@RISK: The Consensus Security Vulnerability Alert

Part I -- Critical Vulnerabilities from TippingPoint (www.tippingpoint.com)

• (1) CRITICAL: Apple Mac OS X Multiple Vulnerabilities (Security Update 2009-001)
• (2) HIGH: FreeBSD telnetd Remote Code Execution Vulnerability
• (3) LOW: Microsoft XML Core Services XMLHttpRequest Information Disclosure
• (4) LOW: Symantec Veritas NetBackup "vnet" Remote Escalation of Privilege vulnerability

Part II -- Comprehensive List of Newly Discovered Vulnerabilities from Qualys (www.qualys.com)

Other Microsoft Products

• 09.8.1 - Microsoft XML Core Services XMLHttpRequest "SetCookie2" Header Information Disclosure

Third Party Windows Apps

• 09.8.2 - Symantec Endpoint Protection "Smc.exe" Local Denial of Service
• 09.8.3 - RimArts Becky! Internet Mail Return Receipt Remote Buffer Overflow
• 09.8.4 - GeoVision LiveX ActiveX Control "SnapShotToFile()" Arbitrary File Overwrite

Mac Os

• 09.8.5 - Apple Mac OS X 2009-001 Multiple Security Vulnerabilities
• 09.8.6 - Apple Mac OS X SMB File System Remote Denial of Service
• 09.8.7 - Apple Mac OS X Xterm Local Privilege Escalation
• 09.8.8 - Apple Mac OS X SMB Component Unspecified Buffer Overflow
• (both - Apple Mac OS X Pixlet Video Handling Remote Code Execution
• 09.8.11 - Apple Mac OS X CoreText Unicode String Handling Heap Based Buffer Overflow

Linux

• 09.8.12 - Linux Kernel KProbe Memory Corruption
• 09.8.13 - SUSE blinux Buffer Overflow
• 09.8.14 - Ubuntu xorg-driver-fglrx "LD_LIBRARY_PATH" Remote Command Execution

BSD

• 09.8.15 - FreeBSD "telnetd" Daemon Remote Code Execution

Cross Platform

• 09.8.16 - Geovision Digital Video Surveillance System Directory Traversal
• 09.8.17 - W3C Amaya "CheckUniqueName()" Multiple Stack Based Buffer Overflow Vulnerabilities
• 09.8.18 - GE Fanuc iFIX Insecure Authentication Multiple Unauthorized Access Vulnerabilities
• 09.8.19 - pam-krb5 Local Privilege Escalation
• 09.8.20 - pam-krb5 "KRB5CCNAME" Environment Variable Local Privilege Escalation
• 09.8.21 - Net-SNMP "snmpUDPDomain.c" Remote Information Disclosure
• 09.8.22 - Sun Java System Directory Server Directory Proxy Server JDBC Backend Denial of Service
• 09.8.23 - python-fedora Security Bypass
• 09.8.24 - TPTEST "pwd" Remote Stack Buffer Overflow
• 09.8.25 - UniversalIndentGUI "SettingsPaths.cpp" Insecure Temporary File Creation
• 09.8.26 - Ruby "OCSP_basic_verify()" X.509 Certificate Verification
• 09.8.27 - Google Chrome XMLHttpRequest Cookie Information Disclosure
• 09.8.28 - University of Washington IMAP c-client Remote Format String
• 09.8.29 - Transmission Connection Timeout Remote Denial of Service

Web Application - Cross Site Scripting

• 09.8.30 - Drupal Troll Module "Form API" Cross-Site Request Forgery
• 09.8.31 - FAST ESP Cross-Site Scripting
• 09.8.32 - Jojo CMS Multiple Cross-Site Scripting Vulnerabilities
• 09.8.33 - Samizdat Multiple Cross-Site Scripting Vulnerabilities
• 09.8.34 - Openfiler "redirect" Parameter Cross-Site Scripting

Web Application - SQL Injection

• 09.8.35 - Bloggeruniverse "editcomments.php" SQL Injection
• 09.8.36 - Scripts Den Dating Website Script "searchmatch.php" SQL Injection
• 09.8.37 - InselPhoto "search.php" SQL Injection
• 09.8.38 - Calendarix Multiple SQL Injection Vulnerabilities
• 09.8.39 - MemHT Portal "deletenewpm" Parameter SQL Injection
• 09.8.40 - SAS Hotel Management System "myhotel_info.asp" SQL Injection
• 09.8.41 - Free Joke Script Multiple SQL Injection Vulnerabilities
• 09.8.42 - IdeaCart Local File Include and SQL Injection Vulnerabilities
• 09.8.43 - Vlinks "forum/page.php" SQL Injection
• 09.8.44 - BlogIt! Multiple SQL Injection Vulnerabilities
• 09.8.45 - CMS Faethon "info.php" SQL Injection
• 09.8.46 - BlogWrite "print.php" SQL Injection
• 09.8.47 - Grestul Multiple SQL Injection Vulnerabilities
• 09.8.48 - pHNews "header.php" SQL Injection
• 09.8.49 - S-CMS SQL Injection and Cookie Authentication Bypass Vulnerabilities

Web Application

• 09.8.50 - Drupal Ajax Checklist Module Unspecified HTML Injection
• 09.8.51 - SkaDate "photo" Arbitrary File Upload
• 09.8.52 - Dacio's CMS Cross-Site Scripting and Multiple SQL Injection Vulnerabilities
• 09.8.53 - Graugon Gallery Multiple Security Vulnerabilities
• 09.8.54 - Drupal Advertisement Module Multiple HTML Injection Vulnerabilities
• 09.8.55 - Poppler Multiple Denial of Service Vulnerabilities
• 09.8.56 - RavenNuke Multiple Input Validation Vulnerabilities
• 09.8.57 - NovaBoard Multiple Remote Vulnerabilities
• 09.8.58 - InselPhoto Photo Description Field HTML Injection
• 09.8.59 - PowerMovieList Multiple SQL Injection and Cross-Site Scripting Vulnerabilities
• 09.8.60 - Baran CMS Multiple Input Validation Vulnerabilities
• 09.8.61 - EsFaq "questions.php" SQL Injection
• 09.8.62 - ea-gBook "inc_ordner" Parameter Remote File Include
• 09.8.63 - simplePMS PHP Code Injection and Local File Include Vulnerabilities
• 09.8.64 - ClipBucket "dwnld.php" Directory Traversal
• 09.8.65 - YACS "update_trailer.php" Remote File Include
• 09.8.66 - WikkaWiki "backlinks" Handler Information Disclosure
• 09.8.67 - WebKit XMLHttpRequest Cookie Information Disclosure

Network Device

• 09.8.68 - Nokia N95 "setAttributeNode()" Denial of Service

PART I Critical Vulnerabilities

Part I for this issue has been compiled by Rohan Kotian at TippingPoint, a division of 3Com, as a by-product of that company's continuous effort to ensure that its intrusion prevention products effectively block exploits using known vulnerabilities. TippingPoint's analysis is complemented by input from a council of security managers from twelve large organizations who confidentially share with SANS the specific actions they have taken to protect their systems. A detailed description of the process may be found at http://www.sans.org/newsletters/cva/#process

Part II: Weekly Comprehensive List of Newly Discovered Vulnerabilities
Week 8, 2009

This list is compiled by Qualys ( www.qualys.com ) as part of that company's ongoing effort to ensure its vulnerability management web service tests for all known vulnerabilities that can be scanned. As of this week Qualys scans for 5549 unique vulnerabilities. For this special SANS community listing, Qualys also includes vulnerabilities that cannot be scanned remotely.

• 09.8.1 - CVE: CVE-2009-0419
• Platform: Other Microsoft Products
• Title: Microsoft XML Core Services XMLHttpRequest "SetCookie2" Header Information Disclosure
• Description: Microsoft XML Core Services (MSXML) is a software component that allows multiple programming languages to support XML-based communication. MSXML is exposed to an information disclosure issue because it fails to properly protect sensitive cookie data with the "HTTPOnly" protection mechanism.
• Ref: https://bugzilla.mozilla.org/show_bug.cgi?id=380418

• 09.8.2 - CVE: Not Available
• Platform: Third Party Windows Apps
• Title: Symantec Endpoint Protection "Smc.exe" Local Denial of Service
• Description: Symantec Endpoint Protection is a desktop security application that includes antivirus and firewall functionality. Endpoint Protection is exposed to a local denial of service issue. Specifically, this issue lies in the "Smc.exe" executable and occurs because the software fails to handle malformed command-line parameters. Endpoint Protection version 11.0.4000 is affected.
• Ref: http://www.securityfocus.com/archive/1/500964

• 09.8.3 - CVE: Not Available
• Platform: Third Party Windows Apps
• Title: RimArts Becky! Internet Mail Return Receipt Remote Buffer Overflow
• Description: RimArts Becky! Internet Mail is an e-mail client for Microsoft Windows. Becky! Internet Mail is exposed to a remote buffer overflow issue because it fails to perform adequate bounds checks on user-supplied input. Becky! Internet Mail versions prior to 2.50 are affected.
• Ref: http://jvn.jp/en/jp/JVN29641290/index.html

• 09.8.4 - CVE: Not Available
• Platform: Third Party Windows Apps
• Title: GeoVision LiveX ActiveX Control "SnapShotToFile()" Arbitrary File Overwrite
• Description: GeoVision LiveX is an ActiveX control for displaying information in graphs on a web page. The application is exposed to an issue that allows attackers to overwrite files with arbitrary, attacker-supplied content. GeoVision LiveX ActiveX control versions 7000, 8120 and 8200 are affected.
• Ref: http://support.microsoft.com/kb/240797

• 09.8.5 - CVE: CVE-2009-0009, CVE-2009-0020, CVE-2009-0142,CVE-2009-0011, CVE-2009-0012, CVE-2009-0013, CVE-2009-0014,CVE-2009-0015, CVE-2009-0017, CVE-2009-0018, CVE-2009-0019,CVE-2009-0137, CVE-2009-0138, CVE-2009-0139, CVE-2009-0140,CVE-2009-0141
• Platform: Mac Os
• Title: Apple Mac OS X 2009-001 Multiple Security Vulnerabilities
• Description: Apple Mac OS X is exposed to multiple security issues that have been addressed in Security Update 2009-001. The security update addresses a total of 16 new vulnerabilities that affect the AFP server, movie playing, Resource Manager, Certificate Assistant, CoreText, "dscl", Folder Manager, FSEvents, csregprinter, Remote Apple Event Viewer, Safari, SMB File System, and XTerm components of Mac OS X.
• Ref: http://support.apple.com/kb/ht3438

• 09.8.6 - CVE: CVE-2009-0140
• Platform: Mac Os
• Title: Apple Mac OS X SMB File System Remote Denial of Service
• Description: Apple Mac OS X SMB File System is prone to a remote denial of service vulnerability when handling SMB file system names. An attacker that can trick an unsuspecting victim into connecting to a malicious SMB server can exploit this issue to cause the affected computer to shutdown.
• Ref: http://support.apple.com/kb/ht3438

• 09.8.7 - CVE: CVE-2009-0141
• Platform: Mac Os
• Title: Apple Mac OS X Xterm Local Privilege Escalation
• Description: Apple Mac OS X is prone to a local privilege escalation vulnerability. This issue affects the XTerm terminal application when used in conjunction with Luit, which provides multilanguage support. Specifically, this issue results from XTerm creating tty devices without access restrictions. Mac OS X versions 10.4.11 and 10.5.6 are affected.
• Ref: http://support.apple.com/kb/ht3438

• 09.8.8 - CVE: CVE-2009-0139
• Platform: Mac Os
• Title: Apple Mac OS X SMB Component Unspecified Buffer Overflow
• Description: Apple Mac OS X is exposed to a buffer overflow issue that occurs in the SMB component. Attackers can exploit this issue by enticing an unsuspecting user to connect to a malicious SMB server. OS X versions 10.5.6 and OS X Server 10.5.6 are affected.
• Ref: http://support.apple.com/kb/ht3438

• (both - CVE: CVE-2009-000910.4.11 and client and server) are affected.
• Platform: Mac Os
• Title: Apple Mac OS X Pixlet Video Handling Remote Code Execution
• Description: Apple Mac OS X is exposed to a code execution issue because it fails to perform adequate boundary checks on user-supplied data. Specifically, a memory corruption vulnerability occurs when handling movies encoded with the Pixlet codec. Mac OS X versions
• Ref: http://support.apple.com/kb/ht3438

• 09.8.11 - CVE: CVE-2009-0012
• Platform: Mac Os
• Title: Apple Mac OS X CoreText Unicode String Handling Heap Based Buffer Overflow
• Description: Apple Mac OS X is prone to a heap-based buffer overflow vulnerability that affects the CoreText component. Attackers can exploit this issue by enticing an unsuspecting user to handle maliciously crafted Unicode strings, such as when viewing a maliciously crafted web page. Apple Mac OS X versions 10.5.6 and OS X Server 10.5.6 are vulnerable.
• Ref: http://support.apple.com/kb/ht3438

• 09.8.12 - CVE: Not Available
• Platform: Linux
• Title: Linux Kernel KProbe Memory Corruption
• Description: KProbes are a mechanism used to monitor and debug Linux kernel operations. KProbes are exposed to a memory corruption issue because of a failure to handle certain fault conditions. This issue affects the function "do_page_fault()" in the "arch/x86/mm/fault.c" source code file. Linux kernel versions prior to 2.6.28.5 are affected.
• Ref: http://kernel.org/pub/linux/kernel/v2.6/ChangeLog-2.6.28.5

• 09.8.13 - CVE: CVE-2009-0310
• Platform: Linux
• Title: SUSE blinux Buffer Overflow
• Description: The SUSE blinux (sbl) package is a screen reader for the Linux console which supports braille displays. The sbl package is exposed to a buffer overflow issue because it fails to perform adequate boundary checks on user-supplied data. Specifically, this issue occurs due to a failure to handle incoming data and authentication strings.
• Ref: http://www.securityfocus.com/bid/33794

• 09.8.14 - CVE: Not Available
• Platform: Linux
• Title: Ubuntu xorg-driver-fglrx "LD_LIBRARY_PATH" Remote Command Execution
• Description: Ubuntu xorg-driver-fglrx (FireGL and Radeon for X) is a driver for ATI video cards for the X11 window system. The package is exposed to a remote command execution issue because it creates unsafe environment variables. This problem occurs because the current working directory is prepended to the "LD_LIBRARY_PATH" list by the script "/etc/X11/Xsession.d/10fglrx". Ubuntu version 8.10 is affected. Ref: https://bugs.launchpad.net/ubuntu/+source/linux-restricted-modules-2.6.24/+bug/323327

• 09.8.15 - CVE: Not Available
• Platform: BSD
• Title: FreeBSD "telnetd" Daemon Remote Code Execution
• Description: FreeBSD is exposed to a remote code execution issue that exists in the "telnetd" daemon. This issue occurs because the application fails to sufficiently sanitize user-supplied "LD_* " environment variables when executing "/bin/login". FreeBSD version 7.0-RELEASE is affected.
• Ref: http://security.freebsd.org/advisories/FreeBSD-SA-09:05.telnetd.asc

• 09.8.16 - CVE: Not Available
• Platform: Cross Platform
• Title: Geovision Digital Video Surveillance System Directory Traversal
• Description: Geovision Digital Video Surveillance System is a surveillance camera application. Geovision Digital Video Surveillance System is exposed to a directory traversal issue because the application fails to sufficiently sanitize user-supplied input.
• Ref: http://www.securityfocus.com/archive/1/500858

• 09.8.17 - CVE: CVE-2008-6005
• Platform: Cross Platform
• Title: W3C Amaya "CheckUniqueName()" Multiple Stack Based Buffer Overflow Vulnerabilities
• Description: W3C Amaya is a freely available web browser and editor that runs on multiple platforms. Amaya is exposed to multiple stack-based buffer overflow issues because it fails to perform adequate checks on user-supplied input. Amaya versions prior to 11.1 are vulnerable.
• Ref: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=507587#15

• 09.8.18 - CVE: CVE-2009-0216
• Platform: Cross Platform
• Title: GE Fanuc iFIX Insecure Authentication Multiple Unauthorized Access Vulnerabilities
• Description: GE Fanuc iFIX is an HMI/SCADA client/server application. iFIX is exposed to multiple issues that could let attackers gain unauthorized access because it handles authentication in an insecure manner. GE Fanuc iFIX versions up to and including 5.0 are affected.
• Ref: http://www.kb.cert.org/vuls/id/310355

• 09.8.19 - CVE: CVE-2009-0360
• Platform: Cross Platform
• Title: pam-krb5 Local Privilege Escalation
• Description: Pluggable authentication modules (PAM) provide a standard interface to a variety of authentication mechanisms. The pam-krb5 library is used to provide a PAM interface to the Kerberos authentication system. The library is exposed to a local privilege escalation issue because of a failure to properly handle setuid processes. This issue is reported to affect the pam-krb5 module as shipped with Debian, Ubuntu and Gentoo Linux releases.
• Ref: http://sunsolve.sun.com/search/document.do?assetkey=1-66-252767-1

• 09.8.20 - CVE: CVE-2009-0361
• Platform: Cross Platform
• Title: pam-krb5 "KRB5CCNAME" Environment Variable Local Privilege Escalation
• Description: Pluggable authentication modules (PAM) provide a standard interface to a variety of authentication mechanisms. Russ Allbery maintains a pam-krb5 library which provides a PAM interface to Kerberos authentication systems. The pam-krb5 library is exposed to a local privilege escalation issue because of a failure to properly handle setuid processes. pam-krb5 versions prior to 3.13 are affected.
• Ref: http://sunsolve.sun.com/search/document.do?assetkey=1-66-252767-1

• 09.8.21 - CVE: CVE-2008-6123
• Platform: Cross Platform
• Title: Net-SNMP "snmpUDPDomain.c" Remote Information Disclosure
• Description: Net-SNMP is a set of tools and libraries used for deploying the SNMP protocol. The application is exposed to a remote information disclosure issue because it fails to properly parse "hosts.allow" and "hosts.deny" TCP Wrappers rules. This issue stems from mishandling source and destination IP addresses. Net-SNMP version 5.4.2.1 is affected.
• Ref: https://bugzilla.redhat.com/show_bug.cgi?id=485211

• 09.8.22 - CVE: Not Available
• Platform: Cross Platform
• Title: Sun Java System Directory Server Directory Proxy Server JDBC Backend Denial of Service
• Description: Sun Java System Directory Server is an LDAP (Lightweight Directory Access Protocol) server distributed with multiple Sun products. The Directory Proxy Server is a component of Sun Java System Directory Server Enterprise Edition. The Directory Proxy Server is exposed to a denial of service issue that occurs due to unspecified error.
• Ref: http://sunsolve.sun.com/search/document.do?assetkey=1-66-251086-1

• 09.8.23 - CVE: Not Available
• Platform: Cross Platform
• Title: python-fedora Security Bypass
• Description: python-fedora is a set of python modules used for building Fedora Services. One of the modules provides functionality for authenticating and verifying user credentials against FAS2 (Fedora Account System 2). python-fedora is affected by a security bypass vulnerability because of an error in the "fedora.client.AccountSystem().verify_password()" method. The issue causes the method to return "True" for arbitrary username and password combination.
• Ref: http://www.securityfocus.com/bid/33762

• 09.8.24 - CVE: Not Available
• Platform: Cross Platform
• Title: TPTEST "pwd" Remote Stack Buffer Overflow
• Description: TPTEST is network performance testing software available for a number of platforms. The TPTEST server is exposed to a remote stack-based buffer overflow issue. Specifically, this issue occurs due to a failure to handle excessive data supplied by the client as the "pwd" argument. TPTEST version 3.1.7 is affected.
• Ref: http://www.securityfocus.com/bid/33785

• 09.8.25 - CVE: Not Available
• Platform: Cross Platform
• Title: UniversalIndentGUI "SettingsPaths.cpp" Insecure Temporary File Creation
• Description: UniversalIndentGUI is a tool for creating indented, more readable code. The application creates temporary files with a fixed name in the "SettingsPaths::init()" function of the "SettingsPaths.cpp" source file. UniversalIndentGUI versions prior to 1.0.2 are vulnerable. Ref: http://universalindent.svn.sourceforge.net/viewvc/universalindent/trunk/src/SettingsPaths.cpp?r1=893&r2=901

• 09.8.26 - CVE: Not Available
• Platform: Cross Platform
• Title: Ruby "OCSP_basic_verify()" X.509 Certificate Verification
• Description: Ruby is an object oriented scripting language. Ruby is exposed to an issue related to the handling of the Online Certificate Status Protocol (OSCP), used to obtain the revocation status of x.509 certificates. This error occurs in the "ext/openssl/ossl_ocsp.c" source code file. Ruby versions 1.8.7 and 1.9.1 are affected.
• Ref: http://redmine.ruby-lang.org/issues/show/1091

• 09.8.27 - CVE: CVE-2009-0411
• Platform: Cross Platform
• Title: Google Chrome XMLHttpRequest Cookie Information Disclosure
• Description: Google Chrome is a web browser. Chrome is exposed to an information disclosure issue because cookies marked "HTTPOnly" are readable by JavaScript through the XMLHttpRequest API. An attacker can exploit this to bypass the "HTTPOnly" flag security restrictions to gain access to cookie data. Chrome versions prior to 1.0.154.46 are affected.
• Ref: http://www.securityfocus.com/bid/33773

• 09.8.28 - CVE: Not Available
• Platform: Cross Platform
• Title: University of Washington IMAP c-client Remote Format String
• Description: The University of Washington IMAP library is an implementation of the IMAP mail protocol. c-client is exposed to a remote format string issue because of incorrect usage of "printf()"-type functions, allowing format specifiers to be supplied directly to vulnerable functions from external data. IMAP version 2007d is affected.
• Ref: http://www.securityfocus.com/bid/33795

• 09.8.29 - CVE: Not Available
• Platform: Cross Platform
• Title: Transmission Connection Timeout Remote Denial of Service
• Description: Transmission is a multi-platform BitTorrent client. The application is exposed to a remote denial of service issue. Specifically, the application fails to enforce a timeout on incoming connections. Transmission version 1.41 is affected.
• Ref: http://trac.transmissionbt.com/ticket/1810

• 09.8.30 - CVE: Not Available
• Platform: Web Application - Cross Site Scripting
• Title: Drupal Troll Module "Form API" Cross-Site Request Forgery
• Description: The Drupal Troll module is a troll management tools for community sites. The application is exposed to a cross-site request forgery issue because it fails to properly implement the Drupal Form API.
• Ref: http://drupal.org/node/372903

• 09.8.31 - CVE: Not Available
• Platform: Web Application - Cross Site Scripting
• Title: FAST ESP Cross-Site Scripting
• Description: FAST ESP is an enterprise search platform. The application is exposed to a cross-site scripting issue because it fails to sufficiently sanitize user-supplied input to an unspecified parameter of the management interface. FAST ESP version 5.1.5 is affected.
• Ref: http://www.securityfocus.com/bid/33750

• 09.8.32 - CVE: Not Available
• Platform: Web Application - Cross Site Scripting
• Title: Jojo CMS Multiple Cross-Site Scripting Vulnerabilities
• Description: Jojo CMS is a PHP-based content manager. The application is exposed to multiple cross-site scripting issues because it fails to properly sanitize user-supplied input. Specifically, these issues affect the "Mail Address" or "Username" textboxes of the "forgot-password" page. Jojo CMS version 1.0 RC1 is affected.
• Ref: http://www.securityfocus.com/bid/33757

• 09.8.33 - CVE: CVE-2009-0359
• Platform: Web Application - Cross Site Scripting
• Title: Samizdat Multiple Cross-Site Scripting Vulnerabilities
• Description: Samizdat is a framework for building collaboration and open publishing websites. The application is exposed to multiple cross-site scripting issues because it fails to properly sanitize user-supplied input. Samizdat versions prior to 0.6.2 are vulnerable.
• Ref: http://www.securityfocus.com/archive/1/500961

• 09.8.34 - CVE: Not Available
• Platform: Web Application - Cross Site Scripting
• Title: Openfiler "redirect" Parameter Cross-Site Scripting
• Description: Openfiler is open-source storage software. The application is exposed to a cross-site scripting issue because it fails to sufficiently sanitize user-supplied input. This issue affects the "redirect" parameter of the "index.html" script. Openfiler version 2.3 is affected.
• Ref: http://www.securityfocus.com/bid/33778

• 09.8.35 - CVE: Not Available
• Platform: Web Application - SQL Injection
• Title: Bloggeruniverse "editcomments.php" SQL Injection
• Description: Bloggeruniverse is a web-based blogging application. The application is exposed to an SQL injection issue because it fails to sufficiently sanitize user-supplied data to the "id" parameter of the "editcomments.php" script before using the data in an SQL query. Bloggeruniverse beta version 2 is affected.
• Ref: http://www.securityfocus.com/bid/33744

• 09.8.36 - CVE: Not Available
• Platform: Web Application - SQL Injection
• Title: Scripts Den Dating Website Script "searchmatch.php" SQL Injection
• Description: Dating Website Script is an online dating script implemented in PHP. The application is exposed to an SQL injection issue because it fails to sufficiently sanitize user-supplied data to the "txtlookgender" parameter of the "searchmatch.php" script before using the data in an SQL query. Dating Website Script version 9.01 is affected.
• Ref: http://www.securityfocus.com/bid/33746

• 09.8.37 - CVE: Not Available
• Platform: Web Application - SQL Injection
• Title: InselPhoto "search.php" SQL Injection
• Description: InselPhoto is a web-based application implemented in PHP. The application is exposed to an SQL injection issue because it fails to sufficiently sanitize user-supplied data to the "query" parameter of the "search.php" script before using the data in an SQL query. InselPhoto version 1.1 is affected.
• Ref: http://www.securityfocus.com/bid/33748

• 09.8.38 - CVE: Not Available
• Platform: Web Application - SQL Injection
• Title: Calendarix Multiple SQL Injection Vulnerabilities
• Description: Calendarix is a web-based calendar implemented in PHP. The application is exposed to multiple SQL injection issues because it fails to sufficiently sanitize user-supplied data to the "login" parameter in the "cal_login.php" and "admin/cal_login.php" scripts. Calendarix Advanced version 1.8.20081228 and Calendarix Basic version 0.8.20080808 are affected.
• Ref: https://bugs.edge.launchpad.net/poppler/+bug/320181

• 09.8.39 - CVE: Not Available
• Platform: Web Application - SQL Injection
• Title: MemHT Portal "deletenewpm" Parameter SQL Injection
• Description: MemHT Portal is a PHP-based content management system. The application is exposed to an SQL injection issue because it fails to sufficiently sanitize user-supplied data to the "deletenewpm" parameter of the "pages/putmsg/index.php" script before using it in an SQL query. MemHT Portal version 4.0.1 is affected.
• Ref: http://www.securityfocus.com/bid/33789

• 09.8.40 - CVE: Not Available
• Platform: Web Application - SQL Injection
• Title: SAS Hotel Management System "myhotel_info.asp" SQL Injection
• Description: SAS Hotel Management System is an ASP-based application for handling hotel reservations. The application is prone to an SQL injection issue because it fails to sufficiently sanitize user-supplied data to the "id" parameter of the "myhotel_info.asp" script before using it in an SQL query.
• Ref: http://www.securityfocus.com/bid/33790

• 09.8.41 - CVE: Not Available
• Platform: Web Application - SQL Injection
• Title: Free Joke Script Multiple SQL Injection Vulnerabilities
• Description: Free Joke Script is a web-based application implemented in PHP. The application is exposed to multiple SQL injection issues because it fails to sufficiently sanitize user-supplied data to the "cat_id" parameter of the "joke-archives.php" script and the login field of the login section. Free Joke Script version 1.0 is affected.
• Ref: http://www.securityfocus.com/bid/33760

• 09.8.42 - CVE: Not Available
• Platform: Web Application - SQL Injection
• Title: IdeaCart Local File Include and SQL Injection Vulnerabilities
• Description: IdeaCart is a PHP-based ecommerce application. The application is exposed to multiple input validation issues. An attacker can exploit the local file include vulnerability using directory traversal strings to view or execute local files within the context of the web server process. IdeaCart version 0.02 is affected.
• Ref: http://www.securityfocus.com/bid/33765

• 09.8.43 - CVE: Not Available
• Platform: Web Application - SQL Injection
• Title: Vlinks "forum/page.php" SQL Injection
• Description: Vlinks is a PHP-based link directory application. The application is exposed to an SQL injection issue because it fails to sufficiently sanitize user-supplied data to the "id" parameter of the "forum/page.php" script. Vlinks version 1.1.6 is affected.
• Ref: http://www.securityfocus.com/bid/33766

• 09.8.44 - CVE: CVE-2009-0337
• Platform: Web Application - SQL Injection
• Title: BlogIt! Multiple SQL Injection Vulnerabilities
• Description: BlogIt! is a web-log application implemented in ASP. The application is exposed to multiple SQL injection issues because it fails to sufficiently sanitize user-supplied data to the "month" and "year" parameters of the "index.asp" script before using it in an SQL query.
• Ref: http://www.securityfocus.com/bid/33771

• 09.8.45 - CVE: Not Available
• Platform: Web Application - SQL Injection
• Title: CMS Faethon "info.php" SQL Injection
• Description: CMS Faethon is a PHP-based content manager. The application is exposed to an SQL injection issue because it fails to sufficiently sanitize user-supplied data to the "item" parameter of the "info.php" script before using the data in an SQL query. CMS Faethon version 2.2.0 is affected.
• Ref: http://www.securityfocus.com/bid/33775

• 09.8.46 - CVE: Not Available
• Platform: Web Application - SQL Injection
• Title: BlogWrite "print.php" SQL Injection
• Description: BlogWrite is a web-based application implemented in PHP. The application is exposed to an SQL injection issue because it fails to sufficiently sanitize user-supplied data to the "id" parameter of the "print.php" script before using it in an SQL query. BlogWrite version 0.91 is affected.
• Ref: http://www.securityfocus.com/bid/33776

• 09.8.47 - CVE: Not Available
• Platform: Web Application - SQL Injection
• Title: Grestul Multiple SQL Injection Vulnerabilities
• Description: Grestul is a web-based application implemented in PHP. The application is exposed to multiple SQL injection issues because it fails to sufficiently sanitize user-supplied data to the "grestul[username]" and "grestul[passcode]" cookie parameters of the "admin/index.php" script. Grestul version 1.0.6 is affected.
• Ref: http://www.securityfocus.com/bid/33792

• 09.8.48 - CVE: Not Available
• Platform: Web Application - SQL Injection
• Title: pHNews "header.php" SQL Injection
• Description: pHNews is a web-based application implemented in PHP. The application is exposed to an SQL injection issue because it fails to sufficiently sanitize user-supplied data to the "mod" parameter of the "header.php" script before using it in an SQL query. pHNews alpha version 1 is affected.
• Ref: http://www.securityfocus.com/bid/33797

• 09.8.49 - CVE: Not Available
• Platform: Web Application - SQL Injection
• Title: S-CMS SQL Injection and Cookie Authentication Bypass Vulnerabilities
• Description: S-CMS is a web-based application implemented in PHP. The application is exposed to an SQL injection issue because it fails to sufficiently sanitize user-supplied data to the "id" parameter of the "admin/delete_page.php" script file before using it in an SQL query. S-CMS version 1.1 Stable is affected.
• Ref: http://www.securityfocus.com/bid/33799

• 09.8.50 - CVE: CVE-2008-5999
• Platform: Web Application
• Title: Drupal Ajax Checklist Module Unspecified HTML Injection
• Description: Ajax Checklist is a PHP-based component for Drupal. It is used to add dynamic checklists into nodes. The application is exposed to an unspecified HTML injection issue because it fails to properly sanitize user-supplied input to node pages before using the input in dynamically generated content. Ajax Checklist versions prior to 5.x-1.1 are affected.
• Ref: http://drupal.org/node/312968

• 09.8.51 - CVE: Not Available
• Platform: Web Application
• Title: SkaDate "photo" Arbitrary File Upload
• Description: SkaDate is a web-based dating application implemented in PHP. The application is exposed to an issue that lets attackers upload arbitrary files. The issue occurs because the software fails to adequately sanitize file extensions before uploading photos onto the web server. SkaDate version 7 is affected.
• Ref: http://www.securityfocus.com/bid/33742

• 09.8.52 - CVE: Not Available
• Platform: Web Application
• Title: Dacio's CMS Cross-Site Scripting and Multiple SQL Injection Vulnerabilities
• Description: Dacio's CMS is a PHP-based content manager. The application is exposed to mulitple issues, since it fails to adequately sanitize user-supplied input. Dacio's CMS version 1.08 is affected.
• Ref: http://www.milw0rm.com/exploits/8042

• 09.8.53 - CVE: Not Available
• Platform: Web Application
• Title: Graugon Gallery Multiple Security Vulnerabilities
• Description: Graugon Gallery is a web-based image gallery application. The application is exposed to multiple input validation issues because it fails to sufficiently sanitize user-supplied data.
• Ref: http://www.securityfocus.com/bid/33745

• 09.8.54 - CVE: Not Available
• Platform: Web Application
• Title: Drupal Advertisement Module Multiple HTML Injection Vulnerabilities
• Description: The Drupal Advertisement Module is a module for the Drupal content management system. The module is exposed to multiple HTML injection issues because it fails to properly sanitize user-supplied input before using it in dynamically generated content. Advertisement module versions prior to 5.x-1.7 and 6.x-1.0-rc1 are affected.
• Ref: http://drupal.org/node/372977

• 09.8.55 - CVE: Not Available
• Platform: Web Application
• Title: Poppler Multiple Denial of Service Vulnerabilities
• Description: Poppler is a library that provides a programming interface for rendering PDF files. The library is based on the Xpdf-3.0 codebase. Poppler is exposed to multiple denial of service issues when handling certain PDF files. The issues stem from an uninitialized memory access error in the "FormWidgetChoice::loadDefaults()" function and an error in the "JBIG2Stream::readSymbolDictSeg()" function. Poppler versions prior to 0.10.4 are affected.
• Ref: https://bugs.edge.launchpad.net/poppler/+bug/320181

• 09.8.56 - CVE: Not Available
• Platform: Web Application
• Title: RavenNuke Multiple Input Validation Vulnerabilities
• Description: RavenNuke is a PHP-based content manager. RavenNuke is originally based on PHP-Nuke. The application is exposed to multiple input validation issues. An attacker can exploit these issues to execute arbitrary code within the context of the web server, compromise the application, access or modify data, exploit latent vulnerabilities in the underlying database, or obtain sensitive information. RavenNuke versions prior to 2.30.01 are vulnerable.
• Ref: http://www.securityfocus.com/archive/1/500988

• 09.8.57 - CVE: Not Available
• Platform: Web Application
• Title: NovaBoard Multiple Remote Vulnerabilities
• Description: NovaBoard is a message board application implemented in PHP. The application is exposed to multiple remote issues. NovaBoard version 1.0.0 is affected.
• Ref: http://www.securityfocus.com/bid/33788

• 09.8.58 - CVE: Not Available
• Platform: Web Application
• Title: InselPhoto Photo Description Field HTML Injection
• Description: InselPhoto is a web-based application implemented in PHP. InselPhoto is exposed to an HTML injection issue because it fails to sufficiently sanitize user-supplied input. This issue affects photo descriptions on uploaded photos. Attacker-supplied HTML or JavaScript code could run in the context of the affected site, potentially allowing the attacker to steal cookie-based authentication credentials and to control how the site is rendered to the user; other attacks are also possible. InselPhoto version 1.1 is affected.
• Ref: http://www.securityfocus.com/bid/33783

• 09.8.59 - CVE: Not Available
• Platform: Web Application
• Title: PowerMovieList Multiple SQL Injection and Cross-Site Scripting Vulnerabilities
• Description: PowerMovieList is a movie database application implemented in PHP. The application is exposed to multiple input validation issues. Exploiting these issues could allow an attacker to steal cookie-based authentication credentials, compromise the application, access or modify data, or exploit latent vulnerabilities in the underlying database.
• Ref: http://www.securityfocus.com/bid/33786

• 09.8.60 - CVE: Not Available
• Platform: Web Application
• Title: Baran CMS Multiple Input Validation Vulnerabilities
• Description: Baran CMS is web-based content management system implemented in ASP. The application is exposed to multiple issues because it fails to properly sanitize user-supplied input. Baran CMS version 1.0 is affected.
• Ref: http://www.securityfocus.com/bid/33764

• 09.8.61 - CVE: CVE-2008-6016
• Platform: Web Application
• Title: EsFaq "questions.php" SQL Injection
• Description: EsFaq is a web-based FAQ application implemented in PHP. The application is exposed to an SQL injection issue because it fails to sufficiently sanitize user-supplied data to the "cid" parameter of the "questions.php" script before using it in an SQL query. EsFaq version 2.0 is affected.
• Ref: http://www.securityfocus.com/bid/33770

• 09.8.62 - CVE: Not Available
• Platform: Web Application
• Title: ea-gBook "inc_ordner" Parameter Remote File Include
• Description: ea-gBook is a PHP-based web application. The application is exposed to a remote file include issue because it fails to sufficiently sanitize user-supplied input to the "inc_ordner" parameter of the "index_inc.php" script. ea-gBook version 0.1 is affected.
• Ref: http://www.securityfocus.com/bid/33774

• 09.8.63 - CVE: Not Available
• Platform: Web Application
• Title: simplePMS PHP Code Injection and Local File Include Vulnerabilities
• Description: simplePMS is a PHP-based content manager. The application is exposed to multiple input validation issues because it fails to properly sanitize user-supplied input. simplePMS version 0.1.3a is affected.
• Ref: http://www.securityfocus.com/bid/33780

• 09.8.64 - CVE: Not Available
• Platform: Web Application
• Title: ClipBucket "dwnld.php" Directory Traversal
• Description: ClipBucket is a web-based video sharing application implemented in PHP. The application is exposed to a directory traversal issue because it fails to sufficiently sanitize user-supplied input to the "file" parameter of the "dwnld.php" script. ClipBucket version 1.7 is affected.
• Ref: http://www.securityfocus.com/bid/33781

• 09.8.65 - CVE: Not Available
• Platform: Web Application
• Title: YACS "update_trailer.php" Remote File Include
• Description: YACS (Yet Another Community System) is a PHP-based web application. The application is exposed to a remote file include issue because it fails to sufficiently sanitize user-supplied input to the "context[path_to_root]" parameter of the "yacs/scripts/update_trailer.php" script. YACS version 8.11 is affected.
• Ref: http://www.securityfocus.com/bid/33791

• 09.8.66 - CVE: Not Available
• Platform: Web Application
• Title: WikkaWiki "backlinks" Handler Information Disclosure
• Description: WikkaWiki is a wiki application implemented in PHP. The application is exposed to an information disclosure issue because it fails to properly restrict access to certain restricted content. WikkaWiki versions prior to 1.1.6.6 are affected.
• Ref: http://www.securityfocus.com/bid/33793

• 09.8.67 - CVE: CVE-2008-6059
• Platform: Web Application
• Title: WebKit XMLHttpRequest Cookie Information Disclosure
• Description: WebKit is an open source web browser engine available for a number of platforms. WebKit is exposed to an information disclosure issue because cookies marked "HTTPOnly" are readable by JavaScript through the XMLHttpRequest API. WebKit versions prior to r38566 are vulnerable. Ref: http://trac.webkit.org/changeset/38566/trunk/WebCore/xml/XMLHttpRequest.cpp

• 09.8.68 - CVE: Not Available
• Platform: Network Device
• Title: Nokia N95 "setAttributeNode()" Denial of Service
• Description: Nokia N95 is a smartphone. Nokia N95 is exposed to a denial of service issue that occurs in the device's web browser. This issue affects the "setAttributeNode()" method. A successful exploit of this issue allows remote attackers to crash the browser on the affected device, denying service to legitimate users.
• Ref: http://www.securityfocus.com/archive/1/500954

(c) 2009. All rights reserved. The information contained in this newsletter, including any external links, is provided "AS IS," with no express or implied warranty, for informational purposes only. In some cases, copyright for material in this newsletter may be held by a party other than Qualys (as indicated herein) and permission to use such material must be requested from the copyright owner.

Subscriptions: @RISK is distributed free of charge by the SANS Institute to people responsible for managing and securing information systems and networks. You may forward this newsletter to others with such responsibility inside or outside your organization.