Weekly Vulnerabilities Reports > January 1 to 7, 2007

Overview

43 new vulnerabilities were reported during this period, including 2 critical vulnerabilities and 19 high severity vulnerabilities. This weekly summary reports vulnerabilities in 41 products from 35 vendors including Adobe, Apple, Cisco, Microsoft, and Apache. Vulnerabilities are notably categorized as "Use of Externally-Controlled Format String", "Improper Restriction of Operations within the Bounds of a Memory Buffer", "Information Exposure", "Cross-site Scripting", and "Cross-Site Request Forgery (CSRF)".

  • 39 reported vulnerabilities are remotely exploitable.
  • 12 reported vulnerabilities have a public exploit available.
  • 1 reported vulnerability is related to weaknesses in the OWASP Top Ten.
  • 38 reported vulnerabilities are exploitable by an anonymous user.
  • Adobe has the most reported vulnerabilities, with 5 reported vulnerabilities.
  • Cisco has the most reported critical vulnerabilities, with 1 reported vulnerability.

Summary counts (table values not preserved in this copy): total vulnerabilities; critical risk vulnerabilities; high risk vulnerabilities; medium risk vulnerabilities; low risk vulnerabilities; remotely exploitable; locally exploitable; exploit available; exploitable anonymously; affecting web application.

Vulnerability Details

The following table lists the reported vulnerabilities for the period covered by this report:


2 Critical Vulnerabilities

DATE | CVE | VENDOR | VULNERABILITY | CVSS
2007-01-04 | CVE-2007-0057 | Cisco | Credentials Management vulnerability in Cisco Network Admission Control Manager and Server System Software | 10.0
  Cisco Clean Access (CCA) 3.6.x through 3.6.4.2 and 4.0.x through 4.0.3.2 does not properly configure or allow modification of a shared secret authentication key, which causes all devices to have the same shared secret and allows remote attackers to gain unauthorized access.

2007-01-05 | CVE-2007-0097 | Conexware | Remote Security vulnerability in Conexware Powerarchiver 2006 9.64.02 | 9.3
  Multiple stack-based buffer overflows in the (1) LoadTree and (2) ReadHeader functions in PAISO.DLL 1.7.3.0 (1.7.3 beta) in ConeXware PowerArchiver 2006 9.64.02 allow user-assisted attackers to execute arbitrary code via a crafted ISO file containing a file within several nested directories.

19 High Vulnerabilities

DATE | CVE | VENDOR | VULNERABILITY | CVSS
2007-01-05 | CVE-2007-0087 | Microsoft | Unspecified vulnerability in Microsoft Internet Information Server | 7.8
  ** DISPUTED ** Microsoft Internet Information Services (IIS), when accessed through a TCP connection with a large window size, allows remote attackers to cause a denial of service (network bandwidth consumption) via a Range header that specifies multiple copies of the same fragment.

2007-01-05 | CVE-2007-0086 | Apache | Unspecified vulnerability in Apache Http Server | 7.8
  ** DISPUTED ** The Apache HTTP Server, when accessed through a TCP connection with a large window size, allows remote attackers to cause a denial of service (network bandwidth consumption) via a Range header that specifies multiple copies of the same fragment.

2007-01-05 | CVE-2007-0079 | Rblog | Information Disclosure vulnerability in Rblog | 7.8
  rblog stores sensitive information under the web root with insufficient access control, which allows remote attackers to download a database via a direct request for (1) data/admin.mdb or (2) data/rblog.mdb.

2007-01-04 | CVE-2007-0058 | Cisco | Information Exposure vulnerability in Cisco Network Admission Control Manager and Server System Software | 7.8
  Cisco Clean Access (CCA) 3.5.x through 3.5.9 and 3.6.x through 3.6.1.1 on the Clean Access Manager (CAM) allows remote attackers to bypass authentication and download arbitrary manual database backups by guessing the snapshot filename using brute force, then making a direct request for the file.

2007-01-05 | CVE-2007-0096 | Carbon Communities | Information Disclosure vulnerability in Carbon Communities | 7.5
  CarbonCommunities stores sensitive information under the web root with insufficient access control, which allows remote attackers to download a database containing passwords via a direct request for DataBase/Carbon2.4d.mdb.

2007-01-05 | CVE-2007-0094 | Sven Moderow | Information Disclosure vulnerability in Sven Moderow Guestbook 0.3A | 7.5
  Sven Moderow GuestBook 0.3a stores sensitive information under the web root with insufficient access control, which allows remote attackers to download a database containing passwords via a direct request for (1) gbook97.mdb or (2) gbook.mdb in ~db/.

2007-01-05 | CVE-2007-0093 | CMS Center | SQL-Injection vulnerability in Simple Web Cms | 7.5
  SQL injection vulnerability in page.php in Simple Web Content Management System allows remote attackers to execute arbitrary SQL commands via the id parameter.

2007-01-05 | CVE-2007-0092 | E Smart Cart | SQL-Injection vulnerability in E-Smart Cart 1.0 | 7.5
  SQL injection vulnerability in productdetail.asp in E-SMARTCART 1.0 allows remote attackers to execute arbitrary SQL commands via the product_id parameter.

2007-01-05 | CVE-2007-0091 | Katy Whitton WEB Development | Information Disclosure vulnerability in Newscmslite | 7.5
  newsCMSlite stores sensitive information under the web root with insufficient access control, which allows remote attackers to download a database containing passwords via a direct request for newsCMS.mdb.

2007-01-05 | CVE-2007-0090 | Fermentigrafici | Information Disclosure vulnerability in Wineglass | 7.5
  WineGlass stores sensitive information under the web root with insufficient access control, which allows remote attackers to download a database containing passwords via a direct request for db/data.mdb.

2007-01-05 | CVE-2007-0089 | Jgbbs | Information Disclosure vulnerability in Jgbbs 3.0 | 7.5
  jgbbs stores sensitive information under the web root with insufficient access control, which allows remote attackers to download a database containing passwords via a direct request for db/bbs.mdb.

2007-01-05 | CVE-2007-0076 | 2Enetworx | Information Disclosure vulnerability in OpenForum | 7.5
  Openforum stores sensitive information under the web root with insufficient access control, which allows remote attackers to download a database containing user passwords via a direct request for openforum.mdb.

2007-01-05 | CVE-2007-0075 | Aspbb | Information Disclosure vulnerability in ASPBB | 7.5
  AspBB stores sensitive information under the web root with insufficient access control, which allows remote attackers to download a database containing user passwords via a direct request for db/aspbb.mdb.

2007-01-04 | CVE-2007-0053 | ASP Siteware | SQL Injection vulnerability in autoDealer Detail.ASP | 7.5
  SQL injection vulnerability in detail.asp in ASP SiteWare autoDealer 2.0 and earlier allows remote attackers to execute arbitrary SQL commands via the iPro parameter.

2007-01-04 | CVE-2007-0052 | Vizayn Haber | SQL Injection vulnerability in Vizayn Haber Haberdetay.ASP | 7.5
  SQL injection vulnerability in haberdetay.asp in Vizayn Haber allows remote attackers to execute arbitrary SQL commands via the id parameter.

2007-01-04 | CVE-2007-0050 | Openpinboard | Unspecified vulnerability in Openpinboard 2.0 | 7.5
  ** DISPUTED ** PHP remote file inclusion vulnerability in index.php in OpenPinboard 2.0 allows remote attackers to execute arbitrary PHP code via a URL in the language parameter.

2007-01-04 | CVE-2007-0049 | Geckovich | Unspecified vulnerability in Geckovich Tasktracker and Tasktracker PRO | 7.5
  Geckovich TaskTracker Pro 1.5 and earlier allows remote attackers to add administrative or other accounts via an Add action with a modified GroupID in a direct request to Customize.asp.

2007-01-03 | CVE-2007-0046 | Adobe | Remote Security vulnerability in Reader | 7.5
  Double free vulnerability in the Adobe Acrobat Reader Plugin before 8.0.0, as used in Mozilla Firefox 1.5.0.7, allows remote attackers to execute arbitrary code by causing an error via a javascript: URI call to document.write in the (1) FDF, (2) XML, or (3) XFDF AJAX request parameters.

2007-01-03 | CVE-2007-0016 | Netfarer | Buffer Errors vulnerability in Netfarer Movieplay 4.76 | 7.5
  Stack-based buffer overflow in MoviePlay 4.76 allows remote attackers to execute arbitrary code via a long filename in a LST file.

22 Medium Vulnerabilities

DATE | CVE | VENDOR | VULNERABILITY | CVSS
2007-01-05 | CVE-2007-0098 | Verliadmin | File-Upload vulnerability in VerliAdmin | 6.8
  Directory traversal vulnerability in language.php in VerliAdmin 0.3 and earlier, when magic_quotes_gpc is disabled, allows remote attackers to include and execute arbitrary local files via a ..

2007-01-05 | CVE-2007-0083 | Nuked Klan | Unspecified vulnerability in Nuked-Klan | 6.8
  Cross-site scripting (XSS) vulnerability in Nuked Klan 1.7 and earlier allows remote attackers to inject arbitrary web script or HTML via a javascript: URI in a getURL statement in a .swf file, as demonstrated by "Remote Cookie Disclosure." NOTE: it could be argued that this is an issue in Shockwave instead of Nuked Klan.

2007-01-05 | CVE-2007-0081 | Sunbelt | Local Privilege Escalation vulnerability in Kerio Personal Firewall IPHLPAPI.DLL | 6.8
  Sunbelt Kerio Personal Firewall (SKPF) 4.3.268 and 4.3.246, and possibly other versions allows local users to provide a Trojan horse iphlpapi.dll to SKPF by placing it in the installation directory.

2007-01-05 | CVE-2007-0059 | Apple | Remote Security vulnerability in QuickTime Player | 6.8
  Cross-zone scripting vulnerability in Apple Quicktime 3 to 7.1.3 allows remote user-assisted attackers to execute arbitrary code and list filesystem contents via a QuickTime movie (.MOV) with an HREF Track (HREFTrack) that contains an automatic action tag with a local URI, which is executed in a local zone during preview, as exploited by a MySpace worm.

2007-01-04 | CVE-2007-0056 | Ashopsoftware | Cross-Site Scripting vulnerability in AShop Deluxe And AShop Administration Panel | 6.8
  Multiple cross-site scripting (XSS) vulnerabilities in AShop Deluxe 4.5 and AShop Administration Panel allow remote attackers to inject arbitrary web script or HTML via the (1) cat parameter to (a) ashop/catalogue.php and (b) ashop/basket.php, the (2) exp parameter to ashop/catalogue.php, the (3) searchstring parameter to (c) ashop/search.php, the (4) checkout and (5) action parameters to (d) ashop/shipping.php, the cat parameter to (f) cart-path/admin/editcatalogue.php, and the (7) resultpage parameter to (g) cart-path/admin/salesadmin.php.

2007-01-04 | CVE-2007-0054 | Belchior Foundry | Cross-Site Scripting vulnerability in VCard Pro | 6.8
  Cross-site scripting (XSS) vulnerability in gbrowse.php in Belchior Foundry vCard PRO allows remote attackers to inject arbitrary web script or HTML via the sortby parameter.

2007-01-04 | CVE-2007-0051 | Apple | Use of Externally-Controlled Format String vulnerability in Apple Iphoto 6.0.5 | 6.8
  Format string vulnerability in Apple iPhoto 6.0.5 (316), and other versions before 6.0.6, allows remote user-assisted attackers to execute arbitrary code via a crafted photocast with format string specifiers in the title of an RSS iPhoto feed.

2007-01-03 | CVE-2007-0047 | Adobe | Remote Security vulnerability in Reader | 6.8
  CRLF injection vulnerability in Adobe Acrobat Reader Plugin before 8.0.0, when used with the Microsoft.XMLHTTP ActiveX object in Internet Explorer, allows remote attackers to inject arbitrary HTTP headers and conduct HTTP response splitting attacks via CRLF sequences in the javascript: URI in the (1) FDF, (2) XML, or (3) XFDF AJAX request parameters.

2007-01-03 | CVE-2007-0017 | Videolan | Use of Externally-Controlled Format String vulnerability in Videolan VLC Media Player | 6.8
  Multiple format string vulnerabilities in (1) the cdio_log_handler function in modules/access/cdda/access.c in the CDDA (libcdda_plugin) plugin, and the (2) cdio_log_handler and (3) vcd_log_handler functions in modules/access/vcdx/access.c in the VCDX (libvcdx_plugin) plugin, in VideoLAN VLC 0.7.0 through 0.8.6 allow user-assisted remote attackers to execute arbitrary code via format string specifiers in an invalid URI, as demonstrated by a udp://-- URI in an M3U file.

2007-01-01 | CVE-2007-0015 | Apple | Remote Buffer Overflow vulnerability in Apple Quicktime 7.1.3 | 6.8
  Buffer overflow in Apple QuickTime 7.1.3 allows remote attackers to execute arbitrary code via a long rtsp:// URI.

2007-01-05 | CVE-2007-0084 | Microsoft | Unspecified vulnerability in Microsoft Message Compiler 1.00.5239 | 6.6
  ** DISPUTED ** Buffer overflow in the Windows NT Message Compiler (MC) 1.00.5239 on Microsoft Windows XP allows local users to gain privileges via a long MC-filename.

2007-01-05 | CVE-2007-0080 | Freeradius | Improper Restriction of Operations Within the Bounds of A Memory Buffer vulnerability in Freeradius | 6.6
  ** DISPUTED ** Buffer overflow in the SMB_Connect_Server function in FreeRadius 1.1.3 and earlier allows attackers to execute arbitrary code related to the server desthost field of an SMB_Handle_Type instance.

2007-01-05 | CVE-2007-0082 | Imgallery | Unspecified vulnerability in Imgallery 2.4/2.5 | 6.5
  users_adm/start1.php in IMGallery 2.5 and earlier does not properly handle files with multiple extensions, which allows remote authenticated users to upload and execute arbitrary PHP scripts.

2007-01-05 | CVE-2007-0085 | Openbsd | Local Security vulnerability in Openbsd 3.9/4.0 | 6.0
  Unspecified vulnerability in sys/dev/pci/vga_pci.c in the VGA graphics driver for wscons in OpenBSD 3.9 and 4.0, when the kernel is compiled with the PCIAGP option and a non-AGP device is being used, allows local users to gain privileges via unspecified vectors, possibly related to agp_ioctl NULL pointer reference.

2007-01-05 | CVE-2007-0095 | Phpmyadmin | Information Disclosure vulnerability in PHPmyadmin 2.9.1.1 | 5.0
  phpMyAdmin 2.9.1.1 allows remote attackers to obtain sensitive information via a direct request for themes/darkblue_orange/layout.inc.php, which reveals the path in an error message.

2007-01-05 | CVE-2007-0088 | Openmedia | Directory Traversal vulnerability in Openmedia | 5.0
  Multiple directory traversal vulnerabilities in openmedia allow remote attackers to read arbitrary files via a ..

2007-01-05 | CVE-2007-0078 | Battleblog | Information Disclosure vulnerability in Battleblog 1.0D | 5.0
  BattleBlog stores sensitive information under the web root with insufficient access control, which allows remote attackers to download a database via a direct request for database/blankmaster.mdb.

2007-01-05 | CVE-2007-0077 | Lblog | Information Disclosure vulnerability in LBlog | 5.0
  lblog stores sensitive information under the web root with insufficient access control, which allows remote attackers to download a database via a direct request for a certain file in admin/db/newFolder/.

2007-01-04 | CVE-2007-0055 | Fersch | Directory Traversal vulnerability in Fersch Formbankserver 1.9 | 5.0
  Directory traversal vulnerability in formbankcgi.exe/AbfrageForm in Formbankserver 1.9 allows remote attackers to read arbitrary files via directory traversal sequences in the Name parameter.

2007-01-03 | CVE-2007-0048 | Adobe | Unspecified vulnerability in Adobe Acrobat, Acrobat 3D and Acrobat Reader | 5.0
  Adobe Acrobat Reader Plugin before 8.0.0, and possibly the plugin distributed with Adobe Reader 7.x before 7.1.4, 8.x before 8.1.7, and 9.x before 9.2, when used with Internet Explorer, Google Chrome, or Opera, allows remote attackers to cause a denial of service (memory consumption) via a long sequence of # (hash) characters appended to a PDF URL, related to a "cross-site scripting issue."

2007-01-03 | CVE-2007-0045 | Adobe | Cross-Site Scripting vulnerability in Adobe Acrobat, Acrobat 3D and Acrobat Reader | 4.3
  Multiple cross-site scripting (XSS) vulnerabilities in Adobe Acrobat Reader Plugin before 8.0.0, and possibly the plugin distributed with Adobe Reader 7.x before 7.1.4, 8.x before 8.1.7, and 9.x before 9.2, for Mozilla Firefox, Microsoft Internet Explorer 6 SP1, Google Chrome, Opera 8.5.4 build 770, and Opera 9.10.8679 on Windows allow remote attackers to inject arbitrary JavaScript and conduct other attacks via a .pdf URL with a javascript: or res: URI with (1) FDF, (2) XML, and (3) XFDF AJAX parameters, or (4) an arbitrarily named name=URI anchor identifier, aka "Universal XSS (UXSS)."

2007-01-03 | CVE-2007-0044 | Adobe | Cross-Site Request Forgery (CSRF) vulnerability in Adobe Acrobat, Acrobat 3D and Acrobat Reader | 4.3
  Adobe Acrobat Reader Plugin before 8.0.0 for the Firefox, Internet Explorer, and Opera web browsers allows remote attackers to force the browser to make unauthorized requests to other web sites via a URL in the (1) FDF, (2) xml, and (3) xfdf AJAX request parameters, following the # (hash) character, aka "Universal CSRF and session riding."

0 Low Vulnerabilities

DATE | CVE | VENDOR | VULNERABILITY | CVSS
(none reported this period)