@RISK: The Consensus Security Vulnerability Alert

Part I -- Critical Vulnerabilities from TippingPoint (www.tippingpoint.com)

• (1) HIGH: Novell ZENworks Configuration Management Preboot Service Remote Code Execution Vulnerability
• (2) MEDIUM: Novell eDirectory Buffer Overflow
• (3) MEDIUM: Adobe Photoshop Multiple File Types Buffer Overflow Vulnerabilities

Part II -- Comprehensive List of Newly Discovered Vulnerabilities from Qualys (www.qualys.com)

Third Party Windows Apps

• 10.23.1 - Muziic Player ".mp3" File Remote Buffer Overflow
• 10.23.2 - Home FTP Server Cross-Site Request Forgery
• 10.23.3 - Brekeke PBX "pbx/gate" Cross-Site Request Forgery
• 10.23.4 - emesene "/tmp/emsnpic" Insecure Temporary File Creation
• 10.23.5 - Zip Explorer ".zar" File Buffer Overflow
• 10.23.6 - Xftp "LIST" Response Remote Buffer Overflow
• 10.23.7 - JustSystems Ichitaro Character Attributes Processing Remote Code Execution
• 10.23.8 - Audiotran ".pls" File Remote Buffer Overflow
• 10.23.9 - Microsoft Internet Explorer CSS "expression" Remote Denial of Service

Linux

• 10.23.10 - Linux Kernel "knfsd" "current->mm" Modifier Local Denial of Service
• 10.23.11 - Red Hat Client Tools "loginAuth.pkl" Local Security Bypass

BSD

• 10.23.12 - FreeBSD jail(8) Local Security Bypass

Aix

• 10.23.13 - IBM Communications Server for AIX Remote Denial of Service

Unix

• 10.23.14 - Exim MBX Locking Insecure Temporary File Creation

Novell

• 10.23.15 - Novell Access Manager Identity Server X.509 Authentication Security Bypass
• 10.23.16 - Novell ZENworks Configuration Management Preboot Service Stack Buffer Overflow

Cross Platform

• 10.23.17 - Python "audioop" Module Integer Overflow
• 10.23.18 - TheGreenBow VPN Client Stack Buffer Overflow
• 10.23.19 - Adobe Photoshop Multiple File Types Remote Code Execution
• 10.23.20 - EMC Avamar "gsan" Service Denial of Service
• 10.23.21 - Mozilla Firefox Error Handling Information Disclosure
• 10.23.22 - FreeBSD OPIE "__opiereadrec()" Off By One Heap Memory Corruption
• 10.23.23 - Nemesis Player ".nsp" File Remote Denial of Service
• 10.23.24 - Home FTP Server Directory Traversal
• 10.23.25 - nginx Directory Traversal
• 10.23.26 - Ghostscript Insecure Temporary File Creation
• 10.23.27 - VLC Media Player Multiple Media File Formats Buffer Overflow
• 10.23.28 - nginx Space String Remote Source Code Disclosure
• 10.23.29 - IBM Lotus Connections Multiple
• 10.23.30 - IBM DB2 prior to 9.7 Fix Pack 2 Multiple Security Vulnerabilities
• 10.23.31 - Exim Sticky Mail Directory Local Privilege Escalation
• 10.23.32 - DM Database Server "SP_DEL_BAK_EXPIRED" Memory Corruption
• 10.23.33 - Websense "Via" HTTP Header Web Filtering Security Bypass
• 10.23.34 - Ghostscript "gs_init.ps" With "-P-" Flag Search Path Local Privilege Escalation
• 10.23.35 - SBLIM-SFCB Multiple Buffer Overflow Vulnerabilities
• 10.23.36 - Winamp AVI File RIFF Data Remote Denial of Service
• 10.23.37 - Accoria Rock Web Server Multiple Security

Web Application - Cross Site Scripting

• 10.23.38 - GetSimple CMS "components.php" Cross-Site Scripting
• 10.23.39 - RuubikCMS "index.php" Cross-Site Scripting
• 10.23.40 - md5 Encryption Decryption PHP Script "index.php" Cross-Site Scripting
• 10.23.41 - PHPCalendar Calendar Script Multiple Cross-Site Scripting
• 10.23.42 - BackLinkSpider Multiple Cross-Site Scripting Vulnerabilities
• 10.23.43 - ZoneCheck "zc.cgi" Cross-Site Scripting
• 10.23.44 - MediaWiki CSS Input Cross-Site Scripting
• 10.23.45 - Toronja CMS "index.php" Cross-Site Scripting
• 10.23.46 - CMScout Cross-Site Scripting
• 10.23.47 - wsCMS "news.php" Cross-Site Scripting
• 10.23.48 - Zeeways eBay Clone Auction Script "signinform.php" Cross-Site Scripting
• 10.23.49 - Smart Statistics "smart_statistics_admin.php" Cross-Site Scripting
• 10.23.50 - dotDefender Log Viewer Cross-Site Scripting
• 10.23.51 - Datetopia Match Agency BiZ Multiple Cross-Site Scripting Vulnerabilities

Web Application - SQL Injection

• 10.23.52 - 360 Web Manager "webpages-form-led-edit.php" SQL Injection
• 10.23.53 - Multi Shop CMS "pages.php" SQL Injection
• 10.23.54 - BackLinkSpider "cat_id" Parameter SQL Injection
• 10.23.55 - MultiShopCMS Multi Vendor Mall Multiple SQL Injection Vulnerabilities
• 10.23.56 - Toronja CMS Multiple SQL Injection Vulnerabilities
• 10.23.57 - osCommerce Visitor Web Stats Add-On "Accept-Language" Header SQL Injection
• 10.23.58 - ImpressPages CMS "admin.php" Multiple SQL Injection Vulnerabilities
• 10.23.59 - Fusebox "CatDisplay" Parameter SQL Injection
• 10.23.60 - wsCMS Multiple SQL Injection
• 10.23.61 - YourArcadeScript "username" Parameter SQL Injection
• 10.23.62 - TermiSBloG Multiple SQL Injection

Web Application

• 10.23.63 - razorCMS "admin/index.php" HTML Injection
• 10.23.64 - Nuked-Klan Search Request Denial of Service
• 10.23.65 - CiviCRM Multiple HTML Injection Vulnerabilities
• 10.23.66 - Layout CMS SQL-Injection and Cross-Site Scripting Vulnerabilities
• 10.23.67 - GR Board "page.php" Remote File Include
• 10.23.68 - Symphony "mode" Parameter Local File Include
• 10.23.69 - Plugin Gallery For Nucleus Remote File Include and SQL Injection Vulnerabilities
• 10.23.70 - NP_Twitter Nucleus Plugin "DIR_NUCLEUS" Remote File Include
• 10.23.71 - Clearsite "header.php" Remote File Include
• 10.23.72 - PHP Mysqlnd Extension Information Disclosure and Multiple Buffer Overflow Vulnerabilities
• 10.23.73 - x10media Image Hosting Script "create_image_gallery.php" Arbitrary File Upload
• 10.23.74 - Visitor Logger "banned.php" Remote File Include
• 10.23.75 - E107 Persian "usersettings.php" HTML Injection
• 10.23.76 - CMS Made Simple Cross-Site Scripting and Cross-Site Request Forgery Vulnerabilities
• 10.23.77 - EvoCam HTTP GET Request Buffer Overflow

Network Device

• 10.23.78 - Apple iPhone PIN Authentication Security Bypass
• 10.23.79 - Cisco Network Building Mediator System Configuration File multiple vulnerabilities
• 10.23.80 - NETGEAR WG602v4 Administrator Password Remote Stack Buffer Overflow

PART I Critical Vulnerabilities

PART I Critical Vulnerabilities Part I for this issue has been compiled by Josh Bronson at TippingPoint, a division of 3Com, as a by-product of that company's continuous effort to ensure that its intrusion prevention products effectively block exploits using known vulnerabilities. TippingPoint's analysis is complemented by input from a council of security managers from twelve large organizations who confidentially share with SANS the specific actions they have taken to protect their systems. A detailed description of the process may be found at http://www.sans.org/newsletters/cva/#process

Part II: Weekly Comprehensive List of Newly Discovered Vulnerabilities
Week 23, 2010

Part II -- Comprehensive List of Newly Discovered Vulnerabilities from Qualys (www.qualys.com) This list is compiled by Qualys ( www.qualys.com ) as part of that company's ongoing effort to ensure its vulnerability management web service tests for all known vulnerabilities that can be scanned. As of this week Qualys scans for 9555 unique vulnerabilities. For this special SANS community listing, Qualys also includes vulnerabilities that cannot be scanned remotely. ______________________________________________________________________

• 10.23.1 - CVE: Not Available
• Platform: Third Party Windows Apps
• Title: Muziic Player ".mp3" File Remote Buffer Overflow
• Description: Muziic Player is a multimedia player for Microsoft Windows. The application is exposed to a remote buffer overflow issue because it fails to perform adequate checks on user-supplied input. Specifically, this issue occurs when parsing a specially crafted ".mp3" file that contains excessive data. Muziic Player version 2.0 is affected.
• Ref: http://www.securityfocus.com/bid/40379/references

• 10.23.2 - CVE: Not Available
• Platform: Third Party Windows Apps
• Title: Home FTP Server Cross-Site Request Forgery
• Description: Home FTP Server is an FTP server for the Windows operating system. Home FTP Server is exposed to a cross-site request forgery issue. This issue occurs because the application allows an attacker to perform certain actions using an HTTP request without validating the request. Home FTP Server version 1.10.3 (build 144) is affected.
• Ref: http://cross-site-scripting.blogspot.com/2010/05/home-ftp-server-1102143-cross-s
  ite.html

• 10.23.3 - CVE: Not Available
• Platform: Third Party Windows Apps
• Title: Brekeke PBX "pbx/gate" Cross-Site Request Forgery
• Description: Brekeke PBX is a PBX application for the Windows operating system. Brekeke PBX is exposed to a cross-site request forgery issue affecting the "pbx/gate" script. This issue occurs because the application allows attackers to perform certain actions using an HTTP request without validating the request. Brekeke PBX version 2.4.4.8 is affected.
• Ref: http://cross-site-scripting.blogspot.com/2010/05/brekeke-pbx-2448-cross-site-req
  uest.html

• 10.23.4 - CVE: Not Available
• Platform: Third Party Windows Apps
• Title: emesene "/tmp/emsnpic" Insecure Temporary File Creation
• Description: emesene is an instant messenger for the Windows Live Messenger network. emesene creates temporary files in the "/tmp/emsnpic/" directory in an insecure manner. Specifically, it uses a predictable temporary filename to store pictures. emesene version 1.6.1 is affected.
• Ref: http://www.securityfocus.com/bid/40455/references

• 10.23.5 - CVE: Not Available
• Platform: Third Party Windows Apps
• Title: Zip Explorer ".zar" File Buffer Overflow
• Description: Zip Explorer is a file compression/extraction application for the Windows operating system. The application is exposed to a buffer overflow issue because it fails to perform adequate boundary checks on user-supplied data. This issue occurs when parsing a specially crafted ".zar" file that contains excessive data. Zip Explorer version 7.0 is affected.
• Ref: http://www.securityfocus.com/bid/40462

• 10.23.6 - CVE: Not Available
• Platform: Third Party Windows Apps
• Title: Xftp "LIST" Response Remote Buffer Overflow
• Description: Xftp is an SFTP and FTP file transfer program for Windows platforms. The application is exposed to a stack-based buffer overflow issue because it fails to properly validate the filenames sent as response to the "LIST" command in FTP connections before copying it into an insufficiently sized buffer. Xftp version 3.0 Build 239 is affected.
• Ref: http://www.securityfocus.com/bid/40470/references

• 10.23.7 - CVE: Not Available
• Platform: Third Party Windows Apps
• Title: JustSystems Ichitaro Character Attributes Processing Remote Code Execution
• Description: Ichitaro is a word processor available for Microsoft Windows. The application is exposed to a remote code execution issue. The issue is due an unspecified error when processing character attributes from a specially crafted document. Ichitaro version 2009 is affected.
• Ref: http://jvn.jp/en/jp/JVN17293765/index.html

• 10.23.8 - CVE: Not Available
• Platform: Third Party Windows Apps
• Title: Audiotran ".pls" File Remote Buffer Overflow
• Description: Audiotran is a media player for the Windows operating system. Audiotran is exposed to a remote buffer overflow issue because it fails to perform adequate checks on user-supplied input. Specifically, this issue occurs when opening a specially crafted ".pls" file. Audiotran version 1.4.1 is affected.
• Ref: http://www.securityfocus.com/bid/40478

• 10.23.9 - CVE: Not Available
• Platform: Third Party Windows Apps
• Title: Microsoft Internet Explorer CSS "expression" Remote Denial of Service
• Description: Microsoft Internet Explorer is a web browser available for Microsoft Windows. Internet Explorer is exposed to a remote denial of service issue. This issue occurs when handling web pages that contain a specially crafted CSS "expression". Internet Explorer versions 6, 7, and 8 are affected.
• Ref: http://www.securityfocus.com/archive/1/511585

• 10.23.10 - CVE: Not Available
• Platform: Linux
• Title: Linux Kernel "knfsd" "current->mm" Modifier Local Denial of Service
• Description: The Linux kernel is exposed to a local denial of service issue due to a NULL pointer deference condition that occurs in the "knfsd" component. This issue occurs when using the component to export "shmemfs" objects and run strict over commits. Specifically, the component fails to check if the "current->> mm" parameter is set to NULL before accessing it.
• Ref: https://bugzilla.redhat.com/show_bug.cgi?id=595970

• 10.23.11 - CVE: CVE-2010-1439
• Platform: Linux
• Title: Red Hat Client Tools "loginAuth.pkl" Local Security Bypass
• Description: Red Hat Client Tools (rhn-client-tools) provide programs and libraries that allow the system to receive software updates from the Red Hat Network. Red Hat rhn-client-tools is exposed to a local security bypass issue. This issue occurs because the application sets insecure permissions on the "loginAuth.pkl" file, which is used to store session credentials for authenticating connections to the Red Hat Network servers.
• Ref: http://www.securityfocus.com/bid/40492/references

• 10.23.12 - CVE: CVE-2010-2022
• Platform: BSD
• Title: FreeBSD jail(8) Local Security Bypass
• Description: Jail environments allow administrators to limit the ability of processes to interact with resources located outside of the configured environment. Jail is exposed to a local security bypass issue because the utility does not change the current working directory while imprisoning a process and allows descendants to access the directory. FreeBSD version 8.0 is affected.
• Ref: http://www.securityfocus.com/bid/40399

• 10.23.13 - CVE: Not Available
• Platform: Aix
• Title: IBM Communications Server for AIX Remote Denial of Service
• Description: IBM Communications Server provides a enterprise networking solution for AIX. IBM Communications Server for AIX is exposed to a remote denial of service issue that occurs when handling APPC (Advanced Program-to-Program Communications) packets with a GDSID variable of a small length value. IBM Communications Server for AIX versions 6.3.1 and earlier are affected.
• Ref: http://www-01.ibm.com/support/docview.wss?uid=swg1IZ68810

• 10.23.14 - CVE: CVE-2010-2024
• Platform: Unix
• Title: Exim MBX Locking Insecure Temporary File Creation
• Description: Exim is a mail transfer agent application available for Linux and Unix operating systems. The application creates temporary files in an insecure manner. Specifically, a race condition exists when temporary files are created. This issue affects the "MBX locking" feature of Exim. Exim versions prior to 4.72 RC2 are affected.
• Ref: http://bugs.exim.org/show_bug.cgi?id=989

• 10.23.15 - CVE: CVE-2009-4879
• Platform: Novell
• Title: Novell Access Manager Identity Server X.509 Authentication Security Bypass
• Description: Novell Access Manager is an application that provides single sign on for all corporate web applications. The application is exposed to a security bypass issue because it fails to properly restrict access for disabled accounts. Novell Access Manager versions prior to 3.1 SP1 are affected.
• Ref: http://www.novell.com/documentation/novellaccessmanager31/accessmanager_readme/d
  ata/accessmanager_readme.html#bktec02

• 10.23.16 - CVE: Not Available
• Platform: Novell
• Title: Novell ZENworks Configuration Management Preboot Service Stack Buffer Overflow
• Description: Novell ZENworks Configuration Management is an IT management application. ZENworks Configuration Management is exposed to a stack-based buffer overflow issue that affects the Preboot Service (novell-pbserv.exe), which is listening on TCP port 998 by default. ZENworks Configuration Management versions prior to 10.3 are affected.
• Ref: http://www.securityfocus.com/archive/1/511600

• 10.23.17 - CVE: CVE-2010-1634
• Platform: Cross Platform
• Title: Python "audioop" Module Integer Overflow
• Description: Python is an interpreted, dynamic object oriented programming language that is available for many operating systems. The "audioop" module for Python is exposed to multiple integer overflow issues that affect the "ulaw2lin()", "alam2lin()", "adpcm2lin()" and "lin2lin()" functions. Specifically, the application fails to perform adequate boundary checks on an integer value before using it to reference a buffer.
• Ref: https://bugzilla.redhat.com/show_bug.cgi?id=590690

• 10.23.18 - CVE: CVE-2010-0392
• Platform: Cross Platform
• Title: TheGreenBow VPN Client Stack Buffer Overflow
• Description: TheGreenBow VPN Client is an IPsec VPN client that sets up a secure channel for data transport. The application is exposed to a stack-based buffer overflow issue because it fails to perform adequate boundary checks on user supplied data. This issue occurs when the application processes certain sections of "tgb" files, and can be exploited by passing an overly long string to the "OpenScriptAfterUp" section. TheGreenBow VPN Client versions 4.65.003 and 4.51.001 are affected.
• Ref: http://www.senseofsecurity.com.au/advisories/SOS-10-001.pdf

• 10.23.19 - CVE: CVE-2010-1296
• Platform: Cross Platform
• Title: Adobe Photoshop Multiple File Types Remote Code Execution
• Description: Adobe Photoshop is an application that allows users to view and edit various graphic formats. Adobe Photoshop is exposed to multiple remote code execution issues. These issues occur when handling specially crafted ASL, ABR, or GRD files. Adobe Photoshop version CS4 11.01 is affected.
• Ref: http://www.adobe.com/support/security/bulletins/apsb10-13.html

• 10.23.20 - CVE: CVE-2010-1919
• Platform: Cross Platform
• Title: EMC Avamar "gsan" Service Denial of Service
• Description: EMC Avamar is a backup application available for multiple platforms. EMC Avamar is exposed to a denial of service issue. The application fails to properly process messages sent through an unspecified TCP port, causing the "gsan" service to hang. Avamar versions prior to 5.0 SP1 are affected.
• Ref: http://www.securityfocus.com/archive/1/511477

• 10.23.21 - CVE: Not Available
• Platform: Cross Platform
• Title: Mozilla Firefox Error Handling Information Disclosure
• Description: Mozilla Firefox is a web browser available for various platforms. Firefox is exposed to a remote information disclosure issue because the application allows attackers to discover the destination URL of a redirection using the "window.onerror" handler. Mozilla Firefox versions 3.6.3 and 3.5.9 are affected.
• Ref: http://soroush.secproject.com/blog/2010/05/cross-site-url-hijacking-by-using-err
  or-object-in-mozilla-firefox/

• 10.23.22 - CVE: CVE-2010-1938
• Platform: Cross Platform
• Title: FreeBSD OPIE "__opiereadrec()" Off By One Heap Memory Corruption
• Description: OPIE is a one time password system for BSD and Linux platforms. The application is exposed to an off by one memory corruption issue because it fails to properly bounds check user-supplied data before copying it into a memory buffer. OPIE supplied with FreeBSD versions 6.x, 7.x, and 8.x are affected.
• Ref: http://securityreason.com/achievement_securityalert/87

• 10.23.23 - CVE: Not Available
• Platform: Cross Platform
• Title: Nemesis Player ".nsp" File Remote Denial of Service
• Description: Nemesis Player is a multimedia player. The application is exposed to a remote denial of service issue when handling specially crafted ".nsp" files. Nemesis Player versions 1.1 Beta and 2.0 are affected.
• Ref: http://www.securityfocus.com/bid/40413

• 10.23.24 - CVE: Not Available
• Platform: Cross Platform
• Title: Home FTP Server Directory Traversal
• Description: Home FTP Server is a FTP server. The application is exposed to a directory traversal issue because it fails to sufficiently sanitize input from user-supplied commands. The issue affects the "RETR", "STOR" and "DELE" commands. Home FTP Server version 1.10.2.143 is affected.
• Ref: http://www.securityfocus.com/bid/40419

• 10.23.25 - CVE: Not Available
• Platform: Cross Platform
• Title: nginx Directory Traversal
• Description: nginx is a HTTP server, reverse proxy and mail proxy server. nginx is exposed to a directory traversal issue because it fails to sufficiently sanitize user supplied input. nginx versions 0.6.36 and earlier are affected.
• Ref: http://www.securityfocus.com/bid/40420/references

• 10.23.26 - CVE: Not Available
• Platform: Cross Platform
• Title: Ghostscript Insecure Temporary File Creation
• Description: Ghostscript is a set of tools and libraries for handling Portable Document Format and PostScript files. The application creates temporary files in an insecure manner. Specifically, the application creates a file in "/tmp" without the "O_EXCL" mode. Ghostscript version 8.64 is affected.
• Ref: http://www.securityfocus.com/bid/40426/references

• 10.23.27 - CVE: Not Available
• Platform: Cross Platform
• Title: VLC Media Player Multiple Media File Formats Buffer Overflow
• Description: VLC media player is a cross-platform media player that can be used to serve streaming data. The application is exposed to a buffer overflow issue because it fails to perform adequate boundary checks on user-supplied input. This issue occurs when handling multiple common media file formats. Specifically, the issue can be triggered with a specially crafted ".avi", ".mpg", ".mp4", ".asf" or ".mov" file. VLC media player version 1.0.6 is affected.
• Ref: http://www.securityfocus.com/bid/40428/references

• 10.23.28 - CVE: Not Available
• Platform: Cross Platform
• Title: nginx Space String Remote Source Code Disclosure
• Description: nginx is an HTTP server, reverse proxy, and mail proxy server. The application is exposed to a source code disclosure issue because it fails to properly sanitize user-supplied input. Specifically, an attacker can obtain the source code of a file by providing a "%20" string at the end of the filename in an HTTP request. nginx versions prior to 0.8.36 are affected.
• Ref: http://www.securityfocus.com/archive/1/509420

• 10.23.29 - CVE: Not Available
• Platform: Cross Platform
• Title: IBM Lotus Connections Multiple
• Description: IBM Lotus Connections is social collaboration software for business. The application is exposed to multiple security issues. Cross-site scripting issues affect the "create" and "edit" forms in the Community component, the "verbiage" parameter in the Bookmarks component and the mobile Blogs component. Information disclosure issues exist because the Bookmarklet popup window and "Top Updates" links in the Homepage component use HTTP when "force SSL" is enabled. An open redirection issue occurs because the application fails to properly sanitize unspecified user-supplied input. IBM Lotus Connections prior to 2.5.0 Fix Pack 2 (2.5.0.2) are affected.
• Ref: http://www-01.ibm.com/support/docview.wss?uid=swg21431472

• 10.23.30 - CVE: CVE-2010-0472
• Platform: Cross Platform
• Title: IBM DB2 prior to 9.7 Fix Pack 2 Multiple Security Vulnerabilities
• Description: IBM DB2 is a database manager. The application is exposed to multiple issues. A denial of service issue affects the Tivoli monitoring agent. An issue with an unspecified impact arises due to system granted privileges not being regenerated on views. Unauthorized users may access Monitor Administrative Views in "SYSIBMADM SCHEMA". IBM DB2 versions 9.2 prior to Fix Pack 2 (9.7.2) are affected.
• Ref: http://www-01.ibm.com/support/docview.wss?uid=swg21432298

• 10.23.31 - CVE: CVE-2010-2023
• Platform: Cross Platform
• Title: Exim Sticky Mail Directory Local Privilege Escalation
• Description: Exim is a mail transfer agent application available for Linux and Unix operating systems. The application is exposed to a local privilege escalation issue. Specifically, the application may follow hard links when delivering mail to mailbox files. This issue can be exploited when Exim is configured to use a world writable mail directory which has the "sticky bit" set. Since this issue requires that the sticky bit is set, attackers may only target users who do not have pre-existing mailbox files. Exim versions prior to 4.72 RC2 are affected.
• Ref: http://www.securityfocus.com/bid/40451/references

• 10.23.32 - CVE: Not Available
• Platform: Cross Platform
• Title: DM Database Server "SP_DEL_BAK_EXPIRED" Memory Corruption
• Description: DM Database Server is a database application. DM Database Server is exposed to a remote memory corruption issue that affects the "CALL SP_DEL_BAK_EXPIRED" function when a large string is passed to the first argument.
• Ref: http://www.securityfocus.com/archive/1/511559

• 10.23.33 - CVE: Not Available
• Platform: Cross Platform
• Title: Websense "Via" HTTP Header Web Filtering Security Bypass
• Description: Websense is a web filtering application. The application is exposed to a security bypass issue because it fails to properly enforce filtering rules. Specifically, HTTP requests which include the "Via" header are not filtered or logged. Websense Enterprise version 6.3.3 is affected.
• Ref: http://archives.neohapsis.com/archives/fulldisclosure/2010-05/0376.html

• 10.23.34 - CVE: Not Available
• Platform: Cross Platform
• Title: Ghostscript "gs_init.ps" With "-P-" Flag Search Path Local Privilege Escalation
• Description: Ghostscript is a set of tools and libraries for handling Portable Document Format and PostScript files. The application is exposed to a local privilege escalation issue. Specifically, the "gs_init.ps" file is executed in the current directory first, even if the "-P-" option is used to explicitly prevent this. Ghostscript version 8.64 is affected.
• Ref: http://www.securityfocus.com/archive/1/511578

• 10.23.35 - CVE: Not Available
• Platform: Cross Platform
• Title: SBLIM-SFCB Multiple Buffer Overflow Vulnerabilities
• Description: SBLIM-SFCB (Small Footprint CIM Broker) is a CIM server. The application is exposed to multiple security issues. A heap based buffer overflow issue exists because the application does not properly verify the size value provided via the "Content-Length" header. A heap-based buffer overflow issue exists due to an integer overflow error when receiving an overly large value in the "Content-Length" header. SBLIM-SFCB versions prior to 1.3.8 are affected.
• Ref: http://sourceforge.net/tracker/index.php?func=detail&aid=3001915&group_i
  d=128809&atid=712784

• 10.23.36 - CVE: Not Available
• Platform: Cross Platform
• Title: Winamp AVI File RIFF Data Remote Denial of Service
• Description: NullSoft Winamp is a media player application. The application is exposed to a remote denial of service issue when handling specially crafted AVI files. Specifically, the application fails to handle files which are missing RIFF header data. This issue can also be triggered by zero length files. NullSoft Winamp versions prior to 5.572 are affected.
• Ref: http://www.securityfocus.com/archive/1/511577

• 10.23.37 - CVE: Not Available
• Platform: Cross Platform
• Title: Accoria Rock Web Server Multiple Security
• Description: Accoria Rock Web Server is an HTTP server for Unix and Linux platforms. Accoria Rock Web Server is exposed to multiple security issues that affect the web-based administrative interface. Rock Web Server version 1.4.7 is affected.
• Ref: http://www.kb.cert.org/vuls/id/245081

• 10.23.38 - CVE: Not Available
• Platform: Web Application - Cross Site Scripting
• Title: GetSimple CMS "components.php" Cross-Site Scripting
• Description: GetSimple CMS is a PHP-based content management system. GetSimple CMS is exposed to a cross-site scripting issue because it fails to sufficiently sanitize user-supplied input to the "val[]" parameter of the "/admin/components.php" script. GetSimple CMS version 2.01 is affected.
• Ref: http://www.securityfocus.com/archive/1/511458

• 10.23.39 - CVE: Not Available
• Platform: Web Application - Cross Site Scripting
• Title: RuubikCMS "index.php" Cross-Site Scripting
• Description: RuubikCMS is a PHP-based content management tool. RuubikCMS is exposed to a cross-site scripting issue because it fails to properly sanitize user supplied input to the "description" parameter of the "ruubikcms/cms/index.php" script. RuubikCMS version 1.0.3 is affected.
• Ref: http://www.securityfocus.com/archive/1/511460

• 10.23.40 - CVE: Not Available
• Platform: Web Application - Cross Site Scripting
• Title: md5 Encryption Decryption PHP Script "index.php" Cross-Site Scripting
• Description: md5 Encryption Decryption PHP Script is a script for decrypting md5 strings. md5 Encryption Decryption PHP Script is exposed to a cross-site scripting issue because it fails to sufficiently sanitize user supplied input to the "index.php" script.
• Ref: http://www.securityfocus.com/bid/40381/references

• 10.23.41 - CVE: Not Available
• Platform: Web Application - Cross Site Scripting
• Title: PHPCalendar Calendar Script Multiple Cross-Site Scripting
• Description: PHPCalendar Calendar Script is PHP-based web application. The application is exposed to multiple cross-site scripting issues because it fails to sanitize user-supplied input to the "install.php" script and the "cat" parameter of the "product_list.php" script.
• Ref: http://www.securityfocus.com/bid/40391/references

• 10.23.42 - CVE: Not Available
• Platform: Web Application - Cross Site Scripting
• Title: BackLinkSpider Multiple Cross-Site Scripting Vulnerabilities
• Description: BackLinkSpider is a PHP-based link exchange application. BackLinkSpider is exposed to multiple cross-site scripting issues because it fails to properly sanitize user-supplied input to the "cat_id", "siteid" and "cat_name" parameters of the "links.php" script. BackLinkSpider version 1.3.1774.0 is affected.
• Ref: http://www.securityfocus.com/bid/40400/references

• 10.23.43 - CVE: Not Available
• Platform: Web Application - Cross Site Scripting
• Title: ZoneCheck "zc.cgi" Cross-Site Scripting
• Description: ZoneCheck is a DNS zone checking tool. ZoneCheck is exposed to a cross-site scripting issue because it fails to sufficiently sanitize user-supplied input to the "ns" parameter of the "zc.cgi" script when the "zone" parameter is set to any value. ZoneCheck version 2.1.0 is affected.
• Ref: http://www.securityfocus.com/bid/40404/references

• 10.23.44 - CVE: Not Available
• Platform: Web Application - Cross Site Scripting
• Title: MediaWiki CSS Input Cross-Site Scripting
• Description: MediaWiki is a PHP-based wiki application. The application is exposed to a cross-site scripting issue because it fails to sanitize user-supplied input. Specifically, the issue affects the CSS input. MediaWiki versions prior to 1.15.4 and 1.16.0beta3 are affected.
• Ref: http://lists.wikimedia.org/pipermail/mediawiki-announce/2010-May/000091.html

• 10.23.45 - CVE: Not Available
• Platform: Web Application - Cross Site Scripting
• Title: Toronja CMS "index.php" Cross-Site Scripting
• Description: Toronja CMS is a PHP-based content management system. The application is exposed to a cross-site scripting issue because it fails to sanitize user-supplied input to the "txt_filtro" parameter of the "index.php" script.
• Ref: http://www.securityfocus.com/bid/40424

• 10.23.46 - CVE: Not Available
• Platform: Web Application - Cross Site Scripting
• Title: CMScout Cross-Site Scripting
• Description: CMScout is a PHP-based content manager. The application is exposed to a cross-site scripting issue because it fails to sufficiently sanitize user-supplied data to the "search" field.
• Ref: http://www.securityfocus.com/bid/40442/references

• 10.23.47 - CVE: Not Available
• Platform: Web Application - Cross Site Scripting
• Title: wsCMS "news.php" Cross-Site Scripting
• Description: wsCMS is a PHP-based content manager. wsCMS is exposed to a cross-site scripting issue because it fails to properly sanitize user-supplied input to the "id" parameter of the "news.php" script.
• Ref: http://www.securityfocus.com/bid/40447/references

• 10.23.48 - CVE: Not Available
• Platform: Web Application - Cross Site Scripting
• Title: Zeeways eBay Clone Auction Script "signinform.php" Cross-Site Scripting
• Description: Zeeways eBay Clone Auction Script is a web-based application. The application is exposed to a cross-site scripting issue because it fails to sanitize user-supplied input to the "msg" parameter of the "signinform.php" script.
• Ref: http://www.securityfocus.com/bid/40452

• 10.23.49 - CVE: Not Available
• Platform: Web Application - Cross Site Scripting
• Title: Smart Statistics "smart_statistics_admin.php" Cross-Site Scripting
• Description: Smart Statistics is a PHP-based website statistics script. The application is exposed to a cross-site scripting issue because it fails to sufficiently sanitize user-supplied input to the "name" parameter of the "smart_statistics_admin.php" script. Smart Statistics version 1.0 is affected.
• Ref: http://www.securityfocus.com/bid/40468/references

• 10.23.50 - CVE: Not Available
• Platform: Web Application - Cross Site Scripting
• Title: dotDefender Log Viewer Cross-Site Scripting
• Description: dotDefender is a website security application. dotDefender is exposed to a cross-site scripting issue because it fails to properly sanitize user-supplied input. Specifically, the application is vulnerable when the log viewer displays HTTP headers. dotDefender version 4.0 is affected.
• Ref: http://www.securityfocus.com/bid/40484/references

• 10.23.51 - CVE: Not Available
• Platform: Web Application - Cross Site Scripting
• Title: Datetopia Match Agency BiZ Multiple Cross-Site Scripting Vulnerabilities
• Description: Datetopia Match Agency BiZ is a PHP-based online dating application. The application is exposed to multiple cross-site scripting issues because it fails to sufficiently sanitize user-supplied data. These issues affect the "details_var" parameter of the "smilies_popup.php" script and the "profile_id" parameter of the "manage_pictures.php" script.
• Ref: http://www.securityfocus.com/bid/40488/references

• 10.23.52 - CVE: Not Available
• Platform: Web Application - SQL Injection
• Title: 360 Web Manager "webpages-form-led-edit.php" SQL Injection
• Description: 360 Web Manager is a PHP-based content manager. The application is exposed to an SQL injection issue because it fails to sufficiently sanitize user-supplied data to the "IDFM" parameter of the "/adm/content/webpages/webpages-form-led-edit.php" script before using it in an SQL query. 360 Web Manager version 3.0 is affected.
• Ref: http://www.securityfocus.com/archive/1/511461

• 10.23.53 - CVE: Not Available
• Platform: Web Application - SQL Injection
• Title: Multi Shop CMS "pages.php" SQL Injection
• Description: Multi Shop CMS is a PHP-based content management system. The application is exposed to an SQL injection issue because it fails to sufficiently sanitize user-supplied data to the "id" parameter of the "pages.php" script before using it in an SQL query.
• Ref: http://www.securityfocus.com/bid/40388

• 10.23.54 - CVE: Not Available
• Platform: Web Application - SQL Injection
• Title: BackLinkSpider "cat_id" Parameter SQL Injection
• Description: BackLinkSpider is a PHP-based link exchange application. The application is exposed to an SQL injection issue because it fails to sufficiently sanitize user-supplied data to the "cat_id" parameter of the "links.php" script before using it in an SQL query.
• Ref: http://www.securityfocus.com/bid/40398/references

• 10.23.55 - CVE: Not Available
• Platform: Web Application - SQL Injection
• Title: MultiShopCMS Multi Vendor Mall Multiple SQL Injection Vulnerabilities
• Description: MultiShopCMS Multi Vendor Mall is a PHP-based e-commerce platform. The application is exposed to multiple SQL injection issues because it fails to sufficiently sanitize user-supplied data to the "itemid" and "storeid" parameters of the "itemdetail.php" and "shop.php" scripts respectively.
• Ref: http://www.securityfocus.com/bid/40402/references

• 10.23.56 - CVE: Not Available
• Platform: Web Application - SQL Injection
• Title: Toronja CMS Multiple SQL Injection Vulnerabilities
• Description: Toronja CMS is a PHP-based content management system. The application is exposed to multiple SQL injection issues because it fails to sufficiently sanitize user-supplied data to the "ncategoria1" parameter of the "index.php" and "interior.php" scripts before using it in an SQL query.
• Ref: http://www.securityfocus.com/bid/40421

• 10.23.57 - CVE: Not Available
• Platform: Web Application - SQL Injection
• Title: osCommerce Visitor Web Stats Add-On "Accept-Language" Header SQL Injection
• Description: Visitor Web Stats is an osCommerce add on implemented in PHP. The application is exposed to an SQL injection issue because it fails to sufficiently sanitize user-supplied data to the "Accept Language" header.
• Ref: http://www.securityfocus.com/archive/1/511511

• 10.23.58 - CVE: Not Available
• Platform: Web Application - SQL Injection
• Title: ImpressPages CMS "admin.php" Multiple SQL Injection Vulnerabilities
• Description: ImpressPages CMS is a PHP-based content management system. The application is exposed to multiple SQL injection issues because it fails to sufficiently sanitize user-supplied data to the "sort_field" and "page_size" fields of the "admin.php" script. ImpressPages CMS version 1.0.4 is affected.
• Ref: http://www.impresspages.org/cms/forum/viewtopic.php?f=5&t=125

• 10.23.59 - CVE: Not Available
• Platform: Web Application - SQL Injection
• Title: Fusebox "CatDisplay" Parameter SQL Injection
• Description: Fusebox is a framework for building ColdFusion and PHP web applications. The application is exposed to an SQL injection issue because it fails to sufficiently sanitize user-supplied data to the "CatDisplay" parameter of the "ProductList.cfm" script before using it in an SQL query.
• Ref: http://www.securityfocus.com/bid/40439/references

• 10.23.60 - CVE: Not Available
• Platform: Web Application - SQL Injection
• Title: wsCMS Multiple SQL Injection
• Description: wsCMS is a PHP-based content manager. The application is exposed to multiple SQL injection issues because it fails to sufficiently sanitize user-supplied data and parameters before using it in an SQL query.
• Ref: http://www.securityfocus.com/bid/40443/references

• 10.23.61 - CVE: Not Available
• Platform: Web Application - SQL Injection
• Title: YourArcadeScript "username" Parameter SQL Injection
• Description: YourArcadeScript is a PHP-based web application. The application is exposed to an SQL injection issue because it fails to sufficiently sanitize user-supplied data to the "username" parameter of the "includes/saveregister.php" script before using it in an SQL query. YourArcadeScript version 2.0b1 is affected.
• Ref: http://www.securityfocus.com/bid/40459/references

• 10.23.62 - CVE: Not Available
• Platform: Web Application - SQL Injection
• Title: TermiSBloG Multiple SQL Injection
• Description: TermiSBloG is a PHP-based web log application. The application is exposed to multiple SQL injection issues because it fails to sufficiently sanitize user-supplied data to the "id" parameter of the "kategori.php" and "oku.php" scripts. TermiSBloG version 1.0 is affected.
• Ref: http://www.securityfocus.com/bid/40466/references

• 10.23.63 - CVE: Not Available
• Platform: Web Application
• Title: razorCMS "admin/index.php" HTML Injection
• Description: razorCMS is a PHP-based content manager. The application is exposed to an HTML injection issue because it fails to sufficiently sanitize user-supplied input. Specifically, this issue affects data submitted through the "content" field of the "admin/index.php" script. razorCMS version 1.0 Stable is affected.
• Ref: http://www.htbridge.ch/advisory/xss_vulnerability_in_razorcms.html

• 10.23.64 - CVE: Not Available
• Platform: Web Application
• Title: Nuked-Klan Search Request Denial of Service
• Description: Nuked-Klan is a PHP-based content management system. The application is exposed to a denial of service issue because the search functionality fails to properly handle multiple search requests. Nuked-Klan versions 1.7.7 and SP4 are affected.
• Ref: http://www.securityfocus.com/bid/40394

• 10.23.65 - CVE: Not Available
• Platform: Web Application
• Title: CiviCRM Multiple HTML Injection Vulnerabilities
• Description: CiviCRM is a PHP-based customer relationship manager. CiviCRM is exposed to multiple HTML injection issues because it fails to properly sanitize user-supplied input. CiviCRM version 3.1 Beta 1 is affected.
• Ref: http://www.securityfocus.com/bid/40406

• 10.23.66 - CVE: Not Available
• Platform: Web Application
• Title: Layout CMS SQL-Injection and Cross-Site Scripting Vulnerabilities
• Description: Layout CMS is a PHP-based web application. The application is exposed to an SQL injection issue and a cross-site scripting issue because it fails to properly sanitize user-supplied input to the "id" parameter of the "preview.php" script. Layout CMS version 1.0 is affected.
• Ref: http://www.securityfocus.com/bid/40415/references

• 10.23.67 - CVE: Not Available
• Platform: Web Application
• Title: GR Board "page.php" Remote File Include
• Description: GR Board is a web-based application. The application is exposed to a remote file include issue because it fails to sufficiently sanitize user-supplied input to the "theme" parameter of the "page.php" script. GR Board version 1.8.6.1 is affected.
• Ref: http://www.securityfocus.com/bid/40437

• 10.23.68 - CVE: Not Available
• Platform: Web Application
• Title: Symphony "mode" Parameter Local File Include
• Description: Symphony is a PHP-based content management system. The application is exposed to a local file include issue because it fails to properly sanitize user-supplied input to the "mode" parameter of the "index.php" script. Symphony version 2.0.7 is affected.
• Ref: http://www.securityfocus.com/bid/40441

• 10.23.69 - CVE: Not Available
• Platform: Web Application
• Title: Plugin Gallery For Nucleus Remote File Include and SQL Injection Vulnerabilities
• Description: Plugin Gallery for Nucleus is a PHP-based web application. The application is exposed to multiple input validation issues. 1) A remote file include issue that affects the "DIR_NUCLEUS" parameter of the "nucleus/plugins/NP_gallery.php" script. 2) An SQL injection issue that affects the "id" parameter of the "index.php" script when "action" is set to "plugin", "name" is set to "gallery", and "type" is set to "album".
• Ref: http://www.securityfocus.com/bid/40448

• 10.23.70 - CVE: Not Available
• Platform: Web Application
• Title: NP_Twitter Nucleus Plugin "DIR_NUCLEUS" Remote File Include
• Description: NP_Twitter is a plugin for the Nucleus content management system. The application is exposed to a remote file include issue because it fails to sufficiently sanitize user-supplied input to the "DIR_PLUGINS" parameter of the "nucleus/plugins/NP_Twitter.php" script. NP_Twitter versions 0.8 and 0.9 are affected.
• Ref: http://www.securityfocus.com/bid/40453/references

• 10.23.71 - CVE: Not Available
• Platform: Web Application
• Title: Clearsite "header.php" Remote File Include
• Description: Clearsite is a network monitoring application implemented in PHP. The application is exposed to a remote file include issue because it fails to sufficiently sanitize user-supplied input to the "$cs_base_path" parameter of the "header.php" script.
• Ref: http://www.securityfocus.com/archive/1/511507

• 10.23.72 - CVE: Not Available
• Platform: Web Application
• Title: PHP Mysqlnd Extension Information Disclosure and Multiple Buffer Overflow Vulnerabilities
• Description: PHP is a general purpose scripting language that is suited for web development and can be embedded into HTML. The Mysqlnd extension, or native driver, is a replacement for the MySQL client library (libmysql). The PHP Mysqlnd extension is exposed to multiple security issues. 1) An information disclosure issue affects the "php_mysqlnd_ok_read()" function. 2) The "message_len" field in network packets is not properly verified, allowing heap memory to be harvested. 3) A heap-based buffer overflow issue that affects the "php_mysqlnd_rset_header_read()" function because the header size of a network packet is not properly verified. 4) A heap-based buffer overflow issue that affects the "php_mysqlnd_read_error_from_line()" function because it fails to properly calculate the size of a memory buffer. 5) A stack-based buffer overflow issue that affects the "php_mysqlnd_auth_write()" function because it fails to properly validate usernames or database names. PHP versions 5.3 through 5.3.2 are affected
• Ref: http://www.securityfocus.com/bid/40461/references

• 10.23.73 - CVE: Not Available
• Platform: Web Application
• Title: x10media Image Hosting Script "create_image_gallery.php" Arbitrary File Upload
• Description: x10media Image Hosting Script is a PHP-based script for hosting images. The application is exposed to an issue that lets attackers upload arbitrary files because it fails to adequately sanitize user-supplied input before uploading it onto the web server. This issue affects the "74rG37_H057/create_image_gallery.php" script.
• Ref: http://www.securityfocus.com/bid/40463/references

• 10.23.74 - CVE: Not Available
• Platform: Web Application
• Title: Visitor Logger "banned.php" Remote File Include
• Description: Visitor Logger is a PHP-based website visitors logging script. The application is exposed to a remote file include issue because it fails to properly sanitize user-supplied input to the "VL_include_path" parameter of the "banned.php" script.
• Ref: http://www.securityfocus.com/bid/40469

• 10.23.75 - CVE: Not Available
• Platform: Web Application
• Title: E107 Persian "usersettings.php" HTML Injection
• Description: E107 Persian is a PHP-based content manager. The application is exposed to an HTML injection issue because it fails to sufficiently sanitize user-supplied input. Specifically, this issue affects data submitted through the "signature" field of the "usersettings.php" script.
• Ref: http://www.securityfocus.com/bid/40477/references

• 10.23.76 - CVE: Not Available
• Platform: Web Application
• Title: CMS Made Simple Cross-Site Scripting and Cross-Site Request Forgery Vulnerabilities
• Description: CMS Made Simple is a PHP-based content manager. The application is exposed to multiple issues. 1) Multiple cross-site scripting issues occur because application fails to sufficiently sanitize input. 2) A cross-site request forgery issue affects the "Changes Group Permission" module. Specifically, the application fails to sufficiently check permissions when performing certain tasks. CMS Made Simple versions 1.7.1 and earlier are affected.
• Ref: http://www.securityfocus.com/bid/40483

• 10.23.77 - CVE: Not Available
• Platform: Web Application
• Title: EvoCam HTTP GET Request Buffer Overflow
• Description: EvoCam is an HTTP server application available for Mac OS X. EvoCam is exposed to a remote buffer overflow issue because it fails to perform adequate boundary checks on user-supplied input. The issue occurs when handling a specially crafted HTTP "GET" request. EvoCam versions 3.6.6 and 3.6.7 are affected.
• Ref: http://www.securityfocus.com/bid/40489

• 10.23.78 - CVE: Not Available
• Platform: Network Device
• Title: Apple iPhone PIN Authentication Security Bypass
• Description: Apple iPhone is exposed to a security bypass issue due to a failure to restrict access to locked devices. When a device is protected with a PIN code, it will normally require the PIN to be entered before communicating through a physical USB connection. However, this check is not properly performed when the device is connected while powered off and then powered on. iPhone 3GS devices are affected.
• Ref: http://images.apple.com/iphone/business/docs/iPhone_Security_Overview.pdf

• 10.23.79 - CVE: CVE-2010-0600, CVE-2010-0599, CVE-2010-0595,CVE-2010-0596, CVE-2010-0598
• Platform: Network Device
• Title: Cisco Network Building Mediator System Configuration File multiple vulnerabilities
• Description: Cisco Network Building Mediator is a family of hardware networking devices. Cisco Network Building Mediator (NBM) is exposed to multiple issues. 1) An information disclosure issue that occurs because the device allows unauthorized users to read one of the system configuration files. 2) A remote privilege escalation issue because it fails to sufficiently protect device configuration details. 3) A remote information disclosure issue because it fails to encrypt sensitive information transmitted over the network. 4) A remote information disclosure issue because it fails to encrypt sensitive information transmitted over the network. 5) A remote authentication bypass issue that occurs because the device assigns default credentials to several predefined user accounts on the device including the administrator's user account. Network Building Mediator products running software releases prior to 3.1.1 are affected.
• Ref: http://www.cisco.com/en/US/products/products_security_advisory09186a0080b2c518.s
  html#@ID

• 10.23.80 - CVE: Not Available
• Platform: Network Device
• Title: NETGEAR WG602v4 Administrator Password Remote Stack Buffer Overflow
• Description: The NETGEAR WG602v4 is a wireless-access-point hardware device. The device supports a web-based administrative interface. The device is exposed to a remote stack-based buffer overflow issue because it fails to perform adequate boundary checks on user-supplied data.
• Ref: http://www.securityfocus.com/archive/1/511555

(c) 2010. All rights reserved. The information contained in this newsletter, including any external links, is provided "AS IS," with no express or implied warranty, for informational purposes only. In some cases, copyright for material in this newsletter may be held by a party other than Qualys (as indicated herein) and permission to use such material must be requested from the copyright owner.