Weekly Vulnerabilities Reports > July 25 to 31, 2011

Overview

51 new vulnerabilities were reported during this period, including 9 critical vulnerabilities and 8 high severity vulnerabilities. This weekly summary reports vulnerabilities in 49 products from 29 vendors including Joomla, IBM, Redhat, Linux, and Cisco. Vulnerabilities are notably categorized as "Improper Restriction of Operations within the Bounds of a Memory Buffer", "Cross-site Scripting", "Resource Management Errors", "Permissions, Privileges, and Access Controls", and "Information Exposure".

  • 43 reported vulnerabilities are remotely exploitable.
  • 2 reported vulnerabilities have a public exploit available.
  • 11 reported vulnerabilities are related to weaknesses in OWASP Top Ten.
  • 49 reported vulnerabilities are exploitable by an anonymous user.
  • Joomla has the most reported vulnerabilities, with 7 reported vulnerabilities.
  • Sunwayland has the most reported critical vulnerabilities, with 2 reported vulnerabilities.

[Summary counters: total vulnerabilities; critical, high, medium and low risk vulnerabilities; remotely exploitable; locally exploitable; exploit available; exploitable anonymously; affecting web application]

Vulnerability Details

The following table lists the reported vulnerabilities for the period covered by this report:


9 Critical Vulnerabilities

DATE | CVE | VENDOR | VULNERABILITY | CVSS

2011-07-29 | CVE-2011-2963 | Progea | Improper Authentication vulnerability in Progea Movicon 11.2 | 10.0
TCPUploadServer.exe in Progea Movicon 11.2 before Build 1084 does not require authentication for critical functions, which allows remote attackers to obtain sensitive information, delete files, execute arbitrary programs, or cause a denial of service (crash) via a crafted packet to TCP port 10651.

2011-07-29 | CVE-2011-2961 | Sunwayland | Improper Restriction of Operations Within the Bounds of A Memory Buffer vulnerability in Sunwayland Pnetpower | 10.0
Heap-based buffer overflow in AngelServer.exe 6.0.11.3 in Sunway pNetPower allows remote attackers to cause a denial of service (crash) and possibly execute arbitrary code via a crafted UDP packet.

2011-07-29 | CVE-2011-2960 | Sunwayland | Buffer Errors vulnerability in Sunwayland Forcecontrol 6.1 | 10.0
Heap-based buffer overflow in httpsvr.exe 6.0.5.3 in Sunway ForceControl 6.1 SP1, SP2, and SP3 allows remote attackers to cause a denial of service (crash) and possibly execute arbitrary code via a crafted URL.

2011-07-29 | CVE-2011-2959 | 7T | Improper Restriction of Operations Within the Bounds of A Memory Buffer vulnerability in 7T Igss | 10.0
Stack-based buffer overflow in the Open Database Connectivity (ODBC) service (Odbcixv9se.exe) in 7-Technologies Interactive Graphical SCADA System (IGSS) 9 and earlier allows remote attackers to cause a denial of service (crash) and possibly execute arbitrary code via a crafted packet to TCP port 22202.

2011-07-28 | CVE-2011-2667 | Broadcom, CA | Improper Restriction of Operations Within the Bounds of A Memory Buffer vulnerability in multiple products | 10.0
Icihttp.exe in CA Gateway Security for HTTP, as used in CA Gateway Security 8.1 before 8.1.0.69 and CA Total Defense r12, does not properly parse URLs, which allows remote attackers to execute arbitrary code or cause a denial of service (heap memory corruption and daemon crash) via a malformed request.

2011-07-27 | CVE-2011-2884 | IBM | Denial of Service vulnerability and Unspecified vulnerability in IBM Lotus Symphony 3.0.0/3.0.0.1/3.0.0.2 | 10.0
Multiple unspecified vulnerabilities in IBM Lotus Symphony 3 before FP3 have unknown impact and attack vectors, related to "critical security vulnerability issues."

2011-07-29 | CVE-2011-2962 | Invensys | Buffer Errors vulnerability in Invensys Wonderware Information Server 3.1/4.0 | 9.3
Multiple stack-based buffer overflows in Invensys Wonderware Information Server 3.1, 4.0, and 4.0 SP1 allow remote attackers to cause a denial of service (crash) and possibly execute arbitrary code via two unspecified ActiveX controls.

2011-07-28 | CVE-2011-2747 | Google | Code Injection vulnerability in Google Picasa | 9.3
Google Picasa before 3.6 Build 105.67 does not properly handle invalid properties in JPEG images, which allows remote attackers to execute arbitrary code via a crafted image file.

2011-07-28 | CVE-2011-2547 | Cisco | Permissions, Privileges, and Access Controls vulnerability in Cisco products | 9.0
The web-based management interface on Cisco SA 500 series security appliances with software before 2.1.19 allows remote authenticated users to execute arbitrary commands via crafted parameters to web forms, aka Bug ID CSCtq65681.

8 High Vulnerabilities

DATE | CVE | VENDOR | VULNERABILITY | CVSS

2011-07-29 | CVE-2011-2401 | HP | Session Fixation vulnerability in HP SiteScope | 8.3
Session fixation vulnerability in HP SiteScope 9.x, 10.x, and 11.x allows remote attackers to hijack web sessions via unspecified vectors.

2011-07-28 | CVE-2011-2549 | Cisco | Denial of Service vulnerability in Cisco ASR 9006 Router, ASR 9010 Router and IOS XR | 7.8
Unspecified vulnerability in Cisco IOS XR 4.1.x before 4.1.1 on Cisco Aggregation Services Routers (ASR) 9000 series devices allows remote attackers to cause a denial of service (line-card reload) via an IPv4 packet, aka Bug ID CSCtr26695.

2011-07-28 | CVE-2011-2956 | Azeotech | Improper Authentication vulnerability in Azeotech Daqfactory | 7.8
AzeoTech DAQFactory before 5.85 (Build 1842) does not perform authentication for certain signals, which allows remote attackers to cause a denial of service (system reboot or shutdown) via a signal.

2011-07-28 | CVE-2011-2688 | MOD Authnz External Project, Debian | SQL Injection vulnerability in multiple products | 7.5
SQL injection vulnerability in mysql/mysql-auth.pl in the mod_authnz_external module 3.2.5 and earlier for the Apache HTTP Server allows remote attackers to execute arbitrary SQL commands via the user field.

2011-07-27 | CVE-2011-2687 | Drupal | Permissions, Privileges, and Access Controls vulnerability in Drupal 7.0/7.1/7.2 | 7.5
Drupal 7.x before 7.3 allows remote attackers to bypass intended node_access restrictions via vectors related to a listing that shows nodes but lacks a JOIN clause for the node table.

2011-07-27 | CVE-2011-1782 | Gimp | Buffer Errors vulnerability in Gimp 2.6.11 | 7.5
Heap-based buffer overflow in the read_channel_data function in file-psp.c in the Paint Shop Pro (PSP) plugin in GIMP 2.6.11 allows remote attackers to cause a denial of service (application crash) or possibly execute arbitrary code via a PSP_COMP_RLE (aka RLE compression) image file that begins a long run count at the end of the image.

2011-07-27 | CVE-2011-2490 | NRL | Improper Input Validation vulnerability in NRL Opie | 7.2
opielogin.c in opielogin in OPIE 2.4.1-test1 and earlier does not check the return value of the setuid system call, which allows local users to gain privileges by arranging for an account to already be running its maximum number of processes.

2011-07-27 | CVE-2011-2489 | NRL | Numeric Errors vulnerability in NRL Opie | 7.2
Multiple off-by-one errors in opiesu.c in opiesu in OPIE 2.4.1-test1 and earlier might allow local users to gain privileges via a crafted command line.

32 Medium Vulnerabilities

DATE | CVE | VENDOR | VULNERABILITY | CVSS

2011-07-28 | CVE-2011-2957 | Rockwellautomation | Remote Code Execution vulnerability in Rockwellautomation Factorytalk Diagnostics Viewer 2.10/2.10.01 | 6.9
Unspecified vulnerability in Rockwell Automation FactoryTalk Diagnostics Viewer before V2.30.00 (CPR9 SR3) allows local users to execute arbitrary code via a crafted FactoryTalk Diagnostics Viewer (.ftd) configuration file, which triggers memory corruption.

2011-07-29 | CVE-2011-2964 | Linuxfoundation | Code Injection vulnerability in Linuxfoundation Foomatic 4.0.6 | 6.8
foomaticrip.c in foomatic-rip in foomatic-filters in Foomatic 4.0.6 allows remote attackers to execute arbitrary code via a crafted *FoomaticRIPCommandLine field in a .ppd file, a different vulnerability than CVE-2011-2697.

2011-07-29 | CVE-2011-2697 | HP | Improper Input Validation vulnerability in HP Linux Imaging and Printing Project 3.11.5 | 6.8
foomatic-rip-hplip in HP Linux Imaging and Printing (HPLIP) 3.11.5 allows remote attackers to execute arbitrary code via a crafted *FoomaticRIPCommandLine field in a .ppd file.

2011-07-29 | CVE-2011-2522 | Samba | Cross-Site Request Forgery (CSRF) vulnerability in Samba | 6.8
Multiple cross-site request forgery (CSRF) vulnerabilities in the Samba Web Administration Tool (SWAT) in Samba 3.x before 3.5.10 allow remote attackers to hijack the authentication of administrators for requests that (1) shut down daemons, (2) start daemons, (3) add shares, (4) remove shares, (5) add printers, (6) remove printers, (7) add user accounts, or (8) remove user accounts, as demonstrated by certain start, stop, and restart parameters to the status program.

2011-07-27 | CVE-2011-2696 | Mega Nerd | Improper Restriction of Operations Within the Bounds of A Memory Buffer vulnerability in Mega-Nerd Libsndfile | 6.8
Integer overflow in libsndfile before 1.0.25 allows remote attackers to cause a denial of service (application crash) or possibly execute arbitrary code via a crafted PARIS Audio Format (PAF) file that triggers a heap-based buffer overflow.

2011-07-27 | CVE-2011-2588 | Videolan | Improper Restriction of Operations Within the Bounds of A Memory Buffer vulnerability in Videolan VLC Media Player | 6.8
Heap-based buffer overflow in the AVI_ChunkRead_strf function in libavi.c in the AVI demuxer in VideoLAN VLC media player before 1.1.11 allows remote attackers to cause a denial of service (application crash) or possibly execute arbitrary code via a crafted AVI media file.

2011-07-27 | CVE-2011-2587 | Videolan | Improper Restriction of Operations Within the Bounds of A Memory Buffer vulnerability in Videolan VLC Media Player | 6.8
Heap-based buffer overflow in the DemuxAudioSipr function in real.c in the RealMedia demuxer in VideoLAN VLC media player 1.1.x before 1.1.11 allows remote attackers to cause a denial of service (application crash) or possibly execute arbitrary code via a crafted Real Media file.

2011-07-27 | CVE-2011-2196 | Redhat | Permissions, Privileges, and Access Controls vulnerability in Redhat products | 6.8
jboss-seam.jar in the JBoss Seam 2 framework 2.2.x and earlier, as distributed in Red Hat JBoss Enterprise SOA Platform 4.3.0.CP05 and 5.1.0; JBoss Enterprise Application Platform (aka JBoss EAP or JBEAP) 4.3.0, 4.3.0.CP09, and 5.1.1; and JBoss Enterprise Web Platform 5.1.1, does not properly restrict use of Expression Language (EL) statements in FacesMessages during page exception handling, which allows remote attackers to execute arbitrary Java code via a crafted URL to an application.

2011-07-27 | CVE-2009-4139 | Redhat | Cross-Site Request Forgery (CSRF) vulnerability in Redhat Network Satellite Server and Spacewalk-Java | 6.8
Cross-site request forgery (CSRF) vulnerability in the Spacewalk Java site packages (aka spacewalk-java) 1.2.39 in Spacewalk, as used in the server in Red Hat Network Satellite 5.3.0 through 5.4.1 and other products, allows remote attackers to hijack the authentication of arbitrary users for requests that (1) disable the current user account, (2) add user accounts, or (3) modify user accounts to have administrator privileges.

2011-07-27 | CVE-2011-1484 | Redhat | Permissions, Privileges, and Access Controls vulnerability in Redhat products | 6.8
jboss-seam.jar in the JBoss Seam 2 framework 2.2.x and earlier, as distributed in Red Hat JBoss Enterprise SOA Platform 4.3.0.CP04 and 5.1.0 and JBoss Enterprise Application Platform (aka JBoss EAP or JBEAP) 4.3.0.CP09 and 5.1.0, does not properly restrict use of Expression Language (EL) statements in FacesMessages during page exception handling, which allows remote attackers to execute arbitrary Java code via a crafted URL to an application.

2011-07-27 | CVE-2011-2745 | Chyrp | Permissions, Privileges, and Access Controls vulnerability in Chyrp 2.0 | 6.5
upload_handler.php in the swfupload extension in Chyrp 2.0 and earlier relies on client-side JavaScript code to restrict the file extensions of uploaded files, which allows remote authenticated users to upload a .php file, and consequently execute arbitrary PHP code, via a write_post action to the default URI under admin/.

2011-07-27 | CVE-2011-2467 | Likewise | SQL Injection vulnerability in Likewise Open 5.4/6.0/6.1 | 5.8
SQL injection vulnerability in lsassd in Lsass in the Likewise Security Authority in Likewise Open 5.4 through 6.1, and Likewise Enterprise 6.0, allows local users to execute arbitrary SQL commands via unspecified vectors.

2011-07-28 | CVE-2011-2546 | Cisco | SQL Injection vulnerability in Cisco products | 5.0
SQL injection vulnerability in the web-based management interface on Cisco SA 500 series security appliances with software before 2.1.19 allows remote attackers to execute arbitrary SQL commands via unspecified vectors, aka Bug ID CSCtq65669.

2011-07-27 | CVE-2011-2891 | Joomla | Information Exposure vulnerability in Joomla Joomla! 1.6/1.6.0/1.6.1 | 5.0
Joomla! 1.6.x before 1.6.2 allows remote attackers to obtain sensitive information via an empty Itemid array parameter to index.php, which reveals the installation path in an error message, a different vulnerability than CVE-2011-2488.

2011-07-27 | CVE-2011-2890 | Joomla | Information Exposure vulnerability in Joomla Joomla! | 5.0
The MediaViewMedia class in administrator/components/com_media/views/media/view.html.php in Joomla! 1.5.23 and earlier allows remote attackers to obtain sensitive information via vectors involving the base variable, leading to disclosure of the installation path, a different vulnerability than CVE-2011-2488.

2011-07-27 | CVE-2011-2889 | Joomla | Information Exposure vulnerability in Joomla Joomla! | 5.0
templates/system/error.php in Joomla! before 1.5.23 might allow remote attackers to obtain sensitive information via unspecified vectors that trigger an undefined value of a certain error field, leading to disclosure of the installation path.

2011-07-27 | CVE-2011-2488 | Joomla | Information Exposure vulnerability in Joomla Joomla! | 5.0
Joomla! before 1.5.23 does not properly check for errors, which allows remote attackers to obtain sensitive information via unspecified vectors.

2011-07-28 | CVE-2011-2695 | Linux | Off-By-One Error vulnerability in Linux Kernel | 4.9
Multiple off-by-one errors in the ext4 subsystem in the Linux kernel before 3.0-rc5 allow local users to cause a denial of service (BUG_ON and system crash) by accessing a sparse file in extent format with a write operation involving a block number corresponding to the largest possible 32-bit unsigned integer.

2011-07-28 | CVE-2011-2689 | Linux, Redhat | Resource Exhaustion vulnerability in Linux Kernel | 4.9
The gfs2_fallocate function in fs/gfs2/file.c in the Linux kernel before 3.0-rc1 does not ensure that the size of a chunk allocation is a multiple of the block size, which allows local users to cause a denial of service (BUG and system crash) by arranging for all resource groups to have too little free space.

2011-07-27 | CVE-2011-2185 | Fabfile | Link Following vulnerability in Fabfile Fabric | 4.4
Fabric before 1.1.0 allows local users to overwrite arbitrary files via a symlink attack on (1) a /tmp/fab.*.tar file or (2) certain other files in the top level of /tmp/.

2011-07-29 | CVE-2011-2400 | HP | Cross-Site Scripting vulnerability in HP Sitescope | 4.3
Cross-site scripting (XSS) vulnerability in HP SiteScope 9.x, 10.x, and 11.x allows remote attackers to inject arbitrary web script or HTML via unspecified vectors.

2011-07-28 | CVE-2011-2958 | Ecava | Cross-Site Scripting vulnerability in Ecava Integraxor | 4.3
Multiple cross-site scripting (XSS) vulnerabilities in Ecava IntegraXor before 3.60 (Build 4080) allow remote attackers to inject arbitrary web script or HTML via unspecified vectors.

2011-07-28 | CVE-2011-1339 | Google | Cross-Site Scripting vulnerability in Google Search Appliance | 4.3
Cross-site scripting (XSS) vulnerability in Google Search Appliance before 5.0 allows remote attackers to inject arbitrary web script or HTML via unspecified vectors.

2011-07-27 | CVE-2011-2893 | IBM | Resource Management Errors vulnerability in IBM Lotus Symphony 3.0.0/3.0.0.1/3.0.0.2 | 4.3
The DataPilot feature in IBM Lotus Symphony 3 before FP3 allows user-assisted remote attackers to cause a denial of service (application crash) via a large .xls spreadsheet with an invalid Value reference.

2011-07-27 | CVE-2011-2892 | Joomla | Improper Input Validation vulnerability in Joomla Joomla! 1.6/1.6.0/1.6.1 | 4.3
Joomla! 1.6.x before 1.6.2 does not prevent page rendering inside a frame in a third-party HTML document, which makes it easier for remote attackers to conduct clickjacking attacks via a crafted web site.

2011-07-27 | CVE-2011-2888 | IBM | Resource Management Errors vulnerability in IBM Lotus Symphony 3.0.0/3.0.0.1/3.0.0.2 | 4.3
IBM Lotus Symphony 3 before FP3 allows remote attackers to cause a denial of service (application hang) via complex graphics in a presentation.

2011-07-27 | CVE-2011-2887 | IBM, Linux | Resource Management Errors vulnerability in IBM Lotus Symphony 3.0.0/3.0.0.1/3.0.0.2 | 4.3
IBM Lotus Symphony 3 before FP3 on Linux allows remote attackers to cause a denial of service (application crash) via a certain sample document.

2011-07-27 | CVE-2011-2886 | IBM | Resource Management Errors vulnerability in IBM Lotus Symphony 3.0.0/3.0.0.1/3.0.0.2 | 4.3
IBM Lotus Symphony 3 before FP3 allows remote attackers to cause a denial of service (application crash) via a .docx document with empty bullet styles for parent bullets.

2011-07-27 | CVE-2011-2885 | IBM | Resource Management Errors vulnerability in IBM Lotus Symphony 3.0.0/3.0.0.1/3.0.0.2 | 4.3
IBM Lotus Symphony 3 before FP3 allows remote attackers to cause a denial of service (application crash) via the sample .doc document that incorporates a user-defined toolbar.

2011-07-27 | CVE-2011-2710 | Joomla | Cross-Site Scripting vulnerability in Joomla Joomla! | 4.3
Multiple cross-site scripting (XSS) vulnerabilities in Joomla! before 1.7.0 allow remote attackers to inject arbitrary web script or HTML via (1) the URI to includes/application.php, reachable through index.php; and, when Internet Explorer or Konqueror is used, (2) allow remote attackers to inject arbitrary web script or HTML via the searchword parameter in a search action to index.php in the com_search component.

2011-07-27 | CVE-2011-2509 | Joomla | Cross-Site Scripting vulnerability in Joomla Joomla! | 4.3
Multiple cross-site scripting (XSS) vulnerabilities in Joomla! before 1.6.4 allow remote attackers to inject arbitrary web script or HTML via (1) the query string to the com_contact component, as demonstrated by the Itemid parameter to index.php; (2) the query string to the com_content component, as demonstrated by the filter_order parameter to index.php; (3) the query string to the com_newsfeeds component, as demonstrated by an arbitrary parameter to index.php; or (4) the option parameter in a reset.request action to index.php; and, when Internet Explorer or Konqueror is used, (5) allow remote attackers to inject arbitrary web script or HTML via the searchword parameter in a search action to index.php in the com_search component.

2011-07-27 | CVE-2011-1829 | Debian, Canonical | Improper Input Validation vulnerability in multiple products | 4.3
APT before 0.8.15.2 does not properly validate inline GPG signatures, which allows man-in-the-middle attackers to install modified packages via vectors involving lack of an initial clearsigned message.

2 Low Vulnerabilities

DATE | CVE | VENDOR | VULNERABILITY | CVSS

2011-07-29 | CVE-2011-2694 | Samba | Cross-Site Scripting vulnerability in Samba | 2.6
Cross-site scripting (XSS) vulnerability in the chg_passwd function in web/swat.c in the Samba Web Administration Tool (SWAT) in Samba 3.x before 3.5.10 allows remote authenticated administrators to inject arbitrary web script or HTML via the username parameter to the passwd program (aka the user field to the Change Password page).

2011-07-28 | CVE-2011-2492 | Linux, Redhat | Information Exposure vulnerability in Linux Kernel | 1.9
The bluetooth subsystem in the Linux kernel before 3.0-rc4 does not properly initialize certain data structures, which allows local users to obtain potentially sensitive information from kernel memory via a crafted getsockopt system call, related to (1) the l2cap_sock_getsockopt_old function in net/bluetooth/l2cap_sock.c and (2) the rfcomm_sock_getsockopt_old function in net/bluetooth/rfcomm/sock.c.