Weekly Vulnerabilities Reports > May 25 to 31, 2009

Overview

57 new vulnerabilities were reported during this period, including 17 critical and 13 high severity vulnerabilities. This weekly summary reports vulnerabilities in 59 products from 42 vendors, including Collector, Aten, Sangoma, Nullsoft, and SUN. The most common weakness categories are "Improper Restriction of Operations within the Bounds of a Memory Buffer", "SQL Injection", "Cross-site Scripting", "Improper Authentication", and "Cryptographic Issues".

  • 53 reported vulnerabilities are remotely exploitable.
  • 33 reported vulnerabilities have a public exploit available.
  • 23 reported vulnerabilities are related to weaknesses in OWASP Top Ten.
  • 52 reported vulnerabilities are exploitable by an anonymous user.
  • Collector has the most reported vulnerabilities, with 6 reported vulnerabilities.
  • Nullsoft has the most reported critical vulnerabilities, with 3 reported vulnerabilities.

Summary counters: total vulnerabilities; critical, high, medium and low risk; remotely exploitable; locally exploitable; exploit available; exploitable anonymously; affecting web applications (the figures available for this period are those given in the overview above).

Vulnerability Details

The following table lists the vulnerabilities reported for the period covered by this report:

17 Critical Vulnerabilities

DATE CVE VENDOR VULNERABILITY CVSS
2009-05-29 CVE-2009-1830 Slsknet Improper Restriction of Operations Within the Bounds of A Memory Buffer vulnerability in Slsknet Soulseek 156/157 NS

Stack-based buffer overflow in Soulseek 156 and 157 NS allows remote attackers to execute arbitrary code via a long search query.

10.0
2009-05-28 CVE-2008-6816 Eaton Improper Authentication vulnerability in Eaton Network Shutdown Module

Eaton MGEOPS Network Shutdown Module before 3.10 Build 13 allows remote attackers to execute arbitrary code by adding a custom action to the MGE frontend via pane_actionbutton.php, and then executing this action via exec_action.php.

10.0
2009-05-27 CVE-2009-1477 Aten Cryptographic Issues vulnerability in Aten products

The https web interfaces on the ATEN KH1516i IP KVM switch with firmware 1.0.063, the KN9116 IP KVM switch with firmware 1.1.104, and the PN9108 power-control unit have a hardcoded SSL private key, which makes it easier for remote attackers to decrypt https sessions by extracting this key from their own switch and then sniffing network traffic to a switch owned by a different customer.

10.0
2009-05-27 CVE-2009-1473 Aten Cryptographic Issues vulnerability in Aten Kh1516I IP KVM Switch and Kn9116 IP KVM Switch

The (1) Windows and (2) Java client programs for the ATEN KH1516i IP KVM switch with firmware 1.0.063 and the KN9116 IP KVM switch with firmware 1.1.104 do not properly use RSA cryptography for a symmetric session-key negotiation, which makes it easier for remote attackers to (a) decrypt network traffic, or (b) conduct man-in-the-middle attacks, by repeating unspecified "client-side calculations."

10.0
2009-05-27 CVE-2009-1472 Aten Cryptographic Issues vulnerability in Aten Kh1516I IP KVM Switch and Kn9116 IP KVM Switch

The Java client program for the ATEN KH1516i IP KVM switch with firmware 1.0.063 and the KN9116 IP KVM switch with firmware 1.1.104 has a hardcoded AES encryption key, which makes it easier for man-in-the-middle attackers to (1) execute arbitrary Java code, or (2) gain access to machines connected to the switch, by hijacking a session.

10.0
2009-05-26 CVE-2008-3870 SUN Numeric Errors vulnerability in SUN Solaris 8.0/9.0

Integer overflow in sadmind in Sun Solaris 8 and 9 allows remote attackers to execute arbitrary code via a crafted RPC request that triggers a heap-based buffer overflow, related to improper memory allocation.

10.0
2009-05-26 CVE-2008-3869 SUN Buffer Errors vulnerability in SUN Solaris 8.0/9.0

Heap-based buffer overflow in sadmind in Sun Solaris 8 and 9 allows remote attackers to execute arbitrary code via a crafted RPC request, related to improper decoding of request parameters.

10.0
2009-05-26 CVE-2009-1636 Novell Improper Restriction of Operations Within the Bounds of A Memory Buffer vulnerability in Novell Groupwise

Multiple buffer overflows in the Internet Agent (aka GWIA) component in Novell GroupWise 7.x before 7.03 HP3 and 8.x before 8.0 HP2 allow remote attackers to execute arbitrary code via (1) a crafted e-mail address in an SMTP session or (2) an SMTP command.

10.0
2009-05-29 CVE-2009-1831 Nullsoft Numeric Errors vulnerability in Nullsoft Winamp

The Nullsoft Modern Skins Support module (gen_ff.dll) in Nullsoft Winamp before 5.552 allows remote attackers to execute arbitrary code via a crafted MAKI file, which triggers an incorrect sign extension, an integer overflow, and a stack-based buffer overflow.

9.3
2009-05-29 CVE-2009-1792 Stonetrip OS Command Injection vulnerability in Stonetrip S3Dplayer Standalone and S3Dplayer web

The system.openURL function in StoneTrip Ston3D StandalonePlayer (aka S3DPlayer StandAlone) 1.6.2.4 and 1.7.0.1 and WebPlayer (aka S3DPlayer Web) 1.6.0.0 allows remote attackers to execute arbitrary commands via shell metacharacters in the first argument (the sURL argument).

9.3
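
The shell-metacharacter problem in the Stonetrip entry above, shown as an added example that is not Stonetrip's code: a URL spliced into a command string that /bin/sh parses, beside the same URL passed as a single argv element after a scheme allowlist check. The handler names, the use of the system printf binary as a stand-in for whatever program really opens the URL, and the injected payload are all assumptions made for this demonstration; it needs a POSIX shell and a printf executable.

```python
"""A URL handed to a shell versus a URL handed to a program as one argument.

Added example for CVE-2009-1792; not code from Ston3D/S3DPlayer. The
command (printf) and the payload are stand-ins constructed for the demo.
"""
import subprocess
from urllib.parse import urlparse


def open_url_via_shell(url: str) -> str:
    """Vulnerable pattern: the URL becomes part of a command *string* that
    /bin/sh parses, so ';', '|', '`' and '$(...)' inside it run as commands."""
    return subprocess.run(
        "printf '%s\\n' " + url, shell=True, capture_output=True, text=True
    ).stdout


def open_url_safely(url: str) -> str:
    """Allowlist the scheme, then pass the URL as one argv element. No shell
    is involved, so metacharacters reach the program as literal bytes."""
    parsed = urlparse(url)
    if parsed.scheme not in ("http", "https") or not parsed.netloc:
        raise ValueError("refusing non-http(s) URL: %r" % url)
    return subprocess.run(
        ["printf", "%s\n", url], capture_output=True, text=True, check=True
    ).stdout


# Constructed malicious sURL: a valid http URL with a trailing shell command.
PAYLOAD = "http://example.test/; echo INJECTED"

if __name__ == "__main__":
    print("shell  :", repr(open_url_via_shell(PAYLOAD)))   # second command ran
    print("argv   :", repr(open_url_safely(PAYLOAD)))      # literal URL only
```

The scheme check matters independently of the shell: even with argv passing, a URL opener that accepts file:, javascript: or custom schemes hands the attacker a different primitive.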
2009-05-29 CVE-2009-1537 Microsoft Remote Code Execution vulnerability in Microsoft DirectX DirectShow QuickTime Video

Unspecified vulnerability in the QuickTime Movie Parser Filter in quartz.dll in DirectShow in Microsoft DirectX 7.0 through 9.0c on Windows 2000 SP4, Windows XP SP2 and SP3, and Windows Server 2003 SP2 allows remote attackers to execute arbitrary code via a crafted QuickTime media file, as exploited in the wild in May 2009, aka "DirectX NULL Byte Overwrite Vulnerability." Microsoft Security Advisory 971778 (http://www.microsoft.com/technet/security/advisory/971778.mspx) states: "Microsoft is aware of limited, active attacks that use this exploit code."

9.3
2009-05-29 CVE-2009-1817 DigiMode Buffer Errors vulnerability in DigiMode Maya 1.0.2

Multiple buffer overflows in DigiMode Maya 1.0.2 allow remote attackers to execute arbitrary code via a long string in a malformed (1) .m3u or (2) .m3l playlist file.

9.3
2009-05-29 CVE-2009-1815 Sonicspot Buffer Errors vulnerability in Sonicspot Audioactive Player 1.93B

Stack-based buffer overflow in Sonic Spot Audioactive Player 1.93b allows remote attackers to execute arbitrary code via a long string in a playlist file, as demonstrated by a long .mp3 URL in a .m3u file.

9.3
2009-05-28 CVE-2009-1807 Baofeng Unspecified vulnerability in Baofeng Storm

Unspecified vulnerability in Config.dll in Baofeng products 3.09.04.17 and earlier allows remote attackers to execute arbitrary code by calling the SetAttributeValue method, as exploited in the wild in April and May 2009.

9.3
2009-05-28 CVE-2009-1806 IBM Unspecified vulnerability in IBM Hardware Management Console 7.3.4.0

Unspecified vulnerability in IBM Hardware Management Console (HMC) 7 release 3.4.0 SP2, when Active Memory Sharing is used, has unknown impact and attack vectors, related to a shared memory partition and a shared memory pool with redundant paging Virtual I/O Server (VIOS) partitions.

9.3
2009-05-26 CVE-2009-1791 Mega Nerd, Nullsoft Improper Restriction of Operations Within the Bounds of A Memory Buffer vulnerability in multiple products

Heap-based buffer overflow in aiff_read_header in libsndfile 1.0.15 through 1.0.19, as used in Winamp 5.552 and possibly other media programs, allows remote attackers to cause a denial of service (application crash) and possibly execute arbitrary code via an AIFF file with an invalid header value.

9.3
2009-05-26 CVE-2009-1788 Mega Nerd, Nullsoft Improper Restriction of Operations Within the Bounds of A Memory Buffer vulnerability in multiple products

Heap-based buffer overflow in voc_read_header in libsndfile 1.0.15 through 1.0.19, as used in Winamp 5.552 and possibly other media programs, allows remote attackers to cause a denial of service (application crash) and possibly execute arbitrary code via a VOC file with an invalid header value.

9.3

13 High Vulnerabilities

DATE CVE VENDOR VULNERABILITY CVSS
2009-05-27 CVE-2009-1474 Aten Cryptographic Issues vulnerability in Aten Kh1516I IP KVM Switch and Kn9116 IP KVM Switch

The ATEN KH1516i IP KVM switch with firmware 1.0.063 and the KN9116 IP KVM switch with firmware 1.1.104 do not (1) encrypt mouse events, which makes it easier for man-in-the-middle attackers to perform mouse operations on machines connected to the switch by injecting network traffic; and do not (2) set the secure flag for the session cookie in an https session, which makes it easier for remote attackers to capture this cookie by intercepting its transmission within an http session.

7.6
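
The missing Secure flag in CVE-2009-1474 is something a scanner can detect from the response headers alone. The following is an added example, not ATEN's code: a small Set-Cookie parser and a check that reports cookies issued over https without Secure and, as a related hardening, without HttpOnly. The header strings and cookie names are constructed for the demonstration.

```python
"""Report Set-Cookie headers that lack the Secure and HttpOnly attributes.

Added example for CVE-2009-1474; not ATEN code. The sample headers below are
constructed: the first is the shape the advisory describes, the second is how
a session cookie issued over https should look.
"""


def parse_set_cookie(header: str):
    """Split one Set-Cookie value into (name, value, {attr: value-or-True}).

    Attribute names are lower-cased because clients treat them
    case-insensitively; flag attributes (Secure, HttpOnly) map to True."""
    parts = [p.strip() for p in header.split(";")]
    name, _, value = parts[0].partition("=")
    attrs = {}
    for part in parts[1:]:
        if not part:
            continue
        key, _, val = part.partition("=")
        attrs[key.strip().lower()] = val.strip() if val else True
    return name.strip(), value.strip(), attrs


def cookie_findings(set_cookie_headers, scheme="https"):
    """Return (cookie name, finding) pairs for cookies missing the flags."""
    findings = []
    for header in set_cookie_headers:
        name, _, attrs = parse_set_cookie(header)
        if scheme == "https" and "secure" not in attrs:
            findings.append((name, "no Secure flag: the browser will also send "
                                   "this cookie over a plain http connection"))
        if "httponly" not in attrs:
            findings.append((name, "no HttpOnly flag: readable by script"))
    return findings


SAMPLE_HEADERS = [
    "ADMINSESSION=3f9a1c; Path=/",
    "SESSIONID=8b2e; Path=/; Secure; HttpOnly; SameSite=Strict",
]

if __name__ == "__main__":
    for name, finding in cookie_findings(SAMPLE_HEADERS):
        print(name, "-", finding)
```

A cookie set without Secure is leaked the moment the browser follows any http:// link, image or redirect to the same host, which is exactly the interception the advisory describes; the fix is on the server, in the Set-Cookie header, not in the client.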
2009-05-29 CVE-2009-1822 Joomla, Gonzalo Maser Code Injection vulnerability in Gonzalo Maser COM Artforms 2.1B7

Multiple PHP remote file inclusion vulnerabilities in the InterJoomla ArtForms (com_artforms) component 2.1b7 for Joomla! allow remote attackers to execute arbitrary PHP code via a URL in the mosConfig_absolute_path parameter to (1) imgcaptcha.php or (2) mp3captcha.php in assets/captcha/includes/captchaform/, or (3) assets/captcha/includes/captchatalk/swfmovie.php.

7.5
2009-05-29 CVE-2009-1819 2Daybiz SQL Injection vulnerability in 2Daybiz Custom T-Shirt Design Script

SQL injection vulnerability in product.php in 2daybiz Custom T-shirt Design Script allows remote attackers to execute arbitrary SQL commands via the id parameter.

7.5
2009-05-29 CVE-2009-1818 Maxcms SQL Injection vulnerability in Maxcms 2.0

SQL injection vulnerability in admin/admin_manager.asp in MaxCMS 2.0 allows remote attackers to execute arbitrary SQL commands via an m_username cookie in an add action.

7.5
2009-05-29 CVE-2009-1816 Mygamescript SQL Injection vulnerability in Mygamescript MY Game Script 2.0

SQL injection vulnerability in admin.php in My Game Script 2.0 allows remote attackers to execute arbitrary SQL commands via the user parameter (aka the username field).

7.5
2009-05-29 CVE-2009-1814 Jevontech SQL Injection vulnerability in Jevontech PHPenpals

SQL injection vulnerability in mail.php in PHPenpals 1.1 and earlier allows remote attackers to execute arbitrary SQL commands via the ID parameter.

7.5
2009-05-29 CVE-2009-1813 Submitterscript SQL Injection vulnerability in Submitterscript 2

Multiple SQL injection vulnerabilities in admin/index.php in Submitter Script 2 allow remote attackers to execute arbitrary SQL commands via (1) the uNev parameter (aka the username field) or (2) the uJelszo parameter (aka the Password field).

7.5
2009-05-28 CVE-2009-1804 Videoscript SQL Injection vulnerability in Videoscript Youtube Video Script

Multiple SQL injection vulnerabilities in admin/index.php in VideoScript.us YouTube Video Script allow remote attackers to execute arbitrary SQL commands via the (1) username and (2) password parameters.

7.5
2009-05-28 CVE-2009-1800 Chinagames Buffer Errors vulnerability in Chinagames Igame 2009

Stack-based buffer overflow in the Chinagames CGAgent ActiveX control 1.x in CGAgent.dll, as distributed in Chinagames iGame 2009, allows remote attackers to execute arbitrary code via a long argument to the CreateChinagames method, as exploited in the wild in April and May 2009.

7.5
2009-05-26 CVE-2009-1787 Phpdirsubmit SQL Injection vulnerability in PHPdirsubmit PHP DIR Submit

Multiple SQL injection vulnerabilities in PHP Dir Submit (aka WebsiteSubmitter and Submitter Script) allow remote attackers to bypass authentication and gain administrative access via the (1) username and (2) password parameters.

7.5
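
Most of the 7.5-rated entries above (2daybiz, MaxCMS, My Game Script, PHPenpals, Submitter Script, YouTube Video Script, PHP Dir Submit) are one bug: a login or lookup query assembled by string concatenation. The following added example, which is not code from any of those products, runs that pattern against an in-memory SQLite database beside the parameterized form, with a constructed username of the form ' OR '1'='1' -- that bypasses the first and not the second. The table layout, the account and the deliberately simple password hashing are assumptions made for the demonstration; the same applies when the tainted value arrives in a cookie rather than a form field, as in the MaxCMS entry.

```python
"""Admin login built by string concatenation versus a parameterized query.

Added example for the SQL injection entries above; not code from any listed
product. Table, account, payload and hashing are constructed for the demo
(sha256 stands in for a real password hash; the point here is the query).
"""
import hashlib
import sqlite3


def make_db() -> sqlite3.Connection:
    """Constructed sample data: one admin account."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE admins (username TEXT, pwhash TEXT)")
    conn.execute(
        "INSERT INTO admins VALUES (?, ?)",
        ("admin", hashlib.sha256(b"correct horse").hexdigest()),
    )
    return conn


def login_vulnerable(conn, username: str, password: str) -> bool:
    """Input is pasted into the SQL text, so a quote ends the string literal
    and '--' comments out the rest of the WHERE clause."""
    pwhash = hashlib.sha256(password.encode()).hexdigest()
    sql = ("SELECT username FROM admins WHERE username = '" + username
           + "' AND pwhash = '" + pwhash + "'")
    return conn.execute(sql).fetchone() is not None


def login_fixed(conn, username: str, password: str) -> bool:
    """Placeholders: values travel separately from the SQL text, so a quote
    in the username is just data."""
    pwhash = hashlib.sha256(password.encode()).hexdigest()
    row = conn.execute(
        "SELECT username FROM admins WHERE username = ? AND pwhash = ?",
        (username, pwhash),
    ).fetchone()
    return row is not None


def demo() -> dict:
    conn = make_db()
    # Constructed bypass payload for the username field.
    payload = "admin' OR '1'='1' --"
    return {
        "vuln_bypassed": login_vulnerable(conn, payload, "wrong"),
        "fixed_bypassed": login_fixed(conn, payload, "wrong"),
        "fixed_real_login": login_fixed(conn, "admin", "correct horse"),
    }


if __name__ == "__main__":
    print(demo())
```

Escaping or magic_quotes, which the ST-Gallery entry below depends on, is not a substitute for placeholders: it protects only quoted string contexts, and the numeric id parameters in several of these entries are typically not quoted at all.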
2009-05-26 CVE-2009-1634 Novell Session Management vulnerability in Novell GroupWise WebAccess

The WebAccess component in Novell GroupWise 7.x before 7.03 HP3 and 8.x before 8.0 HP2 does not properly implement session management mechanisms, which allows remote attackers to gain access to user accounts via unspecified vectors.

7.5
2009-05-29 CVE-2009-1824 Arcabit Improper Input Validation vulnerability in Arcabit products

The ps_drv.sys kernel driver in ArcaBit ArcaVir 2009 Antivirus Protection 9.4.3201.9 and earlier, ArcaVir 2009 Internet Security 9.4.3202.9 and earlier, ArcaVir 2009 System Protection 9.4.3203.9 and earlier, and ArcaBit 2009 Home Protection 9.4.3204.9 and earlier, allows local users to gain privileges via crafted METHOD_NEITHER IOCTL requests to \Device\ps_drv containing arbitrary kernel addresses, as demonstrated using the (1) 0x2A7B802B and possibly (2) 0x2A7B8004 and (3) 0x2A7B802F IOCTLs.

7.2
2009-05-26 CVE-2009-1476 Darren Reed Buffer Errors vulnerability in Darren Reed Ipfilter 4.1.31

Buffer overflow in lib/load_http.c in ippool in Darren Reed IPFilter (aka IP Filter) 4.1.31 allows local users to gain privileges via vectors involving a long hostname in a URL.

7.2

26 Medium Vulnerabilities

DATE CVE VENDOR VULNERABILITY CVSS
2009-05-26 CVE-2009-1786 IBM Race Condition vulnerability in IBM AIX 5.3/6.1

The malloc subsystem in libc in IBM AIX 5.3 and 6.1 allows local users to create or overwrite arbitrary files via a symlink attack on the log file associated with the MALLOCDEBUG environment variable.

6.9
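
The AIX MALLOCDEBUG issue above is the classic symlink-at-a-predictable-log-path attack. As an added example, which is not IBM's libc code, the following opens a log file two ways inside a temporary directory where a symlink has already been planted at the log path: a plain O_CREAT open, which follows the link and appends to the victim file, and an O_CREAT|O_EXCL|O_NOFOLLOW open, which refuses atomically with no separate existence check for an attacker to race. It assumes a POSIX system; all file names are constructed.

```python
"""Creating a log file at an attacker-influenced path, unsafely and safely.

Added example for CVE-2009-1786; not IBM code. Paths are constructed inside
a temporary directory. Requires a POSIX platform (os.O_NOFOLLOW).
"""
import os
import tempfile


def open_log_following_symlinks(path: str) -> int:
    """The unsafe pattern: O_CREAT without O_EXCL/O_NOFOLLOW happily opens
    whatever a symlink at `path` points to, with the caller's privileges."""
    return os.open(path, os.O_WRONLY | os.O_CREAT | os.O_APPEND, 0o600)


def open_log_safely(path: str) -> int:
    """O_NOFOLLOW refuses a symlink at the final component and O_EXCL fails
    if anything already exists there, in one system call, so there is no
    check-then-open window to race."""
    return os.open(path, os.O_WRONLY | os.O_CREAT | os.O_EXCL | os.O_NOFOLLOW, 0o600)


def demo() -> dict:
    with tempfile.TemporaryDirectory() as d:
        victim = os.path.join(d, "victim.txt")     # file the attacker wants written
        with open(victim, "w") as f:
            f.write("original\n")
        logpath = os.path.join(d, "malloc.log")    # the predictable log path
        os.symlink(victim, logpath)                # what a local attacker plants

        fd = open_log_following_symlinks(logpath)
        os.write(fd, b"debug output\n")
        os.close(fd)
        with open(victim) as f:
            victim_after = f.read()

        try:
            os.close(open_log_safely(logpath))
            safe_refused = False
        except OSError:                            # EEXIST or ELOOP
            safe_refused = True

    return {"victim_overwritten": "debug output" in victim_after,
            "safe_refused": safe_refused}


if __name__ == "__main__":
    print(demo())
```

For a privileged process the better answer is to ignore user-controlled debug paths entirely or drop privileges before opening them; the flags above are the minimum when the path must be honoured.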
2009-05-28 CVE-2009-1802 Freepbx, Sangoma Cross-Site Request Forgery (CSRF) vulnerability in multiple products

Multiple cross-site request forgery (CSRF) vulnerabilities in FreePBX 2.5.1, and other 2.4.x, 2.5.x, and pre-release 2.6.x versions, allow remote attackers to hijack the authentication of admins for requests that create a new admin account or have unspecified other impact.

6.8
2009-05-28 CVE-2009-1799 Sebastian Thiele SQL Injection vulnerability in Sebastian-Thiele St-Gallery 0.1Alpha

Multiple SQL injection vulnerabilities in the getGalleryImage function in st_admin/gallery_output.php in ST-Gallery 0.1 alpha, when magic_quotes_gpc is disabled, allow remote attackers to execute arbitrary SQL commands via the (1) gallery_category or (2) gallery_show parameter to example.php.

6.8
2009-05-28 CVE-2008-6814 JAN DE Graaff, Mambo Improper Input Validation vulnerability in JAN DE Graaff COM Simpleboard

Unrestricted file upload vulnerability in image_upload.php in the SimpleBoard (com_simpleboard) component 1.0.1 and earlier for Mambo allows remote attackers to execute arbitrary code by uploading a file with an executable extension and an image/jpeg content type, then accessing this file via a direct request to the file in components/com_simpleboard/, a different vulnerability than CVE-2006-3528.

6.8
2009-05-29 CVE-2009-1826 Collector Improper Authentication vulnerability in Collector Mygesuad 0.9.14

modules/admuser.php in myGesuad 0.9.14 (aka 0.9) does not require administrative authentication, which allows remote authenticated users to list user accounts via a Find action.

6.5
2009-05-27 CVE-2009-0588 Redhat Unspecified vulnerability in Redhat Certificate System and Dogtag Certificate System

agent/request/op.cgi in the Registration Authority (RA) component in Red Hat Certificate System (RHCS) 7.3 and Dogtag Certificate System allows remote authenticated users to approve certificate requests queued for arbitrary agent groups via a modified request ID field.

6.5
2009-05-29 CVE-2009-1812 Collector SQL Injection vulnerability in Collector Mygesuad 0.9.14

Multiple SQL injection vulnerabilities in myGesuad 0.9.14 (aka 0.9) allow remote attackers to execute arbitrary SQL commands via (1) the formUser parameter (aka the Name field) to common/login.php, and allow remote authenticated users to execute arbitrary SQL commands via the ID parameter in a Detail action to (2) kategorie.php, (3) budget.php, (4) zahlung.php, or (5) adresse.php in modules/, related to classes/class.perform.php.

6.0
2009-05-29 CVE-2009-1810 Collector SQL Injection vulnerability in Collector Mycolex 1.4.2

Multiple SQL injection vulnerabilities in myColex 1.4.2 allow remote attackers to execute arbitrary SQL commands via (1) the formUser parameter (aka the Name field) to common/login.php, and allow remote authenticated users to execute arbitrary SQL commands via the ID parameter in a Detail action to (2) kategorie.php, (3) medium.php, (4) person.php, or (5) schlagwort.php in modules/, related to classes/class.perform.php.

6.0
2009-05-29 CVE-2009-1829 Wireshark Denial of Service vulnerability in Wireshark PCNFSD Dissector

Unspecified vulnerability in the PCNFSD dissector in Wireshark 0.8.20 through 1.0.7 allows remote attackers to cause a denial of service (crash) via crafted PCNFSD packets.

5.0
2009-05-29 CVE-2009-1828 Mozilla Resource Management Errors vulnerability in Mozilla Firefox 3.0.10

Mozilla Firefox 3.0.10 allows remote attackers to cause a denial of service (infinite loop, application hang, and memory consumption) via a KEYGEN element in conjunction with (1) a META element specifying automatic page refresh or (2) a JavaScript onLoad event handler for a BODY element.

5.0
2009-05-29 CVE-2009-1827 Mozilla Resource Management Errors vulnerability in Mozilla Firefox 3.0.4

The SVG component in Mozilla Firefox 3.0.4 allows remote attackers to cause a denial of service (application hang) via a large value in the r (aka Radius) attribute of a circle element, related to an "unclamped loop."

5.0
2009-05-29 CVE-2009-1821 Dmxready Permissions, Privileges, and Access Controls vulnerability in Dmxready Registration Manager 1.1

DMXReady Registration Manager 1.1 stores sensitive information under the web root with insufficient access control, which allows remote attackers to download the database file via a direct request for databases/webblogmanager.mdb.

5.0
2009-05-28 CVE-2009-1384 Redhat, Eyrie Improper Authentication vulnerability in Eyrie Pam-Krb5 2.2.14/2.3/2.3.4

pam_krb5 2.2.14 through 2.3.4, as used in Red Hat Enterprise Linux (RHEL) 5, generates different password prompts depending on whether the user account exists, which allows remote attackers to enumerate valid usernames.

5.0
2009-05-28 CVE-2009-1803 Freepbx, Sangoma Information Exposure vulnerability in multiple products

FreePBX 2.5.1, and other 2.4.x, 2.5.x, and pre-release 2.6.x versions, generates different error messages for a failed login attempt depending on whether the user account exists, which allows remote attackers to enumerate valid usernames.

5.0
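
CVE-2009-1384 and CVE-2009-1803 both leak whether an account exists through a different prompt or error message. The following added example, which is not pam_krb5 or FreePBX code, shows a login function with that leak beside one that returns the same message and does the same password-hashing work for unknown and known users, plus the probe an attacker would run against each. The user store, the PBKDF2 parameters and the message strings are constructed for the demonstration; the timing side is only approximated (same hash work on both paths), not measured.

```python
"""A login that reveals whether a user name exists, beside one that does not.

Added example for CVE-2009-1384 / CVE-2009-1803; not pam_krb5 or FreePBX
code. The account, messages and PBKDF2 parameters are constructed.
"""
import hashlib
import hmac
import os


def _hash(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 50_000)


_SALT = os.urandom(16)
USERS = {"alice": (_SALT, _hash("s3cret", _SALT))}   # constructed account

# Throwaway record used for unknown users, so both code paths hash once and
# run the same comparison.
_DUMMY_SALT = os.urandom(16)
_DUMMY_HASH = _hash("placeholder", _DUMMY_SALT)


def login_leaky(username: str, password: str) -> str:
    """Distinct messages (and no hashing at all for unknown users) tell an
    attacker which names are real."""
    if username not in USERS:
        return "Unknown user"
    salt, stored = USERS[username]
    if hmac.compare_digest(_hash(password, salt), stored):
        return "OK"
    return "Wrong password"


def login_uniform(username: str, password: str) -> str:
    """Same message and same work whether or not the user exists."""
    known = username in USERS
    salt, stored = USERS.get(username, (_DUMMY_SALT, _DUMMY_HASH))
    matched = hmac.compare_digest(_hash(password, salt), stored)
    return "OK" if (known and matched) else "Invalid username or password"


def probe_usernames(login, candidates, password="wrong-guess"):
    """Attacker's view: names whose response differs from a name that cannot
    exist. Against the leaky login this is a username oracle."""
    baseline = login("no-such-user-" + os.urandom(4).hex(), password)
    return [name for name in candidates if login(name, password) != baseline]


if __name__ == "__main__":
    print("leaky  :", probe_usernames(login_leaky, ["alice", "bob"]))    # ['alice']
    print("uniform:", probe_usernames(login_uniform, ["alice", "bob"]))  # []
```

The same check applies to any account-related flow, password reset and registration included: the response, status code and response time should not depend on whether the name is known.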
2009-05-28 CVE-2008-6815 Myktools Improper Authentication vulnerability in Myktools 2.4

mykdownload.php in MyKtools 2.4 does not require administrative authentication, which allows remote attackers to read a database backup by making a direct request, and then sending an unspecified request to the download page for the backup.

5.0
2009-05-26 CVE-2009-1375 Pidgin Improper Restriction of Operations Within the Bounds of A Memory Buffer vulnerability in Pidgin

The PurpleCircBuffer implementation in Pidgin (formerly Gaim) before 2.5.6 does not properly maintain a certain buffer, which allows remote attackers to cause a denial of service (memory corruption and application crash) via vectors involving the (1) XMPP or (2) Sametime protocol.

5.0
2009-05-26 CVE-2009-1374 Pidgin Improper Restriction of Operations Within the Bounds of A Memory Buffer vulnerability in Pidgin

Buffer overflow in the decrypt_out function in Pidgin (formerly Gaim) before 2.5.6 allows remote attackers to cause a denial of service (application crash) via a QQ packet.

5.0
2009-05-28 CVE-2009-1808 Microsoft Denial-Of-Service vulnerability in Windows XP Professional

Microsoft Windows XP SP3 allows local users to cause a denial of service (system crash) by making an SPI_SETDESKWALLPAPER SystemParametersInfo call with an improperly terminated pvParam argument, followed by an SPI_GETDESKWALLPAPER SystemParametersInfo call.

4.9
2009-05-29 CVE-2009-1820 2Daybiz Cross-Site Scripting vulnerability in 2Daybiz Custom T-Shirt Design Script

Cross-site scripting (XSS) vulnerability in product.php in 2daybiz Custom T-shirt Design Script allows remote attackers to inject arbitrary web script or HTML via the id parameter.

4.3
2009-05-29 CVE-2009-1811 Collector Cross-Site Scripting vulnerability in Collector Mygesuad 0.9.14

Multiple cross-site scripting (XSS) vulnerabilities in myGesuad 0.9.14 (aka 0.9) allow remote attackers to inject arbitrary web script or HTML via (1) the Page parameter in a List action to modules/ereignis.php, (2) the Kontext parameter in a Search action to modules/kategorie.php, (3) the image parameter to modules/image.php, or (4) the ID parameter in a Detail action to modules/sitzung.php.

4.3
2009-05-29 CVE-2009-1809 Collector Cross-Site Scripting vulnerability in Collector Mycolex 1.4.2

Multiple cross-site scripting (XSS) vulnerabilities in myColex 1.4.2 allow remote attackers to inject arbitrary web script or HTML via (1) the year parameter to modules/kalender.php, (2) the Page parameter in a List action to modules/ereignis.php, (3) the Kontext parameter in a Search action to modules/kategorie.php, or (4) the image parameter to modules/image.php.

4.3
2009-05-28 CVE-2009-1801 Freepbx, Sangoma Cross-Site Scripting vulnerability in multiple products

Multiple cross-site scripting (XSS) vulnerabilities in FreePBX 2.5.1, and other 2.4.x, 2.5.x, and pre-release 2.6.x versions, allow remote attackers to inject arbitrary web script or HTML via the (1) display parameter to reports.php, the (2) order and (3) extdisplay parameters to config.php, and the (4) sort parameter to recordings/index.php.

4.3
2009-05-26 CVE-2009-1796 SUN Cross-Site Scripting vulnerability in SUN Java System Portal Server 6.3.1/7.1/7.2

Cross-site scripting (XSS) vulnerability in Sun Java System Portal Server 6.3.1, 7.1, and 7.2 allows remote attackers to inject arbitrary web script or HTML via vectors related to an error page.

4.3
2009-05-26 CVE-2009-1790 CGI Rescue Cross-Site Scripting vulnerability in CGI Rescue

Cross-site scripting (XSS) vulnerability in CGI RESCUE Trees before 2.11 allows remote attackers to inject arbitrary web script or HTML via unspecified parameters.

4.3
2009-05-26 CVE-2009-1789 Eggheads, Philip Moore Remote Denial Of Service vulnerability in Eggdrop 'ctcpbuf'

mod/server.mod/servmsg.c in Eggheads Eggdrop and Windrop 1.6.19 and earlier allows remote attackers to cause a denial of service (crash) via a crafted PRIVMSG that causes an empty string to trigger a negative string length copy.

4.3
2009-05-29 CVE-2009-1825 Collector Improper Authentication vulnerability in Collector Mycolex 1.4.2

modules/admuser.php in myColex 1.4.2 does not require administrative authentication, which allows remote authenticated users to list user accounts via a Find action.

4.0

1 Low Vulnerabilities

DATE CVE VENDOR VULNERABILITY CVSS
2009-05-29 CVE-2009-1823 Drupal Cross-Site Scripting vulnerability in Drupal Print

Cross-site scripting (XSS) vulnerability in the Print (aka Printer, e-mail and PDF versions) module 5.x before 5.x-4.7 and 6.x before 6.x-1.7, a module for Drupal, allows remote attackers to inject arbitrary web script or HTML by modifying a document head, before the Content-Type META element, to contain crafted UTF-8 byte sequences that are treated as UTF-7 by Internet Explorer 6 and 7, a related issue to CVE-2009-1575.

2.6