[PROPOSAL] Cluster RECENT-90 - 51 candidates
I am proposing cluster RECENT-90 for review and voting by the Editorial Board.

Name: RECENT-90
Description: Candidates announced between 3/10/2002 and 3/21/2002
Size: 51

You may vote on candidates by modifying this email ballot and sending it back to me, or by using the CVE voting web site.

The candidates are listed in order of priority. Priority 1 and Priority 2 candidates both deal with varying levels of vendor confirmation, so they should be easy to review and it can be trusted that the problems are real.

If you discover that any RECENT-XX cluster is incomplete with respect to the problems discovered during the associated time frame, please send that information to me so that candidates can be assigned.

- Steve

Summary of votes to use (in ascending order of "severity")
----------------------------------------------------------

ACCEPT    - voter accepts the candidate as proposed
NOOP      - voter has no opinion on the candidate
MODIFY    - voter wants to change some MINOR detail (e.g. reference/description)
REVIEWING - voter is reviewing/researching the candidate, or needs more info
RECAST    - candidate must be significantly modified, e.g. split or merged
REJECT    - candidate is "not a vulnerability", or a duplicate, etc.

1) Please write your vote on the line that starts with "VOTE: ". If you want to add comments or details, add them to lines after the VOTE: line.

2) If you see any missing references, please mention them so that they can be included. References help greatly during mapping.

3) Note that a "MODIFY" is treated as an "ACCEPT" when counting votes. So if you don't have sufficient information for a candidate but you don't want to NOOP, use a REVIEWING.

********** NOTE ********** NOTE ********** NOTE ********** NOTE **********

Please keep in mind that your vote and comments will be recorded and publicly viewable in the mailing list archives or in other formats.
======================================================
Candidate: CAN-2002-0178
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2002-0178
Final-Decision:
Interim-Decision:
Modified:
Proposed: 20020611
Assigned: 20020417
Category: SF
Reference: REDHAT:RHSA-2002:065
Reference: URL:http://www.redhat.com/support/errata/RHSA-2002-065.html

uudecode, as available in the sharutils package before 4.2.1, does not check whether the filename of the uudecoded file is a pipe or symbolic link, which could allow attackers to overwrite files or execute commands.

Analysis
----------------
ED_PRI CAN-2002-0178 1
Vendor Acknowledgement: yes advisory

Voting Section
--------------
Possible votes: ACCEPT/MODIFY/NOOP/REVIEWING/RECAST/REJECT
If ACCEPT or MODIFY, include reason for acceptance: VERIFIED-BY-MY-ORG, ACKNOWLEDGED-BY-VENDOR, VERIFIED-BY-SOMEONE-I-TRUST, HAS-INDEPENDENT-CONFIRMATION, or provide other reason.

VOTE:
ACCEPT_REASON:
COMMENTS:

======================================================
Candidate: CAN-2002-0367
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2002-0367
Final-Decision:
Interim-Decision:
Modified:
Proposed: 20020611
Assigned: 20020508
Category: SF
Reference: BUGTRAQ:20020314 Fwd: DebPloit (exploit)
Reference: URL:http://www.securityfocus.com/archive/1/262074
Reference: BUGTRAQ:20020326 Re: DebPloit (exploit)
Reference: URL:http://www.securityfocus.com/archive/1/264441
Reference: BUGTRAQ:20020327 Local Security Vulnerability in Windows NT and Windows 2000
Reference: URL:http://www.securityfocus.com/archive/1/264927
Reference: NTBUGTRAQ:20020314 DebPloit (exploit)
Reference: URL:http://marc.theaimsgroup.com/?l=ntbugtraq&m=101614320402695&w=2
Reference: BID:4287
Reference: URL:http://www.securityfocus.com/bid/4287
Reference: XF:win-debug-duplicate-handles(8462)
Reference: URL:http://www.iss.net/security_center/static/8462.php
Reference: MS:MS02-024
Reference: URL:http://www.microsoft.com/technet/security/bulletin/ms02-024.asp

smss.exe debugging subsystem in Windows NT and Windows 2000 does not properly authenticate programs that connect to other programs, which allows local users to gain administrator or SYSTEM privileges by duplicating a handle to a privileged process, as demonstrated by DebPloit.

Analysis
----------------
ED_PRI CAN-2002-0367 1
Vendor Acknowledgement: yes advisory

Voting Section
--------------
Possible votes: ACCEPT/MODIFY/NOOP/REVIEWING/RECAST/REJECT
If ACCEPT or MODIFY, include reason for acceptance: VERIFIED-BY-MY-ORG, ACKNOWLEDGED-BY-VENDOR, VERIFIED-BY-SOMEONE-I-TRUST, HAS-INDEPENDENT-CONFIRMATION, or provide other reason.

VOTE:
ACCEPT_REASON:
COMMENTS:

======================================================
Candidate: CAN-2002-0381
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2002-0381
Final-Decision:
Interim-Decision:
Modified:
Proposed: 20020611
Assigned: 20020517
Category: SF
Reference: MISC:http://www.FreeBSD.org/cgi/query-pr.cgi?pr=35022
Reference: BUGTRAQ:20020317 TCP Connections to a Broadcast Address on BSD-Based Systems
Reference: URL:http://online.securityfocus.com/archive/1/262733
Reference: CONFIRM:http://www.openbsd.org/cgi-bin/cvsweb/src/sys/netinet/tcp_input.c.diff?r1=1.109&r2=1.110
Reference: CONFIRM:http://cvsweb.netbsd.org/bsdweb.cgi/syssrc/sys/netinet/tcp_input.c.diff?r1=1.136&r2=1.137
Reference: BID:4309
Reference: URL:http://online.securityfocus.com/bid/4309
Reference: XF:bsd-broadcast-address(8485)
Reference: URL:http://www.iss.net/security_center/static/8485.php

The TCP implementation in various BSD operating systems (tcp_input.c) does not properly block connections to broadcast addresses, which could allow remote attackers to bypass intended filters via packets with a unicast link layer address and an IP broadcast address.
Analysis
----------------
ED_PRI CAN-2002-0381 1
Vendor Acknowledgement: yes

Voting Section
--------------
Possible votes: ACCEPT/MODIFY/NOOP/REVIEWING/RECAST/REJECT
If ACCEPT or MODIFY, include reason for acceptance: VERIFIED-BY-MY-ORG, ACKNOWLEDGED-BY-VENDOR, VERIFIED-BY-SOMEONE-I-TRUST, HAS-INDEPENDENT-CONFIRMATION, or provide other reason.

VOTE:
ACCEPT_REASON:
COMMENTS:

======================================================
Candidate: CAN-2002-0435
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2002-0435
Final-Decision:
Interim-Decision:
Modified:
Proposed: 20020611
Assigned: 20020607
Category: SF
Reference: BUGTRAQ:20020310 GNU fileutils - recursive directory removal race condition
Reference: URL:http://www.securityfocus.com/archive/1/260936
Reference: CONFIRM:http://mail.gnu.org/pipermail/bug-fileutils/2002-March/002440.html
Reference: CALDERA:CSSA-2002-018.1
Reference: URL:ftp://ftp.caldera.com/pub/security/OpenLinux/CSSA-2002-018.1.txt
Reference: XF:gnu-fileutils-race-condition(8432)
Reference: URL:http://www.iss.net/security_center/static/8432.php
Reference: BID:4266
Reference: URL:http://www.securityfocus.com/bid/4266

Race condition in the recursive (1) directory deletion and (2) directory move in GNU File Utilities (fileutils) 4.1 and earlier allows local users to delete directories as the user running fileutils by moving a low-level directory to a higher level as it is being deleted, which causes fileutils to chdir to a ".." directory that is higher than expected, possibly up to the root file system.

Analysis
----------------
ED_PRI CAN-2002-0435 1
Vendor Acknowledgement: yes

Voting Section
--------------
Possible votes: ACCEPT/MODIFY/NOOP/REVIEWING/RECAST/REJECT
If ACCEPT or MODIFY, include reason for acceptance: VERIFIED-BY-MY-ORG, ACKNOWLEDGED-BY-VENDOR, VERIFIED-BY-SOMEONE-I-TRUST, HAS-INDEPENDENT-CONFIRMATION, or provide other reason.
VOTE:
ACCEPT_REASON:
COMMENTS:

======================================================
Candidate: CAN-2002-0437
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2002-0437
Final-Decision:
Interim-Decision:
Modified:
Proposed: 20020611
Assigned: 20020607
Category: SF
Reference: BUGTRAQ:20020311 SMStools vulnerabilities in release before 1.4.8
Reference: URL:http://archives.neohapsis.com/archives/bugtraq/2002-03/0103.html
Reference: CONFIRM:http://www.isis.de/members/~s.frings/smstools/history.html
Reference: BID:4268
Reference: URL:http://www.securityfocus.com/bid/4268
Reference: XF:sms-tools-format-string(8433)
Reference: URL:http://www.iss.net/security_center/static/8433.php

Smsd in SMS Server Tools (SMStools) before 1.4.8 allows remote attackers to execute arbitrary commands via shell metacharacters (backquotes) in message text, as described with the term "string format vulnerability" by some sources.

Analysis
----------------
ED_PRI CAN-2002-0437 1
Vendor Acknowledgement: yes changelog

ACCURACY: The original discloser (probably a non-native English speaker) says the problem is due to "string format vulnerabilities," which makes it sound like format string vulnerabilities; but the impact is described as "arbitrary command injection," and the vendor's change log says "disable execution of programs by using backquotes in the message text," which makes it sound like a shell metacharacter problem. In addition, a source code review of 1.4.9 indicates that the problem is with shell metacharacters. getSMSdata() in smsd.c removes the quote from a text field, which is then provided to sendsms(), which is then fed into my_system(), which then calls system(). A followup email to the discloser confirms that the discloser was dealing with a metacharacter issue.

ACKNOWLEDGEMENT: In a "thanks" page, the vendor credits the researcher, and the change log describes security issues that match the dates and affected versions from the initial disclosure.
Voting Section
--------------
Possible votes: ACCEPT/MODIFY/NOOP/REVIEWING/RECAST/REJECT
If ACCEPT or MODIFY, include reason for acceptance: VERIFIED-BY-MY-ORG, ACKNOWLEDGED-BY-VENDOR, VERIFIED-BY-SOMEONE-I-TRUST, HAS-INDEPENDENT-CONFIRMATION, or provide other reason.

VOTE:
ACCEPT_REASON:
COMMENTS:

======================================================
Candidate: CAN-2002-0441
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2002-0441
Final-Decision:
Interim-Decision:
Modified:
Proposed: 20020611
Assigned: 20020607
Category: SF
Reference: BUGTRAQ:20020311 Directory traversal vulnerability in phpimglist
Reference: URL:http://www.securityfocus.com/archive/1/261221
Reference: CONFIRM:http://www.liquidpulse.net/get.lp?id=17
Reference: XF:phpimglist-dot-directory-traversal(8441)
Reference: URL:http://www.iss.net/security_center/static/8441.php
Reference: BID:4276
Reference: URL:http://www.securityfocus.com/bid/4276

Directory traversal vulnerability in imlist.php for Php Imglist allows remote attackers to read arbitrary code via a .. (dot dot) in the cwd parameter.

Analysis
----------------
ED_PRI CAN-2002-0441 1
Vendor Acknowledgement: yes changelog

ACKNOWLEDGEMENT: The CHANGELOG for version 1.2.2 identifies a bug fix that "stops people from browsing outside of your specified directory."

Voting Section
--------------
Possible votes: ACCEPT/MODIFY/NOOP/REVIEWING/RECAST/REJECT
If ACCEPT or MODIFY, include reason for acceptance: VERIFIED-BY-MY-ORG, ACKNOWLEDGED-BY-VENDOR, VERIFIED-BY-SOMEONE-I-TRUST, HAS-INDEPENDENT-CONFIRMATION, or provide other reason.
VOTE:
ACCEPT_REASON:
COMMENTS:

======================================================
Candidate: CAN-2002-0442
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2002-0442
Final-Decision:
Interim-Decision:
Modified:
Proposed: 20020611
Assigned: 20020607
Category:
Reference: CALDERA:CSSA-2002-SCO.8
Reference: URL:ftp://stage.caldera.com/pub/security/openserver/CSSA-2002-SCO.8/CSSA-2002-SCO.8.txt
Reference: XF:openserver-dlvraudit-bo(8442)
Reference: URL:http://www.iss.net/security_center/static/8442.php
Reference: BID:4273
Reference: URL:http://www.securityfocus.com/bid/4273

Buffer overflow in dlvr_audit for Caldera OpenServer 5.0.5 and 5.0.6 allows local users to gain root privileges.

Analysis
----------------
ED_PRI CAN-2002-0442 1
Vendor Acknowledgement: yes advisory

Voting Section
--------------
Possible votes: ACCEPT/MODIFY/NOOP/REVIEWING/RECAST/REJECT
If ACCEPT or MODIFY, include reason for acceptance: VERIFIED-BY-MY-ORG, ACKNOWLEDGED-BY-VENDOR, VERIFIED-BY-SOMEONE-I-TRUST, HAS-INDEPENDENT-CONFIRMATION, or provide other reason.

VOTE:
ACCEPT_REASON:
COMMENTS:

======================================================
Candidate: CAN-2002-0451
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2002-0451
Final-Decision:
Interim-Decision:
Modified:
Proposed: 20020611
Assigned: 20020607
Category: SF
Reference: BUGTRAQ:20020313 Command execution in phprojekt.
Reference: URL:http://www.securityfocus.com/archive/1/261676
Reference: CONFIRM:http://www.phprojekt.com/modules.php?op=modload&name=News&file=article&sid=19&mode=&order=
Reference: BID:4284
Reference: URL:http://www.securityfocus.com/bid/4284
Reference: XF:phpprojekt-filemanager-include-files(8448)
Reference: URL:http://www.iss.net/security_center/static/8448.php

filemanager_forms.php in PHProjekt 3.1 and 3.1a allows remote attackers to execute arbitrary PHP code by specifying the URL to the code in the lib_path parameter.
Analysis
----------------
ED_PRI CAN-2002-0451 1
Vendor Acknowledgement: yes

Voting Section
--------------
Possible votes: ACCEPT/MODIFY/NOOP/REVIEWING/RECAST/REJECT
If ACCEPT or MODIFY, include reason for acceptance: VERIFIED-BY-MY-ORG, ACKNOWLEDGED-BY-VENDOR, VERIFIED-BY-SOMEONE-I-TRUST, HAS-INDEPENDENT-CONFIRMATION, or provide other reason.

VOTE:
ACCEPT_REASON:
COMMENTS:

======================================================
Candidate: CAN-2002-0454
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2002-0454
Final-Decision:
Interim-Decision:
Modified:
Proposed: 20020611
Assigned: 20020607
Category: SF
Reference: BUGTRAQ:20020315 Bug in QPopper (All Versions?)
Reference: URL:http://www.securityfocus.com/archive/1/262213
Reference: CONFIRM:ftp://ftp.qualcomm.com/eudora/servers/unix/popper/qpopper4.0.4.tar.gz
Reference: XF:qpopper-qpopper-dos(8458)
Reference: URL:http://www.iss.net/security_center/static/8458.php
Reference: BID:4295
Reference: URL:http://www.securityfocus.com/bid/4295

Qpopper (aka in.qpopper or popper) 4.0.3 and earlier allows remote attackers to cause a denial of service (CPU consumption) via a very large string, which causes an infinite loop.

Analysis
----------------
ED_PRI CAN-2002-0454 1
Vendor Acknowledgement: yes patch

ACKNOWLEDGEMENT: the change log for version 4.0.4 says "Fixed DOS attack seen on some systems," but the description itself is too vague to be certain that the vendor has fixed *this* issue. However, a diff of popper/popper.c in versions 4.0.4 and 4.0.3 reveals a new comment: "getline() now clears out storage buffer when giving up after discarding bytes. Fixes looping DOS attack seen on some systems." That would be consistent with the behavior that was originally reported.
Voting Section
--------------
Possible votes: ACCEPT/MODIFY/NOOP/REVIEWING/RECAST/REJECT
If ACCEPT or MODIFY, include reason for acceptance: VERIFIED-BY-MY-ORG, ACKNOWLEDGED-BY-VENDOR, VERIFIED-BY-SOMEONE-I-TRUST, HAS-INDEPENDENT-CONFIRMATION, or provide other reason.

VOTE:
ACCEPT_REASON:
COMMENTS:

======================================================
Candidate: CAN-2002-0462
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2002-0462
Final-Decision:
Interim-Decision:
Modified:
Proposed: 20020611
Assigned: 20020607
Category: SF
Reference: BUGTRAQ:20020318 [ARL02-A11] Big Sam (Built-In Guestbook Stand-Alone Module) Multiple Vulnerabilities
Reference: URL:http://www.securityfocus.com/archive/1/262735
Reference: CONFIRM:http://www.gezzed.net/bigsam/bigsam.1_1_12.php.txt
Reference: XF:bigsam-displaybegin-dos(8478)
Reference: URL:http://www.iss.net/security_center/static/8478.php
Reference: XF:bigsam-safemode-path-disclosure(8479)
Reference: URL:http://www.iss.net/security_center/static/8479.php
Reference: BID:4312
Reference: URL:http://www.securityfocus.com/bid/4312

bigsam_guestbook.php for Big Sam (Built-In Guestbook Stand-Alone Module) 1.1.08 and earlier allows remote attackers to cause a denial of service (CPU consumption) or obtain the absolute path of the web server via an error message when PHP safe_mode is enabled, via a displayBegin parameter with a very large number.

Analysis
----------------
ED_PRI CAN-2002-0462 1
Vendor Acknowledgement: yes

ACKNOWLEDGEMENT: in the source code for the program, the vendor has a comment that states "Checks if $displayBegin is not too large," and credits the discloser.

Voting Section
--------------
Possible votes: ACCEPT/MODIFY/NOOP/REVIEWING/RECAST/REJECT
If ACCEPT or MODIFY, include reason for acceptance: VERIFIED-BY-MY-ORG, ACKNOWLEDGED-BY-VENDOR, VERIFIED-BY-SOMEONE-I-TRUST, HAS-INDEPENDENT-CONFIRMATION, or provide other reason.
VOTE:
ACCEPT_REASON:
COMMENTS:

======================================================
Candidate: CAN-2002-0464
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2002-0464
Final-Decision:
Interim-Decision:
Modified:
Proposed: 20020611
Assigned: 20020607
Category: SF
Reference: BUGTRAQ:20020318 Hosting Directory Traversal madness...
Reference: URL:http://www.securityfocus.com/archive/1/262734
Reference: CONFIRM:http://www.hostingcontroller.com/english/patches/ForAll/download/dot-slash.zip
Reference: BID:4311
Reference: URL:http://www.securityfocus.com/bid/4311

Directory traversal vulnerability in Hosting Controller 1.4.1 and earlier allows remote attackers to read and modify arbitrary files and directories via a .. (dot dot) in arguments to (1) file_editor.asp, (2) folderactions.asp, or (3) editoractions.asp.

Analysis
----------------
ED_PRI CAN-2002-0464 1
Vendor Acknowledgement: yes changelog

ACKNOWLEDGEMENT: the readme.txt file in a patch labeled "Infamous Dot-Slash Bug Fix," dated March 22, 2002, states: "Folder Manager was vulnerable to infamous ../ bug, if an alternate path was sent using the query string variables, the altered path could be deleted or renamed."

ABSTRACTION: Although another directory traversal vulnerability was discovered shortly before this one (January 2002), CD:SF-LOC suggests keeping separate CVE items for them because separate patches were produced.

Voting Section
--------------
Possible votes: ACCEPT/MODIFY/NOOP/REVIEWING/RECAST/REJECT
If ACCEPT or MODIFY, include reason for acceptance: VERIFIED-BY-MY-ORG, ACKNOWLEDGED-BY-VENDOR, VERIFIED-BY-SOMEONE-I-TRUST, HAS-INDEPENDENT-CONFIRMATION, or provide other reason.
VOTE:
ACCEPT_REASON:
COMMENTS:

======================================================
Candidate: CAN-2002-0473
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2002-0473
Final-Decision:
Interim-Decision:
Modified:
Proposed: 20020611
Assigned: 20020607
Category: SF
Reference: VULN-DEV:20020318 phpBB2 remote execution command
Reference: URL:http://online.securityfocus.com/archive/82/262600
Reference: BUGTRAQ:20020318 Re: phpBB2 remote execution command (fwd)
Reference: URL:http://archives.neohapsis.com/archives/bugtraq/2002-03/0221.html
Reference: BUGTRAQ:20020318 phpBB2 remote execution command
Reference: URL:http://archives.neohapsis.com/archives/bugtraq/2002-03/0229.html
Reference: CONFIRM:http://prdownloads.sourceforge.net/phpbb/phpBB-2.0.1.zip
Reference: MISC:http://phpbb.sourceforge.net/phpBB2/viewtopic.php?t=9483
Reference: BID:4380
Reference: URL:http://www.securityfocus.com/bid/4380
Reference: XF:phpbb-db-command-execution(8476)
Reference: URL:http://www.iss.net/security_center/static/8476.php

db.php in phpBB 2.0 (aka phpBB2) RC-3 and earlier allows remote attackers to execute arbitrary code from remote servers via the phpbb_root_path parameter.

Analysis
----------------
ED_PRI CAN-2002-0473 1
Vendor Acknowledgement: yes changelog

ACKNOWLEDGEMENT: a followup post to Bugtraq points to a URL that could contain acknowledgement, but no longer exists. A post from the developer to a web forum, dated March 23, 2002, is titled "Security vulnerability in phpBB 2.0" and implies that any "CVS version dated before March 19th 2002" is vulnerable. The comments in the changelog in docs/README.html say that version RC4 "Addressed serious security issue with included files," which would be consistent with the slightly vague Bugtraq post, which says "some backdoor server [is] needed to launch the attack," which implies that the problem is in PHP include files or the rough equivalent.
A "diff" between 2.0.1 and 2.0.0 RC3 indicates that the only change to db.php was a check for the IN_PHPBB variable, which (a) does not exist in RC3, (b) is defined in all top-level PHP programs in 2.0.1, and (c) dies with the phrase "Hacking attempt" if IN_PHPBB is not defined.

Voting Section
--------------
Possible votes: ACCEPT/MODIFY/NOOP/REVIEWING/RECAST/REJECT
If ACCEPT or MODIFY, include reason for acceptance: VERIFIED-BY-MY-ORG, ACKNOWLEDGED-BY-VENDOR, VERIFIED-BY-SOMEONE-I-TRUST, HAS-INDEPENDENT-CONFIRMATION, or provide other reason.

VOTE:
ACCEPT_REASON:
COMMENTS:

======================================================
Candidate: CAN-2002-0476
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2002-0476
Final-Decision:
Interim-Decision:
Modified:
Proposed: 20020611
Assigned: 20020607
Category: SF
Reference: BUGTRAQ:20020319 More SWF vulnerabilities?
Reference: URL:http://www.securityfocus.com/archive/1/262990
Reference: CONFIRM:http://www.macromedia.com/support/flash/ts/documents/fs_save.htm
Reference: BID:4320
Reference: URL:http://www.securityfocus.com/bid/4320
Reference: XF:flash-fscommand-save(8584)
Reference: URL:http://www.iss.net/security_center/static/8584.php

Standalone Macromedia Flash Player 5.0 allows remote attackers to save arbitrary files and programs via a .SWF file containing the undocumented "save" FSCommand.

Analysis
----------------
ED_PRI CAN-2002-0476 1
Vendor Acknowledgement: yes advisory

Voting Section
--------------
Possible votes: ACCEPT/MODIFY/NOOP/REVIEWING/RECAST/REJECT
If ACCEPT or MODIFY, include reason for acceptance: VERIFIED-BY-MY-ORG, ACKNOWLEDGED-BY-VENDOR, VERIFIED-BY-SOMEONE-I-TRUST, HAS-INDEPENDENT-CONFIRMATION, or provide other reason.
VOTE:
ACCEPT_REASON:
COMMENTS:

======================================================
Candidate: CAN-2002-0477
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2002-0477
Final-Decision:
Interim-Decision:
Modified:
Proposed: 20020611
Assigned: 20020607
Category: SF
Reference: BUGTRAQ:20020109 Shockwave Flash player issue
Reference: URL:http://marc.theaimsgroup.com/?l=bugtraq&m=101071988413107&w=2
Reference: BUGTRAQ:20020319 More SWF vulnerabilities?
Reference: URL:http://www.securityfocus.com/archive/1/262990
Reference: CONFIRM:http://www.macromedia.com/support/flash/ts/documents/swf_clear.htm
Reference: CONFIRM:http://www.macromedia.com/support/flash/ts/documents/standalone_update.htm
Reference: XF:flash-fscommand-exec(8587)
Reference: URL:http://www.iss.net/security_center/static/8587.php
Reference: BID:4321
Reference: URL:http://www.securityfocus.com/bid/4321

Standalone Macromedia Flash Player 5.0 before 5,0,30,2 allows remote attackers to execute arbitrary programs via a .SWF file containing the "exec" FSCommand.

Analysis
----------------
ED_PRI CAN-2002-0477 1
Vendor Acknowledgement: yes advisory

Voting Section
--------------
Possible votes: ACCEPT/MODIFY/NOOP/REVIEWING/RECAST/REJECT
If ACCEPT or MODIFY, include reason for acceptance: VERIFIED-BY-MY-ORG, ACKNOWLEDGED-BY-VENDOR, VERIFIED-BY-SOMEONE-I-TRUST, HAS-INDEPENDENT-CONFIRMATION, or provide other reason.
VOTE:
ACCEPT_REASON:
COMMENTS:

======================================================
Candidate: CAN-2002-0484
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2002-0484
Final-Decision:
Interim-Decision:
Modified:
Proposed: 20020611
Assigned: 20020607
Category: SF
Reference: BUGTRAQ:20020321 Re: move_uploaded_file breaks safe_mode restrictions in PHP
Reference: URL:http://online.securityfocus.com/archive/1/263259
Reference: BUGTRAQ:20020317 move_uploaded_file breaks safe_mode restrictions in PHP
Reference: URL:http://online.securityfocus.com/archive/1/262999
Reference: BUGTRAQ:20020322 Re: move_uploaded_file breaks safe_mode restrictions in PHP
Reference: URL:http://marc.theaimsgroup.com/?l=bugtraq&m=101683938806677&w=2
Reference: CONFIRM:http://bugs.php.net/bug.php?id=16128
Reference: XF:php-moveuploadedfile-create-files(8591)
Reference: URL:http://www.iss.net/security_center/static/8591.php
Reference: BID:4325
Reference: URL:http://www.securityfocus.com/bid/4325

move_uploaded_file in PHP does not check for the base directory (open_basedir), which could allow remote attackers to upload files to unintended locations on the system.

Analysis
----------------
ED_PRI CAN-2002-0484 1
Vendor Acknowledgement: yes followup

Voting Section
--------------
Possible votes: ACCEPT/MODIFY/NOOP/REVIEWING/RECAST/REJECT
If ACCEPT or MODIFY, include reason for acceptance: VERIFIED-BY-MY-ORG, ACKNOWLEDGED-BY-VENDOR, VERIFIED-BY-SOMEONE-I-TRUST, HAS-INDEPENDENT-CONFIRMATION, or provide other reason.
VOTE:
ACCEPT_REASON:
COMMENTS:

======================================================
Candidate: CAN-2002-0488
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2002-0488
Final-Decision:
Interim-Decision:
Modified:
Proposed: 20020611
Assigned: 20020607
Category: SF
Reference: BUGTRAQ:20020321 PHP script: Penguin Traceroute, Remote Command Execution
Reference: URL:http://www.securityfocus.com/archive/1/263285
Reference: CONFIRM:http://www.linux-directory.com/scripts/traceroute.pl
Reference: XF:penguin-traceroute-command-execution(8600)
Reference: URL:http://www.iss.net/security_center/static/8600.php
Reference: BID:4332
Reference: URL:http://www.securityfocus.com/bid/4332

Linux Directory Penguin traceroute.pl CGI script 1.0 allows remote attackers to execute arbitrary code via shell metacharacters in the host parameter.

Analysis
----------------
ED_PRI CAN-2002-0488 1
Vendor Acknowledgement: yes patch

ACKNOWLEDGEMENT: in the source code, the vendor cleanses the host parameter, adding a comment dated 20020321 that says the line was added.

Voting Section
--------------
Possible votes: ACCEPT/MODIFY/NOOP/REVIEWING/RECAST/REJECT
If ACCEPT or MODIFY, include reason for acceptance: VERIFIED-BY-MY-ORG, ACKNOWLEDGED-BY-VENDOR, VERIFIED-BY-SOMEONE-I-TRUST, HAS-INDEPENDENT-CONFIRMATION, or provide other reason.

VOTE:
ACCEPT_REASON:
COMMENTS:

======================================================
Candidate: CAN-2002-0061
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2002-0061
Final-Decision:
Interim-Decision:
Modified:
Proposed: 20020611
Assigned: 20020213
Category: SF
Reference: BUGTRAQ:20020321 Vulnerability in Apache for Win32 batch file processing - Remote command execution
Reference: URL:http://marc.theaimsgroup.com/?l=bugtraq&m=101674082427358&w=2
Reference: BUGTRAQ:20020325 Apache 1.3.24 Released! (fwd)
Reference: URL:http://online.securityfocus.com/archive/1/263927
Reference: XF:apache-dos-batch-command-execution(8589)
Reference: URL:http://www.iss.net/security_center/static/8589.php
Reference: BID:4335
Reference: URL:http://www.securityfocus.com/bid/4335

Apache for Win32 before 1.3.24, and 2.0.x before 2.0.34-beta, allows remote attackers to execute arbitrary commands via shell metacharacters (a | pipe character) provided as arguments to batch (.bat) or .cmd scripts, which are sent unfiltered to the shell interpreter, typically cmd.exe.

Analysis
----------------
ED_PRI CAN-2002-0061 2
Vendor Acknowledgement: yes advisory

Voting Section
--------------
Possible votes: ACCEPT/MODIFY/NOOP/REVIEWING/RECAST/REJECT
If ACCEPT or MODIFY, include reason for acceptance: VERIFIED-BY-MY-ORG, ACKNOWLEDGED-BY-VENDOR, VERIFIED-BY-SOMEONE-I-TRUST, HAS-INDEPENDENT-CONFIRMATION, or provide other reason.

VOTE:
ACCEPT_REASON:
COMMENTS:

======================================================
Candidate: CAN-2002-0463
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2002-0463
Final-Decision:
Interim-Decision:
Modified:
Proposed: 20020611
Assigned: 20020607
Category: SF
Reference: BUGTRAQ:20020319 Re: [ARL02-A07] ARSC Really Simple Chat System Information Path Disclosure Vulnerability
Reference: URL:http://www.securityfocus.com/archive/1/262802
Reference: BUGTRAQ:20020316 [ARL02-A07] ARSC Really Simple Chat System Information Path Disclosure Vulnerability
Reference: URL:http://www.securityfocus.com/archive/1/262652
Reference: BID:4307
Reference: URL:http://www.securityfocus.com/bid/4307
Reference: XF:arsc-language-path-disclosure(8472)
Reference: URL:http://www.iss.net/security_center/static/8472.php

home.php in ARSC (Really Simple Chat) 1.0.1 and earlier allows remote attackers to determine the full pathname of the web server via an invalid language in the arsc_language parameter, which leaks the pathname in an error message.
Analysis
----------------
ED_PRI CAN-2002-0463 2
Vendor Acknowledgement: yes followup

Voting Section
--------------
Possible votes: ACCEPT/MODIFY/NOOP/REVIEWING/RECAST/REJECT
If ACCEPT or MODIFY, include reason for acceptance: VERIFIED-BY-MY-ORG, ACKNOWLEDGED-BY-VENDOR, VERIFIED-BY-SOMEONE-I-TRUST, HAS-INDEPENDENT-CONFIRMATION, or provide other reason.

VOTE:
ACCEPT_REASON:
COMMENTS:

======================================================
Candidate: CAN-2002-0433
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2002-0433
Final-Decision:
Interim-Decision:
Modified:
Proposed: 20020611
Assigned: 20020607
Category: SF
Reference: BUGTRAQ:20020310 Pi3Web/2.0.0 File-Disclosure/Path Disclosure vuln
Reference: URL:http://online.securityfocus.com/archive/1/260734
Reference: XF:pi3web-asterisk-view-files(8429)
Reference: URL:http://www.iss.net/security_center/static/8429.php
Reference: BID:4262
Reference: URL:http://www.securityfocus.com/bid/4262

Pi3Web 2.0.0 allows remote attackers to view restricted files via an HTTP request containing a "*" (wildcard or asterisk) character.

Analysis
----------------
ED_PRI CAN-2002-0433 3
Vendor Acknowledgement:

Voting Section
--------------
Possible votes: ACCEPT/MODIFY/NOOP/REVIEWING/RECAST/REJECT
If ACCEPT or MODIFY, include reason for acceptance: VERIFIED-BY-MY-ORG, ACKNOWLEDGED-BY-VENDOR, VERIFIED-BY-SOMEONE-I-TRUST, HAS-INDEPENDENT-CONFIRMATION, or provide other reason.

VOTE:
ACCEPT_REASON:
COMMENTS:

======================================================
Candidate: CAN-2002-0434
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2002-0434
Final-Decision:
Interim-Decision:
Modified:
Proposed: 20020611
Assigned: 20020607
Category: SF
Reference: BUGTRAQ:20020310 Marcus S. Xenakis "directory.php" allows arbitrary code execution
Reference: URL:http://www.securityfocus.com/archive/1/261512
Reference: BID:4278
Reference: URL:http://www.securityfocus.com/bid/4278
Reference: XF:xenakis-directory-execute-commands(8440)
Reference: URL:http://www.iss.net/security_center/static/8440.php

Marcus S. Xenakis directory.php script allows remote attackers to execute arbitrary commands via shell metacharacters in the dir parameter.

Analysis
----------------
ED_PRI CAN-2002-0434 3
Vendor Acknowledgement: no vendor-unknown
Content Decisions: INCLUSION

INCLUSION/ACKNOWLEDGEMENT: there does not seem to be any record of a "Marcus S. Xenakis" or related software on the Web. Vendor acknowledgement could not be determined because the vendor cannot even be identified.

Voting Section
--------------
Possible votes: ACCEPT/MODIFY/NOOP/REVIEWING/RECAST/REJECT
If ACCEPT or MODIFY, include reason for acceptance: VERIFIED-BY-MY-ORG, ACKNOWLEDGED-BY-VENDOR, VERIFIED-BY-SOMEONE-I-TRUST, HAS-INDEPENDENT-CONFIRMATION, or provide other reason.

VOTE:
ACCEPT_REASON:
COMMENTS:

======================================================
Candidate: CAN-2002-0436
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2002-0436
Final-Decision:
Interim-Decision:
Modified:
Proposed: 20020611
Assigned: 20020607
Category: SF
Reference: BUGTRAQ:20020311 SunSolve CD cgi scripts...
Reference: URL:http://www.securityfocus.com/archive/1/261544
Reference: BID:4269
Reference: URL:http://www.securityfocus.com/bid/4269
Reference: XF:sunsolve-cd-command-execution(8435)
Reference: URL:http://www.iss.net/security_center/static/8435.php

sscd_suncourier.pl CGI script in the Sun Sunsolve CD pack allows remote attackers to execute arbitrary commands via shell metacharacters in the email address parameter.

Analysis
----------------
ED_PRI CAN-2002-0436 3
Vendor Acknowledgement:

Voting Section
--------------
Possible votes: ACCEPT/MODIFY/NOOP/REVIEWING/RECAST/REJECT

If ACCEPT or MODIFY, include reason for acceptance:
VERIFIED-BY-MY-ORG, ACKNOWLEDGED-BY-VENDOR, VERIFIED-BY-SOMEONE-I-TRUST,
HAS-INDEPENDENT-CONFIRMATION, or provide other reason.

VOTE:
ACCEPT_REASON:
COMMENTS:

======================================================
Candidate: CAN-2002-0438
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2002-0438
Final-Decision:
Interim-Decision:
Modified:
Proposed: 20020611
Assigned: 20020607
Category: SF
Reference: BUGTRAQ:20020311 ZyXEL ZyWALL10 DoS
Reference: URL:http://www.securityfocus.com/archive/1/261411
Reference: MISC:ftp://ftp.zyxel.com/public/zywall10/firmware/zywall10_V3.50(WA.2)C0_Standard.zip
Reference: XF:zyxel-zywall10-arp-dos(8436)
Reference: URL:http://www.iss.net/security_center/static/8436.php
Reference: BID:4272
Reference: URL:http://www.securityfocus.com/bid/4272
Reference: VULNWATCH:20020312 [VulnWatch] ZyXEL ZyWALL10 DoS
Reference: URL:http://archives.neohapsis.com/archives/vulnwatch/2002-q1/0067.html

ZyXEL ZyWALL 10 before 3.50 allows remote attackers to cause a denial of service via an ARP packet with the firewall's IP address and an incorrect MAC address, which causes the firewall to disable the LAN interface.

Analysis
----------------
ED_PRI CAN-2002-0438 3
Vendor Acknowledgement: unknown vague

ACKNOWLEDGEMENT: There is no clear vendor acknowledgement on the web site. The release note for the 3.50(WA.2) firmware patch, 350WA2C0.PDF, contains the statement: "30. [BUG FIXED] IP Alias address cannot fake MAC address in SMT2 and WEB." This is not clear enough to be certain that it addresses the specified vulnerability.

Voting Section
--------------
Possible votes: ACCEPT/MODIFY/NOOP/REVIEWING/RECAST/REJECT

If ACCEPT or MODIFY, include reason for acceptance:
VERIFIED-BY-MY-ORG, ACKNOWLEDGED-BY-VENDOR, VERIFIED-BY-SOMEONE-I-TRUST,
HAS-INDEPENDENT-CONFIRMATION, or provide other reason.

VOTE:
ACCEPT_REASON:
COMMENTS:

======================================================
Candidate: CAN-2002-0439
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2002-0439
Final-Decision:
Interim-Decision:
Modified:
Proposed: 20020611
Assigned: 20020607
Category: SF
Reference: BUGTRAQ:20020311 CaupoShop: cross-site-scripting bug
Reference: URL:http://www.securityfocus.com/archive/1/261218
Reference: XF:cauposhop-user-info-css(8431)
Reference: URL:http://www.iss.net/security_center/static/8431.php
Reference: BID:4270
Reference: URL:http://www.securityfocus.com/bid/4270

Cross-site scripting vulnerability in CaupoShop 1.30a and earlier, and possibly CaupoShopPro, allows remote attackers to execute arbitrary Javascript and steal credit card numbers or delete items by injecting the script into new customer information fields such as the message field.

Analysis
----------------
ED_PRI CAN-2002-0439 3
Vendor Acknowledgement: unknown discloser-claimed
Content Decisions: SF-LOC

ACKNOWLEDGEMENT: vendor site is in German, cannot tell whether vendor has acknowledged the issue or not.

Voting Section
--------------
Possible votes: ACCEPT/MODIFY/NOOP/REVIEWING/RECAST/REJECT

If ACCEPT or MODIFY, include reason for acceptance:
VERIFIED-BY-MY-ORG, ACKNOWLEDGED-BY-VENDOR, VERIFIED-BY-SOMEONE-I-TRUST,
HAS-INDEPENDENT-CONFIRMATION, or provide other reason.

VOTE:
ACCEPT_REASON:
COMMENTS:

======================================================
Candidate: CAN-2002-0440
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2002-0440
Final-Decision:
Interim-Decision:
Modified:
Proposed: 20020611
Assigned: 20020607
Category: SF
Reference: BUGTRAQ:20020311 VirusWall HTTP proxy content scanning circumvention
Reference: URL:http://www.securityfocus.com/archive/1/261083
Reference: BID:4265
Reference: URL:http://www.securityfocus.com/bid/4265

Trend Micro InterScan VirusWall HTTP proxy 3.6 with the "Skip scanning if Content-length equals 0" option enabled allows malicious web servers to bypass content scanning via a Content-length header set to 0, which is often ignored by HTTP clients.

Analysis
----------------
ED_PRI CAN-2002-0440 3
Vendor Acknowledgement: unknown discloser-claimed

Voting Section
--------------
Possible votes: ACCEPT/MODIFY/NOOP/REVIEWING/RECAST/REJECT

If ACCEPT or MODIFY, include reason for acceptance:
VERIFIED-BY-MY-ORG, ACKNOWLEDGED-BY-VENDOR, VERIFIED-BY-SOMEONE-I-TRUST,
HAS-INDEPENDENT-CONFIRMATION, or provide other reason.

VOTE:
ACCEPT_REASON:
COMMENTS:

======================================================
Candidate: CAN-2002-0445
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2002-0445
Final-Decision:
Interim-Decision:
Modified:
Proposed: 20020611
Assigned: 20020607
Category: SF
Reference: BUGTRAQ:20020312 [ARL02-A05] PHP FirstPost System Information Path Disclosure Vulnerability
Reference: URL:http://www.securityfocus.com/archive/1/261337
Reference: XF:phpfirstpost-path-disclosure(8434)
Reference: URL:http://www.iss.net/security_center/static/8434.php
Reference: BID:4274
Reference: URL:http://www.securityfocus.com/bid/4274

article.php in PHP FirstPost 0.1 allows remote attackers to obtain the full pathname of the server via an invalid post number in the post parameter, which leaks the pathname in an error message.

Analysis
----------------
ED_PRI CAN-2002-0445 3
Vendor Acknowledgement: unknown discloser-claimed

INCLUSION: CD:EX-BETA suggests that beta software should not be included in CVE unless it is popular or in permanent beta. The home page for PHP FirstPost implies that the product is in beta; however, the discloser suggests that the developer has stopped maintaining the code, so it could be argued that this software is in "permanent beta" and should be included in CVE.

Voting Section
--------------
Possible votes: ACCEPT/MODIFY/NOOP/REVIEWING/RECAST/REJECT

If ACCEPT or MODIFY, include reason for acceptance:
VERIFIED-BY-MY-ORG, ACKNOWLEDGED-BY-VENDOR, VERIFIED-BY-SOMEONE-I-TRUST,
HAS-INDEPENDENT-CONFIRMATION, or provide other reason.

VOTE:
ACCEPT_REASON:
COMMENTS:

======================================================
Candidate: CAN-2002-0446
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2002-0446
Final-Decision:
Interim-Decision:
Modified:
Proposed: 20020611
Assigned: 20020607
Category: SF
Reference: BUGTRAQ:20020312 [ARL02-A06] Black Tie Project System Information Path Disclosure Vulnerability
Reference: URL:http://www.securityfocus.com/archive/1/261681
Reference: BID:4275
Reference: URL:http://www.securityfocus.com/bid/4275
Reference: XF:btp-cid-path-disclosure(8439)
Reference: URL:http://www.iss.net/security_center/static/8439.php

categorie.php3 in Black Tie Project (BTP) 0.4b through 0.5b allows remote attackers to determine the absolute path of the web server via an invalid category ID (cid) parameter, which leaks the pathname in an error message.

Analysis
----------------
ED_PRI CAN-2002-0446 3
Vendor Acknowledgement: unknown discloser-claimed

Voting Section
--------------
Possible votes: ACCEPT/MODIFY/NOOP/REVIEWING/RECAST/REJECT

If ACCEPT or MODIFY, include reason for acceptance:
VERIFIED-BY-MY-ORG, ACKNOWLEDGED-BY-VENDOR, VERIFIED-BY-SOMEONE-I-TRUST,
HAS-INDEPENDENT-CONFIRMATION, or provide other reason.

VOTE:
ACCEPT_REASON:
COMMENTS:

======================================================
Candidate: CAN-2002-0452
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2002-0452
Final-Decision:
Interim-Decision:
Modified:
Proposed: 20020611
Assigned: 20020607
Category: SF
Reference: BUGTRAQ:20020313 Foundry Networks ServerIron don't decode URIs
Reference: URL:http://www.securityfocus.com/archive/1/261834
Reference: XF:foundry-serveriron-reveal-source(8459)
Reference: URL:http://www.iss.net/security_center/static/8459.php
Reference: BID:4286
Reference: URL:http://www.securityfocus.com/bid/4286

Foundry Networks ServerIron switches do not decode URIs when applying "url-map" rules, which could make it easier for attackers to cause the switch to forward traffic to a different server than intended and exploit vulnerabilities that would otherwise be inaccessible.

Analysis
----------------
ED_PRI CAN-2002-0452 3
Vendor Acknowledgement: no disputed
Content Decisions: INCLUSION

INCLUSION: A followup post argues that this is not a vulnerability in the ServerIron switch, as this behavior is entirely dependent on whether the affected servers have a vulnerability related to encoding. That alone still qualifies this issue as an exposure according to the CVE definition; but if the switch's design is not expected to provide protection against encoding attacks (just as an HTTP server isn't expected to protect against packet fragmentation attacks), then maybe this issue should not be included in CVE.

Voting Section
--------------
Possible votes: ACCEPT/MODIFY/NOOP/REVIEWING/RECAST/REJECT

If ACCEPT or MODIFY, include reason for acceptance:
VERIFIED-BY-MY-ORG, ACKNOWLEDGED-BY-VENDOR, VERIFIED-BY-SOMEONE-I-TRUST,
HAS-INDEPENDENT-CONFIRMATION, or provide other reason.

VOTE:
ACCEPT_REASON:
COMMENTS:

======================================================
Candidate: CAN-2002-0453
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2002-0453
Final-Decision:
Interim-Decision:
Modified:
Proposed: 20020611
Assigned: 20020607
Category: SF
Reference: BUGTRAQ:20020314 Account Lockout Vulnerability in Oblix NetPoint v5.2
Reference: URL:http://www.securityfocus.com/archive/1/262066
Reference: BID:4288
Reference: URL:http://www.securityfocus.com/bid/4288
Reference: XF:netpoint-account-lockout-bypass(8461)
Reference: URL:http://www.iss.net/security_center/static/8461.php

The account lockout capability in Oblix NetPoint 5.2 and earlier only locks out users once for the specified lockout period, which makes it easier for remote attackers to conduct brute force password guessing by waiting until the lockout period ends, then guessing passwords without being locked out again.

Analysis
----------------
ED_PRI CAN-2002-0453 3
Vendor Acknowledgement: unknown discloser-claimed

Voting Section
--------------
Possible votes: ACCEPT/MODIFY/NOOP/REVIEWING/RECAST/REJECT

If ACCEPT or MODIFY, include reason for acceptance:
VERIFIED-BY-MY-ORG, ACKNOWLEDGED-BY-VENDOR, VERIFIED-BY-SOMEONE-I-TRUST,
HAS-INDEPENDENT-CONFIRMATION, or provide other reason.

VOTE:
ACCEPT_REASON:
COMMENTS:

======================================================
Candidate: CAN-2002-0455
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2002-0455
Final-Decision:
Interim-Decision:
Modified:
Proposed: 20020611
Assigned: 20020607
Category: SF
Reference: BUGTRAQ:20020315 MSIE vulnerability exploitable with IncrediMail
Reference: URL:http://www.securityfocus.com/archive/1/262262
Reference: BID:4297
Reference: URL:http://www.securityfocus.com/bid/4297
Reference: XF:incredimail-insecure-attachment-directory(8460)
Reference: URL:http://www.iss.net/security_center/static/8460.php

IncrediMail stores attachments in a directory with a fixed name, which could make it easier for attackers to exploit vulnerabilities in other software that rely on installing and reading files from directories with known pathnames.

Analysis
----------------
ED_PRI CAN-2002-0455 3
Vendor Acknowledgement:
Content Decisions: INCLUSION

INCLUSION: technically, this issue is an exposure; it makes other attacks easier. However, so much software uses standard directory names that there is a question of scale here. Should all software that uses a standard directory name be included in CVE?

Voting Section
--------------
Possible votes: ACCEPT/MODIFY/NOOP/REVIEWING/RECAST/REJECT

If ACCEPT or MODIFY, include reason for acceptance:
VERIFIED-BY-MY-ORG, ACKNOWLEDGED-BY-VENDOR, VERIFIED-BY-SOMEONE-I-TRUST,
HAS-INDEPENDENT-CONFIRMATION, or provide other reason.

VOTE:
ACCEPT_REASON:
COMMENTS:

======================================================
Candidate: CAN-2002-0456
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2002-0456
Final-Decision:
Interim-Decision:
Modified:
Proposed: 20020611
Assigned: 20020607
Category: SF
Reference: BUGTRAQ:20020315 RE: MSIE vulnerability exploitable with IncrediMail
Reference: URL:http://marc.theaimsgroup.com/?l=bugtraq&m=101622857703677&w=2
Reference: BUGTRAQ:20020316 MSIE vulnerability exploitable with Eudora (was: IncrediMail)
Reference: URL:http://www.securityfocus.com/archive/1/262704
Reference: BID:4306
Reference: URL:http://www.securityfocus.com/bid/4306
Reference: XF:eudora-insecure-attachment-directory(8487)
Reference: URL:http://www.iss.net/security_center/static/8487.php

Eudora 5.1 and earlier versions store attachments in a directory with a fixed name, which could make it easier for attackers to exploit vulnerabilities in other software that rely on installing and reading files from directories with known pathnames.

Analysis
----------------
ED_PRI CAN-2002-0456 3
Vendor Acknowledgement:
Content Decisions: INCLUSION

INCLUSION: technically, this issue is an exposure; it makes other attacks easier. However, so much software uses standard directory names that there is a question of scale here. Should all software that uses a standard directory name be included in CVE?

Voting Section
--------------
Possible votes: ACCEPT/MODIFY/NOOP/REVIEWING/RECAST/REJECT

If ACCEPT or MODIFY, include reason for acceptance:
VERIFIED-BY-MY-ORG, ACKNOWLEDGED-BY-VENDOR, VERIFIED-BY-SOMEONE-I-TRUST,
HAS-INDEPENDENT-CONFIRMATION, or provide other reason.

VOTE:
ACCEPT_REASON:
COMMENTS:

======================================================
Candidate: CAN-2002-0457
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2002-0457
Final-Decision:
Interim-Decision:
Modified:
Proposed: 20020611
Assigned: 20020607
Category: SF
Reference: BUGTRAQ:20020316 [ARL02-A08] BG Guestbook Cross Site Scripting Vulnerability
Reference: URL:http://www.securityfocus.com/archive/1/262693
Reference: BID:4308
Reference: URL:http://www.securityfocus.com/bid/4308
Reference: XF:bgguestbook-post-css(8474)
Reference: URL:http://www.iss.net/security_center/static/8474.php

Cross-site scripting vulnerability in signgbook.php for BG GuestBook 1.0 allows remote attackers to execute arbitrary Javascript via encoded tags such as <, >, and & in fields such as (1) name, (2) email, (3) AIM screen name, (4) website, (5) location, or (6) message.

Analysis
----------------
ED_PRI CAN-2002-0457 3
Vendor Acknowledgement: unknown discloser-claimed

ACKNOWLEDGEMENT: the vendor web site is not available to verify acknowledgement.

Voting Section
--------------
Possible votes: ACCEPT/MODIFY/NOOP/REVIEWING/RECAST/REJECT

If ACCEPT or MODIFY, include reason for acceptance:
VERIFIED-BY-MY-ORG, ACKNOWLEDGED-BY-VENDOR, VERIFIED-BY-SOMEONE-I-TRUST,
HAS-INDEPENDENT-CONFIRMATION, or provide other reason.

VOTE:
ACCEPT_REASON:
COMMENTS:

======================================================
Candidate: CAN-2002-0458
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2002-0458
Final-Decision:
Interim-Decision:
Modified:
Proposed: 20020611
Assigned: 20020607
Category: SF
Reference: BUGTRAQ:20020316 [ARL02-A10] News-TNK Cross Site Scripting Vulnerability
Reference: URL:http://archives.neohapsis.com/archives/bugtraq/2002-03/0206.html
Reference: CONFIRM:http://translate.google.com/translate?u=http%3A%2F%2Fwww.linux-sottises.net%2Findex.php%3Fnews_init%3D13%23newstag&langpair=fr%7Cen&hl=en&ie=UTF8&oe=UTF8&prev=%2Flanguage_tools
Reference: XF:newstnk-web-css(8477)
Reference: URL:http://www.iss.net/security_center/static/8477.php

Cross-site scripting vulnerability in News-TNK 1.2.1 and earlier allows remote attackers to execute arbitrary Javascript via the WEB parameter.

Analysis
----------------
ED_PRI CAN-2002-0458 3
Vendor Acknowledgement: yes
Content Decisions: SF-CODEBASE

ABSTRACTION: CD:SF-CODEBASE suggests that if two packages from the same vendor have the same vulnerability, but the packages are separately available and the problem is not in a library, then separate candidates should be created. Therefore, Board-TNK and News-TNK should receive separate identifiers.

ACKNOWLEDGEMENT: while the original vendor web site is in French, an automatic translation makes it pretty clear. An item dated March 16, 2002, says "The same vulnerability [as the CSS problem in Board-TNK] is also resent in news-tnk."

Voting Section
--------------
Possible votes: ACCEPT/MODIFY/NOOP/REVIEWING/RECAST/REJECT

If ACCEPT or MODIFY, include reason for acceptance:
VERIFIED-BY-MY-ORG, ACKNOWLEDGED-BY-VENDOR, VERIFIED-BY-SOMEONE-I-TRUST,
HAS-INDEPENDENT-CONFIRMATION, or provide other reason.

VOTE:
ACCEPT_REASON:
COMMENTS:

======================================================
Candidate: CAN-2002-0459
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2002-0459
Final-Decision:
Interim-Decision:
Modified:
Proposed: 20020611
Assigned: 20020607
Category: SF
Reference: BUGTRAQ:20020316 [ARL02-A09] Board-TNK Cross Site Scripting Vulnerability
Reference: URL:http://www.securityfocus.com/archive/1/262694
Reference: CONFIRM:http://translate.google.com/translate?u=http%3A%2F%2Fwww.linux-sottises.net%2Findex.php%3Fnews_init%3D13%23newstag&langpair=fr%7Cen&hl=en&ie=UTF8&oe=UTF8&prev=%2Flanguage_tools
Reference: BID:4305
Reference: URL:http://www.securityfocus.com/bid/4305
Reference: XF:boardtnk-web-css(8475)
Reference: URL:http://www.iss.net/security_center/static/8475.php

Cross-site scripting vulnerability in Board-TNK 1.3.1 and earlier allows remote attackers to execute arbitrary Javascript via the WEB parameter.

Analysis
----------------
ED_PRI CAN-2002-0459 3
Vendor Acknowledgement: yes
Content Decisions: SF-CODEBASE

ABSTRACTION: CD:SF-CODEBASE suggests that if two packages from the same vendor have the same vulnerability, but the packages are separately available and the problem is not in a library, then separate candidates should be created. Therefore, Board-TNK and News-TNK should receive separate identifiers.

ACKNOWLEDGEMENT: while the original vendor web site is in French, an automatic translation makes it pretty clear. An item dated March 15, 2002, mentions a "Vulnerability of 'cross-country race site scripting' discovered by Ahmet Sabri ALPER".

Voting Section
--------------
Possible votes: ACCEPT/MODIFY/NOOP/REVIEWING/RECAST/REJECT

If ACCEPT or MODIFY, include reason for acceptance:
VERIFIED-BY-MY-ORG, ACKNOWLEDGED-BY-VENDOR, VERIFIED-BY-SOMEONE-I-TRUST,
HAS-INDEPENDENT-CONFIRMATION, or provide other reason.

VOTE:
ACCEPT_REASON:
COMMENTS:

======================================================
Candidate: CAN-2002-0460
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2002-0460
Final-Decision:
Interim-Decision:
Modified:
Proposed: 20020611
Assigned: 20020607
Category: SF
Reference: BUGTRAQ:20020318 KPMG-2002005: BitVise WinSSH Denial of Service
Reference: URL:http://online.securityfocus.com/archive/1/262681
Reference: BID:4300
Reference: URL:http://www.securityfocus.com/bid/4300
Reference: XF:winsshd-incomplete-connection-dos(8470)
Reference: URL:http://www.iss.net/security_center/static/8470.php
Reference: VULNWATCH:20020318 [VulnWatch] KPMG-2002005: BitVise WinSSH Denial of Service
Reference: URL:http://archives.neohapsis.com/archives/vulnwatch/2002-q1/0068.html

Bitvise WinSSHD before 2002-03-16 allows remote attackers to cause a denial of service (resource exhaustion) via a large number of incomplete connections that are not properly terminated, which are not properly freed by SSHd.

Analysis
----------------
ED_PRI CAN-2002-0460 3
Vendor Acknowledgement: unknown discloser-claimed

Voting Section
--------------
Possible votes: ACCEPT/MODIFY/NOOP/REVIEWING/RECAST/REJECT

If ACCEPT or MODIFY, include reason for acceptance:
VERIFIED-BY-MY-ORG, ACKNOWLEDGED-BY-VENDOR, VERIFIED-BY-SOMEONE-I-TRUST,
HAS-INDEPENDENT-CONFIRMATION, or provide other reason.

VOTE:
ACCEPT_REASON:
COMMENTS:

======================================================
Candidate: CAN-2002-0461
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2002-0461
Final-Decision:
Interim-Decision:
Modified:
Proposed: 20020611
Assigned: 20020607
Category: SF
Reference: BUGTRAQ:20020318 Javascript loop causes IE to crash
Reference: URL:http://online.securityfocus.com/archive/1/262994
Reference: BID:4322
Reference: URL:http://www.securityfocus.com/bid/4322
Reference: XF:ie-javascript-dos(8488)
Reference: URL:http://www.iss.net/security_center/static/8488.php

Internet Explorer 5.01 through 6 allows remote attackers to cause a denial of service (application crash) via Javascript in a web page that calls location.replace on itself, causing a loop.

Analysis
----------------
ED_PRI CAN-2002-0461 3
Vendor Acknowledgement:
Content Decisions: EX-CLIENT-DOS

INCLUSION: CD:EX-CLIENT-DOS suggests that a client-side denial of service whose scope is limited to the client, and which can be fixed by restarting the client, should not be included in CVE. So, perhaps this issue should not be included.

Voting Section
--------------
Possible votes: ACCEPT/MODIFY/NOOP/REVIEWING/RECAST/REJECT

If ACCEPT or MODIFY, include reason for acceptance:
VERIFIED-BY-MY-ORG, ACKNOWLEDGED-BY-VENDOR, VERIFIED-BY-SOMEONE-I-TRUST,
HAS-INDEPENDENT-CONFIRMATION, or provide other reason.

VOTE:
ACCEPT_REASON:
COMMENTS:

======================================================
Candidate: CAN-2002-0465
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2002-0465
Final-Decision:
Interim-Decision:
Modified:
Proposed: 20020611
Assigned: 20020607
Category: SF
Reference: BUGTRAQ:20020105 Hosting Controller's - Multiple Security Vulnerabilities
Reference: URL:http://archives.neohapsis.com/archives/bugtraq/2002-01/0039.html
Reference: CONFIRM:http://www.hostingcontroller.com/english/patches/ForAll/download/foldersecurity.zip
Reference: XF:hosting-controller-dot-directory-traversal(7824)
Reference: URL:http://xforce.iss.net/static/7824.php
Reference: BID:3811
Reference: URL:http://www.securityfocus.com/bid/3811

Directory traversal vulnerability in filemanager.asp for Hosting Controller 1.4.1 and earlier allows remote attackers to read and modify arbitrary files, and execute commands, via a .. (dot dot) in the OpenPath parameter.

Analysis
----------------
ED_PRI CAN-2002-0465 3
Vendor Acknowledgement: yes changelog
Content Decisions: SF-LOC

ACKNOWLEDGEMENT: the readme.txt file in a patch labeled "Folder Security Hot Fix," dated January 1, 2002, includes verbatim copies of sections from the Bugtraq post.

ABSTRACTION: Although other directory traversal vulnerabilities were discovered shortly after this one (March 2002), CD:SF-LOC suggests keeping separate CVE items for them because separate patches were produced.

Voting Section
--------------
Possible votes: ACCEPT/MODIFY/NOOP/REVIEWING/RECAST/REJECT

If ACCEPT or MODIFY, include reason for acceptance:
VERIFIED-BY-MY-ORG, ACKNOWLEDGED-BY-VENDOR, VERIFIED-BY-SOMEONE-I-TRUST,
HAS-INDEPENDENT-CONFIRMATION, or provide other reason.

VOTE:
ACCEPT_REASON:
COMMENTS:

======================================================
Candidate: CAN-2002-0466
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2002-0466
Final-Decision:
Interim-Decision:
Modified:
Proposed: 20020611
Assigned: 20020607
Category: SF
Reference: BUGTRAQ:20020105 Hosting Controller's - Multiple Security Vulnerabilities
Reference: URL:http://archives.neohapsis.com/archives/bugtraq/2002-01/0039.html
Reference: CONFIRM:http://www.hostingcontroller.com/english/patches/ForAll/download/foldersecurity.zip
Reference: XF:hosting-controller-directory-browsing(7823)
Reference: URL:http://xforce.iss.net/static/7823.php
Reference: BID:3808
Reference: URL:http://www.securityfocus.com/bid/3808

Hosting Controller 1.4.1 and earlier allows remote attackers to browse arbitrary directories via a full C: style pathname in the filepath arguments to (1) Statsbrowse.asp, (2) servubrowse.asp, (3) browsedisk.asp, (4) browsewebalizerexe.asp, or (5) sqlbrowse.asp.

Analysis
----------------
ED_PRI CAN-2002-0466 3
Vendor Acknowledgement: yes changelog
Content Decisions: SF-LOC

ACKNOWLEDGEMENT: the readme.txt file in a patch labeled "Folder Security Hot Fix," dated January 1, 2002, includes verbatim copies of sections from the Bugtraq post.

Voting Section
--------------
Possible votes: ACCEPT/MODIFY/NOOP/REVIEWING/RECAST/REJECT

If ACCEPT or MODIFY, include reason for acceptance:
VERIFIED-BY-MY-ORG, ACKNOWLEDGED-BY-VENDOR, VERIFIED-BY-SOMEONE-I-TRUST,
HAS-INDEPENDENT-CONFIRMATION, or provide other reason.

VOTE:
ACCEPT_REASON:
COMMENTS:

======================================================
Candidate: CAN-2002-0467
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2002-0467
Final-Decision:
Interim-Decision:
Modified:
Proposed: 20020611
Assigned: 20020607
Category: SF
Reference: BUGTRAQ:20020310 Ecartis/Listar multiple vulnerabilities
Reference: URL:http://www.securityfocus.com/archive/1/261209
Reference: DEBIAN:DSA-123
Reference: URL:http://www.debian.org/security/2002/dsa-123
Reference: CONFIRM:http://www.ecartis.org/
Reference: XF:ecartis-mystring-bo(8284)
Reference: URL:http://www.iss.net/security_center/static/8284.php
Reference: BID:4176
Reference: URL:http://www.securityfocus.com/bid/4176
Reference: VULNWATCH:20020311 [VulnWatch] Ecartis/Listar multiple vulnerabilities
Reference: URL:http://archives.neohapsis.com/archives/vulnwatch/2002-q1/0063.html

Buffer overflows in Ecartis (formerly Listar) 1.0.0 before snapshot 20020125 allow remote attackers to execute arbitrary code via (1) address_match() of mystring.c or (2) other functions in tolist.c.

Analysis
----------------
ED_PRI CAN-2002-0467 3
Vendor Acknowledgement: yes changelog
Content Decisions: SF-LOC

ACKNOWLEDGEMENT: in the vendor changelog entry dated [01/09/2002], the vendor says "funkysh@kris.top.pl [the discloser] reported a security flaw/buffer overflow in mystring.c... [and] fixed same issues in tolist.c"

Voting Section
--------------
Possible votes: ACCEPT/MODIFY/NOOP/REVIEWING/RECAST/REJECT

If ACCEPT or MODIFY, include reason for acceptance:
VERIFIED-BY-MY-ORG, ACKNOWLEDGED-BY-VENDOR, VERIFIED-BY-SOMEONE-I-TRUST,
HAS-INDEPENDENT-CONFIRMATION, or provide other reason.

VOTE:
ACCEPT_REASON:
COMMENTS:

======================================================
Candidate: CAN-2002-0468
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2002-0468
Final-Decision:
Interim-Decision:
Modified:
Proposed: 20020611
Assigned: 20020607
Category: SF
Reference: BUGTRAQ:20020427 Response to KF about Listar/Ecartis Vulnerability
Reference: URL:http://online.securityfocus.com/archive/1/269879
Reference: VULN-DEV:20020227 listar / ecaris remote or local?
Reference: URL:http://online.securityfocus.com/archive/82/258763
Reference: BUGTRAQ:20020425 ecartis / listar PoC
Reference: URL:http://online.securityfocus.com/archive/1/269658
Reference: BUGTRAQ:20020310 Ecartis/Listar multiple vulnerabilities
Reference: URL:http://www.securityfocus.com/archive/1/261209
Reference: CONFIRM:http://www.ecartis.org/
Reference: MISC:http://marc.theaimsgroup.com/?l=listar-support&m=101590272221720&w=2
Reference: BID:4271
Reference: URL:http://www.securityfocus.com/bid/4271
Reference: XF:ecartis-local-bo(8445)
Reference: URL:http://www.iss.net/security_center/static/8445.php

Buffer overflows in Ecartis (formerly Listar) 1.0.0 in snapshot 20020427 and earlier allow local users to gain privileges via (1) a long command line argument, which is not properly handled in core.c, or possibly via bad uses of sprintf() in (2) moderate.c, (3) lcgi.c, (4) fileapi.c, (5) cookie.c, (6) codes.c, or other files.

Analysis
----------------
ED_PRI CAN-2002-0468 3
Vendor Acknowledgement: yes changelog
Content Decisions: SF-LOC, VAGUE

ACCURACY: the lack of specific details makes it difficult to know which of the local sprintf() vulnerabilities are exploitable, as the only exploit was coded for an issue in core.c, and the vendor did a series of massive replacements of sprintf with a safer "buffer_printf()" call, which affected many files. It seems likely that at least some of the sprintf calls were not exploitable.

Voting Section
--------------
Possible votes: ACCEPT/MODIFY/NOOP/REVIEWING/RECAST/REJECT

If ACCEPT or MODIFY, include reason for acceptance:
VERIFIED-BY-MY-ORG, ACKNOWLEDGED-BY-VENDOR, VERIFIED-BY-SOMEONE-I-TRUST,
HAS-INDEPENDENT-CONFIRMATION, or provide other reason.

VOTE:
ACCEPT_REASON:
COMMENTS:

======================================================
Candidate: CAN-2002-0469
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2002-0469
Final-Decision:
Interim-Decision:
Modified:
Proposed: 20020611
Assigned: 20020607
Category: SF
Reference: BUGTRAQ:20020310 Ecartis/Listar multiple vulnerabilities
Reference: URL:http://www.securityfocus.com/archive/1/261209
Reference: BID:4277
Reference: URL:http://www.securityfocus.com/bid/4277
Reference: XF:ecartis-root-privileges(8444)
Reference: URL:http://www.iss.net/security_center/static/8444.php
Reference: VULNWATCH:20020311 [VulnWatch] Ecartis/Listar multiple vulnerabilities
Reference: URL:http://archives.neohapsis.com/archives/vulnwatch/2002-q1/0063.html

Ecartis (formerly Listar) 1.0.0 in snapshot 20020125 and earlier does not properly drop privileges when Ecartis is installed setuid-root, "lock-to-user" is not set, and ecartis is called by certain MTAs, which could allow local users to gain privileges.

Analysis
----------------
ED_PRI CAN-2002-0469 3
Vendor Acknowledgement:
Content Decisions: SF-LOC, VAGUE

INCLUSION: the discloser does not provide any scenarios under which the raised privileges might pose a threat.

Voting Section
--------------
Possible votes: ACCEPT/MODIFY/NOOP/REVIEWING/RECAST/REJECT

If ACCEPT or MODIFY, include reason for acceptance:
VERIFIED-BY-MY-ORG, ACKNOWLEDGED-BY-VENDOR, VERIFIED-BY-SOMEONE-I-TRUST,
HAS-INDEPENDENT-CONFIRMATION, or provide other reason.

VOTE:
ACCEPT_REASON:
COMMENTS:

======================================================
Candidate: CAN-2002-0470
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2002-0470
Final-Decision:
Interim-Decision:
Modified:
Proposed: 20020611
Assigned: 20020607
Category: SF
Reference: BUGTRAQ:20020318 PHP Net Toolpack: input validation error
Reference: URL:http://www.securityfocus.com/archive/1/262594
Reference: BID:4304
Reference: URL:http://www.securityfocus.com/bid/4304
Reference: XF:phpnettoolpack-traceroute-insecure-path(8484)
Reference: URL:http://www.iss.net/security_center/static/8484.php

PHPNetToolpack 0.1 relies on its environment's PATH to find and execute the traceroute program, which could allow local users to gain privileges by inserting a Trojan horse program into the search path.

Analysis
----------------
ED_PRI CAN-2002-0470 3
Vendor Acknowledgement:
Content Decisions: SF-LOC

Voting Section
--------------
Possible votes: ACCEPT/MODIFY/NOOP/REVIEWING/RECAST/REJECT

If ACCEPT or MODIFY, include reason for acceptance:
VERIFIED-BY-MY-ORG, ACKNOWLEDGED-BY-VENDOR, VERIFIED-BY-SOMEONE-I-TRUST,
HAS-INDEPENDENT-CONFIRMATION, or provide other reason.

VOTE:
ACCEPT_REASON:
COMMENTS:

======================================================
Candidate: CAN-2002-0471
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2002-0471
Final-Decision:
Interim-Decision:
Modified:
Proposed: 20020611
Assigned: 20020607
Category: SF
Reference: BUGTRAQ:20020318 PHP Net Toolpack: input validation error
Reference: URL:http://www.securityfocus.com/archive/1/262594
Reference: BID:4303
Reference: URL:http://www.securityfocus.com/bid/4303
Reference: XF:phpnettoolpack-traceroute-command-execution(8482)
Reference: URL:http://www.iss.net/security_center/static/8482.php

PHPNetToolpack 0.1 allows remote attackers to execute arbitrary code via shell metacharacters in the a_query variable.

Analysis
----------------
ED_PRI CAN-2002-0471 3
Vendor Acknowledgement:
Content Decisions: SF-LOC

Voting Section
--------------
Possible votes: ACCEPT/MODIFY/NOOP/REVIEWING/RECAST/REJECT

If ACCEPT or MODIFY, include reason for acceptance:
VERIFIED-BY-MY-ORG, ACKNOWLEDGED-BY-VENDOR, VERIFIED-BY-SOMEONE-I-TRUST,
HAS-INDEPENDENT-CONFIRMATION, or provide other reason.

VOTE:
ACCEPT_REASON:
COMMENTS:

======================================================
Candidate: CAN-2002-0472
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2002-0472
Final-Decision:
Interim-Decision:
Modified:
Proposed: 20020611
Assigned: 20020607
Category: SF
Reference: BUGTRAQ:20020319 Potential vulnerabilities of the Microsoft RVP-based Instant Messaging
Reference: URL:http://www.securityfocus.com/archive/1/262906
Reference: MISC:http://www.encode-sec.com/esp0202.pdf
Reference: BID:4316
Reference: URL:http://www.securityfocus.com/bid/4316
Reference: XF:msn-messenger-message-spoofing(8582)
Reference: URL:http://www.iss.net/security_center/static/8582.php

MSN Messenger Service 3.6, and possibly other versions, uses weak authentication when exchanging messages between clients, which allows remote attackers to spoof messages from other users.

Analysis
----------------
ED_PRI CAN-2002-0472 3
Vendor Acknowledgement:

Voting Section
--------------
Possible votes: ACCEPT/MODIFY/NOOP/REVIEWING/RECAST/REJECT

If ACCEPT or MODIFY, include reason for acceptance:
VERIFIED-BY-MY-ORG, ACKNOWLEDGED-BY-VENDOR, VERIFIED-BY-SOMEONE-I-TRUST,
HAS-INDEPENDENT-CONFIRMATION, or provide other reason.
VOTE:
ACCEPT_REASON:
COMMENTS:

======================================================
Candidate: CAN-2002-0478
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2002-0478
Final-Decision:
Interim-Decision:
Modified:
Proposed: 20020611
Assigned: 20020607
Category: CF
Reference: BUGTRAQ:20020320 Default SNMP configuration issue with Foundry Networks EdgeIron 4802F
Reference: URL:http://marc.theaimsgroup.com/?l=bugtraq&m=101666425609914&w=2
Reference: XF:edgelron-default-snmp-string(8592)
Reference: URL:http://www.iss.net/security_center/static/8592.php
Reference: BID:4330
Reference: URL:http://www.securityfocus.com/bid/4330

The default configuration of Foundry Networks EdgeIron 4802F allows
remote attackers to modify sensitive information via arbitrary SNMP
community strings.

Analysis
----------------
ED_PRI CAN-2002-0478 3
Vendor Acknowledgement:

Voting Section
--------------
Possible votes: ACCEPT/MODIFY/NOOP/REVIEWING/RECAST/REJECT
If ACCEPT or MODIFY, include reason for acceptance: VERIFIED-BY-MY-ORG,
ACKNOWLEDGED-BY-VENDOR, VERIFIED-BY-SOMEONE-I-TRUST,
HAS-INDEPENDENT-CONFIRMATION, or provide other reason.
VOTE:
ACCEPT_REASON:
COMMENTS:

======================================================
Candidate: CAN-2002-0479
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2002-0479
Final-Decision:
Interim-Decision:
Modified:
Proposed: 20020611
Assigned: 20020607
Category: SF
Reference: BUGTRAQ:20020320 Gravity Storm Service Pack Manager 2000 Share Vulnerability
Reference: URL:http://archives.neohapsis.com/archives/bugtraq/2002-03/0284.html
Reference: XF:sp-manager-insecure-directories(8607)
Reference: URL:http://www.iss.net/security_center/static/8607.php
Reference: BID:4347
Reference: URL:http://www.securityfocus.com/bid/4347

Gravity Storm Service Pack Manager 2000 creates a hidden share
(SPM2000c$) mapped to the C drive, which may allow local users to bypass
access restrictions on certain directories in the C drive, such as
system32, by accessing them through the hidden share.

Analysis
----------------
ED_PRI CAN-2002-0479 3
Vendor Acknowledgement: unknown discloser-claimed

Voting Section
--------------
Possible votes: ACCEPT/MODIFY/NOOP/REVIEWING/RECAST/REJECT
If ACCEPT or MODIFY, include reason for acceptance: VERIFIED-BY-MY-ORG,
ACKNOWLEDGED-BY-VENDOR, VERIFIED-BY-SOMEONE-I-TRUST,
HAS-INDEPENDENT-CONFIRMATION, or provide other reason.
VOTE:
ACCEPT_REASON:
COMMENTS:

======================================================
Candidate: CAN-2002-0480
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2002-0480
Final-Decision:
Interim-Decision:
Modified:
Proposed: 20020611
Assigned: 20020607
Category: CF
Reference: BUGTRAQ:20020320 NMRC Advisory - KeyManager Issue in ISS RealSecure on Nokia Appliances
Reference: URL:http://marc.theaimsgroup.com/?l=bugtraq&m=101666833321138&w=2
Reference: BUGTRAQ:20020322 RE: NMRC Advisory: RealSecure KeyManager Issue - Further Explanation
Reference: URL:http://marc.theaimsgroup.com/?l=bugtraq&m=101684141308876&w=2
Reference: BUGTRAQ:20020321 RE: [VulnWatch] NMRC Advisory - KeyManager Issue in ISS RealSecure on Nokia Appliances
Reference: URL:http://marc.theaimsgroup.com/?l=bugtraq&m=101675086010051&w=2
Reference: BID:4331
Reference: URL:http://online.securityfocus.com/bid/4331

ISS RealSecure for Nokia devices before IPSO build 6.0.2001.141d is
configured to allow a user "skank" on a machine "starscream" to become a
key manager when the "first time connection" feature is enabled and
before any legitimate administrators have connected, which could allow
remote attackers to gain access to the device during installation.

Analysis
----------------
ED_PRI CAN-2002-0480 3
Vendor Acknowledgement: yes followup
Content Decisions: INCLUSION

INCLUSION: there is some disagreement between the researcher and the
vendor regarding whether this issue can be exploited or not. The vendor
states that the issue requires root privileges on the sensor itself to
exploit, in which case the attacker gains no additional privileges by
attacking RealSecure. However, the discloser stated that connections
could be made from a remote console without having root privileges on
the sensor.
Voting Section
--------------
Possible votes: ACCEPT/MODIFY/NOOP/REVIEWING/RECAST/REJECT
If ACCEPT or MODIFY, include reason for acceptance: VERIFIED-BY-MY-ORG,
ACKNOWLEDGED-BY-VENDOR, VERIFIED-BY-SOMEONE-I-TRUST,
HAS-INDEPENDENT-CONFIRMATION, or provide other reason.

VOTE:
ACCEPT_REASON:
COMMENTS:

======================================================
Candidate: CAN-2002-0481
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2002-0481
Final-Decision:
Interim-Decision:
Modified:
Proposed: 20020611
Assigned: 20020607
Category: SF
Reference: BUGTRAQ:20020321 How Outlook 2002 can still execute JavaScript in an HTML email message
Reference: URL:http://online.securityfocus.com/archive/1/263429
Reference: BID:4340
Reference: URL:http://www.securityfocus.com/bid/4340
Reference: XF:outlook-iframe-javascript(8604)
Reference: URL:http://www.iss.net/security_center/static/8604.php

An interaction between Windows Media Player (WMP) and Outlook 2002
allows remote attackers to bypass Outlook security settings and execute
Javascript via an IFRAME in an HTML email message that references .WMS
(Windows Media Skin) or other WMP media files, whose onload handlers
execute the player.LaunchURL() Javascript function.

Analysis
----------------
ED_PRI CAN-2002-0481 3
Vendor Acknowledgement:

Voting Section
--------------
Possible votes: ACCEPT/MODIFY/NOOP/REVIEWING/RECAST/REJECT
If ACCEPT or MODIFY, include reason for acceptance: VERIFIED-BY-MY-ORG,
ACKNOWLEDGED-BY-VENDOR, VERIFIED-BY-SOMEONE-I-TRUST,
HAS-INDEPENDENT-CONFIRMATION, or provide other reason.

VOTE:
ACCEPT_REASON:
COMMENTS:

======================================================
Candidate: CAN-2002-0483
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2002-0483
Final-Decision:
Interim-Decision:
Modified:
Proposed: 20020611
Assigned: 20020607
Category: SF
Reference: BUGTRAQ:20020320 Fw: PHPNuke 5.4 Path Disclosure Vulnerability?
Reference: URL:http://online.securityfocus.com/archive/1/263337
Reference: BID:4333
Reference: URL:http://www.securityfocus.com/bid/4333
Reference: XF:phpnuke-index-path-disclosure(8618)
Reference: URL:http://www.iss.net/security_center/static/8618.php

index.php for PHP-Nuke 5.4 and earlier allows remote attackers to
determine the physical pathname of the web server when the file
parameter is set to index.php, which triggers an error message that
leaks the pathname.

Analysis
----------------
ED_PRI CAN-2002-0483 3
Vendor Acknowledgement:

Voting Section
--------------
Possible votes: ACCEPT/MODIFY/NOOP/REVIEWING/RECAST/REJECT
If ACCEPT or MODIFY, include reason for acceptance: VERIFIED-BY-MY-ORG,
ACKNOWLEDGED-BY-VENDOR, VERIFIED-BY-SOMEONE-I-TRUST,
HAS-INDEPENDENT-CONFIRMATION, or provide other reason.

VOTE:
ACCEPT_REASON:
COMMENTS:

======================================================
Candidate: CAN-2002-0489
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2002-0489
Final-Decision:
Interim-Decision:
Modified:
Proposed: 20020611
Assigned: 20020607
Category: SF
Reference: BUGTRAQ:20020322 Re: PHP script: Penguin Traceroute, Remote Command Execution
Reference: URL:http://marc.theaimsgroup.com/?l=bugtraq&m=101684215209558&w=2
Reference: XF:penguin-nslookup-command-execution(8601)
Reference: URL:http://www.iss.net/security_center/static/8601.php
Reference: BID:4353
Reference: URL:http://www.securityfocus.com/bid/4353

Linux Directory Penguin NsLookup CGI script (nslookup.pl) 1.0 allows
remote attackers to execute arbitrary code via shell metacharacters in
the (1) query or (2) type parameters.

Analysis
----------------
ED_PRI CAN-2002-0489 3
Vendor Acknowledgement:

ACCURACY: the query/type parameters were inferred from inspection of the
source code.
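CAN-2002-0471 and CAN-2002-0489 above are the same defect class (a request
parameter pasted into a shell command line), and CAN-2002-0470 is its usual
companion (the binary located through the inherited PATH). The Python below
is an added illustration of that class and of the fix a reviewer would
expect; it is not code from PHPNetToolpack, the Penguin NsLookup script or
any vendor. The tool paths in TOOLS are assumptions, and vulnerable_command
only builds the string the advisories describe, it never executes it.

```python
"""Added example (not code from PHPNetToolpack or Penguin NsLookup).

Contrasts the pattern behind CAN-2002-0470/0471/0489, a web script that
pastes a request parameter into a shell command and lets the shell find
the binary via PATH, with a builder that uses an absolute path, an argv
list and an allow-list validator for the target.
"""
import ipaddress
import re
import subprocess

# Assumed install locations (illustrative; pin the real ones at deploy time).
TOOLS = {
    "traceroute": "/usr/sbin/traceroute",
    "nslookup": "/usr/bin/nslookup",
}

# DNS label: alphanumerics and hyphens, 1-63 chars, no leading/trailing hyphen.
_LABEL = r"[A-Za-z0-9](?:[A-Za-z0-9-]{0,61}[A-Za-z0-9])?"
HOSTNAME_RE = re.compile(rf"^{_LABEL}(?:\.{_LABEL})*\.?$")


def vulnerable_command(tool, target):
    """The advisories' pattern: bare tool name (PATH lookup) plus the raw
    parameter, handed to a shell. Returned for inspection only; never run
    it: a target of '8.8.8.8; id' becomes two commands."""
    return f"{tool} {target}"


def is_valid_target(target):
    """Allow-list: a literal IPv4/IPv6 address or a syntactically valid
    hostname. Everything else is rejected, including every shell
    metacharacter, whitespace and a leading '-' (option injection)."""
    if not target or len(target) > 253:
        return False
    try:
        ipaddress.ip_address(target)
        return True
    except ValueError:
        return HOSTNAME_RE.match(target) is not None


def safe_argv(tool, target):
    """Hardened form: fixed absolute path (no PATH search) and an argv list
    (no shell, so metacharacters are just bytes inside one argument)."""
    if tool not in TOOLS:
        raise ValueError(f"unknown tool: {tool!r}")
    if not is_valid_target(target):
        raise ValueError(f"rejected target: {target!r}")
    return [TOOLS[tool], target]


def run_tool(tool, target, timeout=30):
    """Execute with shell=False and a minimal environment, so neither PATH
    nor any other inherited variable influences which binary runs."""
    return subprocess.run(
        safe_argv(tool, target),
        shell=False,
        env={"PATH": "/usr/bin:/bin"},
        capture_output=True,
        text=True,
        timeout=timeout,
    )
```

The allow-list is deliberately narrower than "strip the metacharacters I
can think of": a blacklist misses the next shell feature, while a hostname
grammar plus ipaddress parsing admits only what the tool can legitimately
resolve. Rejecting a leading hyphen also closes argument injection, which
an argv list alone does not prevent.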
Voting Section
--------------
Possible votes: ACCEPT/MODIFY/NOOP/REVIEWING/RECAST/REJECT
If ACCEPT or MODIFY, include reason for acceptance: VERIFIED-BY-MY-ORG,
ACKNOWLEDGED-BY-VENDOR, VERIFIED-BY-SOMEONE-I-TRUST,
HAS-INDEPENDENT-CONFIRMATION, or provide other reason.

VOTE:
ACCEPT_REASON:
COMMENTS:

======================================================
Candidate: CAN-2002-0510
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2002-0510
Final-Decision:
Interim-Decision:
Modified:
Proposed: 20020611
Assigned: 20020607
Category: SF
Reference: BUGTRAQ:20020319 Identifying Kernel 2.4.x based Linux machines using UDP
Reference: URL:http://www.securityfocus.com/archive/1/262840
Reference: BID:4314
Reference: URL:http://www.securityfocus.com/bid/4314
Reference: XF:linux-udp-fingerprint(8588)
Reference: URL:http://www.iss.net/security_center/static/8588.php

The UDP implementation in Linux 2.4.x kernels keeps the IP
Identification field at 0 for all non-fragmented packets, which could
allow remote attackers to determine that a target system is running
Linux.

Analysis
----------------
ED_PRI CAN-2002-0510 3
Vendor Acknowledgement:
Content Decisions: INCLUSION

INCLUSION: since knowledge of a target's operating system can make other
attacks easier, this issue fits the CVE definition of "exposure" and
should be included in CVE. However, it has been suggested that this
behavior has some useful features. If it is adopted in the future by
other operating systems, this behavior would no longer be an exposure.

Voting Section
--------------
Possible votes: ACCEPT/MODIFY/NOOP/REVIEWING/RECAST/REJECT
If ACCEPT or MODIFY, include reason for acceptance: VERIFIED-BY-MY-ORG,
ACKNOWLEDGED-BY-VENDOR, VERIFIED-BY-SOMEONE-I-TRUST,
HAS-INDEPENDENT-CONFIRMATION, or provide other reason.
VOTE:
ACCEPT_REASON:
COMMENTS:

======================================================
Candidate: CAN-2002-0557
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2002-0557
Final-Decision:
Interim-Decision:
Modified:
Proposed: 20020611
Assigned: 20020607
Category: SF
Reference: OPENBSD:20020319 016: SECURITY FIX: March 19, 2002
Reference: URL:http://www.openbsd.org/errata30.html#approval
Reference: BID:4338
Reference: URL:http://www.securityfocus.com/bid/4338
Reference: XF:bsd-yp-execute-shell(8625)
Reference: URL:http://www.iss.net/security_center/static/8625.php

Vulnerability in OpenBSD 3.0, when using YP with netgroups in the
password database, causes (1) rexec or (2) rsh to run another user's
shell, or (3) atrun to change to a different user's directory, possibly
due to memory allocation failures or an incorrect call to
auth_approval().

Analysis
----------------
ED_PRI CAN-2002-0557 3
Vendor Acknowledgement: yes advisory
Content Decisions: VAGUE

Voting Section
--------------
Possible votes: ACCEPT/MODIFY/NOOP/REVIEWING/RECAST/REJECT
If ACCEPT or MODIFY, include reason for acceptance: VERIFIED-BY-MY-ORG,
ACKNOWLEDGED-BY-VENDOR, VERIFIED-BY-SOMEONE-I-TRUST,
HAS-INDEPENDENT-CONFIRMATION, or provide other reason.

VOTE:
ACCEPT_REASON:
COMMENTS:
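The trait described for CAN-2002-0510 above (IP Identification held at 0
on unfragmented UDP datagrams) can be checked passively from captured IPv4
headers. The Python below is an added example, not code from the Bugtraq
post or from any fingerprinting tool: the packets it inspects are
constructed inside the block, the source addresses are RFC 5737
documentation addresses chosen for illustration, and the per-host
heuristic that requires several samples before flagging a host is the
generalization a practitioner would add, since any single datagram may
legitimately carry an ID of 0.

```python
"""Added example: detect the Linux 2.4 UDP IP-ID trait from raw IPv4 headers.

Constructed packets only; nothing is read from a live interface.
"""
import struct

IPPROTO_UDP = 17
DF_FLAG = 0x4000            # "don't fragment"
MF_FLAG = 0x2000            # "more fragments"
FRAG_OFFSET_MASK = 0x1FFF


def ipv4_checksum(header):
    """RFC 791 one's-complement checksum over an IPv4 header. Over a header
    that already carries a correct checksum the result is 0."""
    if len(header) % 2:
        header += b"\x00"
    total = sum(struct.unpack(f"!{len(header) // 2}H", header))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def build_ipv4_udp(ident, src, dst, payload_len=8, df=True, mf=False, frag_off=0):
    """Construct a minimal IPv4 header for a UDP datagram (test data only)."""
    flags_frag = (DF_FLAG if df else 0) | (MF_FLAG if mf else 0) | (frag_off & FRAG_OFFSET_MASK)
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + payload_len, ident,
                      flags_frag, 64, IPPROTO_UDP, 0, src, dst)
    csum = ipv4_checksum(hdr)
    return hdr[:10] + struct.pack("!H", csum) + hdr[12:] + bytes(payload_len)


def parse_ipv4(pkt):
    """Return the header fields the check needs, or None for non-IPv4 input."""
    if len(pkt) < 20 or pkt[0] >> 4 != 4:
        return None
    ihl = (pkt[0] & 0x0F) * 4
    if ihl < 20 or len(pkt) < ihl:
        return None
    (_vi, _tos, _total_len, ident, flags_frag, _ttl, proto, _csum,
     src, _dst) = struct.unpack("!BBHHHBBH4s4s", pkt[:20])
    return {
        "id": ident,
        "proto": proto,
        "more_fragments": bool(flags_frag & MF_FLAG),
        "frag_offset": flags_frag & FRAG_OFFSET_MASK,
        "checksum_ok": ipv4_checksum(pkt[:ihl]) == 0,
        "src": ".".join(str(b) for b in src),
    }


def is_linux24_style_udp(pkt):
    """True for an unfragmented UDP datagram whose IP ID is 0, which is the
    single-packet observation CAN-2002-0510 describes."""
    f = parse_ipv4(pkt)
    if f is None or f["proto"] != IPPROTO_UDP:
        return False
    unfragmented = not f["more_fragments"] and f["frag_offset"] == 0
    return unfragmented and f["id"] == 0


def fingerprint_hosts(packets, min_samples=3):
    """Per source address: True only when at least min_samples unfragmented
    UDP datagrams were seen and every one of them carried ID 0. Fragments
    are skipped because their IDs are meaningful on any stack."""
    seen = {}
    for pkt in packets:
        f = parse_ipv4(pkt)
        if f is None or f["proto"] != IPPROTO_UDP:
            continue
        if f["more_fragments"] or f["frag_offset"]:
            continue
        count, zeros = seen.get(f["src"], (0, 0))
        seen[f["src"]] = (count + 1, zeros + (f["id"] == 0))
    return {src: (n >= min_samples and n == z) for src, (n, z) in seen.items()}


# Constructed sample: one host behaving like Linux 2.4, one with a normal counter.
LINUX24_SRC = bytes([192, 0, 2, 10])
OTHER_SRC = bytes([192, 0, 2, 20])
DST = bytes([198, 51, 100, 1])
SAMPLE_PACKETS = (
    [build_ipv4_udp(0, LINUX24_SRC, DST) for _ in range(4)]
    + [build_ipv4_udp(i, OTHER_SRC, DST) for i in (0x1A2B, 0x1A2C, 0x1A2D, 0x1A2E)]
    + [build_ipv4_udp(0, OTHER_SRC, DST, df=False, mf=True)]  # fragment, ignored
)

if __name__ == "__main__":
    for src, flagged in fingerprint_hosts(SAMPLE_PACKETS).items():
        print(f"{src}: {'Linux 2.4-style IP ID' if flagged else 'no'}")
```

Treat the result as a hint rather than proof: as the INCLUSION note says,
the behaviour could be adopted by other stacks, and a host that sends only
a handful of datagrams gives too few samples to distinguish the kernel
trait from a coincidental ID of 0.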