@RISK: The Consensus Security Vulnerability Alert

Volume: IX, Issue: 8
February 18, 2010

@RISK is the SANS community's consensus bulletin summarizing the most important vulnerabilities and exploits identified during the past week and providing guidance on appropriate actions to protect your systems (PART I). It also includes a comprehensive list of all new vulnerabilities discovered in the past week (PART II).

Summary of Updates and Vulnerabilities in this Consensus:

Platform                                   Number of Updates and Vulnerabilities
- ------------------------                 -------------------------------------
Third Party Windows Apps                   2
Linux                                      3
Cross Platform                             15 (#1, #2, #3, #4, #5)
Web Application - Cross Site Scripting     5
Web Application - SQL Injection            10
Web Application                            8
Network Device                             3 (#6)

*************************************************************************
TRAINING UPDATE

- -- SANS 2010, Orlando, March 6 - March 15, 2010
38 courses and bonus evening presentations, including Software Security Street Fighting Style
http://www.sans.org/sans-2010/

- -- SANS Northern Virginia Bootcamp 2010, April 6-13
Bonus evening presentations include Safe Surfing: How to Surf the Net Without Getting PWND
http://www.sans.org/reston-2010/

- -- SANS Security West 2010, San Diego, May 7-15, 2010
23 courses. Bonus evening presentations include Killer Bee: Exploiting ZigBee and the Kinetic World
http://www.sans.org/security-west-2010/

- -- SANSFIRE 2010, Baltimore, June 6-14, 2010
38 courses
http://www.sans.org/sansfire-2010/

Looking for training in your own community? http://sans.org/community/

Save on On-Demand training (30 full courses) - See samples at http://www.sans.org/ondemand/spring09.php

Plus Bangalore, Dublin, Dubai, Toronto and Singapore all in the next 90 days.

For a list of all upcoming events, on-line and live: www.sans.org
*************************************************************************

Table Of Contents
Part II -- Comprehensive List of Newly Discovered Vulnerabilities from Qualys (www.qualys.com)
Third Party Windows Apps
Linux
Cross Platform
Web Application - Cross Site Scripting
Web Application - SQL Injection
Web Application
Network Device


PART I Critical Vulnerabilities

Part I for this issue has been compiled by Rohan Kotian at TippingPoint, a division of 3Com, as a by-product of that company's continuous effort to ensure that its intrusion prevention products effectively block exploits using known vulnerabilities. TippingPoint's analysis is complemented by input from a council of security managers from twelve large organizations who confidentially share with SANS the specific actions they have taken to protect their systems. A detailed description of the process may be found at http://www.sans.org/newsletters/cva/#process

Widely Deployed Software
  • (1) HIGH: Adobe Reader and Acrobat Multiple Vulnerabilities (APSB10-07)
  • Affected:
    • Adobe Reader 9.3 and earlier versions for Windows, Macintosh, and UNIX
    • Adobe Acrobat 9.3 and earlier versions for Windows and Macintosh
  • Description: Adobe Acrobat is a program designed to create, manage and view Portable Document Format (PDF) files, and Adobe Reader is designed only to view and print PDFs. Both Adobe Reader and Acrobat have been reported to have two vulnerabilities. The first is a cross-domain vulnerability that affects multiple Adobe products, including Adobe Reader and Acrobat. The flaw can allow attackers to subvert the domain sandbox restrictions and make cross-domain requests via unspecified vectors. The second flaw is caused by an unspecified error and can be exploited by an attacker to cause a denial-of-service condition or execute arbitrary code remotely. Technical details for these vulnerabilities are not publicly available.

  • Status: Vendor confirmed, updates available.

  • References:
  • (2) HIGH: Google Chrome Multiple Vulnerabilities
  • Affected:
    • Google Chrome versions prior to 4.0.249.89
  • Description: Google Chrome, a web browser developed by Google, is the fourth most popular web browser with a 5.22% usage share among all web browsers. Multiple vulnerabilities have been identified in Google Chrome which can lead to information disclosure, remote code execution, data leakage, and phishing attacks. The first issue is caused by errors in DNS handling and in the way proxy lists are interpreted, which could lead to disclosure of sensitive data. The second issue is caused by integer overflow errors in the V8 engine. The third issue is caused by an error in the way "<ruby>" tags are processed. The fourth issue is an error in the way the "href" attribute of "iframe" tags is processed, which might lead to disclosure of redirection targets. The fifth issue is an error in the password manager: it incorrectly pre-fills the HTTP authentication dialog box of one domain with credentials of another domain, which might enable phishing. The last issue is an integer overflow error in the way sandbox messages are deserialized, which might lead to remote code execution. Full technical details are publicly available via source code analysis.

  • Status: Vendor confirmed, updates available.

  • References:
  • (3) HIGH: OpenOffice.org Multiple Vulnerabilities
  • Affected:
    • OpenOffice.org 3.x
  • Description: OpenOffice.org is a popular open source office suite. It is included by default in most Unix, Unix-like, and Linux operating system distributions and is also available for Microsoft Windows and Mac OS X. It contains multiple vulnerabilities in its handling of different documents. The first issue is caused by its use of a third-party library (libxml2) which is known to be vulnerable according to CVE-2006-4339, and it might lead to improper verification of signatures. The second issue is caused by the use of a third-party library (libxmlsec) which is prone to an XML signature HMAC truncation authentication bypass issue. The third flaw is an error in the MSVC Runtime shipped with OpenOffice.org, according to CVE-2009-2493. The fourth issue is caused by an error in the way OpenOffice.org processes malformed XPM files, which can also be embedded in other file formats. The fifth issue is caused by improper handling of malicious GIF files, which can also be embedded in other documents. The sixth issue is caused by an error in the way OpenOffice.org processes malformed Word documents. Details on these vulnerabilities are available via source code analysis.

  • Status: Vendor confirmed, updates available.

  • References:
  • (4) MODERATE: Adobe Flash Player Multiple Vulnerabilities (APSB10-06)
  • Affected:
    • Adobe Flash Player 10.0.42.34 and earlier
    • Adobe AIR 1.5.3.9120 and earlier
  • Description: Adobe Flash Player is a multimedia application used to play Flash media files on Microsoft Windows, Mozilla, and Apple technologies. Two vulnerabilities have been reported in Adobe Flash Player. The first is a cross-domain vulnerability that affects multiple Adobe products, including Adobe Flash Player. The flaw can allow attackers to subvert the domain sandbox restrictions and make cross-domain requests via unspecified vectors. The second issue is a denial-of-service flaw caused by unspecified errors, and it could be triggered by a specially crafted .SWF file. Some technical details for these vulnerabilities are publicly available.

  • Status: Vendor confirmed, updates available.

  • References:
  • (5) MODERATE: Juniper Installer Service Buffer Overflow Vulnerability
  • Affected:
    • Juniper Networks Juniper Installer Service 1.0
  • Description: Juniper Installer Service is a manual installer from Juniper Networks that must be installed by a user with Administrative rights on the PC. It is used to allow a user without Administrative rights to install client components that require them. A buffer overflow vulnerability has been identified in Juniper Installer Service. The specific flaw is in the "DSSETUPSERVICE_CMD_UNINSTALL" command, which does not perform adequate checks on user-supplied input. Thus a specially crafted "DSSETUPSERVICE_CMD_UNINSTALL" command with an overly large string can be used to trigger this vulnerability. An attacker needs access to the "\Device\LanmanRedirector\%SERVERNAME%\pipe\NeoterisSetupService" named pipe to carry out this attack. Successful exploitation might allow an attacker to execute arbitrary code in the context of the affected application. Some technical details for the vulnerability are publicly available.

  • Status: Vendor confirmed, updates available.

  • References:
  • (6) MODERATE: Cisco IronPort Multiple Vulnerabilities
  • Affected:
    • Cisco IronPort Encryption Appliance 6.5 versions prior to 6.5.2
    • Cisco IronPort Encryption Appliance 6.2 versions prior to 6.2.9.1
    • Cisco IronPort PostX MAP versions prior to 6.2.9.1
  • Description: Cisco IronPort is an email and web security appliance. Three vulnerabilities have been identified in Cisco IronPort, two of which are information disclosure vulnerabilities and the third a remote code execution vulnerability. The information disclosure vulnerabilities are caused by unspecified errors in the administrative interface and in the WebSafe DistributorServlet of the HTTPS server that is embedded on the Cisco IronPort Encryption Appliance. The last issue is caused by an unspecified error in the HTTPS server embedded on the Cisco IronPort Encryption Appliance. Successful exploitation in this case might lead to arbitrary code execution. Technical details for these vulnerabilities are not publicly available.

  • Status: Vendor confirmed, updates available.

  • References:
Part II -- Comprehensive List of Newly Discovered Vulnerabilities from Qualys (www.qualys.com)
Week 8, 2010

This list is compiled by Qualys (www.qualys.com) as part of that company's ongoing effort to ensure its vulnerability management web service tests for all known vulnerabilities that can be scanned. As of this week Qualys scans for 8007 unique vulnerabilities. For this special SANS community listing, Qualys also includes vulnerabilities that cannot be scanned remotely.
______________________________________________________________________


  • 10.8.1 - CVE: Not Available
  • Platform: Third Party Windows Apps
  • Title: Mini-Stream Software CastRipper ".asx" File Remote Stack Buffer Overflow
  • Description: CastRipper is an audio stream ripper available for Microsoft Windows. The application is exposed to a remote stack-based buffer overflow issue because it fails to perform adequate checks on user-supplied input. Specifically, this issue occurs when opening a ".asx" playlist file that contains excessive data. CastRipper version 2.50.70 is affected.
  • Ref: http://www.securityfocus.com/bid/38221

  • 10.8.2 - CVE: Not Available
  • Platform: Third Party Windows Apps
  • Title: AIMP ".m3u" File Remote Stack Buffer Overflow
  • Description: AIMP is a multimedia player available for Microsoft Windows. The application is exposed to a remote stack-based buffer overflow issue because it fails to perform adequate checks on user-supplied input. Specifically, this issue occurs when opening a ".m3u" playlist file that contains excessive data. AIMP version 2.51 is affected.
  • Ref: http://www.securityfocus.com/bid/38215

  • 10.8.3 - CVE: Not Available
  • Platform: Linux
  • Title: Linux Kernel "selinux_bprm_committing_creds()" Security Bypass
  • Description: The Linux kernel is exposed to a security bypass issue. Specifically, the "selinux_bprm_committing_creds()" function incorrectly passes "rlim->rlim_cur" to the "update_rlimit_cpu()" function, which expects the "RLIMIT_CPU" limit. This error occurs in the "security/selinux/hooks.c" source file. Linux kernel versions prior to 2.6.32.8 are affected.
  • Ref: http://git.kernel.org/?p=linux/kernel/git/torvalds/linux-2.6.git;a=commitdiff;h=17740d89785aeb4143770923d67c293849414710;hp=45d28b097280a78893ce25a5d0db41e6a2717853

  • 10.8.4 - CVE: Not Available
  • Platform: Linux
  • Title: Linux Kernel "net/ipv6/ip6_output.c" NULL Pointer Dereference Denial of Service
  • Description: The Linux kernel is exposed to a local denial of service issue that affects the "ip6_dst_lookup_tail()" function in the "net/ipv6/ip6_output.c" source file. This issue is triggered when an IFF_TUN ("/dev/net/tun") device has 1024 IPv6 neighbors.
  • Ref: http://git.kernel.org/?p=linux/kernel/git/torvalds/linux-2.6.git;a=commitdiff;h=e550dfb0c2c31b6363aa463a035fc9f8dcaa3c9b

  • 10.8.5 - CVE: Not Available
  • Platform: Linux
  • Title: gnome-screensaver Unlock Dialog Race Condition Lock Bypass
  • Description: The "gnome-screensaver" screensaver is included with the Gnome Window Manager. The screensaver's desktop locking feature is designed to prevent users without valid credentials from accessing the desktop. The screensaver is exposed to an issue that allows an attacker who has physical console access to bypass the user's locked screen. gnome-screensaver versions prior to 2.28.1 are affected.
  • Ref: https://bugzilla.gnome.org/show_bug.cgi?id=598476

  • 10.8.6 - CVE: Not Available
  • Platform: Cross Platform
  • Title: RSLinx EDS File Remote Stack Buffer Overflow
  • Description: RSLinx is a communication server. The application is exposed to a remote stack-based buffer overflow issue because it fails to perform adequate boundary checks on user-supplied input. This issue occurs when handling a specially crafted EDS file. Specifically, a stack overflow occurs when passing a large "DescText" entry into the "wsprintf()" function. RSLinx Lite version 2.31.00 is affected.
  • Ref: http://jbrownsec.blogspot.com/2010/02/reverse-engineering-file-formats.html

  • 10.8.7 - CVE: CVE-2010-0445
  • Platform: Cross Platform
  • Title: HP OpenView Network Node Manager Remote Command Execution
  • Description: HP OpenView Network Node Manager (NNM) is a fault management application for IP networks. NNM is exposed to a remote command execution issue. An attacker can exploit this issue to execute commands with SYSTEM level privileges.
  • Ref: http://www.openview.hp.com/products/nnm/

  • 10.8.8 - CVE: Not Available
  • Platform: Cross Platform
  • Title: Accellion File Transfer Appliance Multiple Remote Vulnerabilities
  • Description: Accellion File Transfer Appliance is a device for receiving and delivering large files. The device is exposed to multiple remote issues. 1) A privilege escalation issue occurs in the "acsh" prompt screen when logged in as an administrative user. 2) A privilege escalation issue occurs because the application allows an unauthorized user to execute the "/usr/local/bin/admin.pl" script as a root user. 3) A directory traversal issue affects the "lang" parameter of the "web_client_user_guide.html" script. 4) An HTML injection issue affects the "username" field of the administration interface. 5) A remote command injection issue affects the administrative interface.
  • Ref: http://seclists.org/fulldisclosure/2010/Feb/att-189/accellionmulti.txt

  • 10.8.9 - CVE: CVE-2010-0556
  • Platform: Cross Platform
  • Title: Google Chrome prior to 4.0.249.89 Multiple Security Vulnerabilities
  • Description: Google Chrome is a web browser for multiple platforms. The browser is exposed to multiple issues. 1) Multiple integer overflow issues affect the browser. 2) Multiple information disclosure issues affect the application. 3) A code execution issue arises when the application handles a specially crafted "<ruby>" tag. 4) An unspecified issue arises when domain names are displayed in HTTP authentication dialogs. Chrome versions prior to 4.0.249.89 are affected.
  • Ref: http://www.vsecurity.com/resources/advisory/20100215-1/

  • 10.8.10 - CVE: Not Available
  • Platform: Cross Platform
  • Title: PHP "session_save_path()" "safe_mode" Restriction Bypass
  • Description: PHP is a general purpose scripting language that is especially suited for web development and can be embedded into HTML. PHP is exposed to a "safe_mode" restriction bypass issue. Successful exploits could allow an attacker to write session files in arbitrary directories. This issue occurs because the "session_save_path()" function fails to properly handle crafted parameters, allowing attackers to use "../" directory-traversal sequences to specify arbitrary local directories. PHP versions 5.2.12 and 5.3.1 are affected.
  • Ref: http://securityreason.com/achievement_securityalert/82

  • 10.8.11 - CVE: Not Available
  • Platform: Cross Platform
  • Title: SAP J2EE Engine Core Unspecified Phishing
  • Description: SAP J2EE Engine Core is a Java virtual machine implementation. J2EE Engine Core is exposed to an issue that can aid in phishing attacks. SAP J2EE Engine Core versions prior to the following are affected: J2EE Engine Core 6.40 SP26, J2EE Engine Core 7.00 SP02, J2EE Engine Core 7.01 SP07 and J2EE Engine Core 7.02 SP03.
  • Ref: http://www.securityfocus.com/archive/1/509500

  • 10.8.12 - CVE: CVE-2010-0446
  • Platform: Cross Platform
  • Title: HP DreamScreen Unspecified Information Disclosure
  • Description: DreamScreen is a web-enabled digital photo frame that displays multiple forms of digital content. The device is exposed to an unspecified remote information disclosure issue when it is connected to a network. DreamScreen 100 and 130 running firmware versions prior to 1.6.0.0 are affected.
  • Ref: http://www.securityfocus.com/archive/1/509507

  • 10.8.13 - CVE: Not Available
  • Platform: Cross Platform
  • Title: Kunena Prior to 1.5.7 Multiple Security Vulnerabilities
  • Description: Kunena (com_kunena) is a forum component for the Joomla! content manager. It is implemented in PHP. The application is exposed to multiple issues. 1) Previewing/posting messages is detected as an attack by the firewall. 2) The "E-mail Administrators" option sends messages to users who receive system messages. 3) The "Report to Moderator" feature may mail all users in custom groups. 4) Online statistics reveal hidden users to registered users. 5) The "category ID" value may not be checked when a user posts to an existing thread. Kunena versions prior to 1.5.7 are affected.
  • Ref: http://www.kunena.com/blog/19-developer-blog/51-kunena-157-security-release-now-available

  • 10.8.14 - CVE: CVE-2009-3960
  • Platform: Cross Platform
  • Title: Adobe BlazeDS Information Disclosure
  • Description: Adobe BlazeDS is a Java based messaging server. BlazeDS is exposed to an information disclosure issue. Specifically, attackers may access files readable by the server process running BlazeDS. The issue can occur when processing incoming requests, XML external entity references and injected tags. BlazeDS 3.2 and earlier versions are affected.
  • Ref: http://www.adobe.com/support/security/bulletins/apsb10-05.html

  • 10.8.15 - CVE: CVE-2010-0186
  • Platform: Cross Platform
  • Title: Adobe Flash Player and AIR Unspecified Cross-Domain Scripting
  • Description: Adobe Flash Player is a multimedia application for Microsoft Windows, Mozilla and Apple technologies. Adobe AIR is a cross-platform runtime for developing internet applications on the desktop. Flash Player and AIR are exposed to an unspecified cross-domain scripting issue. A remote attacker may be able to execute script code in the context of a targeted domain. Flash Player versions prior to 10.0.45.2 and AIR versions prior to 1.5.3.1930 are affected.
  • Ref: http://www.adobe.com/support/security/bulletins/apsb10-06.html

  • 10.8.16 - CVE: CVE-2010-0187
  • Platform: Cross Platform
  • Title: Adobe Flash Player and AIR (CVE-2010-0187) Unspecified Denial of Service
  • Description: Adobe Flash Player is a multimedia application for Microsoft Windows, Mozilla and Apple technologies. Adobe AIR is a cross-platform runtime for developing internet applications on the desktop. The applications are exposed to an unspecified denial of service issue. Flash Player versions prior to 10.0.45.2 and AIR versions prior to 1.5.3.1930 are affected.
  • Ref: http://www.adobe.com/support/security/bulletins/apsb10-06.html

  • 10.8.17 - CVE: Not Available
  • Platform: Cross Platform
  • Title: Cisco Collaboration Server Source Code Disclosure Vulnerabilities
  • Description: Cisco Collaboration Server is an application and collaboration server. The product has been discontinued by the vendor. Cisco Collaboration Server is exposed to multiple issues that may allow remote attackers to obtain source code, which may aid them in further attacks. Specifically, these issues arise when a file is requested from the server but the parts of the file name or path are replaced with their hexadecimal equivalents or a NULL byte or other hexadecimal characters are appended to the file name. Cisco Collaboration Server version 5 is affected.
  • Ref: http://www.securityfocus.com/bid/38202

  • 10.8.18 - CVE: Not Available
  • Platform: Cross Platform
  • Title: Squid Web Proxy Cache HTCP Request Processing Remote Denial of Service
  • Description: Squid Web Proxy Cache is an open source proxy server available for a number of platforms. The application is exposed to a remote denial of service issue that occurs when processing specially crafted HTCP (Hypertext Caching Protocol) packets. An attacker can exploit this issue to crash the affected application, denying service to legitimate users.
  • Ref: http://www.squid-cache.org/Advisories/SQUID-2010_2.txt

  • 10.8.19 - CVE: Not Available
  • Platform: Cross Platform
  • Title: KDE Screensaver Unlock Dialog Race Condition Lock Bypass
  • Description: KDE is a desktop environment for the X window system; it includes a screensaver application. The screensaver's desktop locking feature is designed to prevent users without valid credentials from accessing the desktop. The screensaver is exposed to an issue that allows an attacker who has physical console access to bypass the user's locked screen. KDE version 4.4.0 is affected.
  • Ref: http://bugs.kde.org/show_bug.cgi?id=217882

  • 10.8.20 - CVE: Not Available
  • Platform: Cross Platform
  • Title: OpenOffice Prior to 3.2 Multiple Remote Code Execution Vulnerabilities
  • Description: OpenOffice is a suite of office applications for multiple operating platforms. OpenOffice is exposed to multiple remote code execution issues. 1) An integer overflow error occurs when processing XPM data. 2) A heap-based buffer overflow error occurs when processing GIF data. 3) An integer-underflow error leading to a heap-based buffer overflow can be triggered when parsing "sprmTDefTable" records in Microsoft Word documents. 4) A heap-based buffer overflow can be triggered when parsing "sprmTSetBrc" records in Word documents. OpenOffice versions prior to 3.2 are affected.
  • Ref: http://www.openoffice.org/security/cves/CVE-2009-2950.html

  • 10.8.21 - CVE: Not Available
  • Platform: Web Application - Cross Site Scripting
  • Title: Coppermine Photo Gallery "upload.php" Cross-Site Scripting
  • Description: Coppermine Photo Gallery is a web-based application implemented in PHP. The application is exposed to a cross-site scripting issue because it fails to sanitize user-supplied input to the "upload.php" script. Coppermine Photo Gallery versions prior to 2.4.26 are affected.
  • Ref: http://forum.coppermine-gallery.net/index.php/topic,63510.0.html

  • 10.8.22 - CVE: Not Available
  • Platform: Web Application - Cross Site Scripting
  • Title: vBulletin Multiple Cross-Site Scripting Vulnerabilities
  • Description: vBulletin is a web-based forum application implemented in PHP. The application is exposed to multiple cross-site scripting issues because it fails to sufficiently sanitize user-supplied input. An attacker may leverage these issues to execute arbitrary script code in the browser of an unsuspecting user in the context of the affected site. vBulletin versions 3.0.0 through 3.5.4 are affected.
  • Ref: http://www.securityfocus.com/bid/38179

  • 10.8.23 - CVE: Not Available
  • Platform: Web Application - Cross Site Scripting
  • Title: Joomla! sh404SEF Component URI Cross-Site Scripting
  • Description: The sh404SEF application is a component for the Joomla! content manager. The component is exposed to a cross-site scripting issue because it fails to properly sanitize user-supplied input to the URI. sh404SEF versions prior to 1.0.20 Beta Build 237 are affected.
  • Ref: http://dev.anything-digital.com/sh404SEF/

  • 10.8.24 - CVE: Not Available
  • Platform: Web Application - Cross Site Scripting
  • Title: Cisco Collaboration Server "LoginPage.jhtml" Cross-Site Scripting
  • Description: Cisco Collaboration Server is an application and collaboration server. The product has been discontinued by the vendor. The application is exposed to a cross-site scripting issue because it fails to sanitize user-supplied input to the "dest" parameter of the "LoginPage.jhtml" script. Cisco Collaboration Server version 5 is affected.
  • Ref: http://www.securityfocus.com/bid/38201

  • 10.8.25 - CVE: Not Available
  • Platform: Web Application - Cross Site Scripting
  • Title: RSA SecurID WebID Cross-Site Scripting
  • Description: RSA SecurID is a commercial product, which provides local and remote authentication to restrict unauthorized access to resources on a host. WebID provides web-based authentication. The application is exposed to a cross-site scripting issue that affects WebID because it fails to sanitize user-supplied input to the "postdata" parameter of the "IISWebAgentIF.dll" script.
  • Ref: http://www.securityfocus.com/bid/38207

  • 10.8.26 - CVE: Not Available
  • Platform: Web Application - SQL Injection
  • Title: Newgen OmniDocs "ForceChangePassword.jsp" SQL Injection
  • Description: Newgen OmniDocs is a web-based application implemented in Java. The application is exposed to an SQL injection issue because it fails to sufficiently sanitize user-supplied input to an unspecified parameter of the "ForceChangePassword.jsp" script before using it in an SQL query.
  • Ref: http://www.securityfocus.com/bid/38188

  • 10.8.27 - CVE: Not Available
  • Platform: Web Application - SQL Injection
  • Title: CommodityRentals Books/eBooks Rental Software "index.php" SQL Injection
  • Description: CommodityRentals Books/eBooks Rental Software is a PHP-based web application. The application is exposed to an SQL injection issue because it fails to sufficiently sanitize user-supplied input to the "cat_id" parameter of the "index.php" script before using it in an SQL query. The vulnerability can be triggered when the "view" parameter is set to "gamecatalog".
  • Ref: http://www.securityfocus.com/bid/38189

  • 10.8.28 - CVE: Not Available
  • Platform: Web Application - SQL Injection
  • Title: Joomla "com_zcalendar" Component "eid" Parameter SQL Injection
  • Description: The "com_zcalendar" application is a PHP-based component for the Joomla! content manager. The component is exposed to an SQL injection issue because it fails to sufficiently sanitize user-supplied data to the "eid" parameter before using it in an SQL query.
  • Ref: http://www.securityfocus.com/bid/38192

  • 10.8.29 - CVE: Not Available
  • Platform: Web Application - SQL Injection
  • Title: Joomla! AWD Wall Component "cbuser" Parameter SQL Injection
  • Description: AWD Wall ("com_awdwall") is a PHP-based component for the Joomla! content manager. The component is exposed to an SQL injection issue because it fails to sufficiently sanitize user-supplied data to the "cbuser" parameter before using it in an SQL query. AWD Wall version 1.5 is affected.
  • Ref: http://jeffchannell.com/Joomla/awd-wall-15-blind-sql-injection-vulnerability.html

  • 10.8.30 - CVE: Not Available
  • Platform: Web Application - SQL Injection
  • Title: Joomla! "com_jbook" Component "Itemid" Parameter SQL Injection
  • Description: The "com_jbook" application is a PHP-based component for the Joomla! content manager. The component is exposed to an SQL injection issue because it fails to sufficiently sanitize user-supplied data to the "Itemid" parameter before using it in an SQL query.
  • Ref: http://www.securityfocus.com/bid/38199

  • 10.8.31 - CVE: Not Available
  • Platform: Web Application - SQL Injection
  • Title: Joomla! JQuarks Component SQL Injection
  • Description: The JQuarks application is a PHP-based component for the Joomla! content manager. The component is exposed to an SQL injection issue because it fails to sufficiently sanitize user-supplied data before using it in an SQL query.
  • Ref: http://www.iptechinside.com/labs/news/show/6

  • 10.8.32 - CVE: Not Available
  • Platform: Web Application - SQL Injection
  • Title: Qualiteam X-Cart "cart.php" SQL Injection
  • Description: X-Cart is a web-based shopping cart application implemented in PHP and integrated with a MySQL database backend. The application is exposed to an SQL injection issue because it fails to sufficiently sanitize user-supplied input to the "productid" HTTP POST parameter of the "cart.php" script before using it in an SQL query. Qualiteam X-Cart version 4.0.13 is affected.
  • Ref: http://www.securityfocus.com/bid/38205

  • 10.8.33 - CVE: CVE-2009-2949, CVE-2009-2950, CVE-2009-3301, CVE-2009-3302
  • Platform: Web Application - SQL Injection
  • Title: CommodityRentals Vacation Rental Software "index.php" SQL Injection
  • Description: CommodityRentals Vacation Rental Software is a PHP-based web application. The application is exposed to an SQL injection issue because it fails to sufficiently sanitize user-supplied input to the "rental_id" parameter of the "index.php" script before using it in an SQL query.
  • Ref: http://www.securityfocus.com/bid/38208

  • 10.8.34 - CVE: Not Available
  • Platform: Web Application - SQL Injection
  • Title: Joomla! "com_acmisc" Component "Itemid" Parameter SQL Injection
  • Description: The "com_acmisc" application is a PHP-based component for the Joomla! content manager. The component is exposed to an SQL injection issue because it fails to sufficiently sanitize user-supplied data to the "Itemid" parameter before using it in an SQL query.
  • Ref: http://www.securityfocus.com/bid/38210

  • 10.8.35 - CVE: Not Available
  • Platform: Web Application - SQL Injection
  • Title: Alqatari "lesson.php" SQL Injection
  • Description: Alqatari is a web application implemented in PHP. The application is exposed to an SQL injection issue because it fails to sufficiently sanitize user-supplied input to the "id" parameter of the "lesson.php" script before using it in an SQL query. Alqatari version 1.0 is affected.
  • Ref: http://www.securityfocus.com/bid/38216

  • 10.8.36 - CVE: Not Available
  • Platform: Web Application
  • Title: Drupal Graphviz Filter Module Arbitrary Command Execution
  • Description: The Graphviz Filter is a module for the Drupal content manager. The module is exposed to an issue that lets attackers execute arbitrary commands because it fails to properly sanitize user-supplied input to the "@command" option in a node body. The issue can be exploited by users with the privileges to create content using a Graphviz input filter. Graphviz Filter module versions 6.x-1.x prior to 6.x-1.6 and 5.x-1.x prior to 5.x-1.3 are affected.
  • Ref: http://drupal.org/node/710854
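
The Graphviz Filter entry (10.8.36) describes the classic shape of a command injection: a user-controlled option names the program to run. The Python below is an added illustration, not the Drupal module's PHP code; the "@command=" line syntax, the node body and the set of layout engine names are assumptions chosen for the example. It contrasts building a shell command string from the option with allowlisting the engine name and building an argument vector.

```python
# Layout engines that ship with Graphviz; anything else is refused.
# (assumed allowlist for this example)
ALLOWED_ENGINES = {"dot", "neato", "fdp", "sfdp", "twopi", "circo"}


def parse_options(body):
    """Collect leading '@key=value' option lines from a node body.

    The '@command=' syntax is assumed for this illustration.
    """
    options = {}
    for line in body.splitlines():
        line = line.strip()
        if line.startswith("@") and "=" in line:
            key, _, value = line[1:].partition("=")
            options[key.strip()] = value.strip()
    return options


def build_argv_vulnerable(body):
    # The flawed pattern: the user-supplied option is spliced into a command
    # string that is later handed to a shell, so ';', '|' and friends are
    # interpreted by the shell rather than treated as part of a name.
    engine = parse_options(body).get("command", "dot")
    return "%s -Tpng" % engine


def build_argv_hardened(body):
    # Allowlist the engine name and build an argument vector; executed with
    # subprocess.run(argv) (no shell), there is nothing for metacharacters
    # or path components to act on.
    engine = parse_options(body).get("command", "dot")
    if engine not in ALLOWED_ENGINES:
        raise ValueError("unsupported layout engine: %r" % engine)
    return [engine, "-Tpng"]


def engine_rejected(body):
    """True when the hardened builder refuses the body's @command option."""
    try:
        build_argv_hardened(body)
    except ValueError:
        return True
    return False


if __name__ == "__main__":
    # Constructed node body: a benign graph with a hostile option line.
    hostile = "@command=dot; id\ndigraph G { a -> b }"
    print("shell string:", build_argv_vulnerable(hostile))
    print("rejected by allowlist:", engine_rejected(hostile))
    print("clean argv:", build_argv_hardened("@command=neato\ndigraph G { a -> b }"))
```

The point of the allowlist is that the engine name is an identifier, not free text: the fix is not to escape it better but to refuse anything outside a fixed set, and then to invoke the engine with an argument list so that no shell ever sees the value.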

  • 10.8.37 - CVE: Not Available
  • Platform: Web Application
  • Title: SAP WebDynpro Runtime Unspecified HTML Injection
  • Description: SAP WebDynpro Runtime is a user-interface technology based on the Model View Controller (MVC). The application is exposed to an HTML injection issue because it fails to sufficiently sanitize user-supplied input to an unspecified script.
  • Ref: http://www.securityfocus.com/archive/1/509499

  • 10.8.38 - CVE: Not Available
  • Platform: Web Application
  • Title: vBulletin 2.3 Cross-Site Scripting and SQL Injection Vulnerabilities
  • Description: vBulletin is a web-based bulletin board implemented in PHP. Since it fails to sufficiently sanitize user-supplied input, the application is exposed to multiple input validation issues: 1) an SQL injection issue that affects the "s" parameter of the "calendar.php" script, and 2) a cross-site scripting issue that can be triggered by a crafted email. vBulletin version 2.3 is affected.
  • Ref: http://www.securityfocus.com/bid/38180

  • 10.8.39 - CVE: Not Available
  • Platform: Web Application
  • Title: Interspire Knowledge Manager "callback.snipshot.php" Arbitrary File Creation
  • Description: Interspire Knowledge Manager is a knowledge management application implemented in PHP. The application is exposed to an issue that allows attackers to create arbitrary files on a vulnerable computer. Specifically, the "admin/de/dialog/callback.snipshot.php" script trusts data passed via GET requests to overwrite $_SESSION variables. Knowledge Manager version 5.1.3 is affected.
  • Ref: http://seclists.org/fulldisclosure/2010/Feb/57

  • 10.8.40 - CVE: Not Available
  • Platform: Web Application
  • Title: Joomla! Webee Component SQL Injection and HTML Injection Vulnerabilities
  • Description: Webee is a component for the Joomla! content manager. Since it fails to sufficiently sanitize user-supplied data, the application is exposed to multiple issues: 1) HTML-injection issues, and 2) An SQL injection issue that affects the "articleId" parameter. Webee version 1.1.1 is vulnerable to all of these issues and Webee 1.2 is affected by the SQL injection issue.
  • Ref: http://jeffchannell.com/Joomla/webee-111-multiple-vulnerabilities.html

  • 10.8.41 - CVE: CVE-2009-4232
  • Platform: Web Application
  • Title: Joomla! Kide Shoutbox Security Bypass
  • Description: Kide Shoutbox is a component for the Joomla! content manager. Kide Shoutbox is exposed to a security bypass issue because it fails to properly verify the identity of a user when posting messages. An attacker can bypass the "Only to registered users" setting and post messages as an arbitrary user. Kide Shoutbox component version 0.4.6 is affected.
  • Ref: http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2009-4232
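
Entries 10.8.39 (request parameters copied into $_SESSION) and 10.8.41 (the poster's identity taken from the client) are two faces of one mistake: server-side state that the client is allowed to write. The Python below is an added example, not code from either product; the session keys ("user", "upload_dir", "lang", "theme"), the form field names and the "registered only" flag are assumptions for the illustration. It shows the mass-assignment pattern beside an allowlisted one, and a message handler that takes identity from the form beside one that takes it from the authenticated session.

```python
# Preference keys a client may legitimately set in its own session
# (assumed allowlist for this example; identity and paths are never in it).
SESSION_KEYS_FROM_CLIENT = {"lang", "theme"}


def apply_request_vulnerable(session, params):
    # Flawed pattern: every request parameter is copied into the server
    # session, so a client can overwrite keys the application trusts
    # (for instance a directory the server later writes files into).
    for key, value in params.items():
        session[key] = value
    return session


def apply_request_hardened(session, params):
    # Only explicitly allowlisted, harmless keys may be set from the request.
    for key in set(params) & SESSION_KEYS_FROM_CLIENT:
        session[key] = params[key]
    return session


def post_message_vulnerable(session, params, registered_only=True):
    # Flawed pattern: author and registration status both come from form
    # fields, so anyone can post as anyone and the setting is a formality.
    if registered_only and not params.get("is_registered"):
        raise PermissionError("registered users only")
    return {"author": params.get("name", "guest"), "text": params.get("msg", "")}


def post_message_hardened(session, params, registered_only=True):
    # Identity comes from the authenticated session, never from the request;
    # the 'registered only' setting is enforced on that server-side value.
    user = session.get("user")
    if registered_only and user is None:
        raise PermissionError("registered users only")
    return {"author": user or "guest", "text": params.get("msg", "")}


def post_rejected(session, params):
    """True when the hardened handler refuses the post."""
    try:
        post_message_hardened(session, params)
    except PermissionError:
        return True
    return False


if __name__ == "__main__":
    # Constructed session and request data for the demonstration.
    session = {"user": "alice", "upload_dir": "/var/www/uploads"}
    hostile = {"upload_dir": "/var/www/html", "lang": "de"}
    print(apply_request_vulnerable(dict(session), hostile))
    print(apply_request_hardened(dict(session), hostile))
    print(post_message_hardened({"user": "alice"}, {"name": "admin", "msg": "hi"}))
    print(post_rejected({}, {"name": "admin", "is_registered": "1", "msg": "hi"}))
```

When auditing a PHP application for the 10.8.39 pattern, grep for loops that assign `$_GET`, `$_POST` or `$_REQUEST` values into `$_SESSION` wholesale; for the 10.8.41 pattern, look for any place a username or user id is read from the request body rather than from the session established at login.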

  • 10.8.42 - CVE: Not Available
  • Platform: Web Application
  • Title: Joomla! EasyBook Component Multiple HTML Injection Vulnerabilities
  • Description: EasyBook is a guestbook component for the Joomla! content manager. The application is exposed to multiple HTML injection issues because it fails to properly sanitize user-supplied input before using it in dynamically generated content. These issues affect the Skype/Yahoo username field, AIM/MSN username field, website URL field, and the BBCode [img] tag. Joomla! EasyBook component version 2.0.0rc4 is affected.
  • Ref: http://jeffchannell.com/Joomla/easybook-200rc4-multiple-xss-vulnerabilities.html
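
The EasyBook entry (10.8.42) names the two places where guestbook and profile fields typically go wrong: free-text fields echoed into markup without encoding, and URL-bearing fields (a website link, a BBCode [img] tag) where the scheme itself is the attack surface. The Python below is an added example, not the component's PHP code; the output markup, the field labels and the exact BBCode subset are assumptions. It escapes all text before any tag processing and accepts only absolute http(s) URLs for links and images.

```python
import html
import re
from urllib.parse import urlsplit

# Only these schemes may appear in href/src attributes built from user input.
ALLOWED_SCHEMES = {"http", "https"}

# Minimal [img]...[/img] matcher; the BBCode subset is assumed for the example.
IMG_TAG = re.compile(r"\[img\](.*?)\[/img\]", re.IGNORECASE | re.DOTALL)


def safe_url(value):
    """Return the URL if it is absolute http(s) with a host, else None.

    Rejects javascript:, data:, vbscript: and scheme-relative '//host' forms,
    which are the usual vehicles for script in a user-supplied link.
    """
    value = value.strip()
    parts = urlsplit(value)
    if parts.scheme.lower() not in ALLOWED_SCHEMES or not parts.netloc:
        return None
    return value


def render_profile_link(label, url):
    """Render a website/IM field as a link, or as plain text if the URL is unsafe."""
    checked = safe_url(url)
    if checked is None:
        return html.escape(label)
    return '<a href="%s">%s</a>' % (html.escape(checked, quote=True), html.escape(label))


def render_bbcode(text):
    """Escape the whole body, then translate only [img] tags with safe URLs."""
    escaped = html.escape(text, quote=True)

    def replace_img(match):
        url = html.unescape(match.group(1))
        checked = safe_url(url)
        if checked is None:
            return html.escape(url)  # unsafe URL stays visible as plain text
        return '<img src="%s" alt="">' % html.escape(checked, quote=True)

    return IMG_TAG.sub(replace_img, escaped)


if __name__ == "__main__":
    # Constructed guestbook inputs for the demonstration.
    print(render_bbcode("[img]http://example.com/a.png[/img]"))
    print(render_bbcode("[img]javascript:alert(1)[/img]"))
    print(render_bbcode('[img]http://x/"onerror=alert(1)[/img]'))
    print(render_profile_link("my site", "javascript:alert(1)"))
```

Two design points matter here. Escaping happens once, over the whole body, before tag translation, so raw HTML in the text is inert regardless of which tags are later recognized. And the URL check is an allowlist on the parsed scheme plus a required host, not a blacklist of "javascript:"; attribute quoting is then handled by the same escaping used for text, which is why a quote inside an otherwise valid http URL cannot break out of src.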

  • 10.8.43 - CVE: Not Available
  • Platform: Web Application
  • Title: Joomla! F!BB Component SQL Injection and HTML Injection Vulnerabilities
  • Description: F!BB is a component for the Joomla! content manager. Since it fails to sufficiently sanitize user-supplied data, the component is exposed to multiple issues: 1) HTML injection issues that affect the ICQ, MSN, and AIM profile fields, and 2) an SQL injection issue that affects the "searchuser" parameter. F!BB version 1.96 is affected.
  • Ref: http://docs.joomla.org/Vulnerable_Extensions_List
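
Entries 10.8.32 through 10.8.35, 10.8.38, 10.8.40 and 10.8.43 all describe the same defect: an "id"-style request parameter spliced into SQL text. The Python below is an added example, not code from any of those applications (which are PHP/MySQL); it uses an in-memory SQLite table with constructed rows and an assumed "hidden" column to show how a crafted value rewrites the query, and how type validation plus a bound parameter closes it.

```python
import sqlite3


def make_db():
    """Constructed product table standing in for a shop's catalogue."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE products ("
        "productid INTEGER PRIMARY KEY, name TEXT, price REAL, hidden INTEGER)"
    )
    conn.executemany(
        "INSERT INTO products VALUES (?, ?, ?, ?)",
        [
            (1, "Widget", 9.99, 0),
            (2, "Gadget", 19.99, 0),
            (3, "Unreleased item", 0.0, 1),  # must never be listed
        ],
    )
    return conn


def lookup_vulnerable(conn, productid):
    # The flawed pattern from the advisories: the request parameter becomes
    # part of the statement text, so its value can change the query's logic.
    sql = "SELECT name FROM products WHERE productid = %s AND hidden = 0" % productid
    return [row[0] for row in conn.execute(sql)]


def lookup_hardened(conn, productid):
    # Validate the type first (an id is a decimal integer), then bind it.
    # A bound value is data to the SQL parser and can never extend the WHERE clause.
    if not isinstance(productid, str) or not productid.isdigit():
        raise ValueError("productid must be a decimal integer")
    sql = "SELECT name FROM products WHERE productid = ? AND hidden = 0"
    return [row[0] for row in conn.execute(sql, (int(productid),))]


def rejected(conn, productid):
    """True when the hardened lookup refuses the parameter value."""
    try:
        lookup_hardened(conn, productid)
    except ValueError:
        return True
    return False


if __name__ == "__main__":
    conn = make_db()
    # Constructed request values: a normal id and a crafted one that comments
    # out the rest of the WHERE clause.
    print(lookup_vulnerable(conn, "1"))
    print(lookup_vulnerable(conn, "0 OR 1=1 --"))
    print(lookup_hardened(conn, "1"))
    print(rejected(conn, "0 OR 1=1 --"))
```

The crafted value turns the statement into `... WHERE productid = 0 OR 1=1 -- AND hidden = 0`, which returns the hidden row as well. Note that the fix is the bound parameter; the `isdigit` check is a second layer that also gives a clean error instead of a database exception, and it is what an integer-typed parameter such as "productid", "rental_id", "Itemid" or "id" in the entries above should get. The string-typed parameters ("s", "searchuser") get the same bound-parameter treatment without the numeric check.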

  • 10.8.44 - CVE: CVE-2010-0143
  • Platform: Network Device
  • Title: Cisco IronPort Encryption Appliance Administration Interface Information Disclosure
  • Description: Cisco IronPort Encryption Appliance is a gateway device for email encryption. IronPort Encryption Appliance is exposed to an information disclosure issue that affects the device's administration interface. IronPort Encryption Appliance 6.5 (prior to 6.5.2), IronPort Encryption Appliance 6.2 (prior to 6.2.9.1), and IronPort PostX MAP (prior to 6.2.9.1) are affected.
  • Ref: http://www.cisco.com/warp/public/707/cisco-sa-20100210-ironport.shtml

  • 10.8.45 - CVE: CVE-2010-0145
  • Platform: Network Device
  • Title: Cisco IronPort Encryption Appliance HTTPS Server Unspecified Remote Code Execution
  • Description: Cisco IronPort Encryption Appliance is an email-encryption gateway for use with IronPort appliances. The device is exposed to a remote code execution issue affecting the embedded HTTPS server. An attacker can exploit this issue to execute arbitrary code with SYSTEM level privileges. Successful exploits will completely compromise affected computers.
  • Ref: http://www.cisco.com/warp/public/707/cisco-sa-20100210-ironport.shtml

  • 10.8.46 - CVE: Not Available
  • Platform: Network Device
  • Title: Cisco IronPort Encryption Appliance WebSafe Servlet Information Disclosure
  • Description: Cisco IronPort Encryption Appliance is an email-encryption gateway for use with IronPort appliances. IronPort Encryption Appliance is exposed to an information disclosure issue that affects the WebSafe servlet. IronPort Encryption Appliance 6.5 (prior to 6.5.2), IronPort Encryption Appliance 6.2 (prior to 6.2.9.1), and IronPort PostX MAP (prior to 6.2.9.1) are affected.
  • Ref: http://www.cisco.com/warp/public/707/cisco-amb-20100210-ironport.shtml

(c) 2010. All rights reserved. The information contained in this newsletter, including any external links, is provided "AS IS," with no express or implied warranty, for informational purposes only. In some cases, copyright for material in this newsletter may be held by a party other than Qualys (as indicated herein) and permission to use such material must be requested from the copyright owner.

Subscriptions: @RISK is distributed free of charge by the SANS Institute to people responsible for managing and securing information systems and networks. You may forward this newsletter to others with such responsibility inside or outside your organization.