[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

[PROPOSAL] Cluster RECENT-98 - 42 candidates

I am proposing cluster RECENT-98 for review and voting by the
Editorial Board.

Name: RECENT-98
Description: CANs announced between 2002/04/28 and 2002/05/31
Size: 42

You may vote on candidates by modifying this email ballot and sending
it back to me, or by using the CVE voting web site.

The candidates are listed in order of priority.  Priority 1 and
Priority 2 candidates both deal with varying levels of vendor
confirmation, so they should be easy to review and it can be trusted
that the problems are real.

If you discover that any RECENT-XX cluster is incomplete with respect
to the problems discovered during the associated time frame, please
send that information to me so that candidates can be assigned.

- Steve







Summary of votes to use (in ascending order of "severity")
----------------------------------------------------------

ACCEPT - voter accepts the candidate as proposed
NOOP - voter has no opinion on the candidate
MODIFY - voter wants to change some MINOR detail (e.g. reference/description)
REVIEWING - voter is reviewing/researching the candidate, or needs more info
RECAST - candidate must be significantly modified, e.g. split or merged
REJECT - candidate is "not a vulnerability", or a duplicate, etc.

1) Please write your vote on the line that starts with "VOTE: ".  If
   you want to add comments or details, add them to lines after the
   VOTE: line.

2) If you see any missing references, please mention them so that they
   can be included.  References help greatly during mapping.

3) Note that a "MODIFY" is treated as an "ACCEPT" when counting votes.
   So if you don't have sufficient information for a candidate but you
   don't want to NOOP, use a REVIEWING.

********** NOTE ********** NOTE ********** NOTE ********** NOTE **********

Please keep in mind that your vote and comments will be recorded and
publicly viewable in the mailing list archives or in other formats.

======================================================
Candidate: CAN-2002-0844
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2002-0844
Final-Decision:
Interim-Decision:
Modified:
Proposed: 20020830
Assigned: 20020809
Category: SF
Reference: VULNWATCH:20020525 [VulnWatch] [DER ADV#8] - Local off by one in CVSD
Reference: URL:http://archives.neohapsis.com/archives/vulnwatch/2002-q2/0081.html
Reference: CALDERA:CSSA-2002-035.0
Reference: URL:ftp://ftp.caldera.com/pub/security/OpenLinux/CSSA-2002-035.0.txt
Reference: BUGTRAQ:20020525 [DER ADV#8] - Local off by one in CVSD
Reference: URL:http://marc.theaimsgroup.com/?l=bugtraq&m=102233767925177&w=2

Off-by-one overflow in the CVS PreservePermissions of rcs.c for CVSD
before 1.11.2 allows local users to execute arbitrary code.

Analysis
----------------
ED_PRI CAN-2002-0844 1
Vendor Acknowledgement: yes advisory

Voting Section
--------------
Possible votes: ACCEPT/MODIFY/NOOP/REVIEWING/RECAST/REJECT
If ACCEPT or MODIFY, include reason for acceptance:
  VERIFIED-BY-MY-ORG, ACKNOWLEDGED-BY-VENDOR, VERIFIED-BY-SOMEONE-I-TRUST,
  HAS-INDEPENDENT-CONFIRMATION, or provide other reason.

VOTE:
ACCEPT_REASON:

COMMENTS:

======================================================
Candidate: CAN-2002-0887
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2002-0887
Final-Decision:
Interim-Decision:
Modified:
Proposed: 20020830
Assigned: 20020816
Category: SF
Reference: BUGTRAQ:20010522 [SRT2001-10] - scoadmin /tmp issues
Reference: URL:http://marc.theaimsgroup.com/?l=bugtraq&m=99057164129869&w=2
Reference: CALDERA:CSSA-2002-SCO.22
Reference: URL:ftp://stage.caldera.com/pub/security/openserver/CSSA-2002-SCO.22/CSSA-2002-SCO.22.txt
Reference: BID:4875
Reference: URL:http://www.securityfocus.com/bid/4875
Reference: XF:openserver-scoadmin-symlink(9210)
Reference: URL:http://www.iss.net/security_center/static/9210.php

scoadmin for Caldera/SCO OpenServer 5.0.5 and 5.0.6 allows local users
to overwrite arbitrary files via a symlink attack on temporary log
files.

Analysis
----------------
ED_PRI CAN-2002-0887 1
Vendor Acknowledgement: yes advisory

ACKNOWLEDGEMENT: The Caldera advisory credits "Kevin Finisterre
(dotslash@snosoft.com)" with this issue, and he is credited by the
original poster to Bugtraq.

Voting Section
--------------
Possible votes: ACCEPT/MODIFY/NOOP/REVIEWING/RECAST/REJECT
If ACCEPT or MODIFY, include reason for acceptance:
  VERIFIED-BY-MY-ORG, ACKNOWLEDGED-BY-VENDOR, VERIFIED-BY-SOMEONE-I-TRUST,
  HAS-INDEPENDENT-CONFIRMATION, or provide other reason.

VOTE:
ACCEPT_REASON:

COMMENTS:

======================================================
Candidate: CAN-2002-0889
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2002-0889
Final-Decision:
Interim-Decision:
Modified:
Proposed: 20020830
Assigned: 20020816
Category: SF
Reference: VULN-DEV:20020428 QPopper 4.0.4 buffer overflow
Reference: URL:http://marc.theaimsgroup.com/?l=vuln-dev&m=102003707432457&w=2
Reference: BUGTRAQ:20020428 QPopper 4.0.4 buffer overflow
Reference: URL:http://online.securityfocus.com/archive/1/269969
Reference: CALDERA:CSSA-2002-SCO.20
Reference: URL:ftp://stage.caldera.com/pub/security/openserver/CSSA-2002-SCO.20/CSSA-2002-SCO.20.txt
Reference: XF:qpopper-bulldir-bo(8949)
Reference: URL:http://www.iss.net/security_center/static/8949.php
Reference: BID:4614
Reference: URL:http://www.securityfocus.com/bid/4614

Buffer overflow in Qpopper (popper) 4.0.4 and earlier allows local
users to cause a denial of service and possibly execute arbitrary code
via a long bulldir argument in the user's .qpopper-options
configuration file.

Analysis
----------------
ED_PRI CAN-2002-0889 1
Vendor Acknowledgement: yes advisory

Voting Section
--------------
Possible votes: ACCEPT/MODIFY/NOOP/REVIEWING/RECAST/REJECT
If ACCEPT or MODIFY, include reason for acceptance:
  VERIFIED-BY-MY-ORG, ACKNOWLEDGED-BY-VENDOR, VERIFIED-BY-SOMEONE-I-TRUST,
  HAS-INDEPENDENT-CONFIRMATION, or provide other reason.

VOTE:
ACCEPT_REASON:

COMMENTS:

======================================================
Candidate: CAN-2002-0891
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2002-0891
Final-Decision:
Interim-Decision:
Modified:
Proposed: 20020830
Assigned: 20020816
Category: SF
Reference: BUGTRAQ:20020527 Netscreen 25 unauthorised reboot issue
Reference: URL:http://online.securityfocus.com/archive/1/274240
Reference: CONFIRM:http://www.netscreen.com/support/ns25_reboot.html
Reference: XF:netscreen-screenos-username-dos(9186)
Reference: URL:http://www.iss.net/security_center/static/9186.php
Reference: BID:4842
Reference: URL:http://www.securityfocus.com/bid/4842

The web interface (WebUI) of NetScreen ScreenOS from 2.6.1r8 to
versions before 3.1.0r1 allows remote attackers to cause a denial of
service (crash) via a long user name.

Analysis
----------------
ED_PRI CAN-2002-0891 1
Vendor Acknowledgement: yes advisory

Voting Section
--------------
Possible votes: ACCEPT/MODIFY/NOOP/REVIEWING/RECAST/REJECT
If ACCEPT or MODIFY, include reason for acceptance:
  VERIFIED-BY-MY-ORG, ACKNOWLEDGED-BY-VENDOR, VERIFIED-BY-SOMEONE-I-TRUST,
  HAS-INDEPENDENT-CONFIRMATION, or provide other reason.

VOTE:
ACCEPT_REASON:

COMMENTS:

======================================================
Candidate: CAN-2002-0892
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2002-0892
Final-Decision:
Interim-Decision:
Modified:
Proposed: 20020830
Assigned: 20020816
Category: CF
Reference: BUGTRAQ:20020522 Multiple vulnerabilities in NewAtlanta ServletExec ISAPI 4.1
Reference: URL:http://online.securityfocus.com/archive/1/273615
Reference: VULNWATCH:20020522 [VulnWatch] Multiple vulnerabilities in NewAtlanta ServletExec ISAPI 4.1
Reference: URL:http://archives.neohapsis.com/archives/vulnwatch/2002-q2/0077.html
Reference: CONFIRM:http://www.newatlanta.com/do/findFaq?faq_id=151
Reference: BID:4793
Reference: URL:http://www.securityfocus.com/bid/4793
Reference: XF:servletexec-jsp10servlet-path-disclosure(9139)
Reference: URL:http://www.iss.net/security_center/static/9139.php

The default configuration of NewAtlanta ServletExec ISAPI 4.1 allows
remote attackers to determine the path of the web root via a direct
request to com.newatlanta.servletexec.JSP10Servlet without a filename,
which leaks the pathname in an error message.

Analysis
----------------
ED_PRI CAN-2002-0892 1
Vendor Acknowledgement: yes

ACKNOWLEDGEMENT: The ServletExec FAQ item 151 has the question "If I
request a JSP page that does not exist I receive a response in my
browser which discloses the absolute path to my web server's document
root or to the document root of my web application. Isn't this a
security risk?" The response is: "Use the errorPage init parameter
with the JSP10Servlet so that the JSP10Servlet will no longer use the
default response which discloses the path."

Voting Section
--------------
Possible votes: ACCEPT/MODIFY/NOOP/REVIEWING/RECAST/REJECT
If ACCEPT or MODIFY, include reason for acceptance:
  VERIFIED-BY-MY-ORG, ACKNOWLEDGED-BY-VENDOR, VERIFIED-BY-SOMEONE-I-TRUST,
  HAS-INDEPENDENT-CONFIRMATION, or provide other reason.

VOTE:
ACCEPT_REASON:

COMMENTS:

======================================================
Candidate: CAN-2002-0898
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2002-0898
Final-Decision:
Interim-Decision:
Modified:
Proposed: 20020830
Assigned: 20020816
Category: SF
Reference: NTBUGTRAQ:20020527 Reading ANY local file in Opera (GM#001-OP)
Reference: URL:http://marc.theaimsgroup.com/?l=ntbugtraq&m=102256058220402&w=2
Reference: BUGTRAQ:20020527 Reading ANY local file in Opera (GM#001-OP)
Reference: URL:http://online.securityfocus.com/archive/1/274202
Reference: CONFIRM:http://www.opera.com/windows/changelog/log603.html
Reference: BID:4834
Reference: URL:http://www.securityfocus.com/bid/4834
Reference: XF:opera-browser-file-retrieval(9188)
Reference: URL:http://www.iss.net/security_center/static/9188.php

Opera 6.0.1 and 6.0.2 allows a remote web site to upload arbiotrary
files from the client system, without prompting the client, via an
input type=file tag whose value contains a newline.

Analysis
----------------
ED_PRI CAN-2002-0898 1
Vendor Acknowledgement: yes changelog

ACKNOWLEDGEMENT: the change log for Opera 6.0.3 says "Fixed security
issue with file upload, as reported by GreyMagic Software," the
discoverers of the issue.

Voting Section
--------------
Possible votes: ACCEPT/MODIFY/NOOP/REVIEWING/RECAST/REJECT
If ACCEPT or MODIFY, include reason for acceptance:
  VERIFIED-BY-MY-ORG, ACKNOWLEDGED-BY-VENDOR, VERIFIED-BY-SOMEONE-I-TRUST,
  HAS-INDEPENDENT-CONFIRMATION, or provide other reason.

VOTE:
ACCEPT_REASON:

COMMENTS:

======================================================
Candidate: CAN-2002-0904
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2002-0904
Final-Decision:
Interim-Decision:
Modified:
Proposed: 20020830
Assigned: 20020816
Category: SF
Reference: VULN-DEV:20020529 New Kismet Packages available - SayText() and suid kismet_server issues
Reference: URL:http://marc.theaimsgroup.com/?l=vuln-dev&m=102269718506080&w=2
Reference: BUGTRAQ:20020528 New Kismet Packages available - SayText() and suid kismet_server issues
Reference: URL:http://archives.neohapsis.com/archives/bugtraq/2002-05/0259.html
Reference: CONFIRM:http://www.kismetwireless.net/CHANGELOG
Reference: BID:4883
Reference: URL:http://www.securityfocus.com/bid/4883
Reference: XF:kismet-saytext-command-execution(9213)
Reference: URL:http://www.iss.net/security_center/static/9213.php

SayText function in Kismet 2.2.1 and earlier allows remote attackers
to execute arbitrary commands via shell metacharacters (backtick or
pipe) in the essid argument.

Analysis
----------------
ED_PRI CAN-2002-0904 1
Vendor Acknowledgement: yes changelog

ACKNOWLEDGEMENT: In the vendor changelog, an entry dated "May 27 2002"
says "Fixed remote-exploitable hole (ack!) with specially crafted
SSID's"

Voting Section
--------------
Possible votes: ACCEPT/MODIFY/NOOP/REVIEWING/RECAST/REJECT
If ACCEPT or MODIFY, include reason for acceptance:
  VERIFIED-BY-MY-ORG, ACKNOWLEDGED-BY-VENDOR, VERIFIED-BY-SOMEONE-I-TRUST,
  HAS-INDEPENDENT-CONFIRMATION, or provide other reason.

VOTE:
ACCEPT_REASON:

COMMENTS:

======================================================
Candidate: CAN-2002-0947
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2002-0947
Final-Decision:
Interim-Decision:
Modified:
Proposed: 20020830
Assigned: 20020816
Category: SF
Reference: BUGTRAQ:20020612 Oracle Reports Server Buffer Overflow (#NISR12062002B)
Reference: URL:http://online.securityfocus.com/archive/1/276524
Reference: VULNWATCH:20020612 [VulnWatch] Oracle Reports Server Buffer Overflow (#NISR12062002B)
Reference: URL:http://archives.neohapsis.com/archives/vulnwatch/2002-q2/0097.html
Reference: CERT-VN:VU#997403
Reference: URL:http://www.kb.cert.org/vuls/id/997403
Reference: CONFIRM:http://technet.oracle.com/deploy/security/pdf/reports6i_alert.pdf
Reference: MISC:http://www.nextgenss.com/vna/ora-reports.txt
Reference: BID:4848
Reference: URL:http://www.securityfocus.com/bid/4848
Reference: XF:oracle-reports-server-bo(9289)
Reference: URL:http://www.iss.net/security_center/static/9289.php

Buffer overflow in rwcgi60 CGI program for Oracle 9iAS Reports Server
6.0.8.18.0 and earlier allows remote attackers to execute arbitrary
code via a long database name parameter.

Analysis
----------------
ED_PRI CAN-2002-0947 1
Vendor Acknowledgement: yes advisory

Voting Section
--------------
Possible votes: ACCEPT/MODIFY/NOOP/REVIEWING/RECAST/REJECT
If ACCEPT or MODIFY, include reason for acceptance:
  VERIFIED-BY-MY-ORG, ACKNOWLEDGED-BY-VENDOR, VERIFIED-BY-SOMEONE-I-TRUST,
  HAS-INDEPENDENT-CONFIRMATION, or provide other reason.

VOTE:
ACCEPT_REASON:

COMMENTS:

======================================================
Candidate: CAN-2002-0965
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2002-0965
Final-Decision:
Interim-Decision:
Modified:
Proposed: 20020830
Assigned: 20020816
Category: SF
Reference: BUGTRAQ:20020612 Oracle TNS Listener Buffer Overflow (#NISR12062002A)
Reference: URL:http://online.securityfocus.com/archive/1/276526
Reference: VULNWATCH:20020612 [VulnWatch] Oracle TNS Listener Buffer Overflow (#NISR12062002A)
Reference: URL:http://archives.neohapsis.com/archives/vulnwatch/2002-q2/0096.html
Reference: CONFIRM:http://otn.oracle.com/deploy/security/pdf/net9_dos_alert.pdf
Reference: BID:4845
Reference: URL:http://www.securityfocus.com/bid/4845

Buffer overflow in TNS Listener for Oracle 9i Database Server on
Windows systems allows local users to execute arbitrary code via a
long SERVICE_NAME parameter, which is not properly handled when
writing an error message to a log file.

Analysis
----------------
ED_PRI CAN-2002-0965 1
Vendor Acknowledgement: yes advisory

ACKNOWLEDGEMENT: while the Oracle advisory itself does not explicitly
mention a buffer overflow, the link to this document on Oracle's
advisory page says "Buffer Overflow Vulnerability in Oracle Net
(Oracle9i Database Server)." This, combined with the acknowledgement
to the disclosers and correlated dates, provides sufficient
information to indicate acknowledgement.

Voting Section
--------------
Possible votes: ACCEPT/MODIFY/NOOP/REVIEWING/RECAST/REJECT
If ACCEPT or MODIFY, include reason for acceptance:
  VERIFIED-BY-MY-ORG, ACKNOWLEDGED-BY-VENDOR, VERIFIED-BY-SOMEONE-I-TRUST,
  HAS-INDEPENDENT-CONFIRMATION, or provide other reason.

VOTE:
ACCEPT_REASON:

COMMENTS:

======================================================
Candidate: CAN-2002-0802
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2002-0802
Final-Decision:
Interim-Decision:
Modified:
Proposed: 20020830
Assigned: 20020729
Category: SF
Reference: MISC:http://marc.theaimsgroup.com/?l=postgresql-general&m=102032794322362

The multibyte support in PostgreSQL 6.5.x with SQL_ASCII encoding
consumes an extra character when processing a character that cannot be
converted, which could remove an escape character from the query and
make the application subject to SQL injection attacks.

Analysis
----------------
ED_PRI CAN-2002-0802 2
Vendor Acknowledgement: yes

Voting Section
--------------
Possible votes: ACCEPT/MODIFY/NOOP/REVIEWING/RECAST/REJECT
If ACCEPT or MODIFY, include reason for acceptance:
  VERIFIED-BY-MY-ORG, ACKNOWLEDGED-BY-VENDOR, VERIFIED-BY-SOMEONE-I-TRUST,
  HAS-INDEPENDENT-CONFIRMATION, or provide other reason.

VOTE:
ACCEPT_REASON:

COMMENTS:

======================================================
Candidate: CAN-2002-0876
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2002-0876
Final-Decision:
Interim-Decision:
Modified:
Proposed: 20020830
Assigned: 20020816
Category: SF
Reference: BUGTRAQ:20020530 [[ TH 026 Inc. ]] SA #3 - Shambala Server 4.5, Directory Traversal and DoS
Reference: URL:http://archives.neohapsis.com/archives/bugtraq/2002-05/0282.html
Reference: BUGTRAQ:20020709 Exploit for previously reported DoS issues in Shambala Server 4.5
Reference: URL:http://online.securityfocus.com/archive/1/281265
Reference: BID:4897
Reference: URL:http://www.securityfocus.com/bid/4897
Reference: XF:shambala-web-request-dos(9225)
Reference: URL:http://www.iss.net/security_center/static/9225.php

Web server for Shambala 4.5 allows remote attackers to cause a denial
of service (crash) via a malformed HTTP request.

Analysis
----------------
ED_PRI CAN-2002-0876 3
Vendor Acknowledgement:

ACCURACY: while the initial announcement says that the vulnerability
is in the GET request, a followup exploit doesn't send a GET at all.
One thing that is common to both is an exclamation point (!), but the
discloser does not provide enough information to know for sure whether
that is the true factor.

Voting Section
--------------
Possible votes: ACCEPT/MODIFY/NOOP/REVIEWING/RECAST/REJECT
If ACCEPT or MODIFY, include reason for acceptance:
  VERIFIED-BY-MY-ORG, ACKNOWLEDGED-BY-VENDOR, VERIFIED-BY-SOMEONE-I-TRUST,
  HAS-INDEPENDENT-CONFIRMATION, or provide other reason.

VOTE:
ACCEPT_REASON:

COMMENTS:

======================================================
Candidate: CAN-2002-0877
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2002-0877
Final-Decision:
Interim-Decision:
Modified:
Proposed: 20020830
Assigned: 20020816
Category: SF
Reference: BUGTRAQ:20020530 [[ TH 026 Inc. ]] SA #3 - Shambala Server 4.5, Directory Traversal and DoS
Reference: URL:http://archives.neohapsis.com/archives/bugtraq/2002-05/0282.html
Reference: BID:4896
Reference: URL:http://www.securityfocus.com/bid/4896
Reference: XF:shambala-dotdot-directory-traversal(9224)
Reference: URL:http://www.iss.net/security_center/static/9224.php

Directory traversal vulnerability in the FTP server for Shambala 4.5
allows remote attackers to read arbitrary files via a .. (dot dot) in
the (1) LIST (ls) or (2) GET commands.

Analysis
----------------
ED_PRI CAN-2002-0877 3
Vendor Acknowledgement:
Content Decisions: SF-LOC, REDISCOVERY

INCLUSION: a separate .. issue was published in 2000 (CAN-2001-0758),
which also affects Shambala 4.5. CD:SF-LOC might suggest merging that
issue with this one (same problem type in the same version), but since
the vendor hasn't fixed the original problem and it's been 2 years
since the announcement of the previous vulnerability, maybe they
should be separated.

Voting Section
--------------
Possible votes: ACCEPT/MODIFY/NOOP/REVIEWING/RECAST/REJECT
If ACCEPT or MODIFY, include reason for acceptance:
  VERIFIED-BY-MY-ORG, ACKNOWLEDGED-BY-VENDOR, VERIFIED-BY-SOMEONE-I-TRUST,
  HAS-INDEPENDENT-CONFIRMATION, or provide other reason.

VOTE:
ACCEPT_REASON:

COMMENTS:

======================================================
Candidate: CAN-2002-0879
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2002-0879
Final-Decision:
Interim-Decision:
Modified:
Proposed: 20020830
Assigned: 20020816
Category: SF
Reference: BUGTRAQ:20020529 Gafware's CFXImage vulnerability
Reference: URL:http://archives.neohapsis.com/archives/bugtraq/2002-05/0256.html
Reference: XF:cfximage-dotdot-directory-traversal(9196)
Reference: URL:http://www.iss.net/security_center/static/9196.php
Reference: BID:4882
Reference: URL:http://www.securityfocus.com/bid/4882

showtemp.cfm for Gafware CFXImage 1.6.6 allows remote attackers to
read arbitrary files via (1) a .. or (2) a C: style pathname in the
FILE parameter.

Analysis
----------------
ED_PRI CAN-2002-0879 3
Vendor Acknowledgement: unknown discloser-claimed
Content Decisions: SF-LOC

ABSTRACTION: it could be argued that .. and C: pathname problems,
while closely related, are different enough that they should be SPLIT.
Fixing a .. issue won't necessarily fix a C: issue, or vice versa. On
the other hand, both of these issues are instances of the "trusted
form fields" problem.
ACKNOWLEDGEMENT: www.gafware.com was unavailable on 2002/07/26, so it
could not be determined whether the vendor has fixed the vulnerability
or not.

Voting Section
--------------
Possible votes: ACCEPT/MODIFY/NOOP/REVIEWING/RECAST/REJECT
If ACCEPT or MODIFY, include reason for acceptance:
  VERIFIED-BY-MY-ORG, ACKNOWLEDGED-BY-VENDOR, VERIFIED-BY-SOMEONE-I-TRUST,
  HAS-INDEPENDENT-CONFIRMATION, or provide other reason.

VOTE:
ACCEPT_REASON:

COMMENTS:

======================================================
Candidate: CAN-2002-0880
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2002-0880
Final-Decision:
Interim-Decision:
Modified:
Proposed: 20020830
Assigned: 20020816
Category: SF
Reference: CISCO:20020522 Multiple Vulnerabilities in Cisco IP Telephones
Reference: URL:http://www.cisco.com/warp/public/707/multiple-ip-phone-vulnerabilities-pub.shtml

Cisco IP Phone (VoIP) models 7910, 7940, and 7960 allow remote
attackers to cause a denial of service (crash) via malformed packets
as demonstrated by (1) "jolt", (2) "jolt2", (3) "raped", (4) "hping2",
(5) "bloop", (6) "bubonic", (7) "mutant", (8) "trash", and (9)
"trash2."

Analysis
----------------
ED_PRI CAN-2002-0880 3
Vendor Acknowledgement: yes advisory
Content Decisions: SF-LOC, INCLUSION, SF-CODEBASE

INCLUSION/ABSTRACTION: It could be argued that some of these
vulnerabilities (jolt, jolt2, etc.) are already separately identified
in CVE; however, it is unlikely that the VoIP phones share the same
codebase as the Microsoft systems that were subject to the original
jolt/jolt2.

Voting Section
--------------
Possible votes: ACCEPT/MODIFY/NOOP/REVIEWING/RECAST/REJECT
If ACCEPT or MODIFY, include reason for acceptance:
  VERIFIED-BY-MY-ORG, ACKNOWLEDGED-BY-VENDOR, VERIFIED-BY-SOMEONE-I-TRUST,
  HAS-INDEPENDENT-CONFIRMATION, or provide other reason.

VOTE:
ACCEPT_REASON:

COMMENTS:

======================================================
Candidate: CAN-2002-0881
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2002-0881
Final-Decision:
Interim-Decision:
Modified:
Proposed: 20020830
Assigned: 20020816
Category: SF
Reference: BUGTRAQ:20020522 Multiple Vulnerabilities in CISCO VoIP Phones
Reference: URL:http://online.securityfocus.com/archive/1/273673
Reference: CISCO:20020522 Multiple Vulnerabilities in Cisco IP Telephones
Reference: URL:http://www.cisco.com/warp/public/707/multiple-ip-phone-vulnerabilities-pub.shtml
Reference: BID:4799
Reference: URL:http://www.securityfocus.com/bid/4799
Reference: XF:cisco-ipphone-configuration-access(9144)
Reference: URL:http://www.iss.net/security_center/static/9144.php

Cisco IP Phone (VoIP) models 7910, 7940, and 7960 use a default
administrative password, which allows atackers with physical access to
the phone to modify the configuration settings.

Analysis
----------------
ED_PRI CAN-2002-0881 3
Vendor Acknowledgement: yes advisory
Content Decisions: SF-LOC, CF-PASS

Voting Section
--------------
Possible votes: ACCEPT/MODIFY/NOOP/REVIEWING/RECAST/REJECT
If ACCEPT or MODIFY, include reason for acceptance:
  VERIFIED-BY-MY-ORG, ACKNOWLEDGED-BY-VENDOR, VERIFIED-BY-SOMEONE-I-TRUST,
  HAS-INDEPENDENT-CONFIRMATION, or provide other reason.

VOTE:
ACCEPT_REASON:

COMMENTS:

======================================================
Candidate: CAN-2002-0882
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2002-0882
Final-Decision:
Interim-Decision:
Modified:
Proposed: 20020830
Assigned: 20020816
Category: SF
Reference: BUGTRAQ:20020522 Multiple Vulnerabilities in CISCO VoIP Phones
Reference: URL:http://online.securityfocus.com/archive/1/273673
Reference: CISCO:20020522 Multiple Vulnerabilities in Cisco IP Telephones
Reference: URL:http://www.cisco.com/warp/public/707/multiple-ip-phone-vulnerabilities-pub.shtml
Reference: BID:4794
Reference: URL:http://www.securityfocus.com/bid/4794
Reference: XF:cisco-ipphone-portinformation(9143)
Reference: URL:http://www.iss.net/security_center/static/9143.php
Reference: XF:cisco-ipphone-streamingstatistics-dos(9142)
Reference: URL:http://www.iss.net/security_center/static/9142.php
Reference: BID:4798
Reference: URL:http://www.securityfocus.com/bid/4798

The web server for Cisco IP Phone (VoIP) models 7910, 7940, and 7960
allows remote attackers to cause a denial of service (reset) and
possibly read sensitive memory via a large integer value in (1) the
stream ID of the StreamingStatistics script, or (2) the port ID of the
PortInformation script.

Analysis
----------------
ED_PRI CAN-2002-0882 3
Vendor Acknowledgement: yes advisory
Content Decisions: SF-LOC, SF-EXEC

ABSTRACTION: while there are two separate instances of attacks on two
separate URLs with two different results, the underlying vulnerability
("can't handle too-large integer") is the same, and the affected
products/versions are the same; therefore, CD:SF-LOC and CD:SF-EXEC
suggest that these problems should be MERGED.

Voting Section
--------------
Possible votes: ACCEPT/MODIFY/NOOP/REVIEWING/RECAST/REJECT
If ACCEPT or MODIFY, include reason for acceptance:
  VERIFIED-BY-MY-ORG, ACKNOWLEDGED-BY-VENDOR, VERIFIED-BY-SOMEONE-I-TRUST,
  HAS-INDEPENDENT-CONFIRMATION, or provide other reason.

VOTE:
ACCEPT_REASON:

COMMENTS:

======================================================
Candidate: CAN-2002-0883
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2002-0883
Final-Decision:
Interim-Decision:
Modified:
Proposed: 20020830
Assigned: 20020816
Category: SF
Reference: COMPAQ:SSRT2179
Reference: URL:http://ftp.support.compaq.com/patches/.new/html/SSRT2179.shtml
Reference: XF:compaq-proliant-gain-access(9202)
Reference: URL:http://www.iss.net/security_center/static/9202.php
Reference: BID:4802
Reference: URL:http://www.securityfocus.com/bid/4802

Vulnerability in Compaq ProLiant BL e-Class Integrated Administrator
1.0 and 1.10, allows authenticated users with Telnet, SSH, or console
access to conduct unauthorized activities.

Analysis
----------------
ED_PRI CAN-2002-0883 3
Vendor Acknowledgement: yes advisory
Content Decisions: VAGUE

Voting Section
--------------
Possible votes: ACCEPT/MODIFY/NOOP/REVIEWING/RECAST/REJECT
If ACCEPT or MODIFY, include reason for acceptance:
  VERIFIED-BY-MY-ORG, ACKNOWLEDGED-BY-VENDOR, VERIFIED-BY-SOMEONE-I-TRUST,
  HAS-INDEPENDENT-CONFIRMATION, or provide other reason.

VOTE:
ACCEPT_REASON:

COMMENTS:

======================================================
Candidate: CAN-2002-0884
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2002-0884
Final-Decision:
Interim-Decision:
Modified:
Proposed: 20020830
Assigned: 20020816
Category: SF
Reference: BUGTRAQ:20020522 [DER Adv #7] - Multiple Vulnerabilities in solaris in.rarpd
Reference: URL:http://online.securityfocus.com/archive/1/273584
Reference: VULNWATCH:20020521 [VulnWatch] [DER Adv #7] - Multiple Vulnerabilities in solaris in.rarpd
Reference: URL:http://archives.neohapsis.com/archives/vulnwatch/2002-q2/0074.html
Reference: CALDERA:CSSA-2002-SCO.29
Reference: URL:ftp://ftp.caldera.com/pub/updates/OpenUNIX/CSSA-2002-SCO.29/CSSA-2002-SCO.29.txt
Reference: XF:solaris-inrarpd-code-execution(9150)
Reference: URL:http://www.iss.net/security_center/static/9150.php
Reference: BID:4791
Reference: URL:http://www.securityfocus.com/bid/4791

Multiple format string vulnerabilities in in.rarpd (ARP server) on
Solaris, Caldera UnixWare and Open UNIX, and possibly other operating
systems, allows remote attackers to execute arbitrary code via format
strings that are not properly handled in the functions (1) syserr and
(2) error.

Analysis
----------------
ED_PRI CAN-2002-0884 3
Vendor Acknowledgement: yes advisory
Content Decisions: SF-LOC

Voting Section
--------------
Possible votes: ACCEPT/MODIFY/NOOP/REVIEWING/RECAST/REJECT
If ACCEPT or MODIFY, include reason for acceptance:
  VERIFIED-BY-MY-ORG, ACKNOWLEDGED-BY-VENDOR, VERIFIED-BY-SOMEONE-I-TRUST,
  HAS-INDEPENDENT-CONFIRMATION, or provide other reason.

VOTE:
ACCEPT_REASON:

COMMENTS:

======================================================
Candidate: CAN-2002-0885
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2002-0885
Final-Decision:
Interim-Decision:
Modified:
Proposed: 20020830
Assigned: 20020816
Category: SF
Reference: BUGTRAQ:20020522 [DER Adv #7] - Multiple Vulnerabilities in solaris in.rarpd
Reference: URL:http://online.securityfocus.com/archive/1/273584
Reference: VULNWATCH:20020521 [VulnWatch] [DER Adv #7] - Multiple Vulnerabilities in solaris in.rarpd
Reference: URL:http://archives.neohapsis.com/archives/vulnwatch/2002-q2/0074.html
Reference: MISC:ftp://ftp.caldera.com/pub/updates/OpenUNIX/CSSA-2002-SCO.29/CSSA-2002-SCO.29.txt
Reference: XF:solaris-inrarpd-code-execution(9150)
Reference: URL:http://www.iss.net/security_center/static/9150.php
Reference: BID:4791
Reference: URL:http://www.securityfocus.com/bid/4791

Multiple buffer overflows in in.rarpd (ARP server) on Solaris, and
possibly other operating systems including Caldera UnixWare and Open
UNIX, allow remote attackers to execute arbitrary code, possibly via
the functions (1) syserr and (2) error.

Analysis
----------------
ED_PRI CAN-2002-0885 3
Vendor Acknowledgement: unknown vague
Content Decisions: SF-LOC, SF-CODEBASE, VAGUE

ACCURACY: Caldera advisory CSSA-2002-SCO.29 is titled "format string
vulnerability," which implies that it only addressed the reported
format string issues but not the apparent overflows; since the
original report was for Solaris, there is a possibility that the
overflows did not affect Caldera. The original report is unclear as to
whether the "3 remotely exploitable" overflows are related to the
syserr/error functions at all; the allegedly vulnerable source code
provided by the reporter only seems to demonstrate one vulnerability
(in the vsprintf call in error()), while the only other *possible*
vulnerability would be an sprintf call in syserr(), although that
call's inputs are most likely not controllable by the attacker.

Voting Section
--------------
Possible votes: ACCEPT/MODIFY/NOOP/REVIEWING/RECAST/REJECT
If ACCEPT or MODIFY, include reason for acceptance:
  VERIFIED-BY-MY-ORG, ACKNOWLEDGED-BY-VENDOR, VERIFIED-BY-SOMEONE-I-TRUST,
  HAS-INDEPENDENT-CONFIRMATION, or provide other reason.

VOTE:
ACCEPT_REASON:

COMMENTS:

======================================================
Candidate: CAN-2002-0886
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2002-0886
Final-Decision:
Interim-Decision:
Modified:
Proposed: 20020830
Assigned: 20020816
Category: SF
Reference: CISCO:20020523 CBOS - Improving Resilience to Denial-of-Service Attacks
Reference: URL:http://www.cisco.com/warp/public/707/CBOS-DoS.shtml
Reference: XF:cisco-cbos-dhcp-dos(9151)
Reference: URL:http://www.iss.net/security_center/static/9151.php
Reference: BID:4813
Reference: URL:http://www.securityfocus.com/bid/4813

Cisco DSL CPE devices running CBOS 2.4.4 and earlier allows remote
attackers to cause a denial of service (hang or memory consumption)
via (1) a large packet to the DHCP port, (2) a large packet to the
Telnet port, or (3) a flood of large packets to the CPE.

Analysis
----------------
ED_PRI CAN-2002-0886 3
Vendor Acknowledgement: yes advisory
Content Decisions: SF-LOC

ABSTRACTION: while there are slightly different attack vectors,
clearly problems (1) and (2) are of the same type, and should stay
MERGED within the same item, by CD:SF-LOC. Problem (3), while it deals
with a flood of packets, still requires large packets, which could be
the underlying cause of problem (3); therefore, (3) is also MERGED
into this item.

Voting Section
--------------
Possible votes: ACCEPT/MODIFY/NOOP/REVIEWING/RECAST/REJECT
If ACCEPT or MODIFY, include reason for acceptance:
  VERIFIED-BY-MY-ORG, ACKNOWLEDGED-BY-VENDOR, VERIFIED-BY-SOMEONE-I-TRUST,
  HAS-INDEPENDENT-CONFIRMATION, or provide other reason.

VOTE:
ACCEPT_REASON:

COMMENTS:

======================================================
Candidate: CAN-2002-0888
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2002-0888
Final-Decision:
Interim-Decision:
Modified:
Proposed: 20020830
Assigned: 20020816
Category: SF
Reference: BUGTRAQ:20020527 Vulnerability in 3Com® OfficeConnect® Remote 812 ADSL Router
Reference: URL:http://online.securityfocus.com/archive/1/274239
Reference: BUGTRAQ:20020612 Part II: Vulnerability in 3Com® OfficeConnect® Remote 812 ADSL Router
Reference: URL:http://online.securityfocus.com/archive/1/276586
Reference: BID:4841
Reference: URL:http://www.securityfocus.com/bid/4841
Reference: XF:3com-officeconnect-pat-access(9185)
Reference: URL:http://www.iss.net/security_center/static/9185.php

3Com OfficeConnect Remote 812 ADSL Router, firmware 1.1.9 and 1.1.7,
allows remote attackers to bypass port access restrictions by
connecting to an approved port and quickly connecting to the desired
port, which is allowed by the router.

Analysis
----------------
ED_PRI CAN-2002-0888 3
Vendor Acknowledgement:

Voting Section
--------------
Possible votes: ACCEPT/MODIFY/NOOP/REVIEWING/RECAST/REJECT
If ACCEPT or MODIFY, include reason for acceptance:
  VERIFIED-BY-MY-ORG, ACKNOWLEDGED-BY-VENDOR, VERIFIED-BY-SOMEONE-I-TRUST,
  HAS-INDEPENDENT-CONFIRMATION, or provide other reason.

VOTE:
ACCEPT_REASON:

COMMENTS:

======================================================
Candidate: CAN-2002-0893
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2002-0893
Final-Decision:
Interim-Decision:
Modified:
Proposed: 20020830
Assigned: 20020816
Category: CF
Reference: BUGTRAQ:20020522 Multiple vulnerabilities in NewAtlanta ServletExec ISAPI 4.1
Reference: URL:http://online.securityfocus.com/archive/1/273615
Reference: VULNWATCH:20020522 [VulnWatch] Multiple vulnerabilities in NewAtlanta ServletExec ISAPI 4.1
Reference: URL:http://archives.neohapsis.com/archives/vulnwatch/2002-q2/0077.html
Reference: XF:servletexec-dotdot-directory-traversal(9140)
Reference: URL:http://www.iss.net/security_center/static/9140.php
Reference: BID:4795
Reference: URL:http://www.securityfocus.com/bid/4795

Directory traversal vulnerability in NewAtlanta ServletExec ISAPI 4.1
allows remote attackers to read arbitrary files via a URL-encoded
request to com.newatlanta.servletexec.JSP10Servlet containing "..%5c"
(modified dot-dot) sequences.

Analysis
----------------
ED_PRI CAN-2002-0893 3
Vendor Acknowledgement: unknown discloser-claimed

Voting Section
--------------
Possible votes: ACCEPT/MODIFY/NOOP/REVIEWING/RECAST/REJECT
If ACCEPT or MODIFY, include reason for acceptance:
  VERIFIED-BY-MY-ORG, ACKNOWLEDGED-BY-VENDOR, VERIFIED-BY-SOMEONE-I-TRUST,
  HAS-INDEPENDENT-CONFIRMATION, or provide other reason.

VOTE:
ACCEPT_REASON:

COMMENTS:

======================================================
Candidate: CAN-2002-0894
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2002-0894
Final-Decision:
Interim-Decision:
Modified:
Proposed: 20020830
Assigned: 20020816
Category: CF
Reference: BUGTRAQ:20020522 Multiple vulnerabilities in NewAtlanta ServletExec ISAPI 4.1
Reference: URL:http://online.securityfocus.com/archive/1/273615
Reference: VULNWATCH:20020522 [VulnWatch] Multiple vulnerabilities in NewAtlanta ServletExec ISAPI 4.1
Reference: URL:http://archives.neohapsis.com/archives/vulnwatch/2002-q2/0077.html
Reference: XF:servletexec-long-jsp-dos(9141)
Reference: URL:http://www.iss.net/security_center/static/9141.php
Reference: BID:4796
Reference: URL:http://www.securityfocus.com/bid/4796

NewAtlanta ServletExec ISAPI 4.1 allows remote attackers to cause a
denial of service (crash) via (1) a request for a long .jsp file, or
(2) a long URL sent directly to
com.newatlanta.servletexec.JSP10Servlet.

Analysis
----------------
ED_PRI CAN-2002-0894 3
Vendor Acknowledgement: unknown discloser-claimed

Voting Section
--------------
Possible votes: ACCEPT/MODIFY/NOOP/REVIEWING/RECAST/REJECT
If ACCEPT or MODIFY, include reason for acceptance:
  VERIFIED-BY-MY-ORG, ACKNOWLEDGED-BY-VENDOR, VERIFIED-BY-SOMEONE-I-TRUST,
  HAS-INDEPENDENT-CONFIRMATION, or provide other reason.

VOTE:
ACCEPT_REASON:

COMMENTS:

======================================================
Candidate: CAN-2002-0895
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2002-0895
Final-Decision:
Interim-Decision:
Modified:
Proposed: 20020830
Assigned: 20020816
Category: SF
Reference: BUGTRAQ:20020522 MatuFtpServer Remote Buffer Overflow and Possible DoS
Reference: URL:http://online.securityfocus.com/archive/1/273581
Reference: BID:4792
Reference: URL:http://www.securityfocus.com/bid/4792
Reference: XF:matuftpserver-pass-bo(9138)
Reference: URL:http://www.iss.net/security_center/static/9138.php

Buffer overflow in MatuFtpServer 1.1.3.0 (1.1.3) allows remote
attackers to cause a denial of service and possibly execute arbitrary
code via a long PASS (password) command.

Analysis
----------------
ED_PRI CAN-2002-0895 3
Vendor Acknowledgement:

ACKNOWLEDGEMENT: vendor web page is in Japanese, so acknowledgement
could not be determined.

Voting Section
--------------
Possible votes: ACCEPT/MODIFY/NOOP/REVIEWING/RECAST/REJECT
If ACCEPT or MODIFY, include reason for acceptance:
  VERIFIED-BY-MY-ORG, ACKNOWLEDGED-BY-VENDOR, VERIFIED-BY-SOMEONE-I-TRUST,
  HAS-INDEPENDENT-CONFIRMATION, or provide other reason.

VOTE:
ACCEPT_REASON:

COMMENTS:

======================================================
Candidate: CAN-2002-0896
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2002-0896
Final-Decision:
Interim-Decision:
Modified:
Proposed: 20020830
Assigned: 20020816
Category: SF
Reference: BUGTRAQ:20020515 swatch bug in throttle
Reference: URL:http://online.securityfocus.com/archive/1/272582
Reference: BID:4746
Reference: URL:http://www.securityfocus.com/bid/4746
Reference: XF:swatch-event-reporting-failure(9100)
Reference: URL:http://www.iss.net/security_center/static/9100.php

The throttle capability in Swatch may fail to report certain events if
(1) the same type of event occurs after the throttle period, or (2)
when multiple events matching the same "watchfor" expression do not
occur after the throttle period, which could allow attackers to avoid
detection.

Analysis
----------------
ED_PRI CAN-2002-0896 3
Vendor Acknowledgement:
Content Decisions: SF-LOC

Voting Section
--------------
Possible votes: ACCEPT/MODIFY/NOOP/REVIEWING/RECAST/REJECT
If ACCEPT or MODIFY, include reason for acceptance:
  VERIFIED-BY-MY-ORG, ACKNOWLEDGED-BY-VENDOR, VERIFIED-BY-SOMEONE-I-TRUST,
  HAS-INDEPENDENT-CONFIRMATION, or provide other reason.

VOTE:
ACCEPT_REASON:

COMMENTS:

======================================================
Candidate: CAN-2002-0897
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2002-0897
Final-Decision:
Interim-Decision:
Modified:
Proposed: 20020830
Assigned: 20020816
Category: SF
Reference: VULNWATCH:20020524 [VulnWatch] [SecurityOffice] LocalWeb2000 Web Server Protected File Access Vulnerability
Reference: URL:http://archives.neohapsis.com/archives/vulnwatch/2002-q2/0079.html
Reference: BUGTRAQ:20020524 [SecurityOffice] LocalWeb2000 Web Server Protected File Access Vulnerability
Reference: URL:http://online.securityfocus.com/archive/1/274020
Reference: BID:4820
Reference: URL:http://www.securityfocus.com/bid/4820
Reference: XF:localweb2k-protection-bypass(9165)
Reference: URL:http://www.iss.net/security_center/static/9165.php

LocalWEB2000 2.1.0 web server allows remote attackers to bypass access
restrictions for restricted files via a URL that contains the "/./"
directory.

Analysis
----------------
ED_PRI CAN-2002-0897 3
Vendor Acknowledgement:

ACKNOWLEDGEMENT: email inquiry sent to bugalert@intranet-server.co.uk
on July 28, 2002.

Voting Section
--------------
Possible votes: ACCEPT/MODIFY/NOOP/REVIEWING/RECAST/REJECT
If ACCEPT or MODIFY, include reason for acceptance:
  VERIFIED-BY-MY-ORG, ACKNOWLEDGED-BY-VENDOR, VERIFIED-BY-SOMEONE-I-TRUST,
  HAS-INDEPENDENT-CONFIRMATION, or provide other reason.

VOTE:
ACCEPT_REASON:

COMMENTS:

======================================================
Candidate: CAN-2002-0899
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2002-0899
Final-Decision:
Interim-Decision:
Modified:
Proposed: 20020830
Assigned: 20020816
Category: SF
Reference: VULNWATCH:20020527 [VulnWatch] [SecurityOffice] Falcon Web Server Unauthorized File Disclosure Vulnerability #2
Reference: URL:http://archives.neohapsis.com/archives/vulnwatch/2002-q2/0084.html
Reference: BUGTRAQ:20020527 [SecurityOffice] Falcon Web Server Unauthorized File Disclosure Vulnerability #2
Reference: URL:http://online.securityfocus.com/archive/1/274205
Reference: BID:4833
Reference: URL:http://www.securityfocus.com/bid/4833
Reference: XF:falcon-protected-file-access(9179)
Reference: URL:http://www.iss.net/security_center/static/9179.php

Falcon web server 2.0.0.1021 and earlier allows remote attackers to
bypass access restrictions for protected files via a URL whose
directory portion ends in a . (dot).

Analysis
----------------
ED_PRI CAN-2002-0899 3
Vendor Acknowledgement:

ACKNOWLEDGEMENT: email inquiry sent to support@blueface.com on
2002/07/28.

Voting Section
--------------
Possible votes: ACCEPT/MODIFY/NOOP/REVIEWING/RECAST/REJECT
If ACCEPT or MODIFY, include reason for acceptance:
  VERIFIED-BY-MY-ORG, ACKNOWLEDGED-BY-VENDOR, VERIFIED-BY-SOMEONE-I-TRUST,
  HAS-INDEPENDENT-CONFIRMATION, or provide other reason.

VOTE:
ACCEPT_REASON:

COMMENTS:

======================================================
Candidate: CAN-2002-0900
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2002-0900
Final-Decision:
Interim-Decision:
Modified:
Proposed: 20020830
Assigned: 20020816
Category: SF
Reference: BUGTRAQ:20020524 pks public key server DOS and remote execution
Reference: URL:http://online.securityfocus.com/archive/1/274107
Reference: BID:4828
Reference: URL:http://www.securityfocus.com/bid/4828
Reference: XF:pgp-pks-search-bo(9171)
Reference: URL:http://www.iss.net/security_center/static/9171.php

Buffer overflow in pks PGP public key web server allows remote
attackers to cause a denial of service (crash) and possibly execute
arbitrary code via a long search argument to the lookup capability.

Analysis
----------------
ED_PRI CAN-2002-0900 3
Vendor Acknowledgement:

Voting Section
--------------
Possible votes: ACCEPT/MODIFY/NOOP/REVIEWING/RECAST/REJECT
If ACCEPT or MODIFY, include reason for acceptance:
  VERIFIED-BY-MY-ORG, ACKNOWLEDGED-BY-VENDOR, VERIFIED-BY-SOMEONE-I-TRUST,
  HAS-INDEPENDENT-CONFIRMATION, or provide other reason.

VOTE:
ACCEPT_REASON:

COMMENTS:

======================================================
Candidate: CAN-2002-0901
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2002-0901
Final-Decision:
Interim-Decision:
Modified:
Proposed: 20020830
Assigned: 20020816
Category: SF
Reference: BUGTRAQ:20020527 AMANDA security issues
Reference: URL:http://online.securityfocus.com/archive/1/274215
Reference: XF:amanda-operator-bo(9182)
Reference: URL:http://www.iss.net/security_center/static/9182.php
Reference: XF:amanda-amindexd-bo(9181)
Reference: URL:http://www.iss.net/security_center/static/9181.php
Reference: BID:4836
Reference: URL:http://www.securityfocus.com/bid/4836
Reference: BID:4840
Reference: URL:http://www.securityfocus.com/bid/4840

Multiple buffer overflows in Advanced Maryland Automatic Network Disk
Archiver (AMANDA) 2.3.0.4 allow (1) remote attackers to execute
arbitrary code via long commands to the amindexd daemon, or certain
local users to execute arbitrary code via long command line arguments
to the programs (2) amcheck, (3) amgetidx, (4) amtrmidx, (5)
createindex-dump, or (6) createindex-gnutar.

Analysis
----------------
ED_PRI CAN-2002-0901 3
Vendor Acknowledgement:
Content Decisions: SF-LOC, SF-EXEC

Voting Section
--------------
Possible votes: ACCEPT/MODIFY/NOOP/REVIEWING/RECAST/REJECT
If ACCEPT or MODIFY, include reason for acceptance:
  VERIFIED-BY-MY-ORG, ACKNOWLEDGED-BY-VENDOR, VERIFIED-BY-SOMEONE-I-TRUST,
  HAS-INDEPENDENT-CONFIRMATION, or provide other reason.

VOTE:
ACCEPT_REASON:

COMMENTS:

======================================================
Candidate: CAN-2002-0902
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2002-0902
Final-Decision:
Interim-Decision:
Modified:
Proposed: 20020830
Assigned: 20020816
Category: SF
Reference: BUGTRAQ:20020526 Cross Site Scripting Vulnerability in phpBB2's [IMG] tag and remote avatar
Reference: URL:http://online.securityfocus.com/archive/1/274273
Reference: BID:4858
Reference: URL:http://www.securityfocus.com/bid/4858
Reference: XF:phpbb-bbcode-image-css(9178)
Reference: URL:http://www.iss.net/security_center/static/9178.php

Cross-site scripting vulnerability in phpBB 2.0.0 (phpBB2) allows
remote attackers to execute Javascript as other phpBB users by
including a http:// and a double-quote (") in the [IMG] tag, which
bypasses phpBB's security check, terminates the src parameter of the
resulting HTML IMG tag, and injects the script.

Analysis
----------------
ED_PRI CAN-2002-0902 3
Vendor Acknowledgement: unknown discloser-claimed

ABSTRACTION: while this seems very similar to CAN-2002-0475, that
issue dealt with script in enclosed IMG tags, e.g. [IMG]script[/IMG].
This is a different exploit, *and* a different affected version, so
the issues are SPLIT.

Voting Section
--------------
Possible votes: ACCEPT/MODIFY/NOOP/REVIEWING/RECAST/REJECT
If ACCEPT or MODIFY, include reason for acceptance:
  VERIFIED-BY-MY-ORG, ACKNOWLEDGED-BY-VENDOR, VERIFIED-BY-SOMEONE-I-TRUST,
  HAS-INDEPENDENT-CONFIRMATION, or provide other reason.

VOTE:
ACCEPT_REASON:

COMMENTS:

======================================================
Candidate: CAN-2002-0903
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2002-0903
Final-Decision:
Interim-Decision:
Modified:
Proposed: 20020830
Assigned: 20020816
Category: SF
Reference: BUGTRAQ:20020526 wbbboard 1.1.1 registration _new_users_vulnerability_
Reference: URL:http://online.securityfocus.com/archive/1/274269
Reference: XF:burningboard-bbs-account-hijacking(9177)
Reference: URL:http://www.iss.net/security_center/static/9177.php
Reference: BID:4859
Reference: URL:http://www.securityfocus.com/bid/4859

register.php for WoltLab Burning Board (wbboard) 1.1.1 uses a small
number of random values for the "code" parameter that is provided to
action.php to approve a new registration, along with predictable new
user ID's, which allows remote attackers to hijack new user accounts
via a brute force attack on the new user ID and the code value.

Analysis
----------------
ED_PRI CAN-2002-0903 3
Vendor Acknowledgement:

Voting Section
--------------
Possible votes: ACCEPT/MODIFY/NOOP/REVIEWING/RECAST/REJECT
If ACCEPT or MODIFY, include reason for acceptance:
  VERIFIED-BY-MY-ORG, ACKNOWLEDGED-BY-VENDOR, VERIFIED-BY-SOMEONE-I-TRUST,
  HAS-INDEPENDENT-CONFIRMATION, or provide other reason.

VOTE:
ACCEPT_REASON:

COMMENTS:

======================================================
Candidate: CAN-2002-0905
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2002-0905
Final-Decision:
Interim-Decision:
Modified:
Proposed: 20020830
Assigned: 20020816
Category: SF
Reference: BUGTRAQ:20020529 Informix SE-7.25 /lib/sqlexec Vulnerability
Reference: URL:http://archives.neohapsis.com/archives/bugtraq/2002-05/0270.html
Reference: BID:4891
Reference: URL:http://www.securityfocus.com/bid/4891
Reference: XF:informix-sqlexec-bo(9219)
Reference: URL:http://www.iss.net/security_center/static/9219.php

Buffer overflow in sqlexec for Informix SE-7.25 allows local users to
gain root privileges via a long INFORMIXDIR environment variable.

Analysis
----------------
ED_PRI CAN-2002-0905 3
Vendor Acknowledgement:

Voting Section
--------------
Possible votes: ACCEPT/MODIFY/NOOP/REVIEWING/RECAST/REJECT
If ACCEPT or MODIFY, include reason for acceptance:
  VERIFIED-BY-MY-ORG, ACKNOWLEDGED-BY-VENDOR, VERIFIED-BY-SOMEONE-I-TRUST,
  HAS-INDEPENDENT-CONFIRMATION, or provide other reason.

VOTE:
ACCEPT_REASON:

COMMENTS:

======================================================
Candidate: CAN-2002-0908
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2002-0908
Final-Decision:
Interim-Decision:
Modified:
Proposed: 20020830
Assigned: 20020816
Category: SF
Reference: BUGTRAQ:20020524 Cisco IDS Device Manager 3.1.1 Advisory
Reference: URL:http://archives.neohapsis.com/archives/bugtraq/2002-05/0214.html
Reference: BID:4760
Reference: URL:http://www.securityfocus.com/bid/4760
Reference: XF:cisco-ids-directory-traversal(9174)
Reference: URL:http://www.iss.net/security_center/static/9174.php

Directory traversal vulnerability in the web server for Cisco IDS
Device Manager before 3.1.2 allows remote attackers to read arbitrary
files via a .. (dot dot) in the HTTPS request.

Analysis
----------------
ED_PRI CAN-2002-0908 3
Vendor Acknowledgement: unknown discloser-claimed

Voting Section
--------------
Possible votes: ACCEPT/MODIFY/NOOP/REVIEWING/RECAST/REJECT
If ACCEPT or MODIFY, include reason for acceptance:
  VERIFIED-BY-MY-ORG, ACKNOWLEDGED-BY-VENDOR, VERIFIED-BY-SOMEONE-I-TRUST,
  HAS-INDEPENDENT-CONFIRMATION, or provide other reason.

VOTE:
ACCEPT_REASON:

COMMENTS:

======================================================
Candidate: CAN-2002-0909
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2002-0909
Final-Decision:
Interim-Decision:
Modified:
Proposed: 20020830
Assigned: 20020816
Category: SF
Reference: VULN-DEV:20020531 Mnews 1.22 PoC exploit
Reference: URL:http://marc.theaimsgroup.com/?l=vuln-dev&m=102297259123103&w=2
Reference: BUGTRAQ:20020531 SRT Security Advisory (SRT2002-04-31-1159):  Mnews
Reference: URL:http://archives.neohapsis.com/archives/bugtraq/2002-05/0287.html
Reference: BUGTRAQ:20020531 Mnews 1.22 PoC exploit
Reference: URL:http://marc.theaimsgroup.com/?l=bugtraq&m=102306166201275&w=2
Reference: BID:4899
Reference: URL:http://www.securityfocus.com/bid/4899
Reference: BID:4900
Reference: URL:http://www.securityfocus.com/bid/4900
Reference: XF:mnews-nntp-response-bo(9226)
Reference: URL:http://www.iss.net/security_center/static/9226.php
Reference: XF:mnews-multiple-local-bo(9227)
Reference: URL:http://www.iss.net/security_center/static/9227.php

Multiple buffer overflows in mnews 1.22 and earlier allow (1) a remote
NNTP server to execute arbitrary code via long responses, or local
users can gain privileges via long command line arguments (2) -f, (3)
-n, (4) -D, (5) -M, or (6) -P, or via long environment variables (7)
JNAMES or (8) MAILSERVER.

Analysis
----------------
ED_PRI CAN-2002-0909 3
Vendor Acknowledgement:

Voting Section
--------------
Possible votes: ACCEPT/MODIFY/NOOP/REVIEWING/RECAST/REJECT
If ACCEPT or MODIFY, include reason for acceptance:
  VERIFIED-BY-MY-ORG, ACKNOWLEDGED-BY-VENDOR, VERIFIED-BY-SOMEONE-I-TRUST,
  HAS-INDEPENDENT-CONFIRMATION, or provide other reason.

VOTE:
ACCEPT_REASON:

COMMENTS:

======================================================
Candidate: CAN-2002-0910
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2002-0910
Final-Decision:
Interim-Decision:
Modified:
Proposed: 20020830
Assigned: 20020816
Category: SF
Reference: BUGTRAQ:20020525 Re: Netstd 3.07-17 multiple remote buffer overflows
Reference: URL:http://online.securityfocus.com/archive/1/274143
Reference: BUGTRAQ:20020524 Netstd 3.07-17 multiple remote buffer overflows
Reference: URL:http://online.securityfocus.com/archive/1/273987
Reference: XF:netstd-utilities-bo(9164)
Reference: URL:http://www.iss.net/security_center/static/9164.php
Reference: BID:4816
Reference: URL:http://www.securityfocus.com/bid/4816

Buffer overflows in netstd 3.07-17 package allows remote DNS servers
to execute arbitrary code via a long FQDN reply, as observed in the
utilities (1) linux-ftpd, (2) pcnfsd, (3) tftp, (4) traceroute, or (5)
from/to.

Analysis
----------------
ED_PRI CAN-2002-0910 3
Vendor Acknowledgement:
Content Decisions: INCLUSION, VAGUE

INCLUSION: a followup-post says that the original advisory included
some factual errors, e.g. that netstd 3.07-17 was not on the Debian
platform as claimed by the poster, and bug reports were not filed
despite the poster's indication that the vendor had been contacted. In
conjunction with very little detail about the nature of the
vulnerabilities, perhaps this item does not have enough information to
be included in CVE.

Voting Section
--------------
Possible votes: ACCEPT/MODIFY/NOOP/REVIEWING/RECAST/REJECT
If ACCEPT or MODIFY, include reason for acceptance:
  VERIFIED-BY-MY-ORG, ACKNOWLEDGED-BY-VENDOR, VERIFIED-BY-SOMEONE-I-TRUST,
  HAS-INDEPENDENT-CONFIRMATION, or provide other reason.

VOTE:
ACCEPT_REASON:

COMMENTS:

======================================================
Candidate: CAN-2002-0912
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2002-0912
Final-Decision:
Interim-Decision:
Modified:
Proposed: 20020830
Assigned: 20020816
Category: SF
Reference: DEBIAN:DSA-129
Reference: URL:http://www.debian.org/security/2002/dsa-129
Reference: XF:debian-in-uucpd-dos(9230)
Reference: URL:http://www.iss.net/security_center/static/9230.php
Reference: BID:4910
Reference: URL:http://www.securityfocus.com/bid/4910

in.uucpd UUCP server in Debian GNU/Linux 2.2, and possibly other
operating systems, does not properly terminate long strings, which
allows remote attackers to cause a denial of service, possibly due to
a buffer overflow.

Analysis
----------------
ED_PRI CAN-2002-0912 3
Vendor Acknowledgement: yes advisory
Content Decisions: VAGUE

ACCURACY: while this sounds like a buffer overflow, Debian does not
explicitly say this, which could imply that there is a different
problem.

Voting Section
--------------
Possible votes: ACCEPT/MODIFY/NOOP/REVIEWING/RECAST/REJECT
If ACCEPT or MODIFY, include reason for acceptance:
  VERIFIED-BY-MY-ORG, ACKNOWLEDGED-BY-VENDOR, VERIFIED-BY-SOMEONE-I-TRUST,
  HAS-INDEPENDENT-CONFIRMATION, or provide other reason.

VOTE:
ACCEPT_REASON:

COMMENTS:

======================================================
Candidate: CAN-2002-0915
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2002-0915
Final-Decision:
Interim-Decision:
Modified:
Proposed: 20020830
Assigned: 20020816
Category: SF
Reference: BUGTRAQ:20020528 Xandros based linux autorun -c
Reference: URL:http://archives.neohapsis.com/archives/bugtraq/2002-05/0260.html
Reference: XF:xandros-autorun-view-files(9211)
Reference: URL:http://www.iss.net/security_center/static/9211.php
Reference: BID:4884
Reference: URL:http://www.securityfocus.com/bid/4884

autorun in Xandros based Linux distributions allows local users to
read the first line of arbitrary files via the -c parameter, which
causes autorun to print the first line of the file.

Analysis
----------------
ED_PRI CAN-2002-0915 3
Vendor Acknowledgement: unknown discloser-claimed

Voting Section
--------------
Possible votes: ACCEPT/MODIFY/NOOP/REVIEWING/RECAST/REJECT
If ACCEPT or MODIFY, include reason for acceptance:
  VERIFIED-BY-MY-ORG, ACKNOWLEDGED-BY-VENDOR, VERIFIED-BY-SOMEONE-I-TRUST,
  HAS-INDEPENDENT-CONFIRMATION, or provide other reason.

VOTE:
ACCEPT_REASON:

COMMENTS:

======================================================
Candidate: CAN-2002-0917
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2002-0917
Final-Decision:
Interim-Decision:
Modified:
Proposed: 20020830
Assigned: 20020816
Category: SF
Reference: BUGTRAQ:20020529 CGIscript.net - csPassword.cgi - Multiple Vulnerabilities
Reference: URL:http://online.securityfocus.com/archive/1/274727
Reference: BID:4885
Reference: URL:http://www.securityfocus.com/bid/4885
Reference: XF:cgiscript-cspassword-htpasswd-access(9220)
Reference: URL:http://www.iss.net/security_center/static/9220.php

CGIScript.net csPassword.cgi stores .htpasswd files under the web
document root, which could allow remote authenticated users to
download the file and crack the passwords of other users.

Analysis
----------------
ED_PRI CAN-2002-0917 3
Vendor Acknowledgement: unknown discloser-claimed
Content Decisions: SF-LOC

Voting Section
--------------
Possible votes: ACCEPT/MODIFY/NOOP/REVIEWING/RECAST/REJECT
If ACCEPT or MODIFY, include reason for acceptance:
  VERIFIED-BY-MY-ORG, ACKNOWLEDGED-BY-VENDOR, VERIFIED-BY-SOMEONE-I-TRUST,
  HAS-INDEPENDENT-CONFIRMATION, or provide other reason.

VOTE:
ACCEPT_REASON:

COMMENTS:

======================================================
Candidate: CAN-2002-0918
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2002-0918
Final-Decision:
Interim-Decision:
Modified:
Proposed: 20020830
Assigned: 20020816
Category: SF
Reference: BUGTRAQ:20020529 CGIscript.net - csPassword.cgi - Multiple Vulnerabilities
Reference: URL:http://online.securityfocus.com/archive/1/274727
Reference: XF:cgiscript-cspassword-information-disclosure(9221)
Reference: URL:http://www.iss.net/security_center/static/9221.php
Reference: BID:4887
Reference: URL:http://www.securityfocus.com/bid/4887

CGIScript.net csPassword.cgi leaks sensitive information such as the
pathname of the server in debug messages that are presented when the
script fails, which allows remote attackers to obtain the information
via a "remove" option in the command parameter, which generates an
error.

Analysis
----------------
ED_PRI CAN-2002-0918 3
Vendor Acknowledgement: unknown discloser-claimed
Content Decisions: SF-LOC

Voting Section
--------------
Possible votes: ACCEPT/MODIFY/NOOP/REVIEWING/RECAST/REJECT
If ACCEPT or MODIFY, include reason for acceptance:
  VERIFIED-BY-MY-ORG, ACKNOWLEDGED-BY-VENDOR, VERIFIED-BY-SOMEONE-I-TRUST,
  HAS-INDEPENDENT-CONFIRMATION, or provide other reason.

VOTE:
ACCEPT_REASON:

COMMENTS:

======================================================
Candidate: CAN-2002-0919
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2002-0919
Final-Decision:
Interim-Decision:
Modified:
Proposed: 20020830
Assigned: 20020816
Category: SF
Reference: BUGTRAQ:20020529 CGIscript.net - csPassword.cgi - Multiple Vulnerabilities
Reference: URL:http://online.securityfocus.com/archive/1/274727
Reference: BID:4888
Reference: URL:http://www.securityfocus.com/bid/4888
Reference: XF:cgiscript-cspassword-htaccess-modification(9222)
Reference: URL:http://www.iss.net/security_center/static/9222.php

CGIScript.net csPassword.cgi allows remote authenticated users to
modify the .htaccess file and gain privileges via newlines in the
title field of the edit page.

Analysis
----------------
ED_PRI CAN-2002-0919 3
Vendor Acknowledgement: unknown discloser-claimed
Content Decisions: SF-LOC

Voting Section
--------------
Possible votes: ACCEPT/MODIFY/NOOP/REVIEWING/RECAST/REJECT
If ACCEPT or MODIFY, include reason for acceptance:
  VERIFIED-BY-MY-ORG, ACKNOWLEDGED-BY-VENDOR, VERIFIED-BY-SOMEONE-I-TRUST,
  HAS-INDEPENDENT-CONFIRMATION, or provide other reason.

VOTE:
ACCEPT_REASON:

COMMENTS:

======================================================
Candidate: CAN-2002-0920
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2002-0920
Final-Decision:
Interim-Decision:
Modified:
Proposed: 20020830
Assigned: 20020816
Category: SF
Reference: BUGTRAQ:20020529 CGIscript.net - csPassword.cgi - Multiple Vulnerabilities
Reference: URL:http://online.securityfocus.com/archive/1/274727
Reference: BID:4889
Reference: URL:http://online.securityfocus.com/bid/4889
Reference: XF:cgiscript-cspassword-tmpfile-access(9223)
Reference: URL:http://www.iss.net/security_center/static/9223.php

CGIScript.net csPassword.cgi stores usernames and unencrypted
passwords in the password.cgi.tmp temporary file while modifying data,
which could allow local users (and possibly remote attackers) to gain
privileges by stealing the file before it has been processed.

Analysis
----------------
ED_PRI CAN-2002-0920 3
Vendor Acknowledgement: unknown discloser-claimed
Content Decisions: SF-LOC

Voting Section
--------------
Possible votes: ACCEPT/MODIFY/NOOP/REVIEWING/RECAST/REJECT
If ACCEPT or MODIFY, include reason for acceptance:
  VERIFIED-BY-MY-ORG, ACKNOWLEDGED-BY-VENDOR, VERIFIED-BY-SOMEONE-I-TRUST,
  HAS-INDEPENDENT-CONFIRMATION, or provide other reason.

VOTE:
ACCEPT_REASON:

COMMENTS:

======================================================
Candidate: CAN-2002-0939
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2002-0939
Final-Decision:
Interim-Decision:
Modified:
Proposed: 20020830
Assigned: 20020816
Category: SF
Reference: BUGTRAQ:20020513 nCipher Security Advisory #3: MSCAPI CSP Install Wizard
Reference: URL:http://archives.neohapsis.com/archives/bugtraq/2002-05/0103.html
Reference: XF:mscapi-csp-key-generation(9076)
Reference: URL:http://www.iss.net/security_center/static/9076.php
Reference: BID:4729
Reference: URL:http://online.securityfocus.com/bid/4729

The Install Wizard for nCipher MSCAPI CSP 5.50 does not use Operator
Card Set protected keys when the user requests them but does not
generate the Operator Card Set, which results in a lower protection
level than specified by the user (module protection only).

Analysis
----------------
ED_PRI CAN-2002-0939 3
Vendor Acknowledgement: yes advisory
Content Decisions: SF-LOC

ABSTRACTION: CD:SF-LOC suggests that two problems of the same type,
with different versions, should be SPLIT. The domesticinstall.exe
issue is in 5.50 and 5.54, but the Install Wizard is only in 5.50.

Voting Section
--------------
Possible votes: ACCEPT/MODIFY/NOOP/REVIEWING/RECAST/REJECT
If ACCEPT or MODIFY, include reason for acceptance:
  VERIFIED-BY-MY-ORG, ACKNOWLEDGED-BY-VENDOR, VERIFIED-BY-SOMEONE-I-TRUST,
  HAS-INDEPENDENT-CONFIRMATION, or provide other reason.

VOTE:
ACCEPT_REASON:

COMMENTS:
Page Last Updated or Reviewed: May 22, 2007