
[PROPOSAL] Cluster RECENT-89 - 50 candidates



I am proposing cluster RECENT-89 for review and voting by the
Editorial Board.

Name: RECENT-89
Description: Candidates announced between 1/2/2002 and 3/9/2002
Size: 50

You may vote on candidates by modifying this email ballot and sending
it back to me, or by using the CVE voting web site.

The candidates are listed in order of priority.  Priority 1 and
Priority 2 candidates both deal with varying levels of vendor
confirmation, so they should be easy to review and it can be trusted
that the problems are real.

If you discover that any RECENT-XX cluster is incomplete with respect
to the problems discovered during the associated time frame, please
send that information to me so that candidates can be assigned.

- Steve




Summary of votes to use (in ascending order of "severity")
----------------------------------------------------------

ACCEPT - voter accepts the candidate as proposed
NOOP - voter has no opinion on the candidate
MODIFY - voter wants to change some MINOR detail (e.g. reference/description)
REVIEWING - voter is reviewing/researching the candidate, or needs more info
RECAST - candidate must be significantly modified, e.g. split or merged
REJECT - candidate is "not a vulnerability", or a duplicate, etc.

1) Please write your vote on the line that starts with "VOTE: ".  If
   you want to add comments or details, add them to lines after the
   VOTE: line.

2) If you see any missing references, please mention them so that they
   can be included.  References help greatly during mapping.

3) Note that a "MODIFY" is treated as an "ACCEPT" when counting votes.
   So if you don't have sufficient information for a candidate but you
   don't want to NOOP, use a REVIEWING.

********** NOTE ********** NOTE ********** NOTE ********** NOTE **********

Please keep in mind that your vote and comments will be recorded and
publicly viewable in the mailing list archives or in other formats.

======================================================
Candidate: CAN-2002-0006
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2002-0006
Final-Decision:
Interim-Decision:
Modified:
Proposed: 20020611
Assigned: 20020108
Category: SF
Reference: BUGTRAQ:20020109 xchat IRC session hijacking vulnerability (versions 1.4.1, 1.4.2)
Reference: URL:http://marc.theaimsgroup.com/?l=bugtraq&m=101060676210255&w=2
Reference: DEBIAN:DSA-099
Reference: URL:http://www.debian.org/security/2002/dsa-099
Reference: REDHAT:RHSA-2002:005
Reference: URL:http://rhn.redhat.com/errata/RHSA-2002-005.html
Reference: HP:HPSBTL0201-016
Reference: URL:http://online.securityfocus.com/advisories/3806
Reference: CONECTIVA:CLA-2002:453
Reference: URL:http://distro.conectiva.com.br/atualizacoes/?id=a&anuncio=000453
Reference: XF:xchat-ctcp-ping-command(7856)
Reference: URL:http://xforce.iss.net/static/7856.php
Reference: BID:3830
Reference: URL:http://www.securityfocus.com/bid/3830

XChat 1.8.7 and earlier, including default configurations of 1.4.2 and
1.4.3, allows remote attackers to execute arbitrary IRC commands as
other clients via encoded characters in a PRIVMSG command that calls
CTCP PING, which expands the characters in the client response when
the percascii variable is set.

Analysis
----------------
ED_PRI CAN-2002-0006 1
Vendor Acknowledgement: yes advisory

Voting Section
--------------
Possible votes: ACCEPT/MODIFY/NOOP/REVIEWING/RECAST/REJECT
If ACCEPT or MODIFY, include reason for acceptance:
  VERIFIED-BY-MY-ORG, ACKNOWLEDGED-BY-VENDOR, VERIFIED-BY-SOMEONE-I-TRUST,
  HAS-INDEPENDENT-CONFIRMATION, or provide other reason.

VOTE:
ACCEPT_REASON:

COMMENTS:

======================================================
Candidate: CAN-2002-0363
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2002-0363
Final-Decision:
Interim-Decision:
Modified:
Proposed: 20020611
Assigned: 20020507
Category: SF
Reference: MISC:http://www.ghostscript.com/pipermail/gs-code-review/2002-January/001801.html
Reference: MISC:http://www.ghostscript.com/pipermail/gs-code-review/2002-February/001900.html
Reference: REDHAT:RHSA-2002:083
Reference: URL:http://www.redhat.com/support/errata/RHSA-2002-083.html

ghostscript before 6.53 allows attackers to execute arbitrary commands
by using .locksafe or .setsafe to reset the current pagedevice.

Analysis
----------------
ED_PRI CAN-2002-0363 1
Vendor Acknowledgement: yes

Voting Section
--------------
Possible votes: ACCEPT/MODIFY/NOOP/REVIEWING/RECAST/REJECT
If ACCEPT or MODIFY, include reason for acceptance:
  VERIFIED-BY-MY-ORG, ACKNOWLEDGED-BY-VENDOR, VERIFIED-BY-SOMEONE-I-TRUST,
  HAS-INDEPENDENT-CONFIRMATION, or provide other reason.

VOTE:
ACCEPT_REASON:

COMMENTS:

======================================================
Candidate: CAN-2002-0412
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2002-0412
Final-Decision:
Interim-Decision:
Modified:
Proposed: 20020611
Assigned: 20020607
Category: SF
Reference: BUGTRAQ:20020304 [H20020304]: Remotely exploitable format string vulnerability in ntop
Reference: URL:http://online.securityfocus.com/archive/1/259642
Reference: BUGTRAQ:20020411 ALERT ALERT ALERT ALERT ALERT ALERT ALERT ALERT ALERT ALERT ALERT
Reference: URL:http://marc.theaimsgroup.com/?l=bugtraq&m=101854261030453&w=2
Reference: BUGTRAQ:20020411 re: gobbles ntop alert
Reference: URL:http://marc.theaimsgroup.com/?l=bugtraq&m=101856541322245&w=2
Reference: BUGTRAQ:20020417 segfault in ntop
Reference: URL:http://marc.theaimsgroup.com/?l=bugtraq&m=101908224609740&w=2
Reference: VULNWATCH:20020304 [VulnWatch] [H20020304]: Remotely exploitable format string vulnerability in ntop
Reference: URL:http://archives.neohapsis.com/archives/vulnwatch/2002-q1/0056.html
Reference: CONFIRM:http://snapshot.ntop.org/
Reference: MISC:http://listmanager.unipi.it/pipermail/ntop-dev/2002-February/000489.html
Reference: XF:ntop-traceevent-format-string(8347)
Reference: URL:http://www.iss.net/security_center/static/8347.php
Reference: BID:4225
Reference: URL:http://www.securityfocus.com/bid/4225

Format string vulnerability in TraceEvent function for ntop before 2.1
allows remote attackers to execute arbitrary code by causing format
strings to be injected into calls to the syslog function, via (1) an
HTTP GET request, (2) a user name in HTTP authentication, or (3) a
password in HTTP authentication.

Analysis
----------------
ED_PRI CAN-2002-0412 1
Vendor Acknowledgement: yes advisory

ACKNOWLEDGEMENT: On the front page, the vendor has an item dated March
5, 2002, which states "A security exposure (remote code execution) in
ntop was reported to bugtraq (bugtraq@securityfocus.com) by
'hologram'" - the original discloser to Bugtraq.

Voting Section
--------------
Possible votes: ACCEPT/MODIFY/NOOP/REVIEWING/RECAST/REJECT
If ACCEPT or MODIFY, include reason for acceptance:
  VERIFIED-BY-MY-ORG, ACKNOWLEDGED-BY-VENDOR, VERIFIED-BY-SOMEONE-I-TRUST,
  HAS-INDEPENDENT-CONFIRMATION, or provide other reason.

VOTE:
ACCEPT_REASON:

COMMENTS:

======================================================
Candidate: CAN-2002-0414
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2002-0414
Final-Decision:
Interim-Decision:
Modified:
Proposed: 20020611
Assigned: 20020607
Category: SF
Reference: BUGTRAQ:20020304 BSD: IPv4 forwarding doesn't consult inbound SPD in KAME-derived IPsec
Reference: URL:http://www.securityfocus.com/archive/1/259598
Reference: CONFIRM:http://orange.kame.net/dev/cvsweb.cgi/kame/CHANGELOG
Reference: BID:4224
Reference: URL:http://www.securityfocus.com/bid/4224
Reference: XF:kame-forged-packet-forwarding(8416)
Reference: URL:http://www.iss.net/security_center/static/8416.php
Reference: VULNWATCH:20020304 [VulnWatch] BSD: IPv4 forwarding doesn't consult inbound SPD in KAME-derived IPsec
Reference: URL:http://archives.neohapsis.com/archives/vulnwatch/2002-q1/0057.html

KAME-derived implementations of IPsec on NetBSD 1.5.2, FreeBSD 4.5,
and other operating systems do not properly consult the Security
Policy Database (SPD), which could cause a Security Gateway (SG) that
does not use Encapsulating Security Payload (ESP) to forward forged
IPv4 packets.

Analysis
----------------
ED_PRI CAN-2002-0414 1
Vendor Acknowledgement: yes changelog

ACKNOWLEDGEMENT: In a changelog item dated "Mon Feb 25 2:00:06 2002,"
the vendor says "enforce ipsec policy checking on forwarding case" and
credits the Bugtraq poster.

Voting Section
--------------
Possible votes: ACCEPT/MODIFY/NOOP/REVIEWING/RECAST/REJECT
If ACCEPT or MODIFY, include reason for acceptance:
  VERIFIED-BY-MY-ORG, ACKNOWLEDGED-BY-VENDOR, VERIFIED-BY-SOMEONE-I-TRUST,
  HAS-INDEPENDENT-CONFIRMATION, or provide other reason.

VOTE:
ACCEPT_REASON:

COMMENTS:

======================================================
Candidate: CAN-2002-0423
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2002-0423
Final-Decision:
Interim-Decision:
Modified:
Proposed: 20020611
Assigned: 20020607
Category: SF
Reference: BUGTRAQ:20020306 efingerd remote buffer overflow and a dangerous feature
Reference: URL:http://archives.neohapsis.com/archives/bugtraq/2002-03/0050.html
Reference: CONFIRM:http://melkor.dnp.fmph.uniba.sk/~garabik/efingerd/efingerd_1.5.tar.gz
Reference: BID:4239
Reference: URL:http://www.securityfocus.com/bid/4239
Reference: XF:efingerd-reverse-lookup-bo(8380)
Reference: URL:http://www.iss.net/security_center/static/8380.php

Buffer overflow in efingerd 1.5 and earlier, and possibly up to 1.61,
allows remote attackers to cause a denial of service and possibly
execute arbitrary code via a finger request from an IP address with a
long hostname that is obtained via a reverse DNS lookup.

Analysis
----------------
ED_PRI CAN-2002-0423 1
Vendor Acknowledgement: yes patch

ACKNOWLEDGEMENT: an examination of the source code for 1.6.2 shows a
child.c file, dated several weeks after initial disclosure, whose only
change was to terminate the string that is copied. But the source code
shows a strncpy call, as opposed to a strcpy as claimed by the
discloser. Looking back at the source code for older versions, it
appears that the first attempt to fix the overflow was made in version
1.5, where the strcpy was replaced by strncpy. However, since the
string was not null terminated until 1.6.2, the discloser may have
believed that the overflow still existed, since they were probably
still able to at least trigger a crash. It is unclear whether the
unterminated string in versions 1.5 through 1.6.2 is actually
exploitable.

Voting Section
--------------
Possible votes: ACCEPT/MODIFY/NOOP/REVIEWING/RECAST/REJECT
If ACCEPT or MODIFY, include reason for acceptance:
  VERIFIED-BY-MY-ORG, ACKNOWLEDGED-BY-VENDOR, VERIFIED-BY-SOMEONE-I-TRUST,
  HAS-INDEPENDENT-CONFIRMATION, or provide other reason.

VOTE:
ACCEPT_REASON:

COMMENTS:

======================================================
Candidate: CAN-2002-0424
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2002-0424
Final-Decision:
Interim-Decision:
Modified:
Proposed: 20020611
Assigned: 20020607
Category: SF
Reference: BUGTRAQ:20020306 efingerd remote buffer overflow and a dangerous feature
Reference: URL:http://archives.neohapsis.com/archives/bugtraq/2002-03/0050.html
Reference: CONFIRM:http://melkor.dnp.fmph.uniba.sk/~garabik/efingerd/efingerd_1.6.2.tar.gz
Reference: BID:4240
Reference: URL:http://www.securityfocus.com/bid/4240
Reference: XF:efingerd-file-execution(8381)
Reference: URL:http://www.iss.net/security_center/static/8381.php

efingerd 1.61 and earlier, when configured without the -u option,
executes .efingerd files as the efingerd user (typically "nobody"),
which allows local users to gain privileges as the efingerd user by
modifying their own .efingerd file and running finger.

Analysis
----------------
ED_PRI CAN-2002-0424 1
Vendor Acknowledgement: yes changelog

ACKNOWLEDGEMENT: the vendor acknowledges but does not fix the problem
in 1.6.2. The README file for efingerd 1.6.2 includes a new "Security
Notes" section that states: "unless run with option -u, efingerd
executes ... [the .efingerd file] under the same UID as the efingerd
daemon... This means that users could gain access to this UID very
easily." For the purposes of CVE, vendor acknowledgement is all that
is necessary.

Voting Section
--------------
Possible votes: ACCEPT/MODIFY/NOOP/REVIEWING/RECAST/REJECT
If ACCEPT or MODIFY, include reason for acceptance:
  VERIFIED-BY-MY-ORG, ACKNOWLEDGED-BY-VENDOR, VERIFIED-BY-SOMEONE-I-TRUST,
  HAS-INDEPENDENT-CONFIRMATION, or provide other reason.

VOTE:
ACCEPT_REASON:

COMMENTS:

======================================================
Candidate: CAN-2002-0429
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2002-0429
Final-Decision:
Interim-Decision:
Modified:
Proposed: 20020611
Assigned: 20020607
Category: SF
Reference: BUGTRAQ:20020308 linux <=2.4.18 x86 traps.c problem
Reference: URL:http://marc.theaimsgroup.com/?l=bugtraq&m=101561298818888&w=2
Reference: CONFIRM:http://www.openwall.com/linux/
Reference: BID:4259
Reference: URL:http://online.securityfocus.com/bid/4259

The iBCS routines in arch/i386/kernel/traps.c for Linux kernels 2.4.18
and earlier on x86 systems allow local users to kill arbitrary
processes via a binary compatibility interface (lcall).

Analysis
----------------
ED_PRI CAN-2002-0429 1
Vendor Acknowledgement: yes

ACKNOWLEDGEMENT: the Openwall home page has an item dated March 3,
2002, which states "Linux 2.2.20-ow2 fixes an x86-specific
vulnerability in the Linux kernel discovered by Stephan Springl where
local users could abuse a binary compatibility interface (lcall) to
kill processes not belonging to them."

Voting Section
--------------
Possible votes: ACCEPT/MODIFY/NOOP/REVIEWING/RECAST/REJECT
If ACCEPT or MODIFY, include reason for acceptance:
  VERIFIED-BY-MY-ORG, ACKNOWLEDGED-BY-VENDOR, VERIFIED-BY-SOMEONE-I-TRUST,
  HAS-INDEPENDENT-CONFIRMATION, or provide other reason.

VOTE:
ACCEPT_REASON:

COMMENTS:

======================================================
Candidate: CAN-2002-0497
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2002-0497
Final-Decision:
Interim-Decision:
Modified:
Proposed: 20020611
Assigned: 20020607
Category: SF
Reference: BUGTRAQ:20020306 mtr 0.45, 0.46
Reference: URL:http://archives.neohapsis.com/archives/bugtraq/2002-03/0048.html
Reference: DEBIAN:DSA-124
Reference: URL:http://www.debian.org/security/2002/dsa-124
Reference: BID:4217
Reference: URL:http://www.securityfocus.com/bid/4217
Reference: XF:mtr-options-bo(8367)
Reference: URL:http://www.iss.net/security_center/static/8367.php

Buffer overflow in mtr 0.46 and earlier, when installed setuid root,
allows local users to access a raw socket via a long MTR_OPTIONS
environment variable.

Analysis
----------------
ED_PRI CAN-2002-0497 1
Vendor Acknowledgement: yes advisory

Voting Section
--------------
Possible votes: ACCEPT/MODIFY/NOOP/REVIEWING/RECAST/REJECT
If ACCEPT or MODIFY, include reason for acceptance:
  VERIFIED-BY-MY-ORG, ACKNOWLEDGED-BY-VENDOR, VERIFIED-BY-SOMEONE-I-TRUST,
  HAS-INDEPENDENT-CONFIRMATION, or provide other reason.

VOTE:
ACCEPT_REASON:

COMMENTS:

======================================================
Candidate: CAN-2002-0517
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2002-0517
Final-Decision:
Interim-Decision:
Modified:
Proposed: 20020611
Assigned: 20020607
Category: SF
Reference: BUGTRAQ:20020108 dtterm exploit in Unixware 7.1.1
Reference: URL:http://www.securityfocus.com/archive/1/249106
Reference: BUGTRAQ:20020108 xterm exploit in Unixware 7.0.1
Reference: URL:http://archives.neohapsis.com/archives/bugtraq/2002-01/0099.html
Reference: CALDERA:CSSA-2002-SCO.15
Reference: URL:ftp://stage.caldera.com/pub/security/openunix/CSSA-2002-SCO.15/CSSA-2002-SCO.15.txt
Reference: BID:4502
Reference: URL:http://www.securityfocus.com/bid/4502
Reference: XF:unixware-openunix-dtterm-bo(7282)
Reference: URL:http://www.iss.net/security_center/static/7282.php
Reference: XF:x11-xrm-bo(8828)
Reference: URL:http://www.iss.net/security_center/static/8828.php

Buffer overflow in X11 library (libX11) on Caldera Open UNIX 8.0.0,
UnixWare 7.1.1, and possibly other operating systems, allows local
users to gain root privileges via a long -xrm argument to programs
such as (1) dtterm or (2) xterm.

Analysis
----------------
ED_PRI CAN-2002-0517 1
Vendor Acknowledgement: yes advisory

Voting Section
--------------
Possible votes: ACCEPT/MODIFY/NOOP/REVIEWING/RECAST/REJECT
If ACCEPT or MODIFY, include reason for acceptance:
  VERIFIED-BY-MY-ORG, ACKNOWLEDGED-BY-VENDOR, VERIFIED-BY-SOMEONE-I-TRUST,
  HAS-INDEPENDENT-CONFIRMATION, or provide other reason.

VOTE:
ACCEPT_REASON:

COMMENTS:

======================================================
Candidate: CAN-2002-0567
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2002-0567
Final-Decision:
Interim-Decision:
Modified:
Proposed: 20020611
Assigned: 20020607
Category: SF
Reference: BUGTRAQ:20020206 Remote Compromise in Oracle 9i Database Server
Reference: URL:http://marc.theaimsgroup.com/?l=bugtraq&m=101301332402079&w=2
Reference: CERT-VN:VU#180147
Reference: URL:http://www.kb.cert.org/vuls/id/180147
Reference: CERT:CA-2002-08
Reference: URL:http://www.cert.org/advisories/CA-2002-08.html
Reference: CONFIRM:http://otn.oracle.com/deploy/security/pdf/plsextproc_alert.pdf
Reference: BID:4033
Reference: URL:http://www.securityfocus.com/bid/4033
Reference: XF:oracle-plsql-remote-access(8089)
Reference: URL:http://xforce.iss.net/static/8089.php

Oracle 8i and 9i with PL/SQL package for External Procedures (EXTPROC)
allows remote attackers to bypass authentication and execute arbitrary
functions by using the TNS Listener to directly connect to the EXTPROC
process.

Analysis
----------------
ED_PRI CAN-2002-0567 1
Vendor Acknowledgement: yes advisory

Voting Section
--------------
Possible votes: ACCEPT/MODIFY/NOOP/REVIEWING/RECAST/REJECT
If ACCEPT or MODIFY, include reason for acceptance:
  VERIFIED-BY-MY-ORG, ACKNOWLEDGED-BY-VENDOR, VERIFIED-BY-SOMEONE-I-TRUST,
  HAS-INDEPENDENT-CONFIRMATION, or provide other reason.

VOTE:
ACCEPT_REASON:

COMMENTS:

======================================================
Candidate: CAN-2002-0568
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2002-0568
Final-Decision:
Interim-Decision:
Modified:
Proposed: 20020611
Assigned: 20020607
Category: SF
Reference: BUGTRAQ:20020206 Hackproofing Oracle Application Server paper
Reference: URL:http://marc.theaimsgroup.com/?l=bugtraq&m=101301813117562&w=2
Reference: CERT:CA-2002-08
Reference: URL:http://www.cert.org/advisories/CA-2002-08.html
Reference: CERT-VN:VU#476619
Reference: URL:http://www.kb.cert.org/vuls/id/476619
Reference: MISC:http://www.nextgenss.com/papers/hpoas.pdf
Reference: BID:4290
Reference: URL:http://www.securityfocus.com/bid/4290

Oracle 9i Application Server stores XSQL and SOAP configuration files
insecurely, which allows local users to obtain sensitive information
including usernames and passwords by requesting (1) XSQLConfig.xml or
(2) soapConfig.xml through a virtual directory.

Analysis
----------------
ED_PRI CAN-2002-0568 1
Vendor Acknowledgement: yes advisory

Voting Section
--------------
Possible votes: ACCEPT/MODIFY/NOOP/REVIEWING/RECAST/REJECT
If ACCEPT or MODIFY, include reason for acceptance:
  VERIFIED-BY-MY-ORG, ACKNOWLEDGED-BY-VENDOR, VERIFIED-BY-SOMEONE-I-TRUST,
  HAS-INDEPENDENT-CONFIRMATION, or provide other reason.

VOTE:
ACCEPT_REASON:

COMMENTS:

======================================================
Candidate: CAN-2002-0569
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2002-0569
Final-Decision:
Interim-Decision:
Modified:
Proposed: 20020611
Assigned: 20020607
Category: SF
Reference: BUGTRAQ:20020206 Hackproofing Oracle Application Server paper
Reference: URL:http://marc.theaimsgroup.com/?l=bugtraq&m=101301813117562&w=2
Reference: CERT-VN:VU#977251
Reference: URL:http://www.kb.cert.org/vuls/id/977251
Reference: CERT:CA-2002-08
Reference: URL:http://www.cert.org/advisories/CA-2002-08.html
Reference: MISC:http://www.nextgenss.com/papers/hpoas.pdf
Reference: BID:4298
Reference: URL:http://www.securityfocus.com/bid/4298

Oracle 9i Application Server allows remote attackers to bypass access
restrictions for configuration files via a direct request to the XSQL
Servlet (XSQLServlet).

Analysis
----------------
ED_PRI CAN-2002-0569 1
Vendor Acknowledgement: yes advisory

Voting Section
--------------
Possible votes: ACCEPT/MODIFY/NOOP/REVIEWING/RECAST/REJECT
If ACCEPT or MODIFY, include reason for acceptance:
  VERIFIED-BY-MY-ORG, ACKNOWLEDGED-BY-VENDOR, VERIFIED-BY-SOMEONE-I-TRUST,
  HAS-INDEPENDENT-CONFIRMATION, or provide other reason.

VOTE:
ACCEPT_REASON:

COMMENTS:

======================================================
Candidate: CAN-2002-0406
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2002-0406
Final-Decision:
Interim-Decision:
Modified:
Proposed: 20020611
Assigned: 20020607
Category: SF
Reference: BUGTRAQ:20020302 Denial of Service in Sphereserver
Reference: URL:http://online.securityfocus.com/archive/1/259334
Reference: XF:sphereserver-connections-dos(8338)
Reference: URL:http://www.iss.net/security_center/static/8338.php
Reference: BID:4258
Reference: URL:http://www.securityfocus.com/bid/4258

Menasoft SPHERE server 0.99x and 0.5x allows remote attackers to cause
a denial of service by establishing a large number of connections to
the server without providing login credentials, which prevents other
users from being able to log in.

Analysis
----------------
ED_PRI CAN-2002-0406 3
Vendor Acknowledgement:

Voting Section
--------------
Possible votes: ACCEPT/MODIFY/NOOP/REVIEWING/RECAST/REJECT
If ACCEPT or MODIFY, include reason for acceptance:
  VERIFIED-BY-MY-ORG, ACKNOWLEDGED-BY-VENDOR, VERIFIED-BY-SOMEONE-I-TRUST,
  HAS-INDEPENDENT-CONFIRMATION, or provide other reason.

VOTE:
ACCEPT_REASON:

COMMENTS:

======================================================
Candidate: CAN-2002-0407
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2002-0407
Final-Decision:
Interim-Decision:
Modified:
Proposed: 20020611
Assigned: 20020607
Category: SF
Reference: BUGTRAQ:20020207 Re: KPMG-2002004: Lotus Domino Webserver DOS-device Denial of Service
Reference: URL:http://online.securityfocus.com/archive/1/254768
Reference: BUGTRAQ:20020402 KPMG-2002006: Lotus Domino Physical Path Revealed
Reference: URL:http://www.securityfocus.com/archive/1/265380
Reference: BID:4406
Reference: URL:http://www.securityfocus.com/bid/4406
Reference: XF:lotus-domino-reveal-information(8160)
Reference: URL:http://www.iss.net/security_center/static/8160.php

htcgibin.exe in Lotus Domino server 5.0.9a and earlier allows remote
attackers to determine the physical pathname for the server via
requests that contain certain MS-DOS device names such as com5, e.g.
(1) a request with a .pl or .java extension, or (2) a request
containing a large number of periods, which causes htcgibin.exe to
leak the pathname in an error message.

Analysis
----------------
ED_PRI CAN-2002-0407 3
Vendor Acknowledgement: unknown discloser-claimed
Content Decisions: SF-LOC

Voting Section
--------------
Possible votes: ACCEPT/MODIFY/NOOP/REVIEWING/RECAST/REJECT
If ACCEPT or MODIFY, include reason for acceptance:
  VERIFIED-BY-MY-ORG, ACKNOWLEDGED-BY-VENDOR, VERIFIED-BY-SOMEONE-I-TRUST,
  HAS-INDEPENDENT-CONFIRMATION, or provide other reason.

VOTE:
ACCEPT_REASON:

COMMENTS:

======================================================
Candidate: CAN-2002-0408
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2002-0408
Final-Decision:
Interim-Decision:
Modified:
Proposed: 20020611
Assigned: 20020607
Category: SF
Reference: BUGTRAQ:20020207 Re: KPMG-2002004: Lotus Domino Webserver DOS-device Denial of Service
Reference: URL:http://online.securityfocus.com/archive/1/254768
Reference: BUGTRAQ:20020303 Re: KPMG-2002006: Lotus Domino Physical Path Revealed
Reference: URL:http://marc.theaimsgroup.com/?l=bugtraq&m=101785616526383&w=2
Reference: BID:4049
Reference: URL:http://www.securityfocus.com/bid/4049

htcgibin.exe in Lotus Domino server 5.0.9a and earlier, when
configured with the NoBanner setting, allows remote attackers to
determine the version number of the server via a request that
generates an HTTP 500 error code, which leaks the version in a
hard-coded error message.

Analysis
----------------
ED_PRI CAN-2002-0408 3
Vendor Acknowledgement: unknown discloser-claimed
Content Decisions: SF-LOC

ABSTRACTION: this has some overlap with CAN-2002-0245 item (2),
although different versions are affected.  These may be the same
underlying issue (a configuration or design problem in Domino) that
crosses multiple versions.

Voting Section
--------------
Possible votes: ACCEPT/MODIFY/NOOP/REVIEWING/RECAST/REJECT
If ACCEPT or MODIFY, include reason for acceptance:
  VERIFIED-BY-MY-ORG, ACKNOWLEDGED-BY-VENDOR, VERIFIED-BY-SOMEONE-I-TRUST,
  HAS-INDEPENDENT-CONFIRMATION, or provide other reason.

VOTE:
ACCEPT_REASON:

COMMENTS:

======================================================
Candidate: CAN-2002-0409
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2002-0409
Final-Decision:
Interim-Decision:
Modified:
Proposed: 20020611
Assigned: 20020607
Category: SF
Reference: BUGTRAQ:20020303 iBuySpy store hole
Reference: URL:http://marc.theaimsgroup.com/?l=bugtraq&m=101518860823788&w=2

orderdetails.aspx, as made available to Microsoft .NET developers as
example code and demonstrated on www.ibuyspystore.com, allows remote
attackers to view the orders of other users by modifying the OrderID
parameter.

Analysis
----------------
ED_PRI CAN-2002-0409 3
Vendor Acknowledgement:
Content Decisions: EX-ONLINE-SVC

INCLUSION: CD:EX-ONLINE-SVC normally recommends that online services
or application service providers be excluded from CVE. However, in
this case, the discloser claims that Microsoft "have encouraged
developers to view and copy the code for their own projects," which
makes this akin to a distribution of software to other parties.
Therefore this issue should be included in CVE.

Voting Section
--------------
Possible votes: ACCEPT/MODIFY/NOOP/REVIEWING/RECAST/REJECT
If ACCEPT or MODIFY, include reason for acceptance:
  VERIFIED-BY-MY-ORG, ACKNOWLEDGED-BY-VENDOR, VERIFIED-BY-SOMEONE-I-TRUST,
  HAS-INDEPENDENT-CONFIRMATION, or provide other reason.

VOTE:
ACCEPT_REASON:

COMMENTS:

======================================================
Candidate: CAN-2002-0410
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2002-0410
Final-Decision:
Interim-Decision:
Modified:
Proposed: 20020611
Assigned: 20020607
Category: SF
Reference: BUGTRAQ:20020303 AeroMail multiple vulnerabilities
Reference: URL:http://archives.neohapsis.com/archives/bugtraq/2002-03/0004.html
Reference: CONFIRM:http://the.cushman.net/projects/aeromail/download/aeromail-1.45.tar.gz
Reference: MISC:http://the.cushman.net/projects/aeromail/download/
Reference: XF:aeromail-obtain-files(8345)
Reference: URL:http://www.iss.net/security_center/static/8345.php
Reference: BID:4214
Reference: URL:http://www.securityfocus.com/bid/4214

send_message.php in AeroMail before 1.45 allows remote attackers to
read arbitrary files on the server, instead of just uploaded files,
via an attachment that modifies the filename to be uploaded.

Analysis
----------------
ED_PRI CAN-2002-0410 3
Vendor Acknowledgement: yes patch
Content Decisions: SF-LOC

ACKNOWLEDGEMENT: On the vendor download page, a brief change log for
version 1.45 says "Patched security holes," which is not clear enough
to be sure that the vendor is patching *this* vulnerability. However,
a look at line 25 of send_message.php indicates a call to a function
is_uploaded_file(), which is part of a conditional that determines if
a file should be attached. This function was NOT called in version
1.40 - the latest version available before 1.45 - based on a source
code comparison. Therefore, even though the written acknowledgement
from the vendor is vague, an examination of the source code indicates
a patch that would fix this problem.

Voting Section
--------------
Possible votes: ACCEPT/MODIFY/NOOP/REVIEWING/RECAST/REJECT
If ACCEPT or MODIFY, include reason for acceptance:
  VERIFIED-BY-MY-ORG, ACKNOWLEDGED-BY-VENDOR, VERIFIED-BY-SOMEONE-I-TRUST,
  HAS-INDEPENDENT-CONFIRMATION, or provide other reason.

VOTE:
ACCEPT_REASON:

COMMENTS:

======================================================
Candidate: CAN-2002-0411
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2002-0411
Final-Decision:
Interim-Decision:
Modified:
Proposed: 20020611
Assigned: 20020607
Category: SF
Reference: BUGTRAQ:20020303 AeroMail multiple vulnerabilities
Reference: URL:http://archives.neohapsis.com/archives/bugtraq/2002-03/0004.html
Reference: CONFIRM:http://the.cushman.net/projects/aeromail/download/aeromail-1.45.tar.gz
Reference: BID:4215
Reference: URL:http://www.securityfocus.com/bid/4215
Reference: XF:aeromail-subject-css(8346)
Reference: URL:http://www.iss.net/security_center/static/8346.php

Cross-site scripting vulnerability in message.php for AeroMail before
1.45 allows remote attackers to execute Javascript as an AeroMail user
via an email message with the script in the Subject line.

Analysis
----------------
ED_PRI CAN-2002-0411 3
Vendor Acknowledgement: yes patch
Content Decisions: SF-LOC

ACKNOWLEDGEMENT: On the vendor download page, a brief change log for
version 1.45 says "Patched security holes," which is not clear enough
to be sure that the vendor is patching *this* vulnerability. However,
a look at line 7 of message.php indicates a call to a function
htmlspecialchars() while building the subject. This function was NOT
called in version 1.40 - the latest version available before 1.45 -
based on a source code comparison. Therefore, even though the written
acknowledgement from the vendor is vague, an examination of the source
code indicates a patch that would fix this problem.

Voting Section
--------------
Possible votes: ACCEPT/MODIFY/NOOP/REVIEWING/RECAST/REJECT
If ACCEPT or MODIFY, include reason for acceptance:
  VERIFIED-BY-MY-ORG, ACKNOWLEDGED-BY-VENDOR, VERIFIED-BY-SOMEONE-I-TRUST,
  HAS-INDEPENDENT-CONFIRMATION, or provide other reason.

VOTE:
ACCEPT_REASON:

COMMENTS:

======================================================
Candidate: CAN-2002-0413
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2002-0413
Final-Decision:
Interim-Decision:
Modified:
Proposed: 20020611
Assigned: 20020607
Category: SF
Reference: BUGTRAQ:20020304 ReBB javascripts vulnerability
Reference: URL:http://online.securityfocus.com/archive/1/259464
Reference: BID:4220
Reference: URL:http://www.securityfocus.com/bid/4220
Reference: XF:rebb-img-css(8353)
Reference: URL:http://www.iss.net/security_center/static/8353.php

Cross-site scripting vulnerability in ReBB allows remote attackers to
execute arbitrary Javascript and steal cookies via an IMG tag whose
URL includes the malicious script.

Analysis
----------------
ED_PRI CAN-2002-0413 3
Vendor Acknowledgement:

Voting Section
--------------
Possible votes: ACCEPT/MODIFY/NOOP/REVIEWING/RECAST/REJECT
If ACCEPT or MODIFY, include reason for acceptance:
  VERIFIED-BY-MY-ORG, ACKNOWLEDGED-BY-VENDOR, VERIFIED-BY-SOMEONE-I-TRUST,
  HAS-INDEPENDENT-CONFIRMATION, or provide other reason.

VOTE:
ACCEPT_REASON:

COMMENTS:

======================================================
Candidate: CAN-2002-0415
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2002-0415
Final-Decision:
Interim-Decision:
Modified:
Proposed: 20020611
Assigned: 20020607
Category: SF
Reference: BUGTRAQ:20020302 RealPlayer bug
Reference: URL:http://www.securityfocus.com/archive/1/259333
Reference: BID:4221
Reference: URL:http://www.securityfocus.com/bid/4221
Reference: XF:realplayer-http-directory-traversal(8336)
Reference: URL:http://www.iss.net/security_center/static/8336.php

Directory traversal vulnerability in the web server used in RealPlayer
6.0.7, and possibly other versions, may allow local users to read
files that are accessible to RealPlayer via a .. (dot dot) in an HTTP
GET request to port 1275.

Analysis
----------------
ED_PRI CAN-2002-0415 3
Vendor Acknowledgement:

INCLUSION: followup discussions on Bugtraq indicate that RealPlayer
appears to limit access to localhost, which limits the problem to
local users only. Theoretically, such local users would have access to
all or most of the file system anyway. However, it is possible that
RealPlayer would have access to certain files that other users would
not; in addition, an attacker could read a raw device file to cause a
denial of service. Therefore, while the scope of this vulnerability
may be limited, there are certain scenarios in which an attacker may
be able to conduct unauthorized activities.

Voting Section
--------------
Possible votes: ACCEPT/MODIFY/NOOP/REVIEWING/RECAST/REJECT
If ACCEPT or MODIFY, include reason for acceptance:
  VERIFIED-BY-MY-ORG, ACKNOWLEDGED-BY-VENDOR, VERIFIED-BY-SOMEONE-I-TRUST,
  HAS-INDEPENDENT-CONFIRMATION, or provide other reason.

VOTE:
ACCEPT_REASON:

COMMENTS:

======================================================
Candidate: CAN-2002-0416
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2002-0416
Final-Decision:
Interim-Decision:
Modified:
Proposed: 20020611
Assigned: 20020607
Category: SF
Reference: BUGTRAQ:20020305 Buffer Overflows in sh39.com
Reference: URL:http://www.securityfocus.com/archive/1/259818
Reference: BID:4232
Reference: URL:http://www.securityfocus.com/bid/4232
Reference: XF:sh39-mailserver-dos(8379)
Reference: URL:http://www.iss.net/security_center/static/8379.php

Buffer overflow in SH39 MailServer 1.21 and earlier allows remote
attackers to cause a denial of service, and possibly execute arbitrary
code, via a long command to the SMTP port.

Analysis
----------------
ED_PRI CAN-2002-0416 3
Vendor Acknowledgement: unknown discloser-claimed

Voting Section
--------------
Possible votes: ACCEPT/MODIFY/NOOP/REVIEWING/RECAST/REJECT
If ACCEPT or MODIFY, include reason for acceptance:
  VERIFIED-BY-MY-ORG, ACKNOWLEDGED-BY-VENDOR, VERIFIED-BY-SOMEONE-I-TRUST,
  HAS-INDEPENDENT-CONFIRMATION, or provide other reason.

VOTE:
ACCEPT_REASON:

COMMENTS:

======================================================
Candidate: CAN-2002-0417
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2002-0417
Final-Decision:
Interim-Decision:
Modified:
Proposed: 20020611
Assigned: 20020607
Category: SF
Reference: BUGTRAQ:20020305 Endymion SakeMail and MailMan File Disclosure Vulnerability
Reference: URL:http://online.securityfocus.com/archive/1/259730
Reference: CONFIRM:http://www.endymion.com/products/mailman/history.htm
Reference: XF:mailman-alternate-templates-traversal(8357)
Reference: URL:http://www.iss.net/security_center/static/8357.php
Reference: BID:4222
Reference: URL:http://www.securityfocus.com/bid/4222

Directory traversal vulnerability in Endymion MailMan before 3.1
allows remote attackers to read arbitrary files via a .. (dot dot) and
a null character in the ALTERNATE_TEMPLATES parameter for various
mmstdo*.cgi programs.

Analysis
----------------
ED_PRI CAN-2002-0417 3
Vendor Acknowledgement: yes changelog
Content Decisions: SF-CODEBASE

ACKNOWLEDGEMENT: The history file for MailMan includes an item dated
March 6, 2002, which describes a "Minor security revision to prevent
file disclosure hole." ABSTRACTION: CD:SF-CODEBASE suggests performing
a SPLIT when there appear to be different bugs of the same type, in
different packages offered by the vendor. Therefore the MailMan and
SakeMail issues are kept separate. In addition, the bug has been fixed in
MailMan but not in SakeMail as of this writing.

Voting Section
--------------
Possible votes: ACCEPT/MODIFY/NOOP/REVIEWING/RECAST/REJECT
If ACCEPT or MODIFY, include reason for acceptance:
  VERIFIED-BY-MY-ORG, ACKNOWLEDGED-BY-VENDOR, VERIFIED-BY-SOMEONE-I-TRUST,
  HAS-INDEPENDENT-CONFIRMATION, or provide other reason.

VOTE:
ACCEPT_REASON:

COMMENTS:

======================================================
Candidate: CAN-2002-0418
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2002-0418
Final-Decision:
Interim-Decision:
Modified:
Proposed: 20020611
Assigned: 20020607
Category: SF
Reference: BUGTRAQ:20020305 Endymion SakeMail and MailMan File Disclosure Vulnerability
Reference: URL:http://online.securityfocus.com/archive/1/259730
Reference: BID:4223
Reference: URL:http://www.securityfocus.com/bid/4223
Reference: XF:sakemail-paramname-directory-traversal(8358)
Reference: URL:http://www.iss.net/security_center/static/8358.php

Directory traversal vulnerability in the
com.endymion.sake.servlet.mail.MailServlet servlet for Endymion
SakeMail 1.0.36 and earlier allows remote attackers to read arbitrary
files via a .. (dot dot) and a null character in the param_name
parameter.

Analysis
----------------
ED_PRI CAN-2002-0418 3
Vendor Acknowledgement: unknown
Content Decisions: SF-CODEBASE

ABSTRACTION: CD:SF-CODEBASE suggests performing a SPLIT when there
appear to be different bugs of the same type, in different packages
offered by the vendor. Therefore the MailMan and SakeMail issues are kept
separate. In addition, the bug has been fixed in MailMan but not in
SakeMail as of this writing.

Voting Section
--------------
Possible votes: ACCEPT/MODIFY/NOOP/REVIEWING/RECAST/REJECT
If ACCEPT or MODIFY, include reason for acceptance:
  VERIFIED-BY-MY-ORG, ACKNOWLEDGED-BY-VENDOR, VERIFIED-BY-SOMEONE-I-TRUST,
  HAS-INDEPENDENT-CONFIRMATION, or provide other reason.

VOTE:
ACCEPT_REASON:

COMMENTS:

======================================================
Candidate: CAN-2002-0419
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2002-0419
Final-Decision:
Interim-Decision:
Modified:
Proposed: 20020611
Assigned: 20020607
Category: SF
Reference: BUGTRAQ:20020305 Considerations for IIS Authentication (#NISR05032002C)
Reference: URL:http://marc.theaimsgroup.com/?l=bugtraq&m=101535399100534&w=2
Reference: XF:iis-authentication-error-messages(8382)
Reference: URL:http://www.iss.net/security_center/static/8382.php
Reference: BID:4235
Reference: URL:http://www.securityfocus.com/bid/4235

Information leaks in IIS 4 through 5.1 allow remote attackers to
obtain potentially sensitive information or more easily conduct brute
force attacks via responses from the server in which (1) the server
reveals whether it supports Basic or NTLM authentication through 401
Access Denied error messages, (2) in certain configurations, the
server IP address is provided as the realm for Basic authentication,
which could reveal real IP addresses that were obscured by NAT, or (3)
when NTLM authentication is used, the NetBIOS name of the server and
its Windows NT domain are revealed in response to an Authorization
request.

Analysis
----------------
ED_PRI CAN-2002-0419 3
Vendor Acknowledgement: no discloser claims dispute
Content Decisions: SF-LOC

ABSTRACTION: CD:SF-LOC suggests merging problems that are all the same
type. In this case, all these issues are information leaks. However,
information leaks are not well-studied as a class, and there may be
lower-level categories in which this item could be SPLIT. INCLUSION:
information leaks are an exposure. Therefore, this item should be
included in CVE.

Voting Section
--------------
Possible votes: ACCEPT/MODIFY/NOOP/REVIEWING/RECAST/REJECT
If ACCEPT or MODIFY, include reason for acceptance:
  VERIFIED-BY-MY-ORG, ACKNOWLEDGED-BY-VENDOR, VERIFIED-BY-SOMEONE-I-TRUST,
  HAS-INDEPENDENT-CONFIRMATION, or provide other reason.

VOTE:
ACCEPT_REASON:

COMMENTS:

======================================================
Candidate: CAN-2002-0420
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2002-0420
Final-Decision:
Interim-Decision:
Modified:
Proposed: 20020611
Assigned: 20020607
Category: SF
Reference: BUGTRAQ:20020305 PureTLS Security Announcement: Upgrade to 0.9b2
Reference: URL:http://archives.neohapsis.com/archives/bugtraq/2002-03/0056.html
Reference: BID:4237
Reference: URL:http://www.securityfocus.com/bid/4237
Reference: XF:puretls-injection-attack(8386)
Reference: URL:http://www.iss.net/security_center/static/8386.php

Vulnerability in PureTLS before 0.9b2 related to injection attacks,
which could possibly allow remote attackers to corrupt or hijack user
sessions.

Analysis
----------------
ED_PRI CAN-2002-0420 3
Vendor Acknowledgement: yes
Content Decisions: VAGUE

INCLUSION: CD:VAGUE suggests that even if a security issue is reported
by a vendor with no details, it should be included in CVE because
there is high confidence that the issue is real.

Voting Section
--------------
Possible votes: ACCEPT/MODIFY/NOOP/REVIEWING/RECAST/REJECT
If ACCEPT or MODIFY, include reason for acceptance:
  VERIFIED-BY-MY-ORG, ACKNOWLEDGED-BY-VENDOR, VERIFIED-BY-SOMEONE-I-TRUST,
  HAS-INDEPENDENT-CONFIRMATION, or provide other reason.

VOTE:
ACCEPT_REASON:

COMMENTS:

======================================================
Candidate: CAN-2002-0421
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2002-0421
Final-Decision:
Interim-Decision:
Modified:
Proposed: 20020611
Assigned: 20020607
Category: SF
Reference: BUGTRAQ:20020306 NT user (who is locked changing his/her password by administrator )  can bypass the security policy and Change the password.
Reference: URL:http://online.securityfocus.com/archive/1/259963
Reference: BID:4236
Reference: URL:http://www.securityfocus.com/bid/4236
Reference: XF:winnt-pw-policy-bypass(8388)
Reference: URL:http://www.iss.net/security_center/static/8388.php

IIS 4.0 allows local users to bypass the "User cannot change password"
policy for Windows NT by directly calling .htr password changing
programs in the /iisadmpwd directory, including (1) aexp2.htr, (2)
aexp2b.htr, (3) aexp3.htr, or (4) aexp4.htr.

Analysis
----------------
ED_PRI CAN-2002-0421 3
Vendor Acknowledgement: unknown discloser-claimed

Voting Section
--------------
Possible votes: ACCEPT/MODIFY/NOOP/REVIEWING/RECAST/REJECT
If ACCEPT or MODIFY, include reason for acceptance:
  VERIFIED-BY-MY-ORG, ACKNOWLEDGED-BY-VENDOR, VERIFIED-BY-SOMEONE-I-TRUST,
  HAS-INDEPENDENT-CONFIRMATION, or provide other reason.

VOTE:
ACCEPT_REASON:

COMMENTS:

======================================================
Candidate: CAN-2002-0422
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2002-0422
Final-Decision:
Interim-Decision:
Modified:
Proposed: 20020611
Assigned: 20020607
Category: SF
Reference: BUGTRAQ:20020305 IIS Internal IP Address Disclosure (#NISR05032002B)
Reference: URL:http://marc.theaimsgroup.com/?l=bugtraq&m=101536634207324&w=2
Reference: NTBUGTRAQ:20020305 IIS Internal IP Address Disclosure (#NISR05032002B)
Reference: URL:http://marc.theaimsgroup.com/?l=ntbugtraq&m=101535147125320&w=2

IIS 5 and 5.1 supporting WebDAV methods allows remote attackers to
determine the internal IP address of the system (which may be obscured
by NAT) via (1) a PROPFIND HTTP request with a blank Host header,
which leaks the address in an HREF property in a 207 Multi-Status
response, or (2) via the WRITE or MKCOL method, which leaks the IP in
the Location server header.

Analysis
----------------
ED_PRI CAN-2002-0422 3
Vendor Acknowledgement:
Content Decisions: SF-LOC

ABSTRACTION: CD:SF-LOC suggests a SPLIT when problems appear in
different versions. This information leak appears only in IIS 5.0 and
above, whereas the Basic/NTLM leaks were also in IIS 4.0. Therefore
these 2 items should be SPLIT.

Voting Section
--------------
Possible votes: ACCEPT/MODIFY/NOOP/REVIEWING/RECAST/REJECT
If ACCEPT or MODIFY, include reason for acceptance:
  VERIFIED-BY-MY-ORG, ACKNOWLEDGED-BY-VENDOR, VERIFIED-BY-SOMEONE-I-TRUST,
  HAS-INDEPENDENT-CONFIRMATION, or provide other reason.

VOTE:
ACCEPT_REASON:

COMMENTS:

======================================================
Candidate: CAN-2002-0425
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2002-0425
Final-Decision:
Interim-Decision:
Modified:
Proposed: 20020611
Assigned: 20020607
Category: SF
Reference: BUGTRAQ:20020306 mIRC DCC Server Security Flaw
Reference: URL:http://online.securityfocus.com/archive/1/260244
Reference: XF:mirc-dcc-reveal-info(8393)
Reference: URL:http://www.iss.net/security_center/static/8393.php
Reference: BID:4247
Reference: URL:http://www.securityfocus.com/bid/4247

mIRC DCC server protocol allows remote attackers to gain sensitive
information such as alternate IRC nicknames via a "100 testing"
message in a DCC connection request that cannot be ignored or canceled
by the user, which may leak the alternate nickname in a response
message.

Analysis
----------------
ED_PRI CAN-2002-0425 3
Vendor Acknowledgement:

Voting Section
--------------
Possible votes: ACCEPT/MODIFY/NOOP/REVIEWING/RECAST/REJECT
If ACCEPT or MODIFY, include reason for acceptance:
  VERIFIED-BY-MY-ORG, ACKNOWLEDGED-BY-VENDOR, VERIFIED-BY-SOMEONE-I-TRUST,
  HAS-INDEPENDENT-CONFIRMATION, or provide other reason.

VOTE:
ACCEPT_REASON:

COMMENTS:

======================================================
Candidate: CAN-2002-0426
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2002-0426
Final-Decision:
Interim-Decision:
Modified:
Proposed: 20020611
Assigned: 20020607
Category: SF
Reference: BUGTRAQ:20020308 Linksys BEFVP41 VPN Server does not follow proper VPN standards
Reference: URL:http://online.securityfocus.com/archive/1/260613
Reference: MISC:ftp://ftp.linksys.com/pub/befsr41/befvp41-1402.zip
Reference: XF:linksys-etherfast-weak-encryption(8397)
Reference: URL:http://www.iss.net/security_center/static/8397.php
Reference: BID:4250
Reference: URL:http://www.securityfocus.com/bid/4250

VPN Server module in Linksys EtherFast BEFVP41 Cable/DSL VPN Router
before 1.40.1 reduces the key lengths for keys that are supplied via
manual key entry, which makes it easier for attackers to crack the
keys.

Analysis
----------------
ED_PRI CAN-2002-0426 3
Vendor Acknowledgement: unknown vague
Content Decisions: DESIGN-WEAK-ENCRYPTION

ACKNOWLEDGEMENT: the vendor has provided *some* patch, but it's not
clear whether it addresses this vulnerability. The history.txt file in
the patch includes an item dated 2002-03-01 that says "In Manual
Keying option, the maximum phrase length of Encryption Key is changed
from 23 to 24 characters." However, this item specifically talks about
the phrase length and not the key length, and the number of characters
is not consistent with what the original discloser said. Therefore
there is insufficient information to be certain that the patch
addresses this vulnerability.

Voting Section
--------------
Possible votes: ACCEPT/MODIFY/NOOP/REVIEWING/RECAST/REJECT
If ACCEPT or MODIFY, include reason for acceptance:
  VERIFIED-BY-MY-ORG, ACKNOWLEDGED-BY-VENDOR, VERIFIED-BY-SOMEONE-I-TRUST,
  HAS-INDEPENDENT-CONFIRMATION, or provide other reason.

VOTE:
ACCEPT_REASON:

COMMENTS:

======================================================
Candidate: CAN-2002-0427
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2002-0427
Final-Decision:
Interim-Decision:
Modified:
Proposed: 20020611
Assigned: 20020607
Category: SF
Reference: MANDRAKE:MDKSA-2002:021
Reference: URL:http://www.linux-mandrake.com/en/security/2002/MDKSA-2002-021.php
Reference: FREEBSD:FreeBSD-SA-02:17
Reference: URL:ftp://ftp.FreeBSD.org/pub/FreeBSD/CERT/advisories/FreeBSD-SA-02:17.mod_frontpage.asc
Reference: BID:4251
Reference: URL:http://www.securityfocus.com/bid/4251
Reference: XF:apache-modfrontpage-bo(8400)
Reference: URL:http://www.iss.net/security_center/static/8400.php

Buffer overflows in fpexec in mod_frontpage before 1.6.1 may allow
attackers to gain root privileges.

Analysis
----------------
ED_PRI CAN-2002-0427 3
Vendor Acknowledgement: yes advisory
Content Decisions: SF-LOC

ACCURACY: the Mandrake advisory says the problem is remote, but the
FreeBSD advisory says the issue is local.

Voting Section
--------------
Possible votes: ACCEPT/MODIFY/NOOP/REVIEWING/RECAST/REJECT
If ACCEPT or MODIFY, include reason for acceptance:
  VERIFIED-BY-MY-ORG, ACKNOWLEDGED-BY-VENDOR, VERIFIED-BY-SOMEONE-I-TRUST,
  HAS-INDEPENDENT-CONFIRMATION, or provide other reason.

VOTE:
ACCEPT_REASON:

COMMENTS:

======================================================
Candidate: CAN-2002-0428
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2002-0428
Final-Decision:
Interim-Decision:
Modified:
Proposed: 20020611
Assigned: 20020607
Category: SF
Reference: BUGTRAQ:20020308 Checkpoint FW1 SecuRemote/SecureClient "re-authentication" (client side hacks of users.C)
Reference: URL:http://online.securityfocus.com/archive/1/260662
Reference: BID:4253
Reference: URL:http://www.securityfocus.com/bid/4253
Reference: XF:fw1-authentication-bypass-timeouts(8423)
Reference: URL:http://www.iss.net/security_center/static/8423.php

Check Point FireWall-1 SecuRemote/SecureClient 4.0 and 4.1 allows
clients to bypass the "authentication timeout" by modifying the
to_expire or expire values in the client's users.C configuration file.

Analysis
----------------
ED_PRI CAN-2002-0428 3
Vendor Acknowledgement: unknown discloser-claimed

ACKNOWLEDGEMENT: the original post includes an email attachment that
is said to have come from Check Point, but that is not clear enough
proof that the vendor has publicly acknowledged the issue.

Voting Section
--------------
Possible votes: ACCEPT/MODIFY/NOOP/REVIEWING/RECAST/REJECT
If ACCEPT or MODIFY, include reason for acceptance:
  VERIFIED-BY-MY-ORG, ACKNOWLEDGED-BY-VENDOR, VERIFIED-BY-SOMEONE-I-TRUST,
  HAS-INDEPENDENT-CONFIRMATION, or provide other reason.

VOTE:
ACCEPT_REASON:

COMMENTS:

======================================================
Candidate: CAN-2002-0430
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2002-0430
Final-Decision:
Interim-Decision:
Modified:
Proposed: 20020611
Assigned: 20020607
Category: SF
Reference: BUGTRAQ:20020308 Remote Cobalt Raq XTR vulns
Reference: URL:http://archives.neohapsis.com/archives/bugtraq/2002-03/0081.html
Reference: BID:4252
Reference: URL:http://online.securityfocus.com/bid/4252

MultiFileUploadHandler.php in the Sun Cobalt RaQ XTR administration
interface allows local users to bypass authentication and overwrite
arbitrary files via a symlink attack on a temporary file, followed by
a request to MultiFileUpload.php.

Analysis
----------------
ED_PRI CAN-2002-0430 3
Vendor Acknowledgement:
Content Decisions: SF-LOC

ABSTRACTION: CD:SF-LOC suggests performing a SPLIT of different types
of vulnerabilities. This is an example of a "compound" vulnerability
in which the lack of authentication plays a role in making it easier
for attackers to conduct a symlink attack, but it is not clear whether
adding authentication would fix the symlink problem.

Voting Section
--------------
Possible votes: ACCEPT/MODIFY/NOOP/REVIEWING/RECAST/REJECT
If ACCEPT or MODIFY, include reason for acceptance:
  VERIFIED-BY-MY-ORG, ACKNOWLEDGED-BY-VENDOR, VERIFIED-BY-SOMEONE-I-TRUST,
  HAS-INDEPENDENT-CONFIRMATION, or provide other reason.

VOTE:
ACCEPT_REASON:

COMMENTS:

======================================================
Candidate: CAN-2002-0431
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2002-0431
Final-Decision:
Interim-Decision:
Modified:
Proposed: 20020611
Assigned: 20020607
Category: SF
Reference: BUGTRAQ:20020309 xtux server DoS.
Reference: URL:http://online.securityfocus.com/archive/1/260912
Reference: MISC:https://sourceforge.net/tracker/index.php?func=detail&aid=529046&group_id=206&atid=100206
Reference: BID:4260
Reference: URL:http://www.securityfocus.com/bid/4260
Reference: XF:xtux-server-dos(8422)
Reference: URL:http://www.iss.net/security_center/static/8422.php

XTux allows remote attackers to cause a denial of service (CPU
consumption) via random inputs in the initial connection.

Analysis
----------------
ED_PRI CAN-2002-0431 3
Vendor Acknowledgement:

ACKNOWLEDGEMENT: as of this writing (20020514), a bug report was filed
on 20020319, but the vendor had not responded.

Voting Section
--------------
Possible votes: ACCEPT/MODIFY/NOOP/REVIEWING/RECAST/REJECT
If ACCEPT or MODIFY, include reason for acceptance:
  VERIFIED-BY-MY-ORG, ACKNOWLEDGED-BY-VENDOR, VERIFIED-BY-SOMEONE-I-TRUST,
  HAS-INDEPENDENT-CONFIRMATION, or provide other reason.

VOTE:
ACCEPT_REASON:

COMMENTS:

======================================================
Candidate: CAN-2002-0432
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2002-0432
Final-Decision:
Interim-Decision:
Modified:
Proposed: 20020611
Assigned: 20020607
Category: SF
Reference: BUGTRAQ:20020309 Citadel/UX Server Remote DoS attack Vulnerability
Reference: URL:http://online.securityfocus.com/archive/1/260934
Reference: CONFIRM:http://uncensored.citadel.org/pub/citadel/citadel-ux-5.91.tar.gz
Reference: XF:citadel-helo-bo(8426)
Reference: URL:http://www.iss.net/security_center/static/8426.php
Reference: BID:4263
Reference: URL:http://www.securityfocus.com/bid/4263

Buffer overflow in (1) lprintf and (2) cprintf in sysdep.c of
Citadel/UX 5.90 and earlier allows remote attackers to cause a denial
of service (crash) and possibly execute arbitrary code via attacks
such as a long HELO command to the SMTP server.

Analysis
----------------
ED_PRI CAN-2002-0432 3
Vendor Acknowledgement: yes changelog
Content Decisions: SF-LOC, SF-EXEC

ABSTRACTION: CD:SF-LOC and CD:SF-EXEC suggest combining problems of
the same type that appear in the same version, so the lprintf and
cprintf overflows are combined.
ACKNOWLEDGEMENT: in the vendor ChangeLog, the comments for Revision
590.134, dated 2002/03/09, state "Applied a patch submitted by [the
Bugtraq poster] to fix a potential buffer overflow problem in
lprintf(). I also did the same fix to cprintf()."

Voting Section
--------------
Possible votes: ACCEPT/MODIFY/NOOP/REVIEWING/RECAST/REJECT
If ACCEPT or MODIFY, include reason for acceptance:
  VERIFIED-BY-MY-ORG, ACKNOWLEDGED-BY-VENDOR, VERIFIED-BY-SOMEONE-I-TRUST,
  HAS-INDEPENDENT-CONFIRMATION, or provide other reason.

VOTE:
ACCEPT_REASON:

COMMENTS:

======================================================
Candidate: CAN-2002-0443
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2002-0443
Final-Decision:
Interim-Decision:
Modified:
Proposed: 20020611
Assigned: 20020607
Category: SF
Reference: BUGTRAQ:20020307 Windows 2000 password policy bypass possibility
Reference: URL:http://online.securityfocus.com/archive/1/260704
Reference: XF:win2k-password-bypass-policy(8402)
Reference: URL:http://www.iss.net/security_center/static/8402.php
Reference: BID:4256
Reference: URL:http://www.securityfocus.com/bid/4256

Microsoft Windows 2000 allows local users to bypass the policy that
prohibits reusing old passwords by changing the current password
before it expires, which does not enable the check for previous
passwords.

Analysis
----------------
ED_PRI CAN-2002-0443 3
Vendor Acknowledgement:

Voting Section
--------------
Possible votes: ACCEPT/MODIFY/NOOP/REVIEWING/RECAST/REJECT
If ACCEPT or MODIFY, include reason for acceptance:
  VERIFIED-BY-MY-ORG, ACKNOWLEDGED-BY-VENDOR, VERIFIED-BY-SOMEONE-I-TRUST,
  HAS-INDEPENDENT-CONFIRMATION, or provide other reason.

VOTE:
ACCEPT_REASON:

COMMENTS:

======================================================
Candidate: CAN-2002-0444
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2002-0444
Final-Decision:
Interim-Decision:
Modified:
Proposed: 20020611
Assigned: 20020607
Category: SF
Reference: BUGTRAQ:20020408 Vulnerability: Windows2000Server running Terminalservices
Reference: URL:http://www.securityfocus.com/archive/1/266729
Reference: BID:4464
Reference: URL:http://www.securityfocus.com/bid/4464
Reference: XF:win2k-terminal-bypass-policies(8813)
Reference: URL:http://www.iss.net/security_center/static/8813.php

Microsoft Windows 2000 running the Terminal Server 90-day trial
version, and possibly other versions, does not apply group policies to
incoming users when the number of connections to the SYSVOL share
exceeds the maximum, e.g. with a maximum number of licenses, which can
allow remote authenticated users to bypass group policies.

Analysis
----------------
ED_PRI CAN-2002-0444 3
Vendor Acknowledgement:

Voting Section
--------------
Possible votes: ACCEPT/MODIFY/NOOP/REVIEWING/RECAST/REJECT
If ACCEPT or MODIFY, include reason for acceptance:
  VERIFIED-BY-MY-ORG, ACKNOWLEDGED-BY-VENDOR, VERIFIED-BY-SOMEONE-I-TRUST,
  HAS-INDEPENDENT-CONFIRMATION, or provide other reason.

VOTE:
ACCEPT_REASON:

COMMENTS:

======================================================
Candidate: CAN-2002-0447
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2002-0447
Final-Decision:
Interim-Decision:
Modified:
Proposed: 20020611
Assigned: 20020607
Category: SF
Reference: BUGTRAQ:20020308 Xerver-2.10-File-Disclousure&DoS-attack
Reference: URL:http://archives.neohapsis.com/archives/bugtraq/2002-03/0091.html
Reference: BUGTRAQ:20020312 Xerver Free Web Server 2.10 file Disclosure & DoS PATCH (update version)
Reference: URL:http://archives.neohapsis.com/archives/bugtraq/2002-03/0155.html
Reference: XF:xerver-dot-directory-traversal(8421)
Reference: URL:http://www.iss.net/security_center/static/8421.php
Reference: BID:4255
Reference: URL:http://www.securityfocus.com/bid/4255

Directory traversal vulnerability in Xerver Free Web Server 2.10 and
earlier allows remote attackers to list arbitrary directories via a ..
(dot dot) in an HTTP GET request.

Analysis
----------------
ED_PRI CAN-2002-0447 3
Vendor Acknowledgement: yes followup
Content Decisions: SF-LOC

Voting Section
--------------
Possible votes: ACCEPT/MODIFY/NOOP/REVIEWING/RECAST/REJECT
If ACCEPT or MODIFY, include reason for acceptance:
  VERIFIED-BY-MY-ORG, ACKNOWLEDGED-BY-VENDOR, VERIFIED-BY-SOMEONE-I-TRUST,
  HAS-INDEPENDENT-CONFIRMATION, or provide other reason.

VOTE:
ACCEPT_REASON:

COMMENTS:

======================================================
Candidate: CAN-2002-0448
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2002-0448
Final-Decision:
Interim-Decision:
Modified:
Proposed: 20020611
Assigned: 20020607
Category: SF
Reference: BUGTRAQ:20020308 Xerver-2.10-File-Disclousure&DoS-attack
Reference: URL:http://archives.neohapsis.com/archives/bugtraq/2002-03/0091.html
Reference: BUGTRAQ:20020312 Xerver Free Web Server 2.10 file Disclosure & DoS PATCH (update version)
Reference: URL:http://archives.neohapsis.com/archives/bugtraq/2002-03/0155.html
Reference: XF:xerver-multiple-request-dos(8419)
Reference: URL:http://www.iss.net/security_center/static/8419.php
Reference: BID:4254
Reference: URL:http://www.securityfocus.com/bid/4254

Xerver Free Web Server 2.10 and earlier allows remote attackers to
cause a denial of service (crash) via an HTTP request that contains
many "C:/" sequences.

Analysis
----------------
ED_PRI CAN-2002-0448 3
Vendor Acknowledgement: yes followup
Content Decisions: SF-LOC

Voting Section
--------------
Possible votes: ACCEPT/MODIFY/NOOP/REVIEWING/RECAST/REJECT
If ACCEPT or MODIFY, include reason for acceptance:
  VERIFIED-BY-MY-ORG, ACKNOWLEDGED-BY-VENDOR, VERIFIED-BY-SOMEONE-I-TRUST,
  HAS-INDEPENDENT-CONFIRMATION, or provide other reason.

VOTE:
ACCEPT_REASON:

COMMENTS:

======================================================
Candidate: CAN-2002-0449
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2002-0449
Final-Decision:
Interim-Decision:
Modified:
Proposed: 20020611
Assigned: 20020607
Category: SF
Reference: BUGTRAQ:20020305 Buffer Overrun in Talentsoft's Web+ (#NISR01032002A)
Reference: URL:http://marc.theaimsgroup.com/?l=bugtraq&m=101535141925150&w=2
Reference: CONFIRM:http://www.talentsoft.com/Issues/IssueDetail.wml?ID=WP943
Reference: BID:4233
Reference: URL:http://www.securityfocus.com/bid/4233
Reference: XF:webplus-webpsvc-bo(8361)
Reference: URL:http://www.iss.net/security_center/static/8361.php

Buffer overflow in webpsvc.exe for Talentsoft Web+ 5.0 and earlier
allows remote attackers to execute arbitrary code via a long argument to
the webplus.exe program, which triggers the overflow in webpsvc.exe.

Analysis
----------------
ED_PRI CAN-2002-0449 3
Vendor Acknowledgement: yes
Content Decisions: SF-LOC

ACKNOWLEDGEMENT: A knowledge base article on the vendor web site says
"Security Issue: An ultra long url can cause the Web+ server to crash
by overflowing an unchecked buffer. An attacker can use this to harm
your system."
ABSTRACTION: CD:SF-LOC suggests that if 2 vulnerabilities of the same
type appear in the same product, then they should be SPLIT if they
appear in different versions. Since the webpsvc.exe overflow was
fixed, followed by a new patch for the WML issue, these should remain
SPLIT.

Voting Section
--------------
Possible votes: ACCEPT/MODIFY/NOOP/REVIEWING/RECAST/REJECT
If ACCEPT or MODIFY, include reason for acceptance:
  VERIFIED-BY-MY-ORG, ACKNOWLEDGED-BY-VENDOR, VERIFIED-BY-SOMEONE-I-TRUST,
  HAS-INDEPENDENT-CONFIRMATION, or provide other reason.

VOTE:
ACCEPT_REASON:

COMMENTS:

======================================================
Candidate: CAN-2002-0450
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2002-0450
Final-Decision:
Interim-Decision:
Modified:
Proposed: 20020611
Assigned: 20020607
Category: SF
Reference: BUGTRAQ:20020313 2nd Buffer Overflow in Talentsoft's Web+ (#NISR13032002)
Reference: URL:http://www.securityfocus.com/archive/1/261658
Reference: CONFIRM:http://www.talentsoft.com/Issues/IssueDetail.wml?ID=WP943
Reference: BID:4282
Reference: URL:http://www.securityfocus.com/bid/4282

Buffer overflow in Talentsoft Web+ 5.0 and earlier allows remote
attackers to execute arbitrary code via a long Web Markup Language
(wml) file name to (1) webplus.dll or (2) webplus.exe.

Analysis
----------------
ED_PRI CAN-2002-0450 3
Vendor Acknowledgement: yes
Content Decisions: SF-LOC

ACKNOWLEDGEMENT: A knowledge base article on the vendor web site says
"Security Issue: An ultra long url can cause the Web+ server to crash
by overflowing an unchecked buffer. An attacker can use this to harm
your system."
ABSTRACTION: CD:SF-LOC suggests that if 2 vulnerabilities of the same
type appear in the same product, then they should be SPLIT if they
appear in different versions. Since there was a period of time when
the webpsvc.exe overflow was fixed, but the WML was not, these should
remain SPLIT.

Voting Section
--------------
Possible votes: ACCEPT/MODIFY/NOOP/REVIEWING/RECAST/REJECT
If ACCEPT or MODIFY, include reason for acceptance:
  VERIFIED-BY-MY-ORG, ACKNOWLEDGED-BY-VENDOR, VERIFIED-BY-SOMEONE-I-TRUST,
  HAS-INDEPENDENT-CONFIRMATION, or provide other reason.

VOTE:
ACCEPT_REASON:

COMMENTS:

======================================================
Candidate: CAN-2002-0502
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2002-0502
Final-Decision:
Interim-Decision:
Modified:
Proposed: 20020611
Assigned: 20020607
Category: SF
Reference: BUGTRAQ:20020123 RE: Citrix NFuse 1.6
Reference: URL:http://www.securityfocus.com/archive/1/251923
Reference: BUGTRAQ:20020122 Citrix NFuse 1.6
Reference: URL:http://www.securityfocus.com/archive/1/251737
Reference: XF:nfuse-applist-information-disclosure(7984)
Reference: URL:http://xforce.iss.net/static/7984.php
Reference: BID:3926
Reference: URL:http://www.securityfocus.com/bid/3926

Citrix NFuse 1.6 may allow remote attackers to list applications
without authentication by accessing the applist.asp page.

Analysis
----------------
ED_PRI CAN-2002-0502 3
Vendor Acknowledgement: no disputed

INCLUSION: Followup posts indicate that the original report may have
been in error, and that the original discloser may have already had a
session cookie enabled within their browser. If this is the case, then
there is not really an issue in NFuse itself, so perhaps this item
should be excluded from CVE.

Voting Section
--------------
Possible votes: ACCEPT/MODIFY/NOOP/REVIEWING/RECAST/REJECT
If ACCEPT or MODIFY, include reason for acceptance:
  VERIFIED-BY-MY-ORG, ACKNOWLEDGED-BY-VENDOR, VERIFIED-BY-SOMEONE-I-TRUST,
  HAS-INDEPENDENT-CONFIRMATION, or provide other reason.

VOTE:
ACCEPT_REASON:

COMMENTS:

======================================================
Candidate: CAN-2002-0559
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2002-0559
Final-Decision:
Interim-Decision:
Modified:
Proposed: 20020611
Assigned: 20020607
Category: SF
Reference: BUGTRAQ:20020206 Multiple Buffer Overflows in Oracle 9iAS
Reference: URL:http://online.securityfocus.com/archive/1/254426
Reference: CERT:CA-2002-08
Reference: URL:http://www.cert.org/advisories/CA-2002-08.html
Reference: CERT-VN:VU#750299
Reference: URL:http://www.kb.cert.org/vuls/id/750299
Reference: CERT-VN:VU#878603
Reference: URL:http://www.kb.cert.org/vuls/id/878603
Reference: CERT-VN:VU#659043
Reference: URL:http://www.kb.cert.org/vuls/id/659043
Reference: CERT-VN:VU#313280
Reference: URL:http://www.kb.cert.org/vuls/id/313280
Reference: CERT-VN:VU#923395
Reference: URL:http://www.kb.cert.org/vuls/id/923395
Reference: CONFIRM:http://otn.oracle.com/deploy/security/pdf/ias_modplsql_alert.pdf
Reference: MISC:http://www.nextgenss.com/papers/hpoas.pdf
Reference: XF:oracle-appserver-plsql-adddad-bo(8098)
Reference: URL:http://xforce.iss.net/static/8098.php
Reference: XF:oracle-appserver-plsql-bo(8095)
Reference: URL:http://xforce.iss.net/static/8095.php
Reference: XF:oracle-appserver-plsql-cache-bo(8097)
Reference: URL:http://xforce.iss.net/static/8097.php
Reference: XF:oracle-appserver-plsql-authclient-bo(8096)
Reference: URL:http://xforce.iss.net/static/8096.php
Reference: BID:4032
Reference: URL:http://www.securityfocus.com/bid/4032

Buffer overflows in PL/SQL module 3.0.9.8.2 in Oracle 9i Application
Server 1.0.2.x allow remote attackers to cause a denial of service or
execute arbitrary code via (1) a long help page request without a
dadname, which overflows the resulting HTTP Location header, (2) a
long HTTP request to the plsql module, (3) a long password in the HTTP
Authorization header, (4) a long Database Access Descriptor (DAD)
password in the adddad form, or (5) a long cache directory name.

Analysis
----------------
ED_PRI CAN-2002-0559 3
Vendor Acknowledgement: yes advisory
Content Decisions: SF-LOC

ABSTRACTION: CD:SF-LOC suggests MERGING problems of the same type that
appear in the same version. All of these issues were fixed in the same
version, so they are combined.

Voting Section
--------------
Possible votes: ACCEPT/MODIFY/NOOP/REVIEWING/RECAST/REJECT
If ACCEPT or MODIFY, include reason for acceptance:
  VERIFIED-BY-MY-ORG, ACKNOWLEDGED-BY-VENDOR, VERIFIED-BY-SOMEONE-I-TRUST,
  HAS-INDEPENDENT-CONFIRMATION, or provide other reason.

VOTE:
ACCEPT_REASON:

COMMENTS:

======================================================
Candidate: CAN-2002-0560
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2002-0560
Final-Decision:
Interim-Decision:
Modified:
Proposed: 20020611
Assigned: 20020607
Category: SF
Reference: BUGTRAQ:20020206 Hackproofing Oracle Application Server paper
Reference: URL:http://marc.theaimsgroup.com/?l=bugtraq&m=101301813117562&w=2
Reference: MISC:http://www.nextgenss.com/papers/hpoas.pdf
Reference: CERT:CA-2002-08
Reference: URL:http://www.cert.org/advisories/CA-2002-08.html
Reference: CERT-VN:VU#307835
Reference: URL:http://www.kb.cert.org/vuls/id/307835
Reference: CONFIRM:http://otn.oracle.com/deploy/security/pdf/ias_modplsql_alert.pdf
Reference: BID:4294
Reference: URL:http://www.securityfocus.com/bid/4294

PL/SQL module 3.0.9.8.2 in Oracle 9i Application Server 1.0.2.x allows
remote attackers to obtain sensitive information via the OWA_UTIL
stored procedures (1) OWA_UTIL.signature, (2) OWA_UTIL.listprint, or
(3) OWA_UTIL.show_query_columns.

Analysis
----------------
ED_PRI CAN-2002-0560 3
Vendor Acknowledgement: yes advisory
Content Decisions: SF-LOC

ABSTRACTION: CD:SF-LOC suggests MERGING problems of the same type that
appear in the same version. All of these issues were fixed in the same
version, so they are combined.

Voting Section
--------------
Possible votes: ACCEPT/MODIFY/NOOP/REVIEWING/RECAST/REJECT
If ACCEPT or MODIFY, include reason for acceptance:
  VERIFIED-BY-MY-ORG, ACKNOWLEDGED-BY-VENDOR, VERIFIED-BY-SOMEONE-I-TRUST,
  HAS-INDEPENDENT-CONFIRMATION, or provide other reason.

VOTE:
ACCEPT_REASON:

COMMENTS:

======================================================
Candidate: CAN-2002-0561
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2002-0561
Final-Decision:
Interim-Decision:
Modified:
Proposed: 20020611
Assigned: 20020607
Category: SF
Reference: BUGTRAQ:20020206 Hackproofing Oracle Application Server paper
Reference: URL:http://marc.theaimsgroup.com/?l=bugtraq&m=101301813117562&w=2
Reference: CERT-VN:VU#611776
Reference: URL:http://www.kb.cert.org/vuls/id/611776
Reference: CERT:CA-2002-08
Reference: URL:http://www.cert.org/advisories/CA-2002-08.html
Reference: CONFIRM:http://otn.oracle.com/deploy/security/pdf/ias_modplsql_alert.pdf
Reference: MISC:http://www.nextgenss.com/papers/hpoas.pdf
Reference: BID:4292
Reference: URL:http://www.securityfocus.com/bid/4292

The default configuration of the PL/SQL Gateway web administration
interface in Oracle 9i Application Server 1.0.2.x uses null
authentication, which allows remote attackers to gain privileges and
modify DAD settings.

Analysis
----------------
ED_PRI CAN-2002-0561 3
Vendor Acknowledgement: yes advisory
Content Decisions: SF-LOC

Voting Section
--------------
Possible votes: ACCEPT/MODIFY/NOOP/REVIEWING/RECAST/REJECT
If ACCEPT or MODIFY, include reason for acceptance:
  VERIFIED-BY-MY-ORG, ACKNOWLEDGED-BY-VENDOR, VERIFIED-BY-SOMEONE-I-TRUST,
  HAS-INDEPENDENT-CONFIRMATION, or provide other reason.

VOTE:
ACCEPT_REASON:

COMMENTS:

======================================================
Candidate: CAN-2002-0562
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2002-0562
Final-Decision:
Interim-Decision:
Modified:
Proposed: 20020611
Assigned: 20020607
Category: SF
Reference: BUGTRAQ:20020206 JSP translation file access under Oracle 9iAS
Reference: URL:http://marc.theaimsgroup.com/?l=bugtraq&m=101301440005580&w=2
Reference: CERT:CA-2002-08
Reference: URL:http://www.cert.org/advisories/CA-2002-08.html
Reference: CERT-VN:VU#698467
Reference: URL:http://www.kb.cert.org/vuls/id/698467
Reference: CONFIRM:http://otn.oracle.com/deploy/security/pdf/ias_modplsql_alert.pdf
Reference: BID:4034
Reference: URL:http://www.securityfocus.com/bid/4034

The default configuration of Oracle 9i Application Server 1.0.2.x
running Oracle JSP or SQLJSP stores globals.jsa under the web root,
which allows remote attackers to gain sensitive information including
usernames and passwords via a direct HTTP request to globals.jsa.

Analysis
----------------
ED_PRI CAN-2002-0562 3
Vendor Acknowledgement: yes advisory
Content Decisions: SF-LOC

Voting Section
--------------
Possible votes: ACCEPT/MODIFY/NOOP/REVIEWING/RECAST/REJECT
If ACCEPT or MODIFY, include reason for acceptance:
  VERIFIED-BY-MY-ORG, ACKNOWLEDGED-BY-VENDOR, VERIFIED-BY-SOMEONE-I-TRUST,
  HAS-INDEPENDENT-CONFIRMATION, or provide other reason.

VOTE:
ACCEPT_REASON:

COMMENTS:

======================================================
Candidate: CAN-2002-0563
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2002-0563
Final-Decision:
Interim-Decision:
Modified:
Proposed: 20020611
Assigned: 20020607
Category: CF
Reference: BUGTRAQ:20020206 Hackproofing Oracle Application Server paper
Reference: URL:http://marc.theaimsgroup.com/?l=bugtraq&m=101301813117562&w=2
Reference: CERT:CA-2002-08
Reference: URL:http://www.cert.org/advisories/CA-2002-08.html
Reference: CERT-VN:VU#168795
Reference: URL:http://www.kb.cert.org/vuls/id/168795
Reference: CONFIRM:http://otn.oracle.com/deploy/security/pdf/ias_modplsql_alert.pdf
Reference: MISC:http://www.nextgenss.com/papers/hpoas.pdf
Reference: BID:4293
Reference: URL:http://www.securityfocus.com/bid/4293

The default configuration of Oracle 9i Application Server 1.0.2.x
allows remote anonymous users to access sensitive services without
authentication, including Dynamic Monitoring Services.

Analysis
----------------
ED_PRI CAN-2002-0563 3
Vendor Acknowledgement: yes advisory
Content Decisions: SF-LOC

Voting Section
--------------
Possible votes: ACCEPT/MODIFY/NOOP/REVIEWING/RECAST/REJECT
If ACCEPT or MODIFY, include reason for acceptance:
  VERIFIED-BY-MY-ORG, ACKNOWLEDGED-BY-VENDOR, VERIFIED-BY-SOMEONE-I-TRUST,
  HAS-INDEPENDENT-CONFIRMATION, or provide other reason.

VOTE:
ACCEPT_REASON:

COMMENTS:

======================================================
Candidate: CAN-2002-0564
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2002-0564
Final-Decision:
Interim-Decision:
Modified:
Proposed: 20020611
Assigned: 20020607
Category: SF
Reference: BUGTRAQ:20020206 Hackproofing Oracle Application Server paper
Reference: URL:http://marc.theaimsgroup.com/?l=bugtraq&m=101301813117562&w=2
Reference: CERT-VN:VU#193523
Reference: URL:http://www.kb.cert.org/vuls/id/193523
Reference: CERT:CA-2002-08
Reference: URL:http://www.cert.org/advisories/CA-2002-08.html
Reference: CONFIRM:http://otn.oracle.com/deploy/security/pdf/ias_modplsql_alert.pdf
Reference: MISC:http://www.nextgenss.com/papers/hpoas.pdf

PL/SQL module 3.0.9.8.2 in Oracle 9i Application Server 1.0.2.x allows
remote attackers to bypass authentication for a Database Access
Descriptor (DAD) by modifying the URL to reference an alternate DAD
that already has valid credentials.
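The two PL/SQL Gateway issues above, CAN-2002-0560 (OWA_UTIL procedures
reachable through the gateway) and CAN-2002-0564 (rewriting the URL to
name a DAD that already carries stored credentials), can both be watched
for in web-server access logs. The script below is an added example
written for this ballot, not Oracle's code and not taken from the
referenced advisories or papers. It assumes the usual
/pls/<dad>/<package>.<procedure> URL shape; the DAD allowlist and the
log lines are constructed placeholders.

```python
"""Flag suspicious PL/SQL Gateway (mod_plsql) requests in access logs.

Added example, not part of the CVE ballot or Oracle's code.  Assumes the
common gateway URL shape /pls/<dad>/<package>.<procedure>?<args>; the DAD
names and log lines below are constructed for illustration.
"""
import re
from urllib.parse import unquote

# DADs the deployment intends to expose.  Any other DAD named in a request
# is suspicious (CAN-2002-0564: an attacker switches to a DAD that already
# has stored credentials).  Constructed example values.
ALLOWED_DADS = {"portal30", "myapp"}

# OWA_UTIL procedures named in CAN-2002-0560.
OWA_UTIL_PROCS = {"signature", "listprint", "show_query_columns"}

# Common Log Format: the first quoted field is "METHOD PATH PROTO".
_LOG_RE = re.compile(r'^(\S+) \S+ \S+ \[[^\]]+\] "(\S+) (\S+) [^"]*" (\d{3})')
_PLS_RE = re.compile(r"^/pls/([^/?]+)/([^/?]+)", re.IGNORECASE)


def parse_gateway_path(path):
    """Return (dad, package, procedure), lower-cased, for a mod_plsql URL, or None.

    The path is percent-decoded first so that an encoding such as owa%5Futil
    cannot slip past a plain string match.  A target without a dot yields an
    empty package (e.g. /pls/dad/proc).
    """
    m = _PLS_RE.match(unquote(path))
    if not m:
        return None
    dad, target = m.group(1), m.group(2)
    pkg, _, proc = target.rpartition(".")
    return dad.lower(), pkg.lower(), proc.lower()


def classify_request(path):
    """Return a list of finding tags for one request path (empty if clean)."""
    parsed = parse_gateway_path(path)
    if parsed is None:
        return []
    dad, pkg, proc = parsed
    findings = []
    if pkg == "owa_util" and proc in OWA_UTIL_PROCS:
        findings.append("owa_util-info-disclosure")
    if dad not in ALLOWED_DADS:
        findings.append("unexpected-dad:" + dad)
    return findings


def scan_log(lines):
    """Yield (client_ip, path, findings) for every log line that raises a finding."""
    for line in lines:
        m = _LOG_RE.match(line)
        if not m:
            continue
        ip, _method, path, _status = m.groups()
        findings = classify_request(path)
        if findings:
            yield ip, path, findings


# Constructed sample log lines (not real traffic).
SAMPLE_LOG = """\
10.0.0.5 - - [06/Feb/2002:10:00:01 +0000] "GET /pls/myapp/pkg.home HTTP/1.0" 200 512
10.0.0.9 - - [06/Feb/2002:10:00:02 +0000] "GET /pls/myapp/OWA_UTIL.signature HTTP/1.0" 200 310
10.0.0.9 - - [06/Feb/2002:10:00:03 +0000] "GET /pls/myapp/owa%5Futil.show_query_columns?ctable=sys.dba_users HTTP/1.0" 200 2048
10.0.0.9 - - [06/Feb/2002:10:00:04 +0000] "GET /pls/otherdad/app.start HTTP/1.0" 200 4096
10.0.0.7 - - [06/Feb/2002:10:00:05 +0000] "GET /index.html HTTP/1.0" 200 100
""".splitlines()


if __name__ == "__main__":
    for ip, path, findings in scan_log(SAMPLE_LOG):
        print(ip, path, findings)
```

Decoding before matching matters: the third sample line would pass an
unprocessed grep for "owa_util". Percent-decoding once is enough for the
gateway's own behaviour; a deployment behind a proxy that decodes twice
would need the loop repeated.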

Analysis
----------------
ED_PRI CAN-2002-0564 3
Vendor Acknowledgement: yes advisory
Content Decisions: SF-LOC

Voting Section
--------------
Possible votes: ACCEPT/MODIFY/NOOP/REVIEWING/RECAST/REJECT
If ACCEPT or MODIFY, include reason for acceptance:
  VERIFIED-BY-MY-ORG, ACKNOWLEDGED-BY-VENDOR, VERIFIED-BY-SOMEONE-I-TRUST,
  HAS-INDEPENDENT-CONFIRMATION, or provide other reason.

VOTE:
ACCEPT_REASON:

COMMENTS:

======================================================
Candidate: CAN-2002-0565
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2002-0565
Final-Decision:
Interim-Decision:
Modified:
Proposed: 20020611
Assigned: 20020607
Category: SF
Reference: BUGTRAQ:20020206 JSP translation file access under Oracle 9iAS
Reference: URL:http://marc.theaimsgroup.com/?l=bugtraq&m=101301440005580&w=2
Reference: CERT:CA-2002-08
Reference: URL:http://www.cert.org/advisories/CA-2002-08.html
Reference: CERT-VN:VU#547459
Reference: URL:http://www.kb.cert.org/vuls/id/547459
Reference: CONFIRM:http://otn.oracle.com/deploy/security/pdf/ias_modplsql_alert.pdf
Reference: BID:4034
Reference: URL:http://www.securityfocus.com/bid/4034
Reference: XF:oracle-appserver-oraclejsp-view-info(8100)
Reference: URL:http://xforce.iss.net/static/8100.php

Oracle 9iAS 1.0.2.x compiles JSP files in the _pages directory with
world-readable permissions under the web root, which allows remote
attackers to obtain sensitive information derived from the JSP code,
including usernames and passwords, via a direct HTTP request to
_pages.
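CAN-2002-0562 (globals.jsa under the web root) and this candidate
(compiled JSP output in a readable _pages directory) are both
filesystem-layout problems that can be checked from the server side
rather than by probing over HTTP. The script below is an added example
written for this ballot, not Oracle's tooling. It builds a small
constructed directory tree that mimics the vulnerable default so it runs
offline; the location of the translation directory on a real install is
an assumption to verify against the deployment.

```python
"""Check an Oracle JSP web root for the exposures in CAN-2002-0562 and
CAN-2002-0565: a globals.jsa file reachable by URL and a _pages directory
of translated JSP output left readable under the web root.

Added example, not Oracle's code.  The layout built by build_sample_webroot
is constructed for the demo and is not a real installation.
"""
import os
import stat
import tempfile


def find_jsp_exposures(webroot):
    """Walk webroot; return sorted (relative_path, reason) findings.

    Paths are reported with forward slashes regardless of platform.
    """
    findings = []
    for dirpath, dirnames, filenames in os.walk(webroot):
        rel_dir = os.path.relpath(dirpath, webroot)
        for name in filenames:
            if name.lower() == "globals.jsa":
                rel = os.path.normpath(os.path.join(rel_dir, name)).replace(os.sep, "/")
                findings.append((rel, "globals.jsa served from web root"))
        for name in dirnames:
            if name == "_pages":
                mode = os.stat(os.path.join(dirpath, name)).st_mode
                rel = os.path.normpath(os.path.join(rel_dir, name)).replace(os.sep, "/")
                if mode & stat.S_IROTH:
                    findings.append((rel, "_pages directory is world-readable"))
                else:
                    findings.append((rel, "_pages directory present under web root"))
    return sorted(findings)


def build_sample_webroot(root):
    """Create a constructed layout mimicking the vulnerable default (not a real install)."""
    pages = os.path.join(root, "app", "_pages")
    os.makedirs(pages)
    with open(os.path.join(root, "app", "globals.jsa"), "w") as f:
        f.write("# constructed placeholder for application-wide settings\n")
    with open(os.path.join(pages, "_index.java"), "w") as f:
        f.write("// constructed placeholder for translated JSP output\n")
    os.chmod(pages, 0o755)  # world-readable, as in the reported default
    os.makedirs(os.path.join(root, "static"))
    with open(os.path.join(root, "static", "index.html"), "w") as f:
        f.write("<html></html>\n")


def demo():
    """Build the sample tree in a temp dir and return the findings."""
    with tempfile.TemporaryDirectory() as root:
        build_sample_webroot(root)
        return find_jsp_exposures(root)


if __name__ == "__main__":
    for path, reason in demo():
        print(f"{path}: {reason}")
```

A clean result from this check is only half the fix: the files must also
not be served, so a deny rule for globals.jsa and _pages in the HTTP
server configuration belongs beside it.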

Analysis
----------------
ED_PRI CAN-2002-0565 3
Vendor Acknowledgement: yes advisory
Content Decisions: SF-LOC

Voting Section
--------------
Possible votes: ACCEPT/MODIFY/NOOP/REVIEWING/RECAST/REJECT
If ACCEPT or MODIFY, include reason for acceptance:
  VERIFIED-BY-MY-ORG, ACKNOWLEDGED-BY-VENDOR, VERIFIED-BY-SOMEONE-I-TRUST,
  HAS-INDEPENDENT-CONFIRMATION, or provide other reason.

VOTE:
ACCEPT_REASON:

COMMENTS:

======================================================
Candidate: CAN-2002-0566
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2002-0566
Final-Decision:
Interim-Decision:
Modified:
Proposed: 20020611
Assigned: 20020607
Category: SF
Reference: BUGTRAQ:20020206 Multiple Buffer Overflows in Oracle 9iAS
Reference: CERT-VN:VU#805915
Reference: URL:http://www.kb.cert.org/vuls/id/805915
Reference: CERT:CA-2002-08
Reference: URL:http://www.cert.org/advisories/CA-2002-08.html
Reference: CONFIRM:http://otn.oracle.com/deploy/security/pdf/ias_modplsql_alert.pdf
Reference: BID:4037
Reference: URL:http://www.securityfocus.com/bid/4037
Reference: XF:oracle-appserver-plsql-pls-dos(8099)
Reference: URL:http://xforce.iss.net/static/8099.php

PL/SQL module 3.0.9.8.2 in Oracle 9i Application Server 1.0.2.x allows
remote attackers to cause a denial of service (crash) via an HTTP
Authorization header without an authentication type.
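This candidate and item (3) of CAN-2002-0559 are both failures in
handling the HTTP Authorization header: one input has no authentication
type at all, the other has a password longer than the receiving buffer.
The parser below is an added example written for this ballot, not
Oracle's code; it shows the checks that make both inputs fail closed.
The two size limits are illustrative choices, and the sample headers are
constructed.

```python
"""Defensive parsing of the HTTP Authorization header.

Added example, not Oracle's code.  Illustrates rejecting a header with no
authentication type (the CAN-2002-0566 crash input) and an over-long
password (CAN-2002-0559 item 3) before any credential handling runs.  The
limits are illustrative assumptions.
"""
import base64
import binascii

MAX_HEADER_LEN = 1024      # assumption: cap on the raw header before parsing
MAX_CREDENTIAL_LEN = 256   # assumption: cap on decoded user:password bytes


class BadAuthorization(ValueError):
    """Any header the server should answer with 400/401 instead of processing."""


def parse_authorization(header_value):
    """Return (scheme, username, password) for a well-formed Basic header.

    Every reject path is an explicit check, so malformed input never reaches
    code that assumes a scheme token and bounded fields exist.
    """
    if header_value is None or len(header_value) > MAX_HEADER_LEN:
        raise BadAuthorization("missing or oversized header")
    parts = header_value.strip().split(None, 1)
    if len(parts) != 2:
        # "Authorization: <blob>" or an empty value: no type/credential pair
        raise BadAuthorization("authentication type missing")
    scheme, credentials = parts[0], parts[1].strip()
    if scheme.lower() != "basic":
        raise BadAuthorization("unsupported scheme: %s" % scheme)
    try:
        decoded = base64.b64decode(credentials, validate=True)
    except (binascii.Error, ValueError):
        raise BadAuthorization("credentials are not valid base64")
    if len(decoded) > MAX_CREDENTIAL_LEN:
        raise BadAuthorization("decoded credentials too long")
    user, sep, password = decoded.partition(b":")
    if not sep or not user:
        raise BadAuthorization("credentials lack user:password form")
    return scheme.lower(), user.decode("latin-1"), password.decode("latin-1")


def check_header(header_value):
    """Wrapper returning ('ok', user) or ('reject', reason)."""
    try:
        _, user, _ = parse_authorization(header_value)
        return ("ok", user)
    except BadAuthorization as e:
        return ("reject", str(e))


# Constructed sample headers (not captured traffic).
SAMPLE_HEADERS = {
    "good": "Basic " + base64.b64encode(b"scott:tiger").decode("ascii"),
    "no_type": base64.b64encode(b"scott:tiger").decode("ascii"),
    "long_pw": "Basic " + base64.b64encode(b"scott:" + b"A" * 300).decode("ascii"),
    "huge": "Basic " + base64.b64encode(b"scott:" + b"A" * 4000).decode("ascii"),
    "empty": "",
}


if __name__ == "__main__":
    for name, value in SAMPLE_HEADERS.items():
        print(name, check_header(value))
```

The header-length check comes first so that the base64 decoder never sees
an attacker-sized input; the decoded-length check then bounds what the
credential lookup receives even when the raw header fits.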

Analysis
----------------
ED_PRI CAN-2002-0566 3
Vendor Acknowledgement: yes advisory
Content Decisions: SF-LOC

Voting Section
--------------
Possible votes: ACCEPT/MODIFY/NOOP/REVIEWING/RECAST/REJECT
If ACCEPT or MODIFY, include reason for acceptance:
  VERIFIED-BY-MY-ORG, ACKNOWLEDGED-BY-VENDOR, VERIFIED-BY-SOMEONE-I-TRUST,
  HAS-INDEPENDENT-CONFIRMATION, or provide other reason.

VOTE:
ACCEPT_REASON:

COMMENTS:

======================================================
Candidate: CAN-2002-0570
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2002-0570
Final-Decision:
Interim-Decision:
Modified:
Proposed: 20020611
Assigned: 20020607
Category: SF
Reference: BUGTRAQ:20020102 Vulnerability in encrypted loop device for linux
Reference: URL:http://archives.neohapsis.com/archives/bugtraq/2002-01/0010.html
Reference: BID:3775
Reference: URL:http://www.securityfocus.com/bid/3775
Reference: XF:linux-loop-device-encryption(7769)
Reference: URL:http://xforce.iss.net/static/7769.php

The encrypted loop device in Linux kernel 2.4.10 and earlier encrypts
data without authenticating it (there is no integrity check on the
stored ciphertext), which allows local users who can write to the
underlying file or device to modify the encrypted data, and hence the
decrypted contents, without knowing the key.
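An added illustration of the property this candidate describes, written
for this ballot and not taken from the kernel or from the Bugtraq post:
encryption without an integrity check lets anyone who can write the
ciphertext make controlled changes to the plaintext without the key,
and an encrypt-then-MAC tag makes such edits detectable. The cipher here
is a SHA-256 keystream stand-in, chosen so the script needs only the
standard library; it is not the loop device's cipher, and the exact
shape of the plaintext damage differs between cipher modes, but the
undetected modification is the common point.

```python
"""Malleability of unauthenticated encryption, and what a MAC changes.

Added example, not kernel code.  The "cipher" is a keystream derived from
SHA-256 in counter mode (an assumption made so the script runs with the
standard library); the loop device used a real block cipher, but the
absence of an integrity tag is the shared problem.
"""
import hashlib
import hmac
import os


def keystream(key, nonce, length):
    """PRF-based keystream: SHA-256(key || nonce || counter), concatenated."""
    out = bytearray()
    counter = 0
    while len(out) < length:
        out += hashlib.sha256(key + nonce + counter.to_bytes(8, "big")).digest()
        counter += 1
    return bytes(out[:length])


def encrypt(key, nonce, plaintext):
    """XOR the plaintext with the keystream."""
    return bytes(p ^ k for p, k in zip(plaintext, keystream(key, nonce, len(plaintext))))


decrypt = encrypt  # XOR with the same keystream undoes it


def tamper(ciphertext, offset, old, new):
    """Attacker edit: flip exactly the bits that turn `old` into `new` at `offset`.

    Needs only the ciphertext and a guess of the plaintext at that position;
    the key never enters.  This is what a local user editing sectors of the
    loop device's backing file can do.
    """
    patched = bytearray(ciphertext)
    for i, (o, n) in enumerate(zip(old, new)):
        patched[offset + i] ^= o ^ n
    return bytes(patched)


def seal(key, mac_key, nonce, plaintext):
    """Encrypt-then-MAC: the tag covers the nonce and the ciphertext."""
    ct = encrypt(key, nonce, plaintext)
    tag = hmac.new(mac_key, nonce + ct, hashlib.sha256).digest()
    return ct, tag


def open_sealed(key, mac_key, nonce, ct, tag):
    """Return the plaintext, or None if the tag does not verify (tamper detected)."""
    expected = hmac.new(mac_key, nonce + ct, hashlib.sha256).digest()
    if not hmac.compare_digest(expected, tag):
        return None
    return decrypt(key, nonce, ct)


def demo():
    """Return (unauthenticated result, authenticated result, honest result)."""
    key, mac_key = os.urandom(32), os.urandom(32)
    nonce = os.urandom(16)
    record = b"uid=1000 admin=0 shell=/bin/sh"   # constructed sample record
    off = record.index(b"admin=0")

    # Without a MAC: the attacker knows the record layout, not the key, and
    # turns admin=0 into admin=1; decryption accepts the result silently.
    ct = encrypt(key, nonce, record)
    unauth_result = decrypt(key, nonce, tamper(ct, off, b"admin=0", b"admin=1"))

    # With encrypt-then-MAC: the same edit fails verification.
    ct2, tag = seal(key, mac_key, nonce, record)
    auth_result = open_sealed(key, mac_key, nonce, tamper(ct2, off, b"admin=0", b"admin=1"), tag)

    # Untouched data still opens.
    honest_result = open_sealed(key, mac_key, nonce, ct2, tag)
    return unauth_result, auth_result, honest_result


if __name__ == "__main__":
    plain, sealed, honest = demo()
    print("unauthenticated:", plain)    # admin=1, accepted silently
    print("encrypt-then-MAC:", sealed)  # None, tamper detected
    print("untouched:", honest)
```

For a block device the tag has to be stored and checked per sector (or
per group of sectors), which is why retrofitting integrity onto an
existing encrypted volume format is a layout change and not just a
cipher swap.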

Analysis
----------------
ED_PRI CAN-2002-0570 3
Vendor Acknowledgement: unknown

Voting Section
--------------
Possible votes: ACCEPT/MODIFY/NOOP/REVIEWING/RECAST/REJECT
If ACCEPT or MODIFY, include reason for acceptance:
  VERIFIED-BY-MY-ORG, ACKNOWLEDGED-BY-VENDOR, VERIFIED-BY-SOMEONE-I-TRUST,
  HAS-INDEPENDENT-CONFIRMATION, or provide other reason.

VOTE:
ACCEPT_REASON:

COMMENTS:

 
Page Last Updated: May 22, 2007