PROPOSAL: Cluster 10 - CGI (31 candidates)

This Low controversy cluster contains 31 candidates, all having to do
with vulnerabilities in CGI programs.

- Steve

Summary of votes to use (in ascending order of "severity"):

ACCEPT - member accepts the candidate as proposed
NOOP - member has no opinion on the candidate
MODIFY - member wants to change some minor detail (e.g. reference/description)
REVIEWING - member is reviewing/researching the candidate
RECAST - candidate must be significantly modified, e.g. split or merged
REJECT - candidate is "not a vulnerability", or a duplicate, etc.

Please write your vote on the line that starts with "VOTE: ". If you
want to add comments or details, add them to lines after the VOTE:
line.

=================================
Candidate: CAN-1999-0066
Published:
Final-Decision:
Interim-Decision:
Modified:
Announced: 19990623
Assigned: 19990607
Category: SF
Reference: XF:http-cgi-anyform

AnyForm CGI remote execution

VOTE:

=================================
Candidate: CAN-1999-0070
Published:
Final-Decision:
Interim-Decision:
Modified:
Announced: 19990623
Assigned: 19990607
Category: SF
Reference: XF:http-cgi-test

test-cgi program allows an attacker to list files on the server

VOTE:

=================================
Candidate: CAN-1999-0146
Published:
Final-Decision:
Interim-Decision:
Modified:
Announced: 19990623
Assigned: 19990607
Category: SF
Reference: XF:http-cgi-campas

The campas CGI program provided with some NCSA web servers allows an
attacker to read arbitrary files.

VOTE:

=================================
Candidate: CAN-1999-0147
Published:
Final-Decision:
Interim-Decision:
Modified:
Announced: 19990623
Assigned: 19990607
Category: SF
Reference: XF:http-cgi-glimpse

The aglimpse CGI program of the Glimpse package allows remote
execution of arbitrary commands

VOTE:

=================================
Candidate: CAN-1999-0148
Published:
Final-Decision:
Interim-Decision:
Modified:
Announced: 19990623
Assigned: 19990607
Category: SF
Reference: XF:http-sgi-handler

The handler CGI program in IRIX allows arbitrary command execution.

VOTE:

=================================
Candidate: CAN-1999-0149
Published:
Final-Decision:
Interim-Decision:
Modified:
Announced: 19990623
Assigned: 19990607
Category: SF
Reference: XF:http-sgi-wrap

The wrap CGI program in IRIX allows arbitrary command execution from
remote users.

VOTE:

=================================
Candidate: CAN-1999-0172
Published:
Final-Decision:
Interim-Decision:
Modified:
Announced: 19990623
Assigned: 19990607
Category: SF
Reference: XF:http-cgi-formmail-exe

FormMail CGI program allows remote execution of commands.

VOTE:

=================================
Candidate: CAN-1999-0173
Published:
Final-Decision:
Interim-Decision:
Modified:
Announced: 19990623
Assigned: 19990607
Category: SF
Reference: XF:http-cgi-formmail-use

FormMail CGI program can be used by web servers other than the host
server that the program resides on.

VOTE:

=================================
Candidate: CAN-1999-0174
Published:
Final-Decision:
Interim-Decision:
Modified:
Announced: 19990623
Assigned: 19990607
Category: SF

The view-source CGI program allows remote attackers to read any file
on the system that is internally accessible by the web server.

VOTE:

=================================
Candidate: CAN-1999-0176
Published:
Final-Decision:
Interim-Decision:
Modified:
Announced: 19990623
Assigned: 19990607
Category: SF
Reference: XF:http-webgais-query

The Webgais program allows a remote user to execute arbitrary
commands.

VOTE:

=================================
Candidate: CAN-1999-0177
Published:
Final-Decision:
Interim-Decision:
Modified:
Announced: 19990623
Assigned: 19990607
Category: SF
Reference: XF:http-website-uploader

The uploader program in the WebSite web server allows a remote
attacker to execute arbitrary programs.

VOTE:

=================================
Candidate: CAN-1999-0178
Published:
Final-Decision:
Interim-Decision:
Modified:
Announced: 19990623
Assigned: 19990607
Category: SF
Reference: XF:http-website-winsample

The win-c-sample program in the WebSite web server has a buffer
overflow that allows remote execution of commands.

VOTE:

=================================
Candidate: CAN-1999-0191
Published:
Final-Decision:
Interim-Decision:
Modified:
Announced: 19990623
Assigned: 19990607
Category: SF

IIS newdsn.exe CGI script allows remote users to overwrite files.

VOTE:

=================================
Candidate: CAN-1999-0196
Published:
Final-Decision:
Interim-Decision:
Modified:
Announced: 19990623
Assigned: 19990607
Category: SF
Reference: XF:http-webgais-smail

The websendmail program in the Webgais program allows a remote user
to access arbitrary files.

VOTE:

=================================
Candidate: CAN-1999-0233
Published:
Final-Decision:
Interim-Decision:
Modified:
Announced: 19990623
Assigned: 19990607
Category: SF
Reference: XF:http-iis-cmd

IIS and WebSite allow users to execute arbitrary commands using .bat
or .cmd files.

VOTE:

=================================
Candidate: CAN-1999-0236
Published:
Final-Decision:
Interim-Decision:
Modified:
Announced: 19990623
Assigned: 19990607
Category: SF
Reference: XF:http-scriptalias

ScriptAlias directory in NCSA and Apache httpd allowed attackers to
read CGI programs.

VOTE:

=================================
Candidate: CAN-1999-0237
Published:
Final-Decision:
Interim-Decision:
Modified:
Announced: 19990623
Assigned: 19990607
Category: SF
Reference: XF:http-cgi-guestbook

Remote execution of arbitrary commands through Guestbook CGI program.

VOTE:

=================================
Candidate: CAN-1999-0238
Published:
Final-Decision:
Interim-Decision:
Modified:
Announced: 19990623
Assigned: 19990607
Category: SF
Reference: XF:http-cgi-phpfileread

php.cgi allows attackers to read any file on the system.

VOTE:

=================================
Candidate: CAN-1999-0253
Published:
Final-Decision:
Interim-Decision:
Modified:
Announced: 19990623
Assigned: 19990607
Category: SF
Reference: XF:http-iis-2e

IIS 3.0 allows remote intruders to read source code for ASP programs
by using a "2e" instead of a "." in the URL.

VOTE:

=================================
Candidate: CAN-1999-0262
Published:
Final-Decision:
Interim-Decision:
Modified:
Announced: 19990623
Assigned: 19990607
Category: SF

faxsurvey CGI script on Linux allows remote command execution via
shell metacharacters.

VOTE:

=================================
Candidate: CAN-1999-0264
Published:
Final-Decision:
Interim-Decision:
Modified:
Announced: 19990623
Assigned: 19990607
Category: SF

htmlscript CGI program allows remote read access to files.

VOTE:

=================================
Candidate: CAN-1999-0268
Published:
Final-Decision:
Interim-Decision:
Modified:
Announced: 19990623
Assigned: 19990607
Category: SF

MetaInfo MetaWeb web server allows users to upload and execute
scripts.

VOTE:

=================================
Candidate: CAN-1999-0269
Published:
Final-Decision:
Interim-Decision:
Modified:
Announced: 19990623
Assigned: 19990607
Category: SF

Netscape Enterprise servers may list files through the PageServices
query.

VOTE:

=================================
Candidate: CAN-1999-0270
Published:
Final-Decision:
Interim-Decision:
Modified:
Announced: 19990623
Assigned: 19990607
Category: SF

pfdispaly CGI program for SGI's Performer API Search Tool allows read
access to files.

VOTE:

=================================
Candidate: CAN-1999-0271
Published:
Final-Decision:
Interim-Decision:
Modified:
Announced: 19990623
Assigned: 19990607
Category: SF

Progressive Networks Real Video server (pnserver) can be crashed
remotely.

VOTE:

=================================
Candidate: CAN-1999-0278
Published:
Final-Decision:
Interim-Decision:
Modified:
Announced: 19990623
Assigned: 19990607
Category: SF

In IIS, remote attackers can obtain source code for ASP files by
appending "::$DATA" to the URL.

VOTE:

=================================
Candidate: CAN-1999-0279
Published:
Final-Decision:
Interim-Decision:
Modified:
Announced: 19990623
Assigned: 19990607
Category: SF
Reference: CERT:VB-98.01.excite

Excite for Web Servers (EWS) allows remote command execution via
shell metacharacters.

VOTE:

=================================
Candidate: CAN-1999-0283
Published:
Final-Decision:
Interim-Decision:
Modified:
Announced: 19990623
Assigned: 19990607
Category: SF

The Java Web Server would allow remote users to obtain the source
code for CGI programs.

VOTE:

=================================
Candidate: CAN-1999-0347
Published:
Final-Decision:
Interim-Decision:
Modified:
Announced: 19990623
Assigned: 19990607
Category: SF
Reference: BUGTRAQ:Jan26,1999
Reference: NTBUGTRAQ:Jan28,1999

Javascript bug in Internet Explorer 4.01 by adding %01URL allows
reading local files and spoofing of web pages from other sites.

VOTE:

=================================
Candidate: CAN-1999-0348
Published:
Final-Decision:
Interim-Decision:
Modified:
Announced: 19990623
Assigned: 19990607
Category: SF
Reference: NTBUGTRAQ:Jan27,1999

IIS ASP caching problem releases sensitive information when two
virtual servers share the same physical directory.

VOTE:

=================================
Candidate: CAN-1999-0360
Published:
Final-Decision:
Interim-Decision:
Modified:
Announced: 19990623
Assigned: 19990607
Category: SF
Reference: BUGTRAQ:Jan29,1999
Reference: NTBUGTRAQ:Jan29,1999

MS Site Server 2.0 with IIS 4 can allow users to upload content,
including ASP, to the target web site, thus allowing them to execute
commands remotely.

VOTE: