[PROPOSAL] Clusters RECENT-33 and RECENT-34 - 56 candidates
This message contains candidates from 2 clusters, due to the volume of candidates being proposed this week. The clusters are separated on the voting web site.

Board members can use the voting web site instead of this ballot, which is posted for other Board members and as a part of the public record.

These voting ballots include the new Analysis field as discussed in a previous post with explanations of applications of content decisions. The degree of vendor acknowledgement is also made more prominent. Finally, a new ACCEPT_REASON form has been added for Board members to include the reason why they vote to ACCEPT or MODIFY an item.

RECENT-33 contains 30 candidates that were announced between 8/9/2000 and 8/16/2000.

RECENT-34 contains 26 problems that were announced between 8/17/2000 and 8/24/2000.

- Steve


Summary of votes to use (in ascending order of "severity")
----------------------------------------------------------

ACCEPT - voter accepts the candidate as proposed
NOOP - voter has no opinion on the candidate
MODIFY - voter wants to change some MINOR detail (e.g. reference/description)
REVIEWING - voter is reviewing/researching the candidate, or needs more info
RECAST - candidate must be significantly modified, e.g. split or merged
REJECT - candidate is "not a vulnerability", or a duplicate, etc.

1) Please write your vote on the line that starts with "VOTE: ". If you want to add comments or details, add them to lines after the VOTE: line.

2) If you see any missing references, please mention them so that they can be included. References help greatly during mapping.

3) Note that a "MODIFY" is treated as an "ACCEPT" when counting votes. So if you don't have sufficient information for a candidate but you don't want to NOOP, use a REVIEWING.

********** NOTE ********** NOTE ********** NOTE ********** NOTE **********

Please keep in mind that your vote and comments will be recorded and publicly viewable in the mailing list archives or in other formats.

======================================================
Candidate: CAN-2000-0677
Published:
Final-Decision:
Interim-Decision:
Modified:
Proposed: 20000921
Assigned: 20000823
Category: SF
Reference: ISS:20000907 Buffer Overflow in IBM Net.Data db2www CGI program.
Reference: URL:http://xforce.iss.net/alerts/

Buffer overflow in IBM Net.Data db2www CGI program allows remote attackers to execute arbitrary commands via a long PATH_INFO environmental variable.

Analysis
----------------
ED_PRI CAN-2000-0677 1
Vendor Acknowledgement: yes

Voting Section
--------------

Possible votes: ACCEPT/MODIFY/NOOP/REVIEWING/RECAST/REJECT
If ACCEPT or MODIFY, include reason for acceptance: VERIFIED-BY-MY-ORG, ACKNOWLEDGED-BY-VENDOR, VERIFIED-BY-SOMEONE-I-TRUST, HAS-INDEPENDENT-CONFIRMATION, or provide other reason.

VOTE:
ACCEPT_REASON:
COMMENTS:

======================================================
Candidate: CAN-2000-0678
Published:
Final-Decision:
Interim-Decision:
Modified:
Proposed: 20000921
Assigned: 20000825
Category: SF
Reference: CERT:CA-2000-18
Reference: URL:http://www.cert.org/advisories/CA-2000-18.html
Reference: BID:1606
Reference: URL:http://www.securityfocus.com/bid/1606

PGP 5.5.x through 6.5.3 does not properly check if an Additional Decryption Key (ADK) is stored in the signed portion of a public certificate, which allows an attacker who can modify a victim's public certificate to decrypt any data that has been encrypted with the modified certificate.

Analysis
----------------
ED_PRI CAN-2000-0678 1
Vendor Acknowledgement: yes

Voting Section
--------------

Possible votes: ACCEPT/MODIFY/NOOP/REVIEWING/RECAST/REJECT
If ACCEPT or MODIFY, include reason for acceptance: VERIFIED-BY-MY-ORG, ACKNOWLEDGED-BY-VENDOR, VERIFIED-BY-SOMEONE-I-TRUST, HAS-INDEPENDENT-CONFIRMATION, or provide other reason.

VOTE:
ACCEPT_REASON:
COMMENTS:

======================================================
Candidate: CAN-2000-0706
Published:
Final-Decision:
Interim-Decision:
Modified:
Proposed: 20000921
Assigned: 20000919
Category: SF
Reference: FREEBSD:FreeBSD-SA-00:36
Reference: URL:http://archives.neohapsis.com/archives/freebsd/2000-08/0095.html
Reference: DEBIAN:20000830 ntop: Still remotely exploitable using buffer overflows
Reference: URL:http://www.debian.org/security/2000/20000830
Reference: BID:1576
Reference: URL:http://www.securityfocus.com/bid/1576

Buffer overflows in ntop running in web mode allow remote attackers to execute arbitrary commands.

Analysis
----------------
ED_PRI CAN-2000-0706 1
Vendor Acknowledgement: yes advisory

Voting Section
--------------

Possible votes: ACCEPT/MODIFY/NOOP/REVIEWING/RECAST/REJECT
If ACCEPT or MODIFY, include reason for acceptance: VERIFIED-BY-MY-ORG, ACKNOWLEDGED-BY-VENDOR, VERIFIED-BY-SOMEONE-I-TRUST, HAS-INDEPENDENT-CONFIRMATION, or provide other reason.

VOTE:
ACCEPT_REASON:
COMMENTS:

======================================================
Candidate: CAN-2000-0725
Published:
Final-Decision:
Interim-Decision:
Modified:
Proposed: 20000921
Assigned: 20000919
Category: SF
Reference: CONFIRM:http://www.zope.org/Products/Zope/Hotfix_08_09_2000/security_alert
Reference: REDHAT:RHSA-2000:052-02
Reference: URL:http://archives.neohapsis.com/archives/bugtraq/2000-08/0131.html
Reference: DEBIAN:20000821 zope: unauthorized escalation of privilege (update)
Reference: URL:http://www.debian.org/security/2000/20000821
Reference: BUGTRAQ:20000821 Conectiva Linux Security Announcement - Zope
Reference: URL:http://archives.neohapsis.com/archives/bugtraq/2000-08/0259.html
Reference: BUGTRAQ:20000816 MDKSA-2000:035 Zope update
Reference: URL:http://archives.neohapsis.com/archives/bugtraq/2000-08/0198.html
Reference: BID:1577
Reference: URL:http://www.securityfocus.com/bid/1577

Zope before 2.2.1 does not properly restrict access to the getRoles method, which allows users who can edit DTML to add or modify roles by modifying the roles list that is included in a request.

Analysis
----------------
ED_PRI CAN-2000-0725 1
Vendor Acknowledgement: yes advisory

Voting Section
--------------

Possible votes: ACCEPT/MODIFY/NOOP/REVIEWING/RECAST/REJECT
If ACCEPT or MODIFY, include reason for acceptance: VERIFIED-BY-MY-ORG, ACKNOWLEDGED-BY-VENDOR, VERIFIED-BY-SOMEONE-I-TRUST, HAS-INDEPENDENT-CONFIRMATION, or provide other reason.

VOTE:
ACCEPT_REASON:
COMMENTS:

======================================================
Candidate: CAN-2000-0730
Published:
Final-Decision:
Interim-Decision:
Modified:
Proposed: 20000921
Assigned: 20000919
Category: SF
Reference: HP:HPSBUX0008-118
Reference: URL:http://archives.neohapsis.com/archives/bugtraq/2000-08/0144.html
Reference: BID:1580
Reference: URL:http://www.securityfocus.com/bid/1580

Vulnerability in newgrp command in HP-UX 11.0 allows local users to gain privileges.

Analysis
----------------
ED_PRI CAN-2000-0730 1
Vendor Acknowledgement: yes advisory

There is insufficient information to determine if this is the same vulnerability as CVE-1999-0050, which was announced several years earlier. To be safe, this is being recorded separately.

Voting Section
--------------

Possible votes: ACCEPT/MODIFY/NOOP/REVIEWING/RECAST/REJECT
If ACCEPT or MODIFY, include reason for acceptance: VERIFIED-BY-MY-ORG, ACKNOWLEDGED-BY-VENDOR, VERIFIED-BY-SOMEONE-I-TRUST, HAS-INDEPENDENT-CONFIRMATION, or provide other reason.

VOTE:
ACCEPT_REASON:
COMMENTS:

======================================================
Candidate: CAN-2000-0733
Published:
Final-Decision:
Interim-Decision:
Modified:
Proposed: 20000921
Assigned: 20000919
Category: SF
Reference: BUGTRAQ:20000814 [LSD] IRIX telnetd remote vulnerability
Reference: URL:http://archives.neohapsis.com/archives/bugtraq/2000-08/0154.html
Reference: SGI:20000801-02-P
Reference: URL:ftp://sgigate.sgi.com/security/20000801-02-P
Reference: BID:1572
Reference: URL:http://www.securityfocus.com/bid/1572

Telnetd telnet server in IRIX 5.2 through 6.1 does not properly cleanse user-injected format strings, which allows remote attackers to execute arbitrary commands via a long RLD variable in the IAC-SB-TELOPT_ENVIRON request.

Analysis
----------------
ED_PRI CAN-2000-0733 1
Vendor Acknowledgement: yes advisory

While the SGI advisory describes this as a buffer overflow problem, it is actually a format string problem, as indicated by the references that SGI includes in its advisory.

Voting Section
--------------

Possible votes: ACCEPT/MODIFY/NOOP/REVIEWING/RECAST/REJECT
If ACCEPT or MODIFY, include reason for acceptance: VERIFIED-BY-MY-ORG, ACKNOWLEDGED-BY-VENDOR, VERIFIED-BY-SOMEONE-I-TRUST, HAS-INDEPENDENT-CONFIRMATION, or provide other reason.

VOTE:
ACCEPT_REASON:
COMMENTS:

======================================================
Candidate: CAN-2000-0754
Published:
Final-Decision:
Interim-Decision:
Modified:
Proposed: 20000921
Assigned: 20000919
Category: SF
Reference: HP:HPSBUX0008-119
Reference: URL:http://archives.neohapsis.com/archives/bugtraq/2000-08/0144.html
Reference: BID:1581
Reference: URL:http://www.securityfocus.com/bid/1581

Vulnerability in HP OpenView Network Node Manager (NMM) version 6.1 related to passwords.

Analysis
----------------
ED_PRI CAN-2000-0754 1
Vendor Acknowledgement: yes advisory

The HP advisory does not provide additional details. It is difficult to tell what the impact/damage is, or whether the problem is locally or remotely exploitable.

Voting Section
--------------

Possible votes: ACCEPT/MODIFY/NOOP/REVIEWING/RECAST/REJECT
If ACCEPT or MODIFY, include reason for acceptance: VERIFIED-BY-MY-ORG, ACKNOWLEDGED-BY-VENDOR, VERIFIED-BY-SOMEONE-I-TRUST, HAS-INDEPENDENT-CONFIRMATION, or provide other reason.

VOTE:
ACCEPT_REASON:
COMMENTS:

======================================================
Candidate: CAN-2000-0763
Published:
Final-Decision:
Interim-Decision:
Modified:
Proposed: 20000921
Assigned: 20000919
Category: SF
Reference: BUGTRAQ:20000816 xlock vulnerability
Reference: URL:http://www.securityfocus.com/templates/archive.pike?list=1&msg=20000815231724.A14694@subterrain.net
Reference: DEBIAN:20000816 xlockmore: possible shadow file compromise
Reference: URL:http://www.debian.org/security/2000/20000816
Reference: FREEBSD:FreeBSD-SA-00:44.xlockmore
Reference: URL:http://archives.neohapsis.com/archives/freebsd/2000-08/0340.html
Reference: BUGTRAQ:20000817 Conectiva Linux Security Announcement - xlockmore
Reference: URL:http://archives.neohapsis.com/archives/bugtraq/2000-08/0212.html
Reference: BUGTRAQ:20000823 MDKSA-2000:038 - xlockmore update
Reference: URL:http://archives.neohapsis.com/archives/bugtraq/2000-08/0294.html
Reference: BID:1585
Reference: URL:http://www.securityfocus.com/bid/1585

xlockmore and xlockf do not properly cleanse user-injected format strings, which allows local users to gain root privileges via the -d option.

Analysis
----------------
ED_PRI CAN-2000-0763 1
Vendor Acknowledgement: yes advisory

Voting Section
--------------

Possible votes: ACCEPT/MODIFY/NOOP/REVIEWING/RECAST/REJECT
If ACCEPT or MODIFY, include reason for acceptance: VERIFIED-BY-MY-ORG, ACKNOWLEDGED-BY-VENDOR, VERIFIED-BY-SOMEONE-I-TRUST, HAS-INDEPENDENT-CONFIRMATION, or provide other reason.

VOTE:
ACCEPT_REASON:
COMMENTS:

======================================================
Candidate: CAN-2000-0765
Published:
Final-Decision:
Interim-Decision:
Modified:
Proposed: 20000921
Assigned: 20000919
Category: SF
Reference: MS:MS00-056
Reference: URL:http://www.microsoft.com/technet/security/bulletin/MS00-056.asp
Reference: BID:1561
Reference: URL:http://www.securityfocus.com/bid/1561

Buffer overflow in the HTML interpreter in Microsoft Office 2000 allows an attacker to execute arbitrary commands via a long embedded object tag, aka the "Microsoft Office HTML Object Tag" vulnerability.

Analysis
----------------
ED_PRI CAN-2000-0765 1
Vendor Acknowledgement: yes advisory

Voting Section
--------------

Possible votes: ACCEPT/MODIFY/NOOP/REVIEWING/RECAST/REJECT
If ACCEPT or MODIFY, include reason for acceptance: VERIFIED-BY-MY-ORG, ACKNOWLEDGED-BY-VENDOR, VERIFIED-BY-SOMEONE-I-TRUST, HAS-INDEPENDENT-CONFIRMATION, or provide other reason.

VOTE:
ACCEPT_REASON:
COMMENTS:

======================================================
Candidate: CAN-2000-0767
Published:
Final-Decision:
Interim-Decision:
Modified:
Proposed: 20000921
Assigned: 20000919
Category: SF
Reference: MS:MS00-055
Reference: URL:http://www.microsoft.com/technet/security/bulletin/MS00-055.asp
Reference: BID:1564
Reference: URL:http://www.securityfocus.com/bid/1564

The ActiveX control for invoking a scriptlet in Internet Explorer 4.x and 5.x renders arbitrary file types instead of HTML, which allows an attacker to read arbitrary files, aka the "Scriptlet Rendering" vulnerability.

Analysis
----------------
ED_PRI CAN-2000-0767 1
Vendor Acknowledgement: yes advisory

Voting Section
--------------

Possible votes: ACCEPT/MODIFY/NOOP/REVIEWING/RECAST/REJECT
If ACCEPT or MODIFY, include reason for acceptance: VERIFIED-BY-MY-ORG, ACKNOWLEDGED-BY-VENDOR, VERIFIED-BY-SOMEONE-I-TRUST, HAS-INDEPENDENT-CONFIRMATION, or provide other reason.

VOTE:
ACCEPT_REASON:
COMMENTS:

======================================================
Candidate: CAN-2000-0768
Published:
Final-Decision:
Interim-Decision:
Modified:
Proposed: 20000921
Assigned: 20000919
Category: SF
Reference: MS:MS00-055
Reference: URL:http://www.microsoft.com/technet/security/bulletin/MS00-055.asp
Reference: BID:1564
Reference: URL:http://www.securityfocus.com/bid/1564

A function in Internet Explorer 4.x and 5.x does not properly verify the domain of a frame within a browser window, which allows a remote attacker to read client files, aka a variant of the "Frame Domain Verification" vulnerability.

Analysis
----------------
ED_PRI CAN-2000-0768 1
Vendor Acknowledgement: yes advisory

The original "Frame Domain Verification" problem is described in MS:MS00-033 and CVE-2000-0465.

Voting Section
--------------

Possible votes: ACCEPT/MODIFY/NOOP/REVIEWING/RECAST/REJECT
If ACCEPT or MODIFY, include reason for acceptance: VERIFIED-BY-MY-ORG, ACKNOWLEDGED-BY-VENDOR, VERIFIED-BY-SOMEONE-I-TRUST, HAS-INDEPENDENT-CONFIRMATION, or provide other reason.

VOTE:
ACCEPT_REASON:
COMMENTS:

======================================================
Candidate: CAN-2000-0770
Published:
Final-Decision:
Interim-Decision:
Modified:
Proposed: 20000921
Assigned: 20000919
Category: SF
Reference: MS:MS00-057
Reference: http://www.microsoft.com/technet/security/bulletin/MS00-057.asp
Reference: BID:1565
Reference: URL:http://www.securityfocus.com/bid/1565

IIS 4.0 and 5.0 do not properly restrict access to certain types of files when their parent folders have less restrictive permissions, which could allow remote attackers to bypass access restrictions to some files, aka the "File Permission Canonicalization" vulnerability.

Analysis
----------------
ED_PRI CAN-2000-0770 1
Vendor Acknowledgement: yes

Voting Section
--------------

Possible votes: ACCEPT/MODIFY/NOOP/REVIEWING/RECAST/REJECT
If ACCEPT or MODIFY, include reason for acceptance: VERIFIED-BY-MY-ORG, ACKNOWLEDGED-BY-VENDOR, VERIFIED-BY-SOMEONE-I-TRUST, HAS-INDEPENDENT-CONFIRMATION, or provide other reason.

VOTE:
ACCEPT_REASON:
COMMENTS:

======================================================
Candidate: CAN-2000-0778
Published:
Final-Decision:
Interim-Decision:
Modified:
Proposed: 20000921
Assigned: 20000919
Category: SF
Reference: MS:MS00-058
Reference: URL:http://www.microsoft.com/technet/security/bulletin/MS00-058.asp
Reference: BUGTRAQ:20000815 Translate:f summary, history and thoughts
Reference: URL:http://www.securityfocus.com/templates/archive.pike?list=1&msg=080D5336D882D211B56B0060080F2CD696A7C9@beta.mia.cz
Reference: NTBUGTRAQ:20000816 Translate: f
Reference: URL:http://www.ntbugtraq.com/default.asp?pid=36&sid=1&A2=ind0008&L=ntbugtraq&F=&S=&P=5212
Reference: BID:1578
Reference: URL:http://www.securityfocus.com/bid/1578

IIS 5.0 allows remote attackers to obtain source code for .ASP files and other scripts via an HTTP GET request with a "Translate: f" header, aka the "Specialized Header" vulnerability.

Analysis
----------------
ED_PRI CAN-2000-0778 1
Vendor Acknowledgement: yes advisory

Voting Section
--------------

Possible votes: ACCEPT/MODIFY/NOOP/REVIEWING/RECAST/REJECT
If ACCEPT or MODIFY, include reason for acceptance: VERIFIED-BY-MY-ORG, ACKNOWLEDGED-BY-VENDOR, VERIFIED-BY-SOMEONE-I-TRUST, HAS-INDEPENDENT-CONFIRMATION, or provide other reason.

VOTE:
ACCEPT_REASON:
COMMENTS:

======================================================
Candidate: CAN-2000-0787
Published:
Final-Decision:
Interim-Decision:
Modified:
Proposed: 20000921
Assigned: 20000919
Category: SF
Reference: BUGTRAQ: 20000817 XChat URL handler vulnerabilty
Reference: URL:http://archives.neohapsis.com/archives/bugtraq/2000-08/0215.html
Reference: BID:1601
Reference: URL:http://www.securityfocus.com/bid/1601
Reference: REDHAT:RHSA-2000:055-03
Reference: URL:http://www.redhat.com/support/errata/RHSA-2000-055-03.html
Reference: BUGTRAQ:20000824 MDKSA-2000:039 - xchat update
Reference: URL:http://archives.neohapsis.com/archives/bugtraq/2000-08/0301.html
Reference: BUGTRAQ:20000825 Conectiva Linux Security Announcement - xchat
Reference: URL:http://archives.neohapsis.com/archives/bugtraq/2000-08/0305.html

IRC Xchat client versions 1.4.2 and earlier allow remote attackers to execute arbitrary commands by encoding shell metacharacters into a URL which XChat uses to launch a web browser.

Analysis
----------------
ED_PRI CAN-2000-0787 1
Vendor Acknowledgement: yes

Voting Section
--------------

Possible votes: ACCEPT/MODIFY/NOOP/REVIEWING/RECAST/REJECT
If ACCEPT or MODIFY, include reason for acceptance: VERIFIED-BY-MY-ORG, ACKNOWLEDGED-BY-VENDOR, VERIFIED-BY-SOMEONE-I-TRUST, HAS-INDEPENDENT-CONFIRMATION, or provide other reason.

VOTE:
ACCEPT_REASON:
COMMENTS:

======================================================
Candidate: CAN-2000-0800
Published:
Final-Decision:
Interim-Decision:
Modified:
Proposed: 20000921
Assigned: 20000919
Category: SF
Reference: SUSE:20000810 Security Hole in knfsd, all versions
Reference: URL:http://www.suse.de/de/support/security/suse_security_announce_58.txt

String parsing error in rpc.kstatd in the linuxnfs or knfsd packages in SuSE and possibly other Linux systems allows remote attackers to gain root privileges.

Analysis
----------------
ED_PRI CAN-2000-0800 1
Vendor Acknowledgement: yes

DESCRIPTION: This sounds like one of the new format string problems, but the wording of the advisory is unclear.

Voting Section
--------------

Possible votes: ACCEPT/MODIFY/NOOP/REVIEWING/RECAST/REJECT
If ACCEPT or MODIFY, include reason for acceptance: VERIFIED-BY-MY-ORG, ACKNOWLEDGED-BY-VENDOR, VERIFIED-BY-SOMEONE-I-TRUST, HAS-INDEPENDENT-CONFIRMATION, or provide other reason.

VOTE:
ACCEPT_REASON:
COMMENTS:

======================================================
Candidate: CAN-2000-0708
Published:
Final-Decision:
Interim-Decision:
Modified:
Proposed: 20000921
Assigned: 20000919
Category: SF
Reference: NTBUGTRAQ:20000824 Remote DoS Attack in Pragma TelnetServer 2000 (Remote Execute Daemon) Vulnerability
Reference: URL:http://www.ntbugtraq.com/default.asp?pid=36&sid=1&A2=ind0008&L=NTBUGTRAQ&P=R4247
Reference: BID:1605
Reference: URL:http://www.securityfocus.com/bid/1605

Buffer overflow in Pragma Systems TelnetServer 2000 version 4.0 allows remote attackers to cause a denial of service via a long series of null characters to the rexec port.

Analysis
----------------
ED_PRI CAN-2000-0708 2
Vendor Acknowledgement: yes web-page

Vendor acknowledgement at http://www.pragmasys.com/TelnetServer/ : "USSRLabs reported a buffer overflow security breach for TelnetD Server Version 4 Build 4 for NT. This problem has been corrected and is now available for download"

Voting Section
--------------

Possible votes: ACCEPT/MODIFY/NOOP/REVIEWING/RECAST/REJECT
If ACCEPT or MODIFY, include reason for acceptance: VERIFIED-BY-MY-ORG, ACKNOWLEDGED-BY-VENDOR, VERIFIED-BY-SOMEONE-I-TRUST, HAS-INDEPENDENT-CONFIRMATION, or provide other reason.

VOTE:
ACCEPT_REASON:
COMMENTS:

======================================================
Candidate: CAN-2000-0709
Published:
Final-Decision:
Interim-Decision:
Modified:
Proposed: 20000921
Assigned: 20000919
Category: SF
Reference: BUGTRAQ:20000823 Xato Advisory: FrontPage DOS Device DoS
Reference: URL:http://archives.neohapsis.com/archives/bugtraq/2000-08/0288.html
Reference: CONFIRM:http://msdn.microsoft.com/workshop/languages/fp/2000/sr12.asp
Reference: BID:1608
Reference: URL:http://www.securityfocus.com/bid/1608

The shtml.exe component of Microsoft FrontPage 2000 Server Extensions 1.1 allows remote attackers to cause a denial of service in some components by requesting a URL whose name includes a standard DOS device name.

Analysis
----------------
ED_PRI CAN-2000-0709 2
Vendor Acknowledgement: yes patch

Voting Section
--------------

Possible votes: ACCEPT/MODIFY/NOOP/REVIEWING/RECAST/REJECT
If ACCEPT or MODIFY, include reason for acceptance: VERIFIED-BY-MY-ORG, ACKNOWLEDGED-BY-VENDOR, VERIFIED-BY-SOMEONE-I-TRUST, HAS-INDEPENDENT-CONFIRMATION, or provide other reason.

VOTE:
ACCEPT_REASON:
COMMENTS:

======================================================
Candidate: CAN-2000-0718
Published:
Final-Decision:
Interim-Decision:
Modified:
Proposed: 20000921
Assigned: 20000919
Category: SF
Reference: BUGTRAQ:20000812 MDKSA-2000:034 MandrakeUpdate update
Reference: URL:http://archives.neohapsis.com/archives/bugtraq/2000-08/0146.html
Reference: BID:1567
Reference: URL:http://www.securityfocus.com/vdb/bottom.html?vid=1567

A race condition in MandrakeUpdate allows local users to modify RPM files while they are in the /tmp directory before they are installed.

Analysis
----------------
ED_PRI CAN-2000-0718 2
Vendor Acknowledgement: yes advisory

Voting Section
--------------

Possible votes: ACCEPT/MODIFY/NOOP/REVIEWING/RECAST/REJECT
If ACCEPT or MODIFY, include reason for acceptance: VERIFIED-BY-MY-ORG, ACKNOWLEDGED-BY-VENDOR, VERIFIED-BY-SOMEONE-I-TRUST, HAS-INDEPENDENT-CONFIRMATION, or provide other reason.

VOTE:
ACCEPT_REASON:
COMMENTS:

======================================================
Candidate: CAN-2000-0743
Published:
Final-Decision:
Interim-Decision:
Modified:
Proposed: 20000921
Assigned: 20000919
Category: SF
Reference: BUGTRAQ:20000810 Remote vulnerability in Gopherd 2.x
Reference: URL:http://archives.neohapsis.com/archives/bugtraq/2000-08/0112.html
Reference: BID:1569
Reference: URL:http://www.securityfocus.com/bid/1569

Buffer overflow in University of Minnesota (UMN) gopherd 2.x allows remote attackers to execute arbitrary commands via a DES key generation request (GDESkey) that contains a long ticket value.

Analysis
----------------
ED_PRI CAN-2000-0743 2
Vendor Acknowledgement: yes patch

ACKNOWLEDGEMENT: Lines 501-503 of gopher2_3.1/gopherd/authenticate.c in the following distribution provide the patch as suggested in the original post: ftp://boombox.micro.umn.edu/pub/gopher/Unix/gopher2_3.1.tar.gz

Voting Section
--------------

Possible votes: ACCEPT/MODIFY/NOOP/REVIEWING/RECAST/REJECT
If ACCEPT or MODIFY, include reason for acceptance: VERIFIED-BY-MY-ORG, ACKNOWLEDGED-BY-VENDOR, VERIFIED-BY-SOMEONE-I-TRUST, HAS-INDEPENDENT-CONFIRMATION, or provide other reason.

VOTE:
ACCEPT_REASON:
COMMENTS:

======================================================
Candidate: CAN-2000-0744
Published:
Final-Decision:
Interim-Decision:
Modified:
Proposed: 20000921
Assigned: 20000919
Category: SF
Reference: BUGTRAQ:20000810 Remote vulnerability in Gopherd 2.x
Reference: URL:http://archives.neohapsis.com/archives/bugtraq/2000-08/0112.html
Reference: BID:1569
Reference: URL:http://www.securityfocus.com/bid/1569

Buffer overflow in University of Minnesota (UMN) gopherd 2.x allows remote attackers to execute arbitrary commands via a DES key generation request (GDESkey) that contains a long ticket value.

Analysis
----------------
ED_PRI CAN-2000-0744 2
Vendor Acknowledgement: yes patch

Voting Section
--------------

Possible votes: ACCEPT/MODIFY/NOOP/REVIEWING/RECAST/REJECT
If ACCEPT or MODIFY, include reason for acceptance: VERIFIED-BY-MY-ORG, ACKNOWLEDGED-BY-VENDOR, VERIFIED-BY-SOMEONE-I-TRUST, HAS-INDEPENDENT-CONFIRMATION, or provide other reason.

VOTE:
ACCEPT_REASON:
COMMENTS:

======================================================
Candidate: CAN-2000-0745
Published:
Final-Decision:
Interim-Decision:
Modified:
Proposed: 20000921
Assigned: 20000919
Category: SF
Reference: BUGTRAQ:20000821 Vuln. in all sites using PHP-Nuke, versions less than 3
Reference: URL:http://archives.neohapsis.com/archives/bugtraq/2000-08/0243.html
Reference: BID:1592
Reference: URL:http://www.securityfocus.com/bid/1592

admin.php3 in PHP-Nuke does not properly verify the PHP-Nuke administrator password, which allows remote attackers to gain privileges by requesting a URL that does not specify the aid or pwd parameter.

Analysis
----------------
ED_PRI CAN-2000-0745 2
Vendor Acknowledgement: yes changelog

ACKNOWLEDGEMENT: The CHANGES file in the PHP-Nuke-3.0.tar.gz distribution at: http://www.ncc.org.ve/php-nuke.php3?op=download&location=&file= includes the following:

>August 2000: Version 3.0
>========================
>- Fixed security bug in admin.php3 that allows anyone to enter to the
>  admin section without login and password

Voting Section
--------------

Possible votes: ACCEPT/MODIFY/NOOP/REVIEWING/RECAST/REJECT
If ACCEPT or MODIFY, include reason for acceptance: VERIFIED-BY-MY-ORG, ACKNOWLEDGED-BY-VENDOR, VERIFIED-BY-SOMEONE-I-TRUST, HAS-INDEPENDENT-CONFIRMATION, or provide other reason.

VOTE:
ACCEPT_REASON:
COMMENTS:

======================================================
Candidate: CAN-2000-0758
Published:
Final-Decision:
Interim-Decision:
Modified:
Proposed: 20000921
Assigned: 20000919
Category: SF
Reference: BUGTRAQ:20000811 Lyris List Manager Administration Hole
Reference: URL:http://archives.neohapsis.com/archives/bugtraq/2000-08/0149.html
Reference: CONFIRM:http://www.lyris.com/lm/lm_updates.html
Reference: BID:1584
Reference: URL:http://www.securityfocus.com/bid/1584

The web interface for Lyris List Manager 3 and 4 allows list subscribers to obtain administrative access by modifying the value of the list_admin hidden form field.

Analysis
----------------
ED_PRI CAN-2000-0758 2
Vendor Acknowledgement: yes web-page

Voting Section
--------------

Possible votes: ACCEPT/MODIFY/NOOP/REVIEWING/RECAST/REJECT
If ACCEPT or MODIFY, include reason for acceptance: VERIFIED-BY-MY-ORG, ACKNOWLEDGED-BY-VENDOR, VERIFIED-BY-SOMEONE-I-TRUST, HAS-INDEPENDENT-CONFIRMATION, or provide other reason.

VOTE:
ACCEPT_REASON:
COMMENTS:

======================================================
Candidate: CAN-2000-0761
Published:
Final-Decision:
Interim-Decision:
Modified:
Proposed: 20000921
Assigned: 20000919
Category: SF
Reference: BUGTRAQ:20000815 OS/2 Warp 4.5 FTP Server DoS
Reference: URL:http://archives.neohapsis.com/archives/bugtraq/2000-08/0166.html
Reference: CONFIRM:ftp://ftp.software.ibm.com/ps/products/tcpip/fixes/v4.3os2/ic27721/README
Reference: BID:1582
Reference: URL:http://www.securityfocus.com/bid/1582

OS2/Warp 4.5 FTP server allows remote attackers to cause a denial of service via a long username.

Analysis
----------------
ED_PRI CAN-2000-0761 2
Vendor Acknowledgement: yes patch

Voting Section
--------------

Possible votes: ACCEPT/MODIFY/NOOP/REVIEWING/RECAST/REJECT
If ACCEPT or MODIFY, include reason for acceptance: VERIFIED-BY-MY-ORG, ACKNOWLEDGED-BY-VENDOR, VERIFIED-BY-SOMEONE-I-TRUST, HAS-INDEPENDENT-CONFIRMATION, or provide other reason.

VOTE:
ACCEPT_REASON:
COMMENTS:

======================================================
Candidate: CAN-2000-0780
Published:
Final-Decision:
Interim-Decision:
Modified:
Proposed: 20000921
Assigned: 20000919
Category: SF
Reference: BUGTRAQ:20000830 Vulnerability Report On IPSWITCH's IMail
Reference: URL:http://marc.theaimsgroup.com/?l=bugtraq&m=96767207207553&w=2
Reference: CONFIRM:http://www.ipswitch.com/Support/IMail/news.html
Reference: BID:1617
Reference: URL:http://www.securityfocus.com/bid/1617

The web server in IPSWITCH IMail 6.04 and earlier allows remote attackers to read and delete arbitrary files via a .. (dot dot) attack.

Analysis
----------------
ED_PRI CAN-2000-0780 2
Vendor Acknowledgement: yes news

Voting Section
--------------

Possible votes: ACCEPT/MODIFY/NOOP/REVIEWING/RECAST/REJECT
If ACCEPT or MODIFY, include reason for acceptance: VERIFIED-BY-MY-ORG, ACKNOWLEDGED-BY-VENDOR, VERIFIED-BY-SOMEONE-I-TRUST, HAS-INDEPENDENT-CONFIRMATION, or provide other reason.

VOTE:
ACCEPT_REASON:
COMMENTS:

======================================================
Candidate: CAN-2000-0782
Published:
Final-Decision:
Interim-Decision:
Modified:
Proposed: 20000921
Assigned: 20000919
Category: SF
Reference: BUGTRAQ:20000817 Netauth: Web Based Email Management System
Reference: URL:http://www.securityfocus.com/templates/archive.pike?list=1&msg=NEBBJCLKGNOGCOIOBJNAGEHLCPAA.marc@eeye.com
Reference: CONFIRM:http://netwinsite.com/netauth/updates.htm
Reference: BID:1587
Reference: URL:http://www.securityfocus.com/bid/1587

netauth.cgi program in Netwin Netauth 4.2e and earlier allows remote attackers to read arbitrary files via a .. (dot dot) attack.

Analysis
----------------
ED_PRI CAN-2000-0782 2
Vendor Acknowledgement: yes changelog

Voting Section
--------------

Possible votes: ACCEPT/MODIFY/NOOP/REVIEWING/RECAST/REJECT
If ACCEPT or MODIFY, include reason for acceptance: VERIFIED-BY-MY-ORG, ACKNOWLEDGED-BY-VENDOR, VERIFIED-BY-SOMEONE-I-TRUST, HAS-INDEPENDENT-CONFIRMATION, or provide other reason.

VOTE:
ACCEPT_REASON:
COMMENTS:

======================================================
Candidate: CAN-2000-0792
Published:
Final-Decision:
Interim-Decision:
Modified:
Proposed: 20000921
Assigned: 20000919
Category: SF
Reference: BUGTRAQ:20000819 Security update for Gnome-Lokkit
Reference: URL:http://archives.neohapsis.com/archives/bugtraq/2000-08/0252.html
Reference: BID:1590
Reference: URL:http://www.securityfocus.com/bid/1590

Gnome Lokkit firewall package before 0.41 does not properly restrict access to some ports, even if a user does not make any services available.

Analysis
----------------
ED_PRI CAN-2000-0792 2
Vendor Acknowledgement: yes post

Voting Section
--------------

Possible votes: ACCEPT/MODIFY/NOOP/REVIEWING/RECAST/REJECT
If ACCEPT or MODIFY, include reason for acceptance: VERIFIED-BY-MY-ORG, ACKNOWLEDGED-BY-VENDOR, VERIFIED-BY-SOMEONE-I-TRUST, HAS-INDEPENDENT-CONFIRMATION, or provide other reason.

VOTE:
ACCEPT_REASON:
COMMENTS:

======================================================
Candidate: CAN-2000-0686
Published:
Final-Decision:
Interim-Decision:
Modified:
Proposed: 20000921
Assigned: 20000919
Category: SF
Reference: BUGTRAQ:20000823 Auction WeaverT LITE 1.0
Reference: URL:http://archives.neohapsis.com/archives/bugtraq/2000-08/0310.html
Reference: BID:1630
Reference: URL:http://www.securityfocus.com/bid/1630

Auction Weaver CGI script 1.03 and earlier allows remote attackers to read arbitrary files via a .. (dot dot) attack in the fromfile parameter.

Analysis
----------------
ED_PRI CAN-2000-0686 3
Vendor Acknowledgement: yes patch
Content Decisions: SF-LOC

It is not certain if this problem was fixed in 1.02 or 1.03.

The source code from http://www.cgiscriptcenter.com/awl/awl10.zip indicates that the catdir parameter is cleansed in different lines of code than the fromfile parameter. Thus CD:SF-LOC says to have separate entries for fromfile vs. catdir.

The fromfile and catdir parameters also suffered from a shell metacharacter problem, so CD:SF-LOC says to keep them separate as well. Also, there was at least one version that had this problem but not the shell metacharacter problem.

Voting Section
--------------

Possible votes: ACCEPT/MODIFY/NOOP/REVIEWING/RECAST/REJECT
If ACCEPT or MODIFY, include reason for acceptance: VERIFIED-BY-MY-ORG, ACKNOWLEDGED-BY-VENDOR, VERIFIED-BY-SOMEONE-I-TRUST, HAS-INDEPENDENT-CONFIRMATION, or provide other reason.

VOTE:
ACCEPT_REASON:
COMMENTS:

======================================================
Candidate: CAN-2000-0687
Published:
Final-Decision:
Interim-Decision:
Modified:
Proposed: 20000921
Assigned: 20000919
Category: SF
Reference: BUGTRAQ:20000823 Auction WeaverT LITE 1.0
Reference: URL:http://archives.neohapsis.com/archives/bugtraq/2000-08/0310.html
Reference: BID:1630
Reference: URL:http://www.securityfocus.com/bid/1630

Auction Weaver CGI script 1.03 and earlier allows remote attackers to read arbitrary files via a .. (dot dot) attack in the catdir parameter.

Analysis
----------------
ED_PRI CAN-2000-0687 3
Vendor Acknowledgement: yes patch
Content Decisions: SF-LOC

It is not certain if this problem was fixed in 1.02 or 1.03. A look at the source code from http://www.cgiscriptcenter.com/awl/awl10.zip indicates that the catdir parameter is cleansed in different lines of code than the fromfile parameter. Thus CD:SF-LOC says to have separate entries for fromfile vs. catdir. The fromfile and catdir parameters also suffered from a shell metacharacter problem, so CD:SF-LOC says to keep them separate as well. Also, there was at least one version that had this problem but not the shell metacharacter problem.

Voting Section
--------------
Possible votes: ACCEPT/MODIFY/NOOP/REVIEWING/RECAST/REJECT
If ACCEPT or MODIFY, include reason for acceptance: VERIFIED-BY-MY-ORG, ACKNOWLEDGED-BY-VENDOR, VERIFIED-BY-SOMEONE-I-TRUST, HAS-INDEPENDENT-CONFIRMATION, or provide other reason.

VOTE:
ACCEPT_REASON:
COMMENTS:

======================================================
Candidate: CAN-2000-0688
Published:
Final-Decision:
Interim-Decision:
Modified:
Proposed: 20000921
Assigned: 20000919
Category: SF
Reference: BUGTRAQ:20000823 Subscribe Me Vulnerability
Reference: URL:http://archives.neohapsis.com/archives/bugtraq/2000-08/0292.html
Reference: BUGTRAQ:20000823 Re: Subscribe Me CGI Vulnerability
Reference: URL:http://marc.theaimsgroup.com/?l=bugtraq&m=96722957421029&w=2
Reference: CONFIRM:http://www.cgiscriptcenter.com/subscribe/
Reference: BID:1607
Reference: URL:http://www.securityfocus.com/bid/1607

Subscribe Me LITE does not properly authenticate attempts to change the administrator password, which allows remote attackers to gain privileges for the Account Manager by directly calling the subscribe.pl script with the setpwd parameter.

Analysis
----------------
ED_PRI CAN-2000-0688 3
Vendor Acknowledgement: yes email-followup
Content Decisions: SF-EXEC

This is the same type of problem as the one in Account Manager LITE. Although the two products are provided by the same vendor, they are distributed separately, thus aren't part of the same package. Therefore CD:SF-EXEC says to keep this one separate from the Subscribe Me LITE problem.

Voting Section
--------------
Possible votes: ACCEPT/MODIFY/NOOP/REVIEWING/RECAST/REJECT
If ACCEPT or MODIFY, include reason for acceptance: VERIFIED-BY-MY-ORG, ACKNOWLEDGED-BY-VENDOR, VERIFIED-BY-SOMEONE-I-TRUST, HAS-INDEPENDENT-CONFIRMATION, or provide other reason.

VOTE:
ACCEPT_REASON:
COMMENTS:

======================================================
Candidate: CAN-2000-0689
Published:
Final-Decision:
Interim-Decision:
Modified:
Proposed: 20000921
Assigned: 20000919
Category: SF
Reference: BUGTRAQ:20000823 Account Manager CGI Vulnerability
Reference: URL:http://archives.neohapsis.com/archives/bugtraq/2000-08/0291.html
Reference: CONFIRM:http://www.cgiscriptcenter.com/acctlite/
Reference: BID:1604
Reference: URL:http://www.securityfocus.com/bid/1604

Account Manager LITE does not properly authenticate attempts to change the administrator password, which allows remote attackers to gain privileges for the Account Manager by directly calling the amadmin.pl script with the setpasswd parameter.

Analysis
----------------
ED_PRI CAN-2000-0689 3
Vendor Acknowledgement: unknown
Content Decisions: SF-EXEC

This is the same type of problem as the one in Subscribe Me LITE. Although the two products are provided by the same vendor, they are distributed separately, thus aren't part of the same package. Therefore CD:SF-EXEC says to keep this one separate from the Subscribe Me LITE problem.

Voting Section
--------------
Possible votes: ACCEPT/MODIFY/NOOP/REVIEWING/RECAST/REJECT
If ACCEPT or MODIFY, include reason for acceptance: VERIFIED-BY-MY-ORG, ACKNOWLEDGED-BY-VENDOR, VERIFIED-BY-SOMEONE-I-TRUST, HAS-INDEPENDENT-CONFIRMATION, or provide other reason.

VOTE:
ACCEPT_REASON:
COMMENTS:

======================================================
Candidate: CAN-2000-0692
Published:
Final-Decision:
Interim-Decision:
Modified:
Proposed: 20000921
Assigned: 20000919
Category: SF
Reference: BUGTRAQ:20000822 DOS on RealSecure 3.2
Reference: URL:http://archives.neohapsis.com/archives/bugtraq/2000-08/0267.html
Reference: BID:1597
Reference: URL:http://www.securityfocus.com/bid/1597

ISS RealSecure 3.2.1 and 3.2.2 allows remote attackers to cause a denial of service via a flood of fragmented packets with the SYN flag set.

Analysis
----------------
ED_PRI CAN-2000-0692 3
Vendor Acknowledgement: unknown

Voting Section
--------------
Possible votes: ACCEPT/MODIFY/NOOP/REVIEWING/RECAST/REJECT
If ACCEPT or MODIFY, include reason for acceptance: VERIFIED-BY-MY-ORG, ACKNOWLEDGED-BY-VENDOR, VERIFIED-BY-SOMEONE-I-TRUST, HAS-INDEPENDENT-CONFIRMATION, or provide other reason.

VOTE:
ACCEPT_REASON:
COMMENTS:

======================================================
Candidate: CAN-2000-0698
Published:
Final-Decision:
Interim-Decision:
Modified:
Proposed: 20000921
Assigned: 20000919
Category: SF
Reference: BUGTRAQ:20000819 RH 6.1 / 6.2 minicom vulnerability
Reference: URL:http://www.securityfocus.com/archive/1/77361
Reference: BID:1599
Reference: URL:http://www.securityfocus.com/bid/1599

Minicom 1.82.1 and earlier on some Linux systems allows local users to create arbitrary files via a symlink attack.

Analysis
----------------
ED_PRI CAN-2000-0698 3
Vendor Acknowledgement: unknown

Voting Section
--------------
Possible votes: ACCEPT/MODIFY/NOOP/REVIEWING/RECAST/REJECT
If ACCEPT or MODIFY, include reason for acceptance: VERIFIED-BY-MY-ORG, ACKNOWLEDGED-BY-VENDOR, VERIFIED-BY-SOMEONE-I-TRUST, HAS-INDEPENDENT-CONFIRMATION, or provide other reason.

VOTE:
ACCEPT_REASON:
COMMENTS:

======================================================
Candidate: CAN-2000-0702
Published:
Final-Decision:
Interim-Decision:
Modified:
Proposed: 20000921
Assigned: 20000919
Category: SF
Reference: BUGTRAQ:20000821 [HackersLab bugpaper] HP-UX net.init rc script
Reference: URL:http://archives.neohapsis.com/archives/bugtraq/2000-08/0261.html
Reference: BID:1602
Reference: URL:http://www.securityfocus.com/bid/1602

The net.init rc script in HP-UX 11.00 (S008net.init) allows local users to overwrite arbitrary files via a symlink attack that points from /tmp/stcp.conf to the targeted file.

Analysis
----------------
ED_PRI CAN-2000-0702 3
Vendor Acknowledgement: unknown

Voting Section
--------------
Possible votes: ACCEPT/MODIFY/NOOP/REVIEWING/RECAST/REJECT
If ACCEPT or MODIFY, include reason for acceptance: VERIFIED-BY-MY-ORG, ACKNOWLEDGED-BY-VENDOR, VERIFIED-BY-SOMEONE-I-TRUST, HAS-INDEPENDENT-CONFIRMATION, or provide other reason.

VOTE:
ACCEPT_REASON:
COMMENTS:

======================================================
Candidate: CAN-2000-0710
Published:
Final-Decision:
Interim-Decision:
Modified:
Proposed: 20000921
Assigned: 20000919
Category: SF
Reference: BUGTRAQ:20000823 Xato Advisory: FrontPage DOS Device DoS
Reference: URL:http://archives.neohapsis.com/archives/bugtraq/2000-08/0288.html
Reference: CONFIRM:http://msdn.microsoft.com/workshop/languages/fp/2000/sr12.asp
Reference: BID:1608
Reference: URL:http://www.securityfocus.com/bid/1608

The shtml.exe component of Microsoft FrontPage 2000 Server Extensions 1.1 allows remote attackers to determine the physical path of the server components by requesting an invalid URL whose name includes a standard DOS device name.

Analysis
----------------
ED_PRI CAN-2000-0710 3
Vendor Acknowledgement: yes patch
Content Decisions: DESIGN-REAL-PATH

CD:DESIGN-REAL-PATH says that revealing physical path information to remote attackers is an exposure, and thus should be included in CVE.

Voting Section
--------------
Possible votes: ACCEPT/MODIFY/NOOP/REVIEWING/RECAST/REJECT
If ACCEPT or MODIFY, include reason for acceptance: VERIFIED-BY-MY-ORG, ACKNOWLEDGED-BY-VENDOR, VERIFIED-BY-SOMEONE-I-TRUST, HAS-INDEPENDENT-CONFIRMATION, or provide other reason.

VOTE:
ACCEPT_REASON:
COMMENTS:

======================================================
Candidate: CAN-2000-0716
Published:
Final-Decision:
Interim-Decision:
Modified:
Proposed: 20000921
Assigned: 20000919
Category: SF
Reference: NTBUGTRAQ:20000809 Session hijacking in Alt-N's MDaemon 2.8
Reference: URL:http://www.ntbugtraq.com/default.asp?pid=36&sid=1&A2=ind0008&L=ntbugtraq&F=&S=&P=459
Reference: BID:1553
Reference: URL:http://www.securityfocus.com/bid/1553

WorldClient email client in MDaemon 2.8 includes the session ID in the referer field of an HTTP request when the user clicks on a URL, which allows the visited web site to hijack the session ID and read the user's email.

Analysis
----------------
ED_PRI CAN-2000-0716 3
Vendor Acknowledgement: unknown

Voting Section
--------------
Possible votes: ACCEPT/MODIFY/NOOP/REVIEWING/RECAST/REJECT
If ACCEPT or MODIFY, include reason for acceptance: VERIFIED-BY-MY-ORG, ACKNOWLEDGED-BY-VENDOR, VERIFIED-BY-SOMEONE-I-TRUST, HAS-INDEPENDENT-CONFIRMATION, or provide other reason.

VOTE:
ACCEPT_REASON:
COMMENTS:

======================================================
Candidate: CAN-2000-0719
Published:
Final-Decision:
Interim-Decision:
Modified:
Proposed: 20000921
Assigned: 20000919
Category: SF
Reference: BUGTRAQ:20000810 VariCAD 7.0 premission vulnerability
Reference: URL:http://archives.neohapsis.com/archives/bugtraq/2000-08/0126.html

VariCAD 7.0 is installed with world-writeable files, which allows local users to replace the VariCAD programs with a Trojan horse program.

Analysis
----------------
ED_PRI CAN-2000-0719 3
Vendor Acknowledgement: unknown
Content Decisions: INSTALL-PERM

ABSTRACTION ISSUE: Some problems like this one are related to installations of files that set improper permissions. Should each separate file get a separate CVE entry? Or should dot notation be used? This question has been labeled as CD:INSTALL-PERM.

Voting Section
--------------
Possible votes: ACCEPT/MODIFY/NOOP/REVIEWING/RECAST/REJECT
If ACCEPT or MODIFY, include reason for acceptance: VERIFIED-BY-MY-ORG, ACKNOWLEDGED-BY-VENDOR, VERIFIED-BY-SOMEONE-I-TRUST, HAS-INDEPENDENT-CONFIRMATION, or provide other reason.

VOTE:
ACCEPT_REASON:
COMMENTS:

======================================================
Candidate: CAN-2000-0721
Published:
Final-Decision:
Interim-Decision:
Modified:
Proposed: 20000921
Assigned: 20000919
Category: SF
Reference: BUGTRAQ:20000810 FlagShip v4.48.7449 premission vulnerability
Reference: URL:http://archives.neohapsis.com/archives/bugtraq/2000-08/0114.html
Reference: BID:1586
Reference: URL:http://www.securityfocus.com/bid/1586

The FSserial, FlagShip_c, and FlagShip_p programs in the FlagShip package are installed world-writeable, which allows local users to replace them with Trojan horses.

Analysis
----------------
ED_PRI CAN-2000-0721 3
Vendor Acknowledgement: unknown
Content Decisions: INSTALL-PERM

ABSTRACTION ISSUE: Some problems like this one are related to installations of files that set improper permissions. Should each separate file get a separate CVE entry? Or should dot notation be used? This question has been labeled as CD:INSTALL-PERM.

Voting Section
--------------
Possible votes: ACCEPT/MODIFY/NOOP/REVIEWING/RECAST/REJECT
If ACCEPT or MODIFY, include reason for acceptance: VERIFIED-BY-MY-ORG, ACKNOWLEDGED-BY-VENDOR, VERIFIED-BY-SOMEONE-I-TRUST, HAS-INDEPENDENT-CONFIRMATION, or provide other reason.

VOTE:
ACCEPT_REASON:
COMMENTS:

======================================================
Candidate: CAN-2000-0722
Published:
Final-Decision:
Interim-Decision:
Modified:
Proposed: 20000921
Assigned: 20000919
Category: SF
Reference: BUGTRAQ:20000819 Multiple Local Vulnerabilities in Helix Gnome Installer
Reference: URL:http://www.securityfocus.com/templates/archive.pike?list=1&msg=E13QAYl-0007il-00@the-village.bc.nu
Reference: BUGTRAQ:20000820 Helix Code Security Advisory - Helix GNOME Update
Reference: URL:http://archives.neohapsis.com/archives/bugtraq/2000-08/0240.html
Reference: BUGTRAQ:20000820 [Helix Beta] Helix Code Security Advisory - Helix GNOME Installer
Reference: URL:http://archives.neohapsis.com/archives/bugtraq/2000-08/0251.html
Reference: BID:1593
Reference: URL:http://www.securityfocus.com/bid/1593

Helix GNOME Updater helix-update 0.5 and earlier allows local users to install arbitrary RPM packages by creating the /tmp/helix-install installation directory before root has begun installing packages.

Analysis
----------------
ED_PRI CAN-2000-0722 3
Vendor Acknowledgement: yes advisory
Content Decisions: SF-LOC, EX-BETA

INCLUSION: A poster suggests that this software is in beta, in which case CD:EX-BETA might suggest that this problem should be excluded from CVE. However, the poster also says that it appears that many people may be using the products, in which case CD:EX-BETA would make an exception and suggest that this should be included.

ABSTRACTION: CD:SF-LOC applies because there may be multiple bugs in the same software, namely this one and the overwriting of various /etc files. However, the /etc problem only applies to some affected OSes, which is an indicator that the bugs did not occur on the same line of code. Thus CD:SF-LOC, in the absence of additional information, suggests that these problems remain split.

Voting Section
--------------
Possible votes: ACCEPT/MODIFY/NOOP/REVIEWING/RECAST/REJECT
If ACCEPT or MODIFY, include reason for acceptance: VERIFIED-BY-MY-ORG, ACKNOWLEDGED-BY-VENDOR, VERIFIED-BY-SOMEONE-I-TRUST, HAS-INDEPENDENT-CONFIRMATION, or provide other reason.

VOTE:
ACCEPT_REASON:
COMMENTS:

======================================================
Candidate: CAN-2000-0723
Published:
Final-Decision:
Interim-Decision:
Modified:
Proposed: 20000921
Assigned: 20000919
Category: SF
Reference: BUGTRAQ:20000819 Multiple Local Vulnerabilities in Helix Gnome Installer
Reference: URL:http://www.securityfocus.com/templates/archive.pike?list=1&msg=E13QAYl-0007il-00@the-village.bc.nu
Reference: BUGTRAQ:20000820 [Helix Beta] Helix Code Security Advisory - Helix GNOME Installer
Reference: URL:http://archives.neohapsis.com/archives/bugtraq/2000-08/0251.html
Reference: BID:1596
Reference: URL:http://www.securityfocus.com/bid/1596

Helix GNOME Updater helix-update 0.5 and earlier does not properly create /tmp directories, which allows local users to create empty system configuration files such as /etc/config.d/bashrc, /etc/config.d/csh.cshrc, and /etc/rc.config.

Analysis
----------------
ED_PRI CAN-2000-0723 3
Vendor Acknowledgement: yes advisory
Content Decisions: SF-LOC, EX-BETA

INCLUSION: A poster suggests that this software is in beta, in which case CD:EX-BETA might suggest that this problem should be excluded from CVE. However, the poster also says that it appears that many people may be using the products, in which case CD:EX-BETA would make an exception and suggest that this should be included.

ABSTRACTION: CD:SF-LOC applies because there may be multiple bugs in the same software, namely this one and the installation of RPMs in /tmp/helix-install. However, the /etc problem only applies to some affected OSes, which is an indicator that the bugs did not occur on the same line of code.
Thus CD:SF-LOC, in the absence of additional information, suggests that these problems remain split.

Voting Section
--------------
Possible votes: ACCEPT/MODIFY/NOOP/REVIEWING/RECAST/REJECT
If ACCEPT or MODIFY, include reason for acceptance: VERIFIED-BY-MY-ORG, ACKNOWLEDGED-BY-VENDOR, VERIFIED-BY-SOMEONE-I-TRUST, HAS-INDEPENDENT-CONFIRMATION, or provide other reason.

VOTE:
ACCEPT_REASON:
COMMENTS:

======================================================
Candidate: CAN-2000-0724
Published:
Final-Decision:
Interim-Decision:
Modified:
Proposed: 20000921
Assigned: 20000919
Category: SF
Reference: BUGTRAQ:20000829 More Helix Code installation problems (go-gnome)
Reference: URL:http://archives.neohapsis.com/archives/bugtraq/2000-08/0351.html
Reference: BUGTRAQ:20000829 Helix Code Security Advisory - go-gnome pre-installer
Reference: URL:http://archives.neohapsis.com/archives/bugtraq/2000-08/0356.html
Reference: BID:1622
Reference: URL:http://www.securityfocus.com/bid/1622

The go-gnome Helix GNOME pre-installer allows local users to overwrite arbitrary files via a symlink attack on various files in /tmp, including uudecode, snarf, and some installer files.

Analysis
----------------
ED_PRI CAN-2000-0724 3
Vendor Acknowledgement: yes advisory
Content Decisions: EX-BETA

INCLUSION: A poster suggests that this software is in beta, in which case CD:EX-BETA might suggest that this problem should be excluded from CVE. However, the poster also says that it appears that many people may be using the products, in which case CD:EX-BETA would make an exception and suggest that this should be included.

Voting Section
--------------
Possible votes: ACCEPT/MODIFY/NOOP/REVIEWING/RECAST/REJECT
If ACCEPT or MODIFY, include reason for acceptance: VERIFIED-BY-MY-ORG, ACKNOWLEDGED-BY-VENDOR, VERIFIED-BY-SOMEONE-I-TRUST, HAS-INDEPENDENT-CONFIRMATION, or provide other reason.

VOTE:
ACCEPT_REASON:
COMMENTS:

======================================================
Candidate: CAN-2000-0735
Published:
Final-Decision:
Interim-Decision:
Modified:
Proposed: 20000921
Assigned: 20000919
Category: SF
Reference: BUGTRAQ:20000818 Becky! Internet Mail Buffer overflow
Reference: URL:http://archives.neohapsis.com/archives/bugtraq/2000-08/0234.html
Reference: CONFIRM:http://member.nifty.ne.jp/rimarts/becky-e/Readme.txt
Reference: BID:1588
Reference: URL:http://www.securityfocus.com/bid/1588

Buffer overflow in Becky! Internet Mail client 1.26.03 and earlier allows remote attackers to cause a denial of service via a long Content-type: MIME header when the user replies to a message.

Analysis
----------------
ED_PRI CAN-2000-0735 3
Vendor Acknowledgement: yes change-log
Content Decisions: SF-LOC

ABSTRACTION: While this vulnerability is almost exactly the same as that for when the user forwards a message, the forwarding problem was not fixed until 1.26.04. Since the forwarding bug was still present after this one was fixed, CD:SF-LOC suggests that these 2 items should remain split.

Voting Section
--------------
Possible votes: ACCEPT/MODIFY/NOOP/REVIEWING/RECAST/REJECT
If ACCEPT or MODIFY, include reason for acceptance: VERIFIED-BY-MY-ORG, ACKNOWLEDGED-BY-VENDOR, VERIFIED-BY-SOMEONE-I-TRUST, HAS-INDEPENDENT-CONFIRMATION, or provide other reason.

VOTE:
ACCEPT_REASON:
COMMENTS:

======================================================
Candidate: CAN-2000-0736
Published:
Final-Decision:
Interim-Decision:
Modified:
Proposed: 20000921
Assigned: 20000919
Category: SF
Reference: BUGTRAQ:20000818 Becky! Internet Mail Buffer overflow
Reference: URL:http://archives.neohapsis.com/archives/bugtraq/2000-08/0234.html
Reference: CONFIRM:http://member.nifty.ne.jp/rimarts/becky-e/Readme.txt
Reference: BID:1588
Reference: URL:http://www.securityfocus.com/bid/1588

Buffer overflow in Becky!
Internet Mail client 1.26.04 and earlier allows remote attackers to cause a denial of service via a long Content-type: MIME header when the user forwards a message.

Analysis
----------------
ED_PRI CAN-2000-0736 3
Vendor Acknowledgement: yes change-log
Content Decisions: SF-LOC

ABSTRACTION: While this vulnerability is almost exactly the same as that for when the user replies to a message, the replying bug was fixed in 1.26.03. Since this bug was still present after the reply bug was fixed, CD:SF-LOC suggests that these 2 items should remain split.

Voting Section
--------------
Possible votes: ACCEPT/MODIFY/NOOP/REVIEWING/RECAST/REJECT
If ACCEPT or MODIFY, include reason for acceptance: VERIFIED-BY-MY-ORG, ACKNOWLEDGED-BY-VENDOR, VERIFIED-BY-SOMEONE-I-TRUST, HAS-INDEPENDENT-CONFIRMATION, or provide other reason.

VOTE:
ACCEPT_REASON:
COMMENTS:

======================================================
Candidate: CAN-2000-0738
Published:
Final-Decision:
Interim-Decision:
Modified:
Proposed: 20000921
Assigned: 20000919
Category: SF
Reference: NTBUGTRAQ:20000818 WebShield SMTP infinite loop DoS Attack
Reference: URL:http://archives.neohapsis.com/archives/ntbugtraq/2000-q3/0101.html
Reference: BID:1589
Reference: URL:http://www.securityfocus.com/bid/1589

WebShield SMTP 4.5 allows remote attackers to cause a denial of service by sending e-mail with a From: address that has a . (period) at the end, which causes WebShield to continuously send itself copies of the e-mail.

Analysis
----------------
ED_PRI CAN-2000-0738 3
Vendor Acknowledgement: unknown

Voting Section
--------------
Possible votes: ACCEPT/MODIFY/NOOP/REVIEWING/RECAST/REJECT
If ACCEPT or MODIFY, include reason for acceptance: VERIFIED-BY-MY-ORG, ACKNOWLEDGED-BY-VENDOR, VERIFIED-BY-SOMEONE-I-TRUST, HAS-INDEPENDENT-CONFIRMATION, or provide other reason.

VOTE:
ACCEPT_REASON:
COMMENTS:

======================================================
Candidate: CAN-2000-0746
Published:
Final-Decision:
Interim-Decision:
Modified:
Proposed: 20000921
Assigned: 20000919
Category: SF
Reference: BUGTRAQ:20000821 IIS 5.0 cross site scripting vulnerability - using .shtml files or /_vti_bin/shtml.dll
Reference: URL:http://www.securityfocus.com/templates/archive.pike?list=1&msg=39A12BD6.E811BF4F@nat.bg
Reference: MS:MS00-060
Reference: URL:http://www.microsoft.com/technet/security/bulletin/ms00-060.asp
Reference: BID:1594
Reference: URL:http://www.securityfocus.com/bid/1594
Reference: BID:1595
Reference: URL:http://www.securityfocus.com/bid/1595

Vulnerabilities in IIS 4.0 and 5.0 do not properly protect against cross-site scripting (CSS) attacks. They allow a malicious web site operator to embed scripts in a link to a trusted site, which are returned without quoting in an error message back to the client. The client then executes those scripts in the same context as the trusted site, aka the "IIS Cross-Site Scripting" vulnerabilities.

Analysis
----------------
ED_PRI CAN-2000-0746 3
Vendor Acknowledgement: yes advisory
Content Decisions: SF-LOC, SF-EXEC

ABSTRACTION: CD:SF-LOC suggests creating a separate entry for each different CSS item, but the advisory and the FAQ do not provide enough details to do so. The original Bugtraq post claims that there are 2 separate issues, one in FrontPage Extensions through /_vti_bin/shtml.dll, and another through any filename that ends in .shtml. However, it may be that .shtml files are redirected to shtml.dll; if so, then there may only be one bug (in shtml.dll), and CD:SF-LOC would apply and suggest using only one entry. However, since FrontPage is not required with all IIS installations, then these 2 problems are not part of the same "fundamental" software package. So CD:SF-EXEC suggests providing separate entries, one for FrontPage Extensions, and another for IIS.

Voting Section
--------------
Possible votes: ACCEPT/MODIFY/NOOP/REVIEWING/RECAST/REJECT
If ACCEPT or MODIFY, include reason for acceptance: VERIFIED-BY-MY-ORG, ACKNOWLEDGED-BY-VENDOR, VERIFIED-BY-SOMEONE-I-TRUST, HAS-INDEPENDENT-CONFIRMATION, or provide other reason.

VOTE:
ACCEPT_REASON:
COMMENTS:

======================================================
Candidate: CAN-2000-0753
Published:
Final-Decision:
Interim-Decision:
Modified:
Proposed: 20000921
Assigned: 20000919
Category: SF
Reference: BUGTRAQ:20000824 Outlook winmail.dat
Reference: URL:http://www.securityfocus.com/templates/archive.pike?list=1&msg=LAW2-F305bYiMCIqtQv0000069d@hotmail.com
Reference: BID:1631
Reference: URL:http://www.securityfocus.com/bid/1631

The Microsoft Outlook mail client identifies the physical path of the sender's machine within a winmail.dat attachment to Rich Text Format (RTF) files.

Analysis
----------------
ED_PRI CAN-2000-0753 3
Vendor Acknowledgement: unknown
Content Decisions: DESIGN-REAL-PATH

CD:DESIGN-REAL-PATH says that revealing physical path information to remote attackers is an exposure, and thus should be included in CVE.

Voting Section
--------------
Possible votes: ACCEPT/MODIFY/NOOP/REVIEWING/RECAST/REJECT
If ACCEPT or MODIFY, include reason for acceptance: VERIFIED-BY-MY-ORG, ACKNOWLEDGED-BY-VENDOR, VERIFIED-BY-SOMEONE-I-TRUST, HAS-INDEPENDENT-CONFIRMATION, or provide other reason.

VOTE:
ACCEPT_REASON:
COMMENTS:

======================================================
Candidate: CAN-2000-0755
Published:
Final-Decision:
Interim-Decision:
Modified:
Proposed: 20000921
Assigned: 20000919
Category: SF
Reference: HP:HPSBUX0008-118
Reference: URL:http://archives.neohapsis.com/archives/bugtraq/2000-08/0144.html
Reference: BID:1581
Reference: URL:http://www.securityfocus.com/bid/1581

Vulnerability in the newgrp command in HP-UX 11.00 allows local users to gain privileges.

Analysis
----------------
ED_PRI CAN-2000-0755 3
Vendor Acknowledgement: yes advisory
Content Decisions: DISCOVERY-DATE

INCLUSION: The HP advisory does not provide additional details, but this looks like it could be a repeat of CVE-1999-0050. In the absence of further information, however, this problem should probably remain SPLIT from CVE-1999-0050.

ABSTRACTION: CD:DISCOVERY-DATE also suggests that if a problem appears in version X, goes away in version X+n, and reappears in X+n+1, then separate entries should be created, since (a) a problem in the vendor's process re-introduced the bug, and (b) tools and system administrators may not be aware of the new variation, so having a separate entry is a way of handling this.

Voting Section
--------------
Possible votes: ACCEPT/MODIFY/NOOP/REVIEWING/RECAST/REJECT
If ACCEPT or MODIFY, include reason for acceptance: VERIFIED-BY-MY-ORG, ACKNOWLEDGED-BY-VENDOR, VERIFIED-BY-SOMEONE-I-TRUST, HAS-INDEPENDENT-CONFIRMATION, or provide other reason.

VOTE:
ACCEPT_REASON:
COMMENTS:

======================================================
Candidate: CAN-2000-0762
Published:
Final-Decision:
Interim-Decision:
Modified:
Proposed: 20000921
Assigned: 20000919
Category: CF
Reference: BUGTRAQ:20000811 eTrust Access Control - Root compromise for default install
Reference: URL:http://www.securityfocus.com/templates/archive.pike?list=1&msg=004601c003a1$ba473260$ddeaa2cd@itradefair.net
Reference: CONFIRM:http://support.ca.com/techbases/eTrust/etrust_access_control-response.html
Reference: BID:1583
Reference: URL:http://www.securityfocus.com/bid/1583

The default installation of eTrust Access Control (formerly SeOS) uses a default encryption key, which allows remote attackers to spoof the eTrust administrator and gain privileges.

Analysis
----------------
ED_PRI CAN-2000-0762 3
Vendor Acknowledgement: unknown

Voting Section
--------------
Possible votes: ACCEPT/MODIFY/NOOP/REVIEWING/RECAST/REJECT
If ACCEPT or MODIFY, include reason for acceptance: VERIFIED-BY-MY-ORG, ACKNOWLEDGED-BY-VENDOR, VERIFIED-BY-SOMEONE-I-TRUST, HAS-INDEPENDENT-CONFIRMATION, or provide other reason.

VOTE:
ACCEPT_REASON:
COMMENTS:

======================================================
Candidate: CAN-2000-0766
Published:
Final-Decision:
Interim-Decision:
Modified:
Proposed: 20000921
Assigned: 20000919
Category: SF
Reference: BUGTRAQ:20000819 D.o.S Vulnerability in vqServer
Reference: URL:http://www.securityfocus.com/templates/archive.pike?list=1&msg=200008270354.UAA10952@user4.hushmail.com
Reference: BID:1610
Reference: URL:http://www.securityfocus.com/bid/1610

Buffer overflow in vqSoft vqServer 1.4.49 allows remote attackers to cause a denial of service or possibly gain privileges via a long HTTP GET request.

Analysis
----------------
ED_PRI CAN-2000-0766 3
Vendor Acknowledgement: unknown poster-claimed

Voting Section
--------------
Possible votes: ACCEPT/MODIFY/NOOP/REVIEWING/RECAST/REJECT
If ACCEPT or MODIFY, include reason for acceptance: VERIFIED-BY-MY-ORG, ACKNOWLEDGED-BY-VENDOR, VERIFIED-BY-SOMEONE-I-TRUST, HAS-INDEPENDENT-CONFIRMATION, or provide other reason.

VOTE:
ACCEPT_REASON:
COMMENTS:

======================================================
Candidate: CAN-2000-0769
Published:
Final-Decision:
Interim-Decision:
Modified:
Proposed: 20000921
Assigned: 20000919
Category: SF
Reference: BUGTRAQ:20000824 WebServer Pro 2.3.7 Vulnerability
Reference: URL:http://marc.theaimsgroup.com/?l=bugtraq&m=96715834610888&w=2
Reference: BID:1611
Reference: URL:http://www.securityfocus.com/bid/1611

O'Reilly WebSite Pro 2.3.7 installs the uploader.exe program with execute permissions for all users, which allows remote attackers to create and execute arbitrary files by directly calling uploader.exe.

Analysis
----------------
ED_PRI CAN-2000-0769 3
Vendor Acknowledgement: unknown
Content Decisions: DISCOVERY-DATE

INCLUSION: This could be a duplicate of CVE-1999-0177, which affected WebSite 1.1 and 2.0 beta according to XF:http-website-uploader at http://xforce.iss.net/static/294.php.
Also see the original post at http://marc.theaimsgroup.com/?l=bugtraq&m=87602880019759&w=2
Also see http://ora.leftcoast.net/archives/website-talk/msg02835.html for a reply from "michael@oreilly.com" to a tech support query on July 13, 2000, which appears to be roughly akin to vendor acknowledgement.

However, the poster for this candidate said that the problem did not exist on version 2.3.3, so this may be a reappearance of an old bug. Thus CD:DISCOVERY-DATE applies. Assume this is the same bug. CVE-1999-0177 < "safe" version 2.3.3 < vulnerable version 2.3.7. Thus this item should remain separate from CVE-1999-0177.

CD:DISCOVERY-DATE suggests that if a problem appears in version X, goes away in version X+n, and reappears in X+n+1, then separate entries should be created, since (a) a problem in the vendor's process re-introduced the bug, and (b) tools and system administrators may not be aware of the new variation, so having a separate entry is a way of handling this.

Voting Section
--------------
Possible votes: ACCEPT/MODIFY/NOOP/REVIEWING/RECAST/REJECT
If ACCEPT or MODIFY, include reason for acceptance: VERIFIED-BY-MY-ORG, ACKNOWLEDGED-BY-VENDOR, VERIFIED-BY-SOMEONE-I-TRUST, HAS-INDEPENDENT-CONFIRMATION, or provide other reason.

VOTE:
ACCEPT_REASON:
COMMENTS:

======================================================
Candidate: CAN-2000-0772
Published:
Final-Decision:
Interim-Decision:
Modified:
Proposed: 20000921
Assigned: 20000919
Category: CF
Reference: BUGTRAQ:20000810 Tumbleweed Worldsecure (MMS) BLANK 'sa' account password vulnerability
Reference: URL:http://archives.neohapsis.com/archives/bugtraq/2000-08/0098.html
Reference: CONFIRM:http://thompson.tumbleweed.com/NewKB/bulletin/UPFiles/sa-official.htm
Reference: BID:1562
Reference: URL:http://www.securityfocus.com/bid/1562

The installation of Tumbleweed Messaging Management System (MMS) 4.6 and earlier (formerly Worldtalk Worldsecure) creates a default account "sa" with no password.

Analysis
----------------
ED_PRI CAN-2000-0772 3
Vendor Acknowledgement: unknown

ABSTRACTION: CD:CF-PASS suggests that separate entries should be created for each "service" that has default passwords, no matter how many defaults there are. If this approach is adopted, then this should probably be MERGED with other database default accounts/passwords. The thread generated by this discussion is a good indicator of the disparate perspectives as to whether documented default passwords are a "real" vulnerability or not.

Voting Section
--------------
Possible votes: ACCEPT/MODIFY/NOOP/REVIEWING/RECAST/REJECT
If ACCEPT or MODIFY, include reason for acceptance: VERIFIED-BY-MY-ORG, ACKNOWLEDGED-BY-VENDOR, VERIFIED-BY-SOMEONE-I-TRUST, HAS-INDEPENDENT-CONFIRMATION, or provide other reason.

VOTE:
ACCEPT_REASON:
COMMENTS:

======================================================
Candidate: CAN-2000-0776
Published:
Final-Decision:
Interim-Decision:
Modified:
Proposed: 20000921
Assigned: 20000919
Category: SF
Reference: BUGTRAQ:20000810 [DeepZone Advisory] Statistics Server 5.02x stack overflow (Win2k remote exploit)
Reference: URL:http://archives.neohapsis.com/archives/bugtraq/2000-08/0118.html
Reference: BID:1568
Reference: URL:http://www.securityfocus.com/bid/1568

Mediahouse Statistics Server 5.02x allows remote attackers to execute arbitrary commands via a long HTTP GET request.

Analysis
----------------
ED_PRI CAN-2000-0776 3
Vendor Acknowledgement: unknown

INCLUSION: This ostensibly looks like a dupe of CVE-1999-0931, but the announcer claims that some versions older than 5.02x did not exhibit the problem.

Voting Section
--------------
Possible votes: ACCEPT/MODIFY/NOOP/REVIEWING/RECAST/REJECT
If ACCEPT or MODIFY, include reason for acceptance: VERIFIED-BY-MY-ORG, ACKNOWLEDGED-BY-VENDOR, VERIFIED-BY-SOMEONE-I-TRUST, HAS-INDEPENDENT-CONFIRMATION, or provide other reason.

VOTE:
ACCEPT_REASON:
COMMENTS:

======================================================
Candidate: CAN-2000-0783
Published:
Final-Decision:
Interim-Decision:
Modified:
Proposed: 20000921
Assigned: 20000919
Category: SF
Reference: BUGTRAQ:20000815 Watchguard Firebox Authentication DoS
Reference: URL:http://archives.neohapsis.com/archives/bugtraq/2000-08/0162.html
Reference: BID:1573
Reference: URL:http://www.securityfocus.com/bid/1573

Watchguard Firebox II allows remote attackers to cause a denial of service by sending a malformed URL to the authentication service on port 4100.
Analysis
----------------
ED_PRI CAN-2000-0783 3
Vendor Acknowledgement: unknown claimed

Voting Section
--------------
Possible votes: ACCEPT/MODIFY/NOOP/REVIEWING/RECAST/REJECT
If ACCEPT or MODIFY, include reason for acceptance: VERIFIED-BY-MY-ORG, ACKNOWLEDGED-BY-VENDOR, VERIFIED-BY-SOMEONE-I-TRUST, HAS-INDEPENDENT-CONFIRMATION, or provide other reason.

VOTE:
ACCEPT_REASON:
COMMENTS:

======================================================
Candidate: CAN-2000-0784
Published:
Final-Decision:
Interim-Decision:
Modified:
Proposed: 20000921
Assigned: 20000919
Category: SF
Reference: BUGTRAQ:20000816 Remote Root Compromise On All RapidStream VPN Appliances
Reference: URL:http://archives.neohapsis.com/archives/bugtraq/2000-08/0216.html
Reference: BID:1574
Reference: URL:http://www.securityfocus.com/bid/1574

sshd program in the Rapidstream 2.1 Beta VPN appliance has a hard-coded "rsadmin" account with a null password, which allows remote attackers to execute arbitrary commands via ssh.

Analysis
----------------
ED_PRI CAN-2000-0784 3
Vendor Acknowledgement: yes followup
Content Decisions: EX-BETA

INCLUSION: CD:EX-BETA suggests that this should not be included in CVE because it is a beta version, unless this has been widely distributed.

Voting Section
--------------
Possible votes: ACCEPT/MODIFY/NOOP/REVIEWING/RECAST/REJECT
If ACCEPT or MODIFY, include reason for acceptance: VERIFIED-BY-MY-ORG, ACKNOWLEDGED-BY-VENDOR, VERIFIED-BY-SOMEONE-I-TRUST, HAS-INDEPENDENT-CONFIRMATION, or provide other reason.
VOTE:
ACCEPT_REASON:
COMMENTS:

======================================================
Candidate: CAN-2000-0789
Published:
Final-Decision:
Interim-Decision:
Modified:
Proposed: 20000921
Assigned: 20000919
Category: SF
Reference: BUGTRAQ:20000816 WinU 4/5 weak password vulnerability
Reference: URL:http://archives.neohapsis.com/archives/bugtraq/2000-08/0201.html

WinU 5.x and earlier uses weak encryption to store its configuration password, which allows local users to decrypt the password and gain privileges.

Analysis
----------------
ED_PRI CAN-2000-0789 3
Vendor Acknowledgement: unknown
Content Decisions: DESIGN-WEAK-ENCRYPTION

Voting Section
--------------
Possible votes: ACCEPT/MODIFY/NOOP/REVIEWING/RECAST/REJECT
If ACCEPT or MODIFY, include reason for acceptance: VERIFIED-BY-MY-ORG, ACKNOWLEDGED-BY-VENDOR, VERIFIED-BY-SOMEONE-I-TRUST, HAS-INDEPENDENT-CONFIRMATION, or provide other reason.

VOTE:
ACCEPT_REASON:
COMMENTS:

======================================================
Candidate: CAN-2000-0790
Published:
Final-Decision:
Interim-Decision:
Modified:
Proposed: 20000921
Assigned: 20000919
Category: SF
Reference: BUGTRAQ:20000828 IE 5.5/5.x for Win98 may execute arbitrary files that can be accessed thru Microsoft Networking. Also local Administrator compromise at least on default Windows 2000.
Reference: URL:http://www.securityfocus.com/templates/archive.pike?list=1&msg=3998370D.732A03F1@nat.bg
Reference: BID:1571
Reference: URL:http://www.securityfocus.com/bid/1571

The web-based folder display capability in Microsoft Internet Explorer 5.5 on Windows 98 allows local users to insert Trojan horse programs by modifying the Folder.htt file and using the InvokeVerb method in the ShellDefView ActiveX control to specify a default execute option for the first file that is listed in the folder.
Analysis
----------------
ED_PRI CAN-2000-0790 3
Vendor Acknowledgement: unknown

Voting Section
--------------
Possible votes: ACCEPT/MODIFY/NOOP/REVIEWING/RECAST/REJECT
If ACCEPT or MODIFY, include reason for acceptance: VERIFIED-BY-MY-ORG, ACKNOWLEDGED-BY-VENDOR, VERIFIED-BY-SOMEONE-I-TRUST, HAS-INDEPENDENT-CONFIRMATION, or provide other reason.

VOTE:
ACCEPT_REASON:
COMMENTS:

======================================================
Candidate: CAN-2000-0791
Published:
Final-Decision:
Interim-Decision:
Modified:
Proposed: 20000921
Assigned: 20000919
Category: SF
Reference: BUGTRAQ:20000815 Trustix security advisory - apache-ssl
Reference: URL:http://archives.neohapsis.com/archives/bugtraq/2000-08/0179.html
Reference: BID:1575
Reference: URL:http://www.securityfocus.com/bid/1575

Trustix installs the httpsd program for Apache-SSL with world-writeable permissions, which allows local users to replace it with a Trojan horse.

Analysis
----------------
ED_PRI CAN-2000-0791 3
Vendor Acknowledgement: yes post
Content Decisions: INSTALL-PERM

ABSTRACTION: Some problems like this one are related to installations of files that set improper permissions. Should each separate file get a separate CVE entry? Or should dot notation be used? This question has been labeled as CD:INSTALL-PERM.

Voting Section
--------------
Possible votes: ACCEPT/MODIFY/NOOP/REVIEWING/RECAST/REJECT
If ACCEPT or MODIFY, include reason for acceptance: VERIFIED-BY-MY-ORG, ACKNOWLEDGED-BY-VENDOR, VERIFIED-BY-SOMEONE-I-TRUST, HAS-INDEPENDENT-CONFIRMATION, or provide other reason.

VOTE:
ACCEPT_REASON:
COMMENTS: