*************************************************************************

         @RISK: The Consensus Security Vulnerability Alert

July 24, 2008                                             Vol. 7. Week 30

*************************************************************************

@RISK is the SANS community's consensus bulletin summarizing the most important vulnerabilities and exploits identified during the past week and providing guidance on appropriate actions to protect your systems (PART I). It also includes a comprehensive list of all new vulnerabilities discovered in the past week (PART II).

 

Summary of Updates and Vulnerabilities in this Consensus

Platform                        Number of Updates and Vulnerabilities

------------------------        -------------------------------------

Windows                                          1

Third Party Windows Apps                         4

Mac Os                                           1

Linux                                            2

Cross Platform                                  10 (#1, #2, #3, #4)

Web Application - Cross Site Scripting           4

Web Application - SQL Injection                 14

Web Application                                 15

 

*************************************************************************

 

Table Of Contents

Part I -- Critical Vulnerabilities from TippingPoint (http://www.tippingpoint.com/)

 

Widely Deployed Software

(1) CRITICAL: Mozilla Products Memory Corruption Vulnerability

(2) CRITICAL: Sun Java Web Start Multiple Vulnerabilities

(3) CRITICAL: Oracle WebLogic Apache Connector Buffer Overflow

(4) EXPLOIT: Multiple DNS Cache Poisoning Exploits

 

Part II -- Comprehensive List of Newly Discovered Vulnerabilities from Qualys (http://www.qualys.com/)

 

 -- Windows

08.30.1  - Microsoft Windows Vista Shutdown Button Local Security Bypass

 -- Third Party Windows Apps

08.30.2  - PPMate PPMedia Class ActiveX Control Remote Buffer Overflow

08.30.3  - MediaMonkey URI Handling Multiple Denial of Service Vulnerabilities

08.30.4  - BitComet URI Handling Remote Denial of Service

08.30.5  - QuickPlayer ".m3u" File Buffer Overflow

 -- Mac Os

08.30.6  - Mozilla Firefox Mac OS X GIF Rendering Memory Corruption

 -- Linux

08.30.7  - Debian OpenSSH SELinux Privilege Escalation

08.30.8  - zypp-refresh-patches wrapper XML Repository Corruption

 -- Cross Platform

08.30.9  - Oracle Weblogic Server Apache Connector Remote Buffer Overflow

08.30.10 - IBM WebSphere Application Server "PropFilePasswordEncoder" Unspecified

08.30.11 - HP Select Identity Bidirectional LDAP Connector Remote Unauthorized Access

08.30.12 - F-PROT Antivirus CHM File Remote Denial of Service

08.30.13 - F-PROT Antivirus Multiple File Processing Remote Denial of Service Vulnerabilities

08.30.14 - Velocity Security Management System HTTP Server Directory Traversal

08.30.15 - Spring Framework Multiple Remote Vulnerabilities

08.30.16 - CGI::Session "CGISESSID" Cookie Value Directory Traversal

08.30.17 - OpenLink Virtuoso Multiple Denial Of Service Vulnerabilities

08.30.18 - SmbClientParser Perl Module Remote Command Execution

 -- Web Application - Cross Site Scripting

08.30.19 - IBS "username" Parameter Cross Site Scripting

08.30.20 - LunarNight Laboratory WebProxy Cross Site Scripting

08.30.21 - phpFreeChat "demo21_with_hardcoded_urls.php" Cross Site Scripting

08.30.22 - MoinMoin "AdvancedSearch.py" Multiple Cross-Site Scripting Vulnerabilities

 -- Web Application - SQL Injection

08.30.23 - phpHoo3 "phpHoo3.php" SQL Injection

08.30.24 - AlstraSoft Video Share Enterprise "album.php" SQL Injection

08.30.25 - AlstraSoft Article Manager Pro "contact_author.php" SQL Injection

08.30.26 - Arctic Issue Tracker "filter" Parameter SQL Injection

08.30.27 - preCMS "id" Parameter SQL Injection

08.30.28 - HockeySTATS Online "index.php" Multiple SQL Injection Vulnerabilities

08.30.29 - Joomla! and Mambo DT Register Component "eventId" Parameter SQL Injection

08.30.30 - AlstraSoft Affiliate Network Pro "pgm" Parameter SQL Injection

08.30.31 - tplSoccerSite Multiple SQL Injection Vulnerabilities

08.30.32 - Def_Blog "article" Parameter Multiple SQL Injection Vulnerabilities

08.30.33 - Siteframe "folder.php" SQL Injection

08.30.34 - Aprox CMS Engine "index.php" SQL Injection

08.30.35 - PHPFootball "show.php" SQL Injection

08.30.36 - Zoph Multiple SQL Injection Vulnerabilities

 -- Web Application

08.30.37 - Claroline Multiple Unspecified Security Vulnerabilities

08.30.38 - Community CMS "include.php" Remote File Include

08.30.39 - Afuse "afuse.c" Shell Command Injection

08.30.40 - Galatolo WebManager Cookie Authentication Bypass

08.30.41 - PhotoPost vBGallery "upload.php" Arbitrary File Upload

08.30.42 - PHPizabi "v_cron_proc.php" Arbitrary Script Injection Vulnerabilities

08.30.43 - Evaria ECMS "DOCUMENT_ROOT" Parameter Multiple Remote File Include Vulnerabilities

08.30.44 - OpenPro "search_wA.php" Remote File Include

08.30.45 - Simple Machines Forum Multiple Unspecified "html-tag" and Random Generator Seeding Vulnerabilities

08.30.46 - FormEncode "chained_validators" Class Security Bypass

08.30.47 - CreaCMS Multiple Remote File Include Vulnerabilities

08.30.48 - Lemon CMS "browser.php" Local File Include

08.30.49 - Stash Cookie Authentication Bypass

08.30.50 - SWAT 4 Multiple Denial of Service Vulnerabilities

08.30.51 - phpScheduleIt "useLogonName" Security Bypass

 

______________________________________________________________________

 

PART I Critical Vulnerabilities

 

Part I for this issue has been compiled by Rob King at TippingPoint, a division of 3Com, as a by-product of that company's continuous effort to ensure that its intrusion prevention products effectively block exploits using known vulnerabilities. TippingPoint's analysis is complemented by input from a council of security managers from twelve large organizations who confidentially share with SANS the specific actions they have taken to protect their systems. A detailed description of the process may be found at http://www.sans.org/newsletters/cva/#process

 

*****************************

Widely Deployed Software

*****************************

 

(1) CRITICAL: Mozilla Products Memory Corruption Vulnerability

Affected:

Mozilla Firefox versions prior to 3.0.1

Mozilla Thunderbird versions prior to 2.0.0.16

Mozilla SeaMonkey versions prior to 1.1.11

 

Description: Products based on the Mozilla codebase, including the popular Firefox web browser, contain a memory corruption vulnerability.

A specially crafted web page containing a script that manipulates CSS objects could trigger this vulnerability. Successfully exploiting this vulnerability would allow an attacker to execute arbitrary code with the privileges of the current user. Full technical details are publicly available for this vulnerability via various advisories and through source code analysis. Note that Thunderbird is not believed to be vulnerable in its default configuration.

 

Status: Vendor confirmed, updates available.

 

References:

Zero Day Initiative Advisory

http://zerodayinitiative.com/advisories/ZDI-08-044/

Mozilla Security Advisory

http://www.mozilla.org/security/announce/2008/mfsa2008-34.html

Mozilla Home Page

http://www.mozilla.org/

SecurityFocus BID

http://www.securityfocus.com/bid/29802

 

***************************************************

 

(2) CRITICAL: Sun Java Web Start Multiple Vulnerabilities

Affected:

Sun Java Runtime Environment versions 6u7 and prior

 

Description: Java Web Start is a technology using Sun's Java Runtime Environment to automatically launch applications distributed via the web. It contains multiple vulnerabilities in its handling of these applications. A specially crafted Java applet using Java Web Start could trigger one of these vulnerabilities, leading to arbitrary code execution with the privileges of the current user, or to modification of arbitrary files with the privileges of the current user. Depending upon configuration, Java Web Start applets may be launched upon receipt. Java Web Start is installed by default on all Apple Mac OS X systems, as well as many Unix, Unix-like, and Linux-based operating systems, and a large number of Microsoft Windows systems. Some technical details are publicly available for these vulnerabilities.

 

Status: Vendor confirmed, updates available.

 

References:

Zero Day Initiative Advisories

http://zerodayinitiative.com/advisories/ZDI-08-043/

http://zerodayinitiative.com/advisories/ZDI-08-042/

Sun Security Advisory

http://sunsolve.sun.com/search/document.do?assetkey=1-26-238905-1

Sun Java Home Page

http://java.sun.com/

SecurityFocus BID

http://www.securityfocus.com/bid/30148

 

***************************************************

 

(3) CRITICAL: Oracle WebLogic Apache Connector Buffer Overflow

Affected:

Oracle WebLogic Server versions 10.x and prior

 

Description: Oracle WebLogic (formerly BEA WebLogic) contains a buffer overflow in its "mod_wl" Apache module. An overlong HTTP POST request to a server using this module could trigger this buffer overflow, allowing an attacker to execute arbitrary code with the privileges of the vulnerable process. Full technical details and a proof-of-concept exploit are publicly available for this vulnerability.

 

Status: Vendor has not confirmed, no updates available.

 

References:

Proof-of-Concept

http://milw0rm.com/exploits/6089

Product Home Pages

http://edocs.bea.com/wls/docs70/plugins/apache.html

http://www.bea.com/framework.jsp?CNT=index.htm&FP=/content/products/weblogic/server

SecurityFocus BID

http://www.securityfocus.com/bid/30273

 

***************************************************

 

(4) EXPLOIT: Multiple DNS Cache Poisoning Exploits

Affected:

Most major DNS implementations, including BIND and Microsoft DNS

 

Description: The DNS flaw discussed in a previous edition of @RISK has had its technical details disclosed and several working exploits published. The full details of the exploit were originally going to be disclosed at the Black Hat information security conference, but were released early. Several exploits have been published, including at least two for the popular Metasploit exploit framework. An attacker who used one of these exploits could poison a target DNS server's cache, allowing the attacker to return falsified responses to users' queries. This could allow an attacker to redirect users to malicious hosts for further exploitation, or to steal sensitive information.

 

Status: Vendors confirmed, updates available. Users are urged to apply updates and patches as quickly as possible.

 

References:

Metasploit Exploit Modules

http://metasploit.com/dev/trac/browser/framework3/trunk/modules/auxiliary/spoof/dns/bailiwicked_domain.rb

http://metasploit.com/dev/trac/browser/framework3/trunk/modules/auxiliary/spoof/dns/bailiwicked_host.rb

Metasploit Home Page

http://metasploit.com/

Proof-of-Concept

http://milw0rm.com/exploits/6123

Previous @RISK Entry

http://www.sans.org/newsletters/risk/display.php?v=7&i=28#widely3

 

*******************************************************

 

Part II: Weekly Comprehensive List of Newly Discovered Vulnerabilities

Week 30, 2008

This list is compiled by Qualys (http://www.qualys.com/) as part of that company's ongoing effort to ensure its vulnerability management web service tests for all known vulnerabilities that can be scanned. As of this week Qualys scans for 5549 unique vulnerabilities. For this special SANS community listing, Qualys also includes vulnerabilities that cannot be scanned remotely.

 

______________________________________________________________________

 

08.30.1 CVE: Not Available

Platform: Windows

Title: Microsoft Windows Vista Shutdown Button Local Security Bypass

Description: Microsoft Windows is exposed to a local security bypass issue. The problem occurs when the security option "Shutdown: Allow system to be shutdown without having to log on" is disabled, and the power management setting "When I press the power button" is set to "Shut Down". Windows Vista SP1 is affected.

Ref: http://www.securityfocus.com/archive/1/494533

______________________________________________________________________

 

08.30.2 CVE: Not Available

Platform: Third Party Windows Apps

Title: PPMate PPMedia Class ActiveX Control Remote Buffer Overflow

Description: PPMate is a peer-to-peer video streaming application. The application is exposed to a heap-based buffer overflow issue because it fails to perform adequate boundary checks on user-supplied input.

PPMate version 2.3.1.93 is affected.

Ref: http://support.microsoft.com/kb/240797

______________________________________________________________________

 

08.30.3 CVE: Not Available

Platform: Third Party Windows Apps

Title: MediaMonkey URI Handling Multiple Denial of Service Vulnerabilities

Description: MediaMonkey is an audio player. It is available for Microsoft Windows platforms. The application is exposed to two denial of service issues because it fails to properly handle certain URIs.

The issues can be triggered by overly long ".m3u" or ".pcast" URIs.

MediaMonkey version 3.0.3 is affected.

Ref: http://www.securityfocus.com/bid/30251

______________________________________________________________________

 

08.30.4 CVE: Not Available

Platform: Third Party Windows Apps

Title: BitComet URI Handling Remote Denial of Service

Description: BitComet is a BitTorrent/HTTP/FTP download management application available for Microsoft Windows. The application is exposed to a denial of service issue because it fails to properly handle batch files containing an excessively large URI. BitComet version 1.02 is affected.

Ref: http://www.securityfocus.com/bid/30255

______________________________________________________________________

 

08.30.5 CVE: Not Available

Platform: Third Party Windows Apps

Title: QuickPlayer ".m3u" File Buffer Overflow

Description: QuickPlayer is a media player application for Windows.

The application is exposed to a buffer overflow issue because it fails to perform adequate boundary checks on user-supplied input. This issue occurs when the application fails to handle overly large URIs in ".m3u" files. QuickPlayer version 1.3 is affected.

Ref: http://www.securityfocus.com/bid/30252

______________________________________________________________________

 

08.30.6 CVE: CVE-2008-2934

Platform: Mac Os

Title: Mozilla Firefox Mac OS X GIF Rendering Memory Corruption

Description: Mozilla Firefox is a browser available for multiple platforms. The application is exposed to a memory corruption issue in the Mozilla graphics code for handling GIF files on the Mac OS X platform.

Firefox version 3.0 is affected.

Ref: http://www.mozilla.org/security/announce/2008/mfsa2008-36.html

______________________________________________________________________

 

08.30.7 CVE: Not Available

Platform: Linux

Title: Debian OpenSSH SELinux Privilege Escalation

Description: Debian Linux can be configured to utilize SELinux extensions. OpenSSH may also be configured to utilize SELinux, and to interface with the role-based privilege system. The application is exposed to an SELinux privilege escalation issue due to a flaw in its OpenSSH package.

Ref: http://www.securityfocus.com/bid/30276

______________________________________________________________________

 

08.30.8 CVE: CVE-2008-3187

Platform: Linux

Title: zypp-refresh-patches wrapper XML Repository Corruption

Description: The zypp-refresh-patches wrapper is used by various online update applets in openSUSE to check for new software updates.

The application is exposed to a weakness that may allow attackers to corrupt XML repositories. This issue occurs because the application accepts new repository keys without verifying certificates.

Ref: http://www.securityfocus.com/bid/30293

______________________________________________________________________

 

08.30.9 CVE: Not Available

Platform: Cross Platform

Title: Oracle Weblogic Server Apache Connector Remote Buffer Overflow

Description: Oracle Weblogic Server (formerly known as BEA WebLogic Server) is an enterprise application server product distributed by Oracle. The application is exposed to a remote buffer overflow issue because the application fails to perform adequate boundary checks on user-supplied data. This issue affects the Apache Connector.

Ref: http://www.securityfocus.com/bid/30273

______________________________________________________________________

 

08.30.10 CVE: Not Available

Platform: Cross Platform

Title: IBM WebSphere Application Server "PropFilePasswordEncoder" Unspecified Vulnerability

Description: IBM WebSphere Application Server is a utility designed to facilitate the creation of various enterprise web applications. The application is exposed to an unspecified issue that affects the "PropFilePasswordEncoder" utility. WebSphere Application Server versions prior to 5.1.1.19 are affected.

Ref: http://www-1.ibm.com/support/docview.wss?uid=swg27006879#51119

______________________________________________________________________

 

08.30.11 CVE: CVE-2008-1665

Platform: Cross Platform

Title: HP Select Identity Bidirectional LDAP Connector Remote Unauthorized Access

Description: HP Select Identity (HPSI) Active Directory Bidirectional LDAP Connector is exposed to an unauthorized access issue. HP Select Identity Active Directory Bidirectional LDAP Connector versions 2.20, 2.20.001, 2.20.002 and 2.30 are affected.

Ref: http://www.securityfocus.com/bid/30250

______________________________________________________________________

 

08.30.12 CVE: Not Available

Platform: Cross Platform

Title: F-PROT Antivirus CHM File Remote Denial of Service

Description: F-PROT Antivirus is an antivirus application available for multiple operating systems. The application is exposed to a remote denial of service issue because it fails to properly handle malformed CHM files. F-PROT Antivirus engine versions prior to 4.4.4 are affected.

Ref: http://www.f-prot.com/download/ReleaseNotesWindows.txt

______________________________________________________________________

 

08.30.13 CVE: Not Available

Platform: Cross Platform

Title: F-PROT Antivirus Multiple File Processing Remote Denial of Service Vulnerabilities

Description: F-PROT Antivirus is an antivirus application available for multiple operating systems. The application is exposed to multiple remote denial of service issues because it fails to properly handle malformed files. F-PROT Antivirus engine versions prior to 4.4.4 are affected.

Ref: http://www.f-prot.com/download/ReleaseNotesWindows.txt

______________________________________________________________________

 

08.30.14 CVE: Not Available

Platform: Cross Platform

Title: Velocity Security Management System HTTP Server Directory Traversal

Description: Velocity Security Management System is a management application for physical security devices such as door controls and alarms. The application is exposed to a directory traversal issue because it fails to sufficiently sanitize user-supplied input. This issue occurs in the application's HTTP server. Velocity Security Management System version 1.0 is affected.

Ref: http://www.securityfocus.com/archive/1/494422

______________________________________________________________________

 

08.30.15 CVE: Not Available

Platform: Cross Platform

Title: Spring Framework Multiple Remote Vulnerabilities

Description: Spring Framework is a layered Java/J2EE application framework. The application is exposed to two security issues.

Attackers can exploit these issues to gain unauthorized access to files on the web server or compromise the affected application.

Ref: http://www.springsource.com/securityadvisory

______________________________________________________________________

 

08.30.16 CVE: Not Available

Platform: Cross Platform

Title: CGI::Session "CGISESSID" Cookie Value Directory Traversal

Description: CGI::Session is a session manager library implemented in Perl. The library is exposed to a directory traversal issue because it fails to sufficiently sanitize user-supplied input to the "CGISESSID" cookie value in "Session.pm". CGI::Session versions 3.94, 3.95 and 4.33 are affected.

Ref: http://vuln.sg/cgisession433-en.html

______________________________________________________________________

 

08.30.17 CVE: Not Available

Platform: Cross Platform

Title: OpenLink Virtuoso Multiple Denial Of Service Vulnerabilities

Description: OpenLink Virtuoso is an open-source object-relational SQL database. The application is exposed to multiple remote denial of service issues because it fails to properly handle certain types of queries. OpenLink Virtuoso version 5.0.6 is affected.

Ref: http://sourceforge.net/project/shownotes.php?release_id=614029

______________________________________________________________________

 

08.30.18 CVE: Not Available

Platform: Cross Platform

Title: SmbClientParser Perl Module Remote Command Execution

Description: The SmbClientParser Perl module is an API used to access Samba resources using "smbclient". The module is exposed to a remote command execution issue because it fails to sufficiently sanitize user-supplied data. An attacker could exploit this issue by enticing an unsuspecting user to use a tool created with this module to scan a shared folder that contains a folder with a specially crafted name.

Filesys::SmbClientParser version 2.7 is affected.

Ref: http://www.securityfocus.com/archive/1/494536

______________________________________________________________________

 

08.30.19 CVE: Not Available

Platform: Web Application - Cross Site Scripting

Title: IBS "username" Parameter Cross-Site Scripting

Description: IBS is an accounting application for Internet service providers. The application is exposed to a cross-site scripting issue because it fails to sanitize user-supplied input to the "username" parameter of the "interface/ibs/admin/index.php" script. IBS version 0.15 is affected.

Ref: http://www.securityfocus.com/bid/30270

______________________________________________________________________

 

08.30.20 CVE: Not Available

Platform: Web Application - Cross Site Scripting

Title: LunarNight Laboratory WebProxy Cross-Site Scripting

Description: LunarNight Laboratory WebProxy is a Perl-based proxy. The application is exposed to a cross-site scripting issue because it fails to properly sanitize user-supplied input before using it in dynamically generated content. LunarNight Laboratory WebProxy versions prior to 1.7.9 are affected.

Ref: http://www.securityfocus.com/bid/30283

______________________________________________________________________

 

08.30.21 CVE: Not Available

Platform: Web Application - Cross Site Scripting

Title: phpFreeChat "demo21_with_hardcoded_urls.php" Cross-Site Scripting

Description: phpFreeChat is a chat application. The application is exposed to a cross-site scripting issue because it fails to sanitize user-supplied input to the "demo21_with_hardcoded_urls.php" script.

phpFreeChat version 1.1 is affected.

Ref: http://www.securityfocus.com/bid/30292

______________________________________________________________________

 

08.30.22 CVE: Not Available

Platform: Web Application - Cross Site Scripting

Title: MoinMoin "AdvancedSearch.py" Multiple Cross-Site Scripting Vulnerabilities

Description: MoinMoin is a freely available, open-source wiki written in Python. It is available for UNIX and Linux platforms. The application is exposed to multiple cross-site scripting issues because it fails to sanitize user-supplied input. These issues affect various parameters of the "macro/AdvancedSearch.py" script. MoinMoin versions 1.7.0 and 1.6.3 are affected.

Ref: http://moinmo.in/SecurityFixes

______________________________________________________________________

 

08.30.23 CVE: Not Available

Platform: Web Application - SQL Injection

Title: phpHoo3 "phpHoo3.php" SQL Injection

Description: phpHoo3 is a link database. The application is exposed to an SQL injection issue because it fails to sufficiently sanitize user-supplied data to the "viewCat" parameter of the "phpHoo3.php" script file before using it in an SQL query.

Ref: http://www.securityfocus.com/bid/30271

______________________________________________________________________

 

08.30.24 CVE: Not Available

Platform: Web Application - SQL Injection

Title: AlstraSoft Video Share Enterprise "album.php" SQL Injection

Description: AlstraSoft Video Share Enterprise is a web-based video sharing application. The application is exposed to an SQL injection issue because it fails to sufficiently sanitize user-supplied data to the "UID" parameter of the "album.php" script before using it in an SQL query.

Ref: http://www.securityfocus.com/bid/30272

______________________________________________________________________

 

08.30.25 CVE: Not Available

Platform: Web Application - SQL Injection

Title: AlstraSoft Article Manager Pro "contact_author.php" SQL Injection

Description: AlstraSoft Article Manager Pro is a PHP-based content management application. The application is exposed to an SQL injection issue because it fails to sufficiently sanitize user-supplied data to the "userid" parameter of the "contact_author.php" script before using it in an SQL query.

Ref: http://www.securityfocus.com/bid/30274

______________________________________________________________________

 

08.30.26 CVE: Not Available

Platform: Web Application - SQL Injection

Title: Arctic Issue Tracker "filter" Parameter SQL Injection

Description: Arctic Issue Tracker is a web-based application for tracking tasks. The application is exposed to an SQL injection issue because it fails to sufficiently sanitize user-supplied data before using it in an SQL query. Specifically, it fails to properly sanitize the "filter" parameter of the "index.php" script. Arctic Issue Tracker version v2.0.0 is affected.

Ref: http://www.securityfocus.com/bid/30277

______________________________________________________________________

 

08.30.27 CVE: Not Available

Platform: Web Application - SQL Injection

Title: preCMS "id" Parameter SQL Injection

Description: preCMS is a web-based content manager. The application is exposed to an SQL injection issue because it fails to sufficiently sanitize user-supplied data before using it in an SQL query.

Specifically, it fails to properly sanitize the "id" parameter of the "index.php" script. preCMS version v.1 is affected.

Ref: http://www.securityfocus.com/bid/30278

______________________________________________________________________

 

08.30.28 CVE: Not Available

Platform: Web Application - SQL Injection

Title: HockeySTATS Online "index.php" Multiple SQL Injection Vulnerabilities

Description: HockeySTATS Online is a PHP-based hockey statistics tracking application. The application is exposed to multiple SQL injection issues because it fails to sufficiently sanitize user-supplied data to the "id" and "divid" parameters of the "index.php" script before using it in an SQL query. HockeySTATS Online Basic and Advanced version 2.0 is affected.

Ref: http://www.securityfocus.com/bid/30248

______________________________________________________________________

 

08.30.29 CVE: Not Available

Platform: Web Application - SQL Injection

Title: Joomla! and Mambo DT Register Component "eventId" Parameter SQL Injection

Description: DT Register is a PHP-based component for the Mambo and Joomla! content managers used for managing event registrations. The application is exposed to an SQL injection issue because it fails to sufficiently sanitize user-supplied data to the "eventId" parameter of the "com_dtregister" component before using it in an SQL query.

Ref: http://www.securityfocus.com/bid/30256

______________________________________________________________________

 

08.30.30 CVE: Not Available

Platform: Web Application - SQL Injection

Title: AlstraSoft Affiliate Network Pro "pgm" Parameter SQL Injection

Description: AlstraSoft Affiliate Network Pro is a web-based affiliate marketing solution. The application is exposed to an SQL injection issue because it fails to sufficiently sanitize user-supplied data before using it in an SQL query.

Ref: http://www.securityfocus.com/bid/30259

______________________________________________________________________

 

08.30.31 CVE: Not Available

Platform: Web Application - SQL Injection

Title: tplSoccerSite Multiple SQL Injection Vulnerabilities

Description: tplSoccerSite is a web-based soccer stats application.

The application is exposed to multiple SQL injection issues because it fails to sufficiently sanitize user-supplied data. tplSoccerSite version 1.0 is affected.

Ref: http://www.securityfocus.com/bid/30260

______________________________________________________________________

 

08.30.32 CVE: Not Available

Platform: Web Application - SQL Injection

Title: Def_Blog "article" Parameter Multiple SQL Injection Vulnerabilities

Description: Def_Blog is a web-log application. The application is exposed to multiple SQL injection issues because it fails to sufficiently sanitize user-supplied data to the "article" parameter of the "comaddok.php" and "comlook.php" scripts. Def_Blog version 1.0.3 is affected.

Ref: http://www.securityfocus.com/bid/30289

______________________________________________________________________

 

08.30.33 CVE: Not Available

Platform: Web Application - SQL Injection

Title: Siteframe "folder.php" SQL Injection

Description: Siteframe is a content manager. The application is exposed to an SQL injection issue because it fails to sufficiently sanitize user-supplied data to the "id" parameter of the "folder.php" script before using it in an SQL query.

Ref: http://www.securityfocus.com/bid/30294

______________________________________________________________________

 

08.30.34 CVE: Not Available

Platform: Web Application - SQL Injection

Title: Aprox CMS Engine "index.php" SQL Injection

Description: phpHoo3 is a link database. The application is exposed to an SQL injection issue because it fails to sufficiently sanitize user-supplied data to the "id" parameter of the "index.php" script before using it in an SQL query. Aprox CMS Engine version 5.1.0.4 is affected.

Ref: http://www.securityfocus.com/bid/30295

______________________________________________________________________

 

08.30.35 CVE: Not Available

Platform: Web Application - SQL Injection

Title: PHPFootball "show.php" SQL Injection

Description: PHPFootball is a web-based management application for football leagues. The application is exposed to an SQL injection issue because it fails to sufficiently sanitize user-supplied data to the "dbtable" parameter of the "show.php" script before using it in an SQL query. PHPFootball version 1.6 is affected.

Ref: http://www.securityfocus.com/bid/30296

______________________________________________________________________

 

08.30.36 CVE: Not Available

Platform: Web Application - SQL Injection

Title: Zoph Multiple SQL Injection Vulnerabilities

Description: Zoph is a PHP-based application for managing digital photographs. The application is exposed to multiple SQL injection issues because it fails to sufficiently sanitize user-supplied data.

Zoph versions prior to 0.7.0.5 are affected.

Ref: http://sourceforge.net/project/shownotes.php?group_id=69353&release_id=614672

______________________________________________________________________

 

08.30.37 CVE: Not Available

Platform: Web Application

Title: Claroline Multiple Unspecified Security Vulnerabilities

Description: Claroline is a PHP-based online educational platform. The application is exposed to multiple unspecified issues. Claroline version 1.8.9 is affected.

Ref: http://www.securityfocus.com/archive/1/494539

______________________________________________________________________

 

08.30.38 CVE: Not Available

Platform: Web Application

Title: Community CMS "include.php" Remote File Include

Description: Community CMS is a PHP-based content manager. The application is exposed to a remote file include issue because it fails to sufficiently sanitize user-supplied input to the "root" parameter of the "include.php" script. Community CMS version 0.1 is affected.

Ref: http://www.securityfocus.com/archive/1/494503

______________________________________________________________________

 

08.30.39 CVE: CVE-2008-2232

Platform: Web Application

Title: Afuse "afuse.c" Shell Command Injection

Description: Afuse is an auto mounting file system implemented in user-space. The application is exposed to a command injection issue in the "afuse.c" file. Specifically, the application fails to sanitize metacharacters in a user-supplied filename. Afuse version 2.0-2 is affected.

Ref: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=490921

______________________________________________________________________

 

08.30.40 CVE: Not Available

Platform: Web Application

Title: Galatolo WebManager Cookie Authentication Bypass

Description: Galatolo WebManager is a PHP-based content manager. The application is exposed to an authentication bypass issue because it fails to adequately verify user-supplied input used for cookie-based authentication. Galatolo WebManager version 1.3a is affected.

Ref: http://www.securityfocus.com/bid/30247

______________________________________________________________________

 

08.30.41 CVE: Not Available

Platform: Web Application

Title: PhotoPost vBGallery "upload.php" Arbitrary File Upload

Description: PhotoPost vBGallery is a PHP-based photo sharing application for the vBulletin forum. The application is exposed to an issue that lets remote attackers upload and execute arbitrary script code because it fails to properly sanitize user-supplied input to the "upload.php" script. PhotoPost vBGallery version v2.4.2 is affected.

Ref: http://www.securityfocus.com/bid/30249

______________________________________________________________________

 

08.30.42 CVE: Not Available

Platform: Web Application

Title: PHPizabi "v_cron_proc.php" Arbitrary Script Injection Vulnerabilities

Description: PHPizabi is a PHP-based content manager. The application is exposed to two issues that allow attackers to execute arbitrary script code because it fails to properly sanitize user-supplied input to the "CONF["CRON_LOGFILE"]" and "CONF["LOCALE_LONG_DATE_TIME"]" parameters of the "system/v_cron_proc.php" script. PHPizabi version 0.848b C1 HFP1 is affected.

Ref: http://www.securityfocus.com/bid/30257

______________________________________________________________________

 

08.30.43 CVE: Not Available

Platform: Web Application

Title: Evaria ECMS "DOCUMENT_ROOT" Parameter Multiple Remote File Include Vulnerabilities

Description: ECMS is a web-based content management system. The application is exposed to multiple remote file include issues because it fails to sufficiently sanitize user-supplied input to the "DOCUMENT_ROOT" parameter of the following scripts: "index.php" and "eprint.php". ECMS version 1.1 is affected.

Ref: http://www.securityfocus.com/bid/30262

______________________________________________________________________

 

08.30.44 CVE: Not Available

Platform: Web Application

Title: OpenPro "search_wA.php" Remote File Include

Description: OpenPro is a web-based application. The application is exposed to a remote file include issue because it fails to sufficiently sanitize user-supplied input to the "LIBPATH" parameter of the "search_wA.php" script. OpenPro version 1.3.1 is affected.

Ref: http://www.securityfocus.com/bid/30264

______________________________________________________________________

 

08.30.45 CVE: CVE-2008-3073, CVE-2008-3072

Platform: Web Application

Title: Simple Machines Forum Multiple Unspecified "html-tag" and Random Generator Seeding Vulnerabilities

Description: Simple Machines Forum is web-based forum software. Simple Machines Forum is exposed to multiple unspecified issues. An unspecified issue arises due to the use of "html-tag"; and an issue is due to improper seeding of the random number generator. Simple Machines Forum versions prior to 1.0.13 and 1.1.5 are affected.

Ref: http://www.securityfocus.com/bid/30271

______________________________________________________________________

 

08.30.46 CVE: Not Available

Platform: Web Application

Title: FormEncode "chained_validators" Class Security Bypass

Description: FormEncode is a validation and form generation package; it is implemented in Python. The application is exposed to an issue that may allow users to bypass certain filters. FormEncode version 1.0 is affected.

Ref: http://sourceforge.net/tracker/index.php?func=detail&aid=1925164&group_id=91231&atid=596416

______________________________________________________________________

 

08.30.47 CVE: Not Available

Platform: Web Application

Title: CreaCMS Multiple Remote File Include Vulnerabilities

Description: CreaCMS is a PHP-based content manager. The application is exposed to multiple remote file include issues because it fails to sufficiently sanitize user-supplied input. CreaCMS version 1 is affected.

Ref: http://www.securityfocus.com/bid/30284

______________________________________________________________________

 

08.30.48 CVE: Not Available

Platform: Web Application

Title: Lemon CMS "browser.php" Local File Include

Description: Lemon CMS is a content manager. The application is exposed to a local file include issue because it fails to properly sanitize user-supplied input to the "dir" parameter of the "lemon_includes/FCKeditor/editor/filemanager/browser/browser.php" script. Lemon CMS version 1.10 is affected.

Ref: http://www.securityfocus.com/bid/30285

______________________________________________________________________

 

08.30.49 CVE: Not Available

Platform: Web Application

Title: Stash Cookie Authentication Bypass

Description: Stash is a PHP-based content manager specifically for managing band web sites. The application is exposed to an authentication bypass issue because it fails to adequately verify user-supplied input used for cookie-based authentication. Stash version 1.0.3 is affected.

Ref: http://www.securityfocus.com/bid/30286

______________________________________________________________________

 

08.30.50 CVE: Not Available

Platform: Web Application

Title: SWAT 4 Multiple Denial of Service Vulnerabilities

Description: SWAT 4 is a first-person shooter computer game. The application is exposed to multiple remote denial of service issues because it fails to properly handle certain input. SWAT version 4 1.1 is affected.

Ref: http://www.securityfocus.com/bid/30299

______________________________________________________________________

 

08.30.51 CVE: Not Available

Platform: Web Application

Title: phpScheduleIt "useLogonName" Security Bypass

Description: phpScheduleIt is a web-based reservation and scheduling system. The application is exposed to an issue that gives an attacker unauthorized access to administration areas of the application because the software fails to properly restrict access in an unspecified script. phpScheduleIt versions up to and including 1.2.9 are affected.

Ref: http://www.securityfocus.com/bid/30300

______________________________________________________________________

 

(c) 2008.  All rights reserved.  The information contained in this newsletter, including any external links, is provided "AS IS," with no express or implied warranty, for informational purposes only.  In some cases, copyright for material in this newsletter may be held by a party other than Qualys (as indicated herein) and permission to use such material must be requested from the copyright owner.