
@RISK: The Consensus Security Vulnerability Alert

Volume: IX, Issue: 49
December 3, 2010

@RISK is the SANS community's consensus bulletin summarizing the most important vulnerabilities and exploits identified during the past week and providing guidance on appropriate actions to protect your systems (PART I). It also includes a comprehensive list of all new vulnerabilities discovered in the past week (PART II).

Summary of the vulnerabilities reported this week:

    Platform                                   Number of Updates and Vulnerabilities
    -----------------------------------------  -------------------------------------
    Windows                                    1
    Microsoft Office                           1
    Third Party Windows Apps                   2 (#2)
    Linux                                      7
    BSD                                        1
    Cross Platform                             9 (#1)
    Web Application - Cross Site Scripting     7
    Web Application - SQL Injection            8
    Web Application                            3
    Network Device                             1


Table Of Contents
    Part I -- Critical Vulnerabilities from TippingPoint (www.tippingpoint.com)
    Part II -- Comprehensive List of Newly Discovered Vulnerabilities from Qualys (www.qualys.com)
        Windows
        Microsoft Office
        Third Party Windows Apps
        Linux
        BSD
        Cross Platform
        Web Application - Cross Site Scripting
        Web Application - SQL Injection
        Web Application
        Network Device

    PART I Critical Vulnerabilities

    Part I for this issue has been compiled by Josh Bronson at TippingPoint, a division of HP, as a by-product of that company's continuous effort to ensure that its intrusion prevention products effectively block exploits using known vulnerabilities. TippingPoint's analysis is complemented by input from a council of security managers from twelve large organizations who confidentially share with SANS the specific actions they have taken to protect their systems. A detailed description of the process may be found at http://www.sans.org/newsletters/risk/#process

    Widely Deployed Software
    • (1) MEDIUM: ProFTPD Backdoor Unauthorized Access Vulnerability
    • Affected:
      • ProFTPD 1.3.3c md5sum 8571bd78874b557e98480ed48e2df1d2 proftpd-1.3.3c.tar.bz2
      • ProFTPD 1.3.3c md5sum 4f2c554d6273b8145095837913ba9e5d proftpd-1.3.3c.tar.gz
    • Description: Between November 28th and December 2nd, 2010, the ProFTPD FTP site distributed a version of ProFTPD with a backdoor installed. This was due to an earlier compromise of the server that went undetected initially; attackers apparently broke into the site and uploaded the malicious version of the software.

    • Status: vendor confirmed, updates available

    • References:
    • (2) MEDIUM: Nullsoft Winamp Multiple Security Vulnerabilities
    • Affected:
      • Nullsoft Winamp prior to 5.6
    • Description: Nullsoft has released a patch for security vulnerabilities in its Winamp software. By enticing a user to view a malicious NSV (Nullsoft Video) stream, an attacker can exploit these vulnerabilities to execute arbitrary code on the target's machine. The vulnerabilities are due to errors parsing user-supplied input, namely the table of contents of the NSV stream.

    • Status: vendor confirmed, updates available

    • References:
    Part II: Weekly Comprehensive List of Newly Discovered Vulnerabilities
    Week 49, 2010

    Comprehensive List of Newly Discovered Vulnerabilities from Qualys (www.qualys.com)

    This list is compiled by Qualys (www.qualys.com) as part of that company's ongoing effort to ensure its vulnerability management web service tests for all known vulnerabilities that can be scanned. As of this week Qualys scans for 10603 unique vulnerabilities. For this special SANS community listing, Qualys also includes vulnerabilities that cannot be scanned remotely.


    • 10.49.1 - CVE: Not Available
    • Platform: Windows
    • Title: Microsoft Windows User Access Control (UAC) Bypass Local Privilege Escalation
    • Description: Microsoft Windows is exposed to a local privilege escalation issue that affects the "RtlQueryRegistryValues()" API function. Specifically, the size of the output value may be returned as either UNICODE_STRING or ULONG size, while the actual returned buffer size is determined by registry key type.
    • Ref: http://www.kb.cert.org/vuls/id/529673

    • 10.49.2 - CVE: Not Available
    • Platform: Microsoft Office
    • Title: Microsoft Outlook File Attachment Denial of Service
    • Description: Microsoft Outlook is an email client for Microsoft Windows platforms. The application is exposed to a denial of service issue because it fails to properly handle certain email attachments. A file without extension can trigger the issue when clicked in a preview pane. Microsoft Outlook 2007 SP2 is affected.
    • Ref: http://www.csis.dk/en/csis/news/3073/

    • 10.49.3 - CVE: Not Available
    • Platform: Third Party Windows Apps
    • Title: Google Desktop "schannel.dll" DLL Loading Arbitrary Code Execution
    • Description: Google Desktop is a freely available application that allows users to search the contents of their computer. The application is exposed to an issue that lets attackers execute arbitrary code. The issue arises because the application searches for the "schannel.dll" Dynamic Link Library file in the current working directory. Google Desktop version 5.9.1005.12335 is affected.
    • Ref: http://blogs.technet.com/b/msrc/archive/2010/08/21/microsoft-security-advisory-2269637-released.aspx

    • 10.49.4 - CVE: Not Available
    • Platform: Third Party Windows Apps
    • Title: Winamp Prior to 5.6 Multiple Vulnerabilities
    • Description: Nullsoft Winamp is a media player for Microsoft Windows. Winamp is exposed to multiple issues. Successful exploits will allow attackers to execute arbitrary code in the context of the application or cause denial of service. Winamp versions prior to 5.6 are affected.
    • Ref: http://secunia.com/secunia_research/2010-127/

    • 10.49.5 - CVE: Not Available
    • Platform: Linux
    • Title: Linux Kernel "inotify_init()" Memory Leak Local Denial of Service
    • Description: The Linux kernel is exposed to a local denial of service issue. Specifically, the issue occurs due to a memory leak in the "inotify_init()" system call of the "fs/notify/inotify/inotify_user.c" file.
    • Ref: http://www.securityfocus.com/bid/45036

    • 10.49.6 - CVE: CVE-2010-4249
    • Platform: Linux
    • Title: Linux Kernel Unix Sockets Local Denial of Service
    • Description: The Linux kernel is exposed to a local denial of service issue when handling specially crafted UNIX sockets. Linux kernel version 2.6.35 is affected.
    • Ref: https://bugzilla.redhat.com/show_bug.cgi?id=656756


    • 10.49.8 - CVE: CVE-2010-3850,CVE-2010-3849,CVE-2010-3848
    • Platform: Linux
    • Title: Linux Kernel Econet Protocol Multiple Local Issues
    • Description: The Linux kernel is exposed to multiple local issues that affect the Econet protocol.
    • Ref: http://www.securityfocus.com/bid/45072

    • 10.49.9 - CVE: CVE-2010-4073
    • Platform: Linux
    • Title: Linux Kernel Information Disclosure Issue
    • Description: The Linux kernel is exposed to an information disclosure issue that may allow users to read uninitialized stack memory. Specifically, the kernel fails to clear the "reserved" members of the memory before allowing a user to use the affected structure.
    • Ref: https://bugzilla.redhat.com/show_bug.cgi?id=648658

    • 10.49.10 - CVE: CVE-2010-4074
    • Platform: Linux
    • Title: Linux Kernel TIOCGICOUNT Information Disclosure Issue
    • Description: The Linux kernel is exposed to an information disclosure issue. This issue affects the "TIOCGICOUNT" device and may allow users to read uninitialized stack memory. Specifically, the kernel fails to clear the "reserved" members of the "serial_icounter_struct" before allowing a user to use the affected structure.
    • Ref: http://www.securityfocus.com/bid/45074

    • 10.49.11 - CVE: CVE-2010-4179
    • Platform: Linux
    • Title: Red Hat Enterprise MRG Messaging and Grid Security Bypass Issue
    • Description: Red Hat Enterprise MRG (Messaging, Realtime, and Grid) is realtime IT infrastructure for enterprise computing. Red Hat Enterprise MRG Messaging and Grid are exposed to a security bypass issue. This issue is due to inadequate access control between the "cumin" process and the Condor QMF plugin.
    • Ref: http://www.securityfocus.com/bid/45113

    • 10.49.12 - CVE: Not Available
    • Platform: BSD
    • Title: NetBSD "udp6_output()" Remote Denial of Service Issue
    • Description: NetBSD is an open-source BSD UNIX operating system. NetBSD is exposed to a remote denial of service issue. Specifically, the "udp6_output()" function may attempt to release packet options even if they were never created, leading to a NULL pointer dereference error.
    • Ref: http://ftp.netbsd.org/pub/NetBSD/security/advisories/NetBSD-SA2010-013.txt.asc

    • 10.49.13 - CVE: CVE-2010-3699
    • Platform: Cross Platform
    • Title: Xen "blkback/blktap/netback" Leaked Kernel Thread Local Denial of Service
    • Description: Xen is an open-source hypervisor or virtual machine monitor. Xen is exposed to a denial of service issue because it fails to properly remove a guest's references to the host device. This issue affects the "blkback", "blktap", and "netback" kernel device drivers.
    • Ref: http://www.securityfocus.com/bid/45039

    • 10.49.14 - CVE: CVE-2010-4176
    • Platform: Cross Platform
    • Title: Fedora "Dracut" Package Insecure File Permissions Issue
    • Description: Dracut is a generic, modular initramfs-generation tool. The Fedora "Dracut" package is exposed to an insecure file permissions issue. Specifically, this issue occurs because the Dracut-generated initramfs scripts create the "/dev/systty" device file with insecure permissions.
    • Ref: http://www.securityfocus.com/bid/45046

    • 10.49.15 - CVE: Not Available
    • Platform: Cross Platform
    • Title: xine-lib "asfheader.c" Remote Memory Corruption
    • Description: The xine-lib library allows various media players to play multiple media formats. The xine-lib library is exposed to a memory corruption issue that occurs because the application uses an uninitialized variable. xine-lib versions prior to 1.1.19 are affected.
    • Ref: http://www.securityfocus.com/bid/45047

    • 10.49.16 - CVE: Not Available
    • Platform: Cross Platform
    • Title: CA Internet Security Suite 2010 "KmxSbx.sys" Local Privilege Escalation
    • Description: CA Internet Security Suite 2010 is an Internet security application. CA Internet Security Suite is exposed to a local privilege escalation issue that affects the "KmxSbx.sys" file when handling the "0x88000080" IOCTL call. CA Internet Security Suite 2010 version 6.2.0.22 is affected.
    • Ref: http://www.securityfocus.com/bid/45071

    • 10.49.17 - CVE: Not Available
    • Platform: Cross Platform
    • Title: collectd "cu_rrd_create_file()" Remote Denial of Service
    • Description: collectd is a system performance monitoring application. collectd is exposed to a remote denial of service issue that affects the "RRDtool" and "RRDCacheD" plugins. An attacker can exploit this issue to crash the service, resulting in a denial of service. collectd versions prior to 4.9.4 and 4.10.2 are affected.
    • Ref: http://collectd.org/news.shtml#news86

    • 10.49.18 - CVE: Not Available
    • Platform: Cross Platform
    • Title: Lightweight Rich Text Editor Plugin for jQuery
    • Description: Lightweight Rich Text Editor is a plugin for jQuery. The application is exposed to a file upload issue because the application fails to properly sanitize user-supplied input to the "uploader.php" script. Lightweight Rich Text Editor version 1.2 is affected.
    • Ref: http://www.securityfocus.com/bid/45085

    • 10.49.19 - CVE: CVE-2010-3449
    • Platform: Cross Platform
    • Title: Apache Archiva Cross-Site Request Forgery Issue
    • Description: Apache Archiva is data repository management software. Apache Archiva is exposed to a cross-site request forgery issue because the application does not properly validate the origin of requests. The following versions are affected: Archiva versions 1.0 through 1.0.3, Archiva versions 1.1 through 1.1.4, Archiva versions 1.2 through 1.2.2, and Archiva versions 1.3 through 1.3.1.
    • Ref: http://www.securityfocus.com/bid/45095

    • 10.49.20 - CVE: Not Available
    • Platform: Cross Platform
    • Title: Xen "fixup_page_fault()" Denial of Service
    • Description: Xen is a hypervisor or virtual machine monitor. Xen is exposed to a denial of service issue. This issue occurs because the "fixup_page_fault()" function in the "xen/arch/x86/traps.c" file fails to properly validate the memory addresses used for indirect access.
    • Ref: http://www.securityfocus.com/bid/45099

    • 10.49.21 - CVE: CVE-2010-4313
    • Platform: Cross Platform
    • Title: Orbis CMS "fileman_file_upload.php" Arbitrary File Upload Issue
    • Description: Orbis CMS is a PHP-based content manager. The application is exposed to a file upload issue because the application fails to properly sanitize user-supplied input to the "fileman_file_upload.php" script. Orbis CMS version 1.0.2 is affected.
    • Ref: http://www.securityfocus.com/bid/45103

    • 10.49.22 - CVE: Not Available
    • Platform: Web Application - Cross Site Scripting
    • Title: SimpLISTic SQL "email.cgi" Cross-Site Scripting
    • Description: SimpLISTic SQL is a PHP-based link manager. The application is exposed to a cross-site scripting issue because it fails to properly sanitize user-supplied input to the "email" parameter of the "email.cgi" script. SimpLISTic SQL version 2.0 is affected.
    • Ref: http://www.securityfocus.com/archive/1/514885

    • 10.49.23 - CVE: Not Available
    • Platform: Web Application - Cross Site Scripting
    • Title: MCG GuestBook Multiple Cross-Site Scripting Vulnerabilities
    • Description: MCG GuestBook is a guestbook application. The application is exposed to multiple cross-site scripting issues because it fails to sanitize user-supplied input. MCG GuestBook version 1.0 is affected.
    • Ref: http://evuln.com/vulns/144/description.html

    • 10.49.24 - CVE: Not Available
    • Platform: Web Application - Cross Site Scripting
    • Title: Register Plus "wp-login.php" Multiple Cross-Site Scripting Vulnerabilities
    • Description: Register Plus is a plugin for WordPress. WordPress is a web-based publishing application. The application is exposed to multiple cross-site scripting issues because it fails to sanitize user-supplied input. Register Plus version 3.5.1 is affected.
    • Ref: http://www.securityfocus.com/archive/1/514903

    • 10.49.25 - CVE: Not Available
    • Platform: Web Application - Cross Site Scripting
    • Title: WordPress Register Plus "wp-login.php" Multiple Cross-Site Scripting Issues
    • Description: Register Plus is a plugin for WordPress. WordPress is a web-based publishing application implemented in PHP. The application is exposed to multiple cross-site scripting issues because it fails to sanitize user-supplied input. Register Plus version 3.5.1 is affected.
    • Ref: http://www.securityfocus.com/bid/45069

    • 10.49.26 - CVE: Not Available
    • Platform: Web Application - Cross Site Scripting
    • Title: Diferior "views/post.php" Cross-Site Scripting
    • Description: Diferior is a PHP-based content management system. The application is exposed to a cross-site scripting issue because it fails to sufficiently sanitize user-supplied input to the "post_content" variable of the "views/post.php" script. Diferior version 8.03 is affected.
    • Ref: http://www.securityfocus.com/bid/45088

    • 10.49.27 - CVE: Not Available
    • Platform: Web Application - Cross Site Scripting
    • Title: eSyndiCat Directory Software Multiple Cross-Site Scripting Vulnerabilities
    • Description: eSyndiCat Directory Software is a web application. The application is exposed to multiple cross-site scripting issues. eSyndiCat Directory Software version 2.3 is affected.
    • Ref: http://www.securityfocus.com/bid/45093

    • 10.49.28 - CVE: CVE-2010-4329
    • Platform: Web Application - Cross Site Scripting
    • Title: phpMyAdmin Database Search Cross-Site Scripting Issue
    • Description: phpMyAdmin is a web-based administration interface for MySQL databases. It is implemented in PHP. phpMyAdmin is exposed to a cross-site scripting issue because it fails to sufficiently sanitize user-supplied data to an unspecified parameter in the database search script when spoofed requests are sent. phpMyAdmin versions prior to 3.3.8.1 and 2.11.11.1 are affected.
    • Ref: http://www.securityfocus.com/bid/45100

    • 10.49.29 - CVE: Not Available
    • Platform: Web Application - SQL Injection Issue
    • Title: JE Ajax Event Calendar "event_id" Parameter SQL Injection
    • Description: JE Ajax Event Calendar is a component for the Joomla content manager. The JE Ajax Event Calendar "com_jeajaxeventcalendar" component for Joomla is exposed to an SQL injection issue because it fails to sufficiently sanitize user-supplied data to the "event_id" parameter in the "index.php" script before using it in an SQL query.
    • Ref: http://www.securityfocus.com/bid/45050

    • 10.49.30 - CVE: Not Available
    • Platform: Web Application - SQL Injection
    • Title: FreeTicket "contact.php" Multiple SQL Injection Vulnerabilities
    • Description: FreeTicket is a web-based application. FreeTicket is exposed to multiple SQL injection issues because it fails to sufficiently sanitize user-supplied data passed to the "id" and "email" parameters of the "contact.php" script. FreeTicket version 1.0.0 is affected.
    • Ref: http://www.securityfocus.com/archive/1/514890

    • 10.49.31 - CVE: Not Available
    • Platform: Web Application - SQL Injection
    • Title: SiteEngine "comments.php" SQL Injection Issue
    • Description: SiteEngine is a PHP-based content manager. The application is exposed to an SQL injection issue because it fails to sufficiently sanitize user-supplied data to the "module" parameter of the "comments.php" script before using it in an SQL query. SiteEngine version 7.1 is affected.
    • Ref: http://www.securityfocus.com/bid/45056

    • 10.49.32 - CVE: Not Available
    • Platform: Web Application - SQL Injection
    • Title: Wernhart Guestbook Multiple SQL Injection Vulnerabilities
    • Description: Wernhart Guestbook is a web-based application. Wernhart Guestbook is exposed to multiple SQL injection issues because it fails to sufficiently sanitize user-supplied data passed to the "LastName" parameter of the "insert.phtml" script and certain unspecified parameters to the "insert.phtml" and "select.phtml" scripts. Wernhart Guestbook version 2001.03.28 is affected.
    • Ref: http://www.securityfocus.com/bid/45084

    • 10.49.33 - CVE: Not Available
    • Platform: Web Application - SQL Injection Issue
    • Title: Site2Nite Big Truck Broker "news_default.asp" SQL Injection
    • Description: Site2Nite Big Truck Broker is an ASP-based web application. The application is exposed to an SQL injection issue because it fails to sufficiently sanitize user-supplied data to the "txtSiteId" parameter of the "news_default.asp" script before using it in an SQL query.
    • Ref: http://www.securityfocus.com/bid/45077

    • 10.49.34 - CVE: Not Available
    • Platform: Web Application - SQL Injection
    • Title: E-lokaler CMS Admin Login Multiple SQL Injection Vulnerabilities
    • Description: E-lokaler CMS is a content management application. The application is exposed to multiple SQL injection issues because it fails to sufficiently sanitize user-supplied data to the "Username" and "Password" fields of the "admin" script. E-lokaler CMS 2 is affected.
    • Ref: http://packetstormsecurity.org/files/view/96177/elokalercms-sql.txt

    • 10.49.35 - CVE: Not Available
    • Platform: Web Application - SQL Injection Issue
    • Title: SmartBox "page_id" Parameter SQL Injection
    • Description: SmartBox is a PHP-based content manager. The application is exposed to an SQL injection issue because it fails to properly sanitize user-supplied input before using it in an SQL query. Specifically, the application fails to sanitize data supplied to the "page_id" parameter of the "page.php" script.
    • Ref: http://www.securityfocus.com/bid/45101

    • 10.49.36 - CVE: Not Available
    • Platform: Web Application - SQL Injection
    • Title: MicroNetSoft RV Dealer Websites Multiple SQL Injection Vulnerabilities
    • Description: MicroNetSoft RV Dealer Websites is an RV dealership website implemented in ASP. MicroNetSoft RV Dealer Websites is exposed to multiple SQL injection issues because it fails to sufficiently sanitize user-supplied data.
    • Ref: http://www.securityfocus.com/bid/45089

    • 10.49.37 - CVE: Not Available
    • Platform: Web Application
    • Title: MemHT Portal "User-Agent" HTTP Header HTML Injection
    • Description: MemHT Portal is a content manager. The application is exposed to an HTML injection issue because it fails to properly sanitize user-supplied input to the "User-Agent" HTTP Header in the "inc/inc_getinfo.php" script. MemHT Portal version 4.0.1 is affected.
    • Ref: http://www.memht.com/news_149_MemHT-Portal-4-0-2.html

    • 10.49.38 - CVE: Not Available
    • Platform: Web Application
    • Title: DaDaBIK HTML Injection
    • Description: DaDaBIK is a PHP-based application that allows users to create customizable front-end database interfaces. The module is exposed to an HTML injection issue because it fails to properly sanitize user-supplied input to the "html content" content type field or "rich_editor" field type field. DaDaBIK version 4.3 beta3 is affected.
    • Ref: https://bugzilla.redhat.com/show_bug.cgi?id=656756

    • 10.49.39 - CVE: Not Available
    • Platform: Web Application
    • Title: PHP Web Scripts Easy Banner Free Multiple SQL Injection and HTML Injection Vulnerabilities
    • Description: Easy Banner is a banner exchange application. The application is exposed to multiple issues because it fails to sufficiently sanitize user-supplied data. Easy Banner Free version 2009.05.18 is affected.
    • Ref: http://www.securityfocus.com/archive/1/514908

    • 10.49.40 - CVE: Not Available
    • Platform: Network Device
    • Title: D-Link DIR-300 WiFi Key Security Bypass Issue
    • Description: The D-Link DIR-300 is a wireless router. The D-Link DIR-300 wireless router is exposed to a security bypass issue. This issue occurs because the device allows unauthorized users to modify the WiFi key.
    • Ref: http://www.securityfocus.com/bid/45038

    (c) 2010. All rights reserved. The information contained in this newsletter, including any external links, is provided "AS IS," with no express or implied warranty, for informational purposes only. In some cases, copyright for material in this newsletter may be held by a party other than Qualys (as indicated herein) and permission to use such material must be requested from the copyright owner.
