RISK: The Consensus Security Vulnerability Alert Vol. 8 No. 23

From: The SANS Institute (ConsensusSecurityVulnerabilityAlertsans.org)
Date: Thu Jun 04 2009 - 23:03:55 CDT



Microsoft DirectX DirectShow, Apple QuickTime and Apple iTunes are the
top priorities this week.
                                 Alan
*************************************************************************
            RISK: The Consensus Security Vulnerability Alert
June 4, 2009 Vol. 8. Week 23
*************************************************************************
RISK is the SANS community's consensus bulletin summarizing the most
important vulnerabilities and exploits identified during the past week
and providing guidance on appropriate actions to protect your systems
(PART I). It also includes a comprehensive list of all new
vulnerabilities discovered in the past week (PART II).

Summary of Updates and Vulnerabilities in this Consensus
Platform                                  Number of Updates and Vulnerabilities
----------------------------------------  -------------------------------------
Windows                                    2
Third Party Windows Apps                   4 (#1, #5)
Mac OS                                     1 (#3)
Linux                                      3
Unix                                       1 (#6)
Cross Platform                            31 (#2, #4, #7)
Web Application - Cross Site Scripting     7
Web Application - SQL Injection            7
Web Application                           11
Network Device                             2

************************ Sponsored By Sourcefire, Inc. ******************

Your Network Security Isn't Good Enough Anymore

Today's threats-and networks-are dynamic. Unfortunately most network
security systems are not.

Join Martin Roesch, Founder and CTO of Sourcefire(r) and Creator of
Snort(r), in a series of seminars, as he shows why network security must
include full network visibility, relevant context, and automated impact
assessment to be effective.

More information http://www.sans.org/info/44289
*************************************************************************
TRAINING UPDATE
- SANSFIRE in Baltimore 6/13-6/20 (24 long courses, 12 short courses)
       http://www.sans.org/sansfire09/event.php
- Rocky Mountain SANS, July 7-13 (6 full-length hands-on courses)
     http://www.sans.org/rockymnt2009/event.php
- SANS Boston, Aug 2-9 (6 full-length hands-on courses)
     https://www.sans.org/boston09/index.php
- National Forensics Summit, July 6-14
     http://www.sans.org/forensics09_summit/
Looking for training in your own community? http://sans.org/community/
Save 25% on all On-Demand training (30 full courses) - See samples at
       http://www.sans.org/ondemand/spring09.php
Plus Amsterdam, London, Dubai, Riyadh, Cairo, Melbourne, Canberra, and
Singapore all in the next 90 days. For a list of all upcoming events,
on-line and live: www.sans.org
*************************************************************************

Table Of Contents
Part I -- Critical Vulnerabilities from TippingPoint (www.tippingpoint.com)
Widely Deployed Software
(1) CRITICAL: Microsoft DirectX DirectShow Remote Code Execution Vulnerability
(2) CRITICAL: Apple QuickTime Multiple Vulnerabilities
(3) CRITICAL: Apple iTunes Multiple Protocol Handlers Buffer Overflow Vulnerability
(4) CRITICAL: Apple Terminal Window Resize command Integer Overflow vulnerability
(5) CRITICAL: SafeNet SoftRemote IKE service Buffer Overflow Vulnerability
(6) HIGH: CUPS Multiple Integer Overflow Vulnerabilities and Denial of Service Vulnerability
(7) MODERATE: IBM WebSphere MQ Buffer Overflow Vulnerability

Part II -- Comprehensive List of Newly Discovered Vulnerabilities from Qualys (www.qualys.com)
 -- Windows
09.23.1 - Microsoft Windows Desktop Wall Paper System Parameter Local Denial of Service
09.23.2 - Microsoft Windows "win32k.sys" Local Denial of Service
 -- Third Party Windows Apps
09.23.3 - Citrix Password Manager Secondary Credentials Local Information Disclosure
09.23.4 - Microsoft DirectX DirectShow QuickTime Video Remote Code Execution
09.23.5 - ICQ "ICQToolBar.dll" Denial of Service
09.23.6 - Safenet SoftRemote IKE Service Remote Stack Buffer Overflow
 -- Mac OS
09.23.7 - Apple Mac OS X Terminal Window Resize Command Integer Overflow
 -- Linux
09.23.8 - Linux Kernel "splice(2)" Double Lock Local Denial of Service
09.23.9 - strongSwan IKE Request Multiple Remote Denial of Service Vulnerabilities
09.23.10 - Linux Kernel "e1000/e1000_main.c" Remote Denial of Service
 -- Unix
09.23.11 - CUPS "cups/ipp.c" NULL Pointer Dereference Denial of Service
 -- Cross Platform
09.23.12 - pam_krb5 Existing/Non-Existing Username Enumeration Weakness
09.23.13 - IBM Hardware Management Console (HMC) Shared Memory Unspecified Vulnerability
09.23.14 - Apache "Options" and "AllowOverride" Directives Security Bypass
09.23.15 - libsndfile Audio Data Multiple Denial of Service Vulnerabilities
09.23.16 - Mozilla Firefox "keygen" HTML Tag Denial of Service
09.23.17 - IBM WebSphere Partner Gateway "bcgarchive" Information Disclosure
09.23.18 - Pinnacle Hollywood FX ".hfz" File Handling Remote Denial of Service
09.23.19 - OpenSSL "dtls1_retrieve_buffered_fragment()" DTLS Packet Denial of Service
09.23.20 - Ston3D S3DPlayer Web and StandAlone "system.openURL()" Remote Command Injection
09.23.21 - VMware Products Descheduled Time Accounting Driver Denial Of Service
09.23.22 - Multiple Avira AntiVir Products RAR/CAB/ZIP/LH File Scan Evasion
09.23.23 - SonicWALL SSL-VPN "cgi-bin/welcome/VirtualOffice" Remote Format String
09.23.24 - Adobe Acrobat Stack Exhaustion Denial of Service
09.23.25 - Xvid Video Codec Macroblock Number Heap Buffer Overflow
09.23.26 - Apple iTunes "itms:" URI Stack Buffer Overflow
09.23.27 - Xvid Video Codec DirectShow Initialization Logic Heap Buffer Overflow
09.23.28 - Apple QuickTime Sorenson 3 Video File Remote Memory Corruption
09.23.29 - Apple QuickTime FLC Compression File Heap Overflow
09.23.30 - Apple QuickTime PSD Image Buffer Overflow
09.23.31 - Apple QuickTime User Atom Data Size Uninitialized Memory Access Remote Code Execution
09.23.32 - Apple QuickTime MS ADPCM Audio File Heap Buffer Overflow
09.23.33 - Apple QuickTime PICT Image Heap Overflow
09.23.34 - Apple QuickTime JP2 Image Handling Heap Buffer Overflow
09.23.35 - Apple QuickTime Image Description Atom Sign Extension
09.23.36 - Apple QuickTime Clipping Region (CRGN) Atom Types Heap Overflow
09.23.37 - IBM WebSphere MQ Remote Buffer Overflow
09.23.38 - IBM DB2 Denial of Service And Security Bypass Vulnerabilities
09.23.39 - GStreamer gst-plugins-good "gstpngdec.c" PNG Output Buffer Integer Overflow
09.23.40 - OpenSSL "ChangeCipherSpec" DTLS Packet Denial of Service
09.23.41 - Multiple ACDSee Products TIFF File Remote Buffer Overflow
09.23.42 - Multiple ACDSee Products Font File Remote Buffer Overflow
 -- Web Application - Cross Site Scripting
09.23.43 - Vanilla "ajax/updatecheck.php" Cross-Site Scripting
09.23.44 - Lussumo Vanilla "updatecheck.php" Cross Site Scripting
09.23.45 - PRTG Traffic Grapher "Monitor_Bandwidth" Cross Site Scripting
09.23.46 - Simple Machines Forum "image/bmp" MIME Type Cross-Site Scripting
09.23.47 - Achievo Multiple Cross Site Scripting Vulnerabilities
09.23.48 - eliteCMS Arbitrary File Upload and Cross Site Scripting Vulnerabilities
09.23.49 - PHP-Nuke Downloads Module "query" Parameter Cross Site Scripting
 -- Web Application - SQL Injection
09.23.50 - PHP-Nuke "main/tracking/userLog.php" SQL Injection
09.23.51 - AgoraGroups Joomla! Component "id" Parameter SQL Injection
09.23.52 - phpBugTracker "include.php" SQL Injection
09.23.53 - Arab Portal "X-Forwarded-for" Header SQL Injection
09.23.54 - ZeusCart "maincatid" Parameter SQL Injection
09.23.55 - OCS Inventory NG Server Multiple SQL Injection Vulnerabilities
09.23.56 - Joomla! Juser Component "id" Parameter SQL Injection
 -- Web Application
09.23.57 - Easy PX 41 CMS "fiche" Parameter Local File Include
09.23.58 - SiteX "THEME_FOLDER" Parameter Multiple Local File Include Vulnerabilities
09.23.59 - Drupal Ajax Session Module Multiple Input Validation Vulnerabilities
09.23.60 - ATutor "documentation/index.php" URL Handling Phishing
09.23.61 - Drupal Embedded Media Field Module Create Content Multiple HTML Injection Vulnerabilities
09.23.62 - Phorum "image/bmp" MIME Type HTML Injection
09.23.63 - Woltlab Burning Board "image/bmp" MIME Type HTML-Injection
09.23.64 - Joomla! JVideo! Component 'user_id' Parameter SQL Injection
09.23.65 - AlstraSoft Article Manager Pro "article/register.php" Remote File Upload
09.23.66 - Unclassified NewsBoard Multiple Remote Vulnerabilities
09.23.67 - Joomla! Prior to 1.5.11 Multiple Cross Site Scripting Vulnerabilities
 -- Network Device
09.23.68 - Linksys WAG54G2 Web Management Console Remote Arbitrary Shell Command Injection
09.23.69 - Asmax Ar-804gu Router "script" Remote Arbitrary Shell Command Injection
______________________________________________________________________

PART I Critical Vulnerabilities
Part I for this issue has been compiled by Rohan Kotian at TippingPoint,
a division of 3Com, as a by-product of that company's continuous effort
to ensure that its intrusion prevention products effectively block
exploits using known vulnerabilities. TippingPoint's analysis is
complemented by input from a council of security managers from twelve
large organizations who confidentially share with SANS the specific
actions they have taken to protect their systems. A detailed description
of the process may be found at
http://www.sans.org/newsletters/cva/#process

*****************************
Widely Deployed Software
*****************************

(1) CRITICAL: Microsoft DirectX DirectShow Remote Code Execution Vulnerability
Affected:
DirectX 7.0 on Microsoft Windows 2000 Service Pack 4
DirectX 8.1 on Microsoft Windows 2000 Service Pack 4
DirectX 9.0x on Microsoft Windows 2000 Service Pack 4
DirectX 9.0x on Windows XP Service Pack 2 and Windows XP Service Pack 3
DirectX 9.0x on Windows XP Professional x64 Edition Service Pack 2
DirectX 9.0x on Windows Server 2003 Service Pack 2
DirectX 9.0x on Windows Server 2003 x64 Edition Service Pack 2
DirectX 9.0x on Windows Server 2003 with SP2 for Itanium-based Systems

Description: Microsoft DirectX is a multimedia framework for the Windows
operating system. DirectShow, a component of Microsoft DirectX, is used
for streaming media on Windows, with the ability to capture and play back
high-quality streams. There is a vulnerability in Microsoft's quartz.dll,
part of the Microsoft DirectShow platform, in the way it processes
QuickTime format files. A specially crafted malicious QuickTime file,
when opened by Windows Media Player, can trigger this vulnerability. The
media playback plug-ins of browsers can also serve as an attack vector:
an attacker creates a web page that uses the plug-in to play the
malicious QuickTime file. Successful exploitation leads to arbitrary code
execution. Note that no version of Windows Vista or Windows Server 2008
is affected by this issue. Technical details of the vulnerability are not
publicly available.

Status: Vendor confirmed, no updates available.

References:
Microsoft Security Advisory (971778)
http://www.microsoft.com/technet/security/advisory/971778.mspx
Security Research & Defense : New vulnerability in quartz.dll QuickTime parsing
http://blogs.technet.com/srd/archive/2009/05/28/new-vulnerability-in-quicktime-parsing.aspx
Product HomePage
http://msdn.microsoft.com/en-us/directx/default.aspx
SecurityFocus BID
http://www.securityfocus.com/bid/35139

*************************************************************

(2) CRITICAL: Apple QuickTime Multiple Vulnerabilities
Affected:
Apple QuickTime player prior to 7.6.2

Description: QuickTime is Apple's streaming media framework for its Mac
OS X operating system and for Microsoft Windows. It contains multiple
vulnerabilities in its handling of a variety of media and image files.
The specific flaws are: a) a vulnerability in the decompression of a
delta-encoded chunk; b) heap overflow vulnerabilities while parsing
malformed .PSD image files, PICT files inside .qts files, and JPEG 2000
image files; c) a heap overflow vulnerability while parsing Clipping
Region atom types in QuickTime movie files. Successful exploitation may
lead to arbitrary code execution with the privileges of the current user.
Most QuickTime-supported files are opened upon receipt without any prompt
to the user. QuickTime is installed by default on all Apple Mac OS
systems and is installed as part of a variety of Apple products for
Microsoft Windows, including iTunes. Some technical details are available
for these vulnerabilities.

Status: Vendor confirmed, updates available.

References:
Zero Day Initiative Advisories
http://zerodayinitiative.com/advisories/ZDI-09-025
http://zerodayinitiative.com/advisories/ZDI-09-026
http://zerodayinitiative.com/advisories/ZDI-09-027
http://zerodayinitiative.com/advisories/ZDI-09-028
http://zerodayinitiative.com/advisories/ZDI-09-029
http://zerodayinitiative.com/advisories/ZDI-09-030
Apple Security Advisory
http://support.apple.com/kb/HT3591
Product Home Page
http://www.apple.com/quicktime
SecurityFocus BIDs
http://www.securityfocus.com/bid/35161
http://www.securityfocus.com/bid/35164
http://www.securityfocus.com/bid/35165
http://www.securityfocus.com/bid/35166
http://www.securityfocus.com/bid/35167
http://www.securityfocus.com/bid/35168

*************************************************************

(3) CRITICAL: Apple iTunes Multiple Protocol Handlers Buffer Overflow Vulnerability
Affected:
Apple iTunes versions prior to 8.2

Description: iTunes is a digital media player by Apple Inc., used for
music and media management. There is a stack overflow vulnerability in
the URI handlers associated with iTunes. The specific vulnerable URI
handlers are "itms", "itmss", "daap", "pcast", and "itpc"; the overflow
condition is reached when URLs are processed via these protocol handlers.
Successful exploitation might lead to arbitrary code execution in the
context of the logged-in user. Technical details for this vulnerability
are available in the form of a publicly disclosed proof of concept. To
exploit it, an attacker has to entice the unsuspecting user into visiting
the website hosting the malicious page.

Status: Vendor confirmed, updates available.

References:
TippingPoint DVLabs Security Advisory
http://dvlabs.tippingpoint.com/advisory/TPTI-09-03
Apple Security Advisory
http://support.apple.com/kb/HT3592
Wikipedia article on iTunes
http://en.wikipedia.org/wiki/ITunes
Product HomePage
http://www.apple.com/itunes/
SecurityFocus BID
http://www.securityfocus.com/bid/35157/

*************************************************************

(4) CRITICAL: Apple Terminal Window Resize command Integer Overflow vulnerability
Affected:
Apple Mac OS X Server 10.5.6 and prior
Apple Mac OS X 10.5.6 and prior

Description: Apple Terminal is a terminal emulator included in Apple's
Mac OS X operating system, which allows the user to interact with the
operating system through the command line interface. There is an integer
overflow vulnerability in the handling of Terminal window sizes. The
specific flaw is in Terminal.app's handling of the xterm escape sequence
'CSI[4', which performs window resizing. A very large negative (x,y) size
value might result in an integer overflow leading to memory corruption.
Successful exploitation might allow an attacker to execute arbitrary code
with the privileges of the logged-in user. To exploit it, an attacker has
to entice the unsuspecting user into visiting the website hosting the
malicious page.

Status: Vendor confirmed, updates available.

References:
TippingPoint DVLabs Security Advisory
http://dvlabs.tippingpoint.com/advisory/TPTI-09-04
Apple Security Advisory
http://support.apple.com/kb/HT3549
Wikipedia Article on Apple Terminal
http://en.wikipedia.org/wiki/Apple_Terminal
Product HomePage
http://www.apple.com/macosx/
SecurityFocus BID
http://www.securityfocus.com/bid/35182

*************************************************************

(5) CRITICAL: SafeNet SoftRemote IKE service Buffer Overflow Vulnerability
Affected:
SafeNet SoftRemote versions prior to 10.8.6

Description: SafeNet is a supplier of encryption technologies that
protect identities, provide secure communications and secure
intellectual property. SafeNet SoftRemote is a remote access client
application from SafeNet, used to connect remote users to corporate
Virtual Private Networks (VPNs). There is a stack-based overflow
vulnerability in some installations of SoftRemote. The specific flaw is
in the "ireIke.exe" service, which does not handle long requests
adequately. This service listens on UDP port 62514. An attacker who
sends an overly long request to UDP port 62514 can exploit this
vulnerability and execute arbitrary code with SYSTEM credentials.
Authentication is not required to carry out this attack.

Status: Vendor has confirmed, updates available.

References:
Zero Day Initiative Advisories
http://zerodayinitiative.com/advisories/ZDI-09-024
Product HomePage
http://www.safenet-inc.com/products/vpn/softRemote.asp
SecurityFocus BID
http://www.securityfocus.com/bid/35154

*************************************************************

(6) HIGH: CUPS Multiple Integer Overflow Vulnerabilities and Denial of Service Vulnerability
Affected:
CUPS 1.1.x
CUPS 1.3.x

Description: CUPS is the Common UNIX Printing System, the standard
printing system on a variety of UNIX, Unix-like, and Linux operating
systems. It is an open source printing system developed by Apple for Mac
OS X, where it is the default printing system. Multiple integer overflow
vulnerabilities were identified in the CUPS "pdftops" filter, which is
used to convert PDF files into PostScript. A specially crafted PDF file,
if printed, would either crash "pdftops" or execute arbitrary code as the
"lp" user. The denial-of-service vulnerability is in the function
"ippReadIO()" in "cups/ipp.c", while processing a specially crafted
Internet Printing Protocol (IPP) request that has two consecutive
"IPP_TAG_UNSUPPORTED" tags. Full technical details of these
vulnerabilities are publicly available through source code analysis.

Status: Vendor has confirmed, updates available.

References:
Red Hat Bugzilla Bug 491840
https://bugzilla.redhat.com/show_bug.cgi?id=491840
Core Security Technologies Advisory
http://www.coresecurity.com/content/AppleCUPS-null-pointer-vulnerability
Product HomePage
http://www.cups.org
SecurityFocus BIDs
http://www.securityfocus.com/bid/35195
http://www.securityfocus.com/bid/35169

*************************************************************

(7) MODERATE: IBM WebSphere MQ Buffer Overflow Vulnerability
Affected:
WebSphere MQ prior to 6.0.2.7
WebSphere MQ prior to 7.0.1.0

Description: IBM WebSphere MQ is a family of network communication
software from IBM to provide connectivity and integration between
independent and non-concurrent applications on distributed systems.
There is a buffer overflow vulnerability in WebSphere MQ which can allow
attackers to compromise the vulnerable system. The flaw is in the way
the MQ server processes inbound data on a client connection, and a
specially crafted client request can be used to cause the buffer to
overflow. The attackers might need valid authentication under some
conditions to exploit this vulnerability. Successful exploitation might
lead to arbitrary code execution.

Status: Vendor has confirmed, updates available.

References:
IBM WebSphere MQ Security Vulnerability
http://www-01.ibm.com/support/docview.wss?uid=swg21386826
IBM WebSphere MQ planned maintenance release dates
http://www-01.ibm.com/support/docview.wss?uid=swg27006309#1
Wikipedia Article on IBM WebSphere MQ
http://en.wikipedia.org/wiki/IBM_WebSphere_MQ
Product HomePage
http://www-01.ibm.com/software/integration/wmq/
SecurityFocus BIDs
http://www.securityfocus.com/bid/35170

*************************************************************

Part II: Weekly Comprehensive List of Newly Discovered Vulnerabilities
Week 23, 2009
This list is compiled by Qualys ( www.qualys.com ) as part of that
company's ongoing effort to ensure its vulnerability management web
service tests for all known vulnerabilities that can be scanned. As of
this week Qualys scans for 7070 unique vulnerabilities. For this special
SANS community listing, Qualys also includes vulnerabilities that cannot
be scanned remotely.
______________________________________________________________________

09.23.1 CVE: Not Available
Platform: Windows
Title: Microsoft Windows Desktop Wall Paper System Parameter Local
Denial of Service
Description: Microsoft Windows is exposed to a local denial of service
issue because the operating system fails to perform adequate boundary
checks on user-supplied data. This issue occurs when handling an
excessively large Desktop wallpaper system parameter. Windows XP SP3
is affected.
Ref: http://www.securityfocus.com/bid/35120
______________________________________________________________________

09.23.2 CVE: Not Available
Platform: Windows
Title: Microsoft Windows "win32k.sys" Local Denial of Service
Description: Microsoft Windows is prone to a local denial of service
vulnerability. This issue affects the "win32k.sys" system file.
Attackers may exploit this issue to crash the affected computer,
denying service to legitimate users. Given the nature of this issue,
attackers may also be able to run arbitrary code with SYSTEM-level
privileges, but this has not been confirmed. Windows Vista and Windows
Server 2003 are affected.
Ref: http://bugtraq.ru/cgi-bin/forum.mcgi?type=sb&b=2&m=152274
______________________________________________________________________

09.23.3 CVE: Not Available
Platform: Third Party Windows Apps
Title: Citrix Password Manager Secondary Credentials Local Information
Disclosure
Description: Citrix Password Manager is a single sign-on application
for Microsoft Windows. The application is exposed to a local
information disclosure issue. Specifically, local attackers may
exploit this issue to access stored secondary credentials despite
configured security policies. Password Manager versions prior to 4.6
SP1 are affected.
Ref: http://support.citrix.com/article/CTX120743
______________________________________________________________________

09.23.4 CVE: CVE-2009-1379
Platform: Third Party Windows Apps
Title: Microsoft DirectX DirectShow QuickTime Video Remote Code
Execution
Description: Microsoft DirectX is a multimedia API for Microsoft
Windows. DirectShow is a component of DirectX used for streaming
media. DirectX is exposed to a remote code execution issue because the
DirectShow component fails to properly handle QuickTime media files.
Successfully exploiting this issue allows the attacker to execute
arbitrary code in the context of the user running the application that
uses DirectX.
Ref:
http://rt.openssl.org/Ticket/Display.html?id=1923&user=guest&pass=guest
______________________________________________________________________

09.23.5 CVE: Not Available
Platform: Third Party Windows Apps
Title: ICQ "ICQToolBar.dll" Denial of Service
Description: ICQ is an instant messaging client. ICQ is exposed to a
denial of service issue because the application fails to perform
adequate boundary checks on user-supplied data. Specifically, the
issue occurs in the "ICQToolBar.dll" file when processing specially
crafted ".url" files. ICQ version 6.5 is affected.
Ref: http://www.securityfocus.com/archive/1/503935
______________________________________________________________________

09.23.6 CVE: Not Available
Platform: Third Party Windows Apps
Title: Safenet SoftRemote IKE Service Remote Stack Buffer Overflow
Description: Safenet SoftRemote is a remote access client available
for Microsoft Windows. The application is exposed to a remote
stack-based buffer overflow issue because it fails to properly
bounds check user-supplied data before copying it into an
insufficiently sized memory buffer. Safenet SoftRemote versions prior
to 10.8.6 are affected.
Ref: http://www.zerodayinitiative.com/advisories/ZDI-09-024/
______________________________________________________________________

09.23.7 CVE: CVE-2009-1717
Platform: Mac OS
Title: Apple Mac OS X Terminal Window Resize Command Integer Overflow
Description: Apple Mac OS X is exposed to an integer overflow issue
affecting the Terminal application. This issue occurs because Terminal
fails to handle malformed arguments to the "CSI[4" xterm window
resizing command. Successful exploits will allow attacker-supplied
code to run in the context of the user running the affected
application.
Ref: http://support.apple.com/kb/HT3549
______________________________________________________________________

09.23.8 CVE: Not Available
Platform: Linux
Title: Linux Kernel "splice(2)" Double Lock Local Denial of Service
Description: The Linux kernel is exposed to a local denial of service
issue because of a race condition in the "splice(2)" system call. The
issue stems from a potential deadlock when double-locking inode
mutexes in preparation for copy operations between pipes. The locks
are not explicitly ordered, which may cause the kernel to crash when
it tries to unlock inodes that were locked out of order.
Ref: http://permalink.gmane.org/gmane.comp.security.oss.general/1809
______________________________________________________________________

09.23.9 CVE: Not Available
Platform: Linux
Title: strongSwan IKE Request Multiple Remote Denial of Service
Vulnerabilities
Description: strongSwan is an open-source implementation of an IPSec
VPN for Linux. Since it fails to properly handle certain IKE packets,
the application is prone to multiple remote denial of service issues.
strongSwan versions prior to 4.3.1 and 4.2.15 are affected.
Ref: http://download.strongswan.org/patches/04_swapped_ts_check_patch/
______________________________________________________________________

09.23.10 CVE: CVE-2009-1385
Platform: Linux
Title: Linux Kernel "e1000/e1000_main.c" Remote Denial of Service
Description: The Linux kernel is exposed to a remote denial of service
issue. Specifically, the issue exists in the "e1000_clean_rx_irq()"
function of the "e1000/e1000_main.c" file due to an incorrect length
check. The problem occurs when E1000 tries to strip the cyclic
redundancy check (CRC) from a frame by subtracting four bytes from the
length of the frame.
Ref:
http://git.kernel.org/?p=linux/kernel/git/torvalds/linux-2.6.git;a=commitdiff;h=ea30e11970a96cfe5e32c03a29332554573b4a10
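As an added illustration (not the kernel's e1000 code and not part of the original bulletin), the C model below shows the length-check pattern this entry describes: subtracting the 4-byte CRC from the hardware-reported frame length before validating that length lets a runt frame wrap to a huge unsigned value, while checking the length first rejects the frame. The receive ring contents, buffer size and function names are constructed for the example.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define ETH_FCS_LEN 4    /* trailing CRC (frame check sequence) on an Ethernet frame */
#define ETH_HLEN    14   /* destination MAC, source MAC and EtherType */
#define RX_BUF_SIZE 2048 /* constructed size of the driver's receive buffer */

/* Unsafe pattern, modelled on the entry: the CRC length is subtracted from
 * the hardware-reported length before the length is validated. For a runt
 * frame shorter than the CRC itself the unsigned subtraction wraps to a
 * huge value. Returns the payload length that would be handed on, or 0 if
 * the frame is dropped. */
size_t strip_crc_unsafe(uint16_t reported_len, bool hw_error)
{
    size_t len = (size_t)reported_len - ETH_FCS_LEN; /* wraps when reported_len < 4 */
    if (hw_error)
        return 0;
    return len;
}

/* Hardened pattern: drop hardware-flagged frames and confirm the reported
 * length can hold a header plus CRC before doing any arithmetic on it. */
size_t strip_crc_checked(uint16_t reported_len, bool hw_error)
{
    if (hw_error)
        return 0;
    if (reported_len < ETH_HLEN + ETH_FCS_LEN)
        return 0; /* runt frame: reject rather than let the subtraction wrap */
    return (size_t)reported_len - ETH_FCS_LEN;
}

/* Constructed receive ring of hardware-reported lengths (CRC included).
 * 2 and 3 are runts shorter than the CRC itself; 1518 is a full-size frame. */
static const uint16_t sample_ring[] = { 64, 2, 1518, 3, 128 };
#define SAMPLE_RING_LEN (sizeof sample_ring / sizeof sample_ring[0])

/* Drain the sample ring with the given strip routine, copying each accepted
 * frame into a fixed receive buffer. Returns the number of frames delivered,
 * or -1 the moment a computed length exceeds RX_BUF_SIZE, which is where a
 * real driver would have copied past the end of its buffer. */
int rx_clean(size_t (*strip)(uint16_t, bool))
{
    uint8_t rx_buf[RX_BUF_SIZE];
    int delivered = 0;

    for (size_t i = 0; i < SAMPLE_RING_LEN; i++) {
        size_t len = strip(sample_ring[i], false);
        if (len == 0)
            continue;               /* dropped by the strip routine */
        if (len > RX_BUF_SIZE)
            return -1;              /* oversized copy: stop before corrupting memory */
        memset(rx_buf, 0xAA, len);  /* stand-in for copying the frame payload */
        delivered++;
    }
    return delivered;
}

int main(void)
{
    printf("unsafe strip:  %d\n", rx_clean(strip_crc_unsafe));   /* -1: runt length wrapped */
    printf("checked strip: %d\n", rx_clean(strip_crc_checked));  /* 3: both runts dropped */
    return 0;
}
```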
______________________________________________________________________

09.23.11 CVE: CVE-2009-0949
Platform: Unix
Title: CUPS "cups/ipp.c" NULL Pointer Dereference Denial of Service
Description: CUPS (Common UNIX Printing System) is a widely used set
of printing utilities for UNIX-based systems. The application is
exposed to a denial of service issue caused by a NULL-pointer
dereference that occurs in the "ippReadIO()" function of the
"cups/ipp.c" source file. An attacker can exploit this issue to crash
the affected application, denying service to legitimate users.
Ref: http://www.securityfocus.com/archive/1/504032
______________________________________________________________________

09.23.12 CVE: CVE-2009-1384
Platform: Cross Platform
Title: pam_krb5 Existing/Non-Existing Username Enumeration Weakness
Description: Pluggable authentication modules (PAM) provide a standard
interface to various authentication mechanisms. The "pam-krb5" library
is used to provide a PAM interface to the Kerberos authentication
system. The application is exposed to a username-enumeration weakness
because it displays different responses to login attempts, depending
on whether or not the username exists. pam_krb5 version 2.2.14 is
affected.
Ref: https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2009-1384
______________________________________________________________________

09.23.13 CVE: Not Available
Platform: Cross Platform
Title: IBM Hardware Management Console (HMC) Shared Memory Unspecified Vulnerability
Description: IBM Hardware Management Console (HMC) enables an
administrator to manage the configuration and operation of partitions
in a computer and to monitor the computer for hardware problems. The
application is exposed to an unspecified issue that occurs when
migrating a shared memory partition to a target system which has a
shared memory pool configured with redundant paging VIOS (Virtual I/O
Server) partitions. HMC 7 Release 3.4.0 Service Pack 2 is affected.
Ref:
http://www14.software.ibm.com/webapp/set2/subscriptions/pqvcmjd?mode=18&ID=4671&myns=phmc&mync=E
______________________________________________________________________

09.23.14 CVE: CVE-2009-1195
Platform: Cross Platform
Title: Apache "Options" and "AllowOverride" Directives Security Bypass
Description: Apache is an HTTP server available for various operating
systems. The application is exposed to a security bypass issue related
to the handling of configuration directives. This issue occurs when
the "AllowOverride" and "Options" directives are used to restrict the
ability of local users to execute scripts through the webserver.
Apache versions prior to 2.2.9 are affected.
Ref: https://bugzilla.redhat.com/show_bug.cgi?id=489436
______________________________________________________________________

09.23.15 CVE: Not Available
Platform: Cross Platform
Title: libsndfile Audio Data Multiple Denial of Service
Vulnerabilities
Description: libsndfile is a library used for reading and writing audio
files. libsndfile is exposed to multiple denial of service issues due
to a division-by-zero error. Exploiting these issues may allow
attackers to crash the application that uses the affected library,
denying service to legitimate users. libsndfile version 1.0.20 is
affected.
Ref: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=530831
______________________________________________________________________

09.23.16 CVE: Not Available
Platform: Cross Platform
Title: Mozilla Firefox "keygen" HTML Tag Denial of Service
Description: Mozilla Firefox is a browser available for multiple
platforms. The browser is exposed to a remote denial of service issue
caused by a design error. Specifically, the "keygen" tag has an
automatic submission feature, which may allow attackers to cause the
application to fall into an infinite loop with the JavaScript
"onload()" function.
Ref:
http://blog.zoller.lu/2009/04/advisory-firefox-denial-of-service.html
______________________________________________________________________

09.23.17 CVE: CVE-2009-0897
Platform: Cross Platform
Title: IBM WebSphere Partner Gateway "bcgarchive" Information
Disclosure
Description: IBM WebSphere Partner Gateway (WPG) is a
business-to-business tool for use with WebSphere Application Server.
WPG is exposed to an information disclosure issue because it uses a
DB2 instance ID insecurely to execute the "bcgarchive" archive script.
WPG versions 6.1.0 and 6.1.1 are affected.
Ref: http://www-01.ibm.com/support/docview.wss?uid=swg21366016
______________________________________________________________________

09.23.18 CVE: CVE-2009-1744
Platform: Cross Platform
Title: Pinnacle Hollywood FX ".hfz" File Handling Remote Denial of
Service
Description: Pinnacle Hollywood FX is a video transition module for
Pinnacle Studio, a video editor. The application is exposed to a
remote denial of service issue because it fails to handle specially
crafted ".hfz" (Hollywood FX Compressed Archive) files. This issue
occurs in the "InstallHFZ.exe" binary file. Pinnacle Hollywood FX
version 6 is affected.
Ref: http://www.securityfocus.com/bid/35137
______________________________________________________________________

09.23.19 CVE: CVE-2009-1379
Platform: Cross Platform
Title: OpenSSL "dtls1_retrieve_buffered_fragment()" DTLS Packet Denial
of Service
Description: OpenSSL is an open-source implementation of the SSL
protocol that is used by a number of other projects, including but not
restricted to Apache, Sendmail, and Bind. OpenSSL is exposed to a
remote denial of service issue because it fails to handle malformed
data. Specifically, this issue affects the
"dtls1_retrieve_buffered_fragment()" function of the "ssl/d1_both.c"
source file and may be triggered when an OpenSSL client receives a
malformed DTLS packet from a malicious server. OpenSSL version 1.0.0
Beta 2 is affected.
Ref:
http://rt.openssl.org/Ticket/Display.html?id=1923&user=guest&pass=guest
______________________________________________________________________

09.23.20 CVE: Not Available
Platform: Cross Platform
Title: Ston3D S3DPlayer Web and StandAlone "system.openURL()" Remote
Command Injection
Description: S3DPlayer Web and StandAlone are multimedia players
available for Microsoft Windows, Linux and Mac OS X. S3DPlayer Web and
StandAlone are exposed to a remote command injection issue that occurs
in the scripting interface. Specifically, the application fails to
sufficiently sanitize user-supplied input to the "sURL" parameter of
the "system.openURL()" function.
Ref: http://www.securityfocus.com/archive/1/503887
______________________________________________________________________

09.23.21 CVE: CVE-2009-1805
Platform: Cross Platform
Title: VMware Products Descheduled Time Accounting Driver Denial Of
Service
Description: Multiple VMware products are exposed to a denial of
service issue. The issue stems from an unspecified error in the VMware
Descheduled Time Accounting driver. An unprivileged attacker in a
guest operating system could exploit this issue to cause
denial of service conditions in the affected virtual machine.
Ref: http://www.vmware.com/security/advisories/VMSA-2009-0007.html
______________________________________________________________________

09.23.22 CVE: Not Available
Platform: Cross Platform
Title: Multiple Avira AntiVir Products RAR/CAB/ZIP/LH File Scan
Evasion
Description: Avira AntiVir products provide antivirus, antispyware,
and firewalling capabilities for both enterprise and endpoint-based
systems. Multiple AntiVir products are exposed to an issue that may
allow certain compressed archives to bypass the scan engine. The issue
occurs because the software fails to properly inspect specially
crafted "ZIP", "CAB", "RAR", and "LH" files.
Ref: http://www.securityfocus.com/archive/1/503914
______________________________________________________________________

09.23.23 CVE: Not Available
Platform: Cross Platform
Title: SonicWALL SSL-VPN "cgi-bin/welcome/VirtualOffice" Remote Format
String
Description: SonicWALL SSL-VPN devices are hardware appliances for
network security. The devices include a web-based administration
interface. The devices are exposed to a remote format string issue
because they fail to properly validate user-supplied input before
passing it as the format specifier to a formatted-printing function.
Ref: http://www.securityfocus.com/archive/1/503913
______________________________________________________________________

09.23.24 CVE: Not Available
Platform: Cross Platform
Title: Adobe Acrobat Stack Exhaustion Denial of Service
Description: Adobe Acrobat is exposed to a denial of service issue
because the application fails to perform adequate boundary checks on
user-supplied data. A stack exhaustion occurs when handling a
specially crafted PDF file containing specially malformed JavaScript.
Adobe Acrobat version 9.1.1 is affected.
Ref: http://www.securityfocus.com/bid/35148
______________________________________________________________________

09.23.25 CVE: CVE-2009-0893
Platform: Cross Platform
Title: Xvid Video Codec Macroblock Number Heap Buffer Overflow
Description: The Xvid video compression codec is available for a number
of operating systems. The codec is exposed to a heap-based buffer
overflow issue because it fails to perform adequate boundary checks on
user-supplied data. Specifically, this issue occurs due to a failure
to handle macroblock values in maliciously crafted video files. Xvid
versions prior to 1.2.2 are affected.
Ref: http://www.securityfocus.com/bid/35156
______________________________________________________________________

09.23.26 CVE: CVE-2009-0950
Platform: Cross Platform
Title: Apple iTunes "itms:" URI Stack Buffer Overflow
Description: Apple iTunes is a media player for Microsoft Windows and
Apple Mac OS X. The application is exposed to a stack-based buffer
overflow issue because it fails to perform adequate boundary checks
before copying user-supplied data to an insufficiently-sized buffer.
This issue can occur when iTunes parses specially crafted "itms:"
URIs.
Ref: http://www.securityfocus.com/bid/35157
______________________________________________________________________

09.23.27 CVE: CVE-2009-0894
Platform: Cross Platform
Title: Xvid Video Codec DirectShow Initialization Logic Heap Buffer
Overflow
Description: The Xvid video compression codec is available for a number
of operating systems. The DirectShow component of the Xvid codec is
exposed to a heap-based buffer overflow issue because it fails to
properly handle error conditions. Specifically, this issue occurs due
to a failure to properly handle error conditions that may arise when
setting up the rendering pipeline. Xvid versions prior to 1.2.2 are
affected.
Ref: http://www.securityfocus.com/bid/35158
______________________________________________________________________

09.23.28 CVE: CVE-2009-0188
Platform: Cross Platform
Title: Apple QuickTime Sorenson 3 Video File Remote Memory Corruption
Description: Apple QuickTime is a media player that supports multiple
file formats. The application is exposed to a memory corruption issue
when opening a specially crafted Sorenson 3 video file. Apple
QuickTime running on Microsoft Windows Vista, Windows XP SP3, and Mac
OS X is affected.
Ref: http://www.securityfocus.com/archive/1/504007
______________________________________________________________________

09.23.29 CVE: CVE-2009-0951
Platform: Cross Platform
Title: Apple QuickTime FLC Compression File Heap Overflow
Description: Apple QuickTime is a media player that supports multiple
file formats. The application is exposed to a heap-based buffer
overflow issue when opening a specially crafted FLC compression file.
Apple QuickTime running on Microsoft Windows Vista, Windows XP SP3,
and Mac OS X is affected.
Ref: http://www.securityfocus.com/archive/1/504023
______________________________________________________________________

09.23.30 CVE: CVE-2009-0952
Platform: Cross Platform
Title: Apple QuickTime PSD Image Buffer Overflow
Description: Apple QuickTime is a media player that supports multiple
file formats. The application is exposed to a buffer overflow issue
when processing a compressed PSD image. Apple QuickTime running on
Microsoft Windows Vista, Windows XP SP3, and Mac OS X is affected.
Ref: http://www.securityfocus.com/archive/1/504024
______________________________________________________________________

09.23.31 CVE: CVE-2009-0956
Platform: Cross Platform
Title: Apple QuickTime User Atom Data Size Uninitialized Memory Access
Remote Code Execution
Description: Apple QuickTime is a media player that supports multiple
file formats. The application is exposed to a remote code execution
issue when opening a specially crafted movie file. This issue is
caused by a failure to properly handle a user atom data size of zero,
and may lead to the access of uninitialized memory. Apple QuickTime
running on Microsoft Windows Vista, Windows XP SP3, and Mac OS X is
affected.
Ref: http://support.apple.com/kb/HT3591
______________________________________________________________________

09.23.32 CVE: CVE-2009-0185
Platform: Cross Platform
Title: Apple QuickTime MS ADPCM Audio File Heap Buffer Overflow
Description: Apple QuickTime is a media player that supports multiple
file formats. The application is exposed to a heap-based buffer
overflow issue when opening a specially crafted MS ADPCM-encoded audio
file. Apple QuickTime running on Microsoft Windows Vista, Windows XP
SP3, and Mac OS X is affected.
Ref: http://www.securityfocus.com/archive/1/504006
______________________________________________________________________

09.23.33 CVE: Not Available
Platform: Cross Platform
Title: Apple QuickTime PICT Image Heap Overflow
Description: Apple QuickTime is a media player that supports multiple
file formats. The application is exposed to a heap-based buffer
overflow issue when processing a specially crafted PICT image. Apple
QuickTime running on Microsoft Windows Vista, Windows XP SP3, and Mac
OS X is affected.
Ref: http://www.securityfocus.com/bid/35160
______________________________________________________________________

09.23.34 CVE: CVE-2009-0957
Platform: Cross Platform
Title: Apple QuickTime JP2 Image Handling Heap Buffer Overflow
Description: Apple QuickTime is a media player that supports multiple
file formats. The application is exposed to a heap-based buffer
overflow issue when opening a specially crafted JP2 image file. Apple
QuickTime running on Microsoft Windows Vista, Windows XP SP3, and Mac
OS X is affected.
Ref: http://www.securityfocus.com/archive/1/504027
______________________________________________________________________

09.23.35 CVE: CVE-2009-0955
Platform: Cross Platform
Title: Apple QuickTime Image Description Atom Sign Extension
Description: Apple QuickTime is a media player that supports multiple
file formats. The application is exposed to an issue that occurs
because the bit width of a number is increased without changing its
sign. Apple QuickTime running on Microsoft Windows Vista, Windows XP
SP3, and Mac OS X is affected.
Ref:
http://roeehay.blogspot.com/2009/06/apple-quicktime-image-description-atom.html
______________________________________________________________________

09.23.36 CVE: CVE-2009-0954
Platform: Cross Platform
Title: Apple QuickTime Clipping Region (CRGN) Atom Types Heap Overflow
Description: Apple QuickTime is a media player that supports multiple
file formats. The application is exposed to a heap-based buffer
overflow issue when processing specially crafted Clipping Region
(CRGN) atom types contained in a movie file. Apple QuickTime running
on Microsoft Windows Vista and Windows XP SP3 is affected.
Ref: http://www.securityfocus.com/archive/1/504026
______________________________________________________________________

09.23.37 CVE: Not Available
Platform: Cross Platform
Title: IBM WebSphere MQ Remote Buffer Overflow
Description: IBM WebSphere MQ is a commercially available messaging
engine for enterprises. WebSphere MQ is exposed to a buffer overflow
issue because it fails to properly bounds check user-supplied data
before copying it into an insufficiently sized memory buffer. A
specially crafted client request can be used to trigger this
vulnerability. WebSphere MQ versions 6.x (prior to 6.0.2.7) and 7.x
(prior to 7.0.1.0) are affected.
Ref: http://www-01.ibm.com/support/docview.wss?uid=swg27006309#1
______________________________________________________________________

09.23.38 CVE: Not Available
Platform: Cross Platform
Title: IBM DB2 Denial of Service and Security Bypass Vulnerabilities
Description: IBM DB2 is a database manager. The application is exposed
to multiple issues. Successful exploits may allow attackers to bypass
certain security restrictions or to crash the application, causing a
denial of service condition. DB2 versions prior to 9.5 Fix Pack 4 and
9.1 Fix Pack 7 are affected.
Ref: http://www-01.ibm.com/support/docview.wss?uid=swg21386689
______________________________________________________________________

09.23.39 CVE: Not Available
Platform: Cross Platform
Title: GStreamer gst-plugins-good "gstpngdec.c" PNG Output Buffer
Integer Overflow
Description: GStreamer is a library for constructing graphs of
media-handling components; "gst-plugins-good" is a collection of
plugins for GStreamer. The "gst-plugins-good" package is exposed to an
integer overflow issue because the software fails to perform adequate
boundary checks on user-supplied data before using it to allocate
memory buffers. This issue occurs when calculating the output buffer
size for a malformed or large PNG image file and affects the
"gstpngdec.c" source file. gst-plugins-good version 0.10.15 is
affected.
Ref:
http://cgit.freedesktop.org/gstreamer/gst-plugins-good/commit/?id=d9544bcc44adcef769cbdf7f6453e140058a3adc
______________________________________________________________________

09.23.40 CVE: CVE-2009-1386
Platform: Cross Platform
Title: OpenSSL "ChangeCipherSpec" DTLS Packet Denial of Service
Description: OpenSSL is an open-source implementation of the SSL
protocol that is used by a number of other projects, including but not
restricted to Apache, Sendmail, and Bind. It is commonly found on
Linux and Unix systems. OpenSSL is exposed to a denial of service
issue caused by a NULL-pointer dereference condition. This issue
occurs when the "ChangeCipherSpec" DTLS packet is received before the
"ClientHello" DTLS packet. OpenSSL versions prior to 0.9.8i are
affected.
Ref:
http://rt.openssl.org/Ticket/Display.html?id=1679&user=guest&pass=guest
______________________________________________________________________

09.23.41 CVE: Not Available
Platform: Cross Platform
Title: Multiple ACDSee Products TIFF File Remote Buffer Overflow
Description: ACDSee products are applications designed to manage and
edit digital photographs. Multiple ACDSee applications are exposed to
a remote buffer overflow issue because they fail to perform adequate
checks on user-supplied input. Specifically, this issue occurs when
processing a malformed TIFF image file. ACDSee Photo Manager versions
9.x, 10.x, 11.x, 2008, and 2009 and ACDSee Pro Photo Manager 2.5 are
affected.
Ref: http://www.vupen.com/english/advisories/2009/1471
______________________________________________________________________

09.23.42 CVE: Not Available
Platform: Cross Platform
Title: Multiple ACDSee Products Font File Remote Buffer Overflow
Description: ACDSee products are applications designed to manage and
edit digital photographs. Multiple ACDSee applications are exposed to
a remote buffer overflow issue because they fail to perform adequate
checks on user-supplied input. Specifically, this issue occurs when
processing a malformed font file. ACDSee Photo Manager versions 9.x,
10.x, 11.x, 2008, and 2009 and ACDSee Pro Photo Manager version 2.5
are affected.
Ref: http://www.securityfocus.com/archive/1/504009
______________________________________________________________________

09.23.43 CVE: Not Available
Platform: Web Application - Cross Site Scripting
Title: Vanilla "ajax/updatecheck.php" Cross-Site Scripting
Description: Vanilla is a PHP-based discussion forum. The application
is exposed to a cross-site scripting issue because it fails to
properly sanitize user-supplied input to the "RequestName" parameter
of the "ajax/updatecheck.php" script. Vanilla versions 1.1.5 and 1.1.7
are affected.
Ref: http://www.securityfocus.com/archive/1/503847
______________________________________________________________________

09.23.44 CVE: Not Available
Platform: Web Application - Cross Site Scripting
Title: Lussumo Vanilla "updatecheck.php" Cross-Site Scripting
Description: Vanilla is a PHP-based discussion forum. The application
is exposed to a cross-site scripting issue because it fails to
sanitize user-supplied input. This issue affects the "RequestName"
parameter of the "ajax/updatecheck.php" script. Vanilla versions prior
to 1.1.8 are affected.
Ref:
http://gsasec.blogspot.com/2009/05/vanilla-v117-cross-site-scripting.html
______________________________________________________________________

09.23.45 CVE: Not Available
Platform: Web Application - Cross Site Scripting
Title: PRTG Traffic Grapher "Monitor_Bandwidth" Cross-Site Scripting
Description: PRTG Traffic Grapher is used to monitor network traffic
and bandwidth usage. The application is exposed to a cross-site
scripting issue because it fails to sanitize user-supplied input. This
issue affects the "Monitor_Bandwidth" function. PRTG Traffic Grapher
version 6.2.2.977 is affected.
Ref: http://www.securityfocus.com/archive/1/503865
______________________________________________________________________

09.23.46 CVE: Not Available
Platform: Web Application - Cross Site Scripting
Title: Simple Machines Forum "image/bmp" MIME Type Cross-Site
Scripting
Description: Simple Machines Forum (SMF) is an open-source web forum
that is written in PHP. It will run on most UNIX and Linux variants as
well as Microsoft Windows. The application is exposed to a cross-site
scripting issue because it fails to properly sanitize user-supplied
images identified as "image/bmp" MIME types. This issue occurs because
the Internet Explorer browser identifies uploaded images as
"text/html" instead.
Ref: http://www.securityfocus.com/archive/1/503867
______________________________________________________________________

09.23.47 CVE: Not Available
Platform: Web Application - Cross Site Scripting
Title: Achievo Multiple Cross-Site Scripting Vulnerabilities
Description: Achievo is a web-based resource management tool. The
application is exposed to multiple cross-site scripting issues because
it fails to sufficiently sanitize user-supplied data. Achievo version
1.3.4 is affected.
Ref: http://www.securityfocus.com/archive/1/503920
______________________________________________________________________

09.23.48 CVE: Not Available
Platform: Web Application - Cross Site Scripting
Title: eliteCMS Arbitrary File Upload and Cross-Site Scripting
Vulnerabilities
Description: eliteCMS is a web-based content manager. The application
is exposed to multiple issues. Attackers can exploit these issues to
steal cookie information, execute arbitrary client-side scripts in the
context of the browser, upload and execute arbitrary files in the
context of the webserver, and launch other attacks. eliteCMS version
1.01 is affected.
Ref: http://www.securityfocus.com/bid/35155
______________________________________________________________________

09.23.49 CVE: Not Available
Platform: Web Application - Cross Site Scripting
Title: PHP-Nuke Downloads Module "query" Parameter Cross-Site
Scripting
Description: PHP-Nuke is a PHP-based content management system.
PHP-Nuke is exposed to a cross-site scripting issue because it fails
to sanitize user-supplied input. This issue affects the "query"
parameter of the "modules.php" script when called with the "name"
parameter set to "Downloads" and the "d_op" parameter set to "search".
PHP-Nuke version 8.0 is affected.
Ref:
http://archives.neohapsis.com/archives/fulldisclosure/2009-06/0024.html
______________________________________________________________________

09.23.50 CVE: Not Available
Platform: Web Application - SQL Injection
Title: PHP-Nuke "main/tracking/userLog.php" SQL Injection
Description: PHP-Nuke is a web forum implemented in PHP. PHP-Nuke is
exposed to an SQL injection issue because it fails to sufficiently
sanitize user-supplied data to the HTTP Referer header of
the "main/tracking/userLog.php" script before using it in an SQL query.
PHP-Nuke version 8.0.0 is affected.
Ref: http://www.securityfocus.com/archive/1/503845
______________________________________________________________________

09.23.51 CVE: Not Available
Platform: Web Application - SQL Injection
Title: AgoraGroups Joomla! Component "id" Parameter SQL Injection
Description: The AgoraGroups module is a component of the Agora plugin
for the Joomla! content manager. AgoraGroups is exposed to an SQL
injection issue because it fails to sufficiently sanitize
user-supplied data to the "id" parameter before using it in an SQL query.
AgoraGroups version 0.3.5.3 is affected.
Ref: http://www.securityfocus.com/bid/35118
______________________________________________________________________

09.23.52 CVE: Not Available
Platform: Web Application - SQL Injection
Title: phpBugTracker "include.php" SQL Injection
Description: phpBugTracker is a web-based bug tracker. phpBugTracker
is exposed to an SQL injection issue because it fails to sufficiently
sanitize user-supplied data to the "username" parameter of the
"include.php" script before using it in an SQL query. phpBugTracker
versions 1.0.4 and earlier are affected.
Ref: http://www.securityfocus.com/bid/35125
______________________________________________________________________

09.23.53 CVE: Not Available
Platform: Web Application - SQL Injection
Title: Arab Portal "X-Forwarded-for" Header SQL Injection
Description: Arab Portal is a web-based application. The application
is exposed to an SQL injection issue because it fails to sufficiently
sanitize user-supplied data to the "X-Forwarded-for" header before
using it in an SQL query. Arab Portal version 2.2 is affected.
Ref: http://www.securityfocus.com/bid/35149
______________________________________________________________________

09.23.54 CVE: Not Available
Platform: Web Application - SQL Injection
Title: ZeusCart "maincatid" Parameter SQL Injection
Description: ZeusCart is an ecommerce application. The application is
exposed to an SQL injection issue because it fails to sufficiently
sanitize user-supplied data to the "maincatid" parameter of the
"index.php" script before using it in an SQL query. ZeusCart version
2.3 is affected.
Ref: http://www.securityfocus.com/bid/35151
______________________________________________________________________

09.23.55 CVE: Not Available
Platform: Web Application - SQL Injection
Title: OCS Inventory NG Server Multiple SQL Injection Vulnerabilities
Description: OCS Inventory NG is an inventory management application.
The application is exposed to multiple SQL injection issues because it
fails to sufficiently sanitize user-supplied data. OCS Inventory NG
Server versions prior to 1.02.1 are affected.
Ref: http://www.securityfocus.com/archive/1/503936
______________________________________________________________________

09.23.56 CVE: Not Available
Platform: Web Application - SQL Injection
Title: Joomla! Juser Component "id" Parameter SQL Injection
Description: JUser is a user-registration component for the Joomla!
content manager. The application is exposed to an SQL injection issue
because it fails to sufficiently sanitize user-supplied data to the
"id" parameter of the "com_juser" component before using it in an SQL
query. JUser version 2.0.4 is affected.
Ref: http://www.securityfocus.com/bid/35160
______________________________________________________________________

09.23.57 CVE: Not Available
Platform: Web Application
Title: Easy PX 41 CMS "fiche" Parameter Local File Include
Description: Easy PX 41 CMS is a PHP-based web application. The
application is exposed to a local file include issue because it fails
to properly sanitize user-supplied input to the "fiche" parameter of
the "index.php" script. Easy PX 41 CMS version 09.00.00B1 is affected.
Ref: http://www.securityfocus.com/bid/35119
______________________________________________________________________

09.23.58 CVE: Not Available
Platform: Web Application
Title: SiteX "THEME_FOLDER" Parameter Multiple Local File Include
Vulnerabilities
Description: SiteX is a content management system (CMS). The
application is exposed to multiple local file include vulnerabilities
because it fails to properly sanitize user-supplied input to the
"THEME_FOLDER" parameter. SiteX version 0.7.4.418 is affected.
Ref: http://www.securityfocus.com/bid/35122
______________________________________________________________________

09.23.59 CVE: Not Available
Platform: Web Application
Title: Drupal Ajax Session Module Multiple Input Validation
Vulnerabilities
Description: Ajax Session is a module for the Drupal content manager.
The application is exposed to multiple cross-site scripting and
cross-site request forgery issues because it fails to sufficiently
sanitize user-supplied input to unspecified parameters of unspecified
pages. Ajax Session version 5.x-1.0 is affected.
Ref: http://drupal.org/node/474452
______________________________________________________________________

09.23.60 CVE: Not Available
Platform: Web Application
Title: ATutor "documentation/index.php" URL Handling Phishing
Description: ATutor is a PHP-based content manager. ATutor is exposed
to an issue that can aid in phishing attacks. This issue occurs
because the application fails to sufficiently sanitize user-supplied
input to the "p" parameter of the "documentation/index.php" script
before being linked to a frameset. ATutor version 1.6.2 is affected.
Ref: http://websvn.atrc.utoronto.ca/websvn/wsvn/Atutor/?rev=8490&sc=1
______________________________________________________________________

09.23.61 CVE: Not Available
Platform: Web Application
Title: Drupal Embedded Media Field Module Create Content Multiple HTML
Injection Vulnerabilities
Description: Embedded Media Field is a module for the Drupal content
manager. The module is exposed to multiple HTML injection issues
because it fails to properly sanitize user-supplied input before using
it in dynamically generated content. Specifically, issues affect the
"Help text", "Custom thumbnail label", and "Custom thumbnail
description" fields when creating content with the affected module.
Embedded Media Field version 6.x-1.0 is affected.
Ref: http://drupal.org/node/372836
______________________________________________________________________

09.23.62 CVE: Not Available
Platform: Web Application
Title: Phorum "image/bmp" MIME Type HTML Injection
Description: Phorum is a PHP-based web forum application. The
application is exposed to an HTML injection issue because it fails to
properly sanitize user-supplied images identified as "image/bmp" MIME
types. This issue occurs because the Internet Explorer browser
identifies uploaded images as "text/html" instead.
Ref: http://www.securityfocus.com/archive/1/503867
______________________________________________________________________

09.23.63 CVE: Not Available
Platform: Web Application
Title: Woltlab Burning Board "image/bmp" MIME Type HTML Injection
Description: Woltlab Burning Board is an open-source web forum. The
application is exposed to an HTML injection issue because it fails to
properly sanitize user-supplied images identified as "image/bmp" MIME
types. This issue occurs because the Internet Explorer browser
identifies uploaded images as "text/html" instead. Burning Board
versions 3.0.8 and earlier and Burning Board Lite versions 2.0.1 and
earlier are affected.
Ref: http://www.securityfocus.com/archive/1/503867
______________________________________________________________________

09.23.64 CVE: Not Available
Platform: Web Application
Title: Joomla! JVideo! Component "user_id" Parameter SQL Injection
Description: JVideo! is a video-sharing module for the Joomla! content
manager. The application is exposed to an SQL injection issue because
it fails to sufficiently sanitize user-supplied data to the "user_id"
parameter of the "com_jvideo" component before using it in an SQL query.
Ref: http://www.securityfocus.com/bid/35146
______________________________________________________________________

09.23.65 CVE: Not Available
Platform: Web Application
Title: AlstraSoft Article Manager Pro "article/register.php" Remote
File Upload
Description: AlstraSoft Article Manager Pro is a PHP-based content
manager for articles. The application is exposed to a remote file
upload issue because it fails to sufficiently sanitize user-supplied
input. This issue affects the "article/register.php" file when
registering a new user.
Ref: http://www.securityfocus.com/bid/35177
______________________________________________________________________

09.23.66 CVE: Not Available
Platform: Web Application
Title: Unclassified NewsBoard Multiple Remote Vulnerabilities
Description: Unclassified NewsBoard is a bulletin board system
implemented in PHP. The application is exposed to multiple issues. A
successful attack will compromise the application and may help in
further attacks. NewsBoard version 1.6.4 is affected.
Ref: http://www.securityfocus.com/bid/35183
______________________________________________________________________

09.23.67 CVE: Not Available
Platform: Web Application
Title: Joomla! Prior to 1.5.11 Multiple Cross-Site Scripting
Vulnerabilities
Description: Joomla! is a PHP-based content manager. Joomla! is
exposed to multiple cross-site scripting issues because it fails to
sufficiently sanitize user-supplied input. These issues affect the
"com_user" component, "JA_Purity" template, and the administrative
panel in the "Site client" sub-project of the application. Joomla!
versions prior to 1.5.11 are affected.
Ref:
http://developer.joomla.org/security/news/296-20090602-core-japurity-xss.html
______________________________________________________________________

09.23.68 CVE: Not Available
Platform: Network Device
Title: Linksys WAG54G2 Web Management Console Remote Arbitrary Shell
Command Injection
Description: Linksys WAG54G2 is a wireless router. The router is
exposed to a remote command injection issue because it fails to
adequately sanitize user-supplied input data. Specifically, the
software fails to properly sanitize input to the "c4_ping_ipaddr"
parameter of the "setup.cgi" script in the management console. Linksys
WAG54G2 with firmware version V1.00.10 is affected.
Ref: http://www.securityfocus.com/archive/1/503934
______________________________________________________________________

09.23.69 CVE: Not Available
Platform: Network Device
Title: Asmax Ar-804gu Router "script" Remote Arbitrary Shell Command
Injection
Description: Asmax Ar-804gu is a router for small or home office
users. The router is exposed to a remote command injection issue
because it fails to adequately restrict access to a maintenance
script. This issue affects the "system" parameter of "cgi-bin/script"
of the device's web-based management interface. Asmax Ar-804gu with
firmware version 66.34.1 is affected.
Ref: http://www.securityfocus.com/archive/1/503946
______________________________________________________________________

(c) 2009. All rights reserved. The information contained in this
newsletter, including any external links, is provided "AS IS," with no
express or implied warranty, for informational purposes only. In some
cases, copyright for material in this newsletter may be held by a
party other than Qualys (as indicated herein) and permission to use
such material must be requested from the copyright owner.

Subscriptions: RISK is distributed free of charge by the SANS Institute
to people responsible for managing and securing information systems and
networks. You may forward this newsletter to others with such
responsibility inside or outside your organization.
