Weekly Vulnerabilities Reports > December 19 to 25, 2011

Overview

53 new vulnerabilities reported during this period, including 16 critical vulnerabilities and 11 high severity vulnerabilities. This weekly summary report vulnerabilities in 50 products from 40 vendors including Mozilla, TOR, Wuzly, IBM, and Phpmyadmin. Vulnerabilities are notably categorized as "Improper Restriction of Operations within the Bounds of a Memory Buffer", "Information Exposure", "Code Injection", "Resource Management Errors", and "Cross-site Scripting".

  • 53 reported vulnerabilities are remotely exploitables.
  • 17 reported vulnerabilities have public exploit available.
  • 10 reported vulnerabilities are related to weaknesses in OWASP Top Ten.
  • 49 reported vulnerabilities are exploitable by an anonymous user.
  • Mozilla has the most reported vulnerabilities, with 7 reported vulnerabilities.
  • IBM has the most reported critical vulnerabilities, with 3 reported vulnerabilities.

TOTAL
VULNERABILITIES
CRITICAL RISK
VULNERABILITIES
HIGH RISK
VULNERABILITIES
MEDIUM RISK
VULNERABILITIES
LOW RISK
VULNERABILITIES
REMOTELY
EXPLOITABLE
LOCALLY
EXPLOITABLE
EXPLOIT
AVAILABLE
EXPLOITABLE
ANONYMOUSLY
AFFECTING
WEB APPLICATION

Vulnerability Details

The following table list reported vulnerabilities for the period covered by this report:

Expand/Hide

16 Critical Vulnerabilities

DATE CVE VENDOR VULNERABILITY CVSS
2011-12-25 CVE-2011-5012 Attachmate Improper Restriction of Operations Within the Bounds of A Memory Buffer vulnerability in Attachmate products

Heap-based buffer overflow in the Reflection FTP Client (rftpcom.dll 7.2.0.106 and possibly other versions), as used in Attachmate Reflection 2008, Reflection 2011 R1 before 15.3.2.569 and R1 SP1 before, Reflection 2011 R2 before 15.4.1.327, Reflection Windows Client 7.2 SP1 before hotfix 7.2.1186, and Reflection 14.1 SP1 before 14.1.1.206, allows remote FTP servers to execute arbitrary code via a long directory name in a response to a LIST command.

10.0
2011-12-25 CVE-2011-5010 Ctekproducts Permissions, Privileges, and Access Controls vulnerability in Ctekproducts Skyrouter 4200/4300

apps/a3/cfg_ethping.cgi in the Ctek SkyRouter 4200 and 4300 allows remote attackers to execute arbitrary commands via shell metacharacters in the PINGADDRESS parameter for a "u" action.

10.0
2011-12-25 CVE-2011-5007 3Ssoftware Improper Restriction of Operations Within the Bounds of A Memory Buffer vulnerability in 3Ssoftware Codesys

Stack-based buffer overflow in the CmpWebServer component in 3S CoDeSys 3.4 SP4 Patch 2 and earlier, as used on the ABB AC500 PLC and possibly other products, allows remote attackers to execute arbitrary code via a long URI to TCP port 8080.

10.0
2011-12-25 CVE-2011-5003 Avid Improper Restriction of Operations Within the Bounds of A Memory Buffer vulnerability in Avid Media Composer

Stack-based buffer overflow in the Phonetic Indexer (AvidPhoneticIndexer.exe) in Avid Media Composer 5.5.3 and earlier allows remote attackers to execute arbitrary code via a long request to TCP port 4659.

10.0
2011-12-25 CVE-2011-5002 Finaldraft Improper Restriction of Operations Within the Bounds of A Memory Buffer vulnerability in Finaldraft

Multiple stack-based buffer overflows in Final Draft 8 before 8.02 allow remote attackers to execute arbitrary code via a .fdx or .fdxt file with long (1) Word, (2) Transition, (3) Location, (4) Extension, (5) SceneIntro, (6) TimeOfDay, and (7) Character elements.

10.0
2011-12-25 CVE-2011-5001 Trend Micro Improper Restriction of Operations Within the Bounds of A Memory Buffer vulnerability in Trend Micro Control Manager

Stack-based buffer overflow in the CGenericScheduler::AddTask function in cmdHandlerRedAlertController.dll in CmdProcessor.exe in Trend Micro Control Manager 5.5 before Build 1613 allows remote attackers to execute arbitrary code via a crafted IPC packet to TCP port 20101.

10.0
2011-12-25 CVE-2011-4862 GNU
Heimdal Project
MIT
Freebsd
Fedoraproject
Debian
Opensuse
Suse
Classic Buffer Overflow vulnerability in multiple products

Buffer overflow in libtelnet/encrypt.c in telnetd in FreeBSD 7.3 through 9.0, MIT Kerberos Version 5 Applications (aka krb5-appl) 1.0.2 and earlier, Heimdal 1.5.1 and earlier, GNU inetutils, and possibly other products allows remote attackers to execute arbitrary code via a long encryption key, as exploited in the wild in December 2011.

10.0
2011-12-21 CVE-2011-3660 Mozilla Memory Corruption vulnerability in Mozilla Firefox, Seamonkey and Thunderbird

Multiple unspecified vulnerabilities in the browser engine in Mozilla Firefox 4.x through 8.0, Thunderbird 5.0 through 8.0, and SeaMonkey before 2.6 allow remote attackers to cause a denial of service (memory corruption and application crash) or possibly execute arbitrary code via vectors that trigger a compartment mismatch associated with the nsDOMMessageEvent::GetData function, and unknown other vectors.

10.0
2011-12-25 CVE-2011-5006 Qqplayer Buffer Errors vulnerability in Qqplayer 3.2.845

Stack-based buffer overflow in QQPlayer 3.2.845 allows remote attackers to execute arbitrary code via a crafted PnSize value in a MOV file.

9.3
2011-12-25 CVE-2010-5081 Mini Stream Buffer Errors vulnerability in Mini-Stream Rm-Mp3 Converter 3.1.2.1

Stack-based buffer overflow in Mini-Stream RM-MP3 Converter 3.1.2.1 allows remote attackers to execute arbitrary code via a long URL in a .pls file.

9.3
2011-12-25 CVE-2009-5109 Mini Stream Buffer Errors vulnerability in Mini-Stream Ripper 3.0.1.1

Stack-based buffer overflow in Mini-Stream Ripper 3.0.1.1 allows remote attackers to execute arbitrary code via a long entry in a .pls file.

9.3
2011-12-24 CVE-2011-3378 RPM Code Injection vulnerability in RPM

RPM 4.4.x through 4.9.x, probably before 4.9.1.2, allows remote attackers to cause a denial of service (memory corruption) and possibly execute arbitrary code via an rpm package with crafted headers and offsets that are not properly handled when a package is queried or installed, related to (1) the regionSwab function, (2) the headerLoad function, and (3) multiple functions in rpmio/rpmpgp.c.

9.3
2011-12-23 CVE-2011-1392 Bbsoftware
IBM
Code Injection vulnerability in .Bbsoftware BB Flashback

The Blueberry FlashBack ActiveX control in BB FlashBack Recorder.dll in Blueberry BB FlashBack, as used in IBM Rational Rhapsody before 7.6.1 and other products, does not properly implement the (1) Start, (2) PauseAndSave, (3) InsertMarker, and (4) InsertSoundToFBRAtMarker methods, which allows remote attackers to execute arbitrary code via unspecified vectors.

9.3
2011-12-23 CVE-2011-1391 Bbsoftware
IBM
Code Injection vulnerability in .Bbsoftware BB Flashback

The Blueberry FlashBack ActiveX control in BB FlashBack Recorder.dll in Blueberry BB FlashBack, as used in IBM Rational Rhapsody before 7.6.1 and other products, does not properly implement the InsertMarker method, which allows remote attackers to execute arbitrary code via unspecified vectors.

9.3
2011-12-23 CVE-2011-1388 Bbsoftware
IBM
Code Injection vulnerability in .Bbsoftware BB Flashback

The Blueberry FlashBack ActiveX control in BB FlashBack Recorder.dll in Blueberry BB FlashBack, as used in IBM Rational Rhapsody before 7.6.1 and other products, does not properly implement the TestCompatibilityRecordMode method, which allows remote attackers to execute arbitrary code via unspecified vectors.

9.3
2011-12-22 CVE-2011-4037 Sielcosistemi Improper Restriction of Operations Within the Bounds of A Memory Buffer vulnerability in Sielcosistemi Winlog Lite and Winlog PRO

Buffer overflow in Sielco Sistemi Winlog PRO before 2.07.09 and Winlog Lite before 2.07.09 allows user-assisted remote attackers to execute arbitrary code via invalid data in unspecified fields of a project file.

9.3

11 High Vulnerabilities

DATE CVE VENDOR VULNERABILITY CVSS
2011-12-20 CVE-2011-4869 Unbound Resource Management Errors vulnerability in Unbound

validator/val_nsec3.c in Unbound before 1.4.13p2 does not properly perform proof processing for NSEC3-signed zones, which allows remote DNS servers to cause a denial of service (daemon crash) via a malformed response that lacks expected NSEC3 records, a different vulnerability than CVE-2011-4528.

7.8
2011-12-23 CVE-2011-2778 TOR Improper Restriction of Operations Within the Bounds of A Memory Buffer vulnerability in TOR

Multiple heap-based buffer overflows in Tor before 0.2.2.35 allow remote attackers to cause a denial of service (memory corruption) or possibly execute arbitrary code by (1) establishing a SOCKS connection to SocksPort or (2) leveraging a SOCKS proxy configuration.

7.6
2011-12-25 CVE-2011-5008 3Ssoftware Numeric Errors vulnerability in 3Ssoftware Codesys 3.4

Integer overflow in the GatewayService component in 3S CoDeSys 3.4 SP4 Patch 2 allows remote attackers to execute arbitrary code via a large size value in the packet header, which triggers a heap-based buffer overflow.

7.5
2011-12-25 CVE-2011-5005 Claudio Klingler
Mads Brunn
Unrestricted file upload vulnerability in QuiXplorer 2.3 and earlier allows remote attackers to execute arbitrary code by uploading a file with an executable extension using the upload action to index.php, then accessing it via a direct request to the file in an unspecified directory.
7.5
2011-12-24 CVE-2011-3839 Wuzly Permissions, Privileges, and Access Controls vulnerability in Wuzly 2.0

The administration functionality in Wuzly 2.0 allows remote attackers to bypass authentication by setting the dXNlcm5hbWU cookie.

7.5
2011-12-24 CVE-2011-3838 Wuzly SQL Injection vulnerability in Wuzly 2.0

Multiple SQL injection vulnerabilities in Wuzly 2.0 allow remote attackers to execute arbitrary SQL commands via the (1) u parameter to fp.php, (2) epage parameter to newpage.php, (3) epost parameter to newpost.php, and (4) username parameter to login.php in admin/; or the (5) username parameter to mobile/login.php.

7.5
2011-12-24 CVE-2011-3372 Cyrus Improper Authentication vulnerability in Cyrus Imapd

imap/nntpd.c in the NNTP server (nntpd) for Cyrus IMAPd 2.4.x before 2.4.12 allows remote attackers to bypass authentication by sending an AUTHINFO USER command without sending an additional AUTHINFO PASS command.

7.5
2011-12-22 CVE-2011-4453 Pmwiki Code Injection vulnerability in Pmwiki

The PageListSort function in scripts/pagelist.php in PmWiki 2.x before 2.2.35 allows remote attackers to execute arbitrary code via PHP sequences in a crafted order parameter in a pagelist directive, leading to unintended use of the PHP create_function function.

7.5
2011-12-21 CVE-2011-3665 Mozilla Resource Management Errors vulnerability in Mozilla Firefox, Seamonkey and Thunderbird

Mozilla Firefox 4.x through 8.0, Thunderbird 5.0 through 8.0, and SeaMonkey before 2.6 allow remote attackers to cause a denial of service (application crash) or possibly have unspecified other impact via an Ogg VIDEO element that is not properly handled after scaling.

7.5
2011-12-21 CVE-2011-3661 Mozilla Resource Management Errors vulnerability in Mozilla Firefox, Seamonkey and Thunderbird

YARR, as used in Mozilla Firefox 4.x through 8.0, Thunderbird 5.0 through 8.0, and SeaMonkey before 2.6, allows remote attackers to cause a denial of service (application crash) or possibly execute arbitrary code via crafted JavaScript.

7.5
2011-12-21 CVE-2011-3658 Mozilla Resource Management Errors vulnerability in Mozilla Firefox, Seamonkey and Thunderbird

The SVG implementation in Mozilla Firefox 8.0, Thunderbird 8.0, and SeaMonkey 2.5 does not properly interact with DOMAttrModified event handlers, which allows remote attackers to cause a denial of service (out-of-bounds memory access) or possibly have unspecified other impact via vectors involving removal of SVG elements.

7.5

26 Medium Vulnerabilities

DATE CVE VENDOR VULNERABILITY CVSS
2011-12-25 CVE-2011-5011 XT Commerce Cross-Site Request Forgery (CSRF) vulnerability in Xt-Commerce Xt:Commerce 3.0.4

Multiple cross-site request forgery (CSRF) vulnerabilities in xt:Commerce 3.0.4 SP2.1 and possibly earlier allow remote attackers to hijack the authentication of Admins for requests that (1) set a New user to Admin via the cID parameter to a statusconfirm action in admin/customers.php and (2) grant permissions to users via the cID parameter to a save action in admin/accounting.php.

6.8
2011-12-24 CVE-2011-3837 Wuzly Path Traversal vulnerability in Wuzly 2.0

Directory traversal vulnerability in blog_system/data_functions.php in Wuzly 2.0 allows remote attackers to read arbitrary files via a ..

6.8
2011-12-24 CVE-2011-3836 Wuzly Cross-Site Request Forgery (CSRF) vulnerability in Wuzly 2.0

Multiple cross-site request forgery (CSRF) vulnerabilities in Wuzly 2.0 allow remote attackers to hijack the authentication of administrators for requests that (1) add an administrator, (2) perform cross-site scripting (XSS), (3) perform SQL injection, or have other unspecified impact via unknown vectors.

6.8
2011-12-21 CVE-2011-3666 Mozilla
Apple
Permissions, Privileges, and Access Controls vulnerability in Mozilla Firefox and Thunderbird

Mozilla Firefox before 3.6.25 and Thunderbird before 3.1.17 on Mac OS X do not consider .jar files to be executable files, which allows user-assisted remote attackers to bypass intended access restrictions via a crafted file.

6.8
2011-12-21 CVE-2011-3664 Mozilla
Apple
NULL Pointer Dereference Denial Of Service vulnerability in Mozilla Firefox, Seamonkey and Thunderbird

Mozilla Firefox before 9.0, Thunderbird before 9.0, and SeaMonkey before 2.6 on Mac OS X do not properly handle certain DOM frame deletions by plugins, which allows remote attackers to cause a denial of service (incorrect pointer dereference and application crash) or possibly have unspecified other impact via a crafted web site.

6.8
2011-12-20 CVE-2011-4723 D Link Cryptographic Issues vulnerability in D-Link Dir-300

The D-Link DIR-300 router stores cleartext passwords, which allows context-dependent attackers to obtain sensitive information via unspecified vectors.

6.8
2011-12-25 CVE-2011-5004 Fabrikar
Joomla
Unspecified vulnerability in Fabrikar COM Fabrikar

Unrestricted file upload vulnerability in models/importcsv.php in the Fabrik (com_fabrik) component before 2.1.1 for Joomla! allows remote authenticated users with Manager privileges to execute arbitrary code by uploading a file with an executable extension, then accessing it via a direct request to the file in an unspecified directory.

6.0
2011-12-23 CVE-2011-4596 Openstack Path Traversal vulnerability in Openstack Nova 2011.3

Multiple directory traversal vulnerabilities in OpenStack Nova before 2011.3.1, when the EC2 API and the S3/RegisterImage image-registration method are enabled, allow remote authenticated users to overwrite arbitrary files via a crafted (1) tarball or (2) manifest.

6.0
2011-12-23 CVE-2011-2768 TOR Permissions, Privileges, and Access Controls vulnerability in TOR

Tor before 0.2.2.34, when configured as a client or bridge, sends a TLS certificate chain as part of an outgoing OR connection, which allows remote relays to bypass intended anonymity properties by reading this chain and then determining the set of entry guards that the client or bridge had selected.

5.8
2011-12-20 CVE-2011-4717 Zftpserver Path Traversal vulnerability in Zftpserver Suite 6.0.0.52

Directory traversal vulnerability in zFTPServer Suite 6.0.0.52 allows remote authenticated users to delete arbitrary directories via a crafted RMD (aka rmdir) command.

5.5
2011-12-25 CVE-2011-5009 3Ssoftware Unspecified vulnerability in 3Ssoftware Codesys 3.4

The CmpWebServer.dll module in the Control service in 3S CoDeSys 3.4 SP4 Patch 2 allows remote attackers to cause a denial of service (NULL pointer dereference) via (1) a crafted Content-Length in an HTTP POST or (2) an invalid HTTP request method.

5.0
2011-12-25 CVE-2011-4601 Pidgin Improper Input Validation vulnerability in Pidgin

family_feedbag.c in the oscar protocol plugin in libpurple in Pidgin before 2.10.1 does not perform the expected UTF-8 validation on message data, which allows remote attackers to cause a denial of service (application crash) via a crafted (1) AIM or (2) ICQ message associated with buddy-list addition.

5.0
2011-12-24 CVE-2011-4362 Lighttpd
Debian
Integer signedness error in the base64_decode function in the HTTP authentication functionality (http_auth.c) in lighttpd 1.4 before 1.4.30 and 1.5 before SVN revision 2806 allows remote attackers to cause a denial of service (segmentation fault) via crafted base64 input that triggers an out-of-bounds read with a negative index.
5.0
2011-12-22 CVE-2011-4203 Moodle Code Injection vulnerability in Moodle

CRLF injection vulnerability in calendar/set.php in the Calendar component in Moodle 1.9.x before 1.9.15, 2.0.x before 2.0.6, 2.1.x before 2.1.3, and 2.2 allows remote attackers to inject arbitrary HTTP headers and conduct HTTP response splitting attacks via vectors involving the url variable.

5.0
2011-12-20 CVE-2011-4528 Unbound Resource Management Errors vulnerability in Unbound

Unbound before 1.4.13p2 attempts to free unallocated memory during processing of duplicate CNAME records in a signed zone, which allows remote DNS servers to cause a denial of service (daemon crash) via a crafted response.

5.0
2011-12-24 CVE-2011-3835 Wuzly Cross-Site Scripting vulnerability in Wuzly 2.0

Multiple cross-site scripting (XSS) vulnerabilities in Wuzly 2.0 allow remote attackers to inject arbitrary web script or HTML via the Referer header to (1) admin/login.php and (2) admin/404.php; the (3) q parameter to search.php; the (4) theme_name parameter to theme_settings.php, (5) extension_name parameter to extension_settings.php, (6) q parameter to search.php, (7) type parameter to comments.php, sort parameter to (8) pages.php and (9) posts.php, and the (10) type and (11) q parameter to media.php in admin/; the sidebar parameter to (12) add_widget.php and (13) widgets.php, id parameter to (14) category_delete.php, (15) comment.php, (16) page_delete.php, and (17) post_delete.php, (18) type parameter to media.php, and (19) id and (20) sidebar parameter to widget_delete.php in mobile/; and the (21) name, (22) email, (23) website, and (24) comment parameters to index.php; and the (25) username parameter to admin/login.php.

4.3
2011-12-23 CVE-2011-4897 TOR Information Exposure vulnerability in TOR

Tor before 0.2.2.25-alpha, when configured as a relay without the Nickname configuration option, uses the local hostname as the Nickname value, which allows remote attackers to obtain potentially sensitive information by reading this value.

4.3
2011-12-23 CVE-2011-4896 TOR Information Exposure vulnerability in TOR

Tor before 0.2.2.24-alpha continues to use a reachable bridge that was previously configured but is not currently configured, which might allow remote attackers to obtain sensitive information about clients in opportunistic circumstances by monitoring network traffic to the bridge port.

4.3
2011-12-23 CVE-2011-4895 TOR Information Exposure vulnerability in TOR

Tor before 0.2.2.34, when configured as a bridge, sets up circuits through a process different from the process used by a client, which makes it easier for remote attackers to enumerate bridges by observing circuit building.

4.3
2011-12-23 CVE-2011-4894 TOR Information Exposure vulnerability in TOR

Tor before 0.2.2.34, when configured as a bridge, uses direct DirPort access instead of a Tor TLS connection for a directory fetch, which makes it easier for remote attackers to enumerate bridges by observing DirPort connections.

4.3
2011-12-23 CVE-2011-2769 TOR Information Exposure vulnerability in TOR

Tor before 0.2.2.34, when configured as a bridge, accepts the CREATE and CREATE_FAST values in the Command field of a cell within an OR connection that it initiated, which allows remote relays to enumerate bridges by using these values.

4.3
2011-12-22 CVE-2011-4782 Phpmyadmin Cross-Site Scripting vulnerability in PHPmyadmin

Cross-site scripting (XSS) vulnerability in libraries/config/ConfigFile.class.php in the setup interface in phpMyAdmin 3.4.x before 3.4.9 allows remote attackers to inject arbitrary web script or HTML via the host parameter.

4.3
2011-12-22 CVE-2011-4780 Phpmyadmin Cross-Site Scripting vulnerability in PHPmyadmin

Multiple cross-site scripting (XSS) vulnerabilities in libraries/display_export.lib.php in phpMyAdmin 3.4.x before 3.4.9 allow remote attackers to inject arbitrary web script or HTML via crafted URL parameters, related to the export panels in the (1) server, (2) database, and (3) table sections.

4.3
2011-12-22 CVE-2011-4634 Phpmyadmin Cross-Site Scripting vulnerability in PHPmyadmin

Multiple cross-site scripting (XSS) vulnerabilities in phpMyAdmin 3.4.x before 3.4.8 allow remote attackers to inject arbitrary web script or HTML via (1) a crafted database name, related to the Database Synchronize panel; (2) a crafted database name, related to the Database rename panel; (3) a crafted SQL query, related to the table overview panel; (4) a crafted SQL query, related to the view creation dialog; (5) a crafted column type, related to the table search dialog; or (6) a crafted column type, related to the create index dialog.

4.3
2011-12-22 CVE-2011-3990 Pukiwiki Cross-Site Scripting vulnerability in Pukiwiki Plus!

Cross-site scripting (XSS) vulnerability in plugin/comment.inc.php in PukiWiki Plus! 1.4.7plus-u2-i18n and earlier allows remote attackers to inject arbitrary web script or HTML via unspecified vectors.

4.3
2011-12-21 CVE-2011-3663 Mozilla Information Exposure vulnerability in Mozilla Firefox, Seamonkey and Thunderbird

Mozilla Firefox 4.x through 8.0, Thunderbird 5.0 through 8.0, and SeaMonkey before 2.6 allow remote attackers to capture keystrokes entered on a web page, even when JavaScript is disabled, by using SVG animation accessKey events within that web page.

4.3

0 Low Vulnerabilities

DATE CVE VENDOR VULNERABILITY CVSS