Vulnerability Summary for the Week of October 22, 2007
The CISA Vulnerability Bulletin provides a summary of new vulnerabilities that have been recorded in the past week. In some cases, the vulnerabilities in the bulletin may not yet have assigned CVSS scores.
Vulnerabilities are based on the Common Vulnerabilities and Exposures (CVE) vulnerability naming standard and are organized according to severity, determined by the Common Vulnerability Scoring System (CVSS) standard. The division of high, medium, and low severities corresponds to the following scores:
- High: vulnerabilities with a CVSS base score of 7.0–10.0
- Medium: vulnerabilities with a CVSS base score of 4.0–6.9
- Low: vulnerabilities with a CVSS base score of 0.0–3.9
Entries may include additional information provided by organizations and efforts sponsored by CISA. This information may include identifying information, values, definitions, and related links. Patch information is provided when available. Please note that some of the information in the bulletin is compiled from external, open-source reports and is not a direct result of CISA analysis.
High Vulnerabilities

| Primary Vendor -- Product | Description | CVSS Score | Source & Patch Info |
|---|---|---|---|
| almico -- SpeedFan | Speedfan.sys in Alfredo Milani Comparetti SpeedFan 4.33, when used on Microsoft Windows Vista x64, allows local users to read or write arbitrary MSRs, and gain privileges and load unsigned drivers, via the (1) IOCTL_RDMSR 0x9C402438 and (2) IOCTL_WRMSR 0x9C40243C IOCTLs to \Device\speedfan, as demonstrated by an IOCTL_WRMSR action on MSR_LSTAR. | 7.2 | CVE-2007-5633 OTHER-REF OTHER-REF BID |
| BBsProcesS -- BBPortalS | SQL injection vulnerability in tnews.php in BBsProcesS BBPortalS 1.5.10 through 2.0 allows remote attackers to execute arbitrary SQL commands via the id parameter in a tnews action. | 7.5 | CVE-2007-5630 MILW0RM |
| btglobalservices -- BT Consumer webhelper | Multiple buffer overflows in the British Telecommunications Consumer webhelper ActiveX control before 2.0.0.8 in btwebcontrol.dll allow remote attackers to execute arbitrary code via unspecified vectors. | 9.3 | CVE-2007-2983 CERT-VN BID FRSIRT SECUNIA XF |
| Cisco -- IOS; Cisco -- CatOS | Unspecified vulnerability in the Extensible Authentication Protocol (EAP) implementation in Cisco IOS 12.3 and 12.4 on Cisco Access Points and 1310 Wireless Bridges (Wireless EAP devices), IOS 12.1 and 12.2 on Cisco switches (Wired EAP devices), and CatOS 6.x through 8.x on Cisco switches allows remote attackers to cause a denial of service (device reload) via a crafted EAP Response Identity packet. | 7.1 | CVE-2007-5651 CISCO BID |
| deeemm -- DMCMS | SQL injection vulnerability in index.php in DeeEmm.com DM CMS 0.7.0.Beta allows remote attackers to execute arbitrary SQL commands via the id parameter in the media page (build_media_content.php). | 7.5 | CVE-2007-5679 BUGTRAQ BID XF |
| IBM -- DB2 | Unspecified vulnerability in IBM DB2 9.1 before Fix Pack 4 might allow attackers to cause a denial of service (instance crash) or trigger memory corruption via unspecified vectors involving DB2 UDB authentication. | 7.8 | CVE-2007-5652 OTHER-REF AIXAPAR FRSIRT SECUNIA |
| Lussumo -- Vanilla | Multiple SQL injection vulnerabilities in Lussumo Vanilla 1.1.3 and earlier allow remote attackers to execute arbitrary SQL commands via (1) the CategoryID parameter to ajax/sortcategories.php or (2) an unspecified vector to ajax/sortroles.php. | 7.5 | CVE-2007-5643 MILW0RM BID |
| Lussumo -- Vanilla | Lussumo Vanilla 1.1.3 and earlier does not require admin privileges for (1) ajax/sortcategories.php and (2) ajax/sortroles.php, which allows remote attackers to conduct unauthorized sort operations and other activities. | 7.5 | CVE-2007-5644 MILW0RM |
| MultiXTpm -- Application Server | Stack-based buffer overflow in the DebugPrint function in MultiXTpm Application Server before 4.0.2d allows remote attackers to execute arbitrary code via a long string argument. | 7.5 | CVE-2007-5675 OTHER-REF BID SECUNIA |
| Nortel -- IP softphone | Buffer overflow in the Nortel UNIStim IP Softphone 2050 allows remote attackers to cause a denial of service (application abort) and possibly execute arbitrary code via a flood of invalid characters to the RTCP port (5678/udp) that triggers a Windows error message, aka "extraneous messaging." | 7.5 | CVE-2007-5636 BUGTRAQ OTHER-REF OTHER-REF BID FRSIRT SECUNIA XF |
| Nortel -- Mobile Voice Client; Nortel -- IP softphone | The Nortel UNIStim IP Softphone 2050, IP Phone 1140E, and other Nortel IP Phone, Mobile Voice Client, and WLAN Handsets products allow remote attackers to cause a denial of service (device hang) via a flood of Mute and UnMute messages that have a spoofed source IP address for the Signaling Server. | 7.1 | CVE-2007-5639 BUGTRAQ OTHER-REF OTHER-REF BID XF |
| Nortel -- Mobile Voice Client; Nortel -- Centrex IP Element Manager; Nortel -- Business Communications Manager; Nortel -- Meridian SL100; Nortel -- Meridian-Core-Option; Nortel -- Centrex IP Client Manager | The Nortel UNIStim IP Softphone 2050, IP Phone 1140E, and additional Nortel products from the IP Phone, Business Communications Manager (BCM), Mobile Voice Client, and other product lines, allow remote attackers to block calls and force re-registration via a resume message to the Signaling Server that has a spoofed source IP address for the phone. NOTE: the attack is more disruptive if a new spoofed resume message is sent after each re-registration. | 7.1 | CVE-2007-5640 BUGTRAQ OTHER-REF OTHER-REF BID SECUNIA XF |
| PHP -- PHP | The Component Object Model (COM) functions in PHP 5.x on Windows do not follow safe_mode and disable_functions restrictions, which allows context-dependent attackers to bypass intended limitations, as demonstrated by executing objects with the kill bit set in the corresponding ActiveX control Compatibility Flags, executing programs via a function in compatUI.dll, invoking wscript.shell via wscript.exe, invoking Scripting.FileSystemObject via wshom.ocx, and adding users via a function in shgina.dll, related to the com_load_typelib function. | 9.3 | CVE-2007-5653 MILW0RM |
| phpBasic -- phpBasic | SQL injection vulnerability in the Music module in phpBasic allows remote attackers to execute arbitrary SQL commands via the id parameter in a view action to the default URI. | 7.5 | CVE-2007-5678 BUGTRAQ |
| ReloadCMS -- ReloadCMS | Directory traversal vulnerability in system.php in ReloadCMS 1.2.7 allows remote attackers to include and execute arbitrary local files via a .. (dot dot) in the module parameter to index.php. | 7.5 | CVE-2007-5650 BUGTRAQ BID |
| Salford Software -- Support Incident Tracker | Multiple unspecified vulnerabilities in Salford Software Support Incident Tracker (SiT!) before 3.30 have unknown impact and attack vectors. | 10.0 | CVE-2007-5635 OTHER-REF SECUNIA |
| Simple Machines -- Simple Machines Forum; MySQL -- MySQL | SQL injection vulnerability in Sources/Search.php in Simple Machines Forum (SMF) 1.1.3, when MySQL 5 is used, allows remote attackers to execute arbitrary SQL commands via the userspec parameter in a search2 action to index.php. | 7.5 | CVE-2007-5646 BUGTRAQ MILW0RM OTHER-REF BID |
| zehnet -- ZZ FlashChat | Directory traversal vulnerability in admin/inc/help.php in ZZ:FlashChat 3.1 and earlier allows remote attackers to include and execute arbitrary local files via a .. (dot dot) in the file parameter. | 7.5 | CVE-2007-5620 MILW0RM |
Medium Vulnerabilities

| Primary Vendor -- Product | Description | CVSS Score | Source & Patch Info |
|---|---|---|---|
| Alcatel-Lucent -- OmniVista | Multiple cross-site scripting (XSS) vulnerabilities in Alcatel OmniVista 4760 R4.2 and earlier allow remote attackers to inject arbitrary web script or HTML via (1) the action parameter to php-bin/Webclient.php or (2) the Langue parameter to the default URI. | 4.3 | CVE-2007-5190 BUGTRAQ OTHER-REF OTHER-REF BID FRSIRT SECUNIA |
| almico -- SpeedFan | Speedfan.sys in Alfredo Milani Comparetti SpeedFan 4.33, when used on Microsoft Windows Vista x64, does not properly check a buffer during an IOCTL 0x9c402420 call, which allows local users to cause a denial of service (machine crash) and possibly gain privileges via unspecified vectors. | 4.9 | CVE-2007-5634 OTHER-REF |
| CA -- Host-Based Intrusion Prevention System | Cross-site scripting (XSS) vulnerability in the Server component in CA Host-Based Intrusion Prevention System (HIPS) before 8.0.0.93 allows remote attackers to inject arbitrary web script or HTML via requests that are written to logs for later display in the log viewer. | 4.3 | CVE-2007-5472 OTHER-REF FRSIRT SECUNIA |
| CandyPress -- CandyPress Store | Cross-site scripting (XSS) vulnerability in admin/logon.asp in ShoppingTree CandyPress Store 4.1 allows remote attackers to inject arbitrary web script or HTML via the msg parameter, a different vector than CVE-2007-2804. NOTE: the provenance of this information is unknown; the details are obtained solely from third party information. | 4.3 | CVE-2007-5629 OTHER-REF BID |
| Creative Digital Resources -- SocketMail | Cross-site scripting (XSS) vulnerability in lostpwd.php in Creative Digital Resources SocketMail 2.2.1 allows remote attackers to inject arbitrary web script or HTML via the lost_id parameter. | 4.3 | CVE-2007-5649 OTHER-REF BID |
| Hackish -- Hackish | Cross-site scripting (XSS) vulnerability in shoutbox/blocco.php in Hackish BETA 1.1 allows remote attackers to inject arbitrary web script or HTML via the go_shout parameter. | 4.3 | CVE-2007-5677 BUGTRAQ BID |
| ifnet -- Webif | Cross-site scripting (XSS) vulnerability in cgi-bin/webif.exe in ifnet WebIf allows remote attackers to inject arbitrary web script or HTML via the cmd parameter. | 4.3 | CVE-2007-5673 FULLDISC FULLDISC BID SECUNIA |
| instaguide -- weather | Directory traversal vulnerability in index.php in InstaGuide Weather (aka Weather for PHP) 1.0, when magic_quotes_gpc is disabled, allows remote attackers to include and execute arbitrary local files via a .. (dot dot) in the PageName parameter. | 6.8 | CVE-2007-5674 MILW0RM BID SECUNIA |
| LiteSpeed Technologies -- LiteSpeed Web Server | LiteSpeed Web Server before 3.2.4 allows remote attackers to trigger use of an arbitrary MIME type for a file via a "%00." sequence followed by a new extension, as demonstrated by reading PHP source code via requests for .php%00.txt files, aka "Mime Type Injection." | 6.8 | CVE-2007-5654 MILW0RM OTHER-REF |
| Mozilla -- Firefox | Mozilla Firefox 2.0 before 2.0.0.8 allows remote attackers to obtain sensitive system information by using the addMicrosummaryGenerator sidebar method to access file: URIs. | 4.3 | CVE-2007-5335 OTHER-REF |
| Nagios -- Plugins | Buffer overflow in the check_snmp function in Nagios Plugins (nagios-plugins) 1.4.10 allows remote attackers to cause a denial of service (crash) via crafted snmpget replies. | 5.0 | CVE-2007-5623 OTHER-REF |
| Nagios -- Nagios | Cross-site scripting (XSS) vulnerability in Nagios 2.x before 2.10 allows remote attackers to inject arbitrary web script or HTML via unknown vectors to unspecified CGI scripts. | 4.3 | CVE-2007-5624 OTHER-REF SECUNIA |
| Nortel -- Mobile Voice Client; Nortel -- Centrex IP Element Manager; Nortel -- Business Communications Manager; Nortel -- Meridian SL100; Nortel -- Meridian-Core-Option; Nortel -- Centrex IP Client Manager | The Nortel UNIStim IP Softphone 2050, IP Phone 1140E, and additional Nortel products from the IP Phone, Business Communications Manager (BCM), and other product lines allow remote attackers to eavesdrop on the physical environment via an Open Audio Stream message that enables "surveillance mode." NOTE: issues relating to a small ID number space can be leveraged to make this attack easier. | 4.3 | CVE-2007-5637 BUGTRAQ OTHER-REF OTHER-REF BID SECUNIA XF |
| Nortel -- Mobile Voice Client; Nortel -- Centrex IP Element Manager; Nortel -- Business Communications Manager; Nortel -- Meridian SL100; Nortel -- Meridian-Core-Option; Nortel -- Centrex IP Client Manager | The Nortel UNIStim IP Softphone 2050, IP Phone 1140E, and additional Nortel products from the IP Phone, Business Communications Manager (BCM), and other product lines, use only 65536 different values in the 32-bit ID number field of an RUDP datagram, which makes it easier for remote attackers to guess the RUDP ID and spoof messages. NOTE: this can be leveraged for an eavesdropping attack by sending many Open Audio Stream messages. | 4.3 | CVE-2007-5638 BUGTRAQ OTHER-REF BID SECUNIA XF |
| PeopleAggregator -- PeopleAggregator | Multiple PHP remote file inclusion vulnerabilities in PeopleAggregator 1.2pre6 allow remote attackers to execute arbitrary PHP code via a URL in the current_blockmodule_path parameter to (1) AudiosMediaGalleryModule/AudiosMediaGalleryModule.php, (2) ImagesMediaGalleryModule/ImagesMediaGalleryModule.php, (3) MembersFacewallModule/MembersFacewallModule.php, (4) NewestGroupsModule/NewestGroupsModule.php, (5) UploadMediaModule/UploadMediaModule.php, and (6) VideosMediaGalleryModule/VideosMediaGalleryModule.php in BetaBlockModules/; and (7) the path_prefix parameter to several components. | 6.8 | CVE-2007-5631 MILW0RM |
| PHP-Nuke -- PHP-Nuke Platinum | PHP remote file inclusion vulnerability in modules/Forums/favorites.php in PHP-Nuke Platinum 7.6.b.5 allows remote attackers to execute arbitrary PHP code via a URL in the nuke_bb_root_path parameter. | 6.8 | CVE-2007-5676 MILW0RM |
| phppm -- PHP Project Management | Multiple PHP remote file inclusion vulnerabilities in PHP Project Management 0.8.10 and earlier allow remote attackers to execute arbitrary PHP code via a URL in the full_path parameter to (1) certinfo/index.php, (2) emails/index.php, (3) events/index.php, (4) fax/index.php, (5) files/index.php, (6) files/list.php, (7) groupadm/index.php, (8) history/index.php, (9) info/index.php, (10) log/index.php, (11) mail/index.php, (12) messages/index.php, (13) organizations/index.php, (14) phones/index.php, (15) presence/index.php, (16) projects/index.php, (17) projects/summary.inc.php, (18) projects/list.php, (19) reports/index.php, (20) search/index.php, (21) snf/index.php?full_path, (22) syslog/index.php, (23) tasks/searchsimilar.php, (24) tasks/index.php, (25) tasks/summary.inc.php, and (26) useradm/index.php in modules; (27) /ajax/loadsplash.php; (28) /blocks/birthday.php; (29) /blocks/events.php; and (30) /blocks/help.php. | 6.8 | CVE-2007-5641 MILW0RM |
| phppm -- PHP Project Management | Multiple directory traversal vulnerabilities in PHP Project Management 0.8.10 and earlier allow remote attackers to include and execute arbitrary local files via a .. (dot dot) in (1) the def_lang parameter to modules/files/list.php; the m_path parameter to (2) modules/projects/summary.inc.php or (3) modules/tasks/summary.inc.php; (4) the module parameter to modules/projects/list.php; or the module parameter to index.php in the (5) certinfo, (6) emails, (7) events, (8) fax, (9) files, (10) groupadm, (11) history, (12) info, (13) log, (14) mail, (15) messages, (16) organizations, (17) phones, (18) presence, (19) projects, (20) reports, (21) search, (22) snf, (23) syslog, (24) tasks, or (25) useradm subdirectory of modules/. | 6.8 | CVE-2007-5642 MILW0RM |
| redhat -- enterprise_linux | Unspecified vulnerability in the stack unwinder fixes in Red Hat Enterprise Linux 5, when running on AMD64 and Intel 64, allows local users to cause a denial of service via unknown vectors. | 4.7 | CVE-2007-4574 REDHAT |
| rnote -- rnote | Multiple cross-site scripting (XSS) vulnerabilities in rnote.php in rNote 0.9.7.5 allow remote attackers to inject arbitrary web script or HTML via the (1) d or the (2) u parameter. | 4.3 | CVE-2007-5648 OTHER-REF BID |
| simongibson -- ASP Site Search SearchSimon Lite | Cross-site scripting (XSS) vulnerability in filename.asp in ASP Site Search SearchSimon Lite 1.0 allows remote attackers to inject arbitrary web script or HTML via the QUERY parameter. | 4.3 | CVE-2007-5625 BUGTRAQ BID SECUNIA |
| SocketKB -- SocketKB | Multiple cross-site scripting (XSS) vulnerabilities in SocketKB 1.1.5 allow remote attackers to inject arbitrary web script or HTML via the (1) art_id or (2) node parameter in an article action to the default URI. | 4.3 | CVE-2007-5647 OTHER-REF BID SECUNIA |
| SocketMail -- SocketMail | PHP remote file inclusion vulnerability in content/fnc-readmail3.php in SocketMail 2.2.8 allows remote attackers to execute arbitrary PHP code via a URL in the __SOCKETMAIL_ROOT parameter. | 6.8 | CVE-2007-5627 MILW0RM |
| Sun -- Solaris | Multiple unspecified vulnerabilities in the kernel in Sun Solaris 8 through 10 allow local users to cause a denial of service (panic), related to the support for retrieval of kernel statistics, and possibly related to the sfmmu_mlspl_enter or sfmmu_mlist_enter functions. | 4.9 | CVE-2007-5632 SUNALERT FRSIRT SECTRACK SECUNIA XF |
| TOWeLs -- TOWeLS | PHP remote file inclusion vulnerability in src/scripture.php in TOWeLS 0.1 allows remote attackers to execute arbitrary PHP code via a URL in the pageHeaderFile parameter. | 6.8 | CVE-2007-5628 MILW0RM |
Low Vulnerabilities

| Primary Vendor -- Product | Description | CVSS Score | Source & Patch Info |
|---|---|---|---|
| bacula -- Bacula backup | make_catalog_backup in Bacula 2.2.5, and probably earlier, sends a MySQL password as a command line argument, and sometimes transmits cleartext e-mail containing this command line, which allows context-dependent attackers to obtain the password by listing the process and its arguments, or by sniffing the network. | 2.1 | CVE-2007-5626 OTHER-REF OTHER-REF FRSIRT SECUNIA |
| Drupal -- Fullname field for CCK; Drupal -- Ubercart Module; Drupal -- ASIN Field Module; Drupal -- Drupal; Drupal -- e-Commerce Module; Drupal -- Pathauto Module; Drupal -- PayPal Node Module; Drupal -- Invite Module; Drupal -- Node Relativity Module; Drupal -- Token Module | Multiple cross-site scripting (XSS) vulnerabilities in the Token module before 4.7.x-1.5, and 5.x before 5.x-1.9, for Drupal; as used by the ASIN Field, e-Commerce, Fullname field for CCK, Invite, Node Relativity, Pathauto, PayPal Node, and Ubercart modules; allow remote authenticated users with a post comments privilege to inject arbitrary web script or HTML via unspecified vectors related to (1) comments, (2) vocabulary names, (3) term names, and (4) usernames. | 3.5 | CVE-2007-5621 OTHER-REF SECUNIA |
| Linux -- Kernel | The eHCA driver in Linux kernel 2.6 before 2.6.22, when running on PowerPC, does not properly map userspace resources, which allows local users to read portions of physical address space. | 1.9 | CVE-2007-3850 OTHER-REF REDHAT |