
@RISK Newsletter for January 05, 2012 The Consensus Security Vulnerability Alert

This is a weekly newsletter that provides in-depth analysis of the latest vulnerabilities with straightforward remediation advice. Qualys supplies a large part of the newly-discovered vulnerability content used in this newsletter.


@RISK: The Consensus Security Vulnerability Alert
Vol. 12, Num. 1

Providing a reliable, weekly summary of newly discovered attack vectors, vulnerabilities with active exploits, and explanations of how recent attacks worked.

Archived issues may be found at https://www.qualys.com/research/sans-at-risk/


Summary of Updates and Vulnerabilities in this Consensus

Platform                                  Updates / Vulnerabilities
Other Microsoft Products                  1 (#1)
Third Party Windows Apps                  1
Linux                                     1
Cross Platform                            4
Web Application - Cross Site Scripting    3
Web Application - SQL Injection           5
Web Application                           8
Network Device                            1
Hardware                                  2

Part I – Critical Vulnerabilities from TippingPoint (www.tippingpoint.com)

Widely Deployed Software
(1) MEDIUM: ASP.NET Authentication Bypass


Part II – Comprehensive List of Newly Discovered Vulnerabilities from Qualys

(www.qualys.com)

Other Microsoft Products

12.2.1 - Microsoft ASP.NET Multiple vulnerabilities

Third Party Windows Apps

12.2.2 - IBM Web Experience Factory Smart Refresh HTML Injection

Linux

12.2.3 - lio-utils Debug Mode Insecure Temporary File Creation

Cross Platform

12.2.4 - VLC Media Player TiVo Demuxer Remote Heap-Based Buffer Overflow
12.2.5 - Java Hash Collision Denial of Service
12.2.6 - Python Hash Collision Denial of Service
12.2.7 - Apache Tomcat Hash Collision Denial of Service

Web Application - Cross Site Scripting

12.2.8 - Siena CMS “err” Parameter Cross-Site Scripting
12.2.9 - PhpMyAdmin Multiple Cross-Site Scripting Vulnerabilities
12.2.10 - BigACE Multiple Cross-Site Scripting Vulnerabilities

Web Application - SQL Injection

12.2.11 - WSN Links “report.php” SQL Injection
12.2.12 - Plogger “id” Parameter SQL Injection
12.2.13 - OpenEMR “validateUser.php” SQL Injection
12.2.14 - DedeCMS Multiple SQL Injection Vulnerabilities
12.2.15 - Akiva WebBoard “name” Parameter SQL Injection

Web Application

12.2.16 - RapidLeech “notes” Parameter HTML Injection
12.2.17 - Winn Guestbook “name” Parameter HTML Injection
12.2.18 - Joomla! Simple File Upload Arbitrary File Upload
12.2.19 - Mavili Guestbook Multiple Security Vulnerabilities
12.2.20 - E107 Multiple Vulnerabilities
12.2.21 - Bugzilla Cross-Site Scripting and Security Bypass Vulnerabilities
12.2.22 - Register Plus Redux Multiple Security vulnerabilities
12.2.23 - Vtiger CRM “graph.php” Script Authentication Bypass

Network Device

12.2.24 - WiFi Protected Setup PIN Brute Force Authentication Bypass

Hardware

12.2.25 - Multiple Digital Satellite TV Platforms Multiple Unspecified Vulnerabilities
12.2.26 - Op5 Appliance Multiple Unspecified Remote Command Execution Vulnerabilities


PART I Critical Vulnerabilities

Part I for this issue has been compiled by Josh Bronson at TippingPoint,
a division of HP, as a by-product of that company’s continuous effort
to ensure that its intrusion prevention products effectively block
exploits using known vulnerabilities. TippingPoint’s analysis is
complemented by input from a council of security managers from twelve
large organizations who confidentially share with SANS the specific
actions they have taken to protect their systems. A detailed description
of the process may be found at
http://www.sans.org/newsletters/risk/#process


(1) MEDIUM: ASP.NET Authentication Bypass

Affected:
Microsoft .NET Framework 1.1 Service Pack 1
Microsoft .NET Framework 2.0 Service Pack 2
Microsoft .NET Framework 3.5 Service Pack 1
Microsoft .NET Framework 4

Description: Microsoft has released patches for multiple security
vulnerabilities affecting its ASP.NET web application framework. ASP.NET
has built-in code for authenticating users to web applications, and the
updates address vulnerabilities in that code. By sending a malicious
request to a vulnerable ASP.NET server, an attacker can exploit one of
these vulnerabilities to gain access to a user account whose name the
attacker already knows. Separately, by enticing a target to click a
malicious link, an attacker could gain access to the target’s user
account. Once in control of an account, the attacker can perform any
action on the site that the account’s permissions allow.

Status: vendor confirmed, updates available

References:
Vendor Site
http://www.microsoft.com
Microsoft Security Bulletin
http://technet.microsoft.com/en-us/security/bulletin/ms11-100
SecurityFocus BugTraq IDs
http://www.securityfocus.com/bid/51201
http://www.securityfocus.com/bid/51203


Part II – Comprehensive List of Newly Discovered Vulnerabilities from Qualys

(www.qualys.com)

This list is compiled by Qualys (www.qualys.com) as part of that
company’s ongoing effort to ensure its vulnerability management web
service tests for all known vulnerabilities that can be scanned. As of
this week Qualys scans for 12975 unique vulnerabilities. For this
special SANS community listing, Qualys also includes vulnerabilities
that cannot be scanned remotely.


12.2.1 CVE: CVE-2011-3414,CVE-2011-3415,CVE-2011-3416,CVE-2011-3417

Platform: Other Microsoft Products
Title: Microsoft ASP.NET Multiple vulnerabilities
Description: ASP.NET is a Web application framework developed and
marketed by Microsoft. The framework is exposed to multiple security
issues, including vulnerabilities in its built-in user authentication
code (see Part I, item 1); see the reference for further details.
Microsoft .NET Framework 1.1 Service Pack 1, Microsoft .NET Framework
2.0 Service Pack 2, Microsoft .NET Framework 3.5 Service Pack 1,
Microsoft .NET Framework 3.5.1 and Microsoft .NET Framework 4 on all
supported editions of Microsoft Windows are affected.
Ref: http://technet.microsoft.com/en-us/security/bulletin/ms11-100


12.2.2 CVE: Not Available

Platform: Third Party Windows Apps
Title: IBM Web Experience Factory Smart Refresh HTML Injection
Description: IBM Web Experience Factory is a development tool for
building portal and web applications. The application is exposed to an
HTML injection issue because it fails to properly sanitize
user-supplied input. This issue affects the “Smart Refresh” component.
IBM Web Experience Factory 7.0 and 7.0.1 are affected.
Ref: http://www-01.ibm.com/support/docview.wss?uid=swg21575083


12.2.3 CVE: Not Available

Platform: Linux
Title: lio-utils Debug Mode Insecure Temporary File Creation
Description: lio-utils is the user-space configuration tool set for the
LIO (Linux-IO) SCSI target. The application is exposed to an insecure
temporary file creation issue. A logic error in the “/etc/init.d/target”
init script lets the application fall unexpectedly into debug mode, in
which it creates the “/tmp/tgetctl-dbug” file in an insecure manner
(a fixed, predictable name in a world-writable directory). lio-utils 4.1
is vulnerable; other versions may also be affected.
Ref: http://www.securityfocus.com/bid/51242/references
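
Added example (constructed; not code from lio-utils or from the advisory)
showing why a fixed name in /tmp is unsafe and the two usual fixes. A local
attacker who can predict the name plants a symbolic link there first; a
privileged process that later opens the path for writing follows the link and
truncates whatever it points at. Only the file name tgetctl-dbug is taken from
the advisory; the attacker and victim roles below are a simulation run inside
a private temporary directory, not a run against the real init script.

```python
"""Predictable temp file versus O_EXCL|O_NOFOLLOW and mkstemp (constructed demo)."""
import os
import tempfile


def attacker_plants_symlink(tmpdir: str, victim_file: str) -> str:
    """Attacker wins the race: the predictable name now points at a file the
    privileged process has no business touching."""
    link = os.path.join(tmpdir, "tgetctl-dbug")   # name taken from the advisory
    os.symlink(victim_file, link)
    return link


def vulnerable_write(path: str, data: str) -> None:
    """The bug pattern: open(path, "w") on a fixed name in a shared directory
    follows symlinks and truncates the target."""
    with open(path, "w") as f:
        f.write(data)


def safe_write(path: str, data: str) -> None:
    """Fix 1: create exclusively, never follow a link, refuse an existing name.
    Raises OSError (EEXIST) if anything, including a dangling symlink, is there."""
    flags = os.O_WRONLY | os.O_CREAT | os.O_EXCL | getattr(os, "O_NOFOLLOW", 0)
    fd = os.open(path, flags, 0o600)
    with os.fdopen(fd, "w") as f:
        f.write(data)


def safe_unpredictable_write(tmpdir: str, data: str) -> str:
    """Fix 2: let mkstemp choose an unpredictable name and open it O_EXCL
    atomically (the shell equivalent is mktemp(1)). Returns the path used."""
    fd, path = tempfile.mkstemp(prefix="tgetctl-dbug.", dir=tmpdir)
    with os.fdopen(fd, "w") as f:
        f.write(data)
    return path


def simulate() -> dict:
    """Runs attacker and victim in a private directory; reports what happened."""
    with tempfile.TemporaryDirectory() as tmpdir:
        victim = os.path.join(tmpdir, "important.conf")   # constructed victim file
        with open(victim, "w") as f:
            f.write("keep me\n")
        link = attacker_plants_symlink(tmpdir, victim)

        vulnerable_write(link, "debug output\n")
        with open(victim) as f:
            clobbered = f.read()                 # victim contents were replaced

        try:
            safe_write(link, "debug output\n")
            excl_refused = False
        except OSError:
            excl_refused = True                  # O_EXCL|O_NOFOLLOW refused the link

        used = safe_unpredictable_write(tmpdir, "debug output\n")
        return {
            "clobbered": clobbered,
            "excl_refused": excl_refused,
            "mkstemp_name_differs": os.path.basename(used) != "tgetctl-dbug",
        }


if __name__ == "__main__":
    print(simulate())
```

The O_EXCL flag is what makes the fix work: POSIX requires open() with
O_CREAT|O_EXCL to fail with EEXIST when the path names a symbolic link,
regardless of where the link points, so the attacker's planted link cannot be
followed. Shell scripts such as an init script get the same guarantee from
mktemp(1), which is the fix to look for when reviewing this class of bug.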


12.2.4 CVE: Not Available

Platform: Cross Platform
Title: VLC Media Player TiVo Demuxer Remote Heap-Based Buffer Overflow
Description: VLC is a cross-platform media player. It is exposed to a
heap-based buffer overflow in its TiVo demuxer, triggered when the
demuxer parses a specially crafted header in a TiVo (“.ty”) file. VLC
media player versions 0.9.0 through 1.1.12 are vulnerable; other
versions may also be affected.
Ref: http://www.videolan.org/security/sa1108.html


12.2.5 CVE: Not Available

Platform: Cross Platform
Title: Java Hash Collision Denial of Service
Description: Java is a programming language and runtime platform. Java
web application servers are exposed to a denial of service issue
because they store HTTP POST form fields in hash tables keyed by a
deterministic string hash. A specially crafted form in an HTTP POST
request can supply many field names that hash to the same value,
degrading table inserts to linear time and causing high CPU
consumption. Java 7 and prior are affected.
Ref: http://www.ocert.org/advisories/ocert-2011-003.html
http://www.securityfocus.com/bid/51236/references


12.2.6 CVE: Not Available

Platform: Cross Platform
Title: Python Hash Collision Denial of Service
Description: Python is a programming language available for multiple
platforms. Python web frameworks are exposed to a denial of service
issue because they store HTTP POST form fields in dictionaries keyed by
a deterministic string hash. A specially crafted form in an HTTP POST
request can supply many field names that hash to the same value,
resulting in high CPU consumption. All versions of Python available at
the time of publication are affected.
Ref: http://www.securityfocus.com/bid/51239/references


12.2.7 CVE: CVE-2011-4084

Platform: Cross Platform
Title: Apache Tomcat Hash Collision Denial of Service
Description: Apache Tomcat is a Java-based web server and servlet
container for multiple operating systems. It is exposed to a denial of
service issue because it stores HTTP POST form parameters in a hash
table keyed by a deterministic string hash. A specially crafted form in
an HTTP POST request can supply many parameter names that hash to the
same value, resulting in high CPU consumption. All versions of Apache
Tomcat are affected.
Ref:
http://mail-archives.apache.org/mod_mbox/tomcat-announce/201112.mbox/%3C4EFB9800.5010106@apache.org%3E
http://www.securityfocus.com/bid/51200/references
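
Added example (constructed; not code from Java, Python, Tomcat or the oCERT
advisory) showing the mechanism shared by items 12.2.5 to 12.2.7, and by
CVE-2011-3414 in item 12.2.1, which is the ASP.NET instance of the same bug
class. A server that keeps POST parameters in a string-keyed hash table with a
deterministic, unkeyed hash lets the client choose thousands of names that all
land in one bucket; every insert then walks the whole chain and a single
request costs a number of comparisons quadratic in the parameter count. The
31-multiplier hash is java.lang.String.hashCode(); the chained table and the
parameter-count cap are constructed stand-ins for a container's form parser.

```python
"""Hash-collision DoS: colliding keys, the quadratic cost, and the two fixes."""
from itertools import product


def java_string_hash(s: str) -> int:
    """java.lang.String.hashCode(): h = 31*h + c over the code units, wrapped to int32."""
    h = 0
    for ch in s:
        h = (31 * h + ord(ch)) & 0xFFFFFFFF
    return h - (1 << 32) if h & 0x80000000 else h


# 'A'*31 + 'a' == 'B'*31 + 'B' == 2112, so "Aa" and "BB" collide. Because
# hash(x + y) == hash(x) * 31**len(y) + hash(y), every concatenation of k such
# equal-length blocks yields 2**k distinct strings with one common hash value.
COLLIDING_BLOCKS = ("Aa", "BB")


def colliding_keys(k: int) -> list:
    """2**k distinct strings that all share one String.hashCode() value."""
    return ["".join(p) for p in product(COLLIDING_BLOCKS, repeat=k)]


class ChainedTable:
    """Minimal separate-chaining hash table that counts key comparisons."""

    def __init__(self, hash_fn, nbuckets: int = 1024):
        self.hash_fn = hash_fn
        self.buckets = [[] for _ in range(nbuckets)]
        self.comparisons = 0

    def put(self, key, value) -> None:
        chain = self.buckets[self.hash_fn(key) % len(self.buckets)]
        for i, (k, _) in enumerate(chain):
            self.comparisons += 1        # every existing key in the chain is compared
            if k == key:
                chain[i] = (key, value)
                return
        chain.append((key, value))


def insertion_cost(keys, hash_fn) -> int:
    """Comparisons needed to insert all keys: ~n for spread keys, n*(n-1)/2 if they collide."""
    table = ChainedTable(hash_fn)
    for k in keys:
        table.put(k, "x")
    return table.comparisons


def parse_form(body: str, max_params: int = 10000) -> dict:
    """Fix used by Tomcat (maxParameterCount): refuse a request that carries
    more parameters than the server is prepared to hash."""
    pairs = body.split("&") if body else []
    if len(pairs) > max_params:
        raise ValueError(f"too many parameters: {len(pairs)} > {max_params}")
    return dict(p.split("=", 1) for p in pairs)


def demo(k: int = 10) -> dict:
    keys = colliding_keys(k)                         # 2**10 = 1024 keys, one bucket
    hostile = insertion_cost(keys, java_string_hash)
    # Fix used by Python and Ruby: a per-process random hash seed. Python's
    # built-in hash() of str is salted by default, so the precomputed set no
    # longer collides and the same keys spread over the buckets.
    salted = insertion_cost(keys, hash)
    return {"keys": len(keys), "hostile": hostile, "salted": salted}


if __name__ == "__main__":
    print(demo())
```

With k = 10 the hostile insert costs 1024 * 1023 / 2 = 523,776 comparisons for
a 1024-parameter request; a real attack sends tens of thousands of parameters
in one POST body and the cost grows quadratically. Either fix on its own
closes the hole: a keyed hash removes the attacker's ability to precompute
collisions, and a parameter cap bounds the work regardless of the hash.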


12.2.8 CVE: Not Available

Platform: Web Application - Cross Site Scripting
Title: Siena CMS “err” Parameter Cross-Site Scripting
Description: Siena CMS (PHP-SCMS) is a PHP-based content management
system. It is exposed to a cross-site scripting issue because it fails
to properly sanitize user-supplied input submitted to the “err”
parameter of the “index.php” script. Siena CMS 1.242 is vulnerable;
other versions may also be affected.
Ref: http://www.securityfocus.com/bid/51218/discuss


12.2.9 CVE: CVE-2011-4780

Platform: Web Application - Cross Site Scripting
Title: PhpMyAdmin Multiple Cross-Site Scripting Vulnerabilities
Description: phpMyAdmin is a web-based administration interface for
MySQL databases. The application is exposed to multiple cross-site
scripting issues because it fails to properly sanitize user-supplied
input submitted to the “libraries/display_export.lib.php” script.
Specifically, these issues affect the export panels in the server,
database and table sections. phpMyAdmin 3.4.x releases prior to 3.4.9
are affected.
Ref: http://www.phpmyadmin.net/home_page/security/PMASA-2011-20.php


12.2.10 CVE: Not Available

Platform: Web Application - Cross Site Scripting
Title: BigACE Multiple Cross-Site Scripting Vulnerabilities
Description: BigACE is a PHP-based content manager. The application is
exposed to multiple cross-site scripting issues because it fails to
sufficiently sanitize user-supplied input submitted to multiple
scripts and parameters. BigACE 2.7.5 is vulnerable; other versions may
also be affected.
Ref: http://www.securityfocus.com/archive/1/521088


12.2.11 CVE: Not Available

Platform: Web Application - SQL Injection
Title: WSN Links “report.php” SQL Injection
Description: WSN Links is a web-based directory application
implemented in PHP. The application is exposed to an SQL injection
issue because it fails to sufficiently sanitize user-supplied input
submitted to the “id” parameter of the “report.php” script. All
versions of WSN Links are affected.
Ref: http://www.securityfocus.com/bid/51222/discuss


12.2.12 CVE: Not Available

Platform: Web Application - SQL Injection
Title: Plogger “id” Parameter SQL Injection
Description: Plogger is a web-based photo gallery application
implemented in PHP. The application is exposed to an SQL injection
issue because it fails to sufficiently sanitize user-supplied data
submitted to the “id” parameter. Plogger 1.0 RC1 is affected.
Ref: http://www.securityfocus.com/bid/51228/discuss


12.2.13 CVE: Not Available

Platform: Web Application - SQL Injection
Title: OpenEMR “validateUser.php” SQL Injection
Description: OpenEMR is an electronic medical record application
implemented in PHP. The application is exposed to an SQL injection
issue because it fails to properly sanitize user-supplied input
submitted to the “u” parameter of the
“interface/login/validateUser.php” script. OpenEMR 4.1.0 is
vulnerable; other versions may also be affected.
Ref:
http://www.mavitunasecurity.com/sql-injection-vulnerability-in-openemr/
http://www.securityfocus.com/bid/51247/references


12.2.14 CVE: Not Available

Platform: Web Application - SQL Injection
Title: DedeCMS Multiple SQL Injection Vulnerabilities
Description: DedeCMS is a PHP-based content manager. The application
is exposed to multiple SQL injection issues because it fails to
sufficiently sanitize user-supplied data submitted to the following
scripts and parameters: “list.php”: “id”, “members.php”: “id” and
“book.php”: “id”. DeDeCMS 5.1, 5.3, 5.5 and 5.6 are affected.
Ref: http://www.securityfocus.com/bid/51211/discuss


12.2.15 CVE: Not Available

Platform: Web Application - SQL Injection
Title: Akiva WebBoard “name” Parameter SQL Injection
Description: Akiva WebBoard is an ASP-based bulletin board application.
The application is exposed to an SQL injection issue because it fails
to sufficiently sanitize user-supplied data submitted to the “name”
parameter of the “WB/Default.asp” script. Versions prior to Akiva
WebBoard 8 SR 1 are affected.
Ref: http://www.securityfocus.com/bid/51210/references
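
Added example (constructed; not code from any of the applications in items
12.2.11 to 12.2.15) showing the bug pattern those five entries share and its
fix, on a login check of the kind OpenEMR’s validateUser.php performs with its
“u” parameter and on a numeric “id” lookup of the kind behind the report.php,
Plogger and DedeCMS entries. The schema, rows, query text and payloads are
hypothetical, and sqlite3 stands in for MySQL; the point is the difference
between interpolating a request parameter into SQL and binding it.

```python
"""SQL injection: string-built queries beside parameterised ones (constructed demo)."""
import sqlite3


def make_db() -> sqlite3.Connection:
    """In-memory stand-in for the application's user table (constructed data)."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, username TEXT, active INTEGER)")
    conn.executemany("INSERT INTO users (username, active) VALUES (?, ?)",
                     [("admin", 1), ("alice", 1), ("bob", 0)])
    return conn


def validate_user_vulnerable(conn, u: str) -> list:
    """The bug: concatenation. A quote in the input closes the literal and the
    remainder of the input is parsed and executed as SQL."""
    sql = "SELECT id, username FROM users WHERE username = '" + u + "' AND active = 1"
    return conn.execute(sql).fetchall()


def validate_user_safe(conn, u: str) -> list:
    """The fix: a bound parameter. The whole input is compared as one value,
    quotes included, and can never alter the statement."""
    return conn.execute(
        "SELECT id, username FROM users WHERE username = ? AND active = 1", (u,)
    ).fetchall()


def lookup_id_vulnerable(conn, id_param: str) -> list:
    """Numeric parameters are no safer: with no quoting at all, the payload
    needs no quote either."""
    return conn.execute("SELECT username FROM users WHERE id = " + id_param).fetchall()


def lookup_id_safe(conn, id_param: str) -> list:
    """Validate the type first (int() rejects anything but digits), then bind."""
    return conn.execute("SELECT username FROM users WHERE id = ?", (int(id_param),)).fetchall()


def demo() -> dict:
    conn = make_db()
    benign = "alice"
    # Tautology payload; the trailing "-- " comments out the "AND active = 1" clause.
    hostile = "x' OR '1'='1' -- "
    return {
        "benign_vuln": validate_user_vulnerable(conn, benign),
        "benign_safe": validate_user_safe(conn, benign),
        "hostile_vuln": validate_user_vulnerable(conn, hostile),   # every user, even disabled bob
        "hostile_safe": validate_user_safe(conn, hostile),        # no rows
        "id_vuln": lookup_id_vulnerable(conn, "1 OR 1=1"),        # whole table
        "id_safe": lookup_id_safe(conn, "2"),                     # just alice
    }


if __name__ == "__main__":
    for name, rows in demo().items():
        print(f"{name:13s} {rows}")
```

When reviewing PHP code like the applications listed above, the thing to look
for is the same in every case: a request variable reaching a query string
through concatenation or interpolation instead of a prepared statement with
bound parameters, with a separate type check for values that must be integers.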


12.2.16 CVE: Not Available

Platform: Web Application
Title: RapidLeech “notes” Parameter HTML Injection
Description: RapidLeech is a PHP-based server transfer script. The
application is exposed to an HTML injection issue because it fails to
sufficiently sanitize user-supplied data submitted to the “notes” parameter of
the “notes.php” script. RapidLeech 2.3 is vulnerable and other versions
may also be affected.
Ref: http://www.securityfocus.com/bid/51230/discuss


12.2.17 CVE: CVE-2011-5026

Platform: Web Application
Title: Winn Guestbook “name” Parameter HTML Injection
Description: Winn Guestbook is a Web application implemented in PHP.
The application is exposed to an HTML injection issue because it fails
to sufficiently sanitize user-supplied data submitted to the “name” parameter of
the “index.php” script. Winn Guestbook 2.4.8c is vulnerable and other
versions may also be affected.
Ref: http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2011-5026
http://www.securityfocus.com/bid/51232/references


12.2.18 CVE: Not Available

Platform: Web Application
Title: Joomla! Simple File Upload Arbitrary File Upload
Description: Joomla! is a PHP-based content management system, and
Simple File Upload is an extension for it. The extension is exposed to
an arbitrary file upload issue because it fails to properly validate
uploaded files. Specifically, it does not reject files with the “.php5”
extension, which PHP-enabled web servers commonly execute as PHP
scripts, so an attacker can upload a script and run it on the web
server. Simple File Upload 1.3 is vulnerable; other versions may also
be affected.
Ref:
http://wasen.net/index.php?option=com_content&view=article&id=64&Itemid=59
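
Added example (constructed; not the Simple File Upload extension’s code)
showing the validation mistake described in item 12.2.18 and the fix. A
deny-list of “dangerous” extensions misses the equivalents a web server also
hands to the PHP interpreter (.php5, .phtml and similar), whereas an allow-list
of the few types the feature actually needs rejects everything else by
construction. The extension sets, the sample file names and the stored-name
scheme are hypothetical.

```python
"""Upload extension checks: deny-list (the bug) beside allow-list (the fix)."""
import os

DENY = {".php"}                                      # the mistake: enumerate what is bad
ALLOW = {".jpg", ".jpeg", ".png", ".gif", ".pdf"}    # the fix: enumerate what is good


def _ext(filename: str) -> str:
    """Last extension, lower-cased, so case tricks like .PHP5 are normalised."""
    return os.path.splitext(filename.strip())[1].lower()


def allowed_by_denylist(filename: str) -> bool:
    """Accepts anything not explicitly listed: .php5 and .phtml sail through."""
    return _ext(filename) not in DENY


def allowed_by_allowlist(filename: str) -> bool:
    """Accepts only the handful of types the feature needs."""
    return _ext(filename) in ALLOW


def safe_stored_name(filename: str, counter: int) -> str:
    """Defence in depth: never store under the client's name. The server picks
    the name from the validated extension, so a double extension such as
    shell.php.jpg loses its inner .php and cannot be reinterpreted later."""
    if not allowed_by_allowlist(filename):
        raise ValueError("disallowed file type: " + filename)
    return f"upload_{counter:08d}{_ext(filename)}"


def audit(filenames) -> dict:
    """For each name: (deny-list verdict, allow-list verdict)."""
    return {name: (allowed_by_denylist(name), allowed_by_allowlist(name)) for name in filenames}


SAMPLE_UPLOADS = ["photo.jpg", "shell.php", "shell.php5", "shell.phtml",  # constructed
                  "shell.PHP5", "shell.php.jpg"]

if __name__ == "__main__":
    for name, verdict in audit(SAMPLE_UPLOADS).items():
        print(f"{name:15s} deny-list={verdict[0]!s:5s} allow-list={verdict[1]}")
```

Even with an allow-list, the upload directory should sit outside the document
root or have script execution disabled in the web server configuration, so that
a file whose content is PHP but whose name is upload_00000001.jpg is never
interpreted whatever the server's handler mapping looks like.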


12.2.19 CVE: Not Available

Platform: Web Application
Title: Mavili Guestbook Multiple Security Vulnerabilities
Description: Mavili Guestbook is a web-based application implemented
in ASP. Mavili Guestbook is exposed to multiple security vulnerabilities.
An SQL injection issue affects the “id” parameter of the “/edit.asp”
script. Multiple cross-site scripting issues occur and a security bypass
issue exists. Mavili Guestbook 200711 is affected.
Ref: http://www.securityfocus.com/archive/1/521090


12.2.20 CVE: Not Available

Platform: Web Application
Title: E107 Multiple Vulnerabilities
Description: E107 is a PHP-based content management system. The application is
exposed to multiple issues. A cross-site scripting issue
affects the “resend_name” parameter of the “e107_admin/users.php”
script. Multiple cross-site scripting issues affect the
“e107_images/thumb.php” and “rate.php” scripts. An HTML injection
issue affects the “link” BBCode in user signatures. An SQL
injection issue affects the “username” parameter of the
“usersettings.php” script. E107 0.7.26 is vulnerable and other versions
may be affected.
Ref: http://secunia.com/advisories/46706/
http://permalink.gmane.org/gmane.comp.security.oss.general/6571


12.2.21 CVE: CVE-2011-3657,CVE-2011-3667

Platform: Web Application
Title: Bugzilla Cross Site Scripting and Security Bypass
Vulnerabilities
Description: Bugzilla is a web-based bug tracking application. The
application is exposed to multiple issues. A cross-site
scripting issue occurs in the “chart.cgi” and “report.cgi” scripts.
A security-bypass issue occurs because the
“User.offer_account_by_email()” method fails to check the
“user_can_create_account” setting of the authentication method in
account creation. Bugzilla 2.17.1 to 3.4.12, 3.5.1 to 3.6.6, 3.7.1 to
4.0.2 and 4.1.1 to 4.1.3 are affected.
Ref: http://www.bugzilla.org/security/3.4.12/
http://www.securityfocus.com/bid/51213/references


12.2.22 CVE: Not Available

Platform: Web Application
Title: Register Plus Redux Multiple Security vulnerabilities
Description: Register Plus Redux is a plugin for WordPress, a web-based
publishing application implemented in PHP. The plugin is exposed to
multiple input-validation issues. See reference for further details.
Register Plus Redux 3.7.3.1 is vulnerable; other versions may also be
affected.
Ref: http://www.securityfocus.com/archive/1/520561


12.2.23 CVE: Not Available

Platform: Web Application
Title: Vtiger CRM “graph.php” Script Authentication Bypass
Description: Vtiger CRM is a PHP-based customer relationship
management application. The application is exposed to an
authentication bypass issue because it fails to check credentials in
database backup requests through the “graph.php” script. Vtiger CRM
5.2.x and 5.1.x are affected.
Ref:
http://francoisharvey.ca/2011/12/advisory-meds-2011-01-vtigercrm-anonymous-access-to-setting-module/


12.2.24 CVE: Not Available

Platform: Network Device
Title: WiFi Protected Setup PIN Brute Force Authentication Bypass
Description: Wi-Fi Protected Setup (WPS) is a Wi-Fi Alliance standard
intended to ease the setup and securing of a wireless home network. WPS
is exposed to an authentication bypass issue because it does not
require a lock-out policy against brute-force attempts. Specifically,
the “external registrar” method requires only the router’s PIN for
authentication, and an attacker can learn whether a PIN guess is
correct from the “EAP-NACK” message the router sends when PIN
authentication fails. Wireless routers that support WPS are affected.
Ref: http://www.kb.cert.org/vuls/id/723755
http://www.securityfocus.com/bid/51187/references
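
Added example (constructed; not vendor or Wi-Fi Alliance code) showing why
the WPS PIN falls to a brute force of at most 11,000 attempts instead of the
10^8 an eight-digit PIN suggests. Two protocol facts used here come from the
referenced VU#723755 advisory rather than from the text above: the eighth PIN
digit is a checksum of the first seven, and the registrar validates the PIN in
two halves, answering EAP-NACK after message M4 when the first four digits are
wrong and after M6 when the last three are. The registrar below is a simulation
with no lock-out, which is exactly the missing control; the PIN 12345670 is a
constructed test value.

```python
"""WPS PIN: checksum digit, the two-half oracle, and the 11,000-attempt search."""


def wps_checksum(first7: int) -> int:
    """Eighth digit of a WPS PIN: weighted sum (3,1,3,1,3,1,3) of the first
    seven digits, taken least-significant first, padded up to a multiple of 10."""
    accum, n = 0, first7
    for weight in (3, 1, 3, 1, 3, 1, 3):
        accum += weight * (n % 10)
        n //= 10
    return (10 - accum % 10) % 10


def full_pin(first7: int) -> str:
    """Seven chosen digits plus their checksum, as the eight-digit PIN string."""
    return f"{first7:07d}{wps_checksum(first7)}"


class SimulatedRegistrar:
    """AP-side WPS registrar with no failed-attempt lock-out (the flaw)."""

    def __init__(self, pin: str):
        self._pin, self.attempts = pin, 0

    def try_pin(self, pin: str) -> str:
        self.attempts += 1
        if pin[:4] != self._pin[:4]:
            return "EAP-NACK after M4"   # first half rejected: oracle over 10**4
        if pin[4:] != self._pin[4:]:
            return "EAP-NACK after M6"   # second half rejected: oracle over 10**3
        return "M7"                       # success: the AP hands over its WPA credentials


def brute_force(reg: SimulatedRegistrar) -> str:
    """Phase 1 finds the first half on its own (at most 10,000 tries); phase 2
    the remaining three free digits (at most 1,000 tries, checksum computed)."""
    first_half = None
    for a in range(10000):
        if reg.try_pin(f"{a:04d}0000") != "EAP-NACK after M4":
            first_half = f"{a:04d}"
            break
    for b in range(1000):
        pin = full_pin(int(first_half + f"{b:03d}"))
        if reg.try_pin(pin) == "M7":
            return pin
    raise RuntimeError("PIN not recovered")


def demo(pin: str = "12345670") -> dict:
    reg = SimulatedRegistrar(pin)
    recovered = brute_force(reg)
    return {"recovered": recovered, "attempts": reg.attempts,
            "worst_case": 10**4 + 10**3, "naive_space": 10**7}


if __name__ == "__main__":
    print(demo())
```

The search never has to treat the PIN as one 10^7 secret because the M4/M6
split lets each half be confirmed independently. A registrar that locks out
after a small number of failures, or a router with WPS (at least the external
registrar method) disabled, removes the oracle; that is the check to make on
any WPS-capable access point.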


12.2.25 CVE: Not Available

Platform: Hardware
Title: Multiple Digital Satellite TV Platforms Multiple Unspecified
Vulnerabilities
Description: Multiple digital satellite TV platforms are exposed to
multiple unspecified issues. In total, 24 unspecified security issues
have been reported in various satellite TV products. The most serious
issue allows attackers to completely compromise the affected platform.
Limited information is currently available regarding these issues.
Devices from Onet.pl S.A, Advanced Digital Broadcast,
STMicroelectronics, ITI Neovision, Conax AS and DreamLab Onet.pl S are
affected.
Ref: http://www.securityfocus.com/bid/51251/discuss
http://www.security-explorations.com/en/SE-2011-01.html


12.2.26 CVE: CVE-2012-0261,CVE-2012-0262,CVE-2012-0263,CVE-2012-0264

Platform: Hardware
Title: Op5 Appliance Multiple Unspecified Remote Command Execution
Vulnerabilities
Description: op5 Monitor and op5 Appliance are network monitoring
servers. They are exposed to multiple remote command execution issues
and a credential leakage issue because they fail to properly validate
user-supplied input. op5 Monitor 5.5.x and op5 Appliance are affected.
Ref:
http://www.op5.com/news/support-news/fixed-vulnerabilities-op5-monitor-op5-appliance/

