[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]
[PROPOSAL] Clusters RECENT-31 and RECENT-32 - 53 candidates
- To: cve-editorial-board-list@lists.mitre.org
- Subject: [PROPOSAL] Clusters RECENT-31 and RECENT-32 - 53 candidates
- From: "Steven M. Christey" <coley@linus.mitre.org>
- Date: Wed, 20 Sep 2000 23:20:04 -0400 (EDT)
- Delivery-Date: Wed Sep 20 23:23:51 2000
- Sender: owner-cve-editorial-board-list@lists.mitre.org
This message contains candidates from 2 clusters, due to the volume of candidates being proposed this week. The clusters are separated on the voting web site. Board members can use the voting web site instead of this ballot, which is posted for other Board members and as a part of the public record. These voting ballots include the new Analysis field as discussed in a previous post with explanations of applications of content decisions. The degree of vendor acknowledgement is also made more prominent. Finally, a new ACCEPT_REASON form has been added for Board members to include the reason why they vote to ACCEPT or MODIFY an item. RECENT-31 contains 20 problems that were announced between 7/10/2000 and 7/31/2000. RECENT-32 contains 33 problems that were announced between 8/1/2000 and 8/8/2000. - Steve Summary of votes to use (in ascending order of "severity") ---------------------------------------------------------- ACCEPT - voter accepts the candidate as proposed NOOP - voter has no opinion on the candidate MODIFY - voter wants to change some MINOR detail (e.g. reference/description) REVIEWING - voter is reviewing/researching the candidate, or needs more info RECAST - candidate must be significantly modified, e.g. split or merged REJECT - candidate is "not a vulnerability", or a duplicate, etc. 1) Please write your vote on the line that starts with "VOTE: ". If you want to add comments or details, add them to lines after the VOTE: line. 2) If you see any missing references, please mention them so that they can be included. References help greatly during mapping. 3) Note that a "MODIFY" is treated as an "ACCEPT" when counting votes. So if you don't have sufficient information for a candidate but you don't want to NOOP, use a REVIEWING. ********** NOTE ********** NOTE ********** NOTE ********** NOTE ********** Please keep in mind that your vote and comments will be recorded and publicly viewable in the mailing list archives or in other formats. ====================================================== Candidate: CAN-2000-0676 Published: Final-Decision: Interim-Decision: Modified: Proposed: 20000921 Assigned: 20000811 Category: SF Reference: CERT:CA-2000-15 Reference: URL:http://www.cert.org/advisories/CA-2000-15.html Reference: BID:1546 Reference: URL:http://www.securityfocus.com/bid/1546 Netscape Communicator and Navigator 4.04 through 4.74 allows remote attackers to read arbitrary files by using a Java applet to open a connection to a URL using the "file", "http", "https", and "ftp" protocols, as demonstrated by Brown Orifice. Analysis ---------------- ED_PRI CAN-2000-0676 1 Vendor Acknowledgement: yes advisory Voting Section -------------- Possible votes: ACCEPT/MODIFY/NOOP/REVIEWING/RECAST/REJECT If ACCEPT or MODIFY, include reason for acceptance: VERIFIED-BY-MY-ORG, ACKNOWLEDGED-BY-VENDOR, VERIFIED-BY-SOMEONE-I-TRUST, HAS-INDEPENDENT-CONFIRMATION, or provide other reason. VOTE: ACCEPT_REASON: COMMENTS: ====================================================== Candidate: CAN-2000-0696 Published: Final-Decision: Interim-Decision: Modified: Proposed: 20000921 Assigned: 20000919 Category: SF Reference: SUN:00196 Reference: URL:http://archives.neohapsis.com/archives/sun/2000-q3/0001.html Reference: BID:1554 Reference: URL:http://www.securityfocus.com/bid/1554 The administration interface for the dwhttpd web server in Solaris AnswerBook2 does not properly authenticate requests to its supporting CGi scripts, which allows remote attackers to add user accounts to the interface by directly calling the admin CGI script. Analysis ---------------- ED_PRI CAN-2000-0696 1 Vendor Acknowledgement: yes advisory Voting Section -------------- Possible votes: ACCEPT/MODIFY/NOOP/REVIEWING/RECAST/REJECT If ACCEPT or MODIFY, include reason for acceptance: VERIFIED-BY-MY-ORG, ACKNOWLEDGED-BY-VENDOR, VERIFIED-BY-SOMEONE-I-TRUST, HAS-INDEPENDENT-CONFIRMATION, or provide other reason. VOTE: ACCEPT_REASON: COMMENTS: ====================================================== Candidate: CAN-2000-0697 Published: Final-Decision: Interim-Decision: Modified: Proposed: 20000921 Assigned: 20000919 Category: SF Reference: SUN:00196 Reference: URL:http://archives.neohapsis.com/archives/sun/2000-q3/0001.html Reference: BID:1556 Reference: URL:http://www.securityfocus.com/bid/1556 The administration interface for the dwhttpd web server in Solaris AnswerBook2 allows interface users to remotely execute commands via shell metacharacters. Analysis ---------------- ED_PRI CAN-2000-0697 1 Vendor Acknowledgement: yes advisory Voting Section -------------- Possible votes: ACCEPT/MODIFY/NOOP/REVIEWING/RECAST/REJECT If ACCEPT or MODIFY, include reason for acceptance: VERIFIED-BY-MY-ORG, ACKNOWLEDGED-BY-VENDOR, VERIFIED-BY-SOMEONE-I-TRUST, HAS-INDEPENDENT-CONFIRMATION, or provide other reason. VOTE: ACCEPT_REASON: COMMENTS: ====================================================== Candidate: CAN-2000-0700 Published: Final-Decision: Interim-Decision: Modified: Proposed: 20000921 Assigned: 20000919 Category: SF Reference: CISCO:20000803 Possible Access Control Bypass and Denial of Service in Gigabit Switch Routers Using Gigabit Ethernet or Fast Ethernet Cards Reference: URL:http://www.cisco.com/warp/public/707/gsraclbypassdos-pub.shtml Reference: BID:1541 Reference: URL:http://www.securityfocus.com/bid/1541 Cisco Gigabit Switch Routers (GSR) with Fast Ethernet / Gigabit Ethernet cards and versions IOS 11.2 or greater do not properly handle line card failures, which allows remote attackers to bypass ACLs or force the interface to stop forwarding packets. Analysis ---------------- ED_PRI CAN-2000-0700 1 Vendor Acknowledgement: yes advisory Voting Section -------------- Possible votes: ACCEPT/MODIFY/NOOP/REVIEWING/RECAST/REJECT If ACCEPT or MODIFY, include reason for acceptance: VERIFIED-BY-MY-ORG, ACKNOWLEDGED-BY-VENDOR, VERIFIED-BY-SOMEONE-I-TRUST, HAS-INDEPENDENT-CONFIRMATION, or provide other reason. VOTE: ACCEPT_REASON: COMMENTS: ====================================================== Candidate: CAN-2000-0703 Published: Final-Decision: Interim-Decision: Modified: Proposed: 20000921 Assigned: 20000919 Category: SF Reference: BUGTRAQ:20000805 sperl 5.00503 (and newer ;) exploit Reference: URL:http://archives.neohapsis.com/archives/bugtraq/2000-08/0022.html Reference: SUSE:20000810 Security Hole in perl, all versions Reference: URL:http://www.suse.de/de/support/security/suse_security_announce_59.txt Reference: CALDERA:CSSA-2000-026.0 Reference: URL:http://www.calderasystems.com/support/security/advisories/CSSA-2000-026.0.txt Reference: DEBIAN:20000808 mailx: local exploit Reference: URL:http://www.debian.org/security/2000/20000810 Reference: REDHAT:RHSA-2000:048-03 Reference: URL:http://www.redhat.com/support/errata/RHSA-2000-048-03.html Reference: TURBO:TLSA2000018-1 Reference: URL:http://www.turbolinux.com/pipermail/tl-security-announce/2000-August/000017.html Reference: BUGTRAQ:20000814 Trustix Security Advisory - perl and mailx Reference: URL:http://archives.neohapsis.com/archives/bugtraq/2000-08/0153.html Reference: BUGTRAQ:20000808 MDKSA-2000:031 perl update Reference: URL:http://archives.neohapsis.com/archives/bugtraq/2000-08/0086.html Reference: BUGTRAQ:20000810 Conectiva Linux security announcemente - PERL Reference: URL:http://archives.neohapsis.com/archives/bugtraq/2000-08/0113.html Reference: BID:1547 Reference: URL:http://www.securityfocus.com/bid/1547 suidperl (aka sperl) does not properly cleanse the escape sequence "~!" before calling /bin/mail to send an error report, which allows local users to gain privileges by setting the "interactive" environmental variable and calling suidperl with a filename that contains the escape sequence. Analysis ---------------- ED_PRI CAN-2000-0703 1 Vendor Acknowledgement: yes advisory Voting Section -------------- Possible votes: ACCEPT/MODIFY/NOOP/REVIEWING/RECAST/REJECT If ACCEPT or MODIFY, include reason for acceptance: VERIFIED-BY-MY-ORG, ACKNOWLEDGED-BY-VENDOR, VERIFIED-BY-SOMEONE-I-TRUST, HAS-INDEPENDENT-CONFIRMATION, or provide other reason. VOTE: ACCEPT_REASON: COMMENTS: ====================================================== Candidate: CAN-2000-0705 Published: Final-Decision: Interim-Decision: Modified: Proposed: 20000921 Assigned: 20000919 Category: SF Reference: BUGTRAQ:20000802 [ Hackerslab bug_paper ] ntop web mode vulnerabliity Reference: URL:http://archives.neohapsis.com/archives/bugtraq/2000-07/0459.html Reference: REDHAT:RHSA-2000:049-02 Reference: URL:http://archives.neohapsis.com/archives/bugtraq/2000-08/0065.html Reference: BID:1550 Reference: URL:http://www.securityfocus.com/bid/1550 ntop running in web mode allows remote attackers to read arbitrary files via a .. (dot dot) attack. Analysis ---------------- ED_PRI CAN-2000-0705 1 Vendor Acknowledgement: yes advisory Voting Section -------------- Possible votes: ACCEPT/MODIFY/NOOP/REVIEWING/RECAST/REJECT If ACCEPT or MODIFY, include reason for acceptance: VERIFIED-BY-MY-ORG, ACKNOWLEDGED-BY-VENDOR, VERIFIED-BY-SOMEONE-I-TRUST, HAS-INDEPENDENT-CONFIRMATION, or provide other reason. VOTE: ACCEPT_REASON: COMMENTS: ====================================================== Candidate: CAN-2000-0711 Published: Final-Decision: Interim-Decision: Modified: Proposed: 20000921 Assigned: 20000919 Category: SF Reference: BUGTRAQ:20000816 JDK 1.1.x Listening Socket Vulnerability (was Re: BrownOrifice can break firewalls!) Reference: URL:http://www.securityfocus.com/templates/archive.pike?list=1&msg=3999922128E.EE84TAKAGI@java-house.etl.go.jp Reference: BUGTRAQ:20000805 Dangerous Java/Netscape Security Hole Reference: URL:http://www.securityfocus.com/templates/archive.pike?list=1&msg=20000805020429.11774.qmail@securityfocus.com Reference: CERT:CA-2000-15 Reference: URL:http://www.cert.org/advisories/CA-2000-15.html Reference: BID:1545 Reference: URL:http://www.securityfocus.com/bid/1545 Netscape Communicator does not properly prevent a ServerSocket object from being created by untrusted entities, which allows remote attackers to create a server on the victim's system via a malicious applet, as demonstrated by Brown Orifice. Analysis ---------------- ED_PRI CAN-2000-0711 1 Vendor Acknowledgement: yes This is very similar to CAN-2000-0676, which is the other vulnerability that was described in the original posts that announced Brown Orifice. Voting Section -------------- Possible votes: ACCEPT/MODIFY/NOOP/REVIEWING/RECAST/REJECT If ACCEPT or MODIFY, include reason for acceptance: VERIFIED-BY-MY-ORG, ACKNOWLEDGED-BY-VENDOR, VERIFIED-BY-SOMEONE-I-TRUST, HAS-INDEPENDENT-CONFIRMATION, or provide other reason. VOTE: ACCEPT_REASON: COMMENTS: ====================================================== Candidate: CAN-2000-0737 Published: Final-Decision: Interim-Decision: Modified: Proposed: 20000921 Assigned: 20000919 Category: SF Reference: MS:MS00-053 Reference: URL:http://www.microsoft.com/technet/security/bulletin/ms00-053.asp Reference: BID:1535 Reference: URL:http://www.securityfocus.com/bid/1535 The Service Control Manager (SCM) in Windows 2000 creates predictable named pipes, which allows a local user with console access to gain administrator privileges, aka the "Service Control Manager Named Pipe Impersonation" vulnerability. Analysis ---------------- ED_PRI CAN-2000-0737 1 Vendor Acknowledgement: yes advisory Voting Section -------------- Possible votes: ACCEPT/MODIFY/NOOP/REVIEWING/RECAST/REJECT If ACCEPT or MODIFY, include reason for acceptance: VERIFIED-BY-MY-ORG, ACKNOWLEDGED-BY-VENDOR, VERIFIED-BY-SOMEONE-I-TRUST, HAS-INDEPENDENT-CONFIRMATION, or provide other reason. VOTE: ACCEPT_REASON: COMMENTS: ====================================================== Candidate: CAN-2000-0742 Published: Final-Decision: Interim-Decision: Modified: Proposed: 20000921 Assigned: 20000919 Category: SF Reference: BUGTRAQ:20000602 ipx storm Reference: URL:http://www.securityfocus.com/templates/archive.pike?list=1&mid=63120 Reference: MS:MS00-054 Reference: URL:http://www.microsoft.com/technet/security/bulletin/ms00-054.asp Reference: BID:1544 Reference: URL:http://www.securityfocus.com/bid/1544 The IPX protocol implementation in Microsoft Windows 95 and 98 allows remote attackers to cause a denial of service by sending a ping packet with a source IP address that is a broadcast address. Analysis ---------------- ED_PRI CAN-2000-0742 1 Vendor Acknowledgement: yes advisory Voting Section -------------- Possible votes: ACCEPT/MODIFY/NOOP/REVIEWING/RECAST/REJECT If ACCEPT or MODIFY, include reason for acceptance: VERIFIED-BY-MY-ORG, ACKNOWLEDGED-BY-VENDOR, VERIFIED-BY-SOMEONE-I-TRUST, HAS-INDEPENDENT-CONFIRMATION, or provide other reason. VOTE: ACCEPT_REASON: COMMENTS: ====================================================== Candidate: CAN-2000-0750 Published: Final-Decision: Interim-Decision: Modified: Proposed: 20000921 Assigned: 20000919 Category: SF Reference: BUGTRAQ:20000808 OpenBSD 2.7 / NetBSD 1.4.2 mopd buffer overflow Reference: URL:http://archives.neohapsis.com/archives/bugtraq/2000-08/0064.html Reference: FREEBSD:FreeBSD-SA-00:40 Reference: URL:http://archives.neohapsis.com/archives/freebsd/2000-08/0336.html Reference: OPENBSD:20000705 Mopd contained a buffer overflow. Reference: URL:http://www.openbsd.org/errata.html#mopd Reference: REDHAT:RHSA-2000-050-01 Reference: URL:http://www.redhat.com/support/errata/powertools/RHSA-2000-050-01.html Reference: MISC:http://cvsweb.netbsd.org/bsdweb.cgi/basesrc/usr.sbin/mopd/mopd/process.c.diff?r1=1.7&r2=1.8&f=h Reference: BID:1558 Reference: URL:http://www.securityfocus.com/bid/1558 Buffer overflow in mopd (Maintenance Operations Protocol loader daemon) allows remote attackers to execute arbitrary commands via a long file name. Analysis ---------------- ED_PRI CAN-2000-0750 1 Vendor Acknowledgement: yes advisory ABSTRACTION: This is a different type of bug than the format string problem, so CD:SF-LOC suggests that there should be a separate entry for this. Voting Section -------------- Possible votes: ACCEPT/MODIFY/NOOP/REVIEWING/RECAST/REJECT If ACCEPT or MODIFY, include reason for acceptance: VERIFIED-BY-MY-ORG, ACKNOWLEDGED-BY-VENDOR, VERIFIED-BY-SOMEONE-I-TRUST, HAS-INDEPENDENT-CONFIRMATION, or provide other reason. VOTE: ACCEPT_REASON: COMMENTS: ====================================================== Candidate: CAN-2000-0751 Published: Final-Decision: Interim-Decision: Modified: Proposed: 20000921 Assigned: 20000919 Category: SF Reference: BUGTRAQ:20000808 OpenBSD 2.7 / NetBSD 1.4.2 mopd buffer overflow Reference: URL:http://archives.neohapsis.com/archives/bugtraq/2000-08/0064.html Reference: FREEBSD:FreeBSD-SA-00:40 Reference: URL:http://archives.neohapsis.com/archives/freebsd/2000-08/0336.html Reference: OPENBSD:20000705 Mopd contained a buffer overflow. Reference: URL:http://www.openbsd.org/errata.html#mopd Reference: REDHAT:RHSA-2000-050-01 Reference: URL:http://www.redhat.com/support/errata/powertools/RHSA-2000-050-01.html Reference: MISC:http://cvsweb.netbsd.org/bsdweb.cgi/basesrc/usr.sbin/mopd/mopd/process.c.diff?r1=1.7&r2=1.8&f=h Reference: BID:1559 Reference: URL:http://www.securityfocus.com/bid/1559 mopd (Maintenance Operations Protocol loader daemon) does not properly cleanse user-injected format strings, which allows remote attackers to execute arbitrary commands. Analysis ---------------- ED_PRI CAN-2000-0751 1 Vendor Acknowledgement: yes advisory ABSTRACTION: There are multiple format string vulnerabilities. For example, see: ftp://ftp.openbsd.org/pub/OpenBSD/patches/2.7/common/018_mopd.patch http://cvsweb.netbsd.org/bsdweb.cgi/basesrc/usr.sbin/mopd/mopd/process.c.diff?r1=1.7&r2=1.8&f=h CD:SF-LOC suggests to create a separate entry for each one. But how could these be reported? The source code line numbers differ between OpenBSD and NetBSD, for example. Procedure names alone aren't sufficient since there could be multiple vuln's in the same procedure. The conditions that enable the bug may be appropriate, but I don't have source code to examine. Voting Section -------------- Possible votes: ACCEPT/MODIFY/NOOP/REVIEWING/RECAST/REJECT If ACCEPT or MODIFY, include reason for acceptance: VERIFIED-BY-MY-ORG, ACKNOWLEDGED-BY-VENDOR, VERIFIED-BY-SOMEONE-I-TRUST, HAS-INDEPENDENT-CONFIRMATION, or provide other reason. VOTE: ACCEPT_REASON: COMMENTS: ====================================================== Candidate: CAN-2000-0786 Published: Final-Decision: Interim-Decision: Modified: Proposed: 20000921 Assigned: 20000919 Category: SF Reference: BUGTRAQ:20000726 userv security boundary tool 1.0.1 (SECURITY FIX) Reference: URL:http://archives.neohapsis.com/archives/bugtraq/2000-07/0389.html Reference: DEBIAN:20000727 userv: local exploit Reference: URL:http://www.debian.org/security/2000/20000727 Reference: CONFIRM:http://marc.theaimsgroup.com/?l=bugtraq&m=96473640717095&w=2 Reference: BID:1516 Reference: URL:http://www.securityfocus.com/bid/1516 GNU userv 1.0.0 and earlier does not properly perform file descriptor swapping, which can corrupt the USERV_GROUPS and USERV_GIDS environmental variables and allow local users to bypass some access restrictions. Analysis ---------------- ED_PRI CAN-2000-0786 1 Vendor Acknowledgement: yes post Voting Section -------------- Possible votes: ACCEPT/MODIFY/NOOP/REVIEWING/RECAST/REJECT If ACCEPT or MODIFY, include reason for acceptance: VERIFIED-BY-MY-ORG, ACKNOWLEDGED-BY-VENDOR, VERIFIED-BY-SOMEONE-I-TRUST, HAS-INDEPENDENT-CONFIRMATION, or provide other reason. VOTE: ACCEPT_REASON: COMMENTS: ====================================================== Candidate: CAN-2000-0681 Published: Final-Decision: Interim-Decision: Modified: Proposed: 20000921 Assigned: 20000919 Category: SF Reference: BUGTRAQ:20000815 BEA Weblogic server proxy library vulnerabilities Reference: URL:http://archives.neohapsis.com/archives/bugtraq/2000-08/0186.html Reference: BID:1570 Reference: URL:http://www.securityfocus.com/bid/1570 Buffer overflow in BEA WebLogic server proxy plugin allows remote attackers to execute arbitrary commands via a long URL with a .JSP extension. Analysis ---------------- ED_PRI CAN-2000-0681 2 Vendor Acknowledgement: yes advisory ABSTRACTION: Various sources report multiple overflows, so CD:SF-LOC would suggest creating a separate entry for each one. However, the BEA advisory indicates that the problem is in a single location. It may appear to be multiple overflows because the proxy can be installed on many different web servers. In accordance with guidance by the Editorial Board that the vendor should be the final authority, this should remain a single entry unless it is conclusively proven that there were multiple overflows. Voting Section -------------- Possible votes: ACCEPT/MODIFY/NOOP/REVIEWING/RECAST/REJECT If ACCEPT or MODIFY, include reason for acceptance: VERIFIED-BY-MY-ORG, ACKNOWLEDGED-BY-VENDOR, VERIFIED-BY-SOMEONE-I-TRUST, HAS-INDEPENDENT-CONFIRMATION, or provide other reason. VOTE: ACCEPT_REASON: COMMENTS: ====================================================== Candidate: CAN-2000-0682 Published: Final-Decision: Interim-Decision: Modified: Proposed: 20000921 Assigned: 20000919 Category: SF Reference: BUGTRAQ:20000728 BEA's WebLogic force handlers show code vulnerability Reference: URL:http://archives.neohapsis.com/archives/bugtraq/2000-07/0410.html Reference: CONFIRM:http://developer.bea.com/alerts/security_000731.html Reference: BID:1518 Reference: URL:http://www.securityfocus.com/bid/1518 BEA WebLogic 5.1.x allows remote attackers to read source code for parsed pages by inserting /ConsoleHelp/ into the URL, which invokes the FileServlet. Analysis ---------------- ED_PRI CAN-2000-0682 2 Vendor Acknowledgement: yes advisory CD:SF-LOC applies to this and the SSIServlet /*.shtml/ problem too. Voting Section -------------- Possible votes: ACCEPT/MODIFY/NOOP/REVIEWING/RECAST/REJECT If ACCEPT or MODIFY, include reason for acceptance: VERIFIED-BY-MY-ORG, ACKNOWLEDGED-BY-VENDOR, VERIFIED-BY-SOMEONE-I-TRUST, HAS-INDEPENDENT-CONFIRMATION, or provide other reason. VOTE: ACCEPT_REASON: COMMENTS: ====================================================== Candidate: CAN-2000-0683 Published: Final-Decision: Interim-Decision: Modified: Proposed: 20000921 Assigned: 20000919 Category: SF Reference: BUGTRAQ:20000728 BEA's WebLogic force handlers show code vulnerability Reference: URL:http://archives.neohapsis.com/archives/bugtraq/2000-07/0410.html Reference: CONFIRM:http://developer.bea.com/alerts/security_000728.html Reference: BID:1517 Reference: URL:http://www.securityfocus.com/bid/1517 BEA WebLogic 5.1.x allows remote attackers to read source code for parsed pages by inserting /*.shtml/ into the URL, which invokes the SSIServlet. Analysis ---------------- ED_PRI CAN-2000-0683 2 Vendor Acknowledgement: yes advisory CD:SF-LOC applies to this and the ConsoleHelp problem too. Voting Section -------------- Possible votes: ACCEPT/MODIFY/NOOP/REVIEWING/RECAST/REJECT If ACCEPT or MODIFY, include reason for acceptance: VERIFIED-BY-MY-ORG, ACKNOWLEDGED-BY-VENDOR, VERIFIED-BY-SOMEONE-I-TRUST, HAS-INDEPENDENT-CONFIRMATION, or provide other reason. VOTE: ACCEPT_REASON: COMMENTS: ====================================================== Candidate: CAN-2000-0684 Published: Final-Decision: Interim-Decision: Modified: Proposed: 20000921 Assigned: 20000919 Category: SF Reference: BUGTRAQ:20000731 BEA's WebLogic *.jsp/*.jhtml remote command execution Reference: URL:http://archives.neohapsis.com/archives/bugtraq/2000-07/0434.html Reference: CONFIRM:http://developer.bea.com/alerts/security_000731.html Reference: BID:1525 Reference: URL:http://www.securityfocus.com/bid/1525 BEA WebLogic 5.1.x does not properly restrict access to the JSPServlet, which could allow remote attackers to compile and execute Java JSP code by directly invoking the servlet on any source file. Analysis ---------------- ED_PRI CAN-2000-0684 2 Vendor Acknowledgement: yes advisory This and the PageCompileServlet bug are affected by CF:SF-LOC. Voting Section -------------- Possible votes: ACCEPT/MODIFY/NOOP/REVIEWING/RECAST/REJECT If ACCEPT or MODIFY, include reason for acceptance: VERIFIED-BY-MY-ORG, ACKNOWLEDGED-BY-VENDOR, VERIFIED-BY-SOMEONE-I-TRUST, HAS-INDEPENDENT-CONFIRMATION, or provide other reason. VOTE: ACCEPT_REASON: COMMENTS: ====================================================== Candidate: CAN-2000-0685 Published: Final-Decision: Interim-Decision: Modified: Proposed: 20000921 Assigned: 20000919 Category: SF Reference: BUGTRAQ:20000731 BEA's WebLogic *.jsp/*.jhtml remote command execution Reference: URL:http://archives.neohapsis.com/archives/bugtraq/2000-07/0434.html Reference: CONFIRM:http://developer.bea.com/alerts/security_000731.html Reference: BID:1525 Reference: URL:http://www.securityfocus.com/bid/1525 BEA WebLogic 5.1.x does not properly restrict access to the PageCompileServlet, which could allow remote attackers to compile and execute Java JHTML code by directly invoking the servlet on any source file. Analysis ---------------- ED_PRI CAN-2000-0685 2 Vendor Acknowledgement: yes advisory Voting Section -------------- Possible votes: ACCEPT/MODIFY/NOOP/REVIEWING/RECAST/REJECT If ACCEPT or MODIFY, include reason for acceptance: VERIFIED-BY-MY-ORG, ACKNOWLEDGED-BY-VENDOR, VERIFIED-BY-SOMEONE-I-TRUST, HAS-INDEPENDENT-CONFIRMATION, or provide other reason. VOTE: ACCEPT_REASON: COMMENTS: ====================================================== Candidate: CAN-2000-0707 Published: Final-Decision: Interim-Decision: Modified: Proposed: 20000921 Assigned: 20000919 Category: SF Reference: BUGTRAQ:20000804 PCCS MySQL DB Admin Tool v1.2.3- Advisory Reference: URL:http://archives.neohapsis.com/archives/bugtraq/2000-08/0015.html Reference: CONFIRM:http://pccs-linux.com/public/view.php3?bn=agora_pccslinux&key=965951324 Reference: BID:1557 Reference: URL:http://www.securityfocus.com/bid/1557 PCCS MySQLDatabase Admin Tool Manager 1.2.4 and earlier installs the file dbconnect.inc within the web root, which allows remote attackers to obtain sensitive information such as the administrative password. Analysis ---------------- ED_PRI CAN-2000-0707 2 Vendor Acknowledgement: yes user-group Voting Section -------------- Possible votes: ACCEPT/MODIFY/NOOP/REVIEWING/RECAST/REJECT If ACCEPT or MODIFY, include reason for acceptance: VERIFIED-BY-MY-ORG, ACKNOWLEDGED-BY-VENDOR, VERIFIED-BY-SOMEONE-I-TRUST, HAS-INDEPENDENT-CONFIRMATION, or provide other reason. VOTE: ACCEPT_REASON: COMMENTS: ====================================================== Candidate: CAN-2000-0712 Published: Final-Decision: Interim-Decision: Modified: Proposed: 20000921 Assigned: 20000919 Category: SF Reference: MISC:http://www.egroups.com/message/lids/1038 Reference: BUGTRAQ:2000803 LIDS severe bug Reference: URL:http://archives.neohapsis.com/archives/bugtraq/2000-07/0486.html Reference: CONFIRM:http://www.lids.org/changelog.html Reference: BID:1549 Reference: URL:http://www.securityfocus.com/bid/1549 Linux Intrusion Detection System (LIDS) 0.9.7 allows local users to gain root privileges when LIDS is disabled via the security=0 boot option. Analysis ---------------- ED_PRI CAN-2000-0712 2 Vendor Acknowledgement: yes changelog Voting Section -------------- Possible votes: ACCEPT/MODIFY/NOOP/REVIEWING/RECAST/REJECT If ACCEPT or MODIFY, include reason for acceptance: VERIFIED-BY-MY-ORG, ACKNOWLEDGED-BY-VENDOR, VERIFIED-BY-SOMEONE-I-TRUST, HAS-INDEPENDENT-CONFIRMATION, or provide other reason. VOTE: ACCEPT_REASON: COMMENTS: ====================================================== Candidate: CAN-2000-0747 Published: Final-Decision: Interim-Decision: Modified: Proposed: 20000921 Assigned: 20000919 Category: SF Reference: BUGTRAQ:20000726 CONECTIVA LINUX SECURITY ANNOUNCEMENT - OPENLDAP Reference: URL:http://archives.neohapsis.com/archives/bugtraq/2000-07/0379.html The logrotate script for openldap earlier than 1.2.11 in Conectiva Linux sends an improper signal to the kernel log daemon (klogd) and kills it. Analysis ---------------- ED_PRI CAN-2000-0747 2 Vendor Acknowledgement: yes advisory Voting Section -------------- Possible votes: ACCEPT/MODIFY/NOOP/REVIEWING/RECAST/REJECT If ACCEPT or MODIFY, include reason for acceptance: VERIFIED-BY-MY-ORG, ACKNOWLEDGED-BY-VENDOR, VERIFIED-BY-SOMEONE-I-TRUST, HAS-INDEPENDENT-CONFIRMATION, or provide other reason. VOTE: ACCEPT_REASON: COMMENTS: ====================================================== Candidate: CAN-2000-0779 Published: Final-Decision: Interim-Decision: Modified: Proposed: 20000921 Assigned: 20000919 Category: SF Reference: CONFIRM:http://www.checkpoint.com/techsupport/alerts/list_vun.html#Improper_stderr Reference: BID:1534 Reference: URL:http://www.securityfocus.com/bid/1534 Checkpoint Firewall-1 with the RSH/REXEC setting enabled allows remote attackers to bypass access restrictions and connect to a RSH/REXEC client via malformed connection requests. Analysis ---------------- ED_PRI CAN-2000-0779 2 Vendor Acknowledgement: yes advisory Voting Section -------------- Possible votes: ACCEPT/MODIFY/NOOP/REVIEWING/RECAST/REJECT If ACCEPT or MODIFY, include reason for acceptance: VERIFIED-BY-MY-ORG, ACKNOWLEDGED-BY-VENDOR, VERIFIED-BY-SOMEONE-I-TRUST, HAS-INDEPENDENT-CONFIRMATION, or provide other reason. VOTE: ACCEPT_REASON: COMMENTS: ====================================================== Candidate: CAN-2000-0679 Published: Final-Decision: Interim-Decision: Modified: Proposed: 20000921 Assigned: 20000919 Category: SF Reference: BUGTRAQ:20000728 cvs security problem Reference: URL:http://www.securityfocus.com/frames/?content=/templates/archive.pike%3Flist%3D1%26msg%3Dhvou2daoebb.fsf%40serein.m17n.org Reference: BID:1523 Reference: URL:http://www.securityfocus.com/bid/1523 The CVS 1.10.8 client trusts pathnames that are provided by the CVS server, which allows the server to force the client to create arbitrary files. Analysis ---------------- ED_PRI CAN-2000-0679 3 Vendor Acknowledgement: unknown Voting Section -------------- Possible votes: ACCEPT/MODIFY/NOOP/REVIEWING/RECAST/REJECT If ACCEPT or MODIFY, include reason for acceptance: VERIFIED-BY-MY-ORG, ACKNOWLEDGED-BY-VENDOR, VERIFIED-BY-SOMEONE-I-TRUST, HAS-INDEPENDENT-CONFIRMATION, or provide other reason. VOTE: ACCEPT_REASON: COMMENTS: ====================================================== Candidate: CAN-2000-0680 Published: Final-Decision: Interim-Decision: Modified: Proposed: 20000921 Assigned: 20000919 Category: SF Reference: BUGTRAQ:20000728 cvs security problem Reference: URL:http://www.securityfocus.com/frames/?content=/templates/archive.pike%3Flist%3D1%26msg%3Dhvou2daoebb.fsf%40serein.m17n.org Reference: BID:1524 Reference: URL:http://www.securityfocus.com/bid/1524 The CVS 1.10.8 server does not properly restrict users from creating arbitrary Checkin.prog or Update.prog programs, which allows remote CVS committers to modify or create Trojan horse programs with the Checkin.prog or Update.prog names, then performing a CVS commit action. Analysis ---------------- ED_PRI CAN-2000-0680 3 Vendor Acknowledgement: unknown Content Decisions: SF-EXEC, SF-LOC INCLUSION ISSUES: Followups to the original post indicate that there is disagreement as to whether this is a problem or not. Some claim that CVS is designed to be used by people with shell access, thus there is no additional access granted to attackers who "exploit" this apparent bug. ABSTRACTION ISSUES: CD:SF-EXEC applies here because there are 2 binaries that could be exploited, Checkin.prog and Update.prog. Since both are critical components of the same software package and they demonstrate the same problem, CD:SF-EXEC says to keep them combined. It could be argued that the problem is in the CVS commit process which launches these binaries; in that case, CD:SF-EXEC does not apply, and we would apply CD:SF-LOC to see if these 2 should be SPLIT. The suggested patch indicates that the Checkin.prog and Update.prog are treated as separate requests, and they exist in 2 separate lines of code, thus CD:SF-LOC in this case might suggest SPLITTING them. This could be viewed as analogous to different ActiveX controls being marked as safe for scripting (scriptlet.typelib in CVE-1999-0668, and Eyedog in CAN-1999-0669). Decisions regarding those ActiveX controls could thus apply in this case as well. Also note that this affects CAN-1999-0988 and CAN-1999-0828. See the voting record for these candidates for further discussion. Voting Section -------------- Possible votes: ACCEPT/MODIFY/NOOP/REVIEWING/RECAST/REJECT If ACCEPT or MODIFY, include reason for acceptance: VERIFIED-BY-MY-ORG, ACKNOWLEDGED-BY-VENDOR, VERIFIED-BY-SOMEONE-I-TRUST, HAS-INDEPENDENT-CONFIRMATION, or provide other reason. VOTE: ACCEPT_REASON: COMMENTS: ====================================================== Candidate: CAN-2000-0693 Published: Final-Decision: Interim-Decision: Modified: Proposed: 20000921 Assigned: 20000919 Category: SF Reference: BUGTRAQ:20000802 Local root compromise in PGX Config Sun Sparc Solaris Reference: URL:http://archives.neohapsis.com/archives/bugtraq/2000-07/0463.html Reference: BID:1563 Reference: URL:http://www.securityfocus.com/bid/1563 pgxconfig in the Raptor GFX configuration tool uses a relative path name for a system call to the "cp" program, which allows local users to execute arbitrary commands by modifying their path to point to an alternate "cp" program. Analysis ---------------- ED_PRI CAN-2000-0693 3 Vendor Acknowledgement: unknown Voting Section -------------- Possible votes: ACCEPT/MODIFY/NOOP/REVIEWING/RECAST/REJECT If ACCEPT or MODIFY, include reason for acceptance: VERIFIED-BY-MY-ORG, ACKNOWLEDGED-BY-VENDOR, VERIFIED-BY-SOMEONE-I-TRUST, HAS-INDEPENDENT-CONFIRMATION, or provide other reason. VOTE: ACCEPT_REASON: COMMENTS: ====================================================== Candidate: CAN-2000-0694 Published: Final-Decision: Interim-Decision: Modified: Proposed: 20000921 Assigned: 20000919 Category: SF Reference: BUGTRAQ:20000802 Local root compromise in PGX Config Sun Sparc Solaris Reference: URL:http://archives.neohapsis.com/archives/bugtraq/2000-07/0463.html pgxconfig in the Raptor GFX configuration tool may allow local users to gain privileges via a symlink attack. Analysis ---------------- ED_PRI CAN-2000-0694 3 Vendor Acknowledgement: unknown This issue was alluded to in the original Bugtraq post, but not described in detail. Voting Section -------------- Possible votes: ACCEPT/MODIFY/NOOP/REVIEWING/RECAST/REJECT If ACCEPT or MODIFY, include reason for acceptance: VERIFIED-BY-MY-ORG, ACKNOWLEDGED-BY-VENDOR, VERIFIED-BY-SOMEONE-I-TRUST, HAS-INDEPENDENT-CONFIRMATION, or provide other reason. VOTE: ACCEPT_REASON: COMMENTS: ====================================================== Candidate: CAN-2000-0695 Published: Final-Decision: Interim-Decision: Modified: Proposed: 20000921 Assigned: 20000919 Category: SF Reference: BUGTRAQ:20000802 Local root compromise in PGX Config Sun Sparc Solaris Reference: URL:http://archives.neohapsis.com/archives/bugtraq/2000-07/0463.html pgxconfig in the Raptor GFX configuration tool may contain buffer overflows that allow local users to gain privileges via command line options. Analysis ---------------- ED_PRI CAN-2000-0695 3 Vendor Acknowledgement: unknown This issue was alluded to in the original Bugtraq post, but not described in detail. Voting Section -------------- Possible votes: ACCEPT/MODIFY/NOOP/REVIEWING/RECAST/REJECT If ACCEPT or MODIFY, include reason for acceptance: VERIFIED-BY-MY-ORG, ACKNOWLEDGED-BY-VENDOR, VERIFIED-BY-SOMEONE-I-TRUST, HAS-INDEPENDENT-CONFIRMATION, or provide other reason. VOTE: ACCEPT_REASON: COMMENTS: ====================================================== Candidate: CAN-2000-0699 Published: Final-Decision: Interim-Decision: Modified: Proposed: 20000921 Assigned: 20000919 Category: SF Reference: BUGTRAQ:20000806 HPUX FTPd vulnerability Reference: URL:http://archives.neohapsis.com/archives/bugtraq/2000-08/0028.html Reference: BID:1560 Reference: URL:http://www.securityfocus.com/bid/1560 HP-UX ftpd does not properly cleanse untrusted format strings, which may allow remote attackers to cause a denial of service or execute arbitrary commands via the PASS command. Analysis ---------------- ED_PRI CAN-2000-0699 3 Vendor Acknowledgement: unknown Voting Section -------------- Possible votes: ACCEPT/MODIFY/NOOP/REVIEWING/RECAST/REJECT If ACCEPT or MODIFY, include reason for acceptance: VERIFIED-BY-MY-ORG, ACKNOWLEDGED-BY-VENDOR, VERIFIED-BY-SOMEONE-I-TRUST, HAS-INDEPENDENT-CONFIRMATION, or provide other reason. VOTE: ACCEPT_REASON: COMMENTS: ====================================================== Candidate: CAN-2000-0701 Published: Final-Decision: Interim-Decision: Modified: Proposed: 20000921 Assigned: 20000919 Category: SF Reference: BUGTRAQ:20000801 Advisory: mailman local compromise Reference: URL:http://www.securityfocus.com/archive/1/73220 Reference: CONFIRM:http://www.securityfocus.com/templates/archive.pike?list=1&msg=20000802105050.A11733@rak.isternet.sk Reference: BUGTRAQ:20000802 CONECTIVA LINUX SECURITY ANNOUNCEMENT - mailman Reference: URL:http://archives.neohapsis.com/archives/bugtraq/2000-07/0474.html Reference: BUGTRAQ:20000802 MDKSA-2000:030 - Linux-Mandrake not affected by mailman problem Reference: URL:http://archives.neohapsis.com/archives/bugtraq/2000-07/0479.html Reference: REDHAT:RHSA-2000:030-03 Reference: URL:http://www.redhat.com/support/errata/secureserver/RHSA-2000-030-03.html Reference: BID:1539 Reference: URL:http://www.securityfocus.com/bid/1539 The wrapper program in mailman 2.0beta3 and 2.0beta4 does not properly cleanse untrusted format strings, which allows local users to gain privileges. Analysis ---------------- ED_PRI CAN-2000-0701 3 Vendor Acknowledgement: yes advisory Content Decisions: EX-BETA CD:EX-BETA suggests that this should not be included in CVE because it is a beta version, unless this has been widely distributed. Voting Section -------------- Possible votes: ACCEPT/MODIFY/NOOP/REVIEWING/RECAST/REJECT If ACCEPT or MODIFY, include reason for acceptance: VERIFIED-BY-MY-ORG, ACKNOWLEDGED-BY-VENDOR, VERIFIED-BY-SOMEONE-I-TRUST, HAS-INDEPENDENT-CONFIRMATION, or provide other reason. VOTE: ACCEPT_REASON: COMMENTS: ====================================================== Candidate: CAN-2000-0704 Published: Final-Decision: Interim-Decision: Modified: Proposed: 20000921 Assigned: 20000919 Category: SF Reference: SGI:20000803-01-A Reference: URL:ftp://sgigate.sgi.com/security/20000803-01-A Reference: BID:1603 Reference: URL:http://www.securityfocus.com/bid/1603 Buffer overflow in SGI Omron WorldView Wnn allows remote attackers to execute arbitrary commands via long JS_OPEN, JS_MKDIR, or JS_FILE_INFO commands. Analysis ---------------- ED_PRI CAN-2000-0704 3 Vendor Acknowledgement: yes advisory Content Decisions: SF-LOC CD:SF-LOC applies here, but more information is needed. If each command is handled by a single read/parse function, then these should stay in a single CVE item. If there is a different read/parse function call for each command, then this should be SPLIT. Voting Section -------------- Possible votes: ACCEPT/MODIFY/NOOP/REVIEWING/RECAST/REJECT If ACCEPT or MODIFY, include reason for acceptance: VERIFIED-BY-MY-ORG, ACKNOWLEDGED-BY-VENDOR, VERIFIED-BY-SOMEONE-I-TRUST, HAS-INDEPENDENT-CONFIRMATION, or provide other reason. VOTE: ACCEPT_REASON: COMMENTS: ====================================================== Candidate: CAN-2000-0713 Published: Final-Decision: Interim-Decision: Modified: Proposed: 20000921 Assigned: 20000919 Category: SF Reference: BUGTRAQ:20000726 [SPSadvisory#39]Adobe Acrobat Series PDF File Buffer Overflow Reference: URL:http://archives.neohapsis.com/archives/bugtraq/2000-07/0382.html Reference: CONFIRM:http://www.adobe.com/misc/pdfsecurity.html Reference: BID:1509 Reference: URL:http://www.securityfocus.com/bid/1509 Buffer overflow in Adobe Acrobat 4.05, Reader, Business Tools, and Fill In products that handle PDF files allows attackers to execute arbitrary commands via a long /Registry or /Ordering specifier. Analysis ---------------- ED_PRI CAN-2000-0713 3 Vendor Acknowledgement: yes advisory Content Decisions: SF-EXEC,SF-LOC ABSTRACTION ISSUES: CD:SF-EXEC may apply since there are multiple products/executables; it would suggest MERGING these into a single CVE item since the products are part of the same package. However, these bugs may all originate from a single "library," in which case CD:SF-LOC applies and might suggest a MERGE. But there might be a different line of code for /Registry versus /Ordering, in which case CD:SF-LOC would suggest a SPLIT. Voting Section -------------- Possible votes: ACCEPT/MODIFY/NOOP/REVIEWING/RECAST/REJECT If ACCEPT or MODIFY, include reason for acceptance: VERIFIED-BY-MY-ORG, ACKNOWLEDGED-BY-VENDOR, VERIFIED-BY-SOMEONE-I-TRUST, HAS-INDEPENDENT-CONFIRMATION, or provide other reason. VOTE: ACCEPT_REASON: COMMENTS: ====================================================== Candidate: CAN-2000-0714 Published: Final-Decision: Interim-Decision: Modified: Proposed: 20000921 Assigned: 20000919 Category: SF Reference: REDHAT:RHSA-2000:047-03 Reference: URL:http://www.redhat.com/support/errata/RHSA-2000-047-03.html Reference: BID:1551 Reference: URL:http://www.securityfocus.com/bid/1551 umb-scheme 3.2-11 for Red Hat Linux is installed with world-writeable files. Analysis ---------------- ED_PRI CAN-2000-0714 3 Vendor Acknowledgement: yes advisory Content Decisions: INSTALL-PERM ABSTRACTION ISSUE: Some problems like this one are related to installations of files that set improper permissions. Should each separate file get a separate CVE entry? Or should dot notation be used? This question has been labeled as CD:INSTALL-PERM. Voting Section -------------- Possible votes: ACCEPT/MODIFY/NOOP/REVIEWING/RECAST/REJECT If ACCEPT or MODIFY, include reason for acceptance: VERIFIED-BY-MY-ORG, ACKNOWLEDGED-BY-VENDOR, VERIFIED-BY-SOMEONE-I-TRUST, HAS-INDEPENDENT-CONFIRMATION, or provide other reason. VOTE: ACCEPT_REASON: COMMENTS: ====================================================== Candidate: CAN-2000-0715 Published: Final-Decision: Interim-Decision: Modified: Proposed: 20000921 Assigned: 20000919 Category: SF Reference: BUGTRAQ:20000805 Diskcheck 3.1.1 Symlink Vulnerability Reference: URL:http://www.securityfocus.com/templates/archive.pike?list=1&msg=398BD1FD.BAEE3B70@chonnam.chonnam.ac.kr Reference: BID:1552 Reference: URL:http://www.securityfocus.com/bid/1552 DiskCheck script diskcheck.pl in Red Hat Linux allows local users to create or overwrite arbitrary files via a symlink attack. Analysis ---------------- ED_PRI CAN-2000-0715 3 Vendor Acknowledgement: unknown Voting Section -------------- Possible votes: ACCEPT/MODIFY/NOOP/REVIEWING/RECAST/REJECT If ACCEPT or MODIFY, include reason for acceptance: VERIFIED-BY-MY-ORG, ACKNOWLEDGED-BY-VENDOR, VERIFIED-BY-SOMEONE-I-TRUST, HAS-INDEPENDENT-CONFIRMATION, or provide other reason. VOTE: ACCEPT_REASON: COMMENTS: ====================================================== Candidate: CAN-2000-0739 Published: Final-Decision: Interim-Decision: Modified: Proposed: 20000921 Assigned: 20000919 Category: SF Reference: BUGTRAQ:20000802 NAI Net Tools PKI Server vulnerabilities Reference: URL:http://archives.neohapsis.com/archives/bugtraq/2000-07/0473.html Reference: BID:1537 Reference: URL:http://www.securityfocus.com/bid/1537 strong.exe program in NAI Net Tools PKI server allows remote attackers to read arbitrary files via a .. (dot dot) attack. Analysis ---------------- ED_PRI CAN-2000-0739 3 Vendor Acknowledgement: unknown Various sources for this candidate include references to patches, but there does not appear to be a way to obtain simple vendor acknowledgement without registering and/or being a customer. Voting Section -------------- Possible votes: ACCEPT/MODIFY/NOOP/REVIEWING/RECAST/REJECT If ACCEPT or MODIFY, include reason for acceptance: VERIFIED-BY-MY-ORG, ACKNOWLEDGED-BY-VENDOR, VERIFIED-BY-SOMEONE-I-TRUST, HAS-INDEPENDENT-CONFIRMATION, or provide other reason. VOTE: ACCEPT_REASON: COMMENTS: ====================================================== Candidate: CAN-2000-0740 Published: Final-Decision: Interim-Decision: Modified: Proposed: 20000921 Assigned: 20000919 Category: SF Reference: BUGTRAQ:20000802 NAI Net Tools PKI Server vulnerabilities Reference: URL:http://archives.neohapsis.com/archives/bugtraq/2000-07/0473.html Reference: BID:1536 Reference: URL:http://www.securityfocus.com/bid/1536 Buffer overflow in strong.exe program in NAI Net Tools PKI server allows remote attackers to execute arbitrary commands via a long URL in the HTTPS port. Analysis ---------------- ED_PRI CAN-2000-0740 3 Vendor Acknowledgement: unknown Various sources for this item include references to patches, but there does not appear to be a way to obtain simple vendor acknowledgement without registering and/or being a customer. Voting Section -------------- Possible votes: ACCEPT/MODIFY/NOOP/REVIEWING/RECAST/REJECT If ACCEPT or MODIFY, include reason for acceptance: VERIFIED-BY-MY-ORG, ACKNOWLEDGED-BY-VENDOR, VERIFIED-BY-SOMEONE-I-TRUST, HAS-INDEPENDENT-CONFIRMATION, or provide other reason. VOTE: ACCEPT_REASON: COMMENTS: ====================================================== Candidate: CAN-2000-0741 Published: Final-Decision: Interim-Decision: Modified: Proposed: 20000921 Assigned: 20000919 Category: SF Reference: BUGTRAQ:20000802 NAI Net Tools PKI Server vulnerabilities Reference: URL:http://archives.neohapsis.com/archives/bugtraq/2000-07/0473.html Reference: BID:1538 Reference: URL:http://www.securityfocus.com/bid/1538 strong.exe program in NAI Net Tools PKI server does not properly cleanse user-injected format strings, which allows remote attackers to execute arbitrary commands via a URL with a .XUDA extension. Analysis ---------------- ED_PRI CAN-2000-0741 3 Vendor Acknowledgement: unknown Various sources for this item include references to patches, but there does not appear to be a way to obtain simple vendor acknowledgement without registering and/or being a customer. Voting Section -------------- Possible votes: ACCEPT/MODIFY/NOOP/REVIEWING/RECAST/REJECT If ACCEPT or MODIFY, include reason for acceptance: VERIFIED-BY-MY-ORG, ACKNOWLEDGED-BY-VENDOR, VERIFIED-BY-SOMEONE-I-TRUST, HAS-INDEPENDENT-CONFIRMATION, or provide other reason. VOTE: ACCEPT_REASON: COMMENTS: ====================================================== Candidate: CAN-2000-0748 Published: Final-Decision: Interim-Decision: Modified: Proposed: 20000921 Assigned: 20000919 Category: SF Reference: BUGTRAQ:20000726 Group-writable executable in OpenLDAP Reference: URL:http://archives.neohapsis.com/archives/bugtraq/2000-07/0375.html Reference: BID:1511 Reference: URL:http://www.securityfocus.com/bid/1511 OpenLDAP 1.2.11 and earlier improperly installs the ud binary with group write permissions, which could allow any user in that group to replace the binary with a Trojan horse. Analysis ---------------- ED_PRI CAN-2000-0748 3 Vendor Acknowledgement: unknown INCLUSION: Mandrake MDKSA-2000:024 and a SUSE document say that they are not vulnerable. Followup posts were not able to duplicate the problem. Voting Section -------------- Possible votes: ACCEPT/MODIFY/NOOP/REVIEWING/RECAST/REJECT If ACCEPT or MODIFY, include reason for acceptance: VERIFIED-BY-MY-ORG, ACKNOWLEDGED-BY-VENDOR, VERIFIED-BY-SOMEONE-I-TRUST, HAS-INDEPENDENT-CONFIRMATION, or provide other reason. VOTE: ACCEPT_REASON: COMMENTS: ====================================================== Candidate: CAN-2000-0757 Published: Final-Decision: Interim-Decision: Modified: Proposed: 20000921 Assigned: 20000919 Category: SF Reference: BUGTRAQ:20000808 Exploit for Totalbill... Reference: URL:http://archives.neohapsis.com/archives/bugtraq/2000-08/0074.html Reference: BID:1555 Reference: URL:http://www.securityfocus.com/bid/1555 The sysgen service in Aptis Totalbill does not perform authentication, which allows remote attackers to gain root privileges by connecting to the service and specifying the commands to be executed. Analysis ---------------- ED_PRI CAN-2000-0757 3 Vendor Acknowledgement: unknown Voting Section -------------- Possible votes: ACCEPT/MODIFY/NOOP/REVIEWING/RECAST/REJECT If ACCEPT or MODIFY, include reason for acceptance: VERIFIED-BY-MY-ORG, ACKNOWLEDGED-BY-VENDOR, VERIFIED-BY-SOMEONE-I-TRUST, HAS-INDEPENDENT-CONFIRMATION, or provide other reason. VOTE: ACCEPT_REASON: COMMENTS: ====================================================== Candidate: CAN-2000-0759 Published: Final-Decision: Interim-Decision: Modified: Proposed: 20000921 Assigned: 20000919 Category: SF Reference: BUGTRAQ:20000719 [LoWNOISE] Tomcat 3.1 Path Revealing Problem. Reference: URL:http://www.securityfocus.com/frames/?content=/templates/archive.pike%3Flist%3D1%26date%3D2000-07-15%26msg%3DPine.SUN.3.96.1000719184401.17782A-100000@grex.cyberspace.org Reference: BID:1531 Reference: URL:http://www.securityfocus.com/bid/1531 Reference: XF:tomcat-error-path-reveal Jakarta Tomcat 3.1 under Apache reveals physical path information when a remote attacker requests a URL that does not exist, which generates an error message that includes the physical path. Analysis ---------------- ED_PRI CAN-2000-0759 3 Vendor Acknowledgement: unknown Content Decisions: DESIGN-REAL-PATH INCLUSION: CD:DESIGN-REAL-PATH says that revealing physical path information to remote attackers is an exposure, and thus should be included in CVE. Voting Section -------------- Possible votes: ACCEPT/MODIFY/NOOP/REVIEWING/RECAST/REJECT If ACCEPT or MODIFY, include reason for acceptance: VERIFIED-BY-MY-ORG, ACKNOWLEDGED-BY-VENDOR, VERIFIED-BY-SOMEONE-I-TRUST, HAS-INDEPENDENT-CONFIRMATION, or provide other reason. VOTE: ACCEPT_REASON: COMMENTS: ====================================================== Candidate: CAN-2000-0760 Published: Final-Decision: Interim-Decision: Modified: Proposed: 20000921 Assigned: 20000919 Category: SF Reference: BUGTRAQ:20000719 [LoWNOISE] Snoop Servlet (Tomcat 3.1 and 3.0) Reference: http://www.securityfocus.com/frames/?content=/templates/archive.pike%3Flist%3D1%26date%3D2000-07-15%26msg%3DPine.SUN.3.96.1000719235404.24004A-100000@grex.cyberspace.org Reference: XF:tomcat-snoop-info Reference: BID:1532 Reference: URL:http://www.securityfocus.com/bid/1532 The Snoop servlet in Jakarta Tomcat 3.1 and 3.0 under Apache reveals sensitive system information when a remote attacker requests a nonexistent URL with a .snp extension. Analysis ---------------- ED_PRI CAN-2000-0760 3 Vendor Acknowledgement: unknown Voting Section -------------- Possible votes: ACCEPT/MODIFY/NOOP/REVIEWING/RECAST/REJECT If ACCEPT or MODIFY, include reason for acceptance: VERIFIED-BY-MY-ORG, ACKNOWLEDGED-BY-VENDOR, VERIFIED-BY-SOMEONE-I-TRUST, HAS-INDEPENDENT-CONFIRMATION, or provide other reason. VOTE: ACCEPT_REASON: COMMENTS: ====================================================== Candidate: CAN-2000-0773 Published: Final-Decision: Interim-Decision: Modified: Proposed: 20000921 Assigned: 20000919 Category: SF Reference: BUGTRAQ:20000731 Two security flaws in Bajie Webserver Reference: URL:http://archives.neohapsis.com/archives/bugtraq/2000-07/0426.html Reference: BID:1522 Reference: URL:http://www.securityfocus.com/bid/1522 Bajie HTTP web server 0.30a allows remote attackers to read arbitrary files by requesting a URL that contains a "....", a variant of the dot dot attack. Analysis ---------------- ED_PRI CAN-2000-0773 3 Vendor Acknowledgement: unknown Voting Section -------------- Possible votes: ACCEPT/MODIFY/NOOP/REVIEWING/RECAST/REJECT If ACCEPT or MODIFY, include reason for acceptance: VERIFIED-BY-MY-ORG, ACKNOWLEDGED-BY-VENDOR, VERIFIED-BY-SOMEONE-I-TRUST, HAS-INDEPENDENT-CONFIRMATION, or provide other reason. VOTE: ACCEPT_REASON: COMMENTS: ====================================================== Candidate: CAN-2000-0774 Published: Final-Decision: Interim-Decision: Modified: Proposed: 20000921 Assigned: 20000919 Category: SF Reference: BUGTRAQ:20000731 Two security flaws in Bajie Webserver Reference: URL:http://archives.neohapsis.com/archives/bugtraq/2000-07/0426.html Reference: BID:1521 Reference: URL:http://www.securityfocus.com/bid/1521 The sample Java servlet "test" in Bajie HTTP web server 0.30a reveals the real pathname of the web document root. Analysis ---------------- ED_PRI CAN-2000-0774 3 Vendor Acknowledgement: unknown Content Decisions: DESIGN-REAL-PATH INCLUSION: CD:DESIGN-REAL-PATH says that revealing physical path information to remote attackers is an exposure, and thus should be included in CVE. Voting Section -------------- Possible votes: ACCEPT/MODIFY/NOOP/REVIEWING/RECAST/REJECT If ACCEPT or MODIFY, include reason for acceptance: VERIFIED-BY-MY-ORG, ACKNOWLEDGED-BY-VENDOR, VERIFIED-BY-SOMEONE-I-TRUST, HAS-INDEPENDENT-CONFIRMATION, or provide other reason. VOTE: ACCEPT_REASON: COMMENTS: ====================================================== Candidate: CAN-2000-0781 Published: Final-Decision: Interim-Decision: Modified: Proposed: 20000921 Assigned: 20000919 Category: SF Reference: BUGTRAQ:20000728 Client Agent 6.62 for Unix Vulnerability Reference: URL:http://www.securityfocus.com/templates/archive.pike?list=1&msg=20000728034420.A19824@sdf.freeshell.org Reference: BID:1519 Reference: URL:http://www.securityfocus.com/bid/1519 uagentsetup in ARCServeIT Client Agent 6.62 does not properly check for the existence or ownership of a temporary file which is moved to the the agent.cfg configuration file, which allows local users to execute arbitrary commands by modifying the temporary file before it is moved. Analysis ---------------- ED_PRI CAN-2000-0781 3 Vendor Acknowledgement: unknown Voting Section -------------- Possible votes: ACCEPT/MODIFY/NOOP/REVIEWING/RECAST/REJECT If ACCEPT or MODIFY, include reason for acceptance: VERIFIED-BY-MY-ORG, ACKNOWLEDGED-BY-VENDOR, VERIFIED-BY-SOMEONE-I-TRUST, HAS-INDEPENDENT-CONFIRMATION, or provide other reason. VOTE: ACCEPT_REASON: COMMENTS: ====================================================== Candidate: CAN-2000-0785 Published: Final-Decision: Interim-Decision: Modified: Proposed: 20000921 Assigned: 20000919 Category: SF Reference: BUGTRAQ:20000713 More wIRCSrv stupidity Reference: URL:http://marc.theaimsgroup.com/?l=bugtraq&m=96353027909756&w=2 WircSrv IRC Server 5.07s allows IRC operators to read arbitrary files via the importmotd command, which sets the Message of the Day (MOTD) to the specified file. Analysis ---------------- ED_PRI CAN-2000-0785 3 Vendor Acknowledgement: unknown Voting Section -------------- Possible votes: ACCEPT/MODIFY/NOOP/REVIEWING/RECAST/REJECT If ACCEPT or MODIFY, include reason for acceptance: VERIFIED-BY-MY-ORG, ACKNOWLEDGED-BY-VENDOR, VERIFIED-BY-SOMEONE-I-TRUST, HAS-INDEPENDENT-CONFIRMATION, or provide other reason. VOTE: ACCEPT_REASON: COMMENTS: ====================================================== Candidate: CAN-2000-0788 Published: Final-Decision: Interim-Decision: Modified: Proposed: 20000921 Assigned: 20000919 Category: SF Reference: BUGTRAQ:20000807 MS Word and MS Access vulnerability - executing arbitrary programs, may be exploited by IE/Outlook Reference: URL:http://www.securityfocus.com/templates/archive.pike?list=1&msg=398EB9CA.27E03A9C@nat.bg Reference: BID:1566 Reference: URL:http://www.securityfocus.com/bid/1566 The Mail Merge tool in Microsoft Word does not prompt the user before executing Visual Basic (VBA) scripts in an Access database, which could allow an attacker to execute arbitrary commands. Analysis ---------------- ED_PRI CAN-2000-0788 3 Vendor Acknowledgement: unknown Voting Section -------------- Possible votes: ACCEPT/MODIFY/NOOP/REVIEWING/RECAST/REJECT If ACCEPT or MODIFY, include reason for acceptance: VERIFIED-BY-MY-ORG, ACKNOWLEDGED-BY-VENDOR, VERIFIED-BY-SOMEONE-I-TRUST, HAS-INDEPENDENT-CONFIRMATION, or provide other reason. VOTE: ACCEPT_REASON: COMMENTS: ====================================================== Candidate: CAN-2000-0793 Published: Final-Decision: Interim-Decision: Modified: Proposed: 20000921 Assigned: 20000919 Category: SF Reference: BUGTRAQ:20000728 Norton Antivirus Protection Disabled under Novell Netware Reference: URL:http://www.securityfocus.com/templates/archive.pike?list=1&msg=398222C5@zathras.cc.vt.edu Reference: BID:1533 Reference: URL:http://www.securityfocus.com/bid/1533 Norton AntiVirus 5.00.01C with the Novell Netware client does not properly restart the auto-protection service after the first user has logged off of the system. Analysis ---------------- ED_PRI CAN-2000-0793 3 Vendor Acknowledgement: unknown Voting Section -------------- Possible votes: ACCEPT/MODIFY/NOOP/REVIEWING/RECAST/REJECT If ACCEPT or MODIFY, include reason for acceptance: VERIFIED-BY-MY-ORG, ACKNOWLEDGED-BY-VENDOR, VERIFIED-BY-SOMEONE-I-TRUST, HAS-INDEPENDENT-CONFIRMATION, or provide other reason. VOTE: ACCEPT_REASON: COMMENTS: ====================================================== Candidate: CAN-2000-0794 Published: Final-Decision: Interim-Decision: Modified: Proposed: 20000921 Assigned: 20000919 Category: SF Reference: BUGTRAQ:20000802 [LSD] some unpublished LSD exploit codes Reference: URL:http://www.securityfocus.com/templates/archive.pike?list=1&msg=200008021924.e72JOVs12558@ix.put.poznan.pl Reference: BID:1527 Reference: URL:http://www.securityfocus.com/bid/1527 Buffer overflow in IRIX libgl.so library allows local users to gain root privileges via a long HOME variable to programs such as gmemusage and gr_osview. Analysis ---------------- ED_PRI CAN-2000-0794 3 Vendor Acknowledgement: unknown ABSTRACTION: CD:SF-LOC says that since this is a bug in a library, a single entry should be created, even if that library is used by multiple executables. Voting Section -------------- Possible votes: ACCEPT/MODIFY/NOOP/REVIEWING/RECAST/REJECT If ACCEPT or MODIFY, include reason for acceptance: VERIFIED-BY-MY-ORG, ACKNOWLEDGED-BY-VENDOR, VERIFIED-BY-SOMEONE-I-TRUST, HAS-INDEPENDENT-CONFIRMATION, or provide other reason. VOTE: ACCEPT_REASON: COMMENTS: ====================================================== Candidate: CAN-2000-0795 Published: Final-Decision: Interim-Decision: Modified: Proposed: 20000921 Assigned: 20000919 Category: SF Reference: BUGTRAQ:20000802 [LSD] some unpublished LSD exploit codes Reference: URL:http://www.securityfocus.com/templates/archive.pike?list=1&msg=200008021924.e72JOVs12558@ix.put.poznan.pl Reference: BID:1529 Reference: URL:http://www.securityfocus.com/bid/1529 Buffer overflow in lpstat in IRIX 6.2 and 6.3 allows local users to gain root privileges via a long -n option. Analysis ---------------- ED_PRI CAN-2000-0795 3 Vendor Acknowledgement: unknown This is probably a different bug than CAN-1999-0952, since -0952 is in the -c option. Voting Section -------------- Possible votes: ACCEPT/MODIFY/NOOP/REVIEWING/RECAST/REJECT If ACCEPT or MODIFY, include reason for acceptance: VERIFIED-BY-MY-ORG, ACKNOWLEDGED-BY-VENDOR, VERIFIED-BY-SOMEONE-I-TRUST, HAS-INDEPENDENT-CONFIRMATION, or provide other reason. VOTE: ACCEPT_REASON: COMMENTS: ====================================================== Candidate: CAN-2000-0796 Published: Final-Decision: Interim-Decision: Modified: Proposed: 20000921 Assigned: 20000919 Category: SF Reference: BUGTRAQ:20000802 [LSD] some unpublished LSD exploit codes Reference: URL:http://www.securityfocus.com/templates/archive.pike?list=1&msg=200008021924.e72JOVs12558@ix.put.poznan.pl Reference: BID:1528 Reference: URL:http://www.securityfocus.com/bid/1528 Buffer overflow in dmplay in IRIX 6.2 and 6.3 allows local users to gain root privileges via a long command line option. Analysis ---------------- ED_PRI CAN-2000-0796 3 Vendor Acknowledgement: unknown Voting Section -------------- Possible votes: ACCEPT/MODIFY/NOOP/REVIEWING/RECAST/REJECT If ACCEPT or MODIFY, include reason for acceptance: VERIFIED-BY-MY-ORG, ACKNOWLEDGED-BY-VENDOR, VERIFIED-BY-SOMEONE-I-TRUST, HAS-INDEPENDENT-CONFIRMATION, or provide other reason. VOTE: ACCEPT_REASON: COMMENTS: ====================================================== Candidate: CAN-2000-0797 Published: Final-Decision: Interim-Decision: Modified: Proposed: 20000921 Assigned: 20000919 Category: SF Reference: BUGTRAQ:20000802 [LSD] some unpublished LSD exploit codes Reference: URL:http://www.securityfocus.com/templates/archive.pike?list=1&msg=200008021924.e72JOVs12558@ix.put.poznan.pl Reference: BID:1526 Reference: URL:http://www.securityfocus.com/bid/1526 Buffer overflow in gr_osview in IRIX 6.2 and 6.3 allows local users to gain privileges via a long -D option. Analysis ---------------- ED_PRI CAN-2000-0797 3 Vendor Acknowledgement: unknown Voting Section -------------- Possible votes: ACCEPT/MODIFY/NOOP/REVIEWING/RECAST/REJECT If ACCEPT or MODIFY, include reason for acceptance: VERIFIED-BY-MY-ORG, ACKNOWLEDGED-BY-VENDOR, VERIFIED-BY-SOMEONE-I-TRUST, HAS-INDEPENDENT-CONFIRMATION, or provide other reason. VOTE: ACCEPT_REASON: COMMENTS: ====================================================== Candidate: CAN-2000-0798 Published: Final-Decision: Interim-Decision: Modified: Proposed: 20000921 Assigned: 20000919 Category: SF Reference: BUGTRAQ:20000802 [LSD] some unpublished LSD exploit codes Reference: URL:http://www.securityfocus.com/templates/archive.pike?list=1&msg=200008021924.e72JOVs12558@ix.put.poznan.pl Reference: BID:1540 Reference: URL:http://www.securityfocus.com/bid/1540 The truncate function in IRIX 6.x does not properly check for privileges when the file is in the xfs file system, which allows local users to delete the contents of arbitrary files. Analysis ---------------- ED_PRI CAN-2000-0798 3 Vendor Acknowledgement: unknown Voting Section -------------- Possible votes: ACCEPT/MODIFY/NOOP/REVIEWING/RECAST/REJECT If ACCEPT or MODIFY, include reason for acceptance: VERIFIED-BY-MY-ORG, ACKNOWLEDGED-BY-VENDOR, VERIFIED-BY-SOMEONE-I-TRUST, HAS-INDEPENDENT-CONFIRMATION, or provide other reason. VOTE: ACCEPT_REASON: COMMENTS: ====================================================== Candidate: CAN-2000-0799 Published: Final-Decision: Interim-Decision: Modified: Proposed: 20000921 Assigned: 20000919 Category: SF Reference: BUGTRAQ:20000802 [LSD] some unpublished LSD exploit codes Reference: URL:http://www.securityfocus.com/templates/archive.pike?list=1&msg=200008021924.e72JOVs12558@ix.put.poznan.pl Reference: BID:1530 Reference: URL:http://www.securityfocus.com/bid/1530 inpview program in SGI IRIX allows local users to gain privileges via a symlink attack. Analysis ---------------- ED_PRI CAN-2000-0799 3 Vendor Acknowledgement: unknown Voting Section -------------- Possible votes: ACCEPT/MODIFY/NOOP/REVIEWING/RECAST/REJECT If ACCEPT or MODIFY, include reason for acceptance: VERIFIED-BY-MY-ORG, ACKNOWLEDGED-BY-VENDOR, VERIFIED-BY-SOMEONE-I-TRUST, HAS-INDEPENDENT-CONFIRMATION, or provide other reason. VOTE: ACCEPT_REASON: COMMENTS: ====================================================== Candidate: CAN-2000-0801 Published: Final-Decision: Interim-Decision: Modified: Proposed: 20000921 Assigned: 20000919 Category: SF Reference: BUGTRAQ:20000727 [ Hackerslab bug_paper ] HP-UX bdf -t option buffer overflow vul. Reference: URL:http://archives.neohapsis.com/archives/bugtraq/2000-07/0388.html Reference: BID:1520 Reference: URL:http://www.securityfocus.com/bid/1520 Buffer overflow in bdf program in HP-UX 11.00 may allow local users to gain root privileges via a long -t option. Analysis ---------------- ED_PRI CAN-2000-0801 3 Vendor Acknowledgement: unknown INCLUSION: The initial announcement indicates that it is uncertain whether this is exploitable. Voting Section -------------- Possible votes: ACCEPT/MODIFY/NOOP/REVIEWING/RECAST/REJECT If ACCEPT or MODIFY, include reason for acceptance: VERIFIED-BY-MY-ORG, ACKNOWLEDGED-BY-VENDOR, VERIFIED-BY-SOMEONE-I-TRUST, HAS-INDEPENDENT-CONFIRMATION, or provide other reason. VOTE: ACCEPT_REASON: COMMENTS: ====================================================== Candidate: CAN-2000-0802 Published: Final-Decision: Interim-Decision: Modified: Proposed: 20000921 Assigned: 20000919 Category: SF Reference: BUGTRAQ:20000722 More bad censorware Reference: URL:http://marc.theaimsgroup.com/?l=bugtraq&m=96430372326912&w=2 Reference: XF:bair-security-removal The BAIR program does not properly restrict access to the Internet Explorer Internet options menu, which allows local users to obtain access to the menu by modifying the registry key that starts BAIR. Analysis ---------------- ED_PRI CAN-2000-0802 3 Vendor Acknowledgement: unknown Voting Section -------------- Possible votes: ACCEPT/MODIFY/NOOP/REVIEWING/RECAST/REJECT If ACCEPT or MODIFY, include reason for acceptance: VERIFIED-BY-MY-ORG, ACKNOWLEDGED-BY-VENDOR, VERIFIED-BY-SOMEONE-I-TRUST, HAS-INDEPENDENT-CONFIRMATION, or provide other reason. VOTE: ACCEPT_REASON: COMMENTS:
- Prev by Date: [BOARD] Troy Bollinger has joined the Editorial Board
- Next by Date: [PROPOSAL] Clusters RECENT-33 and RECENT-34 - 56 candidates
- Prev by thread: [BOARD] Troy Bollinger has joined the Editorial Board
- Next by thread: [PROPOSAL] Clusters RECENT-33 and RECENT-34 - 56 candidates
- Index(es):
