[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

[PROPOSAL] Cluster RECENT-90 - 51 candidates

I am proposing cluster RECENT-90 for review and voting by the
Editorial Board.

Name: RECENT-90
Description: Candidates announced between 3/10/2002 and 3/21/2002
Size: 51

You may vote on candidates by modifying this email ballot and sending
it back to me, or by using the CVE voting web site.

The candidates are listed in order of priority.  Priority 1 and
Priority 2 candidates both deal with varying levels of vendor
confirmation, so they should be easy to review and it can be trusted
that the problems are real.

If you discover that any RECENT-XX cluster is incomplete with respect
to the problems discovered during the associated time frame, please
send that information to me so that candidates can be assigned.

- Steve







Summary of votes to use (in ascending order of "severity")
----------------------------------------------------------

ACCEPT - voter accepts the candidate as proposed
NOOP - voter has no opinion on the candidate
MODIFY - voter wants to change some MINOR detail (e.g. reference/description)
REVIEWING - voter is reviewing/researching the candidate, or needs more info
RECAST - candidate must be significantly modified, e.g. split or merged
REJECT - candidate is "not a vulnerability", or a duplicate, etc.

1) Please write your vote on the line that starts with "VOTE: ".  If
   you want to add comments or details, add them to lines after the
   VOTE: line.

2) If you see any missing references, please mention them so that they
   can be included.  References help greatly during mapping.

3) Note that a "MODIFY" is treated as an "ACCEPT" when counting votes.
   So if you don't have sufficient information for a candidate but you
   don't want to NOOP, use a REVIEWING.

********** NOTE ********** NOTE ********** NOTE ********** NOTE **********

Please keep in mind that your vote and comments will be recorded and
publicly viewable in the mailing list archives or in other formats.

======================================================
Candidate: CAN-2002-0178
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2002-0178
Final-Decision:
Interim-Decision:
Modified:
Proposed: 20020611
Assigned: 20020417
Category: SF
Reference: REDHAT:RHSA-2002:065
Reference: URL:http://www.redhat.com/support/errata/RHSA-2002-065.html

uudecode, as available in the sharutils package before 4.2.1, does not
check whether the filename of the uudecoded file is a pipe or symbolic
link, which could allow attackers to overwrite files or execute
commands.

Analysis
----------------
ED_PRI CAN-2002-0178 1
Vendor Acknowledgement: yes advisory

Voting Section
--------------
Possible votes: ACCEPT/MODIFY/NOOP/REVIEWING/RECAST/REJECT
If ACCEPT or MODIFY, include reason for acceptance:
  VERIFIED-BY-MY-ORG, ACKNOWLEDGED-BY-VENDOR, VERIFIED-BY-SOMEONE-I-TRUST,
  HAS-INDEPENDENT-CONFIRMATION, or provide other reason.

VOTE:
ACCEPT_REASON:

COMMENTS:

======================================================
Candidate: CAN-2002-0367
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2002-0367
Final-Decision:
Interim-Decision:
Modified:
Proposed: 20020611
Assigned: 20020508
Category: SF
Reference: BUGTRAQ:20020314 Fwd: DebPloit (exploit)
Reference: URL:http://www.securityfocus.com/archive/1/262074
Reference: BUGTRAQ:20020326 Re: DebPloit (exploit)
Reference: URL:http://www.securityfocus.com/archive/1/264441
Reference: BUGTRAQ:20020327 Local Security Vulnerability in Windows NT and Windows 2000
Reference: URL:http://www.securityfocus.com/archive/1/264927
Reference: NTBUGTRAQ:20020314 DebPloit (exploit)
Reference: URL:http://marc.theaimsgroup.com/?l=ntbugtraq&m=101614320402695&w=2
Reference: BID:4287
Reference: URL:http://www.securityfocus.com/bid/4287
Reference: XF:win-debug-duplicate-handles(8462)
Reference: URL:http://www.iss.net/security_center/static/8462.php
Reference: MS:MS02-024
Reference: URL:http://www.microsoft.com/technet/security/bulletin/ms02-024.asp

smss.exe debugging subsystem in Windows NT and Windows 2000 does not
properly authenticate programs that connect to other programs, which
allows local users to gain administrator or SYSTEM privileges by
duplicating a handle to a privileged process, as demonstrated by
DebPloit.

Analysis
----------------
ED_PRI CAN-2002-0367 1
Vendor Acknowledgement: yes advisory

Voting Section
--------------
Possible votes: ACCEPT/MODIFY/NOOP/REVIEWING/RECAST/REJECT
If ACCEPT or MODIFY, include reason for acceptance:
  VERIFIED-BY-MY-ORG, ACKNOWLEDGED-BY-VENDOR, VERIFIED-BY-SOMEONE-I-TRUST,
  HAS-INDEPENDENT-CONFIRMATION, or provide other reason.

VOTE:
ACCEPT_REASON:

COMMENTS:

======================================================
Candidate: CAN-2002-0381
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2002-0381
Final-Decision:
Interim-Decision:
Modified:
Proposed: 20020611
Assigned: 20020517
Category: SF
Reference: MISC:http://www.FreeBSD.org/cgi/query-pr.cgi?pr=35022
Reference: BUGTRAQ:20020317 TCP Connections to a Broadcast Address on BSD-Based Systems
Reference: URL:http://online.securityfocus.com/archive/1/262733
Reference: CONFIRM:http://www.openbsd.org/cgi-bin/cvsweb/src/sys/netinet/tcp_input.c.diff?r1=1.109&r2=1.110
Reference: CONFIRM:http://cvsweb.netbsd.org/bsdweb.cgi/syssrc/sys/netinet/tcp_input.c.diff?r1=1.136&r2=1.137
Reference: BID:4309
Reference: URL:http://online.securityfocus.com/bid/4309
Reference: XF:bsd-broadcast-address(8485)
Reference: URL:http://www.iss.net/security_center/static/8485.php

The TCP implementation in various BSD operating systems (tcp_input.c)
does not properly block connections to broadcast addresses, which
could allow remote attackers to bypass intended filters via packets
with a unicast link layer address and an IP broadcast address.

Analysis
----------------
ED_PRI CAN-2002-0381 1
Vendor Acknowledgement: yes

Voting Section
--------------
Possible votes: ACCEPT/MODIFY/NOOP/REVIEWING/RECAST/REJECT
If ACCEPT or MODIFY, include reason for acceptance:
  VERIFIED-BY-MY-ORG, ACKNOWLEDGED-BY-VENDOR, VERIFIED-BY-SOMEONE-I-TRUST,
  HAS-INDEPENDENT-CONFIRMATION, or provide other reason.

VOTE:
ACCEPT_REASON:

COMMENTS:

======================================================
Candidate: CAN-2002-0435
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2002-0435
Final-Decision:
Interim-Decision:
Modified:
Proposed: 20020611
Assigned: 20020607
Category: SF
Reference: BUGTRAQ:20020310 GNU fileutils - recursive directory removal race condition
Reference: URL:http://www.securityfocus.com/archive/1/260936
Reference: CONFIRM:http://mail.gnu.org/pipermail/bug-fileutils/2002-March/002440.html
Reference: CALDERA:CSSA-2002-018.1
Reference: URL:ftp://ftp.caldera.com/pub/security/OpenLinux/CSSA-2002-018.1.txt
Reference: XF:gnu-fileutils-race-condition(8432)
Reference: URL:http://www.iss.net/security_center/static/8432.php
Reference: BID:4266
Reference: URL:http://www.securityfocus.com/bid/4266

Race condition in the recursive (1) directory deletion and (2)
directory move in GNU File Utilities (fileutils) 4.1 and earlier
allows local users to delete directories as the user running fileutils
by moving a low-level directory to a higher level as it is being
deleted, which causes fileutils to chdir to a ".." directory that is
higher than expected, possibly up to the root file system.

Analysis
----------------
ED_PRI CAN-2002-0435 1
Vendor Acknowledgement: yes

Voting Section
--------------
Possible votes: ACCEPT/MODIFY/NOOP/REVIEWING/RECAST/REJECT
If ACCEPT or MODIFY, include reason for acceptance:
  VERIFIED-BY-MY-ORG, ACKNOWLEDGED-BY-VENDOR, VERIFIED-BY-SOMEONE-I-TRUST,
  HAS-INDEPENDENT-CONFIRMATION, or provide other reason.

VOTE:
ACCEPT_REASON:

COMMENTS:

======================================================
Candidate: CAN-2002-0437
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2002-0437
Final-Decision:
Interim-Decision:
Modified:
Proposed: 20020611
Assigned: 20020607
Category: SF
Reference: BUGTRAQ:20020311 SMStools vulnerabilities in release before 1.4.8
Reference: URL:http://archives.neohapsis.com/archives/bugtraq/2002-03/0103.html
Reference: CONFIRM:http://www.isis.de/members/~s.frings/smstools/history.html
Reference: BID:4268
Reference: URL:http://www.securityfocus.com/bid/4268
Reference: XF:sms-tools-format-string(8433)
Reference: URL:http://www.iss.net/security_center/static/8433.php

Smsd in SMS Server Tools (SMStools) before 1.4.8 allows remote
attackers to execute arbitrary commands via shell metacharacters
(backquotes) in message text, as described with the term "string
format vulnerability" by some sources.

Analysis
----------------
ED_PRI CAN-2002-0437 1
Vendor Acknowledgement: yes changelog

ACCURACY: The original discloser (probably a non-native English
speaker) says the problem is due to "string format vulnerabilities,"
which makes it sound like format string vulnerabilities; but the
impact is described as "arbitrary command injection," and the vendor's
change log says "disable execution of programs by using backquotes in
the message text," which makes it sound like a shell metacharacter
problem. In addition, a source code review of 1.4.9 indicates that the
problem is with shell metacharacters. getSMSdata() in smsd.c removes
the quote from a text field, which is then provided to sendsms(),
which is then fed into my_system(), which then calls system().  A
followup email to the discloser confirms that the discloser was
dealing with a metacharacter issue.
ACKNOWLEDGEMENT: In a "thanks" page, the vendor credits the
researcher, and in the change log, described security issues that
match the dates and affected versions from the initial disclosure.

Voting Section
--------------
Possible votes: ACCEPT/MODIFY/NOOP/REVIEWING/RECAST/REJECT
If ACCEPT or MODIFY, include reason for acceptance:
  VERIFIED-BY-MY-ORG, ACKNOWLEDGED-BY-VENDOR, VERIFIED-BY-SOMEONE-I-TRUST,
  HAS-INDEPENDENT-CONFIRMATION, or provide other reason.

VOTE:
ACCEPT_REASON:

COMMENTS:

======================================================
Candidate: CAN-2002-0441
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2002-0441
Final-Decision:
Interim-Decision:
Modified:
Proposed: 20020611
Assigned: 20020607
Category: SF
Reference: BUGTRAQ:20020311 Directory traversal vulnerability in phpimglist
Reference: URL:http://www.securityfocus.com/archive/1/261221
Reference: CONFIRM:http://www.liquidpulse.net/get.lp?id=17
Reference: XF:phpimglist-dot-directory-traversal(8441)
Reference: URL:http://www.iss.net/security_center/static/8441.php
Reference: BID:4276
Reference: URL:http://www.securityfocus.com/bid/4276

Directory traversal vulnerability in imlist.php for Php Imglist allows
remote attackers to read arbitrary code via a .. (dot dot) in the cwd
parameter.

Analysis
----------------
ED_PRI CAN-2002-0441 1
Vendor Acknowledgement: yes changelog

ACKNOWLEDGEMENT: The CHANGELOG for version 1.2.2 identifies a bug fix
that "stops people from browsing outside of your specified directory."

Voting Section
--------------
Possible votes: ACCEPT/MODIFY/NOOP/REVIEWING/RECAST/REJECT
If ACCEPT or MODIFY, include reason for acceptance:
  VERIFIED-BY-MY-ORG, ACKNOWLEDGED-BY-VENDOR, VERIFIED-BY-SOMEONE-I-TRUST,
  HAS-INDEPENDENT-CONFIRMATION, or provide other reason.

VOTE:
ACCEPT_REASON:

COMMENTS:

======================================================
Candidate: CAN-2002-0442
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2002-0442
Final-Decision:
Interim-Decision:
Modified:
Proposed: 20020611
Assigned: 20020607
Category:
Reference: CALDERA:CSSA-2002-SCO.8
Reference: URL:ftp://stage.caldera.com/pub/security/openserver/CSSA-2002-SCO.8/CSSA-2002-SCO.8.txt
Reference: XF:openserver-dlvraudit-bo(8442)
Reference: URL:http://www.iss.net/security_center/static/8442.php
Reference: BID:4273
Reference: URL:http://www.securityfocus.com/bid/4273

Buffer overflow in dlvr_audit for Caldera OpenServer 5.0.5 and 5.0.6
allows local users to gain root privileges.

Analysis
----------------
ED_PRI CAN-2002-0442 1
Vendor Acknowledgement: yes advisory

Voting Section
--------------
Possible votes: ACCEPT/MODIFY/NOOP/REVIEWING/RECAST/REJECT
If ACCEPT or MODIFY, include reason for acceptance:
  VERIFIED-BY-MY-ORG, ACKNOWLEDGED-BY-VENDOR, VERIFIED-BY-SOMEONE-I-TRUST,
  HAS-INDEPENDENT-CONFIRMATION, or provide other reason.

VOTE:
ACCEPT_REASON:

COMMENTS:

======================================================
Candidate: CAN-2002-0451
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2002-0451
Final-Decision:
Interim-Decision:
Modified:
Proposed: 20020611
Assigned: 20020607
Category: SF
Reference: BUGTRAQ:20020313 Command execution in phprojekt.
Reference: URL:http://www.securityfocus.com/archive/1/261676
Reference: CONFIRM:http://www.phprojekt.com/modules.php?op=modload&name=News&file=article&sid=19&mode=&order=
Reference: BID:4284
Reference: URL:http://www.securityfocus.com/bid/4284
Reference: XF:phpprojekt-filemanager-include-files(8448)
Reference: URL:http://www.iss.net/security_center/static/8448.php

filemanager_forms.php in PHProjekt 3.1 and 3.1a allows remote
attackers to execute arbitrary PHP code by specifying the URL to the
code in the lib_path parameter.

Analysis
----------------
ED_PRI CAN-2002-0451 1
Vendor Acknowledgement: yes

Voting Section
--------------
Possible votes: ACCEPT/MODIFY/NOOP/REVIEWING/RECAST/REJECT
If ACCEPT or MODIFY, include reason for acceptance:
  VERIFIED-BY-MY-ORG, ACKNOWLEDGED-BY-VENDOR, VERIFIED-BY-SOMEONE-I-TRUST,
  HAS-INDEPENDENT-CONFIRMATION, or provide other reason.

VOTE:
ACCEPT_REASON:

COMMENTS:

======================================================
Candidate: CAN-2002-0454
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2002-0454
Final-Decision:
Interim-Decision:
Modified:
Proposed: 20020611
Assigned: 20020607
Category: SF
Reference: BUGTRAQ:20020315 Bug in QPopper (All Versions?)
Reference: URL:http://www.securityfocus.com/archive/1/262213
Reference: CONFIRM:ftp://ftp.qualcomm.com/eudora/servers/unix/popper/qpopper4.0.4.tar.gz
Reference: XF:qpopper-qpopper-dos(8458)
Reference: URL:http://www.iss.net/security_center/static/8458.php
Reference: BID:4295
Reference: URL:http://www.securityfocus.com/bid/4295

Qpopper (aka in.qpopper or popper) 4.0.3 and earlier allows remote
attackers to cause a denial of service (CPU consumption) via a very
large string, which causes an infinite loop.

Analysis
----------------
ED_PRI CAN-2002-0454 1
Vendor Acknowledgement: yes patch

ACKNOWLEDGEMENT: the change log for version 4.0.4 says "Fixed DOS
attack seen on some systems," but the description itself is too vague
to be certain that the vendor has fixed *this* issue. However, a diff
of popper/popper.c in versions 4.0.4 and 4.0.3 reveals a new comment:
"getline() now clears out storage buffer when giving up after
discarding bytes. Fixes looping DOS attack seen on some systems." That
would be consistent with the behavior that was originally reported.

Voting Section
--------------
Possible votes: ACCEPT/MODIFY/NOOP/REVIEWING/RECAST/REJECT
If ACCEPT or MODIFY, include reason for acceptance:
  VERIFIED-BY-MY-ORG, ACKNOWLEDGED-BY-VENDOR, VERIFIED-BY-SOMEONE-I-TRUST,
  HAS-INDEPENDENT-CONFIRMATION, or provide other reason.

VOTE:
ACCEPT_REASON:

COMMENTS:

======================================================
Candidate: CAN-2002-0462
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2002-0462
Final-Decision:
Interim-Decision:
Modified:
Proposed: 20020611
Assigned: 20020607
Category: SF
Reference: BUGTRAQ:20020318 [ARL02-A11] Big Sam (Built-In Guestbook Stand-Alone Module) Multiple Vulnerabilities
Reference: URL:http://www.securityfocus.com/archive/1/262735
Reference: CONFIRM:http://www.gezzed.net/bigsam/bigsam.1_1_12.php.txt
Reference: XF:bigsam-displaybegin-dos(8478)
Reference: URL:http://www.iss.net/security_center/static/8478.php
Reference: XF:bigsam-safemode-path-disclosure(8479)
Reference: URL:http://www.iss.net/security_center/static/8479.php
Reference: BID:4312
Reference: URL:http://www.securityfocus.com/bid/4312

bigsam_guestbook.php for Big Sam (Built-In Guestbook Stand-Alone
Module) 1.1.08 and earlier allows remote attackers to cause a denial
of service (CPU consumption) or obtain the absolute path of the web
server via an error message when PHP safe_mode is enabled, via a
displayBegin parameter with a very large number.

Analysis
----------------
ED_PRI CAN-2002-0462 1
Vendor Acknowledgement: yes

ACKNOWLEDGEMENT: in the source code for the program, the vendor has a
comment that states "Checks if $displayBegin is not too large," and
credits the discloser.

Voting Section
--------------
Possible votes: ACCEPT/MODIFY/NOOP/REVIEWING/RECAST/REJECT
If ACCEPT or MODIFY, include reason for acceptance:
  VERIFIED-BY-MY-ORG, ACKNOWLEDGED-BY-VENDOR, VERIFIED-BY-SOMEONE-I-TRUST,
  HAS-INDEPENDENT-CONFIRMATION, or provide other reason.

VOTE:
ACCEPT_REASON:

COMMENTS:

======================================================
Candidate: CAN-2002-0464
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2002-0464
Final-Decision:
Interim-Decision:
Modified:
Proposed: 20020611
Assigned: 20020607
Category: SF
Reference: BUGTRAQ:20020318 Hosting Directory Traversal madness...
Reference: URL:http://www.securityfocus.com/archive/1/262734
Reference: CONFIRM:http://www.hostingcontroller.com/english/patches/ForAll/download/dot-slash.zip
Reference: BID:4311
Reference: URL:http://www.securityfocus.com/bid/4311

Directory traversal vulnerability in Hosting Controller 1.4.1 and
earlier allows remote attackers to read and modify arbitrary files and
directories via a .. (dot dot) in arguments to (1) file_editor.asp,
(2) folderactions.asp, or (3) editoractions.asp.

Analysis
----------------
ED_PRI CAN-2002-0464 1
Vendor Acknowledgement: yes changelog

ACKNOWLEDGEMENT: the readme.txt file in a patch labeled "Infamous
Dot-Slash Bug Fix," dated March 22, 2002, states: "Folder Manager was
vulnerable to infamous ../ bug, if an alternate path was sent using
the query string variables, the altered path could be deleted or
renamed."
ABSTRACTION: Although another directory traversal vulnerability was
discovered shortly before this one (January 2002), CD:SF-LOC suggests
keeping separate CVE items for them because separate patches were
produced.

Voting Section
--------------
Possible votes: ACCEPT/MODIFY/NOOP/REVIEWING/RECAST/REJECT
If ACCEPT or MODIFY, include reason for acceptance:
  VERIFIED-BY-MY-ORG, ACKNOWLEDGED-BY-VENDOR, VERIFIED-BY-SOMEONE-I-TRUST,
  HAS-INDEPENDENT-CONFIRMATION, or provide other reason.

VOTE:
ACCEPT_REASON:

COMMENTS:

======================================================
Candidate: CAN-2002-0473
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2002-0473
Final-Decision:
Interim-Decision:
Modified:
Proposed: 20020611
Assigned: 20020607
Category: SF
Reference: VULN-DEV:20020318 phpBB2 remote execution command
Reference: URL:http://online.securityfocus.com/archive/82/262600
Reference: BUGTRAQ:20020318 Re: phpBB2 remote execution command (fwd)
Reference: URL:http://archives.neohapsis.com/archives/bugtraq/2002-03/0221.html
Reference: BUGTRAQ:20020318 phpBB2 remote execution command
Reference: URL:http://archives.neohapsis.com/archives/bugtraq/2002-03/0229.html
Reference: CONFIRM:http://prdownloads.sourceforge.net/phpbb/phpBB-2.0.1.zip
Reference: MISC:http://phpbb.sourceforge.net/phpBB2/viewtopic.php?t=9483
Reference: BID:4380
Reference: URL:http://www.securityfocus.com/bid/4380
Reference: XF:phpbb-db-command-execution(8476)
Reference: URL:http://www.iss.net/security_center/static/8476.php

db.php in phBB 2.0 (aka phBB2) RC-3 and earlier allows remote
attackers to execute arbitrary code from remote servers via the
phpbb_root_path parameter.

Analysis
----------------
ED_PRI CAN-2002-0473 1
Vendor Acknowledgement: yes changelog

ACKNOWLEDGEMENT: a followup post to Bugtraq points to a URL that could
contain acknowledgement, but no longer exists. A post from the
developer to a web forum, dated March 23, 2002, is titled "Security
vulnerability in phpBB 2.0" and implies that any "CVS version dated
before March 19th 2002" is vulnerable. The comments in the changelog
in docs/README.html say that version RC4 "Addressed serious security
issue with included files," which would be consistent with the
slightly vague Bugtraq post, which says "some backdoor server [is]
needed to launch the attack," which implies that the problem is in PHP
include files or the rough equivalent. A "diff" between 2.0.1 and
2.0.0 RC3 indicates that the only change to db.php was a check for the
IN_PHPBB variable, which (a) does not exist in RC3, (b) is defined in
all top-level PHP programs in 2.0.1, and (c) dies with the phrase
"Hacking attempt" if IN_PHPBB is not defined.

Voting Section
--------------
Possible votes: ACCEPT/MODIFY/NOOP/REVIEWING/RECAST/REJECT
If ACCEPT or MODIFY, include reason for acceptance:
  VERIFIED-BY-MY-ORG, ACKNOWLEDGED-BY-VENDOR, VERIFIED-BY-SOMEONE-I-TRUST,
  HAS-INDEPENDENT-CONFIRMATION, or provide other reason.

VOTE:
ACCEPT_REASON:

COMMENTS:

======================================================
Candidate: CAN-2002-0476
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2002-0476
Final-Decision:
Interim-Decision:
Modified:
Proposed: 20020611
Assigned: 20020607
Category: SF
Reference: BUGTRAQ:20020319 More SWF vulnerabilities?
Reference: URL:http://www.securityfocus.com/archive/1/262990
Reference: CONFIRM:http://www.macromedia.com/support/flash/ts/documents/fs_save.htm
Reference: BID:4320
Reference: URL:http://www.securityfocus.com/bid/4320
Reference: XF:flash-fscommand-save(8584)
Reference: URL:http://www.iss.net/security_center/static/8584.php

Standalone Macromedia Flash Player 5.0 allows remote attackers to save
arbitrary files and programs via a .SWF file containing the
undocumented "save" FSCommand.

Analysis
----------------
ED_PRI CAN-2002-0476 1
Vendor Acknowledgement: yes advisory

Voting Section
--------------
Possible votes: ACCEPT/MODIFY/NOOP/REVIEWING/RECAST/REJECT
If ACCEPT or MODIFY, include reason for acceptance:
  VERIFIED-BY-MY-ORG, ACKNOWLEDGED-BY-VENDOR, VERIFIED-BY-SOMEONE-I-TRUST,
  HAS-INDEPENDENT-CONFIRMATION, or provide other reason.

VOTE:
ACCEPT_REASON:

COMMENTS:

======================================================
Candidate: CAN-2002-0477
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2002-0477
Final-Decision:
Interim-Decision:
Modified:
Proposed: 20020611
Assigned: 20020607
Category: SF
Reference: BUGTRAQ:20020109 Shockwave Flash player issue
Reference: URL:http://marc.theaimsgroup.com/?l=bugtraq&m=101071988413107&w=2
Reference: BUGTRAQ:20020319 More SWF vulnerabilities?
Reference: URL:http://www.securityfocus.com/archive/1/262990
Reference: CONFIRM:http://www.macromedia.com/support/flash/ts/documents/swf_clear.htm
Reference: CONFIRM:http://www.macromedia.com/support/flash/ts/documents/standalone_update.htm
Reference: XF:flash-fscommand-exec(8587)
Reference: URL:http://www.iss.net/security_center/static/8587.php
Reference: BID:4321
Reference: URL:http://www.securityfocus.com/bid/4321

Standalone Macromedia Flash Player 5.0 before 5,0,30,2 allows remote
attackers to execute arbitrary programs via a .SWF file containing the
"exec" FSCommand.

Analysis
----------------
ED_PRI CAN-2002-0477 1
Vendor Acknowledgement: yes advisory

Voting Section
--------------
Possible votes: ACCEPT/MODIFY/NOOP/REVIEWING/RECAST/REJECT
If ACCEPT or MODIFY, include reason for acceptance:
  VERIFIED-BY-MY-ORG, ACKNOWLEDGED-BY-VENDOR, VERIFIED-BY-SOMEONE-I-TRUST,
  HAS-INDEPENDENT-CONFIRMATION, or provide other reason.

VOTE:
ACCEPT_REASON:

COMMENTS:

======================================================
Candidate: CAN-2002-0484
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2002-0484
Final-Decision:
Interim-Decision:
Modified:
Proposed: 20020611
Assigned: 20020607
Category: SF
Reference: BUGTRAQ:20020321 Re: move_uploaded_file breaks safe_mode restrictions in PHP
Reference: URL:http://online.securityfocus.com/archive/1/263259
Reference: BUGTRAQ:20020317 move_uploaded_file breaks safe_mode restrictions in PHP
Reference: URL:http://online.securityfocus.com/archive/1/262999
Reference: BUGTRAQ:20020322 Re: move_uploaded_file breaks safe_mode restrictions in PHP
Reference: URL:http://marc.theaimsgroup.com/?l=bugtraq&m=101683938806677&w=2
Reference: CONFIRM:http://bugs.php.net/bug.php?id=16128
Reference: XF:php-moveuploadedfile-create-files(8591)
Reference: URL:http://www.iss.net/security_center/static/8591.php
Reference: BID:4325
Reference: URL:http://www.securityfocus.com/bid/4325

move_uploaded_file in PHP does not does not check for the base
directory (open_basedir), which could allow remote attackers to upload
files to unintended locations on the system.

Analysis
----------------
ED_PRI CAN-2002-0484 1
Vendor Acknowledgement: yes followup

Voting Section
--------------
Possible votes: ACCEPT/MODIFY/NOOP/REVIEWING/RECAST/REJECT
If ACCEPT or MODIFY, include reason for acceptance:
  VERIFIED-BY-MY-ORG, ACKNOWLEDGED-BY-VENDOR, VERIFIED-BY-SOMEONE-I-TRUST,
  HAS-INDEPENDENT-CONFIRMATION, or provide other reason.

VOTE:
ACCEPT_REASON:

COMMENTS:

======================================================
Candidate: CAN-2002-0488
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2002-0488
Final-Decision:
Interim-Decision:
Modified:
Proposed: 20020611
Assigned: 20020607
Category: SF
Reference: BUGTRAQ:20020321 PHP script: Penguin Traceroute, Remote Command Execution
Reference: URL:http://www.securityfocus.com/archive/1/263285
Reference: CONFIRM:http://www.linux-directory.com/scripts/traceroute.pl
Reference: XF:penguin-traceroute-command-execution(8600)
Reference: URL:http://www.iss.net/security_center/static/8600.php
Reference: BID:4332
Reference: URL:http://www.securityfocus.com/bid/4332

Linux Directory Penguin traceroute.pl CGI script 1.0 allows remote
attackers to execute arbitrary code via shell metacharacters in the
host parameter.

Analysis
----------------
ED_PRI CAN-2002-0488 1
Vendor Acknowledgement: yes patch

ACKNOWLEDGEMENT: in the source code, the vendor cleanses the host
parameter, adding a comment dated 20020321 that says the line was
added.

Voting Section
--------------
Possible votes: ACCEPT/MODIFY/NOOP/REVIEWING/RECAST/REJECT
If ACCEPT or MODIFY, include reason for acceptance:
  VERIFIED-BY-MY-ORG, ACKNOWLEDGED-BY-VENDOR, VERIFIED-BY-SOMEONE-I-TRUST,
  HAS-INDEPENDENT-CONFIRMATION, or provide other reason.

VOTE:
ACCEPT_REASON:

COMMENTS:

======================================================
Candidate: CAN-2002-0061
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2002-0061
Final-Decision:
Interim-Decision:
Modified:
Proposed: 20020611
Assigned: 20020213
Category: SF
Reference: BUGTRAQ:20020321 Vulnerability in Apache for Win32 batch file processing - Remote command execution
Reference: URL:http://marc.theaimsgroup.com/?l=bugtraq&m=101674082427358&w=2
Reference: BUGTRAQ:20020325 Apache 1.3.24 Released! (fwd)
Reference: URL:http://online.securityfocus.com/archive/1/263927
Reference: XF:apache-dos-batch-command-execution(8589)
Reference: URL:http://www.iss.net/security_center/static/8589.php
Reference: BID:4335
Reference: URL:http://www.securityfocus.com/bid/4335

Apache for Win32 before 1.3.24, and 2.0.x before 2.0.34-beta, allows
remote attackers to execute arbitrary commands via shell
metacharacters (a | pipe character) provided as arguments to batch
(.bat) or .cmd scripts, which are sent unfiltered to the shell
interpreter, typically cmd.exe.

Analysis
----------------
ED_PRI CAN-2002-0061 2
Vendor Acknowledgement: yes advisory

Voting Section
--------------
Possible votes: ACCEPT/MODIFY/NOOP/REVIEWING/RECAST/REJECT
If ACCEPT or MODIFY, include reason for acceptance:
  VERIFIED-BY-MY-ORG, ACKNOWLEDGED-BY-VENDOR, VERIFIED-BY-SOMEONE-I-TRUST,
  HAS-INDEPENDENT-CONFIRMATION, or provide other reason.

VOTE:
ACCEPT_REASON:

COMMENTS:

======================================================
Candidate: CAN-2002-0463
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2002-0463
Final-Decision:
Interim-Decision:
Modified:
Proposed: 20020611
Assigned: 20020607
Category: SF
Reference: BUGTRAQ:20020319 Re: [ARL02-A07] ARSC Really Simple Chat System Information Path    Disclosure Vulnerability
Reference: URL:http://www.securityfocus.com/archive/1/262802
Reference: BUGTRAQ:20020316 [ARL02-A07] ARSC Really Simple Chat System Information Path Disclosure Vulnerability
Reference: URL:http://www.securityfocus.com/archive/1/262652
Reference: BID:4307
Reference: URL:http://www.securityfocus.com/bid/4307
Reference: XF:arsc-language-path-disclosure(8472)
Reference: URL:http://www.iss.net/security_center/static/8472.php

home.php in ARSC (Really Simple Chat) 1.0.1 and earlier allows remote
attackers to determine the full pathname of the web server via an
invalid language in the arsc_language parameter, which leaks the
pathname in an error message.

Analysis
----------------
ED_PRI CAN-2002-0463 2
Vendor Acknowledgement: yes followup

Voting Section
--------------
Possible votes: ACCEPT/MODIFY/NOOP/REVIEWING/RECAST/REJECT
If ACCEPT or MODIFY, include reason for acceptance:
  VERIFIED-BY-MY-ORG, ACKNOWLEDGED-BY-VENDOR, VERIFIED-BY-SOMEONE-I-TRUST,
  HAS-INDEPENDENT-CONFIRMATION, or provide other reason.

VOTE:
ACCEPT_REASON:

COMMENTS:

======================================================
Candidate: CAN-2002-0433
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2002-0433
Final-Decision:
Interim-Decision:
Modified:
Proposed: 20020611
Assigned: 20020607
Category: SF
Reference: BUGTRAQ:20020310 Pi3Web/2.0.0 File-Disclosure/Path Disclosure vuln
Reference: URL:http://online.securityfocus.com/archive/1/260734
Reference: XF:pi3web-asterisk-view-files(8429)
Reference: URL:http://www.iss.net/security_center/static/8429.php
Reference: BID:4262
Reference: URL:http://www.securityfocus.com/bid/4262

Pi3Web 2.0.0 allows remote attackers to view restricted files via an
HTTP request containing a "*" (wildcard or asterisk) character.

Analysis
----------------
ED_PRI CAN-2002-0433 3
Vendor Acknowledgement:

Voting Section
--------------
Possible votes: ACCEPT/MODIFY/NOOP/REVIEWING/RECAST/REJECT
If ACCEPT or MODIFY, include reason for acceptance:
  VERIFIED-BY-MY-ORG, ACKNOWLEDGED-BY-VENDOR, VERIFIED-BY-SOMEONE-I-TRUST,
  HAS-INDEPENDENT-CONFIRMATION, or provide other reason.

VOTE:
ACCEPT_REASON:

COMMENTS:

======================================================
Candidate: CAN-2002-0434
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2002-0434
Final-Decision:
Interim-Decision:
Modified:
Proposed: 20020611
Assigned: 20020607
Category: SF
Reference: BUGTRAQ:20020310 Marcus S. Xenakis "directory.php" allows arbitrary code execution
Reference: URL:http://www.securityfocus.com/archive/1/261512
Reference: BID:4278
Reference: URL:http://www.securityfocus.com/bid/4278
Reference: XF:xenakis-directory-execute-commands(8440)
Reference: URL:http://www.iss.net/security_center/static/8440.php

Marcus S. Xenakis directory.php script allows remote attackers to
execute arbitrary commands via shell metacharacters in the dir
parameter.

Analysis
----------------
ED_PRI CAN-2002-0434 3
Vendor Acknowledgement: no vendor-unknown
Content Decisions: INCLUSION

INCLUSION/ACKNOWLEDGEMENT: there does not seem to be any record of a
"Marcus S. Xenakis" or related software on the Web. Vendor
acknowledgement could not be determined because the vendor cannot even
be identified.

Voting Section
--------------
Possible votes: ACCEPT/MODIFY/NOOP/REVIEWING/RECAST/REJECT
If ACCEPT or MODIFY, include reason for acceptance:
  VERIFIED-BY-MY-ORG, ACKNOWLEDGED-BY-VENDOR, VERIFIED-BY-SOMEONE-I-TRUST,
  HAS-INDEPENDENT-CONFIRMATION, or provide other reason.

VOTE:
ACCEPT_REASON:

COMMENTS:

======================================================
Candidate: CAN-2002-0436
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2002-0436
Final-Decision:
Interim-Decision:
Modified:
Proposed: 20020611
Assigned: 20020607
Category: SF
Reference: BUGTRAQ:20020311 SunSolve CD cgi scripts...
Reference: URL:http://www.securityfocus.com/archive/1/261544
Reference: BID:4269
Reference: URL:http://www.securityfocus.com/bid/4269
Reference: XF:sunsolve-cd-command-execution(8435)
Reference: URL:http://www.iss.net/security_center/static/8435.php

sscd_suncourier.pl CGI script in the Sun Sunsolve CD pack allows
remote attackers to execute arbitrary commands via shell
metacharacters in the email address parameter.

Analysis
----------------
ED_PRI CAN-2002-0436 3
Vendor Acknowledgement:

Voting Section
--------------
Possible votes: ACCEPT/MODIFY/NOOP/REVIEWING/RECAST/REJECT
If ACCEPT or MODIFY, include reason for acceptance:
  VERIFIED-BY-MY-ORG, ACKNOWLEDGED-BY-VENDOR, VERIFIED-BY-SOMEONE-I-TRUST,
  HAS-INDEPENDENT-CONFIRMATION, or provide other reason.

VOTE:
ACCEPT_REASON:

COMMENTS:

======================================================
Candidate: CAN-2002-0438
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2002-0438
Final-Decision:
Interim-Decision:
Modified:
Proposed: 20020611
Assigned: 20020607
Category: SF
Reference: BUGTRAQ:20020311 ZyXEL ZyWALL10 DoS
Reference: URL:http://www.securityfocus.com/archive/1/261411
Reference: MISC:ftp://ftp.zyxel.com/public/zywall10/firmware/zywall10_V3.50(WA.2)C0_Standard.zip
Reference: XF:zyxel-zywall10-arp-dos(8436)
Reference: URL:http://www.iss.net/security_center/static/8436.php
Reference: BID:4272
Reference: URL:http://www.securityfocus.com/bid/4272
Reference: VULNWATCH:20020312 [VulnWatch] ZyXEL ZyWALL10 DoS
Reference: URL:http://archives.neohapsis.com/archives/vulnwatch/2002-q1/0067.html

ZyXEL ZyWALL 10 before 3.50 allows remote attackers to cause a denial
of service via an ARP packet with the firewall's IP address and an
incorrect MAC address, which causes the firewall to disable the LAN
interface.

Analysis
----------------
ED_PRI CAN-2002-0438 3
Vendor Acknowledgement: unknown vague

ACKNOWLEDGEMENT: There is no clear vendor acknowledgement on the web
site. In a firmware patch for 3.50(WA.2) release note, 350WA2C0.PDF,
there is a statement: "30. [BUG FIXED] IP Alias address cannot fake
MAC address in SMT2 and WEB." This is not clear enough to be certain
that it addresses the specified vulnerability.

Voting Section
--------------
Possible votes: ACCEPT/MODIFY/NOOP/REVIEWING/RECAST/REJECT
If ACCEPT or MODIFY, include reason for acceptance:
  VERIFIED-BY-MY-ORG, ACKNOWLEDGED-BY-VENDOR, VERIFIED-BY-SOMEONE-I-TRUST,
  HAS-INDEPENDENT-CONFIRMATION, or provide other reason.

VOTE:
ACCEPT_REASON:

COMMENTS:

======================================================
Candidate: CAN-2002-0439
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2002-0439
Final-Decision:
Interim-Decision:
Modified:
Proposed: 20020611
Assigned: 20020607
Category: SF
Reference: BUGTRAQ:20020311 CaupoShop: cross-site-scripting bug
Reference: URL:http://www.securityfocus.com/archive/1/261218
Reference: XF:cauposhop-user-info-css(8431)
Reference: URL:http://www.iss.net/security_center/static/8431.php
Reference: BID:4270
Reference: URL:http://www.securityfocus.com/bid/4270

Cross-site scripting vulnerability in CaupoShop 1.30a and earlier, and
possibly CaupoShopPro, allows remote attackers to execute arbitrary
Javascript and steal credit card numbers or delete items by injecting
the script into new customer information fields such as the message
field.

Analysis
----------------
ED_PRI CAN-2002-0439 3
Vendor Acknowledgement: unknown discloser-claimed
Content Decisions: SF-LOC

ACKNOWLEDGEMENT: vendor site is in German, cannot tell whether vendor
has acknowledged the issue or not.

Voting Section
--------------
Possible votes: ACCEPT/MODIFY/NOOP/REVIEWING/RECAST/REJECT
If ACCEPT or MODIFY, include reason for acceptance:
  VERIFIED-BY-MY-ORG, ACKNOWLEDGED-BY-VENDOR, VERIFIED-BY-SOMEONE-I-TRUST,
  HAS-INDEPENDENT-CONFIRMATION, or provide other reason.

VOTE:
ACCEPT_REASON:

COMMENTS:

======================================================
Candidate: CAN-2002-0440
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2002-0440
Final-Decision:
Interim-Decision:
Modified:
Proposed: 20020611
Assigned: 20020607
Category: SF
Reference: BUGTRAQ:20020311 VirusWall HTTP proxy content scanning circumvention
Reference: URL:http://www.securityfocus.com/archive/1/261083
Reference: BID:4265
Reference: URL:http://www.securityfocus.com/bid/4265

Trend Micro InterScan VirusWall HTTP proxy 3.6 with the "Skip scanning
if Content-length equals 0" option enabled allows malicious web
servers to bypass content scanning via a Content-length header set to
0, which is often ignored by HTTP clients.

Analysis
----------------
ED_PRI CAN-2002-0440 3
Vendor Acknowledgement: unknown discloser-claimed

Voting Section
--------------
Possible votes: ACCEPT/MODIFY/NOOP/REVIEWING/RECAST/REJECT
If ACCEPT or MODIFY, include reason for acceptance:
  VERIFIED-BY-MY-ORG, ACKNOWLEDGED-BY-VENDOR, VERIFIED-BY-SOMEONE-I-TRUST,
  HAS-INDEPENDENT-CONFIRMATION, or provide other reason.

VOTE:
ACCEPT_REASON:

COMMENTS:

======================================================
Candidate: CAN-2002-0445
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2002-0445
Final-Decision:
Interim-Decision:
Modified:
Proposed: 20020611
Assigned: 20020607
Category: SF
Reference: BUGTRAQ:20020312 [ARL02-A05] PHP FirstPost System Information Path Disclosure Vulnerability
Reference: URL:http://www.securityfocus.com/archive/1/261337
Reference: XF:phpfirstpost-path-disclosure(8434)
Reference: URL:http://www.iss.net/security_center/static/8434.php
Reference: BID:4274
Reference: URL:http://www.securityfocus.com/bid/4274

article.php in PHP FirstPost 0.1 allows allows remote attackers to
obtain the full pathname of the server via an invalid post number in
the post parameter, which leaks the pathname in an error message.

Analysis
----------------
ED_PRI CAN-2002-0445 3
Vendor Acknowledgement: unknown discloser-claimed

INCLUSION: CD:EX-BETA suggests that beta software should not be
included in CVE unless it is popular or in permanent beta. The home
page for PHP FirstPost implies that the product is in beta; however,
the discloser suggests that the developer has stopped maintaining the
code, so it could be argued that this software is in "permanent beta"
and should be included in CVE.

Voting Section
--------------
Possible votes: ACCEPT/MODIFY/NOOP/REVIEWING/RECAST/REJECT
If ACCEPT or MODIFY, include reason for acceptance:
  VERIFIED-BY-MY-ORG, ACKNOWLEDGED-BY-VENDOR, VERIFIED-BY-SOMEONE-I-TRUST,
  HAS-INDEPENDENT-CONFIRMATION, or provide other reason.

VOTE:
ACCEPT_REASON:

COMMENTS:

======================================================
Candidate: CAN-2002-0446
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2002-0446
Final-Decision:
Interim-Decision:
Modified:
Proposed: 20020611
Assigned: 20020607
Category: SF
Reference: BUGTRAQ:20020312 [ARL02-A06] Black Tie Project System Information Path Disclosure Vulnerability
Reference: URL:http://www.securityfocus.com/archive/1/261681
Reference: BID:4275
Reference: URL:http://www.securityfocus.com/bid/4275
Reference: XF:btp-cid-path-disclosure(8439)
Reference: URL:http://www.iss.net/security_center/static/8439.php

categorie.php3 in Black Tie Project (BTP) 0.4b through 0.5b allows
remote attackers to determine the absolute path of the web server via
an invalid category ID (cid) parameter, which leaks the pathname in an
error message.

Analysis
----------------
ED_PRI CAN-2002-0446 3
Vendor Acknowledgement: unknown discloser-claimed

Voting Section
--------------
Possible votes: ACCEPT/MODIFY/NOOP/REVIEWING/RECAST/REJECT
If ACCEPT or MODIFY, include reason for acceptance:
  VERIFIED-BY-MY-ORG, ACKNOWLEDGED-BY-VENDOR, VERIFIED-BY-SOMEONE-I-TRUST,
  HAS-INDEPENDENT-CONFIRMATION, or provide other reason.

VOTE:
ACCEPT_REASON:

COMMENTS:

======================================================
Candidate: CAN-2002-0452
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2002-0452
Final-Decision:
Interim-Decision:
Modified:
Proposed: 20020611
Assigned: 20020607
Category: SF
Reference: BUGTRAQ:20020313 Foundry Networks ServerIron don't decode URIs
Reference: URL:http://www.securityfocus.com/archive/1/261834
Reference: XF:foundry-serveriron-reveal-source(8459)
Reference: URL:http://www.iss.net/security_center/static/8459.php
Reference: BID:4286
Reference: URL:http://www.securityfocus.com/bid/4286

Foundry Networks ServerIron switches do not decode URIs when applying
"url-map" rules, which could make it easier for attackers to cause the
switch to forward traffic to a different server than intended and
exploit vulnerabilities that would otherwise be inaccessible.

Analysis
----------------
ED_PRI CAN-2002-0452 3
Vendor Acknowledgement: no disputed
Content Decisions: INCLUSION

INCLUSION: A followup post argues that this is not a vulnerability in
the ServerIron switch, as this behavior is entirely dependent on
whether the affected servers have a vulnerability related to encoding.
That alone still qualifies this issue as an exposure according to the
CVE definition; but if the switch's design is not expected to provide
protection against encoding attacks (just as an HTTP server isn't
expected to protect against packet fragmentation attacks), then maybe
this issue should not be included in CVE.

Voting Section
--------------
Possible votes: ACCEPT/MODIFY/NOOP/REVIEWING/RECAST/REJECT
If ACCEPT or MODIFY, include reason for acceptance:
  VERIFIED-BY-MY-ORG, ACKNOWLEDGED-BY-VENDOR, VERIFIED-BY-SOMEONE-I-TRUST,
  HAS-INDEPENDENT-CONFIRMATION, or provide other reason.

VOTE:
ACCEPT_REASON:

COMMENTS:

======================================================
Candidate: CAN-2002-0453
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2002-0453
Final-Decision:
Interim-Decision:
Modified:
Proposed: 20020611
Assigned: 20020607
Category: SF
Reference: BUGTRAQ:20020314 Account Lockout Vulnerability in Oblix NetPoint v5.2
Reference: URL:http://www.securityfocus.com/archive/1/262066
Reference: BID:4288
Reference: URL:http://www.securityfocus.com/bid/4288
Reference: XF:netpoint-account-lockout-bypass(8461)
Reference: URL:http://www.iss.net/security_center/static/8461.php

The account lockout capability in Oblix NetPoint 5.2 and earlier only
locks out users once for the specified lockout period, which makes it
easier for remote attackers to conduct brute force password guessing
by waiting until the lockout period ends, then guessing passwords
without being locked out again.

Analysis
----------------
ED_PRI CAN-2002-0453 3
Vendor Acknowledgement: unknown discloser-claimed

Voting Section
--------------
Possible votes: ACCEPT/MODIFY/NOOP/REVIEWING/RECAST/REJECT
If ACCEPT or MODIFY, include reason for acceptance:
  VERIFIED-BY-MY-ORG, ACKNOWLEDGED-BY-VENDOR, VERIFIED-BY-SOMEONE-I-TRUST,
  HAS-INDEPENDENT-CONFIRMATION, or provide other reason.

VOTE:
ACCEPT_REASON:

COMMENTS:

======================================================
Candidate: CAN-2002-0455
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2002-0455
Final-Decision:
Interim-Decision:
Modified:
Proposed: 20020611
Assigned: 20020607
Category: SF
Reference: BUGTRAQ:20020315 MSIE vulnerability exploitable with IncrediMail
Reference: URL:http://www.securityfocus.com/archive/1/262262
Reference: BID:4297
Reference: URL:http://www.securityfocus.com/bid/4297
Reference: XF:incredimail-insecure-attachment-directory(8460)
Reference: URL:http://www.iss.net/security_center/static/8460.php

IncrediMail stores attachments in a directory with a fixed name, which
could make it easier for attackers to exploit vulnerabilities in other
software that rely on installing and reading files from directories
with known pathnames.

Analysis
----------------
ED_PRI CAN-2002-0455 3
Vendor Acknowledgement:
Content Decisions: INCLUSION

INCLUSION: technically, this issue is an exposure; it makes other
attacks easier. However, so much software uses standard directory
names that there is a question of scale here. Should all software that
uses a standard directory name be included in CVE?

Voting Section
--------------
Possible votes: ACCEPT/MODIFY/NOOP/REVIEWING/RECAST/REJECT
If ACCEPT or MODIFY, include reason for acceptance:
  VERIFIED-BY-MY-ORG, ACKNOWLEDGED-BY-VENDOR, VERIFIED-BY-SOMEONE-I-TRUST,
  HAS-INDEPENDENT-CONFIRMATION, or provide other reason.

VOTE:
ACCEPT_REASON:

COMMENTS:

======================================================
Candidate: CAN-2002-0456
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2002-0456
Final-Decision:
Interim-Decision:
Modified:
Proposed: 20020611
Assigned: 20020607
Category: SF
Reference: BUGTRAQ:20020315 RE: MSIE vulnerability exploitable with IncrediMail
Reference: URL:http://marc.theaimsgroup.com/?l=bugtraq&m=101622857703677&w=2
Reference: BUGTRAQ:20020316 MSIE vulnerability exploitable with Eudora (was: IncrediMail)
Reference: URL:http://www.securityfocus.com/archive/1/262704
Reference: BID:4306
Reference: URL:http://www.securityfocus.com/bid/4306
Reference: XF:eudora-insecure-attachment-directory(8487)
Reference: URL:http://www.iss.net/security_center/static/8487.php

Eudora 5.1 and earlier versions stores attachments in a directory with
a fixed name, which could make it easier for attackers to exploit
vulnerabilities in other software that rely on installing and reading
files from directories with known pathnames.

Analysis
----------------
ED_PRI CAN-2002-0456 3
Vendor Acknowledgement:
Content Decisions: INCLUSION

INCLUSION: technically, this issue is an exposure; it makes other
attacks easier. However, so much software uses standard directory
names that there is a question of scale here. Should all software that
uses a standard directory name be included in CVE?

Voting Section
--------------
Possible votes: ACCEPT/MODIFY/NOOP/REVIEWING/RECAST/REJECT
If ACCEPT or MODIFY, include reason for acceptance:
  VERIFIED-BY-MY-ORG, ACKNOWLEDGED-BY-VENDOR, VERIFIED-BY-SOMEONE-I-TRUST,
  HAS-INDEPENDENT-CONFIRMATION, or provide other reason.

VOTE:
ACCEPT_REASON:

COMMENTS:

======================================================
Candidate: CAN-2002-0457
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2002-0457
Final-Decision:
Interim-Decision:
Modified:
Proposed: 20020611
Assigned: 20020607
Category: SF
Reference: BUGTRAQ:20020316 [ARL02-A08] BG Guestbook Cross Site Scripting Vulnerability
Reference: URL:http://www.securityfocus.com/archive/1/262693
Reference: BID:4308
Reference: URL:http://www.securityfocus.com/bid/4308
Reference: XF:bgguestbook-post-css(8474)
Reference: URL:http://www.iss.net/security_center/static/8474.php

Cross-site scripting vulnerability in signgbook.php for BG GuestBook
1.0 allows remote attackers to execute arbitrary Javascript via
encoded tags such as <, >, and & in fields such as (1) name,
(2) email, (3) AIM screen name, (4) website, (5) location, or (6)
message.

Analysis
----------------
ED_PRI CAN-2002-0457 3
Vendor Acknowledgement: unknown discloser-claimed

ACKNOWLEDGEMENT: the vendor web site is not available to verify
acknowledgement.

Voting Section
--------------
Possible votes: ACCEPT/MODIFY/NOOP/REVIEWING/RECAST/REJECT
If ACCEPT or MODIFY, include reason for acceptance:
  VERIFIED-BY-MY-ORG, ACKNOWLEDGED-BY-VENDOR, VERIFIED-BY-SOMEONE-I-TRUST,
  HAS-INDEPENDENT-CONFIRMATION, or provide other reason.

VOTE:
ACCEPT_REASON:

COMMENTS:

======================================================
Candidate: CAN-2002-0458
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2002-0458
Final-Decision:
Interim-Decision:
Modified:
Proposed: 20020611
Assigned: 20020607
Category: SF
Reference: BUGTRAQ:20020316 [ARL02-A10] News-TNK Cross Site Scripting Vulnerability
Reference: URL:http://archives.neohapsis.com/archives/bugtraq/2002-03/0206.html
Reference: CONFIRM:http://translate.google.com/translate?u=http%3A%2F%2Fwww.linux-sottises.net%2Findex.php%3Fnews_init%3D13%23newstag&langpair=fr%7Cen&hl=en&ie=UTF8&oe=UTF8&prev=%2Flanguage_tools
Reference: XF:newstnk-web-css(8477)
Reference: URL:http://www.iss.net/security_center/static/8477.php

Cross-site scripting vulnerability in News-TNK 1.2.1 and earlier
allows remote attackers to execute arbitrary Javascript via the WEB
parameter.

Analysis
----------------
ED_PRI CAN-2002-0458 3
Vendor Acknowledgement: yes
Content Decisions: SF-CODEBASE

ABSTRACTION: CD:SF-CODEBASE suggests that if two packages from the
same vendor have the same vulnerability, but the packages are
separately available and the problem is not in a library, then
separate candidates should be created. Therefore, Board-TNK and
News-TNK should receive separate identifiers.
ACKNOWLEDGEMENT: while the original vendor web site is in French, an
automatic translation makes it pretty clear. An item dated March 16,
2002, says "The same vulnerability [as the CSS problem in Board-TNK]
is also resent in news-tnk."

Voting Section
--------------
Possible votes: ACCEPT/MODIFY/NOOP/REVIEWING/RECAST/REJECT
If ACCEPT or MODIFY, include reason for acceptance:
  VERIFIED-BY-MY-ORG, ACKNOWLEDGED-BY-VENDOR, VERIFIED-BY-SOMEONE-I-TRUST,
  HAS-INDEPENDENT-CONFIRMATION, or provide other reason.

VOTE:
ACCEPT_REASON:

COMMENTS:

======================================================
Candidate: CAN-2002-0459
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2002-0459
Final-Decision:
Interim-Decision:
Modified:
Proposed: 20020611
Assigned: 20020607
Category: SF
Reference: BUGTRAQ:20020316 [ARL02-A09] Board-TNK Cross Site Scripting Vulnerability
Reference: URL:http://www.securityfocus.com/archive/1/262694
Reference: CONFIRM:http://translate.google.com/translate?u=http%3A%2F%2Fwww.linux-sottises.net%2Findex.php%3Fnews_init%3D13%23newstag&langpair=fr%7Cen&hl=en&ie=UTF8&oe=UTF8&prev=%2Flanguage_tools
Reference: BID:4305
Reference: URL:http://www.securityfocus.com/bid/4305
Reference: XF:boardtnk-web-css(8475)
Reference: URL:http://www.iss.net/security_center/static/8475.php

Cross-site scripting vulnerability in Board-TNK 1.3.1 and earlier
allows remote attackers to execute arbitrary Javascript via the WEB
parameter.

Analysis
----------------
ED_PRI CAN-2002-0459 3
Vendor Acknowledgement: yes
Content Decisions: SF-CODEBASE

ABSTRACTION: CD:SF-CODEBASE suggests that if two packages from the
same vendor have the same vulnerability, but the packages are
separately available and the problem is not in a library, then
separate candidates should be created. Therefore, Board-TNK and
News-TNK should receive separate identifiers. ACKNOWLEDGEMENT: while
the original vendor web site is in French, an automatic translation
makes it pretty clear. An item dated March 15, 2002, mentions a
"Vulnerability of 'cross-country race site scripting' discovered by
Ahmet Sabri ALPER"

Voting Section
--------------
Possible votes: ACCEPT/MODIFY/NOOP/REVIEWING/RECAST/REJECT
If ACCEPT or MODIFY, include reason for acceptance:
  VERIFIED-BY-MY-ORG, ACKNOWLEDGED-BY-VENDOR, VERIFIED-BY-SOMEONE-I-TRUST,
  HAS-INDEPENDENT-CONFIRMATION, or provide other reason.

VOTE:
ACCEPT_REASON:

COMMENTS:

======================================================
Candidate: CAN-2002-0460
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2002-0460
Final-Decision:
Interim-Decision:
Modified:
Proposed: 20020611
Assigned: 20020607
Category: SF
Reference: BUGTRAQ:20020318 KPMG-2002005: BitVise WinSSH Denial of Service
Reference: URL:http://online.securityfocus.com/archive/1/262681
Reference: BID:4300
Reference: URL:http://www.securityfocus.com/bid/4300
Reference: XF:winsshd-incomplete-connection-dos(8470)
Reference: URL:http://www.iss.net/security_center/static/8470.php
Reference: VULNWATCH:20020318 [VulnWatch] KPMG-2002005: BitVise WinSSH Denial of Service
Reference: URL:http://archives.neohapsis.com/archives/vulnwatch/2002-q1/0068.html

Bitvise WinSSHD before 2002-03-16 allows remote attackers to cause a
denial of service (resource exhaustion) via a large number of
incomplete connections that are not properly terminated, which are not
properly freed by SSHd.

Analysis
----------------
ED_PRI CAN-2002-0460 3
Vendor Acknowledgement: unknown discloser-claimed

Voting Section
--------------
Possible votes: ACCEPT/MODIFY/NOOP/REVIEWING/RECAST/REJECT
If ACCEPT or MODIFY, include reason for acceptance:
  VERIFIED-BY-MY-ORG, ACKNOWLEDGED-BY-VENDOR, VERIFIED-BY-SOMEONE-I-TRUST,
  HAS-INDEPENDENT-CONFIRMATION, or provide other reason.

VOTE:
ACCEPT_REASON:

COMMENTS:

======================================================
Candidate: CAN-2002-0461
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2002-0461
Final-Decision:
Interim-Decision:
Modified:
Proposed: 20020611
Assigned: 20020607
Category: SF
Reference: BUGTRAQ:20020318 Javascript loop causes IE to crash
Reference: URL:http://online.securityfocus.com/archive/1/262994
Reference: BID:4322
Reference: URL:http://www.securityfocus.com/bid/4322
Reference: XF:ie-javascript-dos(8488)
Reference: URL:http://www.iss.net/security_center/static/8488.php

Internet Explorer 5.01 through 6 allows remote attackers to cause a
denial of service (application crash) via Javascript in a web page
that calls location.replace on itself, causing a loop.

Analysis
----------------
ED_PRI CAN-2002-0461 3
Vendor Acknowledgement:
Content Decisions: EX-CLIENT-DOS

INCLUSION: CD:EX-CLIENT-DOS suggests that a client-side denial of
service whose scope is limited to the client, and which can be fixed
by restarting the client, should not be included in CVE. So, perhaps
this issue should not be included.

Voting Section
--------------
Possible votes: ACCEPT/MODIFY/NOOP/REVIEWING/RECAST/REJECT
If ACCEPT or MODIFY, include reason for acceptance:
  VERIFIED-BY-MY-ORG, ACKNOWLEDGED-BY-VENDOR, VERIFIED-BY-SOMEONE-I-TRUST,
  HAS-INDEPENDENT-CONFIRMATION, or provide other reason.

VOTE:
ACCEPT_REASON:

COMMENTS:

======================================================
Candidate: CAN-2002-0465
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2002-0465
Final-Decision:
Interim-Decision:
Modified:
Proposed: 20020611
Assigned: 20020607
Category: SF
Reference: BUGTRAQ:20020105 Hosting Controller's - Multiple Security Vulnerabilities
Reference: URL:http://archives.neohapsis.com/archives/bugtraq/2002-01/0039.html
Reference: CONFIRM:http://www.hostingcontroller.com/english/patches/ForAll/download/foldersecurity.zip
Reference: XF:hosting-controller-dot-directory-traversal(7824)
Reference: URL:http://xforce.iss.net/static/7824.php
Reference: BID:3811
Reference: URL:http://www.securityfocus.com/bid/3811

Directory traversal vulnerability in filemanager.asp for Hosting
Controller 1.4.1 and earlier allows remote attackers to read and
modify arbitrary files, and execute commands, via a .. (dot dot) in
the OpenPath parameter.

Analysis
----------------
ED_PRI CAN-2002-0465 3
Vendor Acknowledgement: yes changelog
Content Decisions: SF-LOC

ACKNOWLEDGEMENT: the readme.txt file in a patch labeled "Folder
Security Hot Fix," dated January 1, 2002, includes verbatim copies of
sections from the Bugtraq post.
ABSTRACTION: Although other directory traversal vulnerabilities were
discovered shortly after this one (March 2002), CD:SF-LOC suggests
keeping separate CVE items for them because separate patches were
produced.

Voting Section
--------------
Possible votes: ACCEPT/MODIFY/NOOP/REVIEWING/RECAST/REJECT
If ACCEPT or MODIFY, include reason for acceptance:
  VERIFIED-BY-MY-ORG, ACKNOWLEDGED-BY-VENDOR, VERIFIED-BY-SOMEONE-I-TRUST,
  HAS-INDEPENDENT-CONFIRMATION, or provide other reason.

VOTE:
ACCEPT_REASON:

COMMENTS:

======================================================
Candidate: CAN-2002-0466
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2002-0466
Final-Decision:
Interim-Decision:
Modified:
Proposed: 20020611
Assigned: 20020607
Category: SF
Reference: BUGTRAQ:20020105 Hosting Controller's - Multiple Security Vulnerabilities
Reference: URL:http://archives.neohapsis.com/archives/bugtraq/2002-01/0039.html
Reference: CONFIRM:http://www.hostingcontroller.com/english/patches/ForAll/download/foldersecurity.zip
Reference: XF:hosting-controller-directory-browsing(7823)
Reference: URL:http://xforce.iss.net/static/7823.php
Reference: BID:3808
Reference: URL:http://www.securityfocus.com/bid/3808

Hosting Controller 1.4.1 and earlier allows remote attackers to browse
arbitrary directories via a full C: style pathname in the filepath
arguments to (1) Statsbrowse.asp, (2) servubrowse.asp, (3)
browsedisk.asp, (4) browsewebalizerexe.asp, or (5) sqlbrowse.asp.

Analysis
----------------
ED_PRI CAN-2002-0466 3
Vendor Acknowledgement: yes changelog
Content Decisions: SF-LOC

ACKNOWLEDGEMENT: the readme.txt file in a patch labeled "Folder
Security Hot Fix," dated January 1, 2002, includes verbatim copies of
sections from the Bugtraq post.

Voting Section
--------------
Possible votes: ACCEPT/MODIFY/NOOP/REVIEWING/RECAST/REJECT
If ACCEPT or MODIFY, include reason for acceptance:
  VERIFIED-BY-MY-ORG, ACKNOWLEDGED-BY-VENDOR, VERIFIED-BY-SOMEONE-I-TRUST,
  HAS-INDEPENDENT-CONFIRMATION, or provide other reason.

VOTE:
ACCEPT_REASON:

COMMENTS:

======================================================
Candidate: CAN-2002-0467
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2002-0467
Final-Decision:
Interim-Decision:
Modified:
Proposed: 20020611
Assigned: 20020607
Category: SF
Reference: BUGTRAQ:20020310 Ecartis/Listar multiple vulnerabilities
Reference: URL:http://www.securityfocus.com/archive/1/261209
Reference: DEBIAN:DSA-123
Reference: URL:http://www.debian.org/security/2002/dsa-123
Reference: CONFIRM:http://www.ecartis.org/
Reference: XF:ecartis-mystring-bo(8284)
Reference: URL:http://www.iss.net/security_center/static/8284.php
Reference: BID:4176
Reference: URL:http://www.securityfocus.com/bid/4176
Reference: VULNWATCH:20020311 [VulnWatch] Ecartis/Listar multiple vulnerabilities
Reference: URL:http://archives.neohapsis.com/archives/vulnwatch/2002-q1/0063.html

Buffer overflows in Ecartis (formerly Listar) 1.0.0 before snapshot
20020125 allows remote attackers to execute arbitrary code via (1)
address_match() of mystring.c or (2) other functions in tolist.c.

Analysis
----------------
ED_PRI CAN-2002-0467 3
Vendor Acknowledgement: yes changelog
Content Decisions: SF-LOC

ACKNOWLEDGEMENT: in the vendor changelog entry dated [01/09/2002], the
vendor says "funkysh@kris.top.pl [the discloser] reported a security
flaw/buffer overflow in mystring.c... [and] fixed same issues in
tolist.c"

Voting Section
--------------
Possible votes: ACCEPT/MODIFY/NOOP/REVIEWING/RECAST/REJECT
If ACCEPT or MODIFY, include reason for acceptance:
  VERIFIED-BY-MY-ORG, ACKNOWLEDGED-BY-VENDOR, VERIFIED-BY-SOMEONE-I-TRUST,
  HAS-INDEPENDENT-CONFIRMATION, or provide other reason.

VOTE:
ACCEPT_REASON:

COMMENTS:

======================================================
Candidate: CAN-2002-0468
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2002-0468
Final-Decision:
Interim-Decision:
Modified:
Proposed: 20020611
Assigned: 20020607
Category: SF
Reference: BUGTRAQ:20020427 Response to KF about Listar/Ecartis Vulnerability
Reference: URL:http://online.securityfocus.com/archive/1/269879
Reference: VULN-DEV:20020227 listar / ecaris remote or local?
Reference: URL:http://online.securityfocus.com/archive/82/258763
Reference: BUGTRAQ:20020425 ecartis / listar PoC
Reference: URL:http://online.securityfocus.com/archive/1/269658
Reference: BUGTRAQ:20020310 Ecartis/Listar multiple vulnerabilities
Reference: URL:http://www.securityfocus.com/archive/1/261209
Reference: CONFIRM:http://www.ecartis.org/
Reference: MISC:http://marc.theaimsgroup.com/?l=listar-support&m=101590272221720&w=2
Reference: BID:4271
Reference: URL:http://www.securityfocus.com/bid/4271
Reference: XF:ecartis-local-bo(8445)
Reference: URL:http://www.iss.net/security_center/static/8445.php

Buffer overflows in Ecartis (formerly Listar) 1.0.0 in snapshot
20020427 and earlier allow local users to gain privileges via (1) a
long command line argument, which is not properly handled in core.c,
or possibly via bad uses of sprintf() in (2) moderate.c, (3) lcgi.c,
(4) fileapi.c, (5) cookie.c, (6) codes.c, or other files.

Analysis
----------------
ED_PRI CAN-2002-0468 3
Vendor Acknowledgement: yes changelog
Content Decisions: SF-LOC, VAGUE

ACCURACY: the lack of specific details makes it difficult to know
which of the local sprintf() vulnerabilities are exploitable, as the
only exploit was coded for an issue in core.c, and the vendor did a
series of massive replacements of sprintf with a safer
"buffer_printf()" call, which affected many files. It seems likely
that at least some of the sprintf calls were not exploitable.

Voting Section
--------------
Possible votes: ACCEPT/MODIFY/NOOP/REVIEWING/RECAST/REJECT
If ACCEPT or MODIFY, include reason for acceptance:
  VERIFIED-BY-MY-ORG, ACKNOWLEDGED-BY-VENDOR, VERIFIED-BY-SOMEONE-I-TRUST,
  HAS-INDEPENDENT-CONFIRMATION, or provide other reason.

VOTE:
ACCEPT_REASON:

COMMENTS:

======================================================
Candidate: CAN-2002-0469
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2002-0469
Final-Decision:
Interim-Decision:
Modified:
Proposed: 20020611
Assigned: 20020607
Category: SF
Reference: BUGTRAQ:20020310 Ecartis/Listar multiple vulnerabilities
Reference: URL:http://www.securityfocus.com/archive/1/261209
Reference: BID:4277
Reference: URL:http://www.securityfocus.com/bid/4277
Reference: XF:ecartis-root-privileges(8444)
Reference: URL:http://www.iss.net/security_center/static/8444.php
Reference: VULNWATCH:20020311 [VulnWatch] Ecartis/Listar multiple vulnerabilities
Reference: URL:http://archives.neohapsis.com/archives/vulnwatch/2002-q1/0063.html

Ecartis (formerly Listar) 1.0.0 in snapshot 20020125 and earlier does
not properly drop privileges when Ecartis is installed setuid-root,
"lock-to-user" is not set, and ecartis is called by certain MTA's,
which could allow local users to gain privileges.

Analysis
----------------
ED_PRI CAN-2002-0469 3
Vendor Acknowledgement:
Content Decisions: SF-LOC, VAGUE

INCLUSION: the discloser does not provide any scenarios under which
the raised privileges might pose a threat.

Voting Section
--------------
Possible votes: ACCEPT/MODIFY/NOOP/REVIEWING/RECAST/REJECT
If ACCEPT or MODIFY, include reason for acceptance:
  VERIFIED-BY-MY-ORG, ACKNOWLEDGED-BY-VENDOR, VERIFIED-BY-SOMEONE-I-TRUST,
  HAS-INDEPENDENT-CONFIRMATION, or provide other reason.

VOTE:
ACCEPT_REASON:

COMMENTS:

======================================================
Candidate: CAN-2002-0470
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2002-0470
Final-Decision:
Interim-Decision:
Modified:
Proposed: 20020611
Assigned: 20020607
Category: SF
Reference: BUGTRAQ:20020318 PHP Net Toolpack: input validation error
Reference: URL:http://www.securityfocus.com/archive/1/262594
Reference: BID:4304
Reference: URL:http://www.securityfocus.com/bid/4304
Reference: XF:phpnettoolpack-traceroute-insecure-path(8484)
Reference: URL:http://www.iss.net/security_center/static/8484.php

PHPNetToolpack 0.1 relies on its environment's PATH to find and
execute the traceroute program, which could allow local users to gain
privileges by inserting a Trojan horse program into the search path.

Analysis
----------------
ED_PRI CAN-2002-0470 3
Vendor Acknowledgement:
Content Decisions: SF-LOC

Voting Section
--------------
Possible votes: ACCEPT/MODIFY/NOOP/REVIEWING/RECAST/REJECT
If ACCEPT or MODIFY, include reason for acceptance:
  VERIFIED-BY-MY-ORG, ACKNOWLEDGED-BY-VENDOR, VERIFIED-BY-SOMEONE-I-TRUST,
  HAS-INDEPENDENT-CONFIRMATION, or provide other reason.

VOTE:
ACCEPT_REASON:

COMMENTS:

======================================================
Candidate: CAN-2002-0471
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2002-0471
Final-Decision:
Interim-Decision:
Modified:
Proposed: 20020611
Assigned: 20020607
Category: SF
Reference: BUGTRAQ:20020318 PHP Net Toolpack: input validation error
Reference: URL:http://www.securityfocus.com/archive/1/262594
Reference: BID:4303
Reference: URL:http://www.securityfocus.com/bid/4303
Reference: XF:phpnettoolpack-traceroute-command-execution(8482)
Reference: URL:http://www.iss.net/security_center/static/8482.php

PHPNetToolpack 0.1 allows remote attackers to execute arbitrary code
via shell metacharacters in the a_query variable.

Analysis
----------------
ED_PRI CAN-2002-0471 3
Vendor Acknowledgement:
Content Decisions: SF-LOC

Voting Section
--------------
Possible votes: ACCEPT/MODIFY/NOOP/REVIEWING/RECAST/REJECT
If ACCEPT or MODIFY, include reason for acceptance:
  VERIFIED-BY-MY-ORG, ACKNOWLEDGED-BY-VENDOR, VERIFIED-BY-SOMEONE-I-TRUST,
  HAS-INDEPENDENT-CONFIRMATION, or provide other reason.

VOTE:
ACCEPT_REASON:

COMMENTS:

======================================================
Candidate: CAN-2002-0472
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2002-0472
Final-Decision:
Interim-Decision:
Modified:
Proposed: 20020611
Assigned: 20020607
Category: SF
Reference: BUGTRAQ:20020319 Potential vulnerabilities of the Microsoft RVP-based Instant Messaging
Reference: URL:http://www.securityfocus.com/archive/1/262906
Reference: MISC:http://www.encode-sec.com/esp0202.pdf
Reference: BID:4316
Reference: URL:http://www.securityfocus.com/bid/4316
Reference: XF:msn-messenger-message-spoofing(8582)
Reference: URL:http://www.iss.net/security_center/static/8582.php

MSN Messenger Service 3.6, and possibly other versions, uses weak
authentication when exchanging messages between clients, which allows
remote attackers to spoof messages from other users.

Analysis
----------------
ED_PRI CAN-2002-0472 3
Vendor Acknowledgement:

Voting Section
--------------
Possible votes: ACCEPT/MODIFY/NOOP/REVIEWING/RECAST/REJECT
If ACCEPT or MODIFY, include reason for acceptance:
  VERIFIED-BY-MY-ORG, ACKNOWLEDGED-BY-VENDOR, VERIFIED-BY-SOMEONE-I-TRUST,
  HAS-INDEPENDENT-CONFIRMATION, or provide other reason.

VOTE:
ACCEPT_REASON:

COMMENTS:

======================================================
Candidate: CAN-2002-0478
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2002-0478
Final-Decision:
Interim-Decision:
Modified:
Proposed: 20020611
Assigned: 20020607
Category: CF
Reference: BUGTRAQ:20020320 Default SNMP configuration issue with Foundry Networks EdgeIron 4802F
Reference: URL:http://marc.theaimsgroup.com/?l=bugtraq&m=101666425609914&w=2
Reference: XF:edgelron-default-snmp-string(8592)
Reference: URL:http://www.iss.net/security_center/static/8592.php
Reference: BID:4330
Reference: URL:http://www.securityfocus.com/bid/4330

The default configuration of Foundry Networks EdgeIron 4802F allows
remote attackers to modify sensitive information via arbitrary SNMP
community strings.

Analysis
----------------
ED_PRI CAN-2002-0478 3
Vendor Acknowledgement:

Voting Section
--------------
Possible votes: ACCEPT/MODIFY/NOOP/REVIEWING/RECAST/REJECT
If ACCEPT or MODIFY, include reason for acceptance:
  VERIFIED-BY-MY-ORG, ACKNOWLEDGED-BY-VENDOR, VERIFIED-BY-SOMEONE-I-TRUST,
  HAS-INDEPENDENT-CONFIRMATION, or provide other reason.

VOTE:
ACCEPT_REASON:

COMMENTS:

======================================================
Candidate: CAN-2002-0479
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2002-0479
Final-Decision:
Interim-Decision:
Modified:
Proposed: 20020611
Assigned: 20020607
Category: SF
Reference: BUGTRAQ:20020320 Gravity Storm Service Pack Manager 2000 Share Vulnerability
Reference: URL:http://archives.neohapsis.com/archives/bugtraq/2002-03/0284.html
Reference: XF:sp-manager-insecure-directories(8607)
Reference: URL:http://www.iss.net/security_center/static/8607.php
Reference: BID:4347
Reference: URL:http://www.securityfocus.com/bid/4347

Gravity Storm Service Pack Manager 2000 creates a hidden share
(SPM2000c$) mapped to the C drive, which may allow local users to
bypass access restrictions on certain directories in the C drive, such
as system32, by accessing them through the hidden share.

Analysis
----------------
ED_PRI CAN-2002-0479 3
Vendor Acknowledgement: unknown discloser-claimed

Voting Section
--------------
Possible votes: ACCEPT/MODIFY/NOOP/REVIEWING/RECAST/REJECT
If ACCEPT or MODIFY, include reason for acceptance:
  VERIFIED-BY-MY-ORG, ACKNOWLEDGED-BY-VENDOR, VERIFIED-BY-SOMEONE-I-TRUST,
  HAS-INDEPENDENT-CONFIRMATION, or provide other reason.

VOTE:
ACCEPT_REASON:

COMMENTS:

======================================================
Candidate: CAN-2002-0480
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2002-0480
Final-Decision:
Interim-Decision:
Modified:
Proposed: 20020611
Assigned: 20020607
Category: CF
Reference: BUGTRAQ:20020320 NMRC Advisory - KeyManager Issue in ISS RealSecure on Nokia Appliances
Reference: URL:http://marc.theaimsgroup.com/?l=bugtraq&m=101666833321138&w=2
Reference: BUGTRAQ:20020322 RE: NMRC Advisory: RealSecure KeyManager Issue - Further Explanation
Reference: URL:http://marc.theaimsgroup.com/?l=bugtraq&m=101684141308876&w=2
Reference: BUGTRAQ:20020321 RE: [VulnWatch] NMRC Advisory - KeyManager Issue in ISS RealSecure on Nokia Appliances
Reference: URL:http://marc.theaimsgroup.com/?l=bugtraq&m=101675086010051&w=2
Reference: BID:4331
Reference: URL:http://online.securityfocus.com/bid/4331

ISS RealSecure for Nokia devices before IPSO build 6.0.2001.141d is
configured to allow a user "skank" on a machine "starscream" to become
a key manager when the "first time connection" feature is enabled and
before any legitimate administrators have connected, which could allow
remote attackers to gain access to the device during installation.

Analysis
----------------
ED_PRI CAN-2002-0480 3
Vendor Acknowledgement: yes followup
Content Decisions: INCLUSION

INCLUSION: there is some disagreement between the researcher and the
vendor regarding whether this issue can be exploited or not. The
vendor states that the issue requires root privileges on the sensor
itself to exploit, in which case the attacker gains no additional
privileges by attacking RealSecure. However, the discloser stated that
connections could be made from a remote console without having root
privileges on the sensor.

Voting Section
--------------
Possible votes: ACCEPT/MODIFY/NOOP/REVIEWING/RECAST/REJECT
If ACCEPT or MODIFY, include reason for acceptance:
  VERIFIED-BY-MY-ORG, ACKNOWLEDGED-BY-VENDOR, VERIFIED-BY-SOMEONE-I-TRUST,
  HAS-INDEPENDENT-CONFIRMATION, or provide other reason.

VOTE:
ACCEPT_REASON:

COMMENTS:

======================================================
Candidate: CAN-2002-0481
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2002-0481
Final-Decision:
Interim-Decision:
Modified:
Proposed: 20020611
Assigned: 20020607
Category: SF
Reference: BUGTRAQ:20020321 How Outlook 2002 can still execute JavaScript in an HTML email message
Reference: URL:http://online.securityfocus.com/archive/1/263429
Reference: BID:4340
Reference: URL:http://www.securityfocus.com/bid/4340
Reference: XF:outlook-iframe-javascript(8604)
Reference: URL:http://www.iss.net/security_center/static/8604.php

An interaction between Windows Media Player (WMP) and Outlook 2002
allows remote attackers to bypass Outlook security settings and
execute Javascript via an IFRAME in an HTML email message that
references .WMS (Windows Media Skin) or other WMP media files, whose
onload handlers execute the player.LaunchURL() Javascript function.

Analysis
----------------
ED_PRI CAN-2002-0481 3
Vendor Acknowledgement:

Voting Section
--------------
Possible votes: ACCEPT/MODIFY/NOOP/REVIEWING/RECAST/REJECT
If ACCEPT or MODIFY, include reason for acceptance:
  VERIFIED-BY-MY-ORG, ACKNOWLEDGED-BY-VENDOR, VERIFIED-BY-SOMEONE-I-TRUST,
  HAS-INDEPENDENT-CONFIRMATION, or provide other reason.

VOTE:
ACCEPT_REASON:

COMMENTS:

======================================================
Candidate: CAN-2002-0483
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2002-0483
Final-Decision:
Interim-Decision:
Modified:
Proposed: 20020611
Assigned: 20020607
Category: SF
Reference: BUGTRAQ:20020320 Fw: PHPNuke 5.4 Path Disclosure Vulnerability?
Reference: URL:http://online.securityfocus.com/archive/1/263337
Reference: BID:4333
Reference: URL:http://www.securityfocus.com/bid/4333
Reference: XF:phpnuke-index-path-disclosure(8618)
Reference: URL:http://www.iss.net/security_center/static/8618.php

index.php for PHP-Nuke 5.4 and earlier allows remote attackers to
determine the physical pathname of the web server when the file
parameter is set to index.php, which triggers an error message that
leaks the pathname.

Analysis
----------------
ED_PRI CAN-2002-0483 3
Vendor Acknowledgement:

Voting Section
--------------
Possible votes: ACCEPT/MODIFY/NOOP/REVIEWING/RECAST/REJECT
If ACCEPT or MODIFY, include reason for acceptance:
  VERIFIED-BY-MY-ORG, ACKNOWLEDGED-BY-VENDOR, VERIFIED-BY-SOMEONE-I-TRUST,
  HAS-INDEPENDENT-CONFIRMATION, or provide other reason.

VOTE:
ACCEPT_REASON:

COMMENTS:

======================================================
Candidate: CAN-2002-0489
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2002-0489
Final-Decision:
Interim-Decision:
Modified:
Proposed: 20020611
Assigned: 20020607
Category: SF
Reference: BUGTRAQ:20020322 Re: PHP script: Penguin Traceroute, Remote Command Execution
Reference: URL:http://marc.theaimsgroup.com/?l=bugtraq&m=101684215209558&w=2
Reference: XF:penguin-nslookup-command-execution(8601)
Reference: URL:http://www.iss.net/security_center/static/8601.php
Reference: BID:4353
Reference: URL:http://www.securityfocus.com/bid/4353

Linux Directory Penguin NsLookup CGI script (nslookup.pl) 1.0 allows
remote attackers to execute arbitrary code via shell metacharacters in
the (1) query or (2) type parameters.

Analysis
----------------
ED_PRI CAN-2002-0489 3
Vendor Acknowledgement:

ACCURACY: the query/type parameters were inferred from inspection of
the source code.

Voting Section
--------------
Possible votes: ACCEPT/MODIFY/NOOP/REVIEWING/RECAST/REJECT
If ACCEPT or MODIFY, include reason for acceptance:
  VERIFIED-BY-MY-ORG, ACKNOWLEDGED-BY-VENDOR, VERIFIED-BY-SOMEONE-I-TRUST,
  HAS-INDEPENDENT-CONFIRMATION, or provide other reason.

VOTE:
ACCEPT_REASON:

COMMENTS:

======================================================
Candidate: CAN-2002-0510
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2002-0510
Final-Decision:
Interim-Decision:
Modified:
Proposed: 20020611
Assigned: 20020607
Category: SF
Reference: BUGTRAQ:20020319 Identifying Kernel 2.4.x based Linux machines using UDP
Reference: URL:http://www.securityfocus.com/archive/1/262840
Reference: BID:4314
Reference: URL:http://www.securityfocus.com/bid/4314
Reference: XF:linux-udp-fingerprint(8588)
Reference: URL:http://www.iss.net/security_center/static/8588.php

The UDP implementation in Linux 2.4.x kernels keeps the IP
Identification field at 0 for all non-fragmented packets, which could
allow remote attackers to determine that a target system is running
Linux.

Analysis
----------------
ED_PRI CAN-2002-0510 3
Vendor Acknowledgement:
Content Decisions: INCLUSION

INCLUSION: since knowledge of a target's operating system can make
other attackers easier, this issue fits the CVE definition of
"exposure" and should be included in CVE. However, it has been
suggested that this behavior has some useful features. If it is
adopted in the future by other operating systems, this behavior would
no longer be an exposure.

Voting Section
--------------
Possible votes: ACCEPT/MODIFY/NOOP/REVIEWING/RECAST/REJECT
If ACCEPT or MODIFY, include reason for acceptance:
  VERIFIED-BY-MY-ORG, ACKNOWLEDGED-BY-VENDOR, VERIFIED-BY-SOMEONE-I-TRUST,
  HAS-INDEPENDENT-CONFIRMATION, or provide other reason.

VOTE:
ACCEPT_REASON:

COMMENTS:

======================================================
Candidate: CAN-2002-0557
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2002-0557
Final-Decision:
Interim-Decision:
Modified:
Proposed: 20020611
Assigned: 20020607
Category: SF
Reference: OPENBSD:20020319 016: SECURITY FIX: March 19, 2002
Reference: URL:http://www.openbsd.org/errata30.html#approval
Reference: BID:4338
Reference: URL:http://www.securityfocus.com/bid/4338
Reference: XF:bsd-yp-execute-shell(8625)
Reference: URL:http://www.iss.net/security_center/static/8625.php

Vulnerability in OpenBSD 3.0, when using YP with netgroups in the
password database, causes (1) rexec or (2) rsh to run another another
user's shell, or (3) atrun to change to a different user's directory,
possibly due to memory allocation failures or an incorrect call to
auth_approval().

Analysis
----------------
ED_PRI CAN-2002-0557 3
Vendor Acknowledgement: yes advisory
Content Decisions: VAGUE

Voting Section
--------------
Possible votes: ACCEPT/MODIFY/NOOP/REVIEWING/RECAST/REJECT
If ACCEPT or MODIFY, include reason for acceptance:
  VERIFIED-BY-MY-ORG, ACKNOWLEDGED-BY-VENDOR, VERIFIED-BY-SOMEONE-I-TRUST,
  HAS-INDEPENDENT-CONFIRMATION, or provide other reason.

VOTE:
ACCEPT_REASON:

COMMENTS:
Page Last Updated or Reviewed: May 22, 2007