
@RISK: The Consensus Security Vulnerability Alert

Volume: IX, Issue: 21
May 20, 2010

@RISK is the SANS community's consensus bulletin summarizing the most important vulnerabilities and exploits identified during the past week and providing guidance on appropriate actions to protect your systems (PART I). It also includes a comprehensive list of all new vulnerabilities discovered in the past week (PART II).

Summary of the vulnerabilities reported this week:

Platform                                  Number of Updates and Vulnerabilities
- ---------------------------------------  -------------------------------------
Third Party Windows Apps                  5
Unix                                      1
Cross Platform                            30 (#1, #2, #3)
Web Application - Cross Site Scripting    8
Web Application - SQL Injection           17
Web Application                           18
Network Device                            1
Hardware                                  1

************************ Sponsored By Breaking Point *********************

What is Resiliency and why is it Important to Network Security?

Does your organization measure the impact of security threats, blended traffic and extreme load on the overall performance, security and stability of network devices and systems? Take our SANS network resiliency survey and help us find out if organizations have security resiliency on their radars. Complete the survey and be entered in a drawing for a $250 American Express Gift Certificate! Results will be announced in our June 30 SANS Analysts Webcast, 1PM EST.

http://www.sans.org/info/59328

*************************************************************************

TRAINING UPDATE

-- SANSFIRE 2010, Baltimore, June 6-14, 2010. 38 courses. Bonus evening presentations include Software Security Street Fighting Style and The Verizon Data Breach Investigations Report.

http://www.sans.org/sansfire-2010/

-- SANS Rocky Mountain 2010, Denver, July 12-17, 2010. 8 courses. Bonus evening presentations include Hiding in Plain Sight: Forensic Techniques to Counter the Advanced Persistent Threat.

http://www.sans.org/rocky-mountain-2010/

-- SANS Boston 2010, August 2-8, 2010. 11 courses. Special events include the Rapid Response Security Strategy Competition.

http://www.sans.org/boston-2010/

-- SANS Network Security 2010, Las Vegas, September 19-27, 2010. 39 courses. Bonus evening presentations include The Return of Command Line Kung Fu and Cyberwar or Business as Usual? The State of US Federal CyberSecurity Initiatives.

http://www.sans.org/network-security-2010/

Looking for training in your own community? http://sans.org/community/

Save on On-Demand training (30 full courses) - See samples at http://www.sans.org/ondemand/spring09.php

Plus Singapore, Amsterdam, Canberra and Portland all in the next 90 days.

For a list of all upcoming events, on-line and live: http://www.sans.org/index.php

*************************************************************************

Table Of Contents
Part II -- Comprehensive List of Newly Discovered Vulnerabilities from Qualys (www.qualys.com)
Third Party Windows Apps
Unix
Cross Platform
Web Application - Cross Site Scripting
Web Application - SQL Injection
Web Application
Network Device
Hardware

************************** Sponsored Links: ******************************

1) Attend the SANS WhatWorks in Virtualization and Cloud Computing Summit and discover real-world solutions for securing your virtual infrastructure recommended by experts and deployed by your peers. http://www.sans.org/info/59333

2) REGISTER NOW for the upcoming webcast featuring Rob Lee: Ann's Aurora: The 2010 Digital Forensics and IR Summit Challenge! http://www.sans.org/info/59338

*************************************************************************

PART I Critical Vulnerabilities

Part I for this issue has been compiled by Joshua Bronson at TippingPoint, a division of 3Com, as a by-product of that company's continuous effort to ensure that its intrusion prevention products effectively block exploits using known vulnerabilities. TippingPoint's analysis is complemented by input from a council of security managers from twelve large organizations who confidentially share with SANS the specific actions they have taken to protect their systems. A detailed description of the process may be found at http://www.sans.org/newsletters/cva/#process

Widely Deployed Software
  • (1) MODERATE: Free Download Manager Multiple Remote Buffer Overflow Vulnerabilities
  • Affected:
    • Free Download Manager 3.0 Build 850
    • Free Download Manager 3.0 Build 848
    • Free Download Manager 3.0 Build 844
    • Free Download Manager 2.5 Build 758
  • Description: Free Download Manager, a popular client for HTTP and BitTorrent downloads, is susceptible to multiple buffer overflow vulnerabilities that can lead to code execution. By enticing the user to visit a specially crafted web or FTP site, an attacker can exploit these vulnerabilities in order to execute code with the permissions of the currently logged-in user. According to publicly available research by Secunia, the issue has been acknowledged by the vendor and patched in version 3.0, Build 852. But while version 3.0, Build 852 is available on the vendor's web site, neither an acknowledgment of the vulnerability nor information about the update appears to be present there.

  • Status: vendor confirmed, updates available

  • References:
  • (2) MODERATE: Ghostscript PostScript Identifier Remote Stack Buffer Overflow Vulnerability
  • Affected:
    • Ghostscript 8.64 and 8.70, possibly other versions
  • Description: Ghostscript, a software suite for interpreting PostScript and Portable Document Format (PDF) documents, is susceptible to a buffer overflow vulnerability. By enticing the user to process a malicious PostScript file, an attacker can exploit the vulnerability in order to execute arbitrary code with the permissions of the currently logged-in user. Ghostscript is used in a variety of applications, including some installations of the Common Unix Printing System (CUPS).

  • Status: vendor confirmed, updates available

  • References:
  • (3) MODERATE: IrfanView PSD File Handling Multiple Buffer Overflow Vulnerabilities
  • Affected:
    • IrfanView 3.95, 3.97-3.99, 4.00, 4.01, 4.10, 4.23, 4.25
  • Description: IrfanView, a popular graphics viewer for Microsoft Windows, is susceptible to two buffer overflow vulnerabilities. By enticing the user to open a malicious PSD file, an attacker can exploit these vulnerabilities in order to execute arbitrary code with the permissions of the currently logged-in user.

  • Status: vendor confirmed, updates available

  • References:
Part II -- Comprehensive List of Newly Discovered Vulnerabilities from Qualys (www.qualys.com)
Week 21, 2010

This list is compiled by Qualys (www.qualys.com) as part of that company's ongoing effort to ensure its vulnerability management web service tests for all known vulnerabilities that can be scanned. As of this week Qualys scans for 9524 unique vulnerabilities. For this special SANS community listing, Qualys also includes vulnerabilities that cannot be scanned remotely.


  • 10.21.1 - CVE: Not Available
  • Platform: Third Party Windows Apps
  • Title: X.Org "libxext" "_XAllocID" Function Denial of Service
  • Description: The "libxext" library is an X Window System client interface to several extensions of the X protocol. The library is exposed to a remote denial of service issue that arises in the "_XAllocID" function due to a race condition error and affects applications that use the X shared memory extensions. "libxext" 6 versions 1.0.3, 1.0.4 and 1.0.5 are affected.
  • Ref: http://cgit.freedesktop.org/xorg/lib/libXext/commit/?id=956fd30e1046e5779ac0b6c07ec4f0e87250869a

  • 10.21.2 - CVE: Not Available
  • Platform: Third Party Windows Apps
  • Title: DJ Studio Pro ".pls" File Remote Buffer Overflow
  • Description: DJ Studio Pro is a media player for the Windows operating system. DJ Studio Pro is exposed to a remote buffer overflow issue because it fails to perform adequate checks on user-supplied input. DJ Studio Pro version 5.1.6.5.2 is affected.
  • Ref: http://www.securityfocus.com/bid/40144/references

  • 10.21.3 - CVE: Not Available
  • Platform: Third Party Windows Apps
  • Title: SmallFTPD "DELE" Command Remote Denial Of Service
  • Description: SmallFTPD is an FTP server available for Microsoft Windows. The application is exposed to a remote denial of service issue because it fails to handle repeated connections which pass excessive data to the "DELE" command. SmallFTPD version 1.0.3 is affected.
  • Ref: http://www.securityfocus.com/bid/40180/references

  • 10.21.4 - CVE: Not Available
  • Platform: Third Party Windows Apps
  • Title: Shellzip ZIP Archive Stack Buffer Overflow
  • Description: Shellzip is a file compression/extraction application for the Windows operating system. The application is exposed to a stack-based buffer overflow issue because it fails to perform adequate boundary checks on user-supplied data. This issue occurs when the application processes a ZIP archive that contains a file with a specially crafted filename. Shellzip version v3.0 Beta 3 is affected.
  • Ref: http://www.exploit-db.com/exploits/12621

  • 10.21.5 - CVE: Not Available
  • Platform: Third Party Windows Apps
  • Title: S.O.M.PL ".m3u" File Buffer Overflow
  • Description: S.O.M.PL is a multimedia player available for Microsoft Windows. The application is exposed to a buffer overflow issue because it fails to perform adequate checks on user-supplied input. Specifically, this issue occurs when opening a specially crafted ".m3u" file. S.O.M.PL version 1.0 is affected.
  • Ref: http://www.securityfocus.com/bid/40210/references

  • 10.21.6 - CVE: CVE-2010-1000, CVE-2010-1511
  • Platform: Unix
  • Title: KDE KGet Security Bypass and Directory Traversal Vulnerabilities
  • Description: KDE (K Desktop Environment) is a desktop for Unix variants. KDE is exposed to multiple issues affecting KGet. A directory traversal issue exists in KGet because it does not properly sanitize the "name" attribute of the "file" element in metalink files. A security bypass issue exists in KGet because it downloads files without the user's acknowledgment, overwriting existing files of the same name. KGet version 2.4.2 that is included in KDE 4.4.2 is affected.
  • Ref: http://secunia.com/secunia_research/2010-69/

  • 10.21.7 - CVE: CVE-2010-1849
  • Platform: Cross Platform
  • Title: Oracle MySQL Malformed Packet Handling Remote Denial of Service
  • Description: MySQL is an open source SQL database available for multiple operating systems. MySQL is exposed to a remote denial of service issue that occurs when handling a packet that is larger than the maximum packet size. MySQL versions prior to 5.1.47 are affected.
  • Ref: http://dev.mysql.com/doc/refman/5.1/en/news-5-1-47.html

  • 10.21.8 - CVE: CVE-2010-1869
  • Platform: Cross Platform
  • Title: Ghostscript PostScript Identifier Remote Stack Buffer Overflow
  • Description: Ghostscript is a set of tools and libraries for handling Portable Document Format and PostScript files. Ghostscript is exposed to a remote stack-based buffer overflow issue because it fails to properly bounds check user supplied input before copying it into a finite sized buffer. Ghostscript versions 8.64 and 8.70 are affected.
  • Ref: http://bugs.ghostscript.com/show_bug.cgi?id=691295

  • 10.21.9 - CVE: CVE-2010-1509
  • Platform: Cross Platform
  • Title: IrfanView ".psd" File Handling Remote Buffer Overflow
  • Description: IrfanView is an image viewer that supports multiple file formats. IrfanView is exposed to a remote buffer overflow issue because it fails to properly bounds check user-supplied input before copying it to an insufficiently sized memory buffer. Successful exploits allow remote attackers to execute arbitrary code in the context of the vulnerable application. IrfanView version 4.25 is affected.
  • Ref: http://secunia.com/secunia_research/2010-41

  • 10.21.10 - CVE: CVE-2010-1510
  • Platform: Cross Platform
  • Title: IrfanView RLE Compressed ".psd" File Remote Buffer Overflow
  • Description: IrfanView is an image viewer that supports multiple file formats. IrfanView is exposed to a remote buffer overflow issue because it fails to properly bounds check user supplied input before copying it to an insufficiently sized memory buffer. IrfanView version 4.25 is affected.
  • Ref: http://irfanview.com/main_history.htm

  • 10.21.11 - CVE: CVE-2010-1850
  • Platform: Cross Platform
  • Title: Oracle MySQL "COM_FIELD_LIST" Command Buffer Overflow
  • Description: MySQL is an open source SQL database available for multiple operating systems. MySQL is exposed to a buffer overflow issue because it fails to perform adequate boundary checks on user-supplied data. This issue occurs when handling a long table name argument passed to the "COM_FIELD_LIST" command packet. MySQL versions prior to 5.1.47 are affected.
  • Ref: http://dev.mysql.com/doc/refman/5.1/en/news-5-1-47.html

  • 10.21.12 - CVE: Not Available
  • Platform: Cross Platform
  • Title: Ghostscript PostScript Infinite Recursion Remote Memory Corruption
  • Description: Ghostscript is a set of tools and libraries for handling Portable Document Format (PDF) and PostScript files. Ghostscript is exposed to a remote memory corruption issue because it fails to properly handle crafted PostScript files.
  • Ref: http://www.securityfocus.com/archive/1/511243

  • 10.21.13 - CVE: CVE-2010-1556
  • Platform: Cross Platform
  • Title: HP Systems Insight Manager Unspecified Unauthorized Access
  • Description: HP Systems Insight Manager (SIM) is a tool for managing HP servers. SIM is exposed to an unspecified unauthorized access issue. HP Systems Insight Manager versions 5.3, 5.3 Update 1 and 6.0 are affected.
  • Ref: http://www.securityfocus.com/bid/40111/references

  • 10.21.14 - CVE: CVE-2010-1848
  • Platform: Cross Platform
  • Title: Oracle MySQL "COM_FIELD_LIST" Command Packet Security Bypass
  • Description: MySQL is an open source SQL database application available for multiple operating platforms. MySQL is exposed to a security bypass issue that occurs because the application fails to sufficiently validate the table name included in the "COM_FIELD_LIST" command packet. Versions prior to 5.1.47 are affected.
  • Ref: http://dev.mysql.com/doc/refman/5.1/en/news-5-1-47.html

  • 10.21.15 - CVE: CVE-2010-0475
  • Platform: Cross Platform
  • Title: Palo Alto Networks Firewall Interface "editUser.esp" HTML Injection
  • Description: Palo Alto Networks Firewall Interface is a web-based firewall management application. The application is exposed to an HTML injection issue because it fails to sufficiently sanitize user-supplied input to the "role" parameter of the "esp/editUser.esp" script.
  • Ref: http://www.securityfocus.com/archive/1/511251

  • 10.21.16 - CVE: Not Available
  • Platform: Cross Platform
  • Title: POE-Component-IRC "\r" Command Injection
  • Description: POE-Component-IRC is an event-driven IRC client module. POE-Component-IRC is exposed to a command injection issue because it fails to properly filter the carriage return character "\r" in IRC messages before sending them to the IRC server. POE-Component-IRC versions prior to 6.32 are affected.
  • Ref: http://cpansearch.perl.org/src/HINRIK/POE-Component-IRC-6.32/Changes

  • 10.21.17 - CVE: Not Available
  • Platform: Cross Platform
  • Title: Zervit HTTP Server Source Code Information Disclosure
  • Description: Zervit is an HTTP server. Zervit is exposed to an issue that lets attackers access source code files. Specifically, an HTTP request for a specific file followed by a "%20" character can disclose the source code of the file instead of returning the page to the client. Zervit version 0.4 is affected.
  • Ref: http://www.securityfocus.com/bid/40132

  • 10.21.18 - CVE: CVE-2010-1512
  • Platform: Cross Platform
  • Title: aria2 Metalink File Handling Directory Traversal
  • Description: The "aria2" program is a client application that is used to download files via a number of protocols. It is available for multiple operating systems. The application is exposed to a directory traversal issue because it fails to sufficiently sanitize user-supplied input. aria2 version 1.9.1 build2 is affected.
  • Ref: http://secunia.com/secunia_research/2010-71/

  • 10.21.19 - CVE: CVE-2010-0998
  • Platform: Cross Platform
  • Title: Free Download Manager Multiple Remote Buffer Overflow
  • Description: Free Download Manager is a download accelerator and manager. The application is exposed to multiple remote buffer overflow issues because it fails to perform adequate boundary checks on user-supplied input. A stack-based buffer overflow issue exists that can be triggered when opening folders in "Site Explorer", processing FTP URIs and handling redirects. Free Download Manager versions prior to 3.0 build 852 are affected.
  • Ref: http://www.securityfocus.com/bid/40146

  • 10.21.20 - CVE: CVE-2010-1558
  • Platform: Cross Platform
  • Title: HP MFP Digital Sending Software Local Unauthorized Access
  • Description: HP MFP Digital Sending Software is a digital document management application available for Microsoft Windows. MFP Digital Sending Software is exposed to a local unauthorized access issue. Attackers can exploit this issue to access the "Send to e-mail" function of HP Multifunctional Peripheral devices controlled by the application. MFP Digital Sending Software versions prior to 4.18.3 are affected.
  • Ref: http://www.securityfocus.com/archive/1/511283

  • 10.21.21 - CVE: CVE-2010-0999
  • Platform: Cross Platform
  • Title: Free Download Manager Metalink File Directory Traversal
  • Description: Free Download Manager is a download accelerator and manager. The application is exposed to a security issue because it fails to properly sanitize user supplied input from metalink files. Free Download Manager versions prior to 3.0 build 852 are affected.
  • Ref: http://secunia.com/secunia_research/2010-67/

  • 10.21.22 - CVE: Not Available
  • Platform: Cross Platform
  • Title: PHP File Uploader Remote File Upload
  • Description: PHP File Uploader is a file upload script. PHP File Uploader is exposed to an issue that lets attackers upload arbitrary files because it fails to adequately limit the types of files that can be uploaded. Attackers can execute their uploaded script through the "PHPFileUploader/_uploads/" directory.
  • Ref: http://www.securityfocus.com/bid/40159

  • 10.21.23 - CVE: Not Available
  • Platform: Cross Platform
  • Title: Mathematica "/tmp/MathLink" Symlink Attack Local Privilege Escalation
  • Description: Mathematica is a technical computing application and environment. The application is exposed to a local privilege escalation issue. Specifically, the issue occurs because the application uses the "/tmp/MathLink" directory and overwrites files within that directory. Mathematica version 7 is affected.
  • Ref: http://www.securityfocus.com/bid/40169


  • 10.21.25 - CVE: Not Available
  • Platform: Cross Platform
  • Title: TYPSoft FTP Server "RETR" Command Remote Denial Of Service
  • Description: TYPSoft FTP Server is an FTP server available for Microsoft Windows. The application is exposed to a remote denial of service issue because it fails to handle repeated connections which pass excessive data to the "RETR" command. TYPSoft FTP Server version 1.10 is affected.
  • Ref: http://www.securityfocus.com/bid/40181

  • 10.21.26 - CVE: Not Available
  • Platform: Cross Platform
  • Title: Fujitsu Interstage Application Server Servlet Component Security
  • Description: Fujitsu Interstage Application Server is a Java based application server that includes Tomcat Servlet Services. The application is exposed to a security issue that affects the Servlet component because the application fails to properly process requests.
  • Ref: http://www.fujitsu.com/global/support/software/security/products-f/interstage-201001e.html

  • 10.21.27 - CVE: Not Available
  • Platform: Cross Platform
  • Title: NEC CapsSuite Small Edition PatchMeister Remote Denial of Service
  • Description: CapsSuite Small Edition PatchMeister is a patch management solution. The application is exposed to a remote denial of service issue due to an unspecified error when handling network packets. CapsSuite Small Edition PatchMeister versions 2.0 Update 2 and earlier are affected.
  • Ref: http://www.securityfocus.com/bid/40190

  • 10.21.28 - CVE: Not Available
  • Platform: Cross Platform
  • Title: WebSAM DeploymentManager Denial of Service issue
  • Description: WebSAM DeploymentManager is a software distribution management solution. The application is exposed to a denial of service issue because it fails to properly handle malicious network packets sent to port 56010, resulting in an unspecified error. WebSAM DeploymentManager version 5.13 is affected.
  • Ref: http://www.securityfocus.com/bid/40196/references

  • 10.21.29 - CVE: CVE-2010-1454
  • Platform: Cross Platform
  • Title: SpringSource tc Server JMX Interface Authentication Security Bypass
  • Description: SpringSource tc Server is an enterprise release of Apache Tomcat, a Java based web server. SpringSource tc Server is exposed to a security bypass issue because of an error in "com.springsource.tcserver.serviceability.rmi.JmxSocketListener". SpringSource tc Server runtime versions prior to 6.0.20.D and 6.0.25.A-SR01 are affected.
  • Ref: http://www.securityfocus.com/archive/1/511307

  • 10.21.30 - CVE: CVE-2010-1169, CVE-2010-1170
  • Platform: Cross Platform
  • Title: PostgreSQL Multiple Security Vulnerabilities
  • Description: PostgreSQL is an open source database system. The application is exposed to multiple remote issues. A security bypass issue in "Safe.pm" and PL/Perl may allow an authenticated attacker to execute arbitrary Perl scripts on the database server, if PL/Perl is installed and enabled. An issue exists in the "pltcl_modules" table due to insecure permissions. PostgreSQL versions prior to 8.4.4; 8.3.11; 8.2.17; 8.1.21; 8.0.25 and 7.4.29 are affected.
  • Ref: http://www.postgresql.org/support/security

  • 10.21.31 - CVE: Not Available
  • Platform: Cross Platform
  • Title: Hitachi Multiple XMAP3 Products Code Execution
  • Description: Multiple Hitachi XMAP3 products are exposed to an unspecified code execution issue. The issue can be exploited by enticing a user to visit a crafted site using Internet Explorer. An attacker can exploit this issue to execute arbitrary code within the context of Internet Explorer.
  • Ref: http://www.securityfocus.com/bid/40218

  • 10.21.32 - CVE: Not Available
  • Platform: Cross Platform
  • Title: Hitachi TP1/Message Control Malformed Packet Denial Of Service
  • Description: Hitachi TP1/Message Control and uCosminexus TP1/Message Control are exposed to an unspecified denial of service issue because they fail to properly handle crafted packets.
  • Ref: http://www.securityfocus.com/bid/40222/references

  • 10.21.33 - CVE: Not Available
  • Platform: Cross Platform
  • Title: Hitachi Web Server with SSL Enabled Remote Denial of Service
  • Description: Hitachi Web Server is a web application server available for multiple operating systems. Hitachi Web Server is exposed to a denial of service issue when it is configured to use Secure Sockets Layer.
  • Ref: http://www.securityfocus.com/bid/40223

  • 10.21.34 - CVE: Not Available
  • Platform: Cross Platform
  • Title: Hitachi Collaboration Common Utility Unspecified Stack Buffer Overflow
  • Description: Hitachi Collaboration Common Utility is a component of multiple Hitachi products. The application is exposed to a stack-based buffer overflow issue caused by an unspecified error.
  • Ref: http://www.securityfocus.com/bid/40224/references

  • 10.21.35 - CVE: Not Available
  • Platform: Cross Platform
  • Title: Hitachi Web Server SSL Certificate Revocation Security Bypass
  • Description: Hitachi Web Server is a web application server available for multiple operating systems. Hitachi Web Server is exposed to a security bypass issue affecting Secure Socket Layer certificate revocation lists.
  • Ref: http://www.securityfocus.com/bid/40226

  • 10.21.36 - CVE: CVE-2010-1321
  • Platform: Cross Platform
  • Title: MIT Kerberos GSS-API Checksum NULL Pointer Dereference Denial of Service
  • Description: MIT Kerberos is a suite of applications and libraries designed to implement the Kerberos network authentication protocol. It is freely available and operates on numerous platforms. MIT Kerberos is exposed to a remote denial of service issue caused by a NULL pointer dereference. This issue occurs when the application processes invalid GSS-API tokens in the "src/lib/gssapi/krb5/accept_sec_context.c" source file. MIT Kerberos 5 version 1.8.1 is affected.
  • Ref: http://www.securityfocus.com/archive/1/511331

  • 10.21.37 - CVE: CVE-2010-1557
  • Platform: Web Application - Cross Site Scripting
  • Title: HP Insight Control Server Migration for Windows Cross-Site Scripting
  • Description: HP Insight Control is used to migrate data and applications from one server to another. The server is exposed to an unspecified cross-site scripting issue because it fails to properly sanitize user-supplied input. This issue affects HP Insight Control server migration version 6.0 on Microsoft Windows.
  • Ref: http://www.securityfocus.com/archive/1/511270

  • 10.21.38 - CVE: Not Available
  • Platform: Web Application - Cross Site Scripting
  • Title: C99Shell "Ch99.php" Cross-Site Scripting
  • Description: C99Shell is a helper application for servers. C99Shell is exposed to a cross-site scripting issue because the application fails to sufficiently sanitize user-supplied input to the "directory" parameter of the "Ch99.php" script. C99Shell version 1.0 pre-release build 16 is affected.
  • Ref: http://www.securityfocus.com/bid/40134

  • 10.21.39 - CVE: Not Available
  • Platform: Web Application - Cross Site Scripting
  • Title: NPDS Revolution "topic" Parameter Cross-Site Scripting
  • Description: NPDS Revolution is a web application implemented in PHP. NPDS Revolution is exposed to a cross-site scripting issue because it fails to sufficiently sanitize user-supplied input to the "topic" parameter of the "viewtopic.php" script. NPDS Revolution version 10.02 is affected.
  • Ref: http://www.securityfocus.com/archive/1/511286

  • 10.21.40 - CVE: Not Available
  • Platform: Web Application - Cross Site Scripting
  • Title: PHP Banner Exchange "signupconfirm.php" Cross-Site Scripting
  • Description: PHP Banner Exchange is a banner management system. PHP Banner Exchange is exposed to a cross-site scripting issue because it fails to sufficiently sanitize user-supplied input to the "bannerurl" parameter of the "signupconfirm.php" script. PHP Banner Exchange version 1.2 is affected.
  • Ref: http://www.securityfocus.com/bid/40165

  • 10.21.41 - CVE: Not Available
  • Platform: Web Application - Cross Site Scripting
  • Title: RuubikCMS "index.php" Cross Site Scripting
  • Description: RuubikCMS is a PHP based content management tool. RuubikCMS is exposed to a cross-site scripting issue because it fails to properly sanitize user-supplied input to the "p" parameter of the "cms/index.php" script. RuubikCMS version 1.0.3 is affected.
  • Ref: http://www.securityfocus.com/bid/40171

  • 10.21.42 - CVE: Not Available
  • Platform: Web Application - Cross Site Scripting
  • Title: Planet Script "idomains.php" Cross-Site Scripting
  • Description: Planet Script is a website hosting management system. Planet Script is exposed to a cross-site scripting issue because it fails to sufficiently sanitize user-supplied input to the "ext" parameter of the "idomains.php" script. Planet Script versions 1.3 and earlier are affected.
  • Ref: http://www.securityfocus.com/bid/40203

  • 10.21.43 - CVE: Not Available
  • Platform: Web Application - Cross Site Scripting
  • Title: NPDS Revolution "download.php" Cross-Site Scripting
  • Description: NPDS Revolution is a web application. NPDS Revolution is exposed to a cross-site scripting issue because it fails to sufficiently sanitize user-supplied input to the "did" parameter of the "download.php" script. NPDS Revolution version 10.02 is affected.
  • Ref: http://www.securityfocus.com/archive/1/511322

  • 10.21.44 - CVE: Not Available
  • Platform: Web Application - Cross Site Scripting
  • Title: Serialsystem "list" Parameter Cross-Site Scripting
  • Description: Serialsystem is a web application. Serialsystem is exposed to a cross-site scripting issue because it fails to sufficiently sanitize user-supplied input to the "src" attribute of the "list" parameter. Serialsystem version 1.0.4 BETA is affected.
  • Ref: http://www.securityfocus.com/bid/40236/references

  • 10.21.45 - CVE: Not Available
  • Platform: Web Application - SQL Injection
  • Title: Invision Power Board Multiple SQL Injection
  • Description: Invision Power Board is a web-based forum application. The application is exposed to multiple SQL injection issues because it fails to sufficiently sanitize user-supplied data to the "m.member_id" and "search_term" parameters. Invision Power Board version 3.0.1 is affected.
  • Ref: http://www.securityfocus.com/bid/40136/references

  • 10.21.46 - CVE: Not Available
  • Platform: Web Application - SQL Injection
  • Title: Cacti "rra_id" Parameter SQL Injection
  • Description: Cacti is a web-based frontend application for RRDTool (round-robin database tool). RRDTool is used to handle time series data such as network bandwidth, temperatures, and CPU load. The application is exposed to an SQL injection issue because it fails to sufficiently sanitize user-supplied data to the "rra_id" GET parameter of the "graph.php" script before using it in an SQL query. Cacti version 0.8.7e is affected.
  • Ref: http://www.php-security.org/2010/05/13/mops-2010-023-cacti-graph-viewer-sql-injection-vulnerability/index.html

  • 10.21.47 - CVE: Not Available
  • Platform: Web Application - SQL Injection
  • Title: Cype CMS "index.php" SQL Injection
  • Description: Cype CMS is a PHP-based content management system. The application is exposed to an SQL injection issue because it fails to properly sanitize user-supplied input to the "index.php" script before using it in an SQL query.
  • Ref: http://www.securityfocus.com/bid/40154/references

  • 10.21.48 - CVE: Not Available
  • Platform: Web Application - SQL Injection
  • Title: NPDS Revolution "download.php" SQL Injection
  • Description: NPDS Revolution is a web application. The application is exposed to an SQL injection issue because it fails to sufficiently sanitize user-supplied data to the "sortby" parameter of the "download.php" script before using it in an SQL query. NPDS Revolution version 10.02 is affected.
  • Ref: http://www.securityfocus.com/archive/1/511287

  • 10.21.49 - CVE: Not Available
  • Platform: Web Application - SQL Injection
  • Title: UCStats "stats.php" SQL Injection
  • Description: UCStats is a statistics generation program for Half-Life and its mods. UCStats is exposed to an SQL injection issue because it fails to properly sanitize user-supplied input to the "page" parameter of the "stats.php" script before using it in an SQL query. UCStats 1.1 is affected.
  • Ref: http://www.securityfocus.com/bid/40158/references

  • 10.21.50 - CVE: Not Available
  • Platform: Web Application - SQL Injection
  • Title: SphereCMS "downloads.php" SQL Injection
  • Description: SphereCMS is a content manager implemented in PHP. The application is exposed to an SQL injection issue because it fails to sufficiently sanitize user-supplied input to the "cat" parameter of the "downloads.php" script before using it in an SQL query. SphereCMS version 1.0.4 is affected.
  • Ref: http://www.securityfocus.com/bid/40162/references

  • 10.21.51 - CVE: CVE-2010-0404
  • Platform: Web Application - SQL Injection
  • Title: phpGroupWare Multiple Unspecified SQL Injection
  • Description: phpGroupWare is a web-based application. The application is exposed to multiple SQL injection issues because it fails to sufficiently sanitize user-supplied data to unspecified parameters before using it in SQL queries. phpGroupWare versions prior to 0.9.16.016 are affected.
  • Ref: http://www.securityfocus.com/bid/40168/references

  • 10.21.52 - CVE: Not Available
  • Platform: Web Application - SQL Injection
  • Title: Link Bid Script "links.php" SQL Injection
  • Description: Link Bid Script is a PHP-based bid for position directory application. The application is exposed to an SQL injection issue because it fails to sufficiently sanitize user-supplied data to the "id" parameter of the "links.php" script before using it in an SQL query.
  • Ref: http://www.securityfocus.com/bid/40170/references

  • 10.21.53 - CVE: Not Available
  • Platform: Web Application - SQL Injection
  • Title: Press Release Script "page.php" SQL Injection
  • Description: Press Release Script is a PHP-based platform for launching content driven websites. The application is exposed to an SQL injection issue because it fails to sufficiently sanitize user-supplied data to the "id" parameter of the "page.php" script before using it in an SQL query.
  • Ref: http://www.securityfocus.com/bid/40172/references

  • 10.21.54 - CVE: Not Available
  • Platform: Web Application - SQL Injection
  • Title: Platnik Multiple SQL Injection Vulnerabilities
  • Description: Platnik is a PHP-based insurance document and information application for the Polish Department of Social Insurance. The application is exposed to multiple SQL injection issues because it fails to sufficiently sanitize user-supplied data to the "filter" and "okres pracy" fields. Platnik version 8.01.001 is affected.
  • Ref: http://www.securityfocus.com/bid/40201


  • 10.21.56 - CVE: Not Available
  • Platform: Web Application - SQL Injection
  • Title: Alibaba Clone Platinum Multiple SQL Injection
  • Description: Alibaba Clone Platinum Script is a PHP-based B2B trading marketplace script. The application is exposed to multiple SQL injection issues because it fails to sufficiently sanitize user-supplied data.
  • Ref: http://www.securityfocus.com/bid/40206

  • 10.21.57 - CVE: Not Available
  • Platform: Web Application - SQL Injection
  • Title: Al3jeb Script "login.php" Multiple SQL Injection Vulnerabilities
  • Description: Al3jeb Script is a web-based application. The application is exposed to multiple SQL injection issues because it fails to sufficiently sanitize user-supplied data to the "username" and "password" fields of the "login.php" script.
  • Ref: http://www.securityfocus.com/bid/40208/references

  • 10.21.58 - CVE: Not Available
  • Platform: Web Application - SQL Injection
  • Title: NettApp AS Webace CMS "NewsId" Parameter SQL Injection
  • Description: NettApp AS Webace CMS is a PHP-based content manager. The application is exposed to an SQL injection issue because it fails to sufficiently sanitize user-supplied data to the "NewsId" parameter of the "pfNewsDetail.php" script before using it in an SQL query.
  • Ref: http://www.securityfocus.com/bid/40209

  • 10.21.59 - CVE: Not Available
  • Platform: Web Application - SQL Injection
  • Title: chillyCMS "show.site.php" SQL Injection
  • Description: chillyCMS is a PHP-based content manager. The application is exposed to an SQL injection issue because it fails to sufficiently sanitize user-supplied data to the "mod" parameter of the "core/show.site.php" script before using it in an SQL query. chillyCMS version 1.1.2 is affected.
  • Ref: http://www.securityfocus.com/bid/40220/references

  • 10.21.60 - CVE: Not Available
  • Platform: Web Application - SQL Injection
  • Title: WebJaxe "administration.php" SQL Injection
  • Description: WebJaxe is a content management application. The application is exposed to an SQL injection issue because it fails to sufficiently sanitize user-supplied data to the "id_contribution" parameter of the "partie_administrateur/administration.php" script before using it in an SQL query. WebJaxe version 1.01 is affected.
  • Ref: http://www.securityfocus.com/bid/40225

  • 10.21.61 - CVE: Not Available
  • Platform: Web Application - SQL Injection
  • Title: JE CMS "categoryid" Parameter SQL Injection
  • Description: JE CMS is a PHP-based content management application. The application is exposed to an SQL injection issue because it fails to sufficiently sanitize user-supplied data to the "categoryid" parameter of the "index.php" script before using it in an SQL query. JE CMS version 1.1 is affected.
  • Ref: http://www.securityfocus.com/bid/40231/references
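
Every SQL injection entry in this section describes the same defect: a request parameter (an integer id such as Cacti's "rra_id", a sort column such as NPDS's "sortby", or the username/password fields of a login form) is concatenated into the query text. The following is an added example, not code from the page or from any product listed above; the products are PHP, and Python with the standard-library sqlite3 driver is used here only to show the pattern and the two fixes that actually work. The table, rows and the attack value are constructed for the example.

```python
import sqlite3


# Constructed sample schema and rows; not data or code from any product named above.
def make_db() -> sqlite3.Connection:
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE graph (rra_id INTEGER, title TEXT, secret TEXT)")
    db.executemany(
        "INSERT INTO graph VALUES (?, ?, ?)",
        [(1, "cpu load", "private-1"), (2, "bandwidth", "private-2")],
    )
    return db


def fetch_graph_vulnerable(db: sqlite3.Connection, rra_id: str) -> list:
    # The pattern the entries above describe: the request parameter is pasted
    # into the SQL text, so its content can change the shape of the query.
    sql = "SELECT title FROM graph WHERE rra_id = " + rra_id
    return [row[0] for row in db.execute(sql)]


def fetch_graph_hardened(db: sqlite3.Connection, rra_id: str) -> list:
    # 1) Validate the type: an id is a non-negative integer and nothing else.
    if not rra_id.isdigit():
        raise ValueError("rra_id must be a non-negative integer")
    # 2) Bind the value; the driver sends it separately from the query text,
    #    so it can never be parsed as SQL.
    sql = "SELECT title FROM graph WHERE rra_id = ?"
    return [row[0] for row in db.execute(sql, (int(rra_id),))]


def fetch_titles_sorted(db: sqlite3.Connection, sortby: str) -> list:
    # Identifiers such as a column name (the "sortby" case above) cannot be
    # bound as parameters; map the request value onto an allow-list instead
    # and never let the raw string reach the query.
    columns = {"id": "rra_id", "title": "title"}
    if sortby not in columns:
        raise ValueError("unknown sort column")
    sql = f"SELECT title FROM graph ORDER BY {columns[sortby]}"
    return [row[0] for row in db.execute(sql)]


def demo() -> tuple:
    """Run the constructed attack value through both versions."""
    db = make_db()
    payload = "1 UNION SELECT secret FROM graph"  # constructed attack value
    leaked = fetch_graph_vulnerable(db, payload)   # secrets come back with the title
    try:
        fetch_graph_hardened(db, payload)
        blocked = False
    except ValueError:
        blocked = True
    return sorted(leaked), blocked


if __name__ == "__main__":
    print(demo())
```

The second function is the fix for every "id"-style parameter above; the third is the fix for the parameters that name columns or tables, where binding is not available and an allow-list is the only safe option.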

  • 10.21.62 - CVE: Not Available
  • Platform: Web Application
  • Title: TomatoCMS Multiple Web Application Issues
  • Description: TomatoCMS is a content manager. The application is exposed to multiple issues because it fails to sufficiently sanitize user-supplied input data. An HTML injection issue affects the following parameters/scripts: 1) the "content" parameter of the "index.php/admin/poll/add" script, 2) the "meta" parameter of the "index.php/admin/category/add" script, 3) the "keyword" parameter of the "index.php/admin/tag/add" script, and 4) the "title", "subTitle", and "author" parameters of the "index.php/admin/news/article/add" script. TomatoCMS versions prior to 2.0.5 are affected.
  • Ref: http://www.securityfocus.com/bid/40108/references

  • 10.21.63 - CVE: Not Available
  • Platform: Web Application
  • Title: Drupal AutoAssign Role Module Node Access Security Bypass
  • Description: AutoAssign Role is a module for the Drupal content manager to provide automatic assignments of roles when accounts are created. The module is exposed to a security bypass issue because it fails to properly implement the Drupal node access API. AutoAssign Role versions prior to 6.x-1.2 are affected.
  • Ref: http://drupal.org/node/797216

  • 10.21.64 - CVE: Not Available
  • Platform: Web Application
  • Title: Drupal Bibliography Module HTML Injection
  • Description: Bibliography is a PHP-based component for the Drupal content manager. Drupal Bibliography module is exposed to an HTML injection issue because it fails to properly sanitize user-supplied input. Attackers require the "administer biblio" permission to exploit this issue. Bibliography module versions 5.x-1.17 and earlier and 6.x-1.9 and earlier are affected.
  • Ref: http://drupal.org/node/797192

  • 10.21.65 - CVE: Not Available
  • Platform: Web Application
  • Title: Drupal Services Module Session ID Authentication Security Bypass
  • Description: Services is a module for the Drupal content manager to provide an API for exposing Drupal functions, allowing clients to call server methods to obtain data for local processing. The module is exposed to a security bypass issue because it fails to properly restrict access to sensitive features. Services versions prior to 6.x-2.1 are affected.
  • Ref: http://drupal.org/node/797268

  • 10.21.66 - CVE: Not Available
  • Platform: Web Application
  • Title: MiniWebsvr URI Directory Traversal
  • Description: MiniWebsvr is a web application server. The application is exposed to a directory traversal issue because it fails to sufficiently sanitize user-supplied input. MiniWebsvr version 0.0.10 is affected.
  • Ref: http://www.securityfocus.com/bid/40133/references

  • 10.21.67 - CVE: Not Available
  • Platform: Web Application
  • Title: IDevSpot SoftDirec "delete_confirm.php" HTML Injection
  • Description: IDevSpot SoftDirec is a software repository script. IDevSpot SoftDirec is exposed to an HTML injection issue because it fails to properly sanitize user-supplied input to the "id" parameter of the "library/delete_confirm.php" script. IDevSpot SoftDirec version 1.09 is affected.
  • Ref: http://www.securityfocus.com/bid/40135/references

  • 10.21.68 - CVE: Not Available
  • Platform: Web Application
  • Title: Invision Power Board BBCode HTML Injection
  • Description: Invision Power Board is a web-based forum application. The application is exposed to an HTML injection issue because it fails to sufficiently sanitize user-supplied input. Specifically, unspecified BBCode tags aren't properly sanitized. Invision Power Board versions 2.3.6 and 3.0.5 are affected.
  • Ref: http://community.invisionpower.com/topic/306221-ipboard-236-and-305-security-update/

  • 10.21.69 - CVE: Not Available
  • Platform: Web Application
  • Title: Invision Power Board Remote Image File Disclosure
  • Description: Invision Power Board is a web-based forum application. It is implemented in PHP. The application is exposed to a file disclosure issue. Invision Power Board version 3.0.5 is affected.
  • Ref: http://community.invisionpower.com/topic/308032-ipboard-305-security-update/

  • 10.21.70 - CVE: CVE-2010-0403
  • Platform: Web Application
  • Title: phpGroupWare Unspecified Local File Include
  • Description: phpGroupWare is a web-based application. The application is exposed to an unspecified local file include issue because it fails to properly sanitize user-supplied input. An attacker can exploit this issue to view files and execute local scripts in the context of the web server process. phpGroupWare versions prior to 0.9.16.016 are affected.
  • Ref: http://www.securityfocus.com/bid/40167

  • 10.21.71 - CVE: Not Available
  • Platform: Web Application
  • Title: Weatimages "index.php" Information Disclosure
  • Description: Weatimages is a PHP-based online photo album management tool. The application is exposed to an information disclosure issue. Specifically, the application fails to properly sanitize user-supplied input to the "path" parameter of the "index.php" script before using it to list directories. Weatimages version 1.7.2 is affected.
  • Ref: http://www.securityfocus.com/bid/40182/references

  • 10.21.72 - CVE: Not Available
  • Platform: Web Application
  • Title: File Thingie Remote Security Bypass
  • Description: File Thingie is a web-based file manager. File Thingie is exposed to a security bypass issue. Specifically, even when the application is configured not to accept PHP files, an attacker can upload a file under an allowed name and then rename it to a PHP file name, because the upload restriction is not enforced on rename. File Thingie version 2.5.5 is affected.
  • Ref: http://www.securityfocus.com/bid/40186

  • 10.21.73 - CVE: Not Available
  • Platform: Web Application
  • Title: Invision Power Board Unspecified BBCode HTML Injection
  • Description: Invision Power Board is a web-based forum application. The application is exposed to an unspecified HTML injection issue because it fails to sufficiently sanitize user-supplied input. The issue is related to handling BBCode tags. Invision Power Board version 3.0.5 is affected.
  • Ref: http://community.invisionpower.com/topic/310713-ipboard-30x-security-patch-released/

  • 10.21.74 - CVE: Not Available
  • Platform: Web Application
  • Title: LinPHA Remote Command Execution
  • Description: LinPHA is a PHP-based image gallery. LinPHA is exposed to a remote command execution issue because it fails to adequately sanitize user-supplied input passed to the "full_convert_path" parameter of the "rotate.php" script before using it to build a command line. An attacker can leverage this to execute arbitrary commands. LinPHA versions 1.3.2 and earlier are affected.
  • Ref: http://www.securityfocus.com/bid/40191/references
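
The LinPHA entry is an OS command injection: a parameter that names the converter binary ends up in a command string that a shell parses. The following is an added example, not LinPHA's code; it is written in Python rather than PHP to show the pattern and the hardened form. The converter name table, the file-name pattern and the attack value are assumptions made for the example, and the "true" program found on PATH stands in for the image converter so that the example runs anywhere without ImageMagick installed.

```python
import re
import shutil
import subprocess

# Stand-in for the image converter. In the hardened form the binary is fixed by
# server-side configuration and the request may only refer to it by name.
# Constructed for this example; not LinPHA's configuration.
CONVERTER_BIN = shutil.which("true") or "/bin/true"
ALLOWED_CONVERTERS = {"default": CONVERTER_BIN}   # keyed by a name, never a path
IMAGE_NAME_RE = re.compile(r"^[A-Za-z0-9_][A-Za-z0-9_.-]{0,63}$")


def rotate_vulnerable(full_convert_path: str, image: str) -> str:
    # The flaw described above: a request parameter is spliced into a command
    # string that a shell then parses, so ";", "|" or "$(...)" inside the
    # parameter become additional commands. Returns whatever the shell printed.
    cmd = f"{full_convert_path} -rotate 90 {image} {image}"
    done = subprocess.run(cmd, shell=True, capture_output=True, text=True)
    return done.stdout


def rotate_hardened(converter: str, image: str, degrees: int = 90) -> list:
    # Hardened form: the request may only *name* a converter from the
    # server-side table, the file name is validated against a tight pattern,
    # and the command is an argv list executed without a shell.
    # Returns the argv that was executed.
    if converter not in ALLOWED_CONVERTERS:
        raise ValueError("converter is chosen by the server, not the request")
    if not IMAGE_NAME_RE.fullmatch(image):
        raise ValueError("invalid image file name")
    argv = [ALLOWED_CONVERTERS[converter], "-rotate", str(int(degrees)), image, image]
    subprocess.run(argv, shell=False, check=True, capture_output=True)
    return argv


def demo() -> dict:
    """Drive both versions with a constructed attack value."""
    payload = f"{CONVERTER_BIN}; echo INJECTED"   # constructed attack value
    out = rotate_vulnerable(payload, "pic.jpg")   # the shell runs the second command
    try:
        rotate_hardened(payload, "pic.jpg")
        hardened_blocked = False
    except ValueError:
        hardened_blocked = True
    # Even if such a string reached an argv list it would be looked up as one
    # program name and not found, rather than parsed as two commands.
    try:
        subprocess.run([payload, "-rotate", "90"], capture_output=True)
        argv_parsed_as_shell = True
    except FileNotFoundError:
        argv_parsed_as_shell = False
    return {
        "vulnerable_output": out,
        "hardened_blocked": hardened_blocked,
        "argv_parsed_as_shell": argv_parsed_as_shell,
    }


if __name__ == "__main__":
    print(demo())
```

The important design point is that no user-controlled string should select or locate the executable at all; escaping the parameter is a weaker fix than removing it from the command line entirely.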

  • 10.21.75 - CVE: Not Available
  • Platform: Web Application
  • Title: CMSQlite SQL Injection and Local File Include Vulnerabilities
  • Description: CMSQlite is a PHP-based content management application. The application is exposed to multiple issues. 1) An SQL injection issue because the application fails to sufficiently sanitize user-supplied data to the "c" parameter of the "index.php" script. 2) A local file include issue because the application fails to properly sanitize user-supplied input to the "mod" parameter of the "index.php" script. CMSQlite version 1.2 is affected.
  • Ref: http://php-security.org/2010/05/15/mops-2010-030-cmsqlite-mod-parameter-local-file-inclusion-vulnerability/index.html
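
Several entries in this section are the same family of bug: a request parameter is turned into a file system path. The Weatimages "path" and MiniWebsvr URI entries are directory traversal, the CMSQlite "mod" and phpGroupWare entries are local file inclusion, and the File Thingie entry is an upload filter that the rename operation does not honour. The following is an added example serving all of those entries; it is not code from any of the products, and it is in Python rather than PHP to show the three checks in one place. The extension tables, the module table and the directory layout are constructed for the example.

```python
import tempfile
from pathlib import Path

# Policy tables; constructed for the example, not taken from any product above.
ALLOWED_EXTENSIONS = {".jpg", ".png", ".gif", ".txt"}
SERVER_EXECUTABLE = {".php", ".phtml", ".phar", ".php5"}
MODULES = {"news": "modules/news.php", "pages": "modules/pages.php"}  # hypothetical


def resolve_under_root(root: Path, user_path: str) -> Path:
    """Resolve a request-supplied path and refuse anything outside root.

    resolve() follows symlinks and collapses "..", so the check is made on the
    real location, which is what the file system will actually open.
    """
    root = root.resolve()
    candidate = (root / user_path).resolve()   # an absolute user_path replaces root
    if candidate != root and root not in candidate.parents:
        raise PermissionError(f"path escapes web root: {user_path!r}")
    return candidate


def list_directory(root: Path, user_path: str) -> list:
    # The Weatimages "path" case: list a caller-chosen directory, but only
    # inside the tree under root.
    target = resolve_under_root(root, user_path)
    if not target.is_dir():
        raise FileNotFoundError(user_path)
    return sorted(p.name for p in target.iterdir())


def module_file(mod: str) -> str:
    # The local file include cases: the request names a module, the table
    # decides the file. A value that is not a key never touches the file system.
    if mod not in MODULES:
        raise ValueError(f"unknown module: {mod!r}")
    return MODULES[mod]


def rename_upload(root: Path, old_name: str, new_name: str) -> Path:
    # The File Thingie case: an upload filter is only as good as every other
    # operation that can give a file a name, so rename applies the same rules.
    # suffixes (not suffix) also catches "shell.php.jpg", which some server
    # configurations still hand to the PHP handler.
    src = resolve_under_root(root, old_name)
    dst = resolve_under_root(root, new_name)
    suffixes = [s.lower() for s in dst.suffixes]
    if not suffixes or suffixes[-1] not in ALLOWED_EXTENSIONS:
        raise ValueError("extension not allowed")
    if any(s in SERVER_EXECUTABLE for s in suffixes):
        raise ValueError("server-executable extension not allowed")
    src.rename(dst)
    return dst


def build_sample_tree() -> Path:
    """Constructed web root used to exercise the checks above."""
    root = Path(tempfile.mkdtemp(prefix="webroot-"))
    (root / "images").mkdir()
    (root / "images" / "a.jpg").write_bytes(b"\xff\xd8")
    (root / "upload").mkdir()
    (root / "upload" / "note.txt").write_text("<?php phpinfo(); ?>")
    return root


if __name__ == "__main__":
    root = build_sample_tree()
    print(list_directory(root, "images"))
    try:
        list_directory(root, "../")
    except PermissionError as e:
        print("blocked:", e)
```

Two caveats a practitioner would want: the containment check must run on the resolved path, not on the string (a prefix test on the raw string is defeated by "..", symlinks and, on some platforms, case folding), and the extension policy is deliberately an allow-list plus an explicit executable deny-list, because a deny-list alone misses handler aliases added later in server configuration.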

  • 10.21.76 - CVE: Not Available
  • Platform: Web Application
  • Title: PonVFTP Insecure Cookie Authentication Bypass
  • Description: PonVFTP is a web-based application. The application is exposed to an authentication bypass issue because it fails to adequately verify user-supplied input used for cookie-based authentication. Specifically, attackers can gain administrative access to the application by setting the "username" cookie parameter to "admin".
  • Ref: http://www.securityfocus.com/bid/40207
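
The PonVFTP entry is a plain-text identity cookie: the server believes whatever "username" the client sends. The following is an added example, not PonVFTP's code and not a PHP snippet from the page; it shows that pattern next to a session cookie the server signs with HMAC-SHA256 and checks in constant time, so that a client cannot mint or alter one. The key, the cookie layout and the sample values are constructed for the example.

```python
import base64
import hashlib
import hmac
import json
from typing import Optional

# Server-side secret; constructed for the example. In a deployment this comes
# from configuration, is random, and is not in source control.
SECRET_KEY = b"constructed-example-key-do-not-reuse"


def current_user_vulnerable(cookies: dict) -> Optional[str]:
    # The PonVFTP pattern described above: the identity is read straight from
    # a client-controlled cookie, so the client decides who it is.
    return cookies.get("username")


def _b64e(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode("ascii")


def _b64d(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def issue_session(username: str, now: int, ttl: int = 3600) -> str:
    # Cookie layout: base64(payload) "." base64(HMAC-SHA256(key, base64(payload)))
    payload = json.dumps({"u": username, "exp": now + ttl}, separators=(",", ":")).encode()
    body = _b64e(payload)
    mac = hmac.new(SECRET_KEY, body.encode("ascii"), hashlib.sha256).digest()
    return f"{body}.{_b64e(mac)}"


def current_user_hardened(cookies: dict, now: int) -> Optional[str]:
    # Accept only a cookie this server signed and that has not expired.
    # Anything malformed, unsigned, signed with another key, tampered with
    # or stale yields None (anonymous), never a different user.
    token = cookies.get("session", "")
    body, sep, sig = token.partition(".")
    if not sep:
        return None
    expected = hmac.new(SECRET_KEY, body.encode("ascii"), hashlib.sha256).digest()
    try:
        if not hmac.compare_digest(expected, _b64d(sig)):   # constant-time compare
            return None
        data = json.loads(_b64d(body))
    except (ValueError, UnicodeDecodeError):
        return None
    if not isinstance(data, dict) or data.get("exp", 0) < now:
        return None
    return data.get("u")


def demo(now: int = 1_700_000_000) -> dict:
    """Constructed cookies: a forged plain cookie, a forged signed cookie,
    a genuine cookie with its body swapped, and a genuine cookie."""
    forged_plain = {"username": "admin"}
    admin_body = _b64e(b'{"u":"admin","exp":9999999999}')
    forged_signed = {"session": admin_body + "." + _b64e(b"\x00" * 32)}
    genuine = {"session": issue_session("alice", now)}
    tampered = {"session": admin_body + "." + genuine["session"].split(".")[1]}
    return {
        "vulnerable_forged": current_user_vulnerable(forged_plain),
        "hardened_forged": current_user_hardened(forged_plain, now),
        "hardened_bad_sig": current_user_hardened(forged_signed, now),
        "hardened_tampered": current_user_hardened(tampered, now),
        "hardened_genuine": current_user_hardened(genuine, now),
        "hardened_expired": current_user_hardened(genuine, now + 7200),
    }


if __name__ == "__main__":
    print(demo())
```

A signed cookie proves only that the server issued it; it does not stop replay of a stolen cookie, so the usual Secure and HttpOnly flags still apply, and if sessions must be revocable the cookie should carry a session id that is looked up server-side rather than the user name itself.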

  • 10.21.77 - CVE: Not Available
  • Platform: Web Application
  • Title: Blaze Apps SQL Injection and HTML Injection Vulnerabilities
  • Description: Blaze Apps is a web-based content management system. The application is exposed to multiple issues. 1) An HTML injection issue that occurs because it fails to sufficiently sanitize user-supplied input to the "uxAddPostTextbox" parameter of the "addpost.ascx.vb" script. 2) Multiple SQL injection issues. Blaze Apps versions 1.4.0.051909 and earlier are affected.
  • Ref: http://www.securityfocus.com/archive/1/509040

  • 10.21.78 - CVE: Not Available
  • Platform: Web Application
  • Title: NPDS Revolution "stats.php" HTML Injection
  • Description: NPDS Revolution is a web application. The application is exposed to an HTML injection issue because it fails to properly sanitize user-supplied input to the "theme" parameter of the "stats.php" script. NPDS Revolution version 10.02 is affected.
  • Ref: http://www.securityfocus.com/archive/1/511326
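
The HTML injection entries in this section (TomatoCMS, the Drupal Bibliography module, SoftDirec, the two Invision Power Board BBCode issues, Blaze Apps and the NPDS "theme" parameter) all come down to user text reaching the page unescaped, and the BBCode cases add a second trap: a markup converter that emits tags from user-chosen attributes. The following is an added example, not any of those products' code; it is a deliberately small BBCode subset in Python that escapes all text, only emits the tags it knows, and only accepts http(s) link targets. The tag set and test strings are constructed for the example.

```python
import html
import re
from typing import Optional
from urllib.parse import urlparse

# Minimal BBCode subset: [b], [i] and [url=...]. Constructed for the example;
# not Invision Power Board's or NPDS's parser.
TAG_RE = re.compile(r"\[(/?)(b|i|url)(?:=([^\]]*))?\]", re.IGNORECASE)
HTML_TAG = {"b": "b", "i": "i", "url": "a"}


def safe_href(raw: Optional[str]) -> Optional[str]:
    # Only absolute http(s) URLs become link targets; "javascript:", "data:"
    # and scheme-relative or attribute-breaking values are rejected.
    if not raw:
        return None
    raw = raw.strip()
    parsed = urlparse(raw)
    if parsed.scheme.lower() not in ("http", "https") or not parsed.netloc:
        return None
    return raw


def escape_text(text: str) -> str:
    # Every user-supplied string that reaches the page goes through this,
    # including a reflected parameter such as a theme name.
    return html.escape(text, quote=True)


def bbcode_to_html(text: str) -> str:
    out, pos, open_tags = [], 0, []
    for m in TAG_RE.finditer(text):
        out.append(escape_text(text[pos:m.start()]))
        closing, tag, arg = m.group(1), m.group(2).lower(), m.group(3)
        if closing:
            if open_tags and open_tags[-1] == tag:
                open_tags.pop()
                out.append(f"</{HTML_TAG[tag]}>")
            else:
                out.append(escape_text(m.group(0)))   # unmatched close: show literally
        elif tag == "url":
            href = safe_href(arg)
            if href is None:
                out.append(escape_text(m.group(0)))   # bad target: show literally
            else:
                open_tags.append(tag)
                out.append(f'<a href="{escape_text(href)}" rel="nofollow">')
        else:
            open_tags.append(tag)
            out.append(f"<{HTML_TAG[tag]}>")
        pos = m.end()
    out.append(escape_text(text[pos:]))
    while open_tags:                                   # close what the user left open
        out.append(f"</{HTML_TAG[open_tags.pop()]}>")
    return "".join(out)


if __name__ == "__main__":
    print(bbcode_to_html("[b]hi[/b] <script>alert(1)</script>"))
    print(bbcode_to_html("[url=javascript:alert(1)]x[/url]"))
```

The two decisions that matter are that the converter never copies user input into output except through escape_text, and that it decides on an allow-list basis (known tag, known scheme) rather than trying to strip known-bad strings, which is where the BBCode tag handling above went wrong.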

  • 10.21.79 - CVE: Not Available
  • Platform: Web Application
  • Title: TS Special Edition Unauthorized-Access and Security Bypass
  • Description: TS Special Edition is a PHP-based forum application. TS Special Edition is exposed to an unauthorized access issue and a page restriction security bypass issue because the application fails to properly enforce access controls. Specifically, the "userdetails.php" and "details.php" scripts are affected. TS Special Edition version 7.0 is affected.
  • Ref: http://www.securityfocus.com/bid/40234/references

  • 10.21.80 - CVE: CVE-2010-0601, CVE-2010-0602, CVE-2010-0603, CVE-2010-0604, CVE-2010-1561, CVE-2010-1562, CVE-2010-1563, CVE-2010-1567, CVE-2010-1565
  • Platform: Network Device
  • Title: Cisco PGW 2200 Softswitch Multiple Denial of Service Vulnerabilities
  • Description: Cisco PGW 2200 Softswitch products are voice and data call routing devices. Cisco PGW 2200 Softswitch products are exposed to multiple remote denial of service issues.
  • Ref: http://www.cisco.com/en/US/products/products_security_advisory09186a0080b2c519.shtml

  • 10.21.81 - CVE: Not Available
  • Platform: Hardware
  • Title: Hitachi Multiple EUR Products Code Execution
  • Description: Multiple Hitachi EUR products are exposed to an unspecified code execution issue. The issue can be exploited by enticing a user to visit a crafted site using Internet Explorer.
  • Ref: http://www.securityfocus.com/bid/40216/references

(c) 2010. All rights reserved. The information contained in this newsletter, including any external links, is provided "AS IS," with no express or implied warranty, for informational purposes only. In some cases, copyright for material in this newsletter may be held by a party other than Qualys (as indicated herein) and permission to use such material must be requested from the copyright owner.

Subscriptions: @RISK is distributed free of charge by the SANS Institute to people responsible for managing and securing information systems and networks. You may forward this newsletter to others with such responsibility inside or outside your organization.