Weekly Vulnerabilities Reports > December 22 to 28, 2008

Overview

56 new vulnerabilities were reported during this period, including 11 critical vulnerabilities and 17 high severity vulnerabilities. This weekly summary reports vulnerabilities in 48 products from 42 vendors including Netcat, Linux, Mozilla, Qemu, and KDE. Vulnerabilities are notably categorized as "SQL Injection", "Resource Management Errors", "Permissions, Privileges, and Access Controls", "Improper Restriction of Operations within the Bounds of a Memory Buffer", and "Improper Input Validation".

  • 42 reported vulnerabilities are remotely exploitable.
  • 26 reported vulnerabilities have a public exploit available.
  • 20 reported vulnerabilities are related to weaknesses in OWASP Top Ten.
  • 54 reported vulnerabilities are exploitable by an anonymous user.
  • Netcat has the most reported vulnerabilities, with 5 reported vulnerabilities.
  • Trend Micro has the most reported critical vulnerabilities, with 2 reported vulnerabilities.

[Summary dashboard: total vulnerabilities; critical, high, medium and low risk vulnerabilities; remotely exploitable; locally exploitable; exploit available; exploitable anonymously; affecting web application. The dashboard values were not preserved in this copy.]

Vulnerability Details

The following table lists the reported vulnerabilities for the period covered by this report:


11 Critical Vulnerabilities

DATE CVE VENDOR VULNERABILITY CVSS
2008-12-26 CVE-2008-5722 Sawstudio Buffer Errors vulnerability in Sawstudio 3.9I

Buffer overflow in SAWStudio 3.9i allows user-assisted remote attackers to cause a denial of service (application crash) and possibly execute arbitrary code via a long SAWSTUDIO PREFERENCES STRUCT value in a .prf (preferences) file.

10.0
2008-12-23 CVE-2008-5557 PHP Improper Restriction of Operations Within the Bounds of A Memory Buffer vulnerability in PHP

Heap-based buffer overflow in ext/mbstring/libmbfl/filters/mbfilter_htmlent.c in the mbstring extension in PHP 4.3.0 through 5.2.6 allows context-dependent attackers to execute arbitrary code via a crafted string containing an HTML entity, which is not properly handled during Unicode conversion, related to the (1) mb_convert_encoding, (2) mb_check_encoding, (3) mb_convert_variables, and (4) mb_parse_str functions.

10.0
2008-12-23 CVE-2008-4304 Phpcollab OS Command Injection vulnerability in PHPcollab

general/login.php in phpCollab 2.5 rc3 and earlier allows remote attackers to execute arbitrary commands via shell metacharacters in unspecified input related to the SSL_CLIENT_CERT environment variable.

10.0
2008-12-26 CVE-2008-5735 Coolplayer Buffer Errors vulnerability in Coolplayer 2.17/2.18/2.19

Stack-based buffer overflow in skin.c in CoolPlayer 2.17 through 2.19 allows remote attackers to execute arbitrary code via a large PlaylistSkin value in a skin file.

9.3
2008-12-26 CVE-2008-5718 Netatalk OS Command Injection vulnerability in Netatalk

The papd daemon in Netatalk before 2.0.4-beta2, when using certain variables in a pipe command for the print file, allows remote attackers to execute arbitrary commands via shell metacharacters in a print request, as demonstrated using a crafted Title.

9.3
2008-12-24 CVE-2008-5711 Facebook Buffer Errors vulnerability in Facebook Photouploader 4.5.57.0

Heap-based buffer overflow in the Facebook PhotoUploader ActiveX control 5.0.14.0 and earlier allows remote attackers to execute arbitrary code via a long FileMask property value.

9.3
2008-12-23 CVE-2008-2435 Trend Micro Resource Management Errors vulnerability in Trend Micro Housecall 6.51.0.1028/6.6.0.1278

Use-after-free vulnerability in the Trend Micro HouseCall ActiveX control 6.51.0.1028 and 6.6.0.1278 in Housecall_ActiveX.dll allows remote attackers to execute arbitrary code via a crafted notifyOnLoadNative callback function.

9.3
2008-12-23 CVE-2008-2434 Trend Micro Code Injection vulnerability in Trend Micro Housecall 6.51.0.1028/6.6/6.6.0.1278

The Trend Micro HouseCall ActiveX control 6.51.0.1028 and 6.6.0.1278 in Housecall_ActiveX.dll allows remote attackers to download an arbitrary library file onto a client system via a "custom update server" argument.

9.3
2008-12-22 CVE-2008-5705 Verlihub Project Improper Input Validation vulnerability in Verlihub-Project Verlihub 0.9.8D

The cTrigger::DoIt function in src/ctrigger.cpp in the trigger mechanism in the daemon in Verlihub 0.9.8d-RC2 and earlier, when user triggers are enabled, allows remote attackers to execute arbitrary commands via shell metacharacters in an argument.

9.3
2008-12-24 CVE-2008-5709 Avaya Improper Input Validation vulnerability in Avaya Communication Manager

Multiple unspecified vulnerabilities in the web management interface in Avaya Communication Manager (CM) 3.1 before 3.1.4 SP2, 4.0 before 4.0.3 SP1, and 5.0 before 5.0 SP3 allow remote authenticated users to execute arbitrary code via unknown attack vectors in the (1) Set Static Routes and (2) Backup History components.

9.0
2008-12-23 CVE-2008-4305 PHP Collab Code Injection vulnerability in PHP-Collab 2.2/2.3/2.4

Static code injection vulnerability in installation/setup.php in phpCollab 2.5 rc3 and earlier allows remote authenticated administrators to inject arbitrary PHP code into include/settings.php via the URI.

9.0

17 High Vulnerabilities

DATE CVE VENDOR VULNERABILITY CVSS
2008-12-24 CVE-2008-5714 Qemu Numeric Errors vulnerability in Qemu 0.9.1

Off-by-one error in monitor.c in Qemu 0.9.1 might make it easier for remote attackers to guess the VNC password, which is limited to seven characters where eight was intended.

7.8
2008-12-22 CVE-2008-5704 Gpsdrive Link Following vulnerability in Gpsdrive 1.32/1.33/2.09

src/unit_test.c in gpsdrive (aka gpsdrive-scripts) 2.10~pre4 might allow local users to overwrite arbitrary files via a symlink attack on the /tmp/gpsdrive-unit-test/proc temporary file, a different vector than CVE-2008-4959 and CVE-2008-5380.

7.6
2008-12-26 CVE-2008-5739 Pligg SQL Injection vulnerability in Pligg CMS 9.9.5

SQL injection vulnerability in evb/check_url.php in Pligg CMS 9.9.5 Beta allows remote attackers to execute arbitrary SQL commands via the url parameter.

7.5
2008-12-26 CVE-2008-5738 Nodstrum Permissions, Privileges, and Access Controls vulnerability in Nodstrum Mysql Calendar 1.1/1.2

Nodstrum MySQL Calendar 1.1 and 1.2 allows remote attackers to bypass authentication and gain administrative access by setting the nodstrumCalendarV2 cookie to 1.

7.5
2008-12-26 CVE-2008-5737 Nodstrum SQL Injection vulnerability in Nodstrum Mysql Calendar 1.1/1.2

SQL injection vulnerability in index.php in Nodstrum MySQL Calendar 1.1 and 1.2 allows remote attackers to execute arbitrary SQL commands via the username parameter.

7.5
2008-12-26 CVE-2008-5733 PHP Fusion SQL Injection vulnerability in PHP-Fusion Team Impact TI Blog System Module

SQL injection vulnerability in blog.php in the Team Impact TI Blog System mod for PHP-Fusion allows remote attackers to execute arbitrary SQL commands via the id parameter.

7.5
2008-12-26 CVE-2008-5732 Kafooeyblog Improper Input Validation vulnerability in Kafooeyblog 1.55B

Unrestricted file upload vulnerability in lib/image_upload.php in KafooeyBlog 1.55b allows remote attackers to execute arbitrary code by uploading a file with an executable extension, then accessing it via a direct request to the file.

7.5
2008-12-26 CVE-2008-5730 Netcat Improper Input Validation vulnerability in Netcat

Multiple CRLF injection vulnerabilities in AIST NetCat 3.12 and earlier allow remote attackers to have an unknown impact via unspecified vectors involving (1) a %0a sequence in a cookie and (2) the add.php file.

7.5
2008-12-26 CVE-2008-5726 Stormboards Aaronnemisis SQL Injection vulnerability in Stormboards Aaronnemisis Stormboards 1.0.1

SQL injection vulnerability in thread.php in stormBoards 1.0.1 allows remote attackers to execute arbitrary SQL commands via the id parameter.

7.5
2008-12-24 CVE-2008-5708 Slimcms Improper Authentication vulnerability in Slimcms 1.0.0

redirect.php in SlimCMS 1.0.0 does not require authentication, which allows remote attackers to create administrative users by using the newusername and newpassword parameters and setting the newisadmin parameter to 1.

7.5
2008-12-24 CVE-2008-5707 Aspindir SQL Injection vulnerability in Aspindir Iltaweb Alisveris Sistemi NIL

SQL injection vulnerability in urunler.asp in Iltaweb Alisveris Sistemi allows remote attackers to execute arbitrary SQL commands via the catno parameter.

7.5
2008-12-26 CVE-2008-5744 Asterisk Numeric Errors vulnerability in Asterisk Zaptel 1.2/1.2.27/1.4

Array index error in the dahdi/tor2.c driver in Zaptel (aka DAHDI) 1.4.11 and earlier allows local users in the dialout group to overwrite an integer value in kernel memory by writing to /dev/zap/ctl, related to an incorrect tor2 patch for CVE-2008-5396 that uses the wrong variable in a range check against the value of lc->sync.

7.2
2008-12-26 CVE-2008-5736 Freebsd Permissions, Privileges, and Access Controls vulnerability in Freebsd

Multiple unspecified vulnerabilities in FreeBSD 6 before 6.4-STABLE, 6.3 before 6.3-RELEASE-p7, 6.4 before 6.4-RELEASE-p1, 7.0 before 7.0-RELEASE-p7, 7.1 before 7.1-RC2, and 7 before 7.1-PRERELEASE allow local users to gain privileges via unknown attack vectors related to function pointers that are "not properly initialized" for (1) netgraph sockets and (2) bluetooth sockets.

7.2
2008-12-26 CVE-2008-5725 Entechtaiwan Permissions, Privileges, and Access Controls vulnerability in Entechtaiwan Powerstrip

The NT kernel-mode driver (aka pstrip.sys) 5.0.1.1 and earlier in EnTech Taiwan PowerStrip 3.84 and earlier allows local users to gain privileges via certain IRP parameters in an IOCTL request to \Device\Powerstrip1 that overwrites portions of memory.

7.2
2008-12-26 CVE-2008-5724 Eset Permissions, Privileges, and Access Controls vulnerability in Eset Smart Security

The Personal Firewall driver (aka epfw.sys) 3.0.672.0 and earlier in ESET Smart Security 3.0.672 and earlier allows local users to gain privileges via a crafted IRP in a certain METHOD_NEITHER IOCTL request to \Device\Epfw that overwrites portions of memory.

7.2
2008-12-24 CVE-2008-5716 Citrix Permissions, Privileges, and Access Controls vulnerability in Citrix XEN 3.3.0

xend in Xen 3.3.0 does not properly restrict a guest VM's write access within the /local/domain xenstore directory tree, which allows guest OS users to cause a denial of service and possibly have unspecified other impact by writing to (1) console/tty, (2) console/limit, or (3) image/device-model-pid.

7.2
2008-12-22 CVE-2008-5702 Linux Improper Restriction of Operations Within the Bounds of A Memory Buffer vulnerability in Linux Kernel

Buffer underflow in the ibwdt_ioctl function in drivers/watchdog/ib700wdt.c in the Linux kernel before 2.6.28-rc1 might allow local users to have an unknown impact via a certain /dev/watchdog WDIOC_SETTIMEOUT IOCTL call.

7.2

27 Medium Vulnerabilities

DATE CVE VENDOR VULNERABILITY CVSS
2008-12-26 CVE-2008-5743 Pdfjam Link Following vulnerability in Pdfjam NIL

pdfjam creates the (1) pdf90, (2) pdfjoin, and (3) pdfnup files with a predictable name, which allows local users to overwrite arbitrary files via a symlink attack.

6.9
2008-12-22 CVE-2008-5706 Verlihub Project Link Following vulnerability in Verlihub-Project Verlihub 0.9.8D

The cTrigger::DoIt function in src/ctrigger.cpp in the trigger mechanism in the daemon in Verlihub 0.9.8d-RC2 and earlier allows local users to overwrite arbitrary files via a symlink attack on the /tmp/trigger.tmp temporary file.

6.9
2008-12-26 CVE-2008-5727 Netcat SQL Injection vulnerability in Netcat

SQL injection vulnerability in modules/auth/password_recovery.php in AIST NetCat 3.12 and earlier, when magic_quotes_gpc is disabled, allows remote attackers to execute arbitrary SQL commands via the query string.

6.8
2008-12-23 CVE-2008-4303 PHP Collab SQL Injection vulnerability in PHP-Collab 2.2/2.3/2.4

Multiple SQL injection vulnerabilities in phpCollab 2.5 rc3, 2.4, and earlier allow remote attackers to execute arbitrary SQL commands via the loginForm parameter to general/login.php, and unspecified other vectors.

6.8
2008-12-22 CVE-2008-5703 Gpsdrive Link Following vulnerability in Gpsdrive 1.32/1.33/2.09

gpsdrive (aka gpsdrive-scripts) 2.10~pre4 allows local users to overwrite arbitrary files via a symlink attack on the (a) /tmp/.smswatch or (b) /tmp/gpsdrivepos temporary file, related to (1) examples/gpssmswatch and (2) src/splash.c, different vectors than CVE-2008-4959 and CVE-2008-5380.

6.2
2008-12-26 CVE-2008-5728 Netcat Path Traversal vulnerability in Netcat

Multiple directory traversal vulnerabilities in AIST NetCat 3.12 and earlier, when magic_quotes_gpc is disabled and register_globals is enabled, allow remote attackers to include and execute arbitrary local files via a ..

5.1
2008-12-22 CVE-2008-2380 Courier MTA SQL Injection vulnerability in Courier-Mta Courier-Authlib

SQL injection vulnerability in authpgsqllib.c in Courier-Authlib before 0.62.0, when a non-Latin locale Postgres database is used, allows remote attackers to execute arbitrary SQL commands via query parameters containing apostrophes.

5.1
2008-12-26 CVE-2008-5498 PHP Information Exposure vulnerability in PHP

Array index error in the imageRotate function in PHP 5.2.8 and earlier allows context-dependent attackers to read the contents of arbitrary memory locations via a crafted value of the third argument (aka the bgd_color or clrBack argument) for an indexed image.

5.0
2008-12-26 CVE-2008-5723 CGI Rescue Path Traversal vulnerability in Cgi-Rescue Kannibbs2000 and Kannibbs2000I

Directory traversal vulnerability in CGI RESCUE KanniBBS2000 (aka KanniBBS2000i, MiniBBS2000, and MiniBBS2000i) before 1.03 allows remote attackers to read arbitrary files via unspecified vectors.

5.0
2008-12-26 CVE-2008-5721 Sapporoworks Improper Authentication vulnerability in Sapporoworks Blackjumbodog

SapporoWorks BlackJumboDog (BJD) before 4.2.3 allows remote attackers to bypass authentication and obtain sensitive information via unspecified vectors.

5.0
2008-12-24 CVE-2008-5715 Mozilla / Microsoft Improper Input Validation vulnerability in Mozilla Firefox 3.0.5

Mozilla Firefox 3.0.5 on Windows Vista allows remote attackers to cause a denial of service (application crash) via JavaScript code with a long string value for the hash property (aka location.hash).

5.0
2008-12-24 CVE-2008-5712 KDE Improper Input Validation vulnerability in KDE Konqueror 3.5.9

The HTML parser in KDE Konqueror 3.5.9 allows remote attackers to cause a denial of service (application crash) via (1) a long COLOR attribute in an HR element; or a long (a) BGCOLOR or (b) BORDERCOLOR attribute in a (2) TABLE, (3) TD, or (4) TR element.

5.0
2008-12-24 CVE-2008-5710 Avaya Configuration vulnerability in Avaya Communication Manager

Multiple unspecified vulnerabilities in the web management interface in Avaya Communication Manager (CM) 3.1.x, 4.0.3, and 5.x allow remote attackers to read (1) configuration files, (2) log files, (3) binary image files, and (4) help files via unknown vectors.

5.0
2008-12-24 CVE-2008-2382 Qemu / KVM Qumranet Resource Management Errors vulnerability in multiple products

The protocol_client_msg function in vnc.c in the VNC server in (1) Qemu 0.9.1 and earlier and (2) KVM kvm-79 and earlier allows remote attackers to cause a denial of service (infinite loop) via a certain message.

5.0
2008-12-26 CVE-2008-5731 PGP Resource Management Errors vulnerability in PGP Desktop 9.0.6/9.9.0

The PGPwded device driver (aka PGPwded.sys) in PGP Corporation PGP Desktop 9.0.6 build 6060 and 9.9.0 build 397 allows local users to cause a denial of service (system crash) and possibly gain privileges via a certain METHOD_BUFFERED IOCTL request that overwrites portions of memory, related to a "Driver Collapse." NOTE: some of these details are obtained from third party information.

4.9
2008-12-24 CVE-2008-5713 Linux Resource Management Errors vulnerability in Linux Kernel

The __qdisc_run function in net/sched/sch_generic.c in the Linux kernel before 2.6.25 on SMP machines allows local users to cause a denial of service (soft lockup) by sending a large amount of network traffic, as demonstrated by multiple simultaneous invocations of the Netperf benchmark application in UDP_STREAM mode.

4.9
2008-12-22 CVE-2008-5701 Linux / Debian Numeric Errors vulnerability in Linux Kernel

Array index error in arch/mips/kernel/scall64-o32.S in the Linux kernel before 2.6.28-rc8 on 64-bit MIPS platforms allows local users to cause a denial of service (system crash) via an o32 syscall with a small syscall number, which leads to an attempted read operation outside the bounds of the syscall table.

4.7
2008-12-22 CVE-2008-5699 SUN Permissions, Privileges, and Access Controls vulnerability in SUN Opensolaris and Solaris

The name service cache daemon (nscd) in Sun Solaris 10 and OpenSolaris snv_50 through snv_104 does not properly check permissions, which allows local users to gain privileges and obtain sensitive information via unspecified vectors.

4.6
2008-12-26 CVE-2008-5734 Icewarp Cross-Site Scripting vulnerability in Icewarp Merak Mail Server 9.3.2

Cross-site scripting (XSS) vulnerability in WebMail Pro in IceWarp Software Merak Mail Server 9.3.2 allows remote attackers to inject arbitrary web script or HTML via an IMG element in an HTML e-mail message.

4.3
2008-12-26 CVE-2008-5729 Netcat Cross-Site Scripting vulnerability in Netcat

Multiple cross-site scripting (XSS) vulnerabilities in AIST NetCat 3.12 and earlier allow remote attackers to inject arbitrary web script or HTML via the (1) form and (2) control parameters to FCKeditor/neditor.php, and the (3) path parameter to admin/siteinfo/iframe.inc.php.

4.3
2008-12-26 CVE-2008-5720 Seasar Cross-Site Scripting vulnerability in Seasar Mayaa

Cross-site scripting (XSS) vulnerability in Mayaa before 1.1.23 allows remote attackers to inject arbitrary web script or HTML via unspecified vectors involving the default error page for the org.seasar.mayaa.impl.engine.PageNotFoundException exception and possibly other exceptions.

4.3
2008-12-26 CVE-2008-5719 Hitachi Cross-Site Scripting vulnerability in Hitachi products

Cross-site scripting (XSS) vulnerability in Hitachi Groupmax Web Workflow SDK Set for Active Server Pages before 06-52-/C and Hitachi Groupmax Workflow - Development Kit for Active Server Pages before 06-52-/A allows remote attackers to inject arbitrary web script or HTML via unspecified vectors.

4.3
2008-12-26 CVE-2008-5717 Hitachi Cross-Site Scripting vulnerability in Hitachi JP1 Integrated Management Service Support

Cross-site scripting (XSS) vulnerability in Hitachi JP1/Integrated Management - Service Support 08-10 through 08-10-05, 08-11 through 08-11-03, and 08-50 through 08-50-03 on Windows allows remote attackers to inject arbitrary web script or HTML via unspecified vectors.

4.3
2008-12-23 CVE-2008-5514 University OF Washington Improper Restriction of Operations Within the Bounds of A Memory Buffer vulnerability in University of Washington Imap

Off-by-one error in the rfc822_output_char function in the RFC822BUFFER routines in the University of Washington (UW) c-client library, as used by the UW IMAP toolkit before imap-2007e and other applications, allows context-dependent attackers to cause a denial of service (crash) via an e-mail message that triggers a buffer overflow.

4.3
2008-12-22 CVE-2008-5698 KDE Resource Management Errors vulnerability in KDE Konqueror

HTMLTokenizer::scriptHandler in Konqueror in KDE 3.5.9 and 3.5.10 allows remote attackers to cause a denial of service (application crash) via an invalid document.load call that triggers use of a deleted object.

4.3
2008-12-22 CVE-2008-5697 Skype / Mozilla Unspecified vulnerability in Skype Extension for Firefox 2.2.0.95

The skype_tool.copy_num method in the Skype extension BETA 2.2.0.95 for Firefox allows remote attackers to write arbitrary data to the clipboard via a string argument.

4.3
2008-12-26 CVE-2008-5742 Netcat Link Following vulnerability in Netcat

Multiple open redirect vulnerabilities in AIST NetCat 3.12 and earlier allow remote attackers to redirect users to arbitrary web sites and conduct phishing attacks via (1) the redirect parameter in a logoff action to modules/auth/index.php or (2) the url parameter to modules/linkmanager/redirect.php.

4.0

1 Low Vulnerability

DATE CVE VENDOR VULNERABILITY CVSS
2008-12-22 CVE-2008-5700 Linux Resource Management Errors vulnerability in Linux Kernel

libata in the Linux kernel before 2.6.27.9 does not set minimum timeouts for SG_IO requests, which allows local users to cause a denial of service (Programmed I/O mode on drives) via multiple simultaneous invocations of an unspecified test program.

1.9