Weekly Vulnerabilities Reports > May 5 to 11, 2008

Overview

66 new vulnerabilities were reported during this period, including 7 critical and 30 high-severity vulnerabilities. This weekly summary reports vulnerabilities in 65 products from 55 vendors, including PHP, SUN, Redhat, Mozilla and Linux. The vulnerabilities fall mainly into the categories "SQL Injection", "Cross-site Scripting", "Resource Management Errors", "Path Traversal", and "Permissions, Privileges, and Access Controls".

  • 60 reported vulnerabilities are remotely exploitable.
  • 26 reported vulnerabilities have a public exploit available.
  • 36 reported vulnerabilities are related to weaknesses in the OWASP Top Ten.
  • 60 reported vulnerabilities are exploitable by an anonymous user.
  • PHP has the most reported vulnerabilities, with 5 reported vulnerabilities.
  • PHP has the most reported critical vulnerabilities, with 3 reported vulnerabilities.

Summary counts (from the overview and the per-severity sections below):

Total vulnerabilities: 66
Critical risk: 7
High risk: 30
Medium risk: 28
Low risk: 1
Remotely exploitable: 60
Locally exploitable: not given
Exploit available: 26
Exploitable anonymously: 60
Affecting web application: not given

Vulnerability Details

The following table lists the reported vulnerabilities for the period covered by this report:


7 Critical Vulnerabilities

DATE CVE VENDOR VULNERABILITY CVSS
2008-05-05 CVE-2008-2051 PHP Multiple vulnerabilities in PHP 5.2.5 and Prior Versions

The escapeshellcmd API function in PHP before 5.2.6 has unknown impact and context-dependent attack vectors related to "incomplete multibyte chars."

10.0
2008-05-05 CVE-2008-2050 PHP Improper Restriction of Operations Within the Bounds of A Memory Buffer vulnerability in PHP

Stack-based buffer overflow in the FastCGI SAPI (fastcgi.c) in PHP before 5.2.6 has unknown impact and attack vectors.

10.0
2008-05-05 CVE-2008-0599 PHP Multiple vulnerabilities in PHP 5.2.5 and Prior Versions

The init_request_info function in sapi/cgi/cgi_main.c in PHP before 5.2.6 does not properly consider operator precedence when calculating the length of PATH_TRANSLATED, which might allow remote attackers to execute arbitrary code via a crafted URI.

10.0
2008-05-05 CVE-2008-2077 Plain Black Security vulnerability in Plain Black Webgui 7.4.34

Unspecified vulnerability in Plain Black WebGUI 7.4.34 has unknown impact and attack vectors related to "data form list view."

10.0
2008-05-08 CVE-2008-2042 Adobe Improper Input Validation vulnerability in Adobe Acrobat and Acrobat Reader

The Javascript API in Adobe Acrobat Professional 7.0.9 and possibly 8.1.1 exposes a dangerous method, which allows remote attackers to execute arbitrary commands or trigger a buffer overflow via a crafted PDF file that invokes app.checkForUpdate with a malicious callback function.

9.3
2008-05-07 CVE-2008-2111 Yahoo Resource Management Errors vulnerability in Yahoo Assistant

The ActiveX Control (yNotifier.dll) in Yahoo! Assistant 3.6 and earlier allows remote attackers to execute arbitrary code via unspecified vectors in the yNotifier COM object that trigger memory corruption.

9.3
2008-05-05 CVE-2008-2081 Siteman Path Traversal vulnerability in Siteman 2.0

Directory traversal vulnerability in index.php in Siteman 2.0.x2 allows remote authenticated administrators to include and execute arbitrary local files via a ..

9.0

30 High Vulnerabilities

DATE CVE VENDOR VULNERABILITY CVSS
2008-05-08 CVE-2008-2112 Novell / Redhat / SUN Privilege Escalation vulnerability in SUN RAY Server Software 4.0

Unspecified vulnerability in Sun Ray Kiosk Mode 4.0 allows local and remote authenticated Sun Ray administrators to gain root privileges via unknown vectors related to utconfig.

8.5
2008-05-09 CVE-2008-2121 SUN Configuration vulnerability in SUN Sunos 5.10/5.8/5.9

The TCP implementation in Sun Solaris 8, 9, and 10 allows remote attackers to cause a denial of service (CPU consumption and new connection timeouts) via a TCP SYN flood attack.

7.8
2008-05-06 CVE-2008-2092 Linksys Resource Management Errors vulnerability in Linksys Spa-2102 Phone Adapter 3.3.6

Linksys SPA-2102 Phone Adapter 3.3.6 allows remote attackers to cause a denial of service (crash) via a long ping packet ("ping of death").

7.8
2008-05-06 CVE-2008-2090 SUN Resource Management Errors vulnerability in SUN Solaris 10

Unspecified vulnerability in the SCTP protocol implementation in Sun Solaris 10 allows remote attackers to cause a denial of service (CPU consumption and network traffic amplification) via a crafted SCTP packet.

7.8
2008-05-06 CVE-2008-2089 SUN Configuration vulnerability in SUN Solaris 10

Unspecified vulnerability in the SCTP protocol implementation in Sun Solaris 10 allows remote attackers to cause a denial of service (panic) via a crafted SCTP packet.

7.8
2008-05-09 CVE-2008-2135 Visualshapers SQL Injection vulnerability in Visualshapers Ezcontents 2.0.0

Multiple SQL injection vulnerabilities in VisualShapers ezContents 2.0.0 allow remote attackers to execute arbitrary SQL commands via the (1) contentname parameter to showdetails.php and the (2) article parameter to printer.php.

7.5
2008-05-09 CVE-2008-2132 Systementor SQL Injection vulnerability in Systementor Postcardmentor

SQL injection vulnerability in step1.asp in Systementor PostcardMentor allows remote attackers to execute arbitrary SQL commands via the cat_fldAuto parameter.

7.5
2008-05-09 CVE-2008-2130 Igaming SQL Injection vulnerability in Igaming CMS 1.5

SQL injection vulnerability in poll_vote.php in iGaming CMS 1.5 allows remote attackers to execute arbitrary SQL commands via the id parameter.

7.5
2008-05-09 CVE-2008-2128 CMS Faethon Code Injection vulnerability in CMS Faethon CMS Faethon 2.2

PHP remote file inclusion vulnerability in templates/header.php in CMS Faethon 2.2 Ultimate allows remote attackers to execute arbitrary PHP code via a URL in the mainpath parameter, a different vulnerability than CVE-2006-5588 and CVE-2006-3185.

7.5
2008-05-09 CVE-2008-2125 Musicbox SQL Injection vulnerability in Musicbox 2.3.6/2.3.7

SQL injection vulnerability in viewalbums.php in Musicbox 2.3.6 and 2.3.7 allows remote attackers to execute arbitrary SQL commands via the artistId parameter.

7.5
2008-05-09 CVE-2008-2124 Fipsasp SQL Injection vulnerability in Fipsasp Fipscms 2.1

SQL injection vulnerability in modules/print.asp in fipsASP fipsCMS allows remote attackers to execute arbitrary SQL commands via the lg parameter.

7.5
2008-05-08 CVE-2008-2118 Project Alumni SQL Injection vulnerability in Project Alumni Project Alumni 1.0.9

SQL injection vulnerability in info.php in Project Alumni 1.0.9 allows remote attackers to execute arbitrary SQL commands via the id parameter.

7.5
2008-05-08 CVE-2008-2114 Preprojects SQL Injection vulnerability in Preprojects PRE Shopping Mall 1.1

SQL injection vulnerability in emall/search.php in Pre Shopping Mall 1.1 allows remote attackers to execute arbitrary SQL commands via the search parameter.

7.5
2008-05-08 CVE-2008-2113 Phpeasydata SQL Injection vulnerability in PHPeasydata 1.5.4

SQL injection vulnerability in annuaire.php in PHPEasyData 1.5.4 allows remote attackers to execute arbitrary SQL commands via the cat_id parameter.

7.5
2008-05-07 CVE-2008-2110 QTO Improper Input Validation vulnerability in QTO Qtofilemanager 1.0

Unrestricted file upload vulnerability in qtofm.php in QTOFileManager 1.0 allows remote attackers to execute arbitrary PHP code by uploading a file with an executable extension, then accessing it via a direct request.

7.5
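The QTOFileManager entry above (CVE-2008-2110) is the classic unrestricted-upload pattern: the application stores a file under the name the client supplied and later serves it from a web-reachable directory, so a name ending in .php becomes remote code execution. The check below is an added example and not code from QTOFileManager or any other product on this page. It assumes an allow-list of benign extensions (ALLOWED) and a list of extensions a typical PHP-enabled web server will execute (EXECUTABLE); both lists are illustrative and a deployment would tune them. It rejects any dotted component that is executable, which also catches double extensions such as shell.php.jpg and dotfiles such as .htaccess, and it never reuses the client's name for storage.

```python
import os
import secrets

# Illustrative policy (assumption, not taken from the advisory): what may be
# stored, and what a PHP-capable web server might execute if it is served.
ALLOWED = {"jpg", "jpeg", "png", "gif", "pdf", "txt"}
EXECUTABLE = {"php", "php3", "php4", "php5", "phtml", "phar",
              "cgi", "pl", "sh", "htaccess"}


def check_upload(original_name: str) -> str:
    """Validate a client-supplied filename and return the server-chosen
    name under which the content will be stored. Raises ValueError on
    anything that could be executed or that smuggles a second extension."""
    if "\x00" in original_name:
        # A NUL byte would truncate the name in C-based file APIs
        # ("shell.php\0.jpg" would be stored as "shell.php").
        raise ValueError("NUL byte in filename")
    # Strip any directory part the client sent (either separator style).
    base = os.path.basename(original_name.replace("\\", "/"))
    parts = base.lower().split(".")
    if len(parts) < 2 or parts[-1] == "":
        raise ValueError("no extension: %r" % original_name)
    # Every dotted component is checked, not only the last one, so
    # "shell.php.jpg" and ".htaccess" are both refused.
    if any(p in EXECUTABLE for p in parts):
        raise ValueError("executable extension in filename: %r" % original_name)
    ext = parts[-1]
    if ext not in ALLOWED:
        raise ValueError("extension not allowed: %r" % ext)
    # The stored name is generated server-side; the client's name is only
    # ever used for the decision above, never on disk.
    return "%s.%s" % (secrets.token_hex(8), ext)


if __name__ == "__main__":
    for name in ["photo.JPG", "shell.php", "shell.php.jpg", ".htaccess", "a/../b.png"]:
        try:
            print(name, "->", check_upload(name))
        except ValueError as err:
            print(name, "-> rejected:", err)
```

Storing uploads outside the document root, or under a directory the web server is configured not to execute scripts from, is the second half of the fix; the name check alone does not help if an attacker can reach the raw file through another path.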
2008-05-07 CVE-2008-2108 PHP Numeric Errors vulnerability in PHP

The GENERATE_SEED macro in PHP 4.x before 4.4.8 and 5.x before 5.2.5, when running on 64-bit systems, performs a multiplication that generates a portion of zero bits during conversion due to insufficient precision, which produces 24 bits of entropy and simplifies brute force attacks against protection mechanisms that use the rand and mt_rand functions.

7.5
2008-05-07 CVE-2008-2107 PHP Numeric Errors vulnerability in PHP

The GENERATE_SEED macro in PHP 4.x before 4.4.8 and 5.x before 5.2.5, when running on 32-bit systems, performs a multiplication using values that can produce a zero seed in rare circumstances, which allows context-dependent attackers to predict subsequent values of the rand and mt_rand functions and possibly bypass protection mechanisms that rely on an unknown initial seed.

7.5
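The two PHP seeding entries above (CVE-2008-2108 and CVE-2008-2107) matter because a Mersenne Twister is fully determined by its seed: once the seed space is small, an attacker who sees a few outputs (a password-reset token, a CSRF nonce) can try every seed and then predict what the generator hands out next. The block below is an added example, not PHP's GENERATE_SEED code or anything from the advisories. It assumes Python's random.Random as a stand-in for mt_rand (same MT19937 core, but a different seeding routine, so the seed-space arithmetic carries over and the exact output values do not), and it scales the 24-bit seed space described in CVE-2008-2108 down to 16 bits (SEED_BITS) so the search finishes in about a second; the full space is 256 times the work, which is still trivial.

```python
import random

# The 24-bit effective seed space described for CVE-2008-2108, scaled down
# to 16 bits (an assumption for runtime, not a figure from the advisory).
SEED_BITS = 16


def token_from_seed(seed, n_words=2):
    """Stand-in for an application that seeds a Mersenne Twister from a
    low-entropy value and hands out the first outputs as a token."""
    rng = random.Random(seed)
    return [rng.getrandbits(32) for _ in range(n_words)]


def recover_seed(observed, seed_bits=SEED_BITS):
    """Brute-force every seed in the space until one reproduces the token
    the attacker observed; returns that seed or None if none matches."""
    n = len(observed)
    for candidate in range(1 << seed_bits):
        if token_from_seed(candidate, n) == observed:
            return candidate
    return None


def predict_next(seed, already_consumed):
    """With the seed known the generator is fully determined: replay the
    outputs already handed out and return the one the victim gets next."""
    rng = random.Random(seed)
    for _ in range(already_consumed):
        rng.getrandbits(32)
    return rng.getrandbits(32)


if __name__ == "__main__":
    secret_seed = 0x3A5C                   # the server's seed (constructed)
    leaked = token_from_seed(secret_seed)  # what the attacker observed
    found = recover_seed(leaked)
    print("recovered seed:", hex(found))
    print("next token word the server will issue:", predict_next(found, len(leaked)))
```

Two observed 32-bit words are enough to pin down one seed in a 2^16 (or 2^24) space; the fix on the application side is not a better seed but a CSPRNG (random_bytes / openssl_random_pseudo_bytes in later PHP, os.urandom here) for anything security-relevant, since mt_rand was never designed to resist prediction.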
2008-05-06 CVE-2008-2095 Joomla / Mambo / Page Flip Tools SQL Injection vulnerability in multiple products

SQL injection vulnerability in index.php in the FlippingBook (com_flippingbook) 1.0.4 component for Joomla! allows remote attackers to execute arbitrary SQL commands via the book_id parameter.

7.5
2008-05-06 CVE-2008-2094 Xoops SQL Injection vulnerability in Xoops Article Module

SQL injection vulnerability in article.php in the Article module for XOOPS allows remote attackers to execute arbitrary SQL commands via the id parameter.

7.5
2008-05-06 CVE-2008-2093 Joomla / Joomlapolis / Mambo SQL Injection vulnerability in multiple products

SQL injection vulnerability in the Profiler (com_comprofiler) component in Community Builder for Mambo and Joomla! allows remote attackers to execute arbitrary SQL commands via the user parameter in a userProfile action to index.php.

7.5
2008-05-06 CVE-2008-2091 Kubelabs Path Traversal vulnerability in Kubelabs Kubelance 1.6.4

Directory traversal vulnerability in ipn.php in KubeLabs Kubelance 1.6.4 allows remote attackers to include and execute arbitrary local files via the i parameter.

7.5
2008-05-06 CVE-2008-2088 Phpforge SQL Injection vulnerability in PHPforge PHP Forge 3.0

SQL injection vulnerability in admin/news.php in PHP Forge 3.0 beta 2 allows remote attackers to execute arbitrary SQL commands via the id parameter in the news module to admin.php.

7.5
2008-05-06 CVE-2008-2080 Nasa Goddard Space Flight Center Improper Restriction of Operations Within the Bounds of A Memory Buffer vulnerability in Nasa Goddard Space Flight Center Common Data Format

Stack-based buffer overflow in the Read32s_64 function in src/lib/cdfread64.c in the NASA Goddard Space Flight Center Common Data Format (CDF) library before 3.2.1 allows context-dependent attackers to execute arbitrary code via a .cdf file with crafted length tags.

7.5
2008-05-05 CVE-2008-2084 Myarticles / Runcms SQL Injection vulnerability in multiple products

SQL injection vulnerability in topics.php in the MyArticles 0.6 beta-1 module for RunCMS allows remote attackers to execute arbitrary SQL commands via the topic_id parameter in a listarticles action.

7.5
2008-05-05 CVE-2008-2078 Robocode Permissions, Privileges, and Access Controls vulnerability in Robocode 1.0.7/1.4.9

Robocode before 1.6.0 allows user-assisted remote attackers to "access the internals of the Robocode game" via unspecified vectors related to the AWT Event Queue.

7.5
2008-05-05 CVE-2008-2076 Actualscripts Path Traversal vulnerability in Actualscripts Actualanalyzer Lite 2.78

Directory traversal vulnerability in admin.php in ActualScripts ActualAnalyzer Lite 2.78 allows remote attackers to include and execute arbitrary local files via a ..

7.5
2008-05-05 CVE-2008-2074 Successkid Code Injection vulnerability in Successkid Harris WAP Chat 1.0

Multiple PHP remote file inclusion vulnerabilities in Harris Yusuf Arifin Harris Wap Chat 1.0, when register_globals is enabled, allow remote attackers to execute arbitrary PHP code via a URL in the sysFileDir parameter to (1) eng.writeMsg.php, (2) eng.adCreate.php, (3) eng.adCreateSave.php, (4) eng.adDispByTypeOptions.php, (5) eng.createRoom.php, (6) eng.forward.php, (7) eng.pageLogout.php, (8) eng.resultMember.php, (9) eng.roomDeleteConfirm.php, (10) eng.saveNewRoom.php, and (11) eng.searchMember.php in src/.

7.5
2008-05-05 CVE-2008-2073 Virtual Design Studios Path Traversal vulnerability in Virtual Design Studios Vlbook 1.21

Directory traversal vulnerability in include/global.inc.php in Virtual Design Studio vlbook 1.21 allows remote attackers to include and execute arbitrary local files via a ..

7.5
2008-05-08 CVE-2008-1659 HP Local Unauthorized Access vulnerability in HP-UX LDAP-UX

Unspecified vulnerability in HP LDAP-UX vB.04.10 through vB.04.15 allows local users to gain privileges via unknown vectors.

7.2
2008-05-08 CVE-2007-6282 Redhat Configuration vulnerability in Redhat Enterprise Linux and Enterprise Linux Desktop

The IPsec implementation in Linux kernel before 2.6.25 allows remote routers to cause a denial of service (crash) via a fragmented ESP packet in which the first fragment does not contain the entire ESP header and IV.

7.1

28 Medium Vulnerabilities

DATE CVE VENDOR VULNERABILITY CVSS
2008-05-08 CVE-2008-1669 Linux Race Condition vulnerability in Linux Kernel

Linux kernel before 2.6.25.2 does not apply a certain protection mechanism for fcntl functionality, which allows local users to (1) execute code in parallel or (2) exploit a race condition to obtain "re-ordered access to the descriptor table."

6.9
2008-05-09 CVE-2008-2134 TRU Zone Improper Input Validation vulnerability in Tru-Zone Nukeet

The Journal module in Tru-Zone Nuke ET 3.x allows remote attackers to obtain access to arbitrary user accounts, and alter or delete data, via a modified username in an unspecified cookie.

6.8
2008-05-09 CVE-2008-2129 Cine SQL Injection vulnerability in Cine Galleristic 1.0

SQL injection vulnerability in index.php in Galleristic 1.0, when magic_quotes_gpc is disabled, allows remote attackers to execute arbitrary SQL commands via the cat parameter.

6.8
2008-05-07 CVE-2008-2106 Activision Improper Input Validation vulnerability in Activision Call of Duty 4

Call of Duty 4 (CoD4) 1.5 and earlier allows remote authenticated users to cause a denial of service (crash) via a type 7 stats packet, which triggers a memcpy with a negative value.

6.8
2008-05-07 CVE-2008-2096 Backlinkspider SQL Injection vulnerability in Backlinkspider Backlink Spider

SQL injection vulnerability in BackLinkSpider allows remote attackers to execute arbitrary SQL commands via the cat_id parameter to a site-specific component name such as link.php or backlinkspider.php.

6.8
2008-05-06 CVE-2008-2087 Softbiz SQL Injection vulnerability in Softbiz web Hosting Directory Script

SQL injection vulnerability in search_result.php in Softbiz Web Host Directory Script, when magic_quotes_gpc is disabled, allows remote attackers to execute arbitrary SQL commands via the host_id parameter, a different vector than CVE-2005-3817.

6.8
2008-05-05 CVE-2008-2083 Prozilla SQL Injection vulnerability in Prozilla Hosting Index

SQL injection vulnerability in directory.php in Prozilla Hosting Index, when magic_quotes_gpc is disabled, allows remote attackers to execute arbitrary SQL commands via the cat_id parameter in a list action.

6.8
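The SQL injection entries in this report (ezContents, PostcardMentor, iGaming CMS, Musicbox, fipsCMS, Project Alumni, Pre Shopping Mall, PHPEasyData, FlippingBook, the XOOPS Article module, Community Builder, PHP Forge and MyArticles above, and Galleristic, BackLinkSpider, Softbiz Web Host Directory Script and Prozilla Hosting Index here) share one shape: a numeric id parameter concatenated into the query. Several of the Medium entries carry the qualifier "when magic_quotes_gpc is disabled", which is worth unpicking, because magic_quotes only backslash-escapes quote characters and a numeric comparison needs no quotes at all. The block below is an added example, not code from any of the listed products, using an in-memory SQLite table with constructed rows and a small magic_quotes emulation; it shows the numeric injection succeeding with magic_quotes on, and the parameterised version that closes it.

```python
import sqlite3

# Constructed sample data standing in for a CMS "categories" table.
SAMPLE_ROWS = [
    (1, "news", "public"),
    (2, "staff-only", "private"),
    (3, "drafts", "private"),
]


def make_db():
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE categories (cat_id INTEGER, name TEXT, visibility TEXT)")
    conn.executemany("INSERT INTO categories VALUES (?, ?, ?)", SAMPLE_ROWS)
    return conn


def magic_quotes(value: str) -> str:
    """Emulates magic_quotes_gpc: backslash-escapes quotes and backslashes,
    nothing else. Digits, spaces and SQL keywords pass through untouched."""
    return value.replace("\\", "\\\\").replace("'", "\\'").replace('"', '\\"')


def lookup_vulnerable(conn, cat_id: str):
    # The pattern behind the listed advisories: the request parameter is
    # pasted into the statement. Because cat_id is compared as a number
    # there are no quotes around it, so escaping quotes changes nothing.
    sql = ("SELECT cat_id, name FROM categories WHERE cat_id = "
           + magic_quotes(cat_id) + " AND visibility = 'public'")
    return conn.execute(sql).fetchall()


def lookup_safe(conn, cat_id: str):
    # Validate the type up front, then bind the value as a parameter so the
    # database never parses it as SQL. The rest of the statement is fixed.
    if not cat_id.isdigit():
        raise ValueError("cat_id must be a non-negative integer")
    sql = "SELECT cat_id, name FROM categories WHERE cat_id = ? AND visibility = 'public'"
    return conn.execute(sql, (int(cat_id),)).fetchall()


if __name__ == "__main__":
    db = make_db()
    print("normal request:   ", lookup_vulnerable(db, "1"))
    print("numeric injection:", lookup_vulnerable(db, "1 OR 1=1 --"))
    try:
        lookup_vulnerable(db, "1' OR '1'='1")
    except sqlite3.Error as err:
        print("quoted injection stopped by magic_quotes:", err)
    try:
        lookup_safe(db, "1 OR 1=1 --")
    except ValueError as err:
        print("parameterised version:", err)
```

The quoted payload fails only because the escaped quote makes the statement unparseable, which is the behaviour magic_quotes was relying on; the numeric payload comments out the visibility filter and returns the private rows. That is why the advisories describe the escaping setting as a condition rather than a fix.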
2008-05-09 CVE-2008-2122 IBM Resource Management Errors vulnerability in IBM Rational Build Forge 7.0.2

IBM Rational Build Forge 7.0.2 allows remote attackers to cause a denial of service (CPU consumption) via a port scan, which spawns multiple bfagent server processes that attempt to read data from closed sockets.

5.0
2008-05-09 CVE-2008-2120 SUN Information Exposure vulnerability in SUN products

Unspecified vulnerability in Sun Java System Application Server 7 2004Q2 before Update 6, Web Server 6.1 before SP8, and Web Server 7.0 before Update 1 allows remote attackers to obtain source code of JSP files via unknown vectors.

5.0
2008-05-07 CVE-2008-2109 Media Libs Denial of Service vulnerability in Media-Libs Libid3Tag 0.15.0B

field.c in the libid3tag 0.15.0b library allows context-dependent attackers to cause a denial of service (CPU consumption) via an ID3_FIELD_TYPE_STRINGLIST field that ends in '\0', which triggers an infinite loop.

5.0
2008-05-06 CVE-2008-2005 Wonderware Resource Management Errors vulnerability in Wonderware Intouch and Suitelink

The SuiteLink Service (aka slssvc.exe) in WonderWare SuiteLink before 2.0 Patch 01, as used in WonderWare InTouch 8.0, allows remote attackers to cause a denial of service (NULL pointer dereference and service shutdown) and possibly execute arbitrary code via a large length value in a Registration packet to TCP port 5413, which causes a memory allocation failure.

5.0
2008-05-08 CVE-2008-1615 Redhat / AMD Resource Management Errors vulnerability in Redhat Enterprise Linux and Enterprise Linux Desktop

Linux kernel 2.6.18, and possibly other versions, when running on AMD64 architectures, allows local users to cause a denial of service (crash) via certain ptrace calls.

4.9
2008-05-08 CVE-2007-5498 Linux Resource Management Errors vulnerability in Linux Kernel 2.6.18

The Xen hypervisor block backend driver for Linux kernel 2.6.18, when running on a 64-bit host with a 32-bit paravirtualized guest, allows local privileged users in the guest OS to cause a denial of service (host OS crash) via a request that specifies a large number of blocks.

4.9
2008-05-08 CVE-2007-5001 Redhat Resource Management Errors vulnerability in Redhat Enterprise Linux and Enterprise Linux Desktop

Linux kernel before 2.4.21 allows local users to cause a denial of service (kernel panic) via asynchronous input or output on a FIFO special file.

4.9
2008-05-05 CVE-2008-2079 Mysql / Oracle / Debian / Canonical Permissions, Privileges, and Access Controls vulnerability in multiple products

MySQL 4.1.x before 4.1.24, 5.0.x before 5.0.60, 5.1.x before 5.1.24, and 6.0.x before 6.0.5 allows local users to bypass certain privilege checks by calling CREATE TABLE on a MyISAM table with modified (1) DATA DIRECTORY or (2) INDEX DIRECTORY arguments that are within the MySQL home data directory, which can point to tables that are created in the future.

4.6
2008-05-08 CVE-2008-2116 Scriptsez Path Traversal vulnerability in Scriptsez Power Editor 2.0

Multiple directory traversal vulnerabilities in editor.php in ScriptsEZ.net Power Editor 2.0 allow remote attackers to read arbitrary local files via a ..

4.4
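The file-inclusion entries in this report come in two flavours that the same check handles: local traversal, where a ".." sequence in a parameter walks out of the intended directory (Siteman, Kubelance, ActualAnalyzer Lite, vlbook, and Power Editor just above, which reads rather than executes the file), and remote inclusion, where the parameter carries a URL (CMS Faethon's mainpath, Harris Wap Chat's sysFileDir under register_globals). The block below is an added example and not code from any of those products. It builds a constructed sandbox directory under a temporary path, shows the vulnerable join-and-open pattern reading a file outside the application directory, and then a resolver that rejects URL schemes, absolute paths, NUL bytes and anything whose real path (symlinks included) lands outside the base directory.

```python
import os
import tempfile
from urllib.parse import urlsplit


def build_sandbox():
    """Constructed layout for the demo: an app dir with templates/header.php,
    a secret file next to (not inside) the app dir, and a symlink inside the
    app dir pointing at that secret. Returns (base_dir, outside_file, has_symlink)."""
    root = tempfile.mkdtemp()
    base = os.path.join(root, "app")
    os.makedirs(os.path.join(base, "templates"))
    with open(os.path.join(base, "templates", "header.php"), "w") as f:
        f.write("<?php /* constructed placeholder */ ?>\n")
    outside = os.path.join(root, "secret.txt")
    with open(outside, "w") as f:
        f.write("not for the web\n")
    has_symlink = True
    try:
        os.symlink(outside, os.path.join(base, "link.txt"))
    except (OSError, NotImplementedError):
        has_symlink = False
    return base, outside, has_symlink


def read_vulnerable(base_dir: str, name: str) -> str:
    # The pattern in the advisories: include($dir . $_GET['i']) with no
    # validation. os.path.join happily follows ".." and replaces the base
    # entirely when given an absolute path.
    with open(os.path.join(base_dir, name)) as f:
        return f.read()


def resolve_include(base_dir: str, name: str) -> str:
    """Return an absolute path under base_dir for a user-supplied include
    name, or raise ValueError."""
    if "\x00" in name:
        raise ValueError("NUL byte in include name")
    if urlsplit(name).scheme:
        # http://, ftp://, php://filter, data: ... the remote-inclusion case
        raise ValueError("URL or stream wrapper rejected: %r" % name)
    if os.path.isabs(name):
        raise ValueError("absolute path rejected: %r" % name)
    root = os.path.realpath(base_dir)
    target = os.path.realpath(os.path.join(root, name))
    # realpath has already collapsed ".." and followed symlinks, so a single
    # prefix comparison on the canonical paths decides containment.
    if os.path.commonpath([root, target]) != root:
        raise ValueError("path escapes base directory: %r" % name)
    if not os.path.isfile(target):
        raise ValueError("no such include: %r" % name)
    return target


if __name__ == "__main__":
    base, outside, _ = build_sandbox()
    print("vulnerable:", read_vulnerable(base, "../secret.txt").strip())
    for name in ["templates/header.php", "../secret.txt", "/etc/passwd",
                 "http://attacker.example/shell.txt", "php://filter/resource=config.php",
                 "link.txt"]:
        try:
            print("ok      ", name, "->", resolve_include(base, name))
        except ValueError as err:
            print("rejected", name, "->", err)
```

The realpath-then-commonpath step is the one that matters; string checks for ".." miss encoded variants and symlinks, and a scheme check alone does nothing against local traversal, which is why both kinds of advisory keep appearing for the same code base.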
2008-05-09 CVE-2008-2133 TRU Zone Cross-Site Scripting vulnerability in Tru-Zone Nukeet

Cross-site scripting (XSS) vulnerability in the Journal module in Tru-Zone Nuke ET 3.x allows remote attackers to inject arbitrary web script or HTML via the title parameter in a new entry, as demonstrated by a CSS property in the STYLE attribute of a DIV element, a different vulnerability than CVE-2008-1873.

4.3
2008-05-09 CVE-2008-2131 Myvietnam Cross-Site Scripting vulnerability in Myvietnam Mvnforum 1.1

Cross-site scripting (XSS) vulnerability in mvnForum 1.1 GA allows remote authenticated users to inject arbitrary web script or HTML via the topic field, which is later displayed by user/viewthread.jsp through use of the "quick reply button."

4.3
2008-05-09 CVE-2008-2127 CMS Faethon Cross-Site Scripting vulnerability in CMS Faethon CMS Faethon 2.2Ultimate

Cross-site scripting (XSS) vulnerability in search.php in CMS Faethon 2.2 Ultimate allows remote attackers to inject arbitrary web script or HTML via the what parameter.

4.3
2008-05-09 CVE-2008-2126 TUX CMS Cross-Site Scripting vulnerability in TUX CMS TUX CMS 0.1

Multiple cross-site scripting (XSS) vulnerabilities in Tux CMS 0.1 allow remote attackers to inject arbitrary web script or HTML via the (1) q parameter to index.php and the (2) returnURL parameter to tux-login.php.

4.3
2008-05-09 CVE-2008-2123 SAP Cross-Site Scripting vulnerability in SAP Internet Transaction Server 6200.1017.50954.0Build730827

Cross-site scripting (XSS) vulnerability in WGate in SAP Internet Transaction Server (ITS) 6.20 allows remote attackers to inject arbitrary web script or HTML via (1) a "<>" sequence in the ~service parameter to wgate.dll, or (2) Javascript splicing in the query string, a different vector than CVE-2006-5114.

4.3
2008-05-08 CVE-2008-2117 Project Alumni Cross-Site Scripting vulnerability in Project Alumni Project Alumni 1.0.9

Cross-site scripting (XSS) vulnerability in pages/news.page.inc in Project Alumni 1.0.9 allows remote attackers to inject arbitrary web script or HTML via the year parameter in a news action to index.php, a different vector than CVE-2007-6126.

4.3
2008-05-08 CVE-2008-2115 Scriptsez Cross-Site Scripting vulnerability in Scriptsez Power Editor 2.0

Multiple cross-site scripting (XSS) vulnerabilities in editor.php in ScriptsEZ.net Power Editor 2.0 allow remote attackers to inject arbitrary web script or HTML via the (1) te and (2) dir parameters in a tempedit action.

4.3
2008-05-07 CVE-2008-2103 Mozilla Cross-Site Scripting vulnerability in Mozilla Bugzilla

Cross-site scripting (XSS) vulnerability in Bugzilla 2.17.2 and later allows remote attackers to inject arbitrary web script or HTML via the id parameter to the "Format for Printing" view or "Long Format" bug list.

4.3
2008-05-05 CVE-2008-2082 Siteman Cross-Site Scripting vulnerability in Siteman 2.0

Cross-site scripting (XSS) vulnerability in index.php in Siteman 2.0.x2 allows remote attackers to inject arbitrary web script or HTML via the module parameter, which leaks the path in an error message.

4.3
2008-05-05 CVE-2008-2075 Astrocam Cross-Site Scripting vulnerability in Astrocam

Cross-site scripting (XSS) vulnerability in pic.php in AstroCam 2.5.0 through 2.7.3 allows remote attackers to inject arbitrary web script or HTML via the picfile parameter.

4.3
2008-05-05 CVE-2008-2072 Virtual Design Studios Cross-Site Scripting vulnerability in Virtual Design Studios Vlbook 1.21

Cross-site scripting (XSS) vulnerability in index.php in Virtual Design Studio vlbook 1.21 allows remote attackers to inject arbitrary web script or HTML via the l parameter, a different vector than CVE-2006-3260.

4.3
2008-05-07 CVE-2008-2104 Mozilla Permissions, Privileges, and Access Controls vulnerability in Mozilla Bugzilla 3.1.3

The WebService in Bugzilla 3.1.3 allows remote authenticated users without canconfirm privileges to create NEW or ASSIGNED bug entries via a request to the XML-RPC interface, which bypasses the canconfirm check.

4.0

1 Low Vulnerability

DATE CVE VENDOR VULNERABILITY CVSS
2008-05-07 CVE-2008-2105 Mozilla Permissions, Privileges, and Access Controls vulnerability in Mozilla Bugzilla

email_in.pl in Bugzilla 2.23.4, 3.0.x before 3.0.4, and 3.1.x before 3.1.4 allows remote authenticated users to more easily spoof the changer of a bug via a @reporter command in the body of an e-mail message, which overrides the e-mail address as normally obtained from the From e-mail header.

3.5