Weekly Vulnerabilities Reports > August 2 to 8, 2010

Overview

45 new vulnerabilities were reported during this period, including 12 critical vulnerabilities and 9 high severity vulnerabilities. This weekly summary reports vulnerabilities in 51 products from 33 vendors, including Windriver, Redhat, Moinmo, Pharscape, and Apache. The vulnerabilities are notably categorized as "Permissions, Privileges, and Access Controls", "Cross-site Scripting", "Improper Restriction of Operations within the Bounds of a Memory Buffer", "Improper Input Validation", and "Path Traversal".

  • 38 reported vulnerabilities are remotely exploitable.
  • 8 reported vulnerabilities have a public exploit available.
  • 14 reported vulnerabilities are related to weaknesses in the OWASP Top Ten.
  • 42 reported vulnerabilities are exploitable by an anonymous user.
  • Windriver has the most reported vulnerabilities, with 4 reported vulnerabilities.
  • Gigabyte has the most reported critical vulnerabilities, with 2 reported vulnerabilities.


Vulnerability Details

The following tables list the reported vulnerabilities for the period covered by this report:


12 Critical Vulnerabilities

DATE CVE VENDOR VULNERABILITY CVSS
2010-08-05 CVE-2010-2965 Windriver/Rockwellautomation Permissions, Privileges, and Access Controls vulnerability in multiple products

The WDB target agent debug service in Wind River VxWorks 6.x, 5.x, and earlier, as used on the Rockwell Automation 1756-ENBT series A with firmware 3.2.6 and 3.6.1 and other products, allows remote attackers to read or modify arbitrary memory locations, perform function calls, or manage tasks via requests to UDP port 17185, a related issue to CVE-2005-3804.

10.0
2010-08-02 CVE-2010-2540 UMN Permissions, Privileges, and Access Controls vulnerability in UMN Mapserver

mapserv.c in mapserv in MapServer before 4.10.6 and 5.x before 5.6.4 does not properly restrict the use of CGI command-line arguments that were intended for debugging, which allows remote attackers to have an unspecified impact via crafted arguments.

10.0
2010-08-02 CVE-2010-1518 Gigabyte Improper Input Validation vulnerability in Gigabyte Dldrv2 Activex Control 1.4.206.11

Array index error in the SetDLInfo method in the GIGABYTE Dldrv2 ActiveX control 1.4.206.11 allows remote attackers to execute arbitrary code or cause a denial of service (memory corruption) via the item argument.

10.0
2010-08-02 CVE-2010-1517 Gigabyte Improper Input Validation vulnerability in Gigabyte Dldrv2 Activex Control 1.4.206.11

The GIGABYTE Dldrv2 ActiveX control 1.4.206.11 allows remote attackers to (1) download arbitrary programs onto a client system, and execute these programs, via vectors involving the dl method; and (2) download arbitrary programs onto a client system via vectors involving the SetDLInfo method in conjunction with the Bdl method.

10.0
2010-08-05 CVE-2010-2974 Invensys Buffer Errors vulnerability in Invensys products

Stack-based buffer overflow in the IConfigurationAccess interface in the Invensys Wonderware Archestra ConfigurationAccessComponent ActiveX control in Wonderware Application Server (WAS) before 3.1 SP2 P01, as used in the Wonderware Archestra Integrated Development Environment (IDE) and the InFusion Integrated Engineering Environment (IEE), allows remote attackers to execute arbitrary code via the first argument to the UnsubscribeData method.

9.3
2010-08-05 CVE-2010-2862 Adobe Numeric Errors vulnerability in Adobe Acrobat and Acrobat Reader

Integer overflow in CoolType.dll in Adobe Reader 8.2.3 and 9.3.3, and Acrobat 9.3.3, allows remote attackers to execute arbitrary code via a TrueType font with a large maxCompositePoints value in a Maximum Profile (maxp) table.

9.3
2010-08-05 CVE-2010-2709 HP Improper Restriction of Operations within the Bounds of a Memory Buffer vulnerability in HP Openview Network Node Manager 7.51/7.53

Stack-based buffer overflow in webappmon.exe in HP OpenView Network Node Manager (OV NNM) 7.51 and 7.53 allows remote attackers to execute arbitrary code via a long OvJavaLocale value in a cookie.

9.3
2010-08-05 CVE-2010-2932 Barcodewiz Buffer Errors vulnerability in Barcodewiz Barcode Activex Control 3.29

Buffer overflow in BarCodeWiz BarCode 3.29 ActiveX control (BarcodeWiz.dll) allows remote attackers to execute arbitrary code via a long argument to the LoadProperties method.

9.3
2010-08-05 CVE-2010-2931 Topazsystems Buffer Errors vulnerability in Topazsystems Sigplus PRO Activex Control 3.74

Stack-based buffer overflow in SigPlus Pro 3.74 ActiveX control allows remote attackers to execute arbitrary code via a long eighth argument (HexString) to the LCDWriteString method.

9.3
2010-08-05 CVE-2010-2971 Raphael Assenat Buffer Errors vulnerability in Raphael Assenat Libmikmod 3.1.12

loaders/load_it.c in libmikmod, possibly 3.1.12, does not properly account for the larger size of name##env relative to name##tick and name##node, which allows remote attackers to trigger a buffer over-read and possibly have unspecified other impact via a crafted Impulse Tracker file, a related issue to CVE-2010-2546.

9.3
2010-08-05 CVE-2010-2860 EMC Permissions, Privileges, and Access Controls vulnerability in EMC Celerra Network Attached Storage

The EMC Celerra Network Attached Storage (NAS) appliance accepts external network traffic to IP addresses intended for an intranet network within the appliance, which allows remote attackers to read, create, or modify arbitrary files in the user data directory via NFS requests.

9.3
2010-08-05 CVE-2010-2546 Raphael Assenat Buffer Errors vulnerability in Raphael Assenat Libmikmod 3.1.12

Multiple heap-based buffer overflows in loaders/load_it.c in libmikmod, possibly 3.1.12, might allow remote attackers to execute arbitrary code via (1) crafted samples or (2) crafted instrument definitions in an Impulse Tracker file, related to panpts, pitpts, and IT_ProcessEnvelope.

9.3

9 High Vulnerabilities

DATE CVE VENDOR VULNERABILITY CVSS
2010-08-05 CVE-2010-2968 Windriver Permissions, Privileges, and Access Controls vulnerability in Windriver Vxworks

The FTP daemon in Wind River VxWorks does not close the TCP connection after a number of failed login attempts, which makes it easier for remote attackers to obtain access via a brute-force attack.

7.8
2010-08-05 CVE-2010-2967 Windriver Cryptographic Issues vulnerability in Windriver Vxworks

The loginDefaultEncrypt algorithm in loginLib in Wind River VxWorks before 6.9 does not properly support a large set of distinct possible passwords, which makes it easier for remote attackers to obtain access via a (1) telnet, (2) rlogin, or (3) FTP session.

7.8
2010-08-05 CVE-2010-2966 Windriver Credentials Management vulnerability in Windriver Vxworks

The INCLUDE_SECURITY functionality in Wind River VxWorks 6.x, 5.x, and earlier uses the LOGIN_USER_NAME and LOGIN_USER_PASSWORD (aka LOGIN_PASSWORD) parameters to create hardcoded credentials, which makes it easier for remote attackers to obtain access via a (1) telnet, (2) rlogin, or (3) FTP session.

7.8
2010-08-02 CVE-2010-2633 EMC Remote Denial of Service vulnerability in EMC Disk Library Communication Module

Unspecified vulnerability in EMC Disk Library (EDL) before 3.2.7, 3.3.x before 3.3.2 epatch 8, and 4.0.x before 4.0.1 epatch 4 allows remote attackers to cause a denial of service (communication-module crash) by sending a crafted message through TCP.

7.8
2010-08-05 CVE-2010-2933 Avscripts SQL Injection vulnerability in Avscripts AV Arcade 3

SQL injection vulnerability in AV Scripts AV Arcade 3 allows remote attackers to execute arbitrary SQL commands via the ava_code cookie to the "main page," related to index.php and the login task.

7.5
2010-08-05 CVE-2010-2725 Barnowl Improper Input Validation vulnerability in Barnowl

BarnOwl before 1.6.2 does not check the return code of calls to the (1) ZPending and (2) ZReceiveNotice functions in libzephyr, which allows remote attackers to cause a denial of service (crash) and possibly execute arbitrary code via unknown vectors.

7.5
2010-08-02 CVE-2010-2930 Pharscape Buffer Errors vulnerability in Pharscape Hsolink 1.0.118

Multiple stack-based buffer overflows in hsolinkcontrol in hsolink 1.0.118 allow local users to gain privileges via long command-line arguments, a different vulnerability than CVE-2010-1671.

7.2
2010-08-02 CVE-2010-2929 Pharscape Permissions, Privileges, and Access Controls vulnerability in Pharscape Hsolink 1.0.118

Untrusted search path vulnerability in hsolinkcontrol in hsolink 1.0.118 allows local users to gain privileges via a modified PATH environment variable, which is used during execution of the (1) route, (2) mv, and (3) cp programs, a different vulnerability than CVE-2010-1671.

7.2
2010-08-02 CVE-2010-1671 Pharscape Permissions, Privileges, and Access Controls vulnerability in Pharscape Hsolink 1.0.118

hsolinkcontrol in hsolink 1.0.118 allows local users to gain privileges via shell metacharacters in command-line arguments, as demonstrated by the second argument in a down action.

7.2

22 Medium Vulnerabilities

DATE CVE VENDOR VULNERABILITY CVSS
2010-08-05 CVE-2010-2973 Apple Permissions, Privileges, and Access Controls vulnerability in Apple Iphone OS 4.0/4.0.1

Integer overflow in IOSurface in Apple iOS before 4.0.2 on the iPhone and iPod touch, and before 3.2.2 on the iPad, allows local users to gain privileges via vectors involving IOSurface properties, as demonstrated by JailbreakMe.

6.9
2010-08-05 CVE-2010-2713 Nalin Dahyabhai/Gnome Remote Code Execution vulnerability in VTE Window and Icon Title

The vte_sequence_handler_window_manipulation function in vteseq.c in libvte (aka libvte9) in VTE 0.25.1 and earlier, as used in gnome-terminal, does not properly handle escape sequences, which allows remote attackers to execute arbitrary commands or obtain potentially sensitive information via a (1) window title or (2) icon title sequence.

6.8
2010-08-05 CVE-2010-1871 Redhat Improper Input Validation vulnerability in Redhat Jboss Enterprise Application Platform 4.3.0

JBoss Seam 2 (jboss-seam2), as used in JBoss Enterprise Application Platform 4.3.0 for Red Hat Linux, does not properly sanitize inputs for JBoss Expression Language (EL) expressions, which allows remote attackers to execute arbitrary code via a crafted URL.

6.8
2010-08-02 CVE-2010-2786 Matomo Path Traversal vulnerability in Matomo

Directory traversal vulnerability in Piwik 0.6 through 0.6.3 allows remote attackers to include arbitrary local files and possibly have unspecified other impact via directory traversal sequences in a crafted data-renderer request.

6.8
2010-08-02 CVE-2010-2785 Kvirc Unspecified vulnerability in Kvirc

The IRC Protocol component in KVIrc 3.x and 4.x before r4693 does not properly handle \ (backslash) characters, which allows remote authenticated users to execute arbitrary CTCP commands via vectors involving \r and \40 sequences, a different vulnerability than CVE-2010-2451 and CVE-2010-2452.

6.5
2010-08-02 CVE-2009-4896 Mlmmj Path Traversal vulnerability in Mlmmj 1.2.15/1.2.16/1.2.17

Multiple directory traversal vulnerabilities in the mlmmj-php-admin web interface for Mailing List Managing Made Joyful (mlmmj) 1.2.15 through 1.2.17 allow remote authenticated users to overwrite, create, or delete arbitrary files, or determine the existence of arbitrary directories, via a ..

6.5
2010-08-05 CVE-2010-2547 Gnupg Resource Management Errors vulnerability in Gnupg

Use-after-free vulnerability in kbx/keybox-blob.c in GPGSM in GnuPG 2.x through 2.0.16 allows remote attackers to cause a denial of service (crash) and possibly execute arbitrary code via a certificate with a large number of Subject Alternate Names, which is not properly handled in a realloc operation when importing the certificate or verifying its signature.

5.1
2010-08-05 CVE-2010-2791 Apache Information Exposure vulnerability in Apache Http Server 2.2.9

mod_proxy in httpd in Apache HTTP Server 2.2.9, when running on Unix, does not close the backend connection if a timeout occurs when reading a response from a persistent connection, which allows remote attackers to obtain a potentially sensitive response intended for a different client in opportunistic circumstances via a normal HTTP request.

5.0
2010-08-02 CVE-2010-2927 IBM Improper Authentication vulnerability in IBM Tivoli Directory Server

The slapi_printmessage function in IBM Tivoli Directory Server (ITDS) before 6.0.0.8-TIV-ITDS-IF0006 allows remote attackers to cause a denial of service (daemon crash) via multiple incomplete DIGEST-MD5 connection attempts.

5.0
2010-08-02 CVE-2010-2320 Eterna Permissions, Privileges, and Access Controls vulnerability in Eterna Bozohttpd

bozotic HTTP server (aka bozohttpd) before 20100621 allows remote attackers to list the contents of home directories, and determine the existence of user accounts, via multiple requests for URIs beginning with /~ sequences.

5.0
2010-08-02 CVE-2010-2195 Eterna Unspecified vulnerability in Eterna Bozohttpd 20090522/20100509/20100512

bozotic HTTP server (aka bozohttpd) 20090522 through 20100512 allows attackers to cause a denial of service via vectors related to a "wrong code generation interaction with GCC." Per http://www.eterna.com.au/bozohttpd/: "please note that bozohttpd versions 20090522 to 20100512, inclusive, have a serious wrong code generation interaction with GCC that has been fixed in the 20100617 release."

5.0
2010-08-02 CVE-2010-1794 Apple Permissions, Privileges, and Access Controls vulnerability in Apple Mac OS X 10.6.0

The webdav_mount function in webdav_vfsops.c in the WebDAV kernel extension (aka webdav_fs.kext) for Mac OS X 10.6 allows local users to cause a denial of service (panic) via a mount request with a large integer in the pa_socket_namelen field.

4.9
2010-08-05 CVE-2010-2526 Heinz Mauelshagen/Redhat Improper Authentication vulnerability in Heinz Mauelshagen Lvm2

The cluster logical volume manager daemon (clvmd) in lvm2-cluster in LVM2 before 2.02.72, as used in Red Hat Global File System (GFS) and other products, does not verify client credentials upon a socket connection, which allows local users to cause a denial of service (daemon exit or logical-volume change) or possibly have unspecified other impact via crafted control commands.

4.6
2010-08-05 CVE-2009-2696 Apache/Redhat Cross-Site Scripting vulnerability in Apache Tomcat

Cross-site scripting (XSS) vulnerability in jsp/cal/cal2.jsp in the calendar application in the examples web application in Apache Tomcat on Red Hat Enterprise Linux 5, Desktop Workstation 5, and Linux Desktop 5 allows remote attackers to inject arbitrary web script or HTML via the time parameter, related to "invalid HTML." NOTE: this is due to a missing fix for CVE-2009-0781.

4.3
2010-08-05 CVE-2010-2790 Zabbix Cross-Site Scripting vulnerability in Zabbix

Multiple cross-site scripting (XSS) vulnerabilities in the formatQuery function in frontends/php/include/classes/class.curl.php in Zabbix before 1.8.3rc1 allow remote attackers to inject arbitrary web script or HTML via the (1) filter_set, (2) show_details, (3) filter_rst, or (4) txt_select parameters to the triggers page (tr_status.php).

4.3
2010-08-05 CVE-2010-2970 Moinmo Cross-Site Scripting vulnerability in Moinmo Moinmoin 1.9.0/1.9.1/1.9.2

Multiple cross-site scripting (XSS) vulnerabilities in MoinMoin 1.9.x before 1.9.3 allow remote attackers to inject arbitrary web script or HTML via crafted content, related to (1) action/SlideShow.py, (2) action/anywikidraw.py, and (3) action/language_setup.py, a similar issue to CVE-2010-2487.

4.3
2010-08-05 CVE-2010-2969 Moinmo Cross-Site Scripting vulnerability in Moinmo Moinmoin

Multiple cross-site scripting (XSS) vulnerabilities in MoinMoin 1.7.3 and earlier, and 1.9.x before 1.9.3, allow remote attackers to inject arbitrary web script or HTML via crafted content, related to (1) action/LikePages.py, (2) action/chart.py, and (3) action/userprofile.py, a similar issue to CVE-2010-2487.

4.3
2010-08-05 CVE-2010-2487 Moinmo Cross-Site Scripting vulnerability in Moinmo Moinmoin

Multiple cross-site scripting (XSS) vulnerabilities in MoinMoin 1.7.3 and earlier, 1.8.x before 1.8.8, and 1.9.x before 1.9.3 allow remote attackers to inject arbitrary web script or HTML via crafted content, related to (1) Page.py, (2) PageEditor.py, (3) PageGraphicalEditor.py, (4) action/CopyPage.py, (5) action/Load.py, (6) action/RenamePage.py, (7) action/backup.py, (8) action/login.py, (9) action/newaccount.py, and (10) action/recoverpass.py.

4.3
2010-08-02 CVE-2010-2536 Adjam Cross-Site Scripting vulnerability in Adjam Rekonq

Multiple cross-site scripting (XSS) vulnerabilities in rekonq 0.5 and earlier allow remote attackers to inject arbitrary web script or HTML via (1) a URL associated with a nonexistent domain name, related to webpage.cpp, aka a "universal XSS" issue; (2) unspecified vectors related to webview.cpp; and the about: views for (3) favorites, (4) bookmarks, (5) closed tabs, and (6) history.

4.3
2010-08-02 CVE-2009-4976 Urs Wolfer/KDE Cross-Site Scripting vulnerability in Urs Wolfer Kwebkitpart 0.9.6

Cross-site scripting (XSS) vulnerability in webkitpart.cpp in kwebkitpart allows remote attackers to inject arbitrary web script or HTML via a URL associated with a nonexistent domain name, related to a "universal XSS" issue, a similar vulnerability to CVE-2010-2536.

4.3
2010-08-02 CVE-2009-4975 Nokia Cross-Site Scripting vulnerability in Nokia Qtdemobrowser

Cross-site scripting (XSS) vulnerability in webview.cpp in QtDemoBrowser allows remote attackers to inject arbitrary web script or HTML via a URL associated with a nonexistent domain name, related to a "universal XSS" issue, a similar vulnerability to CVE-2010-2536.

4.3
2010-08-05 CVE-2010-2795 Joachim Fritschi Improper Input Validation vulnerability in Joachim Fritschi PHPcas

phpCAS before 1.1.2 allows remote authenticated users to hijack sessions via a query string containing a crafted ticket value.

4.0

2 Low Vulnerabilities

DATE CVE VENDOR VULNERABILITY CVSS
2010-08-05 CVE-2010-2796 Joachim Fritschi Cross-Site Scripting vulnerability in Joachim Fritschi PHPcas

Cross-site scripting (XSS) vulnerability in phpCAS before 1.1.2, when proxy mode is enabled, allows remote attackers to inject arbitrary web script or HTML via a callback URL.

2.6
2010-08-02 CVE-2010-2539 UMN Improper Restriction of Operations within the Bounds of a Memory Buffer vulnerability in UMN Mapserver

Buffer overflow in the msTmpFile function in maputil.c in mapserv in MapServer before 4.10.6 and 5.x before 5.6.4 allows local users to cause a denial of service via vectors involving names of temporary files.

2.1