CVE: Not Available
  • Platform: Web Application
  • Title: Wordpress Unspecified Cross-Site Scripting
  • Description: Wordpress is a web-based blogging application. The application is exposed to an unspecified cross-site scripting issue because it fails to properly sanitize user-supplied input before using it in dynamically generated content. Wordpress versions earlier than 2.8.6 are affected by this issue.
  • Ref: http://wordpress.org/development/2009/11/wordpress-2-8-6-security-release/

  • 09.47.45 - CVE: Not Available
  • Platform: Web Application
  • Title: XOOPS Profile Activation Security Bypass Vulnerability
  • Description: XOOPS is a PHP-based content manager. The application is exposed to a security bypass issue because it fails to properly verify "activation_type" permissions when a resend of the activation email is requested. XOOPS versions earlier than 2.4.1 are affected by this issue.
  • Ref: http://www.xoops.org/modules/news/article.php?storyid=5096

  • 09.47.46 - CVE: Not Available
  • Platform: Web Application
  • Title: PHD Help Desk Multiple Cross-Site Scripting Vulnerabilities
  • Description: PHD Help Desk is a PHP-based help desk application. The application is exposed to multiple cross-site scripting vulnerabilities because it fails to sufficiently sanitize user-supplied data to scripts and parameters. PHD Help Desk version 1.43 is affected by this issue.
  • Ref: http://secunia.com/advisories/37375/

  • 09.47.47 - CVE: Not Available
  • Platform: Web Application
  • Title: SemanticScuttle Prior to 0.94.1 Multiple Unspecified Cross-Site Scripting Vulnerabilities
  • Description: SemanticScuttle is a social bookmarking application written in PHP. The application is exposed to multiple unspecified cross-site scripting vulnerabilities because it fails to properly sanitize user-supplied input. SemanticScuttle versions earlier than 0.94.1 are affected by this issue.
  • Ref: http://semanticscuttle.svn.sourceforge.net/viewvc/semanticscuttle/branches/0.94.1/ChangeLog?view=markup&pathrev=471

  • 09.47.48 - CVE: Not Available
  • Platform: Web Application
  • Title: Joomla! eZine Component "d4m_ajax_pagenav.php" Remote File Include
  • Description: eZine is a component for the Joomla! content manager. The component is exposed to a remote file include issue because it fails to sufficiently sanitize user-supplied input to the "GLOBALS[mosConfig_absolute_path]" parameter of the "d4m_ajax_pagenav.php" script. eZine version 2.1 is affected by this issue.
  • Ref: http://securityreason.com/exploitalert/7454
  • 09.47.51 - CVE: CVE-2007-5475
  • Platform: Network Device
  • Title: Linksys WAP4400N Association Request Remote Denial of Service
  • Description: Linksys WAP4400N wireless access point devices are exposed to a denial of service issue because they fail to adequately verify user-supplied input. Linksys WAP4400N devices running firmware version 1.2.17 are affected by this issue.
  • Ref: http://www.securityfocus.com/archive/1/507781

(c) 2009. All rights reserved. The information contained in this newsletter, including any external links, is provided "AS IS," with no express or implied warranty, for informational purposes only. In some cases, copyright for material in this newsletter may be held by a party other than Qualys (as indicated herein) and permission to use such material must be requested from the copyright owner.

Subscriptions: @RISK is distributed free of charge by the SANS Institute to people responsible for managing and securing information systems and networks. You may forward this newsletter to others with such responsibility inside or outside your organization.