Weekly Vulnerabilities Reports > January 2 to 8, 2006

Overview

49 new vulnerabilities were reported during this period, including 0 critical vulnerabilities and 21 high severity vulnerabilities. This weekly summary reports vulnerabilities in 45 products from 42 vendors, including Ralph Capper, Linux, Enhanced Simple PHP Gallery, Idea Development ID OY, and Oaboard. The most common vulnerability categories are "Cross-site Scripting", "Code Injection", "Use of Externally-Controlled Format String", "Resource Management Errors", and "Information Exposure".

  • 43 reported vulnerabilities are remotely exploitable.
  • 3 reported vulnerabilities have a public exploit available.
  • 3 reported vulnerabilities are related to weaknesses in OWASP Top Ten.
  • 49 reported vulnerabilities are exploitable by an anonymous user.
  • Ralph Capper has the most reported vulnerabilities, with 3 reported vulnerabilities.

Vulnerability Details

The following tables list the vulnerabilities reported during the period covered by this report:

0 Critical Vulnerabilities

DATE CVE VENDOR VULNERABILITY CVSS

21 High Vulnerabilities

DATE CVE VENDOR VULNERABILITY CVSS
2006-01-04 CVE-2006-0081 Intel Resource Management Errors vulnerability in Intel Graphics Accelerator Driver 6.14.10.4308

ialmnt5.sys in the ialmrnt5 display driver in Intel Graphics Accelerator Driver 6.14.10.4308 allows attackers to cause a denial of service (crash or screen resolution change) via a long text field, as demonstrated using a long window title.

7.8
2006-01-07 CVE-2006-0108 Idea Development ID OY SQL-Injection vulnerability in Timecan CMS

SQL injection vulnerability in mcl_login.asp in Timecan CMS allows remote attackers to execute arbitrary SQL commands via the email parameter.

7.5
2006-01-07 CVE-2006-0107 Idea Development ID OY SQL Injection vulnerability in Timecan CMS ViewID

SQL injection vulnerability in Timecan CMS allows remote attackers to execute arbitrary SQL commands via the viewID parameter.

7.5
2006-01-06 CVE-2006-0106 Wine Remote Security vulnerability in Wine

gdi/driver.c and gdi/printdrv.c in Wine 20050930, and other versions, implement the SETABORTPROC GDI Escape function call for Windows Metafile (WMF) files, which allows attackers to execute arbitrary code, the same vulnerability as CVE-2005-4560 but in a different codebase.

7.5
2006-01-06 CVE-2006-0099 Valdersoft Remote File Include vulnerability in Valdersoft Shopping Cart 3.0

PHP remote file include vulnerability in (1) include/templates/categories/default.php and (2) certain other include/templates/categories/ PHP scripts in Valdersoft Shopping Cart 3.0 allows remote attackers to execute arbitrary code via a URL in the catalogDocumentRoot parameter.

7.5
2006-01-06 CVE-2006-0097 PHP Improper Restriction of Operations Within the Bounds of A Memory Buffer vulnerability in PHP

Stack-based buffer overflow in the create_named_pipe function in libmysql.c in PHP 4.3.10 and 4.4.x before 4.4.3 for Windows allows attackers to execute arbitrary code via a long (1) arg_host or (2) arg_unix_socket argument, as demonstrated by a long named pipe variable in the host argument to the mysql_connect function.

7.5
2006-01-05 CVE-2006-0094 Oaboard Code Injection vulnerability in Oaboard 1.0

PHP remote file include vulnerability in forum.php in oaBoard 1.0 allows remote attackers to execute arbitrary PHP code via a URL in the inc_stat parameter, a different vulnerability than CVE-2006-0076.

7.5
2006-01-05 CVE-2006-0088 Intouch SQL Injection vulnerability in Intouch 0.5.1Alpha

SQL injection vulnerability in intouch.lib.php in inTouch 0.5.1 Alpha allows remote attackers to execute arbitrary SQL commands via the user parameter.

7.5
2006-01-05 CVE-2006-0087 Lizard Cart SQL Injection vulnerability in Lizard Cart Lizard Cart CMS 1.0.4

SQL injection vulnerability in (1) pages.php and (2) detail.php in Lizard Cart CMS 1.04 allows remote attackers to execute arbitrary SQL commands via the id parameter.

7.5
2006-01-05 CVE-2006-0085 Nkads SQL-Injection vulnerability in Nkads 1.0Alfa2/1.0Alfa3

SQL injection vulnerability in Nkads 1.0 alfa 3 allows remote attackers to execute arbitrary SQL commands via the (1) usuario_nkads_admin or (2) password_nkads_admin parameters.

7.5
2006-01-04 CVE-2006-0079 Scoznet SQL Injection vulnerability in Scoznet Scozbook 1.1Beta

SQL injection vulnerability in auth.php in ScozNet ScozBook BETA 1.1 allows remote attackers to execute arbitrary SQL commands via the username field (adminname variable).

7.5
2006-01-04 CVE-2006-0076 Oaboard Remote File Include vulnerability in Oaboard 1.0

PHP remote file include vulnerability in forum.php in oaBoard 1.0 allows remote attackers to execute arbitrary PHP code via a URL in the inc parameter.

7.5
2006-01-04 CVE-2006-0075 GNU Unspecified vulnerability in GNU PHPbook

Direct static code injection vulnerability in phpBook 1.3.2 and earlier allows remote attackers to execute arbitrary PHP code via the e-mail field (mail variable) in a new message, which is written to a PHP file.

7.5
2006-01-04 CVE-2006-0074 Jevontech SQL Injection vulnerability in Jevontech PHPenpals

SQL injection vulnerability in profile.php in PHPenpals allows remote attackers to execute arbitrary SQL commands via the personalID parameter.

7.5
2006-01-04 CVE-2006-0072 SCO Buffer Overflow vulnerability in SCO OpenServer Termsh

Buffer overflow in termsh on SCO OpenServer 5.0.7 allows remote attackers to execute arbitrary code via a long -o command line argument.

7.5
2006-01-03 CVE-2006-0068 Primo Place SQL Injection vulnerability in Primo Place Primo Cart

SQL injection vulnerability in Primo Cart 1.0 and earlier allows remote attackers to execute arbitrary SQL commands via the (1) q parameter to search.php and (2) email parameter to user.php.

7.5
2006-01-03 CVE-2006-0067 Vego SQL Injection vulnerability in VEGO Links Builder Login Script

SQL injection vulnerability in login.php in VEGO Links Builder 2.00 and earlier allows remote attackers to execute arbitrary SQL commands via the username parameter.

7.5
2006-01-03 CVE-2006-0066 Phpjournaler SQL Injection vulnerability in PHPjournaler 1.0

SQL injection vulnerability in index.php in PHPjournaler 1.0 allows remote attackers to execute arbitrary SQL commands via the readold parameter.

7.5
2006-01-03 CVE-2006-0065 Vego SQL Injection vulnerability in VEGO Web Forum Theme_ID

SQL injection vulnerability in (1) functions.php, (2) functions_update.php, and (3) functions_display.php in VEGO Web Forum 1.26 and earlier allows remote attackers to execute arbitrary SQL commands via the theme_id parameter in index.php.

7.5
2006-01-03 CVE-2006-0064 Devellion Code Injection vulnerability in Devellion Cubecart

PHP remote file include vulnerability in includes/orderSuccess.inc.php in CubeCart allows remote attackers to execute arbitrary PHP code via a URL in the glob[rootDir] parameter.

7.5
2006-01-06 CVE-2006-0096 Linux Local Firmware Access vulnerability in Linux Kernel SDLA IOCTL Unauthorized

wan/sdla.c in Linux kernel 2.6.x before 2.6.11 and 2.4.x before 2.4.29 does not require the CAP_SYS_RAWIO privilege for an SDLA firmware upgrade, with unknown impact and local attack vectors.

7.2

26 Medium Vulnerabilities

DATE CVE VENDOR VULNERABILITY CVSS
2006-01-04 CVE-2006-0071 Gentoo Local Privilege Escalation vulnerability in Gentoo Pinentry

The ebuild for pinentry before 0.7.2-r2 on Gentoo Linux sets setgid bits for pinentry programs, which allows local users to read or overwrite arbitrary files as gid 0.

6.6
2006-01-04 CVE-2006-0082 Imagemagick Use of Externally-Controlled Format String vulnerability in Imagemagick 6.2.3

Format string vulnerability in the SetImageInfo function in image.c for ImageMagick 6.2.3 and other versions, and GraphicsMagick, allows user-assisted attackers to cause a denial of service (crash) and possibly execute arbitrary code via a numeric format string specifier such as %d in the file name, a variant of CVE-2005-0397, and as demonstrated using the convert program.

5.1
2006-01-07 CVE-2006-0113 Enhanced Simple PHP Gallery Remote Security vulnerability in Enhanced Simple PHP Gallery Enhanced Simple PHP Gallery 1.7

Enhanced Simple PHP Gallery 1.7 allows remote attackers to obtain the full path of the application via a direct request to sp_helper_functions.php, which leaks the pathname in an error message.

5.0
2006-01-07 CVE-2006-0111 Boxcar Media Cross-Site Scripting vulnerability in Shopping Cart

Cross-site scripting vulnerability in index.php in Boxcar Media Shopping Cart allows remote attackers to inject arbitrary web script or HTML via the (1) parent or (2) pg parameter.

5.0
2006-01-07 CVE-2006-0109 Modular Merchant Cross-Site Scripting vulnerability in Modular Merchant Shopping Cart

Cross-site scripting vulnerability in category.php in Modular Merchant Shopping Cart allows remote attackers to inject arbitrary web script or HTML via the cat parameter.

5.0
2006-01-06 CVE-2006-0104 Ralph Capper Directory Traversal vulnerability in TinyPHPForum

Directory traversal vulnerability in TinyPHPForum 3.6 and earlier allows remote attackers to create a new user account, create a new topic, or view the profile of a user account, as demonstrated via a ..

5.0
2006-01-06 CVE-2006-0103 Ralph Capper Information Exposure vulnerability in Ralph Capper Tinyphpforum

TinyPHPForum 3.6 and earlier stores the (1) users/[USERNAME].hash and (2) users/[USERNAME].email files under the web root with insufficient access control, which allows remote attackers to list all registered users and possibly obtain other sensitive information.

5.0
2006-01-05 CVE-2006-0090 IDV Directory Viewer Information Disclosure vulnerability in IDV Directory Viewer IDV Directory Viewer 2005.1B1

Directory traversal vulnerability in index.php in IDV Directory Viewer before 2005.1 allows remote attackers to view arbitrary directory contents via a ..

5.0
2006-01-05 CVE-2006-0089 Esri Buffer Overflow vulnerability in Esri Arcpad 7.0.0.156

Buffer overflow in ESRI ArcPad 7.0.0.156 allows remote attackers to cause a denial of service (application crash) and possibly execute arbitrary code via a .amp file with a COORDSYS tag with a long string attribute.

5.0
2006-01-05 CVE-2006-0086 Next Generation Image Gallery Cross-Site Scripting vulnerability in Next Generation Image Gallery Next Generation Image Gallery 0.0.1Lite

Cross-site scripting vulnerability in index.php in Next Generation Image Gallery 0.0.1 Lite Edition allows remote attackers to inject arbitrary web script or HTML via the page parameter.

5.0
2006-01-05 CVE-2006-0084 Rasmp HTML Injection vulnerability in Rasmp 2.0.0

Cross-site scripting vulnerability in index.php in raSMP 2.0.0 and earlier allows remote attackers to inject arbitrary web script or HTML via the $_SERVER[HTTP_USER_AGENT] variable (User-Agent header).

5.0
2006-01-06 CVE-2006-0100 Nicosw Local Security vulnerability in Nicoftp

Buffer overflow in NicoFTP 3.0.1.19 and earlier might allow local users to execute arbitrary code via a long string in the "Name of site" field of an FTP account.

4.6
2006-01-06 CVE-2006-0098 Openbsd Unspecified vulnerability in Openbsd 3.7/3.8

The dupfdopen function in sys/kern/kern_descrip.c in OpenBSD 3.7 and 3.8 allows local users to re-open arbitrary files by using setuid programs to access file descriptors using /dev/fd/.

4.6
2006-01-07 CVE-2006-0112 Enhanced Simple PHP Gallery Cross-Site Scripting vulnerability in Enhanced Simple PHP Gallery Enhanced Simple PHP Gallery 1.7

Cross-site scripting (XSS) vulnerability in index.php in Enhanced Simple PHP Gallery 1.7 allows remote attackers to inject arbitrary web script or HTML via the dir parameter.

4.3
2006-01-07 CVE-2006-0110 Javier Suarez Sanz Input Validation vulnerability in Javier Suarez Sanz Foro Domus 2.10

Cross-site scripting (XSS) vulnerability in escribir.php in Foro Domus 2.10 allows remote attackers to inject arbitrary web script via the email parameter.

4.3
2006-01-06 CVE-2006-0102 Ralph Capper Cross-Site Scripting vulnerability in Tinyphpforum

Cross-site scripting (XSS) vulnerability in TinyPHPForum (TPF) 3.6 and earlier allows remote attackers to inject arbitrary web script via a javascript: scheme in an "[a]" bbcode tag, possibly the txt parameter to action.php.

4.3
2006-01-06 CVE-2006-0101 Sblog Cross-Site Scripting vulnerability in Sblog

Multiple cross-site scripting (XSS) vulnerabilities in sBLOG 0.7.1 Beta 20051202 and earlier allow remote attackers to inject arbitrary web script or HTML via the (1) p and (2) keyword parameters in (a) index.php and (b) search.php.

4.3
2006-01-06 CVE-2006-0341 Rockliffe Cross-Site Scripting vulnerability in Rockliffe MailSite HTTP Mail Management

Cross-site scripting (XSS) vulnerability in WCONSOLE.DLL in Rockliffe MailSite 5.x and 6.1.22 and earlier allows remote attackers to inject arbitrary web script or HTML via the query string.

4.3
2006-01-05 CVE-2006-0063 Phpbb Group Cross-Site Scripting vulnerability in PHPbb Group PHPbb 2.0.19

Cross-site scripting (XSS) vulnerability in phpBB 2.0.19, when "Allowed HTML tags" is enabled, allows remote attackers to inject arbitrary web script or HTML via a permitted HTML tag with ' (single quote) characters and active attributes such as onmouseover, a variant of CVE-2005-4357.

4.3
2006-01-05 CVE-2006-0093 Ecardmax COM Cross-Site Scripting vulnerability in Atcard Me Php

Cross-site scripting (XSS) vulnerability in index.php in @Card ME PHP allows remote attackers to inject arbitrary web script or HTML via the cat parameter.

4.3
2006-01-05 CVE-2006-0091 Open Xchange Cross-Site Scripting vulnerability in Open-Xchange

Cross-site scripting (XSS) vulnerability in webmail in Open-Xchange 0.8.1-6 and earlier, with "Inline HTML" enabled, allows remote attackers to inject arbitrary web script or HTML via e-mail attachments, which are rendered inline.

4.3
2006-01-04 CVE-2006-0080 Jelsoft HTML Injection vulnerability in Jelsoft Vbulletin 3.5.2

Cross-site scripting (XSS) vulnerability in vBulletin 3.5.2, and possibly earlier versions, allows remote attackers to inject arbitrary web script or HTML via the title of an event, which is not properly filtered by (1) calendar.php and (2) reminder.php.

4.3
2006-01-04 CVE-2006-0078 Haddad Said HTML Injection vulnerability in Haddad Said B-Net Software 1.0

Multiple cross-site scripting (XSS) vulnerabilities in B-net Software 1.0 allow remote attackers to inject arbitrary web script or HTML via the (1) name and (2) shout variables to (a) shout.php, or the (3) title and (4) message variables to (b) guestbook.php.

4.3
2006-01-04 CVE-2006-0073 Discusware Cross-Site Scripting vulnerability in DiscusWare Discus Error Message

Cross-site scripting (XSS) vulnerability in DiscusWare Discus Freeware 3.10.5 and Professional 3.10.4 allows remote attackers to inject arbitrary web script or HTML via unspecified vectors in a URL, which is not properly sanitized from the resulting error message.

4.3
2006-01-04 CVE-2006-0070 Drupal Unspecified vulnerability in Drupal 4.5.6/4.6.4

** DISPUTED ** Drupal allows remote attackers to conduct cross-site scripting (XSS) attacks via an IMG tag with an unusual encoded Javascript function name, as demonstrated using variations of the alert() function.

4.3
2006-01-03 CVE-2006-0069 Chipmunk Scripts HTML Injection vulnerability in Chipmunk Guestbook Homepage

Cross-site scripting (XSS) vulnerability in addentry.php in Chipmunk Guestbook 1.4 and earlier allows remote attackers to inject arbitrary web script or HTML via the homepage parameter.

4.3

2 Low Vulnerabilities

DATE CVE VENDOR VULNERABILITY CVSS
2006-01-06 CVE-2006-0095 Linux Local Information Disclosure vulnerability in Linux Kernel DM-Crypt

dm-crypt in Linux kernel 2.6.15 and earlier does not clear a structure before it is freed, which leads to a memory disclosure that could allow local users to obtain sensitive information about a cryptographic key.

2.1
2006-01-04 CVE-2006-0077 Richard Dawe Buffer Overflow vulnerability in Richard Dawe File Extattr 0.1/0.2

Off-by-one error in the getfattr function in File::ExtAttr before 0.03 allows attackers to trigger a buffer overflow via unspecified attack vectors.

2.1