Weekly Vulnerabilities Reports > June 20 to 26, 2011

Overview

53 new vulnerabilities were reported during this period, including 4 critical and 9 high severity vulnerabilities. This weekly summary reports vulnerabilities in 26 products from 21 vendors, including Apple, Linux, Simplemachines, Prosody, and Phpnuke. The most common weakness categories are "Resource Management Errors", "Improper Restriction of Operations within the Bounds of a Memory Buffer", "Numeric Errors", "Information Exposure", and "Cross-site Scripting".

  • 43 of the reported vulnerabilities are remotely exploitable.
  • 6 of the reported vulnerabilities are related to weaknesses in the OWASP Top Ten.
  • 50 of the reported vulnerabilities are exploitable by an anonymous user.
  • Apple has the most reported vulnerabilities, with 20.
  • Foxitsoftware has the most reported critical vulnerabilities, with 1 (Simplemachines, Videolan and Rockwellautomation also have one critical entry each).

Summary (values from the overview above; cells marked "not given" are absent from this page)

  • Total vulnerabilities: 53
  • Critical risk vulnerabilities: 4
  • High risk vulnerabilities: 9
  • Medium risk vulnerabilities: 33
  • Low risk vulnerabilities: 7
  • Remotely exploitable: 43
  • Locally exploitable: not given
  • Exploit available: not given
  • Exploitable anonymously: 50
  • Affecting web application: not given

Vulnerability Details

The following tables list the vulnerabilities reported during the period covered by this report, grouped by severity. Each entry gives the report date, CVE identifier, vendor, vulnerability title, description and CVSS base score:

4 Critical Vulnerabilities

DATE CVE VENDOR VULNERABILITY CVSS
2011-06-21 CVE-2011-1127 Simplemachines Permissions, Privileges, and Access Controls vulnerability in Simplemachines SMF

SSI.php in Simple Machines Forum (SMF) before 1.1.13, and 2.x before 2.0 RC5, does not properly restrict guest access, which allows remote attackers to have an unspecified impact via unknown vectors.

10.0
2011-06-24 CVE-2011-2194 Videolan Numeric Errors vulnerability in Videolan VLC Media Player

Integer overflow in the XSPF playlist parser in VideoLAN VLC media player 0.8.5 through 1.1.9 allows remote attackers to cause a denial of service (crash) and possibly execute arbitrary code via unspecified vectors that trigger a heap-based buffer overflow.

9.3
2011-06-24 CVE-2011-1908 Foxitsoftware Numeric Errors vulnerability in Foxitsoftware Foxit Reader

Integer overflow in the Type 1 font decoder in the FreeType engine in Foxit Reader before 4.0.0.0619 allows remote attackers to execute arbitrary code or cause a denial of service (application crash) via a crafted font in a PDF document.

9.3
2011-06-22 CVE-2011-2530 Rockwellautomation Improper Restriction of Operations Within the Bounds of A Memory Buffer vulnerability in Rockwellautomation EDS Hardware Installation Tool and Rslinx

Buffer overflow in RSEds.dll in RSHWare.exe in the EDS Hardware Installation Tool 1.0.5.1 and earlier in Rockwell Automation RSLinx Classic before 2.58 allows user-assisted remote attackers to cause a denial of service (application crash) or possibly execute arbitrary code via a malformed .eds file.

9.3

9 High Vulnerabilities

DATE CVE VENDOR VULNERABILITY CVSS
2011-06-24 CVE-2011-2193 Clusterresources Improper Restriction of Operations Within the Bounds of A Memory Buffer vulnerability in Clusterresources Torque Resource Manager

Multiple buffer overflows in Terascale Open-Source Resource and Queue Manager (aka TORQUE Resource Manager) 2.x before 2.4.14, 2.5.x before 2.5.6, and 3.x before 3.0.2 allow (1) remote authenticated users to gain privileges via a long Job_Name field in a qsub command to the server, and might allow (2) local users to gain privileges via vectors involving a long host variable in pbs_iff.

8.5
2011-06-24 CVE-2011-1770 Linux, Fedoraproject Integer Underflow (Wrap or Wraparound) vulnerability in Linux Kernel

Integer underflow in the dccp_parse_options function (net/dccp/options.c) in the Linux kernel before 2.6.33.14 allows remote attackers to cause a denial of service via a Datagram Congestion Control Protocol (DCCP) packet with an invalid feature options length, which triggers a buffer over-read.

7.8
2011-06-24 CVE-2011-0196 Apple Resource Management Errors vulnerability in Apple mac OS X and mac OS X Server

AirPort in Apple Mac OS X 10.5.8 allows remote attackers to cause a denial of service (out-of-bounds read and reboot) via Wi-Fi frames on the local wireless network.

7.8
2011-06-24 CVE-2011-0206 Apple Improper Restriction of Operations Within the Bounds of A Memory Buffer vulnerability in Apple mac OS X and mac OS X Server

Buffer overflow in International Components for Unicode (ICU) in Apple Mac OS X before 10.6.8 allows context-dependent attackers to execute arbitrary code or cause a denial of service (application crash) via vectors involving uppercase strings.

7.5
2011-06-24 CVE-2011-0201 Apple Numeric Errors vulnerability in Apple mac OS X and mac OS X Server

Off-by-one error in the CoreFoundation framework in Apple Mac OS X before 10.6.8 allows context-dependent attackers to execute arbitrary code or cause a denial of service (application crash) via a CFString object that triggers a buffer overflow.

7.5
2011-06-21 CVE-2011-1480 Phpnuke SQL Injection vulnerability in PHPnuke PHP-Nuke

SQL injection vulnerability in admin.php in the administration backend in Francisco Burzi PHP-Nuke 8.0 and earlier allows remote attackers to execute arbitrary SQL commands via the chng_uid parameter.

7.5
2011-06-21 CVE-2011-1130 Simplemachines Improper Input Validation vulnerability in Simplemachines SMF

Simple Machines Forum (SMF) before 1.1.13, and 2.x before 2.0 RC5, does not properly validate the start parameter, which might allow remote attackers to conduct SQL injection attacks, obtain sensitive information, or cause a denial of service via a crafted value, related to the cleanRequest function in QueryString.php and the constructPageIndex function in Subs.php.

7.5
2011-06-21 CVE-2011-1128 Simplemachines Cryptographic Issues vulnerability in Simplemachines SMF

The loadUserSettings function in Load.php in Simple Machines Forum (SMF) before 1.1.13, and 2.x before 2.0 RC5, does not properly handle invalid login attempts, which might make it easier for remote attackers to obtain access or cause a denial of service via a brute-force attack.

7.5
2011-06-22 CVE-2011-2534 Linux Classic Buffer Overflow vulnerability in Linux Kernel

Buffer overflow in the clusterip_proc_write function in net/ipv4/netfilter/ipt_CLUSTERIP.c in the Linux kernel before 2.6.39 might allow local users to cause a denial of service or have unspecified other impact via a crafted write operation, related to string data that lacks a terminating '\0' character.

7.2
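The CVE-2011-1770 entry above is a length-field bug in an options parser: a length byte that is smaller than the option header, or larger than what remains of the packet, leads to a read past the buffer. The following is an added example written for this report, not Linux kernel code: a bounds-checked parser for a DCCP-style option list (RFC 4340 section 5.8 layout, where types 0-31 are single bytes and every other option is type, length, value with the length counting its own two header bytes). The sample byte strings are constructed; the unsigned-wrap helper only illustrates what 'length - 2' becomes in 8-bit arithmetic.

```python
"""Bounds-checked parser for a DCCP-style option list.

Added example, not kernel code. Option types 0-31 are single bytes; other
options are type, length, value, and the length includes the type and length
bytes, so a valid length is at least 2. A parser that trusts the length byte
(or computes length - 2 in unsigned arithmetic) reads past the packet.
"""
from dataclasses import dataclass
from typing import List


class MalformedOptions(ValueError):
    """Raised instead of reading outside the option buffer."""


@dataclass
class Option:
    kind: int
    value: bytes


def wrapped_value_length(length_byte: int) -> int:
    """What an unsigned 8-bit 'length - 2' yields for a bad length byte:
    0 and 1 wrap to 254 and 255, turning a one-byte mistake into a read of
    hundreds of bytes beyond the packet."""
    return (length_byte - 2) & 0xFF


def parse_options(buf: bytes) -> List[Option]:
    """Parse the option list in buf, refusing any option that would need
    bytes the buffer does not contain."""
    options: List[Option] = []
    i, n = 0, len(buf)
    while i < n:
        kind = buf[i]
        if kind < 32:
            # Single-byte options (padding, mandatory, slow receiver, ...).
            options.append(Option(kind, b""))
            i += 1
            continue
        if i + 1 >= n:
            raise MalformedOptions(f"option {kind} at offset {i}: length byte missing")
        length = buf[i + 1]
        if length < 2:
            # Would underflow 'length - 2'; reject before doing arithmetic on it.
            raise MalformedOptions(f"option {kind} at offset {i}: length {length} < 2")
        if i + length > n:
            # The value would extend past the buffer: the over-read case.
            raise MalformedOptions(
                f"option {kind} at offset {i}: length {length} exceeds "
                f"{n - i} remaining bytes"
            )
        options.append(Option(kind, bytes(buf[i + 2:i + length])))
        i += length
    return options


def rejected(buf: bytes) -> bool:
    """True if parse_options refuses buf."""
    try:
        parse_options(buf)
    except MalformedOptions:
        return True
    return False


# Constructed sample: padding, mandatory, then a type-32 option with two value bytes.
SAMPLE = bytes([0, 1, 32, 4, 0xAA, 0xBB])
```

The two checks that matter are the ones before the slice: reject a length below the header size before subtracting from it, and compare the full length against the bytes actually remaining rather than against the whole packet length.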
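Two of the high entries above (CVE-2011-1480, a SQL injection through the chng_uid parameter, and CVE-2011-1130, an unvalidated start parameter that can lead to SQL injection or a denial of service) share a root cause: a request parameter that should be a small integer reaches a query or a pager unchecked. The following added example, written for this report and not taken from PHP-Nuke or SMF, pairs the vulnerable concatenation pattern with a strict integer parser and parameterized queries. The in-memory SQLite schema, the table name, and the bounds are assumptions for the demo.

```python
"""Strict handling of integer request parameters before they reach SQL.

Added example, not SMF or PHP-Nuke code. The 'users' table and the limits
are constructed for the demo.
"""
import re
import sqlite3
from typing import List, Optional, Tuple

MAX_ID = 2**31 - 1          # assumed: ids are 32-bit signed integers
MAX_PAGE_START = 100_000    # assumed: largest pager offset worth serving
_DIGITS = re.compile(r"[0-9]{1,10}")


class BadParameter(ValueError):
    """Raised for a parameter that is not a plain, bounded, decimal integer."""


def parse_int_param(raw: Optional[str], upper: int) -> int:
    """Accept only a decimal integer in [0, upper]. Anything else is rejected
    rather than 'cleaned', so '1 OR 1=1', '-1', '1e9' and '' all fail."""
    if raw is None or not _DIGITS.fullmatch(raw):
        raise BadParameter(f"not a decimal integer: {raw!r}")
    value = int(raw)
    if value > upper:
        raise BadParameter(f"{value} exceeds {upper}")
    return value


def setup_db() -> sqlite3.Connection:
    """Constructed sample data."""
    con = sqlite3.connect(":memory:")
    con.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, name TEXT, is_admin INTEGER)")
    con.executemany("INSERT INTO users VALUES (?, ?, ?)",
                    [(1, "alice", 1), (2, "bob", 0), (3, "carol", 0)])
    return con


def user_by_id_unsafe(con: sqlite3.Connection, chng_uid: str) -> List[Tuple[int, str]]:
    """Vulnerable pattern: the parameter is pasted into the SQL text."""
    return con.execute(f"SELECT id, name FROM users WHERE id = {chng_uid}").fetchall()


def user_by_id_safe(con: sqlite3.Connection, chng_uid: str) -> List[Tuple[int, str]]:
    """Validated first, then bound as a parameter; the value never touches SQL text."""
    uid = parse_int_param(chng_uid, MAX_ID)
    return con.execute("SELECT id, name FROM users WHERE id = ?", (uid,)).fetchall()


def page_safe(con: sqlite3.Connection, start: str, per_page: int = 2) -> List[Tuple[int, str]]:
    """Pager offset validated and bounded, so a huge 'start' cannot drive the
    page-index builder into a very long loop, then bound as a parameter."""
    offset = parse_int_param(start, MAX_PAGE_START)
    return con.execute("SELECT id, name FROM users ORDER BY id LIMIT ? OFFSET ?",
                       (per_page, offset)).fetchall()


def rejects(fn, *args) -> bool:
    """True if fn(*args) raises BadParameter."""
    try:
        fn(*args)
    except BadParameter:
        return True
    return False
```

With the constructed data, `user_by_id_unsafe(con, "1 OR 1=1")` returns every row, while the validated version refuses the same input before any query runs; the pager bound is what turns the "crafted value causes a denial of service" case into a 400 response instead.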

33 Medium Vulnerabilities

DATE CVE VENDOR VULNERABILITY CVSS
2011-06-24 CVE-2011-0213 Apple Improper Restriction of Operations Within the Bounds of A Memory Buffer vulnerability in Apple mac OS X, mac OS X Server and Quicktime

Buffer overflow in QuickTime in Apple Mac OS X before 10.6.8 allows remote attackers to execute arbitrary code or cause a denial of service (application crash) via a crafted JPEG file.

6.8
2011-06-24 CVE-2011-0211 Apple Numeric Errors vulnerability in Apple mac OS X, mac OS X Server and Quicktime

Integer overflow in QuickTime in Apple Mac OS X before 10.6.8 allows remote attackers to execute arbitrary code or cause a denial of service (application crash) via a crafted movie file.

6.8
2011-06-24 CVE-2011-0210 Apple Improper Restriction of Operations Within the Bounds of A Memory Buffer vulnerability in Apple mac OS X, mac OS X Server and Quicktime

QuickTime in Apple Mac OS X before 10.6.8 allows remote attackers to execute arbitrary code or cause a denial of service (memory corruption and application crash) via crafted sample tables in a movie file.

6.8
2011-06-24 CVE-2011-0209 Apple Numeric Errors vulnerability in Apple mac OS X, mac OS X Server and Quicktime

Integer overflow in QuickTime in Apple Mac OS X before 10.6.8 allows remote attackers to execute arbitrary code or cause a denial of service (application crash) via a crafted RIFF WAV file.

6.8
2011-06-24 CVE-2011-0208 Apple Improper Restriction of Operations Within the Bounds of A Memory Buffer vulnerability in Apple mac OS X and mac OS X Server

QuickLook in Apple Mac OS X 10.6 before 10.6.8 allows remote attackers to execute arbitrary code or cause a denial of service (memory corruption and application crash) via a crafted Microsoft Office document.

6.8
2011-06-24 CVE-2011-0205 Apple Improper Restriction of Operations Within the Bounds of A Memory Buffer vulnerability in Apple Imageio, mac OS X and mac OS X Server

Heap-based buffer overflow in ImageIO in Apple Mac OS X before 10.6.8 allows remote attackers to execute arbitrary code or cause a denial of service (application crash) via a crafted JPEG2000 image.

6.8
2011-06-24 CVE-2011-0204 Apple Improper Restriction of Operations Within the Bounds of A Memory Buffer vulnerability in Apple Imageio, mac OS X and mac OS X Server

Heap-based buffer overflow in ImageIO in Apple Mac OS X before 10.6.8 allows remote attackers to execute arbitrary code or cause a denial of service (application crash) via a crafted TIFF image.

6.8
2011-06-24 CVE-2011-0202 Apple Numeric Errors vulnerability in Apple mac OS X and mac OS X Server

Integer overflow in CoreGraphics in Apple Mac OS X before 10.6.8 allows remote attackers to execute arbitrary code or cause a denial of service (application crash) via a crafted embedded Type 1 font in a PDF document.

6.8
2011-06-24 CVE-2011-0200 Apple Numeric Errors vulnerability in Apple mac OS X and mac OS X Server

Integer overflow in ColorSync in Apple Mac OS X before 10.6.8 allows remote attackers to execute arbitrary code or cause a denial of service (application crash) via an image containing a crafted embedded ColorSync profile that triggers a heap-based buffer overflow.

6.8
2011-06-24 CVE-2011-0198 Apple Improper Restriction of Operations Within the Bounds of A Memory Buffer vulnerability in Apple mac OS X and mac OS X Server

Heap-based buffer overflow in Apple Type Services (ATS) in Apple Mac OS X before 10.6.8 allows remote attackers to execute arbitrary code via a crafted embedded TrueType font.

6.8
2011-06-21 CVE-2011-1482 Phpnuke Cross-Site Request Forgery (CSRF) vulnerability in PHPnuke PHP-Nuke

Multiple cross-site request forgery (CSRF) vulnerabilities in mainfile.php in Francisco Burzi PHP-Nuke 8.0 and earlier allow remote attackers to hijack the authentication of administrators for requests that (1) add user accounts or (2) grant the administrative privilege to a user account, related to a Referer check that uses a substring comparison.

6.8
2011-06-24 CVE-2011-0212 Apple Resource Management Errors vulnerability in Apple mac OS X Server

servermgrd in Apple Mac OS X before 10.6.8 allows remote attackers to read arbitrary files, and possibly send HTTP requests to intranet servers or cause a denial of service (CPU and memory consumption), via an XML-RPC request containing an entity declaration in conjunction with an entity reference, related to an XML External Entity (aka XXE) issue.

6.4
2011-06-24 CVE-2011-0199 Apple Improper Input Validation vulnerability in Apple mac OS X and mac OS X Server

The Certificate Trust Policy component in Apple Mac OS X before 10.6.8 does not perform CRL checking for Extended Validation (EV) certificates that lack OCSP URLs, which might allow man-in-the-middle attackers to spoof an SSL server via a revoked certificate.

5.8
2011-06-22 CVE-2011-2206 Brad Fitzpatrick Resource Management Errors vulnerability in Brad Fitzpatrick Djabberd

XMLParser.pm in DJabberd before 0.85 allows remote authenticated users to read arbitrary files, and possibly send HTTP requests to intranet servers or cause a denial of service (CPU and memory consumption), via an XML external entity declaration in conjunction with an entity reference, a different vulnerability than CVE-2011-1757.

5.5
2011-06-24 CVE-2011-1409 Ulli Horlacher Improper Authentication vulnerability in Ulli Horlacher FEX 20100208

Frams's Fast File EXchange (F*EX, aka fex) 20100208, and possibly other versions before 20110610, allows remote attackers to bypass authentication and upload arbitrary files via a request that lacks an authentication ID.

5.0
2011-06-24 CVE-2011-0207 Apple Cryptographic Issues vulnerability in Apple mac OS X and mac OS X Server

The MobileMe component in Apple Mac OS X before 10.6.8 uses a cleartext HTTP session for the Mail application to read e-mail aliases, which allows remote attackers to obtain potentially sensitive alias information by sniffing the network.

5.0
2011-06-24 CVE-2011-0203 Apple Path Traversal vulnerability in Apple mac OS X Server

Absolute path traversal vulnerability in xftpd in the FTP Server component in Apple Mac OS X before 10.6.8 allows remote attackers to list arbitrary directories by using the root directory as the starting point of a recursive listing.

5.0
2011-06-22 CVE-2011-1173 Linux Information Exposure vulnerability in Linux Kernel

The econet_sendmsg function in net/econet/af_econet.c in the Linux kernel before 2.6.39 on the x86_64 platform allows remote attackers to obtain potentially sensitive information from kernel stack memory by reading uninitialized data in the ah field of an Acorn Universal Networking (AUN) packet.

5.0
2011-06-22 CVE-2011-2532 Prosody Resource Management Errors vulnerability in Prosody 0.8.0

The json.decode function in util/json.lua in Prosody 0.8.x before 0.8.1 might allow remote attackers to cause a denial of service (infinite loop) via invalid JSON data, as demonstrated by truncated data.

5.0
2011-06-22 CVE-2011-2205 Prosody Resource Management Errors vulnerability in Prosody

Prosody before 0.8.1 does not properly detect recursion during entity expansion, which allows remote attackers to cause a denial of service (memory and CPU consumption) via a crafted XML document containing a large number of nested entity references, a similar issue to CVE-2003-1564.

5.0
2011-06-21 CVE-2011-2188 Matthewwild Resource Management Errors vulnerability in Matthewwild Luaexpat 1.0/1.0.1/1.0.2

LuaExpat before 1.2.0 does not properly detect recursion during entity expansion, which allows remote attackers to cause a denial of service (memory and CPU consumption) via a crafted XML document containing a large number of nested entity references, a similar issue to CVE-2003-1564.

5.0
2011-06-21 CVE-2011-1757 Brad Fitzpatrick Resource Management Errors vulnerability in Brad Fitzpatrick Djabberd

DJabberd 0.84 and earlier does not properly detect recursion during entity expansion, which allows remote attackers to cause a denial of service (memory and CPU consumption) via a crafted XML document containing a large number of nested entity references, a similar issue to CVE-2003-1564.

5.0
2011-06-21 CVE-2011-1756 Citadel Resource Management Errors vulnerability in Citadel

modules/xmpp/serv_xmpp.c in Citadel 7.86 and earlier does not properly detect recursion during entity expansion, which allows remote attackers to cause a denial of service (memory and CPU consumption) via a crafted XML document containing a large number of nested entity references, a similar issue to CVE-2003-1564.

5.0
2011-06-21 CVE-2011-1755 Jabber Resource Management Errors vulnerability in Jabber Jabberd2

jabberd2 before 2.2.14 does not properly detect recursion during entity expansion, which allows remote attackers to cause a denial of service (memory and CPU consumption) via a crafted XML document containing a large number of nested entity references, a similar issue to CVE-2003-1564.

5.0
2011-06-21 CVE-2011-1754 Jabberd Resource Management Errors vulnerability in Jabberd Jabberd14

jabberd14 1.6.1.1 and earlier does not properly detect recursion during entity expansion, which allows remote attackers to cause a denial of service (memory and CPU consumption) via a crafted XML document containing a large number of nested entity references, a similar issue to CVE-2003-1564.

5.0
2011-06-21 CVE-2011-1753 Process ONE Resource Management Errors vulnerability in Process-One Ejabberd and Exmpp

expat_erl.c in ejabberd before 2.1.7 and 3.x before 3.0.0-alpha-3, and exmpp before 0.9.7, does not properly detect recursion during entity expansion, which allows remote attackers to cause a denial of service (memory and CPU consumption) via a crafted XML document containing a large number of nested entity references, a similar issue to CVE-2003-1564.

5.0
2011-06-21 CVE-2011-1131 Simplemachines Information Exposure vulnerability in Simplemachines SMF

The PlushSearch2 function in Search.php in Simple Machines Forum (SMF) before 1.1.13, and 2.x before 2.0 RC5, uses certain cached data in a situation where a temporary table has been created, even though this cached data is intended only for situations where a temporary table has not been created, which might allow remote attackers to obtain sensitive information via a search.

5.0
2011-06-24 CVE-2011-2484 Linux Resource Management Errors vulnerability in Linux Kernel

The add_del_listener function in kernel/taskstats.c in the Linux kernel 2.6.39.1 and earlier does not prevent multiple registrations of exit handlers, which allows local users to cause a denial of service (memory and CPU consumption), and bypass the OOM Killer, via a crafted application.

4.9
2011-06-24 CVE-2011-1132 Apple Denial of Service vulnerability in Apple Mac OS X IPV6 Socket Options (CVE-2010-1132)

The IPv6 implementation in the kernel in Apple Mac OS X before 10.6.8 allows local users to cause a denial of service (NULL pointer dereference and reboot) via vectors involving socket options.

4.9
2011-06-22 CVE-2011-2200 D BUS Project Improper Input Validation vulnerability in D-Bus Project D-Bus

The _dbus_header_byteswap function in dbus-marshal-header.c in D-Bus (aka DBus) 1.2.x before 1.2.28, 1.4.x before 1.4.12, and 1.5.x before 1.5.4 does not properly handle a non-native byte order, which allows local users to cause a denial of service (connection loss), obtain potentially sensitive information, or conduct unspecified state-modification attacks via crafted messages.

4.6
2011-06-22 CVE-2011-1330 KBS Cross-Site Scripting vulnerability in KBS Weblygo

Cross-site scripting (XSS) vulnerability in WeblyGo 5.0 Pro/LE, 5.02 Pro/LE, 5.03 Pro/LE, 5.04 Pro/LE, and 5.10 Pro/LE allows remote attackers to inject arbitrary web script or HTML via unspecified vectors.

4.3
2011-06-22 CVE-2011-2531 Prosody Resource Management Errors vulnerability in Prosody 0.8.0

Prosody 0.8.x before 0.8.1, when MySQL is used, assigns an incorrect data type to the value column in certain tables, which might allow remote attackers to cause a denial of service (data truncation) by sending a large amount of data.

4.3
2011-06-21 CVE-2011-1481 Phpnuke Cross-Site Scripting vulnerability in PHPnuke PHP-Nuke

Multiple cross-site scripting (XSS) vulnerabilities in Francisco Burzi PHP-Nuke 8.0 and earlier allow remote attackers to inject arbitrary web script or HTML via the (1) sender_name or (2) sender_email parameter in a Feedback action to modules.php.

4.3
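Nine entries in the medium table describe the same two XML parser weaknesses: external entity resolution (CVE-2011-0212 in servermgrd and CVE-2011-2206 in DJabberd, the XXE file reads) and unbounded entity expansion (CVE-2011-2205, CVE-2011-2188, CVE-2011-1757, CVE-2011-1756, CVE-2011-1755, CVE-2011-1754 and CVE-2011-1753, the nested-entity denial of service similar to CVE-2003-1564). The following added example, written for this report and not code from any of those projects, shows one way to refuse both classes at the parser using Python's bundled expat. The limits and the sample documents are constructed.

```python
"""An expat-based XML checker that refuses external entities and bounds
entity expansion before a document reaches the application.

Added example, not code from servermgrd, DJabberd or the XMPP servers listed.
"""
import xml.parsers.expat as expat

MAX_ENTITY_DECLS = 16            # assumed: far more than a chat protocol needs
MAX_EXPANDED_CHARS = 64 * 1024   # assumed: cap on text produced by expansion


class UnsafeXML(ValueError):
    """Raised when a document declares external entities, declares too many
    entities, expands to too much text, or is not well formed."""


def check_xml(data: bytes) -> dict:
    """Parse data and return simple statistics, or raise UnsafeXML."""
    parser = expat.ParserCreate()
    stats = {"entities": 0, "elements": 0, "chars": 0}

    def entity_decl(name, is_param, value, base, system_id, public_id, notation):
        # Fires for every <!ENTITY ...> as it is read, before any reference.
        stats["entities"] += 1
        if system_id is not None or public_id is not None:
            raise UnsafeXML(f"external entity {name!r} -> {system_id!r}")
        if stats["entities"] > MAX_ENTITY_DECLS:
            raise UnsafeXML("too many entity declarations")

    def external_ref(context, base, system_id, public_id):
        # Reached only if an external entity is referenced; never fetch it.
        raise UnsafeXML(f"external entity reference {system_id!r}")

    def start_element(name, attrs):
        stats["elements"] += 1

    def character_data(text):
        # Expanded entity text arrives here; this is where the blow-up shows.
        stats["chars"] += len(text)
        if stats["chars"] > MAX_EXPANDED_CHARS:
            raise UnsafeXML(f"text exceeds {MAX_EXPANDED_CHARS} chars after expansion")

    parser.EntityDeclHandler = entity_decl
    parser.ExternalEntityRefHandler = external_ref
    parser.StartElementHandler = start_element
    parser.CharacterDataHandler = character_data
    try:
        parser.Parse(data, True)
    except expat.ExpatError as exc:
        raise UnsafeXML(f"not well formed: {exc}") from exc
    return stats


def rejected(data: bytes) -> bool:
    """True if check_xml refuses data."""
    try:
        check_xml(data)
    except UnsafeXML:
        return True
    return False


# Constructed samples.
BENIGN = b'<message to="a@example.com"><body>hello</body></message>'

# Five levels of ten references each: about 400 bytes in, 100,000 chars out.
NESTED_ENTITIES = b"""<?xml version="1.0"?>
<!DOCTYPE x [
 <!ENTITY a "aaaaaaaaaa">
 <!ENTITY b "&a;&a;&a;&a;&a;&a;&a;&a;&a;&a;">
 <!ENTITY c "&b;&b;&b;&b;&b;&b;&b;&b;&b;&b;">
 <!ENTITY d "&c;&c;&c;&c;&c;&c;&c;&c;&c;&c;">
 <!ENTITY e "&d;&d;&d;&d;&d;&d;&d;&d;&d;&d;">
]>
<x>&e;</x>"""

XXE = b"""<?xml version="1.0"?>
<!DOCTYPE x [ <!ENTITY xxe SYSTEM "file:///etc/passwd"> ]>
<x>&xxe;</x>"""
```

The expansion limit is measured on parser output, not input size, which is the quantity that actually grows; an input-size limit alone would pass the nested-entity document. For a protocol such as XMPP, which never needs a DTD at all, a stricter policy is to reject any document that declares entities.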
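The CVE-2011-1482 entry above attributes the PHP-Nuke CSRF to "a Referer check that uses a substring comparison". The following added example, written for this report and not PHP-Nuke code, shows which attacker-controlled Referer values pass such a check and fail an exact host comparison, and adds the per-session token that is the standard control the entry does not spell out. The site host and the URLs are constructed.

```python
"""Why a substring Referer check is not an origin check, and what to use instead.

Added example, not PHP-Nuke code. SITE_HOST and the sample URLs are constructed.
"""
import hmac
import secrets
from typing import Dict, Optional, Tuple
from urllib.parse import urlsplit

SITE_HOST = "forum.example.com"   # assumed host of the protected admin pages


def referer_ok_substring(referer: Optional[str]) -> bool:
    """The weak pattern: 'our host name appears somewhere in the Referer'."""
    return referer is not None and SITE_HOST in referer


def referer_ok_strict(referer: Optional[str]) -> bool:
    """Parse the URL and compare the host component exactly, over https only
    (assumption: the admin pages are served on https alone)."""
    if not referer:
        return False   # absent header: fail closed for state-changing requests
    parts = urlsplit(referer)
    return parts.scheme == "https" and parts.hostname == SITE_HOST


def new_csrf_token() -> str:
    """Per-session secret to embed in every state-changing form."""
    return secrets.token_urlsafe(32)


def csrf_token_ok(session_token: str, submitted: Optional[str]) -> bool:
    """Constant-time comparison; the token is the control, the Referer check
    is only defence in depth."""
    if not submitted:
        return False
    return hmac.compare_digest(session_token.encode(), submitted.encode())


# Constructed Referer values and whether a correct check should accept them.
CASES: Dict[Optional[str], bool] = {
    "https://forum.example.com/admin.php": True,
    "https://forum.example.com.attacker.net/csrf.html": False,  # our host as a subdomain label
    "https://attacker.net/?forum.example.com": False,           # our host in the query string
    "https://forum.example.com@attacker.net/": False,           # our host as userinfo
    "http://forum.example.com/admin.php": False,                # downgraded scheme
    None: False,                                                # header suppressed
}


def compare_checks() -> Dict[Optional[str], Tuple[bool, bool]]:
    """Cases where the substring check and the strict check disagree,
    mapped to (substring_result, strict_result)."""
    return {
        ref: (referer_ok_substring(ref), referer_ok_strict(ref))
        for ref in CASES
        if referer_ok_substring(ref) != referer_ok_strict(ref)
    }
```

The disagreement set is exactly the set of forged origins: a page on any host the attacker controls can carry the target host name in a subdomain label, the query string, or the userinfo part and still satisfy a substring test.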

7 Low Vulnerabilities

DATE CVE VENDOR VULNERABILITY CVSS
2011-06-21 CVE-2011-1129 Simplemachines Cross-Site Scripting vulnerability in Simplemachines SMF

Cross-site scripting (XSS) vulnerability in the EditNews function in ManageNews.php in Simple Machines Forum (SMF) before 1.1.13, and 2.x before 2.0 RC5, might allow remote authenticated users to inject arbitrary web script or HTML via a save_items action.

3.5
2011-06-24 CVE-2009-5044 Apple, GNU Link Following vulnerability in multiple products

contrib/pdfmark/pdfroff.sh in GNU troff (aka groff) before 1.21 allows local users to overwrite arbitrary files via a symlink attack on a pdf#####.tmp temporary file.

3.3
2011-06-22 CVE-2011-2533 Freedesktop Link Following vulnerability in Freedesktop Dbus

The configure script in D-Bus (aka DBus) 1.2.x before 1.2.28 allows local users to overwrite arbitrary files via a symlink attack on an unspecified file in /tmp/.

3.3
2011-06-24 CVE-2011-0197 Apple Information Exposure vulnerability in Apple mac OS X and mac OS X Server

App Store in Apple Mac OS X before 10.6.8 creates a log entry containing a user's AppleID password, which might allow local users to obtain sensitive information by reading a log file, as demonstrated by a log file that has non-default permissions.

2.1
2011-06-22 CVE-2011-1172 Linux Information Exposure vulnerability in Linux Kernel

net/ipv6/netfilter/ip6_tables.c in the IPv6 implementation in the Linux kernel before 2.6.39 does not place the expected '\0' character at the end of string data in the values of certain structure members, which allows local users to obtain potentially sensitive information from kernel memory by leveraging the CAP_NET_ADMIN capability to issue a crafted request, and then reading the argument to the resulting modprobe process.

2.1
2011-06-22 CVE-2011-1171 Linux Information Exposure vulnerability in Linux Kernel

net/ipv4/netfilter/ip_tables.c in the IPv4 implementation in the Linux kernel before 2.6.39 does not place the expected '\0' character at the end of string data in the values of certain structure members, which allows local users to obtain potentially sensitive information from kernel memory by leveraging the CAP_NET_ADMIN capability to issue a crafted request, and then reading the argument to the resulting modprobe process.

2.1
2011-06-22 CVE-2011-1170 Linux Information Exposure vulnerability in Linux Kernel

net/ipv4/netfilter/arp_tables.c in the IPv4 implementation in the Linux kernel before 2.6.39 does not place the expected '\0' character at the end of string data in the values of certain structure members, which allows local users to obtain potentially sensitive information from kernel memory by leveraging the CAP_NET_ADMIN capability to issue a crafted request, and then reading the argument to the resulting modprobe process.

2.1
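The CVE-2009-5044 (groff pdfroff.sh, pdf#####.tmp) and CVE-2011-2533 (D-Bus configure script, /tmp) entries above are the same bug: a temporary file with a guessable name is opened for writing, and a local attacker who plants a symbolic link at that name first redirects the write onto any file the victim can modify. The following added example, written for this report and not groff or D-Bus code, reproduces the attack inside a scratch directory and shows the open flags and library call that defeat it. File names are constructed stand-ins; it needs a POSIX system because it creates a symlink.

```python
"""A symlink attack on a predictable temporary file name, and the open flags
that defeat it.

Added example, not groff or D-Bus code. Everything happens inside a scratch
directory created for the demo.
"""
import os
import tempfile


def write_naive(path: str, data: str) -> None:
    """The vulnerable pattern: open() follows whatever is already at path."""
    with open(path, "w") as fh:
        fh.write(data)


def write_exclusive(path: str, data: str) -> None:
    """Create the file atomically; fail if anything (including a symlink,
    dangling or not) already exists at path. O_EXCL alone refuses to follow
    a symlink; O_NOFOLLOW is added where the platform has it."""
    flags = os.O_WRONLY | os.O_CREAT | os.O_EXCL | getattr(os, "O_NOFOLLOW", 0)
    fd = os.open(path, flags, 0o600)
    with os.fdopen(fd, "w") as fh:
        fh.write(data)


def demo() -> dict:
    """Run the attack against both writers and return what happened."""
    with tempfile.TemporaryDirectory() as scratch:
        victim = os.path.join(scratch, "victim.conf")        # file the attacker wants clobbered
        with open(victim, "w") as fh:
            fh.write("original\n")
        predictable = os.path.join(scratch, "pdf12345.tmp")  # guessable temp name
        os.symlink(victim, predictable)                      # attacker plants the link first

        write_naive(predictable, "attacker controlled\n")
        with open(victim) as fh:
            after_naive = fh.read()

        try:
            write_exclusive(predictable, "should not land anywhere\n")
            exclusive_blocked = False
        except FileExistsError:
            exclusive_blocked = True
        with open(victim) as fh:
            after_exclusive = fh.read()

        # The right tool: an unpredictable name created with O_EXCL by the library.
        fd, safe_path = tempfile.mkstemp(dir=scratch, prefix="pdf", suffix=".tmp")
        with os.fdopen(fd, "w") as fh:
            fh.write("private\n")
        return {
            "victim_after_naive": after_naive,
            "exclusive_blocked": exclusive_blocked,
            "victim_after_exclusive": after_exclusive,
            "safe_name_is_predictable": os.path.basename(safe_path) == "pdf12345.tmp",
            "safe_mode": oct(os.stat(safe_path).st_mode & 0o777),
        }
```

The naive writer overwrites the victim file through the link; the exclusive writer fails with EEXIST and the victim is untouched. In shell scripts, the equivalent of the last step is `mktemp` rather than `$$`-based or fixed names.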