The most trusted source for computer security training, certification and research.

@RISK: The Consensus Security Vulnerability Alert

Volume: VII, Issue: 43
October 23, 2008

SANS Newsletters Home

The "big one" this week just happened a few hours ago when Microsoft announced an extra patch was coming out early to fix an RPC problem that is in XP and Vista (and other MS operating systems), meaning in tens of millions of systems. Kudos to Microsoft for acting quickly. The defenders need to act just as quickly.

In addition, many commercial email systems are at risk because they use libspf2 versions prior to 1.2.8. And the third critical vulnerability affects multiple security products from F-Secure. Alan

@RISK is the SANS community's consensus bulletin summarizing the most important vulnerabilities and exploits identified during the past week and providing guidance on appropriate actions to protect your systems (PART I). It also includes a comprehensive list of all new vulnerabilities discovered in the past week (PART II).

Summary of the vulnerabilities reported this week:

    • Category
    • # of Updates & Vulnerabilities
    • Platform Number of Updates and Vulnerabilities
    • - ------------------------ -------------------------------------
    • Microsoft Windows
    • 1 (#1)
    • Other Microsoft Products
    • 1
    • Third Party Windows Apps
    • 4 (#4, #5)
    • Linux
    • 2
    • Unix
    • 1
    • Cross Platform
    • 19 (#2, #3)
    • Web Application - Cross Site Scripting
    • 7
    • Web Application - SQL Injection
    • 31
    • Web Application
    • 18

*********************** Sponsored By Sourcefire, Inc. *******************

Best of Open Source Security (BOSS) Conference February 8-10, 2009 Flamingo Las Vegas

Be sure to register the first IT security conference dedicated to promoting open source security (OSS) technologies and the commercial products that embrace them.

This long overdue conference will bring together passionate OSS advocates and vendors under the same roof to share ideas and experiences.

For more information, visit http://www.sans.org/ info/34513"> http://www.sans.org/ info/34513

*************************************************************************

TRAINING UPDATE - - SANS CDI in Washington 30 courses; big security tools expo; lots of evening sessions: http://www.sans.org/ cdi08/ - - Monterey (10/31-11/6) http://www.sans.org/ info/30738 - - Sydney Australia (10/27-11/1) http://www.sans.org/ sydney08/ - - Vancouver (11/17-11/22) http://www.sans.org/ vancouver08/ and in 100 other cites and on line any time: www.sans.org

******************************************************************

Table Of Contents
Part II -- Comprehensive List of Newly Discovered Vulnerabilities from Qualys (www.qualys.com)
Other Microsoft Products
Third Party Windows Apps
Linux
Unix
Cross Platform
Web Application - Cross Site Scripting
Web Application - SQL Injection
Web Application
PART I Critical Vulnerabilities

Part I for this issue has been compiled by Rob King at TippingPoint, a division of 3Com, as a by-product of that company's continuous effort to ensure that its intrusion prevention products effectively block exploits using known vulnerabilities. TippingPoint's analysis is complemented by input from a council of security managers from twelve large organizations who confidentially share with SANS the specific actions they have taken to protect their systems. A detailed description of the process may be found at http://www.sans.org/newsletters/cva/#process

Widely Deployed Software
  • (2) CRITICAL: LibSPF2 DNS TXT Record Handling Buffer Overflow
  • Affected:
    • libspf2 versions prior to 1.2.8

  • Description: SPF is the Sender Policy Framework (formerly "Sender Permitted From"). SPF is a mechanism to help prevent unauthorized or undesired email messages ("spam") by indicating from what servers a domain can send email. Receiving mail servers can check SPF records exported via DNS records to determine if a server sending email from a domain is legitimately doing so. LibSPF2 is a popular implementation of the SPF protocol and is used by a variety of mail and DNS products. It contains a buffer overflow in its processing of SPF records exported from DNS. A specially crafted SPF record could trigger this vulnerability. In most common scenarios, an attacker could exploit this vulnerability by simply sending an email message to a sever known to check SPF records.; therefore no user interaction is required. Successfully exploiting this vulnerability would allow an attacker to execute arbitrary code with the privileges of the vulnerable process, often a high-privilege account. Full technical details and a proof-of-concept are publicly available for this vulnerability.

  • Status: Vendor confirmed, updates available.

  • References:
  • (3) CRITICAL: F-Secure Multiple Products RPM File Handling Integer Overflow
  • Affected:
    • Multiple F-Secure products; see vendor advisory

  • Description: The RPM Package Manager (formerly the Red Hat Package Manager, commonly "RPM") is a package manager used by a number of Linux- and Unix-based operating systems. Its packages are distributed in files referred to as "RPMs". A number of F-Secure malware scanning products contain an integer overflow when processing RPM packages. A specially crafted RPM package could trigger this overflow, leading to arbitrary code execution with the privileges of the vulnerable process. In situations where the vulnerable product is used to scan email messages, it is sufficient to have an email message transiting the server to trigger the vulnerability; no user interaction is necessary. Some technical details are publicly available for this vulnerability. Additionally, the RPM file format is open and well documented, making it amenable to fuzzing.

  • Status: Vendor confirmed, updates available.

  • References:
  • (4) HIGH: Trend Micro OfficeScan CGI Handling Buffer Overflow
  • Affected:
    • Trend Microsoft OfficeScan versions 8.0 SP1 and prior

  • Description: Trend Micro OfficeScan is a popular enterprise malware scanning application. It provides administrative and other facilities via a web interface, using the Common Gateway Interface (CGI). Some of the web interface CGI programs contain buffer overflow vulnerabilities in their handling of HTTP requests. A specially crafted request to the web interface could trigger one of these buffer overflows, allowing an attacker to execute arbitrary code with the privileges of the vulnerable process. Some technical details are publicly available for these vulnerabilities.

  • Status: Vendor confirmed, updates available.

  • References:
  • (5) HIGH: Hummingbird Multiple Vulnerabilities
  • Affected:
    • Hummingbird Deployment Wizard 10 ActiveX Control
    • Hummingbird Host Explorer ActiveX Control versions 8.0 and prior

  • Description: Hummingbird Host Explorer is a popular terminal access solution for remote systems, and the Hummingbird Deployment Wizard is a product used to deploy other Hummingbird products. Both products provide some of their functionality via ActiveX controls. These controls contain various vulnerabilities, including buffer overflow and input validation vulnerabilities. A specially crafted web page that instantiated one of these controls could trigger one of these vulnerabilities, allowing an attacker to execute arbitrary code with the privileges of the current user. Technical details are publicly available for these vulnerabilities. A proof-of-concept is also publicly available.

  • Status: No confirmed updates available. Users can disable the affected controls via Microsoft's "kill bit' mechanism. Note that this will affect normal application functionality.

  • References:
Part II: Weekly Comprehensive List of Newly Discovered Vulnerabilities
Week 43, 2008

This list is compiled by Qualys ( www.qualys.com ) as part of that company's ongoing effort to ensure its vulnerability management web service tests for all known vulnerabilities that can be scanned. As of this week Qualys scans for 5549 unique vulnerabilities. For this special SANS community listing, Qualys also includes vulnerabilities that cannot be scanned remotely.

  • 08.43.1 - CVE: CVE-2008-1547
  • Platform: Other Microsoft Products
  • Title: Microsoft Outlook Web Access for Exchange Server "redir.asp" URI Redirection
  • Description: Outlook Web Access (OWA) is a web mail component of Microsoft Exchange Server. Outlook Web Access is exposed to a remote URI redirection issue because it fails to properly sanitize user-supplied input in the "URL" parameter of the "redir.asp" script. Outlook Web Access version 6.5 SP 2 is affected.
  • Ref: http://www.securityfocus.com/archive/1/497374
  • 08.43.2 - CVE: Not Available
  • Platform: Third Party Windows Apps
  • Title: Hummingbird HostExplorer ActiveX Control "PlainTextPassword()" Buffer Overflow
  • Description: Hummingbird HostExplorer is terminal emulation software. HostExplorer includes an ActiveX control for Microsoft Windows clients. The application is exposed to a buffer overflow issue because it fails to perform adequate boundary checks on user-supplied input.
  • Ref: http://www.securityfocus.com/bid/31781
  • 10.0.0.44 - CVE: Not Available10 is affected.
  • Platform: Third Party Windows Apps
  • Title: Hummingbird Deployment Wizard 10 "DeployRun.dll" ActiveX Control Multiple Security Vulnerabilities
  • Description: Hummingbird Deployment Wizard 10 ActiveX control is an application used by Hummingbird products to aid in software installation and configuration. The ActiveX control provided by the "DeployRun.dll" file is exposed to multiple issues that attackers can exploit to run arbitrary code. Hummingbird Deployment Wizard version
  • Ref: http://support.microsoft.com/kb/240797
  • 08.43.4 - CVE: Not Available
  • Platform: Third Party Windows Apps
  • Title: Dart Communications PowerTCP FTP for ActiveX "DartFtp.dll" Buffer Overflow
  • Description: PowerTCP FTP for ActiveX is an ActiveX control that utilizes an FTP client. The application is exposed to a buffer overflow issue because it fails to perform adequate boundary checks on user-supplied input. PowerTCP FTP for ActiveX version 2.0.2.0 is affected.
  • Ref: http://www.securityfocus.com/bid/31814
  • 08.43.5 - CVE: Not Available
  • Platform: Third Party Windows Apps
  • Title: Symantec Altiris Deployment Solution Client User Interface Local Privilege Escalation
  • Description: Symantec Altiris Deployment Solution is software for deploying and managing servers, desktops, notebooks, thin clients, and handheld devices from a centralized location. It is available for Microsoft Windows. The application is exposed to a local privilege escalation issue. The problem occurs in the client graphical user interface (GUI).
  • Ref: http://www.symantec.com/avcenter/security/Content/2008.10.20a.html
  • 08.43.6 - CVE: CVE-2008-3831
  • Platform: Linux
  • Title: Linux Kernel i915 Driver "drivers/char/drm/i915_dma.c" Memory Corruption
  • Description: The Linux kernel is exposed to a memory corruption issue because of insufficient boundary checks in the i915 driver. This issue affects the "drivers/char/drm/i915_dma.c" source file and can be exploited with specially-crafted "DRM_I915_HWS_ADDR" IOCTL calls. Linux kernel versions 2.6.24.6 and earlier are affected.
  • Ref: http://www.securityfocus.com/bid/31792
  • 08.43.7 - CVE: CVE-2008-4618
  • Platform: Linux
  • Title: Linux Kernel SCTP Protocol Violation Remote Denial of Service
  • Description: The Linux kernel is exposed to a remote denial of service issue because it fails to handle SCTP protocol violations. This issue occurs when handling certain SCTP protocol violations resulting from invalid parameter lengths. Linux kernel versions prior to 2.6.27 are affected.
  • Ref: http://permalink.gmane.org/gmane.comp.security.oss.general/1079
  • 08.43.8 - CVE: Not Available
  • Platform: Unix
  • Title: Symantec Veritas File System "qioadmin" Local Information Disclosure
  • Description: Symantec Veritas File System (VxFS) is a commercial filesystem available for Unix and Unix like operating systems. The application is exposed to a local information disclosure issue that is present in the "qioadmin" utility for the Quick I/O for Database feature.
  • Ref: http://seer.entsupport.symantec.com/docs/310872.htm
  • 08.43.9 - CVE: CVE-2008-4473
  • Platform: Cross Platform
  • Title: Adobe Flash CS3 Professional SWF File Remote Code Execution
  • Description: Adobe Flash CS3 Professional is an application for creating Flash media files. Flash CS3 Professional is exposed to a remote code execution issue when processing specially crafted SWF files. Flash CS3 Professional for Microsoft Windows is affected.
  • Ref: http://www.securityfocus.com/archive/1/497397
  • 08.43.10 - CVE: CVE-2008-4575
  • Platform: Cross Platform
  • Title: jhead versions Prior to 2.84 Multiple Vulnerabilities
  • Description: jhead is an exif jpeg header manipulation tool. jhead is exposed to multiple remote issues. Attackers can exploit these issues to execute arbitrary code within the context of the affected application, crash the affected application, perform symbolic link attacks and overwrite arbitrary files on the affected computer. jhead versions prior to 2.84 are affected.
  • Ref: https://bugs.launchpad.net/ubuntu/+source/jhead/+bug/271020
  • 08.43.11 - CVE: CVE-2008-4412
  • Platform: Cross Platform
  • Title: Hewlett-Packard Systems Insight Manager Unspecified Unauthorized Access
  • Description: Hewlett Packard Systems Insight Manager (SIM) is a tool for managing HP servers. SIM is exposed to an unspecified unauthorized access issue. A remote attacker may exploit this issue to gain unauthorized access to data. SIM versions prior to 5.2 SP2 are affected.
  • Ref: http://www.securityfocus.com/bid/31777
  • 08.43.14 - CVE: Not Available
  • Platform: Cross Platform
  • Title: Apache HTTP Server OS Fingerprinting Unspecified Security
  • Description: Apache is an HTTP server available for various operating systems. The application is exposed to an unspecified security issue related to OS fingerprinting at the application level. Apache version 2.2.9 is affected.
  • Ref: http://www.securityfocus.com/archive/1/497506
  • 08.43.15 - CVE: Not Available
  • Platform: Cross Platform
  • Title: Hitachi JP1/File Transmission Server/FTP File Modification Unauthorized Access
  • Description: Hitachi JP1/File Transmission Server/FTP is an enterprise FTP application. Hitachi JP1/File Transmission Server/FTP is exposed to an issue that may allow attackers to modify file permissions.
  • Ref: http://www.hitachi.co.jp/Prod/comp/soft1/global/security/info/vuls/HS08-018/inde
    x.html
  • 08.43.16 - CVE: Not Available
  • Platform: Cross Platform
  • Title: Hitachi JP1/File Transmission Server/FTP Unspecified Denial of Service
  • Description: Hitachi JP1/File Transmission Server/FTP is exposed to an unspecified denial of service issue because it fails to properly handle unexpected data.
  • Ref: http://www.hitachi.co.jp/Prod/comp/soft1/global/security/info/vu s/HS08-017/index.html
  • 08.43.17 - CVE: Not Available
  • Platform: Cross Platform
  • Title: VLC Media Player TY File Stack-Based Buffer Overflow
  • Description: VLC is a cross-platform media player. VLC is exposed to a stack-based buffer overflow issue because it fails to perform adequate checks on user-supplied input. This occurs when the application parses specially-crafted TY files. VLC Media Player versions prior to 0.9.0 up to and including 0.9.4 are affected.
  • Ref: http://www.securityfocus.com/archive/1/497587
  • 08.43.18 - CVE: CVE-2008-4552
  • Platform: Cross Platform
  • Title: "nfs-utils" Package "hosts_ctl()" Security Bypass
  • Description: The "nfs-utils" package provides a daemon for the kernel NFS server and related tools. The application is exposed to a security bypass issue because of an error in the implementation of TCP wrappers. This issue is caused due to a wrong number of arguments passed to the "hosts_ctl()" function, causing TCP Wrappers to ignore netgroups. "nfs-utils" package version 1.0.9 is affected.
  • Ref: https://bugzilla.redhat.com/show_bug.cgi?id=458676
  • 08.43.19 - CVE: Not Available
  • Platform: Cross Platform
  • Title: MUSCLE "Message::AddToString()" Buffer Overflow
  • Description: MUSCLE (Multi User Server Client Linkage Environment) is a cross-platform client server messaging system. The library is exposed to a buffer overflow issue because it fails to perform adequate boundary checks on user-supplied data. MUSCLE version 4.30 is affected.
  • Ref: https://public.msli.com/lcs/muscle/muscle/HISTORY.txt
  • 08.43.20 - CVE: Not Available
  • Platform: Cross Platform
  • Title: FireGPG Insecure Temporary File Creation
  • Description: FireGPG is an add on providing GNU Privacy Guard (GPG) functionality for the Firefox web browser. FireGPG creates temporary files in an insecure manner. Specifically, when decrypting email, FireGPG creates temporary files with predictable names for the encrypted content, the decrypted content, and the user passphrase. FireGPG versions prior to 6.0 are affected.
  • Ref: http://www.securityfocus.com/archive/1/497547
  • 08.43.21 - CVE: CVE-2008-3248
  • Platform: Cross Platform
  • Title: Symantec Veritas File System "qiomkfile" Local Information Disclosure
  • Description: Symantec Veritas File System (VxFS) is a commercial filesystem available for Unix and Unix like operating systems. The application is exposed to an information disclosure issue which may result in sensitive information being made available to local attackers. Veritas File System versions prior to 5.0 MP3 are affected.
  • Ref: http://www.symantec.com/avcenter/security/Content/2008.10.20.html
  • 08.43.22 - CVE: Not Available
  • Platform: Cross Platform
  • Title: Multiple Vendor USB, PS/2 and Laptop Keyboard Electromagnetic Emanation Capture
  • Description: Keyboards from multiple vendors are exposed to an information disclosure issue because the devices do not adequately shield electromagnetic emanations. This issue affects USB, PS/2, and laptop keyboards manufactured between 2001 and 2008.
  • Ref: http://www.securityfocus.com/bid/31831
  • 08.43.23 - CVE: Not Available
  • Platform: Cross Platform
  • Title: RealVNC 4.1.2 "CMsgReader::readRect()" Remote Code Execution
  • Description: RealVNC (Virtual Network Computing) allows users to access remote computers for administration purposes. RealVNC Viewer is exposed to a remote code execution issue because it fails to adequately handle certain encoding types. RealVNC Free Edition versions prior to 4.1.3 are affected.
  • Ref: http://www.realvnc.com/products/free/4.1/release-notes.html
  • 08.43.24 - CVE: Not Available
  • Platform: Cross Platform
  • Title: Wireshark 1.0.3 Multiple Denial Of Service Vulnerabilities
  • Description: Wireshark (formerly Ethereal) is an application for analyzing network traffic; it is available for Microsoft Windows and UNIX like operating systems. Wireshark is exposed to multiple denial of service issues when handling certain types of packets and protocols in varying conditions. Wireshark versions 0.10.3 up to and including 1.0.3 are affected.
  • Ref: http://www.wireshark.org/security/wnpa-sec-2008-06.html
  • 08.43.25 - CVE: Not Available
  • Platform: Cross Platform
  • Title: IBM WebSphere Application Server Denial of Service And Security Bypass Vulnerabilities
  • Description: IBM WebSphere Application Server (WAS) is an application infrastructure used for service oriented architecture. The application is exposed to multiple issues. Successful exploits may allow attackers to hang the server causing a denial of service condition or bypass certain security restrictions. IBM WebSphere Application Server versions prior to 6.0.2.31 are affected.
  • Ref: http://www-01.ibm.com/support/docview.wss?uid=swg27006876
  • 08.43.26 - CVE: Not Available
  • Platform: Cross Platform
  • Title: F-Secure Multiple Products RPM File Integer Overflow
  • Description: Multiple F-Secure products are exposed to an integer overflow issue because the applications fail to properly handle user-supplied input. Specifically, the issue occurs when an affected application parses a specially-crafted malicious RPM archive file.
  • Ref: http://www.f-secure.com/security/fsc-2008-3.shtml
  • 08.43.27 - CVE: Not Available
  • Platform: Cross Platform
  • Title: Symantec Altiris Deployment Solution Clear Text Password Local Information Disclosure
  • Description: Symantec Altiris Deployment Solution is software for deploying and managing servers, desktops, and notebooks. The application is exposed to a local information disclosure issue because it stores Application Identity Account passwords in clear text on the affected computer. Symantec Altiris Deployment Solution versions prior to 6.9.355 are affected.
  • Ref: http://www.symantec.com/avcenter/security/Content/2008.10.20b.html
  • 08.43.28 - CVE: Not Available
  • Platform: Web Application - Cross Site Scripting
  • Title: Elxis CMS "index.php" Multiple Cross-Site Scripting and Session Fixation Vulnerabilities
  • Description: Elxis CMS is a content manager. The application is exposed to multiple cross-site scripting issues because it fails to sufficiently sanitize user-supplied input. Elxis CMS version 2006.1 is affected.
  • Ref: http://www.securityfocus.com/bid/31764
  • 08.43.29 - CVE: Not Available
  • Platform: Web Application - Cross Site Scripting
  • Title: Habari "habari_username" Parameter Cross-Site Scripting
  • Description: Habari is a PHP based content manager. The application is exposed to a cross-site scripting issue because it fails to sufficiently sanitize user-supplied input to the "habari_username" parameter. Habari version 0.5.1 is affected.
  • Ref: http://www.securityfocus.com/bid/31794
  • 08.43.30 - CVE: Not Available
  • Platform: Web Application - Cross Site Scripting
  • Title: WebGUI Security Bypass and Multiple Cross-Site Scripting Vulnerabilities
  • Description: WebGUI is a web-based content manager. The application is exposed to multiple issues. WebGUI version 7.5.25 is affected.
  • Ref: http://www.webgui.org/getwebgui/advisories/webgui-7.5.26-stable-released
  • 08.43.31 - CVE: CVE-2008-4121
  • Platform: Web Application - Cross Site Scripting
  • Title: cpCommerce Multiple Cross-Site Scripting Vulnerabilities
  • Description: cpCommerce is a PHP based e-commerce application. The application is exposed to multiple cross-site scripting issues because it fails to properly sanitize user-supplied input. cpCommerce versions prior to 1.2.4 are affected.
  • Ref: http://www.securityfocus.com/archive/1/497545
  • 08.43.32 - CVE: Not Available
  • Platform: Web Application - Cross Site Scripting
  • Title: Movable Type Prior to Version 4.22 Unspecified Cross-Site Scripting
  • Description: Movable Type is a web-log application written in PERL. Movable Type is exposed to an unspecified cross-site scripting issue because it fails to sufficiently sanitize user-supplied data. This issue affects the application management section of the application. Movable Type versions prior to 4.22 are affected.
  • Ref: http://www.securityfocus.com/bid/31826
  • 08.43.33 - CVE: Not Available
  • Platform: Web Application - Cross Site Scripting
  • Title: MyNETS Unspecified Cross-Site Scripting
  • Description: MyNETS is a web-based application. MyNETS is exposed to an unspecified cross-site scripting issue because it fails to properly sanitize user-supplied input. An attacker may leverage this issue to execute arbitrary script code in the browser of an unsuspecting user in the context of the affected site.
  • Ref: http://www.securityfocus.com/bid/31835
  • 08.43.34 - CVE: Not Available
  • Platform: Web Application - Cross Site Scripting
  • Title: Wysi Wiki Wyg "index.php" Cross-Site Scripting
  • Description: Wysi Wiki Wyg is a PHP based wiki application. The application is exposed to a cross-site scripting issue because it fails to sufficiently sanitize user-supplied input passed to the "s" parameter of the "index.php" script.
  • Ref: http://www.securityfocus.com/bid/31836
  • 08.43.35 - CVE: Not Available
  • Platform: Web Application - SQL Injection
  • Title: AstroSPACES "profile.php" SQL Injection
  • Description: AstroSPACES is a web-based social networking application. The application is exposed to an SQL injection issue because it fails to sufficiently sanitize user-supplied data to the "id" parameter of the "profile.php" script before using it in an SQL query.
  • Ref: http://www.securityfocus.com/bid/31771
  • 08.43.36 - CVE: Not Available
  • Platform: Web Application - SQL Injection
  • Title: PhpWebGallery "comments.php" SQL Injection and Code Execution Vulnerabilities
  • Description: PhpWebGallery is a PHP based photo gallery. The application is exposed to an SQL injection issue because it fails to sufficiently sanitize user-supplied data to the "sort_by" parameter of the "comments.php" script before using it in an SQL query. PhpWebGallery versions up to and including 1.7.2 are affected.
  • Ref: http://www.securityfocus.com/bid/31762
  • 08.43.37 - CVE: Not Available
  • Platform: Web Application - SQL Injection
  • Title: MyPHPDating "success_story.php" SQL Injection
  • Description: MyPHPDating is a PHP based application. The application is exposed to an SQL injection issue because it fails to sufficiently sanitize user-supplied data to the "id" parameter of the "success_story.php" script before using it in an SQL query.
  • Ref: http://www.securityfocus.com/bid/31763
  • 08.43.38 - CVE: Not Available
  • Platform: Web Application - SQL Injection
  • Title: myStats Security Bypass and SQL Injection Vulnerabilities
  • Description: myStats is a web-based application. The application is exposed to multiple security issues.
  • Ref: http://www.securityfocus.com/bid/31772
  • 08.43.39 - CVE: Not Available
  • Platform: Web Application - SQL Injection
  • Title: myEvent "viewevent.php" SQL Injection
  • Description: myEvent is a web-based application. The application is exposed to an SQL injection issue because it fails to sufficiently sanitize user-supplied data to the "eventdate" parameter of the "viewevent.php" script before using it in an SQL query. myEvent version 1.6 is affected.
  • Ref: http://www.securityfocus.com/bid/31773
  • 08.43.40 - CVE: Not Available
  • Platform: Web Application - SQL Injection
  • Title: SweetCMS "index.php" SQL Injection
  • Description: SweetCMS is a web-based content manager. The application is exposed to an SQL injection issue because it fails to sufficiently sanitize user-supplied data to the "page" parameter of the "index.php" script before using it in an SQL query. SweetCMS version 1.5.2 is affected.
  • Ref: http://www.securityfocus.com/bid/31774
  • 08.43.41 - CVE: Not Available
  • Platform: Web Application - SQL Injection
  • Title: WEB//NEWS Multiple SQL Injection Vulnerabilities
  • Description: WEB//NEWS is a web-based news script. The application is exposed to multiple SQL injection issues because it fails to sufficiently sanitize user-supplied input. WEB//NEWS versions prior to 1.4.1a are affected.
  • Ref: http://www.securityfocus.com/archive/1/497399
  • 08.43.42 - CVE: Not Available
  • Platform: Web Application - SQL Injection
  • Title: Drupal Node Vote Module Cast Vote SQL Injection
  • Description: Drupal Node Vote is a voting module for the Drupal content manager. The application is exposed to an SQL injection issue because it fails to sufficiently sanitize user-supplied data. This issue occurs in an unspecified field when changing a previous cast vote.
  • Ref: http://drupal.org/node/321685
  • 08.43.43 - CVE: Not Available
  • Platform: Web Application - SQL Injection
  • Title: IP Reg "locationdel.php" SQL Injection
  • Description: IP Reg is an IPAM tool to keep track of assets and nodes (IP addresses, MAC addresses, DNS aliases) within different subnets over different locations or VLANs. The application is exposed to an SQL injection issue because it fails to properly sanitize user-supplied input to the "location_id" parameter of the "locationdel.php" script before using it in SQL queries. IP Reg version 0.4 is affected.
  • Ref: http://www.securityfocus.com/bid/31781
  • 08.43.44 - CVE: Not Available
  • Platform: Web Application - SQL Injection
  • Title: Mosaic Commerce "category.php" SQL Injection
  • Description: Mosaic Commerce is a PHP based e-commerce application. The application is exposed to an SQL injection issue because it fails to sufficiently sanitize user-supplied data to the "cid" parameter of the "category.php" script before using it in an SQL query.
  • Ref: http://www.securityfocus.com/bid/31782
  • 08.43.45 - CVE: Not Available
  • Platform: Web Application - SQL Injection
  • Title: CafeEngine "id" Parameter Multiple SQL Injection Vulnerabilities
  • Description: CafeEngine is online cafe management software. The application is exposed to multiple SQL injection issues because it fails to sufficiently sanitize user-supplied data to the "id" parameter of these scripts: "dish.php" and "menu.php".
  • Ref: http://www.securityfocus.com/bid/31786
  • 08.43.46 - CVE: Not Available
  • Platform: Web Application - SQL Injection
  • Title: CafeEngine Easy Cafe Engine "itemid" Parameter SQL Injection
  • Description: CafeEngine Easy Cafe Engine is a PHP-based application for managing cafe web pages. The application is exposed to an SQL injection issue because it fails to sufficiently sanitize user-supplied data to the "itemid" parameter of the "index.php" script before using it in an SQL query. Easy Cafe Engine version 1.1 is affected.
  • Ref: http://www.securityfocus.com/bid/31788
  • 08.43.47 - CVE: Not Available
  • Platform: Web Application - SQL Injection
  • Title: ShiftThis Newsletter WordPress Plugin "stnl_iframe.php" SQL Injection
  • Description: ShiftThis Newsletter is a plugin for the WordPress web log application. The plugin is exposed to an SQL injection issue because it fails to sufficiently sanitize user-supplied data to the "newsletter" parameter of the "plugins/st_newsletter/stnl_iframe.php" script before using it in an SQL query.
  • Ref: http://www.securityfocus.com/bid/31806
  • 08.43.48 - CVE: Not Available
  • Platform: Web Application - SQL Injection
  • Title: Zeeproperty "bannerclick.php" SQL Injection
  • Description: Zeeproperty is a real estate portal application. The application is exposed to an SQL injection issue because it fails to sufficiently sanitize user-supplied data to the "adid" parameter of the "bannerclick.php" script before using it in an SQL query.
  • Ref: http://www.securityfocus.com/bid/31807
  • 08.43.49 - CVE: Not Available
  • Platform: Web Application - SQL Injection
  • Title: XOOPS GesGaleri Module "index.php" SQL Injection
  • Description: GesGaleri is a gallery module for the XOOPS content management system. The application is exposed to an SQL injection issue because it fails to sufficiently sanitize user-supplied data to the "kategorino" parameter of the "index.php" script before using it in an SQL query.
  • Ref: http://www.securityfocus.com/bid/31808
  • 08.43.50 - CVE: Not Available
  • Platform: Web Application - SQL Injection
  • Title: Meeting Room Booking System "month.php" SQL Injection
  • Description: Meeting Room Booking System is a web-based application. The application is exposed to an SQL injection issue because it fails to sufficiently sanitize user-supplied data to the "area" parameter of the "month.php" script before using it in an SQL query. Meeting Room Booking System version 1.4 is affected.
  • Ref: http://www.securityfocus.com/bid/31809
  • 08.43.51 - CVE: Not Available
  • Platform: Web Application - SQL Injection
  • Title: myWebland miniBloggie "del.php" SQL Injection
  • Description: miniBloggie is a web log application. The application is exposed to an SQL injection issue because it fails to sufficiently sanitize user-supplied data to the "post_id" parameter of the "del.php" script before using it in an SQL query. miniBloggie version 1.0 is affected.
  • Ref: http://www.securityfocus.com/bid/31810
  • 08.43.52 - CVE: Not Available
  • Platform: Web Application - SQL Injection
  • Title: Nice Talk Joomla! Component "tagid" Parameter SQL Injection
  • Description: Nice Talk is a PHP-based component for the Joomla! content manager. The application is exposed to an SQL injection issue because it fails to sufficiently sanitize user-supplied data to the "tagid" parameter.
  • Ref: http://www.securityfocus.com/bid/31818
  • 08.43.53 - CVE: Not Available
  • Platform: Web Application - SQL Injection
  • Title: DS-Syndicate Joomla! Component "feed_id" Parameter SQL Injection
  • Description: DS-Syndicate is a PHP-based component for the Joomla! content manager. The application is prone to an SQL injection vulnerability because it fails to sufficiently sanitize user-supplied data to the "feed_id" parameter.
  • Ref: http://www.securityfocus.com/bid/31819
  • 08.43.54 - CVE: Not Available
  • Platform: Web Application - SQL Injection
  • Title: Woltlab Burning Board rGallery Plugin "itemID" Parameter SQL Injection
  • Description: The rGallery plugin for Woltlab Burning Board is a web-based application. The application is exposed to an SQL injection issue because it fails to sufficiently sanitize user-supplied data to the "itemID" parameter of the "RGalleryImageWrapper" page. rGallery version 1.09 is affected.
  • Ref: http://www.securityfocus.com/bid/31820
  • 08.43.55 - CVE: Not Available
  • Platform: Web Application - SQL Injection
  • Title: e107 CMS
  • Description: e107 CMS is a PHP-based content manager. The application is exposed to an SQL injection issue because it fails to sufficiently sanitize user-supplied data to the "ue[]" array parameter of the "usersettings.php" script before using it in an SQL query. e107 CMS versions 0.7.13 and earlier are affected.
  • Ref: http://www.securityfocus.com/bid/31821
  • 08.43.56 - CVE: Not Available
  • Platform: Web Application - SQL Injection
  • Title: Jetbox CMS Multiple SQL Injection Vulnerabilities
  • Description: Jetbox CMS is a content manager. The application is exposed to multiple SQL injection issues because it fails to sufficiently sanitize user-supplied data. Jetbox CMS version 2.1 is affected.
  • Ref: http://www.digitrustgroup.com/advisories/web-application-security-jetbox
  • 08.43.57 - CVE: Not Available
  • Platform: Web Application - SQL Injection
  • Title: PHP-Nuke Sarkilar Module "id" Parameter SQL Injection
  • Description: Sarkilar is a plugin for PHP Nuke. The application is exposed to an SQL injection issue because it fails to sufficiently sanitize user-supplied data to the "id" parameter before using it in an SQL query.
  • Ref: http://www.securityfocus.com/bid/31830
  • 08.43.58 - CVE: Not Available
  • Platform: Web Application - SQL Injection
  • Title: Makale XOOPS Module "makale.php" SQL Injection
  • Description: The "makale" module is a PHP-based application for the XOOPS content manager. The application is exposed to an SQL injection issue because it fails to sufficiently sanitize user-supplied data to the "id" parameter of the "modules/makale/makale.php" script before using it in an SQL query. The "makale" XOOPS module update025 is affected.
  • Ref: http://www.securityfocus.com/bid/31834
  • 08.43.59 - CVE: Not Available
  • Platform: Web Application - SQL Injection
  • Title: Limbo CMS "open.php" SQL Injection
  • Description: Limbo CMS is a content manager. The application is exposed to an SQL injection issue because it fails to sufficiently sanitize user-supplied data to the "id" parameter in the "com_privmsg/open.php" before using it in an SQL query.
  • Ref: http://www.securityfocus.com/bid/31837
  • 08.43.60 - CVE: Not Available
  • Platform: Web Application - SQL Injection
  • Title: TYPO3 JobControl Extension Unspecified SQL Injection
  • Description: JobControl is an extension for the TYPO3 content manager. JobControl is not a part of the TYPO3 default installation. The application is exposed to an SQL injection issue because it fails to sufficiently sanitize input before using it in an SQL query. TYPO3 JobControl versions up to and including 1.15.4 are affected.
  • Ref: http://typo3.org/teams/security/security-bulletins/typo3-20081020-1/
  • 08.43.61 - CVE: Not Available
  • Platform: Web Application - SQL Injection
  • Title: TYPO3 Econda Plugin Extension Unspecified SQL Injection
  • Description: Econda Plugin is an extension for the TYPO3 content manager. Econda Plugin is not a part of the TYPO3 default installation. The application is exposed to an SQL injection issue because it fails to sufficiently sanitize input before using it in an SQL query. TYPO3 Econda Plugin versions up to and including 0.0.4 are affected.
  • Ref: http://typo3.org/teams/security/security-bulletins/typo3-20081020-1/
  • 08.43.62 - CVE: Not Available
  • Platform: Web Application - SQL Injection
  • Title: TYPO3 Frontend Users View Extension Unspecified SQL Injection
  • Description: Frontend Users View is an extension for the TYPO3 content manager. Frontend Users View is not a part of the TYPO3 default installation. The application is exposed to an SQL injection issue because it fails to sufficiently sanitize input before using it in an SQL query. TYPO3 Frontend Users View versions up to and including 0.1.6 are affected.
  • Ref: http://typo3.org/teams/security/security-bulletins/typo3-20081020-1/
  • 08.43.63 - CVE: Not Available
  • Platform: Web Application - SQL Injection
  • Title: TYPO3 Mannschaftsliste Extension Unspecified SQL Injection
  • Description: Mannschaftsliste is an extension for the TYPO3 content manager. Mannschaftsliste is not a part of the TYPO3 default installation. The application is exposed to an SQL injection issue because it fails to sufficiently sanitize input before using it in an SQL query. TYPO3 Mannschaftsliste versions up to and including 1.0.3 are affected.
  • Ref: http://typo3.org/teams/security/security-bulletins/typo3-20081020-1/
  • 08.43.64 - CVE: Not Available
  • Platform: Web Application - SQL Injection
  • Title: TYPO3 M1 Intern Extension Unspecified SQL Injection
  • Description: M1 Intern is an extension for the TYPO3 content manager. M1 Intern is not a part of the TYPO3 default installation. The application is exposed to an SQL injection issue because it fails to sufficiently sanitize input before using it in an SQL query. TYPO3 M1 Intern version 1.0.0 is affected.
  • Ref: http://typo3.org/teams/security/security-bulletins/typo3-20081020-1/
  • 08.43.65 - CVE: Not Available
  • Platform: Web Application - SQL Injection
  • Title: TYPO3 Simple survey Extension Unspecified SQL Injection
  • Description: TYPO3 Simple survey is a PHP-based survey application. The application is exposed to an SQL injection issue because it fails to sufficiently sanitize input before using it in an SQL query. TYPO3 Simple survey versions 1.7.0 and prior are vulnerable.
  • Ref: http://typo3.org/teams/security/security-bulletins/typo3-20081020-1/
  • 08.43.66 - CVE: Not Available
  • Platform: Web Application
  • Title: myPHPNuke "displayCategory.php" Multiple Remote File Include Vulnerabilities
  • Description: MyPHPNuke is a PHP-based content manager. The application is exposed to multiple remote file include issues because it fails to sufficiently sanitize user-supplied input to the "basepath" and "adminpath" parameters of the "gallery/displayCategory.php" script. MyPHPNuke version 188_8 rc2 is affected.
  • Ref: http://www.securityfocus.com/bid/31778
  • 08.43.67 - CVE: Not Available
  • Platform: Web Application
  • Title: Drupal Node Clone Module Information Disclosure
  • Description: Node Clone module is a module for Drupal that allows users to copy existing items of content (nodes). The application is exposed to an information disclosure issue because it fails to restrict access to certain portions of the affected application.
  • Ref: http://drupal.org/node/321737
  • 08.43.68 - CVE: Not Available
  • Platform: Web Application
  • Title: Kure Multiple Local File Include Vulnerabilities
  • Description: Kure is a web log application. The application is exposed to multiple local file include issues because it fails to properly sanitize user-supplied input to the "post" and "doc" parameters of the "index.php" script. Kure version 0.6.3 is affected.
  • Ref: http://www.securityfocus.com/bid/31785
  • 08.43.69 - CVE: Not Available
  • Platform: Web Application
  • Title: Mic_blog SQL Injection and Unauthorized Access Vulnerabilities
  • Description: Mic_blog is a blog application. The application is exposed to multiple remote issues. An SQL injection issue affects the "cat" parameter of the "category.php" script. An unauthorized access issue permits attackers to add administrative accounts to the affected application. Mic_blog version 0.0.3 is affected.
  • Ref: http://www.securityfocus.com/bid/31812
  • 08.43.70 - CVE: Not Available
  • Platform: Web Application
  • Title: Mantis "manage_proj_page.php" PHP Code Injection
  • Description: Mantis is a web-based bug tracking system. Mantis is exposed to an issue that lets attackers inject arbitrary PHP code. The issue occurs because the application fails to properly sanitize user-supplied input to the "sort" parameter of the "manage_proj_page.php" script. Mantis versions 1.1.3 and earlier are affected.
  • Ref: http://www.securityfocus.com/bid/31789
  • 08.43.71 - CVE: Not Available
  • Platform: Web Application
  • Title: Calendars for the Web Security Bypass
  • Description: Calendars for the Web is a web-based application. The application is exposed to a security bypass issue. Specifically, the vulnerability exists in the administration page because the application saves the past session. Calendars for the Web version 4.01 is affected.
  • Ref: http://www.securityfocus.com/bid/31791
  • 08.43.72 - CVE: Not Available
  • Platform: Web Application
  • Title: XOOPS "hisa_cart" Module Remote Information Disclosure
  • Description: "hisa_cart" is a module for XOOPS content manager. The module is exposed to a remote information disclosure issue due to an unspecified error. "hisa_cart" versions prior to 1.29 are affected.
  • Ref: http://www.securityfocus.com/bid/31795
  • 08.43.73 - CVE: Not Available
  • Platform: Web Application
  • Title: Post Affiliate Pro "index.php" Local File Include
  • Description: Post Affiliate Pro is an affiliate management application. The application is exposed to a local file include issue because it fails to properly sanitize user-supplied input to the "md" parameter of the "index.php" script. Post Affiliate Pro version 2.0 is affected.
  • Ref: http://www.securityfocus.com/bid/31796
  • 08.43.74 - CVE: Not Available
  • Platform: Web Application
  • Title: Slaytanic Scripts Content Plus Version 2.1.1 Multiple Unspecified Vulnerabilities
  • Description: Slaytanic Scripts Content Plus is an enhancement distribution for PHP Nuke. The application is exposed to multiple issues caused by unspecified errors. Slaytanic Scripts Content Plus version 2.1.1 is affected.
  • Ref: http://sourceforge.net/project/shownotes.php?release_id=632842
  • 08.43.75 - CVE: Not Available
  • Platform: Web Application
  • Title: FlashChat "connection.php" Role Filter Security Bypass
  • Description: FlashChat is a chat room application. The application is exposed to a security bypass issue that may allow attackers to gain administrative access to the affected application. This issue affects the "s" parameter of the "connection.php" script.
  • Ref: http://www.securityfocus.com/archive/1/497474
  • 08.43.76 - CVE: Not Available
  • Platform: Web Application
  • Title: phpFastNews Cookie Authentication Bypass
  • Description: phpFastNews is a web-based news application. The application is exposed to an authentication bypass issue because it fails to adequately verify user-supplied input used for cookie-based authentication. phpFastNews version 1.0.0 is affected.
  • Ref: http://www.securityfocus.com/bid/31811
  • 08.43.77 - CVE: Not Available
  • Platform: Web Application
  • Title: FCKeditor "command.php" Arbitrary File Upload
  • Description: FCKeditor is an online text/DHTML editor. FCKeditor is exposed to an arbitrary file upload issue because it fails to adequately sanitize user-supplied input. This issue affects the "editor/filemanager/browser/default/connectors/php/connector.php" script.
  • Ref: http://www.securityfocus.com/bid/31812
  • 08.43.78 - CVE: Not Available
  • Platform: Web Application
  • Title: Vivvo Article Management "classified_path" Parameter Remote File Include
  • Description: Vivvo Article Management is a content manager. The application is exposed to a remote file include issue because it fails to properly sanitize user-supplied input to the "classified_path" parameter of the "HTML_function.php" script. Vivvo Article Management versions 3.2 and earlier are affected.
  • Ref: http://www.securityfocus.com/bid/31815
  • 08.43.79 - CVE: Not Available
  • Platform: Web Application
  • Title: HP SiteScope SNMP Trap HTML Injection
  • Description: HP SiteScope is an agentless distribution system for IT infrastructure. The web interface is prone to an HTML injection issue because it fails to properly sanitize input from received SNMP trap messages. HP SiteScope version 9.0 build 911 is affected.
  • Ref: http://www.securityfocus.com/archive/1/497548
  • 08.43.80 - CVE: Not Available
  • Platform: Web Application
  • Title: Fast Click SQL Lite "init.php" Remote File Include
  • Description: Fast Click SQL Lite is an application that counts web site visitors. The application is exposed to a remote file include issue because it fails to properly sanitize user-supplied input to the "CFG[CDIR]" parameter of the "init.php" script. Fast Click SQL Lite version 1.1.7 is affected.
  • Ref: http://www.securityfocus.com/bid/31817
  • 08.43.81 - CVE: Not Available
  • Platform: Web Application
  • Title: Midgard Components Framework Multiple Unspecified Vulnerabilities
  • Description: Midgard Components Framework is a PHP based web development component library. The library is exposed to multiple issues caused by unspecified errors. Midgard Components Framework versions prior to 8.09.1 are affected.
  • Ref: http://freshmeat.net/projects/midcom/?branch_id=38063&release_id=286210
  • 08.43.82 - CVE: Not Available
  • Platform: Web Application
  • Title: yappa-ng "album" Parameter Local File Include
  • Description: yappa-ng is a photo album application. The application is exposed to a local file include issue because it fails to properly sanitize user-supplied input to the "album" parameter of the "index.php" script. yappa-ng version 2.3.2 is affected.
  • Ref: http://www.securityfocus.com/bid/31828
  • 08.43.83 - CVE: Not Available
  • Platform: Web Application
  • Title: Opera Web Browser HTML Injection and Cross-Site Scripting Vulnerabilities
  • Description: Opera Web Browser is a browser that runs on multiple operating systems. The application is prone to HTML injection and cross-site scripting issues because it fails to properly sanitize user-supplied input. Opera Web Browser versions prior to 9.61 are affected.
  • Ref: http://www.opera.com/support/search/view/905/

(c) 2008. All rights reserved. The information contained in this newsletter, including any external links, is provided "AS IS," with no express or implied warranty, for informational purposes only. In some cases, copyright for material in this newsletter may be held by a party other than Qualys (as indicated herein) and permission to use such material must be requested from the copyright owner.Subscriptions:

@RISK is distributed free of charge by the SANS Institute to people responsible for managing and securing information systems and networks. You may forward this newsletter to others with such responsibility inside or outside your organization.

SANS never fails to provide top level training that is worth every penny.
-Tyler Hudak, Yellow Roadway Tech

SANS Security West 2010

Contact us: (301) 654-SANS(7267)
Monday - Friday 9am-8pm EST/EDT