[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

[PROPOSAL] Cluster RECENT-35 - 18 candidates



The following cluster contains 18 candidates that were announced
between 8/25/2000 and 8/31/2000.  Board members can use the voting web
site instead of this ballot, which is posted for other Board members
and as a part of the public record.

These voting ballots include the new Analysis field as discussed in a
previous post with explanations of applications of content decisions.
The degree of vendor acknowledgement is also made more prominent.
Finally, a new ACCEPT_REASON form has been added for Board members to
include the reason why they vote to ACCEPT or MODIFY an item.

- Steve


Summary of votes to use (in ascending order of "severity")
----------------------------------------------------------

ACCEPT - voter accepts the candidate as proposed
NOOP - voter has no opinion on the candidate
MODIFY - voter wants to change some MINOR detail (e.g. reference/description)
REVIEWING - voter is reviewing/researching the candidate, or needs more info
RECAST - candidate must be significantly modified, e.g. split or merged
REJECT - candidate is "not a vulnerability", or a duplicate, etc.

1) Please write your vote on the line that starts with "VOTE: ".  If
   you want to add comments or details, add them to lines after the
   VOTE: line.

2) If you see any missing references, please mention them so that they
   can be included.  References help greatly during mapping.

3) Note that a "MODIFY" is treated as an "ACCEPT" when counting votes.
   So if you don't have sufficient information for a candidate but you
   don't want to NOOP, use a REVIEWING.

********** NOTE ********** NOTE ********** NOTE ********** NOTE **********

Please keep in mind that your vote and comments will be recorded and
publicly viewable in the mailing list archives or in other formats.

======================================================
Candidate: CAN-2000-0727
Published:
Final-Decision:
Interim-Decision:
Modified:
Proposed: 20000921
Assigned: 20000919
Category: SF
Reference: BUGTRAQ:20000829 MDKSA-2000:041 - xpdf update
Reference: URL:http://marc.theaimsgroup.com/?l=bugtraq&m=96766355023239&w=2
Reference: BUGTRAQ:20000913 Conectiva Linux Security Announcement - xpdf
Reference: URL:http://marc.theaimsgroup.com/?l=bugtraq&m=96886599829687&w=2
Reference: DEBIAN:20000910 xpdf: local exploit
Reference: URL:http://www.debian.org/security/2000/20000910a
Reference: REDHAT:RHSA-2000:060-03
Reference: URL:http://www.redhat.com/support/errata/RHSA-2000-060-03.html
Reference: CALDERA:CSSA-2000-031.0
Reference: URL:http://www.calderasystems.com/support/security/advisories/CSSA-2000-031.0.txt
Reference: BID:1624
Reference: URL:http://www.securityfocus.com/bid/1624

xpdf PDF viewer client earlier than 0.91 does not properly launch a
web browser for embedded URL's, which allows an attacker to execute
arbitrary commands via a URL that contains shell metacharacters.

Analysis
----------------
ED_PRI CAN-2000-0727 1
Vendor Acknowledgement: yes advisory

Voting Section
--------------
Possible votes: ACCEPT/MODIFY/NOOP/REVIEWING/RECAST/REJECT
If ACCEPT or MODIFY, include reason for acceptance:
  VERIFIED-BY-MY-ORG, ACKNOWLEDGED-BY-VENDOR, VERIFIED-BY-SOMEONE-I-TRUST,
  HAS-INDEPENDENT-CONFIRMATION, or provide other reason.

VOTE:
ACCEPT_REASON:

COMMENTS:

======================================================
Candidate: CAN-2000-0728
Published:
Final-Decision:
Interim-Decision:
Modified:
Proposed: 20000921
Assigned: 20000919
Category: SF
Reference: BUGTRAQ:20000829 MDKSA-2000:041 - xpdf update
Reference: URL:http://marc.theaimsgroup.com/?l=bugtraq&m=96766355023239&w=2
Reference: BUGTRAQ:20000913 Conectiva Linux Security Announcement - xpdf
Reference: URL:http://marc.theaimsgroup.com/?l=bugtraq&m=96886599829687&w=2
Reference: DEBIAN:20000910 xpdf: local exploit
Reference: URL:http://www.debian.org/security/2000/20000910a
Reference: REDHAT:RHSA-2000:060-03
Reference: URL:http://www.redhat.com/support/errata/RHSA-2000-060-03.html
Reference: CALDERA:CSSA-2000-031.0
Reference: URL:http://www.calderasystems.com/support/security/advisories/CSSA-2000-031.0.txt
Reference: BID:1624
Reference: URL:http://www.securityfocus.com/bid/1624

xpdf PDF viewer client earlier than 0.91 allows local users to
overwrite arbitrary files via a symlink attack.

Analysis
----------------
ED_PRI CAN-2000-0728 1
Vendor Acknowledgement: yes advisory

Voting Section
--------------
Possible votes: ACCEPT/MODIFY/NOOP/REVIEWING/RECAST/REJECT
If ACCEPT or MODIFY, include reason for acceptance:
  VERIFIED-BY-MY-ORG, ACKNOWLEDGED-BY-VENDOR, VERIFIED-BY-SOMEONE-I-TRUST,
  HAS-INDEPENDENT-CONFIRMATION, or provide other reason.

VOTE:
ACCEPT_REASON:

COMMENTS:

======================================================
Candidate: CAN-2000-0729
Published:
Final-Decision:
Interim-Decision:
Modified:
Proposed: 20000921
Assigned: 20000919
Category: SF
Reference: FREEBSD:FreeBSD-SA-00:41
Reference: URL:http://archives.neohapsis.com/archives/freebsd/2000-08/0337.html
Reference: BID:1625
Reference: URL:http://www.securityfocus.com/bid/1625

FreeBSD 5.x, 4.x, and 3.x allows local users to cause a denial of
service by executing a program with a malformed ELF image header.

Analysis
----------------
ED_PRI CAN-2000-0729 1
Vendor Acknowledgement: yes advisory

Voting Section
--------------
Possible votes: ACCEPT/MODIFY/NOOP/REVIEWING/RECAST/REJECT
If ACCEPT or MODIFY, include reason for acceptance:
  VERIFIED-BY-MY-ORG, ACKNOWLEDGED-BY-VENDOR, VERIFIED-BY-SOMEONE-I-TRUST,
  HAS-INDEPENDENT-CONFIRMATION, or provide other reason.

VOTE:
ACCEPT_REASON:

COMMENTS:

======================================================
Candidate: CAN-2000-0749
Published:
Final-Decision:
Interim-Decision:
Modified:
Proposed: 20000921
Assigned: 20000919
Category: SF
Reference: FREEBSD:FreeBSD-SA-00:42
Reference: URL:http://archives.neohapsis.com/archives/freebsd/2000-08/0338.html
Reference: BID:1628
Reference: URL:http://www.securityfocus.com/bid/1628

Buffer overflow in the Linux binary compatability module in FreeBSD
3.x through 5.x allows local users to gain root privileges via long
filenames in the linux shadow file system.

Analysis
----------------
ED_PRI CAN-2000-0749 1
Vendor Acknowledgement: yes advisory

Voting Section
--------------
Possible votes: ACCEPT/MODIFY/NOOP/REVIEWING/RECAST/REJECT
If ACCEPT or MODIFY, include reason for acceptance:
  VERIFIED-BY-MY-ORG, ACKNOWLEDGED-BY-VENDOR, VERIFIED-BY-SOMEONE-I-TRUST,
  HAS-INDEPENDENT-CONFIRMATION, or provide other reason.

VOTE:
ACCEPT_REASON:

COMMENTS:

======================================================
Candidate: CAN-2000-0771
Published:
Final-Decision:
Interim-Decision:
Modified:
Proposed: 20000921
Assigned: 20000919
Category: SF
Reference: MS:MS00-062
Reference: URL:http://www.microsoft.com/technet/security/bulletin/MS00-062.asp
Reference: BID:1613
Reference: URL:http://www.securityfocus.com/bid/1613

Microsoft Windows 2000 allows local users to cause a denial of service
by corrupting the local security policy via malformed RPC traffic, aka
the "Local Security Policy Corruption" vulnerability.

Analysis
----------------
ED_PRI CAN-2000-0771 1
Vendor Acknowledgement: yes

Voting Section
--------------
Possible votes: ACCEPT/MODIFY/NOOP/REVIEWING/RECAST/REJECT
If ACCEPT or MODIFY, include reason for acceptance:
  VERIFIED-BY-MY-ORG, ACKNOWLEDGED-BY-VENDOR, VERIFIED-BY-SOMEONE-I-TRUST,
  HAS-INDEPENDENT-CONFIRMATION, or provide other reason.

VOTE:
ACCEPT_REASON:

COMMENTS:

======================================================
Candidate: CAN-2000-0777
Published:
Final-Decision:
Interim-Decision:
Modified:
Proposed: 20000921
Assigned: 20000919
Category: SF
Reference: MS:MS00-061
Reference: URL:http://www.microsoft.com/technet/security/bulletin/ms00-061.asp
Reference: BID:1615
Reference: URL:http://www.securityfocus.com/bid/1615

The password protection feature of Microsoft Money can store the
password in plaintext, which allows attackers with physical access to
the system to obtain the password, aka the "Money Password"
vulnerability.

Analysis
----------------
ED_PRI CAN-2000-0777 1
Vendor Acknowledgement: yes advisory

Voting Section
--------------
Possible votes: ACCEPT/MODIFY/NOOP/REVIEWING/RECAST/REJECT
If ACCEPT or MODIFY, include reason for acceptance:
  VERIFIED-BY-MY-ORG, ACKNOWLEDGED-BY-VENDOR, VERIFIED-BY-SOMEONE-I-TRUST,
  HAS-INDEPENDENT-CONFIRMATION, or provide other reason.

VOTE:
ACCEPT_REASON:

COMMENTS:

======================================================
Candidate: CAN-2000-0690
Published:
Final-Decision:
Interim-Decision:
Modified:
Proposed: 20000921
Assigned: 20000919
Category: SF
Reference: BUGTRAQ:20000830 More problems with Auction Weaver & CGI Script Center.
Reference: URL:http://archives.neohapsis.com/archives/bugtraq/2000-08/0370.html
Reference: URL:http://archives.neohapsis.com/archives/bugtraq/2000-08/0452.html

Auction Weaver CGI script 1.02 and earlier allows remote attackers to
execute arbitrary commands via shell metacharacters in the fromfile
parameter.

Analysis
----------------
ED_PRI CAN-2000-0690 3
Vendor Acknowledgement: yes email-followup
Content Decisions: SF-LOC

This bug is vaguely alluded to in the Readme.txt for the download at
http://www.cgiscriptcenter.com/awl/awl10.zip and acknowledged in an
email followup.  In addition, you can see the patches in the source
code.

Voting Section
--------------
Possible votes: ACCEPT/MODIFY/NOOP/REVIEWING/RECAST/REJECT
If ACCEPT or MODIFY, include reason for acceptance:
  VERIFIED-BY-MY-ORG, ACKNOWLEDGED-BY-VENDOR, VERIFIED-BY-SOMEONE-I-TRUST,
  HAS-INDEPENDENT-CONFIRMATION, or provide other reason.

VOTE:
ACCEPT_REASON:

COMMENTS:

======================================================
Candidate: CAN-2000-0691
Published:
Final-Decision:
Interim-Decision:
Modified:
Proposed: 20000921
Assigned: 20000919
Category: SF
Reference: BUGTRAQ:20000826 Advisory: mgetty local compromise
Reference: URL:http://archives.neohapsis.com/archives/bugtraq/2000-08/0329.html
Reference: CONFIRM:http://archives.neohapsis.com/archives/bugtraq/2000-08/0330.html
Reference: CALDERA:CSSA-2000-029.0
Reference: URL:http://www.calderasystems.com/support/security/advisories/CSSA-2000-029.0.txt
Reference: BID:1612
Reference: URL:http://www.securityfocus.com/bid/1612

The faxrunq and faxrunqd in the mgetty package allows local users to
create or modify arbitrary files via a symlink attack which creates a
symlink in from /var/spool/fax/outgoing/.last_run to the target file.

Analysis
----------------
ED_PRI CAN-2000-0691 3
Vendor Acknowledgement: yes followup
Content Decisions: SF-EXEC

ABSTRACTION ISSUES:

CD:SF-EXEC suggests to keep faxrunq and faxrunqd in the same CVE item
because there are 2 binaries in the same package with the same flaw.

Voting Section
--------------
Possible votes: ACCEPT/MODIFY/NOOP/REVIEWING/RECAST/REJECT
If ACCEPT or MODIFY, include reason for acceptance:
  VERIFIED-BY-MY-ORG, ACKNOWLEDGED-BY-VENDOR, VERIFIED-BY-SOMEONE-I-TRUST,
  HAS-INDEPENDENT-CONFIRMATION, or provide other reason.

VOTE:
ACCEPT_REASON:

COMMENTS:

======================================================
Candidate: CAN-2000-0717
Published:
Final-Decision:
Interim-Decision:
Modified:
Proposed: 20000921
Assigned: 20000919
Category: SF
Reference: BUGTRAQ:20000830 [EXPL] GoodTech's FTP Server vulnerable to a DoS (RNTO)
Reference: URL:http://www.securityfocus.com/templates/archive.pike?list=1&msg=02ff01c0124c$e9387660$0201a8c0@aviram
Reference: BID:1619
Reference: URL:http://www.securityfocus.com/bid/1619

GoodTech FTP server allows remote attackers to cause a denial of
service via a large number of RNTO commands.

Analysis
----------------
ED_PRI CAN-2000-0717 3
Vendor Acknowledgement: unknown

Voting Section
--------------
Possible votes: ACCEPT/MODIFY/NOOP/REVIEWING/RECAST/REJECT
If ACCEPT or MODIFY, include reason for acceptance:
  VERIFIED-BY-MY-ORG, ACKNOWLEDGED-BY-VENDOR, VERIFIED-BY-SOMEONE-I-TRUST,
  HAS-INDEPENDENT-CONFIRMATION, or provide other reason.

VOTE:
ACCEPT_REASON:

COMMENTS:

======================================================
Candidate: CAN-2000-0720
Published:
Final-Decision:
Interim-Decision:
Modified:
Proposed: 20000921
Assigned: 20000919
Category: SF
Reference: BUGTRAQ:20000929 News Publisher CGI Vulnerability
Reference: URL:http://www.securityfocus.com/templates/archive.pike?list=1&msg=003301c0123b$18f8c1a0$953b29d4@e8s9s4
Reference: BID:1621
Reference: URL:http://www.securityfocus.com/bid/1621

news.cgi in GWScripts News Publisher does not properly authenticate
requests to add an author to the author index, which allows remote
attackers to add new authors by directly posting an HTTP request to
the new.cgi program with an addAuthor parameter, and setting the
Referer to the news.cgi program.

Analysis
----------------
ED_PRI CAN-2000-0720 3
Vendor Acknowledgement: unknown

Voting Section
--------------
Possible votes: ACCEPT/MODIFY/NOOP/REVIEWING/RECAST/REJECT
If ACCEPT or MODIFY, include reason for acceptance:
  VERIFIED-BY-MY-ORG, ACKNOWLEDGED-BY-VENDOR, VERIFIED-BY-SOMEONE-I-TRUST,
  HAS-INDEPENDENT-CONFIRMATION, or provide other reason.

VOTE:
ACCEPT_REASON:

COMMENTS:

======================================================
Candidate: CAN-2000-0726
Published:
Final-Decision:
Interim-Decision:
Modified:
Proposed: 20000921
Assigned: 20000919
Category: SF
Reference: BUGTRAQ:20000829 Stalker's CGImail Gives Read Access to All Server Files
Reference: URL:http://www.securityfocus.com/templates/archive.pike?list=1&msg=20000829194618.H7744@thathost.com
Reference: BID:1623
Reference: URL:http://www.securityfocus.com/bid/1623

CGIMail.exe CGI program in Stalkerlab Mailers 1.1.2 allows remote
attackers to read arbitrary files by specifying the file in the
$Attach$ hidden form variable.

Analysis
----------------
ED_PRI CAN-2000-0726 3
Vendor Acknowledgement: unknown

INCLUSION:

The poster indicates that he tested it successfully on a server, but
the vendor web site appears to be down.  This should not be included
in CVE without strong proof that it is (or was) a known problem.
However, it appears that a few ISP's still offer this as a service.

ANALYSIS:

The best documentation on the product seems to be at:

  http://www.cnsp.com/cgimail/cgimailins.htm

and the "Reserved Variables" certainly indicates the potential for
abuse.

This appears to have been originally discovered by Mnemonix in 1998
(http://ftp.hackzone.ru/nsp/info/www/cgi-bugs.htm) and replicated by a
few more sources (e.g. http://webm43ac.ntx.net/Articles/cgimail.html)
but there is still a question of whether this can be sufficiently
proven to exist.

The cgichk CGI scanner included this at least as recently as mid-1999,
but CGI scanners are notorious for cutting and pasting URL's from
other scanners, which makes it easy to introduce errors.

Voting Section
--------------
Possible votes: ACCEPT/MODIFY/NOOP/REVIEWING/RECAST/REJECT
If ACCEPT or MODIFY, include reason for acceptance:
  VERIFIED-BY-MY-ORG, ACKNOWLEDGED-BY-VENDOR, VERIFIED-BY-SOMEONE-I-TRUST,
  HAS-INDEPENDENT-CONFIRMATION, or provide other reason.

VOTE:
ACCEPT_REASON:

COMMENTS:

======================================================
Candidate: CAN-2000-0731
Published:
Final-Decision:
Interim-Decision:
Modified:
Proposed: 20000921
Assigned: 20000919
Category: SF
Reference: NTBUGTRAQ:20000825 DST2K0023: Directory Traversal Possible & Denial of Service in Wo rm HTTP Server
Reference: URL:http://archives.neohapsis.com/archives/ntbugtraq/2000-q3/0111.html
Reference: BID:1626
Reference: URL:http://www.securityfocus.com/bid/1626

Worm HTTP server allows remote attackers to read arbitrary files via a
.. (dot dot) attack.

Analysis
----------------
ED_PRI CAN-2000-0731 3
Vendor Acknowledgement: unknown

ACKNOWLEDGEMENT:

As of 9/16/2000, the binary could not be downloaded from the vendor
web site, and there was no concrete acknowledgement of the
vulnerability.

Voting Section
--------------
Possible votes: ACCEPT/MODIFY/NOOP/REVIEWING/RECAST/REJECT
If ACCEPT or MODIFY, include reason for acceptance:
  VERIFIED-BY-MY-ORG, ACKNOWLEDGED-BY-VENDOR, VERIFIED-BY-SOMEONE-I-TRUST,
  HAS-INDEPENDENT-CONFIRMATION, or provide other reason.

VOTE:
ACCEPT_REASON:

COMMENTS:

======================================================
Candidate: CAN-2000-0732
Published:
Final-Decision:
Interim-Decision:
Modified:
Proposed: 20000921
Assigned: 20000919
Category: SF
Reference: NTBUGTRAQ:20000825 DST2K0023: Directory Traversal Possible & Denial of Service in Wo rm HTTP Server
Reference: URL:http://archives.neohapsis.com/archives/ntbugtraq/2000-q3/0111.html
Reference: BID:1626
Reference: URL:http://www.securityfocus.com/bid/1626

Worm HTTP server allows remote attackers to cause a denial of service
via a long URL.

Analysis
----------------
ED_PRI CAN-2000-0732 3
Vendor Acknowledgement: unknown

ACKNOWLEDGEMENT:

As of 9/16/2000, the binary could not be downloaded from the vendor
web site, and there was no acknowledgement of the vulnerability on the
site.

This product appears to be freeware.

Voting Section
--------------
Possible votes: ACCEPT/MODIFY/NOOP/REVIEWING/RECAST/REJECT
If ACCEPT or MODIFY, include reason for acceptance:
  VERIFIED-BY-MY-ORG, ACKNOWLEDGED-BY-VENDOR, VERIFIED-BY-SOMEONE-I-TRUST,
  HAS-INDEPENDENT-CONFIRMATION, or provide other reason.

VOTE:
ACCEPT_REASON:

COMMENTS:

======================================================
Candidate: CAN-2000-0734
Published:
Final-Decision:
Interim-Decision:
Modified:
Proposed: 20000921
Assigned: 20000919
Category: SF
Reference: BUGTRAQ:20000831 Remote DoS Attack in Eeye Iris 1.01 and SpyNet CaptureNet v3.12
Reference: URL:http://marc.theaimsgroup.com/?l=bugtraq&m=96774637326591&w=2
Reference: BID:1627
Reference: URL:http://www.securityfocus.com/bid/1627

eEye IRIS 1.01 beta allows remote attackers to cause a denial of
service via a large number of UDP connections.

Analysis
----------------
ED_PRI CAN-2000-0734 3
Vendor Acknowledgement: unknown
Content Decisions: EX-BETA

INCLUSION:

CD:EX-BETA suggests that this should not be included in CVE because it
is a beta version, unless this has been widely distributed.

This thread also highlighted many issues related to the CD:EX-BETA
discussion, e.g.:

  http://marc.theaimsgroup.com/?l=bugtraq&m=96784626915584&w=2
  http://marc.theaimsgroup.com/?l=bugtraq&m=96783686531301&w=2

Voting Section
--------------
Possible votes: ACCEPT/MODIFY/NOOP/REVIEWING/RECAST/REJECT
If ACCEPT or MODIFY, include reason for acceptance:
  VERIFIED-BY-MY-ORG, ACKNOWLEDGED-BY-VENDOR, VERIFIED-BY-SOMEONE-I-TRUST,
  HAS-INDEPENDENT-CONFIRMATION, or provide other reason.

VOTE:
ACCEPT_REASON:

COMMENTS:

======================================================
Candidate: CAN-2000-0752
Published:
Final-Decision:
Interim-Decision:
Modified:
Proposed: 20000921
Assigned: 20000919
Category: SF
Reference: FREEBSD:FreeBSD-SA-00:43
Reference: URL:http://archives.neohapsis.com/archives/freebsd/2000-08/0339.html
Reference: BID:1629
Reference: URL:http://www.securityfocus.com/bid/1629

Buffer overflows in brouted in FreeBSD and possibly other OSes allows
local users to gain root privileges via long command line arguments.

Analysis
----------------
ED_PRI CAN-2000-0752 3
Vendor Acknowledgement: yes advisory
Content Decisions: SF-LOC

CD:SF-LOC would suggest to SPLIT this for each buffer overflow, but
more detailed analysis at the source code level would be necessary.

Voting Section
--------------
Possible votes: ACCEPT/MODIFY/NOOP/REVIEWING/RECAST/REJECT
If ACCEPT or MODIFY, include reason for acceptance:
  VERIFIED-BY-MY-ORG, ACKNOWLEDGED-BY-VENDOR, VERIFIED-BY-SOMEONE-I-TRUST,
  HAS-INDEPENDENT-CONFIRMATION, or provide other reason.

VOTE:
ACCEPT_REASON:

COMMENTS:

======================================================
Candidate: CAN-2000-0756
Published:
Final-Decision:
Interim-Decision:
Modified:
Proposed: 20000921
Assigned: 20000919
Category: SF
Reference: BUGTRAQ:20000831 vCard DoS on Outlook 2000
Reference: URL:http://www.securityfocus.com/templates/archive.pike?list=1&msg=Springmail.105.967737080.0.16997300@www.springmail.com
Reference: BID:1633
Reference: URL:http://www.securityfocus.com/bid/1633

Microsoft Outlook 2000 does not properly process long or malformed
fields in vCard (.vcf) files, which allows attackers to cause a denial
of service.

Analysis
----------------
ED_PRI CAN-2000-0756 3
Vendor Acknowledgement: unknown

Voting Section
--------------
Possible votes: ACCEPT/MODIFY/NOOP/REVIEWING/RECAST/REJECT
If ACCEPT or MODIFY, include reason for acceptance:
  VERIFIED-BY-MY-ORG, ACKNOWLEDGED-BY-VENDOR, VERIFIED-BY-SOMEONE-I-TRUST,
  HAS-INDEPENDENT-CONFIRMATION, or provide other reason.

VOTE:
ACCEPT_REASON:

COMMENTS:

======================================================
Candidate: CAN-2000-0764
Published:
Final-Decision:
Interim-Decision:
Modified:
Proposed: 20000921
Assigned: 20000919
Category: SF
Reference: BUGTRAQ:20000828 Intel Express Switch 500 series DoS
Reference: URL:http://archives.neohapsis.com/archives/bugtraq/2000-08/0338.html
Reference: BID:1609
Reference: URL:http://www.securityfocus.com/bid/1609

Intel Express 500 series switches allow a remote attacker to cause a
denial of service via a malformed IP packet.

Analysis
----------------
ED_PRI CAN-2000-0764 3
Vendor Acknowledgement: unknown

ACKNOWLEDGEMENT: could not find vendor acknowledgement on web site.

Voting Section
--------------
Possible votes: ACCEPT/MODIFY/NOOP/REVIEWING/RECAST/REJECT
If ACCEPT or MODIFY, include reason for acceptance:
  VERIFIED-BY-MY-ORG, ACKNOWLEDGED-BY-VENDOR, VERIFIED-BY-SOMEONE-I-TRUST,
  HAS-INDEPENDENT-CONFIRMATION, or provide other reason.

VOTE:
ACCEPT_REASON:

COMMENTS:

======================================================
Candidate: CAN-2000-0775
Published:
Final-Decision:
Interim-Decision:
Modified:
Proposed: 20000921
Assigned: 20000919
Category: SF
Reference: BUGTRAQ:20000828 [NT] Viking security vulnerabilities enable remote code execution (long URL, date parsing)
Reference: URL:http://www.securityfocus.com/templates/archive.pike?list=1&msg=399a01c01122$0d7f2310$0201a8c0@aviram
Reference: CONFIRM:http://www.robtex.com/viking/bugs.htm
Reference: BID:1614
Reference: URL:http://www.securityfocus.com/bid/1614

Buffer overflow in RobTex Viking server earlier than 1.06-370 allows
remote attackers to cause a denial of service or execute arbitrary
commands via a long HTTP GET request, or long Unless-Modified-Since,
If-Range, or If-Modified-Since headers.

Analysis
----------------
ED_PRI CAN-2000-0775 3
Vendor Acknowledgement: yes advisory
Content Decisions: SF-LOC

ABSTRACTION:

There are multiple attacks that can trigger a buffer overflow, both in
a long GET as well as long MIME headers.  If these are all due to the
same line of code (e.g. an fgets() call), then CD:SF-LOC says to
combine them all.  Otherwise, if there are separate lines of code for
each bad header, then separate entries should be created.  But should
CD:SF-LOC have a maximum number of entries for each different bug?  A
poorly written application might have dozens (or hundreds) of buffer
overflows in it, but should CVE have a separate entry for each one?

The level of abstraction of this candidate is the same as that for
CAN-2000-0623, which also has HTTP GET and header request problems.

Voting Section
--------------
Possible votes: ACCEPT/MODIFY/NOOP/REVIEWING/RECAST/REJECT
If ACCEPT or MODIFY, include reason for acceptance:
  VERIFIED-BY-MY-ORG, ACKNOWLEDGED-BY-VENDOR, VERIFIED-BY-SOMEONE-I-TRUST,
  HAS-INDEPENDENT-CONFIRMATION, or provide other reason.

VOTE:
ACCEPT_REASON:

COMMENTS:

Page Last Updated or Reviewed: May 22, 2007