Weekly Vulnerabilities Reports > November 29 to December 5, 2010

Overview

56 new vulnerabilities were reported during this period, including 6 critical vulnerabilities and 13 high severity vulnerabilities. This weekly summary reports vulnerabilities in 38 products from 25 vendors including Linux, Debian, Suse, Opensuse, and Artica. Vulnerabilities are notably categorized as "Information Exposure", "SQL Injection", "Cross-site Scripting", "Missing Initialization of Resource", and "Code Injection".

  • 41 reported vulnerabilities are remotely exploitable.
  • 24 reported vulnerabilities have a public exploit available.
  • 21 reported vulnerabilities are related to weaknesses in the OWASP Top Ten.
  • 49 reported vulnerabilities are exploitable by an anonymous user.
  • Linux has the most reported vulnerabilities, with 15 reported vulnerabilities.
  • Nullsoft has the most reported critical vulnerabilities, with 4 reported vulnerabilities.

Summary dashboard (counts not recovered from the page): total vulnerabilities; critical, high, medium and low risk vulnerabilities; remotely exploitable; locally exploitable; exploit available; exploitable anonymously; affecting web application.

Vulnerability Details

The following tables list the reported vulnerabilities for the period covered by this report:

6 Critical Vulnerabilities

DATE CVE VENDOR VULNERABILITY CVSS
2010-12-02 CVE-2010-4279 Artica Improper Authentication vulnerability in Artica Pandora FMS

The default configuration of Pandora FMS 3.1 and earlier specifies an empty string for the loginhash_pwd field, which allows remote attackers to bypass authentication by sending a request to index.php with "admin" in the loginhash_user parameter, in conjunction with the md5 hash of "admin" in the loginhash_data parameter.

10.0
2010-12-02 CVE-2010-4372 Nullsoft Numeric Errors vulnerability in Nullsoft Winamp

Integer overflow in the in_nsv plugin in Winamp before 5.6 allows remote attackers to have an unspecified impact via vectors related to improper allocation of memory for NSV metadata, a different vulnerability than CVE-2010-2586.

9.3
2010-12-02 CVE-2010-4371 Nullsoft Improper Restriction of Operations Within the Bounds of A Memory Buffer vulnerability in Nullsoft Winamp

Buffer overflow in the in_mod plugin in Winamp before 5.6 allows remote attackers to have an unspecified impact via vectors related to the comment box.

9.3
2010-12-02 CVE-2010-4370 Nullsoft Numeric Errors vulnerability in Nullsoft Winamp

Multiple integer overflows in the in_midi plugin in Winamp before 5.6 allow remote attackers to execute arbitrary code via a crafted MIDI file that triggers a buffer overflow.

9.3
2010-12-02 CVE-2010-2586 Nullsoft Numeric Errors vulnerability in Nullsoft Winamp

Multiple integer overflows in in_nsv.dll in the in_nsv plugin in Winamp before 5.6 allow remote attackers to execute arbitrary code via a crafted Table of Contents (TOC) in a (1) NSV stream or (2) NSV file that triggers a heap-based buffer overflow.

9.3
2010-12-02 CVE-2010-4278 Artica OS Command Injection vulnerability in Artica Pandora FMS

operation/agentes/networkmap.php in Pandora FMS before 3.1.1 allows remote authenticated users to execute arbitrary commands via shell metacharacters in the layout parameter in an operation/agentes/networkmap action to index.php.

9.0

13 High Vulnerabilities

DATE CVE VENDOR VULNERABILITY CVSS
2010-12-02 CVE-2010-4283 Artica Code Injection vulnerability in Artica Pandora FMS

PHP remote file inclusion vulnerability in extras/pandora_diag.php in Pandora FMS before 3.1.1 allows remote attackers to execute arbitrary PHP code via a URL in the argv[1] parameter.

7.5
2010-12-02 CVE-2010-4282 Artica Path Traversal vulnerability in Artica Pandora FMS

Multiple directory traversal vulnerabilities in Pandora FMS before 3.1.1 allow remote attackers to include and execute arbitrary local files via (1) the page parameter to ajax.php or (2) the id parameter to general/pandora_help.php, and allow remote attackers to include and execute, create, modify, or delete arbitrary local files via (3) the layout parameter to operation/agentes/networkmap.php.

7.5
2010-12-02 CVE-2010-4281 Artica Code Injection vulnerability in Artica Pandora FMS

Incomplete blacklist vulnerability in the safe_url_extraclean function in ajax.php in Pandora FMS before 3.1.1 allows remote attackers to execute arbitrary PHP code by using a page parameter containing a UNC share pathname, which bypasses the check for the : (colon) character.

7.5
2010-12-02 CVE-2010-4280 Artica SQL Injection vulnerability in Artica Pandora FMS

Multiple SQL injection vulnerabilities in Pandora FMS before 3.1.1 allow remote authenticated users to execute arbitrary SQL commands via (1) the id_group parameter in an operation/agentes/ver_agente action to ajax.php or (2) the group_id parameter in an operation/agentes/estado_agente action to index.php, related to operation/agentes/estado_agente.php.

7.5
2010-12-02 CVE-2010-4368 Awstats, Microsoft Code Injection vulnerability in Awstats

awstats.cgi in AWStats before 7.0 on Windows accepts a configdir parameter in the URL, which allows remote attackers to execute arbitrary commands via a crafted configuration file located at a UNC share pathname.

7.5
2010-12-02 CVE-2010-4367 Awstats Code Injection vulnerability in Awstats

awstats.cgi in AWStats before 7.0 accepts a configdir parameter in the URL, which allows remote attackers to execute arbitrary commands via a crafted configuration file located on a (1) WebDAV server or (2) NFS server.

7.5
2010-12-01 CVE-2010-4365 Harmistechnology, Joomla SQL Injection vulnerability in Harmistechnology COM Jeajaxeventcalendar

SQL injection vulnerability in JE Ajax Event Calendar (com_jeajaxeventcalendar) component for Joomla! allows remote attackers to execute arbitrary SQL commands via the event_id parameter in an alleventlist_more action to index.php.

7.5
2010-12-01 CVE-2010-4362 Micronetsoft SQL Injection vulnerability in Micronetsoft RV Dealer Website

Multiple SQL injection vulnerabilities in MicroNetsoft RV Dealer Website allow remote attackers to execute arbitrary SQL commands via the (1) selStock parameter to search.asp and the (2) orderBy parameter to showAlllistings.asp.

7.5
2010-12-01 CVE-2010-4360 Jurpo SQL Injection vulnerability in Jurpo Jurpopage 0.2.0

Multiple SQL injection vulnerabilities in index.php in Jurpopage 0.2.0 allow remote attackers to execute arbitrary SQL commands via the (1) note and (2) pg parameters, different vectors than CVE-2010-4359.

7.5
2010-12-01 CVE-2010-4359 Jurpo SQL Injection vulnerability in Jurpo Jurpopage 0.2.0

SQL injection vulnerability in index.php in Jurpopage 0.2.0 allows remote attackers to execute arbitrary SQL commands via the category parameter.

7.5
2010-12-01 CVE-2010-4357 Boka SQL Injection vulnerability in Boka Siteengine 7.1

SQL injection vulnerability in comments.php in SiteEngine 7.1 allows remote attackers to execute arbitrary SQL commands via the module parameter.

7.5
2010-12-01 CVE-2010-4356 Site2Nite SQL Injection vulnerability in Site2Nite BIG Truck Broker

SQL injection vulnerability in news_default.asp in Site2Nite Big Truck Broker allows remote attackers to execute arbitrary SQL commands via the txtSiteId parameter.

7.5
2010-12-01 CVE-2008-7267 Boka SQL Injection vulnerability in Boka Siteengine 5.0

SQL injection vulnerability in announcements.php in SiteEngine 5.x allows remote attackers to execute arbitrary SQL commands via the id parameter.

7.5

20 Medium Vulnerabilities

DATE CVE VENDOR VULNERABILITY CVSS
2010-12-01 CVE-2010-4363 Mrcgiguy SQL Injection vulnerability in Mrcgiguy Freeticket 1.0.0

Multiple SQL injection vulnerabilities in contact.php in MRCGIGUY (MCG) FreeTicket 1.0.0, when magic_quotes_gpc is disabled, allow remote attackers to execute arbitrary SQL commands via the (1) id and (2) email parameters in a showtickets action.

6.8
2010-12-02 CVE-2010-3267 Ifdefined SQL Injection vulnerability in Ifdefined Bugtracker.Net

Multiple SQL injection vulnerabilities in BugTracker.NET before 3.4.5 allow remote authenticated users to execute arbitrary SQL commands via (1) the qu_id parameter to bugs.aspx, (2) the row_id parameter to delete_query.aspx, the (3) new_project or (4) us_id parameter to edit_bug.aspx, or (5) the bug_list parameter to massedit.aspx.

6.5
2010-12-02 CVE-2010-4369 Awstats Path Traversal vulnerability in Awstats

Directory traversal vulnerability in AWStats before 7.0 allows remote attackers to have an unspecified impact via a crafted LoadPlugin directory.

6.4
2010-12-02 CVE-2010-4313 Novo WS Unspecified vulnerability in Novo-Ws Orbis CMS 1.0.2

Unrestricted file upload vulnerability in fileman_file_upload.php in Orbis CMS 1.0.2 allows remote authenticated users to execute arbitrary code by uploading a .php file, and then accessing it via a direct request to the file in uploads/.

6.0
2010-12-02 CVE-2009-5020 Awstats Improper Input Validation vulnerability in Awstats

Open redirect vulnerability in awredir.pl in AWStats before 6.95 allows remote attackers to redirect users to arbitrary web sites and conduct phishing attacks via unspecified vectors.

5.8
2010-12-01 CVE-2008-7269 Boka Improper Input Validation vulnerability in Boka Siteengine 5.0

Open redirect vulnerability in api.php in SiteEngine 5.x allows user-assisted remote attackers to redirect users to arbitrary web sites and conduct phishing attacks via a URL in the forward parameter in a logout action.

5.8
2010-12-01 CVE-2009-5019 Webwiz Permissions, Privileges, and Access Controls vulnerability in Web Wiz NewsPad

Web Wiz NewsPad stores sensitive information under the web root with insufficient access control, which allows remote attackers to download a database via a direct request for database/NewsPad.mdb.

5.0
2010-12-01 CVE-2008-7268 Boka Information Exposure vulnerability in Boka Siteengine 5.0

The phpinfo function in SiteEngine 5.x allows remote attackers to obtain system information by setting the action parameter to php_info in misc.php.

5.0
2010-11-30 CVE-2010-4354 Cisco Information Exposure vulnerability in Cisco products

The remote-access IPSec VPN implementation on Cisco Adaptive Security Appliances (ASA) 5500 series devices, PIX Security Appliances 500 series devices, and VPN Concentrators 3000 series devices responds to an Aggressive Mode IKE Phase I message only when the group name is configured on the device, which allows remote attackers to enumerate valid group names via a series of IKE negotiation attempts, aka Bug ID CSCtj96108, a different vulnerability than CVE-2005-2025.

5.0
2010-11-30 CVE-2010-4248 Linux Race Condition vulnerability in Linux Kernel

Race condition in the __exit_signal function in kernel/exit.c in the Linux kernel before 2.6.37-rc2 allows local users to cause a denial of service via vectors related to multithreaded exec, the use of a thread group leader in kernel/posix-cpu-timers.c, and the selection of a new thread group leader in the de_thread function in fs/exec.c.

4.9
2010-11-30 CVE-2010-3858 Linux, Debian, Canonical Resource Exhaustion vulnerability in multiple products

The setup_arg_pages function in fs/exec.c in the Linux kernel before 2.6.36, when CONFIG_STACK_GROWSDOWN is used, does not properly restrict the stack memory consumption of the (1) arguments and (2) environment for a 32-bit application on a 64-bit platform, which allows local users to cause a denial of service (system crash) via a crafted exec system call, a related issue to CVE-2010-2240.

4.9
2010-11-29 CVE-2010-4249 Linux, Fedoraproject Resource Exhaustion vulnerability in multiple products

The wait_for_unix_gc function in net/unix/garbage.c in the Linux kernel before 2.6.37-rc3-next-20101125 does not properly select times for garbage collection of inflight sockets, which allows local users to cause a denial of service (system hang) via crafted use of the socketpair and sendmsg system calls for SOCK_SEQPACKET sockets.

4.9
2010-12-02 CVE-2010-4374 Nullsoft Resource Management Errors vulnerability in Nullsoft Winamp

The in_mkv plugin in Winamp before 5.6 allows remote attackers to cause a denial of service (application crash) via a Matroska Video (MKV) file containing a string with a crafted length.

4.3
2010-12-02 CVE-2010-4373 Nullsoft Denial-Of-Service vulnerability in Winamp

The in_mp4 plugin in Winamp before 5.6 allows remote attackers to cause a denial of service (application crash) via crafted (1) metadata or (2) albumart in an invalid MP4 file.

4.3
2010-12-02 CVE-2010-4329 Phpmyadmin Cross-Site Scripting vulnerability in PHPmyadmin

Cross-site scripting (XSS) vulnerability in the PMA_linkOrButton function in libraries/common.lib.php in the database (db) search script in phpMyAdmin 2.11.x before 2.11.11.1 and 3.x before 3.3.8.1 allows remote attackers to inject arbitrary web script or HTML via a crafted request.

4.3
2010-12-02 CVE-2010-1324 MIT Cryptographic Issues vulnerability in MIT Kerberos 5

MIT Kerberos 5 (aka krb5) 1.7.x and 1.8.x through 1.8.3 does not properly determine the acceptability of checksums, which might allow remote attackers to forge GSS tokens, gain privileges, or have unspecified other impact via (1) an unkeyed checksum, (2) an unkeyed PAC checksum, or (3) a KrbFastArmoredReq checksum based on an RC4 key.

4.3
2010-12-01 CVE-2010-4366 ABK Soft Cross-Site Scripting vulnerability in Abk-Soft Chameleon Social Networking

Multiple cross-site scripting (XSS) vulnerabilities in forum_new_topic.php in Chameleon Social Networking allow remote attackers to inject arbitrary web script or HTML via the (1) thread_title and (2) thread_description parameters in a message.

4.3
2010-12-01 CVE-2010-4364 Dadabik Cross-Site Scripting vulnerability in Dadabik 4.3

DaDaBIK 4.3 beta3, when running in a case-sensitive environment, does not include the htmLawed library, which allows remote attackers to bypass the protection mechanism for CVE-2010-4355 and conduct cross-site scripting (XSS) attacks via the (1) html content and (2) rich_editor fields.

4.3
2010-12-01 CVE-2010-4361 Jurpo Cross-Site Scripting vulnerability in Jurpo Jurpopage 0.2.0

Cross-site scripting (XSS) vulnerability in url-gateway.php in Jurpopage 0.2.0 allows remote attackers to inject arbitrary web script or HTML via the url parameter.

4.3
2010-12-01 CVE-2010-4358 Mrcgiguy Cross-Site Scripting vulnerability in Mrcgiguy Guestbook 1.0

Multiple cross-site scripting (XSS) vulnerabilities in gb.cgi in MRCGIGUY (MCG) Guestbook 1.0 allow remote attackers to inject arbitrary web script or HTML via the (1) name, (2) email, (3) website, and (4) message parameters.

4.3

17 Low Vulnerabilities

DATE CVE VENDOR VULNERABILITY CVSS
2010-12-02 CVE-2010-4020 MIT Cryptographic Issues vulnerability in MIT Kerberos 5

MIT Kerberos 5 (aka krb5) 1.8.x through 1.8.3 does not reject RC4 key-derivation checksums, which might allow remote authenticated users to forge a (1) AD-SIGNEDPATH or (2) AD-KDC-ISSUED signature, and possibly gain privileges, by leveraging the small key space that results from certain one-byte stream-cipher operations.

3.5
2010-12-02 CVE-2010-3266 Ifdefined Cross-Site Scripting vulnerability in Ifdefined Bugtracker.Net

Multiple cross-site scripting (XSS) vulnerabilities in BugTracker.NET before 3.4.5 allow remote authenticated users to inject arbitrary web script or HTML via (1) the pcd parameter to edit_bug.aspx, (2) the bug_id parameter to edit_comment.aspx, (3) the id parameter to edit_user_permissions2.aspx, or (4) the default_name parameter to edit_customfield.aspx.

3.5
2010-12-01 CVE-2010-4355 Dadabik Cross-Site Scripting vulnerability in Dadabik

Cross-site scripting (XSS) vulnerability in DaDaBIK before 4.3 beta2, when the insert or edit feature is enabled, allows remote authenticated users to inject arbitrary web script or HTML via the select_single parameter.

3.5
2010-12-02 CVE-2010-1323 MIT Cryptographic Issues vulnerability in MIT Kerberos and Kerberos 5

MIT Kerberos 5 (aka krb5) 1.3.x, 1.4.x, 1.5.x, 1.6.x, 1.7.x, and 1.8.x through 1.8.3 does not properly determine the acceptability of checksums, which might allow remote attackers to modify user-visible prompt text, modify a response to a Key Distribution Center (KDC), or forge a KRB-SAFE message via certain checksums that (1) are unkeyed or (2) use RC4 keys.

2.6
2010-12-02 CVE-2010-4021 MIT Permissions, Privileges, and Access Controls vulnerability in MIT Kerberos 5 1.7

The Key Distribution Center (KDC) in MIT Kerberos 5 (aka krb5) 1.7 does not properly restrict the use of TGT credentials for armoring TGS requests, which might allow remote authenticated users to impersonate a client by rewriting an inner request, aka a "KrbFastReq forgery issue."

2.1
2010-11-30 CVE-2010-4080 Linux, Opensuse, Suse, Debian Information Exposure vulnerability in multiple products

The snd_hdsp_hwdep_ioctl function in sound/pci/rme9652/hdsp.c in the Linux kernel before 2.6.36-rc6 does not initialize a certain structure, which allows local users to obtain potentially sensitive information from kernel stack memory via an SNDRV_HDSP_IOCTL_GET_CONFIG_INFO ioctl call.

2.1
2010-11-30 CVE-2010-4083 Linux, Opensuse, Suse, Debian Missing Initialization of Resource vulnerability in multiple products

The copy_semid_to_user function in ipc/sem.c in the Linux kernel before 2.6.36 does not initialize a certain structure, which allows local users to obtain potentially sensitive information from kernel stack memory via a (1) IPC_INFO, (2) SEM_INFO, (3) IPC_STAT, or (4) SEM_STAT command in a semctl system call.

1.9
2010-11-30 CVE-2010-4082 Linux, Opensuse, Suse Missing Initialization of Resource vulnerability in multiple products

The viafb_ioctl_get_viafb_info function in drivers/video/via/ioctl.c in the Linux kernel before 2.6.36-rc5 does not properly initialize a certain structure member, which allows local users to obtain potentially sensitive information from kernel stack memory via a VIAFB_GET_INFO ioctl call.

1.9
2010-11-30 CVE-2010-4081 Linux, Opensuse, Suse, Debian Missing Initialization of Resource vulnerability in multiple products

The snd_hdspm_hwdep_ioctl function in sound/pci/rme9652/hdspm.c in the Linux kernel before 2.6.36-rc6 does not initialize a certain structure, which allows local users to obtain potentially sensitive information from kernel stack memory via an SNDRV_HDSPM_IOCTL_GET_CONFIG_INFO ioctl call.

1.9
2010-11-29 CVE-2010-4079 Linux, Debian Information Exposure vulnerability in multiple products

The ivtvfb_ioctl function in drivers/media/video/ivtv/ivtvfb.c in the Linux kernel before 2.6.36-rc8 does not properly initialize a certain structure member, which allows local users to obtain potentially sensitive information from kernel stack memory via an FBIOGET_VBLANK ioctl call.

1.9
2010-11-29 CVE-2010-4078 Linux, Opensuse, Suse, Debian Missing Initialization of Resource vulnerability in multiple products

The sisfb_ioctl function in drivers/video/sis/sis_main.c in the Linux kernel before 2.6.36-rc6 does not properly initialize a certain structure member, which allows local users to obtain potentially sensitive information from kernel stack memory via an FBIOGET_VBLANK ioctl call.

1.9
2010-11-29 CVE-2010-4077 Linux Information Exposure vulnerability in Linux Kernel

The ntty_ioctl_tiocgicount function in drivers/char/nozomi.c in the Linux kernel 2.6.36.1 and earlier does not properly initialize a certain structure member, which allows local users to obtain potentially sensitive information from kernel stack memory via a TIOCGICOUNT ioctl call.

1.9
2010-11-29 CVE-2010-4076 Linux Information Exposure vulnerability in Linux Kernel

The rs_ioctl function in drivers/char/amiserial.c in the Linux kernel 2.6.36.1 and earlier does not properly initialize a certain structure member, which allows local users to obtain potentially sensitive information from kernel stack memory via a TIOCGICOUNT ioctl call.

1.9
2010-11-29 CVE-2010-4075 Linux Information Exposure vulnerability in Linux Kernel

The uart_get_count function in drivers/serial/serial_core.c in the Linux kernel before 2.6.37-rc1 does not properly initialize a certain structure member, which allows local users to obtain potentially sensitive information from kernel stack memory via a TIOCGICOUNT ioctl call.

1.9
2010-11-29 CVE-2010-4074 Linux, Debian Information Exposure vulnerability in multiple products

The USB subsystem in the Linux kernel before 2.6.36-rc5 does not properly initialize certain structure members, which allows local users to obtain potentially sensitive information from kernel stack memory via vectors related to TIOCGICOUNT ioctl calls, and the (1) mos7720_ioctl function in drivers/usb/serial/mos7720.c and (2) mos7840_ioctl function in drivers/usb/serial/mos7840.c.

1.9
2010-11-29 CVE-2010-4073 Linux, Opensuse, Suse, Debian Information Exposure vulnerability in multiple products

The ipc subsystem in the Linux kernel before 2.6.37-rc1 does not initialize certain structures, which allows local users to obtain potentially sensitive information from kernel stack memory via vectors related to the (1) compat_sys_semctl, (2) compat_sys_msgctl, and (3) compat_sys_shmctl functions in ipc/compat.c; and the (4) compat_sys_mq_open and (5) compat_sys_mq_getsetattr functions in ipc/compat_mq.c.

1.9
2010-11-29 CVE-2010-4072 Linux, Opensuse, Suse, Debian, Canonical Information Exposure vulnerability in multiple products

The copy_shmid_to_user function in ipc/shm.c in the Linux kernel before 2.6.37-rc1 does not initialize a certain structure, which allows local users to obtain potentially sensitive information from kernel stack memory via vectors related to the shmctl system call and the "old shm interface."

1.9