Weekly Vulnerabilities Reports > August 30 to September 5, 2010

Overview

45 new vulnerabilities reported during this period, including 14 critical vulnerabilities and 11 high severity vulnerabilities. This weekly summary report vulnerabilities in 50 products from 32 vendors including Microsoft, IBM, Realnetworks, Linux, and Canonical. Vulnerabilities are notably categorized as "Code Injection", "Permissions, Privileges, and Access Controls", "SQL Injection", "Improper Restriction of Operations within the Bounds of a Memory Buffer", and "Cross-site Scripting".

  • 37 reported vulnerabilities are remotely exploitables.
  • 11 reported vulnerabilities have public exploit available.
  • 10 reported vulnerabilities are related to weaknesses in OWASP Top Ten.
  • 43 reported vulnerabilities are exploitable by an anonymous user.
  • Microsoft has the most reported vulnerabilities, with 9 reported vulnerabilities.
  • Microsoft has the most reported critical vulnerabilities, with 8 reported vulnerabilities.

TOTAL
VULNERABILITIES
CRITICAL RISK
VULNERABILITIES
HIGH RISK
VULNERABILITIES
MEDIUM RISK
VULNERABILITIES
LOW RISK
VULNERABILITIES
REMOTELY
EXPLOITABLE
LOCALLY
EXPLOITABLE
EXPLOIT
AVAILABLE
EXPLOITABLE
ANONYMOUSLY
AFFECTING
WEB APPLICATION

Vulnerability Details

The following table list reported vulnerabilities for the period covered by this report:

Expand/Hide

14 Critical Vulnerabilities

DATE CVE VENDOR VULNERABILITY CVSS
2010-08-31 CVE-2010-3193 IBM Unspecified vulnerability in IBM DB2 9.1/9.5/9.7

Unspecified vulnerability in the DB2STST program in IBM DB2 9.1 before FP9, 9.5 before FP6, and 9.7 before FP2 has unknown impact and attack vectors.

10.0
2010-08-30 CVE-2010-3187 IBM Improper Restriction of Operations Within the Bounds of A Memory Buffer vulnerability in IBM AIX

Buffer overflow in ftpd in IBM AIX 5.3 and earlier allows remote attackers to execute arbitrary code via a long NLST command.

10.0
2010-08-30 CVE-2010-3186 IBM Improper Input Validation vulnerability in IBM Websphere Application Server

IBM WebSphere Application Server (WAS) 7.x before 7.0.0.13, and WebSphere Application Server Feature Pack for Web Services 6.1.0.9 through 6.1.0.32, when a JAX-WS application is used, does not properly handle an IncludeTimestamp setting in the WS-Security policy, which has unspecified impact and remote attack vectors.

10.0
2010-08-31 CVE-2010-3191 Adobe Unspecified vulnerability in Adobe Captivate 5.0.0.596

Untrusted search path vulnerability in Adobe Captivate 5.0.0.596, and possibly other versions, allows local users, and possibly remote attackers, to execute arbitrary code and conduct DLL hijacking attacks via a Trojan horse dwmapi.dll that is located in the same folder as a .cptx file.

9.3
2010-08-31 CVE-2010-3190 Apple
Microsoft
Untrusted Search Path vulnerability in multiple products

Untrusted search path vulnerability in the Microsoft Foundation Class (MFC) Library in Microsoft Visual Studio .NET 2003 SP1; Visual Studio 2005 SP1, 2008 SP1, and 2010; Visual C++ 2005 SP1, 2008 SP1, and 2010; and Exchange Server 2010 Service Pack 3, 2013, and 2013 allows local users to gain privileges via a Trojan horse dwmapi.dll file in the current working directory during execution of an MFC application such as AtlTraceTool8.exe (aka ATL MFC Trace Tool), as demonstrated by a directory that contains a TRC, cur, rs, rct, or res file, aka "MFC Insecure Library Loading Vulnerability." Per: https://technet.microsoft.com/en-us/security/bulletin/ms11-025 Access Vector: Network per "This is a remote code execution vulnerability" Per: http://cwe.mitre.org/data/definitions/426.html CWE-426: Untrusted Search Path

9.3
2010-08-31 CVE-2010-3189 Trendmicro Code Injection vulnerability in Trendmicro Internet Security 2010

The extSetOwner function in the UfProxyBrowserCtrl ActiveX control (UfPBCtrl.dll) in Trend Micro Internet Security Pro 2010 allows remote attackers to execute arbitrary code via an invalid address that is dereferenced as a pointer.

9.3
2010-08-31 CVE-2010-1818 Apple Access of Uninitialized Pointer vulnerability in Apple Quicktime

The IPersistPropertyBag2::Read function in QTPlugin.ocx in Apple QuickTime 6.x, 7.x before 7.6.8, and other versions allows remote attackers to execute arbitrary code via the _Marshaled_pUnk attribute, which triggers unmarshalling of an untrusted pointer.

9.3
2010-08-30 CVE-2010-3002 Realnetworks
Microsoft
Unspecified vulnerability in Realnetworks Realplayer 11.0/11.1

Unspecified vulnerability in RealNetworks RealPlayer 11.0 through 11.1 allows attackers to bypass intended access restrictions on files via unknown vectors.

9.3
2010-08-30 CVE-2010-3001 Realnetworks
Microsoft
Unspecified vulnerability in Realnetworks Realplayer and Realplayer SP

Unspecified vulnerability in an ActiveX control in the Internet Explorer (IE) plugin in RealNetworks RealPlayer 11.0 through 11.1 and RealPlayer SP 1.0 through 1.1.4 on Windows has unknown impact and attack vectors related to "multiple browser windows."

9.3
2010-08-30 CVE-2010-3000 Realnetworks
Microsoft
Numeric Errors vulnerability in Realnetworks Realplayer and Realplayer SP

Multiple integer overflows in the ParseKnownType function in RealNetworks RealPlayer 11.0 through 11.1 and RealPlayer SP 1.0 through 1.1.4 on Windows allow remote attackers to execute arbitrary code via crafted (1) HX_FLV_META_AMF_TYPE_MIXEDARRAY or (2) HX_FLV_META_AMF_TYPE_ARRAY data in an FLV file.

9.3
2010-08-30 CVE-2010-2996 Realnetworks
Microsoft
Code Injection vulnerability in Realnetworks Realplayer 11.0/11.1

Array index error in RealNetworks RealPlayer 11.0 through 11.1 on Windows allows remote attackers to execute arbitrary code via a malformed header in a RealMedia .IVR file.

9.3
2010-08-30 CVE-2010-0120 Realnetworks
Microsoft
Improper Restriction of Operations Within the Bounds of A Memory Buffer vulnerability in Realnetworks Realplayer and Realplayer SP

Heap-based buffer overflow in RealNetworks RealPlayer 11.0 through 11.1 and RealPlayer SP 1.0 through 1.1.4 on Windows allows remote attackers to execute arbitrary code via large size values in QCP audio content.

9.3
2010-08-30 CVE-2010-0117 Realnetworks
Microsoft
Unspecified vulnerability in Realnetworks Realplayer and Realplayer SP

RealNetworks RealPlayer 11.0 through 11.1 and RealPlayer SP 1.0 through 1.1.4 on Windows do not properly handle dimensions during YUV420 transformations, which might allow remote attackers to execute arbitrary code via crafted MP4 content.

9.3
2010-08-30 CVE-2010-0116 Realnetworks
Microsoft
Numeric Errors vulnerability in Realnetworks Realplayer and Realplayer SP

Integer overflow in RealNetworks RealPlayer 11.0 through 11.1 and RealPlayer SP 1.0 through 1.1.4 on Windows might allow remote attackers to execute arbitrary code via a crafted QCP file that triggers a heap-based buffer overflow.

9.3

11 High Vulnerabilities

DATE CVE VENDOR VULNERABILITY CVSS
2010-09-03 CVE-2010-3212 Seagullproject ORG SQL Injection vulnerability in Seagullproject.Org Seagull

SQL injection vulnerability in index.php in Seagull 0.6.7 and earlier allows remote attackers to execute arbitrary SQL commands via the frmQuestion parameter in a retrieve action, in conjunction with a user/password PATH_INFO.

7.5
2010-09-03 CVE-2010-3211 Jextn
Joomla
SQL Injection vulnerability in Jextn COM Jefaqpro 1.5.0

Multiple SQL injection vulnerabilities in the JE FAQ Pro (com_jefaqpro) component 1.5.0 for Joomla! allow remote attackers to execute arbitrary SQL commands via category categorylist operations with (1) the catid parameter or (2) the catid parameter in a lists action.

7.5
2010-09-03 CVE-2010-3210 Martin LEE Code Injection vulnerability in Martin LEE Multi-Lingual E-Commerce System 0.2

Multiple PHP remote file inclusion vulnerabilities in Multi-lingual E-Commerce System 0.2 allow remote attackers to execute arbitrary PHP code via a URL in the include_path parameter to (1) checkout2-CYM.php, (2) checkout2-EN.php, (3) checkout2-FR.php, (4) cat-FR.php, (5) cat-EN.php, (6) cat-CYM.php, (7) checkout1-CYM.php, (8) checkout1-EN.php, (9) checkout1-FR.php, (10) prod-CYM.php, (11) prod-EN.php, and (12) prod-FR.php in inc/.

7.5
2010-09-03 CVE-2010-3209 Seagullproject ORG Code Injection vulnerability in Seagullproject.Org Seagull 0.6.7

Multiple PHP remote file inclusion vulnerabilities in Seagull 0.6.7 allow remote attackers to execute arbitrary PHP code via a URL in the includeFile parameter to (1) Config/Container.php and (2) HTML/QuickForm.php in fog/lib/pear/, the (3) driverpath parameter to fog/lib/pear/DB/NestedSet.php, and the (4) path parameter to fog/lib/pear/DB/NestedSet/Output.php.

7.5
2010-09-03 CVE-2010-3206 DIY CMS Code Injection vulnerability in Diy-Cms 1.0

Multiple PHP remote file inclusion vulnerabilities in DiY-CMS 1.0 allow remote attackers to execute arbitrary PHP code via a URL in the (1) lang parameter to modules/guestbook/blocks/control.block.php, (2) main_module parameter to index.php, and (3) getFile parameter to includes/general.functions.php.

7.5
2010-09-03 CVE-2010-3205 Textpattern Code Injection vulnerability in Textpattern 4.2.0

PHP remote file inclusion vulnerability in index.php in Textpattern CMS 4.2.0 allows remote attackers to execute arbitrary PHP code via a URL in the inc parameter.

7.5
2010-09-03 CVE-2010-3204 Pecio CMS Code Injection vulnerability in Pecio-Cms Pecio CMS 2.0.5

Multiple PHP remote file inclusion vulnerabilities in Pecio CMS 2.0.5 allow remote attackers to execute arbitrary PHP code via a URL in the template parameter to (1) post.php, (2) article.php, (3) blog.php, or (4) home.php in pec_templates/nova-blue/.

7.5
2010-08-31 CVE-2010-3194 IBM Permissions, Privileges, and Access Controls vulnerability in IBM DB2 9.1/9.5/9.7

The DB2DART program in IBM DB2 9.1 before FP9, 9.5 before FP6, and 9.7 before FP2 allows attackers to bypass intended file access restrictions via unspecified vectors related to overwriting files owned by an instance owner.

7.5
2010-08-31 CVE-2010-3188 Ifdefined SQL Injection vulnerability in Ifdefined Bugtracker.Net

SQL injection vulnerability in search.aspx in BugTracker.NET 3.4.3 and earlier allows remote attackers to execute arbitrary SQL commands via a custom field to the search page.

7.5
2010-09-03 CVE-2010-2532 Opensuse Permissions, Privileges, and Access Controls vulnerability in Opensuse 11.3

** DISPUTED ** lxsession-logout in lxsession in LXDE, as used on SUSE openSUSE 11.3 and other platforms, does not lock the screen when the Suspend or Hibernate button is pressed, which might make it easier for physically proximate attackers to access an unattended laptop via a resume action.

7.2
2010-09-03 CVE-2010-2240 Linux Code Injection vulnerability in Linux Kernel

The do_anonymous_page function in mm/memory.c in the Linux kernel before 2.6.27.52, 2.6.32.x before 2.6.32.19, 2.6.34.x before 2.6.34.4, and 2.6.35.x before 2.6.35.2 does not properly separate the stack and the heap, which allows context-dependent attackers to execute arbitrary code by writing to the bottom page of a shared memory segment, as demonstrated by a memory-exhaustion attack against the X.Org X server.

7.2

16 Medium Vulnerabilities

DATE CVE VENDOR VULNERABILITY CVSS
2010-08-30 CVE-2010-2945 Simone Rota Configuration vulnerability in Simone Rota Slim Simple Login Manager

The default configuration of SLiM before 1.3.2 places ./ (dot slash) at the beginning of the default_path option, which might allow local users to gain privileges via a Trojan horse program in the current working directory, related to slim.conf and cfg.cpp.

6.9
2010-09-03 CVE-2010-3207 Galeriashqip SQL Injection vulnerability in Galeriashqip 1.0

SQL injection vulnerability in index.php in GaleriaSHQIP 1.0, when magic_quotes_gpc is disabled, allows remote attackers to execute arbitrary SQL commands via the album_id parameter.

6.8
2010-08-30 CVE-2010-2712 HP Unspecified vulnerability in HP Hp-Ux B.11.11/B.11.23/B.11.31

Unspecified vulnerability in Software Distributor (sd) in HP HP-UX B.11.11, B.11.23, and B.11.31 allows local users to gain privileges via unknown vectors.

6.8
2010-08-30 CVE-2010-2575 KDE Improper Restriction of Operations Within the Bounds of A Memory Buffer vulnerability in KDE SC

Heap-based buffer overflow in the RLE decompression functionality in the TranscribePalmImageToJPEG function in generators/plucker/inplug/image.cpp in Okular in KDE SC 4.3.0 through 4.5.0 allows remote attackers to cause a denial of service (application crash) or possibly execute arbitrary code via a crafted image in a PDB file.

6.8
2010-08-30 CVE-2010-2363 IIJ Permissions, Privileges, and Access Controls vulnerability in IIJ products

The IPv6 Unicast Reverse Path Forwarding (RPF) implementation on the SEIL/X1, SEIL/X2, and SEIL/B1 routers with firmware 1.00 through 2.73, when strict mode is used, does not properly drop packets, which might allow remote attackers to bypass intended access restrictions via a spoofed IP address.

5.8
2010-08-30 CVE-2010-2940 Fedoraproject Improper Authentication vulnerability in Fedoraproject Sssd 1.3.0

The auth_send function in providers/ldap/ldap_auth.c in System Security Services Daemon (SSSD) 1.3.0, when LDAP authentication and anonymous bind are enabled, allows remote attackers to bypass the authentication requirements of pam_authenticate via an empty password.

5.1
2010-09-03 CVE-2010-1507 Novell Credentials Management vulnerability in Novell Suse Linux 11

WebYaST in yast2-webclient in SUSE Linux Enterprise (SLE) 11 on the WebYaST appliance uses a fixed secret key that is embedded in the appliance's image, which allows remote attackers to spoof session cookies by leveraging knowledge of this key.

5.0
2010-09-03 CVE-2010-3203 Xmlswf
Joomla
Path Traversal vulnerability in Xmlswf COM Picsell 1.0

Directory traversal vulnerability in the PicSell (com_picsell) component 1.0 for Joomla! allows remote attackers to read arbitrary files via a ..

5.0
2010-08-31 CVE-2010-3197 IBM Permissions, Privileges, and Access Controls vulnerability in IBM DB2 9.7

IBM DB2 9.7 before FP2 does not perform the expected access control on the monitor administrative views in the SYSIBMADM schema, which allows remote attackers to obtain sensitive information via unspecified vectors.

5.0
2010-08-31 CVE-2010-3195 IBM
Microsoft
Unspecified vulnerability in IBM DB2 9.1/9.5/9.7

Unspecified vulnerability in IBM DB2 9.1 before FP9, 9.5 before FP6, and 9.7 before FP2 on Windows Server 2008 allows attackers to cause a denial of service (trap) via vectors involving "special group and user enumeration."

5.0
2010-08-30 CVE-2010-3035 Cisco Improper Input Validation vulnerability in Cisco IOS XR

Cisco IOS XR 3.4.0 through 3.9.1, when BGP is enabled, does not properly handle unrecognized transitive attributes, which allows remote attackers to cause a denial of service (peering reset) via a crafted prefix announcement, as demonstrated in the wild in August 2010 with attribute type code 99, aka Bug ID CSCti62211.

5.0
2010-09-03 CVE-2010-2954 Linux
Opensuse
Suse
Canonical
Null Pointer Dereference vulnerability in multiple products

The irda_bind function in net/irda/af_irda.c in the Linux kernel before 2.6.36-rc3-next-20100901 does not properly handle failure of the irda_open_tsap function, which allows local users to cause a denial of service (NULL pointer dereference and panic) and possibly have unspecified other impact via multiple unsuccessful calls to bind on an AF_IRDA (aka PF_IRDA) socket.

4.9
2010-09-03 CVE-2010-1325 Novell Cross-Site Request Forgery (CSRF) vulnerability in Novell Suse Lifecycle Management Server 1.0

Cross-site request forgery (CSRF) vulnerability in the apache2-slms package in SUSE Lifecycle Management Server (SLMS) 1.0 on SUSE Linux Enterprise (SLE) 11 allows remote attackers to hijack the authentication of unspecified victims via vectors related to improper parameter quoting.

4.3
2010-09-03 CVE-2010-3208 Wiccle Cross-Site Scripting vulnerability in Wiccle web Builder 1.0.1/1.00

Cross-site scripting (XSS) vulnerability in ajax.php in Wiccle Web Builder (WWB) 1.00 and 1.0.1 allows remote attackers to inject arbitrary web script or HTML via the post_text parameter in a site custom_search action to index.php.

4.3
2010-08-31 CVE-2010-2365 Common1 Cross-Site Scripting vulnerability in Common1 Moobbs2

Cross-site scripting (XSS) vulnerability in Free CGI Moo moobbs2 before 1.03 allows remote attackers to inject arbitrary web script or HTML via unspecified vectors.

4.3
2010-08-31 CVE-2010-2364 Common1 Cross-Site Scripting vulnerability in Common1 Moobbs

Cross-site scripting (XSS) vulnerability in Free CGI Moo moobbs before 1.03 allows remote attackers to inject arbitrary web script or HTML via unspecified vectors.

4.3

4 Low Vulnerabilities

DATE CVE VENDOR VULNERABILITY CVSS
2010-08-31 CVE-2010-3196 IBM Permissions, Privileges, and Access Controls vulnerability in IBM DB2 9.7

IBM DB2 9.7 before FP2, when AUTO_REVAL is IMMEDIATE, allows remote authenticated users to cause a denial of service (loss of privileges) to a view owner by defining a dependent view.

3.5
2010-08-30 CVE-2010-2794 Redhat
Mozilla
Link Following vulnerability in Redhat Spice-Xpi 2.2

The SPICE (aka spice-xpi) plug-in 2.2 for Firefox allows local users to overwrite arbitrary files via a symlink attack on an unspecified log file.

3.3
2010-08-30 CVE-2010-2792 Redhat
Mozilla
Race Condition vulnerability in Redhat Spice-Xpi 2.2

Race condition in the SPICE (aka spice-xpi) plug-in 2.2 for Firefox allows local users to obtain sensitive information, and conduct man-in-the-middle attacks, by providing a UNIX socket for communication between this plug-in and the client (aka qspice-client) in qspice 0.3.0, and then accessing this socket.

3.3
2010-09-03 CVE-2010-2226 Linux
Suse
Debian
Canonical
Information Exposure vulnerability in multiple products

The xfs_swapext function in fs/xfs/xfs_dfrag.c in the Linux kernel before 2.6.35 does not properly check the file descriptors passed to the SWAPEXT ioctl, which allows local users to leverage write access and obtain read access by swapping one file into another file.

2.1