Weekly Vulnerabilities Reports > September 27 to October 3, 2010

Overview

18 new vulnerabilities were reported during this period, including 0 critical vulnerabilities and 3 high severity vulnerabilities. This weekly summary reports vulnerabilities in 45 products from 20 vendors including Linux, Canonical, Suse, Drupal, and Peter Wolanin. Vulnerabilities are notably categorized as "Path Traversal", "Improper Authentication", "Information Exposure", "Use of Externally-Controlled Format String", and "Permissions, Privileges, and Access Controls".

  • 11 reported vulnerabilities are remotely exploitable.
  • 2 reported vulnerabilities have a public exploit available.
  • 7 reported vulnerabilities are related to weaknesses in OWASP Top Ten.
  • 13 reported vulnerabilities are exploitable by an anonymous user.
  • Linux has the most reported vulnerabilities, with 4 reported vulnerabilities.


Vulnerability Details

The following tables list the reported vulnerabilities for the period covered by this report:

0 Critical Vulnerabilities

DATE | CVE | VENDOR | VULNERABILITY | CVSS

3 High Vulnerabilities

DATE | CVE | VENDOR | VULNERABILITY | CVSS
2010-09-30 | CVE-2010-2943 | Linux, Canonical, Vmware, Avaya | Information Exposure vulnerability in multiple products | 8.1

The xfs implementation in the Linux kernel before 2.6.35 does not look up inode allocation btrees before reading inode buffers, which allows remote authenticated users to read unlinked files, or read or overwrite disk blocks that are currently assigned to an active file but were previously assigned to an unlinked file, by accessing a stale NFS filehandle.

2010-09-29 | CVE-2010-3688 | Netartmedia | Path Traversal vulnerability in Netartmedia Websiteadmin | 7.5

Directory traversal vulnerability in ADMIN/login.php in NetArtMEDIA WebSiteAdmin allows remote attackers to include and execute arbitrary local files via directory traversal sequences in the lng parameter.

2010-09-30 | CVE-2010-2537 | Linux, Canonical, Suse | | 7.1

The btrfs_ioctl_clone function in fs/btrfs/ioctl.c in the Linux kernel before 2.6.35 allows local users to overwrite an append-only file via a (1) BTRFS_IOC_CLONE or (2) BTRFS_IOC_CLONE_RANGE ioctl call that specifies this file as a donor.

13 Medium Vulnerabilities

DATE | CVE | VENDOR | VULNERABILITY | CVSS
2010-09-29 | CVE-2010-3380 | Llnl | Local Privilege Escalation vulnerability in SLURM 'slurm' and 'slurmdbd' | 6.9

The (1) init.d/slurm and (2) init.d/slurmdbd scripts in SLURM before 2.1.14 place the .

2010-09-28 | CVE-2010-3087 | Libtiff, Opensuse | Improper Restriction of Operations within the Bounds of a Memory Buffer vulnerability in multiple products | 6.8

LibTIFF before 3.9.2-5.2.1 in SUSE openSUSE 11.3 allows remote attackers to cause a denial of service (memory corruption) or possibly execute arbitrary code via a crafted TIFF image.

2010-09-28 | CVE-2010-2950 | PHP | Use of Externally-Controlled Format String vulnerability in PHP | 6.8

Format string vulnerability in stream.c in the phar extension in PHP 5.3.x through 5.3.3 allows context-dependent attackers to obtain sensitive information (memory contents) and possibly execute arbitrary code via a crafted phar:// URI that is not properly handled by the phar_stream_flush function, leading to errors in the php_stream_wrapper_log_error function.

2010-09-28 | CVE-2010-3490 | Sangoma | Path Traversal vulnerability in Sangoma Freepbx | 6.5

Directory traversal vulnerability in page.recordings.php in the System Recordings component in the configuration interface in FreePBX 2.8.0 and earlier allows remote authenticated administrators to create arbitrary files via a ..

2010-09-30 | CVE-2010-3079 | Linux, Canonical, Suse | NULL Pointer Dereference vulnerability in multiple products | 5.5

kernel/trace/ftrace.c in the Linux kernel before 2.6.35.5, when debugfs is enabled, does not properly handle interaction between mutex possession and llseek operations, which allows local users to cause a denial of service (NULL pointer dereference and outage of all function tracing files) via an lseek call on a file descriptor associated with the set_ftrace_filter file.

2010-09-30 | CVE-2010-2538 | Linux, Canonical, Suse | Information Exposure vulnerability in multiple products | 5.5

Integer overflow in the btrfs_ioctl_clone function in fs/btrfs/ioctl.c in the Linux kernel before 2.6.35 might allow local users to obtain sensitive information via a BTRFS_IOC_CLONE_RANGE ioctl call.

2010-09-29 | CVE-2010-3687 | Alex Kellner, Typo3 | Security Bypass vulnerability in Powermail | 5.0

Unspecified vulnerability in the powermail extension 1.5.3 and earlier for TYPO3 allows remote attackers to bypass validation and have an unspecified impact by "[injecting] arbitrary values into validated fields," as demonstrated using the (1) Email and (2) URL fields.

2010-09-29 | CVE-2010-3686 | Drupal, Peter Wolanin | Improper Authentication vulnerability in multiple products | 5.0

The OpenID module in Drupal 6.x before 6.18, and the OpenID module 5.x before 5.x-1.4 for Drupal, violates the OpenID 2.0 protocol by not ensuring that fields are signed, which allows remote attackers to bypass authentication by leveraging an assertion from an OpenID provider.

2010-09-29 | CVE-2010-3685 | Drupal, Peter Wolanin | Improper Authentication vulnerability in multiple products | 5.0

The OpenID module in Drupal 6.x before 6.18, and the OpenID module 5.x before 5.x-1.4 for Drupal, violates the OpenID 2.0 protocol by not checking for reuse of openid.response_nonce values, which allows remote attackers to bypass authentication by leveraging an assertion from an OpenID provider.

2010-09-29 | CVE-2010-3468 | Blueriver | Path Traversal vulnerability in Blueriver Mura CMS and Sava CMS | 5.0

Directory traversal vulnerability in fileManager.cfc in Mura CMS 5.1 before 5.1.498 and 5.2 before 5.2.2809, and Sava CMS 5 through 5.2, allows remote attackers to read arbitrary files via a ..

2010-09-29 | CVE-2010-3091 | Drupal, Peter Wolanin | Improper Authentication vulnerability in multiple products | 5.0

The OpenID module in Drupal 6.x before 6.18, and the OpenID module 5.x before 5.x-1.4 for Drupal, violates the OpenID 2.0 protocol by not verifying the openid.return_to value, which allows remote attackers to bypass authentication by leveraging an assertion from an OpenID provider.

2010-09-29 | CVE-2010-2530 | Netbsd, Apple, Freebsd | Numeric Errors vulnerability in multiple products | 4.9

Multiple integer signedness errors in smb_subr.c in the netsmb module in the kernel in NetBSD 5.0.2 and earlier, FreeBSD, and Apple Mac OS X allow local users to cause a denial of service (panic) via a negative size value in a /dev/nsmb ioctl operation, as demonstrated by a (1) SMBIOC_LOOKUP or (2) SMBIOC_OPENSESSION ioctl call.

2010-09-29 | CVE-2010-2453 | Synology | Cross-Site Scripting vulnerability in Synology DSM | 4.3

Multiple cross-site scripting (XSS) vulnerabilities in Synology Disk Station 2.x before DSM3.0-1337 allow remote attackers to inject arbitrary web script or HTML by connecting to the FTP server and providing a crafted (1) USER or (2) PASS command, which is written by the FTP logging module to a web-interface log window, related to a "web commands injection" issue.

2 Low Vulnerabilities

DATE | CVE | VENDOR | VULNERABILITY | CVSS
2010-09-29 | CVE-2010-3684 | Synology | Credentials Management vulnerability in Synology DSM | 2.1

The FTP authentication module in Synology Disk Station 2.x logs passwords to the web application interface in cases of incorrect login attempts, which allows local users to obtain sensitive information by reading a log, a different vulnerability than CVE-2010-2453.

2010-09-28 | CVE-2010-3277 | Vmware | Permissions, Privileges, and Access Controls vulnerability in VMWare Player and Workstation | 2.1

The installer in VMware Workstation 7.x before 7.1.2 build 301548 and VMware Player 3.x before 3.1.2 build 301548 renders an index.htm file if present in the installation directory, which might allow local users to trigger unintended interpretation of web script or HTML by creating this file.