Weekly Vulnerabilities Reports > August 1 to 7, 2011

Overview

64 new vulnerabilities were reported during this period, including 10 critical and 5 high-severity vulnerabilities. This weekly summary reports vulnerabilities in 38 products from 26 vendors, including Google, Apple, Microsoft, phpMyAdmin, and Debian. The most common weakness categories are "Improper Input Validation", "Improper Restriction of Operations within the Bounds of a Memory Buffer", "Use After Free", "Cross-site Scripting", and "Information Exposure".

  • 63 reported vulnerabilities are remotely exploitable.
  • 12 reported vulnerabilities are related to weaknesses in the OWASP Top Ten.
  • 61 reported vulnerabilities are exploitable by an anonymous user.
  • Google has the most reported vulnerabilities, with 30.
  • Apple has the most reported critical vulnerabilities, with 8.

Summary counts (values not preserved in this extract): total vulnerabilities; critical risk; high risk; medium risk; low risk; remotely exploitable; locally exploitable; exploit available; exploitable anonymously; affecting web application.

Vulnerability Details

The following tables list the reported vulnerabilities for the period covered by this report, grouped by severity:

10 Critical Vulnerabilities

DATE | CVE | VENDOR | VULNERABILITY | CVSS

2011-08-04 | CVE-2011-2764 | Ioquake3, Openarena, Smokin Guns, Tremulous, Urbanterror, Worldofpadman | Improper Input Validation vulnerability in multiple products | 10.0

The FS_CheckFilenameIsNotExecutable function in qcommon/files.c in the ioQuake3 engine 1.36 and earlier, as used in World of Padman, Smokin' Guns, OpenArena, Tremulous, and ioUrbanTerror, does not properly determine dangerous file extensions, which allows remote attackers to execute arbitrary code via a crafted third-party addon that creates a Trojan horse DLL file.

2011-08-05 | CVE-2011-2591 | Provideo | Buffer Errors vulnerability in Provideo products | 9.3

Multiple buffer overflows in the Provideo ActiveX controls allow remote attackers to execute arbitrary code via crafted input fields, as demonstrated by (1) a long strIp argument to the voice method in 2way.dll in the alarm 1.0.3.1 ActiveX control, (2) a network response to AXPlayer.ocx in the GMAXPlayer 2.0.8.2 ActiveX control, the (3) UserName or (4) Password parameter to AXPlayer.ocx in the GMAXPlayer 2.0.8.2 ActiveX control, (5) a long Id parameter to the GetString method in PAxPlayer.ocx in the PAxPlayer 3.0.0.9 ActiveX control, or (6) a long strAdr parameter to the ConnectIPCam method in PAxPlayer.ocx in the PAxPlayer 3.0.0.9 ActiveX control.

2011-08-04 | CVE-2011-0252 | Apple | Improper Restriction of Operations Within the Bounds of a Memory Buffer vulnerability in Apple QuickTime | 9.3

Heap-based buffer overflow in Apple QuickTime before 7.7 allows remote attackers to execute arbitrary code or cause a denial of service (application crash) via crafted STTS atoms in a QuickTime movie file.

2011-08-04 | CVE-2011-0251 | Apple, Microsoft | Improper Restriction of Operations Within the Bounds of a Memory Buffer vulnerability in Apple QuickTime | 9.3

Heap-based buffer overflow in Apple QuickTime before 7.7 allows remote attackers to execute arbitrary code or cause a denial of service (application crash) via crafted STSZ atoms in a QuickTime movie file.

2011-08-04 | CVE-2011-0250 | Apple, Microsoft | Improper Restriction of Operations Within the Bounds of a Memory Buffer vulnerability in Apple QuickTime | 9.3

Heap-based buffer overflow in Apple QuickTime before 7.7 allows remote attackers to execute arbitrary code or cause a denial of service (application crash) via crafted STSS atoms in a QuickTime movie file.

2011-08-04 | CVE-2011-0249 | Apple, Microsoft | Improper Restriction of Operations Within the Bounds of a Memory Buffer vulnerability in Apple QuickTime | 9.3

Heap-based buffer overflow in Apple QuickTime before 7.7 allows remote attackers to execute arbitrary code or cause a denial of service (application crash) via crafted STSC atoms in a QuickTime movie file.

2011-08-04 | CVE-2011-0248 | Apple, Microsoft | Improper Restriction of Operations Within the Bounds of a Memory Buffer vulnerability in Apple QuickTime | 9.3

Stack-based buffer overflow in the QuickTime ActiveX control in Apple QuickTime before 7.7 on Windows, when Internet Explorer is used, allows remote attackers to execute arbitrary code or cause a denial of service (application crash) via a crafted QTL file.

2011-08-04 | CVE-2011-0247 | Apple, Microsoft | Improper Restriction of Operations Within the Bounds of a Memory Buffer vulnerability in Apple QuickTime | 9.3

Multiple stack-based buffer overflows in Apple QuickTime before 7.7 on Windows allow remote attackers to execute arbitrary code or cause a denial of service (application crash) via a crafted H.264 movie.

2011-08-04 | CVE-2011-0246 | Apple, Microsoft | Improper Restriction of Operations Within the Bounds of a Memory Buffer vulnerability in Apple QuickTime | 9.3

Heap-based buffer overflow in Apple QuickTime before 7.7 on Windows allows remote attackers to execute arbitrary code or cause a denial of service (application crash) via a crafted GIF file.

2011-08-04 | CVE-2011-0245 | Apple | Improper Restriction of Operations Within the Bounds of a Memory Buffer vulnerability in Apple QuickTime | 9.3

Buffer overflow in Apple QuickTime before 7.7 allows remote attackers to execute arbitrary code or cause a denial of service (application crash) via a crafted pict file.

5 High Vulnerabilities

DATE | CVE | VENDOR | VULNERABILITY | CVSS

2011-08-01 | CVE-2011-2399 | HP | Denial of Service vulnerability in HP OpenView Storage Data Protector 6.10/6.11 | 7.8

Unspecified vulnerability in the Media Management Daemon (mmd) in HP Data Protector 6.11 and earlier allows remote attackers to cause a denial of service via unknown vectors.

2011-08-05 | CVE-2011-2900 | Shttpd, Valenok, Yassl | Improper Restriction of Operations Within the Bounds of a Memory Buffer vulnerability in multiple products | 7.5

Stack-based buffer overflow in the (1) put_dir function in mongoose.c in Mongoose 3.0, (2) put_dir function in yasslEWS.c in yaSSL Embedded Web Server (yasslEWS) 0.2, and (3) _shttpd_put_dir function in io_dir.c in Simple HTTPD (shttpd) 1.42 allows remote attackers to execute arbitrary code via an HTTP PUT request, as exploited in the wild in 2011.

2011-08-04 | CVE-2011-1412 | Ioquake3, Openarena, Worldofpadman, Linux | Improper Input Validation vulnerability in multiple products | 7.5

sys/sys_unix.c in the ioQuake3 engine on Unix and Linux, as used in World of Padman 1.5.x before 1.5.1.1 and OpenArena 0.8.x-15 and 0.8.x-16, allows remote game servers to execute arbitrary commands via shell metacharacters in a long fs_game variable.

2011-08-01 | CVE-2011-2704 | UMN | Improper Restriction of Operations Within the Bounds of a Memory Buffer vulnerability in UMN Mapserver | 7.5

Stack-based buffer overflow in MapServer before 4.10.7 and 5.x before 5.6.7 allows remote attackers to execute arbitrary code via vectors related to OGC filter encoding.

2011-08-01 | CVE-2011-2703 | UMN | SQL Injection vulnerability in UMN Mapserver | 7.5

Multiple SQL injection vulnerabilities in MapServer before 4.10.7, 5.x before 5.6.7, and 6.x before 6.0.1 allow remote attackers to execute arbitrary SQL commands via vectors related to (1) OGC filter encoding or (2) WMS time support.

45 Medium Vulnerabilities

DATE | CVE | VENDOR | VULNERABILITY | CVSS

2011-08-03 | CVE-2011-2819 | Google, Apple | Unspecified vulnerability in Google Chrome | 6.8

Google Chrome before 13.0.782.107 allows remote attackers to bypass the Same Origin Policy via vectors related to handling of the base URI.

2011-08-03 | CVE-2011-2818 | Google, Apple, Debian | Use After Free vulnerability in Google Chrome | 6.8

Use-after-free vulnerability in Google Chrome before 13.0.782.107 allows remote attackers to cause a denial of service or possibly have unspecified other impact via vectors related to display box rendering.

2011-08-03 | CVE-2011-2805 | Google, Apple | Injection vulnerability in Google Chrome | 6.8

Google Chrome before 13.0.782.107 allows remote attackers to bypass the Same Origin Policy and conduct script injection attacks via unspecified vectors.

2011-08-03 | CVE-2011-2803 | Google | Out-Of-Bounds Read vulnerability in Google Chrome | 6.8

Google Chrome before 13.0.782.107 does not properly handle Skia paths, which allows remote attackers to cause a denial of service (out-of-bounds read) via unspecified vectors.

2011-08-03 | CVE-2011-2802 | Google | Improper Input Validation vulnerability in Google Chrome | 6.8

Google V8, as used in Google Chrome before 13.0.782.107, does not properly perform const lookups, which allows remote attackers to cause a denial of service (application crash) or possibly have unspecified other impact via a crafted web site.

2011-08-03 | CVE-2011-2801 | Google | Use After Free vulnerability in Google Chrome | 6.8

Use-after-free vulnerability in Google Chrome before 13.0.782.107 allows remote attackers to cause a denial of service or possibly have unspecified other impact via vectors related to the frame loader.

2011-08-03 | CVE-2011-2799 | Google, Apple | Use After Free vulnerability in Google Chrome | 6.8

Use-after-free vulnerability in Google Chrome before 13.0.782.107 allows remote attackers to cause a denial of service or possibly have unspecified other impact via vectors related to HTML range handling.

2011-08-03 | CVE-2011-2798 | Google | Unspecified vulnerability in Google Chrome | 6.8

Google Chrome before 13.0.782.107 does not properly restrict access to internal schemes, which allows remote attackers to have an unspecified impact via a crafted web site.

2011-08-03 | CVE-2011-2797 | Google, Apple | Use After Free vulnerability in Google Chrome | 6.8

Use-after-free vulnerability in Google Chrome before 13.0.782.107 allows remote attackers to cause a denial of service or possibly have unspecified other impact via vectors related to resource caching.

2011-08-03 | CVE-2011-2796 | Google | Use After Free vulnerability in Google Chrome | 6.8

Use-after-free vulnerability in Skia, as used in Google Chrome before 13.0.782.107, allows remote attackers to cause a denial of service or possibly have unspecified other impact via unknown vectors.

2011-08-03 | CVE-2011-2794 | Google | Out-Of-Bounds Read vulnerability in Google Chrome | 6.8

Google Chrome before 13.0.782.107 does not properly perform text iteration, which allows remote attackers to cause a denial of service (out-of-bounds read) via unspecified vectors.

2011-08-03 | CVE-2011-2793 | Google | Use After Free vulnerability in Google Chrome | 6.8

Use-after-free vulnerability in Google Chrome before 13.0.782.107 allows remote attackers to cause a denial of service or possibly have unspecified other impact via vectors related to media selectors.

2011-08-03 | CVE-2011-2792 | Google, Apple | Use After Free vulnerability in Google Chrome | 6.8

Use-after-free vulnerability in Google Chrome before 13.0.782.107 allows remote attackers to cause a denial of service or possibly have unspecified other impact via vectors related to float removal.

2011-08-03 | CVE-2011-2791 | Google | Out-Of-Bounds Write vulnerability in Google Chrome | 6.8

The International Components for Unicode (ICU) functionality in Google Chrome before 13.0.782.107 allows remote attackers to cause a denial of service or possibly have unspecified other impact via unknown vectors that trigger an out-of-bounds write.

2011-08-03 | CVE-2011-2790 | Google, Apple | Use After Free vulnerability in Google Chrome | 6.8

Use-after-free vulnerability in Google Chrome before 13.0.782.107 allows remote attackers to cause a denial of service or possibly have unspecified other impact via vectors involving floating styles.

2011-08-03 | CVE-2011-2789 | Google | Use After Free vulnerability in Google Chrome | 6.8

Use-after-free vulnerability in Google Chrome before 13.0.782.107 allows remote attackers to cause a denial of service or possibly have unspecified other impact via vectors related to instantiation of the Pepper plug-in.

2011-08-03 | CVE-2011-2788 | Google, Apple | Classic Buffer Overflow vulnerability in Google Chrome | 6.8

Buffer overflow in the inspector serialization functionality in Google Chrome before 13.0.782.107 allows user-assisted remote attackers to have an unspecified impact via unknown vectors.

2011-08-03 | CVE-2011-2783 | Google | Improper Input Validation vulnerability in Google Chrome | 6.8

Google Chrome before 13.0.782.107 does not ensure that developer-mode NPAPI extension installations are confirmed by a browser dialog, which makes it easier for remote attackers to modify the product's functionality via a Trojan horse extension.

2011-08-03 | CVE-2011-2359 | Google, Apple, Debian | Improper Input Validation vulnerability in Google Chrome | 6.8

Google Chrome before 13.0.782.107 does not properly track line boxes during rendering, which allows remote attackers to cause a denial of service or possibly have unspecified other impact via unknown vectors that lead to a "stale pointer."

2011-08-03 | CVE-2011-2358 | Google | Improper Input Validation vulnerability in Google Chrome | 6.8

Google Chrome before 13.0.782.107 does not ensure that extension installations are confirmed by a browser dialog, which makes it easier for remote attackers to modify the product's functionality via a Trojan horse extension.

2011-08-01 | CVE-2011-2975 | UMN | Resource Management Errors vulnerability in UMN Mapserver | 6.8

Double free vulnerability in the msAddImageSymbol function in mapsymbol.c in MapServer before 6.0.1 might allow remote attackers to cause a denial of service (application crash) or have unspecified other impact via crafted mapfile data.

2011-08-01 | CVE-2011-2643 | Phpmyadmin | Path Traversal vulnerability in phpMyAdmin | 6.8

Directory traversal vulnerability in sql.php in phpMyAdmin 3.4.x before 3.4.3.2, when configuration storage is enabled, allows remote attackers to include and execute arbitrary local files via directory traversal sequences in a MIME-type transformation parameter.

2011-08-01 | CVE-2011-2403 | HP | SQL Injection vulnerability in HP Network Automation | 6.5

SQL injection vulnerability in HP Network Automation 7.2x, 7.5x, 7.6x, 9.0, and 9.10 allows remote authenticated users to execute arbitrary SQL commands via unspecified vectors.

2011-08-01 | CVE-2011-2719 | Phpmyadmin | Improper Input Validation vulnerability in phpMyAdmin | 6.4

libraries/auth/swekey/swekey.auth.lib.php in phpMyAdmin 3.x before 3.3.10.3 and 3.4.x before 3.4.3.2 does not properly manage sessions associated with Swekey authentication, which allows remote attackers to modify the SESSION superglobal array, other superglobal arrays, and certain swekey.auth.lib.php local variables via a crafted query string, a related issue to CVE-2011-2505.

2011-08-01 | CVE-2011-2718 | Phpmyadmin | Path Traversal vulnerability in phpMyAdmin | 6.0

Multiple directory traversal vulnerabilities in the relational schema implementation in phpMyAdmin 3.4.x before 3.4.3.2 allow remote authenticated users to include and execute arbitrary local files via directory traversal sequences in an export type field, related to (1) libraries/schema/User_Schema.class.php and (2) schema_export.php.

2011-08-04 | CVE-2011-2701 | Freeradius | Improper Authentication vulnerability in FreeRADIUS 2.1.11 | 5.8

The ocsp_check function in rlm_eap_tls.c in FreeRADIUS 2.1.11, when OCSP is enabled, does not properly parse replies from OCSP responders, which allows remote attackers to bypass authentication by using the EAP-TLS protocol with a revoked X.509 client certificate.

2011-08-01 | CVE-2011-1744 | EMC | Permissions, Privileges, and Access Controls vulnerability in EMC Captiva eInput | 5.8

EMC Captiva eInput 2.1.1 before 2.1.1.37 does not restrict the origin of calls to ActiveX functions, which allows remote attackers to read arbitrary files or cause a denial of service via a crafted web site.

2011-08-05 | CVE-2011-3009 | Ruby Lang | Cryptographic Issues vulnerability in Ruby-Lang Ruby 1.8.6 | 5.0

Ruby before 1.8.6-p114 does not reset the random seed upon forking, which makes it easier for context-dependent attackers to predict the values of random numbers by leveraging knowledge of the number sequence obtained in a different child process, a related issue to CVE-2003-0900.

2011-08-05 | CVE-2011-3008 | Avaya | Configuration vulnerability in Avaya Secure Access Link Gateway 1.5/1.8/2.0 | 5.0

The default configuration of Avaya Secure Access Link (SAL) Gateway 1.5, 1.8, and 2.0 contains certain domain names in the Secondary Core Server URL and Secondary Remote Server URL fields, which allows remote attackers to obtain sensitive information by leveraging administrative access to these domain names, as demonstrated by alarm and log information.

2011-08-05 | CVE-2011-2721 | Clamav | Numeric Errors vulnerability in ClamAV | 5.0

Off-by-one error in the cli_hm_scan function in matcher-hash.c in libclamav in ClamAV before 0.97.2 allows remote attackers to cause a denial of service (daemon crash) via an e-mail message that is not properly handled during certain hash calculations.

2011-08-05 | CVE-2011-2720 | Glpi Project | Information Exposure vulnerability in Glpi-Project GLPI | 5.0

The autocompletion functionality in GLPI before 0.80.2 does not blacklist certain username and password fields, which allows remote attackers to obtain sensitive information via a crafted POST request.

2011-08-05 | CVE-2011-2705 | Ruby Lang | Improper Input Validation vulnerability in Ruby-Lang Ruby | 5.0

The SecureRandom.random_bytes function in lib/securerandom.rb in Ruby before 1.8.7-p352 and 1.9.x before 1.9.2-p290 relies on PID values for initialization, which makes it easier for context-dependent attackers to predict the result string by leveraging knowledge of random strings obtained in an earlier process with the same PID.

2011-08-05 | CVE-2011-2686 | Ruby Lang | Cryptographic Issues vulnerability in Ruby-Lang Ruby | 5.0

Ruby before 1.8.7-p352 does not reset the random seed upon forking, which makes it easier for context-dependent attackers to predict the values of random numbers by leveraging knowledge of the number sequence obtained in a different child process, a related issue to CVE-2003-0900.

2011-08-05 | CVE-2011-1340 | Plone | Cross-Site Scripting vulnerability in Plone | 4.3

Cross-site scripting (XSS) vulnerability in skins/plone_templates/default_error_message.pt in Plone before 2.5.3 allows remote attackers to inject arbitrary web script or HTML via the type_name parameter to Members/ipa/createObject.

2011-08-03 | CVE-2011-2804 | Google | Improper Input Validation vulnerability in Google Chrome | 4.3

Google Chrome before 13.0.782.107 does not properly handle nested functions in PDF documents, which allows remote attackers to cause a denial of service (application crash) or possibly have unspecified other impact via a crafted document.

2011-08-03 | CVE-2011-2800 | Google, Apple, Debian | Information Exposure vulnerability in Google Chrome | 4.3

Google Chrome before 13.0.782.107 allows remote attackers to obtain potentially sensitive information about client-side redirect targets via a crafted web site.

2011-08-03 | CVE-2011-2795 | Google | Unspecified vulnerability in Google Chrome | 4.3

Google Chrome before 13.0.782.107 does not prevent calls to functions in other frames, which allows remote attackers to bypass intended access restrictions via a crafted web site, related to a "cross-frame function leak."

2011-08-03 | CVE-2011-2787 | Google | Improper Input Validation vulnerability in Google Chrome | 4.3

Google Chrome before 13.0.782.107 does not properly address re-entrancy issues associated with the GPU lock, which allows remote attackers to cause a denial of service (application crash) via unspecified vectors.

2011-08-03 | CVE-2011-2786 | Google | Improper Input Validation vulnerability in Google Chrome | 4.3

Google Chrome before 13.0.782.107 does not ensure that the speech-input bubble is shown on the product's screen, which might make it easier for remote attackers to make audio recordings via a crafted web page containing an INPUT element.

2011-08-03 | CVE-2011-2785 | Google | Improper Input Validation vulnerability in Google Chrome | 4.3

The extensions implementation in Google Chrome before 13.0.782.107 does not properly validate the URL for the home page, which allows remote attackers to have an unspecified impact via a crafted extension.

2011-08-03 | CVE-2011-2782 | Google, Linux | Incorrect Default Permissions vulnerability in Google Chrome | 4.3

The drag-and-drop implementation in Google Chrome before 13.0.782.107 on Linux does not properly enforce permissions for files, which allows user-assisted remote attackers to bypass intended access restrictions via unspecified vectors.

2011-08-03 | CVE-2011-2361 | Google | Improper Authentication vulnerability in Google Chrome | 4.3

The Basic Authentication dialog implementation in Google Chrome before 13.0.782.107 does not properly handle strings, which might make it easier for remote attackers to capture credentials via a crafted web site.

2011-08-03 | CVE-2011-2360 | Google | Unspecified vulnerability in Google Chrome | 4.3

Google Chrome before 13.0.782.107 does not ensure that the user is prompted before download of a dangerous file, which makes it easier for remote attackers to bypass intended content restrictions via a crafted web site.

2011-08-01 | CVE-2011-2402 | HP | Cross-Site Scripting vulnerability in HP Network Automation | 4.3

Cross-site scripting (XSS) vulnerability in HP Network Automation 7.2x, 7.5x, 7.6x, 9.0, and 9.10 allows remote attackers to inject arbitrary web script or HTML via unspecified vectors.

2011-08-01 | CVE-2011-1743 | EMC | Cross-Site Scripting vulnerability in EMC Captiva eInput | 4.3

Cross-site scripting (XSS) vulnerability in EMC Captiva eInput 2.1.1 before 2.1.1.37 allows remote attackers to inject arbitrary web script or HTML via unspecified vectors.

4 Low Vulnerabilities

DATE | CVE | VENDOR | VULNERABILITY | CVSS

2011-08-03 | CVE-2011-2711 | Lars Hjemli | Cross-Site Scripting vulnerability in Lars Hjemli cgit | 3.5

Cross-site scripting (XSS) vulnerability in the print_fileinfo function in ui-diff.c in cgit 0.9.0.2 and earlier allows remote authenticated users to inject arbitrary web script or HTML via the filename associated with the rename hint.

2011-08-01 | CVE-2011-2642 | Phpmyadmin | Cross-Site Scripting vulnerability in phpMyAdmin | 2.6

Multiple cross-site scripting (XSS) vulnerabilities in the table Print view implementation in tbl_printview.php in phpMyAdmin before 3.3.10.3 and 3.4.x before 3.4.3.2 allow remote authenticated users to inject arbitrary web script or HTML via a crafted table name.

2011-08-03 | CVE-2011-2784 | Google | Information Exposure vulnerability in Google Chrome | 2.1

Google Chrome before 13.0.782.107 allows remote attackers to obtain sensitive information via a request for the GL program log, which reveals a local path in an unspecified log entry.

2011-08-01 | CVE-2011-1742 | EMC | Credentials Management vulnerability in EMC Data Protection Advisor | 2.1

EMC Data Protection Advisor before 5.8.1 places cleartext account credentials in the DPA configuration file in unspecified circumstances, which might allow local users to obtain sensitive information by reading this file.