[PROPOSAL] Cluster RECENT-19 - 33 candidates
The next 3 RECENT-XX clusters identify a total of 92 candidates - it's been very busy these last few months.

The following cluster contains 33 candidates that were announced between 4/24/2000 and 5/10/2000.

The candidates are listed in order of priority. Priority 1 and Priority 2 candidates both deal with varying levels of vendor confirmation, so they should be easy to review and it can be trusted that the problems are real.

If you discover that any RECENT-XX cluster is incomplete with respect to the problems discovered during the associated time frame, please send that information to me so that candidates can be assigned.

- Steve

Summary of votes to use (in ascending order of "severity")
----------------------------------------------------------

ACCEPT - voter accepts the candidate as proposed
NOOP - voter has no opinion on the candidate
MODIFY - voter wants to change some MINOR detail (e.g. reference/description)
REVIEWING - voter is reviewing/researching the candidate, or needs more info
RECAST - candidate must be significantly modified, e.g. split or merged
REJECT - candidate is "not a vulnerability", or a duplicate, etc.

1) Please write your vote on the line that starts with "VOTE: ". If you want to add comments or details, add them to lines after the VOTE: line.

2) If you see any missing references, please mention them so that they can be included. References help greatly during mapping.

3) Note that a "MODIFY" is treated as an "ACCEPT" when counting votes. So if you don't have sufficient information for a candidate but you don't want to NOOP, use a REVIEWING.

********** NOTE ********** NOTE ********** NOTE ********** NOTE **********

Please keep in mind that your vote and comments will be recorded and publicly viewable in the mailing list archives or in other formats.

=================================
Candidate: CAN-2000-0249
Published:
Final-Decision:
Interim-Decision:
Modified:
Proposed: 20000615
Assigned: 20000425
Category: SF
Reference: ISS:20000426 Insecure file handling in IBM AIX frcactrl program
Reference: URL:http://xforce.iss.net/alerts/advise47.php3

The AIX Fast Response Cache Accelerator (FRCA) allows local users to modify arbitrary files via the configuration capability in the frcactrl program.
ED_PRI CAN-2000-0249 1
VOTE:

=================================
Candidate: CAN-2000-0380
Published:
Final-Decision:
Interim-Decision:
Modified:
Proposed: 20000615
Assigned: 20000614
Category: SF
Reference: BUGTRAQ:20000426 Cisco HTTP possible bug:
Reference: URL:http://archives.neohapsis.com/archives/bugtraq/2000-04/0261.html
Reference: CISCO:20000514 Cisco IOS HTTP Server Vulnerability
Reference: URL:http://www.cisco.com/warp/public/707/ioshttpserver-pub.shtml
Reference: XF:cisco-ios-http-dos

The IOS HTTP service in Cisco routers and switches running IOS 11.1 through 12.1 allows remote attackers to cause a denial of service by requesting a URL that contains a %% string.
ED_PRI CAN-2000-0380 1
VOTE:

=================================
Candidate: CAN-2000-0382
Published:
Final-Decision:
Interim-Decision:
Modified:
Proposed: 20000615
Assigned: 20000614
Category: SF
Reference: ALLAIRE:ASB00-12
Reference: URL:http://www.allaire.com/handlers/index.cfm?ID=15697&Method=Full
Reference: BID:1179
Reference: URL:http://www.securityfocus.com/bid/1179
Reference: XF:allaire-clustercats-url-redirect

ColdFusion ClusterCATS appends stale query string arguments to a URL during HTML redirection, which may provide sensitive information to the redirected site.
ED_PRI CAN-2000-0382 1
VOTE:

=================================
Candidate: CAN-2000-0387
Published:
Final-Decision:
Interim-Decision:
Modified:
Proposed: 20000615
Assigned: 20000614
Category: SF
Reference: FREEBSD:FreeBSD-SA-00:16
Reference: URL:ftp://ftp.freebsd.org/pub/FreeBSD/CERT/advisories/FreeBSD-SA-00:16.golddig.asc
Reference: BID:1184
Reference: URL:http://www.securityfocus.com/bid/1184

The makelev program in the golddig game from the FreeBSD ports collection allows local users to overwrite arbitrary files.
ED_PRI CAN-2000-0387 1
VOTE:

=================================
Candidate: CAN-2000-0388
Published:
Final-Decision:
Interim-Decision:
Modified:
Proposed: 20000615
Assigned: 20000614
Category: SF
Reference: FREEBSD:FreeBSD-SA-00:17
Reference: URL:ftp://ftp.freebsd.org/pub/FreeBSD/CERT/advisories/FreeBSD-SA-00%3A17.libmytinfo.asc
Reference: BID:1185
Reference: URL:http://www.securityfocus.com/bid/1185
Reference: XF:libmytinfo-bo

Buffer overflow in FreeBSD libmytinfo library allows local users to execute commands via a long TERMCAP environmental variable.
ED_PRI CAN-2000-0388 1
VOTE:

=================================
Candidate: CAN-2000-0414
Published:
Final-Decision:
Interim-Decision:
Modified:
Proposed: 20000615
Assigned: 20000614
Category: SF
Reference: HP:HPSBUX0005-113
Reference: URL:http://archives.neohapsis.com/archives/bugtraq/2000-05/0047.html
Reference: XF:hp-shutdown-privileges
Reference: BID:1214
Reference: URL:http://www.securityfocus.com/bid/1214

Vulnerability in shutdown command in HP-UX 11.X and 10.X allows local users to gain privileges via malformed input variables.
ED_PRI CAN-2000-0414 1
VOTE:

=================================
Candidate: CAN-2000-0433
Published:
Final-Decision:
Interim-Decision:
Modified:
Proposed: 20000615
Assigned: 20000614
Category: SF
Reference: SUSE:20000502 aaabase < 2000.5.2
Reference: URL:http://www.suse.de/de/support/security/suse_security_announce_47.txt
Reference: XF:aaabase-execute-dot-files

The SuSE aaa_base package installs some system accounts with home directories set to /tmp, which allows local users to gain privileges to those accounts by creating standard user startup scripts such as profiles.
ED_PRI CAN-2000-0433 1
VOTE:

=================================
Candidate: CAN-2000-0439
Published:
Final-Decision:
Interim-Decision:
Modified:
Proposed: 20000615
Assigned: 20000614
Category: SF
Reference: BUGTRAQ:20000510 IE Domain Confusion Vulnerability
Reference: URL:http://www.securityfocus.com/templates/archive.pike?list=1&msg=20000511135609.D7774@securityfocus.com
Reference: BUGTRAQ:20000511 IE Domain Confusion Vulnerability is an Email problem also
Reference: URL:http://www.securityfocus.com/templates/archive.pike?list=1&msg=NDBBKGHPMKBKDDGLDEEHAEHMDIAA.rms2000@bellatlantic.net
Reference: MS:MS00-033
Reference: URL:http://www.microsoft.com/technet/security/bulletin/ms00-033.asp
Reference: BID:1194
Reference: URL:http://www.securityfocus.com/bid/1194
Reference: XF:ie-cookie-disclosure

Internet Explorer 4.0 and 5.0 allows a malicious web site to obtain client cookies from another domain by including that domain name and escaped characters in a URL, aka the "Unauthorized Cookie Access" vulnerability.
ED_PRI CAN-2000-0439 1
VOTE:

=================================
Candidate: CAN-2000-0440
Published:
Final-Decision:
Interim-Decision:
Modified:
Proposed: 20000615
Assigned: 20000614
Category: SF
Reference: NETBSD:NetBSD-SA2000-002
Reference: URL:ftp://ftp.netbsd.org/pub/NetBSD/misc/security/advisories/NetBSD-SA2000-002.txt.asc
Reference: BUGTRAQ:20000506 [NHC20000504a.0: NetBSD Panics when sent unaligned IP options]
Reference: URL:http://archives.neohapsis.com/archives/bugtraq/2000-05/0088.html
Reference: BID:1173
Reference: URL:http://www.securityfocus.com/bid/1173

NetBSD 1.4.2 and earlier allows remote attackers to cause a denial of service by sending a packet with an unaligned IP timestamp option.
ED_PRI CAN-2000-0440 1
VOTE:

=================================
Candidate: CAN-2000-0457
Published:
Final-Decision:
Interim-Decision:
Modified:
Proposed: 20000615
Assigned: 20000614
Category: SF
Reference: BUGTRAQ:20000511 Alert: IIS ism.dll exposes file contents
Reference: URL:http://marc.theaimsgroup.com/?l=bugtraq&m=95810120719608&w=2
Reference: MS:MS00-031
Reference: URL:http://www.microsoft.com/technet/security/bulletin/ms00-031.asp
Reference: BID:1193
Reference: URL:http://www.securityfocus.com/bid/1193

ISM.DLL in IIS 4.0 and 5.0 allows remote attackers to read file contents by requesting the file and appending a large number of encoded spaces (%20) and terminated with a .htr extension, aka the ".HTR File Fragment Reading" or "File Fragment Reading via .HTR" vulnerability.
ED_PRI CAN-2000-0457 1
VOTE:

=================================
Candidate: CAN-2000-0379
Published:
Final-Decision:
Interim-Decision:
Modified:
Proposed: 20000615
Assigned: 20000614
Category: SF
Reference: BUGTRAQ:20000507 Advisory: Netopia R9100 router vulnerability
Reference: http://www.securityfocus.com/templates/archive.pike?list=1&msg=200005082054.NAA32590@linux.mtndew.com
Reference: CONFIRM:http://www.netopia.com/equipment/purchase/fmw_update.html
Reference: BID:1177
Reference: URL:http://www.securityfocus.com/bid/1177
Reference: XF:netopia-snmp-comm-strings

The Netopia R9100 router does not prevent authenticated users from modifying SNMP tables, even if the administrator has configured it to do so.
ED_PRI CAN-2000-0379 2
VOTE:

=================================
Candidate: CAN-2000-0427
Published:
Final-Decision:
Interim-Decision:
Modified:
Proposed: 20000615
Assigned: 20000614
Category: unknown
Reference: L0PHT:20000504 eToken Private Information Extraction and Physical Attack
Reference: URL:http://www.l0pht.com/advisories/etoken-piepa.txt
Reference: XF:aladdin-etoken-pin-reset
Reference: BID:1170
Reference: URL:http://www.securityfocus.com/bid/1170

The Aladdin Knowledge Systems eToken device allows attackers with physical access to the device to obtain sensitive information without knowing the PIN of the owner by resetting the PIN in the EEPROM.
ED_PRI CAN-2000-0427 2
VOTE:

=================================
Candidate: CAN-2000-0428
Published:
Final-Decision:
Interim-Decision:
Modified:
Proposed: 20000615
Assigned: 20000614
Category: SF
Reference: NAI:20000503 Trend Micro InterScan VirusWall Remote Overflow
Reference: URL:http://www.nai.com/nai_labs/asp_set/advisory/39_Trend.asp
Reference: BID:1168
Reference: URL:http://www.securityfocus.com/bid/1168
Reference: XF:interscan-viruswall-bo

Buffer overflow in the SMTP gateway for InterScan Virus Wall 3.32 and earlier allows a remote attacker to execute arbitrary commands via a long filename for a uuencoded attachment.
ED_PRI CAN-2000-0428 2
VOTE:

=================================
Candidate: CAN-2000-0378
Published:
Final-Decision:
Interim-Decision:
Modified:
Proposed: 20000615
Assigned: 20000614
Category: SF
Reference: BUGTRAQ:20000502 pam_console bug
Reference: URL:http://archives.neohapsis.com/archives/bugtraq/2000-05/0023.html
Reference: BID:1176
Reference: URL:http://www.securityfocus.com/bid/1176

The pam_console PAM module in Linux systems performs a chown on various devices upon a user login, but the ownership of some devices is not reset when the user logs out, which allows that user to sniff activity on these devices when subsequent users log in.
ED_PRI CAN-2000-0378 3
VOTE:

=================================
Candidate: CAN-2000-0381
Published:
Final-Decision:
Interim-Decision:
Modified:
Proposed: 20000615
Assigned: 20000614
Category: SF
Reference: BUGTRAQ:20000505 Black Watch Labs Vulnerability Alert
Reference: URL:http://archives.neohapsis.com/archives/bugtraq/2000-05/0067.html
Reference: MISC:http://www.perfectotech.com/blackwatchlabs/vul5_05.html
Reference: XF:http-cgi-dbman-db
Reference: BID:1178
Reference: URL:http://www.securityfocus.com/bid/1178

The Gossamer Threads DBMan db.cgi CGI script allows remote attackers to view environmental variables and setup information by referencing a non-existing database in the db parameter.
ED_PRI CAN-2000-0381 3
VOTE:

=================================
Candidate: CAN-2000-0383
Published:
Final-Decision:
Interim-Decision:
Modified:
Proposed: 20000615
Assigned: 20000614
Category: SF
Reference: XF:aolim-file-path
Reference: BugTraq Mailing List: "AOL Instant Messenger" at:
Reference: http://www.securityfocus.com/templates/archive.pike?list=1&msg=002401bfb918$7310d5a0$1ef084ce@karemor.com
Reference: BID:1180
Reference: URL:http://www.securityfocus.com/bid/1180

The file transfer component of AOL Instant Messenger (AIM) reveals the physical path of the transferred file to the remote recipient.
ED_PRI CAN-2000-0383 3
VOTE:

=================================
Candidate: CAN-2000-0384
Published:
Final-Decision:
Interim-Decision:
Modified:
Proposed: 20000615
Assigned: 20000614
Category: CF
Reference: L0PHT:20000508 NetStructure 7180 remote backdoor vulnerability
Reference: URL:http://www.lopht.com/advisories/ipivot7110.html
Reference: L0PHT:20000508 NetStructure 7110 console backdoor
Reference: URL:http://www.l0pht.com/advisories/ipivot7180.html
Reference: CONFIRM:http://216.188.41.136/
Reference: XF:netstructure-root-compromise
Reference: XF:netstructure-wizard-mode
Reference: BID:1182
Reference: URL:http://www.securityfocus.com/bid/1182
Reference: BID:1183
Reference: URL:http://www.securityfocus.com/bid/1183

NetStructure 7110 and 7180 have undocumented accounts (servnow, root, and wizard) whose passwords are easily guessable from the NetStructure's MAC address, which could allow remote attackers to gain root access.
ED_PRI CAN-2000-0384 3
VOTE:

=================================
Candidate: CAN-2000-0385
Published:
Final-Decision:
Interim-Decision:
Modified:
Proposed: 20000615
Assigned: 20000614
Category: SF
Reference: MISC:http://www.blueworld.com/blueworld/news/05.01.00-FM5_Security.html
Reference: CONFIRM:http://www.filemaker.com/support/webcompanion.html
Reference: XF:macos-filemaker-xml
Reference: XF:macos-filemaker-email

FileMaker Pro 5 Web Companion allows remote attackers to bypass Field-Level database security restrictions via the XML publishing or email capabilities.
ED_PRI CAN-2000-0385 3
VOTE:

=================================
Candidate: CAN-2000-0386
Published:
Final-Decision:
Interim-Decision:
Modified:
Proposed: 20000615
Assigned: 20000614
Category: SF
Reference: MISC:http://www.blueworld.com/blueworld/news/05.01.00-FM5_Security.html
Reference: CONFIRM:http://www.filemaker.com/support/webcompanion.html
Reference: XF:macos-filemaker-anonymous-email

FileMaker Pro 5 Web Companion allows remote attackers to send anonymous or forged email.
ED_PRI CAN-2000-0386 3
VOTE:

=================================
Candidate: CAN-2000-0409
Published:
Final-Decision:
Interim-Decision:
Modified:
Proposed: 20000615
Assigned: 20000614
Category: SF
Reference: BUGTRAQ:20000510 Possible symlink problems with Netscape 4.73
Reference: URL:http://archives.neohapsis.com/archives/bugtraq/2000-05/0126.html
Reference: BID:1201
Reference: URL:http://www.securityfocus.com/bid/1201
Reference: XF:netscape-import-certificate-symlink

Netscape 4.73 and earlier follows symlinks when it imports a new certificate, which allows local users to overwrite files of the user importing the certificate.
ED_PRI CAN-2000-0409 3
VOTE:

=================================
Candidate: CAN-2000-0410
Published:
Final-Decision:
Interim-Decision:
Modified:
Proposed: 20000615
Assigned: 20000614
Category: SF
Reference: NTBUGTRAQ:20000510 Cold Fusion Server 4.5.1 DoS Vulnerability.
Reference: URL:http://www.ntbugtraq.com/default.asp?pid=36&sid=1&A2=ind0005&L=ntbugtraq&F=&S=&P=4843
Reference: XF:coldfusion-cfcache-dos
Reference: BID:1192
Reference: URL:http://www.securityfocus.com/bid/1192

Cold Fusion Server 4.5.1 allows remote attackers to cause a denial of service by making repeated requests to a CFCACHE tagged cache file that is not stored in memory.
ED_PRI CAN-2000-0410 3
VOTE:

=================================
Candidate: CAN-2000-0411
Published:
Final-Decision:
Interim-Decision:
Modified:
Proposed: 20000615
Assigned: 20000614
Category: SF
Reference: BUGTRAQ:20000510 Black Watch Labs Vulnerability Alert
Reference: URL:http://archives.neohapsis.com/archives/bugtraq/2000-05/0125.html
Reference: MISC:http://www.perfectotech.com/blackwatchlabs/vul5_10.html
Reference: XF:http-cgi-formmail-environment
Reference: BID:1187
Reference: URL:http://www.securityfocus.com/bid/1187

Matt Wright's FormMail CGI script allows remote attackers to obtain environmental variables via the env_report parameter.
ED_PRI CAN-2000-0411 3
VOTE:

=================================
Candidate: CAN-2000-0412
Published:
Final-Decision:
Interim-Decision:
Modified:
Proposed: 20000615
Assigned: 20000614
Category: SF
Reference: BUGTRAQ:20000510 KNapster Vulnerability Compromises User-readable Files
Reference: URL:http://archives.neohapsis.com/archives/bugtraq/2000-05/0124.html
Reference: BUGTRAQ:20000510 Gnapster Vulnerability Compromises User-readable Files
Reference: URL:http://archives.neohapsis.com/archives/bugtraq/2000-05/0127.html
Reference: FREEBSD:FreeBSD-SA-00:18
Reference: URL:ftp://ftp.freebsd.org/pub/FreeBSD/CERT/advisories/FreeBSD-SA-00:18-gnapster.adv
Reference: XF:gnapster-view-files
Reference: BID:1186
Reference: URL:http://www.securityfocus.com/bid/1186

The gnapster and knapster clients for Napster do not properly restrict access only to MP3 files, which allows remote attackers to read arbitrary files from the client by specifying the full pathname for the file.
ED_PRI CAN-2000-0412 3
VOTE:

=================================
Candidate: CAN-2000-0413
Published:
Final-Decision:
Interim-Decision:
Modified:
Proposed: 20000615
Assigned: 20000614
Category: SF
Reference: BUGTRAQ:20000506 shtml.exe reveal local path of IIS web directory
Reference: URL:http://archives.neohapsis.com/archives/bugtraq/2000-05/0084.html
Reference: BID:1174
Reference: URL:http://www.securityfocus.com/bid/1174
Reference: XF:iis-shtml-reveal-path

The shtml.exe program in the FrontPage extensions package of IIS 4.0 and 5.0 allows remote attackers to determine the physical path of HTML, HTM, ASP, and SHTML files by requesting a file that does not exist, which generates an error message that reveals the path.
ED_PRI CAN-2000-0413 3
VOTE:

=================================
Candidate: CAN-2000-0417
Published:
Final-Decision:
Interim-Decision:
Modified:
Proposed: 20000615
Assigned: 20000614
Category: SF
Reference: BUGTRAQ:20000505 Cayman 3220-H DSL Router DOS
Reference: URL:http://archives.neohapsis.com/archives/bugtraq/2000-05/0075.html
Reference: BUGTRAQ:20000523 Cayman 3220H DSL Router Software Update and New Bonus Attack
Reference: URL:http://archives.neohapsis.com/archives/bugtraq/2000-05/0280.html
Reference: BID:1219
Reference: URL:http://www.securityfocus.com/bid/1219

The HTTP administration interface to the Cayman 3220-H DSL router allows remote attackers to cause a denial of service via a long username or password.
ED_PRI CAN-2000-0417 3
VOTE:

=================================
Candidate: CAN-2000-0422
Published:
Final-Decision:
Interim-Decision:
Modified:
Proposed: 20000615
Assigned: 20000614
Category: SF
Reference: BUGTRAQ:20000504 Alert: DMailWeb buffer overflow
Reference: URL:http://marc.theaimsgroup.com/?l=bugtraq&m=95749276827558&w=2
Reference: XF:http-cgi-dmailweb-bo
Reference: BID:1171
Reference: URL:http://www.securityfocus.com/bid/1171

Buffer overflow in Netwin DMailWeb CGI program allows remote attackers to execute arbitrary commands via a long utoken parameter.
ED_PRI CAN-2000-0422 3
VOTE:

=================================
Candidate: CAN-2000-0423
Published:
Final-Decision:
Interim-Decision:
Modified:
Proposed: 20000615
Assigned: 20000614
Category: SF
Reference: BUGTRAQ:20000505 Alert: DNewsWeb buffer overflow
Reference: URL:http://marc.theaimsgroup.com/?l=bugtraq&m=95764950403250&w=2
Reference: XF:http-cgi-dnews-bo
Reference: BID:1172
Reference: URL:http://www.securityfocus.com/bid/1172

Buffer overflow in Netwin DNEWSWEB CGI program allows remote attackers to execute arbitrary commands via long parameters such as group, cmd, and utag.
ED_PRI CAN-2000-0423 3
VOTE:

=================================
Candidate: CAN-2000-0425
Published:
Final-Decision:
Interim-Decision:
Modified:
Proposed: 20000615
Assigned: 20000614
Category: SF
Reference: CONFIRM:http://www.lsoft.com/news/default.asp?item=Advisory0
Reference: BUGTRAQ:20000505 Alert: Listserv Web Archives (wa) buffer overflow
Reference: URL:http://archives.neohapsis.com/archives/bugtraq/2000-05/0048.html
Reference: XF:http-cgi-listserv-wa-bo
Reference: BID:1167
Reference: URL:http://www.securityfocus.com/bid/1167

Buffer overflow in the Web Archives component of L-Soft LISTSERV 1.8 allows remote attackers to execute arbitrary commands.
ED_PRI CAN-2000-0425 3
VOTE:

=================================
Candidate: CAN-2000-0426
Published:
Final-Decision:
Interim-Decision:
Modified:
Proposed: 20000615
Assigned: 20000614
Category: SF
Reference: BUGTRAQ:20000505 Re: Fun with UltraBoard V1.6X
Reference: URL:http://archives.neohapsis.com/archives/bugtraq/2000-05/0059.html
Reference: BID:1175
Reference: URL:http://www.securityfocus.com/bid/1175
Reference: XF:ultraboard-cgi-dos

UltraBoard 1.6 and other versions allow remote attackers to cause a denial of service by referencing UltraBoard in the Session parameter, which causes UltraBoard to fork copies of itself.
ED_PRI CAN-2000-0426 3
VOTE:

=================================
Candidate: CAN-2000-0429
Published:
Final-Decision:
Interim-Decision:
Modified:
Proposed: 20000615
Assigned: 20000614
Category: SF
Reference: BUGTRAQ:20000427 Alert: Cart32 secret password backdoor (CISADV000427)
Reference: URL:http://marc.theaimsgroup.com/?l=bugtraq&m=95686068203138&w=2
Reference: CONFIRM:http://www.cart32.com/kbshow.asp?article=c048

A backdoor password in Cart32 3.0 and earlier allows remote attackers to execute arbitrary commands.
ED_PRI CAN-2000-0429 3
VOTE:

=================================
Candidate: CAN-2000-0430
Published:
Final-Decision:
Interim-Decision:
Modified:
Proposed: 20000615
Assigned: 20000614
Category: SF
Reference: BUGTRAQ:20000503 Another interesting Cart32 command
Reference: URL:http://marc.theaimsgroup.com/?l=bugtraq&m=95738697301956&w=2
Reference: XF:cart32-expdate

Cart32 allows remote attackers to access sensitive debugging information by appending /expdate to the URL request.
ED_PRI CAN-2000-0430 3
VOTE:

=================================
Candidate: CAN-2000-0458
Published:
Final-Decision:
Interim-Decision:
Modified:
Proposed: 20000615
Assigned: 20000614
Category: SF
Reference: BUGTRAQ:20000424 Two Problems in IMP 2
Reference: URL:http://marc.theaimsgroup.com/?l=bugtraq&m=95672120116627&w=2
Reference: XF:imp-tmpfile-view

The MSWordView application in IMP creates world-readable files in the /tmp directory, which allows other local users to read potentially sensitive information.
ED_PRI CAN-2000-0458 3
VOTE:

=================================
Candidate: CAN-2000-0459
Published:
Final-Decision:
Interim-Decision:
Modified:
Proposed: 20000615
Assigned: 20000614
Category: SF
Reference: BUGTRAQ:20000424 Two Problems in IMP 2
Reference: URL:http://marc.theaimsgroup.com/?l=bugtraq&m=95672120116627&w=2
Reference: XF:imp-wordfile-dos

IMP does not remove files properly if the MSWordView application quits, which allows local users to cause a denial of service by filling up the disk space by requesting a large number of documents and prematurely stopping the request.
ED_PRI CAN-2000-0459 3
VOTE: