@RISK: The Consensus Security Vulnerability Alert

Volume: IX, Issue: 1
January 1, 2010

@RISK is the SANS community's consensus bulletin summarizing the most important vulnerabilities and exploits identified during the past week and providing guidance on appropriate actions to protect your systems (PART I). It also includes a comprehensive list of all new vulnerabilities discovered in the past week (PART II).

Summary of the vulnerabilities reported this week:

    Category                                  # of Updates & Vulnerabilities
    ----------------------------------------  ------------------------------
    Third Party Windows Apps                  1
    Linux                                     2
    Cross Platform                            8 (#1, #2)
    Web Application - Cross Site Scripting    24
    Web Application - SQL Injection           10
    Web Application                           17

*************************************************************************

TRAINING UPDATE

-- SANS Security East 2010, New Orleans, January 10-18, 2010. 19 courses. Bonus evening presentations include Top 7 Trends in Incident Response and Computer Forensics, Advanced Forensic Techniques, and more.

https://www.sans.org/security-east-2010/

-- SANS AppSec 2010, San Francisco, January 29 - February 5, 2010. Bonus evening presentations include Social Zombies and Cross-Site AJAX Security.

https://www.sans.org/appsec-2010/

-- SANS Phoenix, February 14 - February 20, 2010. Bonus evening presentations include Advanced Forensic Techniques: Catching Hackers on the Wire.

https://www.sans.org/phoenix-2010/

-- SANS 2010, Orlando, March 6 - March 15, 2010. 38 courses and bonus evening presentations, including Software Security Street Fighting Style.

https://www.sans.org/sans-2010/

-- SANS Northern Virginia Bootcamp 2010, April 6-13 https://www.sans.org/reston-2010/

Looking for training in your own community? https://sans.org/community/

Save on On-Demand training (30 full courses)

- See samples at https://www.sans.org/ondemand/

Plus Tokyo, Bangalore, Dublin and Oslo all in the next 90 days. For a list of all upcoming events, on-line and live: http://www.sans.org

*************************************************************************

Table Of Contents
Part II -- Comprehensive List of Newly Discovered Vulnerabilities from Qualys (www.qualys.com)
Third Party Windows Apps
Linux
Cross Platform
Web Application - Cross Site Scripting
Web Application - SQL Injection
Web Application
PART I Critical Vulnerabilities

Part I for this issue has been compiled by Rohan Kotian at TippingPoint, a division of 3Com, as a by-product of that company's continuous effort to ensure that its intrusion prevention products effectively block exploits using known vulnerabilities. TippingPoint's analysis is complemented by input from a council of security managers from twelve large organizations who confidentially share with SANS the specific actions they have taken to protect their systems.

Widely Deployed Software
  • (1) HIGH: BigAnt Instant Messenger Server Buffer Overflow Vulnerability
  • Affected:
    • HUATU SOFTWARE BigAnt IM Server 2.52
  • Description: BigAnt is an enterprise instant messaging system, and BigAnt Instant Messenger (IM) Server is its server component. A buffer overflow vulnerability has been reported in BigAnt IM Server; it can be triggered by a specially crafted "USV" request to TCP port 6660. The specific flaw is a buffer overflow in the "AntServer.exe" module, which does not perform adequate bounds checking on an overly long incoming "USV" request. Successful exploitation might allow an attacker to execute arbitrary code in the context of the affected application. Full technical details for the vulnerability are publicly available along with a proof-of-concept.

  • Status: Vendor confirmed, no updates available.

  • References:
  • (2) MODERATE: Sun Java System Directory Server Multiple Vulnerabilities
  • Affected:
    • Sun Java System Directory Server Enterprise Edition 6.0
    • Sun Java System Directory Server Enterprise Edition 6.1
    • Sun Java System Directory Server Enterprise Edition 6.2
    • Sun Java System Directory Server Enterprise Edition 6.3
  • Description: Sun Java System Directory Server is an enterprise Lightweight Directory Access Protocol (LDAP) server from Sun Microsystems and is shipped as a component of Directory Server Enterprise Edition (DSEE). Multiple vulnerabilities have been identified in Sun Java System Directory Server which might lead to sensitive information disclosure or denial of service. The first issue is an error in Directory Proxy Server that might allow an attacker to run an operation with the privileges of another client. The second issue is an error in Directory Proxy Server which can be triggered by specially crafted packets and might cause the server to stop responding to new client connections. The third issue is an error in Directory Proxy Server which can be triggered by a specially crafted "psearch" client, preventing the affected server from sending results to other "psearch" clients. Very few technical details are available for these vulnerabilities.

  • Status: Vendor confirmed, updates available.

  • References:
Part II: Weekly Comprehensive List of Newly Discovered Vulnerabilities
Week 1, 2010

This list is compiled by Qualys ( www.qualys.com ) as part of that company's ongoing effort to ensure its vulnerability management web service tests for all known vulnerabilities that can be scanned. As of this week Qualys scans for 7799 unique vulnerabilities. For this special SANS community listing, Qualys also includes vulnerabilities that cannot be scanned remotely.

______________________________________________________________________


  • 09.1.1 - CVE: Not Available
  • Platform: Third Party Windows Apps
  • Title: ReGet Deluxe ".wjr" File Buffer Overflow
  • Description: ReGet is a download manager for Microsoft Windows operating systems. ReGet is exposed to a stack-based buffer overflow issue because it fails to properly sanitize user-supplied input. Specifically, the issue occurs when processing specially crafted ".wjr" files. ReGet Deluxe version 5.2 build 330 is affected.
  • Ref: http://www.securityfocus.com/bid/37511

  • 09.1.2 - CVE: CVE-2009-4410
  • Platform: Linux
  • Title: Linux Kernel "fuse_ioctl_copy_user()" Local Denial of Service
  • Description: The Linux kernel is exposed to a local denial of service issue because of an error in a FUSE filesystem IOCTL call. Specifically, the "fuse_ioctl_copy_user()" function in the "fs/fuse/file.c" source file does not properly interact with "kunmap()" from the "kmap" API. Linux kernel versions 2.6.29-rc1 through 2.6.31 are affected.
  • Ref: http://permalink.gmane.org/gmane.comp.security.oss.general/2446

  • 09.1.3 - CVE: Not Available
  • Platform: Linux
  • Title: Linux e1000 Driver "Jumbo Frame" Handling Remote Security Bypass
  • Description: The Linux kernel is exposed to a security bypass issue affecting the e1000 network driver. Specifically, this issue is related to the handling of "Jumbo-frames" with an MTU exceeding 1500 bytes. The vulnerable driver fails to properly handle this case, which can result in the second frame being improperly handled as a new, independent frame.
  • Ref: http://permalink.gmane.org/gmane.comp.security.oss.general/2459

  • 09.1.4 - CVE: Not Available
  • Platform: Cross Platform
  • Title: Sun Java System Directory Server Multiple Remote Vulnerabilities
  • Description: Sun Java System Directory Server is an LDAP (Lightweight Directory Access Protocol) server distributed with Directory Server 6.0 Enterprise Edition. Sun Java System Directory Server is exposed to multiple remote issues, including: a remote code execution issue that may allow attackers to run a client operation temporarily with another user's privileges under certain circumstances; a denial of service issue that will cause the server to stop responding to new client connections; and a denial of service issue that will prevent the server from sending results to other "psearch" clients. Sun Java System Directory Server Enterprise Edition versions 6.0, 6.1, 6.2, 6.3 and 6.3.1 are affected.
  • Ref: http://sunsolve.sun.com/search/document.do?assetkey=1-66-270789-1

  • 09.1.5 - CVE: Not Available
  • Platform: Cross Platform
  • Title: CoreHTTP CGI Support Remote Command Execution
  • Description: CoreHTTP is an HTTP server implemented in C. It is available for POSIX based operating systems. CoreHTTP is exposed to an issue that attackers can leverage to execute arbitrary commands. This issue occurs because the software fails to adequately sanitize user-supplied input passed as arguments to CGI applications. CoreHTTP version 0.5.3.1 is affected.
  • Ref: http://aconole.brad-x.com/advisories/corehttp.txt

  • 09.1.6 - CVE: CVE-2009-4411
  • Platform: Cross Platform
  • Title: XFS ACL "setfacl" and "getfacl" Symbolic Link Handling Security Bypass
  • Description: XFS is a file system originally developed by SGI. The ACL package includes a number of tools for dealing with access control lists used by XFS. The "setfacl" and "getfacl" utilities included with ACL are exposed to a security bypass issue. Specifically, these utilities will follow symbolic links when called with the "-R" (recursive) option, even in the presence of the "-P" (physical) option. ACL versions 2.2.46 and 2.2.47 are affected.
  • Ref: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=499076

  • 09.1.7 - CVE: CVE-2009-3602
  • Platform: Cross Platform
  • Title: Unbound DNS Server NSEC3 Signature Verification DNS Spoofing
  • Description: Unbound is a validating, recursive, and caching DNS resolver. Unbound is exposed to a DNS spoofing issue because it fails to properly check signatures on NSEC3 records. Unbound versions prior to 1.3.4 are affected.
  • Ref: http://unbound.net/pipermail/unbound-users/2009-October/000852.html

  • 09.1.8 - CVE: Not Available
  • Platform: Cross Platform
  • Title: Kolab Groupware Server Image Upload Form Unspecified
  • Description: Kolab Groupware Server is a groupware solution for managing emails, appointments, and contacts. The application is exposed to an unspecified issue that arises when data associated with the image upload form is handled. Kolab Groupware Server versions prior to 2.2.3 are affected.
  • Ref: http://files.kolab.org/server/release/kolab-server-2.2.3/sources/release-notes.txt

  • 09.1.9 - CVE: CVE-2009-3295
  • Platform: Cross Platform
  • Title: MIT Kerberos KDC Cross-Realm Referral NULL Pointer Dereference Denial of Service
  • Description: MIT Kerberos is a suite of applications and libraries designed to implement the Kerberos network authentication protocol. MIT Kerberos is exposed to a remote denial of service issue due to a NULL pointer dereference condition. This issue occurs when the application processes cross-realm referrals while a client requests a ticket for a host-based service principal name. MIT Kerberos 5 version 1.7 is affected.
  • Ref: http://www.securityfocus.com/bid/37486

  • 09.1.10 - CVE: Not Available
  • Platform: Cross Platform
  • Title: Multiple Fujitsu Products SSL Implementation Multiple Remote Vulnerabilities
  • Description: The SSL implementation in multiple Fujitsu products is exposed to multiple issues: a remote buffer overflow issue related to the parsing of SSL certificates; an unspecified security bypass issue related to the handling of SSL certificates; and an unspecified denial of service issue which may allow attackers to exhaust available file descriptors on the vulnerable computer.
  • Ref: http://www.securityfocus.com/bid/37491

  • 09.1.11 - CVE: Not Available
  • Platform: Cross Platform
  • Title: BigAnt IM Server "USV" Request Buffer Overflow
  • Description: BigAnt IM Server is an instant messaging server to be used with the BigAnt Messenger, an enterprise IM system for Windows platforms. The server is exposed to a remote buffer overflow issue because it fails to perform adequate boundary checks on user-supplied input. The issue occurs when the AntServer module (AntServer.exe) handles overly large "USV" requests via TCP port 6660. BigAnt IM Server version 2.52 is affected.
  • Ref: http://www.securityfocus.com/bid/37520

  • 09.1.12 - CVE: Not Available
  • Platform: Web Application - Cross Site Scripting
  • Title: Joomla! "com_webcamxp" Component "Itemid" Parameter Cross-Site Scripting
  • Description: "com_webcamxp" is a component for the Joomla! content manager. The component is exposed to a cross-site scripting issue because it fails to properly sanitize user-supplied input to the "Itemid" parameter.
  • Ref: http://www.securityfocus.com/bid/37480

  • 09.1.13 - CVE: Not Available
  • Platform: Web Application - Cross Site Scripting
  • Title: FreePBX Multiple Cross-Site Scripting and HTML Injection Vulnerabilities
  • Description: FreePBX is a web-based configuration tool for the open-source Asterisk PBX. Since it fails to properly sanitize user-supplied input before using it in dynamically generated content, FreePBX is exposed to multiple issues: a cross-site scripting issue that affects the "tech" parameter of the "admin/config.php" script when the "display" parameter is set to "trunk", and HTML injection issues that affect the "Zap Channel" and "Add Recording" interfaces. FreePBX version 2.5.2 is affected.
  • Ref: http://www.securityfocus.com/bid/37482

  • 09.1.14 - CVE: Not Available
  • Platform: Web Application - Cross Site Scripting
  • Title: Webformatique Car Manager Joomla! Component "msg" Parameter Cross-Site Scripting
  • Description: Webformatique Car Manager is a component for the Joomla! content manager. Car Manager is exposed to a cross-site scripting issue because it fails to sanitize user-supplied input to the "msg" parameter of the "com_carman" component.
  • Ref: http://www.securityfocus.com/bid/37458

  • 09.1.15 - CVE: Not Available
  • Platform: Web Application - Cross Site Scripting
  • Title: Drupal Automated Logout Module Cross-Site Scripting
  • Description: Automated Logout is a PHP-based module for the Drupal content manager. The Automated Logout module is exposed to an unspecified cross-site scripting issue because it fails to properly sanitize user-supplied input before using it in dynamically generated content. Automated Logout 6.x-1.6 and prior versions and Automated Logout 6.x-2.2 and prior versions are affected.
  • Ref: http://drupal.org/node/667094

  • 09.1.16 - CVE: Not Available
  • Platform: Web Application - Cross Site Scripting
  • Title: MyBB "myps.php" Cross-Site Scripting
  • Description: MyBB (MyBulletinBoard) is a forum application. MyBB is exposed to a cross-site scripting issue because it fails to sanitize user-supplied input to the "username" parameter of the "myps.php" script. MyBB version 1.4.10 is affected.
  • Ref: http://www.securityfocus.com/bid/37464

  • 09.1.17 - CVE: Not Available
  • Platform: Web Application - Cross Site Scripting
  • Title: FlatPress Multiple Cross-Site Scripting Vulnerabilities
  • Description: FlatPress is a web-based blogging application. The application is exposed to multiple cross-site scripting issues because it fails to sufficiently sanitize user-supplied data in the "contact.php", "login.php", and "search.php" scripts. FlatPress version 0.909 is affected.
  • Ref: http://www.securityfocus.com/bid/37471

  • 09.1.18 - CVE: Not Available
  • Platform: Web Application - Cross Site Scripting
  • Title: Joomla! "com_trabalhe_conosco" Component "Itemid" Parameter Cross-Site Scripting
  • Description: "com_trabalhe_conosco" is a component for the Joomla! content manager. The component is exposed to a cross-site scripting issue because it fails to properly sanitize user-supplied input to the "Itemid" parameter.
  • Ref: http://www.securityfocus.com/bid/37476

  • 09.1.19 - CVE: Not Available
  • Platform: Web Application - Cross Site Scripting
  • Title: Joomla! "com_facileforms" Component "Itemid" Parameter Cross-Site Scripting
  • Description: "com_facileforms" is a component for the Joomla! content manager. The component is exposed to a cross-site scripting issue because it fails to properly sanitize user-supplied input to the "Itemid" parameter.
  • Ref: http://www.securityfocus.com/bid/37477

  • 09.1.20 - CVE: Not Available
  • Platform: Web Application - Cross Site Scripting
  • Title: Joomla! "com_jm-recommend" Component "Itemid" Parameter Cross-Site Scripting
  • Description: "com_jm-recommend" is a component for the Joomla! content manager. The component is exposed to a cross-site scripting issue because it fails to properly sanitize user-supplied input to the "Itemid" parameter.
  • Ref: http://www.securityfocus.com/bid/37478

  • 09.1.21 - CVE: Not Available
  • Platform: Web Application - Cross Site Scripting
  • Title: Joomla! Joomulus Component "tagcloud.swf" Cross-Site Scripting
  • Description: Joomulus is a component for the Joomla! content manager. The Joomulus component is exposed to a cross-site scripting issue because it fails to properly sanitize user-supplied input to the "href" parameter of the "tagcloud.swf" file.
  • Ref: http://www.securityfocus.com/archive/1/508606

  • 09.1.22 - CVE: CVE-2009-4422
  • Platform: Web Application - Cross Site Scripting
  • Title: Aditus Consulting JpGraph Multiple Cross-Site Scripting Vulnerabilities
  • Description: Aditus Consulting JpGraph is a PHP-based library for creating graphs. The application is exposed to multiple cross-site scripting issues because it fails to sanitize user-supplied input. These issues affect the "GetURLArguments()" function in the "jpgraph.php" source file. Attackers can inject arbitrary script code via multiple unspecified parameters to the "csim_in_html_ex1.php" script. Aditus Consulting JpGraph version 3.0.6 is affected.
  • Ref: http://www.securityfocus.com/archive/1/508586

  • 09.1.23 - CVE: Not Available
  • Platform: Web Application - Cross Site Scripting
  • Title: Best Top List "out.php" Cross-Site Scripting
  • Description: Best Top List is a web-based application. The application is exposed to a cross-site scripting issue because it fails to sanitize user-supplied input to the "url" parameter of the "out.php" script. Best Top List version 2.11 is affected.
  • Ref: http://www.securityfocus.com/bid/37485

  • 09.1.24 - CVE: Not Available
  • Platform: Web Application - Cross Site Scripting
  • Title: Stash Multiple Cross-Site Scripting Vulnerabilities
  • Description: Stash is a PHP-based content manager for band websites. The application is exposed to multiple cross-site scripting issues because it fails to sufficiently sanitize user-supplied data to the following scripts and parameters: "header.inc.php": "user", "javascript", "sitename"; "footer.inc.php": "version", "userid", "pagetitle". Stash version 1.0.3 is affected.
  • Ref: http://www.securityfocus.com/bid/37492

  • 09.1.25 - CVE: Not Available
  • Platform: Web Application - Cross Site Scripting
  • Title: phpAuction Multiple Cross-Site Scripting Vulnerabilities
  • Description: phpAuction is a web application. The application is exposed to multiple cross-site scripting issues because it fails to sufficiently sanitize user-supplied data to the "TPL_name" and "TPL_nick" parameters of the "register.php" script.
  • Ref: http://www.securityfocus.com/bid/37501

  • 09.1.26 - CVE: Not Available
  • Platform: Web Application - Cross Site Scripting
  • Title: phpInstantGallery "admin.php" Cross-Site Scripting
  • Description: phpInstantGallery is an image gallery application. The application is exposed to a cross-site scripting issue because it fails to sanitize user-supplied input in the "admin.php" script. An attacker may leverage this issue to execute arbitrary script code in the browser of an unsuspecting user in the context of the affected site. phpInstantGallery version 1.1 is affected.
  • Ref: http://www.securityfocus.com/bid/37502

  • 09.1.27 - CVE: Not Available
  • Platform: Web Application - Cross Site Scripting
  • Title: Joomla! Q-Personel Component "personel_sira" Parameter Cross-Site Scripting
  • Description: Q-Personel is a component for the Joomla! content manager. The component is exposed to a cross-site scripting issue because it fails to sanitize user-supplied input to the "personel_sira" parameter of the "com_qpersonel" component when the "task" parameter is set to "sirala". Joomla! Q-Personel version 1.0.2(RC2) is affected.
  • Ref: http://www.securityfocus.com/bid/37503

  • 09.1.28 - CVE: Not Available
  • Platform: Web Application - Cross Site Scripting
  • Title: MyShoutPro "page" Parameter Cross-Site Scripting
  • Description: MyShoutPro is a PHP-based shout box. The application is exposed to a cross-site scripting issue because it fails to sanitize user-supplied input to the "page" parameter of the "index.php" script. An attacker may leverage this issue to execute arbitrary script code in the browser of an unsuspecting user in the context of the affected site. MyShoutPro version 1.2 is affected.
  • Ref: http://www.securityfocus.com/bid/37504

  • 09.1.29 - CVE: Not Available
  • Platform: Web Application - Cross Site Scripting
  • Title: freeForum "index.php" Cross Site Scripting
  • Description: freeForum is a PHP-based bulletin board. The application is exposed to a cross-site scripting issue because it fails to sanitize user-supplied input in the "index.php" script. freeForum version 1.7 is affected.
  • Ref: http://www.securityfocus.com/bid/37505

  • 09.1.30 - CVE: Not Available
  • Platform: Web Application - Cross Site Scripting
  • Title: Squito Gallery Multiple Cross-Site Scripting Vulnerabilities
  • Description: Squito Gallery is a web bulletin board application. The application is exposed to multiple cross-site scripting issues because it fails to sufficiently sanitize user-supplied data to the "imagedir" and "page" parameters. Squito Gallery version 1.0 is affected.
  • Ref: http://www.securityfocus.com/bid/37506

  • 09.1.31 - CVE: Not Available
  • Platform: Web Application - Cross Site Scripting
  • Title: Webring "index.php" Cross-Site Scripting
  • Description: Webring is a web-based application. Webring is exposed to a cross-site scripting issue because it fails to sanitize user-supplied input in the "index.php" script. An attacker may leverage this issue to execute arbitrary script code in the browser of an unsuspecting user in the context of the affected site.
  • Ref: http://www.securityfocus.com/bid/37507

  • 09.1.32 - CVE: Not Available
  • Platform: Web Application - Cross Site Scripting
  • Title: phpPowerCards Multiple Cross-Site Scripting Vulnerabilities
  • Description: phpPowerCards is a postcard application. The application is exposed to multiple cross-site scripting issues because it fails to sanitize user-supplied input to the "archiv", "subcat", and "PHP_SELF" parameters of the "pagenumber.inc.php" script. phpPowerCards version 2.0 is affected.
  • Ref: http://www.securityfocus.com/bid/37508

  • 09.1.33 - CVE: Not Available
  • Platform: Web Application - Cross Site Scripting
  • Title: IMG2ASCII "ascii.php" Cross-Site Scripting
  • Description: IMG2ASCII is a PHP program that generates ASCII art from an image file. The application is exposed to a cross-site scripting issue because it fails to sanitize user-supplied input to the "PHP_SELF" parameter of the "ascii.php" script.
  • Ref: http://www.securityfocus.com/bid/37509

  • 09.1.34 - CVE: Not Available
  • Platform: Web Application - Cross Site Scripting
  • Title: Barbo91 "upload.php" Cross-Site Scripting
  • Description: Barbo91 is a web-based file uploader. The application is exposed to a cross-site scripting issue because it fails to sanitize user-supplied input to the "UploadedFile" parameter of the "upload.php" script.
  • Ref: http://www.securityfocus.com/bid/37512

  • 09.1.35 - CVE: Not Available
  • Platform: Web Application - Cross Site Scripting
  • Title: AzDGDatingMedium "l" Parameter Multiple Cross-Site Scripting Vulnerabilities
  • Description: Azerbaijan Development AzDGDatingMedium is a PHP-based web application. The application is exposed to multiple cross-site scripting issues because it fails to sufficiently sanitize user-supplied input to the "l" parameter of the "index.php", "login.php" and "search.php" scripts.
  • Ref: http://www.securityfocus.com/bid/37514

  • 09.1.36 - CVE: Not Available
  • Platform: Web Application - SQL Injection
  • Title: Woltlab Burning Board Kleinanzeigenmarkt Plugin "catID" Parameter SQL Injection
  • Description: Kleinanzeigenmarkt is a plugin for the Woltlab Burning Board web application. The plugin is exposed to an SQL injection issue because it fails to sufficiently sanitize user-supplied data to the "catID" CGI parameter before using it in an SQL query.
  • Ref: http://www.securityfocus.com/bid/37468

  • 09.1.37 - CVE: Not Available
  • Platform: Web Application - SQL Injection
  • Title: Joomla! "com_schools" Component "schoolid" Parameter SQL Injection
  • Description: "com_schools" is a PHP-based component for the Joomla! content manager. The component is exposed to an SQL injection issue because it fails to sufficiently sanitize user-supplied data to the "schoolid" parameter before using it in an SQL query.
  • Ref: http://www.securityfocus.com/bid/37469

  • 09.1.38 - CVE: Not Available
  • Platform: Web Application - SQL Injection
  • Title: Joomla! "com_dhforum" Component "id" Parameter SQL Injection
  • Description: "com_dhforum" is a PHP-based component for the Joomla! content manager. The component is exposed to an SQL injection issue because it fails to sufficiently sanitize user-supplied data to the "id" parameter before using it in an SQL query.
  • Ref: http://www.securityfocus.com/bid/37475

  • 09.1.39 - CVE: Not Available
  • Platform: Web Application - SQL Injection
  • Title: Proverb Web Calendar Cross-Site Scripting and SQL Injection Vulnerabilities
  • Description: Proverb Web Calendar is a PHP-based calendar application. The application is exposed to multiple input validation issues: a cross-site scripting issue that affects the "month" parameter of the "calendar.php" script, a cross-site scripting issue that affects the SQL error message, and an SQL injection issue that affects the "year" parameter of the "calendar.php" script. Proverb Web Calendar version 2.1.2a is affected.
  • Ref: http://www.securityfocus.com/bid/37484

  • 09.1.40 - CVE: Not Available
  • Platform: Web Application - SQL Injection
  • Title: MAXdev MD-Forum "c" Parameter SQL Injection
  • Description: MAXdev MD-Forum is a forum module for the MDPro content manager. The application is exposed to an SQL injection issue because it fails to sufficiently sanitize user-supplied data to the "c" parameter of the "index.php" script when the "name" parameter is set to "MDForum" and the "file" parameter is set to "index". MAXdev MD-Forum version 2.07 is affected.
  • Ref: http://www.maxdev.com/Article661.phtml

  • 09.1.41 - CVE: Not Available
  • Platform: Web Application - SQL Injection
  • Title: Calendar Express "catid" Parameter SQL Injection
  • Description: Calendar Express is a PHP-based calendar application. The component is exposed to an SQL injection issue because it fails to sufficiently sanitize user-supplied data to the "catid" parameter of the "year.php" script before using it in an SQL query.
  • Ref: http://www.securityfocus.com/bid/37490

  • 09.1.42 - CVE: Not Available
  • Platform: Web Application - SQL Injection
  • Title: Joomla! "com_calendario" Component "id" Parameter SQL Injection
  • Description: The "com_calendario" component is a PHP-based application for the Joomla! content manager. The application is exposed to an SQL injection issue because it fails to sufficiently sanitize user-supplied data to the "id" parameter before using it in an SQL query.
  • Ref: http://www.securityfocus.com/bid/37493

  • 09.1.43 - CVE: Not Available
  • Platform: Web Application - SQL Injection
  • Title: Joomla! BeeHeard Component "category_id" Parameter SQL Injection
  • Description: BeeHeard is a PHP-based component for the Joomla! content manager. The "com_beeheard" component is exposed to an SQL injection issue because it fails to sufficiently sanitize user-supplied data to the "category_id" parameter before using it in an SQL query.
  • Ref: http://www.securityfocus.com/bid/37495

  • 09.1.44 - CVE: Not Available
  • Platform: Web Application - SQL Injection
  • Title: Memory Book Component for Joomla! SQL Injection and Arbitrary File Upload Vulnerabilities
  • Description: Memory Book is a component for the Joomla! content manager. The application is exposed to multiple remote issues: An SQL injection issue that affects the "description" field when adding a new event, and an arbitrary file upload issue that affects the "Add Image" section. The uploaded script may be accessed from the "View Events" section when adding a new hosted game. Memory Book version 1.2 is affected.
  • Ref: http://www.securityfocus.com/bid/37496

  • 09.1.45 - CVE: Not Available
  • Platform: Web Application - SQL Injection
  • Title: QuickEStore Multiple SQL Injection Vulnerabilities
  • Description: QuickEStore is an e-commerce application implemented in ColdFusion. The application is exposed to multiple SQL injection issues because it fails to sufficiently sanitize user-supplied data to the following scripts and parameters: "prodpage.cfm" ("CategoryID"), "index.cfm" ("SubCatID"), "proddetail.cfm" ("ItemID"), "checkout.cfm" ("OrderID"), and "shipping.cfm" ("OrderID"). QuickEStore version 7.9 is affected.
  • Ref: http://www.securityfocus.com/bid/37516

  • 09.1.46 - CVE: Not Available
  • Platform: Web Application
  • Title: Drupal FAQ Module Unspecified HTML Injection
  • Description: The FAQ module is an application for the Drupal content manager. The module is exposed to an unspecified HTML injection issue because it fails to properly sanitize user-supplied input before using it in dynamically generated content. FAQ versions prior to 5.x-2.14 and 6.x-1.11 are affected.
  • Ref: http://drupal.org/node/666760

  • 09.1.47 - CVE: Not Available
  • Platform: Web Application
  • Title: OpenX Administrative Interface Authentication Bypass
  • Description: OpenX is a web-based ad server. The application is exposed to an authentication bypass issue because it fails to restrict access to its administration interface. OpenX versions 2.8.1 and 2.8.2 are affected.
  • Ref: http://forum.openx.org/index.php?showtopic=503454011

  • 09.1.48 - CVE: Not Available
  • Platform: Web Application
  • Title: XP Book "template/admin_bady.html" Authentication Bypass
  • Description: XP Book is a PHP-based guestbook application. The application is exposed to an authentication-bypass issue because it fails to restrict access to the "template/admin_bady.html" script when the "setting" action is enabled. XP Book version 3.0 is affected.
  • Ref: http://www.securityfocus.com/bid/37461

  • 09.1.49 - CVE: CVE-2009-3305, CVE-2009-4413
  • Platform: Web Application
  • Title: Polipo Multiple Remote Denial of Service Vulnerabilities
  • Description: Polipo is a web proxy application. Polipo is exposed to the following remote denial of service issues: A remote attacker may crash the application by supplying an overly large "Content-Length" header; A remote attacker may crash the application by supplying a malformed "Cache-Control: max-age" value. All versions of Polipo are affected.
  • Ref: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=547047

  • 09.1.50 - CVE: Not Available
  • Platform: Web Application
  • Title: Jax Guestbook "guestbook.admin.php" Authentication Bypass
  • Description: Jax Guestbook is a PHP-based guestbook application. The application is exposed to an authentication bypass issue because it fails to restrict access to the "guestbook.admin.php" script. Jax Guestbook version 3.50 is affected.
  • Ref: http://www.securityfocus.com/bid/37466

  • 09.1.51 - CVE: Not Available
  • Platform: Web Application
  • Title: Pragyan CMS "search.php" Multiple Remote File Include Vulnerabilities
  • Description: Pragyan CMS is a PHP-based content manager. The application is exposed to multiple remote file include issues because it fails to sufficiently sanitize user-supplied input to the "moduleFolder" and "sourceFolder" parameters of the "modules/search/search.php" script. Pragyan CMS version 2.6.4 is affected.
  • Ref: http://www.securityfocus.com/bid/37467

  • 09.1.52 - CVE: Not Available
  • Platform: Web Application
  • Title: PyXML Unspecified Remote Buffer Overflow
  • Description: PyXML is an XML parser for Python. The library is exposed to a remote buffer overflow issue because it fails to perform adequate boundary checks on user-supplied data when parsing XML data. Attackers can exploit this issue to execute arbitrary code within the context of the application that uses the affected library. PyXML version 0.8.4 is affected.
  • Ref: http://www.securityfocus.com/bid/37470

  • 09.1.53 - CVE: Not Available
  • Platform: Web Application
  • Title: Joomla! iF Portfolio Nexus "controller" Parameter Remote File Include
  • Description: iF Portfolio Nexus (com_if_nexus) is a component for the Joomla! content manager. The component is exposed to a remote file include issue because it fails to sufficiently sanitize user-supplied input to the "controller" parameter.
  • Ref: http://www.securityfocus.com/bid/37473

  • 09.1.54 - CVE: Not Available
  • Platform: Web Application
  • Title: Ampache Unspecified Security Bypass Vulnerabilities
  • Description: Ampache is a web-based audio file manager. Ampache is exposed to multiple unspecified security bypass issues related to the mishandling of "REQUEST" for write operations. Ampache versions prior to 3.5.3 are affected.
  • Ref: http://ampache.org/announce/3_5_3.php

  • 09.1.55 - CVE: Not Available
  • Platform: Web Application
  • Title: MyBB "Avatar" Parameter File Enumeration Information Disclosure
  • Description: MyBB (MyBulletinBoard) is a PHP-based bulletin board application. The application is exposed to a directory traversal issue because it fails to sufficiently sanitize user-supplied input to the "Avatar" parameter when changing a user's avatar. MyBB version 1.4.10 is affected.
  • Ref: http://dev.mybboard.net/issues/617

  • 09.1.56 - CVE: Not Available
  • Platform: Web Application
  • Title: Cybershade CMS "CMS_ROOT" Parameter Multiple Remote File Include Vulnerabilities
  • Description: Cybershade CMS is a PHP-based content manager. The application is exposed to multiple remote file include issues because it fails to sufficiently sanitize user-supplied input to the "CMS_ROOT" parameter of the "core/core.php" and "core/includes.php" scripts. Cybershade CMS version 0.2b is affected.
  • Ref: http://www.securityfocus.com/bid/37497

  • 09.1.57 - CVE: Not Available
  • Platform: Web Application
  • Title: DrBenHur.com DBHcms "dbhcms_core_dir" Parameter Remote File Include
  • Description: DrBenHur.com DBHcms is a PHP-based content manager. The application is exposed to a remote file include issue because it fails to properly sanitize user-supplied input to the "dbhcms_core_dir" parameter of the "index.php" script. DBHcms version 1.1.4 is affected.
  • Ref: http://www.securityfocus.com/archive/1/508614

  • 09.1.58 - CVE: Not Available
  • Platform: Web Application
  • Title: "com_adagency" Joomla! Component "controller" Parameter Local File Include
  • Description: "com_adagency" is a component for the Joomla! content manager. The application is exposed to a local file include issue because it fails to properly sanitize user-supplied input to the "controller" parameter.
  • Ref: http://www.securityfocus.com/bid/37499

  • 09.1.59 - CVE: Not Available
  • Platform: Web Application
  • Title: FreeWebshop 2.2.9 R2 Multiple Remote Vulnerabilities
  • Description: FreeWebshop is a PHP-based shopping application. FreeWebshop is exposed to multiple remote issues. Exploiting these issues could allow an attacker to compromise the application, access or modify data, exploit latent vulnerabilities, gain unauthorized access to the affected application and exploit an information disclosure issue. FreeWebshop.org version 2.2.9 R2 is affected.
  • Ref: http://www.securityfocus.com/archive/1/508640

  • 09.1.60 - CVE: Not Available
  • Platform: Web Application
  • Title: AproxEngine Multiple Remote Input Validation Vulnerabilities
  • Description: AproxEngine is a PHP-based content manager. AproxEngine is exposed to multiple issues. Attackers can exploit these issues to execute arbitrary script code in the context of the web server, compromise the application, obtain sensitive information, steal cookie-based authentication credentials from legitimate users of the site, modify the way the site is rendered, perform certain unauthorized actions in the context of a user, access or modify data, or exploit latent vulnerabilities in the underlying database. AproxEngine versions 5.3.04 and 6.0 are affected.
  • Ref: http://secunia.com/secunia_research/2009-2/

  • 09.1.61 - CVE: Not Available
  • Platform: Web Application
  • Title: dB Masters Multimedia Link Directory Cookie Authentication Bypass
  • Description: dB Masters Multimedia Link Directory is a web-based application. The application is exposed to an authentication bypass issue because it fails to adequately verify user-supplied input used for cookie-based authentication. Specifically, attackers can gain administrative access to the application by setting the "admin_log" cookie parameter to "in" and the "path" parameter to "/".
  • Ref: http://www.securityfocus.com/bid/37517

  • 09.1.62 - CVE: Not Available
  • Platform: Web Application
  • Title: ViewVC Versions Prior to 1.1.3 Multiple Remote Vulnerabilities
  • Description: ViewVC is a web-based interface for CVS and Subversion version control repositories; it is implemented in Python. ViewVC is exposed to multiple security issues: a security issue that involves root listing support of per-root authorization configuration, and a security issue in "query.py" involving the "forbidden" authorizer. ViewVC versions prior to 1.1.3 are affected.
  • Ref: http://viewvc.tigris.org/source/browse/viewvc/trunk/CHANGES?view=log&pathrev=HEAD

(c) 2010. All rights reserved. The information contained in this newsletter, including any external links, is provided "AS IS," with no express or implied warranty, for informational purposes only. In some cases, copyright for material in this newsletter may be held by a party other than Qualys (as indicated herein) and permission to use such material must be requested from the copyright owner.

Subscriptions: @RISK is distributed free of charge by the SANS Institute to people responsible for managing and securing information systems and networks. You may forward this newsletter to others with such responsibility inside or outside your organization.