Vulnerability Summary for the Week of October 22, 2007

Released: Oct 29, 2007
Document ID: SB07-302

The CISA Vulnerability Bulletin provides a summary of new vulnerabilities that have been recorded by the National Institute of Standards and Technology (NIST) National Vulnerability Database (NVD) in the past week. NVD is sponsored by CISA. In some cases, the vulnerabilities in the bulletin may not yet have assigned CVSS scores. Please visit NVD for updated vulnerability entries, which include CVSS scores once they are available.

Vulnerabilities are based on the Common Vulnerabilities and Exposures (CVE) vulnerability naming standard and are organized according to severity, determined by the Common Vulnerability Scoring System (CVSS) standard. The division of high, medium, and low severities corresponds to the following scores:

  • High: vulnerabilities with a CVSS base score of 7.0–10.0
  • Medium: vulnerabilities with a CVSS base score of 4.0–6.9
  • Low: vulnerabilities with a CVSS base score of 0.0–3.9

Entries may include additional information provided by organizations and efforts sponsored by CISA. This information may include identifying information, values, definitions, and related links. Patch information is provided when available. Please note that some of the information in the bulletin is compiled from external, open-source reports and is not a direct result of CISA analysis. 


High Vulnerabilities
| Primary Vendor -- Product | Description | Discovered | Published | CVSS Score | Source & Patch Info |
|---|---|---|---|---|---|
| almico -- SpeedFan | Speedfan.sys in Alfredo Milani Comparetti SpeedFan 4.33, when used on Microsoft Windows Vista x64, allows local users to read or write arbitrary MSRs, and gain privileges and load unsigned drivers, via the (1) IOCTL_RDMSR 0x9C402438 and (2) IOCTL_WRMSR 0x9C40243C IOCTLs to \Device\speedfan, as demonstrated by an IOCTL_WRMSR action on MSR_LSTAR. | unknown | 2007-10-23 | 7.2 | CVE-2007-5633, OTHER-REF, OTHER-REF, BID |
| BBsProcesS -- BBPortalS | SQL injection vulnerability in tnews.php in BBsProcesS BBPortalS 1.5.10 through 2.0 allows remote attackers to execute arbitrary SQL commands via the id parameter in a tnews action. | unknown | 2007-10-23 | 7.5 | CVE-2007-5630, MILW0RM |
| btglobalservices -- BT Consumer webhelper | Multiple buffer overflows in the British Telecommunications Consumer webhelper ActiveX control before 2.0.0.8 in btwebcontrol.dll allow remote attackers to execute arbitrary code via unspecified vectors. | unknown | 2007-10-25 | 9.3 | CVE-2007-2983, CERT-VN, BID, FRSIRT, SECUNIA, XF |
| Cisco -- IOS; Cisco -- CatOS | Unspecified vulnerability in the Extensible Authentication Protocol (EAP) implementation in Cisco IOS 12.3 and 12.4 on Cisco Access Points and 1310 Wireless Bridges (Wireless EAP devices), IOS 12.1 and 12.2 on Cisco switches (Wired EAP devices), and CatOS 6.x through 8.x on Cisco switches allows remote attackers to cause a denial of service (device reload) via a crafted EAP Response Identity packet. | unknown | 2007-10-23 | 7.1 | CVE-2007-5651, CISCO, BID |
| deeemm -- DMCMS | SQL injection vulnerability in index.php in DeeEmm.com DM CMS 0.7.0.Beta allows remote attackers to execute arbitrary SQL commands via the id parameter in the media page (build_media_content.php). | unknown | 2007-10-24 | 7.5 | CVE-2007-5679, BUGTRAQ, BID, XF |
| IBM -- DB2 | Unspecified vulnerability in IBM DB2 9.1 before Fix Pack 4 might allow attackers to cause a denial of service (instance crash) or trigger memory corruption via unspecified vectors involving DB2 UDB authentication. | unknown | 2007-10-23 | 7.8 | CVE-2007-5652, OTHER-REF, AIXAPAR, FRSIRT, SECUNIA |
| Lussumo -- Vanilla | Multiple SQL injection vulnerabilities in Lussumo Vanilla 1.1.3 and earlier allow remote attackers to execute arbitrary SQL commands via (1) the CategoryID parameter to ajax/sortcategories.php or (2) an unspecified vector to ajax/sortroles.php. | unknown | 2007-10-23 | 7.5 | CVE-2007-5643, MILW0RM, BID |
| Lussumo -- Vanilla | Lussumo Vanilla 1.1.3 and earlier does not require admin privileges for (1) ajax/sortcategories.php and (2) ajax/sortroles.php, which allows remote attackers to conduct unauthorized sort operations and other activities. | unknown | 2007-10-23 | 7.5 | CVE-2007-5644, MILW0RM |
| MultiXTpm -- Application Server | Stack-based buffer overflow in the DebugPrint function in MultiXTpm Application Server before 4.0.2d allows remote attackers to execute arbitrary code via a long string argument. | unknown | 2007-10-24 | 7.5 | CVE-2007-5675, OTHER-REF, BID, SECUNIA |
| Nortel -- IP softphone | Buffer overflow in the Nortel UNIStim IP Softphone 2050 allows remote attackers to cause a denial of service (application abort) and possibly execute arbitrary code via a flood of invalid characters to the RTCP port (5678/udp) that triggers a Windows error message, aka "extraneous messaging." | unknown | 2007-10-23 | 7.5 | CVE-2007-5636, BUGTRAQ, OTHER-REF, OTHER-REF, BID, FRSIRT, SECUNIA, XF |
| Nortel -- Mobile Voice Client; Nortel -- IP softphone | The Nortel UNIStim IP Softphone 2050, IP Phone 1140E, and other Nortel IP Phone, Mobile Voice Client, and WLAN Handsets products allow remote attackers to cause a denial of service (device hang) via a flood of Mute and UnMute messages that have a spoofed source IP address for the Signaling Server. | unknown | 2007-10-23 | 7.1 | CVE-2007-5639, BUGTRAQ, OTHER-REF, OTHER-REF, BID, XF |
| Nortel -- Mobile Voice Client; Nortel -- Centrex IP Element Manager; Nortel -- Business Communications Manager; Nortel -- Meridian SL100; Nortel -- Meridian-Core-Option; Nortel -- Centrex IP Client Manager | The Nortel UNIStim IP Softphone 2050, IP Phone 1140E, and additional Nortel products from the IP Phone, Business Communications Manager (BCM), Mobile Voice Client, and other product lines, allow remote attackers to block calls and force re-registration via a resume message to the Signaling Server that has a spoofed source IP address for the phone. NOTE: the attack is more disruptive if a new spoofed resume message is sent after each re-registration. | unknown | 2007-10-23 | 7.1 | CVE-2007-5640, BUGTRAQ, OTHER-REF, OTHER-REF, BID, SECUNIA, XF |
| PHP -- PHP | The Component Object Model (COM) functions in PHP 5.x on Windows do not follow safe_mode and disable_functions restrictions, which allows context-dependent attackers to bypass intended limitations, as demonstrated by executing objects with the kill bit set in the corresponding ActiveX control Compatibility Flags, executing programs via a function in compatUI.dll, invoking wscript.shell via wscript.exe, invoking Scripting.FileSystemObject via wshom.ocx, and adding users via a function in shgina.dll, related to the com_load_typelib function. | unknown | 2007-10-23 | 9.3 | CVE-2007-5653, MILW0RM |
| phpBasic -- phpBasic | SQL injection vulnerability in the Music module in phpBasic allows remote attackers to execute arbitrary SQL commands via the id parameter in a view action to the default URI. | unknown | 2007-10-24 | 7.5 | CVE-2007-5678, BUGTRAQ |
| ReloadCMS -- ReloadCMS | Directory traversal vulnerability in system.php in ReloadCMS 1.2.7 allows remote attackers to include and execute arbitrary local files via a .. (dot dot) in the module parameter to index.php. | unknown | 2007-10-23 | 7.5 | CVE-2007-5650, BUGTRAQ, BID |
| Salford Software -- Support Incident Tracker | Multiple unspecified vulnerabilities in Salford Software Support Incident Tracker (SiT!) before 3.30 have unknown impact and attack vectors. | unknown | 2007-10-23 | 10.0 | CVE-2007-5635, OTHER-REF, SECUNIA |
| Simple Machines -- Simple Machines Forum; MySQL -- MySQL | SQL injection vulnerability in Sources/Search.php in Simple Machines Forum (SMF) 1.1.3, when MySQL 5 is used, allows remote attackers to execute arbitrary SQL commands via the userspec parameter in a search2 action to index.php. | unknown | 2007-10-23 | 7.5 | CVE-2007-5646, BUGTRAQ, MILW0RM, OTHER-REF, BID |
| zehnet -- ZZ FlashChat | Directory traversal vulnerability in admin/inc/help.php in ZZ:FlashChat 3.1 and earlier allows remote attackers to include and execute arbitrary local files via a .. (dot dot) in the file parameter. | unknown | 2007-10-22 | 7.5 | CVE-2007-5620, MILW0RM |


Medium Vulnerabilities
| Primary Vendor -- Product | Description | Discovered | Published | CVSS Score | Source & Patch Info |
|---|---|---|---|---|---|
| Alcatel-Lucent -- OmniVista | Multiple cross-site scripting (XSS) vulnerabilities in Alcatel OmniVista 4760 R4.2 and earlier allow remote attackers to inject arbitrary web script or HTML via (1) the action parameter to php-bin/Webclient.php or (2) the Langue parameter to the default URI. | unknown | 2007-10-22 | 4.3 | CVE-2007-5190, BUGTRAQ, OTHER-REF, OTHER-REF, BID, FRSIRT, SECUNIA |
| almico -- SpeedFan | Speedfan.sys in Alfredo Milani Comparetti SpeedFan 4.33, when used on Microsoft Windows Vista x64, does not properly check a buffer during an IOCTL 0x9c402420 call, which allows local users to cause a denial of service (machine crash) and possibly gain privileges via unspecified vectors. | unknown | 2007-10-23 | 4.9 | CVE-2007-5634, OTHER-REF |
| CA -- Host-Based Intrusion Prevention System | Cross-site scripting (XSS) vulnerability in the Server component in CA Host-Based Intrusion Prevention System (HIPS) before 8.0.0.93 allows remote attackers to inject arbitrary web script or HTML via requests that are written to logs for later display in the log viewer. | unknown | 2007-10-22 | 4.3 | CVE-2007-5472, OTHER-REF, FRSIRT, SECUNIA |
| CandyPress -- CandyPress Store | Cross-site scripting (XSS) vulnerability in admin/logon.asp in ShoppingTree CandyPress Store 4.1 allows remote attackers to inject arbitrary web script or HTML via the msg parameter, a different vector than CVE-2007-2804. NOTE: the provenance of this information is unknown; the details are obtained solely from third party information. | unknown | 2007-10-23 | 4.3 | CVE-2007-5629, OTHER-REF, BID |
| Creative Digital Resources -- SocketMail | Cross-site scripting (XSS) vulnerability in lostpwd.php in Creative Digital Resources SocketMail 2.2.1 allows remote attackers to inject arbitrary web script or HTML via the lost_id parameter. | unknown | 2007-10-23 | 4.3 | CVE-2007-5649, OTHER-REF, BID |
| Hackish -- Hackish | Cross-site scripting (XSS) vulnerability in shoutbox/blocco.php in Hackish BETA 1.1 allows remote attackers to inject arbitrary web script or HTML via the go_shout parameter. | unknown | 2007-10-24 | 4.3 | CVE-2007-5677, BUGTRAQ, BID |
| ifnet -- Webif | Cross-site scripting (XSS) vulnerability in cgi-bin/webif.exe in ifnet WebIf allows remote attackers to inject arbitrary web script or HTML via the cmd parameter. | unknown | 2007-10-24 | 4.3 | CVE-2007-5673, FULLDISC, FULLDISC, BID, SECUNIA |
| instaguide -- weather | Directory traversal vulnerability in index.php in InstaGuide Weather (aka Weather for PHP) 1.0, when magic_quotes_gpc is disabled, allows remote attackers to include and execute arbitrary local files via a .. (dot dot) in the PageName parameter. | unknown | 2007-10-24 | 6.8 | CVE-2007-5674, MILW0RM, BID, SECUNIA |
| LiteSpeed Technologies -- LiteSpeed Web Server | LiteSpeed Web Server before 3.2.4 allows remote attackers to trigger use of an arbitrary MIME type for a file via a "%00." sequence followed by a new extension, as demonstrated by reading PHP source code via requests for .php%00.txt files, aka "Mime Type Injection." | unknown | 2007-10-23 | 6.8 | CVE-2007-5654, MILW0RM, OTHER-REF |
| Mozilla -- Firefox | Mozilla Firefox 2.0 before 2.0.0.8 allows remote attackers to obtain sensitive system information by using the addMicrosummaryGenerator sidebar method to access file: URIs. | unknown | 2007-10-23 | 4.3 | CVE-2007-5335, OTHER-REF |
| Nagios -- Plugins | Buffer overflow in the check_snmp function in Nagios Plugins (nagios-plugins) 1.4.10 allows remote attackers to cause a denial of service (crash) via crafted snmpget replies. | unknown | 2007-10-23 | 5.0 | CVE-2007-5623, OTHER-REF |
| Nagios -- Nagios | Cross-site scripting (XSS) vulnerability in Nagios 2.x before 2.10 allows remote attackers to inject arbitrary web script or HTML via unknown vectors to unspecified CGI scripts. | unknown | 2007-10-23 | 4.3 | CVE-2007-5624, OTHER-REF, SECUNIA |
| Nortel -- Mobile Voice Client; Nortel -- Centrex IP Element Manager; Nortel -- Business Communications Manager; Nortel -- Meridian SL100; Nortel -- Meridian-Core-Option; Nortel -- Centrex IP Client Manager | The Nortel UNIStim IP Softphone 2050, IP Phone 1140E, and additional Nortel products from the IP Phone, Business Communications Manager (BCM), and other product lines allow remote attackers to eavesdrop on the physical environment via an Open Audio Stream message that enables "surveillance mode." NOTE: issues relating to a small ID number space can be leveraged to make this attack easier. | unknown | 2007-10-23 | 4.3 | CVE-2007-5637, BUGTRAQ, OTHER-REF, OTHER-REF, BID, SECUNIA, XF |
| Nortel -- Mobile Voice Client; Nortel -- Centrex IP Element Manager; Nortel -- Business Communications Manager; Nortel -- Meridian SL100; Nortel -- Meridian-Core-Option; Nortel -- Centrex IP Client Manager | The Nortel UNIStim IP Softphone 2050, IP Phone 1140E, and additional Nortel products from the IP Phone, Business Communications Manager (BCM), and other product lines, use only 65536 different values in the 32-bit ID number field of an RUDP datagram, which makes it easier for remote attackers to guess the RUDP ID and spoof messages. NOTE: this can be leveraged for an eavesdropping attack by sending many Open Audio Stream messages. | unknown | 2007-10-23 | 4.3 | CVE-2007-5638, BUGTRAQ, OTHER-REF, BID, SECUNIA, XF |
| PeopleAggregator -- PeopleAggregator | Multiple PHP remote file inclusion vulnerabilities in PeopleAggregator 1.2pre6 allow remote attackers to execute arbitrary PHP code via a URL in the current_blockmodule_path parameter to (1) AudiosMediaGalleryModule/AudiosMediaGalleryModule.php, (2) ImagesMediaGalleryModule/ImagesMediaGalleryModule.php, (3) MembersFacewallModule/MembersFacewallModule.php, (4) NewestGroupsModule/NewestGroupsModule.php, (5) UploadMediaModule/UploadMediaModule.php, and (6) VideosMediaGalleryModule/VideosMediaGalleryModule.php in BetaBlockModules/; and (7) the path_prefix parameter to several components. | unknown | 2007-10-23 | 6.8 | CVE-2007-5631, MILW0RM |
| PHP-Nuke -- PHP-Nuke Platinum | PHP remote file inclusion vulnerability in modules/Forums/favorites.php in PHP-Nuke Platinum 7.6.b.5 allows remote attackers to execute arbitrary PHP code via a URL in the nuke_bb_root_path parameter. | unknown | 2007-10-24 | 6.8 | CVE-2007-5676, MILW0RM |
| phppm -- PHP Project Management | Multiple PHP remote file inclusion vulnerabilities in PHP Project Management 0.8.10 and earlier allow remote attackers to execute arbitrary PHP code via a URL in the full_path parameter to (1) certinfo/index.php, (2) emails/index.php, (3) events/index.php, (4) fax/index.php, (5) files/index.php, (6) files/list.php, (7) groupadm/index.php, (8) history/index.php, (9) info/index.php, (10) log/index.php, (11) mail/index.php, (12) messages/index.php, (13) organizations/index.php, (14) phones/index.php, (15) presence/index.php, (16) projects/index.php, (17) projects/summary.inc.php, (18) projects/list.php, (19) reports/index.php, (20) search/index.php, (21) snf/index.php?full_path, (22) syslog/index.php, (23) tasks/searchsimilar.php, (24) tasks/index.php, (25) tasks/summary.inc.php, and (26) useradm/index.php in modules; (27) /ajax/loadsplash.php; (28) /blocks/birthday.php; (29) /blocks/events.php; and (30) /blocks/help.php. | unknown | 2007-10-23 | 6.8 | CVE-2007-5641, MILW0RM |
| phppm -- PHP Project Management | Multiple directory traversal vulnerabilities in PHP Project Management 0.8.10 and earlier allow remote attackers to include and execute arbitrary local files via a .. (dot dot) in (1) the def_lang parameter to modules/files/list.php; the m_path parameter to (2) modules/projects/summary.inc.php or (3) modules/tasks/summary.inc.php; (4) the module parameter to modules/projects/list.php; or the module parameter to index.php in the (5) certinfo, (6) emails, (7) events, (8) fax, (9) files, (10) groupadm, (11) history, (12) info, (13) log, (14) mail, (15) messages, (16) organizations, (17) phones, (18) presence, (19) projects, (20) reports, (21) search, (22) snf, (23) syslog, (24) tasks, or (25) useradm subdirectory of modules/. | unknown | 2007-10-23 | 6.8 | CVE-2007-5642, MILW0RM |
| redhat -- enterprise_linux | Unspecified vulnerability in the stack unwinder fixes in Red Hat Enterprise Linux 5, when running on AMD64 and Intel 64, allows local users to cause a denial of service via unknown vectors. | unknown | 2007-10-23 | 4.7 | CVE-2007-4574, REDHAT |
| rnote -- rnote | Multiple cross-site scripting (XSS) vulnerabilities in rnote.php in rNote 0.9.7.5 allow remote attackers to inject arbitrary web script or HTML via the (1) d or the (2) u parameter. | unknown | 2007-10-23 | 4.3 | CVE-2007-5648, OTHER-REF, BID |
| simongibson -- ASP Site Search SearchSimon Lite | Cross-site scripting (XSS) vulnerability in filename.asp in ASP Site Search SearchSimon Lite 1.0 allows remote attackers to inject arbitrary web script or HTML via the QUERY parameter. | unknown | 2007-10-23 | 4.3 | CVE-2007-5625, BUGTRAQ, BID, SECUNIA |
| SocketKB -- SocketKB | Multiple cross-site scripting (XSS) vulnerabilities in SocketKB 1.1.5 allow remote attackers to inject arbitrary web script or HTML via the (1) art_id or (2) node parameter in an article action to the default URI. | unknown | 2007-10-23 | 4.3 | CVE-2007-5647, OTHER-REF, BID, SECUNIA |
| SocketMail -- SocketMail | PHP remote file inclusion vulnerability in content/fnc-readmail3.php in SocketMail 2.2.8 allows remote attackers to execute arbitrary PHP code via a URL in the __SOCKETMAIL_ROOT parameter. | unknown | 2007-10-23 | 6.8 | CVE-2007-5627, MILW0RM |
| Sun -- Solaris | Multiple unspecified vulnerabilities in the kernel in Sun Solaris 8 through 10 allow local users to cause a denial of service (panic), related to the support for retrieval of kernel statistics, and possibly related to the sfmmu_mlspl_enter or sfmmu_mlist_enter functions. | unknown | 2007-10-23 | 4.9 | CVE-2007-5632, SUNALERT, FRSIRT, SECTRACK, SECUNIA, XF |
| TOWeLs -- TOWeLS | PHP remote file inclusion vulnerability in src/scripture.php in TOWeLS 0.1 allows remote attackers to execute arbitrary PHP code via a URL in the pageHeaderFile parameter. | unknown | 2007-10-23 | 6.8 | CVE-2007-5628, MILW0RM |


Low Vulnerabilities
| Primary Vendor -- Product | Description | Discovered | Published | CVSS Score | Source & Patch Info |
|---|---|---|---|---|---|
| bacula -- Bacula backup | make_catalog_backup in Bacula 2.2.5, and probably earlier, sends a MySQL password as a command line argument, and sometimes transmits cleartext e-mail containing this command line, which allows context-dependent attackers to obtain the password by listing the process and its arguments, or by sniffing the network. | unknown | 2007-10-23 | 2.1 | CVE-2007-5626, OTHER-REF, OTHER-REF, FRSIRT, SECUNIA |
| Drupal -- Fullname field for CCK; Drupal -- Ubercart Module; Drupal -- ASIN Field Module; Drupal -- Drupal; Drupal -- e-Commerce Module; Drupal -- Pathauto Module; Drupal -- PayPal Node Module; Drupal -- Invite Module; Drupal -- Node Relativity Module; Drupal -- Token Module | Multiple cross-site scripting (XSS) vulnerabilities in the Token module before 4.7.x-1.5, and 5.x before 5.x-1.9, for Drupal; as used by the ASIN Field, e-Commerce, Fullname field for CCK, Invite, Node Relativity, Pathauto, PayPal Node, and Ubercart modules; allow remote authenticated users with a post comments privilege to inject arbitrary web script or HTML via unspecified vectors related to (1) comments, (2) vocabulary names, (3) term names, and (4) usernames. | unknown | 2007-10-22 | 3.5 | CVE-2007-5621, OTHER-REF, SECUNIA |
| Linux -- Kernel | The eHCA driver in Linux kernel 2.6 before 2.6.22, when running on PowerPC, does not properly map userspace resources, which allows local users to read portions of physical address space. | unknown | 2007-10-23 | 1.9 | CVE-2007-3850, OTHER-REF, REDHAT |
