Weekly Vulnerabilities Reports > November 29 to December 5, 2010

Overview

40 new vulnerabilities were reported during this period, including 6 critical vulnerabilities and 13 high severity vulnerabilities. This weekly summary reports vulnerabilities in 28 products from 18 vendors including Artica, Nullsoft, MIT, Awstats, and Boka. Notable vulnerability categories are "SQL Injection", "Cross-site Scripting", "Code Injection", "Numeric Errors", and "Cryptographic Issues".

  • 40 reported vulnerabilities are remotely exploitable.
  • 22 reported vulnerabilities have a public exploit available.
  • 20 reported vulnerabilities are related to weaknesses in the OWASP Top Ten.
  • 33 reported vulnerabilities are exploitable by an anonymous user.
  • Artica has the most reported vulnerabilities, with 6 reported vulnerabilities.
  • Nullsoft has the most reported critical vulnerabilities, with 4 reported vulnerabilities.

Summary counters (values not captured in this copy): total vulnerabilities, critical risk vulnerabilities, high risk vulnerabilities, medium risk vulnerabilities, low risk vulnerabilities, remotely exploitable, locally exploitable, exploit available, exploitable anonymously, affecting web application.

Vulnerability Details

The following tables list the reported vulnerabilities for the period covered by this report, grouped by severity:

6 Critical Vulnerabilities

DATE CVE VENDOR VULNERABILITY CVSS

2010-12-02 CVE-2010-4279 Artica Improper Authentication vulnerability in Artica Pandora FMS (CVSS 10.0)

The default configuration of Pandora FMS 3.1 and earlier specifies an empty string for the loginhash_pwd field, which allows remote attackers to bypass authentication by sending a request to index.php with "admin" in the loginhash_user parameter, in conjunction with the md5 hash of "admin" in the loginhash_data parameter.

2010-12-02 CVE-2010-4372 Nullsoft Numeric Errors vulnerability in Nullsoft Winamp (CVSS 9.3)

Integer overflow in the in_nsv plugin in Winamp before 5.6 allows remote attackers to have an unspecified impact via vectors related to improper allocation of memory for NSV metadata, a different vulnerability than CVE-2010-2586.

2010-12-02 CVE-2010-4371 Nullsoft Improper Restriction of Operations Within the Bounds of A Memory Buffer vulnerability in Nullsoft Winamp (CVSS 9.3)

Buffer overflow in the in_mod plugin in Winamp before 5.6 allows remote attackers to have an unspecified impact via vectors related to the comment box.

2010-12-02 CVE-2010-4370 Nullsoft Numeric Errors vulnerability in Nullsoft Winamp (CVSS 9.3)

Multiple integer overflows in the in_midi plugin in Winamp before 5.6 allow remote attackers to execute arbitrary code via a crafted MIDI file that triggers a buffer overflow.

2010-12-02 CVE-2010-2586 Nullsoft Numeric Errors vulnerability in Nullsoft Winamp (CVSS 9.3)

Multiple integer overflows in in_nsv.dll in the in_nsv plugin in Winamp before 5.6 allow remote attackers to execute arbitrary code via a crafted Table of Contents (TOC) in a (1) NSV stream or (2) NSV file that triggers a heap-based buffer overflow.

2010-12-02 CVE-2010-4278 Artica OS Command Injection vulnerability in Artica Pandora FMS (CVSS 9.0)

operation/agentes/networkmap.php in Pandora FMS before 3.1.1 allows remote authenticated users to execute arbitrary commands via shell metacharacters in the layout parameter in an operation/agentes/networkmap action to index.php.

13 High Vulnerabilities

DATE CVE VENDOR VULNERABILITY CVSS

2010-12-02 CVE-2010-4283 Artica Code Injection vulnerability in Artica Pandora FMS (CVSS 7.5)

PHP remote file inclusion vulnerability in extras/pandora_diag.php in Pandora FMS before 3.1.1 allows remote attackers to execute arbitrary PHP code via a URL in the argv[1] parameter.

2010-12-02 CVE-2010-4282 Artica Path Traversal vulnerability in Artica Pandora FMS (CVSS 7.5)

Multiple directory traversal vulnerabilities in Pandora FMS before 3.1.1 allow remote attackers to include and execute arbitrary local files via (1) the page parameter to ajax.php or (2) the id parameter to general/pandora_help.php, and allow remote attackers to include and execute, create, modify, or delete arbitrary local files via (3) the layout parameter to operation/agentes/networkmap.php.

2010-12-02 CVE-2010-4281 Artica Code Injection vulnerability in Artica Pandora FMS (CVSS 7.5)

Incomplete blacklist vulnerability in the safe_url_extraclean function in ajax.php in Pandora FMS before 3.1.1 allows remote attackers to execute arbitrary PHP code by using a page parameter containing a UNC share pathname, which bypasses the check for the : (colon) character.

2010-12-02 CVE-2010-4280 Artica SQL Injection vulnerability in Artica Pandora FMS (CVSS 7.5)

Multiple SQL injection vulnerabilities in Pandora FMS before 3.1.1 allow remote authenticated users to execute arbitrary SQL commands via (1) the id_group parameter in an operation/agentes/ver_agente action to ajax.php or (2) the group_id parameter in an operation/agentes/estado_agente action to index.php, related to operation/agentes/estado_agente.php.

2010-12-02 CVE-2010-4368 Awstats / Microsoft Code Injection vulnerability in Awstats (CVSS 7.5)

awstats.cgi in AWStats before 7.0 on Windows accepts a configdir parameter in the URL, which allows remote attackers to execute arbitrary commands via a crafted configuration file located at a UNC share pathname.

2010-12-02 CVE-2010-4367 Awstats Code Injection vulnerability in Awstats (CVSS 7.5)

awstats.cgi in AWStats before 7.0 accepts a configdir parameter in the URL, which allows remote attackers to execute arbitrary commands via a crafted configuration file located on a (1) WebDAV server or (2) NFS server.

2010-12-01 CVE-2010-4365 Harmistechnology / Joomla SQL Injection vulnerability in Harmistechnology COM Jeajaxeventcalendar (CVSS 7.5)

SQL injection vulnerability in JE Ajax Event Calendar (com_jeajaxeventcalendar) component for Joomla! allows remote attackers to execute arbitrary SQL commands via the event_id parameter in an alleventlist_more action to index.php.

2010-12-01 CVE-2010-4362 Micronetsoft SQL Injection vulnerability in Micronetsoft RV Dealer Website (CVSS 7.5)

Multiple SQL injection vulnerabilities in MicroNetsoft RV Dealer Website allow remote attackers to execute arbitrary SQL commands via the (1) selStock parameter to search.asp and the (2) orderBy parameter to showAlllistings.asp.

2010-12-01 CVE-2010-4360 Jurpo SQL Injection vulnerability in Jurpo Jurpopage 0.2.0 (CVSS 7.5)

Multiple SQL injection vulnerabilities in index.php in Jurpopage 0.2.0 allow remote attackers to execute arbitrary SQL commands via the (1) note and (2) pg parameters, different vectors than CVE-2010-4359.

2010-12-01 CVE-2010-4359 Jurpo SQL Injection vulnerability in Jurpo Jurpopage 0.2.0 (CVSS 7.5)

SQL injection vulnerability in index.php in Jurpopage 0.2.0 allows remote attackers to execute arbitrary SQL commands via the category parameter.

2010-12-01 CVE-2010-4357 Boka SQL Injection vulnerability in Boka Siteengine 7.1 (CVSS 7.5)

SQL injection vulnerability in comments.php in SiteEngine 7.1 allows remote attackers to execute arbitrary SQL commands via the module parameter.

2010-12-01 CVE-2010-4356 Site2Nite SQL Injection vulnerability in Site2Nite BIG Truck Broker (CVSS 7.5)

SQL injection vulnerability in news_default.asp in Site2Nite Big Truck Broker allows remote attackers to execute arbitrary SQL commands via the txtSiteId parameter.

2010-12-01 CVE-2008-7267 Boka SQL Injection vulnerability in Boka Siteengine 5.0 (CVSS 7.5)

SQL injection vulnerability in announcements.php in SiteEngine 5.x allows remote attackers to execute arbitrary SQL commands via the id parameter.

16 Medium Vulnerabilities

DATE CVE VENDOR VULNERABILITY CVSS

2010-12-01 CVE-2010-4363 Mrcgiguy SQL Injection vulnerability in Mrcgiguy Freeticket 1.0.0 (CVSS 6.8)

Multiple SQL injection vulnerabilities in contact.php in MRCGIGUY (MCG) FreeTicket 1.0.0, when magic_quotes_gpc is disabled, allow remote attackers to execute arbitrary SQL commands via the (1) id and (2) email parameters in a showtickets action.

2010-12-02 CVE-2010-3267 Ifdefined SQL Injection vulnerability in Ifdefined Bugtracker.Net (CVSS 6.5)

Multiple SQL injection vulnerabilities in BugTracker.NET before 3.4.5 allow remote authenticated users to execute arbitrary SQL commands via (1) the qu_id parameter to bugs.aspx, (2) the row_id parameter to delete_query.aspx, the (3) new_project or (4) us_id parameter to edit_bug.aspx, or (5) the bug_list parameter to massedit.aspx.

2010-12-02 CVE-2010-4369 Awstats Path Traversal vulnerability in Awstats (CVSS 6.4)

Directory traversal vulnerability in AWStats before 7.0 allows remote attackers to have an unspecified impact via a crafted LoadPlugin directory.

2010-12-02 CVE-2010-4313 Novo WS Unspecified vulnerability in Novo-Ws Orbis CMS 1.0.2 (CVSS 6.0)

Unrestricted file upload vulnerability in fileman_file_upload.php in Orbis CMS 1.0.2 allows remote authenticated users to execute arbitrary code by uploading a .php file, and then accessing it via a direct request to the file in uploads/.

2010-12-02 CVE-2009-5020 Awstats Improper Input Validation vulnerability in Awstats (CVSS 5.8)

Open redirect vulnerability in awredir.pl in AWStats before 6.95 allows remote attackers to redirect users to arbitrary web sites and conduct phishing attacks via unspecified vectors.

2010-12-01 CVE-2008-7269 Boka Improper Input Validation vulnerability in Boka Siteengine 5.0 (CVSS 5.8)

Open redirect vulnerability in api.php in SiteEngine 5.x allows user-assisted remote attackers to redirect users to arbitrary web sites and conduct phishing attacks via a URL in the forward parameter in a logout action.

2010-12-01 CVE-2009-5019 Webwiz Permissions, Privileges, and Access Controls vulnerability in Webwiz Web Wiz NewsPad (CVSS 5.0)

Web Wiz NewsPad stores sensitive information under the web root with insufficient access control, which allows remote attackers to download a database via a direct request for database/NewsPad.mdb.

2010-12-01 CVE-2008-7268 Boka Information Exposure vulnerability in Boka Siteengine 5.0 (CVSS 5.0)

The phpinfo function in SiteEngine 5.x allows remote attackers to obtain system information by setting the action parameter to php_info in misc.php.

2010-11-30 CVE-2010-4354 Cisco Information Exposure vulnerability in Cisco products (CVSS 5.0)

The remote-access IPSec VPN implementation on Cisco Adaptive Security Appliances (ASA) 5500 series devices, PIX Security Appliances 500 series devices, and VPN Concentrators 3000 series devices responds to an Aggressive Mode IKE Phase I message only when the group name is configured on the device, which allows remote attackers to enumerate valid group names via a series of IKE negotiation attempts, aka Bug ID CSCtj96108, a different vulnerability than CVE-2005-2025.

2010-12-02 CVE-2010-4374 Nullsoft Resource Management Errors vulnerability in Nullsoft Winamp (CVSS 4.3)

The in_mkv plugin in Winamp before 5.6 allows remote attackers to cause a denial of service (application crash) via a Matroska Video (MKV) file containing a string with a crafted length.

2010-12-02 CVE-2010-4373 Nullsoft Denial-Of-Service vulnerability in Winamp (CVSS 4.3)

The in_mp4 plugin in Winamp before 5.6 allows remote attackers to cause a denial of service (application crash) via crafted (1) metadata or (2) albumart in an invalid MP4 file.

2010-12-02 CVE-2010-1324 MIT Cryptographic Issues vulnerability in MIT Kerberos 5 (CVSS 4.3)

MIT Kerberos 5 (aka krb5) 1.7.x and 1.8.x through 1.8.3 does not properly determine the acceptability of checksums, which might allow remote attackers to forge GSS tokens, gain privileges, or have unspecified other impact via (1) an unkeyed checksum, (2) an unkeyed PAC checksum, or (3) a KrbFastArmoredReq checksum based on an RC4 key.

2010-12-01 CVE-2010-4366 ABK Soft Cross-Site Scripting vulnerability in Abk-Soft Chameleon Social Networking (CVSS 4.3)

Multiple cross-site scripting (XSS) vulnerabilities in forum_new_topic.php in Chameleon Social Networking allow remote attackers to inject arbitrary web script or HTML via the (1) thread_title and (2) thread_description parameters in a message.

2010-12-01 CVE-2010-4364 Dadabik Cross-Site Scripting vulnerability in Dadabik 4.3 (CVSS 4.3)

DaDaBIK 4.3 beta3, when running in a case-sensitive environment, does not include the htmLawed library, which allows remote attackers to bypass the protection mechanism for CVE-2010-4355 and conduct cross-site scripting (XSS) attacks via the (1) html content and (2) rich_editor fields.

2010-12-01 CVE-2010-4361 Jurpo Cross-Site Scripting vulnerability in Jurpo Jurpopage 0.2.0 (CVSS 4.3)

Cross-site scripting (XSS) vulnerability in url-gateway.php in Jurpopage 0.2.0 allows remote attackers to inject arbitrary web script or HTML via the url parameter.

2010-12-01 CVE-2010-4358 Mrcgiguy Cross-Site Scripting vulnerability in Mrcgiguy Guestbook 1.0 (CVSS 4.3)

Multiple cross-site scripting (XSS) vulnerabilities in gb.cgi in MRCGIGUY (MCG) Guestbook 1.0 allow remote attackers to inject arbitrary web script or HTML via the (1) name, (2) email, (3) website, and (4) message parameters.

5 Low Vulnerabilities

DATE CVE VENDOR VULNERABILITY CVSS

2010-12-02 CVE-2010-4020 MIT Cryptographic Issues vulnerability in MIT Kerberos 5 (CVSS 3.5)

MIT Kerberos 5 (aka krb5) 1.8.x through 1.8.3 does not reject RC4 key-derivation checksums, which might allow remote authenticated users to forge a (1) AD-SIGNEDPATH or (2) AD-KDC-ISSUED signature, and possibly gain privileges, by leveraging the small key space that results from certain one-byte stream-cipher operations.

2010-12-02 CVE-2010-3266 Ifdefined Cross-Site Scripting vulnerability in Ifdefined Bugtracker.Net (CVSS 3.5)

Multiple cross-site scripting (XSS) vulnerabilities in BugTracker.NET before 3.4.5 allow remote authenticated users to inject arbitrary web script or HTML via (1) the pcd parameter to edit_bug.aspx, (2) the bug_id parameter to edit_comment.aspx, (3) the id parameter to edit_user_permissions2.aspx, or (4) the default_name parameter to edit_customfield.aspx.

2010-12-01 CVE-2010-4355 Dadabik Cross-Site Scripting vulnerability in Dadabik (CVSS 3.5)

Cross-site scripting (XSS) vulnerability in DaDaBIK before 4.3 beta2, when the insert or edit feature is enabled, allows remote authenticated users to inject arbitrary web script or HTML via the select_single parameter.

2010-12-02 CVE-2010-1323 MIT Cryptographic Issues vulnerability in MIT Kerberos and Kerberos 5 (CVSS 2.6)

MIT Kerberos 5 (aka krb5) 1.3.x, 1.4.x, 1.5.x, 1.6.x, 1.7.x, and 1.8.x through 1.8.3 does not properly determine the acceptability of checksums, which might allow remote attackers to modify user-visible prompt text, modify a response to a Key Distribution Center (KDC), or forge a KRB-SAFE message via certain checksums that (1) are unkeyed or (2) use RC4 keys.

2010-12-02 CVE-2010-4021 MIT Permissions, Privileges, and Access Controls vulnerability in MIT Kerberos 5 1.7 (CVSS 2.1)

The Key Distribution Center (KDC) in MIT Kerberos 5 (aka krb5) 1.7 does not properly restrict the use of TGT credentials for armoring TGS requests, which might allow remote authenticated users to impersonate a client by rewriting an inner request, aka a "KrbFastReq forgery issue."