Weekly Vulnerabilities Reports > October 22 to 28, 2007

Overview

53 new vulnerabilities were reported during this period, including 4 critical vulnerabilities and 16 high severity vulnerabilities. This weekly summary reports vulnerabilities in 84 products from 47 vendors, including Nortel, Tiki, Microsoft, Nagios, and Almico. Notable vulnerability categories are "Cross-site Scripting", "Improper Restriction of Operations within the Bounds of a Memory Buffer", "Path Traversal", "Information Exposure", and "SQL Injection".

  • 45 reported vulnerabilities are remotely exploitable.
  • 15 reported vulnerabilities have a public exploit available.
  • 24 reported vulnerabilities are related to weaknesses in the OWASP Top Ten.
  • 51 reported vulnerabilities are exploitable by an anonymous user.
  • Nortel has the most reported vulnerabilities, with 5 reported vulnerabilities.
  • PHP has the most reported critical vulnerabilities, with 1 reported vulnerability.

[Summary table: total vulnerabilities; critical, high, medium and low risk vulnerabilities; remotely exploitable; locally exploitable; exploit available; exploitable anonymously; affecting web application]

Vulnerability Details

The following tables list the reported vulnerabilities for the period covered by this report, grouped by severity:


4 Critical Vulnerabilities

DATE | CVE | VENDOR | VULNERABILITY | CVSS

2007-10-23 | CVE-2007-5635 | Sitracker | Security vulnerability in Support Incident Tracker SiT! | 10.0
    Multiple unspecified vulnerabilities in Salford Software Support Incident Tracker (SiT!) before 3.30 have unknown impact and attack vectors.

2007-10-28 | CVE-2007-5687 | Justsystem | Improper Restriction of Operations within the Bounds of a Memory Buffer vulnerability in Justsystem Ichitaro | 9.3
    Multiple buffer overflows in the rich text processing functionality in JustSystems Ichitaro 2004 through 2007, 11 through 13, and other versions allow remote attackers to execute arbitrary code via a long (1) pard field or (2) font name in the fcharset0 field, which is not properly handled in (a) JSTARO4.OCX; or (3) a long title, which is not properly handled by (b) TJSVDA.DLL.

2007-10-25 | CVE-2007-2983 | Btglobalservices | Improper Restriction of Operations within the Bounds of a Memory Buffer vulnerability in Btglobalservices BT Consumer Webhelper | 9.3
    Multiple buffer overflows in the British Telecommunications Consumer webhelper ActiveX control before 2.0.0.8 in btwebcontrol.dll allow remote attackers to execute arbitrary code via unspecified vectors.

2007-10-23 | CVE-2007-5653 | PHP | OS Command Injection vulnerability in PHP | 9.3
    The Component Object Model (COM) functions in PHP 5.x on Windows do not follow safe_mode and disable_functions restrictions, which allows context-dependent attackers to bypass intended limitations, as demonstrated by executing objects with the kill bit set in the corresponding ActiveX control Compatibility Flags, executing programs via a function in compatUI.dll, invoking wscript.shell via wscript.exe, invoking Scripting.FileSystemObject via wshom.ocx, and adding users via a function in shgina.dll, related to the com_load_typelib function.

16 High Vulnerabilities

DATE | CVE | VENDOR | VULNERABILITY | CVSS

2007-10-23 | CVE-2007-5652 | IBM | Buffer Errors vulnerability in IBM DB2 9.1 | 7.8
    IBM DB2 UDB 9.1 before Fixpak 4 does not properly manage storage of a list containing authentication information, which might allow attackers to cause a denial of service (instance crash) or trigger memory corruption.

2007-10-26 | CVE-2007-5684 | Tiki | Path Traversal vulnerability in Tiki Tikiwiki Cms/Groupware | 7.5
    Multiple directory traversal vulnerabilities in TikiWiki 1.9.8.1 and earlier allow remote attackers to include and execute arbitrary files via an absolute pathname in (1) error_handler_file and (2) local_php parameters to (a) tiki-index.php, or (3) encoded "..%2F" sequences in the imp_language parameter to tiki-imexport_languages.php.

2007-10-26 | CVE-2007-5682 | Tiki | Permissions, Privileges, and Access Controls vulnerability in Tiki Tikiwiki Cms/Groupware | 7.5
    Incomplete blacklist vulnerability in tiki-graph_formula.php in TikiWiki before 1.9.8.2 allows remote attackers to execute arbitrary code by using variable functions and variable variables to write variables whose names match the whitelist, a different vulnerability than CVE-2007-5423.

2007-10-25 | CVE-2007-5679 | Deeemm | SQL Injection vulnerability in Deeemm Dmcms 0.7.0/0.7.4 | 7.5
    SQL injection vulnerability in index.php in DeeEmm.com DM CMS 0.7.0.Beta allows remote attackers to execute arbitrary SQL commands via the id parameter in the media page (build_media_content.php).

2007-10-24 | CVE-2007-5678 | Phpbasic | SQL Injection vulnerability in PHPbasic | 7.5
    SQL injection vulnerability in the Music module in phpBasic allows remote attackers to execute arbitrary SQL commands via the id parameter in a view action to the default URI.

2007-10-24 | CVE-2007-5675 | Multixtpm | Improper Restriction of Operations within the Bounds of a Memory Buffer vulnerability in Multixtpm Application Server | 7.5
    Stack-based buffer overflow in the DebugPrint function in MultiXTpm Application Server before 4.0.2d allows remote attackers to execute arbitrary code via a long string argument.

2007-10-23 | CVE-2007-5650 | Reloadcms | Path Traversal vulnerability in Reloadcms 1.2.7 | 7.5
    Directory traversal vulnerability in system.php in ReloadCMS 1.2.7 allows remote attackers to include and execute arbitrary local files via a ..

2007-10-23 | CVE-2007-5644 | Lussumo | Permissions, Privileges, and Access Controls vulnerability in Lussumo Vanilla | 7.5
    Lussumo Vanilla 1.1.3 and earlier does not require admin privileges for (1) ajax/sortcategories.php and (2) ajax/sortroles.php, which allows remote attackers to conduct unauthorized sort operations and other activities.

2007-10-23 | CVE-2007-5643 | Lussumo | SQL Injection vulnerability in Lussumo Vanilla | 7.5
    Multiple SQL injection vulnerabilities in Lussumo Vanilla 1.1.3 and earlier allow remote attackers to execute arbitrary SQL commands via (1) the CategoryID parameter to ajax/sortcategories.php or (2) an unspecified vector to ajax/sortroles.php.

2007-10-23 | CVE-2007-5636 | Nortel | Improper Restriction of Operations within the Bounds of a Memory Buffer vulnerability in Nortel IP Softphone 2050 | 7.5
    Buffer overflow in the Nortel UNIStim IP Softphone 2050 allows remote attackers to cause a denial of service (application abort) and possibly execute arbitrary code via a flood of invalid characters to the RTCP port (5678/udp) that triggers a Windows error message, aka "extraneous messaging."

2007-10-23 | CVE-2007-5630 | Bbsprocess | SQL Injection vulnerability in Bbsprocess Bbportals | 7.5
    SQL injection vulnerability in tnews.php in BBsProcesS BBPortalS 1.5.10 through 2.0 allows remote attackers to execute arbitrary SQL commands via the id parameter in a tnews action.

2007-10-22 | CVE-2007-5620 | Zehnet | Path Traversal vulnerability in Zehnet ZZ Flashchat | 7.5
    Directory traversal vulnerability in admin/inc/help.php in ZZ:FlashChat 3.1 and earlier allows remote attackers to include and execute arbitrary local files via a ..

2007-10-23 | CVE-2007-5633 | Microsoft, Almico | Local Privilege Escalation vulnerability in Almico Speedfan 4.33 | 7.2
    Speedfan.sys in Alfredo Milani Comparetti SpeedFan 4.33, when used on Microsoft Windows Vista x64, allows local users to read or write arbitrary MSRs, and gain privileges and load unsigned drivers, via the (1) IOCTL_RDMSR 0x9C402438 and (2) IOCTL_WRMSR 0x9C40243C IOCTLs to \Device\speedfan, as demonstrated by an IOCTL_WRMSR action on MSR_LSTAR.

2007-10-23 | CVE-2007-5651 | Cisco | Products Extensible Authentication Protocol Denial of Service vulnerability in Cisco Catos and IOS | 7.1
    Unspecified vulnerability in the Extensible Authentication Protocol (EAP) implementation in Cisco IOS 12.3 and 12.4 on Cisco Access Points and 1310 Wireless Bridges (Wireless EAP devices), IOS 12.1 and 12.2 on Cisco switches (Wired EAP devices), and CatOS 6.x through 8.x on Cisco switches allows remote attackers to cause a denial of service (device reload) via a crafted EAP Response Identity packet.

2007-10-23 | CVE-2007-5640 | Nortel | Remote Denial of Service vulnerability in Nortel UNIStim IP Phone | 7.1
    The Nortel UNIStim IP Softphone 2050, IP Phone 1140E, and additional Nortel products from the IP Phone, Business Communications Manager (BCM), Mobile Voice Client, and other product lines, allow remote attackers to block calls and force re-registration via a resume message to the Signaling Server that has a spoofed source IP address for the phone.

2007-10-23 | CVE-2007-5639 | Nortel | Denial of Service vulnerability in Nortel IP Phones UNIStim Messages | 7.1
    The Nortel UNIStim IP Softphone 2050, IP Phone 1140E, and other Nortel IP Phone, Mobile Voice Client, and WLAN Handsets products allow remote attackers to cause a denial of service (device hang) via a flood of Mute and UnMute messages that have a spoofed source IP address for the Signaling Server.

30 Medium Vulnerabilities

DATE | CVE | VENDOR | VULNERABILITY | CVSS

2007-10-24 | CVE-2007-5676 | Futurenuke | Code Injection vulnerability in Futurenuke Platinum 7.6.B.5 | 6.8
    PHP remote file inclusion vulnerability in modules/Forums/favorites.php in PHP-Nuke Platinum 7.6.b.5 allows remote attackers to execute arbitrary PHP code via a URL in the nuke_bb_root_path parameter.

2007-10-24 | CVE-2007-5674 | Instaguide | Path Traversal vulnerability in Instaguide Weather 1.0 | 6.8
    Directory traversal vulnerability in index.php in InstaGuide Weather (aka Weather for PHP) 1.0, when magic_quotes_gpc is disabled, allows remote attackers to include and execute arbitrary local files via a ..

2007-10-23 | CVE-2007-5646 | Simple Machines | SQL Injection vulnerability in Simple Machines Simple Machines Forum 1.0.11/1.1.3 | 6.8
    SQL injection vulnerability in Sources/Search.php in Simple Machines Forum (SMF) 1.1.3, when MySQL 5 is used, allows remote attackers to execute arbitrary SQL commands via the userspec parameter in a search2 action to index.php.

2007-10-23 | CVE-2007-5642 | Phppm | Path Traversal vulnerability in PHPpm PHP Project Management | 6.8
    Multiple directory traversal vulnerabilities in PHP Project Management 0.8.10 and earlier allow remote attackers to include and execute arbitrary local files via a ..

2007-10-23 | CVE-2007-5641 | Phppm | Code Injection vulnerability in PHPpm PHP Project Management | 6.8
    Multiple PHP remote file inclusion vulnerabilities in PHP Project Management 0.8.10 and earlier allow remote attackers to execute arbitrary PHP code via a URL in the full_path parameter to (1) certinfo/index.php, (2) emails/index.php, (3) events/index.php, (4) fax/index.php, (5) files/index.php, (6) files/list.php, (7) groupadm/index.php, (8) history/index.php, (9) info/index.php, (10) log/index.php, (11) mail/index.php, (12) messages/index.php, (13) organizations/index.php, (14) phones/index.php, (15) presence/index.php, (16) projects/index.php, (17) projects/summary.inc.php, (18) projects/list.php, (19) reports/index.php, (20) search/index.php, (21) snf/index.php, (22) syslog/index.php, (23) tasks/searchsimilar.php, (24) tasks/index.php, (25) tasks/summary.inc.php, and (26) useradm/index.php in modules; (27) /ajax/loadsplash.php; (28) /blocks/birthday.php; (29) /blocks/events.php; and (30) /blocks/help.php.

2007-10-23 | CVE-2007-5631 | Peopleaggregator | Code Injection vulnerability in Peopleaggregator 1.2Pre6 | 6.8
    Multiple PHP remote file inclusion vulnerabilities in PeopleAggregator 1.2pre6, when register_globals is enabled, allow remote attackers to execute arbitrary PHP code via a URL in the current_blockmodule_path parameter to (1) AudiosMediaGalleryModule/AudiosMediaGalleryModule.php, (2) ImagesMediaGalleryModule/ImagesMediaGalleryModule.php, (3) MembersFacewallModule/MembersFacewallModule.php, (4) NewestGroupsModule/NewestGroupsModule.php, (5) UploadMediaModule/UploadMediaModule.php, and (6) VideosMediaGalleryModule/VideosMediaGalleryModule.php in BetaBlockModules/; and (7) the path_prefix parameter to several components.

2007-10-23 | CVE-2007-5628 | Towels | Code Injection vulnerability in Towels 0.1 | 6.8
    PHP remote file inclusion vulnerability in src/scripture.php in The Online Web Library Site (TOWels) 0.1 allows remote attackers to execute arbitrary PHP code via a URL in the pageHeaderFile parameter.

2007-10-23 | CVE-2007-5627 | Socketmail | Code Injection vulnerability in Socketmail 2.2.8 | 6.8
    PHP remote file inclusion vulnerability in content/fnc-readmail3.php in SocketMail 2.2.8 allows remote attackers to execute arbitrary PHP code via a URL in the __SOCKETMAIL_ROOT parameter.

2007-10-28 | CVE-2007-3919 | Debian, Xensource INC | Link Following vulnerability in Xensource INC XEN 3.0.301/3.0.303 | 6.0
    (1) xenbaked and (2) xenmon.py in Xen 3.1 and earlier allow local users to truncate arbitrary files via a symlink attack on /tmp/xenq-shm.

2007-10-28 | CVE-2007-5685 | Serverkit | Path Traversal vulnerability in Serverkit Shttp | 5.0
    The safe_path function in shttp before 0.0.5 allows remote attackers to conduct directory traversal attacks and read files via a combination of ".." and sub-directory specifiers that resolve to a pathname that is at or below the same level as the web document root, but in a different part of the directory tree.

2007-10-23 | CVE-2007-5654 | Litespeed Technologies | Information Exposure vulnerability in Litespeed Technologies Litespeed web Server | 5.0
    LiteSpeed Web Server before 3.2.4 allows remote attackers to trigger use of an arbitrary MIME type for a file via a "%00." sequence followed by a new extension, as demonstrated by reading PHP source code via requests for .php%00.txt files, aka "Mime Type Injection."

2007-10-23 | CVE-2007-5623 | Nagios | Buffer Errors vulnerability in Nagios Plugins 1.4.10 | 5.0
    Buffer overflow in the check_snmp function in Nagios Plugins (nagios-plugins) 1.4.10 allows remote attackers to cause a denial of service (crash) via crafted snmpget replies.

2007-10-28 | CVE-2007-5686 | Rpath | Permissions, Privileges, and Access Controls vulnerability in Rpath Linux 1 | 4.9
    initscripts in rPath Linux 1 sets insecure permissions for the /var/log/btmp file, which allows local users to obtain sensitive information regarding authentication attempts.

2007-10-23 | CVE-2007-5634 | Microsoft, Almico | Buffer Errors vulnerability in Almico Speedfan 4.33 | 4.9
    Speedfan.sys in Alfredo Milani Comparetti SpeedFan 4.33, when used on Microsoft Windows Vista x64, does not properly check a buffer during an IOCTL 0x9c402420 call, which allows local users to cause a denial of service (machine crash) and possibly gain privileges via unspecified vectors.

2007-10-23 | CVE-2007-5632 | SUN | Local Denial of Service vulnerability in SUN Solaris 10.0/8.0/9.0 | 4.9
    Multiple unspecified vulnerabilities in the kernel in Sun Solaris 8 through 10 allow local users to cause a denial of service (panic), related to the support for retrieval of kernel statistics, and possibly related to the sfmmu_mlspl_enter or sfmmu_mlist_enter functions.

2007-10-23 | CVE-2007-4574 | Redhat, AMD, Intel | Local Denial of Service vulnerability in Redhat Enterprise Linux 5.0 | 4.7
    Unspecified vulnerability in the "stack unwinder fixes" in kernel in Red Hat Enterprise Linux 5, when running on AMD64 and Intel 64, allows local users to cause a denial of service via unknown vectors.

2007-10-26 | CVE-2007-5683 | Tiki | Cross-Site Scripting vulnerability in Tiki Tikiwiki Cms/Groupware | 4.3
    Multiple cross-site scripting (XSS) vulnerabilities in TikiWiki 1.9.8.1 and earlier allow remote attackers to inject arbitrary web script or HTML via (1) the username parameter to the password reminder page (tiki-remind_password.php), (2) IMG tags in wiki pages, and (3) the local_php parameter to db/tiki-db.php.

2007-10-24 | CVE-2007-5677 | Hackish | Cross-Site Scripting vulnerability in Hackish 1.1Beta | 4.3
    Cross-site scripting (XSS) vulnerability in shoutbox/blocco.php in Hackish BETA 1.1 allows remote attackers to inject arbitrary web script or HTML via the go_shout parameter.

2007-10-24 | CVE-2007-5673 | Ifnet | Cross-Site Scripting vulnerability in Ifnet Webif | 4.3
    Cross-site scripting (XSS) vulnerability in cgi-bin/webif.exe in ifnet WebIf allows remote attackers to inject arbitrary web script or HTML via the cmd parameter.

2007-10-24 | CVE-2007-5335 | Mozilla | Information Exposure vulnerability in Mozilla Firefox | 4.3
    Mozilla Firefox 2.0 before 2.0.0.8 allows remote attackers to obtain sensitive system information by using the addMicrosummaryGenerator sidebar method to access file: URIs.

2007-10-23 | CVE-2007-5649 | Socketmail | Cross-Site Scripting vulnerability in Socketmail 2.2.1 | 4.3
    Cross-site scripting (XSS) vulnerability in lostpwd.php in Creative Digital Resources SocketMail 2.2.1 allows remote attackers to inject arbitrary web script or HTML via the lost_id parameter.

2007-10-23 | CVE-2007-5648 | Rnote | Cross-Site Scripting vulnerability in Rnote 0.9.7.5 | 4.3
    Multiple cross-site scripting (XSS) vulnerabilities in rnote.php in rNote 0.9.7.5 allow remote attackers to inject arbitrary web script or HTML via the (1) d or the (2) u parameter.

2007-10-23 | CVE-2007-5647 | Socketkb | Cross-Site Scripting vulnerability in Socketkb 1.1.5 | 4.3
    Multiple cross-site scripting (XSS) vulnerabilities in SocketKB 1.1.5 allow remote attackers to inject arbitrary web script or HTML via the (1) art_id or (2) node parameter in an article action to the default URI.

2007-10-23 | CVE-2007-5638 | Nortel | Information Exposure vulnerability in Nortel products | 4.3
    The Nortel UNIStim IP Softphone 2050, IP Phone 1140E, and additional Nortel products from the IP Phone, Business Communications Manager (BCM), and other product lines, use only 65536 different values in the 32-bit ID number field of an RUDP datagram, which makes it easier for remote attackers to guess the RUDP ID and spoof messages.

2007-10-23 | CVE-2007-5637 | Nortel | Information Exposure vulnerability in Nortel products | 4.3
    The Nortel UNIStim IP Softphone 2050, IP Phone 1140E, and additional Nortel products from the IP Phone, Business Communications Manager (BCM), and other product lines allow remote attackers to eavesdrop on the physical environment via an Open Audio Stream message that enables "surveillance mode." NOTE: issues relating to a small ID number space can be leveraged to make this attack easier.

2007-10-23 | CVE-2007-5629 | Candypress | Cross-Site Scripting vulnerability in Candypress Store 4.1 | 4.3
    Cross-site scripting (XSS) vulnerability in admin/logon.asp in ShoppingTree CandyPress Store 4.1 allows remote attackers to inject arbitrary web script or HTML via the msg parameter, a different vector than CVE-2007-2804.

2007-10-23 | CVE-2007-5625 | Simongibson | Cross-Site Scripting vulnerability in Simongibson ASP Site Search Searchsimon Lite 1.0 | 4.3
    Cross-site scripting (XSS) vulnerability in filename.asp in ASP Site Search SearchSimon Lite 1.0 allows remote attackers to inject arbitrary web script or HTML via the QUERY parameter.

2007-10-23 | CVE-2007-5624 | Nagios | Cross-Site Scripting vulnerability in Nagios 2.0.1/2.1.3 | 4.3
    Cross-site scripting (XSS) vulnerability in Nagios 2.x before 2.10 allows remote attackers to inject arbitrary web script or HTML via unknown vectors to unspecified CGI scripts.

2007-10-22 | CVE-2007-5472 | Broadcom | Cross-Site Scripting vulnerability in Broadcom Host-Based Intrusion Prevention System 8 | 4.3
    Cross-site scripting (XSS) vulnerability in the Server component in CA Host-Based Intrusion Prevention System (HIPS) before 8.0.0.93 allows remote attackers to inject arbitrary web script or HTML via requests that are written to logs for later display in the log viewer.

2007-10-22 | CVE-2007-5190 | Alcatel Lucent | Cross-Site Scripting vulnerability in Alcatel-Lucent Omnivista | 4.3
    Multiple cross-site scripting (XSS) vulnerabilities in Alcatel OmniVista 4760 R4.2 and earlier allow remote attackers to inject arbitrary web script or HTML via (1) the action parameter to php-bin/Webclient.php or (2) the Langue parameter to the default URI.

3 Low Vulnerabilities

DATE | CVE | VENDOR | VULNERABILITY | CVSS

2007-10-22 | CVE-2007-5621 | Drupal | Cross-Site Scripting vulnerability in Drupal products | 3.5
    Multiple cross-site scripting (XSS) vulnerabilities in the Token module before 4.7.x-1.5, and 5.x before 5.x-1.9, for Drupal; as used by the ASIN Field, e-Commerce, Fullname field for CCK, Invite, Node Relativity, Pathauto, PayPal Node, and Ubercart modules; allow remote authenticated users with a post comments privilege to inject arbitrary web script or HTML via unspecified vectors related to (1) comments, (2) vocabulary names, (3) term names, and (4) usernames.

2007-10-23 | CVE-2007-5626 | Bacula | Cryptographic Issues vulnerability in Bacula | 2.1
    make_catalog_backup in Bacula 2.2.5, and probably earlier, sends a MySQL password as a command line argument, and sometimes transmits cleartext e-mail containing this command line, which allows context-dependent attackers to obtain the password by listing the process and its arguments, or by sniffing the network.

2007-10-23 | CVE-2007-3850 | Linux, Apple | Information Exposure vulnerability in Linux Kernel | 1.9
    The eHCA driver in Linux kernel 2.6 before 2.6.22, when running on PowerPC, does not properly map userspace resources, which allows local users to read portions of physical address space.