RISK: The Consensus Security Vulnerability Alert Vol. 9 No. 10

From: The SANS Institute (ConsensusSecurityVulnerabilityAlertsans.org)
Date: Thu Mar 04 2010 - 14:34:12 CST


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

******************************************************************
      RISK: The Consensus Security Vulnerability Alert
Mar 04th, 2010 Vol. 9. Week 10
******************************************************************

RISK is the SANS community's consensus bulletin summarizing the most
important vulnerabilities and exploits identified during the past week
and providing guidance on appropriate actions to protect your systems
(PART I). It also includes a comprehensive list of all new
vulnerabilities discovered in the past week (PART II).

Summary of Updates and Vulnerabilities in this Consensus

Platform Number of Updates and Vulnerabilities
------------------------ -------------------------------------

Windows 1
Other Microsoft Products 1 (#4)
Third Party Windows Apps 6 (#1)
Linux 4
AIX 1
Cross Platform 24 (#2, #3, #5)
Web Application - Cross Site Scripting 15
Web Application - SQL Injection 22
Web Application 21
Network Device 1


Table Of Contents
Part I -- Critical Vulnerabilities from TippingPoint (www.tippingpoint.com)
Widely Deployed Software
(1) HIGH: IBM Lotus iNotes ActiveX Control Buffer Overflow Vulnerability
(2) HIGH: IBM Informix Multiple Buffer Overflow Vulnerabilities
(3) HIGH: Multiple Vendor "librpc.dll" Signedness Error Code Execution Vulnerability
(4) MODERATE: Microsoft Internet Explorer VBScript Windows Help Code Execution Vulnerability
(5) MODERATE: Modo 401 LXO Processing Integer Overflow Vulnerability


Part II -- Comprehensive List of Newly Discovered Vulnerabilities from
Qualys (www.qualys.com)

 -- Windows
10.10.1 - Microsoft Windows Unspecified Denial of Service
 -- Other Microsoft Products
10.10.2 - Microsoft Internet Explorer "winhlp32.exe" "MsgBox()" Stack-Based Buffer Overflow
 -- Third Party Windows Apps
10.10.3 - Google Picasa JPEG Image Processing Integer Overflow
10.10.4 - MediaCoder ".m3u" File Remote Buffer Overflow
10.10.5 - DateV "DVBSExeCall.ocx" ActiveX Control Remote Command Execution
10.10.6 - Domino Web Access ActiveX Control Unspecified Buffer Overflow
10.10.7 - Multiple Vendor "librpc.dll" Stack Buffer Overflow
10.10.8 - ProSSHD "scp_get()" Buffer Overflow
 -- Linux
10.10.9 - Linux Kernel TSB I-TLB Load Local Privilege Escalation
10.10.10 - Linux Kernel "devtmpfs" Insecure Root Directory Permission
10.10.11 - Linux Kernel KVM Segment Selector Loading Local Privilege Escalation
10.10.12 - Linux Kernel "dvb_net_ule()" Remote Denial of Service
 -- AIX
10.10.13 - IBM AIX LDAP Login Local Denial of Service
 -- Cross Platform
10.10.14 - WebKit Image Decoder Memory Allocation Remote Code Execution
10.10.15 - EMC HomeBase Server Directory Traversal Remote Code Execution
10.10.16 - MochaSoft FTPDisc "get" Request Remote Denial of Service
10.10.17 - cronie "crontab" Symbolic Link Local Privilege Escalation
10.10.18 - Zhang Boyang FTP Server Remote Denial of Service
10.10.19 - Kojoney "urllib.urlopen()" Remote Denial of Service
10.10.20 - TIBCO Administrator
10.10.21 - Weekly Archive by Node Type Module Weekly Summary Security Bypass
10.10.22 - Apple Safari Style Tag Remote Memory Corruption
10.10.23 - Symantec Altiris Deployment Solution "dbmanager.exe" Denial of Service
10.10.24 - VKPlayer ".mid" File Processing Buffer Overflow
10.10.25 - Asterisk CIDR Notation in Access Rule Remote Security Bypass
10.10.26 - XMail Insecure Temporary File Creation
10.10.27 - Hitachi JP1/Cm2/Network Node Manager Insecure File Permissions
10.10.28 - PHP LCG entropy Unspecified Security
10.10.29 - PHP "tempnam()" "safe_mode" Validation Restriction Bypass
10.10.30 - Todd Miller Sudo "runas_default" Local Privilege Escalation
10.10.31 - FileExecutive Multiple Remote Vulnerabilities
10.10.32 - Apple Safari "background" attribute Remote Denial of Service
10.10.33 - IBM Domino Web Access Prior to 229.281 Unspecified Security Vulnerabilities
10.10.34 - IBM Informix Dynamic Server "librpc.dll" Multiple Buffer Overflow Vulnerabilities
10.10.35 - Reductive Labs Puppet "/tmp" Insecure File Permissions Vulnerabilities
10.10.36 - MochaSoft FTPDisc Multiple Remote Denial of Service Vulnerabilities
10.10.37 - Libpng "png_decompress_chunk()" Function Denial of Service
 -- Web Application - Cross Site Scripting
10.10.38 - TRUC "login_reset_password_page.php" Cross-Site Scripting
10.10.39 - WebKit "window.open()" method Cross-Domain Scripting
10.10.40 - Computer Associates eHealth Performance Manager Web Interface Cross-Site Scripting
10.10.41 - Softbiz Jobs "sbad_type" Parameter Cross-Site Scripting
10.10.42 - MySmartBB Multiple Cross-Site Scripting Vulnerabilities
10.10.43 - Sawmill Unspecified Cross-Site Scripting
10.10.44 - Multiple IBM Products Login Page Cross-Site Scripting
10.10.45 - tDiary TrackBack Transmission Plugin Cross-Site Scripting
10.10.46 - Hitachi Multiple Products Unspecified Cross-Site Scripting
10.10.47 - ARISg "wflogin.jsp" Cross-Site Scripting
10.10.48 - Oracle Siebel "loyalty_enu/start.swe" Cross-Site Scripting
10.10.49 - ExtCalendar "upgrade.php" Cross-Site Scripting
10.10.50 - MarketGate Package for Eshbel Priority ERP "Referer" Parameter Cross-Site Scripting
10.10.51 - Discuz! "uid" Parameter Cross-Site Scripting
10.10.52 - Sparta Systems TrackWise EQMS Multiple Cross-Site Scripting Vulnerabilities
 -- Web Application - SQL Injection
10.10.53 - Pre Multi-Vendor E-Commerce Solution "detail.php" SQL Injection
10.10.54 - MASA2EL Music City "index.php" Multiple SQL Injection Vulnerabilities
10.10.55 - Softbiz Jobs "moredetails.php" SQL Injection
10.10.56 - Bispage Content Manager Admin Page SQL Injection
10.10.57 - Softbiz Auktios Multiple SQL Injection Vulnerabilities
10.10.58 - HD FLV Player Component for Joomla! "id" Parameter SQL Injection
10.10.59 - shortCMS "printview.php" SQL Injection
10.10.60 - Softbiz Classifieds PLUS Script Multiple SQL Injection Vulnerabilities
10.10.61 - GameScript "index.php" SQL Injection
10.10.62 - JSK Internet WebAdministrator "download.php" SQL Injection
10.10.63 - Softbiz Recipes Portal and Link Directory Script "showcats.php" SQL Injection
10.10.64 - Entry Level CMS "index.php" SQL Injection
10.10.65 - Pre Classified Listings "signup.asp" SQL Injection
10.10.66 - SLAED CMS SQL Injection
10.10.67 - Joomla! "com_yanc" Component "listid" Parameter SQL Injection
10.10.68 - Uiga Fan Club and Personal Portal "id" Parameter SQL Injection
10.10.69 - Blax Blog "girisyap.php" SQL Injection
10.10.70 - Uiga Fan Club Login Multiple SQL Injection Vulnerabilities
10.10.71 - Scriptsfeed Business Directory Software
10.10.72 - 1024 CMS "id" Parameter SQL Injection
10.10.73 - My Little Forum "contact.php" SQL Injection
10.10.74 - Phptroubleticket "vedi_faq.php" SQL Injection
 -- Web Application
10.10.75 - WikyBlog Multiple Remote Input Validation Vulnerabilities
10.10.76 - SilverStripe Multiple Remote Vulnerabilities
10.10.77 - PHP F1 Max's Photo Album "admin.php" Arbitrary File Upload
10.10.78 - OpenInferno OI.Blogs Multiple Local File Include Vulnerabilities
10.10.79 - Facebook-style Statuses Module User Status Security Bypass
10.10.80 - PBoard "upload/index.php" Remote File Upload
10.10.81 - Article Friendly Security Bypass
10.10.82 - Newbie CMS Insecure Cookie Authentication Bypass
10.10.83 - Arab Cart "showimg.php" Cross-Site Scripting and SQL Injection Vulnerabilities
10.10.84 - Ceondo InDefero Unauthorized Access
10.10.85 - Website Baker "framework/class.wb.php" Security Bypass
10.10.86 - TYPO3 OpenID Module Backend User Account Security Bypass
10.10.87 - Crawlability vBSEO "vbseo.php" Local File Include
10.10.88 - Orbital Viewer ".orb" File Stack-Based Buffer Overflow
10.10.89 - Nemo Multiple File Attachments Mail Form "upload.php" Arbitrary File Upload
10.10.90 - Open Educational System "CONF_INCLUDE_PATH" Parameter Multiple Remote File Include Vulnerabilities
10.10.91 - SLAED CMS Remote File Upload
10.10.92 - SLAED CMS Multiple Remote File Include Vulnerabilities
10.10.93 - SLAED CMS Installation Script Unauthorized Access
10.10.94 - Article Friendly "filename" Parameter Local File Include
10.10.95 - DeDeCMS
 -- Network Device
10.10.96 - TrendNet TV-IP110W Missing Authentication Check Security Bypass
______________________________________________________________________

PART I Critical Vulnerabilities
Part I for this issue has been compiled by Rohan Kotian at TippingPoint,
a division of 3Com, as a by-product of that company's continuous effort
to ensure that its intrusion prevention products effectively block
exploits using known vulnerabilities. TippingPoint's analysis is
complemented by input from a council of security managers from twelve
large organizations who confidentially share with SANS the specific
actions they have taken to protect their systems. A detailed description
of the process may be found at
http://www.sans.org/newsletters/cva/#process

*****************************
Widely Deployed Software
*****************************

(1) HIGH: IBM Lotus iNotes ActiveX Control Buffer Overflow Vulnerability
Affected:
IBM Lotus iNotes versions prior to 8.5
IBM Lotus iNotes versions prior to 7.0.4

Description: IBM Lotus iNotes, formerly known as Lotus Domino Web
Access, is popular Web-based email software for enterprises. It
enables users to manage business information both online and offline.
Part of Lotus iNotes's web-based functionality is provided by the
Lotus iNotes ActiveX control, which is reported to contain a buffer
overflow vulnerability. A specially crafted web page that instantiates
this ActiveX control can be used to trigger the vulnerability. The
specific flaw resides in the dwa8.dll and dwa8w.dll libraries and is
caused by inadequate boundary checks on the length of a
user-controlled URL. An attacker can pass an overly long URL to the
function and trigger the vulnerability, which might also lead to
remote code execution. Some technical details for the vulnerability
are publicly available.

Status: Vendor confirmed, updates available. Users can mitigate the
impact of this vulnerability by disabling the vulnerable control via
Microsoft's kill bit mechanism for the following CLSIDs:
{3BFFE033-BF43-11d5-A271-00A024A51325},
{983A9C21-8207-4B58-BBB8-0EBC3D7C5505},
{E008A543-CEFB-4559-912F-C27C2B89F13B},
{75AA409D-05F9-4f27-BD53-C7339D4B1D0A}.
Note that this may affect normal application functionality.
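
The kill bit mitigation named in the Status paragraph, as an added
PowerShell example (not part of the SANS bulletin or IBM's advisory).
The registry location and the 0x400 flag follow the mechanism described
in Microsoft KB 240797; the function name Set-InotesKillBit is
hypothetical.

```powershell
# Added example: audit or set the Internet Explorer kill bit for the four
# CLSIDs listed in this advisory. Mechanism per Microsoft KB 240797: a DWORD
# named "Compatibility Flags" with bit 0x400 set under
# ...\Internet Explorer\ActiveX Compatibility\{CLSID}.
# Assumptions: run from an elevated prompt; on 64-bit Windows use 64-bit
# PowerShell so that both registry views below are reachable.

$KillBit = 0x00000400

# CLSIDs copied from the advisory text.
$Clsids = @(
    '{3BFFE033-BF43-11d5-A271-00A024A51325}',
    '{983A9C21-8207-4B58-BBB8-0EBC3D7C5505}',
    '{E008A543-CEFB-4559-912F-C27C2B89F13B}',
    '{75AA409D-05F9-4f27-BD53-C7339D4B1D0A}'
)

# Native view, plus the 32-bit view that 32-bit IE reads on 64-bit Windows.
$Roots = @(
    'HKLM:\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility',
    'HKLM:\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\ActiveX Compatibility'
)

function Set-InotesKillBit {
    param(
        # Report the current state only; make no registry changes.
        [switch]$AuditOnly
    )

    foreach ($root in $Roots) {
        # The Wow6432Node view does not exist on 32-bit Windows; skip it there.
        if (-not (Test-Path -Path $root)) { continue }

        foreach ($clsid in $Clsids) {
            $key = Join-Path -Path $root -ChildPath $clsid

            # Read the existing flags, if the key and value are present.
            $before = $null
            if (Test-Path -Path $key) {
                $prop = Get-ItemProperty -Path $key -Name 'Compatibility Flags' `
                            -ErrorAction SilentlyContinue
                if ($prop) { $before = $prop.'Compatibility Flags' }
            }

            $after = $before
            if (-not $AuditOnly) {
                if (-not (Test-Path -Path $key)) {
                    New-Item -Path $key -Force | Out-Null
                }
                # OR the bit in so other compatibility flags already set are kept.
                if ($null -eq $before) { $after = $KillBit }
                else                   { $after = $before -bor $KillBit }

                New-ItemProperty -Path $key -Name 'Compatibility Flags' `
                    -PropertyType DWord -Value $after -Force | Out-Null
            }

            # One result row per key, suitable for Export-Csv across a fleet.
            [pscustomobject]@{
                Key        = $key
                Before     = $before
                After      = $after
                KillBitSet = ($null -ne $after) -and (($after -band $KillBit) -ne 0)
            }
        }
    }
}

# Audit first; this call changes nothing.
Set-InotesKillBit -AuditOnly | Format-Table -AutoSize

# To apply the mitigation, run:
#   Set-InotesKillBit | Format-Table -AutoSize
```

Internet Explorer reads these flags when it instantiates a control, so
restart the browser after applying the change and re-run the audit to
confirm that KillBitSet is True for every row.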

References:
iDefense Labs Security Advisory
http://labs.idefense.com/intelligence/vulnerabilities/display.php?id=857
IBM Security Advisory
http://www-01.ibm.com/support/docview.wss?uid=swg21421808
Microsoft Knowledge Base Article (details the "kill bit" mechanism)
http://support.microsoft.com/kb/240797
Product Home Page
http://www-01.ibm.com/software/lotus/products/inotes/
SecurityFocus BID
http://www.securityfocus.com/bid/38457

*************************************************************

(2) HIGH: IBM Informix Multiple Buffer Overflow Vulnerabilities
Affected:
IBM Informix IDS 11.10.xC2
IBM Informix IDS 11.10
IBM Informix IDS 10.00.xC8
IBM Informix IDS 10.00.xC7W1
IBM Informix IDS 10.00.xC11
IBM Informix IDS 10.0.xC4
IBM Informix IDS 10.0

Description: IBM Informix Dynamic Server (IDS) is a Relational Database
Management System from IBM Software Group and is known for its high
online transaction processing performance. Multiple stack-based buffer
overflow vulnerabilities have been reported in IBM Informix Database
Server. The flaw resides in "librpc.dll", an RPC protocol parsing
library used by the ISM Portmapper service "portmap.exe", which listens
on TCP port 36890 by default. The flaw is caused by inadequate bounds
checking on user-supplied data. Successful exploitation might allow
an attacker to execute arbitrary code remotely. Some technical details
for the vulnerability are publicly available.

Status: Vendor confirmed, updates available.

References:
Zero Day Initiative Advisory
http://www.zerodayinitiative.com/advisories/ZDI-10-022
Wikipedia Article on IBM Informix Dynamic Server
http://en.wikipedia.org/wiki/IBM_Informix_Dynamic_Server
Product Home Page
http://www-01.ibm.com/software/data/informix/
SecurityFocus BID
http://www.securityfocus.com/bid/38471

*************************************************************

(3) HIGH: Multiple Vendor "librpc.dll" Signedness Error Code Execution Vulnerability
Affected:
IBM Informix IDS 9.40 .UC3
IBM Informix IDS 9.40 .UC2
IBM Informix IDS 9.40 .UC1
IBM Informix IDS 9.3
IBM Informix IDS 9.40 xC7
IBM Informix IDS 9.40 .xD8
IBM Informix IDS 9.40 .UC5
IBM Informix IDS 9.40 .TC5
IBM Informix IDS 9.4
IBM Informix IDS 7.31 .xD9
IBM Informix IDS 7.31 .xD8
IBM Informix IDS 7.3
IBM Informix IDS 11.10.xC4
IBM Informix IDS 11.10.xC2
IBM Informix IDS 11.10
IBM Informix IDS 10.00.xC8
IBM Informix IDS 10.00.xC7W1
IBM Informix IDS 10.00.xC11
IBM Informix IDS 10.0.xC4
IBM Informix IDS 10.0
EMC Legato Networker 7.3.2
EMC Legato Networker 7.2.1
EMC Legato Networker 7.2 build 172
EMC Legato Networker 7.2
EMC Legato Networker 7.1.3
EMC Legato Networker 7.0
EMC Legato Networker 6.0 x

Description: A signedness error has been reported within "librpc.dll",
an RPC protocol parsing library utilized by the ISM Portmapper
service "portmap.exe". This service is bound to TCP port 36890 by
default. Products from multiple vendors, such as IBM Informix Dynamic
Server (IDS) and EMC Legato Networker, utilize this library and are
hence affected. The issue is caused by an inadequate signedness check
on user-supplied parameter sizes. A specially crafted RPC packet sent
to TCP port 36890 can trigger this vulnerability. Successful
exploitation might allow an attacker to execute arbitrary code in the
context of the SYSTEM user. Some details for the vulnerability are
publicly available.

Status: Vendors confirmed, updates available.

References:
Zero Day Initiative Advisory
http://www.zerodayinitiative.com/advisories/ZDI-10-023
Products' Home Pages
http://www.emc.com/products/detail/software/networker.htm
http://www-01.ibm.com/software/data/informix/
SecurityFocus BID
http://www.securityfocus.com/bid/38472

*************************************************************

(4) MODERATE: Microsoft Internet Explorer VBScript Windows Help Code Execution Vulnerability
Affected:
Microsoft Windows 2000 Service Pack 4
Windows XP Service Pack 2, Windows XP Service Pack 3, and Windows XP
Professional x64 Edition Service Pack 2
Windows Server 2003 Service Pack 2, Windows Server 2003 with SP2 for
Itanium-based Systems, and Windows Server 2003 x64 Edition Service Pack 2

Description: A vulnerability has been identified in VBScript, a
scripting language that, like JavaScript, is supported by Microsoft
Internet Explorer. A specially crafted web page, in addition to certain
activity, can trigger this vulnerability. The specific flaw exists
because it is possible to invoke winhlp32.exe from the VBScript
"MsgBox()" function through Internet Explorer. Thus one can execute or
open arbitrary help (.hlp) files, which are usually unsafe files. For
an attack to be successful, the user has to be tricked into pressing
the F1 function key while the specially crafted web page displays the
dialog box. Full technical details for the vulnerability are publicly
available along with a proof-of-concept.

Status: Vendor confirmed, no updates available.

References:
Microsoft Security Advisory
http://www.microsoft.com/technet/security/advisory/981169.mspx
Maurycy Prodeus Vulnerability Write Up
http://isec.pl/vulnerabilities/isec-0027-msgbox-helpfile-ie.txt
Product Home Page
http://www.microsoft.com/ie/
SecurityFocus BID
http://www.securityfocus.com/bid/38463

*************************************************************

(5) MODERATE: Modo 401 LXO Processing Integer Overflow Vulnerability
Affected:
Luxology Modo 401 - Windows

Description: Modo 401 is a 3D modeling, painting, animating and
rendering software package from Luxology LLC designed to create
different models. An integer overflow vulnerability has been identified
in Modo 401. A specially crafted LaserMaster Font ".LXO" file can be
used to trigger this vulnerability. The specific flaw is caused by a
boundary error in the function "Swap4" in "valet4.dll" in the way it
processes LXO files. Successful exploitation might allow an attacker to
execute arbitrary code in the context of the vulnerable application.
Some technical details for the vulnerability are publicly available.

Status: Vendor not confirmed, no updates available.

References:
CoreLabs Research Security Advisory
http://www.coresecurity.com/content/luxology-modo-lxo-vulnerability
Vendor Home Page
http://www.luxology.com/
SecurityFocus BID
http://www.securityfocus.com/bid/38460

*************************************************************

Part II -- Comprehensive List of Newly Discovered Vulnerabilities from
Qualys (www.qualys.com)
Week 10, 2010
This list is compiled by Qualys ( www.qualys.com ) as part of that
company's ongoing effort to ensure its vulnerability management web
service tests for all known vulnerabilities that can be scanned. As of
this week Qualys scans for 8115 unique vulnerabilities. For this special
SANS community listing, Qualys also includes vulnerabilities that cannot
be scanned remotely.
______________________________________________________________________

10.10.1 CVE: Not Available
Platform: Windows
Title: Microsoft Windows Unspecified Denial of Service
Description: Microsoft Windows is exposed to an unspecified denial of
service issue. Attackers can exploit this issue to crash an affected
computer with a Blue Screen of Death error, denying service to
legitimate users.
Ref:
http://www.scmagazineus.com/malta-researchers-find-windows-bug-that-crashes-pcs/article/164439/
______________________________________________________________________

10.10.2 CVE: Not Available
Platform: Other Microsoft Products
Title: Microsoft Internet Explorer "winhlp32.exe" "MsgBox()"
Stack-Based Buffer Overflow
Description: Microsoft Internet Explorer is a browser for the Windows
operating system. Internet Explorer is exposed to a remote stack-based
buffer overflow issue because it fails to properly bounds check
user-supplied input. This issue affects the "winhlp32.exe" binary, and
can be triggered when overly long input is passed to the "helpfile"
parameter of a "MsgBox()" generated with VBScript.
Ref: http://isec.pl/vulnerabilities/isec-0027-msgbox-helpfile-ie.txt
______________________________________________________________________

10.10.3 CVE: Not Available
Platform: Third Party Windows Apps
Title: Google Picasa JPEG Image Processing Integer Overflow
Description: Google Picasa is a graphics application available for
Microsoft Windows. Picasa is exposed to a remote integer overflow
issue that occurs when processing JPEG image files. The issue affects
the "PicasaPhotoViewer.exe" application and may result in a
heap-based buffer overflow.
Ref: http://www.securityfocus.com/bid/38384
______________________________________________________________________

10.10.4 CVE: Not Available
Platform: Third Party Windows Apps
Title: MediaCoder ".m3u" File Remote Buffer Overflow
Description: MediaCoder is a media file transcoder available for
Microsoft Windows. MediaCoder is exposed to a remote buffer overflow
issue because it fails to perform adequate checks on user-supplied
input. Specifically, this issue occurs when opening a specially
crafted ".m3u" file. MediaCoder version 0.7.3.4605 is affected.
Ref: http://www.securityfocus.com/bid/38405
______________________________________________________________________

10.10.5 CVE: Not Available
Platform: Third Party Windows Apps
Title: DateV "DVBSExeCall.ocx" ActiveX Control Remote Command
Execution
Description: DateV is a security application. The DateV
"DVBSExeCall.ocx" ActiveX control is exposed to a remote command
execution issue that affects the "ExecuteExe()" method of the ActiveX
control. An attacker can exploit this issue by enticing an
unsuspecting user to view a malicious web page.
Ref: http://support.microsoft.com/kb/240797
______________________________________________________________________

10.10.6 CVE: Not Available
Platform: Third Party Windows Apps
Title: Domino Web Access ActiveX Control Unspecified Buffer Overflow
Description: IBM Lotus Domino is a client/server product designed for
collaborative working environments. Domino Server supports email,
scheduling, instant messaging and data driven applications. Web
Access is a browser-based client for Lotus Domino. Domino Web Access
is also known as Lotus iNotes. The application is exposed to a buffer
overflow issue because it fails to perform adequate boundary checks on
user-supplied data. Domino Web Access version 6.5, Domino Web Access
versions 7.0 prior to 7.0.4, and Domino Web Access versions 8.0 prior
to 8.0.2FP4 Hotfix 229.281 are affected.
Ref:
http://labs.idefense.com/intelligence/vulnerabilities/display.php?id=857
______________________________________________________________________

10.10.7 CVE: CVE-2009-2754
Platform: Third Party Windows Apps
Title: Multiple Vendor "librpc.dll" Stack Buffer Overflow
Description: "librpc.dll" is an RPC protocol parsing library used by
the ISM portmapper service "portmap.exe". The "librpc.dll" RPC
protocol parsing library is exposed to a remote stack-based buffer
overflow issue because it fails to perform adequate boundary checks on
user-supplied data. The vulnerability occurs because of a signedness
error when handling unspecified parameter sizes during authentication
via TCP port 36890. IBM Informix IDS and EMC Legato Networker are
affected.
Ref: http://www.zerodayinitiative.com/advisories/ZDI-10-023/
______________________________________________________________________

10.10.8 CVE: Not Available
Platform: Third Party Windows Apps
Title: ProSSHD "scp_get()" Buffer Overflow
Description: ProSSHD is an SSH client and server available for
Microsoft Windows. ProSSHD is exposed to a buffer overflow issue
because it fails to perform adequate boundary checks on user-supplied
data. This issue occurs when handling a specially crafted SCP GET
command. ProSSHD version v1.2 20090726 is affected.
Ref: http://www.securityfocus.com/bid/38487
______________________________________________________________________

10.10.9 CVE: Not Available
Platform: Linux
Title: Linux Kernel TSB I-TLB Load Local Privilege Escalation
Description: Linux kernel is exposed to a local privilege escalation
issue because it allows attackers to execute code in nonexecutable
mappings. Specifically, the TSB I-TLB load code tries to use an
"andcc" operation to verify the "_PAGE_EXEC_4U" bit. However, this bit
operation will almost always return true, even in some cases where it
shouldn't.
Ref: http://marc.info/?l=linux-sparc&m=126662196902830&w=2
______________________________________________________________________

10.10.10 CVE: CVE-2010-0299
Platform: Linux
Title: Linux Kernel "devtmpfs" Insecure Root Directory Permission
Description: The "devtmpfs" program is a kernel component that is used
to create the device filesystem when the system boots. The Linux
kernel is exposed to an issue that lets attackers create files as the
superuser. This issue occurs because the root directory of "devtmpfs"
is incorrectly set at mode 1777 instead of 0755.
Ref: http://www.kernel.org/pub/linux/kernel/v2.6/ChangeLog-2.6.32.7
______________________________________________________________________

10.10.11 CVE: CVE-2010-0419
Platform: Linux
Title: Linux Kernel KVM Segment Selector Loading Local Privilege
Escalation
Description: The Linux kernel is exposed to a privilege escalation
issue affecting the Kernel-based Virtual Machine (KVM). Specifically,
local users can exploit this issue to bypass permission checks when
segment selectors are loaded. Linux kernel versions prior to 2.6.32-rc4
are affected.
Ref: https://bugzilla.redhat.com/show_bug.cgi?id=563463
______________________________________________________________________

10.10.12 CVE: Not Available
Platform: Linux
Title: Linux Kernel "dvb_net_ule()" Remote Denial of Service
Description: The Linux kernel is exposed to a remote denial of service
issue affecting the Unidirectional Lightweight Encapsulation (ULE)
implementation. ULE is used to encapsulate IP datagrams over MPEG-2
transport streams and is described by RFC 4326. ULE is commonly used
by, for example, satellite internet traffic. This issue occurs in the
"dvb_net_ule()" function of the "drivers/media/dvb/dvb-core/dvb_net.c"
source code file.
Ref: https://bugzilla.redhat.com/show_bug.cgi?id=569237
______________________________________________________________________

10.10.13 CVE: Not Available
Platform: AIX
Title: IBM AIX LDAP Login Local Denial of Service
Description: IBM AIX is exposed to a local denial of service issue. An
attacker can exploit this issue to prevent LDAP authenticated users
from logging in, denying service to legitimate users.
Ref:
http://www14.software.ibm.com/webapp/set2/subscriptions/pqvcmjd?mode=18&ID=4956&myns=paix53&mync=E
______________________________________________________________________

10.10.14 CVE: CVE-2010-0659
Platform: Cross Platform
Title: WebKit Image Decoder Memory Allocation Remote Code Execution
Description: WebKit is an application development framework designed
to allow browsers to render web pages. The application is exposed to a
remote code execution issue because it fails to properly handle a
memory allocation failure when decoding images. Specifically, this
issue is triggered when processing a GIF file that specifies a large
size.
Ref: http://trac.webkit.org/changeset/52833
______________________________________________________________________

10.10.15 CVE: CVE-2010-0620
Platform: Cross Platform
Title: EMC HomeBase Server Directory Traversal Remote Code Execution
Description: EMC HomeBase Server is the server component of the
HomeBase backup and restore product. HomeBase Server is exposed to a
remote code execution issue because it fails to properly sanitize
user-supplied data. Specifically, attackers may use
directory traversal sequences (../) to upload malicious content to
arbitrary files.
Ref: http://www.zerodayinitiative.com/advisories/ZDI-10-020/
______________________________________________________________________

10.10.16 CVE: Not Available
Platform: Cross Platform
Title: MochaSoft FTPDisc "get" Request Remote Denial of Service
Description: MochaSoft FTPDisc is an FTP Server available for the
Apple iPhone and iPod touch. The application is exposed to a remote
denial of service issue because it fails to handle crafted "get"
requests. MochaSoft FTPDisc version 1.0 is affected.
Ref: http://www.securityfocus.com/bid/38382
______________________________________________________________________

10.10.17 CVE: CVE-2010-0424
Platform: Cross Platform
Title: cronie "crontab" Symbolic Link Local Privilege Escalation
Description: The "cronie" tool runs specified programs at scheduled
times. The application is exposed to a local privilege escalation
issue that stems from a race condition in the crontab when setting the
"mtime" and "atime" values of temporary files.
cronie versions prior to 1.4.4 are affected.
Ref: http://www.securityfocus.com/bid/38391
______________________________________________________________________

10.10.18 CVE: Not Available
Platform: Cross Platform
Title: Zhang Boyang FTP Server Remote Denial of Service
Description: Zhang Boyang FTP Server is an FTP Server available for
the Apple iPhone and iPod touch. The application is exposed to a
remote denial of service issue because it fails to handle crafted TCP
packets. Zhang Boyang FTP Server version 1.0 is affected.
Ref: http://www.securityfocus.com/bid/38389
______________________________________________________________________

10.10.19 CVE: Not Available
Platform: Cross Platform
Title: Kojoney "urllib.urlopen()" Remote Denial of Service
Description: Kojoney is a low level interaction honeypot that emulates
an SSH server. The application is exposed to a remote denial of
service issue because it fails to validate user-supplied URIs when
emulating the "wget" and "curl" commands. Kojoney versions prior to
0.0.4.2 are affected.
Ref: http://www.securityfocus.com/archive/1/509713
______________________________________________________________________

10.10.20 CVE: CVE-2010-0683
Platform: Cross Platform
Title: TIBCO Administrator
Description: TIBCO Administrator is a component found in multiple TIBCO
products. It is used to provide authenticated administration services.
The application is exposed to a security bypass issue because it fails
to properly enforce privileges. This issue affects the
"TIBRepoServer5.jar" file. TIBCO Administrator versions 5.4.0 through
5.6.0 are affected.
Ref:
http://www.tibco.com/multimedia/security_advisory_administrator_tcm8-10685.txt
______________________________________________________________________

10.10.21 CVE: Not Available
Platform: Cross Platform
Title: Weekly Archive by Node Type Module Weekly Summary Security
Bypass
Description: Weekly Archive by Node Type is a module for the Drupal
content manager. The module is exposed to a security bypass issue in
the weekly summary listings. Specifically, the module fails to
construct SQL queries that respect the node access restriction. This
will allow attackers to view nodes that are restricted by the
node access module.
Ref: http://drupal.org/node/724286
______________________________________________________________________

10.10.22 CVE: Not Available
Platform: Cross Platform
Title: Apple Safari Style Tag Remote Memory Corruption
Description: Apple Safari is a web browser. Safari is exposed to a
remote memory corruption issue that can be triggered by an HTML
document containing a "style" tag surrounding malformed data. Safari
version 4.0.4 is affected.
Ref: http://www.securityfocus.com/bid/38398
______________________________________________________________________

10.10.23 CVE: Not Available
Platform: Cross Platform
Title: Symantec Altiris Deployment Solution "dbmanager.exe" Denial of
Service
Description: Symantec Altiris Deployment Solution is software for
deploying and managing servers, desktops, notebooks, thin clients and
handheld devices from a centralized location. Symantec Altiris
Deployment Solution is exposed to a remote denial of service issue.
Specifically, the issue occurs in the "dbmanager.exe" file due to a
use-after-free error that can dereference invalid memory. Symantec
Altiris Deployment Solution version 6.9 SP3 build 430 is affected.
Ref: http://www.securityfocus.com/bid/38410
______________________________________________________________________

10.10.24 CVE: Not Available
Platform: Cross Platform
Title: VKPlayer ".mid" File Processing Buffer Overflow
Description: VKPlayer is a media player that supports multiple file
formats. The application is exposed to a buffer overflow issue because
it fails to perform adequate checks on user-supplied input.
Specifically, this issue occurs when the application parses malformed
".mid" files. VKPlayer version 1.0 is affected.
Ref: http://www.securityfocus.com/bid/38423
______________________________________________________________________

10.10.25 CVE: Not Available
Platform: Cross Platform
Title: Asterisk CIDR Notation in Access Rule Remote Security Bypass
Description: Asterisk is an open source PBX application available for
multiple operating platforms. Asterisk is exposed to a security bypass
issue because it fails to properly enforce "permit=" and "deny=" rules
in access control lists (ACL).
Ref: http://downloads.asterisk.org/pub/security/AST-2010-003.html
______________________________________________________________________

10.10.26 CVE: Not Available
Platform: Cross Platform
Title: XMail Insecure Temporary File Creation
Description: XMail is a mail server for various platforms including
Linux, FreeBSD, OpenBSD, NetBSD, Mac OS X, Solaris and Microsoft
Windows. The application creates temporary files in an insecure
manner. XMail versions prior to 1.27 are affected.
Ref: http://www.xmailserver.org/ChangeLog.html#feb_25__2010_v_1_27
______________________________________________________________________

10.10.27 CVE: Not Available
Platform: Cross Platform
Title: Hitachi JP1/Cm2/Network Node Manager Insecure File Permissions
Description: Hitachi JP1/Cm2/Network Node Manager is used to manage a
network from a single console. Hitachi JP1/Cm2/Network Node Manager
Remote Console is exposed to a security issue because it sets insecure
file permissions. Successful exploitation allows an attacker to obtain
sensitive information or gain escalated privileges.
Ref:
http://www.hitachi.co.jp/Prod/comp/soft1/global/security/info/vuls/HS10-002/index.html
______________________________________________________________________

10.10.28 CVE: Not Available
Platform: Cross Platform
Title: PHP LCG entropy Unspecified Security
Description: PHP is a general purpose scripting language that is
especially suited for web development and can be embedded into HTML.
PHP is exposed to an unspecified security issue that affects LCG
entropy. PHP versions prior to 5.2.13 are affected.
Ref: http://samy.pl/phpwn/
______________________________________________________________________

10.10.29 CVE: Not Available
Platform: Cross Platform
Title: PHP "tempnam()" "safe_mode" Validation Restriction Bypass
Description: PHP is a general purpose scripting language that is
especially suited for web development and can be embedded into HTML.
PHP is exposed to a "safe_mode" restriction bypass issue. Successful
exploits could allow an attacker to access files in unauthorized
locations or create files in writable directories. PHP versions 5.2.12
and earlier are affected.
Ref: http://www.php.net/releases/5_2_13.php
______________________________________________________________________

10.10.30 CVE: CVE-2010-0427
Platform: Cross Platform
Title: Todd Miller Sudo "runas_default" Local Privilege Escalation
Description: Todd Miller "sudo" is a widely used Linux/Unix command
that allows users to securely run commands as the superuser or as
other users. The utility is exposed to a local privilege escalation
issue when "runas_default" is used. "sudo" versions prior to 1.6.9p21
are affected.
Ref: http://www.securityfocus.com/bid/38432
______________________________________________________________________

10.10.31 CVE: Not Available
Platform: Cross Platform
Title: FileExecutive Multiple Remote Vulnerabilities
Description: FileExecutive is a file manager. The application is
exposed to multiple remote issues: 1) A cross-site request forgery
issue may allow attackers to add new administrator users and edit
administrator credentials. 2) An arbitrary file upload issue
affects the "index.php" script. 3) An arbitrary file disclosure issue
affects the "file" parameter of the "download.php" script. 4) A
path disclosure issue affects the "dir" parameter of the
"listdir.php" script. FileExecutive version 1.0.0 is affected.
Ref: http://www.securityfocus.com/bid/38433
______________________________________________________________________

10.10.32 CVE: Not Available
Platform: Cross Platform
Title: Apple Safari "background" attribute Remote Denial of Service
Description: Apple Safari is a web browser. Apple Safari is exposed to
a remote denial of service issue. Specifically, the issue arises when
the browser processes an HTML file with excessive amounts of string
values supplied via the "background" attribute of the HTML <body> tag.
Safari versions 4.0.4 and 4.0.3 are affected.
Ref: http://www.securityfocus.com/bid/38447
______________________________________________________________________

10.10.33 CVE: Not Available
Platform: Cross Platform
Title: IBM Domino Web Access Prior to 229.281 Unspecified Security
Vulnerabilities
Description: IBM Domino Web Access facilitates web access to
Domino-based mail, calendar, schedule, to-do lists, contact lists and
notebooks for Lotus Domino users. Domino Web Access is also known as
Lotus iNotes. The application is exposed to multiple unspecified
issues that affect the "Ultralite" component of Domino Web Access. IBM
Lotus Domino Web Access version 8.0.2 FP4 prior to Hotfix 229.281 is
affected.
Ref: http://www-01.ibm.com/support/docview.wss?uid=swg27018109
______________________________________________________________________

10.10.34 CVE: CVE-2009-2753
Platform: Cross Platform
Title: IBM Informix Dynamic Server "librpc.dll" Multiple Buffer
Overflow Vulnerabilities
Description: IBM Informix Dynamic Server is an application server that
runs on various platforms. IBM Informix Dynamic Server is exposed to a
stack-based buffer overflow issue and a heap-based buffer overflow
issue because the application fails to perform adequate
boundary checks on user-supplied data. These issues affect the
"librpc.dll" library, which is used by the ISM Portmapper service
("portmap.exe") listening on TCP port 36890 by default.
Ref: http://www.zerodayinitiative.com/advisories/ZDI-10-022/
______________________________________________________________________

10.10.35 CVE: CVE-2010-0156
Platform: Cross Platform
Title: Reductive Labs Puppet "/tmp" Insecure File Permissions
Vulnerabilities
Description: Puppet is a configuration management system. Puppet is
exposed to multiple insecure file permission issues. Specifically,
these issues occur because the application creates multiple files
in the "/tmp" directory with insecure permissions.
Ref: https://bugzilla.redhat.com/show_bug.cgi?id=502881
______________________________________________________________________

10.10.36 CVE: Not Available
Platform: Cross Platform
Title: MochaSoft FTPDisc Multiple Remote Denial of Service
Vulnerabilities
Description: MochaSoft FTPDisc is an FTP Server available for the
Apple iPhone and iPod touch. The application is exposed to multiple
remote denial of service issues because it fails to handle crafted
"USER", "CWD" and "DELE" requests. MochaSoft FTPDisc version 1.0 is
affected.
Ref: http://www.securityfocus.com/bid/38475
______________________________________________________________________

10.10.37 CVE: CVE-2010-0205
Platform: Cross Platform
Title: Libpng "png_decompress_chunk()" Function Denial of Service
Description: The "libpng" library is a PNG reference library. The
library is exposed to a remote denial of service issue. Specifically,
when parsing PNG files containing highly compressed ancillary chunks,
the "png_decompress_chunk()" function in the affected library can
consume an excessive amount of resources. libpng versions prior to
1.4.1, 1.2.43, and 1.0.53 are affected.
Ref: http://www.kb.cert.org/vuls/id/576029
______________________________________________________________________

10.10.38 CVE: Not Available
Platform: Web Application - Cross Site Scripting
Title: TRUC "login_reset_password_page.php" Cross-Site Scripting
Description: TRUC is a web-based application for tracking requirements
and use cases. It is implemented in PHP. The application is exposed to
a cross-site scripting issue because it fails to sanitize
user-supplied input to the "error" parameter of the
"login_reset_password_page.php" script. TRUC version 0.11.0 is
affected.
Ref: http://www.securityfocus.com/bid/38445
______________________________________________________________________

10.10.39 CVE: CVE-2010-0661
Platform: Web Application - Cross Site Scripting
Title: WebKit "window.open()" method Cross-Domain Scripting
Description: WebKit is a browser framework used in multiple
applications, including Apple Safari and Google Chrome browsers. The
application is exposed to a cross-domain scripting issue because it
fails to properly enforce the same origin policy. This issue affects
the "window.open()" function of the
"WebCore/bindings/v8/custom/V8DOMWindowCustom.cpp" source file. WebKit
versions prior to r52401 are affected.
Ref:
http://googlechromereleases.blogspot.com/2010/01/stable-channel-update_25.html
______________________________________________________________________

10.10.40 CVE: CVE-2010-0640
Platform: Web Application - Cross Site Scripting
Title: Computer Associates eHealth Performance Manager Web Interface
Cross-Site Scripting
Description: Computer Associates eHealth Performance Manager is an
application for managing the performance of network applications and
services. The application is exposed to a cross-site scripting issue
because it fails to sanitize user-supplied input. This issue affects
the application's web interface. Computer Associates eHealth
Performance Manager versions 6.0.x, 6.1.x, and 6.2.x are affected.
Ref: http://seclists.org/fulldisclosure/2010/Feb/415
______________________________________________________________________

10.10.41 CVE: Not Available
Platform: Web Application - Cross Site Scripting
Title: Softbiz Jobs "sbad_type" Parameter Cross-Site Scripting
Description: Softbiz Jobs is a PHP-based script for job recruitment.
The application is exposed to a cross-site scripting issue because it
fails to sanitize user-supplied input to the "sbad_type" parameter of
the "addad.php" script.
Ref: http://www.securityfocus.com/bid/38383
______________________________________________________________________

10.10.42 CVE: Not Available
Platform: Web Application - Cross Site Scripting
Title: MySmartBB Multiple Cross-Site Scripting Vulnerabilities
Description: MySmartBB is a bulletin board application implemented in
PHP. The application is exposed to multiple cross-site scripting
issues because it fails to sufficiently sanitize user-supplied data
supplied via various PHP predefined variables. MySmartBB version 1.7.0
is affected.
Ref: http://www.securityfocus.com/bid/38385
______________________________________________________________________

10.10.43 CVE: Not Available
Platform: Web Application - Cross Site Scripting
Title: Sawmill Unspecified Cross-Site Scripting
Description: Sawmill is a log analysis and reporting application. The
application is exposed to an unspecified cross-site scripting issue
because it fails to sanitize user-supplied input. Sawmill versions
prior to 7.2.18 are affected.
Ref: http://www.sawmill.net/version_history7.html
______________________________________________________________________

10.10.44 CVE: Not Available
Platform: Web Application - Cross Site Scripting
Title: Multiple IBM Products Login Page Cross-Site Scripting
Description: IBM Lotus Web Content Management is a suite of web-based
applications for Windows, Unix and Sun platforms. IBM WebSphere
Portal is a content manager for enterprises. IBM Lotus Quickr is a
web-based collaboration software designed for sharing documents and
media. The applications are exposed to a cross-site scripting issue
because they fail to sanitize user-supplied input to the login page.
Ref: http://trac.webkit.org/changeset/52833
______________________________________________________________________

10.10.45 CVE: Not Available
Platform: Web Application - Cross Site Scripting
Title: tDiary TrackBack Transmission Plugin Cross-Site Scripting
Description: tDiary is a web-based diary application implemented in
Ruby. The application is exposed to cross-site scripting attacks
because it fails to sufficiently sanitize user-supplied input to an
unspecified parameter of the TrackBack transmission ("tb-send.rb")
module. tDiary versions prior to 2.2.3 are affected.
Ref: http://www.securityfocus.com/bid/38413
______________________________________________________________________

10.10.46 CVE: Not Available
Platform: Web Application - Cross Site Scripting
Title: Hitachi Multiple Products Unspecified Cross-Site Scripting
Description: Multiple Hitachi products are exposed to a cross-site
scripting issue because they fail to properly sanitize user-supplied
input. An attacker may leverage this issue to execute arbitrary
script code in the browser of an unsuspecting user in the context of
the affected site.
Ref:
http://www.hitachi.co.jp/Prod/comp/soft1/global/security/info/vuls/HS10-001/index.html
______________________________________________________________________

10.10.47 CVE: Not Available
Platform: Web Application - Cross Site Scripting
Title: ARISg "wflogin.jsp" Cross-Site Scripting
Description: ARISg is a Java-based application for drug reporting
(pharmacovigilance). The application is exposed to a cross-site
scripting issue because it fails to sanitize user-supplied input to
the "errmsg" parameter of the "wflogin.jsp" script. ARISg version 5.0
is affected.
Ref: http://www.securityfocus.com/archive/1/509758
______________________________________________________________________

10.10.48 CVE: Not Available
Platform: Web Application - Cross Site Scripting
Title: Oracle Siebel "loyalty_enu/start.swe" Cross-Site Scripting
Description: Oracle Siebel is a customer relationship management
application. The application is exposed to a cross-site scripting
issue because it fails to sanitize user-supplied input to the URI of
the "htim_enu/start.swe" page. Oracle Siebel versions 7.7 and 7.8 are
affected.
Ref: http://www.securityfocus.com/archive/1/509774
______________________________________________________________________

10.10.49 CVE: Not Available
Platform: Web Application - Cross Site Scripting
Title: ExtCalendar "upgrade.php" Cross-Site Scripting
Description: ExtCalendar is a PHP-based web calendar application. The
application is exposed to a cross-site scripting issue because it
fails to sanitize user-supplied input to the "html_footer()" function
of the "upgrade.php" script before using it in an SQL query.
ExtCalendar version 2.0 beta is affected.
Ref: http://www.zeroscience.mk/en/vulnerabilities/ZSL-2010-4928.php
______________________________________________________________________

10.10.50 CVE: Not Available
Platform: Web Application - Cross Site Scripting
Title: MarketGate Package for Eshbel Priority ERP "Referer" Parameter
Cross-Site Scripting
Description: The MarketGate Package for Eshbel Priority ERP is an
application suite for businesses. The application is exposed to a
cross-site scripting issue because it fails to sanitize user-supplied
input to the HTTP Referer field of the "priorSysMan.htm" script before
using it in an SQL query.
Ref: http://www.securityfocus.com/archive/1/509792
______________________________________________________________________

10.10.51 CVE: Not Available
Platform: Web Application - Cross Site Scripting
Title: Discuz! "uid" Parameter Cross-Site Scripting
Description: Discuz! is web-based forum software. The application is
exposed to a cross-site scripting issue because it fails to properly
sanitize user-supplied input to the "uid" parameter of the
"eccredit.php" script. Discuz! version 6.0.0 is affected.
Ref: http://www.securityfocus.com/archive/1/509800
______________________________________________________________________

10.10.52 CVE: Not Available
Platform: Web Application - Cross Site Scripting
Title: Sparta Systems TrackWise EQMS Multiple Cross-Site Scripting
Vulnerabilities
Description: Sparta Systems TrackWise EQMS is a web-based quality
management solution. The application is exposed to multiple cross-site
scripting issues because it fails to properly sanitize user-supplied
input. An attacker may leverage these issues to execute arbitrary
script code in the browser of an unsuspecting user in the context of
the affected site.
Ref: http://www.securityfocus.com/archive/1/509792/30/0/threaded
______________________________________________________________________

10.10.53 CVE: Not Available
Platform: Web Application - SQL Injection
Title: Pre Multi-Vendor E-Commerce Solution "detail.php" SQL Injection
Description: Pre Multi-Vendor E-Commerce Solution is a PHP-based web
application. The application is exposed to an SQL injection issue
because it fails to sufficiently sanitize user-supplied input to the
"prodid" parameter of the "detail.php" script before using it in an
SQL query.
Ref: http://www.securityfocus.com/bid/38377
______________________________________________________________________

10.10.54 CVE: Not Available
Platform: Web Application - SQL Injection
Title: MASA2EL Music City "index.php" Multiple SQL Injection
Vulnerabilities
Description: MASA2EL Music City is a PHP-based web application. The
application is exposed to multiple SQL injection issues because it
fails to sufficiently sanitize user-supplied input. MASA2EL Music City
version 1.0 is affected.
Ref: http://www.securityfocus.com/bid/38378
______________________________________________________________________

10.10.55 CVE: Not Available
Platform: Web Application - SQL Injection
Title: Softbiz Jobs "moredetails.php" SQL Injection
Description: Softbiz Jobs is a PHP-based script for job recruitment.
The application is exposed to an SQL injection issue because it fails
to sufficiently sanitize user-supplied data to the "sblink_id"
parameter of the "moredetails.php" script before using it in an SQL
query.
Ref: http://www.securityfocus.com/bid/38390
______________________________________________________________________

10.10.56 CVE: Not Available
Platform: Web Application - SQL Injection
Title: Bispage Content Manager Admin Page SQL Injection
Description: Bispage Content Manager is an ASPX-based application for
developing websites. The application is exposed to an SQL injection
issue because it fails to sufficiently sanitize user-supplied input to
the "User Name" and "Password" fields of the "admin" page before using
it in an SQL query.
Ref: http://www.securityfocus.com/bid/38392
______________________________________________________________________

10.10.57 CVE: Not Available
Platform: Web Application - SQL Injection
Title: Softbiz Auktios Multiple SQL Injection Vulnerabilities
Description: Softbiz Auktios is a PHP-based web application. The
application is exposed to multiple SQL injection issues because it
fails to sufficiently sanitize user-supplied input.
Ref: http://www.securityfocus.com/bid/38399
______________________________________________________________________

10.10.58 CVE: Not Available
Platform: Web Application - SQL Injection
Title: HD FLV Player Component for Joomla! "id" Parameter SQL
Injection
Description: HD FLV Player is a component for the Joomla! content
manager. The application is exposed to an SQL injection issue because
it fails to sufficiently sanitize user-supplied data to the "id"
parameter of "com_hdflvplayer" before using it in an SQL query.
Ref: http://www.securityfocus.com/bid/38401
______________________________________________________________________

10.10.59 CVE: Not Available
Platform: Web Application - SQL Injection
Title: shortCMS "printview.php" SQL Injection
Description: shortCMS is a content manager implemented in PHP. The
application is exposed to an SQL injection issue because it fails to
sufficiently sanitize user-supplied input to the "pvid" parameter of
the "printview.php" script before using it in an SQL query. shortCMS
version 1.11F (B) is affected.
Ref: http://www.securityfocus.com/bid/38403
______________________________________________________________________

10.10.60 CVE: Not Available
Platform: Web Application - SQL Injection
Title: Softbiz Classifieds PLUS Script Multiple SQL Injection
Vulnerabilities
Description: The Softbiz Classifieds PLUS script is a PHP-based web
application. The application is exposed to multiple SQL injection
issues because it fails to sufficiently sanitize user-supplied input.
Ref: http://www.securityfocus.com/bid/38407
______________________________________________________________________

10.10.61 CVE: Not Available
Platform: Web Application - SQL Injection
Title: GameScript "index.php" SQL Injection
Description: GameScript is a PHP-based content manager for online
games. The application is exposed to an SQL injection issue because it
fails to sufficiently sanitize user-supplied input to the "id"
parameter of the "index.php" script when the "action" parameter is set
to "category". GameScript version 3.0 is affected.
Ref: http://www.securityfocus.com/bid/38414
______________________________________________________________________

10.10.62 CVE: Not Available
Platform: Web Application - SQL Injection
Title: JSK Internet WebAdministrator "download.php" SQL Injection
Description: JSK Internet WebAdministrator is a PHP-based content
manager. The application is exposed to an SQL injection issue because
it fails to sufficiently sanitize user-supplied input to the "s"
parameter of the "download.php" script before using it in an SQL
query. JSK Internet WebAdministrator Lite is affected.
Ref: http://www.securityfocus.com/bid/38416
______________________________________________________________________

10.10.63 CVE: Not Available
Platform: Web Application - SQL Injection
Title: Softbiz Recipes Portal and Link Directory Script "showcats.php"
SQL Injection
Description: Softbiz Recipes Portal and Link Directory Script are
PHP-based scripts for sharing online information. These applications
are exposed to an SQL injection issue because they fail to
sufficiently sanitize user-supplied data to the "sbcat_id" parameter
of the "showcats.php" script before using it in an SQL query.
Ref: http://www.securityfocus.com/bid/38418
______________________________________________________________________

10.10.64 CVE: Not Available
Platform: Web Application - SQL Injection
Title: Entry Level CMS "index.php" SQL Injection
Description: Entry Level CMS is a PHP-based content management system.
The application is exposed to an SQL injection issue because it fails
to sufficiently sanitize user-supplied input to the "subj" parameter
of the "index.php" script.
Ref: http://www.securityfocus.com/bid/38422
______________________________________________________________________

10.10.65 CVE: Not Available
Platform: Web Application - SQL Injection
Title: Pre Classified Listings "signup.asp" SQL Injection
Description: Pre Classified Listings is an ASP-based application for
managing classifieds. The application is exposed to an SQL injection
issue because it fails to sufficiently sanitize user-supplied input to
the "email" parameter of the "signup.asp" script.
Ref: http://www.securityfocus.com/bid/38446
______________________________________________________________________

10.10.66 CVE: Not Available
Platform: Web Application - SQL Injection
Title: SLAED CMS SQL Injection
Description: SLAED CMS is a PHP-based content manager. The application
is exposed to an SQL injection issue because it fails to sufficiently
sanitize user-supplied input to the "index.php" script. SLAED CMS
version 4 is affected.
Ref: http://www.securityfocus.com/bid/38452
______________________________________________________________________

10.10.67 CVE: Not Available
Platform: Web Application - SQL Injection
Title: Joomla! "com_yanc" Component "listid" Parameter SQL Injection
Description: The "com_yanc" application is a PHP-based component for
the Joomla! content manager. The component is exposed to an SQL
injection issue because it fails to sufficiently sanitize
user-supplied data to the "listid" parameter before using it in an SQL
query.
Ref: http://www.securityfocus.com/bid/38454
______________________________________________________________________

10.10.68 CVE: Not Available
Platform: Web Application - SQL Injection
Title: Uiga Fan Club and Personal Portal "id" Parameter SQL Injection
Description: Uiga Fan Club is a fan page application. Uiga Personal
Portal is a web portal application. The applications are exposed to an
SQL injection issue because they fail to sufficiently sanitize
user-supplied input to the "id" parameter of the "index.php" script
when the "view" parameter is set to "photo".
Ref: http://www.securityfocus.com/bid/38464
______________________________________________________________________

10.10.69 CVE: Not Available
Platform: Web Application - SQL Injection
Title: Blax Blog "girisyap.php" SQL Injection
Description: Blax Blog is a PHP-based blogging application. The
application is exposed to an SQL injection issue because it fails to
sufficiently sanitize user-supplied input to the "username" and
"password" fields of the "admin/girisyap.php" script.
Blax Blog version 0.1 is affected.
Ref: http://www.securityfocus.com/bid/38465
______________________________________________________________________

10.10.70 CVE: Not Available
Platform: Web Application - SQL Injection
Title: Uiga Fan Club Login Multiple SQL Injection Vulnerabilities
Description: Uiga Fan Club is a PHP-based fan page application. The
application is exposed to multiple SQL injection issues because it
fails to adequately sanitize user-supplied input to the "Username" and
"Password" fields when logging in as an administrator via the
"admin/admin_login.php" script. Uiga Fan Club version 1.0 is affected.
Ref: http://www.securityfocus.com/bid/38466
______________________________________________________________________

10.10.71 CVE: Not Available
Platform: Web Application - SQL Injection
Title: Scriptsfeed Business Directory Software
Description: Scriptsfeed Business Directory Software is a PHP-based
online directory application. The application is exposed to multiple
SQL injection issues because it fails to sufficiently sanitize
user-supplied input to the "us" and "ps" parameters of the "login.php"
script.
Ref: http://www.securityfocus.com/bid/38470
______________________________________________________________________

10.10.72 CVE: Not Available
Platform: Web Application - SQL Injection
Title: 1024 CMS "id" Parameter SQL Injection
Description: 1024 CMS is a content manager implemented in PHP. The
application is exposed to an SQL injection issue because it fails to
sufficiently sanitize user-supplied input to the "id" parameter of the
"rss.php" script. 1024 CMS version 2.1.1 is affected.
Ref: http://www.securityfocus.com/bid/38476
______________________________________________________________________

10.10.73 CVE: Not Available
Platform: Web Application - SQL Injection
Title: My Little Forum "contact.php" SQL Injection
Description: My Little Forum is a PHP-based web forum application. The
application is exposed to an SQL injection issue because it fails to
sufficiently sanitize user-supplied input to the "id" parameter of the
"contact.php" script before using it in an SQL query.
Ref: http://www.securityfocus.com/bid/38485
______________________________________________________________________

10.10.74 CVE: Not Available
Platform: Web Application - SQL Injection
Title: Phptroubleticket "vedi_faq.php" SQL Injection
Description: Phptroubleticket is a PHP-based IT service management
application. The application is exposed to an SQL injection issue
because it fails to sufficiently sanitize user-supplied input to the
"id" parameter of the "vedi_faq.php" script before using it in an SQL
query. Phptroubleticket version 2.0 is affected.
Ref: http://www.securityfocus.com/bid/38486
______________________________________________________________________

10.10.75 CVE: Not Available
Platform: Web Application
Title: WikyBlog Multiple Remote Input Validation Vulnerabilities
Description: WikyBlog is a combined wiki and blog application
implemented in PHP and MySQL. The application is exposed to multiple
security issues. 1) An arbitrary file upload issue that occurs because
the application fails to sufficiently sanitize user-supplied input. 2)
A cross-site scripting issue that affects the "which" parameter of the
"index.php/Special/Main/Templates" script. 3) A session fixation issue
that exists due to a design error when handling sessions. 4) A remote
file include issue that presents itself because the application fails
to properly sanitize user-supplied input to the "langFile" parameter
of the "include/WBmap.php" script. WikyBlog version 1.7.3rc2 is
affected.
Ref: http://www.securityfocus.com/bid/38386
______________________________________________________________________

10.10.76 CVE: Not Available
Platform: Web Application
Title: SilverStripe Multiple Remote Vulnerabilities
Description: SilverStripe is a PHP-based content management system.
The application is exposed to multiple remote issues. 1) A cross-site
scripting issue is present because the application fails to
sufficiently sanitize user-supplied data. 2) The application is
exposed to multiple information disclosure issues. SilverStripe
versions prior to 2.3.6 are affected.
Ref:
http://groups.google.com/group/silverstripe-announce/browse_thread/thread/c75fbd7926ed2725?tvc=2&fwc=1&pli=1
______________________________________________________________________

10.10.77 CVE: Not Available
Platform: Web Application
Title: PHP F1 Max's Photo Album "admin.php" Arbitrary File Upload
Description: Max's Photo Album is a PHP-based web application. The
application is exposed to an issue that lets attackers upload
arbitrary files. The issue occurs because the application fails to
adequately sanitize user-supplied input before uploading files via the
"admin.php" script.
Ref: http://www.securityfocus.com/bid/38400
______________________________________________________________________

10.10.78 CVE: Not Available
Platform: Web Application
Title: OpenInferno OI.Blogs Multiple Local File Include
Vulnerabilities
Description: OI.Blogs is a PHP-based blogging application. The
application is exposed to local file include issues because it fails
to properly sanitize user-supplied input. An attacker can exploit
these vulnerabilities to obtain potentially sensitive information and
execute arbitrary local scripts in the context of the web server
process. OpenInferno OI.Blogs version 1.0.0 is affected.
Ref: http://www.securityfocus.com/bid/38402
______________________________________________________________________

10.10.79 CVE: Not Available
Platform: Web Application
Title: Facebook-style Statuses Module User Status Security Bypass
Description: Facebook-style Statuses is a module for the Drupal
content manager. The module is exposed to a security bypass issue in
the weekly summary listings. Specifically, a design error in the
application may allow an attacker to overwrite another user's status
if it's posted within 10 seconds after the victim has posted their
status message.
Ref: http://drupal.org/node/724842
______________________________________________________________________

10.10.80 CVE: Not Available
Platform: Web Application
Title: PBoard "upload/index.php" Remote File Upload
Description: PBoard is a PHP-based bulletin board. The application is
exposed to a remote file upload issue because it fails to sufficiently
sanitize user-supplied input. This issue affects the avatar upload
feature in the "upload/index.php" script. PBoard version 2.0.5 is
affected.
Ref: http://www.securityfocus.com/bid/38406
______________________________________________________________________

10.10.81 CVE: Not Available
Platform: Web Application
Title: Article Friendly Security Bypass
Description: Article Friendly is a PHP-based application for
publishing articles. The application is exposed to a security bypass
issue because it fails to properly validate certain HTTP requests.
Specifically, an attacker may create an arbitrary user with admin
privileges by enticing a logged-in administrator to visit a crafted
site.
Ref: http://www.articlefriendly.com/updates.html
______________________________________________________________________

10.10.82 CVE: Not Available
Platform: Web Application
Title: Newbie CMS Insecure Cookie Authentication Bypass
Description: Newbie CMS is a web application. The application is
exposed to an authentication bypass issue because it fails to
adequately verify user-supplied input used for cookie-based
authentication. Specifically, attackers can gain administrative access
to the application by setting the "nb_logged" cookie parameter to an
administrator's username and the "path" parameter to "/newbb/admin/"
via the "admin/config.php" script. Newbie CMS versions prior to 0.03
are affected.
Ref:
http://newbie-cms.com/forum/index.php?action=vthread&forum=1&topic=1#msg1
______________________________________________________________________

10.10.83 CVE: Not Available
Platform: Web Application
Title: Arab Cart "showimg.php" Cross-Site Scripting and SQL Injection
Vulnerabilities
Description: Arab Cart is a PHP-based ecommerce application. The
application is exposed to a cross-site scripting issue and an SQL
injection issue because it fails to sanitize user-supplied input to the
"id" parameter of the "showimg.php" script. Arab Cart version 1.0.2.0
is affected.
Ref: http://www.securityfocus.com/bid/38426
______________________________________________________________________

10.10.84 CVE: Not Available
Platform: Web Application
Title: Ceondo InDefero Unauthorized Access
Description: InDefero is a web application for developing software.
The application is exposed to an unauthorized access issue because it
fails to adequately limit authenticated users' access to other users'
projects. Specifically, the git-serving component may allow users with
a valid SSH key to access restricted files in read-only mode when an
attacker knows the short name of a target project. InDefero versions
prior to 0.8.10 are affected.
Ref: http://www.ceondo.com/ecte/2010/02/indefero-security-vulnerability
______________________________________________________________________

10.10.85 CVE: Not Available
Platform: Web Application
Title: Website Baker "framework/class.wb.php" Security Bypass
Description: Website Baker is a PHP-based content manager. The
application is exposed to a security bypass issue because it fails to
properly enforce security restrictions. Specifically, an attacker can
exploit the "print_error()" function of the "framework/class.wb.php"
script to impersonate a registered user. Website Baker version 2.8.0
is affected.
Ref: http://www.websitebaker2.org/forum/index.php/topic,15519.0.html
______________________________________________________________________

10.10.86 CVE: Not Available
Platform: Web Application
Title: TYPO3 OpenID Module Backend User Account Security Bypass
Description: OpenID is a third party extension for the TYPO3 content
manager. The OpenID module included in TYPO3 is exposed to a security
bypass issue. Specifically, attackers can log in to the TYPO3 backend
by using a backend user account's OpenID identity. TYPO3 version 4.3.0
is affected.
Ref:
http://typo3.org/teams/security/security-bulletins/typo3-sa-2010-001/
______________________________________________________________________

10.10.87 CVE: Not Available
Platform: Web Application
Title: Crawlability vBSEO "vbseo.php" Local File Include
Description: vBSEO is a PHP-based search engine optimization
application. The application is exposed to a local file include issue
because it fails to properly sanitize user-supplied input to the
"vbseourl" parameter of the "vbseo.php" script. vBSEO version 3.1.0
is affected.
Ref: http://www.securityfocus.com/bid/38439
______________________________________________________________________

10.10.88 CVE: CVE-2010-0688
Platform: Web Application
Title: Orbital Viewer ".orb" File Stack-Based Buffer Overflow
Description: Orbital Viewer is an application for viewing ".orb"
files. The application is exposed to a stack-based buffer overflow
issue because it fails to properly bounds check user-supplied data
before copying it into an insufficiently sized buffer. This issue
occurs when a specially crafted ".orb" file is opened. Orbital Viewer
version 1.04 is affected.
Ref:
http://www.corelan.be:8800/index.php/forum/security-advisories/corelan-10-011-orbital-viewer-orb-buffer-overflow/
______________________________________________________________________

10.10.89 CVE: Not Available
Platform: Web Application
Title: Nemo Multiple File Attachments Mail Form "upload.php" Arbitrary
File Upload
Description: Nemo Multiple File Attachments Mail Form is a PHP-based
application for handling email attachments. The application is exposed
to an issue that lets attackers upload arbitrary files. Specifically,
the issue occurs because the application fails to adequately sanitize
file extensions before uploading files to the web server through the
"upload.php" script. Nemo Multiple File Attachments Mail Form PRO-V2
is affected.
Ref: http://www.securityfocus.com/bid/38443
______________________________________________________________________

10.10.90 CVE: Not Available
Platform: Web Application
Title: Open Educational System "CONF_INCLUDE_PATH" Parameter Multiple
Remote File Include Vulnerabilities
Description: Open Educational System is an open source e-learning
application. The application is exposed to multiple remote file
include issues because it fails to sufficiently sanitize user-supplied
input. Open Educational System versions 0.1 beta and earlier are
affected.
Ref: http://www.securityfocus.com/bid/38449
______________________________________________________________________

10.10.91 CVE: Not Available
Platform: Web Application
Title: SLAED CMS Remote File Upload
Description: SLAED CMS is a PHP-based content manager. The application
is exposed to a remote file upload issue because it fails to
sufficiently sanitize user-supplied input. This issue affects the
upload feature accessible via the "index.php" script. Uploaded content
can be accessed via the "sd/uploads/files/temp/" directory. SLAED CMS
version 4 is affected.
Ref: http://www.securityfocus.com/bid/38450/
______________________________________________________________________

10.10.92 CVE: Not Available
Platform: Web Application
Title: SLAED CMS Multiple Remote File Include Vulnerabilities
Description: SLAED CMS is a PHP-based content manager. The application
is exposed to multiple remote file include issues because it fails to
sufficiently sanitize user-supplied input to the "file" and "name"
parameters of the "index" script. SLAED CMS version 4 is affected.
Ref: http://www.securityfocus.com/bid/38451
______________________________________________________________________

10.10.93 CVE: Not Available
Platform: Web Application
Title: SLAED CMS Installation Script Unauthorized Access
Description: SLAED CMS is a PHP-based content manager. SLAED CMS is
exposed to an unauthorized access issue that allows attackers to gain
access to installation scripts. This issue arises because the
application fails to properly implement access controls.
SLAED CMS 4 is affected.
Ref: http://www.securityfocus.com/bid/38453
______________________________________________________________________

10.10.94 CVE: Not Available
Platform: Web Application
Title: Article Friendly "filename" Parameter Local File Include
Description: Article Friendly is a PHP-based article publishing
application. The application is exposed to a local file include issue
because it fails to properly sanitize user-supplied input to the
"filename" parameter of the "admin/index.php" script. Article Friendly
Pro is affected.
Ref: http://www.securityfocus.com/bid/38461
______________________________________________________________________

10.10.95 CVE: Not Available
Platform: Web Application
Title: DeDeCMS
Description: DeDeCMS is a PHP-based content manager. The application
is exposed to an authentication bypass issue because it fails to
adequately verify user-supplied input. Specifically, the application
allows users to gain unauthorized access to the application by setting
the "_SESSION[dede_admin_id]" parameter to 1. DeDeCMS GBK version 5.5
is affected.
Ref: http://www.securityfocus.com/bid/38469
______________________________________________________________________

10.10.96 CVE: Not Available
Platform: Network Device
Title: TrendNet TV-IP110W Missing Authentication Check Security Bypass
Description: TrendNet TV-IP110W is a wireless security camera.
TrendNet TV-IP110W is exposed to a security bypass issue because an
authentication check is missing from the firmware.
Firmware versions prior to TrendNet TV-IP110W 1.1.0.93 are affected.
Ref: http://www.securityfocus.com/bid/38482
______________________________________________________________________

(c) 2010. All rights reserved. The information contained in this
newsletter, including any external links, is provided "AS IS," with no
express or implied warranty, for informational purposes only. In some
cases, copyright for material in this newsletter may be held by a
party other than Qualys (as indicated herein) and permission to use
such material must be requested from the copyright owner.

Subscriptions: RISK is distributed free of charge by the SANS Institute
to people responsible for managing and securing information systems and
networks. You may forward this newsletter to others with such
responsibility inside or outside your organization.

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.9 (Darwin)

iEYEARECAAYFAkuQEaIACgkQ+LUG5KFpTkY5PgCglV+H2213TrQJdY1TNyWef6yw
0y4AnjJ0AEj5Z4TzGB5JYs5RaX02hJuv
=VGIu
-----END PGP SIGNATURE-----