CVE Candidates as of 20130516
Name: CVE-1999-0001
Description:
ip_input.c in BSD-derived TCP/IP implementations allows remote
attackers to cause a denial of service (crash or hang) via crafted
packets.
Status: Candidate
Phase: Modified (20051217)
Reference: CERT:CA-98-13-tcp-denial-of-service
Reference: BUGTRAQ:19981223 Re: CERT Advisory CA-98.13 - TCP/IP Denial of Service
Reference: CONFIRM:http://www.openbsd.org/errata23.html#tcpfix
Reference: OSVDB:5707
Reference: URL:http://www.osvdb.org/5707
Votes:
MODIFY(1) Frech
NOOP(2) Northcutt, Wall
REVIEWING(1) Christey
Voter Comments:
Christey> A Bugtraq posting indicates that the bug has to do with
"short packets with certain options set," so the description
should be modified accordingly.
But is this the same as CVE-1999-0052? That one is related
to nestea (CVE-1999-0257) and probably the one described in
BUGTRAQ:19981023 nestea v2 against freebsd 3.0-Release
The patch for nestea is in ip_input.c around line 750.
The patches for CVE-1999-0001 are in lines 388&446. So,
CVE-1999-0001 is different from CVE-1999-0257 and CVE-1999-0052.
The FreeBSD patch for CVE-1999-0052 is in line 750.
So, CVE-1999-0257 and CVE-1999-0052 may be the same, though
CVE-1999-0052 should be RECAST since this bug affects Linux
and other OSes besides FreeBSD.
Frech> XF:teardrop(338)
This assignment was based solely on references to the CERT advisory.
Christey> The description for BID:190, which links to CVE-1999-0052 (a
FreeBSD advisory), notes that the patches provided by FreeBSD in
CERT:CA-1998-13 suggest a connection between CVE-1999-0001 and
CVE-1999-0052. CERT:CA-1998-13 is too vague to be sure without
further analysis.
Name: CVE-1999-0004
Description:
MIME buffer overflow in email clients, e.g. Solaris mailtool
and Outlook.
Status: Candidate
Phase: Modified (19990621-01)
Reference: CERT:CA-98.10.mime_buffer_overflows
Reference: XF:outlook-long-name
Reference: SUN:00175
Reference: MS:MS98-008
Reference: URL:http://www.microsoft.com/technet/security/bulletin/ms98-008.asp
Votes:
ACCEPT(8) Baker, Cole, Collins, Dik, Landfield, Magdych, Northcutt, Wall
MODIFY(1) Frech
NOOP(1) Christey
REVIEWING(1) Shostack
Voter Comments:
Frech> Extremely minor, but I believe e-mail is the correct term. (If you reject
this suggestion, I will not be devastated.) :-)
Christey> This issue seems to have been rediscovered in
BUGTRAQ:20000515 Eudora Pro & Outlook Overflow - too long filenames again
http://marc.theaimsgroup.com/?l=bugtraq&m=95842482413076&w=2
Also see
BUGTRAQ:19990320 Eudora Attachment Buffer Overflow
http://marc.theaimsgroup.com/?l=bugtraq&m=92195396912110&w=2
Christey>
CVE-2000-0415 may be a later rediscovery of this problem
for Outlook.
Dik> Sun bug 4163471,
Christey> ADDREF BID:125
Christey> BUGTRAQ:19980730 Long Filenames & Lotus Products
URL:http://marc.theaimsgroup.com/?l=bugtraq&m=90221104526201&w=2
Name: CVE-1999-0015
Description:
Teardrop IP denial of service.
Status: Candidate
Phase: Modified (20090302)
Reference: CERT:CA-97.28.Teardrop_Land
Reference: OVAL:oval:org.mitre.oval:def:5579
Reference: URL:http://oval.mitre.org/repository/data/getDef?id=oval:org.mitre.oval:def:5579
Reference: XF:teardrop
Votes:
ACCEPT(1) Wall
MODIFY(1) Frech
REVIEWING(1) Christey
Voter Comments:
Frech> XF: teardrop-mod
Christey> Not sure how many separate "instances" of Teardrop there are.
See: CVE-1999-0015, CVE-1999-0104, CVE-1999-0257, CVE-1999-0258
Christey> See the SCO advisory at:
http://www.securityfocus.com/templates/advisory.html?id=1411
which may further clarify the issue.
Christey> MSKB:Q154174
MSKB:Q154174 (CVE-1999-0015) and MSKB:Q179129 (CVE-1999-0104)
indicate that CVE-1999-0015 was fixed in NT SP3, but
CVE-1999-0104 was not. Thus CD:SF-LOC suggests that the
problems keep separate candidates because one problem appears
in a different version than the other.
Christey> BID:124
http://www.securityfocus.com/bid/124
Consider MSKB:Q154174
http://support.microsoft.com/support/kb/articles/q154/1/74.asp
Consider BUGTRAQ:19971113 Linux IP fragment overlap bug
http://www.securityfocus.com/archive/1/8014
Name: CVE-1999-0020
Description:
** REJECT **
DO NOT USE THIS CANDIDATE NUMBER. ConsultIDs: CVE-1999-0032. Reason:
This candidate is a duplicate of CVE-1999-0032. Notes: All CVE users
should reference CVE-1999-0032 instead of this candidate. All
references and descriptions in this candidate have been removed to
prevent accidental usage.
Status: Candidate
Phase: Modified (20050204)
Votes:
MODIFY(1) Frech
NOOP(4) Levy, Northcutt, Shostack, Wall
REJECT(2) Baker, Christey
Voter Comments:
Frech> XF:lpr-bo
Christey> DUPE CVE-1999-0032, which includes XF:lpr-bo
Name: CVE-1999-0030
Description:
root privileges via buffer overflow in xlock command on SGI IRIX
systems.
Status: Candidate
Phase: Proposed (19990623)
Reference: CERT:CA-97.21.sgi_buffer_overflow
Reference: AUSCERT:AA-97.24.IRIX.xlock.buffer.overflow.vul
Reference: XF:sgi-xlockbo
Reference: SGI:19970508-02-PX
Votes:
ACCEPT(3) Levy, Ozancin, Prosser
NOOP(1) Baker
RECAST(1) Frech
REJECT(1) Christey
Voter Comments:
Frech> XF:xlock-bo (also add)
As per xlock-bo, also appears on AIX, BSDI, DG/UX, FreeBSD, Solaris, and
several Linii.
Also, don't you mean to cite SGI:19970502-02-PX? The one you list is
login/scheme.
Levy> Notice that this xlock overflow is the same as in
CA-97.13. CA-97.21 simply is a reminder.
Christey> As pointed out by Elias, CA-97.21 states: "For more
information about vulnerabilities in xlock... see CA-97.13"
CA-97.13 = CVE-1999-0038.
This may also be a duplicate with CVE-1999-0306.
See exploits at:
http://marc.theaimsgroup.com/?l=bugtraq&m=87602167418394&w=2
http://marc.theaimsgroup.com/?l=bugtraq&m=87602167418404&w=2
Sun also has this problem, at
http://sunsolve.sun.com/pub-cgi/retrieve.pl?doctype=coll&doc=secbull/150&type=0&nav=sec.sba
Name: CVE-1999-0033
Description:
Command execution in Sun systems via buffer overflow in the at
program.
Status: Candidate
Phase: Modified (20040811)
Reference: CERT:CA-97.18.at
Reference: SUN:00160
Reference: XF:sun-atbo
Votes:
ACCEPT(8) Baker, Cole, Collins, Dik, Hill, Northcutt, Shostack, Wall
NOOP(1) Christey
RECAST(1) Frech
Voter Comments:
Frech> This vulnerability also manifests itself for the following
platforms: AIX, HPUX, IRIX, Solaris, SCO, NCR MP-RAS. In this light,
please add the following:
Reference: XF:at-bo
Dik> Sun bug 1265200, 4063161
Christey> ADDREF SGI:19971102-01-PX
ftp://patches.sgi.com/support/free/security/advisories/19971102-01-PX
SCO:SB.97:01
ftp://ftp.sco.com/SSE/security_bulletins/SB.97:01a
Christey> CIAC:F-15
http://ciac.llnl.gov/ciac/bulletins/f-15.shtml
HP:HPSBUX9502-023
Christey> Add period to the end of the description.
Name: CVE-1999-0061
Description:
File creation and deletion, and remote execution, in the BSD
line printer daemon (lpd).
Status: Candidate
Phase: Proposed (19990630)
Reference: NAI:NAI-20
Reference: XF:bsd-lpd
Votes:
ACCEPT(3) Frech, Hill, Northcutt
RECAST(1) Baker
REVIEWING(1) Christey
Voter Comments:
Christey> This should be split into three separate problems based on
the SNI advisory. But there's newer information to further
complicate things.
What do we do about this one? in 1997 or so, SNI did an
advisory on this problem. In early 2000, it was still
discovered to be present in some Linux systems. So an
SF-DISCOVERY content decision might say that this is a
long enough time between the two, so this should be recorded
separately. But they're the same codebase... so if we keep
them in the same entry, how do we make sure that this entry
reflects that some new information has been discovered?
The use of dot notation may help in this regard, to use one
dot for the original problem as discovered in 1997, and
another dot for the resurgence of the problem in 2000.
Baker> We should merge these.
Christey> Perhaps this should be NAI-19 instead of NAI-20?
The original Bugtraq post for the SNI advisory suggests SNI-19:
BUGTRAQ:19971002 SNI-19:BSD lpd vulnerability
URL:SNI-19:BSD lpd vulnerability
Also add:
BUGTRAQ:19971021 SNI-19: BSD lpd vulnerabilities (UPDATE)
URL:http://marc.theaimsgroup.com/?l=bugtraq&m=87747479514310&w=2
However, archives of "NAI-0020" point to the lpd vuln.
If I recall correctly, some of the NAI advisory numbers got
switched when NAI acquired SNI.
Name: CVE-1999-0076
Description:
Buffer overflow in wu-ftp from PASV command causes a core dump.
Status: Candidate
Phase: Modified (19990925-01)
Reference: XF:ftp-args
Votes:
ACCEPT(3) Baker, Frech, Ozancin
NOOP(1) Balinsky
REVIEWING(1) Christey
Voter Comments:
Balinsky> Don't know what this is. Is this the LIST Core dump vulnerability?
Christey> Need to add more references and details.
Name: CVE-1999-0078
Description:
pcnfsd (aka rpc.pcnfsd) allows local users to change file permissions,
or execute arbitrary commands through arguments in the RPC call.
Status: Candidate
Phase: Modified (19990621-01)
Reference: CERT:CA-96.08.pcnfsd
Reference: XF:rpc-pcnfsd
Votes:
ACCEPT(5) Collins, Frech, Landfield, Northcutt, Shostack
NOOP(1) Baker
RECAST(1) Christey
Voter Comments:
Christey> This candidate should be SPLIT, since there are two separate
software flaws. One is a symlink race and the other is a
shell metacharacter problem.
Christey> The permissions part of this vulnerability appears to
overlap with CVE-1999-0353
Christey> SGI:20020802-01-I
Name: CVE-1999-0086
Description:
AIX routed allows remote users to modify sensitive files.
Status: Candidate
Phase: Interim (19990630)
Reference: ERS:ERS-SVA-E01-1998:001.1
Reference: XF:ibm-routed
Votes:
ACCEPT(2) Northcutt, Shostack
MODIFY(2) Frech, Prosser
NOOP(1) Baker
REJECT(1) Christey
Voter Comments:
Frech> Reference: XF:ibm-routed
Prosser> This vulnerability allows debug mode to be turned on which is
the problem. Should this be more specific in the description? This
one also affects SGI OSes, ref SGI Security Advisory 19981004-PX which
is in the SGI cluster, shouldn't these be cross-referenced as the same
vuln affects multiple OSes.
Christey> This appears to be subsumed by CVE-1999-0215
Name: CVE-1999-0088
Description:
IRIX and AIX automountd services (autofsd) allow remote users to
execute root commands.
Status: Candidate
Phase: Proposed (19990617)
Reference: ERS:ERS-SVA-E01-1998:004.1
Reference: URL:http://www-1.ibm.com/services/brs/brspwhub.nsf/advisories/852567CC004F9038852566BF007B6393/$file/ERS-SVA-E01-1998_004_1.txt
Votes:
ACCEPT(2) Northcutt, Shostack
MODIFY(2) Frech, Prosser
RECAST(1) Baker
REVIEWING(1) Christey
Voter Comments:
Frech> ERS (and other references, BTW) explicitly stipulate 'local and
remote'.
Reference: XF:irix-autofsd
Prosser> Include the SGI Alert as well since it is mentioned in the
description.
SGI Security Advisory 19981005-01-PX
Christey> DUPE CVE-1999-0210?
Christey> ADDREF CIAC:J-014
Baker> It does look very similar to 1999-0210. Perhaps they should be a single entry
Name: CVE-1999-0089
Description:
Buffer overflow in AIX libDtSvc library can allow local users
to gain root access.
Status: Candidate
Phase: Interim (19990630)
Reference: ERS:ERS-SVA-E01-1997:005.1
Reference: XF:ibm-libDtSvc
Votes:
ACCEPT(2) Northcutt, Shostack
MODIFY(2) Frech, Prosser
RECAST(1) Baker
REVIEWING(1) Christey
Voter Comments:
Frech> Reference: XF:ibm-libDtSvc
Prosser> The overflow is in the dtaction utility. Also affects
dtaction in the CDE on versions of SunOS (SUN 164). Probably should be
specific.
Christey> Same Codebase as CVE-1999-0121, so the two entries should be
merged.
Name: CVE-1999-0092
Description:
Various vulnerabilities in the AIX portmir command allows
local users to obtain root access.
Status: Candidate
Phase: Proposed (19990623)
Reference: ERS:ERS-SVA-E01-1997:006.1
Votes:
ACCEPT(2) Baker, Bollinger
MODIFY(1) Frech
NOOP(1) Ozancin
Voter Comments:
Frech> XF:ibm-portmir
Name: CVE-1999-0098
Description:
Buffer overflow in SMTP HELO command in Sendmail allows a remote
attacker to hide activities.
Status: Candidate
Phase: Proposed (19990726)
Reference: XF:smtp-helo-bo
Votes:
MODIFY(2) Baker, Frech
NOOP(1) Wall
REVIEWING(1) Christey
Voter Comments:
Frech> (Accept XF reference.)
Our references do not mention hiding activities. This issue can crash the
SMTP server or execute arbitrary byte-code. Is there another reference
available?
Christey> Should this be merged with CVE-1999-0284, which is Sendmail
with SMTP HELO?
Christey> BUGTRAQ:19980522 about sendmail 8.8.8 HELO hole
http://marc.theaimsgroup.com/?l=bugtraq&m=90221101925991&w=2
BUGTRAQ:19980527 about sendmail 8.8.8 HELO hole
http://marc.theaimsgroup.com/?l=bugtraq&m=90221101926003&w=2
Baker> Apparently this XF reference is not for this issue, but for the other issue. This should be modified to have the Bugtraq references, and remove the XF reference.
Name: CVE-1999-0104
Description:
A later variation on the Teardrop IP denial of service attack,
a.k.a. Teardrop-2.
Status: Candidate
Phase: Modified (20090302)
Reference: CERT:CA-97.28.Teardrop_Land
Reference: OVAL:oval:org.mitre.oval:def:5743
Reference: URL:http://oval.mitre.org/repository/data/getDef?id=oval:org.mitre.oval:def:5743
Reference: XF:teardrop-mod
Votes:
ACCEPT(2) Frech, Wall
REVIEWING(1) Christey
Voter Comments:
Wall> Another reference is Microsoft Knowledge Base Q179129.
Christey> Not sure how many separate "instances" of Teardrop there are.
See: CVE-1999-0015, CVE-1999-0104, CVE-1999-0257, CVE-1999-0258
Christey> See the SCO advisory at:
http://www.securityfocus.com/templates/advisory.html?id=1411
which may further clarify the issue.
Christey> MSKB:Q179129
http://support.microsoft.com/support/kb/articles/q179/1/29.asp
Christey> MSKB:Q179129
http://support.microsoft.com/support/kb/articles/q179/1/29.asp
Note that the hotfix name is teardrop2, but the keywords
included in the KB article specifically name bonk
(CVE-1999-0258) and boink.
Since teardrop2 was fixed in a slightly different version
(at least in a separate patch) than Teardrop, CD:SF-LOC
suggests keeping them separate.
Christey> Add period to the end of the description.
Name: CVE-1999-0105
Description:
finger allows recursive searches by using a long string of @ symbols.
Status: Candidate
Phase: Proposed (19990726)
Votes:
MODIFY(3) Baker, Frech, Shostack
NOOP(1) Christey
REJECT(1) Northcutt
Voter Comments:
Shostack> fingerD
Frech> XF:finger-bomb
Christey> aka redirection or forwarding requests? (but then might
overlap CVE-1999-0106)
Baker> should change description to indicate the recursive searching can consume enough system resources to cause a DoS.
Name: CVE-1999-0106
Description:
Finger redirection allows finger bombs.
Status: Candidate
Phase: Proposed (19990726)
Votes:
ACCEPT(1) Northcutt
MODIFY(2) Frech, Shostack
RECAST(1) Baker
REVIEWING(1) Christey
Voter Comments:
Shostack> fingerd allows redirection
This is a larger modification, since there are two applications of the
vulnerability, one that I can finger anonymously, and the other that I
can finger bomb anonymously.
Frech> XF:finger-bomb
Christey> need more refs
Baker> This should be merged with 1999-0105
Name: CVE-1999-0107
Description:
Buffer overflow in Apache 1.2.5 and earlier allows a remote attacker
to cause a denial of service with a large number of GET requests
containing a large number of / characters.
Status: Candidate
Phase: Modified (19991223-01)
Reference: XF:apache-dos
Reference: BUGTRAQ:19971230 Apache DoS attack?
Votes:
ACCEPT(1) Baker
MODIFY(1) Frech
NOOP(3) Northcutt, Shostack, Wall
REVIEWING(1) Levy
REVOTE(1) Christey
Voter Comments:
Wall> - Although this is probably the phf hack.
Frech> XF:apache-dos
Christey> This sounds like the incident reported in:
NTBUGTRAQ:20000810 Apache Distributed Denial of Service
Levy> I belive this is the problem where sending lot of HTTP headers to apache resulted on a denial of service.
BUGTRAQ: http://www.securityfocus.com/archive/1/10228
BUGTRAQ: http://www.securityfocus.com/archive/1/10516
Name: CVE-1999-0110
Description:
** REJECT **
DO NOT USE THIS CANDIDATE NUMBER. ConsultIDs: CVE-1999-0315. Reason:
This candidate's original description had a typo that delayed it from
being detected as a duplicate of CVE-1999-0315. Notes: All CVE users
should reference CVE-1999-0315 instead of this candidate. All
references and descriptions in this candidate have been removed to
prevent accidental usage.
Status: Candidate
Phase: Interim (19990810)
Votes:
MODIFY(1) Frech
NOOP(4) Levy, Northcutt, Shostack, Wall
REJECT(3) Baker, Christey, Dik
Voter Comments:
Frech> XF:fdformat-bo
Christey> Duplicate of CVE-1999-0315
Dik> dup
Name: CVE-1999-0114
Description:
Local users can execute commands as other users, and read other users'
files, through the filter command in the Elm elm-2.4 mail package
using a symlink attack.
Status: Candidate
Phase: Modified (20000106-01)
Reference: BUGTRAQ:19990912 elm filter program
Reference: BUGTRAQ:19951226 filter (elm package) security hole
Reference: XF:elm-filter2
Votes:
ACCEPT(7) Armstrong, Bishop, Blake, Cole, Landfield, Shostack, Wall
MODIFY(2) Baker, Frech
NOOP(3) Christey, Northcutt, Ozancin
REVIEWING(1) Levy
Voter Comments:
Frech> XF:elm-filter2
CHANGE> [Wall changed vote from NOOP to ACCEPT]
Landfield> with Frech modifications
Baker> ADD REF http://www.cert.org/ftp/cert_bulletins/VB-95:10a.elm Official Advisory
Christey> The correct URL is http://www.cert.org/vendor_bulletins/VB-95:10a.elm
Need to make sure that this CERT advisory describes the right
problem, especially since the CERT advisory is dated December
18, 1995 and the original Bugtraq post was December 26, 1995.
Christey> BID:1802
URL:http://www.securityfocus.com/bid/1802
BID:1802 doesn't include the 1999 posting - does Security
Focus think that the 1999 post describes a different
vulnerability?
Christey> XF:elm-filter2 isn't on the X-Force web site. How about XF:elm-filter(402) ?
Its references point to the December 26, 1995 BUgtraq post.
Also consider CIAC:G-36 and CERT:VB-95:10
Frech> DELREF:XF:elm-filter2(711)
ADDREF:XF:elm-filter(402)
Name: CVE-1999-0119
Description:
Windows NT 4.0 beta allows users to read and delete shares.
Status: Candidate
Phase: Proposed (19990728)
Votes:
MODIFY(1) Frech
NOOP(2) Baker, Northcutt
REJECT(1) Wall
Voter Comments:
Wall> Reject based on beta copy.
Frech> XF:nt-beta(11)
Reconsider reject, because this beta was in widespread use.
Name: CVE-1999-0121
Description:
Buffer overflow in dtaction command gives root access.
Status: Candidate
Phase: Proposed (19990617)
Reference: SUN:00164
Reference: ERS:ERS-SVA-E01-1997:005.1
Votes:
ACCEPT(2) Dik, Northcutt
MODIFY(3) Baker, Frech, Prosser
REVIEWING(1) Christey
Voter Comments:
Frech> Reference: XF:dtaction-bo
Reference: XF:sun-dtaction
Prosser> Buffer overflow also affects /usr/dt/bin/dtaction in libDtSvc.a
library in AIX 4.x, but reference for this Sun vulnerability should
only reflect the Sun Bulletin or the CIAC I-032 version of the Sun
Bulletin
Christey> This is the Same Codebase as CVE-1999-0089, so the two entries
should be merged.
Frech> Replace sun-dtaction(732) with dtaction-bo(879)
Baker> Merge with 1999-0089
Name: CVE-1999-0123
Description:
Race condition in Linux mailx command allows local users to
read user files.
Status: Candidate
Phase: Modified (20000105-01)
Reference: XF:linux-mailx
Reference: BUGTRAQ:19951222 mailx-5.5 (slackware /bin/mail) security hole
Votes:
ACCEPT(3) Baker, Frech, Ozancin
NOOP(1) Wall
Name: CVE-1999-0127
Description:
swinstall and swmodify commands in SD-UX package in HP-UX systems
allow local users to create or overwrite arbitrary files to gain root
access.
Status: Candidate
Phase: Proposed (19990623)
Reference: CERT:CA-96.27.hp_sw_install
Reference: AUSCERT:AA-96.04
Reference: XF:hpux-swinstall
Votes:
ACCEPT(2) Baker, Prosser
MODIFY(1) Frech
NOOP(1) Christey
Voter Comments:
Frech> (keep current XF: reference, and add)
XF:hpux-sqwmodify
Christey> Perhaps this should be split, per SF-LOC.
Christey> CIAC:H-81
http://ciac.llnl.gov/ciac/bulletins/h-81.shtml
HP:HPSBUX9707-064 references CERT:CA-96.27
http://ciac.llnl.gov/ciac/bulletins/h-81.shtml
The original AUSCERT advisory says that the programs "create
files in an insecure manner" and "Exploit details involving
this vulnerability have been made publicly available." which
leads one to assume that the following original Bugtraq post
provides the details for a standard symlink problem:
BUGTRAQ:19961005 swinst,bug
http://marc.theaimsgroup.com/?l=bugtraq&m=87602167419941&w=2
Name: CVE-1999-0140
Description:
Denial of service in RAS/PPTP on NT systems.
Status: Candidate
Phase: Proposed (19990630)
Votes:
ACCEPT(1) Hill
MODIFY(2) Frech, Meunier
NOOP(1) Baker
REJECT(1) Christey
Voter Comments:
Meunier> Add "pptp invalid packet length in header" to distinguish from other
vulnerabilities in RAS/PPTP on NT systems resulting in DOS, that might be
discovered in the future.
Frech> XF:nt-ras-bo
ONLY IF reference is to MS:MS99-016
Christey> According to my mappings, this is not the MS:MS99-016 problem
referred to by Andre. However, I have yet to dig up a
source.
CHANGE> [Christey changed vote from NOOP to REVIEWING]
CHANGE> [Christey changed vote from REVIEWING to REJECT]
Christey> This is too general to know which problem is being discussed.
More precise candidates should be created.
Christey> Consider adding BID:2111
Name: CVE-1999-0144
Description:
Denial of service in Qmail by specifying a large number of recipients
with the RCPT command.
Status: Candidate
Phase: Modified (20010301-02)
Reference: BUGTRAQ:19970612 qmail-dos-2.c, another denial of service attack
Reference: URL:http://marc.theaimsgroup.com/?l=bugtraq&m=87602558319024&w=2
Reference: BUGTRAQ:19970612 Re: Denial of service (qmail-smtpd)
Reference: URL:http://marc.theaimsgroup.com/?l=bugtraq&m=87602558319029&w=2
Reference: MISC:http://cr.yp.to/qmail/venema.html
Reference: MISC:http://www.ornl.gov/its/archives/mailing-lists/qmail/1997/06/threads.html
Reference: BID:2237
Reference: URL:http://www.securityfocus.com/bid/2237
Reference: XF:qmail-rcpt
Reference: URL:http://xforce.iss.net/static/208.php
Votes:
ACCEPT(4) Baker, Frech, Hill, Meunier
REVIEWING(1) Christey
Voter Comments:
Christey> DUPE CVE-1999-0418 and CVE-1999-0250?
Christey> Dan Bernstein, author of Qmail, says that this is not a
vulnerability in qmail because Unix has built-in resource
limits that can restrict the size of a qmail process; other
limits can be specified by the administrator. See
http://cr.yp.to/qmail/venema.html
Significant discussion of this issue took place on the qmail
list. The fundamental question appears to be whether
application software should set its own limits, or rely
on limits set by the parent operating system (in this case,
UNIX). Also, some people said that the only problem was that
the suggested configuration was not well documented, but this
was refuted by others.
See the following threads at
http://www.ornl.gov/its/archives/mailing-lists/qmail/1997/06/threads.html
"Denial of service (qmail-smtpd)"
"qmail-dos-2.c, another denial of service"
"[PATCH] denial of service"
"just another qmail denial-of-service"
"the UNIX way"
"Time for a reality check"
Also see Bugtraq threads on a different vulnerability that
is related to this topic:
BUGTRAQ:19990903 Web servers / possible DOS Attack / mime header flooding
http://archives.neohapsis.com/archives/bugtraq/1998_3/0742.html
Baker> http://cr.yp.to/qmail/venema.html
Berstein rejects this as a vulnerability, claiming this is a slander campaign by Wietse Venema.
His page states this is not a qmail problem, rather it is a UNIX problem
that many apps can consume all available memory, and that the administrator
is responsible to set limits in the OS, rather than expect applications to
individually prevent memory exhaustion. CAN 1999-0250 does appear to
be a duplicate of this entry, based on the research I have done so far.
There were two different bugtraq postings, but the second one references
the first, stating that the new exploit uses perl instead of shell scripting
to accomplish the same attack/exploit.
Baker> http://www.securityfocus.com/archive/1/6970
http://www.securityfocus.com/archive/1/6969
http://cr.yp.to/qmail/venema.html
Should probably reject CVE-1999-0250, and add these references to this
Candidate.
Baker> http://www.securityfocus.com/bid/2237
CHANGE> [Baker changed vote from REVIEWING to ACCEPT]
Christey> qmail-dos-1.c, as published by Wietse Venema (CVE-1999-0250)
in "BUGTRAQ:19970612 Denial of service (qmail-smtpd)", does not
use any RCPT commands. Instead, it sends long strings
of "X" characters. A followup by "super@UFO.ORG" includes
an exploit that claims to do the same thing; however, that
exploit does not send long strings of X characters - it sends
a large number of RCPT commands. It appears that super@ufo.org
followed up to the wrong message.
NOTE: the ufo.org domain was purchased by another party in
2003, so the current owner is not associated with any
statements by "super@ufo.org" that were made before 2003.
qmail-dos-2.c, as published by Wietse Venema (CVE-1999-0144)
in "BUGTRAQ:19970612 qmail-dos-2.c, another denial of service attack"
sends a large number of RCPT commands.
ADDREF BID:2237
ADDREF BUGTRAQ:19970612 qmail-dos-2.c, another denial of service attack
ADDREF BUGTRAQ:19970612 Re: Denial of service (qmail-smtpd)
Also see a related thread:
BUGTRAQ:19990308 SMTP server account probing
http://marc.theaimsgroup.com/?l=bugtraq&m=92100018214316&w=2
This also describes a problem with mail servers not being able
to handle too many "RCPT TO" requests. A followup message
notes that application-level protection is used in Sendmail
to prevent this:
BUGTRAQ:19990309 Re: SMTP server account probing
http://marc.theaimsgroup.com/?l=bugtraq&m=92101584629263&w=2
The person further says, "This attack can easily be
prevented with configuration methods."
Name: CVE-1999-0154
Description:
IIS 2.0 and 3.0 allows remote attackers to read the source code for
ASP pages by appending a . (dot) to the end of the URL.
Status: Candidate
Phase: Proposed (20010912)
Reference: MSKB:Q163485
Reference: MSKB:Q164059
Reference: BUGTRAQ:19970220 ! [ADVISORY] Major Security Hole in MS ASP
Reference: XF:http-iis-aspdot
Reference: XF:http-iis-aspsource
Votes:
ACCEPT(4) Foat, Frech, Stracener, Wall
NOOP(3) Baker, Christey, Cole
Voter Comments:
Christey> This is the precursor to the problem that is identified in
CVE-1999-0253.
Christey> CIAC:H-48
URL:http://ciac.llnl.gov/ciac/bulletins/h-48.shtml
CHANGE> [Foat changed vote from NOOP to ACCEPT]
Name: CVE-1999-0156
Description:
wu-ftpd FTP daemon allows any user and password combination.
Status: Candidate
Phase: Proposed (19990714)
Reference: XF:ftp-pwless
Votes:
ACCEPT(2) Northcutt, Shostack
NOOP(1) Baker
RECAST(1) Frech
REVIEWING(2) Christey, Prosser
Voter Comments:
Prosser> but so far can find no reference to this one
Frech> Our records indicate that this does not necessarly affect just wu-ftp (ie,
also affects IIS FTP server).
Christey> The references for XF:ftp-pwless are not specific enough,
e.g. in terms of version numbers. Perhaps this candidate
should be rejected due to insufficient information.
Name: CVE-1999-0163
Description:
In older versions of Sendmail, an attacker could use a pipe character
to execute root commands.
Status: Candidate
Phase: Proposed (19990714)
Reference: XF:smtp-pipe
Votes:
ACCEPT(2) Frech, Northcutt
MODIFY(1) Prosser
NOOP(2) Baker, Christey
RECAST(1) Shostack
Voter Comments:
Shostack> there was a 'To: |' and a 'From: |' attack, which I
think are seperate.
Prosser> older vulnerability, but one additional reference is-
The Ultimate Sendmail Hole List by Markus Hübner @
bau2.uibk.ac.at/matic/buglist.htm
'|PROGRAM '
Christey> Description needs to be more specific to distinguish between
this and CVE-1999-0203, as alluded to by Adam Shostack
Name: CVE-1999-0165
Description:
NFS cache poisoning.
Status: Candidate
Phase: Modified (20040811)
Reference: XF:nfs-cache
Votes:
ACCEPT(3) Baker, Frech, Northcutt
MODIFY(1) Shostack
NOOP(1) Prosser
REVIEWING(1) Christey
Voter Comments:
Shostack> need more data
Christey> need more refs
Christey> Add period to the end of the description.
Name: CVE-1999-0169
Description:
NFS allows attackers to read and write any file on the system by
specifying a false UID.
Status: Candidate
Phase: Proposed (19990714)
Reference: XF:nfs-uid
Votes:
ACCEPT(2) Frech, Northcutt
MODIFY(1) Baker
REJECT(1) Shostack
Voter Comments:
Shostack> this is not a vulnerability but a design feature.
Baker> Maybe we should reword it so that it is clear that this was a problem to something like:
"A remote attacker could read/write files to the system with root-level permissions on NFS servers that fail to properly check the UID."
Name: CVE-1999-0171
Description:
Denial of service in syslog by sending it a large number of
superfluous messages.
Status: Candidate
Phase: Proposed (19990714)
Reference: XF:syslog-flood
Votes:
ACCEPT(2) Frech, Northcutt
NOOP(1) Baker
REJECT(2) Christey, Shostack
Voter Comments:
Shostack> design issue, not a vulnerability. Alternately, add:
DOS on server by opening a large number of telnet sessions..
Christey> Duplicate of CVE-1999-0566
Name: CVE-1999-0186
Description:
In Solaris, an SNMP subagent has a default community string that allows remote
attackers to execute arbitrary commands as root, or modify system
parameters.
Status: Candidate
Phase: Modified (20071119)
Reference: CONFIRM:http://support.novell.com/cgi-bin/search/searchtid.cgi?/10080762.htm
Reference: SUN:00178
Reference: XF:snmp-backdoor-access
Votes:
ACCEPT(2) Baker, Dik
MODIFY(1) Frech
NOOP(1) Wall
REVIEWING(1) Christey
Voter Comments:
Frech> Change XF:snmp-backdoor-access to XF:sol-hidden-commstr
Add ISS:Hidden Community String in SNMP Implementation
Christey> What is the proper level of abstraction to use here? Should
we have a separate entry for each different default community
string? See:
http://cve.mitre.org/Board_Sponsors/archives/msg00242.html and
http://cve.mitre.org/Board_Sponsors/archives/msg00250.html
http://cve.mitre.org/Board_Sponsors/archives/msg00251.html
Until the associated content decisions have been approved
by the Editorial Board, this candidate cannot be accepted
for inclusion in CVE.
Christey> ADDREF BID:177
Christey> ISS:19981102 Hidden community string in SNMP implementation
http://xforce.iss.net/alerts/advise11.php
Change description to include "hidden"
Christey> XF:snmp-backdoor-access is missing.
Name: CVE-1999-0187
Description:
** REJECT **
DO NOT USE THIS CANDIDATE NUMBER. ConsultIDs: CVE-1999-0022. Reason:
This candidate is a duplicate of CVE-1999-0022. Notes: All CVE users
should reference CVE-1999-0022 instead of this candidate. All
references and descriptions in this candidate have been removed to
prevent accidental usage.
Status: Candidate
Phase: Modified (20050204)
Votes:
ACCEPT(2) Hill, Northcutt
RECAST(3) Baker, Frech, Prosser
REJECT(1) Dik
REVIEWING(1) Christey
Voter Comments:
Prosser> The Sun Patches in Ref roll-up fixes for an earlier BO in
rdist lookup( )(ref CERT 96.14)as well as the BO in rdist function expstr()
(ref CERT 97-23) and various vendor bulletins. However both of these rdist
BO's affect many more OSs than just Sun, i.e., BSD/OS 2.1, DEC OSF's, AIX,
FreeBSD, SCO, SGI, etc. Believe this falls into the SF-codebase content
decision
Frech> XF:rdist-bo (error msg formation)
XF:rdist-bo2 (execute code)
XF:rdist-bo3 (execute user-created code)
XF:rdist-sept97 (root from local)
Christey> Duplicate of CVE-1999-0022 (SUN:00179 is referenced in
CERT:CA-97.23.rdist), but as Mike and Andre noted, there
are multiple flaws here, so a RECAST may be necessary.
Dik> As currently phrasedm thissa duplicate of CVE-1999-0022
Baker> Based on our new philosophy, this should be recast/merged or re-described.
Name: CVE-1999-0193
Description:
Denial of service in Ascend and 3com routers, which can be rebooted by
sending a zero length TCP option.
Status: Candidate
Phase: Proposed (19990714)
Votes:
ACCEPT(5) Bishop, Cole, Northcutt, Ozancin, Shostack
MODIFY(2) Baker, Blake
NOOP(4) Armstrong, Frech, Landfield, Wall
REVIEWING(2) Christey, Levy
Voter Comments:
Frech> possibly XF:ascend-kill
I can't find a reference that lists both routers in the same reference.
Wall> Comment: There is a reference about the zero length TCP option in BugTraq on
Feb 5, 1999
and it mentions Cisco, but not directly Ascend or 3Com. CIAC Advisory I-038
mentions
vulnerabilities in Ascend, but does not mention TCP. CIAC Advisory I-052
mentions
3Com vulnerabilities, but not TCP. Too confusing withour better references.
Landfield> What are the references for this ? I cannot find a means to check it out.
CHANGE> [Frech changed vote from REVIEWING to NOOP]
Frech> Cannot reconcile to our database without further references.
Blake> I'm with Andre. I only remember and can find reference to the Ascend
issue. Do we have a refernce to the 3Coms? If not, that should be
removed from the description.
Baker> http://xforce.iss.net/static/614.php Misc Defensive Info
http://www.securityfocus.com/archive/1/5682 Misc Offensive Info
http://www.securityfocus.com/archive/1/5647 Misc Defensive Info
http://www.securityfocus.com/archive/1/5640 Misc Defensive Info
CHANGE> [Armstrong changed vote from REVIEWING to NOOP]
Name: CVE-1999-0195
Description:
Denial of service in RPC portmapper allows attackers to register or
unregister RPC services or spoof RPC services using a spoofed source
IP address such as 127.0.0.1.
Status: Candidate
Phase: Modified (19991130-01)
Reference: BUGTRAQ:19990128 rpcbind: deceive, enveigle and obfuscate
Votes:
ACCEPT(2) Balinsky, Shostack
MODIFY(1) Frech
NOOP(3) Baker, Northcutt, Wall
REVIEWING(2) Christey, Levy
Voter Comments:
Frech> XF:rpcbind-spoof
Christey> CVE-1999-0195 = CVE-1999-0461 ?
If this is approved over CVE-1999-0461, make sure it gets
XF:pmap-sset
Name: CVE-1999-0197
Description:
finger 0@host on some systems may print information on some user accounts.
Status: Candidate
Phase: Proposed (19990726)
Votes:
ACCEPT(1) Baker
MODIFY(2) Frech, Shostack
REJECT(1) Northcutt
Voter Comments:
Shostack> fingerd may respond to 'finger 0@host' with account info
Frech> Need more reference to establish this 'exposure'.
CHANGE> [Frech changed vote from REVIEWING to MODIFY]
Frech> XF:finger-unused-accounts(8378)
We're entering it into our database solely to track
competition. The only references seem to be product listings:
http://hq.mcafeeasap.com/vulnerabilities/vuln_data/1000.asp (1002
Finger 0@host check)
http://www.ipnsa.com/ipnsa_vuln.htm?step=1000 (Finger 0@host check)
http://cgi.nessus.org/plugins/dump.php3?id=10069 (Finger zero at host
feature)
Name: CVE-1999-0198
Description:
finger .@host on some systems may print information on some user accounts.
Status: Candidate
Phase: Proposed (19990726)
Votes:
ACCEPT(1) Baker
MODIFY(2) Frech, Shostack
REJECT(1) Northcutt
Voter Comments:
Shostack> as above
Frech> Need more reference to establish this 'exposure'.
CHANGE> [Frech changed vote from REVIEWING to MODIFY]
Frech> XF:finger-unused-accounts(8378)
We're entering it into our database solely to track
competition. The only references seem to be product listings:
http://hq.mcafeeasap.com/vulnerabilities/vuln_data/1000.asp (1004
Finger .@target-host check)
http://www.ipnsa.com/ipnsa_vuln.htm?step=1000 (Finger .@target-host
check )
http://cgi.nessus.org/plugins/dump.php3?id=10072 (Finger dot at host
feature)
Name: CVE-1999-0200
Description:
Windows NT FTP server (WFTP) with the guest account enabled without a
password allows an attacker to log into the FTP server using any
username and password.
Status: Candidate
Phase: Modified (19991130-01)
Reference: MSKB:Q137853
Votes:
ACCEPT(1) Baker
MODIFY(2) Frech, Shostack
NOOP(2) Northcutt, Wall
REJECT(1) Christey
REVIEWING(1) Levy
Voter Comments:
Shostack> WFTP is not sufficient; is this wu-, ws-, war-, or another?
Frech> Other have mentioned this before, but it may be WU-FTP.
POSSIBLY XF:ftp-exec; does this have to do with the Site Exec allowing root
access without anon FTP or a regular account?
POSSIBLY XF:wu-ftpd-exec;same as above conditions, but instead from a
non-anon FTP account and gain root privs.
Christey> added MSKB reference
CHANGE> [Christey changed vote from REVOTE to REJECT]
Christey> The MSKB article may have confused things even more. There
were reports of problems in a Windows-based FTP server called
WFTP (http://www.wftpd.com/) that is not a Microsft FTP
server. It's best to just kill this candidate where it
stands and start fresh.
Name: CVE-1999-0205
Description:
Denial of service in Sendmail 8.6.11 and 8.6.12.
Status: Candidate
Phase: Modified (19990925-01)
Reference: BUGTRAQ:19990708 SM 8.6.12
Votes:
ACCEPT(2) Hill, Northcutt
MODIFY(2) Frech, Prosser
NOOP(1) Baker
REVIEWING(2) Christey, Ozancin
Voter Comments:
Frech> XF:sendmail-alias-dos
Prosser> additional source
Bugtraq
"Re: SM 8.6.12"
http://www.securityfocus.com
Christey> The Bugtraq thread does not provide any proof, including a
comment by Eric Allman that he hadn't been provided any
details either.
See http://www.securityfocus.com/templates/archive.pike?list=1&date=1995-07-8&thread=199507131402.KAA02492@bedbugs.net.ohio-state.edu
for the thread.
Christey> Change Bugtraq reference date to 19950708.
Name: CVE-1999-0213
Description:
libnsl in Solaris allowed an attacker to perform a denial of service
of rpcbind.
Status: Candidate
Phase: Modified (20001009-01)
Reference: XF:sun-libnsl
Reference: SUNBUG:4305859
Votes:
ACCEPT(6) Blake, Cole, Dik, Hill, Landfield, Ozancin
MODIFY(3) Baker, Frech, Levy
NOOP(4) Armstrong, Bishop, Meunier, Wall
REVIEWING(1) Christey
Voter Comments:
Frech> XF:sun-libnsl
Dik> Sun bug #4305859
Baker> http://xforce.iss.net/static/1204.php Misc Defensive Info
http://sunsolve.sun.com/pub-cgi/retrieve.pl?doctype=coll&doc=secbull/172&type=0&nav=sec.sba Vendor Info
http://www-1.ibm.com/services/continuity/recover1.nsf/advisories/A1050E354364BF498525680F0077E414/$file/ERS-OAR-E01-1998_074_1.txt Vendor Info
http://www.securityfocus.com/archive/1/9749 Misc Defensive Info
Christey> I don't think this is the bug that everyone thinks it is.
This candidate came from CyberCop Scanner 2.4/2.5, which
only reports this as a DoS problem. If SUN:00172 is an
advisory for this, then it may be a duplicate of
CVE-1999-0055. There appears to be overlap with other
references as well. HOWEVER, this particular one deals with a
DoS in rpcbind - which isn't mentioned in the sources for
CVE-1999-0055.
Levy> BID 148
Name: CVE-1999-0216
Description:
Denial of service of inetd on Linux through SYN and RST packets.
Status: Candidate
Phase: Modified (19991203-01)
Reference: BUGTRAQ:19971130 Linux inetd..
Reference: XF:linux-inetd-dos
Reference: HP:HPSBUX9803-077
Reference: XF:hp-inetd
Votes:
ACCEPT(1) Hill
MODIFY(2) Baker, Frech
RECAST(1) Meunier
Voter Comments:
Meunier> The location of the vulnerability, whether in the Linux kernel or the
application, is debatable. Any program making the same (reasonnable)
assumption is vulnerable, i.e., implements the same vulnerability:
"Assumption that TCP-three-way handshake is complete after calling Linux
kernel function accept(), which returns socket after getting SYN. Result
is process death by SIGPIPE"
Moreover, whether it results in DOS (to third parties) depends on the
process that made the assumption.
I think that the present entry should be split, one entry for every
application that implements the vulnerability (really describing threat
instances, which is what other people think about when we talk about
vulnerabilities), and one entry for the Linux kernel that allows the
vulnerability to happen.
Frech> XF:hp-inetd
XF:linux-inetd-dos
Baker> Since we have an hpux bulletin, the description should not specifically say Linux, should it? It applies to mulitple OS and should be likely either modified, or in extreme case, recast
Name: CVE-1999-0220
Description:
Attackers can do a denial of service of IRC by crashing the server.
Status: Candidate
Phase: Proposed (19990728)
Votes:
NOOP(2) Baker, Northcutt
REJECT(2) Christey, Frech
Voter Comments:
Frech> Would reconsider if any references were available.
Christey> No references available, combined with extremely vague
description, equals REJECT.
Name: CVE-1999-0222
Description:
Denial of service in Cisco IOS web server allows attackers to reboot
the router using a long URL.
Status: Candidate
Phase: Proposed (19990714)
Votes:
ACCEPT(1) Baker
MODIFY(3) Frech, Levy, Shostack
NOOP(3) Balinsky, Northcutt, Wall
RECAST(1) Ziese
REJECT(1) Christey
Voter Comments:
Shostack> I follow cisco announcements and problems pretty closely, and haven't
seen this. Source?
Frech> XF:cisco-web-crash
Christey> XF:cisco-web-crash has no additional references. I can't find
any references in Bugtraq or Cisco either. This bug is
supposedly tested by at least one security product, but that
product's database doesn't have any references either. So
a question becomes, how did it make it into at least two
security companies' databases?
Levy> BUGTGRAQ: http://www.securityfocus.com/archive/1/60159
BID 1154
Ziese> The vulnerability is addressed by a vendor acknowledgement. This one, if
recast to reflect that "...after using a long url..." should be replaced
with
"...A defect in multiple releases of Cisco IOS software will cause a Cisco
router or switch to halt and reload if the IOS HTTP service is enabled,
browsing to "http://router-ip/anytext?/" is attempted, and the enable
password is supplied when requested. This defect can be exploited to produce
a denial of service (DoS) attack."
Then I can accept this and mark it as "Verfied by my Company". If it can't
be recast because this (long uri) is diffferent then our release (special
url construction).
CHANGE> [Christey changed vote from REVIEWING to REJECT]
Christey> Elias Levy's suggested reference is CVE-2000-0380.
I don't think that Kevin's description is really addressing
this either. The lack of references and a specific
description make this candidate unusable, so it should be
rejected.
Name: CVE-1999-0226
Description:
Windows NT TCP/IP processes fragmented IP packets improperly, causing
a denial of service.
Status: Candidate
Phase: Proposed (19990728)
Votes:
ACCEPT(1) Northcutt
MODIFY(1) Frech
NOOP(1) Baker
REJECT(1) Christey
Voter Comments:
Christey> Too general, and no references.
Frech> XF:nt-frag(528)
See reference from BugTraq Mailing List, "A New Fragmentation Attack" at
http://www.securityfocus.com/templates/archive.pike?list=1&date=1997-07-8&ms
g=Pine.SUN.3.94.970710054440.11707A-100000@dfw.dfw.net
Name: CVE-1999-0229
Description:
Denial of service in Windows NT IIS server using ..\..
Status: Candidate
Phase: Modified (19991228-02)
Reference: MSKB:Q115052
Votes:
ACCEPT(2) Baker, Shostack
MODIFY(2) Frech, Wall
NOOP(1) Northcutt
REJECT(1) Christey
REVIEWING(1) Levy
Voter Comments:
Wall> Denial of service in Windows NT IIS Server 1.0 using ..\...
Source: Microsoft Knowledge Base Article Q115052 - IIS Server.
Frech> XF:http-dotdot (not necessarily IIS?)
Christey> DELREF XF:http-dotdot - it deals with a read/access dot dot
problem.
Christey> This actually looks like XF:iis-dot-dot-crash(1638)
http://xforce.iss.net/static/1638.php
If so, include the version number (2.0)
CHANGE> [Christey changed vote from REVOTE to REJECT]
Christey> Bill Wall intended to suggest Q155052, but the affected
IIS version there is 1.0; the effect is to read files,
so this sounds like a directory traversal problem,
instead of an inability to process certain strings.
As a result, this candidate is too general, since it could
apply to 2 different problems, so it should be REJECTed.
Christey> Consider adding BID:2218
Name: CVE-1999-0231
Description:
Buffer overflow in IP-Switch IMail and Seattle Labs Slmail 2.6
packages using a long VRFY command, causing a denial of service and
possibly remote access.
Status: Candidate
Phase: Modified (19991207-01)
Reference: BUGTRAQ:19990317 Re: SLMail 2.6 DoS - Imail also
Votes:
ACCEPT(2) Baker, Levy
NOOP(3) Christey, Landfield, Northcutt
RECAST(1) Frech
REVIEWING(1) Ozancin
Voter Comments:
Frech> XF:slmail-vrfyexpn-overflow (for Slmail v3.2 and below)
XF:smtp-vrfy-bo (many mail packages)
Northcutt> (There is no way I will have access to these systems)
Christey> Some sources report that VRFY and EXPN are both affected.
Name: CVE-1999-0232
Description:
Buffer overflow in NCSA WebServer (version 1.5c) gives remote access.
Status: Candidate
Phase: Modified (19991220-01)
Votes:
ACCEPT(2) Hill, Northcutt
MODIFY(1) Frech
NOOP(1) Prosser
REJECT(1) Baker
REVIEWING(1) Christey
Voter Comments:
Frech> Unable to provide a match due to vague/insufficient description/references.
Possible matches are:
XF:ftp-ncsa (probably not, considering you've mentioned the webserver.)
XF:http-ncsa-longurl (highest probability)
Christey> CVE-1999-0235 is the one associated with XF:http-ncsa-longurl
More research is necessary for this one.
Baker> Since this has no references at all, and is vague and we have a
CAN for the most likely issue, we should kill this one
Name: CVE-1999-0235
Description:
Buffer overflow in NCSA WebServer (1.4.1 and below) gives remote access.
Status: Candidate
Phase: Modified (19991220-01)
Reference: CERT:CA-95:04
Reference: CIAC:F-11
Votes:
ACCEPT(3) Hill, Northcutt, Prosser
MODIFY(1) Frech
REJECT(2) Baker, Christey
Voter Comments:
Frech> XF:http-ncsa-longurl
Christey> CVE-1999-0235 has the same ref's as CVE-1999-0267
Baker> Not to mention, the X-force listings of http-ncsa-longurl and http-port both
refer to the same problem. This should be rejected as 1999-0267 is the same problem.
Name: CVE-1999-0238
Description:
php.cgi allows attackers to read any file on the system.
Status: Candidate
Phase: Proposed (19990623)
Reference: XF:http-cgi-phpfileread
Votes:
ACCEPT(5) Baker, Collins, Frech, Northcutt, Prosser
NOOP(1) Christey
Voter Comments:
Prosser> additional source
AUSCERT External Security Bulletin ESB-97.047
http://www.auscert.org.au
Christey> ADDREF BUGTRAQ:19970416 Update on PHP/FI hole
URL:http://www.dataguard.no/bugtraq/1997_2/0069.html
The attacker specifies the filename as an argument to the
program.
Add "PHP/FI" to description to facilitate search.
AUSCERT URL is ftp://ftp.auscert.org.au/pub/auscert/ESB/ESB-97.047
Christey> Consider adding BID:2250
Name: CVE-1999-0240
Description:
Some filters or firewalls allow fragmented SYN packets with IP
reserved bits in violation of their implemented policy.
Status: Candidate
Phase: Proposed (19990728)
Votes:
ACCEPT(1) Northcutt
NOOP(1) Baker
REJECT(1) Frech
Voter Comments:
Frech> Would reconsider if any references were available.
Name: CVE-1999-0241
Description:
Guessable magic cookies in X Windows allows remote attackers to
execute commands, e.g. through xterm.
Status: Candidate
Phase: Modified (19990925-01)
Reference: XF:http-xguess-cookie
Votes:
ACCEPT(3) Hill, Northcutt, Proctor
MODIFY(2) Frech, Prosser
NOOP(1) Baker
REVIEWING(1) Christey
Voter Comments:
Frech> Also add to references:
XF:sol-mkcookie
Prosser> additional source
Bugtraq
"X11 cookie hijacker"
http://www.securityfocus.com
Christey> The cookie hijacker thread has to do with stealing cookies
through a file with bad permissions. I'm not sure the
X-Force reference identifies this problem either.
Christey> CIAC:G-04
URL:http://ciac.llnl.gov/ciac/bulletins/g-04.shtml
SGI:19960601-01-I
URL:ftp://patches.sgi.com/support/free/security/advisories/19960601-01-I
CERT:VB-95:08
Name: CVE-1999-0242
Description:
Remote attackers can access mail files via POP3 in some Linux systems
that are using shadow passwords.
Status: Candidate
Phase: Modified (20000106-01)
Reference: BUGTRAQ:19951222 mailx-5.5 (slackware /bin/mail) security hole
Reference: XF:linux-pop3d
Votes:
ACCEPT(1) Baker
MODIFY(1) Frech
NOOP(4) Christey, Northcutt, Shostack, Wall
REVIEWING(1) Levy
Voter Comments:
Frech> Ambiguous description: need more detail. Possibly:
XF:linux-pop3d (mktemp() leads to reading e-mail)
Christey> At first glance this might look like CVE-1999-0123 or
CVE-1999-0125, however this particular candidate arises out
of a brief mention of the problem in a larger posting which
discusses CVE-1999-0123 (which may be the same bug as
CVE-1999-0125). See the following phrase in the Bugtraq
post: "one such example of this is in.pop3d"
However, the original source of this candidate's description
explicitly mentions shadowed passwords, though it has no
references to help out here.
Name: CVE-1999-0243
Description:
Linux cfingerd could be exploited to gain root access.
Status: Candidate
Phase: Proposed (19990714)
Votes:
ACCEPT(1) Shostack
NOOP(4) Baker, Levy, Northcutt, Wall
REJECT(2) Christey, Frech
Voter Comments:
Christey> This has no sources; neither does the original database that
this entry came from. It's a likely duplicate of
CVE-1999-0813.
Frech> I disagree on the dupe; see Linux-Security Mailing List,
"[linux-security] Cfinger (Yet more :)" at
http://www.geocrawler.com/archives/3/92/1996/9/0/2217716/. Seems as
if v1.2.3 is vulnerable, perhaps 1.3.0 also. CVE-1999-0813 pertains
to 1.4.x and below and shows up two years later.
CHANGE> [Frech changed vote from REVIEWING to REJECT]
Frech> If the reference I previously supplied is correct, then
it appears as if the poster modified the source using authorized
access to make it vulnerable. Modifying the source in this manner
does not qualify as being listed a vulnerability.
I disagree on the dupe; see Linux-Security Mailing List,
"[linux-security] Cfinger (Yet more :)" at
http://www.geocrawler.com/archives/3/92/1996/9/0/2217716/. Seems as
if v1.2.3 is vulnerable, perhaps 1.3.0 also. CVE-1999-0813 pertains
to 1.4.x and below and shows up two years later.
Name: CVE-1999-0246
Description:
HP Remote Watch allows a remote user to gain root access.
Status: Candidate
Phase: Proposed (19990630)
Reference: XF:hp-remote
Votes:
ACCEPT(4) Frech, Hill, Northcutt, Prosser
NOOP(1) Baker
RECAST(1) Christey
Voter Comments:
Frech> Comment: Determine if it's RemoteWatch or Remote Watch.
Christey> HP:HPSBUX9610-039 alludes to multiple vulnerabilities in
Remote Watch (the advisory uses two words, not one, for the
"Remote Watch" name)
ADDREF BUGTRAQ:19961015 HP/UX Remote Watch (was Re: BoS: SOD remote exploit)
URL:http://www.securityfocus.com/templates/archive.pike?list=1&msg=199610151351.JAA18241@grymoire.crd.ge.com
Prosser> agree that the advisory mentions two vulnerabilities in Remote
Watch, one being a socket connection and other with the showdisk utility
which seems to be a suid vulnerability. Never get much details on this
anywhere since the recommendation is to remove the program since it is
obsolete and superceded by later tools. Believe the biggest concern here is
to just not run the tool at all.
Christey> CIAC:H-16
Also, http://www.cert.org/vendor_bulletins/VB-96.20.hp
And possibly AUSCERT:AA-96.07 at
ftp://ftp.auscert.org.au/pub/auscert/advisory/AA-96.07.HP-UX.Remote.Watch.vul
Christey> Also BUGTRAQ:19961013 BoS: SOD remote exploit
http://marc.theaimsgroup.com/?l=bugtraq&m=87602167419969&w=2
Include "remwatch" in the description to facilitate search.
Name: CVE-1999-0249
Description:
Windows NT RSHSVC program allows remote users to execute arbitrary
commands.
Status: Candidate
Phase: Proposed (19990714)
Votes:
ACCEPT(1) Baker
MODIFY(2) Frech, Wall
NOOP(2) Northcutt, Shostack
RECAST(1) Christey
REVIEWING(1) Levy
Voter Comments:
Wall> Windows NT Rshsvc.exe from the Windows NT Resource Kit allows
remote
users to execute arbitrary commands.
Source: rshsvc.txt from the Windows NT Resource Kit.
Frech> XF:rsh-svc
Christey> MSKB:Q158320, last reviewed in January 1999, refers to a case
where remote users coming from authorized machines are
allowed access regardless of what .rhosts says. XF:rsh-svc
refers to a bug circa 1997 where any remote entity could
execute commands as system.
Name: CVE-1999-0250
Description:
Denial of service in Qmail through long SMTP commands.
Status: Candidate
Phase: Modified (20010301-01)
Reference: BUGTRAQ:19970612 qmail-dos-2.c, another denial of service attack
Reference: URL:http://marc.theaimsgroup.com/?l=bugtraq&m=87602558319024&w=2
Reference: MISC:http://cr.yp.to/qmail/venema.html
Reference: MISC:http://www.ornl.gov/its/archives/mailing-lists/qmail/1997/06/threads.html
Reference: XF:qmail-leng
Votes:
ACCEPT(2) Hill, Meunier
MODIFY(1) Frech
REJECT(1) Baker
REVIEWING(1) Christey
Voter Comments:
Frech> XF:qmail-rcpt
Christey> DUPE CVE-1999-0418 and CVE-1999-0144?
Christey> Dan Bernstein, author of Qmail, says that this is not a
vulnerability in qmail because Unix has built-in resource
limits that can restrict the size of a qmail process; other
limits can be specified by the administrator. See
http://cr.yp.to/qmail/venema.html
Significant discussion of this issue took place on the qmail
list. The fundamental question appears to be whether
application software should set its own limits, or rely
on limits set by the parent operating system (in this case,
UNIX). Also, some people said that the only problem was that
the suggested configuration was not well documented, but this
was refuted by others.
See the following threads at
http://www.ornl.gov/its/archives/mailing-lists/qmail/1997/06/threads.html
"Denial of service (qmail-smtpd)"
"qmail-dos-2.c, another denial of service"
"[PATCH] denial of service"
"just another qmail denial-of-service"
"the UNIX way"
"Time for a reality check"
Also see Bugtraq threads on a different vulnerability that
is related to this topic:
BUGTRAQ:19990903 Web servers / possible DOS Attack / mime header flooding
http://archives.neohapsis.com/archives/bugtraq/1998_3/0742.html
Baker> This appears to be the same vulnerability listed in CAN 1999-0144. In reading
through both bugtraq postings, the one that is referenced by 0144 is
based on a shell code exploit to cause memory exhaustion. The bugtraq
posting referenced by this entry refers explicitly to the prior
posting for 0144, and states that the same effect could be
accomplished by a perl exploit, which was then attached.
Baker> http://www.securityfocus.com/archive/1/6969 CVE-1999-0144
http://www.securityfocus.com/archive/1/6970 CVE-1999-0250
Both references should be added to CVE-1999-0144, and CVE-1999-0250
should likely be rejected.
CHANGE> [Baker changed vote from REVIEWING to REJECT]
Christey> XF:qmail-leng no longer exists; check with Andre to see if they
regarded it as a duplicate as well.
qmail-dos-1.c, as published by Wietse Venema (CVE-1999-0250)
in "BUGTRAQ:19970612 Denial of service (qmail-smtpd)", does not
use any RCPT commands. Instead, it sends long strings
of "X" characters. A followup by "super@UFO.ORG" includes
an exploit that claims to do the same thing; however, that
exploit does not send long strings of X characters - it sends
a large number of RCPT commands. It appears that super@ufo.org
followed up to the wrong message.
qmail-dos-2.c, as published by Wietse Venema (CVE-1999-0144)
in "BUGTRAQ:19970612 qmail-dos-2.c, another denial of service attack"
sends a large number of RCPT commands.
ADDREF BUGTRAQ:19970612 Denial of service (qmail-smtpd)
ADDREF BUGTRAQ:19970612 qmail-dos-2.c, another denial of service attack
Also see a related thread:
BUGTRAQ:19990308 SMTP server account probing
http://marc.theaimsgroup.com/?l=bugtraq&m=92100018214316&w=2
This also describes a problem with mail servers not being able
to handle too many "RCPT TO" requests. A followup message
notes that application-level protection is used in Sendmail
to prevent this:
BUGTRAQ:19990309 Re: SMTP server account probing
http://marc.theaimsgroup.com/?l=bugtraq&m=92101584629263&w=2
The person further says, "This attack can easily be
prevented with configuration methods."
Name: CVE-1999-0253
Description:
IIS 3.0 with the iis-fix hotfix installed allows remote intruders to
read source code for ASP programs by using a %2e instead of a . (dot)
in the URL.
Status: Candidate
Phase: Modified (20000106-01)
Reference: XF:http-iis-2e
Reference: L0PHT:19970319
Votes:
ACCEPT(9) Armstrong, Baker, Bishop, Blake, Cole, Collins, Frech, Landfield, Northcutt
MODIFY(1) LeBlanc
NOOP(3) Ozancin, Prosser, Wall
REVIEWING(1) Christey
Voter Comments:
Christey> This is a problem that was introduced after patching a
previous dot bug with the iis-fix hotfix (see CVE-1999-0154).
Since the hotfix introduced the problem, this should be
treated as a seaprate issue.
Wall> Agree with the comment.
LeBlanc> - this one is so old, I don't remember it at all and can't verify or
deny the issue. If you can find some documentation that says we fixed it (KB
article, hotfix, something), then I would change this to ACCEPT
CHANGE> [Christey changed vote from NOOP to REVIEWING]
Christey> BID:1814
URL:http://www.securityfocus.com/bid/1814
Name: CVE-1999-0254
Description:
A hidden SNMP community string in HP OpenView allows remote attackers
to modify MIB tables and obtain sensitive information.
Status: Candidate
Phase: Proposed (19990726)
Reference: ISS:Hidden SNMP community in HP OpenView
Reference: XF:hpov-hidden-snmp-comm
Votes:
ACCEPT(2) Baker, Frech
NOOP(1) Wall
REVIEWING(1) Christey
Voter Comments:
Christey> What is the proper level of abstraction to use here? Should
we have a separate entry for each different default community
string? See:
http://cve.mitre.org/Board_Sponsors/archives/msg00242.html and
http://cve.mitre.org/Board_Sponsors/archives/msg00250.html
http://cve.mitre.org/Board_Sponsors/archives/msg00251.html
Until the associated content decisions have been approved
by the Editorial Board, this candidate cannot be accepted
for inclusion in CVE.
Name: CVE-1999-0255
Description:
Buffer overflow in ircd allows arbitrary command execution.
Status: Candidate
Phase: Proposed (19990623)
Votes:
ACCEPT(3) Baker, Hill, Northcutt
MODIFY(1) Frech
NOOP(1) Prosser
REJECT(1) Christey
Voter Comments:
Frech> XF:irc-bo
Christey> This is too general and doesn't have any references. The
XF reference doesn't appear toe xist any more.
Perhaps this reference would help:
BUGTRAQ:19970701 ircd buffer overflow
Baker> It appears that the XForce entry has been corrected, and there is a patch posted in the original bugtraq post.
Name: CVE-1999-0257
Description:
Nestea variation of teardrop IP fragmentation denial of service.
Status: Candidate
Phase: Proposed (19990726)
Votes:
ACCEPT(1) Wall
MODIFY(1) Frech
REVIEWING(1) Christey
Voter Comments:
Frech> XF:nestea-linux-dos
Christey> Not sure how many separate "instances" of Teardrop
and its ilk. Also see comments on CVE-1999-0001.
See: CVE-1999-0015, CVE-1999-0104, CVE-1999-0257, CVE-1999-0258
Is CVE-1999-0001 the same as CVE-1999-0052? That one is related
to nestea (CVE-1999-0257) and probably the one described in
BUGTRAQ:19981023 nestea v2 against freebsd 3.0-Release
The patch for nestea is in ip_input.c around line 750.
The patches for CVE-1999-0001 are in lines 388&446. So,
CVE-1999-0001 is different from CVE-1999-0257 and CVE-1999-0052.
The FreeBSD patch for CVE-1999-0052 is in line 750.
So, CVE-1999-0257 and CVE-1999-0052 may be the same, though
CVE-1999-0052 should be RECAST since this bug affects Linux
and other OSes besides FreeBSD.
Also see BUGTRAQ:19990909 CISCO and nestea.
Finally, note that there is no fundamental difference between
nestea and nestea2/nestea-v2; they are different ports that
exploit the same problem.
The original nestea advisory is at
http://www.technotronic.com/rhino9/advisories/06.htm
but notice that the suggested fix is in line 375 of
ip_fragment.c, not ip_input.c.
Christey> See the SCO advisory at:
http://www.securityfocus.com/templates/advisory.html?id=1411
which may further clarify the issue.
Christey> BUGTRAQ:19980501 nestea does other things
http://marc.theaimsgroup.com/?l=bugtraq&m=90221101925819&w=2
BUGTRAQ:19980508 nestea2 and HP Jet Direct cards.
URL:http://marc.theaimsgroup.com/?l=bugtraq&m=90221101925870&w=2
BUGTRAQ:19981027 nestea v2 against freebsd 3.0-Release
URL:http://marc.theaimsgroup.com/?l=bugtraq&m=90951521507669&w=2
Nestea source code is in
MISC:http://oliver.efri.hr/~crv/security/bugs/Linux/ipfrag6.html
Name: CVE-1999-0258
Description:
Bonk variation of teardrop IP fragmentation denial of service.
Status: Candidate
Phase: Proposed (19990726)
Votes:
MODIFY(2) Frech, Wall
REVIEWING(1) Christey
Voter Comments:
Wall> Reference Q179129
Frech> XF:teardrop-mod
Christey> Not sure how many separate "instances" of Teardrop there are.
See: CVE-1999-0015, CVE-1999-0104, CVE-1999-0257, CVE-1999-0258
Christey> See the SCO advisory at:
http://www.securityfocus.com/templates/advisory.html?id=1411
which may further clarify the issue.
Christey> BUGTRAQ:19980108 bonk.c
URL:http://marc.theaimsgroup.com/?l=bugtraq&m=88429524325956&w=2
NTBUGTRAQ:19980108 bonk.c
URL:http://marc.theaimsgroup.com/?l=ntbugtraq&m=88433857200304&w=2
NTBUGTRAQ:19980109 Re: Bonk.c
URL:http://marc.theaimsgroup.com/?l=ntbugtraq&m=88441302913269&w=2
NTBUGTRAQ:19980304 Update on wide-spread NewTear Denial of Service attacks
URL:http://marc.theaimsgroup.com/?l=ntbugtraq&m=88901842000424&w=2
BUGTRAQ:19980304 Update on wide-spread NewTear Denial of Service attacks
URL:http://marc.theaimsgroup.com/?l=bugtraq&m=88903296104349&w=2
CIAC:I-031a
http://ciac.llnl.gov/ciac/bulletins/i-031a.shtml
CERT summary CS-98.02 implies that bonk, boink, and newtear
all exploit the same vulnerability.
Name: CVE-1999-0261
Description:
Netmanager Chameleon SMTPd has several buffer overflows that cause a crash.
Status: Candidate
Phase: Modified (20000827-01)
Reference: BUGTRAQ:19980504 Netmanage Holes
Reference: MISC:http://www.insecure.org/sploits/netmanage.chameleon.overflows.html
Votes:
ACCEPT(1) Baker
MODIFY(2) Frech, Landfield
NOOP(3) Christey, Northcutt, Ozancin
Voter Comments:
Frech> XF:chamelion-smtp-dos
Landfield> - Specify what "a crash" means.
Christey> ADDREF XF:chameleon-smtp-dos ? (but it's not on the web site)
Christey> Consider adding BID:2387
Name: CVE-1999-0271
Description:
Progressive Networks Real Video server (pnserver) can be crashed remotely.
Status: Candidate
Phase: Modified (19990925-01)
Reference: BUGTRAQ:19980115 pnserver exploit..
Reference: BUGTRAQ:19980817 Re: Real Audio Server Version 5 bug?
Votes:
ACCEPT(3) Baker, Blake, Northcutt
MODIFY(1) Frech
NOOP(1) Prosser
REVIEWING(1) Christey
Voter Comments:
Christey> Problem confirmed by RealServer vendor (URL listed in Bugtraq
posting), but may be multiple codebases since several
Real Audio servers are affected.
Also, this may be the same as BUGTRAQ:19991105 RealNetworks RealServer G2 buffer overflow.
See CVE-1999-0896
CHANGE> [Frech changed vote from REVIEWING to MODIFY]
Frech> ADDREF XF:realvideo-telnet-dos
Name: CVE-1999-0282
Description:
** REJECT **
DO NOT USE THIS CANDIDATE NUMBER. ConsultIDs: CVE-1999-1584,
CVE-1999-1586. Reason: This candidate combined references from one
issue with the description from another issue. Notes: Users should
consult CVE-1999-1584 and CVE-1999-1586 to obtain the appropriate
name. All references and descriptions in this candidate have been
removed to prevent accidental usage.
Status: Candidate
Phase: Modified (20050830)
Votes:
ACCEPT(2) Baker, Dik
MODIFY(1) Frech
NOOP(1) Ozancin
RECAST(1) Prosser
REJECT(1) Christey
Voter Comments:
Frech> XF:sun-loadmodule
XF:sun-modload (CERT CA-93.18 very old!)
Prosser> Believe the reference given, 95-12, is referencing a later
loadmodule(8) setuid problem in the X11/NeWS windowing system. There is an
earlier, similar setuid vulnerability in the CA-93.18, CIAC G-02 advisories
for the SunOS 4.1.x/Solbourne and OpenWindow 3.0. In fact, there may be the
same as the HP patches are 100448-02 for the 93 loadmodule/modload
vulnerability and 100448-03 for the 95 loadmodule vulnerability which
normally indicated a patch update. Looks like the original patch either
didn't completely fix the problem or it resurfaced in X11 NeWS. Can't tell
much beyond that and this is my opinion only as have no way to check it.
Which one is this CVE referencing? I accept both.
Dik> There are three similar Sun bug ids associated with the patches.
1076118 loadmodule has a security vulnerability
1148753 loadmodule has a security vulnerability
1222192 loadmodule has a security vulnerability
as well as:
1137491
Ancient stuff.
Christey> Add period to the end of the description.
CHANGE> [Christey changed vote from NOOP to REVIEWING]
Christey> This is distinct from CVE-1999-1584 - CVE-1999-1584 is for
CA-93.18.
CHANGE> [Christey changed vote from REVIEWING to REJECT]
Christey> This candidate combines two separate issues. It uses the CERT
alert reference from 1995, from one issue, but a description that
is associated with a separate issue.
Name: CVE-1999-0283
Description:
The Java Web Server would allow remote users to obtain the source
code for CGI programs.
Status: Candidate
Phase: Modified (19991203-01)
Reference: BUGTRAQ:19970716 Viewable .jhtml source with JavaWebServer
Reference: URL:http://marc.theaimsgroup.com/?l=bugtraq&m=88256790401004&w=2
Votes:
ACCEPT(7) Baker, Blake, Cole, Collins, Dik, Northcutt, Wall
MODIFY(1) Frech
NOOP(5) Armstrong, Bishop, Christey, Landfield, Prosser
REVIEWING(1) Ozancin
Voter Comments:
Wall> Acknowledged by vendor at
http://www.sun.com/software/jwebserver/techinfo/jws112info.html.
Baker> Vulnerability Reference (HTML) Reference Type
http://www.securityfocus.com/archive/1/7260 Misc Defensive Info
http://www.sun.com/software/jwebserver/techinfo/jws112info.html Vendor Info
Christey> BID:1891
URL:http://www.securityfocus.com/bid/1891
Christey> Add version number (1.1 beta) and details of attack (appending
a . or a \)
The Sun URL referenced by Dave Baker no longer exists, so I
wasn't able to verify that it addressed the problem described
in the Bugtraq post. This might not even be Sun's
"Java Web Server," as CVE-2001-0186 describes some product
called "Free Java Web Server"
Dik> There appears to be some confusion.
The particular bug seems to be on in JWS 1.1beta or 1.1 which was fixed
in 1.1.2 (get foo.jthml source by appending "." of "\" to URL)
There are other bugs that give access and that require a configuration
change.
http://www.sun.com/software/jwebserver/techinfo/security_advisory.html
Christey> Need to make sure to create CAN's for the other bugs,
as documented in:
NTBUGTRAQ:19980724 Alert: New Source Bug Affect Sun JWS
http://marc.theaimsgroup.com/?l=ntbugtraq&m=90222454131622&w=2
BUGTRAQ:19980725 Alert: New Source Bug Affect Sun JWS
http://marc.theaimsgroup.com/?l=bugtraq&m=90221104526086&w=2
The reported bugs are:
1) file read by appending %20
2) Directly call /servlet/file
URL:http://www.sddt.com/cgi-bin/Subscriber?/library/98/07/24/tbd.html
#2 is explicitly mentioned in the Sun advisory for
CVE-1999-0283.
CHANGE> [Frech changed vote from REVIEWING to MODIFY]
Frech> XF:javawebserver-cgi-source(5383)
Name: CVE-1999-0284
Description:
Denial of service to NT mail servers including Ipswitch, Mdaemon, and
Exchange through a buffer overflow in the SMTP HELO command.
Status: Candidate
Phase: Proposed (19990623)
Reference: XF:smtp-helo-bo
Votes:
ACCEPT(2) Blake, Northcutt
MODIFY(3) Frech, Levy, Ozancin
NOOP(1) Baker
REVIEWING(1) Christey
Voter Comments:
Frech> "Windows NT-based mail servers" (A trademark thing, and for clarification)
XF:mdaemon-helo-bo
XF:lotus-notes-helo-crash
XF:slmail-helo-overflow
XF:smtp-helo-bo (mentions several products)
XF:smtp-exchangedos
Levy> - Need one per software. Each one should be its own
vulnerability.
Ozancin> => Windows NT is correct
Christey> These are probably multiple codebases, so we'll need to use
dot notation. Also need to see if this should be merged
with CVE-1999-0098 (Sendmail SMTP HELO).
Name: CVE-1999-0285
Description:
Denial of service in telnet from the Windows NT Resource Kit, by
opening then immediately closing a connection.
Status: Candidate
Phase: Proposed (19990630)
Votes:
ACCEPT(1) Hill
NOOP(2) Baker, Wall
REJECT(2) Christey, Frech
Voter Comments:
Christey> No references, no information.
CHANGE> [Frech changed vote from REVIEWING to REJECT]
Frech> No references; closest documented match is with
CVE-2001-0346, but that's for Windows 2000.
Name: CVE-1999-0286
Description:
In some NT web servers, appending a space at the end of a URL may
allow attackers to read source code for active pages.
Status: Candidate
Phase: Proposed (19990714)
Votes:
ACCEPT(3) Armstrong, Cole, Shostack
MODIFY(3) Blake, Levy, Wall
NOOP(5) Baker, Bishop, Landfield, Northcutt, Ozancin
REJECT(1) Frech
REVIEWING(1) Christey
Voter Comments:
Wall> In some NT web servers, appending a dot at the end of a URL may
allows attackers to read source code for active pages.
Source: MS Knowledge Base Article Q163485 - "Active Server Pages Script Appears
in Browser"
Frech> In the meantime, reword description as 'Windows NT' (trademark issue)
Christey> Q163485 does not refer to a space, it refers to a dot.
However, I don't have other references.
Reading source code with a dot appended is in CVE-1999-0154,
which will be proposed. A subsequent bug similar to the
dot bug is CVE-1999-0253.
Levy> NTBUGTRAQ: http://www.securityfocus.com/archive/2/22014
NTBUGTRAQ: http://www.securityfocus.com/archive/2/22019
BID 273
Blake> Reference: http://www.allaire.com/handlers/index.cfm?ID=10967
CHANGE> [Christey changed vote from NOOP to REVIEWING]
CHANGE> [Frech changed vote from REVIEWING to REJECT]
Frech> BID articles)
Name: CVE-1999-0287
Description:
Vulnerability in the Wguest CGI program.
Status: Candidate
Phase: Proposed (19990714)
Votes:
MODIFY(2) Frech, Shostack
NOOP(4) Blake, Levy, Northcutt, Wall
REJECT(2) Baker, Christey
Voter Comments:
Shostack> allows file reading
Frech> XF:http-cgi-webcom-guestbook
Christey> CVE-1999-0287 is probably a duplicate of CVE-1999-0467. In
NTBUGTRAQ:19990409 Webcom's CGI Guestbook for Win32 web servers
Mnemonix says that he had previously reported on a similar
problem. Let's refer to the NTBugtraq posting as
CVE-1999-0467. We will refer to the "previous report" as
CVE-1999-0287, which could be found at:
http://oliver.efri.hr/~crv/security/bugs/NT/httpd41.html
0287 describes an exploit via the "template" hidden variable.
The exploit describes manually editing the HTML form to
change the filename to read from the template variable.
The exploit as described in 0467 encodes the template variable
directly into the URL. However, hidden variables are also
encoded into the URL, which would have looked the same to
the web server regardless of the exploit. Therefore 0287
and 0467 are the same.
Christey> BID:2024
Name: CVE-1999-0298
Description:
ypbind with -ypset and -ypsetme options activated in Linux Slackware
and SunOS allows local and remote attackers to overwrite files via a
.. (dot dot) attack.
Status: Candidate
Phase: Modified (20000524-01)
Reference: NAI:19970205 Vulnerabilities in Ypbind when run with -ypset/-ypsetme
Reference: URL:http://www.nai.com/nai_labs/asp_set/advisory/06_ypbindsetme_adv.asp
Votes:
ACCEPT(4) Cole, Dik, Levy, Northcutt
MODIFY(1) Frech
NOOP(3) Baker, Christey, Shostack
Voter Comments:
Christey> ADDREF BID:1441
URL:http://www.securityfocus.com/bid/1441
Dik> If you run with "-ypset", then you're always insecure.
With ypsetme, only root on the local host
can run ypset in Solaris 2.x+.
Probably true for SunOS 4, hence my vote.
CHANGE> [Frech changed vote from REVIEWING to MODIFY]
Frech> ADDREF XF:ypbind-ypset-root
CHANGE> [Dik changed vote from REVIEWING to ACCEPT]
Dik> This vulnerability does exist in SunOS 4.x in non default configurations.
In Solaris 2.x, the vulnerability only applies to files named "cache_binding"
and not all files ending in .2
Both releases are not vulnerable in the default configuration (both
disabllow ypset by default which prevents this problem from occurring)
Name: CVE-1999-0306
Description:
buffer overflow in HP xlock program.
Status: Candidate
Phase: Proposed (19990714)
Reference: XF:hp-xlock
Votes:
ACCEPT(3) Baker, Frech, Northcutt
MODIFY(1) Prosser
NOOP(1) Shostack
REJECT(1) Christey
Voter Comments:
Prosser> This is another of those with multiple affected OSs.
Refs: CA-97.13, http://207.237.120.45/linux/xlock-exploit.txt,
HPSBUX9711-073, SGI 19970502-02-PX, Sun Bulletin 000150
Christey> XF:hp-xlock points to SGI:19970502-02-PX which says this is
the same problem as in CERT:CA-97.13, which is CVE-1999-0038.
Name: CVE-1999-0307
Description:
Buffer overflow in HP-UX cstm program allows local users to gain
root privileges.
Status: Candidate
Phase: Modified (19991207-01)
Reference: BUGTRAQ:19961116 This week: turn me on, dead man
Reference: XF:hpux-cstm-bo
Votes:
ACCEPT(2) Frech, Northcutt
NOOP(3) Baker, Prosser, Shostack
RECAST(1) Christey
Voter Comments:
Prosser> only ref I can find is an old SOD exploit on
www.outpost9.com
Christey> MERGE CVE-1999-0336 (the exact exploit works with both
cstm and mstm, which are clearly part of the same package,
so CD:SF-EXEC says to merge them.)
Also, there does not seem to be any recognition of this problem
by HP. The only other information besides the Bugtraq post
is the SOD exploit.
See the original post:
http://www.securityfocus.com/templates/archive.pike?list=1&date=1996-11-15&msg=Pine.LNX.3.91.961116112242.15276J-100000@underground.org
Name: CVE-1999-0317
Description:
Buffer overflow in Linux su command gives root access to local
users.
Status: Candidate
Phase: Modified (19991216-01)
Reference: BUGTRAQ:19990818 slackware-3.5 /bin/su buffer overflow
Reference: XF:su-bo
Votes:
ACCEPT(3) Frech, Hill, Northcutt
NOOP(1) Prosser
RECAST(1) Baker
REVIEWING(1) Christey
Voter Comments:
Christey> DUPE CVE-1999-0845?
Also, ADDREF XF:unixware-su-username-bo
A report summary by Aleph One states that nobody was able to
confirm this problem on any Linux distribution.
Baker> If this is the same as the unixware, the n it is a dupe of 1999-0845. There is about a two and half month difference in the bugtraq reporting of these.
Sounds like the same bug however...
Christey> XF:su-bo no longer seems to exist.
How about XF:linux-subo(734) ?
http://xforce.iss.net/static/734.php
BID:475 also seems to describe the same problem
(http://www.securityfocus.com/bid/475) in which case,
vsyslog is blamed in:
BUGTRAQ:19971220 Linux vsyslog() overflow
http://www.securityfocus.com/archive/1/8274
Name: CVE-1999-0319
Description:
Buffer overflow in xmcd 2.1 allows local users to gain access
through a user resource setting.
Status: Candidate
Phase: Proposed (19990623)
Reference: XF:xmcd-tiflestr
Votes:
ACCEPT(3) Frech, Hill, Northcutt
NOOP(2) Baker, Prosser
REVIEWING(1) Christey
Voter Comments:
Christey> BUGTRAQ:19961126 Security Problems in XMCD 2.1
A followup to this post says that xmcd is not suid here.
Name: CVE-1999-0330
Description:
Linux bdash game has a buffer overflow that allows local users to
gain root access.
Status: Candidate
Phase: Modified (20000105-01)
Reference: BUGTRAQ:19940101 (No Subject)
Reference: XF:bdash-bo
Votes:
ACCEPT(1) Baker
MODIFY(1) Frech
NOOP(3) Northcutt, Shostack, Wall
REVIEWING(1) Levy
Voter Comments:
Frech> XF:bdash-bo
Name: CVE-1999-0331
Description:
Buffer overflow in Internet Explorer 4.0(1).
Status: Candidate
Phase: Modified (20040811)
Reference: XF:msie-bo
Votes:
ACCEPT(2) Baker, Northcutt
MODIFY(2) Frech, Shostack
RECAST(1) Prosser
REJECT(2) Christey, LeBlanc
Voter Comments:
Shostack> this is a high cardinality item
Prosser> needs to be more specific.
Frech> Replace reference with XF:iemk-bug (msie-bo is obsolete and a vague
duplicate)
Description (from xfdb): Some versions of Internet Explorer for Windows
contain a vulnerability that may crash the broswer when a malicious web site
contains a certain kind of URL (that begins with "mk://") with more
characters than the browser supports.
Christey> The description is too vague.
LeBlanc> too vague
Christey> Add period to the end of the description.
Name: CVE-1999-0333
Description:
HP OpenView Omniback allows remote execution of commands as root via
spoofing, and local users can gain root access via a symlink attack.
Status: Candidate
Phase: Modified (19990925-01)
Reference: RSI:RSI.0009.09-08-98.HP-UX.OMNIBACK
Reference: HP:HPSBUX9810-085
Reference: XF:omniback-remote
Votes:
ACCEPT(2) Baker, Frech
MODIFY(1) Prosser
RECAST(1) Christey
Voter Comments:
Prosser> additional source
HP Security Bulletin 85
http://us-support.external.hp.com
http://europe-support.external.hp.com
Christey> Two separate bugs, so SF-LOC says this candidate should be
split
Christey> ADDREF CIAC:J-007
URL:http://ciac.llnl.gov/ciac/bulletins/j-007.shtml
Name: CVE-1999-0336
Description:
Buffer overflow in mstm in HP-UX allows local users to gain root
access.
Status: Candidate
Phase: Modified (19991207-01)
Reference: BUGTRAQ:19961116 This week: turn me on, dead man
Reference: XF:hpux-mstm-bo
Votes:
ACCEPT(2) Frech, Northcutt
NOOP(3) Baker, Prosser, Shostack
RECAST(1) Christey
Voter Comments:
Prosser> same as CVE-1999-0307, only ref I can find is an old SOD
exploit on www.outpost9.com
Christey> MERGE CVE-1999-0307 (the exact exploit works with both
cstm and mstm, which are clearly part of the same package,
so CD:SF-EXEC says to merge them.)
Also, there does not seem to be any recognition of this problem
by HP. The only other information besides the Bugtraq post
is the SOD exploit.
Name: CVE-1999-0345
Description:
Jolt ICMP attack causes a denial of service in Windows 95 and Windows
NT systems.
Status: Candidate
Phase: Proposed (19990728)
Votes:
ACCEPT(2) Blake, Cole
MODIFY(2) Frech, Wall
NOOP(4) Bishop, Landfield, Northcutt, Ozancin
RECAST(1) Meunier
REJECT(4) Armstrong, Baker, LeBlanc, Levy
REVIEWING(1) Christey
Voter Comments:
Wall> Invalid ICMP datagram fragments causes a denial of service in Windows 95 and
Windows NT systems.
Reference: Q154174.
Jolt is also known as sPING, ICMP bug, Icenewk, and Ping of Death.
It is a modified teardrop 2 attack.
Frech> XF:nt-ssping
ADDREF XF:ping-death
ADDREF XF:teardrop-mod
ADDREF XF:mpeix-echo-request-dos
Christey> I can't tell whether the Jolt exploit at:
http://www.securityfocus.com/templates/archive.pike?list=1&date=1997-06-28&msg=Pine.BSF.3.95q.970629163422.3264A-200000@apollo.tomco.net
is exploiting any different flaw than teardrop does.
CHANGE> [Christey changed vote from NOOP to REVIEWING]
Baker> Jolt (original) is basically just a fragmented oversized ICMP that
kills Win boxes ala Ping of Death.
Teardrop is altering the offset in fragmented tcp packets so that the
end of subsequent fragments is inside first packet...
Teardrop 2 is UDP packets, if I remember right.
Seems like Jolt (original, not jolt 2) is just exploit code that
creates a ping of death (CVE 1999-0128)
Levy> I tend to agree with Baker.
CHANGE> [Armstrong changed vote from REVIEWING to REJECT]
Armstrong> This code does not use fragment overlap. It is simply a large ICMP echo request.
Christey> See the SCO advisory at:
http://www.securityfocus.com/templates/advisory.html?id=1411
which may further clarify the issue.
LeBlanc> This is a hodge-podge of DoS attacks. Jolt isn't the same
thing as ping of death - POD was an oversized ICMP packet, Jolt froze
Linux and Solaris (and I think not NT), IIRC Jolt2 did get NT boxes.
Teardrop and teardrop2 were related attacks (usually ICMP frag attacks),
but each of these is a distinct vulnerability, affected a discrete group
of systems, and should have distinct CVE numbers. CVE entries should be
precise as to what the problem is.
Meunier> I agree with Leblanc in that Jolt is multi-faceted. Jolt has
characteristics of Ping of Death AND teardrop, but it doesn't do
either exactly. Moreover, it sends a truncated IP fragment. I
disagree with Armstrong; jolt uses overlapping fragments. It's not a
simple ping of death either. It may be that the author's intent was
to construct a "super attack" somehow combining elements of other
vulnerabilities to try to make it more potent. In any case it
succeeded in confusing the CVE board :-).
I notice that Jolt uses echo replies (type 0) instead of echo
requests (to get past firewalls?). Jolt is peculiar in that it also
sends numerous overlapping fragments. The "Pascal Simulator" :-) says
it sends:
- 172 fragments of length 400 with offset starting at 5120 and
increasing by about 47 (odd arithmetic of 5120 OR ((n* 380) >> 3)),
which eventually results in sending fragments inside an already
covered area once ((n* 380) >> 3) is greater than 5120, which occurs
when n is reaches 108. This would look a bit like TearDrop if
fragments were reassembled on-the-fly.
- 1 fragment such that the total length of all the fragments
is greater than 65535 (my calculation is 172*380 + 418 = 65778; the
comment about 65538 must be wrong). The last packet is size 418
according to the IP header but the buffer is of size 400. The sendto
takes as argument the size of the buffer so a truncated packet is
sent.
So, I am not sure if the problem is because the last packet
doesn't extend to the payload it says it has or because the total size
of all fragments is greater than 65535. The author says it may take
more than one sending, so perhaps this has to do with an incorrect
error handling and recovery. One would need to experiment and isolate
each of those characteristics and test them independently. Inasmuch
as each of those things is likely a different vulnerability, then I
agree with Leblanc that this entry should be split. I'll try that if
I ever get bored. Jolt 2 should also have a different entry (see
below).
Jolt 2 runs in an infinite loop, sending the same fragmented
IP packet, which can pretend to be "ICMP" or "UDP" data; however this
is meaningless, as it's just a late fragment of an IP packet. The
attack works only as long as packets are sent. According to
http://www.securityfocus.com/archive/1/62170 the packets are
truncated, and would overflow over the 65535 byte limit, which is
similar to Jolt. Note that Jolt does send that much data whereas
jolt2 doesn't. Since jolt2 is simpler and narrower than jolt, and it
has weaker consequences, I believe that it's a different
vulnerability.
"Jolt 2 vulnerability causes a temporary denial-of-service in
Windows-type OSes" would be a title for it.
Name: CVE-1999-0347
Description:
Internet Explorer 4.01 allows remote attackers to read local files and
spoof web pages via a "%01" character in an "about:" Javascript URL,
which causes Internet Explorer to use the domain specified after the
character.
Status: Candidate
Phase: Modified (20051028)
Reference: BUGTRAQ:19990126 Javascript ecurity bug in Internet Explorer
Reference: URL:http://marc.theaimsgroup.com/?l=bugtraq&m=91745430007021&w=2
Reference: NTBUGTRAQ:19990126 Javascript ecurity bug in Internet Explorer
Reference: URL:http://marc.theaimsgroup.com/?l=ntbugtraq&m=91756771207719&w=2
Votes:
ACCEPT(4) Baker, LeBlanc, Levy, Northcutt
MODIFY(2) Frech, Prosser
REVIEWING(1) Christey
Voter Comments:
Prosser> this is a modified Cross-Frame vulnerability that circumvents
the original Cross-Frame Patch. Addressed in MS Bulletin MS99.012
http://www.microsoft.com/security/bulletins/ms99-012.asp
Christey> Duplicate of CVE-1999-0490?
LeBlanc> If Prosser is correct that this is MS99-012, accept
Christey> BUGTRAQ:19990126 Javascript ecurity bug in Internet Explorer
URL:http://marc.theaimsgroup.com/?l=bugtraq&m=91745430007021&w=2
NTBUGTRAQ:19990128 Javascript %01 bug in Internet Explorer
URL:http://marc.theaimsgroup.com/?l=ntbugtraq&m=91756771207719&w=2
BID:197
URL:http://www.securityfocus.com/bid/197
CHANGE> [Frech changed vote from REVIEWING to MODIFY]
Frech> XF:ie-window-spoof(2069)
Name: CVE-1999-0352
Description:
ControlIT 4.5 and earlier (aka Remotely Possible) has weak password
encryption.
Status: Candidate
Phase: Proposed (19990721)
Reference: ISS:Multiple vulnerabilities in ControlIT(tm) (formerly Remotely Possible/32) enterprise management software
Reference: XF:controlit-passwd-encrypt
Votes:
ACCEPT(2) Baker, Frech
NOOP(2) Northcutt, Wall
RECAST(1) Ozancin
Voter Comments:
Ozancin> Can we combine this with CVE-1999-0356 - ControlIT(tm) 4.5 and earlier uses
weak encryption.
Name: CVE-1999-0354
Description:
Internet Explorer 4.x or 5.x with Word 97 allows arbitrary execution
of Visual Basic programs to the IE client through the Word 97
template, which doesn't warn the user that the template contains
executable content. Also applies to Outlook when the client views a
malicious email message.
Status: Candidate
Phase: Proposed (19990623)
Reference: NTBUGTRAQ:Jan27,1999
Reference: MS:MS99-002
Reference: URL:http://www.microsoft.com/technet/security/bulletin/ms99-002.asp
Votes:
ACCEPT(3) Baker, Ozancin, Wall
MODIFY(1) Frech
NOOP(1) Christey
Voter Comments:
Frech> XF:word97-template-macro
Christey> CHANGEREF NTBUGTRAQ:19990127 IE 4/5/Outlook + Word 97 security hole
URL:http://marc.theaimsgroup.com/?l=ntbugtraq&m=91747570922757&w=2
BID:196
http://www.securityfocus.com/bid/196
Christey> MSKB:Q214652
http://support.microsoft.com/support/kb/articles/q214/6/52.asp
Name: CVE-1999-0356
Description:
ControlIT v4.5 and earlier uses weak encryption to store
usernames and passwords in an address book.
Status: Candidate
Phase: Proposed (19990721)
Reference: ISS:Multiple vulnerabilities in ControlIT(tm) (formerly Remotely Possible/32) enterprise management software
Reference: XF:controlit-bookfile-access
Votes:
ACCEPT(2) Baker, Frech
NOOP(2) Northcutt, Wall
RECAST(1) Ozancin
Name: CVE-1999-0359
Description:
ptylogin in Unix systems allows users to perform a denial of service
by locking out modems, dial out with that modem, or obtain passwords.
Status: Candidate
Phase: Proposed (20010214)
Reference: BUGTRAQ:19990127 UNIX shell modem access vulnerabilities
Reference: XF:ptylogin-dos
Votes:
ACCEPT(2) Cole, Frech
MODIFY(1) Baker
Voter Comments:
Frech> XF:ptylogin-dos
Baker> Should say "... lock out a modem, ..." rather than "... locking out modems..."
Name: CVE-1999-0360
Description:
MS Site Server 2.0 with IIS 4 can allow users to upload content,
including ASP, to the target web site, thus allowing them to
execute commands remotely.
Status: Candidate
Phase: Modified (20000530-01)
Reference: BUGTRAQ:19990130 Security Advisory for Internet Information Server 4 with Site
Reference: URL:http://marc.theaimsgroup.com/?l=bugtraq&m=91763097004101&w=2
Reference: NTBUGTRAQ:Jan29,1999
Votes:
ACCEPT(6) Blake, Cole, Collins, Landfield, Northcutt, Wall
MODIFY(3) Baker, Frech, LeBlanc
NOOP(4) Armstrong, Christey, Ozancin, Prosser
Voter Comments:
Christey> I can't find the original Bugtraq posting (it appears that
mnemonix discovered the problem).
LeBlanc> - if there was a fix or a KB article, I'd ACCEPT. A vuln based on a
BUGTRAQ posting we can't find could be anything.
Baker> Vulnerability Reference (HTML) Reference Type
http://www.securityfocus.com/archive/1/12218 Misc Defensive InfoVulnerability Reference (HTML) Reference Type
THis is the URL for the Bugtraq posting. It was cross posted to
NT Bugtraq as well, but identical text. It was Mnemonix...
Christey> BID:1811
URL:http://www.securityfocus.com/bid/1811
Christey> CHANGEREF BUGTRAQ add "Server 2." to the subject.
Also standardize NTBUGTRAQ reference title.
Christey> Add "uploadn.asp" to the description.
CHANGE> [Frech changed vote from REVIEWING to MODIFY]
Frech> XF:siteserver-user-dir-permissions(5384)
Name: CVE-1999-0361
Description:
NetWare version of LaserFiche stores usernames and passwords
unencrypted, and allows administrative changes without logging.
Status: Candidate
Phase: Proposed (19990728)
Reference: BUGTRAQ:Jan29,1999
Votes:
ACCEPT(1) Baker
MODIFY(1) Frech
NOOP(2) Northcutt, Wall
Voter Comments:
Frech> XF:compulink-pw-laserfiche(1679)
Normalize BUGTRAQ reference to:
BUGTRAQ:19990129 Compulink LaserFiche Client/Server - unencrypted passwords
Name: CVE-1999-0364
Description:
Microsoft Access 97 stores a database password as plaintext in a
foreign mdb, allowing access to data.
Status: Candidate
Phase: Modified (20000426-01)
Reference: BUGTRAQ:19990204 Microsoft Access 97 Stores Database Password as Plaintext
Reference: URL:http://marc.theaimsgroup.com/?l=bugtraq&m=91816470220259&w=2
Votes:
ACCEPT(2) Baker, LeBlanc
MODIFY(1) Frech
NOOP(2) Northcutt, Wall
Voter Comments:
CHANGE> [Frech changed vote from REVIEWING to MODIFY]
Frech> XF:access-weak-passwords(1774)
An older published reference (from our own Adam) would be
better:
ailab.coderpunks Newsgroup, 1998/06/23 "Re: MS Access 2.0"
http://x15.dejanews.com/[ST_rn=ps]/getdoc.xp?AN=365308578&CONTEXT=9192
07028.1462108427&hitnum=1
Name: CVE-1999-0370
Description:
In Sun Solaris and SunOS, man and catman contain vulnerabilities
that allow overwriting arbitrary files.
Status: Candidate
Phase: Modified (19991210-01)
Reference: SUN:00184
Reference: BID:165
Reference: URL:http://www.securityfocus.com/bid/165
Votes:
ACCEPT(4) Baker, Dik, Northcutt, Prosser
MODIFY(1) Frech
REVIEWING(1) Christey
Voter Comments:
Frech> Reference: XF:sun-man
Christey> ADDREF CIAC:J-028
Is the Linux man symlink problem the same as the one for Sun?
See BUGTRAQ:19990602 /tmp symlink problems in SuSE Linux 6.1
Also see BID:305
Dik> sun bug 4154565
Name: CVE-1999-0381
Description:
super 3.11.6 and other versions have a buffer overflow in the syslog
utility which allows a local user to gain root access.
Status: Candidate
Phase: Proposed (19990726)
Reference: BUGTRAQ:19990225 SUPER buffer overflow
Reference: URL:http://www.securityfocus.com/templates/archive.pike?list=1&msg=Pine.LNX.3.96.990225011801.12757A-100000@eleet
Reference: XF:linux-super-logging-bo
Reference: BID:342
Reference: URL:http://www.securityfocus.com/bid/342
Votes:
ACCEPT(7) Baker, Blake, Cole, Frech, Landfield, Levy, Ozancin
MODIFY(1) Bishop
NOOP(2) Armstrong, Wall
REVIEWING(1) Christey
Voter Comments:
Christey> Is this the same as CVE-1999-0373? They both have the same
X-Force reference.
BID:342 suggests that there are two.
http://www.debian.org/security/1999/19990215a suggests
that there are two. However, CVE-1999-0373 is written up in
a fashion that is too general; and both XF:linux-super-bo and
XF:linux-super-logging-bo refer to CVE-1999-0373.
CVE-1999-0373 may need to be split.
Frech> From what I can surmise, ISS released the original advisory (attached to
linux-super-bo), and Sekure SDI expanded on it by releasing another related
overflow in syslog (which is linux-super-logging-bo).
When I was originally assigning these issues, I placed both XF references
and the ISS advisory on the -0373 candidate, since there was nothing else
available. Based on the information above, I'd request that
XF:linux-super-logging-bo be removed from CVE-1999-0373.
Christey> Given Andre's feedback, these are different issues.
CVE-1999-0373 does not need to be split because the ISS
reference is sufficient to distinguish that CVE from this
candidate; however, the CVE-1999-0373 description should
probably be modified slightly.
Bishop> (as indicated by Christey)
CHANGE> [Cole changed vote from NOOP to ACCEPT]
CHANGE> [Christey changed vote from NOOP to REVIEWING]
Christey> There are 2 bugs, as confirmed by the super author at:
BUGTRAQ:19990226 Buffer Overflow in Super (new)
http://www.securityfocus.com/archive/1/12713
BID:397 also seems to cover this one, and it may cover
CVE-1999-0373 as well.
Name: CVE-1999-0389
Description:
Buffer overflow in the bootp server in the Debian Linux netstd
package.
Status: Candidate
Phase: Modified (19991207-01)
Reference: DEBIAN:19990104
Reference: BUGTRAQ:19990103 [SECURITY] New versions of netstd fixes buffer overflows
Reference: BID:324
Reference: URL:http://www.securityfocus.com/bid/324
Votes:
ACCEPT(3) Baker, Ozancin, Stracener
MODIFY(1) Frech
REVIEWING(1) Christey
Voter Comments:
Christey> Is CVE-1999-0389 a duplicate of CVE-1999-0798? CVE-1999-0389
has January 1999 dates associated with it, while CVE-1999-0798
was reported in late December.
Also, is this the same line of code as CVE-1999-0914? Both are in
the netstd package, it could look like a library problem.
However, deep in the changelog in the
netstd_3.07-7slink.3.diff on Debian, Herbert Xu includes
the following entry:
+netstd (3.07-7slink.1) frozen; urgency=high
+
+ * bootpd: Applied patch from Redhat as well as a fix for the overflow in
+ report() (fixes #30675).
+ * netkit-ftp: Applied patch from RedHat that fixes some obscure overflow
+ bugs.
+
+ -- Herbert Xu <herbert@debian.org> Sat, 19 Dec 1998 14:36:48 +1100
This tells me that two separate bugs are involved.
Note that Red Hat posted *some* fix for *some* bootp problem
in June 1998. See:
http://www.redhat.com/support/errata/rh42-errata-general.html#bootp
Frech> XF:debian-netstd-bo
Christey> Further analysis indicates that this is a duplicate of CVE-1999-0799
CHANGE> [Christey changed vote from REJECT to REVIEWING]
Christey> The fix information for BID:324 suggests that there are two
overflows, one of which is in handle_request (bootpd.c) and is
likely related to a file name; but there is another issue in
report (report.c) which also looks like a straightforward
overflow, which would suggest that this is not a duplicate of
CVE-1999-0798 or CVE-1999-0799.
Note: see comments for CVE-1999-0798 which explain how that
candidate is not related to CVE-1999-0799.
Name: CVE-1999-0394
Description:
DPEC Online Courseware allows an attacker to change another user's
password without knowing the original password.
Status: Candidate
Phase: Proposed (19990728)
Reference: BUGTRAQ:19990115 DPEC Online Courseware
Votes:
ACCEPT(1) Baker
NOOP(1) Christey
REJECT(1) Frech
Voter Comments:
Frech> If I understand the issue, this HIGHCARD involves insecure web programming.
If I don't understand, mark this as my first NOOP.
Christey> CONFIRM:http://www.securityfocus.com/frames/?content=/templates/archive.pike%3Flist%3D1%26msg%3D19990803132618.16407.qmail%40securityfocus.com
ADDREF BID:565
URL:http://www.securityfocus.com/vdb/bottom.html?vid=565
Name: CVE-1999-0397
Description:
The demo version of the Quakenbush NT Password Appraiser sends
passwords across the network in plaintext.
Status: Candidate
Phase: Proposed (19990728)
Reference: L0PHT:Jan21,1999
Reference: BUGTRAQ:Jan21,1999
Votes:
ACCEPT(1) Northcutt
MODIFY(1) Frech
NOOP(1) Baker
REJECT(1) Wall
Voter Comments:
Wall> Reject based on beta copy.
Frech> XF:quakenbush-pw-appraiser(1652)
Name: CVE-1999-0398
Description:
In some instances of SSH 1.2.27 and 2.0.11 on Linux systems, SSH will
allow users with expired accounts to login.
Status: Candidate
Phase: Modified (20000106-01)
Reference: BUGTRAQ:19990123 SSH 1.x and 2.x Daemon
Reference: BUGTRAQ:19990124 SSH Daemon
Reference: XF:ssh-exp-account-access
Votes:
ACCEPT(1) Baker
MODIFY(1) Frech
Voter Comments:
Frech> Followups to the bugtraq message (1/24/99) indicate that 1.2.27 was not yet
released. v1.2.26 should be substituted in the description for '27.
XF:ssh-exp-account-access
Name: CVE-1999-0399
Description:
The DCC server command in the Mirc 5.5 client doesn't filter
characters from file names properly, allowing remote attackers to
place a malicious file in a different location, possibly allowing the
attacker to execute commands.
Status: Candidate
Phase: Modified (20000105-01)
Reference: BUGTRAQ:19990124 Mirc 5.5 'DCC Server' hole
Reference: XF:mirc-dcc-metachar-filename
Votes:
ACCEPT(1) Baker
MODIFY(1) Frech
Voter Comments:
Frech> XF:mirc-dcc-metachar-filename
Name: CVE-1999-0400
Description:
Denial of service in Linux 2.2.0 running the ldd command on a core
file.
Status: Candidate
Phase: Modified (20000105-01)
Reference: BUGTRAQ:19990127 2.2.0 SECURITY (fwd)
Reference: XF:linux-kernel-ldd-dos
Reference: BID:344
Reference: URL:http://www.securityfocus.com/bid/344
Votes:
ACCEPT(1) Baker
MODIFY(1) Frech
Voter Comments:
Frech> BUGTRAQ:Jan27,1999
(http://www.securityfocus.com/templates/archive.pike?list=1&date=1999-01-22&
msg=Pine.LNX.4.05.9901270538380.539-100000@vitelus.com)
XF:linux-kernel-ldd-dos
Name: CVE-1999-0401
Description:
A race condition in Linux 2.2.1 allows local users to read arbitrary
memory from /proc files.
Status: Candidate
Phase: Modified (20000105-01)
Reference: BUGTRAQ:19990202 [patch] /proc race fixes for 2.2.1 (fwd)
Reference: XF:linux-race-condition-proc
Votes:
ACCEPT(1) Baker
MODIFY(1) Frech
Voter Comments:
Frech> XF:linux-race-condition-proc
Name: CVE-1999-0406
Description:
Digital Unix Networker program nsralist has a buffer overflow which
allows local users to obtain root privilege.
Status: Candidate
Phase: Proposed (19990728)
Reference: BUGTRAQ:Feb19,1999
Reference: XF:digital-networker-bo
Votes:
ACCEPT(1) Baker
MODIFY(1) Frech
Voter Comments:
Frech> In description, change 'which' to 'that'.
Name: CVE-1999-0411
Description:
Several startup scripts in SCO OpenServer Enterprise System v 5.0.4p,
including S84rpcinit, S95nis, S85tcp, and S89nfs, are vulnerable to a
symlink attack, allowing a local user to gain root access.
Status: Candidate
Phase: Proposed (19990726)
Reference: BUGTRAQ:Feb19,1999
Reference: XF:sco-startup-scripts
Votes:
MODIFY(2) Baker, Frech
NOOP(2) Christey, Wall
Voter Comments:
Frech> Neither XFDB nor the BugTraq article (incidentally, shows up as 7 March, not
19 February) does not mention gaining root access... it says a local user
could
"delete or overwrite arbitrary files on the system."
Baker> By overwriting arbitrary files, one could then gain root access. I agree with a minor description change to reflect this.
Christey> Normalize Bugtraq reference to:
BUGTRAQ:19990307 Little exploit for startup scripts (SCO 5.0.4p).
http://marc.theaimsgroup.com/?l=bugtraq&m=92087765014242&w=2
Also, SCO:SB-99.17
ftp://ftp.sco.com/SSE/security_bulletins/SB-99.17c
Name: CVE-1999-0418
Description:
Denial of service in SMTP applications such as Sendmail, when a
remote attacker (e.g. spammer) uses many "RCPT TO" commands in the
same connection.
Status: Candidate
Phase: Proposed (20010912)
Reference: BUGTRAQ:19990308 SMTP server account probing
Reference: URL:http://marc.theaimsgroup.com/?l=bugtraq&m=92100018214316&w=2
Votes:
ACCEPT(1) Cole
MODIFY(1) Frech
NOOP(3) Baker, Foat, Wall
REVIEWING(1) Christey
Voter Comments:
Christey> DUPE CVE-1999-0144 and CVE-1999-0250?
Frech> XF:smtp-rctpto-dos(7499)
Name: CVE-1999-0419
Description:
When the Microsoft SMTP service attempts to send a message to a server
and receives a 4xx error code, it quickly and repeatedly attempts to
redeliver the message, causing a denial of service.
Status: Candidate
Phase: Modified (20000105-01)
Reference: BUGTRAQ:19990319 Microsoft's SMTP service broken/stupid
Reference: XF:smtp-4xx-error-dos
Votes:
ACCEPT(1) Baker
MODIFY(2) Frech, LeBlanc
REVIEWING(1) Christey
Voter Comments:
Frech> XF:smtp-4xx-error-dos
LeBlanc> - if we can find a KB or something that shows that this wasn't just
user error, I'd vote ACCEPT.
Christey> David Lemson, Microsoft SMTP Service Program Manager,
posted a followup that said "We have confirmed this as a
problem..."
http://marc.theaimsgroup.com/?l=bugtraq&m=92171608127206&w=2
Name: CVE-1999-0426
Description:
The default permissions of /dev/kmem in Linux versions before 2.0.36
allows IP spoofing.
Status: Candidate
Phase: Proposed (19990728)
Reference: BUGTRAQ:19990319 The default permissions on /dev/kmem is insecure.
Votes:
MODIFY(1) Frech
NOOP(1) Baker
REJECT(1) Christey
Voter Comments:
Frech> XF:linux-dev-kmem-spoof
Christey> DUPE CVE-1999-0414
XF:linux-dev-kmem-spoof does not exist.
Christey> *Now* XF:linux-dev-kmem-spoof(3500) exists...
Name: CVE-1999-0427
Description:
Eudora 4.1 allows remote attackers to perform a denial of service by
sending attachments with long file names.
Status: Candidate
Phase: Proposed (19990728)
Reference: BUGTRAQ:19990320 Eudora Attachment Buffer Overflow
Reference: XF:eudora-long-attachments
Votes:
ACCEPT(1) Baker
MODIFY(1) Frech
NOOP(1) Christey
Voter Comments:
Frech> Change version number to 4.2beta. Second to last paragraph in bugtraq
reference states: "Both the Win 95 and Win NT versions, along with the 4.2
beta of Eudora are affected."
Christey> This issue seems to have been rediscovered in
BUGTRAQ:20000515 Eudora Pro & Outlook Overflow - too long filenames again
http://marc.theaimsgroup.com/?l=bugtraq&m=95842482413076&w=2
Also see
BUGTRAQ:19990320 Eudora Attachment Buffer Overflow
http://marc.theaimsgroup.com/?l=bugtraq&m=92195396912110&w=2
Is this a duplicate/subsumed by CVE-1999-0004?
Name: CVE-1999-0431
Description:
Linux 2.2.3 and earlier allow a remote attacker to perform an IP
fragmentation attack, causing a denial of service.
Status: Candidate
Phase: Modified (20000106-01)
Reference: BUGTRAQ:19990324 DoS for Linux 2.1.89 - 2.2.3: 0 length fragment bug
Reference: XF:linux-zerolength-fragment
Votes:
ACCEPT(1) Baker
MODIFY(1) Frech
NOOP(1) Christey
Voter Comments:
Frech> XF:linux-zerolength-fragment
Christey> Consider adding BID:2247
Name: CVE-1999-0434
Description:
XFree86 xfs command is vulnerable to a symlink attack, allowing
local users to create files in restricted directories, possibly
allowing them to gain privileges or cause a denial of service.
Status: Candidate
Phase: Proposed (19990728)
Reference: BUGTRAQ:19990331 Bug in xfs
Reference: BID:359
Reference: URL:http://www.securityfocus.com/bid/359
Votes:
ACCEPT(1) Baker
MODIFY(1) Frech
NOOP(1) Christey
Voter Comments:
Frech> XF:xfree86-xfs-symlink-dos
Christey> Is this the same problem as CVE-1999-0433? CVE-1999-0433
deals with a symlink attack on one file (/tmp/.X11-unix),
while xfs (this candidate) deals with /tmp/.font-unix
XF:xfree86-xfs-symlink-dos doesn't exist.
Christey> ADDREF DEBIAN:19990331 symbolic link can be used to make any file world readable
Note: Debian's advisory says that this is not a problem for Debian.
Name: CVE-1999-0435
Description:
MC/ServiceGuard and MC/LockManager in HP-UX allows local users to gain
privileges through SAM.
Status: Candidate
Phase: Proposed (19990623)
Reference: HP:HPSBUX9903-096
Votes:
ACCEPT(2) Baker, Ozancin
MODIFY(1) Frech
NOOP(1) Christey
Voter Comments:
Frech> XF:hp-servicegaurd
Christey> ADDREF CIAC:J-039
Christey> Note the typo in Andre's suggested reference.
Normalize to XF:hp-serviceguard(2046)
Name: CVE-1999-0443
Description:
Patrol management software allows a remote attacker to conduct a
replay attack to steal the administrator password.
Status: Candidate
Phase: Proposed (19990728)
Reference: BUGTRAQ:19990409 Patrol security bugs
Reference: URL:http://www.securityfocus.com/archive/1/13204
Reference: XF:bmc-patrol-replay
Votes:
ACCEPT(1) Baker
MODIFY(1) Frech
Voter Comments:
Frech> Change "Patrol management software" to "The PATROL management product from
BMC Software".
Name: CVE-1999-0444
Description:
Remote attackers can perform a denial of service in Windows machines
using malicious ARP packets, forcing a message box display for each
packet or filling up log files.
Status: Candidate
Phase: Modified (20000106-01)
Reference: BUGTRAQ:19990412 ARP problem in Windows9X/NT
Reference: XF:windows-arp-dos
Votes:
ACCEPT(1) Baker
MODIFY(1) Frech
Voter Comments:
Frech> ADDREF: XF:windows-arp-dos
Name: CVE-1999-0450
Description:
In IIS, an attacker could determine a real path using a request for a
non-existent URL that would be interpreted by Perl (perl.exe).
Status: Candidate
Phase: Modified (20090622)
Reference: BUGTRAQ:19990122 Perl.exe and IIS security advisory
Reference: BID:194
Reference: URL:http://www.securityfocus.com/bid/194
Votes:
ACCEPT(2) Ozancin, Wall
NOOP(2) Baker, Christey
REJECT(2) Frech, LeBlanc
Voter Comments:
Frech> Can't find in database.
Christey> This looks like another discovery of CVE-2000-0071
LeBlanc> - I just tried to repro this based on the BUGTRAQ vuln information,
and it does not repro -
GET /bogus.pl HTTP/1.0
HTTP/1.1 404 Object Not Found
Server: Microsoft-IIS/5.0
Date: Thu, 05 Oct 2000 21:04:20 GMT
Content-Length: 3243
Content-Type: text/html
No path is returned whatsoever. This may have been a problem on some version
of IIS in the past, but the BUGTRAQ ID says all versions are vulnerable.
Let's try and figure out what version had the problem, whether it is
intrinsic to IIS or the result of adding a 3rd party implementation of perl,
and when it got fixed, then we can try again.
CHANGE> [Frech changed vote from REVIEWING to REJECT]
Christey> Add "no-such-file.pl" as an example to the desc, to facilitate
search (it's used by CGI scanners and in the original example)
Name: CVE-1999-0451
Description:
Denial of service in Linux 2.0.36 allows local users to prevent
any server from listening on any non-privileged port.
Status: Candidate
Phase: Proposed (19990726)
Reference: BUGTRAQ:Jan19,1999
Reference: BID:343
Reference: URL:http://www.securityfocus.com/bid/343
Votes:
ACCEPT(2) Baker, Ozancin
MODIFY(1) Frech
NOOP(1) Wall
Voter Comments:
CHANGE> [Frech changed vote from REVIEWING to MODIFY]
Frech> XF:linux-ports-dos(8364)
Name: CVE-1999-0452
Description:
A service or application has a backdoor password that was placed there
by the developer.
Status: Candidate
Phase: Proposed (19990726)
Votes:
ACCEPT(2) Baker, Wall
REJECT(1) Frech
Voter Comments:
Frech> Much too broad. Also may be HIGHCARD (or will be in the future).
Baker> I think we want to address this using the dot notation idea. We do need to address this, just not a separate entry for every single occurance.
Name: CVE-1999-0453
Description:
An attacker can identify a CISCO device by sending a SYN packet to
port 1999, which is for the Cisco Discovery Protocol (CDP).
Status: Candidate
Phase: Modified (20040512-02)
Reference: BUGTRAQ:19990118 Remote Cisco Identification
Votes:
ACCEPT(2) Baker, Balinsky
MODIFY(1) Frech
NOOP(2) Northcutt, Wall
REVIEWING(1) Christey
Voter Comments:
Frech> XF:cisco-ident(2289)
ADDREF BUGTRAQ:19990118 Remote Cisco Identification
In description, probably better to use "Cisco" as product/company name.
Balinsky> CiscoSecure IDS has a signature for this...ID 3602 Cisco IOS Identity.
Christey> There may be a slight abstraction problem here, e.g. look
at the candidate for queso/nmap; also see followup Bugtraq post
from "Basement Research" on 19990120 which says that there are
many other features in Cisco products that allow remote
identification.
Christey> fix typo: "Dicsovery"
Name: CVE-1999-0454
Description:
A remote attacker can sometimes identify the operating system of a
host based on how it reacts to some IP or ICMP packets, using a tool
such as nmap or queso.
Status: Candidate
Phase: Proposed (19990728)
Votes:
MODIFY(1) Frech
NOOP(2) Christey, Wall
REJECT(2) Baker, Northcutt
Voter Comments:
Northcutt> Nmap and queso are the tip of the iceberg and not the most advanced
ways to accomplish this. To pursue making the world signature free
is as much a vulnerability as having signatures, nay more.
Frech> XF:decod-nmap(2053)
XF:decod-queso(2048)
Christey> Add "fingerprinting" to facilitate search.
Some references:
MISC:http://www.insecure.org/nmap/nmap-fingerprinting-article.html
BUGTRAQ:19981228 A few more fingerprinting techniques - time and netmask
http://marc.theaimsgroup.com/?l=bugtraq&m=91489155019895&w=2
BUGTRAQ:19990222 Preventing remote OS detection
http://marc.theaimsgroup.com/?l=bugtraq&m=91971553006937&w=2
BUGTRAQ:20000901 ICMP Usage In Scanning v2.0 - Research Paper
http://marc.theaimsgroup.com/?l=bugtraq&m=96791499611849&w=2
BUGTRAQ:20000912 Using the Unused (Identifying OpenBSD,
http://marc.theaimsgroup.com/?l=bugtraq&m=96879267724690&w=2
BUGTRAQ:20000912 The DF Bit Playground (Identifying Sun Solaris & OpenBSD OSs)
http://marc.theaimsgroup.com/?l=bugtraq&m=96879481129637&w=2
BUGTRAQ:20000816 TOSing OSs out of the window / Fingerprinting Windows 2000 with
http://marc.theaimsgroup.com/?l=bugtraq&m=96644121403569&w=2
BUGTRAQ:20000609 p0f - passive os fingerprinting tool
http://marc.theaimsgroup.com/?l=bugtraq&m=96062535628242&w=2
Baker> I think we can probably reject this as the corollary is that you can identify OS from a IP/TCP packet sent by a system, looking at various parts of the SYN packet. Unless we believe that all systems should always use identical packet header/identical responses, in which case the protocol should not permit variation.
Name: CVE-1999-0455
Description:
The Expression Evaluator sample application in ColdFusion allows
remote attackers to read or delete files on the server via
exprcalc.cfm, which does not restrict access to the server properly.
Status: Candidate
Phase: Modified (19991210-01)
Reference: ALLAIRE:ASB-001
Reference: XF:coldfusion-expression-evaluator
Reference: BID:115
Reference: URL:http://www.securityfocus.com/bid/115
Votes:
ACCEPT(3) Balinsky, Frech, Ozancin
MODIFY(1) Wall
NOOP(1) Baker
REVIEWING(1) Christey
Voter Comments:
Wall> The reference should be ASB99-01 (Expression Evaluator Security Issues)
make application plural since there are three sample applications
(openfile.cfm, displayopenedfile.cfm, and exprcalc.cfm).
Christey> The CD:SF-EXEC and CD:SF-LOC content decisions apply here.
Since there are 3 separate "executables" with the same
(or similar) problem, we need to make sure that CD:SF-EXEC
determines what to do here. There is evidence that some
of these .cfm scripts have an "include" file, and if so,
then CD:SF-LOC says that we shouldn't make separate entries
for each of these scripts. On the other hand, the initial
L0pht discovery didn't include all 3 of these scripts, and
as far as I can tell, Allaire had patched the first problem
before the others were discovered. So, CD:DISCOVERY-DATE
may argue that we should split these because the problems
were discovered and patched at different times.
In any case, this candidate can not be accepted until the
Editorial Board has accepted the CD:SF-EXEC, CD:SF-LOC,
and CD:DISCOVERY-DATE content decisions.
Name: CVE-1999-0459
Description:
Local users can perform a denial of service in Alpha Linux, using MILO
to force a reboot.
Status: Candidate
Phase: Proposed (19990728)
Reference: XF:linux-milo-halt
Votes:
ACCEPT(1) Frech
NOOP(2) Baker, Northcutt
REJECT(1) Wall
Voter Comments:
Wall> Reject based on beta copy.
Name: CVE-1999-0460
Description:
Buffer overflow in Linux autofs module through long directory names
allows local users to perform a denial of service.
Status: Candidate
Phase: Proposed (19990726)
Reference: BUGTRAQ:19990218 Linux autofs overflow in 2.0.36+
Reference: BID:312
Reference: URL:http://www.securityfocus.com/bid/312
Votes:
ACCEPT(2) Baker, Ozancin
MODIFY(1) Frech
NOOP(1) Wall
Voter Comments:
CHANGE> [Frech changed vote from REVIEWING to MODIFY]
Frech> XF:linux-autofs-bo(8365)
Name: CVE-1999-0461
Description:
Versions of rpcbind including Linux, IRIX, and Wietse Venema's rpcbind
allow a remote attacker to insert and delete entries by spoofing a
source address.
Status: Candidate
Phase: Proposed (19990728)
Votes:
MODIFY(1) Frech
RECAST(1) Baker
REVIEWING(1) Christey
Voter Comments:
Frech> ADDREF XF:pmap-sset
Christey> CVE-1999-0195 = CVE-1999-0461 ?
If this is approved over CVE-1999-0195, make sure it gets
XF:pmap-sset
Baker> THis does appear to be a duplicate. We should accept 1999-0195, since it already has the votes and get rid of this one
Name: CVE-1999-0462
Description:
suidperl in Linux Perl does not check the nosuid mount option on file
systems, allowing local users to gain root access by placing a setuid
script in a mountable file system, e.g. a CD-ROM or floppy disk.
Status: Candidate
Phase: Proposed (19990728)
Reference: BUGTRAQ:19990114 Secuity hole with perl (suidperl) and nosuid mounts on Linux
Reference: BID:339
Reference: URL:http://www.securityfocus.com/bid/339
Votes:
ACCEPT(1) Baker
MODIFY(1) Frech
NOOP(1) Christey
Voter Comments:
Frech> XF:perl-suidperl-bo
Christey> XF:perl-suidperl-bo doesn't exist.
Name: CVE-1999-0465
Description:
Remote attackers can crash Lynx and Internet Explorer using an IMG tag
with a large width parameter.
Status: Candidate
Phase: Proposed (19990728)
Reference: XF:http-img-overflow
Votes:
ACCEPT(2) Frech, Northcutt
NOOP(1) Baker
REJECT(2) LeBlanc, Wall
Voter Comments:
Wall> Reject based on client-side DoS
LeBlanc> Client side DOS
Name: CVE-1999-0467
Description:
The Webcom CGI Guestbook programs wguest.exe and rguest.exe allow a
remote attacker to read arbitrary files using the "template"
parameter.
Status: Candidate
Phase: Modified (20000106-01)
Reference: NTBUGTRAQ:19990409 Webcom's CGI Guestbook for Win32 web servers
Reference: XF:http-cgi-webcom-guestbook
Votes:
ACCEPT(4) Blake, Frech, Landfield, Ozancin
NOOP(3) Baker, Christey, Northcutt
Voter Comments:
Christey> CVE-1999-0287 is probably a duplicate of CVE-1999-0467. In
NTBUGTRAQ:19990409 Webcom's CGI Guestbook for Win32 web servers
Mnemonix says that he had previously reported on a similar
problem. Let's refer to the NTBugtraq posting as
CVE-1999-0467. We will refer to the "previous report" as
CVE-1999-0287, which can be found at:
http://oliver.efri.hr/~crv/security/bugs/NT/httpd41.html
0287 describes an exploit via the "template" hidden variable.
The exploit describes manually editing the HTML form to
change the filename to read from the template variable.
The exploit as described in 0467 encodes the template variable
directly into the URL. However, hidden variables are also
encoded into the URL, which would have looked the same to
the web server regardless of the exploit. Therefore 0287
and 0467 are the same.
Christey>
The CD:SF-EXEC content decision also applies here. We have 2
programs, wguest.exe and rguest.exe, which appear to have the
same problem. CD:SF-EXEC needs to be accepted by the Editorial
Board before this candidate can be converted into a CVE
entry. When finalized, CD:SF-EXEC will decide whether
this candidate should be split or not.
Christey> BID:2024
Name: CVE-1999-0469
Description:
Internet Explorer 5.0 allows window spoofing, allowing a remote
attacker to spoof a legitimate web site and capture information from
the client.
Status: Candidate
Phase: Proposed (19990728)
Reference: BUGTRAQ:19990409 IE 5.0 security vulnerabilities - %01 bug again
Reference: XF:ie-window-spoof
Votes:
ACCEPT(1) Wall
NOOP(2) Baker, Northcutt
REJECT(3) Christey, Frech, LeBlanc
Voter Comments:
Wall> Reference: Microsoft Security Bulletin MS99-012
Christey> DUPE CVE-1999-0488
Frech> Defer to Christey's vote.
However, XF:ie-mshtml-crossframe(2216) assigned to CVE-1999-0488.
LeBlanc> Duplicate
Name: CVE-1999-0476
Description:
A weak encryption algorithm is used for passwords in SCO TermVision,
allowing them to be easily decrypted by a local user.
Status: Candidate
Phase: Proposed (19990721)
Reference: BUGTRAQ:19990331 Potential vulnerability in SCO TermVision Windows 95 client
Reference: XF:sco-termvision-password
Votes:
ACCEPT(3) Baker, Frech, Ozancin
NOOP(3) LeBlanc, Northcutt, Wall
Name: CVE-1999-0477
Description:
The Expression Evaluator in the ColdFusion Application Server allows a
remote attacker to upload files to the server via openfile.cfm, which
does not restrict access to the server properly.
Status: Candidate
Phase: Modified (19991210-01)
Reference: L0PHT:Cold Fusion App Server
Reference: XF:coldfusion-expression-evaluator
Reference: BID:115
Reference: URL:http://www.securityfocus.com/bid/115
Votes:
ACCEPT(4) Baker, Christey, Frech, Ozancin
REJECT(1) Wall
Voter Comments:
Wall> Duplicate of 0455
Christey> CVE-1999-0477 and CVE-1999-0455 were discovered at different
times. Also, the attack was different. So "Same Attack" and
"Same Time of Discovery" dictate that these should remain
separate.
Name: CVE-1999-0480
Description:
Local attackers can conduct a denial of service in Midnight Commander
4.x with a symlink attack.
Status: Candidate
Phase: Modified (20000106-01)
Reference: BUGTRAQ:19980315 Midnight Commander /tmp race
Votes:
ACCEPT(1) Baker
MODIFY(1) Frech
NOOP(1) Christey
Voter Comments:
Frech> XF:midnight-commander-symlink-dos
Christey> XF:midnight-commander-symlink-dos(3505)
Name: CVE-1999-0486
Description:
Denial of service in AOL Instant Messenger when a remote attacker
sends a malicious hyperlink to the receiving client, potentially
causing a system crash.
Status: Candidate
Phase: Modified (20000106-01)
Reference: BUGTRAQ:19990420 AOL Instant Messenger URL Crash
Votes:
ACCEPT(1) Baker
MODIFY(1) Frech
NOOP(1) Christey
Voter Comments:
Frech> XF:aol-im.
Christey> XF:aol-im appears to be related to the problem discussed in
BUGTRAQ:19980224 AOL Instant Messanger Bug
This one is related to BUGTRAQ:19990420 AOL Instant Messenger URL Crash
Name: CVE-1999-0488
Description:
Internet Explorer 4.0 and 5.0 allows a remote attacker to execute
security scripts in a different security context using malicious
URLs, a variant of the "cross frame" vulnerability.
Status: Candidate
Phase: Modified (19991205-01)
Reference: MS:MS99-012
Reference: URL:http://www.microsoft.com/technet/security/bulletin/ms99-012.asp
Votes:
ACCEPT(2) Baker, Landfield
MODIFY(2) Frech, Wall
NOOP(2) Christey, Ozancin
Voter Comments:
Frech> XF:ie-mshtml-crossframe
Wall> (source: MSKB:Q168485)
Christey> CVE-1999-0469 appears to be a duplicate; prefer this one over
that one, since this one has an MS advisory. Confirm with
Microsoft that these are really duplicates.
Also review CVE-1999-0487, which appears to be a similar
bug.
Name: CVE-1999-0489
Description:
MSHTML.DLL in Internet Explorer 5.0 allows a remote attacker to paste
a file name into the file upload intrinsic control, a variant of
"untrusted scripted paste" as described in MS:MS98-013.
Status: Candidate
Phase: Modified (19991205-01)
Reference: MS:MS99-015
Reference: URL:http://www.microsoft.com/technet/security/bulletin/ms99-015.asp
Votes:
ACCEPT(1) Levy
MODIFY(1) Wall
NOOP(2) Baker, Ozancin
RECAST(1) Prosser
REJECT(1) Christey
REVIEWING(1) Frech
Voter Comments:
Frech> Wasn't Untrusted scripted paste MS98-015? I can find no mention of a
clipboard in either.
I cannot proceed on this one without further clarification.
Wall> (source: MS:MS99-012)
Prosser> agree with Andre here. The Untrusted Scripted paste
vulnerability was originally addressed in MS98-015 and it is in the file
upload intrinsic control in which an attacker can paste the name of a file
on the target's drive in the control and a form submission would then send
that file from the attacked machine to the remote web site. This one has
nothing to do with the clipboard. What the advisory mentioned here,
MS99-012, does is replace the MSHTML parsing engine which is supposed to fix
the original Untrusted Scripted Paste issue and a variant, as well as the
two Cross-Frame variants and a privacy issue in IMG SRC.
The vulnerability that allowed reading of a user's clipboard is the Forms
2.0 Active X control vulnerability discussed in MS99-01
Christey> The advisory should have been listed as MS99-012.
CVE-1999-0468 describes the untrusted scripted paste problem
in MS99-012.
Frech> Pending response to guidance request. 12/6/01.
Name: CVE-1999-0490
Description:
MSHTML.DLL in Internet Explorer 5.0 allows a remote attacker to learn
information about a local user's files via an IMG SRC tag.
Status: Candidate
Phase: Modified (19991205-01)
Reference: MS:MS99-012
Reference: URL:http://www.microsoft.com/technet/security/bulletin/ms99-012.asp
Votes:
ACCEPT(2) Landfield, Wall
MODIFY(1) Frech
NOOP(2) Baker, Ozancin
REVIEWING(1) Christey
Voter Comments:
Frech> XF:ie-scriplet-fileread
Christey> Duplicate of CVE-1999-0347?
Name: CVE-1999-0492
Description:
The ffingerd 1.19 allows remote attackers to identify users on the
target system based on its responses.
Status: Candidate
Phase: Proposed (19990726)
Reference: BUGTRAQ:Apr23,1999
Votes:
ACCEPT(3) Armstrong, Collins, Northcutt
MODIFY(4) Baker, Blake, Frech, Shostack
NOOP(4) Christey, Cole, Landfield, Wall
REVIEWING(1) Ozancin
Voter Comments:
Shostack> isn't that what finger is supposed to do?
Landfield> Maybe we need a new category of "unsafe system utilities and protocols"
Blake> Ffingerd 1.19 allows remote attackers to differentiate valid and invalid
usernames on the target system based on its responses to finger queries.
Christey> CHANGEREF BUGTRAQ [canonicalize]
BUGTRAQ:19990423 Ffingerd privacy issues
http://marc.theaimsgroup.com/?l=bugtraq&m=92488772121313&w=2
Here's the nature of the problem.
(1) FFingerd allows users to decide not to be fingered,
printing a message "That user does not want to be fingered"
(2) If the fingered user does not exist, then FFingerd's
intended default is to print that the user does not
want to be fingered; however, the error message has a
period at the end.
Thus, ffingerd can allow someone to determine who valid users
on the server are, *in spite of* the intended functionality of
ffingerd itself. Thus this exposure should be viewed in light
of the intended functionality of the application, as opposed
to the common usage of the finger protocol in general.
Also, the vendor posted a followup and said that a patch was
available. See:
http://marc.theaimsgroup.com/?l=bugtraq&m=92489375428016&w=2
Baker> Vulnerability Reference (HTML) Reference Type
http://www.securityfocus.com/archive/1/13422 Misc Defensive Info
CHANGE> [Frech changed vote from REVIEWING to MODIFY]
Frech> XF:ffinger-user-info(5393)
Name: CVE-1999-0495
Description:
A remote attacker can gain access to a file system using .. (dot dot)
when accessing SMB shares.
Status: Candidate
Phase: Proposed (19990728)
Votes:
ACCEPT(6) Baker, Blake, Cole, Collins, Northcutt, Ozancin
MODIFY(1) Frech
NOOP(4) Armstrong, Bishop, Landfield, Wall
REVIEWING(2) Christey, Levy
Voter Comments:
Frech> XF:nb-dotdotknown(837)
References would be appreciated. We've got no reference for this issue;
confidence rating is consequently low.
Levy> Some refernces:
http://www.securityfocus.com/archive/1/3894
http://www.securityfocus.com/archive/1/3533
http://www.securityfocus.com/archive/1/3535
Name: CVE-1999-0497
Description:
Anonymous FTP is enabled.
Status: Candidate
Phase: Modified (20040811)
Votes:
ACCEPT(1) Shostack
MODIFY(1) Frech
NOOP(2) Baker, Christey
REJECT(1) Northcutt
Voter Comments:
Frech> ftp-anon(52) at http://xforce.iss.net/static/52.php
ftp-anon2(543) at http://xforce.iss.net/static/543.php
Christey> Add period to the end of the description.
Baker> DOn't know about this, but it may be the only easy way to allow access to data for some folks.
Name: CVE-1999-0498
Description:
TFTP is not running in a restricted directory, allowing a remote
attacker to access sensitive information such as password files.
Status: Candidate
Phase: Modified (19990925-01)
Reference: CERT:CA-91.18.Active.Internet.tftp.Attacks
Votes:
ACCEPT(3) Blake, Hill, Northcutt
MODIFY(1) Frech
NOOP(1) Baker
REVIEWING(1) Christey
Voter Comments:
Frech> XF:linux-tftp
Christey> XF:linux-tftp refers to CVE-1999-0183
Name: CVE-1999-0499
Description:
NETBIOS share information may be published through SNMP registry keys
in NT.
Status: Candidate
Phase: Proposed (19990721)
Votes:
ACCEPT(5) Baker, Northcutt, Ozancin, Shostack, Wall
MODIFY(1) Frech
REJECT(1) LeBlanc
Voter Comments:
Frech> Change wording to 'Windows NT.'
XF:snmp-netbios
LeBlanc> Share info can be obtained via SNMP queries, but I question
whether this is a vulnerability. The system can be configured not to do
this, and one may argue that SNMP itself is an insecure configuration.
Furthermore, the share information isn't published via registry keys -
the description could refer to more than one actual issue. SNMP is meant
to allow people to obtain information about systems. I'm willing to
discuss this with the rest of the board.
Name: CVE-1999-0501
Description:
A Unix account has a guessable password.
Status: Candidate
Phase: Proposed (19990714)
Votes:
ACCEPT(3) Baker, Northcutt, Shostack
RECAST(2) Frech, Meunier
REVIEWING(1) Christey
Voter Comments:
Frech> Guessable falls into the class of CVE-1999-0502, since I can guess a
default, null, etc. password.
Suggest changing to something like "has an existing non-default password
that can be guessed."
I'm also including default passwords in this entry.
In that vein, we show the following references:
XF:user-password
XF:passwd-username
XF:default-unix-sync
XF:default-unix-4dgifts
XF:default-unix-bin
XF:default-unix-daemon
XF:default-unix-lp
XF:default-unix-me
XF:default-unix-nuucp
XF:default-unix-root
XF:default-unix-toor
XF:default-unix-tour
XF:default-unix-tty
XF:default-unix-uucp
Christey> This candidate is affected by the CD:CF-PASS content decision,
which determines the appropriate level of abstraction to
use for password problems. CD:CF-PASS needs to be accepted
by the Editorial Board before this candidate can be
converted into a CVE entry; the final version of CD:CF-PASS
may require using a different LOA than this candidate is
currently using.
CHANGE> [Meunier changed vote from ACCEPT to RECAST]
Meunier> This relates only to account password technology, so this candidate is
independent of the operating system, application, web site or other
application of this technology. The appropriate (natural) level of
abstraction is therefore without specifying that it is for UNIX.
Change the description to "An account has a guessable password other
than default, null, blank." This should satisfy Andre's objection.
This Candidate should be merged with any candidate relating to
account password technology where "Unix" in the original description
can be replaced by something else.
Name: CVE-1999-0502
Description:
A Unix account has a default, null, blank, or missing password.
Status: Candidate
Phase: Proposed (19990714)
Votes:
ACCEPT(4) Baker, Meunier, Northcutt, Shostack
MODIFY(1) Frech
REVIEWING(1) Christey
Voter Comments:
Frech> XF:passwd-blank
XF:no-pass
XF:dict
XF:sgi-accounts
XF:linux-caldera-lisa
Christey> This candidate is affected by the CD:CF-PASS content decision,
which determines the appropriate level of abstraction to
use for password problems. CD:CF-PASS needs to be accepted
by the Editorial Board before this candidate can be
converted into a CVE entry; the final version of CD:CF-PASS
may require using a different LOA than this candidate is
currently using.
Name: CVE-1999-0503
Description:
A Windows NT local user or administrator account has a guessable
password.
Status: Candidate
Phase: Proposed (19990714)
Votes:
ACCEPT(4) Baker, Meunier, Northcutt, Shostack
MODIFY(1) Frech
REVIEWING(1) Christey
Voter Comments:
Frech> Note: I am assuming that this entry includes Windows 2000 accounts and
machine/service accounts listed in User Manager.
XF:nt-guess-admin
XF:nt-guess-user
XF:nt-guess-guest
XF:nt-guessed-operpwd
XF:nt-guessed-powerwd
XF:nt-guessed-disabled
XF:nt-guessed-backup
XF:nt-guessed-acctoper-pwd
XF:nt-adminuserpw
XF:nt-guestuserpw
XF:nt-accountuserpw
XF:nt-operator-userpw
XF:nt-service-user-pwd
XF:nt-server-oper-user-pwd
XF:nt-power-user-pwd
XF:nt-backup-operator-userpwd
XF:nt-disabled-account-userpwd
Christey> This candidate is affected by the CD:CF-PASS content decision,
which determines the appropriate level of abstraction to
use for password problems. CD:CF-PASS needs to be accepted
by the Editorial Board before this candidate can be
converted into a CVE entry; the final version of CD:CF-PASS
may require using a different LOA than this candidate is
currently using.
Name: CVE-1999-0504
Description:
A Windows NT local user or administrator account has a default, null,
blank, or missing password.
Status: Candidate
Phase: Proposed (19990714)
Votes:
ACCEPT(4) Baker, Meunier, Northcutt, Shostack
MODIFY(1) Frech
REVIEWING(1) Christey
Voter Comments:
Frech> XF:nt-guestblankpw
XF:nt-adminblankpw
XF:nt-adminnopw
XF:nt-usernopw
XF:nt-guestnopw
XF:nt-accountblankpw
XF:nt-nopw
XF:nt-operator-blankpwd
XF:nt-server-oper-blank-pwd
XF:nt-power-user-blankpwd
XF:nt-backup-operator-blankpwd
XF:nt-disabled-account-blankpwd
Christey> This candidate is affected by the CD:CF-PASS content decision,
which determines the appropriate level of abstraction to
use for password problems. CD:CF-PASS needs to be accepted
by the Editorial Board before this candidate can be
converted into a CVE entry; the final version of CD:CF-PASS
may require using a different LOA than this candidate is
currently using.
Name: CVE-1999-0505
Description:
A Windows NT domain user or administrator account has a guessable
password.
Status: Candidate
Phase: Proposed (19990714)
Votes:
ACCEPT(4) Baker, Meunier, Northcutt, Shostack
MODIFY(1) Frech
Voter Comments:
Frech> XF:nt-guessed-domain-userpwd
XF:nt-guessed-domain-guestpwd
XF:nt-guessed-domain-adminpwd
XF:nt-domain-userpwd
XF:nt-domain-admin-userpwd
XF:nt-domain-guest-userpwd
XF:win2k-certpub-usrpwd
XF:win2k-dhcpadm-usrpwd
XF:win2k-dnsadm-usrpwd
XF:win2k-entadm-usrpwd
XF:win2k-schema-usrpwd
XF:win2k-guessed-certpub
XF:win2k-guessed-dhcpadm
XF:win2k-guessed-dnsadm
XF:win2k-guessed-entadm
XF:win2k-guessed-schema
Name: CVE-1999-0506
Description:
A Windows NT domain user or administrator account has a default, null,
blank, or missing password.
Status: Candidate
Phase: Proposed (19990714)
Votes:
ACCEPT(4) Baker, Meunier, Northcutt, Shostack
MODIFY(1) Frech
Voter Comments:
Frech> XF:nt-domain-admin-blankpwd
XF:nt-domain-admin-nopwd
XF:nt-domain-guest-blankpwd
XF:nt-domain-guest-nopwd
XF:nt-domain-user-blankpwd
XF:nt-domain-user-nopwd
XF:win2k-certpub-blnkpwd
XF:win2k-dhcpadm-blnkpwd
XF:win2k-dnsadm-blnkpwd
XF:win2k-entadm-blnkpwd
XF:win2k-schema-blnkpwd
Name: CVE-1999-0507
Description:
An account on a router, firewall, or other network device has a guessable
password.
Status: Candidate
Phase: Proposed (19990714)
Votes:
ACCEPT(4) Baker, Meunier, Northcutt, Shostack
MODIFY(1) Frech
Voter Comments:
Frech> XF:firewall-tisopen
XF:firewall-raptoropen
XF:firewall-msopen
XF:firewall-checkpointopen
XF:firewall-ciscoopen
Name: CVE-1999-0508
Description:
An account on a router, firewall, or other network device has a
default, null, blank, or missing password.
Status: Candidate
Phase: Proposed (19990714)
Votes:
ACCEPT(4) Baker, Meunier, Northcutt, Shostack
MODIFY(1) Frech
NOOP(1) Christey
Voter Comments:
Frech> Note: Because the distinction between network hardware and software is not
distinct,
the term 'network device' was liberally interpreted. Feel free to reject any
of the
below terms.
XF:default-netranger
XF:cayman-gatorbox
XF:breezecom-default-passwords
XF:default-portmaster
XF:wingate-unpassworded
XF:netopia-unpassworded
XF:default-bay-switches
XF:motorola-cable-default-pass
XF:default-flowpoint
XF:qms-2060-no-root-password
XF:avirt-ras-password
XF:webtrends-rtp-serv-install-password
XF:cisco-bruteforce
XF:cisco-bruteadmin
XF:sambar-server-defaults
XF:management-pfcuser
XF:http-cgi-wwwboard-default
Christey> DELREF XF:avirt-ras-password - does not fit CVE-1999-0508.
Name: CVE-1999-0509
Description:
Perl, sh, csh, or other shell interpreters are installed in the
cgi-bin directory on a WWW site, which allows remote attackers to
execute arbitrary commands.
Status: Candidate
Phase: Modified (20000114-01)
Reference: CERT:CA-96.11
Votes:
ACCEPT(2) Northcutt, Wall
MODIFY(1) Frech
NOOP(1) Baker
REVIEWING(1) Christey
Voter Comments:
Christey> What is the right level of abstraction to use here? Should
we combine all possible interpreters into a single entry,
or have a different entry for each one? I've often seen
Perl separated from other interpreters - is it included
by default in some Windows web server configurations?
Christey> Add tcsh, zsh, bash, rksh, ksh, ash, to support search.
Frech> XF:http-cgi-vuln(146)
Name: CVE-1999-0510
Description:
A router or firewall allows source routed packets from arbitrary
hosts.
Status: Candidate
Phase: Proposed (19990726)
Votes:
ACCEPT(2) Baker, Northcutt
MODIFY(1) Frech
Voter Comments:
Frech> XF:source-routing
Name: CVE-1999-0511
Description:
IP forwarding is enabled on a machine which is not a router or
firewall.
Status: Candidate
Phase: Proposed (19990726)
Votes:
ACCEPT(2) Baker, Northcutt
MODIFY(1) Frech
Voter Comments:
Frech> XF:ip-forwarding
Name: CVE-1999-0512
Description:
A mail server is explicitly configured to allow SMTP mail relay, which
allows abuse by spammers.
Status: Candidate
Phase: Modified (20020427-01)
Votes:
ACCEPT(3) Baker, Northcutt, Shostack
MODIFY(1) Frech
NOOP(1) Christey
Voter Comments:
Frech> XF:smtp-sendmail-relay(210)
XF:ntmail-relay(2257)
XF:exchange-relay(3107) (also assigned to CVE-1999-0682)
XF:smtp-relay-uucp(3470)
XF:sco-sendmail-spam(4342)
XF:sco-openserver-mmdf-spam(4343)
XF:lotus-domino-smtp-mail-relay(6591)
XF:win2k-smtp-mail-relay(6803)
XF:cobalt-poprelayd-mail-relay(6806)
Candidate implicitly may refer to relaying settings enabled by default, or
the bypass/circumvention of relaying. Both interpretations were used in
assigning this candidate.
Christey> The intention of this candidate is to cover configurations in
which the admin has explicitly enabled relaying. Other cases
in which the application *intends* to prvent relaying, but
there is some specific input that bypasses/tricks it, count
as vulnerabilities (or exposures?) and as such would be
assigned different numbers.
http://www.sendmail.org/~ca/email/spam.html seems like a good
general resource, as does ftp://ftp.isi.edu/in-notes/rfc2505.txt
Christey> I changed the description to make it more clear that the issue
is that of explicit configuration, as opposed to being the
result of a vulnerability.
Name: CVE-1999-0515
Description:
An unrestricted remote trust relationship for Unix systems has been
set up, e.g. by using a + sign in /etc/hosts.equiv.
Status: Candidate
Phase: Proposed (19990728)
Votes:
ACCEPT(2) Baker, Northcutt
MODIFY(1) Frech
REJECT(1) Shostack
Voter Comments:
Shostack> Overly broad
Frech> XF:rsh-equiv(111)
Baker> Since this is unrestricted trust, I agree this is a problem
Name: CVE-1999-0516
Description:
An SNMP community name is guessable.
Status: Candidate
Phase: Proposed (19990714)
Votes:
ACCEPT(4) Baker, Meunier, Northcutt, Shostack
MODIFY(1) Frech
REVIEWING(1) Christey
Voter Comments:
Frech> XF:snmp-get-guess
XF:snmp-set-guess
XF:sol-hidden-commstr
XF:hpov-hidden-snmp-comm
Christey> This candidate is affected by the CD:CF-PASS content decision,
which determines the appropriate level of abstraction to
use for password problems. CD:CF-PASS needs to be accepted
by the Editorial Board before this candidate can be
converted into a CVE entry; the final version of CD:CF-PASS
may require using a different LOA than this candidate is
currently using.
Name: CVE-1999-0517
Description:
An SNMP community name is the default (e.g. public), null, or
missing.
Status: Candidate
Phase: Proposed (19990714)
Votes:
ACCEPT(4) Baker, Meunier, Northcutt, Shostack
MODIFY(1) Frech
REVIEWING(1) Christey
Voter Comments:
Frech> XF:nt-snmp
XF:snmp-comm
XF:snmp-set-any
XF:snmp-get-public
XF:snmp-set-public
XF:snmp-get-any
Christey> This candidate is affected by the CD:CF-PASS content decision,
which determines the appropriate level of abstraction to
use for password problems. CD:CF-PASS needs to be accepted
by the Editorial Board before this candidate can be
converted into a CVE entry; the final version of CD:CF-PASS
may require using a different LOA than this candidate is
currently using.
Christey> Consider adding BID:2112
Name: CVE-1999-0518
Description:
A NETBIOS/SMB share password is guessable.
Status: Candidate
Phase: Proposed (19990714)
Votes:
ACCEPT(5) Baker, LeBlanc, Meunier, Northcutt, Shostack
MODIFY(1) Frech
Voter Comments:
Frech> Change description term to NetBIOS.
XF:nt-netbios-perm
XF:sharepass
XF:win95-smb-password
XF:nt-netbios-dict
Name: CVE-1999-0519
Description:
A NETBIOS/SMB share password is the default, null, or missing.
Status: Candidate
Phase: Proposed (19990714)
Votes:
ACCEPT(5) Baker, LeBlanc, Meunier, Northcutt, Shostack
MODIFY(1) Frech
Voter Comments:
Frech> Change description term to NetBIOS.
XF:decod-smb-password-empty
XF:nt-netbios-everyoneaccess
XF:nt-netbios-guestaccess
XF:nt-netbios-allaccess
XF:nt-netbios-open
XF:nt-netbios-write
XF:nt-netbios-shareguest
XF:nt-writable-netbios
XF:nt-netbios-everyoneaccess-printer
XF:nt-netbios-share-print-guest
Name: CVE-1999-0520
Description:
A system-critical NETBIOS/SMB share has inappropriate access control.
Status: Candidate
Phase: Proposed (19990803)
Votes:
ACCEPT(1) Wall
MODIFY(1) Frech
NOOP(1) Baker
RECAST(1) Northcutt
REJECT(1) LeBlanc
REVIEWING(1) Christey
Voter Comments:
Northcutt> I think we need to enumerate the shares and or the access control
Christey> One question is, what is "inappropriate"? It's probably
very dependent on the policy of the enterprise on which
this is found. And should writable shares be different
from readable shares? (Or file systems, mail spools, etc.)
Yes, the impact may be different, but we could have a
large number of entries for each possible type of access.
A content decision (CD:CF-DATA) needs to be reviewed
and accepted by the Editorial Board in order to resolve
this question.
LeBlanc> Unacceptably vague - agree with Christey's comments.
Frech> associated to:
XF:nt-netbios-everyoneaccess(1)
XF:nt-netbios-guestaccess(2)
XF:nt-netbios-allaccess(3)
XF:nt-netbios-open(15)
XF:nt-netbios-write(19)
XF:nt-netbios-shareguest(20)
XF:nt-writable-netbios(26)
XF:nb-rootshare(393)
XF:decod-smb-password-empty(2358)
Name: CVE-1999-0521
Description:
An NIS domain name is easily guessable.
Status: Candidate
Phase: Proposed (19990714)
Votes:
ACCEPT(4) Baker, Meunier, Northcutt, Shostack
MODIFY(1) Frech
NOOP(1) Christey
Voter Comments:
Frech> XF:nis-dom
Christey> Consider http://www.cert.org/advisories/CA-1992-13.html
as well as ftp://ciac.llnl.gov/pub/ciac/bulletin/c-fy92/c-25.ciac-sunos-nis-patch
Name: CVE-1999-0522
Description:
The permissions for a system-critical NIS+ table (e.g. passwd) are
inappropriate.
Status: Candidate
Phase: Proposed (19990803)
Reference: CERT:CA-96.10
Votes:
ACCEPT(2) Baker, Wall
NOOP(1) Christey
RECAST(1) Northcutt
Voter Comments:
Northcutt> Why not say world readable, this is what you do further down in the
file (world exportable in CVE-1999-0554)
Christey> ADDREF AUSCERT:AA-96.02
Name: CVE-1999-0523
Description:
ICMP echo (ping) is allowed from arbitrary hosts.
Status: Candidate
Phase: Proposed (19990726)
Votes:
MODIFY(1) Meunier
NOOP(1) Baker
REJECT(2) Frech, Northcutt
Voter Comments:
Northcutt> (Though I sympathize with this one :)
CHANGE> [Frech changed vote from REVIEWING to REJECT]
Frech> Ping is a utility that can be run on demand; ICMP echo is a
message
type. As currently worded, this candidate seems as if an arbitrary
host
is vulnerable because it is capable of running an arbitrary program
or
function (in this case, ping/ICMP echo). There are many
programs/functions that
'shouldn't' be on a computer, from a security admin's perspective.
Even if this
were a vulnerability, it would be impacted by CD-HIGHCARD.
Meunier> Every ICMP message type presents a vulnerability or an
exposure, if access is not controlled. By that I mean not only those
in RFC 792, but also those in RFC 1256, 950, and more. I think that
the description should be changed to "ICMP messages are acted upon
without any access control". ICMP is an error and debugging protocol.
We complain about vendors leaving testing backdoors in their programs.
ICMP is the equivalent for TCP/IP. ICMP should be in the dog house,
unless you are trying to troubleshoot something. MTU discovery is
just a performance tweak -- it's not necessary. I don't know of any
ICMP message type that is necessary if the network is functional.
Limited logging of ICMP messages could be useful, but acting upon them
and allowing the modification of routing tables, the behavior of the
TCP/IP stack, etc... without any form of authentication is just crazy.
Name: CVE-1999-0524
Description:
ICMP information such as (1) netmask and (2) timestamp is allowed from
arbitrary hosts.
Status: Candidate
Phase: Modified (20070716)
Reference: MISC:http://descriptions.securescout.com/tc/11010
Reference: MISC:http://descriptions.securescout.com/tc/11011
Reference: MISC:http://kb.vmware.com/selfservice/microsites/search.do?cmd=displayKC&externalId=1434
Reference: OSVDB:95
Reference: URL:http://www.osvdb.org/95
Reference: XF:icmp-netmask(306)
Reference: URL:http://xforce.iss.net/xforce/xfdb/306
Reference: XF:icmp-timestamp(322)
Reference: URL:http://xforce.iss.net/xforce/xfdb/322
Votes:
MODIFY(3) Baker, Frech, Meunier
REJECT(1) Northcutt
Voter Comments:
Frech> XF:icmp-timestamp
XF:icmp-netmask
Meunier> If this is not merged with 1999-0523 as I commented for that
CVE, then the description should be changed to "ICMP messages of types
13 and 14 (timestamp request and reply) and 17 and 18 (netmask request
and reply) are acted upon without any access control". It's a more
precise and correct language. I believe that this is a valid CVE
entry (it's a common source of vulnerabilities or exposures) even
though I see that the inferred action was "reject". Knowing the time
of a host also allows attacks against random number generators that
are seeded with the current time. I want to push to have it accepted.
Baker> I agree with the description changes suggested by Pascal
Name: CVE-1999-0525
Description:
IP traceroute is allowed from arbitrary hosts.
Status: Candidate
Phase: Proposed (19990726)
Votes:
MODIFY(1) Frech
NOOP(1) Baker
REJECT(1) Northcutt
Voter Comments:
Frech> XF:traceroute
Name: CVE-1999-0527
Description:
The permissions for system-critical data in an anonymous FTP account
are inappropriate. For example, the root directory is writeable by
world, a real password file is obtainable, or executable commands such
as "ls" can be overwritten.
Status: Candidate
Phase: Proposed (19990803)
Votes:
ACCEPT(3) Baker, Northcutt, Wall
MODIFY(1) Frech
Voter Comments:
Northcutt> That that starts to get specific :)
Frech> ftp-writable-directory(6253)
ftp-write(53)
"writeable" in the description should be "writable."
Name: CVE-1999-0528
Description:
A router or firewall forwards external packets that claim to come from
inside the network that the router/firewall is in front of.
Status: Candidate
Phase: Proposed (19990726)
Votes:
ACCEPT(3) Baker, Meunier, Northcutt
MODIFY(1) Frech
Voter Comments:
Frech> possibly XF:nisd-dns-fwd-check
CHANGE> [Frech changed vote from REVIEWING to MODIFY]
Frech> XF:firewall-external-packet-forwarding(8372)
Name: CVE-1999-0529
Description:
A router or firewall forwards packets that claim to come from IANA
reserved or private addresses, e.g. 10.x.x.x, 127.x.x.x, 217.x.x.x,
etc.
Status: Candidate
Phase: Proposed (19990726)
Votes:
ACCEPT(1) Frech
MODIFY(2) Baker, Meunier
REJECT(1) Northcutt
Voter Comments:
Northcutt> I have seen ISPs "assign" private addresses within their domain
Meunier> A border router or firewall forwards packets that claim to come from IANA
reserved or private addresses, e.g. 10.x.x.x, 127.x.x.x, 217.x.x.x,
etc, outside of their area of validity.
CHANGE> [Frech changed vote from REVIEWING to ACCEPT]
Baker> I think the description should be modified to say they accept this type of traffic from an interface not residing on private/reserved network.
Name: CVE-1999-0530
Description:
A system is operating in "promiscuous" mode which allows it to perform
packet sniffing.
Status: Candidate
Phase: Proposed (19990728)
Votes:
ACCEPT(2) Baker, Northcutt
MODIFY(1) Frech
REJECT(1) Shostack
Voter Comments:
Frech> XF:etherstatd(264)
XF:sniffer-attack(778)
XF:decod-packet-capture-remote(1072)
XF:netmon-running(1448)
XF:netxray3-probe(1450)
XF:sol-snoop-getquota-bo(3670) (also assigned to CVE-1999-0974)
Baker> Does pose a problem in non-switched environments
Name: CVE-1999-0531
Description:
** REJECT **
DO NOT USE THIS CANDIDATE NUMBER. ConsultIDs: None. Reason: this
candidate is solely about a configuration that does not directly
introduce security vulnerabilities, so it is more appropriate to cover
under the Common Configuration Enumeration (CCE). Notes: the former
description is: "An SMTP service supports EXPN, VRFY, HELP, ESMTP,
and/or EHLO."
Status: Candidate
Phase: Modified (20080731)
Votes:
MODIFY(1) Frech
NOOP(1) Christey
RECAST(1) Shostack
REJECT(1) Northcutt
Voter Comments:
Shostack> I think expn != vrfy, help, esmtp.
Frech> XF:lotus-domino-esmtp-bo(4499) (also assigned to CVE-2000-0452 and
CVE-2000-1046)
XF:smtp-expn(128)
XF:smtp-vrfy(130)
XF:smtp-helo-bo(886)
XF:smtp-vrfy-bo(887)
XF:smtp-expn-bo(888)
XF:slmail-vrfyexpn-overflow(1721)
XF:smtp-ehlo(323)
Perhaps add RCPT? If so, add XF:smtp-rcpt(1928)
Christey> XF:smtp-vrfy(130) ?
Name: CVE-1999-0532
Description:
A DNS server allows zone transfers.
Status: Candidate
Phase: Proposed (19990726)
Votes:
MODIFY(1) Frech
NOOP(1) Baker
REJECT(1) Northcutt
Voter Comments:
Northcutt> (With split DNS implementations this is quite appropriate)
Frech> XF:dns-zonexfer
Name: CVE-1999-0533
Description:
A DNS server allows inverse queries.
Status: Candidate
Phase: Proposed (19990726)
Votes:
MODIFY(1) Frech
NOOP(1) Baker
REJECT(1) Northcutt
Voter Comments:
Northcutt> (rule of thumb)
Frech> XF:dns-iquery
Name: CVE-1999-0534
Description:
A Windows NT user has inappropriate rights or privileges, e.g. Act as
System, Add Workstation, Backup, Change System Time, Create Pagefile,
Create Permanent Object, Create Token Name, Debug, Generate Security
Audit, Increase Priority, Increase Quota, Load Driver, Lock Memory,
Profile Single Process, Remote Shutdown, Replace Process Token,
Restore, System Environment, Take Ownership, or Unsolicited Input.
Status: Candidate
Phase: Proposed (19990721)
Votes:
ACCEPT(5) Baker, Christey, Ozancin, Shostack, Wall
MODIFY(2) Frech, Northcutt
Voter Comments:
Northcutt> If we are going to write a laundry list put access to the scheduler in it.
Christey> The list of privileges is very useful for lookup.
Frech> XF:nt-create-token
XF:nt-replace-token
XF:nt-lock-memory
XF:nt-increase-quota
XF:nt-unsol-input
XF:nt-act-system
XF:nt-create-object
XF:nt-sec-audit
XF:nt-add-workstation
XF:nt-manage-log
XF:nt-take-owner
XF:nt-load-driver
XF:nt-profile-system
XF:nt-system-time
XF:nt-single-process
XF:nt-increase-priority
XF:nt-create-pagefile
XF:nt-backup
XF:nt-restore
XF:nt-debug
XF:nt-system-env
XF:nt-remote-shutdown
Name: CVE-1999-0535
Description:
A Windows NT account policy for passwords has inappropriate,
security-critical settings, e.g. for password length, password age, or
uniqueness.
Status: Candidate
Phase: Proposed (19990721)
Votes:
ACCEPT(2) Shostack, Wall
MODIFY(2) Baker, Frech
RECAST(2) Northcutt, Ozancin
Voter Comments:
Northcutt> inappropriate implies there is appropriate. As a guy who has been
monitoring
networks for years I have deep reservations about justiying the existance
of any fixed cleartext password. For appropriate to exist, some "we" would
have to establish some criteria for appropriate passwords.
Baker> Perhaps this could be re-worded a bit. The CVE CVE-1999-00582
specifies "...settings for lockouts". To remain consistent with the
other, maybe it should specify "...settings for passwords" I think
most people would agree that passwords should be at least 8
characters; contain letters (upper and lowercase), numbers and at
least one non-alphanumeric; should only be good a limited time 30-90
days; and should not contain character combinations from user's prior
2 or 3 passwords.
Suggested rewrite -
A Windows NT account policy does not enforce reasonable minimum
security-critical settings for passwords, e.g. passwords of sufficient
length, periodic required password changes, or new password uniqueness
Ozancin> What is appropriate?
Frech> XF:nt-autologonpwd
XF:nt-pwlen
XF:nt-maxage
XF:nt-minage
XF:nt-pw-history
XF:nt-user-pwnoexpire
XF:nt-unknown-pwdfilter
XF:nt-pwd-never-expire
XF:nt-pwd-nochange
XF:nt-pwdcache-enable
XF:nt-guest-change-passwords
Name: CVE-1999-0537
Description:
A configuration in a web browser such as Internet Explorer or Netscape
Navigator allows execution of active content such as ActiveX, Java,
Javascript, etc.
Status: Candidate
Phase: Proposed (19990726)
Votes:
ACCEPT(1) Wall
NOOP(1) Baker
RECAST(1) Frech
REJECT(1) LeBlanc
Voter Comments:
Frech> Good candidate for dot notation.
XF:nav-java-enabled
XF:nav-javascript-enabled
XF:ie-active-content
XF:ie-active-download
XF:ie-active-scripting
XF:ie-activex-execution
XF:ie-java-enabled
XF:netscape-javascript
XF:netscape-java
XF:zone-active-scripting
XF:zone-activex-execution
XF:zone-desktop-install
XF:zone-low-channel
XF:zone-file-download
XF:zone-file-launch
XF:zone-java-scripting
XF:zone-low-java
XF:zone-safe-scripting
XF:zone-unsafe-scripting
LeBlanc> Not a vulnerability. These are just checks for configuration
settings that a user might have changed. I understand need to increase
number of checks in a scanning product, but don't feel like these belong
in CVE. Scanner vendors could argue that these entries are needed to
keep a common language.
Baker> Not sure about whether we should bother to include this type issue or not. It does provide a stepping stone for further actions, but in and of itself it isn't a specific vulnerability.
Name: CVE-1999-0539
Description:
A trust relationship exists between two Unix hosts.
Status: Candidate
Phase: Proposed (19990728)
Votes:
MODIFY(1) Frech
NOOP(1) Baker
REJECT(2) Northcutt, Shostack
Voter Comments:
Northcutt> Too non specific
Frech> XF:trusted-host(341)
XF:trust-remote-same(717)
XF:trust-remote-root(718)
XF:trust-remote-nonroot(719)
XF:trust-remote-any(720)
XF:trust-other-host(723)
XF:trust-all-nonroot(726)
XF:trust-any-remote(727)
XF:trust-local-acct(728)
XF:trust-local-any(729)
XF:trust-local-nonroot(730)
XF:trust-all-hosts(731)
XF:nt-trusted-domain(1284)
XF:rsagent-trusted-domainadded(1588)
XF:trust-remote-user(2955)
XF:user-trust-hosts(3074)
XF:user-trust-other-host(3077)
XF:user-trust-remote-account(3079)
Name: CVE-1999-0541
Description:
A password for accessing a WWW URL is guessable.
Status: Candidate
Phase: Proposed (19990714)
Votes:
ACCEPT(4) Baker, Meunier, Northcutt, Shostack
MODIFY(1) Frech
Voter Comments:
Frech> XF:http-password
Name: CVE-1999-0546
Description:
The Windows NT guest account is enabled.
Status: Candidate
Phase: Proposed (19990721)
Votes:
ACCEPT(5) Baker, Northcutt, Ozancin, Shostack, Wall
MODIFY(1) Frech
Voter Comments:
Frech> XF:nt-guest-account
Name: CVE-1999-0547
Description:
An SSH server allows authentication through the .rhosts file.
Status: Candidate
Phase: Proposed (19990728)
Votes:
ACCEPT(2) Baker, Shostack
MODIFY(1) Frech
NOOP(1) Northcutt
Voter Comments:
Frech> XF:sshd-rhosts(315)
Name: CVE-1999-0548
Description:
A superfluous NFS server is running, but it is not importing or exporting
any file systems.
Status: Candidate
Phase: Proposed (19990728)
Votes:
ACCEPT(1) Shostack
NOOP(1) Baker
REJECT(1) Northcutt
Name: CVE-1999-0549
Description:
Windows NT automatically logs in an administrator upon rebooting.
Status: Candidate
Phase: Proposed (19990630)
Votes:
ACCEPT(1) Hill
MODIFY(3) Blake, Frech, Ozancin
NOOP(1) Wall
REJECT(1) Baker
Voter Comments:
Wall> Don't know what this is. Don't think it is a vulnerability and would
initially reject. This is different than just renaming the
administrator account.
Frech> Would appreciate more information on this one, as in a reference.
Blake> Reference: XF:nt-autologin
Ozancin> Needs more detail
Baker> I tried to find the XF:nt-autologin reference, and got no matching records from their search engine.
No refs, no details, should reject
CHANGE> [Frech changed vote from REVIEWING to MODIFY]
Frech> XF:nt-autologon(5)
Name: CVE-1999-0550
Description:
A router's routing tables can be obtained from arbitrary hosts.
Status: Candidate
Phase: Proposed (19990726)
Votes:
ACCEPT(1) Baker
MODIFY(1) Frech
RECAST(1) Northcutt
Voter Comments:
Northcutt> Don't you mean obtained by arbitrary hosts
Frech> XF:routed
XF:decod-rip-entry
XF:rip
Baker> Concur with this as a security issue
Name: CVE-1999-0554
Description:
NFS exports system-critical data to the world, e.g. / or a password
file.
Status: Candidate
Phase: Proposed (19990803)
Votes:
ACCEPT(2) Northcutt, Wall
NOOP(1) Baker
REVIEWING(1) Christey
Voter Comments:
Christey> A content decision (CD:CF-DATA) needs to be reviewed
and accepted by the Editorial Board in order to resolve
this question.
Name: CVE-1999-0555
Description:
A Unix account with a name other than "root" has UID 0, i.e. root
privileges.
Status: Candidate
Phase: Proposed (19990728)
Votes:
NOOP(1) Baker
REJECT(2) Northcutt, Shostack
Voter Comments:
Northcutt> This is very bogus
Name: CVE-1999-0556
Description:
Two or more Unix accounts have the same UID.
Status: Candidate
Phase: Proposed (19990728)
Votes:
NOOP(2) Baker, Christey
REJECT(2) Northcutt, Shostack
Voter Comments:
Christey> XF:duplicate-uid(876)
Christey> Add terms "duplicate" and "user ID" to facilitate search.
ftp://ftp.auscert.org.au/pub/auscert/papers/unix_security_checklist
Name: CVE-1999-0559
Description:
A system-critical Unix file or directory has inappropriate
permissions.
Status: Candidate
Phase: Proposed (19990803)
Votes:
ACCEPT(2) Baker, Wall
RECAST(2) Northcutt, Shostack
Voter Comments:
Northcutt> Writable other than by root/bin/wheelgroup?
Name: CVE-1999-0560
Description:
A system-critical Windows NT file or directory has inappropriate
permissions.
Status: Candidate
Phase: Proposed (19990803)
Votes:
ACCEPT(2) Baker, Wall
RECAST(1) Northcutt
Voter Comments:
Northcutt> I think we should specify these
Name: CVE-1999-0561
Description:
IIS has the #exec function enabled for Server Side Include (SSI) files.
Status: Candidate
Phase: Proposed (19990728)
Votes:
NOOP(2) Baker, Northcutt
RECAST(1) Shostack
REJECT(1) LeBlanc
Voter Comments:
LeBlanc> Does not meet definition of a vulnerability. This function is
just enabled. You can turn it off if you want. if you trust the people
putting up your web pages, this isn't a problem. If you don't, this is
just one of many things you need to change.
Name: CVE-1999-0562
Description:
The registry in Windows NT can be accessed remotely by users who are
not administrators.
Status: Candidate
Phase: Modified (20061101)
Reference: OVAL:oval:org.mitre.oval:def:1023
Reference: URL:http://oval.mitre.org/repository/data/getDef?id=oval:org.mitre.oval:def:1023
Votes:
ACCEPT(4) Baker, Ozancin, Shostack, Wall
MODIFY(1) Frech
RECAST(1) Northcutt
Voter Comments:
Northcutt> This isn't all or nothing, users may be allowed to access part of the
registry.
Frech> XF:nt-winreg-all
XF:nt-winreg-net
Name: CVE-1999-0564
Description:
An attacker can force a printer to print arbitrary documents (e.g. if
the printer doesn't require a password) or to become disabled.
Status: Candidate
Phase: Proposed (19990728)
Votes:
ACCEPT(2) Baker, Shostack
NOOP(1) Northcutt
Name: CVE-1999-0565
Description:
A Sendmail alias allows input to be piped to a program.
Status: Candidate
Phase: Proposed (19990728)
Votes:
ACCEPT(1) Northcutt
NOOP(1) Baker
RECAST(1) Shostack
REVIEWING(1) Christey
Voter Comments:
Shostack> Is this a default alias? Is my .procmailrc an instance of this?
Christey> It is not entirely clear whether the simple fact that an alias
pipes into a program should be considered a vulnerability. It
all depends on the behavior of that particular program. This
is one of a number of configuration-related issues from the
"draft" CVE that came from vulnerability scanners. In
general, when we get to general configuration and "policy,"
it becomes more difficult to use the current CVE model to
represent them. So at the very least, this candidate (and
similar ones) should be given close consideration and
discussion before being added to the official CVE list.
Because this candidate is related to general configuration
issues, and we have not completely determined how to handle
such issues in CVE, this candidate cannot be promoted to an
official CVE entry until such issues are resolved.
Name: CVE-1999-0568
Description:
rpc.admind in Solaris is not running in a secure mode.
Status: Candidate
Phase: Proposed (19990728)
Votes:
ACCEPT(1) Northcutt
NOOP(2) Baker, Christey
RECAST(2) Dik, Shostack
Voter Comments:
Shostack> are there secure modes?
Dik> Several:
1) there is no "rpc.admind" daemon.
there used to be a "admind" RPC daemon (100087/10)
and there's now an "sadmind" daemon (100232/10)
The switch over was somewhere around Solaris 2.4.
2) Neither defaults to "secure mode"
3) secure mode is "using secure RPC" which does
proper over the wire authentication by specifying
the "-S 2" option in inetd.conf
(security level 2)
Christey> XF:rpc-admind(626)
http://xforce.iss.net/static/626.php
MISC:http://pulhas.org/xploitsdb/mUNIXes/admind.html
Name: CVE-1999-0569
Description:
A URL for a WWW directory allows auto-indexing, which provides a list
of all files in that directory if it does not contain an index.html
file.
Status: Candidate
Phase: Modified (19991130-01)
Votes:
ACCEPT(1) Wall
NOOP(2) Baker, Christey
REJECT(1) Northcutt
Voter Comments:
Northcutt> I do this intentionally somethings in high content directories
Christey> XF:http-noindex(90) ?
Name: CVE-1999-0570
Description:
Windows NT is not using a password filter utility, e.g. PASSFILT.DLL.
Status: Candidate
Phase: Proposed (19990728)
Votes:
ACCEPT(1) Northcutt
MODIFY(1) Frech
NOOP(2) Baker, Christey
REJECT(1) Wall
Voter Comments:
Northcutt> Here we are crossing into the best practices arena again. However since
passfilt does establish a measurable standard and since we aren't the
ones defining the stanard, simply saying it should be employed I will
vote for this.
Frech> XF:nt-passfilt-not-inst(1308)
XF:nt-passfilt-not-found(1309)
Christey> Consider MSKB:Q161990 and MSKB:Q151082
Name: CVE-1999-0571
Description:
A router's configuration service or management interface (such as a
web server or telnet) is configured to allow connections from
arbitrary hosts.
Status: Candidate
Phase: Modified (20020312-01)
Reference: BUGTRAQ:Feb5,1999
Votes:
ACCEPT(1) Baker
MODIFY(1) Frech
NOOP(2) Christey, Northcutt
Voter Comments:
CHANGE> [Frech changed vote from REVIEWING to MODIFY]
Frech> XF:ascend-config-kill(889)
XF:cisco-ios-crash(1238)
XF:webramp-remote-access(1670)
XF:ascom-timeplex-debug(1824)
XF:netopia-unpassworded(1850)
XF:cisco-web-crash(1886)
XF:cisco-router-commands(1951)
XF:motorola-cable-default-pass(2002)
XF:default-flowpoint(2091)
XF:netgear-router-idle-dos(4003)
XF:cisco-cbos-telnet(4251)
XF:routermate-snmp-community(4290)
XF:cayman-router-dos(4479)
XF:wavelink-authentication(5185)
XF:ciscosecure-ldap-bypass-authentication(5274)
XF:foundry-firmware-telnet-dos(5514)
XF:netopia-view-system-log(5536)
XF:cisco-webadmin-remote-dos(5595)
XF:cisco-cbos-web-access(5626)
XF:netopia-telnet-dos(6001)
XF:cisco-sn-gain-access(6827)
XF:cayman-dsl-insecure-permissions(6841)
XF:linksys-etherfast-reveal-passwords(6949)
XF:zyxel-router-default-password(6968)
XF:cisco-cbos-web-config(7027)
XF:prestige-wan-bypass-filter(7146)
Christey> I changed the description to make it more explicit that this
candidate is about router configuration, as opposed to
vulnerabilities that accidentally make a configuration
service accessible to anyone.
Name: CVE-1999-0572
Description:
.reg files are associated with the Windows NT registry editor
(regedit), making the registry susceptible to Trojan Horse attacks.
Status: Candidate
Phase: Modified (20041017)
Votes:
ACCEPT(4) Baker, Ozancin, Shostack, Wall
MODIFY(1) Frech
NOOP(2) Christey, Northcutt
Voter Comments:
Northcutt> I don't quite get what this means, sorry
Frech> XF:nt-regfile(178)
Christey> MISC:http://security-archive.merton.ox.ac.uk/nt-security-199902/0087.html
Name: CVE-1999-0575
Description:
A Windows NT system's user audit policy does not log an event success
or failure, e.g. for Logon and Logoff, File and Object Access, Use of
User Rights, User and Group Management, Security Policy Changes,
Restart, Shutdown, and System, and Process Tracking.
Status: Candidate
Phase: Proposed (19990721)
Votes:
ACCEPT(4) Christey, Ozancin, Shostack, Wall
MODIFY(1) Frech
RECAST(2) Baker, Northcutt
Voter Comments:
Northcutt> It isn't a great truth that you should enable all or the above, if you
do you potentially introduce a vulnerbility of filling up the file
system with stuff you will never look at.
Ozancin> It is far less interesting what a user does successfully that what they
attempt and fail at.
Christey> The list of event types is very useful for lookup.
Frech> XF:nt-system-audit
XF:nt-logon-audit
XF:nt-object-audit
XF:nt-privil-audit
XF:nt-process-audit
XF:nt-policy-audit
XF:nt-account-audit
CHANGE> [Baker changed vote from REVIEWING to RECAST]
Name: CVE-1999-0576
Description:
A Windows NT system's file audit policy does not log an event success
or failure for security-critical files or directories.
Status: Candidate
Phase: Proposed (19990721)
Votes:
ACCEPT(3) Baker, Shostack, Wall
MODIFY(2) Frech, Ozancin
REJECT(1) Northcutt
Voter Comments:
Northcutt> 1.) Too general are we ready to state what the security-critical files
and directories are
2.) Does Ataris, Windows CE, PalmOS, Linux have such a capability
Ozancin> Some files and directories are clearly understood to be critical. Others are
unclear. We need to clarify that critical is.
Frech> XF:nt-object-audit
Name: CVE-1999-0577
Description:
A Windows NT system's file audit policy does not log an event success
or failure for non-critical files or directories.
Status: Candidate
Phase: Proposed (19990721)
Votes:
ACCEPT(2) Shostack, Wall
MODIFY(3) Baker, Frech, Ozancin
REJECT(1) Northcutt
Voter Comments:
Ozancin> It is far less interesting what a user does successfully that what they
attempt and fail at.
Perhaps only failure should be logged.
Frech> XF:nt-object-audit
CHANGE> [Baker changed vote from REVIEWING to MODIFY]
Baker> Failure on non-critical files is what should be monitored.
Name: CVE-1999-0578
Description:
A Windows NT system's registry audit policy does not log an event
success or failure for security-critical registry keys.
Status: Candidate
Phase: Proposed (19990721)
Votes:
ACCEPT(4) Baker, Ozancin, Shostack, Wall
MODIFY(1) Frech
REJECT(1) Northcutt
Voter Comments:
Ozancin> with reservation
Again what is defined as critical
CHANGE> [Frech changed vote from REVIEWING to MODIFY]
Frech> XF:nt-object-audit(228)
Name: CVE-1999-0579
Description:
A Windows NT system's registry audit policy does not log an event
success or failure for non-critical registry keys.
Status: Candidate
Phase: Proposed (19990721)
Votes:
ACCEPT(3) Baker, Shostack, Wall
MODIFY(2) Frech, Ozancin
REJECT(1) Northcutt
Voter Comments:
Ozancin> Again only failure may be of interest. It would be impractical to wad
through the incredibly large amount of logging that this would generate. It
could overwhelm log entries that you might find interesting.
CHANGE> [Frech changed vote from REVIEWING to MODIFY]
Frech> XF:nt-object-audit(228)
Name: CVE-1999-0580
Description:
The HKEY_LOCAL_MACHINE key in a Windows NT system has inappropriate,
system-critical permissions.
Status: Candidate
Phase: Proposed (19990803)
Votes:
ACCEPT(1) Wall
NOOP(1) Baker
RECAST(1) Northcutt
Voter Comments:
Northcutt> I think we can define appropriate, take a look at the nt security .pdf
and see if you can't see a way to phrase specific keys in a way that
defines inappropriate.
Baker> This is way vague...
Name: CVE-1999-0581
Description:
The HKEY_CLASSES_ROOT key in a Windows NT system has inappropriate,
system-critical permissions.
Status: Candidate
Phase: Proposed (19990803)
Votes:
ACCEPT(1) Wall
NOOP(1) Baker
RECAST(1) Northcutt
Voter Comments:
Northcutt> I think we can define appropriate, take a look at the nt security .pdf
and see if you can't see a way to phrase specific keys in a way that
defines inappropriate.
Baker> way too vague
Name: CVE-1999-0582
Description:
A Windows NT account policy has inappropriate, security-critical
settings for lockout, e.g. lockout duration, lockout after bad logon
attempts, etc.
Status: Candidate
Phase: Proposed (19990721)
Votes:
ACCEPT(3) Ozancin, Shostack, Wall
MODIFY(2) Baker, Frech
REJECT(1) Northcutt
Voter Comments:
Northcutt> The definition is?
Baker> Maybe a rewording of this one too. I think most people would agree on
some "minimum" policies like 3-5 bad attempts lockout for an hour or
until the administrator unlocks the account.
Suggested rewrite -
A Windows NT account policy does not enforce reasonable minimum
security-critical settings for lockouts, e.g. lockout duration,
lockout after bad logon attempts, etc.
Ozancin> with reservations
What is appropriate?
Frech> XF:nt-thres-lockout
XF:nt-lock-duration
XF:nt-lock-window
XF:nt-perm-lockout
XF:lockout-disabled
Name: CVE-1999-0583
Description:
There is a one-way or two-way trust relationship between Windows NT
domains.
Status: Candidate
Phase: Proposed (19990728)
Votes:
NOOP(2) Baker, Christey
REJECT(2) Northcutt, Shostack
Voter Comments:
Christey> XF:nt-trusted-domain(1284)
Name: CVE-1999-0584
Description:
A Windows NT file system is not NTFS.
Status: Candidate
Phase: Proposed (19990728)
Votes:
ACCEPT(2) Northcutt, Wall
MODIFY(1) Frech
NOOP(2) Baker, Christey
Voter Comments:
Wall> NTFS partition provides the security. This could be re-worded
to "A Windows NT file system is FAT" since it is either NTFS or FAT
and FAT is less secure.
Frech> XF:nt-filesys(195)
Christey> MSKB:Q214579
MSKB:Q214579
http://support.microsoft.com/support/kb/articles/Q100/1/08.ASP
Name: CVE-1999-0585
Description:
A Windows NT administrator account has the default name of
Administrator.
Status: Candidate
Phase: Proposed (19990721)
Votes:
ACCEPT(1) Ozancin
MODIFY(1) Frech
REJECT(3) Baker, Northcutt, Shostack
REVIEWING(1) Wall
Voter Comments:
Wall> Some sources say this is not a vulnerability, but a warning. It just
slows down the search for the admin account (SID = 500) which can
always be found.
Northcutt> I change this on all NT systems I am responsible for, but is
root a vulnerability?
Baker> There are ways to identify the administrator account anyway, so this
is only a minor delay to someone that is knowledgeable. This, in and
of itself, doesn't really strike me as a vulnerability, anymore than
the root account on a Unix box.
Shostack> (there is no way to hide the account name today)
Frech> XF:nt-adminexists
Name: CVE-1999-0586
Description:
A network service is running on a nonstandard port.
Status: Candidate
Phase: Proposed (19990728)
Votes:
NOOP(1) Baker
RECAST(1) Shostack
REJECT(1) Northcutt
Voter Comments:
Shostack> Might be acceptable if clearer; is that a standard service on a
non-standard port, or any service on an unassigned port?
Baker> It might actually be an enhancement rather than a problem to run a service on a non-standard port
Name: CVE-1999-0587
Description:
A WWW server is not running in a restricted file system, e.g. through
a chroot, thus allowing access to system-critical data.
Status: Candidate
Phase: Proposed (19990803)
Votes:
ACCEPT(1) Wall
NOOP(1) Baker
RECAST(1) Northcutt
Voter Comments:
Northcutt> While I would accept this for Unix, I am not sure this applies to NT,
VMS, palm pilots, or commodore 64
Name: CVE-1999-0588
Description:
A filter in a router or firewall allows unusual fragmented packets.
Status: Candidate
Phase: Proposed (19990726)
Votes:
MODIFY(2) Baker, Frech
REJECT(1) Northcutt
Voter Comments:
Northcutt> I want to vote to accept this one, but unusual is a shade broad.
Frech> XF:nt-rras
XF:cisco-fragmented-attacks
XF:ip-frag
Baker> Perhaps we should use the word abnormally fragmented or some other descriptor.
Name: CVE-1999-0589
Description:
A system-critical Windows NT registry key has inappropriate
permissions.
Status: Candidate
Phase: Proposed (19990803)
Votes:
ACCEPT(1) Wall
NOOP(1) Baker
RECAST(2) Christey, Northcutt
Voter Comments:
Northcutt> I think we can define appropriate, take a look at the nt security .pdf
and see if you can't see a way to phrase specific keys in a way that
defines inappropriate.
Christey> Upon further reflection, this is too high-level for CVE.
Specific registry keys with bad permissions is roughly
equivalent to Unix configuration files that have bad
permissions; those permission problems can be created by
any vendor, not just a specific one. Therefore this
candidate should be RECAST into each separate registry
key that has this problem.
Name: CVE-1999-0590
Description:
A system does not present an appropriate legal message or warning to a
user who is accessing it.
Status: Candidate
Phase: Proposed (19990728)
Votes:
ACCEPT(2) Baker, Northcutt
MODIFY(1) Christey
RECAST(1) Shostack
Voter Comments:
Christey> ADDREF CIAC:J-043
URL:http://ciac.llnl.gov/ciac/bulletins/j-043.shtml
Also add "banner" to the description to facilitate search.
Baker> Should be in place where ever it is possible
Name: CVE-1999-0591
Description:
An event log in Windows NT has inappropriate access permissions.
Status: Candidate
Phase: Proposed (19990803)
Votes:
ACCEPT(2) Baker, Wall
RECAST(1) Northcutt
Voter Comments:
Northcutt> splain Lucy, splain
Name: CVE-1999-0592
Description:
The Logon box of a Windows NT system displays the name of the last
user who logged in.
Status: Candidate
Phase: Proposed (19990728)
Votes:
MODIFY(1) Frech
NOOP(2) Baker, Christey
REJECT(2) Northcutt, Wall
Voter Comments:
Wall> Information gathering, not vulnerability
Northcutt> Ah a C2 weenie must have snuck this in, this can be a good thing
not just vulnerability
Frech> XF:nt-display-last-username(1353)
Use it if you will. :-) If not, let us know so I can remove the CAN
reference from our database.
Christey> MSKB:Q114463
http://support.microsoft.com/support/kb/articles/q114/4/63.asp
Name: CVE-1999-0593
Description:
The default setting for the Winlogon key entry ShutdownWithoutLogon in
Windows NT allows users with physical access to shut down a Windows NT
system without logging in.
Status: Candidate
Phase: Modified (20091029)
Reference: MISC:http://www.microsoft.com/technet/archive/winntas/deploy/confeat/06wntpcc.mspx?mfr=true
Reference: CONFIRM:http://technet.microsoft.com/en-us/library/cc722469.aspx
Reference: OSVDB:59333
Reference: URL:http://osvdb.org/59333
Reference: XF:nt-shutdown-without-logon(1291)
Reference: URL:http://xforce.iss.net/xforce/xfdb/1291
Votes:
ACCEPT(1) Wall
MODIFY(1) Frech
NOOP(1) Baker
REJECT(1) Northcutt
Voter Comments:
Wall> Still a denial of service.
Northcutt> May well be appropriate
Frech> XF:nt-shutdown-without-logon(1291)
Name: CVE-1999-0594
Description:
A Windows NT system does not restrict access to removable media drives
such as a floppy disk drive or CDROM drive.
Status: Candidate
Phase: Proposed (19990728)
Votes:
ACCEPT(1) Wall
MODIFY(1) Frech
NOOP(2) Baker, Christey
REJECT(1) Northcutt
Voter Comments:
Wall> Perhaps it can be re-worded to "removable media drives
such as a floppy disk drive or CDROM drive can be accessed (shared) in a
Windows NT system."
Northcutt> - what good is my NT w/o its floppy
Frech> XF:nt-allocate-cdroms(1294)
XF:nt-allocate-floppy(1318)
Christey> MSKB:Q172520
URL:http://support.microsoft.com/support/kb/articles/q172/5/20.asp
Name: CVE-1999-0595
Description:
A Windows NT system does not clear the system page file during
shutdown, which might allow sensitive information to be recorded.
Status: Candidate
Phase: Proposed (19990728)
Reference: MSKB:Q182086
Votes:
ACCEPT(2) Baker, Wall
MODIFY(1) Frech
NOOP(1) Northcutt
Voter Comments:
Frech> XF:nt-clearpage(216)
XF:reg-pagefile-clearing(2551)
Name: CVE-1999-0596
Description:
A Windows NT log file has an inappropriate maximum size or retention
period.
Status: Candidate
Phase: Proposed (19990728)
Votes:
MODIFY(1) Frech
NOOP(1) Baker
REJECT(2) Northcutt, Wall
Voter Comments:
Northcutt> define appropriate
Frech> XF:reg-app-log-small(2521)
XF:reg-sec-log-maxsize(2577)
XF:reg-sys-log-small(2586)
Name: CVE-1999-0597
Description:
A Windows NT account policy does not forcibly disconnect remote users
from the server when their logon hours expire.
Status: Candidate
Phase: Proposed (19990728)
Votes:
ACCEPT(1) Northcutt
MODIFY(1) Frech
NOOP(1) Baker
REJECT(1) Wall
Voter Comments:
Frech> XF:nt-forced-logoff(1343)
Name: CVE-1999-0598
Description:
A network intrusion detection system (IDS) does not properly handle
packets that are sent out of order, allowing an attacker to escape
detection.
Status: Candidate
Phase: Proposed (19990726)
Votes:
ACCEPT(3) Armstrong, Baker, Northcutt
NOOP(1) Frech
REVIEWING(1) Christey
Voter Comments:
Frech> Waiting for CIEL.
Christey> This is a design flaw, along with the other reported IDS
problems; at least reference Ptacek/Newsham's paper.
Christey> URL:http://www.robertgraham.com/mirror/Ptacek-Newsham-Evasion-98.html
Name: CVE-1999-0599
Description:
A network intrusion detection system (IDS) does not properly handle
packets with improper sequence numbers.
Status: Candidate
Phase: Proposed (19990726)
Votes:
ACCEPT(2) Baker, Northcutt
NOOP(1) Frech
REVIEWING(1) Christey
Voter Comments:
Frech> Waiting for CIEL.
Christey> This is a design flaw, along with the other reported IDS
problems; at least reference Ptacek/Newsham's paper.
Christey> URL:http://www.robertgraham.com/mirror/Ptacek-Newsham-Evasion-98.html
Name: CVE-1999-0600
Description:
A network intrusion detection system (IDS) does not verify the
checksum on a packet.
Status: Candidate
Phase: Proposed (19990726)
Votes:
ACCEPT(2) Baker, Northcutt
NOOP(1) Frech
REVIEWING(1) Christey
Voter Comments:
Frech> Waiting for CIEL.
Christey> This is a design flaw, along with the other reported IDS
problems; at least reference Ptacek/Newsham's paper.
Christey> URL:http://www.robertgraham.com/mirror/Ptacek-Newsham-Evasion-98.html
Name: CVE-1999-0601
Description:
A network intrusion detection system (IDS) does not properly handle
data within TCP handshake packets.
Status: Candidate
Phase: Proposed (19990726)
Votes:
ACCEPT(2) Baker, Northcutt
NOOP(1) Frech
REVIEWING(1) Christey
Voter Comments:
Frech> Waiting for Godot, er, CIEL.
Christey> This is a design flaw, along with the other reported IDS
problems; at least reference Ptacek/Newsham's paper.
Christey> URL:http://www.robertgraham.com/mirror/Ptacek-Newsham-Evasion-98.html
Name: CVE-1999-0602
Description:
A network intrusion detection system (IDS) does not properly
reassemble fragmented packets.
Status: Candidate
Phase: Proposed (19990726)
Votes:
ACCEPT(2) Baker, Northcutt
NOOP(1) Frech
REVIEWING(1) Christey
Voter Comments:
Frech> Waiting for CIEL.
Christey> This is a design flaw, along with the other reported IDS
problems; at least reference Ptacek/Newsham's paper.
Christey> URL:http://www.robertgraham.com/mirror/Ptacek-Newsham-Evasion-98.html
Name: CVE-1999-0603
Description:
In Windows NT, an inappropriate user is a member of a group,
e.g. Administrator, Backup Operators, Domain Admins, Domain Guests,
Power Users, Print Operators, Replicators, System Operators, etc.
Status: Candidate
Phase: Proposed (19990728)
Votes:
MODIFY(1) Frech
NOOP(1) Baker
REJECT(2) Northcutt, Wall
Voter Comments:
Frech> XF:nt-system-operator
XF:nt-admin-group
XF:nt-replicator
XF:nt-print-operator
XF:nt-power-user
XF:nt-guest-in-group
XF:nt-backup-operator
XF:nt-domain-admin
XF:nt-domain-guest
XF:win2k-acct-oper-grp
XF:win2k-admin-grp
XF:win2k-backup-oper-grp
XF:win2k-certpublishers-grp
XF:win2k-dhcp-admin-grp
XF:win2k-dnsadm-grp
XF:win2k-domainadm-grp
XF:win2k-entadm-grp
XF:win2k-printoper-grp
XF:win2k-replicator-grp
XF:win2k-schemaadm-grp
XF:win2k-serveroper-grp
You asked for it... :-) Use or reject at your discretion. If rejected,
please let us know so we can remove CAN references from database.
Name: CVE-1999-0604
Description:
An incorrect configuration of the WebStore 1.0 shopping cart
CGI program "web_store.cgi" could disclose private information.
Status: Candidate
Phase: Proposed (19990728)
Reference: BUGTRAQ:19990420 Shopping Carts exposing CC data
Reference: URL:http://marc.theaimsgroup.com/?l=bugtraq&m=92462991805485&w=2
Votes:
ACCEPT(1) Baker
MODIFY(1) Frech
NOOP(2) Northcutt, Wall
Voter Comments:
Frech> XF:webstore-misconfig(3861)
Name: CVE-1999-0605
Description:
An incorrect configuration of the Order Form 1.0 shopping cart
CGI program could disclose private information.
Status: Candidate
Phase: Proposed (19990728)
Reference: BUGTRAQ:19990420 Shopping Carts exposing CC data
Reference: URL:http://marc.theaimsgroup.com/?l=bugtraq&m=92462991805485&w=2
Votes:
ACCEPT(1) Baker
MODIFY(1) Frech
NOOP(3) Christey, Northcutt, Wall
Voter Comments:
Frech> XF:orderform-misconfig(3860)
Christey> BID:2021
Christey> Mention affected files: order_log_v12.dat and order_log.dat
fix version number (1.2)
Name: CVE-1999-0606
Description:
An incorrect configuration of the EZMall 2000 shopping cart
CGI program "mall2000.cgi" could disclose private information.
Status: Candidate
Phase: Proposed (19990728)
Reference: BUGTRAQ:19990420 Shopping Carts exposing CC data
Reference: URL:http://marc.theaimsgroup.com/?l=bugtraq&m=92462991805485&w=2
Votes:
ACCEPT(1) Baker
MODIFY(1) Frech
NOOP(3) Christey, Northcutt, Wall
Voter Comments:
Frech> XF:ezmall2000-misconfig(3859)
Christey> Add mall_log_files/order.log to desc
Name: CVE-1999-0607
Description:
quikstore.cgi in QuikStore shopping cart stores quikstore.cfg under
the web document root with insufficient access control, which allows
remote attackers to obtain the cleartext administrator password and
gain privileges.
Status: Candidate
Phase: Modified (20060608)
Reference: BUGTRAQ:19990420 Shopping Carts exposing CC data
Reference: URL:http://marc.theaimsgroup.com/?l=bugtraq&m=92462991805485&w=2
Votes:
ACCEPT(1) Baker
MODIFY(1) Frech
NOOP(3) Christey, Northcutt, Wall
Voter Comments:
Frech> XF:quikstore-misconfig(3858)
Christey> http://www.quikstore.com/help/pages/Security/security.htm says:
"It is IMPORTANT that during the setup of the QuikStore program, you
check to make sure that the cgi-bin or executable program directory
of your web site not be viewable from the outside world. You don't
want the users to have access to your programs or log files that could
be stored there!
...
If you can view or download these files from the browser, someone
else can too"
So is this a configuration problem? See the configuration file at
http://www.quikstore.com/help/pages/Configuration/configparametersfull.htm
The [DIRECTORY_PATHS] section identifies pathnames and describes how
pathnames are constructed. It clearly uses relative pathnames,
so all data is underneath the base directory!!
If we call this a configuration problem, then maybe this (and
all other "CGI-data-in-web-tree" configuration problems) should
be combined.
Christey> Consider adding BID:1983
Name: CVE-1999-0609
Description:
An incorrect configuration of the SoftCart CGI program
"SoftCart.exe" could disclose private information.
Status: Candidate
Phase: Proposed (19990728)
Reference: BUGTRAQ:19990420 Shopping Carts exposing CC data
Reference: URL:http://marc.theaimsgroup.com/?l=bugtraq&m=92462991805485&w=2
Votes:
ACCEPT(1) Baker
MODIFY(1) Frech
NOOP(3) Christey, Northcutt, Wall
Voter Comments:
Frech> XF:softcart-misconfig(3856)
Christey> Consider adding BID:2055
Name: CVE-1999-0610
Description:
An incorrect configuration of the Webcart CGI program
could disclose private information.
Status: Candidate
Phase: Proposed (19990728)
Reference: BUGTRAQ:19990420 Shopping Carts exposing CC data
Reference: URL:http://marc.theaimsgroup.com/?l=bugtraq&m=92462991805485&w=2
Votes:
ACCEPT(1) Baker
MODIFY(1) Frech
NOOP(2) Northcutt, Wall
Voter Comments:
Frech> Cite reference as:
BUGTRAQ:19990424 Re: Shopping Carts exposing CC data
URL:
http://www.securityfocus.com/frames/?content=/templates/archive.pike%3Flist%
3D1%26date%3D2000-08-22%26msg%3D3720E2B6.6031A2E7@datashopper.dk
CHANGE> [Frech changed vote from REVIEWING to MODIFY]
Frech> XF:webcart-data-exposure(8374)
Name: CVE-1999-0611
Description:
A system-critical Windows NT registry key has an inappropriate value.
Status: Candidate
Phase: Proposed (19990803)
Votes:
ACCEPT(1) Wall
NOOP(1) Baker
RECAST(1) Northcutt
Voter Comments:
Northcutt> I think we can define appropriate, take a look at the nt security .pdf
and see if you can't see a way to phrase specific keys in a way that
defines inappropriate.
Baker> too vague
Name: CVE-1999-0613
Description:
The rpc.sprayd service is running.
Status: Candidate
Phase: Proposed (19990721)
Votes:
ACCEPT(2) Baker, Ozancin
MODIFY(1) Frech
NOOP(1) Wall
REJECT(1) Northcutt
Voter Comments:
Frech> XF:sprayd
Name: CVE-1999-0614
Description:
** REJECT **
DO NOT USE THIS CANDIDATE NUMBER. ConsultIDs: None. Reason: this
candidate is solely about a configuration that does not directly
introduce security vulnerabilities, so it is more appropriate to cover
under the Common Configuration Enumeration (CCE). Notes: the former
description is: "The FTP service is running."
Status: Candidate
Phase: Modified (20080731)
Votes:
ACCEPT(2) Baker, Wall
REJECT(1) Northcutt
Name: CVE-1999-0615
Description:
** REJECT **
DO NOT USE THIS CANDIDATE NUMBER. ConsultIDs: None. Reason: this
candidate is solely about a configuration that does not directly
introduce security vulnerabilities, so it is more appropriate to cover
under the Common Configuration Enumeration (CCE). Notes: the former
description is: "The SNMP service is running."
Status: Candidate
Phase: Modified (20080731)
Votes:
ACCEPT(3) Baker, Prosser, Wall
NOOP(1) Christey
REJECT(1) Northcutt
Voter Comments:
Baker> Although newer versions on snmp are not as vulnerable as prior versions,
this can still be a significant risk of exploitation, as seen in recent
attacks on snmp services via automated worms
Christey> XF:snmp(132) ?
Prosser> This fits the "exposure" description although we also know there are many vulnerabilities in SNMP. This is more of a policy/best practice issue for administrators. If you need SNMP lock it down as tight as you can, if you don't need it, don't run it.
Name: CVE-1999-0616
Description:
** REJECT **
DO NOT USE THIS CANDIDATE NUMBER. ConsultIDs: None. Reason: this
candidate is solely about a configuration that does not directly
introduce security vulnerabilities, so it is more appropriate to cover
under the Common Configuration Enumeration (CCE). Notes: the former
description is: "The TFTP service is running."
Status: Candidate
Phase: Modified (20080731)
Votes:
ACCEPT(2) Baker, Wall
REJECT(1) Northcutt
Name: CVE-1999-0617
Description:
** REJECT **
DO NOT USE THIS CANDIDATE NUMBER. ConsultIDs: None. Reason: this
candidate is solely about a configuration that does not directly
introduce security vulnerabilities, so it is more appropriate to cover
under the Common Configuration Enumeration (CCE). Notes: the former
description is: "The SMTP service is running."
Status: Candidate
Phase: Modified (20080731)
Votes:
ACCEPT(2) Baker, Wall
REJECT(1) Northcutt
Name: CVE-1999-0618
Description:
The rexec service is running.
Status: Candidate
Phase: Modified (19990921-01)
Reference: XF:rexec
Votes:
ACCEPT(4) Baker, Northcutt, Ozancin, Wall
MODIFY(1) Frech
Voter Comments:
Frech> XF:decod-rexec
XF:rexec
Name: CVE-1999-0619
Description:
** REJECT **
DO NOT USE THIS CANDIDATE NUMBER. ConsultIDs: None. Reason: this
candidate is solely about a configuration that does not directly
introduce security vulnerabilities, so it is more appropriate to cover
under the Common Configuration Enumeration (CCE). Notes: the former
description is: "The Telnet service is running."
Status: Candidate
Phase: Modified (20080731)
Votes:
ACCEPT(2) Baker, Wall
REJECT(1) Northcutt
Name: CVE-1999-0620
Description:
** REJECT **
DO NOT USE THIS CANDIDATE NUMBER. ConsultIDs: None. Reason: this
candidate is solely about a configuration that does not directly
introduce security vulnerabilities, so it is more appropriate to cover
under the Common Configuration Enumeration (CCE). Notes: the former
description is: "A component service related to NIS is running."
Status: Candidate
Phase: Modified (20080731)
Votes:
ACCEPT(2) Baker, Wall
NOOP(1) Christey
REJECT(1) Northcutt
Voter Comments:
Christey> XF:ypserv(261)
Name: CVE-1999-0621
Description:
** REJECT **
DO NOT USE THIS CANDIDATE NUMBER. ConsultIDs: None. Reason: this
candidate is solely about a configuration that does not directly
introduce security vulnerabilities, so it is more appropriate to cover
under the Common Configuration Enumeration (CCE). Notes: the former
description is: "A component service related to NETBIOS is running."
Status: Candidate
Phase: Modified (20080731)
Reference: OVAL:oval:org.mitre.oval:def:1024
Reference: URL:http://oval.mitre.org/repository/data/getDef?id=oval:org.mitre.oval:def:1024
Votes:
ACCEPT(2) Baker, Wall
MODIFY(1) Frech
REJECT(2) LeBlanc, Northcutt
Voter Comments:
LeBlanc> There is insufficient description to even know what this is.
Lots of component services related to NetBIOS run, and usually do not
constitute a problem.
Frech> associated to:
XF:nt-alerter(29)
XF:nt-messenger(69)
XF:reg-ras-gateway-enabled(2567)
Name: CVE-1999-0622
Description:
** REJECT **
DO NOT USE THIS CANDIDATE NUMBER. ConsultIDs: None. Reason: this
candidate is solely about a configuration that does not directly
introduce security vulnerabilities, so it is more appropriate to cover
under the Common Configuration Enumeration (CCE). Notes: the former
description is: "A component service related to DNS service is
running."
Status: Candidate
Phase: Modified (20080731)
Votes:
ACCEPT(2) Baker, Wall
REJECT(1) Northcutt
Name: CVE-1999-0623
Description:
** REJECT **
DO NOT USE THIS CANDIDATE NUMBER. ConsultIDs: None. Reason: this
candidate is solely about a configuration that does not directly
introduce security vulnerabilities, so it is more appropriate to cover
under the Common Configuration Enumeration (CCE). Notes: the former
description is: "The X Windows service is running."
Status: Candidate
Phase: Modified (20080731)
Votes:
ACCEPT(2) Baker, Wall
NOOP(1) Christey
REJECT(1) Northcutt
Voter Comments:
Christey> Add "X11" to facilitate search.
Name: CVE-1999-0624
Description:
The rstat/rstatd service is running.
Status: Candidate
Phase: Interim (19990925)
Reference: XF:rstat-out
Reference: XF:rstatd
Votes:
ACCEPT(3) Baker, Northcutt, Ozancin
MODIFY(1) Frech
NOOP(2) Meunier, Wall
Voter Comments:
Frech> XF:rstat-out
XF:rstatd
Name: CVE-1999-0625
Description:
The rpc.rquotad service is running.
Status: Candidate
Phase: Proposed (19990721)
Votes:
ACCEPT(3) Baker, Northcutt, Ozancin
MODIFY(1) Frech
NOOP(1) Wall
Voter Comments:
Frech> XF:rquotad
Name: CVE-1999-0629
Description:
The ident/identd service is running.
Status: Candidate
Phase: Proposed (19990721)
Votes:
ACCEPT(2) Baker, Ozancin
MODIFY(1) Frech
NOOP(2) Christey, Wall
REJECT(1) Northcutt
Voter Comments:
Frech> possibly XF:identd?
Christey> XF:ident-users(318) ?
CHANGE> [Frech changed vote from REVIEWING to MODIFY]
Frech> XF:identd-vuln(61)
XF:ident-users(318)
Name: CVE-1999-0630
Description:
The NT Alerter and Messenger services are running.
Status: Candidate
Phase: Proposed (19990804)
Votes:
ACCEPT(2) Baker, Wall
NOOP(1) Christey
REJECT(1) Northcutt
Voter Comments:
Christey> http://support.microsoft.com/support/kb/articles/q189/2/71.asp
Name: CVE-1999-0631
Description:
** REJECT **
DO NOT USE THIS CANDIDATE NUMBER. ConsultIDs: None. Reason: this
candidate is solely about a configuration that does not directly
introduce security vulnerabilities, so it is more appropriate to cover
under the Common Configuration Enumeration (CCE). Notes: the former
description is: "The NFS service is running."
Status: Candidate
Phase: Modified (20080731)
Votes:
ACCEPT(2) Baker, Wall
NOOP(1) Christey
REJECT(1) Northcutt
Voter Comments:
Christey> XF:nfs-nfsd(76) ?
Christey> Add rpc.mountd/mountd to facilitate search.
Name: CVE-1999-0632
Description:
The RPC portmapper service is running.
Status: Candidate
Phase: Proposed (19990804)
Votes:
ACCEPT(2) Baker, Wall
REJECT(1) Northcutt
Name: CVE-1999-0633
Description:
** REJECT **
DO NOT USE THIS CANDIDATE NUMBER. ConsultIDs: None. Reason: this
candidate is solely about a configuration that does not directly
introduce security vulnerabilities, so it is more appropriate to cover
under the Common Configuration Enumeration (CCE). Notes: the former
description is: "The HTTP/WWW service is running."
Status: Candidate
Phase: Modified (20080731)
Votes:
ACCEPT(2) Baker, Wall
REJECT(1) Northcutt
Name: CVE-1999-0634
Description:
** REJECT **
DO NOT USE THIS CANDIDATE NUMBER. ConsultIDs: None. Reason: this
candidate is solely about a configuration that does not directly
introduce security vulnerabilities, so it is more appropriate to cover
under the Common Configuration Enumeration (CCE). Notes: the former
description is: "The SSH service is running."
Status: Candidate
Phase: Modified (20080731)
Votes:
ACCEPT(2) Baker, Wall
REJECT(1) Northcutt
Name: CVE-1999-0635
Description:
The echo service is running.
Status: Candidate
Phase: Modified (20060122)
Reference: FULLDISC:20060116 ACT P202S VoIP wireless phone multiple undocumented ports/services
Reference: URL:http://lists.grok.org.uk/pipermail/full-disclosure/2006-January/041434.html
Reference: SECUNIA:18514
Reference: URL:http://secunia.com/advisories/18514
Votes:
ACCEPT(3) Baker, Northcutt, Wall
REVIEWING(1) Christey
Voter Comments:
Northcutt> The method to my madness is echo is the common denom in the dos attack
Christey> How much of this is an overlap with the echo/chargen flood
problem (CVE-1999-0103)? If this is only an exposure because
of CVE-1999-0103, then maybe this should be REJECTed.
Name: CVE-1999-0636
Description:
The discard service is running.
Status: Candidate
Phase: Proposed (19990804)
Votes:
ACCEPT(1) Baker
NOOP(1) Wall
REJECT(1) Northcutt
Name: CVE-1999-0637
Description:
The systat service is running.
Status: Candidate
Phase: Proposed (19990804)
Votes:
ACCEPT(2) Baker, Wall
REJECT(1) Northcutt
Name: CVE-1999-0638
Description:
The daytime service is running.
Status: Candidate
Phase: Proposed (19990804)
Votes:
ACCEPT(1) Baker
NOOP(1) Wall
REJECT(1) Northcutt
Name: CVE-1999-0639
Description:
The chargen service is running.
Status: Candidate
Phase: Proposed (19990804)
Votes:
ACCEPT(2) Baker, Wall
REJECT(1) Northcutt
REVIEWING(1) Christey
Voter Comments:
Christey> How much of this is an overlap with the echo/chargen flood
problem (CVE-1999-0103)? If this is only an exposure because
of CVE-1999-0103, then maybe this should be REJECTed.
Name: CVE-1999-0640
Description:
The Gopher service is running.
Status: Candidate
Phase: Proposed (19990804)
Votes:
ACCEPT(2) Baker, Wall
REJECT(1) Northcutt
Name: CVE-1999-0641
Description:
The UUCP service is running.
Status: Candidate
Phase: Proposed (19990804)
Votes:
ACCEPT(2) Baker, Wall
REJECT(1) Northcutt
Name: CVE-1999-0642
Description:
** REJECT **
DO NOT USE THIS CANDIDATE NUMBER. ConsultIDs: None. Reason: this
candidate is solely about a configuration that does not directly
introduce security vulnerabilities, so it is more appropriate to cover
under the Common Configuration Enumeration (CCE). Notes: the former
description is: "A POP service is running."
Status: Candidate
Phase: Modified (20080731)
Votes:
ACCEPT(2) Baker, Wall
REJECT(1) Northcutt
Name: CVE-1999-0643
Description:
** REJECT **
DO NOT USE THIS CANDIDATE NUMBER. ConsultIDs: None. Reason: this
candidate is solely about a configuration that does not directly
introduce security vulnerabilities, so it is more appropriate to cover
under the Common Configuration Enumeration (CCE). Notes: the former
description is: "The IMAP service is running."
Status: Candidate
Phase: Modified (20080731)
Votes:
ACCEPT(2) Baker, Wall
REJECT(1) Northcutt
Name: CVE-1999-0644
Description:
** REJECT **
DO NOT USE THIS CANDIDATE NUMBER. ConsultIDs: None. Reason: this
candidate is solely about a configuration that does not directly
introduce security vulnerabilities, so it is more appropriate to cover
under the Common Configuration Enumeration (CCE). Notes: the former
description is: "The NNTP news service is running."
Status: Candidate
Phase: Modified (20080731)
Votes:
ACCEPT(2) Baker, Wall
NOOP(1) Christey
REJECT(1) Northcutt
Voter Comments:
Christey> XF:nntp-post(88) ?
Name: CVE-1999-0645
Description:
** REJECT **
DO NOT USE THIS CANDIDATE NUMBER. ConsultIDs: None. Reason: this
candidate is solely about a configuration that does not directly
introduce security vulnerabilities, so it is more appropriate to cover
under the Common Configuration Enumeration (CCE). Notes: the former
description is: "The IRC service is running."
Status: Candidate
Phase: Modified (20080731)
Votes:
ACCEPT(2) Baker, Wall
NOOP(1) Christey
REJECT(1) Northcutt
Voter Comments:
Christey> XF:irc-server(767) ?
Name: CVE-1999-0646
Description:
** REJECT **
DO NOT USE THIS CANDIDATE NUMBER. ConsultIDs: None. Reason: this
candidate is solely about a configuration that does not directly
introduce security vulnerabilities, so it is more appropriate to cover
under the Common Configuration Enumeration (CCE). Notes: the former
description is: "The LDAP service is running."
Status: Candidate
Phase: Modified (20080731)
Votes:
ACCEPT(2) Baker, Wall
REJECT(1) Northcutt
Name: CVE-1999-0647
Description:
** REJECT **
DO NOT USE THIS CANDIDATE NUMBER. ConsultIDs: None. Reason: this
candidate is solely about a configuration that does not directly
introduce security vulnerabilities, so it is more appropriate to cover
under the Common Configuration Enumeration (CCE). Notes: the former
description is: "The bootparam (bootparamd) service is running."
Status: Candidate
Phase: Modified (20080731)
Votes:
ACCEPT(2) Baker, Ozancin
MODIFY(1) Frech
NOOP(1) Wall
REJECT(1) Northcutt
Voter Comments:
Frech> XF:bootp
Name: CVE-1999-0648
Description:
** REJECT **
DO NOT USE THIS CANDIDATE NUMBER. ConsultIDs: None. Reason: this
candidate is solely about a configuration that does not directly
introduce security vulnerabilities, so it is more appropriate to cover
under the Common Configuration Enumeration (CCE). Notes: the former
description is: "The X25 service is running."
Status: Candidate
Phase: Modified (20080731)
Votes:
ACCEPT(2) Baker, Wall
REJECT(1) Northcutt
Name: CVE-1999-0649
Description:
** REJECT **
DO NOT USE THIS CANDIDATE NUMBER. ConsultIDs: None. Reason: this
candidate is solely about a configuration that does not directly
introduce security vulnerabilities, so it is more appropriate to cover
under the Common Configuration Enumeration (CCE). Notes: the former
description is: "The FSP service is running."
Status: Candidate
Phase: Modified (20080731)
Votes:
ACCEPT(1) Baker
NOOP(1) Wall
REJECT(1) Northcutt
Name: CVE-1999-0650
Description:
The netstat service is running, which provides sensitive information
to remote attackers.
Status: Candidate
Phase: Modified (20060608)
Reference: XF:netstat(72)
Votes:
ACCEPT(2) Baker, Wall
REJECT(1) Northcutt
Name: CVE-1999-0651
Description:
The rsh/rlogin service is running.
Status: Candidate
Phase: Proposed (19990804)
Votes:
ACCEPT(2) Baker, Wall
MODIFY(1) Frech
NOOP(1) Christey
REJECT(1) Northcutt
Voter Comments:
Christey> aka "shell" on UNIX systems (at least Solaris) in the
/etc/inetd.conf file.
Frech> associated to:
XF:nt-rlogin(92)
XF:rsh-svc(114)
XF:rshd(2995)
Name: CVE-1999-0652
Description:
** REJECT **
DO NOT USE THIS CANDIDATE NUMBER. ConsultIDs: None. Reason: this
candidate is solely about a configuration that does not directly
introduce security vulnerabilities, so it is more appropriate to cover
under the Common Configuration Enumeration (CCE). Notes: the former
description is: "A database service is running, e.g. a SQL server,
Oracle, or mySQL."
Status: Candidate
Phase: Modified (20080731)
Votes:
ACCEPT(1) Baker
MODIFY(1) Frech
NOOP(1) Wall
REJECT(1) Northcutt
Voter Comments:
Frech> XF:nt-sql-server(1289)
XF:msql-detect(2211)
XF:oracle-detect(2388)
XF:sybase-detect-namedpipes(1461)
Name: CVE-1999-0653
Description:
A component service related to NIS+ is running.
Status: Candidate
Phase: Proposed (19990804)
Votes:
ACCEPT(2) Baker, Wall
REJECT(1) Northcutt
Name: CVE-1999-0654
Description:
The OS/2 or POSIX subsystem in NT is enabled.
Status: Candidate
Phase: Proposed (19990728)
Votes:
ACCEPT(1) Wall
MODIFY(1) Frech
NOOP(2) Baker, Christey
REJECT(1) Northcutt
Voter Comments:
Wall> These subsystems could still allow a process to persist across logins.
Frech> XF:nt-posix(217)
XF:nt-posix-sub-c2(2397)
XF:nt-posix-sub-onceonly(2478)
XF:nt-os2-sub(218)
XF:nt-os2-sub-c2(2396)
XF:nt-os2-sub-onceonly(2477)
XF:nt-os2-registry(2550)
Christey> s2-file-os2(1865)
Name: CVE-1999-0655
Description:
** REJECT **
DO NOT USE THIS CANDIDATE NUMBER. ConsultIDs: None. Reason: this
candidate is not about any specific product, protocol, or design, so
it is out of scope of CVE. Notes: the former description is: "A
service may include useful information in its banner or help function
(such as the name and version), making it useful for information
gathering activities."
Status: Candidate
Phase: Modified (20080731)
Votes:
ACCEPT(5) Baker, Frech, Northcutt, Ozancin, Wall
Voter Comments:
CHANGE> [Frech changed vote from REVIEWING to ACCEPT]
Name: CVE-1999-0656
Description:
The ugidd RPC interface, by design, allows remote attackers to
enumerate valid usernames by specifying arbitrary UIDs that ugidd maps
to local user and group names.
Status: Candidate
Phase: Modified (20080731)
Reference: MISC:http://ca.com/au/securityadvisor/vulninfo/Vuln.aspx?ID=1638
Reference: XF:linux-ugidd(348)
Reference: URL:http://xforce.iss.net/xforce/xfdb/348
Votes:
ACCEPT(1) Baker
NOOP(1) Wall
REJECT(1) Northcutt
Name: CVE-1999-0657
Description:
WinGate is being used.
Status: Candidate
Phase: Proposed (19990804)
Votes:
ACCEPT(1) Baker
NOOP(1) Wall
REJECT(1) Northcutt
Name: CVE-1999-0658
Description:
** REJECT **
DO NOT USE THIS CANDIDATE NUMBER. ConsultIDs: None. Reason: this
candidate is solely about a configuration that does not directly
introduce security vulnerabilities, so it is more appropriate to cover
under the Common Configuration Enumeration (CCE). Notes: the former
description is: "DCOM is running."
Status: Candidate
Phase: Modified (20080731)
Votes:
ACCEPT(2) Baker, Wall
REJECT(1) Northcutt
Name: CVE-1999-0659
Description:
** REJECT **
DO NOT USE THIS CANDIDATE NUMBER. ConsultIDs: None. Reason: this
candidate is solely about a configuration that does not directly
introduce security vulnerabilities, so it is more appropriate to cover
under the Common Configuration Enumeration (CCE). Notes: the former
description is: "A Windows NT Primary Domain Controller (PDC) or
Backup Domain Controller (BDC) is present."
Status: Candidate
Phase: Modified (20080731)
Votes:
REJECT(3) Baker, Northcutt, Wall
Voter Comments:
Wall> Don't consider this a service or a problem.
Baker> concur with wall on this
Name: CVE-1999-0660
Description:
** REJECT **
DO NOT USE THIS CANDIDATE NUMBER. ConsultIDs: None. Reason: this
candidate is not about any specific product, protocol, or design, so
it is out of scope of CVE. It might be more appropriate to cover
under the Common Configuration Enumeration (CCE). Notes: the former
description is: "A hacker utility, back door, or Trojan Horse is
installed on a system, e.g. NetBus, Back Orifice, Rootkit, etc."
Status: Candidate
Phase: Modified (20080730)
Votes:
ACCEPT(4) Baker, Hill, Northcutt, Wall
NOOP(1) Christey
Voter Comments:
Christey> Add "back door" to description.
Name: CVE-1999-0661
Description:
A system is running a version of software that was replaced with a
Trojan Horse at one of its distribution points, such as (1) TCP
Wrappers 7.6, (2) util-linux 2.9g, (3) wuarchive ftpd (wuftpd) 2.2 and
2.1f, (4) IRC client (ircII) ircII 2.2.9, (5) OpenSSH 3.4p1, or (6)
Sendmail 8.12.6.
Status: Candidate
Phase: Modified (20050529)
Reference: CERT:CA-1994-07
Reference: URL:http://www.cert.org/advisories/CA-1994-07.html
Reference: CERT:CA-1994-14
Reference: URL:http://www.cert.org/advisories/CA-1994-14.html
Reference: CERT:CA-1999-01
Reference: URL:http://www.cert.org/advisories/CA-1999-01.html
Reference: CERT:CA-1999-02
Reference: URL:http://www.cert.org/advisories/CA-1999-02.html
Reference: CERT:CA-2002-28
Reference: URL:http://www.cert.org/advisories/CA-2002-28.html
Reference: BUGTRAQ:20020801 trojan horse in recent openssh (version 3.4 portable 1)
Reference: URL:http://marc.theaimsgroup.com/?l=bugtraq&m=102820843403741&w=2
Reference: BUGTRAQ:20020801 OpenSSH Security Advisory: Trojaned Distribution Files
Reference: URL:http://marc.theaimsgroup.com/?l=bugtraq&m=102821663814127&w=2
Reference: BUGTRAQ:20021009 Re: CERT Advisory CA-2002-28 Trojan Horse Sendmail
Reference: URL:http://online.securityfocus.com/archive/1/294539
Reference: BID:5921
Reference: URL:http://www.securityfocus.com/bid/5921
Reference: XF:sendmail-backdoor(10313)
Reference: URL:http://www.iss.net/security_center/static/10313.php
Votes:
ACCEPT(4) Baker, Hill, Northcutt, Wall
REVIEWING(1) Christey
Voter Comments:
Christey> Should add the specific CERT advisory references for
well-known Trojaned software.
TCP Wrappers -> CERT:CA-1999-01
CERT:CA-1999-02 includes util-linux
wuarchive - CERT:CA-94.07
IRC client - CERT:CA-1994-14
Christey> BUGTRAQ:20020801 trojan horse in recent openssh (version 3.4 portable 1)
Modify description to use dot notation.
Christey> CERT:CA-2002-24
URL:http://www.cert.org/advisories/CA-2002-24.html
XF:openssh-backdoor(9763)
URL:http://www.iss.net/security_center/static/9763.php
BID:5374
URL:http://www.securityfocus.com/bid/5374
CHANGE> [Christey changed vote from NOOP to REVIEWING]
Christey> Add libpcap and tcpdump:
BUGTRAQ:20021113 Latest libpcap & tcpdump sources from tcpdump.org contain a trojan
URL:http://marc.theaimsgroup.com/?l=bugtraq&m=103722456708471&w=2
CERT:CA-2002-30
URL:http://www.cert.org/advisories/CA-2002-30.html
This CAN has been active for over 4 years. At this moment, my
thinking is that we should SPLIT this CAN into each separate
trojaned product, then create some criteria that restrict
creation of new CANs to "widespread" or "important" products only.
Name: CVE-1999-0662
Description:
A system-critical program or library does not have the appropriate
patch, hotfix, or service pack installed, or is outdated or obsolete.
Status: Candidate
Phase: Proposed (19990804)
Votes:
ACCEPT(4) Baker, Hill, Northcutt, Wall
Name: CVE-1999-0663
Description:
A system-critical program, library, or file has a checksum or other
integrity measurement that indicates that it has been modified.
Status: Candidate
Phase: Proposed (19990804)
Votes:
ACCEPT(3) Baker, Hill, Wall
RECAST(1) Northcutt
Voter Comments:
Northcutt> This needs to be worded carefully.
1. Rootkits evade checksum detection.
2. The modification could be positive (a patch)
Name: CVE-1999-0664
Description:
An application-critical Windows NT registry key has inappropriate
permissions.
Status: Candidate
Phase: Proposed (19990803)
Votes:
ACCEPT(1) Wall
NOOP(1) Baker
RECAST(2) Christey, Northcutt
Voter Comments:
Northcutt> I think we can define appropriate, take a look at the nt security .pdf
and see if you can't see a way to phrase specific keys in a way that
defines inappropriate.
Christey> Upon further reflection, this is too high-level for CVE.
Specific registry keys with bad permissions is roughly
equivalent to Unix configuration files that have bad
permissions; those permission problems can be created by
any vendor, not just a specific one. Therefore this
candidate should be RECAST into each separate registry
key that has this problem.
Name: CVE-1999-0665
Description:
An application-critical Windows NT registry key has an inappropriate
value.
Status: Candidate
Phase: Proposed (19990803)
Votes:
ACCEPT(1) Wall
NOOP(1) Baker
RECAST(1) Northcutt
Voter Comments:
Northcutt> I think we can define appropriate, take a look at the nt security .pdf
and see if you can't see a way to phrase specific keys in a way that
defines inappropriate.
Baker> very vague
Name: CVE-1999-0667
Description:
The ARP protocol allows any host to spoof ARP replies and poison the
ARP cache to conduct IP address spoofing or a denial of service.
Status: Candidate
Phase: Proposed (19991222)
Votes:
ACCEPT(2) Blake, Cole
MODIFY(1) Stracener
NOOP(2) Baker, Christey
REJECT(1) Frech
Voter Comments:
Stracener> Add Ref: BUGTRAQ:19970919 Playing redir games with ARP and ICMP
Frech> Cannot proceed without a reference. Too vague, and resembles XF:netbsd-arp:
CVE-1999-0763: NetBSD on a multi-homed host allows ARP packets on one
network to modify ARP entries on another connected network.
CVE-1999-0764: NetBSD allows ARP packets to overwrite static ARP entries.
Will reconsider if reference provides enough information to render a
distinction.
Christey> This particular vulnerability was exploited by an attacker
during the ID'Net IDS test network exercise at the SANS
Network Security '99 conference. The attacker adapted a
publicly available program that was able to spoof another
machine on the same physical network.
See http://marc.theaimsgroup.com/?l=bugtraq&m=87602880019797&w=2
for the Bugtraq reference that Tom Stracener suggested.
This generated a long thread on Bugtraq in 1997.
Blake> I'll second Tom's request to add the reference, it's a very
posting good and the vulnerability is clearly derivative of
the work.
(I do recall talking to the guy and drafting a description.)
Name: CVE-1999-0669
Description:
The Eyedog ActiveX control is marked as "safe for scripting" for
Internet Explorer, which allows a remote attacker to execute arbitrary
commands as demonstrated by Bubbleboy.
Status: Candidate
Phase: Interim (19991229)
Reference: MS:MS99-032
Reference: CIAC:J-064
Reference: URL:http://ciac.llnl.gov/ciac/bulletins/j-064.shtml
Reference: XF:ms-scriptlet-eyedog-unsafe
Reference: MSKB:Q240308
Votes:
ACCEPT(5) Baker, Cole, Ozancin, Prosser, Wall
MODIFY(2) Frech, Stracener
REVIEWING(1) Christey
Voter Comments:
Frech> XF:ms-scriptlet-eyedog-unsafe
Stracener> Add Ref: MSKB Q240308
Christey> Should CVE-1999-0669 and 668 be merged? If not, then this is
a reason for not merging CVE-1999-0988 and CVE-1999-0828.
Name: CVE-1999-0670
Description:
Buffer overflow in the Eyedog ActiveX control allows a remote attacker
to execute arbitrary commands.
Status: Candidate
Phase: Proposed (19991208)
Reference: MS:MS99-032
Reference: URL:http://www.microsoft.com/technet/security/bulletin/ms99-032.asp
Reference: CIAC:J-064
Reference: URL:http://ciac.llnl.gov/ciac/bulletins/j-064.shtml
Votes:
ACCEPT(3) Ozancin, Prosser, Wall
MODIFY(2) Frech, Stracener
REJECT(2) Baker, Cole
Voter Comments:
Frech> XF:ie-eyedog-bo
Cole> Based on the references and information listed this is the same as
CVE-1999-0669
Stracener> Add Ref: MSKB Q240308
Baker> Duplicate
Name: CVE-1999-0673
Description:
Buffer overflow in ALMail32 POP3 client via From: or To: headers.
Status: Candidate
Phase: Proposed (19991222)
Reference: BID:574
Reference: URL:http://www.securityfocus.com/bid/574
Votes:
ACCEPT(6) Baker, Blake, Cole, Collins, Levy, Wall
MODIFY(2) Frech, Stracener
NOOP(3) Armstrong, Landfield, Oliver
REVIEWING(1) Ozancin
Voter Comments:
Stracener> AddRef: ShadowPenguinSecurity:PenguinToolbox,No.037
Frech> XF:almail-bo
CHANGE> [Cole changed vote from NOOP to ACCEPT]
Name: CVE-1999-0677
Description:
The WebRamp web administration utility has a default password.
Status: Candidate
Phase: Modified (19991228-01)
Reference: BUGTRAQ:19990802 [LoWNOISE] Password hunting with webramp
Reference: BID:577
Reference: URL:http://www.securityfocus.com/bid/577
Votes:
ACCEPT(3) Baker, Blake, Stracener
MODIFY(2) Cole, Frech
NOOP(2) Armstrong, Christey
Voter Comments:
Cole> I would add that is is not forced to be changed.
Frech> XF:webramp-default-password
Christey> This problem may have been detected in January 1999:
BUGTRAQ:19990121 Re: WebRamp M3 remote network access bug
http://marc.theaimsgroup.com/?l=bugtraq&m=91702375402055&w=2
Name: CVE-1999-0684
Description:
Denial of service in Sendmail 8.8.6 in HPUX.
Status: Candidate
Phase: Proposed (19991214)
Reference: HP:HPSBUX9904-097
Votes:
ACCEPT(2) Blake, Cole
MODIFY(3) Frech, Prosser, Stracener
NOOP(1) Baker
REJECT(1) Christey
Voter Comments:
Stracener> Add Ref: CIAC: J-040
Prosser> Might change description to indicate DoS caused by multiple connections
Christey> Andre's right. This is a duplicate of CVE-1999-0684.
Frech> Without further information and/or references, this issue looks like an
ambiguous version of CVE-1999-0478: Denial of service in HP-UX sendmail
8.8.6 related to accepting connections.
(was REJECT)
XF:hp-sendmail-connect-dos
Name: CVE-1999-0698
Description:
Denial of service in IP protocol logger (ippl) on Red Hat and Debian
Linux.
Status: Candidate
Phase: Proposed (19991222)
Votes:
ACCEPT(6) Armstrong, Baker, Blake, Cole, Collins, Ozancin
MODIFY(1) Frech
NOOP(4) Landfield, Levy, Stracener, Wall
REJECT(1) Christey
Voter Comments:
Stracener> Is the candidate referring to the denial of service problem mentioned in
the
changelogs for versions previous to 1.4.3-1 or does it pertain to some
problem with or
1.4.8-1?
Frech> Depending on the version, this could be any number of DoSes
related to ippl.
From http://www.larve.net/ippl/:
9 April 1999: version 1.4.3 released, correctly fixing a
potential denial of service attack.
7 April 1999: version 1.4.2 released, fixing a potential
denial of service attack.
XF:linux-ippl-dos
Christey> Changelog: http://pltplp.net/ippl/docs/HISTORY
See comments for version 1.4.2 and 1.4.3
Another source: http://freshmeat.net/news/1999/04/08/923586598.html
CHANGE> [Stracener changed vote from REVIEWING to NOOP]
CHANGE> [Christey changed vote from NOOP to REJECT]
Christey> As mentioned by others, this could apply to several different
versions. Since the description is too vague, this CAN should
be REJECTED and recast into other candidates.
Name: CVE-1999-0712
Description:
A vulnerability in Caldera Open Administration System (COAS) allows
the /etc/shadow password file to be made world-readable.
Status: Candidate
Phase: Proposed (19991214)
Reference: CALDERA:CSSA-1999:009
Reference: XF:linux-coas
Votes:
ACCEPT(4) Baker, Cole, Frech, Stracener
MODIFY(1) Blake
NOOP(1) Armstrong
REVIEWING(1) Christey
Voter Comments:
Blake> This obscurely-written advisory seems to state that COAS will make the
file world-readable, not that it allows the user to make it so. I hardly
think that allowing the user to turn off security is a vulnerability.
Christey> It's difficult to write the description based on what's in
the advisory. If COAS inadvertently changes permissions
without user confirmation, then it should be ACCEPTed with
appropriate modification to the description.
Christey> ADDREF BID:137
CHANGE> [Armstrong changed vote from REVIEWING to NOOP]
Name: CVE-1999-0736
Description:
The showcode.asp sample file in IIS and Site Server allows remote
attackers to read arbitrary files.
Status: Candidate
Phase: Modified (20061101)
Reference: L0PHT:May7,1999
Reference: MS:MS99-013
Reference: URL:http://www.microsoft.com/technet/security/bulletin/ms99-013.asp
Reference: MSKB:Q232449
Reference: MSKB:Q231368
Reference: OVAL:oval:org.mitre.oval:def:932
Reference: URL:http://oval.mitre.org/repository/data/getDef?id=oval:org.mitre.oval:def:932
Votes:
ACCEPT(4) Ozancin, Prosser, Stracener, Wall
MODIFY(2) Cole, Frech
NOOP(1) Baker
REVIEWING(1) Christey
Voter Comments:
Frech> XF:iis-samples-showcode
Cole> There are several sample files that allow this. I would quote
showcode.asp but make it more generic.
Prosser> (Modify)
Have a question on this and on the following three candidates as well. All
of these are part of the file viewers utilities that allow unauthorized
files reading, but MSKB Q231368 also mentioned the diagnostics
program,Winmsdp.exe, as another vulnerable viewer in this same set of
viewers. If we are going to split out the seperate viewer tools then
shouldn't there should be a seperate CAN for Winmsdp.exe also.
Christey> Mike's question basically touches on the CD:SF-EXEC
content decision - what do you do when you have the same bug
in multiple executables? CD:SF-EXEC needs to be reviewed
and approved by the Editorial Board before we can decide
what to do with this candidate.
Christey> Mark Burnett says that Microsoft's mention of winmsdp.exe in
MSKB:Q231368 may be an error, and that winmsdp.exe is a
Microsoft Diagnostics Report Generator which may not even
be installed as part of IIS.
Also see http://www.securityfocus.com/focus/microsoft/iis/showcode.html
Christey> ADDREF BID:167
URL:http://www.securityfocus.com/vdb/bottom.html?vid=167
Christey> MISC:http://p.ulh.as/xploitsdb/NT/iis38.html covers a showcode.asp
directory traversal vulnerability and refers to the L0pht advisory.
Mark Burnett's article is at:
MISC:http://www.securityfocus.com/infocus/1317
Name: CVE-1999-0737
Description:
The viewcode.asp sample file in IIS and Site Server allows remote
attackers to read arbitrary files.
Status: Candidate
Phase: Proposed (19991208)
Reference: MS:MS99-013
Reference: URL:http://www.microsoft.com/technet/security/bulletin/ms99-013.asp
Reference: MSKB:Q231656
Votes:
ACCEPT(4) Ozancin, Prosser, Stracener, Wall
MODIFY(1) Frech
NOOP(2) Baker, Christey
REJECT(1) Cole
Voter Comments:
Frech> XF:iis-samples-viewcode
Cole> I would combine this with the previous.
Prosser> (modify)
See comments in 0736 above
Christey> See http://www.securityfocus.com/focus/microsoft/iis/showcode.html
for additional details.
Christey> Mark Burnett's article is at:
MISC:http://www.securityfocus.com/infocus/1317
Name: CVE-1999-0738
Description:
The code.asp sample file in IIS and Site Server allows remote
attackers to read arbitrary files.
Status: Candidate
Phase: Proposed (19991208)
Reference: MS:MS99-013
Reference: URL:http://www.microsoft.com/technet/security/bulletin/ms99-013.asp
Reference: MSKB:Q232449
Reference: MSKB:Q231368
Votes:
ACCEPT(4) Ozancin, Prosser, Stracener, Wall
MODIFY(1) Frech
NOOP(2) Baker, Christey
REJECT(1) Cole
Voter Comments:
Frech> XF:iis-samples-code
Cole> Same as above
Prosser> (modify)
See comments in 0736 above
Christey> See http://www.securityfocus.com/focus/microsoft/iis/showcode.html
for additional details.
Christey> Mark Burnett's article is at:
MISC:http://www.securityfocus.com/infocus/1317
Name: CVE-1999-0739
Description:
The codebrws.asp sample file in IIS and Site Server allows remote
attackers to read arbitrary files.
Status: Candidate
Phase: Proposed (19991208)
Reference: MS:MS99-013
Reference: URL:http://www.microsoft.com/technet/security/bulletin/ms99-013.asp
Reference: MSKB:Q232449
Reference: MSKB:Q231368
Votes:
ACCEPT(4) Ozancin, Prosser, Stracener, Wall
MODIFY(1) Frech
NOOP(2) Baker, Christey
REJECT(1) Cole
Voter Comments:
Frech> XF:iis-samples-codebrws
Cole> Same as above.
Prosser> (modify)
See comments in 0736 above
Christey> codebrw2.asp and Codebrw1.asp also need to be included
somewhere.
Also see http://www.securityfocus.com/focus/microsoft/iis/showcode.html
Christey> Mark Burnett's article is at:
MISC:http://www.securityfocus.com/infocus/1317
Name: CVE-1999-0741
Description:
QMS CrownNet Unix Utilities for 2060 allows root to log on without a
password.
Status: Candidate
Phase: Proposed (19991222)
Reference: BUGTRAQ:19990818 QMS 2060 printer security hole
Reference: BID:593
Reference: URL:http://www.securityfocus.com/bid/593
Reference: XF:qms-2060-no-root-password
Votes:
ACCEPT(4) Baker, Frech, Levy, Stracener
NOOP(2) Christey, Oliver
Voter Comments:
Christey> change description - anyone can log on *as* root
Frech> (Note: this XF also cataloged under CVE-1999-0508.)
Name: CVE-1999-0748
Description:
Buffer overflows in Red Hat net-tools package.
Status: Candidate
Phase: Proposed (19991214)
Reference: REDHAT:RHSA-1999:017-01
Votes:
ACCEPT(4) Armstrong, Baker, Cole, Stracener
MODIFY(1) Frech
REJECT(1) Blake
Voter Comments:
Blake> RHSA-1999:017-01 describes "potential security problem fixed" in the
absence of knowing whether or not the problems actually existed, I don't
think we have an entry here.
Frech> XF:redhat-net-tool-bo
Name: CVE-1999-0750
Description:
Hotmail allows Javascript to be executed via the HTML STYLE tag,
allowing remote attackers to execute commands on the user's Hotmail
account.
Status: Candidate
Phase: Proposed (19991222)
Reference: BUGTRAQ:19990913 Hotmail security vulnerability - injecting JavaScript using 'STYLE' tag
Reference: BID:630
Reference: URL:http://www.securityfocus.com/bid/630
Votes:
ACCEPT(1) Levy
MODIFY(2) Frech, Stracener
NOOP(1) Baker
Voter Comments:
Stracener> Many sites are vulnerable to this problem. I recommend removing the
explicit references to Hotmail and making the description more generic.
Suggest: Javascript can be injected using the STYLE tag in an HTML
formatted e-mail, allowing remote attackers to execute commands on user
accounts.
Frech> XF:hotmail-html-style-embed
Name: CVE-1999-0757
Description:
The ColdFusion CFCRYPT program for encrypting CFML templates has weak
encryption, allowing attackers to decrypt the templates.
Status: Candidate
Phase: Proposed (20010214)
Reference: ALLAIRE:ASB99-08
Reference: URL:http://www.allaire.com/handlers/index.cfm?ID=10969&Method=Full
Reference: XF:coldfusion-encryption
Reference: URL:http://xforce.iss.net/static/2208.php
Votes:
ACCEPT(3) Baker, Cole, Frech
NOOP(1) Christey
Voter Comments:
Frech> XF:coldfusion-encryption
Christey> BUGTRAQ:19990724 Re: New Allaire Security Zone Bulletins and KB Articles
URL:http://www.securityfocus.com/archive/1/19471
Christey> ADDREF BID:275
URL:http://www.securityfocus.com/bid/275
Name: CVE-1999-0767
Description:
Buffer overflow in Solaris libc, ufsrestore, and rcp via LC_MESSAGES
environmental variable.
Status: Candidate
Phase: Proposed (19991214)
Reference: SUN:00189
Votes:
ACCEPT(4) Baker, Blake, Cole, Dik
MODIFY(2) Frech, Stracener
REVIEWING(2) Christey, Prosser
Voter Comments:
Stracener> Add Ref: CIAC: J-069
Frech> XF:sun-libc-lcmessages
Prosser> BID 268 is an additional reference for this one as it has info on the Sun
vulnerability. However, BID 268 also includes AIX in this vulnerability and
refs APARS issued to fix a vulnerability in various 'nixs with the Natural
Language Service environmental variables NSLPATH and PATH_LOCALE depending
on the 'nix, ref CERT CA-97.10, CVE-1999-0041. However, Georgi Guninski
reported a BO in AIX with LC_MESSAGES + mount, also refed in BID 268, so it
is possible the AIX APARs fix an earlier, similar vulnerability to the Sun
BO in LC_MESSAGES. This should probably be considered under a different
CAN. Any ideas?
Christey> Given that the buffer overflows in CVE-1999-0041 are NLSPATH
and PATH_LOCALE, I'd say that's good evidence that this is not
the same problem. But a buffer overflow in libc in
LC_MESSAGES... We must ask if these are basically the same
codebase.
ADDREF CIAC:J-069
Christey> While the description indicates multiple programs, CD:SF-EXEC
does not apply because the vulnerability was in libc, and
rcp and ufsrestore were both statically linked against libc.
Thus CD:SF-LOC applies, and a single candidate is maintained
because the problem occurred in a library.
Dik> Sun bug 4240566
Christey> I'm consulting with Casper Dik and Troy Bollinger to see if
this should be combined with the AIX buffer overflows for
LC_MESSAGES; current indications are that they should be
split.
Christey> For further consultation, consider this post, though it's
associated with CVE-1999-0041:
BUGTRAQ:19970213 Linux NLSPATH buffer overflow
http://www.securityfocus.com/archive/1/6296
Also add "NLSPATH" and "PATH_LOCALE" to the description to
facilitate search.
Name: CVE-1999-0776
Description:
Alibaba HTTP server allows remote attackers to read files via a
.. (dot dot) attack.
Status: Candidate
Phase: Proposed (19991214)
Reference: NTBUGTRAQ:19990506 ".."-hole in Alibaba 2.0
Reference: URL:http://www.ntbugtraq.com/default.asp?pid=36&sid=1&A2=ind9905&L=NTBUGTRAQ&P=R1533
Reference: XF:http-alibaba-dotdot
Votes:
ACCEPT(4) Frech, Levy, Ozancin, Stracener
MODIFY(1) Baker
NOOP(6) Armstrong, Blake, Cole, Landfield, LeBlanc, Wall
REVIEWING(1) Christey
Voter Comments:
Christey> This candidate is unconfirmed by the vendor.
Posted by Arne Vidstrom.
Blake> I'd like to change my vote on this from ACCEPT to NOOP. I did some
digging and the vendor seems to have discontinued the product, so no
information is available beyond Arne's post. Unless Andre has a copy
in his archive and can test it, I think we have to leave it out.
Wall> I agree with Blake. We have not seen the product and it has been discontinued.
CHANGE> [Christey changed vote from NOOP to REVIEWING]
Christey> If this is (or was) tested by some tool, we should ACCEPT it.
Baker> http://www.securityfocus.com/bid/270
Christey> BID:270
URL:http://www.securityfocus.com/bid/270
Name: CVE-1999-0784
Description:
Denial of service in Oracle TNSLSNR SQL*Net Listener via a malformed
string to the listener port, aka NERP.
Status: Candidate
Phase: Proposed (20010214)
Reference: NTBUGTRAQ:19980827 NERP DoS attack possible in Oracle
Reference: URL:http://archives.neohapsis.com/archives/ntbugtraq/1998/msg00536.html
Reference: BUGTRAQ:19990104 Re: Fw:"NERP" DoS attack possible in Oracle
Reference: URL:http://archives.neohapsis.com/archives/bugtraq/1999_1/0056.html
Reference: BUGTRAQ:19981228 Oracle8 TNSLSNR DoS
Reference: URL:http://archives.neohapsis.com/archives/bugtraq/1998_4/0764.html
Votes:
ACCEPT(1) Baker
MODIFY(1) Frech
NOOP(1) Cole
Voter Comments:
Frech> XF:oracle-tnslsnr-dos(1551)
Name: CVE-1999-0792
Description:
ROUTERmate has a default SNMP community name which allows remote
attackers to modify its configuration.
Status: Candidate
Phase: Modified (20000827)
Reference: MISC:http://www2.merton.ox.ac.uk/~security/rootshell/0022.html
Votes:
ACCEPT(1) Baker
MODIFY(2) Frech, Stracener
NOOP(1) Christey
REVIEWING(1) Levy
Voter Comments:
Stracener> Change the Ref to read: ROOTSHELL: Osicom Technologies ROUTERmate
Security
Advisory
Frech> XF:routermate-snmp-community
Christey> BUGTRAQ:19980914 [rootshell] Security Bulletin #23
URL:http://marc.theaimsgroup.com/?l=bugtraq&m=90581019105693&w=2
Name: CVE-1999-0795
Description:
The NIS+ rpc.nisd server allows remote attackers to execute certain
RPC calls without authentication to obtain system information, disable
logging, or modify caches.
Status: Candidate
Phase: Proposed (19991222)
Reference: NAI:NAI-27
Votes:
ACCEPT(2) Baker, Stracener
MODIFY(1) Frech
NOOP(1) Ozancin
Voter Comments:
Frech> XF:sun-nisplus
Name: CVE-1999-0798
Description:
Buffer overflow in bootpd on OpenBSD, FreeBSD, and Linux systems via
a malformed header type.
Status: Candidate
Phase: Proposed (19991222)
Reference: BUGTRAQ:19981204 bootpd remote vulnerability
Reference: URL:http://marc.theaimsgroup.com/?l=bugtraq&m=91278867118128&w=2
Votes:
ACCEPT(3) Baker, Ozancin, Stracener
MODIFY(1) Frech
NOOP(1) Christey
Voter Comments:
Christey> Is CVE-1999-0389 a duplicate of CVE-1999-0798? CVE-1999-0389
has January 1999 dates associated with it, while CVE-1999-0798
was reported in late December.
http://marc.theaimsgroup.com/?l=bugtraq&m=91278867118128&w=2
SCO appears to have acknowledged this as well:
ftp://ftp.sco.com/SSE/security_bulletins/SB-99.01a
The poster also claims that OpenBSD fixed this as well.
Frech> XF:bootp-remote-bo
Christey> Further analysis indicates that this is a duplicate of CVE-1999-0799
CHANGE> [Christey changed vote from REJECT to NOOP]
Christey> What was I thinking? Brian Caswell pointed out that this is
*not* the same bug as CVE-1999-0799. As reported in the
1998 Bugtraq post, the bug is in bootpd.c, and is related
to providing an htype value that is used as an index
into an array, and exceeds the intended boundaries of that
array.
Name: CVE-1999-0805
Description:
Novell NetWare Transaction Tracking System (TTS) in Novell 4.11 and
earlier allows remote attackers to cause a denial of service via a
large number of requests.
Status: Candidate
Phase: Proposed (20010214)
Reference: BUGTRAQ:19990512 DoS with Netware 4.x's TTS
Reference: URL:http://archives.neohapsis.com/archives/bugtraq/1999_2/0439.html
Reference: XF:novell-tts-dos
Reference: URL:http://xforce.iss.net/static/2184.php
Votes:
ACCEPT(2) Baker, Frech
NOOP(2) Christey, Cole
Voter Comments:
Christey> BID:276
URL:http://www.securityfocus.com/vdb/bottom.html?vid=276
Frech> XF:novell-tts-dos
Name: CVE-1999-0808
Description:
Multiple buffer overflows in ISC DHCP Distribution server (dhcpd) 1.0
and 2.0 allow a remote attacker to cause a denial of service (crash)
and possibly execute arbitrary commands via long options.
Status: Candidate
Phase: Proposed (20010912)
Reference: BUGTRAQ:19980518 DHCP 1.0 and 2.0 SECURITY ALERT! (fwd)
Reference: URL:http://marc.theaimsgroup.com/?l=bugtraq&m=90221101925960&w=2
Reference: CIAC:I-053
Reference: URL:http://ciac.llnl.gov/ciac/bulletins/i-053.shtml
Reference: MISC:ftp://ftp.isc.org/isc/dhcp/dhcp-1.0-history/dhcp-1.0.0-1.0pl1.diff.gz
Votes:
ACCEPT(4) Armstrong, Cole, Foat, Stracener
MODIFY(1) Frech
NOOP(1) Wall
Voter Comments:
Frech> XF:dhcp-remote-dos(7248)
Name: CVE-1999-0816
Description:
The Motorola CableRouter allows any remote user to connect to and
configure the router on port 1024.
Status: Candidate
Phase: Modified (20000313-01)
Reference: BUGTRAQ:19980510 Security Vulnerability in Motorola CableRouters
Reference: URL:http://www.netspace.org/cgi-bin/wa?A2=ind9805B&L=bugtraq&P=R1621
Reference: XF:motorola-cable-default-pass
Votes:
ACCEPT(3) Baker, Cole, Stracener
MODIFY(1) Frech
NOOP(2) Christey, LeBlanc
Voter Comments:
Christey> This candidate is unconfirmed by the vendor.
Frech> XF:motorola-cable-default-pass
Name: CVE-1999-0818
Description:
Buffer overflow in Solaris kcms_configure via a long NETPATH
environmental variable.
Status: Candidate
Phase: Proposed (19991208)
Reference: BUGTRAQ:19991130 another hole of Solaris7 kcms_configure
Reference: URL:http://www.securityfocus.com/templates/archive.pike?list=1&msg=38433B7F5A.53F4SHADOWPENGUIN@fox.nightland.net
Reference: BID:831
Reference: URL:http://www.securityfocus.com/bid/831
Votes:
ACCEPT(2) Armstrong, Stracener
MODIFY(4) Cole, Dik, Frech, Prosser
NOOP(1) Baker
REVIEWING(1) Christey
Voter Comments:
Cole> This can cause code to be executed.
Frech> XF:sol-kcms-conf-netpath-bo
Dik> the bug has nothing to do with kcms_configure; it's a bug
in libnsl.so. All set-uid executables that trigger this code path are
vulnerable. Sun bug 4295834; fixed in Solaris 8.
Prosser> Okay, I am confused. Based on Casper's comments and checking
on the Sun patch site, I found the 4295834 bug(4295834 NETPATH security
problem in libnsl) fixed in SunOS 5.4, Patch 101974-37(x86) 101973 (sparc).
Multiple libnsl vulnerabilities was first reported in an 98 Sun Bulletin
#00172 for 5.4 up through 2.6. Was this NETPATH a problem that resurfaced
in 7 (looks like in 5.4 as well) and was fixed in 8?
Christey> Need to dig up my offline email on this.
Christey> May be a duplicate of CVE-1999-0321, whose sole reference
(XF:sun-kcms-configure-bo) no longer exists. Also examine
BID:452 and
BUGTRAQ:19981223 Merry Christmas to Sun! (Was: L0pht NFR N-Code
Modules Updated)
which are the same as XF:sol-kcms-conf-p-bo(3652), which could
be the new name for XF:sun-kcms-configure-bo.
Name: CVE-1999-0821
Description:
FreeBSD seyon allows local users to gain privileges by providing a
malicious program in the -emulator argument.
Status: Candidate
Phase: Proposed (19991208)
Reference: BUGTRAQ:19991130 Several FreeBSD-3.3 vulnerabilities
Reference: BID:838
Reference: URL:http://www.securityfocus.com/bid/838
Votes:
ACCEPT(2) Armstrong, Stracener
MODIFY(1) Frech
NOOP(2) Baker, Christey
REJECT(1) Cole
REVIEWING(1) Prosser
Voter Comments:
Cole> I would combine this with the previous. To me the general
vulnerabilities are similar it is just the end result that changes.
Frech> XF:freebsd-seyon-setgid
Christey> ADDREF? CALDERA:CSSA-1999-037.0
Name: CVE-1999-0822
Description:
Buffer overflow in Qpopper (qpop) 3.0 allows remote root access via
AUTH command.
Status: Candidate
Phase: Proposed (19991208)
Reference: BUGTRAQ:19991130 serious Qpopper 3.0 vulnerability
Reference: BUGTRAQ:19991130 qpop3.0b20 and below - notes and exploit
Reference: BID:830
Reference: URL:http://www.securityfocus.com/bid/830
Votes:
ACCEPT(4) Armstrong, Baker, Cole, Stracener
MODIFY(1) Frech
NOOP(1) Christey
REVIEWING(1) Prosser
Voter Comments:
Frech> XF:qpopper-auth-bo
Christey> ADDREF? DEBIAN:19991215 buffer overflow in qpopper v3.0
ADDREF XF:qpopper-auth-bo
Name: CVE-1999-0825
Description:
The default permissions for UnixWare /var/mail allow local users to
read and modify other users' mail.
Status: Candidate
Phase: Modified (20000121-01)
Reference: BUGTRAQ:19991203 UnixWare read/modify users' mail
Reference: BUGTRAQ:19991215 Recent postings about SCO UnixWare 7
Reference: BUGTRAQ:19991223 FYI, SCO Security patches available.
Reference: BID:849
Reference: URL:http://www.securityfocus.com/bid/849
Votes:
ACCEPT(4) Armstrong, Baker, Cole, Stracener
MODIFY(1) Frech
NOOP(1) Christey
REVIEWING(1) Prosser
Voter Comments:
Frech> XF:sco-mail-permissions
Christey> ADDREF ftp://ftp.sco.com/SSE/security_bulletins/SB-99.25a
Name: CVE-1999-0827
Description:
By default, Internet Explorer 5.0 and other versions enables the
"Navigate sub-frames across different domains" option, which allows
frame spoofing.
Status: Candidate
Phase: Proposed (19991208)
Reference: BUGTRAQ:19991130 Default IE 5.0 security settings allow frame spoofing
Votes:
ACCEPT(4) Armstrong, Baker, LeBlanc, Stracener
MODIFY(2) Cole, Frech
REVIEWING(1) Prosser
Voter Comments:
Cole> The BID is 855. If I have the right vulnerability, this allows an
attacker to access URL's of there choosing which could lead to a compromise
of private information.
Frech> XF:http-frame-spoof
Question: Similar vulnerability to MS98-020 / CVE-1999-0869?
LeBlanc> MSRC tells me this is patched in MS00-009
Name: CVE-1999-0828
Description:
UnixWare pkg commands such as pkginfo, pkgcat, and pkgparam
allow local users to read arbitrary files via the dacread permission.
Status: Candidate
Phase: Modified (20000121-01)
Reference: BUGTRAQ:19991203 UnixWare and the dacread permission
Reference: BUGTRAQ:19991204 UnixWare pkg* command exploits
Reference: BUGTRAQ:19991223 FYI, SCO Security patches available.
Reference: BUGTRAQ:19991220 SCO OpenServer Security Status
Reference: BID:853
Reference: URL:http://www.securityfocus.com/bid/853
Votes:
ACCEPT(3) Armstrong, Baker, Stracener
MODIFY(2) Cole, Frech
REVIEWING(2) Christey, Prosser
Voter Comments:
Cole> This is BID 850.
Christey> See comments on CVE-1999-0988. Perhaps these two should be
merged. ftp://ftp.sco.com/SSE/security_bulletins/SB-99.28a
loosely alludes to this problem; the README for patch SSE053
effectively confirms it.
Frech> XF:sco-pkg-dacread-fileread
Name: CVE-1999-0829
Description:
HP Secure Web Console uses weak encryption.
Status: Candidate
Phase: Proposed (19991208)
Reference: BUGTRAQ:19991201 HP Secure Web Console
Votes:
ACCEPT(2) Armstrong, Stracener
MODIFY(1) Frech
NOOP(2) Baker, Cole
REVIEWING(1) Prosser
Voter Comments:
Cole> I could not find details on this using the above references.
Frech> XF:hp-secure-console
Name: CVE-1999-0830
Description:
Buffer overflow in SCO UnixWare Xsco command via a long argument.
Status: Candidate
Phase: Proposed (19991208)
Reference: BUGTRAQ:19991126 [w00giving '99 #6]: UnixWare 7's Xsco
Votes:
ACCEPT(3) Armstrong, Baker, Stracener
MODIFY(3) Cole, Frech, Prosser
REVIEWING(1) Christey
Voter Comments:
Cole> This is BID 824 and the BUGTRAQ reference is 19991125.
Frech> XF:sco-unixware-xsco
Christey> Confirmed by vendor, albeit vaguely:
http://marc.theaimsgroup.com/?l=bugtraq&m=94581379905584&w=2
Prosser> agree with Steve on vendor confirmation, however not sure the
fix ref'd in BID 824 (SSE041) is right. It lists fixes for libnsl and
tcpip.so, nothing about xsco. SSE050b
(ftp://ftp.sco.com/SSE/security_bulletins/SB-99.26b) fixes a buffer overflow
in xsco on OpenServer (the vendor message Steve refers to) but not the
UnixWare vulnerability reported on Bugtraq and in BID824. Anyone more
familar with SCO shed some light on this? Are they the same codebase so fix
would be same? From the SCO site it seems the UnixWare and OpenSever
products are similar but have differences.
CHANGE> [Christey changed vote from NOOP to REVIEWING]
Christey> BID:824
http://www.securityfocus.com/bid/824
Name: CVE-1999-0840
Description:
Buffer overflow in CDE dtmail and dtmailpr programs allows local users
to gain privileges via a long -f option.
Status: Candidate
Phase: Modified (20071022)
Reference: BUGTRAQ:19991129 Solaris7 dtmail/dtmailpr/mailtool Buffer Overflow
Reference: URL:http://www.security-express.com/archives/bugtraq/1999-q4/0122.html
Reference: MISC:http://www.securiteam.com/exploits/3J5QQPPQ0O.html
Reference: BID:832
Reference: URL:http://www.securityfocus.com/bid/832
Reference: MISC:http://www.securiteam.com/exploits/3J5QQPPQ0O.html
Reference: XF:solaris-dtmail-overflow(3579)
Reference: URL:http://xforce.iss.net/xforce/xfdb/3579
Reference: XF:solaris-dtmailpr-overflow(3580)
Reference: URL:http://xforce.iss.net/xforce/xfdb/3580
Votes:
ACCEPT(4) Armstrong, Baker, Dik, Stracener
MODIFY(1) Frech
NOOP(1) Cole
REVIEWING(1) Prosser
Voter Comments:
Cole> I went to 1129 and it looks like a reference for a different
vulnerability.
Frech> In the description, should dtmailptr be dtmailpr?
XF:solaris-dtmailpr-overflow
XF:solaris-dtmail-overflow
Dik> sun bug: 4166321
Name: CVE-1999-0841
Description:
Buffer overflow in CDE mailtool allows local users to gain root
privileges via a long MIME Content-Type.
Status: Candidate
Phase: Modified (20071022)
Reference: BUGTRAQ:19991129 Solaris7 dtmail/dtmailpr/mailtool Buffer Overflow
Reference: URL:http://www.security-express.com/archives/bugtraq/1999-q4/0122.html
Reference: MISC:http://www.securiteam.com/exploits/3J5QQPPQ0O.html
Reference: BID:832
Reference: URL:http://www.securityfocus.com/bid/832
Reference: MISC:http://www.securiteam.com/exploits/3J5QQPPQ0O.html
Reference: XF:cde-mailtool-bo(3732)
Reference: URL:http://xforce.iss.net/xforce/xfdb/3732
Votes:
ACCEPT(5) Armstrong, Baker, Cole, Dik, Stracener
MODIFY(1) Frech
REVIEWING(1) Prosser
Voter Comments:
Frech> XF:cde-mailtool-bo
Dik> bug 4163471
(Root access is only possible when mail is send to root and he
uses dtmail to read it)
Name: CVE-1999-0843
Description:
Denial of service in Cisco routers running NAT via a PORT command from
an FTP client to a Telnet port.
Status: Candidate
Phase: Proposed (19991208)
Reference: BUGTRAQ:19991104 Cisco NAT DoS (VD#1)
Reference: BUGTRAQ:19991128 Re: Cisco NAT DoS (VD#1)
Votes:
ACCEPT(3) Balinsky, Cole, Stracener
MODIFY(1) Frech
NOOP(2) Armstrong, Baker
REVIEWING(3) Christey, Prosser, Ziese
Voter Comments:
Frech> XF:cisco-nat-dos
Christey> Mike Prosser's REVIEWING vote expires July 17, 2000
Ziese> After reviewing
http://www.cisco.com/warp/public/707/iostelnetopt-pub.shtml
I can not confirm this exists unless it's restructred to
describe a problem against IOS per se; not NAT per se. I am
reviewing this and it may take some time.
CHANGE> [Christey changed vote from NOOP to REVIEWING]
Christey> Not sure if Kevin's suggested reference really describes this
one. However, a followup email by Jim Duncan of Cisco does
acknowledge the problem as discussed in the Bugtraq post:
http://marc.theaimsgroup.com/?l=vuln-dev&m=94385601831585&w=2
The original post is:
http://marc.theaimsgroup.com/?l=bugtraq&m=94184947504814&w=2
It could be that the researcher believed that the problem was
NAT, but in fact it wasn't.
I need to follow up with Ziese/Balinsky on this one.
Name: CVE-1999-0844
Description:
Denial of service in MDaemon WorldClient and WebConfig services via
a long URL.
Status: Candidate
Phase: Proposed (19991208)
Reference: NTBUGTRAQ:19991124 Remote DoS Attack in WorldClient Server v2.0.0.0 Vulnerability
Reference: BUGTRAQ:19991130 Fwd: RE: Multiples Remotes DoS Attacks in MDaemon Server v2.8.5.0 Vulnerability
Reference: BID:823
Reference: URL:http://www.securityfocus.com/bid/823
Reference: BID:820
Reference: URL:http://www.securityfocus.com/bid/820
Votes:
ACCEPT(2) Baker, Stracener
MODIFY(2) Cole, Frech
NOOP(1) Armstrong
RECAST(1) Christey
REVIEWING(1) Prosser
Voter Comments:
Cole> 823 and 820 are two different vulnerabilities and should be
separated out. They are both buffer overflows but accomplish it in a
different fashion and the end exploit is different.
Frech> (RECAST?)
XF:mdaemon-worldclient-dos
XF:mdaemon-webconfig-dos
Recast request: This is really two services exhibiting the same problem.
Christey> as suggested by others.
Also see confirmation at:
http://mdaemon.deerfield.com/helpdesk/hotfix.cfm
Name: CVE-1999-0845
Description:
Buffer overflow in SCO su program allows local users to gain root
access via a long username.
Status: Candidate
Phase: Proposed (19991208)
Reference: BUGTRAQ:19991126 [w00giving '99 #5 and w00news]: UnixWare 7's su
Reference: SCO:99.19
Reference: BUGTRAQ:19991128 SCO su patches
Votes:
ACCEPT(4) Armstrong, Cole, Prosser, Stracener
MODIFY(1) Frech
RECAST(1) Baker
REVIEWING(1) Christey
Voter Comments:
Christey> DUPE CVE-1999-0317?
Frech> XF:sco-su-username-bo
Christey> ADDREF BID:826
CONFIRM:ftp://ftp.sco.com/SSE/sse039.tar.Z
Name: CVE-1999-0846
Description:
Denial of service in MDaemon 2.7 via a large number of connection
attempts.
Status: Candidate
Phase: Proposed (19991208)
Reference: BUGTRAQ:19991129 MDaemon 2.7 J DoS
Reference: BUGTRAQ:19991130 Fwd: RE: Multiples Remotes DoS Attacks in MDaemon Server v2.8.5.0 Vulnerability
Votes:
ACCEPT(5) Armstrong, Baker, Cole, Prosser, Stracener
MODIFY(1) Frech
REVIEWING(1) Christey
Voter Comments:
Frech> XF:mdaemon-dos
Christey> CVE-1999-0844 is confirmed by MDaemon at
http://mdaemon.deerfield.com/helpdesk/hotfix.cfm but there
is no apparent confirmation for this problem, even
though it was posted the same day.
Prosser> Looks like from a follow-on message on Bugtraq from Nobuo
<http://www.securityfocus.com/templates/archive.pike?list=1&date=1999-11-28&msg=199912011604.HJI39569.BX-NOJ@lac.co.jp> Deerfield sent a reply about the
DoS problems in MDaemon 2.8.5, that also talks about fixing the 2.7 J DoS
that Nobuo initially reported. Can't find the original message, so may have
been limited distro. Looks like an upgrade to the latest release might be
the final solution here.
Name: CVE-1999-0850
Description:
The default permissions for Endymion MailMan allow local users to read
email or modify files.
Status: Candidate
Phase: Proposed (19991208)
Reference: BID:845
Reference: URL:http://www.securityfocus.com/bid/845
Reference: BUGTRAQ:19991202 Insecure default permissions for MailMan Professional Edition, version 3.0.18
Votes:
ACCEPT(2) Cole, Stracener
MODIFY(1) Frech
NOOP(2) Armstrong, Baker
REVIEWING(1) Prosser
Voter Comments:
Frech> XF:endymion-mailman-perms
Name: CVE-1999-0852
Description:
IBM WebSphere sets permissions that allow a local user to modify a
deinstallation script or its data files stored in /usr/bin.
Status: Candidate
Phase: Proposed (19991208)
Reference: BID:844
Reference: URL:http://www.securityfocus.com/bid/844
Reference: BUGTRAQ:19991202 WebSphere protections from installation
Votes:
ACCEPT(3) Armstrong, Cole, Stracener
MODIFY(1) Frech
NOOP(1) Baker
REVIEWING(1) Prosser
Voter Comments:
Frech> XF:websphere-protect
Name: CVE-1999-0855
Description:
Buffer overflow in FreeBSD gdc program.
Status: Candidate
Phase: Proposed (19991208)
Reference: BID:834
Reference: URL:http://www.securityfocus.com/bid/834
Reference: BUGTRAQ:19991130 FreeBSD 3.3 gated-3.1.5 local exploit
Votes:
ACCEPT(3) Armstrong, Prosser, Stracener
MODIFY(2) Cole, Frech
NOOP(2) Baker, Christey
Voter Comments:
Cole> The BID is 834 and the reference is 19991201 not 1130.
Frech> XF:freebsd-gdc-bo
Christey> ADDREF BID:780 ?
Name: CVE-1999-0857
Description:
FreeBSD gdc program allows local users to modify files via a symlink
attack.
Status: Candidate
Phase: Proposed (19991208)
Reference: BUGTRAQ:19991130 FreeBSD 3.3 gated-3.1.5 local exploit
Reference: BID:835
Reference: URL:http://www.securityfocus.com/bid/835
Votes:
ACCEPT(3) Armstrong, Prosser, Stracener
MODIFY(2) Cole, Frech
NOOP(1) Baker
Voter Comments:
Cole> This is via debug output.
Frech> XF:freebsd-gdc
Name: CVE-1999-0860
Description:
Solaris chkperm allows local users to read files owned by bin via
the VMSYS environmental variable and a symlink attack.
Status: Candidate
Phase: Proposed (19991208)
Reference: BUGTRAQ:19991130 Solaris 2.x chkperm/arp vulnerabilities
Reference: BID:837
Reference: URL:http://www.securityfocus.com/bid/837
Votes:
ACCEPT(2) Armstrong, Stracener
MODIFY(2) Dik, Frech
NOOP(2) Baker, Christey
REJECT(1) Cole
REVIEWING(1) Prosser
Voter Comments:
Cole> This is the same as the pervious.
Frech> XF:sol-chkperm-vmsys
Dik> include reference to Sun bug 4296167
Christey> Remove BID:837, which is for arp, not chkperm
Name: CVE-1999-0862
Description:
Insecure directory permissions in RPM distribution for PostgreSQL
allows local users to gain privileges by reading a plaintext password
file.
Status: Candidate
Phase: Proposed (19991208)
Reference: BUGTRAQ:19991202 PostgreSQL RPM's permission problems
Votes:
ACCEPT(3) Armstrong, Cole, Stracener
MODIFY(1) Frech
NOOP(1) Baker
REVIEWING(1) Prosser
Voter Comments:
Frech> XF:postgresql-insecure-perms
Name: CVE-1999-0863
Description:
Buffer overflow in FreeBSD seyon via HOME environmental variable,
-emulator argument, -modems argument, or the GUI.
Status: Candidate
Phase: Proposed (19991208)
Reference: BUGTRAQ:19970617 Seyon vulnerability - IRIX
Reference: BUGTRAQ:19991108 FreeBSD 3.3's seyon vulnerability
Reference: BUGTRAQ:19991130 Several FreeBSD-3.3 vulnerabilities
Votes:
ACCEPT(4) Armstrong, Cole, Prosser, Stracener
MODIFY(1) Frech
NOOP(1) Baker
REVIEWING(1) Christey
Voter Comments:
Frech> XF:freebsd-seyon-bo
Christey> ADDREF? CALDERA:CSSA-1999-037.0
Christey> May be multiple bugs here, or a single library problem.
CD:SF-LOC needs to be resolved before determining if this
candidate should be SPLIT. Also see CVE-1999-0821.
Name: CVE-1999-0872
Description:
Buffer overflow in Vixie cron allows local users to gain root access
via a long MAILTO environment variable in a crontab file.
Status: Candidate
Phase: Proposed (19991214)
Reference: BID:759
Reference: URL:http://www.securityfocus.com/bid/759
Reference: BID:611
Reference: URL:http://www.securityfocus.com/bid/611
Reference: REDHAT:RHSA-1999:030-02
Votes:
MODIFY(2) Cole, Frech
NOOP(1) Baker
REJECT(3) Blake, Christey, Stracener
Voter Comments:
Cole> 611 is the mail to listed above but 759 is for the mail from and
should be listed as a separate vulenrability.
Blake> This does not appear materially different from CVE-1999-0768
Christey> This is an apparent duplicate of CVE-1999-0768.
REDHAT:RHSA-1999:030-02 describes two issues, one of which is
CVE-1999-0768, and the other is CVE-1999-0769.
Stracener> This is a duplicate of candidate CVE-1999-0768.
Frech> XF:cron-sendmail-bo-root
Christey> BID:759 is improperly assigned to this candidate and doesn't
even describe it. It may have been inadvertently copied
from CVE-1999-0873.
Name: CVE-1999-0882
Description:
Falcon web server allows remote attackers to determine the absolute
path of the web root via long file names.
Status: Candidate
Phase: Proposed (19991214)
Reference: BUGTRAQ:19991025 Falcon Web Server
Reference: BINDVIEW:Falcon Web Server
Votes:
ACCEPT(3) Baker, Blake, Stracener
MODIFY(1) Frech
NOOP(2) Armstrong, Cole
Voter Comments:
Frech> XF:falcon-server-long-filename
Name: CVE-1999-0885
Description:
Alibaba web server allows remote attackers to execute commands via a
pipe character in a malformed URL.
Status: Candidate
Phase: Modified (20000313-01)
Reference: BUGTRAQ:19991103 More Alibaba Web Server problems...
Reference: URL:http://www.securityfocus.com/templates/archive.pike?list=1&date=1999-11-01&msg=01BF261F.928821E0.kerb@fnusa.com
Reference: BID:770
Reference: URL:http://www.securityfocus.com/bid/770
Reference: XF:alibaba-url-file-manipulation
Votes:
ACCEPT(2) Baker, Stracener
MODIFY(1) Frech
NOOP(5) Armstrong, Blake, Christey, Cole, LeBlanc
Voter Comments:
Christey> This candidate is unconfirmed by the vendor.
Blake> Same as CVE-1999-0776.
Frech> XF:alibaba-url-file-manipulation
Christey> CD:SF-LOC and CD:SF-EXEC may say to merge this candidate with
the problems described in:
BUGTRAQ:20000718 Multiple bugs in Alibaba 2.0
URL:http://archives.neohapsis.com/archives/bugtraq/2000-07/0237.html
If so, then ADDREF BID:1485 as well.
Christey> Include the names of the affected CGI's, including tst.bat,
get32.exe, alibaba.pl, etc.
Name: CVE-1999-0910
Description:
Microsoft Site Server and Commercial Internet System (MCIS) do not set
an expiration for a cookie, which could then be cached by a proxy and
inadvertently used by a different user.
Status: Candidate
Phase: Proposed (19991208)
Reference: MS:MS99-035
Reference: URL:http://www.microsoft.com/technet/security/bulletin/ms99-035.asp
Reference: BID:625
Reference: URL:http://www.securityfocus.com/bid/625
Votes:
ACCEPT(4) Baker, Ozancin, Prosser, Wall
MODIFY(2) Frech, Stracener
REJECT(1) Cole
Voter Comments:
Frech> XF:siteserver-cis-cookie-cache
Cole> Whether cookies are a vulnerbality is a debate for another time, the
question here is whether the
expiration feature is a vulnerability and I do not think it is
because the underlying concerns for this
are present even without this feature. The expiration feature does
not add any new vulenrabilities
that are not already present with cookies.
Stracener> Add Ref: MSKB Q238647
Name: CVE-1999-0911
Description:
Buffer overflow in ProFTPD, wu-ftpd, and beroftpd allows remote
attackers to gain root access via a series of MKD and CWD commands
that create nested directories.
Status: Candidate
Phase: Modified (20050309)
Reference: BUGTRAQ:19990827 ProFTPD
Reference: BUGTRAQ:19990907 ProFTP-1.2.0pre4 buffer overflow -- once more
Reference: DEBIAN:19990210
Reference: URL:http://www.debian.org/security/1999/19990210
Reference: FREEBSD:FreeBSD-SA-99:03
Reference: BID:612
Reference: URL:http://www.securityfocus.com/bid/612
Votes:
ACCEPT(5) Baker, Blake, Cole, Prosser, Stracener
MODIFY(1) Frech
REVIEWING(1) Christey
Voter Comments:
Frech> XF:proftpd-long-dir-bo(3399)
Christey> Not absolutely sure if this isn't the same as Palmetto
(CVE-1999-0368), which describes a similar type of overflow.
NETBSD:NetBSD-SA1999-003 may refer to CVE-1999-0368:
ADDREF URL:ftp://ftp.NetBSD.ORG/pub/NetBSD/misc/security/advisories/NetBSD-SA1999-003.txt.asc
Christey> ADDREF CIAC:J-068
Include version numbers; too many wu-ftp/etc. problems
were published in summer/fall 1999
Name: CVE-1999-0913
Description:
dfire.cgi script in Dragon-Fire IDS allows remote users to execute
commands via shell metacharacters.
Status: Candidate
Phase: Proposed (19991214)
Reference: BUGTRAQ:19990804 NSW Dragon Fire gets drowned
Reference: URL:http://marc.theaimsgroup.com/?l=bugtraq&m=93383593909438&w=2
Reference: BID:564
Reference: URL:http://www.securityfocus.com/bid/564
Votes:
ACCEPT(2) Blake, Stracener
MODIFY(1) Frech
NOOP(4) Armstrong, Baker, Cole, LeBlanc
REVIEWING(1) Christey
Voter Comments:
Christey> Some voters should use ABSTAIN.
Frech> XF:dragon-fire-ids-metachar(3834)
CHANGE> [Armstrong changed vote from REVIEWING to NOOP]
Name: CVE-1999-0919
Description:
A memory leak in a Motorola CableRouter allows remote attackers to
conduct a denial of service via a large number of telnet connections.
Status: Candidate
Phase: Modified (20020226-02)
Reference: BUGTRAQ:19980510 Security Vulnerability in Motorola CableRouters
Reference: URL:http://www.netspace.org/cgi-bin/wa?A2=ind9805B&L=bugtraq&P=R1621
Reference: XF:motorola-cable-crash(2004)
Reference: URL:http://xforce.iss.net/static/2004.php
Votes:
ACCEPT(2) Baker, Cole
MODIFY(1) Frech
NOOP(7) Armstrong, Christey, Landfield, LeBlanc, Ozancin, Stracener, Wall
REVIEWING(1) Levy
Voter Comments:
Christey> This candidate is unconfirmed by the vendor.
Frech> XF:motorola-cable-crash
Christey> This has enough votes, but not the "confidence" yet (until we
resolve the question of the amount of verification needed
for CVE).
Name: CVE-1999-0923
Description:
Sample runnable code snippets in ColdFusion Server 4.0 allow remote
attackers to read files, conduct a denial of service, or use the
server as a proxy for other HTTP calls.
Status: Candidate
Phase: Proposed (20010214)
Reference: ALLAIRE:ASB99-02
Reference: URL:http://www.allaire.com/handlers/index.cfm?ID=8739&Method=Full
Votes:
ACCEPT(2) Baker, Cole
MODIFY(1) Frech
NOOP(1) Christey
Voter Comments:
Frech> XF:coldfusion-source-display(1741)
XF:coldfusion-syntax-checker(1742)
XF:coldfusion-file-existence(1743)
XF:coldfusion-sourcewindow(1744)
Christey> List all affected runnable code snippets to facilitate
search, which may include:
viewexample.cfm (though could that be part of CVE-1999-0922?)
Name: CVE-1999-0925
Description:
UnityMail allows remote attackers to conduct a denial of service via a
large number of MIME headers.
Status: Candidate
Phase: Modified (20020829-01)
Reference: BUGTRAQ:19980903 Web servers / possible DOS Attack / mime header flooding
Reference: URL:http://marc.theaimsgroup.com/?l=bugtraq&m=90486243124867&w=2
Votes:
ACCEPT(2) Baker, Stracener
MODIFY(1) Frech
NOOP(1) Christey
REVIEWING(1) Levy
Voter Comments:
Frech> XF:unitymail-web-dos(1630)
Christey> BID:1760
URL:http://www.securityfocus.com/bid/1760
Christey> Affected version is 2.0
Change date of Bugtraq post - it was 1998.
Name: CVE-1999-0926
Description:
Apache allows remote attackers to conduct a denial of service via a
large number of MIME headers.
Status: Candidate
Phase: Proposed (20010912)
Reference: BUGTRAQ:19990903 Web servers / possible DOS Attack / mime header flooding
Reference: URL:http://archives.neohapsis.com/archives/bugtraq/1998_3/0742.html
Votes:
ACCEPT(1) Cole
MODIFY(1) Frech
NOOP(3) Christey, Foat, Wall
Voter Comments:
Christey> BID:1760
URL:http://www.securityfocus.com/bid/1760
Frech> XF:unitymail-web-dos(1630)
Name: CVE-1999-0929
Description:
Novell NetWare with Novell-HTTP-Server or YAWN web servers allows
remote attackers to conduct a denial of service via a large number of
HTTP GET requests.
Status: Candidate
Phase: Interim (19991229)
Reference: BUGTRAQ:19990616 Novell NetWare webservers DoS
Votes:
ACCEPT(4) Armstrong, Blake, Cole, Stracener
MODIFY(1) Frech
NOOP(1) Baker
Voter Comments:
Frech> XF:novell-webserver-dos(2287)
Name: CVE-1999-0941
Description:
Mutt mail client allows a remote attacker to execute commands via
shell metacharacters.
Status: Candidate
Phase: Proposed (19991222)
Reference: BUGTRAQ:19980728 mutt x.x
Reference: URL:http://marc.theaimsgroup.com/?l=bugtraq&m=90221104526154&w=2
Votes:
ACCEPT(1) Stracener
NOOP(2) Baker, Christey
REJECT(1) Frech
REVIEWING(1) Levy
Voter Comments:
Frech> References are vague, but seem to be identical to CVE-1999-0940
(XF:mutt-text-enriched-mime-bo). According to the references, the malformed
messages consist of metacharacters. In addition, -0941's reference and
-0940's SuSE reference both refer to fixes in 1.0pre3 release. Will
reconsider vote if other clearer references are forthcoming.
Christey> Modify to mention that the metachar's are in the Content-Type header.
http://marc.theaimsgroup.com/?l=bugtraq&m=90221104526154&w=2
Name: CVE-1999-0944
Description:
IBM WebSphere ikeyman tool uses weak encryption to store
a password for a key database that is used for SSL connections.
Status: Candidate
Phase: Proposed (19991222)
Reference: BUGTRAQ:19991024 password leak in IBM WebSphere / HTTP Server / ikeyman
Votes:
ACCEPT(2) Baker, Stracener
MODIFY(1) Frech
NOOP(2) Bollinger, Christey
REVIEWING(1) Levy
Voter Comments:
Frech> XF:websphere-database-pwd-accessible
Christey> ADDREF BID:1763
URL:http://www.securityfocus.com/bid/1763
Name: CVE-1999-0948
Description:
Buffer overflow in uum program for Canna input system allows local
users to gain root privileges.
Status: Candidate
Phase: Proposed (19991222)
Reference: BID:757
Reference: URL:http://www.securityfocus.com/bid/757
Reference: BUGTRAQ:19991102 Some holes for Win/UNIX softwares
Votes:
ACCEPT(2) Levy, Stracener
MODIFY(1) Frech
NOOP(2) Baker, Christey
Voter Comments:
Christey> CVE-1999-0948 and CVE-1999-0949 are extremely similar.
uum (0948) is exploitable through a different set of options
than canuum (0949). If it's the same generic option parsing
routine used by both programs, then CD:SF-CODEBASE says to
merge them. But if it's not, then CD:SF-LOC and CD:SF-EXEC
says to split them. However, this is a prime example of
how SF-EXEC might be modified - uum and canuum are clearly
part of the same package, so in the absence of clear
information, maybe we should merge them.
Frech> XF:canna-uum-bo
Name: CVE-1999-0949
Description:
Buffer overflow in canuum program for Canna input system allows local
users to gain root privileges.
Status: Candidate
Phase: Proposed (19991222)
Reference: BID:757
Reference: URL:http://www.securityfocus.com/bid/757
Reference: BUGTRAQ:19991102 Some holes for Win/UNIX softwares
Votes:
ACCEPT(2) Levy, Stracener
MODIFY(1) Frech
NOOP(2) Baker, Christey
Voter Comments:
Christey> CVE-1999-0948 and CVE-1999-0949 are extremely similar.
uum (0948) is exploitable through a different set of options
than canuum (0949). If it's the same generic option parsing
routine used by both programs, then CD:SF-CODEBASE says to
merge them. But if it's not, then CD:SF-LOC and CD:SF-EXEC
says to split them. However, this is a prime example of
how SF-EXEC might be modified - uum and canuum are clearly
part of the same package, so in the absence of clear
information, maybe we should merge them.
Also review BID:758 and BID:757 - may need to change the BID
here.
Frech> XF:canna-uum-bo
Christey> CHANGEREF BID:757 BID:758
Christey> The following page says that canuum is a "Japanese input tty
frontend for Canna using uum," which suggests that it is, at
the least, a different package, so perhaps this should stay SPLIT.
http://wuarchive.wustl.edu/mirrors/NetBSD/NetBSD-current/pkgsrc/inputmethod/canuum/README.html
Name: CVE-1999-0952
Description:
Buffer overflow in Solaris lpstat via class argument allows local
users to gain root access.
Status: Candidate
Phase: Proposed (19991222)
Reference: BUGTRAQ:19990126 Buffer overflow in Solaris 2.6/2.7 /usr/bin/lpstat
Reference: URL:http://marc.theaimsgroup.com/?l=bugtraq&m=91759216618637&w=2
Votes:
ACCEPT(3) Baker, Ozancin, Stracener
MODIFY(2) Dik, Frech
REVIEWING(1) Christey
Voter Comments:
Frech> XF:solaris-lpstat-bo
Christey> It is unclear from Casper Dik's followup whether this is
exploitable or not.
Dik> Sunbug 4129917
(other reports in the same thread suggest that the then current patchd id
fix the problem)
Christey> Confirm with Casper Dik that the overflow is in the -c option,
and if so, include it in the description to differentiate
it from the lpstat -n buffer overflow.
Name: CVE-1999-0970
Description:
The OmniHTTPD visadmin.exe program allows a remote attacker to conduct
a denial of service via a malformed URL which causes a large number of
temporary files to be created.
Status: Candidate
Phase: Modified (20020226-01)
Reference: BUGTRAQ:19990605 Remote Exploit (Bug) in OmniHTTPd Web Server
Reference: URL:http://www.securityfocus.com/archive/1/14311
Reference: XF:omnihttpd-dos(2271)
Reference: URL:http://xforce.iss.net/static/2271.php
Reference: BID:1808
Reference: URL:http://www.securityfocus.com/bid/1808
Votes:
ACCEPT(3) Baker, Blake, Stracener
MODIFY(1) Frech
NOOP(1) Christey
REVIEWING(1) Levy
Voter Comments:
Frech> XF:omnihttpd-dos
Christey> Some sort of confirmation might be findable at:
http://www.omnicron.ab.ca/httpd/docs/release.html
Christey> See http://www.omnicron.ab.ca/index.html
The August 16, 2000 news item says "This release fixes some
security problems." It's for version 2.07, but the discloser
didn't say what version was available.
Other security fixes are in the release notes at
http://www.omnicron.ab.ca/httpd/docs/release.html Notes for
Professional Version 1.01 say "Patched up two security weaknesses."
Notes for version 2.07 say "Fixes dot-appending vulnerability."
Professional Alpha 7 says "Revamped CGI launching and security,"
Professional Alpha 4 says "Fixed SSI path mapping and security
problems," Alpha 5 says "Security fixup."
In other words, you can't tell whether they've fixed this bug
or not.
Christey> BID:1808
URL:http://www.securityfocus.com/bid/1808
Name: CVE-1999-0983
Description:
Whois Internic Lookup program whois.cgi allows remote attackers to
execute commands via shell metacharacters in the domain entry.
Status: Candidate
Phase: Proposed (19991214)
Reference: BUGTRAQ:19991109 Whois.cgi - ADVISORY.
Votes:
ACCEPT(3) Blake, Cole, Stracener
MODIFY(1) Frech
NOOP(1) Baker
REVIEWING(1) Christey
Voter Comments:
Christey> More examination is required to determine if CVE-1999-0983,
CVE-1999-0984, or CVE-1999-0985 are the same codebase.
Frech> XF:whois-internic-shell-meta
Christey> ADDREF BID:2000
Christey> The XF appears to be gone. Perhaps it's this one:
XF:http-cgi-whois-meta(3798)
Name: CVE-1999-0984
Description:
Matt's Whois program whois.cgi allows remote attackers to
execute commands via shell metacharacters in the domain entry.
Status: Candidate
Phase: Proposed (19991214)
Reference: BUGTRAQ:19991109 Whois.cgi - ADVISORY.
Votes:
ACCEPT(2) Blake, Stracener
MODIFY(1) Frech
NOOP(2) Baker, Cole
REVIEWING(1) Christey
Voter Comments:
Cole> How is this different than the previous?
Christey> More examination is required to determine if CVE-1999-0983,
CVE-1999-0984, or CVE-1999-0985 are the same codebase.
Frech> XF:matts-whois-meta
Christey> ADDREF BID:2000
Christey> XF reference is gone. Replace with http-cgi-matts-whois-meta(3799) ?
Name: CVE-1999-0985
Description:
CC Whois program whois.cgi allows remote attackers to execute commands
via shell metacharacters in the domain entry.
Status: Candidate
Phase: Proposed (19991214)
Reference: BUGTRAQ:19991109 Whois.cgi - ADVISORY.
Votes:
ACCEPT(2) Blake, Stracener
MODIFY(1) Frech
NOOP(2) Baker, Cole
REVIEWING(1) Christey
Voter Comments:
Cole> I would combine all of these.
Christey> More examination is required to determine if CVE-1999-0983,
CVE-1999-0984, or CVE-1999-0985 are the same codebase.
Frech> XF:cc-whois-meta
Christey> ADDREF BID:2000
Frech> Change cc-whois-meta(3800) to http-cgi-ccwhois(3747)
Christey> Replace XF reference with XF:cc-whois-meta(3800) ?
Name: CVE-1999-0988
Description:
UnixWare pkgtrans allows local users to read arbitrary files via a
symlink attack.
Status: Candidate
Phase: Modified (20000121-01)
Reference: BUGTRAQ:19991204 UnixWare pkg* command exploits
Reference: BUGTRAQ:19991215 Recent postings about SCO UnixWare 7
Reference: BUGTRAQ:19991223 FYI, SCO Security patches available.
Reference: BUGTRAQ:19991220 SCO OpenServer Security Status
Votes:
ACCEPT(3) Baker, Blake, Cole
MODIFY(1) Frech
RECAST(1) Stracener
REVIEWING(1) Christey
Voter Comments:
Stracener> The pkg* programs pkgtrans, pkginfo, pkgcat, pkginstall, and pkgparam
can be used to mount etc/shadow printing attacks as a result of the
"dacread" permission (cf. /etc/security/tcb/privs). The procedural
differences between the individual exploits for each of these utilities
are therefore inconsequential. CVE-1999-0988 should be merged with
CVE-1999-0828. From the standpoint of maintaining consistency of the
level of abstraction used in CVE, the co-existence of CANS
1999-0988/1999-0828 present two choices: either merge 0988 with 0828, or
split 0828 into 4 distinct candidates, keeping 0988 intact. Due to the
very small differences (in principle) between the exploits subsumed by
0828 and 0988 and the shared dacread permissions of the pkg* suite, I
suggest a merge. Below is a summary of the data upon which my decision
was based.
utility exploit
-------- ----------------------------------
pkgtrans --> symlink + dacread permission prob
pkginfo --> truss (debugging utility) in conjunction with pkginfio -d
etc/shadow. In this case, it captures the interaction between
pkginfo the shadow file. Once again: dacread.
pkgcat --> buffer overflow + dacread permission prob
pkginstall -> buffer overflow + dacread permission prob
pkgparam --> -f etc/shadow (works because of dacread).
Christey> This is a tough one. While there are few procedural
differences, one could view "assignment of an improper
permission" as a "class" of problems along the lines of
buffer overflows and the like. Just like some programs
were fine until they got turned into CGI scripts, this
could be an emerging pattern which should be given
consideration. Consider the Eyedog and scriptlet.typelib
ActiveX utilities being marked as safe for scripting
(CVE-1999-0668 and 0669).
ftp://ftp.sco.com/SSE/security_bulletins/SB-99.28a loosely
alludes to this problem; the README for patch SSE053
effectively confirms it.
Frech> XF:unixware-pkgtrans-symlink
Name: CVE-1999-0990
Description:
Error messages generated by gdm with the VerboseAuth setting allows an
attacker to identify valid users on a system.
Status: Candidate
Phase: Interim (19991229)
Reference: BUGTRAQ:19991205 gdm thing
Votes:
ACCEPT(3) Blake, Cole, Stracener
MODIFY(1) Frech
NOOP(1) Baker
Voter Comments:
Frech> XF:verbose-auth-identify-user(3804)
Name: CVE-1999-0993
Description:
Modifications to ACLs (Access Control Lists) in Microsoft Exchange
5.5 do not take effect until the directory store cache is refreshed.
Status: Candidate
Phase: Proposed (19991222)
Reference: NTBUGTRAQ:19991213 Changing ACL's in Exchange Server
Votes:
ACCEPT(2) Stracener, Wall
MODIFY(1) Frech
NOOP(2) Baker, Cole
REJECT(1) LeBlanc
Voter Comments:
Frech> XF:exchange-acl-changes(3916)
LeBlanc> Not a vulnerability
Name: CVE-1999-1002
Description:
Netscape Navigator uses weak encryption for storing a user's Netscape
mail password.
Status: Candidate
Phase: Modified (20030619-01)
Reference: MISC:http://www.rstcorp.com/news/bad-crypto.html
Reference: BUGTRAQ:19991216 Reinventing the wheel (aka "Decoding Netscape Mail passwords")
Reference: URL:http://marc.theaimsgroup.com/?l=bugtraq&m=94536309217214&w=2
Reference: BUGTRAQ:19991220 Netscape password scrambling
Reference: URL:http://marc.theaimsgroup.com/?l=bugtraq&m=94570673523998&w=2
Votes:
ACCEPT(4) Baker, Cole, Stracener, Wall
MODIFY(1) Frech
NOOP(1) Christey
Voter Comments:
Frech> XF:netscape-mail-encryption(3921)
Christey> CHANGEREF make the RCA URL a "MISC" reference
Name: CVE-1999-1003
Description:
War FTP Daemon 1.70 allows remote attackers to cause a denial of
service by flooding it with connections.
Status: Candidate
Phase: Proposed (19991222)
Reference: BUGTRAQ:19991214 Local / Remote D.o.S Attack in War FTP Daemon 1.70 Vulnerability
Reference: BUGTRAQ:19991216 Statement: Local / Remote D.o.S Attack in War FTP Daemon 1.70
Votes:
ACCEPT(3) Baker, Cole, Stracener
MODIFY(1) Frech
NOOP(1) Wall
Voter Comments:
Frech> XF:warftp-connection-flood
Name: CVE-1999-1006
Description:
Groupwise web server GWWEB.EXE allows remote attackers to determine
the real path of the web server via the HELP parameter.
Status: Candidate
Phase: Proposed (19991222)
Reference: BUGTRAQ:19991219 Groupewise Web Interface
Reference: URL:http://marc.theaimsgroup.com/?l=bugtraq&m=94571433731824&w=2
Votes:
ACCEPT(4) Baker, Cole, Prosser, Stracener
MODIFY(1) Frech
NOOP(2) Christey, Wall
Voter Comments:
Frech> XF:groupwise-web-path
Prosser> Pretty well confirmed by testing with responses to BugTraq list.
additional ref: BugTraq ID 879 http://www.securityfocus.com/bid/879
Christey> A later discovery almost 2 years later is at:
BUGTRAQ:20020227 SecurityOffice Security Advisory:// Novell
GroupWise Web Access Path Disclosure Vulnerability
http://marc.theaimsgroup.com/?l=bugtraq&m=101494830315071&w=2
CD:SF-LOC might suggest merging these together.
Name: CVE-1999-1009
Description:
The Disney Go Express Search allows remote attackers to access and
modify search information for users by connecting to an HTTP server on
the user's system.
Status: Candidate
Phase: Proposed (19991222)
Reference: BUGTRAQ:19991213 Privacy hole in Go Express Search
Votes:
ACCEPT(1) Baker
MODIFY(1) Frech
NOOP(4) Balinsky, Cole, Stracener, Wall
Voter Comments:
Frech> XF:disney-search-info(3955)
Balinsky> The go.express.com web site does not mention the existence of the Express web server mentioned in the advisory. There appears to be no way of verifying this.
Name: CVE-1999-1012
Description:
SMTP component of Lotus Domino 4.6.1 on AS/400, and possibly other
operating systems, allows a remote attacker to crash the mail server
via a long string.
Status: Candidate
Phase: Proposed (20010912)
Reference: BUGTRAQ:19990504 AS/400
Reference: URL:http://www.securityfocus.com/archive/1/13527
Reference: BID:173
Reference: URL:http://www.securityfocus.com/bid/173
Votes:
ACCEPT(1) Cole
MODIFY(1) Frech
NOOP(2) Foat, Wall
Voter Comments:
Frech> (Task 1770)
CHANGE> [Frech changed vote from REVIEWING to MODIFY]
Frech> XF:lotus-domino-smtp-dos(8790)
Name: CVE-1999-1013
Description:
named-xfer in AIX 4.1.5 and 4.2.1 allows members of the system group
to overwrite system files to gain root access via the -f parameter and
a malformed zone file.
Status: Candidate
Phase: Proposed (20010912)
Reference: BID:673
Reference: URL:http://www.securityfocus.com/bid/673
Reference: BUGTRAQ:19990923 named-xfer hole on AIX (fwd)
Reference: URL:http://marc.theaimsgroup.com/?l=bugtraq&m=93837026726954&w=2
Votes:
MODIFY(1) Frech
NOOP(3) Cole, Foat, Wall
Voter Comments:
Frech> XF:aix-named-xfer-root-access(3308)
Name: CVE-1999-1015
Description:
Buffer overflow in Apple AppleShare Mail Server 5.0.3 on MacOS 8.1 and
earlier allows a remote attacker to cause a denial of service (crash)
via a long HELO command.
Status: Candidate
Phase: Proposed (20010912)
Reference: BUGTRAQ:19980408 AppleShare IP Mail Server
Reference: URL:http://marc.theaimsgroup.com/?l=bugtraq&m=89200657216213&w=2
Reference: BID:61
Reference: URL:http://www.securityfocus.com/bid/61
Votes:
MODIFY(1) Frech
NOOP(3) Cole, Foat, Wall
Voter Comments:
Frech> XF:smtp-helo-bo(886)
Name: CVE-1999-1016
Description:
Microsoft HTML control as used in (1) Internet Explorer 5.0, (2)
FrontPage Express, (3) Outlook Express 5, and (4) Eudora, and possibly
others, allows remote malicious web site or HTML emails to cause a
denial of service (100% CPU consumption) via large HTML form fields
such as text inputs in a table cell.
Status: Candidate
Phase: Modified (20040811)
Reference: NTBUGTRAQ:19990827 HTML code to crash IE5 and Outlook Express 5
Reference: URL:http://marc.theaimsgroup.com/?l=ntbugtraq&m=93578772920970&w=2
Reference: BID:606
Reference: URL:http://www.securityfocus.com/bid/606
Votes:
ACCEPT(2) Cole, Wall
MODIFY(1) Frech
NOOP(2) Christey, Foat
Voter Comments:
Frech> XF:ms-html-table-form-dos(3246)
Frech> XF:ms-html-table-form-dos(3246)
Christey> Add period to the end of the description.
Name: CVE-1999-1017
Description:
Seattle Labs Emurl 2.0, and possibly earlier versions, stores e-mail
attachments in a specific directory with scripting enabled, which
allows a malicious ASP file attachment to execute when the recipient
opens the message.
Status: Candidate
Phase: Proposed (20010912)
Reference: NTBUGTRAQ:19990728 Seattle Labs EMURL Vulnerability
Reference: URL:http://marc.theaimsgroup.com/?l=ntbugtraq&m=93316253431588&w=2
Reference: BID:544
Reference: URL:http://www.securityfocus.com/bid/544
Votes:
MODIFY(1) Frech
NOOP(3) Cole, Foat, Wall
Voter Comments:
Frech> (Task 2281)
CHANGE> [Frech changed vote from REVIEWING to MODIFY]
Frech> XF:emurl-attachment-execution(8794)
Name: CVE-1999-1018
Description:
IPChains in Linux kernels 2.2.10 and earlier does not reassemble IP
fragments before checking the header information, which allows a
remote attacker to bypass the filtering rules using several fragments
with 0 offsets.
Status: Candidate
Phase: Proposed (20010912)
Reference: BUGTRAQ:19990727 Linux 2.2.10 ipchains Advisory
Reference: URL:http://marc.theaimsgroup.com/?l=bugtraq&m=93312523904591&w=2
Reference: BID:543
Reference: URL:http://www.securityfocus.com/bid/543
Votes:
ACCEPT(1) Cole
MODIFY(1) Frech
NOOP(2) Foat, Wall
Voter Comments:
Frech> XF:linux-ipchains-bypass-filter(6516)
Frech> XF:linux-ipchains-bypass-filter(6516)
Name: CVE-1999-1020
Description:
The installation of Novell Netware NDS 5.99 provides an
unauthenticated client with Read access for the tree, which allows
remote attackers to access sensitive information such as users,
groups, and readable objects via CX.EXE and NLIST.EXE.
Status: Candidate
Phase: Proposed (20010912)
Reference: BUGTRAQ:19980918 NMRC Advisory - Default NDS Rights
Reference: URL:http://marc.theaimsgroup.com/?l=bugtraq&m=90613355902262&w=2
Reference: BID:484
Reference: URL:http://www.securityfocus.com/bid/484
Reference: XF:novell-nds(1364)
Reference: URL:http://xforce.iss.net/static/1364.php
Votes:
ACCEPT(2) Cole, Frech
NOOP(2) Foat, Wall
Name: CVE-1999-1022
Description:
serial_ports administrative program in IRIX 4.x and 5.x trusts the
user's PATH environmental variable to find and execute the ls program,
which allows local users to gain root privileges via a Trojan horse ls
program.
Status: Candidate
Phase: Proposed (20010912)
Reference: BUGTRAQ:19941002
Reference: URL:http://www.securityfocus.com/archive/1/930
Reference: XF:sgi-serialports(2111)
Reference: URL:http://xforce.iss.net/static/2111.php
Reference: BID:464
Reference: URL:http://www.securityfocus.com/bid/464
Votes:
ACCEPT(2) Cole, Frech
NOOP(2) Christey, Foat
Voter Comments:
Christey> Note: CVE-1999-1310 is a duplicate of this candidate.
CVE-1999-1310 will be REJECTed; this is the proper CAN to use.
CIAC:F-01
URL:http://ciac.llnl.gov/ciac/bulletins/f-01.shtml
SGI:19941001-01-P
URL:ftp://patches.sgi.com/support/free/security/advisories/19941001-01-P
MISC:http://www.netsys.com/firewalls/firewalls-9410/0019.html
Name: CVE-1999-1023
Description:
useradd in Solaris 7.0 does not properly interpret certain date
formats as specified in the "-e" (expiration date) argument, which
could allow users to login after their accounts have expired.
Status: Candidate
Phase: Proposed (20010912)
Reference: BUGTRAQ:19990610 Sun Useradd program expiration date bug
Reference: URL:http://marc.theaimsgroup.com/?l=bugtraq&m=92904175406756&w=2
Reference: BID:426
Reference: URL:http://www.securityfocus.com/bid/426
Votes:
ACCEPT(1) Dik
MODIFY(1) Frech
NOOP(3) Cole, Foat, Wall
Voter Comments:
Dik> sun bug: 4222400
Frech> XF:solaris-useradd-expired-accounts(8375)
CONFIRM:(2.6)110883-01, (2.6_x86) 110884-01, (7)110869-01,
(7_x86) 110870-01
Name: CVE-1999-1024
Description:
ip_print procedure in Tcpdump 3.4a allows remote attackers to cause a
denial of service via a packet with a zero length header, which causes
an infinite loop and core dump when tcpdump prints the packet.
Status: Candidate
Phase: Proposed (20010912)
Reference: BUGTRAQ:19990616 tcpdump 3.4 bug?
Reference: URL:http://marc.theaimsgroup.com/?l=bugtraq&m=92955903802773&w=2
Reference: BUGTRAQ:19990617 Re: tcpdump 3.4 bug?
Reference: URL:http://marc.theaimsgroup.com/?l=bugtraq&m=92963447601748&w=2
Reference: BUGTRAQ:19990620 Re: tcpdump 3.4 bug? (final)
Reference: URL:http://marc.theaimsgroup.com/?l=bugtraq&m=92989907627051&w=2
Reference: BID:313
Reference: URL:http://www.securityfocus.com/bid/313
Votes:
ACCEPT(1) Cole
MODIFY(1) Frech
NOOP(2) Foat, Wall
Voter Comments:
Frech> XF:tcpdump-ipprint-dos(8373)
Name: CVE-1999-1025
Description:
CDE screen lock program (screenlock) on Solaris 2.6 does not properly
lock an unprivileged user's console session when the host is an NIS+
client, which allows others with physical access to login with any
string.
Status: Candidate
Phase: Proposed (20010912)
Reference: BUGTRAQ:19981012 Annoying Solaris/CDE/NIS+ bug
Reference: URL:http://marc.theaimsgroup.com/?l=bugtraq&m=90831127921062&w=2
Reference: SUNBUG:4115685
Reference: URL:http://sunsolve.Sun.COM/pub-cgi/retrieve.pl?doc=fpatches%2F106027&zone_32=411568%2A%20
Reference: BID:294
Reference: URL:http://www.securityfocus.com/bid/294
Votes:
ACCEPT(4) Cole, Dik, Foat, Stracener
MODIFY(1) Frech
Voter Comments:
Frech> XF:solaris-cde-nisplus-lock(7473)
Dik> sun bug: 4115685
Name: CVE-1999-1026
Description:
aspppd on Solaris 2.5 x86 allows local users to modify arbitrary files
and gain root privileges via a symlink attack on the /tmp/.asppp.fifo
file.
Status: Candidate
Phase: Proposed (20010912)
Reference: BUGTRAQ:19961220 Solaris 2.5 x86 aspppd (semi-exploitable-hole)
Reference: URL:http://marc.theaimsgroup.com/?l=bugtraq&m=87602167420343&w=2
Reference: BID:292
Reference: URL:http://www.securityfocus.com/bid/292
Votes:
ACCEPT(1) Cole
MODIFY(1) Frech
NOOP(1) Foat
Voter Comments:
Frech> XF:sun-aspppd-tmp-symlink(7173)
Name: CVE-1999-1029
Description:
SSH server (sshd2) before 2.0.12 does not properly record login
attempts if the connection is closed before the maximum number of
tries, allowing a remote attacker to guess the password without
showing up in the audit logs.
Status: Candidate
Phase: Proposed (20010912)
Reference: BUGTRAQ:19990513 - J.J.F. / Hackers Team warns for SSHD 2.x brute force password hacking
Reference: URL:http://marc.theaimsgroup.com/?l=bugtraq&m=92663402004280&w=2
Reference: BID:277
Reference: URL:http://www.securityfocus.com/bid/277
Reference: XF:ssh2-bruteforce(2193)
Reference: URL:http://xforce.iss.net/static/2193.php
Votes:
ACCEPT(2) Cole, Frech
NOOP(2) Foat, Wall
Name: CVE-1999-1030
Description:
counter.exe 2.70 allows a remote attacker to cause a denial of
service (hang) via an HTTP request that ends in %0A (newline), which
causes a malformed entry in the counter log that produces an access
violation.
Status: Candidate
Phase: Proposed (20010912)
Reference: BUGTRAQ:19990519 Denial of Service in Counter.exe version 2.70
Reference: URL:http://marc.theaimsgroup.com/?l=bugtraq&m=92713790426690&w=2
Reference: NTBUGTRAQ:19990519 Denial of Service in Counter.exe version 2.70
Reference: URL:http://marc.theaimsgroup.com/?l=ntbugtraq&m=92707671717292&w=2
Reference: BID:267
Reference: URL:http://www.securityfocus.com/bid/267
Votes:
MODIFY(1) Frech
NOOP(3) Cole, Foat, Wall
Voter Comments:
Frech> XF:http-cgi-counter-long(2196)
Frech> XF:http-cgi-counter-long(2196)
Name: CVE-1999-1031
Description:
counter.exe 2.70 allows a remote attacker to cause a denial of service
(hang) via a long argument.
Status: Candidate
Phase: Proposed (20010912)
Reference: BUGTRAQ:19990519 Denial of Service in Counter.exe version 2.70
Reference: URL:http://marc.theaimsgroup.com/?l=bugtraq&m=92713790426690&w=2
Reference: NTBUGTRAQ:19990519 Denial of Service in Counter.exe version 2.70
Reference: URL:http://marc.theaimsgroup.com/?l=ntbugtraq&m=92707671717292&w=2
Reference: BID:267
Reference: URL:http://www.securityfocus.com/bid/267
Votes:
MODIFY(1) Frech
NOOP(3) Cole, Foat, Wall
Voter Comments:
Frech> XF:http-cgi-counter-long(2196)
Frech> XF:http-cgi-counter-long(2196)
Name: CVE-1999-1033
Description:
Microsoft Outlook Express before 4.72.3612.1700 allows a malicious
user to send a message that contains a .., which can inadvertently
cause Outlook to re-enter POP3 command mode and cause the POP3 session
to hang.
Status: Candidate
Phase: Proposed (20010912)
Reference: BUGTRAQ:19990511 Outlook Express Win98 bug
Reference: URL:http://marc.theaimsgroup.com/?l=bugtraq&m=92647407427342&w=2
Reference: BUGTRAQ:19990512 Outlook Express Win98 bug, addition.
Reference: URL:http://marc.theaimsgroup.com/?l=bugtraq&m=92663402004275&w=2
Reference: BID:252
Reference: URL:http://www.securityfocus.com/bid/252
Votes:
ACCEPT(2) Cole, Wall
MODIFY(1) Frech
NOOP(1) Foat
Voter Comments:
Frech> (Task 2241)
CHANGE> [Frech changed vote from REVIEWING to MODIFY]
Frech> XF:outlook-pop3-dot-dos(8926)
Name: CVE-1999-1036
Description:
COPS 1.04 allows local users to overwrite or create arbitrary files
via a symlink attack on temporary files in (1) res_diff, (2) ca.src,
and (3) mail.chk.
Status: Candidate
Phase: Proposed (20010912)
Reference: BUGTRAQ:19980626 vulnerability in satan, cops & tiger
Reference: URL:http://marc.theaimsgroup.com/?l=bugtraq&m=90221103125976&w=2
Votes:
ACCEPT(1) Foat
MODIFY(1) Frech
NOOP(2) Cole, Wall
Voter Comments:
Frech> XF:cops-temp-file-symlink(7325)
Name: CVE-1999-1038
Description:
Tiger 2.2.3 allows local users to overwrite arbitrary files via a
symlink attack on various temporary files in Tiger's default working
directory, as defined by the WORKDIR variable.
Status: Candidate
Phase: Proposed (20010912)
Reference: BUGTRAQ:19980626 vulnerability in satan, cops & tiger
Reference: URL:http://marc.theaimsgroup.com/?l=bugtraq&m=90221103125976&w=2
Votes:
ACCEPT(1) Foat
MODIFY(1) Frech
NOOP(2) Cole, Wall
Voter Comments:
Frech> XF:tiger-workdir-symlink(7326)
Name: CVE-1999-1039
Description:
Vulnerability in (1) diskalign and (2) diskperf in IRIX 6.4 patches
2291 and 2848 allow a local user to create root-owned files leading to
a root compromise.
Status: Candidate
Phase: Proposed (20010912)
Reference: SGI:19980502-01-P3030
Reference: URL:ftp://patches.sgi.com/support/free/security/advisories/19980502-01-P3030
Votes:
ACCEPT(3) Cole, Foat, Stracener
REJECT(1) Frech
Name: CVE-1999-1040
Description:
Vulnerabilities in (1) ipxchk and (2) ipxlink in NetWare Client 1.0 on
IRIX 6.3 and 6.4 allows local users to gain root access via a modified
IFS environmental variable.
Status: Candidate
Phase: Proposed (20010912)
Reference: BUGTRAQ:19980408 SGI O2 ipx security issue
Reference: URL:http://marc.theaimsgroup.com/?l=bugtraq&m=89217373930054&w=2
Reference: SGI:19980501-01-P
Reference: URL:ftp://patches.sgi.com/support/free/security/advisories/19980501-01-P2869
Reference: CIAC:I-055
Reference: URL:http://ciac.llnl.gov/ciac/bulletins/i-055.shtml
Votes:
ACCEPT(3) Cole, Foat, Stracener
NOOP(1) Christey
REJECT(1) Frech
Voter Comments:
Christey> This candidate and CVE-1999-1501 are duplicates. However,
CVE-1999-1501 will be REJECTed in favor of this candidate.
Add the following references:
BID:70
URL:http://www.securityfocus.com/bid/70
BID:71
URL:http://www.securityfocus.com/bid/71
XF:irix-ipxchk-ipxlink-ifs-commands(7365)
URL:http://xforce.iss.net/static/7365.php
Name: CVE-1999-1041
Description:
Buffer overflow in mscreen on SCO OpenServer 5.0 and SCO UNIX 3.2v4
allows a local user to gain root access via (1) a long TERM
environmental variable and (2) a long entry in the .mscreenrc file.
Status: Candidate
Phase: Proposed (20010912)
Reference: BUGTRAQ:19980827 SCO mscreen vul.
Reference: URL:http://www.securityfocus.com/archive/1/10420
Reference: BUGTRAQ:19980926 Root exploit for SCO OpenServer.
Reference: URL:http://marc.theaimsgroup.com/?l=bugtraq&m=90686250717719&w=2
Reference: SCO:SB-98.05a
Reference: URL:ftp://ftp.sco.com/SSE/security_bulletins/SB-98.05a
Reference: CERT:VB-98.10
Reference: URL:http://www.cert.org/vendor_bulletins/VB-98.10.sco.mscreen
Votes:
ACCEPT(3) Cole, Foat, Stracener
MODIFY(1) Frech
NOOP(1) Wall
REVIEWING(1) Christey
Voter Comments:
Frech> XF:sco-openserver-mscreen-bo(1379)
Christey> Possible dupe with CVE-1999-1185.
Name: CVE-1999-1042
Description:
Cisco Resource Manager (CRM) 1.0 and 1.1 creates world-readable log
files and temporary files, which may expose sensitive information, to
local users such as user IDs, passwords and SNMP community strings.
Status: Candidate
Phase: Proposed (20010912)
Reference: CISCO:19980813 CRM Temporary File Vulnerability
Reference: URL:http://www.cisco.com/warp/public/770/crmtmp-pub.shtml
Votes:
ACCEPT(3) Cole, Foat, Stracener
MODIFY(1) Frech
NOOP(1) Wall
REJECT(3) Armstrong, Balinsky, Christey
Voter Comments:
Frech> XF:cisco-crm-file-vuln(1575)
Armstrong> I think that this is the same as Can-1999-1126
Balinsky> This is the same as CVE-1999-1126. Merge them.
Christey> DUPE CVE-1999-1126, as noted by others.
This candidate will be rejected. CVE-1999-1126 will be
promoted.
Name: CVE-1999-1043
Description:
Microsoft Exchange Server 5.5 and 5.0 does not properly handle (1)
malformed NNTP data, or (2) malformed SMTP data, which allows remote
attackers to cause a denial of service (application error).
Status: Candidate
Phase: Proposed (20010912)
Reference: MS:MS98-007
Reference: URL:http://www.microsoft.com/technet/security/bulletin/ms98-007.asp
Votes:
ACCEPT(3) Cole, Foat, Wall
MODIFY(1) Frech
Voter Comments:
Frech> XF:exchange-dos(1223)
Name: CVE-1999-1046
Description:
Buffer overflow in IMonitor in IMail 5.0 allows remote attackers to
cause a denial of service, and possibly execute arbitrary commands,
via a long string to port 8181.
Status: Candidate
Phase: Proposed (20010912)
Reference: BUGTRAQ:19990302 Multiple IMail Vulnerabilites
Reference: URL:http://marc.theaimsgroup.com/?l=bugtraq&m=92038879607336&w=2
Reference: BID:504
Reference: URL:http://www.securityfocus.com/bid/504
Reference: XF:imail-imonitor-overflow(1897)
Reference: URL:http://xforce.iss.net/static/1897.php
Votes:
ACCEPT(2) Cole, Frech
NOOP(2) Foat, Wall
Name: CVE-1999-1049
Description:
ARCserve NT agents use weak encryption (XOR) for passwords, which
allows remote attackers to sniff the authentication request to port
6050 and decrypt the password.
Status: Candidate
Phase: Proposed (20010912)
Reference: BUGTRAQ:19990222 Severe Security Hole in ARCserve NT agents (fwd)
Reference: URL:http://marc.theaimsgroup.com/?l=bugtraq&m=91972006211238&w=2
Votes:
MODIFY(1) Frech
NOOP(3) Cole, Foat, Wall
Voter Comments:
Frech> XF:arcserve-agent-passwords(1822)
Name: CVE-1999-1050
Description:
Directory traversal vulnerability in Matt Wright FormHandler.cgi
script allows remote attackers to read arbitrary files via (1) a ..
(dot dot) in the reply_message_attach attachment parameter, or (2) by
specifying the filename as a template.
Status: Candidate
Phase: Proposed (20010912)
Reference: BUGTRAQ:19991112 FormHandler.cgi
Reference: URL:http://www.securityfocus.com/archive/1/34600
Reference: BUGTRAQ:19991116 Re: FormHandler.cgi
Reference: URL:http://www.securityfocus.com/archive/1/34939
Reference: BID:798
Reference: URL:http://www.securityfocus.com/bid/798
Reference: BID:799
Reference: URL:http://www.securityfocus.com/bid/799
Reference: XF:formhandler-cgi-absolute-path(3550)
Reference: URL:http://xforce.iss.net/static/3550.php
Votes:
ACCEPT(1) Frech
NOOP(3) Cole, Foat, Wall
REVIEWING(1) Christey
Voter Comments:
Christey> Abstraction and definition issue: CD:SF-LOC suggests combining
issues of the same type. Some people refer to "directory
traversal" and just mean .. problems; but there are other
issues (specifying an absolute pathname, using C: drive
letters, doing encodings) that, to my way of thinking, are
"different." Perhaps this should be split.
My brain hurts too much right now. There are a couple
problems with the references and descriptions of CVE-1999-1050
and CVE-1999-1051. I'm interpreting the underlying nature
of the problem(s) a little differently than others are.
Some of it may be due to differing definitions or thoughts
about what "directory traversal vulnerabilities" are.
Name: CVE-1999-1051
Description:
Default configuration in Matt Wright FormHandler.cgi script allows
arbitrary directories to be used for attachments, and only restricts
access to the /etc/ directory, which allows remote attackers to read
arbitrary files via the reply_message_attach attachment parameter.
Status: Candidate
Phase: Proposed (20010912)
Reference: BUGTRAQ:19991116 Re: FormHandler.cgi
Reference: URL:http://www.securityfocus.com/archive/1/34939
Votes:
MODIFY(1) Frech
NOOP(3) Cole, Foat, Wall
REVIEWING(1) Christey
Voter Comments:
Frech> XF:formhandler-cgi-reply-message(7782)
Christey> I view one of these as a configuration issue: FormHandler.cgi
*could* be configured to limit hard-coded pathnames to a single
directory which, while being an information leak, would still be
"reasonably secure." But by default, it's just not configured that
way.
My brain hurts too much right now. There are a couple
problems with the references and descriptions of CVE-1999-1050
and CVE-1999-1051. I'm interpreting the underlying nature
of the problem(s) a little differently than others are.
Some of it may be due to differing definitions or thoughts
about what "directory traversal vulnerabilities" are.
Name: CVE-1999-1052
Description:
Microsoft FrontPage stores form results in a default location in
/_private/form_results.txt, which is world-readable and accessible in
the document root, which allows remote attackers to read possibly
sensitive information submitted by other users.
Status: Candidate
Phase: Proposed (20010912)
Reference: BUGTRAQ:19990824 Front Page form_results
Reference: URL:http://marc.theaimsgroup.com/?l=bugtraq&m=93582550911564&w=2
Votes:
ACCEPT(1) Wall
MODIFY(1) Frech
NOOP(2) Cole, Foat
Voter Comments:
Frech> XF:frontpage-formresults-world-readable(8362)
Name: CVE-1999-1053
Description:
guestbook.pl cleanses user-inserted SSI commands by removing text
between "<!--" and "-->" separators, which allows remote attackers to
execute arbitrary commands when guestbook.pl is run on Apache 1.3.9
and possibly other versions, since Apache allows other closing
sequences besides "-->".
Status: Candidate
Phase: Proposed (20010912)
Reference: VULN-DEV:19990913 Guestbook perl script (long)
Reference: URL:http://www.securityfocus.com/archive/82/27296
Reference: VULN-DEV:19990916 Re: Guestbook perl script (error fix)
Reference: URL:http://www.securityfocus.com/archive/82/27560
Reference: BUGTRAQ:19991105 Guestbook.pl, sloppy SSI handling in Apache? (VD#2)
Reference: URL:http://www.securityfocus.com/archive/1/33674
Reference: BID:776
Reference: URL:http://www.securityfocus.com/bid/776
Votes:
MODIFY(1) Frech
NOOP(3) Cole, Foat, Wall
Voter Comments:
Frech> XF:guestbook-cgi-command-execution(7783)
Name: CVE-1999-1054
Description:
The default configuration of FLEXlm license manager 6.0d, and possibly
other versions, allows remote attackers to shut down the server via
the lmdown command.
Status: Candidate
Phase: Proposed (20010912)
Reference: BUGTRAQ:19980925 Globetrotter FlexLM 'lmdown' bogosity
Reference: URL:http://marc.theaimsgroup.com/?l=bugtraq&m=90675672323825&w=2
Votes:
ACCEPT(1) Cole
NOOP(2) Foat, Wall
Name: CVE-1999-1056
Description:
** REJECT **
DO NOT USE THIS CANDIDATE NUMBER. ConsultIDs: CVE-1999-1395. Reason:
This candidate is a duplicate of CVE-1999-1395. Notes: All CVE users
should reference CVE-1999-1395 instead of this candidate. All
references and descriptions in this candidate have been removed to
prevent accidental usage.
Status: Candidate
Phase: Modified (20050204)
Votes:
ACCEPT(3) Cole, Foat, Stracener
MODIFY(1) Frech
NOOP(1) Wall
REJECT(1) Christey
Voter Comments:
Frech> XF:vms-monitor-gain-privileges(7136)
Christey> DUPE CVE-1999-1395
This CAN is being rejected in favor of CVE-1999-1395 because
CVE-1999-1395 has more references.
Name: CVE-1999-1058
Description:
Buffer overflow in Vermillion FTP Daemon VFTPD 1.23 allows remote
attackers to cause a denial of service, and possibly execute arbitrary
commands, via several long CWD commands.
Status: Candidate
Phase: Proposed (20010912)
Reference: NTBUGTRAQ:19991122 Remote DoS Attack in Vermillion FTP Daemon (VFTPD) v1.23 Vulnerability
Reference: URL:http://marc.theaimsgroup.com/?l=ntbugtraq&m=94337185023159&w=2
Reference: BUGTRAQ:19991122 Remote DoS Attack in Vermillion FTP Daemon (VFTPD) v1.23 Vulnerability
Reference: URL:http://marc.theaimsgroup.com/?l=bugtraq&m=94329968617085&w=2
Reference: XF:vermillion-ftp-cwd-overflow(3543)
Reference: URL:http://xforce.iss.net/static/3543.php
Reference: BID:818
Reference: URL:http://www.securityfocus.com/bid/818
Votes:
ACCEPT(2) Cole, Frech
NOOP(2) Foat, Wall
Name: CVE-1999-1060
Description:
Buffer overflow in Tetrix TetriNet daemon 1.13.16 allows remote
attackers to cause a denial of service and possibly execute arbitrary
commands by connecting to port 31457 from a host with a long DNS
hostname.
Status: Candidate
Phase: Proposed (20010912)
Reference: BUGTRAQ:19990217 Tetrix 1.13.16 is Vulnerable
Reference: URL:http://marc.theaimsgroup.com/?l=bugtraq&m=91937090211855&w=2
Reference: BID:340
Reference: URL:http://www.securityfocus.com/bid/340
Votes:
MODIFY(1) Frech
NOOP(3) Cole, Foat, Wall
Voter Comments:
Frech> XF:tetrinet-dns-hostname-bo(7500)
Name: CVE-1999-1061
Description:
HP Laserjet printers with JetDirect cards, when configured with
TCP/IP, can be configured without a password, which allows remote
attackers to connect to the printer and change its IP address or
disable logging.
Status: Candidate
Phase: Proposed (20010912)
Reference: BUGTRAQ:19971004 HP Laserjet 4M Plus DirectJet Problem
Reference: URL:http://marc.theaimsgroup.com/?l=bugtraq&m=87602248518480&w=2
Reference: XF:laserjet-unpassworded(1876)
Reference: URL:http://xforce.iss.net/static/1876.php
Votes:
ACCEPT(2) Cole, Frech
NOOP(1) Foat
Voter Comments:
Frech> CONFIRM:http://www.hp.com/cposupport/printers/support_doc/bpl
02914.html
Name: CVE-1999-1062
Description:
HP Laserjet printers with JetDirect cards, when configured with
TCP/IP, allow remote attackers to bypass print filters by directly
sending PostScript documents to TCP ports 9099 and 9100.
Status: Candidate
Phase: Proposed (20010912)
Reference: BUGTRAQ:19971004 HP Laserjet 4M Plus DirectJet Problem
Reference: URL:http://marc.theaimsgroup.com/?l=bugtraq&m=87602248518480&w=2
Reference: XF:laserjet-unpassworded(1876)
Reference: URL:http://xforce.iss.net/static/1876.php
Votes:
ACCEPT(1) Cole
MODIFY(1) Frech
NOOP(1) Foat
Voter Comments:
Frech> DELREF:XF:laserjet-unpassworded(1876)
ADDREF:XF:hp-printer-flood(1818)
Name: CVE-1999-1063
Description:
CDomain whois_raw.cgi whois CGI script allows remote attackers to
execute arbitrary commands via shell metacharacters in the fqdn
parameter.
Status: Candidate
Phase: Proposed (20010912)
Reference: BUGTRAQ:19990601 whois_raw.cgi problem
Reference: URL:http://www.securityfocus.com/archive/1/14019
Reference: BID:304
Reference: URL:http://www.securityfocus.com/bid/304
Reference: XF:http-cgi-cdomain(2251)
Reference: URL:http://xforce.iss.net/static/2251.php
Votes:
ACCEPT(1) Frech
NOOP(3) Cole, Foat, Wall
Name: CVE-1999-1064
Description:
Multiple buffer overflows in WindowMaker 0.52 through 0.60.0 allow
attackers to cause a denial of service and possibly execute arbitrary
commands by executing WindowMaker with a long program name (argv[0]).
Status: Candidate
Phase: Proposed (20010912)
Reference: BUGTRAQ:19990822
Reference: URL:http://marc.theaimsgroup.com/?l=bugtraq&m=93555317429630&w=2
Reference: BUGTRAQ:19990824 Re: WindowMaker bugs (was sub:none )
Reference: URL:http://marc.theaimsgroup.com/?l=bugtraq&m=93582070508957&w=2
Reference: BID:596
Reference: URL:http://www.securityfocus.com/bid/596
Votes:
MODIFY(1) Frech
NOOP(3) Cole, Foat, Wall
Voter Comments:
Frech> XF:windowmaker-bo(3249)
Frech> XF:windowmaker-bo(3249)
Name: CVE-1999-1065
Description:
Palm Pilot HotSync Manager 3.0.4 in Windows 98 allows remote attackers
to cause a denial of service, and possibly execute arbitrary commands,
via a long string to port 14238 while the manager is in network mode.
Status: Candidate
Phase: Proposed (20010912)
Reference: BUGTRAQ:19991104 Palm Hotsync vulnerable to DoS attack
Reference: URL:http://marc.theaimsgroup.com/?l=bugtraq&m=94175465525422&w=2
Votes:
ACCEPT(1) Cole
MODIFY(1) Frech
NOOP(2) Foat, Wall
Voter Comments:
Frech> XF:palm-hotsync-bo(7785)
Name: CVE-1999-1066
Description:
Quake 1 server responds to an initial UDP game connection request with
a large amount of traffic, which allows remote attackers to use the
server as an amplifier in a "Smurf" style attack on another host, by
spoofing the connection request.
Status: Candidate
Phase: Proposed (20010912)
Reference: BUGTRAQ:19991222 Quake "smurf" - Quake War Utils
Reference: URL:http://marc.theaimsgroup.com/?l=bugtraq&m=94589559631535&w=2
Votes:
MODIFY(1) Frech
NOOP(4) Christey, Cole, Foat, Wall
Voter Comments:
Christey> This is apparently a problem with the connection protocol.
See BUGTRAQ:19980522 NetQuake Protocol problem resulting in smurf like effect.
URL:http://marc.theaimsgroup.com/?l=bugtraq&m=90221101925989&w=2
Frech> XF:quake-udp-connection-dos(7862)
Name: CVE-1999-1067
Description:
SGI MachineInfo CGI program, installed by default on some web servers,
prints potentially sensitive system status information, which could be
used by remote attackers for information gathering activities.
Status: Candidate
Phase: Proposed (20010912)
Reference: BUGTRAQ:19970507 Re: SGI Security Advisory 19970501-01-A - Vulnerability in webdist.cgi
Reference: URL:http://marc.theaimsgroup.com/?l=bugtraq&m=87602167420919&w=2
Reference: XF:sgi-machineinfo
Votes:
ACCEPT(1) Frech
NOOP(2) Cole, Foat
Voter Comments:
Frech> I'd be a lot more confident in this vote if there was a more
concrete reference strongly associating webdist.cgi and machineinfo.
Name: CVE-1999-1068
Description:
Oracle Webserver 2.1, when serving PL/SQL stored procedures, allows
remote attackers to cause a denial of service via a long HTTP GET
request.
Status: Candidate
Phase: Proposed (20010912)
Reference: BUGTRAQ:19970723 DoS against Oracle Webserver 2.1 with PL/SQL stored procedures
Reference: URL:http://marc.theaimsgroup.com/?l=bugtraq&m=87602661419366&w=2
Votes:
MODIFY(1) Frech
NOOP(2) Cole, Foat
Voter Comments:
Frech> XF:oracle-webserver-dos(1812)
Name: CVE-1999-1069
Description:
Directory traversal vulnerability in carbo.dll in iCat Carbo Server
3.0.0 allows remote attackers to read arbitrary files via a .. (dot
dot) in the icatcommand parameter.
Status: Candidate
Phase: Proposed (20010912)
Reference: BUGTRAQ:19971108 Security bug in iCat Suite version 3.0
Reference: URL:http://www.securityfocus.com/archive/1/7943
Reference: BID:2126
Reference: URL:http://www.securityfocus.com/bid/2126
Reference: XF:icat-carbo-server-vuln(1620)
Reference: URL:http://xforce.iss.net/static/1620.php
Votes:
ACCEPT(2) Cole, Frech
NOOP(1) Foat
Voter Comments:
Frech> iCat's site at http://www.icat.com/ is shut down, and no
further support seems to be available.
Name: CVE-1999-1070
Description:
Buffer overflow in ping CGI program in Xylogics Annex terminal service
allows remote attackers to cause a denial of service via a long query
parameter.
Status: Candidate
Phase: Proposed (20010912)
Reference: BUGTRAQ:19980725 Annex DoS
Reference: URL:http://www.securityfocus.com/archive/1/10021
Votes:
MODIFY(1) Frech
NOOP(3) Cole, Foat, Wall
Voter Comments:
Frech> XF:annex-ping-crash(2090)
Name: CVE-1999-1071
Description:
Excite for Web Servers (EWS) 1.1 installs the Architext.conf
authentication file with world-writeable permissions, which allows
local users to gain access to Excite accounts by modifying the file.
Status: Candidate
Phase: Proposed (20010912)
Reference: BUGTRAQ:19981130 Security bugs in Excite for Web Servers 1.1
Reference: URL:http://marc.theaimsgroup.com/?l=bugtraq&m=91248445931140&w=2
Reference: XF:excite-world-write(1417)
Reference: URL:http://xforce.iss.net/static/1417.php
Votes:
ACCEPT(1) Frech
NOOP(3) Cole, Foat, Wall
Name: CVE-1999-1072
Description:
Excite for Web Servers (EWS) 1.1 allows local users to gain privileges
by obtaining the encrypted password from the world-readable
Architext.conf authentication file and replaying the encrypted
password in an HTTP request to AT-generated.cgi or AT-admin.cgi.
Status: Candidate
Phase: Proposed (20010912)
Reference: BUGTRAQ:19981130 Security bugs in Excite for Web Servers 1.1
Reference: URL:http://marc.theaimsgroup.com/?l=bugtraq&m=91248445931140&w=2
Votes:
NOOP(3) Cole, Foat, Wall
Name: CVE-1999-1073
Description:
Excite for Web Servers (EWS) 1.1 records the first two characters of a
plaintext password in the beginning of the encrypted password, which
makes it easier for an attacker to guess passwords via a brute force
or dictionary attack.
Status: Candidate
Phase: Proposed (20010912)
Reference: BUGTRAQ:19981130 Security bugs in Excite for Web Servers 1.1
Reference: URL:http://marc.theaimsgroup.com/?l=bugtraq&m=91248445931140&w=2
Votes:
NOOP(3) Cole, Foat, Wall
Name: CVE-1999-1075
Description:
inetd in AIX 4.1.5 dynamically assigns a port N when starting
ttdbserver (ToolTalk server), but also inadvertently listens on port
N-1 without passing control to ttdbserver, which allows remote
attackers to cause a denial of service via a large number of
connections to port N-1, which are not properly closed by inetd.
Status: Candidate
Phase: Proposed (20010912)
Reference: BUGTRAQ:19980318 AIX 4.1.5 DoS attack (aka "Port 1025 problem")
Reference: URL:http://marc.theaimsgroup.com/?l=bugtraq&m=89025820612530&w=2
Votes:
MODIFY(1) Frech
NOOP(3) Cole, Foat, Wall
Voter Comments:
Frech> XF:aix-ttdbserver(813)
CONFIRM:APAR IX70400
Name: CVE-1999-1076
Description:
Idle locking function in MacOS 9 allows local users to bypass the
password protection of idled sessions by selecting the "Log Out"
option and selecting a "Cancel" option in the dialog box for an
application that attempts to verify that the user wants to log out,
which returns the attacker into the locked session.
Status: Candidate
Phase: Proposed (20010912)
Reference: BUGTRAQ:19991026 Mac OS 9 Idle Lock Bug
Reference: URL:http://marc.theaimsgroup.com/?l=bugtraq&m=94096348604173&w=2
Reference: BID:745
Reference: URL:http://www.securityfocus.com/bid/745
Votes:
ACCEPT(2) Cole, Foat
MODIFY(1) Frech
NOOP(1) Wall
Voter Comments:
Frech> XF:macos-idle-screenlock-bypass(7794)
Name: CVE-1999-1077
Description:
Idle locking function in MacOS 9 allows local attackers to bypass the
password protection of idled sessions via the programmer's switch or
CMD-PWR keyboard sequence, which brings up a debugger that the
attacker can use to disable the lock.
Status: Candidate
Phase: Proposed (20010912)
Reference: BUGTRAQ:19991101 Re: Mac OS 9 Idle Lock Bug
Reference: URL:http://marc.theaimsgroup.com/?l=bugtraq&m=94149318124548&w=2
Reference: BID:756
Reference: URL:http://www.securityfocus.com/bid/756
Votes:
ACCEPT(2) Cole, Foat
MODIFY(1) Frech
NOOP(1) Wall
Voter Comments:
Frech> XF:macos-debug-screenlock-access(3426)
Name: CVE-1999-1078
Description:
WS_FTP Pro 6.0 uses weak encryption for passwords in its
initialization files, which allows remote attackers to easily decrypt
the passwords and gain privileges.
Status: Candidate
Phase: Proposed (20010912)
Reference: NTBUGTRAQ:19990729 WS_FTP Pro 6.0 Weak Password Encryption Vulnerability
Reference: URL:http://www.ntbugtraq.com/default.asp?pid=36&sid=1&A2=ind9907&L=ntbugtraq&D=0&P=10370&F=P
Reference: BID:547
Reference: URL:http://www.securityfocus.com/bid/547
Votes:
MODIFY(1) Frech
NOOP(3) Cole, Foat, Wall
Voter Comments:
Frech> XF:wsftp-weak-password-encryption(8349)
Name: CVE-1999-1079
Description:
Vulnerability in ptrace in AIX 4.3 allows local users to gain
privileges by attaching to a setgid program.
Status: Candidate
Phase: Proposed (20010912)
Reference: BUGTRAQ:19990506 AIX Security Fixes Update
Reference: URL:http://marc.theaimsgroup.com/?l=bugtraq&m=92601792420088&w=2
Reference: BUGTRAQ:19990825 AIX security summary
Reference: URL:http://marc.theaimsgroup.com/?l=bugtraq&m=93587956513233&w=2
Reference: AIXAPAR:IX80470
Reference: URL:http://www-1.ibm.com/servlet/support/manager?rs=0&rt=0&org=apars&doc=08E0B1A1B85472A1852567C90031BB36
Reference: BID:439
Reference: URL:http://www.securityfocus.com/bid/439
Votes:
ACCEPT(3) Cole, Foat, Stracener
MODIFY(1) Frech
Voter Comments:
Frech> XF:aix-ptrace-setgid(7487)
Name: CVE-1999-1081
Description:
Vulnerability in files.pl script in Novell WebServer Examples Toolkit
2 allows remote attackers to read arbitrary files.
Status: Candidate
Phase: Proposed (20010912)
Reference: MISC:http://www.w3.org/Security/Faq/wwwsf8.html#Q87
Reference: MISC:http://www.roxanne.org/faqs/www-secure/wwwsf4.html#Q35
Reference: XF:http-nov-files(2054)
Reference: URL:http://xforce.iss.net/static/2054.php
Votes:
ACCEPT(2) Cole, Frech
NOOP(1) Foat
Name: CVE-1999-1082
Description:
Directory traversal vulnerability in Jana proxy web server 1.40 allows
remote attackers to ready arbitrary files via a "......" (modified dot
dot) attack.
Status: Candidate
Phase: Proposed (20010912)
Reference: BUGTRAQ:19991008 Jana webserver exploit
Reference: URL:http://marc.theaimsgroup.com/?l=bugtraq&m=93941794201059&w=2
Reference: BID:699
Reference: URL:http://www.securityfocus.com/bid/699
Votes:
ACCEPT(1) Cole
MODIFY(1) Frech
NOOP(2) Foat, Wall
Voter Comments:
Frech> XF:jana-server-directory-traversal(6513)
Name: CVE-1999-1083
Description:
Directory traversal vulnerability in Jana proxy web server 1.45 allows
remote attackers to ready arbitrary files via a .. (dot dot) attack.
Status: Candidate
Phase: Proposed (20010912)
Reference: BUGTRAQ:20000502 Security Bug in Jana HTTP Server
Reference: URL:http://marc.theaimsgroup.com/?l=bugtraq&m=95730430727064&w=2
Reference: BID:699
Reference: URL:http://www.securityfocus.com/bid/699
Votes:
ACCEPT(1) Cole
MODIFY(1) Frech
NOOP(3) Christey, Foat, Wall
Voter Comments:
Frech> XF:jana-server-directory-traversal(6513)
Christey> MODIFY description - the attack is of the form "/./../"
(single dot followed by double-dot)
Name: CVE-1999-1084
Description:
The "AEDebug" registry key is installed with insecure permissions,
which allows local users to modify the key to specify a Trojan Horse
debugger which is automatically executed on a system crash.
Status: Candidate
Phase: Proposed (20010912)
Reference: NTBUGTRAQ:19980622 Yet another "get yourself admin rights exploit":
Reference: URL:http://marc.theaimsgroup.com/?l=ntbugtraq&m=90222453431604&w=2
Reference: MSKB:Q103861
Reference: URL:http://support.microsoft.com/support/kb/articles/q103/8/61.asp
Reference: MS:MS00-008
Reference: URL:http://www.microsoft.com/technet/security/bulletin/ms00-008.asp
Reference: CIAC:K-029
Reference: URL:http://www.ciac.org/ciac/bulletins/k-029.shtml
Reference: BID:1044
Reference: URL:http://www.securityfocus.com/bid/1044
Votes:
ACCEPT(3) Cole, Foat, Wall
MODIFY(1) Frech
Voter Comments:
Frech> XF:nt-registry-permissions(4111)
Name: CVE-1999-1086
Description:
Novell 5 and earlier, when running over IPX with a packet signature
level less than 3, allows remote attackers to gain administrator
privileges by spoofing the MAC address in IPC fragmented packets that
make NetWare Core Protocol (NCP) calls.
Status: Candidate
Phase: Proposed (20010912)
Reference: BUGTRAQ:19990715 NMRC Advisory: Netware 5 Client Hijacking
Reference: URL:http://marc.theaimsgroup.com/?l=bugtraq&m=93214475111651&w=2
Reference: BID:528
Reference: URL:http://www.securityfocus.com/bid/528
Votes:
ACCEPT(1) Cole
MODIFY(1) Frech
NOOP(2) Foat, Wall
Voter Comments:
Frech> XF:netware-ipx-session-spoof(2350)
Name: CVE-1999-1088
Description:
Vulnerability in chsh command in HP-UX 9.X through 10.20 allows local
users to gain privileges.
Status: Candidate
Phase: Proposed (20010912)
Reference: HP:HPSBUX9701-050
Reference: CIAC:H-21
Reference: URL:http://ciac.llnl.gov/ciac/bulletins/h-21.shtml
Reference: XF:hp-chsh(2012)
Reference: URL:http://xforce.iss.net/static/2012.php
Votes:
ACCEPT(4) Cole, Foat, Frech, Stracener
Name: CVE-1999-1089
Description:
Buffer overflow in chfn command in HP-UX 9.X through 10.20 allows
local users to gain privileges via a long command line argument.
Status: Candidate
Phase: Proposed (20010912)
Reference: BUGTRAQ:19961209 the HP Bug of the Week!
Reference: URL:http://marc.theaimsgroup.com/?l=bugtraq&m=87602167420285&w=2
Reference: HP:HPSBUX9701-049
Reference: CIAC:H-21
Reference: URL:http://ciac.llnl.gov/ciac/bulletins/h-21.shtml
Reference: CIAC:H-16
Reference: URL:http://ciac.llnl.gov/ciac/bulletins/h-16.shtml
Reference: AUSCERT:AA-96.18
Reference: XF:hp-chfn(2008)
Votes:
ACCEPT(4) Cole, Foat, Frech, Stracener
Name: CVE-1999-1091
Description:
UNIX news readers tin and rtin create the /tmp/.tin_log file with
insecure permissions and follow symlinks, which allows attackers to
modify the permissions of files writable by the user via a symlink
attack.
Status: Candidate
Phase: Proposed (20010912)
Reference: BUGTRAQ:19960903 [BUG] Vulnerability in TIN
Reference: URL:http://marc.theaimsgroup.com/?l=bugtraq&m=87602167419835&w=2
Reference: BUGTRAQ:19960903 Re: BoS: [BUG] Vulnerability in TIN
Reference: URL:http://marc.theaimsgroup.com/?l=bugtraq&m=87602167419839&w=2
Reference: BUGTRAQ:19970329 symlink bug in tin/rtin
Reference: URL:http://marc.theaimsgroup.com/?l=bugtraq&m=87602167420726&w=2
Reference: XF:tin-tmpfile(431)
Reference: URL:http://xforce.iss.net/static/431.php
Votes:
ACCEPT(1) Frech
NOOP(2) Cole, Foat
Name: CVE-1999-1092
Description:
tin 1.40 creates the .tin directory with insecure permissions, which
allows local users to read passwords from the .inputhistory file.
Status: Candidate
Phase: Proposed (20010912)
Reference: BUGTRAQ:19991117 default permissions for tin
Reference: URL:http://marc.theaimsgroup.com/?l=bugtraq&m=94286179032648&w=2
Votes:
MODIFY(1) Frech
NOOP(3) Cole, Foat, Wall
Voter Comments:
Frech> XF:tin-insecure-permissions(7796)
Confirmed in changelog for 1.4.1
http://ftp.kreonet.re.kr/pub/tools/news/tin/v1.4/CHANGES
Name: CVE-1999-1095
Description:
sort creates temporary files and follows symbolic links, which allows
local users to modify arbitrary files that are writable by the user
running sort, as observed in updatedb and other programs that use
sort.
Status: Candidate
Phase: Proposed (20010912)
Reference: BUGTRAQ:19971006 KSR[T] Advisory #3: updatedb / crontabs
Reference: URL:http://marc.theaimsgroup.com/?l=bugtraq&m=87619953510834&w=2
Reference: BUGTRAQ:19980303 updatedb stuff
Reference: URL:http://marc.theaimsgroup.com/?l=bugtraq&m=88890116304676&w=2
Reference: BUGTRAQ:19980303 updatedb: sort patch
Reference: BUGTRAQ:19980302 overwrite any file with updatedb
Reference: URL:http://marc.theaimsgroup.com/?l=bugtraq&m=88886870129518&w=2
Votes:
MODIFY(1) Frech
NOOP(3) Christey, Cole, Foat
Voter Comments:
Frech> XF:sort-tmp-file-symlink(7182)
Christey> This issue clearly has a long history.
CALDERA:CSSA-2002-SCO.21
URL:http://archives.neohapsis.com/archives/linux/caldera/2002-q2/0018.html
CALDERA:CSSA-2002-SCO.2
URL:http://archives.neohapsis.com/archives/linux/caldera/2002-q1/0002.html
(There are 2 Caldera advisories because one is for Open UNIX
and UnixWare, and the other is for OpenServer)
XF:openserver-sort-symlink(9218)
URL:http://www.iss.net/security_center/static/9218.php
Name: CVE-1999-1096
Description:
Buffer overflow in kscreensaver in KDE klock allows local users to
gain root privileges via a long HOME environmental variable.
Status: Candidate
Phase: Proposed (20010912)
Reference: BUGTRAQ:19980516 kde exploit
Reference: URL:http://marc.theaimsgroup.com/?l=bugtraq&m=90221101925954&w=2
Reference: BUGTRAQ:19980517 simple kde exploit fix
Reference: URL:http://marc.theaimsgroup.com/?l=bugtraq&m=90221101925959&w=2
Reference: XF:kde-klock-home-bo(1644)
Reference: URL:http://xforce.iss.net/static/1644.php
Votes:
ACCEPT(1) Frech
NOOP(3) Cole, Foat, Wall
Name: CVE-1999-1097
Description:
Microsoft NetMeeting 2.1 allows one client to read the contents of
another client's clipboard via a CTRL-C in the chat box when the box
is empty.
Status: Candidate
Phase: Proposed (20010912)
Reference: BUGTRAQ:19990504 Microsoft Netmeeting Hole
Reference: URL:http://marc.theaimsgroup.com/?l=bugtraq&m=92586457816446&w=2
Reference: XF:netmeeting-clipboard(2187)
Reference: URL:http://xforce.iss.net/static/2187.php
Votes:
ACCEPT(1) Frech
NOOP(3) Cole, Foat, Wall
Name: CVE-1999-1101
Description:
Kabsoftware Lydia utility uses weak encryption to store user passwords
in the lydia.ini file, which allows local users to easily decrypt the
passwords and gain privileges.
Status: Candidate
Phase: Proposed (20010912)
Reference: BUGTRAQ:19990219 Yet Another password storing problem (was: Re: Possible Netscape Crypto Security Flaw)
Reference: URL:http://www.securityfocus.com/archive/1/12618
Votes:
MODIFY(1) Frech
NOOP(3) Cole, Foat, Wall
Voter Comments:
Frech> XF:lydia-ini-passwords(7501)
ADDREF:http://www.kabsoftware.com/lydia_history.txt (Version
History for Lydia, V3.3 - 11/24/00)
Name: CVE-1999-1106
Description:
Buffer overflow in kppp in KDE allows local users to gain root access
via a long -c (account_name) command line argument.
Status: Candidate
Phase: Proposed (20010912)
Reference: BUGTRAQ:19980429 Security hole in kppp
Reference: URL:http://www.securityfocus.com/archive/1/9121
Reference: XF:kde-kppp-account-bo(1643)
Reference: URL:http://xforce.iss.net/static/1643.php
Reference: BID:92
Reference: URL:http://www.securityfocus.com/bid/92
Votes:
ACCEPT(2) Cole, Frech
NOOP(2) Foat, Wall
Name: CVE-1999-1107
Description:
Buffer overflow in kppp in KDE allows local users to gain root access
via a long PATH environmental variable.
Status: Candidate
Phase: Proposed (20010912)
Reference: BUGTRAQ:19981118 Multiple KDE security vulnerabilities (root compromise)
Reference: URL:http://marc.theaimsgroup.com/?l=bugtraq&m=91141486301691&w=2
Reference: XF:kde-kppp-path-bo(1650)
Reference: URL:http://xforce.iss.net/static/1650.php
Votes:
ACCEPT(1) Frech
NOOP(3) Cole, Foat, Wall
Name: CVE-1999-1108
Description:
** REJECT **
DO NOT USE THIS CANDIDATE NUMBER. ConsultIDs: CVE-1999-1107. Reason:
This candidate is a duplicate of CVE-1999-1107. Notes: All CVE users
should reference CVE-1999-1107 instead of this candidate. All
references and descriptions in this candidate have been removed to
prevent accidental usage.
Status: Candidate
Phase: Modified (20050204)
Votes:
ACCEPT(1) Cole
NOOP(2) Foat, Wall
REJECT(2) Christey, Frech
Voter Comments:
Frech> Has exactly the same attributes as CVE-1999-1107.
Christey> DUPE CVE-1999-1107.
Name: CVE-1999-1110
Description:
Windows Media Player ActiveX object as used in Internet Explorer 5.0
returns a specific error code when a file does not exist, which allows
remote malicious web sites to determine the existence of files on the
client.
Status: Candidate
Phase: Proposed (20010912)
Reference: BUGTRAQ:19991114 IE 5.0 and Windows Media Player ActiveX object allow checking the existence of local files and directories
Reference: URL:http://www.securityfocus.com/archive/1/34675
Reference: BID:793
Reference: URL:http://www.securityfocus.com/bid/793
Votes:
ACCEPT(1) Wall
MODIFY(1) Frech
NOOP(2) Cole, Foat
Voter Comments:
Frech> XF:ie-mediaplayer-activex(7800)
Name: CVE-1999-1112
Description:
Buffer overflow in IrfanView32 3.07 and earlier allows attackers to
execute arbitrary commands via a long string after the "8BPS" image
type in a Photo Shop image header.
Status: Candidate
Phase: Proposed (20010912)
Reference: BUGTRAQ:19991109 Irfan view 3.07 buffer overflow
Reference: URL:http://www.securityfocus.com/archive/1/34066
Reference: MISC:http://stud4.tuwien.ac.at/~e9227474/main2.html
Reference: XF:irfan-view32-bo(3549)
Reference: URL:http://xforce.iss.net/static/3549.php
Reference: BID:781
Reference: URL:http://www.securityfocus.com/bid/781
Votes:
ACCEPT(1) Frech
NOOP(3) Cole, Foat, Wall
Name: CVE-1999-1113
Description:
Buffer overflow in Eudora Internet Mail Server (EIMS) 2.01 and earlier
on MacOS systems allows remote attackers to cause a denial of service
via a long USER command to port 106.
Status: Candidate
Phase: Proposed (20010912)
Reference: BUGTRAQ:19980414 MacOS based buffer overflows...
Reference: URL:http://marc.theaimsgroup.com/?l=bugtraq&m=89258194718577&w=2
Reference: BID:75
Reference: URL:http://www.securityfocus.com/bid/75
Votes:
MODIFY(1) Frech
NOOP(3) Cole, Foat, Wall
Voter Comments:
Frech> XF:eudora-ims-user-dos(7300)
Name: CVE-1999-1123
Description:
The installation of Sun Source (sunsrc) tapes allows local users to
gain root privileges via setuid root programs (1) makeinstall or (2)
winstall.
Status: Candidate
Phase: Proposed (20010912)
Reference: CERT:CA-1991-07
Reference: URL:http://www.cert.org/advisories/CA-1991-07.html
Reference: SUN:00107
Reference: URL:http://sunsolve.sun.com/pub-cgi/retrieve.pl?doctype=coll&doc=secbull/107&type=0&nav=sec.sba
Reference: BID:21
Reference: URL:http://www.securityfocus.com/bid/21
Reference: BID:22
Reference: URL:http://www.securityfocus.com/bid/22
Reference: XF:sun-sourcetapes(582)
Reference: URL:http://xforce.iss.net/static/582.php
Votes:
ACCEPT(5) Cole, Dik, Foat, Frech, Stracener
NOOP(1) Wall
Voter Comments:
Dik> sun bug: 1059621
Name: CVE-1999-1124
Description:
HTTP Client application in ColdFusion allows remote attackers to
bypass access restrictions for web pages on other ports by providing
the target page to the mainframeset.cfm application, which requests
the page from the server, making it look like the request is coming
from the local host.
Status: Candidate
Phase: Proposed (20010912)
Reference: MISC:http://packetstorm.securify.com/mag/phrack/phrack54/P54-08
Votes:
ACCEPT(2) Cole, Wall
NOOP(1) Foat
Name: CVE-1999-1125
Description:
Oracle Webserver 2.1 and earlier runs setuid root, but the
configuration file is owned by the oracle account, which allows any
local or remote attacker who obtains access to the oracle account to
gain privileges or modify arbitrary files by modifying the
configuration file.
Status: Candidate
Phase: Proposed (20010912)
Reference: BUGTRAQ:19970919 Instresting practises of Oracle [Oracle Webserver]
Reference: URL:http://marc.theaimsgroup.com/?l=bugtraq&m=87602880019796&w=2
Votes:
MODIFY(1) Frech
NOOP(2) Cole, Foat
Voter Comments:
Frech> XF:oracle-webserver-gain-root(7174)
Name: CVE-1999-1126
Description:
Cisco Resource Manager (CRM) 1.1 and earlier creates certain files
with insecure permissions that allow local users to obtain sensitive
configuration information including usernames, passwords, and SNMP
community strings, from (1) swim_swd.log, (2) swim_debug.log, (3)
dbi_debug.log, and (4) temporary files whose names begin with "DPR_".
Status: Candidate
Phase: Proposed (20010912)
Reference: CISCO:19980813 CRM Temporary File Vulnerability
Reference: URL:http://www.cisco.com/warp/public/770/crmtmp-pub.shtml
Reference: CIAC:I-086
Reference: URL:http://ciac.llnl.gov/ciac/bulletins/i-086.shtml
Reference: XF:cisco-crm-file-vuln(1575)
Reference: URL:http://xforce.iss.net/static/1575.php
Votes:
ACCEPT(5) Armstrong, Cole, Foat, Frech, Stracener
NOOP(1) Wall
REJECT(1) Balinsky
Voter Comments:
Balinsky> Duplicate of CVE-1999-1042
Name: CVE-1999-1128
Description:
Internet Explorer 3.01 on Windows 95 allows remote malicious web sites
to execute arbitrary commands via a .isp file, which is automatically
downloaded and executed without prompting the user.
Status: Candidate
Phase: Proposed (20010912)
Reference: MISC:http://oliver.efri.hr/~crv/security/bugs/NT/ie3.html
Reference: MISC:http://members.tripod.com/~unibyte/iebug3.htm
Votes:
ACCEPT(1) Cole
MODIFY(1) Frech
NOOP(2) Christey, Foat
Voter Comments:
Frech> XF:http-ie-exec(462)
Christey> DELREF MISC:http://oliver.efri.hr/~crv/security/bugs/NT/ie3.html
ADDREF MISC:http://focus.silversand.net/vulner/allbug/ie3.html
Name: CVE-1999-1129
Description:
Cisco Catalyst 2900 Virtual LAN (VLAN) switches allow remote attackers
to inject 802.1q frames into another VLAN by forging the VLAN
identifier in the trunking tag.
Status: Candidate
Phase: Proposed (20010912)
Reference: BUGTRAQ:19990901 VLAN Security
Reference: URL:http://www.securityfocus.com/archive/1/26008
Reference: MISC:http://www.cisco.com/univercd/cc/td/doc/product/lan/28201900/1928v8x/eescg8x/aleakyv.htm
Reference: XF:cisco-catalyst-vlan-frames(3294)
Reference: URL:http://xforce.iss.net/static/3294.php
Reference: BID:615
Reference: URL:http://www.securityfocus.com/bid/615
Votes:
ACCEPT(2) Foat, Frech
NOOP(2) Cole, Wall
Voter Comments:
CHANGE> [Foat changed vote from NOOP to ACCEPT]
Name: CVE-1999-1130
Description:
Default configuration of the search engine in Netscape Enterprise
Server 3.5.1, and possibly other versions, allows remote attackers to
read the source of JHTML files by specifying a search command using
the HTML-tocrec-demo1.pat pattern file.
Status: Candidate
Phase: Proposed (20010912)
Reference: BUGTRAQ:19990730 Netscape Enterprise Server yeilds source of JHTML
Reference: URL:http://marc.theaimsgroup.com/?l=bugtraq&m=93346448121208&w=2
Reference: NTBUGTRAQ:19990730 Netscape Enterprise Server yeilds source of JHTML
Reference: URL:http://marc.theaimsgroup.com/?l=ntbugtraq&m=93337389603117&w=2
Reference: BID:559
Reference: URL:http://www.securityfocus.com/bid/559
Votes:
ACCEPT(1) Cole
MODIFY(1) Frech
NOOP(2) Foat, Wall
Voter Comments:
Frech> XF:netscape-enterprise-view-jhtml(8352)
Name: CVE-1999-1133
Description:
HP-UX 9.x and 10.x running X windows may allow local attackers to gain
privileges via (1) vuefile, (2) vuepad, (3) dtfile, or (4) dtpad,
which do not authenticate users.
Status: Candidate
Phase: Modified (20020217-01)
Reference: HP:HPSBUX9709-069
Reference: URL:http://marc.theaimsgroup.com/?l=bugtraq&m=87602880019776&w=2
Reference: XF:hp-vue-dt(499)
Reference: URL:http://xforce.iss.net/static/499.php
Votes:
ACCEPT(4) Cole, Foat, Frech, Stracener
NOOP(1) Christey
Voter Comments:
Christey> CHANGEREF: chaneg XF reference to XF:hp-vue-dt(499)
Name: CVE-1999-1134
Description:
Vulnerability in Vue 3.0 in HP 9.x allows local users to gain root
privileges, as fixed by PHSS_4038, PHSS_4055, and PHSS_4066.
Status: Candidate
Phase: Modified (20020217-01)
Reference: HP:HPSBUX9404-008
Reference: URL:http://packetstorm.securify.com/advisories/hpalert/008
Reference: CIAC:E-23
Reference: URL:http://ciac.llnl.gov/ciac/bulletins/e-23.shtml
Reference: XF:hp-vue(2284)
Reference: URL:http://www.iss.net/security_center/static/2284.php
Votes:
ACCEPT(3) Cole, Foat, Stracener
MODIFY(1) Frech
Voter Comments:
Frech> XF:hp-vue(2284)
Packetstorm URL is dead. Try another archive.
Name: CVE-1999-1135
Description:
Vulnerability in VUE 3.0 in HP 9.x allows local users to gain root
privileges, as fixed by PHSS_4994 and PHSS_5438.
Status: Candidate
Phase: Proposed (20010912)
Reference: HP:HPSBUX9504-027
Reference: URL:http://packetstorm.securify.com/advisories/hpalert/027
Reference: XF:hp-vue(2284)
Reference: URL:http://xforce.iss.net/static/2284.php
Votes:
ACCEPT(4) Cole, Foat, Frech, Stracener
Name: CVE-1999-1141
Description:
Ascom Timeplex router allows remote attackers to obtain sensitive
information or conduct unauthorized activities by entering debug mode
through a sequence of CTRL-D characters.
Status: Candidate
Phase: Proposed (20010912)
Reference: BUGTRAQ:19970515 MicroSolved finds hole in Ascom Timeplex Router Security
Reference: URL:http://marc.theaimsgroup.com/?l=bugtraq&m=87602167420981&w=2
Reference: XF:ascom-timeplex-debug(1824)
Reference: URL:http://xforce.iss.net/static/1824.php
Votes:
ACCEPT(1) Frech
NOOP(2) Cole, Foat
Name: CVE-1999-1149
Description:
Buffer overflow in CSM Proxy 4.1 allows remote attackers to cause a
denial of service (crash) via a long string to the FTP port.
Status: Candidate
Phase: Proposed (20010912)
Reference: BUGTRAQ:19980716 S.A.F.E.R. Security Bulletin 980708.DOS.1.1
Reference: URL:http://marc.theaimsgroup.com/?l=bugtraq&m=90221104525993&w=2
Reference: XF:csm-proxy-dos(1422)
Reference: URL:http://xforce.iss.net/static/1422.php
Votes:
ACCEPT(2) Cole, Frech
NOOP(2) Foat, Wall
Name: CVE-1999-1150
Description:
Livingston Portmaster routers running ComOS use the same initial
sequence number (ISN) for TCP connections, which allows remote
attackers to conduct spoofing and hijack TCP sessions.
Status: Candidate
Phase: Proposed (20010912)
Reference: BUGTRAQ:19980630 Livingston Portmaster - ISN generation is loosy!
Reference: URL:http://www.securityfocus.com/archive/1/9723
Reference: XF:portmaster-fixed-isn(1882)
Reference: URL:http://xforce.iss.net/static/1882.php
Votes:
ACCEPT(1) Frech
NOOP(3) Cole, Foat, Wall
Name: CVE-1999-1151
Description:
Compaq/Microcom 6000 Access Integrator does not cause a session
timeout after prompting for a username or password, which allows
remote attackers to cause a denial of service by connecting to the
integrator without providing a username or password.
Status: Candidate
Phase: Proposed (20010912)
Reference: BUGTRAQ:19980603 Compaq/Microcom 6000 DoS + more
Reference: URL:http://marc.theaimsgroup.com/?l=bugtraq&m=90296493106214&w=2
Reference: XF:microcom-dos(2089)
Reference: URL:http://xforce.iss.net/static/2089.php
Votes:
ACCEPT(2) Cole, Frech
NOOP(2) Foat, Wall
Name: CVE-1999-1152
Description:
Compaq/Microcom 6000 Access Integrator does not disconnect a client
after a certain number of failed login attempts, which allows remote
attackers to guess usernames or passwords via a brute force attack.
Status: Candidate
Phase: Proposed (20010912)
Reference: BUGTRAQ:19980603 Compaq/Microcom 6000 DoS + more
Reference: URL:http://marc.theaimsgroup.com/?l=bugtraq&m=90296493106214&w=2
Votes:
MODIFY(1) Frech
NOOP(3) Cole, Foat, Wall
Voter Comments:
Frech> XF:microcom-brute-force(7301)
Name: CVE-1999-1153
Description:
HAMcards Postcard CGI script 1.0 allows remote attackers to execute
arbitrary commands via shell metacharacters in the recipient email
address.
Status: Candidate
Phase: Proposed (20010912)
Reference: BUGTRAQ:19981109 Several new CGI vulnerabilities
Reference: URL:http://www.securityfocus.com/archive/1/11175
Reference: XF:cgi-perl-mail-programs(1400)
Reference: URL:http://xforce.iss.net/static/1400.php
Votes:
ACCEPT(2) Cole, Frech
NOOP(2) Foat, Wall
Name: CVE-1999-1154
Description:
LakeWeb Filemail CGI script allows remote attackers to execute
arbitrary commands via shell metacharacters in the recipient email
address.
Status: Candidate
Phase: Proposed (20010912)
Reference: BUGTRAQ:19981109 Several new CGI vulnerabilities
Reference: URL:http://www.securityfocus.com/archive/1/11175
Reference: MISC:http://lakeweb.com/scripts/
Reference: XF:cgi-perl-mail-programs(1400)
Reference: URL:http://xforce.iss.net/static/1400.php
Votes:
ACCEPT(2) Cole, Frech
NOOP(3) Christey, Foat, Wall
Voter Comments:
Christey> I confirmed this problem via visual inspection of the
source code in http://www.lakeweb.com/scripts/filemail.zip
Line 82 has an insufficient check for shell metacharacters
that doesn't exclude semicolons. Line 129 is the
call where the metacharacters are injected.
Need to add "filemail.pl" to the description.
Name: CVE-1999-1155
Description:
LakeWeb Mail List CGI script allows remote attackers to execute
arbitrary commands via shell metacharacters in the recipient email
address.
Status: Candidate
Phase: Proposed (20010912)
Reference: BUGTRAQ:19981109 Several new CGI vulnerabilities
Reference: URL:http://www.securityfocus.com/archive/1/11175
Reference: MISC:http://lakeweb.com/scripts/
Reference: XF:cgi-perl-mail-programs(1400)
Reference: URL:http://xforce.iss.net/static/1400.php
Votes:
ACCEPT(2) Cole, Frech
NOOP(2) Foat, Wall
Name: CVE-1999-1158
Description:
Buffer overflow in (1) pluggable authentication module (PAM) on
Solaris 2.5.1 and 2.5 and (2) unix_scheme in Solaris 2.4 and 2.3
allows local users to gain root privileges via programs that use these
modules such as passwd, yppasswd, and nispasswd.
Status: Candidate
Phase: Proposed (20010912)
Reference: AUSCERT:AA-97.09
Reference: URL:ftp://ftp.auscert.org.au/pub/auscert/advisory/AA-97.09.Solaris.passwd.buffer.overrun.vul
Reference: SUN:00139
Reference: URL:http://sunsolve.sun.com/pub-cgi/retrieve.pl?doctype=coll&doc=secbull/139&type=0&nav=sec.sba
Votes:
ACCEPT(4) Cole, Dik, Foat, Stracener
MODIFY(1) Frech
RECAST(1) Christey
Voter Comments:
Frech> XF:solaris-pam-bo(7432)
Dik> sun bug: 4018347
Christey> These issues should be SPLIT per CD:SF-EXEC because the PAM
problem appears in different Solaris versions than
unix_scheme.
Name: CVE-1999-1164
Description:
Microsoft Outlook client allows remote attackers to cause a denial of
service by sending multiple email messages with the same X-UIDL
headers, which causes Outlook to hang.
Status: Candidate
Phase: Proposed (20010912)
Reference: BUGTRAQ:19990625 Outlook denial of service
Reference: URL:http://marc.theaimsgroup.com/?l=bugtraq&m=93041631215856&w=2
Votes:
ACCEPT(1) Wall
MODIFY(1) Frech
NOOP(2) Cole, Foat
Voter Comments:
Frech> XF:outlook-xuidl-dos(8356)
Name: CVE-1999-1165
Description:
GNU fingerd 1.37 does not properly drop privileges before accessing
user information, which could allow local users to (1) gain root
privileges via a malicious program in the .fingerrc file, or (2) read
arbitrary files via symbolic links from .plan, .forward, or .project
files.
Status: Candidate
Phase: Proposed (20010912)
Reference: BUGTRAQ:19990721 old gnu finger bugs
Reference: URL:http://marc.theaimsgroup.com/?l=bugtraq&m=93268249021561&w=2
Reference: BUGTRAQ:19950317 GNU finger 1.37 executes ~/.fingerrc with gid root
Reference: URL:http://www.securityfocus.com/archive/1/2478
Reference: BID:535
Reference: URL:http://www.securityfocus.com/bid/535
Votes:
MODIFY(1) Frech
NOOP(2) Cole, Foat
Voter Comments:
Frech> XF:gnu-finger-privilege-dropping(7175)
Name: CVE-1999-1166
Description:
Linux 2.0.37 does not properly encode the Custom segment limit, which
allows local users to gain root privileges by accessing and modifying
kernel memory.
Status: Candidate
Phase: Proposed (20010912)
Reference: BUGTRAQ:19990711 Linux 2.0.37 segment limit bug
Reference: URL:http://www.securityfocus.com/archive/1/18156
Reference: BID:523
Reference: URL:http://www.securityfocus.com/bid/523
Votes:
MODIFY(1) Frech
NOOP(3) Cole, Foat, Wall
Voter Comments:
Frech> (Task 2253)
CHANGE> [Frech changed vote from REVIEWING to MODIFY]
Frech> XF:linux-segment-limit-privileges(11202)
Name: CVE-1999-1168
Description:
install.iss installation script for Internet Security Scanner (ISS)
for Linux, version 5.3, allows local users to change the permissions
of arbitrary files via a symlink attack on a temporary file.
Status: Candidate
Phase: Proposed (20010912)
Reference: BUGTRAQ:19990220 ISS install.iss security hole
Reference: URL:http://www.securityfocus.com/archive/1/12640
Votes:
MODIFY(1) Frech
NOOP(3) Cole, Foat, Wall
Voter Comments:
Frech> XF:iss-temp-files(1793)
ADDREF:http://www.securityfocus.com/archive/1/12679
Name: CVE-1999-1169
Description:
nobo 1.2 allows remote attackers to cause a denial of service (crash)
via a series of large UDP packets.
Status: Candidate
Phase: Proposed (20010912)
Reference: BUGTRAQ:19990204 NOBO denial of service
Reference: URL:http://www.securityfocus.com/archive/1/12284
Votes:
ACCEPT(1) Foat
MODIFY(1) Frech
NOOP(2) Cole, Wall
Voter Comments:
Frech> XF:nobo-udp-packet-dos(7502)
ADDREF:http://www.securityfocus.com/archive/1/12378
ADDREF:http://web.cip.com.br/nobo/mudancas_en.html
Name: CVE-1999-1170
Description:
IPswitch IMail allows local users to gain additional privileges and
modify or add mail accounts by setting the "flags" registry key to
1920.
Status: Candidate
Phase: Proposed (20010912)
Reference: NTBUGTRAQ:19990204 WS FTP Server Remote DoS Attack
Reference: URL:http://marc.theaimsgroup.com/?l=ntbugtraq&m=91816507920544&w=2
Reference: BID:218
Reference: URL:http://www.securityfocus.com/bid/218
Votes:
MODIFY(1) Frech
NOOP(3) Cole, Foat, Wall
Voter Comments:
Frech> XF:imail-registry(1725)
Name: CVE-1999-1171
Description:
IPswitch WS_FTP allows local users to gain additional privileges and
modify or add mail accounts by setting the "flags" registry key to
1920.
Status: Candidate
Phase: Proposed (20010912)
Reference: NTBUGTRAQ:19990204 WS FTP Server Remote DoS Attack
Reference: URL:http://marc.theaimsgroup.com/?l=ntbugtraq&m=91816507920544&w=2
Reference: BID:218
Reference: URL:http://www.securityfocus.com/bid/218
Votes:
MODIFY(1) Frech
NOOP(3) Cole, Foat, Wall
Voter Comments:
Frech> XF:wsftp-registry(1726)
Name: CVE-1999-1172
Description:
By design, Maximizer Enterprise 4 calendar and address book program
allows arbitrary users to modify the calendar of other users when the
calendar is being shared.
Status: Candidate
Phase: Proposed (20010912)
Reference: BUGTRAQ:19990114 security hole in Maximizer
Reference: URL:http://www.securityfocus.com/archive/1/11947
Votes:
MODIFY(1) Frech
NOOP(3) Cole, Foat, Wall
REVIEWING(1) Christey
Voter Comments:
Christey> The discloser does not provide enough details to fully
understand what the problem is. This makes it difficult
because if Maximizer has a concept of "users" and it is
designed to allow any user to modify any other user's data,
then this would not be a vulnerability or exposure, unless
that "cross-user" capability could be used to violate system
integrity, data confidentiality, or the like. There are some
features of Maximizer 6.0 that, if abused, could allow someone
to do some bad things. For example, an attacker could modify
the email addresses for contacts to redirect sales to
locations besides the customer. There's also a capability of
assigning priorities and alarms, which could be susceptible to
an "inconvenience attack" at the very least, as well as
tie-ins to e-commerce capabilities.
The critical question becomes: "how is this data shared" in
the first place? If it's through a network share or other
distribution method besides transferring the complete database
between sites, then this may be accessible to any attacker who
can mimic a Maximizer client (if there is such a thing as a
client), and this could be a vulnerability or exposure
according to the CVE definition.
However, since the Maximizer functionality is unknown to me
and not readily apparent from product documentation, it's hard
to know what to do about this one.
CHANGE> [Frech changed vote from REVIEWING to MODIFY]
Frech> XF:maximizer-enterprise-calendar-modification(7590)
Name: CVE-1999-1173
Description:
Corel Word Perfect 8 for Linux creates a temporary working directory
with world-writable permissions, which allows local users to (1)
modify Word Perfect behavior by modifying files in the working
directory, or (2) modify files of other users via a symlink attack.
Status: Candidate
Phase: Proposed (20010912)
Reference: BUGTRAQ:19981218 wordperfect 8 for linux security
Reference: URL:http://marc.theaimsgroup.com/?l=bugtraq&m=91404045014047&w=2
Votes:
NOOP(3) Cole, Foat, Wall
Name: CVE-1999-1174
Description:
ZIP drive for Iomega ZIP-100 disks allows attackers with physical
access to the drive to bypass password protection by inserting a known
disk with a known password, waiting for the ZIP drive to power down,
manually replacing the known disk with the target disk, and using the
known password to access the target disk.
Status: Candidate
Phase: Proposed (20010912)
Reference: MISC:http://www.counterpane.com/crypto-gram-9812.html#doghouse
Votes:
ACCEPT(1) Cole
NOOP(2) Foat, Wall
Name: CVE-1999-1176
Description:
Buffer overflow in cidentd ident daemon allows local users to gain
root privileges via a long line in the .authlie script.
Status: Candidate
Phase: Proposed (20010912)
Reference: BUGTRAQ:19980110 Cidentd
Reference: URL:http://marc.theaimsgroup.com/?l=bugtraq&m=88466930416716&w=2
Reference: BUGTRAQ:19980911 Re: security problems with jidentd
Reference: URL:http://marc.theaimsgroup.com/?l=bugtraq&m=90554230925545&w=2
Reference: MISC:http://spisa.act.uji.es/spi/progs/codigo/www.hack.co.za/exploits/daemon/ident/cidentd.c
Votes:
MODIFY(1) Frech
NOOP(3) Cole, Foat, Wall
Voter Comments:
Frech> XF:cidentd-authlie-bo(7327)
Name: CVE-1999-1178
Description:
Sambar Server 4.1 beta allows remote attackers to obtain sensitive
information about the server via an HTTP request for the dumpenv.pl
script.
Status: Candidate
Phase: Proposed (20010912)
Reference: XF:sambar-dump-env(3223)
Reference: URL:http://xforce.iss.net/static/3223.php
Reference: BUGTRAQ:19980610 Sambar Server Beta BUG..
Reference: URL:http://www.securityfocus.com/archive/1/9505
Votes:
ACCEPT(1) Frech
NOOP(3) Cole, Foat, Wall
Name: CVE-1999-1179
Description:
Vulnerability in man.sh CGI script, included in May 1998 issue of
SysAdmin Magazine, allows remote attackers to execute arbitrary
commands.
Status: Candidate
Phase: Proposed (20010912)
Reference: BUGTRAQ:19980515 May SysAdmin man.sh security hole
Reference: URL:http://www.securityfocus.com/archive/1/9330
Votes:
MODIFY(1) Frech
NOOP(3) Cole, Foat, Wall
Voter Comments:
Frech> XF:mansh-execute-commands(7328)
Name: CVE-1999-1180
Description:
O'Reilly WebSite 1.1e and Website Pro 2.0 allows remote attackers to
execute arbitrary commands via shell metacharacters in an argument to
(1) args.cmd or (2) args.bat.
Status: Candidate
Phase: Proposed (20010912)
Reference: MISC:http://oliver.efri.hr/~crv/security/bugs/NT/buffer.html
Reference: BUGTRAQ:19990216 Website Pro v2.0 (NT) Configuration Issues
Reference: URL:http://www.tryc.on.ca/archives/bugtraq/1999_1/0612.html
Votes:
ACCEPT(1) Wall
MODIFY(1) Frech
NOOP(3) Christey, Cole, Foat
Voter Comments:
Christey> DELREF MISC:http://oliver.efri.hr/~crv/security/bugs/NT/buffer.html
ADDREF MISC:http://focus.silversand.net/vulner/allbug/buffer.html
Frech> XF:website-pro-args-commands(7529)
Name: CVE-1999-1182
Description:
Buffer overflow in run-time linkers (1) ld.so or (2) ld-linux.so for
Linux systems allows local users to gain privileges by calling a
setuid program with a long program name (argv[0]) and forcing
ld.so/ld-linux.so to report an error.
Status: Candidate
Phase: Proposed (20010912)
Reference: BUGTRAQ:19970717 KSR[T] Advisory #2: ld.so
Reference: URL:http://marc.theaimsgroup.com/?l=bugtraq&m=87602661419318&w=2
Reference: BUGTRAQ:19970722 ld.so vulnerability
Reference: URL:http://marc.theaimsgroup.com/?l=bugtraq&m=87602661419351&w=2
Reference: BUGTRAQ:19980204 An old ld-linux.so hole
Reference: URL:http://marc.theaimsgroup.com/?l=bugtraq&m=88661732807795&w=2
Votes:
NOOP(2) Cole, Foat
Name: CVE-1999-1183
Description:
System Manager sysmgr GUI in SGI IRIX 6.4 and 6.3 allows remote
attackers to execute commands by providing a trojan horse (1) runtask
or (2) runexec descriptor file, which is used to execute a System
Manager Task when the user's Mailcap entry supports the x-sgi-task or
x-sgi-exec type.
Status: Candidate
Phase: Modified (20060705)
Reference: SGI:19980403-02-PX
Reference: URL:ftp://patches.sgi.com/support/free/security/advisories/19980403-02-PX
Reference: SGI:19980403-01-PX
Reference: URL:ftp://patches.sgi.com/support/free/security/advisories/19980403-01-PX
Reference: OSVDB:8556
Reference: URL:http://www.osvdb.org/8556
Reference: XF:sgi-mailcap(809)
Reference: URL:http://www.iss.net/security_center/static/809.php
Votes:
ACCEPT(3) Cole, Foat, Stracener
MODIFY(1) Frech
Voter Comments:
Frech> XF:sgi-mailcap(809)
Name: CVE-1999-1184
Description:
Buffer overflow in Elm 2.4 and earlier allows local users to gain
privileges via a long TERM environmental variable.
Status: Candidate
Phase: Proposed (20010912)
Reference: BUGTRAQ:19970513
Reference: URL:http://marc.theaimsgroup.com/?l=bugtraq&m=87602167420967&w=2
Reference: BUGTRAQ:19970514 Re: ELM overflow
Reference: URL:http://marc.theaimsgroup.com/?l=bugtraq&m=87602167420970&w=2
Votes:
MODIFY(1) Frech
NOOP(2) Cole, Foat
Voter Comments:
Frech> XF:elm-term-bo(7183)
Name: CVE-1999-1185
Description:
Buffer overflow in SCO mscreen allows local users to gain root
privileges via a long terminal entry (TERM) in the .mscreenrc file.
Status: Candidate
Phase: Proposed (20010912)
Reference: BUGTRAQ:19980827 SCO mscreen vul.
Reference: BUGTRAQ:19980926 Root exploit for SCO OpenServer.
Reference: URL:http://marc.theaimsgroup.com/?l=bugtraq&m=90686250717719&w=2
Reference: CERT:VB-98.10
Reference: SCO:98.05
Reference: XF:sco-openserver-mscreen-bo(1379)
Votes:
ACCEPT(4) Cole, Foat, Frech, Stracener
NOOP(1) Wall
REVIEWING(1) Christey
Voter Comments:
Frech> Possible dupe on CVE-1999-1041.
Christey> Possible dupe with CVE-1999-1041.
Name: CVE-1999-1186
Description:
rxvt, when compiled with the PRINT_PIPE option in various Linux
operating systems including Linux Slackware 3.0 and RedHat 2.1, allows
local users to gain root privileges by specifying a malicious program
using the -print-pipe command line parameter.
Status: Candidate
Phase: Proposed (20010912)
Reference: BUGTRAQ:19960102 rxvt security hole
Reference: URL:http://marc.theaimsgroup.com/?l=bugtraq&m=87602167418966&w=2
Votes:
MODIFY(1) Frech
NOOP(2) Cole, Foat
Voter Comments:
Frech> XF:rxvtpipe(425)
Name: CVE-1999-1187
Description:
Pine before version 3.94 allows local users to gain privileges via a
symlink attack on a lockfile that is created when a user receives new
mail.
Status: Candidate
Phase: Proposed (20010912)
Reference: BUGTRAQ:19960826 [BUG] Vulnerability in PINE
Reference: URL:http://marc.theaimsgroup.com/?l=bugtraq&m=87602167419803&w=2
Reference: XF:pine-tmpfile(416)
Reference: URL:http://xforce.iss.net/static/416.php
Votes:
ACCEPT(1) Frech
NOOP(2) Cole, Foat
Voter Comments:
Frech> CONFIRM:http://www.washington.edu/pine/changes.html
Name: CVE-1999-1190
Description:
Buffer overflow in POP3 server of Admiral Systems EmailClub 1.05
allows remote attackers to execute arbitrary commands via a long
"From" header in an e-mail message.
Status: Candidate
Phase: Proposed (20010912)
Reference: MISC:http://www.securiteam.com/exploits/E-MailClub__FROM__remote_buffer_overflow.html
Reference: BID:801
Reference: URL:http://www.securityfocus.com/bid/801
Votes:
MODIFY(1) Frech
NOOP(3) Cole, Foat, Wall
Voter Comments:
Frech> XF:emailclub-pop3-from-bo(7873)
Name: CVE-1999-1195
Description:
NAI VirusScan NT 4.0.2 does not properly modify the scan.dat virus
definition file during an update via FTP, but it reports that the
update was successful, which could cause a system administrator to
believe that the definitions have been updated correctly.
Status: Candidate
Phase: Proposed (20010912)
Reference: NTBUGTRAQ:19990505 NAI AntiVirus Update Problem
Reference: URL:http://marc.theaimsgroup.com/?l=ntbugtraq&m=92587579032534&w=2
Reference: BUGTRAQ:19990505 NAI AntiVirus Update Problem
Reference: URL:http://marc.theaimsgroup.com/?l=bugtraq&m=92588169005196&w=2
Reference: BID:169
Reference: URL:http://www.securityfocus.com/bid/169
Votes:
MODIFY(1) Frech
NOOP(3) Cole, Foat, Wall
Voter Comments:
Frech> XF:virusscan-ftp-update(8387)
Name: CVE-1999-1196
Description:
Hummingbird Exceed X version 5 allows remote attackers to cause a
denial of service via malformed data to port 6000.
Status: Candidate
Phase: Proposed (20010912)
Reference: BUGTRAQ:19990427 NT/Exceed D.O.S.
Reference: URL:http://www.securityfocus.com/archive/1/13451
Reference: BID:158
Reference: URL:http://www.securityfocus.com/bid/158
Votes:
MODIFY(1) Frech
NOOP(3) Cole, Foat, Wall
Voter Comments:
Frech> XF:exceed-xserver-dos(7530)
Name: CVE-1999-1200
Description:
Vintra SMTP MailServer allows remote attackers to cause a denial of
service via a malformed "EXPN *@" command.
Status: Candidate
Phase: Proposed (20010912)
Reference: NTBUGTRAQ:19980720 DOS in Vintra systems Mailserver software.
Reference: URL:http://marc.theaimsgroup.com/?l=ntbugtraq&m=90222454131610&w=2
Reference: XF:vintra-mail-dos(1617)
Reference: URL:http://xforce.iss.net/static/1617.php
Votes:
ACCEPT(2) Cole, Frech
NOOP(2) Foat, Wall
Name: CVE-1999-1202
Description:
StarTech (1) POP3 proxy server and (2) telnet server allows remote
attackers to cause a denial of service via a long USER command.
Status: Candidate
Phase: Proposed (20010912)
Reference: BUGTRAQ:19980703 Windows95 Proxy DoS Vulnerabilites
Reference: URL:http://marc.theaimsgroup.com/?l=bugtraq&m=90221104525873&w=2
Reference: XF:startech-pop3-overflow(2088)
Reference: URL:http://xforce.iss.net/static/2088.php
Votes:
ACCEPT(1) Frech
NOOP(3) Cole, Foat, Wall
Name: CVE-1999-1206
Description:
SystemSoft SystemWizard package in HP Pavilion PC with Windows 98, and
possibly other platforms and operating systems, installs two ActiveX
controls that are marked as safe for scripting, which allows remote
attackers to execute arbitrary commands via a malicious web page that
references (1) the Launch control, or (2) the RegObj control.
Status: Candidate
Phase: Proposed (20010912)
Reference: BUGTRAQ:19990729 New ActiveX security problems in Windows 98 PCs
Reference: URL:http://marc.theaimsgroup.com/?l=bugtraq&m=93336970231857&w=2
Reference: CONFIRM:http://www.systemsoft.com/l-2/l-3/support-systemwizard.htm
Reference: BID:555
Reference: URL:http://www.securityfocus.com/bid/555
Votes:
ACCEPT(4) Armstrong, Cole, Foat, Stracener
MODIFY(1) Frech
NOOP(2) Christey, Wall
Voter Comments:
Frech> XF:systemwizard-modify-registry(7080)
Christey> CERT-VN:VU#22919
URL:http://www.kb.cert.org/vuls/id/22919
CERT-VN:VU#34453
URL:http://www.kb.cert.org/vuls/id/34453
Name: CVE-1999-1207
Description:
Buffer overflow in web-admin tool in NetXRay 2.6 allows remote
attackers to cause a denial of service, and possibly execute arbitrary
commands, via a long HTTP request.
Status: Candidate
Phase: Proposed (20010912)
Reference: MISC:http://www.efri.hr/~crv/security/bugs/NT/netxtray.html
Reference: XF:netxray-bo(907)
Reference: URL:http://xforce.iss.net/static/907.php
Votes:
ACCEPT(1) Frech
NOOP(3) Cole, Foat, Wall
Name: CVE-1999-1210
Description:
xterm in Digital UNIX 4.0B *with* patch kit 5 allows local users to
overwrite arbitrary files via a symlink attack on a core dump file,
which is created when xterm is called with a DISPLAY environmental
variable set to a display that xterm cannot access.
Status: Candidate
Phase: Proposed (20010912)
Reference: BUGTRAQ:19971112 Digital Unix Security Problem
Reference: URL:http://marc.theaimsgroup.com/?l=bugtraq&m=87936891504885&w=2
Reference: XF:dec-xterm(613)
Reference: URL:http://xforce.iss.net/static/613.php
Votes:
ACCEPT(1) Frech
NOOP(2) Cole, Foat
Name: CVE-1999-1211
Description:
Vulnerability in in.telnetd in SunOS 4.1.1 and earlier allows local
users to gain root privileges.
Status: Candidate
Phase: Proposed (20010912)
Reference: CERT:CA-1991-02
Reference: URL:http://www.cert.org/advisories/CA-1991-02.html
Reference: XF:sun-intelnetd(574)
Reference: URL:http://xforce.iss.net/static/574.php
Votes:
ACCEPT(5) Cole, Dik, Foat, Frech, Stracener
NOOP(1) Wall
Voter Comments:
Frech> CONFIRM:Sun Microsystems, Inc. Security Bulletin #00106 at
http://sunsolve.sun.com/pub-cgi/retrieve.pl?doctype=coll&doc=secbull/1
06&type=0&nav=sec.sba
Dik> sun bug: 1054669 1049886 1042370 1033809
Name: CVE-1999-1212
Description:
Vulnerability in in.rlogind in SunOS 4.0.3 and 4.0.3c allows local
users to gain root privileges.
Status: Candidate
Phase: Proposed (20010912)
Reference: CERT:CA-1991-02
Reference: URL:http://www.cert.org/advisories/CA-1991-02.html
Reference: XF:sun-intelnetd(574)
Reference: URL:http://xforce.iss.net/static/574.php
Votes:
ACCEPT(5) Cole, Dik, Foat, Frech, Stracener
NOOP(1) Wall
Voter Comments:
Dik> sun bug: 1054669 1049886 1042370 1033809
Name: CVE-1999-1213
Description:
Vulnerability in telnet service in HP-UX 10.30 allows attackers to
cause a denial of service.
Status: Candidate
Phase: Proposed (20010912)
Reference: HP:HPSBUX9710-070
Reference: URL:http://www2.dataguard.no/bugtraq/1997_4/0001.html
Reference: XF:hp-telnetdos(571)
Reference: URL:http://xforce.iss.net/static/571.php
Votes:
ACCEPT(4) Cole, Foat, Frech, Stracener
Name: CVE-1999-1216
Description:
Cisco routers 9.17 and earlier allow remote attackers to bypass
security restrictions via certain IP source routed packets that should
normally be denied using the "no ip source-route" command.
Status: Candidate
Phase: Proposed (20010912)
Reference: CERT:CA-1993-07
Reference: URL:http://www.cert.org/advisories/CA-1993-07.html
Reference: CIAC:D-15
Reference: URL:http://ciac.llnl.gov/ciac/bulletins/d-15.shtml
Reference: XF:cisco-sourceroute(541)
Reference: URL:http://xforce.iss.net/static/541.php
Votes:
ACCEPT(4) Cole, Foat, Frech, Stracener
NOOP(1) Wall
Name: CVE-1999-1218
Description:
Vulnerability in finger in Commodore Amiga UNIX 2.1p2a and earlier
allows local users to read arbitrary files.
Status: Candidate
Phase: Proposed (20010912)
Reference: CERT:CA-1993-04
Reference: URL:http://www.cert.org/advisories/CA-1993-04.html
Reference: XF:amiga-finger(522)
Reference: URL:http://xforce.iss.net/static/522.php
Votes:
ACCEPT(4) Cole, Foat, Frech, Stracener
NOOP(1) Wall
Name: CVE-1999-1219
Description:
Vulnerability in sgihelp in the SGI help system and print manager in
IRIX 5.2 and earlier allows local users to gain root privileges,
possibly through the clogin command.
Status: Candidate
Phase: Proposed (20010912)
Reference: CERT:CA-1994-13
Reference: URL:http://www.cert.org/advisories/CA-1994-13.html
Reference: AUSCERT:AA-94.04a
Reference: CIAC:E-33
Reference: URL:http://ciac.llnl.gov/ciac/bulletins/e-33.shtml
Reference: XF:sgi-prn-mgr(511)
Reference: URL:http://xforce.iss.net/static/511.php
Reference: BID:468
Reference: URL:http://www.securityfocus.com/bid/468
Votes:
ACCEPT(4) Cole, Foat, Frech, Stracener
NOOP(1) Wall
Name: CVE-1999-1220
Description:
Majordomo 1.94.3 and earlier allows remote attackers to execute
arbitrary commands when the advertise or noadvertise directive is used
in a configuration file, via shell metacharacters in the Reply-To
header.
Status: Candidate
Phase: Proposed (20010912)
Reference: BUGTRAQ:19970824 Vulnerability in Majordomo
Reference: URL:http://www.securityfocus.com/archive/1/7527
Reference: XF:majordomo-advertise(502)
Reference: URL:http://xforce.iss.net/static/502.php
Votes:
ACCEPT(1) Frech
NOOP(2) Cole, Foat
Name: CVE-1999-1221
Description:
dxchpwd in Digital Unix (OSF/1) 3.x allows local users to modify
arbitrary files via a symlink attack on the dxchpwd.log file.
Status: Candidate
Phase: Proposed (20010912)
Reference: BUGTRAQ:19961117 Digital Unix v3.x (v4.x?) security vulnerability
Reference: URL:http://marc.theaimsgroup.com/?l=bugtraq&m=87602167420141&w=2
Reference: XF:dgux-chpwd(399)
Reference: URL:http://xforce.iss.net/static/399.php
Votes:
ACCEPT(1) Frech
NOOP(2) Cole, Foat
Name: CVE-1999-1224
Description:
IMAP 4.1 BETA, and possibly other versions, does not properly handle
the SIGABRT (abort) signal, which allows local users to crash the
server (imapd) via certain sequences of commands, which causes a core
dump that may contain sensitive password information.
Status: Candidate
Phase: Proposed (20010912)
Reference: BUGTRAQ:19971008 L0pht Advisory: IMAP4rev1 imapd server
Reference: URL:http://marc.theaimsgroup.com/?l=bugtraq&m=87635124302928&w=2
Reference: XF:imapd-core(349)
Reference: URL:http://xforce.iss.net/static/349.php
Votes:
ACCEPT(1) Frech
NOOP(2) Cole, Foat
Name: CVE-1999-1225
Description:
rpc.mountd on Linux, Ultrix, and possibly other operating systems,
allows remote attackers to determine the existence of a file on the
server by attempting to mount that file, which generates different
error messages depending on whether the file exists or not.
Status: Candidate
Phase: Proposed (20010912)
Reference: BUGTRAQ:19970824 Serious security flaw in rpc.mountd on several operating systems.
Reference: URL:http://www.securityfocus.com/archive/1/7526
Reference: XF:mountd-file-exists(347)
Reference: URL:http://xforce.iss.net/static/347.php
Votes:
ACCEPT(1) Frech
NOOP(2) Cole, Foat
Name: CVE-1999-1227
Description:
Ethereal allows local users to overwrite arbitrary files via a symlink
attack on the packet capture file.
Status: Candidate
Phase: Proposed (20010912)
Reference: MISC:http://www.ethereal.com/lists/ethereal-dev/199907/msg00126.html
Reference: MISC:http://www.ethereal.com/lists/ethereal-dev/199907/msg00130.html
Reference: XF:ethereal-dev-capturec-root(3334)
Reference: URL:http://xforce.iss.net/static/3334.php
Votes:
ACCEPT(2) Cole, Frech
NOOP(2) Foat, Wall
Name: CVE-1999-1228
Description:
Various modems that do not implement a guard time, or are configured
with a guard time of 0, can allow remote attackers to execute
arbitrary modem commands such as ATH, ATH0, etc., via a "+++" sequence
that appears in ICMP packets, the subject of an e-mail message, IRC
commands, and others.
Status: Candidate
Phase: Proposed (20010912)
Reference: BUGTRAQ:19980927 1+2=3, +++ATH0=Old school DoS
Reference: URL:http://marc.theaimsgroup.com/?l=bugtraq&m=90695973308453&w=2
Reference: MISC:http://www.macintouch.com/modemsecurity.html
Reference: XF:global-village-modem-dos(3320)
Reference: URL:http://xforce.iss.net/static/3320.php
Votes:
ACCEPT(1) Frech
NOOP(3) Cole, Foat, Wall
Name: CVE-1999-1229
Description:
Quake 2 server 3.13 on Linux does not properly check file permissions
for the config.cfg configuration file, which allows local users to
read arbitrary files via a symlink from config.cfg to the target file.
Status: Candidate
Phase: Proposed (20010912)
Reference: BUGTRAQ:19980225 Quake 2 Linux 3.13 (and lower) allow users to read arbitrary files
Reference: URL:http://www.securityfocus.com/archive/1/8590
Reference: XF:linux-quake2(733)
Reference: URL:http://xforce.iss.net/static/733.php
Votes:
ACCEPT(1) Frech
NOOP(3) Cole, Foat, Wall
Name: CVE-1999-1230
Description:
Quake 2 server allows remote attackers to cause a denial of service
via a spoofed UDP packet with a source address of 127.0.0.1, which
causes the server to attempt to connect to itself.
Status: Candidate
Phase: Proposed (20010912)
Reference: BUGTRAQ:19971224 Quake II Remote Denial of Service
Reference: URL:http://www.securityfocus.com/archive/1/8282
Reference: XF:quake2-dos(698)
Reference: URL:http://xforce.iss.net/static/698.php
Votes:
ACCEPT(1) Frech
NOOP(2) Cole, Foat
Name: CVE-1999-1231
Description:
ssh 2.0.12, and possibly other versions, allows valid user names to
attempt to enter the correct password multiple times, but only prompts
an invalid user name for a password once, which allows remote
attackers to determine user account names on the server.
Status: Candidate
Phase: Proposed (20010912)
Reference: BUGTRAQ:19990609 ssh advirsory
Reference: URL:http://www.securityfocus.com/archive/1/14758
Reference: XF:ssh-leak(2276)
Reference: URL:http://xforce.iss.net/static/2276.php
Votes:
ACCEPT(1) Frech
NOOP(3) Cole, Foat, Wall
Name: CVE-1999-1232
Description:
Untrusted search path vulnerability in day5datacopier in SGI IRIX 6.2
allows local users to execute arbitrary commands via a modified PATH
environment variable that points to a malicious cp program.
Status: Candidate
Phase: Modified (20060503)
Reference: BUGTRAQ:19970516 Irix and WWW
Reference: URL:http://marc.theaimsgroup.com/?l=bugtraq&m=87602167420994&w=2
Reference: OSVDB:8559
Reference: URL:http://www.osvdb.org/8559
Reference: XF:sgi-day5datacopier(3316)
Reference: URL:http://xforce.iss.net/static/3316.php
Votes:
ACCEPT(1) Frech
NOOP(2) Cole, Foat
Name: CVE-1999-1234
Description:
LSA (LSASS.EXE) in Windows NT 4.0 allows remote attackers to cause a
denial of service via a NULL policy handle in a call to (1)
SamrOpenDomain, (2) SamrEnumDomainUsers, and (3) SamrQueryDomainInfo.
Status: Candidate
Phase: Proposed (20010912)
Reference: BUGTRAQ:19991026 Re: LSA vulnerability on NT40 SP5
Reference: URL:http://marc.theaimsgroup.com/?l=ntbugtraq&m=94096671308565&w=2
Reference: XF:msrpc-samr-open-dos(3293)
Reference: URL:http://xforce.iss.net/static/3293.php
Votes:
ACCEPT(3) Cole, Frech, Wall
NOOP(1) Foat
Name: CVE-1999-1235
Description:
Internet Explorer 5.0 records the username and password for FTP
servers in the URL history, which could allow (1) local users to read
the information from another user's index.dat, or (2) people who are
physically observing ("shoulder surfing") another user to read the
information from the status bar when the user moves the mouse over a
link.
Status: Candidate
Phase: Proposed (20010912)
Reference: NTBUGTRAQ:19990331 Minor Bug in IE5.0
Reference: URL:http://ntbugtraq.ntadvice.com/default.asp?pid=36&sid=1&A2=ind9904&L=NTBUGTRAQ&P=R179
Reference: NTBUGTRAQ:19990825 IE5 FTP password exposure & index.dat null ACL problem
Reference: URL:http://packetderm.cotse.com/mailing-lists/ntbugtraq/1999/0364.html
Reference: XF:nt-ie5-user-ftp-password(3289)
Reference: URL:http://xforce.iss.net/static/3289.php
Votes:
ACCEPT(4) Cole, Foat, Frech, Wall
Voter Comments:
CHANGE> [Foat changed vote from NOOP to ACCEPT]
Name: CVE-1999-1236
Description:
Internet Anywhere Mail Server 2.3.1 stores passwords in plaintext in
the msgboxes.dbf file, which could allow local users to gain
privileges by extracting the passwords from msgboxes.dbf.
Status: Candidate
Phase: Proposed (20010912)
Reference: NTBUGTRAQ:19991001 Vulnerabilities in the Internet Anywhere Mail Server
Reference: URL:http://www.ntbugtraq.com/default.asp?pid=36&sid=1&A2=ind9910&L=ntbugtraq&F=&S=&P=662
Reference: BID:731
Reference: URL:http://www.securityfocus.com/bid/731
Reference: XF:iams-passwords-plaintext(3285)
Reference: URL:http://xforce.iss.net/static/3285.php
Votes:
ACCEPT(2) Cole, Frech
NOOP(2) Foat, Wall
Name: CVE-1999-1237
Description:
Multiple buffer overflows in smbvalid/smbval SMB authentication
library, as used in Apache::AuthenSmb and possibly other modules,
allows remote attackers to execute arbitrary commands via (1) a long
username, (2) a long password, and (3) other unspecified methods.
Status: Candidate
Phase: Proposed (20010912)
Reference: BUGTRAQ:19990606 Buffer overflows in smbval library
Reference: URL:http://www.securityfocus.com/archive/1/14384
Reference: XF:smbvalid-bo(2272)
Reference: URL:http://xforce.iss.net/static/2272.php
Votes:
ACCEPT(1) Frech
NOOP(3) Cole, Foat, Wall
Name: CVE-1999-1238
Description:
Vulnerability in CORE-DIAG fileset in HP message catalog in HP-UX 9.05
and earlier allows local users to gain privileges.
Status: Candidate
Phase: Proposed (20010912)
Reference: HP:HPSBUX9409-017
Reference: URL:http://www.securityfocus.com/advisories/1531
Reference: XF:hp-core-diag-fileset(2262)
Reference: URL:http://xforce.iss.net/static/2262.php
Votes:
ACCEPT(4) Cole, Foat, Frech, Stracener
Name: CVE-1999-1239
Description:
HP-UX 9.x does not properly enable the Xauthority mechanism in certain
conditions, which could allow local users to access the X display even
when they have not explicitly been authorized to do so.
Status: Candidate
Phase: Proposed (20010912)
Reference: HP:HPSBUX9407-015
Reference: URL:http://www.securityfocus.com/advisories/1559
Reference: XF:hp-xauthority(2261)
Reference: URL:http://xforce.iss.net/static/2261.php
Votes:
ACCEPT(4) Cole, Foat, Frech, Stracener
Name: CVE-1999-1240
Description:
Buffer overflow in cddbd CD database server allows remote attackers to
execute arbitrary commands via a long log message.
Status: Candidate
Phase: Proposed (20010912)
Reference: BUGTRAQ:19961126 Major Security Vulnerabilities in Remote CD Databases
Reference: URL:http://www.securityfocus.com/archive/1/5784
Reference: XF:cddbd-bo(2203)
Reference: URL:http://xforce.iss.net/static/2203.php
Votes:
ACCEPT(1) Frech
NOOP(2) Cole, Foat
Name: CVE-1999-1241
Description:
Internet Explorer, with a security setting below Medium, allows remote
attackers to execute arbitrary commands via a malicious web page that
uses the FileSystemObject ActiveX object.
Status: Candidate
Phase: Proposed (20010912)
Reference: MISC:http://oliver.efri.hr/~crv/security/bugs/NT/activex4.html
Reference: XF:ie-filesystemobject(2173)
Reference: URL:http://xforce.iss.net/static/2173.php
Votes:
ACCEPT(3) Cole, Frech, Wall
NOOP(2) Christey, Foat
Voter Comments:
Christey> DELREF MISC:http://oliver.efri.hr/~crv/security/bugs/NT/activex4.html
ADDREF MISC:http://focus.silversand.net/vulner/allbug/activex4.html
Frech> Change MISC to http://www.securitybugware.org/NT/1018.html
Name: CVE-1999-1242
Description:
Vulnerability in subnetconfig in HP-UX 9.01 and 9.0 allows local users
to gain privileges.
Status: Candidate
Phase: Proposed (20010912)
Reference: HP:HPSBUX9402-003
Reference: URL:http://packetstormsecurity.org/advisories/hpalert/003
Reference: XF:hp-subnet-config(2162)
Reference: URL:http://xforce.iss.net/static/2162.php
Votes:
ACCEPT(4) Cole, Foat, Frech, Stracener
Name: CVE-1999-1244
Description:
IPFilter 3.2.3 through 3.2.10 allows local users to modify arbitrary
files via a symlink attack on the saved output file.
Status: Candidate
Phase: Proposed (20010912)
Reference: BUGTRAQ:19990415 FSA-99.04-IPFILTER-v3.2.10
Reference: URL:http://www.securityfocus.com/archive/1/13303
Reference: XF:ipfilter-temp-file(2087)
Reference: URL:http://xforce.iss.net/static/2087.php
Votes:
ACCEPT(2) Cole, Frech
NOOP(2) Foat, Wall
Name: CVE-1999-1245
Description:
vacm ucd-snmp SNMP server, version 3.52, does not properly disable
access to the public community string, which could allow remote
attackers to obtain sensitive information.
Status: Candidate
Phase: Proposed (20010912)
Reference: XF:ucd-snmpd-community(2086)
Reference: URL:http://xforce.iss.net/static/2086.php
Votes:
ACCEPT(1) Frech
NOOP(3) Cole, Foat, Wall
Voter Comments:
Frech> http://www.securityfocus.com/archive/1/13130
Name: CVE-1999-1247
Description:
Vulnerability in HP Camera component of HP DCE/9000 in HP-UX 9.x
allows attackers to gain root privileges.
Status: Candidate
Phase: Proposed (20010912)
Reference: HP:HPSBUX9402-006
Reference: URL:http://packetstormsecurity.org/advisories/hpalert/006
Reference: XF:hp-dce9000(2061)
Reference: URL:http://xforce.iss.net/static/2061.php
Votes:
ACCEPT(4) Cole, Foat, Frech, Stracener
Name: CVE-1999-1248
Description:
Vulnerability in Support Watch (aka SupportWatch) in HP-UX 8.0 through
9.0 allows local users to gain privileges.
Status: Candidate
Phase: Proposed (20010912)
Reference: HP:HPSBUX9411-019
Reference: URL:http://packetstormsecurity.org/advisories/hpalert/019
Reference: XF:hp-supportwatch(2058)
Reference: URL:http://xforce.iss.net/static/2058.php
Votes:
ACCEPT(4) Cole, Foat, Frech, Stracener
Name: CVE-1999-1250
Description:
Vulnerability in CGI program in the Lasso application by Blue World,
as used on WebSTAR and other servers, allows remote attackers to read
arbitrary files.
Status: Candidate
Phase: Proposed (20010912)
Reference: BUGTRAQ:19970819 Lasso CGI security hole (fwd)
Reference: URL:http://www.securityfocus.com/archive/1/7506
Reference: XF:http-cgi-lasso(2044)
Reference: URL:http://xforce.iss.net/static/2044.php
Votes:
ACCEPT(1) Frech
NOOP(2) Cole, Foat
Name: CVE-1999-1251
Description:
Vulnerability in direct audio user space code on HP-UX 10.20 and 10.10
allows local users to cause a denial of service.
Status: Candidate
Phase: Proposed (20010912)
Reference: HP:HPSBUX9612-043
Reference: URL:http://packetstormsecurity.org/advisories/hpalert/043
Reference: XF:hp-audio-panic(2010)
Reference: URL:http://xforce.iss.net/static/2010.php
Votes:
ACCEPT(4) Cole, Foat, Frech, Stracener
Name: CVE-1999-1252
Description:
Vulnerability in a certain system call in SCO UnixWare 2.0.x and 2.1.0
allows local users to access arbitrary files and gain root privileges.
Status: Candidate
Phase: Proposed (20010912)
Reference: CERT:VB-96.15
Reference: URL:http://www.cert.org/vendor_bulletins/VB-96.15.sco
Reference: SCO:96:002
Reference: URL:ftp://ftp.sco.COM/SSE/security_bulletins/SB.96:02a
Reference: XF:sco-system-call(1966)
Reference: URL:http://xforce.iss.net/static/1966.php
Votes:
ACCEPT(4) Cole, Foat, Frech, Stracener
NOOP(1) Wall
Name: CVE-1999-1253
Description:
Vulnerability in a kernel error handling routine in SCO OpenServer
5.0.2 and earlier, and SCO Internet FastStart 1.0, allows local users
to gain root privileges.
Status: Candidate
Phase: Proposed (20010912)
Reference: CERT:VB-96.10
Reference: URL:http://www.cert.org/vendor_bulletins/VB-96.10.sco
Reference: SCO:96:001
Reference: URL:ftp://ftp.sco.com/SSE/security_bulletins/SB.96:01a
Reference: XF:sco-kernel(1965)
Reference: URL:http://xforce.iss.net/static/1965.php
Votes:
ACCEPT(4) Cole, Foat, Frech, Stracener
NOOP(1) Wall
Name: CVE-1999-1254
Description:
Windows 95, 98, and NT 4.0 allow remote attackers to cause a denial of
service by spoofing ICMP redirect messages from a router, which causes
Windows to change its routing tables.
Status: Candidate
Phase: Proposed (20010912)
Reference: NTBUGTRAQ:19990308 Winfreeze EXPLOIT Win9x/NT
Reference: URL:http://marc.theaimsgroup.com/?l=ntbugtraq&m=92099515709467&w=2
Reference: XF:win-redirects-freeze(1947)
Reference: URL:http://xforce.iss.net/static/1947.php
Votes:
ACCEPT(3) Cole, Frech, Wall
MODIFY(1) Meunier
NOOP(2) Christey, Foat
Voter Comments:
Christey> Need to get feedback from MS on this.
Christey> (prompted from Pascal Meunier) should this be treated
as a general design issue with ICMP? Or is it a specific
implementation flaw that only affects Reliant?
Meunier> The description is too narrow and incorrect. Spoofed ICMP
redirect messages can be used to setup man-in-the-middle attacks
instead of a DoS. There's no reason that this behavior would be
limited to Windows, as it is specified by the standard. As I said
elsewhere, ICMP messages should not be acted upon without access
controls.
Name: CVE-1999-1255
Description:
Hyperseek allows remote attackers to modify the hyperseek
configuration by directly calling the admin.cgi program with an
edit_file action parameter.
Status: Candidate
Phase: Proposed (20010912)
Reference: MISC:http://www.rootshell.com/archive-j457nxiqi3gq59dv/199902/hyperseek.txt.html
Reference: XF:hyperseek-modify(1914)
Reference: URL:http://xforce.iss.net/static/1914.php
Votes:
ACCEPT(2) Cole, Frech
NOOP(2) Foat, Wall
Name: CVE-1999-1256
Description:
Oracle Database Assistant 1.0 in Oracle 8.0.3 Enterprise Edition
stores the database master password in plaintext in the spoolmain.log
file when a new database is created, which allows local users to
obtain the password from that file.
Status: Candidate
Phase: Proposed (20010912)
Reference: BUGTRAQ:19990304 Oracle Plaintext Password
Reference: URL:http://www.securityfocus.com/archive/1/12744
Reference: NTBUGTRAQ:19990304 Oracle Plaintext Password
Reference: URL:http://marc.theaimsgroup.com/?l=ntbugtraq&m=92056752115116&w=2
Reference: XF:oracle-passwords(1902)
Reference: URL:http://xforce.iss.net/static/1902.php
Votes:
ACCEPT(2) Cole, Frech
NOOP(2) Foat, Wall
Name: CVE-1999-1257
Description:
Xyplex terminal server 6.0.1S1, and possibly other versions, allows
remote attackers to bypass the password prompt by entering (1) a
CTRL-Z character, or (2) a ? (question mark).
Status: Candidate
Phase: Proposed (20010912)
Reference: BUGTRAQ:19971126 Xyplex terminal server bug
Reference: URL:http://www.securityfocus.com/archive/1/8134
Reference: XF:xyplex-controlz-login(1825)
Reference: URL:http://xforce.iss.net/static/1825.php
Reference: XF:xyplex-question-login(1826)
Reference: URL:http://xforce.iss.net/static/1826.php
Votes:
ACCEPT(1) Frech
NOOP(2) Cole, Foat
Name: CVE-1999-1260
Description:
mSQL (Mini SQL) 2.0.6 allows remote attackers to obtain sensitive
server information such as logged users, database names, and server
version via the ServerStats query.
Status: Candidate
Phase: Proposed (20010912)
Reference: BUGTRAQ:19990215 KSR[T] Advisory #10: mSQL ServerStats
Reference: URL:http://marc.theaimsgroup.com/?l=bugtraq&m=91910115718150&w=2
Reference: XF:msql-serverstats(1777)
Reference: URL:http://xforce.iss.net/static/1777.php
Votes:
ACCEPT(1) Frech
NOOP(3) Cole, Foat, Wall
Name: CVE-1999-1261
Description:
Buffer overflow in Rainbow Six Multiplayer allows remote attackers to
cause a denial of service, and possibly execute arbitrary commands,
via a long nickname (nick) command.
Status: Candidate
Phase: Proposed (20010912)
Reference: BUGTRAQ:19990211 Rainbow Six Buffer Overflow.....
Reference: URL:http://www.securityfocus.com/archive/1/12433
Reference: XF:rainbowsix-nick-bo(1772)
Reference: URL:http://xforce.iss.net/static/1772.php
Votes:
ACCEPT(1) Frech
NOOP(3) Cole, Foat, Wall
Name: CVE-1999-1264
Description:
WebRamp M3 router does not disable remote telnet or HTTP access to
itself, even when access has been expliticly disabled.
Status: Candidate
Phase: Proposed (20010912)
Reference: BUGTRAQ:19990121 WebRamp M3 remote network access bug
Reference: URL:http://www.securityfocus.com/archive/1/12048
Reference: BUGTRAQ:19990203 WebRamp M3 Perceived Bug
Reference: URL:http://marc.theaimsgroup.com/?l=bugtraq&m=91815321510224&w=2
Reference: XF:webramp-remote-access(1670)
Reference: URL:http://xforce.iss.net/static/1670.php
Votes:
ACCEPT(1) Frech
NOOP(3) Cole, Foat, Wall
Name: CVE-1999-1265
Description:
SMTP server in SLmail 3.1 and earlier allows remote attackers to cause
a denial of service via malformed commands whose arguments begin with
a "(" (parenthesis) character, such as (1) SEND, (2) VRFY, (3) EXPN,
(4) MAIL FROM, (5) RCPT TO.
Status: Candidate
Phase: Proposed (20010912)
Reference: BUGTRAQ:19980922 Re: WARNING! SMTP Denial of Service in SLmail ver 3.1
Reference: BUGTRAQ:19980922 WARNING! SMTP Denial of Service in SLmail ver 3.1
Reference: URL:http://marc.theaimsgroup.com/?l=bugtraq&m=90649892424117&w=2
Reference: NTBUGTRAQ:19980922 WARNING! SMTP Denial of Service in SLmail ver 3.1
Reference: URL:http://marc.theaimsgroup.com/?l=ntbugtraq&m=90650438826447&w=2
Reference: XF:slmail-parens-overload(1664)
Reference: URL:http://xforce.iss.net/static/1664.php
Votes:
ACCEPT(3) Cole, Foat, Frech
NOOP(1) Wall
Name: CVE-1999-1266
Description:
rsh daemon (rshd) generates different error messages when a valid
username is provided versus an invalid name, which allows remote
attackers to determine valid users on the system.
Status: Candidate
Phase: Proposed (20010912)
Reference: BUGTRAQ:19970613 rshd gives away usernames
Reference: URL:http://www.securityfocus.com/archive/1/6978
Reference: XF:rsh-username-leaks(1660)
Reference: URL:http://xforce.iss.net/static/1660.php
Votes:
ACCEPT(1) Frech
NOOP(2) Cole, Foat
Name: CVE-1999-1267
Description:
KDE file manager (kfm) uses a TCP server for certain file operations,
which allows remote attackers to modify arbitrary files by sending a
copy command to the server.
Status: Candidate
Phase: Proposed (20010912)
Reference: BUGTRAQ:19970505 Hole in the KDE desktop
Reference: URL:http://marc.theaimsgroup.com/?l=bugtraq&m=87602167420906&w=2
Reference: XF:kde-flawed-ipc(1646)
Reference: URL:http://xforce.iss.net/static/1646.php
Votes:
ACCEPT(1) Frech
NOOP(2) Cole, Foat
Name: CVE-1999-1268
Description:
Vulnerability in KDE konsole allows local users to hijack or observe
sessions of other users by accessing certain devices.
Status: Candidate
Phase: Proposed (20010912)
Reference: MISC:http://lists.kde.org/?l=kde-devel&m=91560433413263&w=2
Reference: XF:kde-konsole-hijack(1645)
Reference: URL:http://xforce.iss.net/static/1645.php
Votes:
ACCEPT(1) Frech
NOOP(3) Cole, Foat, Wall
Name: CVE-1999-1269
Description:
Screen savers in KDE beta 3 allows local users to overwrite arbitrary
files via a symlink attack on the .kss.pid file.
Status: Candidate
Phase: Proposed (20010912)
Reference: BUGTRAQ:19980206 serious security hole in KDE Beta 3
Reference: URL:http://www.securityfocus.com/archive/1/8506
Reference: XF:kde-kss-file-clobber(1641)
Reference: URL:http://xforce.iss.net/static/1641.php
Votes:
ACCEPT(1) Frech
NOOP(3) Cole, Foat, Wall
Name: CVE-1999-1270
Description:
KMail in KDE 1.0 provides a PGP passphrase as a command line argument
to other programs, which could allow local users to obtain the
passphrase and compromise the PGP keys of other users by viewing the
arguments via programs that list process information, such as ps.
Status: Candidate
Phase: Proposed (20010912)
Reference: MISC:http://lists.kde.org/?l=kde-devel&m=90221974029738&w=2
Reference: XF:kde-kmail-passphrase-leak(1639)
Reference: URL:http://xforce.iss.net/static/1639.php
Votes:
ACCEPT(1) Frech
NOOP(3) Cole, Foat, Wall
Name: CVE-1999-1271
Description:
Macromedia Dreamweaver uses weak encryption to store FTP passwords,
which could allow local users to easily decrypt the passwords of other
users.
Status: Candidate
Phase: Proposed (20010912)
Reference: BUGTRAQ:19980611 Unsecure passwords in Macromedia Dreamweaver
Reference: URL:http://www.securityfocus.com/archive/1/9511
Reference: XF:dreamweaver-weak-passwords(1636)
Reference: URL:http://xforce.iss.net/static/1636.php
Votes:
ACCEPT(2) Cole, Frech
NOOP(2) Foat, Wall
Name: CVE-1999-1272
Description:
Buffer overflows in CDROM Confidence Test program (cdrom) allow local
users to gain root privileges.
Status: Candidate
Phase: Proposed (20010912)
Reference: SGI:19980301-01-PX
Reference: URL:ftp://patches.sgi.com/support/free/security/advisories/19980301-01-PX
Reference: XF:irix-cdrom-confidence(1635)
Reference: URL:http://xforce.iss.net/static/1635.php
Votes:
ACCEPT(4) Cole, Foat, Frech, Stracener
Name: CVE-1999-1273
Description:
Squid Internet Object Cache 1.1.20 allows users to bypass access
control lists (ACLs) by encoding the URL with hexadecimal escape
sequences.
Status: Candidate
Phase: Proposed (20010912)
Reference: BUGTRAQ:19980220 Simple way to bypass squid ACLs
Reference: URL:http://www.securityfocus.com/archive/1/8551
Reference: XF:squid-regexp-acl(1627)
Reference: URL:http://xforce.iss.net/static/1627.php
Votes:
ACCEPT(2) Cole, Frech
NOOP(2) Foat, Wall
Name: CVE-1999-1274
Description:
iPass RoamServer 3.1 creates temporary files with world-writable
permissions.
Status: Candidate
Phase: Proposed (20010912)
Reference: BUGTRAQ:19971229 iPass RoamServer 3.1
Reference: URL:http://www.securityfocus.com/archive/1/8307
Reference: XF:ipass-temporary-files(1625)
Reference: URL:http://xforce.iss.net/static/1625.php
Votes:
ACCEPT(1) Frech
NOOP(2) Cole, Foat
Name: CVE-1999-1275
Description:
Lotus cc:Mail release 8 stores the postoffice password in plaintext in
a hidden file which has insecure permissions, which allows local users
to gain privileges.
Status: Candidate
Phase: Proposed (20010912)
Reference: BUGTRAQ:19970908 Password unsecurity in cc:Mail release 8
Reference: URL:http://www.securityfocus.com/archive/1/9478
Reference: XF:lotus-ccmail-passwords(1619)
Reference: URL:http://xforce.iss.net/static/1619.php
Votes:
ACCEPT(1) Frech
NOOP(2) Cole, Foat
Name: CVE-1999-1277
Description:
BackWeb client stores the username and password in cleartext for proxy
authentication in the Communication registry key, which could allow
other local users to gain privileges by reading the password.
Status: Candidate
Phase: Proposed (20010912)
Reference: NTBUGTRAQ:19981224 BackWeb - Password issue (used by NAI for Corporate customer notification).
Reference: URL:http://marc.theaimsgroup.com/?l=ntbugtraq&m=91487886514546&w=2
Reference: XF:backweb-cleartext-passwords(1565)
Reference: URL:http://xforce.iss.net/static/1565.php
Votes:
ACCEPT(1) Frech
NOOP(3) Cole, Foat, Wall
Name: CVE-1999-1278
Description:
nlog CGI scripts do not properly filter shell metacharacters from the
IP address argument, which could allow remote attackers to execute
certain commands via (1) nlog-smb.pl or (2) rpc-nlog.pl.
Status: Candidate
Phase: Proposed (20010912)
Reference: BUGTRAQ:19981225 Re: Nlog v1.0 Released - Nmap 2.x log management / analyzing tool
Reference: URL:http://marc.theaimsgroup.com/?l=bugtraq&m=91470326629357&w=2
Reference: BUGTRAQ:19981226 Nlog 1.1b released - security holes fixed
Reference: URL:http://marc.theaimsgroup.com/?l=bugtraq&m=91471400632145&w=2
Reference: XF:http-cgi-nlog-netbios(1550)
Reference: URL:http://xforce.iss.net/static/1550.php
Reference: XF:http-cgi-nlog-metachars(1549)
Votes:
ACCEPT(3) Cole, Foat, Frech
NOOP(1) Wall
Name: CVE-1999-1280
Description:
Hummingbird Exceed 6.0.1.0 inadvertently includes a DLL that was meant
for development and testing, which logs user names and passwords in
cleartext in the test.log file.
Status: Candidate
Phase: Proposed (20010912)
Reference: BUGTRAQ:19981203 Remote Tools w/Exceed v.6.0.1.0 fer 95
Reference: URL:http://www.securityfocus.com/archive/1/11512
Reference: XF:exceed-cleartext-passwords(1547)
Reference: URL:http://xforce.iss.net/static/1547.php
Votes:
ACCEPT(1) Frech
NOOP(3) Cole, Foat, Wall
Name: CVE-1999-1281
Description:
Development version of Breeze Network Server allows remote attackers
to cause the system to reboot by accessing the configbreeze CGI
program.
Status: Candidate
Phase: Proposed (20010912)
Reference: BUGTRAQ:19981226 Breeze Network Server remote reboot and other bogosity.
Reference: URL:http://www.securityfocus.com/archive/1/11720
Reference: XF:breeze-remote-reboot(1544)
Reference: URL:http://xforce.iss.net/static/1544.php
Votes:
ACCEPT(2) Cole, Frech
NOOP(2) Foat, Wall
Voter Comments:
Frech> There have been no followups to indicate that this issue has
been
resolved in the production version, and as a benefit to the doubt,
this issue
transcends EX-BETA until proven otherwise.
Name: CVE-1999-1282
Description:
RealSystem G2 server stores the administrator password in cleartext in
a world-readable configuration file, which allows local users to gain
privileges.
Status: Candidate
Phase: Proposed (20010912)
Reference: BUGTRAQ:19981210 RealSystem passwords
Reference: URL:http://www.securityfocus.com/archive/1/11543
Reference: XF:realsystem-readable-conf-file(1542)
Reference: URL:http://xforce.iss.net/static/1542.php
Votes:
ACCEPT(2) Cole, Frech
NOOP(2) Foat, Wall
Name: CVE-1999-1283
Description:
Opera 3.2.1 allows remote attackers to cause a denial of service
(application crash) via a URL that contains an extra / in the http://
tag.
Status: Candidate
Phase: Proposed (20010912)
Reference: BUGTRAQ:19980814 URL exploit to crash Opera Browser
Reference: URL:http://www.securityfocus.com/archive/1/10320
Reference: XF:opera-slash-crash(1541)
Reference: URL:http://xforce.iss.net/static/1541.php
Votes:
ACCEPT(2) Cole, Frech
NOOP(2) Foat, Wall
Voter Comments:
Frech> Will go along with a REJECT if MITRE decides on
EX-CLIENT-DOS.
Name: CVE-1999-1285
Description:
Linux 2.1.132 and earlier allows local users to cause a denial of
service (resource exhaustion) by reading a large buffer from a random
device (e.g. /dev/urandom), which cannot be interrupted until the read
has completed.
Status: Candidate
Phase: Proposed (20010912)
Reference: BUGTRAQ:19981227 [patch] fix for urandom read(2) not interruptible
Reference: URL:http://marc.theaimsgroup.com/?l=bugtraq&m=91495921611500&w=2
Reference: XF:linux-random-read-dos(1472)
Reference: URL:http://xforce.iss.net/static/1472.php
Votes:
ACCEPT(2) Cole, Frech
NOOP(2) Foat, Wall
Name: CVE-1999-1286
Description:
addnetpr in SGI IRIX 6.2 and earlier allows local users to modify
arbitrary files and possibly gain root access via a symlink attack on
a temporary file.
Status: Candidate
Phase: Modified (20060623)
Reference: BUGTRAQ:19970509 Re: Irix: misc
Reference: URL:http://marc.theaimsgroup.com/?l=bugtraq&m=87602167420927&w=2
Reference: MISC:ftp://patches.sgi.com/support/free/security/advisories/19961203-02-PX
Reference: BID:330
Reference: URL:http://www.securityfocus.com/bid/330
Reference: OSVDB:8560
Reference: URL:http://www.osvdb.org/8560
Reference: XF:irix-addnetpr(1433)
Reference: URL:http://xforce.iss.net/static/1433.php
Votes:
ACCEPT(1) Frech
NOOP(3) Christey, Cole, Foat
Voter Comments:
Christey> CHANGE DESC: "via a symlink attack on the printers temporary file."
Add 5.3 as another affected version.
MISC:ftp://patches.sgi.com/support/free/security/advisories/19961203-02-PX
SGI:19961203-02-PX may solve this problem, but the advisory is so
vague that it is uncertain whether this was fixed or not. addnetpr is
not specifically named in the advisory, which names netprint, which is
not specified in the original Bugtraq post. In addition, the date on
the advisory is one day earlier than that of the Bugtraq post, though
that could be a difference in time zones. It seems plausible that the
problem had already been patched (the researcher did say "There *was*
[a] race condition") so maybe SGI released this advisory after the
problem was publicized.
ADDREF BID:330
URL:http://www.securityfocus.com/bid/330
Note: this is a dupe of CVE-1999-1410, but CVE-1999-1410 will
be rejected in favor of CVE-1999-1286.
Name: CVE-1999-1287
Description:
Vulnerability in Analog 3.0 and earlier allows remote attackers to
read arbitrary files via the forms interface.
Status: Candidate
Phase: Proposed (20010912)
Reference: CONFIRM:http://www.statslab.cam.ac.uk/~sret1/analog/security.html
Reference: XF:analog-remote-file(1410)
Reference: URL:http://xforce.iss.net/static/1410.php
Votes:
ACCEPT(4) Armstrong, Cole, Frech, Stracener
NOOP(2) Foat, Wall
Voter Comments:
CHANGE> [Foat changed vote from ACCEPT to NOOP]
Name: CVE-1999-1289
Description:
ICQ 98 beta on Windows NT leaks the internal IP address of a client in
the TCP data segment of an ICQ packet instead of the public address
(e.g. through NAT), which provides remote attackers with potentially
sensitive information about the client or the internal network
configuration.
Status: Candidate
Phase: Proposed (20010912)
Reference: BUGTRAQ:19981111 WARNING: Another ICQ IP address vulnerability
Reference: URL:http://www.securityfocus.com/archive/1/11233
Reference: XF:icq-ip-info(1398)
Reference: URL:http://xforce.iss.net/static/1398.php
Votes:
ACCEPT(3) Cole, Frech, Wall
NOOP(1) Foat
Voter Comments:
Frech> Override EX-BETA in this case, since ICQ is always in beta
and is
widely run in production environments.
Name: CVE-1999-1291
Description:
TCP/IP implementation in Microsoft Windows 95, Windows NT 4.0, and
possibly others, allows remote attackers to reset connections by
forcing a reset (RST) via a PSH ACK or other means, obtaining the
target's last sequence number from the resulting packet, then spoofing
a reset to the target.
Status: Candidate
Phase: Proposed (20010912)
Reference: BUGTRAQ:19981005 New Windows Vulnerability
Reference: URL:http://www.securityfocus.com/archive/1/10789
Reference: XF:nt-brkill(1383)
Reference: URL:http://xforce.iss.net/static/1383.php
Votes:
ACCEPT(3) Cole, Frech, Wall
NOOP(2) Christey, Foat
Voter Comments:
Christey> Need to get feedback from MS on this.
Name: CVE-1999-1292
Description:
Buffer overflow in web administration feature of Kolban Webcam32 4.8.3
and earlier allows remote attackers to execute arbitrary commands via
a long URL.
Status: Candidate
Phase: Proposed (20010912)
Reference: ISS:19980901 Remote Buffer Overflow in the Kolban Webcam32 Program
Reference: URL:http://xforce.iss.net/alerts/advise7.php
Reference: XF:webcam32-buffer-overflow(1366)
Reference: URL:http://xforce.iss.net/static/1366.php
Votes:
ACCEPT(1) Frech
NOOP(3) Cole, Foat, Wall
Name: CVE-1999-1293
Description:
mod_proxy in Apache 1.2.5 and earlier allows remote attackers to cause
a denial of service via malformed FTP commands, which causes Apache to
dump core.
Status: Candidate
Phase: Proposed (20010912)
Reference: BUGTRAQ:19980106 Apache security advisory
Reference: URL:http://marc.theaimsgroup.com/?l=bugtraq&m=88413292830649&w=2
Reference: CONFIRM:http://www.apache.org/info/security_bulletin_1.2.5.html
Votes:
ACCEPT(3) Armstrong, Cole, Stracener
MODIFY(1) Frech
NOOP(2) Foat, Wall
Voter Comments:
Frech> XF:apache-mod-proxy-dos(7249)
CONFIRM reference no longer seems to exist. BugTraq message
seems to be a confirmation/advisory, however.
CHANGE> [Foat changed vote from ACCEPT to NOOP]
Name: CVE-1999-1295
Description:
Transarc DCE Distributed File System (DFS) 1.1 for Solaris 2.4 and 2.5
does not properly initialize the grouplist for users who belong to a
large number of groups, which could allow those users to gain access
to resources that are protected by DFS.
Status: Candidate
Phase: Modified (20020218-01)
Reference: CERT:VB-96.16
Reference: URL:http://www.cert.org/vendor_bulletins/VB-96.16.transarc
Reference: XF:dfs-login-groups(7154)
Reference: URL:http://xforce.iss.net/static/7154.php
Votes:
ACCEPT(3) Cole, Foat, Stracener
MODIFY(1) Frech
NOOP(1) Wall
Voter Comments:
Frech> XF:dfs-login-groups(7154)
Name: CVE-1999-1296
Description:
Buffer overflow in Kerberos IV compatibility libraries as used in
Kerberos V allows local users to gain root privileges via a long line
in a kerberos configuration file, which can be specified via the
KRB_CONF environmental variable.
Status: Candidate
Phase: Proposed (20010912)
Reference: BUGTRAQ:19970429 vulnerabilities in kerberos
Reference: URL:http://marc.theaimsgroup.com/?l=bugtraq&m=87602167420878&w=2
Votes:
MODIFY(1) Frech
NOOP(2) Cole, Foat
Voter Comments:
Frech> XF:kerberos-config-file-bo(7184)
Name: CVE-1999-1299
Description:
rcp on various Linux systems including Red Hat 4.0 allows a "nobody"
user or other user with UID of 65535 to overwrite arbitrary files,
since 65535 is interpreted as -1 by chown and other system calls,
which causes the calls to fail to modify the ownership of the file.
Status: Candidate
Phase: Proposed (20010912)
Reference: BUGTRAQ:19970203 Linux rcp bug
Reference: URL:http://marc.theaimsgroup.com/?l=bugtraq&m=87602167420509&w=2
Votes:
MODIFY(1) Frech
NOOP(2) Cole, Foat
Voter Comments:
Frech> XF:rcp-nobody-file-overwrite(7187)
Name: CVE-1999-1300
Description:
Vulnerability in accton in Cray UNICOS 6.1 and 6.0 allows local users
to read arbitrary files and modify system accounting configuration.
Status: Candidate
Phase: Proposed (20010912)
Reference: CIAC:B-31
Reference: URL:http://ciac.llnl.gov/ciac/bulletins/b-31.shtml
Votes:
ACCEPT(4) Armstrong, Cole, Foat, Stracener
MODIFY(1) Frech
NOOP(1) Wall
Voter Comments:
Frech> XF: unicos-accton-read-files(7210)
Name: CVE-1999-1302
Description:
Unspecified vulnerability in pt_chmod in SCO UNIX 4.2 and earlier
allows local users to gain root access.
Status: Candidate
Phase: Modified (20070105)
Reference: CERT:VB-94:01
Reference: URL:http://ftp.cerias.purdue.edu/pub/advisories/cert/cert_bulletins/VB-94:01.sco
Reference: CIAC:F-05
Reference: URL:http://ciac.llnl.gov/ciac/bulletins/f-05.shtml
Reference: SCO:94:001
Reference: URL:http://ciac.llnl.gov/ciac/bulletins/f-05.shtml
Reference: OSVDB:8797
Reference: URL:http://www.osvdb.org/8797
Reference: XF:sco-pt_chmod(7586)
Reference: URL:http://xforce.iss.net/xforce/xfdb/7586
Votes:
ACCEPT(3) Cole, Foat, Stracener
MODIFY(1) Frech
Voter Comments:
Frech> XF:sco-pt_chmod(7586)
Name: CVE-1999-1303
Description:
Vulnerability in prwarn in SCO UNIX 4.2 and earlier allows local users
to gain root access.
Status: Candidate
Phase: Proposed (20010912)
Reference: CIAC:F-05
Reference: URL:http://ciac.llnl.gov/ciac/bulletins/f-05.shtml
Reference: SCO:94:001
Reference: URL:http://ciac.llnl.gov/ciac/bulletins/f-05.shtml
Votes:
ACCEPT(3) Cole, Foat, Stracener
MODIFY(1) Frech
Voter Comments:
Frech> XF:sco-prwarn(7587)
Name: CVE-1999-1304
Description:
Vulnerability in login in SCO UNIX 4.2 and earlier allows local users
to gain root access.
Status: Candidate
Phase: Proposed (20010912)
Reference: CIAC:F-05
Reference: URL:http://ciac.llnl.gov/ciac/bulletins/f-05.shtml
Reference: SCO:94:001
Reference: URL:http://ciac.llnl.gov/ciac/bulletins/f-05.shtml
Votes:
ACCEPT(3) Cole, Foat, Stracener
MODIFY(1) Frech
Voter Comments:
Frech> XF:sco-login(7588)
Name: CVE-1999-1305
Description:
Vulnerability in "at" program in SCO UNIX 4.2 and earlier allows local
users to gain root access.
Status: Candidate
Phase: Proposed (20010912)
Reference: CIAC:F-05
Reference: URL:http://ciac.llnl.gov/ciac/bulletins/f-05.shtml
Reference: SCO:94:001
Reference: URL:http://ciac.llnl.gov/ciac/bulletins/f-05.shtml
Votes:
ACCEPT(3) Cole, Foat, Stracener
MODIFY(1) Frech
Voter Comments:
Frech> XF:sco-at(7589)
Name: CVE-1999-1306
Description:
Cisco IOS 9.1 and earlier does not properly handle extended IP access
lists when the IP route cache is enabled and the "established" keyword
is set, which could allow attackers to bypass filters.
Status: Candidate
Phase: Proposed (20010912)
Reference: CERT:CA-1992-20
Reference: URL:http://www.cert.org/advisories/CA-1992-20.html
Votes:
ACCEPT(3) Cole, Foat, Stracener
MODIFY(1) Frech
NOOP(1) Wall
REVIEWING(1) Christey
Voter Comments:
Frech> XF:cisco-acl-established(1248)
Possibly duplicate with CVE-1999-0162?
Christey> Might be a duplicate of CVE-1999-0162, but CVE-1999-0162 was
released in 1995, whereas this bug was released in 1992.
Name: CVE-1999-1307
Description:
Vulnerability in urestore in Novell UnixWare 1.1 allows local users to
gain root privileges.
Status: Candidate
Phase: Proposed (20010912)
Reference: BUGTRAQ:19941209 Novell security advisory on sadc, urestore and the suid_exec feature
Reference: URL:http://www.dataguard.no/bugtraq/1994_4/0676.html
Reference: CIAC:F-06
Reference: URL:http://ciac.llnl.gov/ciac/bulletins/f-06.shtml
Votes:
ACCEPT(4) Armstrong, Cole, Foat, Stracener
MODIFY(1) Frech
NOOP(1) Wall
Voter Comments:
Frech> XF;novell-unixware-urestore-root(7211)
Name: CVE-1999-1308
Description:
Certain programs in HP-UX 10.20 do not properly handle large user IDs
(UID) or group IDs (GID) over 60000, which could allow local users to
gain privileges.
Status: Candidate
Phase: Modified (20020218-01)
Reference: HP:HPSBUX9611-041
Reference: URL:http://ciac.llnl.gov/ciac/bulletins/h-91.shtml
Reference: CIAC:H-09
Reference: URL:http://ciac.llnl.gov/ciac/bulletins/h-09.shtml
Reference: CIAC:H-91
Reference: URL:http://ciac.llnl.gov/ciac/bulletins/h-91.shtml
Reference: XF:hp-large-uid-gid(7594)
Reference: URL:http://www.iss.net/security_center/static/7594.php
Votes:
ACCEPT(3) Cole, Foat, Stracener
MODIFY(1) Frech
Voter Comments:
Frech> XF:hp-large-uid-gid(7594)
Name: CVE-1999-1310
Description:
** REJECT **
DO NOT USE THIS CANDIDATE NUMBER. ConsultIDs: CVE-1999-1022. Reason:
This candidate is a duplicate of CVE-1999-1022. Notes: All CVE users
should reference CVE-1999-1022 instead of this candidate. All
references and descriptions in this candidate have been removed to
prevent accidental usage.
Status: Candidate
Phase: Modified (20050204)
Votes:
ACCEPT(3) Cole, Foat, Stracener
REJECT(2) Christey, Frech
Voter Comments:
Frech> DUPE CVE-1999-1022
Christey> As noted by Andre Frech, this is a duplicate of CVE-1999-1022.
The references from this candidate will be added to
CVE-1999-1022.
Name: CVE-1999-1311
Description:
Vulnerability in dtlogin and dtsession in HP-UX 10.20 and 10.10 allows
local users to bypass authentication and gain privileges.
Status: Candidate
Phase: Proposed (20010912)
Reference: HP:HPSBUX9701-046
Reference: URL:http://ciac.llnl.gov/ciac/bulletins/h-21.shtml
Reference: CIAC:H-21
Reference: URL:http://ciac.llnl.gov/ciac/bulletins/h-21.shtml
Votes:
ACCEPT(3) Cole, Foat, Stracener
MODIFY(1) Frech
Voter Comments:
Frech> XF:hp-dt-bypass-auth(7668)
ACKNOWLEDGED-BY-VENDOR
Name: CVE-1999-1312
Description:
Vulnerability in DEC OpenVMS VAX 5.5-2 through 5.0, and OpenVMS AXP
1.0, allows local users to gain system privileges.
Status: Candidate
Phase: Modified (20020218-01)
Reference: CERT:CA-1993-05
Reference: URL:http://www.cert.org/advisories/CA-1993-05.html
Reference: XF:openvms-local-privilege-elevation(7142)
Reference: URL:http://xforce.iss.net/static/7142.php
Votes:
ACCEPT(3) Cole, Foat, Stracener
MODIFY(1) Frech
NOOP(1) Wall
Voter Comments:
Frech> XF:openvms-local-privilege-elevation(7142)
Name: CVE-1999-1313
Description:
Manual page reader (man) in FreeBSD 2.2 and earlier allows local users
to gain privileges via a sequence of commands.
Status: Candidate
Phase: Modified (20020218-01)
Reference: CIAC:G-24
Reference: URL:http://ciac.llnl.gov/ciac/bulletins/g-24.shtml
Reference: FREEBSD:FreeBSD-SA-96:11
Reference: URL:ftp://ftp.FreeBSD.org/pub/FreeBSD/CERT/advisories/old/FreeBSD-SA-96:11.man.asc
Reference: XF:bsd-man-command-sequence(7348)
Reference: URL:http://xforce.iss.net/static/7348.php
Votes:
ACCEPT(3) Cole, Foat, Stracener
MODIFY(1) Frech
Voter Comments:
Frech> XF:bsd-man-command-sequence(7348)
Name: CVE-1999-1314
Description:
Vulnerability in union file system in FreeBSD 2.2 and earlier, and
possibly other operating systems, allows local users to cause a denial
of service (system reload) via a series of certain mount_union
commands.
Status: Candidate
Phase: Modified (20020218-01)
Reference: CIAC:G-24
Reference: URL:http://ciac.llnl.gov/ciac/bulletins/g-24.shtml
Reference: FREEBSD:FreeBSD-SA-96:10
Reference: URL:ftp://ftp.FreeBSD.org/pub/FreeBSD/CERT/advisories/old/FreeBSD-SA-96:10.mount_union.asc
Reference: XF:unionfs-mount-ordering(7429)
Reference: URL:http://www.iss.net/security_center/static/7429.php
Votes:
ACCEPT(3) Cole, Foat, Stracener
MODIFY(1) Frech
Voter Comments:
Frech> XF:unionfs-mount-ordering(7429)
Name: CVE-1999-1315
Description:
Vulnerabilities in DECnet/OSI for OpenVMS before 5.8 on DEC Alpha AXP
and VAX/VMS systems allow local users to gain privileges or cause a
denial of service.
Status: Candidate
Phase: Proposed (20010912)
Reference: CIAC:F-04
Reference: URL:http://ciac.llnl.gov/ciac/bulletins/f-04.shtml
Votes:
ACCEPT(4) Armstrong, Cole, Foat, Stracener
MODIFY(1) Frech
NOOP(1) Wall
Voter Comments:
Frech> XF:openvms-decnetosi-gain-privileges(7212)
Name: CVE-1999-1319
Description:
Vulnerability in object server program in SGI IRIX 5.2 through 6.1
allows remote attackers to gain root privileges in certain
configurations.
Status: Candidate
Phase: Modified (20020218-01)
Reference: SGI:19960101-01-PX
Reference: URL:ftp://patches.sgi.com/support/free/security/advisories/19960101-01-PX
Reference: XF:irix-object-server(7430)
Reference: URL:http://www.iss.net/security_center/static/7430.php
Votes:
ACCEPT(3) Cole, Foat, Stracener
MODIFY(1) Frech
Voter Comments:
Frech> XF:irix-object-server(7430)
Name: CVE-1999-1322
Description:
The installation of 1ArcServe Backup and Inoculan AV client modules
for Exchange create a log file, exchverify.log, which contains
usernames and passwords in plaintext.
Status: Candidate
Phase: Proposed (20010912)
Reference: NTBUGTRAQ:19981112 exchverify.log
Reference: URL:http://marc.theaimsgroup.com/?l=ntbugtraq&m=91096758513985&w=2
Reference: NTBUGTRAQ:19981117 Re: exchverify.log - update #1
Reference: URL:http://marc.theaimsgroup.com/?l=ntbugtraq&m=91133714919229&w=2
Reference: NTBUGTRAQ:19981125 Re: exchverify.log - update #2
Reference: NTBUGTRAQ:19981216 Arcserve Exchange Client security issue being fixed
Reference: NTBUGTRAQ:19990305 Cheyenne InocuLAN for Exchange plain text password still there
Reference: NTBUGTRAQ:19990426 ArcServe Exchange Client Security Issue still unresolved
Votes:
NOOP(3) Cole, Foat, Wall
Name: CVE-1999-1323
Description:
Norton AntiVirus for Internet Email Gateways (NAVIEG) 1.0.1.7 and
earlier, and Norton AntiVirus for MS Exchange (NAVMSE) 1.5 and
earlier, store the administrator password in cleartext in (1) the
navieg.ini file for NAVIEG, and (2) the ModifyPassword registry key in
NAVMSE.
Status: Candidate
Phase: Proposed (20010912)
Reference: NTBUGTRAQ:19990409 NAV for MS Exchange & Internet Email Gateways
Reference: URL:http://marc.theaimsgroup.com/?l=ntbugtraq&m=92370067416739&w=2
Votes:
ACCEPT(1) Prosser
MODIFY(1) Frech
NOOP(3) Cole, Foat, Wall
Voter Comments:
Frech> XF:nav-admin-password(7543)
Prosser> This has been since corrected in later releases.
Name: CVE-1999-1334
Description:
Multiple buffer overflows in filter command in Elm 2.4 allows
attackers to execute arbitrary commands via (1) long From: headers,
(2) long Reply-To: headers, or (3) via a long -f (filterfile) command
line argument.
Status: Candidate
Phase: Proposed (20010912)
Reference: BUGTRAQ:19980129 KSR[T] Advisory #7: filter
Reference: URL:http://marc.theaimsgroup.com/?l=bugtraq&m=88609666024181&w=2
Reference: CONFIRM:http://www.redhat.com/support/errata/rh50-errata-general.html#elm
Votes:
ACCEPT(3) Cole, Foat, Stracener
MODIFY(1) Frech
NOOP(2) Armstrong, Wall
Voter Comments:
Frech> XF:elm-filter-getfilterrules-bo(7214)
XF:elm-filter2(711)
Name: CVE-1999-1338
Description:
Delegate proxy 5.9.3 and earlier creates files and directories in the
DGROOT with world-writable permissions.
Status: Candidate
Phase: Proposed (20010912)
Reference: BUGTRAQ:19990721 Delegate creates directories writable for anyone
Reference: URL:http://marc.theaimsgroup.com/?l=bugtraq&m=93259112204664&w=2
Votes:
MODIFY(1) Frech
NOOP(3) Cole, Foat, Wall
Voter Comments:
Frech> XF:delegate-dgroot-permissions(8438)
Name: CVE-1999-1340
Description:
Buffer overflow in faxalter in hylafax 4.0.2 allows local users to
gain privileges via a long -m command line argument.
Status: Candidate
Phase: Proposed (20010912)
Reference: BUGTRAQ:19991104 hylafax-4.0.2 local exploit
Reference: URL:http://marc.theaimsgroup.com/?l=bugtraq&m=94173799532589&w=2
Reference: BID:765
Reference: URL:http://www.securityfocus.com/bid/765
Votes:
MODIFY(1) Frech
NOOP(3) Cole, Foat, Wall
Voter Comments:
Frech> XF:hylafax-faxalter-gain-privs(3453)
Proper spelling of the product is HylaFAX (see
http://www.hylafax.org/)
Name: CVE-1999-1342
Description:
ICQ ActiveList Server allows remote attackers to cause a denial of
service (crash) via malformed packets to the server's UDP port.
Status: Candidate
Phase: Proposed (20010912)
Reference: NTBUGTRAQ:19991017 ICQ ActiveList Server Exploit...
Reference: URL:http://marc.theaimsgroup.com/?l=ntbugtraq&m=94042342010662&w=2
Votes:
MODIFY(1) Frech
NOOP(3) Cole, Foat, Wall
Voter Comments:
Frech> XF:icq-activelist-udp-dos(7877)
Name: CVE-1999-1343
Description:
HTTP server for Xerox DocuColor 4 LP allows remote attackers to cause
a denial of service (hang) via a long URL that contains a large number
of . characters.
Status: Candidate
Phase: Proposed (20010912)
Reference: BUGTRAQ:19991013 Xerox DocuColor 4 LP D.O.S
Reference: URL:http://marc.theaimsgroup.com/?l=bugtraq&m=93986405412867&w=2
Votes:
MODIFY(1) Frech
NOOP(3) Cole, Foat, Wall
Voter Comments:
Frech> XF:xerox-docucolor4lp-dos(8041)
Name: CVE-1999-1344
Description:
Auto_FTP.pl script in Auto_FTP 0.2 stores usernames and passwords in
plaintext in the auto_ftp.conf configuration file.
Status: Candidate
Phase: Proposed (20010912)
Reference: BUGTRAQ:19991005 Auto_FTP v0.02 Advisory
Reference: URL:http://marc.theaimsgroup.com/?l=bugtraq&m=93923873006014&w=2
Votes:
MODIFY(1) Frech
NOOP(3) Cole, Foat, Wall
Voter Comments:
Frech> XF:autoftp-plaintext-password(8045)
Name: CVE-1999-1345
Description:
Auto_FTP.pl script in Auto_FTP 0.2 uses the /tmp/ftp_tmp as a shared
directory with insecure permissions, which allows local users to (1)
send arbitrary files to the remote server by placing them in the
directory, and (2) view files that are being transferred.
Status: Candidate
Phase: Proposed (20010912)
Reference: BUGTRAQ:19991005 Auto_FTP v0.02 Advisory
Reference: URL:http://marc.theaimsgroup.com/?l=bugtraq&m=93923873006014&w=2
Votes:
MODIFY(1) Frech
NOOP(3) Cole, Foat, Wall
Voter Comments:
Frech> XF:autoftp-shared-directory(8047)
Name: CVE-1999-1346
Description:
PAM configuration file for rlogin in Red Hat Linux 6.1 and earlier
includes a less restrictive rule before a more restrictive one, which
allows users to access the host via rlogin even if rlogin has been
explicitly disabled using the /etc/nologin file.
Status: Candidate
Phase: Proposed (20010912)
Reference: BUGTRAQ:19991007 Problems with redhat 6 Xsession and pam.d/rlogin.
Reference: URL:http://marc.theaimsgroup.com/?l=bugtraq&m=93942774609925&w=2
Votes:
MODIFY(1) Frech
NOOP(3) Cole, Foat, Wall
Voter Comments:
Frech> XF:pam-rlogin-bypass(8315)
Name: CVE-1999-1347
Description:
Xsession in Red Hat Linux 6.1 and earlier can allow local users with
restricted accounts to bypass execution of the .xsession file by
starting kde, gnome or anotherlevel from kdm.
Status: Candidate
Phase: Proposed (20010912)
Reference: BUGTRAQ:19991007 Problems with redhat 6 Xsession and pam.d/rlogin.
Reference: URL:http://marc.theaimsgroup.com/?l=bugtraq&m=93942774609925&w=2
Votes:
MODIFY(1) Frech
NOOP(3) Cole, Foat, Wall
Voter Comments:
Frech> XF:xsession-bypass(8316)
Name: CVE-1999-1348
Description:
Linuxconf on Red Hat Linux 6.0 and earlier does not properly disable
PAM-based access to the shutdown command, which could allow local
users to cause a denial of service.
Status: Candidate
Phase: Proposed (20010912)
Reference: BUGTRAQ:19990630 linuxconf doesn't seem to deal correctly with /etc/pam.d/reboot
Reference: URL:http://marc.theaimsgroup.com/?l=bugtraq&m=93220073515880&w=2
Votes:
ACCEPT(1) Cole
MODIFY(1) Frech
NOOP(2) Foat, Wall
Voter Comments:
Frech> XF:linuxconf-pam-shutdown-dos(8437)
Name: CVE-1999-1349
Description:
NFS daemon (nfsd.exe) for Omni-NFS/X 6.1 allows remote attackers to
cause a denial of service (resource exhaustion) via certain packets,
possibly with the Urgent (URG) flag set, to port 111.
Status: Candidate
Phase: Proposed (20010912)
Reference: BUGTRAQ:19991006 Omni-NFS/X Enterprise (nfsd.exe) DOS
Reference: URL:http://marc.theaimsgroup.com/?l=bugtraq&m=93923679004325&w=2
Votes:
MODIFY(1) Frech
NOOP(3) Cole, Foat, Wall
Voter Comments:
Frech> XF:xlink-nfsd-dos(8317)
Name: CVE-1999-1350
Description:
ARCAD Systemhaus 0.078-5 installs critical programs and files with
world-writeable permissions, which could allow local users to gain
privileges by replacing a program with a Trojan horse.
Status: Candidate
Phase: Proposed (20010912)
Reference: BUGTRAQ:19990929 Multiple Vendor ARCAD permission problems
Reference: URL:http://marc.theaimsgroup.com/?l=bugtraq&m=93871933521519&w=2
Votes:
MODIFY(1) Frech
NOOP(3) Cole, Foat, Wall
Voter Comments:
Frech> XF:arcad-insecure-permissions(8318)
Name: CVE-1999-1352
Description:
mknod in Linux 2.2 follows symbolic links, which could allow local
users to overwrite files or gain privileges.
Status: Candidate
Phase: Proposed (20010912)
Reference: BUGTRAQ:19990928 Re: [Fwd: Truth about ssh 1.2.27 vulnerabiltiy]
Reference: URL:http://marc.theaimsgroup.com/?l=bugtraq&m=93855134409747&w=2
Votes:
MODIFY(1) Frech
NOOP(3) Cole, Foat, Wall
Voter Comments:
Frech> XF:mknod-symlink(8319)
Name: CVE-1999-1353
Description:
Nosque MsgCore 2.14 stores passwords in cleartext: (1) the
administrator password in the AdmPasswd registry key, and (2) user
passwords in the Userbase.dbf data file, which could allow local users
to gain privielges.
Status: Candidate
Phase: Proposed (20010912)
Reference: BUGTRAQ:19990907 MsgCore mailserver stores passwords in clear text
Reference: URL:http://marc.theaimsgroup.com/?l=ntbugtraq&m=93698162708211&w=2
Votes:
MODIFY(1) Frech
NOOP(3) Cole, Foat, Wall
Voter Comments:
Frech> XF:msgcore-plaintext-passwords(8271)
BUGTRAQ Reference is actually NTBUGTRAQ.
Name: CVE-1999-1354
Description:
E-mail client in Softarc FirstClass Internet Server 5.506 and earlier
stores usernames and passwords in cleartext in the files (1) home.fc
for version 5.506, (2) network.fc for version 3.5, or (3) FCCLIENT.LOG
when logging is enabled.
Status: Candidate
Phase: Proposed (20010912)
Reference: NTBUGTRAQ:19990830 SoftArc's FirstClass E-mail Client
Reference: URL:http://marc.theaimsgroup.com/?l=ntbugtraq&m=93637687305327&w=2
Reference: NTBUGTRAQ:19990909 SoftArc's FirstClass E-mail Client
Reference: URL:http://marc.theaimsgroup.com/?l=ntbugtraq&m=93698283309513&w=2
Votes:
ACCEPT(1) Cole
MODIFY(1) Frech
NOOP(3) Christey, Foat, Wall
Voter Comments:
Frech> (Task 1766)
CHANGE> [Frech changed vote from REVIEWING to MODIFY]
Frech> XF:firstclass-plaintext-account(9874)
Christey> The following reference is for the FCCLIENT.LOG piece:
ADDREF NTBUGTRAQ:19990911 Re: SoftArc's FirstClass E-mail Client
URL:http://archives.neohapsis.com/archives/ntbugtraq/1999-q3/0189.html
Name: CVE-1999-1355
Description:
BMC Patrol component, when installed with Compaq Insight Management
Agent 4.23 and earlier, or Management Agents for Servers 4.40 and
earlier, creates a PFCUser account with a default password and
potentially dangerous privileges.
Status: Candidate
Phase: Proposed (20010912)
Reference: NTBUGTRAQ:19990817 Compaq PFCUser account
Reference: URL:http://marc.theaimsgroup.com/?l=ntbugtraq&m=93542118727732&w=2
Reference: NTBUGTRAQ:19990905 Case ID SSRT0620 - PFCUser account communication
Reference: URL:http://marc.theaimsgroup.com/?l=ntbugtraq&m=93654336516711&w=2
Reference: NTBUGTRAQ:19990915 (I) UPDATE - PFCUser Account,
Reference: URL:http://marc.theaimsgroup.com/?l=ntbugtraq&m=93759822430801&w=2
Reference: NTBUGTRAQ:19991105 UPDATE: SSRT0620 Compaq Foundation Agents v4.40B PFCUser issues
Reference: URL:http://marc.theaimsgroup.com/?l=ntbugtraq&m=94183795025294&w=2
Reference: CONFIRM:http://www.compaq.com/products/servers/management/advisory.html
Reference: XF:management-pfcuser(3231)
Reference: URL:http://xforce.iss.net/static/3231.php
Votes:
ACCEPT(5) Armstrong, Cole, Foat, Frech, Stracener
NOOP(1) Wall
Name: CVE-1999-1357
Description:
Netscape Communicator 4.04 through 4.7 (and possibly other versions)
in various UNIX operating systems converts the 0x8b character to a "<"
sign, and the 0x9b character to a ">" sign, which could allow remote
attackers to attack other clients via cross-site scripting (CSS) in
CGI programs that do not filter these characters.
Status: Candidate
Phase: Proposed (20010912)
Reference: BUGTRAQ:19991005 Time to update those CGIs again
Reference: URL:http://marc.theaimsgroup.com/?l=bugtraq&m=93915331626185&w=2
Votes:
MODIFY(1) Frech
NOOP(3) Cole, Foat, Wall
Voter Comments:
Frech> XF:netscape-cgi-filtering-css(8274)
Name: CVE-1999-1361
Description:
Windows NT 3.51 and 4.0 running WINS (Windows Internet Name Service)
allows remote attackers to cause a denial of service (resource
exhaustion) via a flood of malformed packets, which causes the server
to slow down and fill the event logs with error messages.
Status: Candidate
Phase: Proposed (20010912)
Reference: BUGTRAQ:19980509 coke.c
Reference: URL:http://marc.theaimsgroup.com/?l=bugtraq&m=90221101925891&w=2
Votes:
ACCEPT(1) Wall
MODIFY(1) Frech
NOOP(2) Cole, Foat
Voter Comments:
Frech> XF:winnt-wins-packet-flood-dos(7329)
Name: CVE-1999-1364
Description:
Windows NT 4.0 allows local users to cause a denial of service (crash)
via an illegal kernel mode address to the functions (1)
GetThreadContext or (2) SetThreadContext.
Status: Candidate
Phase: Modified (20020218-01)
Reference: MSKB:Q142653
Reference: URL:http://support.microsoft.com/support/kb/articles/q142/6/53.asp
Reference: XF:nt-threadcontext-dos(7421)
Reference: URL:http://www.iss.net/security_center/static/7421.php
Votes:
ACCEPT(3) Cole, Foat, Wall
MODIFY(1) Frech
Voter Comments:
Frech> XF:nt-threadcontext-dos(7421)
Name: CVE-1999-1366
Description:
Pegasus e-mail client 3.0 and earlier uses weak encryption to store
POP3 passwords in the pmail.ini file, which allows local users to
easily decrypt the passwords and read e-mail.
Status: Candidate
Phase: Proposed (20010912)
Reference: BUGTRAQ:19990515 Pegasus Mail weak encryption
Reference: URL:http://marc.theaimsgroup.com/?l=bugtraq&m=92714118829880&w=2
Votes:
MODIFY(1) Frech
NOOP(3) Cole, Foat, Wall
Voter Comments:
Frech> XF:pegasus-weak-password-encryption(8430)
Name: CVE-1999-1367
Description:
Internet Explorer 5.0 does not properly reset the username/password
cache for Web sites that do not use standard cache controls, which
could allow users on the same system to access restricted web sites
that were visited by other users.
Status: Candidate
Phase: Proposed (20010912)
Reference: MISC:http://www.pcworld.com/news/article/0,aid,10842,00.asp
Votes:
NOOP(3) Cole, Foat, Wall
REVIEWING(1) Frech
Voter Comments:
Frech> (Task 2283)
Name: CVE-1999-1368
Description:
AV Option for MS Exchange Server option for InoculateIT 4.53, and
possibly other versions, only scans the Inbox folder tree of a
Microsoft Exchange server, which could allow viruses to escape
detection if a user's rules cause the message to be moved to a
different mailbox.
Status: Candidate
Phase: Proposed (20010912)
Reference: NTBUGTRAQ:19990512 InoculateIT 4.53 Real-Time Exchange Scanner Flawed
Reference: URL:http://marc.theaimsgroup.com/?l=ntbugtraq&m=92652152723629&w=2
Reference: NTBUGTRAQ:20001116 InoculateIT AV Option for MS Exchange Server
Reference: URL:http://marc.theaimsgroup.com/?l=ntbugtraq&m=97439568517355&w=2
Votes:
MODIFY(1) Frech
NOOP(3) Cole, Foat, Wall
Voter Comments:
Frech> XF:inoculate-message-redirect-bypass(5602)
Name: CVE-1999-1369
Description:
Real Media RealServer (rmserver) 6.0.3.353 stores a password in
plaintext in the world-readable rmserver.cfg file, which allows local
users to gain privileges.
Status: Candidate
Phase: Proposed (20010912)
Reference: BUGTRAQ:19990414 Real Media Server stores passwords in plain text
Reference: URL:http://marc.theaimsgroup.com/?l=bugtraq&m=92411181619110&w=2
Votes:
MODIFY(1) Frech
NOOP(3) Cole, Foat, Wall
Voter Comments:
Frech> XF:realserver-insecure-password(7544)
Name: CVE-1999-1370
Description:
The setup wizard (ie5setup.exe) for Internet Explorer 5.0 disables (1)
the screen saver, which could leave the system open to users with
physical access if a failure occurs during an unattended installation,
and (2) the Task Scheduler Service, which might prevent the scheduled
execution of security-critical programs.
Status: Candidate
Phase: Proposed (20010912)
Reference: NTBUGTRAQ:19990323 MSIE 5 installer disables screen saver
Reference: URL:http://marc.theaimsgroup.com/?l=ntbugtraq&m=92220197414799&w=2
Votes:
MODIFY(1) Frech
NOOP(3) Cole, Foat, Wall
Voter Comments:
Frech> XF:ie-ie5setup-disable-password(7545)
Name: CVE-1999-1371
Description:
Buffer overflow in /usr/bin/write in Solaris 2.6 and 7 allows local
users to gain privileges via a long string in the terminal name
argument.
Status: Candidate
Phase: Modified (20040723)
Reference: BUGTRAQ:19990308 Solaris "/usr/bin/write" bug
Reference: URL:http://marc.theaimsgroup.com/?l=bugtraq&m=92100752221493&w=2
Reference: MISC:http://www.securiteam.com/exploits/5ZP0O1P35O.html
Reference: XF:solaris-write-bo(7546)
Reference: URL:http://xforce.iss.net/xforce/xfdb/7546
Votes:
ACCEPT(2) Cole, Dik
MODIFY(1) Frech
NOOP(3) Christey, Foat, Wall
Voter Comments:
Frech> XF:solaris-write-bo(7546)
Christey> This appears to be a rediscovery of the problem for Solaris
2.8:
BUGTRAQ:20011114 /usr/bin/write (solaris2.x) Segmentation Fault
URL:http://marc.theaimsgroup.com/?l=bugtraq&m=100588255815773&w=2
Dik> sun bug: 4218941
Name: CVE-1999-1372
Description:
Triactive Remote Manager with Basic authentication enabled stores the
username and password in cleartext in registry keys, which could allow
local users to gain privileges.
Status: Candidate
Phase: Proposed (20010912)
Reference: BUGTRAQ:19990219 Plaintext Password in Tractive's Remote Manager Software
Reference: URL:http://marc.theaimsgroup.com/?l=bugtraq&m=91966339502073&w=2
Votes:
MODIFY(1) Frech
NOOP(3) Cole, Foat, Wall
Voter Comments:
Frech> XF:triactive-remote-basic-auth(7548)
Name: CVE-1999-1373
Description:
FORE PowerHub before 5.0.1 allows remote attackers to cause a denial
of service (hang) via a TCP SYN scan with TCP/IP OS fingerprinting,
e.g. via nmap.
Status: Candidate
Phase: Proposed (20010912)
Reference: BUGTRAQ:19990105 Re: Network Scan Vulnerability [SUMMARY]
Reference: URL:http://marc.theaimsgroup.com/?l=bugtraq&m=91651770130771&w=2
Votes:
MODIFY(1) Frech
NOOP(3) Cole, Foat, Wall
Voter Comments:
Frech> XF:powerhub-nmap-dos(7556)
Name: CVE-1999-1374
Description:
perlshop.cgi shopping cart program stores sensitive customer
information in directories and files that are under the web root,
which allows remote attackers to obtain that information via an HTTP
request.
Status: Candidate
Phase: Proposed (20010912)
Reference: BUGTRAQ:19990427 Re: Shopping Carts exposing CC data
Reference: URL:http://marc.theaimsgroup.com/?l=bugtraq&m=92523159819402&w=2
Votes:
MODIFY(1) Frech
NOOP(3) Cole, Foat, Wall
Voter Comments:
Frech> XF:perlshop-cgi-obtain-information(7557)
Name: CVE-1999-1375
Description:
FileSystemObject (FSO) in the showfile.asp Active Server Page (ASP)
allows remote attackers to read arbitrary files by specifying the name
in the file parameter.
Status: Candidate
Phase: Proposed (20010912)
Reference: NTBUGTRAQ:19990211 Using FSO in ASP to view just about anything
Reference: URL:http://marc.theaimsgroup.com/?l=ntbugtraq&m=91877455626320&w=2
Reference: BID:230
Reference: URL:http://www.securityfocus.com/bid/230
Votes:
ACCEPT(1) Cole
MODIFY(1) Frech
NOOP(3) Christey, Foat, Wall
Voter Comments:
Frech> XF:iis-fso-read-files(7558)
Christey> Explicitly mention IIS
Name: CVE-1999-1376
Description:
Buffer overflow in fpcount.exe in IIS 4.0 with FrontPage Server
Extensions allows remote attackers to execute arbitrary commands.
Status: Candidate
Phase: Proposed (20010912)
Reference: NTBUGTRAQ:19990114 MS IIS 4.0 Security Advisory
Reference: URL:http://marc.theaimsgroup.com/?l=ntbugtraq&m=91632724913080&w=2
Reference: BUGTRAQ:19990114 MS IIS 4.0 Security Advisory
Reference: URL:http://marc.theaimsgroup.com/?l=bugtraq&m=91638375309890&w=2
Votes:
ACCEPT(1) Wall
MODIFY(1) Frech
NOOP(2) Cole, Foat
Voter Comments:
Frech> XF:frontpage-ext-fpcount-crash(5494)
Name: CVE-1999-1377
Description:
Matt Wright's download.cgi 1.0 allows remote attackers to read
arbitrary files via a .. (dot dot) in the f parameter.
Status: Candidate
Phase: Proposed (20010912)
Reference: MISC:http://pulhas.org/phrack/55/P55-07.html
Votes:
MODIFY(1) Frech
NOOP(3) Cole, Foat, Wall
Voter Comments:
Frech> XF:download-cgi-directory-traversal(8279)
Name: CVE-1999-1378
Description:
dbmlparser.exe CGI guestbook program does not perform a chroot
operation properly, which allows remote attackers to read arbitrary
files.
Status: Candidate
Phase: Proposed (20010912)
Reference: BUGTRAQ:19990917 improper chroot in dbmlparser.exe
Reference: URL:http://marc.theaimsgroup.com/?l=bugtraq&m=93250710625956&w=2
Votes:
NOOP(3) Cole, Foat, Wall
REVIEWING(1) Frech
Voter Comments:
Frech> (Task 2284)
Name: CVE-1999-1381
Description:
Buffer overflow in dbadmin CGI program 1.0.1 on Linux allows remote
attackers to execute arbitrary commands.
Status: Candidate
Phase: Proposed (20010912)
Reference: BUGTRAQ:19981008 buffer overflow in dbadmin
Reference: URL:http://marc.theaimsgroup.com/?l=bugtraq&m=90786656409618&w=2
Votes:
NOOP(3) Cole, Foat, Wall
Name: CVE-1999-1383
Description:
(1) bash before 1.14.7, and (2) tcsh 6.05 allow local users to gain
privileges via directory names that contain shell metacharacters (`
back-tick), which can cause the commands enclosed in the directory
name to be executed when the shell expands filenames using the \w
option in the PS1 variable.
Status: Candidate
Phase: Proposed (20010912)
Reference: BUGTRAQ:19960913 tee see shell problems
Reference: URL:http://marc.theaimsgroup.com/?l=bugtraq&m=87602167419868&w=2
Reference: BUGTRAQ:19960919 Vulnerability in expansion of PS1 in bash & tcsh
Reference: URL:http://www.dataguard.no/bugtraq/1996_3/0503.html
Votes:
NOOP(2) Cole, Foat
Name: CVE-1999-1387
Description:
Windows NT 4.0 SP2 allows remote attackers to cause a denial of
service (crash), possibly via malformed inputs or packets, such as
those generated by a Linux smbmount command that was compiled on the
Linux 2.0.29 kernel but executed on Linux 2.0.25.
Status: Candidate
Phase: Proposed (20010912)
Reference: BUGTRAQ:19970402 Fatal bug in NT 4.0 server
Reference: URL:http://marc.theaimsgroup.com/?l=bugtraq&m=87602167420731&w=2
Reference: BUGTRAQ:19970403 Fatal bug in NT 4.0 server (more comments)
Reference: URL:http://marc.theaimsgroup.com/?l=bugtraq&m=87602167420732&w=2
Reference: BUGTRAQ:19970407 DUMP of NT system crash
Reference: URL:http://marc.theaimsgroup.com/?l=bugtraq&m=87602167420741&w=2
Votes:
ACCEPT(1) Cole
NOOP(1) Foat
Name: CVE-1999-1388
Description:
passwd in SunOS 4.1.x allows local users to overwrite arbitrary files
via a symlink attack and the -F command line argument.
Status: Candidate
Phase: Proposed (20010912)
Reference: BUGTRAQ:19940513 [8lgm]-Advisory-7.UNIX.passwd.11-May-1994
Reference: URL:http://www2.dataguard.no/bugtraq/1994_2/0197.html
Reference: BUGTRAQ:19940514 [8lgm]-Advisory-7.UNIX.passwd.11-May-1994.NEWFIX
Reference: URL:http://www2.dataguard.no/bugtraq/1994_2/0207.html
Reference: BUGTRAQ:19941218 Sun Patch Id #102060-01
Reference: URL:http://www.dataguard.no/bugtraq/1994_4/0755.html
Votes:
ACCEPT(1) Dik
NOOP(2) Cole, Foat
Voter Comments:
Dik> sun bug: 1171499
Name: CVE-1999-1389
Description:
US Robotics/3Com Total Control Chassis with Frame Relay between 3.6.22
and 3.7.24 does not properly enforce access filters when the "set host
prompt" setting is made for a port, which allows attackers to bypass
restrictions by providing the hostname twice at the "host: " prompt.
Status: Candidate
Phase: Proposed (20010912)
Reference: BUGTRAQ:19980511 3Com/USR Total Control Chassis dialup port access filters
Reference: URL:http://marc.theaimsgroup.com/?l=bugtraq&m=90221101925916&w=2
Reference: BID:99
Reference: URL:http://www.securityfocus.com/bid/99
Votes:
MODIFY(1) Frech
NOOP(3) Cole, Foat, Wall
Voter Comments:
Frech> XF:3com-netserver-filter-bypass(7330)
Name: CVE-1999-1390
Description:
suidexec in suidmanager 0.18 on Debian 2.0 allows local users to gain
root privileges by specifying a malicious program on the command line.
Status: Candidate
Phase: Proposed (20010912)
Reference: BUGTRAQ:19980428 [Debian 2.0] /usr/bin/suidexec gives root access
Reference: URL:http://darwin.bio.uci.edu/~mcoogan/bugtraq/msg00890.html
Reference: BID:94
Reference: URL:http://www.securityfocus.com/bid/94
Votes:
MODIFY(1) Frech
NOOP(3) Cole, Foat, Wall
Voter Comments:
Frech> XF:suidmanager-suidexec-root-privileges(7304)
Name: CVE-1999-1391
Description:
Vulnerability in NeXT 1.0a and 1.0 with publicly accessible printers
allows local users to gain privileges via a combination of the npd
program and weak directory permissions.
Status: Candidate
Phase: Modified (20020218-01)
Reference: CERT:CA-1990-06
Reference: URL:http://www.cert.org/advisories/CA-1990-06.html
Reference: CIAC:B-01
Reference: URL:http://ciac.llnl.gov/ciac/bulletins/b-01.shtml
Reference: BID:10
Reference: URL:http://www.securityfocus.com/bid/10
Reference: XF:nextstep-npd-root-access(7143)
Reference: URL:http://www.iss.net/security_center/static/7143.php
Votes:
ACCEPT(3) Cole, Foat, Stracener
MODIFY(1) Frech
NOOP(1) Wall
Voter Comments:
Frech> XF:nextstep-npd-root-access(7143)
Name: CVE-1999-1392
Description:
Vulnerability in restore0.9 installation script in NeXT 1.0a and 1.0
allows local users to gain root privileges.
Status: Candidate
Phase: Modified (20020218-01)
Reference: CERT:CA-1990-06
Reference: URL:http://www.cert.org/advisories/CA-1990-06.html
Reference: CIAC:B-01
Reference: URL:http://ciac.llnl.gov/ciac/bulletins/b-01.shtml
Reference: BID:9
Reference: URL:http://www.securityfocus.com/bid/9
Reference: XF:nextstep-restore09-root-access(7144)
Reference: URL:http://www.iss.net/security_center/static/7144.php
Votes:
ACCEPT(3) Cole, Foat, Stracener
MODIFY(1) Frech
NOOP(1) Wall
Voter Comments:
Frech> XF:nextstep-restore09-root-access(7144)
Name: CVE-1999-1393
Description:
Control Panel "Password Security" option for Apple Powerbooks allows
attackers with physical access to the machine to bypass the security
by booting it with an emergency startup disk and using a disk editor
to modify the on/off toggle or password in the aaaaaaaAPWD file, which
is normally inaccessible.
Status: Candidate
Phase: Proposed (20010912)
Reference: MISC:http://freaky.staticusers.net/macsec/data/powerbooksecurity-data.html
Reference: BID:532
Reference: URL:http://www.securityfocus.com/bid/532
Votes:
NOOP(3) Cole, Foat, Wall
REVIEWING(1) Frech
Voter Comments:
Frech> (Task 2285)
Name: CVE-1999-1394
Description:
BSD 4.4 based operating systems, when running at security level 1,
allow the root user to clear the immutable and append-only flags for
files by unmounting the file system and using a file system editor
such as fsdb to directly modify the file through a device.
Status: Candidate
Phase: Proposed (20010912)
Reference: BUGTRAQ:19990702 BSD-fileflags
Reference: URL:http://marc.theaimsgroup.com/?l=bugtraq&m=93094058620450&w=2
Reference: BID:510
Reference: URL:http://www.securityfocus.com/bid/510
Votes:
ACCEPT(1) Cole
NOOP(2) Foat, Wall
REVIEWING(1) Frech
Voter Comments:
Frech> (Task 2286)
Name: CVE-1999-1395
Description:
Vulnerability in Monitor utility (SYS$SHARE:SPISHR.EXE) in VMS 5.0
through 5.4-2 allows local users to gain privileges.
Status: Candidate
Phase: Modified (20091029)
Reference: CERT:CA-1992-18
Reference: URL:http://www.cert.org/advisories/CA-1992-18.html
Reference: CERT:CA-92.16
Reference: URL:http://www.cert.org/advisories/CA-92.16.VMS.Monitor.vulnerability
Reference: BID:51
Reference: URL:http://www.securityfocus.com/bid/51
Reference: OSVDB:59332
Reference: URL:http://osvdb.org/59332
Reference: XF:vms-monitor-gain-privileges(7136)
Reference: URL:http://www.iss.net/security_center/static/7136.php
Votes:
ACCEPT(3) Cole, Foat, Stracener
MODIFY(1) Frech
NOOP(2) Christey, Wall
Voter Comments:
Frech> XF:vms-monitor-gain-privileges(7136)
Duplicate of CVE-1999-1056? If not, indicate why in Analysis
comments.
Christey> Note that CVE-1999-1056
Christey> CVE-1999-1056 is in fact a duplicate. This candidate will
be kept, and CVE-1999-1056 will be REJECTed, because this
candidate has more references.
Name: CVE-1999-1396
Description:
Vulnerability in integer multiplication emulation code on SPARC
architectures for SunOS 4.1 through 4.1.2 allows local users to gain
root access or cause a denial of service (crash).
Status: Candidate
Phase: Modified (20020218-01)
Reference: CERT:CA-1992-15
Reference: URL:http://www.cert.org/advisories/CA-1992-15.html
Reference: BID:49
Reference: URL:http://www.securityfocus.com/bid/49
Reference: XF:sun-integer-multiplication-access(7150)
Reference: URL:http://www.iss.net/security_center/static/7150.php
Votes:
ACCEPT(4) Cole, Dik, Foat, Stracener
MODIFY(1) Frech
NOOP(1) Wall
Voter Comments:
Frech> XF:sun-integer-multiplication-access(7150)
Dik> sun bug: 1069072 1071053
Name: CVE-1999-1398
Description:
Vulnerability in xfsdump in SGI IRIX may allow local users to obtain
root privileges via the bck.log log file, possibly via a symlink
attack.
Status: Candidate
Phase: Proposed (20010912)
Reference: BUGTRAQ:19970507 Irix: misc
Reference: URL:http://marc.theaimsgroup.com/?l=bugtraq&m=87602167420921&w=2
Reference: MISC:http://www.insecure.org/sploits/irix.xfsdump.html
Reference: BID:472
Reference: URL:http://www.securityfocus.com/bid/472
Votes:
ACCEPT(1) Cole
MODIFY(1) Frech
NOOP(1) Foat
Voter Comments:
Frech> XF:irix-xfsdump-symlink(7193)
Name: CVE-1999-1399
Description:
spaceball program in SpaceWare 7.3 v1.0 in IRIX 6.2 allows local users
to gain root privileges by setting the HOSTNAME environmental variable
to contain the commands to be executed.
Status: Candidate
Phase: Proposed (20010912)
Reference: BUGTRAQ:19970820 SpaceWare 7.3 v1.0
Reference: URL:http://marc.theaimsgroup.com/?l=bugtraq&m=87602746719552&w=2
Reference: BID:471
Reference: URL:http://www.securityfocus.com/bid/471
Votes:
ACCEPT(1) Cole
MODIFY(1) Frech
NOOP(1) Foat
Voter Comments:
Frech> XF:spaceware-hostname-command-execution(7194)
Name: CVE-1999-1400
Description:
The Economist screen saver 1999 with the "Password Protected" option
enabled allows users with physical access to the machine to bypass the
screen saver and read files by running Internet Explorer while the
screen is still locked.
Status: Candidate
Phase: Proposed (20010912)
Reference: NTBUGTRAQ:19990603 Huge Exploit in NT 4.0 SP5 Screensaver with Password Protection Enabled
Reference: URL:http://archives.indenial.com/hypermail/ntbugtraq/1999/June1999/0007.html
Reference: NTBUGTRAQ:19990603 Re: Huge Exploit in NT 4.0 SP5 Screensaver with Password Protecti on Enabled.
Reference: URL:http://archives.indenial.com/hypermail/ntbugtraq/1999/June1999/0009.html
Reference: NTBUGTRAQ:19990604 Official response from The Economist re: 1999 Screen Saver
Reference: URL:http://marc.theaimsgroup.com/?l=ntbugtraq&m=92851653600852&w=2
Reference: BID:466
Reference: URL:http://www.securityfocus.com/bid/466
Votes:
ACCEPT(1) Wall
NOOP(2) Cole, Foat
REVIEWING(1) Frech
Voter Comments:
Frech> (Task 2287)
CONFIRM NTBUGTRAQ:19990604 Official response from The
Economist re: 1999 Screen Saver
Name: CVE-1999-1401
Description:
Vulnerability in Desktop searchbook program in IRIX 5.0.x through 6.2
sets insecure permissions for certain user files (iconbook and
searchbook).
Status: Candidate
Phase: Modified (20060309)
Reference: SGI:19961201-01-PX
Reference: URL:ftp://patches.sgi.com/support/free/security/advisories/19961201-01-PX
Reference: BID:463
Reference: URL:http://www.securityfocus.com/bid/463
Reference: OSVDB:8563
Reference: URL:http://www.osvdb.org/8563
Reference: XF:irix-searchbook-permissions(7575)
Reference: URL:http://www.iss.net/security_center/static/7575.php
Votes:
ACCEPT(3) Cole, Foat, Stracener
MODIFY(1) Frech
Voter Comments:
Frech> XF:irix-searchbook-permissions(7575)
Name: CVE-1999-1403
Description:
IBM/Tivoli OPC Tracker Agent version 2 release 1 creates files,
directories, and IPC message queues with insecure permissions
(world-readable and world-writable), which could allow local users to
disrupt operations and possibly gain privileges by modifying or
deleting files.
Status: Candidate
Phase: Proposed (20010912)
Reference: BUGTRAQ:19981002 Several potential security problems in IBM/Tivoli OPC Tracker Age nt
Reference: URL:http://www.securityfocus.com/archive/1/10771
Reference: BID:382
Reference: URL:http://www.securityfocus.com/bid/382
Votes:
NOOP(3) Cole, Foat, Wall
Name: CVE-1999-1404
Description:
IBM/Tivoli OPC Tracker Agent version 2 release 1 allows remote
attackers to cause a denial of service (resource exhaustion) via
malformed data to the localtracker client port (5011), which prevents
the connection from being closed properly.
Status: Candidate
Phase: Proposed (20010912)
Reference: BUGTRAQ:19981002 Several potential security problems in IBM/Tivoli OPC Tracker Age nt
Reference: URL:http://www.securityfocus.com/archive/1/10771
Reference: BID:382
Reference: URL:http://www.securityfocus.com/bid/382
Votes:
NOOP(3) Cole, Foat, Wall
Name: CVE-1999-1405
Description:
snap command in AIX before 4.3.2 creates the /tmp/ibmsupt directory
with world-readable permissions and does not remove or clear the
directory when snap -a is executed, which could allow local users to
access the shadowed password file by creating
/tmp/ibmsupt/general/passwd before root runs snap -a.
Status: Candidate
Phase: Proposed (20010912)
Reference: BUGTRAQ:19990217 snap utility for AIX.
Reference: URL:http://marc.theaimsgroup.com/?l=bugtraq&m=91936783009385&w=2
Reference: BUGTRAQ:19990220 Re: snap utility for AIX.
Reference: URL:http://marc.theaimsgroup.com/?l=bugtraq&m=91954824614013&w=2
Reference: BID:375
Reference: URL:http://www.securityfocus.com/bid/375
Votes:
MODIFY(1) Frech
NOOP(3) Cole, Foat, Wall
Voter Comments:
Frech> XF:aix-snap-insecure-tmp(7560)
Name: CVE-1999-1406
Description:
dumpreg in Red Hat Linux 5.1 opens /dev/mem with O_RDWR access, which
allows local users to cause a denial of service (crash) by redirecting
fd 1 (stdout) to the kernel.
Status: Candidate
Phase: Proposed (20010912)
Reference: BUGTRAQ:19980729 Crash a redhat 5.1 linux box
Reference: URL:http://marc.theaimsgroup.com/?l=bugtraq&m=90221104526185&w=2
Reference: BUGTRAQ:19980730 FD's 0..2 and suid/sgid procs (Was: Crash a redhat 5.1 linux box)
Reference: URL:http://marc.theaimsgroup.com/?l=bugtraq&m=90221104526192&w=2
Reference: BID:372
Reference: URL:http://www.securityfocus.com/bid/372
Votes:
ACCEPT(1) Cole
NOOP(2) Foat, Wall
Name: CVE-1999-1408
Description:
Vulnerability in AIX 4.1.4 and HP-UX 10.01 and 9.05 allows local users
to cause a denial of service (crash) by using a socket to connect to a
port on the localhost, calling shutdown to clear the socket, then
using the same socket to connect to a different port on localhost.
Status: Candidate
Phase: Proposed (20010912)
Reference: BUGTRAQ:19970305 Bug in connect() for aix 4.1.4 ?
Reference: URL:http://marc.theaimsgroup.com/?l=bugtraq&m=87602167420641&w=2
Reference: BID:352
Reference: URL:http://www.securityfocus.com/bid/352
Votes:
MODIFY(1) Frech
NOOP(3) Christey, Cole, Foat
Voter Comments:
Frech> XF: aix-hpux-connect-dos(7195)
Christey> BUGTRAQ:19970307 Re: Bug in connect() ?
URL:http://www.securityfocus.com/archive/1/Pine.HPP.3.92.970307195408.12139B-100000@wpax13.physik.uni-wuerzburg.de
BUGTRAQ:19970311 Re: Bug in connect() for aix 4.1.4 ?
URL:http://www.securityfocus.com/cgi-bin/archive.pl?id=1&mid=6419
Name: CVE-1999-1410
Description:
addnetpr in IRIX 5.3 and 6.2 allows local users to overwrite arbitrary
files and possibly gain root privileges via a symlink attack on the
printers temporary file.
Status: Candidate
Phase: Proposed (20010912)
Reference: BUGTRAQ:19970509 Re: Irix: misc
Reference: URL:http://marc.theaimsgroup.com/?l=bugtraq&m=87602167420927&w=2
Reference: MISC:ftp://patches.sgi.com/support/free/security/advisories/19961203-02-PX
Reference: BID:330
Reference: URL:http://www.securityfocus.com/bid/330
Votes:
NOOP(2) Cole, Foat
REJECT(2) Christey, Frech
Voter Comments:
Christey> DUPE CVE-1999-1286
Need to add these references to CVE-1999-1286
Name: CVE-1999-1412
Description:
A possible interaction between Apple MacOS X release 1.0 and Apache
HTTP server allows remote attackers to cause a denial of service
(crash) via a flood of HTTP GET requests to CGI programs, which
generates a large number of processes.
Status: Candidate
Phase: Proposed (20010912)
Reference: BUGTRAQ:19990603 MacOS X system panic with CGI
Reference: URL:http://www.securityfocus.com/archive/1/14215
Reference: BID:306
Reference: URL:http://www.securityfocus.com/bid/306
Votes:
NOOP(3) Cole, Foat, Wall
REVIEWING(1) Frech
Voter Comments:
Frech> (Task 2288)
Name: CVE-1999-1413
Description:
Solaris 2.4 before kernel jumbo patch -35 allows set-gid programs to
dump core even if the real user id is not in the set-gid group, which
allows local users to overwrite or create files at higher privileges
by causing a core dump, e.g. through dmesg.
Status: Candidate
Phase: Proposed (20010912)
Reference: BUGTRAQ:19960803 Exploiting Zolaris 2.4 ?? :)
Reference: URL:http://marc.theaimsgroup.com/?l=bugtraq&m=87602167419549&w=2
Reference: BID:296
Reference: URL:http://www.securityfocus.com/bid/296
Votes:
MODIFY(2) Dik, Frech
NOOP(2) Cole, Foat
Voter Comments:
Frech> XF:solaris-coredump-symlink(7196)
Dik> sun bug: 1208241
Also applies to set-uid executables that have made real
and effective uid identical
Name: CVE-1999-1415
Description:
Vulnerability in /usr/bin/mail in DEC ULTRIX before 4.2 allows local
users to gain privileges.
Status: Candidate
Phase: Proposed (20010912)
Reference: CERT:CA-91.13
Reference: URL:http://www.cert.org/advisories/CA-91.13.Ultrix.mail.vulnerability
Reference: BID:27
Reference: URL:http://www.securityfocus.com/bid/27
Votes:
ACCEPT(3) Cole, Foat, Stracener
MODIFY(1) Frech
NOOP(2) Christey, Wall
Voter Comments:
Frech> XF:bsd-binmail(515)
CA-1991-13 was superseded by CA-1995-02.
Christey> Is there overlap between CVE-1999-1415 and CVE-1999-1438?
Both CERT advisories are vague.
Name: CVE-1999-1416
Description:
AnswerBook2 (AB2) web server dwhttpd 3.1a4 allows remote attackers to
cause a denial of service (resource exhaustion) via an HTTP POST
request with a large content-length.
Status: Candidate
Phase: Proposed (20010912)
Reference: BUGTRAQ:19980823 Solaris ab2 web server is junk
Reference: URL:http://www.securityfocus.com/archive/1/10383
Reference: BID:253
Reference: URL:http://www.securityfocus.com/bid/253
Votes:
NOOP(3) Cole, Foat, Wall
Name: CVE-1999-1417
Description:
Format string vulnerability in AnswerBook2 (AB2) web server dwhttpd
3.1a4 allows remote attackers to cause a denial of service and
possibly execute arbitrary commands via encoded % characters in an
HTTP request, which is improperly logged.
Status: Candidate
Phase: Proposed (20010912)
Reference: BUGTRAQ:19980823 Solaris ab2 web server is junk
Reference: URL:http://www.securityfocus.com/archive/1/10383
Reference: BID:253
Reference: URL:http://www.securityfocus.com/bid/253
Votes:
ACCEPT(1) Dik
NOOP(3) Cole, Foat, Wall
Voter Comments:
Dik> sun bug: 4218283
Name: CVE-1999-1418
Description:
ICQ99 ICQ web server build 1701 with "Active Homepage" enabled
generates allows remote attackers to determine the existence of files
on the server by comparing server responses when a file exists ("404
Forbidden") versus when a file does not exist ("404 not found").
Status: Candidate
Phase: Proposed (20010912)
Reference: BUGTRAQ:19990501 Update: security hole in the ICQ-Webserver
Reference: URL:http://www.securityfocus.com/archive/1/13508
Reference: BID:246
Reference: URL:http://www.securityfocus.com/bid/246
Votes:
MODIFY(1) Frech
NOOP(3) Cole, Foat, Wall
Voter Comments:
Frech> XF;icq-webserver-gain-information(8229)
CONFIRM:http://online.securityfocus.com/archive/1/13655
Name: CVE-1999-1420
Description:
NBase switches NH2012, NH2012R, NH2015, and NH2048 have a back door
password that cannot be disabled, which allows remote attackers to
modify the switch's configuration.
Status: Candidate
Phase: Proposed (20010912)
Reference: BUGTRAQ:19980720 N-Base Vulnerability Advisory
Reference: URL:http://marc.theaimsgroup.com/?l=bugtraq&m=90221104526016&w=2
Reference: BUGTRAQ:19980722 N-Base Vulnerability Advisory Followup
Reference: URL:http://marc.theaimsgroup.com/?l=bugtraq&m=90221104526065&w=2
Reference: BID:212
Reference: URL:http://www.securityfocus.com/bid/212
Votes:
ACCEPT(1) Cole
NOOP(2) Foat, Wall
Name: CVE-1999-1421
Description:
NBase switches NH208 and NH215 run a TFTP server which allows remote
attackers to send software updates to modify the switch or cause a
denial of service (crash) by guessing the target filenames, which have
default names.
Status: Candidate
Phase: Proposed (20010912)
Reference: BUGTRAQ:19980720 N-Base Vulnerability Advisory
Reference: URL:http://marc.theaimsgroup.com/?l=bugtraq&m=90221104526016&w=2
Reference: BUGTRAQ:19980722 N-Base Vulnerability Advisory Followup
Reference: URL:http://marc.theaimsgroup.com/?l=bugtraq&m=90221104526065&w=2
Reference: BID:212
Reference: URL:http://www.securityfocus.com/bid/212
Votes:
ACCEPT(2) Cole, Foat
NOOP(1) Wall
Name: CVE-1999-1422
Description:
The default configuration of Slackware 3.4, and possibly other
versions, includes . (dot, the current directory) in the PATH
environmental variable, which could allow local users to create Trojan
horse programs that are inadvertently executed by other users.
Status: Candidate
Phase: Proposed (20010912)
Reference: BUGTRAQ:19990102 PATH variable in zip-slackware 2.0.35
Reference: URL:http://marc.theaimsgroup.com/?l=bugtraq&m=91540043023167&w=2
Reference: BID:211
Reference: URL:http://www.securityfocus.com/bid/211
Votes:
MODIFY(1) Frech
NOOP(3) Cole, Foat, Wall
Voter Comments:
Frech> XF:linux-path-execute-commands(7561)
Name: CVE-1999-1424
Description:
Solaris Solstice AdminSuite (AdminSuite) 2.1 uses unsafe permissions
when adding new users to the NIS+ password table, which allows local
users to gain root access by modifying their password table entries.
Status: Candidate
Phase: Proposed (20010912)
Reference: SUN:00145
Reference: URL:http://sunsolve.sun.com/pub-cgi/retrieve.pl?doctype=coll&doc=secbull/145
Reference: BID:208
Reference: URL:http://www.securityfocus.com/bid/208
Votes:
ACCEPT(4) Cole, Dik, Foat, Stracener
MODIFY(1) Frech
Voter Comments:
Frech> XF:solaris-adminsuite-nisplus-password(7467)
Dik> sun bug:1237225
Name: CVE-1999-1425
Description:
Solaris Solstice AdminSuite (AdminSuite) 2.1 incorrectly sets write
permissions on source files for NIS maps, which could allow local
users to gain privileges by modifying /etc/passwd.
Status: Candidate
Phase: Proposed (20010912)
Reference: SUN:00145
Reference: URL:http://sunsolve.sun.com/pub-cgi/retrieve.pl?doctype=coll&doc=secbull/145
Reference: BID:208
Reference: URL:http://www.securityfocus.com/bid/208
Votes:
ACCEPT(4) Cole, Dik, Foat, Stracener
MODIFY(1) Frech
Voter Comments:
Frech> XF:solaris-adminsuite-password-map-permissions(7468)
Dik> 1236787
Name: CVE-1999-1426
Description:
Solaris Solstice AdminSuite (AdminSuite) 2.1 follows symbolic links
when updating an NIS database, which allows local users to overwrite
arbitrary files.
Status: Candidate
Phase: Proposed (20010912)
Reference: SUN:00145
Reference: URL:http://sunsolve.sun.com/pub-cgi/retrieve.pl?doctype=coll&doc=secbull/145
Reference: BID:208
Reference: URL:http://www.securityfocus.com/bid/208
Votes:
ACCEPT(4) Cole, Dik, Foat, Stracener
MODIFY(1) Frech
Voter Comments:
Frech> XF:solaris-adminsuite-symlink(7469)
Dik> sun bug: 1262888
Name: CVE-1999-1427
Description:
Solaris Solstice AdminSuite (AdminSuite) 2.1 and 2.2 create lock files
insecurely, which allows local users to gain root privileges.
Status: Candidate
Phase: Proposed (20010912)
Reference: SUN:00145
Reference: URL:http://sunsolve.sun.com/pub-cgi/retrieve.pl?doctype=coll&doc=secbull/145
Reference: BID:208
Reference: URL:http://www.securityfocus.com/bid/208
Votes:
ACCEPT(4) Cole, Dik, Foat, Stracener
MODIFY(1) Frech
Voter Comments:
Frech> XF:solaris-adminsuite-lock-file(7470)
Dik> sun bug: 1262888
Name: CVE-1999-1428
Description:
Solaris Solstice AdminSuite (AdminSuite) 2.1 and 2.2 allows local
users to gain privileges via the save option in the Database Manager,
which is running with setgid bin privileges.
Status: Candidate
Phase: Proposed (20010912)
Reference: SUN:00145
Reference: URL:http://sunsolve.sun.com/pub-cgi/retrieve.pl?doctype=coll&doc=secbull/145
Reference: BID:208
Reference: URL:http://www.securityfocus.com/bid/208
Votes:
ACCEPT(4) Cole, Dik, Foat, Stracener
MODIFY(1) Frech
Voter Comments:
Frech> XF:solaris-adminsuite-database-manager(7471)
Dik> sun bug: 4005611
Name: CVE-1999-1429
Description:
DIT TransferPro installs devices with world-readable and
world-writable permissions, which could allow local users to damage
disks through the ff device driver.
Status: Candidate
Phase: Proposed (20010912)
Reference: BUGTRAQ:19980105 Security flaw in either DIT TransferPro or Solaris
Reference: URL:http://marc.theaimsgroup.com/?l=bugtraq&m=88419633507543&w=2
Reference: BID:204
Reference: URL:http://www.securityfocus.com/bid/204
Votes:
MODIFY(1) Frech
NOOP(3) Cole, Foat, Wall
Voter Comments:
Frech> XF:transferpro-devices-insecure-permissions(7305)
Name: CVE-1999-1430
Description:
PIM software for Royal daVinci does not properly password-protext
access to data stored in the .mdb (Microsoft Access) file, which
allows local users to read the data without a password by directly
accessing the files with a different application, such as Access.
Status: Candidate
Phase: Proposed (20010912)
Reference: BUGTRAQ:19990102 security problem with Royal daVinci
Reference: URL:http://marc.theaimsgroup.com/?l=bugtraq&m=91540043723185&w=2
Reference: BID:185
Reference: URL:http://www.securityfocus.com/bid/185
Votes:
MODIFY(1) Frech
NOOP(3) Cole, Foat, Wall
Voter Comments:
Frech> XF:davinci-pim-access-information(7562)
Name: CVE-1999-1431
Description:
ZAK in Appstation mode allows users to bypass the "Run only allowed
apps" policy by starting Explorer from Office 97 applications (such as
Word), installing software into the TEMP directory, and changing the
name to that for an allowed application, such as Winword.exe.
Status: Candidate
Phase: Proposed (20010912)
Reference: NTBUGTRAQ:19990107 WinNT, ZAK and Office 97
Reference: URL:http://marc.theaimsgroup.com/?l=ntbugtraq&m=91576100022688&w=2
Reference: NTBUGTRAQ:19990109 WinNT, ZAK and Office 97
Reference: URL:http://marc.theaimsgroup.com/?l=ntbugtraq&m=91606260910008&w=2
Reference: BID:181
Reference: URL:http://www.securityfocus.com/bid/181
Votes:
MODIFY(1) Frech
NOOP(3) Cole, Foat, Wall
Voter Comments:
Frech> XF:zak-bypass-restrictions(7563)
Name: CVE-1999-1434
Description:
login in Slackware Linux 3.2 through 3.5 does not properly check for
an error when the /etc/group file is missing, which prevents it from
dropping privileges, causing it to assign root privileges to any local
user who logs on to the server.
Status: Candidate
Phase: Proposed (20010912)
Reference: BUGTRAQ:19980713 Slackware Shadow Insecurity
Reference: URL:http://marc.theaimsgroup.com/?l=bugtraq&m=90221104525951&w=2
Reference: BID:155
Reference: URL:http://www.securityfocus.com/bid/155
Votes:
NOOP(3) Cole, Foat, Wall
Name: CVE-1999-1435
Description:
Buffer overflow in libsocks5 library of Socks 5 (socks5) 1.0r5 allows
local users to gain privileges via long environmental variables.
Status: Candidate
Phase: Proposed (20010912)
Reference: BUGTRAQ:19980710 socks5 1.0r5 buffer overflow..
Reference: URL:http://marc.theaimsgroup.com/?l=bugtraq&m=90221104525933&w=2
Reference: BID:154
Reference: URL:http://www.securityfocus.com/bid/154
Votes:
ACCEPT(1) Cole
NOOP(2) Foat, Wall
Name: CVE-1999-1436
Description:
Ray Chan WWW Authorization Gateway 0.1 CGI program allows remote
attackers to execute arbitrary commands via shell metacharacters in
the "user" parameter.
Status: Candidate
Phase: Proposed (20010912)
Reference: BUGTRAQ:19980708 WWW Authorization Gateway
Reference: URL:http://marc.theaimsgroup.com/?l=bugtraq&m=90221104525905&w=2
Reference: BID:152
Reference: URL:http://www.securityfocus.com/bid/152
Votes:
NOOP(3) Cole, Foat, Wall
Name: CVE-1999-1438
Description:
Vulnerability in /bin/mail in SunOS 4.1.1 and earlier allows local
users to gain root privileges via certain command line arguments.
Status: Candidate
Phase: Proposed (20010912)
Reference: CERT:CA-1991-01
Reference: URL:http://www.cert.org/advisories/CA-91.01a.SunOS.mail.vulnerability
Reference: SUN:00105
Reference: URL:http://sunsolve.sun.com/pub-cgi/retrieve.pl?doctype=coll&doc=secbull/105
Reference: BID:15
Reference: URL:http://www.securityfocus.com/bid/15
Votes:
ACCEPT(4) Cole, Dik, Foat, Stracener
MODIFY(1) Frech
NOOP(2) Christey, Wall
Voter Comments:
Frech> XF:bsd-binmail(515)
Dik> sun bug: 1047340
Christey> Is there overlap between CVE-1999-1415 and CVE-1999-1438?
Both CERT advisories are vague.
Name: CVE-1999-1439
Description:
gcc 2.7.2 allows local users to overwrite arbitrary files via a
symlink attack on temporary .i, .s, or .o files.
Status: Candidate
Phase: Proposed (20010912)
Reference: BUGTRAQ:19980102 Symlink bug with GCC 2.7.2
Reference: URL:http://marc.theaimsgroup.com/?l=bugtraq&m=88419592307388&w=2
Reference: BUGTRAQ:19980108 GCC Exploit
Reference: URL:http://marc.theaimsgroup.com/?l=bugtraq&m=88524071002939&w=2
Reference: BUGTRAQ:19980115 GCC 2.7.? /tmp files
Reference: URL:http://marc.theaimsgroup.com/?l=bugtraq&m=88492937727193&w=2
Reference: BID:146
Reference: URL:http://www.securityfocus.com/bid/146
Votes:
ACCEPT(1) Cole
MODIFY(1) Frech
NOOP(2) Foat, Wall
Voter Comments:
Frech> XF:gnu-gcc-tmp-symlink(7338)
Name: CVE-1999-1440
Description:
Win32 ICQ 98a 1.30, and possibly other versions, does not display the
entire portion of long filenames, which could allow attackers to send
an executable file with a long name that contains so many spaces that
the .exe extension is not displayed, which could make the user believe
that the file is safe to open from the client.
Status: Candidate
Phase: Proposed (20010912)
Reference: BUGTRAQ:19990101 Win32 ICQ 98a flaw
Reference: URL:http://marc.theaimsgroup.com/?l=bugtraq&m=91522424302962&w=2
Reference: BID:132
Reference: URL:http://www.securityfocus.com/bid/132
Votes:
ACCEPT(1) Cole
MODIFY(1) Frech
NOOP(2) Foat, Wall
Voter Comments:
Frech> XF:icq-long-filename(7564)
Name: CVE-1999-1441
Description:
Linux 2.0.34 does not properly prevent users from sending SIGIO
signals to arbitrary processes, which allows local users to cause a
denial of service by sending SIGIO to processes that do not catch it.
Status: Candidate
Phase: Proposed (20010912)
Reference: BUGTRAQ:19980630 Serious Linux 2.0.34 security problem
Reference: URL:http://marc.theaimsgroup.com/?l=bugtraq&m=90221103126047&w=2
Reference: BID:111
Reference: URL:http://www.securityfocus.com/bid/111
Votes:
MODIFY(1) Frech
NOOP(3) Cole, Foat, Wall
Voter Comments:
Frech> XF:linux-sigio-dos(7339)
Name: CVE-1999-1442
Description:
Bug in AMD K6 processor on Linux 2.0.x and 2.1.x kernels allows local
users to cause a denial of service (crash) via a particular sequence
of instructions, possibly related to accessing addresses outside of
segments.
Status: Candidate
Phase: Proposed (20010912)
Reference: MISC:http://www.cs.helsinki.fi/linux/linux-kernel/Year-1998/1998-25/0816.html
Reference: MISC:http://uwsg.iu.edu/hypermail/linux/kernel/9805.3/0855.html
Reference: BID:105
Reference: URL:http://www.securityfocus.com/bid/105
Votes:
MODIFY(1) Frech
NOOP(3) Cole, Foat, Wall
Voter Comments:
Frech> XF:linux-k6-dos(7340)
Name: CVE-1999-1443
Description:
Micah Software Full Armor Network Configurator and Zero Administration
allow local users with physical access to bypass the desktop
protection by (1) using <CTRL><ALT><DEL> and kill the process using
the task manager, (2) booting the system from a separate disk, or (3)
interrupting certain processes that execute while the system is
booting.
Status: Candidate
Phase: Proposed (20010912)
Reference: BUGTRAQ:19980602 Full Armor.... Fool Proof etc... bugs
Reference: URL:http://marc.theaimsgroup.com/?l=bugtraq&m=90221103125889&w=2
Reference: BUGTRAQ:19980609 Full Armor
Reference: URL:http://marc.theaimsgroup.com/?l=bugtraq&m=90221103125869&w=2
Reference: BID:103
Reference: URL:http://www.securityfocus.com/bid/103
Votes:
MODIFY(1) Frech
NOOP(3) Cole, Foat, Wall
Voter Comments:
Frech> XF:full-armor-protection-bypass(7341)
Name: CVE-1999-1444
Description:
genkey utility in Alibaba 2.0 generates RSA key pairs with an exponent
of 1, which results in transactions that are sent in cleartext.
Status: Candidate
Phase: Proposed (20010912)
Reference: MISC:http://catless.ncl.ac.uk/Risks/20.41.html#subj4
Votes:
NOOP(3) Cole, Foat, Wall
REVIEWING(1) Frech
Voter Comments:
Frech> (Task 2290)
Name: CVE-1999-1445
Description:
Vulnerability in imapd and ipop3d in Slackware 3.4 and 3.3 with
shadowing enabled, and possibly other operating systems, allows remote
attackers to cause a core dump via a short sequence of USER and PASS
commands that do not provide valid usernames or passwords.
Status: Candidate
Phase: Proposed (20010912)
Reference: BUGTRAQ:19980202 imapd/ipop3d coredump in slackware 3.4
Reference: URL:http://marc.theaimsgroup.com/?l=bugtraq&m=88637951600184&w=2
Votes:
MODIFY(1) Frech
NOOP(3) Cole, Foat, Wall
Voter Comments:
Frech> XF:linux-imapd-ipop3d-dos(7345)
Name: CVE-1999-1446
Description:
Internet Explorer 3 records a history of all URL's that are visited by
a user in DAT files located in the Temporary Internet Files and
History folders, which are not cleared when the user selects the
"Clear History" option, and are not visible when the user browses the
folders because of tailored displays.
Status: Candidate
Phase: Proposed (20010912)
Reference: NTBUGTRAQ:19970805 Re: Strange behavior regarding directory
Reference: URL:http://marc.theaimsgroup.com/?l=ntbugtraq&m=87602837719654&w=2
Reference: NTBUGTRAQ:19970806 Re: Strange behavior regarding directory
Reference: URL:http://marc.theaimsgroup.com/?l=ntbugtraq&m=87602837719655&w=2
Votes:
MODIFY(1) Frech
NOOP(2) Cole, Foat
Voter Comments:
Frech> XF:http-ie-record(524)
In description, URL's should be URLs.
Name: CVE-1999-1447
Description:
Internet Explorer 4.0 allows remote attackers to cause a denial of
service (crash) via HTML code that contains a long CLASSID parameter
in an OBJECT tag.
Status: Candidate
Phase: Modified (20020218-01)
Reference: BUGTRAQ:19980728 Object tag crashes Internet Explorer 4.0
Reference: URL:http://marc.theaimsgroup.com/?l=bugtraq&m=90221104526169&w=2
Reference: BUGTRAQ:19980730 Re: Object tag crashes Internet Explorer 4.0
Reference: URL:http://marc.theaimsgroup.com/?l=bugtraq&m=90221104526188&w=2
Votes:
ACCEPT(2) Cole, Wall
NOOP(2) Christey, Foat
Voter Comments:
Christey> BUGTRAQ:19980730 Re: Object tag crashes Internet Explorer 4.0
URL:http://marc.theaimsgroup.com/?l=bugtraq&m=90221104526188&w=2
Name: CVE-1999-1448
Description:
Eudora and Eudora Light before 3.05 allows remote attackers to cause a
crash and corrupt the user's mailbox via an e-mail message with
certain dates, such as (1) dates before 1970, which cause a Divide By
Zero error, or (2) dates that are 100 years after the current date,
which causes a segmentation fault.
Status: Candidate
Phase: Proposed (20010912)
Reference: BUGTRAQ:19980729 Eudora exploit (was Microsoft Security Bulletin (MS98-008))
Reference: URL:http://marc.theaimsgroup.com/?l=bugtraq&m=90221104526168&w=2
Votes:
NOOP(3) Cole, Foat, Wall
Name: CVE-1999-1449
Description:
SunOS 4.1.4 on a Sparc 20 machine allows local users to cause a denial
of service (kernel panic) by reading from the /dev/tcx0 TCX device.
Status: Candidate
Phase: Proposed (20010912)
Reference: BUGTRAQ:19970519 /dev/tcx0 crashes SunOS 4.1.4 on Sparc 20's
Reference: URL:http://oamk.fi/~jukkao/bugtraq/before-971202/0498.html
Reference: MISC:http://www.insecure.org/sploits/sunos.dev.tcx0.write.wierd.shit.to.device.bug.html
Votes:
MODIFY(1) Frech
NOOP(2) Cole, Foat
Voter Comments:
Frech> XF:sun-tcx-dos(7197)
Name: CVE-1999-1450
Description:
Vulnerability in (1) rlogin daemon rshd and (2) scheme on SCO UNIX
OpenServer 5.0.5 and earlier, and SCO UnixWare 7.0.1 and earlier,
allows remote attackers to gain privileges.
Status: Candidate
Phase: Proposed (20010912)
Reference: SCO:SB-99.03b
Reference: URL:ftp://ftp.sco.com/SSE/security_bulletins/SB-99.03b
Reference: SCO:SB-99.06b
Reference: URL:ftp://ftp.sco.com/SSE/security_bulletins/SB-99.06b
Reference: SCO:SSE020
Reference: URL:ftp://ftp.sco.COM/SSE/sse020.ltr
Reference: SCO:SSE023
Votes:
ACCEPT(3) Cole, Foat, Stracener
MODIFY(1) Frech
Voter Comments:
Frech> XF:sco-rshd(7466)
Correct URLS are listed below:
Reference: SCO:SSE020
Reference:
URL:ftp://stage.caldera.com/pub/security/sse/sse020/sse020.ltr
Reference: SCO:SSE023
Reference:
URL:ftp://stage.caldera.com/pub/security/sse/sse023/sse023.ltr
Name: CVE-1999-1451
Description:
The Winmsdp.exe sample file in IIS 4.0 and Site Server 3.0 allows
remote attackers to read arbitrary files.
Status: Candidate
Phase: Proposed (20010912)
Reference: MSKB:Q231368
Reference: URL:http://support.microsoft.com/support/kb/articles/q231/3/68.asp
Reference: MS:MS99-013
Reference: URL:http://www.microsoft.com/technet/security/bulletin/ms99-013.asp
Reference: XF:iis-samples-winmsdp(3271)
Reference: URL:http://xforce.iss.net/static/3271.php
Votes:
ACCEPT(4) Cole, Foat, Frech, Wall
Name: CVE-1999-1453
Description:
Internet Explorer 4 allows remote attackers (malicious web site
operators) to read the contents of the clipboard via the Internet
WebBrowser ActiveX object.
Status: Candidate
Phase: Proposed (20010912)
Reference: NTBUGTRAQ:19990222 New IE4 vulnerability : the clipboard again.
Reference: URL:http://marc.theaimsgroup.com/?l=ntbugtraq&m=91979439932341&w=2
Reference: BID:215
Reference: URL:http://www.securityfocus.com/bid/215
Votes:
ACCEPT(1) Wall
MODIFY(1) Frech
NOOP(2) Cole, Foat
Voter Comments:
Frech> XF:webbrowser-activex-view-clipboard(7565)
REMOVE:http://www.securityfocus.com/bid/215 This reference
deals with the Forms vulnerability only.
Name: CVE-1999-1454
Description:
Macromedia "The Matrix" screen saver on Windows 95 with the "Password
protected" option enabled allows attackers with physical access to the
machine to bypass the password prompt by pressing the ESC (Escape)
key.
Status: Candidate
Phase: Proposed (20010912)
Reference: BUGTRAQ:19991004 Weakness In "The Matrix" Screensaver For Windows
Reference: URL:http://marc.theaimsgroup.com/?l=bugtraq&m=93915027622690&w=2
Votes:
MODIFY(1) Frech
NOOP(4) Christey, Cole, Foat, Wall
Voter Comments:
Christey> Looks like there might have been a re-discovery, though the
exploit is slightly different, and there is insufficient
detail to be certain that this isn't for a different
Matrix screen saver:
BUGTRAQ:20010801 matrix screensvr(16 Bit CineMac Screen Saver Engine) - [input validation error?]
URL:http://marc.theaimsgroup.com/?l=bugtraq&m=99669949717618&w=2
BID:3130
URL:http://www.securityfocus.com/bid/3130
Frech> XF:matrix-win95-password-bypass(8280)
Name: CVE-1999-1457
Description:
Buffer overflow in thttpd HTTP server before 2.04-31 allows remote
attackers to execute arbitrary commands via a long date string, which
is not properly handled by the tdate_parse function.
Status: Candidate
Phase: Proposed (20010912)
Reference: SUSE:19991116 thttpd
Reference: URL:http://www.novell.com/linux/security/advisories/suse_security_announce_30.html
Votes:
ACCEPT(3) Cole, Foat, Stracener
REJECT(1) Frech
Name: CVE-1999-1458
Description:
Buffer overflow in at program in Digital UNIX 4.0 allows local users
to gain root privileges via a long command line argument.
Status: Candidate
Phase: Proposed (20010912)
Reference: BUGTRAQ:19990125 Digital Unix 4.0 exploitable buffer overflows
Reference: URL:http://www.securityfocus.com/archive/1/12121
Reference: SCO:SSRT0583U
Reference: URL:http://ftp1.support.compaq.com/public/dunix/v4.0d/ssrt0583u.README
Reference: XF:du-at(3138)
Reference: URL:http://xforce.iss.net/static/3138.php
Votes:
ACCEPT(3) Cole, Foat, Frech
NOOP(1) Stracener
Name: CVE-1999-1459
Description:
BMC PATROL Agent before 3.2.07 allows local users to gain root
privileges via a symlink attack on a temporary file.
Status: Candidate
Phase: Proposed (20010912)
Reference: ISS:19981102 BMC PATROL File Creation Vulnerability
Reference: URL:http://xforce.iss.net/alerts/advise10.php
Reference: XF:bmc-patrol-file-create(1388)
Reference: URL:http://xforce.iss.net/static/1388.php
Reference: BID:534
Reference: URL:http://www.securityfocus.com/bid/534
Votes:
ACCEPT(2) Cole, Frech
NOOP(3) Christey, Foat, Wall
Voter Comments:
Christey> The vendor has acknowledged this vulnerability via e-mail. It
has been fixed.
NOTE: despite the fact that this candidate has been acknowledged
and fixed by the vendor, it is affected by the CVE content
decision CD:SF-LOC. It cannot be accepted until the
CD:SF-LOC guidelines have been finalized.
Name: CVE-1999-1460
Description:
BMC PATROL SNMP Agent before 3.2.07 allows local users to create
arbitrary world-writeable files as root by specifying the target file
as the second argument to the snmpmagt program.
Status: Candidate
Phase: Proposed (20010912)
Reference: BUGTRAQ:19990713 Root Perms Gained with Patrol SNMP Agent 3.2 (all others?)
Reference: URL:http://marc.theaimsgroup.com/?l=bugtraq&m=93198293132463&w=2
Reference: BUGTRAQ:19990801 Re: Root Perms Gained with Patrol SNMP Agent 3.2 (all others?)
Reference: URL:http://marc.theaimsgroup.com/?l=bugtraq&m=93372579004129&w=2
Reference: BID:525
Reference: URL:http://www.securityfocus.com/bid/525
Votes:
MODIFY(1) Frech
NOOP(4) Christey, Cole, Foat, Wall
Voter Comments:
Frech> XF:patrol-snmp-file-creation(2347)
Christey> The vendor has acknowledged this vulnerability via e-mail. It
has been fixed.
NOTE: despite the fact that this candidate has been acknowledged
and fixed by the vendor, it is affected by the CVE content
decision CD:SF-LOC. It cannot be accepted until the
CD:SF-LOC guidelines have been finalized.
Name: CVE-1999-1461
Description:
inpview in InPerson on IRIX 5.3 through IRIX 6.5.10 trusts the PATH
environmental variable to find and execute the ttsession program,
which allows local users to obtain root access by modifying the PATH
to point to a Trojan horse ttsession program.
Status: Candidate
Phase: Proposed (20010912)
Reference: BUGTRAQ:19970507 Irix: misc
Reference: URL:http://marc.theaimsgroup.com/?l=bugtraq&m=87602167420921&w=2
Reference: SGI:20001101-01-I
Reference: URL:ftp://patches.sgi.com/support/free/security/advisories/20001101-01-I
Reference: BID:381
Reference: URL:http://www.securityfocus.com/bid/381
Votes:
ACCEPT(3) Cole, Foat, Stracener
REJECT(1) Frech
Voter Comments:
Frech> Possible conflict with CVE-2000-0799.
Name: CVE-1999-1462
Description:
Vulnerability in bb-hist.sh CGI History module in Big Brother 1.09b
and 1.09c allows remote attacker to read portions of arbitrary files.
Status: Candidate
Phase: Proposed (20010912)
Reference: BUGTRAQ:19990426 FW: Security Notice: Big Brother 1.09b/c
Reference: URL:http://www.securityfocus.com/archive/1/13440
Reference: CONFIRM:http://bb4.com/README.CHANGES
Reference: BID:142
Reference: URL:http://www.securityfocus.com/bid/142
Reference: XF:http-cgi-bigbrother-bbhist(3755)
Reference: URL:http://xforce.iss.net/static/3755.php
Votes:
ACCEPT(5) Armstrong, Cole, Foat, Frech, Stracener
NOOP(1) Wall
Name: CVE-1999-1463
Description:
Windows NT 4.0 before SP3 allows remote attackers to bypass firewall
restrictions or cause a denial of service (crash) by sending
improperly fragmented IP packets without the first fragment, which the
TCP/IP stack incorrectly reassembles into a valid session.
Status: Candidate
Phase: Proposed (20010912)
Reference: BUGTRAQ:19970710 A New Fragmentation Attack
Reference: URL:http://www.securityfocus.com/archive/1/7219
Reference: XF:nt-frag(528)
Reference: URL:http://xforce.iss.net/static/528.php
Votes:
ACCEPT(2) Cole, Frech
NOOP(1) Foat
Voter Comments:
Frech> This issue is also listed under CVE-1999-0226.
Name: CVE-1999-1464
Description:
Vulnerability in Cisco IOS 11.1CC and 11.1CT with distributed fast
switching (DFS) enabled allows remote attackers to bypass certain
access control lists when the router switches traffic from a
DFS-enabled interface to an interface that does not have DFS enabled,
as described by Cisco bug CSCdk35564.
Status: Candidate
Phase: Proposed (20010912)
Reference: CISCO:19981105 Cisco IOS DFS Access List Leakage
Reference: URL:http://www.cisco.com/warp/public/770/iosdfsacl-pub.shtml
Reference: CIAC:J-016
Reference: URL:http://ciac.llnl.gov/ciac/bulletins/j-016.shtml
Reference: XF:cisco-acl-leakage(1401)
Reference: URL:http://xforce.iss.net/static/1401.php
Votes:
ACCEPT(6) Armstrong, Balinsky, Cole, Foat, Frech, Stracener
NOOP(1) Wall
Name: CVE-1999-1465
Description:
Vulnerability in Cisco IOS 11.1 through 11.3 with distributed fast
switching (DFS) enabled allows remote attackers to bypass certain
access control lists when the router switches traffic from a
DFS-enabled input interface to an output interface with a logical
subinterface, as described by Cisco bug CSCdk43862.
Status: Candidate
Phase: Modified (20020228-01)
Reference: CISCO:19981105 Cisco IOS DFS Access List Leakage
Reference: URL:http://www.cisco.com/warp/public/770/iosdfsacl-pub.shtml
Reference: CIAC:J-016
Reference: URL:http://ciac.llnl.gov/ciac/bulletins/j-016.shtml
Reference: XF:cisco-acl-leakage(1401)
Reference: URL:http://xforce.iss.net/static/1401.php
Votes:
ACCEPT(6) Armstrong, Balinsky, Cole, Foat, Frech, Stracener
NOOP(1) Wall
Name: CVE-1999-1466
Description:
Vulnerability in Cisco routers versions 8.2 through 9.1 allows remote
attackers to bypass access control lists when extended IP access lists
are used on certain interfaces, the IP route cache is enabled, and the
access list uses the "established" keyword.
Status: Candidate
Phase: Proposed (20010912)
Reference: CERT:CA-1992-20
Reference: URL:http://www.cert.org/advisories/CA-1992-20.html
Reference: BID:53
Reference: URL:http://www.securityfocus.com/bid/53
Votes:
ACCEPT(3) Cole, Foat, Stracener
MODIFY(1) Frech
NOOP(2) Christey, Wall
Voter Comments:
Frech> XF:cisco-acl-established(1248)
Possible dupe with CVE-1999-0162.
Christey> This is not a dupe with CVE-1999-0162. The Cisco advisory
referenced in CVE-1999-0162 says that affected Cisco versions
are 10.0 through 10.3. This CAN deals with versions 8.2
through 9.1. In addition, the date of release of
CVE-1999-0162 is June 1995; this CAN was released December
1992. Both items include clear Cisco acknowledgement with
details, so we should conclude that they are separate
problems, despite the vagueness of the reports.
Name: CVE-1999-1467
Description:
Vulnerability in rcp on SunOS 4.0.x allows remote attackers from
trusted hosts to execute arbitrary commands as root, possibly related
to the configuration of the nobody user.
Status: Candidate
Phase: Proposed (20010912)
Reference: CERT:CA-1989-07
Reference: URL:http://www.cert.org/advisories/CA-1989-07.html
Reference: BID:5
Reference: URL:http://www.securityfocus.com/bid/5
Reference: XF:sun-rcp(3165)
Reference: URL:http://xforce.iss.net/static/3165.php
Votes:
ACCEPT(5) Cole, Dik, Foat, Frech, Stracener
NOOP(1) Wall
Voter Comments:
Dik> sun bug: 1028958
Name: CVE-1999-1469
Description:
Buffer overflow in w3-auth CGI program in miniSQL package allows
remote attackers to execute arbitrary commands via an HTTP request
with (1) a long URL, or (2) a long User-Agent MIME header.
Status: Candidate
Phase: Proposed (20010912)
Reference: BUGTRAQ:19990930 mini-sql Buffer Overflow
Reference: URL:http://marc.theaimsgroup.com/?l=bugtraq&m=93871926821410&w=2
Votes:
MODIFY(1) Frech
NOOP(3) Cole, Foat, Wall
Voter Comments:
Frech> XF:msql-w3auth-bo(8301)
Name: CVE-1999-1470
Description:
Eastman Work Management 3.21 stores passwords in cleartext in the
COMMON and LOCATOR registry keys, which could allow local users to
gain privileges.
Status: Candidate
Phase: Proposed (20010912)
Reference: NTBUGTRAQ:19990624 Eastman Software Work Management 3.21
Reference: URL:http://marc.theaimsgroup.com/?l=ntbugtraq&m=93034788412494&w=2
Reference: XF:eastman-cleartext-passwords(2303)
Reference: URL:http://xforce.iss.net/static/2303.php
Reference: BID:485
Reference: URL:http://www.securityfocus.com/bid/485
Votes:
ACCEPT(1) Frech
NOOP(3) Cole, Foat, Wall
Name: CVE-1999-1471
Description:
Buffer overflow in passwd in BSD based operating systems 4.3 and
earlier allows local users to gain root privileges by specifying a
long shell or GECOS field.
Status: Candidate
Phase: Modified (20020218-01)
Reference: CERT:CA-1989-01
Reference: URL:http://www.cert.org/advisories/CA-1989-01.html
Reference: BID:4
Reference: URL:http://www.securityfocus.com/bid/4
Reference: XF:bsd-passwd-bo(7152)
Reference: URL:http://www.iss.net/security_center/static/7152.php
Votes:
ACCEPT(3) Cole, Foat, Stracener
MODIFY(1) Frech
NOOP(1) Wall
Voter Comments:
Frech> XF:bsd-passwd-bo(7152)
Name: CVE-1999-1474
Description:
PowerPoint 95 and 97 allows remote attackers to cause an application
to be run automatically without prompting the user, possibly through
the slide show, when the document is opened in browsers such as
Internet Explorer.
Status: Candidate
Phase: Proposed (20010912)
Reference: CONFIRM:http://www.microsoft.com/windows/ie/security/powerpoint.asp
Reference: XF:nt-ppt-patch(179)
Reference: URL:http://xforce.iss.net/static/179.php
Votes:
ACCEPT(6) Armstrong, Cole, Foat, Frech, Stracener, Wall
Voter Comments:
Frech> Looks like CONFIRM URL is too old for Microsoft to keep
(currently cached at
http://www.google.com/search?q=cache:86loHcRhaL4:www.microsoft.com/ie/
security/powerpoint.htm+%22PowerPoint+Browsing+Security+Issue%22&hl=en
). Same information is available at BugTraq at
http://www.securityfocus.com/cgi-bin/archive.pl?id=1&mid=6724
Name: CVE-1999-1475
Description:
ProFTPd 1.2 compiled with the mod_sqlpw module records user passwords
in the wtmp log file, which allows local users to obtain the passwords
and gain privileges by reading wtmp, e.g. via the last command.
Status: Candidate
Phase: Proposed (20010912)
Reference: BUGTRAQ:19991119 ProFTPd - mod_sqlpw.c
Reference: URL:http://www.securityfocus.com/archive/1/35483
Reference: BID:812
Reference: URL:http://www.securityfocus.com/bid/812
Votes:
MODIFY(1) Frech
NOOP(3) Cole, Foat, Wall
Voter Comments:
Frech> XF:proftpd-modsqlpw-insecure-passwords(8332)
Name: CVE-1999-1477
Description:
Buffer overflow in GNOME libraries 1.0.8 allows local user to gain
root access via a long --espeaker argument in programs such as
nethack.
Status: Candidate
Phase: Proposed (20010912)
Reference: BUGTRAQ:19990923 Linux GNOME exploit
Reference: URL:http://www.securityfocus.com/archive/1/28717
Reference: BID:663
Reference: URL:http://www.securityfocus.com/bid/663
Reference: XF:gnome-espeaker-local-bo(3349)
Reference: URL:http://xforce.iss.net/static/3349.php
Votes:
ACCEPT(1) Frech
NOOP(3) Cole, Foat, Wall
Name: CVE-1999-1479
Description:
The textcounter.pl by Matt Wright allows remote attackers to execute
arbitrary commands via shell metacharacters.
Status: Candidate
Phase: Modified (20080304)
Reference: BUGTRAQ:19980624 textcounter.pl SECURITY HOLE
Reference: URL:http://www.securityfocus.com/archive/1/9609
Reference: BID:2265
Reference: URL:http://www.securityfocus.com/bid/2265
Reference: XF:http-cgi-textcounter(2052)
Reference: URL:http://xforce.iss.net/static/2052.php
Votes:
ACCEPT(1) Frech
NOOP(3) Cole, Foat, Wall
Name: CVE-1999-1480
Description:
(1) acledit and (2) aclput in AIX 4.3 allow local users to create or
modify files via a symlink attack.
Status: Candidate
Phase: Proposed (20010912)
Reference: BID:429
Reference: URL:http://www.securityfocus.com/bid/429
Votes:
MODIFY(1) Frech
NOOP(3) Cole, Foat, Wall
Voter Comments:
Frech> XF:aix-acledit-aclput-symlink(7346)
CONFIRM:APAR IX79139
Name: CVE-1999-1482
Description:
SVGAlib zgv 3.0-7 and earlier allows local users to gain root access
via a privilege leak of the iopl(3) privileges to child processes.
Status: Candidate
Phase: Proposed (20010912)
Reference: BUGTRAQ:19990219 Security hole: "zgv"
Reference: URL:http://www.securityfocus.com/templates/archive.pike?list=1&date=1999-02-15&msg=Pine.LNX.3.96.990219175605.9622A-100000@ferret.lmh.ox.ac.uk
Votes:
MODIFY(1) Frech
NOOP(3) Cole, Foat, Wall
Voter Comments:
Frech> XF:zgv-privilege-leak(1798)
Name: CVE-1999-1483
Description:
Buffer overflow in zgv in svgalib 1.2.10 and earlier allows local
users to execute arbitrary code via a long HOME environment variable.
Status: Candidate
Phase: Proposed (20010912)
Reference: BUGTRAQ:19970619 svgalib/zgv
Reference: URL:http://www.securityfocus.com/archive/1/7041
Votes:
MODIFY(1) Frech
NOOP(2) Cole, Foat
Voter Comments:
Frech> XF;linux-svgalib-dos(3412)
Name: CVE-1999-1484
Description:
Buffer overflow in MSN Setup BBS 4.71.0.10 ActiveX control
(setupbbs.ocx) allows a remote attacker to execute arbitrary commands
via the methods (1) vAddNewsServer or (2) bIsNewsServerConfigured.
Status: Candidate
Phase: Proposed (20010912)
Reference: BUGTRAQ:19990924 Several ActiveX Buffer Overruns
Reference: URL:http://www.securityfocus.com/archive/1/28719
Reference: XF:msn-setup-bbs-activex-bo(3310)
Reference: URL:http://xforce.iss.net/static/3310.php
Reference: BID:668
Reference: URL:http://www.securityfocus.com/bid/668
Votes:
ACCEPT(2) Cole, Frech
NOOP(2) Foat, Wall
Name: CVE-1999-1485
Description:
nsd in IRIX 6.5 through 6.5.2 exports a virtual filesystem on a UDP
port, which allows remote attackers to view files and cause a possible
denial of service by mounting the nsd virtual file system.
Status: Candidate
Phase: Modified (20060705)
Reference: BUGTRAQ:19990531 IRIX 6.5 nsd virtual filesystem vulnerability
Reference: URL:http://marc.theaimsgroup.com/?l=bugtraq&m=92818552106912&w=2
Reference: OSVDB:8564
Reference: URL:http://www.osvdb.org/8564
Reference: XF:sgi-nsd-view(2246)
Reference: URL:http://xforce.iss.net/static/2246.php
Reference: XF:sgi-nsd-create(2247)
Reference: URL:http://xforce.iss.net/static/2247.php
Reference: BID:412
Reference: URL:http://www.securityfocus.com/bid/412
Votes:
ACCEPT(1) Frech
NOOP(3) Cole, Foat, Wall
Name: CVE-1999-1487
Description:
Vulnerability in digest in AIX 4.3 allows printq users to gain root
privileges by creating and/or modifing any file on the system.
Status: Candidate
Phase: Modified (20020218-01)
Reference: AIXAPAR:IX74599
Reference: URL:http://www-1.ibm.com/servlet/support/manager?rt=0&rs=0&org=apars&doc=41D8B61D1E1C4FAB852567C9002C546C
Reference: BID:405
Reference: URL:http://www.securityfocus.com/bid/405
Reference: XF:aix-digest(7477)
Reference: URL:http://www.iss.net/security_center/static/7477.php
Votes:
ACCEPT(3) Cole, Foat, Stracener
MODIFY(1) Frech
Voter Comments:
Frech> XF:aix-digest(7477)
Name: CVE-1999-1489
Description:
Buffer overflow in TestChip function in XFree86 SuperProbe in
Slackware Linux 3.1 allows local users to gain root privileges via a
long -nopr argument.
Status: Candidate
Phase: Proposed (20010912)
Reference: BUGTRAQ:19970304 Linux SuperProbe exploit
Reference: URL:http://www.securityfocus.com/archive/1/6384
Reference: BID:364
Reference: URL:http://www.securityfocus.com/bid/364
Votes:
MODIFY(1) Frech
NOOP(2) Cole, Foat
Voter Comments:
Frech> XF:xfree86-superprobe-testchip-bo(7198)
Name: CVE-1999-1491
Description:
abuse.console in Red Hat 2.1 uses relative pathnames to find and
execute the undrv program, which allows local users to execute
arbitrary commands via a path that points to a Trojan horse program.
Status: Candidate
Phase: Proposed (20010912)
Reference: BUGTRAQ:19960202 abuse Red Hat 2.1 security hole
Reference: URL:http://marc.theaimsgroup.com/?l=bugtraq&m=87602167418994&w=2
Reference: BID:354
Reference: URL:http://www.securityfocus.com/bid/354
Votes:
ACCEPT(1) Cole
NOOP(1) Foat
Name: CVE-1999-1492
Description:
Vulnerability in (1) diskperf and (2) diskalign in IRIX 6.4 allows
local attacker to create arbitrary root owned files, leading to root
privileges.
Status: Candidate
Phase: Proposed (20010912)
Reference: SGI:19980502-01-P3030
Reference: URL:ftp://patches.sgi.com/support/free/security/advisories/19980502-01-P3030
Reference: XF:sgi-diskalign(2104)
Reference: URL:http://xforce.iss.net/static/2104.php
Reference: XF:sgi-diskperf(2103)
Reference: URL:http://xforce.iss.net/static/2103.php
Reference: BID:348
Reference: URL:http://www.securityfocus.com/bid/348
Votes:
ACCEPT(4) Cole, Foat, Frech, Stracener
Name: CVE-1999-1493
Description:
Vulnerability in crp in Hewlett Packard Apollo Domain OS SR10 through
SR10.3 allows remote attackers to gain root privileges via insecure
system calls, (1) pad_$dm_cmd and (2) pad_$def_pfk().
Status: Candidate
Phase: Modified (20020308-01)
Reference: CERT:CA-1991-23
Reference: URL:http://www.cert.org/advisories/CA-1991-23.html
Reference: BID:34
Reference: URL:http://www.securityfocus.com/bid/34
Reference: XF:apollo-crp-root-access(7158)
Reference: URL:http://xforce.iss.net/static/7158.php
Votes:
ACCEPT(3) Cole, Foat, Stracener
MODIFY(1) Frech
NOOP(1) Wall
Voter Comments:
Frech> XF:apollo-crp-root-access(7158)
Name: CVE-1999-1495
Description:
xtvscreen in SuSE Linux 6.0 allows local users to overwrite arbitrary
files via a symlink attack on the pic000.pnm file.
Status: Candidate
Phase: Proposed (20010912)
Reference: BUGTRAQ:19990218 xtvscreen and suse 6
Reference: URL:http://www.securityfocus.com/archive/1/12580
Reference: XF:xtvscreen-overwrite(1792)
Reference: URL:http://xforce.iss.net/static/1792.php
Reference: BID:325
Reference: URL:http://www.securityfocus.com/bid/325
Votes:
ACCEPT(1) Frech
NOOP(3) Cole, Foat, Wall
Name: CVE-1999-1496
Description:
Sudo 1.5 in Debian Linux 2.1 and Red Hat 6.0 allows local users to
determine the existence of arbitrary files by attempting to execute
the target filename as a program, which generates a different error
message when the file does not exist.
Status: Candidate
Phase: Proposed (20010912)
Reference: BUGTRAQ:19990608 unneeded information in sudo
Reference: URL:http://www.securityfocus.com/archive/1/14665
Reference: BID:321
Reference: URL:http://www.securityfocus.com/bid/321
Reference: XF:sudo-file-exists(2277)
Reference: URL:http://xforce.iss.net/static/2277.php
Votes:
ACCEPT(1) Frech
NOOP(3) Cole, Foat, Wall
Name: CVE-1999-1497
Description:
Ipswitch IMail 5.0 and 6.0 uses weak encryption to store passwords in
registry keys, which allows local attackers to read passwords for
e-mail accounts.
Status: Candidate
Phase: Modified (20070122)
Reference: BUGTRAQ:19991221 [w00giving '99 #11] IMail's password encryption scheme
Reference: URL:http://www.securityfocus.com/archive/1/39329
Reference: BID:880
Reference: URL:http://www.securityfocus.com/bid/880
Votes:
MODIFY(1) Frech
NOOP(3) Cole, Foat, Wall
Voter Comments:
Frech> XF:imail-passwords(1901)
May be the same as CVE-2000-0019 on a different level of
abstraction.
Name: CVE-1999-1498
Description:
Slackware Linux 3.4 pkgtool allows local attacker to read and write to
arbitrary files via a symlink attack on the reply file.
Status: Candidate
Phase: Proposed (20010912)
Reference: BUGTRAQ:19980406 insecure tmp file creation
Reference: BID:82
Reference: URL:http://www.securityfocus.com/bid/82
Votes:
MODIFY(1) Frech
NOOP(3) Cole, Foat, Wall
Voter Comments:
Frech> XF:linux-pkgtool-reply-symlink(7347)
Name: CVE-1999-1499
Description:
named in ISC BIND 4.9 and 8.1 allows local users to destroy files via
a symlink attack on (1) named_dump.db when root kills the process with
a SIGINT, or (2) named.stats when SIGIOT is used.
Status: Candidate
Phase: Proposed (20010912)
Reference: BUGTRAQ:19980410 BIND 4.9.7 named follows symlinks, clobbers anything
Reference: URL:http://www.securityfocus.com/archive/1/8966
Reference: BID:80
Reference: URL:http://www.securityfocus.com/bid/80
Votes:
MODIFY(1) Frech
NOOP(2) Cole, Wall
REJECT(1) Foat
Voter Comments:
Foat> The files get written to /var/named which the user does not have write
access.
Frech> XF:bind-sigint-sigiot-symlink(7366)
Name: CVE-1999-1500
Description:
Internet Anywhere POP3 Mail Server 2.3.1 allows remote attackers to
cause a denial of service (crash) via (1) LIST, (2) TOP, or (3) UIDL
commands using letters as arguments.
Status: Candidate
Phase: Proposed (20010912)
Reference: NTBUGTRAQ:19991001 Vulnerabilities in the Internet Anywhere Mail Server
Reference: URL:http://marc.theaimsgroup.com/?l=ntbugtraq&m=93880357530599&w=2
Reference: BID:733
Reference: URL:http://www.securityfocus.com/bid/733
Votes:
MODIFY(1) Frech
NOOP(3) Cole, Foat, Wall
Voter Comments:
Frech> XF:iams-pop3-command-dos(3283)
Name: CVE-1999-1501
Description:
(1) ipxchk and (2) ipxlink in SGI OS2 IRIX 6.3 does not properly clear
the IFS environmental variable before executing system calls, which
allows local users to execute arbitrary commands.
Status: Candidate
Phase: Proposed (20010912)
Reference: BUGTRAQ:19980408 SGI O2 ipx security issue
Reference: URL:http://marc.theaimsgroup.com/?l=bugtraq&m=89217373930054&w=2
Reference: BID:70
Reference: URL:http://www.securityfocus.com/bid/70
Reference: BID:71
Reference: URL:http://www.securityfocus.com/bid/71
Votes:
MODIFY(1) Frech
NOOP(3) Cole, Foat, Wall
REJECT(1) Christey
Voter Comments:
Frech> XF:irix-ipxchk-ipxlink-ifs-commands(7365)
Christey> DUPE CVE-1999-1040
Name: CVE-1999-1502
Description:
Buffer overflows in Quake 1.9 client allows remote malicious servers
to execute arbitrary commands via long (1) precache paths, (2) server
name, (3) server address, or (4) argument to the map console command.
Status: Candidate
Phase: Proposed (20010912)
Reference: BUGTRAQ:19980408 QuakeI client: serious holes.
Reference: URL:http://marc.theaimsgroup.com/?l=bugtraq&m=89205623028934&w=2
Reference: BID:68
Reference: URL:http://www.securityfocus.com/bid/68
Reference: BID:69
Reference: URL:http://www.securityfocus.com/bid/69
Votes:
MODIFY(1) Frech
NOOP(3) Cole, Foat, Wall
Voter Comments:
Frech> XF:quake-precache-bo(7358)
XF:quake-server-address-bo(7359)
XF:quake-map-argument-bo(7360)
Name: CVE-1999-1503
Description:
Network Flight Recorder (NFR) 1.5 and 1.6 allows remote attackers to
cause a denial of service in nfrd (crash) via a TCP packet with a null
header and data field.
Status: Candidate
Phase: Proposed (20010912)
Reference: BID:63
Reference: URL:http://www.securityfocus.com/bid/63
Votes:
ACCEPT(1) Cole
MODIFY(1) Frech
NOOP(2) Foat, Wall
Voter Comments:
Frech> XF:nfr-tcp-packet-dos(7357)
Name: CVE-1999-1504
Description:
Stalker Internet Mail Server 1.6 allows a remote attacker to cause a
denial of service (crash) via a long HELO command.
Status: Candidate
Phase: Proposed (20010912)
Reference: BUGTRAQ:19980408 Re: AppleShare IP Mail Server
Reference: URL:http://www.securityfocus.com/archive/1/8951
Reference: BID:62
Reference: URL:http://www.securityfocus.com/bid/62
Votes:
MODIFY(1) Frech
NOOP(3) Cole, Foat, Wall
Voter Comments:
Frech> XF:smtp-helo-bo(886)
Name: CVE-1999-1505
Description:
Buffer overflow in QuakeWorld 2.10 allows remote attackers to cause a
denial of service (crash) and possibly execute arbitrary commands via
a long initial connect packet.
Status: Candidate
Phase: Proposed (20010912)
Reference: BUGTRAQ:19980407 QW vulnerability
Reference: URL:http://marc.theaimsgroup.com/?l=bugtraq&m=89200537415923&w=2
Reference: BID:60
Reference: URL:http://www.securityfocus.com/bid/60
Votes:
MODIFY(1) Frech
NOOP(3) Cole, Foat, Wall
Voter Comments:
Frech> XF:quakeworld-connect-bo(7356)
Name: CVE-1999-1506
Description:
Vulnerability in SMI Sendmail 4.0 and earlier, on SunOS up to 4.0.3,
allows remote attackers to access user bin.
Status: Candidate
Phase: Proposed (20010912)
Reference: CERT:CA-1990-01
Reference: URL:http://www.cert.org/advisories/CA-90.01.sun.sendmail.vulnerability
Reference: BID:6
Reference: URL:http://www.securityfocus.com/bid/6
Votes:
ACCEPT(3) Cole, Dik, Stracener
MODIFY(1) Frech
NOOP(2) Foat, Wall
Voter Comments:
Frech> XF:sunos-sendmail-bin-access(7161)
Dik> sun bug 1028173
CHANGE> [Foat changed vote from ACCEPT to NOOP]
Name: CVE-1999-1508
Description:
Web server in Tektronix PhaserLink Printer 840.0 and earlier allows a
remote attacker to gain administrator access by directly calling
undocumented URLs such as ncl_items.html and ncl_subjects.html.
Status: Candidate
Phase: Proposed (20010912)
Reference: BUGTRAQ:19991116 [Fwd: Printer Vulnerability: Tektronix PhaserLink Webserver gives Administrator Password]
Reference: URL:http://marc.theaimsgroup.com/?l=bugtraq&m=94286041430870&w=2
Reference: BID:806
Reference: URL:http://www.securityfocus.com/bid/806
Votes:
MODIFY(1) Frech
NOOP(3) Cole, Foat, Wall
REVIEWING(1) Christey
Voter Comments:
Frech> XF:tektronix-phaserlink-webserver-backdoor(6482)
Possible dupe with CVE-2001-0484 and BID-2659.
Christey> CVE-2001-0484 may be a duplicate.
Name: CVE-1999-1509
Description:
Directory traversal vulnerability in Etype Eserv 2.50 web server
allows a remote attacker to read any file in the file system via a
.. (dot dot) in a URL.
Status: Candidate
Phase: Proposed (20010912)
Reference: NTBUGTRAQ:19991104 Eserv 2.50 Web interface Server Directory Traversal Vulnerability
Reference: URL:http://marc.theaimsgroup.com/?l=ntbugtraq&m=94177470915423&w=2
Reference: BUGTRAQ:19991104 Eserv 2.50 Web interface Server Directory Traversal Vulnerability
Reference: URL:http://marc.theaimsgroup.com/?l=bugtraq&m=94183041514522&w=2
Reference: BID:773
Reference: URL:http://www.securityfocus.com/bid/773
Reference: XF:eserv-fileread
Votes:
ACCEPT(1) Frech
NOOP(3) Cole, Foat, Wall
Voter Comments:
Frech> Normalize XF:eserv-fileread(3449)
Normalize URL:http://xforce.iss.net/static/3449.php
Name: CVE-1999-1510
Description:
Buffer overflows in Bisonware FTP server prior to 4.1 allow remote
attackers to cause a denial of service, and possibly execute arbitrary
commands, via long (1) USER, (2) LIST, or (3) CWD commands.
Status: Candidate
Phase: Proposed (20010912)
Reference: NTBUGTRAQ:19990517 Vulnerabilities in BisonWare FTP Server 3.5
Reference: URL:http://marc.theaimsgroup.com/?l=ntbugtraq&m=92697301706956&w=2
Reference: XF:bisonware-command-bo(3234)
Reference: URL:http://xforce.iss.net/static/3234.php
Votes:
ACCEPT(3) Cole, Foat, Frech
NOOP(1) Wall
Name: CVE-1999-1511
Description:
Buffer overflows in Xtramail 1.11 allow attackers to cause a denial of
service (crash) and possibly execute arbitrary commands via (1) a long
PASS command in the POP3 service, (2) a long HELO command in the SMTP
service, or (3) a long user name in the Control Service.
Status: Candidate
Phase: Proposed (20010912)
Reference: BUGTRAQ:19991110 Multiples Remotes DoS Attacks in Artisoft XtraMail v1.11 Vulnerability
Reference: URL:http://marc.theaimsgroup.com/?l=bugtraq&m=94226003804744&w=2
Reference: BID:791
Reference: URL:http://www.securityfocus.com/bid/791
Reference: XF:xtramail-pass-dos(3488)
Reference: URL:http://xforce.iss.net/static/3488.php
Votes:
ACCEPT(1) Frech
NOOP(3) Cole, Foat, Wall
Name: CVE-1999-1513
Description:
Management information base (MIB) for a 3Com SuperStack II hub running
software version 2.10 contains an object identifier
(.1.3.6.1.4.1.43.10.4.2) that is accessible by a read-only community
string, but lists the entire table of community strings, which could
allow attackers to conduct unauthorized activities.
Status: Candidate
Phase: Proposed (20010912)
Reference: BUGTRAQ:19990830 One more 3Com SNMP vulnerability
Reference: URL:http://marc.theaimsgroup.com/?l=bugtraq&m=93616983223090&w=2
Votes:
NOOP(3) Cole, Foat, Wall
REVIEWING(1) Frech
Voter Comments:
Frech> (ACCEPT; Task 2355)
Name: CVE-1999-1514
Description:
Buffer overflow in Celtech ExpressFS FTP server 2.x allows remote
attackers to cause a denial of service, and possibly execute arbitrary
commands, via a long USER command.
Status: Candidate
Phase: Proposed (20010912)
Reference: NTBUGTRAQ:19990729 ExpressFS 2.x FTPServer remotely exploitable buffer overflow vulnerability
Reference: URL:http://marc.theaimsgroup.com/?l=ntbugtraq&m=94130292519646&w=2
Reference: BUGTRAQ:19990729 ExpressFS 2.x FTPServer remotely exploitable buffer overflow vulnerability
Reference: URL:http://marc.theaimsgroup.com/?l=bugtraq&m=94121377716133&w=2
Reference: BID:749
Reference: URL:http://www.securityfocus.com/bid/749
Reference: XF:expressfs-command-bo(3401)
Reference: URL:http://xforce.iss.net/static/3401.php
Votes:
ACCEPT(1) Frech
NOOP(3) Cole, Foat, Wall
Voter Comments:
Frech> BugTraq reference date seems to be 19991029; see
http://online.securityfocus.com/archive/1/33123
Name: CVE-1999-1515
Description:
A non-default configuration in TenFour TFS Gateway 4.0 allows an
attacker to cause a denial of service via messages with incorrect
sender and recipient addresses, which causes the gateway to
continuously try to return the message every 10 seconds.
Status: Candidate
Phase: Proposed (20010912)
Reference: BID:613
Reference: URL:http://www.securityfocus.com/bid/613
Reference: XF:tfs-gateway-dos(3290)
Reference: URL:http://xforce.iss.net/static/3290.php
Votes:
ACCEPT(1) Frech
NOOP(3) Cole, Foat, Wall
Name: CVE-1999-1516
Description:
A buffer overflow in TenFour TFS Gateway SMTP mail server 3.2 allows
an attacker to crash the mail server and possibly execute arbitrary
code by offering more than 128 bytes in a MAIL FROM string.
Status: Candidate
Phase: Proposed (20010912)
Reference: BUGTRAQ:19990902 [SECURITY] TenFour TFS SMTP 3.2 Buffer Overflow
Reference: URL:http://marc.theaimsgroup.com/?l=bugtraq&m=93677241318492&w=2
Votes:
MODIFY(1) Frech
NOOP(3) Cole, Foat, Wall
Voter Comments:
Frech> XF:tfs-gateway-dos(3290)
Name: CVE-1999-1517
Description:
runtar in the Amanda backup system used in various UNIX operating
systems executes tar with root privileges, which allows a user to
overwrite or read arbitrary files by providing the target files to
runtar.
Status: Candidate
Phase: Proposed (20010912)
Reference: BUGTRAQ:19991101 Amanda multiple vendor local root compromises
Reference: URL:http://marc.theaimsgroup.com/?l=bugtraq&m=94148942818975&w=2
Reference: BID:750
Reference: URL:http://www.securityfocus.com/bid/750
Votes:
MODIFY(1) Frech
NOOP(3) Cole, Foat, Wall
Voter Comments:
Frech> XF:amanda-runtar(3402)
Name: CVE-1999-1518
Description:
Operating systems with shared memory implementations based on BSD 4.4
code allow a user to conduct a denial of service and bypass memory
limits (e.g., as specified with rlimits) using mmap or shmget to
allocate memory and cause page faults.
Status: Candidate
Phase: Proposed (20010912)
Reference: BUGTRAQ:19990715 Shared memory DoS's
Reference: URL:http://marc.theaimsgroup.com/?l=bugtraq&m=93207728118694&w=2
Reference: BID:526
Reference: URL:http://www.securityfocus.com/bid/526
Reference: XF:bsd-shared-memory-dos(2351)
Reference: URL:http://xforce.iss.net/static/2351.php
Votes:
ACCEPT(2) Cole, Frech
NOOP(2) Foat, Wall
Name: CVE-1999-1519
Description:
Gene6 G6 FTP Server 2.0 allows a remote attacker to cause a denial of
service (resource exhaustion) via a long (1) user name or (2)
password.
Status: Candidate
Phase: Proposed (20010912)
Reference: BUGTRAQ:19991117 Remote D.o.S Attack in G6 FTP Server v2.0 (beta 4/5) Vulnerability
Reference: URL:http://marc.theaimsgroup.com/?l=bugtraq&m=94286244700573&w=2
Reference: BID:805
Reference: URL:http://www.securityfocus.com/bid/805
Reference: XF:g6ftp-username-dos(3513)
Reference: URL:http://xforce.iss.net/static/3513.php
Votes:
ACCEPT(1) Frech
NOOP(3) Cole, Foat, Wall
Name: CVE-1999-1521
Description:
Computalynx CMail 2.4 and CMail 2.3 SP2 SMTP servers are vulnerable to
a buffer overflow attack in the MAIL FROM command that may allow a
remote attacker to execute arbitrary code on the server.
Status: Candidate
Phase: Proposed (20010912)
Reference: BUGTRAQ:19990912 Many kind of POP3/SMTP server softwares for Windows have buffer overflow bug
Reference: URL:http://marc.theaimsgroup.com/?l=bugtraq&m=93720402717560&w=2
Reference: BUGTRAQ:19990729 Vulnerability in CMail SMTP Server Version 2.4: Remotely exploitable buffer
Reference: URL:http://marc.theaimsgroup.com/?l=bugtraq&m=94121824921783&w=2
Reference: BID:633
Reference: URL:http://www.securityfocus.com/bid/633
Reference: XF:cmail-command-bo(2240)
Reference: URL:http://xforce.iss.net/static/2240.php
Votes:
ACCEPT(1) Frech
NOOP(4) Christey, Cole, Foat, Wall
Voter Comments:
Christey> Remove "attack" from description and slightly rewrite.
Christey> ADDREF BUGTRAQ:19991029 Vulnerability in CMail SMTP Server Version 2.4: Remotely exploitable buffer
URL:URL:http://www.securityfocus.com/archive/1/32573
ADDREF BUGTRAQ:19990616 C-Mail SMTP Server Remote Buffer Overflow Exploit
URL:http://online.securityfocus.com/archive/1/15524
Note: this last post exploits an overflow through VRFY
instead of MAIL FROM. However, CD:SF-LOC suggests merging two
issues of the same type that are in the same versions.
ADDREF BUGTRAQ:19990526 Multiple Web Interface Security Holes
URL:http://marc.theaimsgroup.com/?l=bugtraq&m=92774425211457&w=2
Name: CVE-1999-1522
Description:
Vulnerability in htmlparse.pike in Roxen Web Server 1.3.11 and
earlier, possibly related to recursive parsing and referer tags in
RXML.
Status: Candidate
Phase: Proposed (20010912)
Reference: BUGTRAQ:19991007 Roxen security alert
Reference: URL:http://marc.theaimsgroup.com/?l=bugtraq&m=93942579008408&w=2
Votes:
MODIFY(1) Frech
NOOP(3) Cole, Foat, Wall
Voter Comments:
Frech> XF:roxen-rxml-recursive-parsing(3372)
Name: CVE-1999-1523
Description:
Buffer overflow in Sambar Web Server 4.2.1 allows remote attackers to
cause a denial of service, and possibly execute arbitrary commands,
via a long HTTP GET request.
Status: Candidate
Phase: Proposed (20010912)
Reference: BUGTRAQ:19991004
Reference: URL:http://marc.theaimsgroup.com/?l=bugtraq&m=93901161727373&w=2
Reference: BUGTRAQ:19991006 Re: Sample DOS against the Sambar HTTP-Server
Reference: URL:http://marc.theaimsgroup.com/?l=bugtraq&m=93941351229256&w=2
Reference: XF:sambar-logging-bo(1672)
Reference: URL:http://xforce.iss.net/static/1672.php
Votes:
ACCEPT(1) Frech
NOOP(3) Cole, Foat, Wall
Name: CVE-1999-1524
Description:
FlowPoint DSL router firmware versions prior to 3.0.8 allows a remote
attacker to exploit a password recovery feature from the network and
conduct brute force password guessing, instead of limiting the feature
to the serial console port.
Status: Candidate
Phase: Proposed (20010912)
Reference: BUGTRAQ:19990807 Re: FlowPoint DSL router vulnerability
Reference: URL:http://marc.theaimsgroup.com/?l=bugtraq&m=93424680430460&w=2
Votes:
NOOP(3) Cole, Foat, Wall
Name: CVE-1999-1525
Description:
Macromedia Shockwave before 6.0 allows a malicious webmaster to read a
user's mail box and possibly access internal web servers via the
GetNextText command on a Shockwave movie.
Status: Candidate
Phase: Proposed (20010912)
Reference: BUGTRAQ:19970314 Shockwave Security Alert
Reference: URL:http://marc.theaimsgroup.com/?l=bugtraq&m=87602167420670&w=2
Reference: XF:shockwave-internal-access(1585)
Reference: URL:http://xforce.iss.net/static/1585.php
Reference: XF:shockwave-file-read-vuln(1586)
Reference: URL:http://xforce.iss.net/static/1586.php
Reference: XF:http-ns-shockwave(460)
Reference: URL:http://xforce.iss.net/static/460.php
Votes:
ACCEPT(1) Frech
NOOP(2) Cole, Foat
Name: CVE-1999-1526
Description:
Auto-update feature of Macromedia Shockwave 7 transmits a user's
password and hard disk information back to Macromedia.
Status: Candidate
Phase: Proposed (20010912)
Reference: BUGTRAQ:19990311 [Fwd: Shockwave 7 Security Hole]
Reference: URL:http://www.securityfocus.com/archive/1/12842
Reference: XF:shockwave-updater(1931)
Reference: URL:http://xforce.iss.net/static/1931.php
Votes:
ACCEPT(1) Frech
NOOP(2) Cole, Foat
Name: CVE-1999-1527
Description:
Internal HTTP server in Sun Netbeans Java IDE in Netbeans Developer
3.0 Beta and Forte Community Edition 1.0 Beta does not properly
restrict access to IP addresses as specified in its configuration,
which allows arbitrary remote attackers to access the server.
Status: Candidate
Phase: Proposed (20010912)
Reference: BUGTRAQ:19991123 NetBeans/ Forte' Java IDE HTTP vulnerability
Reference: URL:http://marc.theaimsgroup.com/?l=bugtraq&m=94338883114254&w=2
Reference: BID:816
Reference: URL:http://www.securityfocus.com/bid/816
Votes:
ACCEPT(1) Cole
MODIFY(1) Frech
NOOP(2) Foat, Wall
Voter Comments:
Frech> XF:sun-java-ide-http-access(8333)
Name: CVE-1999-1528
Description:
ProSoft Netware Client 5.12 on Macintosh MacOS 9 does not
automatically log a user out of the NDS tree when the user logs off
the system, which allows other users of the same system access to the
unprotected NDS session.
Status: Candidate
Phase: Proposed (20010912)
Reference: BUGTRAQ:19991114 MacOS 9 and the MacOS Netware Client
Reference: URL:http://marc.theaimsgroup.com/?l=bugtraq&m=94261444428430&w=2
Reference: BID:794
Reference: URL:http://www.securityfocus.com/bid/794
Votes:
ACCEPT(1) Cole
MODIFY(1) Frech
NOOP(2) Foat, Wall
Voter Comments:
Frech> XF:macos-netware-nds-access(8339)
Name: CVE-1999-1529
Description:
A buffer overflow exists in the HELO command in Trend Micro
Interscan VirusWall SMTP gateway 3.23/3.3 for NT, which may allow an
attacker to execute arbitrary code.
Status: Candidate
Phase: Proposed (20010912)
Reference: BUGTRAQ:19991107 Interscan VirusWall NT 3.23/3.3 buffer overflow
Reference: URL:http://marc.theaimsgroup.com/?l=bugtraq&m=94201512111092&w=2
Reference: NTBUGTRAQ:19991107 Interscan VirusWall NT 3.23/3.3 buffer overflow.
Reference: URL:http://marc.theaimsgroup.com/?l=ntbugtraq&m=94199707625818&w=2
Reference: BUGTRAQ:19991108 Re: Interscan VirusWall NT 3.23/3.3 buffer overflow.
Reference: URL:http://marc.theaimsgroup.com/?l=bugtraq&m=94210427406568&w=2
Reference: BUGTRAQ:19991108 Patch for VirusWall 3.23.
Reference: URL:http://marc.theaimsgroup.com/?l=bugtraq&m=94204166130782&w=2
Reference: NTBUGTRAQ:19991108 Patch for VirusWall 3.23.
Reference: URL:http://marc.theaimsgroup.com/?l=ntbugtraq&m=94208143007829&w=2
Reference: BUGTRAQ:20000417 New DOS on Interscan NT/3.32
Reference: URL:http://www.securityfocus.com/archive/1/55551
Reference: BID:787
Reference: URL:http://www.securityfocus.com/bid/787
Reference: XF:viruswall-helo-bo(3465)
Reference: URL:http://xforce.iss.net/static/3465.php
Votes:
ACCEPT(2) Cole, Foat
NOOP(1) Wall
REJECT(1) Frech
Name: CVE-1999-1532
Description:
Netscape Messaging Server 3.54, 3.55, and 3.6 allows a remote attacker
to cause a denial of service (memory exhaustion) via a series of long
RCPT TO commands.
Status: Candidate
Phase: Modified (20011126-01)
Reference: BUGTRAQ:19991029 message:Netscape Messaging Server RCPT TO vul.
Reference: URL:http://marc.theaimsgroup.com/?l=bugtraq&m=94117465014255&w=2
Reference: BID:748
Reference: URL:http://www.securityfocus.com/bid/748
Votes:
MODIFY(1) Frech
NOOP(3) Cole, Foat, Wall
Voter Comments:
Frech> XF:netscape-messaging-rcptto-dos(8340)
Description ends with a comma and not a period, possibly
indicating that the sentence is not complete,
Name: CVE-1999-1533
Description:
Eicon Technology Diva LAN ISDN modem allows a remote attacker to cause
a denial of service (hang) via a long password argument to the
login.htm file in its HTTP service.
Status: Candidate
Phase: Proposed (20010912)
Reference: BUGTRAQ:19990926 DoS Exploit in Eicon Diehl LAN ISDN Modem
Reference: URL:http://marc.theaimsgroup.com/?l=bugtraq&m=93846522511387&w=2
Reference: BID:665
Reference: URL:http://www.securityfocus.com/bid/665
Reference: XF:diva-lan-isdn-dos(3317)
Reference: URL:http://xforce.iss.net/static/3317.php
Votes:
ACCEPT(1) Frech
NOOP(3) Cole, Foat, Wall
Name: CVE-1999-1534
Description:
Buffer overflow in (1) nlservd and (2) rnavc in Knox Software Arkeia
backup product allows local users to obtain root access via a long
HOME environmental variable.
Status: Candidate
Phase: Proposed (20010912)
Reference: BUGTRAQ:19990923 Multiple vendor Knox Arkiea local root/remote DoS
Reference: URL:http://marc.theaimsgroup.com/?l=bugtraq&m=93837184228248&w=2
Reference: BID:661
Reference: URL:http://www.securityfocus.com/bid/661
Votes:
MODIFY(1) Frech
NOOP(3) Cole, Foat, Wall
Voter Comments:
Frech> XF:arkiea-backup-home-bo(3322)
Name: CVE-1999-1536
Description:
.sbstart startup script in AcuShop Salesbuilder is world writable,
which allows local users to gain privileges by appending commands to
the file.
Status: Candidate
Phase: Modified (20070207)
Reference: BUGTRAQ:19990730 World writable root owned script in SalesBuilder (RedHat 6.0)
Reference: URL:http://marc.theaimsgroup.com/?l=bugtraq&m=93347785827287&w=2
Reference: BID:560
Reference: URL:http://www.securityfocus.com/bid/560
Reference: OSVDB:13557
Reference: URL:http://www.osvdb.org/13557
Votes:
NOOP(3) Cole, Foat, Wall
REVIEWING(1) Frech
Voter Comments:
Frech> (ACCEPT; Task 2356)
Name: CVE-1999-1538
Description:
When IIS 2 or 3 is upgraded to IIS 4, ism.dll is inadvertently left in
/scripts/iisadmin, which does not restrict access to the local machine
and allows an unauthorized user to gain access to sensitive server
information, including the Administrator's password.
Status: Candidate
Phase: Proposed (20010912)
Reference: BUGTRAQ:19990114 MS IIS 4.0 Security Advisory
Reference: URL:http://marc.theaimsgroup.com/?l=bugtraq&m=91638375309890&w=2
Reference: NTBUGTRAQ:19990114 MS IIS 4.0 Security Advisory
Reference: URL:http://marc.theaimsgroup.com/?l=ntbugtraq&m=91632724913080&w=2
Reference: BID:189
Reference: URL:http://www.securityfocus.com/bid/189
Votes:
ACCEPT(1) Wall
MODIFY(1) Frech
NOOP(2) Cole, Foat
Voter Comments:
Frech> XF:iis-ismdll-info(7566)
Name: CVE-1999-1539
Description:
Buffer overflow in FTP server in QPC Software's QVT/Term Plus versions
4.2d and 4.3 and QVT/Net 4.3 allows remote attackers to cause a denial
of service, and possibly execute arbitrary commands, via a long (1)
user name or (2) password.
Status: Candidate
Phase: Proposed (20010912)
Reference: BUGTRAQ:19991110 Remote DoS Attack in QVT/Term 'Plus' 4.2d FTP Server Vulnerability
Reference: URL:http://marc.theaimsgroup.com/?l=bugtraq&m=94225924803704&w=2
Reference: NTBUGTRAQ:19991110 Remote DoS Attack in QVT/Term 'Plus' 4.2d FTP Server Vulnerability
Reference: URL:http://marc.theaimsgroup.com/?l=ntbugtraq&m=94223972910670&w=2
Reference: BID:796
Reference: URL:http://www.securityfocus.com/bid/796
Reference: XF:qvtterm-login-dos(3491)
Reference: URL:http://xforce.iss.net/static/3491.php
Votes:
ACCEPT(1) Frech
NOOP(3) Cole, Foat, Wall
Name: CVE-1999-1540
Description:
shell-lock in Cactus Software Shell Lock uses weak encryption (trivial
encoding) which allows attackers to easily decrypt and obtain the
source code.
Status: Candidate
Phase: Proposed (20010912)
Reference: L0PHT:19991004
Reference: URL:http://www.atstake.com/research/advisories/1999/shell-lock.txt
Reference: BUGTRAQ:19991005 Cactus Software's shell-lock
Reference: URL:http://marc.theaimsgroup.com/?l=bugtraq&m=93916168802365&w=2
Reference: XF:cactus-shell-lock-retrieve-shell-code(3356)
Reference: URL:http://xforce.iss.net/static/3356.php
Votes:
ACCEPT(1) Frech
NOOP(3) Cole, Foat, Wall
Name: CVE-1999-1541
Description:
shell-lock in Cactus Software Shell Lock allows local users to read or
modify decoded shell files before they are executed, via a symlink
attack on a temporary file.
Status: Candidate
Phase: Proposed (20010912)
Reference: L0PHT:19991004
Reference: URL:http://www.atstake.com/research/advisories/1999/shell-lock.txt
Reference: BUGTRAQ:19991005 Cactus Software's shell-lock
Reference: URL:http://marc.theaimsgroup.com/?l=bugtraq&m=93916168802365&w=2
Reference: XF:cactus-shell-lock-root-privs(3358)
Reference: URL:http://xforce.iss.net/static/3358.php
Votes:
ACCEPT(1) Frech
NOOP(3) Cole, Foat, Wall
Name: CVE-1999-1543
Description:
MacOS uses weak encryption for passwords that are stored in the Users
& Groups Data File.
Status: Candidate
Phase: Proposed (20010912)
Reference: BUGTRAQ:19990710 MacOS system encryption algorithm
Reference: URL:http://marc.theaimsgroup.com/?l=bugtraq&m=93188174906513&w=2
Reference: BUGTRAQ:19990914 MacOS system encryption algorithm 3
Reference: URL:http://marc.theaimsgroup.com/?l=bugtraq&m=93736667813924&w=2
Reference: BID:519
Reference: URL:http://www.securityfocus.com/bid/519
Votes:
NOOP(3) Cole, Foat, Wall
REVIEWING(1) Frech
Voter Comments:
Frech> (ACCEPT; Task 2357)
Name: CVE-1999-1544
Description:
Buffer overflow in FTP server in Microsoft IIS 3.0 and 4.0 allows
local and sometimes remote attackers to cause a denial of service via
a long NLST (ls) command.
Status: Candidate
Phase: Proposed (20010912)
Reference: BUGTRAQ:19990124 Advisory: IIS FTP Exploit/DoS Attack
Reference: URL:http://marc.theaimsgroup.com/?l=bugtraq&m=91722115016183&w=2
Votes:
ACCEPT(1) Wall
NOOP(2) Cole, Foat
REJECT(1) Frech
Voter Comments:
Frech> Dupe CVE-1999-0349
Name: CVE-1999-1545
Description:
Joe's Own Editor (joe) 2.8 sets the world-readable permission on its
crash-save file, DEADJOE, which could allow local users to read files
that were being edited by other users.
Status: Candidate
Phase: Proposed (20010912)
Reference: BUGTRAQ:19990714
Reference: URL:http://marc.theaimsgroup.com/?l=bugtraq&m=93216103027827&w=2
Reference: BUGTRAQ:19990717 joe 2.8 makes world-readable DEADJOE
Reference: URL:http://marc.theaimsgroup.com/?l=bugtraq&m=93226771401036&w=2
Votes:
NOOP(3) Cole, Foat, Wall
REVIEWING(1) Frech
Voter Comments:
Frech> (ACCEPT; Task 2358)
Name: CVE-1999-1546
Description:
netstation.navio-com.rte 1.1.0.1 configuration script for Navio NC on
IBM AIX exports /tmp over NFS as world-readable and world-writable.
Status: Candidate
Phase: Proposed (20010912)
Reference: BUGTRAQ:19990129 TROJAN: netstation.navio-comm.rte 1.1.0.1
Reference: URL:http://www.securityfocus.com/archive/1/12217
Reference: XF:navionc-config-script(1724)
Reference: URL:http://xforce.iss.net/static/1724.php
Votes:
ACCEPT(1) Frech
NOOP(3) Cole, Foat, Wall
Name: CVE-1999-1547
Description:
Oracle Web Listener 2.1 allows remote attackers to bypass access
restrictions by replacing a character in the URL with its HTTP-encoded
(hex) equivalent.
Status: Candidate
Phase: Proposed (20010912)
Reference: BUGTRAQ:19991125 Oracle Web Listener
Reference: URL:http://marc.theaimsgroup.com/?l=bugtraq&m=94359982417686&w=2
Reference: NTBUGTRAQ:19991125 Oracle Web Listener
Reference: URL:http://marc.theaimsgroup.com/?l=ntbugtraq&m=94390053530890&w=2
Reference: BID:841
Reference: URL:http://www.securityfocus.com/bid/841
Votes:
MODIFY(1) Frech
NOOP(3) Cole, Foat, Wall
Voter Comments:
Frech> XF:oracle-weblistener-bypass-restrictions(8355)
Name: CVE-1999-1548
Description:
Cabletron SmartSwitch Router (SSR) 8000 firmware 2.x can only handle
200 ARP requests per second allowing a denial of service attack to
succeed with a flood of ARP requests exceeding that limit.
Status: Candidate
Phase: Proposed (20010912)
Reference: BINDVIEW:19991124 Cabletron SmartSwitch Router 8000 Firmware v2.x
Reference: URL:http://razor.bindview.com/publish/advisories/adv_Cabletron.html
Reference: BID:821
Reference: URL:http://www.securityfocus.com/bid/841
Votes:
MODIFY(1) Frech
NOOP(3) Cole, Foat, Wall
Voter Comments:
Frech> XF:smartswitch-arp-flood-dos(7770)
BID URL should be 821, not 841.
Name: CVE-1999-1549
Description:
Lynx 2.x does not properly distinguish between internal and external
HTML, which may allow a local attacker to read a "secure" hidden form
value from a temporary file and craft a LYNXOPTIONS: URL that causes
Lynx to modify the user's configuration file and execute commands.
Status: Candidate
Phase: Proposed (20010912)
Reference: BUGTRAQ:19991116 lynx 2.8.x - 'special URLs' anti-spoofing protection is weak
Reference: URL:http://marc.theaimsgroup.com/?l=bugtraq&m=94286509804526&w=2
Reference: BID:804
Reference: URL:http://www.securityfocus.com/bid/804
Votes:
MODIFY(1) Frech
NOOP(3) Cole, Foat, Wall
Voter Comments:
Frech> XF:lynx-lynxurl-spoof(8342)
Name: CVE-1999-1551
Description:
Buffer overflow in Ipswitch IMail Service 5.0 allows an attacker to
cause a denial of service (crash) and possibly execute arbitrary
commands via a long URL.
Status: Candidate
Phase: Proposed (20010912)
Reference: BUGTRAQ:19990302 Multiple IMail Vulnerabilites
Reference: URL:http://marc.theaimsgroup.com/?l=bugtraq&m=92038879607336&w=2
Reference: BID:505
Reference: URL:http://www.securityfocus.com/bid/505
Reference: XF:imail-websvc-overflow(1898)
Reference: URL:http://xforce.iss.net/static/1898.php
Votes:
ACCEPT(2) Cole, Frech
NOOP(2) Foat, Wall
Name: CVE-1999-1552
Description:
dpsexec (DPS Server) when running under XDM in IBM AIX 3.2.5 and
earlier does not properly check privileges, which allows local users
to overwrite arbitrary files and gain privileges.
Status: Candidate
Phase: Proposed (20010912)
Reference: BUGTRAQ:19940720 xnews and XDM
Reference: URL:http://lists.insecure.org/lists/bugtraq/1994/Jul/0038.html
Reference: BID:358
Reference: URL:http://www.securityfocus.com/bid/358
Votes:
NOOP(2) Cole, Foat
Name: CVE-1999-1553
Description:
Buffer overflow in XCmail 0.99.6 with autoquote enabled allows remote
attackers to execute arbitrary commands via a long subject line.
Status: Candidate
Phase: Proposed (20010912)
Reference: BUGTRAQ:19990301 [0z0n3] XCmail remotely exploitable vulnerability
Reference: URL:http://www.securityfocus.com/archive/1/12730
Reference: BID:311
Reference: URL:http://www.securityfocus.com/bid/311
Reference: XF:xcmail-reply-overflow(1859)
Reference: URL:http://xforce.iss.net/static/1859.php
Votes:
ACCEPT(1) Frech
NOOP(3) Cole, Foat, Wall
Name: CVE-1999-1554
Description:
/usr/sbin/Mail on SGI IRIX 3.3 and 3.3.1 does not properly set the
group ID to the group ID of the user who started Mail, which allows
local users to read the mail of other users.
Status: Candidate
Phase: Modified (20020218-01)
Reference: CERT:CA-1990-08
Reference: URL:http://www.cert.org/advisories/CA-1990-08.html
Reference: BID:13
Reference: URL:http://www.securityfocus.com/bid/13
Reference: XF:sgi-irix-reset(3164)
Reference: URL:http://www.iss.net/security_center/static/3164.php
Votes:
ACCEPT(2) Cole, Stracener
MODIFY(1) Frech
NOOP(2) Foat, Wall
Voter Comments:
Frech> XF:sgi-irix-reset(3164)
CHANGE> [Foat changed vote from ACCEPT to NOOP]
Name: CVE-1999-1555
Description:
Cheyenne InocuLAN Anti-Virus Server in Inoculan 4.0 before Service
Pack 2 creates an update directory with "EVERYONE FULL CONTROL"
permissions, which allows local users to cause Inoculan's antivirus
update feature to install a Trojan horse dll.
Status: Candidate
Phase: Proposed (20010912)
Reference: BUGTRAQ:19980611 Cheyenne Inoculan vulnerability on NT
Reference: URL:http://www.securityfocus.com/archive/1/9515
Reference: BID:106
Reference: XF:inoculan-bad-permissions(1536)
Reference: URL:http://xforce.iss.net/static/1536.php
Votes:
ACCEPT(1) Frech
NOOP(3) Cole, Foat, Wall
Voter Comments:
Frech> http://support.cai.com/Download/patches/inocnt.html
Name: CVE-1999-1557
Description:
Buffer overflow in the login functions in IMAP server (imapd) in
Ipswitch IMail 5.0 and earlier allows remote attackers to cause a
denial of service and possibly execute arbitrary code via (1) a long
user name or (2) a long password.
Status: Candidate
Phase: Proposed (20010912)
Reference: BUGTRAQ:19990301 Multiple IMail Vulnerabilites
Reference: URL:http://marc.theaimsgroup.com/?l=bugtraq&m=92038879607336&w=2
Reference: XF:imail-imap-overflow(1895)
Reference: URL:http://xforce.iss.net/static/1895.php
Votes:
ACCEPT(2) Cole, Frech
NOOP(2) Foat, Wall
Name: CVE-1999-1558
Description:
Vulnerability in loginout in Digital OpenVMS 7.1 and earlier allows
unauthorized access when external authentication is enabled.
Status: Candidate
Phase: Modified (20020218-01)
Reference: CIAC:I-071A
Reference: URL:http://ciac.llnl.gov/ciac/bulletins/i-071a.shtml
Reference: CERT:VB-98.07
Reference: BID:161
Reference: URL:http://www.securityfocus.com/bid/161
Reference: XF:openvms-loginout-unauth-access(7151)
Reference: URL:http://www.iss.net/security_center/static/7151.php
Votes:
ACCEPT(3) Cole, Foat, Stracener
MODIFY(1) Frech
NOOP(1) Wall
Voter Comments:
Frech> XF:openvms-loginout-unauth-access(7151)
Name: CVE-1999-1559
Description:
Xylan OmniSwitch before 3.2.6 allows remote attackers to bypass the
login prompt via a CTRL-D (control d) character, which locks other
users out of the switch because it only supports one session at a
time.
Status: Candidate
Phase: Proposed (20010912)
Reference: BUGTRAQ:19990331 Xylan OmniSwitch "features"
Reference: URL:http://marc.theaimsgroup.com/?l=bugtraq&m=92299263017061&w=2
Reference: XF:xylan-omniswitch-login(2064)
Reference: URL:http://xforce.iss.net/static/2064.php
Votes:
ACCEPT(1) Frech
NOOP(3) Cole, Foat, Wall
Name: CVE-1999-1560
Description:
Vulnerability in a script in Texas A&M University (TAMU) Tiger allows
local users to execute arbitrary commands as the Tiger user, usually
root.
Status: Candidate
Phase: Proposed (20010912)
Reference: BUGTRAQ:19990720 tiger vulnerability
Reference: URL:http://marc.theaimsgroup.com/?l=bugtraq&m=93252050203589&w=2
Reference: XF:tiger-script-execute(2369)
Reference: URL:http://xforce.iss.net/static/2369.php
Votes:
ACCEPT(3) Cole, Foat, Frech
NOOP(1) Wall
Name: CVE-1999-1561
Description:
Nullsoft SHOUTcast server stores the administrative password in
plaintext in a configuration file (sc_serv.conf), which could allow a
local user to gain administrative privileges on the server.
Status: Candidate
Phase: Proposed (20010912)
Reference: BUGTRAQ:19990820 Winamp SHOUTcast server: Gain Administrator Password
Reference: URL:http://www.securityfocus.com/archive/1/24852
Votes:
NOOP(3) Cole, Foat, Wall
REVIEWING(1) Frech
Voter Comments:
Frech> (ACCEPT; Task 2359)
Name: CVE-1999-1562
Description:
gFTP FTP client 1.13, and other versions before 2.0.0, records a
password in plaintext in (1) the log window, or (2) in a log file.
Status: Candidate
Phase: Modified (20050309)
Reference: BUGTRAQ:19990905 gftp
Reference: URL:http://www.securityfocus.com/archive/1/26915
Reference: DEBIAN:DSA-084
Reference: URL:http://www.debian.org/security/2001/dsa-084
Reference: BID:3446
Reference: URL:http://www.securityfocus.com/bid/3446
Votes:
MODIFY(1) Frech
NOOP(3) Cole, Foat, Wall
Voter Comments:
Frech> XF:gftp-plaintext-password(7319)
Name: CVE-1999-1563
Description:
Nachuatec D435 and D445 printer allows remote attackers to cause a
denial of service via ICMP redirect storm.
Status: Candidate
Phase: Proposed (20010912)
Reference: BUGTRAQ:19991014 NEUROCOM: Nashuatec printer, 3 vulnerabilities found
Reference: URL:http://www.securityfocus.com/archive/1/30849
Reference: BUGTRAQ:19991116 NEUROCOM: Nashuatec D445/435 vulnerabilities updated
Reference: URL:http://www.securityfocus.com/archive/1/35075
Votes:
MODIFY(1) Frech
NOOP(3) Cole, Foat, Wall
Voter Comments:
Frech> XF:icmp-redirect(285)
Name: CVE-1999-1564
Description:
FreeBSD 3.2 and possibly other versions allows a local user to cause a
denial of service (panic) with a large number accesses of an NFS v3
mounted directory from a large number of processes.
Status: Candidate
Phase: Proposed (20010912)
Reference: BUGTRAQ:19990902 [ Kernel panic with FreeBSD-3.2-19990830-STABLE ]
Reference: URL:http://www.securityfocus.com/archive/1/26166
Votes:
ACCEPT(1) Cole
MODIFY(1) Frech
NOOP(2) Foat, Wall
Voter Comments:
Frech> XF:freebsd-nfs-access-dos(8325)
Name: CVE-1999-1566
Description:
Buffer overflow in iParty server 1.2 and earlier allows remote
attackers to cause a denial of service (crash) by connecting to
default port 6004 and sending repeated extended characters.
Status: Candidate
Phase: Proposed (20010912)
Reference: BUGTRAQ:19990508 iParty Daemon Vulnerability w/ Exploit Code (worse than thought?)
Reference: URL:http://www.securityfocus.com/archive/1/13600
Votes:
MODIFY(1) Frech
NOOP(3) Cole, Foat, Wall
Voter Comments:
Frech> XF:iparty-dos(1416)
Name: CVE-1999-1567
Description:
Seapine Software TestTrack server allows a remote attacker to cause a
denial of service (high CPU) via (1) TestTrackWeb.exe and (2)
ttcgi.exe by connecting to port 99 and disconnecting without sending
any data.
Status: Candidate
Phase: Modified (20020218-01)
Reference: NTBUGTRAQ:19990308 Password and DOS Vulnerability with Testrack (bug tracking software)
Reference: URL:http://www.ntbugtraq.com/default.asp?pid=36&sid=1&A2=ind9903&L=NTBUGTRAQ&P=R1215
Reference: NTBUGTRAQ:19990616 Password and DOS Vulnerability with Testrack (bug tracking software)
Reference: URL:http://www.ntbugtraq.com/default.asp?pid=36&sid=1&A2=ind9906&L=NTBUGTRAQ&P=R1680
Reference: XF:testtrack-dos(1948)
Reference: URL:http://xforce.iss.net/static/1948.php
Votes:
ACCEPT(2) Cole, Foat
MODIFY(1) Frech
NOOP(1) Wall
Voter Comments:
Frech> XF:testtrack-dos(1948)
Name: CVE-1999-1569
Description:
Quake 1 and NetQuake servers allow remote attackers to cause a denial
of service (resource exhaustion or forced disconnection) via a flood
of spoofed UDP connection packets, which exceeds the server's player
limit.
Status: Candidate
Phase: Proposed (20020830)
Reference: BUGTRAQ:20010716 Quake client and server denial-of-service
Reference: URL:http://www.securityfocus.com/archive/1/197268
Reference: BUGTRAQ:19981101 Quake problem?
Reference: URL:http://marc.theaimsgroup.com/?l=bugtraq&m=91012172524181&w=2
Reference: BUGTRAQ:19980502 NetQuake Protocol problem resulting in smurf like effect.
Reference: URL:http://marc.theaimsgroup.com/?l=bugtraq&m=90221101925989&w=2
Reference: XF:quake-spoofed-client-dos(6871)
Reference: URL:http://xforce.iss.net/static/6871.php
Reference: BID:3051
Reference: URL:http://www.securityfocus.com/bid/3051
Votes:
ACCEPT(1) Frech
NOOP(5) Armstrong, Cole, Cox, Foat, Wall
REVIEWING(1) Green
Name: CVE-1999-1570
Description:
Buffer overflow in sar for OpenServer 5.0.5 allows local users to gain
root privileges via a long -o parameter.
Status: Candidate
Phase: Proposed (20020830)
Reference: VULN-DEV:20020509 Sar -o exploitation process info.
Reference: URL:http://marc.theaimsgroup.com/?l=vuln-dev&m=102098949103708&w=2
Reference: BUGTRAQ:19990909 19 SCO 5.0.5+Skunware98 buffer overflows
Reference: URL:http://online.securityfocus.com/archive/1/27074
Reference: CALDERA:CSSA-2002-SCO.17
Reference: URL:ftp://stage.caldera.com/pub/security/openserver/CSSA-2002-SCO.17/CSSA-2002-SCO.17.txt
Reference: BID:4089
Reference: URL:http://www.securityfocus.com/bid/4089
Reference: XF:openserver-sar-bo(8989)
Reference: URL:http://www.iss.net/security_center/static/8989.php
Votes:
ACCEPT(4) Armstrong, Cole, Frech, Green
NOOP(3) Cox, Foat, Wall
REVIEWING(1) Christey
Voter Comments:
Frech> It seems as if the BID-4089 assignment on this CAN name may be
in error.
BID-4089 (Multiple Vendor SNMP Request Handling Vulnerabilities) is
already assigned to CVE-2002-0013. Also, this CVE issue seems to have
nothing to do with SNMP.
Christey> Agreed, this is the wrong BID. SecurityFocus has assigned
BID:643 to CVE-1999-1570, but there's a bit of an
inconsistency. BID:643 alludes to Bugtraq posts in 1999
from Brock Tellier, mentioning overflows in sar via BOTH the
-o and -f parameters. However, they also link this issue to
SCO advisory 99.17, although the advisory itself is too vague
to *really* know what vulns they fixed. And now the link
to a potentially more detailed document (sse037.ltr)
is broken. So we don't have any independent reason for
knowing whether SCO 99.17 (a) addresses any "sar"
vulnerabilities, and (b) even if it does, whether it addresses
*both* the -o and -f arguments originally claimed by Tellier.
Finally, it seems rather curious that CSSA-2002-SCO.17
talks about a -o overflow but does not mention -f.
Sounds like an email to the security people at SCO
is in order...
OK. Having consulted with SCO (who responded quickly), I
looked even further into this issue. There is now sufficient
evidence that the -f overflow was fixed in 1999. This
means that a separate candidate should be created (by
CD:SF-LOC), so the -f overflow is now covered by
CVE-1999-1571.
Need to DELREF BID:4089
CHANGE> [Frech changed vote from NOOP to ACCEPT]
CHANGE> [Christey changed vote from NOOP to REVIEWING]
Name: CVE-1999-1571
Description:
Buffer overflow in sar for SCO OpenServer 5.0.0 through 5.0.5 may
allow local users to gain root privileges via a long -f parameter, a
different vulnerability than CVE-1999-1570.
Status: Candidate
Phase: Assigned (20021008)
Reference: BUGTRAQ:19990909 19 SCO 5.0.5+Skunware98 buffer overflows
Reference: URL:http://online.securityfocus.com/archive/1/27074
Reference: BUGTRAQ:19990917 Re: recent SCO 5.0.x vulnerabilities
Reference: URL:http://marc.theaimsgroup.com/?l=bugtraq&m=93762097815861&w=2
Reference: BUGTRAQ:19991020 Re: recent SCO 5.0.x vulnerabilities
Reference: URL:http://marc.theaimsgroup.com/?l=bugtraq&m=94053017801639&w=2
Reference: BUGTRAQ:19991105 SCO Security Bulletin 99.17
Reference: URL:http://marc.theaimsgroup.com/?l=bugtraq&m=94183363719024&w=2
Reference: MISC:http://online.securityfocus.com/advisories/1843
Reference: SCO:SB-99.17c
Reference: URL:ftp://stage.caldera.com/pub/security/sse/security_bulletins/SB-99.17c
Reference: CONFIRM:ftp://stage.caldera.com/pub/security/sse/sse037c/sse037c.ltr
Reference: BID:643
Reference: URL:http://www.securityfocus.com/bid/643
Reference: VULN-DEV:20020509 Sar -o exploitation process info.
Reference: URL:http://marc.theaimsgroup.com/?l=vuln-dev&m=102098949103708&w=2
Reference: XF:openserver-sar-bo(8989)
Reference: URL:http://www.iss.net/security_center/static/8989.php
Votes:
Name: CVE-1999-1572
Description:
cpio on FreeBSD 2.1.0, Debian GNU/Linux 3.0, and possibly other
operating systems, uses a 0 umask when creating files using the -O
(archive) or -F options, which creates the files with mode 0666 and
allows local users to read or overwrite those files.
Status: Candidate
Phase: Assigned (20050127)
Reference: MISC:http://www.freebsd.org/cgi/query-pr.cgi?pr=bin/1391
Reference: CONFIRM:http://support.avaya.com/elmodocs2/security/ASA-2005-212.pdf
Reference: DEBIAN:DSA-664
Reference: URL:http://www.debian.org/security/2005/dsa-664
Reference: MANDRAKE:MDKSA-2005:032
Reference: URL:http://www.mandriva.com/security/advisories?name=MDKSA-2005:032
Reference: REDHAT:RHSA-2005:073
Reference: URL:http://www.redhat.com/support/errata/RHSA-2005-073.html
Reference: REDHAT:RHSA-2005:080
Reference: URL:http://www.redhat.com/support/errata/RHSA-2005-080.html
Reference: REDHAT:RHSA-2005:806
Reference: URL:http://www.redhat.com/support/errata/RHSA-2005-806.html
Reference: TRUSTIX:2005-0003
Reference: URL:http://www.trustix.org/errata/2005/0003/
Reference: BUGTRAQ:20050204 [USN-75-1] cpio vulnerability
Reference: URL:http://marc.theaimsgroup.com/?l=bugtraq&m=110763404701519&w=2
Reference: OVAL:oval:org.mitre.oval:def:10888
Reference: URL:http://oval.mitre.org/repository/data/getDef?id=oval:org.mitre.oval:def:10888
Reference: SECUNIA:14357
Reference: URL:http://secunia.com/advisories/14357
Reference: SECUNIA:17063
Reference: URL:http://secunia.com/advisories/17063
Reference: SECUNIA:17532
Reference: URL:http://secunia.com/advisories/17532
Reference: XF:cpio-o-archive-insecure-permissions(19167)
Reference: URL:http://xforce.iss.net/xforce/xfdb/19167
Votes:
Name: CVE-1999-1573
Description:
Multiple unknown vulnerabilities in the "r-cmnds" (1) remshd, (2)
rexecd, (3) rlogind, (4) rlogin, (5) remsh, (6) rcp, (7) rexec, and
(8) rdist for HP-UX 10.00 through 11.00 allow attackers to gain
privileges or access files.
Status: Candidate
Phase: Assigned (20050421)
Reference: HP:HPSBUX9812-090
Reference: URL:http://www.securityfocus.com/advisories/1471
Reference: AUSCERT:ESB-98.186
Reference: URL:http://www.auscert.org.au/render.html?it=490
Reference: CERT-VN:VU#13217
Reference: URL:http://www.kb.cert.org/vuls/id/13217
Reference: CIAC:J-022
Reference: URL:http://www.ciac.org/ciac/bulletins/j-022.shtml
Reference: OVAL:oval:org.mitre.oval:def:5550
Reference: URL:http://oval.mitre.org/repository/data/getDef?id=oval:org.mitre.oval:def:5550
Reference: XF:hp-rcmnds-gain-privileges(7860)
Reference: URL:http://xforce.iss.net/xforce/xfdb/7860
Votes:
Name: CVE-1999-1574
Description:
Buffer overflow in the lex routines of nslookup for AIX 4.3 may allow
attackers to cause a core dump and possibly execute arbitrary code via
"long input strings."
Status: Candidate
Phase: Assigned (20050421)
Reference: AIXAPAR:IX79909
Reference: URL:http://www-1.ibm.com/support/search.wss?rs=0&q=IX79909&apar=only
Reference: CERT-VN:VU#182777
Reference: URL:http://www.kb.cert.org/vuls/id/182777
Reference: XF:aix-nslookup-lex-bo(7867)
Reference: URL:http://xforce.iss.net/xforce/xfdb/7867
Votes:
Name: CVE-1999-1575
Description:
The Kodak/Wang (1) Image Edit (imgedit.ocx), (2) Image Annotation
(imgedit.ocx), (3) Image Scan (imgscan.ocx), (4) Thumbnail Image
(imgthumb.ocx), (5) Image Admin (imgadmin.ocx), (6) HHOpen
(hhopen.ocx), (7) Registration Wizard (regwizc.dll), and (8) IE Active
Setup (setupctl.dll) ActiveX controls for Internet Explorer (IE) 4.01
and 5.0 are marked as "Safe for Scripting," which allows remote
attackers to create and modify files and execute arbitrary commands.
Status: Candidate
Phase: Assigned (20050421)
Reference: BUGTRAQ:19990924 Several ActiveX Buffer Overruns
Reference: URL:http://www.securityfocus.com/archive/1/28719
Reference: MS:MS99-037
Reference: URL:http://www.microsoft.com/technet/security/bulletin/ms99-037.mspx
Reference: CERT-VN:VU#23412
Reference: URL:http://www.kb.cert.org/vuls/id/23412
Reference: CERT-VN:VU#24839
Reference: URL:http://www.kb.cert.org/vuls/id/24839
Reference: CERT-VN:VU#26924
Reference: URL:http://www.kb.cert.org/vuls/id/26924
Reference: CERT-VN:VU#41408
Reference: URL:http://www.kb.cert.org/vuls/id/41408
Reference: CERT-VN:VU#9162
Reference: URL:http://www.kb.cert.org/vuls/id/9162
Reference: XF:wang-kodak-activex-control(7097)
Reference: URL:http://xforce.iss.net/xforce/xfdb/7097
Votes:
Name: CVE-1999-1576
Description:
Buffer overflow in Adobe Acrobat ActiveX control (pdf.ocx,
PDF.PdfCtrl.1) 1.3.188 for Acrobat Reader 4.0 allows remote attackers
to execute arbitrary code via the pdf.setview method.
Status: Candidate
Phase: Assigned (20050421)
Reference: BUGTRAQ:19990924 Several ActiveX Buffer Overruns
Reference: URL:http://www.securityfocus.com/archive/1/28719
Reference: CERT-VN:VU#25919
Reference: URL:http://www.kb.cert.org/vuls/id/25919
Reference: BID:666
Reference: URL:http://www.securityfocus.com/bid/666
Reference: XF:adobe-acrobat-pdf-bo(3318)
Reference: URL:http://xforce.iss.net/xforce/xfdb/3318
Votes:
Name: CVE-1999-1577
Description:
Buffer overflow in HHOpen ActiveX control (hhopen.ocx) 1.0.0.1 for
Internet Explorer 4.01 and 5 allows remote attackers to execute
arbitrary commands via long arguments to the OpenHelp method.
Status: Candidate
Phase: Assigned (20050421)
Reference: BUGTRAQ:19990924 Several ActiveX Buffer Overruns
Reference: URL:http://www.securityfocus.com/archive/1/28719
Reference: CERT-VN:VU#29795
Reference: URL:http://www.kb.cert.org/vuls/id/29795
Reference: BID:669
Reference: URL:http://www.securityfocus.com/bid/0669
Reference: XF:ie-hhopen-bo(3314)
Reference: URL:http://xforce.iss.net/xforce/xfdb/3314
Votes:
Name: CVE-1999-1578
Description:
Buffer overflow in Registration Wizard ActiveX control (regwizc.dll,
InvokeRegWizard) 3.0.0.0 for Internet Explorer 4.01 and 5 allows
remote attackers to execute arbitrary commands.
Status: Candidate
Phase: Assigned (20050421)
Reference: BUGTRAQ:19990924 Several ActiveX Buffer Overruns
Reference: URL:http://www.securityfocus.com/archive/1/28719
Reference: CERT-VN:VU#37556
Reference: URL:http://www.kb.cert.org/vuls/id/37556
Reference: BID:671
Reference: URL:http://www.securityfocus.com/bid/671
Reference: XF:ie-registration-wiz-bo(3311)
Reference: URL:http://xforce.iss.net/xforce/xfdb/3311
Votes:
Name: CVE-1999-1579
Description:
The Cenroll ActiveX control (xenroll.dll) for Terminal Server Editions
of Windows NT 4.0 and Windows NT Server 4.0 before SP6 allows remote
attackers to cause a denial of service (resource consumption) by
creating a large number of arbitrary files on the target machine.
Status: Candidate
Phase: Assigned (20050421)
Reference: MSKB:Q242366
Reference: URL:http://support.microsoft.com/default.aspx?scid=kb;[LN];242366
Reference: CERT-VN:VU#3062
Reference: URL:http://www.kb.cert.org/vuls/id/3062
Reference: BID:6827
Reference: URL:http://www.securityfocus.com/bid/6827
Reference: XF:winnt-xenroll-dos(7107)
Reference: URL:http://xforce.iss.net/xforce/xfdb/7107
Votes:
Name: CVE-1999-1580
Description:
SunOS sendmail 5.59 through 5.65 uses popen to process a forwarding
host argument, which allows local users to gain root privileges by
modifying the IFS (Internal Field Separator) variable and passing
crafted values to the -oR option.
Status: Candidate
Phase: Assigned (20050421)
Reference: MISC:http://www.alw.nih.gov/Security/8lgm/8lgm-Advisory-21.html
Reference: AUSCERT:AA-95.09
Reference: URL:http://www.auscert.org.au/render.html?it=1853&cid=1978
Reference: CERT:CA-1995-11
Reference: URL:http://www.cert.org/advisories/CA-95.11.sun.sendmail-oR.vul
Reference: CERT-VN:VU#3278
Reference: URL:http://www.kb.cert.org/vuls/id/3278
Reference: BID:7829
Reference: URL:http://www.securityfocus.com/bid/7829
Votes:
Name: CVE-1999-1581
Description:
Memory leak in Simple Network Management Protocol (SNMP) agent
(snmp.exe) for Windows NT 4.0 before Service Pack 4 allows remote
attackers to cause a denial of service (memory consumption) via a
large number of SNMP packets with Object Identifiers (OIDs) that
cannot be decoded.
Status: Candidate
Phase: Assigned (20050421)
Reference: MSKB:Q178381
Reference: URL:http://support.microsoft.com/kb/q178381/
Reference: CERT-VN:VU#4923
Reference: URL:http://www.kb.cert.org/vuls/id/4923
Reference: XF:winnt-snmp-oid-memory-leak(8231)
Reference: URL:http://xforce.iss.net/xforce/xfdb/8231
Votes:
Name: CVE-1999-1582
Description:
By design, the "established" command on the Cisco PIX firewall allows
connections from one host to arbitrary ports of a target host if an
alternative conduit has already been allowed, which can cause
administrators to configure less restrictive access controls than
intended if they do not understand this functionality.
Status: Candidate
Phase: Assigned (20050421)
Reference: CISCO:19980715 PIX Firewall "established" Command
Reference: URL:http://www.cisco.com/warp/public/707/pixest-pub.shtml
Reference: CERT-VN:VU#6733
Reference: URL:http://www.kb.cert.org/vuls/id/6733
Reference: XF:cisco-pix-established-bypass(8052)
Reference: URL:http://xforce.iss.net/xforce/xfdb/8052
Votes:
Name: CVE-1999-1583
Description:
Buffer overflow in nslookup for AIX 4.3 allows local users to execute
arbitrary code via a long hostname command line argument.
Status: Candidate
Phase: Assigned (20050421)
Reference: AIXAPAR:IY02120
Reference: URL:http://www-1.ibm.com/support/search.wss?rs=0&q=IY02120&apar=only
Reference: CERT-VN:VU#872443
Reference: URL:http://www.kb.cert.org/vuls/id/872443
Reference: XF:aix-nslookup-hostname-bo(8031)
Reference: URL:http://xforce.iss.net/xforce/xfdb/8031
Votes:
Name: CVE-1999-1584
Description:
Unknown vulnerability in (1) loadmodule, and (2) modload if modload is
installed with setuid/setgid privileges, in SunOS 4.1.1 through
4.1.3c, and Open Windows 3.0, allows local users to gain root
privileges via environment variables, a different vulnerability than
CVE-1999-1586.
Status: Candidate
Phase: Assigned (20050830)
Reference: SUN:00124
Reference: URL:http://sunsolve.sun.com/search/document.do?assetkey=1-22-00124-1
Reference: CERT:CA-93.18
Reference: URL:http://www.cert.org/advisories/CA-1993-18.html
Votes:
Name: CVE-1999-1585
Description:
The (1) rcS and (2) mountall programs in Sun Solaris 2.x, possibly
before 2.4, start a privileged shell on the system console if fsck
fails while the system is booting, which allows attackers with
physical access to gain root privileges.
Status: Candidate
Phase: Assigned (20050830)
Reference: SUN:00124
Reference: URL:http://sunsolve.sun.com/search/document.do?assetkey=1-22-00124-1
Votes:
Name: CVE-1999-1586
Description:
loadmodule in SunOS 4.1.x, as used by xnews, does not properly
sanitize its environment, which allows local users to gain privileges,
a different vulnerability than CVE-1999-1584.
Status: Candidate
Phase: Assigned (20050830)
Reference: CERT:CA-95.12
Reference: URL:http://www.cert.org/advisories/CA-1995-12.html
Reference: CIAC:G-02
Reference: URL:http://www.ciac.org/ciac/bulletins/g-02.shtml
Reference: XF:sun-loadmodule(498)
Reference: URL:http://xforce.iss.net/xforce/xfdb/498
Votes:
Name: CVE-1999-1587
Description:
/usr/ucb/ps in Sun Microsystems Solaris 8 and 9, and certain earlier
releases, allows local users to view the environment variables and
values of arbitrary processes via the -e option.
Status: Candidate
Phase: Assigned (20060328)
Reference: MISC:http://www.sunmanagers.org/archives/1996/1383.html
Reference: SUNALERT:102215
Reference: URL:http://sunsolve.sun.com/search/document.do?assetkey=1-26-102215-1
Reference: BID:19662
Reference: URL:http://www.securityfocus.com/bid/19662
Reference: VUPEN:ADV-2006-1123
Reference: URL:http://www.vupen.com/english/advisories/2006/1123
Reference: OSVDB:24200
Reference: URL:http://www.osvdb.org/24200
Reference: OVAL:oval:org.mitre.oval:def:1470
Reference: URL:http://oval.mitre.org/repository/data/getDef?id=oval:org.mitre.oval:def:1470
Reference: SECTRACK:1015833
Reference: URL:http://securitytracker.com/id?1015833
Reference: SECUNIA:19426
Reference: URL:http://secunia.com/advisories/19426
Reference: XF:solaris-ps-information-disclosure(25460)
Reference: URL:http://xforce.iss.net/xforce/xfdb/25460
Votes:
Name: CVE-1999-1588
Description:
Buffer overflow in nlps_server in Sun Solaris x86 2.4, 2.5, and 2.5.1
allows remote attackers to execute arbitrary code as root via a long
string beginning with "NLPS:002:002:" to the listen (aka System V
listener) port, TCP port 2766.
Status: Candidate
Phase: Assigned (20060421)
Reference: MISC:http://security-protocols.com/sploits/unsorted_exploits/nlps_server.c
Reference: MISC:http://www.securityfocus.com/data/vulnerabilities/exploits/nlps_server.c
Reference: MISC:http://lsd-pl.net/files/get?SOLARIS/solx86_nlps_server
Reference: BID:2319
Reference: URL:http://www.securityfocus.com/bid/2319
Votes:
Name: CVE-1999-1589
Description:
Unspecified vulnerability in crontab in IBM AIX 3.2 allows local users
to gain root privileges via unknown attack vectors.
Status: Candidate
Phase: Assigned (20060615)
Reference: AIXAPAR:IX26997
Reference: CERT:CA-1992-10
Reference: URL:http://www.cert.org/advisories/CA-1992-10.html
Reference: BID:357
Reference: URL:http://www.securityfocus.com/bid/357
Votes:
Name: CVE-1999-1590
Description:
Directory traversal vulnerability in Muhammad A. Muquit wwwcount
(Count.cgi) 2.3 allows remote attackers to read arbitrary GIF files
via ".." sequences in the image parameter, a different vulnerability
than CVE-1999-0021.
Status: Candidate
Phase: Assigned (20061203)
Reference: BUGTRAQ:19971010 Security flaw in Count.cgi (wwwcount)
Reference: URL:http://seclists.org/bugtraq/1997/Oct/0058.html
Votes:
Name: CVE-1999-1591
Description:
Microsoft Internet Information Services (IIS) server 4.0 SP4, without
certain hotfixes released for SP4, does not require authentication
credentials under certain conditions, which allows remote attackers to
bypass authentication requirements, as demonstrated by connecting via
Microsoft Visual InterDev 6.0.
Status: Candidate
Phase: Assigned (20070705)
Reference: NTBUGTRAQ:19990118 IIS4.0 and Visual Interdev
Reference: URL:http://archives.neohapsis.com/archives/ntbugtraq/1998-1999/msg00276.html
Reference: NTBUGTRAQ:19990119 Re: IIS4.0 and Visual Interdev
Reference: URL:http://archives.neohapsis.com/archives/ntbugtraq/1998-1999/msg00277.html
Reference: BID:190
Reference: URL:http://www.securityfocus.com/bid/190
Votes:
Name: CVE-1999-1592
Description:
Multiple unspecified vulnerabilities in sendmail 5, as installed on
Sun SunOS 4.1.3_U1 and 4.1.4, have unspecified attack vectors and
impact. NOTE: this might overlap CVE-1999-0129.
Status: Candidate
Phase: Assigned (20070712)
Reference: SUN:00159
Reference: URL:http://sunsolve.sun.com/search/document.do?assetkey=1-22-00159-1
Reference: BID:243
Reference: URL:http://www.securityfocus.com/bid/243
Votes:
Name: CVE-1999-1593
Description:
Windows Internet Naming Service (WINS) allows remote attackers to
cause a denial of service (connectivity loss) or steal credentials via
a 1Ch registration that causes WINS to change the domain controller to
point to a malicious server. NOTE: this problem may be limited when
Windows 95/98 clients are used, or if the primary domain controller
becomes unavailable.
Status: Candidate
Phase: Assigned (20090114)
Reference: NTBUGTRAQ:19990302 NT Domain DoS and Security Exploit with SAMBA Server
Reference: URL:http://archives.neohapsis.com/archives/ntbugtraq/1998-1999/msg00371.html
Reference: BUGTRAQ:20010117 Re: Invalid WINS entries
Reference: URL:http://seclists.org/bugtraq/2001/Jan/0269.html
Reference: BUGTRAQ:20010117 Invalid WINS entries
Reference: URL:http://seclists.org/bugtraq/2001/Jan/0264.html
Reference: BUGTRAQ:20010117 Re: Invalid WINS entries
Reference: URL:http://seclists.org/bugtraq/2001/Jan/0276.html
Reference: BUGTRAQ:20010117 Re: Invalid WINS entries
Reference: URL:http://seclists.org/bugtraq/2001/Jan/0274.html
Reference: BUGTRAQ:20010118 Re: Invalid WINS entries
Reference: URL:http://seclists.org/bugtraq/2001/Jan/0289.html
Reference: BUGTRAQ:20010118 Re: Invalid WINS entries
Reference: URL:http://seclists.org/bugtraq/2001/Jan/0271.html
Reference: BUGTRAQ:20010119 Re: Invalid WINS entries
Reference: URL:http://seclists.org/bugtraq/2001/Jan/0298.html
Reference: MISC:https://www2.sans.org/reading_room/whitepapers/win2k/185.php
Reference: BID:2221
Reference: URL:http://www.securityfocus.com/bid/2221
Votes:
Name: CVE-1999-1594
Description:
** RESERVED **
This candidate has been reserved by an organization or individual that
will use it when announcing a new security problem. When the
candidate has been publicized, the details for this candidate will be
provided.
Status: Candidate
Phase: Assigned (20120104)
Votes:
Name: CVE-1999-1595
Description:
** RESERVED **
This candidate has been reserved by an organization or individual that
will use it when announcing a new security problem. When the
candidate has been publicized, the details for this candidate will be
provided.
Status: Candidate
Phase: Assigned (20120104)
Votes:
Name: CVE-1999-1596
Description:
** RESERVED **
This candidate has been reserved by an organization or individual that
will use it when announcing a new security problem. When the
candidate has been publicized, the details for this candidate will be
provided.
Status: Candidate
Phase: Assigned (20120104)
Votes:
Name: CVE-1999-1597
Description:
** RESERVED **
This candidate has been reserved by an organization or individual that
will use it when announcing a new security problem. When the
candidate has been publicized, the details for this candidate will be
provided.
Status: Candidate
Phase: Assigned (20120104)
Votes:
Name: CVE-1999-1598
Description:
** RESERVED **
This candidate has been reserved by an organization or individual that
will use it when announcing a new security problem. When the
candidate has been publicized, the details for this candidate will be
provided.
Status: Candidate
Phase: Assigned (20120104)
Votes:
Name: CVE-2000-0005
Description:
HP-UX aserver program allows local users to gain privileges via a
symlink attack.
Status: Candidate
Phase: Modified (20090302)
Reference: BUGTRAQ:19991230 aserver.sh
Reference: BUGTRAQ:20000102 HPUX Aserver revisited.
Reference: HP:HPSBUX0001-108
Reference: OVAL:oval:org.mitre.oval:def:5635
Reference: URL:http://oval.mitre.org/repository/data/getDef?id=oval:org.mitre.oval:def:5635
Reference: XF:hp-aserver
Votes:
ACCEPT(3) Armstrong, Baker, Stracener
MODIFY(1) Frech
RECAST(1) Christey
REVIEWING(1) Levy
Voter Comments:
Christey> BUGTRAQ:20000102 "HPUX Aserver revisited." indicates that two
different versions of aserver have symlink problems, but with
different files. So CD:SF-LOC says we should split this.
Frech> XF:hp-aserver
Christey> BID:1928 and BID:1930? Which one is being described in
this candidate?
Christey> BID:1930
Name: CVE-2000-0008
Description:
FTPPro allows local users to read sensitive information, which is
stored in plain text.
Status: Candidate
Phase: Proposed (20000111)
Reference: BUGTRAQ:19991227 FTPPro insecuities
Votes:
ACCEPT(3) Armstrong, Baker, Stracener
MODIFY(1) Frech
NOOP(1) Christey
REVIEWING(1) Levy
Voter Comments:
Frech> XF:ftppro-plaintext-information
Christey> ADDREF BID:1790
ADDREF URL:http://www.securityfocus.com/bid/1790
Name: CVE-2000-0016
Description:
Buffer overflow in Internet Anywhere POP3 Mail Server allows remote
attackers to cause a denial of service or execute commands via a long
username.
Status: Candidate
Phase: Proposed (20000111)
Reference: NTBUGTRAQ:19991001 Vulnerabilities in the Internet Anywhere Mail Server
Reference: BUGTRAQ:19991227 Remote DoS/Access Attack in Internet Anywhere Mail Server(POP 3) v2.3.1
Reference: BID:730
Reference: URL:http://www.securityfocus.com/bid/730
Votes:
ACCEPT(4) Armstrong, Baker, Levy, Stracener
MODIFY(1) Frech
Voter Comments:
Frech> XF:iams-pop3-command-dos
Name: CVE-2000-0017
Description:
Buffer overflow in Linux linuxconf package allows remote attackers to
gain root privileges via a long parameter.
Status: Candidate
Phase: Proposed (20000111)
Reference: BUGTRAQ:19991221 (Possible) Linuxconf Remote Buffer Overflow Vulnerability
Votes:
NOOP(4) Armstrong, Baker, Christey, Stracener
REJECT(2) Frech, Levy
Voter Comments:
Christey> It's not certain whether this is exploitable or not. An
expert (the linuxconf author?) wasn't able to duplicate the
bug - see http://lwn.net/1999/1223/a/linuxconfresponse.html
The original posting with example exploit was
http://marc.theaimsgroup.com/?l=bugtraq&m=94580196627059&w=2
However - GIAC and the Security Focus incidents list have
consistently reported that scans are taking place for
linuxconf, so do the hackers know more than we do?
Frech> Unless vendor or other confirmation occurs, there has been no corroboration
of this issue in public forums.
CHANGE> [Armstrong changed vote from ACCEPT to NOOP]
Name: CVE-2000-0019
Description:
IMail POP3 daemon uses weak encryption, which allows local users to
read files.
Status: Candidate
Phase: Proposed (20000111)
Reference: BUGTRAQ:19991221 [w00giving '99 #11] IMail's password encryption scheme
Votes:
ACCEPT(3) Armstrong, Baker, Stracener
MODIFY(2) Frech, Levy
NOOP(1) Christey
Voter Comments:
Frech> XF:imail-passwords
Levy> BID 880
Christey> BUGTRAQ:19990304 IMAIL password recovery is trivial.
http://www.securityfocus.com/archive/1/12750
Christey> Add version numbers (5.0 through 5.08)
Name: CVE-2000-0021
Description:
Lotus Domino HTTP server allows remote attackers to determine the real
path of the server via a request to a non-existent script in
/cgi-bin.
Status: Candidate
Phase: Modified (20060616)
Reference: BUGTRAQ:19991221 serious Lotus Domino HTTP denial of service
Reference: BUGTRAQ:19991227 Re: Lotus Domino HTTP denial of service attack
Reference: BID:881
Reference: URL:http://www.securityfocus.com/bid/881
Votes:
ACCEPT(3) Armstrong, Baker, Stracener
MODIFY(2) Frech, Levy
NOOP(1) Christey
Voter Comments:
Frech> XF:http-cgi-lotus-domino
Levy> BID 881
Christey> BID:881
Name: CVE-2000-0028
Description:
Internet Explorer 5.0 and 5.01 allows remote attackers to bypass the
cross frame security policy and read files via the
external.NavigateAndFind function.
Status: Candidate
Phase: Modified (20000626-01)
Reference: BUGTRAQ:19991222 IE 5.01 vulnerabilities in external.NavigateAndFind()
Reference: XF:ie-navigateandfind
Votes:
ACCEPT(2) Armstrong, Stracener
MODIFY(2) Frech, Levy
NOOP(1) Baker
RECAST(1) LeBlanc
REVIEWING(1) Christey
Voter Comments:
Frech> XF:ie-navigateandfind
Christey> May be a duplicate of CVE-2000-0465 according to my
communications with Microsoft people. CVE-2000-0266 may
also be a variant.
Levy> BID 887
LeBlanc> duplicate
Name: CVE-2000-0035
Description:
resend command in Majordomo allows local users to gain privileges via
shell metacharacters.
Status: Candidate
Phase: Proposed (20000111)
Reference: BUGTRAQ:19991228 majordomo local exploit
Reference: BUGTRAQ:20000113 Info on some security holes reported against SCO Unixware.
Reference: URL:http://marc.theaimsgroup.com/?l=bugtraq&m=94780294009285&w=2
Reference: BID:902
Reference: URL:http://www.securityfocus.com/bid/902
Votes:
ACCEPT(3) Baker, Levy, Stracener
MODIFY(2) Cox, Frech
NOOP(1) Armstrong
REVIEWING(1) Christey
Voter Comments:
Frech> XF:majordomo-local-resend
Christey> The Bugtraq thread indicates that this problem may be
due to misconfiguration, and may extend beyond just the
resend command.
CHANGE> [Armstrong changed vote from REVIEWING to NOOP]
Christey> Include "wrapper" to facilitate search and matching? (but
double-check CVE-2000-0037).
Add "1.94.4 and earlier" as the affected version number.
ADDREF AUSCERT:AA-2000.01
ftp://ftp.auscert.org.au/pub/auscert/advisory/AA-2000.01
Cox> ADDREF REDHAT:RHSA-2000:005
Name: CVE-2000-0038
Description:
glFtpD includes a default glftpd user account with a default password
and a UID of 0.
Status: Candidate
Phase: Proposed (20000111)
Reference: BUGTRAQ:19991223 Multiple vulnerabilites in glFtpD (current versions)
Votes:
ACCEPT(2) Armstrong, Stracener
MODIFY(2) Frech, Levy
NOOP(1) Baker
Voter Comments:
Frech> XF:glftpd-default-account
Levy> BID 881
Name: CVE-2000-0046
Description:
Buffer overflow in ICQ 99b 1.1.1.1 client allows remote attackers to
execute commands via a malformed URL within an ICQ message.
Status: Candidate
Phase: Modified (20000204-01)
Reference: BID:929
Reference: URL:http://www.securityfocus.com/bid/929
Reference: BUGTRAQ:20000111 ICQ Buffer Overflow Exploit
Reference: XF:icq-url-bo
Votes:
ACCEPT(2) Baker, Williams
MODIFY(1) Frech
Voter Comments:
Frech> ADDREF XF:icq-url-bo
Name: CVE-2000-0047
Description:
Buffer overflow in Yahoo Pager/Messenger client allows remote
attackers to cause a denial of service via a long URL within a
message.
Status: Candidate
Phase: Modified (20000202-01)
Reference: BUGTRAQ:20000117 Yahoo Pager/Messanger Buffer Overflow
Reference: XF:yahoo-messenger-pager-dos
Votes:
ACCEPT(2) Baker, Frech
NOOP(1) Williams
Name: CVE-2000-0049
Description:
Buffer overflow in Winamp client allows remote attackers to execute
commands via a long entry in a .pls file.
Status: Candidate
Phase: Modified (20071115)
Reference: NTBUGTRAQ:20000107 Winamp buffer overflow advisory
Reference: BUGTRAQ:20000109 Buffer overflow with WinAmp 2.10
Reference: BID:925
Reference: URL:http://www.securityfocus.com/bid/925
Reference: OSVDB:12022
Reference: URL:http://www.osvdb.org/12022
Reference: XF:winamp-playlist-bo
Votes:
ACCEPT(2) Cole, Wall
MODIFY(2) Baker, Frech
REVIEWING(1) Christey
Voter Comments:
Frech> XF:winamp-playlist-bo
Christey> This may have been discovered earlier in:
BUGTRAQ:19990512 Buffer overflow in WinAMP 2.x
URL:http://marc.theaimsgroup.com/?l=bugtraq&m=92662988700367&w=2
See the following for possible confirmation:
URL:http://www.winamp.com/getwinamp/newfeatures.jhtml
Wall> This vulnerability has been seen in several versions of Winamp and part of ISS
X-Force
and SecuriTeam vulnerability checks.
CHANGE> [Christey changed vote from NOOP to REVIEWING]
Baker> The old confirm url doesn't work any more... I am not sure where we can get the old changelog/error list.
Name: CVE-2000-0054
Description:
search.cgi in the SolutionScripts Home Free package allows remote
attackers to view directories via a .. (dot dot) attack.
Status: Candidate
Phase: Proposed (20000125)
Reference: BUGTRAQ:20000104 Another search.cgi vulnerability
Reference: BID:921
Reference: URL:http://www.securityfocus.com/bid/921
Votes:
MODIFY(1) Frech
Voter Comments:
Frech> XF:http-cgi-homefree-search
Name: CVE-2000-0055
Description:
Buffer overflow in Solaris chkperm command allows local users to
gain root access via a long -n option.
Status: Candidate
Phase: Proposed (20000125)
Reference: BUGTRAQ:20000106 [Hackerslab bug_paper] Solaris chkperm buffer overflow
Reference: BID:918
Reference: URL:http://www.securityfocus.com/bid/918
Votes:
MODIFY(2) Baker, Frech
NOOP(1) Dik
Voter Comments:
Frech> XF:sol-chkperm-bo(3870)
Dik> chkperm runs set-uid bin, so initially the access granted
will be user bin, not root. (Though bin access can easily be leveraged
to root access, less so in Solaris 8+)
Also, there is reason to believe this bug is not exploitable; the buffer
overflown is declared in the stack in main(); yet, the program never
returns from main() but calls exit instead so any damage to return addresses
is never noticed.
Baker> Maybe the details from Caspar could be included, or modify the description somewhat
Name: CVE-2000-0058
Description:
Network HotSync program in Handspring Visor does not have
authentication, which allows remote attackers to retrieve email and
files.
Status: Candidate
Phase: Proposed (20000125)
Reference: BUGTRAQ:20000105 Handspring Visor Network HotSync Security Hole
Reference: URL:http://www.security-express.com/archives/bugtraq/2000-01/0085.html
Reference: BID:920
Reference: URL:http://www.securityfocus.com/bid/920
Votes:
MODIFY(2) Baker, Frech
NOOP(1) Christey
Voter Comments:
Frech> XF:handspring-visor-auth(3873)
Consider removing the security-express.com reference, since it is identical
to the BugTraq reference. The BugTraq reference is (hopefully) not going to
disappear soon, and the security-express.com reference provides no new or
additional information.
Christey> URLs will begin to be included with candidates to support
Board members' voting activities. They will be converted to
the generalized reference format when if candidate is
ACCEPTed and becomes an official entry.
Christey> The problem may not be a lack of authentication (as mentioned
by the poster), but rather weak authentication (the apparent
need to provide the same username).
Baker> MOdify description to indicate the weak authentication
Name: CVE-2000-0059
Description:
PHP3 with safe_mode enabled does not properly filter shell
metacharacters from commands that are executed by popen, which could
allow remote attackers to execute commands.
Status: Candidate
Phase: Proposed (20000125)
Reference: BUGTRAQ:20000103 PHP3 safe_mode and popen()
Reference: BID:911
Reference: URL:http://www.securityfocus.com/bid/911
Votes:
ACCEPT(1) Baker
MODIFY(1) Frech
NOOP(1) Christey
Voter Comments:
Frech> XF:php3-popen-execute(3900)
Christey> CONFIRM:http://www.php.net/ChangeLog.php3
Section dated January 11, 2000 says: "Fix safe-mode problem in
popen() (Kristian)"
Name: CVE-2000-0061
Description:
Internet Explorer 5 does not modify the security zone for a document
that is being loaded into a window until after the document has been
loaded, which could allow remote attackers to execute Javascript in a
different security context while the document is loading.
Status: Candidate
Phase: Proposed (20000125)
Reference: BUGTRAQ:20000107 IE 5 security vulnerablity - circumventing Cross-frame security policy and accessing the DOM of "old" documents.
Reference: BID:923
Reference: URL:http://www.securityfocus.com/bid/923
Votes:
MODIFY(2) Frech, LeBlanc
NOOP(1) Baker
REJECT(1) Christey
Voter Comments:
Frech> XF:ie-cross-frame-docs(3901)
LeBlanc> - I'd like to see a KB or bulletin referenced
Christey> This is a duplicate of CVE-2000-0156. The FAQ at
http://www.microsoft.com/technet/security/bulletin/fq00-009.asp.
says "the vulnerability requires Active Scripting" and
"it is possible, under very specific conditions, to violate IE's
cross-domain security model." Also says "the redirect is made, via
the <IMG SRC> HTML tag"
Need to copy these references over to CVE-2000-0156.
Name: CVE-2000-0066
Description:
WebSite Pro allows remote attackers to determine the real pathname of
webdirectories via a malformed URL request.
Status: Candidate
Phase: Proposed (20000125)
Reference: BUGTRAQ:20000112 WebSitePro/2.3.18 is revealing Webdirectories
Votes:
ACCEPT(2) Baker, Williams
MODIFY(1) Frech
NOOP(1) Christey
Voter Comments:
Frech> XF:website-pro-dir-path
Christey> ADDREF BUGTRAQ:20000113 Re: WebSitePro/2.3.18 + 2.4.9 is revealing Webdirectories
URL:http://www.securityfocus.com/archive/1/41798
Also BID:932
Name: CVE-2000-0067
Description:
CyberCash Merchant Connection Kit (MCK) allows local users to modify
files via a symlink attack.
Status: Candidate
Phase: Proposed (20000125)
Reference: BUGTRAQ:20000112 CyberCash MCK 3.2.0.4: Large /tmp hole
Votes:
ACCEPT(2) Baker, Williams
MODIFY(1) Frech
Voter Comments:
Frech> XF:cybercash-mck-tmp(3823)
Name: CVE-2000-0068
Description:
daynad program in Intel InBusiness E-mail Station does not require
authentication, which allows remote attackers to modify its
configuration, delete files, or read mail.
Status: Candidate
Phase: Proposed (20000125)
Reference: BUGTRAQ:20000104 [rootshell] Security Bulletin #27
Reference: URL:http://marc.theaimsgroup.com/?l=bugtraq&m=94704437920965&w=2
Votes:
MODIFY(1) Frech
Voter Comments:
Frech> XF:intel-email-unauthenticate-users
Name: CVE-2000-0069
Description:
The recover program in Solstice Backup allows local users to restore
sensitive files.
Status: Candidate
Phase: Proposed (20000125)
Reference: BUGTRAQ:20000104 Security problem with Solstice Backup/Legato Networker recover command
Votes:
MODIFY(1) Frech
Voter Comments:
Frech> XF:solstice-backup-restore-files(3904)
Name: CVE-2000-0071
Description:
IIS 4.0 allows a remote attacker to obtain the real pathname of the
document root by requesting non-existent files with .ida or .idq
extensions.
Status: Candidate
Phase: Proposed (20000125)
Reference: BUGTRAQ:20000111 IIS still revealing paths for web directories
Reference: URL:http://marc.theaimsgroup.com/?l=bugtraq&m=94770020309953&w=2
Reference: BUGTRAQ:20000113 SV: IIS still revealing paths for web directories
Reference: URL:http://marc.theaimsgroup.com/?l=bugtraq&m=94780058006791&w=2
Votes:
ACCEPT(2) LeBlanc, Levy
MODIFY(1) Frech
NOOP(1) Baker
REJECT(1) Christey
Voter Comments:
Frech> XF:iis-ida-idq-paths
Christey> Consider adding:
ADDREF BID:1065
BUGTRAQ:20000309 Enumerate Root Web Server Directory Vulnerability for IIS 4.0
Are there really 2 different threads on the same problem?
Also consider XF:iis-root-enum
May also be a dupe of CVE-1999-0450 (BID:194)
CHANGE> [Christey changed vote from NOOP to REVIEWING]
Christey> Appears to be a duplicate of CVE-2000-0098. Confirm with
Microsoft, and if it is a duplicate, then REJECT this
candidate.
CHANGE> [Christey changed vote from REVIEWING to REJECT]
Christey> Confirmed duplicate by Microsoft.
Christey> iis-ida-idq-paths(4346) is obsolete; ensure
http-indexserver-path(3890) is added to CVE-2000-0098.
Name: CVE-2000-0074
Description:
PowerScripts PlusMail CGI program allows remote attackers to execute
commands via a password file with improper permissions.
Status: Candidate
Phase: Proposed (20000125)
Reference: BUGTRAQ:20000111 PowerScripts PlusMail Vulnerablity
Votes:
ACCEPT(1) Baker
MODIFY(1) Frech
NOOP(2) Christey, Williams
Voter Comments:
Frech> XF:plusmail-password-permissions
Christey> Re-read the Bugtraq post to make sure the problem is described
properly. The advisory itself is vague as to the nature of
the problem, and the exploit doesn't help clarify too much.
Christey> Consider adding BID:2653
Name: CVE-2000-0077
Description:
The October 1998 version of the HP-UX aserver program allows local
users to gain privileges by specifying an alternate PATH which aserver
uses to find the ps and grep commands.
Status: Candidate
Phase: Modified (20090302)
Reference: BUGTRAQ:20000102 HPUX Aserver revisited.
Reference: HP:HPSBUX0001-108
Reference: OVAL:oval:org.mitre.oval:def:5549
Reference: URL:http://oval.mitre.org/repository/data/getDef?id=oval:org.mitre.oval:def:5549
Votes:
MODIFY(2) Baker, Frech
REVIEWING(1) Christey
Voter Comments:
Frech> ADDREF XF:hp-aserver
Christey> The Bugtraq posting does not mention specific versions.
Is October 1998 equivalent to HP-UX 10.x?
CHANGE> [Christey changed vote from NOOP to REVIEWING]
Christey> BID:1929
Make sure not dupe's with CVE-2000-0005 and CVE-20000-0078.
Baker> Was the BID reference ever added to this one?
Name: CVE-2000-0078
Description:
The June 1999 version of the HP-UX aserver program allows local users
to gain privileges by specifying an alternate PATH which aserver uses
to find the awk command.
Status: Candidate
Phase: Modified (20090302)
Reference: BUGTRAQ:20000102 HPUX Aserver revisited.
Reference: HP:HPSBUX0001-108
Reference: OVAL:oval:org.mitre.oval:def:5728
Reference: URL:http://oval.mitre.org/repository/data/getDef?id=oval:org.mitre.oval:def:5728
Votes:
ACCEPT(2) Baker, Prosser
MODIFY(1) Frech
REVIEWING(1) Christey
Voter Comments:
Frech> ADDREF XF:hp-aserver
Christey> The Bugtraq posting does not mention specific versions.
Is June 1999 equivalent to HP-UX 10.x?
Prosser> The HP Bulletin (already ref'd) just specifies 10.x and 11.x OS versions running on HP9000 700/800 series. According to Tripp (bugtraq), the audio server doesn't run on a machine without Audio Hardware (logical). So one has to assume from the bulletin that any 9000 with audio hardware that is running a 10.x or 11.x version of OS with either the 98 or 99 version of Aserver loaded will be vulnerable to either the exploit in CVE-1999-0005(the 98 version of Aserver) or CVE-2000-0078 (the 99 version)and should take appropriate action. No patches out from HP as of 10/2/2000 so either remove the program or tighten the permissions considerably.
CHANGE> [Christey changed vote from NOOP to REVIEWING]
Christey> BID:1929
Make sure not dupe's with CVE-2000-0005 and CVE-20000-0077.
Name: CVE-2000-0079
Description:
The W3C CERN httpd HTTP server allows remote attackers to determine
the real pathnames of some commands via a request for a nonexistent
URL.
Status: Candidate
Phase: Proposed (20000125)
Reference: BUGTRAQ:20000118 Re: IIS still revealing paths for web directories
Reference: BID:936
Reference: URL:http://www.securityfocus.com/bid/936
Votes:
MODIFY(2) Baker, Frech
NOOP(2) Christey, Williams
RECAST(1) LeBlanc
Voter Comments:
Frech> XF:w3c-httpd-reveal-paths
LeBlanc> Title references IIS, vuln references W3C CERN httpd. Which
one is broken?
Christey> The mention of CERN httpd was buried in a followup on a
description of an IIS problem, so this is the correct reference.
Baker> Will the XF reference be added?
Name: CVE-2000-0081
Description:
Hotmail does not properly filter JavaScript code from a user's
mailbox, which allows a remote attacker to execute the code by using
hexadecimal codes to specify the javascript: protocol,
e.g. jAvascript.
Status: Candidate
Phase: Proposed (20000125)
Reference: BUGTRAQ:20000110 Yet another Hotmail security hole - injecting JavaScript using "jAvascript:"
Votes:
MODIFY(1) Frech
REJECT(1) Baker
Voter Comments:
CHANGE> [Frech changed vote from REVIEWING to MODIFY]
Frech> XF:hotmail-vascript-java-injection
Name: CVE-2000-0082
Description:
WebTV email client allows remote attackers to force the client to send
email without the user's knowledge via HTML.
Status: Candidate
Phase: Modified (20040901)
Reference: MISC:http://net4tv.com/voice/story.cfm?StoryID=1823
Reference: MISC:http://www.wired.com/news/technology/0,1282,33420,00.html
Reference: BUGTRAQ:20000104 The WebTV Email Exploit
Votes:
MODIFY(1) Frech
REJECT(1) Baker
Voter Comments:
CHANGE> [Frech changed vote from REVIEWING to MODIFY]
Frech> ADDREF XF:webtv-hijack-mail-forward
Name: CVE-2000-0084
Description:
CuteFTP uses weak encryption to store password information in its
tree.dat file.
Status: Candidate
Phase: Proposed (20000125)
Reference: BUGTRAQ:20000105 CuteFTP saved password 'encryption' weakness
Votes:
MODIFY(2) Baker, Frech
NOOP(1) Christey
Voter Comments:
Frech> XF:cuteftp-weak-encrypt(3910)
Christey> BUGTRAQ:20010823 Re: Respondus v1.1.2 stores passwords using weak encryption
URL:http://marc.theaimsgroup.com/?l=bugtraq&m=99861651923668&w=2
This followup to a different thread mentions the sm.dat file
for the site manager.
Baker> The reference from the Bugtraq mentions the sm.dat uses better encryption, but doesn't really address the tree.dat file.
Name: CVE-2000-0085
Description:
Hotmail does not properly filter JavaScript code from a user's
mailbox, which allows a remote attacker to execute code via the LOWSRC
or DYNRC parameters in the IMG tag.
Status: Candidate
Phase: Proposed (20000125)
Reference: BUGTRAQ:20000103 Hotmail security hole - injecting JavaScript using <IMG LOWSRC="javascript:....">
Reference: BUGTRAQ:20000104 Yet another Hotmail security hole - injecting JavaScript in IE using <IMG DYNRC="javascript:....">
Votes:
ACCEPT(1) Baker
MODIFY(1) Frech
Voter Comments:
Frech> XF:hotmail-java-execute
Name: CVE-2000-0086
Description:
Netopia Timbuktu Pro sends user IDs and passwords in cleartext, which
allows remote attackers to obtain them via sniffing.
Status: Candidate
Phase: Proposed (20000125)
Reference: BUGTRAQ:20000116 TB2 Pro sending NT passwords cleartext
Reference: BID:935
Reference: URL:http://www.securityfocus.com/bid/935
Votes:
ACCEPT(2) Baker, Williams
MODIFY(1) Frech
Voter Comments:
Frech> XF:timbuktu-password-cleartext
Name: CVE-2000-0093
Description:
An installation of Red Hat uses DES password encryption with crypt()
for the initial password, instead of md5.
Status: Candidate
Phase: Proposed (20000208)
Reference: BUGTRAQ:20000122 NIS security advisory : password method downgrade
Reference: BUGTRAQ:20000121 Rh 6.1 initial root password encryption
Votes:
ACCEPT(2) Baker, Cole
MODIFY(1) Frech
NOOP(1) Wall
Voter Comments:
Frech> XF:linux-initial-password-encryption
Name: CVE-2000-0096
Description:
Buffer overflow in qpopper 3.0 beta versions allows local users to
gain privileges via a long LIST command.
Status: Candidate
Phase: Proposed (20000208)
Reference: BUGTRAQ:20000126 Qpopper security bug
Reference: BID:948
Reference: URL:http://www.securityfocus.com/bid/948
Votes:
ACCEPT(2) Baker, Cole
MODIFY(1) Frech
NOOP(1) Wall
Voter Comments:
Frech> XF:qpopper-list-bo
Name: CVE-2000-0101
Description:
The Make-a-Store OrderPage shopping cart application allows remote
users to modify sensitive purchase information via hidden form
fields.
Status: Candidate
Phase: Proposed (20000208)
Reference: ISS:20000201 Form Tampering Vulnerabilities in Several Web-Based Shopping Cart Applications
Votes:
ACCEPT(1) Baker
MODIFY(1) Frech
NOOP(1) Christey
RECAST(1) Cole
REVIEWING(1) Wall
Voter Comments:
Cole> I would combine all of these shopping cart applications into one listing,
since they all have the same vulnerability being able to modify sensitive
purchase information via hidden form fields. My concern is in cases like
this we used over 10 entries for basically the same vulnerability. I could
think of cases were there could be 20+ applications with the same
vulnerability and in my opinion it could start to weaken the value of CVE
where there are 30 entries all referring to the same thing. It is almost
like we are playing the vendor game where more is better. I think we
should go after the quality over quantity aspect.
Christey> I disagree with Eric here. This vulnerability is a "type" of
problem in the same way that a buffer overflow is a "type" of
problem. While the shopping cart application bugs were
proposed mostly at the same time, they are all by different
vendors.
The raw numbers of applications with this problem can make it
appear that CVE is artificially inflating the number of
entries. However, content decisions such as CD:SF-LOC
(different lines of code) dictate that these should be
separated. It's not a "numbers game" but rather a principled
and consistent approach to resolving problems with
selecting a level of abstraction.
Frech> XF:shopping-cart-form-tampering
Name: CVE-2000-0102
Description:
The SalesCart shopping cart application allows remote users to modify
sensitive purchase information via hidden form fields.
Status: Candidate
Phase: Proposed (20000208)
Reference: ISS:20000201 Form Tampering Vulnerabilities in Several Web-Based Shopping Cart Applications
Votes:
ACCEPT(1) Baker
MODIFY(1) Frech
RECAST(1) Cole
REVIEWING(1) Wall
Voter Comments:
Cole> See comments for CVE-2000-0101
Frech> XF:shopping-cart-form-tampering
Name: CVE-2000-0103
Description:
The SmartCart shopping cart application allows remote users to
modify sensitive purchase information via hidden form fields.
Status: Candidate
Phase: Proposed (20000208)
Reference: ISS:20000201 Form Tampering Vulnerabilities in Several Web-Based Shopping Cart Applications
Votes:
ACCEPT(1) Baker
MODIFY(1) Frech
RECAST(1) Cole
REVIEWING(1) Wall
Voter Comments:
Cole> See comments for CVE-2000-0101
Frech> XF:shopping-cart-form-tampering
Name: CVE-2000-0104
Description:
The Shoptron shopping cart application allows remote users to
modify sensitive purchase information via hidden form fields.
Status: Candidate
Phase: Proposed (20000208)
Reference: ISS:20000201 Form Tampering Vulnerabilities in Several Web-Based Shopping Cart Applications
Votes:
ACCEPT(1) Baker
MODIFY(1) Frech
RECAST(1) Cole
REVIEWING(1) Wall
Voter Comments:
Cole> See comments for CVE-2000-0101
Frech> XF:shopping-cart-form-tampering
Name: CVE-2000-0105
Description:
Outlook Express 5.01 and Internet Explorer 5.01 allow remote attackers
to view a user's email messages via a script that accesses a variable
that references subsequent email messages that are read by the client.
Status: Candidate
Phase: Proposed (20000208)
Reference: BUGTRAQ:20000201 Outlook Express 5 vulnerability - Active Scripting may read email messages
Reference: BID:962
Reference: URL:http://www.securityfocus.com/bid/962
Votes:
ACCEPT(2) Cole, Wall
MODIFY(1) Frech
NOOP(1) Baker
REVIEWING(1) Christey
Voter Comments:
Frech> email-active-script-html
Christey> Acknowledged via personal communication with Microsoft
personnel, but I need to look through my email logs to recall
whether they said that it is a duplicate of CVE-2000-0653
CHANGE> [Christey changed vote from NOOP to REVIEWING]
Name: CVE-2000-0106
Description:
The EasyCart shopping cart application allows remote users to
modify sensitive purchase information via hidden form fields.
Status: Candidate
Phase: Proposed (20000208)
Reference: ISS:20000201 Form Tampering Vulnerabilities in Several Web-Based Shopping Cart Applications
Votes:
ACCEPT(1) Baker
MODIFY(1) Frech
RECAST(1) Cole
REVIEWING(1) Wall
Voter Comments:
Cole> See comments for CVE-2000-0101
Frech> XF:shopping-cart-form-tampering
Name: CVE-2000-0108
Description:
The Intellivend shopping cart application allows remote users to
modify sensitive purchase information via hidden form fields.
Status: Candidate
Phase: Proposed (20000208)
Reference: ISS:20000201 Form Tampering Vulnerabilities in Several Web-Based Shopping Cart Applications
Votes:
ACCEPT(1) Baker
MODIFY(1) Frech
RECAST(1) Cole
REVIEWING(1) Wall
Voter Comments:
Cole> See comments for CVE-2000-0101
Frech> XF:shopping-cart-form-tampering
Name: CVE-2000-0109
Description:
The mcsp Client Site Processor system (MultiCSP) in Standard and
Poor's ComStock is installed with several accounts that have no
passwords or easily guessable default passwords.
Status: Candidate
Phase: Proposed (20000208)
Reference: BUGTRAQ:20000201 Security issues with S&P ComStock multiCSP (Linux)
Votes:
ACCEPT(2) Cole, Levy
MODIFY(1) Frech
NOOP(3) Baker, Christey, Wall
Voter Comments:
Christey> ADDREF BUGTRAQ:20000324 Security issues with S&P ComStock multiCSP (Linux)
http://marc.theaimsgroup.com/?l=bugtraq&m=95422382625409&w=2
Note: this posting was a repeat of the February 1 post,
saying that the problem still hadn't been fixed.
Frech> XF:comstock-multicsp-passwords
Christey> ADDREF BID:1080
URL:http://www.securityfocus.com/vdb/bottom.html?vid=1080
Name: CVE-2000-0110
Description:
The WebSiteTool shopping cart application allows remote users to
modify sensitive purchase information via hidden form fields.
Status: Candidate
Phase: Proposed (20000208)
Reference: ISS:20000201 Form Tampering Vulnerabilities in Several Web-Based Shopping Cart Applications
Votes:
ACCEPT(1) Baker
MODIFY(1) Frech
RECAST(1) Cole
REVIEWING(1) Wall
Voter Comments:
Cole> See comments for CVE-2000-0101
Frech> XF:shopping-cart-form-tampering
Name: CVE-2000-0114
Description:
Frontpage Server Extensions allows remote attackers to determine the
name of the anonymous account via an RPC POST request to shtml.dll in
the /_vti_bin/ virtual directory.
Status: Candidate
Phase: Proposed (20000208)
Reference: BUGTRAQ:20000203 2 MS Frontpage issues Cerberus Information Security Advisory (CISADV000203)
Votes:
ACCEPT(3) Baker, Cole, Wall
MODIFY(1) Frech
REVIEWING(1) Christey
Voter Comments:
Frech> XF:iis-frontpage-info
Christey> Acknowledged via personal communication with Microsoft
personnel.
May be the same as BID:1174 and/or BID:1433 (both mention
FrontPage, but one mentions shtml.exe and another mentions
shtml.dll)
Christey> [note to self: review comments by Mark Burnett]
CHANGE> [Christey changed vote from NOOP to REVIEWING]
Name: CVE-2000-0115
Description:
IIS allows local users to cause a denial of service via invalid
regular expressions in a Visual Basic script in an ASP page.
Status: Candidate
Phase: Proposed (20000208)
Reference: NTBUGTRAQ:20000121 Strange behaviour IIS and RegExp
Votes:
ACCEPT(1) Cole
NOOP(1) Baker
REJECT(2) Frech, LeBlanc
REVIEWING(1) Wall
Voter Comments:
Frech> This reference to NTBugtraq has a message that ends with "Can anyone
reproduce this?", and there are no followups. This makes for a weak
reference. There are also no other references listed for this CAN.
LeBlanc> - no follow-ups, no KB article, no fix
CHANGE> [Frech changed vote from REVIEWING to REJECT]
Name: CVE-2000-0118
Description:
The Red Hat Linux su program does not log failed password guesses if
the su process is killed before it times out, which allows local
attackers to conduct brute force password guessing.
Status: Candidate
Phase: Proposed (20000208)
Reference: BUGTRAQ:20000130 RedHat 6.1 /and others/ PAM
Reference: URL:http://marc.theaimsgroup.com/?l=bugtraq&m=94935300520617&w=2
Votes:
ACCEPT(3) Baker, Cole, Levy
MODIFY(1) Frech
NOOP(1) Wall
REVIEWING(1) Christey
Voter Comments:
Frech> Is this the same issue as BugTraq Mailing List, Wed, 9 Jun 1999 14:07:27
-0700 "vulnerability in su/PAM in redhat" at
http://www.netspace.org/cgi-bin/wa?A2=ind9906b&L=bugtraq&F=&S=&P=5356 and
"Solaris 2.5 /bin/su [was: vulnerability in su/PAM in redhat]" at
http://www.netspace.org/cgi-bin/wa?A2=ind9906b&L=bugtraq&F=&S=&P=6051
If so, then MODIFY XF:su-brute
Christey> BID:320
URL:http://www.securityfocus.com/vdb/bottom.html?vid=320
CHANGE> [Frech changed vote from REVIEWING to MODIFY]
Frech> XF:su-brute(2278)
This issue involves more platforms than Red Hat. See BugTraq
Mailing List, Thu Jun 10 1999 12:13:06, "Solaris 2.5 /bin/su [was:
vulnerability in su/PAM in redhat]",
http://www.securityfocus.com/archive/1/14854
Christey> It does look like this is the same issue as the other Bugtraq
post that explicitly mentions Red Hat and PAM.
CHANGE> [Christey changed vote from NOOP to REVIEWING]
Name: CVE-2000-0119
Description:
The default configurations for McAfee Virus Scan and Norton Anti-Virus
virus checkers do not check files in the RECYCLED folder that is used
by the Windows Recycle Bin utility, which allows attackers to store
malicious code without detection.
Status: Candidate
Phase: Proposed (20000208)
Reference: BUGTRAQ:20000130 Bypass Virus Checking
Reference: URL:http://marc.theaimsgroup.com/?l=bugtraq&m=94936267131123&w=2
Votes:
ACCEPT(2) Cole, Wall
MODIFY(1) Frech
NOOP(1) Baker
REVIEWING(1) Christey
Voter Comments:
Christey> ADDREF BID:956
A followup post on Feb 8 by Paul L Schmehl claims that this
would not work, because the anti-virus checkers would
activate if the user attempts to execute the program.
Frech> XF:win-trojan-detection-bypass
Much earlier possible reference at NTBugtraq Mailing List, Wed, 22 Dec 1999
20:37:43 -0800, "Bypass Virus Checking under 95/98/NT" at
http://www.ntbugtraq.com/default.asp?pid=36&sid=1&A2=ind9912&L=ntbugtraq&F=&S=&P=6030
CHANGE> [Cole changed vote from REVIEWING to ACCEPT]
Christey> NTBUGTRAQ:19991222 Bypass Virus Checking under 95/98/NT
http://www.ntbugtraq.com/default.asp?pid=36&sid=1&A2=ind9912&L=ntbugtraq&F=&S=&P=6030
Name: CVE-2000-0122
Description:
Frontpage Server Extensions allows remote attackers to determine the
physical path of a virtual directory via a GET request to the
htimage.exe CGI program.
Status: Candidate
Phase: Modified (20070607)
Reference: BUGTRAQ:20070603 CERN İmage Map Dispatcher
Reference: URL:http://www.securityfocus.com/archive/1/archive/1/470458/100/0/threaded
Reference: NTBUGTRAQ:20000203 2 MS Frontpage issues Cerberus Information Security Advisory (CISADV000203)
Reference: BID:964
Reference: URL:http://www.securityfocus.com/bid/964
Reference: XF:frontpage-cern-information-disclosure(34719)
Reference: URL:http://xforce.iss.net/xforce/xfdb/34719
Votes:
ACCEPT(4) Baker, Cole, LeBlanc, Wall
MODIFY(1) Frech
NOOP(1) Christey
Voter Comments:
Frech> XF:ms-frontpage-get-htimage
Christey> It appears that this was rediscovered in April 18, 2000:
BUGTRAQ:20000418 More vulnerabilities in FP
URL:http://www.securityfocus.com/frames/?content=/templates/archive.pike%3Flist%3D1%26msg%3D38FCAC0C.869611C0%40hobbiton.org
This in turn may match BID:1141
Christey> According to Scott Culp of Microsoft, this was patched in MS:MS00-028.
Christey> BID:1141 ??
Name: CVE-2000-0123
Description:
The shopping cart application provided with Filemaker allows remote
users to modify sensitive purchase information via hidden form fields.
Status: Candidate
Phase: Proposed (20000208)
Reference: BUGTRAQ:20000203 Re: [xforce@iss.net: ISSalert: ISS E-Security Alert: Form Tampering Vulnerabilities in Several Web-Based Shopping Cart Applications]
Votes:
ACCEPT(1) Baker
MODIFY(1) Frech
RECAST(1) Cole
REVIEWING(1) Wall
Voter Comments:
Cole> See comments for CVE-2000-0101
Frech> XF:shopping-cart-form-tampering
Name: CVE-2000-0124
Description:
surfCONTROL SuperScout does not properly asign a category to web sites
with a . (dot) at the end, which may allow users to bypass web access
restrictions.
Status: Candidate
Phase: Proposed (20000208)
Reference: BUGTRAQ:20000203 surfCONTROL SuperScout v2.6.1.6 flaw
Reference: BID:965
Reference: URL:http://www.securityfocus.com/bid/965
Votes:
MODIFY(2) Baker, Frech
NOOP(2) Christey, Wall
RECAST(1) Cole
Voter Comments:
Cole> See comments for CVE-2000-0101
Frech> XF:surfcontrol-superscout-bypass-filter(4009)
Christey> Fix typo: "asign"
Baker> Description still has typo asign instead of assign
Name: CVE-2000-0125
Description:
wwwthreads does not properly cleanse numeric data or table names that
are passed to SQL queries, which allows remote attackers to gain
privileges for wwwthreads forums.
Status: Candidate
Phase: Proposed (20000208)
Reference: BUGTRAQ:20000203 RFP2K01 - "How I hacked Packetstorm" (wwwthreads advisory)
Reference: URL:http://www.securityfocus.com/templates/archive.pike?list=1&msg=Pine.LNX.4.10.10002031027120.15921-100000@eight.wiretrip.net
Reference: BID:967
Reference: URL:http://www.securityfocus.com/bid/967
Votes:
ACCEPT(2) Baker, Cole
MODIFY(1) Frech
NOOP(2) Christey, Wall
Voter Comments:
Frech> XF:wwwthreads-sql-command-privs(4011)
Christey> CONFIRM:http://www.wwwthreads.com/perl/showflat.pl?Cat=&Board=info&Number=9932&page=1&view=collapsed&sb=5
Name: CVE-2000-0126
Description:
Sample Internet Data Query (IDQ) scripts in IIS 3 and 4 allow remote
attackers to read files via a .. (dot dot) attack.
Status: Candidate
Phase: Proposed (20000208)
Reference: BUGTRAQ:20000202 Alert: IIS 4 / IS 2 IDQ Cerberus Information Security Advisory (CISADV000202)
Reference: NTBUGTRAQ:20000202 Alert: IIS 4 / IS 2 IDQ Cerberus Information Security Advisory (CISADV000202)
Votes:
ACCEPT(4) Baker, Cole, LeBlanc, Wall
MODIFY(1) Frech
REVIEWING(1) Christey
Voter Comments:
Frech> XF:iis-dir-traversal-read
Christey> This may be a variant of CVE-2000-0097 or CVE-2000-0098.
MS:MS00-006 says that a new variant was announced on February 4,
but that it only revealed the physical path. The post related
to this CAN is dated February 2, but it describes the impact
as being able to read files.
See http://marc.theaimsgroup.com/?l=bugtraq&m=94972759912790&w=2
Christey> According to Mark Burnett: "CISADV000202 [described] idq.dll
and involving .idq files... IDQ files are vulnerable to a
double-dot bug that allows files on the same partition as the
web root to be viewed.... [This candidate] refers to the same
MS00-006"
ADDREF MS:MS00-006
ADDREF BID:968 ?
Frech> Change iis-dir-traversal-read(4014) to http-indexserver-view-files(4232)
Name: CVE-2000-0129
Description:
Buffer overflow in the SHGetPathFromIDList function of the Serv-U FTP
server allows attackers to cause a denial of service by performing a
LIST command on a malformed .lnk file.
Status: Candidate
Phase: Proposed (20000208)
Reference: NTBUGTRAQ:20000204 Local / Remote D.o.S Attack in Serv-U FTP-Server v2.5b for Win9x/WinNT Vulnerability
Reference: BUGTRAQ:20000204 Local / Remote D.o.S Attack in Serv-U FTP-Server v2.5b for Win9x/WinNT Vulnerability
Reference: NTBUGTRAQ:20000204 Windows Api SHGetPathFromIDList Buffer Overflow
Reference: BUGTRAQ:20000204 Windows Api SHGetPathFromIDList Buffer Overflow
Votes:
ACCEPT(3) Baker, Blake, Cole
MODIFY(2) Frech, Levy
NOOP(2) Armstrong, Ozancin
RECAST(1) Christey
REVIEWING(1) Wall
Voter Comments:
Frech> XF:win-shortcut-api-bo
The real problem seems to be with the Windows API call, not the Serv-U FTP
app. As the "Windows Api SHGetPathFromIDList Buffer Overflow" reference
states, [The bug can] "cause whatever handles the shortcuts to crash."
As a suggestion, rephrase the description from Windows's context, and state
that the Serv-U FTP server is an example of an app that exhibits this
problem.
Wall> Comment: the original UssrLabs advisory does mention the SHGetPathFromIDList
buffer overflow in a Windows API and that Serv-U FTP uses this API to cause the
problem. The problem does not exist on Windows 2000. The solution seems to be
in a new release of Serv-U FTP.
Levy> BID 970
Christey>
Reports indicate that while the vulnerable function was found in Serv-U FTP
server, the function is actually from Microsoft, and as such may affect other
applications.
XF:win-shortcut-api-bo
BID:970
Name: CVE-2000-0132
Description:
Microsoft Java Virtual Machine allows remote attackers to read
files via the getSystemResourceAsStream function.
Status: Candidate
Phase: Proposed (20000208)
Reference: BUGTRAQ:20000201 `Microsoft VM for Java' allows reading local files using `getSystemResourceAsStream'.
Reference: BID:957
Reference: URL:http://www.securityfocus.com/bid/957
Votes:
ACCEPT(2) Cole, Wall
NOOP(1) Baker
REJECT(3) Christey, Frech, LeBlanc
Voter Comments:
Frech> How is this different from MITRE:CVE-2000-0162, other than the
fact that it has an MS advisory that's vague on the reason but
has the same outcome, and this one mentions the
getSystemResourceAsStream function?
Christey> This is a duplicate of CVE-2000-0162, as confirmed via David
LeBlanc. The descriptions of CVE-2000-0132 and CVE-2000-0162 were
significantly different, as was the descriptive text of
MS:MS00-011 and the original Bugtraq posting. So this
duplicate wasn't picked up before. CVE-2000-0162 needs to be
modified to include XF:virtual-machine-file-read as a
reference.
LeBlanc> Duplicate
Christey> Ensure that CVE-2000-0162 uses msvm-java-file-read(4024) now,
instead of virtual-machine-file-read(4577)
Frech> If duplicate with CVE-2000-0098, shouldn't the references be
moved over to the valid CVE number? Please advise.
Christey> When CVE-2000-0132 is rejected, the references will be added
to CVE-2000-0098.
Name: CVE-2000-0133
Description:
Buffer overflows in Tiny FTPd 0.52 beta3 FTP server allows users to
execute commands via the STOR, RNTO, MKD, XMKD, RMD, XRMD, APPE, SIZE,
and RNFR commands.
Status: Candidate
Phase: Proposed (20000208)
Reference: BUGTRAQ:20000201 Tiny FTPd 0.52 beta3 Buffer Overflow
Reference: BID:961
Reference: URL:http://www.securityfocus.com/bid/961
Votes:
ACCEPT(2) Baker, Cole
MODIFY(1) Frech
NOOP(1) Wall
Voter Comments:
Frech> XF:tinyftp-command-overflow(4000)
Name: CVE-2000-0134
Description:
The Check It Out shopping cart application allows remote users to
modify sensitive purchase information via hidden form fields.
Status: Candidate
Phase: Proposed (20000208)
Reference: ISS:20000201 Form Tampering Vulnerabilities in Several Web-Based Shopping Cart Applications
Votes:
ACCEPT(1) Baker
MODIFY(1) Frech
RECAST(1) Cole
REVIEWING(1) Wall
Voter Comments:
Cole> See comments for CVE-2000-0101
Frech> XF:shopping-cart-form-tampering
Name: CVE-2000-0135
Description:
The @Retail shopping cart application allows remote users to modify
sensitive purchase information via hidden form fields.
Status: Candidate
Phase: Proposed (20000208)
Reference: ISS:20000201 Form Tampering Vulnerabilities in Several Web-Based Shopping Cart Applications
Votes:
ACCEPT(1) Baker
MODIFY(1) Frech
RECAST(1) Cole
REVIEWING(1) Wall
Voter Comments:
Cole> See comments for CVE-2000-0101
Frech> XF:shopping-cart-form-tampering
Name: CVE-2000-0136
Description:
The Cart32 shopping cart application allows remote users to modify
sensitive purchase information via hidden form fields.
Status: Candidate
Phase: Proposed (20000208)
Reference: ISS:20000201 Form Tampering Vulnerabilities in Several Web-Based Shopping Cart Applications
Votes:
ACCEPT(1) Baker
MODIFY(1) Frech
RECAST(1) Cole
REVIEWING(1) Wall
Voter Comments:
Cole> See comments for CVE-2000-0101
Frech> XF:shopping-cart-form-tampering
Name: CVE-2000-0137
Description:
The CartIt shopping cart application allows remote users to modify
sensitive purchase information via hidden form fields.
Status: Candidate
Phase: Proposed (20000208)
Reference: ISS:20000201 Form Tampering Vulnerabilities in Several Web-Based Shopping Cart Applications
Votes:
ACCEPT(1) Baker
MODIFY(1) Frech
RECAST(1) Cole
REVIEWING(1) Wall
Voter Comments:
Cole> See comments for CVE-2000-0101
Frech> XF:shopping-cart-form-tampering
Name: CVE-2000-0138
Description:
A system has a distributed denial of service (DDOS) attack master,
agent, or zombie installed, such as (1) Trinoo, (2) Tribe Flood
Network (TFN), (3) Tribe Flood Network 2000 (TFN2K), (4)
stacheldraht, (5) mstream, or (6) shaft.
Status: Candidate
Phase: Modified (20130104-02)
Reference: CERT:CA-2000-01
Reference: CERT:IN-99-04
Reference: SUN:00193
Reference: ISS:20000209 Denial of Service Attack using the TFN2K and Stacheldraht programs
Reference: ISS:20000502 "mstream" Distributed Denial of Service Tool
Reference: URL:http://xforce.iss.net/alerts/advise48.php3
Reference: BUGTRAQ:19991206 Analysis of trin00
Reference: BUGTRAQ:19991206 Analysis of Tribe Flood Network
Reference: BUGTRAQ:19991229 Analysis of "stacheldraht"
Reference: BUGTRAQ:20000211 DDOS Attack Mitigation
Reference: BUGTRAQ:20000211 TFN2K - An Analysis
Reference: BUGTRAQ:20000211 A DDOS proposal.
Reference: BUGTRAQ:20000429 Source code to mstream, a DDoS tool
Reference: URL:http://marc.theaimsgroup.com/?l=bugtraq&m=95715370208598&w=2
Reference: BUGTRAQ:20000501 Re: Source code to mstream, a DDoS tool
Reference: URL:http://marc.theaimsgroup.com/?l=bugtraq&m=95722093124322&w=2
Votes:
ACCEPT(2) Cole, Wall
NOOP(4) Christey, Dik, Levy, Shostack
RECAST(3) Baker, Meunier, Ziese
REVIEWING(2) Bishop, Blake
Voter Comments:
Christey> **********************************************************
THIS CANDIDATE HAS GENERATED A LONG THREAD. SEE THE
EDITORIAL BOARD ARCHIVES FOR DETAILS, BEGINNING AT
http://cve.mitre.org/Board_Sponsors/archives/msg00590.html
**********************************************************
Ziese>
I suggest we I'd like to suggest that we consider not tying
specifically to a DDOS tool. Instead, since we are at at higher
abstraction level, that we make the class include those master/slave
tool combinations that are used for malicious purposes (i.e. DDOS,
data exfiltration, or whatever the appropriate classes of effect are).
My concern is that (1) we treat all distributed attacks at the same
abstract level; not just the DDOS ones. Second, if it is at a higher
abstraction level then it seems right to unlimit it (by including
master/slave combinations in general; not just the DDOS asect).
Meunier> I think that trinoo etc... are very similar to smurf attacks
(CVE-1999-0513 ) in the sense that a third party allows itself to be
used. Also, there is an obvious solution that can only be done by
that third party.
As for the CVE entry, I am considering whether the common entry point
could be reduced to "egress filtering has not been implemented or has
been disabled, allowing the sending of spoofed IP packets".
Incidentally, this would prevent the use of decoys in port scans,
etc... This single CVE entry would be very powerful. We could use
the dot notation to list the DDoS tools and attacks that rely on the
absence of egress filtering based on the argument that if you have
egress filtering, nobody will bother to put or use DDoS tools on your
computers.
The weakness of this is that one could in theory still use DDoS tools
even if you have egress filtering -- only they will be one shot guns,
almost completely eliminating their appeal and effectiveness. One
use, and they will be blocked, tracked down and destroyed
efficiently.
Pascal
P.S.: I am attracted by the idea of starting an internet (fire)wall
of shame, for people who haven't implemented egress filtering. It
worked pretty well against sites allowing themselves to be used for
smurf attacks (http://www.powertech.no/smurf/). Why not use the same
strategy for egress filtering? Of course it's hard to know who is
the source of IP spoofed packets. However the consistent detection
of crud originating from a server is a sure sign that they haven't
implemented egress filtering. For example (my first candidate to
this wall of shame), this weekend the Linux suse ftp server sent many
packets with an illegal ip address as source, one reserved for local
area networks, upon making an ftp connection (it may still be doing
it, I haven't checked since -- the suse ftp admin mentioned that they
were aware of it). It was easy to figure out it was them by
repeating the ftp connections and observing the 100% reproducibility
and time correlation of the extraneous packets. In addition, the
suse servers kept sending me crud for *hours* after a failed attempt
to download their PPC beta.
The cost of egress filtering is easily justified. The argument is
similar to those relating to pollution, excepted that people don't
try to break into your car if you have removed the catalytic
converter.
Bishop> I need to think about the exact meaning of MP. I suspect I
will agree with the classification, on an operational basis
(meaning I may want to revisit it), but I want to think on it
some more.
Blake> I don't agree with Pascal that this is a filtering problem analogous to
smurf. Rootkit is a better analogy. The DDoS software doesn't exploit
any unique vulnerability directly. It's presence is entirely predicated
on the existence of at least one other, easily exploited vulnerability.
>From the perspective of the system owner, this is just one of several
backdoors that could be installed. Seems to me that the presence of a
known backdoor package should be considered a vulnerability (or at least
an exposure).
I'm really torn on whether or not to split them out, though. My
inclination is to group master and slave by package; i.e., trinoo
master/slave, tfn master/slave, etc.
Wall>
Just to be consistent, you may add Trinoo (trin00) and does it matter
if it is Tribal or Tribe? The original internal c program says Tribe Flood
Network.
Meunier> What they have in common is the use of an amplification mechanism.
They are broadcasting (multicasting) to a (virtual private) network,
which then amplifies the messages. In both cases, the amplification
is done by the third party victim hosts. The difference is just that
the network is virtual instead of physical.
Scott, you are assuming that the people who have the tools installed
are unwilling. Let's say theoretically speaking that there is an
underground hacker group (or student association) who is hooked up to
DSL lines (like in university residences) and who thinks that it
would be "cool" to form an "army". How about a popular civil
movement protesting something, like the WTO last summer? I think
some people would voluntarily "enlist" their computers in a cause
that would use DDoS attacks. The rootkit analogy does not hold, yet
the DDoS attacks could be just as effective. However, if the
university or ISPs implemented egress filtering, the DDoS attacks
could be easily stopped because the people could be held accountable.
The crux of the matter is the anonymity provided by IP spoofing.
You are correct that in most cases, having a DDoS tool installed on
your system is an exposure like rootkit. Maybe that deserves a CVE
entry. However, I think that does not capture the nature of the
DDoS, and that an entry about egress filtering is of utmost
importance because it patches a fundamental vulnerability of IPv4.
Blake> Excellent response, Pascal, thanks. I hadn't thought of people
volunteering, but that's certainly a plausible scenario. Part of my
motivation/thinking was a desire to stay away from making this into only
yet another use for spoofed IP packets. I wholeheartedly agree that
egress filtering essential, but am reluctant to single out the recent DDoS
events as the reason for it.
I'd prefer to split out egress filtering as a seperate CVE entry (on the
theory that not using egress filtering constitutes an exposure -- at least
to liability), rather than tying it to these entries.
Levy> I agree with Scott for no other reason that there needs to be a CVE
ID so that IDS systems can report this things.
Are we going to start handing out CVE ids for low level design faults?
E.g. lack of encryption at the IPv4 packet level? lack of resource
allocation protocols? the used of DES instead of Triple DES? etc
Shostack> Both excellent points, however, I'd like to add that even if people
volunteer to host the tools, Trinoo and company allow the controlling
attacker to hide activities, which counts as an exposure under
http://cve.mitre.org/About_CVE/About/definition.html
Cole> Even with all of the debate i accept this one.
Christey> With respect to inclusion of design flaws in CVE, review
http://cve.mitre.org/Board_Sponsors/archives/msg00602.html
Other design flaws that have already been added to CVE
include Smurf (CVE-1999-0513), Fraggle (CVE-1999-0514)
and TCP sequence number prediction (CVE-1999-0077), although
this last one may need to be RECAST to a lower level of
abstraction.
CHANGE> [Meunier changed vote from REVIEWING to RECAST]
Meunier> In the sense that this is like a rootkit, then it is a
duplicate of CVE-1999-0660, "A hacker utility or Trojan Horse is
installed on a system, e.g. NetBus, Back Orifice, Rootkit, etc..."
It should be recast as CVE-1999-0660.1 DDoS tools
Other dot notations could indicate different effects of the tools.
Dik> There doesn't seem to be much to add to the
discussion.
Baker> Concur that this is a hacker utility, and should be recast and merged with other backdoor programs that allow a hacker to control the activities of the system.
Name: CVE-2000-0142
Description:
The authentication protocol in Timbuktu Pro 2.0b650 allows remote
attackers to cause a denial of service via connections to port 407 and
1417.
Status: Candidate
Phase: Proposed (20000216)
Reference: BUGTRAQ:20000211 Timbuktu Pro 2.0b650 DoS
Votes:
ACCEPT(4) Bishop, Blake, Cole, LeBlanc
MODIFY(2) Frech, Levy
NOOP(2) Baker, Christey
Voter Comments:
Frech> XF:timbuktu-auth-dos
Levy> BID 984
Christey> BUGTRAQ:20000412 Timbuktu DoS repaired by Netopia
http://www.securityfocus.com/archive/1/54850
BID:984
Name: CVE-2000-0143
Description:
The SSH protocol server sshd allows local users without shell access
to redirect a TCP connection through a service that uses the standard
system password database for authentication, such as POP or FTP.
Status: Candidate
Phase: Interim (20001011)
Reference: BUGTRAQ:20000211 sshd and pop/ftponly users incorrect configuration
Reference: XF:ssh-redirect-tcp-connection
Votes:
ACCEPT(3) Blake, Cole, LeBlanc
MODIFY(1) Frech
NOOP(2) Baker, Bishop
REJECT(1) Levy
REVIEWING(1) Christey
Voter Comments:
Frech> XF:ssh-redirect-tcp-connection
CHANGE> [Cole changed vote from REVIEWING to ACCEPT]
Christey> Examine the thread at
http://marc.theaimsgroup.com/?l=bugtraq&m=95055978131077&w=2
to ensure that this problem is being characterized
appropriately.
Levy> SSH is working as designed. The fact that some of its interactions
are not forseen by some is not a vulnerability.
Name: CVE-2000-0147
Description:
snmpd in SCO OpenServer has an SNMP community string that is writable
by default, which allows local attackers to modify the host's
configuration.
Status: Candidate
Phase: Modified (20000321-01)
Reference: NAI:20000207 SNMPD default writable community string
Reference: URL:http://archives.neohapsis.com/archives/bugtraq/2000-02/0045.html
Reference: SCO:SB-00.04a
Reference: URL:ftp://ftp.sco.com/SSE/security_bulletins/SB-00.04a
Reference: BID:973
Reference: URL:http://www.securityfocus.com/bid/973
Votes:
ACCEPT(5) Baker, Bishop, Blake, Cole, Levy
MODIFY(1) Frech
NOOP(1) LeBlanc
Voter Comments:
Frech> XF:sco-openserver-snmpd
Name: CVE-2000-0151
Description:
GNU make follows symlinks when it reads a Makefile from stdin, which
allows other local users to execute commands.
Status: Candidate
Phase: Proposed (20000216)
Reference: SUSE:20000209 make-3.77-44
Reference: BID:981
Reference: URL:http://www.securityfocus.com/bid/981
Votes:
ACCEPT(3) Bishop, Blake, Levy
MODIFY(1) Frech
NOOP(3) Baker, Cole, LeBlanc
REJECT(1) Christey
Voter Comments:
Frech> XF:gnu-makefile-tmp-root
(We have made assignment to two CANs. Requesting confirmation that this is
not a duplicate of CVE-2000-0092: The BSD make program allows local users to
modify files via a symlink attack when the -j option is being used.)
Christey> To confirm Andre's question, this is being treated as
different from CVE-2000-0092, based largely on the fact
that the exploit is different. I believe there was
another reason for keeping these distinct, but that
"deeper analysis" was not recorded :-( While it's possible
that this is the same bug from some common version of make,
in the absence of other information we should probably
keep these two split.
CHANGE> [Christey changed vote from NOOP to REVIEWING]
CHANGE> [Christey changed vote from REVIEWING to REJECT]
Christey> Taking a fresh look at the diff's for FreeBSD make:
ftp://ftp.freebsd.org/pub/FreeBSD/CERT/advisories/FreeBSD-SA-00:01.make.asc
And Debian make:
http://security.debian.org/dists/slink/updates/source/make_3.77-5slink.diff.gz
OK... now that I've hurt my brain looking at the code, while
there are major differences in the surrounding code,
ultimately both FreeBSD and Debian create an "outfile" file
descriptor for the temporary file, within main() in main.c.
In addition, child_execute_job() in job.c uses an outfile
variable - for both sources.
Perhaps FreeBSD reported the -j problem without seeing that it
could come in from stdin as well, and/or Debian/etc. didn't realize
that it was exploitable from job control, or maybe a combination of
the two. Regardless, the two problems are the same.
Phew! There goes a half-hour of my life that I'll never be
able to get back...
Name: CVE-2000-0153
Description:
FrontPage Personal Web Server (PWS) allows remote attackers to read
files via a .... (dot dot) attack.
Status: Candidate
Phase: Proposed (20000223)
Reference: BUGTRAQ:20000216 Doubledot bug in FrontPage FrontPage Personal Web Server.
Reference: URL:http://www.securityfocus.com/templates/archive.pike?list=1&date=2000-02-15&msg=000801bf780a$9ad4b2e0$0100007f@localhost
Reference: BID:989
Reference: URL:http://www.securityfocus.com/bid/989
Votes:
ACCEPT(3) Cole, Levy, Wall
MODIFY(1) Frech
NOOP(2) Baker, Christey
REJECT(1) LeBlanc
Voter Comments:
LeBlanc> I think this is the same as
http://www.microsoft.com/technet/security/bulletin/ms99-010.asp
If that is true, and you already have it logged, we don't want to have an
entry for the same bug.
Christey> MS:MS99-010 describes CVE-1999-0386. Are there sufficient
details to ensure that this is the same problem?
See http://www.securityfocus.com/templates/archive.pike?list=1&msg=01bae51a$9ab232b0$0100007f@nordnode
Frech> XF:pws-file-access
(We currently have this issue assigned to this CAN and to CVE-1999-0386. I
see that others have similar concerns that this is a duplicate; please
confirm on current status of this candidate.)
Christey> [note to self: review comments by Mark Burnett]
Name: CVE-2000-0154
Description:
The ARCserve agent in UnixWare allows local attackers to modify
arbitrary files via a symlink attack.
Status: Candidate
Phase: Modified (20000403-01)
Reference: NAI:20000215 ARCserve symlink vulnerability
Reference: URL:http://www.securityfocus.com/templates/archive.pike?list=1&date=2000-02-15&msg=000101bf78af$94528870$4d2f45a1@jmagdych.na.nai.com
Reference: BID:988
Reference: URL:http://www.securityfocus.com/bid/988
Reference: MISC:http://www.sco.com/security/
Votes:
ACCEPT(1) Cole
NOOP(3) Baker, LeBlanc, Wall
REJECT(3) Christey, Frech, Levy
Voter Comments:
Christey> DUPE CVE-2000-0224
Frech> DUPE MITRE:CVE-2000-0224; XF:sco-openserver-arc-symlink
Recommend moving BID reference to CVE-2000-0224.
Name: CVE-2000-0155
Description:
Windows NT Autorun executes the autorun.inf file on non-removable
media, which allows local attackers to specify an alternate program to
execute when other users access a drive.
Status: Candidate
Phase: Proposed (20000223)
Reference: BUGTRAQ:20000218 AUTORUN.INF Vulnerability
Reference: URL:http://www.securityfocus.com/templates/archive.pike?list=1&date=2000-02-15&msg=000701bf79cd$fdb5a620$4c4342a6@mightye.org
Reference: BID:993
Reference: URL:http://www.securityfocus.com/bid/993
Votes:
ACCEPT(4) Baker, Cole, Levy, Wall
MODIFY(1) Frech
REVIEWING(1) Christey
Voter Comments:
Frech> XF:nt-autorun-notdefault
Christey> Consider:
http://support.microsoft.com/support/kb/articles/Q155/2/17.asp
http://support.microsoft.com/support/kb/articles/Q136/2/14.asp
Name: CVE-2000-0158
Description:
Buffer overflow in MMDF server allows remote attackers to gain
privileges via a long MAIL FROM command to the SMTP daemon.
Status: Candidate
Phase: Modified (20000403-01)
Reference: NAI:20000215 Remote Vulnerability in the MMDF SMTP Daemon
Reference: URL:http://www.securityfocus.com/templates/archive.pike?list=1&date=2000-02-15&msg=000001bf78af$6d0d47a0$4d2f45a1@jmagdych.na.nai.com
Reference: BUGTRAQ:20000218 MMDF
Reference: URL:http://www.securityfocus.com/templates/archive.pike?list=1&date=2000-02-15&msg=200002181449.JAA03436@dragonfly.corp.home.net
Reference: SCO:SB-00.06a
Reference: URL:ftp://ftp.sco.com/SSE/security_bulletins/SB-00.06a
Reference: BID:997
Reference: URL:http://www.securityfocus.com/bid/997
Votes:
ACCEPT(3) Baker, Cole, Levy
MODIFY(1) Frech
NOOP(2) LeBlanc, Wall
Voter Comments:
Frech> XF:sco-mmdf-bo
Name: CVE-2000-0160
Description:
The Microsoft Active Setup ActiveX component in Internet Explorer 4.x
and 5.x allows a remote attacker to install software components
without prompting the user by stating that the software's manufacturer
is Microsoft.
Status: Candidate
Phase: Modified (20000321-01)
Reference: BUGTRAQ:20000221 Microsoft signed software can be install software without prompting users
Reference: URL:http://www.securityfocus.com/templates/archive.pike?list=1&date=2000-02-15&msg=20000221103938.T21312@securityfocus.com
Reference: XF:win-active-setup
Votes:
ACCEPT(4) Baker, LeBlanc, Levy, Wall
MODIFY(1) Frech
NOOP(1) Cole
REVIEWING(1) Christey
Voter Comments:
Christey> In a followup to Bugtraq, Juan Carlos Cuartango makes some
clarifications, specifically that the code that is executed
*must* be signed by Microsoft.
See BUGTRAQ:20000222 MS signed softwrare privileges
Microsoft sends some followups, including a statement that it
will include notification.
The question is, does this belong in CVE? There is no known
means of exploitation; on the other hand, it is related
to privacy concerns. Several posts to the Bugtraq list
indicate that some people believe that unprompted installation
is a significant concern.
Frech> XF:win-active-setup
Levy> BID 999
I do consider this vulnerability as it allows a malicious web page
to install *old* and *vulnerable* components signed by microsoft.
LeBlanc> Fixed in MS00-042
Christey> BID:999
Also add XF:ie-active-setup-download ?
Name: CVE-2000-0163
Description:
asmon and ascpu in FreeBSD allow local users to gain root privileges
via a configuration file.
Status: Candidate
Phase: Proposed (20000223)
Reference: FREEBSD:FreeBSD-SA-00:03
Reference: URL:http://www.securityfocus.com/templates/advisory.html?id=2092
Reference: BID:996
Reference: URL:http://www.securityfocus.com/bid/996
Votes:
ACCEPT(3) Baker, Cole, Levy
MODIFY(1) Frech
NOOP(2) LeBlanc, Wall
Voter Comments:
Frech> XF:asmon-ascpu-execute-commands
(Not sims-slapd-logfiles)
Name: CVE-2000-0167
Description:
IIS Inetinfo.exe allows local users to cause a denial of service by
creating a mail file with a long name and a .txt.eml extension in the
pickup directory.
Status: Candidate
Phase: Proposed (20000223)
Reference: NTBUGTRAQ:20000215 Crashing Inetinfo.exe by using a longfilename in the \mailroot\pickup directory
Reference: URL:http://www.ntbugtraq.com/default.asp?pid=36&sid=1&A2=ind0002&L=ntbugtraq&F=&S=&P=8800
Votes:
ACCEPT(1) Cole
MODIFY(1) Frech
NOOP(1) Baker
REVIEWING(4) Christey, LeBlanc, Levy, Wall
Voter Comments:
Frech> XF:iis-pickup-directory-dos
Christey> BID:1819
URL:http://www.securityfocus.com/bid/1819
LeBlanc> Trying to get more info
Name: CVE-2000-0173
Description:
Vulnerability in the EELS system in SCO UnixWare 7.1.x allows remote
attackers to cause a denial of service.
Status: Candidate
Phase: Proposed (20000322)
Reference: SCO:SB-00.08a
Reference: URL:ftp://ftp.sco.com/SSE/security_bulletins/SB-00.08a
Votes:
ACCEPT(3) Baker, Blake, Cole
MODIFY(1) Frech
NOOP(4) LeBlanc, Ozancin, Prosser, Wall
REVIEWING(2) Christey, Levy
Voter Comments:
Prosser> Although SCO is reporting the problem, there is too little info
available to make an informed decision. Unable to find anything
anywhere on this. It is an events logging system, so one would assume
that there is a way to fill up the log and cause a system halt, but no
way of confirming this with limited information.
Christey> Perhaps we should create a content decision, say
CD:VAGUE-ACK, which says whether it's reasonable to
ACCEPT vendor-acknowledged problems that do not provide any
salient details, as in this candidate as well as several
others.
Cole> I researched this a little more and you can change my NOOP to an
ACCEPT
Frech> XF:sco-eels-dos
Name: CVE-2000-0176
Description:
The default configuration of Serv-U 2.5d and earlier allows remote
attackers to determine the real pathname of the server by requesting a
URL for a directory or file that does not exist.
Status: Candidate
Phase: Proposed (20000322)
Reference: BUGTRAQ:20000228 Serv-U FTP-Server v2.4a showing real path
Reference: URL:http://archives.neohapsis.com/archives/bugtraq/2000-02/0417.html
Reference: BID:1016
Reference: URL:http://www.securityfocus.com/bid/1016
Votes:
ACCEPT(4) Blake, Cole, Levy, Ozancin
MODIFY(1) Frech
NOOP(3) Baker, LeBlanc, Wall
Voter Comments:
Frech> XF:servu-ftp-server-path(4060)
Name: CVE-2000-0177
Description:
DNSTools CGI applications allow remote attackers to execute arbitrary
commands via shell metacharacters.
Status: Candidate
Phase: Proposed (20000322)
Reference: BUGTRAQ:20000302 DNSTools v1.08 has no input validation
Reference: URL:http://archives.neohapsis.com/archives/bugtraq/2000-03/0000.html
Reference: BID:1028
Reference: URL:http://www.securityfocus.com/bid/1028
Votes:
ACCEPT(4) Blake, Cole, Levy, Ozancin
MODIFY(1) Frech
NOOP(3) Baker, LeBlanc, Wall
Voter Comments:
Frech> XF:dnstools-invalid-input(4876)
Name: CVE-2000-0187
Description:
EZShopper 3.0 loadpage.cgi CGI script allows remote attackers to read
arbitrary files via a .. (dot dot) attack or execute commands via
shell metacharacters.
Status: Candidate
Phase: Proposed (20000322)
Reference: BUGTRAQ:20000227 EZ Shopper 3.0 shopping cart CGI remote command execution
Reference: URL:http://archives.neohapsis.com/archives/bugtraq/2000-02/0356.html
Reference: BID:1014
Reference: URL:http://www.securityfocus.com/bid/1014
Votes:
ACCEPT(2) Levy, Ozancin
MODIFY(1) Frech
NOOP(6) Baker, Blake, Christey, Cole, LeBlanc, Wall
Voter Comments:
Christey> Since EZShopper is written in Perl, there is strong evidence
that both the .. and metacharacter attack probably go
through the same insecure open() call. (Perl's open can
either read a regular file, or read piped output from
a command that is specified to the open).
Frech> XF:ezshopper-loadpage-cgi(4044)
Name: CVE-2000-0188
Description:
EZShopper 3.0 search.cgi CGI script allows remote attackers to read
arbitrary files via a .. (dot dot) attack or execute commands via
shell metacharacters.
Status: Candidate
Phase: Proposed (20000322)
Reference: BUGTRAQ:20000227 EZ Shopper 3.0 shopping cart CGI remote command execution
Reference: URL:http://archives.neohapsis.com/archives/bugtraq/2000-02/0356.html
Reference: BID:1014
Reference: URL:http://www.securityfocus.com/bid/1014
Votes:
ACCEPT(2) Levy, Ozancin
MODIFY(1) Frech
NOOP(6) Baker, Blake, Christey, Cole, LeBlanc, Wall
Voter Comments:
Christey> The exploit is different than CVE-2000-0187 by going through
a different field in a different script, so maybe this should
be kept separate, even though it's probably another open()
call problem.
Frech> XF:ezshopper-search-cgi(4045)
Name: CVE-2000-0190
Description:
AOL Instant Messenger (AIM) client allows remote attackers to cause a
denial of service via a message with a malformed ASCII value.
Status: Candidate
Phase: Proposed (20000322)
Reference: BUGTRAQ:20000303 Aol Instant Messenger DoS vulnerability
Reference: URL:http://archives.neohapsis.com/archives/bugtraq/2000-03/0016.html
Votes:
ACCEPT(2) Blake, Cole
MODIFY(1) Frech
NOOP(3) Baker, LeBlanc, Ozancin
REVIEWING(2) Levy, Wall
Voter Comments:
Frech> XF:aolim-malformed-ascii-dos(4877)
Name: CVE-2000-0197
Description:
The Windows NT scheduler uses the drive mapping of the interactive
user who is currently logged onto the system, which allows the local
user to gain privileges by providing a Trojan horse batch file in
place of the original batch file.
Status: Candidate
Phase: Proposed (20000322)
Reference: NTBUGTRAQ:20000313 AT Jobs - Denial of serice/Privilege Elevation
Reference: URL:http://archives.neohapsis.com/archives/ntbugtraq/current/0202.html
Reference: BID:1050
Reference: URL:http://www.securityfocus.com/bid/1050
Votes:
ACCEPT(3) Baker, Cole, Levy
MODIFY(1) Frech
NOOP(2) Blake, Ozancin
REJECT(1) LeBlanc
REVIEWING(1) Wall
Voter Comments:
LeBlanc> this is just bad security practice, not a vulnerability
Frech> XF:nt-at-drive-mappings
Name: CVE-2000-0198
Description:
Buffer overflow in POP3 and IMAP servers in the MERCUR mail server
suite allows remote attackers to cause a denial of service.
Status: Candidate
Phase: Proposed (20000322)
Reference: NTBUGTRAQ:20000314 Local / Remote Multiples Remote DoS Attacks in MERCUR v3.2* for Windows 98/NT Vulnerability
Reference: URL:http://archives.neohapsis.com/archives/ntbugtraq/current/0206.html
Reference: BUGTRAQ:20000314 Local / Remote Multiples Remote DoS Attacks in MERCUR v3.2* for Windows 98/NT Vulnerability
Reference: URL:http://archives.neohapsis.com/archives/bugtraq/current/0137.html
Reference: BID:1051
Reference: URL:http://www.securityfocus.com/bid/1051
Votes:
ACCEPT(2) Levy, Ozancin
MODIFY(1) Frech
NOOP(5) Baker, Blake, Cole, LeBlanc, Wall
Voter Comments:
Frech> XF:mercur-login-dos
The following don't seem to be correct:
Reference:
URL:http://archives.neohapsis.com/archives/ntbugtraq/current/0206.html
Perhaps it is:
http://archives.neohapsis.com/archives/ntbugtraq/2000-q1/0206.html
Reference:
URL:http://archives.neohapsis.com/archives/bugtraq/current/0137.html
Perhaps it is:
http://archives.neohapsis.com/archives/bugtraq/2000-03/0137.html
Name: CVE-2000-0199
Description:
When a new SQL Server is registered in Enterprise Manager for
Microsoft SQL Server 7.0 and the "Always prompt for login name and
password" option is not set, then the Enterprise Manager uses weak
encryption to store the login ID and password.
Status: Candidate
Phase: Proposed (20000322)
Reference: ISS:20000314 Vulnerability in Microsoft SQL Server 7.0 Encryption Used to Store Administrative Login ID
Reference: BID:1055
Reference: URL:http://www.securityfocus.com/bid/1055
Votes:
ACCEPT(6) Baker, Blake, Cole, Levy, Ozancin, Wall
MODIFY(1) Frech
REVIEWING(2) Christey, LeBlanc
Voter Comments:
LeBlanc> I think this may just be user error - I'd like more information.
Frech> XF:mssql-weak-encryption
ISS:Vulnerability in Microsoft SQL Server 7.0 Encryption Used to Store
Administrative Login ID
URL:http://xforce.iss.net/alerts/advise45.php3
Christey> According to Scott Culp, this can only be reproduced if the
SQL server is running in an unsafe mode that is not
recommended by Microsoft: "To securely use SQL Server,
Microsoft recommends using Windows Integrated Security. In
Windows Integrated Security mode passwords are never stored,
as your Windows Domain sign-on is used as the security
identifier to the database server."
We still must consider approving this candidate, however, as a
user configuration error instead of a software flaw.
CD:DESIGN-WEAK-ENCRYPTION applies in this case, so if we
decide to include configuration problems in which a user
intentionally selects weak encryption, then we might still
approve this candidate.
Name: CVE-2000-0203
Description:
The Trend Micro OfficeScan client tmlisten.exe allows remote attackers
to cause a denial of service via malformed data to port 12345.
Status: Candidate
Phase: Proposed (20000322)
Reference: BUGTRAQ:20000228 Re: TrendMicro OfficeScan tmlisten.exe DoS
Reference: URL:http://www.securityfocus.com/templates/archive.pike?list=1&msg=412FC0AFD62ED31191B40008C7E9A11A0D481D@srvnt04.previnet.it
Reference: BUGTRAQ:20000315 Trend Micro release patch for "OfficeScan DoS & Message Replay" V ulnerabilies
Reference: URL:http://www.securityfocus.com/templates/archive.pike?list=1&msg=D129BBE1730AD2118A0300805FC1C2FE038AF28B@209-76-212-10.trendmicro.com
Reference: MISC:http://www.antivirus.com/download/ofce_patch_35.htm
Reference: BID:1013
Reference: URL:http://www.securityfocus.com/bid/1013
Votes:
ACCEPT(5) Armstrong, Baker, Blake, Levy, Wall
MODIFY(1) Frech
NOOP(3) Cole, LeBlanc, Ozancin
Voter Comments:
Frech> XF:trendmicro-tmlisten-dos
Name: CVE-2000-0204
Description:
The Trend Micro OfficeScan client allows remote attackers to cause a
denial of service by making 5 connections to port 12345, which raises
CPU utilization to 100%.
Status: Candidate
Phase: Proposed (20000322)
Reference: BUGTRAQ:20000226 DOS in Trendmicro OfficeScan
Reference: URL:http://archives.neohapsis.com/archives/bugtraq/2000-02/0340.html
Reference: BUGTRAQ:20000315 Trend Micro release patch for "OfficeScan DoS & Message Replay" V ulnerabilies
Reference: URL:http://www.securityfocus.com/templates/archive.pike?list=1&msg=D129BBE1730AD2118A0300805FC1C2FE038AF28B@209-76-212-10.trendmicro.com
Reference: MISC:http://www.antivirus.com/download/ofce_patch_35.htm
Reference: BID:1013
Reference: URL:http://www.securityfocus.com/bid/1013
Votes:
ACCEPT(6) Armstrong, Baker, Blake, Cole, Levy, Wall
MODIFY(1) Frech
NOOP(2) LeBlanc, Ozancin
Voter Comments:
Frech> XF:trendmicro-simultaneous-dos
Name: CVE-2000-0205
Description:
Trend Micro OfficeScan allows remote attackers to replay
administrative commands and modify the configuration of OfficeScan
clients.
Status: Candidate
Phase: Proposed (20000322)
Reference: BUGTRAQ:20000303 TrendMicro OfficeScan, numerous security holes, remote files modification.
Reference: URL:http://archives.neohapsis.com/archives/bugtraq/2000-03/0015.html
Reference: BUGTRAQ:20000315 Trend Micro release patch for "OfficeScan DoS & Message Replay" V ulnerabilies
Reference: URL:http://www.securityfocus.com/templates/archive.pike?list=1&msg=D129BBE1730AD2118A0300805FC1C2FE038AF28B@209-76-212-10.trendmicro.com
Reference: MISC:http://www.antivirus.com/download/ofce_patch_35.htm
Reference: BID:1013
Reference: URL:http://www.securityfocus.com/bid/1013
Votes:
ACCEPT(4) Baker, Blake, Cole, Levy
MODIFY(1) Frech
NOOP(3) LeBlanc, Ozancin, Wall
Voter Comments:
Frech> XF:trendmicro-admin-command(4041)
Name: CVE-2000-0213
Description:
The Sambar server includes batch files ECHO.BAT and HELLO.BAT in the
CGI directory, which allow remote attackers to execute commands via
shell metacharacters.
Status: Candidate
Phase: Proposed (20000322)
Reference: BUGTRAQ:20000223 Sambar Server alert!
Reference: URL:http://www.securityfocus.com/templates/archive.pike?list=1&msg=38B3E60A.6A84FEC3@cybcom.net
Reference: CONFIRM:http://www.sambar.com/session/highlight?url=/syshelp/history.htm&words=security+&color=red
Reference: XF:sambar-batfiles
Reference: BID:1002
Reference: URL:http://www.securityfocus.com/bid/1002
Votes:
ACCEPT(6) Armstrong, Baker, Blake, Cole, Frech, Levy
NOOP(3) LeBlanc, Ozancin, Wall
Name: CVE-2000-0214
Description:
FTP Explorer uses weak encryption for storing the username, password,
and profile of FTP sites.
Status: Candidate
Phase: Proposed (20000322)
Reference: BUGTRAQ:20000224 How the password could be recover using FTP Explorer's registry!
Reference: URL:http://www.securityfocus.com/templates/archive.pike?list=1&msg=Pine.LNX.4.10.10002242035500.30645-100000@unreal.sekure.org
Reference: BID:1003
Reference: URL:http://www.securityfocus.com/bid/1003
Votes:
ACCEPT(5) Armstrong, Baker, Cole, Levy, Ozancin
MODIFY(1) Frech
NOOP(3) Blake, LeBlanc, Wall
Voter Comments:
Frech> XF:ftp-explorer-weak-pwd(4038)
Name: CVE-2000-0216
Description:
Microsoft email clients in Outlook, Exchange, and Windows Messaging
automatically respond to Read Receipt and Delivery Receipt tags, which
could allow an attacker to flood a mail system with responses by
forging a Read Receipt request that is redirected to a large
distribution list.
Status: Candidate
Phase: Proposed (20000322)
Reference: NTBUGTRAQ:20000229 mailbombing DoS easily exploitable against mail systems using MS mail clients.
Reference: URL:http://archives.neohapsis.com/archives/ntbugtraq/2000-q1/0176.html
Votes:
ACCEPT(1) Cole
MODIFY(1) Frech
NOOP(2) Baker, Ozancin
REJECT(3) Blake, LeBlanc, Levy
REVIEWING(1) Wall
Voter Comments:
Blake> This is a configuration issue. Should the fact that NT can be configured
to accept a blank Admin password have a CVE entry?
LeBlanc> This is documented as bad practice - if you have a wide distribution
mailing list, you should only allow certain users to send mail to it.
I don't think we want to start listing all possible admin errors as
vulnerabilities.
Frech> XF:microsoft-mail-client-dos(4893)
Levy> I agree with all the above comments. Furthermore the delivery status
notification RFC makes it clear that mailing list software should
strip messages from DSN headers. I assume Microsoft's products are
using the DSN standard and not something else.
Name: CVE-2000-0219
Description:
Red Hat 6.0 allows local users to gain root access by booting single
user and hitting ^C at the password prompt.
Status: Candidate
Phase: Proposed (20000322)
Reference: BUGTRAQ:20000223 redhat 6.0: single user boot security hole
Reference: URL:http://www.securityfocus.com/templates/archive.pike?list=1&msg=200002230248.NAA19185@cairo.anu.edu.au
Reference: BID:1005
Reference: URL:http://www.securityfocus.com/bid/1005
Votes:
ACCEPT(4) Armstrong, Cole, Levy, Ozancin
MODIFY(1) Frech
NOOP(4) Baker, Blake, LeBlanc, Wall
REVIEWING(1) Christey
Voter Comments:
Ozancin> We need an additional CVE entry for other distributions that simply drop you
into a root shell in single user mode.
Christey> Based on Craig's comments, need to consider if this is an LOA
issue.
Frech> XF:redhat-single-user-auth(4026)
Name: CVE-2000-0220
Description:
ZoneAlarm sends sensitive system and network information in cleartext
to the Zone Labs server if a user requests more information about an
event.
Status: Candidate
Phase: Proposed (20000322)
Reference: BUGTRAQ:20000225 Zonealarm exports sensitive data
Votes:
ACCEPT(1) Armstrong
MODIFY(1) Frech
NOOP(5) Baker, Cole, LeBlanc, Ozancin, Wall
REJECT(1) Blake
REVIEWING(1) Levy
Voter Comments:
Blake> Discussion on Bugtraq shows that this is a really marginal issue. Very
tough to come up with a viable attack scenario. Also, it's part of how
this class of software works, not a flaw in the cited package. Might be
possible to recast this into something more generic....
Frech> XF:zonealarm-exposes-info
Name: CVE-2000-0227
Description:
The Linux 2.2.x kernel does not restrict the number of Unix domain
sockets as defined by the wmem_max paremeter, which allows local users
to cause a denial of service by requesting a large number of sockets.
Status: Candidate
Phase: Modified (20010910-01)
Reference: BUGTRAQ:20000323 Local Denial-of-Service attack against Linux
Reference: URL:http://archives.neohapsis.com/archives/bugtraq/2000-03/0254.html
Reference: BUGTRAQ:20000328 Re: Local Denial-of-Service attack against Linux
Reference: URL:http://marc.theaimsgroup.com/?l=bugtraq&m=95421263519558&w=2
Reference: BID:1072
Reference: URL:http://www.securityfocus.com/bid/1072
Reference: XF:linux-domain-socket-dos(4186)
Reference: URL:http://xforce.iss.net/static/4186.php
Votes:
ACCEPT(8) Armstrong, Baker, Blake, Cole, Collins, Frech, Levy, Ozancin
NOOP(3) Christey, Magdych, Wall
Voter Comments:
Christey> Fix typo: 'paremeter'
Magdych> I remember when this came up... seems like there were some wildly
mixed results for the exploit.
Christey> See http://marc.theaimsgroup.com/?l=bugtraq&m=95421263519558&w=2
for Elias' summary of the mixed results. It looks like
enough people were able to replicate it that we should
include it.
Christey> Fix typo: "paremeter"
CHANGE> [Magdych changed vote from REVIEWING to NOOP]
Name: CVE-2000-0239
Description:
Buffer overflow in the MERCUR WebView WebMail server allows remote
attackers to cause a denial of service via a long mail_user parameter
in the GET request.
Status: Candidate
Phase: Proposed (20000412)
Reference: BUGTRAQ:20000315 Local / Remote DoS Attack in MERCUR WebView WebMail-Client 1.0
Reference: URL:http://marc.theaimsgroup.com/?l=bugtraq&m=95325335825295&w=2
Reference: URL:http://www.ussrback.com/labs36.html
Reference: BID:1056
Reference: URL:http://www.securityfocus.com/bid/1056
Reference: XF:mercur-webview-get-dos
Votes:
ACCEPT(3) Baker, Frech, Levy
NOOP(2) Cole, Magdych
Voter Comments:
CHANGE> [Magdych changed vote from REVIEWING to NOOP]
Name: CVE-2000-0241
Description:
vqSoft vqServer stores sensitive information such as passwords in
cleartext in the server.cfg file, which allows attackers to gain
privileges.
Status: Candidate
Phase: Proposed (20000412)
Reference: BUGTRAQ:20000321 vqserver /........../
Reference: URL:http://www.securityfocus.com/templates/archive.pike?list=1&msg=4.1.20000321084646.0095c7f0@olga.swip.net
Reference: BID:1068
Reference: URL:http://www.securityfocus.com/bid/1068
Reference: XF:vqserver-passwd-plaintext
Votes:
ACCEPT(3) Baker, Frech, Levy
NOOP(2) Cole, Magdych
Voter Comments:
CHANGE> [Magdych changed vote from REVIEWING to NOOP]
Name: CVE-2000-0242
Description:
WindMail allows remote attackers to read arbitrary files or execute
commands via shell metacharacters.
Status: Candidate
Phase: Proposed (20000412)
Reference: BUGTRAQ:20000325 Windmail allow web user get any file
Reference: URL:http://www.securityfocus.com/templates/archive.pike?list=1&date=2000-03-22&msg=20000325224146.6839.qmail@securityfocus.com
Reference: XF:windmail-fileread
Reference: XF:windmail-pipe-command
Reference: BID:1073
Reference: URL:http://www.securityfocus.com/bid/1073
Votes:
ACCEPT(2) Cole, Levy
NOOP(1) Baker
RECAST(1) Frech
REJECT(2) Christey, Magdych
Voter Comments:
Frech> Violation of fundamentum divisionis (that is, it's more than one issue) and
a potential nitpick:
- windmail-fileread: allows remote attackers to read arbitrary files
- windmail-pipe-command: execute commands via shell metacharacters
- The conjunction 'or' should be 'and', if you decide to stick with one CAN.
Christey> As Andre basically said without naming content decisions,
CD:SF-LOC says this should be split.
HOWEVER - the author of the product says that WindMail isn't
supposed to be a CGI script, and says that the pipe
character problem is not related to Geocel. So should CVE
record when someone runs a program that wasn't intended to
be a CGI? There may be a level of abstraction issue here.
Note that Perl and shell interpreters in CGI-BIN are
already mentioned in CVE-1999-0509. If we want to include
"using a program that wasn't designed to be a CGI" as a
problem, we should have a separate candidate.
See the author's comments at:
http://www.securityfocus.com/templates/archive.pike?list=1&msg=3.0.5.32.20000331114325.013af680@mailhost.geocel.com
which also claims that the original announcer hasn't provided
any more details after the author was unable to reproduce the
problem.
CHANGE> [Magdych changed vote from REVIEWING to REJECT]
Magdych> After reviewing the author's comments, I'm inclined to think that this is more of a misconfiguration than a vulnerability.
Name: CVE-2000-0244
Description:
The Citrix ICA (Independent Computing Architecture) protocol uses weak
encryption (XOR) for user authentication.
Status: Candidate
Phase: Proposed (20000412)
Reference: BUGTRAQ:20000328 Citrix ICA Basic Encryption
Reference: URL:http://www.securityfocus.com/templates/archive.pike?list=1&msg=Pine.BSO.4.20.0003290949280.2640-100000@naughty.monkey.org
Reference: BID:1077
Reference: URL:http://www.securityfocus.com/bid/1077
Votes:
ACCEPT(2) Levy, Magdych
MODIFY(1) Frech
NOOP(2) Baker, Cole
Voter Comments:
Frech> XF:citrix-encryption
Name: CVE-2000-0248
Description:
The web GUI for the Linux Virtual Server (LVS) software in the Red Hat
Linux Piranha package has a backdoor password that allows remote
attackers to execute arbitrary commands.
Status: Candidate
Phase: Modified (20070924)
Reference: ISS:20000424 Backdoor Password in Red Hat Linux Virtual Server Package
Reference: URL:http://xforce.iss.net/alerts/advise46.php3
Reference: REDHAT:RHSA-2000:014-10
Votes:
ACCEPT(3) Baker, Cole, Levy
MODIFY(1) Frech
NOOP(2) Christey, Wall
REJECT(1) Cox
Voter Comments:
Christey> Typo fix: change "passowrd" to "password"
ADDREF BID:1148
ADDREF URL:http://www.securityfocus.com/bid/1148
Christey> ADDREF XF:piranha-default-password
Frech> XF:piranha-default-password
In description, passowrd should be password.
Cox> The "execute arbitrary commands" part is a seperate vulnerability,
already assigned CVE-2000-0322. The package was designed to have no
password on installation, so "backdoor" does not apply. When users
install Piranha they are expected to add a password to the web
administration GUI, it's a documented part of the procedure. "The web
GUI for the Linux Virtual Server (LVS) software in the Red Hat Linux
Piranha package installs with a default password" is accurate if it
qualifies as an exposure.
Christey> BUGTRAQ:20000425 piranha default password/exploit
URL:http://marc.theaimsgroup.com/?l=bugtraq&m=95668829621268&w=2
Default accounts/passwords need to be accounted for in CVE,
but the question is what level of abstraction to use - a
separate CVE for each password, or one CVE for all passwords,
or somewhere in the middle? That is the crux of CD:CF-PASS.
Name: CVE-2000-0250
Description:
The crypt function in QNX uses weak encryption, which allows local
users to decrypt passwords.
Status: Candidate
Phase: Proposed (20000426)
Reference: BUGTRAQ:20000414 qnx crypt comprimised
Reference: URL:http://archives.neohapsis.com/archives/bugtraq/2000-04/0072.html
Reference: BID:1114
Reference: URL:http://www.securityfocus.com/bid/1114
Votes:
ACCEPT(2) Baker, Levy
MODIFY(1) Frech
NOOP(2) Cole, Wall
Voter Comments:
Frech> XF:qnx-weak-encryption(4866)
Name: CVE-2000-0256
Description:
Buffer overflows in htimage.exe and Imagemap.exe in FrontPage 97 and
98 Server Extensions allow a user to conduct activities that are not
otherwise available through the web site, aka the "Server-Side Image
Map Components" vulnerability.
Status: Candidate
Phase: Modified (20070607)
Reference: BUGTRAQ:20070603 CERN İmage Map Dispatcher
Reference: URL:http://www.securityfocus.com/archive/1/archive/1/470458/100/0/threaded
Reference: MS:MS00-028
Reference: URL:http://www.microsoft.com/technet/security/bulletin/ms00-028.asp
Reference: BID:1117
Reference: URL:http://www.securityfocus.com/bid/1117
Reference: XF:frontpage-cern-bo(34720)
Reference: URL:http://xforce.iss.net/xforce/xfdb/34720
Votes:
ACCEPT(4) Baker, Cole, Levy, Wall
MODIFY(1) Frech
NOOP(1) Christey
Voter Comments:
Frech> XF:frontpage-ext-image-map
Christey> Possibly related to BUGTRAQ:20000418 More vulnerabilities in FP
http://archives.neohapsis.com/archives/bugtraq/2000-04/0116.html
Name: CVE-2000-0259
Description:
The default permissions for the Cryptography\Offload registry key used
by the OffloadModExpo in Windows NT 4.0 allows local users to obtain
compromise the cryptographic keys of other users.
Status: Candidate
Phase: Proposed (20000426)
Reference: MS:MS00-024
Reference: URL:http://www.microsoft.com/technet/security/bulletin/ms00-024.asp
Reference: BID:1105
Reference: URL:http://www.securityfocus.com/bid/1105
Votes:
ACCEPT(4) Baker, Cole, Levy, Wall
MODIFY(1) Frech
NOOP(1) Christey
Voter Comments:
Frech> XF:winnt-cryptkeys-compromise
Christey> Include "CryptoAPI" to facilitate search.
MSKB:Q259496
URL:http://www.microsoft.com/technet/support/kb.asp?ID=259496
Name: CVE-2000-0266
Description:
Internet Explorer 5.01 allows remote attackers to bypass the cross
frame security policy via a malicious applet that interacts with the
Java JSObject to modify the DOM properties to set the IFRAME to an
arbitrary Javascript URL.
Status: Candidate
Phase: Proposed (20000426)
Reference: BUGTRAQ:20000418 IE 5 security vulnerablity - circumventing Cross-frame security policy using Java/JavaScript (and disabling Active Scripting is not that easy)
Reference: URL:http://www.securityfocus.com/templates/archive.pike?list=1&msg=38FC6130.D6D178FD@nat.bg
Reference: BID:1121
Reference: URL:http://www.securityfocus.com/bid/1121
Votes:
ACCEPT(5) Baker, Cole, LeBlanc, Levy, Wall
MODIFY(1) Frech
REVIEWING(1) Christey
Voter Comments:
Frech> XF:ie-java-crossframe-security
Christey> May be a duplicate of CVE-2000-0465 according to my
communications with Microsoft people. CVE-2000-0028 may
also be a variant.
LeBlanc> MS00-039
Name: CVE-2000-0269
Description:
Emacs 20 does not properly set permissions for a slave PTY device when
starting a new subprocess, which allows local users to read or modify
communications between Emacs and the subprocess.
Status: Candidate
Phase: Proposed (20000426)
Reference: BUGTRAQ:20000418 RUS-CERT Advisory 200004-01: GNU Emacs 20
Reference: URL:http://www.securityfocus.com/templates/archive.pike?list=1&date=2000-04-15&msg=tg4s8zioxq.fsf@mercury.rus.uni-stuttgart.de
Reference: BID:1125
Reference: URL:http://www.securityfocus.com/bid/1125
Votes:
ACCEPT(2) Baker, Levy
MODIFY(1) Frech
NOOP(3) Christey, Cole, Wall
Voter Comments:
Christey> ADDREF XF:emacs-local-eavesdrop
Verify BID for this - is it 1125, 1126, or 1127?
Also, ADDREF CALDERA:CSSA-2000-011.1 ??
URL:ftp://ftp.calderasystems.com/pub/OpenLinux/security/CSSA-2000-011.1.txt
Frech> XF:emacs-local-eavesdrop
Christey> ADDREF MANDRAKE:MDKSA-2000:088 ?
Also http://www.securityfocus.com/bid/2164, but is that a
duplicate of BID:1125?
Name: CVE-2000-0270
Description:
The make-temp-name Lisp function in Emacs 20 creates temporary files
with predictable names, which allows attackers to conduct a symlink
attack.
Status: Candidate
Phase: Proposed (20000426)
Reference: BUGTRAQ:20000418 RUS-CERT Advisory 200004-01: GNU Emacs 20
Reference: URL:http://www.securityfocus.com/templates/archive.pike?list=1&date=2000-04-15&msg=tg4s8zioxq.fsf@mercury.rus.uni-stuttgart.de
Reference: BID:1125
Reference: URL:http://www.securityfocus.com/bid/1126
Votes:
ACCEPT(1) Baker
MODIFY(2) Frech, Levy
NOOP(3) Christey, Cole, Wall
Voter Comments:
Christey> ADDREF XF:emacs-tempfile-creation
Verify BID for this - is it 1125, 1126, or 1127?
Also, ADDREF CALDERA:CSSA-2000-011.1 ??
URL:ftp://ftp.calderasystems.com/pub/OpenLinux/security/CSSA-2000-011.1.txt
Frech> XF:emacs-tempfile-creation
Levy> Change BID reference to BID 1126
Name: CVE-2000-0271
Description:
read-passwd and other Lisp functions in Emacs 20 do not properly clear
the history of recently typed keys, which allows an attacker to read
unencrypted passwords.
Status: Candidate
Phase: Proposed (20000426)
Reference: BUGTRAQ:20000418 RUS-CERT Advisory 200004-01: GNU Emacs 20
Reference: URL:http://www.securityfocus.com/templates/archive.pike?list=1&date=2000-04-15&msg=tg4s8zioxq.fsf@mercury.rus.uni-stuttgart.de
Reference: BID:1125
Reference: URL:http://www.securityfocus.com/bid/1125
Votes:
ACCEPT(1) Baker
MODIFY(2) Frech, Levy
NOOP(3) Christey, Cole, Wall
Voter Comments:
Christey> Verify BID for this - is it 1125, 1126, or 1127?
Also, ADDREF CALDERA:CSSA-2000-011.1 ??
URL:ftp://ftp.calderasystems.com/pub/OpenLinux/security/CSSA-2000-011.1.txt
ADDREF XF:emacs-password-history
Frech> XF:emacs-password-history
Levy> Change BID reference to BID 1127
Name: CVE-2000-0275
Description:
CRYPTOCard CryptoAdmin for PalmOS uses weak encryption to store a
user's PIN number, which allows an attacker with access to the .PDB
file to generate valid PT-1 tokens after cracking the PIN.
Status: Candidate
Phase: Proposed (20000426)
Reference: L0PHT:20000410 CRYPTOCard PalmToken PIN Extraction
Reference: URL:http://www.l0pht.com/advisories/cc-pinextract.txt
Reference: BUGTRAQ:20000410 CRYPTOAdmin 4.1 server with PalmPilot PT-1 token 1.04 PIN Extract ion
Reference: URL:http://archives.neohapsis.com/archives/bugtraq/2000-04/0033.html
Reference: BID:1097
Reference: URL:http://www.securityfocus.com/bid/1097
Votes:
ACCEPT(3) Baker, Cole, Levy
MODIFY(1) Frech
NOOP(1) Wall
Voter Comments:
Frech> XF:cryptoadmin-weak-encryption
Name: CVE-2000-0280
Description:
Buffer overflow in the RealNetworks RealPlayer client versions 6 and 7
allows remote attackers to cause a denial of service via a long
Location URL.
Status: Candidate
Phase: Proposed (20000426)
Reference: BUGTRAQ:20000403 Win32 RealPlayer 6/7 Buffer Overflow
Reference: URL:http://archives.neohapsis.com/archives/bugtraq/2000-04/0018.html
Reference: BID:1088
Reference: URL:http://www.securityfocus.com/bid/1088
Votes:
ACCEPT(3) Cole, Levy, Wall
MODIFY(1) Frech
NOOP(1) Baker
Voter Comments:
Frech> XF:realserver-ramgen-dos
Name: CVE-2000-0281
Description:
Buffer overflow in the Napster client beta 5 allows remote attackers
to cause a denial of service via a long message.
Status: Candidate
Phase: Proposed (20000426)
Reference: BUGTRAQ:20000326 neat little napster bug
Reference: URL:http://archives.neohapsis.com/archives/bugtraq/2000-03/0277.html
Reference: BUGTRAQ:20000330 Napster, Inc. response to Colten Edwards
Reference: URL:http://archives.neohapsis.com/archives/bugtraq/2000-03/0299.html
Votes:
NOOP(2) Cole, Wall
REJECT(3) Baker, Frech, Levy
Voter Comments:
Frech> Does not meet CVE candidate requirements. The problem was remedied on the
server end, and no fault exists at the client. Based on
http://archives.neohapsis.com/archives/bugtraq/2000-03/0299.html:
Approximately one hour after receiving the post from BugTraq,
Napster's servers were patched to prevent this from occurring.
Users of the Napster Win32 client software are NOT vulnerable.
Baker> Agree with Andre
Name: CVE-2000-0284
Description:
Buffer overflow in University of Washington imapd version 4.7 allows
users with a valid account to execute commands via LIST or other
commands.
Status: Candidate
Phase: Proposed (20000426)
Reference: BUGTRAQ:20000416 imapd4r1 v12.264
Reference: URL:http://archives.neohapsis.com/archives/bugtraq/2000-04/0074.html
Reference: URL:http://archives.neohapsis.com/archives/bugtraq/2000-04/0085.html
Reference: BID:1110
Reference: URL:http://www.securityfocus.com/bid/1110
Votes:
ACCEPT(3) Baker, Cole, Levy
MODIFY(1) Frech
NOOP(2) Christey, Wall
Voter Comments:
Christey> ADDREF FREEBSD:FreeBSD-SA-00:14
URL:http://www.securityfocus.com/templates/advisory.html?id=2179
Frech> XF:imap-mailserver-bo
Name: CVE-2000-0286
Description:
X fontserver xfs allows local users to cause a denial of service via
malformed input to the server.
Status: Candidate
Phase: Proposed (20000426)
Reference: BUGTRAQ:20000416 xfs
Reference: URL:http://archives.neohapsis.com/archives/bugtraq/2000-04/0079.html
Reference: BID:1111
Reference: URL:http://www.securityfocus.com/bid/1111
Votes:
MODIFY(1) Frech
NOOP(3) Baker, Cole, Wall
REJECT(2) Christey, Levy
Voter Comments:
Frech> XF:redhat-fontserver-dos
POTENTIAL DUPE: CVE-2000-0263: The X font server xfs in Red Hat Linux 6.x
allows an attacker to cause a denial of service via a malformed request.
Christey> As Andre observed, this is a duplicate of CVE-2000-0263.
Name: CVE-2000-0288
Description:
Infonautics getdoc.cgi allows remote attackers to bypass the payment
phase for accessing documents via a modified form variable.
Status: Candidate
Phase: Proposed (20000426)
Reference: BUGTRAQ:20000412 Infonautic's getdoc.cgi may allow unauthorized access to documents
Reference: URL:http://archives.neohapsis.com/archives/bugtraq/2000-04/0049.html
Votes:
MODIFY(1) Frech
NOOP(2) Cole, Wall
REJECT(1) Baker
REVIEWING(2) Christey, Levy
Voter Comments:
Frech> XF:http-cgi-infonautics-getdoc
Christey> CD:EX-ONLINE-SVC applies here. This may be a vulnerability in
an online service (the search engines used by Infonautics)
which poses no risk to anyone but the company itself.
Name: CVE-2000-0291
Description:
Buffer overflow in Star Office 5.1 allows attackers to cause a denial
of service by embedding a long URL within a document.
Status: Candidate
Phase: Proposed (20000426)
Reference: BUGTRAQ:20000416 StarOffice 5.1
Reference: URL:http://archives.neohapsis.com/archives/bugtraq/2000-04/0077.html
Reference: BID:1112
Reference: URL:http://www.securityfocus.com/bid/1112
Votes:
ACCEPT(2) Dik, Levy
MODIFY(1) Frech
NOOP(3) Baker, Cole, Wall
Voter Comments:
Frech> XF:staroffice-long-url-bo
Name: CVE-2000-0293
Description:
aaa_base in SuSE Linux 6.3, and cron.daily in earlier versions, allow
local users to delete arbitrary files by creating files whose names
include spaces, which are then incorrectly interpreted by aaa_base
when it deletes expired files from the /tmp directory.
Status: Candidate
Phase: Proposed (20000426)
Reference: BUGTRAQ:20000421 local user can delete arbitrary files on SuSE-Linux
Reference: BID:1130
Reference: URL:http://www.securityfocus.com/bid/1130
Votes:
ACCEPT(3) Baker, Cole, Levy
MODIFY(1) Frech
NOOP(2) Christey, Wall
Voter Comments:
Christey> ADDREF SUSE:20000502 aaabase < 2000.5.2
URL: http://www.suse.de/de/support/security/suse_security_announce_47.txt
This advisory references another problem that is listed in
CVE-2000-0433.
Frech> XF:aaabase-file-deletion
Name: CVE-2000-0295
Description:
Buffer overflow in LCDproc allows remote attackers to gain root
privileges via the screen_add command.
Status: Candidate
Phase: Modified (20071220)
Reference: BUGTRAQ:20000420 Remote vulnerability in LCDproc 0.4
Reference: URL:http://www.securityfocus.com/templates/archive.pike?list=1&msg=Pine.LNX.3.96.1000421010946.15318I-200000@schizo.strange.net
Reference: GENTOO:GLSA-200301-07
Reference: URL:http://www.securityfocus.com/archive/1/archive/1/305589/30/26390/threaded
Reference: BID:1131
Reference: URL:http://www.securityfocus.com/bid/1131
Reference: SECUNIA:7829
Reference: URL:http://secunia.com/advisories/7829
Reference: XF:lcdproc-remote-overflow(4315)
Reference: URL:http://xforce.iss.net/xforce/xfdb/4315
Votes:
ACCEPT(2) Baker, Levy
MODIFY(1) Frech
NOOP(2) Cole, Wall
Voter Comments:
Frech> XF:lcdproc-remote-overflow
Name: CVE-2000-0299
Description:
Buffer overflow in WebObjects.exe in the WebObjects Developer 4.5
package allows remote attackers to cause a denial of service via an
HTTP request with long headers such as Accept.
Status: Candidate
Phase: Proposed (20000426)
Reference: BUGTRAQ:20000404 WebObjects DoS
Reference: URL:http://archives.neohapsis.com/archives/bugtraq/2000-04/0020.html
Votes:
ACCEPT(1) Baker
MODIFY(1) Frech
NOOP(4) Christey, Cole, Wall, Williams
REVIEWING(1) Levy
Voter Comments:
Christey> ADDREF XF:webobjects-post-dos
Frech> XF:webobjects-post-dos
Christey> See http://til.info.apple.com/techinfo.nsf/artnum/n75087
Document says:
"A request with a large, malformed http header can crash a WOApp"
(Apple reference #2470254) appears to be the acknowledgement needed.
Is this sufficient acknowledgement? This is dated AUgust 24,
but the initial disclosure occurred on April 4.
Christey> BID:1896
Name: CVE-2000-0300
Description:
The default encryption method of PcAnywhere 9.x uses weak encryption,
which allows remote attackers to sniff and decrypt PcAnywhere or NT
domain accounts.
Status: Candidate
Phase: Proposed (20000426)
Reference: BUGTRAQ:20000405 PcAnywhere weak password encryption
Reference: URL:http://www.securityfocus.com/templates/archive.pike?list=1&msg=20000406030958.23902.qmail@securityfocus.com
Reference: BID:1093
Reference: URL:http://www.securityfocus.com/bid/1093
Votes:
ACCEPT(4) Baker, Cole, Levy, Prosser
MODIFY(1) Frech
REVIEWING(1) Wall
Voter Comments:
Frech> XF:pcanywhere-weak-encryption
Prosser> http://service2.symantec.com/SUPPORT/pca.nsf/pfdocs/1999022312571812
Upgraded in pcA 10
Name: CVE-2000-0312
Description:
cron in OpenBSD 2.5 allows local users to gain root privileges via an
argv[] that is not NULL terminated, which is passed to cron's fake
popen function.
Status: Candidate
Phase: Proposed (20010214)
Reference: OPENBSD:19990830 In cron(8), make sure argv[] is NULL terminated in the fake popen() and run sendmail as the user, not as root.
Reference: URL:http://www.openbsd.org/errata25.html#cron
Votes:
ACCEPT(3) Baker, Cole, Collins
MODIFY(1) Frech
REVIEWING(1) Christey
Voter Comments:
Frech> XF:cron-sendmail-root(3335)
Seems like this issue is not just OpenBSD, and is described
differently by other vendors:
SuSE Security Announcement #15 Security hole in cron
http://www.suse.de/de/support/security/suse_security_announce_15.txt
Red Hat, Inc. Security Advisory RHSA-1999:030-02 Buffer overflow in
cron daemon
http://www.redhat.com/support/errata/rh52-errata-general.html#vixie-cron
Caldera Systems, Inc. Security Advisory CSSA-1999-023.0 serious security
problem in cron
http://www.calderasystems.com/support/security/advisories/CSSA-1999-023.0.tx
t
All are dated on or around 1999-08-27 to 1999-08-30.
Also, may overlap with CVE-1999-0769: Vixie Cron on Linux systems allows
local users to set parameters of sendmail commands via the MAILTO
environmental variable.
Christey> See Andre's comments, but I believe this is different than
CVE-1999-0769. Also consider CVE-1999-0768 and CVE-1999-0872
(Vixie Cron buffer overflow via MAILTO),
Name: CVE-2000-0317
Description:
Buffer overflow in Solaris 7 lpset allows local users to gain root
privileges via a long -r option.
Status: Candidate
Phase: Proposed (20000518)
Reference: BUGTRAQ:20000424 Solaris 7 x86 lpset exploit.
Reference: URL:http://archives.neohapsis.com/archives/bugtraq/2000-04/0192.html
Reference: URL:http://archives.neohapsis.com/archives/bugtraq/2000-04/0236.html
Reference: BUGTRAQ:20000427 Re: Solaris/SPARC 2.7 lpset exploit (well not likely !)
Reference: URL:http://marc.theaimsgroup.com/?l=bugtraq&m=95729763119559&w=2
Reference: SUNBUG:4334568
Reference: BID:1138
Reference: URL:http://www.securityfocus.com/bid/1138
Votes:
ACCEPT(3) Baker, Cole, Levy
MODIFY(1) Frech
NOOP(3) Christey, LeBlanc, Wall
RECAST(1) Dik
Voter Comments:
Dik> there's a lot of confusion in this one.
These point to buffer overflows:
Reference: BUGTRAQ:20000424 Solaris 7 x86 lpset exploit.
Reference: URL:http://archives.neohapsis.com/archives/bugtraq/2000-04/0192.html
Reference: URL:http://archives.neohapsis.com/archives/bugtraq/2000-04/0236.html
But these point to dlopen() in libprint that doesnt' check pathnames:
Reference: BUGTRAQ:20000427 Re: Solaris/SPARC 2.7 lpset exploit (well not likely !)
Reference: URL:http://marc.theaimsgroup.com/?l=bugtraq&m=95729763119559&w=2
Reference: SUNBUG:4334568
And this is a bufferoverflow again:
Reference: BID:1138
Reference: URL:http://www.securityfocus.com/bid/1138
Frech> XF:solaris-lpset-bo
Christey> ADDREF SUN:00195? Need to check with Casper.
Name: CVE-2000-0321
Description:
Buffer overflow in IC Radius package allows a remote attacker to cause
a denial of service via a long user name.
Status: Candidate
Phase: Proposed (20000518)
Reference: BUGTRAQ:20000424 Buffer Overflow in version .14
Reference: URL:http://archives.neohapsis.com/archives/bugtraq/2000-04/0190.html
Reference: BID:1147
Reference: URL:http://www.securityfocus.com/bid/1147
Votes:
ACCEPT(1) Levy
MODIFY(1) Frech
NOOP(4) Baker, Cole, LeBlanc, Wall
REJECT(1) Christey
Voter Comments:
Frech> XF:icradius-username-bo
Every reference I pull up shows the product's name as ICRADIUS. See
http://mysql.eunet.fi/Downloads/Contrib/icradius.README
Christey> In a followup, Alan DeKok (aland@FREERADIUS.ORG) says that
this could occur in other RADIUS servers also; however, the
bug could only be exploited if someone has altered the
configuration file, which shouldn't normally be modifiable
by anyone else.
So, this should be REJECTed since the bug doesn't directly give
anyone else any additional privileges or access.
Christey> Alan DeKok <aland@FREERADIUS.ORG> says it applies to other RADIUS
programs also, *however* since it needs a valid username, only
the RADIUS owner can exploit it by changing the config file. But
if the config file can be written by others - well, that's still
a potential risk, but you've probably got bigger problems then.
- http://marc.theaimsgroup.com/?l=bugtraq&m=95671883515060&w=2
Look at ChangeLog at ftp://ftp.cheapnet.net/pub/icradius/ChangeLog
Possible confirmation in 0.15: "sql_getvpdata now dynamically
allocates buffer sizes for sql queries to avoid over runs"
But that's a bit general.
Alan Kok said that Cistron and other RADIUS servers were affected; the
ICRADIUS changelog says to check the Cistron logs for other possible
bug fixes, since ICRADIUS uses Cistron codebase. Go back to
freeradius.org and find link to Cistron at
http://www.miquels.cistron.nl/radius/
Cistron changelog at http://www.miquels.cistron.nl/radius/ChangeLog It
has different version numbers - go back to ICRADIUS changelog to find
rought equivalents. ICRADIUS 0.15 uses Cistron 1.6.3 patches, so
start from there.
No apparent problems in 1.6.3 or 1.6.4, but 1.6.1 says: "Fix all
strcpy(), strcat(), sprintf() and sccanf() calls for buffer
overflows." So perhaps the problem was fixed then? Or maybe the
vulnerable sscanf() call was missed and/or disregarded because it was
believed that the hostname could be trusted since it came from a
well-controlled configuration file?
Name: CVE-2000-0325
Description:
The Microsoft Jet database engine allows an attacker to execute
commands via a database query, aka the "VBA Shell" vulnerability.
Status: Candidate
Phase: Modified (20020222-01)
Reference: MS:MS99-030
Reference: URL:http://www.microsoft.com/technet/security/bulletin/ms99-030.asp
Reference: XF:jet-vba-shell(3155)
Reference: URL:http://xforce.iss.net/static/3155.php
Reference: BID:548
Reference: URL:http://www.securityfocus.com/bid/548
Votes:
ACCEPT(5) Armstrong, Baker, Cole, Prosser, Wall
MODIFY(1) Frech
REJECT(1) LeBlanc
REVIEWING(1) Christey
Voter Comments:
LeBlanc> - same as CVE-1999-1011
If I'm misunderstanding something here, please correct me. In fact, it has
the same bulletin as a reference.
Frech> XF:jet-vba-shell
Prosser> This entry is not the same as "now" CVE-1999-1011. That entry is "The Remote Data Service (RDS) DataFactory component of Microsoft Data Access Components (MDAC) in IIS 3.x and 4.x exposes unsafe methods, which allows remote attackers to execute arbitrary commands." This one should be correct.
Christey> BUGTRAQ:19990525 Advisory: NT ODBC Remote Compromise
http://marc.theaimsgroup.com/?l=bugtraq&m=92765973107637&w=2
NTBUGTRAQ:19990526 Advisory: NT ODBC Remote Compromise
http://marc.theaimsgroup.com/?l=ntbugtraq&m=92781907215748&w=2
Christey> The Microsoft advisory itself describes two separate
vulnerabilities, calling the TEXT I-ISAM problem
(CVE-2000-0323) a variant of the VBA Shell problem (this
CAN). In addition, CVE-2000-0323 does *not* appear in Jet
4.0, while this one does. Since one problem appears in a
different version than the other, CD:SF-LOC suggests keeping
these candidates SPLIT.
BID:548
http://www.securityfocus.com/bid/548
CHANGE> [Christey changed vote from NOOP to REVIEWING]
Christey> Need to clarify whether the Bugtraq/NTBugtraq posts are
really describing the same issue (those are BID:286).
Name: CVE-2000-0326
Description:
Meeting Maker uses weak encryption (a polyalphabetic substitution
cipher) for passwords, which allows remote attackers to sniff and
decrypt passwords for Meeting Maker accounts.
Status: Candidate
Phase: Proposed (20000518)
Reference: BID:1151
Reference: URL:http://www.securityfocus.com/bid/1151
Reference: CONFIRM:http://support.on.com/support/mmxp.nsf/31af51e08bcc93eb852565a90056138b/11af70407a16b165852568c50056a952?OpenDocument
Votes:
ACCEPT(2) Baker, Levy
MODIFY(1) Frech
NOOP(4) Christey, Cole, LeBlanc, Wall
Voter Comments:
Frech> XF:meetingmaker-weak-encryption
Christey> Add original Bugtraq reference at:
http://archives.neohapsis.com/archives/bugtraq/2000-04/0223.html
Also ADDREF XF:meetingmaker-weak-encryption
Name: CVE-2000-0333
Description:
tcpdump, Ethereal, and other sniffer packages allow remote attackers
to cause a denial of service via malformed DNS packets in which a jump
offset refers to itself, which causes tcpdump to enter an infinite
loop while decompressing the packet.
Status: Candidate
Phase: Proposed (20000518)
Reference: BUGTRAQ:20000502 Denial of service attack against tcpdump
Reference: URL:http://www.securityfocus.com/templates/archive.pike?list=1&msg=Pine.SOL.4.10.10005021942380.2077-100000@paranoia.pgci.ca
Reference: BID:1165
Reference: URL:http://www.securityfocus.com/bid/1165
Votes:
ACCEPT(3) Armstrong, Baker, Levy
MODIFY(1) Frech
NOOP(2) Cole, Wall
Voter Comments:
Frech> XF:sniffer-dns-decode-dos
Name: CVE-2000-0343
Description:
Buffer overflow in Sniffit 0.3.x with the -L logging option enabled
allows remote attackers to execute arbitrary commands via a long MAIL
FROM mail header.
Status: Candidate
Phase: Proposed (20000518)
Reference: BUGTRAQ:20000502 spj-003-000 - S0ftPj Advisory
Reference: URL:http://www.securityfocus.com/templates/archive.pike?list=1&msg=200005021736.TAA01991@ALuSSi
Reference: BID:1158
Reference: URL:http://www.securityfocus.com/bid/1158
Votes:
ACCEPT(2) Cole, Levy
MODIFY(2) Christey, Frech
NOOP(2) Armstrong, Wall
Voter Comments:
Frech> XF:sniffit-lmail-bo
Christey> This issue was rediscovered.
ADDREF BUGTRAQ:20020119 remote buffer overflow in sniffit
URL:http://marc.theaimsgroup.com/?l=bugtraq&m=101167452712383&w=2
ADDREF BUGTRAQ:20000525 `sniffit -L mail' vulnerabilities
URL:http://marc.theaimsgroup.com/?l=bugtraq&m=95928090612990&w=2
I reviewed the patch that was claimed in the 20020119 Bugtraq
post, and it could well address the issue. However, since the
patch is also dated around the time of the original Bugtraq
post, *and* it says that it's addressing an issue that's
discussed on Bugtraq, that is sufficient to establish
acknowledgement.
CHANGE> [Christey changed vote from NOOP to MODIFY]
Christey> XF:sniffit-normmail-l-bo(7933)
URL:http://www.iss.net/security_center/static/7933.php
Name: CVE-2000-0345
Description:
The on-line help system options in Cisco routers allows non-privileged
users without "enabled" access to obtain sensitive information via
the show command.
Status: Candidate
Phase: Proposed (20000518)
Reference: BUGTRAQ:20000502 Possible issue with Cisco on-line help?
Reference: URL:http://www.securityfocus.com/templates/archive.pike?list=1&msg=20000502222246.28423.qmail@securityfocus.com
Reference: BID:1161
Reference: URL:http://www.securityfocus.com/bid/1161
Votes:
ACCEPT(1) Prosser
MODIFY(1) Frech
NOOP(5) Armstrong, Baker, Cole, Levy, Wall
REJECT(1) Balinsky
Voter Comments:
Levy> Arguably this is not a vulnerability. Cisco replying saying this
is standard behaviour that was simply not well documented. They have
no plans to change it and will simply document it better.
Frech> XF:cisco-online-help
Balinsky> As noted in a bugtraq posting by Lisa Napier from Cisco's Product Security Incident Response Team, this is a poorly documented feature. This is intended behavior, and does not represent a vulnerability in Cisco's opinion.
http://www.securityfocus.com/frames/?content=/templates/archive.pike?list=1&mid=59434
Prosser> Although Lisa Napier did say this issue was "functioning as designed", it was not intended to allow unprivileged access. Lisa did indicate that Cisco would be updating instructions on configuration to ensure proper user privileges. So, this should be considered IMHO an "exposure" vice a vulnerability, but security-related none the less.
http://www.securityfocus.com/frames/?content=/templates/archive.pike%3Flist%3D1%26msg%3D20000502222246.28423.qmail@securityfocus.com
http://www.securityfocus.com/bid/1161
Name: CVE-2000-0355
Description:
pg and pb in SuSE pbpg 1.x package allows an attacker to read
arbitrary files.
Status: Candidate
Phase: Proposed (20000524)
Reference: SUSE:19990920 Security hole in pbpg
Reference: URL:http://www.novell.com/linux/security/advisories/suse_security_announce_21.html
Reference: XF:linux-pb-fileread
Reference: XF:linux-pg-fileread
Votes:
ACCEPT(3) Baker, Frech, Levy
NOOP(1) Christey
Voter Comments:
Christey> ADDREF BID:1271
Christey> ADDREF BID:1271
URL:http://www.securityfocus.com/bid/1271
Name: CVE-2000-0357
Description:
ORBit and esound in Red Hat Linux 6.1 do not use sufficiently random
numbers, which allows local users to guess the authentication keys.
Status: Candidate
Phase: Proposed (20000524)
Reference: REDHAT:RHSA-1999:058-01
Reference: URL:http://www.redhat.com/corp/support/errata/RHSA1999058-01.html
Votes:
ACCEPT(2) Baker, Levy
MODIFY(1) Frech
NOOP(1) Christey
Voter Comments:
Christey> ADDREF BID:1275
Christey> ADDREF BID:1275
URL:http://www.securityfocus.com/bid/1275
Frech> XF:linux-orbit-esound-authentication-keys
Name: CVE-2000-0358
Description:
ORBit and gnome-session in Red Hat Linux 6.1 allows remote attackers
to crash a program.
Status: Candidate
Phase: Proposed (20000524)
Reference: REDHAT:RHSA-1999:058-01
Reference: URL:http://www.redhat.com/corp/support/errata/RHSA1999058-01.html
Votes:
ACCEPT(2) Baker, Levy
MODIFY(1) Frech
NOOP(1) Christey
Voter Comments:
Christey> ADDREF BID:1283
Christey> ADDREF BID:1283
URL:http://www.securityfocus.com/bid/1283
Frech> XF:linux-orbit-gnome-session-dos
Name: CVE-2000-0364
Description:
screen and rxvt in Red Hat Linux 6.0 do not properly set the modes of
tty devices, which allows local users to write to other ttys.
Status: Candidate
Phase: Proposed (20000524)
Reference: BUGTRAQ:19990606 RedHat 6.0, /dev/pts permissions bug when using xterm
Reference: URL:http://marc.theaimsgroup.com/?l=bugtraq&m=92877527701347&w=2
Reference: URL:http://marc.theaimsgroup.com/?l=bugtraq&m=92886009012161&w=2
Reference: REDHAT:RHSA1999014_01
Reference: URL:http://www.redhat.com/corp/support/errata/RHSA1999014_01.html
Reference: BID:309
Reference: URL:http://www.securityfocus.com/bid/309
Votes:
ACCEPT(2) Baker, Levy
MODIFY(1) Frech
NOOP(1) Christey
Voter Comments:
Frech> XF:linux-tty-improper-mode
Christey> BUGTRAQ:19990607 Re: RedHat 6.0, /dev/pts permissions bug when using xterm
http://marc.theaimsgroup.com/?l=bugtraq&m=92886008912147&w=2
BUGTRAQ:19990607 Re: Red Hat 6.0, /dev/pts permissions bug when using xterm
URL:http://marc.theaimsgroup.com/?l=bugtraq&m=92886358415964&w=2
Name: CVE-2000-0365
Description:
Red Hat Linux 6.0 installs the /dev/pts file system with insecure
modes, which allows local users to write to other tty devices.
Status: Candidate
Phase: Proposed (20000524)
Reference: BUGTRAQ:19990606 RedHat 6.0, /dev/pts permissions bug when using xterm
Reference: URL:http://marc.theaimsgroup.com/?l=bugtraq&m=92877527701347&w=2
Reference: URL:http://marc.theaimsgroup.com/?l=bugtraq&m=92886009012161&w=2
Reference: REDHAT:RHSA1999014_01
Reference: URL:http://www.redhat.com/corp/support/errata/RHSA1999014_01.html
Reference: BID:308
Reference: URL:http://www.securityfocus.com/bid/308
Votes:
ACCEPT(2) Baker, Levy
MODIFY(1) Frech
NOOP(1) Christey
Voter Comments:
Frech> XF:linux-dev-insecure-mode
Christey> BUGTRAQ:19990607 Re: RedHat 6.0, /dev/pts permissions bug when using xterm
http://marc.theaimsgroup.com/?l=bugtraq&m=92886008912147&w=2
BUGTRAQ:19990607 Re: Red Hat 6.0, /dev/pts permissions bug when using xterm
URL:http://marc.theaimsgroup.com/?l=bugtraq&m=92886358415964&w=2
Name: CVE-2000-0383
Description:
The file transfer component of AOL Instant Messenger (AIM) reveals the
physical path of the transferred file to the remote recipient.
Status: Candidate
Phase: Modified (20000706-01)
Reference: BUGTRAQ:20000507 AOL Instant Messenger
Reference: URL:http://www.securityfocus.com/templates/archive.pike?list=1&msg=002401bfb918$7310d5a0$1ef084ce@karemor.com
Reference: XF:aolim-file-path
Reference: BID:1180
Reference: URL:http://www.securityfocus.com/bid/1180
Votes:
ACCEPT(5) Cole, Frech, Levy, Ozancin, Stracener
NOOP(3) Baker, Christey, Prosser
Voter Comments:
Christey> Normalize the Bugtraq reference!
Name: CVE-2000-0384
Description:
NetStructure 7110 and 7180 have undocumented accounts (servnow, root,
and wizard) whose passwords are easily guessable from the
NetStructure's MAC address, which could allow remote attackers to gain
root access.
Status: Candidate
Phase: Proposed (20000615)
Reference: L0PHT:20000508 NetStructure 7180 remote backdoor vulnerability
Reference: URL:http://www.lopht.com/advisories/ipivot7110.html
Reference: L0PHT:20000508 NetStructure 7110 console backdoor
Reference: URL:http://www.l0pht.com/advisories/ipivot7180.html
Reference: CONFIRM:http://216.188.41.136/
Reference: XF:netstructure-root-compromise
Reference: XF:netstructure-wizard-mode
Reference: BID:1182
Reference: URL:http://www.securityfocus.com/bid/1182
Reference: BID:1183
Reference: URL:http://www.securityfocus.com/bid/1183
Votes:
ACCEPT(6) Baker, Frech, Levy, Ozancin, Prosser, Stracener
NOOP(1) Cole
Name: CVE-2000-0385
Description:
FileMaker Pro 5 Web Companion allows remote attackers to bypass
Field-Level database security restrictions via the XML publishing
or email capabilities.
Status: Candidate
Phase: Proposed (20000615)
Reference: MISC:http://www.blueworld.com/blueworld/news/05.01.00-FM5_Security.html
Reference: CONFIRM:http://www.filemaker.com/support/webcompanion.html
Reference: XF:macos-filemaker-xml
Reference: XF:macos-filemaker-email
Votes:
ACCEPT(5) Baker, Frech, Ozancin, Prosser, Stracener
MODIFY(1) Levy
NOOP(1) Cole
Voter Comments:
Levy> Reference: BID 1159
Name: CVE-2000-0386
Description:
FileMaker Pro 5 Web Companion allows remote attackers to send
anonymous or forged email.
Status: Candidate
Phase: Proposed (20000615)
Reference: MISC:http://www.blueworld.com/blueworld/news/05.01.00-FM5_Security.html
Reference: CONFIRM:http://www.filemaker.com/support/webcompanion.html
Reference: XF:macos-filemaker-anonymous-email
Votes:
ACCEPT(5) Baker, Frech, Ozancin, Prosser, Stracener
MODIFY(1) Levy
NOOP(1) Cole
Voter Comments:
Levy> Reference: BID 1159
Name: CVE-2000-0400
Description:
The Microsoft Active Movie ActiveX Control in Internet Explorer 5 does
not restrict which file types can be downloaded, which allows an
attacker to download any type of file to a user's system by encoding
it within an email message or news post.
Status: Candidate
Phase: Proposed (20000615)
Reference: BUGTRAQ:20000516 MICROSOFT SECURITY FLAW?
Reference: URL:http://marc.theaimsgroup.com/?l=bugtraq&m=95868514521257&w=2
Reference: BID:1221
Reference: URL:http://www.securityfocus.com/bid/1221
Reference: XF:ie-active-movie-control
Votes:
ACCEPT(4) Frech, Levy, Ozancin, Wall
NOOP(2) Cole, Stracener
REJECT(1) Christey
REVIEWING(1) LeBlanc
Voter Comments:
LeBlanc> COMMENT - this definately will not work if the user has applied the security
patch. I don't know whether this repros right now, and have sent a query to
find out.
Christey> Is this now documented in MS:MS00-042?
LeBlanc> the problem isn't in the Active Movie control. What was
observed was a symptom of another problem that got fixed in
some bulletin or another - I don't remember.
Christey> According to Scott Culp, this existed because
the patch for the Cache Bypass vulnerability (MS:MS00-046,
CVE-2000-0621) was not applied, so this should be REJECTed
as a duplicate of CVE-2000-0621.
Name: CVE-2000-0401
Description:
Buffer overflows in redirect.exe and changepw.exe in PDGSoft shopping
cart allow remote attackers to execute arbitrary commands via a long
query string.
Status: Candidate
Phase: Proposed (20000615)
Reference: BUGTRAQ:20000525 Alert: PDG Cart Overflows
Reference: URL:http://marc.theaimsgroup.com/?l=bugtraq&m=95928319715983&w=2
Reference: NTBUGTRAQ:20000525 Alert: PDG Cart Overflows
Reference: URL:http://marc.theaimsgroup.com/?l=ntbugtraq&m=95928667119963&w=2
Reference: CONFIRM:http://www.pdgsoft.com/Security/security2.html
Reference: BID:1256
Reference: URL:http://www.securityfocus.com/bid/1256
Votes:
ACCEPT(2) Levy, Stracener
MODIFY(1) Frech
NOOP(2) Cole, Wall
Voter Comments:
Frech> XF:pdgsoft-changepw-bo
XF:pdgsoft-redirect-bo
Name: CVE-2000-0412
Description:
The gnapster and knapster clients for Napster do not properly restrict
access only to MP3 files, which allows remote attackers to read
arbitrary files from the client by specifying the full pathname for
the file.
Status: Candidate
Phase: Proposed (20000615)
Reference: BUGTRAQ:20000510 KNapster Vulnerability Compromises User-readable Files
Reference: URL:http://archives.neohapsis.com/archives/bugtraq/2000-05/0124.html
Reference: BUGTRAQ:20000510 Gnapster Vulnerability Compromises User-readable Files
Reference: URL:http://archives.neohapsis.com/archives/bugtraq/2000-05/0127.html
Reference: FREEBSD:FreeBSD-SA-00:18
Reference: URL:ftp://ftp.freebsd.org/pub/FreeBSD/CERT/advisories/FreeBSD-SA-00:18-gnapster.adv
Reference: XF:gnapster-view-files
Reference: BID:1186
Reference: URL:http://www.securityfocus.com/bid/1186
Votes:
ACCEPT(4) Baker, Levy, Ozancin, Stracener
MODIFY(1) Frech
NOOP(2) Cole, Prosser
Voter Comments:
Frech> ADDREF XF:knapster-view-files
Name: CVE-2000-0413
Description:
The shtml.exe program in the FrontPage extensions package of IIS 4.0
and 5.0 allows remote attackers to determine the physical path of
HTML, HTM, ASP, and SHTML files by requesting a file that does not
exist, which generates an error message that reveals the path.
Status: Candidate
Phase: Proposed (20000615)
Reference: BUGTRAQ:20000506 shtml.exe reveal local path of IIS web directory
Reference: URL:http://archives.neohapsis.com/archives/bugtraq/2000-05/0084.html
Reference: BID:1174
Reference: URL:http://www.securityfocus.com/bid/1174
Reference: XF:iis-shtml-reveal-path
Votes:
ACCEPT(7) Baker, Cole, Frech, LeBlanc, Levy, Ozancin, Stracener
MODIFY(1) Prosser
NOOP(1) Christey
Voter Comments:
Prosser> additional source Security BugWare
http://161.53.42.3/~crv/security/bugs/NT/fpse10.html comments on page re:
"MS soon to be released service release OSR 1.2 with needed changes."
I haven't located anything on MS site yet. Anyone help?
Christey> BID:1433 may also refer to this issue.
Christey> [note to self: review comments by Mark Burnett]
Christey> CHANGEREF XF:iis-shtml-reveal-path XF:frontpage-ext-shtml-path(4439)
LeBlanc> Fixes are up on site now - have been for a while.
Name: CVE-2000-0415
Description:
Buffer overflow in Outlook Express 4.x allows attackers to cause a
denial of service via a mail or news message that has a .jpg or .bmp
attachment with a long file name.
Status: Candidate
Phase: Proposed (20000615)
Reference: BUGTRAQ:20000512 Overflow in Outlook Express 4.* - too long filenames with graphic format extension
Reference: URL:http://archives.neohapsis.com/archives/bugtraq/2000-05/0140.html
Reference: BID:1195
Reference: URL:http://www.securityfocus.com/bid/1195
Votes:
ACCEPT(3) Levy, Ozancin, Wall
MODIFY(1) Frech
NOOP(3) Christey, Cole, Stracener
REJECT(1) LeBlanc
Voter Comments:
LeBlanc> The poster re-discovered a vulnerability we patched two years
ago, in
http://www.microsoft.com/technet/security/bulletin/ms98-008.asp
Microsoft posted a response to BugTraq when this one went
public, and reminded them that we'd already patched it.
BTW, I think we want to try and pay attention to follow-ups to
these threads in order to minimize noise in the process.
Christey> Based on David's comments, this is covered by CVE-1999-0002.
However, that candidate may wind up being SPLIT, so I will
keep this one around for the moment.
With respect to watching followups, we are relying quite
a bit on other data feeds instead of doing our own reviews
of all the different data sources. The data feeds may report
these problems as new before corrections are posted.
Followups do often lend additional information to the
candidates, and as is the case with this one, we will
often catch the discrepancy before the candidate becomes an
official entry, whether by MITRE's own analysis or by that
of other Board members.
Frech> XF:outlook-image-long-filename
Name: CVE-2000-0420
Description:
The default configuration of SYSKEY in Windows 2000 stores the startup
key in the registry, which could allow an attacker tor ecover it and
use it to decrypt Encrypted File System (EFS) data.
Status: Candidate
Phase: Proposed (20000615)
Reference: NTBUGTRAQ:20000511 ISS SAVANT Advisory 00/26
Reference: URL:http://archives.neohapsis.com/archives/ntbugtraq/2000-q2/0112.html
Reference: BID:1198
Reference: URL:http://www.securityfocus.com/bid/1198
Votes:
ACCEPT(2) Levy, Ozancin
MODIFY(1) Frech
NOOP(2) Cole, Stracener
REJECT(1) LeBlanc
REVIEWING(1) Wall
Voter Comments:
LeBlanc> This is not a vulnerability. It is essentially an advisory on best
practices. Also, the description is extremely inaccurate. If I weren't
intimately familiar with the issue, I would not be able to understand it
from this. Syskey, when applied at lower levels, has well-documented
limitations.
Stracener> "..to recover"
Frech> XF:win2k-syskey-default-configuration
Change "tor ecover" to "to recover"
Name: CVE-2000-0422
Description:
Buffer overflow in Netwin DMailWeb CGI program allows remote attackers
to execute arbitrary commands via a long utoken parameter.
Status: Candidate
Phase: Proposed (20000615)
Reference: BUGTRAQ:20000504 Alert: DMailWeb buffer overflow
Reference: URL:http://marc.theaimsgroup.com/?l=bugtraq&m=95749276827558&w=2
Reference: XF:http-cgi-dmailweb-bo
Reference: BID:1171
Reference: URL:http://www.securityfocus.com/bid/1171
Votes:
ACCEPT(5) Frech, Levy, Ozancin, Prosser, Stracener
NOOP(2) Baker, Cole
Name: CVE-2000-0423
Description:
Buffer overflow in Netwin DNEWSWEB CGI program allows remote attackers
to execute arbitrary commands via long parameters such as group, cmd,
and utag.
Status: Candidate
Phase: Proposed (20000615)
Reference: BUGTRAQ:20000505 Alert: DNewsWeb buffer overflow
Reference: URL:http://marc.theaimsgroup.com/?l=bugtraq&m=95764950403250&w=2
Reference: XF:http-cgi-dnews-bo
Reference: BID:1172
Reference: URL:http://www.securityfocus.com/bid/1172
Votes:
ACCEPT(5) Frech, Levy, Ozancin, Prosser, Stracener
NOOP(2) Baker, Cole
Name: CVE-2000-0429
Description:
A backdoor password in Cart32 3.0 and earlier allows remote attackers
to execute arbitrary commands.
Status: Candidate
Phase: Proposed (20000615)
Reference: BUGTRAQ:20000427 Alert: Cart32 secret password backdoor (CISADV000427)
Reference: URL:http://marc.theaimsgroup.com/?l=bugtraq&m=95686068203138&w=2
Reference: CONFIRM:http://www.cart32.com/kbshow.asp?article=c048
Votes:
ACCEPT(3) Ozancin, Prosser, Stracener
MODIFY(2) Frech, Levy
NOOP(2) Baker, Cole
Voter Comments:
Levy> Reference: BID 1153
Frech> XF:cart32-admin-password
Name: CVE-2000-0433
Description:
The SuSE aaa_base package installs some system accounts with home
directories set to /tmp, which allows local users to gain privileges
to those accounts by creating standard user startup scripts such as
profiles.
Status: Candidate
Phase: Proposed (20000615)
Reference: SUSE:20000502 aaabase < 2000.5.2
Reference: URL:http://www.novell.com/linux/security/advisories/suse_security_announce_47.html
Reference: XF:aaabase-execute-dot-files
Votes:
ACCEPT(6) Baker, Cole, Frech, Levy, Ozancin, Stracener
MODIFY(1) Prosser
Voter Comments:
Prosser> add source:
SecurityFocus
BID1357
SuSE Linux aaabase User Account with /tmp Home Vulnerability
http://www.securityfocus.com/bid/1357
CHANGE> [Levy changed vote from REVIEWING to ACCEPT]
Name: CVE-2000-0434
Description:
The administrative password for the Allmanage web site administration
software is stored in plaintext in a file which could be accessed by
remote attackers.
Status: Candidate
Phase: Proposed (20000615)
Reference: BUGTRAQ:20000516 Allmanage.pl Vulnerabilities
Reference: URL:http://archives.neohapsis.com/archives/bugtraq/2000-05/0167.html
Reference: BID:1217
Reference: URL:http://www.securityfocus.com/bid/1217
Votes:
ACCEPT(3) Levy, Ozancin, Stracener
MODIFY(1) Frech
NOOP(3) Cole, LeBlanc, Wall
Voter Comments:
Frech> XF:http-cgi-allmanage-plaintext-admin
Name: CVE-2000-0444
Description:
HP Web JetAdmin 6.0 allows remote attackers to cause a denial of
service via a malformed URL to port 8000.
Status: Candidate
Phase: Proposed (20000615)
Reference: BUGTRAQ:20000524 HP Web JetAdmin Version 6.0 Remote DoS attack Vulnerability
Reference: URL:http://archives.neohapsis.com/archives/bugtraq/2000-05/0277.html
Reference: XF:hp-jetadmin-malformed-url-dos
Reference: BID:1246
Reference: URL:http://www.securityfocus.com/bid/1246
Votes:
ACCEPT(4) Frech, Levy, Prosser, Stracener
NOOP(2) Cole, Wall
REVIEWING(1) Christey
Voter Comments:
Christey> ADDREF CONFIRM:http://www.hp.com/cposupport/networking/support_doc/bpj06522.html
Christey> HP:HPSBUX0006-116 ?
XF:jetadmin-network-dos
CHANGE> [Christey changed vote from NOOP to REVIEWING]
Prosser> Vendor acknowledged in HP Bulletin HPSBUX0006-116 with upgrade info.
Name: CVE-2000-0449
Description:
Omnis Studio 2.4 uses weak encryption (trivial encoding) for
encrypting database fields.
Status: Candidate
Phase: Proposed (20000615)
Reference: BUGTRAQ:20000525 Omnis Weak Encryption - Many products affected
Reference: URL:http://archives.neohapsis.com/archives/bugtraq/2000-05/0311.html
Reference: BID:1255
Reference: URL:http://www.securityfocus.com/bid/1255
Votes:
ACCEPT(2) Levy, Stracener
MODIFY(1) Frech
NOOP(2) Cole, Wall
Voter Comments:
Frech> XF:omnis-studio-weak-encryption
Name: CVE-2000-0450
Description:
Vulnerability in bbd server in Big Brother System and Network Monitor
allows an attacker to execute arbitrary commands.
Status: Candidate
Phase: Proposed (20000615)
Reference: BUGTRAQ:20000518 FW: Security Notice: Big Brother System and Network Monitor
Reference: URL:http://archives.neohapsis.com/archives/bugtraq/2000-05/0216.html
Reference: BID:1257
Reference: URL:http://www.securityfocus.com/bid/1257
Votes:
ACCEPT(3) Levy, Ozancin, Stracener
MODIFY(1) Frech
NOOP(3) Christey, Cole, Wall
RECAST(1) LeBlanc
Voter Comments:
LeBlanc> I have no idea what this one is talking about from the description. I also
don't think it involves "Network Monitor", which is a component of Windows
NT/Windows 2000. This should be clarified.
Frech> XF:big-brother-bbd-bo
Christey> The original advisory, as forwarded to Bugtraq, does not
provide any details, so the description is necessarily vague.
Also, the home page at http://bb4.com has it referring to
itself as "Big Brother System and Network Monitor," so
"Network Monitor" is apparently part of the name of the product.
Change this description to mention version 1.4g, to distinguish
from other Big Brother vulnerabilities.
Name: CVE-2000-0473
Description:
Buffer overflow in AnalogX SimpleServer 1.05 allows a remote attacker
to cause a denial of service via a long GET request for a program in
the cgi-bin directory.
Status: Candidate
Phase: Proposed (20000712)
Reference: BUGTRAQ:19991231 Local / Remote GET Buffer Overflow Vulnerability in AnalogX SimpleServer:WWW HTTP Server v1.1
Reference: MISC:http://www.analogx.com/contents/download/network/sswww.htm
Reference: BID:1349
Reference: URL:http://www.securityfocus.com/bid/1349
Votes:
ACCEPT(1) Levy
MODIFY(1) Frech
REVIEWING(1) Christey
Voter Comments:
Christey> Appears to be the same as, or similar to, CVE-2000-0011, which was
also discovered by USSR. Comments on the AnalogX web site are
decidedly sparse. In CVE-2000-0011, USSR only claims that
the vendor was informed, so is this still the same problem?
XF:simpleserver-long-url-dos
Frech> XF:simpleserver-long-url-dos(4693)
Please review whether your BUGTRAQ:19991231 reference is correct; seems like
this is the reference to CVE-2000-0011: Buffer overflow in AnalogX
SimpleServer:WWW HTTP server allows remote attackers to execute commands via
a long GET request. They are subtle; almost the only thing that changed was
the version.
A possible reference is "Remote DoS attack in AnalogX SimpleServer WWW
Version 1.05 Vulnerability" at http://www.ussrback.com/labs45.html.
Name: CVE-2000-0476
Description:
xterm, Eterm, and rxvt allow an attacker to cause a denial of service
by embedding certain escape characters which force the window to be
resized.
Status: Candidate
Phase: Proposed (20000712)
Reference: BUGTRAQ:20000601 [rootshell.com] Xterm DoS Attack
Reference: URL:http://archives.neohapsis.com/archives/bugtraq/2000-05/0409.html
Reference: URL:http://archives.neohapsis.com/archives/bugtraq/2000-05/0420.html
Reference: BID:1298
Reference: URL:http://www.securityfocus.com/bid/1298
Votes:
ACCEPT(2) Levy, Ozancin
MODIFY(1) Frech
NOOP(2) LeBlanc, Wall
Voter Comments:
Frech> XF:xterm-control-characters-dos(4987)
Name: CVE-2000-0479
Description:
Dragon FTP server allows remote attackers to cause a denial of service
via a long USER command.
Status: Candidate
Phase: Proposed (20000712)
Reference: BUGTRAQ:20000616 Multiples Remotes DoS Attacks in Dragon Server v1.00 and v2.00
Reference: URL:http://marc.theaimsgroup.com/?l=bugtraq&m=96113734714517&w=2
Reference: BID:1352
Reference: URL:http://www.securityfocus.com/bid/1352
Votes:
ACCEPT(2) Baker, Levy
MODIFY(1) Frech
NOOP(1) Christey
Voter Comments:
Christey> XF:dragon-ftp-dos
Frech> XF:dragon-ftp-dos(4691)
Name: CVE-2000-0480
Description:
Dragon telnet server allows remote attackers to cause a denial of service
via a long username.
Status: Candidate
Phase: Proposed (20000712)
Reference: BUGTRAQ:20000616 Multiples Remotes DoS Attacks in Dragon Server v1.00 and v2.00
Reference: URL:http://marc.theaimsgroup.com/?l=bugtraq&m=96113734714517&w=2
Reference: BID:1352
Reference: URL:http://www.securityfocus.com/bid/1352
Votes:
ACCEPT(2) Baker, Levy
MODIFY(1) Frech
NOOP(1) Christey
Voter Comments:
Christey> XF:dragon-telnet-dos
Frech> XF:dragon-ftp-dos(4691)
Name: CVE-2000-0487
Description:
The Protected Store in Windows 2000 does not properly select the
strongest encryption when available, which causes it to use a default
of 40-bit encryption instead of 56-bit DES encryption, aka the
"Protected Store Key Length" vulnerability.
Status: Candidate
Phase: Proposed (20000712)
Reference: MS:MS00-032
Reference: URL:http://www.microsoft.com/technet/security/bulletin/ms00-032.asp
Reference: BID:1295
Reference: URL:http://www.securityfocus.com/bid/1295
Votes:
ACCEPT(3) LeBlanc, Levy, Wall
MODIFY(1) Frech
NOOP(1) Ozancin
Voter Comments:
Frech> XF:ms-protected-store(4589)
Name: CVE-2000-0491
Description:
Buffer overflow in the XDMCP parsing code of GNOME gdm, KDE kdm, and
wdm allows remote attackers to execute arbitrary commands or cause a
denial of service via a long FORWARD_QUERY request.
Status: Candidate
Phase: Proposed (20000712)
Reference: BUGTRAQ:20000521 "gdm" remote hole
Reference: URL:http://archives.neohapsis.com/archives/bugtraq/2000-05/0241.html
Reference: SUSE:20000524 Security hole in gdm <= 2.0beta4-25
Reference: URL:http://www.novell.com/linux/security/advisories/suse_security_announce_49.html
Reference: BUGTRAQ:20000607 Conectiva Linux Security Announcement - gdm
Reference: URL:http://archives.neohapsis.com/archives/bugtraq/2000-06/0025.html
Reference: CALDERA:CSSA-2000-013.0
Reference: URL:ftp://ftp.calderasystems.com/pub/OpenLinux/security/CSSA-2000-013.0.txt
Reference: BID:1233
Reference: URL:http://www.securityfocus.com/bid/1233
Reference: BID:1279
Reference: URL:http://www.securityfocus.com/bid/1279
Reference: BID:1370
Reference: URL:http://www.securityfocus.com/bid/1370
Votes:
MODIFY(2) Frech, Levy
NOOP(2) LeBlanc, Wall
REVIEWING(2) Christey, Ozancin
Voter Comments:
Levy> The BID 1233 vulns is different from the other ones. BID 1233 uses
a FORWARD_QUERY request to overflow an in_addr structure via a memmove
in daemon/xdmcp.c, gdm_xdmcp_handle_forward_query(). In BID 1370
a buffer is overflowed by a sprintf in xdmcp.c, send_failed().
Frech> XF:gnome-gdm-bo(4530)
Christey> MANDRAKE:MDKSA-2001:070
URL:http://www.linux-mandrake.com/en/security/2001/MDKSA-2001-070.php3
Christey> BUGTRAQ:20000527 gdm exploit
URL:http://marc.theaimsgroup.com/?l=bugtraq&m=96017189021021&w=2
Consider REDHAT:RHSA-2000:027
Christey> RHSA-2000:027 confirmed via Mark Cox
Name: CVE-2000-0492
Description:
PassWD 1.2 uses weak encryption (trivial encoding) to store passwords,
which allows an attacker who can read the password file to easliy
decrypt the passwords.
Status: Candidate
Phase: Proposed (20000712)
Reference: BUGTRAQ:20000609 Insecure encryption in PassWD v1.2
Reference: URL:http://archives.neohapsis.com/archives/bugtraq/2000-05/0450.html
Reference: BID:1300
Reference: URL:http://www.securityfocus.com/bid/1300
Votes:
ACCEPT(1) Levy
MODIFY(2) Frech, Ozancin
NOOP(2) LeBlanc, Wall
Voter Comments:
Ozancin> change "attacker who can read the password" to "attacker to decrypt and read
the password"
Frech> XF:passwd-weak-encryption(4596)
Name: CVE-2000-0503
Description:
The IFRAME of the WebBrowser control in Internet Explorer 5.01 allows
a remote attacker to violate the cross frame security policy via the
NavigateComplete2 event.
Status: Candidate
Phase: Proposed (20000712)
Reference: BUGTRAQ:20000606 IE 5 Cross-frame security vulnerability using IFRAME and WebBrowser control
Reference: URL:http://archives.neohapsis.com/archives/win2ksecadvice/2000-q2/0154.html
Reference: BID:1311
Reference: URL:http://www.securityfocus.com/bid/1311
Votes:
ACCEPT(1) Levy
MODIFY(2) Frech, Wall
NOOP(2) LeBlanc, Ozancin
REVIEWING(1) Christey
Voter Comments:
Wall> This affects more than IE 5.01. See http://www.securityfocus.com/bid/1311 for
all versions of IE that this affects. Works on Windows 98, IE 5.01 and IE 5.5.
LeBlanc> If this is the one I was discussing offline with Steve, ACCEPT
Frech> XF:ie-cross-frame(4610)
Christey> Make sure this is the one I was discussing offline with David :-)
Frech> CVE-2000-0503 was reassigned to ie-frame-domain-file-access(5504) from
ie-cross-frame(4610), which was obsoleted and redirected to this
issue. Since these are the same issues but just described differently,
CVE-2000-0503 appears to be a dupe of CVE-2000-0768.
Name: CVE-2000-0509
Description:
Buffer overflows in the finger and whois demonstration scripts in
Sambar Server 4.3 allow remote attackers to execute arbitrary commands
via a long hostname.
Status: Candidate
Phase: Proposed (20000712)
Reference: BUGTRAQ:20000601 DST2K0008: Buffer Overrun in Sambar Server 4.3
Reference: URL:http://marc.theaimsgroup.com/?l=bugtraq&m=95990103207665&w=2
Reference: BID:1287
Reference: URL:http://www.securityfocus.com/bid/1287
Votes:
ACCEPT(2) Levy, Ozancin
MODIFY(1) Frech
NOOP(2) LeBlanc, Wall
Voter Comments:
Frech> XF:sambar-dll-bo(4592)
Name: CVE-2000-0520
Description:
Buffer overflow in restore program 0.4b17 and earlier in dump package
allows local users to execute arbitrary commands via a long tape name.
Status: Candidate
Phase: Proposed (20000712)
Reference: BUGTRAQ:20000630 CONECTIVA LINUX SECURITY ANNOUNCEMENT - dump
Reference: URL:http://marc.theaimsgroup.com/?l=bugtraq&m=96240393814071&w=2
Reference: MISC:http://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=11880
Reference: BID:1330
Reference: URL:http://www.securityfocus.com/bid/1330
Votes:
ACCEPT(2) Levy, Prosser
MODIFY(1) Frech
NOOP(4) Christey, LeBlanc, Ozancin, Wall
Voter Comments:
Christey> ADDREF BUGTRAQ:20000711 MDKSA-2000:018 dump update
URL:http://archives.neohapsis.com/archives/bugtraq/2000-07/0166.html
Frech> XF:linux-restore-bo(4647)
Prosser> Add Sources:
http://www.linux-mandrake.com/en/updates/2000/MDKSA-2000-018.php3?dis=6.0
http://www.redhat.com/support/errata/RHSA-2000-100.html
Name: CVE-2000-0524
Description:
Microsoft Outlook and Outlook Express allow remote attackers to cause
a denial of service by sending email messages with blank fields such
as BCC, Reply-To, Return-Path, or From.
Status: Candidate
Phase: Proposed (20000712)
Reference: BUGTRAQ:20000604 Microsoft Outlook (Express) bug..
Reference: URL:http://archives.neohapsis.com/archives/bugtraq/2000-06/0045.html
Reference: BID:1333
Reference: URL:http://www.securityfocus.com/bid/1333
Votes:
MODIFY(3) Frech, LeBlanc, Levy
NOOP(1) Ozancin
RECAST(1) Wall
Voter Comments:
Levy> There was plenty of people that could not reproduce the problem although
some did. More research (as in actual testing) is probably required.
LeBlanc> This entry does not specify which versions of Outloook are vulnerable, nor
is that clear from the BUGTRAQ record. It is much too broad to say just
"Outlook" when it is definately not all versions of Outlook. The problem
appears confined to some version of Outlook 97, and if I recall correctly,
there has been a patch for this for quite some time.
Frech> XF:outlook-header-dos(4645)
CHANGE> [Wall changed vote from REVIEWING to RECAST]
Wall> UNABLE TO DUPLICATE
Name: CVE-2000-0526
Description:
mailview.cgi CGI program in MailStudio 2000 2.0 and earlier allows
remote attackers to read arbitrary files via a .. (dot dot) attack.
Status: Candidate
Phase: Proposed (20000712)
Reference: BUGTRAQ:20000609 Mailstudio2000 CGI Vulnerabilities [S0ftPj.4]
Reference: URL:http://archives.neohapsis.com/archives/bugtraq/2000-06/0081.html
Reference: BID:1335
Reference: URL:http://www.securityfocus.com/bid/1335
Votes:
ACCEPT(2) Baker, Levy
MODIFY(1) Frech
NOOP(4) Christey, LeBlanc, Ozancin, Wall
Voter Comments:
Christey> ADDREF XF:mailstudio-view-files
Frech> XF:mailstudio-view-files(4737)
Name: CVE-2000-0527
Description:
userreg.cgi CGI program in MailStudio 2000 2.0 and earlier allows
remote attackers to execute arbitrary commands via shell
metacharacters.
Status: Candidate
Phase: Proposed (20000712)
Reference: BUGTRAQ:20000609 Mailstudio2000 CGI Vulnerabilities [S0ftPj.4]
Reference: URL:http://archives.neohapsis.com/archives/bugtraq/2000-06/0081.html
Reference: BID:1335
Reference: URL:http://www.securityfocus.com/bid/1335
Votes:
ACCEPT(2) Baker, Levy
MODIFY(1) Frech
NOOP(4) Christey, LeBlanc, Ozancin, Wall
Voter Comments:
Christey> Modify description - explicitly mention %0a string; other
metachar's are filtered
Frech> XF:mailstudio-cgi-input-vaildation(4739)
Name: CVE-2000-0531
Description:
Linux gpm program allows local users to cause a denial of service by
flooding the /dev/gpmctl device with STREAM sockets.
Status: Candidate
Phase: Modified (20040818)
Reference: BUGTRAQ:20000620 Bug in gpm
Reference: URL:http://www.securityfocus.com/templates/archive.pike?list=1&msg=Pine.LNX.4.10.10006201453090.1812-200000@apollo.aci.com.pl
Reference: REDHAT:RHSA-2000:045
Reference: URL:http://www.redhat.com/support/errata/RHSA-2000-045.html
Reference: BUGTRAQ:20000728 MDKSA:2000-025 gpm update
Reference: URL:http://archives.neohapsis.com/archives/bugtraq/2000-07/0409.html
Reference: BID:1377
Reference: URL:http://www.securityfocus.com/bid/1377
Reference: XF:linux-gpm-gpmctl-dos
Reference: URL:http://xforce.iss.net/static/5010.php
Votes:
ACCEPT(1) Levy
MODIFY(1) Frech
REVIEWING(1) Christey
Voter Comments:
Frech> XF:linux-gpm-gpmctl-dos(5010)
Christey> ADDREF REDHAT:RHSA-2000:045-01
ADDREF BUGTRAQ:20000728 MDKSA:2000-025 gpm update
URL:http://archives.neohapsis.com/archives/bugtraq/2000-07/0409.html
CHANGE> [Christey changed vote from NOOP to REVIEWING]
Christey> Per Andre Frech's comments for CVE-2000-0667.
Name: CVE-2000-0535
Description:
OpenSSL 0.9.4 and OpenSSH for FreeBSD do not properly check for the
existence of the /dev/random or /dev/urandom devices, which are absent
on FreeBSD Alpha systems, which causes them to produce weak keys which
may be more easily broken.
Status: Candidate
Phase: Proposed (20000712)
Reference: FREEBSD:FreeBSD-SA-00:25
Reference: URL:http://archives.neohapsis.com/archives/freebsd/2000-06/0083.html
Reference: BID:1340
Reference: URL:http://www.securityfocus.com/bid/1340
Votes:
ACCEPT(2) Levy, Ozancin
MODIFY(1) Frech
NOOP(2) LeBlanc, Wall
REVIEWING(1) Christey
Voter Comments:
Christey> ADDREF NETBSD
http://archives.neohapsis.com/archives/bugtraq/2000-06/0208.html
Frech> XF:freebsd-alpha-weak-encryption(4704)
Christey> ftp://ftp.netbsd.org/pub/NetBSD/misc/security/advisories/NetBSD-SA2000-007.txt.asc
CHANGE> [Christey changed vote from NOOP to REVIEWING]
Christey> Should the NetBSD problem really be combined with this?
Name: CVE-2000-0543
Description:
The command port for PGP Certificate Server 2.5.0 and 2.5.1 allows
remote attackers to cause a denial of service if their hostname does
not have a reverse DNS entry and they connect to port 4000.
Status: Candidate
Phase: Modified (20001010-1)
Reference: BUGTRAQ:20000614 Remote DoS attack in Networks Associates PGP Certificate Server Version 2.5 Vulnerability
Reference: URL:http://archives.neohapsis.com/archives/bugtraq/2000-06/0107.html
Reference: BID:1343
Reference: URL:http://www.securityfocus.com/bid/1343
Reference: XF:pgp-cert-server-dos
Reference: URL:http://xforce.iss.net/static/4695.php
Votes:
ACCEPT(5) Baker, Cole, Collins, Levy, Ozancin
MODIFY(1) Frech
NOOP(1) Armstrong
REVIEWING(1) Christey
Voter Comments:
Christey> XF:pgp-cert-server-dos
Frech> XF:pgp-cert-server-dos(4695)
CHANGE> [Armstrong changed vote from REVIEWING to NOOP]
CHANGE> [Christey changed vote from NOOP to REVIEWING]
Christey> Need to consult Jim Magdych on this one.
Name: CVE-2000-0544
Description:
Windows NT and Windows 2000 hosts allow a remote attacker to cause a
denial of service via malformed DCE/RPC SMBwriteX requests
that contain an invalid data length.
Status: Candidate
Phase: Proposed (20000712)
Reference: NTBUGTRAQ:20000604 anonymous SMBwriteX DoS
Reference: URL:http://archives.neohapsis.com/archives/ntbugtraq/2000-q2/0231.html
Reference: BID:1304
Reference: URL:http://www.securityfocus.com/bid/1304
Votes:
ACCEPT(2) LeBlanc, Levy
MODIFY(1) Frech
NOOP(1) Ozancin
REVIEWING(2) Christey, Wall
Voter Comments:
Frech> XF;nt-smb-request-dos(4600)
Christey> Consult with Microsoft to see if this is MS:MS00-066
Christey> ADDREF MS:MS00-066
(confirmed offline with David LeBlanc)
Subsequently, add BID:1673 and XF:win2k-rpc-dos(5222)
Name: CVE-2000-0545
Description:
Buffer overflow in mailx mail command (aka Mail) on Linux systems
allows local users to gain privileges via a long -c (carbon copy)
parameter.
Status: Candidate
Phase: Proposed (20000712)
Reference: BUGTRAQ:20000602 /usr/bin/Mail exploit for Slackware 7.0 (mail-slack.c)
Reference: URL:http://archives.neohapsis.com/archives/bugtraq/2000-05/0435.html
Reference: DEBIAN:20000605 mailx: mail group exploit in mailx
Reference: URL:http://www.debian.org/security/2000/20000605
Reference: BID:1305
Reference: URL:http://www.securityfocus.com/bid/1305
Votes:
ACCEPT(2) Levy, Ozancin
MODIFY(1) Frech
NOOP(2) LeBlanc, Wall
REVIEWING(1) Christey
Voter Comments:
Frech> XF:sgi-mailx-bo(1371)
CVE-2000-0545 seems to be a dupe of CVE-1999-0125 (Buffer overflow in SGI
IRIX mailx program) since they both allow 'mail' group privileges. There was
no exploit for SGI's vuln to compare.
Christey> Since we are taking a split-by-default approach when
there are insufficient details, we should keep this
separate from CVE-1999-0125. The difference in the
time of discovery is also a factor, even if these wind
up being the same problem. However, there just aren't
enough details to be sure if this is the same problem or not.
Christey> On June 25, 1998, a buffer overflow in mailx via the HOME
environmental variable was posted at:
BUGTRAQ:19980625 security hole in mailx
http://marc.theaimsgroup.com/?l=bugtraq&m=90221103125955&w=2
This affected multiple OSes.
SGI:19980605-01-PX (CVE-1999-0125) was published on September
29, 1998; while the advisory is short on details, it does
mention a buffer overflow.
So, there's enough distinction here (time and what gets
exploited) to say that these should remain split; but
CVE-1999-0125 likely needs to be RECAST to mention other
affected OSes.
Name: CVE-2000-0546
Description:
Buffer overflow in Kerberos 4 KDC program allows remote attackers to
cause a denial of service via the lastrealm variable in the set_tgtkey
function.
Status: Candidate
Phase: Proposed (20000712)
Reference: BUGTRAQ:20000609 Security Advisory: MULTIPLE DENIAL OF SERVICE VULNERABILITIES IN KRB4 KDC
Reference: URL:http://archives.neohapsis.com/archives/bugtraq/2000-06/0064.html
Reference: CONFIRM:http://web.mit.edu/kerberos/www/advisories/krb4kdc.txt
Reference: CERT:CA-2000-11
Reference: URL:http://www.cert.org/advisories/CA-2000-11.html
Reference: CIAC:K-051
Reference: URL:http://ciac.llnl.gov/ciac/bulletins/k-051.shtml
Reference: BID:1338
Reference: URL:http://www.securityfocus.com/bid/1338
Votes:
ACCEPT(2) Levy, Ozancin
MODIFY(2) Cox, Frech
NOOP(3) Christey, LeBlanc, Wall
Voter Comments:
Christey> ADDREF XF:kerberos-lastrealm-bo
Frech> XF:kerberos-lastrealm-bo(4656)
I question whether BID-1338 is appropriate here.
Cox> ADDREF REDHAT:RHSA-2000:031
Name: CVE-2000-0547
Description:
Buffer overflow in Kerberos 4 KDC program allows remote attackers to
cause a denial of service via the localrealm variable in the
process_v4 function.
Status: Candidate
Phase: Proposed (20000712)
Reference: BUGTRAQ:20000609 Security Advisory: MULTIPLE DENIAL OF SERVICE VULNERABILITIES IN KRB4 KDC
Reference: URL:http://archives.neohapsis.com/archives/bugtraq/2000-06/0064.html
Reference: CONFIRM:http://web.mit.edu/kerberos/www/advisories/krb4kdc.txt
Reference: CERT:CA-2000-11
Reference: URL:http://www.cert.org/advisories/CA-2000-11.html
Reference: CIAC:K-051
Reference: URL:http://ciac.llnl.gov/ciac/bulletins/k-051.shtml
Reference: BID:1338
Reference: URL:http://www.securityfocus.com/bid/1338
Votes:
ACCEPT(2) Levy, Ozancin
MODIFY(2) Cox, Frech
NOOP(2) LeBlanc, Wall
Voter Comments:
Frech> XF:kerberos-localrealm-bo(4657)
I question whether BID-1338 is appropriate here.
Cox> ADDREF REDHAT:RHSA-2000:031
Name: CVE-2000-0554
Description:
Ceilidh allows remote attackers to obtain the real path of the Ceilidh
directory via the translated_path hidden form field.
Status: Candidate
Phase: Proposed (20000712)
Reference: NTBUGTRAQ:20000608 DST2K0010: DoS & Path Revealing Vulnerability in Ceilidh v2.60a
Reference: URL:http://archives.neohapsis.com/archives/ntbugtraq/2000-q2/0246.html
Reference: BID:1320
Reference: URL:http://www.securityfocus.com/bid/1320
Votes:
ACCEPT(2) Cole, Levy
MODIFY(1) Frech
NOOP(4) Christey, LeBlanc, Ozancin, Wall
Voter Comments:
Christey> ADDREF XF:ceilidh-path-disclosure
Frech> XF:ceilidh-path-disclosure(4620)
Name: CVE-2000-0559
Description:
eTrust Intrusion Detection System (formerly SessionWall-3) uses weak
encryption (XOR) to store administrative passwords in the registry,
which allows local users to easily decrypt the passwords.
Status: Candidate
Phase: Proposed (20000712)
Reference: BUGTRAQ:20000607 SessionWall-3 Paper + (links to) code
Reference: URL:http://www.securityfocus.com/templates/archive.pike?list=1&msg=Pine.BSO.4.21.0006072124320.28062-100000@bearclaw.bogus.net
Reference: BID:1341
Reference: URL:http://www.securityfocus.com/bid/1341
Votes:
ACCEPT(2) Levy, Ozancin
MODIFY(1) Frech
NOOP(2) LeBlanc, Wall
Voter Comments:
Frech> XF:etrust-weak-password-encryption(5051)
Name: CVE-2000-0562
Description:
BlackIce Defender 2.1 and earlier, and BlackIce Pro 2.0.23 and
earlier, do not properly block Back Orifice traffic when the security
setting is Nervous or lower.
Status: Candidate
Phase: Proposed (20000712)
Reference: BUGTRAQ:20000620 BlackICE by Network ICE Corp vulnerability against Back Orifice 1.2
Reference: URL:http://archives.neohapsis.com/archives/bugtraq/2000-06/0190.html
Votes:
ACCEPT(3) Armstrong, Cole, Levy
MODIFY(2) Baker, Frech
NOOP(1) Ozancin
REVIEWING(1) Christey
Voter Comments:
Levy> What do others think? Should this be a vuln? I can see the argument
that some features are simply not available unless you use the maximum
security settings.
Christey> At the very least, this needs to be modified to state that
this problem/concern applies to high ports in general, not
just Back orifice.
The Bugtraq poster claims that BlackICE "shuts down" the port,
but only *after* some initial traffic "leaks" out. This may
be by design, but it does mean that there is a small window
of opportunity in which BlackICE may not work "as
advertised," even at lower security settings.
Christey> XF:blackice-security-level-nervous
BID:1389
Frech> XF:blackice-security-level-nervous(4777)
CHANGE> [Levy changed vote from REVIEWING to ACCEPT]
CHANGE> [Christey changed vote from NOOP to REVIEWING]
Baker> I accept it more as a security exposure, than a real vulnerability.
It performs just as any other "firewall" or IDS product can be configured to
allow traffic without notifying the user. You can adjust settings on
any product that allow traffic that other people or organizations would
find unacceptable. So, as long as it is reflected that this is more of
a configuration that allows such traffic as opposed to a defective
or improperly functioning software issue, I don't have a problem with
it.
Name: CVE-2000-0563
Description:
The URLConnection function in MacOS Runtime Java (MRJ) 2.1 and earlier
and the Microsoft virtual machine (VM) for MacOS allows a malicious
web site operator to connect to arbitrary hosts using a HTTP
redirection, in violation of the Java security model.
Status: Candidate
Phase: Proposed (20000712)
Reference: BUGTRAQ:20000609 Security Holes Found in URLConnection of MRJ and IE of Mac OS (was Re: Reappearance of an old IE security bug)
Reference: URL:http://archives.neohapsis.com/archives/bugtraq/2000-06/0056.html
Reference: BUGTRAQ:20000513 Re: Reappearance of an old IE security bug
Reference: URL:http://www.securityfocus.com/templates/archive.pike?list=1&date=2000-05-8&msg=391C95DE2DA.5E3BTAKAGI@java-house.etl.go.jp
Reference: BID:1336
Reference: URL:http://www.securityfocus.com/bid/1336
Votes:
ACCEPT(2) Levy, Ozancin
MODIFY(1) Frech
NOOP(2) Christey, Wall
REVIEWING(1) LeBlanc
Voter Comments:
Christey> Confirmed by Scott Culp, but this only applies to
outdated/unsupported versions of the JVM.
Frech> XF:macos-java-security-ignored(5052)
Christey> Consult with Microsoft to ensure that this is fixed by
MS:MS00-059. If so, then this might not just be in MacOS.
Name: CVE-2000-0564
Description:
The guestbook CGI program in ICQ Web Front service for ICQ 2000a, 99b,
and others allows remote attackers to cause a denial of service via a
URL with a long name parameter.
Status: Candidate
Phase: Proposed (20000712)
Reference: NTBUGTRAQ:20000529 ICQ Web Front Remote DoS Attack Vulnerability
Reference: URL:http://archives.neohapsis.com/archives/ntbugtraq/2000-q2/0218.html
Votes:
ACCEPT(2) Baker, Levy
MODIFY(1) Frech
NOOP(5) Christey, Cole, LeBlanc, Ozancin, Wall
Voter Comments:
Christey> ADDREF BID:1463
URL:http://www.securityfocus.com/bid/1463
Frech> XF:icq-webfront-guestbook-dos(4574)
Name: CVE-2000-0572
Description:
The Razor configuration management tool uses weak encryption for its
password file, which allows local users to gain privileges.
Status: Candidate
Phase: Proposed (20000719)
Reference: BUGTRAQ:20000704 Recovering Passwords in Visible Systems' Razor
Reference: URL:http://www.securityfocus.com/templates/archive.pike?list=1&date=2000-07-8&msg=613309F30B6DD2118C020000F809376C05CABD49@emss03m09.orl.lmco.com
Reference: BID:1424
Reference: URL:http://www.securityfocus.com/bid/1424
Votes:
ACCEPT(2) Baker, Levy
MODIFY(1) Frech
NOOP(4) Cole, LeBlanc, Magdych, Wall
Voter Comments:
Frech> XF;razor-weak-encryption(4875)
CHANGE> [Magdych changed vote from REVIEWING to NOOP]
Name: CVE-2000-0574
Description:
FTP servers such as OpenBSD ftpd, NetBSD ftpd, ProFTPd and Opieftpd do
not properly cleanse untrusted format strings that are used in the
setproctitle function (sometimes called by set_proc_title), which
allows remote attackers to cause a denial of service or execute
arbitrary commands.
Status: Candidate
Phase: Proposed (20000719)
Reference: BUGTRAQ:20000705 proftp advisory
Reference: URL:http://archives.neohapsis.com/archives/bugtraq/2000-07/0031.html
Reference: BUGTRAQ:20000706 ftpd and setproctitle()
Reference: URL:http://archives.neohapsis.com/archives/bugtraq/2000-07/0061.html
Reference: CERT:CA-2000-13
Reference: URL:http://www.cert.org/advisories/CA-2000-13.html
Reference: BUGTRAQ:20000710 opieftpd setproctitle() patches
Reference: URL:http://archives.neohapsis.com/archives/bugtraq/2000-07/0121.html
Reference: NETBSD:NetBSD-SA2000-009
Reference: URL:ftp://ftp.NetBSD.ORG/pub/NetBSD/misc/security/advisories/NetBSD-SA2000-009.txt.asc
Reference: BID:1425
Reference: URL:http://www.securityfocus.com/bid/1425
Reference: BID:1438
Reference: URL:http://www.securityfocus.com/bid/1438
Votes:
ACCEPT(3) Cole, Levy, Magdych
MODIFY(1) Frech
NOOP(2) LeBlanc, Wall
REVIEWING(1) Christey
Voter Comments:
Christey> CD:SF-CODEBASE applies here. There are many ftpd's that
have this setproctitle() problem, but it might be traced
back to the same codebase. See if the HP problem is the
same here as well, and if so, ADDREF HP:HPSBUX0007-117
URL:http://www.securityfocus.com/templates/advisory.html?id=2404
Frech> XF:ftp-setproctitle-format-string(4908)
BID:1438 does not exist.
Christey> ADDREF HP:HPSBUX0007-117??
http://archives.neohapsis.com/archives/hp/2000-q4/0020.html
Christey> ADDREF BID:650 ?
Name: CVE-2000-0578
Description:
SGI MIPSPro compilers C, C++, F77 and F90 generate temporary files in
/tmp with predictable file names, which could allow local users to
insert malicious contents into these files as they are being compiled
by another user.
Status: Candidate
Phase: Proposed (20000719)
Reference: BUGTRAQ:20000621 Predictability Problems in IRIX Cron and Compilers
Reference: URL:http://archives.neohapsis.com/archives/bugtraq/2000-06/0204.html
Reference: BID:1412
Reference: URL:http://www.securityfocus.com/bid/1412
Votes:
ACCEPT(4) Baker, Blake, Cole, Levy
MODIFY(1) Frech
NOOP(7) Armstrong, Christey, LeBlanc, Magdych, Oliver, Ozancin, Wall
Voter Comments:
Frech> XF:sgi-mipspro-modify-files(5007)
CHANGE> [Cole changed vote from NOOP to ACCEPT]
CHANGE> [Magdych changed vote from REVIEWING to NOOP]
Christey> SGI:20030605-01-A
URL:ftp://patches.sgi.com/support/free/security/advisories/20030605-01-A
Name: CVE-2000-0580
Description:
Windows 2000 Server allows remote attackers to cause a denial of
service by sending a continuous stream of binary zeros to various TCP
and UDP ports, which significantly increases the CPU utilization.
Status: Candidate
Phase: Proposed (20000719)
Reference: BUGTRAQ:20000630 SecureXpert Advisory [SX-20000620-2]
Reference: URL:http://www.securityfocus.com/templates/archive.pike?list=1&msg=Pine.LNX.3.96.1000630161935.4619B-100000@fjord.fscinternet.com
Reference: XF:win2k-cpu-overload-dos
Reference: BID:1415
Reference: URL:http://www.securityfocus.com/bid/1415
Votes:
ACCEPT(3) Cole, Frech, Levy
REJECT(2) LeBlanc, Magdych
REVIEWING(1) Wall
Voter Comments:
LeBlanc> Insufficient data. Most of their claims are not reproducible. You can,
however, DoS the telnet server this way. As far as I know, there is no repro
on any of the other ports. I am not sure of fix status at this time
(7/19/00). Also overlaps with CVE-2000-0581
CHANGE> [Magdych changed vote from REVIEWING to REJECT]
Magdych> The only independent verification of these claims I have heard is for the Telnet denial of service, which is already defined in CVE candidate CVE-2000-0581.
Frech> Replace win2k-cpu-overload-dos(4824) with win2k-telnetserver-dos(4823)
Name: CVE-2000-0589
Description:
SawMill 5.0.21 uses weak encryption to store passwords, which allows
attackers to easily decrypt the password and modify the SawMill
configuration.
Status: Candidate
Phase: Proposed (20000719)
Reference: BUGTRAQ:20000626 sawmill5.0.21 old path bug & weak hash algorithm
Reference: URL:http://archives.neohapsis.com/archives/bugtraq/2000-06/0271.html
Reference: BUGTRAQ:20000706 Patch for Flowerfire Sawmill Vulnerabilities Available
Reference: URL:http://archives.neohapsis.com/archives/bugtraq/2000-07/0080.html
Reference: BID:1403
Reference: URL:http://www.securityfocus.com/bid/1403
Reference: XF:sawmill-weak-encryption
Votes:
ACCEPT(3) Frech, Levy, Magdych
NOOP(3) Cole, LeBlanc, Wall
Voter Comments:
CHANGE> [Magdych changed vote from REVIEWING to ACCEPT]
Name: CVE-2000-0592
Description:
Buffer overflows in POP3 service in WinProxy 2.0 and 2.0.1 allow
remote attackers to execute arbitrary commands via long USER, PASS,
LIST, RETR, or DELE commands.
Status: Candidate
Phase: Proposed (20000719)
Reference: BUGTRAQ:20000627 [SPSadvisory #37]WinProxy 2.0.0/2.0.1 DoS and Exploitable Buffer Overflow
Reference: URL:http://www.securityfocus.com/templates/archive.pike?list=1&msg=200006271417.GFE84146.-BJXON@lac.co.jp
Reference: XF:winproxy-command-bo
Reference: BID:1400
Reference: URL:http://www.securityfocus.com/bid/1400
Votes:
ACCEPT(4) Cole, Frech, Levy, Magdych
NOOP(1) LeBlanc
REVIEWING(1) Wall
Name: CVE-2000-0605
Description:
Blackboard CourseInfo 4.0 stores the local and SQL administrator user
names and passwords in cleartext in a registry key whose access
control allows users to access the passwords.
Status: Candidate
Phase: Proposed (20000719)
Reference: NTBUGTRAQ:20000710 Two issues: Blackboard CourseInfo 4.0 stores admin password in clear text; strange settings on the winreg key.
Reference: URL:http://www.ntbugtraq.com/default.asp?pid=36&sid=1&A2=ind0007&L=NTBUGTRAQ&P=R1647
Reference: BID:1460
Reference: URL:http://www.securityfocus.com/bid/1460
Votes:
ACCEPT(2) Baker, Levy
MODIFY(1) Frech
NOOP(4) Christey, Cole, LeBlanc, Magdych
REVIEWING(1) Wall
Voter Comments:
Christey> ADDREF NTBUGTRAQ:20000718 Security Fix for Blackboard CourseInfo 4.0
URL:http://archives.neohapsis.com/archives/ntbugtraq/2000-q3/0040.html
Frech> XF:blackboard-courseinfo-plaintext(4904)
Christey> Vendor acknowledgement is at:
BUGTRAQ:20000719 Security Fix for Blackboard CourseInfo 4.0
URL:http://www.securityfocus.com/frames/?content=/templates/archive.pike%3Flist%3D1%26msg%3D20000719151904.I17986@securityfocus.com
CHANGE> [Magdych changed vote from REVIEWING to NOOP]
Name: CVE-2000-0606
Description:
Buffer overflow in kon program in Kanji on Console (KON) package on
Linux may allow local users to gain root privileges via a long
-StartupMessage parameter.
Status: Candidate
Phase: Proposed (20000719)
Reference: BUGTRAQ:20000619 Problems with "kon2" package
Reference: URL:http://www.securityfocus.com/templates/archive.pike?list=1&msg=Pine.LNX.4.21.0006192340340.19998-100000@ferret.lmh.ox.ac.uk
Reference: XF:linux-kon-bo
Reference: BID:1371
Reference: URL:http://www.securityfocus.com/bid/1371
Votes:
ACCEPT(3) Baker, Frech, Levy
NOOP(4) Cole, LeBlanc, Magdych, Wall
Voter Comments:
CHANGE> [Magdych changed vote from REVIEWING to NOOP]
Name: CVE-2000-0607
Description:
Buffer overflow in fld program in Kanji on Console (KON) package on
Linux may allow local users to gain root privileges via an input file
containing long CHARSET_REGISTRY or CHARSET_ENCODING settings.
Status: Candidate
Phase: Proposed (20000719)
Reference: BUGTRAQ:20000619 Problems with "kon2" package
Reference: URL:http://www.securityfocus.com/templates/archive.pike?list=1&msg=Pine.LNX.4.21.0006192340340.19998-100000@ferret.lmh.ox.ac.uk
Reference: XF:linux-kon-bo
Reference: BID:1371
Reference: URL:http://www.securityfocus.com/bid/1371
Votes:
ACCEPT(3) Baker, Frech, Levy
NOOP(5) Christey, Cole, LeBlanc, Magdych, Wall
Voter Comments:
Christey> BID:1983
URL:http://www.securityfocus.com/bid/1983
CHANGE> [Magdych changed vote from REVIEWING to NOOP]
Name: CVE-2000-0608
Description:
NetWin dMailWeb and cwMail 2.6i and earlier allows remote attackers to
cause a denial of service via a long POP parameter (pophost).
Status: Candidate
Phase: Proposed (20000719)
Reference: BUGTRAQ:20000620 NetWin dMailWeb Denial of Service
Reference: URL:http://www.securityfocus.com/templates/archive.pike?list=1&date=2000-06-15&msg=4.1.20000621113334.00996820@qlink.queensu.ca
Reference: BID:1376
Reference: URL:http://www.securityfocus.com/bid/1376
Reference: XF:dmailweb-long-pophost-dos
Votes:
ACCEPT(3) Frech, Levy, Magdych
NOOP(3) Cole, LeBlanc, Wall
Name: CVE-2000-0609
Description:
NetWin dMailWeb and cwMail 2.6g and earlier allows remote attackers to
cause a denial of service via a long username parameter.
Status: Candidate
Phase: Proposed (20000719)
Reference: BUGTRAQ:20000620 NetWin dMailWeb Denial of Service
Reference: URL:http://www.securityfocus.com/templates/archive.pike?list=1&date=2000-06-15&msg=4.1.20000621113334.00996820@qlink.queensu.ca
Reference: XF:dmailweb-long-username-dos
Reference: BID:1376
Reference: URL:http://www.securityfocus.com/bid/1376
Votes:
ACCEPT(3) Frech, Levy, Magdych
NOOP(3) Cole, LeBlanc, Wall
Name: CVE-2000-0612
Description:
Windows 95 and Windows 98 do not properly process spoofed ARP packets,
which allows remote attackers to overwrite static entries in the cache
table.
Status: Candidate
Phase: Proposed (20000719)
Reference: BUGTRAQ:20000629 Buggy ARP handling in Windoze
Reference: URL:http://www.securityfocus.com/templates/archive.pike?list=1&msg=395B7E64.9FB3D4DB@starzetz.de
Reference: XF:win-arp-spoofing
Reference: BID:1406
Reference: URL:http://www.securityfocus.com/bid/1406
Votes:
ACCEPT(4) Cole, Frech, LeBlanc, Levy
NOOP(2) Magdych, Wall
REVIEWING(1) Christey
Voter Comments:
LeBlanc> I know we have a repro on this, but you may want to leave this in
the REVIEWING state until a fix is released.
CHANGE> [Magdych changed vote from REVIEWING to NOOP]
Name: CVE-2000-0614
Description:
Tnef program in Linux systems allows remote attackers to overwrite
arbitrary files via TNEF encoded compressed attachments which specify
absolute path names for the decompressed output.
Status: Candidate
Phase: Proposed (20000719)
Reference: SUSE:20000710 Security Hole in tnef < 0-124
Reference: URL:http://archives.neohapsis.com/archives/vendor/2000-q3/0002.html
Reference: BID:1450
Reference: URL:http://www.securityfocus.com/bid/1450
Votes:
ACCEPT(1) Levy
MODIFY(1) Frech
NOOP(4) Cole, LeBlanc, Magdych, Wall
REVIEWING(1) Christey
Voter Comments:
Christey> This problem appears in AMaViS as well, so they may be the
same codebase. If so, then CD:SF-CODEBASE says to merge the
two (thus ADDREF BID:1461). If they are not the same
codebase, then create a separate candidate for BID:1461.
Frech> XF:linux-tnef-email-overwrite(4915)
CHANGE> [Magdych changed vote from REVIEWING to NOOP]
Name: CVE-2000-0617
Description:
Buffer overflow in xconq and cconq game programs on Red Hat Linux
allows local users to gain additional privileges via long USER
environmental variable.
Status: Candidate
Phase: Proposed (20000719)
Reference: BUGTRAQ:20000622 RHL 6.2 xconq package - overflows yield gid games
Reference: URL:http://archives.neohapsis.com/archives/bugtraq/2000-06/0222.html
Votes:
ACCEPT(2) Cole, Levy
MODIFY(1) Frech
NOOP(4) Christey, LeBlanc, Magdych, Wall
Voter Comments:
Frech> XF:xconq-elevate-privileges(4995)
Christey> ADDREF BID:1495
ADDREF URL:http://www.securityfocus.com/bid/1495
CHANGE> [Levy changed vote from REVIEWING to ACCEPT]
CHANGE> [Magdych changed vote from REVIEWING to NOOP]
Name: CVE-2000-0618
Description:
Buffer overflow in xconq and cconq game programs on Red Hat Linux
allows local users to gain additional privileges via long DISPLAY
environmental variable.
Status: Candidate
Phase: Proposed (20000719)
Reference: BUGTRAQ:20000622 RHL 6.2 xconq package - overflows yield gid games
Reference: URL:http://archives.neohapsis.com/archives/bugtraq/2000-06/0222.html
Votes:
ACCEPT(2) Cole, Levy
MODIFY(1) Frech
NOOP(4) Christey, LeBlanc, Magdych, Wall
Voter Comments:
Frech> XF:xconq-elevate-privileges(4995)
Christey> ADDREF BID:1495
ADDREF URL:http://www.securityfocus.com/bid/1495
CHANGE> [Levy changed vote from REVIEWING to ACCEPT]
CHANGE> [Magdych changed vote from REVIEWING to NOOP]
Name: CVE-2000-0623
Description:
Buffer overflow in O'Reilly WebSite Professional web server 2.4 and
earlier allows remote attackers to execute arbitrary commands via a
long GET request or Referrer header.
Status: Candidate
Phase: Proposed (20000803)
Reference: NTBUGTRAQ:20000719 Alert: Buffer Overrun is O'Reilly WebsitePro httpd32.exe (CISADV000717)
Reference: URL:http://www.ntbugtraq.com/default.asp?pid=36&sid=1&A2=ind0007&L=ntbugtraq&F=&S=&P=5946
Reference: BID:1492
Reference: URL:http://www.securityfocus.com/bid/1492
Votes:
ACCEPT(2) Cole, Levy
MODIFY(1) Frech
NOOP(1) LeBlanc
REVIEWING(1) Wall
Voter Comments:
Frech> XF:website-httpd32-bo(4970)
In the description, I think it's spelled "referer"
Name: CVE-2000-0625
Description:
NetZero 3.0 and earlier uses weak encryption for storing a user's
login information, which allows a local user to decrypt the password.
Status: Candidate
Phase: Proposed (20000803)
Reference: L0PHT:20000718 NetZero Password Encryption Algorithm
Reference: URL:http://www.l0pht.com/advisories/netzero.txt
Reference: BID:1483
Reference: URL:http://www.securityfocus.com/bid/1483
Votes:
ACCEPT(2) Cole, Levy
MODIFY(1) Frech
NOOP(2) LeBlanc, Wall
Voter Comments:
Frech> XF:zeroport-weak-encryption(4963)
Name: CVE-2000-0626
Description:
Buffer overflow in Alibaba web server allows remote attackers to cause
a denial of service via a long GET request.
Status: Candidate
Phase: Proposed (20000803)
Reference: BUGTRAQ:20000718 Multiple bugs in Alibaba 2.0
Reference: URL:http://archives.neohapsis.com/archives/bugtraq/2000-07/0237.html
Reference: BID:1482
Reference: URL:http://www.securityfocus.com/bid/1482
Votes:
ACCEPT(4) Baker, Blake, Levy, Wall
MODIFY(1) Frech
NOOP(5) Armstrong, Cole, LeBlanc, Oliver, Ozancin
REVIEWING(1) Christey
Voter Comments:
Frech> XF:alibaba-get-dos(4934)
Christey> This is in a relatively old Nessus plugin, though the exploit
uses POST instead of GET. This was probably discovered
earlier than the references indicate.
CHANGE> [Wall changed vote from NOOP to ACCEPT]
Wall> Found by Arne Vidstrom and found in multiple sources
CHANGE> [Christey changed vote from NOOP to REVIEWING]
Christey> See the POST comment in
http://marc.theaimsgroup.com/?l=bugtraq&m=94182951012884&w=2
Also see http://marc.theaimsgroup.com/?l=bugtraq&m=94191318721834&w=2
One poster says that a large number of sites are running
Alibaba (based on a netcraft report), but I'm not 100%
sure Netcraft's doing a good job of identifying Alibaba
servers.
Name: CVE-2000-0629
Description:
The default configuration of the Sun Java web server 2.0 and earlier
allows remote attackers to execute arbitrary commands by uploading
Java code to the server via board.html, then directly calling the JSP
compiler servlet.
Status: Candidate
Phase: Proposed (20000803)
Reference: BUGTRAQ:20000711 Sun's Java Web Server remote command execution vulnerability
Reference: URL:http://archives.neohapsis.com/archives/bugtraq/2000-07/0163.html
Reference: MISC:http://www.sun.com/software/jwebserver/faq/jwsca-2000-02.html
Reference: BID:1459
Reference: URL:http://www.securityfocus.com/bid/1459
Votes:
ACCEPT(3) Cole, Dik, Levy
MODIFY(1) Frech
NOOP(3) Christey, LeBlanc, Wall
Voter Comments:
Frech> XF:sunjava-webadmin-bbs(5135)
Christey> Need to create/update
Dik> (through internal confirmation)
Name: CVE-2000-0645
Description:
WFTPD and WFTPD Pro 2.41 allows remote attackers to cause a denial of
service by using the RESTART (REST) command and writing beyond the end
of a file, or writing to a file that does not exist, via commands such
as STORE UNIQUE (STOU), STORE (STOR), or APPEND (APPE).
Status: Candidate
Phase: Proposed (20000803)
Reference: BUGTRAQ:20000721 WFTPD/WFTPD Pro 2.41 RC11 vulnerabilities.
Reference: URL:http://archives.neohapsis.com/archives/bugtraq/2000-07/0295.html
Reference: BID:1506
Reference: URL:http://www.securityfocus.com/bid/1506
Votes:
ACCEPT(2) Baker, Levy
MODIFY(1) Frech
NOOP(3) Cole, LeBlanc, Wall
Voter Comments:
Frech> XF:wftpd-rest-dos(5004)
Name: CVE-2000-0646
Description:
WFTPD and WFTPD Pro 2.41 allows remote attackers to obtain the real
pathname for a file by executing a STATUS (STAT) command while the
file is being transferred.
Status: Candidate
Phase: Proposed (20000803)
Reference: BUGTRAQ:20000721 WFTPD/WFTPD Pro 2.41 RC11 vulnerabilities.
Reference: URL:http://archives.neohapsis.com/archives/bugtraq/2000-07/0295.html
Reference: BID:1506
Reference: URL:http://www.securityfocus.com/bid/1506
Votes:
ACCEPT(2) Baker, Levy
MODIFY(1) Frech
NOOP(3) Cole, LeBlanc, Wall
Voter Comments:
Frech> XF:wftpd-stat-info(5005)
Name: CVE-2000-0647
Description:
WFTPD and WFTPD Pro 2.41 allows remote attackers to cause a denial of
service by executing an MLST command before logging into the server.
Status: Candidate
Phase: Proposed (20000803)
Reference: BUGTRAQ:20000721 WFTPD/WFTPD Pro 2.41 RC11 vulnerabilities.
Reference: URL:http://archives.neohapsis.com/archives/bugtraq/2000-07/0295.html
Reference: BID:1506
Reference: URL:http://www.securityfocus.com/bid/1506
Votes:
ACCEPT(2) Baker, Levy
MODIFY(1) Frech
NOOP(3) Cole, LeBlanc, Wall
Voter Comments:
Frech> XF:wftpd-mlst-dos(5006)
Name: CVE-2000-0648
Description:
WFTPD and WFTPD Pro 2.41 allows local users to cause a denial of
service by executing the RENAME TO (RNTO) command before a RENAME FROM
(RNFR) command.
Status: Candidate
Phase: Proposed (20000803)
Reference: BUGTRAQ:20000711 WFTPD/WFTPD Pro 2.41 RC10 denial-of-service
Reference: URL:http://www.securityfocus.com/templates/archive.pike?list=1&msg=E13BvU6-0007d8-00@dwarf.box.sk
Reference: BID:1456
Reference: URL:http://www.securityfocus.com/bid/1456
Votes:
ACCEPT(2) Baker, Levy
MODIFY(1) Frech
NOOP(2) Cole, LeBlanc
REVIEWING(1) Wall
Voter Comments:
Frech> XF:wftpd-rnto-dos(4930)
Name: CVE-2000-0649
Description:
IIS 4.0 allows remote attackers to obtain the internal IP address of
the server via an HTTP 1.0 request for a web page which is protected
by basic authentication and has no realm defined.
Status: Candidate
Phase: Proposed (20000803)
Reference: NTBUGTRAQ:20000713 IIS4 Basic authentication realm issue
Reference: URL:http://archives.neohapsis.com/archives/ntbugtraq/2000-q3/0025.html
Reference: BID:1499
Reference: URL:http://www.securityfocus.com/bid/1499
Votes:
ACCEPT(2) LeBlanc, Levy
MODIFY(1) Frech
NOOP(1) Cole
REVIEWING(2) Christey, Wall
Voter Comments:
Christey> ADDREF http://support.microsoft.com/support/kb/articles/Q218/1/80.ASP
Change description to point out that the internal IP address
exposure is due to the default configuration as opposed to
a bug.
Frech> XF:iis-internal-ip-disclosure(5106)
CHANGE> [Christey changed vote from NOOP to REVIEWING]
Christey> There are two variants of the same type of issue here. The
KB article shows that IIS 4.0 reveals the IP address in a
Content-Location MIME header field. The NTBugtraq article
says that the IP address is shown in the WWW-Authenticate
MIME header. Which one has been fixed, or both, and when?
Christey> MSKB:Q218180 identifies a problem in which IIS returns the
info in a Content-Location header, but the authentication
realm problem is not specifically mentioned. Are these the
same problem?
Name: CVE-2000-0653
Description:
Microsoft Outlook Express allows remote attackers to monitor a user's
email by creating a persistent browser link to the Outlook Express
windows, aka the "Persistent Mail-Browser Link" vulnerability.
Status: Candidate
Phase: Proposed (20000803)
Reference: MS:MS00-045
Reference: URL:http://www.microsoft.com/technet/security/bulletin/MS00-045.asp
Reference: BID:1502
Reference: URL:http://www.securityfocus.com/bid/1502
Votes:
ACCEPT(3) Cole, Levy, Wall
NOOP(1) LeBlanc
REJECT(1) Frech
REVIEWING(1) Christey
Voter Comments:
Frech> Is this a duplicate of CVE-2000-0105? I can find no differentiating evidence
to show that this issue is unique.
Christey> I need to look through my email logs to recall whether I
resolved this potential duplicate with Microsoft people.
CHANGE> [Frech changed vote from REVIEWING to REJECT]
Name: CVE-2000-0656
Description:
Buffer overflow in AnalogX proxy server 4.04 and earlier allows remote
attackers to cause a denial of service via a long USER command in the
FTP protocol.
Status: Candidate
Phase: Proposed (20000803)
Reference: BUGTRAQ:20000724 AnalogX Proxy DoS
Reference: URL:http://archives.neohapsis.com/archives/bugtraq/2000-07/0360.html
Reference: CONFIRM:http://www.analogx.com/contents/download/network/proxy.htm
Reference: BID:1504
Reference: URL:http://www.securityfocus.com/bid/1504
Votes:
ACCEPT(1) Levy
MODIFY(1) Frech
NOOP(3) Cole, LeBlanc, Wall
Voter Comments:
Frech> XF:analogx-proxy-ftp-crash(4981)
Name: CVE-2000-0657
Description:
Buffer overflow in AnalogX proxy server 4.04 and earlier allows remote
attackers to cause a denial of service via a long HELO command in the
SMTP protocol.
Status: Candidate
Phase: Proposed (20000803)
Reference: BUGTRAQ:20000724 AnalogX Proxy DoS
Reference: URL:http://archives.neohapsis.com/archives/bugtraq/2000-07/0360.html
Reference: CONFIRM:http://www.analogx.com/contents/download/network/proxy.htm
Reference: BID:1504
Reference: URL:http://www.securityfocus.com/bid/1504
Votes:
ACCEPT(1) Levy
MODIFY(1) Frech
NOOP(3) Cole, LeBlanc, Wall
Voter Comments:
Frech> XF:analogx-proxy-smtp-helo(5164)
Name: CVE-2000-0658
Description:
Buffer overflow in AnalogX proxy server 4.04 and earlier allows remote
attackers to cause a denial of service via a long USER command in the
POP3 protocol.
Status: Candidate
Phase: Proposed (20000803)
Reference: BUGTRAQ:20000724 AnalogX Proxy DoS
Reference: URL:http://archives.neohapsis.com/archives/bugtraq/2000-07/0360.html
Reference: CONFIRM:http://www.analogx.com/contents/download/network/proxy.htm
Reference: BID:1504
Reference: URL:http://www.securityfocus.com/bid/1504
Votes:
ACCEPT(1) Levy
MODIFY(1) Frech
NOOP(3) Cole, LeBlanc, Wall
Voter Comments:
Frech> XF:analogx-proxy-pop3-crash(4982)
Name: CVE-2000-0659
Description:
Buffer overflow in AnalogX proxy server 4.04 and earlier allows remote
attackers to cause a denial of service via a long user ID in a SOCKS4
CONNECT request.
Status: Candidate
Phase: Proposed (20000803)
Reference: BUGTRAQ:20000724 AnalogX Proxy DoS
Reference: URL:http://archives.neohapsis.com/archives/bugtraq/2000-07/0360.html
Reference: BID:1504
Reference: URL:http://www.securityfocus.com/bid/1504
Votes:
ACCEPT(2) Baker, Levy
MODIFY(1) Frech
NOOP(3) Cole, LeBlanc, Wall
Voter Comments:
Frech> XF:analogx-proxy-socks4-crash(4997)
Name: CVE-2000-0667
Description:
Vulnerability in gpm in Caldera Linux allows local users to delete
arbitrary files or conduct a denial of service.
Status: Candidate
Phase: Proposed (20000803)
Reference: CALDERA:CSSA-2000-024.0
Reference: URL:http://archives.neohapsis.com/archives/bugtraq/2000-07/0273.html
Reference: BID:1512
Reference: URL:http://www.securityfocus.com/bid/1512
Votes:
ACCEPT(1) Levy
MODIFY(1) Frech
NOOP(3) Cole, LeBlanc, Wall
REVIEWING(1) Christey
Voter Comments:
Frech> XF:linux-gpm-gpmctl-dos(5010)
We show this issue to be cross-Linux-platform and not Caldera specific. May
also be a LOA issue or duplicate or specific instance of CVE-2000-0531. This
position is further validated by BID-1512 and BID-1377, which lists this as
a Conectiva Linux/Mandrake issue and list Mandrake:MDKSA-2000:025 in common.
We will list both CVEs under the listed XF tag unless otherwise instructed.
Christey> ADDREF Conectiva?
URL:http://archives.neohapsis.com/archives/bugtraq/2000-07/0396.html
Christey> ADDREF REDHAT:RHSA-2000:045-01
ADDREF BUGTRAQ:20000727 CONECTIVA LINUX SECURITY ANNOUNCEMENT - GPM
URL:http://marc.theaimsgroup.com/?l=bugtraq&m=96473014104340&w=2
Another possible reference is:
BUGTRAQ:20000728 MDKSA:2000-025 gpm update
URL:http://marc.theaimsgroup.com/?l=bugtraq&m=96480812908563&w=2
although the advisory is not explicit. It also refers to
CVE-2000-0531.
CHANGE> [Christey changed vote from NOOP to REVIEWING]
Christey> Per Andre Frech's comments.
Name: CVE-2000-0680
Description:
The CVS 1.10.8 server does not properly restrict users from creating
arbitrary Checkin.prog or Update.prog programs, which allows remote
CVS committers to modify or create Trojan horse programs with the
Checkin.prog or Update.prog names, then performing a CVS commit
action.
Status: Candidate
Phase: Proposed (20000921)
Reference: BUGTRAQ:20000728 cvs security problem
Reference: URL:http://www.securityfocus.com/frames/?content=/templates/archive.pike%3Flist%3D1%26msg%3Dhvou2daoebb.fsf%40serein.m17n.org
Reference: BID:1524
Reference: URL:http://www.securityfocus.com/bid/1524
Votes:
ACCEPT(2) Baker, Levy
MODIFY(1) Frech
NOOP(2) Cole, Wall
Voter Comments:
Frech> XF:cvs-checkin-execute-binary
Name: CVE-2000-0686
Description:
Auction Weaver CGI script 1.03 and earlier allows remote attackers to
read arbitrary files via a .. (dot dot) attack in the fromfile
parameter.
Status: Candidate
Phase: Proposed (20000921)
Reference: BUGTRAQ:20000823 Auction WeaverT LITE 1.0
Reference: URL:http://archives.neohapsis.com/archives/bugtraq/2000-08/0310.html
Reference: BID:1630
Reference: URL:http://www.securityfocus.com/bid/1630
Votes:
ACCEPT(2) Cole, Levy
MODIFY(1) Frech
NOOP(1) Wall
Voter Comments:
Frech> XF:cgi-auction-weaver-read-files
Frech> XF:cgi-auction-weaver-read-files(5150)
Name: CVE-2000-0687
Description:
Auction Weaver CGI script 1.03 and earlier allows remote attackers to
read arbitrary files via a .. (dot dot) attack in the catdir
parameter.
Status: Candidate
Phase: Proposed (20000921)
Reference: BUGTRAQ:20000823 Auction WeaverT LITE 1.0
Reference: URL:http://archives.neohapsis.com/archives/bugtraq/2000-08/0310.html
Reference: BID:1630
Reference: URL:http://www.securityfocus.com/bid/1630
Votes:
ACCEPT(2) Cole, Levy
MODIFY(1) Frech
NOOP(2) Christey, Wall
Voter Comments:
Frech> XF:cgi-auction-weaver-read-files
Christey> Need to double-check BID's on all these Auction Weaver prob's.
Frech> XF:cgi-auction-weaver-read-files(5150)
Name: CVE-2000-0688
Description:
Subscribe Me LITE does not properly authenticate attempts to change
the administrator password, which allows remote attackers to gain
privileges for the Account Manager by directly calling the
subscribe.pl script with the setpwd parameter.
Status: Candidate
Phase: Proposed (20000921)
Reference: BUGTRAQ:20000823 Subscribe Me Vulnerability
Reference: URL:http://archives.neohapsis.com/archives/bugtraq/2000-08/0292.html
Reference: BUGTRAQ:20000823 Re: Subscribe Me CGI Vulnerability
Reference: URL:http://marc.theaimsgroup.com/?l=bugtraq&m=96722957421029&w=2
Reference: CONFIRM:http://www.cgiscriptcenter.com/subscribe/
Reference: BID:1607
Reference: URL:http://www.securityfocus.com/bid/1607
Votes:
ACCEPT(2) Cole, Levy
MODIFY(1) Frech
NOOP(2) Christey, Wall
Voter Comments:
Frech> XF:subscribe-me-overwrite-password
Christey> Make sure the mention of Account Manager is correct.
XF:subscribe-me-overwrite-password
http://xforce.iss.net/static/5126.php
Frech> XF:subscribe-me-overwrite-password(5126)
Name: CVE-2000-0689
Description:
Account Manager LITE does not properly authenticate attempts to change
the administrator password, which allows remote attackers to gain
privileges for the Account Manager by directly calling the amadmin.pl
script with the setpasswd parameter.
Status: Candidate
Phase: Modified (20061027)
Reference: BUGTRAQ:20000823 Account Manager CGI Vulnerability
Reference: URL:http://archives.neohapsis.com/archives/bugtraq/2000-08/0291.html
Reference: CONFIRM:http://www.cgiscriptcenter.com/acctlite/
Reference: BID:1604
Reference: URL:http://www.securityfocus.com/bid/1604
Reference: OSVDB:13341
Reference: URL:http://www.osvdb.org/13341
Reference: XF:account-manager-overwrite-password(5125)
Reference: URL:http://xforce.iss.net/xforce/xfdb/5125
Votes:
ACCEPT(2) Cole, Levy
MODIFY(1) Frech
NOOP(2) Christey, Wall
Voter Comments:
Frech> XF:account-manager-overwrite-password
In description, you probably want to indicate both Account Manager LITE and PRO.
Because CONFIRM redirects, you may want to verify and normalize to http://www.cgiscriptcenter.com/acctman/index2.html.
Christey> XF:account-manager-overwrite-password
http://xforce.iss.net/static/5125.php
Frech> XF:account-manager-overwrite-password(5125)
Name: CVE-2000-0690
Description:
Auction Weaver CGI script 1.02 and earlier allows remote attackers to
execute arbitrary commands via shell metacharacters in the fromfile
parameter.
Status: Candidate
Phase: Proposed (20000921)
Reference: BUGTRAQ:20000830 More problems with Auction Weaver & CGI Script Center.
Reference: URL:http://archives.neohapsis.com/archives/bugtraq/2000-08/0370.html
Reference: URL:http://archives.neohapsis.com/archives/bugtraq/2000-08/0452.html
Votes:
ACCEPT(1) Baker
MODIFY(2) Frech, Levy
NOOP(3) Christey, Cole, Wall
Voter Comments:
Levy> Reference: BID 1645
Christey> BID:1645
URL:http://www.securityfocus.com/bid/1645
Frech> XF:auction-weaver-execute-commands(6175)
Name: CVE-2000-0691
Description:
The faxrunq and faxrunqd in the mgetty package allows local users to
create or modify arbitrary files via a symlink attack which creates a
symlink in from /var/spool/fax/outgoing/.last_run to the target file.
Status: Candidate
Phase: Proposed (20000921)
Reference: BUGTRAQ:20000826 Advisory: mgetty local compromise
Reference: URL:http://archives.neohapsis.com/archives/bugtraq/2000-08/0329.html
Reference: CONFIRM:http://archives.neohapsis.com/archives/bugtraq/2000-08/0330.html
Reference: CALDERA:CSSA-2000-029.0
Reference: URL:http://www.calderasystems.com/support/security/advisories/CSSA-2000-029.0.txt
Reference: BID:1612
Reference: URL:http://www.securityfocus.com/bid/1612
Votes:
ACCEPT(1) Levy
MODIFY(2) Cox, Frech
NOOP(3) Christey, Cole, Wall
Voter Comments:
Frech> XF:mgetty-faxrunq-symlink
Christey> ADDREF XF:mgetty-faxrunq-symlink
ADDREF URL:http://xforce.iss.net/static/5159.php
ADDREF REDHAT:RHSA-2000:059-02
ADDREF BUGTRAQ:20000830 Conectiva Linux Security Announcement - mgetty
ADDREF MANDRAKE:MDKSA-2000:042
Christey> ADDREF REDHAT:RHSA-2000:059-02
Christey> ADDREF FREEBSD:FreeBSD-SA-00:71
ftp://ftp.FreeBSD.org/pub/FreeBSD/CERT/advisories/FreeBSD-SA-00:71.mgetty.asc
Frech> XF:mgetty-faxrunq-symlink(5159)
Cox> ADDREF REDHAT:RHSA-2000:059
Name: CVE-2000-0692
Description:
ISS RealSecure 3.2.1 and 3.2.2 allows remote attackers to cause a
denial of service via a flood of fragmented packets with the SYN flag
set.
Status: Candidate
Phase: Modified (20001010-1)
Reference: BUGTRAQ:20000822 DOS on RealSecure 3.2
Reference: URL:http://archives.neohapsis.com/archives/bugtraq/2000-08/0267.html
Reference: BID:1597
Reference: URL:http://www.securityfocus.com/bid/1597
Reference: XF:realsecure-rskill-dos
Votes:
ACCEPT(2) Cole, Levy
MODIFY(1) Frech
NOOP(1) Wall
REVIEWING(1) Christey
Voter Comments:
Frech> XF:realsecure-rskill-dos
Christey> CHANGEREF XF:realsecure-rskill-dos to XF:realsecure-frag-syn-dos?
http://xforce.iss.net/static/5133.php
CHANGE> [Christey changed vote from NOOP to REVIEWING]
Christey> In an email to issforum@iss.net on September 7, 2000, ISS says
that Network Sensor 3.2.2 is affected by SYN flooding, but
RealSecure 5.0 is not affected by Syn flooding. In addition,
they could not find conclusive evidence that RS 3.2.2 or 5.0
was affected by IP fragmentation. This seems to indicate
that there are 2 *possible* problems: syn flooding (acknowledged
by ISS) and fragmentation (unconfirmed). Perhaps this
candidate needs to be split, or its description should be
rewritten to separate the 2 reported problems.
Frech> XF:realsecure-rskill-dos(5133)
Name: CVE-2000-0695
Description:
Buffer overflows in pgxconfig in the Raptor GFX configuration tool
allow local users to gain privileges via command line options.
Status: Candidate
Phase: Modified (20010417-01)
Reference: BUGTRAQ:20000802 Local root compromise in PGX Config Sun Sparc Solaris
Reference: URL:http://archives.neohapsis.com/archives/bugtraq/2000-07/0463.html
Votes:
ACCEPT(3) Baker, Dik, Levy
NOOP(2) Cole, Wall
Voter Comments:
Dik> as CVE-2000-0693
Name: CVE-2000-0696
Description:
The administration interface for the dwhttpd web server in Solaris
AnswerBook2 does not properly authenticate requests to its supporting
CGI scripts, which allows remote attackers to add user accounts to the
interface by directly calling the admin CGI script.
Status: Candidate
Phase: Modified (20080918)
Reference: BUGTRAQ:20000807 Vulnerabilities in Sun Solaris AnswerBook2 dwhttpd server
Reference: URL:http://seclists.org/bugtraq/2000/Aug/0105.html
Reference: MISC:http://www.s21sec.com/en/avisos/s21sec-004-en.txt
Reference: SUN:00196
Reference: URL:http://archives.neohapsis.com/archives/sun/2000-q3/0001.html
Reference: XF:solaris-answerbook2-admin-interface(5069)
Reference: URL:http://xforce.iss.net/static/5069.php
Reference: BID:1554
Reference: URL:http://www.securityfocus.com/bid/1554
Votes:
ACCEPT(4) Baker, Cole, Dik, Levy
MODIFY(1) Frech
NOOP(2) Christey, Wall
Voter Comments:
Frech> XF:solaris-answerbook2-admin-interface
Christey> XF:solaris-answerbook2-admin-interface
http://xforce.iss.net/static/5069.php
Christey> BUGTRAQ:20000807 Vulnerabilities in Sun Solaris AnswerBook2 dwhttpd server
http://www.securityfocus.com/archive/1/74382
Christey> Fix typo: "CGi"
CHANGE> [Dik changed vote from REVIEWING to ACCEPT]
Name: CVE-2000-0697
Description:
The administration interface for the dwhttpd web server in Solaris
AnswerBook2 allows interface users to remotely execute commands via
shell metacharacters.
Status: Candidate
Phase: Modified (20080918)
Reference: BUGTRAQ:20000807 Vulnerabilities in Sun Solaris AnswerBook2 dwhttpd server
Reference: URL:http://seclists.org/bugtraq/2000/Aug/0105.html
Reference: MISC:http://www.s21sec.com/en/avisos/s21sec-004-en.txt
Reference: SUN:00196
Reference: URL:http://archives.neohapsis.com/archives/sun/2000-q3/0001.html
Reference: XF:solaris-answerbook2-remote-execution(5058)
Reference: URL:http://www.iss.net/security_center/static/5058.php
Reference: BID:1556
Reference: URL:http://www.securityfocus.com/bid/1556
Votes:
ACCEPT(4) Baker, Cole, Dik, Levy
MODIFY(1) Frech
NOOP(2) Christey, Wall
Voter Comments:
Frech> XF:solaris-answerbook2-remote-execution
Christey> XF:solaris-answerbook2-remote-execution
http://xforce.iss.net/static/5058.php
CHANGE> [Dik changed vote from REVIEWING to ACCEPT]
Dik> COMMENTS
verified bug existance.
Christey> There needs to be a separate item for the .. problem reported
in this same post.
Name: CVE-2000-0701
Description:
The wrapper program in mailman 2.0beta3 and 2.0beta4 does not properly
cleanse untrusted format strings, which allows local users to gain
privileges.
Status: Candidate
Phase: Modified (20040818)
Reference: BUGTRAQ:20000801 Advisory: mailman local compromise
Reference: URL:http://www.securityfocus.com/archive/1/73220
Reference: CONFIRM:http://www.securityfocus.com/templates/archive.pike?list=1&msg=20000802105050.A11733@rak.isternet.sk
Reference: BUGTRAQ:20000802 CONECTIVA LINUX SECURITY ANNOUNCEMENT - mailman
Reference: URL:http://archives.neohapsis.com/archives/bugtraq/2000-07/0474.html
Reference: BUGTRAQ:20000802 MDKSA-2000:030 - Linux-Mandrake not affected by mailman problem
Reference: URL:http://archives.neohapsis.com/archives/bugtraq/2000-07/0479.html
Reference: REDHAT:RHSA-2000:030
Reference: URL:http://www.redhat.com/support/errata/RHSA-2000-030.html
Reference: BID:1539
Reference: URL:http://www.securityfocus.com/bid/1539
Votes:
ACCEPT(3) Baker, Cole, Levy
MODIFY(1) Frech
NOOP(1) Wall
Voter Comments:
Frech> XF:gnu-mailman-format-string
You can perhaps normalize Bugtraq URL to CONFIRM:http://www.securityfocus.com/archive/1/73355.
Name: CVE-2000-0704
Description:
Buffer overflow in SGI Omron WorldView Wnn allows remote attackers to
execute arbitrary commands via long JS_OPEN, JS_MKDIR, or JS_FILE_INFO
commands.
Status: Candidate
Phase: Modified (20060505)
Reference: SGI:20000803-01-A
Reference: URL:ftp://sgigate.sgi.com/security/20000803-01-A
Reference: BID:1603
Reference: URL:http://www.securityfocus.com/bid/1603
Reference: OSVDB:11080
Reference: URL:http://www.osvdb.org/11080
Reference: XF:irix-worldview-wnn-bo(5163)
Reference: URL:http://xforce.iss.net/xforce/xfdb/5163
Votes:
ACCEPT(3) Baker, Cole, Levy
MODIFY(1) Frech
NOOP(2) Christey, Wall
Voter Comments:
Frech> XF:irix-worldview-wnn-bo
Christey> XF:irix-worldview-wnn-bo
http://xforce.iss.net/static/5163.php
Name: CVE-2000-0709
Description:
The shtml.exe component of Microsoft FrontPage 2000 Server Extensions
1.1 allows remote attackers to cause a denial of service in some
components by requesting a URL whose name includes a standard DOS
device name.
Status: Candidate
Phase: Proposed (20000921)
Reference: BUGTRAQ:20000823 Xato Advisory: FrontPage DOS Device DoS
Reference: URL:http://archives.neohapsis.com/archives/bugtraq/2000-08/0288.html
Reference: CONFIRM:http://msdn.microsoft.com/workshop/languages/fp/2000/sr12.asp
Reference: BID:1608
Reference: URL:http://www.securityfocus.com/bid/1608
Votes:
ACCEPT(3) Cole, Levy, Wall
MODIFY(1) Frech
REVIEWING(1) Christey
Voter Comments:
Christey> [note to self: review comments by Mark Burnett]
CHANGE> [Christey changed vote from NOOP to REVIEWING]
Christey> XF:frontpage-ext-device-name-dos(5124)
Frech> XF:frontpage-ext-device-name-dos(5124)
Name: CVE-2000-0710
Description:
The shtml.exe component of Microsoft FrontPage 2000 Server Extensions
1.1 allows remote attackers determine the physical path of the server
components by requesting an invalid URL whose name includes a standard
DOS device name.
Status: Candidate
Phase: Proposed (20000921)
Reference: BUGTRAQ:20000823 Xato Advisory: FrontPage DOS Device DoS
Reference: URL:http://archives.neohapsis.com/archives/bugtraq/2000-08/0288.html
Reference: CONFIRM:http://msdn.microsoft.com/workshop/languages/fp/2000/sr12.asp
Reference: BID:1608
Reference: URL:http://www.securityfocus.com/bid/1608
Votes:
ACCEPT(3) Cole, Levy, Wall
MODIFY(1) Frech
NOOP(1) Christey
Voter Comments:
Christey> [note to self: review comments by Mark Burnett]
Frech> XF:frontpage-ext-device-name-dos(5124)
Name: CVE-2000-0713
Description:
Buffer overflow in Adobe Acrobat 4.05, Reader, Business Tools, and
Fill In products that handle PDF files allows attackers to execute
arbitrary commands via a long /Registry or /Ordering specifier.
Status: Candidate
Phase: Proposed (20000921)
Reference: BUGTRAQ:20000726 [SPSadvisory#39]Adobe Acrobat Series PDF File Buffer Overflow
Reference: URL:http://archives.neohapsis.com/archives/bugtraq/2000-07/0382.html
Reference: CONFIRM:http://www.adobe.com/misc/pdfsecurity.html
Reference: BID:1509
Reference: URL:http://www.securityfocus.com/bid/1509
Votes:
ACCEPT(4) Baker, Cole, Levy, Wall
NOOP(1) Christey
Voter Comments:
Christey> ADDREF XF:adobe-pdf-bo(5002)
Name: CVE-2000-0714
Description:
umb-scheme 3.2-11 for Red Hat Linux is installed with world-writeable
files.
Status: Candidate
Phase: Modified (20040818)
Reference: REDHAT:RHSA-2000:047
Reference: URL:http://www.redhat.com/support/errata/RHSA-2000-047.html
Reference: BID:1551
Reference: URL:http://www.securityfocus.com/bid/1551
Votes:
ACCEPT(5) Baker, Cole, Cox, Levy, Williams
NOOP(2) Christey, Wall
Voter Comments:
Christey> XF:linux-umb-scheme
http://xforce.iss.net/static/5048.php
Cox> (If me voting speeds up its inclusion :))
Name: CVE-2000-0715
Description:
DiskCheck script diskcheck.pl in Red Hat Linux 6.2 allows local users to
create or overwrite arbitrary files via a symlink attack on a
temporary file.
Status: Candidate
Phase: Modified (20080226)
Reference: BUGTRAQ:20000622 Re: rh 6.2 - gid compromises, etc [+ MORE!!!]
Reference: URL:http://seclists.org/bugtraq/2000/Jun/0298.html
Reference: BUGTRAQ:20000805 Diskcheck 3.1.1 Symlink Vulnerability
Reference: URL:http://seclists.org/bugtraq/2000/Aug/0082.html
Reference: BUGTRAQ:20000807 Re: Diskcheck 3.1.1 Symlink Vulnerability
Reference: URL:http://seclists.org/bugtraq/2000/Aug/0096.html
Reference: BID:1552
Reference: URL:http://www.securityfocus.com/bid/1552
Votes:
ACCEPT(3) Baker, Levy, Williams
MODIFY(2) Christey, Cox
NOOP(2) Cole, Wall
Voter Comments:
Christey> XF:diskcheck-tmp-race-condition
http://xforce.iss.net/static/5061.php
Christey> ADDREF REDHAT:RHSA-2000:122-04 ?
The advisory addresses some diskcheck symlink vulnerability,
but the initial announcement was 4 months before the advisory
was released; however, the DiskCheck versions seem to
correspond.
Christey> See various Bugtraq posts relating to this, and verify if the
Conectiva/Red Hat/etc. advisories are really addressing this
particular problem.
e.g.: BUGTRAQ:20000622 Re: rh 6.2 - gid compromises, etc [+ MORE!!!]
http://marc.theaimsgroup.com/?l=bugtraq&m=96172022819526&w=2
BUGTRAQ:20000810 CONECTIVA LINUX SECURITY ANNOUNCEMENT - diskcheck
http://marc.theaimsgroup.com/?l=bugtraq&m=96604843017702&w=2
REDHAT:RHSA-2000:122-06
http://marc.theaimsgroup.com/?l=bugtraq&m=97649229201967&w=2
BID:2050
URL:http://www.securityfocus.com/bid/2050
Christey> The following RedHat advisory appears to identify the same
problem as one that was posted to Bugtraq on August 8, 2000:
REDHAT:RHSA-2000:122-06
http://www.redhat.com/support/errata/powertools/RHSA-2000-122.html
See the following BugID, as referenced in the advisory:
http://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=11724
So, add:
BID:2050
URL:http://www.securityfocus.com/bid/2050
XF:linux-diskcheck-race-symlink
URL:http://xforce.iss.net/static/5624.php
[note the apparent BID duplicates, however]
CHANGE> [Christey changed vote from NOOP to MODIFY]
Christey> Missing BID - BID:1552
Cox> ADDREF REDHAT:RHSA-2000:122
Name: CVE-2000-0719
Description:
VariCAD 7.0 is installed with world-writeable files, which allows
local users to replace the VariCAD programs with a Trojan horse program.
Status: Candidate
Phase: Proposed (20000921)
Reference: BUGTRAQ:20000810 VariCAD 7.0 premission vulnerability
Reference: URL:http://archives.neohapsis.com/archives/bugtraq/2000-08/0126.html
Votes:
MODIFY(1) Frech
NOOP(4) Christey, Cole, Wall, Williams
REVIEWING(1) Levy
Voter Comments:
Christey> XF:varicad-world-write-permissions
http://xforce.iss.net/static/5077.php
Frech> XF:aricad-world-write-permissions(5077)
Christey> BID:1862
Name: CVE-2000-0721
Description:
The FSserial, FlagShip_c, and FlagShip_p programs in the FlagShip
package are installed world-writeable, which allows local users to
replace them with Trojan horses.
Status: Candidate
Phase: Proposed (20000921)
Reference: BUGTRAQ:20000810 FlagShip v4.48.7449 premission vulnerability
Reference: URL:http://archives.neohapsis.com/archives/bugtraq/2000-08/0114.html
Reference: BID:1586
Reference: URL:http://www.securityfocus.com/bid/1586
Votes:
ACCEPT(2) Baker, Levy
MODIFY(1) Frech
NOOP(2) Cole, Wall
Voter Comments:
Frech> XF:flagship-incorrect-permissions(5114)
Name: CVE-2000-0722
Description:
Helix GNOME Updater helix-update 0.5 and earlier allows local users to
install arbitrary RPM packages by creating the /tmp/helix-install
installation directory before root has begun installing packages.
Status: Candidate
Phase: Proposed (20000921)
Reference: BUGTRAQ:20000819 Multiple Local Vulnerabilities in Helix Gnome Installer
Reference: URL:http://www.securityfocus.com/templates/archive.pike?list=1&msg=E13QAYl-0007il-00@the-village.bc.nu
Reference: BUGTRAQ:20000820 Helix Code Security Advisory - Helix GNOME Update
Reference: URL:http://archives.neohapsis.com/archives/bugtraq/2000-08/0240.html
Reference: BUGTRAQ:20000820 [Helix Beta] Helix Code Security Advisory - Helix GNOME Installer
Reference: URL:http://archives.neohapsis.com/archives/bugtraq/2000-08/0251.html
Reference: BID:1593
Reference: URL:http://www.securityfocus.com/bid/1593
Votes:
ACCEPT(2) Cole, Levy
MODIFY(1) Frech
NOOP(2) Christey, Wall
Voter Comments:
Christey> XF:linux-update-race-condition
Frech> XF:gnome-installer-overwrite-configuration(5129)
Name: CVE-2000-0723
Description:
Helix GNOME Updater helix-update 0.5 and earlier does not properly
create /tmp directories, which allows local users to create empty
system configuration files such as /etc/config.d/bashrc,
/etc/config.d/csh.cshrc, and /etc/rc.config.
Status: Candidate
Phase: Proposed (20000921)
Reference: BUGTRAQ:20000819 Multiple Local Vulnerabilities in Helix Gnome Installer
Reference: URL:http://www.securityfocus.com/templates/archive.pike?list=1&msg=E13QAYl-0007il-00@the-village.bc.nu
Reference: BUGTRAQ:20000820 [Helix Beta] Helix Code Security Advisory - Helix GNOME Installer
Reference: URL:http://archives.neohapsis.com/archives/bugtraq/2000-08/0251.html
Reference: BID:1596
Reference: URL:http://www.securityfocus.com/bid/1596
Votes:
ACCEPT(2) Cole, Levy
MODIFY(1) Frech
NOOP(2) Christey, Wall
Voter Comments:
Christey> XF:gnome-installer-overwrite-configuration(5129)
Frech> XF:gnome-installer-overwrite-configuration(5129)
Name: CVE-2000-0724
Description:
The go-gnome Helix GNOME pre-installer allows local users to overwrite
arbitrary files via a symlink attack on various files in /tmp,
including uudecode, snarf, and some installer files.
Status: Candidate
Phase: Proposed (20000921)
Reference: BUGTRAQ:20000829 More Helix Code installation problems (go-gnome)
Reference: URL:http://archives.neohapsis.com/archives/bugtraq/2000-08/0351.html
Reference: BUGTRAQ:20000829 Helix Code Security Advisory - go-gnome pre-installer
Reference: URL:http://archives.neohapsis.com/archives/bugtraq/2000-08/0356.html
Reference: BID:1622
Reference: URL:http://www.securityfocus.com/bid/1622
Votes:
ACCEPT(2) Cole, Levy
MODIFY(1) Frech
NOOP(2) Christey, Wall
Voter Comments:
Christey> XF:go-gnome-preinstaller-symlink(5161)
Frech> XF:go-gnome-preinstaller-symlink(5161)
Name: CVE-2000-0734
Description:
eEye IRIS 1.01 beta allows remote attackers to cause a denial of
service via a large number of UDP connections.
Status: Candidate
Phase: Proposed (20000921)
Reference: BUGTRAQ:20000831 Remote DoS Attack in Eeye Iris 1.01 and SpyNet CaptureNet v3.12
Reference: URL:http://marc.theaimsgroup.com/?l=bugtraq&m=96774637326591&w=2
Reference: BID:1627
Reference: URL:http://www.securityfocus.com/bid/1627
Votes:
MODIFY(1) Levy
NOOP(2) Cole, Wall
REJECT(1) Frech
Voter Comments:
Levy> The product is in wide use even while is in beta. eEye brought another company and made all their previous customers upgrade to the new software.
Name: CVE-2000-0735
Description:
Buffer overflow in Becky! Internet Mail client 1.26.03 and earlier
allows remote attackers to cause a denial of service via a long
Content-type: MIME header when the user replies to a message.
Status: Candidate
Phase: Proposed (20000921)
Reference: BUGTRAQ:20000818 Becky! Internet Mail Buffer overflow
Reference: URL:http://archives.neohapsis.com/archives/bugtraq/2000-08/0234.html
Reference: CONFIRM:http://member.nifty.ne.jp/rimarts/becky-e/Readme.txt
Reference: BID:1588
Reference: URL:http://www.securityfocus.com/bid/1588
Votes:
ACCEPT(2) Cole, Levy
MODIFY(1) Frech
NOOP(2) Christey, Wall
Voter Comments:
Christey> XF:becky-imail-header-dos
http://xforce.iss.net/static/5110.php
Frech> XF:becky-imail-header-dos(5110)
Name: CVE-2000-0736
Description:
Buffer overflow in Becky! Internet Mail client 1.26.04 and earlier
allows remote attackers to cause a denial of service via a long
Content-type: MIME header when the user forwards a message.
Status: Candidate
Phase: Proposed (20000921)
Reference: BUGTRAQ:20000818 Becky! Internet Mail Buffer overflow
Reference: URL:http://archives.neohapsis.com/archives/bugtraq/2000-08/0234.html
Reference: CONFIRM:http://member.nifty.ne.jp/rimarts/becky-e/Readme.txt
Reference: BID:1588
Reference: URL:http://www.securityfocus.com/bid/1588
Votes:
ACCEPT(2) Cole, Levy
MODIFY(1) Frech
NOOP(2) Christey, Wall
Voter Comments:
Christey> XF:becky-imail-header-dos
http://xforce.iss.net/static/5110.php
Frech> XF:becky-imail-header-dos(5110)
Name: CVE-2000-0746
Description:
Vulnerabilities in IIS 4.0 and 5.0 do not properly protect against
cross-site scripting (CSS) attacks. They allow a malicious web site
operator to embed scripts in a link to a trusted site, which are
returned without quoting in an error message back to the client. The
client then executes those scripts in the same context as the trusted
site, aka the "IIS Cross-Site Scripting" vulnerabilities.
Status: Candidate
Phase: Proposed (20000921)
Reference: BUGTRAQ:20000821 IIS 5.0 cross site scripting vulnerability - using .shtml files or /_vti_bin/shtml.dll
Reference: URL:http://www.securityfocus.com/templates/archive.pike?list=1&msg=39A12BD6.E811BF4F@nat.bg
Reference: MS:MS00-060
Reference: URL:http://www.microsoft.com/technet/security/bulletin/ms00-060.asp
Reference: BID:1594
Reference: URL:http://www.securityfocus.com/bid/1594
Reference: BID:1595
Reference: URL:http://www.securityfocus.com/bid/1595
Votes:
ACCEPT(3) Cole, Levy, Wall
MODIFY(1) Frech
REVIEWING(1) Christey
Voter Comments:
Christey> Make sure both BID's are appropriate
XF:iis-cross-site-scripting
http://xforce.iss.net/static/5156.php
Frech> XF: iis-cross-site-scripting(5156)
CHANGE> [Christey changed vote from NOOP to REVIEWING]
Christey> A re-release of MS:MS00-060 indicates that a new variant of
this problem was discovered, but the advisory does not
provide sufficient details to distinguish it from this
candidate. A new candidate is being created, but the
description can't be written without mentioning this CAN.
Name: CVE-2000-0748
Description:
OpenLDAP 1.2.11 and earlier improperly installs the ud binary with
group write permissions, which could allow any user in that group to
replace the binary with a Trojan horse.
Status: Candidate
Phase: Proposed (20000921)
Reference: BUGTRAQ:20000726 Group-writable executable in OpenLDAP
Reference: URL:http://archives.neohapsis.com/archives/bugtraq/2000-07/0375.html
Reference: BID:1511
Reference: URL:http://www.securityfocus.com/bid/1511
Votes:
ACCEPT(1) Levy
NOOP(4) Baker, Cole, Wall, Williams
Name: CVE-2000-0752
Description:
Buffer overflows in brouted in FreeBSD and possibly other OSes allows
local users to gain root privileges via long command line arguments.
Status: Candidate
Phase: Proposed (20000921)
Reference: FREEBSD:FreeBSD-SA-00:43
Reference: URL:http://archives.neohapsis.com/archives/freebsd/2000-08/0339.html
Reference: BID:1629
Reference: URL:http://www.securityfocus.com/bid/1629
Votes:
ACCEPT(2) Baker, Levy
MODIFY(1) Frech
NOOP(2) Cole, Wall
Voter Comments:
Frech> XF:freebsd-brouted-bo(6185)
Name: CVE-2000-0755
Description:
Vulnerability in the newgrp command in HP-UX 11.00 allows local users
to gain privileges.
Status: Candidate
Phase: Proposed (20000921)
Reference: HP:HPSBUX0008-118
Reference: URL:http://archives.neohapsis.com/archives/bugtraq/2000-08/0144.html
Reference: BID:1581
Reference: URL:http://www.securityfocus.com/bid/1581
Votes:
ACCEPT(2) Cole, Levy
NOOP(2) Baker, Wall
REJECT(2) Christey, Frech
Voter Comments:
Christey> DUPE CVE-2000-0730
Also, the BID is wrong.
Frech> DUPE OF CVE-2000-0730
Also, the BID is wrong.
Name: CVE-2000-0756
Description:
Microsoft Outlook 2000 does not properly process long or malformed
fields in vCard (.vcf) files, which allows attackers to cause a denial
of service.
Status: Candidate
Phase: Proposed (20000921)
Reference: BUGTRAQ:20000831 vCard DoS on Outlook 2000
Reference: URL:http://www.securityfocus.com/templates/archive.pike?list=1&msg=Springmail.105.967737080.0.16997300@www.springmail.com
Reference: BID:1633
Reference: URL:http://www.securityfocus.com/bid/1633
Votes:
ACCEPT(2) Cole, Levy
MODIFY(2) Frech, LeBlanc
REVIEWING(2) Christey, Wall
Voter Comments:
LeBlanc> - if a KB article, bulletin, or patch can be found, then
I'll ACCEPT
Christey> This is the same as MS:MS01-012 (CVE-2001-0145)
See the Bugtraq post by Joel Moses:
http://marc.theaimsgroup.com/?l=bugtraq&m=98322714210100&w=2
As of this writing, it is not certain which candidate
should be preferred: the candidate that has been publicly
known longer (i.e. CVE-2000-0756), or the more "official"
candidate, which has probably been publicized more (i.e.
CVE-2001-0145).
Frech> XF:outlook-vcard-dos(5175)
XF:outlook-vcard-bo(6145)
Because there's another more recent CAN linked to @stake and
Microsoft's advisories, we'll link both of our records to both
candiates until a final decision occurs. If a decision has been made
to promote the CVE-2001 entry, then enter my vote as a REJECT for
CVE-2000-0756.
Frech> Replace outlook-vcard-bo(6145) with outlook-vcard-dos(5175)
Name: CVE-2000-0757
Description:
The sysgen service in Aptis Totalbill does not perform authentication,
which allows remote attackers to gain root privileges by connecting to
the service and specifying the commands to be executed.
Status: Candidate
Phase: Proposed (20000921)
Reference: BUGTRAQ:20000808 Exploit for Totalbill...
Reference: URL:http://archives.neohapsis.com/archives/bugtraq/2000-08/0074.html
Reference: BID:1555
Reference: URL:http://www.securityfocus.com/bid/1555
Votes:
ACCEPT(2) Baker, Levy
NOOP(4) Christey, Cole, Wall, Williams
Voter Comments:
Christey> XF:totalbill-remote-execution
http://xforce.iss.net/static/5068.php
Name: CVE-2000-0759
Description:
Jakarta Tomcat 3.1 under Apache reveals physical path information when
a remote attacker requests a URL that does not exist, which generates
an error message that includes the physical path.
Status: Candidate
Phase: Modified (20050703)
Reference: BUGTRAQ:20000719 [LoWNOISE] Tomcat 3.1 Path Revealing Problem.
Reference: URL:http://www.securityfocus.com/frames/?content=/templates/archive.pike%3Flist%3D1%26date%3D2000-07-15%26msg%3DPine.SUN.3.96.1000719184401.17782A-100000@grex.cyberspace.org
Reference: BID:1531
Reference: URL:http://www.securityfocus.com/bid/1531
Reference: XF:tomcat-error-path-reveal(4967)
Reference: URL:http://www.iss.net/security_center/static/4967.php
Votes:
ACCEPT(2) Baker, Levy
NOOP(3) Cole, Wall, Williams
Name: CVE-2000-0760
Description:
The Snoop servlet in Jakarta Tomcat 3.1 and 3.0 under Apache reveals
sensitive system information when a remote attacker requests a
nonexistent URL with a .snp extension.
Status: Candidate
Phase: Proposed (20000921)
Reference: BUGTRAQ:20000719 [LoWNOISE] Snoop Servlet (Tomcat 3.1 and 3.0)
Reference: URL:http://www.securityfocus.com/frames/?content=/templates/archive.pike%3Flist%3D1%26date%3D2000-07-15%26msg%3DPine.SUN.3.96.1000719235404.24004A-100000@grex.cyberspace.org
Reference: XF:tomcat-snoop-info
Reference: BID:1532
Reference: URL:http://www.securityfocus.com/bid/1532
Votes:
ACCEPT(2) Baker, Levy
NOOP(3) Cole, Wall, Williams
Name: CVE-2000-0769
Description:
O'Reilly WebSite Pro 2.3.7 installs the uploader.exe program with
execute permissions for all users, which allows remote attackers to
create and execute arbitrary files by directly calling uploader.exe.
Status: Candidate
Phase: Proposed (20000921)
Reference: BUGTRAQ:20000824 WebServer Pro 2.3.7 Vulnerability
Reference: URL:http://marc.theaimsgroup.com/?l=bugtraq&m=96715834610888&w=2
Reference: BID:1611
Reference: URL:http://www.securityfocus.com/bid/1611
Votes:
ACCEPT(2) Baker, Levy
MODIFY(1) Frech
NOOP(2) Christey, Cole
REVIEWING(1) Wall
Voter Comments:
Christey> XF:website-pro-upload-files(5157)
Frech> XF:website-pro-upload-files(5157)
Name: CVE-2000-0772
Description:
The installation of Tumbleweed Messaging Management System (MMS) 4.6
and earlier (formerly Worldtalk Worldsecure) creates a default account
"sa" with no password.
Status: Candidate
Phase: Modified (20010116-01)
Reference: BUGTRAQ:20000810 Tumbleweed Worldsecure (MMS) BLANK 'sa' account password vulnerability
Reference: URL:http://archives.neohapsis.com/archives/bugtraq/2000-08/0098.html
Reference: CONFIRM:http://thompson.tumbleweed.com/NewKB/bulletin/UPFiles/sa-official.htm
Reference: BID:1562
Reference: URL:http://www.securityfocus.com/bid/1562
Reference: XF:tumbleweed-mms-blank-password
Reference: URL:http://xforce.iss.net/static/5072.php
Votes:
ACCEPT(2) Baker, Levy
MODIFY(1) Frech
NOOP(3) Christey, Cole, Wall
Voter Comments:
Christey> XF:tumbleweed-mms-blank-password
http://xforce.iss.net/static/5072.php
Frech> XF:umbleweed-mms-blank-password(5072)
Name: CVE-2000-0774
Description:
The sample Java servlet "test" in Bajie HTTP web server 0.30a reveals
the real pathname of the web document root.
Status: Candidate
Phase: Proposed (20000921)
Reference: BUGTRAQ:20000731 Two security flaws in Bajie Webserver
Reference: URL:http://archives.neohapsis.com/archives/bugtraq/2000-07/0426.html
Reference: BID:1521
Reference: URL:http://www.securityfocus.com/bid/1521
Votes:
ACCEPT(3) Baker, Levy, Williams
NOOP(2) Cole, Wall
Voter Comments:
Baker> Vendor fixed this issue in later version of the software
Name: CVE-2000-0775
Description:
Buffer overflow in RobTex Viking server earlier than 1.06-370 allows
remote attackers to cause a denial of service or execute arbitrary
commands via a long HTTP GET request, or long Unless-Modified-Since,
If-Range, or If-Modified-Since headers.
Status: Candidate
Phase: Proposed (20000921)
Reference: BUGTRAQ:20000828 [NT] Viking security vulnerabilities enable remote code execution (long URL, date parsing)
Reference: URL:http://www.securityfocus.com/templates/archive.pike?list=1&msg=399a01c01122$0d7f2310$0201a8c0@aviram
Reference: CONFIRM:http://www.robtex.com/viking/bugs.htm
Reference: BID:1614
Reference: URL:http://www.securityfocus.com/bid/1614
Votes:
ACCEPT(2) Baker, Levy
MODIFY(1) Frech
NOOP(3) Christey, Cole, Wall
Voter Comments:
Christey> XF:viking-server-bo(5158)
Frech> XF:viking-server-bo(5158)
Name: CVE-2000-0784
Description:
sshd program in the Rapidstream 2.1 Beta VPN appliance has a
hard-coded "rsadmin" account with a null password, which allows remote
attackers to execute arbitrary commands via ssh.
Status: Candidate
Phase: Proposed (20000921)
Reference: BUGTRAQ:20000816 Remote Root Compromise On All RapidStream VPN Appliances
Reference: URL:http://archives.neohapsis.com/archives/bugtraq/2000-08/0216.html
Reference: BID:1574
Reference: URL:http://www.securityfocus.com/bid/1574
Votes:
ACCEPT(3) Baker, Cole, Levy
MODIFY(1) Frech
NOOP(2) Christey, Wall
Voter Comments:
Christey> XF:rapidstream-remote-execution
http://xforce.iss.net/static/5093.php
Frech> XF:rapidstream-remote-execution(5093)
Name: CVE-2000-0785
Description:
WircSrv IRC Server 5.07s allows IRC operators to read arbitrary files
via the importmotd command, which sets the Message of the Day (MOTD)
to the specified file.
Status: Candidate
Phase: Proposed (20000921)
Reference: BUGTRAQ:20000713 More wIRCSrv stupidity
Reference: URL:http://marc.theaimsgroup.com/?l=bugtraq&m=96353027909756&w=2
Votes:
ACCEPT(1) Baker
MODIFY(1) Levy
NOOP(3) Cole, Wall, Williams
Voter Comments:
Levy> BID 1472
Name: CVE-2000-0789
Description:
WinU 5.x and earlier uses weak encryption to store its configuration
password, which allows local users to decrypt the password and gain
privileges.
Status: Candidate
Phase: Proposed (20000921)
Reference: BUGTRAQ:20000816 WinU 4/5 weak password vulnerability
Reference: URL:http://archives.neohapsis.com/archives/bugtraq/2000-08/0201.html
Votes:
ACCEPT(1) Williams
MODIFY(2) Baker, Frech
NOOP(3) Christey, Cole, Wall
REVIEWING(1) Levy
Voter Comments:
Frech> XF:winu-backdoor(5376)
Christey> ADDREF BID:1741
ADDREF URL:http://www.securityfocus.com/bid/1741
Baker> Since there are apparently two different methods of weak encryption, perhaps the description should read " ... used weak encryption methods.."
Name: CVE-2000-0791
Description:
Trustix installs the httpsd program for Apache-SSL with
world-writeable permissions, which allows local users to replace it
with a Trojan horse.
Status: Candidate
Phase: Proposed (20000921)
Reference: BUGTRAQ:20000815 Trustix security advisory - apache-ssl
Reference: URL:http://archives.neohapsis.com/archives/bugtraq/2000-08/0179.html
Reference: BID:1575
Reference: URL:http://www.securityfocus.com/bid/1575
Votes:
ACCEPT(3) Baker, Cole, Levy
MODIFY(1) Frech
NOOP(2) Christey, Wall
Voter Comments:
Christey> XF:trustix-secure-apache-misconfig
http://xforce.iss.net/static/5099.php
Frech> XF:trustix-secure-apache-misconfig(5099)
Name: CVE-2000-0793
Description:
Norton AntiVirus 5.00.01C with the Novell Netware client does not
properly restart the auto-protection service after the first user has
logged off of the system.
Status: Candidate
Phase: Proposed (20000921)
Reference: BUGTRAQ:20000728 Norton Antivirus Protection Disabled under Novell Netware
Reference: URL:http://www.securityfocus.com/templates/archive.pike?list=1&msg=398222C5@zathras.cc.vt.edu
Reference: BID:1533
Reference: URL:http://www.securityfocus.com/bid/1533
Votes:
ACCEPT(1) Levy
MODIFY(1) Baker
NOOP(3) Cole, Wall, Williams
Voter Comments:
Baker> Perhaps the description should read "... after the first user to log on to the system logs off."
Name: CVE-2000-0794
Description:
Buffer overflow in IRIX libgl.so library allows local users to gain
root privileges via a long HOME variable to programs such as (1)
gmemusage and (2) gr_osview.
Status: Candidate
Phase: Modified (20060705)
Reference: BUGTRAQ:20000802 [LSD] some unpublished LSD exploit codes
Reference: URL:http://www.securityfocus.com/templates/archive.pike?list=1&msg=200008021924.e72JOVs12558@ix.put.poznan.pl
Reference: BID:1527
Reference: URL:http://www.securityfocus.com/bid/1527
Reference: OSVDB:8568
Reference: URL:http://www.osvdb.org/8568
Reference: XF:irix-libgl-bo(5063)
Reference: URL:http://www.iss.net/security_center/static/5063.php
Votes:
ACCEPT(3) Baker, Levy, Williams
NOOP(3) Christey, Cole, Wall
Voter Comments:
Christey> XF:irix-libgl-bo
http://xforce.iss.net/static/5063.php
Name: CVE-2000-0798
Description:
The truncate function in IRIX 6.x does not properly check for
privileges when the file is in the xfs file system, which allows local
users to delete the contents of arbitrary files.
Status: Candidate
Phase: Modified (20060626)
Reference: BUGTRAQ:20000802 [LSD] some unpublished LSD exploit codes
Reference: URL:http://www.securityfocus.com/templates/archive.pike?list=1&msg=200008021924.e72JOVs12558@ix.put.poznan.pl
Reference: BID:1540
Reference: URL:http://www.securityfocus.com/bid/1540
Reference: OSVDB:8569
Reference: URL:http://www.osvdb.org/8569
Votes:
ACCEPT(3) Baker, Levy, Williams
NOOP(3) Christey, Cole, Wall
Voter Comments:
Christey> XF:irix-xfs-truncate
http://xforce.iss.net/static/5011.php
Christey> XF:sgi-xfs(2110) ?
SGI:19970102-01-PX ?
Christey> Consulting SGI on this... the relationship is pretty close.
Name: CVE-2000-0800
Description:
String parsing error in rpc.kstatd in the linuxnfs or knfsd packages
in SuSE and possibly other Linux systems allows remote attackers to
gain root privileges.
Status: Candidate
Phase: Proposed (20000921)
Reference: SUSE:20000810 Security Hole in knfsd, all versions
Reference: URL:http://www.novell.com/linux/security/advisories/suse_security_announce_58.html
Votes:
ACCEPT(1) Cole
MODIFY(2) Frech, Levy
NOOP(2) Baker, Wall
REJECT(1) Christey
Voter Comments:
Levy> This is the same as other Linux vendors statd format string problem.
Reference: BID 1480
Christey> If this is the same as the other statd format string problems,
then this is a duplicate of CVE-2000-0666.
Frech> XF:linux-rpcstatd-format-overwrite(4939)
CHANGE> [Christey changed vote from REVIEWING to REJECT]
Christey> OK, I agree that this is a dupe of CVE-2000-0666.
Here's why:
BUGTRAQ:20000803 SuSE Security: miscellaneous
URL:http://marc.theaimsgroup.com/?l=bugtraq&m=96540330329127&w=2
One statement says "The SuSE package containing rpc.kstatd
(other vendors named it rpc.statd)... An updated package is
currently being tested."
Name: CVE-2000-0801
Description:
Buffer overflow in bdf program in HP-UX 11.00 may allow local users to
gain root privileges via a long -t option.
Status: Candidate
Phase: Proposed (20000921)
Reference: BUGTRAQ:20000727 [ Hackerslab bug_paper ] HP-UX bdf -t option buffer overflow vul.
Reference: URL:http://archives.neohapsis.com/archives/bugtraq/2000-07/0388.html
Reference: BID:1520
Reference: URL:http://www.securityfocus.com/bid/1520
Votes:
ACCEPT(3) Baker, Levy, Williams
NOOP(3) Christey, Cole, Wall
Voter Comments:
Christey> ADDREF HP:HPSBUX0010-127??
http://archives.neohapsis.com/archives/hp/2000-q4/0028.html
Name: CVE-2000-0802
Description:
The BAIR program does not properly restrict access to the Internet
Explorer Internet options menu, which allows local users to obtain
access to the menu by modifying the registry key that starts BAIR.
Status: Candidate
Phase: Proposed (20000921)
Reference: BUGTRAQ:20000722 More bad censorware
Reference: URL:http://marc.theaimsgroup.com/?l=bugtraq&m=96430372326912&w=2
Reference: XF:bair-security-removal
Votes:
NOOP(5) Baker, Cole, LeBlanc, Wall, Williams
REVIEWING(1) Levy
Voter Comments:
LeBlanc> What the heck is BAIR? I don't think it is MS software.
Name: CVE-2000-0812
Description:
The administration module in Sun Java web server allows remote
attackers to execute arbitrary commands by uploading Java code to the
module and invoke the com.sun.server.http.pagecompile.jsp92.JspServlet
by requesting a URL that begins with a /servlet/ tag.
Status: Candidate
Phase: Interim (20010117)
Reference: SUN:00197
Reference: URL:http://sunsolve.sun.com/pub-cgi/retrieve.pl?doctype=coll&doc=secbull/197&type=0&nav=sec.sba
Reference: MISC:http://www.securityfocus.com/templates/advisory.html?id=2542
Reference: BID:1600
Reference: URL:http://www.securityfocus.com/bid/1600
Reference: XF:sunjava-webadmin-bbs
Reference: URL:http://xforce.iss.net/static/5135.php
Votes:
ACCEPT(2) Baker, Dik
MODIFY(2) Frech, Levy
NOOP(3) Armstrong, Cole, Wall
REVIEWING(1) Christey
Voter Comments:
Frech> XF:sunjava-webadmin-bbs(5135)
Levy> BID 1600
Frech> We also show this associated with CVE-2000-0629: The default
configuration of the Sun Java web server 2.0 and earlier allows remote
attackers to execute arbitrary commands by uploading Java code to the
server via board.html, then directly calling the JSP compiler
servlet. CVE web site concurs.
Christey> I think that Casper Dik confirmed that CVE-2000-0629 is a
configuration problem, and this one is a bug, so they are
different problems. I need to dig up that email, though...
Dik> CVE-2000-0629 indeed is about sample code which shouldn't
be run on prodution servers
This one is an actual bug and patches have been produced
for JWS 2.0 and 1.1.3
Name: CVE-2000-0817
Description:
Buffer overflow in the HTTP protocol parser for Microsoft Network
Monitor (Netmon) allows remote attackers to execute arbitrary commands
via malformed data, aka the "Netmon Protocol Parsing" vulnerability.
Status: Candidate
Phase: Modified (20010119-01)
Reference: ISS:20001101 Buffer Overflow in Microsoft Windows NT 4.0 and Windows 2000 Network Monitor
Reference: URL:http://xforce.iss.net/alerts/index.php
Reference: MS:MS00-083
Reference: URL:http://www.microsoft.com/technet/security/bulletin/MS00-083.asp
Reference: XF:network-monitor-bo(5399)
Votes:
ACCEPT(3) Baker, Cole, Mell
MODIFY(1) Frech
NOOP(1) Renaud
Voter Comments:
Frech> XF:network-monitor-bo(5399)
Name: CVE-2000-0826
Description:
Buffer overflow in ddicgi.exe program in Mobius DocumentDirect for the
Internet 1.2 allows remote attackers to execute arbitrary commands via
a long GET request.
Status: Candidate
Phase: Proposed (20001018)
Reference: ATSTAKE:A090800-1
Reference: URL:http://www.atstake.com/research/advisories/2000/a090800-1.txt
Reference: BID:1657
Reference: URL:http://www.securityfocus.com/bid/1657
Reference: XF:documentdirect-get-bo
Reference: URL:http://xforce.iss.net/static/5210.php
Votes:
ACCEPT(2) Baker, Collins
NOOP(3) Armstrong, Cole, Wall
Name: CVE-2000-0827
Description:
Buffer overflow in the web authorization form of Mobius DocumentDirect
for the Internet 1.2 allows remote attackers to cause a denial of
service or execute arbitrary commands via a long username.
Status: Candidate
Phase: Proposed (20001018)
Reference: ATSTAKE:A090800-1
Reference: URL:http://www.atstake.com/research/advisories/2000/a090800-1.txt
Reference: BID:1657
Reference: URL:http://www.securityfocus.com/bid/1657
Reference: XF:documentdirect-username-bo
Reference: URL:http://xforce.iss.net/static/5211.php
Votes:
ACCEPT(2) Baker, Collins
NOOP(3) Armstrong, Cole, Wall
Name: CVE-2000-0828
Description:
Buffer overflow in ddicgi.exe in Mobius DocumentDirect for the
Internet 1.2 allows remote attackers to execute arbitrary commands via
a long User-Agent parameter.
Status: Candidate
Phase: Proposed (20001018)
Reference: ATSTAKE:A090800-1
Reference: URL:http://www.atstake.com/research/advisories/2000/a090800-1.txt
Reference: BID:1657
Reference: URL:http://www.securityfocus.com/bid/1657
Reference: XF:documentdirect-user-agent-bo
Reference: URL:http://xforce.iss.net/static/5212.php
Votes:
ACCEPT(2) Baker, Collins
NOOP(3) Armstrong, Cole, Wall
Name: CVE-2000-0831
Description:
Buffer overflow in Fastream FTP++ 2.0 allows remote attackers to cause
a denial of service and possibly execute arbitrary commands via a long
username.
Status: Candidate
Phase: Proposed (20001018)
Reference: WIN2KSEC:20000912 DST2K0027: DoS in Faststream FTP++ 2.0
Reference: URL:http://archives.neohapsis.com/archives/win2ksecadvice/2000-q3/0109.html
Votes:
ACCEPT(1) Baker
MODIFY(1) Frech
NOOP(3) Armstrong, Cole, Magdych
REVIEWING(2) Christey, Wall
Voter Comments:
Frech> XF:fastream-ftp-dos(5235)
Christey> XF:fastream-ftp-dos
CHANGE> [Christey changed vote from NOOP to REVIEWING]
Christey> CVE-2000-0831 and CVE-2001-0256 are probable duplicates, since
they involve the same product and version (Fastream FTP++
2.0), vuln type (buffer overflow), and attack vector (username).
Name: CVE-2000-0832
Description:
Htgrep CGI program allows remote attackers to read arbitrary files by
specifying the full pathname in the hdr parameter.
Status: Candidate
Phase: Modified (20010910-01)
Reference: BUGTRAQ:20000817 Htgrep CGI Arbitrary File Viewing Vulnerability
Reference: URL:http://archives.neohapsis.com/archives/bugtraq/2000-08/0208.html
Reference: XF:htgrep-cgi-view-files(5476)
Reference: URL:http://xforce.iss.net/static/5476.php
Votes:
ACCEPT(2) Baker, Collins
MODIFY(1) Frech
NOOP(4) Armstrong, Christey, Cole, Wall
Voter Comments:
Frech> XF:htgrep-cgi-view-files(5476)
Collins> http://www.iam.unibe.ch/~scg/Src/Doc/
Christey> The change log for htgrep acknowledges the problem, but it
says that the qry tag is also affected. CD:SF-LOC says that
multiple problems of the same type in the same version should
be combined, so this candidate should get a "soft recast"
and qry should be added to the description.
Name: CVE-2000-0833
Description:
Buffer overflow in WinSMTP 1.06f and 2.X allows remote attackers to
cause a denial of service via a long (1) USER or (2) HELO command.
Status: Candidate
Phase: Modified (20020222-01)
Reference: BUGTRAQ:2000911 WinSMTPD remote exploit/DoS problem
Reference: URL:http://www.securityfocus.com/archive/1/81693
Reference: BID:1680
Reference: URL:http://www.securityfocus.com/bid/1680
Reference: XF:winsmtp-helo-bo(5255)
Reference: URL:http://xforce.iss.net/static/5255.php
Votes:
ACCEPT(5) Baker, Cole, Collins, Frech, Wall
NOOP(2) Armstrong, Magdych
Voter Comments:
Cole> HAS-INDEPENDENT-CONFIRMATION
CHANGE> [Wall changed vote from REVIEWING to ACCEPT]
Name: CVE-2000-0835
Description:
search.dll Sambar ISAPI Search utility in Sambar Server 4.4 Beta 3
allows remote attackers to read arbitrary directories by specifying
the directory in the query parameter.
Status: Candidate
Phase: Modified (20100115)
Reference: BUGTRAQ:20000915 Sambar Server search CGI vulnerability
Reference: URL:http://archives.neohapsis.com/archives/bugtraq/2000-09/0175.html
Reference: BID:1684
Reference: URL:http://www.securityfocus.com/bid/1684
Votes:
MODIFY(1) Frech
NOOP(5) Armstrong, Christey, Cole, Collins, Wall
REJECT(2) Baker, Magdych
Voter Comments:
Magdych> Unless the beta product is in very widespread use, or the product is in
"perpetual beta" (e.g. ICQ), I would prefer not to include beta software.
Christey> XF:sambar-search-view-folder
Frech> XF:sambar-search-view-folder(5247)
Baker> Unless we change our CD:EX-BETA, we should reject this entry. Perhaps we need to address the issue of Beta software again, but the previous discussion was pretty thorough and I believe the editorial board was unanimous in excluding normal beta software.
Christey> Fix typo: "paramater"
Christey> fix typo: "paramatar"
Name: CVE-2000-0836
Description:
Buffer overflow in CamShot WebCam Trial2.6 allows remote attackers to
execute arbitrary commands via a long Authorization header.
Status: Candidate
Phase: Proposed (20001018)
Reference: BUGTRAQ:20000915 [NEWS] Vulnerability in CamShot server (Authorization)
Reference: URL:http://archives.neohapsis.com/archives/bugtraq/2000-09/0176.html
Reference: BID:1685
Reference: URL:http://www.securityfocus.com/bid/1685
Reference: XF:camshot-password-bo
Reference: URL:http://xforce.iss.net/static/5246.php
Votes:
ACCEPT(2) Baker, Frech
NOOP(3) Armstrong, Cole, Magdych
REVIEWING(1) Wall
Name: CVE-2000-0840
Description:
Buffer overflow in XMail POP3 server before version 0.59 allows remote
attackers to execute arbitrary commands via a long USER command.
Status: Candidate
Phase: Proposed (20001018)
Reference: BUGTRAQ:20000906 [NEWS] XMail vulnerable to a remotely exploitable buffer overflow (APOP, USER)
Reference: URL:http://archives.neohapsis.com/archives/bugtraq/2000-09/0001.html
Reference: BID:1652
Reference: URL:http://www.securityfocus.com/bid/1652
Reference: XF:xmail-long-user-bo
Reference: URL:http://xforce.iss.net/static/5192.php
Votes:
ACCEPT(4) Armstrong, Baker, Cole, Collins
NOOP(2) Christey, Wall
Voter Comments:
Cole> INDEPENDENT-CONFIRMATION
Christey> CONFIRM:http://www.mycio.com/davidel/xmail/xmaildoc.htm
The entry dated 30-07-2000 for version 0.59 says: "A possible
buffer overflow error has been fixed."
Name: CVE-2000-0841
Description:
Buffer overflow in XMail POP3 server before version 0.59 allows remote
attackers to execute arbitrary commands via a long APOP command.
Status: Candidate
Phase: Proposed (20001018)
Reference: BUGTRAQ:20000906 [NEWS] XMail vulnerable to a remotely exploitable buffer overflow (APOP, USER)
Reference: URL:http://archives.neohapsis.com/archives/bugtraq/2000-09/0001.html
Reference: BID:1652
Reference: URL:http://www.securityfocus.com/bid/1652
Reference: XF:xmail-long-apop-bo
Reference: URL:http://xforce.iss.net/static/5191.php
Votes:
ACCEPT(4) Armstrong, Baker, Cole, Collins
NOOP(2) Christey, Wall
Voter Comments:
Cole> INDEPENDENT-CONFIRMATION
Christey> CONFIRM:http://www.mycio.com/davidel/xmail/xmaildoc.htm
The entry dated 30-07-2000 for version 0.59 says: "A possible
buffer overflow error has been fixed."
Name: CVE-2000-0842
Description:
The search97cgi/vtopic" in the UnixWare 7 scohelphttp webserver allows
remote attackers to read arbitrary files via a .. (dot dot) attack.
Status: Candidate
Phase: Proposed (20001018)
Reference: BUGTRAQ:20000911 SCO scohelhttp documentation webserver exposes local files
Reference: URL:http://archives.neohapsis.com/archives/bugtraq/2000-09/0086.html
Reference: BID:1663
Reference: URL:http://www.securityfocus.com/bid/1663
Votes:
ACCEPT(1) Baker
MODIFY(1) Frech
NOOP(5) Armstrong, Christey, Cole, Magdych, Wall
Voter Comments:
Frech> XF:sco-help-view-files(5226)
Christey> What is the proper "spelling" for the SCO help HTTP server?
I've seen it as "SCOhelp" and "scohelphttp" and "SCO help HTTP"
Christey> XF:sco-help-view-files
Christey> typo - extra "
Name: CVE-2000-0843
Description:
Buffer overflow in pam_smb and pam_ntdom pluggable authentication modules
(PAM) allow remote attackers to execute arbitrary commands via a login with
a long user name.
Status: Candidate
Phase: Proposed (20001018)
Reference: BUGTRAQ:20000910 (SRADV00002) Remote root compromise through pam_smb and pam_ntdom
Reference: URL:http://archives.neohapsis.com/archives/bugtraq/2000-09/0073.html
Reference: DEBIAN:20000911 libpam-smb: remote root exploit
Reference: URL:http://www.debian.org/security/2000/20000911
Reference: SUSE:20000913 pam_smb remotely exploitable buffer overflow
Reference: URL:http://www.novell.com/linux/security/advisories/adv8_draht_pam_smb_txt.html
Reference: MANDRAKE:MDKSA-2000:047
Reference: URL:http://www.linux-mandrake.com/en/security/MDKSA-2000-047.php3
Reference: BUGTRAQ:20000911 Conectiva Linux Security Announcement - pam_smb
Reference: URL:http://archives.neohapsis.com/archives/bugtraq/2000-09/0114.html
Reference: BID:1666
Reference: URL:http://www.securityfocus.com/bid/1666
Votes:
ACCEPT(4) Armstrong, Baker, Collins, Magdych
MODIFY(1) Frech
NOOP(3) Christey, Cole, Wall
Voter Comments:
Magdych> ACKNOWLEDGED-BY-VENDOR
Christey> ADDREF XF:pam-authentication-bo
Frech> XF:pam-authentication-bo(5225)
Name: CVE-2000-0845
Description:
kdebug daemon (kdebugd) in Digital Unix 4.0F allows remote attackers to
read arbitrary files by specifying the full file name in the
initialization packet.
Status: Candidate
Phase: Proposed (20001018)
Reference: BUGTRAQ:20000918 [ENIGMA] Digital UNIX/Tru64 UNIX remote kdebug Vulnerability
Reference: URL:http://archives.neohapsis.com/archives/bugtraq/2000-09/0204.html
Votes:
ACCEPT(1) Baker
MODIFY(1) Frech
NOOP(5) Armstrong, Christey, Cole, Magdych, Wall
Voter Comments:
Frech> XF:du-kdebugd-write-access(5262)
Christey> This problem also allows attackers to overwrite files.
ADDREF BID:1693
ADDREF URL:http://www.securityfocus.com/bid/1693
ADDREF XF:du-kdebugd-write-access
ADDREF http://xforce.iss.net/static/5262.php
Name: CVE-2000-0855
Description:
SunFTP build 9(1) allows remote attackers to cause a denial of service
by connecting to the server and disconnecting before sending a
newline.
Status: Candidate
Phase: Proposed (20001018)
Reference: BUGTRAQ:20000901 [EXPL] SunFTP vulnerable to two Denial-of-Service attacks (long buffer, half-open)
Reference: URL:http://archives.neohapsis.com/archives/bugtraq/2000-08/0408.html
Reference: BID:1637
Reference: URL:http://www.securityfocus.com/bid/1637
Votes:
ACCEPT(4) Armstrong, Baker, Cole, Collins
NOOP(1) Wall
Voter Comments:
Cole> INDEPENDENT-CONFIRMATION
Name: CVE-2000-0857
Description:
The logging capability in muh 2.05d IRC server does not properly
cleanse user-injected format strings, which allows remote attackers to
cause a denial of service or execute arbitrary commands via a
malformed nickname.
Status: Candidate
Phase: Proposed (20001018)
Reference: BUGTRAQ:20000909 format string bug in muh
Reference: URL:http://archives.neohapsis.com/archives/bugtraq/2000-09/0067.html
Reference: BUGTRAQ:20000909 Re: format string bug in muh
Reference: URL:http://archives.neohapsis.com/archives/bugtraq/2000-09/0068.html
Reference: BID:1665
Reference: URL:http://www.securityfocus.com/bid/1665
Reference: XF:muh-log-dos
Reference: URL:http://xforce.iss.net/static/5215.php
Votes:
ACCEPT(4) Baker, Cole, Collins, Frech
NOOP(4) Armstrong, Christey, Magdych, Wall
Voter Comments:
Cole> HAS-INDEPENDENT-CONFIRMATION
Christey> ADDREF FREEBSD:FreeBSD-SA-00:57
CHANGE> [Magdych changed vote from REVIEWING to NOOP]
Name: CVE-2000-0866
Description:
Interbase 6 SuperServer for Linux allows an attacker to cause a denial
of service via a query containing 0 bytes.
Status: Candidate
Phase: Proposed (20001018)
Reference: BUGTRAQ:20000907 SEGFAULTING Interbase 6 SS Linux
Reference: URL:http://archives.neohapsis.com/archives/bugtraq/2000-09/0027.html
Reference: BID:1654
Reference: URL:http://www.securityfocus.com/bid/1654
Reference: XF:interbase-query-dos
Reference: URL:http://xforce.iss.net/static/5205.php
Votes:
ACCEPT(2) Baker, Collins
NOOP(3) Armstrong, Cole, Wall
Name: CVE-2000-0872
Description:
explorer.php in PhotoAlbum 0.9.9 allows remote attackers to read
arbitrary files via a .. (dot dot) attack.
Status: Candidate
Phase: Proposed (20001018)
Reference: BUGTRAQ:20000906 PhotoAlbum 0.9.9 explorer.php Vulnerability
Reference: URL:http://archives.neohapsis.com/archives/bugtraq/2000-09/0015.html
Reference: BID:1650
Reference: URL:http://www.securityfocus.com/bid/1650
Reference: XF:phpphoto-dir-traverse
Reference: URL:http://xforce.iss.net/static/5198.php
Votes:
ACCEPT(2) Baker, Collins
NOOP(3) Armstrong, Cole, Wall
Name: CVE-2000-0879
Description:
LPPlus programs dccsched, dcclpdser, dccbkst, dccshut, dcclpdshut, and
dccbkstshut are installed setuid root and world executable, which
allows arbitrary local users to start and stop various LPD services.
Status: Candidate
Phase: Proposed (20001018)
Reference: BUGTRAQ:20000906 Multiple Security Holes in LPPlus
Reference: URL:http://archives.neohapsis.com/archives/bugtraq/2000-08/0531.html
Reference: BID:1643
Reference: URL:http://www.securityfocus.com/bid/1643
Reference: XF:lpplus-permissions-dos
Reference: URL:http://xforce.iss.net/static/5199.php
Votes:
ACCEPT(2) Baker, Collins
NOOP(3) Armstrong, Cole, Wall
Name: CVE-2000-0880
Description:
LPPlus creates the lpdprocess file with world-writeable permissions,
which allows local users to kill arbitrary processes by specifying an
alternate process ID and using the setuid dcclpdshut program to kill
the process that was specified in the lpdprocess file.
Status: Candidate
Phase: Proposed (20001018)
Reference: BUGTRAQ:20000906 Multiple Security Holes in LPPlus
Reference: URL:http://archives.neohapsis.com/archives/bugtraq/2000-08/0531.html
Reference: BID:1643
Reference: URL:http://www.securityfocus.com/bid/1643
Reference: XF:lpplus-process-perms-dos
Reference: URL:http://xforce.iss.net/static/5200.php
Votes:
ACCEPT(2) Baker, Collins
NOOP(3) Armstrong, Cole, Wall
Name: CVE-2000-0881
Description:
The dccscan setuid program in LPPlus does not properly check if the
user has the permissions to print the file that is specified to
dccscan, which allows local users to print arbitrary files.
Status: Candidate
Phase: Proposed (20001018)
Reference: BUGTRAQ:20000906 Multiple Security Holes in LPPlus
Reference: URL:http://archives.neohapsis.com/archives/bugtraq/2000-08/0531.html
Reference: BID:1644
Reference: URL:http://www.securityfocus.com/bid/1644
Reference: XF:lpplus-dccscan-file-read
Reference: URL:http://xforce.iss.net/static/5201.php
Votes:
ACCEPT(2) Baker, Collins
NOOP(3) Armstrong, Cole, Wall
Name: CVE-2000-0882
Description:
Intel Express 500 series switches allow a remote attacker to cause a
denial of service via a malformed ICMP packet, which causes the CPU to
crash.
Status: Candidate
Phase: Proposed (20001018)
Reference: BUGTRAQ:20000906 VIGILANTE-2000010: Intel Express Switch series 500 DoS #2
Reference: URL:http://archives.neohapsis.com/archives/bugtraq/2000-08/0533.html
Reference: BID:1647
Reference: URL:http://www.securityfocus.com/bid/1647
Votes:
ACCEPT(1) Baker
NOOP(3) Armstrong, Cole, Wall
Name: CVE-2000-0885
Description:
Buffer overflows in Microsoft Network Monitor (Netmon) allow remote
attackers to execute arbitrary commands via a long Browser Name in a
CIFS Browse Frame, a long SNMP community name, or a long username or
filename in an SMB session, aka the "Netmon Protocol Parsing"
vulnerability. NOTE: It is highly likely that this candidate will be
split into multiple candidates.
Status: Candidate
Phase: Modified (20010119-01)
Reference: NAI:20001101 Multiple Network Monitor Overflows
Reference: MS:MS00-083
Reference: URL:http://www.microsoft.com/technet/security/bulletin/MS00-083.asp
Reference: XF:network-monitor-bo(5399)
Votes:
ACCEPT(4) Baker, Cole, Mell, Renaud
MODIFY(1) Frech
Voter Comments:
Frech> XF:network-monitor-bo(5399)
Name: CVE-2000-0889
Description:
Two Sun security certificates have been compromised, which could allow
attackers to insert malicious code such as applets and make it appear
that it is signed by Sun.
Status: Candidate
Phase: Proposed (20010202)
Reference: CERT:CA-2000-19
Reference: URL:http://www.cert.org/advisories/CA-2000-19.html
Reference: SUN:00198
Reference: URL:http://sunsolve.Sun.COM/pub-cgi/retrieve.pl?doctype=coll&doc=secbull/198&type=0&nav=sec.sba
Votes:
ACCEPT(3) Baker, Cole, Dik
MODIFY(1) Frech
NOOP(2) Wall, Ziese
REVIEWING(1) Christey
Voter Comments:
Frech> XF:sun-compromised-certificate(5404)
Christey> Should revoked cert's be included in CVE? How about the ones
for Microsoft from early 2001?
Name: CVE-2000-0893
Description:
The presence of the Distributed GL Daemon (dgld) service on port 5232
on SGI IRIX systems allows remote attackers to identify the target
host as an SGI system.
Status: Candidate
Phase: Proposed (20010202)
Reference: CERT-VN:VU#28027
Reference: URL:http://www.kb.cert.org/vuls/id/28027
Votes:
ACCEPT(1) Baker
MODIFY(1) Frech
NOOP(2) Cole, Wall
REVIEWING(1) Ziese
Voter Comments:
CHANGE> [Frech changed vote from REVIEWING to MODIFY]
Frech> XF:irix-dgld-port-scan(6592)
Name: CVE-2000-0898
Description:
Small HTTP Server 2.01 does not properly process Server Side Includes
(SSI) tags that contain null values, which allows local users, and
possibly remote attackers, to cause the server to crash by inserting
the SSI into an HTML file.
Status: Candidate
Phase: Proposed (20001219)
Reference: BUGTRAQ:20001114 Vulnerabilites in SmallHTTP Server
Reference: URL:http://marc.theaimsgroup.com/?l=bugtraq&m=97421834001092&w=2
Votes:
ACCEPT(1) Baker
MODIFY(1) Frech
NOOP(4) Armstrong, Balinsky, Cole, Wall
Voter Comments:
Frech> XF:small-http-ssi-dos(5960)
Balinsky> Found no data on vendor web site to support this.
http://home.lanck.net/mf/srv/index.htm
Name: CVE-2000-0899
Description:
Small HTTP Server 2.01 allows remote attackers to cause a denial of
service by connecting to the server and sending out multiple GET,
HEAD, or POST requests and closing the connection before the server
responds to the requests.
Status: Candidate
Phase: Proposed (20001219)
Reference: BUGTRAQ:20001114 Vulnerabilites in SmallHTTP Server
Reference: URL:http://marc.theaimsgroup.com/?l=bugtraq&m=97421834001092&w=2
Reference: BID:1942
Reference: URL:http://www.securityfocus.com/bid/1942
Votes:
ACCEPT(1) Baker
MODIFY(1) Frech
NOOP(4) Armstrong, Balinsky, Cole, Wall
Voter Comments:
Frech> XF:small-http-request-dos(5523)
Balinsky> Found no data on vendor web site to support this.
http://home.lanck.net/mf/srv/index.htm
Name: CVE-2000-0902
Description:
getalbum.php in PhotoAlbum before 0.9.9 allows remote attackers to read
arbitrary files via a .. (dot dot) attack.
Status: Candidate
Phase: Proposed (20001129)
Reference: BUGTRAQ:20000907 Re: PhotoAlbum 0.9.9 explorer.php Vulnerability
Reference: URL:http://www.securityfocus.com/archive/1/80858
Reference: XF:phpphotoalbum-getalbum-directory-traversal
Reference: URL:http://xforce.iss.net/static/5209.php
Votes:
ACCEPT(2) Collins, Mell
NOOP(2) Cole, Wall
Name: CVE-2000-0903
Description:
Directory traversal vulnerability in Voyager web server 2.01B in the
demo disks for QNX 405 allows remote attackers to read arbitrary files
via a .. (dot dot) attack.
Status: Candidate
Phase: Proposed (20001129)
Reference: BUGTRAQ:20000901 Multiple QNX Voyager Issues
Reference: URL:http://www.securityfocus.com/archive/1/79956
Reference: BID:1648
Reference: URL:http://www.securityfocus.com/bid/1648
Votes:
ACCEPT(2) Baker, Mell
NOOP(3) Cole, Collins, Wall
Voter Comments:
Collins> Assigning CVE numbers for demo software is not appropriate
Baker> Was this a beta version in the demo disk? I don't think it was. While we do have an exclusion for beta software,
software that is distributed as production software, just limited in scope, does not mean beta..
The current version is 4, but it is still offered for free download from their website for use.
CHANGE> [Baker changed vote from REVIEWING to ACCEPT]
Baker> SHould change vote from review to accept
Name: CVE-2000-0904
Description:
Voyager web server 2.01B in the demo disks for QNX 405 stores
sensitive web client information in the .photon directory in the web
document root, which allows remote attackers to obtain that
information.
Status: Candidate
Phase: Proposed (20001129)
Reference: BUGTRAQ:20000901 Multiple QNX Voyager Issues
Reference: URL:http://www.securityfocus.com/archive/1/79956
Reference: BID:1648
Reference: URL:http://www.securityfocus.com/bid/1648
Votes:
ACCEPT(1) Mell
NOOP(3) Cole, Collins, Wall
Voter Comments:
Collins> assigning CVE numbers for demo software is not appropriate
Name: CVE-2000-0905
Description:
QNX Embedded Resource Manager in Voyager web server 2.01B in the demo
disks for QNX 405 allows remote attackers to read sensitive system
statistics information via the embedded.html web page.
Status: Candidate
Phase: Proposed (20001129)
Reference: BUGTRAQ:20000901 Multiple QNX Voyager Issues
Reference: URL:http://www.securityfocus.com/archive/1/79956
Reference: BID:1648
Reference: URL:http://www.securityfocus.com/bid/1648
Votes:
ACCEPT(1) Mell
NOOP(2) Cole, Wall
Name: CVE-2000-0906
Description:
Directory traversal vulnerability in Moreover.com cached_feed.cgi
script version 4.July.00 allows remote attackers to read arbitrary
files via a .. (dot dot) attack on the category or format parameters.
Status: Candidate
Phase: Proposed (20001129)
Reference: BUGTRAQ:20001002 Moreover Cached_Feed CGI Vulnerability
Reference: URL:http://archives.neohapsis.com/archives/bugtraq/2000-10/0013.html
Reference: XF:moreover-cgi-dir-traverse
Reference: URL:http://xforce.iss.net/static/5334.php
Reference: BID:1762
Reference: URL:http://www.securityfocus.com/bid/1762
Votes:
ACCEPT(3) Collins, Frech, Mell
NOOP(2) Cole, Wall
Name: CVE-2000-0907
Description:
EServ 2.92 Build 2982 allows remote attackers to cause a denial of
service and possibly execute arbitrary commands via long HELO and MAIL
FROM commands.
Status: Candidate
Phase: Proposed (20001129)
Reference: WIN2KSEC:20000925 DST2K0030: DoS in EServ 2.92 Build 2982
Reference: URL:http://archives.neohapsis.com/archives/win2ksecadvice/2000-q3/0131.html
Votes:
ACCEPT(3) Baker, Collins, Mell
MODIFY(1) Frech
NOOP(2) Cole, Wall
Voter Comments:
Frech> XF:eserv-remote-dos(5643)
Name: CVE-2000-0916
Description:
FreeBSD 4.1.1 and earlier, and possibly other BSD-based OSes, uses an
insufficient random number generator to generate initial TCP sequence
numbers (ISN), which allows remote attackers to spoof TCP connections.
Status: Candidate
Phase: Proposed (20001129)
Reference: FREEBSD:FreeBSD-SA-00:52
Reference: URL:ftp://ftp.freebsd.org/pub/FreeBSD/CERT/advisories/FreeBSD-SA-00:52.tcp-iss.asc
Reference: BID:1766
Reference: URL:http://www.securityfocus.com/bid/1766
Votes:
ACCEPT(2) Cole, Mell
MODIFY(1) Frech
REVIEWING(1) Christey
Voter Comments:
Frech> XF:tcp-seq-predict(139)
Christey> Abstraction issue: CVE-1999-0077 is for TCP sequence
prediction as a general problem; but here we have a specific
implementation flaw.
Name: CVE-2000-0918
Description:
Format string vulnerability in kvt in KDE 1.1.2 may allow local users
to execute arbitrary commands via a DISPLAY environmental variable
that contains formatting characters.
Status: Candidate
Phase: Proposed (20001129)
Reference: BID:1700
Reference: URL:http://www.securityfocus.com/bid/1700
Reference: BUGTRAQ:20000919 kvt format bug
Reference: URL:http://www.securityfocus.com/archive/1/83914
Votes:
ACCEPT(2) Baker, Mell
NOOP(2) Cole, Wall
REVIEWING(1) Christey
Voter Comments:
Christey> May be a duplicate of CVE-2000-0373, but the ref's in that CVE
are vague. I suspect this *isn't* a duplicate because this is
a format string problem.
Baker> I think it is sufficiently different from 2000-0373.
Name: CVE-2000-0931
Description:
Buffer overflow in Pegasus Mail 3.11 allows remote attackers to cause
a denial of service and possibly execute arbitrary commands via a long
email message containing binary data.
Status: Candidate
Phase: Proposed (20001129)
Reference: BUGTRAQ:20001004 Another Pegasus Mail vulnerability
Reference: URL:http://www.securityfocus.com/archive/1/137518
Reference: BID:1750
Reference: URL:http://www.securityfocus.com/bid/1750
Votes:
ACCEPT(1) Mell
MODIFY(1) Frech
NOOP(2) Cole, Wall
Voter Comments:
Frech> XF:pegasus-mail-bo(5644)
Name: CVE-2000-0939
Description:
Samba Web Administration Tool (SWAT) in Samba 2.0.7 allows remote
attackers to cause a denial of service by repeatedly submitting a
nonstandard URL in the GET HTTP request and forcing it to restart.
Status: Candidate
Phase: Proposed (20001129)
Reference: BUGTRAQ:20001030 Samba 2.0.7 SWAT vulnerabilities
Reference: URL:http://archives.neohapsis.com/archives/bugtraq/2000-10/0430.html
Reference: XF:samba-swat-url-filename-dos
Reference: URL:http://xforce.iss.net/static/5444.php
Votes:
ACCEPT(2) Frech, Mell
NOOP(1) Cole
REJECT(1) Renaud
Voter Comments:
Renaud> SWAT makes this DoS easier to perform, but actually, it is an inetd
problem, not a swat problem.
Name: CVE-2000-0940
Description:
Directory traversal vulnerability in Metertek pagelog.cgi allows
remote attackers to read arbitrary files via a .. (dot dot) attack on
the "name" or "display" parameter.
Status: Candidate
Phase: Proposed (20001129)
Reference: BUGTRAQ:20001029 Minor bug in Pagelog.cgi
Reference: URL:http://archives.neohapsis.com/archives/bugtraq/2000-10/0422.html
Reference: BID:1864
Reference: URL:http://www.securityfocus.com/bid/1864
Reference: XF:pagelog-cgi-dir-traverse
Reference: URL:http://xforce.iss.net/static/5451.php
Votes:
ACCEPT(2) Frech, Mell
NOOP(1) Cole
Name: CVE-2000-0950
Description:
Format string vulnerability in x-gw in TIS Firewall Toolkit (FWTK)
allows local users to execute arbitrary commands via a malformed
display name.
Status: Candidate
Phase: Proposed (20001129)
Reference: BUGTRAQ:20001026 FWTK x-gw Security Advisory [GSA2000-01]
Reference: URL:http://archives.neohapsis.com/archives/bugtraq/2000-10/0376.html
Reference: XF:tisfwtk-xgw-execute-code
Reference: URL:http://xforce.iss.net/static/5420.php
Votes:
ACCEPT(4) Baker, Cole, Frech, Mell
NOOP(1) Renaud
REVIEWING(1) Christey
Voter Comments:
Christey> I thought I saw some mailing list that questioned whether this
problem was only a DoS...
Name: CVE-2000-0954
Description:
Shambala Server 4.5 stores passwords in plaintext, which could allow
local users to obtain the passwords and compromise the server.
Status: Candidate
Phase: Proposed (20001129)
Reference: BUGTRAQ:20001009 Shambala 4.5 vulnerability
Reference: URL:http://archives.neohapsis.com/archives/bugtraq/2000-10/0134.html
Reference: BID:1771
Reference: URL:http://www.securityfocus.com/bid/1771
Reference: XF:shambala-password-plaintext
Reference: URL:http://xforce.iss.net/static/5346.php
Votes:
ACCEPT(3) Baker, Frech, Mell
NOOP(1) Cole
Name: CVE-2000-0955
Description:
Cisco Virtual Central Office 4000 (VCO/4K) uses weak encryption to
store usernames and passwords in the SNMP MIB, which allows an
attacker who knows the community name to crack the password and gain
privileges.
Status: Candidate
Phase: Proposed (20001129)
Reference: ATSTAKE:A102600-1
Reference: URL:http://www.atstake.com/research/advisories/2000/a102600-1.txt
Reference: BID:1885
Reference: URL:http://www.securityfocus.com/bid/1885
Reference: XF:cisco-vco-snmp-passwords
Reference: URL:http://xforce.iss.net/static/5425.php
Votes:
ACCEPT(4) Cole, Frech, Mell, Ziese
NOOP(2) Balinsky, Christey
Voter Comments:
Christey> CISCO:20001026 VCO/4K Remote Password Disclosure
http://www.cisco.com/warp/public/707/vco4kpasswdexposure-pub.shtml
CHANGE> [Balinsky changed vote from REVIEWING to NOOP]
Name: CVE-2000-0963
Description:
Buffer overflow in ncurses library allows local users to execute
arbitrary commands via long environmental information such as TERM or
TERMINFO_DIRS.
Status: Candidate
Phase: Modified (20080819)
Reference: BUGTRAQ:20001009 ncurses buffer overflows
Reference: URL:http://www.securityfocus.com/archive/1/138550
Reference: CALDERA:CSSA-2000-036.0
Reference: URL:http://www.calderasystems.com/support/security/advisories/CSSA-2000-036.0.txt
Reference: BID:1142
Reference: URL:http://www.securityfocus.com/bid/1142
Reference: XF:gnu-ncurses-term-terminfodirs-bo(44487)
Reference: URL:http://xforce.iss.net/xforce/xfdb/44487
Votes:
ACCEPT(2) Cole, Mell
MODIFY(1) Frech
REVIEWING(1) Christey
Voter Comments:
Christey> Various vendor writeups indicate that there are multiple
overflows, so maybe this needs to be SPLIT.
ADDREF FREEBSD:FreeBSD-SA-00:68
ADDREF DEBIAN:20001121 ncurses: local privilege escalation
http://www.debian.org/security/2000/20001121
ADDREF REDHAT:RHSA-2000:115
http://www.redhat.com/support/errata/RHSA-2000-115.html
BUGTRAQ:20001201 Immunix OS Security update for ncurses
http://marc.theaimsgroup.com/?l=bugtraq&m=97570745306444&w=2
Frech> XF:libmytinfo-bo(4422)
CHANGE> [Christey changed vote from NOOP to REVIEWING]
Christey> This is all a library issue in which TERM/TERMINFO_DIRS are
one possible attack vector, but another is through entries
in the .terminfo file. Add .terminfo and termcap to the
description, as well as libncurses.
ADDREF MANDRAKE:MDKSA-2001:052
URL:http://www.linux-mandrake.com/en/security/2001/MDKSA-2001-052.php3
Now need to examine whether this is a dupe of CVE-2002-0062,
and/or BID:2116. There's certainly enough confusion to go
around.
CHANGE> [Christey changed vote from REVIEWING to NOOP]
Christey> This is not a dupe of CVE-2002-0062. As explained in
DEBIAN:DSA-113, the original patches for CVE-2000-0963
didn't catch every problem.
ADDREF SUSE:SuSE-SA:2000:043
URL:http://marc.theaimsgroup.com/?l=bugtraq&m=97267560724404&w=2
CHANGE> [Christey changed vote from NOOP to REVIEWING]
Name: CVE-2000-0971
Description:
Avirt Mail 4.0 and 4.2 allows remote attackers to cause a denial of
service and possibly execute arbitrary commands via a long "RCPT TO"
or "MAIL FROM" command.
Status: Candidate
Phase: Proposed (20001129)
Reference: BUGTRAQ:20001023 Avirt Mail 4.x DoS
Reference: URL:http://archives.neohapsis.com/archives/bugtraq/2000-10/0301.html
Reference: XF:avirt-mail-from-dos
Reference: URL:http://xforce.iss.net/static/5397.php
Reference: XF:avirt-rcpt-to-dos
Reference: URL:http://xforce.iss.net/static/5398.php
Votes:
ACCEPT(3) Cole, Frech, Mell
NOOP(2) Armstrong, Christey
Voter Comments:
Christey> Fix typo: "possible" should be "possibly"
Christey> fix typo: "and possible"
Name: CVE-2000-0985
Description:
Buffer overflow in All-Mail 1.1 allows remote attackers to execute
arbitrary commands via a long "MAIL FROM" or "RCPT TO" command.
Status: Candidate
Phase: Proposed (20001129)
Reference: ATSTAKE:A101200-2
Reference: URL:http://www.atstake.com/research/advisories/2000/a101200-2.txt
Reference: BID:1789
Reference: URL:http://www.securityfocus.com/bid/1789
Votes:
ACCEPT(2) Baker, Mell
MODIFY(1) Frech
NOOP(1) Cole
Voter Comments:
Frech> XF:all-mail-smtp-bo(5360)
Name: CVE-2000-0986
Description:
Buffer overflow in Oracle 8.1.5 applications such as names, namesctl,
onrsd, osslogin, tnslsnr, tnsping, trcasst, and trcroute possibly
allow local users to gain privileges via a long ORACLE_HOME
environmental variable.
Status: Candidate
Phase: Proposed (20001129)
Reference: BUGTRAQ:20001020 [ Hackerslab bug_paper ] Linux ORACLE 8.1.5 vulnerability
Reference: URL:http://archives.neohapsis.com/archives/bugtraq/2000-10/0294.html
Reference: XF:oracle-home-bo
Reference: URL:http://xforce.iss.net/static/5390.php
Votes:
ACCEPT(3) Baker, Frech, Mell
NOOP(2) Armstrong, Cole
Name: CVE-2000-0987
Description:
Buffer overflow in oidldapd in Oracle 8.1.6 allow local users to gain
privileges via a long "connect" command line parameter.
Status: Candidate
Phase: Proposed (20001129)
Reference: XF:oracle-oidldap-bo
Reference: URL:http://xforce.iss.net/static/5401.php
Reference: BUGTRAQ:20001018 vulnerability in Oracle Internet Directory in Oracle 8.1.6
Reference: URL:http://www.securityfocus.com/archive/1/140340
Reference: BUGTRAQ:20001020 In response to posting 10/18/2000 vulnerability in Oracle Internet Directory in Oracle 8.1.6
Reference: URL:http://www.securityfocus.com/archive/1/140709
Votes:
ACCEPT(3) Cole, Frech, Mell
NOOP(2) Armstrong, Christey
Voter Comments:
Christey> http://archives.neohapsis.com/archives/bugtraq/2000-12/0400.html
appears to be a rediscovery of this problem.
Christey> It looks like Juan Manuel Pascual Escriba saw this issue
in a later version and re-posted, but that later post doesn't
mention the earlier one. The exploit is almost exactly the
same, but the affected version is 8.1.7.
ADDREF BUGTRAQ:20001221 vulnerability #1 in Oracle Internet Directory 2.1.1.1 in Oracle 8.1.7
http://archives.neohapsis.com/archives/bugtraq/2000-12/0400.html
ADDREF BUGTRAQ:20010118 Patch for Potential Buffer Overflow Vulnerabilities in Oracle Internet Directory
http://archives.neohapsis.com/archives/bugtraq/2001-01/0325.html
Name: CVE-2000-0988
Description:
WinU 1.0 through 5.1 has a backdoor password that allows remote
attackers to gain access to its administrative interface and modify
configuration.
Status: Candidate
Phase: Proposed (20001129)
Reference: BUGTRAQ:20001013 WinU Backdoor passwords!!!!
Reference: URL:http://archives.neohapsis.com/archives/bugtraq/2000-10/0238.html
Reference: CONFIRM:http://www.bardon.com/pwdcrack.htm
Reference: BID:1801
Reference: URL:http://www.securityfocus.com/bid/1801
Reference: XF:winu-backdoor
Reference: URL:http://xforce.iss.net/static/5376.php
Votes:
ACCEPT(4) Armstrong, Cole, Frech, Mell
Name: CVE-2000-0997
Description:
Format string vulnerabilities in eeprom program in OpenBSD, NetBSD,
and possibly other operating systems allows local attackers to gain
root privileges.
Status: Candidate
Phase: Proposed (20001129)
Reference: OPENBSD:20001006 There are printf-style format string bugs in several privileged programs.
Reference: MISC:ftp://ftp.openbsd.org/pub/OpenBSD/patches/2.7/common/028_format_strings.patch
Reference: BID:1752
Reference: URL:http://www.securityfocus.com/bid/1752
Reference: XF:bsd-eeprom-format
Reference: URL:http://xforce.iss.net/static/5337.php
Votes:
ACCEPT(3) Cole, Frech, Mell
NOOP(1) Wall
Name: CVE-2000-0998
Description:
Format string vulnerability in top program allows local attackers to
gain root privileges via the "kill" or "renice" function.
Status: Candidate
Phase: Proposed (20001129)
Reference: OPENBSD:20001006 There are printf-style format string bugs in several privileged programs.
Reference: MISC:ftp://ftp.openbsd.org/pub/OpenBSD/patches/2.7/common/028_format_strings.patch
Reference: FREEBSD:FreeBSD-SA-00:62
Reference: URL:ftp://ftp.FreeBSD.org/pub/FreeBSD/CERT/advisories/FreeBSD-SA-00:62.top.v1.1.asc
Reference: BID:1895
Reference: URL:http://www.securityfocus.com/bid/1895
Votes:
ACCEPT(3) Cole, Collins, Mell
MODIFY(1) Frech
NOOP(2) Christey, Wall
Voter Comments:
Frech> XF:top-format-string(5486)
Christey> BUGTRAQ:20011114 SCO skunkware top format strings issue
URL:http://marc.theaimsgroup.com/?l=bugtraq&m=100576637928933&w=2
Name: CVE-2000-0999
Description:
Format string vulnerabilities in OpenBSD ssh program (and possibly
other BSD-based operating systems) allow attackers to gain root
privileges.
Status: Candidate
Phase: Proposed (20001129)
Reference: OPENBSD:20001006 There are printf-style format string bugs in several privileged programs.
Reference: MISC:ftp://ftp.openbsd.org/pub/OpenBSD/patches/2.7/common/028_format_strings.patch
Votes:
ACCEPT(1) Cole
MODIFY(1) Frech
NOOP(2) Mell, Wall
Voter Comments:
Frech> XF:bsd-ssh-format(5637)
Name: CVE-2000-1008
Description:
PalmOS 3.5.2 and earlier uses weak encryption to store the user
password, which allows attackers with physical access to the Palm
device to decrypt the password and gain access to the device.
Status: Candidate
Phase: Modified (20010116-01)
Reference: ATSTAKE:A092600-1
Reference: URL:http://www.atstake.com/research/advisories/2000/a092600-1.txt
Reference: BID:1715
Reference: URL:http://www.securityfocus.com/bid/1715
Votes:
ACCEPT(2) Cole, Mell
MODIFY(1) Frech
NOOP(1) Wall
Voter Comments:
Frech> XF:palm-weak-encryption(5308)
Name: CVE-2000-1009
Description:
dump in Red Hat Linux 6.2 trusts the pathname specified by the RSH
environmental variable, which allows local users to obtain root
privileges by modifying the RSH variable to point to a Trojan horse
program.
Status: Candidate
Phase: Proposed (20001129)
Reference: BUGTRAQ:20001030 Redhat 6.2 dump command executes external program with suid priviledge.
Reference: URL:http://archives.neohapsis.com/archives/bugtraq/2000-10/0438.html
Reference: BID:1871
Reference: URL:http://www.securityfocus.com/bid/1871
Reference: XF:linux-dump-execute-code
Reference: URL:http://xforce.iss.net/static/5437.php
Votes:
ACCEPT(5) Baker, Cole, Frech, Mell, Renaud
NOOP(1) Christey
Voter Comments:
Christey> http://www.redhat.com/support/errata/RHSA-2000-100.html
ADDREF BUGTRAQ:20001103 Trustix Security Advisory - dump
http://archives.neohapsis.com/archives/bugtraq/2000-11/0026.html
Christey> CERT-VN:VU#153653
URL:http://www.kb.cert.org/vuls/id/153653
Name: CVE-2000-1012
Description:
The catopen function in FreeBSD 5.0 and earlier, and possibly other
OSes, allows local users to read arbitrary files via the LANG
environmental variable.
Status: Candidate
Phase: Proposed (20001129)
Reference: FREEBSD:FreeBSD-SA-00:53
Reference: URL:ftp://ftp.FreeBSD.org/pub/FreeBSD/CERT/advisories/FreeBSD-SA-00:53.catopen.asc
Votes:
ACCEPT(3) Cole, Collins, Mell
MODIFY(1) Frech
NOOP(1) Wall
Voter Comments:
Frech> XF:freebsd-display-read-files(5645)
Name: CVE-2000-1013
Description:
The setlocale function in FreeBSD 5.0 and earlier, and possibly other
OSes, allows local users to read arbitrary files via the LANG
environmental variable.
Status: Candidate
Phase: Proposed (20001129)
Reference: FREEBSD:FreeBSD-SA-00:53
Reference: URL:ftp://ftp.FreeBSD.org/pub/FreeBSD/CERT/advisories/FreeBSD-SA-00:53.catopen.asc
Votes:
ACCEPT(2) Cole, Mell
MODIFY(1) Frech
NOOP(1) Wall
Voter Comments:
Frech> XF:freebsd-display-read-files(5645)
Name: CVE-2000-1015
Description:
The default configuration of Slashcode before version 2.0 Alpha has a
default administrative password, which allows remote attackers to gain
Slashcode priviliges and possibly execute arbitrary commands.
Status: Candidate
Phase: Proposed (20001129)
Reference: BUGTRAQ:20000929 Default admin password with Slashcode.
Reference: URL:http://archives.neohapsis.com/archives/bugtraq/2000-09/0366.html
Reference: BID:1731
Reference: URL:http://www.securityfocus.com/bid/1731
Reference: XF:slashcode-default-admin-passwords
Reference: URL:http://xforce.iss.net/static/5306.php
Votes:
ACCEPT(4) Cole, Collins, Frech, Mell
NOOP(1) Wall
Name: CVE-2000-1017
Description:
Webteachers Webdata allows remote attackers with valid Webdata
accounts to read arbitrary files by posting a request to import the
file into the WebData database.
Status: Candidate
Phase: Proposed (20001129)
Reference: BUGTRAQ:20001002 DST2K0039: Webteachers Webdata: Importing files lower than web ro ot possible in to database
Reference: URL:http://archives.neohapsis.com/archives/bugtraq/2000-10/0007.html
Reference: BUGTRAQ:20001003 Update to DST2K0039: Webteachers Webdata: Importing files lower t han web root possible in to database
Reference: URL:http://archives.neohapsis.com/archives/bugtraq/2000-10/0032.html
Reference: BID:1732
Reference: URL:http://www.securityfocus.com/bid/1732
Votes:
ACCEPT(2) Frech, Mell
NOOP(2) Cole, Wall
Name: CVE-2000-1020
Description:
Heap overflow in Worldclient in Mdaemon 3.1.1 and earlier allows
remote attackers to cause a denial of service and possibly execute
arbitrary commands via a long URL.
Status: Candidate
Phase: Proposed (20001129)
Reference: BUGTRAQ:20000917 VIGILANTE-2000012: Mdaemon Web Services Heap Overflow DoS
Reference: URL:http://marc.theaimsgroup.com/?l=bugtraq&m=96925269716274&w=2
Reference: BID:1689
Reference: URL:http://www.securityfocus.com/bid/1689
Reference: XF:mdaemon-url-dos
Reference: URL:http://xforce.iss.net/static/5250.php
Votes:
ACCEPT(4) Baker, Cole, Collins, Mell
NOOP(1) Wall
Name: CVE-2000-1021
Description:
Heap overflow in WebConfig in Mdaemon 3.1.1 and earlier allows remote
attackers to cause a denial of service and possibly execute arbitrary
commands via a long URL.
Status: Candidate
Phase: Proposed (20001129)
Reference: BUGTRAQ:20000917 VIGILANTE-2000012: Mdaemon Web Services Heap Overflow DoS
Reference: URL:http://marc.theaimsgroup.com/?l=bugtraq&m=96925269716274&w=2
Reference: BID:1689
Reference: URL:http://www.securityfocus.com/bid/1689
Reference: XF:mdaemon-url-dos
Reference: URL:http://xforce.iss.net/static/5250.php
Votes:
ACCEPT(4) Baker, Cole, Collins, Mell
NOOP(1) Wall
Name: CVE-2000-1023
Description:
The Alabanza Control Panel does not require passwords to access
administrative commands, which allows remote attackers to modify
domain name information via the nsManager.cgi CGI program.
Status: Candidate
Phase: Proposed (20001129)
Reference: BUGTRAQ:20000924 Major Vulnerability in Alabanza Control Panel
Reference: URL:http://www.securityfocus.com/archive/1/84766
Reference: BID:1710
Reference: URL:http://www.securityfocus.com/bid/1710
Reference: XF:alabanza-unauthorized-access
Reference: URL:http://xforce.iss.net/static/5284.php
Votes:
ACCEPT(2) Collins, Mell
NOOP(2) Cole, Wall
REJECT(1) Baker
Voter Comments:
Baker> I agree with Steve that this appears to be an on-line applet, accessible from their server only.
CHANGE> [Baker changed vote from REVIEWING to REJECT]
Name: CVE-2000-1025
Description:
eWave ServletExec JSP/Java servlet engine, versions 3.0C and earlier,
allows remote attackers to cause a denial of service via a URL that
contains the "/servlet/" string, which invokes the ServletExec servlet
and causes an exception if the servlet is already running.
Status: Candidate
Phase: Proposed (20001129)
Reference: BUGTRAQ:20001030 Unify eWave ServletExec DoS
Reference: URL:http://marc.theaimsgroup.com/?l=bugtraq&m=97295224226042&w=2
Reference: BID:1868
Reference: URL:http://www.securityfocus.com/bid/1868
Reference: XF:ewave-servletexec-dos
Reference: URL:http://xforce.iss.net/static/5435.php
Votes:
ACCEPT(2) Frech, Mell
NOOP(1) Cole
Name: CVE-2000-1028
Description:
Buffer overflow in cu program in HP-UX 11.0 may allow local users to
gain privileges via a long -l command line argument.
Status: Candidate
Phase: Modified (20010119-01)
Reference: BUGTRAQ:20001102 HPUX cu -l option buffer overflow vulnerabilit
Reference: URL:http://www.securityfocus.com/archive/1/142792
Reference: BID:1886
Reference: URL:http://www.securityfocus.com/bid/1886
Reference: XF:hp-cu-bo(5460)
Votes:
ACCEPT(1) Mell
MODIFY(1) Frech
NOOP(2) Cole, Renaud
Voter Comments:
Frech> XF:hp-cu-bo(5460)
Name: CVE-2000-1029
Description:
Buffer overflow in host command allows a remote attacker to execute
arbitrary commands via a long response to an AXFR query.
Status: Candidate
Phase: Modified (20010119-01)
Reference: BUGTRAQ:20001027 old version of host command vulnearbility
Reference: URL:http://www.securityfocus.com/archive/1/141660
Reference: BID:1887
Reference: URL:http://www.securityfocus.com/bid/1887
Reference: XF:isc-bind-axfr-bo(5462)
Votes:
ACCEPT(1) Mell
MODIFY(1) Frech
NOOP(2) Cole, Renaud
Voter Comments:
Frech> XF:isc-bind-axfr-bo(5462)
Name: CVE-2000-1030
Description:
CS&T CorporateTime for the Web returns different error messages for
invalid usernames and invalid passwords, which allows remote attackers
to determine valid usernames on the server.
Status: Candidate
Phase: Modified (20010119-01)
Reference: BUGTRAQ:20001031 Re: Samba 2.0.7 SWAT vulnerabilities
Reference: URL:http://www.securityfocus.com/archive/1/142672
Reference: BID:1888
Reference: URL:http://www.securityfocus.com/bid/1888
Reference: XF:corporatetime-brute-force(5529)
Votes:
ACCEPT(1) Mell
MODIFY(1) Frech
NOOP(1) Cole
Voter Comments:
Frech> XF:corporatetime-brute-force(5529)
Name: CVE-2000-1033
Description:
Serv-U FTP Server allows remote attackers to bypass its anti-hammering
feature by first logging on as a valid user (possibly anonymous) and
then attempting to guess the passwords of other users.
Status: Candidate
Phase: Proposed (20001129)
Reference: BUGTRAQ:20001029 Brute Forcing FTP Servers with enabled anti-hammering (anti brute-force) modus
Reference: URL:http://www.securityfocus.com/archive/1/141905
Reference: BID:1860
Reference: URL:http://www.securityfocus.com/bid/1860
Reference: XF:ftp-servu-brute-force
Reference: URL:http://xforce.iss.net/static/5436.php
Votes:
ACCEPT(2) Frech, Mell
NOOP(1) Cole
Name: CVE-2000-1035
Description:
Buffer overflows in TYPSoft FTP Server 0.78 and earlier allows remote
attackers to cause a denial of service and possibly execute arbitrary
commands via a long USER, PASS, or CWD command.
Status: Candidate
Phase: Proposed (20001129)
Reference: BUGTRAQ:20000912 TYPSoft FTP Server remote DoS Problem
Reference: URL:http://marc.theaimsgroup.com/?l=bugtraq&m=96879389027478&w=2
Reference: MISC:http://www.synnergy.net/Archives/Advisories/dethy/typsoft-ftpd.txt
Reference: BID:1690
Reference: URL:http://www.securityfocus.com/bid/1690
Votes:
ACCEPT(1) Mell
MODIFY(1) Baker
NOOP(2) Cole, Wall
Voter Comments:
CHANGE> [Baker changed vote from NOOP to MODIFY]
Baker> http://www.synnergy.net/downloads/advisories/SLA-2000-07.typsoft-ftpd.txt
Name: CVE-2000-1037
Description:
Check Point Firewall-1 session agent 3.0 through 4.1 generates
different error messages for invalid user names versus invalid
passwords, which allows remote attackers to determine valid usernames
and guess a password via a brute force attack.
Status: Candidate
Phase: Proposed (20001129)
Reference: BUGTRAQ:20000815 Firewall-1 session agent 3.0 -> 4.1, dictionnary and brute force attack
Reference: URL:http://www.securityfocus.com/archive/1/76389
Reference: BID:1662
Reference: URL:http://www.securityfocus.com/bid/1662
Votes:
ACCEPT(2) Baker, Mell
NOOP(2) Cole, Wall
Name: CVE-2000-1039
Description:
Various TCP/IP stacks and network applications allow remote attackers
to cause a denial of service by flooding a target host with TCP
connection attempts and completing the TCP/IP handshake without
maintaining the connection state on the attacker host, aka the
"NAPTHA" class of vulnerabilities. NOTE: this candidate may change
significantly as the security community discusses the technical
nature of NAPTHA and learns more about the affected applications.
This candidate is at a higher level of abstraction than is typical for
CVE.
Status: Candidate
Phase: Proposed (20001219)
Reference: BINDVIEW:20001130 The NAPTHA DoS vulnerabilities
Reference: URL:http://razor.bindview.com/publish/advisories/adv_NAPTHA.html
Reference: WIN2KSEC:20001204 NAPTHA Advisory Updated - BindView RAZOR
Reference: URL:http://archives.neohapsis.com/archives/win2ksecadvice/2000-q4/0105.html
Reference: CERT:CA-2000-21
Reference: URL:http://www.cert.org/advisories/CA-2000-21.html
Reference: MS:MS00-091
Reference: URL:http://www.microsoft.com/technet/security/bulletin/MS00-091.asp
Reference: BID:2022
Reference: URL:http://www.securityfocus.com/bid/2022
Votes:
ACCEPT(3) Baker, Cole, Renaud
MODIFY(1) Frech
NOOP(2) Magdych, Wall
REVIEWING(1) Christey
Voter Comments:
Baker> Although this is at a high level, the fact is that it is a vulnerability, and as such we need to recognize this, even if we have to recast or modify the description at some later time.
Christey> This needs to be commented on and reviewed by many Board
members.
Frech> XF:naptha-resource-starvation(5810)
Christey> ADDREF SGI:20020304-01-A
Christey> SGI:20020304-01-A
Name: CVE-2000-1046
Description:
Multiple buffer overflows in the ESMTP service of Lotus Domino 5.0.2c
and earlier allow remote attackers to cause a denial of service and
possibly execute arbitrary code via long (1) "RCPT TO," (2) "SAML
FROM," or (3) "SOML FROM" commands.
Status: Candidate
Phase: Modified (20040723)
Reference: BUGTRAQ:20000911 Advisory Code: VIGILANTE-2000011 Lotus Domino ESMTP Service Buffer overflow
Reference: URL:http://archives.neohapsis.com/archives/bugtraq/2000-09/0093.html
Votes:
ACCEPT(2) Baker, Mell
MODIFY(1) Collins
NOOP(2) Cole, Wall
Voter Comments:
Collins> http://www.synnergy.net/downloads/advisories/SLA-2000-07.typsoft-ftpd.txt
Baker> Reference by Collins was entered into the wrong CAN Entry...
It should have been for 2000-1035, not this CAN
CHANGE> [Baker changed vote from REVIEWING to ACCEPT]
Name: CVE-2000-1048
Description:
Directory traversal vulnerability in the logfile service of Wingate
4.1 Beta A and earlier allows remote attackers to read arbitrary files
via a .. (dot dot) attack via an HTTP GET request that uses encoded
characters in the URL.
Status: Candidate
Phase: Proposed (20001129)
Reference: BUGTRAQ:20001016 Wingate 4.1 Beta A vulnerability
Reference: URL:http://archives.neohapsis.com/archives/bugtraq/2000-10/0245.html
Reference: XF:wingate-view-files
Reference: URL:http://xforce.iss.net/static/5373.php
Votes:
ACCEPT(3) Baker, Frech, Mell
NOOP(2) Armstrong, Cole
Name: CVE-2000-1052
Description:
Allaire JRun 2.3 server allows remote attackers to obtain source code
for executable content by directly calling the SSIFilter servlet.
Status: Candidate
Phase: Proposed (20001129)
Reference: BUGTRAQ:20001023 Allaire JRUN 2.3 Arbitrary File Retrieval
Reference: URL:http://marc.theaimsgroup.com/?l=bugtraq&m=97236692714978&w=2
Votes:
ACCEPT(3) Armstrong, Cole, Mell
MODIFY(1) Frech
Voter Comments:
Frech> XF:allaire-jrun-ssifilter-url(5405)
Name: CVE-2000-1053
Description:
Allaire JRun 2.3.3 server allows remote attackers to compile and
execute JSP code by inserting it via a cross-site scripting (CSS)
attack and directly calling the com.livesoftware.jrun.plugins.JSP JSP
servlet.
Status: Candidate
Phase: Proposed (20001129)
Reference: BUGTRAQ:20001023 Allaire JRUN 2.3 Remote command execution
Reference: URL:http://marc.theaimsgroup.com/?l=bugtraq&m=97236125107957&w=2
Reference: ALLAIRE:ASB00-029
Reference: URL:http://www.allaire.com/handlers/index.cfm?ID=17969&Method=Full
Reference: XF:allaire-jrun-jsp-execute
Reference: URL:http://xforce.iss.net/static/5406.php
Votes:
ACCEPT(4) Armstrong, Cole, Frech, Mell
Name: CVE-2000-1062
Description:
Buffer overflow in the FTP service in HP JetDirect printer card
Firmware x.08.20 and earlier allows remote attackers to cause a denial
of service.
Status: Candidate
Phase: Proposed (20001129)
Reference: BUGTRAQ:20001010 VIGILANTE-2000014: HP Jetdirect multiple DoS
Reference: URL:http://marc.theaimsgroup.com/?l=bugtraq&m=97119729613778&w=2
Reference: BID:1775
Reference: URL:http://www.securityfocus.com/bid/1775
Reference: XF:hp-jetdirect-firmware-dos
Reference: URL:http://xforce.iss.net/static/5353.php
Votes:
ACCEPT(3) Baker, Frech, Mell
NOOP(1) Cole
Name: CVE-2000-1063
Description:
Buffer overflow in the Telnet service in HP JetDirect printer card
Firmware x.08.20 and earlier allows remote attackers to cause a denial
of service.
Status: Candidate
Phase: Proposed (20001129)
Reference: BUGTRAQ:20001010 VIGILANTE-2000014: HP Jetdirect multiple DoS
Reference: URL:http://marc.theaimsgroup.com/?l=bugtraq&m=97119729613778&w=2
Reference: BID:1775
Reference: URL:http://www.securityfocus.com/bid/1775
Reference: XF:hp-jetdirect-firmware-dos
Reference: URL:http://xforce.iss.net/static/5353.php
Votes:
ACCEPT(3) Cole, Frech, Mell
Name: CVE-2000-1064
Description:
Buffer overflow in the LPD service in HP JetDirect printer card
Firmware x.08.20 and earlier allows remote attackers to cause a denial
of service.
Status: Candidate
Phase: Proposed (20001129)
Reference: BUGTRAQ:20001010 VIGILANTE-2000014: HP Jetdirect multiple DoS
Reference: URL:http://marc.theaimsgroup.com/?l=bugtraq&m=97119729613778&w=2
Reference: BID:1775
Reference: URL:http://www.securityfocus.com/bid/1775
Reference: XF:hp-jetdirect-firmware-dos
Reference: URL:http://xforce.iss.net/static/5353.php
Votes:
ACCEPT(3) Cole, Frech, Mell
Name: CVE-2000-1065
Description:
Vulnerability in IP implementation of HP JetDirect printer card
Firmware x.08.20 and earlier allows remote attackers to cause a denial
of service (printer crash) via a malformed packet.
Status: Candidate
Phase: Proposed (20001129)
Reference: BUGTRAQ:20001010 VIGILANTE-2000014: HP Jetdirect multiple DoS
Reference: URL:http://marc.theaimsgroup.com/?l=bugtraq&m=97119729613778&w=2
Reference: BID:1775
Reference: URL:http://www.securityfocus.com/bid/1775
Reference: XF:hp-jetdirect-ip-implementation
Reference: URL:http://xforce.iss.net/static/5354.php
Votes:
ACCEPT(3) Baker, Frech, Mell
NOOP(1) Cole
Name: CVE-2000-1066
Description:
The getnameinfo function in FreeBSD 4.1.1 and earlier, and possibly
other operating systems, allows a remote attacker to cause a denial of
service via a long DNS hostname.
Status: Candidate
Phase: Modified (20010119-01)
Reference: FREEBSD:FreeBSD-SA-00:63
Reference: URL:ftp://ftp.FreeBSD.org/pub/FreeBSD/CERT/advisories/FreeBSD-SA-00:63.getnameinfo.asc
Reference: BID:1894
Reference: URL:http://www.securityfocus.com/bid/1894
Reference: XF:getnameinfo-dos(5454)
Votes:
ACCEPT(2) Cole, Mell
MODIFY(1) Frech
NOOP(1) Renaud
Voter Comments:
Frech> XF:getnameinfo-dos(5454)
Name: CVE-2000-1076
Description:
Netscape (iPlanet) Certificate Management System 4.2 and Directory
Server 4.12 stores the administrative password in plaintext, which
could allow local and possibly remote attackers to gain administrative
privileges on the server.
Status: Candidate
Phase: Proposed (20001129)
Reference: BUGTRAQ:20001026 [CORE SDI ADVISORY] iPlanet Certificate Management System 4.2 path traversal bug
Reference: URL:http://archives.neohapsis.com/archives/bugtraq/2000-10/0383.html
Reference: XF:iplanet-netscape-plaintext-password
Reference: URL:http://xforce.iss.net/static/5422.php
Votes:
ACCEPT(3) Baker, Frech, Mell
NOOP(2) Christey, Cole
Voter Comments:
Christey> Partial vendor acknowledgement at:
http://docs.iplanet.com/docs/manuals/cms/42/relnotes/release_notes.html
"By default, Administration Server administrator's password
(also known as the SIE password) is stored in clear text in the
adm.conf file.
This does not usually pose a security threat because most
administrators use their Operating System's security features to
ensure that the file is protected from other users."
Name: CVE-2000-1078
Description:
ICQ Web Front HTTPd allows remote attackers to cause a denial of
service by requesting a URL that contains a "?" character.
Status: Candidate
Phase: Proposed (20001129)
Reference: BUGTRAQ:20001007 ICQ WebFront HTTPd DoS
Reference: URL:http://www.securityfocus.com/archive/1/138332
Reference: XF:icq-webfront-url-dos
Reference: URL:http://xforce.iss.net/static/5332.php
Votes:
ACCEPT(3) Baker, Frech, Mell
NOOP(2) Christey, Cole
Voter Comments:
Christey> The following post appears to describe the same problem, 7
months earlier:
BUGTRAQ:20000310 ICQ remote DoS
Name: CVE-2000-1079
Description:
Interactions between the CIFS Browser Protocol and NetBIOS as
implemented in Microsoft Windows 95, 98, NT, and 2000 allow remote
attackers to modify dynamic NetBIOS name cache entries via a spoofed
Browse Frame Request in a unicast or UDP broadcast datagram.
Status: Candidate
Phase: Modified (20061101)
Reference: NAI:20000829 Windows NetBIOS Unsolicited Cache Corruption
Reference: URL:http://www.nai.com/research/covert/advisories/045.asp
Reference: NTBUGTRAQ:20000829 Re: [COVERT-2000-10] Windows NetBIOS Unsolicited Cache Corruption
Reference: URL:http://archives.neohapsis.com/archives/ntbugtraq/2000-q3/0116.html
Reference: BID:1620
Reference: URL:http://www.securityfocus.com/bid/1620
Reference: XF:win-netbios-corrupt-cache
Reference: URL:http://xforce.iss.net/static/5168.php
Reference: OVAL:oval:org.mitre.oval:def:1079
Reference: URL:http://oval.mitre.org/repository/data/getDef?id=oval:org.mitre.oval:def:1079
Votes:
ACCEPT(3) Baker, Mell, Wall
NOOP(1) Cole
REVIEWING(1) Christey
Voter Comments:
Wall> No known exploit or patch yet.
Christey> This was a little controversial, if I recall correctly.
Name: CVE-2000-1081
Description:
The xp_displayparamstmt function in SQL Server and Microsoft SQL
Server Desktop Engine (MSDE) does not properly restrict the length of
a buffer before calling the srv_paraminfo function in the SQL Server
API for Extended Stored Procedures (XP), which allows an attacker to
cause a denial of service or execute arbitrary commands, aka the
"Extended Stored Procedure Parameter Parsing" vulnerability.
Status: Candidate
Phase: Modified (20061101)
Reference: ATSTAKE:20001201 Microsoft SQL Server extended stored procedure vulnerability
Reference: URL:http://marc.theaimsgroup.com/?l=bugtraq&m=97570878710037&w=2
Reference: MS:MS00-092
Reference: URL:http://www.microsoft.com/technet/security/bulletin/ms00-092.asp
Reference: BID:2030
Reference: URL:http://www.securityfocus.com/bid/2030
Reference: OVAL:oval:org.mitre.oval:def:231
Reference: URL:http://oval.mitre.org/repository/data/getDef?id=oval:org.mitre.oval:def:231
Votes:
ACCEPT(3) Baker, Cole, Magdych
MODIFY(1) Frech
NOOP(1) Christey
REVIEWING(1) Wall
Voter Comments:
Baker> ALready posted in refs
Christey> ADDREF XF:mssql-xp-paraminfo-bo
URL:http://xforce.iss.net/static/5622.php
Frech> XF:mssql-xp-paraminfo-bo(5622)
Name: CVE-2000-1082
Description:
The xp_enumresultset function in SQL Server and Microsoft SQL Server
Desktop Engine (MSDE) does not properly restrict the length of a
buffer before calling the srv_paraminfo function in the SQL Server API
for Extended Stored Procedures (XP), which allows an attacker to cause
a denial of service or execute arbitrary commands, aka the "Extended
Stored Procedure Parameter Parsing" vulnerability.
Status: Candidate
Phase: Proposed (20001219)
Reference: ATSTAKE:20001201 Microsoft SQL Server extended stored procedure vulnerability
Reference: URL:http://marc.theaimsgroup.com/?l=bugtraq&m=97570878710037&w=2
Reference: MS:MS00-092
Reference: URL:http://www.microsoft.com/technet/security/bulletin/ms00-092.asp
Reference: BID:2031
Reference: URL:http://www.securityfocus.com/bid/2031
Votes:
ACCEPT(3) Baker, Cole, Magdych
MODIFY(1) Frech
NOOP(1) Christey
REVIEWING(1) Wall
Voter Comments:
Christey> ADDREF XF:mssql-xp-paraminfo-bo
URL:http://xforce.iss.net/static/5622.php
Frech> XF:mssql-xp-paraminfo-bo(5622)
Name: CVE-2000-1083
Description:
The xp_showcolv function in SQL Server and Microsoft SQL Server
Desktop Engine (MSDE) does not properly restrict the length of a
buffer before calling the srv_paraminfo function in the SQL Server API
for Extended Stored Procedures (XP), which allows an attacker to cause
a denial of service or execute arbitrary commands, aka the "Extended
Stored Procedure Parameter Parsing" vulnerability.
Status: Candidate
Phase: Proposed (20001219)
Reference: ATSTAKE:20001201 Microsoft SQL Server extended stored procedure vulnerability
Reference: URL:http://marc.theaimsgroup.com/?l=bugtraq&m=97570878710037&w=2
Reference: MS:MS00-092
Reference: URL:http://www.microsoft.com/technet/security/bulletin/ms00-092.asp
Reference: BID:2038
Reference: URL:http://www.securityfocus.com/bid/2038
Votes:
ACCEPT(3) Baker, Cole, Magdych
MODIFY(1) Frech
NOOP(1) Christey
REVIEWING(1) Wall
Voter Comments:
Christey> ADDREF XF:mssql-xp-paraminfo-bo
URL:http://xforce.iss.net/static/5622.php
Frech> XF:mssql-xp-paraminfo-bo(5622)
Name: CVE-2000-1084
Description:
The xp_updatecolvbm function in SQL Server and Microsoft SQL Server
Desktop Engine (MSDE) does not properly restrict the length of a
buffer before calling the srv_paraminfo function in the SQL Server API
for Extended Stored Procedures (XP), which allows an attacker to cause
a denial of service or execute arbitrary commands, aka the "Extended
Stored Procedure Parameter Parsing" vulnerability.
Status: Candidate
Phase: Proposed (20001219)
Reference: ATSTAKE:20001201 Microsoft SQL Server extended stored procedure vulnerability
Reference: URL:http://marc.theaimsgroup.com/?l=bugtraq&m=97570878710037&w=2
Reference: MS:MS00-092
Reference: URL:http://www.microsoft.com/technet/security/bulletin/ms00-092.asp
Reference: BID:2039
Reference: URL:http://www.securityfocus.com/bid/2039
Votes:
ACCEPT(3) Baker, Cole, Magdych
MODIFY(1) Frech
NOOP(1) Christey
REVIEWING(1) Wall
Voter Comments:
Christey> ADDREF XF:mssql-xp-paraminfo-bo
URL:http://xforce.iss.net/static/5622.php
Frech> XF:mssql-xp-paraminfo-bo(5622)
Name: CVE-2000-1085
Description:
The xp_peekqueue function in Microsoft SQL Server 2000 and SQL Server
Desktop Engine (MSDE) does not properly restrict the length of a
buffer before calling the srv_paraminfo function in the SQL Server API
for Extended Stored Procedures (XP), which allows an attacker to cause
a denial of service or execute arbitrary commands, aka the "Extended
Stored Procedure Parameter Parsing" vulnerability.
Status: Candidate
Phase: Proposed (20001219)
Reference: ATSTAKE:20001201 SQL Server 2000 Extended Stored Procedure Vulnerability
Reference: URL:http://marc.theaimsgroup.com/?l=bugtraq&m=97570884410184&w=2
Reference: MS:MS00-092
Reference: URL:http://www.microsoft.com/technet/security/bulletin/ms00-092.asp
Reference: BID:2040
Reference: URL:http://www.securityfocus.com/bid/2040
Votes:
ACCEPT(4) Baker, Cole, Magdych, Wall
MODIFY(1) Frech
REVIEWING(1) Christey
Voter Comments:
Christey> CVE-2000-1085, CVE-2000-1086, CVE-2000-1087, and CVE-2000-1088
all have abstraction issues; perhaps they should be RECAST
into a single candidate.
Christey> ADDREF XF:mssql-xp-paraminfo-bo
URL:http://xforce.iss.net/static/5622.php
Frech> XF:mssql-xp-paraminfo-bo(5622)
Name: CVE-2000-1086
Description:
The xp_printstatements function in Microsoft SQL Server 2000 and SQL
Server Desktop Engine (MSDE) does not properly restrict the length of
a buffer before calling the srv_paraminfo function in the SQL Server
API for Extended Stored Procedures (XP), which allows an attacker to
cause a denial of service or execute arbitrary commands, aka the
"Extended Stored Procedure Parameter Parsing" vulnerability.
Status: Candidate
Phase: Proposed (20001219)
Reference: ATSTAKE:20001201 SQL Server 2000 Extended Stored Procedure Vulnerability
Reference: URL:http://marc.theaimsgroup.com/?l=bugtraq&m=97570884410184&w=2
Reference: MS:MS00-092
Reference: URL:http://www.microsoft.com/technet/security/bulletin/ms00-092.asp
Reference: BID:2041
Reference: URL:http://www.securityfocus.com/bid/2041
Votes:
ACCEPT(4) Baker, Cole, Magdych, Wall
MODIFY(1) Frech
REVIEWING(1) Christey
Voter Comments:
Christey> CVE-2000-1085, CVE-2000-1086, CVE-2000-1087, and CVE-2000-1088
all have abstraction issues; perhaps they should be RECAST
into a single candidate.
Christey> ADDREF XF:mssql-xp-paraminfo-bo
URL:http://xforce.iss.net/static/5622.php
Frech> XF:mssql-xp-paraminfo-bo(5622)
Name: CVE-2000-1087
Description:
The xp_proxiedmetadata function in Microsoft SQL Server 2000 and SQL
Server Desktop Engine (MSDE) does not properly restrict the length of
a buffer before calling the srv_paraminfo function in the SQL Server
API for Extended Stored Procedures (XP), which allows an attacker to
cause a denial of service or execute arbitrary commands, aka the
"Extended Stored Procedure Parameter Parsing" vulnerability.
Status: Candidate
Phase: Proposed (20001219)
Reference: ATSTAKE:20001201 SQL Server 2000 Extended Stored Procedure Vulnerability
Reference: URL:http://marc.theaimsgroup.com/?l=bugtraq&m=97570884410184&w=2
Reference: MS:MS00-092
Reference: URL:http://www.microsoft.com/technet/security/bulletin/ms00-092.asp
Reference: BID:2042
Reference: URL:http://www.securityfocus.com/bid/2042
Votes:
ACCEPT(4) Baker, Cole, Magdych, Wall
MODIFY(1) Frech
REVIEWING(1) Christey
Voter Comments:
Christey> CVE-2000-1085, CVE-2000-1086, CVE-2000-1087, and CVE-2000-1088
all have abstraction issues; perhaps they should be RECAST
into a single candidate.
Christey> ADDREF XF:mssql-xp-paraminfo-bo
URL:http://xforce.iss.net/static/5622.php
Frech> XF:mssql-xp-paraminfo-bo(5622)
Name: CVE-2000-1088
Description:
The xp_SetSQLSecurity function in Microsoft SQL Server 2000 and SQL
Server Desktop Engine (MSDE) does not properly restrict the length of
a buffer before calling the srv_paraminfo function in the SQL Server
API for Extended Stored Procedures (XP), which allows an attacker to
cause a denial of service or execute arbitrary commands, aka the
"Extended Stored Procedure Parameter Parsing" vulnerability.
Status: Candidate
Phase: Proposed (20001219)
Reference: ATSTAKE:20001201 SQL Server 2000 Extended Stored Procedure Vulnerability
Reference: URL:http://marc.theaimsgroup.com/?l=bugtraq&m=97570884410184&w=2
Reference: MS:MS00-092
Reference: URL:http://www.microsoft.com/technet/security/bulletin/ms00-092.asp
Reference: BID:2043
Reference: URL:http://www.securityfocus.com/bid/2043
Votes:
ACCEPT(4) Baker, Cole, Magdych, Wall
MODIFY(1) Frech
REVIEWING(1) Christey
Voter Comments:
Christey> CVE-2000-1085, CVE-2000-1086, CVE-2000-1087, and CVE-2000-1088
all have abstraction issues; perhaps they should be RECAST
into a single candidate.
Christey> ADDREF XF:mssql-xp-paraminfo-bo
URL:http://xforce.iss.net/static/5622.php
Frech> XF:mssql-xp-paraminfo-bo(5622)
Name: CVE-2000-1090
Description:
Microsoft IIS for Far East editions 4.0 and 5.0 allows remote attackers
to read source code for parsed pages via a malformed URL that uses the
lead-byte of a double-byte character.
Status: Candidate
Phase: Proposed (20010202)
Reference: MISC:http://www.nsfocus.com/english/homepage/sa_08.htm
Reference: BID:2100
Reference: URL:http://www.securityfocus.com/bid/2100
Reference: XF:microsoft-iis-file-disclosure
Reference: URL:http://xforce.iss.net/static/5729.php
Votes:
ACCEPT(3) Baker, Frech, LeBlanc
NOOP(1) Cole
REVIEWING(3) Christey, Wall, Ziese
Voter Comments:
LeBlanc> Fixed in SP2 for Win2K. NT 4.0 is not affected. bulletin
MS99-022
Christey> Need to add the Bugtraq references for this.
CHANGE> [Christey changed vote from NOOP to REVIEWING]
Christey> Is this really the same problem addressed by MS99-022,
which is covered by CVE-1999-0725 ?
Name: CVE-2000-1092
Description:
loadpage.cgi CGI program in EZshopper 3.0 and 2.0 allows remote
attackers to list and read files in the EZshopper data directory by
inserting a "/" in front of the target filename in the "file"
parameter.
Status: Candidate
Phase: Modified (20020327-01)
Reference: BUGTRAQ:20001213 NSFOCUS SA2000-09 : AHG EZshopper Loadpage.cgi File List
Reference: URL:http://marc.theaimsgroup.com/?l=bugtraq&m=97676270729984&w=2
Reference: BID:2109
Reference: URL:http://www.securityfocus.com/bid/2109
Reference: XF:ezshopper-cgi-file-disclosure(5740)
Reference: URL:http://xforce.iss.net/static/5740.php
Votes:
ACCEPT(1) Baker
MODIFY(1) Frech
NOOP(4) Christey, Cole, Magdych, Wall
Voter Comments:
Christey> This is documented in an NSFOCUS security advisory released
sometime around December 11. Also, it's BID:2109.
Christey> BUGTRAQ:20001213 NSFOCUS SA2000-09 : AHG EZshopper Loadpage.cgi File List
http://marc.theaimsgroup.com/?l=bugtraq&m=97676270729984&w=2
XF:ezshopper-cgi-file-disclosure
URL:http://xforce.iss.net/static/5740.php
Frech> XF:ezshopper-cgi-file-disclosure(5740)
Christey> Followup posts indicate that this problem may have been
discovered earlier than 20001213.
Name: CVE-2000-1093
Description:
Buffer overflow in AOL Instant Messenger before 4.3.2229 allows remote
attackers to execute arbitrary commands via a long "goim" command.
Status: Candidate
Phase: Modified (20010417-01)
Reference: ATSTAKE:A121200-1
Reference: URL:http://www.atstake.com/research/advisories/2000/a121200-1.txt
Reference: XF:aim-remote-bo(5732)
Votes:
ACCEPT(2) Baker, Wall
MODIFY(1) Frech
NOOP(1) Cole
REVIEWING(1) Christey
Voter Comments:
Frech> XF:aim-remote-bo(5732)
Christey> CD:SF-LOC as currently written suggests merging this with
CVE-2000-1094, since both describe buffer overflows in the
same software version.
Christey> Consider adding BID:2118
Name: CVE-2000-1098
Description:
The web server for the SonicWALL SOHO firewall allows remote attackers
to cause a denial of service via an empty GET or POST request.
Status: Candidate
Phase: Interim (20010117)
Reference: BUGTRAQ:20001201 Re: DoS in Sonicwall SOHO firewall
Reference: URL:http://archives.neohapsis.com/archives/bugtraq/2000-11/0439.html
Reference: BUGTRAQ:20001201 FW: SonicWALL SOHO Vulnerability (fwd)
Reference: URL:http://archives.neohapsis.com/archives/bugtraq/2000-11/0435.html
Votes:
ACCEPT(2) Baker, Cole
MODIFY(1) Frech
NOOP(1) Wall
Voter Comments:
Frech> The company's name is SonicWALL.
CHANGE> [Frech changed vote from REVIEWING to MODIFY]
Frech> XF:sonicwall-empty-request-dos(6042)
The company's name is SonicWALL.
Name: CVE-2000-1100
Description:
The default configuration for PostACI webmail system installs the
/includes/global.inc configuration file within the web root, which
allows remote attackers to read sensitive information such as database
usernames and passwords via a direct HTTP GET request.
Status: Candidate
Phase: Proposed (20001219)
Reference: BUGTRAQ:20001130 PostACI Webmail Vulnerability
Reference: URL:http://archives.neohapsis.com/archives/bugtraq/2000-11/0433.html
Reference: BID:2029
Reference: URL:http://www.securityfocus.com/bid/2029
Votes:
ACCEPT(1) Baker
MODIFY(1) Frech
NOOP(2) Cole, Wall
Voter Comments:
Frech> XF:postaci-webmail-reveal-passwords(5612)
Name: CVE-2000-1102
Description:
PTlink IRCD 3.5.3 and PTlink Services 1.8.1 allow remote attackers to
cause a denial of service (server crash) via "mode +owgscfxeb" and
"oper" commands.
Status: Candidate
Phase: Proposed (20001219)
Reference: BID:2008
Reference: URL:http://www.securityfocus.com/bid/2008
Reference: BUGTRAQ:20001126 Vulnerablity in PTlink3.5.3ircd + PTlink.Services.1.8.1...
Reference: URL:http://www.securityfocus.com/archive/1/147115
Votes:
ACCEPT(2) Baker, Cole
MODIFY(1) Frech
NOOP(1) Wall
Voter Comments:
Frech> XF:ptlink-ircd-mode-dos(5589)
Name: CVE-2000-1103
Description:
rcvtty in BSD 3.0 and 4.0 does not properly drop privileges before
executing a script, which allows local attackers to gain privileges by
specifying an alternate Trojan horse script on the command line.
Status: Candidate
Phase: Proposed (20001219)
Reference: BUGTRAQ:20001127 BSDi 3.0/4.0 rcvtty gid=tty exploit... (mh package)
Reference: URL:http://www.securityfocus.com/archive/1/147120
Reference: BID:2009
Reference: URL:http://www.securityfocus.com/bid/2009
Votes:
ACCEPT(1) Baker
MODIFY(1) Frech
NOOP(2) Cole, Wall
Voter Comments:
Frech> XF:rcvtty-elevate-privileges(5587)
Name: CVE-2000-1104
Description:
Variant of the "IIS Cross-Site Scripting" vulnerability as originally
discussed in MS:MS00-060 (CVE-2000-0746) allows a malicious web site
operator to embed scripts in a link to a trusted site, which are
returned without quoting in an error message back to the client. The
client then executes those scripts in the same context as the trusted
site.
Status: Candidate
Phase: Proposed (20001219)
Reference: MS:MS00-060
Reference: URL:http://www.microsoft.com/technet/security/bulletin/ms00-060.asp
Votes:
ACCEPT(3) Baker, Cole, Wall
MODIFY(1) Frech
Voter Comments:
Frech> XF:iis-cross-site-scripting(5156)
Name: CVE-2000-1105
Description:
The ixsso.query ActiveX Object is marked as safe for scripting, which
allows malicious web site operators to embed a script that remotely
determines the existence of files on visiting Windows 2000 systems
that have Indexing Services enabled.
Status: Candidate
Phase: Proposed (20001219)
Reference: BUGTRAQ:20001110 IE 5.x Win2000 Indexing service vulnerability
Reference: URL:http://www.securityfocus.com/archive/1/144270
Reference: WIN2KSEC:20001110 IE 5.x Win2000 Indexing service vulnerability
Reference: URL:http://archives.neohapsis.com/archives/win2ksecadvice/2000-q4/0074.html
Reference: BID:1933
Reference: URL:http://www.securityfocus.com/bid/1933
Votes:
ACCEPT(2) Baker, Cole
MODIFY(1) Frech
REVIEWING(2) Christey, Wall
Voter Comments:
Frech> XF:win2k-index-service-ixsso(5502)
Christey> ADDREF MS:MS00-098
ADDREF XF:win2k-index-service-activex
URL:http://xforce.iss.net/static/5800.php
Add 'aka the "Indexing Service File Enumeration" vulnerability'
to the description.
CHANGE> [Christey changed vote from NOOP to REVIEWING]
Christey> DUPE CVE-2001-0245? Need to check w/Microsoft.
Name: CVE-2000-1110
Description:
document.d2w CGI program in the IBM Net.Data db2www package allows
remote attackers to determine the physical path of the web server by
sending a nonexistent command to the program.
Status: Candidate
Phase: Proposed (20001219)
Reference: BUGTRAQ:20001128 IBM Net.Data Local Path Disclosure Vulnerability?
Reference: URL:http://archives.neohapsis.com/archives/bugtraq/2000-11/0384.html
Reference: BID:2017
Reference: URL:http://www.securityfocus.com/bid/2017
Votes:
ACCEPT(1) Baker
MODIFY(1) Frech
NOOP(2) Cole, Wall
Voter Comments:
Frech> XF:ibm-netdata-reveal-path(5599)
Name: CVE-2000-1114
Description:
Unify ServletExec AS v3.0C allows remote attackers to read source code
for JSP pages via an HTTP request that ends with characters such as
".", or "+", or "%20".
Status: Candidate
Phase: Proposed (20001219)
Reference: BUGTRAQ:20001121 Disclosure of JSP source code with ServletExec AS v3.0c + web ins tance
Reference: URL:http://archives.neohapsis.com/archives/bugtraq/2000-11/0285.html
Reference: BID:1970
Reference: URL:http://www.securityfocus.com/bid/1970
Votes:
ACCEPT(1) Baker
MODIFY(1) Frech
NOOP(2) Cole, Wall
Voter Comments:
Frech> XF:ewave-jsp-source-read(5562)
Name: CVE-2000-1116
Description:
Buffer overflow in TransSoft Broker FTP Server before 4.3.0.1 allows
remote attackers to cause a denial of service and possibly execute
arbitrary commands via a long command.
Status: Candidate
Phase: Proposed (20001219)
Reference: WIN2KSEC:20001018 TransSoft's Broker FTP Server 3.x & 4.x Remote DoS attack Vulnerability
Reference: URL:http://archives.neohapsis.com/archives/win2ksecadvice/2000-q4/0041.html
Reference: XF:broker-ftp-username-dos
Reference: URL:http://xforce.iss.net/static/5388.php
Votes:
MODIFY(1) Frech
NOOP(2) Cole, Wall
Voter Comments:
Frech> XF:broker-user-dos(3482)
Name: CVE-2000-1117
Description:
The Extended Control List (ECL) feature of the Java Virtual Machine
(JVM) in Lotus Notes Client R5 allows malicious web site operators to
determine the existence of files on the client by measuring delays in
the execution of the getSystemResource method.
Status: Candidate
Phase: Proposed (20001219)
Reference: BUGTRAQ:20001124 Security Hole in ECL Feature of Java VM Embedded in Lotus Notes Client R5
Reference: URL:http://archives.neohapsis.com/archives/bugtraq/2000-11/0341.html
Reference: BID:1994
Reference: URL:http://www.securityfocus.com/bid/1994
Votes:
ACCEPT(1) Baker
MODIFY(1) Frech
NOOP(2) Cole, Wall
Voter Comments:
Frech> XF:lotus-notes-verify-files(5565)
Name: CVE-2000-1118
Description:
24Link 1.06 web server allows remote attackers to bypass access
restrictions by prepending strings such as "/+/" or "/." to the HTTP
GET request.
Status: Candidate
Phase: Proposed (20001219)
Reference: BUGTRAQ:20001127 24Link Webserver
Reference: URL:http://archives.neohapsis.com/archives/bugtraq/2000-11/0369.html
Votes:
ACCEPT(1) Baker
MODIFY(1) Frech
NOOP(2) Cole, Wall
Voter Comments:
Frech> XF:24link-bypass-authentication(5930)
Name: CVE-2000-1125
Description:
restore 0.4b15 and earlier in Red Hat Linux 6.2 trusts the pathname
specified by the RSH environmental variable, which allows local users
to obtain root privileges by modifying the RSH variable to point to a
Trojan horse program.
Status: Candidate
Phase: Proposed (20001219)
Reference: BUGTRAQ:20001104 Redhat 6.2 restore exploit
Reference: URL:http://marc.theaimsgroup.com/?l=bugtraq&m=97336034309944&w=2
Reference: BID:1914
Reference: URL:http://www.securityfocus.com/bid/1914
Votes:
ACCEPT(2) Baker, Cole
MODIFY(1) Frech
NOOP(2) Christey, Wall
Voter Comments:
Frech> XF:restore-rsh-executable(5483)
Christey> CERT-VN:VU#960877
URL:http://www.kb.cert.org/vuls/id/960877
Name: CVE-2000-1126
Description:
Vulnerability in auto_parms and set_parms in HP-UX 11.00 and earlier
allows remote attackers to execute arbitrary commands or cause a
denial of service.
Status: Candidate
Phase: Modified (20090302)
Reference: HP:HPSBUX0011-130
Reference: URL:http://www.securityfocus.com/advisories/2850
Reference: BID:1954
Reference: URL:http://www.securityfocus.com/bid/1954
Reference: OVAL:oval:org.mitre.oval:def:5655
Reference: URL:http://oval.mitre.org/repository/data/getDef?id=oval:org.mitre.oval:def:5655
Votes:
ACCEPT(3) Armstrong, Baker, Cole
MODIFY(1) Frech
NOOP(1) Wall
Voter Comments:
Frech> XF:hpux-autoparms-execute-commands(5961)
Name: CVE-2000-1127
Description:
registrar in the HP resource monitor service allows local users to
read and modify arbitrary files by renaming the original registrar.log
log file and creating a symbolic link to the target file, to which
registrar appends log information and sets the permissions to be world
readable.
Status: Candidate
Phase: Proposed (20001219)
Reference: BUGTRAQ:20001108 HP-UX 10.20 resource monitor service
Reference: URL:http://www.securityfocus.com/archive/1/143845
Reference: BID:1919
Reference: URL:http://www.securityfocus.com/bid/1919
Votes: | 