@RISK: The Consensus Security Vulnerability Alert
Week 1 2012



This is a weekly newsletter that provides in-depth analysis of
the latest vulnerabilities with straightforward remediation advice. Qualys
supplies a large part of the newly-discovered vulnerability content used in
this newsletter.


Summary of Updates and Vulnerabilities in this Consensus

Platform                        Number of Updates and Vulnerabilities

Other Microsoft Products                   1 (#1)
Third Party Windows Apps                   1
Linux                                      1
Cross Platform                             4
Web Application - Cross Site Scripting     3
Web Application - SQL Injection            5
Web Application                            8
Network Device                             1
Hardware                                   2


Part I -- Critical Vulnerabilities from TippingPoint (www.tippingpoint.com)
Widely Deployed Software
(1) MEDIUM: ASP.NET Authentication Bypass

Part II -- Comprehensive List of Newly Discovered Vulnerabilities from Qualys
(www.qualys.com)

-- Other Microsoft Products
12.2.1 - Microsoft ASP.NET Multiple vulnerabilities
-- Third Party Windows Apps
12.2.2 - IBM Web Experience Factory Smart Refresh HTML Injection
-- Linux
12.2.3 - lio-utils Debug Mode Insecure Temporary File Creation
-- Cross Platform
12.2.4 - VLC Media Player TiVo Demuxer Remote Heap-Based Buffer Overflow
12.2.5 - Java Hash Collision Denial of Service
12.2.6 - Python Hash Collision Denial of Service
12.2.7 - Apache Tomcat Hash Collision Denial of Service
-- Web Application - Cross Site Scripting
12.2.8 - Siena CMS "err" Parameter Cross-Site Scripting
12.2.9 - PhpMyAdmin Multiple Cross-Site Scripting Vulnerabilities
12.2.10  - BigACE Multiple Cross-Site Scripting Vulnerabilities
-- Web Application - SQL Injection
12.2.11  - WSN Links "report.php" SQL Injection
12.2.12  - Plogger "id" Parameter SQL Injection
12.2.13  - OpenEMR "validateUser.php" SQL Injection
12.2.14  - DedeCMS Multiple SQL Injection Vulnerabilities
12.2.15  - Akiva WebBoard "name" Parameter SQL Injection
-- Web Application
12.2.16  - RapidLeech "notes" Parameter HTML Injection
12.2.17  - Winn Guestbook "name" Parameter HTML Injection
12.2.18  - Joomla! Simple File Upload Arbitrary File Upload
12.2.19  - Mavili Guestbook Multiple Security Vulnerabilities
12.2.20  - E107 Multiple Vulnerabilities
12.2.21  - Bugzilla Cross-Site Scripting and Security Bypass Vulnerabilities
12.2.22  - Register Plus Redux Multiple Security vulnerabilities
12.2.23  - Vtiger CRM "graph.php" Script Authentication Bypass
-- Network Device
12.2.24  - WiFi Protected Setup PIN Brute Force Authentication Bypass
-- Hardware
12.2.25  - Multiple Digital Satellite TV Platforms Multiple Unspecified Vulnerabilities
12.2.26  - Op5 Appliance Multiple Unspecified Remote Command Execution Vulnerabilities

PART I Critical Vulnerabilities
Part I for this issue has been compiled by Josh Bronson at TippingPoint,
a division of HP, as a by-product of that company's continuous effort
to ensure that its intrusion prevention products effectively block
exploits using known vulnerabilities. TippingPoint's analysis is
complemented by input from a council of security managers from twelve
large organizations who confidentially share with SANS the specific
actions they have taken to protect their systems. A detailed description
of the process may be found at
http://www.sans.org/newsletters/risk/#process

(1) MEDIUM: ASP.NET Authentication Bypass
Affected
Microsoft .NET Framework 1.1 Service Pack 1
Microsoft .NET Framework 2.0 Service Pack 2
Microsoft .NET Framework 3.5 Service Pack 1
Microsoft .NET Framework 4

Description Microsoft has released patches for multiple security
vulnerabilities affecting its ASP.NET web application framework. ASP.NET
has built-in code for authenticating users to web applications, and the
updates address vulnerabilities in that code. By sending a malicious
request to a vulnerable ASP.NET server, an attacker can exploit one of
these security vulnerabilities in order to gain access to a user account
whose name the attacker already knew. And by enticing a target to click
a malicious link, an attacker could again gain access to the target's
user account. After gaining access to a user account, the attacker could
execute arbitrary commands on the site with the permissions of that user
account.

Status vendor confirmed, updates available

References
Vendor Site
http://www.microsoft.com
Microsoft Security Bulletin
http://technet.microsoft.com/en-us/security/bulletin/ms11-100
SecurityFocus BugTraq IDs
http://www.securityfocus.com/bid/51201
http://www.securityfocus.com/bid/51203

Part II -- Comprehensive List of Newly Discovered Vulnerabilities from Qualys
(www.qualys.com)

This list is compiled by Qualys (www.qualys.com) as part of that
company's ongoing effort to ensure its vulnerability management web
service tests for all known vulnerabilities that can be scanned. As of
this week Qualys scans for 12975 unique vulnerabilities. For this
special SANS community listing, Qualys also includes vulnerabilities
that cannot be scanned remotely.


12.2.1 CVE CVE-2011-3414,CVE-2011-3415,CVE-2011-3416,CVE-2011-3417
Platform Other Microsoft Products
Title Microsoft ASP.NET Multiple vulnerabilities
Description ASP.NET is a Web application framework developed and
marketed by Microsoft. The application is exposed to multiple security
issues. See reference for further details. Microsoft .NET Framework
1.1 Service Pack 1, Microsoft .NET Framework 2.0 Service Pack 2,
Microsoft .NET Framework 3.5 Service Pack 1, Microsoft .NET Framework
3.5.1 and Microsoft .NET Framework 4 on all supported editions of
Microsoft Windows are affected.
Ref http://technet.microsoft.com/en-us/security/bulletin/ms11-100

12.2.2 CVE Not Available
Platform Third Party Windows Apps
Title IBM Web Experience Factory Smart Refresh HTML Injection
Description IBM Web Experience Factory is a software lifecycle
management application. The application is exposed to an HTML injection
issue because it fails to properly sanitize user-supplied input.
This issue affects the "Smart Refresh" component. IBM Web Experience
Factory 7.0 and 7.0.1 are affected.
Ref http://www-01.ibm.com/support/docview.wss?uid=swg21575083

12.2.3 CVE Not Available
Platform Linux
Title lio-utils Debug Mode Insecure Temporary File Creation
Description lio-utils is a low-level configuration tool set. The
application is exposed to an insecure temporary file creation issue.
This issue is caused by a logic error in the "etc/init.d/target"
script, which allows the application to fall unexpectedly into debug
mode. The application later creates the "/tmp/tgetctl-dbug" file in an
insecure manner while running in debug mode. lio-utils 4.1 is
vulnerable; other versions may also be affected.
Ref http://www.securityfocus.com/bid/51242/references

12.2.4 CVE Not Available
Platform Cross Platform
Title VLC Media Player TiVo Demuxer Remote Heap-Based Buffer Overflow
Description VLC is a cross-platform media player. VLC media player is
exposed to a heap-based buffer overflow issue in the TiVo demuxer. The
issue is triggered when the demuxer handles a specially crafted header
in a TiVo (".TY") file. VLC media player versions 0.9.0 through 1.1.12
are vulnerable; other versions may also be affected.
Ref http://www.videolan.org/security/sa1108.html

12.2.5 CVE Not Available
Platform Cross Platform
Title Java Hash Collision Denial of Service
Description Java is a programming language. The application is
exposed to a denial of service issue caused by an error when hashing
form posts and updating a hash table. Specially crafted forms in HTTP
POST requests can trigger hash collisions, resulting in high CPU
consumption. Java 7 and prior are affected.
Ref http://www.ocert.org/advisories/ocert-2011-003.html
http://www.securityfocus.com/bid/51236/references

12.2.6 CVE Not Available
Platform Cross Platform
Title Python Hash Collision Denial of Service
Description Python is a programming language available for multiple
platforms. The application is exposed to a denial of service issue
caused by an error when hashing form posts and updating a hash table.
Specially crafted forms in HTTP POST requests can trigger hash
collisions, resulting in high CPU consumption. All versions of Python
are affected.
Ref http://www.securityfocus.com/bid/51239/references

12.2.7 CVE CVE-2011-4084
Platform Cross Platform
Title Apache Tomcat Hash Collision Denial of Service
Description Apache Tomcat is a Java-based web server application for
multiple operating systems. The application is exposed to a denial of
service issue caused by an error when hashing form posts and updating
a hash table. Specially crafted forms in HTTP POST requests can trigger
hash collisions, resulting in high CPU consumption. All versions of
Apache Tomcat are affected.
Ref
http://mail-archives.apache.org/mod_mbox/tomcat-announce/201112.mbox/%3C4EFB9800.5010106@apache.org%3E
http://www.securityfocus.com/bid/51200/references
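Added illustration for the Java, Python and Tomcat entries above (not code from the newsletter, Qualys or any of those projects): a key class with a constant hash stands in for the colliding form field names the advisories describe, so the quadratic slowdown of hash-table insertion can be measured directly, and a form parser caps parameter count and body size before any table insertion, which is the class of mitigation the vendors shipped. The limits and field names are assumed values.

```python
import time
from urllib.parse import unquote_plus


class ConstHashKey:
    """Key whose hash is always 0: every key lands in the same bucket,
    simulating attacker-chosen colliding form field names."""
    __slots__ = ("v",)

    def __init__(self, v):
        self.v = v

    def __hash__(self):
        return 0

    def __eq__(self, other):
        return isinstance(other, ConstHashKey) and self.v == other.v


def insert_time(keys):
    """Seconds taken to insert the given keys into a fresh dict."""
    start = time.perf_counter()
    table = {}
    for k in keys:
        table[k] = True
    return time.perf_counter() - start


def collision_slowdown(n=2000):
    """How many times slower inserting n all-colliding keys is than
    inserting n well-distributed string keys (O(n^2) vs O(n) probing)."""
    normal = insert_time([f"field{i}" for i in range(n)])
    colliding = insert_time([ConstHashKey(i) for i in range(n)])
    return colliding / max(normal, 1e-9)


class FormTooLarge(ValueError):
    pass


def parse_form(body, max_params=1000, max_bytes=64 * 1024):
    """Parse application/x-www-form-urlencoded bytes into {name: [values]},
    refusing bodies over the assumed size/parameter limits before any
    dict insertion, so the work a request can force stays bounded."""
    if len(body) > max_bytes:
        raise FormTooLarge(f"body of {len(body)} bytes exceeds {max_bytes}")
    params = {}
    seen = 0
    for pair in body.split(b"&"):
        if not pair:
            continue
        seen += 1
        if seen > max_params:
            raise FormTooLarge(f"more than {max_params} parameters")
        name, _, value = pair.partition(b"=")
        key = unquote_plus(name.decode("latin-1"))
        params.setdefault(key, []).append(unquote_plus(value.decode("latin-1")))
    return params
```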

12.2.8 CVE Not Available
Platform Web Application - Cross Site Scripting
Title Siena CMS "err" Parameter Cross-Site Scripting
Description Siena CMS is a PHP-based content management system.
PHP-SCMS is exposed to a cross-site-scripting issue because it fails
to properly sanitize user-supplied input submitted to the "err"
parameter of the "index.php" script. Siena CMS 1.242 is vulnerable;
other versions may also be affected.
Ref http://www.securityfocus.com/bid/51218/discuss

12.2.9 CVE CVE-2011-4780
Platform Web Application - Cross Site Scripting
Title PhpMyAdmin Multiple Cross-Site Scripting Vulnerabilities
Description PhpMyAdmin is a web-based administration interface for
MySQL databases. The application is exposed to multiple cross-site
scripting issues because it fails to properly sanitize user-supplied
input submitted to the "libraries/display_export.lib.php" script.
Specifically, these issues affect the export panels in the server,
database and table sections. phpMyAdmin versions prior to 3.4.x are
affected.
Ref http://www.phpmyadmin.net/home_page/security/PMASA-2011-20.php

12.2.10 CVE Not Available
Platform Web Application - Cross Site Scripting
Title BigACE Multiple Cross-Site Scripting Vulnerabilities
Description BigACE is a PHP-based content manager. The application is
exposed to multiple cross-site scripting issues because it fails to
sufficiently sanitize user-supplied input submitted to multiple
scripts and parameters. BigACE 2.7.5 is vulnerable; other versions may
also be affected.
Ref http://www.securityfocus.com/archive/1/521088

12.2.11 CVE Not Available
Platform Web Application - SQL Injection
Title WSN Links "report.php" SQL Injection
Description WSN Links is a web-based directory application
implemented in PHP. The application is exposed to an SQL injection
issue because it fails to sufficiently sanitize user-supplied input
submitted to the "id" parameter of the "report.php" script. All
versions of WSN Links are affected.
Ref http://www.securityfocus.com/bid/51222/discuss

12.2.12 CVE Not Available
Platform Web Application - SQL Injection
Title Plogger "id" Parameter SQL Injection
Description Plogger is a web-based photo gallery application
implemented in PHP. The application is exposed to an SQL injection
issue because it fails to sufficiently sanitize user-supplied data
submitted to the "id" parameter. Plogger 1.0 Rc1 is affected.
Ref http://www.securityfocus.com/bid/51228/discuss

12.2.13 CVE Not Available
Platform Web Application - SQL Injection
Title OpenEMR "validateUser.php" SQL Injection
Description OpenEMR is an electronic medical record application
implemented in PHP. The application is exposed to an SQL injection
issue because it fails to properly sanitize user-supplied input
submitted to the "u" parameter of the
"interface/login/validateUser.php" script. OpenEMR 4.1.0 is
vulnerable; other versions may also be affected.
Ref
http://www.mavitunasecurity.com/sql-injection-vulnerability-in-openemr/
http://www.securityfocus.com/bid/51247/references

12.2.14 CVE Not Available
Platform Web Application - SQL Injection
Title DedeCMS Multiple SQL Injection Vulnerabilities
Description DedeCMS is a PHP-based content manager. The application
is exposed to multiple SQL injection issues because it fails to
sufficiently sanitize user-supplied data submitted to the following
scripts and parameters: "list.php": "id", "members.php": "id" and
"book.php": "id". DedeCMS 5.1, 5.3, 5.5 and 5.6 are affected.
Ref http://www.securityfocus.com/bid/51211/discuss

12.2.15 CVE Not Available
Platform Web Application - SQL Injection
Title Akiva WebBoard "name" Parameter SQL Injection
Description Akiva WebBoard is a PHP-based bulletin board application.
The application is exposed to an SQL injection issue because it fails
to sufficiently sanitize user-supplied data submitted to the "name"
parameter of the "WB/Default.asp" script. Versions prior to Akiva
WebBoard 8 SR 1 are affected.
Ref http://www.securityfocus.com/bid/51210/references

12.2.16 CVE Not Available
Platform Web Application
Title RapidLeech "notes" Parameter HTML Injection
Description RapidLeech is a PHP-based server transfer script. The
application is exposed to an HTML injection issue because it fails to
sufficiently sanitize user-supplied data submitted to the "notes"
parameter of the "notes.php" script. RapidLeech 2.3 is vulnerable;
other versions may also be affected.
Ref http://www.securityfocus.com/bid/51230/discuss

12.2.17 CVE CVE-2011-5026
Platform Web Application
Title Winn Guestbook "name" Parameter HTML Injection
Description Winn Guestbook is a Web application implemented in PHP.
The application is exposed to an HTML injection issue because it fails
to sufficiently sanitize user-supplied data submitted to the "name"
parameter of the "index.php" script. Winn Guestbook 2.4.8c is
vulnerable; other versions may also be affected.
Ref http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2011-5026
http://www.securityfocus.com/bid/51232/references

12.2.18 CVE Not Available
Platform Web Application
Title Joomla! Simple File Upload Arbitrary File Upload
Description Joomla is a PHP-based content management system. Simple
File Upload is an extension for Joomla. The application is exposed
to an arbitrary file upload issue because it fails to properly
sanitize user-supplied input. Specifically, it fails to adequately
validate files with ".php5" extension before uploading them onto the
web server. Simple File Upload 1.3 is vulnerable and other versions may
also be affected.
Ref
http://wasen.net/index.php?option=com_content&view=article&id=64&Itemid=59

12.2.19 CVE Not Available
Platform Web Application
Title Mavili Guestbook Multiple Security Vulnerabilities
Description Mavili Guestbook is a web-based application implemented
in ASP. Mavili Guestbook is exposed to multiple security vulnerabilities.
An SQL injection issue affects the "id" parameter of the "/edit.asp"
script. Multiple cross-site scripting issues occur and a security bypass
issue exists. Mavili Guestbook 200711 is affected.
Ref http://www.securityfocus.com/archive/1/521090

12.2.20 CVE Not Available
Platform Web Application
Title E107 Multiple Vulnerabilities
Description E107 is a PHP-based Web application. The application is
exposed to multiple issues. A cross-site scripting issue
affects the "resend_name" parameter of the "e107_admin/users.php"
script. Multiple cross-site scripting issues affect the
"e107_images/thumb.php" and "rate.php" scripts. An HTML injection
issue affects the "link" BBCode in user signatures. An SQL
injection issue affects the "username" parameter of the
"usersettings.php" script. E107 0.7.26 is vulnerable and other versions
may be affected.
Ref http://secunia.com/advisories/46706/
http://permalink.gmane.org/gmane.comp.security.oss.general/6571

12.2.21 CVE CVE-2011-3657,CVE-2011-3667
Platform Web Application
Title Bugzilla Cross-Site Scripting and Security Bypass Vulnerabilities
Description Bugzilla is a web-based bug tracking application. The
application is exposed to multiple issues. A cross-site
scripting issue occurs in the "chart.cgi" and "report.cgi" scripts.
A security-bypass issue occurs because the
"User.offer_account_by_email()" method fails to check the
"user_can_create_account" setting of the authentication method in
accounts creation. Bugzilla 2.17.1 to 3.4.12, 3.5.1 to 3.6.6, 3.7.1 to
4.0.2 and 4.1.1 to 4.1.3 are affected.
Ref http://www.bugzilla.org/security/3.4.12/
http://www.securityfocus.com/bid/51213/references

12.2.22 CVE Not Available
Platform Web Application
Title Register Plus Redux Multiple Security vulnerabilities
Description Register Plus Redux is a plugin for WordPress. WordPress
is a web-based publishing application implemented in PHP. Register
Plus Redux is exposed to multiple input-validation issues. See
reference for further details. Register Plus Redux 3.7.3.1 is
vulnerable; other versions may also be affected.
Ref http://www.securityfocus.com/archive/1/520561
https://www.htbridge.ch/advisory/multiple_vulnerabilities_in_weberp.html

12.2.23 CVE Not Available
Platform Web Application
Title Vtiger CRM "graph.php" Script Authentication Bypass
Description Vtiger CRM is a PHP-based customer relationship
management application. The application is exposed to an
authentication bypass issue because it fails to check credentials in
database backup requests through the "graph.php" script. Vtiger CRM
5.2.x and 5.1.x are affected.
Ref
http://francoisharvey.ca/2011/12/advisory-meds-2011-01-vtigercrm-anonymous-access-to-setting-module/

12.2.24 CVE Not Available
Platform Network Device
Title WiFi Protected Setup PIN Brute Force Authentication Bypass
Description WiFi Protected Setup is a computing standard created by
the WiFi Alliance to ease the setup and securing of a wireless home
network. WiFi Protected Setup is exposed to an authentication bypass
issue because it fails to provide a lockout policy for brute force
attempts. Specifically, the "external registrar" method requires
only the router's PIN for authentication. Attackers can determine
whether the PIN is correct through the "EAP-NACK" message, which is
sent when PIN authentication fails. Wireless routers that support WPS
are affected.
Ref http://www.kb.cert.org/vuls/id/723755
http://www.securityfocus.com/bid/51187/references

12.2.25 CVE Not Available
Platform Hardware
Title Multiple Digital Satellite TV Platforms Multiple Unspecified Vulnerabilities
Description Multiple Digital Satellite TV Platforms are exposed to
multiple unspecified issues. In total, 24 unspecified security issues
have been reported in various Satellite TV products. The most serious
issue will allow attackers to completely compromise the affected
application. Limited information is currently available regarding
these issues. Devices from Onet.pl S.A, Advanced Digital Broadcast,
STMicroelectronics, ITI Neovision, Conax AS and DreamLab Onet.pl S are
affected.
Ref http://www.securityfocus.com/bid/51251/discuss
http://www.security-explorations.com/en/SE-2011-01.html

12.2.26 CVE CVE-2012-0261,CVE-2012-0262,CVE-2012-0263,CVE-2012-0264
Platform Hardware
Title Op5 Appliance Multiple Unspecified Remote Command Execution Vulnerabilities
Description Op5 Monitor and op5 Appliance are network monitoring
servers. The servers are exposed to multiple remote command execution
issues and a credential leaking issue because they fail to properly
validate user-supplied input. op5 Monitor 5.5.x and op5 Appliance are
affected.
Ref
http://www.op5.com/news/support-news/fixed-vulnerabilities-op5-monitor-op5-appliance/
