
@RISK: The Consensus Security Vulnerability Alert

Volume: IX, Issue: 22
May 27, 2010

@RISK is the SANS community's consensus bulletin summarizing the most important vulnerabilities and exploits identified during the past week and providing guidance on appropriate actions to protect your systems (PART I). It also includes a comprehensive list of all new vulnerabilities discovered in the past week (PART II).

Summary of the vulnerabilities reported this week:

    Platform                                  Number of Updates and Vulnerabilities
    ----------------------------------------  -------------------------------------
    Windows                                   1 (#5)
    Third Party Windows Apps                  8
    Mac OS                                    2 (#3)
    Linux                                     3
    HP-UX                                     1 (#2)
    Solaris                                   3 (#2)
    Cross Platform                            29 (#1,#2,#4)
    Web Application - Cross Site Scripting    20
    Web Application - SQL Injection           16
    Web Application                           27
    Network Device                            2


TRAINING UPDATE

-- SANSFIRE 2010, Baltimore, June 6-14, 2010. 36 courses. Bonus evening presentations include Software Security Street Fighting Style and The Verizon Data Breach Investigations Report

http://www.sans.org/sansfire-2010/

-- SANS Rocky Mountain 2010, Denver, July 12-17, 2010. 8 courses. Bonus evening presentations include Hiding in Plain Sight: Forensic Techniques to Counter the Advanced Persistent Threat

http://www.sans.org/rocky-mountain-2010/

-- SANS Boston 2010, August 2-8, 2010. 11 courses. Special Events include Rapid Response Security Strategy Competition

http://www.sans.org/boston-2010/

-- SANS Virginia Beach 2010, August 29-September 3, 2010. 9 courses

http://www.sans.org/virginia-beach-2010/

-- SANS Network Security 2010, Las Vegas, September 19-27, 2010. 40 courses. Bonus evening presentations include The Return of Command Line Kung Fu and Cyberwar or Business as Usual? The State of US Federal CyberSecurity Initiatives

http://www.sans.org/network-security-2010/

Looking for training in your own community? http://sans.org/community/

Save on On-Demand training (30 full courses) - See samples at http://www.sans.org/ondemand/spring09.php

Plus Amsterdam, Kuala Lumpur, Canberra and Taipei all in the next 90 days.

For a list of all upcoming events, on-line and live: http://www.sans.org/index.php

*************************************************************************

Table Of Contents
Part II -- Comprehensive List of Newly Discovered Vulnerabilities from Qualys (www.qualys.com)
Windows
Third Party Windows Apps
Mac OS
Linux
HP-UX
Solaris
Cross Platform
Web Application - Cross Site Scripting
Web Application - SQL Injection
Web Application
Network Device


PART I Critical Vulnerabilities

Part I for this issue has been compiled by Josh Bronson at TippingPoint, a division of 3Com, as a by-product of that company's continuous effort to ensure that its intrusion prevention products effectively block exploits using known vulnerabilities. TippingPoint's analysis is complemented by input from a council of security managers from twelve large organizations who confidentially share with SANS the specific actions they have taken to protect their systems. A detailed description of the process may be found at http://www.sans.org/newsletters/cva/#process

Widely Deployed Software
  • (1) HIGH: Google Chrome Memory Corruption and Security Bypass Vulnerabilities
  • Affected:
    • Google Chrome prior to 5.0.375.55
  • Description: Two memory corruption vulnerabilities and a security bypass vulnerability have been reported in Google Chrome. The two memory corruption vulnerabilities are unspecified, but memory corruption vulnerabilities should always be taken seriously since they sometimes allow code execution. The security bypass vulnerability allows JavaScript to be executed with the same permissions as a Chrome extension. JavaScript is normally run with reduced permissions inside a browser sandbox.

  • Status: vendor confirmed, updates available

  • References:
  • (3) HIGH: Apple Mac OS X Java Multiple Remote Code Execution Vulnerabilities
  • Affected:
    • Mac OS X 10.5.8 (and prior versions)
    • Mac OS X Server 10.5.8 (and prior versions)
    • Mac OS X 10.6.3 (and prior versions)
    • Mac OS X Server 10.6.3 (and prior versions)
  • Description: Mac OS X is a popular operating system for Apple computers. Two vulnerabilities have been reported in its handling of Java applets. The first issue concerns malicious 'mediaLibImage' objects and the second involves window drawing. An attacker who successfully exploits either vulnerability can execute arbitrary code with the permissions of the affected software.

  • Status: vendor confirmed, updates available

  • References:
  • (4) MODERATE: Ziproxy Image Parsing Multiple Integer Overflow Vulnerabilities
  • Affected:
    • Ziproxy Ziproxy 3.0
  • Description: Ziproxy is a non-caching, open-source, lightweight web proxy. Two integer overflow vulnerabilities have been reported in Ziproxy. A remote attacker can exploit these vulnerabilities by causing the proxy to process malicious JPEG or PNG files. Successful exploitation will result in code execution with the permissions of the Ziproxy server process.

  • Status: vendor confirmed, updates available

  • References:
  • (5) MODERATE: Microsoft Windows Canonical Display Driver Remote Code Execution Vulnerability
  • Affected:
    • Windows 7 for x64-based systems
    • Windows Server 2008 R2 for x64-based systems
    • Windows Server 2008 R2 for Itanium-based systems
  • Description: When the Windows "Aero" theme is installed, Microsoft's Canonical Display Driver (cdd.dll) does not properly parse user-mode data. An attacker can exploit this vulnerability by causing the target system to process malicious data through the driver, for example by sending a malicious image. Code execution is a theoretical possibility, but Microsoft notes that the code is protected by randomization.

  • Status: vendor confirmed, updates available

  • References:
Part II: Weekly Comprehensive List of Newly Discovered Vulnerabilities
Week 22, 2010

This list is compiled by Qualys (www.qualys.com) as part of that company's ongoing effort to ensure its vulnerability management web service tests for all known vulnerabilities that can be scanned. As of this week Qualys scans for 9546 unique vulnerabilities. For this special SANS community listing, Qualys also includes vulnerabilities that cannot be scanned remotely.


  • 10.22.1 - CVE: CVE-2009-3678
  • Platform: Windows
  • Title: Microsoft Windows Canonical Display Driver Remote Code Execution
  • Description: Microsoft Windows is exposed to a remote code execution issue that affects the Canonical Display Driver. The vulnerable code resides in the "cdd.dll" library file. Specifically, the vulnerable driver fails to properly parse information passed from user to kernel space.
  • Ref: http://www.microsoft.com/technet/security/advisory/2028859.mspx

  • 10.22.2 - CVE: Not Available
  • Platform: Third Party Windows Apps
  • Title: Attachmate Reflection X ActiveX Control "ControlID" Buffer Overflow
  • Description: Attachmate Reflection X is an ActiveX control that provides terminal functionality for remote systems. The Attachmate Reflection X control is exposed to a buffer overflow issue because it fails to perform adequate boundary checks on user-supplied data. Attachmate Reflection X versions 13.0 and 14.0 and Attachmate Reflection Standard Suite 2008 are affected.
  • Ref: http://support.microsoft.com/kb/240797

  • 10.22.3 - CVE: Not Available
  • Platform: Third Party Windows Apps
  • Title: yPlay ".mp3" File Remote Buffer Overflow
  • Description: yPlay is a media player for Microsoft Windows. yPlay is exposed to a remote buffer overflow issue because it fails to perform adequate checks on user-supplied input. Specifically, this issue occurs when opening a specially crafted ".mp3" file. yPlay version 1.0.76 is affected.
  • Ref: http://www.securityfocus.com/bid/40301/references

  • 10.22.4 - CVE: Not Available
  • Platform: Third Party Windows Apps
  • Title: Pico MP3 Player Multiple Remote Buffer Overflow Vulnerabilities
  • Description: Pico MP3 Player is an MP3 player for Microsoft Windows. Pico MP3 Player is exposed to multiple remote buffer overflow issues because it fails to perform adequate checks on user-supplied input. Specifically, these issues occur when opening specially crafted ".mp3" and ".pls" files. Pico MP3 Player version 1.0 is affected.
  • Ref: http://www.securityfocus.com/bid/40303/references

  • 10.22.5 - CVE: Not Available
  • Platform: Third Party Windows Apps
  • Title: Sonique ".pls" File Remote Buffer Overflow
  • Description: Sonique is a media player for Microsoft Windows. Sonique is exposed to a remote buffer overflow issue because it fails to perform adequate checks on user-supplied input. Specifically, this issue occurs when opening a specially crafted ".pls" file. Sonique version 2.0 Beta Build 103 is affected.
  • Ref: http://www.securityfocus.com/bid/40306/references

  • 10.22.6 - CVE: Not Available
  • Platform: Third Party Windows Apps
  • Title: Rumba FTP Client "FTPSFtp.dll" ActiveX Control Buffer Overflow
  • Description: Rumba FTP client is an FTP client for Microsoft Windows. The "FTPSFtp.dll" ActiveX control is exposed to a buffer overflow issue because it fails to perform adequate boundary checks on user-supplied data to the "OpenSession()" method. The issue affects Rumba FTP client version 4.2.0.0.
  • Ref: http://support.microsoft.com/kb/240797

  • 10.22.7 - CVE: Not Available
  • Platform: Third Party Windows Apps
  • Title: SyncBack Profile File Remote Buffer Overflow
  • Description: SyncBack is a backup application. SyncBack is exposed to a remote stack-based buffer overflow issue because it fails to perform adequate checks on user-supplied input. Specifically, this issue occurs when importing profiles from specially crafted ".sps" or ".zip" files. SyncBack version 3.2.20 is affected.
  • Ref: http://www.2brightsparks.com/freeware/changes.html

  • 10.22.8 - CVE: Not Available
  • Platform: Third Party Windows Apps
  • Title: SnugServer FTP Directory Traversal
  • Description: SnugServer is a Windows-based FTP server. The application is exposed to a directory traversal issue because it fails to sufficiently sanitize directory traversal strings from user-supplied commands. SnugServer version 4.3.0.126 is affected.
  • Ref: http://www.securityfocus.com/bid/40313/references

  • 10.22.9 - CVE: Not Available
  • Platform: Third Party Windows Apps
  • Title: Open&Compact FTP Server Multiple Command Remote Denial of Service Vulnerabilities
  • Description: Open&Compact FTP Server is an FTP server available for Microsoft Windows. The application is exposed to multiple denial of service issues because it fails to perform adequate boundary checks on user-supplied data to the FTP commands. Open&Compact FTP Server version 1.2 is affected.
  • Ref: http://www.securityfocus.com/bid/40366/references

  • 10.22.10 - CVE: CVE-2010-0538
  • Platform: Mac OS
  • Title: Apple Mac OS X Java "mediaLibImage" Object Handling Remote Code Execution
  • Description: Apple Mac OS X is exposed to an issue that lets attackers run arbitrary code because the software fails to properly handle Java applets containing malicious "mediaLibImage" objects. Memory can become corrupted because of an out-of-bounds error in the "com.sun.medialib.mlib" package. This issue affects Mac OS X 10.6.3 and prior versions.
  • Ref: http://www.securityfocus.com/bid/40238/info

  • 10.22.11 - CVE: CVE-2010-0539
  • Platform: Mac OS
  • Title: Apple Mac OS X Java Window Drawing Handling Remote Code Execution
  • Description: Apple Mac OS X is exposed to an issue that lets attackers run arbitrary code because the software fails to properly handle window drawing in specially crafted Java applets. This issue occurs because of an unspecified signedness error. Successful exploits will allow an attacker to run arbitrary code in the context of the affected software.
  • Ref: http://www.securityfocus.com/bid/40240

  • 10.22.12 - CVE: Not Available
  • Platform: Linux
  • Title: Linux Kernel Btrfs Cloned File Security Bypass
  • Description: The Linux Kernel is exposed to a security bypass issue that affects the Btrfs filesystem implementation. Specifically, this issue affects the "btrfs_ioctl_clone()" IOCTL which fails to verify if the source file descriptor has been opened for reading before it was copied.
  • Ref: https://bugs.launchpad.net/ubuntu/+source/linux/+bug/579585

  • 10.22.13 - CVE: Not Available
  • Platform: Linux
  • Title: Linux Mint "mintUpdate" Insecure Temporary File Creation
  • Description: Linux Mint is a GNU/Linux desktop distribution. The Linux Mint "mintUpdate" tool creates temporary files in the "/tmp/mintUpdate/" directory in an insecure manner. Successfully mounting a symlink attack may allow the attacker to delete or corrupt sensitive files, which may result in a denial of service.
  • Ref: http://www.securityfocus.com/bid/40296


  • 10.22.15 - CVE: CVE-2010-1039
  • Platform: HP-UX
  • Title: HP-UX ONCplus Unspecified Remote Privilege Escalation
  • Description: HP-UX is a UNIX-based operating system. The ONCplus package provides distributed applications such as NFS, AutoFS, CacheFS, and NIS. The application is exposed to an unspecified remote privilege escalation issue. HP-UX versions B.11.11, B.11.23, and B.11.31 running NFS/ONCplus B.11.31_09 are affected.
  • Ref: http://www.securityfocus.com/archive/1/511342

  • 10.22.16 - CVE: Not Available
  • Platform: Solaris
  • Title: Sun Solaris Nested Directory Tree Local Denial of Service
  • Description: Sun Solaris is exposed to a local denial of service issue because it fails to properly handle deeply nested directories with certain filesystem commands. Specifically, when running the "rm" and "find" commands on a directory that is nested 8000 or more times, a segfault occurs. Other commands may also be affected. Sun Solaris 10 is affected.
  • Ref: http://securityreason.com/achievement_securityalert/85

  • 10.22.17 - CVE: Not Available
  • Platform: Solaris
  • Title: Sun Solaris "in.ftpd" Long Command Handling Security
  • Description: Sun Solaris "in.ftpd" FTP server is exposed to a security issue that allows attackers to perform cross-site request forgery attacks. The issue stems from an error in processing long FTP commands. The application truncates an overly long FTP command and interprets the remaining string as a new FTP command. Sun Solaris 10 version 10/09 and OpenSolaris version 2009.06 are affected.
  • Ref: http://www.securityfocus.com/bid/40320/references

  • 10.22.18 - CVE: Not Available
  • Platform: Solaris
  • Title: Sun Solaris Multiple libc Numeric Conversion Functions Buffer Overflow Vulnerabilities
  • Description: Sun Solaris is exposed to a buffer overflow issue affecting multiple functions in the libc library. This issue affects the "econvert()" and "fconvert()" functions called by "ecvt()" and "fcvt()", respectively. Similar functions may also be affected. Solaris 10 is affected.
  • Ref: http://securityreason.com/achievement_securityalert/86

  • 10.22.19 - CVE: Not Available
  • Platform: Cross Platform
  • Title: TeamViewer Remote Buffer Overflow
  • Description: TeamViewer is a remote desktop sharing application available for multiple operating systems. TeamViewer is exposed to a remote buffer overflow issue because it fails to perform adequate boundary checks on user-supplied data. This issue occurs when handling a maliciously crafted large string sent to the listening network port of the application. TeamViewer version 5.0.8232 is affected.
  • Ref: http://www.securityfocus.com/bid/40242

  • 10.22.20 - CVE: Not Available
  • Platform: Cross Platform
  • Title: Orbit Downloader Metalink File Directory Traversal
  • Description: Orbit Downloader is a downloading application for music, video and other files. Orbit Downloader is exposed to a directory traversal issue because the application fails to sufficiently sanitize user-supplied input. Specifically, the application fails to sanitize directory-traversal strings (../) from the "name" attribute of the "file" element in the metalink files. Orbit Downloader versions 3.0.0.4 and 3.0.0.5 are affected.
  • Ref: http://www.securityfocus.com/bid/40245

  • 10.22.21 - CVE: Not Available
  • Platform: Cross Platform
  • Title: Dell OpenManage "file" Parameter URI Redirection
  • Description: Dell OpenManage is a collection of network and systems management applications. OpenManage is exposed to an open redirection issue because it fails to properly sanitize user-supplied input to the "file" parameter of the "servlet/HelpViewer" application. OpenManage versions 5.5 and 6.2 are affected.
  • Ref: http://www.securityfocus.com/bid/40247


  • 10.22.23 - CVE: Not Available
  • Platform: Cross Platform
  • Title: McAfee Email Gateway "systemWebAdminConfig.do" Remote Security Bypass
  • Description: McAfee Email Gateway (formerly IronMail) is an email gateway security application. The application is exposed to a security bypass issue. Specifically, the "admin/systemWebAdminConfig.do" script fails to properly perform user-profile checks. McAfee Email Gateway version 6.7.1 is affected.
  • Ref: http://www.cybsec.com/vuln/cybsec_advisory_2010_0501_Ironmail_Advisory_Web_Access_Broken.pdf

  • 10.22.24 - CVE: CVE-2010-1626
  • Platform: Cross Platform
  • Title: Oracle MySQL DROP TABLE MyISAM Symbolic Link Local Security Bypass
  • Description: Oracle MySQL is an open source SQL database available for multiple operating systems. MySQL is exposed to a security bypass issue because of an error when handling symbolic links between MyISAM files. MySQL versions prior to 5.1.46 are affected.
  • Ref: http://lists.mysql.com/commits/104639

  • 10.22.25 - CVE: Not Available
  • Platform: Cross Platform
  • Title: SwiFTP "STOR" Command Remote Buffer Overflow
  • Description: SwiFTP is an FTP server that runs on the Android platform. SwiFTP is exposed to a remote buffer overflow issue because it fails to perform adequate boundary checks on user-supplied input to the "stor" command. SwiFTP version 1.11 is affected.
  • Ref: http://www.securityfocus.com/bid/40265


  • 10.22.27 - CVE: CVE-2010-1168, CVE-2010-1974, CVE-2010-1447
  • Platform: Cross Platform
  • Title: Perl Safe Module "reval()" and "rdo()" Restriction Bypass Vulnerabilities
  • Description: Perl is a general purpose scripting language. Safe is a module for Perl which allows the isolated compilation and execution of additional Perl code within a Perl application. The Perl Safe module is exposed to multiple restriction bypass issues. Specifically, Safe may fail to wrap code returned by the "reval()" and "rdo()" functions. Safe versions prior to 2.27 are affected.
  • Ref: http://permalink.gmane.org/gmane.comp.security.oss.general/2932

  • 10.22.28 - CVE: Not Available
  • Platform: Cross Platform
  • Title: 3Com Intelligent Management Center Multiple Vulnerabilities
  • Description: 3Com Intelligent Management Center is a network management application. The application is exposed to multiple issues because it fails to sufficiently sanitize user-supplied input. 3Com Intelligent Management Center versions 3.3 SP1 and 3.3.9 are affected.
  • Ref: http://www.procheckup.com/vulnerability_manager/vulnerabilities/pr10-01

  • 10.22.29 - CVE: CVE-2010-1975
  • Platform: Cross Platform
  • Title: PostgreSQL "RESET ALL" Unauthorized Access
  • Description: PostgreSQL is an open source relational database. PostgreSQL is exposed to an unauthorized access issue because it fails to restrict the use of the "RESET ALL" operation when called through an "ALTER USER" or "ALTER DATABASE" statement.
  • Ref: http://www.postgresql.org/docs/current/static/release-8-3-11.html

  • 10.22.30 - CVE: Not Available
  • Platform: Cross Platform
  • Title: FileCOPA FTP Server Directory Traversal
  • Description: FileCOPA FTP Server is a Windows-based FTP server. The application is exposed to a directory traversal issue because it fails to sufficiently sanitize directory traversal strings from user-supplied commands. FileCOPA FTP Server version 5.02 is affected.
  • Ref: http://www.securityfocus.com/bid/40312

  • 10.22.31 - CVE: Not Available
  • Platform: Cross Platform
  • Title: ClamAV "cli_pdf()" PDF File Processing Denial of Service
  • Description: ClamAV is a multi-platform toolkit used for scanning email messages for viruses. ClamAV is exposed to a denial of service issue because it fails to handle crafted PDF files. This error occurs in the "cli_pdf()" function of the "libclamav/pdf.c" source code file. Versions prior to ClamAV 0.96.1 are affected.
  • Ref: https://wwws.clamav.net/bugzilla/show_bug.cgi?id=2016

  • 10.22.32 - CVE: CVE-2010-0776, CVE-2010-0777
  • Platform: Cross Platform
  • Title: IBM WebSphere Application Server "response.sendRedirect" Remote Denial of Service
  • Description: IBM WebSphere Application Server (WAS) is an application server used for service oriented architecture. WAS is exposed to a remote denial of service issue. Specifically, this issue is caused by an error related to calling the "response.sendRedirect" function with "Transfer-Encoding" set to "chunked". This issue can be triggered by a crafted GET request. WebSphere Application Server versions 6.0, 6.1 and 7.0 are affected.
  • Ref: http://xforce.iss.net/xforce/xfdb/58556

  • 10.22.33 - CVE: CVE-2010-0774
  • Platform: Cross Platform
  • Title: IBM WebSphere Application Server JAX-RPC WS-Security/JAX-WS Runtime Security Bypass
  • Description: IBM WebSphere Application Server (WAS) is available for various operating systems. WAS is exposed to a security bypass issue that occurs when using JAX-RPC WS-Security and JAX-WS runtime. The application fails to handle specially crafted WebServices PKCS#7 and PKIPath tokens. WebSphere Application Server versions prior to 6.0.2.41, 6.1.0.31 and 7.0.0.11 are affected.
  • Ref: http://xforce.iss.net/xforce/xfdb/58554

  • 10.22.34 - CVE: CVE-2010-0775
  • Platform: Cross Platform
  • Title: IBM WebSphere Application Server Nodeagent/Deployment Manager Remote Denial of Service
  • Description: IBM WebSphere Application Server (WAS) is available for various operating systems. WAS is exposed to a remote denial of service issue related to the Nodeagent and Deployment Manager components. IBM WebSphere Application Server versions prior to WAS 6.0.2.41, 6.1.0.31 and 7.0.0.11 are affected.
  • Ref: http://xforce.iss.net/xforce/xfdb/58555

  • 10.22.35 - CVE: Not Available
  • Platform: Cross Platform
  • Title: SolarWinds TFTP Server "Read" Request (Opcode 0x01) Denial of Service
  • Description: SolarWinds TFTP Server is a Trivial File Transfer Protocol server available for Microsoft Windows platforms. The application is exposed to a denial of service issue because it fails to handle maliciously crafted "Read" (opcode 0x01) requests. SolarWinds TFTP Server version 10.4.0.10 is affected.
  • Ref: http://www.securityfocus.com/bid/40333

  • 10.22.36 - CVE: Not Available
  • Platform: Cross Platform
  • Title: DotNetNuke Remote Arbitrary File Upload
  • Description: DotNetNuke is an open source framework for creating and deploying websites. The application is exposed to a remote arbitrary file upload issue because it fails to sufficiently sanitize user-supplied input. Specifically, a malicious PHP file whose name is appended with a ";name.jpg" type extension can be uploaded through the "fcklinkgallery.aspx" script.
  • Ref: http://www.securityfocus.com/bid/40341

  • 10.22.37 - CVE: Not Available
  • Platform: Cross Platform
  • Title: Kingsoft Webshield "KAVSafe.sys" Driver IOCTL Handling Local Privilege Escalation
  • Description: The Webshield component of Kingsoft protects a user's browser against malware. Kingsoft Webshield is exposed to a local privilege escalation issue because the "KAVSafe.sys" driver fails to properly validate IOCTL requests to the "DeviceIoControl" win32 call using the "0x830020d4" IoControlCode value. The issue affects Kingsoft Webshield version 3.5.1.2.
  • Ref: http://www.securityfocus.com/bid/40342/references

  • 10.22.38 - CVE: Not Available
  • Platform: Cross Platform
  • Title: Apache Axis2 "xsd" Parameter Directory Traversal
  • Description: Apache Axis2 is a Web Services/SOAP/WSDL engine. Apache Axis2 is exposed to a directory traversal issue because it fails to sufficiently sanitize user-supplied input to the "xsd" parameter. Apache Axis2 version 1.4.1 is affected.
  • Ref: http://www.securityfocus.com/bid/40343

  • 10.22.39 - CVE: CVE-2010-1513
  • Platform: Cross Platform
  • Title: Ziproxy Image Parsing Multiple Integer Overflow Vulnerabilities
  • Description: Ziproxy is a forwarding proxy server that also compresses data. Ziproxy is exposed to multiple integer overflow issues because it fails to properly validate user-supplied data when parsing PNG and JPG images. Specifically, these issues arise in the "jpg2bitmap()" and "png2bitmap()" functions of the "src/image.c" source file. Ziproxy version 3.0 is affected.
  • Ref: http://secunia.com/secunia_research/2010-75/

  • 10.22.40 - CVE: Not Available
  • Platform: Cross Platform
  • Title: Simple:Press Plugin for WordPress Security Bypass and Arbitrary File Upload Vulnerabilities
  • Description: Simple:Press is a forum plugin for the WordPress publishing application. Simple:Press is exposed to multiple issues. 1) A security bypass issue that affects the TinyBrowser component that allows users to upload arbitrary files without proper permission. 2) A security issue in the TinyBrowser component that allows attackers to upload files with multiple extensions. 3) A security issue that allows attackers to upload files with multiple extensions as avatars. Simple:Press versions prior to 4.1.3 are affected.
  • Ref: http://simple-press.com/support-forum/simplepress-forum-4-1/spf-v4-1-3-security-release-now-available/

  • 10.22.41 - CVE: Not Available
  • Platform: Cross Platform
  • Title: TinyBrowser Remote File Upload
  • Description: TinyBrowser is a file browser built for the TinyMCE WYSIWYG content editor. TinyBrowser is exposed to an issue that lets attackers upload arbitrary files because it fails to adequately limit the types of files that can be uploaded. Attackers can execute their uploaded script through the "type" parameter of the "tinybrowser/upload.php" script.
  • Ref: http://www.securityfocus.com/bid/40358

  • 10.22.42 - CVE: CVE-2009-4134
  • Platform: Cross Platform
  • Title: Python "rgbimg" Module ZSIZE Value Buffer Underflow
  • Description: Python is an interpreted, dynamic object oriented programming language that is available for many operating systems. Python's "rgbimg" module is exposed to a buffer underflow issue because the application fails to perform adequate boundary checks on user-supplied data. This issue occurs because the application fails to properly check if the "ZSIZE" value is less than or equal to "4".
  • Ref: https://bugzilla.redhat.com/show_bug.cgi?id=541698#c9

  • 10.22.43 - CVE: CVE-2010-1449
  • Platform: Cross Platform
  • Title: Python "rgbimg" Module "rv" Array Buffer Overflow
  • Description: Python is an interpreted, dynamic object oriented programming language that is available for many operating systems. Python's "rgbimg" module is exposed to a buffer overflow issue because the application fails to perform adequate boundary checks on user-supplied data. This issue occurs when handling a specially crafted image.
  • Ref: https://bugzilla.redhat.com/show_bug.cgi?id=541698#c9

  • 10.22.44 - CVE: CVE-2010-1450
  • Platform: Cross Platform
  • Title: Python "rgbimg" RLE Decoder Multiple Buffer Overflow Vulnerabilities
  • Description: Python is an interpreted, dynamic object oriented programming language that is available for many operating systems. Python's "rgbimg" module is exposed to multiple buffer overflow issues because the application fails to perform adequate boundary checks on user-supplied data. Successful exploits may allow attackers to execute arbitrary code in the context of applications using the vulnerable Python module.
  • Ref: https://bugzilla.redhat.com/show_bug.cgi?id=541698#c9

  • 10.22.45 - CVE: Not Available
  • Platform: Cross Platform
  • Title: Google Chrome prior to 5.0.375.55 Multiple Security Vulnerabilities
  • Description: Google Chrome is a web browser for multiple platforms. Google Chrome is exposed to multiple issues. 1) An unspecified issue caused by an error in canonicalizing URIs. 2) A URI spoofing issue related to "unload" event handlers. 3) A memory corruption issue related to the "Safe Browsing" feature. 4) A security bypass issue affecting the whitelist mode plugin blocker. 5) A memory corruption error related to drag and drop behavior. 6) An unspecified issue affecting JavaScript execution within the "extension" context. Chrome versions prior to 5.0.375.55 are affected.
  • Ref: http://googlechromereleases.blogspot.com/2010/05/stable-channel-update.html

  • 10.22.46 - CVE: Not Available
  • Platform: Cross Platform
  • Title: Ghostscript "./Encoding/" Search Path Local Privilege Escalation
  • Description: Ghostscript is a set of tools and libraries for handling Portable Document Format (PDF) and PostScript files. The application is exposed to a local privilege escalation issue. Specifically, "./Encoding/" is part of the application's execution path. Ghostscript version 8.64 is affected.
  • Ref: http://bugs.ghostscript.com/show_bug.cgi?id=691316

  • 10.22.47 - CVE: CVE-2010-1959
  • Platform: Cross Platform
  • Title: HP TestDirector for Quality Center Unauthorized Access
  • Description: HP TestDirector for Quality Center is a quality management solution for Software QA professionals. HP TestDirector for Quality Center is exposed to an unauthorized access issue. The cause of this issue is unknown. HP TestDirector for Quality Center version 9.2 Patch7 and earlier versions running on AIX, Linux and Solaris are affected.
  • Ref: http://www.securityfocus.com/bid/40371/references

  • 10.22.48 - CVE: Not Available
  • Platform: Web Application - Cross Site Scripting
  • Title: FunkGallery "index.php" Cross-Site Scripting
  • Description: FunkGallery is an image gallery application implemented in PHP. The application is exposed to a cross-site scripting issue because it fails to sanitize user-supplied input to the "gll" parameter of the "index.php" script.
  • Ref: http://www.securityfocus.com/bid/40239/references

  • 10.22.49 - CVE: Not Available
  • Platform: Web Application - Cross Site Scripting
  • Title: Shopzilla Affiliate Script PHP "search.php" Cross-Site Scripting
  • Description: Shopzilla Affiliate Script PHP is a web-based application implemented in PHP. The application is exposed to a cross-site scripting issue because it fails to sanitize user-supplied input to the "s" parameter of the "search.php" script.
  • Ref: http://www.securityfocus.com/bid/40246/references

  • 10.22.50 - CVE: Not Available
  • Platform: Web Application - Cross Site Scripting
  • Title: Caucho Resin Professional "resin-admin/digest.php" Multiple Cross-Site Scripting Vulnerabilities
  • Description: Caucho Resin Professional is an open source application server available for multiple operating platforms. The application is exposed to multiple cross-site scripting issues because it fails to properly sanitize user-supplied input to the "digest_realm" and "digest_username" parameters of the "resin-admin/digest.php" script. Resin Professional version 3.1.5 is affected.
  • Ref: http://www.securityfocus.com/archive/1/511341

  • 10.22.51 - CVE: Not Available
  • Platform: Web Application - Cross Site Scripting
  • Title: ManageEngine ADAudit Plus "reportList" Parameter Cross-Site Scripting
  • Description: ManageEngine ADAudit Plus is an Active Directory auditing and reporting application. ManageEngine ADAudit Plus is exposed to a cross-site scripting issue because it fails to sufficiently sanitize user-supplied input to the "reportList" parameter of the "jsp/audit/reports/ExportReport.jsp" script. ManageEngine ADAudit Plus version 4.0.0 build 4043 is affected.
  • Ref: http://www.securityfocus.com/bid/40253

  • 10.22.52 - CVE: Not Available
  • Platform: Web Application - Cross Site Scripting
  • Title: PHP F1 Max's Site Protector "index.php" Cross-Site Scripting
  • Description: PHP F1 Max's Site Protector is a PHP-based user authentication application. The application is exposed to a cross-site scripting issue because it fails to sanitize user-supplied input to the "index.php" script.
  • Ref: http://www.securityfocus.com/bid/40267

  • 10.22.53 - CVE: Not Available
  • Platform: Web Application - Cross Site Scripting
  • Title: SoftDirec "delete_confirm.php" Cross-Site Scripting
  • Description: SoftDirec is a PHP-based repository application. SoftDirec is exposed to a cross-site scripting issue because it fails to properly sanitize user-supplied input to the "id" parameter of the "softdirec/library/delete_confirm.php" script. SoftDirec version 1.05 is affected.
  • Ref: http://www.securityfocus.com/bid/40269

  • 10.22.54 - CVE: Not Available
  • Platform: Web Application - Cross Site Scripting
  • Title: Drupal download_count Module Cross-Site Scripting
  • Description: download_count is a module for the Drupal content manager. The module is exposed to a cross-site scripting issue because it fails to properly sanitize unspecified input before displaying it in a user's browser. download_count versions 5.x-1.0 and 6.x-1.3 are affected.
  • Ref: http://drupal.org/node/803728

  • 10.22.55 - CVE: Not Available
  • Platform: Web Application - Cross Site Scripting
  • Title: Private Message Module For Drupal Delete User Cross-Site Request Forgery
  • Description: Private Message is a module for the Drupal content manager. Private Message is exposed to a cross-site request forgery issue affecting the "delete message" form. Versions prior to Private Message 6.x are affected.
  • Ref: http://drupal.org/node/803728

  • 10.22.56 - CVE: Not Available
  • Platform: Web Application - Cross Site Scripting
  • Title: User Queue Module For Drupal Delete User Cross-Site Request Forgery
  • Description: User Queue is a module for the Drupal content manager. User Queue is exposed to a cross-site request forgery issue affecting the "delete user" functionality. Versions prior to User Queue 6.x-1.1 are affected.
  • Ref: http://drupal.org/node/803840

  • 10.22.57 - CVE: Not Available
  • Platform: Web Application - Cross Site Scripting
  • Title: Drupal External Link Page Module Cross-Site Scripting
  • Description: External Link Page is a PHP-based module for the Drupal content manager. The module is exposed to a cross-site scripting issue because it fails to properly sanitize unspecified input in its administrator page. Versions prior to External Link Page 6.x-1.2 and 5.x-1.0 are affected.
  • Ref: http://drupal.org/node/803766

  • 10.22.58 - CVE: Not Available
  • Platform: Web Application - Cross Site Scripting
  • Title: StivaSoft Stiva SHOPPING CART "demo.php" Cross-Site Scripting
  • Description: Stiva SHOPPING CART is a shopping cart application. The application is exposed to a cross-site scripting issue because it fails to sanitize user-supplied input to the "cat" parameter of the "demo.php" script. Stiva SHOPPING CART version 1.0 is affected.
  • Ref: http://www.securityfocus.com/bid/40310

  • 10.22.59 - CVE: Not Available
  • Platform: Web Application - Cross Site Scripting
  • Title: Triburom "forum.php" Cross-Site Scripting
  • Description: Triburom is a PHP-based web forum application. The application is exposed to a cross-site scripting issue because it fails to sanitize user-supplied input to the "cat" parameter of the "forum.php" script.
  • Ref: http://www.securityfocus.com/bid/40316

  • 10.22.60 - CVE: Not Available
  • Platform: Web Application - Cross Site Scripting
  • Title: Apache Axis2 "engagingglobally" Cross-Site Scripting
  • Description: Apache Axis2 is a Web Services/SOAP/WSDL engine. The application is exposed to a cross-site scripting issue because it fails to properly sanitize user-supplied input. Specifically, the "modules" parameter of the "axis2-admin/engagingglobally" script is vulnerable. Apache Axis2 version 1.4.1 is affected.
  • Ref: http://www.procheckup.com/vulnerability_manager/vulnerabilities/pr10-03

  • 10.22.61 - CVE: Not Available
  • Platform: Web Application - Cross Site Scripting
  • Title: NPDS Revolution "admin.php" Cross-Site Request Forgery
  • Description: NPDS Revolution is a web application implemented in PHP. The software is exposed to a cross-site request forgery issue because it fails to properly verify the source of HTTP requests. Specifically, this issue affects the "admin.php" script. NPDS Revolution version 10.02 is affected.
  • Ref: http://www.securityfocus.com/archive/1/511399

  • 10.22.62 - CVE: Not Available
  • Platform: Web Application - Cross Site Scripting
  • Title: Cacti Multiple Cross-Site Scripting Vulnerabilities
  • Description: Cacti is a frontend to RRDTool. It is implemented in PHP and uses an SQL backend database. The application is exposed to multiple cross-site scripting issues because it fails to sufficiently sanitize user-supplied input to the "hostname", "host_id", and "description" parameters of unspecified scripts. Cacti versions prior to 0.8.7f are affected.
  • Ref: http://www.securityfocus.com/archive/1/511393

  • 10.22.63 - CVE: Not Available
  • Platform: Web Application - Cross Site Scripting
  • Title: gpEasy CMS "editing_files.php" Cross-Site Scripting
  • Description: gpEasy CMS is a PHP-based content manager. The application is exposed to a cross-site scripting issue because it fails to sanitize user-supplied input to the "gpcontent" parameter of the "include/tool/editing_files.php" script. Versions prior to gpEasy CMS 1.6.3 are affected.
  • Ref: http://www.securityfocus.com/archive/1/511388

  • 10.22.64 - CVE: Not Available
  • Platform: Web Application - Cross Site Scripting
  • Title: PHP Calendar Multiple Cross-Site Scripting Vulnerabilities
  • Description: PHP-Calendar is a PHP-based web application. The application is exposed to multiple cross-site scripting issues because it fails to sanitize user-supplied input to the "description" and "lastaction" parameters of unspecified scripts. PHP-Calendar version 2.0 Beta6 is affected.
  • Ref: http://www.vupen.com/english/advisories/2010/1202

  • 10.22.65 - CVE: Not Available
  • Platform: Web Application - Cross Site Scripting
  • Title: U.S.Robotics USR5463 Firmware "/cgi-bin/setup_ddns.exe" Cross-Site Request Forgery
  • Description: U.S.Robotics USR5463 firmware is a web-based router management application. The software is exposed to a cross-site request forgery issue because it fails to properly verify the source of HTTP requests. Specifically, this issue affects the "/cgi-bin/setup_ddns.exe" script. U.S.Robotics USR5463 firmware versions 0.01 through 0.06 are affected.
  • Ref: http://www.securityfocus.com/bid/40348

  • 10.22.66 - CVE: CVE-2010-1459
  • Platform: Web Application - Cross Site Scripting
  • Title: Mono "EnableViewStateMac" Cross-Site Scripting
  • Description: Mono is a web server application. The application is exposed to a cross-site scripting weakness because it does not allow a user to enable the "EnableViewStateMac" property. The issue affects versions prior to Mono 2.6.4.
  • Ref: http://www.mono-project.com/Vulnerabilities#ASP.NET_View_State_Cross-Site_Scripting

  • 10.22.67 - CVE: Not Available
  • Platform: Web Application - Cross Site Scripting
  • Title: ManageEngine ADManager Plus "computerName" Parameter Cross-Site Scripting
  • Description: ManageEngine ADManager Plus is an Active Directory reporting and management application. ADManager Plus is exposed to a cross-site scripting issue because it fails to sufficiently sanitize user-supplied input to the "computerName" parameter of the "jsp/admin/tools/remote_share.jsp" script. ManageEngine ADManager Plus version 4.4.0 is affected.
  • Ref: http://www.securityfocus.com/bid/40355/references

  • 10.22.68 - CVE: Not Available
  • Platform: Web Application - SQL Injection
  • Title: Debliteck DBCMS "article.php" SQL Injection
  • Description: Debliteck DBCMS is a PHP-based content manager. The application is exposed to an SQL injection issue because it fails to sufficiently sanitize user-supplied input to the "id" parameter of the "article.php" script before using it in an SQL query. DBCMS version 2.01 is affected.
  • Ref: http://www.securityfocus.com/bid/40250

  • 10.22.69 - CVE: Not Available
  • Platform: Web Application - SQL Injection
  • Title: MigasCMS "function.php" SQL Injection
  • Description: MigasCMS is a PHP-based content manager. The application is exposed to an SQL injection issue because it fails to sufficiently sanitize user-supplied input to the "categ" parameter of the "function.php" script before using it in an SQL query. MigasCMS version 1.0 is affected.
  • Ref: http://www.securityfocus.com/bid/40256/references

  • 10.22.70 - CVE: Not Available
  • Platform: Web Application - SQL Injection
  • Title: Debliteck DBCMS "section.php" SQL Injection
  • Description: Debliteck DBCMS is a PHP-based content manager. The application is exposed to an SQL injection issue because it fails to sufficiently sanitize user-supplied input to the "id" parameter of the "section.php" script before using it in an SQL query.
  • Ref: http://www.securityfocus.com/bid/40259

  • 10.22.71 - CVE: CVE-2010-1923
  • Platform: Web Application - SQL Injection
  • Title: Web 2.0 Social Network Freunde Community System "user.php" SQL Injection
  • Description: Web 2.0 Social Network Freunde Community System is a PHP-based social networking application. The application is exposed to an SQL injection issue because it fails to sufficiently sanitize user-supplied data to the "id" parameter of the "cms/user.php" script before using it in an SQL query.
  • Ref: http://www.securityfocus.com/bid/40264/references

  • 10.22.72 - CVE: NOT SET YET
  • Platform: Web Application - SQL Injection
  • Title: MoME CMS Login "username" Field SQL Injection
  • Description: MoME CMS is a content management application implemented in PHP. The application is exposed to an SQL injection issue because it fails to sufficiently sanitize user-supplied data. This issue affects the application's login functionality. Specifically, the "username" field is not properly sanitized before it is used in an SQL query. MoME CMS version 0.8.5 is affected.
  • Ref: http://www.securityfocus.com/bid/40266

  • 10.22.73 - CVE: Not Available
  • Platform: Web Application - SQL Injection
  • Title: Renista CMS "Default.aspx" SQL Injection
  • Description: Renista CMS is a web-based content management system. The application is exposed to an SQL injection issue because it fails to sufficiently sanitize user-supplied input to the "id" parameter of the "rtl/Default.aspx" script.
  • Ref: http://www.securityfocus.com/bid/40299

  • 10.22.74 - CVE: Not Available
  • Platform: Web Application - SQL Injection
  • Title: Specialized Data Systems Parent Connect Multiple SQL Injection Vulnerabilities
  • Description: Specialized Data Systems Parent Connect is an ASP-based student reporting application. The application is exposed to multiple SQL injection issues because it fails to sufficiently sanitize user-supplied input. These issues affect the "password" field of the application's login page, and the "Link Accounts" form. Parent Connect version 2010.4.11 is affected.
  • Ref: http://www.securityfocus.com/bid/40324

  • 10.22.75 - CVE: Not Available
  • Platform: Web Application - SQL Injection
  • Title: ConPresso CMS "firma.php" SQL Injection
  • Description: ConPresso CMS is a PHP-based content management system. The application is exposed to an SQL injection issue because it fails to sufficiently sanitize user-supplied input to the "id" parameter of the "firma.php" script. ConPresso version 4.0.7 is affected.
  • Ref: http://www.securityfocus.com/bid/40335

  • 10.22.76 - CVE: Not Available
  • Platform: Web Application - SQL Injection
  • Title: PSI CMS "index.php" Multiple SQL Injection Vulnerabilities
  • Description: PSI CMS is a PHP-based content management system. The application is exposed to multiple SQL injection issues because it fails to sufficiently sanitize user-supplied data to the "page", "subj", and "subpage" parameters of the "index.php" script. PSI CMS version 0.3.1 is affected.
  • Ref: http://www.securityfocus.com/bid/40337

  • 10.22.77 - CVE: Not Available
  • Platform: Web Application - SQL Injection
  • Title: ECShop "search.php" SQL Injection
  • Description: ECShop is a PHP-based web application. The application is exposed to an SQL injection issue because it fails to sufficiently sanitize user-supplied input to the "encode" parameter of the "search.php" script.
  • Ref: http://www.securityfocus.com/bid/40338

  • 10.22.78 - CVE: Not Available
  • Platform: Web Application - SQL Injection
  • Title: NITRO Web Gallery "PictureId" Parameter SQL Injection
  • Description: NITRO Web Gallery is a PHP-based image gallery. The application is exposed to an SQL injection issue because it fails to sufficiently sanitize user-supplied data to the "PictureId" parameter before using it in an SQL query.
  • Ref: http://www.securityfocus.com/bid/40350/references

  • 10.22.79 - CVE: Not Available
  • Platform: Web Application - SQL Injection
  • Title: WebAsyst Shop-Script "index.php" SQL Injection
  • Description: WebAsyst Shop-Script is a PHP-based web application. The application is exposed to an SQL injection issue because it fails to sufficiently sanitize user-supplied input to the "blog_id" parameter of the "index.php" script.
  • Ref: http://www.securityfocus.com/bid/40349

  • 10.22.80 - CVE: Not Available
  • Platform: Web Application - SQL Injection
  • Title: cyberhost "default.asp" SQL Injection
  • Description: cyberhost is an ASP-based domain and sales hosting application. The application is exposed to an SQL injection issue because it fails to sufficiently sanitize user-supplied data to the "id" parameter of the "default.asp" script before using it in an SQL query.
  • Ref: http://www.securityfocus.com/bid/40357/references

  • 10.22.81 - CVE: Not Available
  • Platform: Web Application - SQL Injection
  • Title: BLOX CMS "c" Parameter SQL Injection
  • Description: BLOX CMS is a content management system. The application is exposed to an SQL injection issue because it fails to sufficiently sanitize user-supplied input to the "c" parameter of the "app/classifieds/rentals" script.
  • Ref: http://www.securityfocus.com/bid/40359/references

  • 10.22.82 - CVE: Not Available
  • Platform: Web Application - SQL Injection
  • Title: WebAsyst "blog_id" parameter SQL Injection
  • Description: WebAsyst is a PHP-based web application suite. WebAsyst is exposed to an SQL injection issue because it fails to sufficiently sanitize user-supplied input to the "blog_id" parameter of the "index.php" script.
  • Ref: http://www.securityfocus.com/bid/40362/references

  • 10.22.83 - CVE: Not Available
  • Platform: Web Application - SQL Injection
  • Title: CU Village CMS Site "index.php" SQL Injection
  • Description: CU Village CMS Site is a PHP-based content manager. The application is exposed to an SQL injection issue because it fails to sufficiently sanitize user-supplied data to the "print_view" parameter of the "index.php" script before using it in an SQL query. CMS Site version 1.0 is affected.
  • Ref: http://www.securityfocus.com/bid/40360/references

  • 10.22.84 - CVE: Not Available
  • Platform: Web Application
  • Title: DataTrack System "Home.aspx" HTML Injection
  • Description: DataTrack System is an ASP-based service and support management system. DataTrack System is exposed to an HTML injection issue because it fails to sufficiently sanitize user-supplied input. Specifically, this issue affects the "Work_Order_Summary" parameter of the "Home.aspx" script when the "CurrentPage" parameter is set to "0". DataTrack System version 3.5.8019.4 is affected.
  • Ref: http://cross-site-scripting.blogspot.com/2010/05/datatrack-system-35-persistent-xss.html

  • 10.22.85 - CVE: Not Available
  • Platform: Web Application
  • Title: Battle Scrypt "upload.php" Remote Arbitrary File Upload
  • Description: Battle Scrypt is a PHP-based voting script. The application is exposed to a remote arbitrary file upload issue because it fails to sufficiently sanitize user-supplied input. Specifically, a malicious PHP file named with a ".jpg" extension can be uploaded through the "upload.php" script and run through the "images/uploads/" directory.
  • Ref: http://www.securityfocus.com/bid/40254/references

  • 10.22.86 - CVE: Not Available
  • Platform: Web Application
  • Title: Wordpress Import Drupal Module Unauthorized Access
  • Description: Wordpress Import is a module for the Drupal content manager. Wordpress Import is exposed to an unauthorized access issue that allows unauthorized users to upload arbitrary files and import data from a remote WXR file. This issue arises because the application fails to implement sufficient access controls on the WXR file import form. Versions of Wordpress Import prior to 6.x-2.1 are affected.
  • Ref: http://drupal.org/node/803484

  • 10.22.87 - CVE: Not Available
  • Platform: Web Application
  • Title: Drupal CAPTCHA Module Description HTML Injection
  • Description: CAPTCHA is a Drupal module that allows users to add a CAPTCHA (Completely Automated Public Turing test to tell Computers and Humans Apart) challenge to forms. The module is exposed to an HTML injection issue because it fails to properly sanitize the CAPTCHA description before displaying it in a user's browser. CAPTCHA versions prior to 5.x-3.3 and 6.x-2.2 are affected.
  • Ref: http://drupal.org/node/803566

  • 10.22.88 - CVE: Not Available
  • Platform: Web Application
  • Title: Drupal Heartbeat Module Multiple HTML Injection Vulnerabilities
  • Description: Heartbeat is a module for the Drupal content manager. The application is exposed to multiple HTML injection issues because it fails to sufficiently sanitize user-supplied data. Specifically, issues occur when processing "shouts", "comments", and "heartbeat_messages". Versions prior to Heartbeat version 6.x-4.9 are affected.
  • Ref: http://drupal.org/node/803570

  • 10.22.89 - CVE: Not Available
  • Platform: Web Application
  • Title: Drupal Menu Block Split Module HTML Injection
  • Description: Menu Block Split is a module for the Drupal content management system. The module is exposed to an HTML injection issue because it fails to properly sanitize user-supplied input to the subject of a block. Menu Block Split versions 6.x-2.1 and 5.x-2.1 are affected.
  • Ref: http://www.securityfocus.com/bid/40271

  • 10.22.90 - CVE: Not Available
  • Platform: Web Application
  • Title: Drupal Weather Underground Module Block Subject HTML Injection
  • Description: Weather Underground is a Drupal module that retrieves and displays weather information. The module is exposed to an HTML injection issue because it fails to properly sanitize the block subject before displaying it in a user's browser. Weather Underground version 6.x-2.0 is affected.
  • Ref: http://drupal.org/node/803728

  • 10.22.91 - CVE: Not Available
  • Platform: Web Application
  • Title: Drupal osCommerce Module HTML Injection
  • Description: osCommerce is a module for the Drupal content manager. The module is exposed to an HTML injection issue because it fails to properly sanitize the "Title for manufacturers block" configuration field before displaying it in a user's browser. osCommerce version 6.x-1.0 is affected.
  • Ref: http://drupal.org/node/803728

  • 10.22.92 - CVE: Not Available
  • Platform: Web Application
  • Title: Drupal Comment Page Module Multiple HTML Injection Vulnerabilities
  • Description: Comment Page is a module for the Drupal content manager. The module is exposed to multiple HTML injection issues because it fails to properly sanitize some content before displaying it in a user's browser. Comment Page versions 5.x-1.1 and 6.x-1.1 are affected.
  • Ref: http://drupal.org/node/803728

  • 10.22.93 - CVE: Not Available
  • Platform: Web Application
  • Title: Drupal Comment Page Module Security Bypass
  • Description: Comment Page is a module for the Drupal content manager. The module is exposed to a security bypass issue because it incorrectly uses the drupal_access_denied function and uses a nonexistent "admin comments" permission as the access argument to its administration page. Comment Page versions 5.x-1.1 and 6.x-1.1 are affected.
  • Ref: http://drupal.org/node/803728

  • 10.22.94 - CVE: Not Available
  • Platform: Web Application
  • Title: Snipe Gallery "cfg_admin_path" Parameter Multiple Remote File Include Vulnerabilities
  • Description: Snipe Gallery is a web-based application implemented in PHP. The application is exposed to multiple remote file include issues because it fails to properly sanitize user-supplied input to the "cfg_admin_path" parameter of the "image.php" and "gallery.php" scripts. The issues affect Snipe Gallery versions 3.1.4 and prior.
  • Ref: http://www.securityfocus.com/bid/40279/references

  • 10.22.95 - CVE: Not Available
  • Platform: Web Application
  • Title: Drupal Rotor Banner Module Multiple HTML Injection Vulnerabilities
  • Description: Rotor Banner is an image upload module for the Drupal content manager. The module is exposed to multiple HTML injection issues because it fails to properly sanitize user-supplied input to the "srs", "title" and "alt" image attributes. Rotor Banner versions prior to 5.x-1.8 and 6.x-2.5 are affected.
  • Ref: http://drupal.org/node/803930

  • 10.22.96 - CVE: Not Available
  • Platform: Web Application
  • Title: Panels Module For Drupal Arbitrary PHP Code Execution
  • Description: Panels is a module for the Drupal content manager for creating customized layouts. The Mini panels module is included with the Panels module. Mini panels is exposed to an issue that lets attackers execute arbitrary PHP code because it fails to sufficiently restrict user access. Attackers with "create mini panels" permissions can execute arbitrary PHP code on the server through the import functionality. Versions of Panels prior to 6.x-3.4 are affected.
  • Ref: http://drupal.org/node/803952

  • 10.22.97 - CVE: Not Available
  • Platform: Web Application
  • Title: Drupal Storm Project HTML Injection
  • Description: Storm is a billing and project management module for the Drupal content manager. Storm is exposed to an HTML injection issue because it fails to properly sanitize user-supplied data. Successful exploits will allow attacker-supplied HTML and script code to run in the context of the affected browser, potentially allowing the attacker to steal cookie-based authentication credentials. Storm versions prior to 6.x-1.33 are affected.
  • Ref: http://drupal.org/node/803770

  • 10.22.98 - CVE: Not Available
  • Platform: Web Application
  • Title: Drupal Simplenews Module Subscribe To Newsletters Security Bypass
  • Description: Simplenews is a module for the Drupal content manager. The module is exposed to a security bypass issue because it fails to properly restrict access to sensitive functions. Specifically, attackers with "subscribe to newsletter" permissions may edit subscriptions associated with arbitrary users. Versions prior to Simplenews 6.x-1.2 are affected.
  • Ref: http://drupal.org/node/803772

  • 10.22.99 - CVE: Not Available
  • Platform: Web Application
  • Title: U.S.Robotics USR5463 Firmware "setup_ddns.exe" HTML Injection
  • Description: U.S.Robotics USR5463 firmware is a web-based router management application. The application is exposed to an HTML injection issue because it fails to sufficiently sanitize user-supplied input to the router's DDNS (Dynamic Domain Name Server) setup page "cgi-bin/setup_ddns.exe". U.S.Robotics firmware USR5463 version 0.06 is affected.
  • Ref: http://www.securityfocus.com/archive/1/511370

  • 10.22.100 - CVE: Not Available
  • Platform: Web Application
  • Title: Drupal False Account Detector Module Multiple Cross-Site Scripting and SQL Injection Vulnerabilities
  • Description: The False Account Detector module for Drupal gives sites the ability to localize content. The module is exposed to multiple unspecified cross-site scripting and SQL injection issues because the application fails to properly sanitize user-supplied input related to received cookies.
  • Ref: http://drupal.org/node/803728


  • 10.22.102 - CVE: Not Available
  • Platform: Web Application
  • Title: Spaw Editor "spawfm" Module Arbitrary File Upload
  • Description: Spaw Editor is a web-based HTML editor available for multiple platforms. The application is exposed to an issue that lets attackers upload arbitrary files because it fails to adequately sanitize user-supplied files before uploading them onto the web server. Specifically, users may upload files which contain unsafe extensions. The following versions of Spaw Editor are affected: Spaw Editor 1.0, Spaw Editor PHP Edition 2.0 and Spaw Editor .NET Edition 2.0.
  • Ref: http://www.securityfocus.com/bid/40295/references

  • 10.22.103 - CVE: Not Available
  • Platform: Web Application
  • Title: DotNetNuke User Messaging Module HTML Injection
  • Description: DotNetNuke is an open source framework for creating and deploying websites. The application is exposed to an HTML injection issue because it fails to properly sanitize user-supplied input before displaying it in a browser. Specifically, this issue affects messages generated in the user messaging module. DotNetNuke 5.3.0 through 5.4.1 are affected.
  • Ref: http://www.dotnetnuke.com/News/SecurityPolicy/Securitybulletinno36/tabid/1552/Default.aspx

  • 10.22.104 - CVE: Not Available
  • Platform: Web Application
  • Title: Lisk CMS "id" Parameter Multiple Cross-Site Scripting and SQL Injection Vulnerabilities
  • Description: Lisk CMS is a PHP-based content management application. The application is exposed to multiple issues because it fails to sanitize user-supplied input. Exploiting these issues could allow an attacker to steal cookie-based authentication credentials or control how the site is rendered to the user. Lisk CMS version 4.4 is affected.
  • Ref: http://www.htbridge.ch/advisory/sql_injection_vulnerability_in_lisk_cms_1.html

  • 10.22.105 - CVE: CVE-2010-1630
  • Platform: Web Application
  • Title: phpBB "posting.php" Unspecified Security
  • Description: phpBB is a PHP-based online bulletin board. The application is exposed to an unspecified security issue that affects the "posting.php" script. The issue is related to the use of a "forum id" when posting global announcements. Versions prior to phpBB 3.0.5 are affected.
  • Ref: http://www.securityfocus.com/bid/40323

  • 10.22.106 - CVE: Not Available
  • Platform: Web Application
  • Title: Alibaba Clone Script SQL Injection and Cross-Site Scripting
  • Description: Alibaba Clone Script is a PHP-based online trading script. The application is exposed to the following issues because it fails to sufficiently sanitize user-supplied input. A cross-site scripting issue affects the "errmsg" parameter of the "gen_confirm.php" script. An SQL injection issue affects the "cid" parameter of the "cat_sell.php" script.
  • Ref: http://www.securityfocus.com/bid/40336/references

  • 10.22.107 - CVE: Not Available
  • Platform: Web Application
  • Title: JV2 Folder Gallery "gallery.php" Remote File Include
  • Description: JV2 Folder Gallery is an image gallery implemented in PHP. The application is exposed to a remote file include issue because it fails to sufficiently sanitize user-supplied input to the "lang_file" parameter of the "gallery/gallery.php" script. This issue affects version 3.1.
  • Ref: http://www.securityfocus.com/bid/40339/references

  • 10.22.108 - CVE: Not Available
  • Platform: Web Application
  • Title: Webby HTTP GET Request Buffer Overflow
  • Description: Webby is an HTTP server implemented in Ruby. Webby is exposed to a remote buffer overflow issue because it fails to perform adequate boundary checks on user-supplied input. This issue occurs when handling a specially crafted HTTP "GET" request. Webby version 1.01 is affected.
  • Ref: http://www.securityfocus.com/archive/1/511428

  • 10.22.109 - CVE: Not Available
  • Platform: Web Application
  • Title: BigACE Cross-Site Request Forgery and HTML Injection Vulnerabilities
  • Description: BigACE is a PHP-based content manager. The application is exposed to multiple remote issues. Cross-site request forgery issues affect the "$_SERVER["HTTP_REFERER"]" and "$_SERVER["SERVER_NAME"]" parameters. BigACE versions prior to 2.7.2 are affected.
  • Ref: http://www.securityfocus.com/archive/1/511417

  • 10.22.110 - CVE: Not Available
  • Platform: Web Application
  • Title: OpenForum "saveAsAttachment()" Method Arbitrary File Creation
  • Description: OpenForum is an integrated web server and wiki application. The application is exposed to an issue that can allow remote attackers to create arbitrary files through the "saveAsAttachment()" method. User-supplied input passed through POST requests can specify that a malicious Sugar ".sjs" file be created outside of the webroot. OpenForum version 2.2 b005 is affected.
  • Ref: http://www.securityfocus.com/bid/40364/references

  • 10.22.111 - CVE: Not Available
  • Platform: Network Device
  • Title: D-Link DI-724P+ Router "wlap.htm" HTML Injection
  • Description: D-Link DI-724P+ is a router. The router is exposed to an HTML injection issue. The device's web-based administration tool fails to sanitize user-supplied input to the "wlap.htm" script before storing it in the "wireless" properties section.
  • Ref: http://seclists.org/fulldisclosure/2010/May/262

  • , - CVE: CVE-2010-2025 CVE-2010-2026
  • Platform: Network Device
  • Title: Cisco DPC2100 Multiple Security Bypass and Cross-Site Request Forgery Vulnerabilities
  • Description: The Cisco DPC2100 (formerly Scientific Atlanta DPC2100) is a cable modem and router device for home use. The device is exposed to multiple issues. 1) Multiple security bypass issues exist because the device fails to adequately restrict access to sensitive administrative functions. 2) Multiple cross-site request forgery issues affect unspecified scripts and parameters. Firmware versions prior to version 2.0.2.r1256-100324as are affected.
  • Ref: http://archives.neohapsis.com/archives/fulldisclosure/2010-05/0322.html

(c) 2010. All rights reserved. The information contained in this newsletter, including any external links, is provided "AS IS," with no express or implied warranty, for informational purposes only. In some cases, copyright for material in this newsletter may be held by a party other than Qualys (as indicated herein) and permission to use such material must be requested from the copyright owner.