RISK: The Consensus Security Vulnerability Alert Vol. 8 No. 30

From: The SANS Institute (ConsensusSecurityVulnerabilityAlertsans.org)
Date: Thu Jul 23 2009 - 13:26:13 CDT


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

The Adobe FLASH and PDF problem is real and won't be solved for another
week. Makes sense to figure out a way to get universal updates to your
user base, quickly, after the announcement. Sad that Microsoft's
Windows updates don't cover 3rd party software. They considered doing
it and dropped the idea - probably worried about support and liability
concerns.

                                Alan
*************************************************************************
            RISK: The Consensus Security Vulnerability Alert
July 23, 2009 Vol. 8. Week 30
*************************************************************************
RISK is the SANS community's consensus bulletin summarizing the most
important vulnerabilities and exploits identified during the past week
and providing guidance on appropriate actions to protect your systems
(PART I). It also includes a comprehensive list of all new
vulnerabilities discovered in the past week (PART II).

Summary of Updates and Vulnerabilities in this Consensus
Platform                                   Number of Updates and Vulnerabilities
- ----------------------------------------  -------------------------------------
Third Party Windows Apps                    3 (#3)
Linux                                       2
BSD                                         1
Solaris                                     4
Novell                                      2 (#4)
Cross Platform                              21 (#1, #2, #5, #6, #7)
Web Application - Cross Site Scripting      2
Web Application - SQL Injection             5
Web Application                             8
Network Device                              1

************************* Sponsored By Symantec *************************

Ponemon Report: Data Loss During Downsizing According to a research
study conducted by the Ponemon Institute, more than half of ex-employees
admit to stealing company data. Download this report to view survey
results and to see how you can protect your organization from being so
vulnerable. Download report at http://www.sans.org/info/46254
*************************************************************************
TRAINING UPDATE
- - SANS Network Security, San Diego Sept. 14-22;
     the Fall's biggest security training conference-- 20 full length
     courses and 16 short courses plus a big exhibition
         http://www.sans.org/ns2009
- - SANS Boston, Aug 2-9 (6 full-length hands-on courses)
     https://www.sans.org/boston09/index.php
- - The Virtualization and Cloud Security Summit on August 17-18 in
       Washington; courses in the following days
       http://www.sans.org/info/43118
Looking for training in your own community? http://sans.org/community/
Save on On-Demand training (30 full courses) - See samples at
       http://www.sans.org/ondemand/spring09.php
Plus Tokyo, London, Ottawa, Canberra, and Kuala Lumpur, all in the next
90 days. For a list of all upcoming events, on-line and live:
www.sans.org
*************************************************************************

Table Of Contents
Part I -- Critical Vulnerabilities from TippingPoint (www.tippingpoint.com)

Widely Deployed Software
(1) CRITICAL: Adobe Acrobat/Reader and Adobe Flash Player Remote Code Execution Vulnerability
(2) HIGH: Mozilla Products Multiple Vulnerabilities
(3) HIGH: Google Chrome JavaScript Regular Expressions Memory Corruption Vulnerability
(4) HIGH: Novell Privileged User Manager Remote Library Injection Vulnerability
(5) HIGH: Common Data Format Multiple Vulnerabilities
(6) MODERATE: Akamai Download Manager Redswoosh Downloads Buffer Overflow Vulnerability
(7) LOW: Armed Assault Multiple Vulnerabilities

************************* Sponsored Links: ****************************

1) WEBCAST: How Browser Exploits Lead to Web 2.0 Hacking with keynote from IDC
http://www.sans.org/info/46259

2) SANS Vendor Demo Spotlight: Websense Hosted Email & Web Security -
Secure your Web 2.0 world. Easily control who/what/how/where users can
access internet and email data.
http://www.sans.org/info/46264
*************************************************************************

Part II -- Comprehensive List of Newly Discovered Vulnerabilities from
Qualys (www.qualys.com)

 -- Third Party Windows Apps
09.30.1 - Google Chrome Javascript Regular Expression Handling Remote Code Execution
09.30.2 - Google Chrome Privilege Escalation Weakness
09.30.3 - iDefense COMRaider ActiveX Control Multiple Insecure Method Vulnerabilities
 -- Linux
09.30.4 - Linux Kernel "tun_chr_poll()" NULL Pointer Dereference
09.30.5 - Linux Kernel SGI GRU Driver Off By One
 -- BSD
09.30.6 - FreeBSD "PECOFF_SUPPORT" Local Denial of Service
 -- Solaris
09.30.7 - Sun Solaris SCTP Packet Processing Remote Denial of Service
09.30.8 - Sun Solaris NFS Version 4 Kernel Module Local Denial of Service
09.30.9 - Sun Solaris IP Filter (ipf(5)) Remote Denial of Service
09.30.10 - Sun Solaris XScreenSaver Local Information Disclosure
 -- Novell
09.30.11 - Novell Access Manager Administration Console Information Disclosure
09.30.12 - Novell Privileged User Manager Remote Library Injection
 -- Cross Platform
09.30.13 - Cisco Unified Contact Center Express (CCX) Arbitrary Script Injection
09.30.14 - Mozilla Firefox 3.5 Unicode Data Remote Stack Buffer Overflow
09.30.15 - FCKeditor.Java Infinite Loop Denial of Service
09.30.16 - Sun Ray Server Software "utdmsession" Command Security Bypass
09.30.17 - Sun Ray Server Multiple Vulnerabilities
09.30.18 - Open Handset Alliance Android Permission Verification Multiple Security Bypass Vulnerabilities
09.30.19 - MightSOFT Audio Editor Pro MP3 File Unspecified Memory Corruption
09.30.20 - PulseAudio setuid Local Privilege Escalation
09.30.21 - SAP NetWeaver Password Information Disclosure
09.30.22 - Multiple RadScripts Products Cross-Site Scripting and SQL Injection Vulnerabilities
09.30.23 - RealNetworks Helix Server "RTSP" Remote Denial of Service
09.30.24 - RealNetworks Helix Server "SETUP" Remote Denial of Service
09.30.25 - NOS getPlus Download Manager Insecure File Permissions Local Privilege Escalation
09.30.26 - IBM WebSphere Application Server Stax XMLStreamWrite Security Bypass
09.30.27 - DD-WRT Web Management Interface Remote Arbitrary Shell Command Injection
09.30.28 - KMPlayer ".srt" File Remote Buffer Overflow
09.30.29 - Wireshark 1.2.0 Multiple Vulnerabilities
09.30.30 - Common Data Format Library Multiple Memory Corruption Vulnerabilities
09.30.31 - ZNC File Upload Directory Traversal
09.30.32 - Mozilla Firefox MFSA 2009-34, -35, -36, -37, -39, -40 Multiple Vulnerabilities
09.30.33 - Adobe Acrobat, Reader and Flash Player Unspecified
 -- Web Application - Cross Site Scripting
09.30.34 - YourFreeWorld Programs Rating Script Multiple Cross-Site Scripting Vulnerabilities
09.30.35 - WordPress Comment Author URI Cross-Site Scripting
 -- Web Application - SQL Injection
09.30.36 - WordPress My Category Order Plugin "parentID" Parameter SQL Injection
09.30.37 - PHPLive! "request.php" SQL Injection
09.30.38 - db Masters Multimedia Content Manager "id" Parameter SQL Injection
09.30.39 - Joomla! Jobline Component "search" Parameter SQL Injection
09.30.40 - E-Xoopport MyAnnonces "lid" Parameter SQL Injection
 -- Web Application
09.30.41 - Drupal Submitted By "submitted by" Text HTML Injection
09.30.42 - Drupal Image Assist Module HTML Injection and Information Disclosure Vulnerabilities
09.30.43 - Battle Blog SQL Injection and HTML Injection Vulnerabilities
09.30.44 - HTMLDOC "html" File Handling Remote Stack Buffer Overflow
09.30.45 - GraFX MiniCWB "LANG" Parameter Multiple Remote File Include Vulnerabilities
09.30.46 - McAfee SmartFilter Multiple Information Disclosure Vulnerabilities
09.30.47 - phpDirectorySource SQL Injection and Cross Site Scripting Vulnerabilities
09.30.48 - phpGroupWare Multiple Input Validation Vulnerabilities
 -- Network Device
09.30.49 - Cisco Unified Contact Center Express CRS Administration Interface Directory Traversal
______________________________________________________________________

PART I Critical Vulnerabilities
Part I for this issue has been compiled by Rohan Kotian at TippingPoint,
a division of 3Com, as a by-product of that company's continuous effort
to ensure that its intrusion prevention products effectively block
exploits using known vulnerabilities. TippingPoint's analysis is
complemented by input from a council of security managers from twelve
large organizations who confidentially share with SANS the specific
actions they have taken to protect their systems. A detailed description
of the process may be found at
http://www.sans.org/newsletters/cva/#process

*****************************
Widely Deployed Software
*****************************

(1) CRITICAL: Adobe Acrobat/Reader and Adobe Flash Player Remote Code Execution Vulnerability
Affected:
Adobe Reader 9.1.2
Adobe Acrobat Standard 9.x
Adobe Acrobat Reader 9.x
Adobe Acrobat Professional 9.x
Adobe Flash Player 10.x
Adobe Flash Player 9.x

Description: Adobe Acrobat and Adobe Reader are the most popular software
for creating and viewing Portable Document Format (PDF) files. Adobe
Flash Player is a multimedia application used for viewing animations in
web browsers. There is a vulnerability in Adobe Flash Player and Adobe
Acrobat/Reader which could be triggered by opening a specially crafted
Flash (SWF) file or a PDF file containing a malicious Flash (SWF)
animation. The specific flaw lies in the "flash9f.dll" and
"authplay.dll" modules. Successful exploitation might lead to a
denial-of-service condition or compromise of the affected system. Note
that, depending upon configuration, PDF documents may be opened by the
vulnerable applications upon receipt without first prompting the user.
Reports indicate that this vulnerability is being actively exploited in
the wild.

Status: Vendor confirmed, no updates available yet. The vendor will
provide an update for Flash Player v9 and v10 by 30th July 2009 and for
Adobe Reader and Acrobat v9.1.2 by 31st July 2009.

References:
Adobe Security Advisory
http://www.adobe.com/support/security/advisories/apsa09-03.html
Adobe Product Security Incident Response Team (PSIRT)
http://blogs.adobe.com/psirt/
Vendor Home Page
http://www.adobe.com/
SecurityFocus BID
http://www.securityfocus.com/bid/35759

*************************************************************

(2) HIGH: Mozilla Products Multiple Vulnerabilities
Affected:
Mozilla Firefox versions 3.x
Mozilla Thunderbird versions 2.x

Description: The Mozilla Firefox web browser and Mozilla Thunderbird
email client, which are based on the Mozilla suite of applications,
contain multiple vulnerabilities. These vulnerabilities could be
triggered by a malicious web page or email message and might lead to
arbitrary code execution with the privileges of the current user. There
are memory corruption errors in the JavaScript and browser engines, in
the handling of multiple RDF files in a XUL tree, in the handling of
certain data in a Base64 function, in the construction of documents, in
the handling of the Flash plug-in, and in the handling of the SVG
element. Some vulnerabilities are caused by boundary errors in font
glyph rendering libraries. There is an error in the way "setTimeout()"
is invoked with certain object parameters. One of the issues might also
lead to cross-site scripting attacks. The technical details required to
craft exploit code are included in the Mozilla bug repository.

Status: Vendor confirmed, updates available.

References:
Mozilla Security Advisories
http://www.mozilla.org/security/announce/2009/mfsa2009-34.html
http://www.mozilla.org/security/announce/2009/mfsa2009-35.html
http://www.mozilla.org/security/announce/2009/mfsa2009-36.html
http://www.mozilla.org/security/announce/2009/mfsa2009-37.html
http://www.mozilla.org/security/announce/2009/mfsa2009-39.html
http://www.mozilla.org/security/announce/2009/mfsa2009-40.html
Vendor Home Page
http://www.mozilla.com/en-US/
SecurityFocus BID
http://www.securityfocus.com/bid/35758

*************************************************************

(3) HIGH: Google Chrome JavaScript Regular Expressions Memory Corruption Vulnerability
Affected:
Google Chrome versions prior to 2.0.172.37

Description: Google Chrome, a web browser from Google, is the fourth
most popular browser with a 1.8% usage share among all web browsers. It
has a memory corruption vulnerability which can be triggered while
parsing a specially crafted web page. The specific flaw is caused by
inadequate checks while processing regular expressions in JavaScript on
a web page. Users would have to be tricked into visiting the website
that hosts such a page, typically by persuading them to click on links
in e-mail or P2P messages. Successful exploitation might lead to memory
corruption and possibly a heap-based buffer overflow followed by
arbitrary code execution. Full technical details are publicly available.

Status: Vendor confirmed, updates available.

References:
Google Chrome Security Release
http://googlechromereleases.blogspot.com/2009/07/stable-beta-update-bug-fixes.html
Wikipedia Article on Google Chrome
http://en.wikipedia.org/wiki/Google_Chrome
Product Home Page
http://www.google.com/chrome
SecurityFocus BID
http://www.securityfocus.com/bid/35722

*************************************************************

(4) HIGH: Novell Privileged User Manager Remote Library Injection Vulnerability
Affected:
Novell Privileged User Manager 2.2

Description: Novell Privileged User Manager is used to deliver superuser
privilege management for all UNIX/Linux environments. A vulnerability
has been reported in it, whereby an attacker can load arbitrary
libraries or modules over the network and possibly compromise the
vulnerable system. The specific flaw is caused by an improper
implementation of the "spf" RPC call within the "unifid.exe" service,
which binds to port 29010. Successful exploitation might eventually
allow an attacker to execute arbitrary code in the context of the
service. Authentication is not required to exploit this vulnerability.

Status: Vendor confirmed, updates available.

References:
Novell Security Advisory
http://www.novell.com/support/viewContent.do?externalId=7003640
Zero Day Initiative Advisory
http://www.zerodayinitiative.com/advisories/ZDI-09-046/
Product Home Page
http://www.novell.com/products/privilegedusermanager/
SecurityFocus BID
http://www.securityfocus.com/bid/35752

*************************************************************

(5) HIGH: Common Data Format Multiple Vulnerabilities
Affected:
NASA Goddard Space Flight Center CDF version 3.2.4 and prior

Description: Common Data Format (CDF) is a conceptual data abstraction
developed by NASA and is used for storing and manipulating
multi-dimensional data sets. Multiple memory corruption vulnerabilities
have been identified which can be triggered by parsing a specially
crafted CDF file. One of the flaws is an array indexing error in the
"ReadAEDRList64()" function, caused by inadequate checks on the part of
the CDF reading program while parsing a CDF file. There are other, as
yet unspecified, memory corruption errors in functions such as
"SearchForRecord_r_64()", "LastRecord64()" and "CDFsel64()", among
others. Successful exploitation might allow an attacker to execute
arbitrary code. Technical details for one of the vulnerabilities are
publicly available.

Status: Vendor confirmed, updates available.

References:
INFIGO IS Security Advisory (#INFIGO-2009-07-09)
http://www.infigo.hr/en/in_focus/advisories/INFIGO-2009-07-09
CDF Change Logs - CDF V3.3.0
http://cdf.gsfc.nasa.gov/html/CDF_changesnote2.html
Product Home Page
http://cdf.gsfc.nasa.gov/
SecurityFocus BID
http://www.securityfocus.com/bid/35754

*************************************************************

(6) MODERATE: Akamai Download Manager Redswoosh Downloads Buffer Overflow Vulnerability
Affected:
Akamai Download Manager versions prior to 2.2.4.8

Description: The Akamai Download Manager is a popular download
management application from Akamai. It has a buffer overflow
vulnerability which could be triggered by a specially crafted HTTP
response. The specific flaw is caused by a boundary error in manager.exe
while handling Redswoosh downloads (Redswoosh is a peer-to-peer content
delivery technology). Successful exploitation might allow an attacker
to execute arbitrary code in the context of the logged-on user. Users
would have to be tricked into visiting a malicious website, typically by
persuading them to click on links in e-mail or P2P messages. Some
technical details for this vulnerability are publicly available.

Status: Vendor confirmed, updates available. Users can mitigate the
impact of this vulnerability by disabling the affected controls via
Microsoft's "killbit" mechanism for CLSIDs
"4871A87A-BFDD-4106-8153-FFDE2BAC2967",
"2AF5BD25-90C5-4EEC-88C5-B44DC2905D8B" and
"FFBB3F3B-0A5A-4106-BE53-DFE1E2340CB1".

References:
Akamai Security Advisory
http://www.akamai.com/html/support/security.html
iDefense Advisory
http://labs.idefense.com/intelligence/vulnerabilities/display.php?id=813
Microsoft Knowledge Base Article (details the "killbit" mechanism)
http://support.microsoft.com/kb/240797
Vendor Home Page
http://www.akamai.com/
SecurityFocus BID
http://www.securityfocus.com/bid/35778

*************************************************************

(7) LOW: Armed Assault Multiple Vulnerabilities
Affected:
Armed Assault version 1.14 and prior
Armed Assault II version 1.02 and prior

Description: Armed Assault is a tactical military shooter war game
developed by Bohemia Interactive. Multiple vulnerabilities have been
identified in Armed Assault which might lead to a denial-of-service
condition or even arbitrary code execution. The first issue is caused
due to an error in the handling of the last field of the join packet.
The second issue is a format string error while processing the nickname
or the datafile field of a specially crafted join packet. The third
issue is an error caused due to inadequate checks on the voice data
packets sent to port 2305. Technical details for these vulnerabilities
are publicly available along with proof-of-concepts.

Status: Vendor confirmed, updates available.

References:
Wikipedia Article on Armed Assault
http://en.wikipedia.org/wiki/ArmA:_Armed_Assault
Vendor Home Page
http://www.bistudio.com/
Secunia Advisory
http://secunia.com/advisories/35900/

*************************************************************

Part II: Weekly Comprehensive List of Newly Discovered Vulnerabilities
Week 30, 2009
This list is compiled by Qualys ( www.qualys.com ) as part of that
company's ongoing effort to ensure its vulnerability management web
service tests for all known vulnerabilities that can be scanned. As of
this week Qualys scans for 7288 unique vulnerabilities. For this special
SANS community listing, Qualys also includes vulnerabilities that cannot
be scanned remotely.
______________________________________________________________________

09.30.1 CVE: Not Available
Platform: Third Party Windows Apps
Title: Google Chrome Javascript Regular Expression Handling Remote
Code Execution
Description: Google Chrome is a web browser. Chrome is exposed to a
remote code execution issue. Specifically, this issue stems from a
heap overflow condition that arises when the application handles
malformed Javascript regular expressions. Chrome versions prior to
2.0.172.37 are affected.
Ref:
http://googlechromereleases.blogspot.com/2009/07/stable-beta-update-bug-fixes.html
______________________________________________________________________

09.30.2 CVE: Not Available
Platform: Third Party Windows Apps
Title: Google Chrome Privilege Escalation Weakness
Description: Google Chrome is a web browser for Microsoft Windows.
Google Chrome is exposed to a weakness that may allow attackers to
escalate privileges after carrying out a successful code execution
attack against a renderer (tab) process. The issue arises because a
compromised renderer (tab) process can cause the browser process to
allocate very large memory buffers. Chrome versions prior to 2.0.172.37
are affected.
Ref:
http://googlechromereleases.blogspot.com/2009/07/stable-beta-update-bug-fixes.html
______________________________________________________________________

09.30.3 CVE: Not Available
Platform: Third Party Windows Apps
Title: iDefense COMRaider ActiveX Control Multiple Insecure Method
Vulnerabilities
Description: iDefense COMRaider is an ActiveX fuzzing utility. The
iDefense COMRaider ActiveX control is exposed to multiple insecure
method issues. An attacker can exploit these issues by enticing an
unsuspecting victim to visit a malicious HTML page.
Ref: http://www.securityfocus.com/archive/1/505042
______________________________________________________________________

09.30.4 CVE: Not Available
Platform: Linux
Title: Linux Kernel "tun_chr_poll()" NULL Pointer Dereference
Description: The Linux kernel is exposed to a local NULL pointer
dereference issue. This vulnerability stems from an error in the
"tun_chr_poll" function in the "tun.c" file. The issue arises because
the code dereferences the "tun" pointer before checking it for a NULL
value. The check exists in the source code but is not present in the
compiled code: because the pointer has already been dereferenced, the
compiler assumes it cannot be NULL (a fault would already have occurred
otherwise) and removes the later check as unnecessary. Linux kernel
version 2.6.30 is affected.
Ref: http://lkml.org/lkml/2009/7/6/19
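The ordering problem described above, as an added example that is not code from the bulletin or from the Linux kernel's tun.c: a hypothetical "poll" routine in the vulnerable form (dereference first, check second) beside the corrected form (check first). The struct, function and constant names are assumptions made for the illustration.

```c
/* Added example (not from the bulletin or the Linux kernel source): the
 * "dereference before NULL check" pattern from 09.30.4, beside the
 * corrected ordering. struct tun_dev, poll_buggy, poll_fixed, POLL_ERR
 * and sample_dev are hypothetical names for this illustration. */
#include <stddef.h>
#include <stdio.h>

#define POLL_ERR (-1)

struct tun_dev {
    int pending;   /* hypothetical: number of queued packets */
};

/* Constructed sample device used by main() below. */
struct tun_dev sample_dev = { .pending = 3 };

/* Vulnerable ordering: the pointer is used before it is checked. With
 * optimisation enabled, GCC treats the dereference as proof that 'tun'
 * is non-NULL and may delete the later 'if (!tun)' test entirely, so a
 * NULL caller reaches the dereference with no guard in the binary. */
int poll_buggy(struct tun_dev *tun)
{
    int pending = tun->pending;   /* dereference first ...              */
    if (!tun)                      /* ... check second: may be removed   */
        return POLL_ERR;
    return pending;
}

/* Corrected ordering: validate before any use, so the compiler has no
 * basis for assuming the pointer is valid and the guard survives. */
int poll_fixed(struct tun_dev *tun)
{
    if (!tun)
        return POLL_ERR;
    return tun->pending;
}

int main(void)
{
    printf("fixed, valid dev: %d\n", poll_fixed(&sample_dev));
    printf("fixed, NULL dev:  %d\n", poll_fixed(NULL));
    /* poll_buggy(NULL) is undefined behaviour and is deliberately not run. */
    printf("buggy, valid dev: %d\n", poll_buggy(&sample_dev));
    return 0;
}
```

The source-level fix is to move every check ahead of the first use; as a build-level backstop, GCC's -fno-delete-null-pointer-checks option stops the optimiser from discarding such checks, at the cost of the optimisation elsewhere.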
______________________________________________________________________

09.30.5 CVE: Not Available
Platform: Linux
Title: Linux Kernel SGI GRU Driver Off By One
Description: The Linux kernel is exposed to an off-by-one issue that may
allow attackers to trigger a denial of service condition.
Specifically, this issue occurs in the "drivers/misc/sgi-gru/gruprocfs.c"
source file of the SGI GRU driver. The flaw can be exploited to write a
NUL byte to an arbitrary location in kernel memory.
Ref:
http://xorl.wordpress.com/2009/07/21/linux-kernel-sgi-gru-driver-off-by-one-overwrite/
______________________________________________________________________

09.30.6 CVE: Not Available
Platform: BSD
Title: FreeBSD "PECOFF_SUPPORT" Local Denial of Service
Description: FreeBSD is prone to a local denial of service
vulnerability. This issue affects the "PECOFF_SUPPORT" kernel option,
which is used to provide support for portable executable (PE) binary
files. Specifically, this issue may lead to a kernel panic when
attempting to load a maliciously constructed binary file. FreeBSD
version 7.2 is affected.
Ref: http://www.securityfocus.com/bid/35739
______________________________________________________________________

09.30.7 CVE: Not Available
Platform: Solaris
Title: Sun Solaris SCTP Packet Processing Remote Denial of Service
Description: Sun Solaris is exposed to a remote denial of service
issue. The denial of service issue exists in the SCTP "sctp(7P)" packet
processing routines. Exploiting this issue allows attackers to panic the
vulnerable system, effectively denying service to legitimate users.
Solaris 10 and OpenSolaris snv_01 through snv_119 are affected.
Ref: http://sunsolve.sun.com/search/document.do?assetkey=1-66-253608-1
______________________________________________________________________

09.30.8 CVE: Not Available
Platform: Solaris
Title: Sun Solaris NFS Version 4 Kernel Module Local Denial of Service
Description: Sun Solaris is a UNIX based operating system. The Solaris
NFSv4 kernel module is exposed to an unspecified local denial of
service issue. Local attackers may exploit this issue to panic an
NFSv4 client system, denying service to legitimate users. Sun Solaris
10 and OpenSolaris based upon builds snv_102 through snv_119 are
affected.
Ref: http://sunsolve.sun.com/search/document.do?assetkey=1-66-262788-1
______________________________________________________________________

09.30.9 CVE: Not Available
Platform: Solaris
Title: Sun Solaris IP Filter (ipf(5)) Remote Denial of Service
Description: Sun Solaris is exposed to a remote denial of service
issue that occurs in Solaris IP Filter (ipfilter(5)). Solaris 10 and
OpenSolaris snv_45 through snv_110 are affected.
Ref: http://sunsolve.sun.com/search/document.do?assetkey=1-66-260951-1
______________________________________________________________________

09.30.10 CVE: Not Available
Platform: Solaris
Title: Sun Solaris XScreenSaver Local Information Disclosure
Description: XScreenSaver is a screen saver for Linux and Unix systems
running the X11 Window System. The Solaris XScreenSaver program is
exposed to a local information disclosure issue. Solaris 8, Solaris 9,
Solaris 10 and OpenSolaris Operating Systems are affected.
Ref: http://sunsolve.sun.com/search/document.do?assetkey=1-66-264048-1
______________________________________________________________________

09.30.11 CVE: Not Available
Platform: Novell
Title: Novell Access Manager Administration Console Information
Disclosure
Description: Novell Access Manager is an application that provides
a single sign on feature for all corporate web applications. The
application is exposed to a remote unspecified information disclosure
issue that may allow an attacker to access system files from the
Administration Console. Novell Access Manager versions prior to 3.1
SP1 are affected.
Ref:
http://www.novell.com/documentation/novellaccessmanager31/accessmanager_readme/data/accessmanager_readme.html#bktec02
______________________________________________________________________

09.30.12 CVE: Not Available
Platform: Novell
Title: Novell Privileged User Manager Remote Library Injection
Description: Novell Privileged User Manager is an application used to
manage super users across an enterprise. The application is exposed to
a remote library injection issue due to an unspecified error. Novell
Privileged User Manager 2.2.0 is affected.
Ref: http://www.novell.com/support/viewContent.do?externalId=7003640
______________________________________________________________________

09.30.13 CVE: CVE-2009-2048
Platform: Cross Platform
Title: Cisco Unified Contact Center Express (CCX) Arbitrary Script
Injection
Description: Cisco Unified Contact Center Express (CCX) is a call
center application. The application is exposed to an arbitrary script
injection issue because it fails to sanitize user-supplied input to
the web-based administration interface. This issue affects both the
Customer Response Solutions (CRS) and Unified IP Interactive Voice
Response (Unified IP IVR) products.
Ref:
http://www.cisco.com/en/US/products/products_security_advisory09186a0080ae04b2.shtml#ID
______________________________________________________________________

09.30.14 CVE: CVE-2009-2479
Platform: Cross Platform
Title: Mozilla Firefox 3.5 Unicode Data Remote Stack Buffer Overflow
Description: Mozilla Firefox is a web browser available for various
platforms. Firefox is exposed to a remote stack based buffer overflow
issue that can be triggered by malicious JavaScript code operating on
strings containing Unicode data. Firefox version 3.5 is affected.
Ref:
http://blog.mozilla.com/security/2009/07/19/milw0rm-9158-stack-overflow-crash-not-exploitable-cve-2009-2479/
______________________________________________________________________

09.30.15 CVE: Not Available
Platform: Cross Platform
Title: FCKeditor.Java Infinite Loop Denial of Service
Description: FCKeditor is an online text/DHTML editor. FCKeditor.Java
allows integrating FCKeditor with Java applications. FCKeditor.Java is
exposed to a remote denial of service issue because it fails to
properly handle request parameters that contain "ctrl" characters.
FCKeditor.Java versions prior to 2.4.2 are affected.
Ref: http://dev.fckeditor.net/ticket/3902
______________________________________________________________________

09.30.16 CVE: Not Available
Platform: Cross Platform
Title: Sun Ray Server Software "utdmsession" Command Security Bypass
Description: Sun Ray Server Software is an application used to deliver
virtual Windows, Linux or Solaris OS desktops to Sun Ray clients. The
application is exposed to a security bypass issue. Specifically, the
"utdmsession" command may allow unauthorized access to the Sun Ray
sessions of other users. Sun Ray Server Software version 4.0 is
affected.
Ref: http://sunsolve.sun.com/search/document.do?assetkey=1-66-252226-1
______________________________________________________________________

09.30.17 CVE: Not Available
Platform: Cross Platform
Title: Sun Ray Server Multiple Vulnerabilities
Description: Sun Ray server is a proxy server developed by Sun
Microsystems. Sun Ray server is exposed to multiple issues. Sun Ray
Server Software version 4.0 for Solaris 10 is affected.
Ref: http://sunsolve.sun.com/search/document.do?assetkey=1-66-253889-1
______________________________________________________________________

09.30.18 CVE: CVE-2009-2348
Platform: Cross Platform
Title: Open Handset Alliance Android Permission Verification Multiple
Security Bypass Vulnerabilities
Description: Open Handset Alliance Android (previously Google Android)
is a software stack and operating system for mobile phones. Android is
exposed to multiple security bypass issues because permission checks
may be bypassed by applications when they access camera and audio
resources. All Open Handset Alliance Android 1.5 CRBxx versions are
affected.
Ref: http://www.securityfocus.com/archive/1/505012
______________________________________________________________________

09.30.19 CVE: Not Available
Platform: Cross Platform
Title: MightSOFT Audio Editor Pro MP3 File Unspecified Memory
Corruption
Description: MightSOFT Audio Editor Pro is an audio data editor for
Microsoft Windows platforms. Audio Editor Pro is exposed to an
unspecified memory corruption issue. An attacker can exploit this
issue by tricking a victim into opening a malicious MP3 file to
execute arbitrary code and to cause denial of service conditions.
Ref: http://www.securityfocus.com/bid/35719
______________________________________________________________________

09.30.20 CVE: CVE-2009-1894
Platform: Cross Platform
Title: PulseAudio setuid Local Privilege Escalation
Description: PulseAudio is a sound server available for various
platforms. PulseAudio is exposed to a local privilege escalation issue
because it does not drop privileges after being installed setuid root.
Ref: http://www.securityfocus.com/archive/1/505052
______________________________________________________________________

09.30.21 CVE: Not Available
Platform: Cross Platform
Title: SAP NetWeaver Password Information Disclosure
Description: SAP NetWeaver is a platform for enterprise applications.
The software is exposed to an information disclosure issue because it
fails to properly secure communication channels between clients and
servers. Specifically, SAP GUI clients and ABAP application servers
use the "Dynamic Information and Action Gateway" (DIAG) and "Remote
Function Call" (RFC) protocols to transmit authentication credentials.
Ref: http://www.securityfocus.com/bid/35729
______________________________________________________________________

09.30.22 CVE: Not Available
Platform: Cross Platform
Title: Multiple RadScripts Products Cross-Site Scripting and SQL
Injection Vulnerabilities
Description: Multiple RadScripts products are exposed to an SQL
injection issue and multiple cross-site scripting issues because they
fail to sufficiently sanitize user-supplied data. Exploiting these
issues could allow an attacker to steal cookie-based authentication
credentials, compromise the application, access or modify data, or
exploit latent vulnerabilities in the underlying database.
Ref: http://www.securityfocus.com/bid/35730
______________________________________________________________________

09.30.23 CVE: CVE-2009-2533
Platform: Cross Platform
Title: RealNetworks Helix Server "RTSP" Remote Denial of Service
Description: RealNetworks Helix Server is a multiformat,
cross-platform streaming server. The application is exposed to a
remote denial of service issue because it fails to properly handle
invalid requests. Specifically, the issue occurs when the "rmserver"
process receives multiple "RTSP (SET_PARAMETER)" requests with no
content in the "DataConvertBuffer" parameter. Helix Server and Helix
Mobile Server versions prior to 13.0.0 are affected.
Ref: http://www.coresecurity.com/content/real-helix-dna
______________________________________________________________________

09.30.24 CVE: CVE-2009-2534
Platform: Cross Platform
Title: RealNetworks Helix Server "SETUP" Remote Denial of Service
Description: RealNetworks Helix Server is a multiformat,
cross-platform streaming server. The application is exposed to a
remote denial of service issue because it fails to properly handle
invalid requests. Specifically, the issue occurs when the server
receives a "SETUP" request in which the "/" character is absent from
the request line. Helix Server and Helix Mobile Server versions prior
to 13.0.0 are affected.
Ref: http://www.coresecurity.com/content/real-helix-dna
______________________________________________________________________

09.30.25 CVE: Not Available
Platform: Cross Platform
Title: NOS getPlus Download Manager Insecure File Permissions Local
Privilege Escalation
Description: NOS Microsystems getPlus Download Manager is an
application that manages file downloads over the Internet. The
application is exposed to a local privilege escalation issue that
stems from a design error. This vulnerability occurs because the
application assigns insecure file permissions to certain applications
during installation.
Ref: http://retrogod.altervista.org/9sg_adobe_local.html
______________________________________________________________________

09.30.26 CVE: CVE-2009-0904
Platform: Cross Platform
Title: IBM WebSphere Application Server Stax XMLStreamWrite Security
Bypass
Description: IBM WebSphere Application Server (WAS) is available for
various operating systems. WAS is exposed to a security bypass issue
that occurs when using IBM Stax XMLStreamWriter. Specifically, the
service fails to properly validate XML encodings. WAS versions 6.1.0
prior to 6.1.0.25 are affected.
Ref: http://www-01.ibm.com/support/docview.wss?uid=swg1PK84015
______________________________________________________________________

09.30.27 CVE: Not Available
Platform: Cross Platform
Title: DD-WRT Web Management Interface Remote Arbitrary Shell Command
Injection
Description: DD-WRT is a modification of the original Linksys Firmware
for supporting simple Radius Authentication. DD-WRT is exposed to a
remote command injection issue because it fails to adequately sanitize
user-supplied input data. This issue affects the web-based management
interface CGI application. DD-WRT version v24-sp1 is affected.
Ref: http://www.securityfocus.com/bid/35744
______________________________________________________________________

09.30.28 CVE: Not Available
Platform: Cross Platform
Title: KMPlayer ".srt" File Remote Buffer Overflow
Description: KMPlayer is a media player. KMPlayer is exposed to a
remote stack based buffer overflow issue because it fails to perform
adequate checks on user-supplied input. Specifically, this issue
occurs when the application parses ".srt" subtitle files containing
excessive data. KMPlayer version 2.9.4.1433 is affected.
Ref: http://www.securityfocus.com/bid/35745
______________________________________________________________________

09.30.29 CVE: Not Available
Platform: Cross Platform
Title: Wireshark 1.2.0 Multiple Vulnerabilities
Description: Wireshark (formerly Ethereal) is an application for
analyzing network traffic; it is available for Microsoft Windows and
UNIX-like operating systems. Wireshark is exposed to multiple issues
when handling certain types of packets and protocols in varying
conditions. Multiple vulnerabilities in AFS, Infiniband, Bluetooth
L2CAP, RADIUS, MIOP and sFlow dissectors may be used to crash the
application or use excessive memory and CPU, resulting in denial of
service conditions. Wireshark versions 0.9.2 up to and including 1.2.0
are affected.
Ref: http://www.wireshark.org/security/wnpa-sec-2009-04.html
______________________________________________________________________

09.30.30 CVE: Not Available
Platform: Cross Platform
Title: Common Data Format Library Multiple Memory Corruption
Vulnerabilities
Description: The Common Data Format (CDF) is a data format for the
storage and manipulation of scalar and multidimensional data. The CDF
library is exposed to multiple memory corruption issues. A successful
attack will allow attacker-supplied code to run in the context of the
victim opening the file. Failed exploit attempts will result in a
denial of service condition. CDF version 3.2.4 is affected.
Ref: http://cdf.gsfc.nasa.gov/html/CDF_changesnote2.html
______________________________________________________________________

09.30.31 CVE: Not Available
Platform: Cross Platform
Title: ZNC File Upload Directory Traversal
Description: ZNC is a bouncer application for Internet Relay Chat
(IRC). The application is exposed to a directory traversal issue
because it fails to sufficiently sanitize user-supplied input before
uploading files onto the web server. Specifically, the application
allows any authenticated user to upload files using "dcc send
*status". ZNC versions prior to 0.072 are affected.
Ref:
http://znc.svn.sourceforge.net/viewvc/znc?view=rev&sortby=rev&sortdir=down&revision=1570
______________________________________________________________________

09.30.32 CVE: CVE-2009-1194, CVE-2009-2462, CVE-2009-2463,
CVE-2009-2464, CVE-2009-2465, CVE-2009-2466, CVE-2009-2467,
CVE-2009-2468, CVE-2009-2469, CVE-2009-2471, CVE-2009-2472
Platform: Cross Platform
Title: Mozilla Firefox MFSA 2009-34, -35, -36, -37, -39, -40 Multiple
Vulnerabilities
Description: The Mozilla Foundation has released multiple
advisories to address vulnerabilities in Firefox:
1. MFSA-2009-34 Crashes with evidence of memory corruption: This
advisory addresses a number of crashes in Firefox and Thunderbird.
These crashes may be due to memory corruption, resulting in a
potential for the execution of arbitrary code.

2. MFSA-2009-35 Crash and remote code execution during Flash player
unloading: This advisory addresses a vulnerability (CVE-2009-2467)
that occurs during Flash player unloading. The issue can be triggered
by a malicious Web page that presents a slow script dialog.

3. MFSA-2009-36 Heap/integer overflows in font glyph rendering
libraries: This advisory addresses heap and integer overflow
vulnerabilities in the font glyph rendering libraries used by Firefox.

4. MFSA-2009-37 Crash and remote code execution using watch and
__defineSetter__ on SVG element: This advisory addresses a
vulnerability (CVE-2009-2469) that occurs when a specific value is
set on properties for watch and __defineSetter__ functions for SVG
elements.

5. MFSA-2009-39 setTimeout loses XPCNativeWrappers: This advisory
addresses a vulnerability (CVE-2009-2471) in setTimeout. The problem
occurs when setTimeout is called with object parameters that should be
protected by XPCNativeWrappers; the affected object instead loses its
wrapper when the new function is compiled prior to execution.

6. MFSA-2009-40 Multiple cross origin wrapper bypasses: This advisory
addresses multiple issues (CVE-2009-2472) that may allow cross-origin
wrapper bypasses. The issues can be exploited to allow objects that
should be protected by an XPCCrossOriginWrapper to be constructed
without the wrapper.

The vulnerabilities are fixed in Firefox 3.0.12 and 3.5.1.
Ref: http://www.mozilla.org/security/announce/2009/mfsa2009-35.html
______________________________________________________________________

09.30.33 CVE: Not Available
Platform: Cross Platform
Title: Adobe Acrobat, Reader and Flash Player Unspecified
Description: Adobe Acrobat and Reader are applications for handling
PDF files; Adobe Flash Player is a multimedia application. They are
available for multiple platforms. Adobe Acrobat, Reader and Flash
Player are exposed to an unspecified issue. Adobe Reader and Acrobat
version 9.1.2 and Adobe Flash Player versions 9 and 10 are affected.
Ref:
http://blogs.adobe.com/psirt/2009/07/potential_adobe_reader_and_fla.html
______________________________________________________________________

09.30.34 CVE: Not Available
Platform: Web Application - Cross Site Scripting
Title: YourFreeWorld Programs Rating Script Multiple Cross-Site
Scripting Vulnerabilities
Description: Programs Rating Script is a web-based application. The
application is exposed to multiple cross-site scripting issues because
it fails to sufficiently sanitize user-supplied data. An attacker may
leverage these issues to execute arbitrary script code in the browser
of an unsuspecting user in the context of the affected site.
Ref: http://www.securityfocus.com/bid/35746
______________________________________________________________________

09.30.35 CVE: Not Available
Platform: Web Application - Cross Site Scripting
Title: WordPress Comment Author URI Cross-Site Scripting
Description: WordPress allows users to generate news pages and
web-logs dynamically; it is implemented in PHP with a MySQL database.
The application is exposed to a cross-site scripting issue because it
fails to properly sanitize user-supplied input to comment authors'
URIs when they are displayed in the administrator pages. WordPress
versions prior to 2.8.2 are affected.
Ref: http://wordpress.org/development/2009/07/wordpress-2-8-2/
______________________________________________________________________

09.30.36 CVE: Not Available
Platform: Web Application - SQL Injection
Title: WordPress My Category Order Plugin "parentID" Parameter SQL
Injection
Description: My Category Order is a plugin for the WordPress web-based
publishing application; it allows an explicit ordering for post
categories. The plugin is exposed to an SQL injection issue because it
fails to sufficiently sanitize user-supplied data to the "parentID"
parameter of the "post-new.php" script when the "page" parameter is
set to "mycategoryorder" and the "mode" parameter is set to
"act_OrderCategories", before using the data in an SQL query. My
Category Order version 2.8 is affected.
Ref: http://www.securityfocus.com/bid/35704
______________________________________________________________________

09.30.37 CVE: Not Available
Platform: Web Application - SQL Injection
Title: PHPLive! "request.php" SQL Injection
Description: PHPLive! is a live support solution. The application is
exposed to an SQL injection issue because it fails to sufficiently
sanitize user-supplied data to the "x" parameter of the "request.php"
script. PHPLive! versions 3.2.1 and 3.2.2 are affected.
Ref: http://www.securityfocus.com/bid/35718
______________________________________________________________________

09.30.38 CVE: Not Available
Platform: Web Application - SQL Injection
Title: db Masters Multimedia Content Manager "id" Parameter SQL
Injection
Description: db Masters Multimedia Content Manager is a web-based
application. The application is exposed to an SQL injection issue
because it fails to sufficiently sanitize user-supplied data to the
"id" parameter of the "index.php" script before using it in an SQL
query. db Masters Multimedia Content Manager version 4.5 is affected.
Ref: http://www.securityfocus.com/bid/35720
______________________________________________________________________

09.30.39 CVE: Not Available
Platform: Web Application - SQL Injection
Title: Joomla! Jobline Component "search" Parameter SQL Injection
Description: Jobline is a component for the Joomla! content manager.
The application is exposed to an SQL injection issue because it fails
to sufficiently sanitize user-supplied data to the "search" parameter
of the "com_jobline" component before using it in an SQL query. Jobline
version 1.1.3.1 is affected.
Ref: http://www.securityfocus.com/bid/35728
______________________________________________________________________

09.30.40 CVE: Not Available
Platform: Web Application - SQL Injection
Title: E-Xoopport MyAnnonces "lid" Parameter SQL Injection
Description: E-Xoopport MyAnnonces is an announcement module for the
E-Xoopport content manager. The application is exposed to an SQL
injection issue because it fails to sufficiently sanitize
user-supplied data to the "lid" parameter when the "pa" parameter is
set to "viewannonces".
Ref: http://www.securityfocus.com/bid/35744
______________________________________________________________________

09.30.41 CVE: Not Available
Platform: Web Application
Title: Drupal Submitted By "submitted by" Text HTML Injection
Description: Submitted By is a PHP-based component for the Drupal
content manager. The application is exposed to an HTML injection issue
because it fails to properly sanitize user-supplied input to the
"submitted by" text before displaying it in a user's web browser.
Ref: http://drupal.org/node/519246
______________________________________________________________________

09.30.42 CVE: Not Available
Platform: Web Application
Title: Drupal Image Assist Module HTML Injection and Information
Disclosure Vulnerabilities
Description: Drupal is a web-based content manager. Image Assist is a
module for Drupal that allows users to upload and insert images inline
into web content. The application is exposed to multiple security
issues. An attacker may leverage these issues to obtain potentially
sensitive information, execute arbitrary script code in the browser of
an unsuspecting user in the context of the affected site, steal
cookie-based authentication credentials, or control how the site is
rendered to the user; other attacks are also possible.
Ref: http://www.securityfocus.com/bid/35710
______________________________________________________________________

09.30.43 CVE: Not Available
Platform: Web Application
Title: Battle Blog SQL Injection and HTML Injection Vulnerabilities
Description: Battle Blog is a web application implemented in ASP. The
application is exposed to multiple input validation issues. Battle
Blog version 1.25 is affected.
Ref:
http://full-discl0sure.blogspot.com/2009/07/battle-blog-sqlhtml-injection.html
______________________________________________________________________

09.30.44 CVE: Not Available
Platform: Web Application
Title: HTMLDOC "html" File Handling Remote Stack Buffer Overflow
Description: HTMLDOC converts HTML files into indexed HTML, PDF, or
PostScript formats. The application is exposed to a stack-based buffer
overflow issue because it fails to perform adequate boundary checks on
user-supplied input. This issue arises in the "set_page_size()"
function when a specially crafted ".html" file is processed.
Ref: http://www.securityfocus.com/bid/35727
______________________________________________________________________

09.30.45 CVE: Not Available
Platform: Web Application
Title: GraFX MiniCWB "LANG" Parameter Multiple Remote File Include
Vulnerabilities
Description: GraFX MiniCWB is a PHP-based content manager. The
application is exposed to multiple remote file-include issues because
it fails to sufficiently sanitize user-supplied input. MiniCWB version
2.3.0 is affected.
Ref: http://www.securityfocus.com/bid/35738
______________________________________________________________________

09.30.46 CVE: CVE-2009-2312, CVE-2009-2429
Platform: Web Application
Title: McAfee SmartFilter Multiple Information Disclosure
Vulnerabilities
Description: McAfee SmartFilter is a web filtering application.
SmartFilter is exposed to multiple information-disclosure issues.
Specifically, the application fails to restrict access to the
"config.txt" and the "admin_backup.xml" files. SmartFilter version
4.2.1.00 is affected.
Ref:
http://archives.neohapsis.com/archives/fulldisclosure/2009-03/0314.html
______________________________________________________________________

09.30.47 CVE: Not Available
Platform: Web Application
Title: phpDirectorySource SQL Injection and Cross Site Scripting
Vulnerabilities
Description: phpDirectorySource is a web-based application. Since it
fails to sufficiently sanitize user-supplied data, the application is
exposed to multiple unspecified input validation issues, including an
SQL injection issue and a cross-site scripting issue. These issues
affect the "st" parameter of the "search.php" script.
Ref: http://www.securityfocus.com/bid/35760
______________________________________________________________________

09.30.48 CVE: Not Available
Platform: Web Application
Title: phpGroupWare Multiple Input Validation Vulnerabilities
Description: phpGroupWare is a web-based application implemented in
PHP. Since it fails to sufficiently sanitize user-supplied data, the
application is exposed to multiple input validation issues.
phpGroupWare version 0.9.16.12 is affected.
Ref: http://www.securityfocus.com/bid/35761
______________________________________________________________________

09.30.49 CVE: CVE-2009-2047
Platform: Network Device
Title: Cisco Unified Contact Center Express CRS Administration
Interface Directory Traversal
Description: Cisco Unified Contact Center Express provides routing and
call treatment for communication channels. Cisco Unified Contact
Center Express is exposed to a directory traversal issue because it
fails to properly sanitize user-supplied input. This issue occurs in
the Customer Response Solution (CRS) Administration interface.
Ref:
http://www.cisco.com/en/US/products/products_security_advisory09186a0080ae04b2.shtml#ID
______________________________________________________________________

(c) 2009. All rights reserved. The information contained in this
newsletter, including any external links, is provided "AS IS," with no
express or implied warranty, for informational purposes only. In some
cases, copyright for material in this newsletter may be held by a
party other than Qualys (as indicated herein) and permission to use
such material must be requested from the copyright owner.

Subscriptions: RISK is distributed free of charge by the SANS Institute
to people responsible for managing and securing information systems and
networks. You may forward this newsletter to others with such
responsibility inside or outside your organization.
