Vulnerability Summary for the Week of August 4, 2008
Released
Aug 11, 2008
Document ID
SB08-224
The CISA Vulnerability Bulletin provides a summary of new vulnerabilities that have been recorded in the past week. In some cases, the vulnerabilities in the bulletin may not yet have assigned CVSS scores.
Vulnerabilities are based on the Common Vulnerabilities and Exposures (CVE) vulnerability naming standard and are organized according to severity, determined by the Common Vulnerability Scoring System (CVSS) standard. The division of high, medium, and low severities correspond to the following scores:
- High: vulnerabilities with a CVSS base score of 7.0–10.0
- Medium: vulnerabilities with a CVSS base score of 4.0–6.9
- Low: vulnerabilities with a CVSS base score of 0.0–3.9
Entries may include additional information provided by organizations and efforts sponsored by CISA. This information may include identifying information, values, definitions, and related links. Patch information is provided when available. Please note that some of the information in the bulletin is compiled from external, open-source reports and is not a direct result of CISA analysis.
Vulnerability Severity:
">
| High Vulnerabilities |
|---|
| Primary Vendor -- Product | Description |
| CVSS Score | Source & Patch Info | ||
|---|---|---|---|---|---|---|
| 8e6 -- R3000 Internet Filter | 8e6 R3000 Internet Filter 2.0.12.10 allows remote attackers to bypass intended restrictions via an extra HTTP Host header with additional leading text placed before the real Host header. |
| 7.8 | CVE-2008-3494 BUGTRAQ BID | ||
| Apple -- iTunes | Apple iTunes before 6.0.5.20 does not properly verify the authenticity of updates, which allows man-in-the-middle attackers to execute arbitrary code via a Trojan horse update, as demonstrated by evilgrade and DNS cache poisoning. |
| 7.5 | CVE-2008-3434 FULLDISC OTHER-REF | ||
| Aspindir -- pcshey_portal | SQL injection vulnerability in kategori.asp in Pcshey Portal allows remote attackers to execute arbitrary SQL commands via the kid parameter. |
| 7.5 | CVE-2008-3495 OTHER-REF BID XF | ||
| bestpractical -- request_tracker | Unspecified vulnerability in Best Practical Solutions RT 3.0.0 through 3.6.6 allows remote authenticated users to cause a denial of service (CPU or memory consumption) via unspecified vectors related to the Devel::StackTrace module for Perl. |
| 9.0 | CVE-2008-3502 MLIST BID XF | ||
| Citrix -- xp Citrix -- MetaFrame Presentation Server | Untrusted search path vulnerability in Citrix MetaFrame Presentation Server allows local users to gain privileges via a malicious icabar.exe placed in the search path. |
| 7.2 | CVE-2008-3485 BUGTRAQ BID | ||
| coppermine-gallery -- coppermine_photo_gallery | themes/sample/theme.php in Coppermine Photo Gallery (CPG) 1.4.18 and earlier allows remote attackers to obtain sensitive information via a direct request, which reveals the installation path in an error message. |
| 7.5 | CVE-2008-3481 MILW0RM | ||
| coppermine-gallery -- coppermine_photo_gallery | Directory traversal vulnerability in the user_get_profile function in include/functions.inc.php in Coppermine Photo Gallery (CPG) 1.4.18 and earlier, when the charset is utf-8, allows remote attackers to include and execute arbitrary local files via a .. (dot dot) in the lang part of serialized data in an _data cookie. |
| 7.5 | CVE-2008-3486 MILW0RM BID | ||
| ektron -- cms4000.net | Unspecified vulnerability in "a page in the workarea folder" in Ektron CMS400.NET 7.00 through 7.04 and 7.50 through 7.52 has unknown impact and attack vectors. |
| 10.0 | CVE-2008-3499 | ||
| estoreaff -- estoreaff | SQL injection vulnerability in eStoreAff 0.1 allows remote attackers to execute arbitrary SQL commands via the cid parameter in a showcat action to index.php. |
| 7.5 | CVE-2008-3484 MILW0RM BID | ||
| GIT -- GIT | Stack-based buffer overflow in the (1) diff_addremove and (2) diff_change functions in GIT before 1.5.6.4 might allow local users to execute arbitrary code via a PATH whose length is larger than the system's PATH_MAX when running GIT utilities such as git-diff or git-grep. |
| 7.5 | CVE-2008-3546 MLIST OTHER-REF BID SECTRACK | ||
| impresscms -- impresscms | Multiple unspecified vulnerabilities in ImpressCMS 1.0 have unknown impact and attack vectors, related to modules/admin.php and "a few files." |
| 10.0 | CVE-2008-3453 OTHER-REF SECUNIA | ||
| Ingres -- Ingres | Untrusted search path vulnerability in ingvalidpw in Ingres 2.6, Ingres 2006 release 1 (aka 9.0.4), and Ingres 2006 release 2 (aka 9.1.0) on Linux and HP-UX allows local users to gain privileges via a crafted shared library, related to a "pointer overwrite vulnerability." |
| 7.2 | CVE-2008-3357 IDEFENSE OTHER-REF BID SECTRACK | ||
| JnSHosts -- php_hosting_directory | JnSHosts PHP Hosting Directory 2.0 allows remote attackers to bypass authentication and gain administrative access by setting the "adm" cookie value to 1. |
| 7.5 | CVE-2008-3454 MILW0RM BID | ||
| JnSHosts -- php_hosting_directory | PHP remote file inclusion vulnerability in include/admin.php in JnSHosts PHP Hosting Directory 2.0 allows remote attackers to execute arbitrary PHP code via a URL in the rd parameter. |
| 10.0 | CVE-2008-3455 MILW0RM BID | ||
| Joomla -- com_netinvoice | SQL injection vulnerability in the nBill (com_netinvoice) component 1.2.0 SP1 for Joomla! allows remote attackers to execute arbitrary SQL commands via the cid parameter in an orders action to index.php. NOTE: some of these details are obtained from third party information. |
| 7.5 | CVE-2008-3498 MILW0RM | ||
| Linux -- Kernel | Buffer overflow in format descriptor parsing in the uvc_parse_format function in drivers/media/video/uvc/uvc_driver.c in uvcvideo in the video4linux (V4L) implementation in the Linux kernel before 2.6.26.1 has unknown impact and attack vectors. |
| 10.0 | CVE-2008-3496 MLIST OTHER-REF BID XF | ||
| LoveCMS -- LoveCMS | LoveCMS 1.6.2 does not require administrative authentication for (1) addblock.php, (2) blocks.php, and (3) themes.php in system/admin/, which allows remote attackers to change the configuration or execute arbitrary PHP code, related to "inserted page blocks." NOTE: the provenance of this information is unknown; the details are obtained solely from third party information. |
| 7.5 | CVE-2008-3509 | ||
| mpfm -- mask_php_file_manager | Unspecified vulnerability in mask PHP File Manager (mPFM) before 2.3 has unknown impact and remote attack vectors related to "manipulation of cookies." |
| 7.5 | CVE-2008-3504 OTHER-REF BID XF | ||
| Notepad++ -- Notepad++ | The GUP generic update process in Notepad++ before 4.8.1 does not properly verify the authenticity of updates, which allows man-in-the-middle attackers to execute arbitrary code via a Trojan horse update, as demonstrated by evilgrade and DNS cache poisoning. |
| 7.5 | CVE-2008-3436 FULLDISC OTHER-REF | ||
| Novell -- iManager | Unspecified vulnerability in Novell iManager before 2.7 SP1 (2.7.1) allows remote attackers to delete Plug-in Studio created Property Book Pages via unknown vectors. |
| 7.5 | CVE-2008-3488 | ||
| Nullsoft -- Winamp | Nullsoft Winamp before 5.24 does not properly verify the authenticity of updates, which allows man-in-the-middle attackers to execute arbitrary code via a Trojan horse update, as demonstrated by evilgrade and DNS cache poisoning. |
| 7.5 | CVE-2008-3441 FULLDISC OTHER-REF SECTRACK | ||
| OpenVPN -- OpenVPN | Unspecified vulnerability in OpenVPN 2.1-beta14 through 2.1-rc8, when running on non-Windows systems, allows remote servers to execute arbitrary commands via crafted (1) "lladdr" and (2) "iproute" configuration directives, probably related to shell metacharacters. |
| 10.0 | CVE-2008-3459 OTHER-REF | ||
| php_nuke -- Kleinanzeigen module | SQL injection vulnerability in the Kleinanzeigen module for PHP-Nuke allows remote attackers to execute arbitrary SQL commands via the lid parameter in a visit action to modules.php. |
| 7.5 | CVE-2008-3512 BUGTRAQ | ||
| php_nuke -- basis_consultant_book_catalog | SQL injection vulnerability in the Book Catalog module 1.0 for PHP-Nuke allows remote attackers to execute arbitrary SQL commands via the catid parameter in a category action to modules.php. NOTE: the provenance of this information is unknown; the details are obtained solely from third party information. |
| 7.5 | CVE-2008-3513 OTHER-REF BID | ||
| phpauctions -- phpauction_gpl_enhanced | SQL injection vulnerability in profile.php in PHPAuction GPL Enhanced 2.51 allows remote attackers to execute arbitrary SQL commands via the id parameter. |
| 7.5 | CVE-2008-3487 MILW0RM BID | ||
| phpMyRealty -- phpMyRealty | SQL injection vulnerability in index.php in phpMyRealty (PMR) 2.0.0 allows remote attackers to execute arbitrary SQL commands via the location parameter. |
| 7.5 | CVE-2008-3445 MILW0RM BID | ||
| PHPX -- PHPX | SQL injection vulnerability in checkCookie function in includes/functions.inc.php in PHPX 3.5.16 allows remote attackers to execute arbitrary SQL commands via a PXL cookie. |
| 7.5 | CVE-2008-3489 MILW0RM BID | ||
| polypager -- polypager | SQL injection vulnerability in PolyPager 1.0 rc2 and earlier allows remote attackers to execute arbitrary SQL commands via the nr parameter to the default URI. |
| 7.5 | CVE-2008-3506 MILW0RM | ||
| Python Software Foundation -- Python | Multiple integer overflows in Python before 2.5.2 might allow context-dependent attackers to have an unknown impact via vectors related to (1) Include/pymem.h; (2) _csv.c, (3) _struct.c, (4) arraymodule.c, (5) audioop.c, (6) binascii.c, (7) cPickle.c, (8) cStringIO.c, (9) cjkcodecs/multibytecodec.c, (10) datetimemodule.c, (11) md5.c, (12) rgbimgmodule.c, and (13) stropmodule.c in Modules/; (14) bufferobject.c, (15) listobject.c, and (16) obmalloc.c in Objects/; (17) Parser/node.c; and (18) asdl.c, (19) ast.c, (20) bltinmodule.c, and (21) compile.c in Python/, as addressed by "checks for integer overflows, contributed by Google." |
| 7.5 | CVE-2008-3143 OTHER-REF OTHER-REF OTHER-REF OTHER-REF GENTOO | ||
| scripts24 -- itgp scripts24 -- ipost | SQL injection vulnerability in go.php in Scripts24 iPost 1.0.1 and iTGP 1.0.4 allows remote attackers to execute arbitrary SQL commands via the id parameter in a report action. |
| 7.5 | CVE-2008-3491 MILW0RM MILW0RM BID BID | ||
| speedbit -- speedbit_video_accelerator | SpeedBit Video Acceleration before 2.2.1.8 does not properly verify the authenticity of updates, which allows man-in-the-middle attackers to execute arbitrary code via a Trojan horse update, as demonstrated by evilgrade and DNS cache poisoning. |
| 7.5 | CVE-2008-3439 FULLDISC OTHER-REF | ||
| Sun -- xvm_virtualbox | The VBoxDrvNtDeviceControl function in VBoxDrv.sys in Sun xVM VirtualBox before 1.6.4 uses the METHOD_NEITHER communication method for IOCTLs and does not properly validate a buffer associated with the Irp object, which allows local users to gain privileges by opening the \\.\VBoxDrv device and calling DeviceIoControl to send a crafted kernel address. |
| 7.2 | CVE-2008-3431 BUGTRAQ OTHER-REF OTHER-REF SUNALERT BID SECTRACK | ||
| wogan_may -- litenews | SQL injection vulnerability in index.php in LiteNews 0.1 (aka 01), and possibly 1.2 and earlier, allows remote attackers to execute arbitrary SQL commands via the id parameter in a view action. |
| 7.5 | CVE-2008-3507 MILW0RM |
| Medium Vulnerabilities |
|---|
| Primary Vendor -- Product | Description |
| CVSS Score | Source & Patch Info | ||
|---|---|---|---|---|---|---|
| americasarmy -- America's Army | America's Army (aka AA or Army Game Project) 2.8.3.1 and earlier allows remote attackers to cause a denial of service (assertion failure and daemon exit) via a crafted UDP packet, probably involving a VoiceIndex value that is outside of the range specified by VOICE_MAX_CHATTERS. |
| 5.0 | CVE-2008-3492 BUGTRAQ OTHER-REF OTHER-REF BID XF | ||
| Apache Software Foundation -- Tomcat | Cross-site scripting (XSS) vulnerability in Apache Tomcat 4.1.0 through 4.1.37, 5.5.0 through 5.5.26, and 6.0.0 through 6.0.16 allows remote attackers to inject arbitrary web script or HTML via a crafted string that is used in the message argument to the HttpServletResponse.sendError method. |
| 4.3 | CVE-2008-1232 BUGTRAQ OTHER-REF OTHER-REF OTHER-REF | ||
| Apache Software Foundation -- Apache | Cross-site scripting (XSS) vulnerability in proxy_ftp.c in the mod_proxy_ftp module in Apache 2.0.63 and earlier, and mod_proxy_ftp.c in the mod_proxy_ftp module in Apache 2.2.9 and earlier 2.2 versions, allows remote attackers to inject arbitrary web script or HTML via wildcards in a pathname in an FTP URI. |
| 4.3 | CVE-2008-2939 OTHER-REF OTHER-REF BID | ||
| Apple -- Mac OS X Server Apple -- Mac OS X | The Repair Permissions tool in Disk Utility in Apple Mac OS X 10.4.11 adds the setuid bit to the emacs executable file, which allows local users to gain privileges by executing commands within emacs. |
| 4.6 | CVE-2008-2324 APPLE BID BID | ||
| Crafty Syntax Live Help -- Crafty Syntax Live Help | Cross-site scripting (XSS) vulnerability in livehelp_js.php in Crafty Syntax Live Help (CSLH) 2.14.6 allows remote attackers to inject arbitrary web script or HTML via the department parameter. |
| 4.3 | CVE-2008-3510 OTHER-REF BID | ||
| Drupal -- suggested_terms_module | Cross-site scripting (XSS) vulnerability in the Suggested Terms module 5.x before 5.x-1.2 for Drupal allows remote authenticated users to inject arbitrary web script or HTML via crafted Taxonomy terms. |
| 4.3 | CVE-2008-3500 OTHER-REF | ||
| e-topbiz -- online_dating | SQL injection vulnerability in members/mail.php in E-topbiz Online Dating 3 1.0 allows remote authenticated users to execute arbitrary SQL commands via the mail_id parameter in a veiw action. |
| 6.5 | CVE-2008-3490 MILW0RM BID | ||
| eNdonesia -- calendar_module eNdonesia -- eNdonesia | SQL injection vulnerability in the Calendar module in eNdonesia 8.4 allows remote attackers to execute arbitrary SQL commands via the loc_id parameter in a list_events action to mod.php. |
| 6.8 | CVE-2008-3452 MILW0RM BID | ||
| Ingres -- Ingres | verifydb in Ingres 2.6, Ingres 2006 release 1 (aka 9.0.4), and Ingres 2006 release 2 (aka 9.1.0) on Linux and other Unix platforms sets the ownership or permissions of an iivdb.log file without verifying that it is the application's own log file, which allows local users to overwrite arbitrary files by creating a symlink with an iivdb.log filename. |
| 4.6 | CVE-2008-3356 IDEFENSE OTHER-REF BID SECTRACK | ||
| Ingres -- Ingres | Stack-based buffer overflow in the libbecompat library in Ingres 2.6, Ingres 2006 release 1 (aka 9.0.4), and Ingres 2006 release 2 (aka 9.1.0) on Linux and HP-UX allows local users to gain privileges by setting a long value of an environment variable before running (1) verifydb, (2) iimerge, or (3) csreport. |
| 4.6 | CVE-2008-3389 IDEFENSE OTHER-REF BID SECTRACK | ||
| MyPHP CMS -- MyPHP CMS | SQL injection vulnerability in pages.php in MyPHP CMS 0.3.1 allows remote attackers to execute arbitrary SQL commands via the pid parameter. |
| 6.8 | CVE-2008-3497 MILW0RM BID XF | ||
| Novell -- Groupwise | Cross-site scripting (XSS) vulnerability in the WebAccess simple interface in Novell Groupwise 7.0.x allows remote attackers to inject arbitrary web script or HTML via unspecified vectors. |
| 4.3 | CVE-2008-3501 BID XF | ||
| Panasonic -- BB_HCM511 Panasonic -- BL_C131 Panasonic -- BB_HCM531 Panasonic -- BB_HCM527 Panasonic -- BB_HCM580 Panasonic -- BB_HCM515 Panasonic -- BL_C111 Panasonic -- BB_HCM581 | Cross-site scripting (XSS) vulnerability in the error page feature in Panasonic Network Camera BL-C111, BL-C131, BB-HCM511, BB-HCM531, BB-HCM580, BB-HCM581, BB-HCM527, and BB-HCM515 allows remote attackers to inject arbitrary web script or HTML via unspecified vectors. |
| 4.3 | CVE-2008-3482 OTHER-REF OTHER-REF | ||
| phpMyAdmin -- phpMyAdmin | phpMyAdmin before 2.11.8 does not sufficiently prevent its pages from using frames that point to pages in other domains, which makes it easier for remote attackers to conduct spoofing or phishing activities via a cross-site framing attack. |
| 6.4 | CVE-2008-3456 OTHER-REF OTHER-REF | ||
| PhpWebGallery -- PhpWebGallery | PhpWebGallery 1.7.0 and 1.7.1 allows remote authenticated users with advisor privileges to obtain the real e-mail addresses of other users by editing the user's profile. |
| 4.0 | CVE-2008-3451 MLIST OTHER-REF OTHER-REF XF | ||
| polypager -- polypager | Cross-site scripting (XSS) vulnerability in PolyPager 1.0 rc2 and earlier allows remote attackers to inject arbitrary web script or HTML via the nr parameter to the default URI. |
| 4.3 | CVE-2008-3505 MILW0RM | ||
| RealVNC -- realvnc_windows_client | vncviewer.exe in RealVNC Windows Client 4.1.2.0 allows remote VNC servers to cause a denial of service (application crash) via a crafted frame buffer update packet. |
| 5.0 | CVE-2008-3493 MILW0RM BID | ||
| screwturn -- screwturn_wiki | Cross-site scripting (XSS) vulnerability in ScrewTurn Wiki 2.0.29 and 2.0.30 allows remote attackers to inject arbitrary web script or HTML via error messages in the "/admin.aspx - System Log" page. |
| 4.3 | CVE-2008-3483 OTHER-REF OTHER-REF BID | ||
| SoftBiz -- Image Gallery | Multiple cross-site scripting (XSS) vulnerabilities in Softbiz Image Gallery (Photo Gallery) allow remote attackers to inject arbitrary web script or HTML via the (1) latest parameter to (a) index.php, (b) images.php, (c) suggest_image.php, and (d) image_desc.php; and the (2) msg parameter to index.php, images.php, and suggest_image.php, and (e) index.php, (f) adminhome.php, (g) config.php, (h) changepassword.php, (i) cleanup.php, (j) browsecats.php, and (k) images.php in admin/. NOTE: the image_desc.php/msg vector is covered by CVE-2006-1660. NOTE: the provenance of this information is unknown; the details are obtained solely from third party information. |
| 4.3 | CVE-2008-3511 OTHER-REF BID | ||
| Sun -- Netra T5220 Server | Unspecified vulnerability in the Sun Netra T5220 Server with firmware 7.1.3 allows local users to cause a denial of service (panic) via unknown vectors. |
| 4.9 | CVE-2008-3548 | ||
| Sun -- opensolaris Sun -- Solaris | Unspecified vulnerability in the pthread_mutex_reltimedlock_np API in Sun Solaris 10 and OpenSolaris before snv_90 allows local users to cause a denial of service (system hang or panic) via unknown vectors. |
| 4.7 | CVE-2008-3549 | ||
| vtiger -- vtiger_crm | Vtiger CRM before 5.0.4 stores sensitive information under the web root with insufficient access control, which allows remote attackers to read mail merge templates via a direct request to the wordtemplatedownload directory. |
| 5.0 | CVE-2008-3458 OTHER-REF OTHER-REF OTHER-REF OTHER-REF OSVDB | ||
| WebGUI -- plain_black_webgui | RSSFromParent in Plain Black WebGUI before 7.5.13 does not restrict view access to Collaboration System (CS) RSS feeds, which allows remote attackers to obtain sensitive information (CS data). |
| 5.0 | CVE-2008-3503 OTHER-REF OTHER-REF BID XF | ||
| wogan_may -- litenews | LiteNews 0.1 (aka 01), and possibly 1.2 and earlier, allows remote attackers to bypass authentication and gain administrative access by setting the admin cookie. |
| 5.0 | CVE-2008-3508 MILW0RM BID |
| Low Vulnerabilities |
|---|
| Primary Vendor -- Product | Description |
| CVSS Score | Source & Patch Info | ||
|---|---|---|---|---|---|---|
| phpMyAdmin -- phpMyAdmin | Cross-site scripting (XSS) vulnerability in setup.php in phpMyAdmin before 2.11.8 allows user-assisted remote attackers to inject arbitrary web script or HTML via crafted setup arguments. NOTE: this issue can only be exploited in limited scenarios in which the attacker must be able to modify config/config.inc.php. |
| 2.6 | CVE-2008-3457 OTHER-REF OTHER-REF |
Please share your thoughts
We recently updated our anonymous product survey; we’d welcome your feedback.