Bulletin (SB07-302)

Vulnerability Summary for the Week of October 22, 2007

Original Release date: Oct 29, 2007 | Last revised: -

The US-CERT Cyber Security Bulletin provides a summary of new vulnerabilities that have been recorded by the National Institute of Standards and Technology (NIST) National Vulnerability Database (NVD) in the past week. The NVD is sponsored by the Department of Homeland Security (DHS) National Cybersecurity and Communications Integration Center (NCCIC) / United States Computer Emergency Readiness Team (US-CERT). For modified or updated entries, please visit the NVD, which contains historical vulnerability information.

The vulnerabilities are based on the CVE vulnerability naming standard and are organized according to severity, determined by the Common Vulnerability Scoring System (CVSS) standard. The division of high, medium, and low severities corresponds to the following scores:

Entries may include additional information provided by organizations and efforts sponsored by US-CERT. This information may include identifying information, values, definitions, and related links. Patch information is provided when available. Please note that some of the information in the bulletins is compiled from external, open source reports and is not a direct result of US-CERT analysis.


High Vulnerabilities
Primary Vendor -- Product
Description
Discovered
Published
CVSS Score
Source & Patch Info
almico -- SpeedFan
Speedfan.sys in Alfredo Milani Comparetti SpeedFan 4.33, when used on Microsoft Windows Vista x64, allows local users to read or write arbitrary MSRs, and gain privileges and load unsigned drivers, via the (1) IOCTL_RDMSR 0x9C402438 and (2) IOCTL_WRMSR 0x9C40243C IOCTLs to \Device\speedfan, as demonstrated by an IOCTL_WRMSR action on MSR_LSTAR.
unknown
2007-10-23
7.2
CVE-2007-5633
OTHER-REF
OTHER-REF
BID
BBsProcesS -- BBPortalS
SQL injection vulnerability in tnews.php in BBsProcesS BBPortalS 1.5.10 through 2.0 allows remote attackers to execute arbitrary SQL commands via the id parameter in a tnews action.
unknown
2007-10-23
7.5
CVE-2007-5630
MILW0RM
btglobalservices -- BT Consumer webhelper
Multiple buffer overflows in the British Telecommunications Consumer webhelper ActiveX control before 2.0.0.8 in btwebcontrol.dll allow remote attackers to execute arbitrary code via unspecified vectors.
unknown
2007-10-25
9.3
CVE-2007-2983
CERT-VN
BID
FRSIRT
SECUNIA
XF
Cisco -- IOS
Cisco -- CatOS
Unspecified vulnerability in the Extensible Authentication Protocol (EAP) implementation in Cisco IOS 12.3 and 12.4 on Cisco Access Points and 1310 Wireless Bridges (Wireless EAP devices), IOS 12.1 and 12.2 on Cisco switches (Wired EAP devices), and CatOS 6.x through 8.x on Cisco switches allows remote attackers to cause a denial of service (device reload) via a crafted EAP Response Identity packet.
unknown
2007-10-23
7.1
CVE-2007-5651
CISCO
BID
deeemm -- DMCMS
SQL injection vulnerability in index.php in DeeEmm.com DM CMS 0.7.0.Beta allows remote attackers to execute arbitrary SQL commands via the id parameter in the media page (build_media_content.php).
unknown
2007-10-24
7.5
CVE-2007-5679
BUGTRAQ
BID
XF
IBM -- DB2
Unspecified vulnerability in IBM DB2 9.1 before Fix Pack 4 might allow attackers to cause a denial of service (instance crash) or trigger memory corruption via unspecified vectors involving DB2 UDB authentication.
unknown
2007-10-23
7.8
CVE-2007-5652
OTHER-REF
AIXAPAR
FRSIRT
SECUNIA
Lussumo -- Vanilla
Multiple SQL injection vulnerabilities in Lussumo Vanilla 1.1.3 and earlier allow remote attackers to execute arbitrary SQL commands via (1) the CategoryID parameter to ajax/sortcategories.php or (2) an unspecified vector to ajax/sortroles.php.
unknown
2007-10-23
7.5
CVE-2007-5643
MILW0RM
BID
Lussumo -- Vanilla
Lussumo Vanilla 1.1.3 and earlier does not require admin privileges for (1) ajax/sortcategories.php and (2) ajax/sortroles.php, which allows remote attackers to conduct unauthorized sort operations and other activities.
unknown
2007-10-23
7.5
CVE-2007-5644
MILW0RM
MultiXTpm -- Application Server
Stack-based buffer overflow in the DebugPrint function in MultiXTpm Application Server before 4.0.2d allows remote attackers to execute arbitrary code via a long string argument.
unknown
2007-10-24
7.5
CVE-2007-5675
OTHER-REF
BID
SECUNIA
Nortel -- IP softphone
Buffer overflow in the Nortel UNIStim IP Softphone 2050 allows remote attackers to cause a denial of service (application abort) and possibly execute arbitrary code via a flood of invalid characters to the RTCP port (5678/udp) that triggers a Windows error message, aka "extraneous messaging."
unknown
2007-10-23
7.5
CVE-2007-5636
BUGTRAQ
OTHER-REF
OTHER-REF
BID
FRSIRT
SECUNIA
XF
Nortel -- Mobile Voice Client
Nortel -- IP softphone
The Nortel UNIStim IP Softphone 2050, IP Phone 1140E, and other Nortel IP Phone, Mobile Voice Client, and WLAN Handsets products allow remote attackers to cause a denial of service (device hang) via a flood of Mute and UnMute messages that have a spoofed source IP address for the Signaling Server.
unknown
2007-10-23
7.1
CVE-2007-5639
BUGTRAQ
OTHER-REF
OTHER-REF
BID
XF
Nortel -- Mobile Voice Client
Nortel -- Centrex IP Element Manager
Nortel -- Business Communications Manager
Nortel -- Meridian SL100
Nortel -- Meridian-Core-Option
Nortel -- Centrex IP Client Manager
The Nortel UNIStim IP Softphone 2050, IP Phone 1140E, and additional Nortel products from the IP Phone, Business Communications Manager (BCM), Mobile Voice Client, and other product lines, allow remote attackers to block calls and force re-registration via a resume message to the Signaling Server that has a spoofed source IP address for the phone. NOTE: the attack is more disruptive if a new spoofed resume message is sent after each re-registration.
unknown
2007-10-23
7.1
CVE-2007-5640
BUGTRAQ
OTHER-REF
OTHER-REF
BID
SECUNIA
XF
PHP -- PHP
The Component Object Model (COM) functions in PHP 5.x on Windows do not follow safe_mode and disable_functions restrictions, which allows context-dependent attackers to bypass intended limitations, as demonstrated by executing objects with the kill bit set in the corresponding ActiveX control Compatibility Flags, executing programs via a function in compatUI.dll, invoking wscript.shell via wscript.exe, invoking Scripting.FileSystemObject via wshom.ocx, and adding users via a function in shgina.dll, related to the com_load_typelib function.
unknown
2007-10-23
9.3
CVE-2007-5653
MILW0RM
phpBasic -- phpBasic
SQL injection vulnerability in the Music module in phpBasic allows remote attackers to execute arbitrary SQL commands via the id parameter in a view action to the default URI.
unknown
2007-10-24
7.5
CVE-2007-5678
BUGTRAQ
ReloadCMS -- ReloadCMS
Directory traversal vulnerability in system.php in ReloadCMS 1.2.7 allows remote attackers to include and execute arbitrary local files via a .. (dot dot) in the module parameter to index.php.
unknown
2007-10-23
7.5
CVE-2007-5650
BUGTRAQ
BID
Salford Software -- Support Incident Tracker
Multiple unspecified vulnerabilities in Salford Software Support Incident Tracker (SiT!) before 3.30 have unknown impact and attack vectors.
unknown
2007-10-23
10.0
CVE-2007-5635
OTHER-REF
SECUNIA
Simple Machines -- Simple Machines Forum
MySQL -- MySQL
SQL injection vulnerability in Sources/Search.php in Simple Machines Forum (SMF) 1.1.3, when MySQL 5 is used, allows remote attackers to execute arbitrary SQL commands via the userspec parameter in a search2 action to index.php.
unknown
2007-10-23
7.5
CVE-2007-5646
BUGTRAQ
MILW0RM
OTHER-REF
BID
zehnet -- ZZ FlashChat
Directory traversal vulnerability in admin/inc/help.php in ZZ:FlashChat 3.1 and earlier allows remote attackers to include and execute arbitrary local files via a .. (dot dot) in the file parameter.
unknown
2007-10-22
7.5
CVE-2007-5620
MILW0RM

Medium Vulnerabilities
Primary Vendor -- Product
Description
Discovered
Published
CVSS Score
Source & Patch Info
Alcatel-Lucent -- OmniVista
Multiple cross-site scripting (XSS) vulnerabilities in Alcatel OmniVista 4760 R4.2 and earlier allow remote attackers to inject arbitrary web script or HTML via (1) the action parameter to php-bin/Webclient.php or (2) the Langue parameter to the default URI.
unknown
2007-10-22
4.3
CVE-2007-5190
BUGTRAQ
OTHER-REF
OTHER-REF
BID
FRSIRT
SECUNIA
almico -- SpeedFan
Speedfan.sys in Alfredo Milani Comparetti SpeedFan 4.33, when used on Microsoft Windows Vista x64, does not properly check a buffer during an IOCTL 0x9c402420 call, which allows local users to cause a denial of service (machine crash) and possibly gain privileges via unspecified vectors.
unknown
2007-10-23
4.9
CVE-2007-5634
OTHER-REF
CA -- Host-Based Intrusion Prevention System
Cross-site scripting (XSS) vulnerability in the Server component in CA Host-Based Intrusion Prevention System (HIPS) before 8.0.0.93 allows remote attackers to inject arbitrary web script or HTML via requests that are written to logs for later display in the log viewer.
unknown
2007-10-22
4.3
CVE-2007-5472
OTHER-REF
FRSIRT
SECUNIA
CandyPress -- CandyPress Store
Cross-site scripting (XSS) vulnerability in admin/logon.asp in ShoppingTree CandyPress Store 4.1 allows remote attackers to inject arbitrary web script or HTML via the msg parameter, a different vector than CVE-2007-2804. NOTE: the provenance of this information is unknown; the details are obtained solely from third party information.
unknown
2007-10-23
4.3
CVE-2007-5629
OTHER-REF
BID
Creative Digital Resources -- SocketMail
Cross-site scripting (XSS) vulnerability in lostpwd.php in Creative Digital Resources SocketMail 2.2.1 allows remote attackers to inject arbitrary web script or HTML via the lost_id parameter.
unknown
2007-10-23
4.3
CVE-2007-5649
OTHER-REF
BID
Hackish -- Hackish
Cross-site scripting (XSS) vulnerability in shoutbox/blocco.php in Hackish BETA 1.1 allows remote attackers to inject arbitrary web script or HTML via the go_shout parameter.
unknown
2007-10-24
4.3
CVE-2007-5677
BUGTRAQ
BID
ifnet -- Webif
Cross-site scripting (XSS) vulnerability in cgi-bin/webif.exe in ifnet WebIf allows remote attackers to inject arbitrary web script or HTML via the cmd parameter.
unknown
2007-10-24
4.3
CVE-2007-5673
FULLDISC
FULLDISC
BID
SECUNIA
instaguide -- weather
Directory traversal vulnerability in index.php in InstaGuide Weather (aka Weather for PHP) 1.0, when magic_quotes_gpc is disabled, allows remote attackers to include and execute arbitrary local files via a .. (dot dot) in the PageName parameter.
unknown
2007-10-24
6.8
CVE-2007-5674
MILW0RM
BID
SECUNIA
LiteSpeed Technologies -- LiteSpeed Web Server
LiteSpeed Web Server before 3.2.4 allows remote attackers to trigger use of an arbitrary MIME type for a file via a "%00." sequence followed by a new extension, as demonstrated by reading PHP source code via requests for .php%00.txt files, aka "Mime Type Injection."
unknown
2007-10-23
6.8
CVE-2007-5654
MILW0RM
OTHER-REF
Mozilla -- Firefox
Mozilla Firefox 2.0 before 2.0.0.8 allows remote attackers to obtain sensitive system information by using the addMicrosummaryGenerator sidebar method to access file: URIs.
unknown
2007-10-23
4.3
CVE-2007-5335
OTHER-REF
Nagios -- Plugins
Buffer overflow in the check_snmp function in Nagios Plugins (nagios-plugins) 1.4.10 allows remote attackers to cause a denial of service (crash) via crafted snmpget replies.
unknown
2007-10-23
5.0
CVE-2007-5623
OTHER-REF
Nagios -- Nagios
Cross-site scripting (XSS) vulnerability in Nagios 2.x before 2.10 allows remote attackers to inject arbitrary web script or HTML via unknown vectors to unspecified CGI scripts.
unknown
2007-10-23
4.3
CVE-2007-5624
OTHER-REF
SECUNIA
Nortel -- Mobile Voice Client
Nortel -- Centrex IP Element Manager
Nortel -- Business Communications Manager
Nortel -- Meridian SL100
Nortel -- Meridian-Core-Option
Nortel -- Centrex IP Client Manager
The Nortel UNIStim IP Softphone 2050, IP Phone 1140E, and additional Nortel products from the IP Phone, Business Communications Manager (BCM), and other product lines allow remote attackers to eavesdrop on the physical environment via an Open Audio Stream message that enables "surveillance mode." NOTE: issues relating to a small ID number space can be leveraged to make this attack easier.
unknown
2007-10-23
4.3
CVE-2007-5637
BUGTRAQ
OTHER-REF
OTHER-REF
BID
SECUNIA
XF
Nortel -- Mobile Voice Client
Nortel -- Centrex IP Element Manager
Nortel -- Business Communications Manager
Nortel -- Meridian SL100
Nortel -- Meridian-Core-Option
Nortel -- Centrex IP Client Manager
The Nortel UNIStim IP Softphone 2050, IP Phone 1140E, and additional Nortel products from the IP Phone, Business Communications Manager (BCM), and other product lines, use only 65536 different values in the 32-bit ID number field of an RUDP datagram, which makes it easier for remote attackers to guess the RUDP ID and spoof messages. NOTE: this can be leveraged for an eavesdropping attack by sending many Open Audio Stream messages.
unknown
2007-10-23
4.3
CVE-2007-5638
BUGTRAQ
OTHER-REF
BID
SECUNIA
XF
PeopleAggregator -- PeopleAggregator
Multiple PHP remote file inclusion vulnerabilities in PeopleAggregator 1.2pre6 allow remote attackers to execute arbitrary PHP code via a URL in the current_blockmodule_path parameter to (1) AudiosMediaGalleryModule/AudiosMediaGalleryModule.php, (2) ImagesMediaGalleryModule/ImagesMediaGalleryModule.php, (3) MembersFacewallModule/MembersFacewallModule.php, (4) NewestGroupsModule/NewestGroupsModule.php, (5) UploadMediaModule/UploadMediaModule.php, and (6) VideosMediaGalleryModule/VideosMediaGalleryModule.php in BetaBlockModules/; and (7) the path_prefix parameter to several components.
unknown
2007-10-23
6.8
CVE-2007-5631
MILW0RM
PHP-Nuke -- PHP-Nuke Platinum
PHP remote file inclusion vulnerability in modules/Forums/favorites.php in PHP-Nuke Platinum 7.6.b.5 allows remote attackers to execute arbitrary PHP code via a URL in the nuke_bb_root_path parameter.
unknown
2007-10-24
6.8
CVE-2007-5676
MILW0RM
phppm -- PHP Project Management
Multiple PHP remote file inclusion vulnerabilities in PHP Project Management 0.8.10 and earlier allow remote attackers to execute arbitrary PHP code via a URL in the full_path parameter to (1) certinfo/index.php, (2) emails/index.php, (3) events/index.php, (4) fax/index.php, (5) files/index.php, (6) files/list.php, (7) groupadm/index.php, (8) history/index.php, (9) info/index.php, (10) log/index.php, (11) mail/index.php, (12) messages/index.php, (13) organizations/index.php, (14) phones/index.php, (15) presence/index.php, (16) projects/index.php, (17) projects/summary.inc.php, (18) projects/list.php, (19) reports/index.php, (20) search/index.php, (21) snf/index.php?full_path, (22) syslog/index.php, (23) tasks/searchsimilar.php, (24) tasks/index.php, (25) tasks/summary.inc.php, and (26) useradm/index.php in modules; (27) /ajax/loadsplash.php; (28) /blocks/birthday.php; (29) /blocks/events.php; and (30) /blocks/help.php.
unknown
2007-10-23
6.8
CVE-2007-5641
MILW0RM
phppm -- PHP Project Management
Multiple directory traversal vulnerabilities in PHP Project Management 0.8.10 and earlier allow remote attackers to include and execute arbitrary local files via a .. (dot dot) in (1) the def_lang parameter to modules/files/list.php; the m_path parameter to (2) modules/projects/summary.inc.php or (3) modules/tasks/summary.inc.php; (4) the module parameter to modules/projects/list.php; or the module parameter to index.php in the (5) certinfo, (6) emails, (7) events, (8) fax, (9) files, (10) groupadm, (11) history, (12) info, (13) log, (14) mail, (15) messages, (16) organizations, (17) phones, (18) presence, (19) projects, (20) reports, (21) search, (22) snf, (23) syslog, (24) tasks, or (25) useradm subdirectory of modules/.
unknown
2007-10-23
6.8
CVE-2007-5642
MILW0RM
redhat -- enterprise_linux
Unspecified vulnerability in the stack unwinder fixes in Red Hat Enterprise Linux 5, when running on AMD64 and Intel 64, allows local users to cause a denial of service via unknown vectors.
unknown
2007-10-23
4.7
CVE-2007-4574
REDHAT
rnote -- rnote
Multiple cross-site scripting (XSS) vulnerabilities in rnote.php in rNote 0.9.7.5 allow remote attackers to inject arbitrary web script or HTML via the (1) d or the (2) u parameter.
unknown
2007-10-23
4.3
CVE-2007-5648
OTHER-REF
BID
simongibson -- ASP Site Search SearchSimon Lite
Cross-site scripting (XSS) vulnerability in filename.asp in ASP Site Search SearchSimon Lite 1.0 allows remote attackers to inject arbitrary web script or HTML via the QUERY parameter.
unknown
2007-10-23
4.3
CVE-2007-5625
BUGTRAQ
BID
SECUNIA
SocketKB -- SocketKB
Multiple cross-site scripting (XSS) vulnerabilities in SocketKB 1.1.5 allow remote attackers to inject arbitrary web script or HTML via the (1) art_id or (2) node parameter in an article action to the default URI.
unknown
2007-10-23
4.3
CVE-2007-5647
OTHER-REF
BID
SECUNIA
SocketMail -- SocketMail
PHP remote file inclusion vulnerability in content/fnc-readmail3.php in SocketMail 2.2.8 allows remote attackers to execute arbitrary PHP code via a URL in the __SOCKETMAIL_ROOT parameter.
unknown
2007-10-23
6.8
CVE-2007-5627
MILW0RM
Sun -- Solaris
Multiple unspecified vulnerabilities in the kernel in Sun Solaris 8 through 10 allow local users to cause a denial of service (panic), related to the support for retrieval of kernel statistics, and possibly related to the sfmmu_mlspl_enter or sfmmu_mlist_enter functions.
unknown
2007-10-23
4.9
CVE-2007-5632
SUNALERT
FRSIRT
SECTRACK
SECUNIA
XF
TOWeLs -- TOWeLS
PHP remote file inclusion vulnerability in src/scripture.php in TOWeLS 0.1 allows remote attackers to execute arbitrary PHP code via a URL in the pageHeaderFile parameter.
unknown
2007-10-23
6.8
CVE-2007-5628
MILW0RM

Low Vulnerabilities
Primary Vendor -- Product
Description
Discovered
Published
CVSS Score
Source & Patch Info
bacula -- Bacula backup
make_catalog_backup in Bacula 2.2.5, and probably earlier, sends a MySQL password as a command line argument, and sometimes transmits cleartext e-mail containing this command line, which allows context-dependent attackers to obtain the password by listing the process and its arguments, or by sniffing the network.
unknown
2007-10-23
2.1
CVE-2007-5626
OTHER-REF
OTHER-REF
FRSIRT
SECUNIA
Drupal -- Fullname field for CCK
Drupal -- Ubercart Module
Drupal -- ASIN Field Module
Drupal -- Drupal
Drupal -- e-Commerce Module
Drupal -- Pathauto Module
Drupal -- PayPal Node Module
Drupal -- Invite Module
Drupal -- Node Relativity Module
Drupal -- Token Module
Multiple cross-site scripting (XSS) vulnerabilities in the Token module before 4.7.x-1.5, and 5.x before 5.x-1.9, for Drupal; as used by the ASIN Field, e-Commerce, Fullname field for CCK, Invite, Node Relativity, Pathauto, PayPal Node, and Ubercart modules; allow remote authenticated users with a post comments privilege to inject arbitrary web script or HTML via unspecified vectors related to (1) comments, (2) vocabulary names, (3) term names, and (4) usernames.
unknown
2007-10-22
3.5
CVE-2007-5621
OTHER-REF
SECUNIA
Linux -- Kernel
The eHCA driver in Linux kernel 2.6 before 2.6.22, when running on PowerPC, does not properly map userspace resources, which allows local users to read portions of physical address space.
unknown
2007-10-23
1.9
CVE-2007-3850
OTHER-REF
REDHAT