Entry Buffer overflow in NFS mountd gives root access to remote attackers, mostly in Linux systems. 19981006-01-I CA-98.12.mountd J-006 121 linux-mountd-bo Entry Execute commands as root via buffer overflow in Tooltalk database server (rpc.ttdbserverd). NAI-29 CA-98.11.tooltalk 19981101-01-A 19981101-01-PX aix-ttdbserver tooltalk 122 Entry Arbitrary command execution via IMAP buffer overflow in authenticate command. CA-98.09.imapd 00177 130 imap-authenticate-bo Entry Buffer overflow in POP servers based on BSD/Qualcomm's qpopper allows remote attackers to gain root access using a long PASS command. CA-98.08.qpopper_vul 19980801-01-I AA-98.01 qpopper-pass-overflow 133 Entry Information from SSL-encrypted sessions via PKCS #1. CA-98.07.PKCS MS98-002 nt-ssl-fix Entry Buffer overflow in NIS+, in Sun's rpc.nisd program. CA-98.06.nisd 00170 June10,1998 nisd-bo-check Entry Inverse query buffer overflow in BIND 4.9 and BIND 8 Releases. 19980603-01-PX HPSBUX9808-083 00180 CA-98.05.bind_problems bind-bo 134 Entry Denial of Service vulnerability in BIND 8 Releases via maliciously formatted DNS messages. CA-98.05.bind_problems 19980603-01-PX HPSBUX9808-083 bind-dos Entry Denial of Service vulnerabilities in BIND 4.9 and BIND 8 Releases via CNAME record and zone transfer. CA-98.05.bind_problems 19980603-01-PX HPSBUX9808-083 00180 bind-axfr-dos Entry Some web servers under Microsoft Windows allow remote attackers to bypass access restrictions for files with long file names. CA-98.04.Win32.WebServers nt-web8.3 Entry Stolen credentials from SSH clients via ssh-agent program, allowing other local users to access remote accounts belonging to the ssh-agent user. CA-98.03.ssh-agent NAI-24 ssh-agent Entry Unauthorized privileged access or denial of service via dtappgather program in CDE. HPSBUX9801-075 00185 CA-98.02.CDE Entry Land IP denial of service. CA-97.28.Teardrop_Land FreeBSD-SA-98:01 HPSBUX9801-076 http://www.cisco.com/warp/public/770/land-pub.shtml cisco-land land 95-verv-tcp land-patch ver-tcpip-sys Entry FTP servers can allow an attacker to connect to arbitrary ports on machines other than the FTP client, aka FTP bounce. CA-97.27.FTP_bounce ftp-bounce ftp-privileged-port Entry Buffer overflow in statd allows root privileges. CA-97.26.statd AA-97.29 statd 127 Entry Delete or create a file via rpc.statd, due to invalid information. CA-96.09.rpc.statd rpc-stat 00135 Entry Arbitrary command execution via buffer overflow in Count.cgi (wwwcount) cgi-bin program. 19971010 Security flaw in Count.cgi (wwwcount) CA-97.24.Count_cgi http-cgi-count 128 Entry Local user gains root privileges via buffer overflow in rdist, via expstr() function. CA-97.23.rdist 00179 rdist-bo3 rdist-sept97 Entry Local user gains root privileges via buffer overflow in rdist, via lookup() function. CA-96.14.rdist_vul rdist-bo rdist-bo2 Entry DNS cache poisoning via BIND, by predictable query IDs. CA-97.22.bind bind NAI-11 Entry root privileges via buffer overflow in df command on SGI IRIX systems. CA-1997-21 AA-97.19.IRIX.df.buffer.overflow.vul SGI:19970505-01-A SGI:19970505-02-PX VU#20851 346 df-bo(440) Entry root privileges via buffer overflow in pset command on SGI IRIX systems. CA-97.21.sgi_buffer_overflow AA-97.20.IRIX.pset.buffer.overflow.vul pset-bo Entry root privileges via buffer overflow in eject command on SGI IRIX systems. CA-97.21.sgi_buffer_overflow AA-97.21.IRIX.eject.buffer.overflow.vul eject-bo Entry root privileges via buffer overflow in login/scheme command on SGI IRIX systems. CA-97.21.sgi_buffer_overflow AA-97.22.IRIX.login.scheme.buffer.overflow.vul sgi-schemebo Entry root privileges via buffer overflow in ordist command on SGI IRIX systems. CA-97.21.sgi_buffer_overflow AA-97.23-IRIX.ordist.buffer.overflow.vul ordist-bo Entry JavaScript in Internet Explorer 3.x and 4.x, and Netscape 2.x, 3.x and 4.x, allows remote attackers to monitor a user's web activities, aka the Bell Labs vulnerability. CA-97.20.javascript HPSBUX9707-065 Entry Buffer overflow in lpr, as used in BSD-based systems including Linux, allows local users to execute arbitrary code as root via a long -C (classification) command line option. 19960813 Possible bufferoverflow condition in lpr, xterm and xload 19961025 Linux & BSD's lpr exploit [freebsd-security] 19961025 Vadim Kolontsov: BoS: Linux & BSD's lpr exploit [linux-security] 19961122 LSF Update#14: Vulnerability of the lpr program. CA-97.19.bsdlp AA-96.12 H-08 I-042 19980402-01-PX 707 bsd-lprbo2 bsd-lprbo lpr-bo Entry Buffer overflow in suidperl (sperl), Perl 4.x and 5.x. CA-97.17.sperl perl-suid Entry Race condition in signal handling routine in ftpd, allowing read/write arbitrary files. ftp-ftpd CA-97.16.ftpd AA-97.03 Entry IRIX login program with a nonzero LOCKOUT parameter allows creation or damage to files. CA-97.15.sgi_login AA-97.12 H-106 19970508-02-PX 990 sgi-lockout(557) Entry Arbitrary command execution via metamail package using message headers, when user processes attacker's message using metamail. CA-97.14.metamail metamail-header-commands Entry Buffer overflow in xlock program allows local users to execute commands as root. CA-97.13.xlock xlock-bo Entry webdist CGI program (webdist.cgi) in SGI IRIX allows remote attackers to execute arbitrary commands via shell metacharacters in the distloc parameter. 19970507 Re: SGI Security Advisory 19970501-01-A - Vulnerability in 19970507 Re: SGI Advisory: webdist.cgi CA-1997-12 AA-97.14 19970501-02-PX 374 235 http-sgi-webdist(333) Entry Buffer overflow in Xt library of X Windowing System allows local users to execute commands with root privileges. CA-97.11.libXt libXt-bo Entry Buffer overflow in NLS (Natural Language Service). CA-97.10.nls nls-bo Entry Buffer overflow in University of Washington's implementation of IMAP and POP servers. NAI-21 CA-97.09.imap_pop popimap-bo Entry Command execution via shell metachars in INN daemon (innd) 1.5 using "newgroup" and "rmgroup" control messages, and others. CA-97.08.innd inn-controlmsg Entry fsdump command in IRIX allows local users to obtain root access by modifying sensitive files. 19970301-01-P sgi-fsdump Entry List of arbitrary files on Web host via nph-test-cgi script. CA-97.07.nph-test-cgi_script http-cgi-nph Entry Buffer overflow of rlogin program using TERM environmental variable. CA-97.06.rlogin-term rlogin-termbo Entry MIME conversion buffer overflow in sendmail versions 8.8.3 and 8.8.4. CA-97.05.sendmail 685 sendmail-mime-bo2 Entry Talkd, when given corrupt DNS information, can be used to execute arbitrary commands with root privileges. CA-97.04.talkd FreeBSD-SA-96:21 AA-97.01 00147 talkd-bo netkit-talkd Entry Csetup under IRIX allows arbitrary file creation or overwriting. sgi-csetup CA-97.03.csetup Entry Buffer overflow in HP-UX newgrp program. CA-97.02.hp_newgrp AA-96.16.HP-UX.newgrp.Buffer.Overrun.Vulnerability hp-newgrpbo Entry Arbitrary file creation and program execution using FLEXlm LicenseManager, from versions 4.0 to 5.0, in IRIX. sgi-licensemanager CA-97.01.flex_lm AA-96.03 Entry IP fragmentation denial of service in FreeBSD allows a remote attacker to cause a crash. FreeBSD-SA-98:08 908 freebsd-ip-frag-dos(1389) Entry TCP RST denial of service in FreeBSD. FreeBSD-SA-98:07 6094 Entry Sun's ftpd daemon can be subjected to a denial of service. 00171 sun-ftpd Entry Buffer overflows in Sun libnsl allow root access. 00172 IX80543 RSI.0005.05-14-98.SUN.LIBNSL sun-libnsl Entry Buffer overflow in Sun's ping program can give root access to local users. 00174 sun-ping Entry Vacation program allows command execution by remote users through a sendmail command. NAI-19 vacation HPSBUX9811-087 Entry Buffer overflow in PHP cgi program, php.cgi allows shell access. NAI-12 712 http-cgi-phpbo Entry IRIX fam service allows an attacker to obtain a list of all files on the server. NAI-16 353 164 irix-fam(325) Entry Attackers can cause a denial of service in Ascend MAX and Pipeline routers with a malformed packet to the discard port, which is used by the Java Configurator tool. NAI-26 ascend-config-kill http://www.ascend.com/2695.html Entry The chpass command in OpenBSD allows a local user to gain root access through file descriptor leakage. openbsd-chpass NAI-28 7559 Entry Cisco IOS 12.0 and other versions can be crashed by malicious UDP packets to the syslog port. ESB-98.197 http://www.cisco.com/warp/public/770/iossyslog-pub.shtml cisco-syslog-crash Entry Buffer overflow in AIX lquerylv program gives root access to local users. May28,1997 lquerylv-bo Entry Multiple buffer overflows in how dtmail handles attachments allows a remote attacker to execute commands. 00181 hp-dtmail Entry AnyForm CGI remote execution. 19950731 SECURITY HOLE: "AnyForm" CGI 719 http-cgi-anyform Entry phf CGI program allows remote command execution through shell metacharacters. 19960923 PHF Attacks - Fun and games for the whole family CA-1996-06 AA-96.01 629 136 http-cgi-phf Entry CGI PHP mylog script allows an attacker to read any file on the target server. 19971019 Vulnerability in PHP Example Logging Scripts http-cgi-php-mylog 713 3396 Entry Solaris ufsrestore buffer overflow. 00169 sun-ufsrestore 8158 Entry test-cgi program allows an attacker to list files on the server. http-cgi-test Entry Apache httpd cookie buffer overflow for versions 1.1.1 and earlier. http-apache-cookie NAI-2 Entry Buffer overflow in AIX xdat gives root access to local users. ERS-SVA-E01-1997:004.1 ibm-xdat Entry Telnet allows a remote client to specify environment variables including LD_LIBRARY_PATH, allowing an attacker to bypass the normal system libraries and gain root access. CA-95:14.Telnetd_Environment_Vulnerability linkerbug Entry Listening TCP ports are sequentially allocated, allowing spoofing attacks. seqport Entry PASV core dump in wu-ftpd daemon when attacker uses a QUOTE PASV command after specifying a username and password. 19961016 Re: ftpd bug? Was: bin/1805: Bug in ftpd ftp-pasvcore 5742 Entry Predictable TCP sequence numbers allow spoofing. tcp-seq-predict(139) Entry Remote attackers can cause a denial of service in FTP by issuing multiple PASV commands, causing the server to run out of available ports. ftp-pasv-dos ftp-pasvdos Entry Certain configurations of wu-ftp FTP server 2.4 use a _PATH_EXECPATH setting to a directory with dangerous commands, such as /bin, which allows remote authenticated users to gain root access via the "site exec" command. 19950531 SECURITY: problem with some wu-ftpd-2.4 binaries (fwd) CA-95:16.wu-ftpd.vul ftp-execdotdot Entry wu-ftp allows files to be overwritten via the rnfr command. ftp-rnfr Entry CWD ~root command in ftpd allows root access. ftp-cwd Improving the Security of Your Site by Breaking Into it Entry getcwd() file descriptor leak in FTP. cwdleak Entry Certain NFS servers allow users to use mknod to gain privileges by creating a writable kmem device and setting the UID to 0. nfs-mknod(78) Entry Buffer overflow in rwhod on AIX and other operating systems allows remote attackers to execute arbitrary code via a UDP packet with a long hostname. 19960821 rwhod buffer overflow rwhod(119) rwhod-vuln(118) Entry Denial of service in AIX telnet can freeze a system and prevent users from accessing the server. ibm-telnetdos ERS-SVA-E01-1998:003.1 7992 Entry Buffer overflow in AIX rcp command allows local users to obtain root access. ERS-SVA-E01-1997:005.1 ibm-rcp Entry Buffer overflow in AIX writesrv command allows local users to obtain root access. ERS-SVA-E01-1997:005.1 ibm-writesrv Entry AIX nslookup command allows local users to obtain root access by not dropping privileges correctly. ERS-SVA-E01-1997:008.1 ibm-nslookup Entry AIX piodmgrsu command allows local users to gain additional group privileges. ERS-SVA-E01-1997:007.1 ibm-piodmgrsu Entry The debug command in Sendmail is enabled, allowing attackers to execute commands as root. CA-88.01 CA-93.14 1 195 smtp-debug Entry Sendmail decode alias can be used to overwrite sensitive files. CA-93.16 CA-95.05 A-13 A-14 00122 smtp-dcod Entry The AIX FTP client can be forced to execute commands from a malicious server through shell metacharacters (e.g. a pipe character). ERS-SVA-E01-1997:009.1 ibm-ftp Entry Buffer overflow in syslog utility allows local or remote attackers to gain root privileges. CA-95.13.syslog.vul smtp-syslog Entry Remote access in AIX innd 1.5.1, using control messages. ERS-SVA-E01-1997:002.1 inn-controlmsg Entry Buffer overflow in AIX and Solaris "gethostbyname" library call allows root access through corrupt DNS host names. ERS-SVA-E01-1997:001.1 ERS-SVA-E01-1996:007.1 00137a H-13 NAI-1 ghbn-bo Entry Buffer overflow in SLmail 3.x allows attackers to execute commands using a large FROM line. slmail-fromheader-overflow Entry Echo and chargen, or other combinations of UDP services, can be used in tandem to flood the server, a.k.a. UDP bomb or UDP packet storm. CA-96.01.UDP_service_denial echo chargen chargen-patch Entry The printers program in IRIX has a buffer overflow that gives root access to local users. another day, another buffer overflow... printers-bo Entry Buffer overflow in ffbconfig in Solaris 2.5.1. 00140 AA-97.06 ffbconfig-bo Entry RIP v1 is susceptible to spoofing. rip Entry Buffer overflow in AIX dtterm program for the CDE. 19970520 AIX 4.2 dtterm exploit dtterm-bo(878) Entry Some implementations of rlogin allow root access if given a -froot parameter. 19940729 -froot??? (AIX rlogin bug) CA-94.09.bin.login.vulnerability E-26 458 rlogin-froot Entry AIX bugfiler program allows local users to gain root access. 19970909 AIX bugfiler ibm-bugfiler 1800 Entry Denial of service when an attacker sends many SYN packets to create multiple connections without ever sending an ACK to complete the connection, aka SYN flood. CA-96.21.tcp_syn.flooding 19961202-01-PX 00136 Entry AIX passwd allows local users to gain root access. ibm-passwd CA-92:07.AIX.passwd.vulnerability Entry AIX infod allows local users to gain root access through an X display. 19981119 RSI.0011.11-09-98.AIX.INFOD aix-infod Entry Sun/Solaris utmp file allows local users to gain root access if it is writable by users other than root. 00126 CA-94.06.utmp.vulnerability utmp-write Entry Buffer overflow in AIX lchangelv gives root access. Jul21,1999 lchangelv-bo Entry Vulnerabilities in UMN gopher and gopher+ versions 1.12 and 2.0x allow an intruder to read any files that can be accessed by the gopher daemon. CA-93:11.UMN.UNIX.gopher.vulnerability gopher-vuln Entry Buffer overflow in SGI IRIX mailx program. sgi-mailx-bo 19980605-01-PX Entry SGI IRIX buffer overflow in xterm and Xaw allows root access. VB-98.04.xterm.Xaw J-010 xfree86-xterm-xaw xfree86-xaw Entry Oversized ICMP ping packets can result in a denial of service, aka Ping o' Death. ping-death CA-96.26.ping Entry Sendmail allows local users to write to a file and gain group permissions via a .forward or :include: file. CA-96.25.sendmail_groups Entry Local users can start Sendmail in daemon mode and gain root privileges. CA-96.24.sendmail.daemon.mode 716 sendmail-daemon-mode Entry Buffer overflow and denial of service in Sendmail 8.7.5 and earlier through GECOS field gives root access to local users. CA-96.20.sendmail_vul smtp-875bo 717 Entry Expreserve, as used in vi and ex, allows local users to overwrite arbitrary files and gain root access. CA-1996-19 11723 expreserve(401) Entry fm_fls license server for Adobe Framemaker allows local users to overwrite arbitrary files and gain root access. CA-96.18.fm_fls fmaker-logfile Entry vold in Solaris 2.x allows local users to gain root access. sol-voldtmp CA-96.17.Solaris_vold_vul AL-96.04 8159 Entry admintool in Solaris allows a local user to write to arbitrary files and gain root access. sun-admintool CA-96.16.Solaris_admintool_vul AL-96.03 Entry Kodak Color Management System (KCMS) on Solaris allows a local user to write to arbitrary files and gain root access. sol-KCMSvuln AL-96.02 CA-96.15.Solaris_KCMS_vul Entry The dip program on many Linux systems allows local users to gain root access via a buffer overflow. linux-dipbo CA-96.13.dip_vul dip-bo Entry The suidperl and sperl program do not give up root privileges when changing UIDs back to the original users, allowing root access. CA-96.12.suidperl_vul sperl-suid Entry Buffer overflow in Solaris x86 mkcookie allows local users to obtain root access. sol-mkcookie RSI.0012.12-03-98.SOLARIS.MKCOOKIE 8205 Entry Java Bytecode Verifier allows malicious applets to execute arbitrary commands as the user of the applet. http-java-applet CA-96.07.java_bytecode_verifier 00134 Entry The Java Applet Security Manager implementation in Netscape Navigator 2.0 and Java Developer's Kit 1.0 allows an applet to connect to arbitrary hosts. CA-96.05.java_applet_security_mgr http-java-appletsecmgr Entry Kerberos 4 key servers allow a user to masquerade as another by breaking and generating session keys. CA-96.03.kerberos_4_key_server kerberos-bf Entry Sendmail WIZ command enabled, allowing root access. CA-1990-11 CA-1993-14 19950206 sendmail wizard thing... Improving the Security of Your Site by Breaking Into it Entry The campas CGI program provided with some NCSA web servers allows an attacker to execute arbitrary commands via encoded carriage return characters in the query string, as demonstrated by reading the password file. 19970715 Bug CGI campas 1975 http-cgi-campas(298) Entry The aglimpse CGI program of the Glimpse package allows remote execution of arbitrary commands. http-cgi-glimpse AA-97.28 Entry The handler CGI program in IRIX allows arbitrary command execution. 19970501-02-PX 380 http-sgi-handler Entry The wrap CGI program in IRIX allows remote attackers to view arbitrary directory listings via a .. (dot dot) attack. 19970420 IRIX 6.x /cgi-bin/wrap bug 19970501-02-PX 373 247 http-sgi-wrap(290) Entry The Perl fingerd program allows arbitrary command execution from remote users. perl-fingerd Entry The SATAN session key may be disclosed if the user points the web browser to other sites, possibly allowing root access. CA-95.07a.REVISED.satan.vul CA-95.06.satan.vul Entry The DG/UX finger daemon allows remote command execution through shell metacharacters. 19970811 dgux in.fingerd vulnerability dgux-fingerd Entry Windows 95/NT out of band (OOB) data denial of service through NETBIOS port, aka WinNuke. win-oob 1666 Entry The ghostscript command with the -dSAFER option allows remote attackers to execute commands. gscript-dsafer CA-95.10.ghostscript Entry Cisco PIX firewall and CBAC IP fragmentation attack results in a denial of service. http://www.cisco.com/warp/public/770/nifrag.shtml cisco-fragmented-attacks 1097 Entry Cisco PIX firewall manager (PFM) on Windows NT allows attackers to connect to port 8080 on the PFM server and retrieve any file whose name and location is known. 20010913 Cisco PIX Firewall Manager File Exposure cisco-pix-file-exposure 685 Entry Attackers can crash a Cisco IOS router or device, provided they can get to an interactive prompt (such as a login). This applies to some IOS 9.x, 10.x, and 11.x releases. http://www.cisco.com/warp/public/770/ioslogin-pub.shtml cisco-ios-crash Entry Some classic Cisco IOS devices have a vulnerability in the PPP CHAP authentication to establish unauthorized PPP connections. 19971001 Vulnerabilities in Cisco CHAP Authentication I-002A 1099 cisco-chap Entry In Cisco IOS 10.3, with the tacacs-ds or tacacs keyword, an extended IP access control list could bypass filtering. http://www.cisco.com/warp/public/707/1.html cisco-acl-tacacs 797 Entry The "established" keyword in some Cisco IOS software allowed an attacker to bypass filtering. 19950601 "Established" Keyword May Allow Packets to Bypass Filter cisco-acl-established Entry A race condition in the Solaris ps command allows an attacker to overwrite critical files. sol-pstmprace AA-95.07 CA-95.09.Solaris.ps.vul 8346 Entry NFS allows users to use a "cd .." command to access other directories besides the exported file system. nfs-cd Entry In SunOS, NFS file handles could be guessed, giving unauthorized access to the exported file system. nfs-guess CA-91.21.SunOS.NFS.Jumbo.and.fsirand Entry The portmapper may act as a proxy and redirect service requests from an attacker, making the request appear to come from the local host, possibly bypassing authentication that would otherwise have taken place. For example, NFS file systems could be mounted through the portmapper despite export restrictions. nfs-portmap Entry Remote attackers can mount an NFS file system in Ultrix or OSF, even if it is denied on the access list. nfs-ultrix Entry FormMail CGI program allows remote execution of commands. http-cgi-formmail-exe Aug02,1995 Entry FormMail CGI program can be used by web servers other than the host server that the program resides on. http-cgi-formmail-use Entry The view-source CGI program allows remote attackers to read arbitrary files via a .. (dot dot) attack. 19970208 view-source http-cgi-viewsrc Entry The convert.bas program in the Novell web server allows a remote attackers to read any file on the system that is internally accessible by the web server. http-nov-convert Entry The Webgais program allows a remote user to execute arbitrary commands. Jul10,1997 http-webgais-query Entry The uploader program in the WebSite web server allows a remote attacker to execute arbitrary programs. 19970904 [Alert] Website's uploader.exe (from demo) vulnerable 19970905 Re: FW: [Alert] Website's uploader.exe (from demo) vulnerable 19970904 [Alert] Website's uploader.exe (from demo) vulnerable http-website-uploader Entry Buffer overflow in the win-c-sample program (win-c-sample.exe) in the WebSite web server 1.1e allows remote attackers to execute arbitrary code via a long query string. 19970106 Re: signal handling 2078 8 http-website-winsample(295) Entry Windows NT crashes or locks up when a Samba client executes a "cd .." command on a file share. Q140818 nt-samba-dotdot nt-351 nt-35 Entry in.rshd allows users to login with a NULL username and execute commands. rsh-null Entry The wall daemon can be used for denial of service, social engineering attacks, or to execute remote commands. walld Entry Samba has a buffer overflow which allows a remote attacker to obtain root access by specifying a long password. H-110 VB-97.10.samba nt-samba-bo Entry Linux implementations of TFTP would allow access to files outside the restricted directory. linux-tftp Entry When compiled with the -DALLOW_UPDATES option, bind allows dynamic updates to the DNS server, allowing for malicious modification of DNS records. dns-updates Entry In SunOS or Solaris, a remote user could connect from an FTP server's data port to an rlogin server on a host that trusts the FTP server, allowing remote command execution. 00156 sun-ftpd/logind Entry The passwd command in Solaris can be subjected to a denial of service. 00182 sun-passwd-dos Entry Solaris rpcbind listens on a high numbered UDP port, which may not be filtered since the standard port number is 111. NAI-15 00142 rpc-32771 Entry Solaris rpcbind can be exploited to overwrite arbitrary files and gain root access. 00167 sun-rpcbind Entry IIS newdsn.exe CGI script allows remote users to overwrite files. http-cgi-newdsn 275 Entry Buffer overflow in telnet daemon tgetent routing allows remote attackers to gain root access via the TERMCAP environmental variable. SNI-20 bsd-tel-tgetent Entry Denial of service in in.comsat allows attackers to generate messages. comsat Entry websendmail in Webgais 1.0 allows a remote user to access arbitrary files and execute arbitrary code via the receiver parameter ($VAR_receiver variable). 19970704 Vulnerability in websendmail 2077 237 http-webgais-smail Entry A quote cwd command on FTP servers can reveal the full path of the home directory of the "ftp" user. ftp-home Entry The GNU tar command, when used in FTP sessions, may allow an attacker to execute arbitrary commands. ftp-exectar Entry In Sendmail, attackers can gain root privileges via SMTP by specifying an improper "mail from" address and an invalid "rcpt to" address that would cause the mail to bounce to a program. CA-95.08 E-03 smtp-sendmail-version5 Entry Sendmail 8.6.9 allows remote attackers to execute root commands, using ident. ident-bo F-13 Entry MIME buffer overflow in Sendmail 8.8.0 and 8.8.1 gives root access. sendmail-mime-bo AA-96.06a Entry Remote attacker can execute commands through Majordomo using the Reply-To field and a "lists" command. majordomo-exe CA-94.11.majordomo.vulnerabilities Entry rpc.ypupdated (NIS) allows remote users to execute arbitrary commands. rpc-update CA-95.17.rpc.ypupdated.vul Entry The SunView (SunTools) selection_svc facility allows remote users to read files. CA-90.05.sunselection.vulnerability 8 selsvc Entry Automount daemon automountd allows local or remote users to gain privileges via shell metacharacters. 19971126 Solaris 2.5.1 automountd exploit (fwd) 19990103 SUN almost has a clue! (automountd) HPSBUX9910-104 CA-99-05 235 Entry Extra long export lists over 256 characters in some mount daemons allows NFS directories to be mounted by anyone. CA-94.02.REVISED.SunOS.rpc.mountd.vulnerability 24 Entry Solaris rpc.mountd generates error messages that allow a remote attacker to determine what files are on the server. 00168 I-048 sun-mountd Entry Denial of service by sending forged ICMP unreachable packets. icmp-unreachable Entry Routed allows attackers to append data to files. 19981004-01-PX J-012 ripapp Entry Malicious option settings in UDP packets could force a reboot in SunOS 4.1.3 systems. udp-bomb Entry Livingston portmaster machines could be rebooted via a series of commands. portmaster-reboot Entry Buffer overflow in FTP Serv-U 2.5 allows remote authenticated users to cause a denial of service (crash) via a long (1) CWD or (2) LS (list) command. 19990503 Buffer overflows in FTP Serv-U 2.5 19990504 Re: Buffer overflows in FTP Serv-U 2.5 19990909 Exploit: Serv-U Ver2.5 FTPd Win9x/NT 269 ftp-servu(205) Entry Denial of service of Ascend routers through port 150 (remote administration). ascend-150-kill Entry Solaris syslogd crashes when receiving a message from a host that doesn't have an inverse DNS entry. 19961109 Syslogd and Solaris 2.4 1249320 http://sunsolve.Sun.COM/pub-cgi/retrieve.pl?patchid=103291&collection=fpatches sol-syslogd-crash 1878 Entry Denial of service in Windows NT messenger service through a long username. nt-messenger Entry Windows NT 4.0 allows remote attackers to cause a denial of service via a malformed SMB logon request in which the actual data size does not match the specified size. 19980214 Windows NT Logon Denial of Service Q180963 nt-logondos Entry Access violation in LSASS.EXE (LSA/LSARPC) program in Windows NT allows a denial of service. Q154087 nt-lsass-crash Entry Denial of service in RPCSS.EXE program (RPC Locator) in Windows NT. nt-rpc-ver Q162567 Entry Buffer overflow in Cisco 7xx routers through the telnet service. http://www.cisco.com/warp/public/770/pwbuf-pub.shtml 1102 Entry IIS 1.0 allows users to execute arbitrary commands using .bat or .cmd files. Q148188 Q155056 http-iis-cmd Entry Bash treats any character with a value of 255 as a command separator. bash-cmd CA-96.22.bash_vuls Entry ScriptAlias directory in NCSA and Apache httpd allowed attackers to read CGI programs. http-scriptalias Entry Remote execution of arbitrary commands through Guestbook CGI program. http-cgi-guestbook VB-97.02 Entry Netscape FastTrack Web server lists files when a lowercase "get" command is used instead of an uppercase GET. fastrack-get-directory-list 122 Entry Livingston RADIUS code has a buffer overflow which can allow remote execution of commands as root. NAI-23 radius-accounting-overflow Entry Some configurations of NIS+ in Linux allowed attackers to log in as the user "+". 19950907 Linux NIS security problem hole and fix linux-plus Entry Buffer overflow in nnrpd program in INN up to version 1.6 allows remote users to execute arbitrary commands. 19970721 INN news server vulnerabilities 1443 inn-bo Entry A race condition in the authentication agent mechanism of sshd 1.2.17 allows an attacker to steal another user's credentials. http://oliver.efri.hr/~crv/security/bugs/mUNIXes/ssh2.html http://www.uni-karlsruhe.de/~ig25/ssh-faq/ssh-faq-6.html#ss6.1 Entry Denial of service in talk program allows remote attackers to disrupt a user's display. talkd-flash Entry Buffer overflow in listserv allows arbitrary command execution. smtp-listserv Entry Buffer overflow in War FTP allows remote execution of commands. war-ftpd 875 Entry cfingerd lists all users on a system via search.**@target. 19970523 cfingerd vulnerability cfinger-user-enumeration Entry The jj CGI program allows command execution via shell metacharacters. 19961224 jj cgi http-cgi-jj Entry Hylafax faxsurvey CGI script on Linux allows remote attackers to execute arbitrary commands via shell metacharacters in the query string. 19980804 remote exploit in faxsurvey cgi-script 19980804 PATCH: faxsurvey 2056 http-cgi-faxsurvey(1532) Entry Solaris SUNWadmap can be exploited to obtain root access. 00173 sun-sunwadmap Entry htmlscript CGI program allows remote read access to files. http-htmlscript-file-access Jan27,1998 Entry ICMP redirect messages may crash or lock up a host. Q154174 ICMP Redirects Against Embedded Controllers icmp-redirect Entry The info2www CGI script allows remote file access or remote command execution. 19980303 Vulnerabilites in some versions of info2www CGI 1995 http-cgi-info2www Entry Buffer overflow in NCSA HTTP daemon v1.3 allows remote command execution. http-port CA-95.04.NCSA.http.daemon.for.unix.vulnerability Entry MetaInfo MetaWeb web server allows users to upload, execute, and read scripts. 19980630 Security vulnerabilities in MetaInfo products 19980703 Followup to MetaInfo vulnerabilities 110 3969 metaweb-server-dot-attack Entry Netscape Enterprise servers may list files through the PageServices query. netscape-server-pageservices Entry Directory traversal vulnerability in pfdispaly.cgi program (sometimes referred to as "pfdisplay") for SGI's Performer API Search Tool (performer_tools) allows remote attackers to read arbitrary files. 19980317 IRIX performer_tools bug 19980401-01-P I-041 64 134 sgi-pfdispaly(810) Entry Denial of service in Slmail v2.5 through the POP3 port. slmail-username-bo Entry Denial of service through Solaris 2.5.1 telnet by sending ^D characters. sun-telnet-kill Entry Denial of service in Windows NT DNS servers through malicious packet which contains a response to a query that wasn't made. NAI-5 nt-dns-dos Entry Denial of service in Windows NT DNS servers by flooding port 53 with too many characters. nt-dnscrash nt-dnsver Q169461 Entry mSQL v2.0.1 and below allows remote execution through a buffer overflow. msql-debug-bo sekure.01-99.msql Entry The WorkMan program can be used to overwrite any file to get root access. workman CA-96.23.workman_vul Entry In IIS, remote attackers can obtain source code for ASP files by appending "::$DATA" to the URL. MS98-003 iis-asp-data-check oval:org.mitre.oval:def:913 Entry Excite for Web Servers (EWS) allows remote command execution via shell metacharacters. 19971217 CGI security hole in EWS (Excite for Web Servers) 19980115 Excite announcement VB-98.01.excite excite-cgi-search-vuln Entry Remote command execution in Microsoft Internet Explorer using .lnk and .url files. 19970317 Internet Explorer Bug #4 H-38 http-ie-lnkurl Entry Denial of service in IIS using long URLs. http-iis-longurl Entry The WINS server in Microsoft Windows NT 4.0 before SP4 allows remote attackers to cause a denial of service (process termination) via invalid UDP frames to port 137 (NETBIOS Name Service), as demonstrated via a flood of random packets. 19970801 WINS flooding 19970801 WINS flooding 19970815 Re: WINS flooding http://safenetworks.com/Windows/wins.html 155701 nt-winsupd-fix(1233) Entry The Apache web server for Win32 may provide access to restricted files when a . (dot) is appended to a requested URL. Entry The WinGate telnet proxy allows remote attackers to cause a denial of service via a large number of connections to localhost. 19980221 WinGate DoS 19980326 WinGate Intermediary Fix/Update wingate-dos Entry The WinGate proxy is installed without a password, which allows remote attackers to redirect connections without authentication. wingate-unpassworded Entry Denial of service through Winpopup using large user names. nt-winpopup Entry AAA authentication on Cisco systems allows attackers to execute commands without authorization. http://www.cisco.com/warp/public/770/aaapair-pub.shtml cisco-ios-aaa-auth Entry All records in a WINS database can be deleted through SNMP for a denial of service. nt-wins-snmp2 Entry Solaris sysdef command allows local users to read kernel memory, potentially leading to root privileges. sun-sysdef 00157 Entry Solaris volrmmount program allows attackers to read any file. 00162 sun-volrmmount Entry Buffer overflow in Vixie Cron library up to version 3.0 allows local users to obtain root access via a long environmental variable. NAI-3 AA-96.21 H-17 vixie-cron Entry Buffer overflow in FreeBSD lpd through long DNS hostnames. NAI-9 6093 Entry nis_cachemgr for Solaris NIS+ allows attackers to add malicious NIS+ servers. 00155 sun-niscache Entry Buffer overflow in SunOS/Solaris ps command. 00149 AUSCERT-97.17 sun-ps2bo Entry SunOS/Solaris FTP clients can be forced to execute arbitrary commands from a malicious FTP server. 00176 sun-ftp-server Entry Buffer overflow in BNU UUCP daemon (uucpd) through long hostnames. bnu-uucpd-bo RSI.0002.05-18-98.BNU.UUCPD Entry mmap function in BSD allows local attackers in the kmem group to modify memory through devices. bsd-mmap FreeBSD-SA-98:02 Entry The system configuration control (sysctl) facility in BSD based operating systems OpenBSD 2.2 and earlier, and FreeBSD 2.2.5 and earlier, does not properly restrict source routed packets even when the (1) dosourceroute or (2) forwarding variables are set, which allows remote attackers to spoof TCP connections. Feb15,1998 "IP Source Routing Problem" http://www.openbsd.org/advisories/sourceroute.txt 11502 bsd-sourceroute(736) Entry HP-UX gwind program allows users to modify arbitrary files. HPSBUX9410-018 hpux-gwind-overwrite H-03: HP-UX suid Vulnerabilities Entry HP-UX vgdisplay program gives root access to local users. HPSBUX9702-056 hpux-vgdisplay H-27: HP-UX vgdisplay Buffer Overrun Vulnerability Entry SSH 1.2.25 on HP-UX allows access to new user accounts. ssh-1225 Entry fpkg2swpk in HP-UX allows local users to gain root access. hpux-fpkg2swpk HPSBUX9612-042 Entry HP ypbind allows attackers with root privileges to modify NIS data. nis-ypbind CA-93:01.REVISED.HP.NIS.ypbind.vulnerability Entry disk_bandwidth on SGI IRIX 6.4 S2MP for Origin/Onyx2 allows local users to gain root access using relative pathnames. http://www.securityfocus.com/bid/213/exploit 19980701-01-P 214 936 sgi-disk-bandwidth(1441) Entry ioconfig on SGI IRIX 6.4 S2MP for Origin/Onyx2 allows local users to gain root access using relative pathnames. http://www.securityfocus.com/bid/213/exploit 19980701-01-P 213 6788 sgi-ioconfig(1199) Entry Buffer overflow in Solaris fdformat command gives root access to local users. fdformat-bo 00138 Entry Buffer overflow in Linux splitvt command gives root access to local users. linux-splitvt G-08 Entry Buffer overflow in xmcd 2.0p12 allows local users to gain access through an environmental variable. 19961125 Security Problems in XMCD 19961125 XMCD v2.1 released (was: Security Problems in XMCD) xmcd-envbo Entry SunOS rpc.cmsd allows attackers to obtain root access by overwriting arbitrary files. 00166 sun-rpc.cmsd Entry Buffer overflow in Solaris kcms_configure command allows local users to gain root access. sun-kcms-configure-bo Entry The open() function in FreeBSD allows local attackers to write to arbitrary files. FreeBSD-SA-97:05 freebsd-open 6092 Entry FreeBSD mmap function allows users to modify append-only or immutable files. FreeBSD-SA-98:04 1998-003 bsd-mmap Entry ppl program in HP-UX allows local users to create root files through symlinks. HPSBUX9702-053 H-31 hp-ppllog Entry vhe_u_mnt program in HP-UX allows local users to create root files through symlinks. hp-vhe HPSBUX9406-013 Entry Vulnerability in HP-UX mediainit program. HPSBUX9710-071 hp-mediainit Entry SGI syserr program allows local users to corrupt files. 19971103-01-PX sgi-syserr Entry SGI permissions program allows local users to gain root privileges. 19971103-01-PX sgi-permtool Entry SGI mediad program allows local users to gain root access. 19980602-01-PX sgi-mediad Entry Buffer overflow in NetMeeting allows denial of service and remote command execution. nt-netmeeting Q184346 Entry In Solaris 2.2 and 2.3, when fsck fails on startup, it allows a local user with physical access to obtain root access. sol-startup CA-93.19.Solaris.Startup.vulnerability Entry DEPRECATED. This entry has been deprecated. It is a duplicate of CVE-1999-0032. Entry AIX batch queue (bsh) allows local and remote users to gain additional privileges when network printing is enabled. CA-94.10.IBM.AIX.bsh.vulnerability.html ibm-bsh Entry AIX Licensed Program Product performance tools allow local users to gain root access. ibm-perf-tools CA-94.03.AIX.performance.tools Entry Buffer overflow in the libauth library in Solaris allows local users to gain additional privileges, possibly root access. sol-sun-libauth RSI.0007.05-26-98 Entry Buffer overflow in Linux Slackware crond program allows local users to gain root access. 005 linux-crond Entry Buffer overflow in the Linux mail program "deliver" allows local users to gain root access. 006 linux-deliver Entry Linux PAM modules allow local users to gain root access using temporary files. http://www.redhat.com/corp/support/errata/rh42-errata-general.html#pam linux-pam-passwd-tmprace Entry A malicious Palace server can force a client to execute arbitrary programs. 19981002 Announcements from The Palace (fwd) palace-malicious-servers-vuln Entry NT users can gain debug-level access on a system process using the Sechole exploit. MS98-009 Q190288 nt-priv-fix Entry CGI PHP mlog script allows an attacker to read any file on the target server. 19971019 Vulnerability in PHP Example Logging Scripts 713 http-cgi-php-mlog 3397 Entry IIS ASP caching problem releases sensitive information when two virtual servers share the same physical directory. Jan27,1999 Q197003 930 Entry A buffer overflow in the FTP list (ls) command in IIS allows remote attackers to conduct a denial of service and, in some cases, execute arbitrary commands. IIS Remote FTP Exploit/DoS Attack MS99-003 Q188348 Jan27,1999 iis-remote-ftp Entry Race condition in the db_loader program in ClearCase gives local users root access by setting SUID bits. Feb8,1999 clearcase-temp-race Entry FTP PASV "Pizza Thief" denial of service and unauthorized data access. Attackers can steal data by connecting to a port that was intended for use by a client. 01 http://attrition.org/security/advisory/misc/infowar/iw_sec_01.txt pasv-pizza-thief-dos(3389) Entry rpc.pcnfsd in HP gives remote root access by changing the permissions on the main printer spool directory. HPSBUX9902-091 J-026 pcnfsd-world-write Entry Local or remote users can force ControlIT 4.5 to reboot or force a user to log out, resulting in a denial of service. Multiple vulnerabilities in ControlIT(tm) (formerly Remotely Possible/32) enterprise management software controlit-reboot Entry Windows 98 and other operating systems allows remote attackers to cause a denial of service via crafted "oshare" packets, possibly involving invalid fragmentation offsets. 19990125 Win98 crash? win98-oshare-dos Entry Digital Unix 4.0 has a buffer overflow in the inc program of the mh package. 19990125 Digital Unix 4.0 exploitable buffer overflows SSRT0583U du-inc J-027 Entry WS_FTP server remote denial of service through cwd command. AD02021999 wsftp-remote-dos 217 Entry SuSE 5.2 PLP lpc program has a buffer overflow that leads to root compromise. Feb02,1999 plp-lpc-bo 328 Entry The metamail package allows remote command execution using shell metacharacters that are not quoted in a mailcap entry. Feb04,1999 metamail-header-commands Entry In some cases, Service Pack 4 for Windows NT 4.0 can allow access to network shares using a blank password, through a problem with a null NT hash value. MS99-004 Q214840 nt-sp4-auth-error Entry NetBSD netstat command allows local users to access kernel memory. 1999-002 7571 Entry Buffer overflows in wuarchive ftpd (wu-ftpd) and ProFTPD lead to remote root access, a.k.a. palmetto. palmetto.ftpd CA-99.03 palmetto-ftpd-bo Entry The Sun sdtcm_convert calendar utility for OpenWindows has a buffer overflow which can gain root access. 00183 sun-sdtcm-convert-bo Entry Lynx allows a local user to overwrite sensitive files through /tmp symlinks. 19990211 Lynx /tmp problem VB-97.05.lynx lynx-temp-files-race Entry The installer for BackOffice Server includes account names and passwords in a setup file (reboot.ini) which is not deleted. MS99-005 nt-backoffice-setup Q217004 Entry Buffer overflow in the "Super" utility in Debian GNU/Linux, and other operating systems, allows local users to execute commands as root. Buffer Overflow in "Super" package in Debian Linux linux-super-bo linux-super-logging-bo Entry Debian GNU/Linux cfengine package is susceptible to a symlink attack. 19990215 Feb16,1999 linux-cfengine-symlinks Entry Buffer overflow in webd in Network Flight Recorder (NFR) 2.0.2-Research allows remote attackers to execute commands. February 16, 1999 Feb16,1999 nfr-webd-overflow Entry Local users in Windows NT can obtain administrator privileges by changing the KnownDLLs list to reference malicious programs. MS99-006 Feb20,1999 Feb18,1999 nt-knowndlls-list Entry Process table attack in Unix systems allows a remote attacker to perform a denial of service by filling a machine's process tables through multiple connections to network services. Feb22,1999 Entry InterScan VirusWall for Solaris doesn't scan files for viruses when a single HTTP request includes two GET commands. 19990222 BlackHats Advisory -- InterScan VirusWall 19990225 Patch for InterScan VirusWall for Unix now available viruswall-http-request 6167 Entry Microsoft Taskpads allows remote web sites to execute commands on the visiting user's machine via certain methods that are marked as Safe for Scripting. MS99-007 19990223 Microsoft Security Bulletin (MS99-007) 498 1019 win-resourcekit-taskpads Entry SLMail 3.1 and 3.2 allows local users to access any file in the NTFS file system when the Remote Administration Service (RAS) is enabled by setting a user's Finger File to point to the target file, then running finger on the user. 199902225 ALERT: SLMail 3.2 (and 3.1) with the Remote Administration Service 19990225 ALERT: SLMail 3.2 (and 3.1) with the Remote Administration Service SLmail 3.2 Build 3113 (Web Administration Security Fix) 497 slmail-ras-ntfs-bypass(5392) Entry The screen saver in Windows NT does not verify that its security context has been changed properly, allowing attackers to run programs with elevated privileges. MS99-008 nt-screen-saver Entry ACC Tigris allows public access without a login. 19990103 Tigris vulnerability 183 267 acc-tigris-login Entry The Forms 2.0 ActiveX control (included with Visual Basic for Applications 5.0) can be used to read text from a user's clipboard when the user accesses documents with ActiveX content. forms-vuln-patch MS99-001 Entry The LDAP bind function in Exchange 5.5 has a buffer overflow that allows a remote attacker to conduct a denial of service or execute commands. MS99-009 LDAP Buffer overflow against Microsoft Directory Services ldap-exchange-overflow ldap-mds-dos Entry Microsoft Personal Web Server and FrontPage Personal Web Server in some Windows systems allows a remote attacker to read files on the server by using a nonstandard URL. MS99-010 pws-file-access 111 Entry A legacy credential caching mechanism used in Windows 95 and Windows 98 systems allows attackers to read plaintext network passwords. MS99-052 Q168115 829 9x-plaintext-pwd Entry DataLynx suGuard trusts the PATH environment variable to execute the ps command, allowing local users to execute commands as root. datalynx-suguard-relative-paths Jan3,1999 3186 Entry Buffer overflow in Dosemu Slang library in Linux. 19990104 Dosemu/S-Lang Overflow + sploit CSSA-1999-006.1 187 Entry The cryptographic challenge of SMB authentication in Windows 95 and Windows 98 can be reused, allowing an attacker to replay the response and impersonate a user. Jan. 5, 1999 Entry Buffer overflow in Thomas Boutell's cgic library version up to 1.05. Jan10,1999 http-cgic-library-bo Entry Remote attackers can cause a denial of service in Sendmail 8.8.x and 8.9.2 by sending messages with a large number of headers. 19981212 ** Sendmail 8.9.2 DoS - exploit ** get what you want! 19990121 Sendmail 8.8.x/8.9.x bugware sendmail-parsing-redirection Entry A race condition in the BackWeb Polite Agent Protocol allows an attacker to spoof a BackWeb server. 19990118 Vulnerability in the BackWeb Polite Agent Protocol backweb-polite-agent-protocol Entry A race condition between the select() and accept() calls in NetBSD TCP servers allows remote attackers to cause a denial of service. 1999-001 Feb17,1999 netbsd-tcp-race Entry wget 1.5.3 follows symlinks to change permissions of the target file instead of the symlink itself. Feb2,1999 wget-permissions 19990220 Entry A bug in Cyrix CPUs on Linux allows local users to perform a denial of service. 19990204 Cyrix bug: freeze in hell, badboy cyrix-hang Entry Buffer overflow in the Mail-Max SMTP server for Windows systems allows remote command execution. Feb14,1999 mailmax-bo Entry A buffer overflow in lsof allows local users to obtain root privilege. 002 Feb18,1999 19990220a lsof-bo 3163 Entry By default, IIS 4.0 has a virtual directory /IISADMPWD which contains files that can be used as proxies for brute force password attacks, or to identify valid users on the system. 19990209 ALERT: IIS4 allows proxied password attacks over NetBIOS 19990209 Re: IIS4 allows proxied password attacks over NetBIOS iis-iisadmpwd Entry Files created from interactive shell sessions in Cobalt RaQ microservers (e.g. .bash_history) are world readable, and thus are accessible from the web server. 19990225 Cobalt root exploit cobalt-raq-history-exposure 337 Entry Buffer overflow in gnuplot in Linux version 3.5 allows local users to obtain root access. 19990304 Linux /usr/bin/gnuplot overflow gnuplot-home-overflow 319 Entry The cancel command in Solaris 2.6 (i386) has a buffer overflow that allows local users to obtain root access. Mar5,1999 sol-cancel 293 Entry In IIS and other web servers, an attacker can attack commands as SYSTEM if the server is running as SYSTEM and loading an ISAPI extension. Feb19,1999 iis-isapi-execute 501 Entry A buffer overflow in the SGI X server allows local users to gain root access through the X server font path. 19990301-01-PX irix-font-path-overflow Entry In Linux before version 2.0.36, remote attackers can spoof a TCP connection and pass data to the application layer before fully establishing the connection. Linux Blind TCP Spoofing linux-blind-spoof Entry The HTTP server in Cisco 7xx series routers 3.2 through 4.2 is enabled by default, which allows remote attackers to change the router's configuration. 19990311 Remote Reconfiguration and Denial of Service Vulnerabilities in Cisco 700 ISDN Routers 19990311 Cisco 7xx TCP and HTTP Vulnerabilities J-034 cisco-router-commands cisco-web-config Entry Vulnerability in Cisco 7xx series routers allows a remote attacker to cause a system reload via a TCP connection to the router's TELNET port. 19990311 Remote Reconfiguration and Denial of Service Vulnerabilities in Cisco 700 ISDN Routers 19990311 Cisco 7xx TCP and HTTP Vulnerabilities J-034 cisco-web-crash Entry 64 bit Solaris 7 procfs allows local users to perform a denial of service. Mar9,1999 solaris-psinfo-crash 448 1001 Entry umapfs allows local users to gain root privileges by changing their uid through a malicious mount_umap program. 1999-006 Entry During a reboot after an installation of Linux Slackware 3.6, a remote attacker can obtain root access by logging in to the root account without a password. Short-Term High-Risk Vulnerability During Slackware 3.6 Network Installations linux-slackware-install 338 981 Entry In some cases, NetBSD 1.3.3 mount allows local users to execute programs in some file systems that have the "noexec" flag set. 1999-007 Entry Vulnerability in hpterm on HP-UX 10.20 allows local users to gain additional privileges. HPSBUX9903-093 hp-hpterm-files Entry talkback in Netscape 4.5 allows a local user to overwrite arbitrary files of another user whose Netscape crashes. Mar18,1999 netscape-talkback-overwrite Entry talkback in Netscape 4.5 allows a local user to kill an arbitrary process of another user whose Netscape crashes. Mar18,1999 netscape-talkback-kill Entry OpenSSL and SSLeay allow remote attackers to reuse SSL sessions and bypass access controls. 19990322 OpenSSL/SSLeay Security Alert ssl-session-reuse 3936 Entry The Lotus Notes 4.5 client may send a copy of encrypted mail in the clear across the network if the user does not set the "Encrypt Saved Mail" preference. 19990323 19990324 Re: LNotes encryption 19990326 Lotus Notes Encryption Bug 19990326 Re: Lotus Notes security advisory lotus-client-encryption Entry Cisco Catalyst LAN switches running Catalyst 5000 supervisor software allows remote attackers to perform a denial of service by forcing the supervisor module to reload. Remote Denial of Service Vulnerability in Cisco Catalyst Series Ethernet Switches Cisco Catalyst Supervisor Remote Reload cisco-catalyst-crash 1103 Entry ftp on HP-UX 11.00 allows local users to gain privileges. HPSBUX9903-094 hp-ftp Entry XFree86 startx command is vulnerable to a symlink attack, allowing local users to create files in restricted directories, possibly allowing them to gain privileges or cause a denial of service. Mar28,1999 19990321 X11R6 NetBSD Security Problem xfree86-temp-directories Entry Domain Enterprise Server Management System (DESMS) in HP-UX allows local users to gain privileges. HPSBUX9903-095 hp-desms-servers Entry Remote attackers can perform a denial of service in WebRamp systems by sending a malicious string to the HTTP port. WebRamp Denial of Service Attacks webramp-device-crash Entry Remote attackers can perform a denial of service in WebRamp systems by sending a malicious UDP packet to port 5353, changing its IP address. WebRamp Denial of Service Attacks webramp-ipchange Entry Buffer overflow in procmail before version 3.12 allows remote or local attackers to execute commands via expansions in the procmailrc configuration file. 19990405 Re: [SECURITY] new version of procmail with security fixes 19990422 CSSA-1999:007 procmail-overflow Entry The byte code verifier component of the Java Virtual Machine (JVM) allows remote execution through malicious web pages. 19990405 Security Hole in Java 2 (and JDK 1.1.x) http://java.sun.com/pr/1999/03/pr990329-01.html 1939 java-unverified-code Entry Remote attackers can perform a denial of service in WinGate machines using a buffer overflow in the Winsock Redirector Service. AD02221999 wingate-redirector-dos 509 Entry Solaris ff.core allows local users to modify files. 19990107 really silly ff.core exploit for Solaris 19990108 ff.core exploit on Solaris (2.)7 19990408 Solaris7 and ff.core 327 Entry In Cisco routers under some versions of IOS 12.0 running NAT, some packets may not be filtered by input access list filters. Cisco IOS(R) Software Input Access List Leakage with NAT cisco-natacl-leakage 1104 Entry Local users can perform a denial of service in NetBSD 1.3.3 and earlier versions by creating an unusual symbolic link with the ln command, triggering a bug in VFS. 1999-008 netbsd-vfslocking-panic 7051 Entry Local users can gain privileges using the debug utility in the MPE/iX operating system. HPSBMP9904-006 mpeix-debug Entry IIS 4.0 and Apache log HTTP request methods, regardless of how long they are, allowing a remote attacker to hide the URL they really request. 19990121 IIS 4 Request Logging Security Advisory iis-http-request-logging Entry The ExAir sample site in IIS 4 allows remote attackers to cause a denial of service (CPU consumption) via a direct request to the (1) advsearch.asp, (2) query.asp, or (3) search.asp scripts. 19990126 IIS 4 Advisory - ExAir sample site DoS 19990126 IIS 4 Advisory - ExAir sample site DoS 19990125 Re: [NTSEC] IIS 4 Advisory - ExAir sample site DoS 193 2 3 4 iis-exair-dos Entry Linux ftpwatch program allows local users to gain root privileges. Jan17,1999 19990117 ftpwatch-vuln 317