RISK: The Consensus Security Vulnerability Alert Vol. 7 No. 30

From: The SANS Institute (ConsensusSecurityVulnerabilityAlertsans.org)
Date: Thu Jul 24 2008 - 18:25:27 CDT



The critical problems this week are all web-related: Firefox &
Thunderbird, Sun Java Web Start, and Oracle WebLogic (formerly BEA
WebLogic) Apache Connector.

                                     Alan
*************************************************************************
         RISK: The Consensus Security Vulnerability Alert
July 24, 2008 Vol. 7. Week 30
*************************************************************************
RISK is the SANS community's consensus bulletin summarizing the most
important vulnerabilities and exploits identified during the past week
and providing guidance on appropriate actions to protect your systems
(PART I). It also includes a comprehensive list of all new
vulnerabilities discovered in the past week (PART II).

Summary of Updates and Vulnerabilities in this Consensus

Platform                                 Number of Updates and Vulnerabilities
---------------------------------------  -------------------------------------
Windows                                  1
Third Party Windows Apps                 4
Mac Os                                   1
Linux                                    2
Cross Platform                           10 (#1, #2, #3, #4)
Web Application - Cross Site Scripting   4
Web Application - SQL Injection          14
Web Application                          15


Table Of Contents
Part I -- Critical Vulnerabilities from TippingPoint (www.tippingpoint.com)

Widely Deployed Software
(1) CRITICAL: Mozilla Products Memory Corruption Vulnerability
(2) CRITICAL: Sun Java Web Start Multiple Vulnerabilities
(3) CRITICAL: Oracle WebLogic Apache Connector Buffer Overflow
(4) EXPLOIT: Multiple DNS Cache Poisoning Exploits

Part II -- Comprehensive List of Newly Discovered Vulnerabilities from
Qualys (www.qualys.com)

 -- Windows
08.30.1 - Microsoft Windows Vista Shutdown Button Local Security Bypass
 -- Third Party Windows Apps
08.30.2 - PPMate PPMedia Class ActiveX Control Remote Buffer Overflow
08.30.3 - MediaMonkey URI Handling Multiple Denial of Service Vulnerabilities
08.30.4 - BitComet URI Handling Remote Denial of Service
08.30.5 - QuickPlayer ".m3u" File Buffer Overflow
 -- Mac Os
08.30.6 - Mozilla Firefox Mac OS X GIF Rendering Memory Corruption
 -- Linux
08.30.7 - Debian OpenSSH SELinux Privilege Escalation
08.30.8 - zypp-refresh-patches wrapper XML Repository Corruption
 -- Cross Platform
08.30.9 - Oracle Weblogic Server Apache Connector Remote Buffer Overflow
08.30.10 - IBM WebSphere Application Server "PropFilePasswordEncoder" Unspecified
08.30.11 - HP Select Identity Bidirectional LDAP Connector Remote Unauthorized Access
08.30.12 - F-PROT Antivirus CHM File Remote Denial of Service
08.30.13 - F-PROT Antivirus Multiple File Processing Remote Denial of Service Vulnerabilities
08.30.14 - Velocity Security Management System HTTP Server Directory Traversal
08.30.15 - Spring Framework Multiple Remote Vulnerabilities
08.30.16 - CGI::Session "CGISESSID" Cookie Value Directory Traversal
08.30.17 - OpenLink Virtuoso Multiple Denial Of Service Vulnerabilities
08.30.18 - SmbClientParser Perl Module Remote Command Execution
 -- Web Application - Cross Site Scripting
08.30.19 - IBS "username" Parameter Cross Site Scripting
08.30.20 - LunarNight Laboratory WebProxy Cross Site Scripting
08.30.21 - phpFreeChat "demo21_with_hardcoded_urls.php" Cross Site Scripting
08.30.22 - MoinMoin "AdvancedSearch.py" Multiple Cross-Site Scripting Vulnerabilities
 -- Web Application - SQL Injection
08.30.23 - phpHoo3 "phpHoo3.php" SQL Injection
08.30.24 - AlstraSoft Video Share Enterprise "album.php" SQL Injection
08.30.25 - AlstraSoft Article Manager Pro "contact_author.php" SQL Injection
08.30.26 - Arctic Issue Tracker "filter" Parameter SQL Injection
08.30.27 - preCMS "id" Parameter SQL Injection
08.30.28 - HockeySTATS Online "index.php" Multiple SQL Injection Vulnerabilities
08.30.29 - Joomla! and Mambo DT Register Component "eventId" Parameter SQL Injection
08.30.30 - AlstraSoft Affiliate Network Pro "pgm" Parameter SQL Injection
08.30.31 - tplSoccerSite Multiple SQL Injection Vulnerabilities
08.30.32 - Def_Blog "article" Parameter Multiple SQL Injection Vulnerabilities
08.30.33 - Siteframe "folder.php" SQL Injection
08.30.34 - Aprox CMS Engine "index.php" SQL Injection
08.30.35 - PHPFootball "show.php" SQL Injection
08.30.36 - Zoph Multiple SQL Injection Vulnerabilities
 -- Web Application
08.30.37 - Claroline Multiple Unspecified Security Vulnerabilities
08.30.38 - Community CMS "include.php" Remote File Include
08.30.39 - Afuse "afuse.c" Shell Command Injection
08.30.40 - Galatolo WebManager Cookie Authentication Bypass
08.30.41 - PhotoPost vBGallery "upload.php" Arbitrary File Upload
08.30.42 - PHPizabi "v_cron_proc.php" Arbitrary Script Injection Vulnerabilities
08.30.43 - Evaria ECMS "DOCUMENT_ROOT" Parameter Multiple Remote File Include Vulnerabilities
08.30.44 - OpenPro "search_wA.php" Remote File Include
08.30.45 - Simple Machines Forum Multiple Unspecified "html-tag" and Random Generator Seeding Vulnerabilities
08.30.46 - FormEncode "chained_validators" Class Security Bypass
08.30.47 - CreaCMS Multiple Remote File Include Vulnerabilities
08.30.48 - Lemon CMS "browser.php" Local File Include
08.30.49 - Stash Cookie Authentication Bypass
08.30.50 - SWAT 4 Multiple Denial of Service Vulnerabilities
08.30.51 - phpScheduleIt "useLogonName" Security Bypass

______________________________________________________________________

PART I Critical Vulnerabilities

Part I for this issue has been compiled by Rob King at TippingPoint, a
division of 3Com, as a by-product of that company's continuous effort
to ensure that its intrusion prevention products effectively block
exploits using known vulnerabilities. TippingPoint's analysis is
complemented by input from a council of security managers from twelve
large organizations who confidentially share with SANS the specific
actions they have taken to protect their systems. A detailed description
of the process may be found at
http://www.sans.org/newsletters/cva/#process

*****************************
Widely Deployed Software
*****************************

(1) CRITICAL: Mozilla Products Memory Corruption Vulnerability
Affected:
Mozilla Firefox versions prior to 3.0.1
Mozilla Thunderbird versions prior to 2.0.0.16
Mozilla SeaMonkey versions prior to 1.1.11

Description: Products based on the Mozilla codebase, including the
popular Firefox web browser, contain a memory corruption vulnerability.
A specially crafted web page containing a script that manipulates CSS
objects could trigger this vulnerability. Successfully exploiting this
vulnerability would allow an attacker to execute arbitrary code with the
privileges of the current user. Full technical details are publicly
available for this vulnerability via various advisories and through
source code analysis. Note that Thunderbird is not believed to be
vulnerable in its default configuration.

Status: Vendor confirmed, updates available.

References:
Zero Day Initiative Advisory
http://zerodayinitiative.com/advisories/ZDI-08-044/
Mozilla Security Advisory
http://www.mozilla.org/security/announce/2008/mfsa2008-34.html
Mozilla Home Page
http://www.mozilla.org
SecurityFocus BID
http://www.securityfocus.com/bid/29802

***************************************************

(2) CRITICAL: Sun Java Web Start Multiple Vulnerabilities
Affected:
Sun Java Runtime Environment versions 6u7 and prior

Description: Java Web Start is a technology using Sun's Java Runtime
Environment to automatically launch applications distributed via the
web. It contains multiple vulnerabilities in its handling of these
applications. A specially crafted Java applet using Java Web Start could
trigger one of these vulnerabilities, leading to arbitrary code
execution or the modification of arbitrary files, in either case with
the privileges of the current user. Depending upon
configuration, Java Web Start applets may be launched upon receipt. Java
Web Start is installed by default on all Apple Mac OS X systems, as well
as many Unix, Unix-like, and Linux-based operating systems, and a large
number of Microsoft Windows systems. Some technical details are publicly
available for these vulnerabilities.

Status: Vendor confirmed, updates available.

References:
Zero Day Initiative Advisories
http://zerodayinitiative.com/advisories/ZDI-08-043/
http://zerodayinitiative.com/advisories/ZDI-08-042/
Sun Security Advisory
http://sunsolve.sun.com/search/document.do?assetkey=1-26-238905-1
Sun Java Home Page
http://java.sun.com/
SecurityFocus BID
http://www.securityfocus.com/bid/30148

***************************************************

(3) CRITICAL: Oracle WebLogic Apache Connector Buffer Overflow
Affected:
Oracle WebLogic Server versions 10.x and prior

Description: Oracle WebLogic (formerly BEA WebLogic) contains a buffer
overflow in its "mod_wl" Apache module. An overlong HTTP POST request
to a server using this module could trigger this buffer overflow,
allowing an attacker to execute arbitrary code with the privileges of
the vulnerable process. Full technical details and a proof-of-concept
exploit are publicly available for this vulnerability.

Status: Vendor has not confirmed, no updates available.

References:
Proof-of-Concept
http://milw0rm.com/exploits/6089
Product Home Pages
http://edocs.bea.com/wls/docs70/plugins/apache.html
http://www.bea.com/framework.jsp?CNT=index.htm&FP=/content/products/weblogic/server
SecurityFocus BID
http://www.securityfocus.com/bid/30273

***************************************************

(4) EXPLOIT: Multiple DNS Cache Poisoning Exploits
Affected:
Most major DNS implementations, including BIND and Microsoft DNS

Description: The DNS flaw discussed in a previous edition of RISK has
had its technical details disclosed and several working exploits
published. The full details of the exploit were originally going to be
disclosed at the Black Hat information security conference,
but were released early. Several exploits have been published, including
at least two for the popular Metasploit exploit framework. An attacker
who used one of these exploits could poison a target DNS server's cache,
allowing the attacker to return falsified responses to users' queries.
This could result in an attacker redirecting users to malicious hosts
for further exploitation, or stealing sensitive information.

Status: Vendors confirmed, updates available. Users are urged to apply
updates and patches as quickly as possible.

References:
Metasploit Exploit Modules
http://metasploit.com/dev/trac/browser/framework3/trunk/modules/auxiliary/spoof/dns/bailiwicked_domain.rb
http://metasploit.com/dev/trac/browser/framework3/trunk/modules/auxiliary/spoof/dns/bailiwicked_host.rb
Metasploit Home Page
http://metasploit.com
Proof-of-Concept
http://milw0rm.com/exploits/6123
Previous RISK Entry
http://www.sans.org/newsletters/risk/display.php?v=7&i=28#widely3

*******************************************************

Part II: Weekly Comprehensive List of Newly Discovered Vulnerabilities
Week 30, 2008
This list is compiled by Qualys ( www.qualys.com ) as part of that
company's ongoing effort to ensure its vulnerability management web
service tests for all known vulnerabilities that can be scanned. As of
this week Qualys scans for 5549 unique vulnerabilities. For this special
SANS community listing, Qualys also includes vulnerabilities that cannot
be scanned remotely.

______________________________________________________________________

08.30.1 CVE: Not Available
Platform: Windows
Title: Microsoft Windows Vista Shutdown Button Local Security Bypass
Description: Microsoft Windows is exposed to a local security bypass
issue. The problem occurs when the security option "Shutdown: Allow
system to be shutdown without having to log on" is disabled, and the
power management setting "When I press the power button" is set to
"Shut Down". Windows Vista SP1 is affected.
Ref: http://www.securityfocus.com/archive/1/494533
______________________________________________________________________

08.30.2 CVE: Not Available
Platform: Third Party Windows Apps
Title: PPMate PPMedia Class ActiveX Control Remote Buffer Overflow
Description: PPMate is a peer-to-peer video streaming application. The
application is exposed to a heap-based buffer overflow issue because
it fails to perform adequate boundary checks on user-supplied input.
PPMate version 2.3.1.93 is affected.
Ref: http://support.microsoft.com/kb/240797
______________________________________________________________________

08.30.3 CVE: Not Available
Platform: Third Party Windows Apps
Title: MediaMonkey URI Handling Multiple Denial of Service
Vulnerabilities
Description: MediaMonkey is an audio player. It is available for
Microsoft Windows platforms. The application is exposed to two denial
of service issues because it fails to properly handle certain URIs.
The issues can be triggered by overly long ".m3u" or ".pcast" URIs.
MediaMonkey version 3.0.3 is affected.
Ref: http://www.securityfocus.com/bid/30251
______________________________________________________________________

08.30.4 CVE: Not Available
Platform: Third Party Windows Apps
Title: BitComet URI Handling Remote Denial of Service
Description: BitComet is a BitTorrent/HTTP/FTP download management
application available for Microsoft Windows. The application is
exposed to a denial of service issue because it fails to properly
handle batch files containing an excessively large URI. BitComet
version 1.02 is affected.
Ref: http://www.securityfocus.com/bid/30255
______________________________________________________________________

08.30.5 CVE: Not Available
Platform: Third Party Windows Apps
Title: QuickPlayer ".m3u" File Buffer Overflow
Description: QuickPlayer is a media player application for Windows.
The application is exposed to a buffer overflow issue because it fails
to perform adequate boundary checks on user-supplied input. This issue
occurs when the application fails to handle overly large URIs in
".m3u" files. QuickPlayer version 1.3 is affected.
Ref: http://www.securityfocus.com/bid/30252
______________________________________________________________________

08.30.6 CVE: CVE-2008-2934
Platform: Mac Os
Title: Mozilla Firefox Mac OS X GIF Rendering Memory Corruption
Description: Mozilla Firefox is a browser available for multiple
platforms. The application is exposed to a memory corruption issue in
Mozilla graphics code for handling GIF files on the Mac OS X platform.
Firefox version 3.0 is affected.
Ref: http://www.mozilla.org/security/announce/2008/mfsa2008-36.html
______________________________________________________________________

08.30.7 CVE: Not Available
Platform: Linux
Title: Debian OpenSSH SELinux Privilege Escalation
Description: Debian Linux can be configured to utilize SELinux
extensions. OpenSSH may also be configured to utilize SELinux, and to
interface with the role-based privilege system. The application is
exposed to an SELinux privilege escalation issue due to a flaw in its
OpenSSH package.
Ref: http://www.securityfocus.com/bid/30276
______________________________________________________________________

08.30.8 CVE: CVE-2008-3187
Platform: Linux
Title: zypp-refresh-patches wrapper XML Repository Corruption
Description: The zypp-refresh-patches wrapper is used by various
online update applets in openSUSE to check for new software updates.
The application is exposed to a weakness that may allow attackers to
corrupt XML repositories. This issue occurs because the application
accepts new repository keys without verifying certificates.
Ref: http://www.securityfocus.com/bid/30293
______________________________________________________________________

08.30.9 CVE: Not Available
Platform: Cross Platform
Title: Oracle Weblogic Server Apache Connector Remote Buffer Overflow
Description: Oracle Weblogic Server (formerly known as BEA WebLogic
Server) is an enterprise application server product distributed by
Oracle. The application is exposed to a remote buffer overflow issue
because the application fails to perform adequate boundary checks on
user-supplied data. This issue affects the Apache Connector.
Ref: http://www.securityfocus.com/bid/30273
______________________________________________________________________

08.30.10 CVE: Not Available
Platform: Cross Platform
Title: IBM WebSphere Application Server "PropFilePasswordEncoder"
Unspecified Vulnerability
Description: IBM WebSphere Application Server is a utility designed to
facilitate the creation of various enterprise web applications. The
application is exposed to an unspecified issue that affects the
"PropFilePasswordEncoder" utility. WebSphere Application Server
versions prior to 5.1.1.19 are affected.
Ref: http://www-1.ibm.com/support/docview.wss?uid=swg27006879#51119
______________________________________________________________________

08.30.11 CVE: CVE-2008-1665
Platform: Cross Platform
Title: HP Select Identity Bidirectional LDAP Connector Remote
Unauthorized Access
Description: HP Select Identity (HPSI) Active Directory Bidirectional
LDAP Connector is exposed to an unauthorized access issue. HP Select
Identity Active Directory Bidirectional LDAP Connector versions 2.20,
2.20.001, 2.20.002 and 2.30 are affected.
Ref: http://www.securityfocus.com/bid/30250
______________________________________________________________________

08.30.12 CVE: Not Available
Platform: Cross Platform
Title: F-PROT Antivirus CHM File Remote Denial of Service
Description: F-PROT Antivirus is an antivirus application available
for multiple operating systems. The application is exposed to a remote
denial of service issue because it fails to properly handle malformed
CHM files. F-PROT Antivirus engine versions prior to 4.4.4 are
affected.
Ref: http://www.f-prot.com/download/ReleaseNotesWindows.txt
______________________________________________________________________

08.30.13 CVE: Not Available
Platform: Cross Platform
Title: F-PROT Antivirus Multiple File Processing Remote Denial of
Service Vulnerabilities
Description: F-PROT Antivirus is an antivirus application available for
multiple operating systems. The application is exposed to multiple
remote denial of service issues because it fails to properly handle
malformed files. F-PROT Antivirus engine versions prior to 4.4.4 are
affected.
Ref: http://www.f-prot.com/download/ReleaseNotesWindows.txt
______________________________________________________________________

08.30.14 CVE: Not Available
Platform: Cross Platform
Title: Velocity Security Management System HTTP Server Directory
Traversal
Description: Velocity Security Management System is a management
application for physical security devices such as door controls and
alarms. The application is exposed to a directory traversal issue
because it fails to sufficiently sanitize user-supplied input. This
issue occurs in the application's HTTP server. Velocity Security
Management System version 1.0 is affected.
Ref: http://www.securityfocus.com/archive/1/494422
______________________________________________________________________

08.30.15 CVE: Not Available
Platform: Cross Platform
Title: Spring Framework Multiple Remote Vulnerabilities
Description: Spring Framework is a layered Java/J2EE application
framework. The application is exposed to two security issues.
Attackers can exploit these issues to gain unauthorized access to
files on the web server or compromise the affected application.
Ref: http://www.springsource.com/securityadvisory
______________________________________________________________________

08.30.16 CVE: Not Available
Platform: Cross Platform
Title: CGI::Session "CGISESSID" Cookie Value Directory Traversal
Description: CGI::Session is a session manager library implemented in
Perl. The library is exposed to a directory traversal issue because it
fails to sufficiently sanitize user-supplied input to the "CGISESSID"
cookie value in "Session.pm". CGI::Session versions 3.94, 3.95 and
4.33 are affected.
Ref: http://vuln.sg/cgisession433-en.html
______________________________________________________________________

08.30.17 CVE: Not Available
Platform: Cross Platform
Title: OpenLink Virtuoso Multiple Denial Of Service Vulnerabilities
Description: OpenLink Virtuoso is an open-source object-relational SQL
database. The application is exposed to multiple remote denial of
service issues because it fails to properly handle certain types of
queries. OpenLink Virtuoso version 5.0.6 is affected.
Ref: http://sourceforge.net/project/shownotes.php?release_id=614029
______________________________________________________________________

08.30.18 CVE: Not Available
Platform: Cross Platform
Title: SmbClientParser Perl Module Remote Command Execution
Description: The SmbClientParser Perl module is an API used to access
Samba resources using "smbclient". The module is exposed to a remote
command execution issue because it fails to sufficiently sanitize
user-supplied data. An attacker could exploit this issue by enticing
an unsuspecting user to use a tool created with this module to scan a
shared folder that contains a folder with a specially crafted name.
Filesys::SmbClientParser version 2.7 is affected.
Ref: http://www.securityfocus.com/archive/1/494536
______________________________________________________________________

08.30.19 CVE: Not Available
Platform: Web Application - Cross Site Scripting
Title: IBS "username" Parameter Cross-Site Scripting
Description: IBS is an accounting application for Internet service
providers. The application is exposed to a cross-site scripting issue
because it fails to sanitize user-supplied input to the "username"
parameter of the "interface/ibs/admin/index.php" script. IBS version
0.15 is affected.
Ref: http://www.securityfocus.com/bid/30270
______________________________________________________________________

08.30.20 CVE: Not Available
Platform: Web Application - Cross Site Scripting
Title: LunarNight Laboratory WebProxy Cross-Site Scripting
Description: LunarNight Laboratory WebProxy is a Perl-based proxy. The
application is exposed to a cross-site scripting issue because it fails
to properly sanitize user-supplied input before using it in dynamically
generated content. LunarNight Laboratory WebProxy versions prior to
1.7.9 are affected.
Ref: http://www.securityfocus.com/bid/30283
______________________________________________________________________

08.30.21 CVE: Not Available
Platform: Web Application - Cross Site Scripting
Title: phpFreeChat "demo21_with_hardcoded_urls.php" Cross-Site
Scripting
Description: phpFreeChat is a chat application. The application is
exposed to a cross-site scripting issue because it fails to sanitize
user-supplied input to the "demo21_with_hardcoded_urls.php" script.
phpFreeChat version 1.1 is affected.
Ref: http://www.securityfocus.com/bid/30292
______________________________________________________________________

08.30.22 CVE: Not Available
Platform: Web Application - Cross Site Scripting
Title: MoinMoin "AdvancedSearch.py" Multiple Cross-Site Scripting
Vulnerabilities
Description: MoinMoin is a freely available, open-source wiki written
in Python. It is available for UNIX and Linux platforms. The
application is exposed to multiple cross-site scripting issues because
it fails to sanitize user-supplied input. These issues affect various
parameters of the "macro/AdvancedSearch.py" script. MoinMoin versions
1.7.0 and 1.6.3 are affected.
Ref: http://moinmo.in/SecurityFixes
______________________________________________________________________

08.30.23 CVE: Not Available
Platform: Web Application - SQL Injection
Title: phpHoo3 "phpHoo3.php" SQL Injection
Description: phpHoo3 is a link database. The application is exposed to
an SQL injection issue because it fails to sufficiently sanitize
user-supplied data to the "viewCat" parameter of the "phpHoo3.php"
script file before using it in an SQL query.
Ref: http://www.securityfocus.com/bid/30271
______________________________________________________________________

08.30.24 CVE: Not Available
Platform: Web Application - SQL Injection
Title: AlstraSoft Video Share Enterprise "album.php" SQL Injection
Description: AlstraSoft Video Share Enterprise is a web-based video
sharing application. The application is exposed to an SQL injection
issue because it fails to sufficiently sanitize user-supplied data to
the "UID" parameter of the "album.php" script before using it in an
SQL query.
Ref: http://www.securityfocus.com/bid/30272
______________________________________________________________________

08.30.25 CVE: Not Available
Platform: Web Application - SQL Injection
Title: AlstraSoft Article Manager Pro "contact_author.php" SQL
Injection
Description: AlstraSoft Article Manager Pro is a PHP-based content
management application. The application is exposed to an SQL injection
issue because it fails to sufficiently sanitize user-supplied data to
the "userid" parameter of the "contact_author.php" script before using
it in an SQL query.
Ref: http://www.securityfocus.com/bid/30274
______________________________________________________________________

08.30.26 CVE: Not Available
Platform: Web Application - SQL Injection
Title: Arctic Issue Tracker "filter" Parameter SQL Injection
Description: Arctic Issue Tracker is a web-based application for
tracking tasks. The application is exposed to an SQL injection issue
because it fails to sufficiently sanitize user-supplied data before
using it in an SQL query. Specifically, it fails to properly sanitize
the "filter" parameter of the "index.php" script. Arctic Issue Tracker
version v2.0.0 is affected.
Ref: http://www.securityfocus.com/bid/30277
______________________________________________________________________

08.30.27 CVE: Not Available
Platform: Web Application - SQL Injection
Title: preCMS "id" Parameter SQL Injection
Description: preCMS is a web-based content manager. The application is
exposed to an SQL injection issue because it fails to sufficiently
sanitize user-supplied data before using it in an SQL query.
Specifically, it fails to properly sanitize the "id" parameter of the
"index.php" script. preCMS version v.1 is affected.
Ref: http://www.securityfocus.com/bid/30278
______________________________________________________________________

08.30.28 CVE: Not Available
Platform: Web Application - SQL Injection
Title: HockeySTATS Online "index.php" Multiple SQL Injection
Vulnerabilities
Description: HockeySTATS Online is a PHP-based hockey statistics
tracking application. The application is exposed to multiple SQL
injection issues because it fails to sufficiently sanitize
user-supplied data to the "id" and "divid" parameters of the
"index.php" script before using it in an SQL query. HockeySTATS Online
Basic and Advanced version 2.0 is affected.
Ref: http://www.securityfocus.com/bid/30248
______________________________________________________________________

08.30.29 CVE: Not Available
Platform: Web Application - SQL Injection
Title: Joomla! and Mambo DT Register Component "eventId" Parameter SQL
Injection
Description: DT Register is a PHP-based component for the Mambo and
Joomla! content managers used for managing event registrations. The
application is exposed to an SQL injection issue because it fails to
sufficiently sanitize user-supplied data to the "eventId" parameter of
the "com_dtregister" component before using it in an SQL query.
Ref: http://www.securityfocus.com/bid/30256
______________________________________________________________________

08.30.30 CVE: Not Available
Platform: Web Application - SQL Injection
Title: AlstraSoft Affiliate Network Pro "pgm" Parameter SQL Injection
Description: AlstraSoft Affiliate Network Pro is a web-based affiliate
marketing solution. The application is exposed to an SQL injection
issue because it fails to sufficiently sanitize user-supplied data
before using it in an SQL query.
Ref: http://www.securityfocus.com/bid/30259
______________________________________________________________________

08.30.31 CVE: Not Available
Platform: Web Application - SQL Injection
Title: tplSoccerSite Multiple SQL Injection Vulnerabilities
Description: tplSoccerSite is a web-based soccer stats application.
The application is exposed to multiple SQL injection issues because it
fails to sufficiently sanitize user-supplied data. tplSoccerSite
version 1.0 is affected.
Ref: http://www.securityfocus.com/bid/30260
______________________________________________________________________

08.30.32 CVE: Not Available
Platform: Web Application - SQL Injection
Title: Def_Blog "article" Parameter Multiple SQL Injection
Vulnerabilities
Description: Def_Blog is a web-log application. The application is
exposed to multiple SQL injection issues because it fails to
sufficiently sanitize user-supplied data to the "article" parameter of
the "comaddok.php" and "comlook.php" scripts. Def_Blog version 1.0.3 is
affected.
Ref: http://www.securityfocus.com/bid/30289
______________________________________________________________________

08.30.33 CVE: Not Available
Platform: Web Application - SQL Injection
Title: Siteframe "folder.php" SQL Injection
Description: Siteframe is a content manager. The application is
exposed to an SQL injection issue because it fails to sufficiently
sanitize user-supplied data to the "id" parameter of the "folder.php"
script before using it in an SQL query.
Ref: http://www.securityfocus.com/bid/30294
______________________________________________________________________

08.30.34 CVE: Not Available
Platform: Web Application - SQL Injection
Title: Aprox CMS Engine "index.php" SQL Injection
Description: phpHoo3 is a link database. The application is exposed to
an SQL injection issue because it fails to sufficiently sanitize
user-supplied data to the "id" parameter of the "index.php" script
before using it in an SQL query. Aprox CMS Engine version 5.1.0.4 is
affected.
Ref: http://www.securityfocus.com/bid/30295
______________________________________________________________________

08.30.35 CVE: Not Available
Platform: Web Application - SQL Injection
Title: PHPFootball "show.php" SQL Injection
Description: PHPFootball is a web-based management application for
football leagues. The application is exposed to an SQL injection issue
because it fails to sufficiently sanitize user-supplied data to the
"dbtable" parameter of the "show.php" script before using it in an SQL
query. PHPFootball version 1.6 is affected.
Ref: http://www.securityfocus.com/bid/30296
______________________________________________________________________

08.30.36 CVE: Not Available
Platform: Web Application - SQL Injection
Title: Zoph Multiple SQL Injection Vulnerabilities
Description: Zoph is a PHP-based application for managing digital
photographs. The application is exposed to multiple SQL injection
issues because it fails to sufficiently sanitize user-supplied data.
Zoph versions prior to 0.7.0.5 are affected.
Ref: http://sourceforge.net/project/shownotes.php?group_id=69353&release_id=614672
______________________________________________________________________

08.30.37 CVE: Not Available
Platform: Web Application
Title: Claroline Multiple Unspecified Security Vulnerabilities
Description: Claroline is a PHP-based online educational platform. The
application is exposed to multiple unspecified issues. Claroline
version 1.8.9 is affected.
Ref: http://www.securityfocus.com/archive/1/494539
______________________________________________________________________

08.30.38 CVE: Not Available
Platform: Web Application
Title: Community CMS "include.php" Remote File Include
Description: Community CMS is a PHP-based content manager. The
application is exposed to a remote file include issue because it fails
to sufficiently sanitize user-supplied input to the "root" parameter
of the "include.php" script. Community CMS version 0.1 is affected.
Ref: http://www.securityfocus.com/archive/1/494503
______________________________________________________________________

08.30.39 CVE: CVE-2008-2232
Platform: Web Application
Title: Afuse "afuse.c" Shell Command Injection
Description: Afuse is an auto mounting file system implemented in
user-space. The application is exposed to a command injection issue in
the "afuse.c" file. Specifically, the application fails to sanitize
metacharacters in a user-supplied filename. Afuse version 2.0-2 is
affected.
Ref: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=490921
______________________________________________________________________

08.30.40 CVE: Not Available
Platform: Web Application
Title: Galatolo WebManager Cookie Authentication Bypass
Description: Galatolo WebManager is a PHP-based content manager. The
application is exposed to an authentication bypass issue because it
fails to adequately verify user-supplied input used for cookie-based
authentication. Galatolo WebManager version 1.3a is affected.
Ref: http://www.securityfocus.com/bid/30247
______________________________________________________________________

08.30.41 CVE: Not Available
Platform: Web Application
Title: PhotoPost vBGallery "upload.php" Arbitrary File Upload
Description: PhotoPost vBGallery is a PHP-based photo sharing
application for the vBulletin forum. The application is exposed to an
issue that lets remote attackers upload and execute arbitrary script
code because it fails to properly sanitize user-supplied input to the
"upload.php" script. PhotoPost vBGallery version v2.4.2 is affected.
Ref: http://www.securityfocus.com/bid/30249
______________________________________________________________________

08.30.42 CVE: Not Available
Platform: Web Application
Title: PHPizabi "v_cron_proc.php" Arbitrary Script Injection
Vulnerabilities
Description: PHPizabi is a PHP-based content manager. The application
is exposed to two issues that allow attackers to execute arbitrary
script code because it fails to properly sanitize user-supplied input
to the "CONF["CRON_LOGFILE"]" and "CONF["LOCALE_LONG_DATE_TIME"]"
parameters of the "system/v_cron_proc.php" script. PHPizabi version
0.848b C1 HFP1 is affected.
Ref: http://www.securityfocus.com/bid/30257
______________________________________________________________________

08.30.43 CVE: Not Available
Platform: Web Application
Title: Evaria ECMS "DOCUMENT_ROOT" Parameter Multiple Remote File
Include Vulnerabilities
Description: ECMS is a web-based content management system. The
application is exposed to multiple remote file include issues because
it fails to sufficiently sanitize user-supplied input to the
"DOCUMENT_ROOT" parameter of the following scripts: "index.php" and
"eprint.php". ECMS version 1.1 is affected.
Ref: http://www.securityfocus.com/bid/30262
______________________________________________________________________

08.30.44 CVE: Not Available
Platform: Web Application
Title: OpenPro "search_wA.php" Remote File Include
Description: OpenPro is a web-based application. The application is
exposed to a remote file include issue because it fails to
sufficiently sanitize user-supplied input to the "LIBPATH" parameter
of the "search_wA.php" script. OpenPro version 1.3.1 is affected.
Ref: http://www.securityfocus.com/bid/30264
______________________________________________________________________

08.30.45 CVE: CVE-2008-3073, CVE-2008-3072
Platform: Web Application
Title: Simple Machines Forum Multiple Unspecified "html-tag" and
Random Generator Seeding Vulnerabilities
Description: Simple Machines Forum is web-based forum software. It is
exposed to multiple unspecified issues: one arises from the use of
"html-tag", and another is due to improper seeding of the random number
generator. Simple Machines Forum versions prior to 1.0.13 and 1.1.5 are
affected.
Ref: http://www.securityfocus.com/bid/30271
______________________________________________________________________

08.30.46 CVE: Not Available
Platform: Web Application
Title: FormEncode "chained_validators" Class Security Bypass
Description: FormEncode is a validation and form generation package
implemented in Python. The application is exposed to an issue that may
allow users to bypass certain filters. FormEncode version 1.0 is
affected.
Ref: http://sourceforge.net/tracker/index.php?func=detail&aid=1925164&group_id=91231&atid=596416
______________________________________________________________________

08.30.47 CVE: Not Available
Platform: Web Application
Title: CreaCMS Multiple Remote File Include Vulnerabilities
Description: CreaCMS is a PHP-based content manager. The application
is exposed to multiple remote file include issues because it fails to
sufficiently sanitize user-supplied input. CreaCMS version 1 is
affected.
Ref: http://www.securityfocus.com/bid/30284
______________________________________________________________________

08.30.48 CVE: Not Available
Platform: Web Application
Title: Lemon CMS "browser.php" Local File Include
Description: Lemon CMS is a content manager. The application is
exposed to a local file include issue because it fails to properly
sanitize user-supplied input to the "dir" parameter of the
"lemon_includes/FCKeditor/editor/filemanager/browser/browser.php"
script. Lemon CMS version 1.10 is affected.
Ref: http://www.securityfocus.com/bid/30285
______________________________________________________________________

08.30.49 CVE: Not Available
Platform: Web Application
Title: Stash Cookie Authentication Bypass
Description: Stash is a PHP-based content manager specifically for
managing band web sites. The application is exposed to an
authentication bypass issue because it fails to adequately verify
user-supplied input used for cookie-based authentication. Stash
version 1.0.3 is affected.
Ref: http://www.securityfocus.com/bid/30286
______________________________________________________________________

08.30.50 CVE: Not Available
Platform: Web Application
Title: SWAT 4 Multiple Denial of Service Vulnerabilities
Description: SWAT 4 is a first-person shooter computer game. The
application is exposed to multiple remote denial of service issues
because it fails to properly handle certain input. SWAT version 4 1.1
is affected.
Ref: http://www.securityfocus.com/bid/30299
______________________________________________________________________

08.30.51 CVE: Not Available
Platform: Web Application
Title: phpScheduleIt "useLogonName" Security Bypass
Description: phpScheduleIt is a web-based reservation and scheduling
system. The application is exposed to an issue that gives an attacker
unauthorized access to administration areas of the application because
the software fails to properly restrict access in an unspecified
script. phpScheduleIt versions up to and including 1.2.9 are affected.
Ref: http://www.securityfocus.com/bid/30300
______________________________________________________________________

(c) 2008. All rights reserved. The information contained in this
newsletter, including any external links, is provided "AS IS," with no
express or implied warranty, for informational purposes only. In some
cases, copyright for material in this newsletter may be held by a
party other than Qualys (as indicated herein) and permission to use
such material must be requested from the copyright owner.

Subscriptions: RISK is distributed free of charge by the SANS Institute
to people responsible for managing and securing information systems and
networks. You may forward this newsletter to others with such
responsibility inside or outside your organization.

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.8 (Darwin)

iEYEARECAAYFAkiJCGAACgkQ+LUG5KFpTkZ45QCfSI4AbtHjjpBd3H6TjJ8e6qGR
gWwAn3eU9d2j/YOdVKdkev8UKD0vQ8jU
=igwS
-----END PGP SIGNATURE-----