@RISK: The Consensus Security Vulnerability Alert

Volume: IX, Issue: 5
January 28, 2010

@RISK is the SANS community's consensus bulletin summarizing the most important vulnerabilities and exploits identified during the past week and providing guidance on appropriate actions to protect your systems (PART I). It also includes a comprehensive list of all new vulnerabilities discovered in the past week (PART II).

Summary of the vulnerabilities reported this week:

    Category                                 # of Updates & Vulnerabilities
    ---------------------------------------  ------------------------------
    Other Microsoft Products                 7 (#1)
    Third Party Windows Apps                 3
    Linux                                    2
    Cross Platform                           26 (#2, #3, #4, #5, #6)
    Web Application - Cross Site Scripting   3
    Web Application - SQL Injection          15
    Web Application                          13
    Network Device                           3

**************************************************************************

TRAINING UPDATE

-- SANS AppSec 2010, San Francisco, January 29 - February 5, 2010. 8 courses and bonus evening presentations, including Social Zombies: Your Friends Want to Eat Your Brains

https://www.sans.org/appsec-2010/

-- SANS Phoenix, February 14 - February 20, 2010. 6 courses and bonus evening presentations, including The Art of Incident Response and Advanced Forensic Techniques: Catching Hackers on the Wire

https://www.sans.org/phoenix-2010/

-- SANS 2010, Orlando, March 6 - March 15, 2010. 38 courses and bonus evening presentations, including Software Security Street Fighting Style

https://www.sans.org/sans-2010/

-- SANS Northern Virginia Bootcamp 2010, April 6-13. Bonus evening presentations include Safe Surfing: How to Surf the Net Without Getting PWND

https://www.sans.org/reston-2010/

-- SANS Security West 2010, San Diego, May 7-15, 2010. 23 courses. Bonus evening presentations include Killer Bee: Exploiting ZigBee and the Kinetic World

https://www.sans.org/security-west-2010/

Looking for training in your own community?

https://sans.org/community/

Save on On-Demand training (30 full courses) - See samples at https://www.sans.org/ondemand

Plus Tokyo, Bangalore, Oslo and Dublin all in the next 90 days.

For a list of all upcoming events, on-line and live: http://www.sans.org

*************************************************************************

Table Of Contents

PART I -- Critical Vulnerabilities

PART II -- Comprehensive List of Newly Discovered Vulnerabilities from Qualys (www.qualys.com)
  Other Microsoft Products
  Third Party Windows Apps
  Linux
  Cross Platform
  Web Application - Cross Site Scripting
  Web Application - SQL Injection
  Web Application
  Network Device

PART I -- Critical Vulnerabilities

Part I for this issue has been compiled by Rohan Kotian at TippingPoint, a division of 3Com, as a by-product of that company's continuous effort to ensure that its intrusion prevention products effectively block exploits using known vulnerabilities. TippingPoint's analysis is complemented by input from a council of security managers from twelve large organizations who confidentially share with SANS the specific actions they have taken to protect their systems.

  • (1) CRITICAL: Microsoft Internet Explorer Multiple Vulnerabilities (MS10-002)
  • Affected:
    • Microsoft Windows 2000 Service Pack 4
    • Windows XP Service Pack 2 and Windows XP Service Pack 3
    • Windows XP Professional x64 Edition Service Pack 2
    • Windows Server 2003 Service Pack 2
    • Windows Server 2003 x64 Edition Service Pack 2
    • Windows Server 2003 with SP2 for Itanium-based Systems
    • Windows Vista, Windows Vista Service Pack 1, and Windows Vista Service Pack 2
    • Windows Vista x64 Edition, Windows Vista x64 Edition Service Pack 1, and Windows Vista x64 Edition Service Pack 2
    • Windows Server 2008 for 32-bit Systems and Windows Server 2008 for 32-bit Systems Service Pack 2
    • Windows Server 2008 for x64-based Systems and Windows Server 2008 for x64-based Systems Service Pack 2
    • Windows Server 2008 for Itanium-based Systems and Windows Server 2008 for Itanium-based Systems Service Pack 2
    • Windows 7 for 32-bit Systems
    • Windows 7 for x64-based Systems
    • Windows Server 2008 R2 for x64-based Systems
    • Windows Server 2008 R2 for Itanium-based Systems
    • Microsoft Internet Explorer 5.x
    • Microsoft Internet Explorer 6.x
    • Microsoft Internet Explorer 7.x
    • Microsoft Internet Explorer 8.x
  • Description: Microsoft Internet Explorer contains multiple vulnerabilities in its handling of HTML objects and cached content. A specially crafted web page could trigger one of these vulnerabilities using specially crafted HTML or scripts. The first flaw is an XSS filter bypass vulnerability caused by an error in the way Internet Explorer 8 disables HTML attributes in filtered HTTP response data. Successful exploitation might lead to information disclosure. The second flaw is caused by an error in the way Internet Explorer handles a specially crafted URL. There are four Uninitialized Memory Corruption vulnerabilities caused by Internet Explorer inappropriately accessing objects that have not been initialized or that have been deleted. There are two more HTML Object Memory Corruption vulnerabilities caused by Internet Explorer attempting to access incorrectly initialized memory. Successful exploitation of these vulnerabilities might allow an attacker to execute arbitrary code in the context of the logged-on user. Some technical details are publicly available for some of these vulnerabilities.

  • Status: Vendor confirmed, updates available.

  • References:
  • (2) HIGH: Google Chrome Multiple Vulnerabilities
  • Affected:
    • Google Chrome versions prior to 4.0.249.78
  • Description: Google Chrome, a web browser from Google, is the fourth most popular browser with 4.63% usage share among all the web browsers. Multiple vulnerabilities have been reported in Google Chrome in the way it handles various inputs. The vulnerabilities reported include information disclosure, cross-domain scripting, memory corruption errors, cross-domain access, and security bypass. Successful exploitation of some of the vulnerabilities might allow an attacker to execute arbitrary code. Full technical details for these vulnerabilities are publicly available via source code analysis.

  • Status: Vendor confirmed, updates available.

  • References:
  • (3) HIGH: CiscoWorks Internetwork Performance Monitor Buffer Overflow Vulnerability
  • Affected:
    • CiscoWorks IPM version 2.6
  • Description: CiscoWorks Internetwork Performance Monitor (IPM) is a troubleshooting application primarily used for evaluating network response time and availability. A buffer overflow vulnerability has been reported in CiscoWorks IPM. The specific flaw is caused by a boundary error while processing Common Object Request Broker Architecture (CORBA) GIOP requests. A specially crafted getProcessName GIOP request can be used to trigger this vulnerability. Authentication is not required to carry out this attack. Successful exploitation might allow an attacker to execute arbitrary code in the context of the affected application. Some technical details for the vulnerability are publicly available.

  • Status: Vendor confirmed, no updates available.

  • References:
  • (5) MODERATE: IBM Lotus Domino Buffer Overflow Vulnerability
  • Affected:
    • IBM Lotus Domino 8.x
  • Description: Lotus Domino is a popular enterprise groupware and mail system developed by IBM. A buffer overflow vulnerability has been reported in IBM Lotus Domino. A specially crafted LDAP message can be used to trigger this vulnerability and cause a heap overflow. The flaw is caused by a boundary error while processing specially crafted LDAP messages. Successful exploitation might lead to a denial-of-service condition or system compromise. Full technical details for the vulnerability are publicly available along with a proof-of-concept.

  • Status: Vendor confirmed, no updates available.

  • References:
  • (6) MODERATE: InterBase SMP 2009 Multiple Vulnerabilities
  • Affected:
    • InterBase SMP 2009 9.0.3.437
  • Description: InterBase SMP 2009 is a relational database management system (RDBMS) from Embarcadero Technologies. Two buffer overflow vulnerabilities have been reported in InterBase SMP 2009. The flaws are boundary errors caused by inadequate bounds checking while processing specially crafted packets sent to TCP port 3050. Successful exploitation might lead to a denial-of-service condition or allow an attacker to execute arbitrary code in the context of the affected application. Technical details for these vulnerabilities are not publicly available.

  • Status: Vendor confirmed, no updates available.

  • References:
Part II: Weekly Comprehensive List of Newly Discovered Vulnerabilities
Week 5, 2010

This list is compiled by Qualys (www.qualys.com) as part of that company's ongoing effort to ensure its vulnerability management web service tests for all known vulnerabilities that can be scanned. As of this week Qualys scans for 7880 unique vulnerabilities. For this special SANS community listing, Qualys also includes vulnerabilities that cannot be scanned remotely.

______________________________________________________________________

  • 10.5.1 - CVE: CVE-2010-0027
  • Platform: Other Microsoft Products
  • Title: Microsoft Internet Explorer URI Validation Remote Code Execution
  • Description: Microsoft Internet Explorer is a browser for the Windows operating system. Internet Explorer is exposed to a remote code execution issue. Specifically, when the application validates a URI, the code that is used to validate the URI can be used to execute binaries on a victim's computer.
  • Ref: http://www.microsoft.com/technet/security/Bulletin/MS10-002.mspx

  • 10.5.2 - CVE: CVE-2010-0244
  • Platform: Other Microsoft Products
  • Title: Microsoft Internet Explorer (CVE-2010-0244) Uninitialized Memory Remote Code Execution
  • Description: Microsoft Internet Explorer is a browser for the Windows operating system. Internet Explorer is exposed to a remote code execution issue that arises when the browser displays a malicious webpage. This issue occurs because of an error when accessing an object that has been incorrectly initialized or deleted.
  • Ref: http://www.microsoft.com/technet/security/Bulletin/MS10-002.mspx

  • 10.5.3 - CVE: CVE-2010-0245
  • Platform: Other Microsoft Products
  • Title: Microsoft Internet Explorer (CVE-2010-0245) Uninitialized Memory Remote Code Execution
  • Description: Microsoft Internet Explorer is a browser for the Windows operating system. Internet Explorer is exposed to a remote code execution issue that arises when the browser displays a malicious web page. This issue occurs because of an error when accessing an object that has been incorrectly initialized or deleted.
  • Ref: http://www.zerodayinitiative.com/advisories/ZDI-10-013/

  • 10.5.4 - CVE: CVE-2010-0247
  • Platform: Other Microsoft Products
  • Title: Microsoft Internet Explorer (CVE-2010-0247) Uninitialized Memory Remote Code Execution
  • Description: Microsoft Internet Explorer is a browser for the Windows operating system. Internet Explorer is exposed to a remote code execution issue that arises when the browser displays a malicious web page. This issue occurs because of an error when accessing an object that has been incorrectly initialized or deleted.
  • Ref: http://www.microsoft.com/technet/security/Bulletin/MS10-002.mspx

  • 10.5.5 - CVE: CVE-2010-0248
  • Platform: Other Microsoft Products
  • Title: Microsoft Internet Explorer (CVE-2010-0248) Uninitialized Memory Remote Code Execution
  • Description: Microsoft Internet Explorer is a browser for the Windows operating system. Internet Explorer is exposed to a remote code execution issue that arises when the browser displays a malicious web page. This issue occurs because of an error when accessing an object that has been incorrectly initialized or deleted.
  • Ref: http://www.zerodayinitiative.com/advisories/ZDI-10-014/

  • 10.5.6 - CVE: CVE-2010-0246
  • Platform: Other Microsoft Products
  • Title: Microsoft Internet Explorer (CVE-2010-0246) Uninitialized Memory Remote Code Execution
  • Description: Microsoft Internet Explorer is a browser for the Windows operating system. Internet Explorer is exposed to a remote code execution issue that arises when the browser displays a malicious web page. This issue occurs because of an error when accessing an object that has been incorrectly initialized or deleted.
  • Ref: http://www.zerodayinitiative.com/advisories/ZDI-10-012/

  • 10.5.7 - CVE: Not Available
  • Platform: Other Microsoft Products
  • Title: Microsoft Internet Explorer Unspecified Information Disclosure
  • Description: Microsoft Internet Explorer is a browser for the Windows operating system. The browser is exposed to an unspecified information disclosure issue.
  • Ref: http://www.networkworld.com/news/2010/012510-researcher-to-reveal-more-internet.html

  • 10.5.8 - CVE: Not Available
  • Platform: Third Party Windows Apps
  • Title: RadASM ".mnu" File Buffer Overflow
  • Description: RadASM is an assembly language IDE for the Microsoft Windows operating system. RadASM is exposed to a buffer overflow issue because it fails to perform adequate checks on user-supplied input. Specifically, a maliciously constructed ".mnu" file may corrupt memory. RadASM version 2.2.1.5 is affected.
  • Ref: http://www.securityfocus.com/bid/37914

  • 10.5.9 - CVE: Not Available
  • Platform: Third Party Windows Apps
  • Title: Windows Live Messenger ActiveX Control "RichUploadControlContextData" Buffer Overflow
  • Description: Windows Live Messenger is an instant messaging application for Microsoft Windows. It includes an ActiveX control. Windows Live Messenger is exposed to a buffer overflow issue because it fails to perform adequate boundary checks on user-supplied data. The vulnerability affects the "RichUploadControlContextData" method of the ActiveX control provided by the file "Microsoft.Live.Folders.RichUpload.3.dll". Windows Live Messenger 2009 on Windows XP, Vista, and 7 is affected.
  • Ref: http://support.microsoft.com/kb/240797

  • 10.5.10 - CVE: Not Available
  • Platform: Third Party Windows Apps
  • Title: Rising Antivirus Multiple IOCTL Request Handling Local Privilege Escalation Vulnerabilities
  • Description: Rising Antivirus is a security product available for Microsoft Windows. The application is exposed to multiple local privilege escalation issues because the "RsNTGdi.sys", "HookCont.sys", "HookSys.sys", "HOOKREG.sys", and "HookNtos.sys" drivers fail to properly validate user-space input.
  • Ref: http://www.securityfocus.com/bid/37951

  • 10.5.11 - CVE: Not Available
  • Platform: Linux
  • Title: Linux Kernel ATI Radeon Drivers Local Privilege Escalation
  • Description: Linux kernel is exposed to a local privilege escalation issue that is caused by a memory access error. Specifically, some open source ATI Radeon drivers may be used to write to arbitrary memory locations with kernel privileges. This issue stems from an error when handling "FRAG" and "TILE" registers.
  • Ref: http://permalink.gmane.org/gmane.comp.security.oss.general/2515

  • 10.5.12 - CVE: CVE-2010-0291
  • Platform: Linux
  • Title: Linux Kernel CVE-2010-0291 "mmap()" and "mremap()" Multiple Denial of Service Vulnerabilities
  • Description: The Linux kernel is exposed to multiple denial of service issues when mapping memory addresses. These issues occur in multiple architectures, affecting the "mmap" subsystem. Multiple patches affecting approximately 58 source files have been rolled into one release to address assorted problems. Because of the complexity of these issues and their interrelated nature, one CVE identifier has been assigned. The Linux kernel version 2.6.32.4 is affected.
  • Ref: https://bugzilla.redhat.com/show_bug.cgi?id=556703

  • 10.5.13 - CVE: Not Available
  • Platform: Cross Platform
  • Title: Embarcadero Technologies InterBase SMP 2009 Multiple Stack Buffer Overflow Vulnerabilities
  • Description: Embarcadero Technologies InterBase SMP 2009 is a scalable database application available for multiple operating systems. The application is exposed to multiple stack-based buffer overflow issues because it fails to perform adequate boundary checks on user-supplied data. Specifically, two unspecified issues occur when the application processes specially crafted packets via TCP port 3050. InterBase SMP 2009 version 9.0.3.437 for Microsoft Windows is affected.
  • Ref: http://www.securityfocus.com/bid/37916

  • 10.5.14 - CVE: CVE-2010-0315
  • Platform: Cross Platform
  • Title: Google Chrome Style Sheet Redirection Information Disclosure
  • Description: Google Chrome is a web browser. Chrome is exposed to a remote information disclosure issue that occurs because the application allows attackers to discover a redirect target URL for a victim's session. An attacker can exploit this issue by placing a malicious site URL in the HREF attribute of a stylesheet link element and then reading the "document.styleSheets[0].href" property value.
  • Ref: http://nomoreroot.blogspot.com/2010/01/little-bug-in-safari-and-google-chrome.html

  • 10.5.15 - CVE: Not Available
  • Platform: Cross Platform
  • Title: Xerox WorkCentre Network Controller Directory Structure Unauthorized Access
  • Description: Xerox WorkCentre is a web capable printer and photocopier. WorkCentre is exposed to an issue that can result in unauthorized access to the Network Controller directory structure when processing a specially crafted PostScript (".ps") file.
  • Ref: http://www.xerox.com/downloads/usa/en/c/cert_XRX10-001_v1.0.pdf

  • 10.5.16 - CVE: CVE-2010-0137
  • Platform: Cross Platform
  • Title: Cisco IOS XR SSH Protocol Implementation Remote Denial of Service
  • Description: Cisco IOS XR is a microkernel based operating system for various Cisco devices. Cisco IOS XR is exposed to a remote denial of service issue in the SSH server implementation. Specifically, this issue occurs when the SSH server handles specially crafted SSH version 2 packets.
  • Ref: http://www.cisco.com/warp/public/707/cisco-sa-20100120-xr-ssh.shtml

  • 10.5.17 - CVE: CVE-2010-0138
  • Platform: Cross Platform
  • Title: Cisco CiscoWorks Internetwork Performance Monitor CORBA GIOP Remote Buffer Overflow
  • Description: Internetwork Performance Monitor (IPM) is a troubleshooting component within the CiscoWorks LAN Management Solution bundle. IPM is exposed to a remote buffer overflow issue because it fails to properly bounds check user-supplied data. Specifically, the issue is triggered when processing Common Object Request Broker Architecture GIOP requests. CiscoWorks IPM versions 2.6 and earlier for Microsoft Windows are affected.
  • Ref: http://www.securityfocus.com/archive/1/509070

  • 10.5.18 - CVE: CVE-2009-4241, CVE-2009-4242, CVE-2009-4243, CVE-2009-4244, CVE-2009-4245, CVE-2009-4257, CVE-2009-4248, CVE-2009-4247, CVE-2009-4246
  • Platform: Cross Platform
  • Title: Multiple RealNetworks Products Multiple Remote Vulnerabilities
  • Description: RealPlayer SP, RealPlayer, and Helix Player are media player applications available for Microsoft Windows, Mac OS X, and Linux. The applications are exposed to multiple issues. A remote attacker could exploit these issues by crafting a file and enticing an unsuspecting user to open it using a vulnerable application. The following versions are affected: RealPlayer SP 1.0.0 through 1.0.1; RealPlayer 11 11.0.0 through 11.0.5; RealPlayer 10.5 6.0.12.1040 through 6.0.12.163, 6.0.12.1675, 6.0.12.1698, and 6.0.12.1741; RealPlayer 10 and 10.1; Helix Player 11.0.0 through 11.0.2.
  • Ref: http://www.zerodayinitiative.com/advisories/ZDI-10-006/

  • 10.5.19 - CVE: CVE-2010-0015
  • Platform: Cross Platform
  • Title: glibc and eglibc "nis/nss_nis/nis-pwd.c" Remote Information Disclosure
  • Description: The "glibc" and "eglibc" libraries are implementations of the GNU C library. The libraries are exposed to a remote information disclosure issue because they fail to properly restrict access to encrypted passwords. Specifically, functions in the "nis/nss_nis/nis-pwd.c" source file incorrectly combine data from the NIS maps "passwd" and "passwd.adjunct.byname". glibc version 2.7 and eglibc version 2.10.2 are affected.
  • Ref: http://www.openwall.com/lists/oss-security/2010/01/07/3

  • 10.5.20 - CVE: CVE-2009-2624
  • Platform: Cross Platform
  • Title: GNU Gzip Dynamic Huffman Decompression Remote Code Execution
  • Description: Gzip is a compression utility. The application is exposed to a remote code execution issue when handling specially crafted ".zip" files. This issue may occur when decompressing specially crafted blocks compressed by dynamic Huffman codes.
  • Ref: http://www.securityfocus.com/bid/37888

  • 10.5.21 - CVE: CVE-2010-0001
  • Platform: Cross Platform
  • Title: GNU gzip LZW Compression Remote Integer Overflow
  • Description: GNU gzip is a command line data stream compressor and archiver. GNU gzip is exposed to a remote integer underflow issue because it fails to sufficiently validate an integer value before using it to index an array. The vulnerability occurs when expanding archive files compressed with the Lempel-Ziv-Welch compression algorithm.
  • Ref: http://www.securityfocus.com/bid/37886

  • 10.5.22 - CVE: Not Available
  • Platform: Cross Platform
  • Title: Sun Java System Web Server Digest Authentication Remote Buffer Overflow
  • Description: Sun Java System Web Server is an HTTP server. The application is exposed to a remote buffer overflow issue because it fails to perform adequate boundary checks on user-supplied data. Specifically, the issue occurs when processing the HTTP Authorization header using the digest method. Sending an overly long value may result in a heap-based buffer overflow. Sun Java System Web Server version 7.0 Update 7 is affected.
  • Ref: http://intevydis.blogspot.com/2010/01/sun-java-system-web-server-70u7-digest.html

  • 10.5.23 - CVE: Not Available
  • Platform: Cross Platform
  • Title: Sun Java System Directory Server LDAP Search Request Denial of Service
  • Description: Sun Java System Directory Server is an LDAP server distributed with Directory Server 7.0 Enterprise Edition. Directory Server is exposed to a denial of service issue that affects the Directory Server process ("ns-slapd" and "slapd.exe"). The issue arises when processing specially crafted LDAP search requests.
  • Ref: http://sunsolve.sun.com/search/document.do?assetkey=1-66-275711-1

  • 10.5.24 - CVE: Not Available
  • Platform: Cross Platform
  • Title: SAP BusinessObjects Multiple Input Validation Vulnerabilities
  • Description: SAP BusinessObjects is an enterprise level collaborative system for managing productivity and data. SAP BusinessObjects is exposed to multiple input validation issues because it fails to sufficiently sanitize user-supplied input. BusinessObjects versions XI 3.x (12.x) are affected.
  • Ref: http://www.procheckup.com/vulnerability_manager/vulnerabilities/pr09-02

  • 10.5.25 - CVE: Not Available
  • Platform: Cross Platform
  • Title: Tor Directory Authorities Directory Queries Remote Information Disclosure
  • Description: Tor is an implementation of second generation onion routing, a connection oriented anonymous communication service. Tor is exposed to an information disclosure issue that occurs because the bridge directory authorities disclose each tracked identity when responding to "dbg-stability.txt" directory queries. Tor versions prior to 0.2.1.22 are affected.
  • Ref: http://archives.seul.org/or/talk/Jan-2010/msg00161.html

  • 10.5.26 - CVE: Not Available
  • Platform: Cross Platform
  • Title: Sun Java System Web Server "admin" Server Denial of Service
  • Description: Sun Java System Web Server is an HTTP server. The application is exposed to a denial of service issue that affects the admin server. The issue arises in "/opt/sun/webserver7/lib/libns-httpd40.so" due to a NULL pointer dereference error when processing specially crafted requests. Sun Java System Web Server version 7.0 Update 6 is affected.
  • Ref: http://intevydis.blogspot.com/2010/01/sun-java-system-web-server-70-admin.html

  • 10.5.27 - CVE: Not Available
  • Platform: Cross Platform
  • Title: Sun Java System Web Server WebDAV Format String
  • Description: Sun Java System Web Server is an HTTP server. The application is exposed to a remote format string issue because it fails to properly sanitize user-supplied input before passing it as the format specifier to a formatted printing function. The issue arises in the "webservd" process when handling specially crafted WebDAV requests. Sun Java System Web Server version 7.0 Update 6 is affected.
  • Ref: http://sunsolve.sun.com/search/document.do?assetkey=1-66-275850-1

  • 10.5.28 - CVE: Not Available
  • Platform: Cross Platform
  • Title: IntelliTamper "defer" Attribute Handling Remote Buffer Overflow
  • Description: IntelliTamper is a spider application for scanning web sites. IntelliTamper is exposed to a buffer overflow issue because the application fails to perform adequate boundary checks on user-supplied data. This vulnerability occurs when the application parses HTML documents that contain overly large values for the "defer" attribute of a "script" element. IntelliTamper versions 2.07 and 2.08 are affected.
  • Ref: http://www.securityfocus.com/bid/37912

  • 10.5.29 - CVE: Not Available
  • Platform: Cross Platform
  • Title: IBM Lotus Domino Web Access Prior to 229.131 Unspecified Security
  • Description: IBM Lotus Domino Web Access or iNotes facilitates web access to Domino based mail, calendar, schedule, to-do lists, contact lists, and notebooks for Lotus Domino users. The application is exposed to an unspecified issue. IBM Lotus Domino Web Access versions 8.0.2 prior to Hotfix 229.131 are affected.
  • Ref: http://www-01.ibm.com/support/docview.wss?uid=swg27017776

  • 10.5.30 - CVE: CVE-2010-0314
  • Platform: Cross Platform
  • Title: Apple Safari Style Sheet Redirection Information Disclosure
  • Description: Apple Safari is a web browser. Safari is exposed to a remote information disclosure issue that occurs because the application allows attackers to discover a redirect target URL for a victim's session.
  • Ref: http://nomoreroot.blogspot.com/2010/01/little-bug-in-safari-and-google-chrome.html

  • 10.5.31 - CVE: Not Available
  • Platform: Cross Platform
  • Title: Oracle WebLogic Server Node Manager "beasvc.exe" Remote Command Execution
  • Description: Oracle WebLogic Server is an enterprise application server. WebLogic Server is exposed to an issue that attackers can leverage to execute arbitrary commands. Specifically, the Network Manager utility "beasvc.exe" will accept connections without requiring authentication. Oracle WebLogic Server version 10.3.2 is affected.
  • Ref: http://intevydis.blogspot.com/2010/01/oracle-weblogic-1032-node-manager-fun.html

  • 10.5.32 - CVE: Not Available
  • Platform: Cross Platform
  • Title: Authentium SafeCentral Local Privilege Escalation
  • Description: Authentium SafeCentral is a security application to protect against identity theft. SafeCentral is exposed to a local privilege escalation issue that occurs when handling IOCTL requests for the "DeviceShDev" device in the "shdrv.sys" file. Specifically, the handler function for "IRP_MJ_DEVICE_CONTROL" processes a user-controlled pointer that may allow an attacker to escalate privileges. SafeCentral versions 2.6 and earlier are affected.
  • Ref: http://digit-labs.org/files/otherstuff/unsafecentral/

  • 10.5.33 - CVE: CVE-2009-2901
  • Platform: Cross Platform
  • Title: Apache Tomcat Directory Host Appbase Authentication Bypass
  • Description: Apache Tomcat is a Java-based Web server for multiple operating systems. The Web server is exposed to an authentication bypass issue. Specifically, under certain circumstances when the application autodeploys files and directories, it does so without proper security constraints. Tomcat versions 5.5.0 through 5.5.28 and 6.0.0 through 6.0.20 are affected.
  • Ref: http://svn.apache.org/viewvc?view=revision&revision=892815

  • 10.5.34 - CVE: Not Available
  • Platform: Cross Platform
  • Title: MySQL with yaSSL SSL Certificate Handling Remote Stack Buffer Overflow
  • Description: MySQL is an open source SQL database available for multiple operating systems. yaSSL is an SSL library implementation. MySQL when compiled with yaSSL is exposed to a remote buffer overflow issue because it fails to perform adequate boundary checks on user-supplied data. Specifically, the issue is triggered when processing crafted SSL certificates. MySQL version 5.5.0-ms2 is affected.
  • Ref: http://intevydis.blogspot.com/2010/01/mysq-yassl-stack-overflow.html

  • 10.5.35 - CVE: Not Available
  • Platform: Cross Platform
  • Title: Google Chrome prior to 4.0.249.78 Multiple Security Vulnerabilities
  • Description: Google Chrome is a web browser for multiple platforms. The browser is prone to multiple issues: 1) A pop-up blocker bypass issue that may allow attackers to open arbitrary pop-up windows in the browser; 2) A cross-domain information disclosure issue that arises due to a design error; 3) A memory handling issue in the pop-up block menu; 4) An unspecified issue relating to the use of XMLHttpRequest with directories; 5) An input validation issue in shortcuts; 6) Multiple memory corruption issues in the renderer related to drawing on canvases; 7) A memory corruption issue that arises when the application decodes images; 8) An unspecified issue associated with the HTTP Referer field; 9) An unspecified cross-domain access issue; 10) An unspecified deserialization error that arises when Bitmap files are handled; and 11) A nested URL that may crash the browser. Chrome versions prior to 4.0.249.78 are affected.
  • Ref: http://secunia.com/secunia_research/2009-65/

  • 10.5.36 - CVE: Not Available
  • Platform: Cross Platform
  • Title: Support Incident Tracker Blank Password Authentication Bypass
  • Description: Support Incident Tracker (SiT!) is an open source web application for tracking technical support requests. The software is exposed to an authentication bypass issue. Specifically, the issue allows attackers to gain access as an existing LDAP user by supplying a blank password. SiT! versions prior to 3.51 are affected.
  • Ref: http://sitracker.org/wiki/ReleaseNotes351

  • 10.5.37 - CVE: CVE-2009-4606
  • Platform: Cross Platform
  • Title: South River Technologies WebDrive Security Descriptor Local Privilege Escalation
  • Description: South River Technologies WebDrive is a fileserver application. The application is exposed to a local privilege escalation issue because it fails to properly implement security descriptors. WebDrive version 9.02 is affected.
  • Ref: http://www.securityfocus.com/bid/37955

  • 10.5.38 - CVE: Not Available
  • Platform: Cross Platform
  • Title: NetSupport Manager Denial of Service
  • Description: NetSupport Manager is a remote control and management application available for multiple platforms. NetSupport Manager is exposed to a denial of service issue that may be triggered when a user telnets to a port that the application listens on and then presses the "enter" key twice. NetSupport Manager versions prior to 10.60.0006 are affected.
  • Ref: http://www.securityfocus.com/archive/1/509177

  • 10.5.39 - CVE: CVE-2009-4612
  • Platform: Web Application - Cross Site Scripting
  • Title: Jetty JSP Snoop Page Multiple Cross-Site Scripting Vulnerabilities
  • Description: Jetty is a Java-based web server available for various operating systems. The application is exposed to multiple cross-site scripting issues because it fails to sufficiently sanitize user-supplied data to the "PATH_INFO" parameter of the following scripts: "jspsnoop/", "jspsnoop/ERROR/" and "jspsnoop/IOException/".
  • Ref: http://www.ush.it/team/ush/hack-jetty6x7x/jetty-adv.txt

  • 10.5.40 - CVE: Not Available
  • Platform: Web Application - Cross Site Scripting
  • Title: PunBB "viewtopic.php" Cross-Site Scripting
  • Description: PunBB is a PHP-based forum application. The application is exposed to a cross-site scripting issue because it fails to sanitize user-supplied input to the "pid" parameter of the "viewtopic.php" script. PunBB version 1.3 is affected.
  • Ref: http://www.securityfocus.com/bid/37930

  • 10.5.41 - CVE: Not Available
  • Platform: Web Application - Cross Site Scripting
  • Title: Joomla! 3D Cloud "tagcloud.swf" Cross-Site Scripting
  • Description: 3D Cloud is a component for the Joomla! content manager. The component is exposed to a cross-site scripting issue because it fails to properly sanitize user-supplied input to the "href" parameter of the "tagcloud.swf" file.
  • Ref: http://www.securityfocus.com/archive/1/509173

  • 10.5.42 - CVE: Not Available
  • Platform: Web Application - SQL Injection
  • Title: OpenX SQL Injection
  • Description: OpenX is a web-based ad server. The application is exposed to an SQL injection issue because it fails to sufficiently sanitize user-supplied data to the "q" parameter of the "index.php" script before using it in an SQL query. OpenX version 2.6.1 is affected.
  • Ref: http://www.securityfocus.com/bid/37913

  • 10.5.43 - CVE: Not Available
  • Platform: Web Application - SQL Injection
  • Title: PHPMySpace Gold "gid" Parameter SQL Injection
  • Description: PHPMySpace Gold is a social networking application. The application is exposed to an SQL injection issue because it fails to sufficiently sanitize user-supplied data to the "gid" parameter of the "index.php" script when the "act" parameter is set to "play_game". PHPMySpace Gold version 8.0 is affected.
  • Ref: http://www.securityfocus.com/bid/37881

  • 10.5.44 - CVE: Not Available
  • Platform: Web Application - SQL Injection
  • Title: Joomla! "com_acprojects" Component SQL Injection
  • Description: The "com_acprojects" application is a PHP-based component for the Joomla! content manager. The component is exposed to an SQL injection issue because it fails to sufficiently sanitize user-supplied data to the "Itemid" parameter before using it in an SQL query.
  • Ref: http://www.securityfocus.com/bid/37897

  • 10.5.45 - CVE: Not Available
  • Platform: Web Application - SQL Injection
  • Title: Joomla! "com_book" Component "cid[]" Parameter SQL Injection
  • Description: "com_book" is a component for the Joomla! content manager. The component is exposed to an SQL injection issue because it fails to sufficiently sanitize user-supplied data to the "cid[]" parameter of the "com_book" component before using it in an SQL query.
  • Ref: http://www.securityfocus.com/bid/37907

  • 10.5.46 - CVE: Not Available
  • Platform: Web Application - SQL Injection
  • Title: NetArt Media Blog System "blog.php" SQL Injection
  • Description: Blog System is a web-based blogging portal. The application is exposed to an SQL injection issue because it fails to sufficiently sanitize user-supplied data to the "note" parameter of the "blog.php" script. Blog System version 1.x is affected.
  • Ref: http://www.securityfocus.com/bid/37911

  • 10.5.47 - CVE: Not Available
  • Platform: Web Application - SQL Injection
  • Title: Joomla! Game Server Component "grp" Parameter SQL Injection
  • Description: Game Server is a PHP-based component for the Joomla! content manager. The component is exposed to an SQL injection issue because it fails to sufficiently sanitize user-supplied data to the "grp" parameter of the "com_gameserver" component before using it in an SQL query.
  • Ref: http://www.securityfocus.com/bid/37920

  • 10.5.48 - CVE: Not Available
  • Platform: Web Application - SQL Injection
  • Title: Joomla! "com_biographies" Component "id" Parameter SQL Injection
  • Description: The "com_biographies" application is a PHP-based component for the Joomla! content manager. The component is exposed to an SQL injection issue because it fails to sufficiently sanitize user-supplied data to the "biobookid" parameter before using it in an SQL query.
  • Ref: http://www.securityfocus.com/bid/37920

  • 10.5.49 - CVE: Not Available
  • Platform: Web Application - SQL Injection
  • Title: Joomla! Mochigames Component "cid" Parameter SQL Injection
  • Description: The Mochigames application is a PHP-based component for the Joomla! content manager. The component is exposed to an SQL injection issue because it fails to sufficiently sanitize user-supplied data to the "cid" parameter of "com_mochigames" before using it in an SQL query.
  • Ref: http://www.securityfocus.com/bid/37931

  • 10.5.50 - CVE: Not Available
  • Platform: Web Application - SQL Injection
  • Title: Joomla! JbPublishDownFp Component "cid" Parameter SQL Injection
  • Description: The JbPublishDownFp application is a PHP-based component for the Joomla! content manager. The component is exposed to an SQL injection issue because it fails to sufficiently sanitize user-supplied data to the "cid" parameter of "com_jbpublishdownfp" before using it in an SQL query.
  • Ref: http://www.securityfocus.com/bid/37932

  • 10.5.51 - CVE: Not Available
  • Platform: Web Application - SQL Injection
  • Title: Joomla! "com_gurujibook" Component "id" Parameter SQL Injection
  • Description: The "com_gurujibook" application is a PHP-based component for the Joomla! content manager. The component is exposed to an SQL injection issue because it fails to sufficiently sanitize user-supplied data to the "bookid" parameter before using it in an SQL query.
  • Ref: http://www.securityfocus.com/bid/37933

  • 10.5.52 - CVE: Not Available
  • Platform: Web Application - SQL Injection
  • Title: Joomla! "com_gameserver" Component "id" Parameter SQL Injection
  • Description: The "com_gameserver" application is a PHP-based component for the Joomla! content manager. The component is exposed to an SQL injection issue because it fails to sufficiently sanitize user-supplied data to the "grp" parameter before using it in an SQL query.
  • Ref: http://www.securityfocus.com/bid/37934

  • 10.5.53 - CVE: Not Available
  • Platform: Web Application - SQL Injection
  • Title: Joomla! JBDiary Component Multiple SQL Injection Vulnerabilities
  • Description: The JBDiary component is a PHP-based application for the Joomla! content manager. The application is exposed to multiple SQL injection issues because it fails to sufficiently sanitize user-supplied data to the "newyear" and "newmonth" parameters before using them in an SQL query.
  • Ref: http://www.securityfocus.com/bid/37936

  • 10.5.54 - CVE: Not Available
  • Platform: Web Application - SQL Injection
  • Title: Joomla! "com_ContentBlogList" Component Multiple SQL Injection Vulnerabilities
  • Description: The "com_ContentBlogList" component is a PHP-based application for the Joomla! content manager. The application is exposed to multiple SQL injection issues because it fails to sufficiently sanitize user-supplied data to the "searchword", "id" and "section_id" parameters before using them in an SQL query.
  • Ref: http://www.securityfocus.com/bid/37937

  • 10.5.55 - CVE: Not Available
  • Platform: Web Application - SQL Injection
  • Title: Joomla! "com_casino" Component "id" Parameter SQL Injection
  • Description: The "com_casino" application is a PHP-based component for the Joomla! content manager. The component is exposed to an SQL injection issue because it fails to sufficiently sanitize user-supplied data to the "id" parameter before using it in an SQL query.
  • Ref: http://www.securityfocus.com/bid/37938

  • 10.5.56 - CVE: Not Available
  • Platform: Web Application - SQL Injection
  • Title: VirtueMart Multiple SQL Injection Vulnerabilities
  • Description: VirtueMart is a web-based shopping application for the Joomla content management system. VirtueMart is exposed to multiple SQL injection issues because it fails to sufficiently sanitize user-supplied data. One of the issues affects the "order_status_id" parameter while others are unspecified.
  • Ref: http://www.securityfocus.com/bid/37963

  • 10.5.57 - CVE: Not Available
  • Platform: Web Application
  • Title: phpBB Forum ID Security Bypass
  • Description: phpBB is a web application. phpBB is exposed to a security bypass issue because it fails to properly verify the forum ID when performing actions on a forum post. phpBB versions prior to 3.0.5 are affected.
  • Ref: http://www.phpbb.com/community/viewtopic.php?f=14&p=9764445

  • 10.5.58 - CVE: Not Available
  • Platform: Web Application
  • Title: Drupal Control Panel Module HTML Injection
  • Description: Control Panel is a PHP-based component for the Drupal content manager. The module is exposed to an HTML injection issue because it fails to properly sanitize user-supplied input. To exploit this issue, an attacker must have the "administer blocks" permission. Control Panel versions 5.x-1.5 (and prior) and 6.x-1.2 (and prior) are affected.
  • Ref: http://drupal.org/node/690718

  • 10.5.59 - CVE: Not Available
  • Platform: Web Application
  • Title: Drupal Recent Comments Module HTML Injection
  • Description: Recent Comments is a PHP-based component for the Drupal content manager. The module is exposed to an HTML injection issue because it fails to properly sanitize user-supplied input. Specifically, the issue affects the title of the "Recent Comments" block in the custom block title interface. Recent Comments versions 5.x-1.2 (and prior) and versions 6.x-1.0 (and prior) are affected.
  • Ref: http://drupal.org/node/690734

  • 10.5.60 - CVE: Not Available
  • Platform: Web Application
  • Title: cPanel and WHM "failurl" Parameter HTTP Response Splitting
  • Description: cPanel and WHM are web hosting control panels. cPanel and WHM are exposed to an HTTP response splitting issue that affects the "failurl" parameter of the login page. cPanel version 11.25 and WHM version 11.25 are affected.
  • Ref: http://www.securityfocus.com/bid/37902

  • 10.5.61 - CVE: Not Available
  • Platform: Web Application
  • Title: SilverStripe HTML Injection and Cross-Site Scripting Vulnerabilities
  • Description: SilverStripe is a PHP-based content manager. The application is exposed to multiple input validation issues. An HTML injection issue affects the "CommenterURL" parameter of the "PostCommentForm" comment posting mechanism. A cross-site scripting issue affects the "Search" parameter of the "forums/search/index.php" script. SilverStripe versions prior to 2.3.5 are affected.
  • Ref: http://www.securityfocus.com/bid/37923/references

  • 10.5.62 - CVE: CVE-2009-4611
  • Platform: Web Application
  • Title: Jetty Terminal Escape Sequence in Logs Command Injection
  • Description: Jetty is a Java-based web server available for various operating systems. Jetty is exposed to a command injection issue because it fails to adequately sanitize user-supplied input written to logfiles via HTTP Content-Length headers. Specifically, the software fails to properly filter terminal escape sequences before writing to logfiles.
  • Ref: http://www.ush.it/team/ush/hack-jetty6x7x/jetty-adv.txt

  • 10.5.63 - CVE: Not Available
  • Platform: Web Application
  • Title: boastMachine Arbitrary File Upload
  • Description: boastMachine is a web-based forum application. The application is exposed to an issue that lets attackers upload arbitrary files because it fails to adequately sanitize file extensions before uploading the file to the web server through the "files.php" script. boastMachine version 3.1 is affected.
  • Ref: http://www.securityfocus.com/bid/37940

  • 10.5.64 - CVE: Not Available
  • Platform: Web Application
  • Title: Open Media Collectors Database Multiple Local File Include Vulnerabilities
  • Description: Open Media Collectors Database (OpenDb) is a PHP-based inventory application. The application is exposed to multiple local file include issues because it fails to properly sanitize user-supplied input to the following scripts and parameters: "begin.inc.php", "_OPENDB_THEME" and "site_plugin.php", "site_plugin_classname". OpenDb version 1.5.0.4 is affected.
  • Ref: http://www.securityfocus.com/bid/37941

  • 10.5.65 - CVE: CVE-2009-2901
  • Platform: Web Application
  • Title: Apache Tomcat WAR File Directory Traversal
  • Description: Apache Tomcat is a Java-based web server available for multiple operating systems. Tomcat is exposed to a directory traversal issue because the application fails to sufficiently sanitize user-supplied input. Specifically, the application fails to sanitize directory traversal strings (../) from WAR files. Tomcat versions 5.5.0 through 5.5.28 and 6.0.0 through 6.0.20 are affected.
  • Ref: http://svn.apache.org/viewvc?view=revision&revision=902650

  • 10.5.66 - CVE: CVE-2009-2902
  • Platform: Web Application
  • Title: Apache Tomcat Host Working Directory WAR File Directory Traversal
  • Description: Apache Tomcat is a Java-based web server available for multiple operating systems. Tomcat is exposed to a directory traversal issue because the application fails to sufficiently sanitize user-supplied input. Specifically, the application fails to sanitize directory-traversal strings (../) from WAR files. Tomcat versions 5.5.0 through 5.5.28 and 6.0.0 through 6.0.20 are affected.
  • Ref: http://svn.apache.org/viewvc?view=revision&revision=902650

  • 10.5.67 - CVE: CVE-2009-2902
  • Platform: Web Application
  • Title: Kayako SupportSuite "staff/index.php" Multiple HTML Injection Vulnerabilities
  • Description: Kayako SupportSuite is a web-based support suite. The application is exposed to multiple HTML injection issues because it fails to properly sanitize user-supplied input before using it in dynamically generated content. These issues affect the "subject" and "contents" parameters of the "staff/index.php" script when the "_m" parameter is set to "knowledgebase" and the "_a" parameter is set to "insertquestion". SupportSuite version 3.60.04 is affected.
  • Ref: http://archives.neohapsis.com/archives/bugtraq/2010-01/0212.html

  • 10.5.68 - CVE: Not Available
  • Platform: Web Application
  • Title: TinyBrowser Joomla! Component "folders.php" Local File Include
  • Description: TinyBrowser is a component for the Joomla! content manager. The component is exposed to a local file include issue because it fails to properly sanitize user-supplied input to the "plugins/editors/tinymce/jscripts/tiny_mce/plugins/tinybrowser/folders.php" script.
  • Ref: http://www.securityfocus.com/bid/37956

  • 10.5.69 - CVE: Not Available
  • Platform: Web Application
  • Title: e107 Unspecified Remote
  • Description: e107 is a PHP-based content manager. The application is exposed to an unspecified remote issue that may allow remote attackers to gain unauthorized access to a vulnerable computer in the context of the underlying web server. e107 versions prior to 0.7.17 are affected.
  • Ref: http://e107.org/comment.php?comment.news.856

  • 10.5.70 - CVE: Not Available
  • Platform: Network Device
  • Title: Xerox WorkCentre Multiple Unspecified Authentication Bypass Vulnerabilities
  • Description: Xerox WorkCentre is a web-capable printer and photocopier. The device is exposed to multiple authentication bypass issues because it fails to restrict access to sensitive functions. These issues affect the "Network Controller" and "Web Server" components.
  • Ref: http://www.xerox.com/downloads/usa/en/c/cert_XRX10-002_v1.0.pdf

  • 10.5.71 - CVE: Not Available
  • Platform: Network Device
  • Title: IBM Datapower XS40 Malformed ICMP Packet Denial of Service
  • Description: IBM Datapower XS40 is a device that provides security to XML web services. The device is exposed to a denial of service issue because it fails to handle malformed ICMP packets sent to the QLOGIC network interface. IBM Datapower XS40 firmware version 3.7.2.1 is affected.
  • Ref: http://www-01.ibm.com/support/docview.wss?rs=2362&uid=swg1IC61364

  • 10.5.72 - CVE: Not Available
  • Platform: Network Device
  • Title: Novatel Wireless MiFi 2352 Password Information Disclosure
  • Description: MiFi 2352 is a device that provides wireless Internet access. The device is exposed to an information disclosure issue. Specifically, the device stores passwords in the "config.xml.sav" or "config.xml.save" XML file, which can be accessed by an unauthenticated user through the HTTP protocol. MiFi 2352 access point firmware version 11.47.17 is affected.
  • Ref: http://www.securitybydefault.com/2010/01/vulnerabilidad-en-modemrouter-3g.html

(c) 2010. All rights reserved. The information contained in this newsletter, including any external links, is provided "AS IS," with no express or implied warranty, for informational purposes only. In some cases, copyright for material in this newsletter may be held by a party other than Qualys (as indicated herein) and permission to use such material must be requested from the copyright owner.

Subscriptions: @RISK is distributed free of charge by the SANS Institute to people responsible for managing and securing information systems and networks. You may forward this newsletter to others with such responsibility inside or outside your organization.