CVE Candidates as of 20130516
-----------------------------

Candidates must be reviewed and accepted by the CVE Editorial Board before they can be added to the official CVE list. Therefore, these candidates may be modified or even rejected in the future. They are provided for use by individuals who have a need for an early numbering scheme for items that have not been fully reviewed by the Editorial Board.

======================================================
Name: CVE-1999-0001
Status: Candidate
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-1999-0001
Phase: Modified (20051217)
Category: SF
Reference: CERT:CA-98-13-tcp-denial-of-service
Reference: BUGTRAQ:19981223 Re: CERT Advisory CA-98.13 - TCP/IP Denial of Service
Reference: CONFIRM:http://www.openbsd.org/errata23.html#tcpfix
Reference: OSVDB:5707
Reference: URL:http://www.osvdb.org/5707

ip_input.c in BSD-derived TCP/IP implementations allows remote attackers to cause a denial of service (crash or hang) via crafted packets.

Current Votes:
   MODIFY(1) Frech
   NOOP(2) Northcutt, Wall
   REVIEWING(1) Christey

Voter Comments:
 Christey> A Bugtraq posting indicates that the bug has to do with "short packets with certain options set," so the description should be modified accordingly. But is this the same as CVE-1999-0052? That one is related to nestea (CVE-1999-0257) and probably the one described in
   BUGTRAQ:19981023 nestea v2 against freebsd 3.0-Release
   The patch for nestea is in ip_input.c around line 750. The patches for CVE-1999-0001 are in lines 388&446. So, CVE-1999-0001 is different from CVE-1999-0257 and CVE-1999-0052. The FreeBSD patch for CVE-1999-0052 is in line 750. So, CVE-1999-0257 and CVE-1999-0052 may be the same, though CVE-1999-0052 should be RECAST since this bug affects Linux and other OSes besides FreeBSD.
 Frech> XF:teardrop(338) This assignment was based solely on references to the CERT advisory.
 Christey> The description for BID:190, which links to CVE-1999-0052 (a FreeBSD advisory), notes that the patches provided by FreeBSD in CERT:CA-1998-13 suggest a connection between CVE-1999-0001 and CVE-1999-0052. CERT:CA-1998-13 is too vague to be sure without further analysis.

======================================================
Name: CVE-1999-0004
Status: Candidate
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-1999-0004
Phase: Modified (19990621-01)
Category: SF
Reference: CERT:CA-98.10.mime_buffer_overflows
Reference: XF:outlook-long-name
Reference: SUN:00175
Reference: MS:MS98-008
Reference: URL:http://www.microsoft.com/technet/security/bulletin/ms98-008.asp

MIME buffer overflow in email clients, e.g. Solaris mailtool and Outlook.

Current Votes:
   ACCEPT(8) Baker, Cole, Collins, Dik, Landfield, Magdych, Northcutt, Wall
   MODIFY(1) Frech
   NOOP(1) Christey
   REVIEWING(1) Shostack

Voter Comments:
 Frech> Extremely minor, but I believe e-mail is the correct term. (If you reject this suggestion, I will not be devastated.) :-)
 Christey> This issue seems to have been rediscovered in
   BUGTRAQ:20000515 Eudora Pro & Outlook Overflow - too long filenames again
   http://marc.theaimsgroup.com/?l=bugtraq&m=95842482413076&w=2
   Also see
   BUGTRAQ:19990320 Eudora Attachment Buffer Overflow
   http://marc.theaimsgroup.com/?l=bugtraq&m=92195396912110&w=2
 Christey> CVE-2000-0415 may be a later rediscovery of this problem for Outlook.
 Dik> Sun bug 4163471,
 Christey> ADDREF BID:125
 Christey> BUGTRAQ:19980730 Long Filenames & Lotus Products
   URL:http://marc.theaimsgroup.com/?l=bugtraq&m=90221104526201&w=2

======================================================
Name: CVE-1999-0015
Status: Candidate
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-1999-0015
Phase: Modified (20090302)
Category: SF
Reference: CERT:CA-97.28.Teardrop_Land
Reference: OVAL:oval:org.mitre.oval:def:5579
Reference: URL:http://oval.mitre.org/repository/data/getDef?id=oval:org.mitre.oval:def:5579
Reference: XF:teardrop

Teardrop IP denial of service.

Current Votes:
   ACCEPT(1) Wall
   MODIFY(1) Frech
   REVIEWING(1) Christey

Voter Comments:
 Frech> XF: teardrop-mod
 Christey> Not sure how many separate "instances" of Teardrop there are. See: CVE-1999-0015, CVE-1999-0104, CVE-1999-0257, CVE-1999-0258
 Christey> See the SCO advisory at:
   http://www.securityfocus.com/templates/advisory.html?id=1411
   which may further clarify the issue.
 Christey> MSKB:Q154174
   MSKB:Q154174 (CVE-1999-0015) and MSKB:Q179129 (CVE-1999-0104) indicate that CVE-1999-0015 was fixed in NT SP3, but CVE-1999-0104 was not. Thus CD:SF-LOC suggests that the problems keep separate candidates because one problem appears in a different version than the other.
 Christey> BID:124
   http://www.securityfocus.com/bid/124
   Consider MSKB:Q154174
   http://support.microsoft.com/support/kb/articles/q154/1/74.asp
   Consider BUGTRAQ:19971113 Linux IP fragment overlap bug
   http://www.securityfocus.com/archive/1/8014

======================================================
Name: CVE-1999-0020
Status: Candidate
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-1999-0020
Phase: Modified (20050204)
Category: SF

** REJECT **
DO NOT USE THIS CANDIDATE NUMBER. ConsultIDs: CVE-1999-0032. Reason: This candidate is a duplicate of CVE-1999-0032. Notes: All CVE users should reference CVE-1999-0032 instead of this candidate. All references and descriptions in this candidate have been removed to prevent accidental usage.

Current Votes:
   MODIFY(1) Frech
   NOOP(4) Levy, Northcutt, Shostack, Wall
   REJECT(2) Baker, Christey

Voter Comments:
 Frech> XF:lpr-bo
 Christey> DUPE CVE-1999-0032, which includes XF:lpr-bo

======================================================
Name: CVE-1999-0030
Status: Candidate
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-1999-0030
Phase: Proposed (19990623)
Category: SF
Reference: CERT:CA-97.21.sgi_buffer_overflow
Reference: AUSCERT:AA-97.24.IRIX.xlock.buffer.overflow.vul
Reference: XF:sgi-xlockbo
Reference: SGI:19970508-02-PX

root privileges via buffer overflow in xlock command on SGI IRIX systems.

Current Votes:
   ACCEPT(3) Levy, Ozancin, Prosser
   NOOP(1) Baker
   RECAST(1) Frech
   REJECT(1) Christey

Voter Comments:
 Frech> XF:xlock-bo (also add) As per xlock-bo, also appears on AIX, BSDI, DG/UX, FreeBSD, Solaris, and several Linii. Also, don't you mean to cite SGI:19970502-02-PX? The one you list is login/scheme.
 Levy> Notice that this xlock overflow is the same as in CA-97.13. CA-97.21 simply is a reminder.
 Christey> As pointed out by Elias, CA-97.21 states: "For more information about vulnerabilities in xlock... see CA-97.13" CA-97.13 = CVE-1999-0038. This may also be a duplicate with CVE-1999-0306. See exploits at:
   http://marc.theaimsgroup.com/?l=bugtraq&m=87602167418394&w=2
   http://marc.theaimsgroup.com/?l=bugtraq&m=87602167418404&w=2
   Sun also has this problem, at
   http://sunsolve.sun.com/pub-cgi/retrieve.pl?doctype=coll&doc=secbull/150&type=0&nav=sec.sba

======================================================
Name: CVE-1999-0033
Status: Candidate
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-1999-0033
Phase: Modified (20040811)
Category: SF
Reference: CERT:CA-97.18.at
Reference: SUN:00160
Reference: XF:sun-atbo

Command execution in Sun systems via buffer overflow in the at program.
Current Votes:
   ACCEPT(8) Baker, Cole, Collins, Dik, Hill, Northcutt, Shostack, Wall
   NOOP(1) Christey
   RECAST(1) Frech

Voter Comments:
 Frech> This vulnerability also manifests itself for the following platforms: AIX, HPUX, IRIX, Solaris, SCO, NCR MP-RAS. In this light, please add the following:
   Reference: XF:at-bo
 Dik> Sun bug 1265200, 4063161
 Christey> ADDREF SGI:19971102-01-PX
   ftp://patches.sgi.com/support/free/security/advisories/19971102-01-PX
   SCO:SB.97:01
   ftp://ftp.sco.com/SSE/security_bulletins/SB.97:01a
 Christey> CIAC:F-15
   http://ciac.llnl.gov/ciac/bulletins/f-15.shtml
   HP:HPSBUX9502-023
 Christey> Add period to the end of the description.

======================================================
Name: CVE-1999-0061
Status: Candidate
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-1999-0061
Phase: Proposed (19990630)
Category: SF
Reference: NAI:NAI-20
Reference: XF:bsd-lpd

File creation and deletion, and remote execution, in the BSD line printer daemon (lpd).

Current Votes:
   ACCEPT(3) Frech, Hill, Northcutt
   RECAST(1) Baker
   REVIEWING(1) Christey

Voter Comments:
 Christey> This should be split into three separate problems based on the SNI advisory. But there's newer information to further complicate things. What do we do about this one? In 1997 or so, SNI did an advisory on this problem. In early 2000, it was still discovered to be present in some Linux systems. So an SF-DISCOVERY content decision might say that this is a long enough time between the two, so this should be recorded separately. But they're the same codebase... so if we keep them in the same entry, how do we make sure that this entry reflects that some new information has been discovered? The use of dot notation may help in this regard, to use one dot for the original problem as discovered in 1997, and another dot for the resurgence of the problem in 2000.
 Baker> We should merge these.
 Christey> Perhaps this should be NAI-19 instead of NAI-20? The original Bugtraq post for the SNI advisory suggests SNI-19:
   BUGTRAQ:19971002 SNI-19:BSD lpd vulnerability
   URL:SNI-19:BSD lpd vulnerability
   Also add:
   BUGTRAQ:19971021 SNI-19: BSD lpd vulnerabilities (UPDATE)
   URL:http://marc.theaimsgroup.com/?l=bugtraq&m=87747479514310&w=2
   However, archives of "NAI-0020" point to the lpd vuln. If I recall correctly, some of the NAI advisory numbers got switched when NAI acquired SNI.

======================================================
Name: CVE-1999-0076
Status: Candidate
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-1999-0076
Phase: Modified (19990925-01)
Category: SF
Reference: XF:ftp-args

Buffer overflow in wu-ftp from PASV command causes a core dump.

Current Votes:
   ACCEPT(3) Baker, Frech, Ozancin
   NOOP(1) Balinsky
   REVIEWING(1) Christey

Voter Comments:
 Balinsky> Don't know what this is. Is this the LIST Core dump vulnerability?
 Christey> Need to add more references and details.

======================================================
Name: CVE-1999-0078
Status: Candidate
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-1999-0078
Phase: Modified (19990621-01)
Category: SF
Reference: CERT:CA-96.08.pcnfsd
Reference: XF:rpc-pcnfsd

pcnfsd (aka rpc.pcnfsd) allows local users to change file permissions, or execute arbitrary commands through arguments in the RPC call.

Current Votes:
   ACCEPT(5) Collins, Frech, Landfield, Northcutt, Shostack
   NOOP(1) Baker
   RECAST(1) Christey

Voter Comments:
 Christey> This candidate should be SPLIT, since there are two separate software flaws. One is a symlink race and the other is a shell metacharacter problem.
 Christey> The permissions part of this vulnerability appears to overlap with CVE-1999-0353
 Christey> SGI:20020802-01-I

======================================================
Name: CVE-1999-0086
Status: Candidate
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-1999-0086
Phase: Interim (19990630)
Category: SF
Reference: ERS:ERS-SVA-E01-1998:001.1
Reference: XF:ibm-routed

AIX routed allows remote users to modify sensitive files.

Current Votes:
   ACCEPT(2) Northcutt, Shostack
   MODIFY(2) Frech, Prosser
   NOOP(1) Baker
   REJECT(1) Christey

Voter Comments:
 Frech> Reference: XF:ibm-routed
 Prosser> This vulnerability allows debug mode to be turned on which is the problem. Should this be more specific in the description? This one also affects SGI OSes, ref SGI Security Advisory 19981004-PX which is in the SGI cluster, shouldn't these be cross-referenced as the same vuln affects multiple OSes.
 Christey> This appears to be subsumed by CVE-1999-0215

======================================================
Name: CVE-1999-0088
Status: Candidate
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-1999-0088
Phase: Proposed (19990617)
Category: SF
Reference: ERS:ERS-SVA-E01-1998:004.1
Reference: URL:http://www-1.ibm.com/services/brs/brspwhub.nsf/advisories/852567CC004F9038852566BF007B6393/$file/ERS-SVA-E01-1998_004_1.txt

IRIX and AIX automountd services (autofsd) allow remote users to execute root commands.

Current Votes:
   ACCEPT(2) Northcutt, Shostack
   MODIFY(2) Frech, Prosser
   RECAST(1) Baker
   REVIEWING(1) Christey

Voter Comments:
 Frech> ERS (and other references, BTW) explicitly stipulate 'local and remote'.
   Reference: XF:irix-autofsd
 Prosser> Include the SGI Alert as well since it is mentioned in the description. SGI Security Advisory 19981005-01-PX
 Christey> DUPE CVE-1999-0210?
 Christey> ADDREF CIAC:J-014
 Baker> It does look very similar to 1999-0210. Perhaps they should be a single entry

======================================================
Name: CVE-1999-0089
Status: Candidate
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-1999-0089
Phase: Interim (19990630)
Category: SF
Reference: ERS:ERS-SVA-E01-1997:005.1
Reference: XF:ibm-libDtSvc

Buffer overflow in AIX libDtSvc library can allow local users to gain root access.

Current Votes:
   ACCEPT(2) Northcutt, Shostack
   MODIFY(2) Frech, Prosser
   RECAST(1) Baker
   REVIEWING(1) Christey

Voter Comments:
 Frech> Reference: XF:ibm-libDtSvc
 Prosser> The overflow is in the dtaction utility. Also affects dtaction in the CDE on versions of SunOS (SUN 164). Probably should be specific.
 Christey> Same Codebase as CVE-1999-0121, so the two entries should be merged.

======================================================
Name: CVE-1999-0092
Status: Candidate
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-1999-0092
Phase: Proposed (19990623)
Category: SF
Reference: ERS:ERS-SVA-E01-1997:006.1

Various vulnerabilities in the AIX portmir command allows local users to obtain root access.

Current Votes:
   ACCEPT(2) Baker, Bollinger
   MODIFY(1) Frech
   NOOP(1) Ozancin

Voter Comments:
 Frech> XF:ibm-portmir

======================================================
Name: CVE-1999-0098
Status: Candidate
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-1999-0098
Phase: Proposed (19990726)
Category: SF
Reference: XF:smtp-helo-bo

Buffer overflow in SMTP HELO command in Sendmail allows a remote attacker to hide activities.

Current Votes:
   MODIFY(2) Baker, Frech
   NOOP(1) Wall
   REVIEWING(1) Christey

Voter Comments:
 Frech> (Accept XF reference.) Our references do not mention hiding activities. This issue can crash the SMTP server or execute arbitrary byte-code. Is there another reference available?
 Christey> Should this be merged with CVE-1999-0284, which is Sendmail with SMTP HELO?
 Christey> BUGTRAQ:19980522 about sendmail 8.8.8 HELO hole
   http://marc.theaimsgroup.com/?l=bugtraq&m=90221101925991&w=2
   BUGTRAQ:19980527 about sendmail 8.8.8 HELO hole
   http://marc.theaimsgroup.com/?l=bugtraq&m=90221101926003&w=2
 Baker> Apparently this XF reference is not for this issue, but for the other issue. This should be modified to have the Bugtraq references, and remove the XF reference.

======================================================
Name: CVE-1999-0104
Status: Candidate
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-1999-0104
Phase: Modified (20090302)
Category: SF
Reference: CERT:CA-97.28.Teardrop_Land
Reference: OVAL:oval:org.mitre.oval:def:5743
Reference: URL:http://oval.mitre.org/repository/data/getDef?id=oval:org.mitre.oval:def:5743
Reference: XF:teardrop-mod

A later variation on the Teardrop IP denial of service attack, a.k.a. Teardrop-2.

Current Votes:
   ACCEPT(2) Frech, Wall
   REVIEWING(1) Christey

Voter Comments:
 Wall> Another reference is Microsoft Knowledge Base Q179129.
 Christey> Not sure how many separate "instances" of Teardrop there are. See: CVE-1999-0015, CVE-1999-0104, CVE-1999-0257, CVE-1999-0258
 Christey> See the SCO advisory at:
   http://www.securityfocus.com/templates/advisory.html?id=1411
   which may further clarify the issue.
 Christey> MSKB:Q179129
   http://support.microsoft.com/support/kb/articles/q179/1/29.asp
 Christey> MSKB:Q179129
   http://support.microsoft.com/support/kb/articles/q179/1/29.asp
   Note that the hotfix name is teardrop2, but the keywords included in the KB article specifically name bonk (CVE-1999-0258) and boink. Since teardrop2 was fixed in a slightly different version (at least in a separate patch) than Teardrop, CD:SF-LOC suggests keeping them separate.
 Christey> Add period to the end of the description.
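The two Teardrop candidates (CVE-1999-0015 and CVE-1999-0104) describe the attack only as an IP denial of service; the "Linux IP fragment overlap bug" thread cited under CVE-1999-0015 names the mechanism. The following is an added example and is not part of the CVE records or of any vendor's code. It parses IPv4 fragment headers and flags the overlap pattern Teardrop relies on: a fragment whose offset lands inside data already received but which ends before that data does, so that a reassembler that trims the overlapping prefix by subtraction ends up with a negative length. The packet bytes, addresses, fragment sizes and function names are constructed for the example; only the header layout is the real IPv4 one.

```python
"""Overlapping-fragment check for IPv4 reassembly (added example, not CVE/vendor code)."""
import struct
from collections import defaultdict
from typing import Dict, Iterable, List, Optional

IP_MF = 0x2000       # "more fragments" flag in the flags/offset field
IP_OFFMASK = 0x1FFF  # fragment offset, in 8-byte units


def parse_ipv4(pkt: bytes) -> dict:
    """Extract the fields a reassembler needs from a raw IPv4 packet.

    Length fields are cross-checked first: a reassembler that trusts
    total_length blindly is the one that later copies a bogus amount.
    """
    if len(pkt) < 20:
        raise ValueError("truncated IPv4 header")
    (vihl, _tos, total_len, ident, flags_off, _ttl, proto, _csum,
     src, dst) = struct.unpack("!BBHHHBBH4s4s", pkt[:20])
    if vihl >> 4 != 4:
        raise ValueError("not IPv4")
    ihl = (vihl & 0x0F) * 4
    if ihl < 20 or total_len < ihl or total_len > len(pkt):
        raise ValueError("inconsistent header/total length")
    return {
        "key": (src, dst, ident, proto),          # identifies the reassembly queue
        "offset": (flags_off & IP_OFFMASK) * 8,   # byte offset of this payload
        "length": total_len - ihl,                # payload bytes in this fragment
        "more": bool(flags_off & IP_MF),
    }


def build_fragment(ident: int, offset: int, payload: bytes, more: bool,
                   src: bytes = b"\x0a\x00\x00\x01",
                   dst: bytes = b"\x0a\x00\x00\x02", proto: int = 17) -> bytes:
    """Build a minimal IPv4 fragment as constructed test input (checksum left 0)."""
    if offset % 8:
        raise ValueError("fragment offset must be a multiple of 8")
    flags_off = (IP_MF if more else 0) | (offset // 8)
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), ident,
                      flags_off, 64, proto, 0, src, dst)
    return hdr + payload


def find_overlap(frags: Iterable[dict]) -> Optional[str]:
    """Return None if the fragments tile the datagram without overlap, else a
    short reason. The Teardrop case is the one where the naive
    "trim the overlapping prefix" arithmetic goes negative."""
    end = 0  # first byte not yet covered by earlier fragments
    for f in sorted(frags, key=lambda f: f["offset"]):
        if f["length"] == 0:
            return "zero-length fragment"
        if f["offset"] < end:
            # naive reassembler: cur_len -= (prev_end - cur_offset)
            trimmed = (f["offset"] + f["length"]) - end
            if trimmed < 0:
                return (f"negative length after trim ({trimmed}): fragment at "
                        f"{f['offset']}+{f['length']} inside earlier data ending at {end}")
            return f"overlap: fragment at {f['offset']} overlaps earlier data ending at {end}"
        end = f["offset"] + f["length"]
    return None


def check_packets(packets: Iterable[bytes]) -> Dict[tuple, Optional[str]]:
    """Group raw packets into reassembly queues and report a verdict per queue."""
    queues: Dict[tuple, List[dict]] = defaultdict(list)
    for pkt in packets:
        f = parse_ipv4(pkt)
        queues[f["key"]].append(f)
    return {key: find_overlap(frags) for key, frags in queues.items()}


if __name__ == "__main__":
    # constructed traffic: one clean datagram and one Teardrop-shaped pair
    clean = [build_fragment(1, 0, b"A" * 24, True), build_fragment(1, 24, b"B" * 8, False)]
    teardrop = [build_fragment(2, 0, b"A" * 36, True), build_fragment(2, 24, b"B" * 4, False)]
    for key, verdict in check_packets(clean + teardrop).items():
        print("id", key[2], "->", verdict or "ok")
```

The check rejects any overlap, not just the negative-length shape, because a reassembler that has to reason about which overlapping bytes win is already in the territory the records above describe; dropping the whole queue on overlap is the simpler property to defend.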
======================================================
Name: CVE-1999-0105
Status: Candidate
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-1999-0105
Phase: Proposed (19990726)
Category: SF

finger allows recursive searches by using a long string of @ symbols.

Current Votes:
   MODIFY(3) Baker, Frech, Shostack
   NOOP(1) Christey
   REJECT(1) Northcutt

Voter Comments:
 Shostack> fingerD
 Frech> XF:finger-bomb
 Christey> aka redirection or forwarding requests? (but then might overlap CVE-1999-0106)
 Baker> should change description to indicate the recursive searching can consume enough system resources to cause a DoS.

======================================================
Name: CVE-1999-0106
Status: Candidate
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-1999-0106
Phase: Proposed (19990726)
Category: SF

Finger redirection allows finger bombs.

Current Votes:
   ACCEPT(1) Northcutt
   MODIFY(2) Frech, Shostack
   RECAST(1) Baker
   REVIEWING(1) Christey

Voter Comments:
 Shostack> fingerd allows redirection. This is a larger modification, since there are two applications of the vulnerability, one that I can finger anonymously, and the other that I can finger bomb anonymously.
 Frech> XF:finger-bomb
 Christey> need more refs
 Baker> This should be merged with 1999-0105

======================================================
Name: CVE-1999-0107
Status: Candidate
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-1999-0107
Phase: Modified (19991223-01)
Category: SF
Reference: XF:apache-dos
Reference: BUGTRAQ:19971230 Apache DoS attack?

Buffer overflow in Apache 1.2.5 and earlier allows a remote attacker to cause a denial of service with a large number of GET requests containing a large number of / characters.

Current Votes:
   ACCEPT(1) Baker
   MODIFY(1) Frech
   NOOP(3) Northcutt, Shostack, Wall
   REVIEWING(1) Levy
   REVOTE(1) Christey

Voter Comments:
 Wall> - Although this is probably the phf hack.
 Frech> XF:apache-dos
 Christey> This sounds like the incident reported in:
   NTBUGTRAQ:20000810 Apache Distributed Denial of Service
 Levy> I believe this is the problem where sending lots of HTTP headers to Apache resulted in a denial of service.
   BUGTRAQ: http://www.securityfocus.com/archive/1/10228
   BUGTRAQ: http://www.securityfocus.com/archive/1/10516

======================================================
Name: CVE-1999-0110
Status: Candidate
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-1999-0110
Phase: Interim (19990810)
Category: SF

** REJECT **
DO NOT USE THIS CANDIDATE NUMBER. ConsultIDs: CVE-1999-0315. Reason: This candidate's original description had a typo that delayed it from being detected as a duplicate of CVE-1999-0315. Notes: All CVE users should reference CVE-1999-0315 instead of this candidate. All references and descriptions in this candidate have been removed to prevent accidental usage.

Current Votes:
   MODIFY(1) Frech
   NOOP(4) Levy, Northcutt, Shostack, Wall
   REJECT(3) Baker, Christey, Dik

Voter Comments:
 Frech> XF:fdformat-bo
 Christey> Duplicate of CVE-1999-0315
 Dik> dup

======================================================
Name: CVE-1999-0114
Status: Candidate
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-1999-0114
Phase: Modified (20000106-01)
Category: SF
Reference: BUGTRAQ:19990912 elm filter program
Reference: BUGTRAQ:19951226 filter (elm package) security hole
Reference: XF:elm-filter2

Local users can execute commands as other users, and read other users' files, through the filter command in the Elm elm-2.4 mail package using a symlink attack.
Current Votes:
   ACCEPT(7) Armstrong, Bishop, Blake, Cole, Landfield, Shostack, Wall
   MODIFY(2) Baker, Frech
   NOOP(3) Christey, Northcutt, Ozancin
   REVIEWING(1) Levy

Voter Comments:
 Frech> XF:elm-filter2
 CHANGE> [Wall changed vote from NOOP to ACCEPT]
 Landfield> with Frech modifications
 Baker> ADD REF http://www.cert.org/ftp/cert_bulletins/VB-95:10a.elm Official Advisory
 Christey> The correct URL is http://www.cert.org/vendor_bulletins/VB-95:10a.elm Need to make sure that this CERT advisory describes the right problem, especially since the CERT advisory is dated December 18, 1995 and the original Bugtraq post was December 26, 1995.
 Christey> BID:1802
   URL:http://www.securityfocus.com/bid/1802
   BID:1802 doesn't include the 1999 posting - does Security Focus think that the 1999 post describes a different vulnerability?
 Christey> XF:elm-filter2 isn't on the X-Force web site. How about XF:elm-filter(402)? Its references point to the December 26, 1995 Bugtraq post. Also consider CIAC:G-36 and CERT:VB-95:10
 Frech> DELREF:XF:elm-filter2(711) ADDREF:XF:elm-filter(402)

======================================================
Name: CVE-1999-0119
Status: Candidate
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-1999-0119
Phase: Proposed (19990728)
Category: SF

Windows NT 4.0 beta allows users to read and delete shares.

Current Votes:
   MODIFY(1) Frech
   NOOP(2) Baker, Northcutt
   REJECT(1) Wall

Voter Comments:
 Wall> Reject based on beta copy.
 Frech> XF:nt-beta(11) Reconsider reject, because this beta was in widespread use.

======================================================
Name: CVE-1999-0121
Status: Candidate
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-1999-0121
Phase: Proposed (19990617)
Category: SF
Reference: SUN:00164
Reference: ERS:ERS-SVA-E01-1997:005.1

Buffer overflow in dtaction command gives root access.

Current Votes:
   ACCEPT(2) Dik, Northcutt
   MODIFY(3) Baker, Frech, Prosser
   REVIEWING(1) Christey

Voter Comments:
 Frech> Reference: XF:dtaction-bo
   Reference: XF:sun-dtaction
 Prosser> Buffer overflow also affects /usr/dt/bin/dtaction in libDtSvc.a library in AIX 4.x, but reference for this Sun vulnerability should only reflect the Sun Bulletin or the CIAC I-032 version of the Sun Bulletin
 Christey> This is the Same Codebase as CVE-1999-0089, so the two entries should be merged.
 Frech> Replace sun-dtaction(732) with dtaction-bo(879)
 Baker> Merge with 1999-0089

======================================================
Name: CVE-1999-0123
Status: Candidate
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-1999-0123
Phase: Modified (20000105-01)
Category: SF
Reference: XF:linux-mailx
Reference: BUGTRAQ:19951222 mailx-5.5 (slackware /bin/mail) security hole

Race condition in Linux mailx command allows local users to read user files.

Current Votes:
   ACCEPT(3) Baker, Frech, Ozancin
   NOOP(1) Wall

======================================================
Name: CVE-1999-0127
Status: Candidate
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-1999-0127
Phase: Proposed (19990623)
Category: SF
Reference: CERT:CA-96.27.hp_sw_install
Reference: AUSCERT:AA-96.04
Reference: XF:hpux-swinstall

swinstall and swmodify commands in SD-UX package in HP-UX systems allow local users to create or overwrite arbitrary files to gain root access.

Current Votes:
   ACCEPT(2) Baker, Prosser
   MODIFY(1) Frech
   NOOP(1) Christey

Voter Comments:
 Frech> (keep current XF: reference, and add) XF:hpux-sqwmodify
 Christey> Perhaps this should be split, per SF-LOC.
 Christey> CIAC:H-81
   http://ciac.llnl.gov/ciac/bulletins/h-81.shtml
   HP:HPSBUX9707-064 references CERT:CA-96.27
   http://ciac.llnl.gov/ciac/bulletins/h-81.shtml
   The original AUSCERT advisory says that the programs "create files in an insecure manner" and "Exploit details involving this vulnerability have been made publicly available." which leads one to assume that the following original Bugtraq post provides the details for a standard symlink problem:
   BUGTRAQ:19961005 swinst,bug
   http://marc.theaimsgroup.com/?l=bugtraq&m=87602167419941&w=2

======================================================
Name: CVE-1999-0140
Status: Candidate
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-1999-0140
Phase: Proposed (19990630)
Category: SF

Denial of service in RAS/PPTP on NT systems.

Current Votes:
   ACCEPT(1) Hill
   MODIFY(2) Frech, Meunier
   NOOP(1) Baker
   REJECT(1) Christey

Voter Comments:
 Meunier> Add "pptp invalid packet length in header" to distinguish from other vulnerabilities in RAS/PPTP on NT systems resulting in DOS, that might be discovered in the future.
 Frech> XF:nt-ras-bo ONLY IF reference is to MS:MS99-016
 Christey> According to my mappings, this is not the MS:MS99-016 problem referred to by Andre. However, I have yet to dig up a source.
 CHANGE> [Christey changed vote from NOOP to REVIEWING]
 CHANGE> [Christey changed vote from REVIEWING to REJECT]
 Christey> This is too general to know which problem is being discussed. More precise candidates should be created.
 Christey> Consider adding BID:2111

======================================================
Name: CVE-1999-0144
Status: Candidate
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-1999-0144
Phase: Modified (20010301-02)
Category: SF
Reference: BUGTRAQ:19970612 qmail-dos-2.c, another denial of service attack
Reference: URL:http://marc.theaimsgroup.com/?l=bugtraq&m=87602558319024&w=2
Reference: BUGTRAQ:19970612 Re: Denial of service (qmail-smtpd)
Reference: URL:http://marc.theaimsgroup.com/?l=bugtraq&m=87602558319029&w=2
Reference: MISC:http://cr.yp.to/qmail/venema.html
Reference: MISC:http://www.ornl.gov/its/archives/mailing-lists/qmail/1997/06/threads.html
Reference: BID:2237
Reference: URL:http://www.securityfocus.com/bid/2237
Reference: XF:qmail-rcpt
Reference: URL:http://xforce.iss.net/static/208.php

Denial of service in Qmail by specifying a large number of recipients with the RCPT command.

Current Votes:
   ACCEPT(4) Baker, Frech, Hill, Meunier
   REVIEWING(1) Christey

Voter Comments:
 Christey> DUPE CVE-1999-0418 and CVE-1999-0250?
 Christey> Dan Bernstein, author of Qmail, says that this is not a vulnerability in qmail because Unix has built-in resource limits that can restrict the size of a qmail process; other limits can be specified by the administrator. See
   http://cr.yp.to/qmail/venema.html
   Significant discussion of this issue took place on the qmail list. The fundamental question appears to be whether application software should set its own limits, or rely on limits set by the parent operating system (in this case, UNIX). Also, some people said that the only problem was that the suggested configuration was not well documented, but this was refuted by others. See the following threads at
   http://www.ornl.gov/its/archives/mailing-lists/qmail/1997/06/threads.html
   "Denial of service (qmail-smtpd)"
   "qmail-dos-2.c, another denial of service"
   "[PATCH] denial of service"
   "just another qmail denial-of-service"
   "the UNIX way"
   "Time for a reality check"
   Also see Bugtraq threads on a different vulnerability that is related to this topic:
   BUGTRAQ:19990903 Web servers / possible DOS Attack / mime header flooding
   http://archives.neohapsis.com/archives/bugtraq/1998_3/0742.html
 Baker> http://cr.yp.to/qmail/venema.html
   Bernstein rejects this as a vulnerability, claiming this is a slander campaign by Wietse Venema. His page states this is not a qmail problem, rather it is a UNIX problem that many apps can consume all available memory, and that the administrator is responsible to set limits in the OS, rather than expect applications to individually prevent memory exhaustion. CAN 1999-0250 does appear to be a duplicate of this entry, based on the research I have done so far. There were two different bugtraq postings, but the second one references the first, stating that the new exploit uses perl instead of shell scripting to accomplish the same attack/exploit.
 Baker> http://www.securityfocus.com/archive/1/6970
   http://www.securityfocus.com/archive/1/6969
   http://cr.yp.to/qmail/venema.html
   Should probably reject CVE-1999-0250, and add these references to this Candidate.
 Baker> http://www.securityfocus.com/bid/2237
 CHANGE> [Baker changed vote from REVIEWING to ACCEPT]
 Christey> qmail-dos-1.c, as published by Wietse Venema (CVE-1999-0250) in "BUGTRAQ:19970612 Denial of service (qmail-smtpd)", does not use any RCPT commands. Instead, it sends long strings of "X" characters. A followup by "super@UFO.ORG" includes an exploit that claims to do the same thing; however, that exploit does not send long strings of X characters - it sends a large number of RCPT commands. It appears that super@ufo.org followed up to the wrong message.
   NOTE: the ufo.org domain was purchased by another party in 2003, so the current owner is not associated with any statements by "super@ufo.org" that were made before 2003.
   qmail-dos-2.c, as published by Wietse Venema (CVE-1999-0144) in "BUGTRAQ:19970612 qmail-dos-2.c, another denial of service attack" sends a large number of RCPT commands.
   ADDREF BID:2237
   ADDREF BUGTRAQ:19970612 qmail-dos-2.c, another denial of service attack
   ADDREF BUGTRAQ:19970612 Re: Denial of service (qmail-smtpd)
   Also see a related thread:
   BUGTRAQ:19990308 SMTP server account probing
   http://marc.theaimsgroup.com/?l=bugtraq&m=92100018214316&w=2
   This also describes a problem with mail servers not being able to handle too many "RCPT TO" requests. A followup message notes that application-level protection is used in Sendmail to prevent this:
   BUGTRAQ:19990309 Re: SMTP server account probing
   http://marc.theaimsgroup.com/?l=bugtraq&m=92101584629263&w=2
   The person further says, "This attack can easily be prevented with configuration methods."

======================================================
Name: CVE-1999-0154
Status: Candidate
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-1999-0154
Phase: Proposed (20010912)
Category: SF
Reference: MSKB:Q163485
Reference: MSKB:Q164059
Reference: BUGTRAQ:19970220 ! [ADVISORY] Major Security Hole in MS ASP
Reference: XF:http-iis-aspdot
Reference: XF:http-iis-aspsource

IIS 2.0 and 3.0 allows remote attackers to read the source code for ASP pages by appending a . (dot) to the end of the URL.

Current Votes:
   ACCEPT(4) Foat, Frech, Stracener, Wall
   NOOP(3) Baker, Christey, Cole

Voter Comments:
 Christey> This is the precursor to the problem that is identified in CVE-1999-0253.
Christey> CIAC:H-48 URL:http://ciac.llnl.gov/ciac/bulletins/h-48.shtml CHANGE> [Foat changed vote from NOOP to ACCEPT] ====================================================== Name: CVE-1999-0156 Status: Candidate URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-1999-0156 Phase: Proposed (19990714) Category: SF Reference: XF:ftp-pwless wu-ftpd FTP daemon allows any user and password combination. Current Votes: ACCEPT(2) Northcutt, Shostack NOOP(1) Baker RECAST(1) Frech REVIEWING(2) Christey, Prosser Voter Comments: Prosser> but so far can find no reference to this one Frech> Our records indicate that this does not necessarly affect just wu-ftp (ie, also affects IIS FTP server). Christey> The references for XF:ftp-pwless are not specific enough, e.g. in terms of version numbers. Perhaps this candidate should be rejected due to insufficient information. ====================================================== Name: CVE-1999-0163 Status: Candidate URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-1999-0163 Phase: Proposed (19990714) Category: SF Reference: XF:smtp-pipe In older versions of Sendmail, an attacker could use a pipe character to execute root commands. Current Votes: ACCEPT(2) Frech, Northcutt MODIFY(1) Prosser NOOP(2) Baker, Christey RECAST(1) Shostack Voter Comments: Shostack> there was a 'To: |' and a 'From: |' attack, which I think are seperate. Prosser> older vulnerability, but one additional reference is- The Ultimate Sendmail Hole List by Markus Hübner @ bau2.uibk.ac.at/matic/buglist.htm '|PROGRAM ' Christey> Description needs to be more specific to distinguish between this and CVE-1999-0203, as alluded to by Adam Shostack ====================================================== Name: CVE-1999-0165 Status: Candidate URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-1999-0165 Phase: Modified (20040811) Category: SF Reference: XF:nfs-cache NFS cache poisoning. 
Current Votes:
   ACCEPT(3) Baker, Frech, Northcutt
   MODIFY(1) Shostack
   NOOP(1) Prosser
   REVIEWING(1) Christey

Voter Comments:
 Shostack> need more data
 Christey> need more refs
 Christey> Add period to the end of the description.

======================================================
Name: CVE-1999-0169
Status: Candidate
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-1999-0169
Phase: Proposed (19990714)
Category: SF
Reference: XF:nfs-uid

NFS allows attackers to read and write any file on the system by specifying a false UID.

Current Votes:
   ACCEPT(2) Frech, Northcutt
   MODIFY(1) Baker
   REJECT(1) Shostack

Voter Comments:
 Shostack> this is not a vulnerability but a design feature.
 Baker> Maybe we should reword it so that it is clear that this was a problem to something like: "A remote attacker could read/write files to the system with root-level permissions on NFS servers that fail to properly check the UID."

======================================================
Name: CVE-1999-0171
Status: Candidate
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-1999-0171
Phase: Proposed (19990714)
Category: SF
Reference: XF:syslog-flood

Denial of service in syslog by sending it a large number of superfluous messages.

Current Votes:
   ACCEPT(2) Frech, Northcutt
   NOOP(1) Baker
   REJECT(2) Christey, Shostack

Voter Comments:
 Shostack> design issue, not a vulnerability. Alternately, add: DOS on server by opening a large number of telnet sessions.
 Christey> Duplicate of CVE-1999-0566

======================================================
Name: CVE-1999-0186
Status: Candidate
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-1999-0186
Phase: Modified (20071119)
Category: SF
Reference: CONFIRM:http://support.novell.com/cgi-bin/search/searchtid.cgi?/10080762.htm
Reference: SUN:00178
Reference: XF:snmp-backdoor-access

In Solaris, an SNMP subagent has a default community string that allows remote attackers to execute arbitrary commands as root, or modify system parameters.
Current Votes:
   ACCEPT(2) Baker, Dik
   MODIFY(1) Frech
   NOOP(1) Wall
   REVIEWING(1) Christey

Voter Comments:
 Frech> Change XF:snmp-backdoor-access to XF:sol-hidden-commstr
   Add ISS:Hidden Community String in SNMP Implementation
 Christey> What is the proper level of abstraction to use here? Should we have a separate entry for each different default community string? See:
   http://cve.mitre.org/Board_Sponsors/archives/msg00242.html
   and
   http://cve.mitre.org/Board_Sponsors/archives/msg00250.html
   http://cve.mitre.org/Board_Sponsors/archives/msg00251.html
   Until the associated content decisions have been approved by the Editorial Board, this candidate cannot be accepted for inclusion in CVE.
 Christey> ADDREF BID:177
 Christey> ISS:19981102 Hidden community string in SNMP implementation
   http://xforce.iss.net/alerts/advise11.php
   Change description to include "hidden"
 Christey> XF:snmp-backdoor-access is missing.

======================================================
Name: CVE-1999-0187
Status: Candidate
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-1999-0187
Phase: Modified (20050204)
Category: SF

** REJECT ** DO NOT USE THIS CANDIDATE NUMBER. ConsultIDs: CVE-1999-0022. Reason: This candidate is a duplicate of CVE-1999-0022. Notes: All CVE users should reference CVE-1999-0022 instead of this candidate. All references and descriptions in this candidate have been removed to prevent accidental usage.

Current Votes:
   ACCEPT(2) Hill, Northcutt
   RECAST(3) Baker, Frech, Prosser
   REJECT(1) Dik
   REVIEWING(1) Christey

Voter Comments:
 Prosser> The Sun Patches in Ref roll-up fixes for an earlier BO in rdist lookup() (ref CERT 96.14) as well as the BO in rdist function expstr() (ref CERT 97-23) and various vendor bulletins. However both of these rdist BO's affect many more OSs than just Sun, i.e., BSD/OS 2.1, DEC OSF's, AIX, FreeBSD, SCO, SGI, etc.
   Believe this falls into the SF-codebase content decision
 Frech> XF:rdist-bo (error msg formation)
   XF:rdist-bo2 (execute code)
   XF:rdist-bo3 (execute user-created code)
   XF:rdist-sept97 (root from local)
 Christey> Duplicate of CVE-1999-0022 (SUN:00179 is referenced in CERT:CA-97.23.rdist), but as Mike and Andre noted, there are multiple flaws here, so a RECAST may be necessary.
 Dik> As currently phrased, this is a duplicate of CVE-1999-0022
 Baker> Based on our new philosophy, this should be recast/merged or re-described.

======================================================
Name: CVE-1999-0193
Status: Candidate
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-1999-0193
Phase: Proposed (19990714)
Category: SF

Denial of service in Ascend and 3com routers, which can be rebooted by sending a zero length TCP option.

Current Votes:
   ACCEPT(5) Bishop, Cole, Northcutt, Ozancin, Shostack
   MODIFY(2) Baker, Blake
   NOOP(4) Armstrong, Frech, Landfield, Wall
   REVIEWING(2) Christey, Levy

Voter Comments:
 Frech> possibly XF:ascend-kill
   I can't find a reference that lists both routers in the same reference.
 Wall> Comment: There is a reference about the zero length TCP option in BugTraq on Feb 5, 1999 and it mentions Cisco, but not directly Ascend or 3Com. CIAC Advisory I-038 mentions vulnerabilities in Ascend, but does not mention TCP. CIAC Advisory I-052 mentions 3Com vulnerabilities, but not TCP. Too confusing without better references.
 Landfield> What are the references for this? I cannot find a means to check it out.
 CHANGE> [Frech changed vote from REVIEWING to NOOP]
 Frech> Cannot reconcile to our database without further references.
 Blake> I'm with Andre. I only remember and can find reference to the Ascend issue. Do we have a reference to the 3Coms? If not, that should be removed from the description.
 Baker> http://xforce.iss.net/static/614.php Misc Defensive Info
   http://www.securityfocus.com/archive/1/5682 Misc Offensive Info
   http://www.securityfocus.com/archive/1/5647 Misc Defensive Info
   http://www.securityfocus.com/archive/1/5640 Misc Defensive Info
 CHANGE> [Armstrong changed vote from REVIEWING to NOOP]

======================================================
Name: CVE-1999-0195
Status: Candidate
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-1999-0195
Phase: Modified (19991130-01)
Category: SF
Reference: BUGTRAQ:19990128 rpcbind: deceive, enveigle and obfuscate

Denial of service in RPC portmapper allows attackers to register or unregister RPC services or spoof RPC services using a spoofed source IP address such as 127.0.0.1.

Current Votes:
   ACCEPT(2) Balinsky, Shostack
   MODIFY(1) Frech
   NOOP(3) Baker, Northcutt, Wall
   REVIEWING(2) Christey, Levy

Voter Comments:
 Frech> XF:rpcbind-spoof
 Christey> CVE-1999-0195 = CVE-1999-0461 ?
   If this is approved over CVE-1999-0461, make sure it gets XF:pmap-sset

======================================================
Name: CVE-1999-0197
Status: Candidate
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-1999-0197
Phase: Proposed (19990726)
Category: SF

finger 0@host on some systems may print information on some user accounts.

Current Votes:
   ACCEPT(1) Baker
   MODIFY(2) Frech, Shostack
   REJECT(1) Northcutt

Voter Comments:
 Shostack> fingerd may respond to 'finger 0@host' with account info
 Frech> Need more reference to establish this 'exposure'.
 CHANGE> [Frech changed vote from REVIEWING to MODIFY]
 Frech> XF:finger-unused-accounts(8378)
   We're entering it into our database solely to track competition.
   The only references seem to be product listings:
   http://hq.mcafeeasap.com/vulnerabilities/vuln_data/1000.asp (1002 Finger 0@host check)
   http://www.ipnsa.com/ipnsa_vuln.htm?step=1000 (Finger 0@host check)
   http://cgi.nessus.org/plugins/dump.php3?id=10069 (Finger zero at host feature)

======================================================
Name: CVE-1999-0198
Status: Candidate
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-1999-0198
Phase: Proposed (19990726)
Category: SF

finger .@host on some systems may print information on some user accounts.

Current Votes:
   ACCEPT(1) Baker
   MODIFY(2) Frech, Shostack
   REJECT(1) Northcutt

Voter Comments:
 Shostack> as above
 Frech> Need more reference to establish this 'exposure'.
 CHANGE> [Frech changed vote from REVIEWING to MODIFY]
 Frech> XF:finger-unused-accounts(8378)
   We're entering it into our database solely to track competition.
   The only references seem to be product listings:
   http://hq.mcafeeasap.com/vulnerabilities/vuln_data/1000.asp (1004 Finger .@target-host check)
   http://www.ipnsa.com/ipnsa_vuln.htm?step=1000 (Finger .@target-host check)
   http://cgi.nessus.org/plugins/dump.php3?id=10072 (Finger dot at host feature)

======================================================
Name: CVE-1999-0200
Status: Candidate
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-1999-0200
Phase: Modified (19991130-01)
Category: SF
Reference: MSKB:Q137853

Windows NT FTP server (WFTP) with the guest account enabled without a password allows an attacker to log into the FTP server using any username and password.

Current Votes:
   ACCEPT(1) Baker
   MODIFY(2) Frech, Shostack
   NOOP(2) Northcutt, Wall
   REJECT(1) Christey
   REVIEWING(1) Levy

Voter Comments:
 Shostack> WFTP is not sufficient; is this wu-, ws-, war-, or another?
 Frech> Others have mentioned this before, but it may be WU-FTP.
   POSSIBLY XF:ftp-exec; does this have to do with the Site Exec allowing root access without anon FTP or a regular account?
   POSSIBLY XF:wu-ftpd-exec; same as above conditions, but instead from a non-anon FTP account and gain root privs.
 Christey> added MSKB reference
 CHANGE> [Christey changed vote from REVOTE to REJECT]
 Christey> The MSKB article may have confused things even more. There were reports of problems in a Windows-based FTP server called WFTP (http://www.wftpd.com/) that is not a Microsoft FTP server. It's best to just kill this candidate where it stands and start fresh.

======================================================
Name: CVE-1999-0205
Status: Candidate
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-1999-0205
Phase: Modified (19990925-01)
Category: SF
Reference: BUGTRAQ:19990708 SM 8.6.12

Denial of service in Sendmail 8.6.11 and 8.6.12.

Current Votes:
   ACCEPT(2) Hill, Northcutt
   MODIFY(2) Frech, Prosser
   NOOP(1) Baker
   REVIEWING(2) Christey, Ozancin

Voter Comments:
 Frech> XF:sendmail-alias-dos
 Prosser> additional source Bugtraq "Re: SM 8.6.12" http://www.securityfocus.com
 Christey> The Bugtraq thread does not provide any proof, including a comment by Eric Allman that he hadn't been provided any details either. See
   http://www.securityfocus.com/templates/archive.pike?list=1&date=1995-07-8&thread=199507131402.KAA02492@bedbugs.net.ohio-state.edu
   for the thread.
 Christey> Change Bugtraq reference date to 19950708.

======================================================
Name: CVE-1999-0213
Status: Candidate
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-1999-0213
Phase: Modified (20001009-01)
Category: SF
Reference: XF:sun-libnsl
Reference: SUNBUG:4305859

libnsl in Solaris allowed an attacker to perform a denial of service of rpcbind.
Current Votes:
   ACCEPT(6) Blake, Cole, Dik, Hill, Landfield, Ozancin
   MODIFY(3) Baker, Frech, Levy
   NOOP(4) Armstrong, Bishop, Meunier, Wall
   REVIEWING(1) Christey

Voter Comments:
 Frech> XF:sun-libnsl
 Dik> Sun bug #4305859
 Baker> http://xforce.iss.net/static/1204.php Misc Defensive Info
   http://sunsolve.sun.com/pub-cgi/retrieve.pl?doctype=coll&doc=secbull/172&type=0&nav=sec.sba Vendor Info
   http://www-1.ibm.com/services/continuity/recover1.nsf/advisories/A1050E354364BF498525680F0077E414/$file/ERS-OAR-E01-1998_074_1.txt Vendor Info
   http://www.securityfocus.com/archive/1/9749 Misc Defensive Info
 Christey> I don't think this is the bug that everyone thinks it is. This candidate came from CyberCop Scanner 2.4/2.5, which only reports this as a DoS problem. If SUN:00172 is an advisory for this, then it may be a duplicate of CVE-1999-0055. There appears to be overlap with other references as well. HOWEVER, this particular one deals with a DoS in rpcbind - which isn't mentioned in the sources for CVE-1999-0055.
 Levy> BID 148

======================================================
Name: CVE-1999-0216
Status: Candidate
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-1999-0216
Phase: Modified (19991203-01)
Category: SF
Reference: BUGTRAQ:19971130 Linux inetd..
Reference: XF:linux-inetd-dos
Reference: HP:HPSBUX9803-077
Reference: XF:hp-inetd

Denial of service of inetd on Linux through SYN and RST packets.

Current Votes:
   ACCEPT(1) Hill
   MODIFY(2) Baker, Frech
   RECAST(1) Meunier

Voter Comments:
 Meunier> The location of the vulnerability, whether in the Linux kernel or the application, is debatable. Any program making the same (reasonable) assumption is vulnerable, i.e., implements the same vulnerability: "Assumption that TCP-three-way handshake is complete after calling Linux kernel function accept(), which returns socket after getting SYN. Result is process death by SIGPIPE" Moreover, whether it results in DOS (to third parties) depends on the process that made the assumption.
   I think that the present entry should be split, one entry for every application that implements the vulnerability (really describing threat instances, which is what other people think about when we talk about vulnerabilities), and one entry for the Linux kernel that allows the vulnerability to happen.
 Frech> XF:hp-inetd
   XF:linux-inetd-dos
 Baker> Since we have an hpux bulletin, the description should not specifically say Linux, should it? It applies to multiple OS and should be likely either modified, or in extreme case, recast

======================================================
Name: CVE-1999-0220
Status: Candidate
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-1999-0220
Phase: Proposed (19990728)
Category: SF

Attackers can do a denial of service of IRC by crashing the server.

Current Votes:
   NOOP(2) Baker, Northcutt
   REJECT(2) Christey, Frech

Voter Comments:
 Frech> Would reconsider if any references were available.
 Christey> No references available, combined with extremely vague description, equals REJECT.

======================================================
Name: CVE-1999-0222
Status: Candidate
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-1999-0222
Phase: Proposed (19990714)
Category: SF

Denial of service in Cisco IOS web server allows attackers to reboot the router using a long URL.

Current Votes:
   ACCEPT(1) Baker
   MODIFY(3) Frech, Levy, Shostack
   NOOP(3) Balinsky, Northcutt, Wall
   RECAST(1) Ziese
   REJECT(1) Christey

Voter Comments:
 Shostack> I follow cisco announcements and problems pretty closely, and haven't seen this. Source?
 Frech> XF:cisco-web-crash
 Christey> XF:cisco-web-crash has no additional references. I can't find any references in Bugtraq or Cisco either. This bug is supposedly tested by at least one security product, but that product's database doesn't have any references either. So a question becomes, how did it make it into at least two security companies' databases?
 Levy> BUGTRAQ: http://www.securityfocus.com/archive/1/60159
   BID 1154
 Ziese> The vulnerability is addressed by a vendor acknowledgement. This one, if recast to reflect that "...after using a long url..." should be replaced with "...A defect in multiple releases of Cisco IOS software will cause a Cisco router or switch to halt and reload if the IOS HTTP service is enabled, browsing to "http://router-ip/anytext?/" is attempted, and the enable password is supplied when requested. This defect can be exploited to produce a denial of service (DoS) attack." Then I can accept this and mark it as "Verified by my Company". If it can't be recast because this (long uri) is different than our release (special url construction).
 CHANGE> [Christey changed vote from REVIEWING to REJECT]
 Christey> Elias Levy's suggested reference is CVE-2000-0380. I don't think that Kevin's description is really addressing this either. The lack of references and a specific description make this candidate unusable, so it should be rejected.

======================================================
Name: CVE-1999-0226
Status: Candidate
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-1999-0226
Phase: Proposed (19990728)
Category: SF

Windows NT TCP/IP processes fragmented IP packets improperly, causing a denial of service.

Current Votes:
   ACCEPT(1) Northcutt
   MODIFY(1) Frech
   NOOP(1) Baker
   REJECT(1) Christey

Voter Comments:
 Christey> Too general, and no references.
 Frech> XF:nt-frag(528)
   See reference from BugTraq Mailing List, "A New Fragmentation Attack" at
   http://www.securityfocus.com/templates/archive.pike?list=1&date=1997-07-8&msg=Pine.SUN.3.94.970710054440.11707A-100000@dfw.dfw.net

======================================================
Name: CVE-1999-0229
Status: Candidate
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-1999-0229
Phase: Modified (19991228-02)
Category: SF
Reference: MSKB:Q115052

Denial of service in Windows NT IIS server using ..\..
Current Votes:
   ACCEPT(2) Baker, Shostack
   MODIFY(2) Frech, Wall
   NOOP(1) Northcutt
   REJECT(1) Christey
   REVIEWING(1) Levy

Voter Comments:
 Wall> Denial of service in Windows NT IIS Server 1.0 using ..\... Source: Microsoft Knowledge Base Article Q115052 - IIS Server.
 Frech> XF:http-dotdot (not necessarily IIS?)
 Christey> DELREF XF:http-dotdot - it deals with a read/access dot dot problem.
 Christey> This actually looks like XF:iis-dot-dot-crash(1638)
   http://xforce.iss.net/static/1638.php
   If so, include the version number (2.0)
 CHANGE> [Christey changed vote from REVOTE to REJECT]
 Christey> Bill Wall intended to suggest Q155052, but the affected IIS version there is 1.0; the effect is to read files, so this sounds like a directory traversal problem, instead of an inability to process certain strings. As a result, this candidate is too general, since it could apply to 2 different problems, so it should be REJECTed.
 Christey> Consider adding BID:2218

======================================================
Name: CVE-1999-0231
Status: Candidate
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-1999-0231
Phase: Modified (19991207-01)
Category: SF
Reference: BUGTRAQ:19990317 Re: SLMail 2.6 DoS - Imail also

Buffer overflow in IP-Switch IMail and Seattle Labs Slmail 2.6 packages using a long VRFY command, causing a denial of service and possibly remote access.

Current Votes:
   ACCEPT(2) Baker, Levy
   NOOP(3) Christey, Landfield, Northcutt
   RECAST(1) Frech
   REVIEWING(1) Ozancin

Voter Comments:
 Frech> XF:slmail-vrfyexpn-overflow (for Slmail v3.2 and below)
   XF:smtp-vrfy-bo (many mail packages)
 Northcutt> (There is no way I will have access to these systems)
 Christey> Some sources report that VRFY and EXPN are both affected.
======================================================
Name: CVE-1999-0232
Status: Candidate
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-1999-0232
Phase: Modified (19991220-01)
Category: SF

Buffer overflow in NCSA WebServer (version 1.5c) gives remote access.

Current Votes:
   ACCEPT(2) Hill, Northcutt
   MODIFY(1) Frech
   NOOP(1) Prosser
   REJECT(1) Baker
   REVIEWING(1) Christey

Voter Comments:
 Frech> Unable to provide a match due to vague/insufficient description/references. Possible matches are:
   XF:ftp-ncsa (probably not, considering you've mentioned the webserver.)
   XF:http-ncsa-longurl (highest probability)
 Christey> CVE-1999-0235 is the one associated with XF:http-ncsa-longurl
   More research is necessary for this one.
 Baker> Since this has no references at all, and is vague and we have a CAN for the most likely issue, we should kill this one

======================================================
Name: CVE-1999-0235
Status: Candidate
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-1999-0235
Phase: Modified (19991220-01)
Category: SF
Reference: CERT:CA-95:04
Reference: CIAC:F-11

Buffer overflow in NCSA WebServer (1.4.1 and below) gives remote access.

Current Votes:
   ACCEPT(3) Hill, Northcutt, Prosser
   MODIFY(1) Frech
   REJECT(2) Baker, Christey

Voter Comments:
 Frech> XF:http-ncsa-longurl
 Christey> CVE-1999-0235 has the same ref's as CVE-1999-0267
 Baker> Not to mention, the X-force listings of http-ncsa-longurl and http-port both refer to the same problem. This should be rejected as 1999-0267 is the same problem.

======================================================
Name: CVE-1999-0238
Status: Candidate
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-1999-0238
Phase: Proposed (19990623)
Category: SF
Reference: XF:http-cgi-phpfileread

php.cgi allows attackers to read any file on the system.
Current Votes:
   ACCEPT(5) Baker, Collins, Frech, Northcutt, Prosser
   NOOP(1) Christey

Voter Comments:
 Prosser> additional source AUSCERT External Security Bulletin ESB-97.047 http://www.auscert.org.au
 Christey> ADDREF BUGTRAQ:19970416 Update on PHP/FI hole
   URL:http://www.dataguard.no/bugtraq/1997_2/0069.html
   The attacker specifies the filename as an argument to the program. Add "PHP/FI" to description to facilitate search.
   AUSCERT URL is ftp://ftp.auscert.org.au/pub/auscert/ESB/ESB-97.047
 Christey> Consider adding BID:2250

======================================================
Name: CVE-1999-0240
Status: Candidate
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-1999-0240
Phase: Proposed (19990728)
Category: SF

Some filters or firewalls allow fragmented SYN packets with IP reserved bits in violation of their implemented policy.

Current Votes:
   ACCEPT(1) Northcutt
   NOOP(1) Baker
   REJECT(1) Frech

Voter Comments:
 Frech> Would reconsider if any references were available.

======================================================
Name: CVE-1999-0241
Status: Candidate
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-1999-0241
Phase: Modified (19990925-01)
Category: SF
Reference: XF:http-xguess-cookie

Guessable magic cookies in X Windows allows remote attackers to execute commands, e.g. through xterm.

Current Votes:
   ACCEPT(3) Hill, Northcutt, Proctor
   MODIFY(2) Frech, Prosser
   NOOP(1) Baker
   REVIEWING(1) Christey

Voter Comments:
 Frech> Also add to references: XF:sol-mkcookie
 Prosser> additional source Bugtraq "X11 cookie hijacker" http://www.securityfocus.com
 Christey> The cookie hijacker thread has to do with stealing cookies through a file with bad permissions. I'm not sure the X-Force reference identifies this problem either.
 Christey> CIAC:G-04
   URL:http://ciac.llnl.gov/ciac/bulletins/g-04.shtml
   SGI:19960601-01-I
   URL:ftp://patches.sgi.com/support/free/security/advisories/19960601-01-I
   CERT:VB-95:08

======================================================
Name: CVE-1999-0242
Status: Candidate
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-1999-0242
Phase: Modified (20000106-01)
Category: SF
Reference: BUGTRAQ:19951222 mailx-5.5 (slackware /bin/mail) security hole
Reference: XF:linux-pop3d

Remote attackers can access mail files via POP3 in some Linux systems that are using shadow passwords.

Current Votes:
   ACCEPT(1) Baker
   MODIFY(1) Frech
   NOOP(4) Christey, Northcutt, Shostack, Wall
   REVIEWING(1) Levy

Voter Comments:
 Frech> Ambiguous description: need more detail. Possibly:
   XF:linux-pop3d (mktemp() leads to reading e-mail)
 Christey> At first glance this might look like CVE-1999-0123 or CVE-1999-0125, however this particular candidate arises out of a brief mention of the problem in a larger posting which discusses CVE-1999-0123 (which may be the same bug as CVE-1999-0125). See the following phrase in the Bugtraq post: "one such example of this is in.pop3d" However, the original source of this candidate's description explicitly mentions shadowed passwords, though it has no references to help out here.

======================================================
Name: CVE-1999-0243
Status: Candidate
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-1999-0243
Phase: Proposed (19990714)
Category: SF

Linux cfingerd could be exploited to gain root access.

Current Votes:
   ACCEPT(1) Shostack
   NOOP(4) Baker, Levy, Northcutt, Wall
   REJECT(2) Christey, Frech

Voter Comments:
 Christey> This has no sources; neither does the original database that this entry came from. It's a likely duplicate of CVE-1999-0813.
 Frech> I disagree on the dupe; see Linux-Security Mailing List, "[linux-security] Cfinger (Yet more :)" at http://www.geocrawler.com/archives/3/92/1996/9/0/2217716/.
   Seems as if v1.2.3 is vulnerable, perhaps 1.3.0 also. CVE-1999-0813 pertains to 1.4.x and below and shows up two years later.
 CHANGE> [Frech changed vote from REVIEWING to REJECT]
 Frech> If the reference I previously supplied is correct, then it appears as if the poster modified the source using authorized access to make it vulnerable. Modifying the source in this manner does not qualify as being listed a vulnerability.
   I disagree on the dupe; see Linux-Security Mailing List, "[linux-security] Cfinger (Yet more :)" at http://www.geocrawler.com/archives/3/92/1996/9/0/2217716/. Seems as if v1.2.3 is vulnerable, perhaps 1.3.0 also. CVE-1999-0813 pertains to 1.4.x and below and shows up two years later.

======================================================
Name: CVE-1999-0246
Status: Candidate
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-1999-0246
Phase: Proposed (19990630)
Category: SF
Reference: XF:hp-remote

HP Remote Watch allows a remote user to gain root access.

Current Votes:
   ACCEPT(4) Frech, Hill, Northcutt, Prosser
   NOOP(1) Baker
   RECAST(1) Christey

Voter Comments:
 Frech> Comment: Determine if it's RemoteWatch or Remote Watch.
 Christey> HP:HPSBUX9610-039 alludes to multiple vulnerabilities in Remote Watch (the advisory uses two words, not one, for the "Remote Watch" name)
   ADDREF BUGTRAQ:19961015 HP/UX Remote Watch (was Re: BoS: SOD remote exploit)
   URL:http://www.securityfocus.com/templates/archive.pike?list=1&msg=199610151351.JAA18241@grymoire.crd.ge.com
 Prosser> agree that the advisory mentions two vulnerabilities in Remote Watch, one being a socket connection and other with the showdisk utility which seems to be a suid vulnerability. Never get much details on this anywhere since the recommendation is to remove the program since it is obsolete and superseded by later tools. Believe the biggest concern here is to just not run the tool at all.
 Christey> CIAC:H-16
   Also, http://www.cert.org/vendor_bulletins/VB-96.20.hp
   And possibly AUSCERT:AA-96.07 at ftp://ftp.auscert.org.au/pub/auscert/advisory/AA-96.07.HP-UX.Remote.Watch.vul
 Christey> Also BUGTRAQ:19961013 BoS: SOD remote exploit
   http://marc.theaimsgroup.com/?l=bugtraq&m=87602167419969&w=2
   Include "remwatch" in the description to facilitate search.

======================================================
Name: CVE-1999-0249
Status: Candidate
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-1999-0249
Phase: Proposed (19990714)
Category: SF

Windows NT RSHSVC program allows remote users to execute arbitrary commands.

Current Votes:
   ACCEPT(1) Baker
   MODIFY(2) Frech, Wall
   NOOP(2) Northcutt, Shostack
   RECAST(1) Christey
   REVIEWING(1) Levy

Voter Comments:
 Wall> Windows NT Rshsvc.exe from the Windows NT Resource Kit allows remote users to execute arbitrary commands. Source: rshsvc.txt from the Windows NT Resource Kit.
 Frech> XF:rsh-svc
 Christey> MSKB:Q158320, last reviewed in January 1999, refers to a case where remote users coming from authorized machines are allowed access regardless of what .rhosts says. XF:rsh-svc refers to a bug circa 1997 where any remote entity could execute commands as system.

======================================================
Name: CVE-1999-0250
Status: Candidate
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-1999-0250
Phase: Modified (20010301-01)
Category: SF
Reference: BUGTRAQ:19970612 qmail-dos-2.c, another denial of service attack
Reference: URL:http://marc.theaimsgroup.com/?l=bugtraq&m=87602558319024&w=2
Reference: MISC:http://cr.yp.to/qmail/venema.html
Reference: MISC:http://www.ornl.gov/its/archives/mailing-lists/qmail/1997/06/threads.html
Reference: XF:qmail-leng

Denial of service in Qmail through long SMTP commands.

Current Votes:
   ACCEPT(2) Hill, Meunier
   MODIFY(1) Frech
   REJECT(1) Baker
   REVIEWING(1) Christey

Voter Comments:
 Frech> XF:qmail-rcpt
 Christey> DUPE CVE-1999-0418 and CVE-1999-0144?
 Christey> Dan Bernstein, author of Qmail, says that this is not a vulnerability in qmail because Unix has built-in resource limits that can restrict the size of a qmail process; other limits can be specified by the administrator. See http://cr.yp.to/qmail/venema.html
   Significant discussion of this issue took place on the qmail list. The fundamental question appears to be whether application software should set its own limits, or rely on limits set by the parent operating system (in this case, UNIX). Also, some people said that the only problem was that the suggested configuration was not well documented, but this was refuted by others.
   See the following threads at http://www.ornl.gov/its/archives/mailing-lists/qmail/1997/06/threads.html
   "Denial of service (qmail-smtpd)"
   "qmail-dos-2.c, another denial of service"
   "[PATCH] denial of service"
   "just another qmail denial-of-service"
   "the UNIX way"
   "Time for a reality check"
   Also see Bugtraq threads on a different vulnerability that is related to this topic:
   BUGTRAQ:19990903 Web servers / possible DOS Attack / mime header flooding
   http://archives.neohapsis.com/archives/bugtraq/1998_3/0742.html
 Baker> This appears to be the same vulnerability listed in CAN 1999-0144. In reading through both bugtraq postings, the one that is referenced by 0144 is based on a shell code exploit to cause memory exhaustion. The bugtraq posting referenced by this entry refers explicitly to the prior posting for 0144, and states that the same effect could be accomplished by a perl exploit, which was then attached.
 Baker> http://www.securityfocus.com/archive/1/6969 CVE-1999-0144
   http://www.securityfocus.com/archive/1/6970 CVE-1999-0250
   Both references should be added to CVE-1999-0144, and CVE-1999-0250 should likely be rejected.
 CHANGE> [Baker changed vote from REVIEWING to REJECT]
 Christey> XF:qmail-leng no longer exists; check with Andre to see if they regarded it as a duplicate as well.
   qmail-dos-1.c, as published by Wietse Venema (CVE-1999-0250) in "BUGTRAQ:19970612 Denial of service (qmail-smtpd)", does not use any RCPT commands. Instead, it sends long strings of "X" characters. A followup by "super@UFO.ORG" includes an exploit that claims to do the same thing; however, that exploit does not send long strings of X characters - it sends a large number of RCPT commands. It appears that super@ufo.org followed up to the wrong message.
   qmail-dos-2.c, as published by Wietse Venema (CVE-1999-0144) in "BUGTRAQ:19970612 qmail-dos-2.c, another denial of service attack" sends a large number of RCPT commands.
   ADDREF BUGTRAQ:19970612 Denial of service (qmail-smtpd)
   ADDREF BUGTRAQ:19970612 qmail-dos-2.c, another denial of service attack
   Also see a related thread:
   BUGTRAQ:19990308 SMTP server account probing
   http://marc.theaimsgroup.com/?l=bugtraq&m=92100018214316&w=2
   This also describes a problem with mail servers not being able to handle too many "RCPT TO" requests. A followup message notes that application-level protection is used in Sendmail to prevent this:
   BUGTRAQ:19990309 Re: SMTP server account probing
   http://marc.theaimsgroup.com/?l=bugtraq&m=92101584629263&w=2
   The person further says, "This attack can easily be prevented with configuration methods."

======================================================
Name: CVE-1999-0253
Status: Candidate
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-1999-0253
Phase: Modified (20000106-01)
Category: SF
Reference: XF:http-iis-2e
Reference: L0PHT:19970319

IIS 3.0 with the iis-fix hotfix installed allows remote intruders to read source code for ASP programs by using a %2e instead of a . (dot) in the URL.
Current Votes:
   ACCEPT(9) Armstrong, Baker, Bishop, Blake, Cole, Collins, Frech, Landfield, Northcutt
   MODIFY(1) LeBlanc
   NOOP(3) Ozancin, Prosser, Wall
   REVIEWING(1) Christey

Voter Comments:
 Christey> This is a problem that was introduced after patching a previous dot bug with the iis-fix hotfix (see CVE-1999-0154). Since the hotfix introduced the problem, this should be treated as a separate issue.
 Wall> Agree with the comment.
 LeBlanc> - this one is so old, I don't remember it at all and can't verify or deny the issue. If you can find some documentation that says we fixed it (KB article, hotfix, something), then I would change this to ACCEPT
 CHANGE> [Christey changed vote from NOOP to REVIEWING]
 Christey> BID:1814
   URL:http://www.securityfocus.com/bid/1814

======================================================
Name: CVE-1999-0254
Status: Candidate
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-1999-0254
Phase: Proposed (19990726)
Category: SF
Reference: ISS:Hidden SNMP community in HP OpenView
Reference: XF:hpov-hidden-snmp-comm

A hidden SNMP community string in HP OpenView allows remote attackers to modify MIB tables and obtain sensitive information.

Current Votes:
   ACCEPT(2) Baker, Frech
   NOOP(1) Wall
   REVIEWING(1) Christey

Voter Comments:
 Christey> What is the proper level of abstraction to use here? Should we have a separate entry for each different default community string? See:
   http://cve.mitre.org/Board_Sponsors/archives/msg00242.html
   and
   http://cve.mitre.org/Board_Sponsors/archives/msg00250.html
   http://cve.mitre.org/Board_Sponsors/archives/msg00251.html
   Until the associated content decisions have been approved by the Editorial Board, this candidate cannot be accepted for inclusion in CVE.

======================================================
Name: CVE-1999-0255
Status: Candidate
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-1999-0255
Phase: Proposed (19990623)
Category: SF

Buffer overflow in ircd allows arbitrary command execution.
Current Votes:
   ACCEPT(3) Baker, Hill, Northcutt
   MODIFY(1) Frech
   NOOP(1) Prosser
   REJECT(1) Christey

Voter Comments:
 Frech> XF:irc-bo
 Christey> This is too general and doesn't have any references. The XF reference doesn't appear to exist any more. Perhaps this reference would help:
   BUGTRAQ:19970701 ircd buffer overflow
 Baker> It appears that the XForce entry has been corrected, and there is a patch posted in the original bugtraq post.

======================================================
Name: CVE-1999-0257
Status: Candidate
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-1999-0257
Phase: Proposed (19990726)
Category: SF

Nestea variation of teardrop IP fragmentation denial of service.

Current Votes:
   ACCEPT(1) Wall
   MODIFY(1) Frech
   REVIEWING(1) Christey

Voter Comments:
 Frech> XF:nestea-linux-dos
 Christey> Not sure how many separate "instances" of Teardrop and its ilk. Also see comments on CVE-1999-0001.
   See: CVE-1999-0015, CVE-1999-0104, CVE-1999-0257, CVE-1999-0258
   Is CVE-1999-0001 the same as CVE-1999-0052? That one is related to nestea (CVE-1999-0257) and probably the one described in
   BUGTRAQ:19981023 nestea v2 against freebsd 3.0-Release
   The patch for nestea is in ip_input.c around line 750. The patches for CVE-1999-0001 are in lines 388&446. So, CVE-1999-0001 is different from CVE-1999-0257 and CVE-1999-0052. The FreeBSD patch for CVE-1999-0052 is in line 750. So, CVE-1999-0257 and CVE-1999-0052 may be the same, though CVE-1999-0052 should be RECAST since this bug affects Linux and other OSes besides FreeBSD.
   Also see BUGTRAQ:19990909 CISCO and nestea.
   Finally, note that there is no fundamental difference between nestea and nestea2/nestea-v2; they are different ports that exploit the same problem. The original nestea advisory is at http://www.technotronic.com/rhino9/advisories/06.htm but notice that the suggested fix is in line 375 of ip_fragment.c, not ip_input.c.
 Christey> See the SCO advisory at:
   http://www.securityfocus.com/templates/advisory.html?id=1411
   which may further clarify the issue.
 Christey> BUGTRAQ:19980501 nestea does other things
   http://marc.theaimsgroup.com/?l=bugtraq&m=90221101925819&w=2
   BUGTRAQ:19980508 nestea2 and HP Jet Direct cards.
   URL:http://marc.theaimsgroup.com/?l=bugtraq&m=90221101925870&w=2
   BUGTRAQ:19981027 nestea v2 against freebsd 3.0-Release
   URL:http://marc.theaimsgroup.com/?l=bugtraq&m=90951521507669&w=2
   Nestea source code is in MISC:http://oliver.efri.hr/~crv/security/bugs/Linux/ipfrag6.html

======================================================
Name: CVE-1999-0258
Status: Candidate
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-1999-0258
Phase: Proposed (19990726)
Category: SF

Bonk variation of teardrop IP fragmentation denial of service.

Current Votes:
   MODIFY(2) Frech, Wall
   REVIEWING(1) Christey

Voter Comments:
 Wall> Reference Q179129
 Frech> XF:teardrop-mod
 Christey> Not sure how many separate "instances" of Teardrop there are.
   See: CVE-1999-0015, CVE-1999-0104, CVE-1999-0257, CVE-1999-0258
 Christey> See the SCO advisory at:
   http://www.securityfocus.com/templates/advisory.html?id=1411
   which may further clarify the issue.
 Christey> BUGTRAQ:19980108 bonk.c
   URL:http://marc.theaimsgroup.com/?l=bugtraq&m=88429524325956&w=2
   NTBUGTRAQ:19980108 bonk.c
   URL:http://marc.theaimsgroup.com/?l=ntbugtraq&m=88433857200304&w=2
   NTBUGTRAQ:19980109 Re: Bonk.c
   URL:http://marc.theaimsgroup.com/?l=ntbugtraq&m=88441302913269&w=2
   NTBUGTRAQ:19980304 Update on wide-spread NewTear Denial of Service attacks
   URL:http://marc.theaimsgroup.com/?l=ntbugtraq&m=88901842000424&w=2
   BUGTRAQ:19980304 Update on wide-spread NewTear Denial of Service attacks
   URL:http://marc.theaimsgroup.com/?l=bugtraq&m=88903296104349&w=2
   CIAC:I-031a
   http://ciac.llnl.gov/ciac/bulletins/i-031a.shtml
   CERT summary CS-98.02 implies that bonk, boink, and newtear all exploit the same vulnerability.
======================================================
Name: CVE-1999-0261
Status: Candidate
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-1999-0261
Phase: Modified (20000827-01)
Category: SF
Reference: BUGTRAQ:19980504 Netmanage Holes
Reference: MISC:http://www.insecure.org/sploits/netmanage.chameleon.overflows.html

Netmanager Chameleon SMTPd has several buffer overflows that cause a crash.

Current Votes:
   ACCEPT(1) Baker
   MODIFY(2) Frech, Landfield
   NOOP(3) Christey, Northcutt, Ozancin

Voter Comments:
 Frech> XF:chamelion-smtp-dos
 Landfield> - Specify what "a crash" means.
 Christey> ADDREF XF:chameleon-smtp-dos ? (but it's not on the web site)
 Christey> Consider adding BID:2387

======================================================
Name: CVE-1999-0271
Status: Candidate
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-1999-0271
Phase: Modified (19990925-01)
Category: SF
Reference: BUGTRAQ:19980115 pnserver exploit..
Reference: BUGTRAQ:19980817 Re: Real Audio Server Version 5 bug?

Progressive Networks Real Video server (pnserver) can be crashed remotely.

Current Votes:
   ACCEPT(3) Baker, Blake, Northcutt
   MODIFY(1) Frech
   NOOP(1) Prosser
   REVIEWING(1) Christey

Voter Comments:
 Christey> Problem confirmed by RealServer vendor (URL listed in Bugtraq posting), but may be multiple codebases since several Real Audio servers are affected. Also, this may be the same as BUGTRAQ:19991105 RealNetworks RealServer G2 buffer overflow. See CVE-1999-0896
 CHANGE> [Frech changed vote from REVIEWING to MODIFY]
 Frech> ADDREF XF:realvideo-telnet-dos

======================================================
Name: CVE-1999-0282
Status: Candidate
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-1999-0282
Phase: Modified (20050830)
Category:

** REJECT ** DO NOT USE THIS CANDIDATE NUMBER. ConsultIDs: CVE-1999-1584, CVE-1999-1586. Reason: This candidate combined references from one issue with the description from another issue.
Notes: Users should consult CVE-1999-1584 and CVE-1999-1586 to obtain the appropriate name. All references and descriptions in this candidate have been removed to prevent accidental usage.

Current Votes:
   ACCEPT(2) Baker, Dik
   MODIFY(1) Frech
   NOOP(1) Ozancin
   RECAST(1) Prosser
   REJECT(1) Christey

Voter Comments:
 Frech> XF:sun-loadmodule
   XF:sun-modload (CERT CA-93.18 very old!)
 Prosser> Believe the reference given, 95-12, is referencing a later loadmodule(8) setuid problem in the X11/NeWS windowing system. There is an earlier, similar setuid vulnerability in the CA-93.18, CIAC G-02 advisories for the SunOS 4.1.x/Solbourne and OpenWindow 3.0. In fact, there may be the same as the HP patches are 100448-02 for the 93 loadmodule/modload vulnerability and 100448-03 for the 95 loadmodule vulnerability which normally indicated a patch update. Looks like the original patch either didn't completely fix the problem or it resurfaced in X11 NeWS. Can't tell much beyond that and this is my opinion only as have no way to check it. Which one is this CVE referencing? I accept both.
 Dik> There are three similar Sun bug ids associated with the patches.
   1076118 loadmodule has a security vulnerability
   1148753 loadmodule has a security vulnerability
   1222192 loadmodule has a security vulnerability
   as well as:
   1137491
   Ancient stuff.
 Christey> Add period to the end of the description.
 CHANGE> [Christey changed vote from NOOP to REVIEWING]
 Christey> This is distinct from CVE-1999-1584 - CVE-1999-1584 is for CA-93.18.
 CHANGE> [Christey changed vote from REVIEWING to REJECT]
 Christey> This candidate combines two separate issues. It uses the CERT alert reference from 1995, from one issue, but a description that is associated with a separate issue.
======================================================
Name: CVE-1999-0283
Status: Candidate
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-1999-0283
Phase: Modified (19991203-01)
Category: SF
Reference: BUGTRAQ:19970716 Viewable .jhtml source with JavaWebServer
Reference: URL:http://marc.theaimsgroup.com/?l=bugtraq&m=88256790401004&w=2

The Java Web Server would allow remote users to obtain the source code for CGI programs.

Current Votes:
   ACCEPT(7) Baker, Blake, Cole, Collins, Dik, Northcutt, Wall
   MODIFY(1) Frech
   NOOP(5) Armstrong, Bishop, Christey, Landfield, Prosser
   REVIEWING(1) Ozancin

Voter Comments:
 Wall> Acknowledged by vendor at http://www.sun.com/software/jwebserver/techinfo/jws112info.html.
 Baker> Vulnerability Reference (HTML)                                    Reference Type
   http://www.securityfocus.com/archive/1/7260                            Misc Defensive Info
   http://www.sun.com/software/jwebserver/techinfo/jws112info.html        Vendor Info
 Christey> BID:1891
   URL:http://www.securityfocus.com/bid/1891
 Christey> Add version number (1.1 beta) and details of attack (appending a . or a \)
   The Sun URL referenced by Dave Baker no longer exists, so I wasn't able to verify that it addressed the problem described in the Bugtraq post. This might not even be Sun's "Java Web Server," as CVE-2001-0186 describes some product called "Free Java Web Server"
 Dik> There appears to be some confusion. The particular bug seems to be on in JWS 1.1beta or 1.1 which was fixed in 1.1.2 (get foo.jhtml source by appending "." or "\" to URL) There are other bugs that give access and that require a configuration change.
   http://www.sun.com/software/jwebserver/techinfo/security_advisory.html
 Christey> Need to make sure to create CAN's for the other bugs, as documented in:
   NTBUGTRAQ:19980724 Alert: New Source Bug Affect Sun JWS
   http://marc.theaimsgroup.com/?l=ntbugtraq&m=90222454131622&w=2
   BUGTRAQ:19980725 Alert: New Source Bug Affect Sun JWS
   http://marc.theaimsgroup.com/?l=bugtraq&m=90221104526086&w=2
   The reported bugs are:
   1) file read by appending %20
   2) Directly call /servlet/file
   URL:http://www.sddt.com/cgi-bin/Subscriber?/library/98/07/24/tbd.html
   #2 is explicitly mentioned in the Sun advisory for CVE-1999-0283.
 CHANGE> [Frech changed vote from REVIEWING to MODIFY]
 Frech> XF:javawebserver-cgi-source(5383)

======================================================
Name: CVE-1999-0284
Status: Candidate
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-1999-0284
Phase: Proposed (19990623)
Category: SF
Reference: XF:smtp-helo-bo

Denial of service to NT mail servers including Ipswitch, Mdaemon, and Exchange through a buffer overflow in the SMTP HELO command.

Current Votes:
   ACCEPT(2) Blake, Northcutt
   MODIFY(3) Frech, Levy, Ozancin
   NOOP(1) Baker
   REVIEWING(1) Christey

Voter Comments:
 Frech> "Windows NT-based mail servers" (A trademark thing, and for clarification)
   XF:mdaemon-helo-bo
   XF:lotus-notes-helo-crash
   XF:slmail-helo-overflow
   XF:smtp-helo-bo (mentions several products)
   XF:smtp-exchangedos
 Levy> - Need one per software. Each one should be its own vulnerability.
 Ozancin> => Windows NT is correct
 Christey> These are probably multiple codebases, so we'll need to use dot notation. Also need to see if this should be merged with CVE-1999-0098 (Sendmail SMTP HELO).

======================================================
Name: CVE-1999-0285
Status: Candidate
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-1999-0285
Phase: Proposed (19990630)
Category: SF

Denial of service in telnet from the Windows NT Resource Kit, by opening then immediately closing a connection.
Current Votes:
   ACCEPT(1) Hill
   NOOP(2) Baker, Wall
   REJECT(2) Christey, Frech

Voter Comments:
 Christey> No references, no information.
 CHANGE> [Frech changed vote from REVIEWING to REJECT]
 Frech> No references; closest documented match is with CVE-2001-0346, but that's for Windows 2000.

======================================================
Name: CVE-1999-0286
Status: Candidate
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-1999-0286
Phase: Proposed (19990714)
Category: SF

In some NT web servers, appending a space at the end of a URL may allow attackers to read source code for active pages.

Current Votes:
   ACCEPT(3) Armstrong, Cole, Shostack
   MODIFY(3) Blake, Levy, Wall
   NOOP(5) Baker, Bishop, Landfield, Northcutt, Ozancin
   REJECT(1) Frech
   REVIEWING(1) Christey

Voter Comments:
 Wall> In some NT web servers, appending a dot at the end of a URL may allow attackers to read source code for active pages. Source: MS Knowledge Base Article Q163485 - "Active Server Pages Script Appears in Browser"
 Frech> In the meantime, reword description as 'Windows NT' (trademark issue)
 Christey> Q163485 does not refer to a space, it refers to a dot. However, I don't have other references. Reading source code with a dot appended is in CVE-1999-0154, which will be proposed. A subsequent bug similar to the dot bug is CVE-1999-0253.
 Levy> NTBUGTRAQ: http://www.securityfocus.com/archive/2/22014
   NTBUGTRAQ: http://www.securityfocus.com/archive/2/22019
   BID 273
 Blake> Reference: http://www.allaire.com/handlers/index.cfm?ID=10967
 CHANGE> [Christey changed vote from NOOP to REVIEWING]
 CHANGE> [Frech changed vote from REVIEWING to REJECT]
 Frech> BID articles)

======================================================
Name: CVE-1999-0287
Status: Candidate
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-1999-0287
Phase: Proposed (19990714)
Category: SF

Vulnerability in the Wguest CGI program.
Current Votes:
   MODIFY(2) Frech, Shostack
   NOOP(4) Blake, Levy, Northcutt, Wall
   REJECT(2) Baker, Christey

Voter Comments:
 Shostack> allows file reading
 Frech> XF:http-cgi-webcom-guestbook
 Christey> CVE-1999-0287 is probably a duplicate of CVE-1999-0467. In NTBUGTRAQ:19990409 Webcom's CGI Guestbook for Win32 web servers Mnemonix says that he had previously reported on a similar problem. Let's refer to the NTBugtraq posting as CVE-1999-0467. We will refer to the "previous report" as CVE-1999-0287, which could be found at:
   http://oliver.efri.hr/~crv/security/bugs/NT/httpd41.html
   0287 describes an exploit via the "template" hidden variable. The exploit describes manually editing the HTML form to change the filename to read from the template variable. The exploit as described in 0467 encodes the template variable directly into the URL. However, hidden variables are also encoded into the URL, which would have looked the same to the web server regardless of the exploit. Therefore 0287 and 0467 are the same.
 Christey> BID:2024

======================================================
Name: CVE-1999-0298
Status: Candidate
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-1999-0298
Phase: Modified (20000524-01)
Category: SF
Reference: NAI:19970205 Vulnerabilities in Ypbind when run with -ypset/-ypsetme
Reference: URL:http://www.nai.com/nai_labs/asp_set/advisory/06_ypbindsetme_adv.asp

ypbind with -ypset and -ypsetme options activated in Linux Slackware and SunOS allows local and remote attackers to overwrite files via a .. (dot dot) attack.

Current Votes:
   ACCEPT(4) Cole, Dik, Levy, Northcutt
   MODIFY(1) Frech
   NOOP(3) Baker, Christey, Shostack

Voter Comments:
 Christey> ADDREF BID:1441
   URL:http://www.securityfocus.com/bid/1441
 Dik> If you run with "-ypset", then you're always insecure. With ypsetme, only root on the local host can run ypset in Solaris 2.x+. Probably true for SunOS 4, hence my vote.
 CHANGE> [Frech changed vote from REVIEWING to MODIFY]
 Frech> ADDREF XF:ypbind-ypset-root
 CHANGE> [Dik changed vote from REVIEWING to ACCEPT]
 Dik> This vulnerability does exist in SunOS 4.x in non default configurations. In Solaris 2.x, the vulnerability only applies to files named "cache_binding" and not all files ending in .2 Both releases are not vulnerable in the default configuration (both disallow ypset by default which prevents this problem from occurring)

======================================================
Name: CVE-1999-0306
Status: Candidate
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-1999-0306
Phase: Proposed (19990714)
Category: SF
Reference: XF:hp-xlock

Buffer overflow in HP xlock program.

Current Votes:
   ACCEPT(3) Baker, Frech, Northcutt
   MODIFY(1) Prosser
   NOOP(1) Shostack
   REJECT(1) Christey

Voter Comments:
 Prosser> This is another of those with multiple affected OSs. Refs: CA-97.13, http://207.237.120.45/linux/xlock-exploit.txt, HPSBUX9711-073, SGI 19970502-02-PX, Sun Bulletin 000150
 Christey> XF:hp-xlock points to SGI:19970502-02-PX which says this is the same problem as in CERT:CA-97.13, which is CVE-1999-0038.

======================================================
Name: CVE-1999-0307
Status: Candidate
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-1999-0307
Phase: Modified (19991207-01)
Category: SF
Reference: BUGTRAQ:19961116 This week: turn me on, dead man
Reference: XF:hpux-cstm-bo

Buffer overflow in HP-UX cstm program allows local users to gain root privileges.

Current Votes:
   ACCEPT(2) Frech, Northcutt
   NOOP(3) Baker, Prosser, Shostack
   RECAST(1) Christey

Voter Comments:
 Prosser> only ref I can find is an old SOD exploit on www.outpost9.com
 Christey> MERGE CVE-1999-0336 (the exact exploit works with both cstm and mstm, which are clearly part of the same package, so CD:SF-EXEC says to merge them.) Also, there does not seem to be any recognition of this problem by HP.
   The only other information besides the Bugtraq post is the SOD exploit. See the original post:
   http://www.securityfocus.com/templates/archive.pike?list=1&date=1996-11-15&msg=Pine.LNX.3.91.961116112242.15276J-100000@underground.org

======================================================
Name: CVE-1999-0317
Status: Candidate
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-1999-0317
Phase: Modified (19991216-01)
Category: SF
Reference: BUGTRAQ:19990818 slackware-3.5 /bin/su buffer overflow
Reference: XF:su-bo

Buffer overflow in Linux su command gives root access to local users.

Current Votes:
   ACCEPT(3) Frech, Hill, Northcutt
   NOOP(1) Prosser
   RECAST(1) Baker
   REVIEWING(1) Christey

Voter Comments:
 Christey> DUPE CVE-1999-0845? Also, ADDREF XF:unixware-su-username-bo
   A report summary by Aleph One states that nobody was able to confirm this problem on any Linux distribution.
 Baker> If this is the same as the unixware, then it is a dupe of 1999-0845. There is about a two and half month difference in the bugtraq reporting of these. Sounds like the same bug however...
 Christey> XF:su-bo no longer seems to exist. How about XF:linux-subo(734) ?
   http://xforce.iss.net/static/734.php
   BID:475 also seems to describe the same problem (http://www.securityfocus.com/bid/475) in which case, vsyslog is blamed in:
   BUGTRAQ:19971220 Linux vsyslog() overflow
   http://www.securityfocus.com/archive/1/8274

======================================================
Name: CVE-1999-0319
Status: Candidate
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-1999-0319
Phase: Proposed (19990623)
Category: SF
Reference: XF:xmcd-tiflestr

Buffer overflow in xmcd 2.1 allows local users to gain access through a user resource setting.

Current Votes:
   ACCEPT(3) Frech, Hill, Northcutt
   NOOP(2) Baker, Prosser
   REVIEWING(1) Christey

Voter Comments:
 Christey> BUGTRAQ:19961126 Security Problems in XMCD 2.1
   A followup to this post says that xmcd is not suid here.
======================================================
Name: CVE-1999-0330
Status: Candidate
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-1999-0330
Phase: Modified (20000105-01)
Category: SF
Reference: BUGTRAQ:19940101 (No Subject)
Reference: XF:bdash-bo

Linux bdash game has a buffer overflow that allows local users to gain root access.

Current Votes:
   ACCEPT(1) Baker
   MODIFY(1) Frech
   NOOP(3) Northcutt, Shostack, Wall
   REVIEWING(1) Levy

Voter Comments:
 Frech> XF:bdash-bo

======================================================
Name: CVE-1999-0331
Status: Candidate
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-1999-0331
Phase: Modified (20040811)
Category: SF
Reference: XF:msie-bo

Buffer overflow in Internet Explorer 4.0(1).

Current Votes:
   ACCEPT(2) Baker, Northcutt
   MODIFY(2) Frech, Shostack
   RECAST(1) Prosser
   REJECT(2) Christey, LeBlanc

Voter Comments:
 Shostack> this is a high cardinality item
 Prosser> needs to be more specific.
 Frech> Replace reference with XF:iemk-bug (msie-bo is obsolete and a vague duplicate)
   Description (from xfdb): Some versions of Internet Explorer for Windows contain a vulnerability that may crash the browser when a malicious web site contains a certain kind of URL (that begins with "mk://") with more characters than the browser supports.
 Christey> The description is too vague.
 LeBlanc> too vague
 Christey> Add period to the end of the description.

======================================================
Name: CVE-1999-0333
Status: Candidate
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-1999-0333
Phase: Modified (19990925-01)
Category: SF
Reference: RSI:RSI.0009.09-08-98.HP-UX.OMNIBACK
Reference: HP:HPSBUX9810-085
Reference: XF:omniback-remote

HP OpenView Omniback allows remote execution of commands as root via spoofing, and local users can gain root access via a symlink attack.
Current Votes:
   ACCEPT(2) Baker, Frech
   MODIFY(1) Prosser
   RECAST(1) Christey

Voter Comments:
 Prosser> additional source HP Security Bulletin 85
   http://us-support.external.hp.com
   http://europe-support.external.hp.com
 Christey> Two separate bugs, so SF-LOC says this candidate should be split
 Christey> ADDREF CIAC:J-007
   URL:http://ciac.llnl.gov/ciac/bulletins/j-007.shtml

======================================================
Name: CVE-1999-0336
Status: Candidate
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-1999-0336
Phase: Modified (19991207-01)
Category: SF
Reference: BUGTRAQ:19961116 This week: turn me on, dead man
Reference: XF:hpux-mstm-bo

Buffer overflow in mstm in HP-UX allows local users to gain root access.

Current Votes:
   ACCEPT(2) Frech, Northcutt
   NOOP(3) Baker, Prosser, Shostack
   RECAST(1) Christey

Voter Comments:
 Prosser> same as CVE-1999-0307, only ref I can find is an old SOD exploit on www.outpost9.com
 Christey> MERGE CVE-1999-0307 (the exact exploit works with both cstm and mstm, which are clearly part of the same package, so CD:SF-EXEC says to merge them.) Also, there does not seem to be any recognition of this problem by HP. The only other information besides the Bugtraq post is the SOD exploit.

======================================================
Name: CVE-1999-0345
Status: Candidate
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-1999-0345
Phase: Proposed (19990728)
Category: SF

Jolt ICMP attack causes a denial of service in Windows 95 and Windows NT systems.

Current Votes:
   ACCEPT(2) Blake, Cole
   MODIFY(2) Frech, Wall
   NOOP(4) Bishop, Landfield, Northcutt, Ozancin
   RECAST(1) Meunier
   REJECT(4) Armstrong, Baker, LeBlanc, Levy
   REVIEWING(1) Christey

Voter Comments:
 Wall> Invalid ICMP datagram fragments cause a denial of service in Windows 95 and Windows NT systems. Reference: Q154174. Jolt is also known as sPING, ICMP bug, Icenewk, and Ping of Death. It is a modified teardrop 2 attack.
 Frech> XF:nt-ssping
   ADDREF XF:ping-death
   ADDREF XF:teardrop-mod
   ADDREF XF:mpeix-echo-request-dos
 Christey> I can't tell whether the Jolt exploit at:
   http://www.securityfocus.com/templates/archive.pike?list=1&date=1997-06-28&msg=Pine.BSF.3.95q.970629163422.3264A-200000@apollo.tomco.net
   is exploiting any different flaw than teardrop does.
 CHANGE> [Christey changed vote from NOOP to REVIEWING]
 Baker> Jolt (original) is basically just a fragmented oversized ICMP that kills Win boxes ala Ping of Death. Teardrop is altering the offset in fragmented tcp packets so that the end of subsequent fragments is inside first packet... Teardrop 2 is UDP packets, if I remember right. Seems like Jolt (original, not jolt 2) is just exploit code that creates a ping of death (CVE 1999-0128)
 Levy> I tend to agree with Baker.
 CHANGE> [Armstrong changed vote from REVIEWING to REJECT]
 Armstrong> This code does not use fragment overlap. It is simply a large ICMP echo request.
 Christey> See the SCO advisory at:
   http://www.securityfocus.com/templates/advisory.html?id=1411
   which may further clarify the issue.
 LeBlanc> This is a hodge-podge of DoS attacks. Jolt isn't the same thing as ping of death - POD was an oversized ICMP packet, Jolt froze Linux and Solaris (and I think not NT), IIRC Jolt2 did get NT boxes. Teardrop and teardrop2 were related attacks (usually ICMP frag attacks), but each of these is a distinct vulnerability, affected a discrete group of systems, and should have distinct CVE numbers. CVE entries should be precise as to what the problem is.
 Meunier> I agree with Leblanc in that Jolt is multi-faceted. Jolt has characteristics of Ping of Death AND teardrop, but it doesn't do either exactly. Moreover, it sends a truncated IP fragment. I disagree with Armstrong; jolt uses overlapping fragments. It's not a simple ping of death either.
   It may be that the author's intent was to construct a "super attack" somehow combining elements of other vulnerabilities to try to make it more potent. In any case it succeeded in confusing the CVE board :-). I notice that Jolt uses echo replies (type 0) instead of echo requests (to get past firewalls?). Jolt is peculiar in that it also sends numerous overlapping fragments. The "Pascal Simulator" :-) says it sends:
   - 172 fragments of length 400 with offset starting at 5120 and increasing by about 47 (odd arithmetic of 5120 OR ((n* 380) >> 3)), which eventually results in sending fragments inside an already covered area once ((n* 380) >> 3) is greater than 5120, which occurs when n reaches 108. This would look a bit like TearDrop if fragments were reassembled on-the-fly.
   - 1 fragment such that the total length of all the fragments is greater than 65535 (my calculation is 172*380 + 418 = 65778; the comment about 65538 must be wrong). The last packet is size 418 according to the IP header but the buffer is of size 400. The sendto takes as argument the size of the buffer so a truncated packet is sent.
   So, I am not sure if the problem is because the last packet doesn't extend to the payload it says it has or because the total size of all fragments is greater than 65535. The author says it may take more than one sending, so perhaps this has to do with an incorrect error handling and recovery. One would need to experiment and isolate each of those characteristics and test them independently. Inasmuch as each of those things is likely a different vulnerability, then I agree with Leblanc that this entry should be split. I'll try that if I ever get bored.
   Jolt 2 should also have a different entry (see below). Jolt 2 runs in an infinite loop, sending the same fragmented IP packet, which can pretend to be "ICMP" or "UDP" data; however this is meaningless, as it's just a late fragment of an IP packet. The attack works only as long as packets are sent.
   According to http://www.securityfocus.com/archive/1/62170 the packets are truncated, and would overflow over the 65535 byte limit, which is similar to Jolt. Note that Jolt does send that much data whereas jolt2 doesn't. Since jolt2 is simpler and narrower than jolt, and it has weaker consequences, I believe that it's a different vulnerability. "Jolt 2 vulnerability causes a temporary denial-of-service in Windows-type OSes" would be a title for it.

======================================================
Name: CVE-1999-0347
Status: Candidate
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-1999-0347
Phase: Modified (20051028)
Category: SF
Reference: BUGTRAQ:19990126 Javascript ecurity bug in Internet Explorer
Reference: URL:http://marc.theaimsgroup.com/?l=bugtraq&m=91745430007021&w=2
Reference: NTBUGTRAQ:19990126 Javascript ecurity bug in Internet Explorer
Reference: URL:http://marc.theaimsgroup.com/?l=ntbugtraq&m=91756771207719&w=2

Internet Explorer 4.01 allows remote attackers to read local files and spoof web pages via a "%01" character in an "about:" Javascript URL, which causes Internet Explorer to use the domain specified after the character.

Current Votes:
   ACCEPT(4) Baker, LeBlanc, Levy, Northcutt
   MODIFY(2) Frech, Prosser
   REVIEWING(1) Christey

Voter Comments:
 Prosser> this is a modified Cross-Frame vulnerability that circumvents the original Cross-Frame Patch. Addressed in MS Bulletin MS99.012 http://www.microsoft.com/security/bulletins/ms99-012.asp
 Christey> Duplicate of CVE-1999-0490?
 LeBlanc> If Prosser is correct that this is MS99-012, accept
 Christey> BUGTRAQ:19990126 Javascript ecurity bug in Internet Explorer
   URL:http://marc.theaimsgroup.com/?l=bugtraq&m=91745430007021&w=2
   NTBUGTRAQ:19990128 Javascript %01 bug in Internet Explorer
   URL:http://marc.theaimsgroup.com/?l=ntbugtraq&m=91756771207719&w=2
   BID:197
   URL:http://www.securityfocus.com/bid/197
 CHANGE> [Frech changed vote from REVIEWING to MODIFY]
 Frech> XF:ie-window-spoof(2069)

======================================================
Name: CVE-1999-0352
Status: Candidate
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-1999-0352
Phase: Proposed (19990721)
Category: SF
Reference: ISS:Multiple vulnerabilities in ControlIT(tm) (formerly Remotely Possible/32) enterprise management software
Reference: XF:controlit-passwd-encrypt

ControlIT 4.5 and earlier (aka Remotely Possible) has weak password encryption.

Current Votes:
   ACCEPT(2) Baker, Frech
   NOOP(2) Northcutt, Wall
   RECAST(1) Ozancin

Voter Comments:
 Ozancin> Can we combine this with CVE-1999-0356 - ControlIT(tm) 4.5 and earlier uses weak encryption.

======================================================
Name: CVE-1999-0354
Status: Candidate
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-1999-0354
Phase: Proposed (19990623)
Category: SF
Reference: NTBUGTRAQ:Jan27,1999
Reference: MS:MS99-002
Reference: URL:http://www.microsoft.com/technet/security/bulletin/ms99-002.asp

Internet Explorer 4.x or 5.x with Word 97 allows arbitrary execution of Visual Basic programs to the IE client through the Word 97 template, which doesn't warn the user that the template contains executable content. Also applies to Outlook when the client views a malicious email message.
Current Votes:
   ACCEPT(3) Baker, Ozancin, Wall
   MODIFY(1) Frech
   NOOP(1) Christey

Voter Comments:
 Frech> XF:word97-template-macro
 Christey> CHANGEREF NTBUGTRAQ:19990127 IE 4/5/Outlook + Word 97 security hole
   URL:http://marc.theaimsgroup.com/?l=ntbugtraq&m=91747570922757&w=2
   BID:196
   http://www.securityfocus.com/bid/196
 Christey> MSKB:Q214652
   http://support.microsoft.com/support/kb/articles/q214/6/52.asp

======================================================
Name: CVE-1999-0356
Status: Candidate
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-1999-0356
Phase: Proposed (19990721)
Category: SF
Reference: ISS:Multiple vulnerabilities in ControlIT(tm) (formerly Remotely Possible/32) enterprise management software
Reference: XF:controlit-bookfile-access

ControlIT v4.5 and earlier uses weak encryption to store usernames and passwords in an address book.

Current Votes:
   ACCEPT(2) Baker, Frech
   NOOP(2) Northcutt, Wall
   RECAST(1) Ozancin

======================================================
Name: CVE-1999-0359
Status: Candidate
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-1999-0359
Phase: Proposed (20010214)
Category: SF
Reference: BUGTRAQ:19990127 UNIX shell modem access vulnerabilities
Reference: XF:ptylogin-dos

ptylogin in Unix systems allows users to perform a denial of service by locking out modems, dial out with that modem, or obtain passwords.

Current Votes:
   ACCEPT(2) Cole, Frech
   MODIFY(1) Baker

Voter Comments:
 Frech> XF:ptylogin-dos
 Baker> Should say "... lock out a modem, ..." rather than "... locking out modems..."
======================================================
Name: CVE-1999-0360
Status: Candidate
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-1999-0360
Phase: Modified (20000530-01)
Category: SF
Reference: BUGTRAQ:19990130 Security Advisory for Internet Information Server 4 with Site
Reference: URL:http://marc.theaimsgroup.com/?l=bugtraq&m=91763097004101&w=2
Reference: NTBUGTRAQ:Jan29,1999

MS Site Server 2.0 with IIS 4 can allow users to upload content, including ASP, to the target web site, thus allowing them to execute commands remotely.

Current Votes:
   ACCEPT(6) Blake, Cole, Collins, Landfield, Northcutt, Wall
   MODIFY(3) Baker, Frech, LeBlanc
   NOOP(4) Armstrong, Christey, Ozancin, Prosser

Voter Comments:
 Christey> I can't find the original Bugtraq posting (it appears that mnemonix discovered the problem).
 LeBlanc> - if there was a fix or a KB article, I'd ACCEPT. A vuln based on a BUGTRAQ posting we can't find could be anything.
 Baker> Vulnerability Reference (HTML)                  Reference Type
   http://www.securityfocus.com/archive/1/12218          Misc Defensive Info
   This is the URL for the Bugtraq posting. It was cross posted to NT Bugtraq as well, but identical text. It was Mnemonix...
 Christey> BID:1811
   URL:http://www.securityfocus.com/bid/1811
 Christey> CHANGEREF BUGTRAQ add "Server 2." to the subject. Also standardize NTBUGTRAQ reference title.
 Christey> Add "uploadn.asp" to the description.
 CHANGE> [Frech changed vote from REVIEWING to MODIFY]
 Frech> XF:siteserver-user-dir-permissions(5384)

======================================================
Name: CVE-1999-0361
Status: Candidate
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-1999-0361
Phase: Proposed (19990728)
Category: SF
Reference: BUGTRAQ:Jan29,1999

NetWare version of LaserFiche stores usernames and passwords unencrypted, and allows administrative changes without logging.
Current Votes:
   ACCEPT(1) Baker
   MODIFY(1) Frech
   NOOP(2) Northcutt, Wall

Voter Comments:
 Frech> XF:compulink-pw-laserfiche(1679)
   Normalize BUGTRAQ reference to:
   BUGTRAQ:19990129 Compulink LaserFiche Client/Server - unencrypted passwords

======================================================
Name: CVE-1999-0364
Status: Candidate
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-1999-0364
Phase: Modified (20000426-01)
Category: SF
Reference: BUGTRAQ:19990204 Microsoft Access 97 Stores Database Password as Plaintext
Reference: URL:http://marc.theaimsgroup.com/?l=bugtraq&m=91816470220259&w=2

Microsoft Access 97 stores a database password as plaintext in a foreign mdb, allowing access to data.

Current Votes:
   ACCEPT(2) Baker, LeBlanc
   MODIFY(1) Frech
   NOOP(2) Northcutt, Wall

Voter Comments:
 CHANGE> [Frech changed vote from REVIEWING to MODIFY]
 Frech> XF:access-weak-passwords(1774)
   An older published reference (from our own Adam) would be better:
   ailab.coderpunks Newsgroup, 1998/06/23 "Re: MS Access 2.0"
   http://x15.dejanews.com/[ST_rn=ps]/getdoc.xp?AN=365308578&CONTEXT=919207028.1462108427&hitnum=1

======================================================
Name: CVE-1999-0370
Status: Candidate
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-1999-0370
Phase: Modified (19991210-01)
Category: SF
Reference: SUN:00184
Reference: BID:165
Reference: URL:http://www.securityfocus.com/bid/165

In Sun Solaris and SunOS, man and catman contain vulnerabilities that allow overwriting arbitrary files.

Current Votes:
   ACCEPT(4) Baker, Dik, Northcutt, Prosser
   MODIFY(1) Frech
   REVIEWING(1) Christey

Voter Comments:
 Frech> Reference: XF:sun-man
 Christey> ADDREF CIAC:J-028
   Is the Linux man symlink problem the same as the one for Sun?
   See BUGTRAQ:19990602 /tmp symlink problems in SuSE Linux 6.1
   Also see BID:305
 Dik> sun bug 4154565

======================================================
Name: CVE-1999-0381
Status: Candidate
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-1999-0381
Phase: Proposed (19990726)
Category: SF
Reference: BUGTRAQ:19990225 SUPER buffer overflow
Reference: URL:http://www.securityfocus.com/templates/archive.pike?list=1&msg=Pine.LNX.3.96.990225011801.12757A-100000@eleet
Reference: XF:linux-super-logging-bo
Reference: BID:342
Reference: URL:http://www.securityfocus.com/bid/342

super 3.11.6 and other versions have a buffer overflow in the syslog utility which allows a local user to gain root access.

Current Votes:
   ACCEPT(7) Baker, Blake, Cole, Frech, Landfield, Levy, Ozancin
   MODIFY(1) Bishop
   NOOP(2) Armstrong, Wall
   REVIEWING(1) Christey

Voter Comments:
 Christey> Is this the same as CVE-1999-0373? They both have the same X-Force reference. BID:342 suggests that there are two. http://www.debian.org/security/1999/19990215a suggests that there are two. However, CVE-1999-0373 is written up in a fashion that is too general; and both XF:linux-super-bo and XF:linux-super-logging-bo refer to CVE-1999-0373. CVE-1999-0373 may need to be split.
 Frech> From what I can surmise, ISS released the original advisory (attached to linux-super-bo), and Sekure SDI expanded on it by releasing another related overflow in syslog (which is linux-super-logging-bo). When I was originally assigning these issues, I placed both XF references and the ISS advisory on the -0373 candidate, since there was nothing else available. Based on the information above, I'd request that XF:linux-super-logging-bo be removed from CVE-1999-0373.
 Christey> Given Andre's feedback, these are different issues. CVE-1999-0373 does not need to be split because the ISS reference is sufficient to distinguish that CVE from this candidate; however, the CVE-1999-0373 description should probably be modified slightly.
 Bishop> (as indicated by Christey)
 CHANGE> [Cole changed vote from NOOP to ACCEPT]
 CHANGE> [Christey changed vote from NOOP to REVIEWING]
 Christey> There are 2 bugs, as confirmed by the super author at:
   BUGTRAQ:19990226 Buffer Overflow in Super (new)
   http://www.securityfocus.com/archive/1/12713
   BID:397 also seems to cover this one, and it may cover CVE-1999-0373 as well.

======================================================
Name: CVE-1999-0389
Status: Candidate
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-1999-0389
Phase: Modified (19991207-01)
Category: SF
Reference: DEBIAN:19990104
Reference: BUGTRAQ:19990103 [SECURITY] New versions of netstd fixes buffer overflows
Reference: BID:324
Reference: URL:http://www.securityfocus.com/bid/324

Buffer overflow in the bootp server in the Debian Linux netstd package.

Current Votes:
   ACCEPT(3) Baker, Ozancin, Stracener
   MODIFY(1) Frech
   REVIEWING(1) Christey

Voter Comments:
 Christey> Is CVE-1999-0389 a duplicate of CVE-1999-0798? CVE-1999-0389 has January 1999 dates associated with it, while CVE-1999-0798 was reported in late December. Also, is this the same line of code as CVE-1999-0914? Both are in the netstd package, it could look like a library problem. However, deep in the changelog in the netstd_3.07-7slink.3.diff on Debian, Herbert Xu includes the following entry:

+netstd (3.07-7slink.1) frozen; urgency=high
+
+ * bootpd: Applied patch from Redhat as well as a fix for the overflow in
+ report() (fixes #30675).
+ * netkit-ftp: Applied patch from RedHat that fixes some obscure overflow
+ bugs.
+
+ -- Herbert Xu Sat, 19 Dec 1998 14:36:48 +1100

   This tells me that two separate bugs are involved. Note that Red Hat posted *some* fix for *some* bootp problem in June 1998.
   See: http://www.redhat.com/support/errata/rh42-errata-general.html#bootp
 Frech> XF:debian-netstd-bo
 Christey> Further analysis indicates that this is a duplicate of CVE-1999-0799
 CHANGE> [Christey changed vote from REJECT to REVIEWING]
 Christey> The fix information for BID:324 suggests that there are two overflows, one of which is in handle_request (bootpd.c) and is likely related to a file name; but there is another issue in report (report.c) which also looks like a straightforward overflow, which would suggest that this is not a duplicate of CVE-1999-0798 or CVE-1999-0799.
   Note: see comments for CVE-1999-0798 which explain how that candidate is not related to CVE-1999-0799.

======================================================
Name: CVE-1999-0394
Status: Candidate
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-1999-0394
Phase: Proposed (19990728)
Category: SF
Reference: BUGTRAQ:19990115 DPEC Online Courseware

DPEC Online Courseware allows an attacker to change another user's password without knowing the original password.

Current Votes:
   ACCEPT(1) Baker
   NOOP(1) Christey
   REJECT(1) Frech

Voter Comments:
 Frech> If I understand the issue, this HIGHCARD involves insecure web programming. If I don't understand, mark this as my first NOOP.
 Christey> CONFIRM:http://www.securityfocus.com/frames/?content=/templates/archive.pike%3Flist%3D1%26msg%3D19990803132618.16407.qmail%40securityfocus.com
   ADDREF BID:565
   URL:http://www.securityfocus.com/vdb/bottom.html?vid=565

======================================================
Name: CVE-1999-0397
Status: Candidate
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-1999-0397
Phase: Proposed (19990728)
Category: SF
Reference: L0PHT:Jan21,1999
Reference: BUGTRAQ:Jan21,1999

The demo version of the Quakenbush NT Password Appraiser sends passwords across the network in plaintext.

Current Votes:
   ACCEPT(1) Northcutt
   MODIFY(1) Frech
   NOOP(1) Baker
   REJECT(1) Wall

Voter Comments:
 Wall> Reject based on beta copy.
 Frech> XF:quakenbush-pw-appraiser(1652)

======================================================
Name: CVE-1999-0398
Status: Candidate
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-1999-0398
Phase: Modified (20000106-01)
Category: SF
Reference: BUGTRAQ:19990123 SSH 1.x and 2.x Daemon
Reference: BUGTRAQ:19990124 SSH Daemon
Reference: XF:ssh-exp-account-access

In some instances of SSH 1.2.27 and 2.0.11 on Linux systems, SSH will allow users with expired accounts to login.

Current Votes:
   ACCEPT(1) Baker
   MODIFY(1) Frech

Voter Comments:
 Frech> Followups to the bugtraq message (1/24/99) indicate that 1.2.27 was not yet released. v1.2.26 should be substituted in the description for '27.
   XF:ssh-exp-account-access

======================================================
Name: CVE-1999-0399
Status: Candidate
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-1999-0399
Phase: Modified (20000105-01)
Category: SF
Reference: BUGTRAQ:19990124 Mirc 5.5 'DCC Server' hole
Reference: XF:mirc-dcc-metachar-filename

The DCC server command in the Mirc 5.5 client doesn't filter characters from file names properly, allowing remote attackers to place a malicious file in a different location, possibly allowing the attacker to execute commands.

Current Votes:
   ACCEPT(1) Baker
   MODIFY(1) Frech

Voter Comments:
 Frech> XF:mirc-dcc-metachar-filename

======================================================
Name: CVE-1999-0400
Status: Candidate
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-1999-0400
Phase: Modified (20000105-01)
Category: SF
Reference: BUGTRAQ:19990127 2.2.0 SECURITY (fwd)
Reference: XF:linux-kernel-ldd-dos
Reference: BID:344
Reference: URL:http://www.securityfocus.com/bid/344

Denial of service in Linux 2.2.0 running the ldd command on a core file.
Current Votes:
   ACCEPT(1) Baker
   MODIFY(1) Frech

Voter Comments:
 Frech> BUGTRAQ:Jan27,1999
   (http://www.securityfocus.com/templates/archive.pike?list=1&date=1999-01-22&msg=Pine.LNX.4.05.9901270538380.539-100000@vitelus.com)
   XF:linux-kernel-ldd-dos

======================================================
Name: CVE-1999-0401
Status: Candidate
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-1999-0401
Phase: Modified (20000105-01)
Category: SF
Reference: BUGTRAQ:19990202 [patch] /proc race fixes for 2.2.1 (fwd)
Reference: XF:linux-race-condition-proc

A race condition in Linux 2.2.1 allows local users to read arbitrary memory from /proc files.

Current Votes:
   ACCEPT(1) Baker
   MODIFY(1) Frech

Voter Comments:
 Frech> XF:linux-race-condition-proc

======================================================
Name: CVE-1999-0406
Status: Candidate
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-1999-0406
Phase: Proposed (19990728)
Category: SF
Reference: BUGTRAQ:Feb19,1999
Reference: XF:digital-networker-bo

Digital Unix Networker program nsralist has a buffer overflow which allows local users to obtain root privilege.

Current Votes:
   ACCEPT(1) Baker
   MODIFY(1) Frech

Voter Comments:
 Frech> In description, change 'which' to 'that'.

======================================================
Name: CVE-1999-0411
Status: Candidate
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-1999-0411
Phase: Proposed (19990726)
Category: SF
Reference: BUGTRAQ:Feb19,1999
Reference: XF:sco-startup-scripts

Several startup scripts in SCO OpenServer Enterprise System v 5.0.4p, including S84rpcinit, S95nis, S85tcp, and S89nfs, are vulnerable to a symlink attack, allowing a local user to gain root access.

Current Votes:
   MODIFY(2) Baker, Frech
   NOOP(2) Christey, Wall

Voter Comments:
 Frech> Neither XFDB nor the BugTraq article (incidentally, shows up as 7 March, not 19 February) mentions gaining root access... it says a local user could "delete or overwrite arbitrary files on the system."
 Baker> By overwriting arbitrary files, one could then gain root access. I agree with a minor description change to reflect this.
 Christey> Normalize Bugtraq reference to:
   BUGTRAQ:19990307 Little exploit for startup scripts (SCO 5.0.4p).
   http://marc.theaimsgroup.com/?l=bugtraq&m=92087765014242&w=2
   Also, SCO:SB-99.17
   ftp://ftp.sco.com/SSE/security_bulletins/SB-99.17c

======================================================
Name: CVE-1999-0418
Status: Candidate
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-1999-0418
Phase: Proposed (20010912)
Category: SF
Reference: BUGTRAQ:19990308 SMTP server account probing
Reference: URL:http://marc.theaimsgroup.com/?l=bugtraq&m=92100018214316&w=2

Denial of service in SMTP applications such as Sendmail, when a remote attacker (e.g. spammer) uses many "RCPT TO" commands in the same connection.

Current Votes:
   ACCEPT(1) Cole
   MODIFY(1) Frech
   NOOP(3) Baker, Foat, Wall
   REVIEWING(1) Christey

Voter Comments:
 Christey> DUPE CVE-1999-0144 and CVE-1999-0250?
 Frech> XF:smtp-rctpto-dos(7499)

======================================================
Name: CVE-1999-0419
Status: Candidate
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-1999-0419
Phase: Modified (20000105-01)
Category: SF
Reference: BUGTRAQ:19990319 Microsoft's SMTP service broken/stupid
Reference: XF:smtp-4xx-error-dos

When the Microsoft SMTP service attempts to send a message to a server and receives a 4xx error code, it quickly and repeatedly attempts to redeliver the message, causing a denial of service.

Current Votes:
   ACCEPT(1) Baker
   MODIFY(2) Frech, LeBlanc
   REVIEWING(1) Christey

Voter Comments:
 Frech> XF:smtp-4xx-error-dos
 LeBlanc> - if we can find a KB or something that shows that this wasn't just user error, I'd vote ACCEPT.
 Christey> David Lemson, Microsoft SMTP Service Program Manager, posted a followup that said "We have confirmed this as a problem..."
   http://marc.theaimsgroup.com/?l=bugtraq&m=92171608127206&w=2

======================================================
Name: CVE-1999-0426
Status: Candidate
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-1999-0426
Phase: Proposed (19990728)
Category: SF
Reference: BUGTRAQ:19990319 The default permissions on /dev/kmem is insecure.

The default permissions of /dev/kmem in Linux versions before 2.0.36 allows IP spoofing.

Current Votes:
   MODIFY(1) Frech
   NOOP(1) Baker
   REJECT(1) Christey

Voter Comments:
 Frech> XF:linux-dev-kmem-spoof
 Christey> DUPE CVE-1999-0414
   XF:linux-dev-kmem-spoof does not exist.
 Christey> *Now* XF:linux-dev-kmem-spoof(3500) exists...

======================================================
Name: CVE-1999-0427
Status: Candidate
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-1999-0427
Phase: Proposed (19990728)
Category: SF
Reference: BUGTRAQ:19990320 Eudora Attachment Buffer Overflow
Reference: XF:eudora-long-attachments

Eudora 4.1 allows remote attackers to perform a denial of service by sending attachments with long file names.

Current Votes:
   ACCEPT(1) Baker
   MODIFY(1) Frech
   NOOP(1) Christey

Voter Comments:
 Frech> Change version number to 4.2beta. Second to last paragraph in bugtraq reference states: "Both the Win 95 and Win NT versions, along with the 4.2 beta of Eudora are affected."
 Christey> This issue seems to have been rediscovered in
   BUGTRAQ:20000515 Eudora Pro & Outlook Overflow - too long filenames again
   http://marc.theaimsgroup.com/?l=bugtraq&m=95842482413076&w=2
   Also see BUGTRAQ:19990320 Eudora Attachment Buffer Overflow
   http://marc.theaimsgroup.com/?l=bugtraq&m=92195396912110&w=2
   Is this a duplicate/subsumed by CVE-1999-0004?
======================================================
Name: CVE-1999-0431
Status: Candidate
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-1999-0431
Phase: Modified (20000106-01)
Category: SF
Reference: BUGTRAQ:19990324 DoS for Linux 2.1.89 - 2.2.3: 0 length fragment bug
Reference: XF:linux-zerolength-fragment

Linux 2.2.3 and earlier allow a remote attacker to perform an IP fragmentation attack, causing a denial of service.

Current Votes:
   ACCEPT(1) Baker
   MODIFY(1) Frech
   NOOP(1) Christey

Voter Comments:
 Frech> XF:linux-zerolength-fragment
 Christey> Consider adding BID:2247

======================================================
Name: CVE-1999-0434
Status: Candidate
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-1999-0434
Phase: Proposed (19990728)
Category: SF
Reference: BUGTRAQ:19990331 Bug in xfs
Reference: BID:359
Reference: URL:http://www.securityfocus.com/bid/359

XFree86 xfs command is vulnerable to a symlink attack, allowing local users to create files in restricted directories, possibly allowing them to gain privileges or cause a denial of service.

Current Votes:
   ACCEPT(1) Baker
   MODIFY(1) Frech
   NOOP(1) Christey

Voter Comments:
 Frech> XF:xfree86-xfs-symlink-dos
 Christey> Is this the same problem as CVE-1999-0433? CVE-1999-0433 deals with a symlink attack on one file (/tmp/.X11-unix), while xfs (this candidate) deals with /tmp/.font-unix
   XF:xfree86-xfs-symlink-dos doesn't exist.
 Christey> ADDREF DEBIAN:19990331 symbolic link can be used to make any file world readable
   Note: Debian's advisory says that this is not a problem for Debian.

======================================================
Name: CVE-1999-0435
Status: Candidate
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-1999-0435
Phase: Proposed (19990623)
Category: SF
Reference: HP:HPSBUX9903-096

MC/ServiceGuard and MC/LockManager in HP-UX allows local users to gain privileges through SAM.
Current Votes:
   ACCEPT(2) Baker, Ozancin
   MODIFY(1) Frech
   NOOP(1) Christey

Voter Comments:
 Frech> XF:hp-servicegaurd
 Christey> ADDREF CIAC:J-039
 Christey> Note the typo in Andre's suggested reference. Normalize to XF:hp-serviceguard(2046)

======================================================
Name: CVE-1999-0443
Status: Candidate
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-1999-0443
Phase: Proposed (19990728)
Category: SF
Reference: BUGTRAQ:19990409 Patrol security bugs
Reference: URL:http://www.securityfocus.com/archive/1/13204
Reference: XF:bmc-patrol-replay

Patrol management software allows a remote attacker to conduct a replay attack to steal the administrator password.

Current Votes:
   ACCEPT(1) Baker
   MODIFY(1) Frech

Voter Comments:
 Frech> Change "Patrol management software" to "The PATROL management product from BMC Software".

======================================================
Name: CVE-1999-0444
Status: Candidate
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-1999-0444
Phase: Modified (20000106-01)
Category: SF
Reference: BUGTRAQ:19990412 ARP problem in Windows9X/NT
Reference: XF:windows-arp-dos

Remote attackers can perform a denial of service in Windows machines using malicious ARP packets, forcing a message box display for each packet or filling up log files.

Current Votes:
   ACCEPT(1) Baker
   MODIFY(1) Frech

Voter Comments:
 Frech> ADDREF: XF:windows-arp-dos

======================================================
Name: CVE-1999-0450
Status: Candidate
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-1999-0450
Phase: Modified (20090622)
Category: SF
Reference: BUGTRAQ:19990122 Perl.exe and IIS security advisory
Reference: BID:194
Reference: URL:http://www.securityfocus.com/bid/194

In IIS, an attacker could determine a real path using a request for a non-existent URL that would be interpreted by Perl (perl.exe).
Current Votes:
   ACCEPT(2) Ozancin, Wall
   NOOP(2) Baker, Christey
   REJECT(2) Frech, LeBlanc

Voter Comments:
 Frech> Can't find in database.
 Christey> This looks like another discovery of CVE-2000-0071
 LeBlanc> - I just tried to repro this based on the BUGTRAQ vuln information, and it does not repro -

   GET /bogus.pl HTTP/1.0

   HTTP/1.1 404 Object Not Found
   Server: Microsoft-IIS/5.0
   Date: Thu, 05 Oct 2000 21:04:20 GMT
   Content-Length: 3243
   Content-Type: text/html

   No path is returned whatsoever. This may have been a problem on some version of IIS in the past, but the BUGTRAQ ID says all versions are vulnerable. Let's try and figure out what version had the problem, whether it is intrinsic to IIS or the result of adding a 3rd party implementation of perl, and when it got fixed, then we can try again.
 CHANGE> [Frech changed vote from REVIEWING to REJECT]
 Christey> Add "no-such-file.pl" as an example to the desc, to facilitate search (it's used by CGI scanners and in the original example)

======================================================
Name: CVE-1999-0451
Status: Candidate
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-1999-0451
Phase: Proposed (19990726)
Category: SF
Reference: BUGTRAQ:Jan19,1999
Reference: BID:343
Reference: URL:http://www.securityfocus.com/bid/343

Denial of service in Linux 2.0.36 allows local users to prevent any server from listening on any non-privileged port.

Current Votes:
   ACCEPT(2) Baker, Ozancin
   MODIFY(1) Frech
   NOOP(1) Wall

Voter Comments:
 CHANGE> [Frech changed vote from REVIEWING to MODIFY]
 Frech> XF:linux-ports-dos(8364)

======================================================
Name: CVE-1999-0452
Status: Candidate
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-1999-0452
Phase: Proposed (19990726)
Category: SF

A service or application has a backdoor password that was placed there by the developer.

Current Votes:
   ACCEPT(2) Baker, Wall
   REJECT(1) Frech

Voter Comments:
 Frech> Much too broad.
   Also may be HIGHCARD (or will be in the future).
 Baker> I think we want to address this using the dot notation idea. We do need to address this, just not a separate entry for every single occurrence.

======================================================
Name: CVE-1999-0453
Status: Candidate
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-1999-0453
Phase: Modified (20040512-02)
Category: SF
Reference: BUGTRAQ:19990118 Remote Cisco Identification

An attacker can identify a CISCO device by sending a SYN packet to port 1999, which is for the Cisco Discovery Protocol (CDP).

Current Votes:
   ACCEPT(2) Baker, Balinsky
   MODIFY(1) Frech
   NOOP(2) Northcutt, Wall
   REVIEWING(1) Christey

Voter Comments:
 Frech> XF:cisco-ident(2289)
   ADDREF BUGTRAQ:19990118 Remote Cisco Identification
   In description, probably better to use "Cisco" as product/company name.
 Balinsky> CiscoSecure IDS has a signature for this...ID 3602 Cisco IOS Identity.
 Christey> There may be a slight abstraction problem here, e.g. look at the candidate for queso/nmap; also see followup Bugtraq post from "Basement Research" on 19990120 which says that there are many other features in Cisco products that allow remote identification.
 Christey> fix typo: "Dicsovery"

======================================================
Name: CVE-1999-0454
Status: Candidate
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-1999-0454
Phase: Proposed (19990728)
Category: SF

A remote attacker can sometimes identify the operating system of a host based on how it reacts to some IP or ICMP packets, using a tool such as nmap or queso.

Current Votes:
   MODIFY(1) Frech
   NOOP(2) Christey, Wall
   REJECT(2) Baker, Northcutt

Voter Comments:
 Northcutt> Nmap and queso are the tip of the iceberg and not the most advanced ways to accomplish this. To pursue making the world signature free is as much a vulnerability as having signatures, nay more.
 Frech> XF:decod-nmap(2053)
   XF:decod-queso(2048)
 Christey> Add "fingerprinting" to facilitate search.
   Some references:
   MISC:http://www.insecure.org/nmap/nmap-fingerprinting-article.html
   BUGTRAQ:19981228 A few more fingerprinting techniques - time and netmask
   http://marc.theaimsgroup.com/?l=bugtraq&m=91489155019895&w=2
   BUGTRAQ:19990222 Preventing remote OS detection
   http://marc.theaimsgroup.com/?l=bugtraq&m=91971553006937&w=2
   BUGTRAQ:20000901 ICMP Usage In Scanning v2.0 - Research Paper
   http://marc.theaimsgroup.com/?l=bugtraq&m=96791499611849&w=2
   BUGTRAQ:20000912 Using the Unused (Identifying OpenBSD,
   http://marc.theaimsgroup.com/?l=bugtraq&m=96879267724690&w=2
   BUGTRAQ:20000912 The DF Bit Playground (Identifying Sun Solaris & OpenBSD OSs)
   http://marc.theaimsgroup.com/?l=bugtraq&m=96879481129637&w=2
   BUGTRAQ:20000816 TOSing OSs out of the window / Fingerprinting Windows 2000 with
   http://marc.theaimsgroup.com/?l=bugtraq&m=96644121403569&w=2
   BUGTRAQ:20000609 p0f - passive os fingerprinting tool
   http://marc.theaimsgroup.com/?l=bugtraq&m=96062535628242&w=2
 Baker> I think we can probably reject this as the corollary is that you can identify OS from an IP/TCP packet sent by a system, looking at various parts of the SYN packet. Unless we believe that all systems should always use identical packet header/identical responses, in which case the protocol should not permit variation.

======================================================
Name: CVE-1999-0455
Status: Candidate
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-1999-0455
Phase: Modified (19991210-01)
Category: SF
Reference: ALLAIRE:ASB-001
Reference: XF:coldfusion-expression-evaluator
Reference: BID:115
Reference: URL:http://www.securityfocus.com/bid/115

The Expression Evaluator sample application in ColdFusion allows remote attackers to read or delete files on the server via exprcalc.cfm, which does not restrict access to the server properly.
Current Votes:
   ACCEPT(3) Balinsky, Frech, Ozancin
   MODIFY(1) Wall
   NOOP(1) Baker
   REVIEWING(1) Christey

Voter Comments:
 Wall> The reference should be ASB99-01 (Expression Evaluator Security Issues); make application plural since there are three sample applications (openfile.cfm, displayopenedfile.cfm, and exprcalc.cfm).
 Christey> The CD:SF-EXEC and CD:SF-LOC content decisions apply here. Since there are 3 separate "executables" with the same (or similar) problem, we need to make sure that CD:SF-EXEC determines what to do here. There is evidence that some of these .cfm scripts have an "include" file, and if so, then CD:SF-LOC says that we shouldn't make separate entries for each of these scripts. On the other hand, the initial L0pht discovery didn't include all 3 of these scripts, and as far as I can tell, Allaire had patched the first problem before the others were discovered. So, CD:DISCOVERY-DATE may argue that we should split these because the problems were discovered and patched at different times. In any case, this candidate can not be accepted until the Editorial Board has accepted the CD:SF-EXEC, CD:SF-LOC, and CD:DISCOVERY-DATE content decisions.

======================================================
Name: CVE-1999-0459
Status: Candidate
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-1999-0459
Phase: Proposed (19990728)
Category: SF
Reference: XF:linux-milo-halt

Local users can perform a denial of service in Alpha Linux, using MILO to force a reboot.

Current Votes:
   ACCEPT(1) Frech
   NOOP(2) Baker, Northcutt
   REJECT(1) Wall

Voter Comments:
 Wall> Reject based on beta copy.
======================================================
Name: CVE-1999-0460
Status: Candidate
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-1999-0460
Phase: Proposed (19990726)
Category: SF
Reference: BUGTRAQ:19990218 Linux autofs overflow in 2.0.36+
Reference: BID:312
Reference: URL:http://www.securityfocus.com/bid/312

Buffer overflow in Linux autofs module through long directory names allows local users to perform a denial of service.

Current Votes:
   ACCEPT(2) Baker, Ozancin
   MODIFY(1) Frech
   NOOP(1) Wall

Voter Comments:
 CHANGE> [Frech changed vote from REVIEWING to MODIFY]
 Frech> XF:linux-autofs-bo(8365)

======================================================
Name: CVE-1999-0461
Status: Candidate
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-1999-0461
Phase: Proposed (19990728)
Category: SF

Versions of rpcbind including Linux, IRIX, and Wietse Venema's rpcbind allow a remote attacker to insert and delete entries by spoofing a source address.

Current Votes:
   MODIFY(1) Frech
   RECAST(1) Baker
   REVIEWING(1) Christey

Voter Comments:
 Frech> ADDREF XF:pmap-sset
 Christey> CVE-1999-0195 = CVE-1999-0461 ?
   If this is approved over CVE-1999-0195, make sure it gets XF:pmap-sset
 Baker> This does appear to be a duplicate. We should accept 1999-0195, since it already has the votes, and get rid of this one.

======================================================
Name: CVE-1999-0462
Status: Candidate
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-1999-0462
Phase: Proposed (19990728)
Category: SF
Reference: BUGTRAQ:19990114 Secuity hole with perl (suidperl) and nosuid mounts on Linux
Reference: BID:339
Reference: URL:http://www.securityfocus.com/bid/339

suidperl in Linux Perl does not check the nosuid mount option on file systems, allowing local users to gain root access by placing a setuid script in a mountable file system, e.g. a CD-ROM or floppy disk.
Current Votes:
   ACCEPT(1) Baker
   MODIFY(1) Frech
   NOOP(1) Christey

Voter Comments:
 Frech> XF:perl-suidperl-bo
 Christey> XF:perl-suidperl-bo doesn't exist.

======================================================
Name: CVE-1999-0465
Status: Candidate
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-1999-0465
Phase: Proposed (19990728)
Category: SF
Reference: XF:http-img-overflow

Remote attackers can crash Lynx and Internet Explorer using an IMG tag with a large width parameter.

Current Votes:
   ACCEPT(2) Frech, Northcutt
   NOOP(1) Baker
   REJECT(2) LeBlanc, Wall

Voter Comments:
 Wall> Reject based on client-side DoS
 LeBlanc> Client side DOS

======================================================
Name: CVE-1999-0467
Status: Candidate
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-1999-0467
Phase: Modified (20000106-01)
Category: SF
Reference: NTBUGTRAQ:19990409 Webcom's CGI Guestbook for Win32 web servers
Reference: XF:http-cgi-webcom-guestbook

The Webcom CGI Guestbook programs wguest.exe and rguest.exe allow a remote attacker to read arbitrary files using the "template" parameter.

Current Votes:
   ACCEPT(4) Blake, Frech, Landfield, Ozancin
   NOOP(3) Baker, Christey, Northcutt

Voter Comments:
 Christey> CVE-1999-0287 is probably a duplicate of CVE-1999-0467. In NTBUGTRAQ:19990409 Webcom's CGI Guestbook for Win32 web servers Mnemonix says that he had previously reported on a similar problem. Let's refer to the NTBugtraq posting as CVE-1999-0467. We will refer to the "previous report" as CVE-1999-0287, which can be found at:
   http://oliver.efri.hr/~crv/security/bugs/NT/httpd41.html
   0287 describes an exploit via the "template" hidden variable. The exploit describes manually editing the HTML form to change the filename to read from the template variable. The exploit as described in 0467 encodes the template variable directly into the URL. However, hidden variables are also encoded into the URL, which would have looked the same to the web server regardless of the exploit.
   Therefore 0287 and 0467 are the same.
 Christey> The CD:SF-EXEC content decision also applies here. We have 2 programs, wguest.exe and rguest.exe, which appear to have the same problem. CD:SF-EXEC needs to be accepted by the Editorial Board before this candidate can be converted into a CVE entry. When finalized, CD:SF-EXEC will decide whether this candidate should be split or not.
 Christey> BID:2024

======================================================
Name: CVE-1999-0469
Status: Candidate
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-1999-0469
Phase: Proposed (19990728)
Category: SF
Reference: BUGTRAQ:19990409 IE 5.0 security vulnerabilities - %01 bug again
Reference: XF:ie-window-spoof

Internet Explorer 5.0 allows window spoofing, allowing a remote attacker to spoof a legitimate web site and capture information from the client.

Current Votes:
   ACCEPT(1) Wall
   NOOP(2) Baker, Northcutt
   REJECT(3) Christey, Frech, LeBlanc

Voter Comments:
 Wall> Reference: Microsoft Security Bulletin MS99-012
 Christey> DUPE CVE-1999-0488
 Frech> Defer to Christey's vote. However, XF:ie-mshtml-crossframe(2216) assigned to CVE-1999-0488.
 LeBlanc> Duplicate

======================================================
Name: CVE-1999-0476
Status: Candidate
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-1999-0476
Phase: Proposed (19990721)
Category: SF
Reference: BUGTRAQ:19990331 Potential vulnerability in SCO TermVision Windows 95 client
Reference: XF:sco-termvision-password

A weak encryption algorithm is used for passwords in SCO TermVision, allowing them to be easily decrypted by a local user.
Current Votes:
   ACCEPT(3) Baker, Frech, Ozancin
   NOOP(3) LeBlanc, Northcutt, Wall

======================================================
Name: CVE-1999-0477
Status: Candidate
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-1999-0477
Phase: Modified (19991210-01)
Category: SF
Reference: L0PHT:Cold Fusion App Server
Reference: XF:coldfusion-expression-evaluator
Reference: BID:115
Reference: URL:http://www.securityfocus.com/bid/115

The Expression Evaluator in the ColdFusion Application Server allows a remote attacker to upload files to the server via openfile.cfm, which does not restrict access to the server properly.

Current Votes:
   ACCEPT(4) Baker, Christey, Frech, Ozancin
   REJECT(1) Wall

Voter Comments:
 Wall> Duplicate of 0455
 Christey> CVE-1999-0477 and CVE-1999-0455 were discovered at different times. Also, the attack was different. So "Same Attack" and "Same Time of Discovery" dictate that these should remain separate.

======================================================
Name: CVE-1999-0480
Status: Candidate
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-1999-0480
Phase: Modified (20000106-01)
Category: SF
Reference: BUGTRAQ:19980315 Midnight Commander /tmp race

Local attackers can conduct a denial of service in Midnight Commander 4.x with a symlink attack.

Current Votes:
   ACCEPT(1) Baker
   MODIFY(1) Frech
   NOOP(1) Christey

Voter Comments:
 Frech> XF:midnight-commander-symlink-dos
 Christey> XF:midnight-commander-symlink-dos(3505)

======================================================
Name: CVE-1999-0486
Status: Candidate
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-1999-0486
Phase: Modified (20000106-01)
Category: SF
Reference: BUGTRAQ:19990420 AOL Instant Messenger URL Crash

Denial of service in AOL Instant Messenger when a remote attacker sends a malicious hyperlink to the receiving client, potentially causing a system crash.

Current Votes:
   ACCEPT(1) Baker
   MODIFY(1) Frech
   NOOP(1) Christey

Voter Comments:
 Frech> XF:aol-im.
Christey> XF:aol-im appears to be related to the problem discussed in BUGTRAQ:19980224 AOL Instant Messanger Bug. This one is related to BUGTRAQ:19990420 AOL Instant Messenger URL Crash.

======================================================
Name: CVE-1999-0488
Status: Candidate
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-1999-0488
Phase: Modified (19991205-01)
Category: SF
Reference: MS:MS99-012
Reference: URL:http://www.microsoft.com/technet/security/bulletin/ms99-012.asp

Internet Explorer 4.0 and 5.0 allows a remote attacker to execute security scripts in a different security context using malicious URLs, a variant of the "cross frame" vulnerability.

Current Votes:
   ACCEPT(2) Baker, Landfield
   MODIFY(2) Frech, Wall
   NOOP(2) Christey, Ozancin

Voter Comments:
Frech> XF:ie-mshtml-crossframe
Wall> (source: MSKB:Q168485)
Christey> CVE-1999-0469 appears to be a duplicate; prefer this one over that one, since this one has an MS advisory. Confirm with Microsoft that these are really duplicates. Also review CVE-1999-0487, which appears to be a similar bug.

======================================================
Name: CVE-1999-0489
Status: Candidate
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-1999-0489
Phase: Modified (19991205-01)
Category: SF
Reference: MS:MS99-015
Reference: URL:http://www.microsoft.com/technet/security/bulletin/ms99-015.asp

MSHTML.DLL in Internet Explorer 5.0 allows a remote attacker to paste a file name into the file upload intrinsic control, a variant of "untrusted scripted paste" as described in MS:MS98-013.

Current Votes:
   ACCEPT(1) Levy
   MODIFY(1) Wall
   NOOP(2) Baker, Ozancin
   RECAST(1) Prosser
   REJECT(1) Christey
   REVIEWING(1) Frech

Voter Comments:
Frech> Wasn't Untrusted scripted paste MS98-015? I can find no mention of a clipboard in either. I cannot proceed on this one without further clarification.
Wall> (source: MS:MS99-012)
Prosser> agree with Andre here.
The Untrusted Scripted paste vulnerability was originally addressed in MS98-015 and it is in the file upload intrinsic control in which an attacker can paste the name of a file on the target's drive in the control and a form submission would then send that file from the attacked machine to the remote web site. This one has nothing to do with the clipboard. What the advisory mentioned here, MS99-012, does is replace the MSHTML parsing engine which is supposed to fix the original Untrusted Scripted Paste issue and a variant, as well as the two Cross-Frame variants and a privacy issue in IMG SRC. The vulnerability that allowed reading of a user's clipboard is the Forms 2.0 Active X control vulnerability discussed in MS99-01
Christey> The advisory should have been listed as MS99-012. CVE-1999-0468 describes the untrusted scripted paste problem in MS99-012.
Frech> Pending response to guidance request. 12/6/01.

======================================================
Name: CVE-1999-0490
Status: Candidate
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-1999-0490
Phase: Modified (19991205-01)
Category: SF
Reference: MS:MS99-012
Reference: URL:http://www.microsoft.com/technet/security/bulletin/ms99-012.asp

MSHTML.DLL in Internet Explorer 5.0 allows a remote attacker to learn information about a local user's files via an IMG SRC tag.

Current Votes:
   ACCEPT(2) Landfield, Wall
   MODIFY(1) Frech
   NOOP(2) Baker, Ozancin
   REVIEWING(1) Christey

Voter Comments:
Frech> XF:ie-scriplet-fileread
Christey> Duplicate of CVE-1999-0347?

======================================================
Name: CVE-1999-0492
Status: Candidate
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-1999-0492
Phase: Proposed (19990726)
Category: SF
Reference: BUGTRAQ:Apr23,1999

The ffingerd 1.19 allows remote attackers to identify users on the target system based on its responses.
Current Votes:
   ACCEPT(3) Armstrong, Collins, Northcutt
   MODIFY(4) Baker, Blake, Frech, Shostack
   NOOP(4) Christey, Cole, Landfield, Wall
   REVIEWING(1) Ozancin

Voter Comments:
Shostack> isn't that what finger is supposed to do?
Landfield> Maybe we need a new category of "unsafe system utilities and protocols"
Blake> Ffingerd 1.19 allows remote attackers to differentiate valid and invalid usernames on the target system based on its responses to finger queries.
Christey> CHANGEREF BUGTRAQ [canonicalize] BUGTRAQ:19990423 Ffingerd privacy issues http://marc.theaimsgroup.com/?l=bugtraq&m=92488772121313&w=2
Here's the nature of the problem. (1) FFingerd allows users to decide not to be fingered, printing a message "That user does not want to be fingered" (2) If the fingered user does not exist, then FFingerd's intended default is to print that the user does not want to be fingered; however, the error message has a period at the end. Thus, ffingerd can allow someone to determine who valid users on the server are, *in spite of* the intended functionality of ffingerd itself. Thus this exposure should be viewed in light of the intended functionality of the application, as opposed to the common usage of the finger protocol in general. Also, the vendor posted a followup and said that a patch was available. See: http://marc.theaimsgroup.com/?l=bugtraq&m=92489375428016&w=2
Baker> Vulnerability Reference (HTML) Reference Type http://www.securityfocus.com/archive/1/13422 Misc Defensive Info
CHANGE> [Frech changed vote from REVIEWING to MODIFY]
Frech> XF:ffinger-user-info(5393)

======================================================
Name: CVE-1999-0495
Status: Candidate
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-1999-0495
Phase: Proposed (19990728)
Category: SF

A remote attacker can gain access to a file system using .. (dot dot) when accessing SMB shares.
Current Votes:
   ACCEPT(6) Baker, Blake, Cole, Collins, Northcutt, Ozancin
   MODIFY(1) Frech
   NOOP(4) Armstrong, Bishop, Landfield, Wall
   REVIEWING(2) Christey, Levy

Voter Comments:
Frech> XF:nb-dotdotknown(837) References would be appreciated. We've got no reference for this issue; confidence rating is consequently low.
Levy> Some references: http://www.securityfocus.com/archive/1/3894 http://www.securityfocus.com/archive/1/3533 http://www.securityfocus.com/archive/1/3535

======================================================
Name: CVE-1999-0497
Status: Candidate
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-1999-0497
Phase: Modified (20040811)
Category: CF

Anonymous FTP is enabled.

Current Votes:
   ACCEPT(1) Shostack
   MODIFY(1) Frech
   NOOP(2) Baker, Christey
   REJECT(1) Northcutt

Voter Comments:
Frech> ftp-anon(52) at http://xforce.iss.net/static/52.php ftp-anon2(543) at http://xforce.iss.net/static/543.php
Christey> Add period to the end of the description.
Baker> Don't know about this, but it may be the only easy way to allow access to data for some folks.

======================================================
Name: CVE-1999-0498
Status: Candidate
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-1999-0498
Phase: Modified (19990925-01)
Category: CF
Reference: CERT:CA-91.18.Active.Internet.tftp.Attacks

TFTP is not running in a restricted directory, allowing a remote attacker to access sensitive information such as password files.

Current Votes:
   ACCEPT(3) Blake, Hill, Northcutt
   MODIFY(1) Frech
   NOOP(1) Baker
   REVIEWING(1) Christey

Voter Comments:
Frech> XF:linux-tftp
Christey> XF:linux-tftp refers to CVE-1999-0183

======================================================
Name: CVE-1999-0499
Status: Candidate
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-1999-0499
Phase: Proposed (19990721)
Category: CF

NETBIOS share information may be published through SNMP registry keys in NT.
Current Votes:
   ACCEPT(5) Baker, Northcutt, Ozancin, Shostack, Wall
   MODIFY(1) Frech
   REJECT(1) LeBlanc

Voter Comments:
Frech> Change wording to 'Windows NT.' XF:snmp-netbios
LeBlanc> Share info can be obtained via SNMP queries, but I question whether this is a vulnerability. The system can be configured not to do this, and one may argue that SNMP itself is an insecure configuration. Furthermore, the share information isn't published via registry keys - the description could refer to more than one actual issue. SNMP is meant to allow people to obtain information about systems. I'm willing to discuss this with the rest of the board.

======================================================
Name: CVE-1999-0501
Status: Candidate
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-1999-0501
Phase: Proposed (19990714)
Category: CF

A Unix account has a guessable password.

Current Votes:
   ACCEPT(3) Baker, Northcutt, Shostack
   RECAST(2) Frech, Meunier
   REVIEWING(1) Christey

Voter Comments:
Frech> Guessable falls into the class of CVE-1999-0502, since I can guess a default, null, etc. password. Suggest changing to something like "has an existing non-default password that can be guessed." I'm also including default passwords in this entry. In that vein, we show the following references: XF:user-password XF:passwd-username XF:default-unix-sync XF:default-unix-4dgifts XF:default-unix-bin XF:default-unix-daemon XF:default-unix-lp XF:default-unix-me XF:default-unix-nuucp XF:default-unix-root XF:default-unix-toor XF:default-unix-tour XF:default-unix-tty XF:default-unix-uucp
Christey> This candidate is affected by the CD:CF-PASS content decision, which determines the appropriate level of abstraction to use for password problems. CD:CF-PASS needs to be accepted by the Editorial Board before this candidate can be converted into a CVE entry; the final version of CD:CF-PASS may require using a different LOA than this candidate is currently using.
CHANGE> [Meunier changed vote from ACCEPT to RECAST]
Meunier> This relates only to account password technology, so this candidate is independent of the operating system, application, web site or other application of this technology. The appropriate (natural) level of abstraction is therefore without specifying that it is for UNIX. Change the description to "An account has a guessable password other than default, null, blank." This should satisfy Andre's objection. This Candidate should be merged with any candidate relating to account password technology where "Unix" in the original description can be replaced by something else.

======================================================
Name: CVE-1999-0502
Status: Candidate
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-1999-0502
Phase: Proposed (19990714)
Category: CF

A Unix account has a default, null, blank, or missing password.

Current Votes:
   ACCEPT(4) Baker, Meunier, Northcutt, Shostack
   MODIFY(1) Frech
   REVIEWING(1) Christey

Voter Comments:
Frech> XF:passwd-blank XF:no-pass XF:dict XF:sgi-accounts XF:linux-caldera-lisa
Christey> This candidate is affected by the CD:CF-PASS content decision, which determines the appropriate level of abstraction to use for password problems. CD:CF-PASS needs to be accepted by the Editorial Board before this candidate can be converted into a CVE entry; the final version of CD:CF-PASS may require using a different LOA than this candidate is currently using.

======================================================
Name: CVE-1999-0503
Status: Candidate
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-1999-0503
Phase: Proposed (19990714)
Category: CF

A Windows NT local user or administrator account has a guessable password.

Current Votes:
   ACCEPT(4) Baker, Meunier, Northcutt, Shostack
   MODIFY(1) Frech
   REVIEWING(1) Christey

Voter Comments:
Frech> Note: I am assuming that this entry includes Windows 2000 accounts and machine/service accounts listed in User Manager.
XF:nt-guess-admin XF:nt-guess-user XF:nt-guess-guest XF:nt-guessed-operpwd XF:nt-guessed-powerwd XF:nt-guessed-disabled XF:nt-guessed-backup XF:nt-guessed-acctoper-pwd XF:nt-adminuserpw XF:nt-guestuserpw XF:nt-accountuserpw XF:nt-operator-userpw XF:nt-service-user-pwd XF:nt-server-oper-user-pwd XF:nt-power-user-pwd XF:nt-backup-operator-userpwd XF:nt-disabled-account-userpwd
Christey> This candidate is affected by the CD:CF-PASS content decision, which determines the appropriate level of abstraction to use for password problems. CD:CF-PASS needs to be accepted by the Editorial Board before this candidate can be converted into a CVE entry; the final version of CD:CF-PASS may require using a different LOA than this candidate is currently using.

======================================================
Name: CVE-1999-0504
Status: Candidate
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-1999-0504
Phase: Proposed (19990714)
Category: CF

A Windows NT local user or administrator account has a default, null, blank, or missing password.

Current Votes:
   ACCEPT(4) Baker, Meunier, Northcutt, Shostack
   MODIFY(1) Frech
   REVIEWING(1) Christey

Voter Comments:
Frech> XF:nt-guestblankpw XF:nt-adminblankpw XF:nt-adminnopw XF:nt-usernopw XF:nt-guestnopw XF:nt-accountblankpw XF:nt-nopw XF:nt-operator-blankpwd XF:nt-server-oper-blank-pwd XF:nt-power-user-blankpwd XF:nt-backup-operator-blankpwd XF:nt-disabled-account-blankpwd
Christey> This candidate is affected by the CD:CF-PASS content decision, which determines the appropriate level of abstraction to use for password problems. CD:CF-PASS needs to be accepted by the Editorial Board before this candidate can be converted into a CVE entry; the final version of CD:CF-PASS may require using a different LOA than this candidate is currently using.
======================================================
Name: CVE-1999-0505
Status: Candidate
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-1999-0505
Phase: Proposed (19990714)
Category: CF

A Windows NT domain user or administrator account has a guessable password.

Current Votes:
   ACCEPT(4) Baker, Meunier, Northcutt, Shostack
   MODIFY(1) Frech

Voter Comments:
Frech> XF:nt-guessed-domain-userpwd XF:nt-guessed-domain-guestpwd XF:nt-guessed-domain-adminpwd XF:nt-domain-userpwd XF:nt-domain-admin-userpwd XF:nt-domain-guest-userpwd XF:win2k-certpub-usrpwd XF:win2k-dhcpadm-usrpwd XF:win2k-dnsadm-usrpwd XF:win2k-entadm-usrpwd XF:win2k-schema-usrpwd XF:win2k-guessed-certpub XF:win2k-guessed-dhcpadm XF:win2k-guessed-dnsadm XF:win2k-guessed-entadm XF:win2k-guessed-schema

======================================================
Name: CVE-1999-0506
Status: Candidate
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-1999-0506
Phase: Proposed (19990714)
Category: CF

A Windows NT domain user or administrator account has a default, null, blank, or missing password.

Current Votes:
   ACCEPT(4) Baker, Meunier, Northcutt, Shostack
   MODIFY(1) Frech

Voter Comments:
Frech> XF:nt-domain-admin-blankpwd XF:nt-domain-admin-nopwd XF:nt-domain-guest-blankpwd XF:nt-domain-guest-nopwd XF:nt-domain-user-blankpwd XF:nt-domain-user-nopwd XF:win2k-certpub-blnkpwd XF:win2k-dhcpadm-blnkpwd XF:win2k-dnsadm-blnkpwd XF:win2k-entadm-blnkpwd XF:win2k-schema-blnkpwd

======================================================
Name: CVE-1999-0507
Status: Candidate
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-1999-0507
Phase: Proposed (19990714)
Category: CF

An account on a router, firewall, or other network device has a guessable password.
Current Votes:
   ACCEPT(4) Baker, Meunier, Northcutt, Shostack
   MODIFY(1) Frech

Voter Comments:
Frech> XF:firewall-tisopen XF:firewall-raptoropen XF:firewall-msopen XF:firewall-checkpointopen XF:firewall-ciscoopen

======================================================
Name: CVE-1999-0508
Status: Candidate
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-1999-0508
Phase: Proposed (19990714)
Category: CF

An account on a router, firewall, or other network device has a default, null, blank, or missing password.

Current Votes:
   ACCEPT(4) Baker, Meunier, Northcutt, Shostack
   MODIFY(1) Frech
   NOOP(1) Christey

Voter Comments:
Frech> Note: Because the distinction between network hardware and software is not distinct, the term 'network device' was liberally interpreted. Feel free to reject any of the below terms. XF:default-netranger XF:cayman-gatorbox XF:breezecom-default-passwords XF:default-portmaster XF:wingate-unpassworded XF:netopia-unpassworded XF:default-bay-switches XF:motorola-cable-default-pass XF:default-flowpoint XF:qms-2060-no-root-password XF:avirt-ras-password XF:webtrends-rtp-serv-install-password XF:cisco-bruteforce XF:cisco-bruteadmin XF:sambar-server-defaults XF:management-pfcuser XF:http-cgi-wwwboard-default
Christey> DELREF XF:avirt-ras-password - does not fit CVE-1999-0508.

======================================================
Name: CVE-1999-0509
Status: Candidate
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-1999-0509
Phase: Modified (20000114-01)
Category: CF
Reference: CERT:CA-96.11

Perl, sh, csh, or other shell interpreters are installed in the cgi-bin directory on a WWW site, which allows remote attackers to execute arbitrary commands.

Current Votes:
   ACCEPT(2) Northcutt, Wall
   MODIFY(1) Frech
   NOOP(1) Baker
   REVIEWING(1) Christey

Voter Comments:
Christey> What is the right level of abstraction to use here? Should we combine all possible interpreters into a single entry, or have a different entry for each one?
I've often seen Perl separated from other interpreters - is it included by default in some Windows web server configurations?
Christey> Add tcsh, zsh, bash, rksh, ksh, ash, to support search.
Frech> XF:http-cgi-vuln(146)

======================================================
Name: CVE-1999-0510
Status: Candidate
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-1999-0510
Phase: Proposed (19990726)
Category: CF

A router or firewall allows source routed packets from arbitrary hosts.

Current Votes:
   ACCEPT(2) Baker, Northcutt
   MODIFY(1) Frech

Voter Comments:
Frech> XF:source-routing

======================================================
Name: CVE-1999-0511
Status: Candidate
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-1999-0511
Phase: Proposed (19990726)
Category: CF

IP forwarding is enabled on a machine which is not a router or firewall.

Current Votes:
   ACCEPT(2) Baker, Northcutt
   MODIFY(1) Frech

Voter Comments:
Frech> XF:ip-forwarding

======================================================
Name: CVE-1999-0512
Status: Candidate
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-1999-0512
Phase: Modified (20020427-01)
Category: CF

A mail server is explicitly configured to allow SMTP mail relay, which allows abuse by spammers.

Current Votes:
   ACCEPT(3) Baker, Northcutt, Shostack
   MODIFY(1) Frech
   NOOP(1) Christey

Voter Comments:
Frech> XF:smtp-sendmail-relay(210) XF:ntmail-relay(2257) XF:exchange-relay(3107) (also assigned to CVE-1999-0682) XF:smtp-relay-uucp(3470) XF:sco-sendmail-spam(4342) XF:sco-openserver-mmdf-spam(4343) XF:lotus-domino-smtp-mail-relay(6591) XF:win2k-smtp-mail-relay(6803) XF:cobalt-poprelayd-mail-relay(6806)
Candidate implicitly may refer to relaying settings enabled by default, or the bypass/circumvention of relaying. Both interpretations were used in assigning this candidate.
Christey> The intention of this candidate is to cover configurations in which the admin has explicitly enabled relaying.
Other cases in which the application *intends* to prevent relaying, but there is some specific input that bypasses/tricks it, count as vulnerabilities (or exposures?) and as such would be assigned different numbers. http://www.sendmail.org/~ca/email/spam.html seems like a good general resource, as does ftp://ftp.isi.edu/in-notes/rfc2505.txt
Christey> I changed the description to make it more clear that the issue is that of explicit configuration, as opposed to being the result of a vulnerability.

======================================================
Name: CVE-1999-0515
Status: Candidate
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-1999-0515
Phase: Proposed (19990728)
Category: CF

An unrestricted remote trust relationship for Unix systems has been set up, e.g. by using a + sign in /etc/hosts.equiv.

Current Votes:
   ACCEPT(2) Baker, Northcutt
   MODIFY(1) Frech
   REJECT(1) Shostack

Voter Comments:
Shostack> Overly broad
Frech> XF:rsh-equiv(111)
Baker> Since this is unrestricted trust, I agree this is a problem

======================================================
Name: CVE-1999-0516
Status: Candidate
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-1999-0516
Phase: Proposed (19990714)
Category: CF

An SNMP community name is guessable.

Current Votes:
   ACCEPT(4) Baker, Meunier, Northcutt, Shostack
   MODIFY(1) Frech
   REVIEWING(1) Christey

Voter Comments:
Frech> XF:snmp-get-guess XF:snmp-set-guess XF:sol-hidden-commstr XF:hpov-hidden-snmp-comm
Christey> This candidate is affected by the CD:CF-PASS content decision, which determines the appropriate level of abstraction to use for password problems. CD:CF-PASS needs to be accepted by the Editorial Board before this candidate can be converted into a CVE entry; the final version of CD:CF-PASS may require using a different LOA than this candidate is currently using.
======================================================
Name: CVE-1999-0517
Status: Candidate
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-1999-0517
Phase: Proposed (19990714)
Category: CF

An SNMP community name is the default (e.g. public), null, or missing.

Current Votes:
   ACCEPT(4) Baker, Meunier, Northcutt, Shostack
   MODIFY(1) Frech
   REVIEWING(1) Christey

Voter Comments:
Frech> XF:nt-snmp XF:snmp-comm XF:snmp-set-any XF:snmp-get-public XF:snmp-set-public XF:snmp-get-any
Christey> This candidate is affected by the CD:CF-PASS content decision, which determines the appropriate level of abstraction to use for password problems. CD:CF-PASS needs to be accepted by the Editorial Board before this candidate can be converted into a CVE entry; the final version of CD:CF-PASS may require using a different LOA than this candidate is currently using.
Christey> Consider adding BID:2112

======================================================
Name: CVE-1999-0518
Status: Candidate
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-1999-0518
Phase: Proposed (19990714)
Category: CF

A NETBIOS/SMB share password is guessable.

Current Votes:
   ACCEPT(5) Baker, LeBlanc, Meunier, Northcutt, Shostack
   MODIFY(1) Frech

Voter Comments:
Frech> Change description term to NetBIOS. XF:nt-netbios-perm XF:sharepass XF:win95-smb-password XF:nt-netbios-dict

======================================================
Name: CVE-1999-0519
Status: Candidate
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-1999-0519
Phase: Proposed (19990714)
Category: CF

A NETBIOS/SMB share password is the default, null, or missing.

Current Votes:
   ACCEPT(5) Baker, LeBlanc, Meunier, Northcutt, Shostack
   MODIFY(1) Frech

Voter Comments:
Frech> Change description term to NetBIOS.
XF:decod-smb-password-empty XF:nt-netbios-everyoneaccess XF:nt-netbios-guestaccess XF:nt-netbios-allaccess XF:nt-netbios-open XF:nt-netbios-write XF:nt-netbios-shareguest XF:nt-writable-netbios XF:nt-netbios-everyoneaccess-printer XF:nt-netbios-share-print-guest

======================================================
Name: CVE-1999-0520
Status: Candidate
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-1999-0520
Phase: Proposed (19990803)
Category: CF

A system-critical NETBIOS/SMB share has inappropriate access control.

Current Votes:
   ACCEPT(1) Wall
   MODIFY(1) Frech
   NOOP(1) Baker
   RECAST(1) Northcutt
   REJECT(1) LeBlanc
   REVIEWING(1) Christey

Voter Comments:
Northcutt> I think we need to enumerate the shares and or the access control
Christey> One question is, what is "inappropriate"? It's probably very dependent on the policy of the enterprise on which this is found. And should writable shares be different from readable shares? (Or file systems, mail spools, etc.) Yes, the impact may be different, but we could have a large number of entries for each possible type of access. A content decision (CD:CF-DATA) needs to be reviewed and accepted by the Editorial Board in order to resolve this question.
LeBlanc> Unacceptably vague - agree with Christey's comments.
Frech> associated to: XF:nt-netbios-everyoneaccess(1) XF:nt-netbios-guestaccess(2) XF:nt-netbios-allaccess(3) XF:nt-netbios-open(15) XF:nt-netbios-write(19) XF:nt-netbios-shareguest(20) XF:nt-writable-netbios(26) XF:nb-rootshare(393) XF:decod-smb-password-empty(2358)

======================================================
Name: CVE-1999-0521
Status: Candidate
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-1999-0521
Phase: Proposed (19990714)
Category: CF

An NIS domain name is easily guessable.
Current Votes:
   ACCEPT(4) Baker, Meunier, Northcutt, Shostack
   MODIFY(1) Frech
   NOOP(1) Christey

Voter Comments:
Frech> XF:nis-dom
Christey> Consider http://www.cert.org/advisories/CA-1992-13.html as well as ftp://ciac.llnl.gov/pub/ciac/bulletin/c-fy92/c-25.ciac-sunos-nis-patch

======================================================
Name: CVE-1999-0522
Status: Candidate
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-1999-0522
Phase: Proposed (19990803)
Category: CF
Reference: CERT:CA-96.10

The permissions for a system-critical NIS+ table (e.g. passwd) are inappropriate.

Current Votes:
   ACCEPT(2) Baker, Wall
   NOOP(1) Christey
   RECAST(1) Northcutt

Voter Comments:
Northcutt> Why not say world readable, this is what you do further down in the file (world exportable in CVE-1999-0554)
Christey> ADDREF AUSCERT:AA-96.02

======================================================
Name: CVE-1999-0523
Status: Candidate
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-1999-0523
Phase: Proposed (19990726)
Category: CF

ICMP echo (ping) is allowed from arbitrary hosts.

Current Votes:
   MODIFY(1) Meunier
   NOOP(1) Baker
   REJECT(2) Frech, Northcutt

Voter Comments:
Northcutt> (Though I sympathize with this one :)
CHANGE> [Frech changed vote from REVIEWING to REJECT]
Frech> Ping is a utility that can be run on demand; ICMP echo is a message type. As currently worded, this candidate seems as if an arbitrary host is vulnerable because it is capable of running an arbitrary program or function (in this case, ping/ICMP echo). There are many programs/functions that 'shouldn't' be on a computer, from a security admin's perspective. Even if this were a vulnerability, it would be impacted by CD-HIGHCARD.
Meunier> Every ICMP message type presents a vulnerability or an exposure, if access is not controlled. By that I mean not only those in RFC 792, but also those in RFC 1256, 950, and more. I think that the description should be changed to "ICMP messages are acted upon without any access control".
ICMP is an error and debugging protocol. We complain about vendors leaving testing backdoors in their programs. ICMP is the equivalent for TCP/IP. ICMP should be in the dog house, unless you are trying to troubleshoot something. MTU discovery is just a performance tweak -- it's not necessary. I don't know of any ICMP message type that is necessary if the network is functional. Limited logging of ICMP messages could be useful, but acting upon them and allowing the modification of routing tables, the behavior of the TCP/IP stack, etc... without any form of authentication is just crazy.

======================================================
Name: CVE-1999-0524
Status: Candidate
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-1999-0524
Phase: Modified (20070716)
Category: CF
Reference: MISC:http://descriptions.securescout.com/tc/11010
Reference: MISC:http://descriptions.securescout.com/tc/11011
Reference: MISC:http://kb.vmware.com/selfservice/microsites/search.do?cmd=displayKC&externalId=1434
Reference: OSVDB:95
Reference: URL:http://www.osvdb.org/95
Reference: XF:icmp-netmask(306)
Reference: URL:http://xforce.iss.net/xforce/xfdb/306
Reference: XF:icmp-timestamp(322)
Reference: URL:http://xforce.iss.net/xforce/xfdb/322

ICMP information such as (1) netmask and (2) timestamp is allowed from arbitrary hosts.

Current Votes:
   MODIFY(3) Baker, Frech, Meunier
   REJECT(1) Northcutt

Voter Comments:
Frech> XF:icmp-timestamp XF:icmp-netmask
Meunier> If this is not merged with 1999-0523 as I commented for that CVE, then the description should be changed to "ICMP messages of types 13 and 14 (timestamp request and reply) and 17 and 18 (netmask request and reply) are acted upon without any access control". It's a more precise and correct language. I believe that this is a valid CVE entry (it's a common source of vulnerabilities or exposures) even though I see that the inferred action was "reject".
Knowing the time of a host also allows attacks against random number generators that are seeded with the current time. I want to push to have it accepted.
Baker> I agree with the description changes suggested by Pascal

======================================================
Name: CVE-1999-0525
Status: Candidate
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-1999-0525
Phase: Proposed (19990726)
Category: CF

IP traceroute is allowed from arbitrary hosts.

Current Votes:
   MODIFY(1) Frech
   NOOP(1) Baker
   REJECT(1) Northcutt

Voter Comments:
Frech> XF:traceroute

======================================================
Name: CVE-1999-0527
Status: Candidate
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-1999-0527
Phase: Proposed (19990803)
Category: CF

The permissions for system-critical data in an anonymous FTP account are inappropriate. For example, the root directory is writeable by world, a real password file is obtainable, or executable commands such as "ls" can be overwritten.

Current Votes:
   ACCEPT(3) Baker, Northcutt, Wall
   MODIFY(1) Frech

Voter Comments:
Northcutt> That starts to get specific :)
Frech> ftp-writable-directory(6253) ftp-write(53) "writeable" in the description should be "writable."

======================================================
Name: CVE-1999-0528
Status: Candidate
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-1999-0528
Phase: Proposed (19990726)
Category: CF

A router or firewall forwards external packets that claim to come from inside the network that the router/firewall is in front of.
Current Votes:
   ACCEPT(3) Baker, Meunier, Northcutt
   MODIFY(1) Frech

Voter Comments:
Frech> possibly XF:nisd-dns-fwd-check
CHANGE> [Frech changed vote from REVIEWING to MODIFY]
Frech> XF:firewall-external-packet-forwarding(8372)

======================================================
Name: CVE-1999-0529
Status: Candidate
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-1999-0529
Phase: Proposed (19990726)
Category: CF

A router or firewall forwards packets that claim to come from IANA reserved or private addresses, e.g. 10.x.x.x, 127.x.x.x, 217.x.x.x, etc.

Current Votes:
   ACCEPT(1) Frech
   MODIFY(2) Baker, Meunier
   REJECT(1) Northcutt

Voter Comments:
Northcutt> I have seen ISPs "assign" private addresses within their domain
Meunier> A border router or firewall forwards packets that claim to come from IANA reserved or private addresses, e.g. 10.x.x.x, 127.x.x.x, 217.x.x.x, etc, outside of their area of validity.
CHANGE> [Frech changed vote from REVIEWING to ACCEPT]
Baker> I think the description should be modified to say they accept this type of traffic from an interface not residing on private/reserved network.

======================================================
Name: CVE-1999-0530
Status: Candidate
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-1999-0530
Phase: Proposed (19990728)
Category: CF

A system is operating in "promiscuous" mode which allows it to perform packet sniffing.
Current Votes:
   ACCEPT(2) Baker, Northcutt
   MODIFY(1) Frech
   REJECT(1) Shostack

Voter Comments:
Frech> XF:etherstatd(264) XF:sniffer-attack(778) XF:decod-packet-capture-remote(1072) XF:netmon-running(1448) XF:netxray3-probe(1450) XF:sol-snoop-getquota-bo(3670) (also assigned to CVE-1999-0974)
Baker> Does pose a problem in non-switched environments

======================================================
Name: CVE-1999-0531
Status: Candidate
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-1999-0531
Phase: Modified (20080731)
Category: CF

** REJECT ** DO NOT USE THIS CANDIDATE NUMBER. ConsultIDs: None. Reason: this candidate is solely about a configuration that does not directly introduce security vulnerabilities, so it is more appropriate to cover under the Common Configuration Enumeration (CCE). Notes: the former description is: "An SMTP service supports EXPN, VRFY, HELP, ESMTP, and/or EHLO."

Current Votes:
   MODIFY(1) Frech
   NOOP(1) Christey
   RECAST(1) Shostack
   REJECT(1) Northcutt

Voter Comments:
Shostack> I think expn != vrfy, help, esmtp.
Frech> XF:lotus-domino-esmtp-bo(4499) (also assigned to CVE-2000-0452 and CVE-2000-1046) XF:smtp-expn(128) XF:smtp-vrfy(130) XF:smtp-helo-bo(886) XF:smtp-vrfy-bo(887) XF:smtp-expn-bo(888) XF:slmail-vrfyexpn-overflow(1721) XF:smtp-ehlo(323) Perhaps add RCPT? If so, add XF:smtp-rcpt(1928)
Christey> XF:smtp-vrfy(130) ?

======================================================
Name: CVE-1999-0532
Status: Candidate
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-1999-0532
Phase: Proposed (19990726)
Category: CF

A DNS server allows zone transfers.
Current Votes:
   MODIFY(1) Frech
   NOOP(1) Baker
   REJECT(1) Northcutt

Voter Comments:
 Northcutt> (With split DNS implementations this is quite appropriate)
 Frech> XF:dns-zonexfer

======================================================
Name: CVE-1999-0533
Status: Candidate
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-1999-0533
Phase: Proposed (19990726)
Category: CF

A DNS server allows inverse queries.

Current Votes:
   MODIFY(1) Frech
   NOOP(1) Baker
   REJECT(1) Northcutt

Voter Comments:
 Northcutt> (rule of thumb)
 Frech> XF:dns-iquery

======================================================
Name: CVE-1999-0534
Status: Candidate
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-1999-0534
Phase: Proposed (19990721)
Category: CF

A Windows NT user has inappropriate rights or privileges, e.g. Act as
System, Add Workstation, Backup, Change System Time, Create Pagefile,
Create Permanent Object, Create Token Name, Debug, Generate Security
Audit, Increase Priority, Increase Quota, Load Driver, Lock Memory,
Profile Single Process, Remote Shutdown, Replace Process Token, Restore,
System Environment, Take Ownership, or Unsolicited Input.

Current Votes:
   ACCEPT(5) Baker, Christey, Ozancin, Shostack, Wall
   MODIFY(2) Frech, Northcutt

Voter Comments:
 Northcutt> If we are going to write a laundry list put access to the
   scheduler in it.
 Christey> The list of privileges is very useful for lookup.
 Frech> XF:nt-create-token XF:nt-replace-token XF:nt-lock-memory
   XF:nt-increase-quota XF:nt-unsol-input XF:nt-act-system
   XF:nt-create-object XF:nt-sec-audit XF:nt-add-workstation
   XF:nt-manage-log XF:nt-take-owner XF:nt-load-driver
   XF:nt-profile-system XF:nt-system-time XF:nt-single-process
   XF:nt-increase-priority XF:nt-create-pagefile XF:nt-backup
   XF:nt-restore XF:nt-debug XF:nt-system-env XF:nt-remote-shutdown

======================================================
Name: CVE-1999-0535
Status: Candidate
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-1999-0535
Phase: Proposed (19990721)
Category: CF

A Windows NT account policy for passwords has inappropriate,
security-critical settings, e.g. for password length, password age, or
uniqueness.

Current Votes:
   ACCEPT(2) Shostack, Wall
   MODIFY(2) Baker, Frech
   RECAST(2) Northcutt, Ozancin

Voter Comments:
 Northcutt> inappropriate implies there is appropriate. As a guy who has
   been monitoring networks for years I have deep reservations about
   justifying the existence of any fixed cleartext password. For
   appropriate to exist, some "we" would have to establish some criteria
   for appropriate passwords.
 Baker> Perhaps this could be re-worded a bit. The CVE CVE-1999-00582
   specifies "...settings for lockouts". To remain consistent with the
   other, maybe it should specify "...settings for passwords". I think
   most people would agree that passwords should be at least 8
   characters; contain letters (upper and lowercase), numbers and at
   least one non-alphanumeric; should only be good a limited time 30-90
   days; and should not contain character combinations from user's prior
   2 or 3 passwords.
   Suggested rewrite - A Windows NT account policy does not enforce
   reasonable minimum security-critical settings for passwords, e.g.
   passwords of sufficient length, periodic required password changes,
   or new password uniqueness
 Ozancin> What is appropriate?
 Frech> XF:nt-autologonpwd XF:nt-pwlen XF:nt-maxage XF:nt-minage
   XF:nt-pw-history XF:nt-user-pwnoexpire XF:nt-unknown-pwdfilter
   XF:nt-pwd-never-expire XF:nt-pwd-nochange XF:nt-pwdcache-enable
   XF:nt-guest-change-passwords

======================================================
Name: CVE-1999-0537
Status: Candidate
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-1999-0537
Phase: Proposed (19990726)
Category: CF

A configuration in a web browser such as Internet Explorer or Netscape
Navigator allows execution of active content such as ActiveX, Java,
Javascript, etc.

Current Votes:
   ACCEPT(1) Wall
   NOOP(1) Baker
   RECAST(1) Frech
   REJECT(1) LeBlanc

Voter Comments:
 Frech> Good candidate for dot notation.
   XF:nav-java-enabled XF:nav-javascript-enabled XF:ie-active-content
   XF:ie-active-download XF:ie-active-scripting XF:ie-activex-execution
   XF:ie-java-enabled XF:netscape-javascript XF:netscape-java
   XF:zone-active-scripting XF:zone-activex-execution
   XF:zone-desktop-install XF:zone-low-channel XF:zone-file-download
   XF:zone-file-launch XF:zone-java-scripting XF:zone-low-java
   XF:zone-safe-scripting XF:zone-unsafe-scripting
 LeBlanc> Not a vulnerability. These are just checks for configuration
   settings that a user might have changed. I understand the need to
   increase the number of checks in a scanning product, but don't feel
   like these belong in CVE. Scanner vendors could argue that these
   entries are needed to keep a common language.
 Baker> Not sure about whether we should bother to include this type
   issue or not. It does provide a stepping stone for further actions,
   but in and of itself it isn't a specific vulnerability.

======================================================
Name: CVE-1999-0539
Status: Candidate
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-1999-0539
Phase: Proposed (19990728)
Category: CF

A trust relationship exists between two Unix hosts.
Current Votes:
   MODIFY(1) Frech
   NOOP(1) Baker
   REJECT(2) Northcutt, Shostack

Voter Comments:
 Northcutt> Too non-specific
 Frech> XF:trusted-host(341) XF:trust-remote-same(717)
   XF:trust-remote-root(718) XF:trust-remote-nonroot(719)
   XF:trust-remote-any(720) XF:trust-other-host(723)
   XF:trust-all-nonroot(726) XF:trust-any-remote(727)
   XF:trust-local-acct(728) XF:trust-local-any(729)
   XF:trust-local-nonroot(730) XF:trust-all-hosts(731)
   XF:nt-trusted-domain(1284) XF:rsagent-trusted-domainadded(1588)
   XF:trust-remote-user(2955) XF:user-trust-hosts(3074)
   XF:user-trust-other-host(3077) XF:user-trust-remote-account(3079)

======================================================
Name: CVE-1999-0541
Status: Candidate
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-1999-0541
Phase: Proposed (19990714)
Category: CF

A password for accessing a WWW URL is guessable.

Current Votes:
   ACCEPT(4) Baker, Meunier, Northcutt, Shostack
   MODIFY(1) Frech

Voter Comments:
 Frech> XF:http-password

======================================================
Name: CVE-1999-0546
Status: Candidate
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-1999-0546
Phase: Proposed (19990721)
Category: CF

The Windows NT guest account is enabled.

Current Votes:
   ACCEPT(5) Baker, Northcutt, Ozancin, Shostack, Wall
   MODIFY(1) Frech

Voter Comments:
 Frech> XF:nt-guest-account

======================================================
Name: CVE-1999-0547
Status: Candidate
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-1999-0547
Phase: Proposed (19990728)
Category: CF

An SSH server allows authentication through the .rhosts file.
Current Votes:
   ACCEPT(2) Baker, Shostack
   MODIFY(1) Frech
   NOOP(1) Northcutt

Voter Comments:
 Frech> XF:sshd-rhosts(315)

======================================================
Name: CVE-1999-0548
Status: Candidate
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-1999-0548
Phase: Proposed (19990728)
Category: CF

A superfluous NFS server is running, but it is not importing or
exporting any file systems.

Current Votes:
   ACCEPT(1) Shostack
   NOOP(1) Baker
   REJECT(1) Northcutt

======================================================
Name: CVE-1999-0549
Status: Candidate
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-1999-0549
Phase: Proposed (19990630)
Category: CF

Windows NT automatically logs in an administrator upon rebooting.

Current Votes:
   ACCEPT(1) Hill
   MODIFY(3) Blake, Frech, Ozancin
   NOOP(1) Wall
   REJECT(1) Baker

Voter Comments:
 Wall> Don't know what this is. Don't think it is a vulnerability and
   would initially reject. This is different than just renaming the
   administrator account.
 Frech> Would appreciate more information on this one, as in a reference.
 Blake> Reference: XF:nt-autologin
 Ozancin> Needs more detail
 Baker> I tried to find the XF:nt-autologin reference, and got no
   matching records from their search engine. No refs, no details,
   should reject
 CHANGE> [Frech changed vote from REVIEWING to MODIFY]
 Frech> XF:nt-autologon(5)

======================================================
Name: CVE-1999-0550
Status: Candidate
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-1999-0550
Phase: Proposed (19990726)
Category: CF

A router's routing tables can be obtained from arbitrary hosts.
Current Votes:
   ACCEPT(1) Baker
   MODIFY(1) Frech
   RECAST(1) Northcutt

Voter Comments:
 Northcutt> Don't you mean obtained by arbitrary hosts
 Frech> XF:routed XF:decod-rip-entry XF:rip
 Baker> Concur with this as a security issue

======================================================
Name: CVE-1999-0554
Status: Candidate
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-1999-0554
Phase: Proposed (19990803)
Category: CF

NFS exports system-critical data to the world, e.g. / or a password
file.

Current Votes:
   ACCEPT(2) Northcutt, Wall
   NOOP(1) Baker
   REVIEWING(1) Christey

Voter Comments:
 Christey> A content decision (CD:CF-DATA) needs to be reviewed and
   accepted by the Editorial Board in order to resolve this question.

======================================================
Name: CVE-1999-0555
Status: Candidate
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-1999-0555
Phase: Proposed (19990728)
Category: CF

A Unix account with a name other than "root" has UID 0, i.e. root
privileges.

Current Votes:
   NOOP(1) Baker
   REJECT(2) Northcutt, Shostack

Voter Comments:
 Northcutt> This is very bogus

======================================================
Name: CVE-1999-0556
Status: Candidate
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-1999-0556
Phase: Proposed (19990728)
Category: CF

Two or more Unix accounts have the same UID.

Current Votes:
   NOOP(2) Baker, Christey
   REJECT(2) Northcutt, Shostack

Voter Comments:
 Christey> XF:duplicate-uid(876)
 Christey> Add terms "duplicate" and "user ID" to facilitate search.
   ftp://ftp.auscert.org.au/pub/auscert/papers/unix_security_checklist

======================================================
Name: CVE-1999-0559
Status: Candidate
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-1999-0559
Phase: Proposed (19990803)
Category: CF

A system-critical Unix file or directory has inappropriate permissions.
Current Votes:
   ACCEPT(2) Baker, Wall
   RECAST(2) Northcutt, Shostack

Voter Comments:
 Northcutt> Writable other than by root/bin/wheelgroup?

======================================================
Name: CVE-1999-0560
Status: Candidate
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-1999-0560
Phase: Proposed (19990803)
Category: CF

A system-critical Windows NT file or directory has inappropriate
permissions.

Current Votes:
   ACCEPT(2) Baker, Wall
   RECAST(1) Northcutt

Voter Comments:
 Northcutt> I think we should specify these

======================================================
Name: CVE-1999-0561
Status: Candidate
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-1999-0561
Phase: Proposed (19990728)
Category: CF

IIS has the #exec function enabled for Server Side Include (SSI) files.

Current Votes:
   NOOP(2) Baker, Northcutt
   RECAST(1) Shostack
   REJECT(1) LeBlanc

Voter Comments:
 LeBlanc> Does not meet definition of a vulnerability. This function is
   just enabled. You can turn it off if you want. If you trust the
   people putting up your web pages, this isn't a problem. If you don't,
   this is just one of many things you need to change.

======================================================
Name: CVE-1999-0562
Status: Candidate
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-1999-0562
Phase: Modified (20061101)
Category: CF
Reference: OVAL:oval:org.mitre.oval:def:1023
Reference: URL:http://oval.mitre.org/repository/data/getDef?id=oval:org.mitre.oval:def:1023

The registry in Windows NT can be accessed remotely by users who are
not administrators.

Current Votes:
   ACCEPT(4) Baker, Ozancin, Shostack, Wall
   MODIFY(1) Frech
   RECAST(1) Northcutt

Voter Comments:
 Northcutt> This isn't all or nothing, users may be allowed to access
   part of the registry.
 Frech> XF:nt-winreg-all XF:nt-winreg-net

======================================================
Name: CVE-1999-0564
Status: Candidate
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-1999-0564
Phase: Proposed (19990728)
Category: CF

An attacker can force a printer to print arbitrary documents (e.g. if
the printer doesn't require a password) or to become disabled.

Current Votes:
   ACCEPT(2) Baker, Shostack
   NOOP(1) Northcutt

======================================================
Name: CVE-1999-0565
Status: Candidate
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-1999-0565
Phase: Proposed (19990728)
Category: CF

A Sendmail alias allows input to be piped to a program.

Current Votes:
   ACCEPT(1) Northcutt
   NOOP(1) Baker
   RECAST(1) Shostack
   REVIEWING(1) Christey

Voter Comments:
 Shostack> Is this a default alias? Is my .procmailrc an instance of
   this?
 Christey> It is not entirely clear whether the simple fact that an alias
   pipes into a program should be considered a vulnerability. It all
   depends on the behavior of that particular program. This is one of a
   number of configuration-related issues from the "draft" CVE that came
   from vulnerability scanners. In general, when we get to general
   configuration and "policy," it becomes more difficult to use the
   current CVE model to represent them. So at the very least, this
   candidate (and similar ones) should be given close consideration and
   discussion before being added to the official CVE list.
   Because this candidate is related to general configuration issues,
   and we have not completely determined how to handle such issues in
   CVE, this candidate cannot be promoted to an official CVE entry until
   such issues are resolved.

======================================================
Name: CVE-1999-0568
Status: Candidate
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-1999-0568
Phase: Proposed (19990728)
Category: CF

rpc.admind in Solaris is not running in a secure mode.
Current Votes:
   ACCEPT(1) Northcutt
   NOOP(2) Baker, Christey
   RECAST(2) Dik, Shostack

Voter Comments:
 Shostack> are there secure modes?
 Dik> Several:
   1) there is no "rpc.admind" daemon. there used to be a "admind" RPC
      daemon (100087/10) and there's now an "sadmind" daemon (100232/10)
      The switch over was somewhere around Solaris 2.4.
   2) Neither defaults to "secure mode"
   3) secure mode is "using secure RPC" which does proper over the wire
      authentication by specifying the "-S 2" option in inetd.conf
      (security level 2)
 Christey> XF:rpc-admind(626)
   http://xforce.iss.net/static/626.php
   MISC:http://pulhas.org/xploitsdb/mUNIXes/admind.html

======================================================
Name: CVE-1999-0569
Status: Candidate
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-1999-0569
Phase: Modified (19991130-01)
Category: CF

A URL for a WWW directory allows auto-indexing, which provides a list of
all files in that directory if it does not contain an index.html file.

Current Votes:
   ACCEPT(1) Wall
   NOOP(2) Baker, Christey
   REJECT(1) Northcutt

Voter Comments:
 Northcutt> I do this intentionally sometimes in high content directories
 Christey> XF:http-noindex(90) ?

======================================================
Name: CVE-1999-0570
Status: Candidate
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-1999-0570
Phase: Proposed (19990728)
Category: CF

Windows NT is not using a password filter utility, e.g. PASSFILT.DLL.

Current Votes:
   ACCEPT(1) Northcutt
   MODIFY(1) Frech
   NOOP(2) Baker, Christey
   REJECT(1) Wall

Voter Comments:
 Northcutt> Here we are crossing into the best practices arena again.
   However since passfilt does establish a measurable standard and since
   we aren't the ones defining the standard, simply saying it should be
   employed I will vote for this.
 Frech> XF:nt-passfilt-not-inst(1308) XF:nt-passfilt-not-found(1309)
 Christey> Consider MSKB:Q161990 and MSKB:Q151082

======================================================
Name: CVE-1999-0571
Status: Candidate
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-1999-0571
Phase: Modified (20020312-01)
Category: CF
Reference: BUGTRAQ:Feb5,1999

A router's configuration service or management interface (such as a web
server or telnet) is configured to allow connections from arbitrary
hosts.

Current Votes:
   ACCEPT(1) Baker
   MODIFY(1) Frech
   NOOP(2) Christey, Northcutt

Voter Comments:
 CHANGE> [Frech changed vote from REVIEWING to MODIFY]
 Frech> XF:ascend-config-kill(889) XF:cisco-ios-crash(1238)
   XF:webramp-remote-access(1670) XF:ascom-timeplex-debug(1824)
   XF:netopia-unpassworded(1850) XF:cisco-web-crash(1886)
   XF:cisco-router-commands(1951) XF:motorola-cable-default-pass(2002)
   XF:default-flowpoint(2091) XF:netgear-router-idle-dos(4003)
   XF:cisco-cbos-telnet(4251) XF:routermate-snmp-community(4290)
   XF:cayman-router-dos(4479) XF:wavelink-authentication(5185)
   XF:ciscosecure-ldap-bypass-authentication(5274)
   XF:foundry-firmware-telnet-dos(5514) XF:netopia-view-system-log(5536)
   XF:cisco-webadmin-remote-dos(5595) XF:cisco-cbos-web-access(5626)
   XF:netopia-telnet-dos(6001) XF:cisco-sn-gain-access(6827)
   XF:cayman-dsl-insecure-permissions(6841)
   XF:linksys-etherfast-reveal-passwords(6949)
   XF:zyxel-router-default-password(6968) XF:cisco-cbos-web-config(7027)
   XF:prestige-wan-bypass-filter(7146)
 Christey> I changed the description to make it more explicit that this
   candidate is about router configuration, as opposed to vulnerabilities
   that accidentally make a configuration service accessible to anyone.
======================================================
Name: CVE-1999-0572
Status: Candidate
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-1999-0572
Phase: Modified (20041017)
Category: CF

.reg files are associated with the Windows NT registry editor (regedit),
making the registry susceptible to Trojan Horse attacks.

Current Votes:
   ACCEPT(4) Baker, Ozancin, Shostack, Wall
   MODIFY(1) Frech
   NOOP(2) Christey, Northcutt

Voter Comments:
 Northcutt> I don't quite get what this means, sorry
 Frech> XF:nt-regfile(178)
 Christey> MISC:http://security-archive.merton.ox.ac.uk/nt-security-199902/0087.html

======================================================
Name: CVE-1999-0575
Status: Candidate
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-1999-0575
Phase: Proposed (19990721)
Category: CF

A Windows NT system's user audit policy does not log an event success or
failure, e.g. for Logon and Logoff, File and Object Access, Use of User
Rights, User and Group Management, Security Policy Changes, Restart,
Shutdown, and System, and Process Tracking.

Current Votes:
   ACCEPT(4) Christey, Ozancin, Shostack, Wall
   MODIFY(1) Frech
   RECAST(2) Baker, Northcutt

Voter Comments:
 Northcutt> It isn't a great truth that you should enable all of the
   above, if you do you potentially introduce a vulnerability of filling
   up the file system with stuff you will never look at.
 Ozancin> It is far less interesting what a user does successfully than
   what they attempt and fail at.
 Christey> The list of event types is very useful for lookup.
 Frech> XF:nt-system-audit XF:nt-logon-audit XF:nt-object-audit
   XF:nt-privil-audit XF:nt-process-audit XF:nt-policy-audit
   XF:nt-account-audit
 CHANGE> [Baker changed vote from REVIEWING to RECAST]

======================================================
Name: CVE-1999-0576
Status: Candidate
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-1999-0576
Phase: Proposed (19990721)
Category: CF

A Windows NT system's file audit policy does not log an event success or
failure for security-critical files or directories.

Current Votes:
   ACCEPT(3) Baker, Shostack, Wall
   MODIFY(2) Frech, Ozancin
   REJECT(1) Northcutt

Voter Comments:
 Northcutt> 1.) Too general are we ready to state what the
   security-critical files and directories are
   2.) Do Ataris, Windows CE, PalmOS, Linux have such a capability
 Ozancin> Some files and directories are clearly understood to be
   critical. Others are unclear. We need to clarify what critical is.
 Frech> XF:nt-object-audit

======================================================
Name: CVE-1999-0577
Status: Candidate
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-1999-0577
Phase: Proposed (19990721)
Category: CF

A Windows NT system's file audit policy does not log an event success or
failure for non-critical files or directories.

Current Votes:
   ACCEPT(2) Shostack, Wall
   MODIFY(3) Baker, Frech, Ozancin
   REJECT(1) Northcutt

Voter Comments:
 Ozancin> It is far less interesting what a user does successfully than
   what they attempt and fail at. Perhaps only failure should be logged.
 Frech> XF:nt-object-audit
 CHANGE> [Baker changed vote from REVIEWING to MODIFY]
 Baker> Failure on non-critical files is what should be monitored.

======================================================
Name: CVE-1999-0578
Status: Candidate
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-1999-0578
Phase: Proposed (19990721)
Category: CF

A Windows NT system's registry audit policy does not log an event
success or failure for security-critical registry keys.
Current Votes:
   ACCEPT(4) Baker, Ozancin, Shostack, Wall
   MODIFY(1) Frech
   REJECT(1) Northcutt

Voter Comments:
 Ozancin> with reservation Again what is defined as critical
 CHANGE> [Frech changed vote from REVIEWING to MODIFY]
 Frech> XF:nt-object-audit(228)

======================================================
Name: CVE-1999-0579
Status: Candidate
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-1999-0579
Phase: Proposed (19990721)
Category: CF

A Windows NT system's registry audit policy does not log an event
success or failure for non-critical registry keys.

Current Votes:
   ACCEPT(3) Baker, Shostack, Wall
   MODIFY(2) Frech, Ozancin
   REJECT(1) Northcutt

Voter Comments:
 Ozancin> Again only failure may be of interest. It would be impractical
   to wade through the incredibly large amount of logging that this
   would generate. It could overwhelm log entries that you might find
   interesting.
 CHANGE> [Frech changed vote from REVIEWING to MODIFY]
 Frech> XF:nt-object-audit(228)

======================================================
Name: CVE-1999-0580
Status: Candidate
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-1999-0580
Phase: Proposed (19990803)
Category: CF

The HKEY_LOCAL_MACHINE key in a Windows NT system has inappropriate,
system-critical permissions.

Current Votes:
   ACCEPT(1) Wall
   NOOP(1) Baker
   RECAST(1) Northcutt

Voter Comments:
 Northcutt> I think we can define appropriate, take a look at the nt
   security .pdf and see if you can't see a way to phrase specific keys
   in a way that defines inappropriate.
 Baker> This is way vague...

======================================================
Name: CVE-1999-0581
Status: Candidate
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-1999-0581
Phase: Proposed (19990803)
Category: CF

The HKEY_CLASSES_ROOT key in a Windows NT system has inappropriate,
system-critical permissions.
Current Votes:
   ACCEPT(1) Wall
   NOOP(1) Baker
   RECAST(1) Northcutt

Voter Comments:
 Northcutt> I think we can define appropriate, take a look at the nt
   security .pdf and see if you can't see a way to phrase specific keys
   in a way that defines inappropriate.
 Baker> way too vague

======================================================
Name: CVE-1999-0582
Status: Candidate
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-1999-0582
Phase: Proposed (19990721)
Category: CF

A Windows NT account policy has inappropriate, security-critical
settings for lockout, e.g. lockout duration, lockout after bad logon
attempts, etc.

Current Votes:
   ACCEPT(3) Ozancin, Shostack, Wall
   MODIFY(2) Baker, Frech
   REJECT(1) Northcutt

Voter Comments:
 Northcutt> The definition is?
 Baker> Maybe a rewording of this one too. I think most people would
   agree on some "minimum" policies like 3-5 bad attempts lockout for an
   hour or until the administrator unlocks the account.
   Suggested rewrite - A Windows NT account policy does not enforce
   reasonable minimum security-critical settings for lockouts, e.g.
   lockout duration, lockout after bad logon attempts, etc.
 Ozancin> with reservations What is appropriate?
 Frech> XF:nt-thres-lockout XF:nt-lock-duration XF:nt-lock-window
   XF:nt-perm-lockout XF:lockout-disabled

======================================================
Name: CVE-1999-0583
Status: Candidate
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-1999-0583
Phase: Proposed (19990728)
Category: CF

There is a one-way or two-way trust relationship between Windows NT
domains.

Current Votes:
   NOOP(2) Baker, Christey
   REJECT(2) Northcutt, Shostack

Voter Comments:
 Christey> XF:nt-trusted-domain(1284)

======================================================
Name: CVE-1999-0584
Status: Candidate
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-1999-0584
Phase: Proposed (19990728)
Category: CF

A Windows NT file system is not NTFS.
Current Votes:
   ACCEPT(2) Northcutt, Wall
   MODIFY(1) Frech
   NOOP(2) Baker, Christey

Voter Comments:
 Wall> NTFS partition provides the security. This could be re-worded to
   "A Windows NT file system is FAT" since it is either NTFS or FAT and
   FAT is less secure.
 Frech> XF:nt-filesys(195)
 Christey> MSKB:Q214579
   http://support.microsoft.com/support/kb/articles/Q100/1/08.ASP

======================================================
Name: CVE-1999-0585
Status: Candidate
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-1999-0585
Phase: Proposed (19990721)
Category: CF

A Windows NT administrator account has the default name of
Administrator.

Current Votes:
   ACCEPT(1) Ozancin
   MODIFY(1) Frech
   REJECT(3) Baker, Northcutt, Shostack
   REVIEWING(1) Wall

Voter Comments:
 Wall> Some sources say this is not a vulnerability, but a warning. It
   just slows down the search for the admin account (SID = 500) which
   can always be found.
 Northcutt> I change this on all NT systems I am responsible for, but is
   root a vulnerability?
 Baker> There are ways to identify the administrator account anyway, so
   this is only a minor delay to someone that is knowledgeable. This, in
   and of itself, doesn't really strike me as a vulnerability, anymore
   than the root account on a Unix box.
 Shostack> (there is no way to hide the account name today)
 Frech> XF:nt-adminexists

======================================================
Name: CVE-1999-0586
Status: Candidate
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-1999-0586
Phase: Proposed (19990728)
Category: CF

A network service is running on a nonstandard port.

Current Votes:
   NOOP(1) Baker
   RECAST(1) Shostack
   REJECT(1) Northcutt

Voter Comments:
 Shostack> Might be acceptable if clearer; is that a standard service on
   a non-standard port, or any service on an unassigned port?
 Baker> It might actually be an enhancement rather than a problem to run
   a service on a non-standard port

======================================================
Name: CVE-1999-0587
Status: Candidate
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-1999-0587
Phase: Proposed (19990803)
Category: CF

A WWW server is not running in a restricted file system, e.g. through a
chroot, thus allowing access to system-critical data.

Current Votes:
   ACCEPT(1) Wall
   NOOP(1) Baker
   RECAST(1) Northcutt

Voter Comments:
 Northcutt> While I would accept this for Unix, I am not sure this
   applies to NT, VMS, palm pilots, or commodore 64

======================================================
Name: CVE-1999-0588
Status: Candidate
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-1999-0588
Phase: Proposed (19990726)
Category: CF

A filter in a router or firewall allows unusual fragmented packets.

Current Votes:
   MODIFY(2) Baker, Frech
   REJECT(1) Northcutt

Voter Comments:
 Northcutt> I want to vote to accept this one, but unusual is a shade
   broad.
 Frech> XF:nt-rras XF:cisco-fragmented-attacks XF:ip-frag
 Baker> Perhaps we should use the word abnormally fragmented or some
   other descriptor.

======================================================
Name: CVE-1999-0589
Status: Candidate
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-1999-0589
Phase: Proposed (19990803)
Category: CF

A system-critical Windows NT registry key has inappropriate permissions.

Current Votes:
   ACCEPT(1) Wall
   NOOP(1) Baker
   RECAST(2) Christey, Northcutt

Voter Comments:
 Northcutt> I think we can define appropriate, take a look at the nt
   security .pdf and see if you can't see a way to phrase specific keys
   in a way that defines inappropriate.
 Christey> Upon further reflection, this is too high-level for CVE.
   Specific registry keys with bad permissions is roughly equivalent to
   Unix configuration files that have bad permissions; those permission
   problems can be created by any vendor, not just a specific one.
   Therefore this candidate should be RECAST into each separate registry
   key that has this problem.

======================================================
Name: CVE-1999-0590
Status: Candidate
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-1999-0590
Phase: Proposed (19990728)
Category: CF

A system does not present an appropriate legal message or warning to a
user who is accessing it.

Current Votes:
   ACCEPT(2) Baker, Northcutt
   MODIFY(1) Christey
   RECAST(1) Shostack

Voter Comments:
 Christey> ADDREF CIAC:J-043
   URL:http://ciac.llnl.gov/ciac/bulletins/j-043.shtml
   Also add "banner" to the description to facilitate search.
 Baker> Should be in place where ever it is possible

======================================================
Name: CVE-1999-0591
Status: Candidate
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-1999-0591
Phase: Proposed (19990803)
Category: CF

An event log in Windows NT has inappropriate access permissions.

Current Votes:
   ACCEPT(2) Baker, Wall
   RECAST(1) Northcutt

Voter Comments:
 Northcutt> splain Lucy, splain

======================================================
Name: CVE-1999-0592
Status: Candidate
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-1999-0592
Phase: Proposed (19990728)
Category: CF

The Logon box of a Windows NT system displays the name of the last user
who logged in.

Current Votes:
   MODIFY(1) Frech
   NOOP(2) Baker, Christey
   REJECT(2) Northcutt, Wall

Voter Comments:
 Wall> Information gathering, not vulnerability
 Northcutt> Ah a C2 weenie must have snuck this in, this can be a good
   thing not just vulnerability
 Frech> XF:nt-display-last-username(1353)
   Use it if you will. :-) If not, let us know so I can remove the CAN
   reference from our database.
 Christey> MSKB:Q114463
   http://support.microsoft.com/support/kb/articles/q114/4/63.asp

======================================================
Name: CVE-1999-0593
Status: Candidate
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-1999-0593
Phase: Modified (20091029)
Category: CF
Reference: MISC:http://www.microsoft.com/technet/archive/winntas/deploy/confeat/06wntpcc.mspx?mfr=true
Reference: CONFIRM:http://technet.microsoft.com/en-us/library/cc722469.aspx
Reference: OSVDB:59333
Reference: URL:http://osvdb.org/59333
Reference: XF:nt-shutdown-without-logon(1291)
Reference: URL:http://xforce.iss.net/xforce/xfdb/1291

The default setting for the Winlogon key entry ShutdownWithoutLogon in
Windows NT allows users with physical access to shut down a Windows NT
system without logging in.

Current Votes:
   ACCEPT(1) Wall
   MODIFY(1) Frech
   NOOP(1) Baker
   REJECT(1) Northcutt

Voter Comments:
 Wall> Still a denial of service.
 Northcutt> May well be appropriate
 Frech> XF:nt-shutdown-without-logon(1291)

======================================================
Name: CVE-1999-0594
Status: Candidate
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-1999-0594
Phase: Proposed (19990728)
Category: CF

A Windows NT system does not restrict access to removable media drives
such as a floppy disk drive or CDROM drive.

Current Votes:
   ACCEPT(1) Wall
   MODIFY(1) Frech
   NOOP(2) Baker, Christey
   REJECT(1) Northcutt

Voter Comments:
 Wall> Perhaps it can be re-worded to "removable media drives such as a
   floppy disk drive or CDROM drive can be accessed (shared) in a
   Windows NT system."
 Northcutt> - what good is my NT w/o its floppy
 Frech> XF:nt-allocate-cdroms(1294) XF:nt-allocate-floppy(1318)
 Christey> MSKB:Q172520
   URL:http://support.microsoft.com/support/kb/articles/q172/5/20.asp

======================================================
Name: CVE-1999-0595
Status: Candidate
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-1999-0595
Phase: Proposed (19990728)
Category: CF
Reference: MSKB:Q182086

A Windows NT system does not clear the system page file during shutdown,
which might allow sensitive information to be recorded.

Current Votes:
   ACCEPT(2) Baker, Wall
   MODIFY(1) Frech
   NOOP(1) Northcutt

Voter Comments:
 Frech> XF:nt-clearpage(216) XF:reg-pagefile-clearing(2551)

======================================================
Name: CVE-1999-0596
Status: Candidate
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-1999-0596
Phase: Proposed (19990728)
Category: CF

A Windows NT log file has an inappropriate maximum size or retention
period.

Current Votes:
   MODIFY(1) Frech
   NOOP(1) Baker
   REJECT(2) Northcutt, Wall

Voter Comments:
 Northcutt> define appropriate
 Frech> XF:reg-app-log-small(2521) XF:reg-sec-log-maxsize(2577)
   XF:reg-sys-log-small(2586)

======================================================
Name: CVE-1999-0597
Status: Candidate
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-1999-0597
Phase: Proposed (19990728)
Category: CF

A Windows NT account policy does not forcibly disconnect remote users
from the server when their logon hours expire.

Current Votes:
   ACCEPT(1) Northcutt
   MODIFY(1) Frech
   NOOP(1) Baker
   REJECT(1) Wall

Voter Comments:
 Frech> XF:nt-forced-logoff(1343)

======================================================
Name: CVE-1999-0598
Status: Candidate
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-1999-0598
Phase: Proposed (19990726)
Category: CF

A network intrusion detection system (IDS) does not properly handle
packets that are sent out of order, allowing an attacker to escape
detection.
Current Votes:
   ACCEPT(3) Armstrong, Baker, Northcutt
   NOOP(1) Frech
   REVIEWING(1) Christey

Voter Comments:
 Frech> Waiting for CIEL.
 Christey> This is a design flaw, along with the other reported IDS problems; at least reference Ptacek/Newsham's paper.
 Christey> URL:http://www.robertgraham.com/mirror/Ptacek-Newsham-Evasion-98.html

======================================================
Name: CVE-1999-0599
Status: Candidate
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-1999-0599
Phase: Proposed (19990726)
Category: CF

A network intrusion detection system (IDS) does not properly handle packets with improper sequence numbers.

Current Votes:
   ACCEPT(2) Baker, Northcutt
   NOOP(1) Frech
   REVIEWING(1) Christey

Voter Comments:
 Frech> Waiting for CIEL.
 Christey> This is a design flaw, along with the other reported IDS problems; at least reference Ptacek/Newsham's paper.
 Christey> URL:http://www.robertgraham.com/mirror/Ptacek-Newsham-Evasion-98.html

======================================================
Name: CVE-1999-0600
Status: Candidate
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-1999-0600
Phase: Proposed (19990726)
Category: CF

A network intrusion detection system (IDS) does not verify the checksum on a packet.

Current Votes:
   ACCEPT(2) Baker, Northcutt
   NOOP(1) Frech
   REVIEWING(1) Christey

Voter Comments:
 Frech> Waiting for CIEL.
 Christey> This is a design flaw, along with the other reported IDS problems; at least reference Ptacek/Newsham's paper.
 Christey> URL:http://www.robertgraham.com/mirror/Ptacek-Newsham-Evasion-98.html

======================================================
Name: CVE-1999-0601
Status: Candidate
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-1999-0601
Phase: Proposed (19990726)
Category: CF

A network intrusion detection system (IDS) does not properly handle data within TCP handshake packets.

Current Votes:
   ACCEPT(2) Baker, Northcutt
   NOOP(1) Frech
   REVIEWING(1) Christey

Voter Comments:
 Frech> Waiting for Godot, er, CIEL.
 Christey> This is a design flaw, along with the other reported IDS problems; at least reference Ptacek/Newsham's paper.
 Christey> URL:http://www.robertgraham.com/mirror/Ptacek-Newsham-Evasion-98.html

======================================================
Name: CVE-1999-0602
Status: Candidate
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-1999-0602
Phase: Proposed (19990726)
Category: CF

A network intrusion detection system (IDS) does not properly reassemble fragmented packets.

Current Votes:
   ACCEPT(2) Baker, Northcutt
   NOOP(1) Frech
   REVIEWING(1) Christey

Voter Comments:
 Frech> Waiting for CIEL.
 Christey> This is a design flaw, along with the other reported IDS problems; at least reference Ptacek/Newsham's paper.
 Christey> URL:http://www.robertgraham.com/mirror/Ptacek-Newsham-Evasion-98.html

======================================================
Name: CVE-1999-0603
Status: Candidate
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-1999-0603
Phase: Proposed (19990728)
Category: CF

In Windows NT, an inappropriate user is a member of a group, e.g. Administrator, Backup Operators, Domain Admins, Domain Guests, Power Users, Print Operators, Replicators, System Operators, etc.

Current Votes:
   MODIFY(1) Frech
   NOOP(1) Baker
   REJECT(2) Northcutt, Wall

Voter Comments:
 Frech> XF:nt-system-operator
   XF:nt-admin-group
   XF:nt-replicator
   XF:nt-print-operator
   XF:nt-power-user
   XF:nt-guest-in-group
   XF:nt-backup-operator
   XF:nt-domain-admin
   XF:nt-domain-guest
   XF:win2k-acct-oper-grp
   XF:win2k-admin-grp
   XF:win2k-backup-oper-grp
   XF:win2k-certpublishers-grp
   XF:win2k-dhcp-admin-grp
   XF:win2k-dnsadm-grp
   XF:win2k-domainadm-grp
   XF:win2k-entadm-grp
   XF:win2k-printoper-grp
   XF:win2k-replicator-grp
   XF:win2k-schemaadm-grp
   XF:win2k-serveroper-grp
   You asked for it... :-) Use or reject at your discretion. If rejected, please let us know so we can remove CAN references from database.
======================================================
Name: CVE-1999-0604
Status: Candidate
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-1999-0604
Phase: Proposed (19990728)
Category: CF
Reference: BUGTRAQ:19990420 Shopping Carts exposing CC data
Reference: URL:http://marc.theaimsgroup.com/?l=bugtraq&m=92462991805485&w=2

An incorrect configuration of the WebStore 1.0 shopping cart CGI program "web_store.cgi" could disclose private information.

Current Votes:
   ACCEPT(1) Baker
   MODIFY(1) Frech
   NOOP(2) Northcutt, Wall

Voter Comments:
 Frech> XF:webstore-misconfig(3861)

======================================================
Name: CVE-1999-0605
Status: Candidate
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-1999-0605
Phase: Proposed (19990728)
Category: CF
Reference: BUGTRAQ:19990420 Shopping Carts exposing CC data
Reference: URL:http://marc.theaimsgroup.com/?l=bugtraq&m=92462991805485&w=2

An incorrect configuration of the Order Form 1.0 shopping cart CGI program could disclose private information.

Current Votes:
   ACCEPT(1) Baker
   MODIFY(1) Frech
   NOOP(3) Christey, Northcutt, Wall

Voter Comments:
 Frech> XF:orderform-misconfig(3860)
 Christey> BID:2021
 Christey> Mention affected files: order_log_v12.dat and order_log.dat; fix version number (1.2)

======================================================
Name: CVE-1999-0606
Status: Candidate
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-1999-0606
Phase: Proposed (19990728)
Category: CF
Reference: BUGTRAQ:19990420 Shopping Carts exposing CC data
Reference: URL:http://marc.theaimsgroup.com/?l=bugtraq&m=92462991805485&w=2

An incorrect configuration of the EZMall 2000 shopping cart CGI program "mall2000.cgi" could disclose private information.
Current Votes:
   ACCEPT(1) Baker
   MODIFY(1) Frech
   NOOP(3) Christey, Northcutt, Wall

Voter Comments:
 Frech> XF:ezmall2000-misconfig(3859)
 Christey> Add mall_log_files/order.log to desc

======================================================
Name: CVE-1999-0607
Status: Candidate
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-1999-0607
Phase: Modified (20060608)
Category: CF
Reference: BUGTRAQ:19990420 Shopping Carts exposing CC data
Reference: URL:http://marc.theaimsgroup.com/?l=bugtraq&m=92462991805485&w=2

quikstore.cgi in QuikStore shopping cart stores quikstore.cfg under the web document root with insufficient access control, which allows remote attackers to obtain the cleartext administrator password and gain privileges.

Current Votes:
   ACCEPT(1) Baker
   MODIFY(1) Frech
   NOOP(3) Christey, Northcutt, Wall

Voter Comments:
 Frech> XF:quikstore-misconfig(3858)
 Christey> http://www.quikstore.com/help/pages/Security/security.htm says:
   "It is IMPORTANT that during the setup of the QuikStore program, you check to make sure that the cgi-bin or executable program directory of your web site not be viewable from the outside world. You don't want the users to have access to your programs or log files that could be stored there! ... If you can view or download these files from the browser, someone else can too"
   So is this a configuration problem? See the configuration file at http://www.quikstore.com/help/pages/Configuration/configparametersfull.htm
   The [DIRECTORY_PATHS] section identifies pathnames and describes how pathnames are constructed. It clearly uses relative pathnames, so all data is underneath the base directory!! If we call this a configuration problem, then maybe this (and all other "CGI-data-in-web-tree" configuration problems) should be combined.
 Christey> Consider adding BID:1983

======================================================
Name: CVE-1999-0609
Status: Candidate
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-1999-0609
Phase: Proposed (19990728)
Category: CF
Reference: BUGTRAQ:19990420 Shopping Carts exposing CC data
Reference: URL:http://marc.theaimsgroup.com/?l=bugtraq&m=92462991805485&w=2

An incorrect configuration of the SoftCart CGI program "SoftCart.exe" could disclose private information.

Current Votes:
   ACCEPT(1) Baker
   MODIFY(1) Frech
   NOOP(3) Christey, Northcutt, Wall

Voter Comments:
 Frech> XF:softcart-misconfig(3856)
 Christey> Consider adding BID:2055

======================================================
Name: CVE-1999-0610
Status: Candidate
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-1999-0610
Phase: Proposed (19990728)
Category: CF
Reference: BUGTRAQ:19990420 Shopping Carts exposing CC data
Reference: URL:http://marc.theaimsgroup.com/?l=bugtraq&m=92462991805485&w=2

An incorrect configuration of the Webcart CGI program could disclose private information.

Current Votes:
   ACCEPT(1) Baker
   MODIFY(1) Frech
   NOOP(2) Northcutt, Wall

Voter Comments:
 Frech> Cite reference as:
   BUGTRAQ:19990424 Re: Shopping Carts exposing CC data
   URL: http://www.securityfocus.com/frames/?content=/templates/archive.pike%3Flist%3D1%26date%3D2000-08-22%26msg%3D3720E2B6.6031A2E7@datashopper.dk
 CHANGE> [Frech changed vote from REVIEWING to MODIFY]
 Frech> XF:webcart-data-exposure(8374)

======================================================
Name: CVE-1999-0611
Status: Candidate
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-1999-0611
Phase: Proposed (19990803)
Category: CF

A system-critical Windows NT registry key has an inappropriate value.

Current Votes:
   ACCEPT(1) Wall
   NOOP(1) Baker
   RECAST(1) Northcutt

Voter Comments:
 Northcutt> I think we can define appropriate, take a look at the nt security .pdf and see if you can't see a way to phrase specific keys in a way that defines inappropriate.
 Baker> too vague

======================================================
Name: CVE-1999-0613
Status: Candidate
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-1999-0613
Phase: Proposed (19990721)
Category: SA

The rpc.sprayd service is running.

Current Votes:
   ACCEPT(2) Baker, Ozancin
   MODIFY(1) Frech
   NOOP(1) Wall
   REJECT(1) Northcutt

Voter Comments:
 Frech> XF:sprayd

======================================================
Name: CVE-1999-0614
Status: Candidate
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-1999-0614
Phase: Modified (20080731)
Category: SA

** REJECT ** DO NOT USE THIS CANDIDATE NUMBER.
ConsultIDs: None.
Reason: this candidate is solely about a configuration that does not directly introduce security vulnerabilities, so it is more appropriate to cover under the Common Configuration Enumeration (CCE).
Notes: the former description is: "The FTP service is running."

Current Votes:
   ACCEPT(2) Baker, Wall
   REJECT(1) Northcutt

======================================================
Name: CVE-1999-0615
Status: Candidate
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-1999-0615
Phase: Modified (20080731)
Category: SA

** REJECT ** DO NOT USE THIS CANDIDATE NUMBER.
ConsultIDs: None.
Reason: this candidate is solely about a configuration that does not directly introduce security vulnerabilities, so it is more appropriate to cover under the Common Configuration Enumeration (CCE).
Notes: the former description is: "The SNMP service is running."

Current Votes:
   ACCEPT(3) Baker, Prosser, Wall
   NOOP(1) Christey
   REJECT(1) Northcutt

Voter Comments:
 Baker> Although newer versions on snmp are not as vulnerable as prior versions, this can still be a significant risk of exploitation, as seen in recent attacks on snmp services via automated worms
 Christey> XF:snmp(132) ?
 Prosser> This fits the "exposure" description although we also know there are many vulnerabilities in SNMP. This is more of a policy/best practice issue for administrators.
   If you need SNMP lock it down as tight as you can, if you don't need it, don't run it.

======================================================
Name: CVE-1999-0616
Status: Candidate
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-1999-0616
Phase: Modified (20080731)
Category: SA

** REJECT ** DO NOT USE THIS CANDIDATE NUMBER.
ConsultIDs: None.
Reason: this candidate is solely about a configuration that does not directly introduce security vulnerabilities, so it is more appropriate to cover under the Common Configuration Enumeration (CCE).
Notes: the former description is: "The TFTP service is running."

Current Votes:
   ACCEPT(2) Baker, Wall
   REJECT(1) Northcutt

======================================================
Name: CVE-1999-0617
Status: Candidate
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-1999-0617
Phase: Modified (20080731)
Category: SA

** REJECT ** DO NOT USE THIS CANDIDATE NUMBER.
ConsultIDs: None.
Reason: this candidate is solely about a configuration that does not directly introduce security vulnerabilities, so it is more appropriate to cover under the Common Configuration Enumeration (CCE).
Notes: the former description is: "The SMTP service is running."

Current Votes:
   ACCEPT(2) Baker, Wall
   REJECT(1) Northcutt

======================================================
Name: CVE-1999-0618
Status: Candidate
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-1999-0618
Phase: Modified (19990921-01)
Category: SA
Reference: XF:rexec

The rexec service is running.

Current Votes:
   ACCEPT(4) Baker, Northcutt, Ozancin, Wall
   MODIFY(1) Frech

Voter Comments:
 Frech> XF:decod-rexec
   XF:rexec

======================================================
Name: CVE-1999-0619
Status: Candidate
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-1999-0619
Phase: Modified (20080731)
Category: SA

** REJECT ** DO NOT USE THIS CANDIDATE NUMBER.
ConsultIDs: None.
Reason: this candidate is solely about a configuration that does not directly introduce security vulnerabilities, so it is more appropriate to cover under the Common Configuration Enumeration (CCE).
Notes: the former description is: "The Telnet service is running."

Current Votes:
   ACCEPT(2) Baker, Wall
   REJECT(1) Northcutt

======================================================
Name: CVE-1999-0620
Status: Candidate
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-1999-0620
Phase: Modified (20080731)
Category: SA

** REJECT ** DO NOT USE THIS CANDIDATE NUMBER.
ConsultIDs: None.
Reason: this candidate is solely about a configuration that does not directly introduce security vulnerabilities, so it is more appropriate to cover under the Common Configuration Enumeration (CCE).
Notes: the former description is: "A component service related to NIS is running."

Current Votes:
   ACCEPT(2) Baker, Wall
   NOOP(1) Christey
   REJECT(1) Northcutt

Voter Comments:
 Christey> XF:ypserv(261)

======================================================
Name: CVE-1999-0621
Status: Candidate
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-1999-0621
Phase: Modified (20080731)
Category: SA
Reference: OVAL:oval:org.mitre.oval:def:1024
Reference: URL:http://oval.mitre.org/repository/data/getDef?id=oval:org.mitre.oval:def:1024

** REJECT ** DO NOT USE THIS CANDIDATE NUMBER.
ConsultIDs: None.
Reason: this candidate is solely about a configuration that does not directly introduce security vulnerabilities, so it is more appropriate to cover under the Common Configuration Enumeration (CCE).
Notes: the former description is: "A component service related to NETBIOS is running."

Current Votes:
   ACCEPT(2) Baker, Wall
   MODIFY(1) Frech
   REJECT(2) LeBlanc, Northcutt

Voter Comments:
 LeBlanc> There is insufficient description to even know what this is. Lots of component services related to NetBIOS run, and usually do not constitute a problem.
 Frech> associated to:
   XF:nt-alerter(29)
   XF:nt-messenger(69)
   XF:reg-ras-gateway-enabled(2567)

======================================================
Name: CVE-1999-0622
Status: Candidate
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-1999-0622
Phase: Modified (20080731)
Category: SA

** REJECT ** DO NOT USE THIS CANDIDATE NUMBER.
ConsultIDs: None.
Reason: this candidate is solely about a configuration that does not directly introduce security vulnerabilities, so it is more appropriate to cover under the Common Configuration Enumeration (CCE).
Notes: the former description is: "A component service related to DNS service is running."

Current Votes:
   ACCEPT(2) Baker, Wall
   REJECT(1) Northcutt

======================================================
Name: CVE-1999-0623
Status: Candidate
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-1999-0623
Phase: Modified (20080731)
Category: SA

** REJECT ** DO NOT USE THIS CANDIDATE NUMBER.
ConsultIDs: None.
Reason: this candidate is solely about a configuration that does not directly introduce security vulnerabilities, so it is more appropriate to cover under the Common Configuration Enumeration (CCE).
Notes: the former description is: "The X Windows service is running."

Current Votes:
   ACCEPT(2) Baker, Wall
   NOOP(1) Christey
   REJECT(1) Northcutt

Voter Comments:
 Christey> Add "X11" to facilitate search.

======================================================
Name: CVE-1999-0624
Status: Candidate
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-1999-0624
Phase: Interim (19990925)
Category: SA
Reference: XF:rstat-out
Reference: XF:rstatd

The rstat/rstatd service is running.
Current Votes:
   ACCEPT(3) Baker, Northcutt, Ozancin
   MODIFY(1) Frech
   NOOP(2) Meunier, Wall

Voter Comments:
 Frech> XF:rstat-out
   XF:rstatd

======================================================
Name: CVE-1999-0625
Status: Candidate
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-1999-0625
Phase: Proposed (19990721)
Category: SA

The rpc.rquotad service is running.

Current Votes:
   ACCEPT(3) Baker, Northcutt, Ozancin
   MODIFY(1) Frech
   NOOP(1) Wall

Voter Comments:
 Frech> XF:rquotad

======================================================
Name: CVE-1999-0629
Status: Candidate
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-1999-0629
Phase: Proposed (19990721)
Category: SA

The ident/identd service is running.

Current Votes:
   ACCEPT(2) Baker, Ozancin
   MODIFY(1) Frech
   NOOP(2) Christey, Wall
   REJECT(1) Northcutt

Voter Comments:
 Frech> possibly XF:identd?
 Christey> XF:ident-users(318) ?
 CHANGE> [Frech changed vote from REVIEWING to MODIFY]
 Frech> XF:identd-vuln(61)
   XF:ident-users(318)

======================================================
Name: CVE-1999-0630
Status: Candidate
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-1999-0630
Phase: Proposed (19990804)
Category: SA

The NT Alerter and Messenger services are running.

Current Votes:
   ACCEPT(2) Baker, Wall
   NOOP(1) Christey
   REJECT(1) Northcutt

Voter Comments:
 Christey> http://support.microsoft.com/support/kb/articles/q189/2/71.asp

======================================================
Name: CVE-1999-0631
Status: Candidate
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-1999-0631
Phase: Modified (20080731)
Category: SA

** REJECT ** DO NOT USE THIS CANDIDATE NUMBER.
ConsultIDs: None.
Reason: this candidate is solely about a configuration that does not directly introduce security vulnerabilities, so it is more appropriate to cover under the Common Configuration Enumeration (CCE).
Notes: the former description is: "The NFS service is running."
Current Votes:
   ACCEPT(2) Baker, Wall
   NOOP(1) Christey
   REJECT(1) Northcutt

Voter Comments:
 Christey> XF:nfs-nfsd(76) ?
 Christey> Add rpc.mountd/mountd to facilitate search.

======================================================
Name: CVE-1999-0632
Status: Candidate
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-1999-0632
Phase: Proposed (19990804)
Category: SA

The RPC portmapper service is running.

Current Votes:
   ACCEPT(2) Baker, Wall
   REJECT(1) Northcutt

======================================================
Name: CVE-1999-0633
Status: Candidate
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-1999-0633
Phase: Modified (20080731)
Category: SA

** REJECT ** DO NOT USE THIS CANDIDATE NUMBER.
ConsultIDs: None.
Reason: this candidate is solely about a configuration that does not directly introduce security vulnerabilities, so it is more appropriate to cover under the Common Configuration Enumeration (CCE).
Notes: the former description is: "The HTTP/WWW service is running."

Current Votes:
   ACCEPT(2) Baker, Wall
   REJECT(1) Northcutt

======================================================
Name: CVE-1999-0634
Status: Candidate
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-1999-0634
Phase: Modified (20080731)
Category: SA

** REJECT ** DO NOT USE THIS CANDIDATE NUMBER.
ConsultIDs: None.
Reason: this candidate is solely about a configuration that does not directly introduce security vulnerabilities, so it is more appropriate to cover under the Common Configuration Enumeration (CCE).
Notes: the former description is: "The SSH service is running."
Current Votes:
   ACCEPT(2) Baker, Wall
   REJECT(1) Northcutt

======================================================
Name: CVE-1999-0635
Status: Candidate
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-1999-0635
Phase: Modified (20060122)
Category: SA
Reference: FULLDISC:20060116 ACT P202S VoIP wireless phone multiple undocumented ports/services
Reference: URL:http://lists.grok.org.uk/pipermail/full-disclosure/2006-January/041434.html
Reference: SECUNIA:18514
Reference: URL:http://secunia.com/advisories/18514

The echo service is running.

Current Votes:
   ACCEPT(3) Baker, Northcutt, Wall
   REVIEWING(1) Christey

Voter Comments:
 Northcutt> The method to my madness is echo is the common denom in the dos attack
 Christey> How much of this is an overlap with the echo/chargen flood problem (CVE-1999-0103)? If this is only an exposure because of CVE-1999-0103, then maybe this should be REJECTed.

======================================================
Name: CVE-1999-0636
Status: Candidate
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-1999-0636
Phase: Proposed (19990804)
Category: SA

The discard service is running.

Current Votes:
   ACCEPT(1) Baker
   NOOP(1) Wall
   REJECT(1) Northcutt

======================================================
Name: CVE-1999-0637
Status: Candidate
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-1999-0637
Phase: Proposed (19990804)
Category: SA

The systat service is running.

Current Votes:
   ACCEPT(2) Baker, Wall
   REJECT(1) Northcutt

======================================================
Name: CVE-1999-0638
Status: Candidate
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-1999-0638
Phase: Proposed (19990804)
Category: SA

The daytime service is running.
Current Votes:
   ACCEPT(1) Baker
   NOOP(1) Wall
   REJECT(1) Northcutt

======================================================
Name: CVE-1999-0639
Status: Candidate
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-1999-0639
Phase: Proposed (19990804)
Category: SA

The chargen service is running.

Current Votes:
   ACCEPT(2) Baker, Wall
   REJECT(1) Northcutt
   REVIEWING(1) Christey

Voter Comments:
 Christey> How much of this is an overlap with the echo/chargen flood problem (CVE-1999-0103)? If this is only an exposure because of CVE-1999-0103, then maybe this should be REJECTed.

======================================================
Name: CVE-1999-0640
Status: Candidate
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-1999-0640
Phase: Proposed (19990804)
Category: SA

The Gopher service is running.

Current Votes:
   ACCEPT(2) Baker, Wall
   REJECT(1) Northcutt

======================================================
Name: CVE-1999-0641
Status: Candidate
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-1999-0641
Phase: Proposed (19990804)
Category: SA

The UUCP service is running.

Current Votes:
   ACCEPT(2) Baker, Wall
   REJECT(1) Northcutt

======================================================
Name: CVE-1999-0642
Status: Candidate
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-1999-0642
Phase: Modified (20080731)
Category: SA

** REJECT ** DO NOT USE THIS CANDIDATE NUMBER.
ConsultIDs: None.
Reason: this candidate is solely about a configuration that does not directly introduce security vulnerabilities, so it is more appropriate to cover under the Common Configuration Enumeration (CCE).
Notes: the former description is: "A POP service is running."

Current Votes:
   ACCEPT(2) Baker, Wall
   REJECT(1) Northcutt

======================================================
Name: CVE-1999-0643
Status: Candidate
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-1999-0643
Phase: Modified (20080731)
Category: SA,DESIGN-NO-ENCRYPTION

** REJECT ** DO NOT USE THIS CANDIDATE NUMBER.
ConsultIDs: None.
Reason: this candidate is solely about a configuration that does not directly introduce security vulnerabilities, so it is more appropriate to cover under the Common Configuration Enumeration (CCE).
Notes: the former description is: "The IMAP service is running."

Current Votes:
   ACCEPT(2) Baker, Wall
   REJECT(1) Northcutt

======================================================
Name: CVE-1999-0644
Status: Candidate
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-1999-0644
Phase: Modified (20080731)
Category: SA

** REJECT ** DO NOT USE THIS CANDIDATE NUMBER.
ConsultIDs: None.
Reason: this candidate is solely about a configuration that does not directly introduce security vulnerabilities, so it is more appropriate to cover under the Common Configuration Enumeration (CCE).
Notes: the former description is: "The NNTP news service is running."

Current Votes:
   ACCEPT(2) Baker, Wall
   NOOP(1) Christey
   REJECT(1) Northcutt

Voter Comments:
 Christey> XF:nntp-post(88) ?

======================================================
Name: CVE-1999-0645
Status: Candidate
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-1999-0645
Phase: Modified (20080731)
Category: SA

** REJECT ** DO NOT USE THIS CANDIDATE NUMBER.
ConsultIDs: None.
Reason: this candidate is solely about a configuration that does not directly introduce security vulnerabilities, so it is more appropriate to cover under the Common Configuration Enumeration (CCE).
Notes: the former description is: "The IRC service is running."

Current Votes:
   ACCEPT(2) Baker, Wall
   NOOP(1) Christey
   REJECT(1) Northcutt

Voter Comments:
 Christey> XF:irc-server(767) ?

======================================================
Name: CVE-1999-0646
Status: Candidate
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-1999-0646
Phase: Modified (20080731)
Category: SA

** REJECT ** DO NOT USE THIS CANDIDATE NUMBER.
ConsultIDs: None.
Reason: this candidate is solely about a configuration that does not directly introduce security vulnerabilities, so it is more appropriate to cover under the Common Configuration Enumeration (CCE).
Notes: the former description is: "The LDAP service is running."

Current Votes:
   ACCEPT(2) Baker, Wall
   REJECT(1) Northcutt

======================================================
Name: CVE-1999-0647
Status: Candidate
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-1999-0647
Phase: Modified (20080731)
Category: SA

** REJECT ** DO NOT USE THIS CANDIDATE NUMBER.
ConsultIDs: None.
Reason: this candidate is solely about a configuration that does not directly introduce security vulnerabilities, so it is more appropriate to cover under the Common Configuration Enumeration (CCE).
Notes: the former description is: "The bootparam (bootparamd) service is running."

Current Votes:
   ACCEPT(2) Baker, Ozancin
   MODIFY(1) Frech
   NOOP(1) Wall
   REJECT(1) Northcutt

Voter Comments:
 Frech> XF:bootp

======================================================
Name: CVE-1999-0648
Status: Candidate
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-1999-0648
Phase: Modified (20080731)
Category: SA

** REJECT ** DO NOT USE THIS CANDIDATE NUMBER.
ConsultIDs: None.
Reason: this candidate is solely about a configuration that does not directly introduce security vulnerabilities, so it is more appropriate to cover under the Common Configuration Enumeration (CCE).
Notes: the former description is: "The X25 service is running."

Current Votes:
   ACCEPT(2) Baker, Wall
   REJECT(1) Northcutt

======================================================
Name: CVE-1999-0649
Status: Candidate
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-1999-0649
Phase: Modified (20080731)
Category: SA

** REJECT ** DO NOT USE THIS CANDIDATE NUMBER.
ConsultIDs: None.
Reason: this candidate is solely about a configuration that does not directly introduce security vulnerabilities, so it is more appropriate to cover under the Common Configuration Enumeration (CCE).
Notes: the former description is: "The FSP service is running."

Current Votes:
   ACCEPT(1) Baker
   NOOP(1) Wall
   REJECT(1) Northcutt

======================================================
Name: CVE-1999-0650
Status: Candidate
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-1999-0650
Phase: Modified (20060608)
Category: SA
Reference: XF:netstat(72)

The netstat service is running, which provides sensitive information to remote attackers.

Current Votes:
   ACCEPT(2) Baker, Wall
   REJECT(1) Northcutt

======================================================
Name: CVE-1999-0651
Status: Candidate
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-1999-0651
Phase: Proposed (19990804)
Category: SA

The rsh/rlogin service is running.

Current Votes:
   ACCEPT(2) Baker, Wall
   MODIFY(1) Frech
   NOOP(1) Christey
   REJECT(1) Northcutt

Voter Comments:
 Christey> aka "shell" on UNIX systems (at least Solaris) in the /etc/inetd.conf file.
 Frech> associated to:
   XF:nt-rlogin(92)
   XF:rsh-svc(114)
   XF:rshd(2995)

======================================================
Name: CVE-1999-0652
Status: Candidate
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-1999-0652
Phase: Modified (20080731)
Category: SA

** REJECT ** DO NOT USE THIS CANDIDATE NUMBER.
ConsultIDs: None.
Reason: this candidate is solely about a configuration that does not directly introduce security vulnerabilities, so it is more appropriate to cover under the Common Configuration Enumeration (CCE).
Notes: the former description is: "A database service is running, e.g. a SQL server, Oracle, or mySQL."
Current Votes:
   ACCEPT(1) Baker
   MODIFY(1) Frech
   NOOP(1) Wall
   REJECT(1) Northcutt

Voter Comments:
 Frech> XF:nt-sql-server(1289)
   XF:msql-detect(2211)
   XF:oracle-detect(2388)
   XF:sybase-detect-namedpipes(1461)

======================================================
Name: CVE-1999-0653
Status: Candidate
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-1999-0653
Phase: Proposed (19990804)
Category: SA

A component service related to NIS+ is running.

Current Votes:
   ACCEPT(2) Baker, Wall
   REJECT(1) Northcutt

======================================================
Name: CVE-1999-0654
Status: Candidate
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-1999-0654
Phase: Proposed (19990728)
Category: SA

The OS/2 or POSIX subsystem in NT is enabled.

Current Votes:
   ACCEPT(1) Wall
   MODIFY(1) Frech
   NOOP(2) Baker, Christey
   REJECT(1) Northcutt

Voter Comments:
 Wall> These subsystems could still allow a process to persist across logins.
 Frech> XF:nt-posix(217)
   XF:nt-posix-sub-c2(2397)
   XF:nt-posix-sub-onceonly(2478)
   XF:nt-os2-sub(218)
   XF:nt-os2-sub-c2(2396)
   XF:nt-os2-sub-onceonly(2477)
   XF:nt-os2-registry(2550)
 Christey> s2-file-os2(1865)

======================================================
Name: CVE-1999-0655
Status: Candidate
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-1999-0655
Phase: Modified (20080731)
Category: SA

** REJECT ** DO NOT USE THIS CANDIDATE NUMBER.
ConsultIDs: None.
Reason: this candidate is not about any specific product, protocol, or design, so it is out of scope of CVE.
Notes: the former description is: "A service may include useful information in its banner or help function (such as the name and version), making it useful for information gathering activities."
Current Votes:
   ACCEPT(5) Baker, Frech, Northcutt, Ozancin, Wall

Voter Comments:
 CHANGE> [Frech changed vote from REVIEWING to ACCEPT]

======================================================
Name: CVE-1999-0656
Status: Candidate
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-1999-0656
Phase: Modified (20080731)
Category: SA
Reference: MISC:http://ca.com/au/securityadvisor/vulninfo/Vuln.aspx?ID=1638
Reference: XF:linux-ugidd(348)
Reference: URL:http://xforce.iss.net/xforce/xfdb/348

The ugidd RPC interface, by design, allows remote attackers to enumerate valid usernames by specifying arbitrary UIDs that ugidd maps to local user and group names.

Current Votes:
   ACCEPT(1) Baker
   NOOP(1) Wall
   REJECT(1) Northcutt

======================================================
Name: CVE-1999-0657
Status: Candidate
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-1999-0657
Phase: Proposed (19990804)
Category: SA

WinGate is being used.

Current Votes:
   ACCEPT(1) Baker
   NOOP(1) Wall
   REJECT(1) Northcutt

======================================================
Name: CVE-1999-0658
Status: Candidate
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-1999-0658
Phase: Modified (20080731)
Category: SA

** REJECT ** DO NOT USE THIS CANDIDATE NUMBER.
ConsultIDs: None.
Reason: this candidate is solely about a configuration that does not directly introduce security vulnerabilities, so it is more appropriate to cover under the Common Configuration Enumeration (CCE).
Notes: the former description is: "DCOM is running."

Current Votes:
   ACCEPT(2) Baker, Wall
   REJECT(1) Northcutt

======================================================
Name: CVE-1999-0659
Status: Candidate
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-1999-0659
Phase: Modified (20080731)
Category: SA

** REJECT ** DO NOT USE THIS CANDIDATE NUMBER.
ConsultIDs: None.
Reason: this candidate is solely about a configuration that does not directly introduce security vulnerabilities, so it is more appropriate to cover under the Common Configuration Enumeration (CCE). Notes: the former description is: "A Windows NT Primary Domain Controller (PDC) or Backup Domain Controller (BDC) is present." Current Votes: REJECT(3) Baker, Northcutt, Wall Voter Comments: Wall> Don't consider this a service or a problem. Baker> concur with wall on this ====================================================== Name: CVE-1999-0660 Status: Candidate URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-1999-0660 Phase: Modified (20080730) Category: MP ** REJECT ** DO NOT USE THIS CANDIDATE NUMBER. ConsultIDs: None. Reason: this candidate is not about any specific product, protocol, or design, so it is out of scope of CVE. It might be more appropriate to cover under the Common Configuration Enumeration (CCE). Notes: the former description is: "A hacker utility, back door, or Trojan Horse is installed on a system, e.g. NetBus, Back Orifice, Rootkit, etc." Current Votes: ACCEPT(4) Baker, Hill, Northcutt, Wall NOOP(1) Christey Voter Comments: Christey> Add "back door" to description. 
======================================================
Name: CVE-1999-0661
Status: Candidate
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-1999-0661
Phase: Modified (20050529)
Category: MP
Reference: CERT:CA-1994-07
Reference: URL:http://www.cert.org/advisories/CA-1994-07.html
Reference: CERT:CA-1994-14
Reference: URL:http://www.cert.org/advisories/CA-1994-14.html
Reference: CERT:CA-1999-01
Reference: URL:http://www.cert.org/advisories/CA-1999-01.html
Reference: CERT:CA-1999-02
Reference: URL:http://www.cert.org/advisories/CA-1999-02.html
Reference: CERT:CA-2002-28
Reference: URL:http://www.cert.org/advisories/CA-2002-28.html
Reference: BUGTRAQ:20020801 trojan horse in recent openssh (version 3.4 portable 1)
Reference: URL:http://marc.theaimsgroup.com/?l=bugtraq&m=102820843403741&w=2
Reference: BUGTRAQ:20020801 OpenSSH Security Advisory: Trojaned Distribution Files
Reference: URL:http://marc.theaimsgroup.com/?l=bugtraq&m=102821663814127&w=2
Reference: BUGTRAQ:20021009 Re: CERT Advisory CA-2002-28 Trojan Horse Sendmail
Reference: URL:http://online.securityfocus.com/archive/1/294539
Reference: BID:5921
Reference: URL:http://www.securityfocus.com/bid/5921
Reference: XF:sendmail-backdoor(10313)
Reference: URL:http://www.iss.net/security_center/static/10313.php

A system is running a version of software that was replaced with a Trojan Horse at one of its distribution points, such as (1) TCP Wrappers 7.6, (2) util-linux 2.9g, (3) wuarchive ftpd (wuftpd) 2.2 and 2.1f, (4) IRC client (ircII) ircII 2.2.9, (5) OpenSSH 3.4p1, or (6) Sendmail 8.12.6.

Current Votes:
   ACCEPT(4) Baker, Hill, Northcutt, Wall
   REVIEWING(1) Christey

Voter Comments:
 Christey> Should add the specific CERT advisory references for well-known Trojaned software.
   TCP Wrappers -> CERT:CA-1999-01
   CERT:CA-1999-02 includes util-linux
   wuarchive - CERT:CA-94.07
   IRC client - CERT:CA-1994-14
 Christey> BUGTRAQ:20020801 trojan horse in recent openssh (version 3.4 portable 1)
   Modify description to use dot notation.
 Christey> CERT:CA-2002-24
   URL:http://www.cert.org/advisories/CA-2002-24.html
   XF:openssh-backdoor(9763)
   URL:http://www.iss.net/security_center/static/9763.php
   BID:5374
   URL:http://www.securityfocus.com/bid/5374
 CHANGE> [Christey changed vote from NOOP to REVIEWING]
 Christey> Add libpcap and tcpdump:
   BUGTRAQ:20021113 Latest libpcap & tcpdump sources from tcpdump.org contain a trojan
   URL:http://marc.theaimsgroup.com/?l=bugtraq&m=103722456708471&w=2
   CERT:CA-2002-30
   URL:http://www.cert.org/advisories/CA-2002-30.html
   This CAN has been active for over 4 years. At this moment, my thinking is that we should SPLIT this CAN into each separate trojaned product, then create some criteria that restrict creation of new CANs to "widespread" or "important" products only.

======================================================
Name: CVE-1999-0662
Status: Candidate
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-1999-0662
Phase: Proposed (19990804)
Category: AN

A system-critical program or library does not have the appropriate patch, hotfix, or service pack installed, or is outdated or obsolete.

Current Votes:
   ACCEPT(4) Baker, Hill, Northcutt, Wall

======================================================
Name: CVE-1999-0663
Status: Candidate
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-1999-0663
Phase: Proposed (19990804)
Category: AN

A system-critical program, library, or file has a checksum or other integrity measurement that indicates that it has been modified.

Current Votes:
   ACCEPT(3) Baker, Hill, Wall
   RECAST(1) Northcutt

Voter Comments:
 Northcutt> This needs to be worded carefully.
   1. Rootkits evade checksum detection.
   2. The modification could be positive (a patch)

======================================================
Name: CVE-1999-0664
Status: Candidate
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-1999-0664
Phase: Proposed (19990803)
Category: CF

An application-critical Windows NT registry key has inappropriate permissions.

Current Votes:
   ACCEPT(1) Wall
   NOOP(1) Baker
   RECAST(2) Christey, Northcutt

Voter Comments:
 Northcutt> I think we can define appropriate, take a look at the nt security .pdf and see if you can't see a way to phrase specific keys in a way that defines inappropriate.
 Christey> Upon further reflection, this is too high-level for CVE. Specific registry keys with bad permissions is roughly equivalent to Unix configuration files that have bad permissions; those permission problems can be created by any vendor, not just a specific one. Therefore this candidate should be RECAST into each separate registry key that has this problem.

======================================================
Name: CVE-1999-0665
Status: Candidate
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-1999-0665
Phase: Proposed (19990803)
Category: CF

An application-critical Windows NT registry key has an inappropriate value.

Current Votes:
   ACCEPT(1) Wall
   NOOP(1) Baker
   RECAST(1) Northcutt

Voter Comments:
 Northcutt> I think we can define appropriate, take a look at the nt security .pdf and see if you can't see a way to phrase specific keys in a way that defines inappropriate.
 Baker> very vague

======================================================
Name: CVE-1999-0667
Status: Candidate
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-1999-0667
Phase: Proposed (19991222)
Category: SF

The ARP protocol allows any host to spoof ARP replies and poison the ARP cache to conduct IP address spoofing or a denial of service.
Current Votes:
   ACCEPT(2) Blake, Cole
   MODIFY(1) Stracener
   NOOP(2) Baker, Christey
   REJECT(1) Frech

Voter Comments:
 Stracener> Add Ref: BUGTRAQ:19970919 Playing redir games with ARP and ICMP
 Frech> Cannot proceed without a reference. Too vague, and resembles XF:netbsd-arp:
   CVE-1999-0763: NetBSD on a multi-homed host allows ARP packets on one network to modify ARP entries on another connected network.
   CVE-1999-0764: NetBSD allows ARP packets to overwrite static ARP entries.
   Will reconsider if reference provides enough information to render a distinction.
 Christey> This particular vulnerability was exploited by an attacker during the ID'Net IDS test network exercise at the SANS Network Security '99 conference. The attacker adapted a publicly available program that was able to spoof another machine on the same physical network.
   See http://marc.theaimsgroup.com/?l=bugtraq&m=87602880019797&w=2 for the Bugtraq reference that Tom Stracener suggested. This generated a long thread on Bugtraq in 1997.
 Blake> I'll second Tom's request to add the reference, it's a very good posting and the vulnerability is clearly derivative of the work. (I do recall talking to the guy and drafting a description.)

======================================================
Name: CVE-1999-0669
Status: Candidate
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-1999-0669
Phase: Interim (19991229)
Category: SF
Reference: MS:MS99-032
Reference: CIAC:J-064
Reference: URL:http://ciac.llnl.gov/ciac/bulletins/j-064.shtml
Reference: XF:ms-scriptlet-eyedog-unsafe
Reference: MSKB:Q240308

The Eyedog ActiveX control is marked as "safe for scripting" for Internet Explorer, which allows a remote attacker to execute arbitrary commands as demonstrated by Bubbleboy.

Current Votes:
   ACCEPT(5) Baker, Cole, Ozancin, Prosser, Wall
   MODIFY(2) Frech, Stracener
   REVIEWING(1) Christey

Voter Comments:
 Frech> XF:ms-scriptlet-eyedog-unsafe
 Stracener> Add Ref: MSKB Q240308
 Christey> Should CVE-1999-0669 and 668 be merged? If not, then this is a reason for not merging CVE-1999-0988 and CVE-1999-0828.

======================================================
Name: CVE-1999-0670
Status: Candidate
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-1999-0670
Phase: Proposed (19991208)
Category: SF
Reference: MS:MS99-032
Reference: URL:http://www.microsoft.com/technet/security/bulletin/ms99-032.asp
Reference: CIAC:J-064
Reference: URL:http://ciac.llnl.gov/ciac/bulletins/j-064.shtml

Buffer overflow in the Eyedog ActiveX control allows a remote attacker to execute arbitrary commands.

Current Votes:
   ACCEPT(3) Ozancin, Prosser, Wall
   MODIFY(2) Frech, Stracener
   REJECT(2) Baker, Cole

Voter Comments:
 Frech> XF:ie-eyedog-bo
 Cole> Based on the references and information listed this is the same as CVE-1999-0669
 Stracener> Add Ref: MSKB Q240308
 Baker> Duplicate

======================================================
Name: CVE-1999-0673
Status: Candidate
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-1999-0673
Phase: Proposed (19991222)
Category: SF
Reference: BID:574
Reference: URL:http://www.securityfocus.com/bid/574

Buffer overflow in ALMail32 POP3 client via From: or To: headers.

Current Votes:
   ACCEPT(6) Baker, Blake, Cole, Collins, Levy, Wall
   MODIFY(2) Frech, Stracener
   NOOP(3) Armstrong, Landfield, Oliver
   REVIEWING(1) Ozancin

Voter Comments:
 Stracener> AddRef: ShadowPenguinSecurity:PenguinToolbox,No.037
 Frech> XF:almail-bo
 CHANGE> [Cole changed vote from NOOP to ACCEPT]

======================================================
Name: CVE-1999-0677
Status: Candidate
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-1999-0677
Phase: Modified (19991228-01)
Category: CF
Reference: BUGTRAQ:19990802 [LoWNOISE] Password hunting with webramp
Reference: BID:577
Reference: URL:http://www.securityfocus.com/bid/577

The WebRamp web administration utility has a default password.
Current Votes:
   ACCEPT(3) Baker, Blake, Stracener
   MODIFY(2) Cole, Frech
   NOOP(2) Armstrong, Christey

Voter Comments:
 Cole> I would add that it is not forced to be changed.
 Frech> XF:webramp-default-password
 Christey> This problem may have been detected in January 1999:
   BUGTRAQ:19990121 Re: WebRamp M3 remote network access bug
   http://marc.theaimsgroup.com/?l=bugtraq&m=91702375402055&w=2

======================================================
Name: CVE-1999-0684
Status: Candidate
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-1999-0684
Phase: Proposed (19991214)
Category: SF
Reference: HP:HPSBUX9904-097

Denial of service in Sendmail 8.8.6 in HPUX.

Current Votes:
   ACCEPT(2) Blake, Cole
   MODIFY(3) Frech, Prosser, Stracener
   NOOP(1) Baker
   REJECT(1) Christey

Voter Comments:
 Stracener> Add Ref: CIAC: J-040
 Prosser> Might change description to indicate DoS caused by multiple connections
 Christey> Andre's right. This is a duplicate of CVE-1999-0684.
 Frech> Without further information and/or references, this issue looks like an ambiguous version of CVE-1999-0478: Denial of service in HP-UX sendmail 8.8.6 related to accepting connections. (was REJECT)
   XF:hp-sendmail-connect-dos

======================================================
Name: CVE-1999-0698
Status: Candidate
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-1999-0698
Phase: Proposed (19991222)
Category: SF

Denial of service in IP protocol logger (ippl) on Red Hat and Debian Linux.

Current Votes:
   ACCEPT(6) Armstrong, Baker, Blake, Cole, Collins, Ozancin
   MODIFY(1) Frech
   NOOP(4) Landfield, Levy, Stracener, Wall
   REJECT(1) Christey

Voter Comments:
 Stracener> Is the candidate referring to the denial of service problem mentioned in the changelogs for versions previous to 1.4.3-1 or does it pertain to some problem with or 1.4.8-1?
 Frech> Depending on the version, this could be any number of DoSes related to ippl. From http://www.larve.net/ippl/:
   9 April 1999: version 1.4.3 released, correctly fixing a potential denial of service attack.
   7 April 1999: version 1.4.2 released, fixing a potential denial of service attack.
   XF:linux-ippl-dos
 Christey> Changelog: http://pltplp.net/ippl/docs/HISTORY
   See comments for version 1.4.2 and 1.4.3
   Another source: http://freshmeat.net/news/1999/04/08/923586598.html
 CHANGE> [Stracener changed vote from REVIEWING to NOOP]
 CHANGE> [Christey changed vote from NOOP to REJECT]
 Christey> As mentioned by others, this could apply to several different versions. Since the description is too vague, this CAN should be REJECTED and recast into other candidates.

======================================================
Name: CVE-1999-0712
Status: Candidate
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-1999-0712
Phase: Proposed (19991214)
Category: SF
Reference: CALDERA:CSSA-1999:009
Reference: XF:linux-coas

A vulnerability in Caldera Open Administration System (COAS) allows the /etc/shadow password file to be made world-readable.

Current Votes:
   ACCEPT(4) Baker, Cole, Frech, Stracener
   MODIFY(1) Blake
   NOOP(1) Armstrong
   REVIEWING(1) Christey

Voter Comments:
 Blake> This obscurely-written advisory seems to state that COAS will make the file world-readable, not that it allows the user to make it so. I hardly think that allowing the user to turn off security is a vulnerability.
 Christey> It's difficult to write the description based on what's in the advisory. If COAS inadvertently changes permissions without user confirmation, then it should be ACCEPTed with appropriate modification to the description.
 Christey> ADDREF BID:137
 CHANGE> [Armstrong changed vote from REVIEWING to NOOP]

======================================================
Name: CVE-1999-0736
Status: Candidate
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-1999-0736
Phase: Modified (20061101)
Category: SF
Reference: L0PHT:May7,1999
Reference: MS:MS99-013
Reference: URL:http://www.microsoft.com/technet/security/bulletin/ms99-013.asp
Reference: MSKB:Q232449
Reference: MSKB:Q231368
Reference: OVAL:oval:org.mitre.oval:def:932
Reference: URL:http://oval.mitre.org/repository/data/getDef?id=oval:org.mitre.oval:def:932

The showcode.asp sample file in IIS and Site Server allows remote attackers to read arbitrary files.

Current Votes:
   ACCEPT(4) Ozancin, Prosser, Stracener, Wall
   MODIFY(2) Cole, Frech
   NOOP(1) Baker
   REVIEWING(1) Christey

Voter Comments:
 Frech> XF:iis-samples-showcode
 Cole> There are several sample files that allow this. I would quote showcode.asp but make it more generic.
 Prosser> (Modify) Have a question on this and on the following three candidates as well. All of these are part of the file viewers utilities that allow unauthorized file reading, but MSKB Q231368 also mentioned the diagnostics program, Winmsdp.exe, as another vulnerable viewer in this same set of viewers. If we are going to split out the separate viewer tools then shouldn't there be a separate CAN for Winmsdp.exe also.
 Christey> Mike's question basically touches on the CD:SF-EXEC content decision - what do you do when you have the same bug in multiple executables? CD:SF-EXEC needs to be reviewed and approved by the Editorial Board before we can decide what to do with this candidate.
 Christey> Mark Burnett says that Microsoft's mention of winmsdp.exe in MSKB:Q231368 may be an error, and that winmsdp.exe is a Microsoft Diagnostics Report Generator which may not even be installed as part of IIS.
   Also see http://www.securityfocus.com/focus/microsoft/iis/showcode.html
 Christey> ADDREF BID:167
   URL:http://www.securityfocus.com/vdb/bottom.html?vid=167
 Christey> MISC:http://p.ulh.as/xploitsdb/NT/iis38.html covers a showcode.asp directory traversal vulnerability and refers to the L0pht advisory.
   Mark Burnett's article is at: MISC:http://www.securityfocus.com/infocus/1317

======================================================
Name: CVE-1999-0737
Status: Candidate
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-1999-0737
Phase: Proposed (19991208)
Category: SF
Reference: MS:MS99-013
Reference: URL:http://www.microsoft.com/technet/security/bulletin/ms99-013.asp
Reference: MSKB:Q231656

The viewcode.asp sample file in IIS and Site Server allows remote attackers to read arbitrary files.

Current Votes:
   ACCEPT(4) Ozancin, Prosser, Stracener, Wall
   MODIFY(1) Frech
   NOOP(2) Baker, Christey
   REJECT(1) Cole

Voter Comments:
 Frech> XF:iis-samples-viewcode
 Cole> I would combine this with the previous.
 Prosser> (modify) See comments in 0736 above
 Christey> See http://www.securityfocus.com/focus/microsoft/iis/showcode.html for additional details.
 Christey> Mark Burnett's article is at: MISC:http://www.securityfocus.com/infocus/1317

======================================================
Name: CVE-1999-0738
Status: Candidate
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-1999-0738
Phase: Proposed (19991208)
Category: SF
Reference: MS:MS99-013
Reference: URL:http://www.microsoft.com/technet/security/bulletin/ms99-013.asp
Reference: MSKB:Q232449
Reference: MSKB:Q231368

The code.asp sample file in IIS and Site Server allows remote attackers to read arbitrary files.
Current Votes:
   ACCEPT(4) Ozancin, Prosser, Stracener, Wall
   MODIFY(1) Frech
   NOOP(2) Baker, Christey
   REJECT(1) Cole

Voter Comments:
 Frech> XF:iis-samples-code
 Cole> Same as above
 Prosser> (modify) See comments in 0736 above
 Christey> See http://www.securityfocus.com/focus/microsoft/iis/showcode.html for additional details.
 Christey> Mark Burnett's article is at: MISC:http://www.securityfocus.com/infocus/1317

======================================================
Name: CVE-1999-0739
Status: Candidate
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-1999-0739
Phase: Proposed (19991208)
Category: SF
Reference: MS:MS99-013
Reference: URL:http://www.microsoft.com/technet/security/bulletin/ms99-013.asp
Reference: MSKB:Q232449
Reference: MSKB:Q231368

The codebrws.asp sample file in IIS and Site Server allows remote attackers to read arbitrary files.

Current Votes:
   ACCEPT(4) Ozancin, Prosser, Stracener, Wall
   MODIFY(1) Frech
   NOOP(2) Baker, Christey
   REJECT(1) Cole

Voter Comments:
 Frech> XF:iis-samples-codebrws
 Cole> Same as above.
 Prosser> (modify) See comments in 0736 above
 Christey> codebrw2.asp and Codebrw1.asp also need to be included somewhere.
   Also see http://www.securityfocus.com/focus/microsoft/iis/showcode.html
 Christey> Mark Burnett's article is at: MISC:http://www.securityfocus.com/infocus/1317

======================================================
Name: CVE-1999-0741
Status: Candidate
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-1999-0741
Phase: Proposed (19991222)
Category: SF
Reference: BUGTRAQ:19990818 QMS 2060 printer security hole
Reference: BID:593
Reference: URL:http://www.securityfocus.com/bid/593
Reference: XF:qms-2060-no-root-password

QMS CrownNet Unix Utilities for 2060 allows root to log on without a password.

Current Votes:
   ACCEPT(4) Baker, Frech, Levy, Stracener
   NOOP(2) Christey, Oliver

Voter Comments:
 Christey> change description - anyone can log on *as* root
 Frech> (Note: this XF also cataloged under CVE-1999-0508.)
======================================================
Name: CVE-1999-0748
Status: Candidate
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-1999-0748
Phase: Proposed (19991214)
Category: SF
Reference: REDHAT:RHSA-1999:017-01

Buffer overflows in Red Hat net-tools package.

Current Votes:
   ACCEPT(4) Armstrong, Baker, Cole, Stracener
   MODIFY(1) Frech
   REJECT(1) Blake

Voter Comments:
 Blake> RHSA-1999:017-01 describes "potential security problem fixed"; in the absence of knowing whether or not the problems actually existed, I don't think we have an entry here.
 Frech> XF:redhat-net-tool-bo

======================================================
Name: CVE-1999-0750
Status: Candidate
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-1999-0750
Phase: Proposed (19991222)
Category: SF
Reference: BUGTRAQ:19990913 Hotmail security vulnerability - injecting JavaScript using 'STYLE' tag
Reference: BID:630
Reference: URL:http://www.securityfocus.com/bid/630

Hotmail allows Javascript to be executed via the HTML STYLE tag, allowing remote attackers to execute commands on the user's Hotmail account.

Current Votes:
   ACCEPT(1) Levy
   MODIFY(2) Frech, Stracener
   NOOP(1) Baker

Voter Comments:
 Stracener> Many sites are vulnerable to this problem. I recommend removing the explicit references to Hotmail and making the description more generic. Suggest: Javascript can be injected using the STYLE tag in an HTML formatted e-mail, allowing remote attackers to execute commands on user accounts.
 Frech> XF:hotmail-html-style-embed

======================================================
Name: CVE-1999-0757
Status: Candidate
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-1999-0757
Phase: Proposed (20010214)
Category: SF
Reference: ALLAIRE:ASB99-08
Reference: URL:http://www.allaire.com/handlers/index.cfm?ID=10969&Method=Full
Reference: XF:coldfusion-encryption
Reference: URL:http://xforce.iss.net/static/2208.php

The ColdFusion CFCRYPT program for encrypting CFML templates has weak encryption, allowing attackers to decrypt the templates.

Current Votes:
   ACCEPT(3) Baker, Cole, Frech
   NOOP(1) Christey

Voter Comments:
 Frech> XF:coldfusion-encryption
 Christey> BUGTRAQ:19990724 Re: New Allaire Security Zone Bulletins and KB Articles
   URL:http://www.securityfocus.com/archive/1/19471
 Christey> ADDREF BID:275
   URL:http://www.securityfocus.com/bid/275

======================================================
Name: CVE-1999-0767
Status: Candidate
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-1999-0767
Phase: Proposed (19991214)
Category: SF
Reference: SUN:00189

Buffer overflow in Solaris libc, ufsrestore, and rcp via LC_MESSAGES environmental variable.

Current Votes:
   ACCEPT(4) Baker, Blake, Cole, Dik
   MODIFY(2) Frech, Stracener
   REVIEWING(2) Christey, Prosser

Voter Comments:
 Stracener> Add Ref: CIAC: J-069
 Frech> XF:sun-libc-lcmessages
 Prosser> BID 268 is an additional reference for this one as it has info on the Sun vulnerability. However, BID 268 also includes AIX in this vulnerability and refs APARS issued to fix a vulnerability in various 'nixs with the Natural Language Service environmental variables NSLPATH and PATH_LOCALE depending on the 'nix, ref CERT CA-97.10, CVE-1999-0041. However, Georgi Guninski reported a BO in AIX with LC_MESSAGES + mount, also refed in BID 268, so it is possible the AIX APARs fix an earlier, similar vulnerability to the Sun BO in LC_MESSAGES. This should probably be considered under a different CAN. Any ideas?
 Christey> Given that the buffer overflows in CVE-1999-0041 are NLSPATH and PATH_LOCALE, I'd say that's good evidence that this is not the same problem. But a buffer overflow in libc in LC_MESSAGES... We must ask if these are basically the same codebase.
   ADDREF CIAC:J-069
 Christey> While the description indicates multiple programs, CD:SF-EXEC does not apply because the vulnerability was in libc, and rcp and ufsrestore were both statically linked against libc. Thus CD:SF-LOC applies, and a single candidate is maintained because the problem occurred in a library.
 Dik> Sun bug 4240566
 Christey> I'm consulting with Casper Dik and Troy Bollinger to see if this should be combined with the AIX buffer overflows for LC_MESSAGES; current indications are that they should be split.
 Christey> For further consultation, consider this post, though it's associated with CVE-1999-0041:
   BUGTRAQ:19970213 Linux NLSPATH buffer overflow
   http://www.securityfocus.com/archive/1/6296
   Also add "NLSPATH" and "PATH_LOCALE" to the description to facilitate search.

======================================================
Name: CVE-1999-0776
Status: Candidate
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-1999-0776
Phase: Proposed (19991214)
Category: SF
Reference: NTBUGTRAQ:19990506 ".."-hole in Alibaba 2.0
Reference: URL:http://www.ntbugtraq.com/default.asp?pid=36&sid=1&A2=ind9905&L=NTBUGTRAQ&P=R1533
Reference: XF:http-alibaba-dotdot

Alibaba HTTP server allows remote attackers to read files via a .. (dot dot) attack.

Current Votes:
   ACCEPT(4) Frech, Levy, Ozancin, Stracener
   MODIFY(1) Baker
   NOOP(6) Armstrong, Blake, Cole, Landfield, LeBlanc, Wall
   REVIEWING(1) Christey

Voter Comments:
 Christey> This candidate is unconfirmed by the vendor. Posted by Arne Vidstrom.
 Blake> I'd like to change my vote on this from ACCEPT to NOOP. I did some digging and the vendor seems to have discontinued the product, so no information is available beyond Arne's post. Unless Andre has a copy in his archive and can test it, I think we have to leave it out.
 Wall> I agree with Blake. We have not seen the product and it has been discontinued.
 CHANGE> [Christey changed vote from NOOP to REVIEWING]
 Christey> If this is (or was) tested by some tool, we should ACCEPT it.
 Baker> http://www.securityfocus.com/bid/270
 Christey> BID:270
   URL:http://www.securityfocus.com/bid/270

======================================================
Name: CVE-1999-0784
Status: Candidate
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-1999-0784
Phase: Proposed (20010214)
Category: SF
Reference: NTBUGTRAQ:19980827 NERP DoS attack possible in Oracle
Reference: URL:http://archives.neohapsis.com/archives/ntbugtraq/1998/msg00536.html
Reference: BUGTRAQ:19990104 Re: Fw:"NERP" DoS attack possible in Oracle
Reference: URL:http://archives.neohapsis.com/archives/bugtraq/1999_1/0056.html
Reference: BUGTRAQ:19981228 Oracle8 TNSLSNR DoS
Reference: URL:http://archives.neohapsis.com/archives/bugtraq/1998_4/0764.html

Denial of service in Oracle TNSLSNR SQL*Net Listener via a malformed string to the listener port, aka NERP.

Current Votes:
   ACCEPT(1) Baker
   MODIFY(1) Frech
   NOOP(1) Cole

Voter Comments:
 Frech> XF:oracle-tnslsnr-dos(1551)

======================================================
Name: CVE-1999-0792
Status: Candidate
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-1999-0792
Phase: Modified (20000827)
Category: CF
Reference: MISC:http://www2.merton.ox.ac.uk/~security/rootshell/0022.html

ROUTERmate has a default SNMP community name which allows remote attackers to modify its configuration.
Current Votes:
   ACCEPT(1) Baker
   MODIFY(2) Frech, Stracener
   NOOP(1) Christey
   REVIEWING(1) Levy

Voter Comments:
 Stracener> Change the Ref to read: ROOTSHELL: Osicom Technologies ROUTERmate Security Advisory
 Frech> XF:routermate-snmp-community
 Christey> BUGTRAQ:19980914 [rootshell] Security Bulletin #23
   URL:http://marc.theaimsgroup.com/?l=bugtraq&m=90581019105693&w=2

======================================================
Name: CVE-1999-0795
Status: Candidate
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-1999-0795
Phase: Proposed (19991222)
Category: SF
Reference: NAI:NAI-27

The NIS+ rpc.nisd server allows remote attackers to execute certain RPC calls without authentication to obtain system information, disable logging, or modify caches.

Current Votes:
   ACCEPT(2) Baker, Stracener
   MODIFY(1) Frech
   NOOP(1) Ozancin

Voter Comments:
 Frech> XF:sun-nisplus

======================================================
Name: CVE-1999-0798
Status: Candidate
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-1999-0798
Phase: Proposed (19991222)
Category: SF
Reference: BUGTRAQ:19981204 bootpd remote vulnerability
Reference: URL:http://marc.theaimsgroup.com/?l=bugtraq&m=91278867118128&w=2

Buffer overflow in bootpd on OpenBSD, FreeBSD, and Linux systems via a malformed header type.

Current Votes:
   ACCEPT(3) Baker, Ozancin, Stracener
   MODIFY(1) Frech
   NOOP(1) Christey

Voter Comments:
 Christey> Is CVE-1999-0389 a duplicate of CVE-1999-0798? CVE-1999-0389 has January 1999 dates associated with it, while CVE-1999-0798 was reported in late December.
   http://marc.theaimsgroup.com/?l=bugtraq&m=91278867118128&w=2
   SCO appears to have acknowledged this as well:
   ftp://ftp.sco.com/SSE/security_bulletins/SB-99.01a
   The poster also claims that OpenBSD fixed this as well.
 Frech> XF:bootp-remote-bo
 Christey> Further analysis indicates that this is a duplicate of CVE-1999-0799
 CHANGE> [Christey changed vote from REJECT to NOOP]
 Christey> What was I thinking? Brian Caswell pointed out that this is *not* the same bug as CVE-1999-0799. As reported in the 1998 Bugtraq post, the bug is in bootpd.c, and is related to providing an htype value that is used as an index into an array, and exceeds the intended boundaries of that array.

======================================================
Name: CVE-1999-0805
Status: Candidate
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-1999-0805
Phase: Proposed (20010214)
Category: SF
Reference: BUGTRAQ:19990512 DoS with Netware 4.x's TTS
Reference: URL:http://archives.neohapsis.com/archives/bugtraq/1999_2/0439.html
Reference: XF:novell-tts-dos
Reference: URL:http://xforce.iss.net/static/2184.php

Novell NetWare Transaction Tracking System (TTS) in Novell 4.11 and earlier allows remote attackers to cause a denial of service via a large number of requests.

Current Votes:
   ACCEPT(2) Baker, Frech
   NOOP(2) Christey, Cole

Voter Comments:
 Christey> BID:276
   URL:http://www.securityfocus.com/vdb/bottom.html?vid=276
 Frech> XF:novell-tts-dos

======================================================
Name: CVE-1999-0808
Status: Candidate
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-1999-0808
Phase: Proposed (20010912)
Category: SF
Reference: BUGTRAQ:19980518 DHCP 1.0 and 2.0 SECURITY ALERT! (fwd)
Reference: URL:http://marc.theaimsgroup.com/?l=bugtraq&m=90221101925960&w=2
Reference: CIAC:I-053
Reference: URL:http://ciac.llnl.gov/ciac/bulletins/i-053.shtml
Reference: MISC:ftp://ftp.isc.org/isc/dhcp/dhcp-1.0-history/dhcp-1.0.0-1.0pl1.diff.gz

Multiple buffer overflows in ISC DHCP Distribution server (dhcpd) 1.0 and 2.0 allow a remote attacker to cause a denial of service (crash) and possibly execute arbitrary commands via long options.
Current Votes: ACCEPT(4) Armstrong, Cole, Foat, Stracener MODIFY(1) Frech NOOP(1) Wall Voter Comments: Frech> XF:dhcp-remote-dos(7248) ====================================================== Name: CVE-1999-0816 Status: Candidate URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-1999-0816 Phase: Modified (20000313-01) Category: SF Reference: BUGTRAQ:19980510 Security Vulnerability in Motorola CableRouters Reference: URL:http://www.netspace.org/cgi-bin/wa?A2=ind9805B&L=bugtraq&P=R1621 Reference: XF:motorola-cable-default-pass The Motorola CableRouter allows any remote user to connect to and configure the router on port 1024. Current Votes: ACCEPT(3) Baker, Cole, Stracener MODIFY(1) Frech NOOP(2) Christey, LeBlanc Voter Comments: Christey> This candidate is unconfirmed by the vendor. Frech> XF:motorola-cable-default-pass ====================================================== Name: CVE-1999-0818 Status: Candidate URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-1999-0818 Phase: Proposed (19991208) Category: SF Reference: BUGTRAQ:19991130 another hole of Solaris7 kcms_configure Reference: URL:http://www.securityfocus.com/templates/archive.pike?list=1&msg=38433B7F5A.53F4SHADOWPENGUIN@fox.nightland.net Reference: BID:831 Reference: URL:http://www.securityfocus.com/bid/831 Buffer overflow in Solaris kcms_configure via a long NETPATH environmental variable. Current Votes: ACCEPT(2) Armstrong, Stracener MODIFY(4) Cole, Dik, Frech, Prosser NOOP(1) Baker REVIEWING(1) Christey Voter Comments: Cole> This can cause code to be executed. Frech> XF:sol-kcms-conf-netpath-bo Dik> the bug has nothing to do with kcms_configure; it's a bug in libnsl.so. All set-uid executables that trigger this code path are vulnerable. Sun bug 4295834; fixed in Solaris 8. Prosser> Okay, I am confused. Based on Casper's comments and checking on the Sun patch site, I found the 4295834 bug(4295834 NETPATH security problem in libnsl) fixed in SunOS 5.4, Patch 101974-37(x86) 101973 (sparc). 
  Multiple libnsl vulnerabilities were first reported in a '98 Sun Bulletin #00172 for 5.4 up through 2.6. Was this NETPATH a problem that resurfaced in 7 (looks like in 5.4 as well) and was fixed in 8?
Christey> Need to dig up my offline email on this.
Christey> May be a duplicate of CVE-1999-0321, whose sole reference (XF:sun-kcms-configure-bo) no longer exists. Also examine BID:452 and BUGTRAQ:19981223 Merry Christmas to Sun! (Was: L0pht NFR N-Code Modules Updated) which are the same as XF:sol-kcms-conf-p-bo(3652), which could be the new name for XF:sun-kcms-configure-bo.

======================================================
Name: CVE-1999-0821
Status: Candidate
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-1999-0821
Phase: Proposed (19991208)
Category: SF
Reference: BUGTRAQ:19991130 Several FreeBSD-3.3 vulnerabilities
Reference: BID:838
Reference: URL:http://www.securityfocus.com/bid/838

FreeBSD seyon allows local users to gain privileges by providing a malicious program in the -emulator argument.

Current Votes:
  ACCEPT(2) Armstrong, Stracener
  MODIFY(1) Frech
  NOOP(2) Baker, Christey
  REJECT(1) Cole
  REVIEWING(1) Prosser

Voter Comments:
Cole> I would combine this with the previous. To me the general vulnerabilities are similar; it is just the end result that changes.
Frech> XF:freebsd-seyon-setgid
Christey> ADDREF? CALDERA:CSSA-1999-037.0

======================================================
Name: CVE-1999-0822
Status: Candidate
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-1999-0822
Phase: Proposed (19991208)
Category: SF
Reference: BUGTRAQ:19991130 serious Qpopper 3.0 vulnerability
Reference: BUGTRAQ:19991130 qpop3.0b20 and below - notes and exploit
Reference: BID:830
Reference: URL:http://www.securityfocus.com/bid/830

Buffer overflow in Qpopper (qpop) 3.0 allows remote root access via AUTH command.
Current Votes:
  ACCEPT(4) Armstrong, Baker, Cole, Stracener
  MODIFY(1) Frech
  NOOP(1) Christey
  REVIEWING(1) Prosser

Voter Comments:
Frech> XF:qpopper-auth-bo
Christey> ADDREF? DEBIAN:19991215 buffer overflow in qpopper v3.0
  ADDREF XF:qpopper-auth-bo

======================================================
Name: CVE-1999-0825
Status: Candidate
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-1999-0825
Phase: Modified (20000121-01)
Category: CF
Reference: BUGTRAQ:19991203 UnixWare read/modify users' mail
Reference: BUGTRAQ:19991215 Recent postings about SCO UnixWare 7
Reference: BUGTRAQ:19991223 FYI, SCO Security patches available.
Reference: BID:849
Reference: URL:http://www.securityfocus.com/bid/849

The default permissions for UnixWare /var/mail allow local users to read and modify other users' mail.

Current Votes:
  ACCEPT(4) Armstrong, Baker, Cole, Stracener
  MODIFY(1) Frech
  NOOP(1) Christey
  REVIEWING(1) Prosser

Voter Comments:
Frech> XF:sco-mail-permissions
Christey> ADDREF ftp://ftp.sco.com/SSE/security_bulletins/SB-99.25a

======================================================
Name: CVE-1999-0827
Status: Candidate
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-1999-0827
Phase: Proposed (19991208)
Category: SF
Reference: BUGTRAQ:19991130 Default IE 5.0 security settings allow frame spoofing

By default, Internet Explorer 5.0 and other versions enables the "Navigate sub-frames across different domains" option, which allows frame spoofing.

Current Votes:
  ACCEPT(4) Armstrong, Baker, LeBlanc, Stracener
  MODIFY(2) Cole, Frech
  REVIEWING(1) Prosser

Voter Comments:
Cole> The BID is 855. If I have the right vulnerability, this allows an attacker to access URLs of their choosing, which could lead to a compromise of private information.
Frech> XF:http-frame-spoof
  Question: Similar vulnerability to MS98-020 / CVE-1999-0869?
LeBlanc> MSRC tells me this is patched in MS00-009

======================================================
Name: CVE-1999-0828
Status: Candidate
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-1999-0828
Phase: Modified (20000121-01)
Category: unknown
Reference: BUGTRAQ:19991203 UnixWare and the dacread permission
Reference: BUGTRAQ:19991204 UnixWare pkg* command exploits
Reference: BUGTRAQ:19991223 FYI, SCO Security patches available.
Reference: BUGTRAQ:19991220 SCO OpenServer Security Status
Reference: BID:853
Reference: URL:http://www.securityfocus.com/bid/853

UnixWare pkg commands such as pkginfo, pkgcat, and pkgparam allow local users to read arbitrary files via the dacread permission.

Current Votes:
  ACCEPT(3) Armstrong, Baker, Stracener
  MODIFY(2) Cole, Frech
  REVIEWING(2) Christey, Prosser

Voter Comments:
Cole> This is BID 850.
Christey> See comments on CVE-1999-0988. Perhaps these two should be merged. ftp://ftp.sco.com/SSE/security_bulletins/SB-99.28a loosely alludes to this problem; the README for patch SSE053 effectively confirms it.
Frech> XF:sco-pkg-dacread-fileread

======================================================
Name: CVE-1999-0829
Status: Candidate
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-1999-0829
Phase: Proposed (19991208)
Category: SF
Reference: BUGTRAQ:19991201 HP Secure Web Console

HP Secure Web Console uses weak encryption.

Current Votes:
  ACCEPT(2) Armstrong, Stracener
  MODIFY(1) Frech
  NOOP(2) Baker, Cole
  REVIEWING(1) Prosser

Voter Comments:
Cole> I could not find details on this using the above references.
Frech> XF:hp-secure-console

======================================================
Name: CVE-1999-0830
Status: Candidate
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-1999-0830
Phase: Proposed (19991208)
Category: SF
Reference: BUGTRAQ:19991126 [w00giving '99 #6]: UnixWare 7's Xsco

Buffer overflow in SCO UnixWare Xsco command via a long argument.
Current Votes:
  ACCEPT(3) Armstrong, Baker, Stracener
  MODIFY(3) Cole, Frech, Prosser
  REVIEWING(1) Christey

Voter Comments:
Cole> This is BID 824 and the BUGTRAQ reference is 19991125.
Frech> XF:sco-unixware-xsco
Christey> Confirmed by vendor, albeit vaguely: http://marc.theaimsgroup.com/?l=bugtraq&m=94581379905584&w=2
Prosser> agree with Steve on vendor confirmation, however not sure the fix ref'd in BID 824 (SSE041) is right. It lists fixes for libnsl and tcpip.so, nothing about xsco. SSE050b (ftp://ftp.sco.com/SSE/security_bulletins/SB-99.26b) fixes a buffer overflow in xsco on OpenServer (the vendor message Steve refers to) but not the UnixWare vulnerability reported on Bugtraq and in BID824. Anyone more familiar with SCO shed some light on this? Are they the same codebase so fix would be same? From the SCO site it seems the UnixWare and OpenServer products are similar but have differences.
CHANGE> [Christey changed vote from NOOP to REVIEWING]
Christey> BID:824
  http://www.securityfocus.com/bid/824

======================================================
Name: CVE-1999-0840
Status: Candidate
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-1999-0840
Phase: Modified (20071022)
Category: SF
Reference: BUGTRAQ:19991129 Solaris7 dtmail/dtmailpr/mailtool Buffer Overflow
Reference: URL:http://www.security-express.com/archives/bugtraq/1999-q4/0122.html
Reference: MISC:http://www.securiteam.com/exploits/3J5QQPPQ0O.html
Reference: BID:832
Reference: URL:http://www.securityfocus.com/bid/832
Reference: MISC:http://www.securiteam.com/exploits/3J5QQPPQ0O.html
Reference: XF:solaris-dtmail-overflow(3579)
Reference: URL:http://xforce.iss.net/xforce/xfdb/3579
Reference: XF:solaris-dtmailpr-overflow(3580)
Reference: URL:http://xforce.iss.net/xforce/xfdb/3580

Buffer overflow in CDE dtmail and dtmailpr programs allows local users to gain privileges via a long -f option.
Current Votes:
  ACCEPT(4) Armstrong, Baker, Dik, Stracener
  MODIFY(1) Frech
  NOOP(1) Cole
  REVIEWING(1) Prosser

Voter Comments:
Cole> I went to 1129 and it looks like a reference for a different vulnerability.
Frech> In the description, should dtmailptr be dtmailpr?
  XF:solaris-dtmailpr-overflow
  XF:solaris-dtmail-overflow
Dik> sun bug: 4166321

======================================================
Name: CVE-1999-0841
Status: Candidate
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-1999-0841
Phase: Modified (20071022)
Category: SF
Reference: BUGTRAQ:19991129 Solaris7 dtmail/dtmailpr/mailtool Buffer Overflow
Reference: URL:http://www.security-express.com/archives/bugtraq/1999-q4/0122.html
Reference: MISC:http://www.securiteam.com/exploits/3J5QQPPQ0O.html
Reference: BID:832
Reference: URL:http://www.securityfocus.com/bid/832
Reference: MISC:http://www.securiteam.com/exploits/3J5QQPPQ0O.html
Reference: XF:cde-mailtool-bo(3732)
Reference: URL:http://xforce.iss.net/xforce/xfdb/3732

Buffer overflow in CDE mailtool allows local users to gain root privileges via a long MIME Content-Type.

Current Votes:
  ACCEPT(5) Armstrong, Baker, Cole, Dik, Stracener
  MODIFY(1) Frech
  REVIEWING(1) Prosser

Voter Comments:
Frech> XF:cde-mailtool-bo
Dik> bug 4163471 (Root access is only possible when mail is sent to root and he uses dtmail to read it)

======================================================
Name: CVE-1999-0843
Status: Candidate
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-1999-0843
Phase: Proposed (19991208)
Category: SF
Reference: BUGTRAQ:19991104 Cisco NAT DoS (VD#1)
Reference: BUGTRAQ:19991128 Re: Cisco NAT DoS (VD#1)

Denial of service in Cisco routers running NAT via a PORT command from an FTP client to a Telnet port.
Current Votes:
  ACCEPT(3) Balinsky, Cole, Stracener
  MODIFY(1) Frech
  NOOP(2) Armstrong, Baker
  REVIEWING(3) Christey, Prosser, Ziese

Voter Comments:
Frech> XF:cisco-nat-dos
Christey> Mike Prosser's REVIEWING vote expires July 17, 2000
Ziese> After reviewing http://www.cisco.com/warp/public/707/iostelnetopt-pub.shtml I can not confirm this exists unless it's restructured to describe a problem against IOS per se; not NAT per se. I am reviewing this and it may take some time.
CHANGE> [Christey changed vote from NOOP to REVIEWING]
Christey> Not sure if Kevin's suggested reference really describes this one. However, a followup email by Jim Duncan of Cisco does acknowledge the problem as discussed in the Bugtraq post:
  http://marc.theaimsgroup.com/?l=vuln-dev&m=94385601831585&w=2
  The original post is:
  http://marc.theaimsgroup.com/?l=bugtraq&m=94184947504814&w=2
  It could be that the researcher believed that the problem was NAT, but in fact it wasn't. I need to follow up with Ziese/Balinsky on this one.

======================================================
Name: CVE-1999-0844
Status: Candidate
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-1999-0844
Phase: Proposed (19991208)
Category: SF
Reference: NTBUGTRAQ:19991124 Remote DoS Attack in WorldClient Server v2.0.0.0 Vulnerability
Reference: BUGTRAQ:19991130 Fwd: RE: Multiples Remotes DoS Attacks in MDaemon Server v2.8.5.0 Vulnerability
Reference: BID:823
Reference: URL:http://www.securityfocus.com/bid/823
Reference: BID:820
Reference: URL:http://www.securityfocus.com/bid/820

Denial of service in MDaemon WorldClient and WebConfig services via a long URL.

Current Votes:
  ACCEPT(2) Baker, Stracener
  MODIFY(2) Cole, Frech
  NOOP(1) Armstrong
  RECAST(1) Christey
  REVIEWING(1) Prosser

Voter Comments:
Cole> 823 and 820 are two different vulnerabilities and should be separated out. They are both buffer overflows but accomplish it in a different fashion and the end exploit is different.
Frech> (RECAST?)
  XF:mdaemon-worldclient-dos
  XF:mdaemon-webconfig-dos
  Recast request: This is really two services exhibiting the same problem.
Christey> as suggested by others. Also see confirmation at: http://mdaemon.deerfield.com/helpdesk/hotfix.cfm

======================================================
Name: CVE-1999-0845
Status: Candidate
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-1999-0845
Phase: Proposed (19991208)
Category: SF
Reference: BUGTRAQ:19991126 [w00giving '99 #5 and w00news]: UnixWare 7's su
Reference: SCO:99.19
Reference: BUGTRAQ:19991128 SCO su patches

Buffer overflow in SCO su program allows local users to gain root access via a long username.

Current Votes:
  ACCEPT(4) Armstrong, Cole, Prosser, Stracener
  MODIFY(1) Frech
  RECAST(1) Baker
  REVIEWING(1) Christey

Voter Comments:
Christey> DUPE CVE-1999-0317?
Frech> XF:sco-su-username-bo
Christey> ADDREF BID:826
  CONFIRM:ftp://ftp.sco.com/SSE/sse039.tar.Z

======================================================
Name: CVE-1999-0846
Status: Candidate
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-1999-0846
Phase: Proposed (19991208)
Category: SF
Reference: BUGTRAQ:19991129 MDaemon 2.7 J DoS
Reference: BUGTRAQ:19991130 Fwd: RE: Multiples Remotes DoS Attacks in MDaemon Server v2.8.5.0 Vulnerability

Denial of service in MDaemon 2.7 via a large number of connection attempts.

Current Votes:
  ACCEPT(5) Armstrong, Baker, Cole, Prosser, Stracener
  MODIFY(1) Frech
  REVIEWING(1) Christey

Voter Comments:
Frech> XF:mdaemon-dos
Christey> CVE-1999-0844 is confirmed by MDaemon at http://mdaemon.deerfield.com/helpdesk/hotfix.cfm but there is no apparent confirmation for this problem, even though it was posted the same day.
Prosser> Looks like from a follow-on message on Bugtraq from Nobuo Deerfield sent a reply about the DoS problems in MDaemon 2.8.5, that also talks about fixing the 2.7 J DoS that Nobuo initially reported. Can't find the original message, so may have been limited distro.
  Looks like an upgrade to the latest release might be the final solution here.

======================================================
Name: CVE-1999-0850
Status: Candidate
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-1999-0850
Phase: Proposed (19991208)
Category: CF
Reference: BID:845
Reference: URL:http://www.securityfocus.com/bid/845
Reference: BUGTRAQ:19991202 Insecure default permissions for MailMan Professional Edition, version 3.0.18

The default permissions for Endymion MailMan allow local users to read email or modify files.

Current Votes:
  ACCEPT(2) Cole, Stracener
  MODIFY(1) Frech
  NOOP(2) Armstrong, Baker
  REVIEWING(1) Prosser

Voter Comments:
Frech> XF:endymion-mailman-perms

======================================================
Name: CVE-1999-0852
Status: Candidate
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-1999-0852
Phase: Proposed (19991208)
Category: CF
Reference: BID:844
Reference: URL:http://www.securityfocus.com/bid/844
Reference: BUGTRAQ:19991202 WebSphere protections from installation

IBM WebSphere sets permissions that allow a local user to modify a deinstallation script or its data files stored in /usr/bin.

Current Votes:
  ACCEPT(3) Armstrong, Cole, Stracener
  MODIFY(1) Frech
  NOOP(1) Baker
  REVIEWING(1) Prosser

Voter Comments:
Frech> XF:websphere-protect

======================================================
Name: CVE-1999-0855
Status: Candidate
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-1999-0855
Phase: Proposed (19991208)
Category: SF
Reference: BID:834
Reference: URL:http://www.securityfocus.com/bid/834
Reference: BUGTRAQ:19991130 FreeBSD 3.3 gated-3.1.5 local exploit

Buffer overflow in FreeBSD gdc program.

Current Votes:
  ACCEPT(3) Armstrong, Prosser, Stracener
  MODIFY(2) Cole, Frech
  NOOP(2) Baker, Christey

Voter Comments:
Cole> The BID is 834 and the reference is 19991201 not 1130.
Frech> XF:freebsd-gdc-bo
Christey> ADDREF BID:780 ?

======================================================
Name: CVE-1999-0857
Status: Candidate
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-1999-0857
Phase: Proposed (19991208)
Category: SF
Reference: BUGTRAQ:19991130 FreeBSD 3.3 gated-3.1.5 local exploit
Reference: BID:835
Reference: URL:http://www.securityfocus.com/bid/835

FreeBSD gdc program allows local users to modify files via a symlink attack.

Current Votes:
  ACCEPT(3) Armstrong, Prosser, Stracener
  MODIFY(2) Cole, Frech
  NOOP(1) Baker

Voter Comments:
Cole> This is via debug output.
Frech> XF:freebsd-gdc

======================================================
Name: CVE-1999-0860
Status: Candidate
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-1999-0860
Phase: Proposed (19991208)
Category: SF
Reference: BUGTRAQ:19991130 Solaris 2.x chkperm/arp vulnerabilities
Reference: BID:837
Reference: URL:http://www.securityfocus.com/bid/837

Solaris chkperm allows local users to read files owned by bin via the VMSYS environmental variable and a symlink attack.

Current Votes:
  ACCEPT(2) Armstrong, Stracener
  MODIFY(2) Dik, Frech
  NOOP(2) Baker, Christey
  REJECT(1) Cole
  REVIEWING(1) Prosser

Voter Comments:
Cole> This is the same as the previous.
Frech> XF:sol-chkperm-vmsys
Dik> include reference to Sun bug 4296167
Christey> Remove BID:837, which is for arp, not chkperm

======================================================
Name: CVE-1999-0862
Status: Candidate
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-1999-0862
Phase: Proposed (19991208)
Category: CF
Reference: BUGTRAQ:19991202 PostgreSQL RPM's permission problems

Insecure directory permissions in RPM distribution for PostgreSQL allows local users to gain privileges by reading a plaintext password file.
Current Votes:
  ACCEPT(3) Armstrong, Cole, Stracener
  MODIFY(1) Frech
  NOOP(1) Baker
  REVIEWING(1) Prosser

Voter Comments:
Frech> XF:postgresql-insecure-perms

======================================================
Name: CVE-1999-0863
Status: Candidate
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-1999-0863
Phase: Proposed (19991208)
Category: SF
Reference: BUGTRAQ:19970617 Seyon vulnerability - IRIX
Reference: BUGTRAQ:19991108 FreeBSD 3.3's seyon vulnerability
Reference: BUGTRAQ:19991130 Several FreeBSD-3.3 vulnerabilities

Buffer overflow in FreeBSD seyon via HOME environmental variable, -emulator argument, -modems argument, or the GUI.

Current Votes:
  ACCEPT(4) Armstrong, Cole, Prosser, Stracener
  MODIFY(1) Frech
  NOOP(1) Baker
  REVIEWING(1) Christey

Voter Comments:
Frech> XF:freebsd-seyon-bo
Christey> ADDREF? CALDERA:CSSA-1999-037.0
Christey> May be multiple bugs here, or a single library problem. CD:SF-LOC needs to be resolved before determining if this candidate should be SPLIT. Also see CVE-1999-0821.

======================================================
Name: CVE-1999-0872
Status: Candidate
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-1999-0872
Phase: Proposed (19991214)
Category: SF
Reference: BID:759
Reference: URL:http://www.securityfocus.com/bid/759
Reference: BID:611
Reference: URL:http://www.securityfocus.com/bid/611
Reference: REDHAT:RHSA-1999:030-02

Buffer overflow in Vixie cron allows local users to gain root access via a long MAILTO environment variable in a crontab file.

Current Votes:
  MODIFY(2) Cole, Frech
  NOOP(1) Baker
  REJECT(3) Blake, Christey, Stracener

Voter Comments:
Cole> 611 is the mail to listed above but 759 is for the mail from and should be listed as a separate vulnerability.
Blake> This does not appear materially different from CVE-1999-0768
Christey> This is an apparent duplicate of CVE-1999-0768. REDHAT:RHSA-1999:030-02 describes two issues, one of which is CVE-1999-0768, and the other is CVE-1999-0769.
Stracener> This is a duplicate of candidate CVE-1999-0768.
Frech> XF:cron-sendmail-bo-root
Christey> BID:759 is improperly assigned to this candidate and doesn't even describe it. It may have been inadvertently copied from CVE-1999-0873.

======================================================
Name: CVE-1999-0882
Status: Candidate
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-1999-0882
Phase: Proposed (19991214)
Category: SF
Reference: BUGTRAQ:19991025 Falcon Web Server
Reference: BINDVIEW:Falcon Web Server

Falcon web server allows remote attackers to determine the absolute path of the web root via long file names.

Current Votes:
  ACCEPT(3) Baker, Blake, Stracener
  MODIFY(1) Frech
  NOOP(2) Armstrong, Cole

Voter Comments:
Frech> XF:falcon-server-long-filename

======================================================
Name: CVE-1999-0885
Status: Candidate
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-1999-0885
Phase: Modified (20000313-01)
Category: SF
Reference: BUGTRAQ:19991103 More Alibaba Web Server problems...
Reference: URL:http://www.securityfocus.com/templates/archive.pike?list=1&date=1999-11-01&msg=01BF261F.928821E0.kerb@fnusa.com
Reference: BID:770
Reference: URL:http://www.securityfocus.com/bid/770
Reference: XF:alibaba-url-file-manipulation

Alibaba web server allows remote attackers to execute commands via a pipe character in a malformed URL.

Current Votes:
  ACCEPT(2) Baker, Stracener
  MODIFY(1) Frech
  NOOP(5) Armstrong, Blake, Christey, Cole, LeBlanc

Voter Comments:
Christey> This candidate is unconfirmed by the vendor.
Blake> Same as CVE-1999-0776.
Frech> XF:alibaba-url-file-manipulation
Christey> CD:SF-LOC and CD:SF-EXEC may say to merge this candidate with the problems described in:
  BUGTRAQ:20000718 Multiple bugs in Alibaba 2.0
  URL:http://archives.neohapsis.com/archives/bugtraq/2000-07/0237.html
  If so, then ADDREF BID:1485 as well.
Christey> Include the names of the affected CGI's, including tst.bat, get32.exe, alibaba.pl, etc.

======================================================
Name: CVE-1999-0910
Status: Candidate
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-1999-0910
Phase: Proposed (19991208)
Category: SF
Reference: MS:MS99-035
Reference: URL:http://www.microsoft.com/technet/security/bulletin/ms99-035.asp
Reference: BID:625
Reference: URL:http://www.securityfocus.com/bid/625

Microsoft Site Server and Commercial Internet System (MCIS) do not set an expiration for a cookie, which could then be cached by a proxy and inadvertently used by a different user.

Current Votes:
  ACCEPT(4) Baker, Ozancin, Prosser, Wall
  MODIFY(2) Frech, Stracener
  REJECT(1) Cole

Voter Comments:
Frech> XF:siteserver-cis-cookie-cache
Cole> Whether cookies are a vulnerability is a debate for another time; the question here is whether the expiration feature is a vulnerability, and I do not think it is, because the underlying concerns for this are present even without this feature. The expiration feature does not add any new vulnerabilities that are not already present with cookies.
Stracener> Add Ref: MSKB Q238647

======================================================
Name: CVE-1999-0911
Status: Candidate
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-1999-0911
Phase: Modified (20050309)
Category: SF
Reference: BUGTRAQ:19990827 ProFTPD
Reference: BUGTRAQ:19990907 ProFTP-1.2.0pre4 buffer overflow -- once more
Reference: DEBIAN:19990210
Reference: URL:http://www.debian.org/security/1999/19990210
Reference: FREEBSD:FreeBSD-SA-99:03
Reference: BID:612
Reference: URL:http://www.securityfocus.com/bid/612

Buffer overflow in ProFTPD, wu-ftpd, and beroftpd allows remote attackers to gain root access via a series of MKD and CWD commands that create nested directories.
Current Votes:
  ACCEPT(5) Baker, Blake, Cole, Prosser, Stracener
  MODIFY(1) Frech
  REVIEWING(1) Christey

Voter Comments:
Frech> XF:proftpd-long-dir-bo(3399)
Christey> Not absolutely sure if this isn't the same as Palmetto (CVE-1999-0368), which describes a similar type of overflow. NETBSD:NetBSD-SA1999-003 may refer to CVE-1999-0368:
  ADDREF URL:ftp://ftp.NetBSD.ORG/pub/NetBSD/misc/security/advisories/NetBSD-SA1999-003.txt.asc
Christey> ADDREF CIAC:J-068
  Include version numbers; too many wu-ftp/etc. problems were published in summer/fall 1999

======================================================
Name: CVE-1999-0913
Status: Candidate
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-1999-0913
Phase: Proposed (19991214)
Category: SF
Reference: BUGTRAQ:19990804 NSW Dragon Fire gets drowned
Reference: URL:http://marc.theaimsgroup.com/?l=bugtraq&m=93383593909438&w=2
Reference: BID:564
Reference: URL:http://www.securityfocus.com/bid/564

dfire.cgi script in Dragon-Fire IDS allows remote users to execute commands via shell metacharacters.

Current Votes:
  ACCEPT(2) Blake, Stracener
  MODIFY(1) Frech
  NOOP(4) Armstrong, Baker, Cole, LeBlanc
  REVIEWING(1) Christey

Voter Comments:
Christey> Some voters should use ABSTAIN.
Frech> XF:dragon-fire-ids-metachar(3834)
CHANGE> [Armstrong changed vote from REVIEWING to NOOP]

======================================================
Name: CVE-1999-0919
Status: Candidate
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-1999-0919
Phase: Modified (20020226-02)
Category: SF
Reference: BUGTRAQ:19980510 Security Vulnerability in Motorola CableRouters
Reference: URL:http://www.netspace.org/cgi-bin/wa?A2=ind9805B&L=bugtraq&P=R1621
Reference: XF:motorola-cable-crash(2004)
Reference: URL:http://xforce.iss.net/static/2004.php

A memory leak in a Motorola CableRouter allows remote attackers to conduct a denial of service via a large number of telnet connections.
Current Votes:
  ACCEPT(2) Baker, Cole
  MODIFY(1) Frech
  NOOP(7) Armstrong, Christey, Landfield, LeBlanc, Ozancin, Stracener, Wall
  REVIEWING(1) Levy

Voter Comments:
Christey> This candidate is unconfirmed by the vendor.
Frech> XF:motorola-cable-crash
Christey> This has enough votes, but not the "confidence" yet (until we resolve the question of the amount of verification needed for CVE).

======================================================
Name: CVE-1999-0923
Status: Candidate
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-1999-0923
Phase: Proposed (20010214)
Category: SF
Reference: ALLAIRE:ASB99-02
Reference: URL:http://www.allaire.com/handlers/index.cfm?ID=8739&Method=Full

Sample runnable code snippets in ColdFusion Server 4.0 allow remote attackers to read files, conduct a denial of service, or use the server as a proxy for other HTTP calls.

Current Votes:
  ACCEPT(2) Baker, Cole
  MODIFY(1) Frech
  NOOP(1) Christey

Voter Comments:
Frech> XF:coldfusion-source-display(1741)
  XF:coldfusion-syntax-checker(1742)
  XF:coldfusion-file-existence(1743)
  XF:coldfusion-sourcewindow(1744)
Christey> List all affected runnable code snippets to facilitate search, which may include: viewexample.cfm (though could that be part of CVE-1999-0922?)

======================================================
Name: CVE-1999-0925
Status: Candidate
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-1999-0925
Phase: Modified (20020829-01)
Category: SF
Reference: BUGTRAQ:19980903 Web servers / possible DOS Attack / mime header flooding
Reference: URL:http://marc.theaimsgroup.com/?l=bugtraq&m=90486243124867&w=2

UnityMail allows remote attackers to conduct a denial of service via a large number of MIME headers.

Current Votes:
  ACCEPT(2) Baker, Stracener
  MODIFY(1) Frech
  NOOP(1) Christey
  REVIEWING(1) Levy

Voter Comments:
Frech> XF:unitymail-web-dos(1630)
Christey> BID:1760
  URL:http://www.securityfocus.com/bid/1760
Christey> Affected version is 2.0
  Change date of Bugtraq post - it was 1998.

======================================================
Name: CVE-1999-0926
Status: Candidate
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-1999-0926
Phase: Proposed (20010912)
Category: SF
Reference: BUGTRAQ:19990903 Web servers / possible DOS Attack / mime header flooding
Reference: URL:http://archives.neohapsis.com/archives/bugtraq/1998_3/0742.html

Apache allows remote attackers to conduct a denial of service via a large number of MIME headers.

Current Votes:
  ACCEPT(1) Cole
  MODIFY(1) Frech
  NOOP(3) Christey, Foat, Wall

Voter Comments:
Christey> BID:1760
  URL:http://www.securityfocus.com/bid/1760
Frech> XF:unitymail-web-dos(1630)

======================================================
Name: CVE-1999-0929
Status: Candidate
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-1999-0929
Phase: Interim (19991229)
Category: SF
Reference: BUGTRAQ:19990616 Novell NetWare webservers DoS

Novell NetWare with Novell-HTTP-Server or YAWN web servers allows remote attackers to conduct a denial of service via a large number of HTTP GET requests.

Current Votes:
  ACCEPT(4) Armstrong, Blake, Cole, Stracener
  MODIFY(1) Frech
  NOOP(1) Baker

Voter Comments:
Frech> XF:novell-webserver-dos(2287)

======================================================
Name: CVE-1999-0941
Status: Candidate
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-1999-0941
Phase: Proposed (19991222)
Category: SF
Reference: BUGTRAQ:19980728 mutt x.x
Reference: URL:http://marc.theaimsgroup.com/?l=bugtraq&m=90221104526154&w=2

Mutt mail client allows a remote attacker to execute commands via shell metacharacters.

Current Votes:
  ACCEPT(1) Stracener
  NOOP(2) Baker, Christey
  REJECT(1) Frech
  REVIEWING(1) Levy

Voter Comments:
Frech> References are vague, but seem to be identical to CVE-1999-0940 (XF:mutt-text-enriched-mime-bo). According to the references, the malformed messages consist of metacharacters. In addition, -0941's reference and -0940's SuSE reference both refer to fixes in 1.0pre3 release.
  Will reconsider vote if other clearer references are forthcoming.
Christey> Modify to mention that the metachar's are in the Content-Type header.
  http://marc.theaimsgroup.com/?l=bugtraq&m=90221104526154&w=2

======================================================
Name: CVE-1999-0944
Status: Candidate
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-1999-0944
Phase: Proposed (19991222)
Category: SF
Reference: BUGTRAQ:19991024 password leak in IBM WebSphere / HTTP Server / ikeyman

IBM WebSphere ikeyman tool uses weak encryption to store a password for a key database that is used for SSL connections.

Current Votes:
  ACCEPT(2) Baker, Stracener
  MODIFY(1) Frech
  NOOP(2) Bollinger, Christey
  REVIEWING(1) Levy

Voter Comments:
Frech> XF:websphere-database-pwd-accessible
Christey> ADDREF BID:1763
  URL:http://www.securityfocus.com/bid/1763

======================================================
Name: CVE-1999-0948
Status: Candidate
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-1999-0948
Phase: Proposed (19991222)
Category: SF
Reference: BID:757
Reference: URL:http://www.securityfocus.com/bid/757
Reference: BUGTRAQ:19991102 Some holes for Win/UNIX softwares

Buffer overflow in uum program for Canna input system allows local users to gain root privileges.

Current Votes:
  ACCEPT(2) Levy, Stracener
  MODIFY(1) Frech
  NOOP(2) Baker, Christey

Voter Comments:
Christey> CVE-1999-0948 and CVE-1999-0949 are extremely similar. uum (0948) is exploitable through a different set of options than canuum (0949). If it's the same generic option parsing routine used by both programs, then CD:SF-CODEBASE says to merge them. But if it's not, then CD:SF-LOC and CD:SF-EXEC say to split them. However, this is a prime example of how SF-EXEC might be modified - uum and canuum are clearly part of the same package, so in the absence of clear information, maybe we should merge them.
Frech> XF:canna-uum-bo

======================================================
Name: CVE-1999-0949
Status: Candidate
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-1999-0949
Phase: Proposed (19991222)
Category: SF
Reference: BID:757
Reference: URL:http://www.securityfocus.com/bid/757
Reference: BUGTRAQ:19991102 Some holes for Win/UNIX softwares

Buffer overflow in canuum program for Canna input system allows local users to gain root privileges.

Current Votes:
  ACCEPT(2) Levy, Stracener
  MODIFY(1) Frech
  NOOP(2) Baker, Christey

Voter Comments:
Christey> CVE-1999-0948 and CVE-1999-0949 are extremely similar. uum (0948) is exploitable through a different set of options than canuum (0949). If it's the same generic option parsing routine used by both programs, then CD:SF-CODEBASE says to merge them. But if it's not, then CD:SF-LOC and CD:SF-EXEC say to split them. However, this is a prime example of how SF-EXEC might be modified - uum and canuum are clearly part of the same package, so in the absence of clear information, maybe we should merge them. Also review BID:758 and BID:757 - may need to change the BID here.
Frech> XF:canna-uum-bo
Christey> CHANGEREF BID:757 BID:758
Christey> The following page says that canuum is a "Japanese input tty frontend for Canna using uum," which suggests that it is, at the least, a different package, so perhaps this should stay SPLIT.
  http://wuarchive.wustl.edu/mirrors/NetBSD/NetBSD-current/pkgsrc/inputmethod/canuum/README.html

======================================================
Name: CVE-1999-0952
Status: Candidate
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-1999-0952
Phase: Proposed (19991222)
Category: SF
Reference: BUGTRAQ:19990126 Buffer overflow in Solaris 2.6/2.7 /usr/bin/lpstat
Reference: URL:http://marc.theaimsgroup.com/?l=bugtraq&m=91759216618637&w=2

Buffer overflow in Solaris lpstat via class argument allows local users to gain root access.
Current Votes:
   ACCEPT(3) Baker, Ozancin, Stracener
   MODIFY(2) Dik, Frech
   REVIEWING(1) Christey

Voter Comments:
 Frech> XF:solaris-lpstat-bo
 Christey> It is unclear from Casper Dik's followup whether this is exploitable or not.
 Dik> Sunbug 4129917 (other reports in the same thread suggest that the then-current patch did fix the problem)
 Christey> Confirm with Casper Dik that the overflow is in the -c option, and if so, include it in the description to differentiate it from the lpstat -n buffer overflow.

======================================================
Name: CVE-1999-0970
Status: Candidate
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-1999-0970
Phase: Modified (20020226-01)
Category: SF
Reference: BUGTRAQ:19990605 Remote Exploit (Bug) in OmniHTTPd Web Server
Reference: URL:http://www.securityfocus.com/archive/1/14311
Reference: XF:omnihttpd-dos(2271)
Reference: URL:http://xforce.iss.net/static/2271.php
Reference: BID:1808
Reference: URL:http://www.securityfocus.com/bid/1808

The OmniHTTPD visadmin.exe program allows a remote attacker to conduct a denial of service via a malformed URL which causes a large number of temporary files to be created.

Current Votes:
   ACCEPT(3) Baker, Blake, Stracener
   MODIFY(1) Frech
   NOOP(1) Christey
   REVIEWING(1) Levy

Voter Comments:
 Frech> XF:omnihttpd-dos
 Christey> Some sort of confirmation might be findable at:
   http://www.omnicron.ab.ca/httpd/docs/release.html
 Christey> See http://www.omnicron.ab.ca/index.html
   The August 16, 2000 news item says "This release fixes some security problems." It's for version 2.07, but the discloser didn't say what version was available. Other security fixes are in the release notes at http://www.omnicron.ab.ca/httpd/docs/release.html
   Notes for Professional Version 1.01 say "Patched up two security weaknesses." Notes for version 2.07 say "Fixes dot-appending vulnerability."
   Professional Alpha 7 says "Revamped CGI launching and security," Professional Alpha 4 says "Fixed SSI path mapping and security problems," Alpha 5 says "Security fixup." In other words, you can't tell whether they've fixed this bug or not.
 Christey> BID:1808
   URL:http://www.securityfocus.com/bid/1808

======================================================
Name: CVE-1999-0983
Status: Candidate
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-1999-0983
Phase: Proposed (19991214)
Category: SF
Reference: BUGTRAQ:19991109 Whois.cgi - ADVISORY.

Whois Internic Lookup program whois.cgi allows remote attackers to execute commands via shell metacharacters in the domain entry.

Current Votes:
   ACCEPT(3) Blake, Cole, Stracener
   MODIFY(1) Frech
   NOOP(1) Baker
   REVIEWING(1) Christey

Voter Comments:
 Christey> More examination is required to determine if CVE-1999-0983, CVE-1999-0984, or CVE-1999-0985 are the same codebase.
 Frech> XF:whois-internic-shell-meta
 Christey> ADDREF BID:2000
 Christey> The XF appears to be gone. Perhaps it's this one: XF:http-cgi-whois-meta(3798)

======================================================
Name: CVE-1999-0984
Status: Candidate
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-1999-0984
Phase: Proposed (19991214)
Category: SF
Reference: BUGTRAQ:19991109 Whois.cgi - ADVISORY.

Matt's Whois program whois.cgi allows remote attackers to execute commands via shell metacharacters in the domain entry.

Current Votes:
   ACCEPT(2) Blake, Stracener
   MODIFY(1) Frech
   NOOP(2) Baker, Cole
   REVIEWING(1) Christey

Voter Comments:
 Cole> How is this different than the previous?
 Christey> More examination is required to determine if CVE-1999-0983, CVE-1999-0984, or CVE-1999-0985 are the same codebase.
 Frech> XF:matts-whois-meta
 Christey> ADDREF BID:2000
 Christey> XF reference is gone. Replace with http-cgi-matts-whois-meta(3799) ?
======================================================
Name: CVE-1999-0985
Status: Candidate
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-1999-0985
Phase: Proposed (19991214)
Category: SF
Reference: BUGTRAQ:19991109 Whois.cgi - ADVISORY.

CC Whois program whois.cgi allows remote attackers to execute commands via shell metacharacters in the domain entry.

Current Votes:
   ACCEPT(2) Blake, Stracener
   MODIFY(1) Frech
   NOOP(2) Baker, Cole
   REVIEWING(1) Christey

Voter Comments:
 Cole> I would combine all of these.
 Christey> More examination is required to determine if CVE-1999-0983, CVE-1999-0984, or CVE-1999-0985 are the same codebase.
 Frech> XF:cc-whois-meta
 Christey> ADDREF BID:2000
 Frech> Change cc-whois-meta(3800) to http-cgi-ccwhois(3747)
 Christey> Replace XF reference with XF:cc-whois-meta(3800) ?

======================================================
Name: CVE-1999-0988
Status: Candidate
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-1999-0988
Phase: Modified (20000121-01)
Category: SF
Reference: BUGTRAQ:19991204 UnixWare pkg* command exploits
Reference: BUGTRAQ:19991215 Recent postings about SCO UnixWare 7
Reference: BUGTRAQ:19991223 FYI, SCO Security patches available.
Reference: BUGTRAQ:19991220 SCO OpenServer Security Status

UnixWare pkgtrans allows local users to read arbitrary files via a symlink attack.

Current Votes:
   ACCEPT(3) Baker, Blake, Cole
   MODIFY(1) Frech
   RECAST(1) Stracener
   REVIEWING(1) Christey

Voter Comments:
 Stracener> The pkg* programs pkgtrans, pkginfo, pkgcat, pkginstall, and pkgparam can be used to mount etc/shadow printing attacks as a result of the "dacread" permission (cf. /etc/security/tcb/privs). The procedural differences between the individual exploits for each of these utilities are therefore inconsequential. CVE-1999-0988 should be merged with CVE-1999-0828.
   From the standpoint of maintaining consistency of the level of abstraction used in CVE, the co-existence of CANS 1999-0988/1999-0828 presents two choices: either merge 0988 with 0828, or split 0828 into 4 distinct candidates, keeping 0988 intact. Due to the very small differences (in principle) between the exploits subsumed by 0828 and 0988 and the shared dacread permissions of the pkg* suite, I suggest a merge. Below is a summary of the data upon which my decision was based.

   utility        exploit
   --------       ----------------------------------
   pkgtrans   --> symlink + dacread permission prob
   pkginfo    --> truss (debugging utility) in conjunction with pkginfo -d etc/shadow. In this case, it captures the interaction between pkginfo and the shadow file. Once again: dacread.
   pkgcat     --> buffer overflow + dacread permission prob
   pkginstall --> buffer overflow + dacread permission prob
   pkgparam   --> -f etc/shadow (works because of dacread).

 Christey> This is a tough one. While there are few procedural differences, one could view "assignment of an improper permission" as a "class" of problems along the lines of buffer overflows and the like. Just like some programs were fine until they got turned into CGI scripts, this could be an emerging pattern which should be given consideration. Consider the Eyedog and scriptlet.typelib ActiveX utilities being marked as safe for scripting (CVE-1999-0668 and 0669).
   ftp://ftp.sco.com/SSE/security_bulletins/SB-99.28a loosely alludes to this problem; the README for patch SSE053 effectively confirms it.
 Frech> XF:unixware-pkgtrans-symlink

======================================================
Name: CVE-1999-0990
Status: Candidate
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-1999-0990
Phase: Interim (19991229)
Category: SF
Reference: BUGTRAQ:19991205 gdm thing

Error messages generated by gdm with the VerboseAuth setting allows an attacker to identify valid users on a system.
Current Votes:
   ACCEPT(3) Blake, Cole, Stracener
   MODIFY(1) Frech
   NOOP(1) Baker

Voter Comments:
 Frech> XF:verbose-auth-identify-user(3804)

======================================================
Name: CVE-1999-0993
Status: Candidate
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-1999-0993
Phase: Proposed (19991222)
Category: unknown
Reference: NTBUGTRAQ:19991213 Changing ACL's in Exchange Server

Modifications to ACLs (Access Control Lists) in Microsoft Exchange 5.5 do not take effect until the directory store cache is refreshed.

Current Votes:
   ACCEPT(2) Stracener, Wall
   MODIFY(1) Frech
   NOOP(2) Baker, Cole
   REJECT(1) LeBlanc

Voter Comments:
 Frech> XF:exchange-acl-changes(3916)
 LeBlanc> Not a vulnerability

======================================================
Name: CVE-1999-1002
Status: Candidate
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-1999-1002
Phase: Modified (20030619-01)
Category: SF
Reference: MISC:http://www.rstcorp.com/news/bad-crypto.html
Reference: BUGTRAQ:19991216 Reinventing the wheel (aka "Decoding Netscape Mail passwords")
Reference: URL:http://marc.theaimsgroup.com/?l=bugtraq&m=94536309217214&w=2
Reference: BUGTRAQ:19991220 Netscape password scrambling
Reference: URL:http://marc.theaimsgroup.com/?l=bugtraq&m=94570673523998&w=2

Netscape Navigator uses weak encryption for storing a user's Netscape mail password.
Current Votes:
   ACCEPT(4) Baker, Cole, Stracener, Wall
   MODIFY(1) Frech
   NOOP(1) Christey

Voter Comments:
 Frech> XF:netscape-mail-encryption(3921)
 Christey> CHANGEREF make the RCA URL a "MISC" reference

======================================================
Name: CVE-1999-1003
Status: Candidate
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-1999-1003
Phase: Proposed (19991222)
Category: SF
Reference: BUGTRAQ:19991214 Local / Remote D.o.S Attack in War FTP Daemon 1.70 Vulnerability
Reference: BUGTRAQ:19991216 Statement: Local / Remote D.o.S Attack in War FTP Daemon 1.70

War FTP Daemon 1.70 allows remote attackers to cause a denial of service by flooding it with connections.

Current Votes:
   ACCEPT(3) Baker, Cole, Stracener
   MODIFY(1) Frech
   NOOP(1) Wall

Voter Comments:
 Frech> XF:warftp-connection-flood

======================================================
Name: CVE-1999-1006
Status: Candidate
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-1999-1006
Phase: Proposed (19991222)
Category: SF
Reference: BUGTRAQ:19991219 Groupewise Web Interface
Reference: URL:http://marc.theaimsgroup.com/?l=bugtraq&m=94571433731824&w=2

Groupwise web server GWWEB.EXE allows remote attackers to determine the real path of the web server via the HELP parameter.

Current Votes:
   ACCEPT(4) Baker, Cole, Prosser, Stracener
   MODIFY(1) Frech
   NOOP(2) Christey, Wall

Voter Comments:
 Frech> XF:groupwise-web-path
 Prosser> Pretty well confirmed by testing with responses to BugTraq list.
   additional ref: BugTraq ID 879
   http://www.securityfocus.com/bid/879
 Christey> A later discovery almost 2 years later is at:
   BUGTRAQ:20020227 SecurityOffice Security Advisory:// Novell GroupWise Web Access Path Disclosure Vulnerability
   http://marc.theaimsgroup.com/?l=bugtraq&m=101494830315071&w=2
   CD:SF-LOC might suggest merging these together.
======================================================
Name: CVE-1999-1009
Status: Candidate
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-1999-1009
Phase: Proposed (19991222)
Category: unknown
Reference: BUGTRAQ:19991213 Privacy hole in Go Express Search

The Disney Go Express Search allows remote attackers to access and modify search information for users by connecting to an HTTP server on the user's system.

Current Votes:
   ACCEPT(1) Baker
   MODIFY(1) Frech
   NOOP(4) Balinsky, Cole, Stracener, Wall

Voter Comments:
 Frech> XF:disney-search-info(3955)
 Balinsky> The go.express.com web site does not mention the existence of the Express web server mentioned in the advisory. There appears to be no way of verifying this.

======================================================
Name: CVE-1999-1012
Status: Candidate
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-1999-1012
Phase: Proposed (20010912)
Category:
Reference: BUGTRAQ:19990504 AS/400
Reference: URL:http://www.securityfocus.com/archive/1/13527
Reference: BID:173
Reference: URL:http://www.securityfocus.com/bid/173

SMTP component of Lotus Domino 4.6.1 on AS/400, and possibly other operating systems, allows a remote attacker to crash the mail server via a long string.
Current Votes:
   ACCEPT(1) Cole
   MODIFY(1) Frech
   NOOP(2) Foat, Wall

Voter Comments:
 Frech> (Task 1770)
 CHANGE> [Frech changed vote from REVIEWING to MODIFY]
 Frech> XF:lotus-domino-smtp-dos(8790)

======================================================
Name: CVE-1999-1013
Status: Candidate
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-1999-1013
Phase: Proposed (20010912)
Category: SF
Reference: BID:673
Reference: URL:http://www.securityfocus.com/bid/673
Reference: BUGTRAQ:19990923 named-xfer hole on AIX (fwd)
Reference: URL:http://marc.theaimsgroup.com/?l=bugtraq&m=93837026726954&w=2

named-xfer in AIX 4.1.5 and 4.2.1 allows members of the system group to overwrite system files to gain root access via the -f parameter and a malformed zone file.

Current Votes:
   MODIFY(1) Frech
   NOOP(3) Cole, Foat, Wall

Voter Comments:
 Frech> XF:aix-named-xfer-root-access(3308)

======================================================
Name: CVE-1999-1015
Status: Candidate
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-1999-1015
Phase: Proposed (20010912)
Category:
Reference: BUGTRAQ:19980408 AppleShare IP Mail Server
Reference: URL:http://marc.theaimsgroup.com/?l=bugtraq&m=89200657216213&w=2
Reference: BID:61
Reference: URL:http://www.securityfocus.com/bid/61

Buffer overflow in Apple AppleShare Mail Server 5.0.3 on MacOS 8.1 and earlier allows a remote attacker to cause a denial of service (crash) via a long HELO command.
Current Votes:
   MODIFY(1) Frech
   NOOP(3) Cole, Foat, Wall

Voter Comments:
 Frech> XF:smtp-helo-bo(886)

======================================================
Name: CVE-1999-1016
Status: Candidate
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-1999-1016
Phase: Modified (20040811)
Category: SF
Reference: NTBUGTRAQ:19990827 HTML code to crash IE5 and Outlook Express 5
Reference: URL:http://marc.theaimsgroup.com/?l=ntbugtraq&m=93578772920970&w=2
Reference: BID:606
Reference: URL:http://www.securityfocus.com/bid/606

Microsoft HTML control as used in (1) Internet Explorer 5.0, (2) FrontPage Express, (3) Outlook Express 5, and (4) Eudora, and possibly others, allows remote malicious web site or HTML emails to cause a denial of service (100% CPU consumption) via large HTML form fields such as text inputs in a table cell.

Current Votes:
   ACCEPT(2) Cole, Wall
   MODIFY(1) Frech
   NOOP(2) Christey, Foat

Voter Comments:
 Frech> XF:ms-html-table-form-dos(3246)
 Christey> Add period to the end of the description.

======================================================
Name: CVE-1999-1017
Status: Candidate
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-1999-1017
Phase: Proposed (20010912)
Category: SF
Reference: NTBUGTRAQ:19990728 Seattle Labs EMURL Vulnerability
Reference: URL:http://marc.theaimsgroup.com/?l=ntbugtraq&m=93316253431588&w=2
Reference: BID:544
Reference: URL:http://www.securityfocus.com/bid/544

Seattle Labs Emurl 2.0, and possibly earlier versions, stores e-mail attachments in a specific directory with scripting enabled, which allows a malicious ASP file attachment to execute when the recipient opens the message.
Current Votes:
   MODIFY(1) Frech
   NOOP(3) Cole, Foat, Wall

Voter Comments:
 Frech> (Task 2281)
 CHANGE> [Frech changed vote from REVIEWING to MODIFY]
 Frech> XF:emurl-attachment-execution(8794)

======================================================
Name: CVE-1999-1018
Status: Candidate
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-1999-1018
Phase: Proposed (20010912)
Category: SF
Reference: BUGTRAQ:19990727 Linux 2.2.10 ipchains Advisory
Reference: URL:http://marc.theaimsgroup.com/?l=bugtraq&m=93312523904591&w=2
Reference: BID:543
Reference: URL:http://www.securityfocus.com/bid/543

IPChains in Linux kernels 2.2.10 and earlier does not reassemble IP fragments before checking the header information, which allows a remote attacker to bypass the filtering rules using several fragments with 0 offsets.

Current Votes:
   ACCEPT(1) Cole
   MODIFY(1) Frech
   NOOP(2) Foat, Wall

Voter Comments:
 Frech> XF:linux-ipchains-bypass-filter(6516)

======================================================
Name: CVE-1999-1020
Status: Candidate
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-1999-1020
Phase: Proposed (20010912)
Category: CF
Reference: BUGTRAQ:19980918 NMRC Advisory - Default NDS Rights
Reference: URL:http://marc.theaimsgroup.com/?l=bugtraq&m=90613355902262&w=2
Reference: BID:484
Reference: URL:http://www.securityfocus.com/bid/484
Reference: XF:novell-nds(1364)
Reference: URL:http://xforce.iss.net/static/1364.php

The installation of Novell Netware NDS 5.99 provides an unauthenticated client with Read access for the tree, which allows remote attackers to access sensitive information such as users, groups, and readable objects via CX.EXE and NLIST.EXE.
Current Votes:
   ACCEPT(2) Cole, Frech
   NOOP(2) Foat, Wall

======================================================
Name: CVE-1999-1022
Status: Candidate
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-1999-1022
Phase: Proposed (20010912)
Category: SF
Reference: BUGTRAQ:19941002
Reference: URL:http://www.securityfocus.com/archive/1/930
Reference: XF:sgi-serialports(2111)
Reference: URL:http://xforce.iss.net/static/2111.php
Reference: BID:464
Reference: URL:http://www.securityfocus.com/bid/464

serial_ports administrative program in IRIX 4.x and 5.x trusts the user's PATH environmental variable to find and execute the ls program, which allows local users to gain root privileges via a Trojan horse ls program.

Current Votes:
   ACCEPT(2) Cole, Frech
   NOOP(2) Christey, Foat

Voter Comments:
 Christey> Note: CVE-1999-1310 is a duplicate of this candidate. CVE-1999-1310 will be REJECTed; this is the proper CAN to use.
   CIAC:F-01
   URL:http://ciac.llnl.gov/ciac/bulletins/f-01.shtml
   SGI:19941001-01-P
   URL:ftp://patches.sgi.com/support/free/security/advisories/19941001-01-P
   MISC:http://www.netsys.com/firewalls/firewalls-9410/0019.html

======================================================
Name: CVE-1999-1023
Status: Candidate
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-1999-1023
Phase: Proposed (20010912)
Category: SF
Reference: BUGTRAQ:19990610 Sun Useradd program expiration date bug
Reference: URL:http://marc.theaimsgroup.com/?l=bugtraq&m=92904175406756&w=2
Reference: BID:426
Reference: URL:http://www.securityfocus.com/bid/426

useradd in Solaris 7.0 does not properly interpret certain date formats as specified in the "-e" (expiration date) argument, which could allow users to login after their accounts have expired.
Current Votes:
   ACCEPT(1) Dik
   MODIFY(1) Frech
   NOOP(3) Cole, Foat, Wall

Voter Comments:
 Dik> sun bug: 4222400
 Frech> XF:solaris-useradd-expired-accounts(8375)
   CONFIRM:(2.6)110883-01, (2.6_x86) 110884-01, (7)110869-01, (7_x86) 110870-01

======================================================
Name: CVE-1999-1024
Status: Candidate
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-1999-1024
Phase: Proposed (20010912)
Category:
Reference: BUGTRAQ:19990616 tcpdump 3.4 bug?
Reference: URL:http://marc.theaimsgroup.com/?l=bugtraq&m=92955903802773&w=2
Reference: BUGTRAQ:19990617 Re: tcpdump 3.4 bug?
Reference: URL:http://marc.theaimsgroup.com/?l=bugtraq&m=92963447601748&w=2
Reference: BUGTRAQ:19990620 Re: tcpdump 3.4 bug? (final)
Reference: URL:http://marc.theaimsgroup.com/?l=bugtraq&m=92989907627051&w=2
Reference: BID:313
Reference: URL:http://www.securityfocus.com/bid/313

ip_print procedure in Tcpdump 3.4a allows remote attackers to cause a denial of service via a packet with a zero length header, which causes an infinite loop and core dump when tcpdump prints the packet.

Current Votes:
   ACCEPT(1) Cole
   MODIFY(1) Frech
   NOOP(2) Foat, Wall

Voter Comments:
 Frech> XF:tcpdump-ipprint-dos(8373)

======================================================
Name: CVE-1999-1025
Status: Candidate
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-1999-1025
Phase: Proposed (20010912)
Category: SF
Reference: BUGTRAQ:19981012 Annoying Solaris/CDE/NIS+ bug
Reference: URL:http://marc.theaimsgroup.com/?l=bugtraq&m=90831127921062&w=2
Reference: SUNBUG:4115685
Reference: URL:http://sunsolve.Sun.COM/pub-cgi/retrieve.pl?doc=fpatches%2F106027&zone_32=411568%2A%20
Reference: BID:294
Reference: URL:http://www.securityfocus.com/bid/294

CDE screen lock program (screenlock) on Solaris 2.6 does not properly lock an unprivileged user's console session when the host is an NIS+ client, which allows others with physical access to login with any string.
Current Votes:
   ACCEPT(4) Cole, Dik, Foat, Stracener
   MODIFY(1) Frech

Voter Comments:
 Frech> XF:solaris-cde-nisplus-lock(7473)
 Dik> sun bug: 4115685

======================================================
Name: CVE-1999-1026
Status: Candidate
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-1999-1026
Phase: Proposed (20010912)
Category: SF
Reference: BUGTRAQ:19961220 Solaris 2.5 x86 aspppd (semi-exploitable-hole)
Reference: URL:http://marc.theaimsgroup.com/?l=bugtraq&m=87602167420343&w=2
Reference: BID:292
Reference: URL:http://www.securityfocus.com/bid/292

aspppd on Solaris 2.5 x86 allows local users to modify arbitrary files and gain root privileges via a symlink attack on the /tmp/.asppp.fifo file.

Current Votes:
   ACCEPT(1) Cole
   MODIFY(1) Frech
   NOOP(1) Foat

Voter Comments:
 Frech> XF:sun-aspppd-tmp-symlink(7173)

======================================================
Name: CVE-1999-1029
Status: Candidate
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-1999-1029
Phase: Proposed (20010912)
Category: SF
Reference: BUGTRAQ:19990513 - J.J.F. / Hackers Team warns for SSHD 2.x brute force password hacking
Reference: URL:http://marc.theaimsgroup.com/?l=bugtraq&m=92663402004280&w=2
Reference: BID:277
Reference: URL:http://www.securityfocus.com/bid/277
Reference: XF:ssh2-bruteforce(2193)
Reference: URL:http://xforce.iss.net/static/2193.php

SSH server (sshd2) before 2.0.12 does not properly record login attempts if the connection is closed before the maximum number of tries, allowing a remote attacker to guess the password without showing up in the audit logs.
Current Votes:
   ACCEPT(2) Cole, Frech
   NOOP(2) Foat, Wall

======================================================
Name: CVE-1999-1030
Status: Candidate
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-1999-1030
Phase: Proposed (20010912)
Category:
Reference: BUGTRAQ:19990519 Denial of Service in Counter.exe version 2.70
Reference: URL:http://marc.theaimsgroup.com/?l=bugtraq&m=92713790426690&w=2
Reference: NTBUGTRAQ:19990519 Denial of Service in Counter.exe version 2.70
Reference: URL:http://marc.theaimsgroup.com/?l=ntbugtraq&m=92707671717292&w=2
Reference: BID:267
Reference: URL:http://www.securityfocus.com/bid/267

counter.exe 2.70 allows a remote attacker to cause a denial of service (hang) via an HTTP request that ends in %0A (newline), which causes a malformed entry in the counter log that produces an access violation.

Current Votes:
   MODIFY(1) Frech
   NOOP(3) Cole, Foat, Wall

Voter Comments:
 Frech> XF:http-cgi-counter-long(2196)

======================================================
Name: CVE-1999-1031
Status: Candidate
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-1999-1031
Phase: Proposed (20010912)
Category:
Reference: BUGTRAQ:19990519 Denial of Service in Counter.exe version 2.70
Reference: URL:http://marc.theaimsgroup.com/?l=bugtraq&m=92713790426690&w=2
Reference: NTBUGTRAQ:19990519 Denial of Service in Counter.exe version 2.70
Reference: URL:http://marc.theaimsgroup.com/?l=ntbugtraq&m=92707671717292&w=2
Reference: BID:267
Reference: URL:http://www.securityfocus.com/bid/267

counter.exe 2.70 allows a remote attacker to cause a denial of service (hang) via a long argument.
Current Votes:
   MODIFY(1) Frech
   NOOP(3) Cole, Foat, Wall

Voter Comments:
 Frech> XF:http-cgi-counter-long(2196)

======================================================
Name: CVE-1999-1033
Status: Candidate
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-1999-1033
Phase: Proposed (20010912)
Category: SF
Reference: BUGTRAQ:19990511 Outlook Express Win98 bug
Reference: URL:http://marc.theaimsgroup.com/?l=bugtraq&m=92647407427342&w=2
Reference: BUGTRAQ:19990512 Outlook Express Win98 bug, addition.
Reference: URL:http://marc.theaimsgroup.com/?l=bugtraq&m=92663402004275&w=2
Reference: BID:252
Reference: URL:http://www.securityfocus.com/bid/252

Microsoft Outlook Express before 4.72.3612.1700 allows a malicious user to send a message that contains a .., which can inadvertently cause Outlook to re-enter POP3 command mode and cause the POP3 session to hang.

Current Votes:
   ACCEPT(2) Cole, Wall
   MODIFY(1) Frech
   NOOP(1) Foat

Voter Comments:
 Frech> (Task 2241)
 CHANGE> [Frech changed vote from REVIEWING to MODIFY]
 Frech> XF:outlook-pop3-dot-dos(8926)

======================================================
Name: CVE-1999-1036
Status: Candidate
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-1999-1036
Phase: Proposed (20010912)
Category: SF
Reference: BUGTRAQ:19980626 vulnerability in satan, cops & tiger
Reference: URL:http://marc.theaimsgroup.com/?l=bugtraq&m=90221103125976&w=2

COPS 1.04 allows local users to overwrite or create arbitrary files via a symlink attack on temporary files in (1) res_diff, (2) ca.src, and (3) mail.chk.
Current Votes:
   ACCEPT(1) Foat
   MODIFY(1) Frech
   NOOP(2) Cole, Wall

Voter Comments:
 Frech> XF:cops-temp-file-symlink(7325)

======================================================
Name: CVE-1999-1038
Status: Candidate
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-1999-1038
Phase: Proposed (20010912)
Category: SF
Reference: BUGTRAQ:19980626 vulnerability in satan, cops & tiger
Reference: URL:http://marc.theaimsgroup.com/?l=bugtraq&m=90221103125976&w=2

Tiger 2.2.3 allows local users to overwrite arbitrary files via a symlink attack on various temporary files in Tiger's default working directory, as defined by the WORKDIR variable.

Current Votes:
   ACCEPT(1) Foat
   MODIFY(1) Frech
   NOOP(2) Cole, Wall

Voter Comments:
 Frech> XF:tiger-workdir-symlink(7326)

======================================================
Name: CVE-1999-1039
Status: Candidate
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-1999-1039
Phase: Proposed (20010912)
Category: SF
Reference: SGI:19980502-01-P3030
Reference: URL:ftp://patches.sgi.com/support/free/security/advisories/19980502-01-P3030

Vulnerability in (1) diskalign and (2) diskperf in IRIX 6.4 patches 2291 and 2848 allows a local user to create root-owned files leading to a root compromise.

Current Votes:
   ACCEPT(3) Cole, Foat, Stracener
   REJECT(1) Frech

======================================================
Name: CVE-1999-1040
Status: Candidate
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-1999-1040
Phase: Proposed (20010912)
Category: SF
Reference: BUGTRAQ:19980408 SGI O2 ipx security issue
Reference: URL:http://marc.theaimsgroup.com/?l=bugtraq&m=89217373930054&w=2
Reference: SGI:19980501-01-P
Reference: URL:ftp://patches.sgi.com/support/free/security/advisories/19980501-01-P2869
Reference: CIAC:I-055
Reference: URL:http://ciac.llnl.gov/ciac/bulletins/i-055.shtml

Vulnerabilities in (1) ipxchk and (2) ipxlink in NetWare Client 1.0 on IRIX 6.3 and 6.4 allow local users to gain root access via a modified IFS environmental variable.
Current Votes:
   ACCEPT(3) Cole, Foat, Stracener
   NOOP(1) Christey
   REJECT(1) Frech

Voter Comments:
 Christey> This candidate and CVE-1999-1501 are duplicates. However, CVE-1999-1501 will be REJECTed in favor of this candidate. Add the following references:
   BID:70
   URL:http://www.securityfocus.com/bid/70
   BID:71
   URL:http://www.securityfocus.com/bid/71
   XF:irix-ipxchk-ipxlink-ifs-commands(7365)
   URL:http://xforce.iss.net/static/7365.php

======================================================
Name: CVE-1999-1041
Status: Candidate
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-1999-1041
Phase: Proposed (20010912)
Category: SF
Reference: BUGTRAQ:19980827 SCO mscreen vul.
Reference: URL:http://www.securityfocus.com/archive/1/10420
Reference: BUGTRAQ:19980926 Root exploit for SCO OpenServer.
Reference: URL:http://marc.theaimsgroup.com/?l=bugtraq&m=90686250717719&w=2
Reference: SCO:SB-98.05a
Reference: URL:ftp://ftp.sco.com/SSE/security_bulletins/SB-98.05a
Reference: CERT:VB-98.10
Reference: URL:http://www.cert.org/vendor_bulletins/VB-98.10.sco.mscreen

Buffer overflow in mscreen on SCO OpenServer 5.0 and SCO UNIX 3.2v4 allows a local user to gain root access via (1) a long TERM environmental variable and (2) a long entry in the .mscreenrc file.

Current Votes:
   ACCEPT(3) Cole, Foat, Stracener
   MODIFY(1) Frech
   NOOP(1) Wall
   REVIEWING(1) Christey

Voter Comments:
 Frech> XF:sco-openserver-mscreen-bo(1379)
 Christey> Possible dupe with CVE-1999-1185.

======================================================
Name: CVE-1999-1042
Status: Candidate
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-1999-1042
Phase: Proposed (20010912)
Category: SF
Reference: CISCO:19980813 CRM Temporary File Vulnerability
Reference: URL:http://www.cisco.com/warp/public/770/crmtmp-pub.shtml

Cisco Resource Manager (CRM) 1.0 and 1.1 creates world-readable log files and temporary files, which may expose sensitive information to local users, such as user IDs, passwords and SNMP community strings.
Current Votes:
   ACCEPT(3) Cole, Foat, Stracener
   MODIFY(1) Frech
   NOOP(1) Wall
   REJECT(3) Armstrong, Balinsky, Christey

Voter Comments:
 Frech> XF:cisco-crm-file-vuln(1575)
 Armstrong> I think that this is the same as Can-1999-1126
 Balinsky> This is the same as CVE-1999-1126. Merge them.
 Christey> DUPE CVE-1999-1126, as noted by others. This candidate will be rejected. CVE-1999-1126 will be promoted.

======================================================
Name: CVE-1999-1043
Status: Candidate
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-1999-1043
Phase: Proposed (20010912)
Category: SF
Reference: MS:MS98-007
Reference: URL:http://www.microsoft.com/technet/security/bulletin/ms98-007.asp

Microsoft Exchange Server 5.5 and 5.0 does not properly handle (1) malformed NNTP data, or (2) malformed SMTP data, which allows remote attackers to cause a denial of service (application error).

Current Votes:
   ACCEPT(3) Cole, Foat, Wall
   MODIFY(1) Frech

Voter Comments:
 Frech> XF:exchange-dos(1223)

======================================================
Name: CVE-1999-1046
Status: Candidate
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-1999-1046
Phase: Proposed (20010912)
Category: SF
Reference: BUGTRAQ:19990302 Multiple IMail Vulnerabilites
Reference: URL:http://marc.theaimsgroup.com/?l=bugtraq&m=92038879607336&w=2
Reference: BID:504
Reference: URL:http://www.securityfocus.com/bid/504
Reference: XF:imail-imonitor-overflow(1897)
Reference: URL:http://xforce.iss.net/static/1897.php

Buffer overflow in IMonitor in IMail 5.0 allows remote attackers to cause a denial of service, and possibly execute arbitrary commands, via a long string to port 8181.
Current Votes:
   ACCEPT(2) Cole, Frech
   NOOP(2) Foat, Wall

======================================================
Name: CVE-1999-1049
Status: Candidate
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-1999-1049
Phase: Proposed (20010912)
Category: SF
Reference: BUGTRAQ:19990222 Severe Security Hole in ARCserve NT agents (fwd)
Reference: URL:http://marc.theaimsgroup.com/?l=bugtraq&m=91972006211238&w=2

ARCserve NT agents use weak encryption (XOR) for passwords, which allows remote attackers to sniff the authentication request to port 6050 and decrypt the password.

Current Votes:
   MODIFY(1) Frech
   NOOP(3) Cole, Foat, Wall

Voter Comments:
 Frech> XF:arcserve-agent-passwords(1822)

======================================================
Name: CVE-1999-1050
Status: Candidate
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-1999-1050
Phase: Proposed (20010912)
Category: SF
Reference: BUGTRAQ:19991112 FormHandler.cgi
Reference: URL:http://www.securityfocus.com/archive/1/34600
Reference: BUGTRAQ:19991116 Re: FormHandler.cgi
Reference: URL:http://www.securityfocus.com/archive/1/34939
Reference: BID:798
Reference: URL:http://www.securityfocus.com/bid/798
Reference: BID:799
Reference: URL:http://www.securityfocus.com/bid/799
Reference: XF:formhandler-cgi-absolute-path(3550)
Reference: URL:http://xforce.iss.net/static/3550.php

Directory traversal vulnerability in Matt Wright FormHandler.cgi script allows remote attackers to read arbitrary files via (1) a .. (dot dot) in the reply_message_attach attachment parameter, or (2) by specifying the filename as a template.

Current Votes:
   ACCEPT(1) Frech
   NOOP(3) Cole, Foat, Wall
   REVIEWING(1) Christey

Voter Comments:
 Christey> Abstraction and definition issue: CD:SF-LOC suggests combining issues of the same type. Some people refer to "directory traversal" and just mean .. problems; but there are other issues (specifying an absolute pathname, using C: drive letters, doing encodings) that, to my way of thinking, are "different."
   Perhaps this should be split. My brain hurts too much right now. There are a couple problems with the references and descriptions of CVE-1999-1050 and CVE-1999-1051. I'm interpreting the underlying nature of the problem(s) a little differently than others are. Some of it may be due to differing definitions or thoughts about what "directory traversal vulnerabilities" are.

======================================================
Name: CVE-1999-1051
Status: Candidate
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-1999-1051
Phase: Proposed (20010912)
Category: CF
Reference: BUGTRAQ:19991116 Re: FormHandler.cgi
Reference: URL:http://www.securityfocus.com/archive/1/34939

Default configuration in Matt Wright FormHandler.cgi script allows arbitrary directories to be used for attachments, and only restricts access to the /etc/ directory, which allows remote attackers to read arbitrary files via the reply_message_attach attachment parameter.

Current Votes:
   MODIFY(1) Frech
   NOOP(3) Cole, Foat, Wall
   REVIEWING(1) Christey

Voter Comments:
 Frech> XF:formhandler-cgi-reply-message(7782)
 Christey> I view one of these as a configuration issue: FormHandler.cgi *could* be configured to limit hard-coded pathnames to a single directory which, while being an information leak, would still be "reasonably secure." But by default, it's just not configured that way. My brain hurts too much right now. There are a couple problems with the references and descriptions of CVE-1999-1050 and CVE-1999-1051. I'm interpreting the underlying nature of the problem(s) a little differently than others are. Some of it may be due to differing definitions or thoughts about what "directory traversal vulnerabilities" are.
======================================================
Name: CVE-1999-1052
Status: Candidate
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-1999-1052
Phase: Proposed (20010912)
Category:
Reference: BUGTRAQ:19990824 Front Page form_results
Reference: URL:http://marc.theaimsgroup.com/?l=bugtraq&m=93582550911564&w=2

Microsoft FrontPage stores form results in a default location in /_private/form_results.txt, which is world-readable and accessible in the document root, which allows remote attackers to read possibly sensitive information submitted by other users.

Current Votes:
   ACCEPT(1) Wall
   MODIFY(1) Frech
   NOOP(2) Cole, Foat

Voter Comments:
 Frech> XF:frontpage-formresults-world-readable(8362)

======================================================
Name: CVE-1999-1053
Status: Candidate
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-1999-1053
Phase: Proposed (20010912)
Category: SF
Reference: VULN-DEV:19990913 Guestbook perl script (long)
Reference: URL:http://www.securityfocus.com/archive/82/27296
Reference: VULN-DEV:19990916 Re: Guestbook perl script (error fix)
Reference: URL:http://www.securityfocus.com/archive/82/27560
Reference: BUGTRAQ:19991105 Guestbook.pl, sloppy SSI handling in Apache? (VD#2)
Reference: URL:http://www.securityfocus.com/archive/1/33674
Reference: BID:776
Reference: URL:http://www.securityfocus.com/bid/776

guestbook.pl cleanses user-inserted SSI commands by removing text between "<!--" and "-->" separators, which allows remote attackers to execute arbitrary commands when guestbook.pl is run on Apache 1.3.9 and possibly other versions, since Apache allows other closing sequences besides "-->".
Current Votes:
   MODIFY(1) Frech
   NOOP(3) Cole, Foat, Wall

Voter Comments:
 Frech> XF:guestbook-cgi-command-execution(7783)

======================================================
Name: CVE-1999-1054
Status: Candidate
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-1999-1054
Phase: Proposed (20010912)
Category: CF
Reference: BUGTRAQ:19980925 Globetrotter FlexLM 'lmdown' bogosity
Reference: URL:http://marc.theaimsgroup.com/?l=bugtraq&m=90675672323825&w=2

The default configuration of FLEXlm license manager 6.0d, and possibly other versions, allows remote attackers to shut down the server via the lmdown command.

Current Votes:
   ACCEPT(1) Cole
   NOOP(2) Foat, Wall

======================================================
Name: CVE-1999-1056
Status: Candidate
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-1999-1056
Phase: Modified (20050204)
Category: SF

** REJECT ** DO NOT USE THIS CANDIDATE NUMBER. ConsultIDs: CVE-1999-1395. Reason: This candidate is a duplicate of CVE-1999-1395. Notes: All CVE users should reference CVE-1999-1395 instead of this candidate. All references and descriptions in this candidate have been removed to prevent accidental usage.

Current Votes:
   ACCEPT(3) Cole, Foat, Stracener
   MODIFY(1) Frech
   NOOP(1) Wall
   REJECT(1) Christey

Voter Comments:
 Frech> XF:vms-monitor-gain-privileges(7136)
 Christey> DUPE CVE-1999-1395 This CAN is being rejected in favor of CVE-1999-1395 because CVE-1999-1395 has more references.
======================================================
Name: CVE-1999-1058
Status: Candidate
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-1999-1058
Phase: Proposed (20010912)
Category: SF
Reference: NTBUGTRAQ:19991122 Remote DoS Attack in Vermillion FTP Daemon (VFTPD) v1.23 Vulnerability
Reference: URL:http://marc.theaimsgroup.com/?l=ntbugtraq&m=94337185023159&w=2
Reference: BUGTRAQ:19991122 Remote DoS Attack in Vermillion FTP Daemon (VFTPD) v1.23 Vulnerability
Reference: URL:http://marc.theaimsgroup.com/?l=bugtraq&m=94329968617085&w=2
Reference: XF:vermillion-ftp-cwd-overflow(3543)
Reference: URL:http://xforce.iss.net/static/3543.php
Reference: BID:818
Reference: URL:http://www.securityfocus.com/bid/818

Buffer overflow in Vermillion FTP Daemon VFTPD 1.23 allows remote attackers to cause a denial of service, and possibly execute arbitrary commands, via several long CWD commands.

Current Votes:
   ACCEPT(2) Cole, Frech
   NOOP(2) Foat, Wall

======================================================
Name: CVE-1999-1060
Status: Candidate
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-1999-1060
Phase: Proposed (20010912)
Category: SF
Reference: BUGTRAQ:19990217 Tetrix 1.13.16 is Vulnerable
Reference: URL:http://marc.theaimsgroup.com/?l=bugtraq&m=91937090211855&w=2
Reference: BID:340
Reference: URL:http://www.securityfocus.com/bid/340

Buffer overflow in Tetrix TetriNet daemon 1.13.16 allows remote attackers to cause a denial of service and possibly execute arbitrary commands by connecting to port 31457 from a host with a long DNS hostname.
Current Votes:
   MODIFY(1) Frech
   NOOP(3) Cole, Foat, Wall

Voter Comments:
 Frech> XF:tetrinet-dns-hostname-bo(7500)

======================================================
Name: CVE-1999-1061
Status: Candidate
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-1999-1061
Phase: Proposed (20010912)
Category: CF
Reference: BUGTRAQ:19971004 HP Laserjet 4M Plus DirectJet Problem
Reference: URL:http://marc.theaimsgroup.com/?l=bugtraq&m=87602248518480&w=2
Reference: XF:laserjet-unpassworded(1876)
Reference: URL:http://xforce.iss.net/static/1876.php

HP Laserjet printers with JetDirect cards, when configured with TCP/IP, can be configured without a password, which allows remote attackers to connect to the printer and change its IP address or disable logging.

Current Votes:
   ACCEPT(2) Cole, Frech
   NOOP(1) Foat

Voter Comments:
 Frech> CONFIRM:http://www.hp.com/cposupport/printers/support_doc/bpl02914.html

======================================================
Name: CVE-1999-1062
Status: Candidate
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-1999-1062
Phase: Proposed (20010912)
Category: SF
Reference: BUGTRAQ:19971004 HP Laserjet 4M Plus DirectJet Problem
Reference: URL:http://marc.theaimsgroup.com/?l=bugtraq&m=87602248518480&w=2
Reference: XF:laserjet-unpassworded(1876)
Reference: URL:http://xforce.iss.net/static/1876.php

HP Laserjet printers with JetDirect cards, when configured with TCP/IP, allow remote attackers to bypass print filters by directly sending PostScript documents to TCP ports 9099 and 9100.
Current Votes:
   ACCEPT(1) Cole
   MODIFY(1) Frech
   NOOP(1) Foat

Voter Comments:
 Frech> DELREF:XF:laserjet-unpassworded(1876) ADDREF:XF:hp-printer-flood(1818)

======================================================
Name: CVE-1999-1063
Status: Candidate
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-1999-1063
Phase: Proposed (20010912)
Category: SF
Reference: BUGTRAQ:19990601 whois_raw.cgi problem
Reference: URL:http://www.securityfocus.com/archive/1/14019
Reference: BID:304
Reference: URL:http://www.securityfocus.com/bid/304
Reference: XF:http-cgi-cdomain(2251)
Reference: URL:http://xforce.iss.net/static/2251.php

CDomain whois_raw.cgi whois CGI script allows remote attackers to execute arbitrary commands via shell metacharacters in the fqdn parameter.

Current Votes:
   ACCEPT(1) Frech
   NOOP(3) Cole, Foat, Wall

======================================================
Name: CVE-1999-1064
Status: Candidate
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-1999-1064
Phase: Proposed (20010912)
Category: SF
Reference: BUGTRAQ:19990822
Reference: URL:http://marc.theaimsgroup.com/?l=bugtraq&m=93555317429630&w=2
Reference: BUGTRAQ:19990824 Re: WindowMaker bugs (was sub:none )
Reference: URL:http://marc.theaimsgroup.com/?l=bugtraq&m=93582070508957&w=2
Reference: BID:596
Reference: URL:http://www.securityfocus.com/bid/596

Multiple buffer overflows in WindowMaker 0.52 through 0.60.0 allow attackers to cause a denial of service and possibly execute arbitrary commands by executing WindowMaker with a long program name (argv[0]).
Current Votes:
   MODIFY(1) Frech
   NOOP(3) Cole, Foat, Wall

Voter Comments:
 Frech> XF:windowmaker-bo(3249)

======================================================
Name: CVE-1999-1065
Status: Candidate
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-1999-1065
Phase: Proposed (20010912)
Category: SF
Reference: BUGTRAQ:19991104 Palm Hotsync vulnerable to DoS attack
Reference: URL:http://marc.theaimsgroup.com/?l=bugtraq&m=94175465525422&w=2

Palm Pilot HotSync Manager 3.0.4 in Windows 98 allows remote attackers to cause a denial of service, and possibly execute arbitrary commands, via a long string to port 14238 while the manager is in network mode.

Current Votes:
   ACCEPT(1) Cole
   MODIFY(1) Frech
   NOOP(2) Foat, Wall

Voter Comments:
 Frech> XF:palm-hotsync-bo(7785)

======================================================
Name: CVE-1999-1066
Status: Candidate
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-1999-1066
Phase: Proposed (20010912)
Category: SF
Reference: BUGTRAQ:19991222 Quake "smurf" - Quake War Utils
Reference: URL:http://marc.theaimsgroup.com/?l=bugtraq&m=94589559631535&w=2

Quake 1 server responds to an initial UDP game connection request with a large amount of traffic, which allows remote attackers to use the server as an amplifier in a "Smurf" style attack on another host, by spoofing the connection request.

Current Votes:
   MODIFY(1) Frech
   NOOP(4) Christey, Cole, Foat, Wall

Voter Comments:
 Christey> This is apparently a problem with the connection protocol. See BUGTRAQ:19980522 NetQuake Protocol problem resulting in smurf like effect.
   URL:http://marc.theaimsgroup.com/?l=bugtraq&m=90221101925989&w=2
 Frech> XF:quake-udp-connection-dos(7862)

======================================================
Name: CVE-1999-1067
Status: Candidate
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-1999-1067
Phase: Proposed (20010912)
Category: SF
Reference: BUGTRAQ:19970507 Re: SGI Security Advisory 19970501-01-A - Vulnerability in webdist.cgi
Reference: URL:http://marc.theaimsgroup.com/?l=bugtraq&m=87602167420919&w=2
Reference: XF:sgi-machineinfo

SGI MachineInfo CGI program, installed by default on some web servers, prints potentially sensitive system status information, which could be used by remote attackers for information gathering activities.

Current Votes:
   ACCEPT(1) Frech
   NOOP(2) Cole, Foat

Voter Comments:
 Frech> I'd be a lot more confident in this vote if there was a more concrete reference strongly associating webdist.cgi and machineinfo.

======================================================
Name: CVE-1999-1068
Status: Candidate
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-1999-1068
Phase: Proposed (20010912)
Category: SF
Reference: BUGTRAQ:19970723 DoS against Oracle Webserver 2.1 with PL/SQL stored procedures
Reference: URL:http://marc.theaimsgroup.com/?l=bugtraq&m=87602661419366&w=2

Oracle Webserver 2.1, when serving PL/SQL stored procedures, allows remote attackers to cause a denial of service via a long HTTP GET request.
Current Votes:
   MODIFY(1) Frech
   NOOP(2) Cole, Foat

Voter Comments:
 Frech> XF:oracle-webserver-dos(1812)

======================================================
Name: CVE-1999-1069
Status: Candidate
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-1999-1069
Phase: Proposed (20010912)
Category: SF
Reference: BUGTRAQ:19971108 Security bug in iCat Suite version 3.0
Reference: URL:http://www.securityfocus.com/archive/1/7943
Reference: BID:2126
Reference: URL:http://www.securityfocus.com/bid/2126
Reference: XF:icat-carbo-server-vuln(1620)
Reference: URL:http://xforce.iss.net/static/1620.php

Directory traversal vulnerability in carbo.dll in iCat Carbo Server 3.0.0 allows remote attackers to read arbitrary files via a .. (dot dot) in the icatcommand parameter.

Current Votes:
   ACCEPT(2) Cole, Frech
   NOOP(1) Foat

Voter Comments:
 Frech> iCat's site at http://www.icat.com/ is shut down, and no further support seems to be available.

======================================================
Name: CVE-1999-1070
Status: Candidate
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-1999-1070
Phase: Proposed (20010912)
Category: SF
Reference: BUGTRAQ:19980725 Annex DoS
Reference: URL:http://www.securityfocus.com/archive/1/10021

Buffer overflow in ping CGI program in Xylogics Annex terminal service allows remote attackers to cause a denial of service via a long query parameter.
Current Votes:
   MODIFY(1) Frech
   NOOP(3) Cole, Foat, Wall

Voter Comments:
 Frech> XF:annex-ping-crash(2090)

======================================================
Name: CVE-1999-1071
Status: Candidate
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-1999-1071
Phase: Proposed (20010912)
Category: SF
Reference: BUGTRAQ:19981130 Security bugs in Excite for Web Servers 1.1
Reference: URL:http://marc.theaimsgroup.com/?l=bugtraq&m=91248445931140&w=2
Reference: XF:excite-world-write(1417)
Reference: URL:http://xforce.iss.net/static/1417.php

Excite for Web Servers (EWS) 1.1 installs the Architext.conf authentication file with world-writeable permissions, which allows local users to gain access to Excite accounts by modifying the file.

Current Votes:
   ACCEPT(1) Frech
   NOOP(3) Cole, Foat, Wall

======================================================
Name: CVE-1999-1072
Status: Candidate
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-1999-1072
Phase: Proposed (20010912)
Category: SF
Reference: BUGTRAQ:19981130 Security bugs in Excite for Web Servers 1.1
Reference: URL:http://marc.theaimsgroup.com/?l=bugtraq&m=91248445931140&w=2

Excite for Web Servers (EWS) 1.1 allows local users to gain privileges by obtaining the encrypted password from the world-readable Architext.conf authentication file and replaying the encrypted password in an HTTP request to AT-generated.cgi or AT-admin.cgi.
Current Votes:
   NOOP(3) Cole, Foat, Wall

======================================================
Name: CVE-1999-1073
Status: Candidate
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-1999-1073
Phase: Proposed (20010912)
Category: SF
Reference: BUGTRAQ:19981130 Security bugs in Excite for Web Servers 1.1
Reference: URL:http://marc.theaimsgroup.com/?l=bugtraq&m=91248445931140&w=2

Excite for Web Servers (EWS) 1.1 records the first two characters of a plaintext password in the beginning of the encrypted password, which makes it easier for an attacker to guess passwords via a brute force or dictionary attack.

Current Votes:
   NOOP(3) Cole, Foat, Wall

======================================================
Name: CVE-1999-1075
Status: Candidate
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-1999-1075
Phase: Proposed (20010912)
Category: SF
Reference: BUGTRAQ:19980318 AIX 4.1.5 DoS attack (aka "Port 1025 problem")
Reference: URL:http://marc.theaimsgroup.com/?l=bugtraq&m=89025820612530&w=2

inetd in AIX 4.1.5 dynamically assigns a port N when starting ttdbserver (ToolTalk server), but also inadvertently listens on port N-1 without passing control to ttdbserver, which allows remote attackers to cause a denial of service via a large number of connections to port N-1, which are not properly closed by inetd.
Current Votes:
   MODIFY(1) Frech
   NOOP(3) Cole, Foat, Wall

Voter Comments:
 Frech> XF:aix-ttdbserver(813) CONFIRM:APAR IX70400

======================================================
Name: CVE-1999-1076
Status: Candidate
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-1999-1076
Phase: Proposed (20010912)
Category: SF
Reference: BUGTRAQ:19991026 Mac OS 9 Idle Lock Bug
Reference: URL:http://marc.theaimsgroup.com/?l=bugtraq&m=94096348604173&w=2
Reference: BID:745
Reference: URL:http://www.securityfocus.com/bid/745

Idle locking function in MacOS 9 allows local users to bypass the password protection of idled sessions by selecting the "Log Out" option and selecting a "Cancel" option in the dialog box for an application that attempts to verify that the user wants to log out, which returns the attacker into the locked session.

Current Votes:
   ACCEPT(2) Cole, Foat
   MODIFY(1) Frech
   NOOP(1) Wall

Voter Comments:
 Frech> XF:macos-idle-screenlock-bypass(7794)

======================================================
Name: CVE-1999-1077
Status: Candidate
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-1999-1077
Phase: Proposed (20010912)
Category: SF
Reference: BUGTRAQ:19991101 Re: Mac OS 9 Idle Lock Bug
Reference: URL:http://marc.theaimsgroup.com/?l=bugtraq&m=94149318124548&w=2
Reference: BID:756
Reference: URL:http://www.securityfocus.com/bid/756

Idle locking function in MacOS 9 allows local attackers to bypass the password protection of idled sessions via the programmer's switch or CMD-PWR keyboard sequence, which brings up a debugger that the attacker can use to disable the lock.
Current Votes:
   ACCEPT(2) Cole, Foat
   MODIFY(1) Frech
   NOOP(1) Wall

Voter Comments:
 Frech> XF:macos-debug-screenlock-access(3426)

======================================================
Name: CVE-1999-1078
Status: Candidate
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-1999-1078
Phase: Proposed (20010912)
Category: SF
Reference: NTBUGTRAQ:19990729 WS_FTP Pro 6.0 Weak Password Encryption Vulnerability
Reference: URL:http://www.ntbugtraq.com/default.asp?pid=36&sid=1&A2=ind9907&L=ntbugtraq&D=0&P=10370&F=P
Reference: BID:547
Reference: URL:http://www.securityfocus.com/bid/547

WS_FTP Pro 6.0 uses weak encryption for passwords in its initialization files, which allows remote attackers to easily decrypt the passwords and gain privileges.

Current Votes:
   MODIFY(1) Frech
   NOOP(3) Cole, Foat, Wall

Voter Comments:
 Frech> XF:wsftp-weak-password-encryption(8349)

======================================================
Name: CVE-1999-1079
Status: Candidate
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-1999-1079
Phase: Proposed (20010912)
Category: SF
Reference: BUGTRAQ:19990506 AIX Security Fixes Update
Reference: URL:http://marc.theaimsgroup.com/?l=bugtraq&m=92601792420088&w=2
Reference: BUGTRAQ:19990825 AIX security summary
Reference: URL:http://marc.theaimsgroup.com/?l=bugtraq&m=93587956513233&w=2
Reference: AIXAPAR:IX80470
Reference: URL:http://www-1.ibm.com/servlet/support/manager?rs=0&rt=0&org=apars&doc=08E0B1A1B85472A1852567C90031BB36
Reference: BID:439
Reference: URL:http://www.securityfocus.com/bid/439

Vulnerability in ptrace in AIX 4.3 allows local users to gain privileges by attaching to a setgid program.
Current Votes:
   ACCEPT(3) Cole, Foat, Stracener
   MODIFY(1) Frech

Voter Comments:
 Frech> XF:aix-ptrace-setgid(7487)

======================================================
Name: CVE-1999-1081
Status: Candidate
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-1999-1081
Phase: Proposed (20010912)
Category: SF
Reference: MISC:http://www.w3.org/Security/Faq/wwwsf8.html#Q87
Reference: MISC:http://www.roxanne.org/faqs/www-secure/wwwsf4.html#Q35
Reference: XF:http-nov-files(2054)
Reference: URL:http://xforce.iss.net/static/2054.php

Vulnerability in files.pl script in Novell WebServer Examples Toolkit 2 allows remote attackers to read arbitrary files.

Current Votes:
   ACCEPT(2) Cole, Frech
   NOOP(1) Foat

======================================================
Name: CVE-1999-1082
Status: Candidate
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-1999-1082
Phase: Proposed (20010912)
Category: SF
Reference: BUGTRAQ:19991008 Jana webserver exploit
Reference: URL:http://marc.theaimsgroup.com/?l=bugtraq&m=93941794201059&w=2
Reference: BID:699
Reference: URL:http://www.securityfocus.com/bid/699

Directory traversal vulnerability in Jana proxy web server 1.40 allows remote attackers to read arbitrary files via a "......" (modified dot dot) attack.

Current Votes:
   ACCEPT(1) Cole
   MODIFY(1) Frech
   NOOP(2) Foat, Wall

Voter Comments:
 Frech> XF:jana-server-directory-traversal(6513)

======================================================
Name: CVE-1999-1083
Status: Candidate
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-1999-1083
Phase: Proposed (20010912)
Category: SF
Reference: BUGTRAQ:20000502 Security Bug in Jana HTTP Server
Reference: URL:http://marc.theaimsgroup.com/?l=bugtraq&m=95730430727064&w=2
Reference: BID:699
Reference: URL:http://www.securityfocus.com/bid/699

Directory traversal vulnerability in Jana proxy web server 1.45 allows remote attackers to read arbitrary files via a .. (dot dot) attack.
Current Votes:
   ACCEPT(1) Cole
   MODIFY(1) Frech
   NOOP(3) Christey, Foat, Wall

Voter Comments:
 Frech> XF:jana-server-directory-traversal(6513)
 Christey> MODIFY description - the attack is of the form "/./../" (single dot followed by double-dot)

======================================================
Name: CVE-1999-1084
Status: Candidate
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-1999-1084
Phase: Proposed (20010912)
Category: CF
Reference: NTBUGTRAQ:19980622 Yet another "get yourself admin rights exploit":
Reference: URL:http://marc.theaimsgroup.com/?l=ntbugtraq&m=90222453431604&w=2
Reference: MSKB:Q103861
Reference: URL:http://support.microsoft.com/support/kb/articles/q103/8/61.asp
Reference: MS:MS00-008
Reference: URL:http://www.microsoft.com/technet/security/bulletin/ms00-008.asp
Reference: CIAC:K-029
Reference: URL:http://www.ciac.org/ciac/bulletins/k-029.shtml
Reference: BID:1044
Reference: URL:http://www.securityfocus.com/bid/1044

The "AEDebug" registry key is installed with insecure permissions, which allows local users to modify the key to specify a Trojan Horse debugger which is automatically executed on a system crash.

Current Votes:
   ACCEPT(3) Cole, Foat, Wall
   MODIFY(1) Frech

Voter Comments:
 Frech> XF:nt-registry-permissions(4111)

======================================================
Name: CVE-1999-1086
Status: Candidate
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-1999-1086
Phase: Proposed (20010912)
Category: SF
Reference: BUGTRAQ:19990715 NMRC Advisory: Netware 5 Client Hijacking
Reference: URL:http://marc.theaimsgroup.com/?l=bugtraq&m=93214475111651&w=2
Reference: BID:528
Reference: URL:http://www.securityfocus.com/bid/528

Novell 5 and earlier, when running over IPX with a packet signature level less than 3, allows remote attackers to gain administrator privileges by spoofing the MAC address in IPC fragmented packets that make NetWare Core Protocol (NCP) calls.
Current Votes:
   ACCEPT(1) Cole
   MODIFY(1) Frech
   NOOP(2) Foat, Wall

Voter Comments:
 Frech> XF:netware-ipx-session-spoof(2350)

======================================================
Name: CVE-1999-1088
Status: Candidate
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-1999-1088
Phase: Proposed (20010912)
Category: SF
Reference: HP:HPSBUX9701-050
Reference: CIAC:H-21
Reference: URL:http://ciac.llnl.gov/ciac/bulletins/h-21.shtml
Reference: XF:hp-chsh(2012)
Reference: URL:http://xforce.iss.net/static/2012.php

Vulnerability in chsh command in HP-UX 9.X through 10.20 allows local users to gain privileges.

Current Votes:
   ACCEPT(4) Cole, Foat, Frech, Stracener

======================================================
Name: CVE-1999-1089
Status: Candidate
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-1999-1089
Phase: Proposed (20010912)
Category: SF
Reference: BUGTRAQ:19961209 the HP Bug of the Week!
Reference: URL:http://marc.theaimsgroup.com/?l=bugtraq&m=87602167420285&w=2
Reference: HP:HPSBUX9701-049
Reference: CIAC:H-21
Reference: URL:http://ciac.llnl.gov/ciac/bulletins/h-21.shtml
Reference: CIAC:H-16
Reference: URL:http://ciac.llnl.gov/ciac/bulletins/h-16.shtml
Reference: AUSCERT:AA-96.18
Reference: XF:hp-chfn(2008)

Buffer overflow in chfn command in HP-UX 9.X through 10.20 allows local users to gain privileges via a long command line argument.
Current Votes:
   ACCEPT(4) Cole, Foat, Frech, Stracener

======================================================
Name: CVE-1999-1091
Status: Candidate
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-1999-1091
Phase: Proposed (20010912)
Category: SF
Reference: BUGTRAQ:19960903 [BUG] Vulnerability in TIN
Reference: URL:http://marc.theaimsgroup.com/?l=bugtraq&m=87602167419835&w=2
Reference: BUGTRAQ:19960903 Re: BoS: [BUG] Vulnerability in TIN
Reference: URL:http://marc.theaimsgroup.com/?l=bugtraq&m=87602167419839&w=2
Reference: BUGTRAQ:19970329 symlink bug in tin/rtin
Reference: URL:http://marc.theaimsgroup.com/?l=bugtraq&m=87602167420726&w=2
Reference: XF:tin-tmpfile(431)
Reference: URL:http://xforce.iss.net/static/431.php

UNIX news readers tin and rtin create the /tmp/.tin_log file with insecure permissions and follow symlinks, which allows attackers to modify the permissions of files writable by the user via a symlink attack.

Current Votes:
   ACCEPT(1) Frech
   NOOP(2) Cole, Foat

======================================================
Name: CVE-1999-1092
Status: Candidate
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-1999-1092
Phase: Proposed (20010912)
Category: unknown
Reference: BUGTRAQ:19991117 default permissions for tin
Reference: URL:http://marc.theaimsgroup.com/?l=bugtraq&m=94286179032648&w=2

tin 1.40 creates the .tin directory with insecure permissions, which allows local users to read passwords from the .inputhistory file.
Current Votes:
   MODIFY(1) Frech
   NOOP(3) Cole, Foat, Wall

Voter Comments:
 Frech> XF:tin-insecure-permissions(7796) Confirmed in changelog for 1.4.1 http://ftp.kreonet.re.kr/pub/tools/news/tin/v1.4/CHANGES

======================================================
Name: CVE-1999-1095
Status: Candidate
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-1999-1095
Phase: Proposed (20010912)
Category: SF
Reference: BUGTRAQ:19971006 KSR[T] Advisory #3: updatedb / crontabs
Reference: URL:http://marc.theaimsgroup.com/?l=bugtraq&m=87619953510834&w=2
Reference: BUGTRAQ:19980303 updatedb stuff
Reference: URL:http://marc.theaimsgroup.com/?l=bugtraq&m=88890116304676&w=2
Reference: BUGTRAQ:19980303 updatedb: sort patch
Reference: BUGTRAQ:19980302 overwrite any file with updatedb
Reference: URL:http://marc.theaimsgroup.com/?l=bugtraq&m=88886870129518&w=2

sort creates temporary files and follows symbolic links, which allows local users to modify arbitrary files that are writable by the user running sort, as observed in updatedb and other programs that use sort.

Current Votes:
   MODIFY(1) Frech
   NOOP(3) Christey, Cole, Foat

Voter Comments:
 Frech> XF:sort-tmp-file-symlink(7182)
 Christey> This issue clearly has a long history.
   CALDERA:CSSA-2002-SCO.21
   URL:http://archives.neohapsis.com/archives/linux/caldera/2002-q2/0018.html
   CALDERA:CSSA-2002-SCO.2
   URL:http://archives.neohapsis.com/archives/linux/caldera/2002-q1/0002.html
   (There are 2 Caldera advisories because one is for Open UNIX and UnixWare, and the other is for OpenServer)
   XF:openserver-sort-symlink(9218)
   URL:http://www.iss.net/security_center/static/9218.php

======================================================
Name: CVE-1999-1096
Status: Candidate
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-1999-1096
Phase: Proposed (20010912)
Category: SF
Reference: BUGTRAQ:19980516 kde exploit
Reference: URL:http://marc.theaimsgroup.com/?l=bugtraq&m=90221101925954&w=2
Reference: BUGTRAQ:19980517 simple kde exploit fix
Reference: URL:http://marc.theaimsgroup.com/?l=bugtraq&m=90221101925959&w=2
Reference: XF:kde-klock-home-bo(1644)
Reference: URL:http://xforce.iss.net/static/1644.php

Buffer overflow in kscreensaver in KDE klock allows local users to gain root privileges via a long HOME environmental variable.

Current Votes:
   ACCEPT(1) Frech
   NOOP(3) Cole, Foat, Wall

======================================================
Name: CVE-1999-1097
Status: Candidate
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-1999-1097
Phase: Proposed (20010912)
Category: SF
Reference: BUGTRAQ:19990504 Microsoft Netmeeting Hole
Reference: URL:http://marc.theaimsgroup.com/?l=bugtraq&m=92586457816446&w=2
Reference: XF:netmeeting-clipboard(2187)
Reference: URL:http://xforce.iss.net/static/2187.php

Microsoft NetMeeting 2.1 allows one client to read the contents of another client's clipboard via a CTRL-C in the chat box when the box is empty.
Current Votes:
   ACCEPT(1) Frech
   NOOP(3) Cole, Foat, Wall

======================================================
Name: CVE-1999-1101
Status: Candidate
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-1999-1101
Phase: Proposed (20010912)
Category: SF
Reference: BUGTRAQ:19990219 Yet Another password storing problem (was: Re: Possible Netscape Crypto Security Flaw)
Reference: URL:http://www.securityfocus.com/archive/1/12618

Kabsoftware Lydia utility uses weak encryption to store user passwords in the lydia.ini file, which allows local users to easily decrypt the passwords and gain privileges.

Current Votes:
   MODIFY(1) Frech
   NOOP(3) Cole, Foat, Wall

Voter Comments:
 Frech> XF:lydia-ini-passwords(7501) ADDREF:http://www.kabsoftware.com/lydia_history.txt (Version History for Lydia, V3.3 - 11/24/00)

======================================================
Name: CVE-1999-1106
Status: Candidate
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-1999-1106
Phase: Proposed (20010912)
Category: SF
Reference: BUGTRAQ:19980429 Security hole in kppp
Reference: URL:http://www.securityfocus.com/archive/1/9121
Reference: XF:kde-kppp-account-bo(1643)
Reference: URL:http://xforce.iss.net/static/1643.php
Reference: BID:92
Reference: URL:http://www.securityfocus.com/bid/92

Buffer overflow in kppp in KDE allows local users to gain root access via a long -c (account_name) command line argument.
Current Votes:
   ACCEPT(2) Cole, Frech
   NOOP(2) Foat, Wall

======================================================
Name: CVE-1999-1107
Status: Candidate
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-1999-1107
Phase: Proposed (20010912)
Category: SF
Reference: BUGTRAQ:19981118 Multiple KDE security vulnerabilities (root compromise)
Reference: URL:http://marc.theaimsgroup.com/?l=bugtraq&m=91141486301691&w=2
Reference: XF:kde-kppp-path-bo(1650)
Reference: URL:http://xforce.iss.net/static/1650.php

Buffer overflow in kppp in KDE allows local users to gain root access via a long PATH environmental variable.

Current Votes:
   ACCEPT(1) Frech
   NOOP(3) Cole, Foat, Wall

======================================================
Name: CVE-1999-1108
Status: Candidate
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-1999-1108
Phase: Modified (20050204)
Category: SF

** REJECT ** DO NOT USE THIS CANDIDATE NUMBER. ConsultIDs: CVE-1999-1107. Reason: This candidate is a duplicate of CVE-1999-1107. Notes: All CVE users should reference CVE-1999-1107 instead of this candidate. All references and descriptions in this candidate have been removed to prevent accidental usage.

Current Votes:
   ACCEPT(1) Cole
   NOOP(2) Foat, Wall
   REJECT(2) Christey, Frech

Voter Comments:
 Frech> Has exactly the same attributes as CVE-1999-1107.
 Christey> DUPE CVE-1999-1107.
======================================================
Name: CVE-1999-1110
Status: Candidate
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-1999-1110
Phase: Proposed (20010912)
Category:
Reference: BUGTRAQ:19991114 IE 5.0 and Windows Media Player ActiveX object allow checking the existence of local files and directories
Reference: URL:http://www.securityfocus.com/archive/1/34675
Reference: BID:793
Reference: URL:http://www.securityfocus.com/bid/793

Windows Media Player ActiveX object as used in Internet Explorer 5.0 returns a specific error code when a file does not exist, which allows remote malicious web sites to determine the existence of files on the client.

Current Votes:
   ACCEPT(1) Wall
   MODIFY(1) Frech
   NOOP(2) Cole, Foat

Voter Comments:
 Frech> XF:ie-mediaplayer-activex(7800)

======================================================
Name: CVE-1999-1112
Status: Candidate
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-1999-1112
Phase: Proposed (20010912)
Category: SF
Reference: BUGTRAQ:19991109 Irfan view 3.07 buffer overflow
Reference: URL:http://www.securityfocus.com/archive/1/34066
Reference: MISC:http://stud4.tuwien.ac.at/~e9227474/main2.html
Reference: XF:irfan-view32-bo(3549)
Reference: URL:http://xforce.iss.net/static/3549.php
Reference: BID:781
Reference: URL:http://www.securityfocus.com/bid/781

Buffer overflow in IrfanView32 3.07 and earlier allows attackers to execute arbitrary commands via a long string after the "8BPS" image type in a Photo Shop image header.

Current Votes:
   ACCEPT(1) Frech
   NOOP(3) Cole, Foat, Wall

======================================================
Name: CVE-1999-1113
Status: Candidate
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-1999-1113
Phase: Proposed (20010912)
Category: SF
Reference: BUGTRAQ:19980414 MacOS based buffer overflows...
Reference: URL:http://marc.theaimsgroup.com/?l=bugtraq&m=89258194718577&w=2
Reference: BID:75
Reference: URL:http://www.securityfocus.com/bid/75

Buffer overflow in Eudora Internet Mail Server (EIMS) 2.01 and earlier on MacOS systems allows remote attackers to cause a denial of service via a long USER command to port 106.

Current Votes:
   MODIFY(1) Frech
   NOOP(3) Cole, Foat, Wall

Voter Comments:
 Frech> XF:eudora-ims-user-dos(7300)

======================================================
Name: CVE-1999-1123
Status: Candidate
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-1999-1123
Phase: Proposed (20010912)
Category: CF
Reference: CERT:CA-1991-07
Reference: URL:http://www.cert.org/advisories/CA-1991-07.html
Reference: SUN:00107
Reference: URL:http://sunsolve.sun.com/pub-cgi/retrieve.pl?doctype=coll&doc=secbull/107&type=0&nav=sec.sba
Reference: BID:21
Reference: URL:http://www.securityfocus.com/bid/21
Reference: BID:22
Reference: URL:http://www.securityfocus.com/bid/22
Reference: XF:sun-sourcetapes(582)
Reference: URL:http://xforce.iss.net/static/582.php

The installation of Sun Source (sunsrc) tapes allows local users to gain root privileges via setuid root programs (1) makeinstall or (2) winstall.

Current Votes:
   ACCEPT(5) Cole, Dik, Foat, Frech, Stracener
   NOOP(1) Wall

Voter Comments:
 Dik> sun bug: 1059621

======================================================
Name: CVE-1999-1124
Status: Candidate
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-1999-1124
Phase: Proposed (20010912)
Category: SF
Reference: MISC:http://packetstorm.securify.com/mag/phrack/phrack54/P54-08

HTTP Client application in ColdFusion allows remote attackers to bypass access restrictions for web pages on other ports by providing the target page to the mainframeset.cfm application, which requests the page from the server, making it look like the request is coming from the local host.
Current Votes:
   ACCEPT(2) Cole, Wall
   NOOP(1) Foat

======================================================
Name: CVE-1999-1125
Status: Candidate
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-1999-1125
Phase: Proposed (20010912)
Category: SF
Reference: BUGTRAQ:19970919 Instresting practises of Oracle [Oracle Webserver]
Reference: URL:http://marc.theaimsgroup.com/?l=bugtraq&m=87602880019796&w=2

Oracle Webserver 2.1 and earlier runs setuid root, but the configuration file is owned by the oracle account, which allows any local or remote attacker who obtains access to the oracle account to gain privileges or modify arbitrary files by modifying the configuration file.

Current Votes:
   MODIFY(1) Frech
   NOOP(2) Cole, Foat

Voter Comments:
 Frech> XF:oracle-webserver-gain-root(7174)

======================================================
Name: CVE-1999-1126
Status: Candidate
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-1999-1126
Phase: Proposed (20010912)
Category: CF
Reference: CISCO:19980813 CRM Temporary File Vulnerability
Reference: URL:http://www.cisco.com/warp/public/770/crmtmp-pub.shtml
Reference: CIAC:I-086
Reference: URL:http://ciac.llnl.gov/ciac/bulletins/i-086.shtml
Reference: XF:cisco-crm-file-vuln(1575)
Reference: URL:http://xforce.iss.net/static/1575.php

Cisco Resource Manager (CRM) 1.1 and earlier creates certain files with insecure permissions that allow local users to obtain sensitive configuration information including usernames, passwords, and SNMP community strings, from (1) swim_swd.log, (2) swim_debug.log, (3) dbi_debug.log, and (4) temporary files whose names begin with "DPR_".
Current Votes:
   ACCEPT(5) Armstrong, Cole, Foat, Frech, Stracener
   NOOP(1) Wall
   REJECT(1) Balinsky

Voter Comments:
 Balinsky> Duplicate of CVE-1999-1042

======================================================
Name: CVE-1999-1128
Status: Candidate
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-1999-1128
Phase: Proposed (20010912)
Category: SF
Reference: MISC:http://oliver.efri.hr/~crv/security/bugs/NT/ie3.html
Reference: MISC:http://members.tripod.com/~unibyte/iebug3.htm

Internet Explorer 3.01 on Windows 95 allows remote malicious web sites to execute arbitrary commands via a .isp file, which is automatically downloaded and executed without prompting the user.

Current Votes:
   ACCEPT(1) Cole
   MODIFY(1) Frech
   NOOP(2) Christey, Foat

Voter Comments:
 Frech> XF:http-ie-exec(462)
 Christey> DELREF MISC:http://oliver.efri.hr/~crv/security/bugs/NT/ie3.html
   ADDREF MISC:http://focus.silversand.net/vulner/allbug/ie3.html

======================================================
Name: CVE-1999-1129
Status: Candidate
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-1999-1129
Phase: Proposed (20010912)
Category: SF
Reference: BUGTRAQ:19990901 VLAN Security
Reference: URL:http://www.securityfocus.com/archive/1/26008
Reference: MISC:http://www.cisco.com/univercd/cc/td/doc/product/lan/28201900/1928v8x/eescg8x/aleakyv.htm
Reference: XF:cisco-catalyst-vlan-frames(3294)
Reference: URL:http://xforce.iss.net/static/3294.php
Reference: BID:615
Reference: URL:http://www.securityfocus.com/bid/615

Cisco Catalyst 2900 Virtual LAN (VLAN) switches allow remote attackers to inject 802.1q frames into another VLAN by forging the VLAN identifier in the trunking tag.
Current Votes:
   ACCEPT(2) Foat, Frech
   NOOP(2) Cole, Wall

Voter Comments:
 CHANGE> [Foat changed vote from NOOP to ACCEPT]

======================================================
Name: CVE-1999-1130
Status: Candidate
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-1999-1130
Phase: Proposed (20010912)
Category: CF
Reference: BUGTRAQ:19990730 Netscape Enterprise Server yeilds source of JHTML
Reference: URL:http://marc.theaimsgroup.com/?l=bugtraq&m=93346448121208&w=2
Reference: NTBUGTRAQ:19990730 Netscape Enterprise Server yeilds source of JHTML
Reference: URL:http://marc.theaimsgroup.com/?l=ntbugtraq&m=93337389603117&w=2
Reference: BID:559
Reference: URL:http://www.securityfocus.com/bid/559

Default configuration of the search engine in Netscape Enterprise Server 3.5.1, and possibly other versions, allows remote attackers to read the source of JHTML files by specifying a search command using the HTML-tocrec-demo1.pat pattern file.

Current Votes:
   ACCEPT(1) Cole
   MODIFY(1) Frech
   NOOP(2) Foat, Wall

Voter Comments:
 Frech> XF:netscape-enterprise-view-jhtml(8352)

======================================================
Name: CVE-1999-1133
Status: Candidate
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-1999-1133
Phase: Modified (20020217-01)
Category: SF
Reference: HP:HPSBUX9709-069
Reference: URL:http://marc.theaimsgroup.com/?l=bugtraq&m=87602880019776&w=2
Reference: XF:hp-vue-dt(499)
Reference: URL:http://xforce.iss.net/static/499.php

HP-UX 9.x and 10.x running X windows may allow local attackers to gain privileges via (1) vuefile, (2) vuepad, (3) dtfile, or (4) dtpad, which do not authenticate users.
Current Votes:
   ACCEPT(4) Cole, Foat, Frech, Stracener
   NOOP(1) Christey

Voter Comments:
 Christey> CHANGEREF: change XF reference to XF:hp-vue-dt(499)

======================================================
Name: CVE-1999-1134
Status: Candidate
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-1999-1134
Phase: Modified (20020217-01)
Category: SF
Reference: HP:HPSBUX9404-008
Reference: URL:http://packetstorm.securify.com/advisories/hpalert/008
Reference: CIAC:E-23
Reference: URL:http://ciac.llnl.gov/ciac/bulletins/e-23.shtml
Reference: XF:hp-vue(2284)
Reference: URL:http://www.iss.net/security_center/static/2284.php

Vulnerability in Vue 3.0 in HP 9.x allows local users to gain root privileges, as fixed by PHSS_4038, PHSS_4055, and PHSS_4066.

Current Votes:
   ACCEPT(3) Cole, Foat, Stracener
   MODIFY(1) Frech

Voter Comments:
 Frech> XF:hp-vue(2284)
   Packetstorm URL is dead. Try another archive.

======================================================
Name: CVE-1999-1135
Status: Candidate
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-1999-1135
Phase: Proposed (20010912)
Category: SF
Reference: HP:HPSBUX9504-027
Reference: URL:http://packetstorm.securify.com/advisories/hpalert/027
Reference: XF:hp-vue(2284)
Reference: URL:http://xforce.iss.net/static/2284.php

Vulnerability in VUE 3.0 in HP 9.x allows local users to gain root privileges, as fixed by PHSS_4994 and PHSS_5438.
Current Votes:
   ACCEPT(4) Cole, Foat, Frech, Stracener

======================================================
Name: CVE-1999-1141
Status: Candidate
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-1999-1141
Phase: Proposed (20010912)
Category: SF
Reference: BUGTRAQ:19970515 MicroSolved finds hole in Ascom Timeplex Router Security
Reference: URL:http://marc.theaimsgroup.com/?l=bugtraq&m=87602167420981&w=2
Reference: XF:ascom-timeplex-debug(1824)
Reference: URL:http://xforce.iss.net/static/1824.php

Ascom Timeplex router allows remote attackers to obtain sensitive information or conduct unauthorized activities by entering debug mode through a sequence of CTRL-D characters.

Current Votes:
   ACCEPT(1) Frech
   NOOP(2) Cole, Foat

======================================================
Name: CVE-1999-1149
Status: Candidate
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-1999-1149
Phase: Proposed (20010912)
Category: SF
Reference: BUGTRAQ:19980716 S.A.F.E.R. Security Bulletin 980708.DOS.1.1
Reference: URL:http://marc.theaimsgroup.com/?l=bugtraq&m=90221104525993&w=2
Reference: XF:csm-proxy-dos(1422)
Reference: URL:http://xforce.iss.net/static/1422.php

Buffer overflow in CSM Proxy 4.1 allows remote attackers to cause a denial of service (crash) via a long string to the FTP port.

Current Votes:
   ACCEPT(2) Cole, Frech
   NOOP(2) Foat, Wall

======================================================
Name: CVE-1999-1150
Status: Candidate
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-1999-1150
Phase: Proposed (20010912)
Category: SF
Reference: BUGTRAQ:19980630 Livingston Portmaster - ISN generation is loosy!
Reference: URL:http://www.securityfocus.com/archive/1/9723
Reference: XF:portmaster-fixed-isn(1882)
Reference: URL:http://xforce.iss.net/static/1882.php

Livingston Portmaster routers running ComOS use the same initial sequence number (ISN) for TCP connections, which allows remote attackers to conduct spoofing and hijack TCP sessions.
Current Votes:
   ACCEPT(1) Frech
   NOOP(3) Cole, Foat, Wall

======================================================
Name: CVE-1999-1151
Status: Candidate
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-1999-1151
Phase: Proposed (20010912)
Category: SF
Reference: BUGTRAQ:19980603 Compaq/Microcom 6000 DoS + more
Reference: URL:http://marc.theaimsgroup.com/?l=bugtraq&m=90296493106214&w=2
Reference: XF:microcom-dos(2089)
Reference: URL:http://xforce.iss.net/static/2089.php

Compaq/Microcom 6000 Access Integrator does not cause a session timeout after prompting for a username or password, which allows remote attackers to cause a denial of service by connecting to the integrator without providing a username or password.

Current Votes:
   ACCEPT(2) Cole, Frech
   NOOP(2) Foat, Wall

======================================================
Name: CVE-1999-1152
Status: Candidate
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-1999-1152
Phase: Proposed (20010912)
Category: SF
Reference: BUGTRAQ:19980603 Compaq/Microcom 6000 DoS + more
Reference: URL:http://marc.theaimsgroup.com/?l=bugtraq&m=90296493106214&w=2

Compaq/Microcom 6000 Access Integrator does not disconnect a client after a certain number of failed login attempts, which allows remote attackers to guess usernames or passwords via a brute force attack.

Current Votes:
   MODIFY(1) Frech
   NOOP(3) Cole, Foat, Wall

Voter Comments:
 Frech> XF:microcom-brute-force(7301)

======================================================
Name: CVE-1999-1153
Status: Candidate
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-1999-1153
Phase: Proposed (20010912)
Category: SF
Reference: BUGTRAQ:19981109 Several new CGI vulnerabilities
Reference: URL:http://www.securityfocus.com/archive/1/11175
Reference: XF:cgi-perl-mail-programs(1400)
Reference: URL:http://xforce.iss.net/static/1400.php

HAMcards Postcard CGI script 1.0 allows remote attackers to execute arbitrary commands via shell metacharacters in the recipient email address.
Current Votes:
   ACCEPT(2) Cole, Frech
   NOOP(2) Foat, Wall

======================================================
Name: CVE-1999-1154
Status: Candidate
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-1999-1154
Phase: Proposed (20010912)
Category: SF
Reference: BUGTRAQ:19981109 Several new CGI vulnerabilities
Reference: URL:http://www.securityfocus.com/archive/1/11175
Reference: MISC:http://lakeweb.com/scripts/
Reference: XF:cgi-perl-mail-programs(1400)
Reference: URL:http://xforce.iss.net/static/1400.php

LakeWeb Filemail CGI script allows remote attackers to execute arbitrary commands via shell metacharacters in the recipient email address.

Current Votes:
   ACCEPT(2) Cole, Frech
   NOOP(3) Christey, Foat, Wall

Voter Comments:
 Christey> I confirmed this problem via visual inspection of the source code in
   http://www.lakeweb.com/scripts/filemail.zip
   Line 82 has an insufficient check for shell metacharacters that doesn't exclude semicolons. Line 129 is the call where the metacharacters are injected.
   Need to add "filemail.pl" to the description.

======================================================
Name: CVE-1999-1155
Status: Candidate
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-1999-1155
Phase: Proposed (20010912)
Category: SF
Reference: BUGTRAQ:19981109 Several new CGI vulnerabilities
Reference: URL:http://www.securityfocus.com/archive/1/11175
Reference: MISC:http://lakeweb.com/scripts/
Reference: XF:cgi-perl-mail-programs(1400)
Reference: URL:http://xforce.iss.net/static/1400.php

LakeWeb Mail List CGI script allows remote attackers to execute arbitrary commands via shell metacharacters in the recipient email address.
Current Votes:
   ACCEPT(2) Cole, Frech
   NOOP(2) Foat, Wall

======================================================
Name: CVE-1999-1158
Status: Candidate
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-1999-1158
Phase: Proposed (20010912)
Category: SF
Reference: AUSCERT:AA-97.09
Reference: URL:ftp://ftp.auscert.org.au/pub/auscert/advisory/AA-97.09.Solaris.passwd.buffer.overrun.vul
Reference: SUN:00139
Reference: URL:http://sunsolve.sun.com/pub-cgi/retrieve.pl?doctype=coll&doc=secbull/139&type=0&nav=sec.sba

Buffer overflow in (1) pluggable authentication module (PAM) on Solaris 2.5.1 and 2.5 and (2) unix_scheme in Solaris 2.4 and 2.3 allows local users to gain root privileges via programs that use these modules such as passwd, yppasswd, and nispasswd.

Current Votes:
   ACCEPT(4) Cole, Dik, Foat, Stracener
   MODIFY(1) Frech
   RECAST(1) Christey

Voter Comments:
 Frech> XF:solaris-pam-bo(7432)
 Dik> sun bug: 4018347
 Christey> These issues should be SPLIT per CD:SF-EXEC because the PAM problem appears in different Solaris versions than unix_scheme.

======================================================
Name: CVE-1999-1164
Status: Candidate
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-1999-1164
Phase: Proposed (20010912)
Category: SF
Reference: BUGTRAQ:19990625 Outlook denial of service
Reference: URL:http://marc.theaimsgroup.com/?l=bugtraq&m=93041631215856&w=2

Microsoft Outlook client allows remote attackers to cause a denial of service by sending multiple email messages with the same X-UIDL headers, which causes Outlook to hang.
Current Votes:
   ACCEPT(1) Wall
   MODIFY(1) Frech
   NOOP(2) Cole, Foat

Voter Comments:
 Frech> XF:outlook-xuidl-dos(8356)

======================================================
Name: CVE-1999-1165
Status: Candidate
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-1999-1165
Phase: Proposed (20010912)
Category: SF
Reference: BUGTRAQ:19990721 old gnu finger bugs
Reference: URL:http://marc.theaimsgroup.com/?l=bugtraq&m=93268249021561&w=2
Reference: BUGTRAQ:19950317 GNU finger 1.37 executes ~/.fingerrc with gid root
Reference: URL:http://www.securityfocus.com/archive/1/2478
Reference: BID:535
Reference: URL:http://www.securityfocus.com/bid/535

GNU fingerd 1.37 does not properly drop privileges before accessing user information, which could allow local users to (1) gain root privileges via a malicious program in the .fingerrc file, or (2) read arbitrary files via symbolic links from .plan, .forward, or .project files.

Current Votes:
   MODIFY(1) Frech
   NOOP(2) Cole, Foat

Voter Comments:
 Frech> XF:gnu-finger-privilege-dropping(7175)

======================================================
Name: CVE-1999-1166
Status: Candidate
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-1999-1166
Phase: Proposed (20010912)
Category: SF
Reference: BUGTRAQ:19990711 Linux 2.0.37 segment limit bug
Reference: URL:http://www.securityfocus.com/archive/1/18156
Reference: BID:523
Reference: URL:http://www.securityfocus.com/bid/523

Linux 2.0.37 does not properly encode the Custom segment limit, which allows local users to gain root privileges by accessing and modifying kernel memory.
Current Votes:
   MODIFY(1) Frech
   NOOP(3) Cole, Foat, Wall

Voter Comments:
 Frech> (Task 2253)
 CHANGE> [Frech changed vote from REVIEWING to MODIFY]
 Frech> XF:linux-segment-limit-privileges(11202)

======================================================
Name: CVE-1999-1168
Status: Candidate
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-1999-1168
Phase: Proposed (20010912)
Category: SF
Reference: BUGTRAQ:19990220 ISS install.iss security hole
Reference: URL:http://www.securityfocus.com/archive/1/12640

install.iss installation script for Internet Security Scanner (ISS) for Linux, version 5.3, allows local users to change the permissions of arbitrary files via a symlink attack on a temporary file.

Current Votes:
   MODIFY(1) Frech
   NOOP(3) Cole, Foat, Wall

Voter Comments:
 Frech> XF:iss-temp-files(1793)
   ADDREF:http://www.securityfocus.com/archive/1/12679

======================================================
Name: CVE-1999-1169
Status: Candidate
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-1999-1169
Phase: Proposed (20010912)
Category: SF
Reference: BUGTRAQ:19990204 NOBO denial of service
Reference: URL:http://www.securityfocus.com/archive/1/12284

nobo 1.2 allows remote attackers to cause a denial of service (crash) via a series of large UDP packets.
Current Votes:
   ACCEPT(1) Foat
   MODIFY(1) Frech
   NOOP(2) Cole, Wall

Voter Comments:
 Frech> XF:nobo-udp-packet-dos(7502)
   ADDREF:http://www.securityfocus.com/archive/1/12378
   ADDREF:http://web.cip.com.br/nobo/mudancas_en.html

======================================================
Name: CVE-1999-1170
Status: Candidate
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-1999-1170
Phase: Proposed (20010912)
Category: SF
Reference: NTBUGTRAQ:19990204 WS FTP Server Remote DoS Attack
Reference: URL:http://marc.theaimsgroup.com/?l=ntbugtraq&m=91816507920544&w=2
Reference: BID:218
Reference: URL:http://www.securityfocus.com/bid/218

IPswitch IMail allows local users to gain additional privileges and modify or add mail accounts by setting the "flags" registry key to 1920.

Current Votes:
   MODIFY(1) Frech
   NOOP(3) Cole, Foat, Wall

Voter Comments:
 Frech> XF:imail-registry(1725)

======================================================
Name: CVE-1999-1171
Status: Candidate
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-1999-1171
Phase: Proposed (20010912)
Category: SF
Reference: NTBUGTRAQ:19990204 WS FTP Server Remote DoS Attack
Reference: URL:http://marc.theaimsgroup.com/?l=ntbugtraq&m=91816507920544&w=2
Reference: BID:218
Reference: URL:http://www.securityfocus.com/bid/218

IPswitch WS_FTP allows local users to gain additional privileges and modify or add mail accounts by setting the "flags" registry key to 1920.
Current Votes:
   MODIFY(1) Frech
   NOOP(3) Cole, Foat, Wall

Voter Comments:
 Frech> XF:wsftp-registry(1726)

======================================================
Name: CVE-1999-1172
Status: Candidate
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-1999-1172
Phase: Proposed (20010912)
Category: SF
Reference: BUGTRAQ:19990114 security hole in Maximizer
Reference: URL:http://www.securityfocus.com/archive/1/11947

By design, Maximizer Enterprise 4 calendar and address book program allows arbitrary users to modify the calendar of other users when the calendar is being shared.

Current Votes:
   MODIFY(1) Frech
   NOOP(3) Cole, Foat, Wall
   REVIEWING(1) Christey

Voter Comments:
 Christey> The discloser does not provide enough details to fully understand what the problem is. This makes it difficult because if Maximizer has a concept of "users" and it is designed to allow any user to modify any other user's data, then this would not be a vulnerability or exposure, unless that "cross-user" capability could be used to violate system integrity, data confidentiality, or the like.
   There are some features of Maximizer 6.0 that, if abused, could allow someone to do some bad things. For example, an attacker could modify the email addresses for contacts to redirect sales to locations besides the customer. There's also a capability of assigning priorities and alarms, which could be susceptible to an "inconvenience attack" at the very least, as well as tie-ins to e-commerce capabilities.
   The critical question becomes: "how is this data shared" in the first place? If it's through a network share or other distribution method besides transferring the complete database between sites, then this may be accessible to any attacker who can mimic a Maximizer client (if there is such a thing as a client), and this could be a vulnerability or exposure according to the CVE definition.
   However, since the Maximizer functionality is unknown to me and not readily apparent from product documentation, it's hard to know what to do about this one.
 CHANGE> [Frech changed vote from REVIEWING to MODIFY]
 Frech> XF:maximizer-enterprise-calendar-modification(7590)

======================================================
Name: CVE-1999-1173
Status: Candidate
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-1999-1173
Phase: Proposed (20010912)
Category: SF
Reference: BUGTRAQ:19981218 wordperfect 8 for linux security
Reference: URL:http://marc.theaimsgroup.com/?l=bugtraq&m=91404045014047&w=2

Corel Word Perfect 8 for Linux creates a temporary working directory with world-writable permissions, which allows local users to (1) modify Word Perfect behavior by modifying files in the working directory, or (2) modify files of other users via a symlink attack.

Current Votes:
   NOOP(3) Cole, Foat, Wall

======================================================
Name: CVE-1999-1174
Status: Candidate
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-1999-1174
Phase: Proposed (20010912)
Category: SF
Reference: MISC:http://www.counterpane.com/crypto-gram-9812.html#doghouse

ZIP drive for Iomega ZIP-100 disks allows attackers with physical access to the drive to bypass password protection by inserting a known disk with a known password, waiting for the ZIP drive to power down, manually replacing the known disk with the target disk, and using the known password to access the target disk.
Current Votes:
   ACCEPT(1) Cole
   NOOP(2) Foat, Wall

======================================================
Name: CVE-1999-1176
Status: Candidate
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-1999-1176
Phase: Proposed (20010912)
Category: SF
Reference: BUGTRAQ:19980110 Cidentd
Reference: URL:http://marc.theaimsgroup.com/?l=bugtraq&m=88466930416716&w=2
Reference: BUGTRAQ:19980911 Re: security problems with jidentd
Reference: URL:http://marc.theaimsgroup.com/?l=bugtraq&m=90554230925545&w=2
Reference: MISC:http://spisa.act.uji.es/spi/progs/codigo/www.hack.co.za/exploits/daemon/ident/cidentd.c

Buffer overflow in cidentd ident daemon allows local users to gain root privileges via a long line in the .authlie script.

Current Votes:
   MODIFY(1) Frech
   NOOP(3) Cole, Foat, Wall

Voter Comments:
 Frech> XF:cidentd-authlie-bo(7327)

======================================================
Name: CVE-1999-1178
Status: Candidate
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-1999-1178
Phase: Proposed (20010912)
Category: SF
Reference: XF:sambar-dump-env(3223)
Reference: URL:http://xforce.iss.net/static/3223.php
Reference: BUGTRAQ:19980610 Sambar Server Beta BUG..
Reference: URL:http://www.securityfocus.com/archive/1/9505

Sambar Server 4.1 beta allows remote attackers to obtain sensitive information about the server via an HTTP request for the dumpenv.pl script.

Current Votes:
   ACCEPT(1) Frech
   NOOP(3) Cole, Foat, Wall

======================================================
Name: CVE-1999-1179
Status: Candidate
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-1999-1179
Phase: Proposed (20010912)
Category: SF
Reference: BUGTRAQ:19980515 May SysAdmin man.sh security hole
Reference: URL:http://www.securityfocus.com/archive/1/9330

Vulnerability in man.sh CGI script, included in May 1998 issue of SysAdmin Magazine, allows remote attackers to execute arbitrary commands.
Current Votes:
   MODIFY(1) Frech
   NOOP(3) Cole, Foat, Wall

Voter Comments:
 Frech> XF:mansh-execute-commands(7328)

======================================================
Name: CVE-1999-1180
Status: Candidate
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-1999-1180
Phase: Proposed (20010912)
Category: SF
Reference: MISC:http://oliver.efri.hr/~crv/security/bugs/NT/buffer.html
Reference: BUGTRAQ:19990216 Website Pro v2.0 (NT) Configuration Issues
Reference: URL:http://www.tryc.on.ca/archives/bugtraq/1999_1/0612.html

O'Reilly WebSite 1.1e and Website Pro 2.0 allows remote attackers to execute arbitrary commands via shell metacharacters in an argument to (1) args.cmd or (2) args.bat.

Current Votes:
   ACCEPT(1) Wall
   MODIFY(1) Frech
   NOOP(3) Christey, Cole, Foat

Voter Comments:
 Christey> DELREF MISC:http://oliver.efri.hr/~crv/security/bugs/NT/buffer.html
   ADDREF MISC:http://focus.silversand.net/vulner/allbug/buffer.html
 Frech> XF:website-pro-args-commands(7529)

======================================================
Name: CVE-1999-1182
Status: Candidate
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-1999-1182
Phase: Proposed (20010912)
Category: SF
Reference: BUGTRAQ:19970717 KSR[T] Advisory #2: ld.so
Reference: URL:http://marc.theaimsgroup.com/?l=bugtraq&m=87602661419318&w=2
Reference: BUGTRAQ:19970722 ld.so vulnerability
Reference: URL:http://marc.theaimsgroup.com/?l=bugtraq&m=87602661419351&w=2
Reference: BUGTRAQ:19980204 An old ld-linux.so hole
Reference: URL:http://marc.theaimsgroup.com/?l=bugtraq&m=88661732807795&w=2

Buffer overflow in run-time linkers (1) ld.so or (2) ld-linux.so for Linux systems allows local users to gain privileges by calling a setuid program with a long program name (argv[0]) and forcing ld.so/ld-linux.so to report an error.
Current Votes:
   NOOP(2) Cole, Foat

======================================================
Name: CVE-1999-1183
Status: Candidate
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-1999-1183
Phase: Modified (20060705)
Category: SF
Reference: SGI:19980403-02-PX
Reference: URL:ftp://patches.sgi.com/support/free/security/advisories/19980403-02-PX
Reference: SGI:19980403-01-PX
Reference: URL:ftp://patches.sgi.com/support/free/security/advisories/19980403-01-PX
Reference: OSVDB:8556
Reference: URL:http://www.osvdb.org/8556
Reference: XF:sgi-mailcap(809)
Reference: URL:http://www.iss.net/security_center/static/809.php

System Manager sysmgr GUI in SGI IRIX 6.4 and 6.3 allows remote attackers to execute commands by providing a trojan horse (1) runtask or (2) runexec descriptor file, which is used to execute a System Manager Task when the user's Mailcap entry supports the x-sgi-task or x-sgi-exec type.

Current Votes:
   ACCEPT(3) Cole, Foat, Stracener
   MODIFY(1) Frech

Voter Comments:
 Frech> XF:sgi-mailcap(809)

======================================================
Name: CVE-1999-1184
Status: Candidate
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-1999-1184
Phase: Proposed (20010912)
Category: SF
Reference: BUGTRAQ:19970513
Reference: URL:http://marc.theaimsgroup.com/?l=bugtraq&m=87602167420967&w=2
Reference: BUGTRAQ:19970514 Re: ELM overflow
Reference: URL:http://marc.theaimsgroup.com/?l=bugtraq&m=87602167420970&w=2

Buffer overflow in Elm 2.4 and earlier allows local users to gain privileges via a long TERM environmental variable.

Current Votes:
   MODIFY(1) Frech
   NOOP(2) Cole, Foat

Voter Comments:
 Frech> XF:elm-term-bo(7183)

======================================================
Name: CVE-1999-1185
Status: Candidate
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-1999-1185
Phase: Proposed (20010912)
Category: SF
Reference: BUGTRAQ:19980827 SCO mscreen vul.
Reference: BUGTRAQ:19980926 Root exploit for SCO OpenServer.
Reference: URL:http://marc.theaimsgroup.com/?l=bugtraq&m=90686250717719&w=2
Reference: CERT:VB-98.10
Reference: SCO:98.05
Reference: XF:sco-openserver-mscreen-bo(1379)

Buffer overflow in SCO mscreen allows local users to gain root privileges via a long terminal entry (TERM) in the .mscreenrc file.

Current Votes:
   ACCEPT(4) Cole, Foat, Frech, Stracener
   NOOP(1) Wall
   REVIEWING(1) Christey

Voter Comments:
 Frech> Possible dupe on CVE-1999-1041.
 Christey> Possible dupe with CVE-1999-1041.

======================================================
Name: CVE-1999-1186
Status: Candidate
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-1999-1186
Phase: Proposed (20010912)
Category: SF
Reference: BUGTRAQ:19960102 rxvt security hole
Reference: URL:http://marc.theaimsgroup.com/?l=bugtraq&m=87602167418966&w=2

rxvt, when compiled with the PRINT_PIPE option in various Linux operating systems including Linux Slackware 3.0 and RedHat 2.1, allows local users to gain root privileges by specifying a malicious program using the -print-pipe command line parameter.

Current Votes:
   MODIFY(1) Frech
   NOOP(2) Cole, Foat

Voter Comments:
 Frech> XF:rxvtpipe(425)

======================================================
Name: CVE-1999-1187
Status: Candidate
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-1999-1187
Phase: Proposed (20010912)
Category: SF
Reference: BUGTRAQ:19960826 [BUG] Vulnerability in PINE
Reference: URL:http://marc.theaimsgroup.com/?l=bugtraq&m=87602167419803&w=2
Reference: XF:pine-tmpfile(416)
Reference: URL:http://xforce.iss.net/static/416.php

Pine before version 3.94 allows local users to gain privileges via a symlink attack on a lockfile that is created when a user receives new mail.
Current Votes: ACCEPT(1) Frech NOOP(2) Cole, Foat Voter Comments: Frech> CONFIRM:http://www.washington.edu/pine/changes.html ====================================================== Name: CVE-1999-1190 Status: Candidate URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-1999-1190 Phase: Proposed (20010912) Category: SF Reference: MISC:http://www.securiteam.com/exploits/E-MailClub__FROM__remote_buffer_overflow.html Reference: BID:801 Reference: URL:http://www.securityfocus.com/bid/801 Buffer overflow in POP3 server of Admiral Systems EmailClub 1.05 allows remote attackers to execute arbitrary commands via a long "From" header in an e-mail message. Current Votes: MODIFY(1) Frech NOOP(3) Cole, Foat, Wall Voter Comments: Frech> XF:emailclub-pop3-from-bo(7873) ====================================================== Name: CVE-1999-1195 Status: Candidate URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-1999-1195 Phase: Proposed (20010912) Category: SF Reference: NTBUGTRAQ:19990505 NAI AntiVirus Update Problem Reference: URL:http://marc.theaimsgroup.com/?l=ntbugtraq&m=92587579032534&w=2 Reference: BUGTRAQ:19990505 NAI AntiVirus Update Problem Reference: URL:http://marc.theaimsgroup.com/?l=bugtraq&m=92588169005196&w=2 Reference: BID:169 Reference: URL:http://www.securityfocus.com/bid/169 NAI VirusScan NT 4.0.2 does not properly modify the scan.dat virus definition file during an update via FTP, but it reports that the update was successful, which could cause a system administrator to believe that the definitions have been updated correctly. Current Votes: MODIFY(1) Frech NOOP(3) Cole, Foat, Wall Voter Comments: Frech> XF:virusscan-ftp-update(8387) ====================================================== Name: CVE-1999-1196 Status: Candidate URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-1999-1196 Phase: Proposed (20010912) Category: SF Reference: BUGTRAQ:19990427 NT/Exceed D.O.S. 
Reference: URL:http://www.securityfocus.com/archive/1/13451 Reference: BID:158 Reference: URL:http://www.securityfocus.com/bid/158 Hummingbird Exceed X version 5 allows remote attackers to cause a denial of service via malformed data to port 6000. Current Votes: MODIFY(1) Frech NOOP(3) Cole, Foat, Wall Voter Comments: Frech> XF:exceed-xserver-dos(7530) ====================================================== Name: CVE-1999-1200 Status: Candidate URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-1999-1200 Phase: Proposed (20010912) Category: SF Reference: NTBUGTRAQ:19980720 DOS in Vintra systems Mailserver software. Reference: URL:http://marc.theaimsgroup.com/?l=ntbugtraq&m=90222454131610&w=2 Reference: XF:vintra-mail-dos(1617) Reference: URL:http://xforce.iss.net/static/1617.php Vintra SMTP MailServer allows remote attackers to cause a denial of service via a malformed "EXPN *@" command. Current Votes: ACCEPT(2) Cole, Frech NOOP(2) Foat, Wall ====================================================== Name: CVE-1999-1202 Status: Candidate URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-1999-1202 Phase: Proposed (20010912) Category: SF Reference: BUGTRAQ:19980703 Windows95 Proxy DoS Vulnerabilites Reference: URL:http://marc.theaimsgroup.com/?l=bugtraq&m=90221104525873&w=2 Reference: XF:startech-pop3-overflow(2088) Reference: URL:http://xforce.iss.net/static/2088.php StarTech (1) POP3 proxy server and (2) telnet server allows remote attackers to cause a denial of service via a long USER command. 
Current Votes: ACCEPT(1) Frech NOOP(3) Cole, Foat, Wall ====================================================== Name: CVE-1999-1206 Status: Candidate URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-1999-1206 Phase: Proposed (20010912) Category: SF Reference: BUGTRAQ:19990729 New ActiveX security problems in Windows 98 PCs Reference: URL:http://marc.theaimsgroup.com/?l=bugtraq&m=93336970231857&w=2 Reference: CONFIRM:http://www.systemsoft.com/l-2/l-3/support-systemwizard.htm Reference: BID:555 Reference: URL:http://www.securityfocus.com/bid/555 SystemSoft SystemWizard package in HP Pavilion PC with Windows 98, and possibly other platforms and operating systems, installs two ActiveX controls that are marked as safe for scripting, which allows remote attackers to execute arbitrary commands via a malicious web page that references (1) the Launch control, or (2) the RegObj control. Current Votes: ACCEPT(4) Armstrong, Cole, Foat, Stracener MODIFY(1) Frech NOOP(2) Christey, Wall Voter Comments: Frech> XF:systemwizard-modify-registry(7080) Christey> CERT-VN:VU#22919 URL:http://www.kb.cert.org/vuls/id/22919 CERT-VN:VU#34453 URL:http://www.kb.cert.org/vuls/id/34453 ====================================================== Name: CVE-1999-1207 Status: Candidate URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-1999-1207 Phase: Proposed (20010912) Category: SF Reference: MISC:http://www.efri.hr/~crv/security/bugs/NT/netxtray.html Reference: XF:netxray-bo(907) Reference: URL:http://xforce.iss.net/static/907.php Buffer overflow in web-admin tool in NetXRay 2.6 allows remote attackers to cause a denial of service, and possibly execute arbitrary commands, via a long HTTP request. 
Current Votes: ACCEPT(1) Frech NOOP(3) Cole, Foat, Wall ====================================================== Name: CVE-1999-1210 Status: Candidate URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-1999-1210 Phase: Proposed (20010912) Category: SF Reference: BUGTRAQ:19971112 Digital Unix Security Problem Reference: URL:http://marc.theaimsgroup.com/?l=bugtraq&m=87936891504885&w=2 Reference: XF:dec-xterm(613) Reference: URL:http://xforce.iss.net/static/613.php xterm in Digital UNIX 4.0B *with* patch kit 5 allows local users to overwrite arbitrary files via a symlink attack on a core dump file, which is created when xterm is called with a DISPLAY environmental variable set to a display that xterm cannot access. Current Votes: ACCEPT(1) Frech NOOP(2) Cole, Foat ====================================================== Name: CVE-1999-1211 Status: Candidate URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-1999-1211 Phase: Proposed (20010912) Category: SF Reference: CERT:CA-1991-02 Reference: URL:http://www.cert.org/advisories/CA-1991-02.html Reference: XF:sun-intelnetd(574) Reference: URL:http://xforce.iss.net/static/574.php Vulnerability in in.telnetd in SunOS 4.1.1 and earlier allows local users to gain root privileges. Current Votes: ACCEPT(5) Cole, Dik, Foat, Frech, Stracener NOOP(1) Wall Voter Comments: Frech> CONFIRM:Sun Microsystems, Inc. 
Security Bulletin #00106 at http://sunsolve.sun.com/pub-cgi/retrieve.pl?doctype=coll&doc=secbull/106&type=0&nav=sec.sba Dik> sun bug: 1054669 1049886 1042370 1033809 ====================================================== Name: CVE-1999-1212 Status: Candidate URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-1999-1212 Phase: Proposed (20010912) Category: SF Reference: CERT:CA-1991-02 Reference: URL:http://www.cert.org/advisories/CA-1991-02.html Reference: XF:sun-intelnetd(574) Reference: URL:http://xforce.iss.net/static/574.php Vulnerability in in.rlogind in SunOS 4.0.3 and 4.0.3c allows local users to gain root privileges. Current Votes: ACCEPT(5) Cole, Dik, Foat, Frech, Stracener NOOP(1) Wall Voter Comments: Dik> sun bug: 1054669 1049886 1042370 1033809 ====================================================== Name: CVE-1999-1213 Status: Candidate URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-1999-1213 Phase: Proposed (20010912) Category: SF Reference: HP:HPSBUX9710-070 Reference: URL:http://www2.dataguard.no/bugtraq/1997_4/0001.html Reference: XF:hp-telnetdos(571) Reference: URL:http://xforce.iss.net/static/571.php Vulnerability in telnet service in HP-UX 10.30 allows attackers to cause a denial of service. Current Votes: ACCEPT(4) Cole, Foat, Frech, Stracener ====================================================== Name: CVE-1999-1216 Status: Candidate URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-1999-1216 Phase: Proposed (20010912) Category: SF Reference: CERT:CA-1993-07 Reference: URL:http://www.cert.org/advisories/CA-1993-07.html Reference: CIAC:D-15 Reference: URL:http://ciac.llnl.gov/ciac/bulletins/d-15.shtml Reference: XF:cisco-sourceroute(541) Reference: URL:http://xforce.iss.net/static/541.php Cisco routers 9.17 and earlier allow remote attackers to bypass security restrictions via certain IP source routed packets that should normally be denied using the "no ip source-route" command. 
Current Votes: ACCEPT(4) Cole, Foat, Frech, Stracener NOOP(1) Wall ====================================================== Name: CVE-1999-1218 Status: Candidate URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-1999-1218 Phase: Proposed (20010912) Category: SF Reference: CERT:CA-1993-04 Reference: URL:http://www.cert.org/advisories/CA-1993-04.html Reference: XF:amiga-finger(522) Reference: URL:http://xforce.iss.net/static/522.php Vulnerability in finger in Commodore Amiga UNIX 2.1p2a and earlier allows local users to read arbitrary files. Current Votes: ACCEPT(4) Cole, Foat, Frech, Stracener NOOP(1) Wall ====================================================== Name: CVE-1999-1219 Status: Candidate URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-1999-1219 Phase: Proposed (20010912) Category: Reference: CERT:CA-1994-13 Reference: URL:http://www.cert.org/advisories/CA-1994-13.html Reference: AUSCERT:AA-94.04a Reference: CIAC:E-33 Reference: URL:http://ciac.llnl.gov/ciac/bulletins/e-33.shtml Reference: XF:sgi-prn-mgr(511) Reference: URL:http://xforce.iss.net/static/511.php Reference: BID:468 Reference: URL:http://www.securityfocus.com/bid/468 Vulnerability in sgihelp in the SGI help system and print manager in IRIX 5.2 and earlier allows local users to gain root privileges, possibly through the clogin command. 
Current Votes: ACCEPT(4) Cole, Foat, Frech, Stracener NOOP(1) Wall ====================================================== Name: CVE-1999-1220 Status: Candidate URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-1999-1220 Phase: Proposed (20010912) Category: SF Reference: BUGTRAQ:19970824 Vulnerability in Majordomo Reference: URL:http://www.securityfocus.com/archive/1/7527 Reference: XF:majordomo-advertise(502) Reference: URL:http://xforce.iss.net/static/502.php Majordomo 1.94.3 and earlier allows remote attackers to execute arbitrary commands when the advertise or noadvertise directive is used in a configuration file, via shell metacharacters in the Reply-To header. Current Votes: ACCEPT(1) Frech NOOP(2) Cole, Foat ====================================================== Name: CVE-1999-1221 Status: Candidate URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-1999-1221 Phase: Proposed (20010912) Category: SF Reference: BUGTRAQ:19961117 Digital Unix v3.x (v4.x?) security vulnerability Reference: URL:http://marc.theaimsgroup.com/?l=bugtraq&m=87602167420141&w=2 Reference: XF:dgux-chpwd(399) Reference: URL:http://xforce.iss.net/static/399.php dxchpwd in Digital Unix (OSF/1) 3.x allows local users to modify arbitrary files via a symlink attack on the dxchpwd.log file. 
Current Votes: ACCEPT(1) Frech NOOP(2) Cole, Foat ====================================================== Name: CVE-1999-1224 Status: Candidate URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-1999-1224 Phase: Proposed (20010912) Category: SF Reference: BUGTRAQ:19971008 L0pht Advisory: IMAP4rev1 imapd server Reference: URL:http://marc.theaimsgroup.com/?l=bugtraq&m=87635124302928&w=2 Reference: XF:imapd-core(349) Reference: URL:http://xforce.iss.net/static/349.php IMAP 4.1 BETA, and possibly other versions, does not properly handle the SIGABRT (abort) signal, which allows local users to crash the server (imapd) via certain sequences of commands, which causes a core dump that may contain sensitive password information. Current Votes: ACCEPT(1) Frech NOOP(2) Cole, Foat ====================================================== Name: CVE-1999-1225 Status: Candidate URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-1999-1225 Phase: Proposed (20010912) Category: SF Reference: BUGTRAQ:19970824 Serious security flaw in rpc.mountd on several operating systems. Reference: URL:http://www.securityfocus.com/archive/1/7526 Reference: XF:mountd-file-exists(347) Reference: URL:http://xforce.iss.net/static/347.php rpc.mountd on Linux, Ultrix, and possibly other operating systems, allows remote attackers to determine the existence of a file on the server by attempting to mount that file, which generates different error messages depending on whether the file exists or not. 
Current Votes: ACCEPT(1) Frech NOOP(2) Cole, Foat ====================================================== Name: CVE-1999-1227 Status: Candidate URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-1999-1227 Phase: Proposed (20010912) Category: SF Reference: MISC:http://www.ethereal.com/lists/ethereal-dev/199907/msg00126.html Reference: MISC:http://www.ethereal.com/lists/ethereal-dev/199907/msg00130.html Reference: XF:ethereal-dev-capturec-root(3334) Reference: URL:http://xforce.iss.net/static/3334.php Ethereal allows local users to overwrite arbitrary files via a symlink attack on the packet capture file. Current Votes: ACCEPT(2) Cole, Frech NOOP(2) Foat, Wall ====================================================== Name: CVE-1999-1228 Status: Candidate URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-1999-1228 Phase: Proposed (20010912) Category: SF Reference: BUGTRAQ:19980927 1+2=3, +++ATH0=Old school DoS Reference: URL:http://marc.theaimsgroup.com/?l=bugtraq&m=90695973308453&w=2 Reference: MISC:http://www.macintouch.com/modemsecurity.html Reference: XF:global-village-modem-dos(3320) Reference: URL:http://xforce.iss.net/static/3320.php Various modems that do not implement a guard time, or are configured with a guard time of 0, can allow remote attackers to execute arbitrary modem commands such as ATH, ATH0, etc., via a "+++" sequence that appears in ICMP packets, the subject of an e-mail message, IRC commands, and others. 
Current Votes: ACCEPT(1) Frech NOOP(3) Cole, Foat, Wall ====================================================== Name: CVE-1999-1229 Status: Candidate URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-1999-1229 Phase: Proposed (20010912) Category: SF Reference: BUGTRAQ:19980225 Quake 2 Linux 3.13 (and lower) allow users to read arbitrary files Reference: URL:http://www.securityfocus.com/archive/1/8590 Reference: XF:linux-quake2(733) Reference: URL:http://xforce.iss.net/static/733.php Quake 2 server 3.13 on Linux does not properly check file permissions for the config.cfg configuration file, which allows local users to read arbitrary files via a symlink from config.cfg to the target file. Current Votes: ACCEPT(1) Frech NOOP(3) Cole, Foat, Wall ====================================================== Name: CVE-1999-1230 Status: Candidate URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-1999-1230 Phase: Proposed (20010912) Category: SF Reference: BUGTRAQ:19971224 Quake II Remote Denial of Service Reference: URL:http://www.securityfocus.com/archive/1/8282 Reference: XF:quake2-dos(698) Reference: URL:http://xforce.iss.net/static/698.php Quake 2 server allows remote attackers to cause a denial of service via a spoofed UDP packet with a source address of 127.0.0.1, which causes the server to attempt to connect to itself. 
Current Votes: ACCEPT(1) Frech NOOP(2) Cole, Foat ====================================================== Name: CVE-1999-1231 Status: Candidate URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-1999-1231 Phase: Proposed (20010912) Category: SF Reference: BUGTRAQ:19990609 ssh advirsory Reference: URL:http://www.securityfocus.com/archive/1/14758 Reference: XF:ssh-leak(2276) Reference: URL:http://xforce.iss.net/static/2276.php ssh 2.0.12, and possibly other versions, allows valid user names to attempt to enter the correct password multiple times, but only prompts an invalid user name for a password once, which allows remote attackers to determine user account names on the server. Current Votes: ACCEPT(1) Frech NOOP(3) Cole, Foat, Wall ====================================================== Name: CVE-1999-1232 Status: Candidate URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-1999-1232 Phase: Modified (20060503) Category: SF Reference: BUGTRAQ:19970516 Irix and WWW Reference: URL:http://marc.theaimsgroup.com/?l=bugtraq&m=87602167420994&w=2 Reference: OSVDB:8559 Reference: URL:http://www.osvdb.org/8559 Reference: XF:sgi-day5datacopier(3316) Reference: URL:http://xforce.iss.net/static/3316.php Untrusted search path vulnerability in day5datacopier in SGI IRIX 6.2 allows local users to execute arbitrary commands via a modified PATH environment variable that points to a malicious cp program. 
Current Votes: ACCEPT(1) Frech NOOP(2) Cole, Foat ====================================================== Name: CVE-1999-1234 Status: Candidate URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-1999-1234 Phase: Proposed (20010912) Category: SF Reference: BUGTRAQ:19991026 Re: LSA vulnerability on NT40 SP5 Reference: URL:http://marc.theaimsgroup.com/?l=ntbugtraq&m=94096671308565&w=2 Reference: XF:msrpc-samr-open-dos(3293) Reference: URL:http://xforce.iss.net/static/3293.php LSA (LSASS.EXE) in Windows NT 4.0 allows remote attackers to cause a denial of service via a NULL policy handle in a call to (1) SamrOpenDomain, (2) SamrEnumDomainUsers, and (3) SamrQueryDomainInfo. Current Votes: ACCEPT(3) Cole, Frech, Wall NOOP(1) Foat ====================================================== Name: CVE-1999-1235 Status: Candidate URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-1999-1235 Phase: Proposed (20010912) Category: SF Reference: NTBUGTRAQ:19990331 Minor Bug in IE5.0 Reference: URL:http://ntbugtraq.ntadvice.com/default.asp?pid=36&sid=1&A2=ind9904&L=NTBUGTRAQ&P=R179 Reference: NTBUGTRAQ:19990825 IE5 FTP password exposure & index.dat null ACL problem Reference: URL:http://packetderm.cotse.com/mailing-lists/ntbugtraq/1999/0364.html Reference: XF:nt-ie5-user-ftp-password(3289) Reference: URL:http://xforce.iss.net/static/3289.php Internet Explorer 5.0 records the username and password for FTP servers in the URL history, which could allow (1) local users to read the information from another user's index.dat, or (2) people who are physically observing ("shoulder surfing") another user to read the information from the status bar when the user moves the mouse over a link. 
Current Votes: ACCEPT(4) Cole, Foat, Frech, Wall Voter Comments: CHANGE> [Foat changed vote from NOOP to ACCEPT] ====================================================== Name: CVE-1999-1236 Status: Candidate URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-1999-1236 Phase: Proposed (20010912) Category: SF Reference: NTBUGTRAQ:19991001 Vulnerabilities in the Internet Anywhere Mail Server Reference: URL:http://www.ntbugtraq.com/default.asp?pid=36&sid=1&A2=ind9910&L=ntbugtraq&F=&S=&P=662 Reference: BID:731 Reference: URL:http://www.securityfocus.com/bid/731 Reference: XF:iams-passwords-plaintext(3285) Reference: URL:http://xforce.iss.net/static/3285.php Internet Anywhere Mail Server 2.3.1 stores passwords in plaintext in the msgboxes.dbf file, which could allow local users to gain privileges by extracting the passwords from msgboxes.dbf. Current Votes: ACCEPT(2) Cole, Frech NOOP(2) Foat, Wall ====================================================== Name: CVE-1999-1237 Status: Candidate URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-1999-1237 Phase: Proposed (20010912) Category: SF Reference: BUGTRAQ:19990606 Buffer overflows in smbval library Reference: URL:http://www.securityfocus.com/archive/1/14384 Reference: XF:smbvalid-bo(2272) Reference: URL:http://xforce.iss.net/static/2272.php Multiple buffer overflows in smbvalid/smbval SMB authentication library, as used in Apache::AuthenSmb and possibly other modules, allow remote attackers to execute arbitrary commands via (1) a long username, (2) a long password, and (3) other unspecified methods. 
Current Votes: ACCEPT(1) Frech NOOP(3) Cole, Foat, Wall ====================================================== Name: CVE-1999-1238 Status: Candidate URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-1999-1238 Phase: Proposed (20010912) Category: SF Reference: HP:HPSBUX9409-017 Reference: URL:http://www.securityfocus.com/advisories/1531 Reference: XF:hp-core-diag-fileset(2262) Reference: URL:http://xforce.iss.net/static/2262.php Vulnerability in CORE-DIAG fileset in HP message catalog in HP-UX 9.05 and earlier allows local users to gain privileges. Current Votes: ACCEPT(4) Cole, Foat, Frech, Stracener ====================================================== Name: CVE-1999-1239 Status: Candidate URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-1999-1239 Phase: Proposed (20010912) Category: SF Reference: HP:HPSBUX9407-015 Reference: URL:http://www.securityfocus.com/advisories/1559 Reference: XF:hp-xauthority(2261) Reference: URL:http://xforce.iss.net/static/2261.php HP-UX 9.x does not properly enable the Xauthority mechanism in certain conditions, which could allow local users to access the X display even when they have not explicitly been authorized to do so. Current Votes: ACCEPT(4) Cole, Foat, Frech, Stracener ====================================================== Name: CVE-1999-1240 Status: Candidate URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-1999-1240 Phase: Proposed (20010912) Category: SF Reference: BUGTRAQ:19961126 Major Security Vulnerabilities in Remote CD Databases Reference: URL:http://www.securityfocus.com/archive/1/5784 Reference: XF:cddbd-bo(2203) Reference: URL:http://xforce.iss.net/static/2203.php Buffer overflow in cddbd CD database server allows remote attackers to execute arbitrary commands via a long log message. 
Current Votes: ACCEPT(1) Frech NOOP(2) Cole, Foat ====================================================== Name: CVE-1999-1241 Status: Candidate URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-1999-1241 Phase: Proposed (20010912) Category: SF Reference: MISC:http://oliver.efri.hr/~crv/security/bugs/NT/activex4.html Reference: XF:ie-filesystemobject(2173) Reference: URL:http://xforce.iss.net/static/2173.php Internet Explorer, with a security setting below Medium, allows remote attackers to execute arbitrary commands via a malicious web page that uses the FileSystemObject ActiveX object. Current Votes: ACCEPT(3) Cole, Frech, Wall NOOP(2) Christey, Foat Voter Comments: Christey> DELREF MISC:http://oliver.efri.hr/~crv/security/bugs/NT/activex4.html ADDREF MISC:http://focus.silversand.net/vulner/allbug/activex4.html Frech> Change MISC to http://www.securitybugware.org/NT/1018.html ====================================================== Name: CVE-1999-1242 Status: Candidate URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-1999-1242 Phase: Proposed (20010912) Category: SF Reference: HP:HPSBUX9402-003 Reference: URL:http://packetstormsecurity.org/advisories/hpalert/003 Reference: XF:hp-subnet-config(2162) Reference: URL:http://xforce.iss.net/static/2162.php Vulnerability in subnetconfig in HP-UX 9.01 and 9.0 allows local users to gain privileges. Current Votes: ACCEPT(4) Cole, Foat, Frech, Stracener ====================================================== Name: CVE-1999-1244 Status: Candidate URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-1999-1244 Phase: Proposed (20010912) Category: SF Reference: BUGTRAQ:19990415 FSA-99.04-IPFILTER-v3.2.10 Reference: URL:http://www.securityfocus.com/archive/1/13303 Reference: XF:ipfilter-temp-file(2087) Reference: URL:http://xforce.iss.net/static/2087.php IPFilter 3.2.3 through 3.2.10 allows local users to modify arbitrary files via a symlink attack on the saved output file. 
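Editor's added example for the symlink-attack entries in this section (CVE-1999-1187 Pine lockfile, CVE-1999-1210 xterm core dump, CVE-1999-1221 dxchpwd.log, CVE-1999-1227 Ethereal capture file, CVE-1999-1244 IPFilter saved output). It is not code from any of those programs or advisories. It constructs the common scenario in a scratch directory: a privileged program writes a predictably named file into a directory a local attacker can also write to, and the attacker has pre-planted that name as a symlink to a file they may not touch. The file names and contents are constructed; the fix shown is the standard O_CREAT|O_EXCL (plus O_NOFOLLOW where the platform has it) or mkstemp().

```python
import os
import tempfile

# Constructed victim contents; any file the attacker cannot write will do.
VICTIM_CONTENT = b"original contents of a file the attacker may not write\n"


def plant_symlink(workdir):
    """Attacker step: create the program's output name as a symlink."""
    victim = os.path.join(workdir, "victim.txt")
    with open(victim, "wb") as f:
        f.write(VICTIM_CONTENT)
    output = os.path.join(workdir, "output.log")   # name the program will use
    os.symlink(victim, output)
    return victim, output


def victim_intact(victim):
    with open(victim, "rb") as f:
        return f.read() == VICTIM_CONTENT


def vulnerable_write(workdir):
    """open(path, 'w') is O_WRONLY|O_CREAT|O_TRUNC with no O_EXCL: it follows
    the planted link and truncates whatever it points at. Returns True if
    the victim file was clobbered."""
    victim, output = plant_symlink(workdir)
    with open(output, "w") as f:
        f.write("program output\n")
    return not victim_intact(victim)


def hardened_write(workdir):
    """O_CREAT|O_EXCL fails with EEXIST if the name already exists, symlink
    included (POSIX guarantees this regardless of the link target);
    O_NOFOLLOW additionally refuses to traverse a link at the final path
    component. Returns (refused, victim_intact)."""
    victim, output = plant_symlink(workdir)
    flags = os.O_WRONLY | os.O_CREAT | os.O_EXCL | getattr(os, "O_NOFOLLOW", 0)
    try:
        fd = os.open(output, flags, 0o600)
    except OSError:                      # EEXIST or ELOOP: do not write, report it
        return True, victim_intact(victim)
    try:
        os.write(fd, b"program output\n")
    finally:
        os.close(fd)
    return False, victim_intact(victim)


def safe_tempfile_write(workdir):
    """When the name need not be predictable, mkstemp() picks a random name
    and opens it O_EXCL, leaving nothing for the attacker to plant."""
    fd, path = tempfile.mkstemp(prefix="output-", dir=workdir)
    try:
        os.write(fd, b"program output\n")
    finally:
        os.close(fd)
    return (not os.path.islink(path)) and os.path.basename(path).startswith("output-")


def demo():
    results = {}
    with tempfile.TemporaryDirectory() as d:
        results["vulnerable_clobbered"] = vulnerable_write(d)
    with tempfile.TemporaryDirectory() as d:
        results["hardened_refused"], results["hardened_victim_intact"] = hardened_write(d)
    with tempfile.TemporaryDirectory() as d:
        results["tempfile_ok"] = safe_tempfile_write(d)
    return results


if __name__ == "__main__":
    print(demo())
```

Two caveats a practitioner will want: refusing on EEXIST is only safe if the program then stops or picks a new random name rather than unlinking and retrying (the attacker can win that race too), and core dumps (the xterm entry) are written by the kernel, so the program-side fix is to disable them for setuid binaries rather than to open them carefully.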
Current Votes: ACCEPT(2) Cole, Frech NOOP(2) Foat, Wall ====================================================== Name: CVE-1999-1245 Status: Candidate URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-1999-1245 Phase: Proposed (20010912) Category: SF Reference: XF:ucd-snmpd-community(2086) Reference: URL:http://xforce.iss.net/static/2086.php vacm ucd-snmp SNMP server, version 3.52, does not properly disable access to the public community string, which could allow remote attackers to obtain sensitive information. Current Votes: ACCEPT(1) Frech NOOP(3) Cole, Foat, Wall Voter Comments: Frech> http://www.securityfocus.com/archive/1/13130 ====================================================== Name: CVE-1999-1247 Status: Candidate URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-1999-1247 Phase: Proposed (20010912) Category: SF Reference: HP:HPSBUX9402-006 Reference: URL:http://packetstormsecurity.org/advisories/hpalert/006 Reference: XF:hp-dce9000(2061) Reference: URL:http://xforce.iss.net/static/2061.php Vulnerability in HP Camera component of HP DCE/9000 in HP-UX 9.x allows attackers to gain root privileges. Current Votes: ACCEPT(4) Cole, Foat, Frech, Stracener ====================================================== Name: CVE-1999-1248 Status: Candidate URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-1999-1248 Phase: Proposed (20010912) Category: SF Reference: HP:HPSBUX9411-019 Reference: URL:http://packetstormsecurity.org/advisories/hpalert/019 Reference: XF:hp-supportwatch(2058) Reference: URL:http://xforce.iss.net/static/2058.php Vulnerability in Support Watch (aka SupportWatch) in HP-UX 8.0 through 9.0 allows local users to gain privileges. 
Current Votes: ACCEPT(4) Cole, Foat, Frech, Stracener ====================================================== Name: CVE-1999-1250 Status: Candidate URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-1999-1250 Phase: Proposed (20010912) Category: SF Reference: BUGTRAQ:19970819 Lasso CGI security hole (fwd) Reference: URL:http://www.securityfocus.com/archive/1/7506 Reference: XF:http-cgi-lasso(2044) Reference: URL:http://xforce.iss.net/static/2044.php Vulnerability in CGI program in the Lasso application by Blue World, as used on WebSTAR and other servers, allows remote attackers to read arbitrary files. Current Votes: ACCEPT(1) Frech NOOP(2) Cole, Foat ====================================================== Name: CVE-1999-1251 Status: Candidate URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-1999-1251 Phase: Proposed (20010912) Category: SF Reference: HP:HPSBUX9612-043 Reference: URL:http://packetstormsecurity.org/advisories/hpalert/043 Reference: XF:hp-audio-panic(2010) Reference: URL:http://xforce.iss.net/static/2010.php Vulnerability in direct audio user space code on HP-UX 10.20 and 10.10 allows local users to cause a denial of service. Current Votes: ACCEPT(4) Cole, Foat, Frech, Stracener ====================================================== Name: CVE-1999-1252 Status: Candidate URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-1999-1252 Phase: Proposed (20010912) Category: Reference: CERT:VB-96.15 Reference: URL:http://www.cert.org/vendor_bulletins/VB-96.15.sco Reference: SCO:96:002 Reference: URL:ftp://ftp.sco.COM/SSE/security_bulletins/SB.96:02a Reference: XF:sco-system-call(1966) Reference: URL:http://xforce.iss.net/static/1966.php Vulnerability in a certain system call in SCO UnixWare 2.0.x and 2.1.0 allows local users to access arbitrary files and gain root privileges. 
Current Votes: ACCEPT(4) Cole, Foat, Frech, Stracener NOOP(1) Wall ====================================================== Name: CVE-1999-1253 Status: Candidate URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-1999-1253 Phase: Proposed (20010912) Category: Reference: CERT:VB-96.10 Reference: URL:http://www.cert.org/vendor_bulletins/VB-96.10.sco Reference: SCO:96:001 Reference: URL:ftp://ftp.sco.com/SSE/security_bulletins/SB.96:01a Reference: XF:sco-kernel(1965) Reference: URL:http://xforce.iss.net/static/1965.php Vulnerability in a kernel error handling routine in SCO OpenServer 5.0.2 and earlier, and SCO Internet FastStart 1.0, allows local users to gain root privileges. Current Votes: ACCEPT(4) Cole, Foat, Frech, Stracener NOOP(1) Wall ====================================================== Name: CVE-1999-1254 Status: Candidate URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-1999-1254 Phase: Proposed (20010912) Category: SF Reference: NTBUGTRAQ:19990308 Winfreeze EXPLOIT Win9x/NT Reference: URL:http://marc.theaimsgroup.com/?l=ntbugtraq&m=92099515709467&w=2 Reference: XF:win-redirects-freeze(1947) Reference: URL:http://xforce.iss.net/static/1947.php Windows 95, 98, and NT 4.0 allow remote attackers to cause a denial of service by spoofing ICMP redirect messages from a router, which causes Windows to change its routing tables. Current Votes: ACCEPT(3) Cole, Frech, Wall MODIFY(1) Meunier NOOP(2) Christey, Foat Voter Comments: Christey> Need to get feedback from MS on this. Christey> (prompted from Pascal Meunier) should this be treated as a general design issue with ICMP? Or is it a specific implementation flaw that only affects Reliant? Meunier> The description is too narrow and incorrect. Spoofed ICMP redirect messages can be used to set up man-in-the-middle attacks instead of a DoS. There's no reason that this behavior would be limited to Windows, as it is specified by the standard. 
As I said elsewhere, ICMP messages should not be acted upon without access controls.

======================================================
Name: CVE-1999-1255
Status: Candidate
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-1999-1255
Phase: Proposed (20010912)
Category:
Reference: MISC:http://www.rootshell.com/archive-j457nxiqi3gq59dv/199902/hyperseek.txt.html
Reference: XF:hyperseek-modify(1914)
Reference: URL:http://xforce.iss.net/static/1914.php

Hyperseek allows remote attackers to modify the hyperseek configuration by directly calling the admin.cgi program with an edit_file action parameter.

Current Votes:
   ACCEPT(2) Cole, Frech
   NOOP(2) Foat, Wall

======================================================
Name: CVE-1999-1256
Status: Candidate
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-1999-1256
Phase: Proposed (20010912)
Category: SF
Reference: BUGTRAQ:19990304 Oracle Plaintext Password
Reference: URL:http://www.securityfocus.com/archive/1/12744
Reference: NTBUGTRAQ:19990304 Oracle Plaintext Password
Reference: URL:http://marc.theaimsgroup.com/?l=ntbugtraq&m=92056752115116&w=2
Reference: XF:oracle-passwords(1902)
Reference: URL:http://xforce.iss.net/static/1902.php

Oracle Database Assistant 1.0 in Oracle 8.0.3 Enterprise Edition stores the database master password in plaintext in the spoolmain.log file when a new database is created, which allows local users to obtain the password from that file.

Current Votes:
   ACCEPT(2) Cole, Frech
   NOOP(2) Foat, Wall

======================================================
Name: CVE-1999-1257
Status: Candidate
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-1999-1257
Phase: Proposed (20010912)
Category: SF
Reference: BUGTRAQ:19971126 Xyplex terminal server bug
Reference: URL:http://www.securityfocus.com/archive/1/8134
Reference: XF:xyplex-controlz-login(1825)
Reference: URL:http://xforce.iss.net/static/1825.php
Reference: XF:xyplex-question-login(1826)
Reference: URL:http://xforce.iss.net/static/1826.php

Xyplex terminal server 6.0.1S1, and possibly other versions, allows remote attackers to bypass the password prompt by entering (1) a CTRL-Z character, or (2) a ? (question mark).

Current Votes:
   ACCEPT(1) Frech
   NOOP(2) Cole, Foat

======================================================
Name: CVE-1999-1260
Status: Candidate
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-1999-1260
Phase: Proposed (20010912)
Category: SF
Reference: BUGTRAQ:19990215 KSR[T] Advisory #10: mSQL ServerStats
Reference: URL:http://marc.theaimsgroup.com/?l=bugtraq&m=91910115718150&w=2
Reference: XF:msql-serverstats(1777)
Reference: URL:http://xforce.iss.net/static/1777.php

mSQL (Mini SQL) 2.0.6 allows remote attackers to obtain sensitive server information such as logged users, database names, and server version via the ServerStats query.

Current Votes:
   ACCEPT(1) Frech
   NOOP(3) Cole, Foat, Wall

======================================================
Name: CVE-1999-1261
Status: Candidate
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-1999-1261
Phase: Proposed (20010912)
Category: SF
Reference: BUGTRAQ:19990211 Rainbow Six Buffer Overflow.....
Reference: URL:http://www.securityfocus.com/archive/1/12433
Reference: XF:rainbowsix-nick-bo(1772)
Reference: URL:http://xforce.iss.net/static/1772.php

Buffer overflow in Rainbow Six Multiplayer allows remote attackers to cause a denial of service, and possibly execute arbitrary commands, via a long nickname (nick) command.

Current Votes:
   ACCEPT(1) Frech
   NOOP(3) Cole, Foat, Wall

======================================================
Name: CVE-1999-1264
Status: Candidate
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-1999-1264
Phase: Proposed (20010912)
Category: SF
Reference: BUGTRAQ:19990121 WebRamp M3 remote network access bug
Reference: URL:http://www.securityfocus.com/archive/1/12048
Reference: BUGTRAQ:19990203 WebRamp M3 Perceived Bug
Reference: URL:http://marc.theaimsgroup.com/?l=bugtraq&m=91815321510224&w=2
Reference: XF:webramp-remote-access(1670)
Reference: URL:http://xforce.iss.net/static/1670.php

WebRamp M3 router does not disable remote telnet or HTTP access to itself, even when access has been explicitly disabled.

Current Votes:
   ACCEPT(1) Frech
   NOOP(3) Cole, Foat, Wall

======================================================
Name: CVE-1999-1265
Status: Candidate
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-1999-1265
Phase: Proposed (20010912)
Category: SF
Reference: BUGTRAQ:19980922 Re: WARNING! SMTP Denial of Service in SLmail ver 3.1
Reference: BUGTRAQ:19980922 WARNING! SMTP Denial of Service in SLmail ver 3.1
Reference: URL:http://marc.theaimsgroup.com/?l=bugtraq&m=90649892424117&w=2
Reference: NTBUGTRAQ:19980922 WARNING! SMTP Denial of Service in SLmail ver 3.1
Reference: URL:http://marc.theaimsgroup.com/?l=ntbugtraq&m=90650438826447&w=2
Reference: XF:slmail-parens-overload(1664)
Reference: URL:http://xforce.iss.net/static/1664.php

SMTP server in SLmail 3.1 and earlier allows remote attackers to cause a denial of service via malformed commands whose arguments begin with a "(" (parenthesis) character, such as (1) SEND, (2) VRFY, (3) EXPN, (4) MAIL FROM, (5) RCPT TO.

Current Votes:
   ACCEPT(3) Cole, Foat, Frech
   NOOP(1) Wall

======================================================
Name: CVE-1999-1266
Status: Candidate
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-1999-1266
Phase: Proposed (20010912)
Category: SF
Reference: BUGTRAQ:19970613 rshd gives away usernames
Reference: URL:http://www.securityfocus.com/archive/1/6978
Reference: XF:rsh-username-leaks(1660)
Reference: URL:http://xforce.iss.net/static/1660.php

rsh daemon (rshd) generates different error messages when a valid username is provided versus an invalid name, which allows remote attackers to determine valid users on the system.

Current Votes:
   ACCEPT(1) Frech
   NOOP(2) Cole, Foat

======================================================
Name: CVE-1999-1267
Status: Candidate
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-1999-1267
Phase: Proposed (20010912)
Category: SF
Reference: BUGTRAQ:19970505 Hole in the KDE desktop
Reference: URL:http://marc.theaimsgroup.com/?l=bugtraq&m=87602167420906&w=2
Reference: XF:kde-flawed-ipc(1646)
Reference: URL:http://xforce.iss.net/static/1646.php

KDE file manager (kfm) uses a TCP server for certain file operations, which allows remote attackers to modify arbitrary files by sending a copy command to the server.

Current Votes:
   ACCEPT(1) Frech
   NOOP(2) Cole, Foat

======================================================
Name: CVE-1999-1268
Status: Candidate
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-1999-1268
Phase: Proposed (20010912)
Category: SF
Reference: MISC:http://lists.kde.org/?l=kde-devel&m=91560433413263&w=2
Reference: XF:kde-konsole-hijack(1645)
Reference: URL:http://xforce.iss.net/static/1645.php

Vulnerability in KDE konsole allows local users to hijack or observe sessions of other users by accessing certain devices.

Current Votes:
   ACCEPT(1) Frech
   NOOP(3) Cole, Foat, Wall

======================================================
Name: CVE-1999-1269
Status: Candidate
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-1999-1269
Phase: Proposed (20010912)
Category: SF
Reference: BUGTRAQ:19980206 serious security hole in KDE Beta 3
Reference: URL:http://www.securityfocus.com/archive/1/8506
Reference: XF:kde-kss-file-clobber(1641)
Reference: URL:http://xforce.iss.net/static/1641.php

Screen savers in KDE beta 3 allow local users to overwrite arbitrary files via a symlink attack on the .kss.pid file.

Current Votes:
   ACCEPT(1) Frech
   NOOP(3) Cole, Foat, Wall

======================================================
Name: CVE-1999-1270
Status: Candidate
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-1999-1270
Phase: Proposed (20010912)
Category: SF
Reference: MISC:http://lists.kde.org/?l=kde-devel&m=90221974029738&w=2
Reference: XF:kde-kmail-passphrase-leak(1639)
Reference: URL:http://xforce.iss.net/static/1639.php

KMail in KDE 1.0 provides a PGP passphrase as a command line argument to other programs, which could allow local users to obtain the passphrase and compromise the PGP keys of other users by viewing the arguments via programs that list process information, such as ps.

Current Votes:
   ACCEPT(1) Frech
   NOOP(3) Cole, Foat, Wall

======================================================
Name: CVE-1999-1271
Status: Candidate
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-1999-1271
Phase: Proposed (20010912)
Category: SF
Reference: BUGTRAQ:19980611 Unsecure passwords in Macromedia Dreamweaver
Reference: URL:http://www.securityfocus.com/archive/1/9511
Reference: XF:dreamweaver-weak-passwords(1636)
Reference: URL:http://xforce.iss.net/static/1636.php

Macromedia Dreamweaver uses weak encryption to store FTP passwords, which could allow local users to easily decrypt the passwords of other users.

Current Votes:
   ACCEPT(2) Cole, Frech
   NOOP(2) Foat, Wall

======================================================
Name: CVE-1999-1272
Status: Candidate
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-1999-1272
Phase: Proposed (20010912)
Category: SF
Reference: SGI:19980301-01-PX
Reference: URL:ftp://patches.sgi.com/support/free/security/advisories/19980301-01-PX
Reference: XF:irix-cdrom-confidence(1635)
Reference: URL:http://xforce.iss.net/static/1635.php

Buffer overflows in CDROM Confidence Test program (cdrom) allow local users to gain root privileges.

Current Votes:
   ACCEPT(4) Cole, Foat, Frech, Stracener

======================================================
Name: CVE-1999-1273
Status: Candidate
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-1999-1273
Phase: Proposed (20010912)
Category: SF
Reference: BUGTRAQ:19980220 Simple way to bypass squid ACLs
Reference: URL:http://www.securityfocus.com/archive/1/8551
Reference: XF:squid-regexp-acl(1627)
Reference: URL:http://xforce.iss.net/static/1627.php

Squid Internet Object Cache 1.1.20 allows users to bypass access control lists (ACLs) by encoding the URL with hexadecimal escape sequences.

Current Votes:
   ACCEPT(2) Cole, Frech
   NOOP(2) Foat, Wall

======================================================
Name: CVE-1999-1274
Status: Candidate
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-1999-1274
Phase: Proposed (20010912)
Category: SF
Reference: BUGTRAQ:19971229 iPass RoamServer 3.1
Reference: URL:http://www.securityfocus.com/archive/1/8307
Reference: XF:ipass-temporary-files(1625)
Reference: URL:http://xforce.iss.net/static/1625.php

iPass RoamServer 3.1 creates temporary files with world-writable permissions.

Current Votes:
   ACCEPT(1) Frech
   NOOP(2) Cole, Foat

======================================================
Name: CVE-1999-1275
Status: Candidate
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-1999-1275
Phase: Proposed (20010912)
Category: SF
Reference: BUGTRAQ:19970908 Password unsecurity in cc:Mail release 8
Reference: URL:http://www.securityfocus.com/archive/1/9478
Reference: XF:lotus-ccmail-passwords(1619)
Reference: URL:http://xforce.iss.net/static/1619.php

Lotus cc:Mail release 8 stores the postoffice password in plaintext in a hidden file which has insecure permissions, which allows local users to gain privileges.

Current Votes:
   ACCEPT(1) Frech
   NOOP(2) Cole, Foat

======================================================
Name: CVE-1999-1277
Status: Candidate
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-1999-1277
Phase: Proposed (20010912)
Category: SF
Reference: NTBUGTRAQ:19981224 BackWeb - Password issue (used by NAI for Corporate customer notification).
Reference: URL:http://marc.theaimsgroup.com/?l=ntbugtraq&m=91487886514546&w=2
Reference: XF:backweb-cleartext-passwords(1565)
Reference: URL:http://xforce.iss.net/static/1565.php

BackWeb client stores the username and password in cleartext for proxy authentication in the Communication registry key, which could allow other local users to gain privileges by reading the password.

Current Votes:
   ACCEPT(1) Frech
   NOOP(3) Cole, Foat, Wall

======================================================
Name: CVE-1999-1278
Status: Candidate
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-1999-1278
Phase: Proposed (20010912)
Category: SF
Reference: BUGTRAQ:19981225 Re: Nlog v1.0 Released - Nmap 2.x log management / analyzing tool
Reference: URL:http://marc.theaimsgroup.com/?l=bugtraq&m=91470326629357&w=2
Reference: BUGTRAQ:19981226 Nlog 1.1b released - security holes fixed
Reference: URL:http://marc.theaimsgroup.com/?l=bugtraq&m=91471400632145&w=2
Reference: XF:http-cgi-nlog-netbios(1550)
Reference: URL:http://xforce.iss.net/static/1550.php
Reference: XF:http-cgi-nlog-metachars(1549)

nlog CGI scripts do not properly filter shell metacharacters from the IP address argument, which could allow remote attackers to execute certain commands via (1) nlog-smb.pl or (2) rpc-nlog.pl.

Current Votes:
   ACCEPT(3) Cole, Foat, Frech
   NOOP(1) Wall

======================================================
Name: CVE-1999-1280
Status: Candidate
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-1999-1280
Phase: Proposed (20010912)
Category: SF
Reference: BUGTRAQ:19981203 Remote Tools w/Exceed v.6.0.1.0 fer 95
Reference: URL:http://www.securityfocus.com/archive/1/11512
Reference: XF:exceed-cleartext-passwords(1547)
Reference: URL:http://xforce.iss.net/static/1547.php

Hummingbird Exceed 6.0.1.0 inadvertently includes a DLL that was meant for development and testing, which logs user names and passwords in cleartext in the test.log file.

Current Votes:
   ACCEPT(1) Frech
   NOOP(3) Cole, Foat, Wall

======================================================
Name: CVE-1999-1281
Status: Candidate
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-1999-1281
Phase: Proposed (20010912)
Category: SF
Reference: BUGTRAQ:19981226 Breeze Network Server remote reboot and other bogosity.
Reference: URL:http://www.securityfocus.com/archive/1/11720
Reference: XF:breeze-remote-reboot(1544)
Reference: URL:http://xforce.iss.net/static/1544.php

Development version of Breeze Network Server allows remote attackers to cause the system to reboot by accessing the configbreeze CGI program.

Current Votes:
   ACCEPT(2) Cole, Frech
   NOOP(2) Foat, Wall

Voter Comments:
 Frech> There have been no followups to indicate that this issue has been resolved in the production version, and as a benefit to the doubt, this issue transcends EX-BETA until proven otherwise.

======================================================
Name: CVE-1999-1282
Status: Candidate
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-1999-1282
Phase: Proposed (20010912)
Category: SF
Reference: BUGTRAQ:19981210 RealSystem passwords
Reference: URL:http://www.securityfocus.com/archive/1/11543
Reference: XF:realsystem-readable-conf-file(1542)
Reference: URL:http://xforce.iss.net/static/1542.php

RealSystem G2 server stores the administrator password in cleartext in a world-readable configuration file, which allows local users to gain privileges.

Current Votes:
   ACCEPT(2) Cole, Frech
   NOOP(2) Foat, Wall

======================================================
Name: CVE-1999-1283
Status: Candidate
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-1999-1283
Phase: Proposed (20010912)
Category: SF
Reference: BUGTRAQ:19980814 URL exploit to crash Opera Browser
Reference: URL:http://www.securityfocus.com/archive/1/10320
Reference: XF:opera-slash-crash(1541)
Reference: URL:http://xforce.iss.net/static/1541.php

Opera 3.2.1 allows remote attackers to cause a denial of service (application crash) via a URL that contains an extra / in the http:// tag.

Current Votes:
   ACCEPT(2) Cole, Frech
   NOOP(2) Foat, Wall

Voter Comments:
 Frech> Will go along with a REJECT if MITRE decides on EX-CLIENT-DOS.

======================================================
Name: CVE-1999-1285
Status: Candidate
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-1999-1285
Phase: Proposed (20010912)
Category: SF
Reference: BUGTRAQ:19981227 [patch] fix for urandom read(2) not interruptible
Reference: URL:http://marc.theaimsgroup.com/?l=bugtraq&m=91495921611500&w=2
Reference: XF:linux-random-read-dos(1472)
Reference: URL:http://xforce.iss.net/static/1472.php

Linux 2.1.132 and earlier allows local users to cause a denial of service (resource exhaustion) by reading a large buffer from a random device (e.g. /dev/urandom), which cannot be interrupted until the read has completed.

Current Votes:
   ACCEPT(2) Cole, Frech
   NOOP(2) Foat, Wall

======================================================
Name: CVE-1999-1286
Status: Candidate
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-1999-1286
Phase: Modified (20060623)
Category: SF
Reference: BUGTRAQ:19970509 Re: Irix: misc
Reference: URL:http://marc.theaimsgroup.com/?l=bugtraq&m=87602167420927&w=2
Reference: MISC:ftp://patches.sgi.com/support/free/security/advisories/19961203-02-PX
Reference: BID:330
Reference: URL:http://www.securityfocus.com/bid/330
Reference: OSVDB:8560
Reference: URL:http://www.osvdb.org/8560
Reference: XF:irix-addnetpr(1433)
Reference: URL:http://xforce.iss.net/static/1433.php

addnetpr in SGI IRIX 6.2 and earlier allows local users to modify arbitrary files and possibly gain root access via a symlink attack on a temporary file.

Current Votes:
   ACCEPT(1) Frech
   NOOP(3) Christey, Cole, Foat

Voter Comments:
 Christey> CHANGE DESC: "via a symlink attack on the printers temporary file."
   Add 5.3 as another affected version.
   MISC:ftp://patches.sgi.com/support/free/security/advisories/19961203-02-PX
   SGI:19961203-02-PX may solve this problem, but the advisory is so vague that it is uncertain whether this was fixed or not. addnetpr is not specifically named in the advisory, which names netprint, which is not specified in the original Bugtraq post. In addition, the date on the advisory is one day earlier than that of the Bugtraq post, though that could be a difference in time zones. It seems plausible that the problem had already been patched (the researcher did say "There *was* [a] race condition") so maybe SGI released this advisory after the problem was publicized.
   ADDREF BID:330 URL:http://www.securityfocus.com/bid/330
   Note: this is a dupe of CVE-1999-1410, but CVE-1999-1410 will be rejected in favor of CVE-1999-1286.

======================================================
Name: CVE-1999-1287
Status: Candidate
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-1999-1287
Phase: Proposed (20010912)
Category: SF
Reference: CONFIRM:http://www.statslab.cam.ac.uk/~sret1/analog/security.html
Reference: XF:analog-remote-file(1410)
Reference: URL:http://xforce.iss.net/static/1410.php

Vulnerability in Analog 3.0 and earlier allows remote attackers to read arbitrary files via the forms interface.

Current Votes:
   ACCEPT(4) Armstrong, Cole, Frech, Stracener
   NOOP(2) Foat, Wall

Voter Comments:
 CHANGE> [Foat changed vote from ACCEPT to NOOP]

======================================================
Name: CVE-1999-1289
Status: Candidate
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-1999-1289
Phase: Proposed (20010912)
Category: SF
Reference: BUGTRAQ:19981111 WARNING: Another ICQ IP address vulnerability
Reference: URL:http://www.securityfocus.com/archive/1/11233
Reference: XF:icq-ip-info(1398)
Reference: URL:http://xforce.iss.net/static/1398.php

ICQ 98 beta on Windows NT leaks the internal IP address of a client in the TCP data segment of an ICQ packet instead of the public address (e.g. through NAT), which provides remote attackers with potentially sensitive information about the client or the internal network configuration.

Current Votes:
   ACCEPT(3) Cole, Frech, Wall
   NOOP(1) Foat

Voter Comments:
 Frech> Override EX-BETA in this case, since ICQ is always in beta and is widely run in production environments.

======================================================
Name: CVE-1999-1291
Status: Candidate
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-1999-1291
Phase: Proposed (20010912)
Category: SF
Reference: BUGTRAQ:19981005 New Windows Vulnerability
Reference: URL:http://www.securityfocus.com/archive/1/10789
Reference: XF:nt-brkill(1383)
Reference: URL:http://xforce.iss.net/static/1383.php

TCP/IP implementation in Microsoft Windows 95, Windows NT 4.0, and possibly others, allows remote attackers to reset connections by forcing a reset (RST) via a PSH ACK or other means, obtaining the target's last sequence number from the resulting packet, then spoofing a reset to the target.

Current Votes:
   ACCEPT(3) Cole, Frech, Wall
   NOOP(2) Christey, Foat

Voter Comments:
 Christey> Need to get feedback from MS on this.

======================================================
Name: CVE-1999-1292
Status: Candidate
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-1999-1292
Phase: Proposed (20010912)
Category: SF
Reference: ISS:19980901 Remote Buffer Overflow in the Kolban Webcam32 Program
Reference: URL:http://xforce.iss.net/alerts/advise7.php
Reference: XF:webcam32-buffer-overflow(1366)
Reference: URL:http://xforce.iss.net/static/1366.php

Buffer overflow in web administration feature of Kolban Webcam32 4.8.3 and earlier allows remote attackers to execute arbitrary commands via a long URL.

Current Votes:
   ACCEPT(1) Frech
   NOOP(3) Cole, Foat, Wall

======================================================
Name: CVE-1999-1293
Status: Candidate
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-1999-1293
Phase: Proposed (20010912)
Category: SF
Reference: BUGTRAQ:19980106 Apache security advisory
Reference: URL:http://marc.theaimsgroup.com/?l=bugtraq&m=88413292830649&w=2
Reference: CONFIRM:http://www.apache.org/info/security_bulletin_1.2.5.html

mod_proxy in Apache 1.2.5 and earlier allows remote attackers to cause a denial of service via malformed FTP commands, which causes Apache to dump core.

Current Votes:
   ACCEPT(3) Armstrong, Cole, Stracener
   MODIFY(1) Frech
   NOOP(2) Foat, Wall

Voter Comments:
 Frech> XF:apache-mod-proxy-dos(7249)
   CONFIRM reference no longer seems to exist. BugTraq message seems to be a confirmation/advisory, however.
 CHANGE> [Foat changed vote from ACCEPT to NOOP]

======================================================
Name: CVE-1999-1295
Status: Candidate
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-1999-1295
Phase: Modified (20020218-01)
Category: SF
Reference: CERT:VB-96.16
Reference: URL:http://www.cert.org/vendor_bulletins/VB-96.16.transarc
Reference: XF:dfs-login-groups(7154)
Reference: URL:http://xforce.iss.net/static/7154.php

Transarc DCE Distributed File System (DFS) 1.1 for Solaris 2.4 and 2.5 does not properly initialize the grouplist for users who belong to a large number of groups, which could allow those users to gain access to resources that are protected by DFS.

Current Votes:
   ACCEPT(3) Cole, Foat, Stracener
   MODIFY(1) Frech
   NOOP(1) Wall

Voter Comments:
 Frech> XF:dfs-login-groups(7154)

======================================================
Name: CVE-1999-1296
Status: Candidate
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-1999-1296
Phase: Proposed (20010912)
Category:
Reference: BUGTRAQ:19970429 vulnerabilities in kerberos
Reference: URL:http://marc.theaimsgroup.com/?l=bugtraq&m=87602167420878&w=2

Buffer overflow in Kerberos IV compatibility libraries as used in Kerberos V allows local users to gain root privileges via a long line in a kerberos configuration file, which can be specified via the KRB_CONF environmental variable.

Current Votes:
   MODIFY(1) Frech
   NOOP(2) Cole, Foat

Voter Comments:
 Frech> XF:kerberos-config-file-bo(7184)

======================================================
Name: CVE-1999-1299
Status: Candidate
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-1999-1299
Phase: Proposed (20010912)
Category: SF
Reference: BUGTRAQ:19970203 Linux rcp bug
Reference: URL:http://marc.theaimsgroup.com/?l=bugtraq&m=87602167420509&w=2

rcp on various Linux systems including Red Hat 4.0 allows a "nobody" user or other user with UID of 65535 to overwrite arbitrary files, since 65535 is interpreted as -1 by chown and other system calls, which causes the calls to fail to modify the ownership of the file.

Current Votes:
   MODIFY(1) Frech
   NOOP(2) Cole, Foat

Voter Comments:
 Frech> XF:rcp-nobody-file-overwrite(7187)

======================================================
Name: CVE-1999-1300
Status: Candidate
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-1999-1300
Phase: Proposed (20010912)
Category: SF
Reference: CIAC:B-31
Reference: URL:http://ciac.llnl.gov/ciac/bulletins/b-31.shtml

Vulnerability in accton in Cray UNICOS 6.1 and 6.0 allows local users to read arbitrary files and modify system accounting configuration.

Current Votes:
   ACCEPT(4) Armstrong, Cole, Foat, Stracener
   MODIFY(1) Frech
   NOOP(1) Wall

Voter Comments:
 Frech> XF:unicos-accton-read-files(7210)

======================================================
Name: CVE-1999-1302
Status: Candidate
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-1999-1302
Phase: Modified (20070105)
Category: SF
Reference: CERT:VB-94:01
Reference: URL:http://ftp.cerias.purdue.edu/pub/advisories/cert/cert_bulletins/VB-94:01.sco
Reference: CIAC:F-05
Reference: URL:http://ciac.llnl.gov/ciac/bulletins/f-05.shtml
Reference: SCO:94:001
Reference: URL:http://ciac.llnl.gov/ciac/bulletins/f-05.shtml
Reference: OSVDB:8797
Reference: URL:http://www.osvdb.org/8797
Reference: XF:sco-pt_chmod(7586)
Reference: URL:http://xforce.iss.net/xforce/xfdb/7586

Unspecified vulnerability in pt_chmod in SCO UNIX 4.2 and earlier allows local users to gain root access.

Current Votes:
   ACCEPT(3) Cole, Foat, Stracener
   MODIFY(1) Frech

Voter Comments:
 Frech> XF:sco-pt_chmod(7586)

======================================================
Name: CVE-1999-1303
Status: Candidate
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-1999-1303
Phase: Proposed (20010912)
Category: SF
Reference: CIAC:F-05
Reference: URL:http://ciac.llnl.gov/ciac/bulletins/f-05.shtml
Reference: SCO:94:001
Reference: URL:http://ciac.llnl.gov/ciac/bulletins/f-05.shtml

Vulnerability in prwarn in SCO UNIX 4.2 and earlier allows local users to gain root access.

Current Votes:
   ACCEPT(3) Cole, Foat, Stracener
   MODIFY(1) Frech

Voter Comments:
 Frech> XF:sco-prwarn(7587)

======================================================
Name: CVE-1999-1304
Status: Candidate
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-1999-1304
Phase: Proposed (20010912)
Category: SF
Reference: CIAC:F-05
Reference: URL:http://ciac.llnl.gov/ciac/bulletins/f-05.shtml
Reference: SCO:94:001
Reference: URL:http://ciac.llnl.gov/ciac/bulletins/f-05.shtml

Vulnerability in login in SCO UNIX 4.2 and earlier allows local users to gain root access.

Current Votes:
   ACCEPT(3) Cole, Foat, Stracener
   MODIFY(1) Frech

Voter Comments:
 Frech> XF:sco-login(7588)

======================================================
Name: CVE-1999-1305
Status: Candidate
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-1999-1305
Phase: Proposed (20010912)
Category: SF
Reference: CIAC:F-05
Reference: URL:http://ciac.llnl.gov/ciac/bulletins/f-05.shtml
Reference: SCO:94:001
Reference: URL:http://ciac.llnl.gov/ciac/bulletins/f-05.shtml

Vulnerability in "at" program in SCO UNIX 4.2 and earlier allows local users to gain root access.

Current Votes:
   ACCEPT(3) Cole, Foat, Stracener
   MODIFY(1) Frech

Voter Comments:
 Frech> XF:sco-at(7589)

======================================================
Name: CVE-1999-1306
Status: Candidate
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-1999-1306
Phase: Proposed (20010912)
Category:
Reference: CERT:CA-1992-20
Reference: URL:http://www.cert.org/advisories/CA-1992-20.html

Cisco IOS 9.1 and earlier does not properly handle extended IP access lists when the IP route cache is enabled and the "established" keyword is set, which could allow attackers to bypass filters.

Current Votes:
   ACCEPT(3) Cole, Foat, Stracener
   MODIFY(1) Frech
   NOOP(1) Wall
   REVIEWING(1) Christey

Voter Comments:
 Frech> XF:cisco-acl-established(1248)
   Possibly duplicate with CVE-1999-0162?
 Christey> Might be a duplicate of CVE-1999-0162, but CVE-1999-0162 was released in 1995, whereas this bug was released in 1992.

======================================================
Name: CVE-1999-1307
Status: Candidate
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-1999-1307
Phase: Proposed (20010912)
Category: unknown
Reference: BUGTRAQ:19941209 Novell security advisory on sadc, urestore and the suid_exec feature
Reference: URL:http://www.dataguard.no/bugtraq/1994_4/0676.html
Reference: CIAC:F-06
Reference: URL:http://ciac.llnl.gov/ciac/bulletins/f-06.shtml

Vulnerability in urestore in Novell UnixWare 1.1 allows local users to gain root privileges.

Current Votes:
   ACCEPT(4) Armstrong, Cole, Foat, Stracener
   MODIFY(1) Frech
   NOOP(1) Wall

Voter Comments:
 Frech> XF:novell-unixware-urestore-root(7211)

======================================================
Name: CVE-1999-1308
Status: Candidate
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-1999-1308
Phase: Modified (20020218-01)
Category: SF
Reference: HP:HPSBUX9611-041
Reference: URL:http://ciac.llnl.gov/ciac/bulletins/h-91.shtml
Reference: CIAC:H-09
Reference: URL:http://ciac.llnl.gov/ciac/bulletins/h-09.shtml
Reference: CIAC:H-91
Reference: URL:http://ciac.llnl.gov/ciac/bulletins/h-91.shtml
Reference: XF:hp-large-uid-gid(7594)
Reference: URL:http://www.iss.net/security_center/static/7594.php

Certain programs in HP-UX 10.20 do not properly handle large user IDs (UID) or group IDs (GID) over 60000, which could allow local users to gain privileges.

Current Votes:
   ACCEPT(3) Cole, Foat, Stracener
   MODIFY(1) Frech

Voter Comments:
 Frech> XF:hp-large-uid-gid(7594)

======================================================
Name: CVE-1999-1310
Status: Candidate
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-1999-1310
Phase: Modified (20050204)
Category:

** REJECT ** DO NOT USE THIS CANDIDATE NUMBER. ConsultIDs: CVE-1999-1022. Reason: This candidate is a duplicate of CVE-1999-1022. Notes: All CVE users should reference CVE-1999-1022 instead of this candidate. All references and descriptions in this candidate have been removed to prevent accidental usage.

Current Votes:
   ACCEPT(3) Cole, Foat, Stracener
   REJECT(2) Christey, Frech

Voter Comments:
 Frech> DUPE CVE-1999-1022
 Christey> As noted by Andre Frech, this is a duplicate of CVE-1999-1022. The references from this candidate will be added to CVE-1999-1022.

======================================================
Name: CVE-1999-1311
Status: Candidate
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-1999-1311
Phase: Proposed (20010912)
Category: SF
Reference: HP:HPSBUX9701-046
Reference: URL:http://ciac.llnl.gov/ciac/bulletins/h-21.shtml
Reference: CIAC:H-21
Reference: URL:http://ciac.llnl.gov/ciac/bulletins/h-21.shtml

Vulnerability in dtlogin and dtsession in HP-UX 10.20 and 10.10 allows local users to bypass authentication and gain privileges.

Current Votes:
   ACCEPT(3) Cole, Foat, Stracener
   MODIFY(1) Frech

Voter Comments:
 Frech> XF:hp-dt-bypass-auth(7668)
   ACKNOWLEDGED-BY-VENDOR

======================================================
Name: CVE-1999-1312
Status: Candidate
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-1999-1312
Phase: Modified (20020218-01)
Category: SF
Reference: CERT:CA-1993-05
Reference: URL:http://www.cert.org/advisories/CA-1993-05.html
Reference: XF:openvms-local-privilege-elevation(7142)
Reference: URL:http://xforce.iss.net/static/7142.php

Vulnerability in DEC OpenVMS VAX 5.5-2 through 5.0, and OpenVMS AXP 1.0, allows local users to gain system privileges.

Current Votes:
   ACCEPT(3) Cole, Foat, Stracener
   MODIFY(1) Frech
   NOOP(1) Wall

Voter Comments:
 Frech> XF:openvms-local-privilege-elevation(7142)

======================================================
Name: CVE-1999-1313
Status: Candidate
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-1999-1313
Phase: Modified (20020218-01)
Category: SF
Reference: CIAC:G-24
Reference: URL:http://ciac.llnl.gov/ciac/bulletins/g-24.shtml
Reference: FREEBSD:FreeBSD-SA-96:11
Reference: URL:ftp://ftp.FreeBSD.org/pub/FreeBSD/CERT/advisories/old/FreeBSD-SA-96:11.man.asc
Reference: XF:bsd-man-command-sequence(7348)
Reference: URL:http://xforce.iss.net/static/7348.php

Manual page reader (man) in FreeBSD 2.2 and earlier allows local users to gain privileges via a sequence of commands.

Current Votes:
   ACCEPT(3) Cole, Foat, Stracener
   MODIFY(1) Frech

Voter Comments:
 Frech> XF:bsd-man-command-sequence(7348)

======================================================
Name: CVE-1999-1314
Status: Candidate
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-1999-1314
Phase: Modified (20020218-01)
Category: SF
Reference: CIAC:G-24
Reference: URL:http://ciac.llnl.gov/ciac/bulletins/g-24.shtml
Reference: FREEBSD:FreeBSD-SA-96:10
Reference: URL:ftp://ftp.FreeBSD.org/pub/FreeBSD/CERT/advisories/old/FreeBSD-SA-96:10.mount_union.asc
Reference: XF:unionfs-mount-ordering(7429)
Reference: URL:http://www.iss.net/security_center/static/7429.php

Vulnerability in union file system in FreeBSD 2.2 and earlier, and possibly other operating systems, allows local users to cause a denial of service (system reload) via a series of certain mount_union commands.

Current Votes:
   ACCEPT(3) Cole, Foat, Stracener
   MODIFY(1) Frech

Voter Comments:
 Frech> XF:unionfs-mount-ordering(7429)

======================================================
Name: CVE-1999-1315
Status: Candidate
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-1999-1315
Phase: Proposed (20010912)
Category: SF
Reference: CIAC:F-04
Reference: URL:http://ciac.llnl.gov/ciac/bulletins/f-04.shtml

Vulnerabilities in DECnet/OSI for OpenVMS before 5.8 on DEC Alpha AXP and VAX/VMS systems allow local users to gain privileges or cause a denial of service.

Current Votes:
   ACCEPT(4) Armstrong, Cole, Foat, Stracener
   MODIFY(1) Frech
   NOOP(1) Wall

Voter Comments:
 Frech> XF:openvms-decnetosi-gain-privileges(7212)

======================================================
Name: CVE-1999-1319
Status: Candidate
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-1999-1319
Phase: Modified (20020218-01)
Category: SF
Reference: SGI:19960101-01-PX
Reference: URL:ftp://patches.sgi.com/support/free/security/advisories/19960101-01-PX
Reference: XF:irix-object-server(7430)
Reference: URL:http://www.iss.net/security_center/static/7430.php

Vulnerability in object server program in SGI IRIX 5.2 through 6.1 allows remote attackers to gain root privileges in certain configurations.

Current Votes:
   ACCEPT(3) Cole, Foat, Stracener
   MODIFY(1) Frech

Voter Comments:
 Frech> XF:irix-object-server(7430)

======================================================
Name: CVE-1999-1322
Status: Candidate
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-1999-1322
Phase: Proposed (20010912)
Category: SF
Reference: NTBUGTRAQ:19981112 exchverify.log
Reference: URL:http://marc.theaimsgroup.com/?l=ntbugtraq&m=91096758513985&w=2
Reference: NTBUGTRAQ:19981117 Re: exchverify.log - update #1
Reference: URL:http://marc.theaimsgroup.com/?l=ntbugtraq&m=91133714919229&w=2
Reference: NTBUGTRAQ:19981125 Re: exchverify.log - update #2
Reference: NTBUGTRAQ:19981216 Arcserve Exchange Client security issue being fixed
Reference: NTBUGTRAQ:19990305 Cheyenne InocuLAN for Exchange plain text password still there
Reference: NTBUGTRAQ:19990426 ArcServe Exchange Client Security Issue still unresolved

The installation of 1ArcServe Backup and Inoculan AV client modules for Exchange creates a log file, exchverify.log, which contains usernames and passwords in plaintext.

Current Votes:
   NOOP(3) Cole, Foat, Wall

======================================================
Name: CVE-1999-1323
Status: Candidate
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-1999-1323
Phase: Proposed (20010912)
Category: SF
Reference: NTBUGTRAQ:19990409 NAV for MS Exchange & Internet Email Gateways
Reference: URL:http://marc.theaimsgroup.com/?l=ntbugtraq&m=92370067416739&w=2

Norton AntiVirus for Internet Email Gateways (NAVIEG) 1.0.1.7 and earlier, and Norton AntiVirus for MS Exchange (NAVMSE) 1.5 and earlier, store the administrator password in cleartext in (1) the navieg.ini file for NAVIEG, and (2) the ModifyPassword registry key in NAVMSE.

Current Votes:
   ACCEPT(1) Prosser
   MODIFY(1) Frech
   NOOP(3) Cole, Foat, Wall

Voter Comments:
 Frech> XF:nav-admin-password(7543)
 Prosser> This has been since corrected in later releases.

======================================================
Name: CVE-1999-1334
Status: Candidate
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-1999-1334
Phase: Proposed (20010912)
Category: SF
Reference: BUGTRAQ:19980129 KSR[T] Advisory #7: filter
Reference: URL:http://marc.theaimsgroup.com/?l=bugtraq&m=88609666024181&w=2
Reference: CONFIRM:http://www.redhat.com/support/errata/rh50-errata-general.html#elm

Multiple buffer overflows in filter command in Elm 2.4 allow attackers to execute arbitrary commands via (1) long From: headers, (2) long Reply-To: headers, or (3) via a long -f (filterfile) command line argument.

Current Votes:
   ACCEPT(3) Cole, Foat, Stracener
   MODIFY(1) Frech
   NOOP(2) Armstrong, Wall

Voter Comments:
 Frech> XF:elm-filter-getfilterrules-bo(7214)
   XF:elm-filter2(711)

======================================================
Name: CVE-1999-1338
Status: Candidate
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-1999-1338
Phase: Proposed (20010912)
Category: SF
Reference: BUGTRAQ:19990721 Delegate creates directories writable for anyone
Reference: URL:http://marc.theaimsgroup.com/?l=bugtraq&m=93259112204664&w=2

Delegate proxy 5.9.3 and earlier creates files and directories in the DGROOT with world-writable permissions.

Current Votes:
   MODIFY(1) Frech
   NOOP(3) Cole, Foat, Wall

Voter Comments:
 Frech> XF:delegate-dgroot-permissions(8438)

======================================================
Name: CVE-1999-1340
Status: Candidate
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-1999-1340
Phase: Proposed (20010912)
Category: SF
Reference: BUGTRAQ:19991104 hylafax-4.0.2 local exploit
Reference: URL:http://marc.theaimsgroup.com/?l=bugtraq&m=94173799532589&w=2
Reference: BID:765
Reference: URL:http://www.securityfocus.com/bid/765

Buffer overflow in faxalter in hylafax 4.0.2 allows local users to gain privileges via a long -m command line argument.

Current Votes:
   MODIFY(1) Frech
   NOOP(3) Cole, Foat, Wall

Voter Comments:
 Frech> XF:hylafax-faxalter-gain-privs(3453)
   Proper spelling of the product is HylaFAX (see http://www.hylafax.org/)

======================================================
Name: CVE-1999-1342
Status: Candidate
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-1999-1342
Phase: Proposed (20010912)
Category: SF
Reference: NTBUGTRAQ:19991017 ICQ ActiveList Server Exploit...
Reference: URL:http://marc.theaimsgroup.com/?l=ntbugtraq&m=94042342010662&w=2

ICQ ActiveList Server allows remote attackers to cause a denial of service (crash) via malformed packets to the server's UDP port.

Current Votes:
   MODIFY(1) Frech
   NOOP(3) Cole, Foat, Wall

Voter Comments:
 Frech> XF:icq-activelist-udp-dos(7877)

======================================================
Name: CVE-1999-1343
Status: Candidate
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-1999-1343
Phase: Proposed (20010912)
Category: SF
Reference: BUGTRAQ:19991013 Xerox DocuColor 4 LP D.O.S
Reference: URL:http://marc.theaimsgroup.com/?l=bugtraq&m=93986405412867&w=2

HTTP server for Xerox DocuColor 4 LP allows remote attackers to cause a denial of service (hang) via a long URL that contains a large number of . characters.

Current Votes:
   MODIFY(1) Frech
   NOOP(3) Cole, Foat, Wall

Voter Comments:
 Frech> XF:xerox-docucolor4lp-dos(8041)

======================================================
Name: CVE-1999-1344
Status: Candidate
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-1999-1344
Phase: Proposed (20010912)
Category: SF
Reference: BUGTRAQ:19991005 Auto_FTP v0.02 Advisory
Reference: URL:http://marc.theaimsgroup.com/?l=bugtraq&m=93923873006014&w=2

Auto_FTP.pl script in Auto_FTP 0.2 stores usernames and passwords in plaintext in the auto_ftp.conf configuration file.
Current Votes: MODIFY(1) Frech NOOP(3) Cole, Foat, Wall Voter Comments: Frech> XF:autoftp-plaintext-password(8045) ====================================================== Name: CVE-1999-1345 Status: Candidate URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-1999-1345 Phase: Proposed (20010912) Category: SF Reference: BUGTRAQ:19991005 Auto_FTP v0.02 Advisory Reference: URL:http://marc.theaimsgroup.com/?l=bugtraq&m=93923873006014&w=2 Auto_FTP.pl script in Auto_FTP 0.2 uses the /tmp/ftp_tmp as a shared directory with insecure permissions, which allows local users to (1) send arbitrary files to the remote server by placing them in the directory, and (2) view files that are being transferred. Current Votes: MODIFY(1) Frech NOOP(3) Cole, Foat, Wall Voter Comments: Frech> XF:autoftp-shared-directory(8047) ====================================================== Name: CVE-1999-1346 Status: Candidate URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-1999-1346 Phase: Proposed (20010912) Category: SF Reference: BUGTRAQ:19991007 Problems with redhat 6 Xsession and pam.d/rlogin. Reference: URL:http://marc.theaimsgroup.com/?l=bugtraq&m=93942774609925&w=2 PAM configuration file for rlogin in Red Hat Linux 6.1 and earlier includes a less restrictive rule before a more restrictive one, which allows users to access the host via rlogin even if rlogin has been explicitly disabled using the /etc/nologin file. Current Votes: MODIFY(1) Frech NOOP(3) Cole, Foat, Wall Voter Comments: Frech> XF:pam-rlogin-bypass(8315) ====================================================== Name: CVE-1999-1347 Status: Candidate URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-1999-1347 Phase: Proposed (20010912) Category: SF Reference: BUGTRAQ:19991007 Problems with redhat 6 Xsession and pam.d/rlogin. 
Reference: URL:http://marc.theaimsgroup.com/?l=bugtraq&m=93942774609925&w=2 Xsession in Red Hat Linux 6.1 and earlier can allow local users with restricted accounts to bypass execution of the .xsession file by starting kde, gnome or anotherlevel from kdm. Current Votes: MODIFY(1) Frech NOOP(3) Cole, Foat, Wall Voter Comments: Frech> XF:xsession-bypass(8316) ====================================================== Name: CVE-1999-1348 Status: Candidate URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-1999-1348 Phase: Proposed (20010912) Category: SF Reference: BUGTRAQ:19990630 linuxconf doesn't seem to deal correctly with /etc/pam.d/reboot Reference: URL:http://marc.theaimsgroup.com/?l=bugtraq&m=93220073515880&w=2 Linuxconf on Red Hat Linux 6.0 and earlier does not properly disable PAM-based access to the shutdown command, which could allow local users to cause a denial of service. Current Votes: ACCEPT(1) Cole MODIFY(1) Frech NOOP(2) Foat, Wall Voter Comments: Frech> XF:linuxconf-pam-shutdown-dos(8437) ====================================================== Name: CVE-1999-1349 Status: Candidate URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-1999-1349 Phase: Proposed (20010912) Category: SF Reference: BUGTRAQ:19991006 Omni-NFS/X Enterprise (nfsd.exe) DOS Reference: URL:http://marc.theaimsgroup.com/?l=bugtraq&m=93923679004325&w=2 NFS daemon (nfsd.exe) for Omni-NFS/X 6.1 allows remote attackers to cause a denial of service (resource exhaustion) via certain packets, possibly with the Urgent (URG) flag set, to port 111. 
Current Votes: MODIFY(1) Frech NOOP(3) Cole, Foat, Wall Voter Comments: Frech> XF:xlink-nfsd-dos(8317) ====================================================== Name: CVE-1999-1350 Status: Candidate URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-1999-1350 Phase: Proposed (20010912) Category: CF Reference: BUGTRAQ:19990929 Multiple Vendor ARCAD permission problems Reference: URL:http://marc.theaimsgroup.com/?l=bugtraq&m=93871933521519&w=2 ARCAD Systemhaus 0.078-5 installs critical programs and files with world-writeable permissions, which could allow local users to gain privileges by replacing a program with a Trojan horse. Current Votes: MODIFY(1) Frech NOOP(3) Cole, Foat, Wall Voter Comments: Frech> XF:arcad-insecure-permissions(8318) ====================================================== Name: CVE-1999-1352 Status: Candidate URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-1999-1352 Phase: Proposed (20010912) Category: SF Reference: BUGTRAQ:19990928 Re: [Fwd: Truth about ssh 1.2.27 vulnerabiltiy] Reference: URL:http://marc.theaimsgroup.com/?l=bugtraq&m=93855134409747&w=2 mknod in Linux 2.2 follows symbolic links, which could allow local users to overwrite files or gain privileges. Current Votes: MODIFY(1) Frech NOOP(3) Cole, Foat, Wall Voter Comments: Frech> XF:mknod-symlink(8319) ====================================================== Name: CVE-1999-1353 Status: Candidate URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-1999-1353 Phase: Proposed (20010912) Category: SF Reference: BUGTRAQ:19990907 MsgCore mailserver stores passwords in clear text Reference: URL:http://marc.theaimsgroup.com/?l=ntbugtraq&m=93698162708211&w=2 Nosque MsgCore 2.14 stores passwords in cleartext: (1) the administrator password in the AdmPasswd registry key, and (2) user passwords in the Userbase.dbf data file, which could allow local users to gain privileges.
Current Votes: MODIFY(1) Frech NOOP(3) Cole, Foat, Wall Voter Comments: Frech> XF:msgcore-plaintext-passwords(8271) BUGTRAQ Reference is actually NTBUGTRAQ. ====================================================== Name: CVE-1999-1354 Status: Candidate URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-1999-1354 Phase: Proposed (20010912) Category: SF Reference: NTBUGTRAQ:19990830 SoftArc's FirstClass E-mail Client Reference: URL:http://marc.theaimsgroup.com/?l=ntbugtraq&m=93637687305327&w=2 Reference: NTBUGTRAQ:19990909 SoftArc's FirstClass E-mail Client Reference: URL:http://marc.theaimsgroup.com/?l=ntbugtraq&m=93698283309513&w=2 E-mail client in Softarc FirstClass Internet Server 5.506 and earlier stores usernames and passwords in cleartext in the files (1) home.fc for version 5.506, (2) network.fc for version 3.5, or (3) FCCLIENT.LOG when logging is enabled. Current Votes: ACCEPT(1) Cole MODIFY(1) Frech NOOP(3) Christey, Foat, Wall Voter Comments: Frech> (Task 1766) CHANGE> [Frech changed vote from REVIEWING to MODIFY] Frech> XF:firstclass-plaintext-account(9874) Christey> The following reference is for the FCCLIENT.LOG piece: ADDREF NTBUGTRAQ:19990911 Re: SoftArc's FirstClass E-mail Client URL:http://archives.neohapsis.com/archives/ntbugtraq/1999-q3/0189.html ====================================================== Name: CVE-1999-1355 Status: Candidate URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-1999-1355 Phase: Proposed (20010912) Category: SF Reference: NTBUGTRAQ:19990817 Compaq PFCUser account Reference: URL:http://marc.theaimsgroup.com/?l=ntbugtraq&m=93542118727732&w=2 Reference: NTBUGTRAQ:19990905 Case ID SSRT0620 - PFCUser account communication Reference: URL:http://marc.theaimsgroup.com/?l=ntbugtraq&m=93654336516711&w=2 Reference: NTBUGTRAQ:19990915 (I) UPDATE - PFCUser Account, Reference: URL:http://marc.theaimsgroup.com/?l=ntbugtraq&m=93759822430801&w=2 Reference: NTBUGTRAQ:19991105 UPDATE: SSRT0620 Compaq Foundation Agents v4.40B PFCUser issues Reference: URL:http://marc.theaimsgroup.com/?l=ntbugtraq&m=94183795025294&w=2 Reference: CONFIRM:http://www.compaq.com/products/servers/management/advisory.html Reference: XF:management-pfcuser(3231) Reference: URL:http://xforce.iss.net/static/3231.php BMC Patrol component, when installed with Compaq Insight Management Agent 4.23 and earlier, or Management Agents for Servers 4.40 and earlier, creates a PFCUser account with a default password and potentially dangerous privileges. Current Votes: ACCEPT(5) Armstrong, Cole, Foat, Frech, Stracener NOOP(1) Wall ====================================================== Name: CVE-1999-1357 Status: Candidate URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-1999-1357 Phase: Proposed (20010912) Category: SF Reference: BUGTRAQ:19991005 Time to update those CGIs again Reference: URL:http://marc.theaimsgroup.com/?l=bugtraq&m=93915331626185&w=2 Netscape Communicator 4.04 through 4.7 (and possibly other versions) in various UNIX operating systems converts the 0x8b character to a "<" sign, and the 0x9b character to a ">" sign, which could allow remote attackers to attack other clients via cross-site scripting (CSS) in CGI programs that do not filter these characters. Current Votes: MODIFY(1) Frech NOOP(3) Cole, Foat, Wall Voter Comments: Frech> XF:netscape-cgi-filtering-css(8274) ====================================================== Name: CVE-1999-1361 Status: Candidate URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-1999-1361 Phase: Proposed (20010912) Category: SF Reference: BUGTRAQ:19980509 coke.c Reference: URL:http://marc.theaimsgroup.com/?l=bugtraq&m=90221101925891&w=2 Windows NT 3.51 and 4.0 running WINS (Windows Internet Name Service) allows remote attackers to cause a denial of service (resource exhaustion) via a flood of malformed packets, which causes the server to slow down and fill the event logs with error messages.
Current Votes: ACCEPT(1) Wall MODIFY(1) Frech NOOP(2) Cole, Foat Voter Comments: Frech> XF:winnt-wins-packet-flood-dos(7329) ====================================================== Name: CVE-1999-1364 Status: Candidate URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-1999-1364 Phase: Modified (20020218-01) Category: SF Reference: MSKB:Q142653 Reference: URL:http://support.microsoft.com/support/kb/articles/q142/6/53.asp Reference: XF:nt-threadcontext-dos(7421) Reference: URL:http://www.iss.net/security_center/static/7421.php Windows NT 4.0 allows local users to cause a denial of service (crash) via an illegal kernel mode address to the functions (1) GetThreadContext or (2) SetThreadContext. Current Votes: ACCEPT(3) Cole, Foat, Wall MODIFY(1) Frech Voter Comments: Frech> XF:nt-threadcontext-dos(7421) ====================================================== Name: CVE-1999-1366 Status: Candidate URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-1999-1366 Phase: Proposed (20010912) Category: SF Reference: BUGTRAQ:19990515 Pegasus Mail weak encryption Reference: URL:http://marc.theaimsgroup.com/?l=bugtraq&m=92714118829880&w=2 Pegasus e-mail client 3.0 and earlier uses weak encryption to store POP3 passwords in the pmail.ini file, which allows local users to easily decrypt the passwords and read e-mail. Current Votes: MODIFY(1) Frech NOOP(3) Cole, Foat, Wall Voter Comments: Frech> XF:pegasus-weak-password-encryption(8430) ====================================================== Name: CVE-1999-1367 Status: Candidate URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-1999-1367 Phase: Proposed (20010912) Category: SF Reference: MISC:http://www.pcworld.com/news/article/0,aid,10842,00.asp Internet Explorer 5.0 does not properly reset the username/password cache for Web sites that do not use standard cache controls, which could allow users on the same system to access restricted web sites that were visited by other users. 
Current Votes: NOOP(3) Cole, Foat, Wall REVIEWING(1) Frech Voter Comments: Frech> (Task 2283) ====================================================== Name: CVE-1999-1368 Status: Candidate URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-1999-1368 Phase: Proposed (20010912) Category: SF Reference: NTBUGTRAQ:19990512 InoculateIT 4.53 Real-Time Exchange Scanner Flawed Reference: URL:http://marc.theaimsgroup.com/?l=ntbugtraq&m=92652152723629&w=2 Reference: NTBUGTRAQ:20001116 InoculateIT AV Option for MS Exchange Server Reference: URL:http://marc.theaimsgroup.com/?l=ntbugtraq&m=97439568517355&w=2 AV Option for MS Exchange Server option for InoculateIT 4.53, and possibly other versions, only scans the Inbox folder tree of a Microsoft Exchange server, which could allow viruses to escape detection if a user's rules cause the message to be moved to a different mailbox. Current Votes: MODIFY(1) Frech NOOP(3) Cole, Foat, Wall Voter Comments: Frech> XF:inoculate-message-redirect-bypass(5602) ====================================================== Name: CVE-1999-1369 Status: Candidate URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-1999-1369 Phase: Proposed (20010912) Category: SF Reference: BUGTRAQ:19990414 Real Media Server stores passwords in plain text Reference: URL:http://marc.theaimsgroup.com/?l=bugtraq&m=92411181619110&w=2 Real Media RealServer (rmserver) 6.0.3.353 stores a password in plaintext in the world-readable rmserver.cfg file, which allows local users to gain privileges. 
Current Votes: MODIFY(1) Frech NOOP(3) Cole, Foat, Wall Voter Comments: Frech> XF:realserver-insecure-password(7544) ====================================================== Name: CVE-1999-1370 Status: Candidate URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-1999-1370 Phase: Proposed (20010912) Category: SF Reference: NTBUGTRAQ:19990323 MSIE 5 installer disables screen saver Reference: URL:http://marc.theaimsgroup.com/?l=ntbugtraq&m=92220197414799&w=2 The setup wizard (ie5setup.exe) for Internet Explorer 5.0 disables (1) the screen saver, which could leave the system open to users with physical access if a failure occurs during an unattended installation, and (2) the Task Scheduler Service, which might prevent the scheduled execution of security-critical programs. Current Votes: MODIFY(1) Frech NOOP(3) Cole, Foat, Wall Voter Comments: Frech> XF:ie-ie5setup-disable-password(7545) ====================================================== Name: CVE-1999-1371 Status: Candidate URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-1999-1371 Phase: Modified (20040723) Category: SF Reference: BUGTRAQ:19990308 Solaris "/usr/bin/write" bug Reference: URL:http://marc.theaimsgroup.com/?l=bugtraq&m=92100752221493&w=2 Reference: MISC:http://www.securiteam.com/exploits/5ZP0O1P35O.html Reference: XF:solaris-write-bo(7546) Reference: URL:http://xforce.iss.net/xforce/xfdb/7546 Buffer overflow in /usr/bin/write in Solaris 2.6 and 7 allows local users to gain privileges via a long string in the terminal name argument. 
Current Votes: ACCEPT(2) Cole, Dik MODIFY(1) Frech NOOP(3) Christey, Foat, Wall Voter Comments: Frech> XF:solaris-write-bo(7546) Christey> This appears to be a rediscovery of the problem for Solaris 2.8: BUGTRAQ:20011114 /usr/bin/write (solaris2.x) Segmentation Fault URL:http://marc.theaimsgroup.com/?l=bugtraq&m=100588255815773&w=2 Dik> sun bug: 4218941 ====================================================== Name: CVE-1999-1372 Status: Candidate URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-1999-1372 Phase: Proposed (20010912) Category: SF Reference: BUGTRAQ:19990219 Plaintext Password in Tractive's Remote Manager Software Reference: URL:http://marc.theaimsgroup.com/?l=bugtraq&m=91966339502073&w=2 Triactive Remote Manager with Basic authentication enabled stores the username and password in cleartext in registry keys, which could allow local users to gain privileges. Current Votes: MODIFY(1) Frech NOOP(3) Cole, Foat, Wall Voter Comments: Frech> XF:triactive-remote-basic-auth(7548) ====================================================== Name: CVE-1999-1373 Status: Candidate URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-1999-1373 Phase: Proposed (20010912) Category: SF Reference: BUGTRAQ:19990105 Re: Network Scan Vulnerability [SUMMARY] Reference: URL:http://marc.theaimsgroup.com/?l=bugtraq&m=91651770130771&w=2 FORE PowerHub before 5.0.1 allows remote attackers to cause a denial of service (hang) via a TCP SYN scan with TCP/IP OS fingerprinting, e.g. via nmap. 
Current Votes: MODIFY(1) Frech NOOP(3) Cole, Foat, Wall Voter Comments: Frech> XF:powerhub-nmap-dos(7556) ====================================================== Name: CVE-1999-1374 Status: Candidate URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-1999-1374 Phase: Proposed (20010912) Category: SF Reference: BUGTRAQ:19990427 Re: Shopping Carts exposing CC data Reference: URL:http://marc.theaimsgroup.com/?l=bugtraq&m=92523159819402&w=2 perlshop.cgi shopping cart program stores sensitive customer information in directories and files that are under the web root, which allows remote attackers to obtain that information via an HTTP request. Current Votes: MODIFY(1) Frech NOOP(3) Cole, Foat, Wall Voter Comments: Frech> XF:perlshop-cgi-obtain-information(7557) ====================================================== Name: CVE-1999-1375 Status: Candidate URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-1999-1375 Phase: Proposed (20010912) Category: SF Reference: NTBUGTRAQ:19990211 Using FSO in ASP to view just about anything Reference: URL:http://marc.theaimsgroup.com/?l=ntbugtraq&m=91877455626320&w=2 Reference: BID:230 Reference: URL:http://www.securityfocus.com/bid/230 FileSystemObject (FSO) in the showfile.asp Active Server Page (ASP) allows remote attackers to read arbitrary files by specifying the name in the file parameter. 
Current Votes: ACCEPT(1) Cole MODIFY(1) Frech NOOP(3) Christey, Foat, Wall Voter Comments: Frech> XF:iis-fso-read-files(7558) Christey> Explicitly mention IIS ====================================================== Name: CVE-1999-1376 Status: Candidate URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-1999-1376 Phase: Proposed (20010912) Category: SF Reference: NTBUGTRAQ:19990114 MS IIS 4.0 Security Advisory Reference: URL:http://marc.theaimsgroup.com/?l=ntbugtraq&m=91632724913080&w=2 Reference: BUGTRAQ:19990114 MS IIS 4.0 Security Advisory Reference: URL:http://marc.theaimsgroup.com/?l=bugtraq&m=91638375309890&w=2 Buffer overflow in fpcount.exe in IIS 4.0 with FrontPage Server Extensions allows remote attackers to execute arbitrary commands. Current Votes: ACCEPT(1) Wall MODIFY(1) Frech NOOP(2) Cole, Foat Voter Comments: Frech> XF:frontpage-ext-fpcount-crash(5494) ====================================================== Name: CVE-1999-1377 Status: Candidate URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-1999-1377 Phase: Proposed (20010912) Category: SF Reference: MISC:http://pulhas.org/phrack/55/P55-07.html Matt Wright's download.cgi 1.0 allows remote attackers to read arbitrary files via a .. (dot dot) in the f parameter. Current Votes: MODIFY(1) Frech NOOP(3) Cole, Foat, Wall Voter Comments: Frech> XF:download-cgi-directory-traversal(8279) ====================================================== Name: CVE-1999-1378 Status: Candidate URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-1999-1378 Phase: Proposed (20010912) Category: SF Reference: BUGTRAQ:19990917 improper chroot in dbmlparser.exe Reference: URL:http://marc.theaimsgroup.com/?l=bugtraq&m=93250710625956&w=2 dbmlparser.exe CGI guestbook program does not perform a chroot operation properly, which allows remote attackers to read arbitrary files. 
Current Votes: NOOP(3) Cole, Foat, Wall REVIEWING(1) Frech Voter Comments: Frech> (Task 2284) ====================================================== Name: CVE-1999-1381 Status: Candidate URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-1999-1381 Phase: Proposed (20010912) Category: SF Reference: BUGTRAQ:19981008 buffer overflow in dbadmin Reference: URL:http://marc.theaimsgroup.com/?l=bugtraq&m=90786656409618&w=2 Buffer overflow in dbadmin CGI program 1.0.1 on Linux allows remote attackers to execute arbitrary commands. Current Votes: NOOP(3) Cole, Foat, Wall ====================================================== Name: CVE-1999-1383 Status: Candidate URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-1999-1383 Phase: Proposed (20010912) Category: SF Reference: BUGTRAQ:19960913 tee see shell problems Reference: URL:http://marc.theaimsgroup.com/?l=bugtraq&m=87602167419868&w=2 Reference: BUGTRAQ:19960919 Vulnerability in expansion of PS1 in bash & tcsh Reference: URL:http://www.dataguard.no/bugtraq/1996_3/0503.html (1) bash before 1.14.7, and (2) tcsh 6.05 allow local users to gain privileges via directory names that contain shell metacharacters (` back-tick), which can cause the commands enclosed in the directory name to be executed when the shell expands filenames using the \w option in the PS1 variable. 
Current Votes: NOOP(2) Cole, Foat ====================================================== Name: CVE-1999-1387 Status: Candidate URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-1999-1387 Phase: Proposed (20010912) Category: SF Reference: BUGTRAQ:19970402 Fatal bug in NT 4.0 server Reference: URL:http://marc.theaimsgroup.com/?l=bugtraq&m=87602167420731&w=2 Reference: BUGTRAQ:19970403 Fatal bug in NT 4.0 server (more comments) Reference: URL:http://marc.theaimsgroup.com/?l=bugtraq&m=87602167420732&w=2 Reference: BUGTRAQ:19970407 DUMP of NT system crash Reference: URL:http://marc.theaimsgroup.com/?l=bugtraq&m=87602167420741&w=2 Windows NT 4.0 SP2 allows remote attackers to cause a denial of service (crash), possibly via malformed inputs or packets, such as those generated by a Linux smbmount command that was compiled on the Linux 2.0.29 kernel but executed on Linux 2.0.25. Current Votes: ACCEPT(1) Cole NOOP(1) Foat ====================================================== Name: CVE-1999-1388 Status: Candidate URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-1999-1388 Phase: Proposed (20010912) Category: SF Reference: BUGTRAQ:19940513 [8lgm]-Advisory-7.UNIX.passwd.11-May-1994 Reference: URL:http://www2.dataguard.no/bugtraq/1994_2/0197.html Reference: BUGTRAQ:19940514 [8lgm]-Advisory-7.UNIX.passwd.11-May-1994.NEWFIX Reference: URL:http://www2.dataguard.no/bugtraq/1994_2/0207.html Reference: BUGTRAQ:19941218 Sun Patch Id #102060-01 Reference: URL:http://www.dataguard.no/bugtraq/1994_4/0755.html passwd in SunOS 4.1.x allows local users to overwrite arbitrary files via a symlink attack and the -F command line argument. 
Current Votes: ACCEPT(1) Dik NOOP(2) Cole, Foat Voter Comments: Dik> sun bug: 1171499 ====================================================== Name: CVE-1999-1389 Status: Candidate URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-1999-1389 Phase: Proposed (20010912) Category: SF Reference: BUGTRAQ:19980511 3Com/USR Total Control Chassis dialup port access filters Reference: URL:http://marc.theaimsgroup.com/?l=bugtraq&m=90221101925916&w=2 Reference: BID:99 Reference: URL:http://www.securityfocus.com/bid/99 US Robotics/3Com Total Control Chassis with Frame Relay between 3.6.22 and 3.7.24 does not properly enforce access filters when the "set host prompt" setting is made for a port, which allows attackers to bypass restrictions by providing the hostname twice at the "host: " prompt. Current Votes: MODIFY(1) Frech NOOP(3) Cole, Foat, Wall Voter Comments: Frech> XF:3com-netserver-filter-bypass(7330) ====================================================== Name: CVE-1999-1390 Status: Candidate URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-1999-1390 Phase: Proposed (20010912) Category: SF Reference: BUGTRAQ:19980428 [Debian 2.0] /usr/bin/suidexec gives root access Reference: URL:http://darwin.bio.uci.edu/~mcoogan/bugtraq/msg00890.html Reference: BID:94 Reference: URL:http://www.securityfocus.com/bid/94 suidexec in suidmanager 0.18 on Debian 2.0 allows local users to gain root privileges by specifying a malicious program on the command line. 
Current Votes: MODIFY(1) Frech NOOP(3) Cole, Foat, Wall Voter Comments: Frech> XF:suidmanager-suidexec-root-privileges(7304) ====================================================== Name: CVE-1999-1391 Status: Candidate URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-1999-1391 Phase: Modified (20020218-01) Category: SF Reference: CERT:CA-1990-06 Reference: URL:http://www.cert.org/advisories/CA-1990-06.html Reference: CIAC:B-01 Reference: URL:http://ciac.llnl.gov/ciac/bulletins/b-01.shtml Reference: BID:10 Reference: URL:http://www.securityfocus.com/bid/10 Reference: XF:nextstep-npd-root-access(7143) Reference: URL:http://www.iss.net/security_center/static/7143.php Vulnerability in NeXT 1.0a and 1.0 with publicly accessible printers allows local users to gain privileges via a combination of the npd program and weak directory permissions. Current Votes: ACCEPT(3) Cole, Foat, Stracener MODIFY(1) Frech NOOP(1) Wall Voter Comments: Frech> XF:nextstep-npd-root-access(7143) ====================================================== Name: CVE-1999-1392 Status: Candidate URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-1999-1392 Phase: Modified (20020218-01) Category: SF Reference: CERT:CA-1990-06 Reference: URL:http://www.cert.org/advisories/CA-1990-06.html Reference: CIAC:B-01 Reference: URL:http://ciac.llnl.gov/ciac/bulletins/b-01.shtml Reference: BID:9 Reference: URL:http://www.securityfocus.com/bid/9 Reference: XF:nextstep-restore09-root-access(7144) Reference: URL:http://www.iss.net/security_center/static/7144.php Vulnerability in restore0.9 installation script in NeXT 1.0a and 1.0 allows local users to gain root privileges. 
Current Votes: ACCEPT(3) Cole, Foat, Stracener MODIFY(1) Frech NOOP(1) Wall Voter Comments: Frech> XF:nextstep-restore09-root-access(7144) ====================================================== Name: CVE-1999-1393 Status: Candidate URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-1999-1393 Phase: Proposed (20010912) Category: SF Reference: MISC:http://freaky.staticusers.net/macsec/data/powerbooksecurity-data.html Reference: BID:532 Reference: URL:http://www.securityfocus.com/bid/532 Control Panel "Password Security" option for Apple Powerbooks allows attackers with physical access to the machine to bypass the security by booting it with an emergency startup disk and using a disk editor to modify the on/off toggle or password in the aaaaaaaAPWD file, which is normally inaccessible. Current Votes: NOOP(3) Cole, Foat, Wall REVIEWING(1) Frech Voter Comments: Frech> (Task 2285) ====================================================== Name: CVE-1999-1394 Status: Candidate URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-1999-1394 Phase: Proposed (20010912) Category: SF Reference: BUGTRAQ:19990702 BSD-fileflags Reference: URL:http://marc.theaimsgroup.com/?l=bugtraq&m=93094058620450&w=2 Reference: BID:510 Reference: URL:http://www.securityfocus.com/bid/510 BSD 4.4 based operating systems, when running at security level 1, allow the root user to clear the immutable and append-only flags for files by unmounting the file system and using a file system editor such as fsdb to directly modify the file through a device. 
Current Votes: ACCEPT(1) Cole NOOP(2) Foat, Wall REVIEWING(1) Frech Voter Comments: Frech> (Task 2286) ====================================================== Name: CVE-1999-1395 Status: Candidate URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-1999-1395 Phase: Modified (20091029) Category: SF Reference: CERT:CA-1992-18 Reference: URL:http://www.cert.org/advisories/CA-1992-18.html Reference: CERT:CA-92.16 Reference: URL:http://www.cert.org/advisories/CA-92.16.VMS.Monitor.vulnerability Reference: BID:51 Reference: URL:http://www.securityfocus.com/bid/51 Reference: OSVDB:59332 Reference: URL:http://osvdb.org/59332 Reference: XF:vms-monitor-gain-privileges(7136) Reference: URL:http://www.iss.net/security_center/static/7136.php Vulnerability in Monitor utility (SYS$SHARE:SPISHR.EXE) in VMS 5.0 through 5.4-2 allows local users to gain privileges. Current Votes: ACCEPT(3) Cole, Foat, Stracener MODIFY(1) Frech NOOP(2) Christey, Wall Voter Comments: Frech> XF:vms-monitor-gain-privileges(7136) Duplicate of CVE-1999-1056? If not, indicate why in Analysis comments. Christey> Note that CVE-1999-1056 Christey> CVE-1999-1056 is in fact a duplicate. This candidate will be kept, and CVE-1999-1056 will be REJECTed, because this candidate has more references. ====================================================== Name: CVE-1999-1396 Status: Candidate URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-1999-1396 Phase: Modified (20020218-01) Category: SF Reference: CERT:CA-1992-15 Reference: URL:http://www.cert.org/advisories/CA-1992-15.html Reference: BID:49 Reference: URL:http://www.securityfocus.com/bid/49 Reference: XF:sun-integer-multiplication-access(7150) Reference: URL:http://www.iss.net/security_center/static/7150.php Vulnerability in integer multiplication emulation code on SPARC architectures for SunOS 4.1 through 4.1.2 allows local users to gain root access or cause a denial of service (crash). 
Current Votes: ACCEPT(4) Cole, Dik, Foat, Stracener MODIFY(1) Frech NOOP(1) Wall Voter Comments: Frech> XF:sun-integer-multiplication-access(7150) Dik> sun bug: 1069072 1071053 ====================================================== Name: CVE-1999-1398 Status: Candidate URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-1999-1398 Phase: Proposed (20010912) Category: SF Reference: BUGTRAQ:19970507 Irix: misc Reference: URL:http://marc.theaimsgroup.com/?l=bugtraq&m=87602167420921&w=2 Reference: MISC:http://www.insecure.org/sploits/irix.xfsdump.html Reference: BID:472 Reference: URL:http://www.securityfocus.com/bid/472 Vulnerability in xfsdump in SGI IRIX may allow local users to obtain root privileges via the bck.log log file, possibly via a symlink attack. Current Votes: ACCEPT(1) Cole MODIFY(1) Frech NOOP(1) Foat Voter Comments: Frech> XF:irix-xfsdump-symlink(7193) ====================================================== Name: CVE-1999-1399 Status: Candidate URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-1999-1399 Phase: Proposed (20010912) Category: SF Reference: BUGTRAQ:19970820 SpaceWare 7.3 v1.0 Reference: URL:http://marc.theaimsgroup.com/?l=bugtraq&m=87602746719552&w=2 Reference: BID:471 Reference: URL:http://www.securityfocus.com/bid/471 spaceball program in SpaceWare 7.3 v1.0 in IRIX 6.2 allows local users to gain root privileges by setting the HOSTNAME environment variable to contain the commands to be executed.
Current Votes: ACCEPT(1) Cole MODIFY(1) Frech NOOP(1) Foat Voter Comments: Frech> XF:spaceware-hostname-command-execution(7194) ====================================================== Name: CVE-1999-1400 Status: Candidate URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-1999-1400 Phase: Proposed (20010912) Category: SF Reference: NTBUGTRAQ:19990603 Huge Exploit in NT 4.0 SP5 Screensaver with Password Protection Enabled Reference: URL:http://archives.indenial.com/hypermail/ntbugtraq/1999/June1999/0007.html Reference: NTBUGTRAQ:19990603 Re: Huge Exploit in NT 4.0 SP5 Screensaver with Password Protection Enabled. Reference: URL:http://archives.indenial.com/hypermail/ntbugtraq/1999/June1999/0009.html Reference: NTBUGTRAQ:19990604 Official response from The Economist re: 1999 Screen Saver Reference: URL:http://marc.theaimsgroup.com/?l=ntbugtraq&m=92851653600852&w=2 Reference: BID:466 Reference: URL:http://www.securityfocus.com/bid/466 The Economist screen saver 1999 with the "Password Protected" option enabled allows users with physical access to the machine to bypass the screen saver and read files by running Internet Explorer while the screen is still locked.
Current Votes: ACCEPT(1) Wall NOOP(2) Cole, Foat REVIEWING(1) Frech Voter Comments: Frech> (Task 2287) CONFIRM NTBUGTRAQ:19990604 Official response from The Economist re: 1999 Screen Saver ====================================================== Name: CVE-1999-1401 Status: Candidate URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-1999-1401 Phase: Modified (20060309) Category: SF Reference: SGI:19961201-01-PX Reference: URL:ftp://patches.sgi.com/support/free/security/advisories/19961201-01-PX Reference: BID:463 Reference: URL:http://www.securityfocus.com/bid/463 Reference: OSVDB:8563 Reference: URL:http://www.osvdb.org/8563 Reference: XF:irix-searchbook-permissions(7575) Reference: URL:http://www.iss.net/security_center/static/7575.php Vulnerability in Desktop searchbook program in IRIX 5.0.x through 6.2 sets insecure permissions for certain user files (iconbook and searchbook). Current Votes: ACCEPT(3) Cole, Foat, Stracener MODIFY(1) Frech Voter Comments: Frech> XF:irix-searchbook-permissions(7575) ====================================================== Name: CVE-1999-1403 Status: Candidate URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-1999-1403 Phase: Proposed (20010912) Category: SF Reference: BUGTRAQ:19981002 Several potential security problems in IBM/Tivoli OPC Tracker Agent Reference: URL:http://www.securityfocus.com/archive/1/10771 Reference: BID:382 Reference: URL:http://www.securityfocus.com/bid/382 IBM/Tivoli OPC Tracker Agent version 2 release 1 creates files, directories, and IPC message queues with insecure permissions (world-readable and world-writable), which could allow local users to disrupt operations and possibly gain privileges by modifying or deleting files.
Current Votes: NOOP(3) Cole, Foat, Wall ====================================================== Name: CVE-1999-1404 Status: Candidate URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-1999-1404 Phase: Proposed (20010912) Category: SF Reference: BUGTRAQ:19981002 Several potential security problems in IBM/Tivoli OPC Tracker Agent Reference: URL:http://www.securityfocus.com/archive/1/10771 Reference: BID:382 Reference: URL:http://www.securityfocus.com/bid/382 IBM/Tivoli OPC Tracker Agent version 2 release 1 allows remote attackers to cause a denial of service (resource exhaustion) via malformed data to the localtracker client port (5011), which prevents the connection from being closed properly. Current Votes: NOOP(3) Cole, Foat, Wall ====================================================== Name: CVE-1999-1405 Status: Candidate URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-1999-1405 Phase: Proposed (20010912) Category: SF Reference: BUGTRAQ:19990217 snap utility for AIX. Reference: URL:http://marc.theaimsgroup.com/?l=bugtraq&m=91936783009385&w=2 Reference: BUGTRAQ:19990220 Re: snap utility for AIX. Reference: URL:http://marc.theaimsgroup.com/?l=bugtraq&m=91954824614013&w=2 Reference: BID:375 Reference: URL:http://www.securityfocus.com/bid/375 snap command in AIX before 4.3.2 creates the /tmp/ibmsupt directory with world-readable permissions and does not remove or clear the directory when snap -a is executed, which could allow local users to access the shadowed password file by creating /tmp/ibmsupt/general/passwd before root runs snap -a.
Current Votes: MODIFY(1) Frech NOOP(3) Cole, Foat, Wall Voter Comments: Frech> XF:aix-snap-insecure-tmp(7560) ====================================================== Name: CVE-1999-1406 Status: Candidate URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-1999-1406 Phase: Proposed (20010912) Category: SF Reference: BUGTRAQ:19980729 Crash a redhat 5.1 linux box Reference: URL:http://marc.theaimsgroup.com/?l=bugtraq&m=90221104526185&w=2 Reference: BUGTRAQ:19980730 FD's 0..2 and suid/sgid procs (Was: Crash a redhat 5.1 linux box) Reference: URL:http://marc.theaimsgroup.com/?l=bugtraq&m=90221104526192&w=2 Reference: BID:372 Reference: URL:http://www.securityfocus.com/bid/372 dumpreg in Red Hat Linux 5.1 opens /dev/mem with O_RDWR access, which allows local users to cause a denial of service (crash) by redirecting fd 1 (stdout) to the kernel. Current Votes: ACCEPT(1) Cole NOOP(2) Foat, Wall ====================================================== Name: CVE-1999-1408 Status: Candidate URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-1999-1408 Phase: Proposed (20010912) Category: SF Reference: BUGTRAQ:19970305 Bug in connect() for aix 4.1.4 ? Reference: URL:http://marc.theaimsgroup.com/?l=bugtraq&m=87602167420641&w=2 Reference: BID:352 Reference: URL:http://www.securityfocus.com/bid/352 Vulnerability in AIX 4.1.4 and HP-UX 10.01 and 9.05 allows local users to cause a denial of service (crash) by using a socket to connect to a port on the localhost, calling shutdown to clear the socket, then using the same socket to connect to a different port on localhost. Current Votes: MODIFY(1) Frech NOOP(3) Christey, Cole, Foat Voter Comments: Frech> XF:aix-hpux-connect-dos(7195) Christey> BUGTRAQ:19970307 Re: Bug in connect() ? URL:http://www.securityfocus.com/archive/1/Pine.HPP.3.92.970307195408.12139B-100000@wpax13.physik.uni-wuerzburg.de BUGTRAQ:19970311 Re: Bug in connect() for aix 4.1.4 ?
URL:http://www.securityfocus.com/cgi-bin/archive.pl?id=1&mid=6419 ====================================================== Name: CVE-1999-1410 Status: Candidate URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-1999-1410 Phase: Proposed (20010912) Category: SF Reference: BUGTRAQ:19970509 Re: Irix: misc Reference: URL:http://marc.theaimsgroup.com/?l=bugtraq&m=87602167420927&w=2 Reference: MISC:ftp://patches.sgi.com/support/free/security/advisories/19961203-02-PX Reference: BID:330 Reference: URL:http://www.securityfocus.com/bid/330 addnetpr in IRIX 5.3 and 6.2 allows local users to overwrite arbitrary files and possibly gain root privileges via a symlink attack on the printers temporary file. Current Votes: NOOP(2) Cole, Foat REJECT(2) Christey, Frech Voter Comments: Christey> DUPE CVE-1999-1286 Need to add these references to CVE-1999-1286 ====================================================== Name: CVE-1999-1412 Status: Candidate URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-1999-1412 Phase: Proposed (20010912) Category: SF Reference: BUGTRAQ:19990603 MacOS X system panic with CGI Reference: URL:http://www.securityfocus.com/archive/1/14215 Reference: BID:306 Reference: URL:http://www.securityfocus.com/bid/306 A possible interaction between Apple MacOS X release 1.0 and Apache HTTP server allows remote attackers to cause a denial of service (crash) via a flood of HTTP GET requests to CGI programs, which generates a large number of processes. Current Votes: NOOP(3) Cole, Foat, Wall REVIEWING(1) Frech Voter Comments: Frech> (Task 2288) ====================================================== Name: CVE-1999-1413 Status: Candidate URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-1999-1413 Phase: Proposed (20010912) Category: SF Reference: BUGTRAQ:19960803 Exploiting Zolaris 2.4 ?? :) Reference: URL:http://marc.theaimsgroup.com/?l=bugtraq&m=87602167419549&w=2 Reference: BID:296 Reference: URL:http://www.securityfocus.com/bid/296 Solaris 2.4 before kernel jumbo patch -35 allows set-gid programs to dump core even if the real user id is not in the set-gid group, which allows local users to overwrite or create files at higher privileges by causing a core dump, e.g. through dmesg. Current Votes: MODIFY(2) Dik, Frech NOOP(2) Cole, Foat Voter Comments: Frech> XF:solaris-coredump-symlink(7196) Dik> sun bug: 1208241 Also applies to set-uid executables that have made real and effective uid identical ====================================================== Name: CVE-1999-1415 Status: Candidate URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-1999-1415 Phase: Proposed (20010912) Category: SF Reference: CERT:CA-91.13 Reference: URL:http://www.cert.org/advisories/CA-91.13.Ultrix.mail.vulnerability Reference: BID:27 Reference: URL:http://www.securityfocus.com/bid/27 Vulnerability in /usr/bin/mail in DEC ULTRIX before 4.2 allows local users to gain privileges. Current Votes: ACCEPT(3) Cole, Foat, Stracener MODIFY(1) Frech NOOP(2) Christey, Wall Voter Comments: Frech> XF:bsd-binmail(515) CA-1991-13 was superseded by CA-1995-02. Christey> Is there overlap between CVE-1999-1415 and CVE-1999-1438? Both CERT advisories are vague. ====================================================== Name: CVE-1999-1416 Status: Candidate URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-1999-1416 Phase: Proposed (20010912) Category: SF Reference: BUGTRAQ:19980823 Solaris ab2 web server is junk Reference: URL:http://www.securityfocus.com/archive/1/10383 Reference: BID:253 Reference: URL:http://www.securityfocus.com/bid/253 AnswerBook2 (AB2) web server dwhttpd 3.1a4 allows remote attackers to cause a denial of service (resource exhaustion) via an HTTP POST request with a large content-length.
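The descriptor trick behind CVE-1999-1406 (dumpreg, two entries above) is worth seeing in code, because the same mistake recurs in any setuid program that opens a sensitive file without first checking that descriptors 0, 1 and 2 are open. What follows is an added example written for this page, not code from Red Hat or from the Bugtraq posting: if the caller execs the setuid program with stdout closed, open() hands back the lowest free descriptor, which is 1, and every later write to "stdout" goes into the device. sanitize_std_fds() is the standard fix; /dev/null stands in for /dev/mem so the demonstration runs unprivileged.

```c
/* Added example for CVE-1999-1406: illustrates the closed-fd-1 condition
 * and the sanitize-on-startup fix.  /dev/null stands in for /dev/mem. */
#define _XOPEN_SOURCE 700
#include <fcntl.h>
#include <stdio.h>
#include <unistd.h>

/* Point any closed descriptor among 0, 1, 2 at /dev/null.
 * Returns how many had to be filled, or -1 if /dev/null cannot be opened.
 * A setuid program should call this before opening anything else. */
int sanitize_std_fds(void)
{
    int filled = 0;
    for (int fd = 0; fd <= 2; fd++) {
        if (fcntl(fd, F_GETFD) != -1)
            continue;                          /* already open, leave it */
        int nfd = open("/dev/null", fd == STDIN_FILENO ? O_RDONLY : O_WRONLY);
        if (nfd == -1)
            return -1;
        if (nfd != fd) {                       /* a lower descriptor was free */
            if (dup2(nfd, fd) == -1)
                return -1;
            close(nfd);
        }
        filled++;
    }
    return filled;
}

/* Reproduce the dumpreg condition: close stdout, then open the "device".
 * Returns the descriptor number open() handed back.  Without sanitizing
 * it is 1 (or 0 if stdin was also closed); after sanitize_std_fds() it is
 * always above 2.  The caller's stdout is restored afterwards. */
int device_fd_with_stdout_closed(int sanitize_first)
{
    int saved = dup(STDOUT_FILENO);
    if (saved == -1)
        return -1;
    close(STDOUT_FILENO);
    if (sanitize_first && sanitize_std_fds() == -1) {
        dup2(saved, STDOUT_FILENO);
        close(saved);
        return -1;
    }
    int dev = open("/dev/null", O_RDWR);       /* stand-in for /dev/mem */
    int landed = dev;
    if (dev != -1)
        close(dev);
    dup2(saved, STDOUT_FILENO);                /* put the real stdout back */
    close(saved);
    return landed;
}

int main(void)
{
    int naive = device_fd_with_stdout_closed(0);
    int fixed = device_fd_with_stdout_closed(1);
    printf("without sanitizing, the device landed on fd %d\n", naive);
    printf("after sanitize_std_fds(), it landed on fd %d\n", fixed);
    return 0;
}
```

The same check belongs at the top of any setuid or setgid program; Bugtraq's follow-up thread on "FD's 0..2 and suid/sgid procs" is about exactly this class, and modern libcs and kernels still only partially paper over it.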
Current Votes: NOOP(3) Cole, Foat, Wall ====================================================== Name: CVE-1999-1417 Status: Candidate URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-1999-1417 Phase: Proposed (20010912) Category: SF Reference: BUGTRAQ:19980823 Solaris ab2 web server is junk Reference: URL:http://www.securityfocus.com/archive/1/10383 Reference: BID:253 Reference: URL:http://www.securityfocus.com/bid/253 Format string vulnerability in AnswerBook2 (AB2) web server dwhttpd 3.1a4 allows remote attackers to cause a denial of service and possibly execute arbitrary commands via encoded % characters in an HTTP request, which is improperly logged. Current Votes: ACCEPT(1) Dik NOOP(3) Cole, Foat, Wall Voter Comments: Dik> sun bug: 4218283 ====================================================== Name: CVE-1999-1418 Status: Candidate URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-1999-1418 Phase: Proposed (20010912) Category: SF Reference: BUGTRAQ:19990501 Update: security hole in the ICQ-Webserver Reference: URL:http://www.securityfocus.com/archive/1/13508 Reference: BID:246 Reference: URL:http://www.securityfocus.com/bid/246 ICQ99 ICQ web server build 1701 with "Active Homepage" enabled allows remote attackers to determine the existence of files on the server by comparing server responses when a file exists ("404 Forbidden") versus when a file does not exist ("404 not found").
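The dwhttpd entry (CVE-1999-1417, above) describes the classic route into a format-string bug: the server URL-decodes the request, so "%25x" becomes "%x", and then hands the decoded text to a printf-style logger as the format rather than as an argument. The block below is an added example written for this page, not code from Sun's AnswerBook2; url_decode(), count_format_directives() and the buffer-backed logmsg() helper are inventions for the example (logmsg stands in for syslog). log_request_vulnerable() shows the mistake and log_request_hardened() the fix.

```c
/* Added example for CVE-1999-1417: single-pass URL decoding followed by a
 * logger that must never receive the decoded request as its format. */
#include <stdarg.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

static int hexval(int c)
{
    if (c >= '0' && c <= '9') return c - '0';
    if (c >= 'a' && c <= 'f') return c - 'a' + 10;
    if (c >= 'A' && c <= 'F') return c - 'A' + 10;
    return -1;
}

/* Decode %XX escapes exactly once.  Returns the decoded length, or -1 on a
 * truncated or non-hex escape, or if the output buffer is too small. */
int url_decode(const char *in, char *out, size_t outsz)
{
    size_t o = 0;
    for (size_t i = 0; in[i] != '\0'; i++) {
        int c = (unsigned char)in[i];
        if (c == '%') {
            if (in[i + 1] == '\0' || in[i + 2] == '\0')
                return -1;
            int hi = hexval((unsigned char)in[i + 1]);
            int lo = hexval((unsigned char)in[i + 2]);
            if (hi < 0 || lo < 0)
                return -1;
            c = hi * 16 + lo;
            i += 2;
        }
        if (o + 1 >= outsz)
            return -1;
        out[o++] = (char)c;
    }
    out[o] = '\0';
    return (int)o;
}

/* Number of printf conversions the text would trigger if it were used as a
 * format string; "%%" is a literal percent sign and does not count. */
int count_format_directives(const char *s)
{
    int n = 0;
    for (; *s != '\0'; s++) {
        if (*s != '%')
            continue;
        if (s[1] == '%') { s++; continue; }
        n++;
    }
    return n;
}

/* Minimal printf-style logger writing into a buffer (stand-in for syslog). */
static int logmsg(char *dst, size_t dstsz, const char *fmt, ...)
{
    va_list ap;
    va_start(ap, fmt);
    int n = vsnprintf(dst, dstsz, fmt, ap);
    va_end(ap);
    return n;
}

/* Vulnerable: the decoded request *is* the format string.  With "%x" or
 * "%n" in it, vsnprintf reads or writes through an argument list that does
 * not exist: undefined behaviour, i.e. the crash or code execution noted. */
int log_request_vulnerable(char *dst, size_t dstsz, const char *decoded)
{
    return logmsg(dst, dstsz, decoded);
}

/* Hardened: the request is a "%s" argument, so it is copied literally no
 * matter how many '%' characters it contains. */
int log_request_hardened(char *dst, size_t dstsz, const char *decoded)
{
    return logmsg(dst, dstsz, "GET %s", decoded);
}

int main(void)
{
    char decoded[128], line[160];
    const char *request = "/cgi-bin/%2525x%256e";      /* constructed input */
    if (url_decode(request, decoded, sizeof decoded) < 0)
        return 1;
    printf("decoded: %s  (%d format directives)\n",
           decoded, count_format_directives(decoded));
    log_request_hardened(line, sizeof line, decoded);
    printf("logged safely as: %s\n", line);
    return 0;
}
```

Note that the decoder runs once: decoding a second time would turn "%25x" into "%x" again, which is the double-decoding trap a logger downstream of a decoder has to assume. The only safe logger is one whose format is a string literal.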
Current Votes: MODIFY(1) Frech NOOP(3) Cole, Foat, Wall Voter Comments: Frech> XF:icq-webserver-gain-information(8229) CONFIRM:http://online.securityfocus.com/archive/1/13655 ====================================================== Name: CVE-1999-1420 Status: Candidate URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-1999-1420 Phase: Proposed (20010912) Category: SF Reference: BUGTRAQ:19980720 N-Base Vulnerability Advisory Reference: URL:http://marc.theaimsgroup.com/?l=bugtraq&m=90221104526016&w=2 Reference: BUGTRAQ:19980722 N-Base Vulnerability Advisory Followup Reference: URL:http://marc.theaimsgroup.com/?l=bugtraq&m=90221104526065&w=2 Reference: BID:212 Reference: URL:http://www.securityfocus.com/bid/212 NBase switches NH2012, NH2012R, NH2015, and NH2048 have a back door password that cannot be disabled, which allows remote attackers to modify the switch's configuration. Current Votes: ACCEPT(1) Cole NOOP(2) Foat, Wall ====================================================== Name: CVE-1999-1421 Status: Candidate URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-1999-1421 Phase: Proposed (20010912) Category: CF Reference: BUGTRAQ:19980720 N-Base Vulnerability Advisory Reference: URL:http://marc.theaimsgroup.com/?l=bugtraq&m=90221104526016&w=2 Reference: BUGTRAQ:19980722 N-Base Vulnerability Advisory Followup Reference: URL:http://marc.theaimsgroup.com/?l=bugtraq&m=90221104526065&w=2 Reference: BID:212 Reference: URL:http://www.securityfocus.com/bid/212 NBase switches NH208 and NH215 run a TFTP server which allows remote attackers to send software updates to modify the switch or cause a denial of service (crash) by guessing the target filenames, which have default names.
Current Votes: ACCEPT(2) Cole, Foat NOOP(1) Wall ====================================================== Name: CVE-1999-1422 Status: Candidate URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-1999-1422 Phase: Proposed (20010912) Category: CF Reference: BUGTRAQ:19990102 PATH variable in zip-slackware 2.0.35 Reference: URL:http://marc.theaimsgroup.com/?l=bugtraq&m=91540043023167&w=2 Reference: BID:211 Reference: URL:http://www.securityfocus.com/bid/211 The default configuration of Slackware 3.4, and possibly other versions, includes . (dot, the current directory) in the PATH environment variable, which could allow local users to create Trojan horse programs that are inadvertently executed by other users. Current Votes: MODIFY(1) Frech NOOP(3) Cole, Foat, Wall Voter Comments: Frech> XF:linux-path-execute-commands(7561) ====================================================== Name: CVE-1999-1424 Status: Candidate URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-1999-1424 Phase: Proposed (20010912) Category: SF Reference: SUN:00145 Reference: URL:http://sunsolve.sun.com/pub-cgi/retrieve.pl?doctype=coll&doc=secbull/145 Reference: BID:208 Reference: URL:http://www.securityfocus.com/bid/208 Solaris Solstice AdminSuite (AdminSuite) 2.1 uses unsafe permissions when adding new users to the NIS+ password table, which allows local users to gain root access by modifying their password table entries.
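The Slackware PATH entry (CVE-1999-1422, above) is easy to audit for, and the audit is a little wider than "look for a dot": an empty element ("/bin::/usr/bin", or a leading or trailing colon) also means the current directory, and any relative element has the same effect when the victim happens to be in a directory the attacker can write to, such as /tmp. The following is an added example written for this page, not code from Slackware: count_unsafe_path_entries() audits a PATH value and clean_path() rewrites it with the offending entries dropped.

```c
/* Added example for CVE-1999-1422: audit and clean a PATH value. */
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* An entry is unsafe if it is empty (means "."), is ".", or is relative. */
static int entry_is_unsafe(const char *entry, size_t len)
{
    return len == 0 || entry[0] != '/';
}

/* Number of entries in a colon-separated PATH that are unsafe. */
int count_unsafe_path_entries(const char *path)
{
    int unsafe = 0;
    const char *p = path;
    for (;;) {
        const char *sep = strchr(p, ':');
        size_t len = sep ? (size_t)(sep - p) : strlen(p);
        if (entry_is_unsafe(p, len))
            unsafe++;
        if (sep == NULL)
            break;
        p = sep + 1;
    }
    return unsafe;
}

/* Copy path into out with unsafe entries removed.  Returns the number of
 * entries dropped, or -1 if out is too small for the result. */
int clean_path(const char *path, char *out, size_t outsz)
{
    int dropped = 0;
    size_t o = 0;
    const char *p = path;
    for (;;) {
        const char *sep = strchr(p, ':');
        size_t len = sep ? (size_t)(sep - p) : strlen(p);
        if (entry_is_unsafe(p, len)) {
            dropped++;
        } else {
            size_t need = len + (o > 0 ? 1 : 0);
            if (o + need + 1 > outsz)
                return -1;
            if (o > 0)
                out[o++] = ':';
            memcpy(out + o, p, len);
            o += len;
        }
        if (sep == NULL)
            break;
        p = sep + 1;
    }
    if (outsz == 0)
        return -1;
    out[o] = '\0';
    return dropped;
}

int main(void)
{
    const char *path = getenv("PATH");
    char cleaned[4096];
    if (path == NULL)
        path = "";
    int n = count_unsafe_path_entries(path);
    printf("PATH has %d unsafe entr%s\n", n, n == 1 ? "y" : "ies");
    if (clean_path(path, cleaned, sizeof cleaned) >= 0)
        printf("cleaned: %s\n", cleaned);
    return n ? 1 : 0;
}
```

Run it as part of a login-script review; a non-zero exit means the shell in front of you would search the working directory for commands. Putting "." last in PATH, a common "compromise", still loses when the attacker picks a name the user mistypes or that is not installed on that box.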
Current Votes: ACCEPT(4) Cole, Dik, Foat, Stracener MODIFY(1) Frech Voter Comments: Frech> XF:solaris-adminsuite-nisplus-password(7467) Dik> sun bug:1237225 ====================================================== Name: CVE-1999-1425 Status: Candidate URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-1999-1425 Phase: Proposed (20010912) Category: SF Reference: SUN:00145 Reference: URL:http://sunsolve.sun.com/pub-cgi/retrieve.pl?doctype=coll&doc=secbull/145 Reference: BID:208 Reference: URL:http://www.securityfocus.com/bid/208 Solaris Solstice AdminSuite (AdminSuite) 2.1 incorrectly sets write permissions on source files for NIS maps, which could allow local users to gain privileges by modifying /etc/passwd. Current Votes: ACCEPT(4) Cole, Dik, Foat, Stracener MODIFY(1) Frech Voter Comments: Frech> XF:solaris-adminsuite-password-map-permissions(7468) Dik> 1236787 ====================================================== Name: CVE-1999-1426 Status: Candidate URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-1999-1426 Phase: Proposed (20010912) Category: SF Reference: SUN:00145 Reference: URL:http://sunsolve.sun.com/pub-cgi/retrieve.pl?doctype=coll&doc=secbull/145 Reference: BID:208 Reference: URL:http://www.securityfocus.com/bid/208 Solaris Solstice AdminSuite (AdminSuite) 2.1 follows symbolic links when updating an NIS database, which allows local users to overwrite arbitrary files. 
Current Votes: ACCEPT(4) Cole, Dik, Foat, Stracener MODIFY(1) Frech Voter Comments: Frech> XF:solaris-adminsuite-symlink(7469) Dik> sun bug: 1262888 ====================================================== Name: CVE-1999-1427 Status: Candidate URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-1999-1427 Phase: Proposed (20010912) Category: SF Reference: SUN:00145 Reference: URL:http://sunsolve.sun.com/pub-cgi/retrieve.pl?doctype=coll&doc=secbull/145 Reference: BID:208 Reference: URL:http://www.securityfocus.com/bid/208 Solaris Solstice AdminSuite (AdminSuite) 2.1 and 2.2 create lock files insecurely, which allows local users to gain root privileges. Current Votes: ACCEPT(4) Cole, Dik, Foat, Stracener MODIFY(1) Frech Voter Comments: Frech> XF:solaris-adminsuite-lock-file(7470) Dik> sun bug: 1262888 ====================================================== Name: CVE-1999-1428 Status: Candidate URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-1999-1428 Phase: Proposed (20010912) Category: SF Reference: SUN:00145 Reference: URL:http://sunsolve.sun.com/pub-cgi/retrieve.pl?doctype=coll&doc=secbull/145 Reference: BID:208 Reference: URL:http://www.securityfocus.com/bid/208 Solaris Solstice AdminSuite (AdminSuite) 2.1 and 2.2 allows local users to gain privileges via the save option in the Database Manager, which is running with setgid bin privileges. 
Current Votes: ACCEPT(4) Cole, Dik, Foat, Stracener MODIFY(1) Frech Voter Comments: Frech> XF:solaris-adminsuite-database-manager(7471) Dik> sun bug: 4005611 ====================================================== Name: CVE-1999-1429 Status: Candidate URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-1999-1429 Phase: Proposed (20010912) Category: SF Reference: BUGTRAQ:19980105 Security flaw in either DIT TransferPro or Solaris Reference: URL:http://marc.theaimsgroup.com/?l=bugtraq&m=88419633507543&w=2 Reference: BID:204 Reference: URL:http://www.securityfocus.com/bid/204 DIT TransferPro installs devices with world-readable and world-writable permissions, which could allow local users to damage disks through the ff device driver. Current Votes: MODIFY(1) Frech NOOP(3) Cole, Foat, Wall Voter Comments: Frech> XF:transferpro-devices-insecure-permissions(7305) ====================================================== Name: CVE-1999-1430 Status: Candidate URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-1999-1430 Phase: Proposed (20010912) Category: SF Reference: BUGTRAQ:19990102 security problem with Royal daVinci Reference: URL:http://marc.theaimsgroup.com/?l=bugtraq&m=91540043723185&w=2 Reference: BID:185 Reference: URL:http://www.securityfocus.com/bid/185 PIM software for Royal daVinci does not properly password-protect access to data stored in the .mdb (Microsoft Access) file, which allows local users to read the data without a password by directly accessing the files with a different application, such as Access.
Current Votes: MODIFY(1) Frech NOOP(3) Cole, Foat, Wall Voter Comments: Frech> XF:davinci-pim-access-information(7562) ====================================================== Name: CVE-1999-1431 Status: Candidate URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-1999-1431 Phase: Proposed (20010912) Category: SF Reference: NTBUGTRAQ:19990107 WinNT, ZAK and Office 97 Reference: URL:http://marc.theaimsgroup.com/?l=ntbugtraq&m=91576100022688&w=2 Reference: NTBUGTRAQ:19990109 WinNT, ZAK and Office 97 Reference: URL:http://marc.theaimsgroup.com/?l=ntbugtraq&m=91606260910008&w=2 Reference: BID:181 Reference: URL:http://www.securityfocus.com/bid/181 ZAK in Appstation mode allows users to bypass the "Run only allowed apps" policy by starting Explorer from Office 97 applications (such as Word), installing software into the TEMP directory, and changing the name to that for an allowed application, such as Winword.exe. Current Votes: MODIFY(1) Frech NOOP(3) Cole, Foat, Wall Voter Comments: Frech> XF:zak-bypass-restrictions(7563) ====================================================== Name: CVE-1999-1434 Status: Candidate URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-1999-1434 Phase: Proposed (20010912) Category: SF Reference: BUGTRAQ:19980713 Slackware Shadow Insecurity Reference: URL:http://marc.theaimsgroup.com/?l=bugtraq&m=90221104525951&w=2 Reference: BID:155 Reference: URL:http://www.securityfocus.com/bid/155 login in Slackware Linux 3.2 through 3.5 does not properly check for an error when the /etc/group file is missing, which prevents it from dropping privileges, causing it to assign root privileges to any local user who logs on to the server. Current Votes: NOOP(3) Cole, Foat, Wall ====================================================== Name: CVE-1999-1435 Status: Candidate URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-1999-1435 Phase: Proposed (20010912) Category: SF Reference: BUGTRAQ:19980710 socks5 1.0r5 buffer overflow.. 
Reference: URL:http://marc.theaimsgroup.com/?l=bugtraq&m=90221104525933&w=2 Reference: BID:154 Reference: URL:http://www.securityfocus.com/bid/154 Buffer overflow in libsocks5 library of Socks 5 (socks5) 1.0r5 allows local users to gain privileges via long environment variables. Current Votes: ACCEPT(1) Cole NOOP(2) Foat, Wall ====================================================== Name: CVE-1999-1436 Status: Candidate URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-1999-1436 Phase: Proposed (20010912) Category: SF Reference: BUGTRAQ:19980708 WWW Authorization Gateway Reference: URL:http://marc.theaimsgroup.com/?l=bugtraq&m=90221104525905&w=2 Reference: BID:152 Reference: URL:http://www.securityfocus.com/bid/152 Ray Chan WWW Authorization Gateway 0.1 CGI program allows remote attackers to execute arbitrary commands via shell metacharacters in the "user" parameter. Current Votes: NOOP(3) Cole, Foat, Wall ====================================================== Name: CVE-1999-1438 Status: Candidate URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-1999-1438 Phase: Proposed (20010912) Category: SF Reference: CERT:CA-1991-01 Reference: URL:http://www.cert.org/advisories/CA-91.01a.SunOS.mail.vulnerability Reference: SUN:00105 Reference: URL:http://sunsolve.sun.com/pub-cgi/retrieve.pl?doctype=coll&doc=secbull/105 Reference: BID:15 Reference: URL:http://www.securityfocus.com/bid/15 Vulnerability in /bin/mail in SunOS 4.1.1 and earlier allows local users to gain root privileges via certain command line arguments. Current Votes: ACCEPT(4) Cole, Dik, Foat, Stracener MODIFY(1) Frech NOOP(2) Christey, Wall Voter Comments: Frech> XF:bsd-binmail(515) Dik> sun bug: 1047340 Christey> Is there overlap between CVE-1999-1415 and CVE-1999-1438? Both CERT advisories are vague.
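CVE-1999-1399 (spaceball reading HOSTNAME as a setuid program) and CVE-1999-1436 (the WWW Authorization Gateway's "user" parameter), both above, have the same shape: a string the attacker controls is spliced into a command line that reaches system() or popen(), so ";", backquotes, "$(" and the rest run whatever follows. The block below is an added example written for this page, not code from either program. build_command_vulnerable() shows the splice (the ping command line is hypothetical, chosen only to have something to splice into), is_safe_hostname() is the allow-list check a program that must accept a host name should apply, and run_argv() runs a program with no shell in the picture at all.

```c
/* Added example for CVE-1999-1399 and CVE-1999-1436: shell-command splicing
 * of untrusted input, the allow-list check, and shell-free execution. */
#define _XOPEN_SOURCE 700
#include <ctype.h>
#include <stdio.h>
#include <string.h>
#include <sys/wait.h>
#include <unistd.h>

/* Vulnerable pattern: the untrusted host lands inside a shell command.
 * A value such as "x; rm -rf /" or "`id`" is executed by system(). */
int build_command_vulnerable(char *cmd, size_t sz, const char *host)
{
    return snprintf(cmd, sz, "/usr/sbin/ping -c 1 %s", host);  /* then system(cmd) */
}

/* Characters the Bourne shell treats specially; any of them in an
 * attacker-controlled string is a red flag whenever a shell is involved. */
int shell_metachar_count(const char *s)
{
    static const char meta[] = ";|&$`\\\"'<>(){}[]*?~ \t\n";
    int n = 0;
    for (; *s != '\0'; s++)
        if (strchr(meta, *s) != NULL)
            n++;
    return n;
}

/* Allow-list rather than deny-list: RFC 1123 host names only, i.e.
 * dot-separated labels of letters, digits and '-', no label beginning or
 * ending with '-', at most 63 characters per label and 253 overall.
 * A leading '-' is also refused so the value cannot become an option. */
int is_safe_hostname(const char *s)
{
    size_t total = strlen(s);
    if (total == 0 || total > 253)
        return 0;
    size_t label = 0;
    for (size_t i = 0; i <= total; i++) {
        char c = s[i];
        if (c == '.' || c == '\0') {
            if (label == 0 || label > 63 || s[i - 1] == '-')
                return 0;
            label = 0;
            continue;
        }
        if (!(isalnum((unsigned char)c) || c == '-'))
            return 0;
        if (label == 0 && c == '-')
            return 0;
        label++;
    }
    return 1;
}

/* Hardened execution: argv goes straight to execvp, so the host value is a
 * single argument and nothing inside it is interpreted.  Returns the
 * child's exit status, 127 if it could not be executed, -1 on fork/wait
 * failure. */
int run_argv(char *const argv[])
{
    pid_t pid = fork();
    if (pid < 0)
        return -1;
    if (pid == 0) {
        execvp(argv[0], argv);
        _exit(127);
    }
    int status;
    if (waitpid(pid, &status, 0) < 0)
        return -1;
    return WIFEXITED(status) ? WEXITSTATUS(status) : -1;
}

int main(void)
{
    const char *host = "host.example; id";      /* constructed hostile input */
    char cmd[256];
    build_command_vulnerable(cmd, sizeof cmd, host);
    printf("system() would run: %s  (%d shell metacharacters)\n",
           cmd, shell_metachar_count(host));
    printf("is_safe_hostname(\"%s\") = %d\n", host, is_safe_hostname(host));
    char *argv[] = { "true", "host.example; id", NULL };
    printf("run_argv with the same string as one argv element: exit %d\n",
           run_argv(argv));
    return 0;
}
```

For the setuid case there is a second lesson the spaceball bug teaches: a privileged program should not trust its inherited environment at all, and clearing or pinning PATH, IFS and the like before doing anything else is part of the same fix.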
====================================================== Name: CVE-1999-1439 Status: Candidate URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-1999-1439 Phase: Proposed (20010912) Category: SF Reference: BUGTRAQ:19980102 Symlink bug with GCC 2.7.2 Reference: URL:http://marc.theaimsgroup.com/?l=bugtraq&m=88419592307388&w=2 Reference: BUGTRAQ:19980108 GCC Exploit Reference: URL:http://marc.theaimsgroup.com/?l=bugtraq&m=88524071002939&w=2 Reference: BUGTRAQ:19980115 GCC 2.7.? /tmp files Reference: URL:http://marc.theaimsgroup.com/?l=bugtraq&m=88492937727193&w=2 Reference: BID:146 Reference: URL:http://www.securityfocus.com/bid/146 gcc 2.7.2 allows local users to overwrite arbitrary files via a symlink attack on temporary .i, .s, or .o files. Current Votes: ACCEPT(1) Cole MODIFY(1) Frech NOOP(2) Foat, Wall Voter Comments: Frech> XF:gnu-gcc-tmp-symlink(7338) ====================================================== Name: CVE-1999-1440 Status: Candidate URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-1999-1440 Phase: Proposed (20010912) Category: SF Reference: BUGTRAQ:19990101 Win32 ICQ 98a flaw Reference: URL:http://marc.theaimsgroup.com/?l=bugtraq&m=91522424302962&w=2 Reference: BID:132 Reference: URL:http://www.securityfocus.com/bid/132 Win32 ICQ 98a 1.30, and possibly other versions, does not display the entire portion of long filenames, which could allow attackers to send an executable file with a long name that contains so many spaces that the .exe extension is not displayed, which could make the user believe that the file is safe to open from the client. 
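CVE-1999-1405 (snap's fixed /tmp/ibmsupt directory, above) and CVE-1999-1439 (gcc's temporary .i, .s and .o files, just above) are the two faces of the /tmp race: a predictable name that a local user can create first, either as a directory the privileged process will then populate, or as a symlink to a file the privileged process will then write. The block below is an added example written for this page, not code from AIX or gcc. create_private_dir() refuses to reuse anything already present at a fixed path; open_private_file() uses O_CREAT|O_EXCL so a planted symlink makes the open fail instead of being followed; mkstemp() is the library form of the same idea with an unpredictable name. demo() runs all of it in a scratch directory under /tmp (assumed writable) and returns how many of its four checks passed.

```c
/* Added example for CVE-1999-1405 and CVE-1999-1439: safe creation of a
 * fixed-name directory and of temporary files in a world-writable /tmp. */
#define _XOPEN_SOURCE 700
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/stat.h>
#include <unistd.h>

/* Create a 0700 directory at a fixed path.  EEXIST (someone got there
 * first, e.g. an attacker-made /tmp/ibmsupt) is an error, not a success,
 * and the result is re-checked so a racing rename cannot swap it out. */
int create_private_dir(const char *path)
{
    if (mkdir(path, 0700) == -1)
        return -1;
    struct stat st;
    if (lstat(path, &st) == -1 || !S_ISDIR(st.st_mode) ||
        st.st_uid != getuid() || (st.st_mode & 077) != 0)
        return -1;
    return 0;
}

/* Create a brand-new file; fails with EEXIST if anything, including a
 * dangling symlink, is already at that path. */
int open_private_file(const char *path)
{
    return open(path, O_WRONLY | O_CREAT | O_EXCL, 0600);
}

/* Write a small payload the way a compiler writes a temporary: unique
 * name chosen by mkstemp, created O_EXCL with mode 0600. */
static int write_temp(const char *template_in, char *name_out, size_t sz)
{
    snprintf(name_out, sz, "%s", template_in);
    int fd = mkstemp(name_out);
    if (fd == -1)
        return -1;
    const char payload[] = "int main(void){return 0;}\n";   /* constructed */
    int ok = write(fd, payload, sizeof payload - 1) == (ssize_t)(sizeof payload - 1);
    close(fd);
    return ok ? 0 : -1;
}

/* Exercise the three defences in a scratch tree; returns checks passed (0-4). */
int demo(void)
{
    char base[] = "/tmp/cve-tmp-demo-XXXXXX";
    if (mkdtemp(base) == NULL)
        return -1;
    int passed = 0;
    char dir[256], link[256], target[256], tmpl[256], made[256] = "";
    struct stat st;
    snprintf(dir, sizeof dir, "%s/ibmsupt", base);
    snprintf(link, sizeof link, "%s/victim.s", base);
    snprintf(target, sizeof target, "%s/target", base);
    snprintf(tmpl, sizeof tmpl, "%s/ccXXXXXX", base);

    /* 1. a fresh fixed-name directory is created, mode 0700 */
    if (create_private_dir(dir) == 0)
        passed++;
    /* 2. the same call refuses a directory that already exists */
    if (create_private_dir(dir) == -1 && errno == EEXIST)
        passed++;
    /* 3. attacker plants victim.s -> target; O_EXCL refuses to follow it
     *    and the target is never created */
    if (symlink(target, link) == 0 &&
        open_private_file(link) == -1 && errno == EEXIST &&
        access(target, F_OK) == -1)
        passed++;
    /* 4. the mkstemp-made file is private to its owner */
    if (write_temp(tmpl, made, sizeof made) == 0) {
        if (stat(made, &st) == 0 && (st.st_mode & 0777) == 0600)
            passed++;
        unlink(made);
    }

    unlink(link);
    rmdir(dir);
    rmdir(base);
    return passed;
}

int main(void)
{
    printf("%d of 4 checks passed\n", demo());
    return 0;
}
```

The directory case is the one people still get wrong: a program that does mkdir and then ignores EEXIST has handed the contents of that directory to whoever created it first, which is precisely how a pre-made /tmp/ibmsupt/general/passwd ends up readable.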
Current Votes: ACCEPT(1) Cole MODIFY(1) Frech NOOP(2) Foat, Wall Voter Comments: Frech> XF:icq-long-filename(7564) ====================================================== Name: CVE-1999-1441 Status: Candidate URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-1999-1441 Phase: Proposed (20010912) Category: SF Reference: BUGTRAQ:19980630 Serious Linux 2.0.34 security problem Reference: URL:http://marc.theaimsgroup.com/?l=bugtraq&m=90221103126047&w=2 Reference: BID:111 Reference: URL:http://www.securityfocus.com/bid/111 Linux 2.0.34 does not properly prevent users from sending SIGIO signals to arbitrary processes, which allows local users to cause a denial of service by sending SIGIO to processes that do not catch it. Current Votes: MODIFY(1) Frech NOOP(3) Cole, Foat, Wall Voter Comments: Frech> XF:linux-sigio-dos(7339) ====================================================== Name: CVE-1999-1442 Status: Candidate URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-1999-1442 Phase: Proposed (20010912) Category: SF Reference: MISC:http://www.cs.helsinki.fi/linux/linux-kernel/Year-1998/1998-25/0816.html Reference: MISC:http://uwsg.iu.edu/hypermail/linux/kernel/9805.3/0855.html Reference: BID:105 Reference: URL:http://www.securityfocus.com/bid/105 Bug in AMD K6 processor on Linux 2.0.x and 2.1.x kernels allows local users to cause a denial of service (crash) via a particular sequence of instructions, possibly related to accessing addresses outside of segments. Current Votes: MODIFY(1) Frech NOOP(3) Cole, Foat, Wall Voter Comments: Frech> XF:linux-k6-dos(7340) ====================================================== Name: CVE-1999-1443 Status: Candidate URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-1999-1443 Phase: Proposed (20010912) Category: SF Reference: BUGTRAQ:19980602 Full Armor.... Fool Proof etc... bugs Reference: URL:http://marc.theaimsgroup.com/?l=bugtraq&m=90221103125889&w=2 Reference: BUGTRAQ:19980609 Full Armor Reference: URL:http://marc.theaimsgroup.com/?l=bugtraq&m=90221103125869&w=2 Reference: BID:103 Reference: URL:http://www.securityfocus.com/bid/103 Micah Software Full Armor Network Configurator and Zero Administration allow local users with physical access to bypass the desktop protection by (1) killing the process with the Task Manager, (2) booting the system from a separate disk, or (3) interrupting certain processes that execute while the system is booting. Current Votes: MODIFY(1) Frech NOOP(3) Cole, Foat, Wall Voter Comments: Frech> XF:full-armor-protection-bypass(7341) ====================================================== Name: CVE-1999-1444 Status: Candidate URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-1999-1444 Phase: Proposed (20010912) Category: SF Reference: MISC:http://catless.ncl.ac.uk/Risks/20.41.html#subj4 genkey utility in Alibaba 2.0 generates RSA key pairs with an exponent of 1, which results in transactions that are sent in cleartext. Current Votes: NOOP(3) Cole, Foat, Wall REVIEWING(1) Frech Voter Comments: Frech> (Task 2290) ====================================================== Name: CVE-1999-1445 Status: Candidate URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-1999-1445 Phase: Proposed (20010912) Category: SF Reference: BUGTRAQ:19980202 imapd/ipop3d coredump in slackware 3.4 Reference: URL:http://marc.theaimsgroup.com/?l=bugtraq&m=88637951600184&w=2 Vulnerability in imapd and ipop3d in Slackware 3.4 and 3.3 with shadowing enabled, and possibly other operating systems, allows remote attackers to cause a core dump via a short sequence of USER and PASS commands that do not provide valid usernames or passwords.
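The Alibaba entry (CVE-1999-1444, above) is the shortest cryptography lesson on this list: RSA encryption is c = m^e mod n, so with e = 1 the "ciphertext" is the plaintext and every session set up with such a key travels in the clear. The block below is an added example written for this page, not code from Alibaba or its genkey utility. It uses the textbook toy parameters p = 61, q = 53 (n = 3233, phi = 3120); modpow() is a square-and-multiply written for the example, and rsa_public_exponent_ok() is the check a key generator has to apply before it emits anything.

```c
/* Added example for CVE-1999-1444: why e = 1 means no encryption, and the
 * public-exponent check a key generator must perform.  Toy-sized numbers
 * only; real RSA needs a bignum library. */
#include <stdint.h>
#include <stdio.h>

/* (a * b) mod m without overflow, valid for m < 2^63. */
static uint64_t mulmod(uint64_t a, uint64_t b, uint64_t m)
{
    uint64_t r = 0;
    a %= m;
    b %= m;
    while (b > 0) {
        if (b & 1)
            r = (r + a) % m;
        a = (a * 2) % m;
        b >>= 1;
    }
    return r;
}

/* base^exp mod m by square-and-multiply. */
uint64_t modpow(uint64_t base, uint64_t exp, uint64_t m)
{
    uint64_t result = 1 % m;
    base %= m;
    while (exp > 0) {
        if (exp & 1)
            result = mulmod(result, base, m);
        base = mulmod(base, base, m);
        exp >>= 1;
    }
    return result;
}

static uint64_t gcd(uint64_t a, uint64_t b)
{
    while (b != 0) {
        uint64_t t = a % b;
        a = b;
        b = t;
    }
    return a;
}

/* Accept e only if it is odd, at least 3, below phi = (p-1)(q-1) and
 * coprime to it.  e = 1 is the Alibaba bug; an even e or gcd(e, phi) != 1
 * has no inverse d, so the pair would not even decrypt. */
int rsa_public_exponent_ok(uint64_t e, uint64_t phi)
{
    if (e < 3 || (e & 1) == 0 || e >= phi)
        return 0;
    return gcd(e, phi) == 1;
}

/* RSA encryption as the protocol applies it: c = m^e mod n. */
uint64_t rsa_encrypt(uint64_t m, uint64_t e, uint64_t n)
{
    return modpow(m, e, n);
}

/* True if every message below upto (and below n) encrypts to itself under
 * (e, n), i.e. the key does not encrypt at all. */
int encryption_is_identity(uint64_t e, uint64_t n, uint64_t upto)
{
    for (uint64_t m = 0; m < upto && m < n; m++)
        if (rsa_encrypt(m, e, n) != m)
            return 0;
    return 1;
}

int main(void)
{
    const uint64_t n = 3233, phi = 3120, m = 65;   /* textbook toy key */
    printf("e=1 : c = %llu  identity=%d  accepted=%d\n",
           (unsigned long long)rsa_encrypt(m, 1, n),
           encryption_is_identity(1, n, 1000), rsa_public_exponent_ok(1, phi));
    printf("e=17: c = %llu  identity=%d  accepted=%d\n",
           (unsigned long long)rsa_encrypt(m, 17, n),
           encryption_is_identity(17, n, 1000), rsa_public_exponent_ok(17, phi));
    return 0;
}
```

With e = 17 the toy key encrypts 65 to 2790 and the matching d = 2753 recovers it; with e = 1 the "encryption" returns 65 unchanged for every message, which is exactly the cleartext the RISKS item describes. A generator that fixes e to 65537 (or 3, with proper padding) and verifies gcd(e, phi) = 1 cannot produce this key.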
Current Votes: MODIFY(1) Frech NOOP(3) Cole, Foat, Wall Voter Comments: Frech> XF:linux-imapd-ipop3d-dos(7345) ====================================================== Name: CVE-1999-1446 Status: Candidate URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-1999-1446 Phase: Proposed (20010912) Category: SF Reference: NTBUGTRAQ:19970805 Re: Strange behavior regarding directory Reference: URL:http://marc.theaimsgroup.com/?l=ntbugtraq&m=87602837719654&w=2 Reference: NTBUGTRAQ:19970806 Re: Strange behavior regarding directory Reference: URL:http://marc.theaimsgroup.com/?l=ntbugtraq&m=87602837719655&w=2 Internet Explorer 3 records a history of all URLs that are visited by a user in DAT files located in the Temporary Internet Files and History folders, which are not cleared when the user selects the "Clear History" option, and are not visible when the user browses the folders because of tailored displays. Current Votes: MODIFY(1) Frech NOOP(2) Cole, Foat Voter Comments: Frech> XF:http-ie-record(524) In description, URL's should be URLs. ====================================================== Name: CVE-1999-1447 Status: Candidate URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-1999-1447 Phase: Modified (20020218-01) Category: SF Reference: BUGTRAQ:19980728 Object tag crashes Internet Explorer 4.0 Reference: URL:http://marc.theaimsgroup.com/?l=bugtraq&m=90221104526169&w=2 Reference: BUGTRAQ:19980730 Re: Object tag crashes Internet Explorer 4.0 Reference: URL:http://marc.theaimsgroup.com/?l=bugtraq&m=90221104526188&w=2 Internet Explorer 4.0 allows remote attackers to cause a denial of service (crash) via HTML code that contains a long CLASSID parameter in an OBJECT tag.
Current Votes: ACCEPT(2) Cole, Wall NOOP(2) Christey, Foat Voter Comments: Christey> BUGTRAQ:19980730 Re: Object tag crashes Internet Explorer 4.0 URL:http://marc.theaimsgroup.com/?l=bugtraq&m=90221104526188&w=2 ====================================================== Name: CVE-1999-1448 Status: Candidate URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-1999-1448 Phase: Proposed (20010912) Category: SF Reference: BUGTRAQ:19980729 Eudora exploit (was Microsoft Security Bulletin (MS98-008)) Reference: URL:http://marc.theaimsgroup.com/?l=bugtraq&m=90221104526168&w=2 Eudora and Eudora Light before 3.05 allows remote attackers to cause a crash and corrupt the user's mailbox via an e-mail message with certain dates, such as (1) dates before 1970, which cause a Divide By Zero error, or (2) dates that are 100 years after the current date, which causes a segmentation fault. Current Votes: NOOP(3) Cole, Foat, Wall ====================================================== Name: CVE-1999-1449 Status: Candidate URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-1999-1449 Phase: Proposed (20010912) Category: SF Reference: BUGTRAQ:19970519 /dev/tcx0 crashes SunOS 4.1.4 on Sparc 20's Reference: URL:http://oamk.fi/~jukkao/bugtraq/before-971202/0498.html Reference: MISC:http://www.insecure.org/sploits/sunos.dev.tcx0.write.wierd.shit.to.device.bug.html SunOS 4.1.4 on a Sparc 20 machine allows local users to cause a denial of service (kernel panic) by reading from the /dev/tcx0 TCX device. 
Current Votes:
   MODIFY(1) Frech
   NOOP(2) Cole, Foat

Voter Comments:
 Frech> XF:sun-tcx-dos(7197)

======================================================
Name: CVE-1999-1450
Status: Candidate
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-1999-1450
Phase: Proposed (20010912)
Category: SF
Reference: SCO:SB-99.03b
Reference: URL:ftp://ftp.sco.com/SSE/security_bulletins/SB-99.03b
Reference: SCO:SB-99.06b
Reference: URL:ftp://ftp.sco.com/SSE/security_bulletins/SB-99.06b
Reference: SCO:SSE020
Reference: URL:ftp://ftp.sco.COM/SSE/sse020.ltr
Reference: SCO:SSE023

Vulnerability in (1) rlogin daemon rshd and (2) scheme on SCO UNIX OpenServer 5.0.5 and earlier, and SCO UnixWare 7.0.1 and earlier, allows remote attackers to gain privileges.

Current Votes:
   ACCEPT(3) Cole, Foat, Stracener
   MODIFY(1) Frech

Voter Comments:
 Frech> XF:sco-rshd(7466)
   Correct URLs are listed below:
   Reference: SCO:SSE020
   Reference: URL:ftp://stage.caldera.com/pub/security/sse/sse020/sse020.ltr
   Reference: SCO:SSE023
   Reference: URL:ftp://stage.caldera.com/pub/security/sse/sse023/sse023.ltr

======================================================
Name: CVE-1999-1451
Status: Candidate
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-1999-1451
Phase: Proposed (20010912)
Category: SF
Reference: MSKB:Q231368
Reference: URL:http://support.microsoft.com/support/kb/articles/q231/3/68.asp
Reference: MS:MS99-013
Reference: URL:http://www.microsoft.com/technet/security/bulletin/ms99-013.asp
Reference: XF:iis-samples-winmsdp(3271)
Reference: URL:http://xforce.iss.net/static/3271.php

The Winmsdp.exe sample file in IIS 4.0 and Site Server 3.0 allows remote attackers to read arbitrary files.

Current Votes:
   ACCEPT(4) Cole, Foat, Frech, Wall

======================================================
Name: CVE-1999-1453
Status: Candidate
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-1999-1453
Phase: Proposed (20010912)
Category: SF
Reference: NTBUGTRAQ:19990222 New IE4 vulnerability : the clipboard again.
Reference: URL:http://marc.theaimsgroup.com/?l=ntbugtraq&m=91979439932341&w=2
Reference: BID:215
Reference: URL:http://www.securityfocus.com/bid/215

Internet Explorer 4 allows remote attackers (malicious web site operators) to read the contents of the clipboard via the Internet WebBrowser ActiveX object.

Current Votes:
   ACCEPT(1) Wall
   MODIFY(1) Frech
   NOOP(2) Cole, Foat

Voter Comments:
 Frech> XF:webbrowser-activex-view-clipboard(7565)
   REMOVE:http://www.securityfocus.com/bid/215
   This reference deals with the Forms vulnerability only.

======================================================
Name: CVE-1999-1454
Status: Candidate
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-1999-1454
Phase: Proposed (20010912)
Category: SF
Reference: BUGTRAQ:19991004 Weakness In "The Matrix" Screensaver For Windows
Reference: URL:http://marc.theaimsgroup.com/?l=bugtraq&m=93915027622690&w=2

Macromedia "The Matrix" screen saver on Windows 95 with the "Password protected" option enabled allows attackers with physical access to the machine to bypass the password prompt by pressing the ESC (Escape) key.

Current Votes:
   MODIFY(1) Frech
   NOOP(4) Christey, Cole, Foat, Wall

Voter Comments:
 Christey> Looks like there might have been a re-discovery, though the exploit is slightly different, and there is insufficient detail to be certain that this isn't for a different Matrix screen saver:
   BUGTRAQ:20010801 matrix screensvr(16 Bit CineMac Screen Saver Engine) - [input validation error?]
   URL:http://marc.theaimsgroup.com/?l=bugtraq&m=99669949717618&w=2
   BID:3130
   URL:http://www.securityfocus.com/bid/3130
 Frech> XF:matrix-win95-password-bypass(8280)

======================================================
Name: CVE-1999-1457
Status: Candidate
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-1999-1457
Phase: Proposed (20010912)
Category: SF
Reference: SUSE:19991116 thttpd
Reference: URL:http://www.novell.com/linux/security/advisories/suse_security_announce_30.html

Buffer overflow in thttpd HTTP server before 2.04-31 allows remote attackers to execute arbitrary commands via a long date string, which is not properly handled by the tdate_parse function.

Current Votes:
   ACCEPT(3) Cole, Foat, Stracener
   REJECT(1) Frech

======================================================
Name: CVE-1999-1458
Status: Candidate
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-1999-1458
Phase: Proposed (20010912)
Category: SF
Reference: BUGTRAQ:19990125 Digital Unix 4.0 exploitable buffer overflows
Reference: URL:http://www.securityfocus.com/archive/1/12121
Reference: SCO:SSRT0583U
Reference: URL:http://ftp1.support.compaq.com/public/dunix/v4.0d/ssrt0583u.README
Reference: XF:du-at(3138)
Reference: URL:http://xforce.iss.net/static/3138.php

Buffer overflow in at program in Digital UNIX 4.0 allows local users to gain root privileges via a long command line argument.
Current Votes:
   ACCEPT(3) Cole, Foat, Frech
   NOOP(1) Stracener

======================================================
Name: CVE-1999-1459
Status: Candidate
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-1999-1459
Phase: Proposed (20010912)
Category: SF
Reference: ISS:19981102 BMC PATROL File Creation Vulnerability
Reference: URL:http://xforce.iss.net/alerts/advise10.php
Reference: XF:bmc-patrol-file-create(1388)
Reference: URL:http://xforce.iss.net/static/1388.php
Reference: BID:534
Reference: URL:http://www.securityfocus.com/bid/534

BMC PATROL Agent before 3.2.07 allows local users to gain root privileges via a symlink attack on a temporary file.

Current Votes:
   ACCEPT(2) Cole, Frech
   NOOP(3) Christey, Foat, Wall

Voter Comments:
 Christey> The vendor has acknowledged this vulnerability via e-mail. It has been fixed.
   NOTE: despite the fact that this candidate has been acknowledged and fixed by the vendor, it is affected by the CVE content decision CD:SF-LOC. It cannot be accepted until the CD:SF-LOC guidelines have been finalized.

======================================================
Name: CVE-1999-1460
Status: Candidate
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-1999-1460
Phase: Proposed (20010912)
Category: SF
Reference: BUGTRAQ:19990713 Root Perms Gained with Patrol SNMP Agent 3.2 (all others?)
Reference: URL:http://marc.theaimsgroup.com/?l=bugtraq&m=93198293132463&w=2
Reference: BUGTRAQ:19990801 Re: Root Perms Gained with Patrol SNMP Agent 3.2 (all others?)
Reference: URL:http://marc.theaimsgroup.com/?l=bugtraq&m=93372579004129&w=2
Reference: BID:525
Reference: URL:http://www.securityfocus.com/bid/525

BMC PATROL SNMP Agent before 3.2.07 allows local users to create arbitrary world-writeable files as root by specifying the target file as the second argument to the snmpmagt program.
Current Votes:
   MODIFY(1) Frech
   NOOP(4) Christey, Cole, Foat, Wall

Voter Comments:
 Frech> XF:patrol-snmp-file-creation(2347)
 Christey> The vendor has acknowledged this vulnerability via e-mail. It has been fixed.
   NOTE: despite the fact that this candidate has been acknowledged and fixed by the vendor, it is affected by the CVE content decision CD:SF-LOC. It cannot be accepted until the CD:SF-LOC guidelines have been finalized.

======================================================
Name: CVE-1999-1461
Status: Candidate
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-1999-1461
Phase: Proposed (20010912)
Category: SF
Reference: BUGTRAQ:19970507 Irix: misc
Reference: URL:http://marc.theaimsgroup.com/?l=bugtraq&m=87602167420921&w=2
Reference: SGI:20001101-01-I
Reference: URL:ftp://patches.sgi.com/support/free/security/advisories/20001101-01-I
Reference: BID:381
Reference: URL:http://www.securityfocus.com/bid/381

inpview in InPerson on IRIX 5.3 through IRIX 6.5.10 trusts the PATH environmental variable to find and execute the ttsession program, which allows local users to obtain root access by modifying the PATH to point to a Trojan horse ttsession program.

Current Votes:
   ACCEPT(3) Cole, Foat, Stracener
   REJECT(1) Frech

Voter Comments:
 Frech> Possible conflict with CVE-2000-0799.

======================================================
Name: CVE-1999-1462
Status: Candidate
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-1999-1462
Phase: Proposed (20010912)
Category: SF
Reference: BUGTRAQ:19990426 FW: Security Notice: Big Brother 1.09b/c
Reference: URL:http://www.securityfocus.com/archive/1/13440
Reference: CONFIRM:http://bb4.com/README.CHANGES
Reference: BID:142
Reference: URL:http://www.securityfocus.com/bid/142
Reference: XF:http-cgi-bigbrother-bbhist(3755)
Reference: URL:http://xforce.iss.net/static/3755.php

Vulnerability in bb-hist.sh CGI History module in Big Brother 1.09b and 1.09c allows remote attacker to read portions of arbitrary files.
Current Votes:
   ACCEPT(5) Armstrong, Cole, Foat, Frech, Stracener
   NOOP(1) Wall

======================================================
Name: CVE-1999-1463
Status: Candidate
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-1999-1463
Phase: Proposed (20010912)
Category: SF
Reference: BUGTRAQ:19970710 A New Fragmentation Attack
Reference: URL:http://www.securityfocus.com/archive/1/7219
Reference: XF:nt-frag(528)
Reference: URL:http://xforce.iss.net/static/528.php

Windows NT 4.0 before SP3 allows remote attackers to bypass firewall restrictions or cause a denial of service (crash) by sending improperly fragmented IP packets without the first fragment, which the TCP/IP stack incorrectly reassembles into a valid session.

Current Votes:
   ACCEPT(2) Cole, Frech
   NOOP(1) Foat

Voter Comments:
 Frech> This issue is also listed under CVE-1999-0226.

======================================================
Name: CVE-1999-1464
Status: Candidate
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-1999-1464
Phase: Proposed (20010912)
Category: SF
Reference: CISCO:19981105 Cisco IOS DFS Access List Leakage
Reference: URL:http://www.cisco.com/warp/public/770/iosdfsacl-pub.shtml
Reference: CIAC:J-016
Reference: URL:http://ciac.llnl.gov/ciac/bulletins/j-016.shtml
Reference: XF:cisco-acl-leakage(1401)
Reference: URL:http://xforce.iss.net/static/1401.php

Vulnerability in Cisco IOS 11.1CC and 11.1CT with distributed fast switching (DFS) enabled allows remote attackers to bypass certain access control lists when the router switches traffic from a DFS-enabled interface to an interface that does not have DFS enabled, as described by Cisco bug CSCdk35564.
Current Votes:
   ACCEPT(6) Armstrong, Balinsky, Cole, Foat, Frech, Stracener
   NOOP(1) Wall

======================================================
Name: CVE-1999-1465
Status: Candidate
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-1999-1465
Phase: Modified (20020228-01)
Category: SF
Reference: CISCO:19981105 Cisco IOS DFS Access List Leakage
Reference: URL:http://www.cisco.com/warp/public/770/iosdfsacl-pub.shtml
Reference: CIAC:J-016
Reference: URL:http://ciac.llnl.gov/ciac/bulletins/j-016.shtml
Reference: XF:cisco-acl-leakage(1401)
Reference: URL:http://xforce.iss.net/static/1401.php

Vulnerability in Cisco IOS 11.1 through 11.3 with distributed fast switching (DFS) enabled allows remote attackers to bypass certain access control lists when the router switches traffic from a DFS-enabled input interface to an output interface with a logical subinterface, as described by Cisco bug CSCdk43862.

Current Votes:
   ACCEPT(6) Armstrong, Balinsky, Cole, Foat, Frech, Stracener
   NOOP(1) Wall

======================================================
Name: CVE-1999-1466
Status: Candidate
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-1999-1466
Phase: Proposed (20010912)
Category: SF
Reference: CERT:CA-1992-20
Reference: URL:http://www.cert.org/advisories/CA-1992-20.html
Reference: BID:53
Reference: URL:http://www.securityfocus.com/bid/53

Vulnerability in Cisco routers versions 8.2 through 9.1 allows remote attackers to bypass access control lists when extended IP access lists are used on certain interfaces, the IP route cache is enabled, and the access list uses the "established" keyword.

Current Votes:
   ACCEPT(3) Cole, Foat, Stracener
   MODIFY(1) Frech
   NOOP(2) Christey, Wall

Voter Comments:
 Frech> XF:cisco-acl-established(1248)
   Possible dupe with CVE-1999-0162.
 Christey> This is not a dupe with CVE-1999-0162. The Cisco advisory referenced in CVE-1999-0162 says that affected Cisco versions are 10.0 through 10.3. This CAN deals with versions 8.2 through 9.1.
   In addition, the date of release of CVE-1999-0162 is June 1995; this CAN was released December 1992. Both items include clear Cisco acknowledgement with details, so we should conclude that they are separate problems, despite the vagueness of the reports.

======================================================
Name: CVE-1999-1467
Status: Candidate
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-1999-1467
Phase: Proposed (20010912)
Category: SF
Reference: CERT:CA-1989-07
Reference: URL:http://www.cert.org/advisories/CA-1989-07.html
Reference: BID:5
Reference: URL:http://www.securityfocus.com/bid/5
Reference: XF:sun-rcp(3165)
Reference: URL:http://xforce.iss.net/static/3165.php

Vulnerability in rcp on SunOS 4.0.x allows remote attackers from trusted hosts to execute arbitrary commands as root, possibly related to the configuration of the nobody user.

Current Votes:
   ACCEPT(5) Cole, Dik, Foat, Frech, Stracener
   NOOP(1) Wall

Voter Comments:
 Dik> sun bug: 1028958

======================================================
Name: CVE-1999-1469
Status: Candidate
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-1999-1469
Phase: Proposed (20010912)
Category: SF
Reference: BUGTRAQ:19990930 mini-sql Buffer Overflow
Reference: URL:http://marc.theaimsgroup.com/?l=bugtraq&m=93871926821410&w=2

Buffer overflow in w3-auth CGI program in miniSQL package allows remote attackers to execute arbitrary commands via an HTTP request with (1) a long URL, or (2) a long User-Agent MIME header.
Current Votes:
   MODIFY(1) Frech
   NOOP(3) Cole, Foat, Wall

Voter Comments:
 Frech> XF:msql-w3auth-bo(8301)

======================================================
Name: CVE-1999-1470
Status: Candidate
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-1999-1470
Phase: Proposed (20010912)
Category: SF
Reference: NTBUGTRAQ:19990624 Eastman Software Work Management 3.21
Reference: URL:http://marc.theaimsgroup.com/?l=ntbugtraq&m=93034788412494&w=2
Reference: XF:eastman-cleartext-passwords(2303)
Reference: URL:http://xforce.iss.net/static/2303.php
Reference: BID:485
Reference: URL:http://www.securityfocus.com/bid/485

Eastman Work Management 3.21 stores passwords in cleartext in the COMMON and LOCATOR registry keys, which could allow local users to gain privileges.

Current Votes:
   ACCEPT(1) Frech
   NOOP(3) Cole, Foat, Wall

======================================================
Name: CVE-1999-1471
Status: Candidate
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-1999-1471
Phase: Modified (20020218-01)
Category:
Reference: CERT:CA-1989-01
Reference: URL:http://www.cert.org/advisories/CA-1989-01.html
Reference: BID:4
Reference: URL:http://www.securityfocus.com/bid/4
Reference: XF:bsd-passwd-bo(7152)
Reference: URL:http://www.iss.net/security_center/static/7152.php

Buffer overflow in passwd in BSD based operating systems 4.3 and earlier allows local users to gain root privileges by specifying a long shell or GECOS field.
Current Votes:
   ACCEPT(3) Cole, Foat, Stracener
   MODIFY(1) Frech
   NOOP(1) Wall

Voter Comments:
 Frech> XF:bsd-passwd-bo(7152)

======================================================
Name: CVE-1999-1474
Status: Candidate
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-1999-1474
Phase: Proposed (20010912)
Category: SF
Reference: CONFIRM:http://www.microsoft.com/windows/ie/security/powerpoint.asp
Reference: XF:nt-ppt-patch(179)
Reference: URL:http://xforce.iss.net/static/179.php

PowerPoint 95 and 97 allows remote attackers to cause an application to be run automatically without prompting the user, possibly through the slide show, when the document is opened in browsers such as Internet Explorer.

Current Votes:
   ACCEPT(6) Armstrong, Cole, Foat, Frech, Stracener, Wall

Voter Comments:
 Frech> Looks like CONFIRM URL is too old for Microsoft to keep (currently cached at http://www.google.com/search?q=cache:86loHcRhaL4:www.microsoft.com/ie/ security/powerpoint.htm+%22PowerPoint+Browsing+Security+Issue%22&hl=en ). Same information is available at BugTraq at http://www.securityfocus.com/cgi-bin/archive.pl?id=1&mid=6724

======================================================
Name: CVE-1999-1475
Status: Candidate
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-1999-1475
Phase: Proposed (20010912)
Category: SF
Reference: BUGTRAQ:19991119 ProFTPd - mod_sqlpw.c
Reference: URL:http://www.securityfocus.com/archive/1/35483
Reference: BID:812
Reference: URL:http://www.securityfocus.com/bid/812

ProFTPd 1.2 compiled with the mod_sqlpw module records user passwords in the wtmp log file, which allows local users to obtain the passwords and gain privileges by reading wtmp, e.g. via the last command.
Current Votes:
   MODIFY(1) Frech
   NOOP(3) Cole, Foat, Wall

Voter Comments:
 Frech> XF:proftpd-modsqlpw-insecure-passwords(8332)

======================================================
Name: CVE-1999-1477
Status: Candidate
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-1999-1477
Phase: Proposed (20010912)
Category: SF
Reference: BUGTRAQ:19990923 Linux GNOME exploit
Reference: URL:http://www.securityfocus.com/archive/1/28717
Reference: BID:663
Reference: URL:http://www.securityfocus.com/bid/663
Reference: XF:gnome-espeaker-local-bo(3349)
Reference: URL:http://xforce.iss.net/static/3349.php

Buffer overflow in GNOME libraries 1.0.8 allows local user to gain root access via a long --espeaker argument in programs such as nethack.

Current Votes:
   ACCEPT(1) Frech
   NOOP(3) Cole, Foat, Wall

======================================================
Name: CVE-1999-1479
Status: Candidate
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-1999-1479
Phase: Modified (20080304)
Category: SF
Reference: BUGTRAQ:19980624 textcounter.pl SECURITY HOLE
Reference: URL:http://www.securityfocus.com/archive/1/9609
Reference: BID:2265
Reference: URL:http://www.securityfocus.com/bid/2265
Reference: XF:http-cgi-textcounter(2052)
Reference: URL:http://xforce.iss.net/static/2052.php

The textcounter.pl by Matt Wright allows remote attackers to execute arbitrary commands via shell metacharacters.

Current Votes:
   ACCEPT(1) Frech
   NOOP(3) Cole, Foat, Wall

======================================================
Name: CVE-1999-1480
Status: Candidate
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-1999-1480
Phase: Proposed (20010912)
Category: SF
Reference: BID:429
Reference: URL:http://www.securityfocus.com/bid/429

(1) acledit and (2) aclput in AIX 4.3 allow local users to create or modify files via a symlink attack.
Current Votes:
   MODIFY(1) Frech
   NOOP(3) Cole, Foat, Wall

Voter Comments:
 Frech> XF:aix-acledit-aclput-symlink(7346)
   CONFIRM:APAR IX79139

======================================================
Name: CVE-1999-1482
Status: Candidate
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-1999-1482
Phase: Proposed (20010912)
Category: SF
Reference: BUGTRAQ:19990219 Security hole: "zgv"
Reference: URL:http://www.securityfocus.com/templates/archive.pike?list=1&date=1999-02-15&msg=Pine.LNX.3.96.990219175605.9622A-100000@ferret.lmh.ox.ac.uk

SVGAlib zgv 3.0-7 and earlier allows local users to gain root access via a privilege leak of the iopl(3) privileges to child processes.

Current Votes:
   MODIFY(1) Frech
   NOOP(3) Cole, Foat, Wall

Voter Comments:
 Frech> XF:zgv-privilege-leak(1798)

======================================================
Name: CVE-1999-1483
Status: Candidate
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-1999-1483
Phase: Proposed (20010912)
Category: SF
Reference: BUGTRAQ:19970619 svgalib/zgv
Reference: URL:http://www.securityfocus.com/archive/1/7041

Buffer overflow in zgv in svgalib 1.2.10 and earlier allows local users to execute arbitrary code via a long HOME environment variable.

Current Votes:
   MODIFY(1) Frech
   NOOP(2) Cole, Foat

Voter Comments:
 Frech> XF:linux-svgalib-dos(3412)

======================================================
Name: CVE-1999-1484
Status: Candidate
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-1999-1484
Phase: Proposed (20010912)
Category: SF
Reference: BUGTRAQ:19990924 Several ActiveX Buffer Overruns
Reference: URL:http://www.securityfocus.com/archive/1/28719
Reference: XF:msn-setup-bbs-activex-bo(3310)
Reference: URL:http://xforce.iss.net/static/3310.php
Reference: BID:668
Reference: URL:http://www.securityfocus.com/bid/668

Buffer overflow in MSN Setup BBS 4.71.0.10 ActiveX control (setupbbs.ocx) allows a remote attacker to execute arbitrary commands via the methods (1) vAddNewsServer or (2) bIsNewsServerConfigured.
Current Votes:
   ACCEPT(2) Cole, Frech
   NOOP(2) Foat, Wall

======================================================
Name: CVE-1999-1485
Status: Candidate
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-1999-1485
Phase: Modified (20060705)
Category: SF
Reference: BUGTRAQ:19990531 IRIX 6.5 nsd virtual filesystem vulnerability
Reference: URL:http://marc.theaimsgroup.com/?l=bugtraq&m=92818552106912&w=2
Reference: OSVDB:8564
Reference: URL:http://www.osvdb.org/8564
Reference: XF:sgi-nsd-view(2246)
Reference: URL:http://xforce.iss.net/static/2246.php
Reference: XF:sgi-nsd-create(2247)
Reference: URL:http://xforce.iss.net/static/2247.php
Reference: BID:412
Reference: URL:http://www.securityfocus.com/bid/412

nsd in IRIX 6.5 through 6.5.2 exports a virtual filesystem on a UDP port, which allows remote attackers to view files and cause a possible denial of service by mounting the nsd virtual file system.

Current Votes:
   ACCEPT(1) Frech
   NOOP(3) Cole, Foat, Wall

======================================================
Name: CVE-1999-1487
Status: Candidate
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-1999-1487
Phase: Modified (20020218-01)
Category: SF
Reference: AIXAPAR:IX74599
Reference: URL:http://www-1.ibm.com/servlet/support/manager?rt=0&rs=0&org=apars&doc=41D8B61D1E1C4FAB852567C9002C546C
Reference: BID:405
Reference: URL:http://www.securityfocus.com/bid/405
Reference: XF:aix-digest(7477)
Reference: URL:http://www.iss.net/security_center/static/7477.php

Vulnerability in digest in AIX 4.3 allows printq users to gain root privileges by creating and/or modifying any file on the system.
Current Votes:
   ACCEPT(3) Cole, Foat, Stracener
   MODIFY(1) Frech

Voter Comments:
 Frech> XF:aix-digest(7477)

======================================================
Name: CVE-1999-1489
Status: Candidate
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-1999-1489
Phase: Proposed (20010912)
Category: SF
Reference: BUGTRAQ:19970304 Linux SuperProbe exploit
Reference: URL:http://www.securityfocus.com/archive/1/6384
Reference: BID:364
Reference: URL:http://www.securityfocus.com/bid/364

Buffer overflow in TestChip function in XFree86 SuperProbe in Slackware Linux 3.1 allows local users to gain root privileges via a long -nopr argument.

Current Votes:
   MODIFY(1) Frech
   NOOP(2) Cole, Foat

Voter Comments:
 Frech> XF:xfree86-superprobe-testchip-bo(7198)

======================================================
Name: CVE-1999-1491
Status: Candidate
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-1999-1491
Phase: Proposed (20010912)
Category: SF
Reference: BUGTRAQ:19960202 abuse Red Hat 2.1 security hole
Reference: URL:http://marc.theaimsgroup.com/?l=bugtraq&m=87602167418994&w=2
Reference: BID:354
Reference: URL:http://www.securityfocus.com/bid/354

abuse.console in Red Hat 2.1 uses relative pathnames to find and execute the undrv program, which allows local users to execute arbitrary commands via a path that points to a Trojan horse program.
Current Votes:
   ACCEPT(1) Cole
   NOOP(1) Foat

======================================================
Name: CVE-1999-1492
Status: Candidate
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-1999-1492
Phase: Proposed (20010912)
Category: CF
Reference: SGI:19980502-01-P3030
Reference: URL:ftp://patches.sgi.com/support/free/security/advisories/19980502-01-P3030
Reference: XF:sgi-diskalign(2104)
Reference: URL:http://xforce.iss.net/static/2104.php
Reference: XF:sgi-diskperf(2103)
Reference: URL:http://xforce.iss.net/static/2103.php
Reference: BID:348
Reference: URL:http://www.securityfocus.com/bid/348

Vulnerability in (1) diskperf and (2) diskalign in IRIX 6.4 allows local attacker to create arbitrary root owned files, leading to root privileges.

Current Votes:
   ACCEPT(4) Cole, Foat, Frech, Stracener

======================================================
Name: CVE-1999-1493
Status: Candidate
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-1999-1493
Phase: Modified (20020308-01)
Category: CF
Reference: CERT:CA-1991-23
Reference: URL:http://www.cert.org/advisories/CA-1991-23.html
Reference: BID:34
Reference: URL:http://www.securityfocus.com/bid/34
Reference: XF:apollo-crp-root-access(7158)
Reference: URL:http://xforce.iss.net/static/7158.php

Vulnerability in crp in Hewlett Packard Apollo Domain OS SR10 through SR10.3 allows remote attackers to gain root privileges via insecure system calls, (1) pad_$dm_cmd and (2) pad_$def_pfk().
Current Votes:
   ACCEPT(3) Cole, Foat, Stracener
   MODIFY(1) Frech
   NOOP(1) Wall

Voter Comments:
 Frech> XF:apollo-crp-root-access(7158)

======================================================
Name: CVE-1999-1495
Status: Candidate
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-1999-1495
Phase: Proposed (20010912)
Category: CF
Reference: BUGTRAQ:19990218 xtvscreen and suse 6
Reference: URL:http://www.securityfocus.com/archive/1/12580
Reference: XF:xtvscreen-overwrite(1792)
Reference: URL:http://xforce.iss.net/static/1792.php
Reference: BID:325
Reference: URL:http://www.securityfocus.com/bid/325

xtvscreen in SuSE Linux 6.0 allows local users to overwrite arbitrary files via a symlink attack on the pic000.pnm file.

Current Votes:
   ACCEPT(1) Frech
   NOOP(3) Cole, Foat, Wall

======================================================
Name: CVE-1999-1496
Status: Candidate
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-1999-1496
Phase: Proposed (20010912)
Category: SF
Reference: BUGTRAQ:19990608 unneeded information in sudo
Reference: URL:http://www.securityfocus.com/archive/1/14665
Reference: BID:321
Reference: URL:http://www.securityfocus.com/bid/321
Reference: XF:sudo-file-exists(2277)
Reference: URL:http://xforce.iss.net/static/2277.php

Sudo 1.5 in Debian Linux 2.1 and Red Hat 6.0 allows local users to determine the existence of arbitrary files by attempting to execute the target filename as a program, which generates a different error message when the file does not exist.
Current Votes:
   ACCEPT(1) Frech
   NOOP(3) Cole, Foat, Wall

======================================================
Name: CVE-1999-1497
Status: Candidate
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-1999-1497
Phase: Modified (20070122)
Category: SF
Reference: BUGTRAQ:19991221 [w00giving '99 #11] IMail's password encryption scheme
Reference: URL:http://www.securityfocus.com/archive/1/39329
Reference: BID:880
Reference: URL:http://www.securityfocus.com/bid/880

Ipswitch IMail 5.0 and 6.0 uses weak encryption to store passwords in registry keys, which allows local attackers to read passwords for e-mail accounts.

Current Votes:
   MODIFY(1) Frech
   NOOP(3) Cole, Foat, Wall

Voter Comments:
 Frech> XF:imail-passwords(1901)
   May be the same as CVE-2000-0019 on a different level of abstraction.

======================================================
Name: CVE-1999-1498
Status: Candidate
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-1999-1498
Phase: Proposed (20010912)
Category: SF
Reference: BUGTRAQ:19980406 insecure tmp file creation
Reference: BID:82
Reference: URL:http://www.securityfocus.com/bid/82

Slackware Linux 3.4 pkgtool allows local attacker to read and write to arbitrary files via a symlink attack on the reply file.

Current Votes:
   MODIFY(1) Frech
   NOOP(3) Cole, Foat, Wall

Voter Comments:
 Frech> XF:linux-pkgtool-reply-symlink(7347)

======================================================
Name: CVE-1999-1499
Status: Candidate
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-1999-1499
Phase: Proposed (20010912)
Category: SF
Reference: BUGTRAQ:19980410 BIND 4.9.7 named follows symlinks, clobbers anything
Reference: URL:http://www.securityfocus.com/archive/1/8966
Reference: BID:80
Reference: URL:http://www.securityfocus.com/bid/80

named in ISC BIND 4.9 and 8.1 allows local users to destroy files via a symlink attack on (1) named_dump.db when root kills the process with a SIGINT, or (2) named.stats when SIGIOT is used.
Current Votes:
   MODIFY(1) Frech
   NOOP(2) Cole, Wall
   REJECT(1) Foat

Voter Comments:
 Foat> The files get written to /var/named, to which the user does not have write access.
 Frech> XF:bind-sigint-sigiot-symlink(7366)

======================================================
Name: CVE-1999-1500
Status: Candidate
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-1999-1500
Phase: Proposed (20010912)
Category: SF
Reference: NTBUGTRAQ:19991001 Vulnerabilities in the Internet Anywhere Mail Server
Reference: URL:http://marc.theaimsgroup.com/?l=ntbugtraq&m=93880357530599&w=2
Reference: BID:733
Reference: URL:http://www.securityfocus.com/bid/733

Internet Anywhere POP3 Mail Server 2.3.1 allows remote attackers to cause a denial of service (crash) via (1) LIST, (2) TOP, or (3) UIDL commands using letters as arguments.

Current Votes:
   MODIFY(1) Frech
   NOOP(3) Cole, Foat, Wall

Voter Comments:
 Frech> XF:iams-pop3-command-dos(3283)

======================================================
Name: CVE-1999-1501
Status: Candidate
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-1999-1501
Phase: Proposed (20010912)
Category: SF
Reference: BUGTRAQ:19980408 SGI O2 ipx security issue
Reference: URL:http://marc.theaimsgroup.com/?l=bugtraq&m=89217373930054&w=2
Reference: BID:70
Reference: URL:http://www.securityfocus.com/bid/70
Reference: BID:71
Reference: URL:http://www.securityfocus.com/bid/71

(1) ipxchk and (2) ipxlink in SGI OS2 IRIX 6.3 does not properly clear the IFS environmental variable before executing system calls, which allows local users to execute arbitrary commands.
Current Votes:
   MODIFY(1) Frech
   NOOP(3) Cole, Foat, Wall
   REJECT(1) Christey

Voter Comments:
 Frech> XF:irix-ipxchk-ipxlink-ifs-commands(7365)
 Christey> DUPE CVE-1999-1040

======================================================
Name: CVE-1999-1502
Status: Candidate
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-1999-1502
Phase: Proposed (20010912)
Category: SF
Reference: BUGTRAQ:19980408 QuakeI client: serious holes.
Reference: URL:http://marc.theaimsgroup.com/?l=bugtraq&m=89205623028934&w=2
Reference: BID:68
Reference: URL:http://www.securityfocus.com/bid/68
Reference: BID:69
Reference: URL:http://www.securityfocus.com/bid/69

Buffer overflows in Quake 1.9 client allows remote malicious servers to execute arbitrary commands via long (1) precache paths, (2) server name, (3) server address, or (4) argument to the map console command.

Current Votes:
   MODIFY(1) Frech
   NOOP(3) Cole, Foat, Wall

Voter Comments:
 Frech> XF:quake-precache-bo(7358)
   XF:quake-server-address-bo(7359)
   XF:quake-map-argument-bo(7360)

======================================================
Name: CVE-1999-1503
Status: Candidate
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-1999-1503
Phase: Proposed (20010912)
Category: SF
Reference: BID:63
Reference: URL:http://www.securityfocus.com/bid/63

Network Flight Recorder (NFR) 1.5 and 1.6 allows remote attackers to cause a denial of service in nfrd (crash) via a TCP packet with a null header and data field.
Current Votes:
   ACCEPT(1) Cole
   MODIFY(1) Frech
   NOOP(2) Foat, Wall

Voter Comments:
 Frech> XF:nfr-tcp-packet-dos(7357)

======================================================
Name: CVE-1999-1504
Status: Candidate
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-1999-1504
Phase: Proposed (20010912)
Category: SF
Reference: BUGTRAQ:19980408 Re: AppleShare IP Mail Server
Reference: URL:http://www.securityfocus.com/archive/1/8951
Reference: BID:62
Reference: URL:http://www.securityfocus.com/bid/62

Stalker Internet Mail Server 1.6 allows a remote attacker to cause a denial of service (crash) via a long HELO command.

Current Votes:
   MODIFY(1) Frech
   NOOP(3) Cole, Foat, Wall

Voter Comments:
 Frech> XF:smtp-helo-bo(886)

======================================================
Name: CVE-1999-1505
Status: Candidate
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-1999-1505
Phase: Proposed (20010912)
Category: SF
Reference: BUGTRAQ:19980407 QW vulnerability
Reference: URL:http://marc.theaimsgroup.com/?l=bugtraq&m=89200537415923&w=2
Reference: BID:60
Reference: URL:http://www.securityfocus.com/bid/60

Buffer overflow in QuakeWorld 2.10 allows remote attackers to cause a denial of service (crash) and possibly execute arbitrary commands via a long initial connect packet.

Current Votes:
   MODIFY(1) Frech
   NOOP(3) Cole, Foat, Wall

Voter Comments:
 Frech> XF:quakeworld-connect-bo(7356)

======================================================
Name: CVE-1999-1506
Status: Candidate
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-1999-1506
Phase: Proposed (20010912)
Category: SF
Reference: CERT:CA-1990-01
Reference: URL:http://www.cert.org/advisories/CA-90.01.sun.sendmail.vulnerability
Reference: BID:6
Reference: URL:http://www.securityfocus.com/bid/6

Vulnerability in SMI Sendmail 4.0 and earlier, on SunOS up to 4.0.3, allows remote attackers to access user bin.
Current Votes:
   ACCEPT(3) Cole, Dik, Stracener
   MODIFY(1) Frech
   NOOP(2) Foat, Wall

Voter Comments:
 Frech> XF:sunos-sendmail-bin-access(7161)
 Dik> sun bug 1028173
 CHANGE> [Foat changed vote from ACCEPT to NOOP]

======================================================
Name: CVE-1999-1508
Status: Candidate
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-1999-1508
Phase: Proposed (20010912)
Category: SF
Reference: BUGTRAQ:19991116 [Fwd: Printer Vulnerability: Tektronix PhaserLink Webserver gives Administrator Password]
Reference: URL:http://marc.theaimsgroup.com/?l=bugtraq&m=94286041430870&w=2
Reference: BID:806
Reference: URL:http://www.securityfocus.com/bid/806

Web server in Tektronix PhaserLink Printer 840.0 and earlier allows a remote attacker to gain administrator access by directly calling undocumented URLs such as ncl_items.html and ncl_subjects.html.

Current Votes:
   MODIFY(1) Frech
   NOOP(3) Cole, Foat, Wall
   REVIEWING(1) Christey

Voter Comments:
 Frech> XF:tektronix-phaserlink-webserver-backdoor(6482)
   Possible dupe with CVE-2001-0484 and BID-2659.
 Christey> CVE-2001-0484 may be a duplicate.

======================================================
Name: CVE-1999-1509
Status: Candidate
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-1999-1509
Phase: Proposed (20010912)
Category: SF
Reference: NTBUGTRAQ:19991104 Eserv 2.50 Web interface Server Directory Traversal Vulnerability
Reference: URL:http://marc.theaimsgroup.com/?l=ntbugtraq&m=94177470915423&w=2
Reference: BUGTRAQ:19991104 Eserv 2.50 Web interface Server Directory Traversal Vulnerability
Reference: URL:http://marc.theaimsgroup.com/?l=bugtraq&m=94183041514522&w=2
Reference: BID:773
Reference: URL:http://www.securityfocus.com/bid/773
Reference: XF:eserv-fileread

Directory traversal vulnerability in Etype Eserv 2.50 web server allows a remote attacker to read any file in the file system via a .. (dot dot) in a URL.
Current Votes:
   ACCEPT(1) Frech
   NOOP(3) Cole, Foat, Wall

Voter Comments:
 Frech> Normalize XF:eserv-fileread(3449)
   Normalize URL:http://xforce.iss.net/static/3449.php

======================================================
Name: CVE-1999-1510
Status: Candidate
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-1999-1510
Phase: Proposed (20010912)
Category: SF
Reference: NTBUGTRAQ:19990517 Vulnerabilities in BisonWare FTP Server 3.5
Reference: URL:http://marc.theaimsgroup.com/?l=ntbugtraq&m=92697301706956&w=2
Reference: XF:bisonware-command-bo(3234)
Reference: URL:http://xforce.iss.net/static/3234.php

Buffer overflows in Bisonware FTP server prior to 4.1 allow remote attackers to cause a denial of service, and possibly execute arbitrary commands, via long (1) USER, (2) LIST, or (3) CWD commands.

Current Votes:
   ACCEPT(3) Cole, Foat, Frech
   NOOP(1) Wall

======================================================
Name: CVE-1999-1511
Status: Candidate
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-1999-1511
Phase: Proposed (20010912)
Category: SF
Reference: BUGTRAQ:19991110 Multiples Remotes DoS Attacks in Artisoft XtraMail v1.11 Vulnerability
Reference: URL:http://marc.theaimsgroup.com/?l=bugtraq&m=94226003804744&w=2
Reference: BID:791
Reference: URL:http://www.securityfocus.com/bid/791
Reference: XF:xtramail-pass-dos(3488)
Reference: URL:http://xforce.iss.net/static/3488.php

Buffer overflows in Xtramail 1.11 allow attackers to cause a denial of service (crash) and possibly execute arbitrary commands via (1) a long PASS command in the POP3 service, (2) a long HELO command in the SMTP service, or (3) a long user name in the Control Service.
Current Votes:
   ACCEPT(1) Frech
   NOOP(3) Cole, Foat, Wall

======================================================
Name: CVE-1999-1513
Status: Candidate
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-1999-1513
Phase: Proposed (20010912)
Category: SF
Reference: BUGTRAQ:19990830 One more 3Com SNMP vulnerability
Reference: URL:http://marc.theaimsgroup.com/?l=bugtraq&m=93616983223090&w=2

Management information base (MIB) for a 3Com SuperStack II hub running software version 2.10 contains an object identifier (.1.3.6.1.4.1.43.10.4.2) that is accessible by a read-only community string, but lists the entire table of community strings, which could allow attackers to conduct unauthorized activities.

Current Votes:
   NOOP(3) Cole, Foat, Wall
   REVIEWING(1) Frech

Voter Comments:
 Frech> (ACCEPT; Task 2355)

======================================================
Name: CVE-1999-1514
Status: Candidate
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-1999-1514
Phase: Proposed (20010912)
Category: SF
Reference: NTBUGTRAQ:19990729 ExpressFS 2.x FTPServer remotely exploitable buffer overflow vulnerability
Reference: URL:http://marc.theaimsgroup.com/?l=ntbugtraq&m=94130292519646&w=2
Reference: BUGTRAQ:19990729 ExpressFS 2.x FTPServer remotely exploitable buffer overflow vulnerability
Reference: URL:http://marc.theaimsgroup.com/?l=bugtraq&m=94121377716133&w=2
Reference: BID:749
Reference: URL:http://www.securityfocus.com/bid/749
Reference: XF:expressfs-command-bo(3401)
Reference: URL:http://xforce.iss.net/static/3401.php

Buffer overflow in Celtech ExpressFS FTP server 2.x allows remote attackers to cause a denial of service, and possibly execute arbitrary commands, via a long USER command.
Current Votes:
   ACCEPT(1) Frech
   NOOP(3) Cole, Foat, Wall

Voter Comments:
 Frech> BugTraq reference date seems to be 19991029; see
   http://online.securityfocus.com/archive/1/33123

======================================================
Name: CVE-1999-1515
Status: Candidate
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-1999-1515
Phase: Proposed (20010912)
Category: CF
Reference: BID:613
Reference: URL:http://www.securityfocus.com/bid/613
Reference: XF:tfs-gateway-dos(3290)
Reference: URL:http://xforce.iss.net/static/3290.php

A non-default configuration in TenFour TFS Gateway 4.0 allows an attacker to cause a denial of service via messages with incorrect sender and recipient addresses, which causes the gateway to continuously try to return the message every 10 seconds.

Current Votes:
   ACCEPT(1) Frech
   NOOP(3) Cole, Foat, Wall

======================================================
Name: CVE-1999-1516
Status: Candidate
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-1999-1516
Phase: Proposed (20010912)
Category: SF
Reference: BUGTRAQ:19990902 [SECURITY] TenFour TFS SMTP 3.2 Buffer Overflow
Reference: URL:http://marc.theaimsgroup.com/?l=bugtraq&m=93677241318492&w=2

A buffer overflow in TenFour TFS Gateway SMTP mail server 3.2 allows an attacker to crash the mail server and possibly execute arbitrary code by offering more than 128 bytes in a MAIL FROM string.
Current Votes:
   MODIFY(1) Frech
   NOOP(3) Cole, Foat, Wall

Voter Comments:
 Frech> XF:tfs-gateway-dos(3290)

======================================================
Name: CVE-1999-1517
Status: Candidate
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-1999-1517
Phase: Proposed (20010912)
Category: CF
Reference: BUGTRAQ:19991101 Amanda multiple vendor local root compromises
Reference: URL:http://marc.theaimsgroup.com/?l=bugtraq&m=94148942818975&w=2
Reference: BID:750
Reference: URL:http://www.securityfocus.com/bid/750

runtar in the Amanda backup system used in various UNIX operating systems executes tar with root privileges, which allows a user to overwrite or read arbitrary files by providing the target files to runtar.

Current Votes:
   MODIFY(1) Frech
   NOOP(3) Cole, Foat, Wall

Voter Comments:
 Frech> XF:amanda-runtar(3402)

======================================================
Name: CVE-1999-1518
Status: Candidate
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-1999-1518
Phase: Proposed (20010912)
Category: SF
Reference: BUGTRAQ:19990715 Shared memory DoS's
Reference: URL:http://marc.theaimsgroup.com/?l=bugtraq&m=93207728118694&w=2
Reference: BID:526
Reference: URL:http://www.securityfocus.com/bid/526
Reference: XF:bsd-shared-memory-dos(2351)
Reference: URL:http://xforce.iss.net/static/2351.php

Operating systems with shared memory implementations based on BSD 4.4 code allow a user to conduct a denial of service and bypass memory limits (e.g., as specified with rlimits) using mmap or shmget to allocate memory and cause page faults.
Current Votes:
   ACCEPT(2) Cole, Frech
   NOOP(2) Foat, Wall

======================================================
Name: CVE-1999-1519
Status: Candidate
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-1999-1519
Phase: Proposed (20010912)
Category: SF
Reference: BUGTRAQ:19991117 Remote D.o.S Attack in G6 FTP Server v2.0 (beta 4/5) Vulnerability
Reference: URL:http://marc.theaimsgroup.com/?l=bugtraq&m=94286244700573&w=2
Reference: BID:805
Reference: URL:http://www.securityfocus.com/bid/805
Reference: XF:g6ftp-username-dos(3513)
Reference: URL:http://xforce.iss.net/static/3513.php

Gene6 G6 FTP Server 2.0 allows a remote attacker to cause a denial of service (resource exhaustion) via a long (1) user name or (2) password.

Current Votes:
   ACCEPT(1) Frech
   NOOP(3) Cole, Foat, Wall

======================================================
Name: CVE-1999-1521
Status: Candidate
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-1999-1521
Phase: Proposed (20010912)
Category: SF
Reference: BUGTRAQ:19990912 Many kind of POP3/SMTP server softwares for Windows have buffer overflow bug
Reference: URL:http://marc.theaimsgroup.com/?l=bugtraq&m=93720402717560&w=2
Reference: BUGTRAQ:19990729 Vulnerability in CMail SMTP Server Version 2.4: Remotely exploitable buffer
Reference: URL:http://marc.theaimsgroup.com/?l=bugtraq&m=94121824921783&w=2
Reference: BID:633
Reference: URL:http://www.securityfocus.com/bid/633
Reference: XF:cmail-command-bo(2240)
Reference: URL:http://xforce.iss.net/static/2240.php

Computalynx CMail 2.4 and CMail 2.3 SP2 SMTP servers are vulnerable to a buffer overflow attack in the MAIL FROM command that may allow a remote attacker to execute arbitrary code on the server.

Current Votes:
   ACCEPT(1) Frech
   NOOP(4) Christey, Cole, Foat, Wall

Voter Comments:
 Christey> Remove "attack" from description and slightly rewrite.
 Christey> ADDREF BUGTRAQ:19991029 Vulnerability in CMail SMTP Server Version 2.4: Remotely exploitable buffer
   URL:http://www.securityfocus.com/archive/1/32573
   ADDREF BUGTRAQ:19990616 C-Mail SMTP Server Remote Buffer Overflow Exploit
   URL:http://online.securityfocus.com/archive/1/15524
   Note: this last post exploits an overflow through VRFY instead of MAIL FROM. However, CD:SF-LOC suggests merging two issues of the same type that are in the same versions.
   ADDREF BUGTRAQ:19990526 Multiple Web Interface Security Holes
   URL:http://marc.theaimsgroup.com/?l=bugtraq&m=92774425211457&w=2

======================================================
Name: CVE-1999-1522
Status: Candidate
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-1999-1522
Phase: Proposed (20010912)
Category: SF
Reference: BUGTRAQ:19991007 Roxen security alert
Reference: URL:http://marc.theaimsgroup.com/?l=bugtraq&m=93942579008408&w=2

Vulnerability in htmlparse.pike in Roxen Web Server 1.3.11 and earlier, possibly related to recursive parsing and referer tags in RXML.

Current Votes:
   MODIFY(1) Frech
   NOOP(3) Cole, Foat, Wall

Voter Comments:
 Frech> XF:roxen-rxml-recursive-parsing(3372)

======================================================
Name: CVE-1999-1523
Status: Candidate
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-1999-1523
Phase: Proposed (20010912)
Category: SF
Reference: BUGTRAQ:19991004
Reference: URL:http://marc.theaimsgroup.com/?l=bugtraq&m=93901161727373&w=2
Reference: BUGTRAQ:19991006 Re: Sample DOS against the Sambar HTTP-Server
Reference: URL:http://marc.theaimsgroup.com/?l=bugtraq&m=93941351229256&w=2
Reference: XF:sambar-logging-bo(1672)
Reference: URL:http://xforce.iss.net/static/1672.php

Buffer overflow in Sambar Web Server 4.2.1 allows remote attackers to cause a denial of service, and possibly execute arbitrary commands, via a long HTTP GET request.
Current Votes:
   ACCEPT(1) Frech
   NOOP(3) Cole, Foat, Wall

======================================================
Name: CVE-1999-1524
Status: Candidate
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-1999-1524
Phase: Proposed (20010912)
Category: SF
Reference: BUGTRAQ:19990807 Re: FlowPoint DSL router vulnerability
Reference: URL:http://marc.theaimsgroup.com/?l=bugtraq&m=93424680430460&w=2

FlowPoint DSL router firmware versions prior to 3.0.8 allow a remote attacker to exploit a password recovery feature from the network and conduct brute force password guessing, instead of limiting the feature to the serial console port.

Current Votes:
   NOOP(3) Cole, Foat, Wall

======================================================
Name: CVE-1999-1525
Status: Candidate
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-1999-1525
Phase: Proposed (20010912)
Category: SF
Reference: BUGTRAQ:19970314 Shockwave Security Alert
Reference: URL:http://marc.theaimsgroup.com/?l=bugtraq&m=87602167420670&w=2
Reference: XF:shockwave-internal-access(1585)
Reference: URL:http://xforce.iss.net/static/1585.php
Reference: XF:shockwave-file-read-vuln(1586)
Reference: URL:http://xforce.iss.net/static/1586.php
Reference: XF:http-ns-shockwave(460)
Reference: URL:http://xforce.iss.net/static/460.php

Macromedia Shockwave before 6.0 allows a malicious webmaster to read a user's mail box and possibly access internal web servers via the GetNextText command on a Shockwave movie.
Current Votes:
   ACCEPT(1) Frech
   NOOP(2) Cole, Foat

======================================================
Name: CVE-1999-1526
Status: Candidate
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-1999-1526
Phase: Proposed (20010912)
Category: SF
Reference: BUGTRAQ:19990311 [Fwd: Shockwave 7 Security Hole]
Reference: URL:http://www.securityfocus.com/archive/1/12842
Reference: XF:shockwave-updater(1931)
Reference: URL:http://xforce.iss.net/static/1931.php

Auto-update feature of Macromedia Shockwave 7 transmits a user's password and hard disk information back to Macromedia.

Current Votes:
   ACCEPT(1) Frech
   NOOP(2) Cole, Foat

======================================================
Name: CVE-1999-1527
Status: Candidate
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-1999-1527
Phase: Proposed (20010912)
Category: SF
Reference: BUGTRAQ:19991123 NetBeans/ Forte' Java IDE HTTP vulnerability
Reference: URL:http://marc.theaimsgroup.com/?l=bugtraq&m=94338883114254&w=2
Reference: BID:816
Reference: URL:http://www.securityfocus.com/bid/816

Internal HTTP server in Sun Netbeans Java IDE in Netbeans Developer 3.0 Beta and Forte Community Edition 1.0 Beta does not properly restrict access to IP addresses as specified in its configuration, which allows arbitrary remote attackers to access the server.
Current Votes:
   ACCEPT(1) Cole
   MODIFY(1) Frech
   NOOP(2) Foat, Wall

Voter Comments:
 Frech> XF:sun-java-ide-http-access(8333)

======================================================
Name: CVE-1999-1528
Status: Candidate
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-1999-1528
Phase: Proposed (20010912)
Category: unknown
Reference: BUGTRAQ:19991114 MacOS 9 and the MacOS Netware Client
Reference: URL:http://marc.theaimsgroup.com/?l=bugtraq&m=94261444428430&w=2
Reference: BID:794
Reference: URL:http://www.securityfocus.com/bid/794

ProSoft Netware Client 5.12 on Macintosh MacOS 9 does not automatically log a user out of the NDS tree when the user logs off the system, which allows other users of the same system access to the unprotected NDS session.

Current Votes:
   ACCEPT(1) Cole
   MODIFY(1) Frech
   NOOP(2) Foat, Wall

Voter Comments:
 Frech> XF:macos-netware-nds-access(8339)

======================================================
Name: CVE-1999-1529
Status: Candidate
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-1999-1529
Phase: Proposed (20010912)
Category: SF
Reference: BUGTRAQ:19991107 Interscan VirusWall NT 3.23/3.3 buffer overflow
Reference: URL:http://marc.theaimsgroup.com/?l=bugtraq&m=94201512111092&w=2
Reference: NTBUGTRAQ:19991107 Interscan VirusWall NT 3.23/3.3 buffer overflow.
Reference: URL:http://marc.theaimsgroup.com/?l=ntbugtraq&m=94199707625818&w=2
Reference: BUGTRAQ:19991108 Re: Interscan VirusWall NT 3.23/3.3 buffer overflow.
Reference: URL:http://marc.theaimsgroup.com/?l=bugtraq&m=94210427406568&w=2
Reference: BUGTRAQ:19991108 Patch for VirusWall 3.23.
Reference: URL:http://marc.theaimsgroup.com/?l=bugtraq&m=94204166130782&w=2
Reference: NTBUGTRAQ:19991108 Patch for VirusWall 3.23.
Reference: URL:http://marc.theaimsgroup.com/?l=ntbugtraq&m=94208143007829&w=2
Reference: BUGTRAQ:20000417 New DOS on Interscan NT/3.32
Reference: URL:http://www.securityfocus.com/archive/1/55551
Reference: BID:787
Reference: URL:http://www.securityfocus.com/bid/787
Reference: XF:viruswall-helo-bo(3465)
Reference: URL:http://xforce.iss.net/static/3465.php

A buffer overflow exists in the HELO command in Trend Micro Interscan VirusWall SMTP gateway 3.23/3.3 for NT, which may allow an attacker to execute arbitrary code.

Current Votes:
   ACCEPT(2) Cole, Foat
   NOOP(1) Wall
   REJECT(1) Frech

======================================================
Name: CVE-1999-1532
Status: Candidate
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-1999-1532
Phase: Modified (20011126-01)
Category: SF
Reference: BUGTRAQ:19991029 message:Netscape Messaging Server RCPT TO vul.
Reference: URL:http://marc.theaimsgroup.com/?l=bugtraq&m=94117465014255&w=2
Reference: BID:748
Reference: URL:http://www.securityfocus.com/bid/748

Netscape Messaging Server 3.54, 3.55, and 3.6 allows a remote attacker to cause a denial of service (memory exhaustion) via a series of long RCPT TO commands.
Current Votes:
   MODIFY(1) Frech
   NOOP(3) Cole, Foat, Wall

Voter Comments:
 Frech> XF:netscape-messaging-rcptto-dos(8340)
   Description ends with a comma and not a period, possibly indicating that the sentence is not complete,

======================================================
Name: CVE-1999-1533
Status: Candidate
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-1999-1533
Phase: Proposed (20010912)
Category: SF
Reference: BUGTRAQ:19990926 DoS Exploit in Eicon Diehl LAN ISDN Modem
Reference: URL:http://marc.theaimsgroup.com/?l=bugtraq&m=93846522511387&w=2
Reference: BID:665
Reference: URL:http://www.securityfocus.com/bid/665
Reference: XF:diva-lan-isdn-dos(3317)
Reference: URL:http://xforce.iss.net/static/3317.php

Eicon Technology Diva LAN ISDN modem allows a remote attacker to cause a denial of service (hang) via a long password argument to the login.htm file in its HTTP service.

Current Votes:
   ACCEPT(1) Frech
   NOOP(3) Cole, Foat, Wall

======================================================
Name: CVE-1999-1534
Status: Candidate
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-1999-1534
Phase: Proposed (20010912)
Category: SF
Reference: BUGTRAQ:19990923 Multiple vendor Knox Arkiea local root/remote DoS
Reference: URL:http://marc.theaimsgroup.com/?l=bugtraq&m=93837184228248&w=2
Reference: BID:661
Reference: URL:http://www.securityfocus.com/bid/661

Buffer overflow in (1) nlservd and (2) rnavc in Knox Software Arkeia backup product allows local users to obtain root access via a long HOME environmental variable.
Current Votes:
   MODIFY(1) Frech
   NOOP(3) Cole, Foat, Wall

Voter Comments:
 Frech> XF:arkiea-backup-home-bo(3322)

======================================================
Name: CVE-1999-1536
Status: Candidate
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-1999-1536
Phase: Modified (20070207)
Category: CF
Reference: BUGTRAQ:19990730 World writable root owned script in SalesBuilder (RedHat 6.0)
Reference: URL:http://marc.theaimsgroup.com/?l=bugtraq&m=93347785827287&w=2
Reference: BID:560
Reference: URL:http://www.securityfocus.com/bid/560
Reference: OSVDB:13557
Reference: URL:http://www.osvdb.org/13557

.sbstart startup script in AcuShop Salesbuilder is world writable, which allows local users to gain privileges by appending commands to the file.

Current Votes:
   NOOP(3) Cole, Foat, Wall
   REVIEWING(1) Frech

Voter Comments:
 Frech> (ACCEPT; Task 2356)

======================================================
Name: CVE-1999-1538
Status: Candidate
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-1999-1538
Phase: Proposed (20010912)
Category: SF
Reference: BUGTRAQ:19990114 MS IIS 4.0 Security Advisory
Reference: URL:http://marc.theaimsgroup.com/?l=bugtraq&m=91638375309890&w=2
Reference: NTBUGTRAQ:19990114 MS IIS 4.0 Security Advisory
Reference: URL:http://marc.theaimsgroup.com/?l=ntbugtraq&m=91632724913080&w=2
Reference: BID:189
Reference: URL:http://www.securityfocus.com/bid/189

When IIS 2 or 3 is upgraded to IIS 4, ism.dll is inadvertently left in /scripts/iisadmin, which does not restrict access to the local machine and allows an unauthorized user to gain access to sensitive server information, including the Administrator's password.
Current Votes:
   ACCEPT(1) Wall
   MODIFY(1) Frech
   NOOP(2) Cole, Foat

Voter Comments:
 Frech> XF:iis-ismdll-info(7566)

======================================================
Name: CVE-1999-1539
Status: Candidate
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-1999-1539
Phase: Proposed (20010912)
Category: SF
Reference: BUGTRAQ:19991110 Remote DoS Attack in QVT/Term 'Plus' 4.2d FTP Server Vulnerability
Reference: URL:http://marc.theaimsgroup.com/?l=bugtraq&m=94225924803704&w=2
Reference: NTBUGTRAQ:19991110 Remote DoS Attack in QVT/Term 'Plus' 4.2d FTP Server Vulnerability
Reference: URL:http://marc.theaimsgroup.com/?l=ntbugtraq&m=94223972910670&w=2
Reference: BID:796
Reference: URL:http://www.securityfocus.com/bid/796
Reference: XF:qvtterm-login-dos(3491)
Reference: URL:http://xforce.iss.net/static/3491.php

Buffer overflow in FTP server in QPC Software's QVT/Term Plus versions 4.2d and 4.3 and QVT/Net 4.3 allows remote attackers to cause a denial of service, and possibly execute arbitrary commands, via a long (1) user name or (2) password.

Current Votes:
   ACCEPT(1) Frech
   NOOP(3) Cole, Foat, Wall

======================================================
Name: CVE-1999-1540
Status: Candidate
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-1999-1540
Phase: Proposed (20010912)
Category: SF
Reference: L0PHT:19991004
Reference: URL:http://www.atstake.com/research/advisories/1999/shell-lock.txt
Reference: BUGTRAQ:19991005 Cactus Software's shell-lock
Reference: URL:http://marc.theaimsgroup.com/?l=bugtraq&m=93916168802365&w=2
Reference: XF:cactus-shell-lock-retrieve-shell-code(3356)
Reference: URL:http://xforce.iss.net/static/3356.php

shell-lock in Cactus Software Shell Lock uses weak encryption (trivial encoding) which allows attackers to easily decrypt and obtain the source code.
Current Votes:
   ACCEPT(1) Frech
   NOOP(3) Cole, Foat, Wall

======================================================
Name: CVE-1999-1541
Status: Candidate
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-1999-1541
Phase: Proposed (20010912)
Category: SF
Reference: L0PHT:19991004
Reference: URL:http://www.atstake.com/research/advisories/1999/shell-lock.txt
Reference: BUGTRAQ:19991005 Cactus Software's shell-lock
Reference: URL:http://marc.theaimsgroup.com/?l=bugtraq&m=93916168802365&w=2
Reference: XF:cactus-shell-lock-root-privs(3358)
Reference: URL:http://xforce.iss.net/static/3358.php

shell-lock in Cactus Software Shell Lock allows local users to read or modify decoded shell files before they are executed, via a symlink attack on a temporary file.

Current Votes:
   ACCEPT(1) Frech
   NOOP(3) Cole, Foat, Wall

======================================================
Name: CVE-1999-1543
Status: Candidate
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-1999-1543
Phase: Proposed (20010912)
Category: SF
Reference: BUGTRAQ:19990710 MacOS system encryption algorithm
Reference: URL:http://marc.theaimsgroup.com/?l=bugtraq&m=93188174906513&w=2
Reference: BUGTRAQ:19990914 MacOS system encryption algorithm 3
Reference: URL:http://marc.theaimsgroup.com/?l=bugtraq&m=93736667813924&w=2
Reference: BID:519
Reference: URL:http://www.securityfocus.com/bid/519

MacOS uses weak encryption for passwords that are stored in the Users & Groups Data File.
Current Votes:
   NOOP(3) Cole, Foat, Wall
   REVIEWING(1) Frech

Voter Comments:
 Frech> (ACCEPT; Task 2357)

======================================================
Name: CVE-1999-1544
Status: Candidate
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-1999-1544
Phase: Proposed (20010912)
Category: SF
Reference: BUGTRAQ:19990124 Advisory: IIS FTP Exploit/DoS Attack
Reference: URL:http://marc.theaimsgroup.com/?l=bugtraq&m=91722115016183&w=2

Buffer overflow in FTP server in Microsoft IIS 3.0 and 4.0 allows local and sometimes remote attackers to cause a denial of service via a long NLST (ls) command.

Current Votes:
   ACCEPT(1) Wall
   NOOP(2) Cole, Foat
   REJECT(1) Frech

Voter Comments:
 Frech> Dupe CVE-1999-0349

======================================================
Name: CVE-1999-1545
Status: Candidate
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-1999-1545
Phase: Proposed (20010912)
Category: SF
Reference: BUGTRAQ:19990714
Reference: URL:http://marc.theaimsgroup.com/?l=bugtraq&m=93216103027827&w=2
Reference: BUGTRAQ:19990717 joe 2.8 makes world-readable DEADJOE
Reference: URL:http://marc.theaimsgroup.com/?l=bugtraq&m=93226771401036&w=2

Joe's Own Editor (joe) 2.8 sets the world-readable permission on its crash-save file, DEADJOE, which could allow local users to read files that were being edited by other users.

Current Votes:
   NOOP(3) Cole, Foat, Wall
   REVIEWING(1) Frech

Voter Comments:
 Frech> (ACCEPT; Task 2358)

======================================================
Name: CVE-1999-1546
Status: Candidate
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-1999-1546
Phase: Proposed (20010912)
Category: SF
Reference: BUGTRAQ:19990129 TROJAN: netstation.navio-comm.rte 1.1.0.1
Reference: URL:http://www.securityfocus.com/archive/1/12217
Reference: XF:navionc-config-script(1724)
Reference: URL:http://xforce.iss.net/static/1724.php

netstation.navio-com.rte 1.1.0.1 configuration script for Navio NC on IBM AIX exports /tmp over NFS as world-readable and world-writable.
Current Votes:
   ACCEPT(1) Frech
   NOOP(3) Cole, Foat, Wall

======================================================
Name: CVE-1999-1547
Status: Candidate
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-1999-1547
Phase: Proposed (20010912)
Category: SF
Reference: BUGTRAQ:19991125 Oracle Web Listener
Reference: URL:http://marc.theaimsgroup.com/?l=bugtraq&m=94359982417686&w=2
Reference: NTBUGTRAQ:19991125 Oracle Web Listener
Reference: URL:http://marc.theaimsgroup.com/?l=ntbugtraq&m=94390053530890&w=2
Reference: BID:841
Reference: URL:http://www.securityfocus.com/bid/841

Oracle Web Listener 2.1 allows remote attackers to bypass access restrictions by replacing a character in the URL with its HTTP-encoded (hex) equivalent.

Current Votes:
   MODIFY(1) Frech
   NOOP(3) Cole, Foat, Wall

Voter Comments:
 Frech> XF:oracle-weblistener-bypass-restrictions(8355)

======================================================
Name: CVE-1999-1548
Status: Candidate
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-1999-1548
Phase: Proposed (20010912)
Category: SF
Reference: BINDVIEW:19991124 Cabletron SmartSwitch Router 8000 Firmware v2.x
Reference: URL:http://razor.bindview.com/publish/advisories/adv_Cabletron.html
Reference: BID:821
Reference: URL:http://www.securityfocus.com/bid/841

Cabletron SmartSwitch Router (SSR) 8000 firmware 2.x can only handle 200 ARP requests per second, allowing a denial of service attack to succeed with a flood of ARP requests exceeding that limit.

Current Votes:
   MODIFY(1) Frech
   NOOP(3) Cole, Foat, Wall

Voter Comments:
 Frech> XF:smartswitch-arp-flood-dos(7770)
   BID URL should be 821, not 841.
======================================================
Name: CVE-1999-1549
Status: Candidate
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-1999-1549
Phase: Proposed (20010912)
Category: SF
Reference: BUGTRAQ:19991116 lynx 2.8.x - 'special URLs' anti-spoofing protection is weak
Reference: URL:http://marc.theaimsgroup.com/?l=bugtraq&m=94286509804526&w=2
Reference: BID:804
Reference: URL:http://www.securityfocus.com/bid/804

Lynx 2.x does not properly distinguish between internal and external HTML, which may allow a local attacker to read a "secure" hidden form value from a temporary file and craft a LYNXOPTIONS: URL that causes Lynx to modify the user's configuration file and execute commands.

Current Votes:
   MODIFY(1) Frech
   NOOP(3) Cole, Foat, Wall

Voter Comments:
 Frech> XF:lynx-lynxurl-spoof(8342)

======================================================
Name: CVE-1999-1551
Status: Candidate
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-1999-1551
Phase: Proposed (20010912)
Category: SF
Reference: BUGTRAQ:19990302 Multiple IMail Vulnerabilites
Reference: URL:http://marc.theaimsgroup.com/?l=bugtraq&m=92038879607336&w=2
Reference: BID:505
Reference: URL:http://www.securityfocus.com/bid/505
Reference: XF:imail-websvc-overflow(1898)
Reference: URL:http://xforce.iss.net/static/1898.php

Buffer overflow in Ipswitch IMail Service 5.0 allows an attacker to cause a denial of service (crash) and possibly execute arbitrary commands via a long URL.
Current Votes:
   ACCEPT(2) Cole, Frech
   NOOP(2) Foat, Wall

======================================================
Name: CVE-1999-1552
Status: Candidate
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-1999-1552
Phase: Proposed (20010912)
Category: SF
Reference: BUGTRAQ:19940720 xnews and XDM
Reference: URL:http://lists.insecure.org/lists/bugtraq/1994/Jul/0038.html
Reference: BID:358
Reference: URL:http://www.securityfocus.com/bid/358

dpsexec (DPS Server) when running under XDM in IBM AIX 3.2.5 and earlier does not properly check privileges, which allows local users to overwrite arbitrary files and gain privileges.

Current Votes:
   NOOP(2) Cole, Foat

======================================================
Name: CVE-1999-1553
Status: Candidate
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-1999-1553
Phase: Proposed (20010912)
Category: SF
Reference: BUGTRAQ:19990301 [0z0n3] XCmail remotely exploitable vulnerability
Reference: URL:http://www.securityfocus.com/archive/1/12730
Reference: BID:311
Reference: URL:http://www.securityfocus.com/bid/311
Reference: XF:xcmail-reply-overflow(1859)
Reference: URL:http://xforce.iss.net/static/1859.php

Buffer overflow in XCmail 0.99.6 with autoquote enabled allows remote attackers to execute arbitrary commands via a long subject line.

Current Votes:
   ACCEPT(1) Frech
   NOOP(3) Cole, Foat, Wall

======================================================
Name: CVE-1999-1554
Status: Candidate
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-1999-1554
Phase: Modified (20020218-01)
Category: SF
Reference: CERT:CA-1990-08
Reference: URL:http://www.cert.org/advisories/CA-1990-08.html
Reference: BID:13
Reference: URL:http://www.securityfocus.com/bid/13
Reference: XF:sgi-irix-reset(3164)
Reference: URL:http://www.iss.net/security_center/static/3164.php

/usr/sbin/Mail on SGI IRIX 3.3 and 3.3.1 does not properly set the group ID to the group ID of the user who started Mail, which allows local users to read the mail of other users.
Current Votes:
   ACCEPT(2) Cole, Stracener
   MODIFY(1) Frech
   NOOP(2) Foat, Wall

Voter Comments:
 Frech> XF:sgi-irix-reset(3164)
 CHANGE> [Foat changed vote from ACCEPT to NOOP]

======================================================
Name: CVE-1999-1555
Status: Candidate
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-1999-1555
Phase: Proposed (20010912)
Category: CF
Reference: BUGTRAQ:19980611 Cheyenne Inoculan vulnerability on NT
Reference: URL:http://www.securityfocus.com/archive/1/9515
Reference: BID:106
Reference: XF:inoculan-bad-permissions(1536)
Reference: URL:http://xforce.iss.net/static/1536.php

Cheyenne InocuLAN Anti-Virus Server in Inoculan 4.0 before Service Pack 2 creates an update directory with "EVERYONE FULL CONTROL" permissions, which allows local users to cause Inoculan's antivirus update feature to install a Trojan horse dll.

Current Votes:
   ACCEPT(1) Frech
   NOOP(3) Cole, Foat, Wall

Voter Comments:
 Frech> http://support.cai.com/Download/patches/inocnt.html

======================================================
Name: CVE-1999-1557
Status: Candidate
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-1999-1557
Phase: Proposed (20010912)
Category: SF
Reference: BUGTRAQ:19990301 Multiple IMail Vulnerabilites
Reference: URL:http://marc.theaimsgroup.com/?l=bugtraq&m=92038879607336&w=2
Reference: XF:imail-imap-overflow(1895)
Reference: URL:http://xforce.iss.net/static/1895.php

Buffer overflow in the login functions in IMAP server (imapd) in Ipswitch IMail 5.0 and earlier allows remote attackers to cause a denial of service and possibly execute arbitrary code via (1) a long user name or (2) a long password.
Current Votes:
   ACCEPT(2) Cole, Frech
   NOOP(2) Foat, Wall

======================================================
Name: CVE-1999-1558
Status: Candidate
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-1999-1558
Phase: Modified (20020218-01)
Category: SF
Reference: CIAC:I-071A
Reference: URL:http://ciac.llnl.gov/ciac/bulletins/i-071a.shtml
Reference: CERT:VB-98.07
Reference: BID:161
Reference: URL:http://www.securityfocus.com/bid/161
Reference: XF:openvms-loginout-unauth-access(7151)
Reference: URL:http://www.iss.net/security_center/static/7151.php

Vulnerability in loginout in Digital OpenVMS 7.1 and earlier allows unauthorized access when external authentication is enabled.

Current Votes:
   ACCEPT(3) Cole, Foat, Stracener
   MODIFY(1) Frech
   NOOP(1) Wall

Voter Comments:
 Frech> XF:openvms-loginout-unauth-access(7151)

======================================================
Name: CVE-1999-1559
Status: Candidate
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-1999-1559
Phase: Proposed (20010912)
Category: SF
Reference: BUGTRAQ:19990331 Xylan OmniSwitch "features"
Reference: URL:http://marc.theaimsgroup.com/?l=bugtraq&m=92299263017061&w=2
Reference: XF:xylan-omniswitch-login(2064)
Reference: URL:http://xforce.iss.net/static/2064.php

Xylan OmniSwitch before 3.2.6 allows remote attackers to bypass the login prompt via a CTRL-D (control d) character, which locks other users out of the switch because it only supports one session at a time.
Current Votes:
   ACCEPT(1) Frech
   NOOP(3) Cole, Foat, Wall

======================================================
Name: CVE-1999-1560
Status: Candidate
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-1999-1560
Phase: Proposed (20010912)
Category: SF
Reference: BUGTRAQ:19990720 tiger vulnerability
Reference: URL:http://marc.theaimsgroup.com/?l=bugtraq&m=93252050203589&w=2
Reference: XF:tiger-script-execute(2369)
Reference: URL:http://xforce.iss.net/static/2369.php

Vulnerability in a script in Texas A&M University (TAMU) Tiger allows local users to execute arbitrary commands as the Tiger user, usually root.

Current Votes:
   ACCEPT(3) Cole, Foat, Frech
   NOOP(1) Wall

======================================================
Name: CVE-1999-1561
Status: Candidate
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-1999-1561
Phase: Proposed (20010912)
Category: SF
Reference: BUGTRAQ:19990820 Winamp SHOUTcast server: Gain Administrator Password
Reference: URL:http://www.securityfocus.com/archive/1/24852

Nullsoft SHOUTcast server stores the administrative password in plaintext in a configuration file (sc_serv.conf), which could allow a local user to gain administrative privileges on the server.

Current Votes:
   NOOP(3) Cole, Foat, Wall
   REVIEWING(1) Frech

Voter Comments:
 Frech> (ACCEPT; Task 2359)

======================================================
Name: CVE-1999-1562
Status: Candidate
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-1999-1562
Phase: Modified (20050309)
Category: SF
Reference: BUGTRAQ:19990905 gftp
Reference: URL:http://www.securityfocus.com/archive/1/26915
Reference: DEBIAN:DSA-084
Reference: URL:http://www.debian.org/security/2001/dsa-084
Reference: BID:3446
Reference: URL:http://www.securityfocus.com/bid/3446

gFTP FTP client 1.13, and other versions before 2.0.0, records a password in plaintext in (1) the log window, or (2) in a log file.
Current Votes:
   MODIFY(1) Frech
   NOOP(3) Cole, Foat, Wall

Voter Comments:
 Frech> XF:gftp-plaintext-password(7319)

======================================================
Name: CVE-1999-1563
Status: Candidate
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-1999-1563
Phase: Proposed (20010912)
Category: SF/CF/MP/SA/AN/unknown
Reference: BUGTRAQ:19991014 NEUROCOM: Nashuatec printer, 3 vulnerabilities found
Reference: URL:http://www.securityfocus.com/archive/1/30849
Reference: BUGTRAQ:19991116 NEUROCOM: Nashuatec D445/435 vulnerabilities updated
Reference: URL:http://www.securityfocus.com/archive/1/35075

Nashuatec D435 and D445 printers allow remote attackers to cause a denial of service via an ICMP redirect storm.

Current Votes:
   MODIFY(1) Frech
   NOOP(3) Cole, Foat, Wall

Voter Comments:
 Frech> XF:icmp-redirect(285)

======================================================
Name: CVE-1999-1564
Status: Candidate
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-1999-1564
Phase: Proposed (20010912)
Category: SF
Reference: BUGTRAQ:19990902 [ Kernel panic with FreeBSD-3.2-19990830-STABLE ]
Reference: URL:http://www.securityfocus.com/archive/1/26166

FreeBSD 3.2 and possibly other versions allows a local user to cause a denial of service (panic) via a large number of accesses to an NFS v3 mounted directory from a large number of processes.

Current Votes:
   ACCEPT(1) Cole
   MODIFY(1) Frech
   NOOP(2) Foat, Wall

Voter Comments:
 Frech> XF:freebsd-nfs-access-dos(8325)

======================================================
Name: CVE-1999-1566
Status: Candidate
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-1999-1566
Phase: Proposed (20010912)
Category: SF
Reference: BUGTRAQ:19990508 iParty Daemon Vulnerability w/ Exploit Code (worse than thought?)
Reference: URL:http://www.securityfocus.com/archive/1/13600

Buffer overflow in iParty server 1.2 and earlier allows remote attackers to cause a denial of service (crash) by connecting to default port 6004 and sending repeated extended characters.

Current Votes:
   MODIFY(1) Frech
   NOOP(3) Cole, Foat, Wall

Voter Comments:
 Frech> XF:iparty-dos(1416)

======================================================
Name: CVE-1999-1567
Status: Candidate
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-1999-1567
Phase: Modified (20020218-01)
Category: SF
Reference: NTBUGTRAQ:19990308 Password and DOS Vulnerability with Testrack (bug tracking software)
Reference: URL:http://www.ntbugtraq.com/default.asp?pid=36&sid=1&A2=ind9903&L=NTBUGTRAQ&P=R1215
Reference: NTBUGTRAQ:19990616 Password and DOS Vulnerability with Testrack (bug tracking software)
Reference: URL:http://www.ntbugtraq.com/default.asp?pid=36&sid=1&A2=ind9906&L=NTBUGTRAQ&P=R1680
Reference: XF:testtrack-dos(1948)
Reference: URL:http://xforce.iss.net/static/1948.php

Seapine Software TestTrack server allows a remote attacker to cause a denial of service (high CPU) via (1) TestTrackWeb.exe and (2) ttcgi.exe by connecting to port 99 and disconnecting without sending any data.

Current Votes:
   ACCEPT(2) Cole, Foat
   MODIFY(1) Frech
   NOOP(1) Wall

Voter Comments:
 Frech> XF:testtrack-dos(1948)

======================================================
Name: CVE-1999-1569
Status: Candidate
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-1999-1569
Phase: Proposed (20020830)
Category: SF
Reference: BUGTRAQ:20010716 Quake client and server denial-of-service
Reference: URL:http://www.securityfocus.com/archive/1/197268
Reference: BUGTRAQ:19981101 Quake problem?
Reference: URL:http://marc.theaimsgroup.com/?l=bugtraq&m=91012172524181&w=2
Reference: BUGTRAQ:19980502 NetQuake Protocol problem resulting in smurf like effect.
Reference: URL:http://marc.theaimsgroup.com/?l=bugtraq&m=90221101925989&w=2
Reference: XF:quake-spoofed-client-dos(6871)
Reference: URL:http://xforce.iss.net/static/6871.php
Reference: BID:3051
Reference: URL:http://www.securityfocus.com/bid/3051

Quake 1 and NetQuake servers allow remote attackers to cause a denial of service (resource exhaustion or forced disconnection) via a flood of spoofed UDP connection packets, which exceeds the server's player limit.

Current Votes:
   ACCEPT(1) Frech
   NOOP(5) Armstrong, Cole, Cox, Foat, Wall
   REVIEWING(1) Green

======================================================
Name: CVE-1999-1570
Status: Candidate
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-1999-1570
Phase: Proposed (20020830)
Category: SF
Reference: VULN-DEV:20020509 Sar -o exploitation process info.
Reference: URL:http://marc.theaimsgroup.com/?l=vuln-dev&m=102098949103708&w=2
Reference: BUGTRAQ:19990909 19 SCO 5.0.5+Skunware98 buffer overflows
Reference: URL:http://online.securityfocus.com/archive/1/27074
Reference: CALDERA:CSSA-2002-SCO.17
Reference: URL:ftp://stage.caldera.com/pub/security/openserver/CSSA-2002-SCO.17/CSSA-2002-SCO.17.txt
Reference: BID:4089
Reference: URL:http://www.securityfocus.com/bid/4089
Reference: XF:openserver-sar-bo(8989)
Reference: URL:http://www.iss.net/security_center/static/8989.php

Buffer overflow in sar for OpenServer 5.0.5 allows local users to gain root privileges via a long -o parameter.

Current Votes:
   ACCEPT(4) Armstrong, Cole, Frech, Green
   NOOP(3) Cox, Foat, Wall
   REVIEWING(1) Christey

Voter Comments:
 Frech> It seems as if the BID-4089 assignment on this CAN name may be in error.
   BID-4089 (Multiple Vendor SNMP Request Handling Vulnerabilities) is already assigned to CVE-2002-0013.
   Also, this CVE issue seems to have nothing to do with SNMP.
 Christey> Agreed, this is the wrong BID.
   SecurityFocus has assigned BID:643 to CVE-1999-1570, but there's a bit of an inconsistency.
   BID:643 alludes to Bugtraq posts in 1999 from Brock Tellier, mentioning overflows in sar via BOTH the -o and -f parameters. However, they also link this issue to SCO advisory 99.17, although the advisory itself is too vague to *really* know what vulns they fixed. And now the link to a potentially more detailed document (sse037.ltr) is broken. So we don't have any independent reason for knowing whether SCO 99.17 (a) addresses any "sar" vulnerabilities, and (b) even if it does, whether it addresses *both* the -o and -f arguments originally claimed by Tellier. Finally, it seems rather curious that CSSA-2002-SCO.17 talks about a -o overflow but does not mention -f. Sounds like an email to the security people at SCO is in order...

   OK. Having consulted with SCO (who responded quickly), I looked even further into this issue. There is now sufficient evidence that the -f overflow was fixed in 1999. This means that a separate candidate should be created (by CD:SF-LOC), so the -f overflow is now covered by CVE-1999-1571.
   Need to DELREF BID:4089
 CHANGE> [Frech changed vote from NOOP to ACCEPT]
 CHANGE> [Christey changed vote from NOOP to REVIEWING]

======================================================
Name: CVE-1999-1571
Status: Candidate
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-1999-1571
Phase: Assigned (20021008)
Category: SF
Reference: BUGTRAQ:19990909 19 SCO 5.0.5+Skunware98 buffer overflows
Reference: URL:http://online.securityfocus.com/archive/1/27074
Reference: BUGTRAQ:19990917 Re: recent SCO 5.0.x vulnerabilities
Reference: URL:http://marc.theaimsgroup.com/?l=bugtraq&m=93762097815861&w=2
Reference: BUGTRAQ:19991020 Re: recent SCO 5.0.x vulnerabilities
Reference: URL:http://marc.theaimsgroup.com/?l=bugtraq&m=94053017801639&w=2
Reference: BUGTRAQ:19991105 SCO Security Bulletin 99.17
Reference: URL:http://marc.theaimsgroup.com/?l=bugtraq&m=94183363719024&w=2
Reference: MISC:http://online.securityfocus.com/advisories/1843
Reference: SCO:SB-99.17c
Reference: URL:ftp://stage.caldera.com/pub/security/sse/security_bulletins/SB-99.17c
Reference: CONFIRM:ftp://stage.caldera.com/pub/security/sse/sse037c/sse037c.ltr
Reference: BID:643
Reference: URL:http://www.securityfocus.com/bid/643
Reference: VULN-DEV:20020509 Sar -o exploitation process info.
Reference: URL:http://marc.theaimsgroup.com/?l=vuln-dev&m=102098949103708&w=2
Reference: XF:openserver-sar-bo(8989)
Reference: URL:http://www.iss.net/security_center/static/8989.php

Buffer overflow in sar for SCO OpenServer 5.0.0 through 5.0.5 may allow local users to gain root privileges via a long -f parameter, a different vulnerability than CVE-1999-1570.
Current Votes:
   None (candidate not yet proposed)

======================================================
Name: CVE-1999-1572
Status: Candidate
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-1999-1572
Phase: Assigned (20050127)
Category: SF
Reference: MISC:http://www.freebsd.org/cgi/query-pr.cgi?pr=bin/1391
Reference: CONFIRM:http://support.avaya.com/elmodocs2/security/ASA-2005-212.pdf
Reference: DEBIAN:DSA-664
Reference: URL:http://www.debian.org/security/2005/dsa-664
Reference: MANDRAKE:MDKSA-2005:032
Reference: URL:http://www.mandriva.com/security/advisories?name=MDKSA-2005:032
Reference: REDHAT:RHSA-2005:073
Reference: URL:http://www.redhat.com/support/errata/RHSA-2005-073.html
Reference: REDHAT:RHSA-2005:080
Reference: URL:http://www.redhat.com/support/errata/RHSA-2005-080.html
Reference: REDHAT:RHSA-2005:806
Reference: URL:http://www.redhat.com/support/errata/RHSA-2005-806.html
Reference: TRUSTIX:2005-0003
Reference: URL:http://www.trustix.org/errata/2005/0003/
Reference: BUGTRAQ:20050204 [USN-75-1] cpio vulnerability
Reference: URL:http://marc.theaimsgroup.com/?l=bugtraq&m=110763404701519&w=2
Reference: OVAL:oval:org.mitre.oval:def:10888
Reference: URL:http://oval.mitre.org/repository/data/getDef?id=oval:org.mitre.oval:def:10888
Reference: SECUNIA:14357
Reference: URL:http://secunia.com/advisories/14357
Reference: SECUNIA:17063
Reference: URL:http://secunia.com/advisories/17063
Reference: SECUNIA:17532
Reference: URL:http://secunia.com/advisories/17532
Reference: XF:cpio-o-archive-insecure-permissions(19167)
Reference: URL:http://xforce.iss.net/xforce/xfdb/19167

cpio on FreeBSD 2.1.0, Debian GNU/Linux 3.0, and possibly other operating systems, uses a 0 umask when creating files using the -O (archive) or -F options, which creates the files with mode 0666 and allows local users to read or overwrite those files.
Current Votes:
   None (candidate not yet proposed)

======================================================
Name: CVE-1999-1573
Status: Candidate
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-1999-1573
Phase: Assigned (20050421)
Category: SF
Reference: HP:HPSBUX9812-090
Reference: URL:http://www.securityfocus.com/advisories/1471
Reference: AUSCERT:ESB-98.186
Reference: URL:http://www.auscert.org.au/render.html?it=490
Reference: CERT-VN:VU#13217
Reference: URL:http://www.kb.cert.org/vuls/id/13217
Reference: CIAC:J-022
Reference: URL:http://www.ciac.org/ciac/bulletins/j-022.shtml
Reference: OVAL:oval:org.mitre.oval:def:5550
Reference: URL:http://oval.mitre.org/repository/data/getDef?id=oval:org.mitre.oval:def:5550
Reference: XF:hp-rcmnds-gain-privileges(7860)
Reference: URL:http://xforce.iss.net/xforce/xfdb/7860

Multiple unknown vulnerabilities in the "r-cmnds" (1) remshd, (2) rexecd, (3) rlogind, (4) rlogin, (5) remsh, (6) rcp, (7) rexec, and (8) rdist for HP-UX 10.00 through 11.00 allow attackers to gain privileges or access files.

Current Votes:
   None (candidate not yet proposed)

======================================================
Name: CVE-1999-1574
Status: Candidate
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-1999-1574
Phase: Assigned (20050421)
Category: SF
Reference: AIXAPAR:IX79909
Reference: URL:http://www-1.ibm.com/support/search.wss?rs=0&q=IX79909&apar=only
Reference: CERT-VN:VU#182777
Reference: URL:http://www.kb.cert.org/vuls/id/182777
Reference: XF:aix-nslookup-lex-bo(7867)
Reference: URL:http://xforce.iss.net/xforce/xfdb/7867

Buffer overflow in the lex routines of nslookup for AIX 4.3 may allow attackers to cause a core dump and possibly execute arbitrary code via "long input strings."
Current Votes:
   None (candidate not yet proposed)

======================================================
Name: CVE-1999-1575
Status: Candidate
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-1999-1575
Phase: Assigned (20050421)
Category: SF
Reference: BUGTRAQ:19990924 Several ActiveX Buffer Overruns
Reference: URL:http://www.securityfocus.com/archive/1/28719
Reference: MS:MS99-037
Reference: URL:http://www.microsoft.com/technet/security/bulletin/ms99-037.mspx
Reference: CERT-VN:VU#23412
Reference: URL:http://www.kb.cert.org/vuls/id/23412
Reference: CERT-VN:VU#24839
Reference: URL:http://www.kb.cert.org/vuls/id/24839
Reference: CERT-VN:VU#26924
Reference: URL:http://www.kb.cert.org/vuls/id/26924
Reference: CERT-VN:VU#41408
Reference: URL:http://www.kb.cert.org/vuls/id/41408
Reference: CERT-VN:VU#9162
Reference: URL:http://www.kb.cert.org/vuls/id/9162
Reference: XF:wang-kodak-activex-control(7097)
Reference: URL:http://xforce.iss.net/xforce/xfdb/7097

The Kodak/Wang (1) Image Edit (imgedit.ocx), (2) Image Annotation (imgedit.ocx), (3) Image Scan (imgscan.ocx), (4) Thumbnail Image (imgthumb.ocx), (5) Image Admin (imgadmin.ocx), (6) HHOpen (hhopen.ocx), (7) Registration Wizard (regwizc.dll), and (8) IE Active Setup (setupctl.dll) ActiveX controls for Internet Explorer (IE) 4.01 and 5.0 are marked as "Safe for Scripting," which allows remote attackers to create and modify files and execute arbitrary commands.
Current Votes:
   None (candidate not yet proposed)

======================================================
Name: CVE-1999-1576
Status: Candidate
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-1999-1576
Phase: Assigned (20050421)
Category: SF
Reference: BUGTRAQ:19990924 Several ActiveX Buffer Overruns
Reference: URL:http://www.securityfocus.com/archive/1/28719
Reference: CERT-VN:VU#25919
Reference: URL:http://www.kb.cert.org/vuls/id/25919
Reference: BID:666
Reference: URL:http://www.securityfocus.com/bid/666
Reference: XF:adobe-acrobat-pdf-bo(3318)
Reference: URL:http://xforce.iss.net/xforce/xfdb/3318

Buffer overflow in Adobe Acrobat ActiveX control (pdf.ocx, PDF.PdfCtrl.1) 1.3.188 for Acrobat Reader 4.0 allows remote attackers to execute arbitrary code via the pdf.setview method.

Current Votes:
   None (candidate not yet proposed)

======================================================
Name: CVE-1999-1577
Status: Candidate
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-1999-1577
Phase: Assigned (20050421)
Category: SF
Reference: BUGTRAQ:19990924 Several ActiveX Buffer Overruns
Reference: URL:http://www.securityfocus.com/archive/1/28719
Reference: CERT-VN:VU#29795
Reference: URL:http://www.kb.cert.org/vuls/id/29795
Reference: BID:669
Reference: URL:http://www.securityfocus.com/bid/0669
Reference: XF:ie-hhopen-bo(3314)
Reference: URL:http://xforce.iss.net/xforce/xfdb/3314

Buffer overflow in HHOpen ActiveX control (hhopen.ocx) 1.0.0.1 for Internet Explorer 4.01 and 5 allows remote attackers to execute arbitrary commands via long arguments to the OpenHelp method.
Current Votes:
   None (candidate not yet proposed)

======================================================
Name: CVE-1999-1578
Status: Candidate
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-1999-1578
Phase: Assigned (20050421)
Category: SF
Reference: BUGTRAQ:19990924 Several ActiveX Buffer Overruns
Reference: URL:http://www.securityfocus.com/archive/1/28719
Reference: CERT-VN:VU#37556
Reference: URL:http://www.kb.cert.org/vuls/id/37556
Reference: BID:671
Reference: URL:http://www.securityfocus.com/bid/671
Reference: XF:ie-registration-wiz-bo(3311)
Reference: URL:http://xforce.iss.net/xforce/xfdb/3311

Buffer overflow in Registration Wizard ActiveX control (regwizc.dll, InvokeRegWizard) 3.0.0.0 for Internet Explorer 4.01 and 5 allows remote attackers to execute arbitrary commands.

Current Votes:
   None (candidate not yet proposed)

======================================================
Name: CVE-1999-1579
Status: Candidate
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-1999-1579
Phase: Assigned (20050421)
Category: SF
Reference: MSKB:Q242366
Reference: URL:http://support.microsoft.com/default.aspx?scid=kb;[LN];242366
Reference: CERT-VN:VU#3062
Reference: URL:http://www.kb.cert.org/vuls/id/3062
Reference: BID:6827
Reference: URL:http://www.securityfocus.com/bid/6827
Reference: XF:winnt-xenroll-dos(7107)
Reference: URL:http://xforce.iss.net/xforce/xfdb/7107

The Cenroll ActiveX control (xenroll.dll) for Terminal Server Editions of Windows NT 4.0 and Windows NT Server 4.0 before SP6 allows remote attackers to cause a denial of service (resource consumption) by creating a large number of arbitrary files on the target machine.
Current Votes:
   None (candidate not yet proposed)

======================================================
Name: CVE-1999-1580
Status: Candidate
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-1999-1580
Phase: Assigned (20050421)
Category: SF
Reference: MISC:http://www.alw.nih.gov/Security/8lgm/8lgm-Advisory-21.html
Reference: AUSCERT:AA-95.09
Reference: URL:http://www.auscert.org.au/render.html?it=1853&cid=1978
Reference: CERT:CA-1995-11
Reference: URL:http://www.cert.org/advisories/CA-95.11.sun.sendmail-oR.vul
Reference: CERT-VN:VU#3278
Reference: URL:http://www.kb.cert.org/vuls/id/3278
Reference: BID:7829
Reference: URL:http://www.securityfocus.com/bid/7829

SunOS sendmail 5.59 through 5.65 uses popen to process a forwarding host argument, which allows local users to gain root privileges by modifying the IFS (Internal Field Separator) variable and passing crafted values to the -oR option.

Current Votes:
   None (candidate not yet proposed)

======================================================
Name: CVE-1999-1581
Status: Candidate
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-1999-1581
Phase: Assigned (20050421)
Category: SF
Reference: MSKB:Q178381
Reference: URL:http://support.microsoft.com/kb/q178381/
Reference: CERT-VN:VU#4923
Reference: URL:http://www.kb.cert.org/vuls/id/4923
Reference: XF:winnt-snmp-oid-memory-leak(8231)
Reference: URL:http://xforce.iss.net/xforce/xfdb/8231

Memory leak in Simple Network Management Protocol (SNMP) agent (snmp.exe) for Windows NT 4.0 before Service Pack 4 allows remote attackers to cause a denial of service (memory consumption) via a large number of SNMP packets with Object Identifiers (OIDs) that cannot be decoded.
Current Votes:
   None (candidate not yet proposed)

======================================================
Name: CVE-1999-1582
Status: Candidate
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-1999-1582
Phase: Assigned (20050421)
Category: CF
Reference: CISCO:19980715 PIX Firewall "established" Command
Reference: URL:http://www.cisco.com/warp/public/707/pixest-pub.shtml
Reference: CERT-VN:VU#6733
Reference: URL:http://www.kb.cert.org/vuls/id/6733
Reference: XF:cisco-pix-established-bypass(8052)
Reference: URL:http://xforce.iss.net/xforce/xfdb/8052

By design, the "established" command on the Cisco PIX firewall allows connections from one host to arbitrary ports of a target host if an alternative conduit has already been allowed, which can cause administrators to configure less restrictive access controls than intended if they do not understand this functionality.

Current Votes:
   None (candidate not yet proposed)

======================================================
Name: CVE-1999-1583
Status: Candidate
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-1999-1583
Phase: Assigned (20050421)
Category: SF
Reference: AIXAPAR:IY02120
Reference: URL:http://www-1.ibm.com/support/search.wss?rs=0&q=IY02120&apar=only
Reference: CERT-VN:VU#872443
Reference: URL:http://www.kb.cert.org/vuls/id/872443
Reference: XF:aix-nslookup-hostname-bo(8031)
Reference: URL:http://xforce.iss.net/xforce/xfdb/8031

Buffer overflow in nslookup for AIX 4.3 allows local users to execute arbitrary code via a long hostname command line argument.
Current Votes:
   None (candidate not yet proposed)

======================================================
Name: CVE-1999-1584
Status: Candidate
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-1999-1584
Phase: Assigned (20050830)
Category: SF
Reference: SUN:00124
Reference: URL:http://sunsolve.sun.com/search/document.do?assetkey=1-22-00124-1
Reference: CERT:CA-93.18
Reference: URL:http://www.cert.org/advisories/CA-1993-18.html

Unknown vulnerability in (1) loadmodule, and (2) modload if modload is installed with setuid/setgid privileges, in SunOS 4.1.1 through 4.1.3c, and Open Windows 3.0, allows local users to gain root privileges via environment variables, a different vulnerability than CVE-1999-1586.

Current Votes:
   None (candidate not yet proposed)

======================================================
Name: CVE-1999-1585
Status: Candidate
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-1999-1585
Phase: Assigned (20050830)
Category: SF
Reference: SUN:00124
Reference: URL:http://sunsolve.sun.com/search/document.do?assetkey=1-22-00124-1

The (1) rcS and (2) mountall programs in Sun Solaris 2.x, possibly before 2.4, start a privileged shell on the system console if fsck fails while the system is booting, which allows attackers with physical access to gain root privileges.

Current Votes:
   None (candidate not yet proposed)

======================================================
Name: CVE-1999-1586
Status: Candidate
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-1999-1586
Phase: Assigned (20050830)
Category: SF
Reference: CERT:CA-95.12
Reference: URL:http://www.cert.org/advisories/CA-1995-12.html
Reference: CIAC:G-02
Reference: URL:http://www.ciac.org/ciac/bulletins/g-02.shtml
Reference: XF:sun-loadmodule(498)
Reference: URL:http://xforce.iss.net/xforce/xfdb/498

loadmodule in SunOS 4.1.x, as used by xnews, does not properly sanitize its environment, which allows local users to gain privileges, a different vulnerability than CVE-1999-1584.
Current Votes:
   None (candidate not yet proposed)

======================================================
Name: CVE-1999-1587
Status: Candidate
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-1999-1587
Phase: Assigned (20060328)
Category:
Reference: MISC:http://www.sunmanagers.org/archives/1996/1383.html
Reference: SUNALERT:102215
Reference: URL:http://sunsolve.sun.com/search/document.do?assetkey=1-26-102215-1
Reference: BID:19662
Reference: URL:http://www.securityfocus.com/bid/19662
Reference: VUPEN:ADV-2006-1123
Reference: URL:http://www.vupen.com/english/advisories/2006/1123
Reference: OSVDB:24200
Reference: URL:http://www.osvdb.org/24200
Reference: OVAL:oval:org.mitre.oval:def:1470
Reference: URL:http://oval.mitre.org/repository/data/getDef?id=oval:org.mitre.oval:def:1470
Reference: SECTRACK:1015833
Reference: URL:http://securitytracker.com/id?1015833
Reference: SECUNIA:19426
Reference: URL:http://secunia.com/advisories/19426
Reference: XF:solaris-ps-information-disclosure(25460)
Reference: URL:http://xforce.iss.net/xforce/xfdb/25460

/usr/ucb/ps in Sun Microsystems Solaris 8 and 9, and certain earlier releases, allows local users to view the environment variables and values of arbitrary processes via the -e option.
Current Votes:
   None (candidate not yet proposed)

======================================================
Name: CVE-1999-1588
Status: Candidate
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-1999-1588
Phase: Assigned (20060421)
Category:
Reference: MISC:http://security-protocols.com/sploits/unsorted_exploits/nlps_server.c
Reference: MISC:http://www.securityfocus.com/data/vulnerabilities/exploits/nlps_server.c
Reference: MISC:http://lsd-pl.net/files/get?SOLARIS/solx86_nlps_server
Reference: BID:2319
Reference: URL:http://www.securityfocus.com/bid/2319

Buffer overflow in nlps_server in Sun Solaris x86 2.4, 2.5, and 2.5.1 allows remote attackers to execute arbitrary code as root via a long string beginning with "NLPS:002:002:" to the listen (aka System V listener) port, TCP port 2766.

Current Votes:
   None (candidate not yet proposed)

======================================================
Name: CVE-1999-1589
Status: Candidate
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-1999-1589
Phase: Assigned (20060615)
Category:
Reference: AIXAPAR:IX26997
Reference: CERT:CA-1992-10
Reference: URL:http://www.cert.org/advisories/CA-1992-10.html
Reference: BID:357
Reference: URL:http://www.securityfocus.com/bid/357

Unspecified vulnerability in crontab in IBM AIX 3.2 allows local users to gain root privileges via unknown attack vectors.

Current Votes:
   None (candidate not yet proposed)

======================================================
Name: CVE-1999-1590
Status: Candidate
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-1999-1590
Phase: Assigned (20061203)
Category:
Reference: BUGTRAQ:19971010 Security flaw in Count.cgi (wwwcount)
Reference: URL:http://seclists.org/bugtraq/1997/Oct/0058.html

Directory traversal vulnerability in Muhammad A. Muquit wwwcount (Count.cgi) 2.3 allows remote attackers to read arbitrary GIF files via ".." sequences in the image parameter, a different vulnerability than CVE-1999-0021.
Current Votes:
   None (candidate not yet proposed)

======================================================
Name: CVE-1999-1591
Status: Candidate
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-1999-1591
Phase: Assigned (20070705)
Category:
Reference: NTBUGTRAQ:19990118 IIS4.0 and Visual Interdev
Reference: URL:http://archives.neohapsis.com/archives/ntbugtraq/1998-1999/msg00276.html
Reference: NTBUGTRAQ:19990119 Re: IIS4.0 and Visual Interdev
Reference: URL:http://archives.neohapsis.com/archives/ntbugtraq/1998-1999/msg00277.html
Reference: BID:190
Reference: URL:http://www.securityfocus.com/bid/190

Microsoft Internet Information Services (IIS) server 4.0 SP4, without certain hotfixes released for SP4, does not require authentication credentials under certain conditions, which allows remote attackers to bypass authentication requirements, as demonstrated by connecting via Microsoft Visual InterDev 6.0.

Current Votes:
   None (candidate not yet proposed)

======================================================
Name: CVE-1999-1592
Status: Candidate
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-1999-1592
Phase: Assigned (20070712)
Category:
Reference: SUN:00159
Reference: URL:http://sunsolve.sun.com/search/document.do?assetkey=1-22-00159-1
Reference: BID:243
Reference: URL:http://www.securityfocus.com/bid/243

Multiple unspecified vulnerabilities in sendmail 5, as installed on Sun SunOS 4.1.3_U1 and 4.1.4, have unspecified attack vectors and impact. NOTE: this might overlap CVE-1999-0129.
Current Votes:
   None (candidate not yet proposed)

======================================================
Name: CVE-1999-1593
Status: Candidate
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-1999-1593
Phase: Assigned (20090114)
Category:
Reference: NTBUGTRAQ:19990302 NT Domain DoS and Security Exploit with SAMBA Server
Reference: URL:http://archives.neohapsis.com/archives/ntbugtraq/1998-1999/msg00371.html
Reference: BUGTRAQ:20010117 Re: Invalid WINS entries
Reference: URL:http://seclists.org/bugtraq/2001/Jan/0269.html
Reference: BUGTRAQ:20010117 Invalid WINS entries
Reference: URL:http://seclists.org/bugtraq/2001/Jan/0264.html
Reference: BUGTRAQ:20010117 Re: Invalid WINS entries
Reference: URL:http://seclists.org/bugtraq/2001/Jan/0276.html
Reference: BUGTRAQ:20010117 Re: Invalid WINS entries
Reference: URL:http://seclists.org/bugtraq/2001/Jan/0274.html
Reference: BUGTRAQ:20010118 Re: Invalid WINS entries
Reference: URL:http://seclists.org/bugtraq/2001/Jan/0289.html
Reference: BUGTRAQ:20010118 Re: Invalid WINS entries
Reference: URL:http://seclists.org/bugtraq/2001/Jan/0271.html
Reference: BUGTRAQ:20010119 Re: Invalid WINS entries
Reference: URL:http://seclists.org/bugtraq/2001/Jan/0298.html
Reference: MISC:https://www2.sans.org/reading_room/whitepapers/win2k/185.php
Reference: BID:2221
Reference: URL:http://www.securityfocus.com/bid/2221

Windows Internet Naming Service (WINS) allows remote attackers to cause a denial of service (connectivity loss) or steal credentials via a 1Ch registration that causes WINS to change the domain controller to point to a malicious server. NOTE: this problem may be limited when Windows 95/98 clients are used, or if the primary domain controller becomes unavailable.
Current Votes:
   None (candidate not yet proposed)

======================================================
Name: CVE-1999-1594
Status: Candidate
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-1999-1594
Phase: Assigned (20120104)
Category:

** RESERVED ** This candidate has been reserved by an organization or individual that will use it when announcing a new security problem. When the candidate has been publicized, the details for this candidate will be provided.

Current Votes:
   None (candidate not yet proposed)

======================================================
Name: CVE-1999-1595
Status: Candidate
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-1999-1595
Phase: Assigned (20120104)
Category:

** RESERVED ** This candidate has been reserved by an organization or individual that will use it when announcing a new security problem. When the candidate has been publicized, the details for this candidate will be provided.

Current Votes:
   None (candidate not yet proposed)

======================================================
Name: CVE-1999-1596
Status: Candidate
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-1999-1596
Phase: Assigned (20120104)
Category:

** RESERVED ** This candidate has been reserved by an organization or individual that will use it when announcing a new security problem. When the candidate has been publicized, the details for this candidate will be provided.

Current Votes:
   None (candidate not yet proposed)

======================================================
Name: CVE-1999-1597
Status: Candidate
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-1999-1597
Phase: Assigned (20120104)
Category:

** RESERVED ** This candidate has been reserved by an organization or individual that will use it when announcing a new security problem. When the candidate has been publicized, the details for this candidate will be provided.
Current Votes:
   None (candidate not yet proposed)

======================================================
Name: CVE-1999-1598
Status: Candidate
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-1999-1598
Phase: Assigned (20120104)
Category:

** RESERVED ** This candidate has been reserved by an organization or individual that will use it when announcing a new security problem. When the candidate has been publicized, the details for this candidate will be provided.

Current Votes:
   None (candidate not yet proposed)

======================================================
Name: CVE-2000-0005
Status: Candidate
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2000-0005
Phase: Modified (20090302)
Category: SF
Reference: BUGTRAQ:19991230 aserver.sh
Reference: BUGTRAQ:20000102 HPUX Aserver revisited.
Reference: HP:HPSBUX0001-108
Reference: OVAL:oval:org.mitre.oval:def:5635
Reference: URL:http://oval.mitre.org/repository/data/getDef?id=oval:org.mitre.oval:def:5635
Reference: XF:hp-aserver

HP-UX aserver program allows local users to gain privileges via a symlink attack.

Current Votes:
   ACCEPT(3) Armstrong, Baker, Stracener
   MODIFY(1) Frech
   RECAST(1) Christey
   REVIEWING(1) Levy

Voter Comments:
Christey> BUGTRAQ:20000102 "HPUX Aserver revisited." indicates that two different versions of aserver have symlink problems, but with different files. So CD:SF-LOC says we should split this.
Frech> XF:hp-aserver
Christey> BID:1928 and BID:1930? Which one is being described in this candidate?
Christey> BID:1930

======================================================
Name: CVE-2000-0008
Status: Candidate
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2000-0008
Phase: Proposed (20000111)
Category: SF/CF/MP/SA/AN/unknown
Reference: BUGTRAQ:19991227 FTPPro insecuities

FTPPro allows local users to read sensitive information, which is stored in plain text.
Current Votes:
   ACCEPT(3) Armstrong, Baker, Stracener
   MODIFY(1) Frech
   NOOP(1) Christey
   REVIEWING(1) Levy

Voter Comments:
Frech> XF:ftppro-plaintext-information
Christey> ADDREF BID:1790
  ADDREF URL:http://www.securityfocus.com/bid/1790

======================================================
Name: CVE-2000-0016
Status: Candidate
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2000-0016
Phase: Proposed (20000111)
Category: SF
Reference: NTBUGTRAQ:19991001 Vulnerabilities in the Internet Anywhere Mail Server
Reference: BUGTRAQ:19991227 Remote DoS/Access Attack in Internet Anywhere Mail Server(POP 3) v2.3.1
Reference: BID:730
Reference: URL:http://www.securityfocus.com/bid/730

Buffer overflow in Internet Anywhere POP3 Mail Server allows remote attackers to cause a denial of service or execute commands via a long username.

Current Votes:
   ACCEPT(4) Armstrong, Baker, Levy, Stracener
   MODIFY(1) Frech

Voter Comments:
Frech> XF:iams-pop3-command-dos

======================================================
Name: CVE-2000-0017
Status: Candidate
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2000-0017
Phase: Proposed (20000111)
Category: SF
Reference: BUGTRAQ:19991221 (Possible) Linuxconf Remote Buffer Overflow Vulnerability

Buffer overflow in Linux linuxconf package allows remote attackers to gain root privileges via a long parameter.

Current Votes:
   NOOP(4) Armstrong, Baker, Christey, Stracener
   REJECT(2) Frech, Levy

Voter Comments:
Christey> It's not certain whether this is exploitable or not. An expert (the linuxconf author?) wasn't able to duplicate the bug - see
  http://lwn.net/1999/1223/a/linuxconfresponse.html
  The original posting with example exploit was
  http://marc.theaimsgroup.com/?l=bugtraq&m=94580196627059&w=2
  However - GIAC and the Security Focus incidents list have consistently reported that scans are taking place for linuxconf, so do the hackers know more than we do?
Frech> Unless vendor or other confirmation occurs, there has been no corroboration of this issue in public forums.
CHANGE> [Armstrong changed vote from ACCEPT to NOOP]

======================================================
Name: CVE-2000-0019
Status: Candidate
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2000-0019
Phase: Proposed (20000111)
Category: SF
Reference: BUGTRAQ:19991221 [w00giving '99 #11] IMail's password encryption scheme

IMail POP3 daemon uses weak encryption, which allows local users to read files.

Current Votes:
   ACCEPT(3) Armstrong, Baker, Stracener
   MODIFY(2) Frech, Levy
   NOOP(1) Christey

Voter Comments:
Frech> XF:imail-passwords
Levy> BID 880
Christey> BUGTRAQ:19990304 IMAIL password recovery is trivial.
  http://www.securityfocus.com/archive/1/12750
Christey> Add version numbers (5.0 through 5.08)

======================================================
Name: CVE-2000-0021
Status: Candidate
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2000-0021
Phase: Modified (20060616)
Category: SF/CF/MP/SA/AN/unknown
Reference: BUGTRAQ:19991221 serious Lotus Domino HTTP denial of service
Reference: BUGTRAQ:19991227 Re: Lotus Domino HTTP denial of service attack
Reference: BID:881
Reference: URL:http://www.securityfocus.com/bid/881

Lotus Domino HTTP server allows remote attackers to determine the real path of the server via a request to a non-existent script in /cgi-bin.
Current Votes:
   ACCEPT(3) Armstrong, Baker, Stracener
   MODIFY(2) Frech, Levy
   NOOP(1) Christey

Voter Comments:
Frech> XF:http-cgi-lotus-domino
Levy> BID 881
Christey> BID:881

======================================================
Name: CVE-2000-0028
Status: Candidate
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2000-0028
Phase: Modified (20000626-01)
Category: SF
Reference: BUGTRAQ:19991222 IE 5.01 vulnerabilities in external.NavigateAndFind()
Reference: XF:ie-navigateandfind

Internet Explorer 5.0 and 5.01 allows remote attackers to bypass the cross frame security policy and read files via the external.NavigateAndFind function.

Current Votes:
   ACCEPT(2) Armstrong, Stracener
   MODIFY(2) Frech, Levy
   NOOP(1) Baker
   RECAST(1) LeBlanc
   REVIEWING(1) Christey

Voter Comments:
Frech> XF:ie-navigateandfind
Christey> May be a duplicate of CVE-2000-0465 according to my communications with Microsoft people. CVE-2000-0266 may also be a variant.
Levy> BID 887
LeBlanc> duplicate

======================================================
Name: CVE-2000-0035
Status: Candidate
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2000-0035
Phase: Proposed (20000111)
Category: SF
Reference: BUGTRAQ:19991228 majordomo local exploit
Reference: BUGTRAQ:20000113 Info on some security holes reported against SCO Unixware.
Reference: URL:http://marc.theaimsgroup.com/?l=bugtraq&m=94780294009285&w=2
Reference: BID:902
Reference: URL:http://www.securityfocus.com/bid/902

resend command in Majordomo allows local users to gain privileges via shell metacharacters.

Current Votes:
   ACCEPT(3) Baker, Levy, Stracener
   MODIFY(2) Cox, Frech
   NOOP(1) Armstrong
   REVIEWING(1) Christey

Voter Comments:
Frech> XF:majordomo-local-resend
Christey> The Bugtraq thread indicates that this problem may be due to misconfiguration, and may extend beyond just the resend command.
CHANGE> [Armstrong changed vote from REVIEWING to NOOP]
Christey> Include "wrapper" to facilitate search and matching?
  (but double-check CVE-2000-0037). Add "1.94.4 and earlier" as the affected version number.
  ADDREF AUSCERT:AA-2000.01
  ftp://ftp.auscert.org.au/pub/auscert/advisory/AA-2000.01
Cox> ADDREF REDHAT:RHSA-2000:005

======================================================
Name: CVE-2000-0038
Status: Candidate
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2000-0038
Phase: Proposed (20000111)
Category: CF
Reference: BUGTRAQ:19991223 Multiple vulnerabilites in glFtpD (current versions)

glFtpD includes a default glftpd user account with a default password and a UID of 0.

Current Votes:
   ACCEPT(2) Armstrong, Stracener
   MODIFY(2) Frech, Levy
   NOOP(1) Baker

Voter Comments:
Frech> XF:glftpd-default-account
Levy> BID 881

======================================================
Name: CVE-2000-0046
Status: Candidate
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2000-0046
Phase: Modified (20000204-01)
Category: SF
Reference: BID:929
Reference: URL:http://www.securityfocus.com/bid/929
Reference: BUGTRAQ:20000111 ICQ Buffer Overflow Exploit
Reference: XF:icq-url-bo

Buffer overflow in ICQ 99b 1.1.1.1 client allows remote attackers to execute commands via a malformed URL within an ICQ message.

Current Votes:
   ACCEPT(2) Baker, Williams
   MODIFY(1) Frech

Voter Comments:
Frech> ADDREF XF:icq-url-bo

======================================================
Name: CVE-2000-0047
Status: Candidate
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2000-0047
Phase: Modified (20000202-01)
Category: SF
Reference: BUGTRAQ:20000117 Yahoo Pager/Messanger Buffer Overflow
Reference: XF:yahoo-messenger-pager-dos

Buffer overflow in Yahoo Pager/Messenger client allows remote attackers to cause a denial of service via a long URL within a message.
Current Votes:
   ACCEPT(2) Baker, Frech
   NOOP(1) Williams

======================================================
Name: CVE-2000-0049
Status: Candidate
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2000-0049
Phase: Modified (20071115)
Category: SF
Reference: NTBUGTRAQ:20000107 Winamp buffer overflow advisory
Reference: BUGTRAQ:20000109 Buffer overflow with WinAmp 2.10
Reference: BID:925
Reference: URL:http://www.securityfocus.com/bid/925
Reference: OSVDB:12022
Reference: URL:http://www.osvdb.org/12022
Reference: XF:winamp-playlist-bo

Buffer overflow in Winamp client allows remote attackers to execute commands via a long entry in a .pls file.

Current Votes:
   ACCEPT(2) Cole, Wall
   MODIFY(2) Baker, Frech
   REVIEWING(1) Christey

Voter Comments:
Frech> XF:winamp-playlist-bo
Christey> This may have been discovered earlier in:
  BUGTRAQ:19990512 Buffer overflow in WinAMP 2.x
  URL:http://marc.theaimsgroup.com/?l=bugtraq&m=92662988700367&w=2
  See the following for possible confirmation:
  URL:http://www.winamp.com/getwinamp/newfeatures.jhtml
Wall> This vulnerability has been seen in several versions of Winamp and part of ISS X-Force and SecuriTeam vulnerability checks.
CHANGE> [Christey changed vote from NOOP to REVIEWING]
Baker> The old confirm url doesn't work any more... I am not sure where we can get the old changelog/error list.

======================================================
Name: CVE-2000-0054
Status: Candidate
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2000-0054
Phase: Proposed (20000125)
Category: SF
Reference: BUGTRAQ:20000104 Another search.cgi vulnerability
Reference: BID:921
Reference: URL:http://www.securityfocus.com/bid/921

search.cgi in the SolutionScripts Home Free package allows remote attackers to view directories via a .. (dot dot) attack.
Current Votes:
   MODIFY(1) Frech

Voter Comments:
Frech> XF:http-cgi-homefree-search

======================================================
Name: CVE-2000-0055
Status: Candidate
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2000-0055
Phase: Proposed (20000125)
Category: SF
Reference: BUGTRAQ:20000106 [Hackerslab bug_paper] Solaris chkperm buffer overflow
Reference: BID:918
Reference: URL:http://www.securityfocus.com/bid/918

Buffer overflow in Solaris chkperm command allows local users to gain root access via a long -n option.

Current Votes:
   MODIFY(2) Baker, Frech
   NOOP(1) Dik

Voter Comments:
Frech> XF:sol-chkperm-bo(3870)
Dik> chkperm runs set-uid bin, so initially the access granted will be user bin, not root. (Though bin access can easily be leveraged to root access, less so in Solaris 8+) Also, there is reason to believe this bug is not exploitable; the buffer overflown is declared in the stack in main(); yet, the program never returns from main() but calls exit instead so any damage to return addresses is never noticed.
Baker> Maybe the details from Caspar could be included, or modify the description somewhat

======================================================
Name: CVE-2000-0058
Status: Candidate
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2000-0058
Phase: Proposed (20000125)
Category: SF
Reference: BUGTRAQ:20000105 Handspring Visor Network HotSync Security Hole
Reference: URL:http://www.security-express.com/archives/bugtraq/2000-01/0085.html
Reference: BID:920
Reference: URL:http://www.securityfocus.com/bid/920

Network HotSync program in Handspring Visor does not have authentication, which allows remote attackers to retrieve email and files.

Current Votes:
   MODIFY(2) Baker, Frech
   NOOP(1) Christey

Voter Comments:
Frech> XF:handspring-visor-auth(3873)
  Consider removing the security-express.com reference, since it is identical to the BugTraq reference.
  The BugTraq reference is (hopefully) not going to disappear soon, and the security-express.com reference provides no new or additional information.
Christey> URLs will begin to be included with candidates to support Board members' voting activities. They will be converted to the generalized reference format when/if the candidate is ACCEPTed and becomes an official entry.
Christey> The problem may not be a lack of authentication (as mentioned by the poster), but rather weak authentication (the apparent need to provide the same username).
Baker> Modify description to indicate the weak authentication

======================================================
Name: CVE-2000-0059
Status: Candidate
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2000-0059
Phase: Proposed (20000125)
Category: SF
Reference: BUGTRAQ:20000103 PHP3 safe_mode and popen()
Reference: BID:911
Reference: URL:http://www.securityfocus.com/bid/911

PHP3 with safe_mode enabled does not properly filter shell metacharacters from commands that are executed by popen, which could allow remote attackers to execute commands.

Current Votes:
   ACCEPT(1) Baker
   MODIFY(1) Frech
   NOOP(1) Christey

Voter Comments:
Frech> XF:php3-popen-execute(3900)
Christey> CONFIRM:http://www.php.net/ChangeLog.php3
  Section dated January 11, 2000 says: "Fix safe-mode problem in popen() (Kristian)"

======================================================
Name: CVE-2000-0061
Status: Candidate
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2000-0061
Phase: Proposed (20000125)
Category: SF
Reference: BUGTRAQ:20000107 IE 5 security vulnerablity - circumventing Cross-frame security policy and accessing the DOM of "old" documents.
Reference: BID:923
Reference: URL:http://www.securityfocus.com/bid/923

Internet Explorer 5 does not modify the security zone for a document that is being loaded into a window until after the document has been loaded, which could allow remote attackers to execute Javascript in a different security context while the document is loading.

Current Votes:
   MODIFY(2) Frech, LeBlanc
   NOOP(1) Baker
   REJECT(1) Christey

Voter Comments:
Frech> XF:ie-cross-frame-docs(3901)
LeBlanc> - I'd like to see a KB or bulletin referenced
Christey> This is a duplicate of CVE-2000-0156. The FAQ at http://www.microsoft.com/technet/security/bulletin/fq00-009.asp says "the vulnerability requires Active Scripting" and "it is possible, under very specific conditions, to violate IE's cross-domain security model." Also says "the redirect is made, via the HTML tag". Need to copy these references over to CVE-2000-0156.

======================================================
Name: CVE-2000-0066
Status: Candidate
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2000-0066
Phase: Proposed (20000125)
Category: SF
Reference: BUGTRAQ:20000112 WebSitePro/2.3.18 is revealing Webdirectories

WebSite Pro allows remote attackers to determine the real pathname of webdirectories via a malformed URL request.

Current Votes:
   ACCEPT(2) Baker, Williams
   MODIFY(1) Frech
   NOOP(1) Christey

Voter Comments:
Frech> XF:website-pro-dir-path
Christey> ADDREF BUGTRAQ:20000113 Re: WebSitePro/2.3.18 + 2.4.9 is revealing Webdirectories
  URL:http://www.securityfocus.com/archive/1/41798
  Also BID:932

======================================================
Name: CVE-2000-0067
Status: Candidate
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2000-0067
Phase: Proposed (20000125)
Category: SF
Reference: BUGTRAQ:20000112 CyberCash MCK 3.2.0.4: Large /tmp hole

CyberCash Merchant Connection Kit (MCK) allows local users to modify files via a symlink attack.
Current Votes:
   ACCEPT(2) Baker, Williams
   MODIFY(1) Frech

Voter Comments:
Frech> XF:cybercash-mck-tmp(3823)

======================================================
Name: CVE-2000-0068
Status: Candidate
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2000-0068
Phase: Proposed (20000125)
Category: SF
Reference: BUGTRAQ:20000104 [rootshell] Security Bulletin #27
Reference: URL:http://marc.theaimsgroup.com/?l=bugtraq&m=94704437920965&w=2

daynad program in Intel InBusiness E-mail Station does not require authentication, which allows remote attackers to modify its configuration, delete files, or read mail.

Current Votes:
   MODIFY(1) Frech

Voter Comments:
Frech> XF:intel-email-unauthenticate-users

======================================================
Name: CVE-2000-0069
Status: Candidate
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2000-0069
Phase: Proposed (20000125)
Category: SF
Reference: BUGTRAQ:20000104 Security problem with Solstice Backup/Legato Networker recover command

The recover program in Solstice Backup allows local users to restore sensitive files.

Current Votes:
   MODIFY(1) Frech

Voter Comments:
Frech> XF:solstice-backup-restore-files(3904)

======================================================
Name: CVE-2000-0071
Status: Candidate
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2000-0071
Phase: Proposed (20000125)
Category: SF
Reference: BUGTRAQ:20000111 IIS still revealing paths for web directories
Reference: URL:http://marc.theaimsgroup.com/?l=bugtraq&m=94770020309953&w=2
Reference: BUGTRAQ:20000113 SV: IIS still revealing paths for web directories
Reference: URL:http://marc.theaimsgroup.com/?l=bugtraq&m=94780058006791&w=2

IIS 4.0 allows a remote attacker to obtain the real pathname of the document root by requesting non-existent files with .ida or .idq extensions.
Current Votes:
   ACCEPT(2) LeBlanc, Levy
   MODIFY(1) Frech
   NOOP(1) Baker
   REJECT(1) Christey

Voter Comments:
Frech> XF:iis-ida-idq-paths
Christey> Consider adding:
  ADDREF BID:1065
  BUGTRAQ:20000309 Enumerate Root Web Server Directory Vulnerability for IIS 4.0
  Are there really 2 different threads on the same problem? Also consider XF:iis-root-enum
  May also be a dupe of CVE-1999-0450 (BID:194)
CHANGE> [Christey changed vote from NOOP to REVIEWING]
Christey> Appears to be a duplicate of CVE-2000-0098. Confirm with Microsoft, and if it is a duplicate, then REJECT this candidate.
CHANGE> [Christey changed vote from REVIEWING to REJECT]
Christey> Confirmed duplicate by Microsoft.
Christey> iis-ida-idq-paths(4346) is obsolete; ensure http-indexserver-path(3890) is added to CVE-2000-0098.

======================================================
Name: CVE-2000-0074
Status: Candidate
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2000-0074
Phase: Proposed (20000125)
Category: SF
Reference: BUGTRAQ:20000111 PowerScripts PlusMail Vulnerablity

PowerScripts PlusMail CGI program allows remote attackers to execute commands via a password file with improper permissions.

Current Votes:
   ACCEPT(1) Baker
   MODIFY(1) Frech
   NOOP(2) Christey, Williams

Voter Comments:
Frech> XF:plusmail-password-permissions
Christey> Re-read the Bugtraq post to make sure the problem is described properly. The advisory itself is vague as to the nature of the problem, and the exploit doesn't help clarify too much.
Christey> Consider adding BID:2653

======================================================
Name: CVE-2000-0077
Status: Candidate
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2000-0077
Phase: Modified (20090302)
Category: SF
Reference: BUGTRAQ:20000102 HPUX Aserver revisited.
Reference: HP:HPSBUX0001-108
Reference: OVAL:oval:org.mitre.oval:def:5549
Reference: URL:http://oval.mitre.org/repository/data/getDef?id=oval:org.mitre.oval:def:5549

The October 1998 version of the HP-UX aserver program allows local users to gain privileges by specifying an alternate PATH which aserver uses to find the ps and grep commands.

Current Votes:
   MODIFY(2) Baker, Frech
   REVIEWING(1) Christey

Voter Comments:
Frech> ADDREF XF:hp-aserver
Christey> The Bugtraq posting does not mention specific versions. Is October 1998 equivalent to HP-UX 10.x?
CHANGE> [Christey changed vote from NOOP to REVIEWING]
Christey> BID:1929
  Make sure not dupes with CVE-2000-0005 and CVE-2000-0078.
Baker> Was the BID reference ever added to this one?

======================================================
Name: CVE-2000-0078
Status: Candidate
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2000-0078
Phase: Modified (20090302)
Category: SF
Reference: BUGTRAQ:20000102 HPUX Aserver revisited.
Reference: HP:HPSBUX0001-108
Reference: OVAL:oval:org.mitre.oval:def:5728
Reference: URL:http://oval.mitre.org/repository/data/getDef?id=oval:org.mitre.oval:def:5728

The June 1999 version of the HP-UX aserver program allows local users to gain privileges by specifying an alternate PATH which aserver uses to find the awk command.

Current Votes:
   ACCEPT(2) Baker, Prosser
   MODIFY(1) Frech
   REVIEWING(1) Christey

Voter Comments:
Frech> ADDREF XF:hp-aserver
Christey> The Bugtraq posting does not mention specific versions. Is June 1999 equivalent to HP-UX 10.x?
Prosser> The HP Bulletin (already ref'd) just specifies 10.x and 11.x OS versions running on HP9000 700/800 series. According to Tripp (bugtraq), the audio server doesn't run on a machine without Audio Hardware (logical).
  So one has to assume from the bulletin that any 9000 with audio hardware that is running a 10.x or 11.x version of OS with either the 98 or 99 version of Aserver loaded will be vulnerable to either the exploit in CVE-1999-0005 (the 98 version of Aserver) or CVE-2000-0078 (the 99 version) and should take appropriate action. No patches out from HP as of 10/2/2000 so either remove the program or tighten the permissions considerably.
CHANGE> [Christey changed vote from NOOP to REVIEWING]
Christey> BID:1929
  Make sure not dupes with CVE-2000-0005 and CVE-2000-0077.

======================================================
Name: CVE-2000-0079
Status: Candidate
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2000-0079
Phase: Proposed (20000125)
Category: SF
Reference: BUGTRAQ:20000118 Re: IIS still revealing paths for web directories
Reference: BID:936
Reference: URL:http://www.securityfocus.com/bid/936

The W3C CERN httpd HTTP server allows remote attackers to determine the real pathnames of some commands via a request for a nonexistent URL.

Current Votes:
   MODIFY(2) Baker, Frech
   NOOP(2) Christey, Williams
   RECAST(1) LeBlanc

Voter Comments:
Frech> XF:w3c-httpd-reveal-paths
LeBlanc> Title references IIS, vuln references W3C CERN httpd. Which one is broken?
Christey> The mention of CERN httpd was buried in a followup on a description of an IIS problem, so this is the correct reference.
Baker> Will the XF reference be added?

======================================================
Name: CVE-2000-0081
Status: Candidate
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2000-0081
Phase: Proposed (20000125)
Category: SF
Reference: BUGTRAQ:20000110 Yet another Hotmail security hole - injecting JavaScript using "jAvascript:"

Hotmail does not properly filter JavaScript code from a user's mailbox, which allows a remote attacker to execute the code by using hexadecimal codes to specify the javascript: protocol, e.g. jAvascript.
Current Votes:
   MODIFY(1) Frech
   REJECT(1) Baker

Voter Comments:
CHANGE> [Frech changed vote from REVIEWING to MODIFY]
Frech> XF:hotmail-vascript-java-injection

======================================================
Name: CVE-2000-0082
Status: Candidate
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2000-0082
Phase: Modified (20040901)
Category: SF
Reference: MISC:http://net4tv.com/voice/story.cfm?StoryID=1823
Reference: MISC:http://www.wired.com/news/technology/0,1282,33420,00.html
Reference: BUGTRAQ:20000104 The WebTV Email Exploit

WebTV email client allows remote attackers to force the client to send email without the user's knowledge via HTML.

Current Votes:
   MODIFY(1) Frech
   REJECT(1) Baker

Voter Comments:
CHANGE> [Frech changed vote from REVIEWING to MODIFY]
Frech> ADDREF XF:webtv-hijack-mail-forward

======================================================
Name: CVE-2000-0084
Status: Candidate
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2000-0084
Phase: Proposed (20000125)
Category: SF
Reference: BUGTRAQ:20000105 CuteFTP saved password 'encryption' weakness

CuteFTP uses weak encryption to store password information in its tree.dat file.

Current Votes:
   MODIFY(2) Baker, Frech
   NOOP(1) Christey

Voter Comments:
Frech> XF:cuteftp-weak-encrypt(3910)
Christey> BUGTRAQ:20010823 Re: Respondus v1.1.2 stores passwords using weak encryption
  URL:http://marc.theaimsgroup.com/?l=bugtraq&m=99861651923668&w=2
  This followup to a different thread mentions the sm.dat file for the site manager.
Baker> The reference from the Bugtraq mentions the sm.dat uses better encryption, but doesn't really address the tree.dat file.
======================================================
Name: CVE-2000-0085
Status: Candidate
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2000-0085
Phase: Proposed (20000125)
Category: SF
Reference: BUGTRAQ:20000103 Hotmail security hole - injecting JavaScript using
Reference: BUGTRAQ:20000104 Yet another Hotmail security hole - injecting JavaScript in IE using

Hotmail does not properly filter JavaScript code from a user's mailbox, which allows a remote attacker to execute code via the LOWSRC or DYNRC parameters in the IMG tag.

Current Votes:
   ACCEPT(1) Baker
   MODIFY(1) Frech

Voter Comments:
Frech> XF:hotmail-java-execute

======================================================
Name: CVE-2000-0086
Status: Candidate
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2000-0086
Phase: Proposed (20000125)
Category: SF
Reference: BUGTRAQ:20000116 TB2 Pro sending NT passwords cleartext
Reference: BID:935
Reference: URL:http://www.securityfocus.com/bid/935

Netopia Timbuktu Pro sends user IDs and passwords in cleartext, which allows remote attackers to obtain them via sniffing.

Current Votes:
   ACCEPT(2) Baker, Williams
   MODIFY(1) Frech

Voter Comments:
Frech> XF:timbuktu-password-cleartext

======================================================
Name: CVE-2000-0093
Status: Candidate
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2000-0093
Phase: Proposed (20000208)
Category: SF
Reference: BUGTRAQ:20000122 NIS security advisory : password method downgrade
Reference: BUGTRAQ:20000121 Rh 6.1 initial root password encryption

An installation of Red Hat uses DES password encryption with crypt() for the initial password, instead of md5.
Current Votes:
   ACCEPT(2) Baker, Cole
   MODIFY(1) Frech
   NOOP(1) Wall

Voter Comments:
Frech> XF:linux-initial-password-encryption

======================================================
Name: CVE-2000-0096
Status: Candidate
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2000-0096
Phase: Proposed (20000208)
Category: SF
Reference: BUGTRAQ:20000126 Qpopper security bug
Reference: BID:948
Reference: URL:http://www.securityfocus.com/bid/948

Buffer overflow in qpopper 3.0 beta versions allows local users to gain privileges via a long LIST command.

Current Votes:
   ACCEPT(2) Baker, Cole
   MODIFY(1) Frech
   NOOP(1) Wall

Voter Comments:
Frech> XF:qpopper-list-bo

======================================================
Name: CVE-2000-0101
Status: Candidate
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2000-0101
Phase: Proposed (20000208)
Category: SF
Reference: ISS:20000201 Form Tampering Vulnerabilities in Several Web-Based Shopping Cart Applications

The Make-a-Store OrderPage shopping cart application allows remote users to modify sensitive purchase information via hidden form fields.

Current Votes:
   ACCEPT(1) Baker
   MODIFY(1) Frech
   NOOP(1) Christey
   RECAST(1) Cole
   REVIEWING(1) Wall

Voter Comments:
Cole> I would combine all of these shopping cart applications into one listing, since they all have the same vulnerability being able to modify sensitive purchase information via hidden form fields. My concern is in cases like this we used over 10 entries for basically the same vulnerability. I could think of cases where there could be 20+ applications with the same vulnerability and in my opinion it could start to weaken the value of CVE where there are 30 entries all referring to the same thing. It is almost like we are playing the vendor game where more is better. I think we should go after the quality over quantity aspect.
Christey> I disagree with Eric here. This vulnerability is a "type" of problem in the same way that a buffer overflow is a "type" of problem.
  While the shopping cart application bugs were proposed mostly at the same time, they are all by different vendors. The raw numbers of applications with this problem can make it appear that CVE is artificially inflating the number of entries. However, content decisions such as CD:SF-LOC (different lines of code) dictate that these should be separated. It's not a "numbers game" but rather a principled and consistent approach to resolving problems with selecting a level of abstraction.
Frech> XF:shopping-cart-form-tampering

======================================================
Name: CVE-2000-0102
Status: Candidate
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2000-0102
Phase: Proposed (20000208)
Category: SF
Reference: ISS:20000201 Form Tampering Vulnerabilities in Several Web-Based Shopping Cart Applications

The SalesCart shopping cart application allows remote users to modify sensitive purchase information via hidden form fields.

Current Votes:
   ACCEPT(1) Baker
   MODIFY(1) Frech
   RECAST(1) Cole
   REVIEWING(1) Wall

Voter Comments:
Cole> See comments for CVE-2000-0101
Frech> XF:shopping-cart-form-tampering

======================================================
Name: CVE-2000-0103
Status: Candidate
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2000-0103
Phase: Proposed (20000208)
Category: SF
Reference: ISS:20000201 Form Tampering Vulnerabilities in Several Web-Based Shopping Cart Applications

The SmartCart shopping cart application allows remote users to modify sensitive purchase information via hidden form fields.
Current Votes:
   ACCEPT(1) Baker
   MODIFY(1) Frech
   RECAST(1) Cole
   REVIEWING(1) Wall

Voter Comments:
Cole> See comments for CVE-2000-0101
Frech> XF:shopping-cart-form-tampering

======================================================
Name: CVE-2000-0104
Status: Candidate
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2000-0104
Phase: Proposed (20000208)
Category: SF
Reference: ISS:20000201 Form Tampering Vulnerabilities in Several Web-Based Shopping Cart Applications

The Shoptron shopping cart application allows remote users to modify sensitive purchase information via hidden form fields.

Current Votes:
   ACCEPT(1) Baker
   MODIFY(1) Frech
   RECAST(1) Cole
   REVIEWING(1) Wall

Voter Comments:
Cole> See comments for CVE-2000-0101
Frech> XF:shopping-cart-form-tampering

======================================================
Name: CVE-2000-0105
Status: Candidate
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2000-0105
Phase: Proposed (20000208)
Category: SF
Reference: BUGTRAQ:20000201 Outlook Express 5 vulnerability - Active Scripting may read email messages
Reference: BID:962
Reference: URL:http://www.securityfocus.com/bid/962

Outlook Express 5.01 and Internet Explorer 5.01 allow remote attackers to view a user's email messages via a script that accesses a variable that references subsequent email messages that are read by the client.
Current Votes:
   ACCEPT(2) Cole, Wall
   MODIFY(1) Frech
   NOOP(1) Baker
   REVIEWING(1) Christey

Voter Comments:
Frech> email-active-script-html
Christey> Acknowledged via personal communication with Microsoft personnel, but I need to look through my email logs to recall whether they said that it is a duplicate of CVE-2000-0653
CHANGE> [Christey changed vote from NOOP to REVIEWING]

======================================================
Name: CVE-2000-0106
Status: Candidate
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2000-0106
Phase: Proposed (20000208)
Category: SF
Reference: ISS:20000201 Form Tampering Vulnerabilities in Several Web-Based Shopping Cart Applications

The EasyCart shopping cart application allows remote users to modify sensitive purchase information via hidden form fields.

Current Votes:
   ACCEPT(1) Baker
   MODIFY(1) Frech
   RECAST(1) Cole
   REVIEWING(1) Wall

Voter Comments:
Cole> See comments for CVE-2000-0101
Frech> XF:shopping-cart-form-tampering

======================================================
Name: CVE-2000-0108
Status: Candidate
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2000-0108
Phase: Proposed (20000208)
Category: SF
Reference: ISS:20000201 Form Tampering Vulnerabilities in Several Web-Based Shopping Cart Applications

The Intellivend shopping cart application allows remote users to modify sensitive purchase information via hidden form fields.
Current Votes:
   ACCEPT(1) Baker
   MODIFY(1) Frech
   RECAST(1) Cole
   REVIEWING(1) Wall

Voter Comments:
 Cole> See comments for CVE-2000-0101
 Frech> XF:shopping-cart-form-tampering

======================================================
Name: CVE-2000-0109
Status: Candidate
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2000-0109
Phase: Proposed (20000208)
Category: SF
Reference: BUGTRAQ:20000201 Security issues with S&P ComStock multiCSP (Linux)

The mcsp Client Site Processor system (MultiCSP) in Standard and Poor's ComStock is installed with several accounts that have no passwords or easily guessable default passwords.

Current Votes:
   ACCEPT(2) Cole, Levy
   MODIFY(1) Frech
   NOOP(3) Baker, Christey, Wall

Voter Comments:
 Christey> ADDREF BUGTRAQ:20000324 Security issues with S&P ComStock multiCSP (Linux)
   http://marc.theaimsgroup.com/?l=bugtraq&m=95422382625409&w=2
   Note: this posting was a repeat of the February 1 post, saying that the problem still hadn't been fixed.
 Frech> XF:comstock-multicsp-passwords
 Christey> ADDREF BID:1080
   URL:http://www.securityfocus.com/vdb/bottom.html?vid=1080

======================================================
Name: CVE-2000-0110
Status: Candidate
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2000-0110
Phase: Proposed (20000208)
Category: SF
Reference: ISS:20000201 Form Tampering Vulnerabilities in Several Web-Based Shopping Cart Applications

The WebSiteTool shopping cart application allows remote users to modify sensitive purchase information via hidden form fields.
Current Votes:
   ACCEPT(1) Baker
   MODIFY(1) Frech
   RECAST(1) Cole
   REVIEWING(1) Wall

Voter Comments:
 Cole> See comments for CVE-2000-0101
 Frech> XF:shopping-cart-form-tampering

======================================================
Name: CVE-2000-0114
Status: Candidate
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2000-0114
Phase: Proposed (20000208)
Category: SF
Reference: BUGTRAQ:20000203 2 MS Frontpage issues Cerberus Information Security Advisory (CISADV000203)

Frontpage Server Extensions allows remote attackers to determine the name of the anonymous account via an RPC POST request to shtml.dll in the /_vti_bin/ virtual directory.

Current Votes:
   ACCEPT(3) Baker, Cole, Wall
   MODIFY(1) Frech
   REVIEWING(1) Christey

Voter Comments:
 Frech> XF:iis-frontpage-info
 Christey> Acknowledged via personal communication with Microsoft personnel.
   May be the same as BID:1174 and/or BID:1433 (both mention FrontPage, but one mentions shtml.exe and another mentions shtml.dll)
 Christey> [note to self: review comments by Mark Burnett]
 CHANGE> [Christey changed vote from NOOP to REVIEWING]

======================================================
Name: CVE-2000-0115
Status: Candidate
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2000-0115
Phase: Proposed (20000208)
Category: SF
Reference: NTBUGTRAQ:20000121 Strange behaviour IIS and RegExp

IIS allows local users to cause a denial of service via invalid regular expressions in a Visual Basic script in an ASP page.

Current Votes:
   ACCEPT(1) Cole
   NOOP(1) Baker
   REJECT(2) Frech, LeBlanc
   REVIEWING(1) Wall

Voter Comments:
 Frech> This reference to NTBugtraq has a message that ends with "Can anyone reproduce this?", and there are no followups. This makes for a weak reference. There are also no other references listed for this CAN.
 LeBlanc> - no follow-ups, no KB article, no fix
 CHANGE> [Frech changed vote from REVIEWING to REJECT]

======================================================
Name: CVE-2000-0118
Status: Candidate
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2000-0118
Phase: Proposed (20000208)
Category: SF
Reference: BUGTRAQ:20000130 RedHat 6.1 /and others/ PAM
Reference: URL:http://marc.theaimsgroup.com/?l=bugtraq&m=94935300520617&w=2

The Red Hat Linux su program does not log failed password guesses if the su process is killed before it times out, which allows local attackers to conduct brute force password guessing.

Current Votes:
   ACCEPT(3) Baker, Cole, Levy
   MODIFY(1) Frech
   NOOP(1) Wall
   REVIEWING(1) Christey

Voter Comments:
 Frech> Is this the same issue as BugTraq Mailing List, Wed, 9 Jun 1999 14:07:27 -0700 "vulnerability in su/PAM in redhat" at
   http://www.netspace.org/cgi-bin/wa?A2=ind9906b&L=bugtraq&F=&S=&P=5356
   and "Solaris 2.5 /bin/su [was: vulnerability in su/PAM in redhat]" at
   http://www.netspace.org/cgi-bin/wa?A2=ind9906b&L=bugtraq&F=&S=&P=6051
   If so, then MODIFY XF:su-brute
 Christey> BID:320
   URL:http://www.securityfocus.com/vdb/bottom.html?vid=320
 CHANGE> [Frech changed vote from REVIEWING to MODIFY]
 Frech> XF:su-brute(2278)
   This issue involves more platforms than Red Hat. See BugTraq Mailing List, Thu Jun 10 1999 12:13:06, "Solaris 2.5 /bin/su [was: vulnerability in su/PAM in redhat]", http://www.securityfocus.com/archive/1/14854
 Christey> It does look like this is the same issue as the other Bugtraq post that explicitly mentions Red Hat and PAM.
 CHANGE> [Christey changed vote from NOOP to REVIEWING]

======================================================
Name: CVE-2000-0119
Status: Candidate
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2000-0119
Phase: Proposed (20000208)
Category: CF
Reference: BUGTRAQ:20000130 Bypass Virus Checking
Reference: URL:http://marc.theaimsgroup.com/?l=bugtraq&m=94936267131123&w=2

The default configurations for McAfee Virus Scan and Norton Anti-Virus virus checkers do not check files in the RECYCLED folder that is used by the Windows Recycle Bin utility, which allows attackers to store malicious code without detection.

Current Votes:
   ACCEPT(2) Cole, Wall
   MODIFY(1) Frech
   NOOP(1) Baker
   REVIEWING(1) Christey

Voter Comments:
 Christey> ADDREF BID:956
   A followup post on Feb 8 by Paul L Schmehl claims that this would not work, because the anti-virus checkers would activate if the user attempts to execute the program.
 Frech> XF:win-trojan-detection-bypass
   Much earlier possible reference at NTBugtraq Mailing List, Wed, 22 Dec 1999 20:37:43 -0800, "Bypass Virus Checking under 95/98/NT" at
   http://www.ntbugtraq.com/default.asp?pid=36&sid=1&A2=ind9912&L=ntbugtraq&F=&S=&P=6030
 CHANGE> [Cole changed vote from REVIEWING to ACCEPT]
 Christey> NTBUGTRAQ:19991222 Bypass Virus Checking under 95/98/NT
   http://www.ntbugtraq.com/default.asp?pid=36&sid=1&A2=ind9912&L=ntbugtraq&F=&S=&P=6030

======================================================
Name: CVE-2000-0122
Status: Candidate
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2000-0122
Phase: Modified (20070607)
Category: SF
Reference: BUGTRAQ:20070603 CERN Image Map Dispatcher
Reference: URL:http://www.securityfocus.com/archive/1/archive/1/470458/100/0/threaded
Reference: NTBUGTRAQ:20000203 2 MS Frontpage issues Cerberus Information Security Advisory (CISADV000203)
Reference: BID:964
Reference: URL:http://www.securityfocus.com/bid/964
Reference: XF:frontpage-cern-information-disclosure(34719)
Reference: URL:http://xforce.iss.net/xforce/xfdb/34719

Frontpage Server Extensions allows remote attackers to determine the physical path of a virtual directory via a GET request to the htimage.exe CGI program.

Current Votes:
   ACCEPT(4) Baker, Cole, LeBlanc, Wall
   MODIFY(1) Frech
   NOOP(1) Christey

Voter Comments:
 Frech> XF:ms-frontpage-get-htimage
 Christey> It appears that this was rediscovered in April 18, 2000:
   BUGTRAQ:20000418 More vulnerabilities in FP
   URL:http://www.securityfocus.com/frames/?content=/templates/archive.pike%3Flist%3D1%26msg%3D38FCAC0C.869611C0%40hobbiton.org
   This in turn may match BID:1141
 Christey> According to Scott Culp of Microsoft, this was patched in MS:MS00-028.
 Christey> BID:1141 ??

======================================================
Name: CVE-2000-0123
Status: Candidate
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2000-0123
Phase: Proposed (20000208)
Category: SF
Reference: BUGTRAQ:20000203 Re: [xforce@iss.net: ISSalert: ISS E-Security Alert: Form Tampering Vulnerabilities in Several Web-Based Shopping Cart Applications]

The shopping cart application provided with Filemaker allows remote users to modify sensitive purchase information via hidden form fields.

Current Votes:
   ACCEPT(1) Baker
   MODIFY(1) Frech
   RECAST(1) Cole
   REVIEWING(1) Wall

Voter Comments:
 Cole> See comments for CVE-2000-0101
 Frech> XF:shopping-cart-form-tampering

======================================================
Name: CVE-2000-0124
Status: Candidate
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2000-0124
Phase: Proposed (20000208)
Category: SF
Reference: BUGTRAQ:20000203 surfCONTROL SuperScout v2.6.1.6 flaw
Reference: BID:965
Reference: URL:http://www.securityfocus.com/bid/965

surfCONTROL SuperScout does not properly asign a category to web sites with a . (dot) at the end, which may allow users to bypass web access restrictions.
Current Votes:
   MODIFY(2) Baker, Frech
   NOOP(2) Christey, Wall
   RECAST(1) Cole

Voter Comments:
 Cole> See comments for CVE-2000-0101
 Frech> XF:surfcontrol-superscout-bypass-filter(4009)
 Christey> Fix typo: "asign"
 Baker> Description still has typo asign instead of assign

======================================================
Name: CVE-2000-0125
Status: Candidate
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2000-0125
Phase: Proposed (20000208)
Category: SF
Reference: BUGTRAQ:20000203 RFP2K01 - "How I hacked Packetstorm" (wwwthreads advisory)
Reference: URL:http://www.securityfocus.com/templates/archive.pike?list=1&msg=Pine.LNX.4.10.10002031027120.15921-100000@eight.wiretrip.net
Reference: BID:967
Reference: URL:http://www.securityfocus.com/bid/967

wwwthreads does not properly cleanse numeric data or table names that are passed to SQL queries, which allows remote attackers to gain privileges for wwwthreads forums.

Current Votes:
   ACCEPT(2) Baker, Cole
   MODIFY(1) Frech
   NOOP(2) Christey, Wall

Voter Comments:
 Frech> XF:wwwthreads-sql-command-privs(4011)
 Christey> CONFIRM:http://www.wwwthreads.com/perl/showflat.pl?Cat=&Board=info&Number=9932&page=1&view=collapsed&sb=5

======================================================
Name: CVE-2000-0126
Status: Candidate
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2000-0126
Phase: Proposed (20000208)
Category: SF
Reference: BUGTRAQ:20000202 Alert: IIS 4 / IS 2 IDQ Cerberus Information Security Advisory (CISADV000202)
Reference: NTBUGTRAQ:20000202 Alert: IIS 4 / IS 2 IDQ Cerberus Information Security Advisory (CISADV000202)

Sample Internet Data Query (IDQ) scripts in IIS 3 and 4 allow remote attackers to read files via a .. (dot dot) attack.

Current Votes:
   ACCEPT(4) Baker, Cole, LeBlanc, Wall
   MODIFY(1) Frech
   REVIEWING(1) Christey

Voter Comments:
 Frech> XF:iis-dir-traversal-read
 Christey> This may be a variant of CVE-2000-0097 or CVE-2000-0098.
   MS:MS00-006 says that a new variant was announced on February 4, but that it only revealed the physical path. The post related to this CAN is dated February 2, but it describes the impact as being able to read files.
   See http://marc.theaimsgroup.com/?l=bugtraq&m=94972759912790&w=2
 Christey> According to Mark Burnett: "CISADV000202 [described] idq.dll and involving .idq files... IDQ files are vulnerable to a double-dot bug that allows files on the same partition as the web root to be viewed.... [This candidate] refers to the same MS00-006"
   ADDREF MS:MS00-006
   ADDREF BID:968 ?
 Frech> Change iis-dir-traversal-read(4014) to http-indexserver-view-files(4232)

======================================================
Name: CVE-2000-0129
Status: Candidate
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2000-0129
Phase: Proposed (20000208)
Category: SF
Reference: NTBUGTRAQ:20000204 Local / Remote D.o.S Attack in Serv-U FTP-Server v2.5b for Win9x/WinNT Vulnerability
Reference: BUGTRAQ:20000204 Local / Remote D.o.S Attack in Serv-U FTP-Server v2.5b for Win9x/WinNT Vulnerability
Reference: NTBUGTRAQ:20000204 Windows Api SHGetPathFromIDList Buffer Overflow
Reference: BUGTRAQ:20000204 Windows Api SHGetPathFromIDList Buffer Overflow

Buffer overflow in the SHGetPathFromIDList function of the Serv-U FTP server allows attackers to cause a denial of service by performing a LIST command on a malformed .lnk file.

Current Votes:
   ACCEPT(3) Baker, Blake, Cole
   MODIFY(2) Frech, Levy
   NOOP(2) Armstrong, Ozancin
   RECAST(1) Christey
   REVIEWING(1) Wall

Voter Comments:
 Frech> XF:win-shortcut-api-bo
   The real problem seems to be with the Windows API call, not the Serv-U FTP app. As the "Windows Api SHGetPathFromIDList Buffer Overflow" reference states, [The bug can] "cause whatever handles the shortcuts to crash." As a suggestion, rephrase the description from Windows's context, and state that the Serv-U FTP server is an example of an app that exhibits this problem.
 Wall> Comment: the original UssrLabs advisory does mention the SHGetPathFromIDList buffer overflow in a Windows API and that Serv-U FTP uses this API to cause the problem. The problem does not exist on Windows 2000. The solution seems to be in a new release of Serv-U FTP.
 Levy> BID 970
 Christey> Reports indicate that while the vulnerable function was found in Serv-U FTP server, the function is actually from Microsoft, and as such may affect other applications.
   XF:win-shortcut-api-bo
   BID:970

======================================================
Name: CVE-2000-0132
Status: Candidate
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2000-0132
Phase: Proposed (20000208)
Category: SF
Reference: BUGTRAQ:20000201 `Microsoft VM for Java' allows reading local files using `getSystemResourceAsStream'.
Reference: BID:957
Reference: URL:http://www.securityfocus.com/bid/957

Microsoft Java Virtual Machine allows remote attackers to read files via the getSystemResourceAsStream function.

Current Votes:
   ACCEPT(2) Cole, Wall
   NOOP(1) Baker
   REJECT(3) Christey, Frech, LeBlanc

Voter Comments:
 Frech> How is this different from MITRE:CVE-2000-0162, other than the fact that it has an MS advisory that's vague on the reason but has the same outcome, and this one mentions the getSystemResourceAsStream function?
 Christey> This is a duplicate of CVE-2000-0162, as confirmed via David LeBlanc. The descriptions of CVE-2000-0132 and CVE-2000-0162 were significantly different, as was the descriptive text of MS:MS00-011 and the original Bugtraq posting. So this duplicate wasn't picked up before.
   CVE-2000-0162 needs to be modified to include XF:virtual-machine-file-read as a reference.
 LeBlanc> Duplicate
 Christey> Ensure that CVE-2000-0162 uses msvm-java-file-read(4024) now, instead of virtual-machine-file-read(4577)
 Frech> If duplicate with CVE-2000-0098, shouldn't the references be moved over to the valid CVE number? Please advise.
 Christey> When CVE-2000-0132 is rejected, the references will be added to CVE-2000-0098.

======================================================
Name: CVE-2000-0133
Status: Candidate
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2000-0133
Phase: Proposed (20000208)
Category: SF
Reference: BUGTRAQ:20000201 Tiny FTPd 0.52 beta3 Buffer Overflow
Reference: BID:961
Reference: URL:http://www.securityfocus.com/bid/961

Buffer overflows in the Tiny FTPd 0.52 beta3 FTP server allow users to execute commands via the STOR, RNTO, MKD, XMKD, RMD, XRMD, APPE, SIZE, and RNFR commands.

Current Votes:
   ACCEPT(2) Baker, Cole
   MODIFY(1) Frech
   NOOP(1) Wall

Voter Comments:
 Frech> XF:tinyftp-command-overflow(4000)

======================================================
Name: CVE-2000-0134
Status: Candidate
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2000-0134
Phase: Proposed (20000208)
Category: SF
Reference: ISS:20000201 Form Tampering Vulnerabilities in Several Web-Based Shopping Cart Applications

The Check It Out shopping cart application allows remote users to modify sensitive purchase information via hidden form fields.

Current Votes:
   ACCEPT(1) Baker
   MODIFY(1) Frech
   RECAST(1) Cole
   REVIEWING(1) Wall

Voter Comments:
 Cole> See comments for CVE-2000-0101
 Frech> XF:shopping-cart-form-tampering

======================================================
Name: CVE-2000-0135
Status: Candidate
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2000-0135
Phase: Proposed (20000208)
Category: SF
Reference: ISS:20000201 Form Tampering Vulnerabilities in Several Web-Based Shopping Cart Applications

The @Retail shopping cart application allows remote users to modify sensitive purchase information via hidden form fields.
Current Votes:
   ACCEPT(1) Baker
   MODIFY(1) Frech
   RECAST(1) Cole
   REVIEWING(1) Wall

Voter Comments:
 Cole> See comments for CVE-2000-0101
 Frech> XF:shopping-cart-form-tampering

======================================================
Name: CVE-2000-0136
Status: Candidate
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2000-0136
Phase: Proposed (20000208)
Category: SF
Reference: ISS:20000201 Form Tampering Vulnerabilities in Several Web-Based Shopping Cart Applications

The Cart32 shopping cart application allows remote users to modify sensitive purchase information via hidden form fields.

Current Votes:
   ACCEPT(1) Baker
   MODIFY(1) Frech
   RECAST(1) Cole
   REVIEWING(1) Wall

Voter Comments:
 Cole> See comments for CVE-2000-0101
 Frech> XF:shopping-cart-form-tampering

======================================================
Name: CVE-2000-0137
Status: Candidate
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2000-0137
Phase: Proposed (20000208)
Category: SF
Reference: ISS:20000201 Form Tampering Vulnerabilities in Several Web-Based Shopping Cart Applications

The CartIt shopping cart application allows remote users to modify sensitive purchase information via hidden form fields.
Current Votes:
   ACCEPT(1) Baker
   MODIFY(1) Frech
   RECAST(1) Cole
   REVIEWING(1) Wall

Voter Comments:
 Cole> See comments for CVE-2000-0101
 Frech> XF:shopping-cart-form-tampering

======================================================
Name: CVE-2000-0138
Status: Candidate
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2000-0138
Phase: Modified (20130104-02)
Category: MP
Reference: CERT:CA-2000-01
Reference: CERT:IN-99-04
Reference: SUN:00193
Reference: ISS:20000209 Denial of Service Attack using the TFN2K and Stacheldraht programs
Reference: ISS:20000502 "mstream" Distributed Denial of Service Tool
Reference: URL:http://xforce.iss.net/alerts/advise48.php3
Reference: BUGTRAQ:19991206 Analysis of trin00
Reference: BUGTRAQ:19991206 Analysis of Tribe Flood Network
Reference: BUGTRAQ:19991229 Analysis of "stacheldraht"
Reference: BUGTRAQ:20000211 DDOS Attack Mitigation
Reference: BUGTRAQ:20000211 TFN2K - An Analysis
Reference: BUGTRAQ:20000211 A DDOS proposal.
Reference: BUGTRAQ:20000429 Source code to mstream, a DDoS tool
Reference: URL:http://marc.theaimsgroup.com/?l=bugtraq&m=95715370208598&w=2
Reference: BUGTRAQ:20000501 Re: Source code to mstream, a DDoS tool
Reference: URL:http://marc.theaimsgroup.com/?l=bugtraq&m=95722093124322&w=2

A system has a distributed denial of service (DDOS) attack master, agent, or zombie installed, such as (1) Trinoo, (2) Tribe Flood Network (TFN), (3) Tribe Flood Network 2000 (TFN2K), (4) stacheldraht, (5) mstream, or (6) shaft.

Current Votes:
   ACCEPT(2) Cole, Wall
   NOOP(4) Christey, Dik, Levy, Shostack
   RECAST(3) Baker, Meunier, Ziese
   REVIEWING(2) Bishop, Blake

Voter Comments:
 Christey> **********************************************************
   THIS CANDIDATE HAS GENERATED A LONG THREAD.
   SEE THE EDITORIAL BOARD ARCHIVES FOR DETAILS, BEGINNING AT
   http://cve.mitre.org/Board_Sponsors/archives/msg00590.html
   **********************************************************
 Ziese> I'd like to suggest that we consider not tying specifically to a DDOS tool. Instead, since we are at a higher abstraction level, that we make the class include those master/slave tool combinations that are used for malicious purposes (i.e. DDOS, data exfiltration, or whatever the appropriate classes of effect are). My concern is that (1) we treat all distributed attacks at the same abstract level; not just the DDOS ones. Second, if it is at a higher abstraction level then it seems right to unlimit it (by including master/slave combinations in general; not just the DDOS aspect).
 Meunier> I think that trinoo etc... are very similar to smurf attacks (CVE-1999-0513 ) in the sense that a third party allows itself to be used. Also, there is an obvious solution that can only be done by that third party. As for the CVE entry, I am considering whether the common entry point could be reduced to "egress filtering has not been implemented or has been disabled, allowing the sending of spoofed IP packets". Incidentally, this would prevent the use of decoys in port scans, etc... This single CVE entry would be very powerful. We could use the dot notation to list the DDoS tools and attacks that rely on the absence of egress filtering based on the argument that if you have egress filtering, nobody will bother to put or use DDoS tools on your computers. The weakness of this is that one could in theory still use DDoS tools even if you have egress filtering -- only they will be one shot guns, almost completely eliminating their appeal and effectiveness. One use, and they will be blocked, tracked down and destroyed efficiently.
   Pascal
   P.S.: I am attracted by the idea of starting an internet (fire)wall of shame, for people who haven't implemented egress filtering.
   It worked pretty well against sites allowing themselves to be used for smurf attacks (http://www.powertech.no/smurf/). Why not use the same strategy for egress filtering? Of course it's hard to know who is the source of IP spoofed packets. However the consistent detection of crud originating from a server is a sure sign that they haven't implemented egress filtering. For example (my first candidate to this wall of shame), this weekend the Linux suse ftp server sent many packets with an illegal ip address as source, one reserved for local area networks, upon making an ftp connection (it may still be doing it, I haven't checked since -- the suse ftp admin mentioned that they were aware of it). It was easy to figure out it was them by repeating the ftp connections and observing the 100% reproducibility and time correlation of the extraneous packets. In addition, the suse servers kept sending me crud for *hours* after a failed attempt to download their PPC beta. The cost of egress filtering is easily justified. The argument is similar to those relating to pollution, except that people don't try to break into your car if you have removed the catalytic converter.
 Bishop> I need to think about the exact meaning of MP. I suspect I will agree with the classification, on an operational basis (meaning I may want to revisit it), but I want to think on it some more.
 Blake> I don't agree with Pascal that this is a filtering problem analogous to smurf. Rootkit is a better analogy. The DDoS software doesn't exploit any unique vulnerability directly. Its presence is entirely predicated on the existence of at least one other, easily exploited vulnerability. From the perspective of the system owner, this is just one of several backdoors that could be installed. Seems to me that the presence of a known backdoor package should be considered a vulnerability (or at least an exposure). I'm really torn on whether or not to split them out, though.
   My inclination is to group master and slave by package; i.e., trinoo master/slave, tfn master/slave, etc.
 Wall> Just to be consistent, you may add Trinoo (trin00) and does it matter if it is Tribal or Tribe? The original internal c program says Tribe Flood Network.
 Meunier> What they have in common is the use of an amplification mechanism. They are broadcasting (multicasting) to a (virtual private) network, which then amplifies the messages. In both cases, the amplification is done by the third party victim hosts. The difference is just that the network is virtual instead of physical.
   Scott, you are assuming that the people who have the tools installed are unwilling. Let's say theoretically speaking that there is an underground hacker group (or student association) who is hooked up to DSL lines (like in university residences) and who thinks that it would be "cool" to form an "army". How about a popular civil movement protesting something, like the WTO last summer? I think some people would voluntarily "enlist" their computers in a cause that would use DDoS attacks. The rootkit analogy does not hold, yet the DDoS attacks could be just as effective. However, if the university or ISPs implemented egress filtering, the DDoS attacks could be easily stopped because the people could be held accountable. The crux of the matter is the anonymity provided by IP spoofing.
   You are correct that in most cases, having a DDoS tool installed on your system is an exposure like rootkit. Maybe that deserves a CVE entry. However, I think that does not capture the nature of the DDoS, and that an entry about egress filtering is of utmost importance because it patches a fundamental vulnerability of IPv4.
 Blake> Excellent response, Pascal, thanks. I hadn't thought of people volunteering, but that's certainly a plausible scenario. Part of my motivation/thinking was a desire to stay away from making this into only yet another use for spoofed IP packets.
   I wholeheartedly agree that egress filtering is essential, but am reluctant to single out the recent DDoS events as the reason for it. I'd prefer to split out egress filtering as a separate CVE entry (on the theory that not using egress filtering constitutes an exposure -- at least to liability), rather than tying it to these entries.
 Levy> I agree with Scott for no other reason than there needs to be a CVE ID so that IDS systems can report these things. Are we going to start handing out CVE ids for low level design faults? E.g. lack of encryption at the IPv4 packet level? lack of resource allocation protocols? the use of DES instead of Triple DES? etc
 Shostack> Both excellent points, however, I'd like to add that even if people volunteer to host the tools, Trinoo and company allow the controlling attacker to hide activities, which counts as an exposure under http://cve.mitre.org/About_CVE/About/definition.html
 Cole> Even with all of the debate I accept this one.
 Christey> With respect to inclusion of design flaws in CVE, review http://cve.mitre.org/Board_Sponsors/archives/msg00602.html
   Other design flaws that have already been added to CVE include Smurf (CVE-1999-0513), Fraggle (CVE-1999-0514) and TCP sequence number prediction (CVE-1999-0077), although this last one may need to be RECAST to a lower level of abstraction.
 CHANGE> [Meunier changed vote from REVIEWING to RECAST]
 Meunier> In the sense that this is like a rootkit, then it is a duplicate of CVE-1999-0660, "A hacker utility or Trojan Horse is installed on a system, e.g. NetBus, Back Orifice, Rootkit, etc..." It should be recast as
   CVE-1999-0660.1 DDoS tools
   Other dot notations could indicate different effects of the tools.
 Dik> There doesn't seem to be much to add to the discussion.
 Baker> Concur that this is a hacker utility, and should be recast and merged with other backdoor programs that allow a hacker to control the activities of the system.
======================================================
Name: CVE-2000-0142
Status: Candidate
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2000-0142
Phase: Proposed (20000216)
Category: SF
Reference: BUGTRAQ:20000211 Timbuktu Pro 2.0b650 DoS

The authentication protocol in Timbuktu Pro 2.0b650 allows remote attackers to cause a denial of service via connections to port 407 and 1417.

Current Votes:
   ACCEPT(4) Bishop, Blake, Cole, LeBlanc
   MODIFY(2) Frech, Levy
   NOOP(2) Baker, Christey

Voter Comments:
 Frech> XF:timbuktu-auth-dos
 Levy> BID 984
 Christey> BUGTRAQ:20000412 Timbuktu DoS repaired by Netopia
   http://www.securityfocus.com/archive/1/54850
   BID:984

======================================================
Name: CVE-2000-0143
Status: Candidate
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2000-0143
Phase: Interim (20001011)
Category: SF
Reference: BUGTRAQ:20000211 sshd and pop/ftponly users incorrect configuration
Reference: XF:ssh-redirect-tcp-connection

The SSH protocol server sshd allows local users without shell access to redirect a TCP connection through a service that uses the standard system password database for authentication, such as POP or FTP.

Current Votes:
   ACCEPT(3) Blake, Cole, LeBlanc
   MODIFY(1) Frech
   NOOP(2) Baker, Bishop
   REJECT(1) Levy
   REVIEWING(1) Christey

Voter Comments:
 Frech> XF:ssh-redirect-tcp-connection
 CHANGE> [Cole changed vote from REVIEWING to ACCEPT]
 Christey> Examine the thread at http://marc.theaimsgroup.com/?l=bugtraq&m=95055978131077&w=2 to ensure that this problem is being characterized appropriately.
 Levy> SSH is working as designed. The fact that some of its interactions are not foreseen by some is not a vulnerability.
======================================================
Name: CVE-2000-0147
Status: Candidate
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2000-0147
Phase: Modified (20000321-01)
Category: CF
Reference: NAI:20000207 SNMPD default writable community string
Reference: URL:http://archives.neohapsis.com/archives/bugtraq/2000-02/0045.html
Reference: SCO:SB-00.04a
Reference: URL:ftp://ftp.sco.com/SSE/security_bulletins/SB-00.04a
Reference: BID:973
Reference: URL:http://www.securityfocus.com/bid/973

snmpd in SCO OpenServer has an SNMP community string that is writable by default, which allows local attackers to modify the host's configuration.

Current Votes:
   ACCEPT(5) Baker, Bishop, Blake, Cole, Levy
   MODIFY(1) Frech
   NOOP(1) LeBlanc

Voter Comments:
 Frech> XF:sco-openserver-snmpd

======================================================
Name: CVE-2000-0151
Status: Candidate
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2000-0151
Phase: Proposed (20000216)
Category: SF
Reference: SUSE:20000209 make-3.77-44
Reference: BID:981
Reference: URL:http://www.securityfocus.com/bid/981

GNU make follows symlinks when it reads a Makefile from stdin, which allows other local users to execute commands.

Current Votes:
   ACCEPT(3) Bishop, Blake, Levy
   MODIFY(1) Frech
   NOOP(3) Baker, Cole, LeBlanc
   REJECT(1) Christey

Voter Comments:
 Frech> XF:gnu-makefile-tmp-root
   (We have made assignment to two CANs. Requesting confirmation that this is not a duplicate of CVE-2000-0092: The BSD make program allows local users to modify files via a symlink attack when the -j option is being used.)
 Christey> To confirm Andre's question, this is being treated as different from CVE-2000-0092, based largely on the fact that the exploit is different.
   I believe there was another reason for keeping these distinct, but that "deeper analysis" was not recorded :-( While it's possible that this is the same bug from some common version of make, in the absence of other information we should probably keep these two split.
 CHANGE> [Christey changed vote from NOOP to REVIEWING]
 CHANGE> [Christey changed vote from REVIEWING to REJECT]
 Christey> Taking a fresh look at the diffs for FreeBSD make:
   ftp://ftp.freebsd.org/pub/FreeBSD/CERT/advisories/FreeBSD-SA-00:01.make.asc
   And Debian make:
   http://security.debian.org/dists/slink/updates/source/make_3.77-5slink.diff.gz
   OK... now that I've hurt my brain looking at the code, while there are major differences in the surrounding code, ultimately both FreeBSD and Debian create an "outfile" file descriptor for the temporary file, within main() in main.c. In addition, child_execute_job() in job.c uses an outfile variable - for both sources. Perhaps FreeBSD reported the -j problem without seeing that it could come in from stdin as well, and/or Debian/etc. didn't realize that it was exploitable from job control, or maybe a combination of the two. Regardless, the two problems are the same.
   Phew! There goes a half-hour of my life that I'll never be able to get back...

======================================================
Name: CVE-2000-0153
Status: Candidate
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2000-0153
Phase: Proposed (20000223)
Category: SF
Reference: BUGTRAQ:20000216 Doubledot bug in FrontPage FrontPage Personal Web Server.
Reference: URL:http://www.securityfocus.com/templates/archive.pike?list=1&date=2000-02-15&msg=000801bf780a$9ad4b2e0$0100007f@localhost
Reference: BID:989
Reference: URL:http://www.securityfocus.com/bid/989

FrontPage Personal Web Server (PWS) allows remote attackers to read files via a .... (dot dot) attack.
Current Votes: ACCEPT(3) Cole, Levy, Wall MODIFY(1) Frech NOOP(2) Baker, Christey REJECT(1) LeBlanc Voter Comments: LeBlanc> I think this is the same as http://www.microsoft.com/technet/security/bulletin/ms99-010.asp If that is true, and you already have it logged, we don't want to have an entry for the same bug. Christey> MS:MS99-010 describes CVE-1999-0386. Are there sufficient details to ensure that this is the same problem? See http://www.securityfocus.com/templates/archive.pike?list=1&msg=01bae51a$9ab232b0$0100007f@nordnode Frech> XF:pws-file-access (We currently have this issue assigned to this CAN and to CVE-1999-0386. I see that others have similar concerns that this is a duplicate; please confirm on current status of this candidate.) Christey> [note to self: review comments by Mark Burnett] ====================================================== Name: CVE-2000-0154 Status: Candidate URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2000-0154 Phase: Modified (20000403-01) Category: SF Reference: NAI:20000215 ARCserve symlink vulnerability Reference: URL:http://www.securityfocus.com/templates/archive.pike?list=1&date=2000-02-15&msg=000101bf78af$94528870$4d2f45a1@jmagdych.na.nai.com Reference: BID:988 Reference: URL:http://www.securityfocus.com/bid/988 Reference: MISC:http://www.sco.com/security/ The ARCserve agent in UnixWare allows local attackers to modify arbitrary files via a symlink attack. Current Votes: ACCEPT(1) Cole NOOP(3) Baker, LeBlanc, Wall REJECT(3) Christey, Frech, Levy Voter Comments: Christey> DUPE CVE-2000-0224 Frech> DUPE MITRE:CVE-2000-0224; XF:sco-openserver-arc-symlink Recommend moving BID reference to CVE-2000-0224. 
====================================================== Name: CVE-2000-0155 Status: Candidate URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2000-0155 Phase: Proposed (20000223) Category: SF Reference: BUGTRAQ:20000218 AUTORUN.INF Vulnerability Reference: URL:http://www.securityfocus.com/templates/archive.pike?list=1&date=2000-02-15&msg=000701bf79cd$fdb5a620$4c4342a6@mightye.org Reference: BID:993 Reference: URL:http://www.securityfocus.com/bid/993 Windows NT Autorun executes the autorun.inf file on non-removable media, which allows local attackers to specify an alternate program to execute when other users access a drive. Current Votes: ACCEPT(4) Baker, Cole, Levy, Wall MODIFY(1) Frech REVIEWING(1) Christey Voter Comments: Frech> XF:nt-autorun-notdefault Christey> Consider: http://support.microsoft.com/support/kb/articles/Q155/2/17.asp http://support.microsoft.com/support/kb/articles/Q136/2/14.asp ====================================================== Name: CVE-2000-0158 Status: Candidate URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2000-0158 Phase: Modified (20000403-01) Category: SF Reference: NAI:20000215 Remote Vulnerability in the MMDF SMTP Daemon Reference: URL:http://www.securityfocus.com/templates/archive.pike?list=1&date=2000-02-15&msg=000001bf78af$6d0d47a0$4d2f45a1@jmagdych.na.nai.com Reference: BUGTRAQ:20000218 MMDF Reference: URL:http://www.securityfocus.com/templates/archive.pike?list=1&date=2000-02-15&msg=200002181449.JAA03436@dragonfly.corp.home.net Reference: SCO:SB-00.06a Reference: URL:ftp://ftp.sco.com/SSE/security_bulletins/SB-00.06a Reference: BID:997 Reference: URL:http://www.securityfocus.com/bid/997 Buffer overflow in MMDF server allows remote attackers to gain privileges via a long MAIL FROM command to the SMTP daemon. 
Current Votes: ACCEPT(3) Baker, Cole, Levy MODIFY(1) Frech NOOP(2) LeBlanc, Wall Voter Comments: Frech> XF:sco-mmdf-bo ====================================================== Name: CVE-2000-0160 Status: Candidate URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2000-0160 Phase: Modified (20000321-01) Category: SF Reference: BUGTRAQ:20000221 Microsoft signed software can be install software without prompting users Reference: URL:http://www.securityfocus.com/templates/archive.pike?list=1&date=2000-02-15&msg=20000221103938.T21312@securityfocus.com Reference: XF:win-active-setup The Microsoft Active Setup ActiveX component in Internet Explorer 4.x and 5.x allows a remote attacker to install software components without prompting the user by stating that the software's manufacturer is Microsoft. Current Votes: ACCEPT(4) Baker, LeBlanc, Levy, Wall MODIFY(1) Frech NOOP(1) Cole REVIEWING(1) Christey Voter Comments: Christey> In a followup to Bugtraq, Juan Carlos Cuartango makes some clarifications, specifically that the code that is executed *must* be signed by Microsoft. See BUGTRAQ:20000222 MS signed softwrare privileges Microsoft sends some followups, including a statement that it will include notification. The question is, does this belong in CVE? There is no known means of exploitation; on the other hand, it is related to privacy concerns. Several posts to the Bugtraq list indicate that some people believe that unprompted installation is a significant concern. Frech> XF:win-active-setup Levy> BID 999 I do consider this vulnerability as it allows a malicious web page to install *old* and *vulnerable* components signed by microsoft. LeBlanc> Fixed in MS00-042 Christey> BID:999 Also add XF:ie-active-setup-download ? 
====================================================== Name: CVE-2000-0163 Status: Candidate URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2000-0163 Phase: Proposed (20000223) Category: SF Reference: FREEBSD:FreeBSD-SA-00:03 Reference: URL:http://www.securityfocus.com/templates/advisory.html?id=2092 Reference: BID:996 Reference: URL:http://www.securityfocus.com/bid/996 asmon and ascpu in FreeBSD allow local users to gain root privileges via a configuration file. Current Votes: ACCEPT(3) Baker, Cole, Levy MODIFY(1) Frech NOOP(2) LeBlanc, Wall Voter Comments: Frech> XF:asmon-ascpu-execute-commands (Not sims-slapd-logfiles) ====================================================== Name: CVE-2000-0167 Status: Candidate URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2000-0167 Phase: Proposed (20000223) Category: SF Reference: NTBUGTRAQ:20000215 Crashing Inetinfo.exe by using a longfilename in the \mailroot\pickup directory Reference: URL:http://www.ntbugtraq.com/default.asp?pid=36&sid=1&A2=ind0002&L=ntbugtraq&F=&S=&P=8800 IIS Inetinfo.exe allows local users to cause a denial of service by creating a mail file with a long name and a .txt.eml extension in the pickup directory. Current Votes: ACCEPT(1) Cole MODIFY(1) Frech NOOP(1) Baker REVIEWING(4) Christey, LeBlanc, Levy, Wall Voter Comments: Frech> XF:iis-pickup-directory-dos Christey> BID:1819 URL:http://www.securityfocus.com/bid/1819 LeBlanc> Trying to get more info ====================================================== Name: CVE-2000-0173 Status: Candidate URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2000-0173 Phase: Proposed (20000322) Category: SF Reference: SCO:SB-00.08a Reference: URL:ftp://ftp.sco.com/SSE/security_bulletins/SB-00.08a Vulnerability in the EELS system in SCO UnixWare 7.1.x allows remote attackers to cause a denial of service. 
Current Votes: ACCEPT(3) Baker, Blake, Cole MODIFY(1) Frech NOOP(4) LeBlanc, Ozancin, Prosser, Wall REVIEWING(2) Christey, Levy Voter Comments: Prosser> Although SCO is reporting the problem, there is too little info available to make an informed decision. Unable to find anything anywhere on this. It is an events logging system, so one would assume that there is a way to fill up the log and cause a system halt, but no way of confirming this with limited information. Christey> Perhaps we should create a content decision, say CD:VAGUE-ACK, which says whether it's reasonable to ACCEPT vendor-acknowledged problems that do not provide any salient details, as in this candidate as well as several others. Cole> I researched this a little more and you can change my NOOP to an ACCEPT Frech> XF:sco-eels-dos ====================================================== Name: CVE-2000-0176 Status: Candidate URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2000-0176 Phase: Proposed (20000322) Category: SF/CF/MP/SA/AN/unknown Reference: BUGTRAQ:20000228 Serv-U FTP-Server v2.4a showing real path Reference: URL:http://archives.neohapsis.com/archives/bugtraq/2000-02/0417.html Reference: BID:1016 Reference: URL:http://www.securityfocus.com/bid/1016 The default configuration of Serv-U 2.5d and earlier allows remote attackers to determine the real pathname of the server by requesting a URL for a directory or file that does not exist. 
Current Votes: ACCEPT(4) Blake, Cole, Levy, Ozancin MODIFY(1) Frech NOOP(3) Baker, LeBlanc, Wall Voter Comments: Frech> XF:servu-ftp-server-path(4060) ====================================================== Name: CVE-2000-0177 Status: Candidate URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2000-0177 Phase: Proposed (20000322) Category: SF Reference: BUGTRAQ:20000302 DNSTools v1.08 has no input validation Reference: URL:http://archives.neohapsis.com/archives/bugtraq/2000-03/0000.html Reference: BID:1028 Reference: URL:http://www.securityfocus.com/bid/1028 DNSTools CGI applications allow remote attackers to execute arbitrary commands via shell metacharacters. Current Votes: ACCEPT(4) Blake, Cole, Levy, Ozancin MODIFY(1) Frech NOOP(3) Baker, LeBlanc, Wall Voter Comments: Frech> XF:dnstools-invalid-input(4876) ====================================================== Name: CVE-2000-0187 Status: Candidate URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2000-0187 Phase: Proposed (20000322) Category: SF Reference: BUGTRAQ:20000227 EZ Shopper 3.0 shopping cart CGI remote command execution Reference: URL:http://archives.neohapsis.com/archives/bugtraq/2000-02/0356.html Reference: BID:1014 Reference: URL:http://www.securityfocus.com/bid/1014 EZShopper 3.0 loadpage.cgi CGI script allows remote attackers to read arbitrary files via a .. (dot dot) attack or execute commands via shell metacharacters. Current Votes: ACCEPT(2) Levy, Ozancin MODIFY(1) Frech NOOP(6) Baker, Blake, Christey, Cole, LeBlanc, Wall Voter Comments: Christey> Since EZShopper is written in Perl, there is strong evidence that both the .. and metacharacter attack probably go through the same insecure open() call. (Perl's open can either read a regular file, or read piped output from a command that is specified to the open). 
Frech> XF:ezshopper-loadpage-cgi(4044) ====================================================== Name: CVE-2000-0188 Status: Candidate URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2000-0188 Phase: Proposed (20000322) Category: SF Reference: BUGTRAQ:20000227 EZ Shopper 3.0 shopping cart CGI remote command execution Reference: URL:http://archives.neohapsis.com/archives/bugtraq/2000-02/0356.html Reference: BID:1014 Reference: URL:http://www.securityfocus.com/bid/1014 EZShopper 3.0 search.cgi CGI script allows remote attackers to read arbitrary files via a .. (dot dot) attack or execute commands via shell metacharacters. Current Votes: ACCEPT(2) Levy, Ozancin MODIFY(1) Frech NOOP(6) Baker, Blake, Christey, Cole, LeBlanc, Wall Voter Comments: Christey> The exploit is different than CVE-2000-0187 by going through a different field in a different script, so maybe this should be kept separate, even though it's probably another open() call problem. Frech> XF:ezshopper-search-cgi(4045) ====================================================== Name: CVE-2000-0190 Status: Candidate URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2000-0190 Phase: Proposed (20000322) Category: SF Reference: BUGTRAQ:20000303 Aol Instant Messenger DoS vulnerability Reference: URL:http://archives.neohapsis.com/archives/bugtraq/2000-03/0016.html AOL Instant Messenger (AIM) client allows remote attackers to cause a denial of service via a message with a malformed ASCII value. 
Current Votes: ACCEPT(2) Blake, Cole MODIFY(1) Frech NOOP(3) Baker, LeBlanc, Ozancin REVIEWING(2) Levy, Wall Voter Comments: Frech> XF:aolim-malformed-ascii-dos(4877) ====================================================== Name: CVE-2000-0197 Status: Candidate URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2000-0197 Phase: Proposed (20000322) Category: SF Reference: NTBUGTRAQ:20000313 AT Jobs - Denial of serice/Privilege Elevation Reference: URL:http://archives.neohapsis.com/archives/ntbugtraq/current/0202.html Reference: BID:1050 Reference: URL:http://www.securityfocus.com/bid/1050 The Windows NT scheduler uses the drive mapping of the interactive user who is currently logged onto the system, which allows the local user to gain privileges by providing a Trojan horse batch file in place of the original batch file. Current Votes: ACCEPT(3) Baker, Cole, Levy MODIFY(1) Frech NOOP(2) Blake, Ozancin REJECT(1) LeBlanc REVIEWING(1) Wall Voter Comments: LeBlanc> this is just bad security practice, not a vulnerability Frech> XF:nt-at-drive-mappings ====================================================== Name: CVE-2000-0198 Status: Candidate URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2000-0198 Phase: Proposed (20000322) Category: SF/CF/MP/SA/AN/unknown Reference: NTBUGTRAQ:20000314 Local / Remote Multiples Remote DoS Attacks in MERCUR v3.2* for Windows 98/NT Vulnerability Reference: URL:http://archives.neohapsis.com/archives/ntbugtraq/current/0206.html Reference: BUGTRAQ:20000314 Local / Remote Multiples Remote DoS Attacks in MERCUR v3.2* for Windows 98/NT Vulnerability Reference: URL:http://archives.neohapsis.com/archives/bugtraq/current/0137.html Reference: BID:1051 Reference: URL:http://www.securityfocus.com/bid/1051 Buffer overflow in POP3 and IMAP servers in the MERCUR mail server suite allows remote attackers to cause a denial of service. 
Current Votes: ACCEPT(2) Levy, Ozancin MODIFY(1) Frech NOOP(5) Baker, Blake, Cole, LeBlanc, Wall Voter Comments: Frech> XF:mercur-login-dos The following don't seem to be correct: Reference: URL:http://archives.neohapsis.com/archives/ntbugtraq/current/0206.html Perhaps it is: http://archives.neohapsis.com/archives/ntbugtraq/2000-q1/0206.html Reference: URL:http://archives.neohapsis.com/archives/bugtraq/current/0137.html Perhaps it is: http://archives.neohapsis.com/archives/bugtraq/2000-03/0137.html ====================================================== Name: CVE-2000-0199 Status: Candidate URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2000-0199 Phase: Proposed (20000322) Category: CF Reference: ISS:20000314 Vulnerability in Microsoft SQL Server 7.0 Encryption Used to Store Administrative Login ID Reference: BID:1055 Reference: URL:http://www.securityfocus.com/bid/1055 When a new SQL Server is registered in Enterprise Manager for Microsoft SQL Server 7.0 and the "Always prompt for login name and password" option is not set, then the Enterprise Manager uses weak encryption to store the login ID and password. Current Votes: ACCEPT(6) Baker, Blake, Cole, Levy, Ozancin, Wall MODIFY(1) Frech REVIEWING(2) Christey, LeBlanc Voter Comments: LeBlanc> I think this may just be user error - I'd like more information. Frech> XF:mssql-weak-encryption ISS:Vulnerability in Microsoft SQL Server 7.0 Encryption Used to Store Administrative Login ID URL:http://xforce.iss.net/alerts/advise45.php3 Christey> According to Scott Culp, this can only be reproduced if the SQL server is running in an unsafe mode that is not recommended by Microsoft: "To securely use SQL Server, Microsoft recommends using Windows Integrated Security. In Windows Integrated Security mode passwords are never stored, as your Windows Domain sign-on is used as the security identifier to the database server." 
We still must consider approving this candidate, however, as a user configuration error instead of a software flaw. CD:DESIGN-WEAK-ENCRYPTION applies in this case, so if we decide to include configuration problems in which a user intentionally selects weak encryption, then we might still approve this candidate. ====================================================== Name: CVE-2000-0203 Status: Candidate URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2000-0203 Phase: Proposed (20000322) Category: SF/CF/MP/SA/AN/unknown Reference: BUGTRAQ:20000228 Re: TrendMicro OfficeScan tmlisten.exe DoS Reference: URL:http://www.securityfocus.com/templates/archive.pike?list=1&msg=412FC0AFD62ED31191B40008C7E9A11A0D481D@srvnt04.previnet.it Reference: BUGTRAQ:20000315 Trend Micro release patch for "OfficeScan DoS & Message Replay" V ulnerabilies Reference: URL:http://www.securityfocus.com/templates/archive.pike?list=1&msg=D129BBE1730AD2118A0300805FC1C2FE038AF28B@209-76-212-10.trendmicro.com Reference: MISC:http://www.antivirus.com/download/ofce_patch_35.htm Reference: BID:1013 Reference: URL:http://www.securityfocus.com/bid/1013 The Trend Micro OfficeScan client tmlisten.exe allows remote attackers to cause a denial of service via malformed data to port 12345. 
Current Votes: ACCEPT(5) Armstrong, Baker, Blake, Levy, Wall MODIFY(1) Frech NOOP(3) Cole, LeBlanc, Ozancin Voter Comments: Frech> XF:trendmicro-tmlisten-dos ====================================================== Name: CVE-2000-0204 Status: Candidate URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2000-0204 Phase: Proposed (20000322) Category: SF/CF/MP/SA/AN/unknown Reference: BUGTRAQ:20000226 DOS in Trendmicro OfficeScan Reference: URL:http://archives.neohapsis.com/archives/bugtraq/2000-02/0340.html Reference: BUGTRAQ:20000315 Trend Micro release patch for "OfficeScan DoS & Message Replay" V ulnerabilies Reference: URL:http://www.securityfocus.com/templates/archive.pike?list=1&msg=D129BBE1730AD2118A0300805FC1C2FE038AF28B@209-76-212-10.trendmicro.com Reference: MISC:http://www.antivirus.com/download/ofce_patch_35.htm Reference: BID:1013 Reference: URL:http://www.securityfocus.com/bid/1013 The Trend Micro OfficeScan client allows remote attackers to cause a denial of service by making 5 connections to port 12345, which raises CPU utilization to 100%. Current Votes: ACCEPT(6) Armstrong, Baker, Blake, Cole, Levy, Wall MODIFY(1) Frech NOOP(2) LeBlanc, Ozancin Voter Comments: Frech> XF:trendmicro-simultaneous-dos ====================================================== Name: CVE-2000-0205 Status: Candidate URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2000-0205 Phase: Proposed (20000322) Category: SF/CF/MP/SA/AN/unknown Reference: BUGTRAQ:20000303 TrendMicro OfficeScan, numerous security holes, remote files modification. 
Reference: URL:http://archives.neohapsis.com/archives/bugtraq/2000-03/0015.html Reference: BUGTRAQ:20000315 Trend Micro release patch for "OfficeScan DoS & Message Replay" V ulnerabilies Reference: URL:http://www.securityfocus.com/templates/archive.pike?list=1&msg=D129BBE1730AD2118A0300805FC1C2FE038AF28B@209-76-212-10.trendmicro.com Reference: MISC:http://www.antivirus.com/download/ofce_patch_35.htm Reference: BID:1013 Reference: URL:http://www.securityfocus.com/bid/1013 Trend Micro OfficeScan allows remote attackers to replay administrative commands and modify the configuration of OfficeScan clients. Current Votes: ACCEPT(4) Baker, Blake, Cole, Levy MODIFY(1) Frech NOOP(3) LeBlanc, Ozancin, Wall Voter Comments: Frech> XF:trendmicro-admin-command(4041) ====================================================== Name: CVE-2000-0213 Status: Candidate URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2000-0213 Phase: Proposed (20000322) Category: SF Reference: BUGTRAQ:20000223 Sambar Server alert! Reference: URL:http://www.securityfocus.com/templates/archive.pike?list=1&msg=38B3E60A.6A84FEC3@cybcom.net Reference: CONFIRM:http://www.sambar.com/session/highlight?url=/syshelp/history.htm&words=security+&color=red Reference: XF:sambar-batfiles Reference: BID:1002 Reference: URL:http://www.securityfocus.com/bid/1002 The Sambar server includes batch files ECHO.BAT and HELLO.BAT in the CGI directory, which allow remote attackers to execute commands via shell metacharacters. Current Votes: ACCEPT(6) Armstrong, Baker, Blake, Cole, Frech, Levy NOOP(3) LeBlanc, Ozancin, Wall ====================================================== Name: CVE-2000-0214 Status: Candidate URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2000-0214 Phase: Proposed (20000322) Category: SF Reference: BUGTRAQ:20000224 How the password could be recover using FTP Explorer's registry! 
Reference: URL:http://www.securityfocus.com/templates/archive.pike?list=1&msg=Pine.LNX.4.10.10002242035500.30645-100000@unreal.sekure.org Reference: BID:1003 Reference: URL:http://www.securityfocus.com/bid/1003 FTP Explorer uses weak encryption for storing the username, password, and profile of FTP sites. Current Votes: ACCEPT(5) Armstrong, Baker, Cole, Levy, Ozancin MODIFY(1) Frech NOOP(3) Blake, LeBlanc, Wall Voter Comments: Frech> XF:ftp-explorer-weak-pwd(4038) ====================================================== Name: CVE-2000-0216 Status: Candidate URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2000-0216 Phase: Proposed (20000322) Category: SF/CF/MP/SA/AN/unknown Reference: NTBUGTRAQ:20000229 mailbombing DoS easily exploitable against mail systems using MS mail clients. Reference: URL:http://archives.neohapsis.com/archives/ntbugtraq/2000-q1/0176.html Microsoft email clients in Outlook, Exchange, and Windows Messaging automatically respond to Read Receipt and Delivery Receipt tags, which could allow an attacker to flood a mail system with responses by forging a Read Receipt request that is redirected to a large distribution list. Current Votes: ACCEPT(1) Cole MODIFY(1) Frech NOOP(2) Baker, Ozancin REJECT(3) Blake, LeBlanc, Levy REVIEWING(1) Wall Voter Comments: Blake> This is a configuration issue. Should the fact that NT can be configured to accept a blank Admin password have a CVE entry? LeBlanc> This is documented as bad practice - if you have a wide distribution mailing list, you should only allow certain users to send mail to it. I don't think we want to start listing all possible admin errors as vulnerabilities. Frech> XF:microsoft-mail-client-dos(4893) Levy> I agree with all the above comments. Furthermore the delivery status notification RFC makes it clear that mailing list software should strip messages from DSN headers. I assume Microsoft's products are using the DSN standard and not something else. 
====================================================== Name: CVE-2000-0219 Status: Candidate URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2000-0219 Phase: Proposed (20000322) Category: SF/CF/MP/SA/AN/unknown Reference: BUGTRAQ:20000223 redhat 6.0: single user boot security hole Reference: URL:http://www.securityfocus.com/templates/archive.pike?list=1&msg=200002230248.NAA19185@cairo.anu.edu.au Reference: BID:1005 Reference: URL:http://www.securityfocus.com/bid/1005 Red Hat 6.0 allows local users to gain root access by booting single user and hitting ^C at the password prompt. Current Votes: ACCEPT(4) Armstrong, Cole, Levy, Ozancin MODIFY(1) Frech NOOP(4) Baker, Blake, LeBlanc, Wall REVIEWING(1) Christey Voter Comments: Ozancin> We need an additional CVE entry for other distributions that simply drop you into a root shell in single user mode. Christey> Based on Craig's comments, need to consider if this is an LOA issue. Frech> XF:redhat-single-user-auth(4026) ====================================================== Name: CVE-2000-0220 Status: Candidate URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2000-0220 Phase: Proposed (20000322) Category: SF/CF/MP/SA/AN/unknown Reference: BUGTRAQ:20000225 Zonealarm exports sensitive data ZoneAlarm sends sensitive system and network information in cleartext to the Zone Labs server if a user requests more information about an event. Current Votes: ACCEPT(1) Armstrong MODIFY(1) Frech NOOP(5) Baker, Cole, LeBlanc, Ozancin, Wall REJECT(1) Blake REVIEWING(1) Levy Voter Comments: Blake> Discussion on Bugtraq shows that this is a really marginal issue. Very tough to come up with a viable attack scenario. Also, it's part of how this class of software works, not a flaw in the cited package. Might be possible to recast this into something more generic.... 
Frech> XF:zonealarm-exposes-info ====================================================== Name: CVE-2000-0227 Status: Candidate URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2000-0227 Phase: Modified (20010910-01) Category: SF Reference: BUGTRAQ:20000323 Local Denial-of-Service attack against Linux Reference: URL:http://archives.neohapsis.com/archives/bugtraq/2000-03/0254.html Reference: BUGTRAQ:20000328 Re: Local Denial-of-Service attack against Linux Reference: URL:http://marc.theaimsgroup.com/?l=bugtraq&m=95421263519558&w=2 Reference: BID:1072 Reference: URL:http://www.securityfocus.com/bid/1072 Reference: XF:linux-domain-socket-dos(4186) Reference: URL:http://xforce.iss.net/static/4186.php The Linux 2.2.x kernel does not restrict the number of Unix domain sockets as defined by the wmem_max paremeter, which allows local users to cause a denial of service by requesting a large number of sockets. Current Votes: ACCEPT(8) Armstrong, Baker, Blake, Cole, Collins, Frech, Levy, Ozancin NOOP(3) Christey, Magdych, Wall Voter Comments: Christey> Fix typo: 'paremeter' Magdych> I remember when this came up... seems like there were some wildly mixed results for the exploit. Christey> See http://marc.theaimsgroup.com/?l=bugtraq&m=95421263519558&w=2 for Elias' summary of the mixed results. It looks like enough people were able to replicate it that we should include it. 
Christey> Fix typo: "paremeter" CHANGE> [Magdych changed vote from REVIEWING to NOOP] ====================================================== Name: CVE-2000-0239 Status: Candidate URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2000-0239 Phase: Proposed (20000412) Category: SF Reference: BUGTRAQ:20000315 Local / Remote DoS Attack in MERCUR WebView WebMail-Client 1.0 Reference: URL:http://marc.theaimsgroup.com/?l=bugtraq&m=95325335825295&w=2 Reference: URL:http://www.ussrback.com/labs36.html Reference: BID:1056 Reference: URL:http://www.securityfocus.com/bid/1056 Reference: XF:mercur-webview-get-dos Buffer overflow in the MERCUR WebView WebMail server allows remote attackers to cause a denial of service via a long mail_user parameter in the GET request. Current Votes: ACCEPT(3) Baker, Frech, Levy NOOP(2) Cole, Magdych Voter Comments: CHANGE> [Magdych changed vote from REVIEWING to NOOP] ====================================================== Name: CVE-2000-0241 Status: Candidate URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2000-0241 Phase: Proposed (20000412) Category: SF/CF/MP/SA/AN/unknown Reference: BUGTRAQ:20000321 vqserver /........../ Reference: URL:http://www.securityfocus.com/templates/archive.pike?list=1&msg=4.1.20000321084646.0095c7f0@olga.swip.net Reference: BID:1068 Reference: URL:http://www.securityfocus.com/bid/1068 Reference: XF:vqserver-passwd-plaintext vqSoft vqServer stores sensitive information such as passwords in cleartext in the server.cfg file, which allows attackers to gain privileges. 
Current Votes: ACCEPT(3) Baker, Frech, Levy NOOP(2) Cole, Magdych Voter Comments: CHANGE> [Magdych changed vote from REVIEWING to NOOP] ====================================================== Name: CVE-2000-0242 Status: Candidate URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2000-0242 Phase: Proposed (20000412) Category: SF Reference: BUGTRAQ:20000325 Windmail allow web user get any file Reference: URL:http://www.securityfocus.com/templates/archive.pike?list=1&date=2000-03-22&msg=20000325224146.6839.qmail@securityfocus.com Reference: XF:windmail-fileread Reference: XF:windmail-pipe-command Reference: BID:1073 Reference: URL:http://www.securityfocus.com/bid/1073 WindMail allows remote attackers to read arbitrary files or execute commands via shell metacharacters. Current Votes: ACCEPT(2) Cole, Levy NOOP(1) Baker RECAST(1) Frech REJECT(2) Christey, Magdych Voter Comments: Frech> Violation of fundamentum divisionis (that is, it's more than one issue) and a potential nitpick: - windmail-fileread: allows remote attackers to read arbitrary files - windmail-pipe-command: execute commands via shell metacharacters - The conjunction 'or' should be 'and', if you decide to stick with one CAN. Christey> As Andre basically said without naming content decisions, CD:SF-LOC says this should be split. HOWEVER - the author of the product says that WindMail isn't supposed to be a CGI script, and says that the pipe character problem is not related to Geocel. So should CVE record when someone runs a program that wasn't intended to be a CGI? There may be a level of abstraction issue here. Note that Perl and shell interpreters in CGI-BIN are already mentioned in CVE-1999-0509. If we want to include "using a program that wasn't designed to be a CGI" as a problem, we should have a separate candidate. 
See the author's comments at: http://www.securityfocus.com/templates/archive.pike?list=1&msg=3.0.5.32.20000331114325.013af680@mailhost.geocel.com which also claims that the original announcer hasn't provided any more details after the author was unable to reproduce the problem. CHANGE> [Magdych changed vote from REVIEWING to REJECT] Magdych> After reviewing the author's comments, I'm inclined to think that this is more of a misconfiguration than a vulnerability. ====================================================== Name: CVE-2000-0244 Status: Candidate URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2000-0244 Phase: Proposed (20000412) Category: SF Reference: BUGTRAQ:20000328 Citrix ICA Basic Encryption Reference: URL:http://www.securityfocus.com/templates/archive.pike?list=1&msg=Pine.BSO.4.20.0003290949280.2640-100000@naughty.monkey.org Reference: BID:1077 Reference: URL:http://www.securityfocus.com/bid/1077 The Citrix ICA (Independent Computing Architecture) protocol uses weak encryption (XOR) for user authentication. Current Votes: ACCEPT(2) Levy, Magdych MODIFY(1) Frech NOOP(2) Baker, Cole Voter Comments: Frech> XF:citrix-encryption ====================================================== Name: CVE-2000-0248 Status: Candidate URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2000-0248 Phase: Modified (20070924) Category: CF Reference: ISS:20000424 Backdoor Password in Red Hat Linux Virtual Server Package Reference: URL:http://xforce.iss.net/alerts/advise46.php3 Reference: REDHAT:RHSA-2000:014-10 The web GUI for the Linux Virtual Server (LVS) software in the Red Hat Linux Piranha package has a backdoor password that allows remote attackers to execute arbitrary commands. 
Current Votes: ACCEPT(3) Baker, Cole, Levy MODIFY(1) Frech NOOP(2) Christey, Wall REJECT(1) Cox Voter Comments: Christey> Typo fix: change "passowrd" to "password" ADDREF BID:1148 ADDREF URL:http://www.securityfocus.com/bid/1148 Christey> ADDREF XF:piranha-default-password Frech> XF:piranha-default-password In description, passowrd should be password. Cox> The "execute arbitrary commands" part is a seperate vulnerability, already assigned CVE-2000-0322. The package was designed to have no password on installation, so "backdoor" does not apply. When users install Piranha they are expected to add a password to the web administration GUI, it's a documented part of the procedure. "The web GUI for the Linux Virtual Server (LVS) software in the Red Hat Linux Piranha package installs with a default password" is accurate if it qualifies as an exposure. Christey> BUGTRAQ:20000425 piranha default password/exploit URL:http://marc.theaimsgroup.com/?l=bugtraq&m=95668829621268&w=2 Default accounts/passwords need to be accounted for in CVE, but the question is what level of abstraction to use - a separate CVE for each password, or one CVE for all passwords, or somewhere in the middle? That is the crux of CD:CF-PASS. ====================================================== Name: CVE-2000-0250 Status: Candidate URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2000-0250 Phase: Proposed (20000426) Category: SF Reference: BUGTRAQ:20000414 qnx crypt comprimised Reference: URL:http://archives.neohapsis.com/archives/bugtraq/2000-04/0072.html Reference: BID:1114 Reference: URL:http://www.securityfocus.com/bid/1114 The crypt function in QNX uses weak encryption, which allows local users to decrypt passwords. 
Current Votes:
   ACCEPT(2) Baker, Levy
   MODIFY(1) Frech
   NOOP(2) Cole, Wall

Voter Comments:
 Frech> XF:qnx-weak-encryption(4866)

======================================================
Name: CVE-2000-0256
Status: Candidate
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2000-0256
Phase: Modified (20070607)
Category: SF
Reference: BUGTRAQ:20070603 CERN İmage Map Dispatcher
Reference: URL:http://www.securityfocus.com/archive/1/archive/1/470458/100/0/threaded
Reference: MS:MS00-028
Reference: URL:http://www.microsoft.com/technet/security/bulletin/ms00-028.asp
Reference: BID:1117
Reference: URL:http://www.securityfocus.com/bid/1117
Reference: XF:frontpage-cern-bo(34720)
Reference: URL:http://xforce.iss.net/xforce/xfdb/34720

Buffer overflows in htimage.exe and Imagemap.exe in FrontPage 97 and 98 Server Extensions allow a user to conduct activities that are not otherwise available through the web site, aka the "Server-Side Image Map Components" vulnerability.

Current Votes:
   ACCEPT(4) Baker, Cole, Levy, Wall
   MODIFY(1) Frech
   NOOP(1) Christey

Voter Comments:
 Frech> XF:frontpage-ext-image-map
 Christey> Possibly related to BUGTRAQ:20000418 More vulnerabilities in FP
   http://archives.neohapsis.com/archives/bugtraq/2000-04/0116.html

======================================================
Name: CVE-2000-0259
Status: Candidate
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2000-0259
Phase: Proposed (20000426)
Category: CF
Reference: MS:MS00-024
Reference: URL:http://www.microsoft.com/technet/security/bulletin/ms00-024.asp
Reference: BID:1105
Reference: URL:http://www.securityfocus.com/bid/1105

The default permissions for the Cryptography\Offload registry key used by the OffloadModExpo in Windows NT 4.0 allow local users to compromise the cryptographic keys of other users.

Current Votes:
   ACCEPT(4) Baker, Cole, Levy, Wall
   MODIFY(1) Frech
   NOOP(1) Christey

Voter Comments:
 Frech> XF:winnt-cryptkeys-compromise
 Christey> Include "CryptoAPI" to facilitate search.
   MSKB:Q259496
   URL:http://www.microsoft.com/technet/support/kb.asp?ID=259496

======================================================
Name: CVE-2000-0266
Status: Candidate
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2000-0266
Phase: Proposed (20000426)
Category: SF
Reference: BUGTRAQ:20000418 IE 5 security vulnerablity - circumventing Cross-frame security policy using Java/JavaScript (and disabling Active Scripting is not that easy)
Reference: URL:http://www.securityfocus.com/templates/archive.pike?list=1&msg=38FC6130.D6D178FD@nat.bg
Reference: BID:1121
Reference: URL:http://www.securityfocus.com/bid/1121

Internet Explorer 5.01 allows remote attackers to bypass the cross frame security policy via a malicious applet that interacts with the Java JSObject to modify the DOM properties to set the IFRAME to an arbitrary Javascript URL.

Current Votes:
   ACCEPT(5) Baker, Cole, LeBlanc, Levy, Wall
   MODIFY(1) Frech
   REVIEWING(1) Christey

Voter Comments:
 Frech> XF:ie-java-crossframe-security
 Christey> May be a duplicate of CVE-2000-0465 according to my communications with Microsoft people.
   CVE-2000-0028 may also be a variant.
 LeBlanc> MS00-039

======================================================
Name: CVE-2000-0269
Status: Candidate
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2000-0269
Phase: Proposed (20000426)
Category: SF
Reference: BUGTRAQ:20000418 RUS-CERT Advisory 200004-01: GNU Emacs 20
Reference: URL:http://www.securityfocus.com/templates/archive.pike?list=1&date=2000-04-15&msg=tg4s8zioxq.fsf@mercury.rus.uni-stuttgart.de
Reference: BID:1125
Reference: URL:http://www.securityfocus.com/bid/1125

Emacs 20 does not properly set permissions for a slave PTY device when starting a new subprocess, which allows local users to read or modify communications between Emacs and the subprocess.
Current Votes:
   ACCEPT(2) Baker, Levy
   MODIFY(1) Frech
   NOOP(3) Christey, Cole, Wall

Voter Comments:
 Christey> ADDREF XF:emacs-local-eavesdrop
   Verify BID for this - is it 1125, 1126, or 1127?
   Also, ADDREF CALDERA:CSSA-2000-011.1 ??
   URL:ftp://ftp.calderasystems.com/pub/OpenLinux/security/CSSA-2000-011.1.txt
 Frech> XF:emacs-local-eavesdrop
 Christey> ADDREF MANDRAKE:MDKSA-2000:088 ?
   Also http://www.securityfocus.com/bid/2164, but is that a duplicate of BID:1125?

======================================================
Name: CVE-2000-0270
Status: Candidate
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2000-0270
Phase: Proposed (20000426)
Category: SF
Reference: BUGTRAQ:20000418 RUS-CERT Advisory 200004-01: GNU Emacs 20
Reference: URL:http://www.securityfocus.com/templates/archive.pike?list=1&date=2000-04-15&msg=tg4s8zioxq.fsf@mercury.rus.uni-stuttgart.de
Reference: BID:1125
Reference: URL:http://www.securityfocus.com/bid/1126

The make-temp-name Lisp function in Emacs 20 creates temporary files with predictable names, which allows attackers to conduct a symlink attack.

Current Votes:
   ACCEPT(1) Baker
   MODIFY(2) Frech, Levy
   NOOP(3) Christey, Cole, Wall

Voter Comments:
 Christey> ADDREF XF:emacs-tempfile-creation
   Verify BID for this - is it 1125, 1126, or 1127?
   Also, ADDREF CALDERA:CSSA-2000-011.1 ??
   URL:ftp://ftp.calderasystems.com/pub/OpenLinux/security/CSSA-2000-011.1.txt
 Frech> XF:emacs-tempfile-creation
 Levy> Change BID reference to BID 1126

======================================================
Name: CVE-2000-0271
Status: Candidate
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2000-0271
Phase: Proposed (20000426)
Category: SF
Reference: BUGTRAQ:20000418 RUS-CERT Advisory 200004-01: GNU Emacs 20
Reference: URL:http://www.securityfocus.com/templates/archive.pike?list=1&date=2000-04-15&msg=tg4s8zioxq.fsf@mercury.rus.uni-stuttgart.de
Reference: BID:1125
Reference: URL:http://www.securityfocus.com/bid/1125

read-passwd and other Lisp functions in Emacs 20 do not properly clear the history of recently typed keys, which allows an attacker to read unencrypted passwords.

Current Votes:
   ACCEPT(1) Baker
   MODIFY(2) Frech, Levy
   NOOP(3) Christey, Cole, Wall

Voter Comments:
 Christey> Verify BID for this - is it 1125, 1126, or 1127?
   Also, ADDREF CALDERA:CSSA-2000-011.1 ??
   URL:ftp://ftp.calderasystems.com/pub/OpenLinux/security/CSSA-2000-011.1.txt
   ADDREF XF:emacs-password-history
 Frech> XF:emacs-password-history
 Levy> Change BID reference to BID 1127

======================================================
Name: CVE-2000-0275
Status: Candidate
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2000-0275
Phase: Proposed (20000426)
Category: SF
Reference: L0PHT:20000410 CRYPTOCard PalmToken PIN Extraction
Reference: URL:http://www.l0pht.com/advisories/cc-pinextract.txt
Reference: BUGTRAQ:20000410 CRYPTOAdmin 4.1 server with PalmPilot PT-1 token 1.04 PIN Extraction
Reference: URL:http://archives.neohapsis.com/archives/bugtraq/2000-04/0033.html
Reference: BID:1097
Reference: URL:http://www.securityfocus.com/bid/1097

CRYPTOCard CryptoAdmin for PalmOS uses weak encryption to store a user's PIN number, which allows an attacker with access to the .PDB file to generate valid PT-1 tokens after cracking the PIN.
Current Votes:
   ACCEPT(3) Baker, Cole, Levy
   MODIFY(1) Frech
   NOOP(1) Wall

Voter Comments:
 Frech> XF:cryptoadmin-weak-encryption

======================================================
Name: CVE-2000-0280
Status: Candidate
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2000-0280
Phase: Proposed (20000426)
Category: SF
Reference: BUGTRAQ:20000403 Win32 RealPlayer 6/7 Buffer Overflow
Reference: URL:http://archives.neohapsis.com/archives/bugtraq/2000-04/0018.html
Reference: BID:1088
Reference: URL:http://www.securityfocus.com/bid/1088

Buffer overflow in the RealNetworks RealPlayer client versions 6 and 7 allows remote attackers to cause a denial of service via a long Location URL.

Current Votes:
   ACCEPT(3) Cole, Levy, Wall
   MODIFY(1) Frech
   NOOP(1) Baker

Voter Comments:
 Frech> XF:realserver-ramgen-dos

======================================================
Name: CVE-2000-0281
Status: Candidate
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2000-0281
Phase: Proposed (20000426)
Category: SF
Reference: BUGTRAQ:20000326 neat little napster bug
Reference: URL:http://archives.neohapsis.com/archives/bugtraq/2000-03/0277.html
Reference: BUGTRAQ:20000330 Napster, Inc. response to Colten Edwards
Reference: URL:http://archives.neohapsis.com/archives/bugtraq/2000-03/0299.html

Buffer overflow in the Napster client beta 5 allows remote attackers to cause a denial of service via a long message.

Current Votes:
   NOOP(2) Cole, Wall
   REJECT(3) Baker, Frech, Levy

Voter Comments:
 Frech> Does not meet CVE candidate requirements. The problem was remedied on the server end, and no fault exists at the client.
   Based on http://archives.neohapsis.com/archives/bugtraq/2000-03/0299.html:
   Approximately one hour after receiving the post from BugTraq, Napster's servers were patched to prevent this from occurring. Users of the Napster Win32 client software are NOT vulnerable.
 Baker> Agree with Andre

======================================================
Name: CVE-2000-0284
Status: Candidate
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2000-0284
Phase: Proposed (20000426)
Category: SF
Reference: BUGTRAQ:20000416 imapd4r1 v12.264
Reference: URL:http://archives.neohapsis.com/archives/bugtraq/2000-04/0074.html
Reference: URL:http://archives.neohapsis.com/archives/bugtraq/2000-04/0085.html
Reference: BID:1110
Reference: URL:http://www.securityfocus.com/bid/1110

Buffer overflow in University of Washington imapd version 4.7 allows users with a valid account to execute commands via LIST or other commands.

Current Votes:
   ACCEPT(3) Baker, Cole, Levy
   MODIFY(1) Frech
   NOOP(2) Christey, Wall

Voter Comments:
 Christey> ADDREF FREEBSD:FreeBSD-SA-00:14
   URL:http://www.securityfocus.com/templates/advisory.html?id=2179
 Frech> XF:imap-mailserver-bo

======================================================
Name: CVE-2000-0286
Status: Candidate
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2000-0286
Phase: Proposed (20000426)
Category: SF
Reference: BUGTRAQ:20000416 xfs
Reference: URL:http://archives.neohapsis.com/archives/bugtraq/2000-04/0079.html
Reference: BID:1111
Reference: URL:http://www.securityfocus.com/bid/1111

X fontserver xfs allows local users to cause a denial of service via malformed input to the server.

Current Votes:
   MODIFY(1) Frech
   NOOP(3) Baker, Cole, Wall
   REJECT(2) Christey, Levy

Voter Comments:
 Frech> XF:redhat-fontserver-dos
   POTENTIAL DUPE: CVE-2000-0263: The X font server xfs in Red Hat Linux 6.x allows an attacker to cause a denial of service via a malformed request.
 Christey> As Andre observed, this is a duplicate of CVE-2000-0263.
======================================================
Name: CVE-2000-0288
Status: Candidate
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2000-0288
Phase: Proposed (20000426)
Category: SF
Reference: BUGTRAQ:20000412 Infonautic's getdoc.cgi may allow unauthorized access to documents
Reference: URL:http://archives.neohapsis.com/archives/bugtraq/2000-04/0049.html

Infonautics getdoc.cgi allows remote attackers to bypass the payment phase for accessing documents via a modified form variable.

Current Votes:
   MODIFY(1) Frech
   NOOP(2) Cole, Wall
   REJECT(1) Baker
   REVIEWING(2) Christey, Levy

Voter Comments:
 Frech> XF:http-cgi-infonautics-getdoc
 Christey> CD:EX-ONLINE-SVC applies here. This may be a vulnerability in an online service (the search engines used by Infonautics) which poses no risk to anyone but the company itself.

======================================================
Name: CVE-2000-0291
Status: Candidate
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2000-0291
Phase: Proposed (20000426)
Category: SF
Reference: BUGTRAQ:20000416 StarOffice 5.1
Reference: URL:http://archives.neohapsis.com/archives/bugtraq/2000-04/0077.html
Reference: BID:1112
Reference: URL:http://www.securityfocus.com/bid/1112

Buffer overflow in Star Office 5.1 allows attackers to cause a denial of service by embedding a long URL within a document.
Current Votes:
   ACCEPT(2) Dik, Levy
   MODIFY(1) Frech
   NOOP(3) Baker, Cole, Wall

Voter Comments:
 Frech> XF:staroffice-long-url-bo

======================================================
Name: CVE-2000-0293
Status: Candidate
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2000-0293
Phase: Proposed (20000426)
Category: SF
Reference: BUGTRAQ:20000421 local user can delete arbitrary files on SuSE-Linux
Reference: BID:1130
Reference: URL:http://www.securityfocus.com/bid/1130

aaa_base in SuSE Linux 6.3, and cron.daily in earlier versions, allow local users to delete arbitrary files by creating files whose names include spaces, which are then incorrectly interpreted by aaa_base when it deletes expired files from the /tmp directory.

Current Votes:
   ACCEPT(3) Baker, Cole, Levy
   MODIFY(1) Frech
   NOOP(2) Christey, Wall

Voter Comments:
 Christey> ADDREF SUSE:20000502 aaabase < 2000.5.2
   URL: http://www.suse.de/de/support/security/suse_security_announce_47.txt
   This advisory references another problem that is listed in CVE-2000-0433.
 Frech> XF:aaabase-file-deletion

======================================================
Name: CVE-2000-0295
Status: Candidate
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2000-0295
Phase: Modified (20071220)
Category: SF
Reference: BUGTRAQ:20000420 Remote vulnerability in LCDproc 0.4
Reference: URL:http://www.securityfocus.com/templates/archive.pike?list=1&msg=Pine.LNX.3.96.1000421010946.15318I-200000@schizo.strange.net
Reference: GENTOO:GLSA-200301-07
Reference: URL:http://www.securityfocus.com/archive/1/archive/1/305589/30/26390/threaded
Reference: BID:1131
Reference: URL:http://www.securityfocus.com/bid/1131
Reference: SECUNIA:7829
Reference: URL:http://secunia.com/advisories/7829
Reference: XF:lcdproc-remote-overflow(4315)
Reference: URL:http://xforce.iss.net/xforce/xfdb/4315

Buffer overflow in LCDproc allows remote attackers to gain root privileges via the screen_add command.
Current Votes:
   ACCEPT(2) Baker, Levy
   MODIFY(1) Frech
   NOOP(2) Cole, Wall

Voter Comments:
 Frech> XF:lcdproc-remote-overflow

======================================================
Name: CVE-2000-0299
Status: Candidate
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2000-0299
Phase: Proposed (20000426)
Category: SF
Reference: BUGTRAQ:20000404 WebObjects DoS
Reference: URL:http://archives.neohapsis.com/archives/bugtraq/2000-04/0020.html

Buffer overflow in WebObjects.exe in the WebObjects Developer 4.5 package allows remote attackers to cause a denial of service via an HTTP request with long headers such as Accept.

Current Votes:
   ACCEPT(1) Baker
   MODIFY(1) Frech
   NOOP(4) Christey, Cole, Wall, Williams
   REVIEWING(1) Levy

Voter Comments:
 Christey> ADDREF XF:webobjects-post-dos
 Frech> XF:webobjects-post-dos
 Christey> See http://til.info.apple.com/techinfo.nsf/artnum/n75087
   Document says: "A request with a large, malformed http header can crash a WOApp" (Apple reference #2470254) appears to be the acknowledgement needed. Is this sufficient acknowledgement? This is dated August 24, but the initial disclosure occurred on April 4.
 Christey> BID:1896

======================================================
Name: CVE-2000-0300
Status: Candidate
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2000-0300
Phase: Proposed (20000426)
Category: SF
Reference: BUGTRAQ:20000405 PcAnywhere weak password encryption
Reference: URL:http://www.securityfocus.com/templates/archive.pike?list=1&msg=20000406030958.23902.qmail@securityfocus.com
Reference: BID:1093
Reference: URL:http://www.securityfocus.com/bid/1093

The default encryption method of PcAnywhere 9.x uses weak encryption, which allows remote attackers to sniff and decrypt PcAnywhere or NT domain accounts.
Current Votes:
   ACCEPT(4) Baker, Cole, Levy, Prosser
   MODIFY(1) Frech
   REVIEWING(1) Wall

Voter Comments:
 Frech> XF:pcanywhere-weak-encryption
 Prosser> http://service2.symantec.com/SUPPORT/pca.nsf/pfdocs/1999022312571812
   Upgraded in pcA 10

======================================================
Name: CVE-2000-0312
Status: Candidate
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2000-0312
Phase: Proposed (20010214)
Category: SF
Reference: OPENBSD:19990830 In cron(8), make sure argv[] is NULL terminated in the fake popen() and run sendmail as the user, not as root.
Reference: URL:http://www.openbsd.org/errata25.html#cron

cron in OpenBSD 2.5 allows local users to gain root privileges via an argv[] that is not NULL terminated, which is passed to cron's fake popen function.

Current Votes:
   ACCEPT(3) Baker, Cole, Collins
   MODIFY(1) Frech
   REVIEWING(1) Christey

Voter Comments:
 Frech> XF:cron-sendmail-root(3335)
   Seems like this issue is not just OpenBSD, and is described differently by other vendors:
   SuSE Security Announcement #15 Security hole in cron
   http://www.suse.de/de/support/security/suse_security_announce_15.txt
   Red Hat, Inc. Security Advisory RHSA-1999:030-02 Buffer overflow in cron daemon
   http://www.redhat.com/support/errata/rh52-errata-general.html#vixie-cron
   Caldera Systems, Inc. Security Advisory CSSA-1999-023.0 serious security problem in cron
   http://www.calderasystems.com/support/security/advisories/CSSA-1999-023.0.txt
   All are dated on or around 1999-08-27 to 1999-08-30.
   Also, may overlap with CVE-1999-0769: Vixie Cron on Linux systems allows local users to set parameters of sendmail commands via the MAILTO environmental variable.
 Christey> See Andre's comments, but I believe this is different than CVE-1999-0769.
   Also consider CVE-1999-0768 and CVE-1999-0872 (Vixie Cron buffer overflow via MAILTO),

======================================================
Name: CVE-2000-0317
Status: Candidate
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2000-0317
Phase: Proposed (20000518)
Category: SF
Reference: BUGTRAQ:20000424 Solaris 7 x86 lpset exploit.
Reference: URL:http://archives.neohapsis.com/archives/bugtraq/2000-04/0192.html
Reference: URL:http://archives.neohapsis.com/archives/bugtraq/2000-04/0236.html
Reference: BUGTRAQ:20000427 Re: Solaris/SPARC 2.7 lpset exploit (well not likely !)
Reference: URL:http://marc.theaimsgroup.com/?l=bugtraq&m=95729763119559&w=2
Reference: SUNBUG:4334568
Reference: BID:1138
Reference: URL:http://www.securityfocus.com/bid/1138

Buffer overflow in Solaris 7 lpset allows local users to gain root privileges via a long -r option.

Current Votes:
   ACCEPT(3) Baker, Cole, Levy
   MODIFY(1) Frech
   NOOP(3) Christey, LeBlanc, Wall
   RECAST(1) Dik

Voter Comments:
 Dik> There's a lot of confusion in this one.
   These point to buffer overflows:
   Reference: BUGTRAQ:20000424 Solaris 7 x86 lpset exploit.
   Reference: URL:http://archives.neohapsis.com/archives/bugtraq/2000-04/0192.html
   Reference: URL:http://archives.neohapsis.com/archives/bugtraq/2000-04/0236.html
   But these point to dlopen() in libprint that doesn't check pathnames:
   Reference: BUGTRAQ:20000427 Re: Solaris/SPARC 2.7 lpset exploit (well not likely !)
   Reference: URL:http://marc.theaimsgroup.com/?l=bugtraq&m=95729763119559&w=2
   Reference: SUNBUG:4334568
   And this is a buffer overflow again:
   Reference: BID:1138
   Reference: URL:http://www.securityfocus.com/bid/1138
 Frech> XF:solaris-lpset-bo
 Christey> ADDREF SUN:00195? Need to check with Casper.
======================================================
Name: CVE-2000-0321
Status: Candidate
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2000-0321
Phase: Proposed (20000518)
Category: SF
Reference: BUGTRAQ:20000424 Buffer Overflow in version .14
Reference: URL:http://archives.neohapsis.com/archives/bugtraq/2000-04/0190.html
Reference: BID:1147
Reference: URL:http://www.securityfocus.com/bid/1147

Buffer overflow in IC Radius package allows a remote attacker to cause a denial of service via a long user name.

Current Votes:
   ACCEPT(1) Levy
   MODIFY(1) Frech
   NOOP(4) Baker, Cole, LeBlanc, Wall
   REJECT(1) Christey

Voter Comments:
 Frech> XF:icradius-username-bo
   Every reference I pull up shows the product's name as ICRADIUS. See http://mysql.eunet.fi/Downloads/Contrib/icradius.README
 Christey> In a followup, Alan DeKok (aland@FREERADIUS.ORG) says that this could occur in other RADIUS servers also; however, the bug could only be exploited if someone has altered the configuration file, which shouldn't normally be modifiable by anyone else. So, this should be REJECTed since the bug doesn't directly give anyone else any additional privileges or access.
 Christey> Alan DeKok says it applies to other RADIUS programs also, *however* since it needs a valid username, only the RADIUS owner can exploit it by changing the config file. But if the config file can be written by others - well, that's still a potential risk, but you've probably got bigger problems then.
   - http://marc.theaimsgroup.com/?l=bugtraq&m=95671883515060&w=2
   Look at ChangeLog at ftp://ftp.cheapnet.net/pub/icradius/ChangeLog
   Possible confirmation in 0.15: "sql_getvpdata now dynamically allocates buffer sizes for sql queries to avoid over runs"
   But that's a bit general. Alan Kok said that Cistron and other RADIUS servers were affected; the ICRADIUS changelog says to check the Cistron logs for other possible bug fixes, since ICRADIUS uses Cistron codebase.
   Go back to freeradius.org and find link to Cistron at http://www.miquels.cistron.nl/radius/
   Cistron changelog at http://www.miquels.cistron.nl/radius/ChangeLog
   It has different version numbers - go back to ICRADIUS changelog to find rough equivalents.
   ICRADIUS 0.15 uses Cistron 1.6.3 patches, so start from there.
   No apparent problems in 1.6.3 or 1.6.4, but 1.6.1 says:
   "Fix all strcpy(), strcat(), sprintf() and sccanf() calls for buffer overflows."
   So perhaps the problem was fixed then? Or maybe the vulnerable sscanf() call was missed and/or disregarded because it was believed that the hostname could be trusted since it came from a well-controlled configuration file?

======================================================
Name: CVE-2000-0325
Status: Candidate
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2000-0325
Phase: Modified (20020222-01)
Category: SF
Reference: MS:MS99-030
Reference: URL:http://www.microsoft.com/technet/security/bulletin/ms99-030.asp
Reference: XF:jet-vba-shell(3155)
Reference: URL:http://xforce.iss.net/static/3155.php
Reference: BID:548
Reference: URL:http://www.securityfocus.com/bid/548

The Microsoft Jet database engine allows an attacker to execute commands via a database query, aka the "VBA Shell" vulnerability.

Current Votes:
   ACCEPT(5) Armstrong, Baker, Cole, Prosser, Wall
   MODIFY(1) Frech
   REJECT(1) LeBlanc
   REVIEWING(1) Christey

Voter Comments:
 LeBlanc> - same as CVE-1999-1011
   If I'm misunderstanding something here, please correct me. In fact, it has the same bulletin as a reference.
 Frech> XF:jet-vba-shell
 Prosser> This entry is not the same as "now" CVE-1999-1011. That entry is "The Remote Data Service (RDS) DataFactory component of Microsoft Data Access Components (MDAC) in IIS 3.x and 4.x exposes unsafe methods, which allows remote attackers to execute arbitrary commands." This one should be correct.
 Christey> BUGTRAQ:19990525 Advisory: NT ODBC Remote Compromise
   http://marc.theaimsgroup.com/?l=bugtraq&m=92765973107637&w=2
   NTBUGTRAQ:19990526 Advisory: NT ODBC Remote Compromise
   http://marc.theaimsgroup.com/?l=ntbugtraq&m=92781907215748&w=2
 Christey> The Microsoft advisory itself describes two separate vulnerabilities, calling the TEXT I-ISAM problem (CVE-2000-0323) a variant of the VBA Shell problem (this CAN). In addition, CVE-2000-0323 does *not* appear in Jet 4.0, while this one does. Since one problem appears in a different version than the other, CD:SF-LOC suggests keeping these candidates SPLIT.
   BID:548
   http://www.securityfocus.com/bid/548
 CHANGE> [Christey changed vote from NOOP to REVIEWING]
 Christey> Need to clarify whether the Bugtraq/NTBugtraq posts are really describing the same issue (those are BID:286).

======================================================
Name: CVE-2000-0326
Status: Candidate
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2000-0326
Phase: Proposed (20000518)
Category: SF
Reference: BID:1151
Reference: URL:http://www.securityfocus.com/bid/1151
Reference: CONFIRM:http://support.on.com/support/mmxp.nsf/31af51e08bcc93eb852565a90056138b/11af70407a16b165852568c50056a952?OpenDocument

Meeting Maker uses weak encryption (a polyalphabetic substitution cipher) for passwords, which allows remote attackers to sniff and decrypt passwords for Meeting Maker accounts.
Current Votes:
   ACCEPT(2) Baker, Levy
   MODIFY(1) Frech
   NOOP(4) Christey, Cole, LeBlanc, Wall

Voter Comments:
 Frech> XF:meetingmaker-weak-encryption
 Christey> Add original Bugtraq reference at: http://archives.neohapsis.com/archives/bugtraq/2000-04/0223.html
   Also ADDREF XF:meetingmaker-weak-encryption

======================================================
Name: CVE-2000-0333
Status: Candidate
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2000-0333
Phase: Proposed (20000518)
Category: SF
Reference: BUGTRAQ:20000502 Denial of service attack against tcpdump
Reference: URL:http://www.securityfocus.com/templates/archive.pike?list=1&msg=Pine.SOL.4.10.10005021942380.2077-100000@paranoia.pgci.ca
Reference: BID:1165
Reference: URL:http://www.securityfocus.com/bid/1165

tcpdump, Ethereal, and other sniffer packages allow remote attackers to cause a denial of service via malformed DNS packets in which a jump offset refers to itself, which causes tcpdump to enter an infinite loop while decompressing the packet.

Current Votes:
   ACCEPT(3) Armstrong, Baker, Levy
   MODIFY(1) Frech
   NOOP(2) Cole, Wall

Voter Comments:
 Frech> XF:sniffer-dns-decode-dos

======================================================
Name: CVE-2000-0343
Status: Candidate
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2000-0343
Phase: Proposed (20000518)
Category: SF
Reference: BUGTRAQ:20000502 spj-003-000 - S0ftPj Advisory
Reference: URL:http://www.securityfocus.com/templates/archive.pike?list=1&msg=200005021736.TAA01991@ALuSSi
Reference: BID:1158
Reference: URL:http://www.securityfocus.com/bid/1158

Buffer overflow in Sniffit 0.3.x with the -L logging option enabled allows remote attackers to execute arbitrary commands via a long MAIL FROM mail header.

Current Votes:
   ACCEPT(2) Cole, Levy
   MODIFY(2) Christey, Frech
   NOOP(2) Armstrong, Wall

Voter Comments:
 Frech> XF:sniffit-lmail-bo
 Christey> This issue was rediscovered.
   ADDREF BUGTRAQ:20020119 remote buffer overflow in sniffit
   URL:http://marc.theaimsgroup.com/?l=bugtraq&m=101167452712383&w=2
   ADDREF BUGTRAQ:20000525 `sniffit -L mail' vulnerabilities
   URL:http://marc.theaimsgroup.com/?l=bugtraq&m=95928090612990&w=2
   I reviewed the patch that was claimed in the 20020119 Bugtraq post, and it could well address the issue. However, since the patch is also dated around the time of the original Bugtraq post, *and* it says that it's addressing an issue that's discussed on Bugtraq, that is sufficient to establish acknowledgement.
 CHANGE> [Christey changed vote from NOOP to MODIFY]
 Christey> XF:sniffit-normmail-l-bo(7933)
   URL:http://www.iss.net/security_center/static/7933.php

======================================================
Name: CVE-2000-0345
Status: Candidate
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2000-0345
Phase: Proposed (20000518)
Category: SF
Reference: BUGTRAQ:20000502 Possible issue with Cisco on-line help?
Reference: URL:http://www.securityfocus.com/templates/archive.pike?list=1&msg=20000502222246.28423.qmail@securityfocus.com
Reference: BID:1161
Reference: URL:http://www.securityfocus.com/bid/1161

The on-line help system options in Cisco routers allow non-privileged users without "enabled" access to obtain sensitive information via the show command.

Current Votes:
   ACCEPT(1) Prosser
   MODIFY(1) Frech
   NOOP(5) Armstrong, Baker, Cole, Levy, Wall
   REJECT(1) Balinsky

Voter Comments:
 Levy> Arguably this is not a vulnerability. Cisco replied saying this is standard behaviour that was simply not well documented. They have no plans to change it and will simply document it better.
 Frech> XF:cisco-online-help
 Balinsky> As noted in a bugtraq posting by Lisa Napier from Cisco's Product Security Incident Response Team, this is a poorly documented feature. This is intended behavior, and does not represent a vulnerability in Cisco's opinion.
   http://www.securityfocus.com/frames/?content=/templates/archive.pike?list=1&mid=59434
 Prosser> Although Lisa Napier did say this issue was "functioning as designed", it was not intended to allow unprivileged access. Lisa did indicate that Cisco would be updating instructions on configuration to ensure proper user privileges. So, this should be considered IMHO an "exposure" vice a vulnerability, but security-related nonetheless.
   http://www.securityfocus.com/frames/?content=/templates/archive.pike%3Flist%3D1%26msg%3D20000502222246.28423.qmail@securityfocus.com
   http://www.securityfocus.com/bid/1161

======================================================
Name: CVE-2000-0355
Status: Candidate
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2000-0355
Phase: Proposed (20000524)
Category: SF
Reference: SUSE:19990920 Security hole in pbpg
Reference: URL:http://www.novell.com/linux/security/advisories/suse_security_announce_21.html
Reference: XF:linux-pb-fileread
Reference: XF:linux-pg-fileread

pg and pb in SuSE pbpg 1.x package allows an attacker to read arbitrary files.

Current Votes:
   ACCEPT(3) Baker, Frech, Levy
   NOOP(1) Christey

Voter Comments:
 Christey> ADDREF BID:1271
 Christey> ADDREF BID:1271
   URL:http://www.securityfocus.com/bid/1271

======================================================
Name: CVE-2000-0357
Status: Candidate
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2000-0357
Phase: Proposed (20000524)
Category: SF
Reference: REDHAT:RHSA-1999:058-01
Reference: URL:http://www.redhat.com/corp/support/errata/RHSA1999058-01.html

ORBit and esound in Red Hat Linux 6.1 do not use sufficiently random numbers, which allows local users to guess the authentication keys.
Current Votes:
   ACCEPT(2) Baker, Levy
   MODIFY(1) Frech
   NOOP(1) Christey

Voter Comments:
 Christey> ADDREF BID:1275
 Christey> ADDREF BID:1275
   URL:http://www.securityfocus.com/bid/1275
 Frech> XF:linux-orbit-esound-authentication-keys

======================================================
Name: CVE-2000-0358
Status: Candidate
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2000-0358
Phase: Proposed (20000524)
Category: SF
Reference: REDHAT:RHSA-1999:058-01
Reference: URL:http://www.redhat.com/corp/support/errata/RHSA1999058-01.html

ORBit and gnome-session in Red Hat Linux 6.1 allows remote attackers to crash a program.

Current Votes:
   ACCEPT(2) Baker, Levy
   MODIFY(1) Frech
   NOOP(1) Christey

Voter Comments:
 Christey> ADDREF BID:1283
 Christey> ADDREF BID:1283
   URL:http://www.securityfocus.com/bid/1283
 Frech> XF:linux-orbit-gnome-session-dos

======================================================
Name: CVE-2000-0364
Status: Candidate
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2000-0364
Phase: Proposed (20000524)
Category: SF
Reference: BUGTRAQ:19990606 RedHat 6.0, /dev/pts permissions bug when using xterm
Reference: URL:http://marc.theaimsgroup.com/?l=bugtraq&m=92877527701347&w=2
Reference: URL:http://marc.theaimsgroup.com/?l=bugtraq&m=92886009012161&w=2
Reference: REDHAT:RHSA1999014_01
Reference: URL:http://www.redhat.com/corp/support/errata/RHSA1999014_01.html
Reference: BID:309
Reference: URL:http://www.securityfocus.com/bid/309

screen and rxvt in Red Hat Linux 6.0 do not properly set the modes of tty devices, which allows local users to write to other ttys.
Current Votes:
   ACCEPT(2) Baker, Levy
   MODIFY(1) Frech
   NOOP(1) Christey

Voter Comments:
 Frech> XF:linux-tty-improper-mode
 Christey> BUGTRAQ:19990607 Re: RedHat 6.0, /dev/pts permissions bug when using xterm
   http://marc.theaimsgroup.com/?l=bugtraq&m=92886008912147&w=2
   BUGTRAQ:19990607 Re: Red Hat 6.0, /dev/pts permissions bug when using xterm
   URL:http://marc.theaimsgroup.com/?l=bugtraq&m=92886358415964&w=2

======================================================
Name: CVE-2000-0365
Status: Candidate
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2000-0365
Phase: Proposed (20000524)
Category: CF
Reference: BUGTRAQ:19990606 RedHat 6.0, /dev/pts permissions bug when using xterm
Reference: URL:http://marc.theaimsgroup.com/?l=bugtraq&m=92877527701347&w=2
Reference: URL:http://marc.theaimsgroup.com/?l=bugtraq&m=92886009012161&w=2
Reference: REDHAT:RHSA1999014_01
Reference: URL:http://www.redhat.com/corp/support/errata/RHSA1999014_01.html
Reference: BID:308
Reference: URL:http://www.securityfocus.com/bid/308

Red Hat Linux 6.0 installs the /dev/pts file system with insecure modes, which allows local users to write to other tty devices.
Current Votes: ACCEPT(2) Baker, Levy MODIFY(1) Frech NOOP(1) Christey Voter Comments: Frech> XF:linux-dev-insecure-mode Christey> BUGTRAQ:19990607 Re: RedHat 6.0, /dev/pts permissions bug when using xterm http://marc.theaimsgroup.com/?l=bugtraq&m=92886008912147&w=2 BUGTRAQ:19990607 Re: Red Hat 6.0, /dev/pts permissions bug when using xterm URL:http://marc.theaimsgroup.com/?l=bugtraq&m=92886358415964&w=2 ====================================================== Name: CVE-2000-0383 Status: Candidate URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2000-0383 Phase: Modified (20000706-01) Category: SF Reference: BUGTRAQ:20000507 AOL Instant Messenger Reference: URL:http://www.securityfocus.com/templates/archive.pike?list=1&msg=002401bfb918$7310d5a0$1ef084ce@karemor.com Reference: XF:aolim-file-path Reference: BID:1180 Reference: URL:http://www.securityfocus.com/bid/1180 The file transfer component of AOL Instant Messenger (AIM) reveals the physical path of the transferred file to the remote recipient. Current Votes: ACCEPT(5) Cole, Frech, Levy, Ozancin, Stracener NOOP(3) Baker, Christey, Prosser Voter Comments: Christey> Normalize the Bugtraq reference! 
======================================================
Name: CVE-2000-0384
Status: Candidate
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2000-0384
Phase: Proposed (20000615)
Category: CF
Reference: L0PHT:20000508 NetStructure 7180 remote backdoor vulnerability
Reference: URL:http://www.lopht.com/advisories/ipivot7110.html
Reference: L0PHT:20000508 NetStructure 7110 console backdoor
Reference: URL:http://www.l0pht.com/advisories/ipivot7180.html
Reference: CONFIRM:http://216.188.41.136/
Reference: XF:netstructure-root-compromise
Reference: XF:netstructure-wizard-mode
Reference: BID:1182
Reference: URL:http://www.securityfocus.com/bid/1182
Reference: BID:1183
Reference: URL:http://www.securityfocus.com/bid/1183

NetStructure 7110 and 7180 have undocumented accounts (servnow, root, and wizard) whose passwords are easily guessable from the NetStructure's MAC address, which could allow remote attackers to gain root access.

Current Votes:
   ACCEPT(6) Baker, Frech, Levy, Ozancin, Prosser, Stracener
   NOOP(1) Cole

======================================================
Name: CVE-2000-0385
Status: Candidate
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2000-0385
Phase: Proposed (20000615)
Category: SF
Reference: MISC:http://www.blueworld.com/blueworld/news/05.01.00-FM5_Security.html
Reference: CONFIRM:http://www.filemaker.com/support/webcompanion.html
Reference: XF:macos-filemaker-xml
Reference: XF:macos-filemaker-email

FileMaker Pro 5 Web Companion allows remote attackers to bypass Field-Level database security restrictions via the XML publishing or email capabilities.

Current Votes:
   ACCEPT(5) Baker, Frech, Ozancin, Prosser, Stracener
   MODIFY(1) Levy
   NOOP(1) Cole

Voter Comments:
   Levy> Reference: BID 1159

======================================================
Name: CVE-2000-0386
Status: Candidate
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2000-0386
Phase: Proposed (20000615)
Category: SF
Reference: MISC:http://www.blueworld.com/blueworld/news/05.01.00-FM5_Security.html
Reference: CONFIRM:http://www.filemaker.com/support/webcompanion.html
Reference: XF:macos-filemaker-anonymous-email

FileMaker Pro 5 Web Companion allows remote attackers to send anonymous or forged email.

Current Votes:
   ACCEPT(5) Baker, Frech, Ozancin, Prosser, Stracener
   MODIFY(1) Levy
   NOOP(1) Cole

Voter Comments:
   Levy> Reference: BID 1159

======================================================
Name: CVE-2000-0400
Status: Candidate
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2000-0400
Phase: Proposed (20000615)
Category: SF
Reference: BUGTRAQ:20000516 MICROSOFT SECURITY FLAW?
Reference: URL:http://marc.theaimsgroup.com/?l=bugtraq&m=95868514521257&w=2
Reference: BID:1221
Reference: URL:http://www.securityfocus.com/bid/1221
Reference: XF:ie-active-movie-control

The Microsoft Active Movie ActiveX Control in Internet Explorer 5 does not restrict which file types can be downloaded, which allows an attacker to download any type of file to a user's system by encoding it within an email message or news post.

Current Votes:
   ACCEPT(4) Frech, Levy, Ozancin, Wall
   NOOP(2) Cole, Stracener
   REJECT(1) Christey
   REVIEWING(1) LeBlanc

Voter Comments:
   LeBlanc> COMMENT - this definitely will not work if the user has applied the security patch. I don't know whether this repros right now, and have sent a query to find out.
   Christey> Is this now documented in MS:MS00-042?
   LeBlanc> the problem isn't in the Active Movie control. What was observed was a symptom of another problem that got fixed in some bulletin or another - I don't remember.
   Christey> According to Scott Culp, this existed because the patch for the Cache Bypass vulnerability (MS:MS00-046, CVE-2000-0621) was not applied, so this should be REJECTed as a duplicate of CVE-2000-0621.

======================================================
Name: CVE-2000-0401
Status: Candidate
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2000-0401
Phase: Proposed (20000615)
Category: SF
Reference: BUGTRAQ:20000525 Alert: PDG Cart Overflows
Reference: URL:http://marc.theaimsgroup.com/?l=bugtraq&m=95928319715983&w=2
Reference: NTBUGTRAQ:20000525 Alert: PDG Cart Overflows
Reference: URL:http://marc.theaimsgroup.com/?l=ntbugtraq&m=95928667119963&w=2
Reference: CONFIRM:http://www.pdgsoft.com/Security/security2.html
Reference: BID:1256
Reference: URL:http://www.securityfocus.com/bid/1256

Buffer overflows in redirect.exe and changepw.exe in PDGSoft shopping cart allow remote attackers to execute arbitrary commands via a long query string.

Current Votes:
   ACCEPT(2) Levy, Stracener
   MODIFY(1) Frech
   NOOP(2) Cole, Wall

Voter Comments:
   Frech> XF:pdgsoft-changepw-bo
      XF:pdgsoft-redirect-bo

======================================================
Name: CVE-2000-0412
Status: Candidate
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2000-0412
Phase: Proposed (20000615)
Category: SF
Reference: BUGTRAQ:20000510 KNapster Vulnerability Compromises User-readable Files
Reference: URL:http://archives.neohapsis.com/archives/bugtraq/2000-05/0124.html
Reference: BUGTRAQ:20000510 Gnapster Vulnerability Compromises User-readable Files
Reference: URL:http://archives.neohapsis.com/archives/bugtraq/2000-05/0127.html
Reference: FREEBSD:FreeBSD-SA-00:18
Reference: URL:ftp://ftp.freebsd.org/pub/FreeBSD/CERT/advisories/FreeBSD-SA-00:18-gnapster.adv
Reference: XF:gnapster-view-files
Reference: BID:1186
Reference: URL:http://www.securityfocus.com/bid/1186

The gnapster and knapster clients for Napster do not properly restrict access only to MP3 files, which allows remote attackers to read arbitrary files from the client by specifying the full pathname for the file.

Current Votes:
   ACCEPT(4) Baker, Levy, Ozancin, Stracener
   MODIFY(1) Frech
   NOOP(2) Cole, Prosser

Voter Comments:
   Frech> ADDREF XF:knapster-view-files

======================================================
Name: CVE-2000-0413
Status: Candidate
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2000-0413
Phase: Proposed (20000615)
Category: SF
Reference: BUGTRAQ:20000506 shtml.exe reveal local path of IIS web directory
Reference: URL:http://archives.neohapsis.com/archives/bugtraq/2000-05/0084.html
Reference: BID:1174
Reference: URL:http://www.securityfocus.com/bid/1174
Reference: XF:iis-shtml-reveal-path

The shtml.exe program in the FrontPage extensions package of IIS 4.0 and 5.0 allows remote attackers to determine the physical path of HTML, HTM, ASP, and SHTML files by requesting a file that does not exist, which generates an error message that reveals the path.

Current Votes:
   ACCEPT(7) Baker, Cole, Frech, LeBlanc, Levy, Ozancin, Stracener
   MODIFY(1) Prosser
   NOOP(1) Christey

Voter Comments:
   Prosser> additional source Security BugWare
      http://161.53.42.3/~crv/security/bugs/NT/fpse10.html
      comments on page re: "MS soon to be released service release OSR 1.2 with needed changes." I haven't located anything on MS site yet. Anyone help?
   Christey> BID:1433 may also refer to this issue.
   Christey> [note to self: review comments by Mark Burnett]
   Christey> CHANGEREF XF:iis-shtml-reveal-path XF:frontpage-ext-shtml-path(4439)
   LeBlanc> Fixes are up on site now - have been for a while.
======================================================
Name: CVE-2000-0415
Status: Candidate
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2000-0415
Phase: Proposed (20000615)
Category: SF
Reference: BUGTRAQ:20000512 Overflow in Outlook Express 4.* - too long filenames with graphic format extension
Reference: URL:http://archives.neohapsis.com/archives/bugtraq/2000-05/0140.html
Reference: BID:1195
Reference: URL:http://www.securityfocus.com/bid/1195

Buffer overflow in Outlook Express 4.x allows attackers to cause a denial of service via a mail or news message that has a .jpg or .bmp attachment with a long file name.

Current Votes:
   ACCEPT(3) Levy, Ozancin, Wall
   MODIFY(1) Frech
   NOOP(3) Christey, Cole, Stracener
   REJECT(1) LeBlanc

Voter Comments:
   LeBlanc> The poster re-discovered a vulnerability we patched two years ago, in http://www.microsoft.com/technet/security/bulletin/ms98-008.asp Microsoft posted a response to BugTraq when this one went public, and reminded them that we'd already patched it. BTW, I think we want to try and pay attention to follow-ups to these threads in order to minimize noise in the process.
   Christey> Based on David's comments, this is covered by CVE-1999-0002. However, that candidate may wind up being SPLIT, so I will keep this one around for the moment. With respect to watching followups, we are relying quite a bit on other data feeds instead of doing our own reviews of all the different data sources. The data feeds may report these problems as new before corrections are posted. Followups do often lend additional information to the candidates, and as is the case with this one, we will often catch the discrepancy before the candidate becomes an official entry, whether by MITRE's own analysis or by that of other Board members.
   Frech> XF:outlook-image-long-filename

======================================================
Name: CVE-2000-0420
Status: Candidate
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2000-0420
Phase: Proposed (20000615)
Category: CF
Reference: NTBUGTRAQ:20000511 ISS SAVANT Advisory 00/26
Reference: URL:http://archives.neohapsis.com/archives/ntbugtraq/2000-q2/0112.html
Reference: BID:1198
Reference: URL:http://www.securityfocus.com/bid/1198

The default configuration of SYSKEY in Windows 2000 stores the startup key in the registry, which could allow an attacker tor ecover it and use it to decrypt Encrypted File System (EFS) data.

Current Votes:
   ACCEPT(2) Levy, Ozancin
   MODIFY(1) Frech
   NOOP(2) Cole, Stracener
   REJECT(1) LeBlanc
   REVIEWING(1) Wall

Voter Comments:
   LeBlanc> This is not a vulnerability. It is essentially an advisory on best practices. Also, the description is extremely inaccurate. If I weren't intimately familiar with the issue, I would not be able to understand it from this. Syskey, when applied at lower levels, has well-documented limitations.
   Stracener> "..to recover"
   Frech> XF:win2k-syskey-default-configuration
      Change "tor ecover" to "to recover"

======================================================
Name: CVE-2000-0422
Status: Candidate
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2000-0422
Phase: Proposed (20000615)
Category: SF
Reference: BUGTRAQ:20000504 Alert: DMailWeb buffer overflow
Reference: URL:http://marc.theaimsgroup.com/?l=bugtraq&m=95749276827558&w=2
Reference: XF:http-cgi-dmailweb-bo
Reference: BID:1171
Reference: URL:http://www.securityfocus.com/bid/1171

Buffer overflow in Netwin DMailWeb CGI program allows remote attackers to execute arbitrary commands via a long utoken parameter.
Current Votes:
   ACCEPT(5) Frech, Levy, Ozancin, Prosser, Stracener
   NOOP(2) Baker, Cole

======================================================
Name: CVE-2000-0423
Status: Candidate
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2000-0423
Phase: Proposed (20000615)
Category: SF
Reference: BUGTRAQ:20000505 Alert: DNewsWeb buffer overflow
Reference: URL:http://marc.theaimsgroup.com/?l=bugtraq&m=95764950403250&w=2
Reference: XF:http-cgi-dnews-bo
Reference: BID:1172
Reference: URL:http://www.securityfocus.com/bid/1172

Buffer overflow in Netwin DNEWSWEB CGI program allows remote attackers to execute arbitrary commands via long parameters such as group, cmd, and utag.

Current Votes:
   ACCEPT(5) Frech, Levy, Ozancin, Prosser, Stracener
   NOOP(2) Baker, Cole

======================================================
Name: CVE-2000-0429
Status: Candidate
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2000-0429
Phase: Proposed (20000615)
Category: SF
Reference: BUGTRAQ:20000427 Alert: Cart32 secret password backdoor (CISADV000427)
Reference: URL:http://marc.theaimsgroup.com/?l=bugtraq&m=95686068203138&w=2
Reference: CONFIRM:http://www.cart32.com/kbshow.asp?article=c048

A backdoor password in Cart32 3.0 and earlier allows remote attackers to execute arbitrary commands.

Current Votes:
   ACCEPT(3) Ozancin, Prosser, Stracener
   MODIFY(2) Frech, Levy
   NOOP(2) Baker, Cole

Voter Comments:
   Levy> Reference: BID 1153
   Frech> XF:cart32-admin-password

======================================================
Name: CVE-2000-0433
Status: Candidate
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2000-0433
Phase: Proposed (20000615)
Category: SF
Reference: SUSE:20000502 aaabase < 2000.5.2
Reference: URL:http://www.novell.com/linux/security/advisories/suse_security_announce_47.html
Reference: XF:aaabase-execute-dot-files

The SuSE aaa_base package installs some system accounts with home directories set to /tmp, which allows local users to gain privileges to those accounts by creating standard user startup scripts such as profiles.

Current Votes:
   ACCEPT(6) Baker, Cole, Frech, Levy, Ozancin, Stracener
   MODIFY(1) Prosser

Voter Comments:
   Prosser> add source: SecurityFocus BID1357 SuSE Linux aaabase User Account with /tmp Home Vulnerability
      http://www.securityfocus.com/bid/1357
   CHANGE> [Levy changed vote from REVIEWING to ACCEPT]

======================================================
Name: CVE-2000-0434
Status: Candidate
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2000-0434
Phase: Proposed (20000615)
Category: CF
Reference: BUGTRAQ:20000516 Allmanage.pl Vulnerabilities
Reference: URL:http://archives.neohapsis.com/archives/bugtraq/2000-05/0167.html
Reference: BID:1217
Reference: URL:http://www.securityfocus.com/bid/1217

The administrative password for the Allmanage web site administration software is stored in plaintext in a file which could be accessed by remote attackers.
Current Votes:
   ACCEPT(3) Levy, Ozancin, Stracener
   MODIFY(1) Frech
   NOOP(3) Cole, LeBlanc, Wall

Voter Comments:
   Frech> XF:http-cgi-allmanage-plaintext-admin

======================================================
Name: CVE-2000-0444
Status: Candidate
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2000-0444
Phase: Proposed (20000615)
Category: SF
Reference: BUGTRAQ:20000524 HP Web JetAdmin Version 6.0 Remote DoS attack Vulnerability
Reference: URL:http://archives.neohapsis.com/archives/bugtraq/2000-05/0277.html
Reference: XF:hp-jetadmin-malformed-url-dos
Reference: BID:1246
Reference: URL:http://www.securityfocus.com/bid/1246

HP Web JetAdmin 6.0 allows remote attackers to cause a denial of service via a malformed URL to port 8000.

Current Votes:
   ACCEPT(4) Frech, Levy, Prosser, Stracener
   NOOP(2) Cole, Wall
   REVIEWING(1) Christey

Voter Comments:
   Christey> ADDREF CONFIRM:http://www.hp.com/cposupport/networking/support_doc/bpj06522.html
   Christey> HP:HPSBUX0006-116 ?
      XF:jetadmin-network-dos
   CHANGE> [Christey changed vote from NOOP to REVIEWING]
   Prosser> Vendor acknowledged in HP Bulletin HPSBUX0006-116 with upgrade info.

======================================================
Name: CVE-2000-0449
Status: Candidate
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2000-0449
Phase: Proposed (20000615)
Category: SF
Reference: BUGTRAQ:20000525 Omnis Weak Encryption - Many products affected
Reference: URL:http://archives.neohapsis.com/archives/bugtraq/2000-05/0311.html
Reference: BID:1255
Reference: URL:http://www.securityfocus.com/bid/1255

Omnis Studio 2.4 uses weak encryption (trivial encoding) for encrypting database fields.

Current Votes:
   ACCEPT(2) Levy, Stracener
   MODIFY(1) Frech
   NOOP(2) Cole, Wall

Voter Comments:
   Frech> XF:omnis-studio-weak-encryption

======================================================
Name: CVE-2000-0450
Status: Candidate
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2000-0450
Phase: Proposed (20000615)
Category: SF
Reference: BUGTRAQ:20000518 FW: Security Notice: Big Brother System and Network Monitor
Reference: URL:http://archives.neohapsis.com/archives/bugtraq/2000-05/0216.html
Reference: BID:1257
Reference: URL:http://www.securityfocus.com/bid/1257

Vulnerability in bbd server in Big Brother System and Network Monitor allows an attacker to execute arbitrary commands.

Current Votes:
   ACCEPT(3) Levy, Ozancin, Stracener
   MODIFY(1) Frech
   NOOP(3) Christey, Cole, Wall
   RECAST(1) LeBlanc

Voter Comments:
   LeBlanc> I have no idea what this one is talking about from the description. I also don't think it involves "Network Monitor", which is a component of Windows NT/Windows 2000. This should be clarified.
   Frech> XF:big-brother-bbd-bo
   Christey> The original advisory, as forwarded to Bugtraq, does not provide any details, so the description is necessarily vague. Also, the home page at http://bb4.com has it referring to itself as "Big Brother System and Network Monitor," so "Network Monitor" is apparently part of the name of the product. Change this description to mention version 1.4g, to distinguish from other Big Brother vulnerabilities.
======================================================
Name: CVE-2000-0473
Status: Candidate
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2000-0473
Phase: Proposed (20000712)
Category: SF
Reference: BUGTRAQ:19991231 Local / Remote GET Buffer Overflow Vulnerability in AnalogX SimpleServer:WWW HTTP Server v1.1
Reference: MISC:http://www.analogx.com/contents/download/network/sswww.htm
Reference: BID:1349
Reference: URL:http://www.securityfocus.com/bid/1349

Buffer overflow in AnalogX SimpleServer 1.05 allows a remote attacker to cause a denial of service via a long GET request for a program in the cgi-bin directory.

Current Votes:
   ACCEPT(1) Levy
   MODIFY(1) Frech
   REVIEWING(1) Christey

Voter Comments:
   Christey> Appears to be the same as, or similar to, CVE-2000-0011, which was also discovered by USSR. Comments on the AnalogX web site are decidedly sparse. In CVE-2000-0011, USSR only claims that the vendor was informed, so is this still the same problem?
      XF:simpleserver-long-url-dos
   Frech> XF:simpleserver-long-url-dos(4693)
      Please review whether your BUGTRAQ:19991231 reference is correct; seems like this is the reference to CVE-2000-0011: Buffer overflow in AnalogX SimpleServer:WWW HTTP server allows remote attackers to execute commands via a long GET request. They are subtle; almost the only thing that changed was the version. A possible reference is "Remote DoS attack in AnalogX SimpleServer WWW Version 1.05 Vulnerability" at http://www.ussrback.com/labs45.html.

======================================================
Name: CVE-2000-0476
Status: Candidate
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2000-0476
Phase: Proposed (20000712)
Category: SF
Reference: BUGTRAQ:20000601 [rootshell.com] Xterm DoS Attack
Reference: URL:http://archives.neohapsis.com/archives/bugtraq/2000-05/0409.html
Reference: URL:http://archives.neohapsis.com/archives/bugtraq/2000-05/0420.html
Reference: BID:1298
Reference: URL:http://www.securityfocus.com/bid/1298

xterm, Eterm, and rxvt allow an attacker to cause a denial of service by embedding certain escape characters which force the window to be resized.

Current Votes:
   ACCEPT(2) Levy, Ozancin
   MODIFY(1) Frech
   NOOP(2) LeBlanc, Wall

Voter Comments:
   Frech> XF:xterm-control-characters-dos(4987)

======================================================
Name: CVE-2000-0479
Status: Candidate
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2000-0479
Phase: Proposed (20000712)
Category: SF
Reference: BUGTRAQ:20000616 Multiples Remotes DoS Attacks in Dragon Server v1.00 and v2.00
Reference: URL:http://marc.theaimsgroup.com/?l=bugtraq&m=96113734714517&w=2
Reference: BID:1352
Reference: URL:http://www.securityfocus.com/bid/1352

Dragon FTP server allows remote attackers to cause a denial of service via a long USER command.

Current Votes:
   ACCEPT(2) Baker, Levy
   MODIFY(1) Frech
   NOOP(1) Christey

Voter Comments:
   Christey> XF:dragon-ftp-dos
   Frech> XF:dragon-ftp-dos(4691)

======================================================
Name: CVE-2000-0480
Status: Candidate
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2000-0480
Phase: Proposed (20000712)
Category: SF
Reference: BUGTRAQ:20000616 Multiples Remotes DoS Attacks in Dragon Server v1.00 and v2.00
Reference: URL:http://marc.theaimsgroup.com/?l=bugtraq&m=96113734714517&w=2
Reference: BID:1352
Reference: URL:http://www.securityfocus.com/bid/1352

Dragon telnet server allows remote attackers to cause a denial of service via a long username.
Current Votes:
   ACCEPT(2) Baker, Levy
   MODIFY(1) Frech
   NOOP(1) Christey

Voter Comments:
   Christey> XF:dragon-telnet-dos
   Frech> XF:dragon-ftp-dos(4691)

======================================================
Name: CVE-2000-0487
Status: Candidate
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2000-0487
Phase: Proposed (20000712)
Category: SF
Reference: MS:MS00-032
Reference: URL:http://www.microsoft.com/technet/security/bulletin/ms00-032.asp
Reference: BID:1295
Reference: URL:http://www.securityfocus.com/bid/1295

The Protected Store in Windows 2000 does not properly select the strongest encryption when available, which causes it to use a default of 40-bit encryption instead of 56-bit DES encryption, aka the "Protected Store Key Length" vulnerability.

Current Votes:
   ACCEPT(3) LeBlanc, Levy, Wall
   MODIFY(1) Frech
   NOOP(1) Ozancin

Voter Comments:
   Frech> XF:ms-protected-store(4589)

======================================================
Name: CVE-2000-0491
Status: Candidate
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2000-0491
Phase: Proposed (20000712)
Category: SF
Reference: BUGTRAQ:20000521 "gdm" remote hole
Reference: URL:http://archives.neohapsis.com/archives/bugtraq/2000-05/0241.html
Reference: SUSE:20000524 Security hole in gdm <= 2.0beta4-25
Reference: URL:http://www.novell.com/linux/security/advisories/suse_security_announce_49.html
Reference: BUGTRAQ:20000607 Conectiva Linux Security Announcement - gdm
Reference: URL:http://archives.neohapsis.com/archives/bugtraq/2000-06/0025.html
Reference: CALDERA:CSSA-2000-013.0
Reference: URL:ftp://ftp.calderasystems.com/pub/OpenLinux/security/CSSA-2000-013.0.txt
Reference: BID:1233
Reference: URL:http://www.securityfocus.com/bid/1233
Reference: BID:1279
Reference: URL:http://www.securityfocus.com/bid/1279
Reference: BID:1370
Reference: URL:http://www.securityfocus.com/bid/1370

Buffer overflow in the XDMCP parsing code of GNOME gdm, KDE kdm, and wdm allows remote attackers to execute arbitrary commands or cause a denial of service via a long FORWARD_QUERY request.

Current Votes:
   MODIFY(2) Frech, Levy
   NOOP(2) LeBlanc, Wall
   REVIEWING(2) Christey, Ozancin

Voter Comments:
   Levy> The BID 1233 vuln is different from the other ones. BID 1233 uses a FORWARD_QUERY request to overflow an in_addr structure via a memmove in daemon/xdmcp.c, gdm_xdmcp_handle_forward_query(). In BID 1370 a buffer is overflowed by a sprintf in xdmcp.c, send_failed().
   Frech> XF:gnome-gdm-bo(4530)
   Christey> MANDRAKE:MDKSA-2001:070
      URL:http://www.linux-mandrake.com/en/security/2001/MDKSA-2001-070.php3
   Christey> BUGTRAQ:20000527 gdm exploit
      URL:http://marc.theaimsgroup.com/?l=bugtraq&m=96017189021021&w=2
      Consider REDHAT:RHSA-2000:027
   Christey> RHSA-2000:027 confirmed via Mark Cox

======================================================
Name: CVE-2000-0492
Status: Candidate
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2000-0492
Phase: Proposed (20000712)
Category: SF
Reference: BUGTRAQ:20000609 Insecure encryption in PassWD v1.2
Reference: URL:http://archives.neohapsis.com/archives/bugtraq/2000-05/0450.html
Reference: BID:1300
Reference: URL:http://www.securityfocus.com/bid/1300

PassWD 1.2 uses weak encryption (trivial encoding) to store passwords, which allows an attacker who can read the password file to easily decrypt the passwords.

Current Votes:
   ACCEPT(1) Levy
   MODIFY(2) Frech, Ozancin
   NOOP(2) LeBlanc, Wall

Voter Comments:
   Ozancin> change "attacker who can read the password" to "attacker to decrypt and read the password"
   Frech> XF:passwd-weak-encryption(4596)

======================================================
Name: CVE-2000-0503
Status: Candidate
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2000-0503
Phase: Proposed (20000712)
Category: SF
Reference: BUGTRAQ:20000606 IE 5 Cross-frame security vulnerability using IFRAME and WebBrowser control
Reference: URL:http://archives.neohapsis.com/archives/win2ksecadvice/2000-q2/0154.html
Reference: BID:1311
Reference: URL:http://www.securityfocus.com/bid/1311

The IFRAME of the WebBrowser control in Internet Explorer 5.01 allows a remote attacker to violate the cross frame security policy via the NavigateComplete2 event.

Current Votes:
   ACCEPT(1) Levy
   MODIFY(2) Frech, Wall
   NOOP(2) LeBlanc, Ozancin
   REVIEWING(1) Christey

Voter Comments:
   Wall> This affects more than IE 5.01. See http://www.securityfocus.com/bid/1311 for all versions of IE that this affects. Works on Windows 98, IE 5.01 and IE 5.5.
   LeBlanc> If this is the one I was discussing offline with Steve, ACCEPT
   Frech> XF:ie-cross-frame(4610)
   Christey> Make sure this is the one I was discussing offline with David :-)
   Frech> CVE-2000-0503 was reassigned to ie-frame-domain-file-access(5504) from ie-cross-frame(4610), which was obsoleted and redirected to this issue. Since these are the same issues but just described differently, CVE-2000-0503 appears to be a dupe of CVE-2000-0768.
======================================================
Name: CVE-2000-0509
Status: Candidate
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2000-0509
Phase: Proposed (20000712)
Category: SF
Reference: BUGTRAQ:20000601 DST2K0008: Buffer Overrun in Sambar Server 4.3
Reference: URL:http://marc.theaimsgroup.com/?l=bugtraq&m=95990103207665&w=2
Reference: BID:1287
Reference: URL:http://www.securityfocus.com/bid/1287

Buffer overflows in the finger and whois demonstration scripts in Sambar Server 4.3 allow remote attackers to execute arbitrary commands via a long hostname.

Current Votes:
   ACCEPT(2) Levy, Ozancin
   MODIFY(1) Frech
   NOOP(2) LeBlanc, Wall

Voter Comments:
   Frech> XF:sambar-dll-bo(4592)

======================================================
Name: CVE-2000-0520
Status: Candidate
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2000-0520
Phase: Proposed (20000712)
Category: SF
Reference: BUGTRAQ:20000630 CONECTIVA LINUX SECURITY ANNOUNCEMENT - dump
Reference: URL:http://marc.theaimsgroup.com/?l=bugtraq&m=96240393814071&w=2
Reference: MISC:http://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=11880
Reference: BID:1330
Reference: URL:http://www.securityfocus.com/bid/1330

Buffer overflow in restore program 0.4b17 and earlier in dump package allows local users to execute arbitrary commands via a long tape name.

Current Votes:
   ACCEPT(2) Levy, Prosser
   MODIFY(1) Frech
   NOOP(4) Christey, LeBlanc, Ozancin, Wall

Voter Comments:
   Christey> ADDREF BUGTRAQ:20000711 MDKSA-2000:018 dump update
      URL:http://archives.neohapsis.com/archives/bugtraq/2000-07/0166.html
   Frech> XF:linux-restore-bo(4647)
   Prosser> Add Sources:
      http://www.linux-mandrake.com/en/updates/2000/MDKSA-2000-018.php3?dis=6.0
      http://www.redhat.com/support/errata/RHSA-2000-100.html

======================================================
Name: CVE-2000-0524
Status: Candidate
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2000-0524
Phase: Proposed (20000712)
Category: SF
Reference: BUGTRAQ:20000604 Microsoft Outlook (Express) bug..
Reference: URL:http://archives.neohapsis.com/archives/bugtraq/2000-06/0045.html
Reference: BID:1333
Reference: URL:http://www.securityfocus.com/bid/1333

Microsoft Outlook and Outlook Express allow remote attackers to cause a denial of service by sending email messages with blank fields such as BCC, Reply-To, Return-Path, or From.

Current Votes:
   MODIFY(3) Frech, LeBlanc, Levy
   NOOP(1) Ozancin
   RECAST(1) Wall

Voter Comments:
   Levy> There were plenty of people that could not reproduce the problem although some did. More research (as in actual testing) is probably required.
   LeBlanc> This entry does not specify which versions of Outlook are vulnerable, nor is that clear from the BUGTRAQ record. It is much too broad to say just "Outlook" when it is definitely not all versions of Outlook. The problem appears confined to some version of Outlook 97, and if I recall correctly, there has been a patch for this for quite some time.
   Frech> XF:outlook-header-dos(4645)
   CHANGE> [Wall changed vote from REVIEWING to RECAST]
   Wall> UNABLE TO DUPLICATE

======================================================
Name: CVE-2000-0526
Status: Candidate
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2000-0526
Phase: Proposed (20000712)
Category: SF
Reference: BUGTRAQ:20000609 Mailstudio2000 CGI Vulnerabilities [S0ftPj.4]
Reference: URL:http://archives.neohapsis.com/archives/bugtraq/2000-06/0081.html
Reference: BID:1335
Reference: URL:http://www.securityfocus.com/bid/1335

mailview.cgi CGI program in MailStudio 2000 2.0 and earlier allows remote attackers to read arbitrary files via a .. (dot dot) attack.

Current Votes:
   ACCEPT(2) Baker, Levy
   MODIFY(1) Frech
   NOOP(4) Christey, LeBlanc, Ozancin, Wall

Voter Comments:
   Christey> ADDREF XF:mailstudio-view-files
   Frech> XF:mailstudio-view-files(4737)

======================================================
Name: CVE-2000-0527
Status: Candidate
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2000-0527
Phase: Proposed (20000712)
Category: SF
Reference: BUGTRAQ:20000609 Mailstudio2000 CGI Vulnerabilities [S0ftPj.4]
Reference: URL:http://archives.neohapsis.com/archives/bugtraq/2000-06/0081.html
Reference: BID:1335
Reference: URL:http://www.securityfocus.com/bid/1335

userreg.cgi CGI program in MailStudio 2000 2.0 and earlier allows remote attackers to execute arbitrary commands via shell metacharacters.
Current Votes: ACCEPT(2) Baker, Levy MODIFY(1) Frech NOOP(4) Christey, LeBlanc, Ozancin, Wall Voter Comments: Christey> Modify description - explicitly mention %0a string; other metachar's are filtered Frech> XF:mailstudio-cgi-input-vaildation(4739) ====================================================== Name: CVE-2000-0531 Status: Candidate URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2000-0531 Phase: Modified (20040818) Category: SF Reference: BUGTRAQ:20000620 Bug in gpm Reference: URL:http://www.securityfocus.com/templates/archive.pike?list=1&msg=Pine.LNX.4.10.10006201453090.1812-200000@apollo.aci.com.pl Reference: REDHAT:RHSA-2000:045 Reference: URL:http://www.redhat.com/support/errata/RHSA-2000-045.html Reference: BUGTRAQ:20000728 MDKSA:2000-025 gpm update Reference: URL:http://archives.neohapsis.com/archives/bugtraq/2000-07/0409.html Reference: BID:1377 Reference: URL:http://www.securityfocus.com/bid/1377 Reference: XF:linux-gpm-gpmctl-dos Reference: URL:http://xforce.iss.net/static/5010.php Linux gpm program allows local users to cause a denial of service by flooding the /dev/gpmctl device with STREAM sockets. Current Votes: ACCEPT(1) Levy MODIFY(1) Frech REVIEWING(1) Christey Voter Comments: Frech> XF:linux-gpm-gpmctl-dos(5010) Christey> ADDREF REDHAT:RHSA-2000:045-01 ADDREF BUGTRAQ:20000728 MDKSA:2000-025 gpm update URL:http://archives.neohapsis.com/archives/bugtraq/2000-07/0409.html CHANGE> [Christey changed vote from NOOP to REVIEWING] Christey> Per Andre Frech's comments for CVE-2000-0667. 
====================================================== Name: CVE-2000-0535 Status: Candidate URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2000-0535 Phase: Proposed (20000712) Category: SF Reference: FREEBSD:FreeBSD-SA-00:25 Reference: URL:http://archives.neohapsis.com/archives/freebsd/2000-06/0083.html Reference: BID:1340 Reference: URL:http://www.securityfocus.com/bid/1340 OpenSSL 0.9.4 and OpenSSH for FreeBSD do not properly check for the existence of the /dev/random or /dev/urandom devices; these devices are absent on FreeBSD Alpha systems, so the programs generate weak keys that may be more easily broken. Current Votes: ACCEPT(2) Levy, Ozancin MODIFY(1) Frech NOOP(2) LeBlanc, Wall REVIEWING(1) Christey Voter Comments: Christey> ADDREF NETBSD http://archives.neohapsis.com/archives/bugtraq/2000-06/0208.html Frech> XF:freebsd-alpha-weak-encryption(4704) Christey> ftp://ftp.netbsd.org/pub/NetBSD/misc/security/advisories/NetBSD-SA2000-007.txt.asc CHANGE> [Christey changed vote from NOOP to REVIEWING] Christey> Should the NetBSD problem really be combined with this? ====================================================== Name: CVE-2000-0543 Status: Candidate URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2000-0543 Phase: Modified (20001010-1) Category: SF Reference: BUGTRAQ:20000614 Remote DoS attack in Networks Associates PGP Certificate Server Version 2.5 Vulnerability Reference: URL:http://archives.neohapsis.com/archives/bugtraq/2000-06/0107.html Reference: BID:1343 Reference: URL:http://www.securityfocus.com/bid/1343 Reference: XF:pgp-cert-server-dos Reference: URL:http://xforce.iss.net/static/4695.php The command port for PGP Certificate Server 2.5.0 and 2.5.1 allows remote attackers to cause a denial of service if their hostname does not have a reverse DNS entry and they connect to port 4000.
Current Votes: ACCEPT(5) Baker, Cole, Collins, Levy, Ozancin MODIFY(1) Frech NOOP(1) Armstrong REVIEWING(1) Christey Voter Comments: Christey> XF:pgp-cert-server-dos Frech> XF:pgp-cert-server-dos(4695) CHANGE> [Armstrong changed vote from REVIEWING to NOOP] CHANGE> [Christey changed vote from NOOP to REVIEWING] Christey> Need to consult Jim Magdych on this one. ====================================================== Name: CVE-2000-0544 Status: Candidate URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2000-0544 Phase: Proposed (20000712) Category: SF Reference: NTBUGTRAQ:20000604 anonymous SMBwriteX DoS Reference: URL:http://archives.neohapsis.com/archives/ntbugtraq/2000-q2/0231.html Reference: BID:1304 Reference: URL:http://www.securityfocus.com/bid/1304 Windows NT and Windows 2000 hosts allow a remote attacker to cause a denial of service via malformed DCE/RPC SMBwriteX requests that contain an invalid data length. Current Votes: ACCEPT(2) LeBlanc, Levy MODIFY(1) Frech NOOP(1) Ozancin REVIEWING(2) Christey, Wall Voter Comments: Frech> XF:nt-smb-request-dos(4600) Christey> Consult with Microsoft to see if this is MS:MS00-066 Christey> ADDREF MS:MS00-066 (confirmed offline with David LeBlanc) Subsequently, add BID:1673 and XF:win2k-rpc-dos(5222) ====================================================== Name: CVE-2000-0545 Status: Candidate URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2000-0545 Phase: Proposed (20000712) Category: SF Reference: BUGTRAQ:20000602 /usr/bin/Mail exploit for Slackware 7.0 (mail-slack.c) Reference: URL:http://archives.neohapsis.com/archives/bugtraq/2000-05/0435.html Reference: DEBIAN:20000605 mailx: mail group exploit in mailx Reference: URL:http://www.debian.org/security/2000/20000605 Reference: BID:1305 Reference: URL:http://www.securityfocus.com/bid/1305 Buffer overflow in mailx mail command (aka Mail) on Linux systems allows local users to gain privileges via a long -c (carbon copy) parameter.
Current Votes: ACCEPT(2) Levy, Ozancin MODIFY(1) Frech NOOP(2) LeBlanc, Wall REVIEWING(1) Christey Voter Comments: Frech> XF:sgi-mailx-bo(1371) CVE-2000-0545 seems to be a dupe of CVE-1999-0125 (Buffer overflow in SGI IRIX mailx program) since they both allow 'mail' group privileges. There was no exploit for SGI's vuln to compare. Christey> Since we are taking a split-by-default approach when there are insufficient details, we should keep this separate from CVE-1999-0125. The difference in the time of discovery is also a factor, even if these wind up being the same problem. However, there just aren't enough details to be sure if this is the same problem or not. Christey> On June 25, 1998, a buffer overflow in mailx via the HOME environmental variable was posted at: BUGTRAQ:19980625 security hole in mailx http://marc.theaimsgroup.com/?l=bugtraq&m=90221103125955&w=2 This affected multiple OSes. SGI:19980605-01-PX (CVE-1999-0125) was published on September 29, 1998; while the advisory is short on details, it does mention a buffer overflow. So, there's enough distinction here (time and what gets exploited) to say that these should remain split; but CVE-1999-0125 likely needs to be RECAST to mention other affected OSes. 
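Worked example for the CVE-2000-0535 entry above. This is an added, constructed model and not OpenSSL's or OpenSSH's code; it does not reproduce their real RNG, only the failure mode: a key generator that never checks whether the entropy device exists and quietly falls back to something predictable, followed by the brute force an attacker can run against the result. The 128-bit key size, the one-second seed granularity, the timestamps and the SHA-256 fingerprint are all assumptions made for the illustration.

```python
import hashlib
import os
import random

# Constructed model of the CVE-2000-0535 failure mode (not OpenSSL/OpenSSH
# code). The affected builds never checked that the entropy device existed;
# on FreeBSD Alpha it did not, and the key material was far weaker than its
# length suggested. Here the "fallback" is a PRNG seeded with a 1-second
# clock, so the key space collapses to the attacker's guess of when the
# key was made.

ENTROPY_DEVICE = "/dev/urandom"  # assumed path of the device the generator needs


def have_entropy_device(path=ENTROPY_DEVICE):
    """The check the affected builds omitted: is the entropy device present?"""
    return os.path.exists(path)


def weak_key_from_seed(seed):
    """Fallback key: 16 bytes drawn from a PRNG seeded with a clock value."""
    rng = random.Random(seed)
    return rng.getrandbits(128).to_bytes(16, "big")


def generate_key(device_present, now):
    """Vulnerable generator: strong key if the device exists, else fallback.

    The secure behaviour is to refuse to generate a key at all when
    device_present is False; this function keeps the bug on purpose so the
    attack below has something to break.
    """
    if device_present:
        return os.urandom(16)
    return weak_key_from_seed(int(now))


def fingerprint(key):
    """Public handle for a key (what the attacker can observe)."""
    return hashlib.sha256(key).hexdigest()


def recover_weak_key(target_fingerprint, approx_time, window_seconds):
    """Attacker: try every seed in a window around the key's creation time."""
    centre = int(approx_time)
    for seed in range(centre - window_seconds, centre + window_seconds + 1):
        candidate = weak_key_from_seed(seed)
        if fingerprint(candidate) == target_fingerprint:
            return candidate
    return None


if __name__ == "__main__":
    created_at = 961891200  # constructed timestamp (June 2000)
    key = generate_key(device_present=False, now=created_at)
    found = recover_weak_key(fingerprint(key), created_at + 37, window_seconds=3600)
    print("weak key recovered:", found == key)
```

With a one-hour window the attacker tries about 7,200 seeds, which is the whole point: once the seed is guessable the nominal key length is irrelevant. The correct fix is the one the FreeBSD advisory implies, which is to fail closed when the entropy source is missing rather than to fall back.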
====================================================== Name: CVE-2000-0546 Status: Candidate URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2000-0546 Phase: Proposed (20000712) Category: SF Reference: BUGTRAQ:20000609 Security Advisory: MULTIPLE DENIAL OF SERVICE VULNERABILITIES IN KRB4 KDC Reference: URL:http://archives.neohapsis.com/archives/bugtraq/2000-06/0064.html Reference: CONFIRM:http://web.mit.edu/kerberos/www/advisories/krb4kdc.txt Reference: CERT:CA-2000-11 Reference: URL:http://www.cert.org/advisories/CA-2000-11.html Reference: CIAC:K-051 Reference: URL:http://ciac.llnl.gov/ciac/bulletins/k-051.shtml Reference: BID:1338 Reference: URL:http://www.securityfocus.com/bid/1338 Buffer overflow in Kerberos 4 KDC program allows remote attackers to cause a denial of service via the lastrealm variable in the set_tgtkey function. Current Votes: ACCEPT(2) Levy, Ozancin MODIFY(2) Cox, Frech NOOP(3) Christey, LeBlanc, Wall Voter Comments: Christey> ADDREF XF:kerberos-lastrealm-bo Frech> XF:kerberos-lastrealm-bo(4656) I question whether BID-1338 is appropriate here. Cox> ADDREF REDHAT:RHSA-2000:031 ====================================================== Name: CVE-2000-0547 Status: Candidate URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2000-0547 Phase: Proposed (20000712) Category: SF Reference: BUGTRAQ:20000609 Security Advisory: MULTIPLE DENIAL OF SERVICE VULNERABILITIES IN KRB4 KDC Reference: URL:http://archives.neohapsis.com/archives/bugtraq/2000-06/0064.html Reference: CONFIRM:http://web.mit.edu/kerberos/www/advisories/krb4kdc.txt Reference: CERT:CA-2000-11 Reference: URL:http://www.cert.org/advisories/CA-2000-11.html Reference: CIAC:K-051 Reference: URL:http://ciac.llnl.gov/ciac/bulletins/k-051.shtml Reference: BID:1338 Reference: URL:http://www.securityfocus.com/bid/1338 Buffer overflow in Kerberos 4 KDC program allows remote attackers to cause a denial of service via the localrealm variable in the process_v4 function. 
Current Votes: ACCEPT(2) Levy, Ozancin MODIFY(2) Cox, Frech NOOP(2) LeBlanc, Wall Voter Comments: Frech> XF:kerberos-localrealm-bo(4657) I question whether BID-1338 is appropriate here. Cox> ADDREF REDHAT:RHSA-2000:031 ====================================================== Name: CVE-2000-0554 Status: Candidate URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2000-0554 Phase: Proposed (20000712) Category: SF Reference: NTBUGTRAQ:20000608 DST2K0010: DoS & Path Revealing Vulnerability in Ceilidh v2.60a Reference: URL:http://archives.neohapsis.com/archives/ntbugtraq/2000-q2/0246.html Reference: BID:1320 Reference: URL:http://www.securityfocus.com/bid/1320 Ceilidh allows remote attackers to obtain the real path of the Ceilidh directory via the translated_path hidden form field. Current Votes: ACCEPT(2) Cole, Levy MODIFY(1) Frech NOOP(4) Christey, LeBlanc, Ozancin, Wall Voter Comments: Christey> ADDREF XF:ceilidh-path-disclosure Frech> XF:ceilidh-path-disclosure(4620) ====================================================== Name: CVE-2000-0559 Status: Candidate URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2000-0559 Phase: Proposed (20000712) Category: SF Reference: BUGTRAQ:20000607 SessionWall-3 Paper + (links to) code Reference: URL:http://www.securityfocus.com/templates/archive.pike?list=1&msg=Pine.BSO.4.21.0006072124320.28062-100000@bearclaw.bogus.net Reference: BID:1341 Reference: URL:http://www.securityfocus.com/bid/1341 eTrust Intrusion Detection System (formerly SessionWall-3) uses weak encryption (XOR) to store administrative passwords in the registry, which allows local users to easily decrypt the passwords. 
Current Votes: ACCEPT(2) Levy, Ozancin MODIFY(1) Frech NOOP(2) LeBlanc, Wall Voter Comments: Frech> XF:etrust-weak-password-encryption(5051) ====================================================== Name: CVE-2000-0562 Status: Candidate URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2000-0562 Phase: Proposed (20000712) Category: SF Reference: BUGTRAQ:20000620 BlackICE by Network ICE Corp vulnerability against Back Orifice 1.2 Reference: URL:http://archives.neohapsis.com/archives/bugtraq/2000-06/0190.html BlackIce Defender 2.1 and earlier, and BlackIce Pro 2.0.23 and earlier, do not properly block Back Orifice traffic when the security setting is Nervous or lower. Current Votes: ACCEPT(3) Armstrong, Cole, Levy MODIFY(2) Baker, Frech NOOP(1) Ozancin REVIEWING(1) Christey Voter Comments: Levy> What do others think? Should this be a vuln? I can see the argument that some features are simply not available unless you use the maximum security settings. Christey> At the very least, this needs to be modified to state that this problem/concern applies to high ports in general, not just Back orifice. The Bugtraq poster claims that BlackICE "shuts down" the port, but only *after* some initial traffic "leaks" out. This may be by design, but it does mean that there is a small window of opportunity in which BlackICE may not work "as advertised," even at lower security settings. Christey> XF:blackice-security-level-nervous BID:1389 Frech> XF:blackice-security-level-nervous(4777) CHANGE> [Levy changed vote from REVIEWING to ACCEPT] CHANGE> [Christey changed vote from NOOP to REVIEWING] Baker> I accept it more as a security exposure, than a real vulnerability. It performs just as any other "firewall" or IDS product can be configured to allow traffic without notifying the user. You can adjust settings on any product that allow traffic that other people or organizations would find unacceptable. 
So, as long as it is reflected that this is more of a configuration that allows such traffic as opposed to a defective or improperly functioning software issue, I don't have a problem with it. ====================================================== Name: CVE-2000-0563 Status: Candidate URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2000-0563 Phase: Proposed (20000712) Category: SF Reference: BUGTRAQ:20000609 Security Holes Found in URLConnection of MRJ and IE of Mac OS (was Re: Reappearance of an old IE security bug) Reference: URL:http://archives.neohapsis.com/archives/bugtraq/2000-06/0056.html Reference: BUGTRAQ:20000513 Re: Reappearance of an old IE security bug Reference: URL:http://www.securityfocus.com/templates/archive.pike?list=1&date=2000-05-8&msg=391C95DE2DA.5E3BTAKAGI@java-house.etl.go.jp Reference: BID:1336 Reference: URL:http://www.securityfocus.com/bid/1336 The URLConnection function in MacOS Runtime Java (MRJ) 2.1 and earlier and the Microsoft virtual machine (VM) for MacOS allows a malicious web site operator to connect to arbitrary hosts using a HTTP redirection, in violation of the Java security model. Current Votes: ACCEPT(2) Levy, Ozancin MODIFY(1) Frech NOOP(2) Christey, Wall REVIEWING(1) LeBlanc Voter Comments: Christey> Confirmed by Scott Culp, but this only applies to outdated/unsupported versions of the JVM. Frech> XF:macos-java-security-ignored(5052) Christey> Consult with Microsoft to ensure that this is fixed by MS:MS00-059. If so, then this might not just be in MacOS. 
====================================================== Name: CVE-2000-0564 Status: Candidate URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2000-0564 Phase: Proposed (20000712) Category: SF Reference: NTBUGTRAQ:20000529 ICQ Web Front Remote DoS Attack Vulnerability Reference: URL:http://archives.neohapsis.com/archives/ntbugtraq/2000-q2/0218.html The guestbook CGI program in ICQ Web Front service for ICQ 2000a, 99b, and others allows remote attackers to cause a denial of service via a URL with a long name parameter. Current Votes: ACCEPT(2) Baker, Levy MODIFY(1) Frech NOOP(5) Christey, Cole, LeBlanc, Ozancin, Wall Voter Comments: Christey> ADDREF BID:1463 URL:http://www.securityfocus.com/bid/1463 Frech> XF:icq-webfront-guestbook-dos(4574) ====================================================== Name: CVE-2000-0572 Status: Candidate URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2000-0572 Phase: Proposed (20000719) Category: SF Reference: BUGTRAQ:20000704 Recovering Passwords in Visible Systems' Razor Reference: URL:http://www.securityfocus.com/templates/archive.pike?list=1&date=2000-07-8&msg=613309F30B6DD2118C020000F809376C05CABD49@emss03m09.orl.lmco.com Reference: BID:1424 Reference: URL:http://www.securityfocus.com/bid/1424 The Razor configuration management tool uses weak encryption for its password file, which allows local users to gain privileges. 
Current Votes: ACCEPT(2) Baker, Levy MODIFY(1) Frech NOOP(4) Cole, LeBlanc, Magdych, Wall Voter Comments: Frech> XF:razor-weak-encryption(4875) CHANGE> [Magdych changed vote from REVIEWING to NOOP] ====================================================== Name: CVE-2000-0574 Status: Candidate URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2000-0574 Phase: Proposed (20000719) Category: SF Reference: BUGTRAQ:20000705 proftp advisory Reference: URL:http://archives.neohapsis.com/archives/bugtraq/2000-07/0031.html Reference: BUGTRAQ:20000706 ftpd and setproctitle() Reference: URL:http://archives.neohapsis.com/archives/bugtraq/2000-07/0061.html Reference: CERT:CA-2000-13 Reference: URL:http://www.cert.org/advisories/CA-2000-13.html Reference: BUGTRAQ:20000710 opieftpd setproctitle() patches Reference: URL:http://archives.neohapsis.com/archives/bugtraq/2000-07/0121.html Reference: NETBSD:NetBSD-SA2000-009 Reference: URL:ftp://ftp.NetBSD.ORG/pub/NetBSD/misc/security/advisories/NetBSD-SA2000-009.txt.asc Reference: BID:1425 Reference: URL:http://www.securityfocus.com/bid/1425 Reference: BID:1438 Reference: URL:http://www.securityfocus.com/bid/1438 FTP servers such as OpenBSD ftpd, NetBSD ftpd, ProFTPd and Opieftpd do not properly cleanse untrusted format strings that are used in the setproctitle function (sometimes called by set_proc_title), which allows remote attackers to cause a denial of service or execute arbitrary commands. Current Votes: ACCEPT(3) Cole, Levy, Magdych MODIFY(1) Frech NOOP(2) LeBlanc, Wall REVIEWING(1) Christey Voter Comments: Christey> CD:SF-CODEBASE applies here. There are many ftpd's that have this setproctitle() problem, but it might be traced back to the same codebase. See if the HP problem is the same here as well, and if so, ADDREF HP:HPSBUX0007-117 URL:http://www.securityfocus.com/templates/advisory.html?id=2404 Frech> XF:ftp-setproctitle-format-string(4908) BID:1438 does not exist. Christey> ADDREF HP:HPSBUX0007-117??
http://archives.neohapsis.com/archives/hp/2000-q4/0020.html Christey> ADDREF BID:650 ? ====================================================== Name: CVE-2000-0578 Status: Candidate URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2000-0578 Phase: Proposed (20000719) Category: SF Reference: BUGTRAQ:20000621 Predictability Problems in IRIX Cron and Compilers Reference: URL:http://archives.neohapsis.com/archives/bugtraq/2000-06/0204.html Reference: BID:1412 Reference: URL:http://www.securityfocus.com/bid/1412 SGI MIPSPro compilers C, C++, F77 and F90 generate temporary files in /tmp with predictable file names, which could allow local users to insert malicious contents into these files as they are being compiled by another user. Current Votes: ACCEPT(4) Baker, Blake, Cole, Levy MODIFY(1) Frech NOOP(7) Armstrong, Christey, LeBlanc, Magdych, Oliver, Ozancin, Wall Voter Comments: Frech> XF:sgi-mipspro-modify-files(5007) CHANGE> [Cole changed vote from NOOP to ACCEPT] CHANGE> [Magdych changed vote from REVIEWING to NOOP] Christey> SGI:20030605-01-A URL:ftp://patches.sgi.com/support/free/security/advisories/20030605-01-A ====================================================== Name: CVE-2000-0580 Status: Candidate URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2000-0580 Phase: Proposed (20000719) Category: SF Reference: BUGTRAQ:20000630 SecureXpert Advisory [SX-20000620-2] Reference: URL:http://www.securityfocus.com/templates/archive.pike?list=1&msg=Pine.LNX.3.96.1000630161935.4619B-100000@fjord.fscinternet.com Reference: XF:win2k-cpu-overload-dos Reference: BID:1415 Reference: URL:http://www.securityfocus.com/bid/1415 Windows 2000 Server allows remote attackers to cause a denial of service by sending a continuous stream of binary zeros to various TCP and UDP ports, which significantly increases the CPU utilization. Current Votes: ACCEPT(3) Cole, Frech, Levy REJECT(2) LeBlanc, Magdych REVIEWING(1) Wall Voter Comments: LeBlanc> Insufficient data. 
Most of their claims are not reproducible. You can, however, DoS the telnet server this way. As far as I know, there is no repro on any of the other ports. I am not sure of fix status at this time (7/19/00). Also overlaps with CVE-2000-0581 CHANGE> [Magdych changed vote from REVIEWING to REJECT] Magdych> The only independent verification of these claims I have heard is for the Telnet denial of service, which is already defined in CVE candidate CVE-2000-0581. Frech> Replace win2k-cpu-overload-dos(4824) with win2k-telnetserver-dos(4823) ====================================================== Name: CVE-2000-0589 Status: Candidate URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2000-0589 Phase: Proposed (20000719) Category: SF Reference: BUGTRAQ:20000626 sawmill5.0.21 old path bug & weak hash algorithm Reference: URL:http://archives.neohapsis.com/archives/bugtraq/2000-06/0271.html Reference: BUGTRAQ:20000706 Patch for Flowerfire Sawmill Vulnerabilities Available Reference: URL:http://archives.neohapsis.com/archives/bugtraq/2000-07/0080.html Reference: BID:1403 Reference: URL:http://www.securityfocus.com/bid/1403 Reference: XF:sawmill-weak-encryption SawMill 5.0.21 uses weak encryption to store passwords, which allows attackers to easily decrypt the password and modify the SawMill configuration. 
Current Votes: ACCEPT(3) Frech, Levy, Magdych NOOP(3) Cole, LeBlanc, Wall Voter Comments: CHANGE> [Magdych changed vote from REVIEWING to ACCEPT] ====================================================== Name: CVE-2000-0592 Status: Candidate URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2000-0592 Phase: Proposed (20000719) Category: SF Reference: BUGTRAQ:20000627 [SPSadvisory #37]WinProxy 2.0.0/2.0.1 DoS and Exploitable Buffer Overflow Reference: URL:http://www.securityfocus.com/templates/archive.pike?list=1&msg=200006271417.GFE84146.-BJXON@lac.co.jp Reference: XF:winproxy-command-bo Reference: BID:1400 Reference: URL:http://www.securityfocus.com/bid/1400 Buffer overflows in POP3 service in WinProxy 2.0 and 2.0.1 allow remote attackers to execute arbitrary commands via long USER, PASS, LIST, RETR, or DELE commands. Current Votes: ACCEPT(4) Cole, Frech, Levy, Magdych NOOP(1) LeBlanc REVIEWING(1) Wall ====================================================== Name: CVE-2000-0605 Status: Candidate URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2000-0605 Phase: Proposed (20000719) Category: unknown Reference: NTBUGTRAQ:20000710 Two issues: Blackboard CourseInfo 4.0 stores admin password in clear text; strange settings on the winreg key. Reference: URL:http://www.ntbugtraq.com/default.asp?pid=36&sid=1&A2=ind0007&L=NTBUGTRAQ&P=R1647 Reference: BID:1460 Reference: URL:http://www.securityfocus.com/bid/1460 Blackboard CourseInfo 4.0 stores the local and SQL administrator user names and passwords in cleartext in a registry key whose access control allows users to access the passwords. 
Current Votes: ACCEPT(2) Baker, Levy MODIFY(1) Frech NOOP(4) Christey, Cole, LeBlanc, Magdych REVIEWING(1) Wall Voter Comments: Christey> ADDREF NTBUGTRAQ:20000718 Security Fix for Blackboard CourseInfo 4.0 URL:http://archives.neohapsis.com/archives/ntbugtraq/2000-q3/0040.html Frech> XF:blackboard-courseinfo-plaintext(4904) Christey> Vendor acknowledgement is at: BUGTRAQ:20000719 Security Fix for Blackboard CourseInfo 4.0 URL:http://www.securityfocus.com/frames/?content=/templates/archive.pike%3Flist%3D1%26msg%3D20000719151904.I17986@securityfocus.com CHANGE> [Magdych changed vote from REVIEWING to NOOP] ====================================================== Name: CVE-2000-0606 Status: Candidate URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2000-0606 Phase: Proposed (20000719) Category: SF Reference: BUGTRAQ:20000619 Problems with "kon2" package Reference: URL:http://www.securityfocus.com/templates/archive.pike?list=1&msg=Pine.LNX.4.21.0006192340340.19998-100000@ferret.lmh.ox.ac.uk Reference: XF:linux-kon-bo Reference: BID:1371 Reference: URL:http://www.securityfocus.com/bid/1371 Buffer overflow in kon program in Kanji on Console (KON) package on Linux may allow local users to gain root privileges via a long -StartupMessage parameter. 
Current Votes: ACCEPT(3) Baker, Frech, Levy NOOP(4) Cole, LeBlanc, Magdych, Wall Voter Comments: CHANGE> [Magdych changed vote from REVIEWING to NOOP] ====================================================== Name: CVE-2000-0607 Status: Candidate URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2000-0607 Phase: Proposed (20000719) Category: SF Reference: BUGTRAQ:20000619 Problems with "kon2" package Reference: URL:http://www.securityfocus.com/templates/archive.pike?list=1&msg=Pine.LNX.4.21.0006192340340.19998-100000@ferret.lmh.ox.ac.uk Reference: XF:linux-kon-bo Reference: BID:1371 Reference: URL:http://www.securityfocus.com/bid/1371 Buffer overflow in fld program in Kanji on Console (KON) package on Linux may allow local users to gain root privileges via an input file containing long CHARSET_REGISTRY or CHARSET_ENCODING settings. Current Votes: ACCEPT(3) Baker, Frech, Levy NOOP(5) Christey, Cole, LeBlanc, Magdych, Wall Voter Comments: Christey> BID:1983 URL:http://www.securityfocus.com/bid/1983 CHANGE> [Magdych changed vote from REVIEWING to NOOP] ====================================================== Name: CVE-2000-0608 Status: Candidate URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2000-0608 Phase: Proposed (20000719) Category: SF Reference: BUGTRAQ:20000620 NetWin dMailWeb Denial of Service Reference: URL:http://www.securityfocus.com/templates/archive.pike?list=1&date=2000-06-15&msg=4.1.20000621113334.00996820@qlink.queensu.ca Reference: BID:1376 Reference: URL:http://www.securityfocus.com/bid/1376 Reference: XF:dmailweb-long-pophost-dos NetWin dMailWeb and cwMail 2.6i and earlier allows remote attackers to cause a denial of service via a long POP parameter (pophost). 
Current Votes: ACCEPT(3) Frech, Levy, Magdych NOOP(3) Cole, LeBlanc, Wall ====================================================== Name: CVE-2000-0609 Status: Candidate URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2000-0609 Phase: Proposed (20000719) Category: SF Reference: BUGTRAQ:20000620 NetWin dMailWeb Denial of Service Reference: URL:http://www.securityfocus.com/templates/archive.pike?list=1&date=2000-06-15&msg=4.1.20000621113334.00996820@qlink.queensu.ca Reference: XF:dmailweb-long-username-dos Reference: BID:1376 Reference: URL:http://www.securityfocus.com/bid/1376 NetWin dMailWeb and cwMail 2.6g and earlier allows remote attackers to cause a denial of service via a long username parameter. Current Votes: ACCEPT(3) Frech, Levy, Magdych NOOP(3) Cole, LeBlanc, Wall ====================================================== Name: CVE-2000-0612 Status: Candidate URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2000-0612 Phase: Proposed (20000719) Category: SF Reference: BUGTRAQ:20000629 Buggy ARP handling in Windoze Reference: URL:http://www.securityfocus.com/templates/archive.pike?list=1&msg=395B7E64.9FB3D4DB@starzetz.de Reference: XF:win-arp-spoofing Reference: BID:1406 Reference: URL:http://www.securityfocus.com/bid/1406 Windows 95 and Windows 98 do not properly process spoofed ARP packets, which allows remote attackers to overwrite static entries in the cache table. Current Votes: ACCEPT(4) Cole, Frech, LeBlanc, Levy NOOP(2) Magdych, Wall REVIEWING(1) Christey Voter Comments: LeBlanc> I know we have a repro on this, but you may want to leave this in the REVIEWING state until a fix is released. 
CHANGE> [Magdych changed vote from REVIEWING to NOOP] ====================================================== Name: CVE-2000-0614 Status: Candidate URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2000-0614 Phase: Proposed (20000719) Category: SF Reference: SUSE:20000710 Security Hole in tnef < 0-124 Reference: URL:http://archives.neohapsis.com/archives/vendor/2000-q3/0002.html Reference: BID:1450 Reference: URL:http://www.securityfocus.com/bid/1450 Tnef program in Linux systems allows remote attackers to overwrite arbitrary files via TNEF encoded compressed attachments which specify absolute path names for the decompressed output. Current Votes: ACCEPT(1) Levy MODIFY(1) Frech NOOP(4) Cole, LeBlanc, Magdych, Wall REVIEWING(1) Christey Voter Comments: Christey> This problem appears in AMaViS as well, so they may be the same codebase. If so, then CD:SF-CODEBASE says to merge the two (thus ADDREF BID:1461). If they are not the same codebase, then create a separate candidate for BID:1461. Frech> XF:linux-tnef-email-overwrite(4915) CHANGE> [Magdych changed vote from REVIEWING to NOOP] ====================================================== Name: CVE-2000-0617 Status: Candidate URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2000-0617 Phase: Proposed (20000719) Category: SF Reference: BUGTRAQ:20000622 RHL 6.2 xconq package - overflows yield gid games Reference: URL:http://archives.neohapsis.com/archives/bugtraq/2000-06/0222.html Buffer overflow in xconq and cconq game programs on Red Hat Linux allows local users to gain additional privileges via a long USER environment variable.
Current Votes: ACCEPT(2) Cole, Levy MODIFY(1) Frech NOOP(4) Christey, LeBlanc, Magdych, Wall Voter Comments: Frech> XF:xconq-elevate-privileges(4995) Christey> ADDREF BID:1495 ADDREF URL:http://www.securityfocus.com/bid/1495 CHANGE> [Levy changed vote from REVIEWING to ACCEPT] CHANGE> [Magdych changed vote from REVIEWING to NOOP] ====================================================== Name: CVE-2000-0618 Status: Candidate URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2000-0618 Phase: Proposed (20000719) Category: SF Reference: BUGTRAQ:20000622 RHL 6.2 xconq package - overflows yield gid games Reference: URL:http://archives.neohapsis.com/archives/bugtraq/2000-06/0222.html Buffer overflow in xconq and cconq game programs on Red Hat Linux allows local users to gain additional privileges via a long DISPLAY environment variable. Current Votes: ACCEPT(2) Cole, Levy MODIFY(1) Frech NOOP(4) Christey, LeBlanc, Magdych, Wall Voter Comments: Frech> XF:xconq-elevate-privileges(4995) Christey> ADDREF BID:1495 ADDREF URL:http://www.securityfocus.com/bid/1495 CHANGE> [Levy changed vote from REVIEWING to ACCEPT] CHANGE> [Magdych changed vote from REVIEWING to NOOP] ====================================================== Name: CVE-2000-0623 Status: Candidate URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2000-0623 Phase: Proposed (20000803) Category: SF Reference: NTBUGTRAQ:20000719 Alert: Buffer Overrun is O'Reilly WebsitePro httpd32.exe (CISADV000717) Reference: URL:http://www.ntbugtraq.com/default.asp?pid=36&sid=1&A2=ind0007&L=ntbugtraq&F=&S=&P=5946 Reference: BID:1492 Reference: URL:http://www.securityfocus.com/bid/1492 Buffer overflow in O'Reilly WebSite Professional web server 2.4 and earlier allows remote attackers to execute arbitrary commands via a long GET request or Referrer header.
Current Votes: ACCEPT(2) Cole, Levy MODIFY(1) Frech NOOP(1) LeBlanc REVIEWING(1) Wall Voter Comments: Frech> XF:website-httpd32-bo(4970) In the description, I think it's spelled "referer" ====================================================== Name: CVE-2000-0625 Status: Candidate URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2000-0625 Phase: Proposed (20000803) Category: SF Reference: L0PHT:20000718 NetZero Password Encryption Algorithm Reference: URL:http://www.l0pht.com/advisories/netzero.txt Reference: BID:1483 Reference: URL:http://www.securityfocus.com/bid/1483 NetZero 3.0 and earlier uses weak encryption for storing a user's login information, which allows a local user to decrypt the password. Current Votes: ACCEPT(2) Cole, Levy MODIFY(1) Frech NOOP(2) LeBlanc, Wall Voter Comments: Frech> XF:zeroport-weak-encryption(4963) ====================================================== Name: CVE-2000-0626 Status: Candidate URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2000-0626 Phase: Proposed (20000803) Category: SF Reference: BUGTRAQ:20000718 Multiple bugs in Alibaba 2.0 Reference: URL:http://archives.neohapsis.com/archives/bugtraq/2000-07/0237.html Reference: BID:1482 Reference: URL:http://www.securityfocus.com/bid/1482 Buffer overflow in Alibaba web server allows remote attackers to cause a denial of service via a long GET request. Current Votes: ACCEPT(4) Baker, Blake, Levy, Wall MODIFY(1) Frech NOOP(5) Armstrong, Cole, LeBlanc, Oliver, Ozancin REVIEWING(1) Christey Voter Comments: Frech> XF:alibaba-get-dos(4934) Christey> This is in a relatively old Nessus plugin, though the exploit uses POST instead of GET. This was probably discovered earlier than the references indicate. 
CHANGE> [Wall changed vote from NOOP to ACCEPT] Wall> Found by Arne Vidstrom and found in multiple sources CHANGE> [Christey changed vote from NOOP to REVIEWING] Christey> See the POST comment in http://marc.theaimsgroup.com/?l=bugtraq&m=94182951012884&w=2 Also see http://marc.theaimsgroup.com/?l=bugtraq&m=94191318721834&w=2 One poster says that a large number of sites are running Alibaba (based on a netcraft report), but I'm not 100% sure Netcraft's doing a good job of identifying Alibaba servers. ====================================================== Name: CVE-2000-0629 Status: Candidate URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2000-0629 Phase: Proposed (20000803) Category: CF Reference: BUGTRAQ:20000711 Sun's Java Web Server remote command execution vulnerability Reference: URL:http://archives.neohapsis.com/archives/bugtraq/2000-07/0163.html Reference: MISC:http://www.sun.com/software/jwebserver/faq/jwsca-2000-02.html Reference: BID:1459 Reference: URL:http://www.securityfocus.com/bid/1459 The default configuration of the Sun Java web server 2.0 and earlier allows remote attackers to execute arbitrary commands by uploading Java code to the server via board.html, then directly calling the JSP compiler servlet. Current Votes: ACCEPT(3) Cole, Dik, Levy MODIFY(1) Frech NOOP(3) Christey, LeBlanc, Wall Voter Comments: Frech> XF:sunjava-webadmin-bbs(5135) Christey> Need to create/update Dik> (through internal confirmation) ====================================================== Name: CVE-2000-0645 Status: Candidate URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2000-0645 Phase: Proposed (20000803) Category: SF Reference: BUGTRAQ:20000721 WFTPD/WFTPD Pro 2.41 RC11 vulnerabilities. 
Reference: URL:http://archives.neohapsis.com/archives/bugtraq/2000-07/0295.html Reference: BID:1506 Reference: URL:http://www.securityfocus.com/bid/1506 WFTPD and WFTPD Pro 2.41 allows remote attackers to cause a denial of service by using the RESTART (REST) command and writing beyond the end of a file, or writing to a file that does not exist, via commands such as STORE UNIQUE (STOU), STORE (STOR), or APPEND (APPE). Current Votes: ACCEPT(2) Baker, Levy MODIFY(1) Frech NOOP(3) Cole, LeBlanc, Wall Voter Comments: Frech> XF:wftpd-rest-dos(5004) ====================================================== Name: CVE-2000-0646 Status: Candidate URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2000-0646 Phase: Proposed (20000803) Category: SF Reference: BUGTRAQ:20000721 WFTPD/WFTPD Pro 2.41 RC11 vulnerabilities. Reference: URL:http://archives.neohapsis.com/archives/bugtraq/2000-07/0295.html Reference: BID:1506 Reference: URL:http://www.securityfocus.com/bid/1506 WFTPD and WFTPD Pro 2.41 allows remote attackers to obtain the real pathname for a file by executing a STATUS (STAT) command while the file is being transferred. Current Votes: ACCEPT(2) Baker, Levy MODIFY(1) Frech NOOP(3) Cole, LeBlanc, Wall Voter Comments: Frech> XF:wftpd-stat-info(5005) ====================================================== Name: CVE-2000-0647 Status: Candidate URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2000-0647 Phase: Proposed (20000803) Category: SF Reference: BUGTRAQ:20000721 WFTPD/WFTPD Pro 2.41 RC11 vulnerabilities. Reference: URL:http://archives.neohapsis.com/archives/bugtraq/2000-07/0295.html Reference: BID:1506 Reference: URL:http://www.securityfocus.com/bid/1506 WFTPD and WFTPD Pro 2.41 allows remote attackers to cause a denial of service by executing an MLST command before logging into the server. 
Current Votes: ACCEPT(2) Baker, Levy MODIFY(1) Frech NOOP(3) Cole, LeBlanc, Wall Voter Comments: Frech> XF:wftpd-mlst-dos(5006) ====================================================== Name: CVE-2000-0648 Status: Candidate URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2000-0648 Phase: Proposed (20000803) Category: SF Reference: BUGTRAQ:20000711 WFTPD/WFTPD Pro 2.41 RC10 denial-of-service Reference: URL:http://www.securityfocus.com/templates/archive.pike?list=1&msg=E13BvU6-0007d8-00@dwarf.box.sk Reference: BID:1456 Reference: URL:http://www.securityfocus.com/bid/1456 WFTPD and WFTPD Pro 2.41 allows local users to cause a denial of service by executing the RENAME TO (RNTO) command before a RENAME FROM (RNFR) command. Current Votes: ACCEPT(2) Baker, Levy MODIFY(1) Frech NOOP(2) Cole, LeBlanc REVIEWING(1) Wall Voter Comments: Frech> XF:wftpd-rnto-dos(4930) ====================================================== Name: CVE-2000-0649 Status: Candidate URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2000-0649 Phase: Proposed (20000803) Category: SF Reference: NTBUGTRAQ:20000713 IIS4 Basic authentication realm issue Reference: URL:http://archives.neohapsis.com/archives/ntbugtraq/2000-q3/0025.html Reference: BID:1499 Reference: URL:http://www.securityfocus.com/bid/1499 IIS 4.0 allows remote attackers to obtain the internal IP address of the server via an HTTP 1.0 request for a web page which is protected by basic authentication and has no realm defined. Current Votes: ACCEPT(2) LeBlanc, Levy MODIFY(1) Frech NOOP(1) Cole REVIEWING(2) Christey, Wall Voter Comments: Christey> ADDREF http://support.microsoft.com/support/kb/articles/Q218/1/80.ASP Change description to point out that the internal IP address exposure is due to the default configuration as opposed to a bug. Frech> XF:iis-internal-ip-disclosure(5106) CHANGE> [Christey changed vote from NOOP to REVIEWING] Christey> There are two variants of the same type of issue here. 
The KB article shows that IIS 4.0 reveals the IP address in a Content-Location MIME header field. The NTBugtraq article says that the IP address is shown in the WWW-Authenticate MIME header. Which one has been fixed, or both, and when? Christey> MSKB:Q218180 identifies a problem in which IIS returns the info in a Content-Location header, but the authentication realm problem is not specifically mentioned. Are these the same problem? ====================================================== Name: CVE-2000-0653 Status: Candidate URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2000-0653 Phase: Proposed (20000803) Category: SF Reference: MS:MS00-045 Reference: URL:http://www.microsoft.com/technet/security/bulletin/MS00-045.asp Reference: BID:1502 Reference: URL:http://www.securityfocus.com/bid/1502 Microsoft Outlook Express allows remote attackers to monitor a user's email by creating a persistent browser link to the Outlook Express windows, aka the "Persistent Mail-Browser Link" vulnerability. Current Votes: ACCEPT(3) Cole, Levy, Wall NOOP(1) LeBlanc REJECT(1) Frech REVIEWING(1) Christey Voter Comments: Frech> Is this a duplicate of CVE-2000-0105? I can find no differentiating evidence to show that this issue is unique. Christey> I need to look through my email logs to recall whether I resolved this potential duplicate with Microsoft people. 
CHANGE> [Frech changed vote from REVIEWING to REJECT] ====================================================== Name: CVE-2000-0656 Status: Candidate URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2000-0656 Phase: Proposed (20000803) Category: SF Reference: BUGTRAQ:20000724 AnalogX Proxy DoS Reference: URL:http://archives.neohapsis.com/archives/bugtraq/2000-07/0360.html Reference: CONFIRM:http://www.analogx.com/contents/download/network/proxy.htm Reference: BID:1504 Reference: URL:http://www.securityfocus.com/bid/1504 Buffer overflow in AnalogX proxy server 4.04 and earlier allows remote attackers to cause a denial of service via a long USER command in the FTP protocol. Current Votes: ACCEPT(1) Levy MODIFY(1) Frech NOOP(3) Cole, LeBlanc, Wall Voter Comments: Frech> XF:analogx-proxy-ftp-crash(4981) ====================================================== Name: CVE-2000-0657 Status: Candidate URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2000-0657 Phase: Proposed (20000803) Category: SF Reference: BUGTRAQ:20000724 AnalogX Proxy DoS Reference: URL:http://archives.neohapsis.com/archives/bugtraq/2000-07/0360.html Reference: CONFIRM:http://www.analogx.com/contents/download/network/proxy.htm Reference: BID:1504 Reference: URL:http://www.securityfocus.com/bid/1504 Buffer overflow in AnalogX proxy server 4.04 and earlier allows remote attackers to cause a denial of service via a long HELO command in the SMTP protocol. 
Current Votes: ACCEPT(1) Levy MODIFY(1) Frech NOOP(3) Cole, LeBlanc, Wall Voter Comments: Frech> XF:analogx-proxy-smtp-helo(5164) ====================================================== Name: CVE-2000-0658 Status: Candidate URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2000-0658 Phase: Proposed (20000803) Category: SF Reference: BUGTRAQ:20000724 AnalogX Proxy DoS Reference: URL:http://archives.neohapsis.com/archives/bugtraq/2000-07/0360.html Reference: CONFIRM:http://www.analogx.com/contents/download/network/proxy.htm Reference: BID:1504 Reference: URL:http://www.securityfocus.com/bid/1504 Buffer overflow in AnalogX proxy server 4.04 and earlier allows remote attackers to cause a denial of service via a long USER command in the POP3 protocol. Current Votes: ACCEPT(1) Levy MODIFY(1) Frech NOOP(3) Cole, LeBlanc, Wall Voter Comments: Frech> XF:analogx-proxy-pop3-crash(4982) ====================================================== Name: CVE-2000-0659 Status: Candidate URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2000-0659 Phase: Proposed (20000803) Category: SF Reference: BUGTRAQ:20000724 AnalogX Proxy DoS Reference: URL:http://archives.neohapsis.com/archives/bugtraq/2000-07/0360.html Reference: BID:1504 Reference: URL:http://www.securityfocus.com/bid/1504 Buffer overflow in AnalogX proxy server 4.04 and earlier allows remote attackers to cause a denial of service via a long user ID in a SOCKS4 CONNECT request. 
Current Votes: ACCEPT(2) Baker, Levy MODIFY(1) Frech NOOP(3) Cole, LeBlanc, Wall Voter Comments: Frech> XF:analogx-proxy-socks4-crash(4997) ====================================================== Name: CVE-2000-0667 Status: Candidate URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2000-0667 Phase: Proposed (20000803) Category: SF Reference: CALDERA:CSSA-2000-024.0 Reference: URL:http://archives.neohapsis.com/archives/bugtraq/2000-07/0273.html Reference: BID:1512 Reference: URL:http://www.securityfocus.com/bid/1512 Vulnerability in gpm in Caldera Linux allows local users to delete arbitrary files or conduct a denial of service. Current Votes: ACCEPT(1) Levy MODIFY(1) Frech NOOP(3) Cole, LeBlanc, Wall REVIEWING(1) Christey Voter Comments: Frech> XF:linux-gpm-gpmctl-dos(5010) We show this issue to be cross-Linux-platform and not Caldera specific. May also be a LOA issue or duplicate or specific instance of CVE-2000-0531. This position is further validated by BID-1512 and BID-1377, which lists this as a Conectiva Linux/Mandrake issue and list Mandrake:MDKSA-2000:025 in common. We will list both CVEs under the listed XF tag unless otherwise instructed. Christey> ADDREF Conectiva? URL:http://archives.neohapsis.com/archives/bugtraq/2000-07/0396.html Christey> ADDREF REDHAT:RHSA-2000:045-01 ADDREF BUGTRAQ:20000727 CONECTIVA LINUX SECURITY ANNOUNCEMENT - GPM URL:http://marc.theaimsgroup.com/?l=bugtraq&m=96473014104340&w=2 Another possible reference is: BUGTRAQ:20000728 MDKSA:2000-025 gpm update URL:http://marc.theaimsgroup.com/?l=bugtraq&m=96480812908563&w=2 although the advisory is not explicit. It also refers to CVE-2000-0531. CHANGE> [Christey changed vote from NOOP to REVIEWING] Christey> Per Andre Frech's comments. 
====================================================== Name: CVE-2000-0680 Status: Candidate URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2000-0680 Phase: Proposed (20000921) Category: SF Reference: BUGTRAQ:20000728 cvs security problem Reference: URL:http://www.securityfocus.com/frames/?content=/templates/archive.pike%3Flist%3D1%26msg%3Dhvou2daoebb.fsf%40serein.m17n.org Reference: BID:1524 Reference: URL:http://www.securityfocus.com/bid/1524 The CVS 1.10.8 server does not properly restrict users from creating arbitrary Checkin.prog or Update.prog programs, which allows remote CVS committers to modify or create Trojan horse programs with the Checkin.prog or Update.prog names, then performing a CVS commit action. Current Votes: ACCEPT(2) Baker, Levy MODIFY(1) Frech NOOP(2) Cole, Wall Voter Comments: Frech> XF:cvs-checkin-execute-binary ====================================================== Name: CVE-2000-0686 Status: Candidate URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2000-0686 Phase: Proposed (20000921) Category: SF Reference: BUGTRAQ:20000823 Auction WeaverT LITE 1.0 Reference: URL:http://archives.neohapsis.com/archives/bugtraq/2000-08/0310.html Reference: BID:1630 Reference: URL:http://www.securityfocus.com/bid/1630 Auction Weaver CGI script 1.03 and earlier allows remote attackers to read arbitrary files via a .. (dot dot) attack in the fromfile parameter. 
Current Votes: ACCEPT(2) Cole, Levy MODIFY(1) Frech NOOP(1) Wall Voter Comments: Frech> XF:cgi-auction-weaver-read-files Frech> XF:cgi-auction-weaver-read-files(5150) ====================================================== Name: CVE-2000-0687 Status: Candidate URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2000-0687 Phase: Proposed (20000921) Category: SF Reference: BUGTRAQ:20000823 Auction WeaverT LITE 1.0 Reference: URL:http://archives.neohapsis.com/archives/bugtraq/2000-08/0310.html Reference: BID:1630 Reference: URL:http://www.securityfocus.com/bid/1630 Auction Weaver CGI script 1.03 and earlier allows remote attackers to read arbitrary files via a .. (dot dot) attack in the catdir parameter. Current Votes: ACCEPT(2) Cole, Levy MODIFY(1) Frech NOOP(2) Christey, Wall Voter Comments: Frech> XF:cgi-auction-weaver-read-files Christey> Need to double-check BID's on all these Auction Weaver prob's. Frech> XF:cgi-auction-weaver-read-files(5150) ====================================================== Name: CVE-2000-0688 Status: Candidate URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2000-0688 Phase: Proposed (20000921) Category: SF Reference: BUGTRAQ:20000823 Subscribe Me Vulnerability Reference: URL:http://archives.neohapsis.com/archives/bugtraq/2000-08/0292.html Reference: BUGTRAQ:20000823 Re: Subscribe Me CGI Vulnerability Reference: URL:http://marc.theaimsgroup.com/?l=bugtraq&m=96722957421029&w=2 Reference: CONFIRM:http://www.cgiscriptcenter.com/subscribe/ Reference: BID:1607 Reference: URL:http://www.securityfocus.com/bid/1607 Subscribe Me LITE does not properly authenticate attempts to change the administrator password, which allows remote attackers to gain privileges for the Account Manager by directly calling the subscribe.pl script with the setpwd parameter. 
Current Votes: ACCEPT(2) Cole, Levy MODIFY(1) Frech NOOP(2) Christey, Wall Voter Comments: Frech> XF:subscribe-me-overwrite-password Christey> Make sure the mention of Account Manager is correct. XF:subscribe-me-overwrite-password http://xforce.iss.net/static/5126.php Frech> XF:subscribe-me-overwrite-password(5126) ====================================================== Name: CVE-2000-0689 Status: Candidate URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2000-0689 Phase: Modified (20061027) Category: SF Reference: BUGTRAQ:20000823 Account Manager CGI Vulnerability Reference: URL:http://archives.neohapsis.com/archives/bugtraq/2000-08/0291.html Reference: CONFIRM:http://www.cgiscriptcenter.com/acctlite/ Reference: BID:1604 Reference: URL:http://www.securityfocus.com/bid/1604 Reference: OSVDB:13341 Reference: URL:http://www.osvdb.org/13341 Reference: XF:account-manager-overwrite-password(5125) Reference: URL:http://xforce.iss.net/xforce/xfdb/5125 Account Manager LITE does not properly authenticate attempts to change the administrator password, which allows remote attackers to gain privileges for the Account Manager by directly calling the amadmin.pl script with the setpasswd parameter. Current Votes: ACCEPT(2) Cole, Levy MODIFY(1) Frech NOOP(2) Christey, Wall Voter Comments: Frech> XF:account-manager-overwrite-password In description, you probably want to indicate both Account Manager LITE and PRO. Because CONFIRM redirects, you may want to verify and normalize to http://www.cgiscriptcenter.com/acctman/index2.html. Christey> XF:account-manager-overwrite-password http://xforce.iss.net/static/5125.php Frech> XF:account-manager-overwrite-password(5125) ====================================================== Name: CVE-2000-0690 Status: Candidate URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2000-0690 Phase: Proposed (20000921) Category: SF Reference: BUGTRAQ:20000830 More problems with Auction Weaver & CGI Script Center. 
Reference: URL:http://archives.neohapsis.com/archives/bugtraq/2000-08/0370.html Reference: URL:http://archives.neohapsis.com/archives/bugtraq/2000-08/0452.html Auction Weaver CGI script 1.02 and earlier allows remote attackers to execute arbitrary commands via shell metacharacters in the fromfile parameter. Current Votes: ACCEPT(1) Baker MODIFY(2) Frech, Levy NOOP(3) Christey, Cole, Wall Voter Comments: Levy> Reference: BID 1645 Christey> BID:1645 URL:http://www.securityfocus.com/bid/1645 Frech> XF:auction-weaver-execute-commands(6175) ====================================================== Name: CVE-2000-0691 Status: Candidate URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2000-0691 Phase: Proposed (20000921) Category: SF Reference: BUGTRAQ:20000826 Advisory: mgetty local compromise Reference: URL:http://archives.neohapsis.com/archives/bugtraq/2000-08/0329.html Reference: CONFIRM:http://archives.neohapsis.com/archives/bugtraq/2000-08/0330.html Reference: CALDERA:CSSA-2000-029.0 Reference: URL:http://www.calderasystems.com/support/security/advisories/CSSA-2000-029.0.txt Reference: BID:1612 Reference: URL:http://www.securityfocus.com/bid/1612 The faxrunq and faxrunqd in the mgetty package allows local users to create or modify arbitrary files via a symlink attack which creates a symlink in from /var/spool/fax/outgoing/.last_run to the target file. 
Current Votes: ACCEPT(1) Levy MODIFY(2) Cox, Frech NOOP(3) Christey, Cole, Wall Voter Comments: Frech> XF:mgetty-faxrunq-symlink Christey> ADDREF XF:mgetty-faxrunq-symlink ADDREF URL:http://xforce.iss.net/static/5159.php ADDREF REDHAT:RHSA-2000:059-02 ADDREF BUGTRAQ:20000830 Conectiva Linux Security Announcement - mgetty ADDREF MANDRAKE:MDKSA-2000:042 Christey> ADDREF REDHAT:RHSA-2000:059-02 Christey> ADDREF FREEBSD:FreeBSD-SA-00:71 ftp://ftp.FreeBSD.org/pub/FreeBSD/CERT/advisories/FreeBSD-SA-00:71.mgetty.asc Frech> XF:mgetty-faxrunq-symlink(5159) Cox> ADDREF REDHAT:RHSA-2000:059 ====================================================== Name: CVE-2000-0692 Status: Candidate URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2000-0692 Phase: Modified (20001010-1) Category: SF Reference: BUGTRAQ:20000822 DOS on RealSecure 3.2 Reference: URL:http://archives.neohapsis.com/archives/bugtraq/2000-08/0267.html Reference: BID:1597 Reference: URL:http://www.securityfocus.com/bid/1597 Reference: XF:realsecure-rskill-dos ISS RealSecure 3.2.1 and 3.2.2 allows remote attackers to cause a denial of service via a flood of fragmented packets with the SYN flag set. Current Votes: ACCEPT(2) Cole, Levy MODIFY(1) Frech NOOP(1) Wall REVIEWING(1) Christey Voter Comments: Frech> XF:realsecure-rskill-dos Christey> CHANGEREF XF:realsecure-rskill-dos to XF:realsecure-frag-syn-dos? http://xforce.iss.net/static/5133.php CHANGE> [Christey changed vote from NOOP to REVIEWING] Christey> In an email to issforum@iss.net on September 7, 2000, ISS says that Network Sensor 3.2.2 is affected by SYN flooding, but RealSecure 5.0 is not affected by Syn flooding. In addition, they could not find conclusive evidence that RS 3.2.2 or 5.0 was affected by IP fragmentation. This seems to indicate that there are 2 *possible* problems: syn flooding (acknowledged by ISS) and fragmentation (unconfirmed). 
Perhaps this candidate needs to be split, or its description should be rewritten to separate the 2 reported problems. Frech> XF:realsecure-rskill-dos(5133) ====================================================== Name: CVE-2000-0695 Status: Candidate URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2000-0695 Phase: Modified (20010417-01) Category: SF Reference: BUGTRAQ:20000802 Local root compromise in PGX Config Sun Sparc Solaris Reference: URL:http://archives.neohapsis.com/archives/bugtraq/2000-07/0463.html Buffer overflows in pgxconfig in the Raptor GFX configuration tool allow local users to gain privileges via command line options. Current Votes: ACCEPT(3) Baker, Dik, Levy NOOP(2) Cole, Wall Voter Comments: Dik> as CVE-2000-0693 ====================================================== Name: CVE-2000-0696 Status: Candidate URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2000-0696 Phase: Modified (20080918) Category: SF Reference: BUGTRAQ:20000807 Vulnerabilities in Sun Solaris AnswerBook2 dwhttpd server Reference: URL:http://seclists.org/bugtraq/2000/Aug/0105.html Reference: MISC:http://www.s21sec.com/en/avisos/s21sec-004-en.txt Reference: SUN:00196 Reference: URL:http://archives.neohapsis.com/archives/sun/2000-q3/0001.html Reference: XF:solaris-answerbook2-admin-interface(5069) Reference: URL:http://xforce.iss.net/static/5069.php Reference: BID:1554 Reference: URL:http://www.securityfocus.com/bid/1554 The administration interface for the dwhttpd web server in Solaris AnswerBook2 does not properly authenticate requests to its supporting CGI scripts, which allows remote attackers to add user accounts to the interface by directly calling the admin CGI script. 
Current Votes: ACCEPT(4) Baker, Cole, Dik, Levy MODIFY(1) Frech NOOP(2) Christey, Wall Voter Comments: Frech> XF:solaris-answerbook2-admin-interface Christey> XF:solaris-answerbook2-admin-interface http://xforce.iss.net/static/5069.php Christey> BUGTRAQ:20000807 Vulnerabilities in Sun Solaris AnswerBook2 dwhttpd server http://www.securityfocus.com/archive/1/74382 Christey> Fix typo: "CGi" CHANGE> [Dik changed vote from REVIEWING to ACCEPT] ====================================================== Name: CVE-2000-0697 Status: Candidate URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2000-0697 Phase: Modified (20080918) Category: SF Reference: BUGTRAQ:20000807 Vulnerabilities in Sun Solaris AnswerBook2 dwhttpd server Reference: URL:http://seclists.org/bugtraq/2000/Aug/0105.html Reference: MISC:http://www.s21sec.com/en/avisos/s21sec-004-en.txt Reference: SUN:00196 Reference: URL:http://archives.neohapsis.com/archives/sun/2000-q3/0001.html Reference: XF:solaris-answerbook2-remote-execution(5058) Reference: URL:http://www.iss.net/security_center/static/5058.php Reference: BID:1556 Reference: URL:http://www.securityfocus.com/bid/1556 The administration interface for the dwhttpd web server in Solaris AnswerBook2 allows interface users to remotely execute commands via shell metacharacters. Current Votes: ACCEPT(4) Baker, Cole, Dik, Levy MODIFY(1) Frech NOOP(2) Christey, Wall Voter Comments: Frech> XF:solaris-answerbook2-remote-execution Christey> XF:solaris-answerbook2-remote-execution http://xforce.iss.net/static/5058.php CHANGE> [Dik changed vote from REVIEWING to ACCEPT] Dik> COMMENTS verified bug existance. Christey> There needs to be a separate item for the .. problem reported in this same post. 
====================================================== Name: CVE-2000-0701 Status: Candidate URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2000-0701 Phase: Modified (20040818) Category: SF Reference: BUGTRAQ:20000801 Advisory: mailman local compromise Reference: URL:http://www.securityfocus.com/archive/1/73220 Reference: CONFIRM:http://www.securityfocus.com/templates/archive.pike?list=1&msg=20000802105050.A11733@rak.isternet.sk Reference: BUGTRAQ:20000802 CONECTIVA LINUX SECURITY ANNOUNCEMENT - mailman Reference: URL:http://archives.neohapsis.com/archives/bugtraq/2000-07/0474.html Reference: BUGTRAQ:20000802 MDKSA-2000:030 - Linux-Mandrake not affected by mailman problem Reference: URL:http://archives.neohapsis.com/archives/bugtraq/2000-07/0479.html Reference: REDHAT:RHSA-2000:030 Reference: URL:http://www.redhat.com/support/errata/RHSA-2000-030.html Reference: BID:1539 Reference: URL:http://www.securityfocus.com/bid/1539 The wrapper program in mailman 2.0beta3 and 2.0beta4 does not properly cleanse untrusted format strings, which allows local users to gain privileges. Current Votes: ACCEPT(3) Baker, Cole, Levy MODIFY(1) Frech NOOP(1) Wall Voter Comments: Frech> XF:gnu-mailman-format-string You can perhaps normalize Bugtraq URL to CONFIRM:http://www.securityfocus.com/archive/1/73355. ====================================================== Name: CVE-2000-0704 Status: Candidate URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2000-0704 Phase: Modified (20060505) Category: SF Reference: SGI:20000803-01-A Reference: URL:ftp://sgigate.sgi.com/security/20000803-01-A Reference: BID:1603 Reference: URL:http://www.securityfocus.com/bid/1603 Reference: OSVDB:11080 Reference: URL:http://www.osvdb.org/11080 Reference: XF:irix-worldview-wnn-bo(5163) Reference: URL:http://xforce.iss.net/xforce/xfdb/5163 Buffer overflow in SGI Omron WorldView Wnn allows remote attackers to execute arbitrary commands via long JS_OPEN, JS_MKDIR, or JS_FILE_INFO commands. 
Current Votes: ACCEPT(3) Baker, Cole, Levy MODIFY(1) Frech NOOP(2) Christey, Wall Voter Comments: Frech> XF:irix-worldview-wnn-bo Christey> XF:irix-worldview-wnn-bo http://xforce.iss.net/static/5163.php ====================================================== Name: CVE-2000-0709 Status: Candidate URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2000-0709 Phase: Proposed (20000921) Category: SF Reference: BUGTRAQ:20000823 Xato Advisory: FrontPage DOS Device DoS Reference: URL:http://archives.neohapsis.com/archives/bugtraq/2000-08/0288.html Reference: CONFIRM:http://msdn.microsoft.com/workshop/languages/fp/2000/sr12.asp Reference: BID:1608 Reference: URL:http://www.securityfocus.com/bid/1608 The shtml.exe component of Microsoft FrontPage 2000 Server Extensions 1.1 allows remote attackers to cause a denial of service in some components by requesting a URL whose name includes a standard DOS device name. Current Votes: ACCEPT(3) Cole, Levy, Wall MODIFY(1) Frech REVIEWING(1) Christey Voter Comments: Christey> [note to self: review comments by Mark Burnett] CHANGE> [Christey changed vote from NOOP to REVIEWING] Christey> XF:frontpage-ext-device-name-dos(5124) Frech> XF:frontpage-ext-device-name-dos(5124) ====================================================== Name: CVE-2000-0710 Status: Candidate URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2000-0710 Phase: Proposed (20000921) Category: SF Reference: BUGTRAQ:20000823 Xato Advisory: FrontPage DOS Device DoS Reference: URL:http://archives.neohapsis.com/archives/bugtraq/2000-08/0288.html Reference: CONFIRM:http://msdn.microsoft.com/workshop/languages/fp/2000/sr12.asp Reference: BID:1608 Reference: URL:http://www.securityfocus.com/bid/1608 The shtml.exe component of Microsoft FrontPage 2000 Server Extensions 1.1 allows remote attackers determine the physical path of the server components by requesting an invalid URL whose name includes a standard DOS device name. 
Current Votes: ACCEPT(3) Cole, Levy, Wall MODIFY(1) Frech NOOP(1) Christey Voter Comments: Christey> [note to self: review comments by Mark Burnett] Frech> XF:frontpage-ext-device-name-dos(5124) ====================================================== Name: CVE-2000-0713 Status: Candidate URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2000-0713 Phase: Proposed (20000921) Category: SF Reference: BUGTRAQ:20000726 [SPSadvisory#39]Adobe Acrobat Series PDF File Buffer Overflow Reference: URL:http://archives.neohapsis.com/archives/bugtraq/2000-07/0382.html Reference: CONFIRM:http://www.adobe.com/misc/pdfsecurity.html Reference: BID:1509 Reference: URL:http://www.securityfocus.com/bid/1509 Buffer overflow in Adobe Acrobat 4.05, Reader, Business Tools, and Fill In products that handle PDF files allows attackers to execute arbitrary commands via a long /Registry or /Ordering specifier. Current Votes: ACCEPT(4) Baker, Cole, Levy, Wall NOOP(1) Christey Voter Comments: Christey> ADDREF XF:adobe-pdf-bo(5002) ====================================================== Name: CVE-2000-0714 Status: Candidate URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2000-0714 Phase: Modified (20040818) Category: SF Reference: REDHAT:RHSA-2000:047 Reference: URL:http://www.redhat.com/support/errata/RHSA-2000-047.html Reference: BID:1551 Reference: URL:http://www.securityfocus.com/bid/1551 umb-scheme 3.2-11 for Red Hat Linux is installed with world-writeable files. Current Votes: ACCEPT(5) Baker, Cole, Cox, Levy, Williams NOOP(2) Christey, Wall Voter Comments: Christey> XF:linux-umb-scheme http://xforce.iss.net/static/5048.php Cox> (If me voting speeds up its inclusion :)) ====================================================== Name: CVE-2000-0715 Status: Candidate URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2000-0715 Phase: Modified (20080226) Category: SF Reference: BUGTRAQ:20000622 Re: rh 6.2 - gid compromises, etc [+ MORE!!!] 
Reference: URL:http://seclists.org/bugtraq/2000/Jun/0298.html Reference: BUGTRAQ:20000805 Diskcheck 3.1.1 Symlink Vulnerability Reference: URL:http://seclists.org/bugtraq/2000/Aug/0082.html Reference: BUGTRAQ:20000807 Re: Diskcheck 3.1.1 Symlink Vulnerability Reference: URL:http://seclists.org/bugtraq/2000/Aug/0096.html Reference: BID:1552 Reference: URL:http://www.securityfocus.com/bid/1552 DiskCheck script diskcheck.pl in Red Hat Linux 6.2 allows local users to create or overwrite arbitrary files via a symlink attack on a temporary file. Current Votes: ACCEPT(3) Baker, Levy, Williams MODIFY(2) Christey, Cox NOOP(2) Cole, Wall Voter Comments: Christey> XF:diskcheck-tmp-race-condition http://xforce.iss.net/static/5061.php Christey> ADDREF REDHAT:RHSA-2000:122-04 ? The advisory addresses some diskcheck symlink vulnerability, but the initial announcement was 4 months before the advisory was released; however, the DiskCheck versions seem to correspond. Christey> See various Bugtraq posts relating to this, and verify if the Conectiva/Red Hat/etc. advisories are really addressing this particular problem. e.g.: BUGTRAQ:20000622 Re: rh 6.2 - gid compromises, etc [+ MORE!!!] 
http://marc.theaimsgroup.com/?l=bugtraq&m=96172022819526&w=2 BUGTRAQ:20000810 CONECTIVA LINUX SECURITY ANNOUNCEMENT - diskcheck http://marc.theaimsgroup.com/?l=bugtraq&m=96604843017702&w=2 REDHAT:RHSA-2000:122-06 http://marc.theaimsgroup.com/?l=bugtraq&m=97649229201967&w=2 BID:2050 URL:http://www.securityfocus.com/bid/2050 Christey> The following RedHat advisory appears to identify the same problem as one that was posted to Bugtraq on August 8, 2000: REDHAT:RHSA-2000:122-06 http://www.redhat.com/support/errata/powertools/RHSA-2000-122.html See the following BugID, as referenced in the advisory: http://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=11724 So, add: BID:2050 URL:http://www.securityfocus.com/bid/2050 XF:linux-diskcheck-race-symlink URL:http://xforce.iss.net/static/5624.php [note the apparent BID duplicates, however] CHANGE> [Christey changed vote from NOOP to MODIFY] Christey> Missing BID - BID:1552 Cox> ADDREF REDHAT:RHSA-2000:122 ====================================================== Name: CVE-2000-0719 Status: Candidate URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2000-0719 Phase: Proposed (20000921) Category: SF Reference: BUGTRAQ:20000810 VariCAD 7.0 premission vulnerability Reference: URL:http://archives.neohapsis.com/archives/bugtraq/2000-08/0126.html VariCAD 7.0 is installed with world-writeable files, which allows local users to replace the VariCAD programs with a Trojan horse program. 
Current Votes: MODIFY(1) Frech NOOP(4) Christey, Cole, Wall, Williams REVIEWING(1) Levy Voter Comments: Christey> XF:varicad-world-write-permissions http://xforce.iss.net/static/5077.php Frech> XF:aricad-world-write-permissions(5077) Christey> BID:1862 ====================================================== Name: CVE-2000-0721 Status: Candidate URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2000-0721 Phase: Proposed (20000921) Category: SF Reference: BUGTRAQ:20000810 FlagShip v4.48.7449 premission vulnerability Reference: URL:http://archives.neohapsis.com/archives/bugtraq/2000-08/0114.html Reference: BID:1586 Reference: URL:http://www.securityfocus.com/bid/1586 The FSserial, FlagShip_c, and FlagShip_p programs in the FlagShip package are installed world-writeable, which allows local users to replace them with Trojan horses. Current Votes: ACCEPT(2) Baker, Levy MODIFY(1) Frech NOOP(2) Cole, Wall Voter Comments: Frech> XF:flagship-incorrect-permissions(5114) ====================================================== Name: CVE-2000-0722 Status: Candidate URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2000-0722 Phase: Proposed (20000921) Category: SF Reference: BUGTRAQ:20000819 Multiple Local Vulnerabilities in Helix Gnome Installer Reference: URL:http://www.securityfocus.com/templates/archive.pike?list=1&msg=E13QAYl-0007il-00@the-village.bc.nu Reference: BUGTRAQ:20000820 Helix Code Security Advisory - Helix GNOME Update Reference: URL:http://archives.neohapsis.com/archives/bugtraq/2000-08/0240.html Reference: BUGTRAQ:20000820 [Helix Beta] Helix Code Security Advisory - Helix GNOME Installer Reference: URL:http://archives.neohapsis.com/archives/bugtraq/2000-08/0251.html Reference: BID:1593 Reference: URL:http://www.securityfocus.com/bid/1593 Helix GNOME Updater helix-update 0.5 and earlier allows local users to install arbitrary RPM packages by creating the /tmp/helix-install installation directory before root has begun installing packages. 
Current Votes: ACCEPT(2) Cole, Levy MODIFY(1) Frech NOOP(2) Christey, Wall Voter Comments: Christey> XF:linux-update-race-condition Frech> XF:gnome-installer-overwrite-configuration(5129) ====================================================== Name: CVE-2000-0723 Status: Candidate URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2000-0723 Phase: Proposed (20000921) Category: SF Reference: BUGTRAQ:20000819 Multiple Local Vulnerabilities in Helix Gnome Installer Reference: URL:http://www.securityfocus.com/templates/archive.pike?list=1&msg=E13QAYl-0007il-00@the-village.bc.nu Reference: BUGTRAQ:20000820 [Helix Beta] Helix Code Security Advisory - Helix GNOME Installer Reference: URL:http://archives.neohapsis.com/archives/bugtraq/2000-08/0251.html Reference: BID:1596 Reference: URL:http://www.securityfocus.com/bid/1596 Helix GNOME Updater helix-update 0.5 and earlier does not properly create /tmp directories, which allows local users to create empty system configuration files such as /etc/config.d/bashrc, /etc/config.d/csh.cshrc, and /etc/rc.config. 
Current Votes: ACCEPT(2) Cole, Levy MODIFY(1) Frech NOOP(2) Christey, Wall Voter Comments: Christey> XF:gnome-installer-overwrite-configuration(5129) Frech> XF:gnome-installer-overwrite-configuration(5129) ====================================================== Name: CVE-2000-0724 Status: Candidate URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2000-0724 Phase: Proposed (20000921) Category: SF Reference: BUGTRAQ:20000829 More Helix Code installation problems (go-gnome) Reference: URL:http://archives.neohapsis.com/archives/bugtraq/2000-08/0351.html Reference: BUGTRAQ:20000829 Helix Code Security Advisory - go-gnome pre-installer Reference: URL:http://archives.neohapsis.com/archives/bugtraq/2000-08/0356.html Reference: BID:1622 Reference: URL:http://www.securityfocus.com/bid/1622 The go-gnome Helix GNOME pre-installer allows local users to overwrite arbitrary files via a symlink attack on various files in /tmp, including uudecode, snarf, and some installer files. Current Votes: ACCEPT(2) Cole, Levy MODIFY(1) Frech NOOP(2) Christey, Wall Voter Comments: Christey> XF:go-gnome-preinstaller-symlink(5161) Frech> XF:go-gnome-preinstaller-symlink(5161) ====================================================== Name: CVE-2000-0734 Status: Candidate URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2000-0734 Phase: Proposed (20000921) Category: SF Reference: BUGTRAQ:20000831 Remote DoS Attack in Eeye Iris 1.01 and SpyNet CaptureNet v3.12 Reference: URL:http://marc.theaimsgroup.com/?l=bugtraq&m=96774637326591&w=2 Reference: BID:1627 Reference: URL:http://www.securityfocus.com/bid/1627 eEye IRIS 1.01 beta allows remote attackers to cause a denial of service via a large number of UDP connections. Current Votes: MODIFY(1) Levy NOOP(2) Cole, Wall REJECT(1) Frech Voter Comments: Levy> The product is in wide use even while is in beta. eEye brought another company and made all their previous customers upgrade to the new software. 
====================================================== Name: CVE-2000-0735 Status: Candidate URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2000-0735 Phase: Proposed (20000921) Category: SF Reference: BUGTRAQ:20000818 Becky! Internet Mail Buffer overflow Reference: URL:http://archives.neohapsis.com/archives/bugtraq/2000-08/0234.html Reference: CONFIRM:http://member.nifty.ne.jp/rimarts/becky-e/Readme.txt Reference: BID:1588 Reference: URL:http://www.securityfocus.com/bid/1588 Buffer overflow in Becky! Internet Mail client 1.26.03 and earlier allows remote attackers to cause a denial of service via a long Content-type: MIME header when the user replies to a message. Current Votes: ACCEPT(2) Cole, Levy MODIFY(1) Frech NOOP(2) Christey, Wall Voter Comments: Christey> XF:becky-imail-header-dos http://xforce.iss.net/static/5110.php Frech> XF:becky-imail-header-dos(5110) ====================================================== Name: CVE-2000-0736 Status: Candidate URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2000-0736 Phase: Proposed (20000921) Category: SF Reference: BUGTRAQ:20000818 Becky! Internet Mail Buffer overflow Reference: URL:http://archives.neohapsis.com/archives/bugtraq/2000-08/0234.html Reference: CONFIRM:http://member.nifty.ne.jp/rimarts/becky-e/Readme.txt Reference: BID:1588 Reference: URL:http://www.securityfocus.com/bid/1588 Buffer overflow in Becky! Internet Mail client 1.26.04 and earlier allows remote attackers to cause a denial of service via a long Content-type: MIME header when the user forwards a message. 
Current Votes: ACCEPT(2) Cole, Levy MODIFY(1) Frech NOOP(2) Christey, Wall Voter Comments: Christey> XF:becky-imail-header-dos http://xforce.iss.net/static/5110.php Frech> XF:becky-imail-header-dos(5110) ====================================================== Name: CVE-2000-0746 Status: Candidate URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2000-0746 Phase: Proposed (20000921) Category: SF Reference: BUGTRAQ:20000821 IIS 5.0 cross site scripting vulnerability - using .shtml files or /_vti_bin/shtml.dll Reference: URL:http://www.securityfocus.com/templates/archive.pike?list=1&msg=39A12BD6.E811BF4F@nat.bg Reference: MS:MS00-060 Reference: URL:http://www.microsoft.com/technet/security/bulletin/ms00-060.asp Reference: BID:1594 Reference: URL:http://www.securityfocus.com/bid/1594 Reference: BID:1595 Reference: URL:http://www.securityfocus.com/bid/1595 Vulnerabilities in IIS 4.0 and 5.0 do not properly protect against cross-site scripting (CSS) attacks. They allow a malicious web site operator to embed scripts in a link to a trusted site, which are returned without quoting in an error message back to the client. The client then executes those scripts in the same context as the trusted site, aka the "IIS Cross-Site Scripting" vulnerabilities. Current Votes: ACCEPT(3) Cole, Levy, Wall MODIFY(1) Frech REVIEWING(1) Christey Voter Comments: Christey> Make sure both BID's are appropriate XF:iis-cross-site-scripting http://xforce.iss.net/static/5156.php Frech> XF: iis-cross-site-scripting(5156) CHANGE> [Christey changed vote from NOOP to REVIEWING] Christey> A re-release of MS:MS00-060 indicates that a new variant of this problem was discovered, but the advisory does not provide sufficient details to distinguish it from this candidate. A new candidate is being created, but the description can't be written without mentioning this CAN. 
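The IIS entry above (CVE-2000-0746) describes the reflected cross-site scripting pattern: the server echoes the requested URL into an error page "without quoting", so a link crafted by a hostile site carries script that runs in the trusted site's origin. The following is an added example, not Microsoft's code or the advisory's: a minimal error handler in the vulnerable and the escaped form, and the canary probe a tester sends to tell the two apart. The handler and function names are invented, as are the sample URLs.

```python
# Added example, not Microsoft's code or the advisory's: an error page that
# echoes the requested URL verbatim (the unquoted reflection the IIS entry
# describes), the escaped version, and a canary probe of the kind a tester
# sends to decide which one they are looking at. Names are invented.
import html
import re


def error_page_unsafe(requested_url: str) -> str:
    """Error handler that reflects attacker-controlled input into HTML as-is."""
    return ("<html><body><p>The file " + requested_url +
            " could not be found.</p></body></html>")


def error_page_safe(requested_url: str) -> str:
    """Same page with the input HTML-escaped for an element-text context;
    quote=True also escapes double and single quotes in case the value is
    later placed inside an attribute."""
    return ("<html><body><p>The file " + html.escape(requested_url, quote=True) +
            " could not be found.</p></body></html>")


# A canary that is harmless, unlikely to occur naturally, and carries every
# character whose escaping matters.
CANARY = "zq9<svg/onload=x>\"'zq9"
_TAG = re.compile(r"<[a-zA-Z][^>]*>")


def reflects_unescaped(render) -> bool:
    """True if the canary comes back with its markup intact, i.e. a link to
    this page with script in the URL would execute in the site's origin."""
    out = render("/_vti_bin/shtml.dll/" + CANARY)
    return CANARY in out


def injected_tags(render, payload: str = "<script>alert(document.domain)</script>") -> list:
    """Tags in the response that came from the payload, not from the template."""
    baseline = set(_TAG.findall(render("/missing.shtml")))
    return [t for t in _TAG.findall(render("/missing.shtml?" + payload))
            if t not in baseline]


if __name__ == "__main__":
    for name, handler in (("unsafe", error_page_unsafe), ("safe", error_page_safe)):
        print(name, "reflects unescaped:", reflects_unescaped(handler),
              "injected tags:", injected_tags(handler))
```

The baseline request in injected_tags() matters: comparing against the page's own markup is what lets the probe run unattended across many URLs without flagging the template's tags.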
====================================================== Name: CVE-2000-0748 Status: Candidate URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2000-0748 Phase: Proposed (20000921) Category: SF Reference: BUGTRAQ:20000726 Group-writable executable in OpenLDAP Reference: URL:http://archives.neohapsis.com/archives/bugtraq/2000-07/0375.html Reference: BID:1511 Reference: URL:http://www.securityfocus.com/bid/1511 OpenLDAP 1.2.11 and earlier improperly installs the ud binary with group write permissions, which could allow any user in that group to replace the binary with a Trojan horse. Current Votes: ACCEPT(1) Levy NOOP(4) Baker, Cole, Wall, Williams ====================================================== Name: CVE-2000-0752 Status: Candidate URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2000-0752 Phase: Proposed (20000921) Category: SF Reference: FREEBSD:FreeBSD-SA-00:43 Reference: URL:http://archives.neohapsis.com/archives/freebsd/2000-08/0339.html Reference: BID:1629 Reference: URL:http://www.securityfocus.com/bid/1629 Buffer overflows in brouted in FreeBSD and possibly other OSes allow local users to gain root privileges via long command line arguments. Current Votes: ACCEPT(2) Baker, Levy MODIFY(1) Frech NOOP(2) Cole, Wall Voter Comments: Frech> XF:freebsd-brouted-bo(6185) ====================================================== Name: CVE-2000-0755 Status: Candidate URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2000-0755 Phase: Proposed (20000921) Category: SF Reference: HP:HPSBUX0008-118 Reference: URL:http://archives.neohapsis.com/archives/bugtraq/2000-08/0144.html Reference: BID:1581 Reference: URL:http://www.securityfocus.com/bid/1581 Vulnerability in the newgrp command in HP-UX 11.00 allows local users to gain privileges. Current Votes: ACCEPT(2) Cole, Levy NOOP(2) Baker, Wall REJECT(2) Christey, Frech Voter Comments: Christey> DUPE CVE-2000-0730 Also, the BID is wrong. Frech> DUPE OF CVE-2000-0730 Also, the BID is wrong. 
====================================================== Name: CVE-2000-0756 Status: Candidate URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2000-0756 Phase: Proposed (20000921) Category: SF Reference: BUGTRAQ:20000831 vCard DoS on Outlook 2000 Reference: URL:http://www.securityfocus.com/templates/archive.pike?list=1&msg=Springmail.105.967737080.0.16997300@www.springmail.com Reference: BID:1633 Reference: URL:http://www.securityfocus.com/bid/1633 Microsoft Outlook 2000 does not properly process long or malformed fields in vCard (.vcf) files, which allows attackers to cause a denial of service. Current Votes: ACCEPT(2) Cole, Levy MODIFY(2) Frech, LeBlanc REVIEWING(2) Christey, Wall Voter Comments: LeBlanc> - if a KB article, bulletin, or patch can be found, then I'll ACCEPT Christey> This is the same as MS:MS01-012 (CVE-2001-0145) See the Bugtraq post by Joel Moses: http://marc.theaimsgroup.com/?l=bugtraq&m=98322714210100&w=2 As of this writing, it is not certain which candidate should be preferred: the candidate that has been publicly known longer (i.e. CVE-2000-0756), or the more "official" candidate, which has probably been publicized more (i.e. CVE-2001-0145). Frech> XF:outlook-vcard-dos(5175) XF:outlook-vcard-bo(6145) Because there's another more recent CAN linked to @stake and Microsoft's advisories, we'll link both of our records to both candidates until a final decision occurs. If a decision has been made to promote the CVE-2001 entry, then enter my vote as a REJECT for CVE-2000-0756. Frech> Replace outlook-vcard-bo(6145) with outlook-vcard-dos(5175) ====================================================== Name: CVE-2000-0757 Status: Candidate URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2000-0757 Phase: Proposed (20000921) Category: SF Reference: BUGTRAQ:20000808 Exploit for Totalbill... 
Reference: URL:http://archives.neohapsis.com/archives/bugtraq/2000-08/0074.html Reference: BID:1555 Reference: URL:http://www.securityfocus.com/bid/1555 The sysgen service in Aptis Totalbill does not perform authentication, which allows remote attackers to gain root privileges by connecting to the service and specifying the commands to be executed. Current Votes: ACCEPT(2) Baker, Levy NOOP(4) Christey, Cole, Wall, Williams Voter Comments: Christey> XF:totalbill-remote-execution http://xforce.iss.net/static/5068.php ====================================================== Name: CVE-2000-0759 Status: Candidate URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2000-0759 Phase: Modified (20050703) Category: SF Reference: BUGTRAQ:20000719 [LoWNOISE] Tomcat 3.1 Path Revealing Problem. Reference: URL:http://www.securityfocus.com/frames/?content=/templates/archive.pike%3Flist%3D1%26date%3D2000-07-15%26msg%3DPine.SUN.3.96.1000719184401.17782A-100000@grex.cyberspace.org Reference: BID:1531 Reference: URL:http://www.securityfocus.com/bid/1531 Reference: XF:tomcat-error-path-reveal(4967) Reference: URL:http://www.iss.net/security_center/static/4967.php Jakarta Tomcat 3.1 under Apache reveals physical path information when a remote attacker requests a URL that does not exist, which generates an error message that includes the physical path. 
Current Votes: ACCEPT(2) Baker, Levy NOOP(3) Cole, Wall, Williams ====================================================== Name: CVE-2000-0760 Status: Candidate URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2000-0760 Phase: Proposed (20000921) Category: SF Reference: BUGTRAQ:20000719 [LoWNOISE] Snoop Servlet (Tomcat 3.1 and 3.0) Reference: URL:http://www.securityfocus.com/frames/?content=/templates/archive.pike%3Flist%3D1%26date%3D2000-07-15%26msg%3DPine.SUN.3.96.1000719235404.24004A-100000@grex.cyberspace.org Reference: XF:tomcat-snoop-info Reference: BID:1532 Reference: URL:http://www.securityfocus.com/bid/1532 The Snoop servlet in Jakarta Tomcat 3.1 and 3.0 under Apache reveals sensitive system information when a remote attacker requests a nonexistent URL with a .snp extension. Current Votes: ACCEPT(2) Baker, Levy NOOP(3) Cole, Wall, Williams ====================================================== Name: CVE-2000-0769 Status: Candidate URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2000-0769 Phase: Proposed (20000921) Category: SF Reference: BUGTRAQ:20000824 WebServer Pro 2.3.7 Vulnerability Reference: URL:http://marc.theaimsgroup.com/?l=bugtraq&m=96715834610888&w=2 Reference: BID:1611 Reference: URL:http://www.securityfocus.com/bid/1611 O'Reilly WebSite Pro 2.3.7 installs the uploader.exe program with execute permissions for all users, which allows remote attackers to create and execute arbitrary files by directly calling uploader.exe. 
Current Votes: ACCEPT(2) Baker, Levy MODIFY(1) Frech NOOP(2) Christey, Cole REVIEWING(1) Wall Voter Comments: Christey> XF:website-pro-upload-files(5157) Frech> XF:website-pro-upload-files(5157) ====================================================== Name: CVE-2000-0772 Status: Candidate URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2000-0772 Phase: Modified (20010116-01) Category: CF Reference: BUGTRAQ:20000810 Tumbleweed Worldsecure (MMS) BLANK 'sa' account password vulnerability Reference: URL:http://archives.neohapsis.com/archives/bugtraq/2000-08/0098.html Reference: CONFIRM:http://thompson.tumbleweed.com/NewKB/bulletin/UPFiles/sa-official.htm Reference: BID:1562 Reference: URL:http://www.securityfocus.com/bid/1562 Reference: XF:tumbleweed-mms-blank-password Reference: URL:http://xforce.iss.net/static/5072.php The installation of Tumbleweed Messaging Management System (MMS) 4.6 and earlier (formerly Worldtalk Worldsecure) creates a default account "sa" with no password. Current Votes: ACCEPT(2) Baker, Levy MODIFY(1) Frech NOOP(3) Christey, Cole, Wall Voter Comments: Christey> XF:tumbleweed-mms-blank-password http://xforce.iss.net/static/5072.php Frech> XF:umbleweed-mms-blank-password(5072) ====================================================== Name: CVE-2000-0774 Status: Candidate URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2000-0774 Phase: Proposed (20000921) Category: SF Reference: BUGTRAQ:20000731 Two security flaws in Bajie Webserver Reference: URL:http://archives.neohapsis.com/archives/bugtraq/2000-07/0426.html Reference: BID:1521 Reference: URL:http://www.securityfocus.com/bid/1521 The sample Java servlet "test" in Bajie HTTP web server 0.30a reveals the real pathname of the web document root. 
Current Votes: ACCEPT(3) Baker, Levy, Williams NOOP(2) Cole, Wall Voter Comments: Baker> Vendor fixed this issue in later version of the software ====================================================== Name: CVE-2000-0775 Status: Candidate URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2000-0775 Phase: Proposed (20000921) Category: SF Reference: BUGTRAQ:20000828 [NT] Viking security vulnerabilities enable remote code execution (long URL, date parsing) Reference: URL:http://www.securityfocus.com/templates/archive.pike?list=1&msg=399a01c01122$0d7f2310$0201a8c0@aviram Reference: CONFIRM:http://www.robtex.com/viking/bugs.htm Reference: BID:1614 Reference: URL:http://www.securityfocus.com/bid/1614 Buffer overflow in RobTex Viking server earlier than 1.06-370 allows remote attackers to cause a denial of service or execute arbitrary commands via a long HTTP GET request, or long Unless-Modified-Since, If-Range, or If-Modified-Since headers. Current Votes: ACCEPT(2) Baker, Levy MODIFY(1) Frech NOOP(3) Christey, Cole, Wall Voter Comments: Christey> XF:viking-server-bo(5158) Frech> XF:viking-server-bo(5158) ====================================================== Name: CVE-2000-0784 Status: Candidate URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2000-0784 Phase: Proposed (20000921) Category: SF Reference: BUGTRAQ:20000816 Remote Root Compromise On All RapidStream VPN Appliances Reference: URL:http://archives.neohapsis.com/archives/bugtraq/2000-08/0216.html Reference: BID:1574 Reference: URL:http://www.securityfocus.com/bid/1574 sshd program in the Rapidstream 2.1 Beta VPN appliance has a hard-coded "rsadmin" account with a null password, which allows remote attackers to execute arbitrary commands via ssh. 
Current Votes: ACCEPT(3) Baker, Cole, Levy MODIFY(1) Frech NOOP(2) Christey, Wall Voter Comments: Christey> XF:rapidstream-remote-execution http://xforce.iss.net/static/5093.php Frech> XF:rapidstream-remote-execution(5093) ====================================================== Name: CVE-2000-0785 Status: Candidate URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2000-0785 Phase: Proposed (20000921) Category: SF Reference: BUGTRAQ:20000713 More wIRCSrv stupidity Reference: URL:http://marc.theaimsgroup.com/?l=bugtraq&m=96353027909756&w=2 WircSrv IRC Server 5.07s allows IRC operators to read arbitrary files via the importmotd command, which sets the Message of the Day (MOTD) to the specified file. Current Votes: ACCEPT(1) Baker MODIFY(1) Levy NOOP(3) Cole, Wall, Williams Voter Comments: Levy> BID 1472 ====================================================== Name: CVE-2000-0789 Status: Candidate URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2000-0789 Phase: Proposed (20000921) Category: SF Reference: BUGTRAQ:20000816 WinU 4/5 weak password vulnerability Reference: URL:http://archives.neohapsis.com/archives/bugtraq/2000-08/0201.html WinU 5.x and earlier uses weak encryption to store its configuration password, which allows local users to decrypt the password and gain privileges. Current Votes: ACCEPT(1) Williams MODIFY(2) Baker, Frech NOOP(3) Christey, Cole, Wall REVIEWING(1) Levy Voter Comments: Frech> XF:winu-backdoor(5376) Christey> ADDREF BID:1741 ADDREF URL:http://www.securityfocus.com/bid/1741 Baker> Since there are apparently two different methods of weak encryption, perhaps the description should read " ... used weak encryption methods.." 
====================================================== Name: CVE-2000-0791 Status: Candidate URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2000-0791 Phase: Proposed (20000921) Category: SF Reference: BUGTRAQ:20000815 Trustix security advisory - apache-ssl Reference: URL:http://archives.neohapsis.com/archives/bugtraq/2000-08/0179.html Reference: BID:1575 Reference: URL:http://www.securityfocus.com/bid/1575 Trustix installs the httpsd program for Apache-SSL with world-writeable permissions, which allows local users to replace it with a Trojan horse. Current Votes: ACCEPT(3) Baker, Cole, Levy MODIFY(1) Frech NOOP(2) Christey, Wall Voter Comments: Christey> XF:trustix-secure-apache-misconfig http://xforce.iss.net/static/5099.php Frech> XF:trustix-secure-apache-misconfig(5099) ====================================================== Name: CVE-2000-0793 Status: Candidate URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2000-0793 Phase: Proposed (20000921) Category: SF Reference: BUGTRAQ:20000728 Norton Antivirus Protection Disabled under Novell Netware Reference: URL:http://www.securityfocus.com/templates/archive.pike?list=1&msg=398222C5@zathras.cc.vt.edu Reference: BID:1533 Reference: URL:http://www.securityfocus.com/bid/1533 Norton AntiVirus 5.00.01C with the Novell Netware client does not properly restart the auto-protection service after the first user has logged off of the system. Current Votes: ACCEPT(1) Levy MODIFY(1) Baker NOOP(3) Cole, Wall, Williams Voter Comments: Baker> Perhaps the description should read "... after the first user to log on to the system logs off." 
====================================================== Name: CVE-2000-0794 Status: Candidate URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2000-0794 Phase: Modified (20060705) Category: SF Reference: BUGTRAQ:20000802 [LSD] some unpublished LSD exploit codes Reference: URL:http://www.securityfocus.com/templates/archive.pike?list=1&msg=200008021924.e72JOVs12558@ix.put.poznan.pl Reference: BID:1527 Reference: URL:http://www.securityfocus.com/bid/1527 Reference: OSVDB:8568 Reference: URL:http://www.osvdb.org/8568 Reference: XF:irix-libgl-bo(5063) Reference: URL:http://www.iss.net/security_center/static/5063.php Buffer overflow in IRIX libgl.so library allows local users to gain root privileges via a long HOME variable to programs such as (1) gmemusage and (2) gr_osview. Current Votes: ACCEPT(3) Baker, Levy, Williams NOOP(3) Christey, Cole, Wall Voter Comments: Christey> XF:irix-libgl-bo http://xforce.iss.net/static/5063.php ====================================================== Name: CVE-2000-0798 Status: Candidate URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2000-0798 Phase: Modified (20060626) Category: SF Reference: BUGTRAQ:20000802 [LSD] some unpublished LSD exploit codes Reference: URL:http://www.securityfocus.com/templates/archive.pike?list=1&msg=200008021924.e72JOVs12558@ix.put.poznan.pl Reference: BID:1540 Reference: URL:http://www.securityfocus.com/bid/1540 Reference: OSVDB:8569 Reference: URL:http://www.osvdb.org/8569 The truncate function in IRIX 6.x does not properly check for privileges when the file is in the xfs file system, which allows local users to delete the contents of arbitrary files. Current Votes: ACCEPT(3) Baker, Levy, Williams NOOP(3) Christey, Cole, Wall Voter Comments: Christey> XF:irix-xfs-truncate http://xforce.iss.net/static/5011.php Christey> XF:sgi-xfs(2110) ? SGI:19970102-01-PX ? Christey> Consulting SGI on this... the relationship is pretty close. 
====================================================== Name: CVE-2000-0800 Status: Candidate URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2000-0800 Phase: Proposed (20000921) Category: SF Reference: SUSE:20000810 Security Hole in knfsd, all versions Reference: URL:http://www.novell.com/linux/security/advisories/suse_security_announce_58.html String parsing error in rpc.kstatd in the linuxnfs or knfsd packages in SuSE and possibly other Linux systems allows remote attackers to gain root privileges. Current Votes: ACCEPT(1) Cole MODIFY(2) Frech, Levy NOOP(2) Baker, Wall REJECT(1) Christey Voter Comments: Levy> This is the same as other Linux vendors statd format string problem. Reference: BID 1480 Christey> If this is the same as the other statd format string problems, then this is a duplicate of CVE-2000-0666. Frech> XF:linux-rpcstatd-format-overwrite(4939) CHANGE> [Christey changed vote from REVIEWING to REJECT] Christey> OK, I agree that this is a dupe of CVE-2000-0666. Here's why: BUGTRAQ:20000803 SuSE Security: miscellaneous URL:http://marc.theaimsgroup.com/?l=bugtraq&m=96540330329127&w=2 One statement says "The SuSE package containing rpc.kstatd (other vendors named it rpc.statd)... An updated package is currently being tested." ====================================================== Name: CVE-2000-0801 Status: Candidate URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2000-0801 Phase: Proposed (20000921) Category: SF Reference: BUGTRAQ:20000727 [ Hackerslab bug_paper ] HP-UX bdf -t option buffer overflow vul. Reference: URL:http://archives.neohapsis.com/archives/bugtraq/2000-07/0388.html Reference: BID:1520 Reference: URL:http://www.securityfocus.com/bid/1520 Buffer overflow in bdf program in HP-UX 11.00 may allow local users to gain root privileges via a long -t option. Current Votes: ACCEPT(3) Baker, Levy, Williams NOOP(3) Christey, Cole, Wall Voter Comments: Christey> ADDREF HP:HPSBUX0010-127?? 
http://archives.neohapsis.com/archives/hp/2000-q4/0028.html ====================================================== Name: CVE-2000-0802 Status: Candidate URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2000-0802 Phase: Proposed (20000921) Category: SF Reference: BUGTRAQ:20000722 More bad censorware Reference: URL:http://marc.theaimsgroup.com/?l=bugtraq&m=96430372326912&w=2 Reference: XF:bair-security-removal The BAIR program does not properly restrict access to the Internet Explorer Internet options menu, which allows local users to obtain access to the menu by modifying the registry key that starts BAIR. Current Votes: NOOP(5) Baker, Cole, LeBlanc, Wall, Williams REVIEWING(1) Levy Voter Comments: LeBlanc> What the heck is BAIR? I don't think it is MS software. ====================================================== Name: CVE-2000-0812 Status: Candidate URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2000-0812 Phase: Interim (20010117) Category: CF Reference: SUN:00197 Reference: URL:http://sunsolve.sun.com/pub-cgi/retrieve.pl?doctype=coll&doc=secbull/197&type=0&nav=sec.sba Reference: MISC:http://www.securityfocus.com/templates/advisory.html?id=2542 Reference: BID:1600 Reference: URL:http://www.securityfocus.com/bid/1600 Reference: XF:sunjava-webadmin-bbs Reference: URL:http://xforce.iss.net/static/5135.php The administration module in Sun Java web server allows remote attackers to execute arbitrary commands by uploading Java code to the module and invoking the com.sun.server.http.pagecompile.jsp92.JspServlet by requesting a URL that begins with a /servlet/ tag. 
Current Votes: ACCEPT(2) Baker, Dik MODIFY(2) Frech, Levy NOOP(3) Armstrong, Cole, Wall REVIEWING(1) Christey Voter Comments: Frech> XF:sunjava-webadmin-bbs(5135) Levy> BID 1600 Frech> We also show this associated with CVE-2000-0629: The default configuration of the Sun Java web server 2.0 and earlier allows remote attackers to execute arbitrary commands by uploading Java code to the server via board.html, then directly calling the JSP compiler servlet. CVE web site concurs. Christey> I think that Casper Dik confirmed that CVE-2000-0629 is a configuration problem, and this one is a bug, so they are different problems. I need to dig up that email, though... Dik> CVE-2000-0629 indeed is about sample code which shouldn't be run on production servers This one is an actual bug and patches have been produced for JWS 2.0 and 1.1.3 ====================================================== Name: CVE-2000-0817 Status: Candidate URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2000-0817 Phase: Modified (20010119-01) Category: SF Reference: ISS:20001101 Buffer Overflow in Microsoft Windows NT 4.0 and Windows 2000 Network Monitor Reference: URL:http://xforce.iss.net/alerts/index.php Reference: MS:MS00-083 Reference: URL:http://www.microsoft.com/technet/security/bulletin/MS00-083.asp Reference: XF:network-monitor-bo(5399) Buffer overflow in the HTTP protocol parser for Microsoft Network Monitor (Netmon) allows remote attackers to execute arbitrary commands via malformed data, aka the "Netmon Protocol Parsing" vulnerability. 
Current Votes: ACCEPT(3) Baker, Cole, Mell MODIFY(1) Frech NOOP(1) Renaud Voter Comments: Frech> XF:network-monitor-bo(5399) ====================================================== Name: CVE-2000-0826 Status: Candidate URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2000-0826 Phase: Proposed (20001018) Category: SF Reference: ATSTAKE:A090800-1 Reference: URL:http://www.atstake.com/research/advisories/2000/a090800-1.txt Reference: BID:1657 Reference: URL:http://www.securityfocus.com/bid/1657 Reference: XF:documentdirect-get-bo Reference: URL:http://xforce.iss.net/static/5210.php Buffer overflow in ddicgi.exe program in Mobius DocumentDirect for the Internet 1.2 allows remote attackers to execute arbitrary commands via a long GET request. Current Votes: ACCEPT(2) Baker, Collins NOOP(3) Armstrong, Cole, Wall ====================================================== Name: CVE-2000-0827 Status: Candidate URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2000-0827 Phase: Proposed (20001018) Category: SF Reference: ATSTAKE:A090800-1 Reference: URL:http://www.atstake.com/research/advisories/2000/a090800-1.txt Reference: BID:1657 Reference: URL:http://www.securityfocus.com/bid/1657 Reference: XF:documentdirect-username-bo Reference: URL:http://xforce.iss.net/static/5211.php Buffer overflow in the web authorization form of Mobius DocumentDirect for the Internet 1.2 allows remote attackers to cause a denial of service or execute arbitrary commands via a long username. 
Current Votes: ACCEPT(2) Baker, Collins NOOP(3) Armstrong, Cole, Wall ====================================================== Name: CVE-2000-0828 Status: Candidate URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2000-0828 Phase: Proposed (20001018) Category: SF Reference: ATSTAKE:A090800-1 Reference: URL:http://www.atstake.com/research/advisories/2000/a090800-1.txt Reference: BID:1657 Reference: URL:http://www.securityfocus.com/bid/1657 Reference: XF:documentdirect-user-agent-bo Reference: URL:http://xforce.iss.net/static/5212.php Buffer overflow in ddicgi.exe in Mobius DocumentDirect for the Internet 1.2 allows remote attackers to execute arbitrary commands via a long User-Agent parameter. Current Votes: ACCEPT(2) Baker, Collins NOOP(3) Armstrong, Cole, Wall ====================================================== Name: CVE-2000-0831 Status: Candidate URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2000-0831 Phase: Proposed (20001018) Category: SF Reference: WIN2KSEC:20000912 DST2K0027: DoS in Faststream FTP++ 2.0 Reference: URL:http://archives.neohapsis.com/archives/win2ksecadvice/2000-q3/0109.html Buffer overflow in Fastream FTP++ 2.0 allows remote attackers to cause a denial of service and possibly execute arbitrary commands via a long username. Current Votes: ACCEPT(1) Baker MODIFY(1) Frech NOOP(3) Armstrong, Cole, Magdych REVIEWING(2) Christey, Wall Voter Comments: Frech> XF:fastream-ftp-dos(5235) Christey> XF:fastream-ftp-dos CHANGE> [Christey changed vote from NOOP to REVIEWING] Christey> CVE-2000-0831 and CVE-2001-0256 are probable duplicates, since they involve the same product and version (Fastream FTP++ 2.0), vuln type (buffer overflow), and attack vector (username). 
====================================================== Name: CVE-2000-0832 Status: Candidate URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2000-0832 Phase: Modified (20010910-01) Category: SF Reference: BUGTRAQ:20000817 Htgrep CGI Arbitrary File Viewing Vulnerability Reference: URL:http://archives.neohapsis.com/archives/bugtraq/2000-08/0208.html Reference: XF:htgrep-cgi-view-files(5476) Reference: URL:http://xforce.iss.net/static/5476.php Htgrep CGI program allows remote attackers to read arbitrary files by specifying the full pathname in the hdr parameter. Current Votes: ACCEPT(2) Baker, Collins MODIFY(1) Frech NOOP(4) Armstrong, Christey, Cole, Wall Voter Comments: Frech> XF:htgrep-cgi-view-files(5476) Collins> http://www.iam.unibe.ch/~scg/Src/Doc/ Christey> The change log for htgrep acknowledges the problem, but it says that the qry tag is also affected. CD:SF-LOC says that multiple problems of the same type in the same version should be combined, so this candidate should get a "soft recast" and qry should be added to the description. ====================================================== Name: CVE-2000-0833 Status: Candidate URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2000-0833 Phase: Modified (20020222-01) Category: SF Reference: BUGTRAQ:2000911 WinSMTPD remote exploit/DoS problem Reference: URL:http://www.securityfocus.com/archive/1/81693 Reference: BID:1680 Reference: URL:http://www.securityfocus.com/bid/1680 Reference: XF:winsmtp-helo-bo(5255) Reference: URL:http://xforce.iss.net/static/5255.php Buffer overflow in WinSMTP 1.06f and 2.X allows remote attackers to cause a denial of service via a long (1) USER or (2) HELO command. 
Current Votes: ACCEPT(5) Baker, Cole, Collins, Frech, Wall NOOP(2) Armstrong, Magdych Voter Comments: Cole> HAS-INDEPENDENT-CONFIRMATION CHANGE> [Wall changed vote from REVIEWING to ACCEPT] ====================================================== Name: CVE-2000-0835 Status: Candidate URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2000-0835 Phase: Modified (20100115) Category: SF Reference: BUGTRAQ:20000915 Sambar Server search CGI vulnerability Reference: URL:http://archives.neohapsis.com/archives/bugtraq/2000-09/0175.html Reference: BID:1684 Reference: URL:http://www.securityfocus.com/bid/1684 search.dll Sambar ISAPI Search utility in Sambar Server 4.4 Beta 3 allows remote attackers to read arbitrary directories by specifying the directory in the query parameter. Current Votes: MODIFY(1) Frech NOOP(5) Armstrong, Christey, Cole, Collins, Wall REJECT(2) Baker, Magdych Voter Comments: Magdych> Unless the beta product is in very widespread use, or the product is in "perpetual beta" (e.g. ICQ), I would prefer not to include beta software. Christey> XF:sambar-search-view-folder Frech> XF:sambar-search-view-folder(5247) Baker> Unless we change our CD:EX-BETA, we should reject this entry. Perhaps we need to address the issue of Beta software again, but the previous discussion was pretty thorough and I believe the editorial board was unanimous in excluding normal beta software. 
Christey> Fix typo: "paramater" Christey> fix typo: "paramatar" ====================================================== Name: CVE-2000-0836 Status: Candidate URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2000-0836 Phase: Proposed (20001018) Category: SF Reference: BUGTRAQ:20000915 [NEWS] Vulnerability in CamShot server (Authorization) Reference: URL:http://archives.neohapsis.com/archives/bugtraq/2000-09/0176.html Reference: BID:1685 Reference: URL:http://www.securityfocus.com/bid/1685 Reference: XF:camshot-password-bo Reference: URL:http://xforce.iss.net/static/5246.php Buffer overflow in CamShot WebCam Trial 2.6 allows remote attackers to execute arbitrary commands via a long Authorization header. Current Votes: ACCEPT(2) Baker, Frech NOOP(3) Armstrong, Cole, Magdych REVIEWING(1) Wall ====================================================== Name: CVE-2000-0840 Status: Candidate URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2000-0840 Phase: Proposed (20001018) Category: SF Reference: BUGTRAQ:20000906 [NEWS] XMail vulnerable to a remotely exploitable buffer overflow (APOP, USER) Reference: URL:http://archives.neohapsis.com/archives/bugtraq/2000-09/0001.html Reference: BID:1652 Reference: URL:http://www.securityfocus.com/bid/1652 Reference: XF:xmail-long-user-bo Reference: URL:http://xforce.iss.net/static/5192.php Buffer overflow in XMail POP3 server before version 0.59 allows remote attackers to execute arbitrary commands via a long USER command. Current Votes: ACCEPT(4) Armstrong, Baker, Cole, Collins NOOP(2) Christey, Wall Voter Comments: Cole> INDEPENDENT-CONFIRMATION Christey> CONFIRM:http://www.mycio.com/davidel/xmail/xmaildoc.htm The entry dated 30-07-2000 for version 0.59 says: "A possible buffer overflow error has been fixed." 
====================================================== Name: CVE-2000-0841 Status: Candidate URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2000-0841 Phase: Proposed (20001018) Category: SF Reference: BUGTRAQ:20000906 [NEWS] XMail vulnerable to a remotely exploitable buffer overflow (APOP, USER) Reference: URL:http://archives.neohapsis.com/archives/bugtraq/2000-09/0001.html Reference: BID:1652 Reference: URL:http://www.securityfocus.com/bid/1652 Reference: XF:xmail-long-apop-bo Reference: URL:http://xforce.iss.net/static/5191.php Buffer overflow in XMail POP3 server before version 0.59 allows remote attackers to execute arbitrary commands via a long APOP command. Current Votes: ACCEPT(4) Armstrong, Baker, Cole, Collins NOOP(2) Christey, Wall Voter Comments: Cole> INDEPENDENT-CONFIRMATION Christey> CONFIRM:http://www.mycio.com/davidel/xmail/xmaildoc.htm The entry dated 30-07-2000 for version 0.59 says: "A possible buffer overflow error has been fixed." ====================================================== Name: CVE-2000-0842 Status: Candidate URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2000-0842 Phase: Proposed (20001018) Category: SF Reference: BUGTRAQ:20000911 SCO scohelhttp documentation webserver exposes local files Reference: URL:http://archives.neohapsis.com/archives/bugtraq/2000-09/0086.html Reference: BID:1663 Reference: URL:http://www.securityfocus.com/bid/1663 The search97cgi/vtopic in the UnixWare 7 scohelphttp webserver allows remote attackers to read arbitrary files via a .. (dot dot) attack. Current Votes: ACCEPT(1) Baker MODIFY(1) Frech NOOP(5) Armstrong, Christey, Cole, Magdych, Wall Voter Comments: Frech> XF:sco-help-view-files(5226) Christey> What is the proper "spelling" for the SCO help HTTP server? 
I've seen it as "SCOhelp" and "scohelphttp" and "SCO help HTTP" Christey> XF:sco-help-view-files Christey> typo - extra " ====================================================== Name: CVE-2000-0843 Status: Candidate URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2000-0843 Phase: Proposed (20001018) Category: SF Reference: BUGTRAQ:20000910 (SRADV00002) Remote root compromise through pam_smb and pam_ntdom Reference: URL:http://archives.neohapsis.com/archives/bugtraq/2000-09/0073.html Reference: DEBIAN:20000911 libpam-smb: remote root exploit Reference: URL:http://www.debian.org/security/2000/20000911 Reference: SUSE:20000913 pam_smb remotely exploitable buffer overflow Reference: URL:http://www.novell.com/linux/security/advisories/adv8_draht_pam_smb_txt.html Reference: MANDRAKE:MDKSA-2000:047 Reference: URL:http://www.linux-mandrake.com/en/security/MDKSA-2000-047.php3 Reference: BUGTRAQ:20000911 Conectiva Linux Security Announcement - pam_smb Reference: URL:http://archives.neohapsis.com/archives/bugtraq/2000-09/0114.html Reference: BID:1666 Reference: URL:http://www.securityfocus.com/bid/1666 Buffer overflow in the pam_smb and pam_ntdom pluggable authentication modules (PAM) allows remote attackers to execute arbitrary commands via a login with a long user name.
Current Votes: ACCEPT(4) Armstrong, Baker, Collins, Magdych MODIFY(1) Frech NOOP(3) Christey, Cole, Wall Voter Comments: Magdych> ACKNOWLEDGED-BY-VENDOR Christey> ADDREF XF:pam-authentication-bo Frech> XF:pam-authentication-bo(5225) ====================================================== Name: CVE-2000-0845 Status: Candidate URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2000-0845 Phase: Proposed (20001018) Category: SF Reference: BUGTRAQ:20000918 [ENIGMA] Digital UNIX/Tru64 UNIX remote kdebug Vulnerability Reference: URL:http://archives.neohapsis.com/archives/bugtraq/2000-09/0204.html kdebug daemon (kdebugd) in Digital Unix 4.0F allows remote attackers to read arbitrary files by specifying the full file name in the initialization packet. Current Votes: ACCEPT(1) Baker MODIFY(1) Frech NOOP(5) Armstrong, Christey, Cole, Magdych, Wall Voter Comments: Frech> XF:du-kdebugd-write-access(5262) Christey> This problem also allows attackers to overwrite files. ADDREF BID:1693 ADDREF URL:http://www.securityfocus.com/bid/1693 ADDREF XF:du-kdebugd-write-access ADDREF http://xforce.iss.net/static/5262.php ====================================================== Name: CVE-2000-0855 Status: Candidate URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2000-0855 Phase: Proposed (20001018) Category: SF Reference: BUGTRAQ:20000901 [EXPL] SunFTP vulnerable to two Denial-of-Service attacks (long buffer, half-open) Reference: URL:http://archives.neohapsis.com/archives/bugtraq/2000-08/0408.html Reference: BID:1637 Reference: URL:http://www.securityfocus.com/bid/1637 SunFTP build 9(1) allows remote attackers to cause a denial of service by connecting to the server and disconnecting before sending a newline. 
Current Votes: ACCEPT(4) Armstrong, Baker, Cole, Collins NOOP(1) Wall Voter Comments: Cole> INDEPENDENT-CONFIRMATION ====================================================== Name: CVE-2000-0857 Status: Candidate URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2000-0857 Phase: Proposed (20001018) Category: SF Reference: BUGTRAQ:20000909 format string bug in muh Reference: URL:http://archives.neohapsis.com/archives/bugtraq/2000-09/0067.html Reference: BUGTRAQ:20000909 Re: format string bug in muh Reference: URL:http://archives.neohapsis.com/archives/bugtraq/2000-09/0068.html Reference: BID:1665 Reference: URL:http://www.securityfocus.com/bid/1665 Reference: XF:muh-log-dos Reference: URL:http://xforce.iss.net/static/5215.php The logging capability in muh 2.05d IRC server does not properly cleanse user-injected format strings, which allows remote attackers to cause a denial of service or execute arbitrary commands via a malformed nickname. Current Votes: ACCEPT(4) Baker, Cole, Collins, Frech NOOP(4) Armstrong, Christey, Magdych, Wall Voter Comments: Cole> HAS-INDEPENDENT-CONFIRMATION Christey> ADDREF FREEBSD:FreeBSD-SA-00:57 CHANGE> [Magdych changed vote from REVIEWING to NOOP] ====================================================== Name: CVE-2000-0866 Status: Candidate URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2000-0866 Phase: Proposed (20001018) Category: SF Reference: BUGTRAQ:20000907 SEGFAULTING Interbase 6 SS Linux Reference: URL:http://archives.neohapsis.com/archives/bugtraq/2000-09/0027.html Reference: BID:1654 Reference: URL:http://www.securityfocus.com/bid/1654 Reference: XF:interbase-query-dos Reference: URL:http://xforce.iss.net/static/5205.php Interbase 6 SuperServer for Linux allows an attacker to cause a denial of service via a query containing 0 bytes. 
Current Votes: ACCEPT(2) Baker, Collins NOOP(3) Armstrong, Cole, Wall ====================================================== Name: CVE-2000-0872 Status: Candidate URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2000-0872 Phase: Proposed (20001018) Category: SF Reference: BUGTRAQ:20000906 PhotoAlbum 0.9.9 explorer.php Vulnerability Reference: URL:http://archives.neohapsis.com/archives/bugtraq/2000-09/0015.html Reference: BID:1650 Reference: URL:http://www.securityfocus.com/bid/1650 Reference: XF:phpphoto-dir-traverse Reference: URL:http://xforce.iss.net/static/5198.php explorer.php in PhotoAlbum 0.9.9 allows remote attackers to read arbitrary files via a .. (dot dot) attack. Current Votes: ACCEPT(2) Baker, Collins NOOP(3) Armstrong, Cole, Wall ====================================================== Name: CVE-2000-0879 Status: Candidate URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2000-0879 Phase: Proposed (20001018) Category: SF Reference: BUGTRAQ:20000906 Multiple Security Holes in LPPlus Reference: URL:http://archives.neohapsis.com/archives/bugtraq/2000-08/0531.html Reference: BID:1643 Reference: URL:http://www.securityfocus.com/bid/1643 Reference: XF:lpplus-permissions-dos Reference: URL:http://xforce.iss.net/static/5199.php LPPlus programs dccsched, dcclpdser, dccbkst, dccshut, dcclpdshut, and dccbkstshut are installed setuid root and world executable, which allows arbitrary local users to start and stop various LPD services. 
Current Votes: ACCEPT(2) Baker, Collins NOOP(3) Armstrong, Cole, Wall ====================================================== Name: CVE-2000-0880 Status: Candidate URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2000-0880 Phase: Proposed (20001018) Category: SF Reference: BUGTRAQ:20000906 Multiple Security Holes in LPPlus Reference: URL:http://archives.neohapsis.com/archives/bugtraq/2000-08/0531.html Reference: BID:1643 Reference: URL:http://www.securityfocus.com/bid/1643 Reference: XF:lpplus-process-perms-dos Reference: URL:http://xforce.iss.net/static/5200.php LPPlus creates the lpdprocess file with world-writeable permissions, which allows local users to kill arbitrary processes by specifying an alternate process ID and using the setuid dcclpdshut program to kill the process that was specified in the lpdprocess file. Current Votes: ACCEPT(2) Baker, Collins NOOP(3) Armstrong, Cole, Wall ====================================================== Name: CVE-2000-0881 Status: Candidate URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2000-0881 Phase: Proposed (20001018) Category: SF Reference: BUGTRAQ:20000906 Multiple Security Holes in LPPlus Reference: URL:http://archives.neohapsis.com/archives/bugtraq/2000-08/0531.html Reference: BID:1644 Reference: URL:http://www.securityfocus.com/bid/1644 Reference: XF:lpplus-dccscan-file-read Reference: URL:http://xforce.iss.net/static/5201.php The dccscan setuid program in LPPlus does not properly check if the user has the permissions to print the file that is specified to dccscan, which allows local users to print arbitrary files. 
Current Votes: ACCEPT(2) Baker, Collins NOOP(3) Armstrong, Cole, Wall ====================================================== Name: CVE-2000-0882 Status: Candidate URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2000-0882 Phase: Proposed (20001018) Category: SF Reference: BUGTRAQ:20000906 VIGILANTE-2000010: Intel Express Switch series 500 DoS #2 Reference: URL:http://archives.neohapsis.com/archives/bugtraq/2000-08/0533.html Reference: BID:1647 Reference: URL:http://www.securityfocus.com/bid/1647 Intel Express 500 series switches allow a remote attacker to cause a denial of service via a malformed ICMP packet, which causes the CPU to crash. Current Votes: ACCEPT(1) Baker NOOP(3) Armstrong, Cole, Wall ====================================================== Name: CVE-2000-0885 Status: Candidate URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2000-0885 Phase: Modified (20010119-01) Category: SF Reference: NAI:20001101 Multiple Network Monitor Overflows Reference: MS:MS00-083 Reference: URL:http://www.microsoft.com/technet/security/bulletin/MS00-083.asp Reference: XF:network-monitor-bo(5399) Buffer overflows in Microsoft Network Monitor (Netmon) allow remote attackers to execute arbitrary commands via a long Browser Name in a CIFS Browse Frame, a long SNMP community name, or a long username or filename in an SMB session, aka the "Netmon Protocol Parsing" vulnerability. NOTE: It is highly likely that this candidate will be split into multiple candidates. 
Current Votes: ACCEPT(4) Baker, Cole, Mell, Renaud MODIFY(1) Frech Voter Comments: Frech> XF:network-monitor-bo(5399) ====================================================== Name: CVE-2000-0889 Status: Candidate URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2000-0889 Phase: Proposed (20010202) Category: SF/CF/MP/SA/AN/unknown Reference: CERT:CA-2000-19 Reference: URL:http://www.cert.org/advisories/CA-2000-19.html Reference: SUN:00198 Reference: URL:http://sunsolve.Sun.COM/pub-cgi/retrieve.pl?doctype=coll&doc=secbull/198&type=0&nav=sec.sba Two Sun security certificates have been compromised, which could allow attackers to insert malicious code such as applets and make it appear that it is signed by Sun. Current Votes: ACCEPT(3) Baker, Cole, Dik MODIFY(1) Frech NOOP(2) Wall, Ziese REVIEWING(1) Christey Voter Comments: Frech> XF:sun-compromised-certificate(5404) Christey> Should revoked cert's be included in CVE? How about the ones for Microsoft from early 2001? ====================================================== Name: CVE-2000-0893 Status: Candidate URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2000-0893 Phase: Proposed (20010202) Category: SF Reference: CERT-VN:VU#28027 Reference: URL:http://www.kb.cert.org/vuls/id/28027 The presence of the Distributed GL Daemon (dgld) service on port 5232 on SGI IRIX systems allows remote attackers to identify the target host as an SGI system. 
Current Votes: ACCEPT(1) Baker MODIFY(1) Frech NOOP(2) Cole, Wall REVIEWING(1) Ziese Voter Comments: CHANGE> [Frech changed vote from REVIEWING to MODIFY] Frech> XF:irix-dgld-port-scan(6592) ====================================================== Name: CVE-2000-0898 Status: Candidate URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2000-0898 Phase: Proposed (20001219) Category: SF Reference: BUGTRAQ:20001114 Vulnerabilites in SmallHTTP Server Reference: URL:http://marc.theaimsgroup.com/?l=bugtraq&m=97421834001092&w=2 Small HTTP Server 2.01 does not properly process Server Side Includes (SSI) tags that contain null values, which allows local users, and possibly remote attackers, to cause the server to crash by inserting the SSI into an HTML file. Current Votes: ACCEPT(1) Baker MODIFY(1) Frech NOOP(4) Armstrong, Balinsky, Cole, Wall Voter Comments: Frech> XF:small-http-ssi-dos(5960) Balinsky> Found no data on vendor web site to support this. http://home.lanck.net/mf/srv/index.htm ====================================================== Name: CVE-2000-0899 Status: Candidate URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2000-0899 Phase: Proposed (20001219) Category: SF Reference: BUGTRAQ:20001114 Vulnerabilites in SmallHTTP Server Reference: URL:http://marc.theaimsgroup.com/?l=bugtraq&m=97421834001092&w=2 Reference: BID:1942 Reference: URL:http://www.securityfocus.com/bid/1942 Small HTTP Server 2.01 allows remote attackers to cause a denial of service by connecting to the server and sending out multiple GET, HEAD, or POST requests and closing the connection before the server responds to the requests. Current Votes: ACCEPT(1) Baker MODIFY(1) Frech NOOP(4) Armstrong, Balinsky, Cole, Wall Voter Comments: Frech> XF:small-http-request-dos(5523) Balinsky> Found no data on vendor web site to support this. 
http://home.lanck.net/mf/srv/index.htm ====================================================== Name: CVE-2000-0902 Status: Candidate URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2000-0902 Phase: Proposed (20001129) Category: SF Reference: BUGTRAQ:20000907 Re: PhotoAlbum 0.9.9 explorer.php Vulnerability Reference: URL:http://www.securityfocus.com/archive/1/80858 Reference: XF:phpphotoalbum-getalbum-directory-traversal Reference: URL:http://xforce.iss.net/static/5209.php getalbum.php in PhotoAlbum before 0.9.9 allows remote attackers to read arbitrary files via a .. (dot dot) attack. Current Votes: ACCEPT(2) Collins, Mell NOOP(2) Cole, Wall ====================================================== Name: CVE-2000-0903 Status: Candidate URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2000-0903 Phase: Proposed (20001129) Category: SF Reference: BUGTRAQ:20000901 Multiple QNX Voyager Issues Reference: URL:http://www.securityfocus.com/archive/1/79956 Reference: BID:1648 Reference: URL:http://www.securityfocus.com/bid/1648 Directory traversal vulnerability in Voyager web server 2.01B in the demo disks for QNX 405 allows remote attackers to read arbitrary files via a .. (dot dot) attack. Current Votes: ACCEPT(2) Baker, Mell NOOP(3) Cole, Collins, Wall Voter Comments: Collins> Assigning CVE numbers for demo software is not appropriate Baker> Was this a beta version in the demo disk? I don't think it was. While we do have an exclusion for beta software, software that is distributed as production software, just limited in scope, does not mean beta.. The current version is 4, but it is still offered for free download from their website for use. 
CHANGE> [Baker changed vote from REVIEWING to ACCEPT] Baker> Should change vote from review to accept ====================================================== Name: CVE-2000-0904 Status: Candidate URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2000-0904 Phase: Proposed (20001129) Category: SF Reference: BUGTRAQ:20000901 Multiple QNX Voyager Issues Reference: URL:http://www.securityfocus.com/archive/1/79956 Reference: BID:1648 Reference: URL:http://www.securityfocus.com/bid/1648 Voyager web server 2.01B in the demo disks for QNX 405 stores sensitive web client information in the .photon directory in the web document root, which allows remote attackers to obtain that information. Current Votes: ACCEPT(1) Mell NOOP(3) Cole, Collins, Wall Voter Comments: Collins> assigning CVE numbers for demo software is not appropriate ====================================================== Name: CVE-2000-0905 Status: Candidate URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2000-0905 Phase: Proposed (20001129) Category: SF Reference: BUGTRAQ:20000901 Multiple QNX Voyager Issues Reference: URL:http://www.securityfocus.com/archive/1/79956 Reference: BID:1648 Reference: URL:http://www.securityfocus.com/bid/1648 QNX Embedded Resource Manager in Voyager web server 2.01B in the demo disks for QNX 405 allows remote attackers to read sensitive system statistics information via the embedded.html web page.
Current Votes: ACCEPT(1) Mell NOOP(2) Cole, Wall ====================================================== Name: CVE-2000-0906 Status: Candidate URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2000-0906 Phase: Proposed (20001129) Category: Reference: BUGTRAQ:20001002 Moreover Cached_Feed CGI Vulnerability Reference: URL:http://archives.neohapsis.com/archives/bugtraq/2000-10/0013.html Reference: XF:moreover-cgi-dir-traverse Reference: URL:http://xforce.iss.net/static/5334.php Reference: BID:1762 Reference: URL:http://www.securityfocus.com/bid/1762 Directory traversal vulnerability in Moreover.com cached_feed.cgi script version 4.July.00 allows remote attackers to read arbitrary files via a .. (dot dot) attack on the category or format parameters. Current Votes: ACCEPT(3) Collins, Frech, Mell NOOP(2) Cole, Wall ====================================================== Name: CVE-2000-0907 Status: Candidate URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2000-0907 Phase: Proposed (20001129) Category: SF Reference: WIN2KSEC:20000925 DST2K0030: DoS in EServ 2.92 Build 2982 Reference: URL:http://archives.neohapsis.com/archives/win2ksecadvice/2000-q3/0131.html EServ 2.92 Build 2982 allows remote attackers to cause a denial of service and possibly execute arbitrary commands via long HELO and MAIL FROM commands. 
Current Votes: ACCEPT(3) Baker, Collins, Mell MODIFY(1) Frech NOOP(2) Cole, Wall Voter Comments: Frech> XF:eserv-remote-dos(5643) ====================================================== Name: CVE-2000-0916 Status: Candidate URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2000-0916 Phase: Proposed (20001129) Category: SF Reference: FREEBSD:FreeBSD-SA-00:52 Reference: URL:ftp://ftp.freebsd.org/pub/FreeBSD/CERT/advisories/FreeBSD-SA-00:52.tcp-iss.asc Reference: BID:1766 Reference: URL:http://www.securityfocus.com/bid/1766 FreeBSD 4.1.1 and earlier, and possibly other BSD-based OSes, uses an insufficient random number generator to generate initial TCP sequence numbers (ISN), which allows remote attackers to spoof TCP connections. Current Votes: ACCEPT(2) Cole, Mell MODIFY(1) Frech REVIEWING(1) Christey Voter Comments: Frech> XF:tcp-seq-predict(139) Christey> Abstraction issue: CVE-1999-0077 is for TCP sequence prediction as a general problem; but here we have a specific implementation flaw. ====================================================== Name: CVE-2000-0918 Status: Candidate URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2000-0918 Phase: Proposed (20001129) Category: SF Reference: BID:1700 Reference: URL:http://www.securityfocus.com/bid/1700 Reference: BUGTRAQ:20000919 kvt format bug Reference: URL:http://www.securityfocus.com/archive/1/83914 Format string vulnerability in kvt in KDE 1.1.2 may allow local users to execute arbitrary commands via a DISPLAY environmental variable that contains formatting characters. Current Votes: ACCEPT(2) Baker, Mell NOOP(2) Cole, Wall REVIEWING(1) Christey Voter Comments: Christey> May be a duplicate of CVE-2000-0373, but the ref's in that CVE are vague. I suspect this *isn't* a duplicate because this is a format string problem. Baker> I think it is sufficiently different from 2000-0373. 
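The muh logging entry (CVE-2000-0857) and the kvt DISPLAY entry (CVE-2000-0918) above, like the x-gw, eeprom, top and ssh entries further down this list, are all the same programming mistake: text the attacker controls (a nickname, an environment variable, a display name) is handed to a printf-family function as the format argument rather than as data. The following C is an added illustration and is not code from muh, kvt, KDE or any BSD program; the log_line helper and the static log buffer are assumptions made so the effect can be inspected without a real syslog.

```c
#include <stdio.h>
#include <stdarg.h>
#include <string.h>

/* Stand-in for syslog()/fprintf(logfile): formats into a buffer we can
 * read back. Hypothetical helper for the example only. */
static char last_log[256];

static int log_line(const char *fmt, ...)
{
    va_list ap;
    va_start(ap, fmt);
    int n = vsnprintf(last_log, sizeof last_log, fmt, ap);
    va_end(ap);
    return n;
}

/* What the logger last wrote, for inspection. */
const char *last_logged(void) { return last_log; }

/* Vulnerable pattern: the user-supplied nickname *is* the format string.
 * A nickname such as "%x%x%x%x" dumps stack words into the log, "%s"
 * chains read through pointers until the process crashes (the DoS case),
 * and "%n" writes to memory, which is how the "execute arbitrary
 * commands" outcome is reached. Kept here only to show the shape of the
 * bug; this example never calls it with a '%' in the input. */
int log_nick_vulnerable(const char *nick)
{
    return log_line(nick);             /* BUG: data used as format */
}

/* Hardened pattern: the format is a literal, the nickname is an
 * argument. A nickname of "%n" is logged as the two characters '%','n'
 * and has no effect on the formatting machinery. */
int log_nick_safe(const char *nick)
{
    return log_line("nick change: %s", nick);
}

/* Defence in depth for places where the format cannot be fixed (a
 * third-party library that insists on taking a format): refuse to pass
 * along anything containing a directive introducer. Returns 1 if the
 * string contains '%', else 0. */
int looks_like_format_directive(const char *s)
{
    return strchr(s, '%') != NULL;
}

int main(void)
{
    log_nick_safe("%n%n%n%n");
    printf("safe   : %s\n", last_logged());
    log_nick_vulnerable("alice");       /* benign input only */
    printf("vuln   : %s\n", last_logged());
    printf("screen : %d\n", looks_like_format_directive("%x"));
    return 0;
}
```

Compiling with -Wformat -Wformat-security (GCC and Clang) flags the first pattern wherever the callee is known to be a printf-style function; for your own wrappers such as log_line, mark them with __attribute__((format(printf, 1, 2))) so the same warning reaches every call site.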
====================================================== Name: CVE-2000-0931 Status: Candidate URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2000-0931 Phase: Proposed (20001129) Category: SF Reference: BUGTRAQ:20001004 Another Pegasus Mail vulnerability Reference: URL:http://www.securityfocus.com/archive/1/137518 Reference: BID:1750 Reference: URL:http://www.securityfocus.com/bid/1750 Buffer overflow in Pegasus Mail 3.11 allows remote attackers to cause a denial of service and possibly execute arbitrary commands via a long email message containing binary data. Current Votes: ACCEPT(1) Mell MODIFY(1) Frech NOOP(2) Cole, Wall Voter Comments: Frech> XF:pegasus-mail-bo(5644) ====================================================== Name: CVE-2000-0939 Status: Candidate URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2000-0939 Phase: Proposed (20001129) Category: SF Reference: BUGTRAQ:20001030 Samba 2.0.7 SWAT vulnerabilities Reference: URL:http://archives.neohapsis.com/archives/bugtraq/2000-10/0430.html Reference: XF:samba-swat-url-filename-dos Reference: URL:http://xforce.iss.net/static/5444.php Samba Web Administration Tool (SWAT) in Samba 2.0.7 allows remote attackers to cause a denial of service by repeatedly submitting a nonstandard URL in the GET HTTP request and forcing it to restart. Current Votes: ACCEPT(2) Frech, Mell NOOP(1) Cole REJECT(1) Renaud Voter Comments: Renaud> SWAT makes this DoS easier to perform, but actually, it is an inetd problem, not a swat problem. 
====================================================== Name: CVE-2000-0940 Status: Candidate URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2000-0940 Phase: Proposed (20001129) Category: SF Reference: BUGTRAQ:20001029 Minor bug in Pagelog.cgi Reference: URL:http://archives.neohapsis.com/archives/bugtraq/2000-10/0422.html Reference: BID:1864 Reference: URL:http://www.securityfocus.com/bid/1864 Reference: XF:pagelog-cgi-dir-traverse Reference: URL:http://xforce.iss.net/static/5451.php Directory traversal vulnerability in Metertek pagelog.cgi allows remote attackers to read arbitrary files via a .. (dot dot) attack on the "name" or "display" parameter. Current Votes: ACCEPT(2) Frech, Mell NOOP(1) Cole ====================================================== Name: CVE-2000-0950 Status: Candidate URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2000-0950 Phase: Proposed (20001129) Category: SF Reference: BUGTRAQ:20001026 FWTK x-gw Security Advisory [GSA2000-01] Reference: URL:http://archives.neohapsis.com/archives/bugtraq/2000-10/0376.html Reference: XF:tisfwtk-xgw-execute-code Reference: URL:http://xforce.iss.net/static/5420.php Format string vulnerability in x-gw in TIS Firewall Toolkit (FWTK) allows local users to execute arbitrary commands via a malformed display name. Current Votes: ACCEPT(4) Baker, Cole, Frech, Mell NOOP(1) Renaud REVIEWING(1) Christey Voter Comments: Christey> I thought I saw some mailing list that questioned whether this problem was only a DoS... 
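Six entries in this stretch of the list are ".. (dot dot)" directory traversals in web scripts: scohelphttp search97cgi/vtopic (CVE-2000-0842), PhotoAlbum explorer.php and getalbum.php (CVE-2000-0872, CVE-2000-0902), QNX Voyager (CVE-2000-0903), Moreover cached_feed.cgi (CVE-2000-0906) and Metertek pagelog.cgi (CVE-2000-0940). In each case a file name taken from a request parameter is appended to a document root without checking that the result still lies under that root. The following C is an added illustration of the check those scripts lacked; it is not code from any of the products named, and the function names and the MAX_SEGS limit are assumptions made for the example. It is purely lexical: it assumes the path has already been URL-decoded and contains no NUL, and it does not follow symbolic links, which a server must handle separately (for example with realpath() on an existing file).

```c
#include <stdio.h>
#include <string.h>

#define MAX_SEGS 64   /* assumed cap on path depth for this example */

/* Lexically normalise a client-supplied path and join it to root.
 * Returns 1 and writes root + "/" + normalised segments into out when the
 * path stays inside root; returns 0 (out unspecified) when a ".." would
 * climb above root, the depth exceeds MAX_SEGS, or out is too small.
 * Leading slashes and runs of slashes are collapsed; "." is dropped. */
int resolve_under_root(const char *root, const char *user,
                       char *out, size_t outlen)
{
    const char *segs[MAX_SEGS];
    size_t seglen[MAX_SEGS];
    int depth = 0;
    const char *p = user;

    while (*p == '/') p++;             /* absolute from client: treat as relative */

    while (*p) {
        const char *start = p;
        while (*p && *p != '/') p++;
        size_t n = (size_t)(p - start);
        while (*p == '/') p++;         /* collapse "//" */

        if (n == 1 && start[0] == '.')
            continue;                  /* "." is a no-op */
        if (n == 2 && start[0] == '.' && start[1] == '.') {
            if (depth == 0)
                return 0;              /* would escape the root: reject */
            depth--;
            continue;
        }
        if (depth == MAX_SEGS)
            return 0;
        segs[depth] = start;
        seglen[depth] = n;
        depth++;
    }

    size_t used = strlen(root);
    if (used + 1 > outlen) return 0;
    memcpy(out, root, used);
    for (int i = 0; i < depth; i++) {
        if (used + 1 + seglen[i] + 1 > outlen) return 0;
        out[used++] = '/';
        memcpy(out + used, segs[i], seglen[i]);
        used += seglen[i];
    }
    out[used] = '\0';
    return 1;
}

/* Convenience wrapper for checking results: 1 if user resolves inside
 * root to exactly expect, 0 if it resolves to something else, -1 if it
 * is rejected. */
int check_resolves(const char *root, const char *user, const char *expect)
{
    char buf[512];
    if (!resolve_under_root(root, user, buf, sizeof buf))
        return -1;
    return strcmp(buf, expect) == 0 ? 1 : 0;
}

int main(void)
{
    /* constructed requests, modelled on the entries above */
    const char *tests[] = {
        "pics/a.jpg", "../../etc/passwd", "album/../../etc/passwd",
        "album/../pics/./a.jpg", "/a//b/", ""
    };
    char buf[512];
    for (size_t i = 0; i < sizeof tests / sizeof tests[0]; i++) {
        int ok = resolve_under_root("/var/www", tests[i], buf, sizeof buf);
        printf("%-28s -> %s\n", tests[i], ok ? buf : "REJECTED");
    }
    return 0;
}
```

Rejecting rather than stripping the offending ".." matters: a filter that merely deletes "../" turns "....//" into "../" and is bypassed, whereas refusing any path that ever reaches depth zero with a ".." pending has no such second-order behaviour.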
====================================================== Name: CVE-2000-0954 Status: Candidate URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2000-0954 Phase: Proposed (20001129) Category: SF Reference: BUGTRAQ:20001009 Shambala 4.5 vulnerability Reference: URL:http://archives.neohapsis.com/archives/bugtraq/2000-10/0134.html Reference: BID:1771 Reference: URL:http://www.securityfocus.com/bid/1771 Reference: XF:shambala-password-plaintext Reference: URL:http://xforce.iss.net/static/5346.php Shambala Server 4.5 stores passwords in plaintext, which could allow local users to obtain the passwords and compromise the server. Current Votes: ACCEPT(3) Baker, Frech, Mell NOOP(1) Cole ====================================================== Name: CVE-2000-0955 Status: Candidate URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2000-0955 Phase: Proposed (20001129) Category: SF Reference: ATSTAKE:A102600-1 Reference: URL:http://www.atstake.com/research/advisories/2000/a102600-1.txt Reference: BID:1885 Reference: URL:http://www.securityfocus.com/bid/1885 Reference: XF:cisco-vco-snmp-passwords Reference: URL:http://xforce.iss.net/static/5425.php Cisco Virtual Central Office 4000 (VCO/4K) uses weak encryption to store usernames and passwords in the SNMP MIB, which allows an attacker who knows the community name to crack the password and gain privileges. 
Current Votes: ACCEPT(4) Cole, Frech, Mell, Ziese NOOP(2) Balinsky, Christey Voter Comments: Christey> CISCO:20001026 VCO/4K Remote Password Disclosure http://www.cisco.com/warp/public/707/vco4kpasswdexposure-pub.shtml CHANGE> [Balinsky changed vote from REVIEWING to NOOP] ====================================================== Name: CVE-2000-0963 Status: Candidate URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2000-0963 Phase: Modified (20080819) Category: SF Reference: BUGTRAQ:20001009 ncurses buffer overflows Reference: URL:http://www.securityfocus.com/archive/1/138550 Reference: CALDERA:CSSA-2000-036.0 Reference: URL:http://www.calderasystems.com/support/security/advisories/CSSA-2000-036.0.txt Reference: BID:1142 Reference: URL:http://www.securityfocus.com/bid/1142 Reference: XF:gnu-ncurses-term-terminfodirs-bo(44487) Reference: URL:http://xforce.iss.net/xforce/xfdb/44487 Buffer overflow in ncurses library allows local users to execute arbitrary commands via long environmental information such as TERM or TERMINFO_DIRS. Current Votes: ACCEPT(2) Cole, Mell MODIFY(1) Frech REVIEWING(1) Christey Voter Comments: Christey> Various vendor writeups indicate that there are multiple overflows, so maybe this needs to be SPLIT. ADDREF FREEBSD:FreeBSD-SA-00:68 ADDREF DEBIAN:20001121 ncurses: local privilege escalation http://www.debian.org/security/2000/20001121 ADDREF REDHAT:RHSA-2000:115 http://www.redhat.com/support/errata/RHSA-2000-115.html BUGTRAQ:20001201 Immunix OS Security update for ncurses http://marc.theaimsgroup.com/?l=bugtraq&m=97570745306444&w=2 Frech> XF:libmytinfo-bo(4422) CHANGE> [Christey changed vote from NOOP to REVIEWING] Christey> This is all a library issue in which TERM/TERMINFO_DIRS are one possible attack vector, but another is through entries in the .terminfo file. Add .terminfo and termcap to the description, as well as libncurses. 
ADDREF MANDRAKE:MDKSA-2001:052 URL:http://www.linux-mandrake.com/en/security/2001/MDKSA-2001-052.php3 Now need to examine whether this is a dupe of CVE-2002-0062, and/or BID:2116. There's certainly enough confusion to go around. CHANGE> [Christey changed vote from REVIEWING to NOOP] Christey> This is not a dupe of CVE-2002-0062. As explained in DEBIAN:DSA-113, the original patches for CVE-2000-0963 didn't catch every problem. ADDREF SUSE:SuSE-SA:2000:043 URL:http://marc.theaimsgroup.com/?l=bugtraq&m=97267560724404&w=2 CHANGE> [Christey changed vote from NOOP to REVIEWING] ====================================================== Name: CVE-2000-0971 Status: Candidate URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2000-0971 Phase: Proposed (20001129) Category: SF Reference: BUGTRAQ:20001023 Avirt Mail 4.x DoS Reference: URL:http://archives.neohapsis.com/archives/bugtraq/2000-10/0301.html Reference: XF:avirt-mail-from-dos Reference: URL:http://xforce.iss.net/static/5397.php Reference: XF:avirt-rcpt-to-dos Reference: URL:http://xforce.iss.net/static/5398.php Avirt Mail 4.0 and 4.2 allows remote attackers to cause a denial of service and possibly execute arbitrary commands via a long "RCPT TO" or "MAIL FROM" command. Current Votes: ACCEPT(3) Cole, Frech, Mell NOOP(2) Armstrong, Christey Voter Comments: Christey> Fix typo: "possible" should be "possibly" Christey> fix typo: "and possible" ====================================================== Name: CVE-2000-0985 Status: Candidate URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2000-0985 Phase: Proposed (20001129) Category: SF Reference: ATSTAKE:A101200-2 Reference: URL:http://www.atstake.com/research/advisories/2000/a101200-2.txt Reference: BID:1789 Reference: URL:http://www.securityfocus.com/bid/1789 Buffer overflow in All-Mail 1.1 allows remote attackers to execute arbitrary commands via a long "MAIL FROM" or "RCPT TO" command. 
Current Votes: ACCEPT(2) Baker, Mell MODIFY(1) Frech NOOP(1) Cole Voter Comments: Frech> XF:all-mail-smtp-bo(5360) ====================================================== Name: CVE-2000-0986 Status: Candidate URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2000-0986 Phase: Proposed (20001129) Category: SF Reference: BUGTRAQ:20001020 [ Hackerslab bug_paper ] Linux ORACLE 8.1.5 vulnerability Reference: URL:http://archives.neohapsis.com/archives/bugtraq/2000-10/0294.html Reference: XF:oracle-home-bo Reference: URL:http://xforce.iss.net/static/5390.php Buffer overflow in Oracle 8.1.5 applications such as names, namesctl, onrsd, osslogin, tnslsnr, tnsping, trcasst, and trcroute possibly allows local users to gain privileges via a long ORACLE_HOME environmental variable. Current Votes: ACCEPT(3) Baker, Frech, Mell NOOP(2) Armstrong, Cole ====================================================== Name: CVE-2000-0987 Status: Candidate URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2000-0987 Phase: Proposed (20001129) Category: SF Reference: XF:oracle-oidldap-bo Reference: URL:http://xforce.iss.net/static/5401.php Reference: BUGTRAQ:20001018 vulnerability in Oracle Internet Directory in Oracle 8.1.6 Reference: URL:http://www.securityfocus.com/archive/1/140340 Reference: BUGTRAQ:20001020 In response to posting 10/18/2000 vulnerability in Oracle Internet Directory in Oracle 8.1.6 Reference: URL:http://www.securityfocus.com/archive/1/140709 Buffer overflow in oidldapd in Oracle 8.1.6 allows local users to gain privileges via a long "connect" command line parameter. Current Votes: ACCEPT(3) Cole, Frech, Mell NOOP(2) Armstrong, Christey Voter Comments: Christey> http://archives.neohapsis.com/archives/bugtraq/2000-12/0400.html appears to be a rediscovery of this problem. Christey> It looks like Juan Manuel Pascual Escriba saw this issue in a later version and re-posted, but that later post doesn't mention the earlier one.
The exploit is almost exactly the same, but the affected version is 8.1.7. ADDREF BUGTRAQ:20001221 vulnerability #1 in Oracle Internet Directory 2.1.1.1 in Oracle 8.1.7 http://archives.neohapsis.com/archives/bugtraq/2000-12/0400.html ADDREF BUGTRAQ:20010118 Patch for Potential Buffer Overflow Vulnerabilities in Oracle Internet Directory http://archives.neohapsis.com/archives/bugtraq/2001-01/0325.html ====================================================== Name: CVE-2000-0988 Status: Candidate URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2000-0988 Phase: Proposed (20001129) Category: SF Reference: BUGTRAQ:20001013 WinU Backdoor passwords!!!! Reference: URL:http://archives.neohapsis.com/archives/bugtraq/2000-10/0238.html Reference: CONFIRM:http://www.bardon.com/pwdcrack.htm Reference: BID:1801 Reference: URL:http://www.securityfocus.com/bid/1801 Reference: XF:winu-backdoor Reference: URL:http://xforce.iss.net/static/5376.php WinU 1.0 through 5.1 has a backdoor password that allows remote attackers to gain access to its administrative interface and modify configuration. Current Votes: ACCEPT(4) Armstrong, Cole, Frech, Mell ====================================================== Name: CVE-2000-0997 Status: Candidate URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2000-0997 Phase: Proposed (20001129) Category: SF Reference: OPENBSD:20001006 There are printf-style format string bugs in several privileged programs. Reference: MISC:ftp://ftp.openbsd.org/pub/OpenBSD/patches/2.7/common/028_format_strings.patch Reference: BID:1752 Reference: URL:http://www.securityfocus.com/bid/1752 Reference: XF:bsd-eeprom-format Reference: URL:http://xforce.iss.net/static/5337.php Format string vulnerabilities in the eeprom program in OpenBSD, NetBSD, and possibly other operating systems allow local attackers to gain root privileges.
Current Votes: ACCEPT(3) Cole, Frech, Mell NOOP(1) Wall ====================================================== Name: CVE-2000-0998 Status: Candidate URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2000-0998 Phase: Proposed (20001129) Category: SF Reference: OPENBSD:20001006 There are printf-style format string bugs in several privileged programs. Reference: MISC:ftp://ftp.openbsd.org/pub/OpenBSD/patches/2.7/common/028_format_strings.patch Reference: FREEBSD:FreeBSD-SA-00:62 Reference: URL:ftp://ftp.FreeBSD.org/pub/FreeBSD/CERT/advisories/FreeBSD-SA-00:62.top.v1.1.asc Reference: BID:1895 Reference: URL:http://www.securityfocus.com/bid/1895 Format string vulnerability in top program allows local attackers to gain root privileges via the "kill" or "renice" function. Current Votes: ACCEPT(3) Cole, Collins, Mell MODIFY(1) Frech NOOP(2) Christey, Wall Voter Comments: Frech> XF:top-format-string(5486) Christey> BUGTRAQ:20011114 SCO skunkware top format strings issue URL:http://marc.theaimsgroup.com/?l=bugtraq&m=100576637928933&w=2 ====================================================== Name: CVE-2000-0999 Status: Candidate URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2000-0999 Phase: Proposed (20001129) Category: SF Reference: OPENBSD:20001006 There are printf-style format string bugs in several privileged programs. Reference: MISC:ftp://ftp.openbsd.org/pub/OpenBSD/patches/2.7/common/028_format_strings.patch Format string vulnerabilities in OpenBSD ssh program (and possibly other BSD-based operating systems) allow attackers to gain root privileges. 
Current Votes:
   ACCEPT(1) Cole
   MODIFY(1) Frech
   NOOP(2) Mell, Wall

Voter Comments:
 Frech> XF:bsd-ssh-format(5637)

======================================================
Name: CVE-2000-1008
Status: Candidate
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2000-1008
Phase: Modified (20010116-01)
Category: SF
Reference: ATSTAKE:A092600-1
Reference: URL:http://www.atstake.com/research/advisories/2000/a092600-1.txt
Reference: BID:1715
Reference: URL:http://www.securityfocus.com/bid/1715

PalmOS 3.5.2 and earlier uses weak encryption to store the user password, which allows attackers with physical access to the Palm device to decrypt the password and gain access to the device.

Current Votes:
   ACCEPT(2) Cole, Mell
   MODIFY(1) Frech
   NOOP(1) Wall

Voter Comments:
 Frech> XF:palm-weak-encryption(5308)

======================================================
Name: CVE-2000-1009
Status: Candidate
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2000-1009
Phase: Proposed (20001129)
Category: SF
Reference: BUGTRAQ:20001030 Redhat 6.2 dump command executes external program with suid priviledge.
Reference: URL:http://archives.neohapsis.com/archives/bugtraq/2000-10/0438.html
Reference: BID:1871
Reference: URL:http://www.securityfocus.com/bid/1871
Reference: XF:linux-dump-execute-code
Reference: URL:http://xforce.iss.net/static/5437.php

dump in Red Hat Linux 6.2 trusts the pathname specified by the RSH environmental variable, which allows local users to obtain root privileges by modifying the RSH variable to point to a Trojan horse program.
Current Votes:
   ACCEPT(5) Baker, Cole, Frech, Mell, Renaud
   NOOP(1) Christey

Voter Comments:
 Christey> http://www.redhat.com/support/errata/RHSA-2000-100.html
   ADDREF BUGTRAQ:20001103 Trustix Security Advisory - dump
   http://archives.neohapsis.com/archives/bugtraq/2000-11/0026.html
 Christey> CERT-VN:VU#153653
   URL:http://www.kb.cert.org/vuls/id/153653

======================================================
Name: CVE-2000-1012
Status: Candidate
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2000-1012
Phase: Proposed (20001129)
Category: SF
Reference: FREEBSD:FreeBSD-SA-00:53
Reference: URL:ftp://ftp.FreeBSD.org/pub/FreeBSD/CERT/advisories/FreeBSD-SA-00:53.catopen.asc

The catopen function in FreeBSD 5.0 and earlier, and possibly other OSes, allows local users to read arbitrary files via the LANG environmental variable.

Current Votes:
   ACCEPT(3) Cole, Collins, Mell
   MODIFY(1) Frech
   NOOP(1) Wall

Voter Comments:
 Frech> XF:freebsd-display-read-files(5645)

======================================================
Name: CVE-2000-1013
Status: Candidate
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2000-1013
Phase: Proposed (20001129)
Category: SF
Reference: FREEBSD:FreeBSD-SA-00:53
Reference: URL:ftp://ftp.FreeBSD.org/pub/FreeBSD/CERT/advisories/FreeBSD-SA-00:53.catopen.asc

The setlocale function in FreeBSD 5.0 and earlier, and possibly other OSes, allows local users to read arbitrary files via the LANG environmental variable.

Current Votes:
   ACCEPT(2) Cole, Mell
   MODIFY(1) Frech
   NOOP(1) Wall

Voter Comments:
 Frech> XF:freebsd-display-read-files(5645)

======================================================
Name: CVE-2000-1015
Status: Candidate
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2000-1015
Phase: Proposed (20001129)
Category: CF
Reference: BUGTRAQ:20000929 Default admin password with Slashcode.
Reference: URL:http://archives.neohapsis.com/archives/bugtraq/2000-09/0366.html
Reference: BID:1731
Reference: URL:http://www.securityfocus.com/bid/1731
Reference: XF:slashcode-default-admin-passwords
Reference: URL:http://xforce.iss.net/static/5306.php

The default configuration of Slashcode before version 2.0 Alpha has a default administrative password, which allows remote attackers to gain Slashcode privileges and possibly execute arbitrary commands.

Current Votes:
   ACCEPT(4) Cole, Collins, Frech, Mell
   NOOP(1) Wall

======================================================
Name: CVE-2000-1017
Status: Candidate
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2000-1017
Phase: Proposed (20001129)
Category:
Reference: BUGTRAQ:20001002 DST2K0039: Webteachers Webdata: Importing files lower than web root possible in to database
Reference: URL:http://archives.neohapsis.com/archives/bugtraq/2000-10/0007.html
Reference: BUGTRAQ:20001003 Update to DST2K0039: Webteachers Webdata: Importing files lower than web root possible in to database
Reference: URL:http://archives.neohapsis.com/archives/bugtraq/2000-10/0032.html
Reference: BID:1732
Reference: URL:http://www.securityfocus.com/bid/1732

Webteachers Webdata allows remote attackers with valid Webdata accounts to read arbitrary files by posting a request to import the file into the WebData database.
Current Votes:
   ACCEPT(2) Frech, Mell
   NOOP(2) Cole, Wall

======================================================
Name: CVE-2000-1020
Status: Candidate
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2000-1020
Phase: Proposed (20001129)
Category: SF
Reference: BUGTRAQ:20000917 VIGILANTE-2000012: Mdaemon Web Services Heap Overflow DoS
Reference: URL:http://marc.theaimsgroup.com/?l=bugtraq&m=96925269716274&w=2
Reference: BID:1689
Reference: URL:http://www.securityfocus.com/bid/1689
Reference: XF:mdaemon-url-dos
Reference: URL:http://xforce.iss.net/static/5250.php

Heap overflow in Worldclient in Mdaemon 3.1.1 and earlier allows remote attackers to cause a denial of service and possibly execute arbitrary commands via a long URL.

Current Votes:
   ACCEPT(4) Baker, Cole, Collins, Mell
   NOOP(1) Wall

======================================================
Name: CVE-2000-1021
Status: Candidate
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2000-1021
Phase: Proposed (20001129)
Category: SF
Reference: BUGTRAQ:20000917 VIGILANTE-2000012: Mdaemon Web Services Heap Overflow DoS
Reference: URL:http://marc.theaimsgroup.com/?l=bugtraq&m=96925269716274&w=2
Reference: BID:1689
Reference: URL:http://www.securityfocus.com/bid/1689
Reference: XF:mdaemon-url-dos
Reference: URL:http://xforce.iss.net/static/5250.php

Heap overflow in WebConfig in Mdaemon 3.1.1 and earlier allows remote attackers to cause a denial of service and possibly execute arbitrary commands via a long URL.
Current Votes:
   ACCEPT(4) Baker, Cole, Collins, Mell
   NOOP(1) Wall

======================================================
Name: CVE-2000-1023
Status: Candidate
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2000-1023
Phase: Proposed (20001129)
Category: SF
Reference: BUGTRAQ:20000924 Major Vulnerability in Alabanza Control Panel
Reference: URL:http://www.securityfocus.com/archive/1/84766
Reference: BID:1710
Reference: URL:http://www.securityfocus.com/bid/1710
Reference: XF:alabanza-unauthorized-access
Reference: URL:http://xforce.iss.net/static/5284.php

The Alabanza Control Panel does not require passwords to access administrative commands, which allows remote attackers to modify domain name information via the nsManager.cgi CGI program.

Current Votes:
   ACCEPT(2) Collins, Mell
   NOOP(2) Cole, Wall
   REJECT(1) Baker

Voter Comments:
 Baker> I agree with Steve that this appears to be an on-line applet, accessible from their server only.
 CHANGE> [Baker changed vote from REVIEWING to REJECT]

======================================================
Name: CVE-2000-1025
Status: Candidate
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2000-1025
Phase: Proposed (20001129)
Category: SF
Reference: BUGTRAQ:20001030 Unify eWave ServletExec DoS
Reference: URL:http://marc.theaimsgroup.com/?l=bugtraq&m=97295224226042&w=2
Reference: BID:1868
Reference: URL:http://www.securityfocus.com/bid/1868
Reference: XF:ewave-servletexec-dos
Reference: URL:http://xforce.iss.net/static/5435.php

eWave ServletExec JSP/Java servlet engine, versions 3.0C and earlier, allows remote attackers to cause a denial of service via a URL that contains the "/servlet/" string, which invokes the ServletExec servlet and causes an exception if the servlet is already running.
Current Votes:
   ACCEPT(2) Frech, Mell
   NOOP(1) Cole

======================================================
Name: CVE-2000-1028
Status: Candidate
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2000-1028
Phase: Modified (20010119-01)
Category: SF
Reference: BUGTRAQ:20001102 HPUX cu -l option buffer overflow vulnerabilit
Reference: URL:http://www.securityfocus.com/archive/1/142792
Reference: BID:1886
Reference: URL:http://www.securityfocus.com/bid/1886
Reference: XF:hp-cu-bo(5460)

Buffer overflow in cu program in HP-UX 11.0 may allow local users to gain privileges via a long -l command line argument.

Current Votes:
   ACCEPT(1) Mell
   MODIFY(1) Frech
   NOOP(2) Cole, Renaud

Voter Comments:
 Frech> XF:hp-cu-bo(5460)

======================================================
Name: CVE-2000-1029
Status: Candidate
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2000-1029
Phase: Modified (20010119-01)
Category: SF
Reference: BUGTRAQ:20001027 old version of host command vulnearbility
Reference: URL:http://www.securityfocus.com/archive/1/141660
Reference: BID:1887
Reference: URL:http://www.securityfocus.com/bid/1887
Reference: XF:isc-bind-axfr-bo(5462)

Buffer overflow in host command allows a remote attacker to execute arbitrary commands via a long response to an AXFR query.
Current Votes:
   ACCEPT(1) Mell
   MODIFY(1) Frech
   NOOP(2) Cole, Renaud

Voter Comments:
 Frech> XF:isc-bind-axfr-bo(5462)

======================================================
Name: CVE-2000-1030
Status: Candidate
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2000-1030
Phase: Modified (20010119-01)
Category: SF
Reference: BUGTRAQ:20001031 Re: Samba 2.0.7 SWAT vulnerabilities
Reference: URL:http://www.securityfocus.com/archive/1/142672
Reference: BID:1888
Reference: URL:http://www.securityfocus.com/bid/1888
Reference: XF:corporatetime-brute-force(5529)

CS&T CorporateTime for the Web returns different error messages for invalid usernames and invalid passwords, which allows remote attackers to determine valid usernames on the server.

Current Votes:
   ACCEPT(1) Mell
   MODIFY(1) Frech
   NOOP(1) Cole

Voter Comments:
 Frech> XF:corporatetime-brute-force(5529)

======================================================
Name: CVE-2000-1033
Status: Candidate
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2000-1033
Phase: Proposed (20001129)
Category: SF
Reference: BUGTRAQ:20001029 Brute Forcing FTP Servers with enabled anti-hammering (anti brute-force) modus
Reference: URL:http://www.securityfocus.com/archive/1/141905
Reference: BID:1860
Reference: URL:http://www.securityfocus.com/bid/1860
Reference: XF:ftp-servu-brute-force
Reference: URL:http://xforce.iss.net/static/5436.php

Serv-U FTP Server allows remote attackers to bypass its anti-hammering feature by first logging on as a valid user (possibly anonymous) and then attempting to guess the passwords of other users.
Current Votes:
   ACCEPT(2) Frech, Mell
   NOOP(1) Cole

======================================================
Name: CVE-2000-1035
Status: Candidate
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2000-1035
Phase: Proposed (20001129)
Category: SF
Reference: BUGTRAQ:20000912 TYPSoft FTP Server remote DoS Problem
Reference: URL:http://marc.theaimsgroup.com/?l=bugtraq&m=96879389027478&w=2
Reference: MISC:http://www.synnergy.net/Archives/Advisories/dethy/typsoft-ftpd.txt
Reference: BID:1690
Reference: URL:http://www.securityfocus.com/bid/1690

Buffer overflows in TYPSoft FTP Server 0.78 and earlier allow remote attackers to cause a denial of service and possibly execute arbitrary commands via a long USER, PASS, or CWD command.

Current Votes:
   ACCEPT(1) Mell
   MODIFY(1) Baker
   NOOP(2) Cole, Wall

Voter Comments:
 CHANGE> [Baker changed vote from NOOP to MODIFY]
 Baker> http://www.synnergy.net/downloads/advisories/SLA-2000-07.typsoft-ftpd.txt

======================================================
Name: CVE-2000-1037
Status: Candidate
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2000-1037
Phase: Proposed (20001129)
Category: SF
Reference: BUGTRAQ:20000815 Firewall-1 session agent 3.0 -> 4.1, dictionnary and brute force attack
Reference: URL:http://www.securityfocus.com/archive/1/76389
Reference: BID:1662
Reference: URL:http://www.securityfocus.com/bid/1662

Check Point Firewall-1 session agent 3.0 through 4.1 generates different error messages for invalid user names versus invalid passwords, which allows remote attackers to determine valid usernames and guess a password via a brute force attack.
Current Votes:
   ACCEPT(2) Baker, Mell
   NOOP(2) Cole, Wall

======================================================
Name: CVE-2000-1039
Status: Candidate
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2000-1039
Phase: Proposed (20001219)
Category: SF
Reference: BINDVIEW:20001130 The NAPTHA DoS vulnerabilities
Reference: URL:http://razor.bindview.com/publish/advisories/adv_NAPTHA.html
Reference: WIN2KSEC:20001204 NAPTHA Advisory Updated - BindView RAZOR
Reference: URL:http://archives.neohapsis.com/archives/win2ksecadvice/2000-q4/0105.html
Reference: CERT:CA-2000-21
Reference: URL:http://www.cert.org/advisories/CA-2000-21.html
Reference: MS:MS00-091
Reference: URL:http://www.microsoft.com/technet/security/bulletin/MS00-091.asp
Reference: BID:2022
Reference: URL:http://www.securityfocus.com/bid/2022

Various TCP/IP stacks and network applications allow remote attackers to cause a denial of service by flooding a target host with TCP connection attempts and completing the TCP/IP handshake without maintaining the connection state on the attacker host, aka the "NAPTHA" class of vulnerabilities. NOTE: this candidate may change significantly as the security community discusses the technical nature of NAPTHA and learns more about the affected applications. This candidate is at a higher level of abstraction than is typical for CVE.

Current Votes:
   ACCEPT(3) Baker, Cole, Renaud
   MODIFY(1) Frech
   NOOP(2) Magdych, Wall
   REVIEWING(1) Christey

Voter Comments:
 Baker> Although this is at a high level, the fact is that it is a vulnerability, and as such we need to recognize this, even if we have to recast or modify the description at some later time.
 Christey> This needs to be commented on and reviewed by many Board members.
 Frech> XF:naptha-resource-starvation(5810)
 Christey> ADDREF SGI:20020304-01-A
 Christey> SGI:20020304-01-A

======================================================
Name: CVE-2000-1046
Status: Candidate
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2000-1046
Phase: Modified (20040723)
Category: SF
Reference: BUGTRAQ:20000911 Advisory Code: VIGILANTE-2000011 Lotus Domino ESMTP Service Buffer overflow
Reference: URL:http://archives.neohapsis.com/archives/bugtraq/2000-09/0093.html

Multiple buffer overflows in the ESMTP service of Lotus Domino 5.0.2c and earlier allow remote attackers to cause a denial of service and possibly execute arbitrary code via long (1) "RCPT TO," (2) "SAML FROM," or (3) "SOML FROM" commands.

Current Votes:
   ACCEPT(2) Baker, Mell
   MODIFY(1) Collins
   NOOP(2) Cole, Wall

Voter Comments:
 Collins> http://www.synnergy.net/downloads/advisories/SLA-2000-07.typsoft-ftpd.txt
 Baker> Reference by Collins was entered into the wrong CAN Entry... It should have been for 2000-1035, not this CAN
 CHANGE> [Baker changed vote from REVIEWING to ACCEPT]

======================================================
Name: CVE-2000-1048
Status: Candidate
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2000-1048
Phase: Proposed (20001129)
Category: SF
Reference: BUGTRAQ:20001016 Wingate 4.1 Beta A vulnerability
Reference: URL:http://archives.neohapsis.com/archives/bugtraq/2000-10/0245.html
Reference: XF:wingate-view-files
Reference: URL:http://xforce.iss.net/static/5373.php

Directory traversal vulnerability in the logfile service of Wingate 4.1 Beta A and earlier allows remote attackers to read arbitrary files via a .. (dot dot) attack via an HTTP GET request that uses encoded characters in the URL.
Current Votes:
   ACCEPT(3) Baker, Frech, Mell
   NOOP(2) Armstrong, Cole

======================================================
Name: CVE-2000-1052
Status: Candidate
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2000-1052
Phase: Proposed (20001129)
Category: SF
Reference: BUGTRAQ:20001023 Allaire JRUN 2.3 Arbitrary File Retrieval
Reference: URL:http://marc.theaimsgroup.com/?l=bugtraq&m=97236692714978&w=2

Allaire JRun 2.3 server allows remote attackers to obtain source code for executable content by directly calling the SSIFilter servlet.

Current Votes:
   ACCEPT(3) Armstrong, Cole, Mell
   MODIFY(1) Frech

Voter Comments:
 Frech> XF:allaire-jrun-ssifilter-url(5405)

======================================================
Name: CVE-2000-1053
Status: Candidate
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2000-1053
Phase: Proposed (20001129)
Category: SF
Reference: BUGTRAQ:20001023 Allaire JRUN 2.3 Remote command execution
Reference: URL:http://marc.theaimsgroup.com/?l=bugtraq&m=97236125107957&w=2
Reference: ALLAIRE:ASB00-029
Reference: URL:http://www.allaire.com/handlers/index.cfm?ID=17969&Method=Full
Reference: XF:allaire-jrun-jsp-execute
Reference: URL:http://xforce.iss.net/static/5406.php

Allaire JRun 2.3.3 server allows remote attackers to compile and execute JSP code by inserting it via a cross-site scripting (CSS) attack and directly calling the com.livesoftware.jrun.plugins.JSP JSP servlet.
Current Votes:
   ACCEPT(4) Armstrong, Cole, Frech, Mell

======================================================
Name: CVE-2000-1062
Status: Candidate
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2000-1062
Phase: Proposed (20001129)
Category: SF
Reference: BUGTRAQ:20001010 VIGILANTE-2000014: HP Jetdirect multiple DoS
Reference: URL:http://marc.theaimsgroup.com/?l=bugtraq&m=97119729613778&w=2
Reference: BID:1775
Reference: URL:http://www.securityfocus.com/bid/1775
Reference: XF:hp-jetdirect-firmware-dos
Reference: URL:http://xforce.iss.net/static/5353.php

Buffer overflow in the FTP service in HP JetDirect printer card Firmware x.08.20 and earlier allows remote attackers to cause a denial of service.

Current Votes:
   ACCEPT(3) Baker, Frech, Mell
   NOOP(1) Cole

======================================================
Name: CVE-2000-1063
Status: Candidate
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2000-1063
Phase: Proposed (20001129)
Category: SF
Reference: BUGTRAQ:20001010 VIGILANTE-2000014: HP Jetdirect multiple DoS
Reference: URL:http://marc.theaimsgroup.com/?l=bugtraq&m=97119729613778&w=2
Reference: BID:1775
Reference: URL:http://www.securityfocus.com/bid/1775
Reference: XF:hp-jetdirect-firmware-dos
Reference: URL:http://xforce.iss.net/static/5353.php

Buffer overflow in the Telnet service in HP JetDirect printer card Firmware x.08.20 and earlier allows remote attackers to cause a denial of service.
Current Votes:
   ACCEPT(3) Cole, Frech, Mell

======================================================
Name: CVE-2000-1064
Status: Candidate
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2000-1064
Phase: Proposed (20001129)
Category: SF
Reference: BUGTRAQ:20001010 VIGILANTE-2000014: HP Jetdirect multiple DoS
Reference: URL:http://marc.theaimsgroup.com/?l=bugtraq&m=97119729613778&w=2
Reference: BID:1775
Reference: URL:http://www.securityfocus.com/bid/1775
Reference: XF:hp-jetdirect-firmware-dos
Reference: URL:http://xforce.iss.net/static/5353.php

Buffer overflow in the LPD service in HP JetDirect printer card Firmware x.08.20 and earlier allows remote attackers to cause a denial of service.

Current Votes:
   ACCEPT(3) Cole, Frech, Mell

======================================================
Name: CVE-2000-1065
Status: Candidate
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2000-1065
Phase: Proposed (20001129)
Category: SF
Reference: BUGTRAQ:20001010 VIGILANTE-2000014: HP Jetdirect multiple DoS
Reference: URL:http://marc.theaimsgroup.com/?l=bugtraq&m=97119729613778&w=2
Reference: BID:1775
Reference: URL:http://www.securityfocus.com/bid/1775
Reference: XF:hp-jetdirect-ip-implementation
Reference: URL:http://xforce.iss.net/static/5354.php

Vulnerability in IP implementation of HP JetDirect printer card Firmware x.08.20 and earlier allows remote attackers to cause a denial of service (printer crash) via a malformed packet.
Current Votes:
   ACCEPT(3) Baker, Frech, Mell
   NOOP(1) Cole

======================================================
Name: CVE-2000-1066
Status: Candidate
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2000-1066
Phase: Modified (20010119-01)
Category: SF
Reference: FREEBSD:FreeBSD-SA-00:63
Reference: URL:ftp://ftp.FreeBSD.org/pub/FreeBSD/CERT/advisories/FreeBSD-SA-00:63.getnameinfo.asc
Reference: BID:1894
Reference: URL:http://www.securityfocus.com/bid/1894
Reference: XF:getnameinfo-dos(5454)

The getnameinfo function in FreeBSD 4.1.1 and earlier, and possibly other operating systems, allows a remote attacker to cause a denial of service via a long DNS hostname.

Current Votes:
   ACCEPT(2) Cole, Mell
   MODIFY(1) Frech
   NOOP(1) Renaud

Voter Comments:
 Frech> XF:getnameinfo-dos(5454)

======================================================
Name: CVE-2000-1076
Status: Candidate
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2000-1076
Phase: Proposed (20001129)
Category: SF
Reference: BUGTRAQ:20001026 [CORE SDI ADVISORY] iPlanet Certificate Management System 4.2 path traversal bug
Reference: URL:http://archives.neohapsis.com/archives/bugtraq/2000-10/0383.html
Reference: XF:iplanet-netscape-plaintext-password
Reference: URL:http://xforce.iss.net/static/5422.php

Netscape (iPlanet) Certificate Management System 4.2 and Directory Server 4.12 stores the administrative password in plaintext, which could allow local and possibly remote attackers to gain administrative privileges on the server.

Current Votes:
   ACCEPT(3) Baker, Frech, Mell
   NOOP(2) Christey, Cole

Voter Comments:
 Christey> Partial vendor acknowledgement at:
   http://docs.iplanet.com/docs/manuals/cms/42/relnotes/release_notes.html
   "By default, Administration Server administrator's password (also known as the SIE password) is stored in clear text in the adm.conf file.
   This does not usually pose a security threat because most administrators use their Operating System's security features to ensure that the file is protected from other users."

======================================================
Name: CVE-2000-1078
Status: Candidate
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2000-1078
Phase: Proposed (20001129)
Category: SF
Reference: BUGTRAQ:20001007 ICQ WebFront HTTPd DoS
Reference: URL:http://www.securityfocus.com/archive/1/138332
Reference: XF:icq-webfront-url-dos
Reference: URL:http://xforce.iss.net/static/5332.php

ICQ Web Front HTTPd allows remote attackers to cause a denial of service by requesting a URL that contains a "?" character.

Current Votes:
   ACCEPT(3) Baker, Frech, Mell
   NOOP(2) Christey, Cole

Voter Comments:
 Christey> The following post appears to describe the same problem, 7 months earlier:
   BUGTRAQ:20000310 ICQ remote DoS

======================================================
Name: CVE-2000-1079
Status: Candidate
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2000-1079
Phase: Modified (20061101)
Category: SF
Reference: NAI:20000829 Windows NetBIOS Unsolicited Cache Corruption
Reference: URL:http://www.nai.com/research/covert/advisories/045.asp
Reference: NTBUGTRAQ:20000829 Re: [COVERT-2000-10] Windows NetBIOS Unsolicited Cache Corruption
Reference: URL:http://archives.neohapsis.com/archives/ntbugtraq/2000-q3/0116.html
Reference: BID:1620
Reference: URL:http://www.securityfocus.com/bid/1620
Reference: XF:win-netbios-corrupt-cache
Reference: URL:http://xforce.iss.net/static/5168.php
Reference: OVAL:oval:org.mitre.oval:def:1079
Reference: URL:http://oval.mitre.org/repository/data/getDef?id=oval:org.mitre.oval:def:1079

Interactions between the CIFS Browser Protocol and NetBIOS as implemented in Microsoft Windows 95, 98, NT, and 2000 allow remote attackers to modify dynamic NetBIOS name cache entries via a spoofed Browse Frame Request in a unicast or UDP broadcast datagram.
Current Votes:
   ACCEPT(3) Baker, Mell, Wall
   NOOP(1) Cole
   REVIEWING(1) Christey

Voter Comments:
 Wall> No known exploit or patch yet.
 Christey> This was a little controversial, if I recall correctly.

======================================================
Name: CVE-2000-1081
Status: Candidate
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2000-1081
Phase: Modified (20061101)
Category: SF
Reference: ATSTAKE:20001201 Microsoft SQL Server extended stored procedure vulnerability
Reference: URL:http://marc.theaimsgroup.com/?l=bugtraq&m=97570878710037&w=2
Reference: MS:MS00-092
Reference: URL:http://www.microsoft.com/technet/security/bulletin/ms00-092.asp
Reference: BID:2030
Reference: URL:http://www.securityfocus.com/bid/2030
Reference: OVAL:oval:org.mitre.oval:def:231
Reference: URL:http://oval.mitre.org/repository/data/getDef?id=oval:org.mitre.oval:def:231

The xp_displayparamstmt function in SQL Server and Microsoft SQL Server Desktop Engine (MSDE) does not properly restrict the length of a buffer before calling the srv_paraminfo function in the SQL Server API for Extended Stored Procedures (XP), which allows an attacker to cause a denial of service or execute arbitrary commands, aka the "Extended Stored Procedure Parameter Parsing" vulnerability.
Current Votes:
   ACCEPT(3) Baker, Cole, Magdych
   MODIFY(1) Frech
   NOOP(1) Christey
   REVIEWING(1) Wall

Voter Comments:
 Baker> Already posted in refs
 Christey> ADDREF XF:mssql-xp-paraminfo-bo
   URL:http://xforce.iss.net/static/5622.php
 Frech> XF:mssql-xp-paraminfo-bo(5622)

======================================================
Name: CVE-2000-1082
Status: Candidate
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2000-1082
Phase: Proposed (20001219)
Category: SF
Reference: ATSTAKE:20001201 Microsoft SQL Server extended stored procedure vulnerability
Reference: URL:http://marc.theaimsgroup.com/?l=bugtraq&m=97570878710037&w=2
Reference: MS:MS00-092
Reference: URL:http://www.microsoft.com/technet/security/bulletin/ms00-092.asp
Reference: BID:2031
Reference: URL:http://www.securityfocus.com/bid/2031

The xp_enumresultset function in SQL Server and Microsoft SQL Server Desktop Engine (MSDE) does not properly restrict the length of a buffer before calling the srv_paraminfo function in the SQL Server API for Extended Stored Procedures (XP), which allows an attacker to cause a denial of service or execute arbitrary commands, aka the "Extended Stored Procedure Parameter Parsing" vulnerability.
Current Votes:
   ACCEPT(3) Baker, Cole, Magdych
   MODIFY(1) Frech
   NOOP(1) Christey
   REVIEWING(1) Wall

Voter Comments:
 Christey> ADDREF XF:mssql-xp-paraminfo-bo
   URL:http://xforce.iss.net/static/5622.php
 Frech> XF:mssql-xp-paraminfo-bo(5622)

======================================================
Name: CVE-2000-1083
Status: Candidate
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2000-1083
Phase: Proposed (20001219)
Category: SF
Reference: ATSTAKE:20001201 Microsoft SQL Server extended stored procedure vulnerability
Reference: URL:http://marc.theaimsgroup.com/?l=bugtraq&m=97570878710037&w=2
Reference: MS:MS00-092
Reference: URL:http://www.microsoft.com/technet/security/bulletin/ms00-092.asp
Reference: BID:2038
Reference: URL:http://www.securityfocus.com/bid/2038

The xp_showcolv function in SQL Server and Microsoft SQL Server Desktop Engine (MSDE) does not properly restrict the length of a buffer before calling the srv_paraminfo function in the SQL Server API for Extended Stored Procedures (XP), which allows an attacker to cause a denial of service or execute arbitrary commands, aka the "Extended Stored Procedure Parameter Parsing" vulnerability.
Current Votes:
   ACCEPT(3) Baker, Cole, Magdych
   MODIFY(1) Frech
   NOOP(1) Christey
   REVIEWING(1) Wall

Voter Comments:
 Christey> ADDREF XF:mssql-xp-paraminfo-bo
   URL:http://xforce.iss.net/static/5622.php
 Frech> XF:mssql-xp-paraminfo-bo(5622)

======================================================
Name: CVE-2000-1084
Status: Candidate
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2000-1084
Phase: Proposed (20001219)
Category: SF
Reference: ATSTAKE:20001201 Microsoft SQL Server extended stored procedure vulnerability
Reference: URL:http://marc.theaimsgroup.com/?l=bugtraq&m=97570878710037&w=2
Reference: MS:MS00-092
Reference: URL:http://www.microsoft.com/technet/security/bulletin/ms00-092.asp
Reference: BID:2039
Reference: URL:http://www.securityfocus.com/bid/2039

The xp_updatecolvbm function in SQL Server and Microsoft SQL Server Desktop Engine (MSDE) does not properly restrict the length of a buffer before calling the srv_paraminfo function in the SQL Server API for Extended Stored Procedures (XP), which allows an attacker to cause a denial of service or execute arbitrary commands, aka the "Extended Stored Procedure Parameter Parsing" vulnerability.
Current Votes:
   ACCEPT(3) Baker, Cole, Magdych
   MODIFY(1) Frech
   NOOP(1) Christey
   REVIEWING(1) Wall

Voter Comments:
 Christey> ADDREF XF:mssql-xp-paraminfo-bo
   URL:http://xforce.iss.net/static/5622.php
 Frech> XF:mssql-xp-paraminfo-bo(5622)

======================================================
Name: CVE-2000-1085
Status: Candidate
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2000-1085
Phase: Proposed (20001219)
Category: SF
Reference: ATSTAKE:20001201 SQL Server 2000 Extended Stored Procedure Vulnerability
Reference: URL:http://marc.theaimsgroup.com/?l=bugtraq&m=97570884410184&w=2
Reference: MS:MS00-092
Reference: URL:http://www.microsoft.com/technet/security/bulletin/ms00-092.asp
Reference: BID:2040
Reference: URL:http://www.securityfocus.com/bid/2040

The xp_peekqueue function in Microsoft SQL Server 2000 and SQL Server Desktop Engine (MSDE) does not properly restrict the length of a buffer before calling the srv_paraminfo function in the SQL Server API for Extended Stored Procedures (XP), which allows an attacker to cause a denial of service or execute arbitrary commands, aka the "Extended Stored Procedure Parameter Parsing" vulnerability.

Current Votes:
   ACCEPT(4) Baker, Cole, Magdych, Wall
   MODIFY(1) Frech
   REVIEWING(1) Christey

Voter Comments:
 Christey> CVE-2000-1085, CVE-2000-1086, CVE-2000-1087, and CVE-2000-1088 all have abstraction issues; perhaps they should be RECAST into a single candidate.
 Christey> ADDREF XF:mssql-xp-paraminfo-bo
   URL:http://xforce.iss.net/static/5622.php
 Frech> XF:mssql-xp-paraminfo-bo(5622)

======================================================
Name: CVE-2000-1086
Status: Candidate
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2000-1086
Phase: Proposed (20001219)
Category: SF
Reference: ATSTAKE:20001201 SQL Server 2000 Extended Stored Procedure Vulnerability
Reference: URL:http://marc.theaimsgroup.com/?l=bugtraq&m=97570884410184&w=2
Reference: MS:MS00-092
Reference: URL:http://www.microsoft.com/technet/security/bulletin/ms00-092.asp
Reference: BID:2041
Reference: URL:http://www.securityfocus.com/bid/2041

The xp_printstatements function in Microsoft SQL Server 2000 and SQL Server Desktop Engine (MSDE) does not properly restrict the length of a buffer before calling the srv_paraminfo function in the SQL Server API for Extended Stored Procedures (XP), which allows an attacker to cause a denial of service or execute arbitrary commands, aka the "Extended Stored Procedure Parameter Parsing" vulnerability.

Current Votes:
   ACCEPT(4) Baker, Cole, Magdych, Wall
   MODIFY(1) Frech
   REVIEWING(1) Christey

Voter Comments:
 Christey> CVE-2000-1085, CVE-2000-1086, CVE-2000-1087, and CVE-2000-1088 all have abstraction issues; perhaps they should be RECAST into a single candidate.
 Christey> ADDREF XF:mssql-xp-paraminfo-bo
   URL:http://xforce.iss.net/static/5622.php
 Frech> XF:mssql-xp-paraminfo-bo(5622)

======================================================
Name: CVE-2000-1087
Status: Candidate
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2000-1087
Phase: Proposed (20001219)
Category: SF
Reference: ATSTAKE:20001201 SQL Server 2000 Extended Stored Procedure Vulnerability
Reference: URL:http://marc.theaimsgroup.com/?l=bugtraq&m=97570884410184&w=2
Reference: MS:MS00-092
Reference: URL:http://www.microsoft.com/technet/security/bulletin/ms00-092.asp
Reference: BID:2042
Reference: URL:http://www.securityfocus.com/bid/2042

The xp_proxiedmetadata function in Microsoft SQL Server 2000 and SQL Server Desktop Engine (MSDE) does not properly restrict the length of a buffer before calling the srv_paraminfo function in the SQL Server API for Extended Stored Procedures (XP), which allows an attacker to cause a denial of service or execute arbitrary commands, aka the "Extended Stored Procedure Parameter Parsing" vulnerability.

Current Votes:
   ACCEPT(4) Baker, Cole, Magdych, Wall
   MODIFY(1) Frech
   REVIEWING(1) Christey

Voter Comments:
 Christey> CVE-2000-1085, CVE-2000-1086, CVE-2000-1087, and CVE-2000-1088 all have abstraction issues; perhaps they should be RECAST into a single candidate.
 Christey> ADDREF XF:mssql-xp-paraminfo-bo
   URL:http://xforce.iss.net/static/5622.php
 Frech> XF:mssql-xp-paraminfo-bo(5622)

======================================================
Name: CVE-2000-1088
Status: Candidate
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2000-1088
Phase: Proposed (20001219)
Category: SF
Reference: ATSTAKE:20001201 SQL Server 2000 Extended Stored Procedure Vulnerability
Reference: URL:http://marc.theaimsgroup.com/?l=bugtraq&m=97570884410184&w=2
Reference: MS:MS00-092
Reference: URL:http://www.microsoft.com/technet/security/bulletin/ms00-092.asp
Reference: BID:2043
Reference: URL:http://www.securityfocus.com/bid/2043

The xp_SetSQLSecurity function in Microsoft SQL Server 2000 and SQL Server Desktop Engine (MSDE) does not properly restrict the length of a buffer before calling the srv_paraminfo function in the SQL Server API for Extended Stored Procedures (XP), which allows an attacker to cause a denial of service or execute arbitrary commands, aka the "Extended Stored Procedure Parameter Parsing" vulnerability.

Current Votes:
   ACCEPT(4) Baker, Cole, Magdych, Wall
   MODIFY(1) Frech
   REVIEWING(1) Christey

Voter Comments:
 Christey> CVE-2000-1085, CVE-2000-1086, CVE-2000-1087, and CVE-2000-1088 all have abstraction issues; perhaps they should be RECAST into a single candidate.
 Christey> ADDREF XF:mssql-xp-paraminfo-bo
   URL:http://xforce.iss.net/static/5622.php
 Frech> XF:mssql-xp-paraminfo-bo(5622)

======================================================
Name: CVE-2000-1090
Status: Candidate
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2000-1090
Phase: Proposed (20010202)
Category: SF
Reference: MISC:http://www.nsfocus.com/english/homepage/sa_08.htm
Reference: BID:2100
Reference: URL:http://www.securityfocus.com/bid/2100
Reference: XF:microsoft-iis-file-disclosure
Reference: URL:http://xforce.iss.net/static/5729.php

Microsoft IIS for Far East editions 4.0 and 5.0 allows remote attackers to read source code for parsed pages via a malformed URL that uses the lead-byte of a double-byte character.

Current Votes:
   ACCEPT(3) Baker, Frech, LeBlanc
   NOOP(1) Cole
   REVIEWING(3) Christey, Wall, Ziese

Voter Comments:
 LeBlanc> Fixed in SP2 for Win2K. NT 4.0 is not affected.
   bulletin MS99-022
 Christey> Need to add the Bugtraq references for this.
 CHANGE> [Christey changed vote from NOOP to REVIEWING]
 Christey> Is this really the same problem addressed by MS99-022, which is covered by CVE-1999-0725?

======================================================
Name: CVE-2000-1092
Status: Candidate
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2000-1092
Phase: Modified (20020327-01)
Category: SF
Reference: BUGTRAQ:20001213 NSFOCUS SA2000-09 : AHG EZshopper Loadpage.cgi File List
Reference: URL:http://marc.theaimsgroup.com/?l=bugtraq&m=97676270729984&w=2
Reference: BID:2109
Reference: URL:http://www.securityfocus.com/bid/2109
Reference: XF:ezshopper-cgi-file-disclosure(5740)
Reference: URL:http://xforce.iss.net/static/5740.php

loadpage.cgi CGI program in EZshopper 3.0 and 2.0 allows remote attackers to list and read files in the EZshopper data directory by inserting a "/" in front of the target filename in the "file" parameter.
Current Votes:
   ACCEPT(1) Baker
   MODIFY(1) Frech
   NOOP(4) Christey, Cole, Magdych, Wall

Voter Comments:
 Christey> This is documented in an NSFOCUS security advisory released sometime around December 11. Also, it's BID:2109.
 Christey> BUGTRAQ:20001213 NSFOCUS SA2000-09 : AHG EZshopper Loadpage.cgi File List
   http://marc.theaimsgroup.com/?l=bugtraq&m=97676270729984&w=2
   XF:ezshopper-cgi-file-disclosure
   URL:http://xforce.iss.net/static/5740.php
 Frech> XF:ezshopper-cgi-file-disclosure(5740)
 Christey> Followup posts indicate that this problem may have been discovered earlier than 20001213.

======================================================
Name: CVE-2000-1093
Status: Candidate
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2000-1093
Phase: Modified (20010417-01)
Category: SF
Reference: ATSTAKE:A121200-1
Reference: URL:http://www.atstake.com/research/advisories/2000/a121200-1.txt
Reference: XF:aim-remote-bo(5732)

Buffer overflow in AOL Instant Messenger before 4.3.2229 allows remote attackers to execute arbitrary commands via a long "goim" command.

Current Votes:
   ACCEPT(2) Baker, Wall
   MODIFY(1) Frech
   NOOP(1) Cole
   REVIEWING(1) Christey

Voter Comments:
 Frech> XF:aim-remote-bo(5732)
 Christey> CD:SF-LOC as currently written suggests merging this with CVE-2000-1094, since both describe buffer overflows in the same software version.
 Christey> Consider adding BID:2118

======================================================
Name: CVE-2000-1098
Status: Candidate
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2000-1098
Phase: Interim (20010117)
Category: SF
Reference: BUGTRAQ:20001201 Re: DoS in Sonicwall SOHO firewall
Reference: URL:http://archives.neohapsis.com/archives/bugtraq/2000-11/0439.html
Reference: BUGTRAQ:20001201 FW: SonicWALL SOHO Vulnerability (fwd)
Reference: URL:http://archives.neohapsis.com/archives/bugtraq/2000-11/0435.html

The web server for the SonicWALL SOHO firewall allows remote attackers to cause a denial of service via an empty GET or POST request.

Current Votes:
   ACCEPT(2) Baker, Cole
   MODIFY(1) Frech
   NOOP(1) Wall

Voter Comments:
 Frech> The company's name is SonicWALL.
 CHANGE> [Frech changed vote from REVIEWING to MODIFY]
 Frech> XF:sonicwall-empty-request-dos(6042)
   The company's name is SonicWALL.

======================================================
Name: CVE-2000-1100
Status: Candidate
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2000-1100
Phase: Proposed (20001219)
Category: SF
Reference: BUGTRAQ:20001130 PostACI Webmail Vulnerability
Reference: URL:http://archives.neohapsis.com/archives/bugtraq/2000-11/0433.html
Reference: BID:2029
Reference: URL:http://www.securityfocus.com/bid/2029

The default configuration for PostACI webmail system installs the /includes/global.inc configuration file within the web root, which allows remote attackers to read sensitive information such as database usernames and passwords via a direct HTTP GET request.
Current Votes:
   ACCEPT(1) Baker
   MODIFY(1) Frech
   NOOP(2) Cole, Wall

Voter Comments:
 Frech> XF:postaci-webmail-reveal-passwords(5612)

======================================================
Name: CVE-2000-1102
Status: Candidate
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2000-1102
Phase: Proposed (20001219)
Category: SF
Reference: BID:2008
Reference: URL:http://www.securityfocus.com/bid/2008
Reference: BUGTRAQ:20001126 Vulnerablity in PTlink3.5.3ircd + PTlink.Services.1.8.1...
Reference: URL:http://www.securityfocus.com/archive/1/147115

PTlink IRCD 3.5.3 and PTlink Services 1.8.1 allow remote attackers to cause a denial of service (server crash) via "mode +owgscfxeb" and "oper" commands.

Current Votes:
   ACCEPT(2) Baker, Cole
   MODIFY(1) Frech
   NOOP(1) Wall

Voter Comments:
 Frech> XF:ptlink-ircd-mode-dos(5589)

======================================================
Name: CVE-2000-1103
Status: Candidate
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2000-1103
Phase: Proposed (20001219)
Category: SF
Reference: BUGTRAQ:20001127 BSDi 3.0/4.0 rcvtty gid=tty exploit... (mh package)
Reference: URL:http://www.securityfocus.com/archive/1/147120
Reference: BID:2009
Reference: URL:http://www.securityfocus.com/bid/2009

rcvtty in BSD 3.0 and 4.0 does not properly drop privileges before executing a script, which allows local attackers to gain privileges by specifying an alternate Trojan horse script on the command line.
Current Votes:
   ACCEPT(1) Baker
   MODIFY(1) Frech
   NOOP(2) Cole, Wall

Voter Comments:
 Frech> XF:rcvtty-elevate-privileges(5587)

======================================================
Name: CVE-2000-1104
Status: Candidate
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2000-1104
Phase: Proposed (20001219)
Category: SF
Reference: MS:MS00-060
Reference: URL:http://www.microsoft.com/technet/security/bulletin/ms00-060.asp

Variant of the "IIS Cross-Site Scripting" vulnerability as originally discussed in MS:MS00-060 (CVE-2000-0746) allows a malicious web site operator to embed scripts in a link to a trusted site, which are returned without quoting in an error message back to the client. The client then executes those scripts in the same context as the trusted site.

Current Votes:
   ACCEPT(3) Baker, Cole, Wall
   MODIFY(1) Frech

Voter Comments:
 Frech> XF:iis-cross-site-scripting(5156)

======================================================
Name: CVE-2000-1105
Status: Candidate
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2000-1105
Phase: Proposed (20001219)
Category: SF
Reference: BUGTRAQ:20001110 IE 5.x Win2000 Indexing service vulnerability
Reference: URL:http://www.securityfocus.com/archive/1/144270
Reference: WIN2KSEC:20001110 IE 5.x Win2000 Indexing service vulnerability
Reference: URL:http://archives.neohapsis.com/archives/win2ksecadvice/2000-q4/0074.html
Reference: BID:1933
Reference: URL:http://www.securityfocus.com/bid/1933

The ixsso.query ActiveX Object is marked as safe for scripting, which allows malicious web site operators to embed a script that remotely determines the existence of files on visiting Windows 2000 systems that have Indexing Services enabled.
Current Votes:
   ACCEPT(2) Baker, Cole
   MODIFY(1) Frech
   REVIEWING(2) Christey, Wall

Voter Comments:
 Frech> XF:win2k-index-service-ixsso(5502)
 Christey> ADDREF MS:MS00-098
   ADDREF XF:win2k-index-service-activex
   URL:http://xforce.iss.net/static/5800.php
   Add 'aka the "Indexing Service File Enumeration" vulnerability' to the description.
 CHANGE> [Christey changed vote from NOOP to REVIEWING]
 Christey> DUPE CVE-2001-0245? Need to check w/Microsoft.

======================================================
Name: CVE-2000-1110
Status: Candidate
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2000-1110
Phase: Proposed (20001219)
Category: SF
Reference: BUGTRAQ:20001128 IBM Net.Data Local Path Disclosure Vulnerability?
Reference: URL:http://archives.neohapsis.com/archives/bugtraq/2000-11/0384.html
Reference: BID:2017
Reference: URL:http://www.securityfocus.com/bid/2017

document.d2w CGI program in the IBM Net.Data db2www package allows remote attackers to determine the physical path of the web server by sending a nonexistent command to the program.

Current Votes:
   ACCEPT(1) Baker
   MODIFY(1) Frech
   NOOP(2) Cole, Wall

Voter Comments:
 Frech> XF:ibm-netdata-reveal-path(5599)

======================================================
Name: CVE-2000-1114
Status: Candidate
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2000-1114
Phase: Proposed (20001219)
Category: SF
Reference: BUGTRAQ:20001121 Disclosure of JSP source code with ServletExec AS v3.0c + web instance
Reference: URL:http://archives.neohapsis.com/archives/bugtraq/2000-11/0285.html
Reference: BID:1970
Reference: URL:http://www.securityfocus.com/bid/1970

Unify ServletExec AS v3.0C allows remote attackers to read source code for JSP pages via an HTTP request that ends with characters such as ".", or "+", or "%20".
Current Votes:
   ACCEPT(1) Baker
   MODIFY(1) Frech
   NOOP(2) Cole, Wall

Voter Comments:
 Frech> XF:ewave-jsp-source-read(5562)

======================================================
Name: CVE-2000-1116
Status: Candidate
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2000-1116
Phase: Proposed (20001219)
Category: SF
Reference: WIN2KSEC:20001018 TransSoft's Broker FTP Server 3.x & 4.x Remote DoS attack Vulnerability
Reference: URL:http://archives.neohapsis.com/archives/win2ksecadvice/2000-q4/0041.html
Reference: XF:broker-ftp-username-dos
Reference: URL:http://xforce.iss.net/static/5388.php

Buffer overflow in TransSoft Broker FTP Server before 4.3.0.1 allows remote attackers to cause a denial of service and possibly execute arbitrary commands via a long command.

Current Votes:
   MODIFY(1) Frech
   NOOP(2) Cole, Wall

Voter Comments:
 Frech> XF:broker-user-dos(3482)

======================================================
Name: CVE-2000-1117
Status: Candidate
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2000-1117
Phase: Proposed (20001219)
Category: SF
Reference: BUGTRAQ:20001124 Security Hole in ECL Feature of Java VM Embedded in Lotus Notes Client R5
Reference: URL:http://archives.neohapsis.com/archives/bugtraq/2000-11/0341.html
Reference: BID:1994
Reference: URL:http://www.securityfocus.com/bid/1994

The Extended Control List (ECL) feature of the Java Virtual Machine (JVM) in Lotus Notes Client R5 allows malicious web site operators to determine the existence of files on the client by measuring delays in the execution of the getSystemResource method.
Current Votes:
   ACCEPT(1) Baker
   MODIFY(1) Frech
   NOOP(2) Cole, Wall

Voter Comments:
 Frech> XF:lotus-notes-verify-files(5565)

======================================================
Name: CVE-2000-1118
Status: Candidate
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2000-1118
Phase: Proposed (20001219)
Category: SF
Reference: BUGTRAQ:20001127 24Link Webserver
Reference: URL:http://archives.neohapsis.com/archives/bugtraq/2000-11/0369.html

24Link 1.06 web server allows remote attackers to bypass access restrictions by prepending strings such as "/+/" or "/." to the HTTP GET request.

Current Votes:
   ACCEPT(1) Baker
   MODIFY(1) Frech
   NOOP(2) Cole, Wall

Voter Comments:
 Frech> XF:24link-bypass-authentication(5930)

======================================================
Name: CVE-2000-1125
Status: Candidate
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2000-1125
Phase: Proposed (20001219)
Category: SF
Reference: BUGTRAQ:20001104 Redhat 6.2 restore exploit
Reference: URL:http://marc.theaimsgroup.com/?l=bugtraq&m=97336034309944&w=2
Reference: BID:1914
Reference: URL:http://www.securityfocus.com/bid/1914

restore 0.4b15 and earlier in Red Hat Linux 6.2 trusts the pathname specified by the RSH environmental variable, which allows local users to obtain root privileges by modifying the RSH variable to point to a Trojan horse program.
Current Votes:
   ACCEPT(2) Baker, Cole
   MODIFY(1) Frech
   NOOP(2) Christey, Wall

Voter Comments:
 Frech> XF:restore-rsh-executable(5483)
 Christey> CERT-VN:VU#960877
   URL:http://www.kb.cert.org/vuls/id/960877

======================================================
Name: CVE-2000-1126
Status: Candidate
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2000-1126
Phase: Modified (20090302)
Category: SF
Reference: HP:HPSBUX0011-130
Reference: URL:http://www.securityfocus.com/advisories/2850
Reference: BID:1954
Reference: URL:http://www.securityfocus.com/bid/1954
Reference: OVAL:oval:org.mitre.oval:def:5655
Reference: URL:http://oval.mitre.org/repository/data/getDef?id=oval:org.mitre.oval:def:5655

Vulnerability in auto_parms and set_parms in HP-UX 11.00 and earlier allows remote attackers to execute arbitrary commands or cause a denial of service.

Current Votes:
   ACCEPT(3) Armstrong, Baker, Cole
   MODIFY(1) Frech
   NOOP(1) Wall

Voter Comments:
 Frech> XF:hpux-autoparms-execute-commands(5961)

======================================================
Name: CVE-2000-1127
Status: Candidate
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2000-1127
Phase: Proposed (20001219)
Category: SF
Reference: BUGTRAQ:20001108 HP-UX 10.20 resource monitor service
Reference: URL:http://www.securityfocus.com/archive/1/143845
Reference: BID:1919
Reference: URL:http://www.securityfocus.com/bid/1919

registrar in the HP resource monitor service allows local users to read and modify arbitrary files by renaming the original registrar.log log file and creating a symbolic link to the target file, to which registrar appends log information and sets the permissions to be world readable.
Current Votes:
   MODIFY(1) Frech
   NOOP(2) Cole, Wall

Voter Comments:
 Frech> XF:hp-registrar-file-read(5485)

======================================================
Name: CVE-2000-1128
Status: Candidate
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2000-1128
Phase: Proposed (20001219)
Category: CF
Reference: NTBUGTRAQ:20001103 Elevation of Privileges Exploit with McAfee VirusScan 4.5
Reference: URL:http://archives.neohapsis.com/archives/ntbugtraq/2000-q4/0073.html
Reference: BID:1920
Reference: URL:http://www.securityfocus.com/bid/1920

The default configuration of McAfee VirusScan 4.5 does not quote the ImagePath variable, which improperly sets the search path and allows local users to place a Trojan horse "common.exe" program in the C:\Program Files directory.

Current Votes:
   ACCEPT(1) Cole
   MODIFY(1) Frech
   REVIEWING(1) Wall

Voter Comments:
 Frech> XF:nai-virusscan-unquoted-imagepath(5484)

======================================================
Name: CVE-2000-1129
Status: Candidate
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2000-1129
Phase: Proposed (20001219)
Category: SF
Reference: BUGTRAQ:20001123 McAfee WebShield SMTP vulnerabilities
Reference: URL:http://archives.neohapsis.com/archives/bugtraq/2000-11/0324.html
Reference: BID:1999
Reference: URL:http://www.securityfocus.com/bid/1999

McAfee WebShield SMTP 4.5 allows remote attackers to cause a denial of service via a malformed recipient field.
Current Votes:
   ACCEPT(1) Baker
   MODIFY(1) Frech
   NOOP(1) Cole
   REVIEWING(1) Wall

Voter Comments:
 Frech> XF:webshield-smtp-recpt-dos(5572)

======================================================
Name: CVE-2000-1130
Status: Candidate
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2000-1130
Phase: Proposed (20001219)
Category: SF
Reference: BUGTRAQ:20001123 McAfee WebShield SMTP vulnerabilities
Reference: URL:http://archives.neohapsis.com/archives/bugtraq/2000-11/0324.html
Reference: BID:1993
Reference: URL:http://www.securityfocus.com/bid/1993

McAfee WebShield SMTP 4.5 allows remote attackers to bypass email content filtering rules by including Extended ASCII characters in name of the attachment.

Current Votes:
   ACCEPT(1) Baker
   MODIFY(1) Frech
   NOOP(2) Christey, Cole
   REVIEWING(1) Wall

Voter Comments:
 Frech> XF:webshield-smtp-filter-bypass(5571)
 Christey> Fix typo: "in name"

======================================================
Name: CVE-2000-1133
Status: Candidate
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2000-1133
Phase: Proposed (20001219)
Category: SF
Reference: BUGTRAQ:20001106 Authentix Security Advisory
Reference: URL:http://marc.theaimsgroup.com/?l=bugtraq&m=97353881829760&w=2
Reference: BUGTRAQ:20001107 Explanation Authentix Input Validation Error
Reference: URL:http://marc.theaimsgroup.com/?l=bugtraq&m=97362374200478&w=2
Reference: BID:1907
Reference: URL:http://www.securityfocus.com/bid/1907

Authentix Authentix100 allows remote attackers to bypass authentication by inserting a . (dot) into the URL for a protected directory.
Current Votes:
   MODIFY(1) Frech
   NOOP(2) Cole, Wall

Voter Comments:
 Frech> XF:flicks-authentix-url-info(5477)

======================================================
Name: CVE-2000-1134
Status: Candidate
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2000-1134
Phase: Modified (20061101)
Category: SF
Reference: BUGTRAQ:20001028 tcsh: unsafe tempfile in << redirects
Reference: URL:http://archives.neohapsis.com/archives/bugtraq/2000-10/0418.html
Reference: BUGTRAQ:20001130 [ADV/EXP]: RH6.x root from bash /tmp vuln + MORE
Reference: URL:http://marc.theaimsgroup.com/?l=bugtraq&m=97561816504170&w=2
Reference: BUGTRAQ:20001128 /bin/sh creates insecure tmp files
Reference: URL:http://www.securityfocus.com/archive/1/146657
Reference: CALDERA:CSSA-2000-043.0
Reference: URL:http://www.calderasystems.com/support/security/advisories/CSSA-2000-043.0.txt
Reference: CALDERA:CSSA-2000-042.0
Reference: URL:http://www.calderasystems.com/support/security/advisories/CSSA-2000-042.0.txt
Reference: COMPAQ:SSRT1-41U
Reference: URL:http://archives.neohapsis.com/archives/tru64/2002-q1/0009.html
Reference: CONECTIVA:CLSA-2000:354
Reference: URL:http://distro.conectiva.com.br/atualizacoes/?id=a&anuncio=000354
Reference: DEBIAN:20001111a
Reference: URL:http://www.debian.org/security/2000/20001111a
Reference: FREEBSD:FreeBSD-SA-00:76
Reference: URL:ftp://ftp.FreeBSD.org/pub/FreeBSD/CERT/advisories/FreeBSD-SA-00:76.tcsh-csh.asc
Reference: MANDRAKE:MDKSA-2000-069
Reference: URL:http://www.linux-mandrake.com/en/security/MDKSA-2000-069.php3
Reference: MANDRAKE:MDKSA-2000:075
Reference: URL:http://www.linux-mandrake.com/en/security/MDKSA-2000-075.php3
Reference: REDHAT:RHSA-2000:117
Reference: URL:http://www.redhat.com/support/errata/RHSA-2000-117.html
Reference: REDHAT:RHSA-2000:121
Reference: URL:http://www.redhat.com/support/errata/RHSA-2000-121.html
Reference: SGI:20011103-02-P
Reference: URL:ftp://patches.sgi.com/support/free/security/advisories/20011103-02-P
Reference: CERT-VN:VU#10277
Reference: URL:http://www.kb.cert.org/vuls/id/10277
Reference: BID:1926
Reference: URL:http://www.securityfocus.com/bid/1926
Reference: BID:2006
Reference: URL:http://www.securityfocus.com/bid/2006
Reference: CONECTIVA:CLA-2000:350
Reference: URL:http://distro.conectiva.com.br/atualizacoes/?id=a&anuncio=000350
Reference: OVAL:oval:org.mitre.oval:def:4047
Reference: URL:http://oval.mitre.org/repository/data/getDef?id=oval:org.mitre.oval:def:4047

Multiple shell programs on various Unix systems, including (1) tcsh, (2) csh, (3) sh, and (4) bash, follow symlinks when processing << redirects (aka here-documents or in-here documents), which allows local users to overwrite files of other users via a symlink attack.

Current Votes:
   ACCEPT(2) Baker, Cole
   MODIFY(1) Frech
   NOOP(1) Wall
   REVIEWING(1) Christey

Voter Comments:
 Frech> XF:linux-bash-tmp-symlink(5593)
 Christey> Don't all these shell programs originate from the same codebase, including ksh? If so, we should have a single CAN for all of these, and add:
   XF:ksh-redirection-symlink
   URL:http://xforce.iss.net/static/5811.php
   CONECTIVA:CLA-2000:354
   BUGTRAQ:20001208 Immunix OS Security update for tcsh
   http://archives.neohapsis.com/archives/linux/immunix/2000-q4/0041.html
   BUGTRAQ:20001220 /bin/ksh creates insecure tmp files
   http://archives.neohapsis.com/archives/bugtraq/2000-12/0368.html
   BUGTRAQ:20001227 IBM Findings: Korn Shell Redirection Race Condition Vulnerability
   http://archives.neohapsis.com/archives/bugtraq/2000-12/0473.html
   Also see: http://archives.neohapsis.com/archives/bugtraq/2000-12/0420.html which gives some shell history which may be of use.
 Christey> ADDREF FREEBSD:FreeBSD-SA-01:03 for the bash problem.
 Christey> Consider adding BID:2148 if this CAN should include ksh
 Christey> SGI:20011103-01-I
   URL:ftp://patches.sgi.com/support/free/security/advisories/20011103-01-I
   Also, DELREF BID:2148 and BID:1926.
   Keep BID:2006
 Christey> COMPAQ:SSRT1-41U
   URL:http://ftp.support.compaq.com/patches/.new/html/SSRT0742U-59U.shtml
   CERT-VN:VU#10277
   URL:http://www.kb.cert.org/vuls/id/10277
 Christey> SGI:20011103-02-P
   URL:ftp://patches.sgi.com/support/free/security/advisories/20011103-02-P
   Note that this is an update of the other SGI reference.
 Christey> CALDERA:CSSA-2001-SCO.24
   URL:ftp://stage.caldera.com/pub/security/openserver/CSSA-2001-SCO.24.1/CSSA-2001-SCO.24.1.txt
   CERT-VN:VU#10277
   URL:http://www.kb.cert.org/vuls/id/10277
 Christey> Missing BID - BID:1926
 Christey> HP:SSRT3618
   URL:http://archives.neohapsis.com/archives/hp/2003-q3/0042.html

======================================================
Name: CVE-2000-1138
Status: Candidate
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2000-1138
Phase: Proposed (20001219)
Category: SF
Reference: BUGTRAQ:20001108 Lotus Notes R5 clients - no warning for broken signature or encryption
Reference: URL:http://marc.theaimsgroup.com/?l=bugtraq&m=97370725220953&w=2
Reference: BID:1925
Reference: URL:http://www.securityfocus.com/bid/1925

Lotus Notes R5 client R5.0.5 and earlier does not properly warn users when an S/MIME email message has been modified, which could allow an attacker to modify the email in transit without being detected.
Current Votes:
   MODIFY(1) Frech
   NOOP(2) Cole, Wall

Voter Comments:
 Frech> XF:lotus-notes-r5-mime(5492)

======================================================
Name: CVE-2000-1147
Status: Candidate
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2000-1147
Phase: Modified (20010116-01)
Category: SF
Reference: BUGTRAQ:20001103 IIS ASP $19.95 hack - IISHack 1.5
Reference: URL:http://www.securityfocus.com/archive/1/143070
Reference: BID:1911
Reference: URL:http://www.securityfocus.com/bid/1911
Reference: XF:iis-isapi-asp-bo
Reference: URL:http://xforce.iss.net/static/5510.php

Buffer overflow in IIS ISAPI .ASP parsing mechanism allows attackers to execute arbitrary commands via a long string to the "LANGUAGE" argument in a script tag.

Current Votes:
   ACCEPT(2) Baker, Wall
   MODIFY(1) Frech
   NOOP(1) Cole
   RECAST(1) LeBlanc
   REVIEWING(1) Christey

Voter Comments:
 Frech> XF:iis-isapi-asp-bo(5510)
 Christey> Consult Microsoft on this one.
 LeBlanc> This one was already fixed in several hotfixes when it was found. I'm not sure what the content decision is on this. It is a valid problem, but it was already fixed when announced. I will go along with an accept vote once it is modified to show fixes.

======================================================
Name: CVE-2000-1150
Status: Candidate
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2000-1150
Phase: Proposed (20001219)
Category: SF
Reference: BUGTRAQ:20001113 beos vulnerabilities
Reference: URL:http://archives.neohapsis.com/archives/bugtraq/2000-11/0203.html

Felix IRC client in BeOS r5 pro and earlier allows remote attackers to conduct a denial of service via a message that contains a long URL.
Current Votes:
   ACCEPT(1) Baker
   MODIFY(1) Frech
   NOOP(3) Armstrong, Cole, Wall

Voter Comments:
 Frech> XF:felix-irc-long-url(5520)

======================================================
Name: CVE-2000-1151
Status: Candidate
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2000-1151
Phase: Proposed (20001219)
Category: SF
Reference: BUGTRAQ:20001113 beos vulnerabilities
Reference: URL:http://archives.neohapsis.com/archives/bugtraq/2000-11/0203.html

Baxter IRC client in BeOS r5 pro and earlier allows remote attackers to conduct a denial of service via a message that contains a long URL.

Current Votes:
   ACCEPT(1) Baker
   MODIFY(1) Frech
   NOOP(3) Armstrong, Cole, Wall

Voter Comments:
 Frech> XF:baxter-irc-bo(5518)

======================================================
Name: CVE-2000-1152
Status: Candidate
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2000-1152
Phase: Proposed (20001219)
Category: SF
Reference: BUGTRAQ:20001113 beos vulnerabilities
Reference: URL:http://archives.neohapsis.com/archives/bugtraq/2000-11/0203.html

Browser IRC client in BeOS r5 pro and earlier allows remote attackers to conduct a denial of service via a message that contains a long URL.

Current Votes:
   ACCEPT(1) Baker
   MODIFY(1) Frech
   NOOP(3) Armstrong, Cole, Wall

Voter Comments:
 Frech> XF:bowser-irc-dos(5964)

======================================================
Name: CVE-2000-1153
Status: Candidate
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2000-1153
Phase: Proposed (20001219)
Category: SF
Reference: BUGTRAQ:20001113 beos vulnerabilities
Reference: URL:http://archives.neohapsis.com/archives/bugtraq/2000-11/0203.html

PostMaster 1.0 in BeOS r5 pro and earlier allows remote attackers to conduct a denial of service via a message that contains a long URL.
Current Votes:
   ACCEPT(1) Baker
   MODIFY(1) Frech
   NOOP(3) Armstrong, Cole, Wall

Voter Comments:
 Frech> XF:postmaster-long-url-bo(5522)

======================================================
Name: CVE-2000-1154
Status: Candidate
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2000-1154
Phase: Proposed (20001219)
Category: SF
Reference: BUGTRAQ:20001113 beos vulnerabilities
Reference: URL:http://archives.neohapsis.com/archives/bugtraq/2000-11/0203.html

RHConsole in RobinHood 1.1 web server in BeOS r5 pro and earlier allows remote attackers to cause a denial of service via a long HTTP request.

Current Votes:
   ACCEPT(1) Baker
   MODIFY(1) Frech
   NOOP(3) Armstrong, Cole, Wall

Voter Comments:
 Frech> XF:robinhood-cpp-request-bo(5521)

======================================================
Name: CVE-2000-1155
Status: Candidate
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2000-1155
Phase: Proposed (20001219)
Category: SF
Reference: BUGTRAQ:20001113 beos vulnerabilities
Reference: URL:http://archives.neohapsis.com/archives/bugtraq/2000-11/0203.html

RHDaemon in RobinHood 1.1 web server in BeOS r5 pro and earlier allows remote attackers to cause a denial of service via a long HTTP request.
Current Votes:
   ACCEPT(1) Baker
   MODIFY(1) Frech
   NOOP(3) Armstrong, Cole, Wall

Voter Comments:
 Frech> XF:robinhood-cpp-request-bo(5521)

======================================================
Name: CVE-2000-1156
Status: Candidate
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2000-1156
Phase: Modified (20010116-01)
Category: SF
Reference: BUGTRAQ:20001108 StarOffice 5.2 Temporary Dir Vulnerability
Reference: URL:http://archives.neohapsis.com/archives/bugtraq/2000-11/0115.html
Reference: BID:1922
Reference: URL:http://www.securityfocus.com/bid/1922
Reference: XF:staroffice-tmp-sym-link
Reference: URL:http://xforce.iss.net/static/5487.php

StarOffice 5.2 follows symlinks and sets world-readable permissions for the /tmp/soffice.tmp directory, which allows a local user to read files of the user who is using StarOffice.

Current Votes:
   ACCEPT(3) Baker, Cole, Dik
   MODIFY(1) Frech
   NOOP(1) Wall
   REVIEWING(1) Christey

Voter Comments:
 Frech> XF:staroffice-tmp-sym-link(5487)
 Christey> Consult Sun on this one.
 Dik> Supposedly fixed in Soffice 5.1 Service pack 1

======================================================
Name: CVE-2000-1157
Status: Candidate
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2000-1157
Phase: Proposed (20001219)
Category: SF
Reference: BUGTRAQ:20001102 Remotely exploitable buffer overflow in NAI's Distributed Sniffer Agent
Reference: URL:http://archives.neohapsis.com/archives/bugtraq/2000-11/0038.html
Reference: BID:1901
Reference: URL:http://www.securityfocus.com/bid/1901

Buffer overflow in NAI Sniffer Agent allows remote attackers to execute arbitrary commands via a long SNMP community name.
Current Votes:
   MODIFY(1) Frech
   NOOP(2) Cole, Wall

Voter Comments:
 Frech> XF:sniffer-agent-snmp-bo(5455)

======================================================
Name: CVE-2000-1158
Status: Candidate
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2000-1158
Phase: Proposed (20001219)
Category: SF
Reference: BUGTRAQ:20001102 Remotely exploitable buffer overflow in NAI's Distributed Sniffer Agent
Reference: URL:http://archives.neohapsis.com/archives/bugtraq/2000-11/0038.html

NAI Sniffer Agent uses base64 encoding for authentication, which allows attackers to sniff the network and easily decrypt usernames and passwords.

Current Votes:
   MODIFY(1) Frech
   NOOP(2) Cole, Wall

Voter Comments:
 Frech> XF:sniffer-agent-weak-authentication(5951)

======================================================
Name: CVE-2000-1159
Status: Candidate
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2000-1159
Phase: Proposed (20001219)
Category: SF
Reference: BUGTRAQ:20001102 Remotely exploitable buffer overflow in NAI's Distributed Sniffer Agent
Reference: URL:http://archives.neohapsis.com/archives/bugtraq/2000-11/0038.html
Reference: BID:1902
Reference: URL:http://www.securityfocus.com/bid/1902

NAI Sniffer Agent allows remote attackers to gain privileges on the agent by sniffing the initial UDP authentication packets and spoofing commands.

Current Votes:
   ACCEPT(2) Baker, Cole
   MODIFY(1) Frech
   NOOP(1) Wall
   REVIEWING(1) Christey

Voter Comments:
 Frech> XF:sniffer-agent-snmp-bo(5455)
 Christey> Consult NAI on this one.
======================================================
Name: CVE-2000-1160
Status: Candidate
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2000-1160
Phase: Proposed (20001219)
Category: SF
Reference: BUGTRAQ:20001102 Remotely exploitable buffer overflow in NAI's Distributed Sniffer Agent
Reference: URL:http://archives.neohapsis.com/archives/bugtraq/2000-11/0038.html
Reference: BID:1903
Reference: URL:http://www.securityfocus.com/bid/1903

NAI Sniffer Agent allows remote attackers to cause a denial of service (crash) by sending a large number of login requests.

Current Votes:
   ACCEPT(2) Baker, Cole
   MODIFY(1) Frech
   NOOP(1) Wall
   REVIEWING(1) Christey

Voter Comments:
 Frech> XF:sniffer-agent-login-dos(5456)
 Christey> Consult NAI on this one.

======================================================
Name: CVE-2000-1161
Status: Candidate
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2000-1161
Phase: Proposed (20001219)
Category: CF
Reference: BUGTRAQ:20001120 security problem in AdCycle installation
Reference: URL:http://archives.neohapsis.com/archives/bugtraq/2000-11/0271.html
Reference: BID:1969
Reference: URL:http://www.securityfocus.com/bid/1969

The installation of AdCycle banner management system leaves the build.cgi program in a web-accessible directory, which allows remote attackers to execute the program and view passwords or delete databases.
Current Votes:
   ACCEPT(1) Baker
   MODIFY(1) Frech
   NOOP(3) Armstrong, Cole, Wall

Voter Comments:
 Frech> XF:adcycle-password-disclosure(5559)

======================================================
Name: CVE-2000-1168
Status: Candidate
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2000-1168
Phase: Proposed (20001219)
Category: SF
Reference: BUGTRAQ:20001123 IBM HTTP Server 1.3.6 Remote Overflow
Reference: URL:http://marc.theaimsgroup.com/?l=bugtraq&m=97502498610979&w=2
Reference: BID:1988
Reference: URL:http://www.securityfocus.com/bid/1988

IBM HTTP Server 1.3.6 (based on Apache) allows remote attackers to cause a denial of service and possibly execute arbitrary commands via a long GET request.

Current Votes:
   ACCEPT(2) Baker, Cole
   MODIFY(1) Frech
   NOOP(1) Wall
   REVIEWING(1) Christey

Voter Comments:
 Frech> XF:ibm-http-server-dos(5577)
 Christey> Consult Troy Bollinger on this one.

======================================================
Name: CVE-2000-1172
Status: Candidate
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2000-1172
Phase: Proposed (20001219)
Category: SF
Reference: BUGTRAQ:20001110 Advisory: Gaim remote vulnerability
Reference: URL:http://archives.neohapsis.com/archives/bugtraq/2000-11/0204.html
Reference: BID:1948
Reference: URL:http://www.securityfocus.com/bid/1948

Buffer overflow in Gaim 0.10.3 and earlier using the OSCAR protocol allows remote attackers to conduct a denial of service and possibly execute arbitrary commands via a long HTML tag.
Current Votes:
   MODIFY(1) Frech
   NOOP(2) Cole, Wall

Voter Comments:
 Frech> XF:gaim-remote-bo(5511)

======================================================
Name: CVE-2000-1173
Status: Candidate
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2000-1173
Phase: Proposed (20001219)
Category: SF
Reference: BUGTRAQ:20001122 CyberPatrol - poor credit card protection
Reference: URL:http://archives.neohapsis.com/archives/bugtraq/2000-11/0323.html
Reference: BID:1977
Reference: URL:http://www.securityfocus.com/bid/1977

Microsys CyberPatrol uses weak encryption (trivial encoding) for credit card numbers and uses no encryption for the remainder of the information during registration, which could allow attackers to sniff network traffic and obtain this sensitive information.

Current Votes:
   ACCEPT(2) Baker, Cole
   MODIFY(1) Frech
   NOOP(1) Wall

Voter Comments:
 Frech> XF:cyberpatrol-insecure-data(5578)

======================================================
Name: CVE-2000-1175
Status: Candidate
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2000-1175
Phase: Proposed (20001219)
Category: SF
Reference: BUGTRAQ:20001120 local exploit for linux's Koules1.4 package
Reference: URL:http://www.securityfocus.com/archive/1/145823
Reference: BID:1967
Reference: URL:http://www.securityfocus.com/bid/1967

Buffer overflow in Koules 1.4 allows local users to execute arbitrary commands via a long command line argument.
Current Votes:
   ACCEPT(1) Baker
   MODIFY(1) Frech
   NOOP(3) Armstrong, Cole, Wall

Voter Comments:
 Frech> XF:koules-svgalib-bo(5558)

======================================================
Name: CVE-2000-1176
Status: Candidate
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2000-1176
Phase: Proposed (20001219)
Category: SF
Reference: BUGTRAQ:20001107 Insecure input balidation in YaBB Search.pl
Reference: URL:http://archives.neohapsis.com/archives/bugtraq/2000-11/0110.html
Reference: BID:1921
Reference: URL:http://www.securityfocus.com/bid/1921

Directory traversal vulnerability in YaBB search.pl CGI script allows remote attackers to read arbitrary files via a .. (dot dot) attack in the "catsearch" form field.

Current Votes:
   MODIFY(1) Frech
   NOOP(2) Cole, Wall

Voter Comments:
 Frech> XF:yabb-search-format-string(5501)

======================================================
Name: CVE-2000-1177
Status: Candidate
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2000-1177
Phase: Proposed (20001219)
Category: SF
Reference: BUGTRAQ:20001121 Big Brother Advisory - Fate Research Labs
Reference: URL:http://archives.neohapsis.com/archives/bugtraq/2000-11/0284.html
Reference: CONFIRM:http://bb4.com/incident.nov21
Reference: BID:1971
Reference: URL:http://www.securityfocus.com/bid/1971

bb-hist.sh, bb-histlog.sh, bb-hostsvc.sh, bb-rep.sh, bb-replog.sh, and bb-ack.sh in Big Brother (BB) before 1.5d3 allow remote attackers to determine the existence of files and user IDs by specifying the target file in the HISTFILE parameter.
Current Votes:
   ACCEPT(3) Armstrong, Baker, Cole
   MODIFY(1) Frech
   NOOP(1) Wall

Voter Comments:
 Frech> XF:bb-cgi-brute-force(5560)

======================================================
Name: CVE-2000-1183
Status: Candidate
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2000-1183
Phase: Proposed (20001219)
Category: SF
Reference: BUGTRAQ:20001115 socks5 remote exploit / linux x86
Reference: URL:http://archives.neohapsis.com/archives/bugtraq/2000-11/0219.html

Buffer overflow in socks5 server on Linux allows attackers to execute arbitrary commands via a long connection request.

Current Votes:
   MODIFY(1) Frech
   NOOP(3) Armstrong, Cole, Wall

Voter Comments:
 CHANGE> [Armstrong changed vote from REVIEWING to NOOP]
 CHANGE> [Frech changed vote from REVIEWING to MODIFY]
 Frech> XF:linux-socks5-connection-bo(8376)

======================================================
Name: CVE-2000-1185
Status: Candidate
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2000-1185
Phase: Proposed (20001219)
Category: SF
Reference: BUGTRAQ:20001113 Rideway PN Telnet DoS
Reference: URL:http://archives.neohapsis.com/archives/bugtraq/2000-11/0201.html
Reference: BID:1938
Reference: URL:http://www.securityfocus.com/bid/1938

The telnet proxy in RideWay PN proxy server allows remote attackers to cause a denial of service via a flood of connections that contain malformed requests.
Current Votes:
   ACCEPT(1) Baker
   MODIFY(1) Frech
   NOOP(3) Armstrong, Cole, Wall

Voter Comments:
 Frech> XF:rideway-pn-proxy-dos(5525)

======================================================
Name: CVE-2000-1186
Status: Candidate
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2000-1186
Phase: Modified (20010122-01)
Category: SF
Reference: BUGTRAQ:20001115 Exploit: phf buffer overflow (CGI)
Reference: URL:http://archives.neohapsis.com/archives/bugtraq/2000-11/0221.html
Reference: XF:phf-cgi-bo(5970)
Reference: URL:http://xforce.iss.net/static/5970.php

Buffer overflow in phf CGI program allows remote attackers to execute arbitrary commands by specifying a large number of arguments and including a long MIME header.

Current Votes:
   ACCEPT(1) Baker
   MODIFY(1) Frech
   NOOP(3) Armstrong, Cole, Wall

Voter Comments:
 CHANGE> [Frech changed vote from REVIEWING to MODIFY]
 Frech> XF:phf-cgi-bo(5970)

======================================================
Name: CVE-2000-1188
Status: Candidate
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2000-1188
Phase: Modified (20060413)
Category: SF
Reference: BUGTRAQ:20001120 Cgisecurity Quickstore Shopping cart
Reference: URL:http://archives.neohapsis.com/archives/bugtraq/2000-11/0283.html

Directory traversal vulnerability in Quikstore shopping cart program allows remote attackers to read arbitrary files via a .. (dot dot) attack in the "page" parameter.

Current Votes:
   ACCEPT(1) Baker
   MODIFY(1) Frech
   NOOP(3) Armstrong, Cole, Wall

Voter Comments:
 Frech> XF:quikstore-cgi-read-files(5561)
 Armstrong> in Description: change rmeote to remote.
======================================================
Name: CVE-2000-1191
Status: Candidate
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2000-1191
Phase: Modified (20100819)
Category: SF
Reference: MISC:http://www.securiteam.com/exploits/htDig_reveals_web_server_configuration_paths.html
Reference: BID:4366
Reference: URL:http://www.securityfocus.com/bid/4366
Reference: OVAL:oval:org.mitre.oval:def:10526
Reference: URL:http://oval.mitre.org/repository/data/getDef?id=oval:org.mitre.oval:def:10526
Reference: XF:htdig-htsearch-path-disclosure(7367)
Reference: URL:http://xforce.iss.net/xforce/xfdb/7367

htsearch program in htDig 3.2 beta, 3.1.6, 3.1.5, and earlier allows remote attackers to determine the physical path of the server by requesting a non-existent configuration file using the config parameter, which generates an error message that includes the full path.

Current Votes:
   ACCEPT(1) Stracener
   MODIFY(1) Frech
   NOOP(4) Cole, Foat, Wall, Williams

Voter Comments:
 Frech> XF:htdig-htsearch-path-disclosure(7367)
   MISC reference should be http://www.securiteam.com/exploits/5YQ0C000IU.html.

======================================================
Name: CVE-2000-1192
Status: Candidate
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2000-1192
Phase: Proposed (20010912)
Category: SF
Reference: MISC:http://www.securiteam.com/windowsntfocus/5ZP0C000KC.html
Reference: MISC:http://www.bttsoftware.co.uk/snmptrap.html
Reference: XF:snmp-trapwatcher-string-dos
Reference: BID:985
Reference: URL:http://www.securityfocus.com/bid/985

Buffer overflow in BTT Software SNMP Trap Watcher 1.16 allows remote attackers to cause a denial of service, and possibly execute arbitrary commands, via a long string trap.
Current Votes:
   ACCEPT(1) Frech
   NOOP(5) Cole, Foat, Stracener, Wall, Williams

======================================================
Name: CVE-2000-1194
Status: Candidate
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2000-1194
Phase: Proposed (20010912)
Category: SF
Reference: MISC:http://www.mdma.za.net/fk/FK9.zip
Reference: BID:1227
Reference: URL:http://www.securityfocus.com/bid/1227

Argosoft FTP server 1.0 allows remote attackers to cause a denial of service, and possibly execute arbitrary commands, via a long string to the (1) USER or (2) CWD commands.

Current Votes:
   ACCEPT(1) Williams
   MODIFY(1) Frech
   NOOP(4) Cole, Foat, Stracener, Wall

Voter Comments:
 Frech> XF:argosoft-ftp-bo(6553)
 Williams> %s/FRP/FTP
 CHANGE> [Williams changed vote from MODIFY to ACCEPT]

======================================================
Name: CVE-2000-1197
Status: Candidate
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2000-1197
Phase: Proposed (20010912)
Category:
Reference: BUGTRAQ:20000420 pop3d/imap DOS (while we're on the subject)
Reference: URL:http://marc.theaimsgroup.com/?l=bugtraq&m=95624629924545&w=2
Reference: FREEBSD:FreeBSD-SA-00:15
Reference: URL:ftp://ftp.FreeBSD.org/pub/FreeBSD/CERT/advisories/FreeBSD-SA-00:15.imap-uw.asc
Reference: BID:1132
Reference: URL:http://www.securityfocus.com/bid/1132

POP2 or POP3 server (pop3d) in imap-uw IMAP package on FreeBSD and other operating systems creates lock files with predictable names, which allows local users to cause a denial of service (lack of mail access) for other users by creating lock files for other mail boxes.
Current Votes:
   ACCEPT(4) Baker, Cole, Foat, Stracener
   MODIFY(1) Frech
   NOOP(1) Wall

Voter Comments:
 Foat> ACKNOWLEDGED-BY-VENDOR
 Frech> XF:freebsd-imap-uw(4335)
 Frech> Please change XF:freebsd-imap-uw(4335) to XF:pop-predictable-lockfile(4335)

======================================================
Name: CVE-2000-1198
Status: Candidate
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2000-1198
Phase: Proposed (20010912)
Category:
Reference: BUGTRAQ:20000420 pop3
Reference: URL:http://marc.theaimsgroup.com/?l=bugtraq&m=95634229925906&w=2
Reference: BUGTRAQ:20000420 pop3d/imap DOS (while we're on the subject)
Reference: URL:http://marc.theaimsgroup.com/?l=bugtraq&m=95624629924545&w=2
Reference: BID:1132
Reference: URL:http://www.securityfocus.com/bid/1132

qpopper POP server creates lock files with predictable names, which allows local users to cause a denial of service for other users (lack of mail access) by creating lock files for other mail boxes.

Current Votes:
   ACCEPT(3) Baker, Cole, Stracener
   MODIFY(1) Frech
   NOOP(2) Foat, Wall

Voter Comments:
 Frech> XF:pop-predictable-lockfile(4335)

======================================================
Name: CVE-2000-1199
Status: Candidate
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2000-1199
Phase: Proposed (20010912)
Category: SF
Reference: BUGTRAQ:20000423 Postgresql cleartext password storage
Reference: URL:http://marc.theaimsgroup.com/?l=bugtraq&m=95659987018649&w=2
Reference: XF:postgresql-plaintext-passwords(4364)
Reference: URL:http://xforce.iss.net/static/4364.php
Reference: BID:1139
Reference: URL:http://www.securityfocus.com/bid/1139

PostgreSQL stores usernames and passwords in plaintext in (1) pg_shadow and (2) pg_pwd, which allows attackers with sufficient privileges to gain access to databases.
Current Votes:
   ACCEPT(1) Frech
   NOOP(5) Cole, Foat, Stracener, Wall, Williams

======================================================
Name: CVE-2000-1201
Status: Candidate
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2000-1201
Phase: Proposed (20010912)
Category: SF
Reference: BUGTRAQ:20000707 Re: CheckPoint FW1 BUG
Reference: URL:http://archives.neohapsis.com/archives/bugtraq/2000-07/0085.html

Check Point FireWall-1 allows remote attackers to cause a denial of service (high CPU) via a flood of packets to port 264.

Current Votes:
   MODIFY(1) Frech
   NOOP(5) Cole, Foat, Stracener, Wall, Williams

Voter Comments:
 Frech> XF:fw1-portflood-dos(7368)

======================================================
Name: CVE-2000-1202
Status: Candidate
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2000-1202
Phase: Proposed (20010912)
Category: SF
Reference: BUGTRAQ:20000405 minor issue with IBM HTTPD and /usr/bin/ikeyman
Reference: URL:http://www.securityfocus.com/archive/1/54073
Reference: BID:1092
Reference: URL:http://www.securityfocus.com/bid/1092
Reference: XF:ibm-ikeyman(4235)
Reference: URL:http://xforce.iss.net/static/4235.php

ikeyman in IBM IBMHSSSB 1.0 sets the CLASSPATH environment variable to include the user's own CLASSPATH directories before the system's directories, which allows a malicious local user to execute arbitrary code as root via a Trojan horse Ikeyman class.
Current Votes:
   ACCEPT(2) Frech, Williams
   NOOP(4) Cole, Foat, Stracener, Wall

Voter Comments:
 Williams> :%s/IBMHSSSB/IBMHSSB

======================================================
Name: CVE-2000-1204
Status: Candidate
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2000-1204
Phase: Proposed (20020830)
Category: SF
Reference: CONFIRM:http://www.apacheweek.com/issues/00-10-13

Vulnerability in the mod_vhost_alias virtual hosting module for Apache 1.3.9, 1.3.11 and 1.3.12 allows remote attackers to obtain the source code for CGI programs if the cgi-bin directory is under the document root.

Current Votes:
   ACCEPT(5) Armstrong, Baker, Cole, Cox, Green
   MODIFY(1) Frech
   NOOP(2) Foat, Wall

Voter Comments:
 Frech> XF:apache-modvhostalias-source-disclosure(11088)

======================================================
Name: CVE-2000-1205
Status: Candidate
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2000-1205
Phase: Modified (20070926)
Category: SF
Reference: BUGTRAQ:20021223 Re: 'printenv' XSS vulnerability
Reference: URL:http://archive.cert.uni-stuttgart.de/bugtraq/2002/12/msg00243.html
Reference: CONFIRM:http://httpd.apache.org/info/css-security/apache_specific.html
Reference: BUGTRAQ:20021222 'printenv' XSS vulnerability
Reference: URL:http://archives.neohapsis.com/archives/bugtraq/2002-12/0233.html
Reference: BUGTRAQ:20070724 printenv.pl(all versions) cross site scripting Vulnerability
Reference: URL:http://marc.info/?l=bugtraq&m=118529436424127&w=2
Reference: XF:apache-printenv-xss(10938)
Reference: URL:http://xforce.iss.net/xforce/xfdb/10938
Reference: XF:apache-printenv-acuparam-xss(35597)
Reference: URL:http://xforce.iss.net/xforce/xfdb/35597

Cross site scripting vulnerabilities in Apache 1.3.0 through 1.3.11 allow remote attackers to execute script as other web site visitors via (1) the printenv CGI (printenv.pl), which does not encode its output, (2) pages generated by the ap_send_error_response function such as a default 404, which does not add an explicit charset, or (3) various messages that are generated by certain Apache modules or core code. NOTE: the printenv issue might still exist for web browsers that can render text/plain content types as HTML, such as Internet Explorer, but CVE regards this as a design limitation of those browsers, not Apache. The printenv.pl/acuparam vector, disclosed on 20070724, is one such variant.

Current Votes:
   ACCEPT(7) Armstrong, Baker, Cole, Cox, Foat, Green, Wall
   MODIFY(1) Frech

Voter Comments:
 Frech> XF:apache-printenv-xss(10938)

======================================================
Name: CVE-2000-1206
Status: Candidate
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2000-1206
Phase: Proposed (20020830)
Category: SF
Reference: CONFIRM:http://www.apacheweek.com/issues/00-01-07#status

Vulnerability in Apache httpd before 1.3.11, when configured for mass virtual hosting using mod_rewrite, or mod_vhost_alias in Apache 1.3.9, allows remote attackers to retrieve arbitrary files.

Current Votes:
   ACCEPT(6) Armstrong, Baker, Cole, Cox, Green, Wall
   MODIFY(1) Frech
   NOOP(1) Foat

Voter Comments:
 Frech> XF:apache-virtualhosting-obtain-files(11139)

======================================================
Name: CVE-2000-1207
Status: Candidate
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2000-1207
Phase: Proposed (20020830)
Category: SF
Reference: BUGTRAQ:20000930 glibc and userhelper - local root
Reference: URL:http://marc.theaimsgroup.com/?l=bugtraq&m=97034397026473&w=2
Reference: REDHAT:RHSA-2000:075
Reference: URL:http://www.redhat.com/support/errata/RHSA-2000-075.html
Reference: MANDRAKE:MDKSA-2000:059
Reference: URL:http://www.linux-mandrake.com/en/security/2000/MDKSA-2000-059.php3
Reference: BUGTRAQ:20001003 SuSE: userhelper/usermode
Reference: URL:http://marc.theaimsgroup.com/?l=bugtraq&m=97063854808796&w=2

userhelper in the usermode package on Red Hat Linux executes non-setuid programs as root, which does not activate the security measures in glibc and allows the programs to be exploited via format string vulnerabilities in glibc via the LANG or LC_ALL environment variables (CVE-2000-0844).

Current Votes:
   ACCEPT(6) Armstrong, Baker, Cole, Cox, Green, Wall
   MODIFY(1) Frech
   NOOP(1) Foat

Voter Comments:
 Frech> XF:usermode-userhelper-bypass-security(11089)

======================================================
Name: CVE-2000-1208
Status: Candidate
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2000-1208
Phase: Proposed (20020830)
Category: SF
Reference: BUGTRAQ:20000925 Format strings: bug #1: BSD-lpr
Reference: URL:http://marc.theaimsgroup.com/?l=bugtraq&m=96994604300675&w=2
Reference: REDHAT:RHSA-2000:066
Reference: URL:http://www.redhat.com/support/errata/RHSA-2000-066.html
Reference: MANDRAKE:MDKSA-2000:054
Reference: CONECTIVA:CLSA-2000:321
Reference: BUGTRAQ:20001004 Immunix OS Security Update for lpr
Reference: URL:http://online.securityfocus.com/archive/1/137555
Reference: XF:lpr-checkremote-format-string(5286)
Reference: URL:http://www.iss.net/security_center/static/5286.php
Reference: BID:1711
Reference: URL:http://www.securityfocus.com/bid/1711

Format string vulnerability in startprinting() function of printjob.c in BSD-based lpr lpd package may allow local users to gain privileges via an improper syslog call that uses format strings from the checkremote() call.
Current Votes:
   ACCEPT(6) Armstrong, Baker, Cole, Cox, Frech, Green
   NOOP(2) Foat, Wall

======================================================
Name: CVE-2000-1209
Status: Candidate
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2000-1209
Phase: Modified (20071113)
Category: SF
Reference: BUGTRAQ:20000710 MSDE / Re: Default Password Database
Reference: URL:http://marc.theaimsgroup.com/?l=bugtraq&m=96333895000350&w=2
Reference: BUGTRAQ:20000810 Tumbleweed Worldsecure (MMS) BLANK 'sa' account password
Reference: URL:http://marc.theaimsgroup.com/?l=bugtraq&m=96593218804850&w=2
Reference: BUGTRAQ:20000815 MS-SQL 'sa' user exploit code
Reference: URL:http://security-archive.merton.ox.ac.uk/bugtraq-200008/0233.html
Reference: BUGTRAQ:20000816 Released Patch: Tumbleweed Worldsecure (MMS) BLANK 'sa' account password
Reference: URL:http://marc.theaimsgroup.com/?l=bugtraq&m=96644570412692&w=2
Reference: BUGTRAQ:20020522 Opty-Way Enterprise includes MSDE with sa
Reference: URL:http://online.securityfocus.com/archive/1/273639
Reference: MSKB:Q313418
Reference: URL:http://support.microsoft.com/default.aspx?scid=kb;[LN];Q313418
Reference: MSKB:Q321081
Reference: URL:http://support.microsoft.com/default.aspx?scid=kb;EN-US;q321081
Reference: CONFIRM:http://www.microsoft.com/security/security_bulletins/ms02020_sql.asp
Reference: ISS:20020521 Microsoft SQL Spida Worm Propagation
Reference: CERT-VN:VU#635463
Reference: URL:http://www.kb.cert.org/vuls/id/635463
Reference: COMPAQ:SSRT2195
Reference: BID:4797
Reference: URL:http://www.securityfocus.com/bid/4797
Reference: OSVDB:3570
Reference: URL:http://www.osvdb.org/3570
Reference: XF:mssql-no-sapassword(1459)
Reference: URL:http://www.iss.net/security_center/static/1459.php

The "sa" account is installed with a default null password on (1) Microsoft SQL Server 2000, (2) SQL Server 7.0, and (3) Data Engine (MSDE) 1.0, including third party packages that use these products such as (4) Tumbleweed Secure Mail (MMS), (5) Compaq Insight Manager, and (6) Visio 2000, which allows remote attackers to gain privileges, as exploited by worms such as Voyager Alpha Force and Spida.

Current Votes:
   ACCEPT(5) Armstrong, Baker, Cole, Green, Wall
   MODIFY(1) Frech
   NOOP(3) Christey, Cox, Foat

Voter Comments:
 Frech> XF:tumbleweed-mms-blank-password(5072)
   XF:msde-mssql-default-password(9154)
   May overlap with CVE-2000-0772.
 Christey> fix desc - "installed with a default password" appears twice.

======================================================
Name: CVE-2000-1213
Status: Candidate
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2000-1213
Phase: Proposed (20020830)
Category: SF
Reference: BUGTRAQ:20001025 Immunix OS Security Update for ping package
Reference: URL:http://marc.theaimsgroup.com/?l=bugtraq&m=97249980727834&w=2
Reference: BUGTRAQ:20001030 Trustix Security Advisory - ping gnupg ypbind
Reference: URL:http://archives.neohapsis.com/archives/bugtraq/2000-10/0429.html
Reference: REDHAT:RHSA-2000:087
Reference: URL:http://www.redhat.com/support/errata/RHSA-2000-087.html

ping in iputils before 20001010, as distributed on Red Hat Linux 6.2 through 7J and other operating systems, does not drop privileges after acquiring a raw socket, which increases ping's exposure to bugs that otherwise would occur at lower privileges.

Current Votes:
   ACCEPT(7) Armstrong, Baker, Cole, Cox, Foat, Green, Wall
   MODIFY(1) Frech

Voter Comments:
 Frech> XF:iputils-ping-privileges(11090)

======================================================
Name: CVE-2000-1214
Status: Candidate
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2000-1214
Phase: Proposed (20020830)
Category: SF
Reference: BUGTRAQ:20001025 Immunix OS Security Update for ping package
Reference: URL:http://marc.theaimsgroup.com/?l=bugtraq&m=97249980727834&w=2
Reference: BUGTRAQ:20001020 Re: [RHSA-2000:087-02] Potential security problems in ping fixed.
Reference: URL:http://marc.theaimsgroup.com/?l=bugtraq&m=97208562830613&w=2
Reference: BUGTRAQ:20001030 Trustix Security Advisory - ping gnupg ypbind
Reference: URL:http://archives.neohapsis.com/archives/bugtraq/2000-10/0429.html
Reference: REDHAT:RHSA-2000:087
Reference: URL:http://www.redhat.com/support/errata/RHSA-2000-087.html
Reference: BID:1813
Reference: URL:http://www.securityfocus.com/bid/1813
Reference: XF:ping-buf-bo(5431)
Reference: URL:http://www.iss.net/security_center/static/5431.php

Buffer overflows in the (1) outpack or (2) buf variables of ping in iputils before 20001010, as distributed on Red Hat Linux 6.2 through 7J and other operating systems, may allow local users to gain privileges.

Current Votes:
   ACCEPT(8) Armstrong, Baker, Cole, Cox, Foat, Frech, Green, Wall

======================================================
Name: CVE-2000-1215
Status: Candidate
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2000-1215
Phase: Assigned (20050421)
Category: SF
Reference: BUGTRAQ:20010919 lotus domino server 5.08 is very gabby
Reference: URL:http://marc.theaimsgroup.com/?l=bugtraq&m=100094373621813&w=2
Reference: CONFIRM:http://www-10.lotus.com/ldd/r5fixlist.nsf/5c087391999d06e7852569280062619d/5552251934afaa9585256c0000737a7f?OpenDocument&Highlight=0,AWHN4A8QWM
Reference: CERT-VN:VU#984555
Reference: URL:http://www.kb.cert.org/vuls/id/984555
Reference: XF:lotus-domino-information-disclosure(10685)
Reference: URL:http://xforce.iss.net/xforce/xfdb/10685

The default configuration of Lotus Domino server 5.0.8 includes system information (version, operating system, and build date) in the HTTP headers of replies, which allows remote attackers to obtain sensitive information.
Current Votes:
   None (candidate not yet proposed)

======================================================
Name: CVE-2000-1216
Status: Candidate
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2000-1216
Phase: Assigned (20050421)
Category: SF
Reference: AIXAPAR:IY07832
Reference: URL:http://www-1.ibm.com/support/docview.wss?uid=isg1IY07832
Reference: CERT-VN:VU#433499
Reference: URL:http://www.kb.cert.org/vuls/id/433499
Reference: XF:aix-portmir-echoerror-bo(7929)
Reference: URL:http://xforce.iss.net/xforce/xfdb/7929

Buffer overflow in portmir for AIX 4.3.0 allows local users to corrupt lock files and gain root privileges via the echo_error routine.

Current Votes:
   None (candidate not yet proposed)

======================================================
Name: CVE-2000-1217
Status: Candidate
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2000-1217
Phase: Assigned (20050421)
Category: SF
Reference: MS:MS00-089
Reference: URL:http://www.microsoft.com/technet/security/bulletin/MS00-089.mspx
Reference: CERT-VN:VU#818496
Reference: URL:http://www.kb.cert.org/vuls/id/818496
Reference: BID:1973
Reference: URL:http://www.securityfocus.com/bid/1973
Reference: XF:win2k-brute-force(5585)
Reference: URL:http://xforce.iss.net/xforce/xfdb/5585

Microsoft Windows 2000 before Service Pack 2 (SP2), when running in a non-Windows 2000 domain and using NTLM authentication, and when credentials of an account are locally cached, allows local users to bypass account lockout policies and make an unlimited number of login attempts, aka the "Domain Account Lockout" vulnerability.
Current Votes:
   None (candidate not yet proposed)

======================================================
Name: CVE-2000-1218
Status: Candidate
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2000-1218
Phase: Assigned (20050421)
Category: CF
Reference: CERT-VN:VU#458659
Reference: URL:http://www.kb.cert.org/vuls/id/458659
Reference: XF:win2k-dns-resolver(4280)
Reference: URL:http://xforce.iss.net/xforce/xfdb/4280

The default configuration for the domain name resolver for Microsoft Windows 98, NT 4.0, 2000, and XP sets the QueryIpMatching parameter to 0, which causes Windows to accept DNS updates from hosts that it did not query, which allows remote attackers to poison the DNS cache.

Current Votes:
   None (candidate not yet proposed)

======================================================
Name: CVE-2000-1219
Status: Candidate
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2000-1219
Phase: Assigned (20050421)
Category: SF
Reference: MLIST:[gcc-bugs] 20020506 c/6586: -ftrapv doesn't catch multiplication overflow
Reference: URL:http://gcc.gnu.org/ml/gcc-bugs/2002-05/msg00198.html
Reference: CERT-VN:VU#540517
Reference: URL:http://www.kb.cert.org/vuls/id/540517

The -ftrapv compiler option in gcc and g++ 3.3.3 and earlier does not handle all types of integer overflows, which may leave applications exposed to overflow-related vulnerabilities.
Current Votes:
   None (candidate not yet proposed)

======================================================
Name: CVE-2000-1220
Status: Candidate
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2000-1220
Phase: Assigned (20050421)
Category: SF
Reference: BUGTRAQ:20000108 L0pht Advisory: LPD, RH 4.x,5.x,6.x
Reference: URL:http://seclists.org/lists/bugtraq/2000/Jan/0116.html
Reference: L0PHT:20000108 Quadruple Inverted Backflip
Reference: URL:http://www.atstake.com/research/advisories/2000/lpd_advisory.txt
Reference: MISC:http://www.atstake.com/research/advisories/2000/lpd_advisory.txt
Reference: DEBIAN:20000109 lpr -- access control problem and root exploit
Reference: URL:http://www.debian.org/security/2000/20000109
Reference: DEBIAN:DSA-20000109
Reference: URL:http://www.debian.org/security/2000/20000109
Reference: REDHAT:RHSA-2000:002
Reference: URL:http://www.redhat.com/support/errata/RHSA-2000-002.html
Reference: SGI:20021104-01-P
Reference: URL:ftp://patches.sgi.com/support/free/security/advisories/20021104-01-P
Reference: CERT-VN:VU#39001
Reference: URL:http://www.kb.cert.org/vuls/id/39001
Reference: BID:927
Reference: URL:http://www.securityfocus.com/bid/927
Reference: XF:redhat-lpd-print-control(3841)
Reference: URL:http://xforce.iss.net/xforce/xfdb/3841

The line printer daemon (lpd) in the lpr package in multiple Linux operating systems allows local users to gain root privileges by causing sendmail to execute with arbitrary command line arguments, as demonstrated using the -C option to specify a configuration file.
Current Votes:
   None (candidate not yet proposed)

======================================================
Name: CVE-2000-1221
Status: Candidate
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2000-1221
Phase: Assigned (20050421)
Category: SF
Reference: ATSTAKE:A010800-v
Reference: URL:http://www.atstake.com/research/advisories/2000/lpd_advisory.txt
Reference: L0PHT:20000108 Quadruple Inverted Backflip
Reference: URL:http://www.atstake.com/research/advisories/2000/lpd_advisory.txt
Reference: DEBIAN:20000109 lpr -- access control problem and root exploit
Reference: URL:http://www.debian.org/security/2000/20000109
Reference: REDHAT:RHSA-2000:002
Reference: URL:http://rhn.redhat.com/errata/RHSA-2000-002.html
Reference: SGI:20021104-01-P
Reference: URL:ftp://patches.sgi.com/support/free/security/advisories/20021104-01-P
Reference: CERT-VN:VU#30308
Reference: URL:http://www.kb.cert.org/vuls/id/30308
Reference: BID:927
Reference: URL:http://www.securityfocus.com/bid/0927
Reference: XF:redhat-lpd-auth(3840)
Reference: URL:http://xforce.iss.net/xforce/xfdb/3840

The line printer daemon (lpd) in the lpr package in multiple Linux operating systems authenticates by comparing the reverse-resolved hostname of the local machine to the hostname of the print server as returned by gethostname, which allows remote attackers to bypass intended access controls by modifying the DNS for the attacking IP.
Current Votes:
   None (candidate not yet proposed)

======================================================
Name: CVE-2000-1222
Status: Candidate
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2000-1222
Phase: Assigned (20050421)
Category: SF
Reference: CERT-VN:VU#17566
Reference: URL:http://www.kb.cert.org/vuls/id/17566
Reference: XF:aix-sysback-elevate-privileges(6432)
Reference: URL:http://xforce.iss.net/xforce/xfdb/6432

AIX sysback before 4.2.1.13 uses a relative path to find and execute the hostname program, which allows local users to gain privileges by modifying the path to point to a malicious hostname program.

Current Votes:
   None (candidate not yet proposed)

======================================================
Name: CVE-2000-1223
Status: Candidate
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2000-1223
Phase: Assigned (20050421)
Category: SF
Reference: CERT-VN:VU#671444
Reference: URL:http://www.kb.cert.org/vuls/id/671444

quikstore.cgi in Quikstore Shopping Cart allows remote attackers to execute arbitrary commands via shell metacharacters in the URL portion of an HTTP GET request.

Current Votes:
   None (candidate not yet proposed)

======================================================
Name: CVE-2000-1224
Status: Candidate
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2000-1224
Phase: Assigned (20050519)
Category: SF
Reference: BUGTRAQ:20001123 RESIN ServletExec JSP Source Disclosure Vulnerability(Apache 1.3.6 Win2k))
Reference: URL:http://marc.theaimsgroup.com/?l=bugtraq&m=97502269408279&w=2
Reference: BUGTRAQ:20001123 Re: RESIN ServletExec JSP Source Disclosure Vulnerab