Vulnerability Summary for the Week of December 10, 2007
The CISA Vulnerability Bulletin provides a summary of new vulnerabilities that have been recorded in the past week. In some cases, the vulnerabilities in the bulletin may not yet have assigned CVSS scores.
Vulnerabilities are based on the Common Vulnerabilities and Exposures (CVE) vulnerability naming standard and are organized according to severity, determined by the Common Vulnerability Scoring System (CVSS) standard. The division into high, medium, and low severities corresponds to the following scores:
- High: vulnerabilities with a CVSS base score of 7.0–10.0
- Medium: vulnerabilities with a CVSS base score of 4.0–6.9
- Low: vulnerabilities with a CVSS base score of 0.0–3.9
Entries may include additional information provided by organizations and efforts sponsored by CISA. This information may include identifying information, values, definitions, and related links. Patch information is provided when available. Please note that some of the information in the bulletin is compiled from external, open-source reports and is not a direct result of CISA analysis.
High Vulnerabilities

| Primary Vendor -- Product | Description | CVSS Score | Source & Patch Info |
|---|---|---|---|
| Aurora -- Aurora Framework | SQL injection vulnerability in aurora framework before 20071208 allows remote attackers to execute arbitrary SQL commands via unspecified vectors, possibly the value parameter to the pack_var function in module/db.lib/db_mysql.lib. NOTE: some of these details are obtained from third party information. | 7.5 | CVE-2007-6345 OTHER-REF SECUNIA |
| AVS Media -- AVSMJPEGFILE.DLL | Buffer overflow in a certain ActiveX control in Online Media Technologies AVSMJPEGFILE.DLL 1.1.1.102 allows remote attackers to execute arbitrary code via a long first argument to the CreateStill method. | 7.5 | CVE-2007-6327 MILW0RM OTHER-REF BID XF |
| David Castro -- Apache_AuthCAS | SQL injection vulnerability in the David Castro AuthCAS module (AuthCAS.pm) 0.4 for the Apache HTTP Server allows remote attackers to execute arbitrary SQL commands via the SESSION_COOKIE_NAME (session ID) in a cookie. | 7.5 | CVE-2007-6342 BUGTRAQ BID |
| DOSBox -- DOSBox | ** DISPUTED ** DOSBox 0.72 and earlier allows local users to obtain access to the filesystem on the host operating system via the mount command. NOTE: the researcher reports a vendor response stating that this is not a security problem. | 7.2 | CVE-2007-6328 BUGTRAQ FRSIRT XF |
| Falt4 CMS -- Falt4 Extreme RC4 | SQL injection vulnerability in (1) index.php, and possibly (2) admin/index.php, in Falt4Extreme RC4 10.9.2007 allows remote attackers to execute arbitrary SQL commands via the nav_ID parameter. | 7.5 | CVE-2007-6311 BUGTRAQ MILW0RM OTHER-REF OTHER-REF BID |
| GNU -- Emacs | Stack-based buffer overflow in emacs allows user-assisted attackers to cause a denial of service (application crash) and possibly have unspecified other impact via a large precision value in an integer format string specifier to the format function, as demonstrated via a certain "emacs -batch -eval" command line. | 10.0 | CVE-2007-6109 SUSE OTHER-REF GENTOO SECUNIA XF |
| HP -- OpenView Network Node Manager | Multiple stack-based buffer overflows in HP OpenView Network Node Manager (OV NNM) 6.41, 7.01, and 7.51 allow remote attackers to execute arbitrary code via unspecified long arguments to (1) ovlogin.exe, (2) OpenView5.exe, (3) snmpviewer.exe, and (4) webappmon.exe. | 10.0 | CVE-2007-6204 BUGTRAQ OTHER-REF HP BID FRSIRT SECTRACK SECUNIA XF |
| HP -- Info Center | Absolute path traversal vulnerability in the HPInfoDLL.HPInfo.1 ActiveX control in HPInfoDLL.dll 1.0, as shipped with HP Info Center (hpinfocenter.exe) 1.0.1.1 in HP Quick Launch Buttons (QLBCTRL.exe), allows remote attackers to execute arbitrary programs via the first argument to the LaunchApp method. NOTE: only a user-assisted attack is possible on Windows Vista. | 9.3 | CVE-2007-6331 MILW0RM OTHER-REF BID FRSIRT SECTRACK SECUNIA XF |
| HP -- Info Center | The HPInfoDLL.HPInfo.1 ActiveX control in HPInfoDLL.dll 1.0, as shipped with HP Info Center (hpinfocenter.exe) 1.0.1.1 in HP Quick Launch Buttons (QLBCTRL.exe), on Microsoft Windows before Vista allows remote attackers to create or modify arbitrary registry values via the arguments to the SetRegValue method. | 9.3 | CVE-2007-6332 MILW0RM OTHER-REF BID FRSIRT SECTRACK SECUNIA XF |
| Meridian Software -- Prolog Manager | Meridian Prolog Manager 2007, and 7.5 and earlier, sends all usernames and passwords to the client in a (1) cleartext or (2) weakly encrypted format to support client-side login authentication, which makes it easier for remote attackers to obtain database access by capturing credentials via a man-in-the-middle attack. | 10.0 | CVE-2007-6330 BUGTRAQ BID XF |
| Microsoft -- windows_media_format_runtime; Microsoft -- windows_media_services; Microsoft -- Media Format Runtime | Unspecified vulnerability in Windows Media Format Runtime 7.1, 9, 9.5, 9.5 x64 Edition, 11, and Windows Media Services 9.1 for Microsoft Windows 2000, XP, Server 2003, and Vista allows user-assisted remote attackers to execute arbitrary code via a crafted Advanced Systems Format (ASF) file. | 9.3 | CVE-2007-0064 MS |
| Microsoft -- Message Queuing MSMQ | Buffer overflow in the Microsoft Message Queuing (MSMQ) service in Microsoft Windows 2000 Server SP4, Windows 2000 Professional SP4, and Windows XP SP2 allows attackers to execute arbitrary code via unspecified vectors. NOTE: remote vectors exist for Windows 2000 Professional SP4 and Windows XP SP2; they are only local for the other operating systems. | 9.0 | CVE-2007-3039 MS |
| Microsoft -- DirectX | Unspecified vulnerability in Microsoft DirectShow in Microsoft DirectX 7.0 through 10.0 allows remote attackers to execute arbitrary code via a crafted (1) WAV or (2) AVI file. | 9.3 | CVE-2007-3895 MS FRSIRT SECUNIA |
| Microsoft -- DirectX | Unspecified vulnerability in Microsoft DirectShow in Microsoft DirectX 7.0 through 10.0 allows remote attackers to execute arbitrary code via a crafted Synchronized Accessible Media Interchange (SAMI) file. | 10.0 | CVE-2007-3901 MS FRSIRT SECUNIA XF |
| Microsoft -- Internet Explorer | Microsoft Internet Explorer 5.01 through 7 allows remote attackers to execute arbitrary code via a crafted website involving uninitialized or deleted objects, a different issue than CVE-2007-3903 and CVE-2007-5344, one variant of "Uninitialized Memory Corruption Vulnerability." | 10.0 | CVE-2007-3902 |
| Microsoft -- windows-nt | Unspecified vulnerability in the Windows Advanced Local Procedure Call (ALPC) in the kernel in Microsoft Windows Vista allows local users to gain privileges via unspecified vectors involving "legacy reply paths." | 7.2 | CVE-2007-5350 MS |
| scponly -- scponly | scponly 4.6 and earlier allows remote authenticated users to bypass intended restrictions and execute code by invoking dangerous subcommands including (1) unison, (2) rsync, and (3) svn, as originally demonstrated by creating a Subversion (SVN) repository with malicious hooks, then using svn to trigger execution of those hooks. | 8.5 | CVE-2007-6350 OTHER-REF |
Medium Vulnerabilities

| Primary Vendor -- Product | Description | CVSS Score | Source & Patch Info |
|---|---|---|---|
| Apache Software Foundation -- Apache HTTP Server | Cross-site scripting (XSS) vulnerability in the (1) mod_imap module in the Apache HTTP Server 1.3.0 through 1.3.39 and 2.0.35 through 2.0.61 and the (2) mod_imagemap module in the Apache HTTP Server 2.2.0 through 2.2.6 allows remote attackers to inject arbitrary web script or HTML via unspecified vectors. | 4.3 | CVE-2007-5000 OTHER-REF OTHER-REF OTHER-REF FRSIRT FRSIRT SECUNIA SECUNIA |
| City Writer -- CityWriter | PHP remote file inclusion vulnerability in head.php in CityWriter 0.9.7 allows remote attackers to execute arbitrary PHP code via a URL in the path parameter. | 6.8 | CVE-2007-6324 MILW0RM |
| Drupal -- feature_module | Feature 4.7.x-dev and 5.x-dev before 20071206, a Drupal module, does not follow Drupal's Forms API submission model, which allows remote attackers to conduct cross-site request forgery (CSRF) attacks. | 4.3 | CVE-2007-6320 OTHER-REF |
| Ext2 Filesystems Utilities -- e2fsprogs | Multiple integer overflows in libext2fs in e2fsprogs before 1.40.3 allow user-assisted remote attackers to execute arbitrary code via a crafted filesystem image. | 5.8 | CVE-2007-5497 SUSE OTHER-REF DEBIAN UBUNTU BID FRSIRT SECUNIA SECUNIA SECUNIA XF MANDRIVA SECUNIA |
| Falt4 CMS -- Falt4 Extreme RC4 | Multiple cross-site scripting (XSS) vulnerabilities in Falt4Extreme RC4 10.9.2007 allow remote attackers to inject arbitrary web script or HTML via the handler parameter to (1) index.php and possibly (2) admin/index.php, and (3) the topic parameter to modules/feed/feed.php (aka modules/feed.php). | 4.3 | CVE-2007-6310 BUGTRAQ MILW0RM OTHER-REF OTHER-REF BID |
| Fastpublish -- Fastpublish CMS | PHP remote file inclusion vulnerability in adminbereich/designconfig.php in Fastpublish CMS 1.9999 allows remote attackers to execute arbitrary PHP code via a URL in the config[fsBase] parameter, a different vector than CVE-2006-2726. | 6.8 | CVE-2007-6325 MILW0RM FRSIRT SECUNIA |
| GNOME -- Balsa | Stack-based buffer overflow in the ir_fetch_seq function in balsa before 2.3.20 might allow remote IMAP servers to execute arbitrary code via a long response to a FETCH command. | 6.8 | CVE-2007-5007 MLIST OTHER-REF OTHER-REF OTHER-REF GENTOO SUSE BID FRSIRT SECUNIA SECUNIA SECUNIA |
| HP -- Info Center | The HPInfoDLL.HPInfo.1 ActiveX control in HPInfoDLL.dll 1.0, as shipped with HP Info Center (hpinfocenter.exe) 1.0.1.1 in HP Quick Launch Buttons (QLBCTRL.exe), allows remote attackers to read arbitrary registry values via the arguments to the GetRegValue method. | 5.8 | CVE-2007-6333 MILW0RM OTHER-REF BID FRSIRT SECTRACK SECUNIA XF |
| HP -- OpenView Network Node Manager | Cross-site scripting (XSS) vulnerability in HP OpenView Network Node Manager (OV NNM) 6.41, 7.01, and 7.51 allows remote attackers to inject arbitrary web script or HTML via unspecified vectors. | 4.3 | CVE-2007-6343 HP FRSIRT SECTRACK SECUNIA |
| HttpLogger -- HttpLogger | Cross-site scripting (XSS) vulnerability in HttpLogger 0.8.1 allows remote attackers to inject arbitrary web script or HTML via unspecified vectors. | 4.3 | CVE-2007-6308 OTHER-REF OTHER-REF SECUNIA |
| IBM -- Hardware Management Console | Multiple unspecified vulnerabilities in IBM Hardware Management Console (HMC) 7 R3.2.0 allow attackers to gain privileges via "some HMC commands." | 4.6 | CVE-2007-6305 OTHER-REF OTHER-REF SECUNIA |
| JFree -- JFreeChart | Multiple cross-site scripting (XSS) vulnerabilities in the image map feature in JFreeChart 1.0.8 allow remote attackers to inject arbitrary web script or HTML via the (1) chart name or (2) chart tool tip text; or the (3) href, (4) shape, or (5) coords attribute of a chart area. | 4.3 | CVE-2007-6306 BUGTRAQ OTHER-REF OTHER-REF OTHER-REF OTHER-REF BID SECUNIA XF |
| JFree -- JFreeChart | Multiple cross-site scripting (XSS) vulnerabilities in clickstats.php in wwwstats 3.21 allow remote attackers to inject arbitrary web script or HTML via (1) the link parameter or (2) the User-Agent HTTP header. | 4.3 | CVE-2007-6307 BUGTRAQ OTHER-REF BID SECUNIA XF |
| Mcms -- Easy Web Make | Directory traversal vulnerability in modules/cms/index.php in Mcms Easy Web Make 1.3 allows remote attackers to include and execute arbitrary local files via a .. (dot dot) in the template parameter. | 6.8 | CVE-2007-6344 MILW0RM BID SECUNIA XF |
| Microsoft -- Internet Explorer | Microsoft Internet Explorer 5.01 through 7 allows remote attackers to execute arbitrary code via a crafted website involving uninitialized or deleted objects, a different issue than CVE-2007-3902 and CVE-2007-5344, a variant of "Uninitialized Memory Corruption Vulnerability." | 6.8 | CVE-2007-3903 MS |
| Microsoft -- Internet Explorer | Microsoft Internet Explorer 5.01 through 7 allows remote attackers to execute arbitrary code via a crafted website involving uninitialized or deleted objects, a different issue than CVE-2007-3902 and CVE-2007-3903, a variant of "Uninitialized Memory Corruption Vulnerability." | 6.8 | CVE-2007-5344 |
| Microsoft -- Internet Explorer | Microsoft Internet Explorer 5.01 through 7 allows remote attackers to execute arbitrary code via "unexpected method calls to HTML objects," aka "DHTML Object Memory Corruption Vulnerability." | 6.8 | CVE-2007-5347 MS |
| Microsoft -- windows-nt | Unspecified vulnerability in Server Message Block Version 2 (SMBv2) signing support in Microsoft Vista allows remote attackers to force signature re-computation and execute arbitrary code via a crafted SMBv2 packet, aka "SMBv2 Signing Vulnerability." | 6.4 | CVE-2007-5351 MS |
| Microsoft -- Office | Microsoft Office 2007 12.0.6015.5000 and MSO 12.0.6017.5000 do not sign the metadata of Office Open XML (OOXML) documents, which makes it easier for remote attackers to modify Dublin Core metadata fields, as demonstrated by the (1) LastModifiedBy and (2) creator fields in docProps/core.xml in the OOXML ZIP container. | 6.4 | CVE-2007-6329 BUGTRAQ BID |
| MMS Gallery -- MMS Gallery PHP | Multiple directory traversal vulnerabilities in MMS Gallery PHP 1.0 allow remote attackers to read arbitrary files via a .. (dot dot) in the id parameter to (1) get_image.php or (2) get_file.php in mms_template/. | 5.0 | CVE-2007-6323 MILW0RM |
| MySQL -- MySQL | MySQL 5.1.x before 5.1.23 and 6.0.x before 6.0.4 allows remote authenticated users to gain privileges on arbitrary tables via unspecified vectors involving use of table-level DATA DIRECTORY and INDEX DIRECTORY options when creating a partitioned table with the same name as a table on which the user lacks privileges. | 5.8 | CVE-2007-5970 OTHER-REF OTHER-REF |
| MySQL -- MySQL | The federated engine in MySQL 5.0.x before 5.0.52, 5.1.x before 5.1.23, and 6.0.x before 6.0.4, when performing a certain SHOW TABLE STATUS query, does not properly handle a response with a small number of columns, which allows remote MySQL servers to cause a denial of service (federated handler crash and daemon crash) via a response that lacks the minimum required number of columns. | 5.0 | CVE-2007-6304 OTHER-REF OTHER-REF OTHER-REF OTHER-REF |
| Novell -- NetMail | Multiple heap-based buffer overflows in avirus.exe in Novell NetMail 3.5.2 before Messaging Architects M+NetMail 3.52f (aka 3.5.2F) allow remote attackers to execute arbitrary code via unspecified ASCII integers used as memory allocation arguments, aka "ZDI-CVE-162." | 6.8 | CVE-2007-6302 OTHER-REF OTHER-REF FRSIRT SECUNIA BUGTRAQ OTHER-REF BID SECTRACK XF |
| Rainboard -- Rainboard | Cross-site scripting (XSS) vulnerability in Rainboard before 2.10 allows remote attackers to inject arbitrary web script or HTML via unspecified vectors. | 4.3 | CVE-2007-6346 OTHER-REF OTHER-REF SECUNIA |
| Real Time Logic -- BarracudaDrive Web Server; Real Time Logic -- BarracudaDrive Web Server Home Server | BarracudaDrive Web Server before 3.8 allows remote attackers to read the source code for web scripts by appending a (1) + (plus), (2) . (dot), or (3) %80 and similar characters to the file name in the URL. | 5.0 | CVE-2007-6314 BUGTRAQ OTHER-REF BID SECUNIA |
| Real Time Logic -- BarracudaDrive Web Server; Real Time Logic -- BarracudaDrive Web Server Home Server | Group Chat in BarracudaDrive Web Server before 3.8 allows remote authenticated users to cause a denial of service (crash) via an HTTP request to /eh/chat.ehintf/C. that does not contain a Connection ID, which results in a NULL pointer dereference. | 4.0 | CVE-2007-6315 BUGTRAQ OTHER-REF BID SECUNIA |
| Real Time Logic -- BarracudaDrive Web Server; Real Time Logic -- BarracudaDrive Web Server Home Server | Cross-site scripting (XSS) vulnerability in BarracudaDrive Web Server before 3.8 allows remote attackers to inject arbitrary web script or HTML via the URI path in an HTTP GET request, which is activated by administrators viewing log files via the Trace page. | 4.3 | CVE-2007-6316 BUGTRAQ OTHER-REF BID SECUNIA |
| Real Time Logic -- BarracudaDrive Web Server; Real Time Logic -- BarracudaDrive Web Server Home Server | Multiple directory traversal vulnerabilities in BarracudaDrive Web Server before 3.8 allow (1) remote attackers to read arbitrary files via certain ..\ (dot dot backslash) sequences in the URL path, or (2) remote authenticated users to delete arbitrary files or create arbitrary directories via a ..\ (dot dot backslash) sequence in the dir parameter to /drive/c/bdusers/USER/. | 5.5 | CVE-2007-6317 BUGTRAQ OTHER-REF BID SECUNIA |
| Red Hat -- enterprise_linux | The default configuration of autofs 5 in Red Hat Enterprise Linux (RHEL) 5 omits the nosuid option for the hosts (/net filesystem) map, which allows local users to gain privileges via a setuid program on a remote NFS server. | 6.9 | CVE-2007-5964 OTHER-REF REDHAT SECUNIA |
| Roundcube Webmail Project -- Roundcube Webmail | Cross-site scripting (XSS) vulnerability in RoundCube webmail 0.1rc2, 2007-12-09, and earlier versions, when using Internet Explorer, allows remote attackers to inject arbitrary web script or HTML via style sheets containing expression commands. | 4.3 | CVE-2007-6321 BUGTRAQ OTHER-REF XF |
| S9Y -- Serendipity | Cross-site scripting (XSS) vulnerability in the remote RSS sidebar plugin (serendipity_plugin_remoterss) in S9Y Serendipity before 1.2.1 allows remote attackers to inject arbitrary web script or HTML via a link in an RSS feed. | 4.3 | CVE-2007-6205 BUGTRAQ OTHER-REF OTHER-REF BID SECUNIA |
| Samba -- Samba | Stack-based buffer overflow in the send_mailslot function in nmbd in Samba 3.0.0 through 3.0.27a, when the "domain logons" option is enabled, allows remote attackers to execute arbitrary code via a GETDC mailslot request composed of a long GETDC string following an offset username in a SAMLOGON logon request. | 6.8 | CVE-2007-6015 BUGTRAQ BUGTRAQ BUGTRAQ OTHER-REF OTHER-REF REDHAT BID SECUNIA |
| Sergey Lyubka -- Simple HTTPD | Sergey Lyubka Simple HTTPD (shttpd) 1.3 on Windows allows remote attackers to cause a denial of service via a request that includes an MS-DOS device name, as demonstrated by the /aux URI. | 5.0 | CVE-2007-6326 MILW0RM OTHER-REF BID XF |
| Skype Technologies -- Skype | Unspecified vulnerability in the skype4com URI handler in Skype before 3.6 GOLD allows remote attackers to execute arbitrary code via "short string values" that result in heap corruption. | 6.8 | CVE-2007-5989 BUGTRAQ OTHER-REF BID FRSIRT SECUNIA |
| SquirrelMail -- SquirrelMail | SquirrelMail 1.4.11 and 1.4.12, as distributed on www.squirrelmail.org before 20071213, has been externally modified to create a Trojan Horse that introduces a PHP remote file inclusion vulnerability, which allows remote attackers to execute arbitrary code. | 6.8 | CVE-2007-6348 OTHER-REF |
| ViArt -- Helpdesk; ViArt -- Shop Evaluation; ViArt -- Shop Free; ViArt -- CMS | PHP remote file inclusion vulnerability in blocks/block_site_map.php in ViArt (1) CMS 3.3.2, (2) HelpDesk 3.3.2, (3) Shop Evaluation 3.3.2, and (4) Shop Free 3.3.2 allows remote attackers to execute arbitrary PHP code via a URL in the root_folder_path parameter. NOTE: some of these details are obtained from third party information. | 6.8 | CVE-2007-6347 MILW0RM BID SECUNIA |
| Websense -- Web Security Suite; Websense -- Enterprise; Websense -- Reporting Tools | Cross-site scripting (XSS) vulnerability in the logon page in Web Reporting Tools portal in Websense Enterprise and Web Security Suite 6.3 allows remote attackers to inject arbitrary web script or HTML via the username field. | 4.3 | CVE-2007-6312 BUGTRAQ OTHER-REF OTHER-REF BID |
| webSPELL -- webSPELL | Multiple cross-site scripting (XSS) vulnerabilities in index.php in webSPELL 4.1.2 allow remote attackers to inject arbitrary web script or HTML via (1) the galleryID parameter in a usergallery upload action; or the (2) upID, (3) tag, (4) month, (5) userID, or (6) year parameter in a calendar announce action. | 4.3 | CVE-2007-6309 BUGTRAQ BID |
| WordPress -- WordPress | SQL injection vulnerability in wp-includes/query.php in WordPress 2.3.1 and earlier allows remote attackers to execute arbitrary SQL commands via the s parameter, when DB_CHARSET is set to (1) Big5, (2) GBK, or possibly other character set encodings that support a "\" in a multibyte character. | 6.8 | CVE-2007-6318 BUGTRAQ OTHER-REF BID FRSIRT SECUNIA XF FULLDISC |
| xml2owl -- xml2owl | Directory traversal vulnerability in filedownload.php in xml2owl 0.1.1 allows remote attackers to read arbitrary files via a .. (dot dot) in the file parameter. | 5.0 | CVE-2007-6322 MILW0RM |
Low Vulnerabilities

| Primary Vendor -- Product | Description | CVSS Score | Source & Patch Info |
|---|---|---|---|
| MySQL -- MySQL | MySQL 5.0.x before 5.0.52, 5.1.x before 5.1.23, and 6.0.x before 6.0.4 does not update the DEFINER value of a view when the view is altered, which allows remote authenticated users to gain privileges via a sequence of statements including a CREATE SQL SECURITY DEFINER VIEW statement and an ALTER VIEW statement. | 3.5 | CVE-2007-6303 OTHER-REF OTHER-REF OTHER-REF OTHER-REF |