Weekly Vulnerabilities Reports > January 25 to 31, 2010

Overview

46 new vulnerabilities reported during this period, including 12 critical vulnerabilities and 12 high severity vulnerabilities. This weekly summary reports vulnerabilities in 47 products from 27 vendors including Apple, Microsoft, Realnetworks, SUN, and Cisco. Vulnerabilities are notably categorized as "Improper Restriction of Operations within the Bounds of a Memory Buffer", "Information Exposure", "SQL Injection", "Permissions, Privileges, and Access Controls", and "Cross-site Scripting".

  • 43 reported vulnerabilities are remotely exploitable.
  • 6 reported vulnerabilities have a public exploit available.
  • 12 reported vulnerabilities are related to weaknesses in OWASP Top Ten.
  • 41 reported vulnerabilities are exploitable by an anonymous user.
  • Apple has the most reported vulnerabilities, with 9 reported vulnerabilities.
  • Apple has the most reported critical vulnerabilities, with 9 reported vulnerabilities.


Vulnerability Details

The following tables list the reported vulnerabilities for the period covered by this report:


12 Critical Vulnerabilities

DATE CVE VENDOR VULNERABILITY CVSS
2010-01-28 CVE-2010-0140 Cisco Multiple vulnerabilities in Cisco Unified MeetingPlace

Multiple unspecified vulnerabilities in the web server in Cisco Unified MeetingPlace 7 before 7.0(2.3) hotfix 5F, 6 before 6.0.639.3, and possibly 5 allow remote attackers to create (1) user or (2) administrator accounts via a crafted URL in a request to the internal interface, aka Bug IDs CSCtc59231 and CSCtd40661.

10.0
2010-01-28 CVE-2003-1576 SUN Buffer Errors vulnerability in SUN Change Manager 1.0

Buffer overflow in pamverifier in Change Manager (CM) 1.0 for Sun Management Center (SunMC) 3.0 on Solaris 8 and 9 on the sparc platform allows remote attackers to execute arbitrary code via unspecified vectors.

10.0
2010-01-25 CVE-2009-4257 Realnetworks, Microsoft, Apple Improper Restriction of Operations Within the Bounds of A Memory Buffer vulnerability in Realnetworks products

Heap-based buffer overflow in datatype/smil/common/smlpkt.cpp in smlrender.dll in RealNetworks RealPlayer 10, RealPlayer 10.5 6.0.12.1040 through 6.0.12.1741, RealPlayer 11 11.0.0 through 11.0.4, RealPlayer Enterprise, Mac RealPlayer 10 and 10.1, Linux RealPlayer 10 and 11.0.0, and Helix Player 10.x and 11.0.0 allows remote attackers to execute arbitrary code via an SMIL file with crafted string lengths.

9.3
2010-01-25 CVE-2009-4248 Realnetworks, Microsoft, Apple Improper Restriction of Operations Within the Bounds of A Memory Buffer vulnerability in Realnetworks products

Buffer overflow in the RTSPProtocol::HandleSetParameterRequest function in client/core/rtspprotocol.cpp in RealNetworks RealPlayer 10, RealPlayer 10.5 6.0.12.1040 through 6.0.12.1741, RealPlayer 11 11.0.0 through 11.0.4, RealPlayer Enterprise, Mac RealPlayer 10 and 10.1, Linux RealPlayer 10, and Helix Player 10.x allows remote attackers to cause a denial of service (application crash) or possibly execute arbitrary code via a crafted RTSP SET_PARAMETER request.

9.3
2010-01-25 CVE-2009-4247 Realnetworks, Microsoft, Apple Improper Restriction of Operations Within the Bounds of A Memory Buffer vulnerability in Realnetworks products

Stack-based buffer overflow in protocol/rtsp/rtspclnt.cpp in RealNetworks RealPlayer 10; RealPlayer 10.5 6.0.12.1040 through 6.0.12.1741; RealPlayer 11 11.0.x; RealPlayer SP 1.0.0 and 1.0.1; RealPlayer Enterprise; Mac RealPlayer 10, 10.1, 11.0, and 11.0.1; Linux RealPlayer 10, 11.0.0, and 11.0.1; and Helix Player 10.x, 11.0.0, and 11.0.1 allows remote attackers to cause a denial of service (application crash) or possibly execute arbitrary code via an ASM RuleBook with a large number of rules, related to an "array overflow." Specific affected release information can be found from RealNetworks at: http://service.real.com/realplayer/security/01192010_player/en/

9.3
2010-01-25 CVE-2009-4246 Realnetworks, Microsoft, Apple Improper Restriction of Operations Within the Bounds of A Memory Buffer vulnerability in Realnetworks products

Stack-based buffer overflow in RealNetworks RealPlayer 10, RealPlayer 10.5 6.0.12.1040 through 6.0.12.1741, RealPlayer 11 11.0.0 through 11.0.4, RealPlayer Enterprise, Mac RealPlayer 10 and 10.1, Linux RealPlayer 10, and Helix Player 10.x allows user-assisted remote attackers to execute arbitrary code via a malformed .RJS skin file that contains a web.xmb file with crafted length values.

9.3
2010-01-25 CVE-2009-4245 Realnetworks, Microsoft, Apple Improper Restriction of Operations Within the Bounds of A Memory Buffer vulnerability in Realnetworks products

Heap-based buffer overflow in RealNetworks RealPlayer 10, RealPlayer 10.5 6.0.12.1040 through 6.0.12.1741, RealPlayer 11 11.0.0 through 11.0.4, RealPlayer Enterprise, Mac RealPlayer 10 and 10.1, Linux RealPlayer 10, and Helix Player 10.x allows remote attackers to cause a denial of service (application crash) or possibly execute arbitrary code via a compressed GIF file, related to gifcodec.cpp and gifimage.cpp.

9.3
2010-01-25 CVE-2009-4244 Realnetworks, Microsoft, Apple Improper Restriction of Operations Within the Bounds of A Memory Buffer vulnerability in Realnetworks products

Heap-based buffer overflow in RealNetworks RealPlayer 10; RealPlayer 10.5 6.0.12.1040 through 6.0.12.1741; RealPlayer 11 11.0.0 through 11.0.4; RealPlayer Enterprise; Mac RealPlayer 10, 10.1, and 11.0; Linux RealPlayer 10; and Helix Player 10.x allows remote attackers to execute arbitrary code via an SIPR codec field with a small length value that triggers incorrect memory allocation.

9.3
2010-01-25 CVE-2009-4243 Realnetworks, Microsoft, Apple Improper Restriction of Operations Within the Bounds of A Memory Buffer vulnerability in Realnetworks products

RealNetworks RealPlayer 10, RealPlayer 10.5 6.0.12.1040 through 6.0.12.1741, RealPlayer 11 11.0.0 through 11.0.4, RealPlayer Enterprise, Mac RealPlayer 10 and 10.1, Linux RealPlayer 10, and Helix Player 10.x allow remote attackers to have an unspecified impact via a crafted media file that uses HTTP chunked transfer coding, related to an "overflow." Specific affected release information can be found from RealNetworks at: http://service.real.com/realplayer/security/01192010_player/en/

9.3
2010-01-25 CVE-2009-4242 Realnetworks, Microsoft, Apple Improper Restriction of Operations Within the Bounds of A Memory Buffer vulnerability in Realnetworks products

Heap-based buffer overflow in the CGIFCodec::GetPacketBuffer function in datatype/image/gif/common/gifcodec.cpp in RealNetworks RealPlayer 10; RealPlayer 10.5 6.0.12.1040 through 6.0.12.1741; RealPlayer 11 11.0.0 through 11.0.4; RealPlayer Enterprise; Mac RealPlayer 10, 10.1, and 11.0; Linux RealPlayer 10; and Helix Player 10.x allows remote attackers to execute arbitrary code via a GIF file with crafted chunk sizes that trigger improper memory allocation.

9.3
2010-01-25 CVE-2009-4241 Realnetworks, Microsoft, Apple Improper Restriction of Operations Within the Bounds of A Memory Buffer vulnerability in Realnetworks products

Heap-based buffer overflow in RealNetworks RealPlayer 10, RealPlayer 10.5 6.0.12.1040 through 6.0.12.1741, RealPlayer 11 11.0.0 through 11.0.4, RealPlayer Enterprise, Mac RealPlayer 10 and 10.1, Linux RealPlayer 10, and Helix Player 10.x allows remote attackers to execute arbitrary code via a file with invalid ASMRuleBook structures that trigger heap memory corruption.

9.3
2010-01-28 CVE-2010-0139 Cisco SQL Injection vulnerability in Cisco Unified Meetingplace

Cisco Unified MeetingPlace 7 before 7.0(2.3) hotfix 5F, 6 before 6.0.639.2, and possibly 5 does not properly validate SQL commands, which allows remote attackers to create, modify, or delete data in a database via unspecified vectors, aka Bug ID CSCtc39691.

9.0

12 High Vulnerabilities

DATE CVE VENDOR VULNERABILITY CVSS
2010-01-28 CVE-2010-0142 Cisco Permissions, Privileges, and Access Controls vulnerability in Cisco Unified Meetingplace

MeetingTime in Cisco Unified MeetingPlace 6 before MR5, and possibly 5, allows remote authenticated users to gain privileges via a modified authentication sequence, aka Bug ID CSCsv66530.

8.5
2010-01-29 CVE-2010-0005 Viewvc Permissions, Privileges, and Access Controls vulnerability in Viewvc

query.py in the query interface in ViewVC before 1.1.3 does not reject configurations that specify an unsupported authorizer for a root, which might allow remote attackers to bypass intended access restrictions via a query.

7.5
2010-01-28 CVE-2010-0459 Yoflash, Joomla SQL Injection vulnerability in Yoflash COM Mochigames 0.51

SQL injection vulnerability in the Mochigames (com_mochigames) component 0.51 and possibly other versions for Joomla! allows remote attackers to execute arbitrary SQL commands via the id parameter to index.php.

7.5
2010-01-28 CVE-2010-0458 Netartmedia SQL Injection vulnerability in Netartmedia Blog System 1.5

Multiple SQL injection vulnerabilities in NetArt Media Blog System 1.5 allow remote attackers to execute arbitrary SQL commands via the (1) cat parameter to index.php and the (2) note parameter to blog.php.

7.5
2010-01-28 CVE-2010-0457 A3Malnet SQL Injection vulnerability in A3Malnet Magic-Portal 2.1

SQL injection vulnerability in home.php in magic-portal 2.1 allows remote attackers to execute arbitrary SQL commands via the id parameter.

7.5
2010-01-28 CVE-2010-0456 Indianpulses, Joomla SQL Injection vulnerability in Indianpulses COM Gameserver 1.2

SQL injection vulnerability in the indianpulse Game Server (com_gameserver) component 1.2 for Joomla! allows remote attackers to execute arbitrary SQL commands via the grp parameter in a gameserver action to index.php.

7.5
2010-01-28 CVE-2010-0454 Fabricadigital SQL Injection vulnerability in Fabricadigital Publique! 2.3

SQL injection vulnerability in cgi/cgilua.exe/sys/start.htm in Publique! 2.3 allows remote attackers to execute arbitrary SQL commands via the sid parameter.

7.5
2010-01-28 CVE-2005-4885 SUN Remote Security vulnerability in StorEdge 6130 Array

Unspecified vulnerability on certain Sun StorEdge 6130 (SE6130) Controller Arrays allows remote attackers to delete data via unknown vectors.

7.5
2010-01-27 CVE-2009-4272 Linux, Redhat Improper Locking vulnerability in multiple products

A certain Red Hat patch for net/ipv4/route.c in the Linux kernel 2.6.18 on Red Hat Enterprise Linux (RHEL) 5 allows remote attackers to cause a denial of service (deadlock) via crafted packets that force collisions in the IPv4 routing hash table, and trigger a routing "emergency" in which a hash chain is too long.

7.5
2010-01-26 CVE-2010-0391 Embarcadero Buffer Errors vulnerability in Embarcadero Interbase SMP 2009 9.0.3.437

Multiple stack-based buffer overflows in Embarcadero Technologies InterBase SMP 2009 9.0.3.437 allow remote attackers to execute arbitrary code via unknown vectors involving crafted packets.

7.5
2010-01-25 CVE-2010-0388 SUN Use of Externally-Controlled Format String vulnerability in SUN Java System Web Server 7.0

Format string vulnerability in the WebDAV implementation in webservd in Sun Java System Web Server 7.0 Update 6 allows remote attackers to cause a denial of service (daemon crash) and possibly have unspecified other impact via format string specifiers in the encoding attribute of the XML declaration in a PROPFIND request.

7.5
2010-01-25 CVE-2010-0387 SUN Buffer Errors vulnerability in SUN Java System Web Server 7.0

Multiple heap-based buffer overflows in (1) webservd and (2) the admin server in Sun Java System Web Server 7.0 Update 7 allow remote attackers to cause a denial of service (daemon crash) and possibly have unspecified other impact via a long string in an "Authorization: Digest" HTTP header.

7.5

20 Medium Vulnerabilities

DATE CVE VENDOR VULNERABILITY CVSS
2010-01-29 CVE-2009-2624 GNU Improper Input Validation vulnerability in GNU Gzip

The huft_build function in inflate.c in gzip before 1.3.13 creates a hufts (aka huffman) table that is too small, which allows remote attackers to cause a denial of service (application crash or infinite loop) or possibly execute arbitrary code via a crafted archive.

6.8
2010-01-26 CVE-2010-0390 Phpf1 Unspecified vulnerability in PHPf1 Max's Image Uploader 1.0

Unrestricted file upload vulnerability in maxImageUpload/index.php in PHP F1 Max's Image Uploader 1.0, when Apache is not configured to handle the mime-type for files with pjpeg or jpeg extensions, allows remote attackers to execute arbitrary code by uploading a file with a pjpeg or jpeg extension, then accessing it via a direct request to the file in original/.

6.8
2010-01-25 CVE-2005-4884 Oracle Remote Security vulnerability in Oracle Database Server 10.1.0.4

Unspecified vulnerability in the Oracle OLAP component in Oracle Database Server 10.1.0.4 (10g) allows remote authenticated attackers to affect availability via unknown vectors, aka DB02.

6.8
2010-01-28 CVE-2010-0462 IBM Improper Restriction of Operations Within the Bounds of A Memory Buffer vulnerability in IBM DB2 9.1/9.5/9.7

Heap-based buffer overflow in IBM DB2 9.1 before FP9, 9.5 before FP6, and 9.7 before FP2 allows remote authenticated users to have an unspecified impact via a SELECT statement that has a long column name generated with the REPEAT function.

6.5
2010-01-28 CVE-2010-0461 Joomla SQL Injection vulnerability in Joomla COM Casino 1.0

SQL injection vulnerability in the casino (com_casino) component 1.0 for Joomla! allows remote attackers to execute arbitrary SQL commands via the id parameter in a (1) category or (2) player action to index.php.

6.5
2010-01-28 CVE-2010-0141 Cisco Credentials Management vulnerability in Cisco Unified Meetingplace 6.0/6.0.170.0/6.0.244

MeetingTime in Cisco Unified MeetingPlace 6 before MR5, and possibly 5, allows remote attackers to discover usernames, passwords, and unspecified other data from the user database via a modified authentication sequence to the Audio Server, aka Bug ID CSCsv76935.

6.4
2010-01-29 CVE-2010-0464 Roundcube Information Exposure vulnerability in Roundcube Webmail

Roundcube 0.3.1 and earlier does not request that the web browser avoid DNS prefetching of domain names contained in e-mail messages, which makes it easier for remote attackers to determine the network location of the webmail user by logging DNS requests.

5.0
2010-01-29 CVE-2010-0463 Horde Information Exposure vulnerability in Horde IMP

Horde IMP 4.3.6 and earlier does not request that the web browser avoid DNS prefetching of domain names contained in e-mail messages, which makes it easier for remote attackers to determine the network location of the webmail user by logging DNS requests.

5.0
2010-01-29 CVE-2009-4630 Mozilla Information Exposure vulnerability in Mozilla Firefox, Seamonkey and Thunderbird

Mozilla Necko, as used in Firefox, SeaMonkey, and other applications, performs DNS prefetching of domain names contained in links within local HTML documents, which makes it easier for remote attackers to determine the network location of the application's user by logging DNS requests.

5.0
2010-01-29 CVE-2009-4629 Mozilla Information Exposure vulnerability in Mozilla Seamonkey and Thunderbird

Mozilla Necko, as used in Thunderbird 3.0.1, SeaMonkey, and other applications, performs DNS prefetching even when the app type is APP_TYPE_MAIL or APP_TYPE_EDITOR, which makes it easier for remote attackers to determine the network location of the application's user by logging DNS requests, as demonstrated by DNS requests triggered by reading text/plain e-mail messages in Thunderbird.

5.0
2010-01-25 CVE-2010-0389 SUN Unspecified vulnerability in SUN Java System Web Server 7.0

The admin server in Sun Java System Web Server 7.0 Update 6 allows remote attackers to cause a denial of service (NULL pointer dereference and daemon crash) via an HTTP request that lacks a method token.

5.0
2010-01-25 CVE-2010-0385 TOR Information Exposure vulnerability in TOR

Tor before 0.2.1.22, and 0.2.2.x before 0.2.2.7-alpha, when functioning as a bridge directory authority, allows remote attackers to obtain sensitive information about bridge identities and bridge descriptors via a dbg-stability.txt directory query.

5.0
2010-01-25 CVE-2010-0383 TOR Information Exposure vulnerability in TOR

Tor before 0.2.1.22, and 0.2.2.x before 0.2.2.7-alpha, uses deprecated identity keys for certain directory authorities, which makes it easier for man-in-the-middle attackers to compromise the anonymity of traffic sources and destinations.

5.0
2010-01-28 CVE-2009-4183 HP Remote Unauthorized Access vulnerability in HP OpenView Storage Data Protector 6.00/6.10

Unspecified vulnerability in HP OpenView Storage Data Protector 6.00 and 6.10 allows local users to obtain unspecified "access" via unknown vectors.

4.6
2010-01-28 CVE-2003-1575 Symantec, SUN Permissions, Privileges, and Access Controls vulnerability in Symantec Vxfs 3.3.3/3.4/3.5

VERITAS File System (VxFS) 3.3.3, 3.4, and 3.5 before MP1 Rolling Patch 02 for Sun Solaris 2.5.1 through 9 does not properly implement inheritance of default ACLs in certain circumstances related to the characteristics of a directory inode, which allows local users to bypass intended file permissions by accessing a file on a VxFS filesystem.

4.6
2010-01-28 CVE-2010-0455 Punbb Cross-Site Scripting vulnerability in Punbb 1.3

Cross-site scripting (XSS) vulnerability in forum/viewtopic.php in PunBB 1.3 allows remote attackers to inject arbitrary web script or HTML via the pid parameter.

4.3
2010-01-28 CVE-2004-2766 SUN, Redhat Information Exposure vulnerability in SUN Iplanet Messaging Server and ONE Messaging Server

Webmail in Sun ONE Messaging Server 6.1 and iPlanet Messaging Server 5.2 before 5.2hf2.02 allows remote attackers to obtain unspecified "access" to e-mail via a crafted e-mail message, related to a "session hijacking" issue, a different vulnerability than CVE-2005-2022 and CVE-2006-5486.

4.3
2010-01-28 CVE-2004-2765 SUN, Redhat Cross-Site Scripting vulnerability in SUN Iplanet Messaging Server and ONE Messaging Server

Cross-site scripting (XSS) vulnerability in Webmail in Sun ONE Messaging Server 6.1 and iPlanet Messaging Server 5.2 before 5.2hf2.02, when Internet Explorer is used, allows remote attackers to inject arbitrary web script or HTML via a crafted e-mail message, a different vulnerability than CVE-2005-2022 and CVE-2006-5486.

4.3
2010-01-25 CVE-2010-0386 SUN Configuration vulnerability in SUN Java System Application Server 7.0

The default configuration of Sun Java System Application Server 7 and 7 2004Q2 enables the HTTP TRACE method, which makes it easier for remote attackers to steal cookies and authentication credentials via a cross-site tracing (XST) attack, a related issue to CVE-2004-2763 and CVE-2005-3398.

4.3
2010-01-25 CVE-2008-7253 IBM Configuration vulnerability in IBM Lotus Domino Server

The default configuration of the web server in IBM Lotus Domino Server, possibly 6.0 through 8.0, enables the HTTP TRACE method, which makes it easier for remote attackers to steal cookies and authentication credentials via a cross-site tracing (XST) attack, a related issue to CVE-2004-2763 and CVE-2005-3398.

4.3

2 Low Vulnerabilities

DATE CVE VENDOR VULNERABILITY CVSS
2010-01-28 CVE-2010-0460 Kayako Cross-Site Scripting vulnerability in Kayako Esupport and Supportsuite

Multiple cross-site scripting (XSS) vulnerabilities in staff/index.php in Kayako SupportSuite 3.60.04 and earlier allow remote authenticated users to inject arbitrary web script or HTML via the (1) subject parameter and (2) contents parameter (aka body) in an insertquestion action.

3.5
2010-01-25 CVE-2010-0384 TOR Information Exposure vulnerability in TOR

Tor 0.2.2.x before 0.2.2.7-alpha, when functioning as a directory mirror, does not prevent logging of the client IP address upon detection of erroneous client behavior, which might make it easier for local users to discover the identities of clients in opportunistic circumstances by reading log files.

2.1