Common Vulnerabilities and Exposures

CVE (version 20061101)

Description:
Buffer overflow in NFS mountd gives root access to remote attackers, mostly in Linux systems.

Status: Entry
Reference: SGI:19981006-01-I
Reference: URL:ftp://patches.sgi.com/support/free/security/advisories/19981006-01-I
Reference: CERT:CA-98.12.mountd
Reference: CIAC:J-006
Reference: URL:http://www.ciac.org/ciac/bulletins/j-006.shtml
Reference: BID:121
Reference: URL:http://www.securityfocus.com/bid/121
Reference: XF:linux-mountd-bo

Description:
Execute commands as root via buffer overflow in Tooltalk database server (rpc.ttdbserverd).

Status: Entry
Reference: NAI:NAI-29
Reference: CERT:CA-98.11.tooltalk
Reference: SGI:19981101-01-A
Reference: URL:ftp://patches.sgi.com/support/free/security/advisories/19981101-01-A
Reference: SGI:19981101-01-PX
Reference: URL:ftp://patches.sgi.com/support/free/security/advisories/19981101-01-PX
Reference: XF:aix-ttdbserver
Reference: XF:tooltalk
Reference: BID:122
Reference: URL:http://www.securityfocus.com/bid/122

Description:
Arbitrary command execution via IMAP buffer overflow in authenticate command.

Status: Entry
Reference: CERT:CA-98.09.imapd
Reference: SUN:00177
Reference: URL:http://sunsolve.sun.com/pub-cgi/retrieve.pl?doctype=coll&doc=secbull/177
Reference: BID:130
Reference: URL:http://www.securityfocus.com/bid/130
Reference: XF:imap-authenticate-bo

Description:
Buffer overflow in POP servers based on BSD/Qualcomm's qpopper allows remote attackers to gain root access using a long PASS command.

Status: Entry
Reference: CERT:CA-98.08.qpopper_vul
Reference: SGI:19980801-01-I
Reference: URL:ftp://patches.sgi.com/support/free/security/advisories/19980801-01-I
Reference: AUSCERT:AA-98.01
Reference: XF:qpopper-pass-overflow
Reference: BID:133
Reference: URL:http://www.securityfocus.com/bid/133

Description:
Information from SSL-encrypted sessions via PKCS #1.

Status: Entry
Reference: CERT:CA-98.07.PKCS
Reference: MS:MS98-002
Reference: URL:http://www.microsoft.com/technet/security/bulletin/ms98-002.mspx
Reference: XF:nt-ssl-fix

Description:
Buffer overflow in NIS+, in Sun's rpc.nisd program.

Status: Entry
Reference: CERT:CA-98.06.nisd
Reference: SUN:00170
Reference: URL:http://sunsolve.sun.com/pub-cgi/retrieve.pl?doctype=coll&doc=secbull/170
Reference: ISS:June10,1998
Reference: XF:nisd-bo-check

Description:
Inverse query buffer overflow in BIND 4.9 and BIND 8 Releases.

Status: Entry
Reference: SGI:19980603-01-PX
Reference: URL:ftp://patches.sgi.com/support/free/security/advisories/19980603-01-PX
Reference: HP:HPSBUX9808-083
Reference: URL:http://www1.itrc.hp.com/service/cki/docDisplay.do?docId=HPSBUX9808-083
Reference: SUN:00180
Reference: URL:http://sunsolve.sun.com/pub-cgi/retrieve.pl?doctype=coll&doc=secbull/180
Reference: CERT:CA-98.05.bind_problems
Reference: XF:bind-bo
Reference: BID:134
Reference: URL:http://www.securityfocus.com/bid/134

Description:
Denial of Service vulnerability in BIND 8 Releases via maliciously formatted DNS messages.

Status: Entry
Reference: CERT:CA-98.05.bind_problems
Reference: SGI:19980603-01-PX
Reference: URL:ftp://patches.sgi.com/support/free/security/advisories/19980603-01-PX
Reference: HP:HPSBUX9808-083
Reference: URL:http://www1.itrc.hp.com/service/cki/docDisplay.do?docId=HPSBUX9808-083
Reference: XF:bind-dos

Description:
Denial of Service vulnerabilities in BIND 4.9 and BIND 8 Releases via CNAME record and zone transfer.

Status: Entry
Reference: CERT:CA-98.05.bind_problems
Reference: SGI:19980603-01-PX
Reference: URL:ftp://patches.sgi.com/support/free/security/advisories/19980603-01-PX
Reference: HP:HPSBUX9808-083
Reference: URL:http://www1.itrc.hp.com/service/cki/docDisplay.do?docId=HPSBUX9808-083
Reference: SUN:00180
Reference: URL:http://sunsolve.sun.com/pub-cgi/retrieve.pl?doctype=coll&doc=secbull/180
Reference: XF:bind-axfr-dos

Description:
Some web servers under Microsoft Windows allow remote attackers to bypass access restrictions for files with long file names.

Status: Entry
Reference: CERT:CA-98.04.Win32.WebServers
Reference: XF:nt-web8.3

Description:
Stolen credentials from SSH clients via ssh-agent program, allowing other local users to access remote accounts belonging to the ssh-agent user.

Status: Entry
Reference: CERT:CA-98.03.ssh-agent
Reference: NAI:NAI-24
Reference: XF:ssh-agent

Description:
Unauthorized privileged access or denial of service via dtappgather program in CDE.

Status: Entry
Reference: HP:HPSBUX9801-075
Reference: URL:http://www1.itrc.hp.com/service/cki/docDisplay.do?docId=HPSBUX9801-075
Reference: SUN:00185
Reference: URL:http://sunsolve.sun.com/pub-cgi/retrieve.pl?doctype=coll&doc=secbull/185
Reference: CERT:CA-98.02.CDE

Description:
Land IP denial of service.

Status: Entry
Reference: CERT:CA-97.28.Teardrop_Land
Reference: FREEBSD:FreeBSD-SA-98:01
Reference: HP:HPSBUX9801-076
Reference: URL:http://www1.itrc.hp.com/service/cki/docDisplay.do?docId=HPSBUX9801-076
Reference: CISCO:http://www.cisco.com/warp/public/770/land-pub.shtml
Reference: XF:cisco-land
Reference: XF:land
Reference: XF:95-verv-tcp
Reference: XF:land-patch
Reference: XF:ver-tcpip-sys

Description:
FTP servers can allow an attacker to connect to arbitrary ports on machines other than the FTP client, aka FTP bounce.

Status: Entry
Reference: CERT:CA-97.27.FTP_bounce
Reference: XF:ftp-bounce
Reference: XF:ftp-privileged-port

Description:
Buffer overflow in statd allows root privileges.

Status: Entry
Reference: CERT:CA-97.26.statd
Reference: AUSCERT:AA-97.29
Reference: XF:statd
Reference: BID:127
Reference: URL:http://www.securityfocus.com/bid/127

Description:
Delete or create a file via rpc.statd, due to invalid information.

Status: Entry
Reference: CERT:CA-96.09.rpc.statd
Reference: XF:rpc-stat
Reference: SUN:00135
Reference: URL:http://sunsolve.sun.com/pub-cgi/retrieve.pl?doctype=coll&doc=secbull/135

Description:
Arbitrary command execution via buffer overflow in Count.cgi (wwwcount) cgi-bin program.

Status: Entry
Reference: BUGTRAQ:19971010 Security flaw in Count.cgi (wwwcount)
Reference: CERT:CA-97.24.Count_cgi
Reference: XF:http-cgi-count
Reference: BID:128
Reference: URL:http://www.securityfocus.com/bid/128

Description:
Local user gains root privileges via buffer overflow in rdist, via expstr() function.

Status: Entry
Reference: CERT:CA-97.23.rdist
Reference: SUN:00179
Reference: URL:http://sunsolve.sun.com/pub-cgi/retrieve.pl?doctype=coll&doc=secbull/179
Reference: XF:rdist-bo3
Reference: XF:rdist-sept97

Description:
Local user gains root privileges via buffer overflow in rdist, via lookup() function.

Status: Entry
Reference: CERT:CA-96.14.rdist_vul
Reference: XF:rdist-bo
Reference: XF:rdist-bo2

Description:
DNS cache poisoning via BIND, by predictable query IDs.

Status: Entry
Reference: CERT:CA-97.22.bind
Reference: XF:bind
Reference: NAI:NAI-11

Description:
root privileges via buffer overflow in df command on SGI IRIX systems.

Status: Entry
Reference: CERT:CA-1997-21
Reference: URL:http://www.cert.org/advisories/CA-1997-21.html
Reference: AUSCERT:AA-97.19.IRIX.df.buffer.overflow.vul
Reference: SGI:SGI:19970505-01-A
Reference: SGI:SGI:19970505-02-PX
Reference: CERT-VN:VU#20851
Reference: URL:http://www.kb.cert.org/vuls/id/20851
Reference: BID:346
Reference: URL:http://www.securityfocus.com/bid/346
Reference: XF:df-bo(440)
Reference: URL:http://xforce.iss.net/xforce/xfdb/440

Description:
root privileges via buffer overflow in pset command on SGI IRIX systems.

Status: Entry
Reference: CERT:CA-97.21.sgi_buffer_overflow
Reference: AUSCERT:AA-97.20.IRIX.pset.buffer.overflow.vul
Reference: XF:pset-bo

Description:
root privileges via buffer overflow in eject command on SGI IRIX systems.

Status: Entry
Reference: CERT:CA-97.21.sgi_buffer_overflow
Reference: AUSCERT:AA-97.21.IRIX.eject.buffer.overflow.vul
Reference: XF:eject-bo

Description:
root privileges via buffer overflow in login/scheme command on SGI IRIX systems.

Status: Entry
Reference: CERT:CA-97.21.sgi_buffer_overflow
Reference: AUSCERT:AA-97.22.IRIX.login.scheme.buffer.overflow.vul
Reference: XF:sgi-schemebo

Description:
root privileges via buffer overflow in ordist command on SGI IRIX systems.

Status: Entry
Reference: CERT:CA-97.21.sgi_buffer_overflow
Reference: AUSCERT:AA-97.23-IRIX.ordist.buffer.overflow.vul
Reference: XF:ordist-bo

Description:
JavaScript in Internet Explorer 3.x and 4.x, and Netscape 2.x, 3.x and 4.x, allows remote attackers to monitor a user's web activities, aka the Bell Labs vulnerability.

Status: Entry
Reference: CERT:CA-97.20.javascript
Reference: HP:HPSBUX9707-065
Reference: URL:http://www.codetalker.com/advisories/vendor/hp/hpsbux9707-065.html

Description:
Buffer overflow in lpr, as used in BSD-based systems including Linux, allows local users to execute arbitrary code as root via a long -C (classification) command line option.

Status: Entry
Reference: BUGTRAQ:19960813 Possible bufferoverflow condition in lpr, xterm and xload
Reference: BUGTRAQ:19961025 Linux & BSD's lpr exploit
Reference: MLIST:[freebsd-security] 19961025 Vadim Kolontsov: BoS: Linux & BSD's lpr exploit
Reference: MLIST:[linux-security] 19961122 LSF Update#14: Vulnerability of the lpr program.
Reference: CERT:CA-97.19.bsdlp
Reference: AUSCERT:AA-96.12
Reference: CIAC:H-08
Reference: CIAC:I-042
Reference: URL:http://www.ciac.org/ciac/bulletins/i-042.shtml
Reference: SGI:19980402-01-PX
Reference: URL:ftp://patches.sgi.com/support/free/security/advisories/19980402-01-PX
Reference: BID:707
Reference: URL:http://www.securityfocus.com/bid/707
Reference: XF:bsd-lprbo2
Reference: XF:bsd-lprbo
Reference: XF:lpr-bo

Description:
Buffer overflow in suidperl (sperl), Perl 4.x and 5.x.

Status: Entry
Reference: CERT:CA-97.17.sperl
Reference: XF:perl-suid

Description:
Race condition in signal handling routine in ftpd, allowing read/write arbitrary files.

Status: Entry
Reference: XF:ftp-ftpd
Reference: CERT:CA-97.16.ftpd
Reference: AUSCERT:AA-97.03

Description:
IRIX login program with a nonzero LOCKOUT parameter allows creation or damage to files.

Status: Entry
Reference: CERT:CA-97.15.sgi_login
Reference: AUSCERT:AA-97.12
Reference: CIAC:H-106
Reference: URL:http://www.ciac.org/ciac/bulletins/h-106.shtml
Reference: SGI:19970508-02-PX
Reference: URL:ftp://patches.sgi.com/support/free/security/advisories/19970508-02-PX
Reference: OSVDB:990
Reference: URL:http://www.osvdb.org/990
Reference: XF:sgi-lockout(557)
Reference: URL:http://xforce.iss.net/xforce/xfdb/557

Description:
Arbitrary command execution via metamail package using message headers, when user processes attacker's message using metamail.

Status: Entry
Reference: CERT:CA-97.14.metamail
Reference: XF:metamail-header-commands

Description:
Buffer overflow in xlock program allows local users to execute commands as root.

Status: Entry
Reference: CERT:CA-97.13.xlock
Reference: XF:xlock-bo

Description:
webdist CGI program (webdist.cgi) in SGI IRIX allows remote attackers to execute arbitrary commands via shell metacharacters in the distloc parameter.

Status: Entry
Reference: BUGTRAQ:19970507 Re: SGI Security Advisory 19970501-01-A - Vulnerability in
Reference: BUGTRAQ:19970507 Re: SGI Advisory: webdist.cgi
Reference: CERT:CA-1997-12
Reference: URL:http://www.cert.org/advisories/CA-1997-12.html
Reference: AUSCERT:AA-97.14
Reference: SGI:19970501-02-PX
Reference: URL:ftp://patches.sgi.com/support/free/security/advisories/19970501-02-PX
Reference: BID:374
Reference: URL:http://www.securityfocus.com/bid/374
Reference: OSVDB:235
Reference: URL:http://www.osvdb.org/235
Reference: XF:http-sgi-webdist(333)
Reference: URL:http://xforce.iss.net/xforce/xfdb/333

Description:
Buffer overflow in Xt library of X Windowing System allows local users to execute commands with root privileges.

Status: Entry
Reference: CERT:CA-97.11.libXt
Reference: XF:libXt-bo

Description:
Buffer overflow in NLS (Natural Language Service).

Status: Entry
Reference: CERT:CA-97.10.nls
Reference: XF:nls-bo

Description:
Buffer overflow in University of Washington's implementation of IMAP and POP servers.

Status: Entry
Reference: NAI:NAI-21
Reference: CERT:CA-97.09.imap_pop
Reference: XF:popimap-bo

Description:
Command execution via shell metachars in INN daemon (innd) 1.5 using "newgroup" and "rmgroup" control messages, and others.

Status: Entry
Reference: CERT:CA-97.08.innd
Reference: XF:inn-controlmsg

Description:
fsdump command in IRIX allows local users to obtain root access by modifying sensitive files.

Status: Entry
Reference: SGI:19970301-01-P
Reference: URL:ftp://patches.sgi.com/support/free/security/advisories/19970301-01-P
Reference: XF:sgi-fsdump

Description:
List of arbitrary files on Web host via nph-test-cgi script.

Status: Entry
Reference: CERT:CA-97.07.nph-test-cgi_script
Reference: XF:http-cgi-nph

Description:
Buffer overflow of rlogin program using TERM environmental variable.

Status: Entry
Reference: CERT:CA-97.06.rlogin-term
Reference: XF:rlogin-termbo

Description:
MIME conversion buffer overflow in sendmail versions 8.8.3 and 8.8.4.

Status: Entry
Reference: CERT:CA-97.05.sendmail
Reference: BID:685
Reference: URL:http://www.securityfocus.com/bid/685
Reference: XF:sendmail-mime-bo2

Description:
Talkd, when given corrupt DNS information, can be used to execute arbitrary commands with root privileges.

Status: Entry
Reference: CERT:CA-97.04.talkd
Reference: FREEBSD:FreeBSD-SA-96:21
Reference: AUSCERT:AA-97.01
Reference: SUN:00147
Reference: URL:http://sunsolve.sun.com/pub-cgi/retrieve.pl?doctype=coll&doc=secbull/147
Reference: XF:talkd-bo
Reference: XF:netkit-talkd

Description:
Csetup under IRIX allows arbitrary file creation or overwriting.

Status: Entry
Reference: XF:sgi-csetup
Reference: CERT:CA-97.03.csetup

Description:
Buffer overflow in HP-UX newgrp program.

Status: Entry
Reference: CERT:CA-97.02.hp_newgrp
Reference: AUSCERT:AA-96.16.HP-UX.newgrp.Buffer.Overrun.Vulnerability
Reference: XF:hp-newgrpbo

Description:
Arbitrary file creation and program execution using FLEXlm LicenseManager, from versions 4.0 to 5.0, in IRIX.

Status: Entry
Reference: XF:sgi-licensemanager
Reference: CERT:CA-97.01.flex_lm
Reference: AUSCERT:AA-96.03

Description:
IP fragmentation denial of service in FreeBSD allows a remote attacker to cause a crash.

Status: Entry
Reference: FREEBSD:FreeBSD-SA-98:08
Reference: OSVDB:908
Reference: URL:http://www.osvdb.org/908
Reference: XF:freebsd-ip-frag-dos(1389)
Reference: URL:http://xforce.iss.net/xforce/xfdb/1389

Description:
TCP RST denial of service in FreeBSD.

Status: Entry
Reference: FREEBSD:FreeBSD-SA-98:07
Reference: OSVDB:6094
Reference: URL:http://www.osvdb.org/6094

Description:
Sun's ftpd daemon can be subjected to a denial of service.

Status: Entry
Reference: SUN:00171
Reference: URL:http://sunsolve.sun.com/pub-cgi/retrieve.pl?doctype=coll&doc=secbull/171
Reference: XF:sun-ftpd

Description:
Buffer overflows in Sun libnsl allow root access.

Status: Entry
Reference: SUN:00172
Reference: URL:http://sunsolve.sun.com/pub-cgi/retrieve.pl?doctype=coll&doc=secbull/172
Reference: AIXAPAR:IX80543
Reference: URL:http://www-1.ibm.com/support/search.wss?rs=0&q=IX80543&apar=only
Reference: RSI:RSI.0005.05-14-98.SUN.LIBNSL
Reference: XF:sun-libnsl

Description:
Buffer overflow in Sun's ping program can give root access to local users.

Status: Entry
Reference: SUN:00174
Reference: URL:http://sunsolve.sun.com/pub-cgi/retrieve.pl?doctype=coll&doc=secbull/174
Reference: XF:sun-ping

Description:
Vacation program allows command execution by remote users through a sendmail command.

Status: Entry
Reference: NAI:NAI-19
Reference: XF:vacation
Reference: HP:HPSBUX9811-087
Reference: URL:http://www1.itrc.hp.com/service/cki/docDisplay.do?docId=HPSBUX9811-087

Description:
Buffer overflow in PHP cgi program, php.cgi allows shell access.

Status: Entry
Reference: NAI:NAI-12
Reference: BID:712
Reference: URL:http://www.securityfocus.com/bid/712
Reference: XF:http-cgi-phpbo

Description:
IRIX fam service allows an attacker to obtain a list of all files on the server.

Status: Entry
Reference: NAI:NAI-16
Reference: BID:353
Reference: URL:http://www.securityfocus.com/bid/353
Reference: OSVDB:164
Reference: URL:http://www.osvdb.org/164
Reference: XF:irix-fam(325)
Reference: URL:http://xforce.iss.net/xforce/xfdb/325

Description:
Attackers can cause a denial of service in Ascend MAX and Pipeline routers with a malformed packet to the discard port, which is used by the Java Configurator tool.

Status: Entry
Reference: NAI:NAI-26
Reference: XF:ascend-config-kill
Reference: ASCEND:http://www.ascend.com/2695.html

Description:
The chpass command in OpenBSD allows a local user to gain root access through file descriptor leakage.

Status: Entry
Reference: XF:openbsd-chpass
Reference: NAI:NAI-28
Reference: OSVDB:7559
Reference: URL:http://www.osvdb.org/7559

Description:
Cisco IOS 12.0 and other versions can be crashed by malicious UDP packets to the syslog port.

Status: Entry
Reference: AUSCERT:ESB-98.197
Reference: CISCO:http://www.cisco.com/warp/public/770/iossyslog-pub.shtml
Reference: XF:cisco-syslog-crash

Description:
Buffer overflow in AIX lquerylv program gives root access to local users.

Status: Entry
Reference: BUGTRAQ:May28,1997
Reference: XF:lquerylv-bo

Description:
Multiple buffer overflows in how dtmail handles attachments allows a remote attacker to execute commands.

Status: Entry
Reference: SUN:00181
Reference: URL:http://sunsolve.sun.com/pub-cgi/retrieve.pl?doctype=coll&doc=secbull/181
Reference: XF:hp-dtmail

Description:
AnyForm CGI remote execution.

Status: Entry
Reference: BUGTRAQ:19950731 SECURITY HOLE: "AnyForm" CGI
Reference: BID:719
Reference: URL:http://www.securityfocus.com/bid/719
Reference: XF:http-cgi-anyform

Description:
phf CGI program allows remote command execution through shell metacharacters.

Status: Entry
Reference: BUGTRAQ:19960923 PHF Attacks - Fun and games for the whole family
Reference: CERT:CA-1996-06
Reference: URL:http://www.cert.org/advisories/CA-1996-06.html
Reference: AUSCERT:AA-96.01
Reference: BID:629
Reference: URL:http://www.securityfocus.com/bid/629
Reference: OSVDB:136
Reference: URL:http://www.osvdb.org/136
Reference: XF:http-cgi-phf

Description:
CGI PHP mylog script allows an attacker to read any file on the target server.

Status: Entry
Reference: BUGTRAQ:19971019 Vulnerability in PHP Example Logging Scripts
Reference: XF:http-cgi-php-mylog
Reference: BID:713
Reference: URL:http://www.securityfocus.com/bid/713
Reference: OSVDB:3396
Reference: URL:http://www.osvdb.org/3396

Description:
Solaris ufsrestore buffer overflow.

Status: Entry
Reference: SUN:00169
Reference: URL:http://sunsolve.sun.com/pub-cgi/retrieve.pl?doctype=coll&doc=secbull/169
Reference: XF:sun-ufsrestore
Reference: OSVDB:8158
Reference: URL:http://www.osvdb.org/8158

Description:
test-cgi program allows an attacker to list files on the server.

Status: Entry
Reference: XF:http-cgi-test

Description:
Apache httpd cookie buffer overflow for versions 1.1.1 and earlier.

Status: Entry
Reference: XF:http-apache-cookie
Reference: NAI:NAI-2

Description:
Buffer overflow in AIX xdat gives root access to local users.

Status: Entry
Reference: ERS:ERS-SVA-E01-1997:004.1
Reference: XF:ibm-xdat

Description:
Telnet allows a remote client to specify environment variables including LD_LIBRARY_PATH, allowing an attacker to bypass the normal system libraries and gain root access.

Status: Entry
Reference: CERT:CA-95:14.Telnetd_Environment_Vulnerability
Reference: XF:linkerbug

Description:
Listening TCP ports are sequentially allocated, allowing spoofing attacks.

Status: Entry
Reference: XF:seqport

Description:
PASV core dump in wu-ftpd daemon when attacker uses a QUOTE PASV command after specifying a username and password.

Status: Entry
Reference: BUGTRAQ:19961016 Re: ftpd bug? Was: bin/1805: Bug in ftpd
Reference: XF:ftp-pasvcore
Reference: OSVDB:5742
Reference: URL:http://www.osvdb.org/5742

Description:
Predictable TCP sequence numbers allow spoofing.

Status: Entry
Reference: XF:tcp-seq-predict(139)
Reference: URL:http://xforce.iss.net/static/139.php

Description:
Remote attackers can cause a denial of service in FTP by issuing multiple PASV commands, causing the server to run out of available ports.

Status: Entry
Reference: XF:ftp-pasv-dos
Reference: XF:ftp-pasvdos

Description:
Certain configurations of wu-ftp FTP server 2.4 use a _PATH_EXECPATH setting to a directory with dangerous commands, such as /bin, which allows remote authenticated users to gain root access via the "site exec" command.

Status: Entry
Reference: BUGTRAQ:19950531 SECURITY: problem with some wu-ftpd-2.4 binaries (fwd)
Reference: CERT:CA-95:16.wu-ftpd.vul
Reference: XF:ftp-execdotdot

Description:
wu-ftp allows files to be overwritten via the rnfr command.

Status: Entry
Reference: XF:ftp-rnfr

Description:
CWD ~root command in ftpd allows root access.

Status: Entry
Reference: XF:ftp-cwd
Reference: FarmerVenema:Improving the Security of Your Site by Breaking Into it
Reference: URL:http://www.alw.nih.gov/Security/Docs/admin-guide-to-cracking.101.html

Description:
getcwd() file descriptor leak in FTP.

Status: Entry
Reference: XF:cwdleak

Description:
Certain NFS servers allow users to use mknod to gain privileges by creating a writable kmem device and setting the UID to 0.

Status: Entry
Reference: XF:nfs-mknod(78)
Reference: URL:http://xforce.iss.net/xforce/xfdb/78

Description:
Buffer overflow in rwhod on AIX and other operating systems allows remote attackers to execute arbitrary code via a UDP packet with a long hostname.

Status: Entry
Reference: BUGTRAQ:19960821 rwhod buffer overflow
Reference: XF:rwhod(119)
Reference: URL:http://xforce.iss.net/xforce/xfdb/119
Reference: XF:rwhod-vuln(118)
Reference: URL:http://xforce.iss.net/xforce/xfdb/118

Description:
Denial of service in AIX telnet can freeze a system and prevent users from accessing the server.

Status: Entry
Reference: XF:ibm-telnetdos
Reference: ERS:ERS-SVA-E01-1998:003.1
Reference: OSVDB:7992
Reference: URL:http://www.osvdb.org/7992

Description:
Buffer overflow in AIX rcp command allows local users to obtain root access.

Status: Entry
Reference: ERS:ERS-SVA-E01-1997:005.1
Reference: XF:ibm-rcp

Description:
Buffer overflow in AIX writesrv command allows local users to obtain root access.

Status: Entry
Reference: ERS:ERS-SVA-E01-1997:005.1
Reference: XF:ibm-writesrv

Description:
AIX nslookup command allows local users to obtain root access by not dropping privileges correctly.

Status: Entry
Reference: ERS:ERS-SVA-E01-1997:008.1
Reference: XF:ibm-nslookup

Description:
AIX piodmgrsu command allows local users to gain additional group privileges.

Status: Entry
Reference: ERS:ERS-SVA-E01-1997:007.1
Reference: XF:ibm-piodmgrsu

Description:
The debug command in Sendmail is enabled, allowing attackers to execute commands as root.

Status: Entry
Reference: CERT:CA-88.01
Reference: CERT:CA-93.14
Reference: BID:1
Reference: URL:http://www.securityfocus.com/bid/1
Reference: OSVDB:195
Reference: URL:http://www.osvdb.org/195
Reference: XF:smtp-debug

Description:
Sendmail decode alias can be used to overwrite sensitive files.

Status: Entry
Reference: CERT:CA-93.16
Reference: CERT:CA-95.05
Reference: CIAC:A-13
Reference: CIAC:A-14
Reference: SUN:00122
Reference: URL:http://sunsolve.sun.com/pub-cgi/retrieve.pl?doctype=coll&doc=secbull/122&type=0&nav=sec.sba
Reference: XF:smtp-dcod

Description:
The AIX FTP client can be forced to execute commands from a malicious server through shell metacharacters (e.g. a pipe character).

Status: Entry
Reference: ERS:ERS-SVA-E01-1997:009.1
Reference: XF:ibm-ftp

Description:
Buffer overflow in syslog utility allows local or remote attackers to gain root privileges.

Status: Entry
Reference: CERT:CA-95.13.syslog.vul
Reference: XF:smtp-syslog

Description:
Remote access in AIX innd 1.5.1, using control messages.

Status: Entry
Reference: ERS:ERS-SVA-E01-1997:002.1
Reference: XF:inn-controlmsg

Description:
Buffer overflow in AIX and Solaris "gethostbyname" library call allows root access through corrupt DNS host names.

Status: Entry
Reference: ERS:ERS-SVA-E01-1997:001.1
Reference: ERS:ERS-SVA-E01-1996:007.1
Reference: SUN:00137a
Reference: CIAC:H-13
Reference: URL:http://ciac.llnl.gov/ciac/bulletins/h-13.shtml
Reference: NAI:NAI-1
Reference: XF:ghbn-bo

Description:
Buffer overflow in SLmail 3.x allows attackers to execute commands using a large FROM line.

Status: Entry
Reference: XF:slmail-fromheader-overflow

Description:
Echo and chargen, or other combinations of UDP services, can be used in tandem to flood the server, a.k.a. UDP bomb or UDP packet storm.

Status: Entry
Reference: CERT:CA-96.01.UDP_service_denial
Reference: XF:echo
Reference: XF:chargen
Reference: XF:chargen-patch

Description:
The printers program in IRIX has a buffer overflow that gives root access to local users.

Status: Entry
Reference: BUGTRAQ:another day, another buffer overflow...
Reference: XF:printers-bo

Description:
Buffer overflow in ffbconfig in Solaris 2.5.1.

Status: Entry
Reference: SUN:00140
Reference: URL:http://sunsolve.sun.com/pub-cgi/retrieve.pl?doctype=coll&doc=secbull/140
Reference: AUSCERT:AA-97.06
Reference: XF:ffbconfig-bo

Description:
RIP v1 is susceptible to spoofing.

Status: Entry
Reference: XF:rip

Description:
Buffer overflow in AIX dtterm program for the CDE.

Status: Entry
Reference: BUGTRAQ:19970520 AIX 4.2 dtterm exploit
Reference: XF:dtterm-bo(878)
Reference: URL:http://xforce.iss.net/xforce/xfdb/878

Description:
Some implementations of rlogin allow root access if given a -froot parameter.

Status: Entry
Reference: BUGTRAQ:19940729 -froot??? (AIX rlogin bug)
Reference: CERT:CA-94.09.bin.login.vulnerability
Reference: CIAC:E-26
Reference: BID:458
Reference: URL:http://www.securityfocus.com/bid/458
Reference: XF:rlogin-froot

Description:
AIX bugfiler program allows local users to gain root access.

Status: Entry
Reference: BUGTRAQ:19970909 AIX bugfiler
Reference: XF:ibm-bugfiler
Reference: BID:1800
Reference: URL:http://www.securityfocus.com/bid/1800

Description:
Denial of service when an attacker sends many SYN packets to create multiple connections without ever sending an ACK to complete the connection, aka SYN flood.

Status: Entry
Reference: CERT:CA-96.21.tcp_syn.flooding
Reference: SGI:19961202-01-PX
Reference: URL:ftp://patches.sgi.com/support/free/security/advisories/19961202-01-PX
Reference: SUN:00136
Reference: URL:http://sunsolve.sun.com/pub-cgi/retrieve.pl?doctype=coll&doc=secbull/136

Description:
AIX passwd allows local users to gain root access.

Status: Entry
Reference: XF:ibm-passwd
Reference: CERT:CA-92:07.AIX.passwd.vulnerability

Description:
AIX infod allows local users to gain root access through an X display.

Status: Entry
Reference: BUGTRAQ:19981119 RSI.0011.11-09-98.AIX.INFOD
Reference: URL:http://marc.theaimsgroup.com/?l=bugtraq&m=91158980826979&w=2
Reference: XF:aix-infod

Description:
Sun/Solaris utmp file allows local users to gain root access if it is writable by users other than root.

Status: Entry
Reference: SUN:00126
Reference: URL:http://sunsolve.sun.com/pub-cgi/retrieve.pl?doctype=coll&doc=secbull/126
Reference: CERT:CA-94.06.utmp.vulnerability
Reference: XF:utmp-write

Description:
Buffer overflow in AIX lchangelv gives root access.

Status: Entry
Reference: BUGTRAQ:Jul21,1999
Reference: XF:lchangelv-bo

Description:
Vulnerabilities in UMN gopher and gopher+ versions 1.12 and 2.0x allow an intruder to read any files that can be accessed by the gopher daemon.

Status: Entry
Reference: CERT:CA-93:11.UMN.UNIX.gopher.vulnerability
Reference: XF:gopher-vuln

Description:
Buffer overflow in SGI IRIX mailx program.

Status: Entry
Reference: XF:sgi-mailx-bo
Reference: SGI:19980605-01-PX
Reference: URL:ftp://patches.sgi.com/support/free/security/advisories/19980605-01-PX

Description:
SGI IRIX buffer overflow in xterm and Xaw allows root access.

Status: Entry
Reference: CERT:VB-98.04.xterm.Xaw
Reference: CIAC:J-010
Reference: URL:http://www.ciac.org/ciac/bulletins/j-010.shtml
Reference: XF:xfree86-xterm-xaw
Reference: XF:xfree86-xaw

Description:
Oversized ICMP ping packets can result in a denial of service, aka Ping o' Death.

Status: Entry
Reference: XF:ping-death
Reference: CERT:CA-96.26.ping

Description:
Sendmail allows local users to write to a file and gain group permissions via a .forward or :include: file.

Status: Entry
Reference: CERT:CA-96.25.sendmail_groups

Description:
Local users can start Sendmail in daemon mode and gain root privileges.

Status: Entry
Reference: CERT:CA-96.24.sendmail.daemon.mode
Reference: BID:716
Reference: URL:http://www.securityfocus.com/bid/716
Reference: XF:sendmail-daemon-mode

Description:
Buffer overflow and denial of service in Sendmail 8.7.5 and earlier through GECOS field gives root access to local users.

Status: Entry
Reference: CERT:CA-96.20.sendmail_vul
Reference: XF:smtp-875bo
Reference: BID:717
Reference: URL:http://www.securityfocus.com/bid/717

Description:
Expreserve, as used in vi and ex, allows local users to overwrite arbitrary files and gain root access.

Status: Entry
Reference: CERT:CA-1996-19
Reference: URL:http://www.cert.org/advisories/CA-1996-19.html
Reference: OSVDB:11723
Reference: URL:http://www.osvdb.org/11723
Reference: XF:expreserve(401)
Reference: URL:http://xforce.iss.net/xforce/xfdb/401

Description:
fm_fls license server for Adobe Framemaker allows local users to overwrite arbitrary files and gain root access.

Status: Entry
Reference: CERT:CA-96.18.fm_fls
Reference: XF:fmaker-logfile

Description:
vold in Solaris 2.x allows local users to gain root access.

Status: Entry
Reference: XF:sol-voldtmp
Reference: CERT:CA-96.17.Solaris_vold_vul
Reference: AUSCERT:AL-96.04
Reference: OSVDB:8159
Reference: URL:http://www.osvdb.org/8159

Description:
admintool in Solaris allows a local user to write to arbitrary files and gain root access.

Status: Entry
Reference: XF:sun-admintool
Reference: CERT:CA-96.16.Solaris_admintool_vul
Reference: AUSCERT:AL-96.03

Description:
Kodak Color Management System (KCMS) on Solaris allows a local user to write to arbitrary files and gain root access.

Status: Entry
Reference: XF:sol-KCMSvuln
Reference: AUSCERT:AL-96.02
Reference: CERT:CA-96.15.Solaris_KCMS_vul

Description:
The dip program on many Linux systems allows local users to gain root access via a buffer overflow.

Status: Entry
Reference: XF:linux-dipbo
Reference: CERT:CA-96.13.dip_vul
Reference: XF:dip-bo

Description:
The suidperl and sperl program do not give up root privileges when changing UIDs back to the original users, allowing root access.

Status: Entry
Reference: CERT:CA-96.12.suidperl_vul
Reference: XF:sperl-suid

Description:
Buffer overflow in Solaris x86 mkcookie allows local users to obtain root access.

Status: Entry
Reference: XF:sol-mkcookie
Reference: RSI:RSI.0012.12-03-98.SOLARIS.MKCOOKIE
Reference: OSVDB:8205
Reference: URL:http://www.osvdb.org/8205

Description:
Java Bytecode Verifier allows malicious applets to execute arbitrary commands as the user of the applet.

Status: Entry
Reference: XF:http-java-applet
Reference: CERT:CA-96.07.java_bytecode_verifier
Reference: SUN:00134
Reference: URL:http://sunsolve.sun.com/pub-cgi/retrieve.pl?doctype=coll&doc=secbull/134

Description:
The Java Applet Security Manager implementation in Netscape Navigator 2.0 and Java Developer's Kit 1.0 allows an applet to connect to arbitrary hosts.

Status: Entry
Reference: CERT:CA-96.05.java_applet_security_mgr
Reference: XF:http-java-appletsecmgr

Description:
Kerberos 4 key servers allow a user to masquerade as another by breaking and generating session keys.

Status: Entry
Reference: CERT:CA-96.03.kerberos_4_key_server
Reference: XF:kerberos-bf

Description:
Sendmail WIZ command enabled, allowing root access.

Status: Entry
Reference: CERT:CA-1990-11
Reference: URL:http://www.cert.org/advisories/CA-1990-11.html
Reference: CERT:CA-1993-14
Reference: URL:http://www.cert.org/advisories/CA-1993-14.html
Reference: BUGTRAQ:19950206 sendmail wizard thing...
Reference: URL:http://www2.dataguard.no/bugtraq/1995_1/0332.html
Reference: FarmerVenema:Improving the Security of Your Site by Breaking Into it
Reference: URL:http://www.alw.nih.gov/Security/Docs/admin-guide-to-cracking.101.html

Description:
The campas CGI program provided with some NCSA web servers allows an attacker to execute arbitrary commands via encoded carriage return characters in the query string, as demonstrated by reading the password file.

Status: Entry
Reference: BUGTRAQ:19970715 Bug CGI campas
Reference: BID:1975
Reference: URL:http://www.securityfocus.com/bid/1975
Reference: XF:http-cgi-campas(298)
Reference: URL:http://xforce.iss.net/xforce/xfdb/298

Description:
The aglimpse CGI program of the Glimpse package allows remote execution of arbitrary commands.

Status: Entry
Reference: XF:http-cgi-glimpse
Reference: AUSCERT:AA-97.28

Description:
The handler CGI program in IRIX allows arbitrary command execution.

Status: Entry
Reference: SGI:19970501-02-PX
Reference: URL:ftp://patches.sgi.com/support/free/security/advisories/19970501-02-PX
Reference: BID:380
Reference: URL:http://www.securityfocus.com/bid/380
Reference: XF:http-sgi-handler

Description:
The wrap CGI program in IRIX allows remote attackers to view arbitrary directory listings via a .. (dot dot) attack.

Status: Entry
Reference: BUGTRAQ:19970420 IRIX 6.x /cgi-bin/wrap bug
Reference: SGI:19970501-02-PX
Reference: URL:ftp://patches.sgi.com/support/free/security/advisories/19970501-02-PX
Reference: BID:373
Reference: URL:http://www.securityfocus.com/bid/373
Reference: OSVDB:247
Reference: URL:http://www.osvdb.org/247
Reference: XF:http-sgi-wrap(290)
Reference: URL:http://xforce.iss.net/xforce/xfdb/290

Description:
The Perl fingerd program allows arbitrary command execution from remote users.

Status: Entry
Reference: XF:perl-fingerd

Description:
The SATAN session key may be disclosed if the user points the web browser to other sites, possibly allowing root access.

Status: Entry
Reference: CERT:CA-95.07a.REVISED.satan.vul
Reference: CERT:CA-95.06.satan.vul

Description:
The DG/UX finger daemon allows remote command execution through shell metacharacters.

Status: Entry
Reference: BUGTRAQ:19970811 dgux in.fingerd vulnerability
Reference: XF:dgux-fingerd

Description:
Windows 95/NT out of band (OOB) data denial of service through NETBIOS port, aka WinNuke.

Status: Entry
Reference: XF:win-oob
Reference: OSVDB:1666
Reference: URL:http://www.osvdb.org/1666

Description:
The ghostscript command with the -dSAFER option allows remote attackers to execute commands.

Status: Entry
Reference: XF:gscript-dsafer
Reference: CERT:CA-95.10.ghostscript

Description:
Cisco PIX firewall and CBAC IP fragmentation attack results in a denial of service.

Status: Entry
Reference: CISCO:http://www.cisco.com/warp/public/770/nifrag.shtml
Reference: XF:cisco-fragmented-attacks
Reference: OSVDB:1097
Reference: URL:http://www.osvdb.org/1097

Description:
Cisco PIX firewall manager (PFM) on Windows NT allows attackers to connect to port 8080 on the PFM server and retrieve any file whose name and location is known.

Status: Entry
Reference: CISCO:20010913 Cisco PIX Firewall Manager File Exposure
Reference: URL:http://www.cisco.com/warp/public/770/pixmgrfile-pub.shtml
Reference: XF:cisco-pix-file-exposure
Reference: OSVDB:685
Reference: URL:http://www.osvdb.org/685

Description:
Attackers can crash a Cisco IOS router or device, provided they can get to an interactive prompt (such as a login). This applies to some IOS 9.x, 10.x, and 11.x releases.

Status: Entry
Reference: CISCO:http://www.cisco.com/warp/public/770/ioslogin-pub.shtml
Reference: XF:cisco-ios-crash

Description:
Some classic Cisco IOS devices have a vulnerability in the PPP CHAP authentication to establish unauthorized PPP connections.

Status: Entry
Reference: CISCO:19971001 Vulnerabilities in Cisco CHAP Authentication
Reference: CIAC:I-002A
Reference: OSVDB:1099
Reference: URL:http://www.osvdb.org/1099
Reference: XF:cisco-chap

Description:
In Cisco IOS 10.3, with the tacacs-ds or tacacs keyword, an extended IP access control list could bypass filtering.

Status: Entry
Reference: CISCO:http://www.cisco.com/warp/public/707/1.html
Reference: XF:cisco-acl-tacacs
Reference: OSVDB:797
Reference: URL:http://www.osvdb.org/797

Description:
The "established" keyword in some Cisco IOS software allowed an attacker to bypass filtering.

Status: Entry
Reference: CISCO:19950601 "Established" Keyword May Allow Packets to Bypass Filter
Reference: XF:cisco-acl-established

Description:
A race condition in the Solaris ps command allows an attacker to overwrite critical files.

Status: Entry
Reference: XF:sol-pstmprace
Reference: AUSCERT:AA-95.07
Reference: CERT:CA-95.09.Solaris.ps.vul
Reference: OSVDB:8346
Reference: URL:http://www.osvdb.org/8346

Description:
NFS allows users to use a "cd .." command to access other directories besides the exported file system.

Status: Entry
Reference: XF:nfs-cd

Description:
In SunOS, NFS file handles could be guessed, giving unauthorized access to the exported file system.

Status: Entry
Reference: XF:nfs-guess
Reference: CERT:CA-91.21.SunOS.NFS.Jumbo.and.fsirand

Description:
The portmapper may act as a proxy and redirect service requests from an attacker, making the request appear to come from the local host, possibly bypassing authentication that would otherwise have taken place. For example, NFS file systems could be mounted through the portmapper despite export restrictions.

Status: Entry
Reference: XF:nfs-portmap

Description:
Remote attackers can mount an NFS file system in Ultrix or OSF, even if it is denied on the access list.

Status: Entry
Reference: XF:nfs-ultrix

Description:
FormMail CGI program allows remote execution of commands.

Status: Entry
Reference: XF:http-cgi-formmail-exe
Reference: BUGTRAQ:Aug02,1995

Description:
FormMail CGI program can be used by web servers other than the host server that the program resides on.

Status: Entry
Reference: XF:http-cgi-formmail-use

Description:
The view-source CGI program allows remote attackers to read arbitrary files via a .. (dot dot) attack.

Status: Entry
Reference: BUGTRAQ:19970208 view-source
Reference: XF:http-cgi-viewsrc

Description:
The convert.bas program in the Novell web server allows a remote attackers to read any file on the system that is internally accessible by the web server.

Status: Entry
Reference: XF:http-nov-convert

Description:
The Webgais program allows a remote user to execute arbitrary commands.

Status: Entry
Reference: BUGTRAQ:Jul10,1997
Reference: XF:http-webgais-query

Description:
The uploader program in the WebSite web server allows a remote attacker to execute arbitrary programs.

Status: Entry
Reference: NTBUGTRAQ:19970904 [Alert] Website's uploader.exe (from demo) vulnerable
Reference: NTBUGTRAQ:19970905 Re: FW: [Alert] Website's uploader.exe (from demo) vulnerable
Reference: BUGTRAQ:19970904 [Alert] Website's uploader.exe (from demo) vulnerable
Reference: XF:http-website-uploader

Description:
Buffer overflow in the win-c-sample program (win-c-sample.exe) in the WebSite web server 1.1e allows remote attackers to execute arbitrary code via a long query string.

Status: Entry
Reference: BUGTRAQ:19970106 Re: signal handling
Reference: URL:http://archives.neohapsis.com/archives/bugtraq/1997_1/0021.html
Reference: BID:2078
Reference: URL:http://www.securityfocus.com/bid/2078
Reference: OSVDB:8
Reference: URL:http://www.osvdb.org/8
Reference: XF:http-website-winsample(295)
Reference: URL:http://xforce.iss.net/xforce/xfdb/295

Description:
Windows NT crashes or locks up when a Samba client executes a "cd .." command on a file share.

Status: Entry
Reference: MSKB:Q140818
Reference: URL:http://support.microsoft.com/default.aspx?scid=kb;[LN];Q140818
Reference: XF:nt-samba-dotdot
Reference: XF:nt-351
Reference: XF:nt-35

Description:
in.rshd allows users to login with a NULL username and execute commands.

Status: Entry
Reference: XF:rsh-null

Description:
The wall daemon can be used for denial of service, social engineering attacks, or to execute remote commands.

Status: Entry
Reference: XF:walld

Description:
Samba has a buffer overflow which allows a remote attacker to obtain root access by specifying a long password.

Status: Entry
Reference: CIAC:H-110
Reference: URL:http://www.ciac.org/ciac/bulletins/h-110.shtml
Reference: CERT:VB-97.10.samba
Reference: XF:nt-samba-bo

Description:
Linux implementations of TFTP would allow access to files outside the restricted directory.

Status: Entry
Reference: XF:linux-tftp

Description:
When compiled with the -DALLOW_UPDATES option, bind allows dynamic updates to the DNS server, allowing for malicious modification of DNS records.

Status: Entry
Reference: XF:dns-updates

Description:
In SunOS or Solaris, a remote user could connect from an FTP server's data port to an rlogin server on a host that trusts the FTP server, allowing remote command execution.

Status: Entry
Reference: SUN:00156
Reference: URL:http://sunsolve.sun.com/pub-cgi/retrieve.pl?doctype=coll&doc=secbull/156
Reference: XF:sun-ftpd/logind

Description:
The passwd command in Solaris can be subjected to a denial of service.

Status: Entry
Reference: SUN:00182
Reference: URL:http://sunsolve.sun.com/pub-cgi/retrieve.pl?doctype=coll&doc=secbull/182
Reference: XF:sun-passwd-dos

Description:
Solaris rpcbind listens on a high numbered UDP port, which may not be filtered since the standard port number is 111.

Status: Entry
Reference: NAI:NAI-15
Reference: SUN:00142
Reference: URL:http://sunsolve.sun.com/pub-cgi/retrieve.pl?doctype=coll&doc=secbull/142
Reference: XF:rpc-32771

Description:
Solaris rpcbind can be exploited to overwrite arbitrary files and gain root access.

Status: Entry
Reference: SUN:00167
Reference: URL:http://sunsolve.sun.com/pub-cgi/retrieve.pl?doctype=coll&doc=secbull/167
Reference: XF:sun-rpcbind

Description:
IIS newdsn.exe CGI script allows remote users to overwrite files.

Status: Entry
Reference: XF:http-cgi-newdsn
Reference: OSVDB:275
Reference: URL:http://www.osvdb.org/275

Description:
Buffer overflow in telnet daemon tgetent routing allows remote attackers to gain root access via the TERMCAP environmental variable.

Status: Entry
Reference: SNI:SNI-20
Reference: XF:bsd-tel-tgetent

Description:
Denial of service in in.comsat allows attackers to generate messages.

Status: Entry
Reference: XF:comsat

Description:
websendmail in Webgais 1.0 allows a remote user to access arbitrary files and execute arbitrary code via the receiver parameter ($VAR_receiver variable).

Status: Entry
Reference: BUGTRAQ:19970704 Vulnerability in websendmail
Reference: BID:2077
Reference: URL:http://www.securityfocus.com/bid/2077
Reference: OSVDB:237
Reference: URL:http://www.osvdb.org/237
Reference: XF:http-webgais-smail

Description:
A quote cwd command on FTP servers can reveal the full path of the home directory of the "ftp" user.

Status: Entry
Reference: XF:ftp-home

Description:
The GNU tar command, when used in FTP sessions, may allow an attacker to execute arbitrary commands.

Status: Entry
Reference: XF:ftp-exectar

Description:
In Sendmail, attackers can gain root privileges via SMTP by specifying an improper "mail from" address and an invalid "rcpt to" address that would cause the mail to bounce to a program.

Status: Entry
Reference: CERT:CA-95.08
Reference: CIAC:E-03
Reference: XF:smtp-sendmail-version5

Description:
Sendmail 8.6.9 allows remote attackers to execute root commands, using ident.

Status: Entry
Reference: XF:ident-bo
Reference: CIAC:F-13

Description:
MIME buffer overflow in Sendmail 8.8.0 and 8.8.1 gives root access.

Status: Entry
Reference: XF:sendmail-mime-bo
Reference: AUSCERT:AA-96.06a

Description:
Remote attacker can execute commands through Majordomo using the Reply-To field and a "lists" command.

Status: Entry
Reference: XF:majordomo-exe
Reference: CERT:CA-94.11.majordomo.vulnerabilities

Description:
rpc.ypupdated (NIS) allows remote users to execute arbitrary commands.

Status: Entry
Reference: XF:rpc-update
Reference: CERT:CA-95.17.rpc.ypupdated.vul

Description:
The SunView (SunTools) selection_svc facility allows remote users to read files.

Status: Entry
Reference: CERT:CA-90.05.sunselection.vulnerability
Reference: BID:8
Reference: URL:http://www.securityfocus.com/bid/8
Reference: XF:selsvc

Description:
Automount daemon automountd allows local or remote users to gain privileges via shell metacharacters.

Status: Entry
Reference: BUGTRAQ:19971126 Solaris 2.5.1 automountd exploit (fwd)
Reference: URL:http://marc.theaimsgroup.com/?l=bugtraq&m=88053459921223&w=2
Reference: BUGTRAQ:19990103 SUN almost has a clue! (automountd)
Reference: URL:http://marc.theaimsgroup.com/?l=bugtraq&m=91547759121289&w=2
Reference: HP:HPSBUX9910-104
Reference: URL:http://www1.itrc.hp.com/service/cki/docDisplay.do?docId=HPSBUX9910-104
Reference: CERT:CA-99-05
Reference: URL:http://www.cert.org/advisories/CA-99-05-statd-automountd.html
Reference: BID:235
Reference: URL:http://www.securityfocus.com/bid/235

Description:
Extra long export lists over 256 characters in some mount daemons allows NFS directories to be mounted by anyone.

Status: Entry
Reference: CERT:CA-94.02.REVISED.SunOS.rpc.mountd.vulnerability
Reference: BID:24
Reference: URL:http://www.securityfocus.com/bid/24

Description:
Solaris rpc.mountd generates error messages that allow a remote attacker to determine what files are on the server.

Status: Entry
Reference: SUN:00168
Reference: URL:http://sunsolve.sun.com/pub-cgi/retrieve.pl?doctype=coll&doc=secbull/168
Reference: CIAC:I-048
Reference: URL:http://www.ciac.org/ciac/bulletins/i-048.shtml
Reference: XF:sun-mountd

Description:
Denial of service by sending forged ICMP unreachable packets.

Status: Entry
Reference: XF:icmp-unreachable

Description:
Routed allows attackers to append data to files.

Status: Entry
Reference: SGI:19981004-01-PX
Reference: URL:ftp://patches.sgi.com/support/free/security/advisories/19981004-01-PX
Reference: CIAC:J-012
Reference: URL:http://www.ciac.org/ciac/bulletins/j-012.shtml
Reference: XF:ripapp

Description:
Malicious option settings in UDP packets could force a reboot in SunOS 4.1.3 systems.

Status: Entry
Reference: XF:udp-bomb

Description:
Livingston portmaster machines could be rebooted via a series of commands.

Status: Entry
Reference: XF:portmaster-reboot

Description:
Buffer overflow in FTP Serv-U 2.5 allows remote authenticated users to cause a denial of service (crash) via a long (1) CWD or (2) LS (list) command.

Status: Entry
Reference: NTBUGTRAQ:19990503 Buffer overflows in FTP Serv-U 2.5
Reference: URL:http://marc.theaimsgroup.com/?l=ntbugtraq&m=92574916930144&w=2
Reference: NTBUGTRAQ:19990504 Re: Buffer overflows in FTP Serv-U 2.5
Reference: URL:http://marc.theaimsgroup.com/?l=ntbugtraq&m=92582581330282&w=2
Reference: BUGTRAQ:19990909 Exploit: Serv-U Ver2.5 FTPd Win9x/NT
Reference: BID:269
Reference: URL:http://www.securityfocus.com/bid/269
Reference: XF:ftp-servu(205)
Reference: URL:http://xforce.iss.net/xforce/xfdb/205

Description:
Denial of service of Ascend routers through port 150 (remote administration).

Status: Entry
Reference: XF:ascend-150-kill

Description:
Solaris syslogd crashes when receiving a message from a host that doesn't have an inverse DNS entry.

Status: Entry
Reference: BUGTRAQ:19961109 Syslogd and Solaris 2.4
Reference: SUNBUG:1249320
Reference: CONFIRM:http://sunsolve.Sun.COM/pub-cgi/retrieve.pl?patchid=103291&collection=fpatches
Reference: XF:sol-syslogd-crash
Reference: BID:1878
Reference: URL:http://www.securityfocus.com/bid/1878

Description:
Denial of service in Windows NT messenger service through a long username.

Status: Entry
Reference: XF:nt-messenger

Description:
Windows NT 4.0 allows remote attackers to cause a denial of service via a malformed SMB logon request in which the actual data size does not match the specified size.

Status: Entry
Reference: NAI:19980214 Windows NT Logon Denial of Service
Reference: URL:http://www.nai.com/nai_labs/asp_set/advisory/25_windows_nt_dos_adv.asp
Reference: MSKB:Q180963
Reference: URL:http://www.microsoft.com/technet/support/kb.asp?ID=180963
Reference: XF:nt-logondos

Description:
Access violation in LSASS.EXE (LSA/LSARPC) program in Windows NT allows a denial of service.

Status: Entry
Reference: MSKB:Q154087
Reference: URL:http://support.microsoft.com/default.aspx?scid=kb;[LN];Q154087
Reference: XF:nt-lsass-crash

Description:
Denial of service in RPCSS.EXE program (RPC Locator) in Windows NT.

Status: Entry
Reference: XF:nt-rpc-ver
Reference: MSKB:Q162567
Reference: URL:http://support.microsoft.com/default.aspx?scid=kb;[LN];Q162567

Description:
Buffer overflow in Cisco 7xx routers through the telnet service.

Status: Entry
Reference: CISCO:http://www.cisco.com/warp/public/770/pwbuf-pub.shtml
Reference: OSVDB:1102
Reference: URL:http://www.osvdb.org/1102

Description:
IIS 1.0 allows users to execute arbitrary commands using .bat or .cmd files.

Status: Entry
Reference: MSKB:Q148188
Reference: URL:http://support.microsoft.com/default.aspx?scid=kb;[LN];Q148188
Reference: MSKB:Q155056
Reference: URL:http://support.microsoft.com/default.aspx?scid=kb;[LN];Q155056
Reference: XF:http-iis-cmd

Description:
Bash treats any character with a value of 255 as a command separator.

Status: Entry
Reference: XF:bash-cmd
Reference: CERT:CA-96.22.bash_vuls

Description:
ScriptAlias directory in NCSA and Apache httpd allowed attackers to read CGI programs.

Status: Entry
Reference: XF:http-scriptalias

Description:
Remote execution of arbitrary commands through Guestbook CGI program.

Status: Entry
Reference: XF:http-cgi-guestbook
Reference: CERT:VB-97.02

Description:
Netscape FastTrack Web server lists files when a lowercase "get" command is used instead of an uppercase GET.

Status: Entry
Reference: XF:fastrack-get-directory-list
Reference: OSVDB:122
Reference: URL:http://www.osvdb.org/122

Description:
Livingston RADIUS code has a buffer overflow which can allow remote execution of commands as root.

Status: Entry
Reference: NAI:NAI-23
Reference: XF:radius-accounting-overflow

Description:
Some configurations of NIS+ in Linux allowed attackers to log in as the user "+".

Status: Entry
Reference: BUGTRAQ:19950907 Linux NIS security problem hole and fix
Reference: XF:linux-plus

Description:
Buffer overflow in nnrpd program in INN up to version 1.6 allows remote users to execute arbitrary commands.

Status: Entry
Reference: NAI:19970721 INN news server vulnerabilities
Reference: URL:http://www.nai.com/nai_labs/asp_set/advisory/17_inn_avd.asp
Reference: BID:1443
Reference: URL:http://www.securityfocus.com/bid/1443
Reference: XF:inn-bo

Description:
A race condition in the authentication agent mechanism of sshd 1.2.17 allows an attacker to steal another user's credentials.

Status: Entry
Reference: MISC:http://oliver.efri.hr/~crv/security/bugs/mUNIXes/ssh2.html
Reference: CONFIRM:http://www.uni-karlsruhe.de/~ig25/ssh-faq/ssh-faq-6.html#ss6.1

Description:
Denial of service in talk program allows remote attackers to disrupt a user's display.

Status: Entry
Reference: XF:talkd-flash

Description:
Buffer overflow in listserv allows arbitrary command execution.

Status: Entry
Reference: XF:smtp-listserv

Description:
Buffer overflow in War FTP allows remote execution of commands.

Status: Entry
Reference: XF:war-ftpd
Reference: OSVDB:875
Reference: URL:http://www.osvdb.org/875

Description:
cfingerd lists all users on a system via search.**@target.

Status: Entry
Reference: BUGTRAQ:19970523 cfingerd vulnerability
Reference: XF:cfinger-user-enumeration

Description:
The jj CGI program allows command execution via shell metacharacters.

Status: Entry
Reference: BUGTRAQ:19961224 jj cgi
Reference: XF:http-cgi-jj

Description:
Hylafax faxsurvey CGI script on Linux allows remote attackers to execute arbitrary commands via shell metacharacters in the query string.

Status: Entry
Reference: BUGTRAQ:19980804 remote exploit in faxsurvey cgi-script
Reference: BUGTRAQ:19980804 PATCH: faxsurvey
Reference: BID:2056
Reference: URL:http://www.securityfocus.com/bid/2056
Reference: XF:http-cgi-faxsurvey(1532)
Reference: URL:http://xforce.iss.net/xforce/xfdb/1532

Description:
Solaris SUNWadmap can be exploited to obtain root access.

Status: Entry
Reference: SUN:00173
Reference: URL:http://sunsolve.sun.com/pub-cgi/retrieve.pl?doctype=coll&doc=secbull/173
Reference: XF:sun-sunwadmap

Description:
htmlscript CGI program allows remote read access to files.

Status: Entry
Reference: XF:http-htmlscript-file-access
Reference: BUGTRAQ:Jan27,1998

Description:
ICMP redirect messages may crash or lock up a host.

Status: Entry
Reference: MSKB:Q154174
Reference: URL:http://support.microsoft.com/default.aspx?scid=kb;[LN];Q154174
Reference: ISS:ICMP Redirects Against Embedded Controllers
Reference: XF:icmp-redirect

Description:
The info2www CGI script allows remote file access or remote command execution.

Status: Entry
Reference: BUGTRAQ:19980303 Vulnerabilites in some versions of info2www CGI
Reference: BID:1995
Reference: URL:http://www.securityfocus.com/bid/1995
Reference: XF:http-cgi-info2www

Description:
Buffer overflow in NCSA HTTP daemon v1.3 allows remote command execution.

Status: Entry
Reference: XF:http-port
Reference: CERT:CA-95.04.NCSA.http.daemon.for.unix.vulnerability

Description:
MetaInfo MetaWeb web server allows users to upload, execute, and read scripts.

Status: Entry
Reference: BUGTRAQ:19980630 Security vulnerabilities in MetaInfo products
Reference: BUGTRAQ:19980703 Followup to MetaInfo vulnerabilities
Reference: OSVDB:110
Reference: URL:http://www.osvdb.org/110
Reference: OSVDB:3969
Reference: URL:http://www.osvdb.org/3969
Reference: XF:metaweb-server-dot-attack

Description:
Netscape Enterprise servers may list files through the PageServices query.

Status: Entry
Reference: XF:netscape-server-pageservices

Description:
Directory traversal vulnerability in pfdispaly.cgi program (sometimes referred to as "pfdisplay") for SGI's Performer API Search Tool (performer_tools) allows remote attackers to read arbitrary files.

Status: Entry
Reference: BUGTRAQ:19980317 IRIX performer_tools bug
Reference: SGI:19980401-01-P
Reference: URL:ftp://patches.sgi.com/support/free/security/advisories/19980401-01-P
Reference: CIAC:I-041
Reference: URL:http://www.ciac.org/ciac/bulletins/i-041.shtml
Reference: BID:64
Reference: URL:http://www.securityfocus.com/bid/64
Reference: OSVDB:134
Reference: URL:http://www.osvdb.org/134
Reference: XF:sgi-pfdispaly(810)
Reference: URL:http://xforce.iss.net/xforce/xfdb/810

Description:
Denial of service in Slmail v2.5 through the POP3 port.

Status: Entry
Reference: XF:slmail-username-bo

Description:
Denial of service through Solaris 2.5.1 telnet by sending ^D characters.

Status: Entry
Reference: XF:sun-telnet-kill

Description:
Denial of service in Windows NT DNS servers through malicious packet which contains a response to a query that wasn't made.

Status: Entry
Reference: NAI:NAI-5
Reference: XF:nt-dns-dos

Description:
Denial of service in Windows NT DNS servers by flooding port 53 with too many characters.

Status: Entry
Reference: XF:nt-dnscrash
Reference: XF:nt-dnsver
Reference: MS:Q169461

Description:
mSQL v2.0.1 and below allows remote execution through a buffer overflow.

Status: Entry
Reference: XF:msql-debug-bo
Reference: SEKURE:sekure.01-99.msql

Description:
The WorkMan program can be used to overwrite any file to get root access.

Status: Entry
Reference: XF:workman
Reference: CERT:CA-96.23.workman_vul

Description:
In IIS, remote attackers can obtain source code for ASP files by appending "::$DATA" to the URL.

Status: Entry
Reference: MS:MS98-003
Reference: URL:http://www.microsoft.com/technet/security/bulletin/ms98-003.mspx
Reference: XF:iis-asp-data-check
Reference: OVAL:oval:org.mitre.oval:def:913
Reference: URL:http://oval.mitre.org/repository/data/getDef?id=oval:org.mitre.oval:def:913

Description:
Excite for Web Servers (EWS) allows remote command execution via shell metacharacters.

Status: Entry
Reference: BUGTRAQ:19971217 CGI security hole in EWS (Excite for Web Servers)
Reference: BUGTRAQ:19980115 Excite announcement
Reference: CERT:VB-98.01.excite
Reference: XF:excite-cgi-search-vuln

Description:
Remote command execution in Microsoft Internet Explorer using .lnk and .url files.

Status: Entry
Reference: NTBUGTRAQ:19970317 Internet Explorer Bug #4
Reference: CIAC:H-38
Reference: XF:http-ie-lnkurl

Description:
Denial of service in IIS using long URLs.

Status: Entry
Reference: XF:http-iis-longurl

Description:
The WINS server in Microsoft Windows NT 4.0 before SP4 allows remote attackers to cause a denial of service (process termination) via invalid UDP frames to port 137 (NETBIOS Name Service), as demonstrated via a flood of random packets.

Status: Entry
Reference: NTBUGTRAQ:19970801 WINS flooding
Reference: BUGTRAQ:19970801 WINS flooding
Reference: BUGTRAQ:19970815 Re: WINS flooding
Reference: MISC:http://safenetworks.com/Windows/wins.html
Reference: MSKB:155701
Reference: XF:nt-winsupd-fix(1233)
Reference: URL:http://xforce.iss.net/xforce/xfdb/1233

Description:
The Apache web server for Win32 may provide access to restricted files when a . (dot) is appended to a requested URL.

Status: Entry

Description:
The WinGate telnet proxy allows remote attackers to cause a denial of service via a large number of connections to localhost.

Status: Entry
Reference: BUGTRAQ:19980221 WinGate DoS
Reference: BUGTRAQ:19980326 WinGate Intermediary Fix/Update
Reference: XF:wingate-dos

Description:
The WinGate proxy is installed without a password, which allows remote attackers to redirect connections without authentication.

Status: Entry
Reference: XF:wingate-unpassworded

Description:
Denial of service through Winpopup using large user names.

Status: Entry
Reference: XF:nt-winpopup

Description:
AAA authentication on Cisco systems allows attackers to execute commands without authorization.

Status: Entry
Reference: CISCO:http://www.cisco.com/warp/public/770/aaapair-pub.shtml
Reference: XF:cisco-ios-aaa-auth

Description:
All records in a WINS database can be deleted through SNMP for a denial of service.

Status: Entry
Reference: XF:nt-wins-snmp2

Description:
Solaris sysdef command allows local users to read kernel memory, potentially leading to root privileges.

Status: Entry
Reference: XF:sun-sysdef
Reference: SUN:00157
Reference: URL:http://sunsolve.sun.com/pub-cgi/retrieve.pl?doctype=coll&doc=secbull/157

Description:
Solaris volrmmount program allows attackers to read any file.

Status: Entry
Reference: SUN:00162
Reference: URL:http://sunsolve.sun.com/pub-cgi/retrieve.pl?doctype=coll&doc=secbull/162
Reference: XF:sun-volrmmount

Description:
Buffer overflow in Vixie Cron library up to version 3.0 allows local users to obtain root access via a long environmental variable.

Status: Entry
Reference: NAI:NAI-3
Reference: AUSCERT:AA-96.21
Reference: CIAC:H-17
Reference: XF:vixie-cron

Description:
Buffer overflow in FreeBSD lpd through long DNS hostnames.

Status: Entry
Reference: NAI:NAI-9
Reference: OSVDB:6093
Reference: URL:http://www.osvdb.org/6093

Description:
nis_cachemgr for Solaris NIS+ allows attackers to add malicious NIS+ servers.

Status: Entry
Reference: SUN:00155
Reference: URL:http://sunsolve.sun.com/pub-cgi/retrieve.pl?doctype=coll&doc=secbull/155
Reference: XF:sun-niscache

Description:
Buffer overflow in SunOS/Solaris ps command.

Status: Entry
Reference: SUN:00149
Reference: URL:http://sunsolve.sun.com/pub-cgi/retrieve.pl?doctype=coll&doc=secbull/149
Reference: AUSCERT:AUSCERT-97.17
Reference: XF:sun-ps2bo

Description:
SunOS/Solaris FTP clients can be forced to execute arbitrary commands from a malicious FTP server.

Status: Entry
Reference: SUN:00176
Reference: URL:http://sunsolve.sun.com/pub-cgi/retrieve.pl?doctype=coll&doc=secbull/176
Reference: XF:sun-ftp-server

Description:
Buffer overflow in BNU UUCP daemon (uucpd) through long hostnames.

Status: Entry
Reference: XF:bnu-uucpd-bo
Reference: RSI:RSI.0002.05-18-98.BNU.UUCPD

Description:
mmap function in BSD allows local attackers in the kmem group to modify memory through devices.

Status: Entry
Reference: XF:bsd-mmap
Reference: FREEBSD:FreeBSD-SA-98:02

Description:
The system configuration control (sysctl) facility in BSD based operating systems OpenBSD 2.2 and earlier, and FreeBSD 2.2.5 and earlier, does not properly restrict source routed packets even when the (1) dosourceroute or (2) forwarding variables are set, which allows remote attackers to spoof TCP connections.

Status: Entry
Reference: OPENBSD:Feb15,1998 "IP Source Routing Problem"
Reference: MISC:http://www.openbsd.org/advisories/sourceroute.txt
Reference: OSVDB:11502
Reference: URL:http://www.osvdb.org/11502
Reference: XF:bsd-sourceroute(736)
Reference: URL:http://xforce.iss.net/xforce/xfdb/736

Description:
HP-UX gwind program allows users to modify arbitrary files.

Status: Entry
Reference: HP:HPSBUX9410-018
Reference: URL:http://www1.itrc.hp.com/service/cki/docDisplay.do?docId=HPSBUX9410-018
Reference: XF:hpux-gwind-overwrite
Reference: CIAC:H-03: HP-UX suid Vulnerabilities

Description:
HP-UX vgdisplay program gives root access to local users.

Status: Entry
Reference: HP:HPSBUX9702-056
Reference: URL:http://www1.itrc.hp.com/service/cki/docDisplay.do?docId=HPSBUX9702-056
Reference: XF:hpux-vgdisplay
Reference: CIAC:H-27: HP-UX vgdisplay Buffer Overrun Vulnerability

Description:
SSH 1.2.25 on HP-UX allows access to new user accounts.

Status: Entry
Reference: XF:ssh-1225

Description:
fpkg2swpk in HP-UX allows local users to gain root access.

Status: Entry
Reference: XF:hpux-fpkg2swpk
Reference: HP:HPSBUX9612-042
Reference: URL:http://www1.itrc.hp.com/service/cki/docDisplay.do?docId=HPSBUX9612-042

Description:
HP ypbind allows attackers with root privileges to modify NIS data.

Status: Entry
Reference: XF:nis-ypbind
Reference: CERT:CA-93:01.REVISED.HP.NIS.ypbind.vulnerability

Description:
disk_bandwidth on SGI IRIX 6.4 S2MP for Origin/Onyx2 allows local users to gain root access using relative pathnames.

Status: Entry
Reference: MISC:http://www.securityfocus.com/bid/213/exploit
Reference: SGI:19980701-01-P
Reference: URL:ftp://patches.sgi.com/support/free/security/advisories/19980701-01-P
Reference: BID:214
Reference: URL:http://www.securityfocus.com/bid/214
Reference: OSVDB:936
Reference: URL:http://www.osvdb.org/936
Reference: XF:sgi-disk-bandwidth(1441)
Reference: URL:http://xforce.iss.net/xforce/xfdb/1441

Description:
ioconfig on SGI IRIX 6.4 S2MP for Origin/Onyx2 allows local users to gain root access using relative pathnames.

Status: Entry
Reference: MISC:http://www.securityfocus.com/bid/213/exploit
Reference: SGI:19980701-01-P
Reference: URL:ftp://patches.sgi.com/support/free/security/advisories/19980701-01-P
Reference: BID:213
Reference: URL:http://www.securityfocus.com/bid/213
Reference: OSVDB:6788
Reference: URL:http://www.osvdb.org/6788
Reference: XF:sgi-ioconfig(1199)
Reference: URL:http://xforce.iss.net/xforce/xfdb/1199

Description:
Buffer overflow in Solaris fdformat command gives root access to local users.

Status: Entry
Reference: XF:fdformat-bo
Reference: SUN:00138
Reference: URL:http://sunsolve.sun.com/pub-cgi/retrieve.pl?doctype=coll&doc=secbull/138

Description:
Buffer overflow in Linux splitvt command gives root access to local users.

Status: Entry
Reference: XF:linux-splitvt
Reference: CIAC:G-08

Description:
Buffer overflow in xmcd 2.0p12 allows local users to gain access through an environmental variable.

Status: Entry
Reference: BUGTRAQ:19961125 Security Problems in XMCD
Reference: BUGTRAQ:19961125 XMCD v2.1 released (was: Security Problems in XMCD)
Reference: XF:xmcd-envbo

Description:
SunOS rpc.cmsd allows attackers to obtain root access by overwriting arbitrary files.

Status: Entry
Reference: SUN:00166
Reference: URL:http://sunsolve.sun.com/pub-cgi/retrieve.pl?doctype=coll&doc=secbull/166
Reference: XF:sun-rpc.cmsd

Description:
Buffer overflow in Solaris kcms_configure command allows local users to gain root access.

Status: Entry
Reference: XF:sun-kcms-configure-bo

Description:
The open() function in FreeBSD allows local attackers to write to arbitrary files.

Status: Entry
Reference: FREEBSD:FreeBSD-SA-97:05
Reference: XF:freebsd-open
Reference: OSVDB:6092
Reference: URL:http://www.osvdb.org/6092

Description:
FreeBSD mmap function allows users to modify append-only or immutable files.

Status: Entry
Reference: FREEBSD:FreeBSD-SA-98:04
Reference: NETBSD:1998-003
Reference: URL:ftp://ftp.NetBSD.ORG/pub/NetBSD/misc/security/advisories/NetBSD-SA1998-003.txt.asc
Reference: XF:bsd-mmap

Description:
ppl program in HP-UX allows local users to create root files through symlinks.

Status: Entry
Reference: HP:HPSBUX9702-053
Reference: URL:http://www1.itrc.hp.com/service/cki/docDisplay.do?docId=HPSBUX9702-053
Reference: CIAC:H-31
Reference: XF:hp-ppllog

Description:
vhe_u_mnt program in HP-UX allows local users to create root files through symlinks.

Status: Entry
Reference: XF:hp-vhe
Reference: HP:HPSBUX9406-013
Reference: URL:http://www1.itrc.hp.com/service/cki/docDisplay.do?docId=HPSBUX9406-013

Description:
Vulnerability in HP-UX mediainit program.

Status: Entry
Reference: HP:HPSBUX9710-071
Reference: URL:http://www1.itrc.hp.com/service/cki/docDisplay.do?docId=HPSBUX9710-071
Reference: XF:hp-mediainit

Description:
SGI syserr program allows local users to corrupt files.

Status: Entry
Reference: SGI:19971103-01-PX
Reference: URL:ftp://patches.sgi.com/support/free/security/advisories/19971103-01-PX
Reference: XF:sgi-syserr

Description:
SGI permissions program allows local users to gain root privileges.

Status: Entry
Reference: SGI:19971103-01-PX
Reference: URL:ftp://patches.sgi.com/support/free/security/advisories/19971103-01-PX
Reference: XF:sgi-permtool

Description:
SGI mediad program allows local users to gain root access.

Status: Entry
Reference: SGI:19980602-01-PX
Reference: URL:ftp://patches.sgi.com/support/free/security/advisories/19980602-01-PX
Reference: XF:sgi-mediad

Description:
Buffer overflow in NetMeeting allows denial of service and remote command execution.

Status: Entry
Reference: XF:nt-netmeeting
Reference: MSKB:Q184346
Reference: URL:http://support.microsoft.com/default.aspx?scid=kb;[LN];Q184346

Description:
In Solaris 2.2 and 2.3, when fsck fails on startup, it allows a local user with physical access to obtain root access.

Status: Entry
Reference: XF:sol-startup
Reference: CERT:CA-93.19.Solaris.Startup.vulnerability

Description:
DEPRECATED. This entry has been deprecated. It is a duplicate of CVE-1999-0032.

Status: Entry

Description:
AIX batch queue (bsh) allows local and remote users to gain additional privileges when network printing is enabled.

Status: Entry
Reference: CERT:CA-94.10.IBM.AIX.bsh.vulnerability.html
Reference: XF:ibm-bsh

Description:
AIX Licensed Program Product performance tools allow local users to gain root access.

Status: Entry
Reference: XF:ibm-perf-tools
Reference: CERT:CA-94.03.AIX.performance.tools

Description:
Buffer overflow in the libauth library in Solaris allows local users to gain additional privileges, possibly root access.

Status: Entry
Reference: XF:sol-sun-libauth
Reference: RSI:RSI.0007.05-26-98

Description:
Buffer overflow in Linux Slackware crond program allows local users to gain root access.

Status: Entry
Reference: KSRT:005
Reference: XF:linux-crond

Description:
Buffer overflow in the Linux mail program "deliver" allows local users to gain root access.

Status: Entry
Reference: KSRT:006
Reference: XF:linux-deliver

Description:
Linux PAM modules allow local users to gain root access using temporary files.

Status: Entry
Reference: REDHAT:http://www.redhat.com/corp/support/errata/rh42-errata-general.html#pam
Reference: XF:linux-pam-passwd-tmprace

Description:
A malicious Palace server can force a client to execute arbitrary programs.

Status: Entry
Reference: BUGTRAQ:19981002 Announcements from The Palace (fwd)
Reference: XF:palace-malicious-servers-vuln

Description:
NT users can gain debug-level access on a system process using the Sechole exploit.

Status: Entry
Reference: MS:MS98-009
Reference: URL:http://www.microsoft.com/technet/security/bulletin/ms98-009.mspx
Reference: MSKB:Q190288
Reference: URL:http://support.microsoft.com/default.aspx?scid=kb;[LN];Q190288
Reference: XF:nt-priv-fix

Description:
CGI PHP mlog script allows an attacker to read any file on the target server.

Status: Entry
Reference: BUGTRAQ:19971019 Vulnerability in PHP Example Logging Scripts
Reference: BID:713
Reference: URL:http://www.securityfocus.com/bid/713
Reference: XF:http-cgi-php-mlog
Reference: OSVDB:3397
Reference: URL:http://www.osvdb.org/3397

Description:
IIS ASP caching problem releases sensitive information when two virtual servers share the same physical directory.

Status: Entry
Reference: NTBUGTRAQ:Jan27,1999
Reference: MSKB:Q197003
Reference: URL:http://support.microsoft.com/default.aspx?scid=kb;[LN];Q197003
Reference: OSVDB:930
Reference: URL:http://www.osvdb.org/930

Description:
A buffer overflow in the FTP list (ls) command in IIS allows remote attackers to conduct a denial of service and, in some cases, execute arbitrary commands.

Status: Entry
Reference: EEYE:IIS Remote FTP Exploit/DoS Attack
Reference: URL:http://www.eeye.com/html/Research/Advisories/IIS Remote FTP Exploit/DoS Attack.html
Reference: MS:MS99-003
Reference: URL:http://www.microsoft.com/technet/security/bulletin/ms99-003.mspx
Reference: MSKB:Q188348
Reference: URL:http://support.microsoft.com/default.aspx?scid=kb;[LN];Q188348
Reference: BUGTRAQ:Jan27,1999
Reference: XF:iis-remote-ftp

Description:
Race condition in the db_loader program in ClearCase gives local users root access by setting SUID bits.

Status: Entry
Reference: L0PHT:Feb8,1999
Reference: XF:clearcase-temp-race

Description:
FTP PASV "Pizza Thief" denial of service and unauthorized data access. Attackers can steal data by connecting to a port that was intended for use by a client.

Status: Entry
Reference: INFOWAR:01
Reference: MISC:http://attrition.org/security/advisory/misc/infowar/iw_sec_01.txt
Reference: XF:pasv-pizza-thief-dos(3389)
Reference: URL:http://xforce.iss.net/xforce/xfdb/3389

Description:
rpc.pcnfsd in HP gives remote root access by changing the permissions on the main printer spool directory.

Status: Entry
Reference: HP:HPSBUX9902-091
Reference: URL:http://www1.itrc.hp.com/service/cki/docDisplay.do?docId=HPSBUX9902-091
Reference: CIAC:J-026
Reference: URL:http://www.ciac.org/ciac/bulletins/j-026.shtml
Reference: XF:pcnfsd-world-write

Description:
Local or remote users can force ControlIT 4.5 to reboot or force a user to log out, resulting in a denial of service.

Status: Entry
Reference: ISS:Multiple vulnerabilities in ControlIT(tm) (formerly Remotely Possible/32) enterprise management software
Reference: XF:controlit-reboot

Description:
Windows 98 and other operating systems allows remote attackers to cause a denial of service via crafted "oshare" packets, possibly involving invalid fragmentation offsets.

Status: Entry
Reference: BUGTRAQ:19990125 Win98 crash?
Reference: XF:win98-oshare-dos

Description:
Digital Unix 4.0 has a buffer overflow in the inc program of the mh package.

Status: Entry
Reference: BUGTRAQ:19990125 Digital Unix 4.0 exploitable buffer overflows
Reference: URL:http://www.securityfocus.com/archive/1/12121
Reference: COMPAQ:SSRT0583U
Reference: XF:du-inc
Reference: CIAC:J-027
Reference: URL:http://www.ciac.org/ciac/bulletins/j-027.shtml

Description:
WS_FTP server remote denial of service through cwd command.

Status: Entry
Reference: EEYE:AD02021999
Reference: URL:http://www.eeye.com/html/Research/Advisories/AD02021999.html
Reference: XF:wsftp-remote-dos
Reference: BID:217
Reference: URL:http://www.securityfocus.com/bid/217

Description:
SuSE 5.2 PLP lpc program has a buffer overflow that leads to root compromise.

Status: Entry
Reference: BUGTRAQ:Feb02,1999
Reference: XF:plp-lpc-bo
Reference: BID:328
Reference: URL:http://www.securityfocus.com/bid/328

Description:
The metamail package allows remote command execution using shell metacharacters that are not quoted in a mailcap entry.

Status: Entry
Reference: BUGTRAQ:Feb04,1999
Reference: XF:metamail-header-commands

Description:
In some cases, Service Pack 4 for Windows NT 4.0 can allow access to network shares using a blank password, through a problem with a null NT hash value.

Status: Entry
Reference: MS:MS99-004
Reference: URL:http://www.microsoft.com/technet/security/bulletin/ms99-004.mspx
Reference: MSKB:Q214840
Reference: URL:http://support.microsoft.com/default.aspx?scid=kb;[LN];Q214840
Reference: XF:nt-sp4-auth-error

Description:
NetBSD netstat command allows local users to access kernel memory.

Status: Entry
Reference: NETBSD:1999-002
Reference: OSVDB:7571
Reference: URL:http://www.osvdb.org/7571

Description:
Buffer overflows in wuarchive ftpd (wu-ftpd) and ProFTPD lead to remote root access, a.k.a. palmetto.

Status: Entry
Reference: NETECT:palmetto.ftpd
Reference: CERT:CA-99.03
Reference: XF:palmetto-ftpd-bo

Description:
The Sun sdtcm_convert calendar utility for OpenWindows has a buffer overflow which can gain root access.

Status: Entry
Reference: SUN:00183
Reference: URL:http://sunsolve.sun.com/pub-cgi/retrieve.pl?doctype=coll&doc=secbull/183
Reference: XF:sun-sdtcm-convert-bo

Description:
Lynx allows a local user to overwrite sensitive files through /tmp symlinks.

Status: Entry
Reference: BUGTRAQ:19990211 Lynx /tmp problem
Reference: CERT:VB-97.05.lynx
Reference: XF:lynx-temp-files-race

Description:
The installer for BackOffice Server includes account names and passwords in a setup file (reboot.ini) which is not deleted.

Status: Entry
Reference: MS:MS99-005
Reference: URL:http://www.microsoft.com/technet/security/bulletin/ms99-005.mspx
Reference: XF:nt-backoffice-setup
Reference: MSKB:Q217004
Reference: URL:http://support.microsoft.com/default.aspx?scid=kb;[LN];Q217004

Description:
Buffer overflow in the "Super" utility in Debian GNU/Linux, and other operating systems, allows local users to execute commands as root.

Status: Entry
Reference: ISS:Buffer Overflow in "Super" package in Debian Linux
Reference: XF:linux-super-bo
Reference: XF:linux-super-logging-bo

Description:
Debian GNU/Linux cfengine package is susceptible to a symlink attack.

Status: Entry
Reference: DEBIAN:19990215
Reference: BUGTRAQ:Feb16,1999
Reference: XF:linux-cfengine-symlinks

Description:
Buffer overflow in webd in Network Flight Recorder (NFR) 2.0.2-Research allows remote attackers to execute commands.

Status: Entry
Reference: NAI:February 16, 1999
Reference: BUGTRAQ:Feb16,1999
Reference: XF:nfr-webd-overflow

Description:
Local users in Windows NT can obtain administrator privileges by changing the KnownDLLs list to reference malicious programs.

Status: Entry
Reference: MS:MS99-006
Reference: URL:http://www.microsoft.com/technet/security/bulletin/ms99-006.mspx
Reference: BUGTRAQ:Feb20,1999
Reference: L0PHT:Feb18,1999
Reference: XF:nt-knowndlls-list

Description:
Process table attack in Unix systems allows a remote attacker to perform a denial of service by filling a machine's process tables through multiple connections to network services.

Status: Entry
Reference: BUGTRAQ:Feb22,1999

Description:
InterScan VirusWall for Solaris doesn't scan files for viruses when a single HTTP request includes two GET commands.

Status: Entry
Reference: BUGTRAQ:19990222 BlackHats Advisory -- InterScan VirusWall
Reference: BUGTRAQ:19990225 Patch for InterScan VirusWall for Unix now available
Reference: XF:viruswall-http-request
Reference: OSVDB:6167
Reference: URL:http://www.osvdb.org/6167

Description:
Microsoft Taskpads allows remote web sites to execute commands on the visiting user's machine via certain methods that are marked as Safe for Scripting.

Status: Entry
Reference: MS:MS99-007
Reference: URL:http://www.microsoft.com/technet/security/bulletin/ms99-007.mspx
Reference: BUGTRAQ:19990223 Microsoft Security Bulletin (MS99-007)
Reference: BID:498
Reference: URL:http://www.securityfocus.com/bid/498
Reference: OSVDB:1019
Reference: URL:http://www.osvdb.org/1019
Reference: XF:win-resourcekit-taskpads

Description:
SLMail 3.1 and 3.2 allows local users to access any file in the NTFS file system when the Remote Administration Service (RAS) is enabled by setting a user's Finger File to point to the target file, then running finger on the user.

Status: Entry
Reference: NTBUGTRAQ:199902225 ALERT: SLMail 3.2 (and 3.1) with the Remote Administration Service
Reference: URL:http://marc.theaimsgroup.com/?l=ntbugtraq&m=91999015212415&w=2
Reference: BUGTRAQ:19990225 ALERT: SLMail 3.2 (and 3.1) with the Remote Administration Service
Reference: URL:http://marc.theaimsgroup.com/?l=bugtraq&m=91996412724720&w=2
Reference: NTBUGTRAQ:SLmail 3.2 Build 3113 (Web Administration Security Fix)
Reference: URL:http://marc.theaimsgroup.com/?l=ntbugtraq&m=92110501504997&w=2
Reference: BID:497
Reference: URL:http://www.securityfocus.com/bid/497
Reference: XF:slmail-ras-ntfs-bypass(5392)
Reference: URL:http://xforce.iss.net/static/5392.php

Description:
The screen saver in Windows NT does not verify that its security context has been changed properly, allowing attackers to run programs with elevated privileges.

Status: Entry
Reference: MS:MS99-008
Reference: URL:http://www.microsoft.com/technet/security/bulletin/ms99-008.mspx
Reference: XF:nt-screen-saver

Description:
ACC Tigris allows public access without a login.

Status: Entry
Reference: BUGTRAQ:19990103 Tigris vulnerability
Reference: BID:183
Reference: URL:http://www.securityfocus.com/bid/183
Reference: OSVDB:267
Reference: URL:http://www.osvdb.org/267
Reference: XF:acc-tigris-login

Description:
The Forms 2.0 ActiveX control (included with Visual Basic for Applications 5.0) can be used to read text from a user's clipboard when the user accesses documents with ActiveX content.

Status: Entry
Reference: XF:forms-vuln-patch
Reference: MS:MS99-001
Reference: URL:http://www.microsoft.com/technet/security/bulletin/ms99-001.mspx

Description:
The LDAP bind function in Exchange 5.5 has a buffer overflow that allows a remote attacker to conduct a denial of service or execute commands.

Status: Entry
Reference: MS:MS99-009
Reference: URL:http://www.microsoft.com/technet/security/bulletin/ms99-009.mspx
Reference: ISS:LDAP Buffer overflow against Microsoft Directory Services
Reference: XF:ldap-exchange-overflow
Reference: XF:ldap-mds-dos

Description:
Microsoft Personal Web Server and FrontPage Personal Web Server in some Windows systems allows a remote attacker to read files on the server by using a nonstandard URL.

Status: Entry
Reference: MS:MS99-010
Reference: URL:http://www.microsoft.com/technet/security/bulletin/ms99-010.mspx
Reference: XF:pws-file-access
Reference: OSVDB:111
Reference: URL:http://www.osvdb.org/111

Description:
A legacy credential caching mechanism used in Windows 95 and Windows 98 systems allows attackers to read plaintext network passwords.

Status: Entry
Reference: MS:MS99-052
Reference: URL:http://www.microsoft.com/technet/security/bulletin/ms99-052.asp
Reference: MSKB:Q168115
Reference: URL:http://support.microsoft.com/default.aspx?scid=kb;[LN];Q168115
Reference: BID:829
Reference: URL:http://www.securityfocus.com/bid/829
Reference: XF:9x-plaintext-pwd

Description:
DataLynx suGuard trusts the PATH environment variable to execute the ps command, allowing local users to execute commands as root.

Status: Entry
Reference: XF:datalynx-suguard-relative-paths
Reference: L0PHT:Jan3,1999
Reference: OSVDB:3186
Reference: URL:http://www.osvdb.org/3186

Description:
Buffer overflow in Dosemu Slang library in Linux.

Status: Entry
Reference: BUGTRAQ:19990104 Dosemu/S-Lang Overflow + sploit
Reference: CALDERA:CSSA-1999-006.1
Reference: URL:ftp://ftp.caldera.com/pub/security/OpenLinux/CSSA-1999-006.1.txt
Reference: BID:187
Reference: URL:http://www.securityfocus.com/bid/187

Description:
The cryptographic challenge of SMB authentication in Windows 95 and Windows 98 can be reused, allowing an attacker to replay the response and impersonate a user.

Status: Entry
Reference: L0PHT:Jan. 5, 1999

Description:
Buffer overflow in Thomas Boutell's cgic library version up to 1.05.

Status: Entry
Reference: BUGTRAQ:Jan10,1999
Reference: XF:http-cgic-library-bo

Description:
Remote attackers can cause a denial of service in Sendmail 8.8.x and 8.9.2 by sending messages with a large number of headers.

Status: Entry
Reference: BUGTRAQ:19981212 ** Sendmail 8.9.2 DoS - exploit ** get what you want!
Reference: BUGTRAQ:19990121 Sendmail 8.8.x/8.9.x bugware
Reference: URL:http://marc.theaimsgroup.com/?l=bugtraq&m=91694391227372&w=2
Reference: XF:sendmail-parsing-redirection

Description:
A race condition in the BackWeb Polite Agent Protocol allows an attacker to spoof a BackWeb server.

Status: Entry
Reference: ISS:19990118 Vulnerability in the BackWeb Polite Agent Protocol
Reference: URL:http://xforce.iss.net/alerts/advise17.php
Reference: XF:backweb-polite-agent-protocol

Description:
A race condition between the select() and accept() calls in NetBSD TCP servers allows remote attackers to cause a denial of service.

Status: Entry
Reference: NETBSD:1999-001
Reference: OPENBSD:Feb17,1999
Reference: XF:netbsd-tcp-race

Description:
wget 1.5.3 follows symlinks to change permissions of the target file instead of the symlink itself.

Status: Entry
Reference: BUGTRAQ:Feb2,1999
Reference: XF:wget-permissions
Reference: DEBIAN:19990220

Description:
A bug in Cyrix CPUs on Linux allows local users to perform a denial of service.

Status: Entry
Reference: BUGTRAQ:19990204 Cyrix bug: freeze in hell, badboy
Reference: URL:http://marc.theaimsgroup.com/?l=bugtraq&m=91821080015725&w=2
Reference: XF:cyrix-hang

Description:
Buffer overflow in the Mail-Max SMTP server for Windows systems allows remote command execution.

Status: Entry
Reference: BUGTRAQ:Feb14,1999
Reference: XF:mailmax-bo

Description:
A buffer overflow in lsof allows local users to obtain root privilege.

Status: Entry
Reference: HERT:002
Reference: BUGTRAQ:Feb18,1999
Reference: DEBIAN:19990220a
Reference: XF:lsof-bo
Reference: OSVDB:3163
Reference: URL:http://www.osvdb.org/3163

Description:
By default, IIS 4.0 has a virtual directory /IISADMPWD which contains files that can be used as proxies for brute force password attacks, or to identify valid users on the system.

Status: Entry
Reference: BUGTRAQ:19990209 ALERT: IIS4 allows proxied password attacks over NetBIOS
Reference: URL:http://marc.theaimsgroup.com/?l=bugtraq&m=91983486431506&w=2
Reference: BUGTRAQ:19990209 Re: IIS4 allows proxied password attacks over NetBIOS
Reference: URL:http://marc.theaimsgroup.com/?l=bugtraq&m=92000623021036&w=2
Reference: XF:iis-iisadmpwd

Description:
Files created from interactive shell sessions in Cobalt RaQ microservers (e.g. .bash_history) are world readable, and thus are accessible from the web server.

Status: Entry
Reference: BUGTRAQ:19990225 Cobalt root exploit
Reference: XF:cobalt-raq-history-exposure
Reference: BID:337
Reference: URL:http://www.securityfocus.com/bid/337

Description:
Buffer overflow in gnuplot in Linux version 3.5 allows local users to obtain root access.

Status: Entry
Reference: BUGTRAQ:19990304 Linux /usr/bin/gnuplot overflow
Reference: XF:gnuplot-home-overflow
Reference: BID:319
Reference: URL:http://www.securityfocus.com/bid/319

Description:
The cancel command in Solaris 2.6 (i386) has a buffer overflow that allows local users to obtain root access.

Status: Entry
Reference: BUGTRAQ:Mar5,1999
Reference: XF:sol-cancel
Reference: BID:293
Reference: URL:http://www.securityfocus.com/bid/293

Description:
In IIS and other web servers, an attacker can attack commands as SYSTEM if the server is running as SYSTEM and loading an ISAPI extension.

Status: Entry
Reference: BUGTRAQ:Feb19,1999
Reference: XF:iis-isapi-execute
Reference: BID:501
Reference: URL:http://www.securityfocus.com/bid/501

Description:
A buffer overflow in the SGI X server allows local users to gain root access through the X server font path.

Status: Entry
Reference: SGI:19990301-01-PX
Reference: URL:ftp://patches.sgi.com/support/free/security/advisories/19990301-01-PX
Reference: XF:irix-font-path-overflow

Description:
In Linux before version 2.0.36, remote attackers can spoof a TCP connection and pass data to the application layer before fully establishing the connection.

Status: Entry
Reference: NAI:Linux Blind TCP Spoofing
Reference: XF:linux-blind-spoof

Description:
The HTTP server in Cisco 7xx series routers 3.2 through 4.2 is enabled by default, which allows remote attackers to change the router's configuration.

Status: Entry
Reference: ISS:19990311 Remote Reconfiguration and Denial of Service Vulnerabilities in Cisco 700 ISDN Routers
Reference: CISCO:19990311 Cisco 7xx TCP and HTTP Vulnerabilities
Reference: URL:http://www.cisco.com/warp/public/770/7xxconn-pub.shtml
Reference: CIAC:J-034
Reference: URL:http://ciac.llnl.gov/ciac/bulletins/j-034.shtml
Reference: XF:cisco-router-commands
Reference: XF:cisco-web-config

Description:
Vulnerability in Cisco 7xx series routers allows a remote attacker to cause a system reload via a TCP connection to the router's TELNET port.

Status: Entry
Reference: ISS:19990311 Remote Reconfiguration and Denial of Service Vulnerabilities in Cisco 700 ISDN Routers
Reference: CISCO:19990311 Cisco 7xx TCP and HTTP Vulnerabilities
Reference: URL:http://www.cisco.com/warp/public/770/7xxconn-pub.shtml
Reference: CIAC:J-034
Reference: URL:http://ciac.llnl.gov/ciac/bulletins/j-034.shtml
Reference: XF:cisco-web-crash

Description:
64 bit Solaris 7 procfs allows local users to perform a denial of service.

Status: Entry
Reference: BUGTRAQ:Mar9,1999
Reference: XF:solaris-psinfo-crash
Reference: BID:448
Reference: URL:http://www.securityfocus.com/bid/448
Reference: OSVDB:1001
Reference: URL:http://www.osvdb.org/1001

Description:
umapfs allows local users to gain root privileges by changing their uid through a malicious mount_umap program.

Status: Entry
Reference: NETBSD:1999-006

Description:
During a reboot after an installation of Linux Slackware 3.6, a remote attacker can obtain root access by logging in to the root account without a password.

Status: Entry
Reference: ISS:Short-Term High-Risk Vulnerability During Slackware 3.6 Network Installations
Reference: XF:linux-slackware-install
Reference: BID:338
Reference: URL:http://www.securityfocus.com/bid/338
Reference: OSVDB:981
Reference: URL:http://www.osvdb.org/981

Description:
In some cases, NetBSD 1.3.3 mount allows local users to execute programs in some file systems that have the "noexec" flag set.

Status: Entry
Reference: NETBSD:1999-007

Description:
Vulnerability in hpterm on HP-UX 10.20 allows local users to gain additional privileges.

Status: Entry
Reference: HP:HPSBUX9903-093
Reference: URL:http://www1.itrc.hp.com/service/cki/docDisplay.do?docId=HPSBUX9903-093
Reference: XF:hp-hpterm-files

Description:
talkback in Netscape 4.5 allows a local user to overwrite arbitrary files of another user whose Netscape crashes.

Status: Entry
Reference: SUSE:Mar18,1999
Reference: XF:netscape-talkback-overwrite

Description:
talkback in Netscape 4.5 allows a local user to kill an arbitrary process of another user whose Netscape crashes.

Status: Entry
Reference: SUSE:Mar18,1999
Reference: XF:netscape-talkback-kill

Description:
OpenSSL and SSLeay allow remote attackers to reuse SSL sessions and bypass access controls.

Status: Entry
Reference: BUGTRAQ:19990322 OpenSSL/SSLeay Security Alert
Reference: XF:ssl-session-reuse
Reference: OSVDB:3936
Reference: URL:http://www.osvdb.org/3936

Description:
The Lotus Notes 4.5 client may send a copy of encrypted mail in the clear across the network if the user does not set the "Encrypt Saved Mail" preference.

Status: Entry
Reference: BUGTRAQ:19990323
Reference: URL:http://marc.theaimsgroup.com/?l=bugtraq&m=92221437025743&w=2
Reference: BUGTRAQ:19990324 Re: LNotes encryption
Reference: URL:http://marc.theaimsgroup.com/?l=bugtraq&m=92241547418689&w=2
Reference: BUGTRAQ:19990326 Lotus Notes Encryption Bug
Reference: URL:http://marc.theaimsgroup.com/?l=bugtraq&m=92246997917866&w=2
Reference: BUGTRAQ:19990326 Re: Lotus Notes security advisory
Reference: URL:http://marc.theaimsgroup.com/?l=bugtraq&m=92249282302994&w=2
Reference: XF:lotus-client-encryption

Description:
Cisco Catalyst LAN switches running Catalyst 5000 supervisor software allows remote attackers to perform a denial of service by forcing the supervisor module to reload.

Status: Entry
Reference: ISS:Remote Denial of Service Vulnerability in Cisco Catalyst Series Ethernet Switches
Reference: CISCO:Cisco Catalyst Supervisor Remote Reload
Reference: XF:cisco-catalyst-crash
Reference: OSVDB:1103
Reference: URL:http://www.osvdb.org/1103

Description:
ftp on HP-UX 11.00 allows local users to gain privileges.

Status: Entry
Reference: HP:HPSBUX9903-094
Reference: URL:http://www1.itrc.hp.com/service/cki/docDisplay.do?docId=HPSBUX9903-094
Reference: XF:hp-ftp

Description:
XFree86 startx command is vulnerable to a symlink attack, allowing local users to create files in restricted directories, possibly allowing them to gain privileges or cause a denial of service.

Status: Entry
Reference: SUSE:Mar28,1999
Reference: BUGTRAQ:19990321 X11R6 NetBSD Security Problem
Reference: XF:xfree86-temp-directories

Description:
Domain Enterprise Server Management System (DESMS) in HP-UX allows local users to gain privileges.

Status: Entry
Reference: HP:HPSBUX9903-095
Reference: URL:http://www1.itrc.hp.com/service/cki/docDisplay.do?docId=HPSBUX9903-095
Reference: XF:hp-desms-servers

Description:
Remote attackers can perform a denial of service in WebRamp systems by sending a malicious string to the HTTP port.

Status: Entry
Reference: ISS:WebRamp Denial of Service Attacks
Reference: XF:webramp-device-crash

Description:
Remote attackers can perform a denial of service in WebRamp systems by sending a malicious UDP packet to port 5353, changing its IP address.

Status: Entry
Reference: ISS:WebRamp Denial of Service Attacks
Reference: XF:webramp-ipchange

Description:
Buffer overflow in procmail before version 3.12 allows remote or local attackers to execute commands via expansions in the procmailrc configuration file.

Status: Entry
Reference: BUGTRAQ:19990405 Re: [SECURITY] new version of procmail with security fixes
Reference: DEBIAN:19990422
Reference: CALDERA:CSSA-1999:007
Reference: XF:procmail-overflow

Description:
The byte code verifier component of the Java Virtual Machine (JVM) allows remote execution through malicious web pages.

Status: Entry
Reference: BUGTRAQ:19990405 Security Hole in Java 2 (and JDK 1.1.x)
Reference: URL:http://marc.theaimsgroup.com/?l=bugtraq&m=92333596624452&w=2
Reference: CONFIRM:http://java.sun.com/pr/1999/03/pr990329-01.html
Reference: BID:1939
Reference: URL:http://www.securityfocus.com/bid/1939
Reference: XF:java-unverified-code

Description:
Remote attackers can perform a denial of service in WinGate machines using a buffer overflow in the Winsock Redirector Service.

Status: Entry
Reference: EEYE:AD02221999
Reference: URL:http://www.eeye.com/html/Research/Advisories/AD02221999.html
Reference: XF:wingate-redirector-dos
Reference: BID:509
Reference: URL:http://www.securityfocus.com/bid/509

Description:
Solaris ff.core allows local users to modify files.

Status: Entry
Reference: BUGTRAQ:19990107 really silly ff.core exploit for Solaris
Reference: BUGTRAQ:19990108 ff.core exploit on Solaris (2.)7
Reference: BUGTRAQ:19990408 Solaris7 and ff.core
Reference: BID:327
Reference: URL:http://www.securityfocus.com/bid/327

Description:
In Cisco routers under some versions of IOS 12.0 running NAT, some packets may not be filtered by input access list filters.

Status: Entry
Reference: CISCO:Cisco IOS(R) Software Input Access List Leakage with NAT
Reference: XF:cisco-natacl-leakage
Reference: OSVDB:1104
Reference: URL:http://www.osvdb.org/1104

Description:
Local users can perform a denial of service in NetBSD 1.3.3 and earlier versions by creating an unusual symbolic link with the ln command, triggering a bug in VFS.

Status: Entry
Reference: NETBSD:1999-008
Reference: XF:netbsd-vfslocking-panic
Reference: OSVDB:7051
Reference: URL:http://www.osvdb.org/7051

Description:
Local users can gain privileges using the debug utility in the MPE/iX operating system.

Status: Entry
Reference: HP:HPSBMP9904-006
Reference: URL:http://www1.itrc.hp.com/service/cki/docDisplay.do?docId=HPSBMP9904-006
Reference: XF:mpeix-debug

Description:
IIS 4.0 and Apache log HTTP request methods, regardless of how long they are, allowing a remote attacker to hide the URL they really request.

Status: Entry
Reference: BUGTRAQ:19990121 IIS 4 Request Logging Security Advisory
Reference: XF:iis-http-request-logging

Description:
The ExAir sample site in IIS 4 allows remote attackers to cause a denial of service (CPU consumption) via a direct request to the (1) advsearch.asp, (2) query.asp, or (3) search.asp scripts.

Status: Entry
Reference: BUGTRAQ:19990126 IIS 4 Advisory - ExAir sample site DoS
Reference: NTBUGTRAQ:19990126 IIS 4 Advisory - ExAir sample site DoS
Reference: BUGTRAQ:19990125 Re: [NTSEC] IIS 4 Advisory - ExAir sample site DoS
Reference: BID:193
Reference: URL:http://www.securityfocus.com/bid/193
Reference: OSVDB:2
Reference: URL:http://www.osvdb.org/2
Reference: OSVDB:3
Reference: URL:http://www.osvdb.org/3
Reference: OSVDB:4
Reference: URL:http://www.osvdb.org/4
Reference: XF:iis-exair-dos

Description:
Linux ftpwatch program allows local users to gain root privileges.

Status: Entry
Reference: BUGTRAQ:Jan17,1999
Reference: DEBIAN:19990117
Reference: XF:ftpwatch-vuln
Reference: BID:317
Reference: URL:http://www.securityfocus.com/bid/317

Description:
L0phtcrack 2.5 used temporary files in the system TEMP directory which could contain password information.

Status: Entry
Reference: BUGTRAQ:Jan6,1999
Reference: XF:l0phtcrack-temp-files
Reference: OSVDB:915
Reference: URL:http://www.osvdb.org/915

Description:
Remote attackers can perform a denial of service using IRIX fcagent.

Status: Entry
Reference: SGI:19981201-01-PX
Reference: URL:ftp://patches.sgi.com/support/free/security/advisories/19981201-01-PX
Reference: XF:sgi-fcagent-dos

Description:
Local users can perform a denial of service in Tripwire 1.2 and earlier using long filenames.

Status: Entry
Reference: BUGTRAQ:19990104 Tripwire mess..
Reference: URL:http://marc.theaimsgroup.com/?l=bugtraq&m=91553066310826&w=2
Reference: CONFIRM:http://marc.theaimsgroup.com/?l=bugtraq&m=91592136122066&w=2
Reference: OSVDB:6609
Reference: URL:http://www.osvdb.org/6609

Description:
The SVR4 /dev/wabi special device file in NetBSD 1.3.3 and earlier allows a local user to read or write arbitrary files on the disk associated with that device.

Status: Entry
Reference: NETBSD:1999-009
Reference: OSVDB:905
Reference: URL:http://www.osvdb.org/905

Description:
Internet Explorer 5.0 allows a remote server to read arbitrary files on the client's file system using the Microsoft Scriptlet Component.

Status: Entry
Reference: MS:MS99-012
Reference: URL:http://www.microsoft.com/technet/security/bulletin/ms99-012.asp
Reference: XF:ie-scriplet-fileread
Reference: BUGTRAQ:Apr9,1999

Description:
A weak encryption algorithm is used for passwords in Novell Remote.NLM, allowing them to be easily decrypted.

Status: Entry
Reference: BUGTRAQ:19990409 New Novell Remote.NLM Password Decryption Algorithm with Exploit
Reference: BID:482
Reference: URL:http://www.securityfocus.com/bid/482
Reference: XF:netware-remotenlm-passwords

Description:
The remote proxy server in Winroute allows a remote attacker to reconfigure the proxy without authentication through the "cancel" button.

Status: Entry
Reference: XF:winroute-config
Reference: BUGTRAQ:Apr9,1999

Description:
The SNMP default community name "public" is not properly removed in NetApps C630 Netcache, even if the administrator tries to disable it.

Status: Entry
Reference: XF:netcache-snmp
Reference: BUGTRAQ:Apr7,1999

Description:
The rsync command before rsync 2.3.1 may inadvertently change the permissions of the client's working directory to the permissions of the directory being transferred.

Status: Entry
Reference: BUGTRAQ:19990407 rsync 2.3.1 release - security fix
Reference: CALDERA:CSSA-1999:010.0
Reference: DEBIAN:19990823
Reference: BID:145
Reference: URL:http://www.securityfocus.com/bid/145
Reference: XF:rsync-permissions

Description:
The ICQ Webserver allows remote attackers to use .. to access arbitrary files outside of the user's personal directory.

Status: Entry
Reference: XF:icq-webserver-read
Reference: BUGTRAQ:Apr5,1999

Description:
A race condition in how procmail handles .procmailrc files allows a local user to read arbitrary files available to the user who is running procmail.

Status: Entry
Reference: XF:procmail-race
Reference: BUGTRAQ:Apr5,1999

Description:
Denial of service in HP-UX sendmail 8.8.6 related to accepting connections.

Status: Entry
Reference: HP:HPSBUX9904-097
Reference: URL:http://www1.itrc.hp.com/service/cki/docDisplay.do?docId=HPSBUX9904-097
Reference: XF:sendmail-headers-dos

Description:
Denial of service Netscape Enterprise Server with VirtualVault on HP-UX VVOS systems.

Status: Entry
Reference: HP:HPSBUX9903-092
Reference: URL:http://www1.itrc.hp.com/service/cki/docDisplay.do?docId=HPSBUX9903-092
Reference: XF:netscape-server-dos

Description:
Denial of service in "poll" in OpenBSD.

Status: Entry
Reference: OPENBSD:Mar22,1999
Reference: OSVDB:7556
Reference: URL:http://www.osvdb.org/7556

Description:
OpenBSD kernel crash through TSS handling, as caused by the crashme program.

Status: Entry
Reference: OPENBSD:Mar21,1999
Reference: OSVDB:7557
Reference: URL:http://www.osvdb.org/7557

Description:
OpenBSD crash using nlink value in FFS and EXT2FS filesystems.

Status: Entry
Reference: OPENBSD:Feb25,1999
Reference: OSVDB:6129
Reference: URL:http://www.osvdb.org/6129

Description:
Buffer overflow in OpenBSD ping.

Status: Entry
Reference: OPENBSD:Feb23,1999
Reference: OSVDB:6130
Reference: URL:http://www.osvdb.org/6130

Description:
Remote attackers can cause a system crash through ipintr() in ipq in OpenBSD.

Status: Entry
Reference: OPENBSD:Feb19,1999
Reference: XF:openbsd-ipintr-race
Reference: OSVDB:7558
Reference: URL:http://www.osvdb.org/7558

Description:
The DHTML Edit ActiveX control in Internet Explorer allows remote attackers to read arbitrary files.

Status: Entry
Reference: MS:MS99-011
Reference: URL:http://www.microsoft.com/technet/security/bulletin/ms99-011.mspx
Reference: XF:ie-dhtml-control

Description:
The prompt parsing in bash allows a local user to execute commands as another user by creating a directory with the name of the command to execute.

Status: Entry
Reference: BUGTRAQ:19990420 Bash Bug
Reference: URL:http://www.securityfocus.com/templates/archive.pike?list=1&msg=Pine.LNX.4.10.9904202114070.6623-100000@smooth.Operator.org
Reference: CALDERA:CSSA-1999-008.0
Reference: URL:ftp://ftp.calderasystems.com/pub/OpenLinux/security/CSSA-1999-008.0.txt
Reference: BID:119
Reference: URL:http://www.securityfocus.com/bid/119

Description:
rpc.statd allows remote attackers to forward RPC calls to the local operating system via the SM_MON and SM_NOTIFY commands, which in turn could be used to remotely exploit other bugs such as in automountd.

Status: Entry
Reference: CERT:CA-99-05
Reference: URL:http://www.cert.org/advisories/CA-99-05-statd-automountd.html
Reference: SUN:00186
Reference: URL:http://sunsolve.sun.com/pub-cgi/retrieve.pl?doctype=coll&doc=secbull/186&type=0&nav=sec.sba
Reference: CIAC:J-045
Reference: URL:http://www.ciac.org/ciac/bulletins/j-045.shtml
Reference: BUGTRAQ:19990103 SUN almost has a clue! (automountd)
Reference: URL:http://marc.theaimsgroup.com/?l=bugtraq&m=91547759121289&w=2
Reference: BID:450
Reference: URL:http://www.securityfocus.com/bid/450

Description:
Denial of service in WinGate proxy through a buffer overflow in POP3.

Status: Entry
Reference: XF:wingate-pop3-user-bo

Description:
A Windows NT 4.0 user can gain administrative rights by forcing NtOpenProcessToken to succeed regardless of the user's permissions, aka GetAdmin.

Status: Entry
Reference: MSKB:Q146965
Reference: URL:http://support.microsoft.com/default.aspx?scid=kb;[LN];Q146965
Reference: XF:nt-getadmin
Reference: XF:nt-getadmin-present

Description:
ICMP messages to broadcast addresses are allowed, allowing for a Smurf attack that can cause a denial of service.

Status: Entry
Reference: CERT:CA-98.01.smurf
Reference: FREEBSD:FreeBSD-SA-98:06
Reference: XF:smurf

Description:
UDP messages to broadcast addresses are allowed, allowing for a Fraggle attack that can cause a denial of service by flooding the target.

Status: Entry
Reference: XF:fraggle

Description:
An X server's access control is disabled (e.g. through an "xhost +" command) and allows anyone to connect to the server.

Status: Entry
Reference: XF:xcheck-keystroke
Reference: CERT-VN:VU#704969
Reference: URL:http://www.kb.cert.org/vuls/id/704969

Description:
HP OpenMail can be misconfigured to allow users to run arbitrary commands using malicious print requests.

Status: Entry
Reference: HP:HPSBUX9804-078
Reference: URL:http://www1.itrc.hp.com/service/cki/docDisplay.do?docId=HPSBUX9804-078
Reference: XF:hp-openmail

Description:
An attacker can write to syslog files from any location, causing a denial of service by filling up the logs, and hiding activities.

Status: Entry
Reference: XF:ibm-syslogd
Reference: XF:syslog-flood

Description:
An incorrect configuration of the PDG Shopping Cart CGI program "shopper.cgi" could disclose private information.

Status: Entry
Reference: BUGTRAQ:19990420 Shopping Carts exposing CC data
Reference: URL:http://marc.theaimsgroup.com/?l=bugtraq&m=92462991805485&w=2
Reference: CONFIRM:http://www.pdgsoft.com/Security/security.html.
Reference: XF:pdgsoftcart-misconfig(3857)
Reference: URL:http://xforce.iss.net/xforce/xfdb/3857

Description:
A version of finger is running that exposes valid user information to any entity on the network.

Status: Entry
Reference: XF:finger-out
Reference: XF:finger-running

Description:
A version of rusers is running that exposes valid user information to any entity on the network.

Status: Entry
Reference: XF:rusersd
Reference: XF:ruser

Description:
The rexd service is running, which uses weak authentication that can allow an attacker to execute commands.

Status: Entry
Reference: XF:rexd

Description:
The rwho/rwhod service is running, which exposes machine status and user information.

Status: Entry
Reference: XF:rwhod

Description:
The scriptlet.typelib ActiveX control is marked as "safe for scripting" for Internet Explorer, which allows a remote attacker to execute arbitrary commands as demonstrated by Bubbleboy.

Status: Entry
Reference: BUGTRAQ:19990821 IE 5.0 allows executing programs
Reference: MS:MS99-032
Reference: URL:http://www.microsoft.com/technet/security/bulletin/ms99-032.asp
Reference: CIAC:J-064
Reference: URL:http://ciac.llnl.gov/ciac/bulletins/j-064.shtml
Reference: BID:598
Reference: URL:http://www.securityfocus.com/bid/598
Reference: XF:ms-scriptlet-eyedog-unsafe
Reference: MSKB:Q240308
Reference: URL:http://support.microsoft.com/default.aspx?scid=kb;[LN];Q240308

Description:
Buffer overflow in ToxSoft NextFTP client through CWD command.

Status: Entry
Reference: BID:572
Reference: URL:http://www.securityfocus.com/bid/572
Reference: XF:toxsoft-nextftp-cwd-bo

Description:
Buffer overflow in Fujitsu Chocoa IRC client via IRC channel topics.

Status: Entry
Reference: XF:fujitsu-topic-bo
Reference: BID:573
Reference: URL:http://www.securityfocus.com/bid/573

Description:
The BSD profil system call allows a local user to modify the internal data space of a program via profiling and execve.

Status: Entry
Reference: NETBSD:1999-011
Reference: OPENBSD:Aug 9,1999
Reference: FREEBSD:FreeBSD-SA-99:02
Reference: BUGTRAQ:19990809 profil(2) bug, a simple test program
Reference: BID:570
Reference: URL:http://www.securityfocus.com/bid/570
Reference: CIAC:J-067
Reference: URL:http://www.ciac.org/ciac/bulletins/j-067.shtml
Reference: XF:netbsd-profil

Description:
Check Point FireWall-1 can be subjected to a denial of service via UDP packets that are sent through VPN-1 to port 0 of a host.

Status: Entry
Reference: BUGTRAQ:19990809 FW1 UDP Port 0 DoS
Reference: URL:http://www.securityfocus.com/archive/1/23615
Reference: BID:576
Reference: URL:http://www.securityfocus.com/bid/576
Reference: XF:checkpoint-port
Reference: OSVDB:1038
Reference: URL:http://www.osvdb.org/1038

Description:
sdtcm_convert in Solaris 2.6 allows a local user to overwrite sensitive files via a symlink attack.

Status: Entry
Reference: BUGTRAQ:19990808 sdtcm_convert
Reference: URL:http://www.securityfocus.com/templates/archive.pike?list=1&msg=19990809134220.A1191@hades.chaoz.org
Reference: XF:sun-sdtcm-convert
Reference: BID:575
Reference: URL:http://www.securityfocus.com/bid/575

Description:
A default configuration of Apache on Debian GNU/Linux sets the ServerRoot to /usr/doc, which allows remote users to read documentation files for the entire server.

Status: Entry
Reference: XF:apache-debian-usrdoc
Reference: BUGTRAQ:19990405 An issue with Apache on Debian
Reference: BID:318
Reference: URL:http://www.securityfocus.com/bid/318

Description:
Buffer overflow in hybrid-6 IRC server commonly used on EFnet allows remote attackers to execute commands via m_invite invite option.

Status: Entry
Reference: BUGTRAQ:19990813 w00w00's efnet ircd advisory (exploit included)
Reference: CONFIRM:http://www.efnet.org/archive/servers/hybrid/ChangeLog
Reference: BID:581
Reference: URL:http://www.securityfocus.com/bid/581
Reference: XF:hybrid-ircd-minvite-bo

Description:
Windows NT Terminal Server performs extra work when a client opens a new connection but before it is authenticated, allowing for a denial of service.

Status: Entry
Reference: MS:MS99-028
Reference: URL:http://www.microsoft.com/technet/security/bulletin/ms99-028.mspx
Reference: MSKB:Q238600
Reference: URL:http://support.microsoft.com/default.aspx?scid=kb;[LN];Q238600
Reference: CIAC:J-057
Reference: URL:http://www.ciac.org/ciac/bulletins/j-057.shtml
Reference: BID:571
Reference: URL:http://www.securityfocus.com/bid/571
Reference: XF:nt-terminal-dos

Description:
Buffer overflow in Microsoft FrontPage Server Extensions (PWS) 3.0.2.926 on Windows 95, and possibly other versions, allows remote attackers to cause a denial of service via a long URL.

Status: Entry
Reference: BUGTRAQ:19990807 Crash FrontPage Remotely...
Reference: URL:http://archives.neohapsis.com/archives/bugtraq/1999-q3/0381.html
Reference: XF:frontpage-pws-dos
Reference: URL:http://xforce.iss.net/static/3117.php
Reference: BID:568
Reference: URL:http://www.securityfocus.com/bid/568

Description:
Microsoft Exchange 5.5 allows a remote attacker to relay email (i.e. spam) using encapsulated SMTP addresses, even if the anti-relaying features are enabled.

Status: Entry
Reference: MS:MS99-027
Reference: URL:http://www.microsoft.com/technet/security/bulletin/ms99-027.mspx
Reference: MSKB:Q237927
Reference: URL:http://support.microsoft.com/default.aspx?scid=kb;[LN];Q237927
Reference: BID:567
Reference: URL:http://www.securityfocus.com/bid/567
Reference: CIAC:J-056
Reference: URL:http://www.ciac.org/ciac/bulletins/j-056.shtml
Reference: XF:exchange-relay

Description:
Denial of service in Gauntlet Firewall via a malformed ICMP packet.

Status: Entry
Reference: XF:gauntlet-dos
Reference: BUGTRAQ:19990729 Remotely Lock Up Gauntlet 5.0
Reference: BID:556
Reference: URL:http://www.securityfocus.com/bid/556
Reference: OSVDB:1029
Reference: URL:http://www.osvdb.org/1029

Description:
Buffer overflow in Netscape Communicator via EMBED tags in the pluginspage option.

Status: Entry
Reference: BUGTRAQ:19991209 Netscape communicator 4.06J, 4.5J-4.6J, 4.61e Buffer Overflow
Reference: BID:618
Reference: URL:http://www.securityfocus.com/bid/618

Description:
Denial of service in Netscape Enterprise Server (NES) in HP Virtual Vault (VVOS) via a long URL.

Status: Entry
Reference: BUGTRAQ:19990514 TGAD DoS
Reference: BUGTRAQ:19990610 Re: VVOS/Netscape Bug
Reference: HP:HPSBUX9906-098
Reference: URL:http://www1.itrc.hp.com/service/cki/docDisplay.do?docId=HPSBUX9906-098
Reference: CIAC:J-046
Reference: URL:http://www.ciac.org/ciac/bulletins/j-046.shtml
Reference: XF:hp-tgad-dos

Description:
The ToolTalk ttsession daemon uses weak RPC authentication, which allows a remote attacker to execute commands.

Status: Entry
Reference: BUGTRAQ:19990913 Vulnerability in ttsession
Reference: SUN:00192
Reference: URL:http://sunsolve.sun.com/pub-cgi/retrieve.pl?doctype=coll&doc=secbull/192
Reference: HP:HPSBUX9909-103
Reference: URL:http://www1.itrc.hp.com/service/cki/docDisplay.do?docId=HPSBUX9909-103
Reference: COMPAQ:SSRT0617U_TTSESSION
Reference: CIAC:K-001
Reference: URL:http://www.ciac.org/ciac/bulletins/k-001.shtml
Reference: CERT:CA-99-11
Reference: BID:637
Reference: URL:http://www.securityfocus.com/bid/637
Reference: XF:cde-ttsession-rpc-auth

Description:
Buffer overflows in HP Software Distributor (SD) for HPUX 10.x and 11.x.

Status: Entry
Reference: HP:HPSBUX9907-101
Reference: URL:http://www1.itrc.hp.com/service/cki/docDisplay.do?docId=HPSBUX9907-101
Reference: BID:545
Reference: URL:http://www.securityfocus.com/bid/545
Reference: XF:hp-sd-bo

Description:
The CDE dtspcd daemon allows local users to execute arbitrary commands via a symlink attack.

Status: Entry
Reference: BUGTRAQ:19990913 Vulnerability in dtspcd
Reference: SUN:00192
Reference: URL:http://sunsolve.sun.com/pub-cgi/retrieve.pl?doctype=coll&doc=secbull/192
Reference: HP:HPSBUX9909-103
Reference: URL:http://www1.itrc.hp.com/service/cki/docDisplay.do?docId=HPSBUX9909-103
Reference: CERT:CA-99-11
Reference: OVAL:oval:org.mitre.oval:def:1880
Reference: URL:http://oval.mitre.org/repository/data/getDef?id=oval:org.mitre.oval:def:1880
Reference: XF:cde-dtspcd-file-auth
Reference: BID:636
Reference: URL:http://www.securityfocus.com/bid/636

Description:
HP CDE program includes the current directory in root's PATH variable.

Status: Entry
Reference: HP:HPSBUX9907-100
Reference: URL:http://www1.itrc.hp.com/service/cki/docDisplay.do?docId=HPSBUX9907-100
Reference: CIAC:J-053
Reference: URL:http://www.ciac.org/ciac/bulletins/j-053.shtml
Reference: XF:hp-cde-directory

Description:
Buffer overflow in the AddSuLog function of the CDE dtaction utility allows local users to gain root privileges via a long user name.

Status: Entry
Reference: BUGTRAQ:19990913 Vulnerability in dtaction
Reference: SUN:00192
Reference: URL:http://sunsolve.sun.com/pub-cgi/retrieve.pl?doctype=coll&doc=secbull/192
Reference: HP:HPSBUX9909-103
Reference: URL:http://www1.itrc.hp.com/service/cki/docDisplay.do?docId=HPSBUX9909-103
Reference: COMPAQ:SSRTO615U_DTACTION
Reference: CERT:CA-99-11
Reference: BID:635
Reference: URL:http://www.securityfocus.com/bid/635
Reference: OVAL:oval:org.mitre.oval:def:3078
Reference: URL:http://oval.mitre.org/repository/data/getDef?id=oval:org.mitre.oval:def:3078
Reference: XF:cde-dtaction-username-bo

Description:
The default configuration of the Array Services daemon (arrayd) disables authentication, allowing remote users to gain root privileges.

Status: Entry
Reference: CERT:CA-99-09
Reference: CIAC:J-052
Reference: URL:http://www.ciac.org/ciac/bulletins/j-052.shtml
Reference: SGI:19990701-01-P
Reference: URL:ftp://patches.sgi.com/support/free/security/advisories/19990701-01-P
Reference: XF:sgi-arrayd

Description:
Buffer overflow in TT_SESSION environment variable in ToolTalk shared library allows local users to gain root privileges.

Status: Entry
Reference: CERT:CA-99-11
Reference: SUN:00192
Reference: URL:http://sunsolve.sun.com/pub-cgi/retrieve.pl?doctype=coll&doc=secbull/192
Reference: HP:HPSBUX9909-103
Reference: URL:http://www1.itrc.hp.com/service/cki/docDisplay.do?docId=HPSBUX9909-103
Reference: BID:641
Reference: URL:http://www.securityfocus.com/bid/641
Reference: OVAL:oval:org.mitre.oval:def:4374
Reference: URL:http://oval.mitre.org/repository/data/getDef?id=oval:org.mitre.oval:def:4374
Reference: XF:cde-dtsession-env-bo

Description:
Denial of service in AIX ptrace system call allows local users to crash the system.

Status: Entry
Reference: CIAC:J-055
Reference: URL:http://www.ciac.org/ciac/bulletins/j-055.shtml
Reference: IBM:ERS-SVA-E01-1999:002.1
Reference: XF:aix-ptrace-halt

Description:
The Sybase PowerDynamo personal web server allows attackers to read arbitrary files through a .. (dot dot) attack.

Status: Entry
Reference: BUGTRAQ:19990904 [Sybase] software vendors do not think about old bugs
Reference: XF:http-powerdynamo-dotdotslash
Reference: BID:620
Reference: URL:http://www.securityfocus.com/bid/620
Reference: OSVDB:1064
Reference: URL:http://www.osvdb.org/1064

Description:
Buffer overflow in CDE Calendar Manager Service Daemon (rpc.cmsd).

Status: Entry
Reference: BUGTRAQ:19990709 Exploit of rpc.cmsd
Reference: SCO:SB-99.12
Reference: SUN:00188
Reference: URL:http://sunsolve.sun.com/pub-cgi/retrieve.pl?doctype=coll&doc=secbull/188
Reference: SUNBUG:4230754
Reference: HP:HPSBUX9908-102
Reference: URL:http://www1.itrc.hp.com/service/cki/docDisplay.do?docId=HPSBUX9908-102
Reference: COMPAQ:SSRT0614U_RPC_CMSD
Reference: CERT:CA-99-08
Reference: CIAC:J-051
Reference: URL:http://www.ciac.org/ciac/bulletins/j-051.shtml
Reference: XF:sun-cmsd-bo

Description:
SCO Doctor allows local users to gain root privileges through a Tools option.

Status: Entry
Reference: BUGTRAQ:19990908 SCO 5.0.5 /bin/doctor nightmare
Reference: BID:621
Reference: URL:http://www.securityfocus.com/bid/621
Reference: XF:sco-doctor-execute

Description:
The Bluestone Sapphire web server allows session hijacking via easily guessable session IDs.

Status: Entry
Reference: BUGTRAQ:19990908 [Security] Spoofed Id in Bluestone Sapphire/Web
Reference: BID:623
Reference: URL:http://www.securityfocus.com/bid/623

Description:
Buffer overflow in Microsoft Phone Dialer (dialer.exe), via a malformed dialer entry in the dialer.ini file.

Status: Entry
Reference: MSKB:Q237185
Reference: URL:http://support.microsoft.com/default.aspx?scid=kb;[LN];Q237185
Reference: MS:MS99-026
Reference: URL:http://www.microsoft.com/technet/security/bulletin/ms99-026.mspx
Reference: XF:nt-malformed-dialer

Description:
After an unattended installation of Windows NT 4.0, an installation file could include sensitive information such as the local Administrator password.

Status: Entry
Reference: MS:MS99-036
Reference: URL:http://www.microsoft.com/technet/security/bulletin/ms99-036.mspx
Reference: MSKB:Q173039
Reference: URL:http://support.microsoft.com/default.aspx?scid=kb;[LN];Q173039
Reference: BID:626
Reference: URL:http://www.securityfocus.com/bid/626
Reference: XF:nt-install-unattend-file

Description:
Internet Explorer 5.0 and 5.01 allows remote attackers to modify or execute files via the Import/Export Favorites feature, aka the "ImportExportFavorites" vulnerability.

Status: Entry
Reference: BUGTRAQ:19990909 IE 5.0 security vulnerabilities - ImportExportFavorites - at least creating and overwriting files, probably executing programs
Reference: MS:MS99-037
Reference: URL:http://www.microsoft.com/technet/security/bulletin/ms99-037.mspx
Reference: MSKB:Q241361
Reference: URL:http://support.microsoft.com/default.aspx?scid=kb;[LN];Q241361
Reference: XF:ie5-import-export-favorites
Reference: BID:627
Reference: URL:http://www.securityfocus.com/bid/627

Description:
OpenBSD, BSDI, and other Unix operating systems allow users to set chflags and fchflags on character and block devices.

Status: Entry
Reference: BUGTRAQ:19990805 4.4 BSD issue -- chflags
Reference: OPENBSD:Jul30,1999
Reference: FREEBSD:FreeBSD-SA-99:01
Reference: CIAC:J-066
Reference: URL:http://www.ciac.org/ciac/bulletins/j-066.shtml
Reference: XF:openbsd-chflags-fchflags-permitted

Description:
Buffer overflow in Berkeley automounter daemon (amd) logging facility provided in the Linux am-utils package and others.

Status: Entry
Reference: REDHAT:RHSA-1999:032-01
Reference: CALDERA:CSSA-1999:024.0
Reference: FREEBSD:SA-99:06
Reference: DEBIAN:19991018
Reference: BID:614
Reference: URL:http://www.securityfocus.com/bid/614
Reference: CERT:CA-99-12
Reference: XF:amd-bo

Description:
Buffer overflow in INN inews program.

Status: Entry
Reference: XF:inn-inews-bo
Reference: REDHAT:RHSA1999033_01
Reference: CALDERA:CSSA-1999-026
Reference: SUSE:19990831 Security hole in INN
Reference: DEBIAN:19990907
Reference: BID:616
Reference: URL:http://www.securityfocus.com/bid/616

Description:
Linux xmonisdn package allows local users to gain root privileges by modifying the IFS or PATH environmental variables.

Status: Entry
Reference: DEBIAN:19990807
Reference: SUSE:19990817 Security hole in i4l (xmonisdn)
Reference: BID:583
Reference: URL:http://www.securityfocus.com/bid/583

Description:
The default FTP configuration in HP Visualize Conference allows conference users to send a file to other participants without authorization.

Status: Entry
Reference: HP:HPSBUX9906-099
Reference: URL:http://www1.itrc.hp.com/service/cki/docDisplay.do?docId=HPSBUX9906-099
Reference: CIAC:J-050
Reference: URL:http://www.ciac.org/ciac/bulletins/j-050.shtml
Reference: BID:493
Reference: URL:http://www.securityfocus.com/bid/493
Reference: XF:hp-visualize-conference-ftp

Description:
Buffer overflow in cfingerd allows local users to gain root privileges via a long GECOS field.

Status: Entry
Reference: BUGTRAQ:19990921 BP9909-00: cfingerd local buffer overflow
Reference: BID:651
Reference: URL:http://www.securityfocus.com/bid/651

Description:
The Squid package in Red Hat Linux 5.2 and 6.0, and other distributions, installs cachemgr.cgi in a public web directory, which allows remote attackers to use it as an intermediary to connect to other systems.

Status: Entry
Reference: BUGTRAQ:19990725 Redhat 6.0 cachemgr.cgi lameness
Reference: CONFIRM:http://www.redhat.com/support/errata/archives/rh52-errata-general.html#squid
Reference: DEBIAN:DSA-576
Reference: URL:http://www.debian.org/security/2004/dsa-576
Reference: FEDORA:FEDORA-2005-373
Reference: URL:http://www.redhat.com/archives/fedora-announce-list/2005-May/msg00025.html
Reference: FEDORA:FLSA-2006:152809
Reference: URL:http://fedoranews.org/updates/FEDORA--.shtml
Reference: REDHAT:RHSA-1999:025
Reference: URL:http://www.redhat.com/support/errata/RHSA-1999-025.html
Reference: REDHAT:RHSA-2005:489
Reference: URL:http://www.redhat.com/support/errata/RHSA-2005-489.html
Reference: BID:2059
Reference: URL:http://www.securityfocus.com/bid/2059
Reference: XF:http-cgi-cachemgr(2385)
Reference: URL:http://xforce.iss.net/xforce/xfdb/2385

Description:
The oratclsh interpreter in Oracle 8.x Intelligent Agent for Unix allows local users to execute Tcl commands as root.

Status: Entry
Reference: BUGTRAQ:19990430 *Huge* security hole in Oracle 8.0.5 with Intellegent agent installed
Reference: URL:http://marc.theaimsgroup.com/?t=92550157100002&w=2&r=1
Reference: BUGTRAQ:19990506 Oracle Security Followup, patch and FAQ: setuid on oratclsh
Reference: URL:http://marc.theaimsgroup.com/?l=bugtraq&m=92609807906778&w=2
Reference: XF:oracle-oratclsh

Description:
The dtlogin program in Compaq Tru64 UNIX allows local users to gain root privileges.

Status: Entry
Reference: BUGTRAQ:19990404 Digital Unix 4.0E /var permission
Reference: CIAC:J-044
Reference: URL:http://www.ciac.org/ciac/bulletins/j-044.shtml
Reference: XF:cde-dtlogin
Reference: COMPAQ:SSRT0600U

Description:
Vulnerability in Compaq Tru64 UNIX edauth command.

Status: Entry
Reference: COMPAQ:SSRT0588U
Reference: XF:du-edauth

Description:
Buffer overflow in Remote Access Service (RAS) client allows an attacker to execute commands or cause a denial of service via a malformed phonebook entry.

Status: Entry
Reference: BUGTRAQ:19990519 Buffer Overruns in RAS allows execution of arbitary code as system
Reference: MS:MS99-016
Reference: URL:http://www.microsoft.com/technet/security/bulletin/ms99-016.mspx
Reference: MSKB:Q230677
Reference: URL:http://support.microsoft.com/default.aspx?scid=kb;[LN];Q230677
Reference: XF:nt-ras-bo

Description:
Buffer overflow in Windows NT 4.0 help file utility via a malformed help file.

Status: Entry
Reference: XF:nt-helpfile-bo
Reference: MSKB:Q231605
Reference: URL:http://support.microsoft.com/default.aspx?scid=kb;[LN];Q231605
Reference: MS:MS99-015
Reference: URL:http://www.microsoft.com/technet/security/bulletin/ms99-015.asp

Description:
A remote attacker can disable the virus warning mechanism in Microsoft Excel 97.

Status: Entry
Reference: MS:MS99-014
Reference: URL:http://www.microsoft.com/technet/security/bulletin/ms99-014.mspx
Reference: MSKB:Q231304
Reference: URL:http://support.microsoft.com/default.aspx?scid=kb;[LN];Q231304
Reference: XF:excel-virus-warning

Description:
IBM GINA, when used for OS/2 domain authentication of Windows NT users, allows local users to gain administrator privileges by changing the GroupMapping registry key.

Status: Entry
Reference: NTBUGTRAQ:19990823 IBM Gina security warning
Reference: URL:http://www.ntbugtraq.com/default.asp?pid=36&sid=1&A2=ind9908&L=ntbugtraq&F=&S=&P=5534
Reference: BID:608
Reference: URL:http://www.securityfocus.com/bid/608
Reference: XF:ibm-gina-group-add
Reference: URL:http://xforce.iss.net/static/3166.php

Description:
The Guile plugin for the Gnumeric spreadsheet package allows attackers to execute arbitrary code.

Status: Entry
Reference: BUGTRAQ:19990802 Gnumeric potential security hole.
Reference: REDHAT:RHSA-1999:023-01
Reference: XF:gnu-guile-plugin-export
Reference: BID:563
Reference: URL:http://www.securityfocus.com/bid/563

Description:
The pt_chown command in Linux allows local users to modify TTY terminal devices that belong to other users.

Status: Entry
Reference: BUGTRAQ:19990823 [Linux] glibc 2.1.x / wu-ftpd <=2.5 / BeroFTPD / lynx / vlock / mc / glibc 2.0.x
Reference: URL:http://www.securityfocus.com/templates/archive.pike?list=1&msg=lcamtuf.4.05.9907041223290.355-300000@nimue.ids.pl
Reference: BID:597
Reference: URL:http://www.securityfocus.com/bid/597
Reference: XF:linux-pt-chown

Description:
Denial of service in Windows NT Local Security Authority (LSA) through a malformed LSA request.

Status: Entry
Reference: BINDVIEW:Phantom Technical Advisory
Reference: MSKB:Q231457
Reference: URL:http://support.microsoft.com/default.aspx?scid=kb;[LN];Q231457
Reference: MS:MS99-020
Reference: URL:http://www.microsoft.com/technet/security/bulletin/ms99-020.mspx
Reference: CIAC:J-049
Reference: URL:http://www.ciac.org/ciac/bulletins/j-049.shtml
Reference: XF:msrpc-lsa-lookupnames-dos

Description:
The default configuration of Cobalt RaQ2 servers allows remote users to install arbitrary software packages.

Status: Entry
Reference: CERT:CA-99-10
Reference: BID:558
Reference: URL:http://www.securityfocus.com/bid/558
Reference: XF:cobalt-raq2-default-config

Description:
The Windows NT Client Server Runtime Subsystem (CSRSS) can be subjected to a denial of service when all worker threads are waiting for user input.

Status: Entry
Reference: NTBUGTRAQ:19990411 Death by MessageBox
Reference: MS:MS99-021
Reference: URL:http://www.microsoft.com/technet/security/bulletin/ms99-021.mspx
Reference: MSKB:Q233323
Reference: URL:http://support.microsoft.com/default.aspx?scid=kb;[LN];Q233323
Reference: CIAC:J-049
Reference: URL:http://www.ciac.org/ciac/bulletins/j-049.shtml
Reference: BID:478
Reference: URL:http://www.securityfocus.com/bid/478
Reference: XF:nt-csrss-dos

Description:
Buffer overflow in OpenBSD procfs and fdescfs file systems via uio_offset in the readdir() function.

Status: Entry
Reference: OPENBSD:Aug12,1999
Reference: XF:openbsd-uio_offset-bo
Reference: OSVDB:6128
Reference: URL:http://www.osvdb.org/6128

Description:
When IIS is run with a default language of Chinese, Korean, or Japanese, it allows a remote attacker to view the source code of certain files, a.k.a. "Double Byte Code Page".

Status: Entry
Reference: MSKB:Q233335
Reference: URL:http://support.microsoft.com/default.aspx?scid=kb;[LN];Q233335
Reference: MS:MS99-022
Reference: URL:http://www.microsoft.com/technet/security/bulletin/ms99-022.mspx
Reference: BID:477
Reference: URL:http://www.securityfocus.com/bid/477
Reference: XF:iis-double-byte-code-page(2302)
Reference: URL:http://xforce.iss.net/xforce/xfdb/2302

Description:
An attacker can conduct a denial of service in Windows NT by executing a program with a malformed file image header.

Status: Entry
Reference: MS:MS99-023
Reference: URL:http://www.microsoft.com/technet/security/bulletin/ms99-023.mspx
Reference: MSKB:Q234557
Reference: URL:http://support.microsoft.com/default.aspx?scid=kb;[LN];Q234557
Reference: BID:499
Reference: URL:http://www.securityfocus.com/bid/499
Reference: XF:nt-malformed-image-header

Description:
A kernel leak in the OpenBSD kernel allows IPsec packets to be sent unencrypted.

Status: Entry
Reference: OPENBSD:19990608 Packets that should have been handled by IPsec may be transmitted as cleartext
Reference: XF:openbsd-ipsec-cleartext
Reference: OSVDB:6127
Reference: URL:http://www.osvdb.org/6127

Description:
A Windows NT user can disable the keyboard or mouse by directly calling the IOCTLs which control them.

Status: Entry
Reference: MS:MS99-024
Reference: URL:http://www.microsoft.com/technet/security/bulletin/ms99-024.mspx
Reference: MSKB:Q236359
Reference: URL:http://support.microsoft.com/default.aspx?scid=kb;[LN];Q236359
Reference: XF:nt-ioctl-dos

Description:
Buffer overflow in Lotus Notes LDAP (NLDAP) allows an attacker to conduct a denial of service through the ldap_search request.

Status: Entry
Reference: ISS:19990823 Denial of Service Attack against Lotus Notes Domino Server 4.6
Reference: URL:http://xforce.iss.net/alerts/advise34.php
Reference: CIAC:J-061
Reference: URL:http://www.ciac.org/ciac/bulletins/j-061.shtml
Reference: BID:601
Reference: URL:http://www.securityfocus.com/bid/601
Reference: XF:lotus-ldap-bo
Reference: OSVDB:1057
Reference: URL:http://www.osvdb.org/1057

Description:
The zsoelim program in the Debian man-db package allows local users to overwrite files via a symlink attack.

Status: Entry
Reference: DEBIAN:19990612

Description:
The KDE klock program allows local users to unlock a session using malformed input.

Status: Entry
Reference: BUGTRAQ:19990623 Security flaw in klock
Reference: CALDERA:CSSA-1999:017
Reference: SUSE:19990629 Security hole in Klock
Reference: BID:489
Reference: URL:http://www.securityfocus.com/bid/489

Description:
The logging facilitity of the Debian smtp-refuser package allows local users to delete arbitrary files using symbolic links.

Status: Entry
Reference: DEBIAN:19990823b
Reference: XF:smtp-refuser-tmp

Description:
Buffer overflow in VMWare 1.0.1 for Linux via a long HOME environmental variable.

Status: Entry
Reference: BUGTRAQ:19990626 VMWare Advisory - buffer overflows
Reference: BUGTRAQ:19990626 VMware Security Alert
Reference: BUGTRAQ:19990705 Re: VMWare Advisory.. - exploit
Reference: BID:490
Reference: URL:http://www.securityfocus.com/bid/490
Reference: XF:vmware-bo

Description:
A default configuration of CiscoSecure Access Control Server (ACS) allows remote users to modify the server database without authentication.

Status: Entry
Reference: CISCO: CiscoSecure Access Control Server for UNIX Remote Administration Vulnerability
Reference: XF:ciscosecure-read-write

Description:
KDE K-Mail allows local users to gain privileges via a symlink attack in temporary user directories.

Status: Entry
Reference: ISS:KDE K-Mail File Creation Vulnerability
Reference: CALDERA:CSSA-1999:016
Reference: REDHAT:RHSA-1999:015-01
Reference: URL:http://www.redhat.com/support/errata/RHSA1999015_01.html
Reference: BID:300
Reference: URL:http://www.securityfocus.com/bid/300

Description:
Remote attackers can cause a denial of service on Linux in.telnetd telnet daemon through a malformed TERM environmental variable.

Status: Entry
Reference: BID:594
Reference: URL:http://www.securityfocus.com/bid/594
Reference: XF:linux-telnetd-term
Reference: CALDERA:CSSA-1999:022
Reference: REDHAT:RHSA1999029_01

Description:
The Debian mailman package uses weak authentication, which allows attackers to gain privileges.

Status: Entry
Reference: DEBIAN:19990623
Reference: BID:480
Reference: URL:http://www.securityfocus.com/bid/480

Description:
Trn allows local users to overwrite other users' files via symlinks.

Status: Entry
Reference: BUGTRAQ:19990819 Insecure use of file in /tmp by trn
Reference: DEBIAN:19990823c
Reference: SUSE:19990824 Security hole in trn
Reference: XF:trn-symlinks(3144)
Reference: URL:http://xforce.iss.net/xforce/xfdb/3144

Description:
Buffer overflow in Netscape Enterprise Server and FastTrask Server allows remote attackers to gain privileges via a long HTTP GET request.

Status: Entry
Reference: ISS:Buffer Overflow in Netscape Enterprise and FastTrack Web Servers
Reference: BID:603
Reference: URL:http://www.securityfocus.com/bid/603

Description:
Buffer overflow in Source Code Browser Program Database Name Server Daemon (pdnsd) for the IBM AIX C Set ++ compiler.

Status: Entry
Reference: IBM:ERS-SVA-E01-1999:003.1
Reference: CIAC:J-059
Reference: URL:http://www.ciac.org/ciac/bulletins/j-059.shtml
Reference: BID:590
Reference: URL:http://www.securityfocus.com/bid/590
Reference: XF:aix-pdnsd-bo

Description:
A default configuration of in.identd in SuSE Linux waits 120 seconds between requests, allowing a remote attacker to conduct a denial of service.

Status: Entry
Reference: BUGTRAQ:19990814 DOS against SuSE's identd
Reference: SUSE:19990824 Security hole in netcfg
Reference: BID:587
Reference: URL:http://www.securityfocus.com/bid/587
Reference: XF:suse-identd-dos

Description:
Denial of service in BSDi Symmetric Multiprocessing (SMP) when an fstat call is made when the system has a high CPU load.

Status: Entry
Reference: BUGTRAQ:19990816 Symmetric Multiprocessing (SMP) Vulnerbility in BSDi 4.0.1
Reference: URL:http://www.securityfocus.com/templates/archive.pike?list=1&msg=Pine.BSI.4.10.9908170253560.19291-100000@saturn.psn.net
Reference: BID:589
Reference: URL:http://www.securityfocus.com/bid/589
Reference: XF:bsdi-smp-dos

Description:
Buffer overflow in Microsoft Telnet client in Windows 95 and Windows 98 via a malformed Telnet argument.

Status: Entry
Reference: BUGTRAQ:19990815 telnet.exe heap overflow - remotely exploitable
Reference: MS:MS99-033
Reference: URL:http://www.microsoft.com/technet/security/bulletin/ms99-033.mspx
Reference: XF:win-ie5-telnet-heap-overflow
Reference: BID:586
Reference: URL:http://www.securityfocus.com/bid/586

Description:
Buffer overflow in Accept command in Netscape Enterprise Server 3.6 with the SSL Handshake Patch.

Status: Entry
Reference: BUGTRAQ:19990913 Accept overflow on Netscape Enterprise Server 3.6 SP2
Reference: BID:631
Reference: URL:http://www.securityfocus.com/bid/631
Reference: XF:netscape-accept-bo(3256)
Reference: URL:http://xforce.iss.net/xforce/xfdb/3256

Description:
Denial of service in Netscape Enterprise Server via a buffer overflow in the SSL handshake.

Status: Entry
Reference: BUGTRAQ:19990706 Netscape Enterprise Server SSL Handshake Bug

Description:
The w3-msql CGI script provided with Mini SQL allows remote attackers to view restricted directories.

Status: Entry
Reference: BUGTRAQ:19990817 Stupid bug in W3-msql
Reference: XF:mini-sql-w3-msql-cgi
Reference: BID:591
Reference: URL:http://www.securityfocus.com/bid/591

Description:
The INN inndstart program allows local users to gain privileges by specifying an alternate configuration file using the INNCONF environmental variable.

Status: Entry
Reference: BUGTRAQ:19990511 INN 2.0 and higher. Root compromise potential
Reference: CALDERA:CSSA-1999-011.0
Reference: URL:ftp://ftp.caldera.com/pub/security/OpenLinux/CSSA-1999-011.0.txt
Reference: SUSE:19990518 Security hole in INN
Reference: MISC:http://www.redhat.com/corp/support/errata/inn99_05_22.html
Reference: BID:255
Reference: URL:http://www.securityfocus.com/bid/255
Reference: XF:inn-innconf-env

Description:
Windows NT RRAS and RAS clients cache a user's password even if the user has not selected the "Save password" option.

Status: Entry
Reference: XF:nt-ras-pwcache
Reference: MSKB:Q230681
Reference: URL:http://support.microsoft.com/default.aspx?scid=kb;[LN];Q230681
Reference: MS:MS99-017
Reference: URL:http://www.microsoft.com/technet/security/bulletin/ms99-017.mspx

Description:
ColdFusion Administrator with Advanced Security enabled allows remote users to stop the ColdFusion server via the Start/Stop utility.

Status: Entry
Reference: ALLAIRE:ASB99-07
Reference: URL:http://www.allaire.com/handlers/index.cfm?ID=10968&Method=Full
Reference: XF:coldfusion-admin-dos(2207)
Reference: URL:http://xforce.iss.net/static/2207.php

Description:
Netscape Enterprise 3.5.1 and FastTrack 3.01 servers allow a remote attacker to view source code to scripts by appending a %20 to the script's URL.

Status: Entry
Reference: ALLAIRE:ASB99-06
Reference: XF:netscape-space-view

Description:
Buffer overflow in FuseMAIL POP service via long USER and PASS commands.

Status: Entry
Reference: BUGTRAQ:19990913 Many kind of POP3/SMTP server softwares for Windows have buffer overflow bug
Reference: CONFIRM:http://www.crosswinds.net/~fuseware/faq.html#8
Reference: BID:634
Reference: URL:http://www.securityfocus.com/bid/634
Reference: XF:fuseware-popmail-bo

Description:
Undocumented ColdFusion Markup Language (CFML) tags and functions in the ColdFusion Administrator allow users to gain additional privileges.

Status: Entry
Reference: ALLAIRE:ASB99-10
Reference: URL:http://www.allaire.com/handlers/index.cfm?ID=11714&Method=Full
Reference: BID:550
Reference: URL:http://www.securityfocus.com/bid/550
Reference: XF:coldfusion-server-cfml-tags
Reference: URL:http://xforce.iss.net/static/3288.php

Description:
Buffer overflow in FreeBSD fts library routines allows local user to modify arbitrary files via the periodic program.

Status: Entry
Reference: FREEBSD:FreeBSD-SA-99:05
Reference: XF:freebsd-fts-lib-bo
Reference: BID:644
Reference: URL:http://www.securityfocus.com/bid/644
Reference: OSVDB:1074
Reference: URL:http://www.osvdb.org/1074

Description:
When Javascript is embedded within the TITLE tag, Netscape Communicator allows a remote attacker to use the "about" protocol to gain access to browser information.

Status: Entry
Reference: XF:netscape-title
Reference: BUGTRAQ:19990524 Netscape Communicator JavaScript in <TITLE> security vulnerability

Description:
NetBSD on a multi-homed host allows ARP packets on one network to modify ARP entries on another connected network.

Status: Entry
Reference: NETBSD:1999-010
Reference: XF:netbsd-arp
Reference: OSVDB:6540
Reference: URL:http://www.osvdb.org/6540

Description:
NetBSD allows ARP packets to overwrite static ARP entries.

Status: Entry
Reference: NETBSD:1999-010
Reference: XF:netbsd-arp
Reference: OSVDB:6539
Reference: URL:http://www.osvdb.org/6539

Description:
SGI IRIX midikeys program allows local users to modify arbitrary files via a text editor.

Status: Entry
Reference: BUGTRAQ:19990619 IRIX midikeys root exploit.
Reference: SGI:19990501-01-A
Reference: URL:ftp://patches.sgi.com/support/free/security/advisories/19990501-01-A
Reference: BID:262
Reference: URL:http://www.securityfocus.com/bid/262
Reference: XF:irix-midikeys

Description:
The Microsoft Java Virtual Machine allows a malicious Java applet to execute arbitrary commands outside of the sandbox environment.

Status: Entry
Reference: MS:MS99-031
Reference: URL:http://www.microsoft.com/technet/security/bulletin/ms99-031.mspx
Reference: MSKB:Q240346
Reference: URL:http://support.microsoft.com/default.aspx?scid=kb;[LN];Q240346
Reference: BID:600
Reference: URL:http://www.securityfocus.com/bid/600
Reference: XF:msvm-verifier-java

Description:
Buffer overflow in Vixie Cron on Red Hat systems via the MAILTO environmental variable.

Status: Entry
Reference: BID:602
Reference: URL:http://www.securityfocus.com/bid/602
Reference: REDHAT:RHSA-1999:030-02
Reference: SUSE:19990829 Security hole in cron

Description:
Vixie Cron on Linux systems allows local users to set parameters of sendmail commands via the MAILTO environmental variable.

Status: Entry
Reference: REDHAT:RHSA-1999:030-02
Reference: CALDERA:CSSA-1999:023.0
Reference: SUSE:19990829 Security hole in cron
Reference: DEBIAN:19990830 cron
Reference: BID:611
Reference: URL:http://www.securityfocus.com/bid/611

Description:
Firewall-1 sets a long timeout for connections that begin with ACK or other packets except SYN, allowing an attacker to conduct a denial of service via a large number of connection attempts to unresponsive systems.

Status: Entry
Reference: BUGTRAQ:19990729 Simple DOS attack on FW-1
Reference: BID:549
Reference: URL:http://www.securityfocus.com/bid/549
Reference: CHECKPOINT:ACK DOS ATTACK
Reference: OSVDB:1027
Reference: URL:http://www.osvdb.org/1027

Description:
The web components of Compaq Management Agents and the Compaq Survey Utility allow a remote attacker to read arbitrary files via a .. (dot dot) attack.

Status: Entry
Reference: BUGTRAQ:19990526 Infosec.19990526.compaq-im.a
Reference: COMPAQ:SSRT0612U
Reference: XF:management-agent-file-read

Description:
Denial of service in Compaq Management Agents and the Compaq Survey Utility via a long string sent to port 2301.

Status: Entry
Reference: BUGTRAQ:19990527 Re: Infosec.19990526.compaq-im.a (New DoS and correction to my previous post)
Reference: COMPAQ:SSRT0612U
Reference: XF:management-agent-dos

Description:
Buffer overflow in Solaris lpset program allows local users to gain root access.

Status: Entry
Reference: BUGTRAQ:19990511 Solaris2.6 and 2.7 lpset overflow
Reference: URL:http://www.netspace.org/cgi-bin/wa?A2=ind9905B&L=bugtraq&P=R2017
Reference: XF:sol-lpset-bo

Description:
Buffer overflows in Mars NetWare Emulation (NWE, mars_nwe) package via long directory names.

Status: Entry
Reference: BUGTRAQ:19990830 Babcia Padlina Ltd. security advisory: mars_nwe buffer overf
Reference: REDHAT:RHSA1999037_01
Reference: SUSE:19990916 Security hole in mars nwe
Reference: BID:617
Reference: URL:http://www.securityfocus.com/bid/617

Description:
Cisco Gigabit Switch routers running IOS allow remote attackers to forward unauthorized packets due to improper handling of the "established" keyword in an access list.

Status: Entry
Reference: CISCO:19990610 Cisco IOS Software established Access List Keyword Error
Reference: XF:cisco-gigaswitch

Description:
IIS FTP servers may allow a remote attacker to read or delete files on the server, even if they have "No Access" permissions.

Status: Entry
Reference: MS:MS99-039
Reference: URL:http://www.microsoft.com/technet/security/bulletin/ms99-039.asp
Reference: MSKB:Q241407
Reference: URL:http://support.microsoft.com/default.aspx?scid=kb;[LN];Q241407
Reference: MSKB:Q242559
Reference: URL:http://support.microsoft.com/default.aspx?scid=kb;[LN];Q242559
Reference: XF:iis-ftp-no-access-files
Reference: BID:658
Reference: URL:http://www.securityfocus.com/bid/658