Vulnerability Summary for the Week of January 18, 2010

Released: Jan 25, 2010
Document ID: SB10-025

The CISA Vulnerability Bulletin provides a summary of new vulnerabilities that have been recorded by the National Institute of Standards and Technology (NIST) National Vulnerability Database (NVD) in the past week. NVD is sponsored by CISA. In some cases, the vulnerabilities in the bulletin may not yet have assigned CVSS scores. Please visit NVD for updated vulnerability entries, which include CVSS scores once they are available.

Vulnerabilities are based on the Common Vulnerabilities and Exposures (CVE) vulnerability naming standard and are organized according to severity, determined by the Common Vulnerability Scoring System (CVSS) standard. The division into high, medium, and low severities corresponds to the following scores:

  • High: vulnerabilities with a CVSS base score of 7.0–10.0
  • Medium: vulnerabilities with a CVSS base score of 4.0–6.9
  • Low: vulnerabilities with a CVSS base score of 0.0–3.9

Entries may include additional information provided by organizations and efforts sponsored by CISA. This information may include identifying information, values, definitions, and related links. Patch information is provided when available. Please note that some of the information in the bulletin is compiled from external, open-source reports and is not a direct result of CISA analysis. 


High Vulnerabilities

| Primary Vendor -- Product | Description | Published | CVSS Score | Source & Patch Info |
|---|---|---|---|---|
| adobe -- shockwave_player | Heap-based buffer overflow in Adobe Shockwave Player before 11.5.6.606 allows remote attackers to execute arbitrary code via a crafted 3D model in a Shockwave file. | 2010-01-21 | 9.3 | CVE-2009-4002 (VUPEN, CONFIRM) |
| adobe -- shockwave_player | Multiple integer overflows in Adobe Shockwave Player before 11.5.6.606 allow remote attackers to execute arbitrary code via (1) an unspecified block type in a Shockwave file, leading to a heap-based buffer overflow; and might allow remote attackers to execute arbitrary code via (2) an unspecified 3D block in a Shockwave file, leading to memory corruption; or (3) a crafted 3D model in a Shockwave file, leading to heap memory corruption. | 2010-01-21 | 9.3 | CVE-2009-4003 (CONFIRM) |
| adobe -- flash_player; microsoft -- windows_xp | Use-after-free vulnerability in Adobe Flash Player 6.0.79, as distributed in Microsoft Windows XP SP2 and SP3, allows remote attackers to execute arbitrary code by unloading a Flash object that is currently being accessed by a script, leading to memory corruption, aka a "Movie Unloading Vulnerability." | 2010-01-21 | 9.3 | CVE-2010-0378 (CERT-VN, CONFIRM, SECTRACK, MISC, SECUNIA) |
| adobe -- flash_player; microsoft -- windows_xp | Multiple unspecified vulnerabilities in the Macromedia Flash ActiveX control in Adobe Flash Player 6, as distributed in Microsoft Windows XP SP2 and SP3, might allow remote attackers to execute arbitrary code via unspecified vectors that are not related to the use-after-free "Movie Unloading Vulnerability" (CVE-2010-0378). NOTE: due to lack of details, it is not clear whether this overlaps any other CVE item. | 2010-01-21 | 9.3 | CVE-2010-0379 (CONFIRM, SECTRACK, SECUNIA) |
| apple -- mac_os_x; apple -- mac_os_x_server | Buffer overflow in CoreAudio in Apple Mac OS X 10.5.8 and 10.6.2 allows remote attackers to execute arbitrary code or cause a denial of service (application crash) via a crafted MP4 audio file. | 2010-01-20 | 9.3 | CVE-2010-0036 (BID) |
| apple -- mac_os_x; apple -- mac_os_x_server | Buffer overflow in Image RAW in Apple Mac OS X 10.5.8 and 10.6.2 allows remote attackers to execute arbitrary code or cause a denial of service (application crash) via a crafted DNG image. | 2010-01-20 | 9.3 | CVE-2010-0037 (XF, VUPEN, SECTRACK, BID, CONFIRM, SECUNIA, APPLE) |
| bitscripts -- bits_video_script | Multiple unrestricted file upload vulnerabilities in (1) register.php and (2) addvideo.php in BitScripts Bits Video Script 2.04 and 2.05 Gold Beta allow remote attackers to execute arbitrary code by uploading a file with an executable extension, then accessing it via a direct request to the file in an unspecified directory. | 2010-01-21 | 10.0 | CVE-2010-0366 (XF, MISC, SECUNIA, OSVDB) |
| bitscripts -- bits_video_script | Multiple PHP remote file inclusion vulnerabilities in BitScripts Bits Video Script 2.05 Gold Beta, and possibly 2.04, allow remote attackers to execute arbitrary PHP code via a URL in the rowptem[template] parameter to (1) showcasesearch.php and (2) showcase2search.php. | 2010-01-21 | 7.5 | CVE-2010-0367 (XF, MISC) |
| cisco -- ios_xr | Unspecified vulnerability in the sshd_child_handler process in the SSH server in Cisco IOS XR 3.4.1 through 3.7.0 allows remote attackers to cause a denial of service (process crash and memory consumption) via a crafted SSH2 packet, aka Bug ID CSCsu10574. | 2010-01-21 | 7.8 | CVE-2010-0137 (CISCO) |
| cisco -- ciscoworks_internetwork_performance_monitor | Buffer overflow in Cisco CiscoWorks Internetwork Performance Monitor (IPM) 2.6 and earlier on Windows, as distributed in CiscoWorks LAN Management Solution (LMS), allows remote attackers to execute arbitrary code via a malformed getProcessName CORBA General Inter-ORB Protocol (GIOP) request, related to a "third-party component," aka Bug ID CSCsv62350. | 2010-01-21 | 10.0 | CVE-2010-0138 (XF, MISC, VUPEN, BID, CISCO, SECTRACK, SECUNIA) |
| dan_brown -- moa_gallery | Multiple PHP remote file inclusion vulnerabilities in Moa Gallery 1.2.0 and earlier allow remote attackers to execute arbitrary PHP code via a URL in the MOA_PATH parameter to (1) _error_funcs.php, (2) _integrity_funcs.php, (3) _template_component_admin.php, (4) _template_component_gallery.php, (5) _template_parser.php, (6) mod_gallery_funcs.php, (7) mod_image_funcs.php, (8) mod_tag_funcs.php, (9) mod_tag_view.php, (10) mod_upgrade_funcs.php, (11) mod_user_funcs.php, (12) page_admin.php, (13) page_gallery_add.php, (14) page_gallery_view.php, (15) page_image_add.php, (16) page_image_view_full.php, (17) page_login.php, and (18) page_sitemap.php in sources/. | 2010-01-18 | 7.5 | CVE-2009-4614 (VUPEN, MILW0RM) |
| hong_chuyen -- com_articlemanager | SQL injection vulnerability in the Articlemanager (com_articlemanager) component for Joomla! allows remote attackers to execute arbitrary SQL commands via the artid parameter in a display action to index.php. | 2010-01-21 | 7.5 | CVE-2010-0372 (XF, BID, MISC, MISC) |
| hp -- power_manager | Stack-based buffer overflow in goform/formExportDataLogs in HP Power Manager before 4.2.10 allows remote attackers to execute arbitrary code via a long fileName parameter. | 2010-01-20 | 10.0 | CVE-2009-3999 (BID, SECTRACK, MISC, SECUNIA, HP, HP) |
| hp -- power_manager | Directory traversal vulnerability in goform/formExportDataLogs in HP Power Manager before 4.2.10 allows remote attackers to overwrite arbitrary files, and execute arbitrary code, via directory traversal sequences in the fileName parameter. | 2010-01-20 | 7.5 | CVE-2009-4000 (BID, SECTRACK, MISC, SECUNIA, HP, HP) |
| ibm -- lotus_domino | Heap-based buffer overflow in the server in IBM Lotus Domino 7 and 8.5 FP1 allows remote attackers to cause a denial of service (daemon exit) and possibly have unspecified other impact via a long string in a crafted LDAP message to a TCP port, a different vulnerability than CVE-2009-3087. | 2010-01-20 | 10.0 | CVE-2010-0358 (SECTRACK, MISC, MISC) |
| jce-tech -- php_calendars_script | SQL injection vulnerability in product_list.php in JCE-Tech PHP Calendars, downloaded 2010-01-11, allows remote attackers to execute arbitrary SQL commands via the cat parameter. NOTE: the provenance of this information is unknown; the details are obtained solely from third party information. | 2010-01-21 | 7.5 | CVE-2010-0375 (XF, OSVDB, MISC, SECUNIA) |
| joomla -- com_libros | SQL injection vulnerability in the libros (com_libros) component for Joomla! allows remote attackers to execute arbitrary SQL commands via the id parameter in a detail action to index.php. | 2010-01-21 | 7.5 | CVE-2010-0373 (XF, MISC, MISC) |
| joomloc -- com_joomloc | SQL injection vulnerability in the Joomloc (com_joomloc) component 1.0 for Joomla allows remote attackers to execute arbitrary SQL commands via the id parameter in an edit task to index.php. | 2010-01-18 | 7.5 | CVE-2009-4620 (XF, VUPEN, BID, MILW0RM, SECUNIA, OSVDB) |
| linux -- kernel | Use-after-free vulnerability in the fasync_helper function in fs/fcntl.c in the Linux kernel before 2.6.33-rc4-git1 allows local users to gain privileges via vectors that include enabling O_ASYNC (aka FASYNC or FIOASYNC) on a locked file, and then closing this file. | 2010-01-19 | 7.2 | CVE-2009-4141 (CONFIRM, MISC, CONFIRM) |
| linux.thai -- libthai | Multiple integer overflows in LibThai before 0.1.13 might allow context-dependent attackers to execute arbitrary code via long strings that trigger heap-based buffer overflows, related to (1) thbrk/thbrk.c and (2) thwbrk/thwbrk.c. NOTE: some of these details are obtained from third party information. | 2010-01-19 | 10.0 | CVE-2009-4012 (CONFIRM, CONFIRM) |
| lucygames -- com_lucygames | SQL injection vulnerability in the Lucy Games (com_lucygames) component 1.5.4 for Joomla! allows remote attackers to execute arbitrary SQL commands via the gameid parameter in a game action to index.php. NOTE: some of these details are obtained from third party information. | 2010-01-18 | 7.5 | CVE-2009-4619 (XF, BID, MILW0RM) |
| microsoft -- internet_explorer | Use-after-free vulnerability in Microsoft Internet Explorer 6, 6 SP1, 7, and 8 on Windows 2000 SP4; Windows XP SP2 and SP3; Windows Server 2003 SP2; Windows Vista Gold, SP1, and SP2; Windows Server 2008 Gold, SP2, and R2; and Windows 7 allows remote attackers to execute arbitrary code by accessing a pointer associated with a deleted object, as exploited in the wild in January 2010. | 2010-01-15 | 9.3 | CVE-2010-0249 (CERT-VN, XF, VUPEN, BID, CONFIRM, MISC, MSKB, SECTRACK, OSVDB, CONFIRM) |
| myrephp -- myre_holiday_rental_manager | SQL injection vulnerability in review.php in MYRE Holiday Rental Manager allows remote attackers to execute arbitrary SQL commands via the link_id parameter in a show_review action. | 2010-01-18 | 7.5 | CVE-2009-4615 (MILW0RM, SECUNIA) |
| nicecoder -- idesk | SQL injection vulnerability in download.php in Nicecoder iDesk allows remote attackers to execute arbitrary SQL commands via the cat_id parameter, a different vector than CVE-2005-3843. | 2010-01-18 | 7.5 | CVE-2009-4624 (XF, BID, MILW0RM, SECUNIA) |
| patching -- jianghu_inn | SQL injection vulnerability in the JiangHu Inn plugin 1.1 and earlier for Discuz! allows remote attackers to execute arbitrary SQL commands via the id parameter in a show action to forummission.php. | 2010-01-18 | 7.5 | CVE-2009-4621 (XF, VUPEN, BID, MILW0RM) |
| phpmyadmin -- phpmyadmin | libraries/File.class.php in phpMyAdmin 2.11.x before 2.11.10 creates a temporary directory with 0777 permissions, which has unknown impact and attack vectors. | 2010-01-19 | 7.5 | CVE-2008-7251 (BID, CONFIRM, SECUNIA, CONFIRM, CONFIRM) |
| phpmyadmin -- phpmyadmin | libraries/File.class.php in phpMyAdmin 2.11.x before 2.11.10 uses predictable filenames for temporary files, which has unknown impact and attack vectors. | 2010-01-19 | 7.5 | CVE-2008-7252 (BID) |
| phpmyspace -- phpmyspace | SQL injection vulnerability in modules/arcade/index.php in PHP MySpace Gold Edition 8.0 and 8.10 allows remote attackers to execute arbitrary SQL commands via the gid parameter in a play_game action. NOTE: some of these details are obtained from third party information. | 2010-01-21 | 7.5 | CVE-2010-0377 (SECUNIA, MISC) |
| phpnagios -- phpnagios | Directory traversal vulnerability in menu.php in phpNagios 1.2.0 allows remote attackers to include and execute arbitrary local files via directory traversal sequences in the conf[lang] parameter. | 2010-01-18 | 7.5 | CVE-2009-4626 (XF, VUPEN, MILW0RM) |
| plohni -- advanced_comment_system | Multiple PHP remote file inclusion vulnerabilities in Advanced Comment System 1.0 allow remote attackers to execute arbitrary PHP code via a URL in the ACS_path parameter to (1) index.php and (2) admin.php in advanced_comment_system/. NOTE: this might only be a vulnerability when the administrator has not followed installation instructions in install.php. | 2010-01-18 | 7.5 | CVE-2009-4623 (MILW0RM, SECUNIA) |
| rockwellautomation -- ab_micrologix_controller | Multiple unspecified vulnerabilities on the Rockwell Automation AB Micrologix 1100 and 1400 controllers allow remote attackers to obtain privileged access or cause a denial of service (halt) via unknown vectors. | 2010-01-19 | 10.0 | CVE-2009-3739 (BUGTRAQ) |
| sourceforge -- drunken_golem_gaming_portal | PHP remote file inclusion vulnerability in admin/admin_news_bot.php in Drunken:Golem Gaming Portal 0.5.1 alpha 2 allows remote attackers to execute arbitrary PHP code via a URL in the root_path parameter, a different vector than CVE-2007-0572. | 2010-01-18 | 7.5 | CVE-2009-4622 (XF, MILW0RM) |
| sun -- java_system_web_server | Sun Java System Web Server (aka SJWS) 7.0 Update 7 allows remote attackers to overwrite memory locations in the heap, and discover the contents of memory locations, via a malformed HTTP TRACE request that includes a long URI and many empty headers, related to an "overflow." NOTE: this might overlap CVE-2010-0272 and CVE-2010-0273. | 2010-01-20 | 7.5 | CVE-2010-0360 (MISC, MISC) |
| sun -- java_system_web_server | Stack-based buffer overflow in the WebDAV implementation in webservd in Sun Java System Web Server (aka SJWS) 7.0 Update 7 allows remote attackers to cause a denial of service (daemon crash) and possibly have unspecified other impact via a long URI in an HTTP OPTIONS request. | 2010-01-20 | 10.0 | CVE-2010-0361 (MISC) |
| tamlyncreative -- com_bfsurvey_profree | SQL injection vulnerability in the updateOnePage function in components/com_bfsurvey_pro/controller.php in BF Survey Pro Free (com_bfsurvey_profree) 1.2.4, and other versions before 1.2.6, a component for Joomla!, allows remote attackers to execute arbitrary SQL commands via the table parameter in an updateOnePage action to index.php. | 2010-01-18 | 7.5 | CVE-2009-4625 (XF, VUPEN, CONFIRM, MILW0RM, SECUNIA, OSVDB) |
| templateplaza -- com_tpdugg | SQL injection vulnerability in the TemplatePlaza.com TPDugg (com_tpdugg) component 1.1 for Joomla! allows remote attackers to execute arbitrary SQL commands via the id parameter in a tags action to index.php. | 2010-01-18 | 7.5 | CVE-2009-4628 (CONFIRM) |
| tourismscripts -- tourism_script_accomodation_hotel_booking_portal_script | Multiple SQL injection vulnerabilities in Tourism Script Accommodation Hotel Booking Portal Script allow remote attackers to execute arbitrary SQL commands via the hotel_id parameter to (1) hotel.php, (2) details.php, (3) roomtypes.php, (4) photos.php, (5) map.php, (6) weather.php, (7) reviews.php, and (8) book.php. | 2010-01-18 | 7.5 | CVE-2009-4617 (XF, MILW0RM, SECUNIA) |
| tourismscripts -- bus_script | Multiple SQL injection vulnerabilities in Tourism Script Bus Script allow remote attackers to execute arbitrary SQL commands via the sitetext_id parameter to (1) aboutus.php and (2) faq.php. | 2010-01-18 | 7.5 | CVE-2009-4618 (MILW0RM, SECUNIA) |
| videolan -- vlc_media_player | Stack-based buffer overflow in VideoLAN VLC Media Player 0.8.6 allows user-assisted remote attackers to execute arbitrary code via an ogg file with a crafted Advanced SubStation Alpha Subtitle (.ass) file, probably involving the Dialogue field. | 2010-01-21 | 9.3 | CVE-2010-0364 (XF, BID, MISC) |
| zeus -- zeus_web_server | Buffer overflow in the SSLv2 support in Zeus Web Server before 4.3r5 allows remote attackers to cause a denial of service (daemon crash) or possibly execute arbitrary code via a long string in an invalid Client Hello message. | 2010-01-20 | 10.0 | CVE-2010-0359 (VUPEN, BID, OSVDB, CONFIRM, CONFIRM, SECTRACK, SECUNIA, MISC, MISC) |
| zeus -- zeus_web_server | Zeus Web Server before 4.3r5 does not use random transaction IDs for DNS requests, which makes it easier for remote attackers to spoof DNS responses. | 2010-01-20 | 7.5 | CVE-2010-0362 (CONFIRM) |



Medium Vulnerabilities

| Primary Vendor -- Product | Description | Published | CVSS Score | Source & Patch Info |
|---|---|---|---|---|
| bitscripts -- bits_video_script | Cross-site scripting (XSS) vulnerability in search.php in BitScripts Bits Video Script 2.04 and 2.05 Gold Beta allows remote attackers to inject arbitrary web script or HTML via the order parameter. | 2010-01-21 | 4.3 | CVE-2010-0365 (XF, MISC, SECUNIA, OSVDB) |
| codingfish -- com_marketplace | Cross-site scripting (XSS) vulnerability in the Marketplace (com_marketplace) component 1.2 for Joomla! allows remote attackers to inject arbitrary web script or HTML via the catid parameter in a show_category action to index.php. | 2010-01-21 | 4.3 | CVE-2010-0374 (XF, BID, MISC) |
| dan_brown -- moa_gallery | Directory traversal vulnerability in sources/_template_parser.php in Moa Gallery 1.2.0 and earlier allows remote attackers to read arbitrary files via a .. (dot dot) in the p_filename parameter, a different issue than CVE-2009-4614. | 2010-01-18 | 5.0 | CVE-2009-4627 (XF, VUPEN, MILW0RM) |
| hitmaaan -- hitmaaan_gallery | Multiple cross-site scripting (XSS) vulnerabilities in index.php in Hitmaaan Gallery 1.3 allow remote attackers to inject arbitrary web script or HTML via the (1) gall and (2) levela parameters. | 2010-01-21 | 4.3 | CVE-2010-0371 (XF, SECUNIA, MISC, OSVDB) |
| ibm -- lotus_web_content_management | Cross-site scripting (XSS) vulnerability in the Login page in IBM Lotus Web Content Management (WCM) 6.0.1.4, 6.0.1.5, and 6.0.1.6 before iFix 32; and 6.1.0.1 and 6.1.0.2 before iFix 24; for WebSphere Portal allows remote attackers to inject arbitrary web script or HTML via unspecified parameters. | 2010-01-20 | 4.3 | CVE-2010-0357 (AIXAPAR) |
| jce-tech -- php_calendars_script | Cross-site scripting (XSS) vulnerability in product_list.php in JCE-Tech PHP Calendars, downloaded 2010-01-11, allows remote attackers to inject arbitrary web script or HTML via the cat parameter. NOTE: this issue is reportedly resultant from a forced SQL error message that occurs from exploitation of CVE-2010-0375. | 2010-01-21 | 4.3 | CVE-2010-0376 (XF, MISC, SECUNIA, MISC) |
| microsoft -- windows_2000; microsoft -- windows_7; microsoft -- windows_server_2003; microsoft -- windows_server_2008; microsoft -- windows_vista; microsoft -- windows_xp | The kernel in Microsoft Windows NT 3.1 through Windows 7, including Windows 2000 SP4, Windows XP SP2 and SP3, Windows Server 2003 SP2, Windows Vista Gold, SP1, and SP2, and Windows Server 2008 Gold and SP2, when access to 16-bit applications is enabled on a 32-bit x86 platform, does not properly validate certain BIOS calls, which allows local users to gain privileges by crafting a VDM_TIB data structure in the Thread Environment Block (TEB), and then calling the NtVdmControl function to start the Windows Virtual DOS Machine (aka NTVDM) subsystem, leading to improperly handled exceptions involving the #GP trap handler (aka nt!KiTrap0D). | 2010-01-21 | 6.6 | CVE-2010-0232 (XF, VUPEN, BID, CONFIRM, SECTRACK, SECUNIA, FULLDISC, MISC, MLIST, CONFIRM) |
| myrephp -- myre_holiday_rental_manager | Cross-site scripting (XSS) vulnerability in search.php in MYRE Holiday Rental Manager allows remote attackers to inject arbitrary web script or HTML via the cat_id1 parameter. | 2010-01-18 | 4.3 | CVE-2009-4616 (MILW0RM, SECUNIA) |
| phpmyadmin -- phpmyadmin | scripts/setup.php (aka the setup script) in phpMyAdmin 2.11.x before 2.11.10 calls the unserialize function on the values of the (1) configuration and (2) v[0] parameters, which might allow remote attackers to conduct cross-site request forgery (CSRF) attacks via unspecified vectors. | 2010-01-19 | 5.0 | CVE-2009-4605 (CONFIRM) |



Low Vulnerabilities

| Primary Vendor -- Product | Description | Published | CVSS Score | Source & Patch Info |
|---|---|---|---|---|
| linux -- kernel | net/bridge/netfilter/ebtables.c in the ebtables module in the netfilter framework in the Linux kernel before 2.6.33-rc4 does not require the CAP_NET_ADMIN capability for setting or modifying rules, which allows local users to bypass intended access restrictions and configure arbitrary network-traffic filtering via a modified ebtables application. | 2010-01-19 | 2.1 | CVE-2010-0007 (VUPEN) |
| roger_lopez -- nodeblock; thomas_turnbull -- nodeblock | Cross-site scripting (XSS) vulnerability in the Node Blocks module 5.x-1.1 and earlier, and 6.x-1.3 and earlier, a module for Drupal, allows remote authenticated users, with permissions to create or edit content and administer blocks, to inject arbitrary web script or HTML via the edit-title parameter (aka block title). | 2010-01-21 | 3.5 | CVE-2010-0370 (BID, OSVDB, CONFIRM, CONFIRM, CONFIRM) |
| zeus -- zeus_web_server | Cross-site scripting (XSS) vulnerability in Zeus Web Server before 4.3r5, when SSL is enabled for the admin server, allows remote attackers to inject arbitrary web script or HTML via unspecified vectors, a different vulnerability than CVE-2002-1785. | 2010-01-20 | 3.5 | CVE-2010-0363 (CONFIRM) |
