[PROPOSAL] Cluster RECENT-89 - 50 candidates
I am proposing cluster RECENT-89 for review and voting by the Editorial Board.

Name: RECENT-89
Description: Candidates announced between 1/2/2002 and 3/9/2002
Size: 50

You may vote on candidates by modifying this email ballot and sending it back to me, or by using the CVE voting web site.

The candidates are listed in order of priority. Priority 1 and Priority 2 candidates both deal with varying levels of vendor confirmation, so they should be easy to review and it can be trusted that the problems are real.

If you discover that any RECENT-XX cluster is incomplete with respect to the problems discovered during the associated time frame, please send that information to me so that candidates can be assigned.

- Steve

Summary of votes to use (in ascending order of "severity")
----------------------------------------------------------

ACCEPT - voter accepts the candidate as proposed
NOOP - voter has no opinion on the candidate
MODIFY - voter wants to change some MINOR detail (e.g. reference/description)
REVIEWING - voter is reviewing/researching the candidate, or needs more info
RECAST - candidate must be significantly modified, e.g. split or merged
REJECT - candidate is "not a vulnerability", or a duplicate, etc.

1) Please write your vote on the line that starts with "VOTE: ". If you want to add comments or details, add them to lines after the VOTE: line.

2) If you see any missing references, please mention them so that they can be included. References help greatly during mapping.

3) Note that a "MODIFY" is treated as an "ACCEPT" when counting votes. So if you don't have sufficient information for a candidate but you don't want to NOOP, use a REVIEWING.

********** NOTE ********** NOTE ********** NOTE ********** NOTE **********

Please keep in mind that your vote and comments will be recorded and publicly viewable in the mailing list archives or in other formats.
======================================================
Candidate: CAN-2002-0006
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2002-0006
Final-Decision:
Interim-Decision:
Modified:
Proposed: 20020611
Assigned: 20020108
Category: SF
Reference: BUGTRAQ:20020109 xchat IRC session hijacking vulnerability (versions 1.4.1, 1.4.2)
Reference: URL:http://marc.theaimsgroup.com/?l=bugtraq&m=101060676210255&w=2
Reference: DEBIAN:DSA-099
Reference: URL:http://www.debian.org/security/2002/dsa-099
Reference: REDHAT:RHSA-2002:005
Reference: URL:http://rhn.redhat.com/errata/RHSA-2002-005.html
Reference: HP:HPSBTL0201-016
Reference: URL:http://online.securityfocus.com/advisories/3806
Reference: CONECTIVA:CLA-2002:453
Reference: URL:http://distro.conectiva.com.br/atualizacoes/?id=a&anuncio=000453
Reference: XF:xchat-ctcp-ping-command(7856)
Reference: URL:http://xforce.iss.net/static/7856.php
Reference: BID:3830
Reference: URL:http://www.securityfocus.com/bid/3830

XChat 1.8.7 and earlier, including default configurations of 1.4.2 and 1.4.3, allows remote attackers to execute arbitrary IRC commands as other clients via encoded characters in a PRIVMSG command that calls CTCP PING, which expands the characters in the client response when the percascii variable is set.

Analysis
----------------
ED_PRI CAN-2002-0006 1
Vendor Acknowledgement: yes advisory

Voting Section
--------------
Possible votes: ACCEPT/MODIFY/NOOP/REVIEWING/RECAST/REJECT
If ACCEPT or MODIFY, include reason for acceptance: VERIFIED-BY-MY-ORG, ACKNOWLEDGED-BY-VENDOR, VERIFIED-BY-SOMEONE-I-TRUST, HAS-INDEPENDENT-CONFIRMATION, or provide other reason.
VOTE:
ACCEPT_REASON:
COMMENTS:

======================================================
Candidate: CAN-2002-0363
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2002-0363
Final-Decision:
Interim-Decision:
Modified:
Proposed: 20020611
Assigned: 20020507
Category: SF
Reference: MISC:http://www.ghostscript.com/pipermail/gs-code-review/2002-January/001801.html
Reference: MISC:http://www.ghostscript.com/pipermail/gs-code-review/2002-February/001900.html
Reference: REDHAT:RHSA-2002:083
Reference: URL:http://www.redhat.com/support/errata/RHSA-2002-083.html

ghostscript before 6.53 allows attackers to execute arbitrary commands by using .locksafe or .setsafe to reset the current pagedevice.

Analysis
----------------
ED_PRI CAN-2002-0363 1
Vendor Acknowledgement: yes

Voting Section
--------------
Possible votes: ACCEPT/MODIFY/NOOP/REVIEWING/RECAST/REJECT
If ACCEPT or MODIFY, include reason for acceptance: VERIFIED-BY-MY-ORG, ACKNOWLEDGED-BY-VENDOR, VERIFIED-BY-SOMEONE-I-TRUST, HAS-INDEPENDENT-CONFIRMATION, or provide other reason.
VOTE:
ACCEPT_REASON:
COMMENTS:

======================================================
Candidate: CAN-2002-0412
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2002-0412
Final-Decision:
Interim-Decision:
Modified:
Proposed: 20020611
Assigned: 20020607
Category: SF
Reference: BUGTRAQ:20020304 [H20020304]: Remotely exploitable format string vulnerability in ntop
Reference: URL:http://online.securityfocus.com/archive/1/259642
Reference: BUGTRAQ:20020411 ALERT ALERT ALERT ALERT ALERT ALERT ALERT ALERT ALERT ALERT ALERT
Reference: URL:http://marc.theaimsgroup.com/?l=bugtraq&m=101854261030453&w=2
Reference: BUGTRAQ:20020411 re: gobbles ntop alert
Reference: URL:http://marc.theaimsgroup.com/?l=bugtraq&m=101856541322245&w=2
Reference: BUGTRAQ:20020417 segfault in ntop
Reference: URL:http://marc.theaimsgroup.com/?l=bugtraq&m=101908224609740&w=2
Reference: VULNWATCH:20020304 [VulnWatch] [H20020304]: Remotely exploitable format string vulnerability in ntop
Reference: URL:http://archives.neohapsis.com/archives/vulnwatch/2002-q1/0056.html
Reference: CONFIRM:http://snapshot.ntop.org/
Reference: MISC:http://listmanager.unipi.it/pipermail/ntop-dev/2002-February/000489.html
Reference: XF:ntop-traceevent-format-string(8347)
Reference: URL:http://www.iss.net/security_center/static/8347.php
Reference: BID:4225
Reference: URL:http://www.securityfocus.com/bid/4225

Format string vulnerability in TraceEvent function for ntop before 2.1 allows remote attackers to execute arbitrary code by causing format strings to be injected into calls to the syslog function, via (1) an HTTP GET request, (2) a user name in HTTP authentication, or (3) a password in HTTP authentication.
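The TraceEvent issue above is the classic logging format-string bug: attacker text is formatted into a message buffer, and that buffer is then handed to syslog() as its format argument rather than as a %s argument. The C program below is an added illustration, not ntop's code; the function names, the log text, and the use of a vsnprintf-backed stand-in for syslog(3) (so the result can be inspected offline) are assumptions. It also carries a small detector of the kind a reviewer would run over request fields bound for a logging call.

```c
#include <stdarg.h>
#include <stdio.h>
#include <string.h>

#define LOGLEN 128

/* Stand-in for syslog(3): same calling convention (format + varargs), but it
   writes into `out` so the result can be examined instead of going to syslogd.
   Assumed helper, not part of ntop. */
static void log_sink(char *out, size_t n, const char *fmt, ...)
{
    va_list ap;
    va_start(ap, fmt);
    vsnprintf(out, n, fmt, ap);
    va_end(ap);
}

/* Vulnerable shape: the already-formatted message, which now embeds the
   request's user name, is passed to the sink as its FORMAT argument, so every
   '%' the attacker sent is interpreted by the sink. */
void trace_event_vuln(char *out, size_t n, const char *user)
{
    char msg[LOGLEN];
    snprintf(msg, sizeof msg, "HTTP auth failed for user '%s'", user);
    log_sink(out, n, msg);
}

/* Fixed shape: a constant format; the message travels as a %s argument. */
void trace_event_fixed(char *out, size_t n, const char *user)
{
    char msg[LOGLEN];
    snprintf(msg, sizeof msg, "HTTP auth failed for user '%s'", user);
    log_sink(out, n, "%s", msg);
}

/* Returns 1 when the logged line still contains the user name byte-for-byte,
   0 when the sink rewrote it (proof that the input was parsed as a format). */
int preserves_input(void (*trace)(char *, size_t, const char *), const char *user)
{
    char out[LOGLEN];
    trace(out, sizeof out, user);
    return strstr(out, user) != NULL;
}

/* Cheap detector for request fields headed for a logging call: counts '%'
   directives other than the literal "%%".  A non-zero count in a user name,
   password or GET path is worth an alert whatever the sink does with it. */
int count_format_directives(const char *s)
{
    int n = 0;
    for (; *s; s++) {
        if (*s != '%') continue;
        if (s[1] == '%') { s++; continue; }   /* "%%" is a literal percent */
        n++;
    }
    return n;
}

int main(void)
{
    /* Constructed input.  "%%" is the one directive that is well defined when
       the format function is given no arguments, so the demo cannot crash; a
       real probe would use %x/%s/%n and read or write memory. */
    const char *probe = "100%%";
    char out[LOGLEN];
    trace_event_vuln(out, sizeof out, probe);
    printf("vulnerable: %s\n", out);
    trace_event_fixed(out, sizeof out, probe);
    printf("fixed:      %s\n", out);
    printf("directives in \"%%n%%n%%n\": %d\n", count_format_directives("%n%n%n"));
    return 0;
}
```

The vulnerable path collapses "100%%" to "100%", which is the same interpretation step that turns "%x" into a stack read and "%n" into a write; the fix is a constant format string at every sink, and the counter is the kind of check to place on any user-supplied field before it reaches one.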
Analysis
----------------
ED_PRI CAN-2002-0412 1
Vendor Acknowledgement: yes advisory

ACKNOWLEDGEMENT: On the front page, the vendor has an item dated March 5, 2002, which states "A security exposure (remote code execution) in ntop was reported to bugtraq (bugtraq@securityfocus.com) by 'hologram'" - the original discloser to Bugtraq.

Voting Section
--------------
Possible votes: ACCEPT/MODIFY/NOOP/REVIEWING/RECAST/REJECT
If ACCEPT or MODIFY, include reason for acceptance: VERIFIED-BY-MY-ORG, ACKNOWLEDGED-BY-VENDOR, VERIFIED-BY-SOMEONE-I-TRUST, HAS-INDEPENDENT-CONFIRMATION, or provide other reason.

VOTE:
ACCEPT_REASON:
COMMENTS:

======================================================
Candidate: CAN-2002-0414
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2002-0414
Final-Decision:
Interim-Decision:
Modified:
Proposed: 20020611
Assigned: 20020607
Category: SF
Reference: BUGTRAQ:20020304 BSD: IPv4 forwarding doesn't consult inbound SPD in KAME-derived IPsec
Reference: URL:http://www.securityfocus.com/archive/1/259598
Reference: CONFIRM:http://orange.kame.net/dev/cvsweb.cgi/kame/CHANGELOG
Reference: BID:4224
Reference: URL:http://www.securityfocus.com/bid/4224
Reference: XF:kame-forged-packet-forwarding(8416)
Reference: URL:http://www.iss.net/security_center/static/8416.php
Reference: VULNWATCH:20020304 [VulnWatch] BSD: IPv4 forwarding doesn't consult inbound SPD in KAME-derived IPsec
Reference: URL:http://archives.neohapsis.com/archives/vulnwatch/2002-q1/0057.html

KAME-derived implementations of IPsec on NetBSD 1.5.2, FreeBSD 4.5, and other operating systems, does not properly consult the Security Policy Database (SPD), which could cause a Security Gateway (SG) that does not use Encapsulating Security Payload (ESP) to forward forged IPv4 packets.
Analysis
----------------
ED_PRI CAN-2002-0414 1
Vendor Acknowledgement: yes changelog

ACKNOWLEDGEMENT: In a changelog item dated "Mon Feb 25 2:00:06 2002," the vendor says "enforce ipsec policy checking on forwarding case" and credits the Bugtraq poster.

Voting Section
--------------
Possible votes: ACCEPT/MODIFY/NOOP/REVIEWING/RECAST/REJECT
If ACCEPT or MODIFY, include reason for acceptance: VERIFIED-BY-MY-ORG, ACKNOWLEDGED-BY-VENDOR, VERIFIED-BY-SOMEONE-I-TRUST, HAS-INDEPENDENT-CONFIRMATION, or provide other reason.

VOTE:
ACCEPT_REASON:
COMMENTS:

======================================================
Candidate: CAN-2002-0423
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2002-0423
Final-Decision:
Interim-Decision:
Modified:
Proposed: 20020611
Assigned: 20020607
Category: SF
Reference: BUGTRAQ:20020306 efingerd remote buffer overflow and a dangerous feature
Reference: URL:http://archives.neohapsis.com/archives/bugtraq/2002-03/0050.html
Reference: CONFIRM:http://melkor.dnp.fmph.uniba.sk/~garabik/efingerd/efingerd_1.5.tar.gz
Reference: BID:4239
Reference: URL:http://www.securityfocus.com/bid/4239
Reference: XF:efingerd-reverse-lookup-bo(8380)
Reference: URL:http://www.iss.net/security_center/static/8380.php

Buffer overflow in efingerd 1.5 and earlier, and possibly up to 1.61, allows remote attackers to cause a denial of service and possibly execute arbitrary code via a finger request from an IP address with a long hostname that is obtained via a reverse DNS lookup.

Analysis
----------------
ED_PRI CAN-2002-0423 1
Vendor Acknowledgement: yes patch

ACKNOWLEDGEMENT: an examination of the source code for 1.6.2 shows a child.c file, dated several weeks after initial disclosure, whose only change was to terminate the string that is copied. But the source code shows a strncpy call, as opposed to a strcpy as claimed by the discloser.
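An added illustration of the strncpy point (example code, not efingerd's; the 16-byte buffer and the function names are assumptions): strncpy() stops writing at the size argument and, when the source fills the buffer, never writes a NUL. The copy is bounded, so the strcpy-style overflow is gone, but the result is not a C string until it is terminated explicitly, which is what the 1.6.2 change does; every later strlen() or printf() of the unterminated buffer reads past its end.

```c
#include <stdio.h>
#include <string.h>

/* Assumed buffer size for illustration; efingerd's real size is not shown here. */
#define HOSTLEN 16

/* The 1.5-style copy described in the analysis: strcpy replaced by a bounded
   strncpy, nothing guarantees a terminator.  Returns 1 if a NUL ended up
   inside the buffer, 0 if the buffer is an unterminated run of bytes. */
int v15_copy_terminated(const char *host)
{
    char buf[HOSTLEN];
    memset(buf, 'X', sizeof buf);          /* stale bytes, as on a reused stack */
    strncpy(buf, host, sizeof buf);
    return memchr(buf, '\0', sizeof buf) != NULL;
}

/* The 1.6.2-style copy: at most HOSTLEN-1 bytes, then an explicit NUL, so the
   buffer is always a valid C string whatever the PTR record length. */
int v162_copy_terminated(const char *host)
{
    char buf[HOSTLEN];
    memset(buf, 'X', sizeof buf);
    strncpy(buf, host, sizeof buf - 1);
    buf[sizeof buf - 1] = '\0';
    return memchr(buf, '\0', sizeof buf) != NULL;
}

int main(void)
{
    /* Constructed inputs: a short name, a name of exactly HOSTLEN bytes (the
       boundary case strncpy gets wrong), and an oversized reverse-DNS name. */
    const char *names[] = { "short.example", "sixteen-chars.ab",
                            "a-very-long-reverse-dns-name.example.net" };
    for (size_t i = 0; i < sizeof names / sizeof names[0]; i++)
        printf("%-42s 1.5:%d  1.6.2:%d\n", names[i],
               v15_copy_terminated(names[i]), v162_copy_terminated(names[i]));
    return 0;
}
```

The exactly-16-byte case is the one to remember: no byte is written outside the buffer, yet the string has no end, which is why a discloser can still see crashes after the strcpy is gone and why whether it is exploitable depends on what lies after the buffer.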
Looking back at the source code for older versions, it appears that the first attempt to fix the overflow was made in version 1.5, where the strcpy was replaced by strncpy. However, since the string was not null terminated until 1.6.2, the discloser may have believed that the overflow still existed since they were probably still able to at least trigger a crash. It is unclear whether the unterminated string in versions 1.5 through 1.6.2 is actually exploitable.

Voting Section
--------------
Possible votes: ACCEPT/MODIFY/NOOP/REVIEWING/RECAST/REJECT
If ACCEPT or MODIFY, include reason for acceptance: VERIFIED-BY-MY-ORG, ACKNOWLEDGED-BY-VENDOR, VERIFIED-BY-SOMEONE-I-TRUST, HAS-INDEPENDENT-CONFIRMATION, or provide other reason.

VOTE:
ACCEPT_REASON:
COMMENTS:

======================================================
Candidate: CAN-2002-0424
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2002-0424
Final-Decision:
Interim-Decision:
Modified:
Proposed: 20020611
Assigned: 20020607
Category: SF
Reference: BUGTRAQ:20020306 efingerd remote buffer overflow and a dangerous feature
Reference: URL:http://archives.neohapsis.com/archives/bugtraq/2002-03/0050.html
Reference: CONFIRM:http://melkor.dnp.fmph.uniba.sk/~garabik/efingerd/efingerd_1.6.2.tar.gz
Reference: BID:4240
Reference: URL:http://www.securityfocus.com/bid/4240
Reference: XF:efingerd-file-execution(8381)
Reference: URL:http://www.iss.net/security_center/static/8381.php

efingerd 1.61 and earlier, when configured without the -u option, executes .efingerd files as the efingerd user (typically "nobody"), which allows local users to gain privileges as the efingerd user by modifying their own .efingerd file and running finger.

Analysis
----------------
ED_PRI CAN-2002-0424 1
Vendor Acknowledgement: yes changelog

ACKNOWLEDGEMENT: the vendor acknowledges but does not fix the problem in 1.6.2.
The README file for efingerd 1.6.2 includes a new "Security Notes" section that states: "unless run with option -u, efingerd executes ... [the .efingerd file] under the same UID as the efingerd daemon... This means that users could gain access to this UID very easily." For the purposes of CVE, vendor acknowledgement is all that is necessary.

Voting Section
--------------
Possible votes: ACCEPT/MODIFY/NOOP/REVIEWING/RECAST/REJECT
If ACCEPT or MODIFY, include reason for acceptance: VERIFIED-BY-MY-ORG, ACKNOWLEDGED-BY-VENDOR, VERIFIED-BY-SOMEONE-I-TRUST, HAS-INDEPENDENT-CONFIRMATION, or provide other reason.

VOTE:
ACCEPT_REASON:
COMMENTS:

======================================================
Candidate: CAN-2002-0429
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2002-0429
Final-Decision:
Interim-Decision:
Modified:
Proposed: 20020611
Assigned: 20020607
Category: SF
Reference: BUGTRAQ:20020308 linux <=2.4.18 x86 traps.c problem
Reference: URL:http://marc.theaimsgroup.com/?l=bugtraq&m=101561298818888&w=2
Reference: CONFIRM:http://www.openwall.com/linux/
Reference: BID:4259
Reference: URL:http://online.securityfocus.com/bid/4259

The iBCS routines in arch/i386/kernel/traps.c for Linux kernels 2.4.18 and earlier on x86 systems allow local users to kill arbitrary processes via a binary compatibility interface (lcall).

Analysis
----------------
ED_PRI CAN-2002-0429 1
Vendor Acknowledgement: yes

ACKNOWLEDGEMENT: the Openwall home page has an item dated March 3, 2002, which states "Linux 2.2.20-ow2 fixes an x86-specific vulnerability in the Linux kernel discovered by Stephan Springl where local users could abuse a binary compatibility interface (lcall) to kill processes not belonging to them."

Voting Section
--------------
Possible votes: ACCEPT/MODIFY/NOOP/REVIEWING/RECAST/REJECT
If ACCEPT or MODIFY, include reason for acceptance: VERIFIED-BY-MY-ORG, ACKNOWLEDGED-BY-VENDOR, VERIFIED-BY-SOMEONE-I-TRUST, HAS-INDEPENDENT-CONFIRMATION, or provide other reason.
VOTE:
ACCEPT_REASON:
COMMENTS:

======================================================
Candidate: CAN-2002-0497
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2002-0497
Final-Decision:
Interim-Decision:
Modified:
Proposed: 20020611
Assigned: 20020607
Category: SF
Reference: BUGTRAQ:20020306 mtr 0.45, 0.46
Reference: URL:http://archives.neohapsis.com/archives/bugtraq/2002-03/0048.html
Reference: DEBIAN:DSA-124
Reference: URL:http://www.debian.org/security/2002/dsa-124
Reference: BID:4217
Reference: URL:http://www.securityfocus.com/bid/4217
Reference: XF:mtr-options-bo(8367)
Reference: URL:http://www.iss.net/security_center/static/8367.php

Buffer overflow in mtr 0.46 and earlier, when installed setuid root, allows local users to access a raw socket via a long MTR_OPTIONS environment variable.

Analysis
----------------
ED_PRI CAN-2002-0497 1
Vendor Acknowledgement: yes advisory

Voting Section
--------------
Possible votes: ACCEPT/MODIFY/NOOP/REVIEWING/RECAST/REJECT
If ACCEPT or MODIFY, include reason for acceptance: VERIFIED-BY-MY-ORG, ACKNOWLEDGED-BY-VENDOR, VERIFIED-BY-SOMEONE-I-TRUST, HAS-INDEPENDENT-CONFIRMATION, or provide other reason.
VOTE:
ACCEPT_REASON:
COMMENTS:

======================================================
Candidate: CAN-2002-0517
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2002-0517
Final-Decision:
Interim-Decision:
Modified:
Proposed: 20020611
Assigned: 20020607
Category: SF
Reference: BUGTRAQ:20020108 dtterm exploit in Unixware 7.1.1
Reference: URL:http://www.securityfocus.com/archive/1/249106
Reference: BUGTRAQ:20020108 xterm exploit in Unixware 7.0.1
Reference: URL:http://archives.neohapsis.com/archives/bugtraq/2002-01/0099.html
Reference: CALDERA:CSSA-2002-SCO.15
Reference: URL:ftp://stage.caldera.com/pub/security/openunix/CSSA-2002-SCO.15/CSSA-2002-SCO.15.txt
Reference: BID:4502
Reference: URL:http://www.securityfocus.com/bid/4502
Reference: XF:unixware-openunix-dtterm-bo(7282)
Reference: URL:http://www.iss.net/security_center/static/7282.php
Reference: XF:x11-xrm-bo(8828)
Reference: URL:http://www.iss.net/security_center/static/8828.php

Buffer overflow in X11 library (libX11) on Caldera Open UNIX 8.0.0, UnixWare 7.1.1, and possibly other operating systems, allows local users to gain root privileges via a long -xrm argument to programs such as (1) dtterm or (2) xterm.

Analysis
----------------
ED_PRI CAN-2002-0517 1
Vendor Acknowledgement: yes advisory

Voting Section
--------------
Possible votes: ACCEPT/MODIFY/NOOP/REVIEWING/RECAST/REJECT
If ACCEPT or MODIFY, include reason for acceptance: VERIFIED-BY-MY-ORG, ACKNOWLEDGED-BY-VENDOR, VERIFIED-BY-SOMEONE-I-TRUST, HAS-INDEPENDENT-CONFIRMATION, or provide other reason.
VOTE:
ACCEPT_REASON:
COMMENTS:

======================================================
Candidate: CAN-2002-0567
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2002-0567
Final-Decision:
Interim-Decision:
Modified:
Proposed: 20020611
Assigned: 20020607
Category: SF
Reference: BUGTRAQ:20020206 Remote Compromise in Oracle 9i Database Server
Reference: URL:http://marc.theaimsgroup.com/?l=bugtraq&m=101301332402079&w=2
Reference: CERT-VN:VU#180147
Reference: URL:http://www.kb.cert.org/vuls/id/180147
Reference: CERT:CA-2002-08
Reference: URL:http://www.cert.org/advisories/CA-2002-08.html
Reference: CONFIRM:http://otn.oracle.com/deploy/security/pdf/plsextproc_alert.pdf
Reference: BID:4033
Reference: URL:http://www.securityfocus.com/bid/4033
Reference: XF:oracle-plsql-remote-access(8089)
Reference: URL:http://xforce.iss.net/static/8089.php

Oracle 8i and 9i with PL/SQL package for External Procedures (EXTPROC) allows remote attackers to bypass authentication and execute arbitrary functions by using the TNS Listener to directly connect to the EXTPROC process.

Analysis
----------------
ED_PRI CAN-2002-0567 1
Vendor Acknowledgement: yes advisory

Voting Section
--------------
Possible votes: ACCEPT/MODIFY/NOOP/REVIEWING/RECAST/REJECT
If ACCEPT or MODIFY, include reason for acceptance: VERIFIED-BY-MY-ORG, ACKNOWLEDGED-BY-VENDOR, VERIFIED-BY-SOMEONE-I-TRUST, HAS-INDEPENDENT-CONFIRMATION, or provide other reason.
VOTE:
ACCEPT_REASON:
COMMENTS:

======================================================
Candidate: CAN-2002-0568
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2002-0568
Final-Decision:
Interim-Decision:
Modified:
Proposed: 20020611
Assigned: 20020607
Category: SF
Reference: BUGTRAQ:20020206 Hackproofing Oracle Application Server paper
Reference: URL:http://marc.theaimsgroup.com/?l=bugtraq&m=101301813117562&w=2
Reference: CERT:CA-2002-08
Reference: URL:http://www.cert.org/advisories/CA-2002-08.html
Reference: CERT-VN:VU#476619
Reference: URL:http://www.kb.cert.org/vuls/id/476619
Reference: MISC:http://www.nextgenss.com/papers/hpoas.pdf
Reference: BID:4290
Reference: URL:http://www.securityfocus.com/bid/4290

Oracle 9i Application Server stores XSQL and SOAP configuration files insecurely, which allows local users to obtain sensitive information including usernames and passwords by requesting (1) XSQLConfig.xml or (2) soapConfig.xml through a virtual directory.

Analysis
----------------
ED_PRI CAN-2002-0568 1
Vendor Acknowledgement: yes advisory

Voting Section
--------------
Possible votes: ACCEPT/MODIFY/NOOP/REVIEWING/RECAST/REJECT
If ACCEPT or MODIFY, include reason for acceptance: VERIFIED-BY-MY-ORG, ACKNOWLEDGED-BY-VENDOR, VERIFIED-BY-SOMEONE-I-TRUST, HAS-INDEPENDENT-CONFIRMATION, or provide other reason.
VOTE:
ACCEPT_REASON:
COMMENTS:

======================================================
Candidate: CAN-2002-0569
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2002-0569
Final-Decision:
Interim-Decision:
Modified:
Proposed: 20020611
Assigned: 20020607
Category: SF
Reference: BUGTRAQ:20020206 Hackproofing Oracle Application Server paper
Reference: URL:http://marc.theaimsgroup.com/?l=bugtraq&m=101301813117562&w=2
Reference: CERT-VN:VU#977251
Reference: URL:http://www.kb.cert.org/vuls/id/977251
Reference: CERT:CA-2002-08
Reference: URL:http://www.cert.org/advisories/CA-2002-08.html
Reference: MISC:http://www.nextgenss.com/papers/hpoas.pdf
Reference: BID:4298
Reference: URL:http://www.securityfocus.com/bid/4298

Oracle 9i Application Server allows remote attackers to bypass access restrictions for configuration files via a direct request to the XSQL Servlet (XSQLServlet).

Analysis
----------------
ED_PRI CAN-2002-0569 1
Vendor Acknowledgement: yes advisory

Voting Section
--------------
Possible votes: ACCEPT/MODIFY/NOOP/REVIEWING/RECAST/REJECT
If ACCEPT or MODIFY, include reason for acceptance: VERIFIED-BY-MY-ORG, ACKNOWLEDGED-BY-VENDOR, VERIFIED-BY-SOMEONE-I-TRUST, HAS-INDEPENDENT-CONFIRMATION, or provide other reason.
VOTE:
ACCEPT_REASON:
COMMENTS:

======================================================
Candidate: CAN-2002-0406
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2002-0406
Final-Decision:
Interim-Decision:
Modified:
Proposed: 20020611
Assigned: 20020607
Category: SF
Reference: BUGTRAQ:20020302 Denial of Service in Sphereserver
Reference: URL:http://online.securityfocus.com/archive/1/259334
Reference: XF:sphereserver-connections-dos(8338)
Reference: URL:http://www.iss.net/security_center/static/8338.php
Reference: BID:4258
Reference: URL:http://www.securityfocus.com/bid/4258

Menasoft SPHERE server 0.99x and 0.5x allows remote attackers to cause a denial of service by establishing a large number of connections to the server without providing login credentials, which prevents other users from being able to log in.

Analysis
----------------
ED_PRI CAN-2002-0406 3
Vendor Acknowledgement:

Voting Section
--------------
Possible votes: ACCEPT/MODIFY/NOOP/REVIEWING/RECAST/REJECT
If ACCEPT or MODIFY, include reason for acceptance: VERIFIED-BY-MY-ORG, ACKNOWLEDGED-BY-VENDOR, VERIFIED-BY-SOMEONE-I-TRUST, HAS-INDEPENDENT-CONFIRMATION, or provide other reason.
VOTE:
ACCEPT_REASON:
COMMENTS:

======================================================
Candidate: CAN-2002-0407
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2002-0407
Final-Decision:
Interim-Decision:
Modified:
Proposed: 20020611
Assigned: 20020607
Category: SF
Reference: BUGTRAQ:20020207 Re: KPMG-2002004: Lotus Domino Webserver DOS-device Denial of Service
Reference: URL:http://online.securityfocus.com/archive/1/254768
Reference: BUGTRAQ:20020402 KPMG-2002006: Lotus Domino Physical Path Revealed
Reference: URL:http://www.securityfocus.com/archive/1/265380
Reference: BID:4406
Reference: URL:http://www.securityfocus.com/bid/4406
Reference: XF:lotus-domino-reveal-information(8160)
Reference: URL:http://www.iss.net/security_center/static/8160.php

htcgibin.exe in Lotus Domino server 5.0.9a and earlier allows remote attackers to determine the physical pathname for the server via requests that contain certain MS-DOS device names such as com5, including (1) a request with a .pl or .java extension, or (2) a request containing a large number of periods, which causes htcgibin.exe to leak the pathname in an error message.

Analysis
----------------
ED_PRI CAN-2002-0407 3
Vendor Acknowledgement: unknown discloser-claimed
Content Decisions: SF-LOC

Voting Section
--------------
Possible votes: ACCEPT/MODIFY/NOOP/REVIEWING/RECAST/REJECT
If ACCEPT or MODIFY, include reason for acceptance: VERIFIED-BY-MY-ORG, ACKNOWLEDGED-BY-VENDOR, VERIFIED-BY-SOMEONE-I-TRUST, HAS-INDEPENDENT-CONFIRMATION, or provide other reason.
VOTE:
ACCEPT_REASON:
COMMENTS:

======================================================
Candidate: CAN-2002-0408
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2002-0408
Final-Decision:
Interim-Decision:
Modified:
Proposed: 20020611
Assigned: 20020607
Category: SF
Reference: BUGTRAQ:20020207 Re: KPMG-2002004: Lotus Domino Webserver DOS-device Denial of Service
Reference: URL:http://online.securityfocus.com/archive/1/254768
Reference: BUGTRAQ:20020303 Re: KPMG-2002006: Lotus Domino Physical Path Revealed
Reference: URL:http://marc.theaimsgroup.com/?l=bugtraq&m=101785616526383&w=2
Reference: BID:4049
Reference: URL:http://www.securityfocus.com/bid/4049

htcgibin.exe in Lotus Domino server 5.0.9a and earlier, when configured with the NoBanner setting, allows remote attackers to determine the version number of the server via a request that generates an HTTP 500 error code, which leaks the version in a hard-coded error message.

Analysis
----------------
ED_PRI CAN-2002-0408 3
Vendor Acknowledgement: unknown discloser-claimed
Content Decisions: SF-LOC

ABSTRACTION: this has some overlap with CAN-2002-0245 item (2), although different versions are affected. These may be the same underlying issue (a configuration or design problem in Domino) that crosses multiple versions.

Voting Section
--------------
Possible votes: ACCEPT/MODIFY/NOOP/REVIEWING/RECAST/REJECT
If ACCEPT or MODIFY, include reason for acceptance: VERIFIED-BY-MY-ORG, ACKNOWLEDGED-BY-VENDOR, VERIFIED-BY-SOMEONE-I-TRUST, HAS-INDEPENDENT-CONFIRMATION, or provide other reason.
VOTE:
ACCEPT_REASON:
COMMENTS:

======================================================
Candidate: CAN-2002-0409
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2002-0409
Final-Decision:
Interim-Decision:
Modified:
Proposed: 20020611
Assigned: 20020607
Category: SF
Reference: BUGTRAQ:20020303 iBuySpy store hole
Reference: URL:http://marc.theaimsgroup.com/?l=bugtraq&m=101518860823788&w=2

orderdetails.aspx, as made available to Microsoft .NET developers as example code and demonstrated on www.ibuyspystore.com, allows remote attackers to view the orders of other users by modifying the OrderID parameter.

Analysis
----------------
ED_PRI CAN-2002-0409 3
Vendor Acknowledgement:
Content Decisions: EX-ONLINE-SVC

INCLUSION: CD:EX-ONLINE-SVC normally recommends that online services or application service providers be excluded from CVE. However, in this case, the discloser claims that Microsoft "have encouraged developers to view and copy the code for their own projects," which makes this akin to a distribution of software to other parties. Therefore this issue should be included in CVE.

Voting Section
--------------
Possible votes: ACCEPT/MODIFY/NOOP/REVIEWING/RECAST/REJECT
If ACCEPT or MODIFY, include reason for acceptance: VERIFIED-BY-MY-ORG, ACKNOWLEDGED-BY-VENDOR, VERIFIED-BY-SOMEONE-I-TRUST, HAS-INDEPENDENT-CONFIRMATION, or provide other reason.
VOTE:
ACCEPT_REASON:
COMMENTS:

======================================================
Candidate: CAN-2002-0410
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2002-0410
Final-Decision:
Interim-Decision:
Modified:
Proposed: 20020611
Assigned: 20020607
Category: SF
Reference: BUGTRAQ:20020303 AeroMail multiple vulnerabilities
Reference: URL:http://archives.neohapsis.com/archives/bugtraq/2002-03/0004.html
Reference: CONFIRM:http://the.cushman.net/projects/aeromail/download/aeromail-1.45.tar.gz
Reference: MISC:http://the.cushman.net/projects/aeromail/download/
Reference: XF:aeromail-obtain-files(8345)
Reference: URL:http://www.iss.net/security_center/static/8345.php
Reference: BID:4214
Reference: URL:http://www.securityfocus.com/bid/4214

send_message.php in AeroMail before 1.45 allows remote attackers to read arbitrary files on the server, instead of just uploaded files, via an attachment that modifies the filename to be uploaded.

Analysis
----------------
ED_PRI CAN-2002-0410 3
Vendor Acknowledgement: yes patch
Content Decisions: SF-LOC

ACKNOWLEDGEMENT: On the vendor download page, a brief change log for version 1.45 says "Patched security holes," which is not clear enough to be sure that the vendor is patching *this* vulnerability. However, a look at line 25 of send_message.php indicates a call to a function is_uploaded_file(), which is part of a conditional that determines if a file should be attached. This function was NOT called in version 1.40 - the latest version available before 1.45 - based on a source code comparison. Therefore, even though the written acknowledgement from the vendor is vague, an examination of the source code indicates a patch that would fix this problem.

Voting Section
--------------
Possible votes: ACCEPT/MODIFY/NOOP/REVIEWING/RECAST/REJECT
If ACCEPT or MODIFY, include reason for acceptance: VERIFIED-BY-MY-ORG, ACKNOWLEDGED-BY-VENDOR, VERIFIED-BY-SOMEONE-I-TRUST, HAS-INDEPENDENT-CONFIRMATION, or provide other reason.
VOTE:
ACCEPT_REASON:
COMMENTS:

======================================================
Candidate: CAN-2002-0411
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2002-0411
Final-Decision:
Interim-Decision:
Modified:
Proposed: 20020611
Assigned: 20020607
Category: SF
Reference: BUGTRAQ:20020303 AeroMail multiple vulnerabilities
Reference: URL:http://archives.neohapsis.com/archives/bugtraq/2002-03/0004.html
Reference: CONFIRM:http://the.cushman.net/projects/aeromail/download/aeromail-1.45.tar.gz
Reference: BID:4215
Reference: URL:http://www.securityfocus.com/bid/4215
Reference: XF:aeromail-subject-css(8346)
Reference: URL:http://www.iss.net/security_center/static/8346.php

Cross-site scripting vulnerability in message.php for AeroMail before 1.45 allows remote attackers to execute Javascript as an AeroMail user via an email message with the script in the Subject line.

Analysis
----------------
ED_PRI CAN-2002-0411 3
Vendor Acknowledgement: yes patch
Content Decisions: SF-LOC

ACKNOWLEDGEMENT: On the vendor download page, a brief change log for version 1.45 says "Patched security holes," which is not clear enough to be sure that the vendor is patching *this* vulnerability. However, a look at line 7 of message.php indicates a call to a function htmlspecialchars() while building the subject. This function was NOT called in version 1.40 - the latest version available before 1.45 - based on a source code comparison. Therefore, even though the written acknowledgement from the vendor is vague, an examination of the source code indicates a patch that would fix this problem.

Voting Section
--------------
Possible votes: ACCEPT/MODIFY/NOOP/REVIEWING/RECAST/REJECT
If ACCEPT or MODIFY, include reason for acceptance: VERIFIED-BY-MY-ORG, ACKNOWLEDGED-BY-VENDOR, VERIFIED-BY-SOMEONE-I-TRUST, HAS-INDEPENDENT-CONFIRMATION, or provide other reason.
VOTE:
ACCEPT_REASON:
COMMENTS:

======================================================
Candidate: CAN-2002-0413
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2002-0413
Final-Decision:
Interim-Decision:
Modified:
Proposed: 20020611
Assigned: 20020607
Category: SF
Reference: BUGTRAQ:20020304 ReBB javascripts vulnerability
Reference: URL:http://online.securityfocus.com/archive/1/259464
Reference: BID:4220
Reference: URL:http://www.securityfocus.com/bid/4220
Reference: XF:rebb-img-css(8353)
Reference: URL:http://www.iss.net/security_center/static/8353.php

Cross-site scripting vulnerability in ReBB allows remote attackers to execute arbitrary Javascript and steal cookies via an IMG tag whose URL includes the malicious script.

Analysis
----------------
ED_PRI CAN-2002-0413 3
Vendor Acknowledgement:

Voting Section
--------------
Possible votes: ACCEPT/MODIFY/NOOP/REVIEWING/RECAST/REJECT
If ACCEPT or MODIFY, include reason for acceptance: VERIFIED-BY-MY-ORG, ACKNOWLEDGED-BY-VENDOR, VERIFIED-BY-SOMEONE-I-TRUST, HAS-INDEPENDENT-CONFIRMATION, or provide other reason.

VOTE:
ACCEPT_REASON:
COMMENTS:

======================================================
Candidate: CAN-2002-0415
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2002-0415
Final-Decision:
Interim-Decision:
Modified:
Proposed: 20020611
Assigned: 20020607
Category: SF
Reference: BUGTRAQ:20020302 RealPlayer bug
Reference: URL:http://www.securityfocus.com/archive/1/259333
Reference: BID:4221
Reference: URL:http://www.securityfocus.com/bid/4221
Reference: XF:realplayer-http-directory-traversal(8336)
Reference: URL:http://www.iss.net/security_center/static/8336.php

Directory traversal vulnerability in the web server used in RealPlayer 6.0.7, and possibly other versions, may allow local users to read files that are accessible to RealPlayer via a .. (dot dot) in an HTTP GET request to port 1275.
Analysis
----------------
ED_PRI CAN-2002-0415 3
Vendor Acknowledgement:

INCLUSION: followup discussions on Bugtraq indicate that RealPlayer appears to limit access to localhost, which limits the problem to local users only. Theoretically, such local users would have access to all or most of the file system anyway. However, it is possible that RealPlayer would have access to certain files that other users would not; in addition, an attacker could read a raw device file to cause a denial of service. Therefore, while the scope of this vulnerability may be limited, there are certain scenarios in which an attacker may be able to conduct unauthorized activities.

Voting Section
--------------
Possible votes: ACCEPT/MODIFY/NOOP/REVIEWING/RECAST/REJECT
If ACCEPT or MODIFY, include reason for acceptance: VERIFIED-BY-MY-ORG, ACKNOWLEDGED-BY-VENDOR, VERIFIED-BY-SOMEONE-I-TRUST, HAS-INDEPENDENT-CONFIRMATION, or provide other reason.

VOTE:
ACCEPT_REASON:
COMMENTS:

======================================================
Candidate: CAN-2002-0416
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2002-0416
Final-Decision:
Interim-Decision:
Modified:
Proposed: 20020611
Assigned: 20020607
Category: SF
Reference: BUGTRAQ:20020305 Buffer Overflows in sh39.com
Reference: URL:http://www.securityfocus.com/archive/1/259818
Reference: BID:4232
Reference: URL:http://www.securityfocus.com/bid/4232
Reference: XF:sh39-mailserver-dos(8379)
Reference: URL:http://www.iss.net/security_center/static/8379.php

Buffer overflow in SH39 MailServer 1.21 and earlier allows remote attackers to cause a denial of service, and possibly execute arbitrary code, via a long command to the SMTP port.
Analysis
----------------
ED_PRI CAN-2002-0416 3
Vendor Acknowledgement: unknown discloser-claimed

Voting Section
--------------
Possible votes: ACCEPT/MODIFY/NOOP/REVIEWING/RECAST/REJECT
If ACCEPT or MODIFY, include reason for acceptance: VERIFIED-BY-MY-ORG, ACKNOWLEDGED-BY-VENDOR, VERIFIED-BY-SOMEONE-I-TRUST, HAS-INDEPENDENT-CONFIRMATION, or provide other reason.

VOTE:
ACCEPT_REASON:
COMMENTS:

======================================================
Candidate: CAN-2002-0417
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2002-0417
Final-Decision:
Interim-Decision:
Modified:
Proposed: 20020611
Assigned: 20020607
Category: SF
Reference: BUGTRAQ:20020305 Endymion SakeMail and MailMan File Disclosure Vulnerability
Reference: URL:http://online.securityfocus.com/archive/1/259730
Reference: CONFIRM:http://www.endymion.com/products/mailman/history.htm
Reference: XF:mailman-alternate-templates-traversal(8357)
Reference: URL:http://www.iss.net/security_center/static/8357.php
Reference: BID:4222
Reference: URL:http://www.securityfocus.com/bid/4222

Directory traversal vulnerability in Endymion MailMan before 3.1 allows remote attackers to read arbitrary files via a .. (dot dot) and a null character in the ALTERNATE_TEMPLATES parameter for various mmstdo*.cgi programs.

Analysis
----------------
ED_PRI CAN-2002-0417 3
Vendor Acknowledgement: yes changelog
Content Decisions: SF-CODEBASE

ACKNOWLEDGEMENT: The history file for MailMan includes an item dated March 6, 2002, which describes a "Minor security revision to prevent file disclosure hole."

ABSTRACTION: CD:SF-CODEBASE suggests performing a SPLIT when there appear to be different bugs of the same type in different packages offered by the vendor. Therefore MailMan and SakeMail are kept separate. In addition, the bug has been fixed in MailMan but not in SakeMail as of this writing.
Voting Section
--------------
Possible votes: ACCEPT/MODIFY/NOOP/REVIEWING/RECAST/REJECT
If ACCEPT or MODIFY, include reason for acceptance: VERIFIED-BY-MY-ORG, ACKNOWLEDGED-BY-VENDOR, VERIFIED-BY-SOMEONE-I-TRUST, HAS-INDEPENDENT-CONFIRMATION, or provide other reason.

VOTE:
ACCEPT_REASON:
COMMENTS:

======================================================
Candidate: CAN-2002-0418
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2002-0418
Final-Decision:
Interim-Decision:
Modified:
Proposed: 20020611
Assigned: 20020607
Category: SF
Reference: BUGTRAQ:20020305 Endymion SakeMail and MailMan File Disclosure Vulnerability
Reference: URL:http://online.securityfocus.com/archive/1/259730
Reference: BID:4223
Reference: URL:http://www.securityfocus.com/bid/4223
Reference: XF:sakemail-paramname-directory-traversal(8358)
Reference: URL:http://www.iss.net/security_center/static/8358.php

Directory traversal vulnerability in the com.endymion.sake.servlet.mail.MailServlet servlet for Endymion SakeMail 1.0.36 and earlier allows remote attackers to read arbitrary files via a .. (dot dot) and a null character in the param_name parameter.

Analysis
----------------
ED_PRI CAN-2002-0418 3
Vendor Acknowledgement: unknown
Content Decisions: SF-CODEBASE

ABSTRACTION: CD:SF-CODEBASE suggests performing a SPLIT when there appear to be different bugs of the same type in different packages offered by the vendor. Therefore MailMan and SakeMail are kept separate. In addition, the bug has been fixed in MailMan but not in SakeMail as of this writing.

Voting Section
--------------
Possible votes: ACCEPT/MODIFY/NOOP/REVIEWING/RECAST/REJECT
If ACCEPT or MODIFY, include reason for acceptance: VERIFIED-BY-MY-ORG, ACKNOWLEDGED-BY-VENDOR, VERIFIED-BY-SOMEONE-I-TRUST, HAS-INDEPENDENT-CONFIRMATION, or provide other reason.
VOTE:
ACCEPT_REASON:
COMMENTS:

======================================================
Candidate: CAN-2002-0419
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2002-0419
Final-Decision:
Interim-Decision:
Modified:
Proposed: 20020611
Assigned: 20020607
Category: SF
Reference: BUGTRAQ:20020305 Considerations for IIS Authentication (#NISR05032002C)
Reference: URL:http://marc.theaimsgroup.com/?l=bugtraq&m=101535399100534&w=2
Reference: XF:iis-authentication-error-messages(8382)
Reference: URL:http://www.iss.net/security_center/static/8382.php
Reference: BID:4235
Reference: URL:http://www.securityfocus.com/bid/4235

Information leaks in IIS 4 through 5.1 allow remote attackers to obtain potentially sensitive information or more easily conduct brute force attacks via responses from the server in which (1) the server reveals whether it supports Basic or NTLM authentication through 401 Access Denied error messages, (2) in certain configurations, the server IP address is provided as the realm for Basic authentication, which could reveal real IP addresses that were obscured by NAT, or (3) when NTLM authentication is used, the NetBIOS name of the server and its Windows NT domain are revealed in response to an Authorization request.

Analysis
----------------
ED_PRI CAN-2002-0419 3
Vendor Acknowledgement: no discloser claims dispute
Content Decisions: SF-LOC

ABSTRACTION: CD:SF-LOC suggests merging problems that are all the same type. In this case, all these issues are information leaks. However, information leaks are not well-studied as a class, and there may be lower-level categories in which this item could be SPLIT.

INCLUSION: information leaks are an exposure. Therefore, this item should be included in CVE.
Voting Section
--------------
Possible votes: ACCEPT/MODIFY/NOOP/REVIEWING/RECAST/REJECT
If ACCEPT or MODIFY, include reason for acceptance: VERIFIED-BY-MY-ORG, ACKNOWLEDGED-BY-VENDOR, VERIFIED-BY-SOMEONE-I-TRUST, HAS-INDEPENDENT-CONFIRMATION, or provide other reason.

VOTE:
ACCEPT_REASON:
COMMENTS:

======================================================
Candidate: CAN-2002-0420
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2002-0420
Final-Decision:
Interim-Decision:
Modified:
Proposed: 20020611
Assigned: 20020607
Category: SF
Reference: BUGTRAQ:20020305 PureTLS Security Announcement: Upgrade to 0.9b2
Reference: URL:http://archives.neohapsis.com/archives/bugtraq/2002-03/0056.html
Reference: BID:4237
Reference: URL:http://www.securityfocus.com/bid/4237
Reference: XF:puretls-injection-attack(8386)
Reference: URL:http://www.iss.net/security_center/static/8386.php

Vulnerability in PureTLS before 0.9b2 related to injection attacks, which could possibly allow remote attackers to corrupt or hijack user sessions.

Analysis
----------------
ED_PRI CAN-2002-0420 3
Vendor Acknowledgement: yes
Content Decisions: VAGUE

INCLUSION: CD:VAGUE suggests that even if a security issue is reported by a vendor with no details, it should be included in CVE because there is high confidence that the issue is real.

Voting Section
--------------
Possible votes: ACCEPT/MODIFY/NOOP/REVIEWING/RECAST/REJECT
If ACCEPT or MODIFY, include reason for acceptance: VERIFIED-BY-MY-ORG, ACKNOWLEDGED-BY-VENDOR, VERIFIED-BY-SOMEONE-I-TRUST, HAS-INDEPENDENT-CONFIRMATION, or provide other reason.
VOTE:
ACCEPT_REASON:
COMMENTS:

======================================================
Candidate: CAN-2002-0421
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2002-0421
Final-Decision:
Interim-Decision:
Modified:
Proposed: 20020611
Assigned: 20020607
Category: SF
Reference: BUGTRAQ:20020306 NT user (who is locked changing his/her password by administrator ) can bypass the security policy and Change the password.
Reference: URL:http://online.securityfocus.com/archive/1/259963
Reference: BID:4236
Reference: URL:http://www.securityfocus.com/bid/4236
Reference: XF:winnt-pw-policy-bypass(8388)
Reference: URL:http://www.iss.net/security_center/static/8388.php

IIS 4.0 allows local users to bypass the "User cannot change password" policy for Windows NT by directly calling .htr password changing programs in the /iisadmpwd directory, including (1) aexp2.htr, (2) aexp2b.htr, (3) aexp3.htr, or (4) aexp4.htr.

Analysis
----------------
ED_PRI CAN-2002-0421 3
Vendor Acknowledgement: unknown discloser-claimed

Voting Section
--------------
Possible votes: ACCEPT/MODIFY/NOOP/REVIEWING/RECAST/REJECT
If ACCEPT or MODIFY, include reason for acceptance: VERIFIED-BY-MY-ORG, ACKNOWLEDGED-BY-VENDOR, VERIFIED-BY-SOMEONE-I-TRUST, HAS-INDEPENDENT-CONFIRMATION, or provide other reason.
VOTE:
ACCEPT_REASON:
COMMENTS:

======================================================
Candidate: CAN-2002-0422
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2002-0422
Final-Decision:
Interim-Decision:
Modified:
Proposed: 20020611
Assigned: 20020607
Category: SF
Reference: BUGTRAQ:20020305 IIS Internal IP Address Disclosure (#NISR05032002B)
Reference: URL:http://marc.theaimsgroup.com/?l=bugtraq&m=101536634207324&w=2
Reference: NTBUGTRAQ:20020305 IIS Internal IP Address Disclosure (#NISR05032002B)
Reference: URL:http://marc.theaimsgroup.com/?l=ntbugtraq&m=101535147125320&w=2

IIS 5 and 5.1 supporting WebDAV methods allow remote attackers to determine the internal IP address of the system (which may be obscured by NAT) via (1) a PROPFIND HTTP request with a blank Host header, which leaks the address in an HREF property in a 207 Multi-Status response, or (2) the WRITE or MKCOL method, which leaks the IP in the Location server header.

Analysis
----------------
ED_PRI CAN-2002-0422 3
Vendor Acknowledgement:
Content Decisions: SF-LOC

ABSTRACTION: CD:SF-LOC suggests a SPLIT when problems appear in different versions. This information leak appears only in IIS 5.0 and above, whereas the Basic/NTLM leaks were also in IIS 4.0. Therefore these 2 items should be SPLIT.

Voting Section
--------------
Possible votes: ACCEPT/MODIFY/NOOP/REVIEWING/RECAST/REJECT
If ACCEPT or MODIFY, include reason for acceptance: VERIFIED-BY-MY-ORG, ACKNOWLEDGED-BY-VENDOR, VERIFIED-BY-SOMEONE-I-TRUST, HAS-INDEPENDENT-CONFIRMATION, or provide other reason.
VOTE:
ACCEPT_REASON:
COMMENTS:

======================================================
Candidate: CAN-2002-0425
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2002-0425
Final-Decision:
Interim-Decision:
Modified:
Proposed: 20020611
Assigned: 20020607
Category: SF
Reference: BUGTRAQ:20020306 mIRC DCC Server Security Flaw
Reference: URL:http://online.securityfocus.com/archive/1/260244
Reference: XF:mirc-dcc-reveal-info(8393)
Reference: URL:http://www.iss.net/security_center/static/8393.php
Reference: BID:4247
Reference: URL:http://www.securityfocus.com/bid/4247

mIRC DCC server protocol allows remote attackers to gain sensitive information such as alternate IRC nicknames via a "100 testing" message in a DCC connection request that cannot be ignored or canceled by the user, which may leak the alternate nickname in a response message.

Analysis
----------------
ED_PRI CAN-2002-0425 3
Vendor Acknowledgement:

Voting Section
--------------
Possible votes: ACCEPT/MODIFY/NOOP/REVIEWING/RECAST/REJECT
If ACCEPT or MODIFY, include reason for acceptance: VERIFIED-BY-MY-ORG, ACKNOWLEDGED-BY-VENDOR, VERIFIED-BY-SOMEONE-I-TRUST, HAS-INDEPENDENT-CONFIRMATION, or provide other reason.
VOTE:
ACCEPT_REASON:
COMMENTS:

======================================================
Candidate: CAN-2002-0426
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2002-0426
Final-Decision:
Interim-Decision:
Modified:
Proposed: 20020611
Assigned: 20020607
Category: SF
Reference: BUGTRAQ:20020308 Linksys BEFVP41 VPN Server does not follow proper VPN standards
Reference: URL:http://online.securityfocus.com/archive/1/260613
Reference: MISC:ftp://ftp.linksys.com/pub/befsr41/befvp41-1402.zip
Reference: XF:linksys-etherfast-weak-encryption(8397)
Reference: URL:http://www.iss.net/security_center/static/8397.php
Reference: BID:4250
Reference: URL:http://www.securityfocus.com/bid/4250

VPN Server module in Linksys EtherFast BEFVP41 Cable/DSL VPN Router before 1.40.1 reduces the key lengths for keys that are supplied via manual key entry, which makes it easier for attackers to crack the keys.

Analysis
----------------
ED_PRI CAN-2002-0426 3
Vendor Acknowledgement: unknown vague
Content Decisions: DESIGN-WEAK-ENCRYPTION

ACKNOWLEDGEMENT: the vendor has provided *some* patch, but it's not clear whether it addresses this vulnerability. The history.txt file in the patch includes an item dated 2002-03-01 that says "In Manual Keying option, the maximum phrase length of Encryption Key is changed from 23 to 24 characters." However, this item specifically talks about the phrase length and not the key length, and the number of characters is not consistent with what the original discloser said. Therefore there is insufficient information to be certain that the patch addresses this vulnerability.

Voting Section
--------------
Possible votes: ACCEPT/MODIFY/NOOP/REVIEWING/RECAST/REJECT
If ACCEPT or MODIFY, include reason for acceptance: VERIFIED-BY-MY-ORG, ACKNOWLEDGED-BY-VENDOR, VERIFIED-BY-SOMEONE-I-TRUST, HAS-INDEPENDENT-CONFIRMATION, or provide other reason.
VOTE:
ACCEPT_REASON:
COMMENTS:

======================================================
Candidate: CAN-2002-0427
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2002-0427
Final-Decision:
Interim-Decision:
Modified:
Proposed: 20020611
Assigned: 20020607
Category: SF
Reference: MANDRAKE:MDKSA-2002:021
Reference: URL:http://www.linux-mandrake.com/en/security/2002/MDKSA-2002-021.php
Reference: FREEBSD:FreeBSD-SA-02:17
Reference: URL:ftp://ftp.FreeBSD.org/pub/FreeBSD/CERT/advisories/FreeBSD-SA-02:17.mod_frontpage.asc
Reference: BID:4251
Reference: URL:http://www.securityfocus.com/bid/4251
Reference: XF:apache-modfrontpage-bo(8400)
Reference: URL:http://www.iss.net/security_center/static/8400.php

Buffer overflows in fpexec in mod_frontpage before 1.6.1 may allow attackers to gain root privileges.

Analysis
----------------
ED_PRI CAN-2002-0427 3
Vendor Acknowledgement: yes advisory
Content Decisions: SF-LOC

ACCURACY: the Mandrake advisory says the problem is remote, but the FreeBSD advisory says the issue is local.

Voting Section
--------------
Possible votes: ACCEPT/MODIFY/NOOP/REVIEWING/RECAST/REJECT
If ACCEPT or MODIFY, include reason for acceptance: VERIFIED-BY-MY-ORG, ACKNOWLEDGED-BY-VENDOR, VERIFIED-BY-SOMEONE-I-TRUST, HAS-INDEPENDENT-CONFIRMATION, or provide other reason.
VOTE:
ACCEPT_REASON:
COMMENTS:

======================================================
Candidate: CAN-2002-0428
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2002-0428
Final-Decision:
Interim-Decision:
Modified:
Proposed: 20020611
Assigned: 20020607
Category: SF
Reference: BUGTRAQ:20020308 Checkpoint FW1 SecuRemote/SecureClient "re-authentication" (client side hacks of users.C)
Reference: URL:http://online.securityfocus.com/archive/1/260662
Reference: BID:4253
Reference: URL:http://www.securityfocus.com/bid/4253
Reference: XF:fw1-authentication-bypass-timeouts(8423)
Reference: URL:http://www.iss.net/security_center/static/8423.php

Check Point FireWall-1 SecuRemote/SecureClient 4.0 and 4.1 allows clients to bypass the "authentication timeout" by modifying the to_expire or expire values in the client's users.C configuration file.

Analysis
----------------
ED_PRI CAN-2002-0428 3
Vendor Acknowledgement: unknown discloser-claimed

ACKNOWLEDGEMENT: the original post includes an email attachment that is said to have come from Check Point, but that is not clear enough proof that the vendor has publicly acknowledged the issue.

Voting Section
--------------
Possible votes: ACCEPT/MODIFY/NOOP/REVIEWING/RECAST/REJECT
If ACCEPT or MODIFY, include reason for acceptance: VERIFIED-BY-MY-ORG, ACKNOWLEDGED-BY-VENDOR, VERIFIED-BY-SOMEONE-I-TRUST, HAS-INDEPENDENT-CONFIRMATION, or provide other reason.
VOTE:
ACCEPT_REASON:
COMMENTS:

======================================================
Candidate: CAN-2002-0430
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2002-0430
Final-Decision:
Interim-Decision:
Modified:
Proposed: 20020611
Assigned: 20020607
Category: SF
Reference: BUGTRAQ:20020308 Remote Cobalt Raq XTR vulns
Reference: URL:http://archives.neohapsis.com/archives/bugtraq/2002-03/0081.html
Reference: BID:4252
Reference: URL:http://online.securityfocus.com/bid/4252

MultiFileUploadHandler.php in the Sun Cobalt RaQ XTR administration interface allows local users to bypass authentication and overwrite arbitrary files via a symlink attack on a temporary file, followed by a request to MultiFileUpload.php.

Analysis
----------------
ED_PRI CAN-2002-0430 3
Vendor Acknowledgement:
Content Decisions: SF-LOC

ABSTRACTION: CD:SF-LOC suggests performing a SPLIT of different types of vulnerabilities. This is an example of a "compound" vulnerability in which the lack of authentication plays a role in making it easier for attackers to conduct a symlink attack, but it is not clear whether adding authentication would fix the symlink problem.

Voting Section
--------------
Possible votes: ACCEPT/MODIFY/NOOP/REVIEWING/RECAST/REJECT
If ACCEPT or MODIFY, include reason for acceptance: VERIFIED-BY-MY-ORG, ACKNOWLEDGED-BY-VENDOR, VERIFIED-BY-SOMEONE-I-TRUST, HAS-INDEPENDENT-CONFIRMATION, or provide other reason.

VOTE:
ACCEPT_REASON:
COMMENTS:

======================================================
Candidate: CAN-2002-0431
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2002-0431
Final-Decision:
Interim-Decision:
Modified:
Proposed: 20020611
Assigned: 20020607
Category: SF
Reference: BUGTRAQ:20020309 xtux server DoS.
Reference: URL:http://online.securityfocus.com/archive/1/260912
Reference: MISC:https://sourceforge.net/tracker/index.php?func=detail&aid=529046&group_id=206&atid=100206
Reference: BID:4260
Reference: URL:http://www.securityfocus.com/bid/4260
Reference: XF:xtux-server-dos(8422)
Reference: URL:http://www.iss.net/security_center/static/8422.php

XTux allows remote attackers to cause a denial of service (CPU consumption) via random inputs in the initial connection.

Analysis
----------------
ED_PRI CAN-2002-0431 3
Vendor Acknowledgement:

ACKNOWLEDGEMENT: as of this writing (20020514), a bug report was filed on 20020319, but the vendor had not responded.

Voting Section
--------------
Possible votes: ACCEPT/MODIFY/NOOP/REVIEWING/RECAST/REJECT
If ACCEPT or MODIFY, include reason for acceptance: VERIFIED-BY-MY-ORG, ACKNOWLEDGED-BY-VENDOR, VERIFIED-BY-SOMEONE-I-TRUST, HAS-INDEPENDENT-CONFIRMATION, or provide other reason.

VOTE:
ACCEPT_REASON:
COMMENTS:

======================================================
Candidate: CAN-2002-0432
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2002-0432
Final-Decision:
Interim-Decision:
Modified:
Proposed: 20020611
Assigned: 20020607
Category: SF
Reference: BUGTRAQ:20020309 Citadel/UX Server Remote DoS attack Vulnerability
Reference: URL:http://online.securityfocus.com/archive/1/260934
Reference: CONFIRM:http://uncensored.citadel.org/pub/citadel/citadel-ux-5.91.tar.gz
Reference: XF:citadel-helo-bo(8426)
Reference: URL:http://www.iss.net/security_center/static/8426.php
Reference: BID:4263
Reference: URL:http://www.securityfocus.com/bid/4263

Buffer overflow in (1) lprintf and (2) cprintf in sysdep.c of Citadel/UX 5.90 and earlier allows remote attackers to cause a denial of service (crash) and possibly execute arbitrary code via attacks such as a long HELO command to the SMTP server.
Analysis
----------------
ED_PRI CAN-2002-0432 3
Vendor Acknowledgement: yes changelog
Content Decisions: SF-LOC, SF-EXEC

ABSTRACTION: CD:SF-LOC and CD:SF-EXEC suggest combining problems of the same type that appear in the same version, so the lprintf and cprintf overflows are combined.

ACKNOWLEDGEMENT: in the vendor ChangeLog, the comments for Revision 590.134, dated 2002/03/09, state "Applied a patch submitted by [the Bugtraq poster] to fix a potential buffer overflow problem in lprintf(). I also did the same fix to cprintf()."

Voting Section
--------------
Possible votes: ACCEPT/MODIFY/NOOP/REVIEWING/RECAST/REJECT
If ACCEPT or MODIFY, include reason for acceptance: VERIFIED-BY-MY-ORG, ACKNOWLEDGED-BY-VENDOR, VERIFIED-BY-SOMEONE-I-TRUST, HAS-INDEPENDENT-CONFIRMATION, or provide other reason.

VOTE:
ACCEPT_REASON:
COMMENTS:

======================================================
Candidate: CAN-2002-0443
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2002-0443
Final-Decision:
Interim-Decision:
Modified:
Proposed: 20020611
Assigned: 20020607
Category: SF
Reference: BUGTRAQ:20020307 Windows 2000 password policy bypass possibility
Reference: URL:http://online.securityfocus.com/archive/1/260704
Reference: XF:win2k-password-bypass-policy(8402)
Reference: URL:http://www.iss.net/security_center/static/8402.php
Reference: BID:4256
Reference: URL:http://www.securityfocus.com/bid/4256

Microsoft Windows 2000 allows local users to bypass the policy that prohibits reusing old passwords by changing the current password before it expires, which does not enable the check for previous passwords.

Analysis
----------------
ED_PRI CAN-2002-0443 3
Vendor Acknowledgement:

Voting Section
--------------
Possible votes: ACCEPT/MODIFY/NOOP/REVIEWING/RECAST/REJECT
If ACCEPT or MODIFY, include reason for acceptance: VERIFIED-BY-MY-ORG, ACKNOWLEDGED-BY-VENDOR, VERIFIED-BY-SOMEONE-I-TRUST, HAS-INDEPENDENT-CONFIRMATION, or provide other reason.
VOTE:
ACCEPT_REASON:
COMMENTS:

======================================================
Candidate: CAN-2002-0444
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2002-0444
Final-Decision:
Interim-Decision:
Modified:
Proposed: 20020611
Assigned: 20020607
Category: SF
Reference: BUGTRAQ:20020408 Vulnerability: Windows2000Server running Terminalservices
Reference: URL:http://www.securityfocus.com/archive/1/266729
Reference: BID:4464
Reference: URL:http://www.securityfocus.com/bid/4464
Reference: XF:win2k-terminal-bypass-policies(8813)
Reference: URL:http://www.iss.net/security_center/static/8813.php

Microsoft Windows 2000 running the Terminal Server 90-day trial version, and possibly other versions, does not apply group policies to incoming users when the number of connections to the SYSVOL share exceeds the maximum, e.g. with a maximum number of licenses, which can allow remote authenticated users to bypass group policies.

Analysis
----------------
ED_PRI CAN-2002-0444 3
Vendor Acknowledgement:

Voting Section
--------------
Possible votes: ACCEPT/MODIFY/NOOP/REVIEWING/RECAST/REJECT
If ACCEPT or MODIFY, include reason for acceptance: VERIFIED-BY-MY-ORG, ACKNOWLEDGED-BY-VENDOR, VERIFIED-BY-SOMEONE-I-TRUST, HAS-INDEPENDENT-CONFIRMATION, or provide other reason.
VOTE:
ACCEPT_REASON:
COMMENTS:

======================================================
Candidate: CAN-2002-0447
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2002-0447
Final-Decision:
Interim-Decision:
Modified:
Proposed: 20020611
Assigned: 20020607
Category: SF
Reference: BUGTRAQ:20020308 Xerver-2.10-File-Disclousure&DoS-attack
Reference: URL:http://archives.neohapsis.com/archives/bugtraq/2002-03/0091.html
Reference: BUGTRAQ:20020312 Xerver Free Web Server 2.10 file Disclosure & DoS PATCH (update version)
Reference: URL:http://archives.neohapsis.com/archives/bugtraq/2002-03/0155.html
Reference: XF:xerver-dot-directory-traversal(8421)
Reference: URL:http://www.iss.net/security_center/static/8421.php
Reference: BID:4255
Reference: URL:http://www.securityfocus.com/bid/4255

Directory traversal vulnerability in Xerver Free Web Server 2.10 and earlier allows remote attackers to list arbitrary directories via a .. (dot dot) in an HTTP GET request.

Analysis
----------------
ED_PRI CAN-2002-0447 3
Vendor Acknowledgement: yes followup
Content Decisions: SF-LOC

Voting Section
--------------
Possible votes: ACCEPT/MODIFY/NOOP/REVIEWING/RECAST/REJECT
If ACCEPT or MODIFY, include reason for acceptance: VERIFIED-BY-MY-ORG, ACKNOWLEDGED-BY-VENDOR, VERIFIED-BY-SOMEONE-I-TRUST, HAS-INDEPENDENT-CONFIRMATION, or provide other reason.
VOTE:
ACCEPT_REASON:
COMMENTS:

======================================================
Candidate: CAN-2002-0448
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2002-0448
Final-Decision:
Interim-Decision:
Modified:
Proposed: 20020611
Assigned: 20020607
Category: SF
Reference: BUGTRAQ:20020308 Xerver-2.10-File-Disclousure&DoS-attack
Reference: URL:http://archives.neohapsis.com/archives/bugtraq/2002-03/0091.html
Reference: BUGTRAQ:20020312 Xerver Free Web Server 2.10 file Disclosure & DoS PATCH (update version)
Reference: URL:http://archives.neohapsis.com/archives/bugtraq/2002-03/0155.html
Reference: XF:xerver-multiple-request-dos(8419)
Reference: URL:http://www.iss.net/security_center/static/8419.php
Reference: BID:4254
Reference: URL:http://www.securityfocus.com/bid/4254

Xerver Free Web Server 2.10 and earlier allows remote attackers to cause a denial of service (crash) via an HTTP request that contains many "C:/" sequences.

Analysis
----------------
ED_PRI CAN-2002-0448 3
Vendor Acknowledgement: yes followup
Content Decisions: SF-LOC

Voting Section
--------------
Possible votes: ACCEPT/MODIFY/NOOP/REVIEWING/RECAST/REJECT
If ACCEPT or MODIFY, include reason for acceptance: VERIFIED-BY-MY-ORG, ACKNOWLEDGED-BY-VENDOR, VERIFIED-BY-SOMEONE-I-TRUST, HAS-INDEPENDENT-CONFIRMATION, or provide other reason.
VOTE:
ACCEPT_REASON:
COMMENTS:

======================================================
Candidate: CAN-2002-0449
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2002-0449
Final-Decision:
Interim-Decision:
Modified:
Proposed: 20020611
Assigned: 20020607
Category: SF
Reference: BUGTRAQ:20020305 Buffer Overrun in Talentsoft's Web+ (#NISR01032002A)
Reference: URL:http://marc.theaimsgroup.com/?l=bugtraq&m=101535141925150&w=2
Reference: CONFIRM:http://www.talentsoft.com/Issues/IssueDetail.wml?ID=WP943
Reference: BID:4233
Reference: URL:http://www.securityfocus.com/bid/4233
Reference: XF:webplus-webpsvc-bo(8361)
Reference: URL:http://www.iss.net/security_center/static/8361.php

Buffer overflow in webpsvc.exe for Talentsoft Web+ 5.0 and earlier allows remote attackers to execute arbitrary code via a long argument to the webplus.exe program, which triggers the overflow in webpsvc.exe.

Analysis
----------------
ED_PRI CAN-2002-0449 3
Vendor Acknowledgement: yes
Content Decisions: SF-LOC

ACKNOWLEDGEMENT: A knowledge base article on the vendor web site says "Security Issue: An ultra long url can cause the Web+ server to crash by overflowing an unchecked buffer. An attacker can use this to harm your system."

ABSTRACTION: CD:SF-LOC suggests that if 2 vulnerabilities of the same type appear in the same product, then they should be SPLIT if they appear in different versions. Since the webpsvc.exe overflow was fixed, followed by a new patch for the WML issue, these should remain SPLIT.

Voting Section
--------------
Possible votes: ACCEPT/MODIFY/NOOP/REVIEWING/RECAST/REJECT
If ACCEPT or MODIFY, include reason for acceptance: VERIFIED-BY-MY-ORG, ACKNOWLEDGED-BY-VENDOR, VERIFIED-BY-SOMEONE-I-TRUST, HAS-INDEPENDENT-CONFIRMATION, or provide other reason.
VOTE:
ACCEPT_REASON:
COMMENTS:

======================================================
Candidate: CAN-2002-0450
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2002-0450
Final-Decision:
Interim-Decision:
Modified:
Proposed: 20020611
Assigned: 20020607
Category: SF
Reference: BUGTRAQ:20020313 2nd Buffer Overflow in Talentsoft's Web+ (#NISR13032002)
Reference: URL:http://www.securityfocus.com/archive/1/261658
Reference: CONFIRM:http://www.talentsoft.com/Issues/IssueDetail.wml?ID=WP943
Reference: BID:4282
Reference: URL:http://www.securityfocus.com/bid/4282

Buffer overflow in Talentsoft Web+ 5.0 and earlier allows remote attackers to execute arbitrary code via a long Web Markup Language (wml) file name to (1) webplus.dll or (2) webplus.exe.

Analysis
----------------
ED_PRI CAN-2002-0450 3
Vendor Acknowledgement: yes
Content Decisions: SF-LOC

ACKNOWLEDGEMENT: A knowledge base article on the vendor web site says "Security Issue: An ultra long url can cause the Web+ server to crash by overflowing an unchecked buffer. An attacker can use this to harm your system."

ABSTRACTION: CD:SF-LOC suggests that if 2 vulnerabilities of the same type appear in the same product, then they should be SPLIT if they appear in different versions. Since there was a period of time when the webpsvc.exe overflow was fixed, but the WML was not, these should remain SPLIT.

Voting Section
--------------
Possible votes: ACCEPT/MODIFY/NOOP/REVIEWING/RECAST/REJECT
If ACCEPT or MODIFY, include reason for acceptance: VERIFIED-BY-MY-ORG, ACKNOWLEDGED-BY-VENDOR, VERIFIED-BY-SOMEONE-I-TRUST, HAS-INDEPENDENT-CONFIRMATION, or provide other reason.
VOTE:
ACCEPT_REASON:
COMMENTS:

======================================================
Candidate: CAN-2002-0502
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2002-0502
Final-Decision:
Interim-Decision:
Modified:
Proposed: 20020611
Assigned: 20020607
Category: SF
Reference: BUGTRAQ:20020123 RE: Citrix NFuse 1.6
Reference: URL:http://www.securityfocus.com/archive/1/251923
Reference: BUGTRAQ:20020122 Citrix NFuse 1.6
Reference: URL:http://www.securityfocus.com/archive/1/251737
Reference: XF:nfuse-applist-information-disclosure(7984)
Reference: URL:http://xforce.iss.net/static/7984.php
Reference: BID:3926
Reference: URL:http://www.securityfocus.com/bid/3926

Citrix NFuse 1.6 may allow remote attackers to list applications without authentication by accessing the applist.asp page.

Analysis
----------------
ED_PRI CAN-2002-0502 3
Vendor Acknowledgement: no disputed

INCLUSION: Followup posts indicate that the original report may have been in error, and that the original discloser may have already had a session cookie enabled within their browser. If this is the case, then there is not really an issue in NFuse itself, so perhaps this item should be excluded from CVE.

Voting Section
--------------
Possible votes: ACCEPT/MODIFY/NOOP/REVIEWING/RECAST/REJECT
If ACCEPT or MODIFY, include reason for acceptance: VERIFIED-BY-MY-ORG, ACKNOWLEDGED-BY-VENDOR, VERIFIED-BY-SOMEONE-I-TRUST, HAS-INDEPENDENT-CONFIRMATION, or provide other reason.
VOTE:
ACCEPT_REASON:
COMMENTS:

======================================================
Candidate: CAN-2002-0559
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2002-0559
Final-Decision:
Interim-Decision:
Modified:
Proposed: 20020611
Assigned: 20020607
Category: SF
Reference: BUGTRAQ:20020206 Multiple Buffer Overflows in Oracle 9iAS
Reference: URL:http://online.securityfocus.com/archive/1/254426
Reference: CERT:CA-2002-08
Reference: URL:http://www.cert.org/advisories/CA-2002-08.html
Reference: CERT-VN:VU#750299
Reference: URL:http://www.kb.cert.org/vuls/id/750299
Reference: CERT-VN:VU#878603
Reference: URL:http://www.kb.cert.org/vuls/id/878603
Reference: CERT-VN:VU#659043
Reference: URL:http://www.kb.cert.org/vuls/id/659043
Reference: CERT-VN:VU#313280
Reference: URL:http://www.kb.cert.org/vuls/id/313280
Reference: CERT-VN:VU#923395
Reference: URL:http://www.kb.cert.org/vuls/id/923395
Reference: CONFIRM:http://otn.oracle.com/deploy/security/pdf/ias_modplsql_alert.pdf
Reference: MISC:http://www.nextgenss.com/papers/hpoas.pdf
Reference: XF:oracle-appserver-plsql-adddad-bo(8098)
Reference: URL:http://xforce.iss.net/static/8098.php
Reference: XF:oracle-appserver-plsql-bo(8095)
Reference: URL:http://xforce.iss.net/static/8095.php
Reference: XF:oracle-appserver-plsql-cache-bo(8097)
Reference: URL:http://xforce.iss.net/static/8097.php
Reference: XF:oracle-appserver-plsql-authclient-bo(8096)
Reference: URL:http://xforce.iss.net/static/8096.php
Reference: BID:4032
Reference: URL:http://www.securityfocus.com/bid/4032

Buffer overflows in PL/SQL module 3.0.9.8.2 in Oracle 9i Application Server 1.0.2.x allow remote attackers to cause a denial of service or execute arbitrary code via (1) a long help page request without a dadname, which overflows the resulting HTTP Location header, (2) a long HTTP request to the plsql module, (3) a long password in the HTTP Authorization, (4) a long Access Descriptor (DAD) password in the adddad form, or (5) a long cache directory name.
Analysis
----------------
ED_PRI CAN-2002-0559 3
Vendor Acknowledgement: yes advisory
Content Decisions: SF-LOC

ABSTRACTION: CD:SF-LOC suggests MERGING problems of the same type that appear in the same version. All of these issues were fixed in the same version, so they are combined.

Voting Section
--------------
Possible votes: ACCEPT/MODIFY/NOOP/REVIEWING/RECAST/REJECT
If ACCEPT or MODIFY, include reason for acceptance: VERIFIED-BY-MY-ORG, ACKNOWLEDGED-BY-VENDOR, VERIFIED-BY-SOMEONE-I-TRUST, HAS-INDEPENDENT-CONFIRMATION, or provide other reason.

VOTE:
ACCEPT_REASON:
COMMENTS:

======================================================
Candidate: CAN-2002-0560
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2002-0560
Final-Decision:
Interim-Decision:
Modified:
Proposed: 20020611
Assigned: 20020607
Category: SF
Reference: BUGTRAQ:20020206 Hackproofing Oracle Application Server paper
Reference: URL:http://marc.theaimsgroup.com/?l=bugtraq&m=101301813117562&w=2
Reference: MISC:http://www.nextgenss.com/papers/hpoas.pdf
Reference: CERT:CA-2002-08
Reference: URL:http://www.cert.org/advisories/CA-2002-08.html
Reference: CERT-VN:VU#307835
Reference: URL:http://www.kb.cert.org/vuls/id/307835
Reference: CONFIRM:http://otn.oracle.com/deploy/security/pdf/ias_modplsql_alert.pdf
Reference: BID:4294
Reference: URL:http://www.securityfocus.com/bid/4294

PL/SQL module 3.0.9.8.2 in Oracle 9i Application Server 1.0.2.x allows remote attackers to obtain sensitive information via the OWA_UTIL stored procedures (1) OWA_UTIL.signature, (2) OWA_UTIL.listprint, or (3) OWA_UTIL.show_query_columns.

Analysis
----------------
ED_PRI CAN-2002-0560 3
Vendor Acknowledgement: yes advisory
Content Decisions: SF-LOC

ABSTRACTION: CD:SF-LOC suggests MERGING problems of the same type that appear in the same version. All of these issues were fixed in the same version, so they are combined.
Voting Section
--------------

Possible votes: ACCEPT/MODIFY/NOOP/REVIEWING/RECAST/REJECT

If ACCEPT or MODIFY, include reason for acceptance: VERIFIED-BY-MY-ORG,
ACKNOWLEDGED-BY-VENDOR, VERIFIED-BY-SOMEONE-I-TRUST,
HAS-INDEPENDENT-CONFIRMATION, or provide other reason.

VOTE:
ACCEPT_REASON:
COMMENTS:

======================================================
Candidate: CAN-2002-0561
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2002-0561
Final-Decision:
Interim-Decision:
Modified:
Proposed: 20020611
Assigned: 20020607
Category: SF
Reference: BUGTRAQ:20020206 Hackproofing Oracle Application Server paper
Reference: URL:http://marc.theaimsgroup.com/?l=bugtraq&m=101301813117562&w=2
Reference: CERT-VN:VU#611776
Reference: URL:http://www.kb.cert.org/vuls/id/611776
Reference: CERT:CA-2002-08
Reference: URL:http://www.cert.org/advisories/CA-2002-08.html
Reference: CONFIRM:http://otn.oracle.com/deploy/security/pdf/ias_modplsql_alert.pdf
Reference: MISC:http://www.nextgenss.com/papers/hpoas.pdf
Reference: BID:4292
Reference: URL:http://www.securityfocus.com/bid/4292

The default configuration of the PL/SQL Gateway web administration
interface in Oracle 9i Application Server 1.0.2.x uses null
authentication, which allows remote attackers to gain privileges and
modify DAD settings.

Analysis
----------------
ED_PRI CAN-2002-0561 3
Vendor Acknowledgement: yes advisory
Content Decisions: SF-LOC

Voting Section
--------------

Possible votes: ACCEPT/MODIFY/NOOP/REVIEWING/RECAST/REJECT

If ACCEPT or MODIFY, include reason for acceptance: VERIFIED-BY-MY-ORG,
ACKNOWLEDGED-BY-VENDOR, VERIFIED-BY-SOMEONE-I-TRUST,
HAS-INDEPENDENT-CONFIRMATION, or provide other reason.
VOTE:
ACCEPT_REASON:
COMMENTS:

======================================================
Candidate: CAN-2002-0562
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2002-0562
Final-Decision:
Interim-Decision:
Modified:
Proposed: 20020611
Assigned: 20020607
Category: SF
Reference: BUGTRAQ:20020206 JSP translation file access under Oracle 9iAS
Reference: URL:http://marc.theaimsgroup.com/?l=bugtraq&m=101301440005580&w=2
Reference: CERT:CA-2002-08
Reference: URL:http://www.cert.org/advisories/CA-2002-08.html
Reference: CERT-VN:VU#698467
Reference: URL:http://www.kb.cert.org/vuls/id/698467
Reference: CONFIRM:http://otn.oracle.com/deploy/security/pdf/ias_modplsql_alert.pdf
Reference: BID:4034
Reference: URL:http://www.securityfocus.com/bid/4034

The default configuration of Oracle 9i Application Server 1.0.2.x
running Oracle JSP or SQLJSP stores globals.jsa under the web root,
which allows remote attackers to gain sensitive information including
usernames and passwords via a direct HTTP request to globals.jsa.

Analysis
----------------
ED_PRI CAN-2002-0562 3
Vendor Acknowledgement: yes advisory
Content Decisions: SF-LOC

Voting Section
--------------

Possible votes: ACCEPT/MODIFY/NOOP/REVIEWING/RECAST/REJECT

If ACCEPT or MODIFY, include reason for acceptance: VERIFIED-BY-MY-ORG,
ACKNOWLEDGED-BY-VENDOR, VERIFIED-BY-SOMEONE-I-TRUST,
HAS-INDEPENDENT-CONFIRMATION, or provide other reason.
VOTE:
ACCEPT_REASON:
COMMENTS:

======================================================
Candidate: CAN-2002-0563
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2002-0563
Final-Decision:
Interim-Decision:
Modified:
Proposed: 20020611
Assigned: 20020607
Category: CF
Reference: BUGTRAQ:20020206 Hackproofing Oracle Application Server paper
Reference: URL:http://marc.theaimsgroup.com/?l=bugtraq&m=101301813117562&w=2
Reference: CERT:CA-2002-08
Reference: URL:http://www.cert.org/advisories/CA-2002-08.html
Reference: CERT-VN:VU#168795
Reference: URL:http://www.kb.cert.org/vuls/id/168795
Reference: CONFIRM:http://otn.oracle.com/deploy/security/pdf/ias_modplsql_alert.pdf
Reference: MISC:http://www.nextgenss.com/papers/hpoas.pdf
Reference: BID:4293
Reference: URL:http://www.securityfocus.com/bid/4293

The default configuration of Oracle 9i Application Server 1.0.2.x
allows remote anonymous users to access sensitive services without
authentication, including Dynamic Monitoring Services.

Analysis
----------------
ED_PRI CAN-2002-0563 3
Vendor Acknowledgement: yes advisory
Content Decisions: SF-LOC

Voting Section
--------------

Possible votes: ACCEPT/MODIFY/NOOP/REVIEWING/RECAST/REJECT

If ACCEPT or MODIFY, include reason for acceptance: VERIFIED-BY-MY-ORG,
ACKNOWLEDGED-BY-VENDOR, VERIFIED-BY-SOMEONE-I-TRUST,
HAS-INDEPENDENT-CONFIRMATION, or provide other reason.
VOTE:
ACCEPT_REASON:
COMMENTS:

======================================================
Candidate: CAN-2002-0564
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2002-0564
Final-Decision:
Interim-Decision:
Modified:
Proposed: 20020611
Assigned: 20020607
Category: SF
Reference: BUGTRAQ:20020206 Hackproofing Oracle Application Server paper
Reference: URL:http://marc.theaimsgroup.com/?l=bugtraq&m=101301813117562&w=2
Reference: CERT-VN:VU#193523
Reference: URL:http://www.kb.cert.org/vuls/id/193523
Reference: CERT:CA-2002-08
Reference: URL:http://www.cert.org/advisories/CA-2002-08.html
Reference: CONFIRM:http://otn.oracle.com/deploy/security/pdf/ias_modplsql_alert.pdf
Reference: MISC:http://www.nextgenss.com/papers/hpoas.pdf

PL/SQL module 3.0.9.8.2 in Oracle 9i Application Server 1.0.2.x allows
remote attackers to bypass authentication for a Database Access
Descriptor (DAD) by modifying the URL to reference an alternate DAD
that already has valid credentials.

Analysis
----------------
ED_PRI CAN-2002-0564 3
Vendor Acknowledgement: yes advisory
Content Decisions: SF-LOC

Voting Section
--------------

Possible votes: ACCEPT/MODIFY/NOOP/REVIEWING/RECAST/REJECT

If ACCEPT or MODIFY, include reason for acceptance: VERIFIED-BY-MY-ORG,
ACKNOWLEDGED-BY-VENDOR, VERIFIED-BY-SOMEONE-I-TRUST,
HAS-INDEPENDENT-CONFIRMATION, or provide other reason.
VOTE:
ACCEPT_REASON:
COMMENTS:

======================================================
Candidate: CAN-2002-0565
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2002-0565
Final-Decision:
Interim-Decision:
Modified:
Proposed: 20020611
Assigned: 20020607
Category: SF
Reference: BUGTRAQ:20020206 JSP translation file access under Oracle 9iAS
Reference: URL:http://marc.theaimsgroup.com/?l=bugtraq&m=101301440005580&w=2
Reference: CERT:CA-2002-08
Reference: URL:http://www.cert.org/advisories/CA-2002-08.html
Reference: CERT-VN:VU#547459
Reference: URL:http://www.kb.cert.org/vuls/id/547459
Reference: CONFIRM:http://otn.oracle.com/deploy/security/pdf/ias_modplsql_alert.pdf
Reference: BID:4034
Reference: URL:http://www.securityfocus.com/bid/4034
Reference: XF:oracle-appserver-oraclejsp-view-info(8100)
Reference: URL:http://xforce.iss.net/static/8100.php

Oracle 9iAS 1.0.2.x compiles JSP files in the _pages directory with
world-readable permissions under the web root, which allows remote
attackers to obtain sensitive information derived from the JSP code,
including usernames and passwords, via a direct HTTP request to _pages.

Analysis
----------------
ED_PRI CAN-2002-0565 3
Vendor Acknowledgement: yes advisory
Content Decisions: SF-LOC

Voting Section
--------------

Possible votes: ACCEPT/MODIFY/NOOP/REVIEWING/RECAST/REJECT

If ACCEPT or MODIFY, include reason for acceptance: VERIFIED-BY-MY-ORG,
ACKNOWLEDGED-BY-VENDOR, VERIFIED-BY-SOMEONE-I-TRUST,
HAS-INDEPENDENT-CONFIRMATION, or provide other reason.
VOTE:
ACCEPT_REASON:
COMMENTS:

======================================================
Candidate: CAN-2002-0566
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2002-0566
Final-Decision:
Interim-Decision:
Modified:
Proposed: 20020611
Assigned: 20020607
Category: SF
Reference: BUGTRAQ:20020206 Multiple Buffer Overflows in Oracle 9iAS
Reference: CERT-VN:VU#805915
Reference: URL:http://www.kb.cert.org/vuls/id/805915
Reference: CERT:CA-2002-08
Reference: URL:http://www.cert.org/advisories/CA-2002-08.html
Reference: CONFIRM:http://otn.oracle.com/deploy/security/pdf/ias_modplsql_alert.pdf
Reference: BID:4037
Reference: URL:http://www.securityfocus.com/bid/4037
Reference: XF:oracle-appserver-plsql-pls-dos(8099)
Reference: URL:http://xforce.iss.net/static/8099.php

PL/SQL module 3.0.9.8.2 in Oracle 9i Application Server 1.0.2.x allows
remote attackers to cause a denial of service (crash) via an HTTP
Authorization header without an authentication type.

Analysis
----------------
ED_PRI CAN-2002-0566 3
Vendor Acknowledgement: yes advisory
Content Decisions: SF-LOC

Voting Section
--------------

Possible votes: ACCEPT/MODIFY/NOOP/REVIEWING/RECAST/REJECT

If ACCEPT or MODIFY, include reason for acceptance: VERIFIED-BY-MY-ORG,
ACKNOWLEDGED-BY-VENDOR, VERIFIED-BY-SOMEONE-I-TRUST,
HAS-INDEPENDENT-CONFIRMATION, or provide other reason.
VOTE:
ACCEPT_REASON:
COMMENTS:

======================================================
Candidate: CAN-2002-0570
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2002-0570
Final-Decision:
Interim-Decision:
Modified:
Proposed: 20020611
Assigned: 20020607
Category: SF
Reference: BUGTRAQ:20020102 Vulnerability in encrypted loop device for linux
Reference: URL:http://archives.neohapsis.com/archives/bugtraq/2002-01/0010.html
Reference: BID:3775
Reference: URL:http://www.securityfocus.com/bid/3775
Reference: XF:linux-loop-device-encryption(7769)
Reference: URL:http://xforce.iss.net/static/7769.php

The encrypted loop device in Linux kernel 2.4.10 and earlier does not
authenticate the entity that is encrypting data, which allows local
users to modify encrypted data without knowing the key.

Analysis
----------------
ED_PRI CAN-2002-0570 3
Vendor Acknowledgement: unknown

Voting Section
--------------

Possible votes: ACCEPT/MODIFY/NOOP/REVIEWING/RECAST/REJECT

If ACCEPT or MODIFY, include reason for acceptance: VERIFIED-BY-MY-ORG,
ACKNOWLEDGED-BY-VENDOR, VERIFIED-BY-SOMEONE-I-TRUST,
HAS-INDEPENDENT-CONFIRMATION, or provide other reason.

VOTE:
ACCEPT_REASON:
COMMENTS: