RISK: The Consensus Security Vulnerability Alert Vol. 8 No. 41
From: The SANS Institute (ConsensusSecurityVulnerabilityAlert@sans.org)
Date: Thu Oct 08 2009 - 13:46:17 CDT
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
******************************************************************
RISK: The Consensus Security Vulnerability Alert
Oct 08th, 2009 Vol. 8. Week 41
******************************************************************
RISK is the SANS community's consensus bulletin summarizing the most
important vulnerabilities and exploits identified during the past week
and providing guidance on appropriate actions to protect your systems
(PART I). It also includes a comprehensive list of all new
vulnerabilities discovered in the past week (PART II).
Summary of Updates and Vulnerabilities in this Consensus
Platform Number of Updates and Vulnerabilities
- ------------------------ -------------------------------------
Windows 1
Other Microsoft Products 1
Third Party Windows Apps 2 (#2)
Mac Os 1
Linux 3
BSD 3
Solaris 1
Novell 1
Cross Platform 13 (#3)
Web Application - Cross Site Scripting 5
Web Application - SQL Injection 2
Web Application 10 (#1, #4, #5)
Network Device 3
************************ Sponsored By Q1 Labs **************************
** THE SECURITY MANAGEMENT EVOLUTION: WHAT'S NEXT? **
GET THE WHITE PAPER NOW:
http://www.sans.org/info/49348
Respected industry analyst firm Enterprise Strategy Group (ESG) provides
a unique perspective on the evolution of security information and event
management (SIEM) solutions from niche firewall log analyzers to highly
strategic security management solutions. How can organizations like
yours identify and leverage the newest, most sophisticated tools in the
next phase of the Evolution?
*************************************************************************
TRAINING UPDATE
- SCADA Security Summit, Stockholm, Oct. 27-30,
http://www.sans.org/euscada09_summit/
- SANS Chicago North Shore, Oct. 26-Nov. 2,
http://www.sans.org/chicago09/
- SANS San Francisco, November 9-14,
http://www.sans.org/sanfrancisco09
- SANS CDI, Washington DC, Dec. 11-18,
http://www.sans.org/cyber-defense-initiative-2009
Looking for training in your own community? http://sans.org/community/
Save on On-Demand training (30 full courses) - See samples at
http://www.sans.org/ondemand/spring09.php
Plus London, Tokyo, Dubai, Sydney, Hong Kong, and Vancouver, all in the
next 90 days. For a list of all upcoming events, on-line and live:
www.sans.org
*************************************************************************
Table Of Contents
Part I -- Critical Vulnerabilities from TippingPoint (www.tippingpoint.com)
Widely Deployed Software
(1) HIGH: Google Apps "googleapps.url.mailto" URI handling Command Injection Vulnerability
(2) HIGH: AOL SuperBuddy ActiveX Control Remote Code Execution Vulnerability
(3) HIGH: IBM Informix Products Setnet32 Utility Processing Buffer Overflow Vulnerability
(4) HIGH: Omni-NFS Enterprise Multiple Buffer Overflow Vulnerabilities
(5) HIGH: IBM AIX 'rpc.cmsd' Calendar Daemon Buffer Overflow Vulnerability
**************************** Sponsored Links: **************************
1) Register Today and receive 10% off for SANS vLive course SEC542, Web
App Penetration Testing and Ethical Hacking, November 2nd - November
9th. Please use the code
Risk542 when registering.
http://www.sans.org/info/49353
2) Free SANS Audiocast!!! Security Buzz from MX Logic, Episode 37
featuring Scott Chasin, CTO of MX Logic & Erik Boles, Senior Systems
Engineer, sponsored by MX Logic
http://www.sans.org/info/49358
3) REGISTER NOW for the upcoming webcast: Ask the Expert Webcast: Top
10 Ways to Get the Most Out of Your Log Data
http://www.sans.org/info/49363
*************************************************************************
Part II -- Comprehensive List of Newly Discovered Vulnerabilities from
Qualys (www.qualys.com)
-- Windows
09.41.1 - IBM Installation Manager "iim://" URI Handling Remote Code Execution
-- Other Microsoft Products
09.41.2 - Internet Explorer X.509 Certificate Common Name Encoding Multiple Security Bypass Vulnerabilities
-- Third Party Windows Apps
09.41.3 - EMC Captiva PixTools Distributed Imaging ActiveX Control Multiple Insecure Method Vulnerabilities
09.41.4 - AOL SuperBuddy ActiveX Control Remote Code Execution
-- Mac Os
09.41.5 - VMware Fusion Local Denial Of Service
-- Linux
09.41.6 - Red Hat Enterprise Linux OpenSSH "ChrootDirectory" Option Local Privilege Escalation
09.41.7 - BackupPC "ClientNameAlias()" Security Bypass
09.41.8 - Linux Kernel 64-bit Kernel Register Memory Leak Local Information Disclosure
-- BSD
09.41.9 - FreeBSD Pipes "close()" Function Local Privilege Escalation
09.41.10 - FreeBSD "devfs" and "VFS" Interaction NULL Pointer Dereference
09.41.11 - OpenBSD XMM Exceptions Local Denial of Service
-- Solaris
09.41.12 - Sun Solaris IP(7P) Module and STREAMS Framework Local Denial Of Service
-- Novell
09.41.13 - Novell NetWare NFS Portmapper and RPC Module Stack Buffer Overflow Vulnerability
-- Cross Platform
09.41.14 - Drupal Shared Sign On Module Cross-Site Request Forgery and Session Fixation Vulnerabilities
09.41.15 - Google Chrome "dtoa()" Remote Code Execution
09.41.16 - Samba setuid "mount.cifs" Verbose Option Information Disclosure
09.41.17 - OSISoft PI System Encryption Security Bypass
09.41.18 - PHP "tempnam()" "safe_mode" Restriction-Bypass
09.41.19 - PHP "posix_mkfifo()" "open_basedir" Restriction Bypass
09.41.20 - ELinks "entity_cache" HTML File Off By One Buffer Overflow
09.41.21 - VMware Fusion Local Privilege Escalation
09.41.22 - Serv-U "SITE SET TRANSFERPROGRESS ON" Command Remote Denial of Service
09.41.23 - IBM Informix Products Setnet32 Utility ".nfx" File Buffer Overflow
09.41.24 - Wireshark ERF File Remote Code Execution
09.41.25 - Apache HTTP Server Solaris Event Port Pollset Support Remote Denial Of Service
09.41.26 - Palm WebOS Multiple Unspecified Vulnerabilities
-- Web Application - Cross Site Scripting
09.41.27 - Novell eDirectory "dconserv.dlm" Cross-Site Scripting
09.41.28 - Kayako SupportSuite and eSupport "functions_ticketsui.php" Cross Site Scripting
09.41.29 - SugarCRM Unspecified Cross Site Scripting
09.41.30 - X-Cart Email Subscription
09.41.31 - AfterLogic WebMail Pro Multiple Cross Site Scripting Vulnerabilities
-- Web Application - SQL Injection
09.41.32 - Joomla! Soundset Component "cat_id" Parameter SQL Injection
09.41.33 - Joomla! CB Resume Builder "group_id" Parameter SQL Injection
-- Web Application
09.41.34 - Samba Oplock Break Notification Remote Denial of Service
09.41.35 - Drupal XML Sitemap Link Paths HTML Injection
09.41.36 - Drupal Browscap Module User Agent Strings HTML Injection
09.41.37 - Drupal Organic Groups "Group Nodes" HTML Injection
09.41.38 - Drupal Bibliography Module Unspecified HTML Injection
09.41.39 - Drupal Boost Module Arbitrary Directory Creation
09.41.40 - Google Apps "googleapps.url.mailto" Handler Command Injection
09.41.41 - Drupal Service Links Component Content Type Names HTML Injection
09.41.42 - Symantec SecurityExpressions Audit and Compliance Server Cross Site Scripting Vulnerability
09.41.43 - Symantec SecurityExpressions Audit and Compliance Server Error Message HTML Injection
-- Network Device
09.41.44 - Open Handset Alliance Malformed Application Remote Denial Of Service
09.41.45 - Palm WebOS Email Arbitrary Script Injection
09.41.46 - Linksys WRT54GC Router Cross-Site Request Forgery
______________________________________________________________________
PART I Critical Vulnerabilities
Part I for this issue has been compiled by Rohan Kotian at TippingPoint,
a division of 3Com, as a by-product of that company's continuous effort
to ensure that its intrusion prevention products effectively block
exploits using known vulnerabilities. TippingPoint's analysis is
complemented by input from a council of security managers from twelve
large organizations who confidentially share with SANS the specific
actions they have taken to protect their systems. A detailed description
of the process may be found at
http://www.sans.org/newsletters/cva/#process
*****************************
Widely Deployed Software
*****************************
(1) HIGH: Google Apps "googleapps.url.mailto" URI handling Command Injection Vulnerability
Affected:
Google Apps 1.x
Description: Google Apps, a service from Google for using several Google
products (including Gmail, Google Calendar, Google Talk and Docs) with
custom domain names, is vulnerable to a remote command injection
vulnerability. A specially crafted web page can be used to trigger this
vulnerability. The specific flaw is an error in "googleapps.exe" in the
way it handles arguments, e.g. the "--renderer-path" argument, received
via the "googleapps.url.mailto:" URI. Successful exploitation might allow
an attacker to execute malicious binaries or applications from a remote
location. Technical details for this vulnerability are publicly
available along with a Proof-of-Concept.
Status: Vendor not confirmed, no updates available.
References:
Retrogod Security Advisory
http://retrogod.altervista.org/9sg_google_apps_uri.html
Wikipedia Article on Google Apps
http://en.wikipedia.org/wiki/Google_Apps
Product Home Page
http://www.google.com/apps/
SecurityFocus BID
http://www.securityfocus.com/bid/36581
*************************************************************
(2) HIGH: AOL SuperBuddy ActiveX Control Remote Code Execution Vulnerability
Affected:
AOL versions 9.x
AOL SuperBuddy ActiveX 9.x
Description: The "SuperBuddy" ActiveX control, shipped with the America
Online (AOL) software package, contains a vulnerability that can be
triggered by a malicious web page that instantiates the control. The
specific flaw is a memory corruption error in the "SetSuperBuddy()"
method of the "Sb.SuperBuddy.1" (sb.dll) ActiveX control. An attacker
might exploit this vulnerability by passing malformed arguments to the
"SetSuperBuddy()" method. Successful exploitation might allow an
attacker to execute arbitrary code in the context of the logged-on user.
Full technical details for this vulnerability are publicly available
along with a Proof-of-Concept.
Status: Vendor has not confirmed, no updates available. Users can
mitigate the impact of this vulnerability by disabling the control via
Microsoft's "kill bit" mechanism for CLSID
189504B8-50D1-4AA8-B4D6-95C8F58A6414.
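The kill-bit mitigation named in the Status line, as an added PowerShell example; this is not code from the SANS bulletin, AOL or Microsoft. It assumes an elevated prompt on an affected Windows machine. The CLSID is the one the bulletin gives; the registry location and the 0x400 "Compatibility Flags" value are the ones documented in the Microsoft Knowledge Base article referenced below. The script ORs the flag into any existing value rather than overwriting it, writes both the native and the Wow6432Node key so 32-bit Internet Explorer on 64-bit Windows is covered, and reports whether the bit is set afterwards.

```powershell
# Added example, not from the bulletin: set and verify the Internet Explorer
# "kill bit" for the AOL SuperBuddy control so IE refuses to instantiate it.
# Registry path and flag value per Microsoft KB 240797. Run elevated.

$clsid       = '{189504B8-50D1-4AA8-B4D6-95C8F58A6414}'   # CLSID from the bulletin
$KillBitFlag = 0x400                                        # COMPAT_EVIL_DONT_LOAD

# 32-bit IE on 64-bit Windows reads the Wow6432Node view, so set both keys.
$paths = @(
    "HKLM:\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility\$clsid",
    "HKLM:\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\ActiveX Compatibility\$clsid"
)

function Get-CompatFlags {
    param([string]$Path)
    $item = Get-ItemProperty -Path $Path -Name 'Compatibility Flags' -ErrorAction SilentlyContinue
    if ($null -eq $item) { return 0 }
    return [int]$item.'Compatibility Flags'
}

function Set-KillBit {
    param([string]$Path)
    if (-not (Test-Path $Path)) { New-Item -Path $Path -Force | Out-Null }
    # OR the flag in so other compatibility flags already stored there survive.
    $new = (Get-CompatFlags -Path $Path) -bor $KillBitFlag
    Set-ItemProperty -Path $Path -Name 'Compatibility Flags' -Value $new -Type DWord
}

function Test-KillBit {
    param([string]$Path)
    return ((Get-CompatFlags -Path $Path) -band $KillBitFlag) -eq $KillBitFlag
}

foreach ($p in $paths) {
    Set-KillBit -Path $p
    $state = if (Test-KillBit -Path $p) { 'set' } else { 'NOT set' }
    "{0}: kill bit {1}" -f $p, $state
}
```

To reverse the mitigation later, clear bit 0x400 from the same value rather than deleting the key, since other compatibility flags may be stored alongside it.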
References:
Microsoft Knowledge Base Article (details the "kill bit" mechanism)
http://support.microsoft.com/kb/240797
Vendor Home Page
http://www.aol.com/
SecurityFocus BID
http://www.securityfocus.com/bid/36580
*************************************************************
(3) HIGH: IBM Informix Products Setnet32 Utility Processing Buffer Overflow Vulnerability
Affected:
IBM Informix CSDK 3.50
IBM Informix Connect 3.0
Description: The IBM Informix Client Software Development Kit (CSDK)
packages the application programming interfaces (APIs) used to develop
applications for Informix servers. IBM Informix Connect is a runtime
connectivity product containing the libraries of IBM Informix CSDK. A
buffer overflow vulnerability has been discovered in IBM Informix CSDK
and IBM Informix Connect, which can be triggered by a specially crafted
".nfx" file. The specific flaw is a boundary error in the SetNet32
utility in the way it processes an ".nfx" file containing a malformed
field, e.g. an overly long "Hotlist" entry. Successful exploitation
might allow an attacker to execute arbitrary code. Technical details
for the vulnerability are publicly available in the form of a public
exploit.
Status: Vendor not confirmed, no updates available.
References:
Retrogod Security Advisory
http://retrogod.altervista.org/9sg_ibm_setnet32.html
Product Home Page
http://www-01.ibm.com/software/data/informix/tools/csdk/
SecurityFocus BID
http://www.securityfocus.com/bid/36588
*************************************************************
(4) HIGH: Omni-NFS Enterprise Multiple Buffer Overflow Vulnerabilities
Affected:
Xlink Technologies Omni-NFS Server 5.2
Description: Omni-NFS Enterprise from Xlink Technologies is a popular
NFS (Network File System) solution for sharing files between Windows
and UNIX platforms. Multiple buffer overflow vulnerabilities have been
reported in Omni-NFS Enterprise, which can be triggered by a specially
crafted FTP request or response. The first issue is a boundary error in
"ntpd.exe" in the way it handles FTP requests to TCP port 21. The second
issue is a boundary error in "wftp.exe" in the way it processes FTP
responses from a malicious FTP server. In both cases successful
exploitation might allow an attacker to execute arbitrary code in the
context of the user running the vulnerable application. Technical
details for these vulnerabilities are publicly available via the public
proof-of-concepts.
Status: Vendor not confirmed, no updates available.
References:
Metasploit Exploits
http://trac.metasploit.com/browser/framework3/trunk/modules/exploits/windows/ftp/xlink_server.rb
http://trac.metasploit.com/browser/framework3/trunk/modules/exploits/windows/ftp/xlink_client.rb
Product Home Page
http://www.xlink.com/nfs_products/Omni-NFS_Enterprise2000/NFS_Enterprise_2000.aspx
SecurityFocus BID
http://www.securityfocus.com/bid/36608
*************************************************************
(5) HIGH: IBM AIX 'rpc.cmsd' Calendar Daemon Buffer Overflow Vulnerability
Affected:
IBM Virtual I/O Server (VIOS) 2.x
IBM Virtual I/O Server (VIOS) 1.x
IBM AIX 6.1
IBM AIX 5.3
IBM AIX 5.2
Description: IBM AIX (Advanced Interactive eXecutive) is IBM's UNIX
operating system, based on System V and running on the PowerPC (PPC)
architecture. A buffer overflow vulnerability has been identified in
IBM AIX which can be triggered by sending a specially crafted request
to the Calendar Manager Service Daemon "rpc.cmsd". The specific flaw is
a buffer overflow error in the calendar daemon library "libcsa.a",
which fails to handle requests to "rpc.cmsd" carrying an overly long
argument for remote procedure 21. Successful exploitation might allow
an attacker to execute arbitrary code with superuser privileges. Some
technical details for the vulnerability are publicly available.
Status: Vendor confirmed, updates available.
References:
iDefense Labs Security Advisory
http://labs.idefense.com/intelligence/vulnerabilities/display.php?id=825
Wikipedia Article on IBM AIX
http://en.wikipedia.org/wiki/IBM_AIX
Product Home Page
http://www-1.ibm.com/servers/aix/
SecurityFocus BID
http://www.securityfocus.com/bid/36615
*************************************************************
Part II -- Comprehensive List of Newly Discovered Vulnerabilities from
Qualys (www.qualys.com)
Week 41, 2009
This list is compiled by Qualys ( www.qualys.com ) as part of that
company's ongoing effort to ensure its vulnerability management web
service tests for all known vulnerabilities that can be scanned. As of
this week Qualys scans for 7499 unique vulnerabilities. For this special
SANS community listing, Qualys also includes vulnerabilities that cannot
be scanned remotely.
______________________________________________________________________
09.41.1 CVE: CVE-2009-3518
Platform: Windows
Title: IBM Installation Manager "iim://" URI Handling Remote Code
Execution
Description: IBM Installation Manager is an application that allows
users to install, update, modify or uninstall applications. IBM
Installation Manager is exposed to a remote code-execution
vulnerability because it fails to handle specially crafted "iim://"
URIs. IBM Rational Robot and IBM Rational Team Concert, which include
IBM Installation Manager, are also affected.
Ref: http://www.securityfocus.com/bid/36549
______________________________________________________________________
09.41.2 CVE: Not Available
Platform: Other Microsoft Products
Title: Internet Explorer X.509 Certificate Common Name Encoding
Multiple Security Bypass Vulnerabilities
Description: Microsoft Internet Explorer is a browser available for
Microsoft Windows. Internet Explorer is exposed to multiple security
bypass issues because it fails to properly handle encoded values in
X.509 certificates.
Ref: http://ioactive.com/pdfs/PKILayerCake.pdf
______________________________________________________________________
09.41.3 CVE: Not Available
Platform: Third Party Windows Apps
Title: EMC Captiva PixTools Distributed Imaging ActiveX Control
Multiple Insecure Method Vulnerabilities
Description: EMC Captiva ISIS PixTools is a suite of software toolkits
used for scanning, viewing and processing images. The ActiveX control
is exposed to multiple insecure method issues and affects the
"SetLogFileName()" and "WriteToLog()" methods of the ActiveX control
identified by CLSID:00200338-3D33-4FFC-AC20-67AA234325F3. EMC Captiva
ISIS PixTools PDIControl.dll version 2.2.3160.0 is affected.
Ref:
http://www.vupen.com/exploits/EMC_Captiva_PixTools_PDIControl_ActiveX_Remote_Code_Execution_Exploit_2808214.php
______________________________________________________________________
09.41.4 CVE: Not Available
Platform: Third Party Windows Apps
Title: AOL SuperBuddy ActiveX Control Remote Code Execution
Description: AOL SuperBuddy ActiveX control is used for streaming
audio files in browsers. The ActiveX control is exposed to a remote
code execution issue due to a memory-corruption issue that can be
triggered by manipulating parameters to the "SetSuperBuddy" method of
the "Sb.SuperBuddy.1" ActiveX control ("sb.dll"). AOL version 9.1 is
affected.
Ref: http://www.securityfocus.com/archive/1/506889
______________________________________________________________________
09.41.5 CVE: Not Available
Platform: Mac Os
Title: VMware Fusion Local Denial Of Service
Description: VMware Fusion is a virtualization solution that allows
users to run various guest operating systems on a host running Apple
Mac OS X. The application is exposed to a denial of service issue due
to an unspecified integer overflow issue in the vmx86 kernel
extension. VMware Fusion versions earlier than 2.0.6 build 196839 are
affected.
Ref:
http://lists.vmware.com/pipermail/security-announce/2009/000066.html
______________________________________________________________________
09.41.6 CVE: CVE-2009-2904
Platform: Linux
Title: Red Hat Enterprise Linux OpenSSH "ChrootDirectory" Option Local
Privilege Escalation
Description: Red Hat Enterprise Linux is a Linux distribution. The
distribution includes the OpenSSH SSH (Secure Shell) protocol
implementation. Red Hat Enterprise Linux is exposed to a local
privilege escalation issue because it fails to enforce sufficient
restrictions on user-supplied data. Red Hat Enterprise Linux version
5.4 is affected.
Ref: https://bugzilla.redhat.com/show_bug.cgi?id=522141
______________________________________________________________________
09.41.7 CVE: CVE-2009-3369
Platform: Linux
Title: BackupPC "ClientNameAlias()" Security Bypass
Description: BackupPC is a remote backup application. The application
is exposed to a security bypass issue because it fails to restrict
access in a multi-user configuration to the "ClientNameAlias()"
function in the "CgiUserConfigEdit" script. BackupPC 3.1.0 is
vulnerable.
Ref: http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2009-3369
______________________________________________________________________
09.41.8 CVE: Not Available
Platform: Linux
Title: Linux Kernel 64-bit Kernel Register Memory Leak Local
Information Disclosure
Description: The Linux kernel is exposed to a local information
disclosure issue that exists in the "ia32entry.s" assembly file.
Specifically, the kernel allows 32-bit processes to access registers
"R8" up to "R15" by temporarily switching itself into 64-bit mode.
This will allow users to view sensitive information from previous
processes.
Ref:
http://git.kernel.org/?p=linux/kernel/git/x86/linux-2.6-tip.git;a=commitdiff;h=24e35800cdc4350fc34e2bed37b608a9e13ab3b6
______________________________________________________________________
09.41.9 CVE: Not Available
Platform: BSD
Title: FreeBSD Pipes "close()" Function Local Privilege Escalation
Description: FreeBSD is prone to a local privilege-escalation
vulnerability. FreeBSD is exposed to this issue because of a race
condition in the pipe "close()" code related to kqueues. The race
condition will cause a NULL pointer exception in the kernel, which may
cause a kernel memory corruption.
Ref: http://security.freebsd.org/patches/SA-09:13/
______________________________________________________________________
09.41.10 CVE: Not Available
Platform: BSD
Title: FreeBSD "devfs" and "VFS" Interaction NULL Pointer Dereference
Description: FreeBSD is a BSD-based operating system. FreeBSD is
exposed to a local NULL-pointer dereference issue caused by an
unspecified error related to the interaction between "devfs" (device
file system) and "VFS" (Virtual File System) support. FreeBSD versions
6.4 and earlier and 7.2 and earlier are affected.
Ref: http://www.securityfocus.com/archive/1/506917
______________________________________________________________________
09.41.11 CVE: Not Available
Platform: BSD
Title: OpenBSD XMM Exceptions Local Denial of Service
Description: OpenBSD is exposed to a local denial of service issue.
The issue arises because of the manner in which the operating system
handles XMM exceptions. OpenBSD versions 4.4, 4.5 and 4.6 on i386 are
affected.
Ref: http://www.securityfocus.com/bid/36589
______________________________________________________________________
09.41.12 CVE: Not Available
Platform: Solaris
Title: Sun Solaris IP(7P) Module and STREAMS Framework Local Denial Of
Service
Description: Sun Solaris is exposed to a local denial of service issue
in the IP(7P) module and STREAMS Framework. Successful exploitation
may allow an unprivileged local user to leak kernel memory, eventually
causing the system to hang.
Ref: http://sunsolve.sun.com/search/document.do?assetkey=1-66-263388-1
(login required)
______________________________________________________________________
09.41.13 CVE: Not Available
Platform: Novell
Title: Novell NetWare NFS Portmapper and RPC Module Stack Buffer
Overflow Vulnerability
Description: Novell NetWare is a network operating system. Novell
NetWare is exposed to a remote stack buffer overflow issue because it
fails to perform adequate boundary checks on user-supplied data. This
issue occurs when handling CALLIT RPC calls containing specially
crafted length fields. Novell NetWare 6.5 SP8 is vulnerable.
Ref: http://www.securityfocus.com/bid/36564
______________________________________________________________________
09.41.14 CVE: Not Available
Platform: Cross Platform
Title: Drupal Shared Sign On Module Cross-Site Request Forgery and
Session Fixation Vulnerabilities
Description: The Shared Sign On module for Drupal provides single
sign-on support for multiple Drupal sites. The module is exposed to a
cross-site request-forgery issue and a session fixation issue.
Ref: http://drupal.org/node/592488
______________________________________________________________________
09.41.15 CVE: CVE-2009-0689
Platform: Cross Platform
Title: Google Chrome "dtoa()" Remote Code Execution
Description: Google Chrome is a web browser. Chrome is exposed to a
remote code execution issue. Specifically, this issue arises when the
V8 JavaScript engine parses strings into floating point numbers using
the "dtoa()" function. The attacker can exploit this issue by enticing
an unsuspecting victim to view a malicious webpage. Google Chrome
versions prior to Chrome 3.0.195.24 are affected.
Ref:
http://googlechromereleases.blogspot.com/2009/09/stable-channel-update_30.html
______________________________________________________________________
09.41.16 CVE: CVE-2009-2948
Platform: Cross Platform
Title: Samba setuid "mount.cifs" Verbose Option Information Disclosure
Description: Samba is a freely available file- and printer-sharing
application maintained and developed by the Samba Development Team.
Samba allows users to share files and printers between operating
systems on UNIX and Windows platforms. Samba is exposed to an
information disclosure issue because it fails to properly validate
access privileges when "mount.cifs" is installed as setuid. Samba
versions prior to 3.4.2, 3.3.8, 3.2.15, and 3.0.37 are affected.
Ref: http://www.samba.org/samba/security/CVE-2009-2948.html
______________________________________________________________________
09.41.17 CVE: CVE-2009-0209
Platform: Cross Platform
Title: OSISoft PI System Encryption Security Bypass
Description: OSISoft PI System is an operational, event and real time
data management SCADA system. OSISoft PI System is exposed to a
security-bypass issue. The application is exposed to this because of
an encryption issue in the default authentication process.
Ref: http://www.securityfocus.com/bid/36553
______________________________________________________________________
09.41.18 CVE: Not Available
Platform: Cross Platform
Title: PHP "tempnam()" "safe_mode" Restriction-Bypass
Description: PHP is a general-purpose scripting language that is
especially suited for web development and can be embedded into HTML.
PHP is exposed to a "safe_mode" restriction-bypass issue. Successful
exploits could allow an attacker to access files in unauthorized
locations or create files in any writable directory. The problem
occurs because the restriction is not properly checked in the
"tempnam()" function in the "ext/standard/file.c" source file. PHP
versions 5.2.11 and 5.3.0 are affected.
Ref: http://securityreason.com/securityalert/6601
______________________________________________________________________
09.41.19 CVE: Not Available
Platform: Cross Platform
Title: PHP "posix_mkfifo()" "open_basedir" Restriction Bypass
Description: PHP is a general-purpose scripting language that is
especially suited for web development and can be embedded into HTML.
PHP is exposed to an "open_basedir" restriction bypass vulnerability
because of the "posix_mkfifo()" function in the "ext/posix/posix.c"
source file, which allows a local attacker to create files that bypass,
for example, ".htaccess" or safe_mode restrictions. PHP versions 5.2.11
and 5.3.0 are affected.
Ref: http://www.securityfocus.com/bid/36554
______________________________________________________________________
09.41.20 CVE: CVE-2008-7224
Platform: Cross Platform
Title: ELinks "entity_cache" HTML File Off By One Buffer Overflow
Description: ELinks is a character-mode browser based on lynx. ELinks
is exposed to an off-by-one buffer overflow issue that exists in the
"entity_cache" because the application fails to accurately reference
the last element of a buffer. This issue occurs when handling the
internal cache of string representations for HTML special entities.
ELinks versions prior to 0.11.4 are affected.
Ref: http://www.securityfocus.com/bid/36574/references
______________________________________________________________________
09.41.21 CVE: CVE-2009-3281
Platform: Cross Platform
Title: VMware Fusion Local Privilege Escalation
Description: VMware Fusion is a virtualization solution that allows
users to run various guest operating systems on a host running Apple
Mac OS X. The application is exposed to a privilege escalation issue
due to an unspecified file permission problem in the vmx86 kernel
extension. This issue may allow local unprivileged users of the host
system to execute code in the host system kernel context. Fusion
versions prior to 2.0.6 build 196839 are affected.
Ref: http://www.securityfocus.com/archive/1/506891
______________________________________________________________________
09.41.22 CVE: Not Available
Platform: Cross Platform
Title: Serv-U "SITE SET TRANSFERPROGRESS ON" Command Remote Denial of
Service
Description: Serv-U is a file server application. The application is
exposed to a remote denial of service issue when processing specially
crafted "SITE SET TRANSFERPROGRESS ON" commands. Serv-U versions
7.0.0.1 through 8.2.0.3 are affected.
Ref: http://www.serv-u.com/releasenotes/
______________________________________________________________________
09.41.23 CVE: Not Available
Platform: Cross Platform
Title: IBM Informix Products Setnet32 Utility ".nfx" File Buffer
Overflow
Description: IBM Informix Client Software Development Kit (CSDK) and
IBM Informix Connect contain APIs and libraries that are used to
develop applications. The applications are exposed to a buffer
overflow issue because they fail to adequately bounds check
user-supplied data before copying it into an insufficiently sized
buffer. An integer overflow occurs when processing ".nfx" files that
contain an overly large value for the "HostList" entry. IBM Informix
Client Software Development Kit (CSDK) 3.5 and IBM Informix Connect 3.x
are affected.
Ref: http://www.securityfocus.com/bid/36588/
______________________________________________________________________
09.41.24 CVE: Not Available
Platform: Cross Platform
Title: Wireshark ERF File Remote Code Execution
Description: Wireshark (formerly Ethereal) is an application for
analyzing network traffic; it is available for Microsoft Windows and
for UNIX-like operating systems. Wireshark is exposed to a remote code
execution issue that arises when the application handles specially
crafted ERF files. Specifically, the application allocates an
excessively large buffer, resulting in an integer overflow.
Ref:
http://anonsvn.wireshark.org/viewvc/trunk/wiretap/erf.c?view=markup&pathrev=29364
______________________________________________________________________
09.41.25 CVE: CVE-2009-2699
Platform: Cross Platform
Title: Apache HTTP Server Solaris Event Port Pollset Support Remote
Denial Of Service
Description: Apache is an HTTP server available for various operating
systems. The Apache HTTP server is exposed to a remote denial of
service issue because of faulty error handling. This issue occurs in
Solaris "Event Port" pollset support in the "poll/unix/port.c" source
file. Apache HTTP Server versions prior to 2.2.14 on Solaris platforms
are affected.
Ref: https://issues.apache.org/bugzilla/show_bug.cgi?id=47645
______________________________________________________________________
09.41.26 CVE: Not Available
Platform: Cross Platform
Title: Palm WebOS Multiple Unspecified Vulnerabilities
Description: Palm WebOS is a smartphone platform based on Linux. The
application is exposed to multiple unspecified issues. One of the
issues is related to Webkit development. Palm WebOS versions 1.2.0 and
earlier are affected.
Ref:
http://kb.palm.com/wps/portal/kb/na/pre/p100eww/sprint/solutions/article/50607_en.html#121
______________________________________________________________________
09.41.27 CVE: Not Available
Platform: Web Application - Cross Site Scripting
Title: Novell eDirectory "dconserv.dlm" Cross-Site Scripting
Description: Novell eDirectory is an LDAP directory service that is
used to centrally manage computer resources on a network. The
application is exposed to a cross-site scripting issue because it
fails to sufficiently sanitize user-supplied input. This issue affects
the "dconserv.dlm" script. eDirectory version 8.8 SP 5 is affected.
Ref: http://www.securityfocus.com/archive/1/506857
______________________________________________________________________
09.41.28 CVE: Not Available
Platform: Web Application - Cross Site Scripting
Title: Kayako SupportSuite and eSupport "functions_ticketsui.php"
Cross Site Scripting
Description: Kayako SupportSuite and eSupport are web-based support
applications. The applications are exposed to a cross site scripting
issue because they fail to sufficiently sanitize user-supplied input
to unspecified scripts and parameters related to the staff control
panel. This issue is caused by an error in the
"modules/tickets/functions_ticketsui.php" script file. Kayako
SupportSuite and eSupport versions 3.60.04 and earlier are affected.
Ref:
http://blog.kayako.com/2009/09/security-bulletin-supportsuite-and-esupport/
______________________________________________________________________
09.41.29 CVE: Not Available
Platform: Web Application - Cross Site Scripting
Title: SugarCRM Unspecified Cross Site Scripting
Description: SugarCRM is a PHP-based web application. The application
is exposed to a cross-site scripting issue because it fails to
sufficiently sanitize user-supplied input to an unspecified parameter.
SugarCRM versions 5.2.0i and earlier, 5.0.0l and earlier, and 4.5.1p
and earlier are affected.
Ref: http://www.sugarcrm.com/forums/showthread.php?t=52401
______________________________________________________________________
09.41.30 CVE: Not Available
Platform: Web Application - Cross Site Scripting
Title: X-Cart Email Subscription
Description: X-Cart is a PHP-based shopping cart application. X-Cart
is exposed to a cross-site scripting issue that exists in the email
subscription component because the application fails to sufficiently
sanitize user-supplied input. This issue affects the "email" parameter
of the "home.php" script.
Ref: http://www.securityfocus.com/bid/36601
______________________________________________________________________
09.41.31 CVE: Not Available
Platform: Web Application - Cross Site Scripting
Title: AfterLogic WebMail Pro Multiple Cross Site Scripting
Vulnerabilities
Description: AfterLogic WebMail Pro is used as an ASP-based front-end
for an existing mail server. The application is exposed to multiple
cross-site scripting issues because it fails to sufficiently sanitize
user-supplied data to the "HistoryKey" and "HistoryStorageObjectName"
HTTP POST parameters of the "history-storage.aspx" script. WebMail Pro
versions 4.7.10 and earlier are affected.
Ref: http://www.securityfocus.com/bid/36605
______________________________________________________________________
09.41.32 CVE: Not Available
Platform: Web Application - SQL Injection
Title: Joomla! Soundset Component "cat_id" Parameter SQL Injection
Description: Soundset is a PHP-based component for the Joomla! content
manager. The component is exposed to a SQL injection issue because it
fails to sufficiently sanitize user-supplied data to the "cat_id"
parameter of the "com_soundset" component before using it in an SQL
query. Successfully exploiting this issue may allow an attacker to
compromise the application, access or modify data, or exploit latent
vulnerabilities in the underlying database. Joomla! Soundset version
1.0 is affected by this issue.
Ref: http://www.securityfocus.com/bid/36597
______________________________________________________________________
09.41.33 CVE: Not Available
Platform: Web Application - SQL Injection
Title: Joomla! CB Resume Builder "group_id" Parameter SQL Injection
Description: CB Resume Builder ("com_cbresumebuilder") is a PHP-based
component for the Joomla! content manager. The component is exposed to
an SQL injection issue because it fails to sufficiently sanitize
user-supplied data to the "group_id" parameter of the
"com_cbresumebuilder" component before using it in an SQL query.
Ref: http://www.securityfocus.com/bid/36598
______________________________________________________________________
09.41.34 CVE: Not Available
Platform: Web Application
Title: Samba Oplock Break Notification Remote Denial of Service
Description: Samba is a freely available file and printer sharing
application maintained and developed by the Samba Development Team.
Samba is exposed to a remote denial of service issue: when the
application unexpectedly receives an "oplock" break notification SMB
request, the Samba daemon ("smbd") consumes an excessive amount of CPU
resources and stops responding. Samba versions prior to 3.4.2, 3.3.8,
3.2.15, and 3.0.37 are affected.
Ref: http://www.securityfocus.com/archive/1/36573
______________________________________________________________________
09.41.35 CVE: Not Available
Platform: Web Application
Title: Drupal XML Sitemap Link Paths HTML Injection
Description: XML Sitemap is a PHP-based component for the Drupal
content manager. The application is exposed to an HTML injection issue
because it fails to properly sanitize user-supplied input to the link
path before displaying it in a user's browser. XML Sitemap versions
prior to 5.x-1.7 are affected.
Ref: http://drupal.org/node/591724
______________________________________________________________________
09.41.36 CVE: Not Available
Platform: Web Application
Title: Drupal Browscap Module User Agent Strings HTML Injection
Description: Browscap is a module for the Drupal content manager. The
application is exposed to an HTML-injection issue because the
application fails to sanitize "user agent" strings before displaying
them in reports. Drupal Browscap versions earlier than 6.x-1.1 and
5.x-1.1 are affected.
Ref: http://www.securityfocus.com/bid/36557
______________________________________________________________________
09.41.37 CVE: Not Available
Platform: Web Application
Title: Drupal Organic Groups "Group Nodes" HTML Injection
Description: Organic Groups is a PHP-based component for the Drupal
content manager. The application is exposed to an HTML injection issue
because it fails to properly sanitize user-supplied input before
displaying group nodes. Organic Groups versions prior to 6.x-1.4,
5.x-8.1, and 5.x-7.4 are affected.
Ref: http://drupal.org/node/592358
______________________________________________________________________
09.41.38 CVE: Not Available
Platform: Web Application
Title: Drupal Bibliography Module Unspecified HTML Injection
Description: Bibliography is a PHP-based component for the Drupal
content manager. The application is exposed to an HTML injection issue
because it fails to properly sanitize user-supplied input to
unspecified components of the Biblio content before displaying it in a
user's browser. Drupal Bibliography versions earlier than 6.x-1.7 are
vulnerable.
Ref: http://www.securityfocus.com/bid/36560
______________________________________________________________________
09.41.39 CVE: Not Available
Platform: Web Application
Title: Drupal Boost Module Arbitrary Directory Creation
Description: Boost is a module for the Drupal content manager. The
module is exposed to an issue that allows attackers to create
arbitrary directories. An unauthorized user can exploit this issue to
create arbitrary directories within the context of the webserver.
Boost versions prior to 6.x-1.03 are affected.
Ref: http://drupal.org/node/592490
______________________________________________________________________
09.41.40 CVE: Not Available
Platform: Web Application
Title: Google Apps "googleapps.url.mailto" Handler Command Injection
Description: Google Apps is a set of applications and web-based
services. Google Apps is exposed to an issue that lets attackers inject
commands through a protocol handler. The application is exposed to
this issue because an attacker may trick a victim into following a
malicious URI in a browser; the URI would contain the
"googleapps.url.mailto" handler and arbitrary commands to be run
locally. Google Apps version 1.1.110.6031 when used with Microsoft
Internet Explorer 7 and Google Chrome 2.0.172.43 is affected.
Ref: http://www.securityfocus.com/archive/1/506888
______________________________________________________________________
09.41.41 CVE: Not Available
Platform: Web Application
Title: Drupal Service Links Component Content Type Names HTML
Injection
Description: Service Links is a PHP-based component for the Drupal
content manager. The application is exposed to an HTML injection issue
because it fails to properly sanitize user-supplied input before
displaying content type names. Drupal Service Links version 6.x-1.0 is
vulnerable.
Ref: http://www.securityfocus.com/bid/36584
______________________________________________________________________
09.41.42 CVE: CVE-2009-3029
Platform: Web Application
Title: Symantec SecurityExpressions Audit and Compliance Server Cross
Site Scripting Vulnerability
Description: Symantec SecurityExpressions Audit and Compliance Server
is an ASP-based audit and compliance application. The application is
exposed to a cross-site scripting issue because it fails to
sufficiently sanitize user-supplied input to the console and may allow
attackers to manipulate error messages. Successfully exploiting this
issue can allow an attacker to execute arbitrary script code in the
browser of an unsuspecting user in the context of the affected site.
This may let the attacker steal cookie-based authentication
credentials and launch other attacks. SecurityExpressions Audit and
Compliance Server versions 4.1.1 and earlier are affected.
Ref:
http://www.symantec.com/business/security_response/securityupdates/detail.jsp?fid=security_advisory&pvid=security_advisory&year=2009&suid=20091006_00
______________________________________________________________________
09.41.43 CVE: CVE-2009-3030
Platform: Web Application
Title: Symantec SecurityExpressions Audit and Compliance Server Error
Message HTML Injection
Description: Symantec SecurityExpressions Audit and Compliance Server
is an ASP-based audit and compliance application. The application is
exposed to an HTML injection issue because it fails to properly
sanitize user-supplied input to the link path before displaying it in
a user's browser. SecurityExpressions Audit and Compliance Server
versions 4.1.1 and prior are affected.
Ref:
http://www.symantec.com/business/security_response/securityupdates/detail.jsp?fid=security_advisory&pvid=security_advisory&year=2009&suid=20091006_00
______________________________________________________________________
09.41.44 CVE: Not Available
Platform: Network Device
Title: Open Handset Alliance Malformed Application Remote Denial Of
Service
Description: Open Handset Alliance Android (previously Google Android)
is a software stack and operating system for mobile phones. The
software is exposed to a denial of service issue when handling
malicious applications that contain a specially crafted call to a
vulnerable API function.
Ref: http://www.securityfocus.com/archive/1/506948
______________________________________________________________________
09.41.45 CVE: Not Available
Platform: Network Device
Title: Palm WebOS Email Arbitrary Script Injection
Description: Palm WebOS is a smartphone platform based on Linux. The
device's email application is exposed to an arbitrary script injection
issue because it fails to properly sanitize user-supplied input. Palm
WebOS versions earlier than WebOS 1.2 are affected by this issue.
Ref:
http://tlhsecurity.blogspot.com/2009/10/palm-pre-webos-11-remote-file-access.html
______________________________________________________________________
09.41.46 CVE: Not Available
Platform: Network Device
Title: Linksys WRT54GC Router Cross-Site Request Forgery
Description: The Linksys WRT54GC router is a network device designed
for home use. The router is exposed to a cross-site request forgery
issue that affects the "diagnostics.cgi" script and possibly other
scripts. Attackers can exploit this issue by tricking a victim into
visiting a malicious web page containing specially crafted script code
designed to perform some action on the attacker's behalf. Linksys
WRT54GC with firmware versions 1.01.5 and 1.00.7 is vulnerable.
Ref:
http://venturolab.pl/index.php/2009/09/30/opis-bledu-w-routerze-linksys-wrt54gc/
______________________________________________________________________
(c) 2009. All rights reserved. The information contained in this
newsletter, including any external links, is provided "AS IS," with no
express or implied warranty, for informational purposes only. In some
cases, copyright for material in this newsletter may be held by a
party other than Qualys (as indicated herein) and permission to use
such material must be requested from the copyright owner.
Subscriptions:
RISK is distributed free of charge by the SANS Institute
to people responsible for managing and securing information systems and
networks. You may forward this newsletter to others with such
responsibility inside or outside your organization.