[PROPOSAL] Cluster RECENT-28 - 18 candidates

The following cluster contains 18 candidates that were announced between 7/7/2000 and 7/12/2000.

The candidates are listed in order of priority. Priority 1 and Priority 2 candidates both deal with varying levels of vendor confirmation, so they should be easy to review and it can be trusted that the problems are real.

If you discover that any RECENT-XX cluster is incomplete with respect to the problems discovered during the associated time frame, please send that information to me so that candidates can be assigned.

- Steve

Summary of votes to use (in ascending order of "severity")
----------------------------------------------------------

ACCEPT - voter accepts the candidate as proposed
NOOP - voter has no opinion on the candidate
MODIFY - voter wants to change some MINOR detail (e.g. reference/description)
REVIEWING - voter is reviewing/researching the candidate, or needs more info
RECAST - candidate must be significantly modified, e.g. split or merged
REJECT - candidate is "not a vulnerability", or a duplicate, etc.

1) Please write your vote on the line that starts with "VOTE: ". If you want to add comments or details, add them to lines after the VOTE: line.

2) If you see any missing references, please mention them so that they can be included. References help greatly during mapping.

3) Note that a "MODIFY" is treated as an "ACCEPT" when counting votes. So if you don't have sufficient information for a candidate but you don't want to NOOP, use a REVIEWING.

********** NOTE ********** NOTE ********** NOTE ********** NOTE **********

Please keep in mind that your vote and comments will be recorded and publicly viewable in the mailing list archives or in other formats.

=================================
Candidate: CAN-2000-0637
Published:
Final-Decision:
Interim-Decision:
Modified:
Proposed: 20000803
Assigned: 20000802
Category: SF
Reference: BUGTRAQ:20000711 Excel 2000 vulnerability - executing programs
Reference: URL:http://www.securityfocus.com/templates/archive.pike?list=1&msg=396B3F8F.9244D290@nat.bg
Reference: MS:MS00-051
Reference: URL:http://www.microsoft.com/technet/security/bulletin/ms00-051.asp
Reference: BID:1451
Reference: URL:http://www.securityfocus.com/bid/1451

Microsoft Excel 97 and 2000 allows an attacker to execute arbitrary commands by specifying a malicious .dll using the Register.ID function, aka the "Excel REGISTER.ID Function" vulnerability.

ED_PRI CAN-2000-0637 1

VOTE:

=================================
Candidate: CAN-2000-0654
Published:
Final-Decision:
Interim-Decision:
Modified:
Proposed: 20000803
Assigned: 20000802
Category: SF
Reference: MS:MS00-041
Reference: URL:http://www.microsoft.com/technet/security/bulletin/ms00-041.asp
Reference: BID:1466
Reference: URL:http://www.securityfocus.com/bid/1466

Microsoft Enterprise Manager allows local users to obtain database passwords via the Data Transformation Service (DTS) package Registered Servers Dialog dialog, aka a variant of the "DTS Password" vulnerability.

ED_PRI CAN-2000-0654 1

VOTE:

=================================
Candidate: CAN-2000-0670
Published:
Final-Decision:
Interim-Decision:
Modified:
Proposed: 20000803
Assigned: 20000802
Category: SF
Reference: BUGTRAQ:20000712 cvsweb: remote shell for cvs committers
Reference: URL:http://archives.neohapsis.com/archives/bugtraq/2000-07/0178.html
Reference: BUGTRAQ:20000714 MDKSA-2000:019 cvsweb update
Reference: URL:http://archives.neohapsis.com/archives/bugtraq/2000-07/0196.html
Reference: DEBIAN:20000716
Reference: URL:http://www.debian.org/security/2000/20000719b
Reference: BID:1469
Reference: URL:http://www.securityfocus.com/bid/1469

The cvsweb CGI script in CVSWeb 1.80 allows remote attackers with write access to a CVS repository to execute arbitrary commands via shell metacharacters.

ED_PRI CAN-2000-0670 1

VOTE:

=================================
Candidate: CAN-2000-0628
Published:
Final-Decision:
Interim-Decision:
Modified:
Proposed: 20000803
Assigned: 20000802
Category: SF
Reference: BUGTRAQ:20000710 ANNOUNCE Apache::ASP v1.95 - Security Hole Fixed
Reference: URL:http://archives.neohapsis.com/archives/bugtraq/2000-07/0142.html
Reference: CONFIRM:http://www.nodeworks.com/asp/changes.html
Reference: BID:1457
Reference: URL:http://www.securityfocus.com/bid/1457

The source.asp example script in the Apache ASP module Apache::ASP 1.93 and earlier allows remote attackers to modify files.

ED_PRI CAN-2000-0628 2

VOTE:

=================================
Candidate: CAN-2000-0635
Published:
Final-Decision:
Interim-Decision:
Modified:
Proposed: 20000803
Assigned: 20000802
Category: SF
Reference: BUGTRAQ:20000711 Akopia MiniVend Piped Command Execution Vulnerability
Reference: URL:http://archives.neohapsis.com/archives/bugtraq/2000-07/0150.html
Reference: BID:1449
Reference: URL:http://www.securityfocus.com/bid/1449

The view_page.html sample page in the MiniVend shopping cart program allows remote attackers to execute arbitrary commands via shell metacharacters.

ED_PRI CAN-2000-0635 2

VOTE:

=================================
Candidate: CAN-2000-0638
Published:
Final-Decision:
Interim-Decision:
Modified:
Proposed: 20000803
Assigned: 20000802
Category: SF
Reference: BUGTRAQ:20000711 BIG BROTHER EXPLOIT
Reference: URL:http://archives.neohapsis.com/archives/bugtraq/2000-07/0146.html
Reference: BUGTRAQ:20000711 REMOTE EXPLOIT IN ALL CURRENT VERSIONS OF BIG BROTHER
Reference: URL:http://archives.neohapsis.com/archives/bugtraq/2000-07/0147.html
Reference: CONFIRM:http://bb4.com/README.CHANGES
Reference: BID:1455
Reference: URL:http://www.securityfocus.com/bid/1455

Big Brother 1.4h1 and earlier allows remote attackers to read arbitrary files via a .. (dot dot) attack.

ED_PRI CAN-2000-0638 2

VOTE:

=================================
Candidate: CAN-2000-0639
Published:
Final-Decision:
Interim-Decision:
Modified:
Proposed: 20000803
Assigned: 20000802
Category: CF
Reference: BUGTRAQ:20000711 Big Brother filename extension vulnerability
Reference: URL:http://archives.neohapsis.com/archives/bugtraq/2000-07/0171.html
Reference: BID:1494
Reference: URL:http://www.securityfocus.com/bid/1494

The default configuration of Big Brother 1.4h2 and earlier does not include proper access restrictions, which allows remote attackers to execute arbitrary commands by using bbd to upload a file whose extension will cause it to be executed as a CGI script by the web server.

ED_PRI CAN-2000-0639 2

VOTE:

=================================
Candidate: CAN-2000-0650
Published:
Final-Decision:
Interim-Decision:
Modified:
Proposed: 20000803
Assigned: 20000802
Category: CF
Reference: NTBUGTRAQ:20000711 Potential Vulnerability in McAfee Netshield and VirusScan 4.5
Reference: URL:http://www.ntbugtraq.com/default.asp?pid=36&sid=1&A2=ind0007&L=ntbugtraq&F=&S=&P=2753
Reference: BID:1458
Reference: URL:http://www.securityfocus.com/bid/1458

The default installation of VirusScan 4.5 and NetShield 4.5 has insecure permissions for the registry key that identifies the AutoUpgrade directory, which allows local users to execute arbitrary commands by replacing SETUP.EXE in that directory with a Trojan Horse.

ED_PRI CAN-2000-0650 2

VOTE:

=================================
Candidate: CAN-2000-0629
Published:
Final-Decision:
Interim-Decision:
Modified:
Proposed: 20000803
Assigned: 20000802
Category: CF
Reference: BUGTRAQ:20000711 Sun's Java Web Server remote command execution vulnerability
Reference: URL:http://archives.neohapsis.com/archives/bugtraq/2000-07/0163.html
Reference: MISC:http://www.sun.com/software/jwebserver/faq/jwsca-2000-02.html
Reference: BID:1459
Reference: URL:http://www.securityfocus.com/bid/1459

The default configuration of the Sun Java web server 2.0 and earlier allows remote attackers to execute arbitrary commands by uploading Java code to the server via board.html, then directly calling the JSP compiler servlet.

ED_PRI CAN-2000-0629 3

VOTE:

=================================
Candidate: CAN-2000-0640
Published:
Final-Decision:
Interim-Decision:
Modified:
Proposed: 20000803
Assigned: 20000802
Category: SF
Reference: BUGTRAQ:20000708 gnu-pop3d (FTGate problem), Savant Webserver, Guild FTPd
Reference: URL:http://archives.neohapsis.com/archives/bugtraq/2000-07/0114.html
Reference: BID:1452
Reference: URL:http://www.securityfocus.com/bid/1452

Guild FTPd allows remote attackers to determine the existence of files outside the FTP root via a .. (dot dot) attack, which provides different error messages depending on whether the file exists or not.

ED_PRI CAN-2000-0640 3

VOTE:

=================================
Candidate: CAN-2000-0641
Published:
Final-Decision:
Interim-Decision:
Modified:
Proposed: 20000803
Assigned: 20000802
Category: SF
Reference: BUGTRAQ:20000708 gnu-pop3d (FTGate problem), Savant Webserver, Guild FTPd
Reference: URL:http://archives.neohapsis.com/archives/bugtraq/2000-07/0114.html
Reference: BID:1453
Reference: URL:http://www.securityfocus.com/bid/1453

Savant web server allows remote attackers to execute arbitrary commands via a long GET request.

ED_PRI CAN-2000-0641 3

VOTE:

=================================
Candidate: CAN-2000-0642
Published:
Final-Decision:
Interim-Decision:
Modified:
Proposed: 20000803
Assigned: 20000802
Category: CF
Reference: BUGTRAQ:20000711 Lame DoS in WEBactive win65/NT server
Reference: URL:http://www.securityfocus.com/templates/archive.pike?list=1&msg=200007130827.BAA32671@Rage.Resentment.org
Reference: BID:1497
Reference: URL:http://www.securityfocus.com/bid/1497

The default configuration of WebActive HTTP Server 1.00 stores the web access log active.log in the document root, which allows remote attackers to view the logs by directly requesting the page.

ED_PRI CAN-2000-0642 3

VOTE:

=================================
Candidate: CAN-2000-0648
Published:
Final-Decision:
Interim-Decision:
Modified:
Proposed: 20000803
Assigned: 20000802
Category: SF
Reference: BUGTRAQ:20000711 WFTPD/WFTPD Pro 2.41 RC10 denial-of-service
Reference: URL:http://www.securityfocus.com/templates/archive.pike?list=1&msg=E13BvU6-0007d8-00@dwarf.box.sk
Reference: BID:1456
Reference: URL:http://www.securityfocus.com/bid/1456

WFTPD and WFTPD Pro 2.41 allows local users to cause a denial of service by executing the RENAME TO (RNTO) command before a RENAME FROM (RNFR) command.

ED_PRI CAN-2000-0648 3

VOTE:

=================================
Candidate: CAN-2000-0651
Published:
Final-Decision:
Interim-Decision:
Modified:
Proposed: 20000803
Assigned: 20000802
Category: SF
Reference: BUGTRAQ:20000707 Novell Border Manger - Anyone can pose as an authenticated user
Reference: URL:http://www.securityfocus.com/templates/archive.pike?list=1&msg=06256915.00591E18.00@uprrsmtp2.notes.up.com
Reference: BID:1440
Reference: URL:http://www.securityfocus.com/bid/1440

The ClientTrust program in Novell BorderManager does not properly verify the origin of authentication requests, which could allow remote attackers to impersonate another user by replaying the authentication requests and responses from port 3024 of the victim's machine.

ED_PRI CAN-2000-0651 3

VOTE:

=================================
Candidate: CAN-2000-0660
Published:
Final-Decision:
Interim-Decision:
Modified:
Proposed: 20000803
Assigned: 20000802
Category: SF
Reference: BUGTRAQ:20000712 Infosec.20000712.worldclient.2.1
Reference: URL:http://archives.neohapsis.com/archives/bugtraq/2000-07/0173.html
Reference: BID:1462
Reference: URL:http://www.securityfocus.com/bid/1462

The WDaemon web server for WorldClient 2.1 allows remote attackers to read arbitrary files via a .. (dot dot) attack.

ED_PRI CAN-2000-0660 3

VOTE:

=================================
Candidate: CAN-2000-0661
Published:
Final-Decision:
Interim-Decision:
Modified:
Proposed: 20000803
Assigned: 20000802
Category: SF
Reference: BUGTRAQ:20000710 Remote DoS Attack in WircSrv Irc Server v5.07s Vulnerability
Reference: URL:http://archives.neohapsis.com/archives/bugtraq/2000-07/0120.html
Reference: BID:1448
Reference: URL:http://www.securityfocus.com/bid/1448

WircSrv IRC Server 5.07s allows remote attackers to cause a denial of service via a long string to the server port.

ED_PRI CAN-2000-0661 3

VOTE:

=================================
Candidate: CAN-2000-0669
Published:
Final-Decision:
Interim-Decision:
Modified:
Proposed: 20000803
Assigned: 20000802
Category: SF
Reference: BUGTRAQ:20000711 Remote Denial Of Service -- NetWare 5.0 with SP 5
Reference: URL:http://www.securityfocus.com/templates/archive.pike?list=1&msg=000501bfeab5$9330c3d0$d801a8c0@dimuthu.baysidegrp.com.au
Reference: BID:1467
Reference: URL:http://www.securityfocus.com/bid/1467

Novell Netware 5.0 allows remote attackers to cause a denial of service by flooding port 40193 with random data.

ED_PRI CAN-2000-0669 3

VOTE:

=================================
Candidate: CAN-2000-0674
Published:
Final-Decision:
Interim-Decision:
Modified:
Proposed: 20000803
Assigned: 20000802
Category: SF
Reference: BUGTRAQ:20000712 ftp.pl vulnerability
Reference: URL:http://archives.neohapsis.com/archives/bugtraq/2000-07/0177.html
Reference: BID:1471
Reference: URL:http://www.securityfocus.com/bid/1471

ftp.pl CGI program for Virtual Visions FTP browser allows remote attackers to read directories outside of the document root via a .. (dot dot) attack.

ED_PRI CAN-2000-0674 3

VOTE: