
@RISK: The Consensus Security Vulnerability Alert

Volume: IX, Issue: 11
March 11, 2010

@RISK is the SANS community's consensus bulletin summarizing the most important vulnerabilities and exploits identified during the past week and providing guidance on appropriate actions to protect your systems (PART I). It also includes a comprehensive list of all new vulnerabilities discovered in the past week (PART II).


Summary of the vulnerabilities reported this week:

Platform                                Number of Updates and Vulnerabilities
- ------------------------------------  -------------------------------------
Windows                                 1
Microsoft Office                        7 (#2, #3)
Other Microsoft Products                1 (#1)
Third Party Windows Apps                3 (#9, #10)
Linux                                   1
Cross Platform                          1 (#4, #5, #6, #7, #8)
Web Application - Cross Site Scripting  6
Web Application - SQL Injection         9
Web Application                         12

*************** Sponsored By Trusted Computer Solutions ****************

Is your IT organization struggling to keep your enterprise servers in compliance with security policy? Could your organization pass a surprise security audit today? Security Blanket performs fast, consistent, and repeatable operating system lock down to industry or custom security settings in minutes, not days. Audit ready, all the time! Try Security Blanket for FREE.

http://www.sans.org/info/56073

*************************************************************************

TRAINING UPDATE

-- SANS Northern Virginia Bootcamp 2010, April 6-13. Bonus evening presentations include Safe Surfing: How to Surf the Net Without Getting PWND

http://www.sans.org/reston-2010/

-- SANS Security West 2010, San Diego, May 7-15, 2010. 23 courses. Bonus evening presentations include Killer Bee: Exploiting ZigBee and the Kinetic World

http://www.sans.org/security-west-2010/

-- SANSFIRE 2010, Baltimore, June 6-14, 2010. 38 courses. Bonus evening presentations include Software Security Street Fighting Style and The Verizon Data Breach Investigations Report

http://www.sans.org/sansfire-2010/

-- SANSFIRE Rocky Mountain 2010, Denver, July 12-17, 2010. 8 courses. Bonus evening presentations include Hiding in Plain Sight: Forensic Techniques to Counter the Advanced Persistent Threat

http://www.sans.org/rocky-mountain-2010/

-- SANS Boston 2010, June 6-14, 2010. 11 courses

http://www.sans.org/boston-2010/

Looking for training in your own community? http://sans.org/community/

Save on On-Demand training (30 full courses) - See samples at http://www.sans.org/ondemand/spring09.php

Plus Dubai, Geneva, Toronto, Singapore and Brisbane all in the next 90 days. For a list of all upcoming events, on-line and live: www.sans.org

*************************************************************************

Table Of Contents
Part II -- Comprehensive List of Newly Discovered Vulnerabilities from Qualys (www.qualys.com)
Windows
Microsoft Office
Other Microsoft Products
Third Party Windows Apps
Linux
Cross Platform
Web Application - Cross Site Scripting
Web Application - SQL Injection
Web Application

**************************** Sponsored Links: **************************

1) Get real-world forensic techniques from industry-recognized experts at the 2010 European Community Digital Forensics & Incident Response Summit April 19-20 in London. http://www.sans.org/info/56078

2) Rediscover Orlando and hear about Process Control Security issues. Process Control & SCADA Summit March 29-30. http://www.sans.org/info/56083

*************************************************************************

PART I Critical Vulnerabilities

Part I for this issue has been compiled by Rohan Kotian and Joshua Bronson at TippingPoint, a division of 3Com, as a by-product of that company's continuous effort to ensure that its intrusion prevention products effectively block exploits using known vulnerabilities. TippingPoint's analysis is complemented by input from a council of security managers from twelve large organizations who confidentially share with SANS the specific actions they have taken to protect their systems. A detailed description of the process may be found at http://www.sans.org/newsletters/cva/#process

Widely Deployed Software
  • (1) CRITICAL: Microsoft Internet Explorer 'iepeers.dll' Remote Code Execution Vulnerability
  • Affected:
    • Microsoft Windows 2000 Service Pack 4
    • Windows XP Service Pack 2 and Windows XP Service Pack 3
    • Windows XP Professional x64 Edition Service Pack 2
    • Windows Server 2003 Service Pack 2
    • Windows Server 2003 x64 Edition Service Pack 2
    • Windows Server 2003 with SP2 for Itanium-based Systems
    • Windows Vista, Windows Vista Service Pack 1, and Windows Vista Service Pack 2
    • Windows Vista x64 Edition, Windows Vista x64 Edition Service Pack 1, and Windows Vista x64 Edition Service Pack 2
    • Windows Server 2008 for 32-bit Systems and Windows Server 2008 for 32-bit Systems Service Pack 2
    • Windows Server 2008 for x64-based Systems and Windows Server 2008 for x64-based Systems Service Pack 2
    • Windows Server 2008 for Itanium-based Systems and Windows Server 2008 for Itanium-based Systems Service Pack 2
    • Internet Explorer 6 Service Pack 1 on Microsoft Windows 2000 Service Pack 4
    • Internet Explorer 6 for Windows XP Service Pack 2, Windows XP Service Pack 3, and Windows XP Professional x64 Edition Service Pack 2
    • Internet Explorer 6 for Windows Server 2003 Service Pack 2, Windows Server 2003 with SP2 for Itanium-based Systems, and Windows Server 2003 x64 Edition Service Pack 2
    • Internet Explorer 7 for Windows XP Service Pack 2, Windows XP Service Pack 3, and Windows XP Professional x64 Edition Service Pack 2
    • Internet Explorer 7 for Windows Server 2003 Service Pack 2, Windows Server 2003 with SP2 for Itanium-based Systems, and Windows Server 2003 x64 Edition Service Pack 2
    • Internet Explorer 7 in Windows Vista, Windows Vista Service Pack 1, Windows Vista Service Pack 2, Windows Vista x64 Edition, Windows Vista x64 Edition Service Pack 1, and Windows Vista x64 Edition Service Pack 2
    • Internet Explorer 7 in Windows Server 2008 for 32-bit Systems and Windows Server 2008 for 32-bit Systems Service Pack 2
    • Internet Explorer 7 in Windows Server 2008 for Itanium-based Systems and Windows Server 2008 for Itanium-based Systems Service Pack 2
    • Internet Explorer 7 in Windows Server 2008 for x64-based Systems and Windows Server 2008 for x64-based Systems Service Pack 2
  • Description: A vulnerability has been identified in iepeers.dll, a library used by Microsoft Internet Explorer. By enticing the user to visit a specially crafted page, an attacker can execute arbitrary code with the permissions of the currently logged-in user. The vulnerability exists because the vulnerable software can use a pointer reference after it has been freed. Microsoft has reported targeted attacks attempting to exploit this vulnerability. Full technical details for this vulnerability are publicly available via a proof-of-concept.
  • Status: Vendor confirmed, no updates available.

  • References:
  • (3) HIGH: Microsoft Windows Movie Maker Buffer Overflow Vulnerability (MS10-016)
  • Affected:
    • Windows XP Service Pack 2 and Windows XP Service Pack 3
    • Windows XP Professional x64 Edition Service Pack 2
    • Windows Vista, Windows Vista Service Pack 1, and Windows Vista Service Pack 2
    • Windows Vista x64 Edition, Windows Vista x64 Edition Service Pack 1, and Windows Vista x64 Edition Service Pack 2
    • Windows 7 for 32-bit Systems
    • Windows 7 for x64-based Systems
    • Microsoft Producer 2003
    • Movie Maker 2.1
    • Movie Maker 2.6
    • Movie Maker 6.0
  • Description: Windows Movie Maker is video editing, video creation and audio editing software from Microsoft and is included by default in most Windows operating systems. A buffer overflow vulnerability has been identified in Windows Movie Maker which can be triggered by a specially crafted Movie Maker or Producer 2003 project file. The issue is a boundary error in the "IsValidWMToolsStream()" function caused by inadequate bounds checking on size values read from a malicious file. Successful exploitation might allow an attacker to execute arbitrary code in the context of the affected application. User interaction is required to carry out this attack, in that the user has to be convinced to open the malicious file. Some technical details of the vulnerability are publicly available.

  • Status: Vendor confirmed, updates available.

  • References:
  • (4) HIGH: Autonomy KeyView Module OLE Document Processing Integer Overflow Vulnerability
  • Affected:
    • Symantec Mail Security for SMTP 5.0.1
    • Symantec Mail Security for SMTP 5.0
    • Symantec Mail Security for Microsoft Exchange 6.0.9
    • Symantec Mail Security for Microsoft Exchange 6.0.8
    • Symantec Mail Security for Microsoft Exchange 6.0.7
    • Symantec Mail Security for Microsoft Exchange 6.0.6
    • Symantec Mail Security for Microsoft Exchange 5.0.13
    • Symantec Mail Security for Microsoft Exchange 5.0.12
    • Symantec Mail Security for Microsoft Exchange 5.0.11
    • Symantec Mail Security for Microsoft Exchange 5.0.10.382
    • Symantec Mail Security for Microsoft Exchange 5.0.10
    • Symantec Mail Security for Domino 8.0.2
    • Symantec Mail Security for Domino 8.0.1
    • Symantec Mail Security for Domino 7.5.8
    • Symantec Mail Security for Domino 7.5.7
    • Symantec Mail Security for Domino 7.5.6
    • Symantec Mail Security for Domino 8.0
    • Symantec Mail Security for Domino 7.5.5.32
    • Symantec Mail Security for Domino 7.5.4.29
    • Symantec Mail Security for Domino 7.5.3.25
    • Symantec IM Manager 8.4
    • Symantec IM Manager 8.3
    • Symantec Data Loss Prevention Endpoint Agents 9.0.2
    • Symantec Data Loss Prevention Endpoint Agents 8.1
    • Symantec Data Loss Prevention Endpoint Agents 10.0
    • Symantec Data Loss Prevention Detection Servers for Windows 9.0.2
    • Symantec Data Loss Prevention Detection Servers for Windows 8.1.1
    • Symantec Data Loss Prevention Detection Servers for Windows 10.0
    • Symantec Data Loss Prevention Detection Servers for Linux 9.0.2
    • Symantec Data Loss Prevention Detection Servers for Linux 8.1.1
    • Symantec Data Loss Prevention Detection Servers for Linux 10.0
    • Symantec Data Loss Prevention Detection Servers 7.2 37
    • Symantec Data Loss Prevention Detection Servers 7.2
    • Symantec Brightmail Gateway 8.0.2
    • Symantec Brightmail Gateway 8.0.1
    • Symantec Brightmail Gateway 8.0
    • IBM Lotus Notes 8.5
  • Description: The Autonomy KeyView Software Developer's Kit (SDK) is a collection of file parsing libraries used by many popular products, such as IBM Lotus Notes and several Symantec products. The SDK is used to automatically parse and display different document formats, such as PowerPoint, Excel and Word, as well as other OLE document formats. An integer overflow vulnerability has been identified in Autonomy's KeyView Filter SDK which can be triggered by a specially crafted OLE document. The issue is caused by an integer overflow error in "kvolefio.dll" while processing an OLE document: the software does not perform adequate input validation while reading an integer value from the file. This integer is used to calculate the amount of memory to allocate, and if the supplied value is large the calculation overflows. Successful exploitation might allow an attacker to execute arbitrary code in the context of the affected application. Some technical details for the vulnerability are publicly available.

  • Status: Vendor confirmed, updates available.

  • References:
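Items (3) and (4) share one root cause: a size read from the file is trusted to drive allocation and copying. The C code below is an added example, not code from Movie Maker, KeyView or any vendor on this page; the record layout, element size and policy limit are assumptions made up for it. It shows how an unchecked 32-bit multiply wraps, and how a hardened parser checks the file-supplied count against a policy limit, size_t arithmetic and the bytes actually present before it touches malloc() or memcpy().

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Hypothetical record layout, constructed for this example (not any real file format):
 * a 4-byte little-endian element count followed by count * ELEM_SIZE payload bytes. */
#define ELEM_SIZE 16u
#define MAX_ELEMS 4096u   /* the parser's own policy limit; the file does not get a vote */

enum parse_status {
    PARSE_OK = 0,
    PARSE_TRUNCATED,   /* header claims more bytes than the file holds (item 3 pattern) */
    PARSE_OVERFLOW,    /* count * ELEM_SIZE would wrap size_t (item 4 pattern) */
    PARSE_TOO_LARGE,   /* count exceeds the policy limit */
    PARSE_NOMEM
};

static uint32_t read_le32(const unsigned char *p)
{
    return (uint32_t)p[0] | ((uint32_t)p[1] << 8) |
           ((uint32_t)p[2] << 16) | ((uint32_t)p[3] << 24);
}

/* What an unchecked 32-bit parser computes for its allocation: the product wraps
 * modulo 2^32, so a huge file-supplied count yields a tiny buffer while the copy
 * that follows still trusts the original count. Illustration only, never used below. */
uint32_t unchecked_alloc_size32(uint32_t count)
{
    return count * ELEM_SIZE;   /* wraps once count >= 2^28 */
}

/* Overflow-safe multiply: returns 0 and stores a*b, or 1 if the product cannot fit. */
int checked_mul(size_t a, size_t b, size_t *out)
{
    if (b != 0 && a > SIZE_MAX / b)
        return 1;
    *out = a * b;
    return 0;
}

int mul_overflows(size_t a, size_t b)
{
    size_t unused;
    return checked_mul(a, b, &unused);
}

/* Hardened parser: the count from the file is checked against the policy limit,
 * against size_t arithmetic and against the bytes actually present before it is
 * allowed to drive malloc() or memcpy(). */
enum parse_status parse_record(const unsigned char *buf, size_t len,
                               unsigned char **out, size_t *out_len)
{
    uint32_t count;
    size_t need;
    unsigned char *p;
    *out = NULL;
    *out_len = 0;
    if (len < 4)
        return PARSE_TRUNCATED;
    count = read_le32(buf);
    if (count > MAX_ELEMS)
        return PARSE_TOO_LARGE;
    if (checked_mul(count, ELEM_SIZE, &need))   /* defence in depth behind the limit */
        return PARSE_OVERFLOW;
    if (need > len - 4)                          /* header promises more than is present */
        return PARSE_TRUNCATED;
    p = malloc(need ? need : 1);
    if (p == NULL)
        return PARSE_NOMEM;
    memcpy(p, buf + 4, need);
    *out = p;
    *out_len = need;
    return PARSE_OK;
}

/* Constructed sample inputs. */
static const unsigned char GOOD_REC[4 + 2 * ELEM_SIZE] = { 0x02, 0x00, 0x00, 0x00, 'A' }; /* count 2, 32 bytes */
static const unsigned char SHORT_REC[4 + ELEM_SIZE]    = { 0x03, 0x00, 0x00, 0x00 };      /* claims 3, holds 1 */
static const unsigned char HUGE_REC[4 + ELEM_SIZE]     = { 0x01, 0x00, 0x00, 0x10 };      /* count 0x10000001 */

/* Parse one sample: returns the accepted payload length, or the negated parse_status. */
long try_sample(const unsigned char *buf, size_t len)
{
    unsigned char *data;
    size_t n;
    enum parse_status st = parse_record(buf, len, &data, &n);
    free(data);
    return st == PARSE_OK ? (long)n : -(long)st;
}

int main(void)
{
    printf("good  -> %ld\n", try_sample(GOOD_REC, sizeof GOOD_REC));
    printf("short -> %ld\n", try_sample(SHORT_REC, sizeof SHORT_REC));
    printf("huge  -> %ld\n", try_sample(HUGE_REC, sizeof HUGE_REC));
    printf("unchecked 32-bit size for count 0x10000001: %u\n", unchecked_alloc_size32(0x10000001u));
    return 0;
}
```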
  • (5) HIGH: Opera Web Browser "Content-Length" Header Buffer Overflow Vulnerability
  • Affected:
    • Opera versions 10.50 and prior
  • Description: Opera is a popular cross-platform web browser. A buffer overflow vulnerability has been identified in Opera which can be triggered by specially crafted HTTP response. The specific flaw is caused by an error in the way Opera handles HTTP responses that contain an overly large number in the "Content-Length" header field. Successful exploitation might allow an attacker to execute arbitrary code in the context of the logged on user. Full technical details for the vulnerability are publicly available along with a proof-of-concept.

  • Status: Vendor confirmed, updates available.

  • References:
  • (6) HIGH: Authentium Command On Demand ActiveX Control Multiple Vulnerabilities
  • Affected:
    • Authentium CSS Web Installer 1.4.9508.605
    • Authentium Command On Demand Online Scan 0
  • Description: Authentium Command On Demand is a web-based free virus scanner and it scans for more than half a million threats on the Internet daily. Multiple buffer overflow vulnerabilities have been identified in the CSS Web Installer ActiveX control that is present in Authentium Command On Demand online scanner. The issues are caused by buffer overflow errors in the "InstallProduct()", "InstallProduct1()" or "InstallProduct2()" methods, while processing arguments passed to these methods. A specially crafted web page, which contains overlong arguments passed to the vulnerable methods, can be used to trigger these vulnerabilities. Successful exploitation might allow an attacker to execute arbitrary code in the context of the affected application. Full technical details for these vulnerabilities are publicly available along with proof-of-concepts.

  • Status: Vendor not confirmed, no updates available. Users can mitigate the impact of this vulnerability by disabling the vulnerable control via Microsoft's kill bit mechanisms for CLSID 6CCE3920-3183-4B3D-808A-B12EB769DE12. Note that this may affect normal application functionality.

  • References:
  • (7) HIGH: Hewlett-Packard Performance Insight Remote Command Execution Vulnerability
  • Affected:
    • HP OpenView Performance Insight 5.1.2
    • HP OpenView Performance Insight 5.1.1
    • HP OpenView Performance Insight 5.4
    • HP OpenView Performance Insight 5.2
    • HP OpenView Performance Insight 5.1
    • HP OpenView Performance Insight 5.0
    • HP Performance Insight 5.4
    • HP Performance Insight 5.3
  • Description: HP Performance Insight is a solution used to measure, compare and improve the performance of the systems and networks in a service. A remote command execution vulnerability has been identified in HP Performance Insight which can be triggered by specially crafted requests. The issue is caused by inadequate input validation and authentication of requests to the "helpmanager" servlet running on the server. An attacker can exploit this vulnerability to execute arbitrary commands by uploading malicious JSP pages. Authentication is not required to exploit this vulnerability. Some technical details for the vulnerability are publicly available.

  • Status: Vendor confirmed, updates available.

  • References:
  • (9) MODERATE: Yahoo! Player Playlist Processing Buffer Overflow Vulnerability
  • Affected:
    • Yahoo! Player 1.5.01.409
    • Yahoo! Player 1.0
  • Description: A buffer overflow vulnerability has been identified in Yahoo! Player. The specific flaw is caused by a boundary error while processing playlist entries in formats such as ".m3u" and ".pls". A specially crafted .m3u or .pls file with overlong entries, when loaded by an affected player, can be used to trigger this vulnerability. Successful exploitation might allow an attacker to execute arbitrary code in the context of the affected application. Full technical details for the vulnerability are publicly available along with a proof-of-concept.

  • Status: Vendor not confirmed, no updates available.

  • References:
  • (10) MODERATE: VLC Media Player Bookmark Handling Buffer Overflow Vulnerability
  • Affected:
    • VideoLAN VLC media player 1.0.5
    • VideoLAN VLC media player 1.0.3
    • VideoLAN VLC media player 1.0.2
    • VideoLAN VLC media player 1.0.1
    • VideoLAN VLC media player 1.0
  • Description: VLC media player is an open source, cross-platform media player developed by the VideoLAN project. A buffer overflow vulnerability has been identified in VLC media player. A specially crafted .mp3 file, when loaded by a vulnerable player, can be used to trigger this vulnerability. The specific flaw is caused by boundary errors while creating bookmarks during playback of a malicious media file. Successful exploitation might lead to system access or a denial-of-service condition. Full technical details and a proof-of-concept for this vulnerability are publicly available.

  • Status: Vendor not confirmed, no updates available.

  • References:
Part II: Weekly Comprehensive List of Newly Discovered Vulnerabilities
Week 11, 2010

This list is compiled by Qualys (www.qualys.com) as part of that company's ongoing effort to ensure its vulnerability management web service tests for all known vulnerabilities that can be scanned. As of this week Qualys scans for 8177 unique vulnerabilities. For this special SANS community listing, Qualys also includes vulnerabilities that cannot be scanned remotely.

  • 10.11.2 - CVE: CVE-2010-0257
  • Platform: Microsoft Office
  • Title: Microsoft Excel Document Parsing Remote Code Execution (CVE-2010-0257)
  • Description: Microsoft Excel is a spreadsheet application that is part of the Microsoft Office suite. Excel is exposed to a remote code execution issue when parsing a specially crafted Excel (.xls) file. Loading a malformed file can corrupt memory.
  • Ref: http://www.microsoft.com/technet/security/Bulletin/MS10-017.mspx

  • 10.11.3 - CVE: CVE-2010-0258
  • Platform: Microsoft Office
  • Title: Microsoft Excel Object Type Confusion Remote Code Execution
  • Description: Microsoft Excel is a spreadsheet application that is part of the Microsoft Office suite. Excel is prone to a remote code execution vulnerability when parsing a specially crafted Excel (.xls) file. Loading a malformed file can corrupt memory.
  • Ref: http://www.microsoft.com/technet/security/Bulletin/MS10-017.mspx

  • 10.11.4 - CVE: CVE-2010-0260
  • Platform: Microsoft Office
  • Title: Microsoft Excel MDXTUPLE Record Remote Heap Buffer Overflow
  • Description: Microsoft Excel is a spreadsheet application that is part of the Microsoft Office suite. Excel is exposed to a remote heap-based buffer overflow issue when parsing a specially crafted Excel (.xls) file. This issue is related to the parsing of MDXTUPLE records contained in Excel files.
  • Ref: http://www.microsoft.com/technet/security/Bulletin/MS10-017.mspx

  • 10.11.5 - CVE: CVE-2010-0261
  • Platform: Microsoft Office
  • Title: Microsoft Excel MDXSET Record Remote Heap Buffer Overflow
  • Description: Microsoft Excel is a spreadsheet application that is part of the Microsoft Office suite. Excel is exposed to a remote heap-based buffer overflow issue when parsing a specially crafted Excel (.xls) file. This issue is related to the parsing of MDXSET records contained in Excel files.
  • Ref: http://www.microsoft.com/technet/security/Bulletin/MS10-017.mspx

  • 10.11.6 - CVE: CVE-2010-0262
  • Platform: Microsoft Office
  • Title: Microsoft Excel FNGROUPNAME Record Remote Code Execution
  • Description: Microsoft Excel is a spreadsheet application that is part of the Microsoft Office suite. Excel is exposed to a remote code execution issue when parsing a specially crafted Excel (.xls) file. This issue is related to the parsing of FNGROUPNAME records contained in Excel files.
  • Ref: http://www.microsoft.com/technet/security/Bulletin/MS10-017.mspx

  • 10.11.7 - CVE: CVE-2010-0263
  • Platform: Microsoft Office
  • Title: Microsoft Excel XLSX File Parsing Remote Code Execution
  • Description: Microsoft Excel is a spreadsheet application that is part of the Microsoft Office suite. Excel is exposed to a remote code execution issue when parsing a specially crafted Excel (.xlsx) file.
  • Ref: http://www.microsoft.com/technet/security/Bulletin/MS10-017.mspx

  • 10.11.8 - CVE: CVE-2010-0264
  • Platform: Microsoft Office
  • Title: Microsoft Excel DbOrParamQry Record Remote Code Execution
  • Description: Microsoft Excel is a spreadsheet application that is part of the Microsoft Office suite. Excel is exposed to a remote code execution issue when parsing a specially crafted Excel (.xls) file. This issue is related to the parsing of DbOrParamQry records contained in Excel files.
  • Ref: http://www.microsoft.com/technet/security/Bulletin/MS10-017.mspx

  • 10.11.9 - CVE: CVE-2010-0806
  • Platform: Other Microsoft Products
  • Title: Microsoft Internet Explorer Remote Code Execution (CVE-2010-0806)
  • Description: Microsoft Internet Explorer is a browser for the Windows operating system. Internet Explorer is exposed to a remote code execution issue that occurs because an invalid pointer may attempt to access an object after it has been deleted.
  • Ref: http://www.kb.cert.org/vuls/id/744549

  • 10.11.10 - CVE: Not Available
  • Platform: Third Party Windows Apps
  • Title: Yahoo! Player Playlist Processing Buffer Overflow
  • Description: Yahoo! Player is a multimedia player available for Microsoft Windows. Yahoo! Player is exposed to a stack-based buffer overflow issue because it fails to bounds check user-supplied data before copying it into an insufficiently sized buffer. Yahoo! Player versions 1.5.01.409 and 1.0 are affected.
  • Ref: http://www.securityfocus.com/bid/38581

  • 10.11.11 - CVE: Not Available
  • Platform: Third Party Windows Apps
  • Title: WinSmMuPl ".mp3" File Remote Buffer Overflow
  • Description: WinSmMuPl is a music player for Microsoft Windows. WinSmMuPl is exposed to a remote buffer overflow issue because it fails to perform adequate checks on user-supplied input. Specifically, this issue occurs when opening a crafted ".mp3" file. WinSmMuPl version 1.2.5 is affected.
  • Ref: http://www.securityfocus.com/bid/38584

  • 10.11.12 - CVE: Not Available
  • Platform: Third Party Windows Apps
  • Title: TopDownloads MP3 Player ".mp3" File Remote Buffer Overflow
  • Description: TopDownloads MP3 Player is a media player available for Microsoft Windows. TopDownloads MP3 Player is exposed to a remote buffer overflow issue because it fails to perform adequate checks on user-supplied input. TopDownloads MP3 Player version 1.0 is affected.
  • Ref: http://www.exploit-db.com/exploits/11652

  • 10.11.13 - CVE: Not Available
  • Platform: Linux
  • Title: Linux Kernel Video Output Status Local Denial of Service
  • Description: The Linux kernel is exposed to a local denial of service issue. The issue stems from an error while reading the status of video output devices on certain ThinkPad platforms and can be triggered by reading "/proc/acpi/ibm/video". Linux kernel versions prior to 2.6.34-rc1 on certain ThinkPad platforms are affected.
  • Ref: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=565790

  • 10.11.14 - CVE: Not Available
  • Platform: Cross Platform
  • Title: SpamAssassin Milter Plugin "mlfi_envrcpt()" Remote Arbitrary Command Injection
  • Description: SpamAssassin is a mail filter designed to identify and process spam. SpamAssassin Milter Plugin is a plugin for the Sendmail Milter library that pipes all incoming email through SpamAssassin. The application is exposed to a remote command injection issue because it fails to adequately sanitize user-supplied input to the "RCPT TO" SMTP command. SpamAssassin Milter Plugin version 0.3.1 is affected.
  • Ref: http://seclists.org/fulldisclosure/2010/Mar/140
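For the command injection pattern in the entry above, here is an added defensive example in C (not code from SpamAssassin Milter, Sendmail or any project on this page): a strict recipient validator and a way to hand the address to a helper program without involving a shell. The helper program name and the allowed character set are assumptions made for the example.

```c
#include <ctype.h>
#include <stdio.h>
#include <string.h>
#include <sys/wait.h>
#include <unistd.h>

#define MAX_RCPT_LEN 254

/* Conservative allow-list check for an address taken from RCPT TO: letters, digits and
 * a little punctuation in the local part, letters/digits/dot/hyphen in the domain,
 * exactly one '@', both sides non-empty. Quotes, spaces, control bytes and shell
 * metacharacters never pass, so nothing downstream has to reason about them.
 * Deliberately stricter than RFC 5321; adjust the allow-list to local policy. */
int recipient_is_safe(const char *rcpt)
{
    static const char local_punct[] = ".-_+=";
    size_t n = strlen(rcpt);
    const char *at = strchr(rcpt, '@');
    const char *p;

    if (n == 0 || n > MAX_RCPT_LEN || at == NULL || at == rcpt || at[1] == '\0')
        return 0;
    if (strchr(at + 1, '@') != NULL)          /* a second '@' is never acceptable */
        return 0;
    for (p = rcpt; p < at; p++)
        if (!isalnum((unsigned char)*p) && strchr(local_punct, *p) == NULL)
            return 0;
    for (p = at + 1; *p != '\0'; p++)
        if (!isalnum((unsigned char)*p) && *p != '.' && *p != '-')
            return 0;
    return 1;
}

/* Hand the address to a helper program as one argv element. The bug class on this page
 * comes from building a command line with the address embedded in it and passing that
 * string to system() or popen(), which lets the shell interpret it. fork() + execvp()
 * with an argument vector never starts a shell, so the address stays plain data.
 * Returns the helper's exit status, or -1 if the address was rejected or spawning failed. */
int run_helper_for_recipient(const char *program, const char *rcpt)
{
    pid_t pid;
    int status;

    if (!recipient_is_safe(rcpt))
        return -1;
    pid = fork();
    if (pid < 0)
        return -1;
    if (pid == 0) {
        char *const argv[] = { (char *)program, (char *)rcpt, NULL };
        execvp(program, argv);
        _exit(127);   /* exec failed */
    }
    if (waitpid(pid, &status, 0) < 0)
        return -1;
    return WIFEXITED(status) ? WEXITSTATUS(status) : -1;
}

int main(void)
{
    /* Constructed sample addresses: two well-formed, four that the validator must refuse. */
    const char *samples[] = { "alice@example.com", "bob+list@mail.example.org",
                              "alice example@example.com", "\"alice\"@example.com",
                              "alice@example.com\n", "@example.com" };
    size_t i;
    for (i = 0; i < sizeof samples / sizeof samples[0]; i++)
        printf("%-30s -> %s\n", samples[i], recipient_is_safe(samples[i]) ? "accepted" : "rejected");
    /* "true" is assumed to be on PATH; it exits 0 without doing anything. */
    printf("helper exit status: %d\n", run_helper_for_recipient("true", samples[0]));
    return 0;
}
```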

  • 10.11.15 - CVE: CVE-2010-0434
  • Platform: Cross Platform
  • Title: Apache Subrequest Handling Information Disclosure
  • Description: Apache server is exposed to an information disclosure issue. Specifically the issue arises during the handling of headers in sub requests. This issue presents itself when multi-threaded Multi-Processing Mode (MPM) is used, potentially allowing a thread to obtain unauthorized access to sensitive memory. Apache versions prior to 2.2.15 are affected.
  • Ref: http://httpd.apache.org/security/vulnerabilities_22.html

  • 10.11.16 - CVE: Not Available
  • Platform: Cross Platform
  • Title: Perforce Server User Workspace Directory Traversal
  • Description: Perforce Server is a revision control system. Perforce Server is exposed to a directory traversal issue due to an authorization failure in the application and inadequate access control to user workspaces. Perforce Server version 2009.2 is affected.
  • Ref: http://www.securityfocus.com/bid/38586

  • 10.11.17 - CVE: Not Available
  • Platform: Cross Platform
  • Title: Perforce Server Journal and Log File Information Disclosure
  • Description: Perforce Server is a revision control system. Perforce Server is exposed to an information disclosure issue that occurs because the application's journal, log file and other unspecified files are installed world readable by default. Perforce Server version 2009.2 is affected.
  • Ref: http://www.securityfocus.com/bid/38590

  • 10.11.18 - CVE: Not Available
  • Platform: Cross Platform
  • Title: Perforce Server Unauthorized Password Change Security Bypass
  • Description: Perforce Server is a revision control system. The application is exposed to a security bypass issue related to the password change feature. An authenticated attacker can initiate a change password session and then substitute another username to complete the change.
  • Ref: http://www.securityfocus.com/bid/38591

  • 10.11.19 - CVE: Not Available
  • Platform: Cross Platform
  • Title: Perforce Socket Hijacking
  • Description: Perforce Server is a revision control system. Perforce is exposed to an issue that allows local attackers to hijack sockets. Specifically, Perforce fails to bind sockets with the "SO_EXCLUSIVEADDRUSE" option. Since Perforce binds sockets for a "wildcard" address, a malicious local application that binds the same port using a specific address will gain precedence over Perforce for incoming connections.
  • Ref: http://www.securityfocus.com/bid/38594

  • 10.11.20 - CVE: Not Available
  • Platform: Cross Platform
  • Title: QuickZip ZIP File Remote Buffer Overflow
  • Description: QuickZip is a file compression/extraction application. The application is exposed to a remote buffer overflow issue because it fails to perform adequate boundary checks on user-supplied data. The issue occurs when handling specially crafted ZIP files.
  • Ref: http://www.securityfocus.com/bid/38602

  • 10.11.21 - CVE: CVE-2010-0728
  • Platform: Cross Platform
  • Title: Samba "CAP_DAC_OVERRIDE" File Permissions Security Bypass
  • Description: Samba allows users to share files and printers between operating systems on UNIX and Windows platforms. Samba is exposed to an issue that may allow attackers to bypass certain security restrictions. This issue occurs because the Samba daemon inherits the CAP_DAC_OVERRIDE capabilities. Samba versions 3.3.11, 3.4.6 and 3.5.0 are affected.
  • Ref: https://bugzilla.samba.org/show_bug.cgi?id=7222

  • 10.11.22 - CVE: CVE-2010-0447
  • Platform: Cross Platform
  • Title: HP Performance Insight Remote Command Execution
  • Description: HP Performance Insight is an application for managing network data. HP Performance Insight is exposed to a remote command execution issue. An attacker can exploit this issue to execute commands with SYSTEM level privileges. Successful exploits will completely compromise affected computers.
  • Ref: http://www.zerodayinitiative.com/advisories/ZDI-10-026/

  • 10.11.23 - CVE: Not Available
  • Platform: Cross Platform
  • Title: Limited Shell Multiple Local Security Bypass Vulnerabilities
  • Description: Limited Shell is a shell implemented in Python. The application is exposed to multiple local security bypass issues because it fails to properly verify unspecified commands. Limited Shell versions prior to 0.9.9 are affected.
  • Ref: http://lshell.ghantoos.org/Changelog

  • 10.11.24 - CVE: Not Available
  • Platform: Cross Platform
  • Title: PostgreSQL JOIN Hashtable Size Integer Overflow Denial of Service
  • Description: PostgreSQL is an open source relational database suite. It is available for UNIX, Linux and their variants, Apple Mac OS X and Microsoft Windows. PostgreSQL is exposed to a remote denial of service issue because it fails to properly validate user-supplied data before using it in memory allocation calculations.
  • Ref: http://git.postgresql.org/gitweb?p=postgresql.git;a=commitdiff;h=64b057e6823655fb6c5d1f24a28f236b94dd6c54

  • 10.11.25 - CVE: CVE-2010-0624
  • Platform: Cross Platform
  • Title: GNU Tar and GNU Cpio Remote Buffer Overflow
  • Description: GNU Tar and GNU Cpio are applications for managing archive files. The applications are exposed to a heap-based buffer overflow issue in the client implementation of the remote magnetic tape (rmt) protocol because it fails to perform adequate boundary checks on user-supplied data. GNU Tar versions prior to 1.23 and GNU Cpio versions prior to 2.11 are affected.
  • Ref: http://www.agrs.tu-berlin.de/index.php?id=78327

  • 10.11.26 - CVE: Not Available
  • Platform: Web Application - Cross Site Scripting
  • Title: Max Network Technology BBSMAX
  • Description: Max Network Technology BBSMAX is an ASPX-based forum application. The application is exposed to a cross-site scripting issue because it fails to properly sanitize user-supplied input to the "action" parameter of the "post.aspx" script. Max Network Technology BBSMAX version 4.2 is affected.
  • Ref: http://www.securityfocus.com/archive/1/509905

  • 10.11.27 - CVE: Not Available
  • Platform: Web Application - Cross Site Scripting
  • Title: Croogo CMS Contact Module Multiple Cross-Site Scripting Vulnerabilities
  • Description: Croogo CMS is a PHP-based content manager. The application is exposed to multiple cross-site scripting issues because it fails to properly sanitize user-supplied input to the "title" and "subject" fields of the "Contact" module. Croogo CMS versions prior to 1.2.1 are affected.
  • Ref: http://webvuln.com/advisories/009.croogo_1.2.xss.txt

  • 10.11.28 - CVE: Not Available
  • Platform: Web Application - Cross Site Scripting
  • Title: ASPCode CMS "default.asp" Multiple Cross-Site Scripting Vulnerabilities
  • Description: ASPCode CMS is an ASP-based content management system. The application is exposed to multiple cross-site scripting issues. A cross-site scripting issue affects the "Email" field of the "default.asp" script when the "ma1" parameter is set to "forgotpass". Multiple cross-site scripting issues affect the "ma1", "tag", and "ma2" parameters of the "default.asp" script. ASPCode CMS version 1.5.8 is affected.
  • Ref: http://www.securityfocus.com/bid/38601

  • 10.11.29 - CVE: Not Available
  • Platform: Web Application - Cross Site Scripting
  • Title: eGroupware Cross-Site Scripting and Remote Command Execution Vulnerabilities
  • Description: eGroupWare is a web-based groupware application implemented in PHP. The application is exposed to multiple issues: A cross-site scripting issue that affects the "lang" parameter of the "login.php" script; A remote command execution issue that affects the "spellchecker_lang" parameter of the "phpgwapi/js/fckeditor/editor/dialog/fck_spellerpages/spellerpages/server-scripts/spellchecker.php" script. eGroupware versions prior to 1.6.003 are affected.
  • Ref: http://www.egroupware.org/news?category_id=95&item=93

  • 10.11.30 - CVE: Not Available
  • Platform: Web Application - Cross Site Scripting
  • Title: IBM ENOVIA SmarTeam "LoginPage.aspx" Cross-Site Scripting
  • Description: IBM ENOVIA SmarTeam is a lifecycle management application. The application is exposed to a cross-site scripting issue because it fails to sufficiently sanitize user-supplied input to the "errMsg" parameter of the "WebEditor/Authentication/LoginPage.aspx" script.
  • Ref: http://www.securityfocus.com/archive/1/509975

  • 10.11.31 - CVE: Not Available
  • Platform: Web Application - Cross Site Scripting
  • Title: PHP File Sharing System "cam" Parameter Cross-Site Scripting
  • Description: PHP File Sharing System is a web-based application for managing a system's files remotely. The application is exposed to a cross-site scripting issue because it fails to properly sanitize user-supplied input to the "cam" parameter of the "index.php" script. PHP File Sharing System version 1.5.1 is affected.
  • Ref: http://www.securityfocus.com/bid/38627
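
The six entries above share one sink: a request parameter copied into the response page without output encoding. The following Python example is added here to illustrate that pattern and its fix; it is not code from BBSMAX, Croogo, ASPCode CMS, eGroupWare, SmarTeam or PHP File Sharing System, and the probe strings, page template and detector are constructed for the demonstration.

```python
import html
import json

# Added example: a reflected-XSS sink and a context-aware fix.  Not code from
# any product named in this bulletin; probes and template are constructed.

# Constructed probe values of the kind sent to an echoed parameter.
PROBES = [
    '<script>alert(1)</script>',               # text-node context
    '" onmouseover="alert(1)',                 # quoted-attribute context
    "</script><script>alert(1)</script>",      # closes an inline <script>
]


def encode_for(context: str, value: str) -> str:
    """Encode an untrusted value for the HTML output context it lands in."""
    if context == "html":
        # Text nodes and quoted attribute values: entity-encode <, >, &, ", '.
        return html.escape(value, quote=True)
    if context == "js":
        # A JS string literal inside <script>: json.dumps escapes quotes and
        # backslashes; additionally neutralise characters that could end the
        # <script> element or start markup, since entity encoding does not
        # apply inside script text.
        return (json.dumps(value)
                .replace("<", "\\u003c")
                .replace(">", "\\u003e")
                .replace("&", "\\u0026"))
    raise ValueError(f"unknown context {context!r}")


def render_unsafe(param: str) -> str:
    """Vulnerable pattern: the parameter is pasted into the page unchanged."""
    return (f'<input name="q" value="{param}">'
            f'<p>Results for {param}</p>'
            f'<script>var q = "{param}";</script>')


def render_safe(param: str) -> str:
    """Hardened: every copy of the value is encoded for its own context."""
    return (f'<input name="q" value="{encode_for("html", param)}">'
            f'<p>Results for {encode_for("html", param)}</p>'
            f'<script>var q = {encode_for("js", param)};</script>')


def injects_markup(page: str) -> bool:
    """Demo-only detector: did a probe survive as live markup or a live
    attribute?  Looks for the signatures the constructed probes leave."""
    return ('<script>alert' in page) or ('onmouseover="alert' in page)


if __name__ == "__main__":
    for p in PROBES:
        print(f"{p!r}: unsafe={injects_markup(render_unsafe(p))} "
              f"safe={injects_markup(render_safe(p))}")
```

The point of the separate "js" branch is that HTML entity encoding is the wrong tool inside an inline script: `&lt;` stays `&lt;` there, while an unencoded `</script>` ends the element early. Encode for the context the value is written into, not for the page as a whole.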

  • 10.11.32 - CVE: Not Available
  • Platform: Web Application - SQL Injection
  • Title: dev4u "go_target.php" SQL Injection
  • Description: dev4u is a PHP-based content manager. The application is exposed to an SQL injection issue because it fails to sufficiently sanitize user-supplied input to the "kontent_id" parameter of the "go_target.php" script before using it in an SQL query.
  • Ref: http://www.securityfocus.com/bid/38577

  • 10.11.33 - CVE: Not Available
  • Platform: Web Application - SQL Injection
  • Title: Pre E-Learning Portal "search_result.asp" SQL Injection
  • Description: Pre E-Learning Portal is an ASP-based web application. The application is exposed to an SQL injection issue because it fails to sufficiently sanitize user-supplied input to the "course_ID" parameter of the "search_result.asp" script before using it in an SQL query.
  • Ref: http://www.securityfocus.com/bid/38582

  • 10.11.34 - CVE: Not Available
  • Platform: Web Application - SQL Injection
  • Title: Bild Flirt System "index.php" SQL Injection
  • Description: Bild Flirt System is a PHP-based content manager. The application is exposed to an SQL injection issue because it fails to sufficiently sanitize user-supplied input to the "id" parameter of the "index.php" script before using it in an SQL query. Bild Flirt System version 2.0 is affected.
  • Ref: http://www.securityfocus.com/bid/38585

  • 10.11.35 - CVE: Not Available
  • Platform: Web Application - SQL Injection
  • Title: Bigforum "profil.php" SQL Injection
  • Description: Bigforum is a PHP-based forum application. The application is exposed to an SQL injection issue because it fails to sufficiently sanitize user-supplied input to the "id" parameter of the "profil.php" script before using it in an SQL query. Bigforum version 4.5 is affected.
  • Ref: http://www.securityfocus.com/bid/38597

  • 10.11.36 - CVE: Not Available
  • Platform: Web Application - SQL Injection
  • Title: WILD CMS "page.php" SQL Injection
  • Description: WILD CMS is a content manager implemented in PHP. The application is exposed to an SQL injection issue because it fails to sufficiently sanitize user-supplied input to the "page_id" parameter of the "page.php" script before using it in an SQL query.
  • Ref: http://www.securityfocus.com/archive/1/509973

  • 10.11.37 - CVE: Not Available
  • Platform: Web Application - SQL Injection
  • Title: Joomla! "com_hezacontent" Component "id" Parameter SQL Injection
  • Description: The "com_hezacontent" application is a PHP-based component for the Joomla! content manager. The component is exposed to an SQL injection issue because it fails to sufficiently sanitize user-supplied data to the "id" parameter before using it in an SQL query. "com_hezacontent" version 1.0 is affected.
  • Ref: http://www.securityfocus.com/bid/38618

  • 10.11.38 - CVE: Not Available
  • Platform: Web Application - SQL Injection
  • Title: NUs "Nus.php" SQL Injection
  • Description: NUs is a PHP-based news management application. The application is exposed to an SQL injection issue because it fails to sufficiently sanitize user-supplied input to the "id" parameter of the "Nus.php" script before using it in an SQL query. NUs version 1.02 is affected.
  • Ref: http://www.securityfocus.com/bid/38620

  • 10.11.39 - CVE: Not Available
  • Platform: Web Application - SQL Injection
  • Title: MH Products kleinanzeigenmarkt "search.php" SQL Injection
  • Description: MH Products kleinanzeigenmarkt is a web-based application. The application is exposed to an SQL injection issue because it fails to sufficiently sanitize user-supplied data to the "c" parameter of the "search.php" script before using the data in an SQL query.
  • Ref: http://www.securityfocus.com/bid/38622

  • 10.11.40 - CVE: Not Available
  • Platform: Web Application - SQL Injection
  • Title: RSStatic "index.php" SQL Injection
  • Description: RSStatic is an RSS feed reader implemented in PHP. The application is exposed to an SQL injection issue because it fails to sufficiently sanitize user-supplied input to the "maxarticles" parameter of the "index.php" script before using it in an SQL query.
  • Ref: http://www.securityfocus.com/bid/38623
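
Every SQL injection entry above has the same shape: a numeric id parameter concatenated into a query. The following Python example is added to show what that allows and how parameter binding removes it; it uses an in-memory SQLite database with a constructed schema, constructed rows and two constructed probe values, and is not code from any of the products listed.

```python
import sqlite3

# Added example: the "unsanitized id parameter" pattern against SQLite.
# Not code from dev4u, Bigforum, WILD CMS, NUs, RSStatic or the others;
# tables, rows and probes are constructed for the demonstration.


def build_db() -> sqlite3.Connection:
    conn = sqlite3.connect(":memory:")
    conn.executescript("""
        CREATE TABLE pages (page_id INTEGER PRIMARY KEY, title TEXT, published INTEGER);
        CREATE TABLE users (user_id INTEGER PRIMARY KEY, username TEXT, pw_hash TEXT);
        INSERT INTO pages VALUES (1, 'Welcome', 1), (2, 'Draft: Q3 numbers', 0), (3, 'Contact', 1);
        INSERT INTO users VALUES (1, 'admin', '$2y$10$constructed.hash.value');
    """)
    return conn


def fetch_page_unsafe(conn: sqlite3.Connection, page_id: str) -> list:
    """Vulnerable: the request parameter is concatenated into the SQL text,
    so the attacker controls part of the query's structure."""
    sql = ("SELECT page_id, title FROM pages "
           f"WHERE published = 1 AND page_id = {page_id}")
    return conn.execute(sql).fetchall()


def fetch_page_safe(conn: sqlite3.Connection, page_id: str) -> list:
    """Hardened: validate the value as a positive integer and bind it as a
    parameter; the query's structure is fixed before any user data arrives."""
    if not page_id.isdigit():
        raise ValueError("page_id must be a positive integer")
    sql = "SELECT page_id, title FROM pages WHERE published = 1 AND page_id = ?"
    return conn.execute(sql, (int(page_id),)).fetchall()


# Constructed probes.  The first turns the WHERE clause into a tautology
# (AND binds tighter than OR), exposing the unpublished draft; the second
# appends a UNION to read a different table through the same endpoint.
TAUTOLOGY = "1 OR 1=1"
UNION_PROBE = "0 UNION SELECT user_id, pw_hash FROM users"


def demo() -> dict:
    """Run both handlers against a normal id and both probes."""
    conn = build_db()
    out = {
        "unsafe_normal": fetch_page_unsafe(conn, "1"),
        "unsafe_tautology": fetch_page_unsafe(conn, TAUTOLOGY),
        "unsafe_union": fetch_page_unsafe(conn, UNION_PROBE),
        "safe_normal": fetch_page_safe(conn, "1"),
    }
    for label, probe in (("safe_tautology", TAUTOLOGY), ("safe_union", UNION_PROBE)):
        try:
            fetch_page_safe(conn, probe)
            out[label] = "accepted"
        except ValueError as e:
            out[label] = f"rejected: {e}"
    return out


if __name__ == "__main__":
    for k, v in demo().items():
        print(f"{k}: {v}")
```

Note that the `published = 1` filter offers no protection in the unsafe version: the tautology probe returns the unpublished draft alongside the public pages, and the UNION probe returns a row from `users` that the endpoint was never meant to touch. Input validation alone (the `isdigit()` check) would also stop these two probes, but binding is what makes the query safe for every input, including string-typed parameters where no such check exists.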

  • 10.11.41 - CVE: Not Available
  • Platform: Web Application
  • Title: phpCOIN "mod" Parameter Local File Include
  • Description: phpCOIN is a PHP-based shopping application designed for integration into an existing website. The application is exposed to a local file include issue because it fails to properly sanitize user-supplied input to the "mod" parameter of the "mod.php" script. phpCOIN version 1.2.1 is affected.
  • Ref: http://www.securityfocus.com/bid/38576

  • 10.11.42 - CVE: Not Available
  • Platform: Web Application
  • Title: Croogo CMS "Contact" Module HTML Injection
  • Description: Croogo CMS is a CakePHP based content manager. Croogo CMS is exposed to an HTML injection issue because it fails to properly sanitize user-supplied input to the "title" and "subject" fields of the "Contact" module. Croogo CMS versions prior to 1.2.1 are affected.
  • Ref: http://www.securityfocus.com/bid/38583

  • 10.11.43 - CVE: Not Available
  • Platform: Web Application
  • Title: Perforce P4Web Hidden Control Security Bypass
  • Description: Perforce P4Web is a web-based revision control system available for Mac OS X, Unix, and Microsoft Windows operating platforms. The application is exposed to a security bypass issue because it enforces access restrictions only in the user interface: actions that the current user is not authorized to perform are merely hidden from the web pages, so a user who submits the corresponding request directly can still carry them out.
  • Ref: http://www.securityfocus.com/bid/38589

  • 10.11.44 - CVE: Not Available
  • Platform: Web Application
  • Title: Perforce P4Web Weak Session Cookie Session Hijacking
  • Description: Perforce P4Web is a web-based revision control system available for Mac OS X, Unix and Microsoft Windows operating platforms. The application is exposed to a session hijacking issue because it uses predictable values for session IDs. Specifically, the application uses the base64 encoded username of the user as a session token.
  • Ref: http://www.securityfocus.com/bid/38595

  • 10.11.45 - CVE: Not Available
  • Platform: Web Application
  • Title: Tribisur "index.php" Local File Include
  • Description: Tribisur is a PHP-based portal application. The application is exposed to a local file include issue because it fails to properly sanitize user-supplied input to the "theme" field of the "index.php" script. Tribisur version 2.0 is affected.
  • Ref: http://www.securityfocus.com/bid/38596

  • 10.11.46 - CVE: Not Available
  • Platform: Web Application
  • Title: PhpBB "feed.php" Security Bypass
  • Description: phpBB is a web-based forum application. The application is exposed to a security-bypass issue because it fails to properly enforce security restrictions in the "feed.php" script. To exploit this issue, "feeds" must be enabled for forums or topics. phpBB version 3.0.7 is affected.
  • Ref: http://www.securityfocus.com/bid/38599

  • 10.11.47 - CVE: Not Available
  • Platform: Web Application
  • Title: KDPics "admin/index.php" Authentication Bypass
  • Description: KDPics is a PHP-based photo management application. The application is exposed to an issue that lets an attacker add an administrative user because it fails to adequately secure access to administrative functions of the "admin/index.php" script. KDPics version 1.18 is affected.
  • Ref: http://www.securityfocus.com/bid/36803

  • 10.11.48 - CVE: Not Available
  • Platform: Web Application
  • Title: TikiWiki Versions Prior to 4.2 Multiple Unspecified Vulnerabilities
  • Description: TikiWiki is a PHP-based groupware and content manager. TikiWiki is exposed to multiple unspecified issues: 1) An unspecified SQL injection issue. 2) An unspecified authentication bypass issue that affects the "user_logout()" method. 3) An unspecified issue related to the "Standard Remember" method for persistent login. TikiWiki versions prior to 4.2 are affected.
  • Ref: http://www.securityfocus.com/bid/38608

  • 10.11.49 - CVE: Not Available
  • Platform: Web Application
  • Title: wh-em.com upload Insecure Cookie Authentication Bypass
  • Description: wh-em.com upload is an upload application implemented in PHP. The application is exposed to an authentication bypass issue because it fails to adequately verify user-supplied input used for cookie-based authentication. Specifically, attackers can gain administrative access to the application by setting the "whem_Name" and "whem_Password" cookie parameters to static values. wh-em.com upload version 7.0 is affected.
  • Ref: http://www.securityfocus.com/bid/38610
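
Entries 10.11.43, 10.11.44, 10.11.47 and 10.11.49 describe three related mistakes: trusting the client to say who it is (a session token that is just the base64 username, or cookies holding fixed values), and treating a hidden UI control as if it were an authorization check. The following Python example is added to put the weak patterns beside a server-side session and authorization scheme; it is not code from Perforce, KDPics or wh-em.com, and the users, roles, cookie names and action table are constructed for the demonstration.

```python
import base64
import hashlib
import secrets

# Added example: weak session/authorization patterns and their fixes.
# Not code from P4Web, KDPics or wh-em.com upload; all names constructed.


# Weak scheme 1: session token = base64(username).  No secret is involved,
# so anyone can mint a token for any account and the server will believe it.
def weak_token(username: str) -> str:
    return base64.b64encode(username.encode()).decode()


def weak_lookup(token: str) -> str:
    """What a server that trusts such a token effectively does."""
    return base64.b64decode(token).decode()


# Weak scheme 2: 'logged in as admin' means two cookies hold fixed strings
# (cookie names and values here are constructed, not the product's).
def static_cookie_is_admin(cookies: dict) -> bool:
    return cookies.get("name") == "admin" and cookies.get("password") == "admin"


# Hardened scheme: opaque random tokens, role kept server-side, and the
# role re-checked on every request.
ACTIONS = {                          # constructed action -> allowed roles
    "view_file":   {"user", "admin"},
    "delete_file": {"admin"},
    "add_user":    {"admin"},
}


class SessionStore:
    """Opaque random tokens mapped to server-side state.  Only a hash of each
    token is stored, so a leaked session table does not yield live sessions."""

    def __init__(self) -> None:
        self._sessions: dict = {}

    @staticmethod
    def _key(token: str) -> str:
        return hashlib.sha256(token.encode()).hexdigest()

    def login(self, username: str, role: str) -> str:
        # The real credential check happens before this call (elided here).
        token = secrets.token_urlsafe(32)          # 256 bits from the OS CSPRNG
        self._sessions[self._key(token)] = {"user": username, "role": role}
        return token

    def lookup(self, token: str):
        return self._sessions.get(self._key(token))


def visible_actions(role: str) -> list:
    """What a UI may hide for tidiness; hiding is a convenience, not a control."""
    return sorted(a for a, roles in ACTIONS.items() if role in roles)


def dispatch_hidden_only(store: SessionStore, token: str, action: str) -> str:
    """Vulnerable pattern: the control is hidden in the UI, but the handler
    performs any action for any logged-in session."""
    sess = store.lookup(token)
    if sess is None:
        return "401 not logged in"
    return f"200 {action} by {sess['user']}"


def dispatch_enforced(store: SessionStore, token: str, action: str) -> str:
    """Hardened: the role comes from server-side session state and is checked
    on every request, whether or not the UI ever showed the control."""
    sess = store.lookup(token)
    if sess is None:
        return "401 not logged in"
    if sess["role"] not in ACTIONS.get(action, set()):
        return "403 forbidden"
    return f"200 {action} by {sess['user']}"


def demo() -> dict:
    store = SessionStore()
    alice = store.login("alice", "user")          # ordinary user, constructed
    return {
        "weak_forged_user": weak_lookup(weak_token("admin")),
        "static_cookie_admin": static_cookie_is_admin({"name": "admin", "password": "admin"}),
        "ui_for_user": visible_actions("user"),
        "hidden_only_delete": dispatch_hidden_only(store, alice, "delete_file"),
        "enforced_delete": dispatch_enforced(store, alice, "delete_file"),
        "enforced_view": dispatch_enforced(store, alice, "view_file"),
        "guessed_token": dispatch_enforced(store, weak_token("admin"), "add_user"),
        "token_len": len(alice),
    }


if __name__ == "__main__":
    for k, v in demo().items():
        print(f"{k}: {v}")
```

Two properties carry the fix: the token is unguessable and carries no meaning (so decoding or forging it gains nothing), and the decision about what the session may do is made from state the client cannot write. Hiding "delete_file" from a user's menu is fine as a usability choice; `dispatch_enforced` is what actually stops the request.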

  • 10.11.50 - CVE: Not Available
  • Platform: Web Application
  • Title: Php Toys Micro Upload "microUpload.php" Remote File Upload
  • Description: Php Toys Micro Upload is a PHP-based upload script. The application is exposed to a remote file upload issue because it fails to sufficiently sanitize user-supplied input to the "microUpload.php" script.
  • Ref: http://www.securityfocus.com/bid/38614

  • 10.11.51 - CVE: Not Available
  • Platform: Web Application
  • Title: MediaWiki "thumb.php" Security Bypass
  • Description: MediaWiki is a PHP-based wiki application. The application is exposed to a security bypass issue that affects the "thumb.php" script. Attackers may bypass access restrictions configured through the "img_auth.php" file (or a similar method). MediaWiki versions after 1.15 and prior to MediaWiki 1.15.2 are affected.
  • Ref: http://lists.wikimedia.org/pipermail/mediawiki-announce/2010-March/000088.html

  • 10.11.52 - CVE: Not Available
  • Platform: Web Application
  • Title: MediaWiki "CSS validation" Information Disclosure
  • Description: MediaWiki is a PHP-based wiki application. The application is exposed to an information disclosure issue because its CSS validation fails to prevent editors from including references to images hosted on external sites. Viewing a page containing such a reference causes the reader's browser to fetch the image, which allows the external site to capture wiki users' IP addresses and may aid in further attacks. MediaWiki versions prior to 1.15.2 are affected.
  • Ref: http://lists.wikimedia.org/pipermail/mediawiki-announce/2010-March/000088.html

(c) 2010. All rights reserved. The information contained in this newsletter, including any external links, is provided "AS IS," with no express or implied warranty, for informational purposes only. In some cases, copyright for material in this newsletter may be held by a party other than Qualys (as indicated herein) and permission to use such material must be requested from the copyright owner.

Subscriptions: @RISK is distributed free of charge by the SANS Institute to people responsible for managing and securing information systems and networks. You may forward this newsletter to others with such responsibility inside or outside your organization.