
@RISK: The Consensus Security Vulnerability Alert

Volume: VIII, Issue: 49
December 3, 2009

Nothing huge this week.

Alan

@RISK is the SANS community's consensus bulletin summarizing the most important vulnerabilities and exploits identified during the past week and providing guidance on appropriate actions to protect your systems (PART I). It also includes a comprehensive list of all new vulnerabilities discovered in the past week (PART II).

Summary of the vulnerabilities reported this week:

Category                                  # of Updates & Vulnerabilities
----------------------------------------  ------------------------------
Third Party Windows Apps                   3
Linux                                      5
BSD                                        1
Solaris                                    1
Cross Platform                             6 (#1, #2, #3, #4)
Web Application - Cross Site Scripting    10
Web Application - SQL Injection           10
Web Application                            8

*********** Sponsored By Faronics Corporation ***********

How Much is Outdated Security Costing You?

LEARN MORE: https://www.sans.org/info/51639

No single solution is enough to block modern malware threats. Zero-day attacks, "mutating" viruses, or targeted attacks are all high-risk situations that can lead to the high costs and potential headaches of repairing a compromised IT system. A layered security approach includes application whitelisting solutions like Faronics Anti-Executable to provide full protection.

*************************************************************************

TRAINING UPDATE

Two cool new items: (1) SANS India - India's leading industries recently awakening to the fact that cybersecurity is a survival skill and asked SANS to bring its courses over. If you live in India or have ties to the country, we'd love your help in making sure the right courses are offered and for the right folks. Email Suresh at SMustapha@sans.org. The current test plan is posted at: https://www.sans.org/info/51273

(2) Effective presentation class being tested in Washington: https://www.sans.org/security-training/technical-communication-and-presentation-skills-security-professionals-1422-mid

-- SANS CDI, Washington DC, December 11-18, 24 courses, bonus evening presentations, including Future Trends in Network Security

https://www.sans.org/cyber-defense-initiative-2009

-- SANS Security East 2010, New Orleans, January 10-18, 2010, 19 courses, bonus evening presentations: Top 7 Trends in Incident Response and Computer Forensics, Advanced Forensic Techniques and more https://www.sans.org/security-east-2010/

-- SANS AppSec 2010, San Francisco, January 29-February 5, 2010 https://www.sans.org/appsec-2010/

-- SANS Phoenix, February 14 -February 20, 2010 https://www.sans.org/phoenix-2010/

-- SANS 2010, Orlando, March 6 - March 15, 2010 https://www.sans.org/sans-2010/

Looking for training in your own community? https://sans.org/community/

Save on On-Demand training (30 full courses) - See samples at: https://www.sans.org/ondemand

Plus Ottawa, Tokyo and Bangalore all in the next 90 days. For a list of all upcoming events, on-line and live: http://www.sans.org

*************************************************************************

Table Of Contents
Part II -- Comprehensive List of Newly Discovered Vulnerabilities from Qualys (www.qualys.com)
Third Party Windows Apps
Linux
BSD
Solaris
Cross Platform
Web Application - Cross Site Scripting
Web Application - SQL Injection
Web Application
PART I Critical Vulnerabilities

Part I for this issue has been compiled by Rohan Kotian at TippingPoint, a division of 3Com, as a by-product of that company's continuous effort to ensure that its intrusion prevention products effectively block exploits using known vulnerabilities. TippingPoint's analysis is complemented by input from a council of security managers from twelve large organizations who confidentially share with SANS the specific actions they have taken to protect their systems.

Widely Deployed Software
  • (1) HIGH: BlackBerry Products Attachment Service PDF Distiller Multiple Vulnerabilities
  • Affected:
    • Research In Motion Blackberry Professional Software 4.1.4
    • Research In Motion Blackberry Enterprise Server 4.1.7
    • Research In Motion Blackberry Enterprise Server 4.1.6 MR5
    • Research In Motion Blackberry Enterprise Server 4.1.6 MR4
    • Research In Motion Blackberry Enterprise Server 4.1.6
    • Research In Motion Blackberry Enterprise Server 4.1.5
    • Research In Motion Blackberry Enterprise Server 4.1.4
    • Research In Motion Blackberry Enterprise Server 4.1.3
    • Research In Motion Blackberry Enterprise Server 5.0
  • Description: The Research In Motion BlackBerry is a popular mobile telephone and messaging device. BlackBerry handheld devices are integrated with an enterprise's messaging infrastructure through BlackBerry Enterprise Server. This server software and the BlackBerry Professional Software have unspecified vulnerabilities in the BlackBerry Attachment Service, a service used to view different file formats. The errors are within the PDF distiller component of the Attachment Service. A specially crafted PDF file opened on a BlackBerry smartphone could trigger this vulnerability and cause memory corruption. Successful exploitation can lead to arbitrary code execution. Note that a user must first open the PDF on a BlackBerry mobile device for exploitation to occur. No technical details are publicly available.

  • Status: Vendor confirmed, updates available.

  • References:
  • (2) HIGH: Novell eDirectory Heap Overflow Vulnerability
  • Affected:
    • Novell eDirectory 8.7.3.10 ftf1 and prior for All Platforms
    • Novell eDirectory 8.8.5 ftf1 and prior for All Platforms
  • Description: Novell's eDirectory, a multi-platform directory service, allows businesses to manage identities and secure access to network resources within a network. It has been reported that Novell eDirectory is exposed to a heap-based buffer overflow that can be triggered by a specially crafted service request. The security flaw is caused by inadequate checks performed by the application while processing incoming NDS Verb 0x1 service requests. A very large integer in the request can cause an integer wrap, eventually leading to an overflow condition. Successful exploitation might allow an attacker to execute arbitrary code in the context of the affected application. Some technical details of the vulnerability are publicly available.

  • Status: Vendor confirmed, updates available.

  • References:
  • (3) MEDIUM: Roxio Creator Image Parsing Integer Overflow Vulnerability
  • Affected:
    • Roxio Easy Media Creator 9.0.136
    • Roxio Creator 2010
  • Description: Roxio Creator, a product of Roxio, a division of Sonic Solutions, is used to capture, save and share photos, audio and video files. An integer overflow vulnerability has been reported in Roxio Creator that can be triggered by a specially crafted image. The issue is due to an error in the product while allocating memory for an image based on its dimensions. Successful exploitation might allow an attacker to execute arbitrary code in the context of the logged-on user. Some technical details of the vulnerability are publicly available.

  • Status: Vendor confirmed, updates available.

  • References:
  • (4) MEDIUM: MuPDF Multiple Buffer Overflow Vulnerabilities
  • Affected:
    • MUPDF
    • SumatraPDF 1.x
  • Description: MuPDF is a lightweight PDF parsing library and is used by SumatraPDF, an open-source PDF viewer for Windows. It has been reported that MuPDF is exposed to multiple buffer overflow vulnerabilities which can be triggered by a specially crafted PDF file. The flaws are due to buffer overflow errors in the "pdf_loadtype4shade()", "pdf_loadtype5shade()", "pdf_loadtype6shade()" and "pdf_loadtype7shade()" functions in "pdf_shade4.c". Since SumatraPDF uses the vulnerable MuPDF library, it is also vulnerable. Successful exploitation might lead to arbitrary code execution in the context of the logged-in user. User interaction is required in that the victim must either visit a malicious site or open a malicious file. Full technical details of the vulnerabilities are publicly available via source code analysis.

  • Status: Vendor confirmed, updates available.

  • References:
Part II: Weekly Comprehensive List of Newly Discovered Vulnerabilities
Week 49, 2009

This list is compiled by Qualys ( www.qualys.com ) as part of that company's ongoing effort to ensure its vulnerability management web service tests for all known vulnerabilities that can be scanned. As of this week Qualys scans for 7702 unique vulnerabilities. For this special SANS community listing, Qualys also includes vulnerabilities that cannot be scanned remotely.

______________________________________________________________________


  • 09.49.1 - CVE: Not Available
  • Platform: Third Party Windows Apps
  • Title: CA eTrust PestPatrol Anti-Spyware "ppctl.dll" ActiveX Control Remote Buffer Overflow
  • Description: CA eTrust PestPatrol Anti-Spyware is used to identify and remove spyware applications from affected computers. It is also called CA Anti-Spyware. The application is exposed to a remote stack-based buffer overflow issue because it fails to perform adequate boundary checks on user-supplied input. "ppctl.dll" version 5.6.7.9 is affected.
  • Ref: http://www.fortiguard.com/encyclopedia/vulnerability/ca.etrust.pestpatrol.ppctl.dll.activex.access.html

  • 09.49.2 - CVE: Not Available
  • Platform: Third Party Windows Apps
  • Title: Robo-FTP Client Server Response Handling Unspecified Remote Buffer Overflow
  • Description: Robo-FTP Client is an FTP client available for Microsoft Windows. The application is exposed to a remote buffer overflow issue because it fails to perform adequate boundary checks on user-supplied data. This issue occurs when handling unspecified server response data. Robo-FTP Client version 3.6.17 is affected.
  • Ref: http://www.securityfocus.com/bid/37143

  • 09.49.3 - CVE: Not Available
  • Platform: Third Party Windows Apps
  • Title: Haihaisoft Universal Player "URL" Property ActiveX Control Buffer Overflow
  • Description: Haihaisoft Universal Player is an application that provides email sending/receiving for ActiveX applications. Haihaisoft Universal Player is exposed to a buffer overflow issue because it fails to perform adequate boundary checks on user-supplied data. The vulnerability affects the "URL" property of the ActiveX control contained in "MyActiveX.ocx". Haihaisoft Universal Player version 1.4.8.0 is affected.
  • Ref: http://www.shinnai.net/exploits/ZzLsi6TIfSuVPh1kPHmP.txt

  • 09.49.4 - CVE: CVE-2009-4031
  • Platform: Linux
  • Title: Linux Kernel KVM Large SMP Instruction Local Denial of Service
  • Description: The Linux kernel is exposed to a local denial of service vulnerability that affects the Kernel based Virtual Machine (KVM). Specifically, handling SMP (symmetric multiprocessing) instructions with lengths greater than 15 bytes may introduce latencies in scheduling. This issue is the result of errors in the "decode_cache" structure contained in the "arch/x86/include/asm/kvm_emulate.h" source code file and the "do_insn_fetch()" function contained in the "arch/x86/kvm/emulate.c" source code file.
  • Ref: http://git.kernel.org/?p=linux/kernel/git/avi/kvm.git;a=commitdiff;h=e42d9b8141d1f54ff72ad3850bb110c95a5f3b88

  • 09.49.5 - CVE: CVE-2009-3894
  • Platform: Linux
  • Title: Dag Wieers Dstat "sys.path" Search Path Local Privilege Escalation
  • Description: Dag Wieers Dstat is a resource viewer. The application is exposed to a local privilege escalation issue because it includes the current working directory and the "profile" subdirectory in the Python "sys.path". Dstat versions prior to 0.7.0 are affected.
  • Ref: http://bugs.gentoo.org/show_bug.cgi?id=293497

  • 09.49.6 - CVE: CVE-2009-4112
  • Platform: Linux
  • Title: Cacti "Linux - Get Memory Usage" Remote Command Execution
  • Description: Cacti is a complete frontend for the RRDTool. It is implemented in PHP and employs an SQL backend database. Cacti is exposed to an issue that attackers can leverage to execute arbitrary commands. This issue occurs because the software fails to adequately sanitize user-supplied input to the "Input String" field when configuring the "Data Input Method" option for the "Linux - Get Memory Usage" feature.
  • Ref: http://archives.neohapsis.com/archives/fulldisclosure/2009-11/0292.html

  • 09.49.7 - CVE: Not Available
  • Platform: Linux
  • Title: Linux Kernel "drivers/char/n_tty.c" NULL Pointer Dereference Denial of Service
  • Description: The Linux kernel is exposed to a local denial of service issue that affects the "n_tty_close()" function in the "drivers/char/n_tty.c" source file. Linux kernel version 2.6.31.5 is affected.
  • Ref: http://xorl.wordpress.com/2009/11/30/linux-kernel-tty-null-pointer-dereference-race-condition/

  • 09.49.8 - CVE: CVE-2009-4026, CVE-2009-4027
  • Platform: Linux
  • Title: Linux Kernel "net/mac80211/" Multiple Remote Denial of Service
  • Description: The Linux Kernel is exposed to multiple remote denial of service issues affecting the "mac80211" driver.
  • Ref: http://permalink.gmane.org/gmane.comp.security.oss.general/2388

  • 09.49.9 - CVE: Not Available
  • Platform: BSD
  • Title: FreeBSD "execl()" Local Privilege Escalation
  • Description: FreeBSD is exposed to a local privilege escalation vulnerability due to a design flaw affecting the "execl()" function in conjunction with the "environ" global variable. The "execl()" function is used to replace the current process image with a new process image. Local attackers can exploit this issue to execute arbitrary code with root privileges. FreeBSD 7.1-RELEASE and 8.0-RELEASE are affected.
  • Ref: http://www.securityfocus.com/archive/1/508146

  • 09.49.10 - CVE: Not Available
  • Platform: Solaris
  • Title: Sun Solaris LDAP Client Configuration Cache Daemon Local Denial of Service
  • Description: Sun Solaris is an operating system developed by Sun Microsystems. Sun Solaris is exposed to a local denial of service issue that affects the LDAP client configuration cache daemon. An attacker can exploit this issue to cause the LDAP "ldap_cachemgr" daemon to terminate, denying service to legitimate users. Solaris 8, Solaris 9, Solaris 10 and OpenSolaris builds snv_01 through snv_77 are affected.
  • Ref: http://sunsolve.sun.com/search/document.do?assetkey=1-66-231402-1

  • 09.49.11 - CVE: CVE-2009-4018
  • Platform: Cross Platform
  • Title: PHP "proc_open()" "safe_mode_protected_env_var" Restriction Bypass
  • Description: PHP is a general purpose scripting language that is especially suited for web development and can be embedded into HTML. PHP is exposed to a safe_mode restriction bypass issue that occurs because environment variables specified for "proc_open" are passed without being checked. This allows the "safe_mode_allowed_env_vars" and "safe_mode_protected_env_vars" settings to be bypassed. PHP versions prior to 5.3.1 are affected.
  • Ref: http://www.php.net/ChangeLog-5.php#5.3.1

  • 09.49.12 - CVE: CVE-2009-2631
  • Platform: Cross Platform
  • Title: Multiple Vendor Clientless SSL VPN Products Same Origin Policy Bypass
  • Description: Clientless SSL VPN products provide browser based access to resources, typically intranet sites, without using a traditional VPN client. Clientless SSL VPN products from multiple vendors are exposed to an issue that allows attackers to bypass the same origin policy.
  • Ref: http://www.kb.cert.org/vuls/id/261869

  • 09.49.13 - CVE: CVE-2009-4055
  • Platform: Cross Platform
  • Title: Asterisk RTP Comfort Noise Processing Remote Denial of Service
  • Description: Asterisk is a private branch exchange (PBX) application available for Linux, BSD, and Mac OS X platforms. Asterisk is exposed to a remote denial of service issue because it fails to properly handle malformed RTP comfort noise data.
  • Ref: http://downloads.asterisk.org/pub/security/AST-2009-010.html

  • 09.49.14 - CVE: Not Available
  • Platform: Cross Platform
  • Title: IBM WebSphere Portal Cross-Site Scripting and Unspecified Security Vulnerabilities
  • Description: IBM WebSphere Portal provides portal solutions. The application is exposed to multiple issues. An attacker may leverage the cross-site scripting issue to execute arbitrary script code in the browser of an unsuspecting user in the context of the affected site and steal cookie-based authentication credentials. IBM WebSphere Portal versions prior to 6.1.0.3 are affected.
  • Ref: http://www-01.ibm.com/support/docview.wss?uid=swg27014411

  • 09.49.15 - CVE: Not Available
  • Platform: Cross Platform
  • Title: RT Session Fixation Design Error
  • Description: RT is an enterprise level trouble ticketing application. The application is exposed to a session fixation issue caused by a design error when handling sessions. Attackers can exploit this issue to hijack a user's session and gain unauthorized access to the affected application. RT versions 3.0.0 up to and including 3.8.5 are affected.
  • Ref: http://lists.bestpractical.com/pipermail/rt-announce/2009-November/000176.html

  • 09.49.16 - CVE: Not Available
  • Platform: Cross Platform
  • Title: BlackBerry Attachment Service PDF Distiller Multiple Remote Code Execution Vulnerabilities
  • Description: BlackBerry Attachment Service is a component of BlackBerry Enterprise Server and BlackBerry Professional Software; it is used to process email attachments. BlackBerry Attachment Service is exposed to multiple remote code execution issues that occur when the service's PDF distiller tries to process specially crafted PDF files.
  • Ref: http://www.blackberry.com/btsc/search.do?cmd=displayKC&docType=kc&externalId=KB19860

  • 09.49.17 - CVE: CVE-2009-4074
  • Platform: Web Application - Cross Site Scripting
  • Title: Microsoft Internet Explorer 8 Cross-Site Scripting Filter Cross-Site Scripting
  • Description: Microsoft Internet Explorer is a web browser for Windows platforms. Internet Explorer 8 includes a cross-site scripting filter component that monitors requests and identifies and sanitizes potentially malicious traffic containing script code. Internet Explorer is exposed to a cross-site scripting issue due to a design flaw in the browser's cross-site scripting filter. Internet Explorer 8 is affected by this issue.
  • Ref: http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2009-4074

  • 09.49.18 - CVE: Not Available
  • Platform: Web Application - Cross Site Scripting
  • Title: DotNetNuke Cross-Site Scripting and Information Disclosure Vulnerabilities
  • Description: DotNetNuke is an open source framework for creating and deploying websites. The application is exposed to multiple issues. An attacker may leverage these issues to execute arbitrary script code in the browser of an unsuspecting user in the context of the affected site. This may help the attacker steal cookie-based authentication credentials and launch other attacks.
  • Ref: http://www.dotnetnuke.com/News/SecurityPolicy/securitybulletinno31/tabid/1450/Default.aspx

  • 09.49.19 - CVE: Not Available
  • Platform: Web Application - Cross Site Scripting
  • Title: Ruby on Rails "strip_tags()" Non-Printable Character Cross-Site Scripting
  • Description: Ruby on Rails is a web application framework available for multiple platforms. The application is exposed to a cross-site scripting vulnerability because it fails to sufficiently sanitize user-supplied input. Specifically, the "strip_tags()" function fails to handle some non-printable ASCII characters, which may then be evaluated by some browsers. Ruby on Rails versions prior to 2.3.5 are affected.
  • Ref: http://groups.google.com/group/rubyonrails-security/browse_thread/thread/4d4f71f2aef4c0ab?pli=1

  • 09.49.20 - CVE: Not Available
  • Platform: Web Application - Cross Site Scripting
  • Title: Joomla! ProofReader Component Cross-Site Scripting
  • Description: Joomla! is a web-based content manager. The application is exposed to a cross-site scripting issue because it fails to properly sanitize user-supplied input to URIs before including them in error pages. ProofReader versions 1.0 RC9 and earlier are affected.
  • Ref: http://websecurity.com.ua/3482/

  • 09.49.21 - CVE: Not Available
  • Platform: Web Application - Cross Site Scripting
  • Title: Joomla! 404 Error Page Cross-Site Scripting
  • Description: Joomla! is a PHP-based content manager. The application is exposed to a cross-site scripting issue because it fails to sanitize user-supplied input. This issue occurs in the 404 error page. An attacker may leverage this issue to execute arbitrary script code in the browser of an unsuspecting user in the context of the affected site. Joomla! versions 1.5.x prior to 1.5.12 are affected.
  • Ref: http://www.securityfocus.com/bid/37148

  • 09.49.22 - CVE: Not Available
  • Platform: Web Application - Cross Site Scripting
  • Title: Apache Tomcat 404 Error Page Cross-Site Scripting
  • Description: Apache Tomcat is a Java-based web server application available for multiple operating systems. The application is exposed to a cross-site scripting issue because it fails to sanitize user-supplied input. This issue occurs in the 404 error page. Apache Tomcat version 3.2.1 is affected.
  • Ref: http://websecurity.com.ua/3114

  • 09.49.23 - CVE: Not Available
  • Platform: Web Application - Cross Site Scripting
  • Title: Power Phlogger Cross-site Scripting
  • Description: Power Phlogger is a website statistics tool. The application is exposed to a cross-site scripting issue because it fails to sanitize user-supplied input to the "dspStats.php" script. Power Phlogger version 2.2.5 is affected.
  • Ref: http://www.websecurity.com.ua/1845

  • 09.49.24 - CVE: Not Available
  • Platform: Web Application - Cross Site Scripting
  • Title: SmartMedia Module for XOOPS "categoryid" Parameter Cross-Site Scripting
  • Description: The SmartMedia module is a PHP-based component for the XOOPS content manager. The component is exposed to a cross-site scripting issue because it fails to properly sanitize user-supplied input to the "categoryid" parameter of the "folder.php" script before using it in dynamically generated content. SmartMedia version 0.85 Beta is affected.
  • Ref: http://www.securityfocus.com/bid/37156

  • 09.49.25 - CVE: Not Available
  • Platform: Web Application - Cross Site Scripting
  • Title: TYPO3 [AN] Search it! Component Cross-Site Scripting
  • Description: TYPO3 [AN] Search it! ('an_searchit') is an extension for the TYPO3 content manager. The extension is exposed to an unspecified cross-site scripting issue because it fails to properly sanitize user-supplied input. TYPO3 [AN] Search it! versions 2.4.1 and earlier are affected.
  • Ref: http://typo3.org/teams/security/security-bulletins/typo3-sa-2009-017/

  • 09.49.26 - CVE: Not Available
  • Platform: Web Application - Cross Site Scripting
  • Title: TYPO3 Direct Mail Extension Cross-Site Scripting
  • Description: Direct Mail is an extension for the TYPO3 content manager. The extension is exposed to a cross-site scripting issue because it fails to properly sanitize user-supplied input. This issue affects the administrator newsletter configurations. Direct Mail versions prior to 2.6.5 are affected.
  • Ref: http://typo3.org/teams/security/security-bulletins/typo3-sa-2009-018/

  • 09.49.27 - CVE: Not Available
  • Platform: Web Application - SQL Injection
  • Title: Joomla! Google Calendar Component "gcid" Parameter SQL Injection
  • Description: Google Calendar ("com_gcalendar") is a PHP-based Google calendar integration component for the Joomla! content manager. The component is exposed to an SQL injection issue because it fails to sufficiently sanitize user-supplied data to the "gcid" parameter before using it in an SQL query. Joomla! Google Calendar component version 1.1.2 is affected.
  • Ref: http://www.securityfocus.com/bid/37134

  • 09.49.28 - CVE: Not Available
  • Platform: Web Application - SQL Injection
  • Title: LyftenBloggie Joomla! Component "pid" Parameter SQL Injection
  • Description: LyftenBloggie is a PHP-based component for the Joomla! content manager. The component is exposed to an SQL injection issue because it fails to sufficiently sanitize user-supplied data to the "author" parameter of the "com_lyftenbloggie" component before using it in an SQL query. LyftenBloggie version 1.0.4 is affected.
  • Ref: http://www.securityfocus.com/bid/37140

  • 09.49.29 - CVE: Not Available
  • Platform: Web Application - SQL Injection
  • Title: GCalendar Joomla! Component "gcid" Parameter SQL Injection
  • Description: GCalendar is a PHP-based component for the Joomla! content manager. The component is exposed to an SQL injection issue because it fails to sufficiently sanitize user-supplied data to the "gcid" parameter of the "com_gcalendar" component before using it in an SQL query. GCalendar version 2.1.4 is affected.
  • Ref: http://www.securityfocus.com/bid/37141

  • 09.49.30 - CVE: Not Available
  • Platform: Web Application - SQL Injection
  • Title: phpBazar "classified.php" SQL Injection
  • Description: phpBazar is a web-based application for classified ads and matchmaking. The application is exposed to an SQL injection issue because it fails to sufficiently sanitize user-supplied data to the "catid" parameter of the "classified.php" script before using it in an SQL query. phpBazar version 2.1.1 fix is affected.
  • Ref: http://www.securityfocus.com/bid/37144

  • 09.49.31 - CVE: Not Available
  • Platform: Web Application - SQL Injection
  • Title: MusicGallery Joomla! Component "id" Parameter SQL Injection
  • Description: MusicGallery is a PHP-based component for the Joomla! content manager. The component is exposed to an SQL injection issue because it fails to sufficiently sanitize user-supplied data to the "id" parameter of the "com_musicgallery" component before using it in an SQL query.
  • Ref: http://www.securityfocus.com/bid/37146

  • 09.49.32 - CVE: Not Available
  • Platform: Web Application - SQL Injection
  • Title: Content Module for XOOPS "id" Parameter SQL Injection
  • Description: The Content module is a PHP-based component for the XOOPS content manager. The component is exposed to an SQL injection issue because it fails to sufficiently sanitize user-supplied data to the "id" parameter of the "index.php" script before using it in an SQL query. Content version 0.5 is affected.
  • Ref: http://www.securityfocus.com/bid/37155

  • 09.49.33 - CVE: Not Available
  • Platform: Web Application - SQL Injection
  • Title: Joomla! Quick News Component "newsid" Parameter SQL Injection
  • Description: Quick News is a PHP-based component for the Joomla! content manager. The component is exposed to an SQL injection issue because it fails to sufficiently sanitize user-supplied data to the "newsid" parameter of the "com_quicknews" component before using it in an SQL query.
  • Ref: http://typo3.org/teams/security/security-bulletins/typo3-sa-2009-017/

  • 09.49.34 - CVE: Not Available
  • Platform: Web Application - SQL Injection
  • Title: TYPO3 Calendar Base Extension Unspecified SQL Injection
  • Description: Calendar Base ("cal") is an extension for the TYPO3 content manager. The extension is exposed to an SQL injection issue because it fails to sufficiently sanitize input before using it in an SQL query. Calendar Base versions 1.2.0 and earlier are affected.
  • Ref: http://typo3.org/teams/security/security-bulletins/typo3-sa-2009-019/

  • 09.49.35 - CVE: Not Available
  • Platform: Web Application - SQL Injection
  • Title: TYPO3 TW Productfinder Extension Unspecified SQL Injection
  • Description: TW Productfinder is an extension for the TYPO3 content manager. The extension is exposed to an SQL injection issue because it fails to sufficiently sanitize user-supplied input before using it in an SQL query. TW Productfinder versions 0.0.2 and earlier are affected.
  • Ref: http://typo3.org/teams/security/security-bulletins/typo3-sa-2009-017/

  • 09.49.36 - CVE: Not Available
  • Platform: Web Application - SQL Injection
  • Title: TYPO3 Trips Extension Unspecified SQL Injection
  • Description: TYPO3 Trips ("mchtrips") is an extension for the TYPO3 content manager. The extension is exposed to an unspecified SQL injection issue because it fails to sufficiently sanitize input before using it in an SQL query. TYPO3 Trips versions prior to 2.0.1 are affected.
  • Ref: http://typo3.org/teams/security/security-bulletins/typo3-sa-2009-017/

  • 09.49.37 - CVE: Not Available
  • Platform: Web Application
  • Title: phpBazar "admin/admin.php" Authentication Bypass
  • Description: phpBazar is a web-based classified ad and matchmaking application. The application is exposed to an authentication bypass issue because it fails to restrict access to its administration panel. Specifically, this issue affects the "admin/admin.php" script. phpBazar versions 2.1.1 and 2.0.1 are affected.
  • Ref: http://www.securityfocus.com/bid/37132

  • 09.49.38 - CVE: Not Available
  • Platform: Web Application
  • Title: SugarCRM Versions 5.2.0j and 5.5.0.RC2 Multiple Remote Vulnerabilities
  • Description: SugarCRM is a PHP-based web application. SugarCRM is exposed to multiple remote issues. Exploiting these issues could allow an attacker to gain unauthorized access to the affected application, gain access to sensitive information, execute arbitrary PHP code, compromise the application, access or modify data, or exploit latent vulnerabilities in the underlying database. SugarCRM versions 5.2.0j and 5.5.0.RC2 are affected.
  • Ref: http://www.waraxe.us/advisory-76.html

  • 09.49.39 - CVE: Not Available
  • Platform: Web Application
  • Title: AWStats Multiple Unspecified Security Vulnerabilities
  • Description: AWStats is a Perl-based application that provides statistics on server traffic. The application is exposed to multiple security issues related to a security key in the "awredir.pl" script and a certain parameter sanitizing function.
  • Ref: http://awstats.sourceforge.net/docs/awstats_changelog.txt

  • 09.49.40 - CVE: Not Available
  • Platform: Web Application
  • Title: Elxis "filename" Parameter Directory Traversal
  • Description: Elxis is a PHP-based content manager. The application is exposed to a directory traversal issue because it fails to sufficiently sanitize user-supplied input to the "filename" parameter of the "feedcreator.class.php" script.
  • Ref: http://www.securityfocus.com/bid/37158

  • 09.49.41 - CVE: Not Available
  • Platform: Web Application
  • Title: Ciamos "module_path" Parameter Remote File Include
  • Description: Ciamos is a content manager. Ciamos is exposed to a remote file include issue because it fails to sufficiently sanitize user-supplied input to the "module_path" parameter of the "index.php" script. Ciamos versions 0.9.5 and earlier are affected.
  • Ref: http://www.exploit-db.com/exploits/10259

  • 09.49.42 - CVE: Not Available
  • Platform: Web Application
  • Title: TYPO3 Simple download-system (kk_downloader) Unspecified Information Disclosure
  • Description: Simple download-system with counter and categories (kk_downloader) is an extension for the TYPO3 content manager. The extension is exposed to an unspecified information disclosure issue. Simple download-system with counter and categories (kk_downloader) versions prior to 1.2.2 are affected.
  • Ref: http://typo3.org/teams/security/security-bulletins/typo3-sa-2009-017/

  • 09.49.43 - CVE: Not Available
  • Platform: Web Application
  • Title: TYPO3 Automatic Base Tags for RealUrl Extension Cache Spoofing
  • Description: TYPO3 Automatic Base Tags for RealUrl is a third party extension for the TYPO3 content manager. The extension is prone to an unspecified cache spoofing vulnerability. Automatic Base Tags for RealUrl version 1.0.0 is affected.
  • Ref: http://typo3.org/teams/security/security-bulletins/typo3-sa-2009-017/

  • 09.49.44 - CVE: Not Available
  • Platform: Web Application
  • Title: TYPO3 simple Glossar Extension Unspecified Cross-Site Scripting and SQL Injection Vulnerabilities
  • Description: TYPO3 simple Glossar ("simple_glossar") is an extension for the TYPO3 content manager. The extension is exposed to a cross-site scripting issue and an SQL injection issue because it fails to properly sanitize user-supplied input. simple Glossar version 1.0.3 is affected.
  • Ref: http://typo3.org/teams/security/security-bulletins/typo3-sa-2009-017/

(c) 2009. All rights reserved. The information contained in this newsletter, including any external links, is provided "AS IS," with no express or implied warranty, for informational purposes only. In some cases, copyright for material in this newsletter may be held by a party other than Qualys (as indicated herein) and permission to use such material must be requested from the copyright owner.

Subscriptions: @RISK is distributed free of charge by the SANS Institute to people responsible for managing and securing information systems and networks. You may forward this newsletter to others with such responsibility inside or outside your organization.