@RISK: The Consensus Security Vulnerability Alert

Part I -- Critical Vulnerabilities from TippingPoint (www.tippingpoint.com)

Part II -- Comprehensive List of Newly Discovered Vulnerabilities from Qualys

• (1) HIGH: IBM Tivoli Storage Manager Client Remote Script Execution

Part II -- Comprehensive List of Newly Discovered Vulnerabilities from Qualys (www.qualys.com)

Windows

• 10.52.1 - Microsoft Windows Remote Access Phonebook Executable Loading Arbitrary Code Execution

Third Party Windows Apps

• 10.52.2 - SolarFTP Multiple Commands Remote Denial of Service Vulnerabilities
• 10.52.3 - Real Networks RealPlayer ActiveX control Cross-Zone Scripting
• 10.52.4 - Word Splash Pro ".wsl" File Buffer Overflow
• 10.52.5 - Skype "wab32.dll" DLL Loading Arbitrary Code Execution
• 10.52.6 - Microsoft WMI Administrative Tools ActiveX Control Remote Code Execution

Cross Platform

• 10.52.7 - IBM Tivoli Storage Manager Client Multiple Remote Vulnerabilities
• 10.52.8 - HP OpenVMS Integrity Server Unspecified Local Privilege Escalation
• 10.52.9 - BlackBerry Desktop Software Information Disclosure
• 10.52.10 - Opera Web Browser Prior to 11.00 Multiple Security Vulnerabilities
• 10.52.11 - Alt-N WebAdmin Remote Source Code Information Disclosure
• 10.52.12 - Apple Time Capsule and AirPort Base Station DHCP Reply Remote Denial of Service
• 10.52.13 - Adobe Photoshop DLL Loading Arbitrary Code Execution
• 10.52.14 - Apple Mobile Safari "decodeURI()" Remote Denial of Service
• 10.52.15 - HP StorageWorks Storage Mirroring Unspecified Remote Code Execution
• 10.52.16 - VMware ESXi Update Installer Unauthorized Access

Web Application - Cross Site Scripting

• 10.52.17 - HP Discovery and Dependency Mapping Inventory Cross-Site Scripting
• 10.52.18 - Real Networks RealPlayer "HTML" Files Cross-Domain Scripting
• 10.52.19 - WordPress Embedded Video Plugin "lembedded-video.php" Cross-Site Scripting
• 10.52.20 - MyBB "member.php" and "newreply.php" Multiple Cross-Site Scripting Vulnerabilities

• - - Softbiz PHP Joke Site Software Multiple SQL Injection Vulnerabilities Description: Softbiz PHP Joke Site Software is a PHP-based web application. The application is exposed to multiple SQL injection issues because it fails to sufficiently sani

Web Application

• 10.52.22 - WordPress "cformsII" Plugin CAPTCHA Security Bypass
• 10.52.23 - Symantec Endpoint Protection Reporting Module "fw_charts.php" Remote Code Execution
• 10.52.24 - S9Y Serendipity "manager.php" Arbitrary File Upload
• 10.52.25 - Hycus CMS Multiple Input Validation Vulnerabilities
• 10.52.26 - REstate Real Estate Script HTML Injection
• 10.52.27 - Ecava IntegraXor "file_name" Parameter Directory Traversal
• 10.52.28 - Injader Multiple Input Validation Vulnerabilities

PART I Critical Vulnerabilities

PART I Critical Vulnerabilities Part I for this issue has been compiled by Josh Bronson at TippingPoint, a division of HP, as a by-product of that company's continuous effort to ensure that its intrusion prevention products effectively block exploits using known vulnerabilities. TippingPoint's analysis is complemented by input from a council of security managers from twelve large organizations who confidentially share with SANS the specific actions they have taken to protect their systems. A detailed description of the process may be found at http://www.sans.org/newsletters/risk/#process

Part II: Weekly Comprehensive List of Newly Discovered Vulnerabilities
Week 52, 2010

Part II -- Comprehensive List of Newly Discovered Vulnerabilities from Qualys (www.qualys.com) This list is compiled by Qualys ( www.qualys.com ) as part of that company's ongoing effort to ensure its vulnerability management web service tests for all known vulnerabilities that can be scanned. As of this week Qualys scans for 10705 unique vulnerabilities. For this special SANS community listing, Qualys also includes vulnerabilities that cannot be scanned remotely. ______________________________________________________________________

• 10.52.1 - CVE: Not Available
• Platform: Windows
• Title: Microsoft Windows Remote Access Phonebook Executable Loading Arbitrary Code Execution
• Description: Microsoft Windows is exposed to an issue that lets attackers execute arbitrary code. The issue arises because Remote Access Phonebook ("rasphone.exe") loads the HTML Help binary ("hh.exe") in an insecure manner.
• Ref: http://www.securityfocus.com/bid/45404

• 10.52.2 - CVE: Not Available
• Platform: Third Party Windows Apps
• Title: SolarFTP Multiple Commands Remote Denial of Service Vulnerabilities
• Description: SolarFTP is an FTP server available for Microsoft Windows. SolarFTP is exposed to multiple remote denial of service issues because the application fails to properly handle specially crafted FTP commands. SolarFTP 2.0 is affected.
• Ref: http://www.securityfocus.com/bid/45460

• 10.52.3 - CVE: CVE-2010-4396
• Platform: Third Party Windows Apps
• Title: Real Networks RealPlayer ActiveX control Cross-Zone Scripting
• Description: Real Networks RealPlayer is an application that allows users to play various media formats. The application is exposed to a cross-zone scripting issue that occurs in the ActiveX control. Windows RealPlayer SP versions 1.1.5 and prior and RealPlayer Enterprise versions 2.1.2 and prior are affected.
• Ref: http://www.zerodayinitiative.com/advisories/ZDI-10-275/

• 10.52.4 - CVE: Not Available
• Platform: Third Party Windows Apps
• Title: Word Splash Pro ".wsl" File Buffer Overflow
• Description: Word Splash Pro is puzzle creator software available for Microsoft Windows. Word Splash Pro is exposed to a buffer overflow issue because it fails to perform adequate checks on user-supplied input. Word Splash Pro version 9.5 is affected.
• Ref: http://www.securityfocus.com/bid/45517

• 10.52.5 - CVE: CVE-2010-3136
• Platform: Third Party Windows Apps
• Title: Skype "wab32.dll" DLL Loading Arbitrary Code Execution
• Description: Skype is a peer-to-peer communications software that supports Internet-based voice communications. Skype is exposed to an issue that allows attackers to execute arbitrary code.
• Ref: http://blog.metasploit.com/2010/08/exploiting-dll-hijacking-flaws.html

• 10.52.6 - CVE: Not Available
• Platform: Third Party Windows Apps
• Title: Microsoft WMI Administrative Tools ActiveX Control Remote Code Execution
• Description: Microsoft WMI Administrative Tools is an application created by Microsoft to manage WMI scripts. The application is exposed to a remote code execution issue. Microsoft WMI Administrative Tools version 1.1 is affected.
• Ref: http://www.kb.cert.org/vuls/id/725596

• 10.52.7 - CVE: Not Available
• Platform: Cross Platform
• Title: IBM Tivoli Storage Manager Client Multiple Remote Vulnerabilities
• Description: IBM Tivoli Storage Manager is an application for automated backup and recovery of data. IBM Tivoli Storage Manager Client is exposed to multiple issues.
• Ref: http://www.kryptoslogic.com/advisories/2010/kryptoslogic-ibm-tivoli-dsmtca.txt

• 10.52.8 - CVE: CVE-2010-4110
• Platform: Cross Platform
• Title: HP OpenVMS Integrity Server Unspecified Local Privilege Escalation
• Description: OpenVMS is a mainframe like operating system originally developed by Digital. HP OpenVMS is exposed to an unspecified local privilege escalation issue in the Integrity Server. HP OpenVMS Itanium versions 8.3, 8.3-1H1 and 8.4 are affected.
• Ref: http://www.securityfocus.com/archive/1/515264

• 10.52.9 - CVE: CVE-2010-2603
• Platform: Cross Platform
• Title: BlackBerry Desktop Software Information Disclosure
• Description: BlackBerry Desktop Software is an application that allows users to synchronize contacts, calendars and emails. The application is exposed to an information disclosure issue because it uses insufficient encryption to generate database backup files.
• Ref: http://www.blackberry.com/btsc/search.do?cmd=displayKC&docType=kc&extern
  alId=KB24764

• 10.52.10 - CVE: Not Available
• Platform: Cross Platform
• Title: Opera Web Browser Prior to 11.00 Multiple Security Vulnerabilities
• Description: Opera is a cross-platform web browser. The application is exposed to multiple security issues. An attacker can exploit these issues to trick users into downloading malicious content or to gain potentially sensitive information. Opera versions prior to 11.00 are affected.
• Ref: http://www.opera.com/docs/changelogs/unix/1100/

• 10.52.11 - CVE: Not Available
• Platform: Cross Platform
• Title: Alt-N WebAdmin Remote Source Code Information Disclosure
• Description: Alt-N WebAdmin is an optional component for MDaemon and RelayFax that allows remote administration. The application is exposed to an information disclosure issue because it fails to properly sanitize user-supplied input. Alt-N WebAdmin version 3.3.3, U-Mail version 9.8 for Windows and U-Mail GateWay version 9.8 for Windows are affected.
• Ref: http://www.securityfocus.com/bid/45476

• 10.52.12 - CVE: CVE-2010-1804, CVE-2010-0039, CVE-2009-2189
• Platform: Cross Platform
• Title: Apple Time Capsule and AirPort Base Station DHCP Reply Remote Denial of Service
• Description: Apple Time Capsule is a wireless backup application for Mac OS X. Apple AirPort Base Station is a wireless network device for sharing network resources. Apple Time Capsule and AirPort Base Station are exposed to a remote denial of service vulnerability because of an implementation issue in the network bridge. Apple Time Capsule and AirPort Base Station running firmware versions prior to 7.5.2 are affected.
• Ref: http://www.securityfocus.com/bid/45491

• 10.52.13 - CVE: Not Available
• Platform: Cross Platform
• Title: Adobe Photoshop DLL Loading Arbitrary Code Execution
• Description: Adobe Photoshop is an application that allows users to view and edit various graphic formats. Adobe Photoshop is exposed to an issue that lets attackers execute arbitrary code. The issue arises because the application searches for an unspecified Dynamic Link Library file in the current working directory. Adobe Photoshop CS5 versions 12.0.1 and earlier are affected.
• Ref: http://www.adobe.com/support/downloads/detail.jsp?ftpID=4949

• 10.52.14 - CVE: Not Available
• Platform: Cross Platform
• Title: Apple Mobile Safari "decodeURI()" Remote Denial of Service
• Description: Apple Mobile Safari is a web browser for Apple's mobile devices, such as iPhone, iPad, and iPod touch. Apple Mobile Safari is exposed to a remote denial of service issue when handling specially crafted webpages.
• Ref: http://www.securityfocus.com/bid/45516

• 10.52.15 - CVE: CVE-2010-4116
• Platform: Cross Platform
• Title: HP StorageWorks Storage Mirroring Unspecified Remote Code Execution
• Description: HP StorageWorks Storage Mirroring is a replication and failover solution for enterprises. HP StorageWorks Storage Mirroring is exposed to an unspecified remote code execution issue. HP StorageWorks Storage Mirroring versions 5 through 5.2.2.1771.1 are affected.
• Ref: http://h20000.www2.hp.com/bizsupport/TechSupport/Document.jsp?objectID=c02660122

• 10.52.16 - CVE: CVE-2010-4573
• Platform: Cross Platform
• Title: VMware ESXi Update Installer Unauthorized Access
• Description: VMware ESXi is a virtualization application. ESXi is exposed to an unauthorized access issue. The problem occurs when a ESXi 3.5 or 4.0 installation with a modified SFCB configuration file is upgraded to ESXi 4.1. ESXi version 4.1 is affected.
• Ref: http://kb.vmware.com/selfservice/microsites/search.do?language=en_US&cmd=dis
  playKC&externalId=1031761

• 10.52.17 - CVE: CVE-2010-4114
• Platform: Web Application - Cross Site Scripting
• Title: HP Discovery and Dependency Mapping Inventory Cross-Site Scripting
• Description: HP Discovery and Dependency Mapping Inventory (DDMI) is an application for managing assets. HP DDMI is prone to an unspecified cross-site scripting issue because it fails to sanitize user-supplied input. DDMI versions 2.5x, 7.5x, and 7.6x running on Windows are affected.
• Ref: http://www.securityfocus.com/archive/1/515286

• 10.52.18 - CVE: CVE-2010-4388
• Platform: Web Application - Cross Site Scripting
• Title: Real Networks RealPlayer "HTML" Files Cross-Domain Scripting
• Description: Real Networks RealPlayer is an application that allows users to play various media formats. Real Networks RealPlayer is exposed to a cross-domain scripting issue that affects the "Upsell.html", "Main.html" and "Custsupport.html" scripts when handling local HTML files.
• Ref: http://www.zerodayinitiative.com/advisories/ZDI-10-277/

• 10.52.19 - CVE: CVE-2010-4277
• Platform: Web Application - Cross Site Scripting
• Title: WordPress Embedded Video Plugin "lembedded-video.php" Cross-Site Scripting
• Description: Embedded Video is a plugin for Wordpress. The Processing Embed plugin is exposed to a cross-site scripting issue because it fails to properly sanitize user-supplied input of the "lembedded-video.php" script.
• Ref: http://www.securityfocus.com/bid/45486

• 10.52.20 - CVE: Not Available
• Platform: Web Application - Cross Site Scripting
• Title: MyBB "member.php" and "newreply.php" Multiple Cross-Site Scripting Vulnerabilities
• Description: MyBB (MyBulletinBoard) is a forum application. MyBB is exposed to multiple cross-site scripting issues because it fails to sanitize user-supplied input. MyBB versions 1.6 and prior are affected.
• Ref: http://blog.mybb.com/2010/12/15/mybb-1-6-1-release-1-4-14-update/

• - - CVE: Not Available Platform: Web Application SQL Injection
• Title: Softbiz PHP Joke Site Software Multiple SQL Injection Vulnerabilities Description: Softbiz PHP Joke Site Software is a PHP-based web application. The application is exposed to multiple SQL injection issues because it fails to sufficiently sani
• Ref: http://www.securityfocus.com/bid/45478

• 10.52.22 - CVE: Not Available
• Platform: Web Application
• Title: WordPress "cformsII" Plugin CAPTCHA Security Bypass
• Description: WordPress "cformsII" plugin is an application for deploying Ajax driven contact forms in WordPress pages. The application is exposed to a security bypass issue that occurs in the CAPTCHA authentication routine.
• Ref: http://seclists.org/fulldisclosure/2010/Dec/375

• 10.52.23 - CVE: CVE-2010-0114
• Platform: Web Application
• Title: Symantec Endpoint Protection Reporting Module "fw_charts.php" Remote Code Execution
• Description: Symantec Endpoint Protection (SEP) is a security application. SEP clients are paired to a specific SEP server for obtaining updates. Symantec Endpoint Protection reporting module is exposed to a remote code execution issue because it fails to properly validate requests for generating charts. Symantec Endpoint Protection versions prior to 11.0 RU6 MP1 are affected.
• Ref: http://www.zerodayinitiative.com/advisories/ZDI-10-291/

• 10.52.24 - CVE: Not Available
• Platform: Web Application
• Title: S9Y Serendipity "manager.php" Arbitrary File Upload
• Description: Serendipity is a web-log application. The application is exposed to an issue that lets attackers upload arbitrary files. The issue occurs because the application fails to adequately verify file extensions before uploading files to the web server. Serendipity version 1.5.4 is affected.
• Ref: http://www.securityfocus.com/bid/45525

• 10.52.25 - CVE: Not Available
• Platform: Web Application
• Title: Hycus CMS Multiple Input Validation Vulnerabilities
• Description: Hycus CMS is a PHP-based content management application. The application is exposed to multiple issues. Hycus CMS version 1.0.3 is affected.
• Ref: http://www.htbridge.ch/advisory/lfi_in_hycus_cms.html

• 10.52.26 - CVE: Not Available
• Platform: Web Application
• Title: REstate Real Estate Script HTML Injection
• Description: REstate Real Estate Script is a web-based application. The application is exposed to an HTML injection issue because it fails to properly sanitize user-supplied input.
• Ref: http://www.securityfocus.com/bid/45533

• 10.52.27 - CVE: Not Available
• Platform: Web Application
• Title: Ecava IntegraXor "file_name" Parameter Directory Traversal
• Description: Ecava IntegraXor is web-based HMI/SCADA software. Ecava IntegraXor is exposed to a directory traversal issue because it fails to sufficiently sanitize user-supplied input via an "open" request to the "file_name" parameter. IntegraXor version 3.6.4000.0 is affected.
• Ref: http://aluigi.org/adv/integraxor_1-adv.txt

• 10.52.28 - CVE: Not Available
• Platform: Web Application
• Title: Injader Multiple Input Validation Vulnerabilities
• Description: Injader is a content manager. Injader is exposed to multiple input validation issues. Exploiting these issues could allow an attacker to steal cookie based authentication credentials, compromise the application, access or modify data or exploit latent vulnerabilities in the underlying database. Injader version 2.4.4 is affected.
• Ref: http://www.htbridge.ch/advisory/xss_vulnerability_in_injader_cms.html

(c) 2010. All rights reserved. The information contained in this newsletter, including any external links, is provided "AS IS," with no express or implied warranty, for informational purposes only. In some cases, copyright for material in this newsletter may be held by a party other than Qualys (as indicated herein) and permission to use such material must be requested from the copyright owner.

Subscriptions: @RISK is distributed free of charge by the SANS Institute to people responsible for managing and securing information systems and networks. You may forward this newsletter to others with such responsibility inside or outside your organization. For a free subscription or to update a current subscription, visit http://portal.sans.org/