Entry Buffer overflow in NFS mountd gives root access to remote attackers, mostly in Linux systems. 19981006-01-I CA-98.12.mountd J-006 121 linux-mountd-bo Entry Execute commands as root via buffer overflow in Tooltalk database server (rpc.ttdbserverd). NAI-29 CA-98.11.tooltalk 19981101-01-A 19981101-01-PX aix-ttdbserver tooltalk 122 Entry Arbitrary command execution via IMAP buffer overflow in authenticate command. CA-98.09.imapd 00177 130 imap-authenticate-bo Entry Buffer overflow in POP servers based on BSD/Qualcomm's qpopper allows remote attackers to gain root access using a long PASS command. CA-98.08.qpopper_vul 19980801-01-I AA-98.01 qpopper-pass-overflow 133 Entry Information from SSL-encrypted sessions via PKCS #1. CA-98.07.PKCS MS98-002 nt-ssl-fix Entry Buffer overflow in NIS+, in Sun's rpc.nisd program. CA-98.06.nisd 00170 June10,1998 nisd-bo-check Entry Inverse query buffer overflow in BIND 4.9 and BIND 8 Releases. 19980603-01-PX HPSBUX9808-083 00180 CA-98.05.bind_problems bind-bo 134 Entry Denial of Service vulnerability in BIND 8 Releases via maliciously formatted DNS messages. CA-98.05.bind_problems 19980603-01-PX HPSBUX9808-083 bind-dos Entry Denial of Service vulnerabilities in BIND 4.9 and BIND 8 Releases via CNAME record and zone transfer. CA-98.05.bind_problems 19980603-01-PX HPSBUX9808-083 00180 bind-axfr-dos Entry Some web servers under Microsoft Windows allow remote attackers to bypass access restrictions for files with long file names. CA-98.04.Win32.WebServers nt-web8.3 Entry Stolen credentials from SSH clients via ssh-agent program, allowing other local users to access remote accounts belonging to the ssh-agent user. CA-98.03.ssh-agent NAI-24 ssh-agent Entry Unauthorized privileged access or denial of service via dtappgather program in CDE. HPSBUX9801-075 00185 CA-98.02.CDE Entry Land IP denial of service. CA-97.28.Teardrop_Land FreeBSD-SA-98:01 HPSBUX9801-076 http://www.cisco.com/warp/public/770/land-pub.shtml cisco-land land 95-verv-tcp land-patch ver-tcpip-sys Entry FTP servers can allow an attacker to connect to arbitrary ports on machines other than the FTP client, aka FTP bounce. CA-97.27.FTP_bounce ftp-bounce ftp-privileged-port Entry Buffer overflow in statd allows root privileges. CA-97.26.statd AA-97.29 statd 127 Entry Delete or create a file via rpc.statd, due to invalid information. CA-96.09.rpc.statd rpc-stat 00135 Entry Arbitrary command execution via buffer overflow in Count.cgi (wwwcount) cgi-bin program. 19971010 Security flaw in Count.cgi (wwwcount) CA-97.24.Count_cgi http-cgi-count 128 Entry Local user gains root privileges via buffer overflow in rdist, via expstr() function. CA-97.23.rdist 00179 rdist-bo3 rdist-sept97 Entry Local user gains root privileges via buffer overflow in rdist, via lookup() function. CA-96.14.rdist_vul rdist-bo rdist-bo2 Entry DNS cache poisoning via BIND, by predictable query IDs. CA-97.22.bind bind NAI-11 Entry root privileges via buffer overflow in df command on SGI IRIX systems. CA-1997-21 AA-97.19.IRIX.df.buffer.overflow.vul SGI:19970505-01-A SGI:19970505-02-PX VU#20851 346 df-bo(440) Entry root privileges via buffer overflow in pset command on SGI IRIX systems. CA-97.21.sgi_buffer_overflow AA-97.20.IRIX.pset.buffer.overflow.vul pset-bo Entry root privileges via buffer overflow in eject command on SGI IRIX systems. CA-97.21.sgi_buffer_overflow AA-97.21.IRIX.eject.buffer.overflow.vul eject-bo Entry root privileges via buffer overflow in login/scheme command on SGI IRIX systems. CA-97.21.sgi_buffer_overflow AA-97.22.IRIX.login.scheme.buffer.overflow.vul sgi-schemebo Entry root privileges via buffer overflow in ordist command on SGI IRIX systems. CA-97.21.sgi_buffer_overflow AA-97.23-IRIX.ordist.buffer.overflow.vul ordist-bo Entry JavaScript in Internet Explorer 3.x and 4.x, and Netscape 2.x, 3.x and 4.x, allows remote attackers to monitor a user's web activities, aka the Bell Labs vulnerability. CA-97.20.javascript HPSBUX9707-065 Entry Buffer overflow in lpr, as used in BSD-based systems including Linux, allows local users to execute arbitrary code as root via a long -C (classification) command line option. 19960813 Possible bufferoverflow condition in lpr, xterm and xload 19961025 Linux & BSD's lpr exploit [freebsd-security] 19961025 Vadim Kolontsov: BoS: Linux & BSD's lpr exploit [linux-security] 19961122 LSF Update#14: Vulnerability of the lpr program. CA-97.19.bsdlp AA-96.12 H-08 I-042 19980402-01-PX 707 bsd-lprbo2 bsd-lprbo lpr-bo Entry Buffer overflow in suidperl (sperl), Perl 4.x and 5.x. CA-97.17.sperl perl-suid Entry Race condition in signal handling routine in ftpd, allowing read/write arbitrary files. ftp-ftpd CA-97.16.ftpd AA-97.03 Entry IRIX login program with a nonzero LOCKOUT parameter allows creation or damage to files. CA-97.15.sgi_login AA-97.12 H-106 19970508-02-PX 990 sgi-lockout(557) Entry Arbitrary command execution via metamail package using message headers, when user processes attacker's message using metamail. CA-97.14.metamail metamail-header-commands Entry Buffer overflow in xlock program allows local users to execute commands as root. CA-97.13.xlock xlock-bo Entry webdist CGI program (webdist.cgi) in SGI IRIX allows remote attackers to execute arbitrary commands via shell metacharacters in the distloc parameter. 19970507 Re: SGI Security Advisory 19970501-01-A - Vulnerability in 19970507 Re: SGI Advisory: webdist.cgi CA-1997-12 AA-97.14 19970501-02-PX 374 235 http-sgi-webdist(333) Entry Buffer overflow in Xt library of X Windowing System allows local users to execute commands with root privileges. CA-97.11.libXt libXt-bo Entry Buffer overflow in NLS (Natural Language Service). CA-97.10.nls nls-bo Entry Buffer overflow in University of Washington's implementation of IMAP and POP servers. NAI-21 CA-97.09.imap_pop popimap-bo Entry Command execution via shell metachars in INN daemon (innd) 1.5 using "newgroup" and "rmgroup" control messages, and others. CA-97.08.innd inn-controlmsg Entry fsdump command in IRIX allows local users to obtain root access by modifying sensitive files. 19970301-01-P sgi-fsdump Entry List of arbitrary files on Web host via nph-test-cgi script. CA-97.07.nph-test-cgi_script http-cgi-nph Entry Buffer overflow of rlogin program using TERM environmental variable. CA-97.06.rlogin-term rlogin-termbo Entry MIME conversion buffer overflow in sendmail versions 8.8.3 and 8.8.4. CA-97.05.sendmail 685 sendmail-mime-bo2 Entry Talkd, when given corrupt DNS information, can be used to execute arbitrary commands with root privileges. CA-97.04.talkd FreeBSD-SA-96:21 AA-97.01 00147 talkd-bo netkit-talkd Entry Csetup under IRIX allows arbitrary file creation or overwriting. sgi-csetup CA-97.03.csetup Entry Buffer overflow in HP-UX newgrp program. CA-97.02.hp_newgrp AA-96.16.HP-UX.newgrp.Buffer.Overrun.Vulnerability hp-newgrpbo Entry Arbitrary file creation and program execution using FLEXlm LicenseManager, from versions 4.0 to 5.0, in IRIX. sgi-licensemanager CA-97.01.flex_lm AA-96.03 Entry IP fragmentation denial of service in FreeBSD allows a remote attacker to cause a crash. FreeBSD-SA-98:08 908 freebsd-ip-frag-dos(1389) Entry TCP RST denial of service in FreeBSD. FreeBSD-SA-98:07 6094 Entry Sun's ftpd daemon can be subjected to a denial of service. 00171 sun-ftpd Entry Buffer overflows in Sun libnsl allow root access. 00172 IX80543 RSI.0005.05-14-98.SUN.LIBNSL sun-libnsl Entry Buffer overflow in Sun's ping program can give root access to local users. 00174 sun-ping Entry Vacation program allows command execution by remote users through a sendmail command. NAI-19 vacation HPSBUX9811-087 Entry Buffer overflow in PHP cgi program, php.cgi allows shell access. NAI-12 712 http-cgi-phpbo Entry IRIX fam service allows an attacker to obtain a list of all files on the server. NAI-16 353 164 irix-fam(325) Entry Attackers can cause a denial of service in Ascend MAX and Pipeline routers with a malformed packet to the discard port, which is used by the Java Configurator tool. NAI-26 ascend-config-kill http://www.ascend.com/2695.html Entry The chpass command in OpenBSD allows a local user to gain root access through file descriptor leakage. openbsd-chpass NAI-28 7559 Entry Cisco IOS 12.0 and other versions can be crashed by malicious UDP packets to the syslog port. ESB-98.197 http://www.cisco.com/warp/public/770/iossyslog-pub.shtml cisco-syslog-crash Entry Buffer overflow in AIX lquerylv program gives root access to local users. May28,1997 lquerylv-bo Entry Multiple buffer overflows in how dtmail handles attachments allows a remote attacker to execute commands. 00181 hp-dtmail Entry AnyForm CGI remote execution. 19950731 SECURITY HOLE: "AnyForm" CGI 719 http-cgi-anyform Entry phf CGI program allows remote command execution through shell metacharacters. 19960923 PHF Attacks - Fun and games for the whole family CA-1996-06 AA-96.01 629 136 http-cgi-phf Entry CGI PHP mylog script allows an attacker to read any file on the target server. 19971019 Vulnerability in PHP Example Logging Scripts http-cgi-php-mylog 713 3396 Entry Solaris ufsrestore buffer overflow. 00169 sun-ufsrestore 8158 Entry test-cgi program allows an attacker to list files on the server. http-cgi-test Entry Apache httpd cookie buffer overflow for versions 1.1.1 and earlier. http-apache-cookie NAI-2 Entry Buffer overflow in AIX xdat gives root access to local users. ERS-SVA-E01-1997:004.1 ibm-xdat Entry Telnet allows a remote client to specify environment variables including LD_LIBRARY_PATH, allowing an attacker to bypass the normal system libraries and gain root access. CA-95:14.Telnetd_Environment_Vulnerability linkerbug Entry Listening TCP ports are sequentially allocated, allowing spoofing attacks. seqport Entry PASV core dump in wu-ftpd daemon when attacker uses a QUOTE PASV command after specifying a username and password. 19961016 Re: ftpd bug? Was: bin/1805: Bug in ftpd ftp-pasvcore 5742 Entry Predictable TCP sequence numbers allow spoofing. tcp-seq-predict(139) Entry Remote attackers can cause a denial of service in FTP by issuing multiple PASV commands, causing the server to run out of available ports. ftp-pasv-dos ftp-pasvdos Entry Certain configurations of wu-ftp FTP server 2.4 use a _PATH_EXECPATH setting to a directory with dangerous commands, such as /bin, which allows remote authenticated users to gain root access via the "site exec" command. 19950531 SECURITY: problem with some wu-ftpd-2.4 binaries (fwd) CA-95:16.wu-ftpd.vul ftp-execdotdot Entry wu-ftp allows files to be overwritten via the rnfr command. ftp-rnfr Entry CWD ~root command in ftpd allows root access. ftp-cwd Improving the Security of Your Site by Breaking Into it Entry getcwd() file descriptor leak in FTP. cwdleak Entry Certain NFS servers allow users to use mknod to gain privileges by creating a writable kmem device and setting the UID to 0. nfs-mknod(78) Entry Buffer overflow in rwhod on AIX and other operating systems allows remote attackers to execute arbitrary code via a UDP packet with a long hostname. 19960821 rwhod buffer overflow rwhod(119) rwhod-vuln(118) Entry Denial of service in AIX telnet can freeze a system and prevent users from accessing the server. ibm-telnetdos ERS-SVA-E01-1998:003.1 7992 Entry Buffer overflow in AIX rcp command allows local users to obtain root access. ERS-SVA-E01-1997:005.1 ibm-rcp Entry Buffer overflow in AIX writesrv command allows local users to obtain root access. ERS-SVA-E01-1997:005.1 ibm-writesrv Entry AIX nslookup command allows local users to obtain root access by not dropping privileges correctly. ERS-SVA-E01-1997:008.1 ibm-nslookup Entry AIX piodmgrsu command allows local users to gain additional group privileges. ERS-SVA-E01-1997:007.1 ibm-piodmgrsu Entry The debug command in Sendmail is enabled, allowing attackers to execute commands as root. CA-88.01 CA-93.14 1 195 smtp-debug Entry Sendmail decode alias can be used to overwrite sensitive files. CA-93.16 CA-95.05 A-13 A-14 00122 smtp-dcod Entry The AIX FTP client can be forced to execute commands from a malicious server through shell metacharacters (e.g. a pipe character). ERS-SVA-E01-1997:009.1 ibm-ftp Entry Buffer overflow in syslog utility allows local or remote attackers to gain root privileges. CA-95.13.syslog.vul smtp-syslog Entry Remote access in AIX innd 1.5.1, using control messages. ERS-SVA-E01-1997:002.1 inn-controlmsg Entry Buffer overflow in AIX and Solaris "gethostbyname" library call allows root access through corrupt DNS host names. ERS-SVA-E01-1997:001.1 ERS-SVA-E01-1996:007.1 00137a H-13 NAI-1 ghbn-bo Entry Buffer overflow in SLmail 3.x allows attackers to execute commands using a large FROM line. slmail-fromheader-overflow Entry Echo and chargen, or other combinations of UDP services, can be used in tandem to flood the server, a.k.a. UDP bomb or UDP packet storm. CA-96.01.UDP_service_denial echo chargen chargen-patch Entry The printers program in IRIX has a buffer overflow that gives root access to local users. another day, another buffer overflow... printers-bo Entry Buffer overflow in ffbconfig in Solaris 2.5.1. 00140 AA-97.06 ffbconfig-bo Entry RIP v1 is susceptible to spoofing. rip Entry Buffer overflow in AIX dtterm program for the CDE. 19970520 AIX 4.2 dtterm exploit dtterm-bo(878) Entry Some implementations of rlogin allow root access if given a -froot parameter. 19940729 -froot??? (AIX rlogin bug) CA-94.09.bin.login.vulnerability E-26 458 rlogin-froot Entry AIX bugfiler program allows local users to gain root access. 19970909 AIX bugfiler ibm-bugfiler 1800 Entry Denial of service when an attacker sends many SYN packets to create multiple connections without ever sending an ACK to complete the connection, aka SYN flood. CA-96.21.tcp_syn.flooding 19961202-01-PX 00136 Entry AIX passwd allows local users to gain root access. ibm-passwd CA-92:07.AIX.passwd.vulnerability Entry AIX infod allows local users to gain root access through an X display. 19981119 RSI.0011.11-09-98.AIX.INFOD aix-infod Entry Sun/Solaris utmp file allows local users to gain root access if it is writable by users other than root. 00126 CA-94.06.utmp.vulnerability utmp-write Entry Buffer overflow in AIX lchangelv gives root access. Jul21,1999 lchangelv-bo Entry Vulnerabilities in UMN gopher and gopher+ versions 1.12 and 2.0x allow an intruder to read any files that can be accessed by the gopher daemon. CA-93:11.UMN.UNIX.gopher.vulnerability gopher-vuln Entry Buffer overflow in SGI IRIX mailx program. sgi-mailx-bo 19980605-01-PX Entry SGI IRIX buffer overflow in xterm and Xaw allows root access. VB-98.04.xterm.Xaw J-010 xfree86-xterm-xaw xfree86-xaw Entry Oversized ICMP ping packets can result in a denial of service, aka Ping o' Death. ping-death CA-96.26.ping Entry Sendmail allows local users to write to a file and gain group permissions via a .forward or :include: file. CA-96.25.sendmail_groups Entry Local users can start Sendmail in daemon mode and gain root privileges. CA-96.24.sendmail.daemon.mode 716 sendmail-daemon-mode Entry Buffer overflow and denial of service in Sendmail 8.7.5 and earlier through GECOS field gives root access to local users. CA-96.20.sendmail_vul smtp-875bo 717 Entry Expreserve, as used in vi and ex, allows local users to overwrite arbitrary files and gain root access. CA-1996-19 11723 expreserve(401) Entry fm_fls license server for Adobe Framemaker allows local users to overwrite arbitrary files and gain root access. CA-96.18.fm_fls fmaker-logfile Entry vold in Solaris 2.x allows local users to gain root access. sol-voldtmp CA-96.17.Solaris_vold_vul AL-96.04 8159 Entry admintool in Solaris allows a local user to write to arbitrary files and gain root access. sun-admintool CA-96.16.Solaris_admintool_vul AL-96.03 Entry Kodak Color Management System (KCMS) on Solaris allows a local user to write to arbitrary files and gain root access. sol-KCMSvuln AL-96.02 CA-96.15.Solaris_KCMS_vul Entry The dip program on many Linux systems allows local users to gain root access via a buffer overflow. linux-dipbo CA-96.13.dip_vul dip-bo Entry The suidperl and sperl program do not give up root privileges when changing UIDs back to the original users, allowing root access. CA-96.12.suidperl_vul sperl-suid Entry Buffer overflow in Solaris x86 mkcookie allows local users to obtain root access. sol-mkcookie RSI.0012.12-03-98.SOLARIS.MKCOOKIE 8205 Entry Java Bytecode Verifier allows malicious applets to execute arbitrary commands as the user of the applet. http-java-applet CA-96.07.java_bytecode_verifier 00134 Entry The Java Applet Security Manager implementation in Netscape Navigator 2.0 and Java Developer's Kit 1.0 allows an applet to connect to arbitrary hosts. CA-96.05.java_applet_security_mgr http-java-appletsecmgr Entry Kerberos 4 key servers allow a user to masquerade as another by breaking and generating session keys. CA-96.03.kerberos_4_key_server kerberos-bf Entry Sendmail WIZ command enabled, allowing root access. CA-1990-11 CA-1993-14 19950206 sendmail wizard thing... Improving the Security of Your Site by Breaking Into it Entry The campas CGI program provided with some NCSA web servers allows an attacker to execute arbitrary commands via encoded carriage return characters in the query string, as demonstrated by reading the password file. 19970715 Bug CGI campas 1975 http-cgi-campas(298) Entry The aglimpse CGI program of the Glimpse package allows remote execution of arbitrary commands. http-cgi-glimpse AA-97.28 Entry The handler CGI program in IRIX allows arbitrary command execution. 19970501-02-PX 380 http-sgi-handler Entry The wrap CGI program in IRIX allows remote attackers to view arbitrary directory listings via a .. (dot dot) attack. 19970420 IRIX 6.x /cgi-bin/wrap bug 19970501-02-PX 373 247 http-sgi-wrap(290) Entry The Perl fingerd program allows arbitrary command execution from remote users. perl-fingerd Entry The SATAN session key may be disclosed if the user points the web browser to other sites, possibly allowing root access. CA-95.07a.REVISED.satan.vul CA-95.06.satan.vul Entry The DG/UX finger daemon allows remote command execution through shell metacharacters. 19970811 dgux in.fingerd vulnerability dgux-fingerd Entry Windows 95/NT out of band (OOB) data denial of service through NETBIOS port, aka WinNuke. win-oob 1666 Entry The ghostscript command with the -dSAFER option allows remote attackers to execute commands. gscript-dsafer CA-95.10.ghostscript Entry Cisco PIX firewall and CBAC IP fragmentation attack results in a denial of service. http://www.cisco.com/warp/public/770/nifrag.shtml cisco-fragmented-attacks 1097 Entry Cisco PIX firewall manager (PFM) on Windows NT allows attackers to connect to port 8080 on the PFM server and retrieve any file whose name and location is known. 20010913 Cisco PIX Firewall Manager File Exposure cisco-pix-file-exposure 685 Entry Attackers can crash a Cisco IOS router or device, provided they can get to an interactive prompt (such as a login). This applies to some IOS 9.x, 10.x, and 11.x releases. http://www.cisco.com/warp/public/770/ioslogin-pub.shtml cisco-ios-crash Entry Some classic Cisco IOS devices have a vulnerability in the PPP CHAP authentication to establish unauthorized PPP connections. 19971001 Vulnerabilities in Cisco CHAP Authentication I-002A 1099 cisco-chap Entry In Cisco IOS 10.3, with the tacacs-ds or tacacs keyword, an extended IP access control list could bypass filtering. http://www.cisco.com/warp/public/707/1.html cisco-acl-tacacs 797 Entry The "established" keyword in some Cisco IOS software allowed an attacker to bypass filtering. 19950601 "Established" Keyword May Allow Packets to Bypass Filter cisco-acl-established Entry A race condition in the Solaris ps command allows an attacker to overwrite critical files. sol-pstmprace AA-95.07 CA-95.09.Solaris.ps.vul 8346 Entry NFS allows users to use a "cd .." command to access other directories besides the exported file system. nfs-cd Entry In SunOS, NFS file handles could be guessed, giving unauthorized access to the exported file system. nfs-guess CA-91.21.SunOS.NFS.Jumbo.and.fsirand Entry The portmapper may act as a proxy and redirect service requests from an attacker, making the request appear to come from the local host, possibly bypassing authentication that would otherwise have taken place. For example, NFS file systems could be mounted through the portmapper despite export restrictions. nfs-portmap Entry Remote attackers can mount an NFS file system in Ultrix or OSF, even if it is denied on the access list. nfs-ultrix Entry FormMail CGI program allows remote execution of commands. http-cgi-formmail-exe Aug02,1995 Entry FormMail CGI program can be used by web servers other than the host server that the program resides on. http-cgi-formmail-use Entry The view-source CGI program allows remote attackers to read arbitrary files via a .. (dot dot) attack. 19970208 view-source http-cgi-viewsrc Entry The convert.bas program in the Novell web server allows a remote attackers to read any file on the system that is internally accessible by the web server. http-nov-convert Entry The Webgais program allows a remote user to execute arbitrary commands. Jul10,1997 http-webgais-query Entry The uploader program in the WebSite web server allows a remote attacker to execute arbitrary programs. 19970904 [Alert] Website's uploader.exe (from demo) vulnerable 19970905 Re: FW: [Alert] Website's uploader.exe (from demo) vulnerable 19970904 [Alert] Website's uploader.exe (from demo) vulnerable http-website-uploader Entry Buffer overflow in the win-c-sample program (win-c-sample.exe) in the WebSite web server 1.1e allows remote attackers to execute arbitrary code via a long query string. 19970106 Re: signal handling 2078 8 http-website-winsample(295) Entry Windows NT crashes or locks up when a Samba client executes a "cd .." command on a file share. Q140818 nt-samba-dotdot nt-351 nt-35 Entry in.rshd allows users to login with a NULL username and execute commands. rsh-null Entry The wall daemon can be used for denial of service, social engineering attacks, or to execute remote commands. walld Entry Samba has a buffer overflow which allows a remote attacker to obtain root access by specifying a long password. H-110 VB-97.10.samba nt-samba-bo Entry Linux implementations of TFTP would allow access to files outside the restricted directory. linux-tftp Entry When compiled with the -DALLOW_UPDATES option, bind allows dynamic updates to the DNS server, allowing for malicious modification of DNS records. dns-updates Entry In SunOS or Solaris, a remote user could connect from an FTP server's data port to an rlogin server on a host that trusts the FTP server, allowing remote command execution. 00156 sun-ftpd/logind Entry The passwd command in Solaris can be subjected to a denial of service. 00182 sun-passwd-dos Entry Solaris rpcbind listens on a high numbered UDP port, which may not be filtered since the standard port number is 111. NAI-15 00142 rpc-32771 Entry Solaris rpcbind can be exploited to overwrite arbitrary files and gain root access. 00167 sun-rpcbind Entry IIS newdsn.exe CGI script allows remote users to overwrite files. http-cgi-newdsn 275 Entry Buffer overflow in telnet daemon tgetent routing allows remote attackers to gain root access via the TERMCAP environmental variable. SNI-20 bsd-tel-tgetent Entry Denial of service in in.comsat allows attackers to generate messages. comsat Entry websendmail in Webgais 1.0 allows a remote user to access arbitrary files and execute arbitrary code via the receiver parameter ($VAR_receiver variable). 19970704 Vulnerability in websendmail 2077 237 http-webgais-smail Entry A quote cwd command on FTP servers can reveal the full path of the home directory of the "ftp" user. ftp-home Entry The GNU tar command, when used in FTP sessions, may allow an attacker to execute arbitrary commands. ftp-exectar Entry In Sendmail, attackers can gain root privileges via SMTP by specifying an improper "mail from" address and an invalid "rcpt to" address that would cause the mail to bounce to a program. CA-95.08 E-03 smtp-sendmail-version5 Entry Sendmail 8.6.9 allows remote attackers to execute root commands, using ident. ident-bo F-13 Entry MIME buffer overflow in Sendmail 8.8.0 and 8.8.1 gives root access. sendmail-mime-bo AA-96.06a Entry Remote attacker can execute commands through Majordomo using the Reply-To field and a "lists" command. majordomo-exe CA-94.11.majordomo.vulnerabilities Entry rpc.ypupdated (NIS) allows remote users to execute arbitrary commands. rpc-update CA-95.17.rpc.ypupdated.vul Entry The SunView (SunTools) selection_svc facility allows remote users to read files. CA-90.05.sunselection.vulnerability 8 selsvc Entry Automount daemon automountd allows local or remote users to gain privileges via shell metacharacters. 19971126 Solaris 2.5.1 automountd exploit (fwd) 19990103 SUN almost has a clue! (automountd) HPSBUX9910-104 CA-99-05 235 Entry Extra long export lists over 256 characters in some mount daemons allows NFS directories to be mounted by anyone. CA-94.02.REVISED.SunOS.rpc.mountd.vulnerability 24 Entry Solaris rpc.mountd generates error messages that allow a remote attacker to determine what files are on the server. 00168 I-048 sun-mountd Entry Denial of service by sending forged ICMP unreachable packets. icmp-unreachable Entry Routed allows attackers to append data to files. 19981004-01-PX J-012 ripapp Entry Malicious option settings in UDP packets could force a reboot in SunOS 4.1.3 systems. udp-bomb Entry Livingston portmaster machines could be rebooted via a series of commands. portmaster-reboot Entry Buffer overflow in FTP Serv-U 2.5 allows remote authenticated users to cause a denial of service (crash) via a long (1) CWD or (2) LS (list) command. 19990503 Buffer overflows in FTP Serv-U 2.5 19990504 Re: Buffer overflows in FTP Serv-U 2.5 19990909 Exploit: Serv-U Ver2.5 FTPd Win9x/NT 269 ftp-servu(205) Entry Denial of service of Ascend routers through port 150 (remote administration). ascend-150-kill Entry Solaris syslogd crashes when receiving a message from a host that doesn't have an inverse DNS entry. 19961109 Syslogd and Solaris 2.4 1249320 http://sunsolve.Sun.COM/pub-cgi/retrieve.pl?patchid=103291&collection=fpatches sol-syslogd-crash 1878 Entry Denial of service in Windows NT messenger service through a long username. nt-messenger Entry Windows NT 4.0 allows remote attackers to cause a denial of service via a malformed SMB logon request in which the actual data size does not match the specified size. 19980214 Windows NT Logon Denial of Service Q180963 nt-logondos Entry Access violation in LSASS.EXE (LSA/LSARPC) program in Windows NT allows a denial of service. Q154087 nt-lsass-crash Entry Denial of service in RPCSS.EXE program (RPC Locator) in Windows NT. nt-rpc-ver Q162567 Entry Buffer overflow in Cisco 7xx routers through the telnet service. http://www.cisco.com/warp/public/770/pwbuf-pub.shtml 1102 Entry IIS 1.0 allows users to execute arbitrary commands using .bat or .cmd files. Q148188 Q155056 http-iis-cmd Entry Bash treats any character with a value of 255 as a command separator. bash-cmd CA-96.22.bash_vuls Entry ScriptAlias directory in NCSA and Apache httpd allowed attackers to read CGI programs. http-scriptalias Entry Remote execution of arbitrary commands through Guestbook CGI program. http-cgi-guestbook VB-97.02 Entry Netscape FastTrack Web server lists files when a lowercase "get" command is used instead of an uppercase GET. fastrack-get-directory-list 122 Entry Livingston RADIUS code has a buffer overflow which can allow remote execution of commands as root. NAI-23 radius-accounting-overflow Entry Some configurations of NIS+ in Linux allowed attackers to log in as the user "+". 19950907 Linux NIS security problem hole and fix linux-plus Entry Buffer overflow in nnrpd program in INN up to version 1.6 allows remote users to execute arbitrary commands. 19970721 INN news server vulnerabilities 1443 inn-bo Entry A race condition in the authentication agent mechanism of sshd 1.2.17 allows an attacker to steal another user's credentials. http://oliver.efri.hr/~crv/security/bugs/mUNIXes/ssh2.html http://www.uni-karlsruhe.de/~ig25/ssh-faq/ssh-faq-6.html#ss6.1 Entry Denial of service in talk program allows remote attackers to disrupt a user's display. talkd-flash Entry Buffer overflow in listserv allows arbitrary command execution. smtp-listserv Entry Buffer overflow in War FTP allows remote execution of commands. war-ftpd 875 Entry cfingerd lists all users on a system via search.**@target. 19970523 cfingerd vulnerability cfinger-user-enumeration Entry The jj CGI program allows command execution via shell metacharacters. 19961224 jj cgi http-cgi-jj Entry Hylafax faxsurvey CGI script on Linux allows remote attackers to execute arbitrary commands via shell metacharacters in the query string. 19980804 remote exploit in faxsurvey cgi-script 19980804 PATCH: faxsurvey 2056 http-cgi-faxsurvey(1532) Entry Solaris SUNWadmap can be exploited to obtain root access. 00173 sun-sunwadmap Entry htmlscript CGI program allows remote read access to files. http-htmlscript-file-access Jan27,1998 Entry ICMP redirect messages may crash or lock up a host. Q154174 ICMP Redirects Against Embedded Controllers icmp-redirect Entry The info2www CGI script allows remote file access or remote command execution. 19980303 Vulnerabilites in some versions of info2www CGI 1995 http-cgi-info2www Entry Buffer overflow in NCSA HTTP daemon v1.3 allows remote command execution. http-port CA-95.04.NCSA.http.daemon.for.unix.vulnerability Entry MetaInfo MetaWeb web server allows users to upload, execute, and read scripts. 19980630 Security vulnerabilities in MetaInfo products 19980703 Followup to MetaInfo vulnerabilities 110 3969 metaweb-server-dot-attack Entry Netscape Enterprise servers may list files through the PageServices query. netscape-server-pageservices Entry Directory traversal vulnerability in pfdispaly.cgi program (sometimes referred to as "pfdisplay") for SGI's Performer API Search Tool (performer_tools) allows remote attackers to read arbitrary files. 19980317 IRIX performer_tools bug 19980401-01-P I-041 64 134 sgi-pfdispaly(810) Entry Denial of service in Slmail v2.5 through the POP3 port. slmail-username-bo Entry Denial of service through Solaris 2.5.1 telnet by sending ^D characters. sun-telnet-kill Entry Denial of service in Windows NT DNS servers through malicious packet which contains a response to a query that wasn't made. NAI-5 nt-dns-dos Entry Denial of service in Windows NT DNS servers by flooding port 53 with too many characters. nt-dnscrash nt-dnsver Q169461 Entry mSQL v2.0.1 and below allows remote execution through a buffer overflow. msql-debug-bo sekure.01-99.msql Entry The WorkMan program can be used to overwrite any file to get root access. workman CA-96.23.workman_vul Entry In IIS, remote attackers can obtain source code for ASP files by appending "::$DATA" to the URL. MS98-003 iis-asp-data-check oval:org.mitre.oval:def:913 Entry Excite for Web Servers (EWS) allows remote command execution via shell metacharacters. 19971217 CGI security hole in EWS (Excite for Web Servers) 19980115 Excite announcement VB-98.01.excite excite-cgi-search-vuln Entry Remote command execution in Microsoft Internet Explorer using .lnk and .url files. 19970317 Internet Explorer Bug #4 H-38 http-ie-lnkurl Entry Denial of service in IIS using long URLs. http-iis-longurl Entry The WINS server in Microsoft Windows NT 4.0 before SP4 allows remote attackers to cause a denial of service (process termination) via invalid UDP frames to port 137 (NETBIOS Name Service), as demonstrated via a flood of random packets. 19970801 WINS flooding 19970801 WINS flooding 19970815 Re: WINS flooding http://safenetworks.com/Windows/wins.html 155701 nt-winsupd-fix(1233) Entry The Apache web server for Win32 may provide access to restricted files when a . (dot) is appended to a requested URL. Entry The WinGate telnet proxy allows remote attackers to cause a denial of service via a large number of connections to localhost. 19980221 WinGate DoS 19980326 WinGate Intermediary Fix/Update wingate-dos Entry The WinGate proxy is installed without a password, which allows remote attackers to redirect connections without authentication. wingate-unpassworded Entry Denial of service through Winpopup using large user names. nt-winpopup Entry AAA authentication on Cisco systems allows attackers to execute commands without authorization. http://www.cisco.com/warp/public/770/aaapair-pub.shtml cisco-ios-aaa-auth Entry All records in a WINS database can be deleted through SNMP for a denial of service. nt-wins-snmp2 Entry Solaris sysdef command allows local users to read kernel memory, potentially leading to root privileges. sun-sysdef 00157 Entry Solaris volrmmount program allows attackers to read any file. 00162 sun-volrmmount Entry Buffer overflow in Vixie Cron library up to version 3.0 allows local users to obtain root access via a long environmental variable. NAI-3 AA-96.21 H-17 vixie-cron Entry Buffer overflow in FreeBSD lpd through long DNS hostnames. NAI-9 6093 Entry nis_cachemgr for Solaris NIS+ allows attackers to add malicious NIS+ servers. 00155 sun-niscache Entry Buffer overflow in SunOS/Solaris ps command. 00149 AUSCERT-97.17 sun-ps2bo Entry SunOS/Solaris FTP clients can be forced to execute arbitrary commands from a malicious FTP server. 00176 sun-ftp-server Entry Buffer overflow in BNU UUCP daemon (uucpd) through long hostnames. bnu-uucpd-bo RSI.0002.05-18-98.BNU.UUCPD Entry mmap function in BSD allows local attackers in the kmem group to modify memory through devices. bsd-mmap FreeBSD-SA-98:02 Entry The system configuration control (sysctl) facility in BSD based operating systems OpenBSD 2.2 and earlier, and FreeBSD 2.2.5 and earlier, does not properly restrict source routed packets even when the (1) dosourceroute or (2) forwarding variables are set, which allows remote attackers to spoof TCP connections. Feb15,1998 "IP Source Routing Problem" http://www.openbsd.org/advisories/sourceroute.txt 11502 bsd-sourceroute(736) Entry HP-UX gwind program allows users to modify arbitrary files. HPSBUX9410-018 hpux-gwind-overwrite H-03: HP-UX suid Vulnerabilities Entry HP-UX vgdisplay program gives root access to local users. HPSBUX9702-056 hpux-vgdisplay H-27: HP-UX vgdisplay Buffer Overrun Vulnerability Entry SSH 1.2.25 on HP-UX allows access to new user accounts. ssh-1225 Entry fpkg2swpk in HP-UX allows local users to gain root access. hpux-fpkg2swpk HPSBUX9612-042 Entry HP ypbind allows attackers with root privileges to modify NIS data. nis-ypbind CA-93:01.REVISED.HP.NIS.ypbind.vulnerability Entry disk_bandwidth on SGI IRIX 6.4 S2MP for Origin/Onyx2 allows local users to gain root access using relative pathnames. http://www.securityfocus.com/bid/213/exploit 19980701-01-P 214 936 sgi-disk-bandwidth(1441) Entry ioconfig on SGI IRIX 6.4 S2MP for Origin/Onyx2 allows local users to gain root access using relative pathnames. http://www.securityfocus.com/bid/213/exploit 19980701-01-P 213 6788 sgi-ioconfig(1199) Entry Buffer overflow in Solaris fdformat command gives root access to local users. fdformat-bo 00138 Entry Buffer overflow in Linux splitvt command gives root access to local users. linux-splitvt G-08 Entry Buffer overflow in xmcd 2.0p12 allows local users to gain access through an environmental variable. 19961125 Security Problems in XMCD 19961125 XMCD v2.1 released (was: Security Problems in XMCD) xmcd-envbo Entry SunOS rpc.cmsd allows attackers to obtain root access by overwriting arbitrary files. 00166 sun-rpc.cmsd Entry Buffer overflow in Solaris kcms_configure command allows local users to gain root access. sun-kcms-configure-bo Entry The open() function in FreeBSD allows local attackers to write to arbitrary files. FreeBSD-SA-97:05 freebsd-open 6092 Entry FreeBSD mmap function allows users to modify append-only or immutable files. FreeBSD-SA-98:04 1998-003 bsd-mmap Entry ppl program in HP-UX allows local users to create root files through symlinks. HPSBUX9702-053 H-31 hp-ppllog Entry vhe_u_mnt program in HP-UX allows local users to create root files through symlinks. hp-vhe HPSBUX9406-013 Entry Vulnerability in HP-UX mediainit program. HPSBUX9710-071 hp-mediainit Entry SGI syserr program allows local users to corrupt files. 19971103-01-PX sgi-syserr Entry SGI permissions program allows local users to gain root privileges. 19971103-01-PX sgi-permtool Entry SGI mediad program allows local users to gain root access. 19980602-01-PX sgi-mediad Entry Buffer overflow in NetMeeting allows denial of service and remote command execution. nt-netmeeting Q184346 Entry In Solaris 2.2 and 2.3, when fsck fails on startup, it allows a local user with physical access to obtain root access. sol-startup CA-93.19.Solaris.Startup.vulnerability Entry DEPRECATED. This entry has been deprecated. It is a duplicate of CVE-1999-0032. Entry AIX batch queue (bsh) allows local and remote users to gain additional privileges when network printing is enabled. CA-94.10.IBM.AIX.bsh.vulnerability.html ibm-bsh Entry AIX Licensed Program Product performance tools allow local users to gain root access. ibm-perf-tools CA-94.03.AIX.performance.tools Entry Buffer overflow in the libauth library in Solaris allows local users to gain additional privileges, possibly root access. sol-sun-libauth RSI.0007.05-26-98 Entry Buffer overflow in Linux Slackware crond program allows local users to gain root access. 005 linux-crond Entry Buffer overflow in the Linux mail program "deliver" allows local users to gain root access. 006 linux-deliver Entry Linux PAM modules allow local users to gain root access using temporary files. http://www.redhat.com/corp/support/errata/rh42-errata-general.html#pam linux-pam-passwd-tmprace Entry A malicious Palace server can force a client to execute arbitrary programs. 19981002 Announcements from The Palace (fwd) palace-malicious-servers-vuln Entry NT users can gain debug-level access on a system process using the Sechole exploit. MS98-009 Q190288 nt-priv-fix Entry CGI PHP mlog script allows an attacker to read any file on the target server. 19971019 Vulnerability in PHP Example Logging Scripts 713 http-cgi-php-mlog 3397 Entry IIS ASP caching problem releases sensitive information when two virtual servers share the same physical directory. Jan27,1999 Q197003 930 Entry A buffer overflow in the FTP list (ls) command in IIS allows remote attackers to conduct a denial of service and, in some cases, execute arbitrary commands. IIS Remote FTP Exploit/DoS Attack MS99-003 Q188348 Jan27,1999 iis-remote-ftp Entry Race condition in the db_loader program in ClearCase gives local users root access by setting SUID bits. Feb8,1999 clearcase-temp-race Entry FTP PASV "Pizza Thief" denial of service and unauthorized data access. Attackers can steal data by connecting to a port that was intended for use by a client. 01 http://attrition.org/security/advisory/misc/infowar/iw_sec_01.txt pasv-pizza-thief-dos(3389) Entry rpc.pcnfsd in HP gives remote root access by changing the permissions on the main printer spool directory. HPSBUX9902-091 J-026 pcnfsd-world-write Entry Local or remote users can force ControlIT 4.5 to reboot or force a user to log out, resulting in a denial of service. Multiple vulnerabilities in ControlIT(tm) (formerly Remotely Possible/32) enterprise management software controlit-reboot Entry Windows 98 and other operating systems allows remote attackers to cause a denial of service via crafted "oshare" packets, possibly involving invalid fragmentation offsets. 19990125 Win98 crash? win98-oshare-dos Entry Digital Unix 4.0 has a buffer overflow in the inc program of the mh package. 19990125 Digital Unix 4.0 exploitable buffer overflows SSRT0583U du-inc J-027 Entry WS_FTP server remote denial of service through cwd command. AD02021999 wsftp-remote-dos 217 Entry SuSE 5.2 PLP lpc program has a buffer overflow that leads to root compromise. Feb02,1999 plp-lpc-bo 328 Entry The metamail package allows remote command execution using shell metacharacters that are not quoted in a mailcap entry. Feb04,1999 metamail-header-commands Entry In some cases, Service Pack 4 for Windows NT 4.0 can allow access to network shares using a blank password, through a problem with a null NT hash value. MS99-004 Q214840 nt-sp4-auth-error Entry NetBSD netstat command allows local users to access kernel memory. 1999-002 7571 Entry Buffer overflows in wuarchive ftpd (wu-ftpd) and ProFTPD lead to remote root access, a.k.a. palmetto. palmetto.ftpd CA-99.03 palmetto-ftpd-bo Entry The Sun sdtcm_convert calendar utility for OpenWindows has a buffer overflow which can gain root access. 00183 sun-sdtcm-convert-bo Entry Lynx allows a local user to overwrite sensitive files through /tmp symlinks. 19990211 Lynx /tmp problem VB-97.05.lynx lynx-temp-files-race Entry The installer for BackOffice Server includes account names and passwords in a setup file (reboot.ini) which is not deleted. MS99-005 nt-backoffice-setup Q217004 Entry Buffer overflow in the "Super" utility in Debian GNU/Linux, and other operating systems, allows local users to execute commands as root. Buffer Overflow in "Super" package in Debian Linux linux-super-bo linux-super-logging-bo Entry Debian GNU/Linux cfengine package is susceptible to a symlink attack. 19990215 Feb16,1999 linux-cfengine-symlinks Entry Buffer overflow in webd in Network Flight Recorder (NFR) 2.0.2-Research allows remote attackers to execute commands. February 16, 1999 Feb16,1999 nfr-webd-overflow Entry Local users in Windows NT can obtain administrator privileges by changing the KnownDLLs list to reference malicious programs. MS99-006 Feb20,1999 Feb18,1999 nt-knowndlls-list Entry Process table attack in Unix systems allows a remote attacker to perform a denial of service by filling a machine's process tables through multiple connections to network services. Feb22,1999 Entry InterScan VirusWall for Solaris doesn't scan files for viruses when a single HTTP request includes two GET commands. 19990222 BlackHats Advisory -- InterScan VirusWall 19990225 Patch for InterScan VirusWall for Unix now available viruswall-http-request 6167 Entry Microsoft Taskpads allows remote web sites to execute commands on the visiting user's machine via certain methods that are marked as Safe for Scripting. MS99-007 19990223 Microsoft Security Bulletin (MS99-007) 498 1019 win-resourcekit-taskpads Entry SLMail 3.1 and 3.2 allows local users to access any file in the NTFS file system when the Remote Administration Service (RAS) is enabled by setting a user's Finger File to point to the target file, then running finger on the user. 199902225 ALERT: SLMail 3.2 (and 3.1) with the Remote Administration Service 19990225 ALERT: SLMail 3.2 (and 3.1) with the Remote Administration Service SLmail 3.2 Build 3113 (Web Administration Security Fix) 497 slmail-ras-ntfs-bypass(5392) Entry The screen saver in Windows NT does not verify that its security context has been changed properly, allowing attackers to run programs with elevated privileges. MS99-008 nt-screen-saver Entry ACC Tigris allows public access without a login. 19990103 Tigris vulnerability 183 267 acc-tigris-login Entry The Forms 2.0 ActiveX control (included with Visual Basic for Applications 5.0) can be used to read text from a user's clipboard when the user accesses documents with ActiveX content. forms-vuln-patch MS99-001 Entry The LDAP bind function in Exchange 5.5 has a buffer overflow that allows a remote attacker to conduct a denial of service or execute commands. MS99-009 LDAP Buffer overflow against Microsoft Directory Services ldap-exchange-overflow ldap-mds-dos Entry Microsoft Personal Web Server and FrontPage Personal Web Server in some Windows systems allows a remote attacker to read files on the server by using a nonstandard URL. MS99-010 pws-file-access 111 Entry A legacy credential caching mechanism used in Windows 95 and Windows 98 systems allows attackers to read plaintext network passwords. MS99-052 Q168115 829 9x-plaintext-pwd Entry DataLynx suGuard trusts the PATH environment variable to execute the ps command, allowing local users to execute commands as root. datalynx-suguard-relative-paths Jan3,1999 3186 Entry Buffer overflow in Dosemu Slang library in Linux. 19990104 Dosemu/S-Lang Overflow + sploit CSSA-1999-006.1 187 Entry The cryptographic challenge of SMB authentication in Windows 95 and Windows 98 can be reused, allowing an attacker to replay the response and impersonate a user. Jan. 5, 1999 Entry Buffer overflow in Thomas Boutell's cgic library version up to 1.05. Jan10,1999 http-cgic-library-bo Entry Remote attackers can cause a denial of service in Sendmail 8.8.x and 8.9.2 by sending messages with a large number of headers. 19981212 ** Sendmail 8.9.2 DoS - exploit ** get what you want! 19990121 Sendmail 8.8.x/8.9.x bugware sendmail-parsing-redirection Entry A race condition in the BackWeb Polite Agent Protocol allows an attacker to spoof a BackWeb server. 19990118 Vulnerability in the BackWeb Polite Agent Protocol backweb-polite-agent-protocol Entry A race condition between the select() and accept() calls in NetBSD TCP servers allows remote attackers to cause a denial of service. 1999-001 Feb17,1999 netbsd-tcp-race Entry wget 1.5.3 follows symlinks to change permissions of the target file instead of the symlink itself. Feb2,1999 wget-permissions 19990220 Entry A bug in Cyrix CPUs on Linux allows local users to perform a denial of service. 19990204 Cyrix bug: freeze in hell, badboy cyrix-hang Entry Buffer overflow in the Mail-Max SMTP server for Windows systems allows remote command execution. Feb14,1999 mailmax-bo Entry A buffer overflow in lsof allows local users to obtain root privilege. 002 Feb18,1999 19990220a lsof-bo 3163 Entry By default, IIS 4.0 has a virtual directory /IISADMPWD which contains files that can be used as proxies for brute force password attacks, or to identify valid users on the system. 19990209 ALERT: IIS4 allows proxied password attacks over NetBIOS 19990209 Re: IIS4 allows proxied password attacks over NetBIOS iis-iisadmpwd Entry Files created from interactive shell sessions in Cobalt RaQ microservers (e.g. .bash_history) are world readable, and thus are accessible from the web server. 19990225 Cobalt root exploit cobalt-raq-history-exposure 337 Entry Buffer overflow in gnuplot in Linux version 3.5 allows local users to obtain root access. 19990304 Linux /usr/bin/gnuplot overflow gnuplot-home-overflow 319 Entry The cancel command in Solaris 2.6 (i386) has a buffer overflow that allows local users to obtain root access. Mar5,1999 sol-cancel 293 Entry In IIS and other web servers, an attacker can attack commands as SYSTEM if the server is running as SYSTEM and loading an ISAPI extension. Feb19,1999 iis-isapi-execute 501 Entry A buffer overflow in the SGI X server allows local users to gain root access through the X server font path. 19990301-01-PX irix-font-path-overflow Entry In Linux before version 2.0.36, remote attackers can spoof a TCP connection and pass data to the application layer before fully establishing the connection. Linux Blind TCP Spoofing linux-blind-spoof Entry The HTTP server in Cisco 7xx series routers 3.2 through 4.2 is enabled by default, which allows remote attackers to change the router's configuration. 19990311 Remote Reconfiguration and Denial of Service Vulnerabilities in Cisco 700 ISDN Routers 19990311 Cisco 7xx TCP and HTTP Vulnerabilities J-034 cisco-router-commands cisco-web-config Entry Vulnerability in Cisco 7xx series routers allows a remote attacker to cause a system reload via a TCP connection to the router's TELNET port. 19990311 Remote Reconfiguration and Denial of Service Vulnerabilities in Cisco 700 ISDN Routers 19990311 Cisco 7xx TCP and HTTP Vulnerabilities J-034 cisco-web-crash Entry 64 bit Solaris 7 procfs allows local users to perform a denial of service. Mar9,1999 solaris-psinfo-crash 448 1001 Entry umapfs allows local users to gain root privileges by changing their uid through a malicious mount_umap program. 1999-006 Entry During a reboot after an installation of Linux Slackware 3.6, a remote attacker can obtain root access by logging in to the root account without a password. Short-Term High-Risk Vulnerability During Slackware 3.6 Network Installations linux-slackware-install 338 981 Entry In some cases, NetBSD 1.3.3 mount allows local users to execute programs in some file systems that have the "noexec" flag set. 1999-007 Entry Vulnerability in hpterm on HP-UX 10.20 allows local users to gain additional privileges. HPSBUX9903-093 hp-hpterm-files Entry talkback in Netscape 4.5 allows a local user to overwrite arbitrary files of another user whose Netscape crashes. Mar18,1999 netscape-talkback-overwrite Entry talkback in Netscape 4.5 allows a local user to kill an arbitrary process of another user whose Netscape crashes. Mar18,1999 netscape-talkback-kill Entry OpenSSL and SSLeay allow remote attackers to reuse SSL sessions and bypass access controls. 19990322 OpenSSL/SSLeay Security Alert ssl-session-reuse 3936 Entry The Lotus Notes 4.5 client may send a copy of encrypted mail in the clear across the network if the user does not set the "Encrypt Saved Mail" preference. 19990323 19990324 Re: LNotes encryption 19990326 Lotus Notes Encryption Bug 19990326 Re: Lotus Notes security advisory lotus-client-encryption Entry Cisco Catalyst LAN switches running Catalyst 5000 supervisor software allows remote attackers to perform a denial of service by forcing the supervisor module to reload. Remote Denial of Service Vulnerability in Cisco Catalyst Series Ethernet Switches Cisco Catalyst Supervisor Remote Reload cisco-catalyst-crash 1103 Entry ftp on HP-UX 11.00 allows local users to gain privileges. HPSBUX9903-094 hp-ftp Entry XFree86 startx command is vulnerable to a symlink attack, allowing local users to create files in restricted directories, possibly allowing them to gain privileges or cause a denial of service. Mar28,1999 19990321 X11R6 NetBSD Security Problem xfree86-temp-directories Entry Domain Enterprise Server Management System (DESMS) in HP-UX allows local users to gain privileges. HPSBUX9903-095 hp-desms-servers Entry Remote attackers can perform a denial of service in WebRamp systems by sending a malicious string to the HTTP port. WebRamp Denial of Service Attacks webramp-device-crash Entry Remote attackers can perform a denial of service in WebRamp systems by sending a malicious UDP packet to port 5353, changing its IP address. WebRamp Denial of Service Attacks webramp-ipchange Entry Buffer overflow in procmail before version 3.12 allows remote or local attackers to execute commands via expansions in the procmailrc configuration file. 19990405 Re: [SECURITY] new version of procmail with security fixes 19990422 CSSA-1999:007 procmail-overflow Entry The byte code verifier component of the Java Virtual Machine (JVM) allows remote execution through malicious web pages. 19990405 Security Hole in Java 2 (and JDK 1.1.x) http://java.sun.com/pr/1999/03/pr990329-01.html 1939 java-unverified-code Entry Remote attackers can perform a denial of service in WinGate machines using a buffer overflow in the Winsock Redirector Service. AD02221999 wingate-redirector-dos 509 Entry Solaris ff.core allows local users to modify files. 19990107 really silly ff.core exploit for Solaris 19990108 ff.core exploit on Solaris (2.)7 19990408 Solaris7 and ff.core 327 Entry In Cisco routers under some versions of IOS 12.0 running NAT, some packets may not be filtered by input access list filters. Cisco IOS(R) Software Input Access List Leakage with NAT cisco-natacl-leakage 1104 Entry Local users can perform a denial of service in NetBSD 1.3.3 and earlier versions by creating an unusual symbolic link with the ln command, triggering a bug in VFS. 1999-008 netbsd-vfslocking-panic 7051 Entry Local users can gain privileges using the debug utility in the MPE/iX operating system. HPSBMP9904-006 mpeix-debug Entry IIS 4.0 and Apache log HTTP request methods, regardless of how long they are, allowing a remote attacker to hide the URL they really request. 19990121 IIS 4 Request Logging Security Advisory iis-http-request-logging Entry The ExAir sample site in IIS 4 allows remote attackers to cause a denial of service (CPU consumption) via a direct request to the (1) advsearch.asp, (2) query.asp, or (3) search.asp scripts. 19990126 IIS 4 Advisory - ExAir sample site DoS 19990126 IIS 4 Advisory - ExAir sample site DoS 19990125 Re: [NTSEC] IIS 4 Advisory - ExAir sample site DoS 193 2 3 4 iis-exair-dos Entry Linux ftpwatch program allows local users to gain root privileges. Jan17,1999 19990117 ftpwatch-vuln 317 Entry L0phtcrack 2.5 used temporary files in the system TEMP directory which could contain password information. Jan6,1999 l0phtcrack-temp-files 915 Entry Remote attackers can perform a denial of service using IRIX fcagent. 19981201-01-PX sgi-fcagent-dos Entry Local users can perform a denial of service in Tripwire 1.2 and earlier using long filenames. 19990104 Tripwire mess.. http://marc.theaimsgroup.com/?l=bugtraq&m=91592136122066&w=2 6609 Entry The SVR4 /dev/wabi special device file in NetBSD 1.3.3 and earlier allows a local user to read or write arbitrary files on the disk associated with that device. 1999-009 905 Entry Internet Explorer 5.0 allows a remote server to read arbitrary files on the client's file system using the Microsoft Scriptlet Component. MS99-012 ie-scriplet-fileread Apr9,1999 Entry A weak encryption algorithm is used for passwords in Novell Remote.NLM, allowing them to be easily decrypted. 19990409 New Novell Remote.NLM Password Decryption Algorithm with Exploit 482 netware-remotenlm-passwords Entry The remote proxy server in Winroute allows a remote attacker to reconfigure the proxy without authentication through the "cancel" button. winroute-config Apr9,1999 Entry The SNMP default community name "public" is not properly removed in NetApps C630 Netcache, even if the administrator tries to disable it. netcache-snmp Apr7,1999 Entry The rsync command before rsync 2.3.1 may inadvertently change the permissions of the client's working directory to the permissions of the directory being transferred. 19990407 rsync 2.3.1 release - security fix CSSA-1999:010.0 19990823 145 rsync-permissions Entry The ICQ Webserver allows remote attackers to use .. to access arbitrary files outside of the user's personal directory. icq-webserver-read Apr5,1999 Entry A race condition in how procmail handles .procmailrc files allows a local user to read arbitrary files available to the user who is running procmail. procmail-race Apr5,1999 Entry Denial of service in HP-UX sendmail 8.8.6 related to accepting connections. HPSBUX9904-097 sendmail-headers-dos Entry Denial of service Netscape Enterprise Server with VirtualVault on HP-UX VVOS systems. HPSBUX9903-092 netscape-server-dos Entry Denial of service in "poll" in OpenBSD. Mar22,1999 7556 Entry OpenBSD kernel crash through TSS handling, as caused by the crashme program. Mar21,1999 7557 Entry OpenBSD crash using nlink value in FFS and EXT2FS filesystems. Feb25,1999 6129 Entry Buffer overflow in OpenBSD ping. Feb23,1999 6130 Entry Remote attackers can cause a system crash through ipintr() in ipq in OpenBSD. Feb19,1999 openbsd-ipintr-race 7558 Entry The DHTML Edit ActiveX control in Internet Explorer allows remote attackers to read arbitrary files. MS99-011 ie-dhtml-control Entry The prompt parsing in bash allows a local user to execute commands as another user by creating a directory with the name of the command to execute. 19990420 Bash Bug CSSA-1999-008.0 119 Entry rpc.statd allows remote attackers to forward RPC calls to the local operating system via the SM_MON and SM_NOTIFY commands, which in turn could be used to remotely exploit other bugs such as in automountd. CA-99-05 00186 J-045 19990103 SUN almost has a clue! (automountd) 450 Entry Denial of service in WinGate proxy through a buffer overflow in POP3. wingate-pop3-user-bo Entry A Windows NT 4.0 user can gain administrative rights by forcing NtOpenProcessToken to succeed regardless of the user's permissions, aka GetAdmin. Q146965 nt-getadmin nt-getadmin-present Entry ICMP messages to broadcast addresses are allowed, allowing for a Smurf attack that can cause a denial of service. CA-98.01.smurf FreeBSD-SA-98:06 smurf Entry UDP messages to broadcast addresses are allowed, allowing for a Fraggle attack that can cause a denial of service by flooding the target. fraggle Entry An X server's access control is disabled (e.g. through an "xhost +" command) and allows anyone to connect to the server. xcheck-keystroke VU#704969 Entry HP OpenMail can be misconfigured to allow users to run arbitrary commands using malicious print requests. HPSBUX9804-078 hp-openmail Entry An attacker can write to syslog files from any location, causing a denial of service by filling up the logs, and hiding activities. ibm-syslogd syslog-flood Entry An incorrect configuration of the PDG Shopping Cart CGI program "shopper.cgi" could disclose private information. 19990420 Shopping Carts exposing CC data http://www.pdgsoft.com/Security/security.html. pdgsoftcart-misconfig(3857) Entry A version of finger is running that exposes valid user information to any entity on the network. finger-out finger-running Entry A version of rusers is running that exposes valid user information to any entity on the network. rusersd ruser Entry The rexd service is running, which uses weak authentication that can allow an attacker to execute commands. rexd Entry The rwho/rwhod service is running, which exposes machine status and user information. rwhod Entry The scriptlet.typelib ActiveX control is marked as "safe for scripting" for Internet Explorer, which allows a remote attacker to execute arbitrary commands as demonstrated by Bubbleboy. 19990821 IE 5.0 allows executing programs MS99-032 J-064 598 ms-scriptlet-eyedog-unsafe Q240308 Entry Buffer overflow in ToxSoft NextFTP client through CWD command. 572 toxsoft-nextftp-cwd-bo Entry Buffer overflow in Fujitsu Chocoa IRC client via IRC channel topics. fujitsu-topic-bo 573 Entry The BSD profil system call allows a local user to modify the internal data space of a program via profiling and execve. 1999-011 Aug 9,1999 FreeBSD-SA-99:02 19990809 profil(2) bug, a simple test program 570 J-067 netbsd-profil Entry Check Point FireWall-1 can be subjected to a denial of service via UDP packets that are sent through VPN-1 to port 0 of a host. 19990809 FW1 UDP Port 0 DoS 576 checkpoint-port 1038 Entry sdtcm_convert in Solaris 2.6 allows a local user to overwrite sensitive files via a symlink attack. 19990808 sdtcm_convert sun-sdtcm-convert 575 Entry A default configuration of Apache on Debian GNU/Linux sets the ServerRoot to /usr/doc, which allows remote users to read documentation files for the entire server. apache-debian-usrdoc 19990405 An issue with Apache on Debian 318 Entry Buffer overflow in hybrid-6 IRC server commonly used on EFnet allows remote attackers to execute commands via m_invite invite option. 19990813 w00w00's efnet ircd advisory (exploit included) http://www.efnet.org/archive/servers/hybrid/ChangeLog 581 hybrid-ircd-minvite-bo Entry Windows NT Terminal Server performs extra work when a client opens a new connection but before it is authenticated, allowing for a denial of service. MS99-028 Q238600 J-057 571 nt-terminal-dos Entry Buffer overflow in Microsoft FrontPage Server Extensions (PWS) 3.0.2.926 on Windows 95, and possibly other versions, allows remote attackers to cause a denial of service via a long URL. 19990807 Crash FrontPage Remotely... frontpage-pws-dos 568 Entry Microsoft Exchange 5.5 allows a remote attacker to relay email (i.e. spam) using encapsulated SMTP addresses, even if the anti-relaying features are enabled. MS99-027 Q237927 567 J-056 exchange-relay Entry Denial of service in Gauntlet Firewall via a malformed ICMP packet. gauntlet-dos 19990729 Remotely Lock Up Gauntlet 5.0 556 1029 Entry Buffer overflow in Netscape Communicator via EMBED tags in the pluginspage option. 19991209 Netscape communicator 4.06J, 4.5J-4.6J, 4.61e Buffer Overflow 618 Entry Denial of service in Netscape Enterprise Server (NES) in HP Virtual Vault (VVOS) via a long URL. 19990514 TGAD DoS 19990610 Re: VVOS/Netscape Bug HPSBUX9906-098 J-046 hp-tgad-dos Entry The ToolTalk ttsession daemon uses weak RPC authentication, which allows a remote attacker to execute commands. 19990913 Vulnerability in ttsession 00192 HPSBUX9909-103 SSRT0617U_TTSESSION K-001 CA-99-11 637 cde-ttsession-rpc-auth Entry Buffer overflows in HP Software Distributor (SD) for HPUX 10.x and 11.x. HPSBUX9907-101 545 hp-sd-bo Entry The CDE dtspcd daemon allows local users to execute arbitrary commands via a symlink attack. 19990913 Vulnerability in dtspcd 00192 HPSBUX9909-103 CA-99-11 oval:org.mitre.oval:def:1880 cde-dtspcd-file-auth 636 Entry HP CDE program includes the current directory in root's PATH variable. HPSBUX9907-100 J-053 hp-cde-directory Entry Buffer overflow in the AddSuLog function of the CDE dtaction utility allows local users to gain root privileges via a long user name. 19990913 Vulnerability in dtaction 00192 HPSBUX9909-103 SSRTO615U_DTACTION CA-99-11 635 oval:org.mitre.oval:def:3078 cde-dtaction-username-bo Entry The default configuration of the Array Services daemon (arrayd) disables authentication, allowing remote users to gain root privileges. CA-99-09 J-052 19990701-01-P sgi-arrayd Entry Buffer overflow in TT_SESSION environment variable in ToolTalk shared library allows local users to gain root privileges. CA-99-11 00192 HPSBUX9909-103 641 oval:org.mitre.oval:def:4374 cde-dtsession-env-bo Entry Denial of service in AIX ptrace system call allows local users to crash the system. J-055 ERS-SVA-E01-1999:002.1 aix-ptrace-halt Entry The Sybase PowerDynamo personal web server allows attackers to read arbitrary files through a .. (dot dot) attack. 19990904 [Sybase] software vendors do not think about old bugs http-powerdynamo-dotdotslash 620 1064 Entry Buffer overflow in CDE Calendar Manager Service Daemon (rpc.cmsd). 19990709 Exploit of rpc.cmsd SB-99.12 00188 4230754 HPSBUX9908-102 SSRT0614U_RPC_CMSD CA-99-08 J-051 sun-cmsd-bo Entry SCO Doctor allows local users to gain root privileges through a Tools option. 19990908 SCO 5.0.5 /bin/doctor nightmare 621 sco-doctor-execute Entry The Bluestone Sapphire web server allows session hijacking via easily guessable session IDs. 19990908 [Security] Spoofed Id in Bluestone Sapphire/Web 623 Entry Buffer overflow in Microsoft Phone Dialer (dialer.exe), via a malformed dialer entry in the dialer.ini file. Q237185 MS99-026 nt-malformed-dialer Entry After an unattended installation of Windows NT 4.0, an installation file could include sensitive information such as the local Administrator password. MS99-036 Q173039 626 nt-install-unattend-file Entry Internet Explorer 5.0 and 5.01 allows remote attackers to modify or execute files via the Import/Export Favorites feature, aka the "ImportExportFavorites" vulnerability. 19990909 IE 5.0 security vulnerabilities - ImportExportFavorites - at least creating and overwriting files, probably executing programs MS99-037 Q241361 ie5-import-export-favorites 627 Entry OpenBSD, BSDI, and other Unix operating systems allow users to set chflags and fchflags on character and block devices. 19990805 4.4 BSD issue -- chflags Jul30,1999 FreeBSD-SA-99:01 J-066 openbsd-chflags-fchflags-permitted Entry Buffer overflow in Berkeley automounter daemon (amd) logging facility provided in the Linux am-utils package and others. RHSA-1999:032-01 CSSA-1999:024.0 SA-99:06 19991018 614 CA-99-12 amd-bo Entry Buffer overflow in INN inews program. inn-inews-bo RHSA1999033_01 CSSA-1999-026 19990831 Security hole in INN 19990907 616 Entry Linux xmonisdn package allows local users to gain root privileges by modifying the IFS or PATH environmental variables. 19990807 19990817 Security hole in i4l (xmonisdn) 583 Entry The default FTP configuration in HP Visualize Conference allows conference users to send a file to other participants without authorization. HPSBUX9906-099 J-050 493 hp-visualize-conference-ftp Entry Buffer overflow in cfingerd allows local users to gain root privileges via a long GECOS field. 19990921 BP9909-00: cfingerd local buffer overflow 651 Entry The Squid package in Red Hat Linux 5.2 and 6.0, and other distributions, installs cachemgr.cgi in a public web directory, which allows remote attackers to use it as an intermediary to connect to other systems. 19990725 Redhat 6.0 cachemgr.cgi lameness http://www.redhat.com/support/errata/archives/rh52-errata-general.html#squid DSA-576 FEDORA-2005-373 FLSA-2006:152809 RHSA-1999:025 RHSA-2005:489 2059 http-cgi-cachemgr(2385) Entry The oratclsh interpreter in Oracle 8.x Intelligent Agent for Unix allows local users to execute Tcl commands as root. 19990430 *Huge* security hole in Oracle 8.0.5 with Intellegent agent installed 19990506 Oracle Security Followup, patch and FAQ: setuid on oratclsh oracle-oratclsh Entry The dtlogin program in Compaq Tru64 UNIX allows local users to gain root privileges. 19990404 Digital Unix 4.0E /var permission J-044 cde-dtlogin SSRT0600U Entry Vulnerability in Compaq Tru64 UNIX edauth command. SSRT0588U du-edauth Entry Buffer overflow in Remote Access Service (RAS) client allows an attacker to execute commands or cause a denial of service via a malformed phonebook entry. 19990519 Buffer Overruns in RAS allows execution of arbitary code as system MS99-016 Q230677 nt-ras-bo Entry Buffer overflow in Windows NT 4.0 help file utility via a malformed help file. nt-helpfile-bo Q231605 MS99-015 Entry A remote attacker can disable the virus warning mechanism in Microsoft Excel 97. MS99-014 Q231304 excel-virus-warning Entry IBM GINA, when used for OS/2 domain authentication of Windows NT users, allows local users to gain administrator privileges by changing the GroupMapping registry key. 19990823 IBM Gina security warning 608 ibm-gina-group-add Entry The Guile plugin for the Gnumeric spreadsheet package allows attackers to execute arbitrary code. 19990802 Gnumeric potential security hole. RHSA-1999:023-01 gnu-guile-plugin-export 563 Entry The pt_chown command in Linux allows local users to modify TTY terminal devices that belong to other users. 19990823 [Linux] glibc 2.1.x / wu-ftpd <=2.5 / BeroFTPD / lynx / vlock / mc / glibc 2.0.x 597 linux-pt-chown Entry Denial of service in Windows NT Local Security Authority (LSA) through a malformed LSA request. Phantom Technical Advisory Q231457 MS99-020 J-049 msrpc-lsa-lookupnames-dos Entry The default configuration of Cobalt RaQ2 servers allows remote users to install arbitrary software packages. CA-99-10 558 cobalt-raq2-default-config Entry The Windows NT Client Server Runtime Subsystem (CSRSS) can be subjected to a denial of service when all worker threads are waiting for user input. 19990411 Death by MessageBox MS99-021 Q233323 J-049 478 nt-csrss-dos Entry Buffer overflow in OpenBSD procfs and fdescfs file systems via uio_offset in the readdir() function. Aug12,1999 openbsd-uio_offset-bo 6128 Entry When IIS is run with a default language of Chinese, Korean, or Japanese, it allows a remote attacker to view the source code of certain files, a.k.a. "Double Byte Code Page". Q233335 MS99-022 477 iis-double-byte-code-page(2302) Entry An attacker can conduct a denial of service in Windows NT by executing a program with a malformed file image header. MS99-023 Q234557 499 nt-malformed-image-header Entry A kernel leak in the OpenBSD kernel allows IPsec packets to be sent unencrypted. 19990608 Packets that should have been handled by IPsec may be transmitted as cleartext openbsd-ipsec-cleartext 6127 Entry A Windows NT user can disable the keyboard or mouse by directly calling the IOCTLs which control them. MS99-024 Q236359 nt-ioctl-dos Entry Buffer overflow in Lotus Notes LDAP (NLDAP) allows an attacker to conduct a denial of service through the ldap_search request. 19990823 Denial of Service Attack against Lotus Notes Domino Server 4.6 J-061 601 lotus-ldap-bo 1057 Entry The zsoelim program in the Debian man-db package allows local users to overwrite files via a symlink attack. 19990612 Entry The KDE klock program allows local users to unlock a session using malformed input. 19990623 Security flaw in klock CSSA-1999:017 19990629 Security hole in Klock 489 Entry The logging facilitity of the Debian smtp-refuser package allows local users to delete arbitrary files using symbolic links. 19990823b smtp-refuser-tmp Entry Buffer overflow in VMWare 1.0.1 for Linux via a long HOME environmental variable. 19990626 VMWare Advisory - buffer overflows 19990626 VMware Security Alert 19990705 Re: VMWare Advisory.. - exploit 490 vmware-bo Entry A default configuration of CiscoSecure Access Control Server (ACS) allows remote users to modify the server database without authentication. CiscoSecure Access Control Server for UNIX Remote Administration Vulnerability ciscosecure-read-write Entry KDE K-Mail allows local users to gain privileges via a symlink attack in temporary user directories. KDE K-Mail File Creation Vulnerability CSSA-1999:016 RHSA-1999:015-01 300 Entry Remote attackers can cause a denial of service on Linux in.telnetd telnet daemon through a malformed TERM environmental variable. 594 linux-telnetd-term CSSA-1999:022 RHSA1999029_01 Entry The Debian mailman package uses weak authentication, which allows attackers to gain privileges. 19990623 480 Entry Trn allows local users to overwrite other users' files via symlinks. 19990819 Insecure use of file in /tmp by trn 19990823c 19990824 Security hole in trn trn-symlinks(3144) Entry Buffer overflow in Netscape Enterprise Server and FastTrask Server allows remote attackers to gain privileges via a long HTTP GET request. Buffer Overflow in Netscape Enterprise and FastTrack Web Servers 603 Entry Buffer overflow in Source Code Browser Program Database Name Server Daemon (pdnsd) for the IBM AIX C Set ++ compiler. ERS-SVA-E01-1999:003.1 J-059 590 aix-pdnsd-bo Entry A default configuration of in.identd in SuSE Linux waits 120 seconds between requests, allowing a remote attacker to conduct a denial of service. 19990814 DOS against SuSE's identd 19990824 Security hole in netcfg 587 suse-identd-dos Entry Denial of service in BSDi Symmetric Multiprocessing (SMP) when an fstat call is made when the system has a high CPU load. 19990816 Symmetric Multiprocessing (SMP) Vulnerbility in BSDi 4.0.1 589 bsdi-smp-dos Entry Buffer overflow in Microsoft Telnet client in Windows 95 and Windows 98 via a malformed Telnet argument. 19990815 telnet.exe heap overflow - remotely exploitable MS99-033 win-ie5-telnet-heap-overflow 586 Entry Buffer overflow in Accept command in Netscape Enterprise Server 3.6 with the SSL Handshake Patch. 19990913 Accept overflow on Netscape Enterprise Server 3.6 SP2 631 netscape-accept-bo(3256) Entry Denial of service in Netscape Enterprise Server via a buffer overflow in the SSL handshake. 19990706 Netscape Enterprise Server SSL Handshake Bug Entry The w3-msql CGI script provided with Mini SQL allows remote attackers to view restricted directories. 19990817 Stupid bug in W3-msql mini-sql-w3-msql-cgi 591 Entry The INN inndstart program allows local users to gain privileges by specifying an alternate configuration file using the INNCONF environmental variable. 19990511 INN 2.0 and higher. Root compromise potential CSSA-1999-011.0 19990518 Security hole in INN http://www.redhat.com/corp/support/errata/inn99_05_22.html 255 inn-innconf-env Entry Windows NT RRAS and RAS clients cache a user's password even if the user has not selected the "Save password" option. nt-ras-pwcache Q230681 MS99-017 Entry ColdFusion Administrator with Advanced Security enabled allows remote users to stop the ColdFusion server via the Start/Stop utility. ASB99-07 coldfusion-admin-dos(2207) Entry Netscape Enterprise 3.5.1 and FastTrack 3.01 servers allow a remote attacker to view source code to scripts by appending a %20 to the script's URL. ASB99-06 netscape-space-view Entry Buffer overflow in FuseMAIL POP service via long USER and PASS commands. 19990913 Many kind of POP3/SMTP server softwares for Windows have buffer overflow bug http://www.crosswinds.net/~fuseware/faq.html#8 634 fuseware-popmail-bo Entry Undocumented ColdFusion Markup Language (CFML) tags and functions in the ColdFusion Administrator allow users to gain additional privileges. ASB99-10 550 coldfusion-server-cfml-tags Entry Buffer overflow in FreeBSD fts library routines allows local user to modify arbitrary files via the periodic program. FreeBSD-SA-99:05 freebsd-fts-lib-bo 644 1074 Entry When Javascript is embedded within the TITLE tag, Netscape Communicator allows a remote attacker to use the "about" protocol to gain access to browser information. netscape-title 19990524 Netscape Communicator JavaScript in <TITLE> security vulnerability Entry NetBSD on a multi-homed host allows ARP packets on one network to modify ARP entries on another connected network. 1999-010 netbsd-arp 6540 Entry NetBSD allows ARP packets to overwrite static ARP entries. 1999-010 netbsd-arp 6539 Entry SGI IRIX midikeys program allows local users to modify arbitrary files via a text editor. 19990619 IRIX midikeys root exploit. 19990501-01-A 262 irix-midikeys Entry The Microsoft Java Virtual Machine allows a malicious Java applet to execute arbitrary commands outside of the sandbox environment. MS99-031 Q240346 600 msvm-verifier-java Entry Buffer overflow in Vixie Cron on Red Hat systems via the MAILTO environmental variable. 602 RHSA-1999:030-02 19990829 Security hole in cron Entry Vixie Cron on Linux systems allows local users to set parameters of sendmail commands via the MAILTO environmental variable. RHSA-1999:030-02 CSSA-1999:023.0 19990829 Security hole in cron 19990830 cron 611 Entry Firewall-1 sets a long timeout for connections that begin with ACK or other packets except SYN, allowing an attacker to conduct a denial of service via a large number of connection attempts to unresponsive systems. 19990729 Simple DOS attack on FW-1 549 ACK DOS ATTACK 1027 Entry The web components of Compaq Management Agents and the Compaq Survey Utility allow a remote attacker to read arbitrary files via a .. (dot dot) attack. 19990526 Infosec.19990526.compaq-im.a SSRT0612U management-agent-file-read Entry Denial of service in Compaq Management Agents and the Compaq Survey Utility via a long string sent to port 2301. 19990527 Re: Infosec.19990526.compaq-im.a (New DoS and correction to my previous post) SSRT0612U management-agent-dos Entry Buffer overflow in Solaris lpset program allows local users to gain root access. 19990511 Solaris2.6 and 2.7 lpset overflow sol-lpset-bo Entry Buffer overflows in Mars NetWare Emulation (NWE, mars_nwe) package via long directory names. 19990830 Babcia Padlina Ltd. security advisory: mars_nwe buffer overf RHSA1999037_01 19990916 Security hole in mars nwe 617 Entry Cisco Gigabit Switch routers running IOS allow remote attackers to forward unauthorized packets due to improper handling of the "established" keyword in an access list. 19990610 Cisco IOS Software established Access List Keyword Error cisco-gigaswitch Entry IIS FTP servers may allow a remote attacker to read or delete files on the server, even if they have "No Access" permissions. MS99-039 Q241407 Q242559 iis-ftp-no-access-files 658 Entry Buffer overflow in Xi Graphics Accelerated-X server allows local users to gain root access via a long display or query parameter. 19990626 KSR[T] #011: Accelerated-X 011 488 accelx-display-bo Entry Denial of service in HP-UX SharedX recserv program. HPSBUX9810-086 hp-sharedx Entry KDE klock allows local users to kill arbitrary processes by specifying an arbitrary PID in the .kss.pid file. 19981118 Multiple KDE security vulnerabilities (root compromise) kde-klock-process-kill Entry KDE allows local users to execute arbitrary commands by setting the KDEDIR environmental variable to modify the search path that KDE uses to locate its executables. 19981118 Multiple KDE security vulnerabilities (root compromise) kde-klock-bindir-trojans Entry KDE kppp allows local users to create a directory in an arbitrary location via the HOME environmental variable. 19981118 Multiple KDE security vulnerabilities (root compromise) kde-kppp-directory-create Entry FreeBSD allows local users to conduct a denial of service by creating a hard link from a device special file to a file on an NFS file system. FreeBSD-SA-98:05 I-057 freebsd-nfs-link-dos 6090 Entry The INN inndstart program allows local users to gain root privileges via the "pathrun" parameter in the inn.conf file. 19990511 INN 2.0 and higher. Root compromise potential 19990518 Security hole in INN inn-pathrun 254 Entry The dynamic linker in Solaris allows a local user to create arbitrary files via the LD_PROFILE environmental variable and a symlink attack. 19990922 LD_PROFILE local root exploit for solaris 2.6 659 Entry The SSH authentication agent follows symlinks via a UNIX domain socket. 19990917 A few bugs... 19990924 [Fwd: Truth about ssh 1.2.27 vulnerability] ssh-socket-auth-symlink-dos 660 Entry Arkiea nlservd allows remote attackers to conduct a denial of service. 19990924 Multiple vendor Knox Arkiea local root/remote DoS 662 arkiea-backup-nlserverd-remote-dos Entry Buffer overflow in AIX ftpd in the libc library. 19990928 Remote bufferoverflow exploit for ftpd from AIX 4.3.2 running on an RS6000 ERS-SVA-E01-1999:004.1 J-072 aix-ftpd-bo 679 Entry A remote attacker can read information from a Netscape user's cache via JavaScript. http://home.netscape.com/security/notes/jscachebrowsing.html netscape-javascript Entry Hybrid Network cable modems do not include an authentication mechanism for administration, allowing remote attackers to compromise the system through the HSMP protocol. 19991006 KSR[T] Advisories #012: Hybrid Network's Cable Modems 012 695 hybrid-anon-cable-modem-reconfig Entry Internet Explorer allows remote attackers to read files by redirecting data to a Javascript applet. MS99-043 ie-java-redirect Entry Microsoft Excel does not warn a user when a macro is present in a Symbolic Link (SYLK) format file. MS99-044 excel-sylk Q241900 Q241901 Q241902 Entry FreeBSD T/TCP Extensions for Transactions can be subjected to spoofing attacks. SA-98.03 freebsd-ttcp-spoof 6089 Entry NIS finger allows an attacker to conduct a denial of service via a large number of finger requests, resulting in a large number of NIS queries. 19980629 Distributed DoS attack against NIS/NIS+ based networks. I-070 sun-nis-nisplus Entry Buffer overflow in bootpd 2.4.3 and earlier via a long boot file location. 19970725 Exploitable buffer overflow in bootpd (most unices) bootpd-bo Entry The GetFile.cfm file in Allaire Forums allows remote attackers to read files through a parameter to GetFile.cfm. ASB99-05 19990211 ACFUG List: Alert: Allaire Forums GetFile bug allaire-forums-file-read(1748) 944 Entry BMC Patrol allows remote attackers to gain access to an agent by spoofing frames. 19990409 Patrol security bugs bmc-patrol-frames(2075) Entry Buffer overflow in Internet Explorer 5 allows remote attackers to execute commands via a malformed Favorites icon. 19990503 MSIE 5 FAVICON BUG MS99-018 Q231450 ie-favicon Entry The fwluser script in AIX eNetwork Firewall allows local users to write to arbitrary files via a symlink attack. 19990525 IBM eNetwork Firewall for AIX ibm-enfirewall-tmpfiles 962 Entry Denial of service in Linux 2.2.x kernels via malformed ICMP packets containing unusual types, codes, and IP header lengths. 19990601 Linux kernel 2.2.x vulnerability/exploit 19990607 CSSA-1999:013 19990602 Denial of Service on the 2.2 kernel 19990603 Kernel Update 302 Entry Buffer overflow in Solaris dtprintinfo program. 19990510 Solaris2.6,2.7 dtprintinfo exploits cde-dtprintinfo 6552 Entry The Netscape Directory Server installation procedure leaves sensitive information in a file that is accessible to local users. netscape-dirsvc-password Entry Netscape Communicator 4.x with Javascript enabled does not warn a user of cookie settings, even if they have selected the option to "Only accept cookies originating from the same server as the page being viewed". 19990709 Communicator 4.[56]x, JavaScript used to bypass cookie settings Entry Denial of service in Samba NETBIOS name service daemon (nmbd). 19990721 Samba 2.0.5 security fixes CSSA-1999:018.0 19990731 19990804 RHSA-1999:022-02 19990816 Security hole in Samba Entry Buffer overflow in Samba smbd program via a malformed message command. 19990721 Samba 2.0.5 security fixes RHSA-1999:022-02 CSSA-1999:018.0 19990816 Security hole in Samba 19990731 Samba samba-message-bo 536 Entry Race condition in Samba smbmnt allows local users to mount file systems in arbitrary locations. 19990721 Samba 2.0.5 security fixes 19990731 19990804 CSSA-1999:018.0 RHSA-1999:022-02 19990816 Security hole in Samba Entry Cfingerd with ALLOW_EXECUTION enabled does not properly drop privileges when it executes a program on behalf of the user, allowing local users to gain root privileges. 19990810 Severe bug in cfingerd before 1.4.0 19980724 CFINGERD root security hole 19990814 cfingerd-privileges Entry Red Hat pump DHCP client allows remote attackers to gain root access in some configurations. RHSA-1999:027 Entry Memory leak in SNMP agent in Windows NT 4.0 before SP5 allows remote attackers to conduct a denial of service (memory exhaustion) via a large number of queries. Q196270 nt-snmpagent-leak(1974) oval:org.mitre.oval:def:952 Entry Lynx WWW client allows a remote attacker to specify command-line parameters which Lynx uses when calling external programs to handle certain protocols, e.g. telnet. 19990915 Security hole in lynx Entry NTMail does not disable the VRFY command, even if the administrator has explicitly disabled it. 19991130 NTmail and VRFY 19991130 NTmail and VRFY nt-mail-vrfy Entry FreeBSD seyon allows users to gain privileges via a modified PATH variable for finding the xterm and seyon-emu commands. 19991130 Several FreeBSD-3.3 vulnerabilities 838 freebsd-seyon-dir-add 5996 Entry Buffer overflow in FreeBSD xmindpath allows local users to gain privileges via -f argument. 19991130 Several FreeBSD-3.3 vulnerabilities 839 freebsd-xmindpath 1150 Entry A Windows NT user can use SUBST to map a drive letter to a folder, which is not unmapped after the user logs off, potentially allowing that user to modify the location of folders accessed by later users. 833 19991130 SUBST problem 19991130 Subst.exe carelessness (fwd) Entry Buffer overflow in FreeBSD angband allows local users to gain privileges. 19991130 Several FreeBSD-3.3 vulnerabilities 840 angband-bo 1151 Entry Denial of service in Linux syslogd via a large number of connections. CSSA-1999-035.0 RHSA1999055-01 19991118 syslogd-1.3.33 (a1) 19991130 [david@slackware.com: New Patches for Slackware 4.0 Available] 809 slackware-syslogd-dos Entry Buffer overflow in NFS server on Linux allows attackers to execute commands via a long pathname. 19991109 undocumented bugs - nfsd 19991111 buffer overflow in nfs server 19991110 Security hole in nfs-server < 2.2beta47 within nkita CSSA-1999-033.0 RHSA-1999:053-01 19991130 [david@slackware.com: New Patches for Slackware 4.0 Available] linux-nfs-maxpath-bo 782 Entry Buffer overflow in BIND 8.2 via NXT records. 19991111 Security hole in bind8 < 8.2.2p2 and bind4 < 4.9.7-REL 19991116 Denial of service vulnerabilities in bind CSSA-1999-034.1 RHSA-1999:054-01 CA-99-14 788 bind-nxt-bo Entry Buffer overflow in RSAREF2 via the encryption and decryption functions in the RSAREF library. 19991201 Security Advisory: Buffer overflow in RSAREF2 19991202 OpenBSD sslUSA26 advisory (Re: CORE-SDI: Buffer overflow in RSAREF2) CA-99-15 843 rsaref-bo Entry Denial of service in BIND named via malformed SIG records. 19991111 Security hole in bind8 < 8.2.2p2 and bind4 < 4.9.7-REL 19991116 Denial of service vulnerabilities in bind CSSA-1999-034.1 RHSA-1999:054-01 CA-99-14 bind-sigrecord-dos 788 Entry UnixWare uidadmin allows local users to modify arbitrary files via a symlink attack. 19991202 UnixWare 7 uidadmin exploit + discussion SB-99.22a 842 unixware-uid-admin Entry Denial of service in BIND by improperly closing TCP sessions via so_linger. 19991111 Security hole in bind8 < 8.2.2p2 and bind4 < 4.9.7-REL 19991116 Denial of service vulnerabilities in bind CSSA-1999-034.1 RHSA-1999:054-01 00194 CA-99-14 bind-solinger-dos 788 Entry Buffer overflow in Serv-U FTP 2.5 allows remote users to conduct a denial of service via the SITE command. 19991202 Remote DoS Attack in Serv-U FTP-Server v2.5a Vulnerability 859 servu-ftp-site-bo Entry Windows NT Task Scheduler installed with Internet Explorer 5 allows a user to gain privileges by modifying the job after it has been scheduled. 19991130 Windows NT Task Scheduler vulnerability allows user to administrator elevation MS99-051 Q246972 ie-task-scheduler-privs 828 Entry Symantec Mail-Gear 1.0 web interface server allows remote users to read arbitrary files via a .. (dot dot) attack. 19991129 Symantec Mail-Gear 1.0 Web interface Server Directory Traversal Vulnerability 19991129 Symantec Mail-Gear 1.0 Web interface Server Directory Traversal Vulnerability 827 symantec-mail-dir-traversal 1144 Entry Buffer overflow in free internet chess server (FICS) program, xboard. 19991129 FICS buffer overflow fics-board-bo Entry Denial of service in BIND named via consuming more than "fdmax" file descriptors. 19991111 Security hole in bind8 < 8.2.2p2 and bind4 < 4.9.7-REL 19991116 Denial of service vulnerabilities in bind CSSA-1999-034.1 RHSA-1999:054-01 00194 CA-99-14 788 bind-fdmax-dos Entry Denial of service in BIND named via maxdname. 19991111 Security hole in bind8 < 8.2.2p2 and bind4 < 4.9.7-REL 19991116 Denial of service vulnerabilities in bind CSSA-1999-034.1 RHSA-1999:054-01 00194 CA-99-14 788 bind-maxdname-bo Entry Denial of service in BIND named via naptr. 19991111 Security hole in bind8 < 8.2.2p2 and bind4 < 4.9.7-REL 19991116 Denial of service vulnerabilities in bind CSSA-1999-034.1 RHSA-1999:054-01 00194 CA-99-14 788 bind-naptr-dos Entry Buffer overflow in Netscape Enterprise Server and Netscape FastTrack Server allows remote attackers to gain privileges via the HTTP Basic Authentication procedure. 847 19991201 Buffer Overflow in Netscape Enterprise and FastTrack Authentication Procedure netscape-fasttrack-auth-bo Entry Ultimate Bulletin Board stores data files in the cgi-bin directory, allowing remote attackers to view the data if an error occurs when the HTTP server attempts to execute the file. 19991130 Ultimate Bulletin Board v5.3x? Bug 20000225 FW: Important UBB News For Licensed Users http://www.ultimatebb.com/home/versions.shtml http-ultimate-bbs Entry login in Slackware 7.0 allows remote attackers to identify valid users on the system by reporting an encryption error when an account is locked or does not exist. 19991202 Slackware 7.0 - login bug slackware-remote-login Entry Internet Explorer 5 allows a remote attacker to modify the IE client's proxy configuration via a malicious Web Proxy Auto-Discovery (WPAD) server. MS99-054 Q247333 846 ie-wpad-proxy-settings Entry Solaris arp allows local users to read files via the -f parameter, which lists lines in the file that do not parse properly. 19991130 Solaris 2.x chkperm/arp vulnerabilities 4296166 837 sol-arp-parse 6994 Entry Race condition in the SSL ISAPI filter in IIS and other servers may leak information in plaintext. MS99-053 Q244613 iis-ssl-isapi-filter Entry UnixWare programs that dump core allow a local user to modify files via a symlink attack on the ./core.pid file. 19991202 UnixWare coredumps follow symlinks 19991215 Recent postings about SCO UnixWare 7 19991223 FYI, SCO Security patches available. 19991220 SCO OpenServer Security Status sco-coredump-symlink 851 Entry Buffer overflow in CommuniGatePro via a long string to the HTTP configuration port. 19991203 CommuniGatePro 3.1 for NT DoS 19991203 CommuniGatePro 3.1 for NT Buffer Overflow 860 communigate-pro-bo Entry Buffer overflow in UnixWare xauto program allows local users to gain root privilege. 19991203 UnixWare gain root with non-su/gid binaries 19991215 Recent postings about SCO UnixWare 7 19991223 FYI, SCO Security patches available. 19991220 SCO OpenServer Security Status SB-99.24a sco-xauto-bo 848 Entry Denial of service in IIS 4.0 via a flood of HTTP requests with malformed headers. MS99-029 Q238349 J-058 http-iis-malformed-header 579 Entry ucbmail allows remote attackers to execute commands via shell metacharacters that are passed to it from INN. CA-97.08 inn-ucbmail-shell-meta Entry Internet Explorer 3.x to 4.01 allows a remote attacker to insert malicious content into a frame of another web site, aka frame spoofing. MS98-020 167614 http-frame-spoof Entry Internet Explorer 4.01 allows remote attackers to read arbitrary files by pasting a file name into the file upload control, aka untrusted scripted paste. MS98-015 169245 ie-usp-cuartango Entry Internet Explorer 4.0 and 4.01 allow a remote attacker to read files via IE's cross frame security, aka the "Cross Frame Navigate" vulnerability. MS98-013 7837 ie-crossframe-file-read(3668) Entry Buffer overflow in Skyfull mail server via MAIL FROM command. 759 skyfull-mail-from-bo Entry Buffer overflow in IIS 4.0 allows remote attackers to cause a denial of service via a malformed request for files with .HTR, .IDC, or .STM extensions. MS99-019 Q234905 AD06081999 CA-99-07 J-048 iis-htr-overflow oval:org.mitre.oval:def:915 Entry DHCP clients with ICMP Router Discovery Protocol (IRDP) enabled allow remote attackers to modify their default routes. 19990811 Q216141 578 irdp-gateway-spoof Entry Buffer overflow in Internet Explorer 4.0 via EMBED tag. Q185959 Q176697 Entry Internet Explorer 5 allows remote attackers to read files via an ExecCommand method called on an IFRAME. Q243638 MS99-042 ie-iframe-exec Entry Buffer overflow in WU-FTPD and related FTP servers allows remote attackers to gain root privileges via MAPPING_CHDIR. SSRT0622 RHSA1999031_01 AA-1999.01 CA-99-13 599 wu-ftpd-dir-name Entry Buffer overflow in WU-FTPD and related FTP servers allows remote attackers to gain root privileges via macro variables in a message file. CA-99-13 wuftp-message-file-root Entry Denial of service in WU-FTPD via the SITE NEWER command, which does not free memory properly. CA-99-13 wuftp-site-newer-dos Entry Falcon web server allows remote attackers to read arbitrary files via a .. (dot dot) attack. 19991025 Falcon Web Server Falcon Web Server 743 falcon-path-parsing 1127 Entry Zeus web server allows remote attackers to read arbitrary files by specifying the file name in an option to the search engine. 19991024 RFP9905: Zeus webserver remote root compromise 742 1126 zeus-remote-root(3380) Entry The Zeus web server administrative interface uses weak encryption for its passwords. 19991024 RFP9905: Zeus webserver remote root compromise 742 8186 zeus-weak-password(3833) Entry The security descriptor for RASMAN allows users to point to an alternate location via the Windows NT Service Control Manager. Q242294 MS99-041 645 nt-rasman-pathname Entry FTGate web interface server allows remote attackers to read files via a .. (dot dot) attack. 19991104 FTGate Version 2.1 Web interface Server Directory Traversal Vulnerability AD05261999 1137 Entry dbsnmp in Oracle Intelligent Agent allows local users to gain privileges by setting the ORACLE_HOME environmental variable, which dbsnmp uses to find the nmiconf.tcl script. 19990817 Security Bug in Oracle oracle-dbsnmp 585 Entry Cisco 675 routers running CBOS allow remote attackers to establish telnet sessions if an exec or superuser password has not been set. 19990810 Cisco 675 password nonsense cisco-cbos-telnet 39 Entry iHTML Merchant allows remote attackers to obtain sensitive information or execute commands via a code parsing error. 19990928 Team Asylum: iHTML Merchant Vulnerabilities http://www.ihtmlmerchant.com/support_patches_feedback.htm 694 ihtml-merchant-file-access Entry The "download behavior" in Internet Explorer 5 allows remote attackers to read arbitrary files via a server-side redirect. MS99-040 Q242542 VU#37828 K-002 674 11274 ie-download-behavior Entry Buffer overflow in Netscape Communicator before 4.7 via a dynamic font whose length field is less than the size of the font. 19991018 Netscape 4.x buffer overflow Entry userOsa in SCO OpenServer allows local users to corrupt files via a symlink attack. 19991011 SCO OpenServer 5.0.5 overwrite /etc/shadow sco-openserver-userosa-script Entry Red Hat Linux screen program does not use Unix98 ptys, allowing local users to write to other terminals. RHSA1999042-01 Entry Firewall-1 does not properly restrict access to LDAP attributes. 19991020 Checkpoint FireWall-1 V4.0: possible bug in LDAP authentication 725 checkpoint-ldap-auth 1117 Entry Buffer overflow in RealNetworks RealServer administration utility allows remote attackers to execute arbitrary commands via a long username and password. 19991109 RealNetworks RealServer G2 buffer overflow. http://service.real.com/help/faq/servg260.html realserver-g2-pw-bo 767 Entry iChat ROOMS Webserver allows remote attackers to read arbitrary files via a .. (dot dot) attack. 19980908 bug in iChat 3.0 (maybe others) ichat-file-read-vuln Entry Buffer overflows in Windows NT 4.0 print spooler allow remote attackers to gain privileges or cause a denial of service via a malformed spooler request. MS99-047 Q243649 nt-printer-spooler-bo 768 Entry The Windows NT 4.0 print spooler allows a local user to execute arbitrary commands due to inappropriate permissions that allow the user to specify an alternate print provider. MS99-047 Q243649 769 nt-printer-spooler-bo Entry Buffer overflow in rpc.yppasswdd allows a local user to gain privileges via MD5 hash generation. RHSA1999046-01 19991023 Security hole in ypserv < 1.3.9 19991027 nis Entry ypserv allows a local user to modify the GECOS and login shells of other users. RHSA1999046-01 19991023 Security hole in ypserv < 1.3.9 19991027 nis Entry ypserv allows local administrators to modify password tables. RHSA1999046-01 19991023 Security hole in ypserv < 1.3.9 19991027 nis Entry genfilt in the AIX Packet Filtering Module does not properly filter traffic to destination ports greater than 32767. 19991025 IBM AIX Packet Filter module 19991027 Re: IBM AIX Packet Filter module (followup) aix-genfilt-filtering Entry Buffer overflow in BFTelnet allows remote attackers to cause a denial of service via a long username. 19991103 Remote DoS Attack in BFTelnet Server v1.1 for Windows NT bftelnet-username-dos 771 Entry Denial of service in Axent Raptor firewall via malformed zero-length IP options. 19991020 Remote DoS in Axent's Raptor 6.0 736 raptor-ipoptions-dos 1121 Entry Buffer overflow in sccw allows local users to gain root access via the HOME environmental variable. 19990923 SuSE 6.2 sccw overflow exploit 19990926 Security hole in sccw (Part II) 656 linux-sccw-bo Entry sccw allows local users to read arbitrary files. 19990916 SuSE 6.2 /usr/bin/sccw read any file 19990921 Security Hole in sccw-1.1 and earlier Entry Denial of service in Solaris TCP streams driver via a malicious connection that causes the server to panic as a result of recursive calls to mutex_enter. 19990921 solaris DoS 655 sun-tcp-mutex-enter-dos Entry Multihomed Windows systems allow a remote attacker to bypass IP source routing restrictions via a malformed packet with IP options, aka the "Spoofed Route Pointer" vulnerability. Windows IP Source Routing Vulnerability MS99-038 Q238453 646 nt-ip-source-route Entry FreeBSD VFS cache (vfs_cache) allows local users to cause a denial of service by opening a large number of files. 19990921 FreeBSD-specific denial of service 653 freebsd-vfscache-dos 1079 Entry Buffer overflow in the FTP client in the Debian GNU/Linux netstd package. 19990104 19990103 [SECURITY] New versions of netstd fixes buffer overflows 324 Entry URL Live! web server allows remote attackers to read arbitrary files via a .. (dot dot) attack. 19991028 URL Live! 1.0 WebServer 746 1129 Entry WebTrends software stores account names and passwords in a file which does not have restricted access permissions. 19990629 Bad Permissions on Passwords Stored by WebTrends Software Entry The Preloader ActiveX control used by Internet Explorer allows remote attackers to read arbitrary files. MS99-018 Q231452 legacy-activex-local-drive Entry Denial of service in various Windows systems via malformed, fragmented IGMP packets. 19990703 IGMP fragmentation bug in Windows 98/2000 Q238329 MS99-034 igmp-dos 514 Entry Buffer overflow in the pop-2d POP daemon in the IMAP package allows remote attackers to gain privileges via the FOLD command. 19990526 Remote vulnerability in pop2d 19990607a 283 pop2-fold-bo Entry BMC Patrol allows any remote attacker to flood its UDP port, causing a denial of service. 19990409 Patrol security bugs bmc-patrol-udp-dos(4291) 1879 Entry An example application in ColdFusion Server 4.0 allows remote attackers to view source code via the sourcewindow.cfm file. ASB99-02 coldfusion-sourcewindow Entry The Syntax Checker in ColdFusion Server 4.0 allows remote attackers to conduct a denial of service. ASB99-02 coldfusion-syntax-checker(1742) 3236 Entry NTMail allows remote attackers to read arbitrary files via a .. (dot dot) attack. AD05261999 279 ntmail-fileread Entry Buffer overflow in SmartDesk WebSuite allows remote attackers to cause a denial of service via a long URL. 19990525 Buffer overflow in SmartDesk WebSuite v2.1 websuite-dos 278 Entry wwwboard allows a remote attacker to delete message board articles via a malformed argument. 19980903 wwwboard.pl vulnerability http://www.worldwidemart.com/scripts/faq/wwwboard/q5.shtml http-cgi-wwwboard(2344) 1795 Entry Buffer overflow in Mediahouse Statistics Server allows remote attackers to execute commands. 19990930 Security flaw in Mediahouse Statistics Server v4.28 & 5.01 734 mediahouse-stats-login-bo Entry Mediahouse Statistics Server allows remote attackers to read the administrator password, which is stored in cleartext in the ss.cfg file. 19990930 Security flaw in Mediahouse Statistics Server v4.28 & 5.01 735 mediahouse-stats-adminpw-cleartext Entry TeamTrack web server allows remote attackers to read arbitrary files via a .. (dot dot) attack. 19991001 RFP9904: TeamTrack webserver vulnerability 689 1096 Entry classifieds.cgi allows remote attackers to read arbitrary files via shell metacharacters. 19991215 Classifieds (classifieds.cgi) 2020 http-cgi-classifieds-read(3102) Entry classifieds.cgi allows remote attackers to execute arbitrary commands by specifying them in a hidden variable in a CGI form. 19991215 Classifieds (classifieds.cgi) Entry BNBSurvey survey.cgi program allows remote attackers to execute commands via shell metacharacters. 19981203 BNBSurvey (survey.cgi) Entry BNBForm allows remote attackers to read arbitrary files via the automessage hidden form variable. 19981203 BNBForm (bnbform.cgi) Entry MBone SDR Package allows remote attackers to execute commands via shell metacharacters in Sesion Initiation Protocol (SIP) messages. VN-99-03 sdr-execute Entry Denial of service in Debian IRC Epic/epic4 client via a long string. 19990826 [SECURITY] New versions of epic4 fixes possible DoS vulnerability 19990826 605 Entry Buffer overflow in mutt mail client allows remote attackers to execute commands via malformed MIME messages. CSSA-1999-031 19990927 Security hole in mutt Entry UnixWare dos7utils allows a local user to gain root privileges by using the STATICMERGE environmental variable to find a script which it executes. 19991005 SCO UnixWare 7.1 local root exploit sco-unixware-dos7utils-root-privs Entry Buffer overflow in OpenLink 3.2 allows remote attackers to gain privileges via a long GET request to the web configurator. 19991015 OpenLink 3.2 Advisory 720 Entry Buffer overflow in Internet Mail Service (IMS) for Microsoft Exchange 5.5 and 5.0 allows remote attackers to conduct a denial of service via AUTH or AUTHINFO commands. 19980724 Denial of Service attacks against Microsoft Exchange 5.0 to 5.5 I-080 Q169174 exchange-dos(1223) Entry Buffer overflow in Yamaha MidiPlug via a Text variable in an EMBED tag. 19991102 Some holes for Win/UNIX softwares yamaha-midiplug-embed 760 Entry AN-HTTPd provides example CGI scripts test.bat, input.bat, input2.bat, and envout.bat, which allow remote attackers to execute commands via shell metacharacters. 19991102 Some holes for Win/UNIX softwares 762 Entry Buffer overflow in WFTPD FTP server allows remote attackers to gain root access via a series of MKD and CWD commands that create nested directories. 19991027 WFTPD v2.40 FTPServer remotely exploitable buffer overflow vulnerability 747 wftpd-mkd-bo Entry Buffer overflow in OmniHTTPd CGI program imagemap.exe allows remote attackers to execute commands. 19991022 Imagemap CGI overflow exploit 739 http-cgi-imagemap-bo 3380 Entry WWWBoard stores encrypted passwords in a password file that is under the web root and thus accessible by remote attackers. 19980903 wwwboard.pl vulnerability 19990916 More fun with WWWBoard Entry WWWBoard has a default username and default password. 19990916 More fun with WWWBoard 649 Entry Race condition in wu-ftpd and BSDI ftpd allows remote attackers gain root access via the SITE EXEC command. CA-94.08 E-17 ftp-exec Entry The NeXT NetInfo _writers property allows local users to gain root privileges or conduct a denial of service. CA-93.02a next-netinfo Entry MajorCool mj_key_cache program allows local users to modify files via a symlink attack. 19970618 Security hole in MajorCool 1.0.3 majorcool-file-overwrite-vuln Entry sudo 1.5.x allows local users to execute arbitrary commands via a .. (dot dot) attack. 19980112 Re: hole in sudo for MP-RAS. sudo-dot-dot-attack Entry IRIX startmidi program allows local users to modify arbitrary files via a symlink attack. 19970209 IRIX: Bug in startmidi AA-97-05 19980301-01-PX 469 8447 irix-startmidi-file-creation((1634) Entry IRIX cdplayer allows local users to create directories in arbitrary locations via a command line option. AA-96.11 19980301-01-PX irix-cdplayer-directory-create Entry HPUX sysdiag allows local users to gain root privileges via a symlink attack during log file creation. 19960921 Vunerability in HP sysdiag ? H-03 hp-sysdiag-symlink Entry Buffer overflow in HPUX passwd command allows local users to gain root privileges via a command line option. AA-96.13 HPSBUX9701-045 hp-password-cmd-bo 6415 Entry FreeBSD mount_union command allows local users to gain root privileges via a symlink attack. 19960517 BoS: SECURITY BUG in FreeBSD VB-96.06 freebsd-mount-union-root 6088 Entry Buffer overflow in FreeBSD setlocale in the libc module allows attackers to execute arbitrary code via a long PATH_LOCALE environment variable. FreeBSD-SA-97:01 freebsd-setlocale-bo 6086 Entry Race condition in xterm allows local users to modify arbitrary files via the logging option. CA-93.17 xterm Entry Buffer overflow in Solaris getopt in libc allows local users to gain root privileges via a long argv[0]. 19970127 Solaris libc - getopt(3) Entry Buffer overflow in the HTML library used by Internet Explorer, Outlook Express, and Windows Explorer via the res: local resource protocol. 19971101 Microsoft Internet Explorer 4.0 Suite Entry Buffer overflow in BNC IRC proxy allows remote attackers to gain privileges. 19981226 bnc exploit bnc-proxy-bo(1546) 1927 Entry The Windows NT RPC service allows remote attackers to conduct a denial of service using spoofed malformed RPC packets which generate an error message that is sent to the spoofed host, potentially setting up a loop, aka Snork. 19980929 "Snork" Denial of Service Attack Against Windows NT RPC Service 19980929 ISS Security Advisory: Snork MS98-014 Q193233 snork-dos Entry Buffer overflow in Exim allows local users to gain root privileges via a long :include: option in a .forward file. 19970722 Security hole in exim 1.62: local root exploit exim-include-overflow Entry Buffer overflow in Xshipwars xsw program. 19991209 xsw 1.24 remote buffer overflow 863 Entry Buffer overflow in Solaris snoop program allows remote attackers to gain root privileges via a long domain name when snoop is running in verbose mode. 19991206 [w00giving #8] Solaris 2.7's snoop 19991209 Clarification needed on the snoop vuln(s) (fwd) 858 Entry Buffer overflow in Solaris snoop allows remote attackers to gain root privileges via GETQUOTA requests to the rpc.rquotad service. 19991209 Buffer Overflow in Solaris Snoop 00190 19991209 Clarification needed on the snoop vuln(s) (fwd) 864 Entry The Windows help system can allow a local user to execute commands as another user by editing a table of contents metafile with a .CNT extension and modifying the topic action to include the commands to be executed when the .hlp file is accessed. 19991207 Local user can fool another to run executable. .CNT/.GID/.HLP M$WINNT 868 Entry Sendmail allows local users to reinitialize the aliases database via the newaliases command, then cause a denial of service by interrupting Sendmail. 19991204 19991207 [Debian] New version of sendmail released sendmail-bi-alias 857 Entry Buffer overflow in Solaris sadmind allows remote attackers to gain root privileges using a NETMGT_PROC_SERVICE request. 19991209 sadmind 19991210 Solaris sadmind Buffer Overflow Vulnerability 19991210 Re: Solaris sadmind Buffer Overflow Vulnerability CA-99-16 00191 866 2354 sol-sadmind-amslverify-bo 2558 Entry htdig allows remote attackers to execute commands via filenames with shell metacharacters. 19991209 867 Entry The SCO UnixWare privileged process system allows local users to gain root privileges by using a debugger such as gdb to insert traps into _init before the privileged process is executed. 19991209 Fundamental flaw in UnixWare 7 security 19991215 Recent postings about SCO UnixWare 7 869 Entry Windows NT Service Control Manager (SCM) allows remote attackers to cause a denial of service via a malformed argument in a resource enumeration request. MS99-055 Q246045 Entry Internet Explorer 5.01 and earlier allows a remote attacker to create a reference to a client window and use a server-side redirect to access local files via that window, aka "Server-side Page Reference Redirect." MS99-050 Q246094 Entry The Sun Web-Based Enterprise Management (WBEM) installation script stores a password in plaintext in a world readable file. 19991206 Solaris WBEM 1.0: plaintext password stored in world readable file Entry The ping command in Linux 2.0.3x allows local users to cause a denial of service by sending large packets with the -R (record route) option. 19991209 Big problem on 2.0.x? 870 Entry Windows NT does not properly download a system policy if the domain user logs into the domain with a space at the end of the domain name. 19991118 NT System Policy for Win95 Not downloaded when adding a space after domain name Q237923 Entry Buffer overflow in Internet Explorer 5 directshow filter (MSDXM.OCX) allows remote attackers to execute commands via the vnd.ms.radio protocol. 19991205 new IE5 remote exploit 19991205 new IE5 remote exploit 861 Entry Buffer overflow in GoodTech Telnet Server NT allows remote users to cause a denial of service via a long login name. 19991206 Remote DoS Attack in GoodTech Telnet Server NT v2.2.1 Vulnerability 19991206 Remote DoS Attack in GoodTech Telnet Server NT v2.2.1 Vulnerability 862 Entry HP VirtualVault with the PHSS_17692 patch allows unprivileged processes to bypass access restrictions via the Trusted Gateway Proxy (TGP). HPSBUX9912-107 Entry Windows NT with SYSKEY reuses the keystream that is used for encrypting SAM password hashes, allowing an attacker to crack passwords. 19991216 Windows NT's SYSKEY feature MS99-056 Q248183 873 Entry Windows NT Local Security Authority (LSA) allows remote attackers to cause a denial of service via malformed arguments to the LsaLookupSids function which looks up the SID, aka "Malformed Security Identifier Request." 19991216 Windows NT LSA Remote Denial of Service MS99-057 Q248185 875 Entry Buffer overflow in Infoseek Ultraseek search engine allows remote attackers to execute commands via a long GET request. AD19991215 19991216 Infoseek Ultraseek Remote Buffer Overflow 19991216 Infoseek Ultraseek Remote Buffer Overflow infoseek-ultraseek-bo 6490 Entry wu-ftp with FTP conversion enabled allows an attacker to execute commands via a malformed file name that is interpreted as an argument to the program that does the conversion, e.g. tar or uncompress. 19991220 Security vulnerability in certain wu-ftpd (and derivitives) configurations (fwd) DSA-377 wuftp-ftp-conversion Entry Cisco Cache Engine allows an attacker to replace content in the cache. 19991216 Cisco Cache Engine Authentication Vulnerabilities 19991216 Cisco Security Advisory: Cisco Cache Engine Authentication Vulnerabilities cisco-cache-engine-replace Entry Microsoft SQL 7.0 server allows a remote attacker to cause a denial of service via a malformed TDS packet. MS99-059 Q248749 817 Entry The web administration interface for Cisco Cache Engine allows remote attackers to view performance statistics. 19991216 Cisco Cache Engine Authentication Vulnerabilities 19991216 Cisco Security Advisory: Cisco Cache Engine Authentication Vulnerabilities cisco-cache-engine-performance Entry Cisco Cache Engine allows a remote attacker to gain access via a null username and password. 19991216 Cisco Cache Engine Authentication Vulnerabilities 19991216 Cisco Security Advisory: Cisco Cache Engine Authentication Vulnerabilities Entry Buffer overflow in the POP server POProxy for the Norton Anti-Virus protection NAV2000 program via a large USER command. 19991217 NAV2000 Email Protection DoS 19991220 Norton Email Protection Remote Overflow (Addendum) http://service1.symantec.com/SUPPORT/nav.nsf/df0a595864594c86852567ac0063608c/6206f660a1f2516a882568660082c930?OpenDocument&Highlight=0,poproxy 6267 Entry Groupwise web server GWWEB.EXE allows remote attackers to read arbitrary files with .htm extensions via a .. (dot dot) attack using the HELP parameter. 19991219 Groupewise Web Interface groupwise-web-read-files 879 3413 Entry Buffer overflow in VDO Live Player allows remote attackers to execute commands on the VDO client via a malformed .vdo file. 19991213 VDO Live Player 3.02 Buffer Overflow vdolive-bo-execute 872 Entry xsoldier program allows local users to gain root access via a long argument. 19991215 FreeBSD 3.3 xsoldier root exploit http://marc.theaimsgroup.com/?l=freebsd-security&m=94531826621620&w=2 871 unix-xsoldier-overflow Entry An SSH 1.2.27 server allows a client to use the "none" cipher, even if it is not allowed by the server policy. 19991214 sshd1 allows unencrypted sessions regardless of server policy ssh-policy-bypass Entry The Remote Data Service (RDS) DataFactory component of Microsoft Data Access Components (MDAC) in IIS 3.x and 4.x exposes unsafe methods, which allows remote attackers to execute arbitrary commands. MS98-004 MS99-025 J-054 19990809 Vulnerabilities in Microsoft Remote Data Service 529 nt-iis-rds 272 Entry Buffer overflow in mail command in Solaris 2.7 and 2.7 allows local users to gain privileges via a long -m argument. 19990913 Solaris 2.7 /usr/bin/mail 19990927 Working Solaris x86 /usr/bin/mail exploit 4276509 sun-usrbinmail-local-bo(3297) 672 Entry SpectroSERVER in Cabletron Spectrum Enterprise Manager 5.0 installs a directory tree with insecure permissions, which allows local users to replace a privileged executable (processd) with a Trojan horse, facilitating a root or Administrator compromise. 19990623 Cabletron Spectrum security vulnerability 19990624 Re: Cabletron Spectrum security vulnerability 495 Entry NFS on SunOS 4.1 through 4.1.2 ignores the high order 16 bits in a 32 bit UID, which allows a local user to gain root access if the lower 16 bits are set to 0, as fixed by the NFS jumbo patch upgrade. CA-1992-15 00117 47 nfs-uid(82) Entry Solaris 2.6 HW3/98 installs admintool with world-writable permissions, which allows local users to gain privileges by replacing it with a Trojan horse program. 19980507 admintool mode 0777 in Solaris 2.6 HW3/98 4178998 solaris-admintool-world-writable(7296) 290 Entry Symantec pcAnywhere 8.0 allows remote attackers to cause a denial of service (CPU utilization) via a large amount of data to port 5631. 19990528 DoS against PC Anywhere 288 pcanywhere-dos(2256) Entry Vulnerability in LAT/Telnet Gateway (lattelnet) on Ultrix 4.1 and 4.2 allows attackers to gain root privileges. CA-1991-11 B-36 26 ultrix-telnet(584) Entry Vulnerability in login in AT&T System V Release 4 allows local users to gain privileges. CA-1991-08 B-28 23 sysv-login(583) Entry IIS 3.0 and 4.0 on x86 and Alpha allows remote attackers to cause a denial of service (hang) via a malformed GET request, aka the IIS "GET" vulnerability. MS98-019 Q192296 iis-get-dos(1823) Entry rex.satan in SATAN 1.1.1 allows local users to overwrite arbitrary files via a symlink attack on the /tmp/rex.$$ file. 19980626 vulnerability in satan, cops & tiger 19980627 Re: vulnerability in satan, cops & tiger satan-rexsatan-symlink(7167) 3147 Entry Vulnerability in Advanced File System Utility (advfs) in Digital UNIX 4.0 through 4.0d allows local users to gain privileges. SSRT0495U I-050 dgux-advfs-softlinks(7431) Entry pnserver in RealServer 5.0 and earlier allows remote attackers to cause a denial of service by sending a short, malformed request. 19980115 pnserver exploit.. 19980115 [rootshell] Security Bulletin #7 19980817 Re: Real Audio Server Version 5 bug? http://service.real.com/help/faq/serv501.html realserver-pnserver-remote-dos(7297) 6979 Entry When BSDI patches for Gauntlet 5.0 BSDI are installed in a particular order, Gauntlet allows remote attackers to bypass firewall access restrictions, and does not log the activities. 19991018 Gauntlet 5.0 BSDI warning 19991019 Re: Gauntlet 5.0 BSDI warning gauntlet-bsdi-bypass(3397) Entry Buffer overflow in bash 2.0.0, 1.4.17, and other versions allows local attackers to gain privileges by creating an extremely large directory name, which is inserted into the password prompt via the \w option in the PS1 environmental variable when another user changes into that directory. 19980905 BASH buffer overflow, LiNUX x86 exploit 19970821 Buffer overflow in /bin/bash 19980909 problem with very long pathnames linux-bash-bo(3414) 8345 Entry Microsoft Excel 97 does not warn the user before executing worksheet functions, which could allow attackers to execute arbitrary commands by using the CALL function to execute a malicious DLL, aka the Excel "CALL Vulnerability." MS98-018 179 excel-call(1737) Entry VMS 4.0 through 5.3 allows local users to gain privileges via the ANALYZE/PROCESS_DUMP dcl command. CA-1990-07 B-04 12 vms-analyze-processdump-privileges(7137) Entry Vulnerability in rexec daemon (rexecd) in AT&T TCP/IP 4.0 for various SVR4 systems allows remote attackers to execute arbitrary commands. CA-1992-04 36 att-rexecd(3159) Entry Webmin before 0.5 does not restrict the number of invalid passwords that are entered for a valid username, which could allow remote attackers to gain privileges via brute force password cracking. 19980501 Warning! Webmin Security Advisory http://www.webmin.com/webmin/changes.html 98 Entry rmmount in SunOS 5.7 may mount file systems without the nosuid flag set, contrary to the documentation and its use in previous versions of SunOS, which could allow local users with physical access to gain root privileges by mounting a floppy or CD-ROM that contains a setuid program and running volcheck, when the file systems do not have the nosuid option specified in rmmount.conf. 19990510 SunOS 5.7 rmmount, no nosuid. 19991011 250 4205437 solaris-rmmount-gain-root(8350) Entry SSH 1.2.25, 1.2.23, and other versions, when used in in CBC (Cipher Block Chaining) or CFB (Cipher Feedback 64 bits) modes, allows remote attackers to insert arbitrary data into an existing stream between an SSH client and server by using a known plaintext attack and computing a valid CRC-32 checksum for the packet, aka the "SSH insertion attack." 19980612 CORE-SDI-04: SSH insertion attack 19980703 UPDATE: SSH insertion attack 20010627 Multiple SSH Vulnerabilities VU#13877 ssh-insert(1126) Entry Internet Explorer 4 treats a 32-bit number ("dotless IP address") in the a URL as the hostname instead of an IP address, which causes IE to apply Local Intranet Zone settings to the resulting web page, allowing remote malicious web servers to conduct unauthorized activities by using URLs that contain the dotless IP address for their server. MS98-016 Q168617 http://www.microsoft.com/Windows/Ie/security/dotless.asp 7828 ie-dotless(2209) Entry The default configuration of NCSA Telnet package for Macintosh and PC enables FTP, even though it does not include an "ftp=yes" line, which allows remote attackers to read and modify arbitrary files. CA-1991-15 ftp-ncsa(1844) Entry Buffer overflow in the Window.External function in the JScript Scripting Engine in Internet Explorer 4.01 SP1 and earlier allows remote attackers to execute arbitrary commands via a malicious web page. MS98-011 Q191200 java-script-patch(1276) Entry Buffer overflow in Internet Explorer 4.01 and earlier allows remote attackers to execute arbitrary commands via a long URL with the "mk:" protocol, aka the "MK Overrun security issue." Q176697 19980114 L0pht Advisory MSIE4.0(1) iemk-bug(917) Entry Vulnerability in BSD Telnet client with encryption and Kerberos 4 authentication allows remote attackers to decrypt the session via sniffing. CA-1995-03 F-12 bsd-telnet(516) 4881 Entry Kerberos 4 allows remote attackers to obtain sensitive information via a malformed UDP packet that generates an error string that inadvertently includes the realm name and the last user. 19961122 L0pht Kerberos Advisory kerberos-user-grab(65) Entry Cisco PIX Private Link 4.1.6 and earlier does not properly process certain commands in the configuration file, which reduces the effective key length of the DES key to 48 bits instead of 56 bits, which makes it easier for an attacker to find the proper key via a brute force attack. 19980616 PIX Private Link Key Processing and Cryptography Issues I-056 cisco-pix-parse-error(1579) Entry lpr on SunOS 4.1.1, BSD 4.3, A/UX 2.0.1, and other BSD-based operating systems allows local users to create or overwrite arbitrary files via a symlink attack that is triggered after invoking lpr 1000 times. http://www.phreak.org/archives/security/8lgm/8lgm.lpr 19940307 8lgm Advisory Releases E-25a Entry dxconsole in DEC OSF/1 3.2C and earlier allows local users to read arbitrary files by specifying the file with the -file parameter. VB-96.05 G-18 http://www.tao.ca/fire/bos/0209.html osf-dxconsole-gain-privileges(7138) Entry Windows 95 uses weak encryption for the password list (.pwl) file used when password caching is enabled, which allows local users to gain privileges by decrypting the passwords. 19951205 Cracked: WINDOWS.PWL 19980121 How to recover private keys for various Microsoft products 19980120 How to recover private keys for various Microsoft products Q140557 win95-nbsmbpwl(71) Entry Windows 95, when Remote Administration and File Sharing for NetWare Networks is enabled, creates a share (C$) when an administrator logs in remotely, which allows remote attackers to read arbitrary files by mapping the network drive. http://www.zdnet.com/eweek/reviews/1016/tr42bug.html http://www.net-security.sk/bugs/NT/netware1.html win95-netware-hidden-share(7231) Entry Sendmail before 8.10.0 allows remote attackers to cause a denial of service by sending a series of ETRN commands then disconnecting from the server, while Sendmail continues to process the commands after the connection has been terminated. 19991222 Re: procmail / Sendmail - five bugs 20000113 Re: procmail / Sendmail - five bugs 904 sendmail-etrn-dos(7760) Entry Vulnerability in StackGuard before 1.21 allows remote attackers to bypass the Random and Terminator Canary security mechanisms by using a non-linear attack which directly modifies a pointer to a return address instead of using a buffer overflow to reach the return address entry itself. 19911109 ImmuniX OS Security Alert: StackGuard 1.21 Released 786 immunix-stackguard-bo(3524) Entry Buffer overflow in Korn Shell (ksh) suid_exec program on IRIX 6.x and earlier, and possibly other operating systems, allows local users to gain root privileges. H-15A AA-96.17 19980405-01-I ksh-suid_exec(2100) 467 Entry Vulnerability in the /etc/suid_exec program in HP Apollo Domain/OS sr10.2 and sr10.3 beta, related to the Korn Shell (ksh). CA-1990-04 A-30 7 apollo-suidexec-unauthorized-access(6721) Entry Vulnerability in runpriv in Indigo Magic System Administration subsystem of SGI IRIX 6.3 and 6.4 allows local users to gain root privileges. 19970503-01-PX 462 1009 sgi-runpriv(2108) Entry lquerypv in AIX 4.1 and 4.2 allows local users to read arbitrary files by specifying the file in the -h command line parameter. 19961124 19961125 lquerypv fix 19961125 AIX lquerypv H-13 455 ibm-lquerypv(1752) Entry ndd in Solaris 2.6 allows local users to cause a denial of service by modifying certain TCP/IP parameters. 00165 433 sun-ndd(817) Entry FTP installation script anon.ftp in AIX insecurely configures anonymous FTP, which allows remote attackers to execute arbitrary commands. CA-1992-09 41 aix-anon-ftp(3154) Entry netprint in SGI IRIX 6.4 and earlier trusts the PATH environmental variable for finding and executing the disable program, which allows local users to gain privileges. 19970104 Irix: netprint story 19961203-01-PX 19961203-02-PX 395 993 sgi-netprint(2107) Entry The default configuration for UUCP in AIX before 3.2 allows local users to gain root privileges. CA-1992-06 38 ibm-uucp(554) 891 Entry Vulnerability in restore in SunOS 4.0.3 and earlier allows local users to gain privileges. CA-1989-02 CIAC-08 1019265 3 sun-restore-gain-privileges(6695) Entry Windows NT 4.0 does not properly shut down invalid named pipe RPC connections, which allows remote attackers to cause a denial of service (resource exhaustion) via a series of connections containing malformed data, aka the "Named Pipes Over RPC" vulnerability. MS98-017 Q195733 nt-spoolss(523) Entry Buffer overflow in OSF Distributed Computing Environment (DCE) security demon (secd) in IRIX 6.4 and earlier allows attackers to cause a denial of service via a long principal, group, or organization. VB-97.12 I-060 19980601-01-PX sgi-osf-dce-dos(1123) Entry Windows NT 4.0 allows remote attackers to cause a denial of service (crash) via extra source routing data such as (1) a Routing Information Field (RIF) field with a hop count greater than 7, or (2) a list containing duplicate Token Ring IDs. 19981005 NMRC Advisory - Lame NT Token Ring DoS 19981002 NMRC Advisory - Lame NT Token Ring DoS Q179157 token-ring-dos(1399) Entry Vulnerability in Predictive on HP-UX 11.0 and earlier, and MPE/iX 5.5 and earlier, allows attackers to compromise data transfer for Predictive messages (using e-mail or modem) between customer and Response Center Predictive systems. HPSBUX9807-081 HPSBMP9807-005 19980729 HP-UX Predictive & Netscape SSL Vulnerabilities I-081 mpeix-predictive(1413) Entry The permissions for the /dev/audio device on Solaris 2.2 and earlier, and SunOS 4.1.x, allow any local user to read from the device, which could be used by an attacker to monitor conversations happening near a machine that has a microphone. E-01 00122 sun-audio(549) 6436 Entry SCO UNIX System V/386 Release 3.2, and other SCO products, installs the home directories (1) /tmp for the dos user, and (2) /usr/tmp for the asg user, which allows other users to gain access to those accounts since /tmp and /usr/tmp are world-writable. CA-1993-13 sco-homedir(546) Entry Character-Terminal User Environment (CUE) in HP-UX 11.0 and earlier allows local users to overwrite arbitrary files and gain root privileges via a symlink attack on the IOERROR.mytty file. 19980121 HP-UX CUE, CUD and LAND vulnerabilities 19970901 HP UX Bug :) HPSBUX9801-074 I-027B hp-cue(2007) Entry Buffer overflow in CrackLib 2.5 may allow local users to gain root privileges via a long GECOS field. 19971214 buffer overflows in cracklib?! VB-97.16 cracklib-bo(1539) Entry SunOS 4.1.2 and earlier allows local users to gain privileges via "LD_*" environmental variables to certain dynamically linked setuid or setgid programs such as (1) login, (2) su, or (3) sendmail, that change the real and effective user ids to the same user. CA-1992-11 00116 sun-env(3152) Entry Vulnerability in runtime linker program rld in SGI IRIX 6.x and earlier allows local users to gain privileges via setuid and setgid programs. H-065 19970504-01-PX sgi-rld(2109) Entry Certain files in MPower in HP-UX 10.x are installed with insecure permissions, which allows local users to gain privileges. HPSBUX9701-051 hp-mpower(2056) Entry Vulnerability in Glance programs in GlancePlus for HP-UX 10.20 and earlier allows local users to access arbitrary files and gain privileges. HPSBUX9701-044 H-21 hp-glanceplus(2059) Entry Vulnerability in Glance and gpm programs in GlancePlus for HP-UX 9.x and earlier allows local users to access arbitrary files and gain privileges. HPSBUX9405-011 hp-glanceplus-gpm(2060) Entry Buffer overflow in Platinum Policy Compliance Manager (PCM) 7.0 allows remote attackers to execute arbitrary commands via a long string to the Agent port (1827), which is handled by smaxagent.exe. 19981204 [SAFER-981204.DOS.1.3] Buffer Overflow in Platinum PCM 7.0 19981207 Re: [SAFER-981204.DOS.1.3] Buffer Overflow in Platinum PCM 7.0 pcm-dos-execute(1430) 3164 Entry FTP service in IIS 4.0 and earlier allows remote attackers to cause a denial of service (resource exhaustion) via many passive (PASV) connections at the same time. MS98-006 Q189262 iis-passive-ftp(1215) Entry BisonWare FTP Server 4.1 and earlier allows remote attackers to cause a denial of service via a malformed PORT command that contains a non-numeric character and a large number of carriage returns. 19990517 Vulnerabilities in BisonWare FTP Server 3.5 bisonware-port-crash(2254) Entry Tcpip.sys in Windows NT 4.0 before SP4 allows remote attackers to cause a denial of service via an ICMP Subnet Mask Address Request packet, when certain multiple IP addresses are bound to the same network interface. Q192774 tcpipsys-icmp-dos(3894) Entry SSH 2.0.11 and earlier allows local users to request remote forwarding from privileged ports without being root. 19981229 ssh2 security problem (and patch) (fwd) ssh-privileged-port-forward(1471) Entry Vulnerability in ftpd/kftpd in HP-UX 10.x and 9.x allows local and possibly remote users to gain root privileges. HPSBUX9702-055 H-33 hp-ftpd-kftpd(7437) Entry Vulnerability in ppl in HP-UX 10.x and earlier allows local users to gain root privileges by forcing ppl to core dump. 19961103 Re: Untitled 19961104 ppl bugs HPSBUX9704-057 H-32 AA-97.07 hp-ppl(7438) Entry Vulnerability in passwd in SCO UNIX 4.0 and earlier allows attackers to cause a denial of service by preventing users from being able to log into the system. CA-1993-08 sco-passwd-deny(542) Entry Vulnerability in HP Series 800 S/X/V Class servers allows remote attackers to gain access to the S/X/V Class console via the Service Support Processor (SSP) Teststation. HPSBUX9911-105 hp-ssp(7439) Entry Cross-site scripting vulnerability in Third Voice Web annotation utility allows remote users to read sensitive data and generate fake web pages for other Third Voice users by injecting malicious Javascript into an annotation. http://www.wired.com/news/technology/0,1282,20677,00.html http://www.wired.com/news/technology/0,1282,20636,00.html thirdvoice-cross-site-scripting(7252) Entry Web Cache Control Protocol (WCCP) in Cisco Cache Engine for Cisco IOS 11.2 and earlier does not use authentication, which allows remote attackers to redirect HTTP traffic to arbitrary hosts via WCCP packets to UDP port 2048. 19980513 Cisco Web Cache Control Protocol Router Vulnerability I-054 cisco-wccp-vuln(1577) Entry Directory traversal vulnerability in nph-publish before 1.2 allows remote attackers to overwrite arbitrary files via a .. (dot dot) in the pathname for an upload operation. http://www.w3.org/Security/Faq/wwwsf4.html http://www-genome.wi.mit.edu/WWW/tools/CGI_scripts/server_publish/nph-publish http-cgi-nphpublish(2055) Entry Vulnerability in On-Line Customer Registration software for IRIX 6.2 through 6.4 allows local users to gain root privileges. 19980901-01-PX J-003 irix-register(7441) Entry mysqld in MySQL 3.21 creates log files with world-readable permissions, which allows local users to obtain passwords for users who are added to the user database. 19981227 mysql: mysqld creates world readable logs.. mysql-readable-log-files(1568) Entry Buffer overflow in Netscape Navigator/Communicator 4.7 for Windows 95 and Windows 98 allows remote attackers to cause a denial of service, and possibly execute arbitrary commands, via a long argument after the ? character in a URL that references an .asp, .cgi, .html, or .pl file. 19991124 Netscape Communicator 4.7 - Navigator Overflows 19991127 Netscape Communicator 4.7 - Navigator Overflows 822 netscape-long-argument-bo(7884) Entry Buffer overflow in chkey in Solaris 2.5.1 and earlier allows local users to gain root privileges via a long command line argument. 19970519 Re: Finally, most of an exploit for Solaris 2.5.1's ps. AA-97.18 00144 207 solaris-chkey-bo(7442) Entry Buffer overflow in eeprom in Solaris 2.5.1 and earlier allows local users to gain root privileges via a long command line argument. 00143 206 solaris-eeprom-bo(7444) Entry The "me" user in NeXT NeXTstep 2.1 and earlier has wheel group privileges, which could allow the me user to use the su command to become root. CA-1991-06 next-me(581) 20 Entry chroot in Digital Ultrix 4.1 and 4.0 is insecurely installed, which allows local users to gain privileges. CA-1991-05 17 dec-chroot(577) Entry TIOCCONS in SunOS 4.1.1 does not properly check the permissions of a user who tries to redirect console output and input, which could allow a local user to gain privileges. CA-1990-12 14 sunos-tioccons-console-redirection(7140) Entry BuildDisk program on NeXT systems before 2.0 does not prompt users for the root password, which allows local users to gain root privileges. CA-1990-06 B-01 11 nextstep-builddisk-root-access(7141) Entry Apache WWW server 1.3.1 and earlier allows remote attackers to cause a denial of service (resource exhaustion) via a large number of MIME headers with the same name, aka the "sioux" vulnerability. 19980807 YA Apache DoS attack 19980808 Debian Apache Security Update 19980810 Apache DoS Attack 19980811 Apache 'sioux' DOS fix for TurboLinux http://www.redhat.com/support/errata/rh51-errata-general.html#apache Entry Windows 95 and Windows 98 systems, when configured with multiple TCP/IP stacks bound to the same MAC address, allow remote attackers to cause a denial of service (traffic amplification) via a certain ICMP echo (ping) packet, which causes all stacks to send a ping response, aka TCP Chorusing. 19990206 New Windows 9x Bug: TCP Chorusing 225 win-multiple-ip-dos(7542) Entry Multilink PPP for ISDN dialup users in Ascend before 4.6 allows remote attackers to cause a denial of service via a spoofed endpoint identifier. 19990210 Security problems in ISDN equipment authentication 19990212 PPP/ISDN multilink security issue - summary ascend-ppp-isdn-dos(7498) Entry Check Point Firewall-1 does not properly handle certain restricted keywords (e.g., Mail, auth, time) in user-defined objects, which could produce a rule with a default "ANY" address and result in access to more systems than intended by the administrator. 19980511 Firewall-1 Reserved Keywords Vulnerability http://www.checkpoint.com/techsupport/config/keywords.html fw1-user-defined-keywords-access(7293) 4416 Entry nettune in HP-UX 10.01 and 10.00 is installed setuid root, which allows local users to cause a denial of service by modifying critical networking configuration information. 19960607 HP-UX B.10.01 vulnerability HPSBUX9607-035 G-34 hp-nettune(414) Entry Buffer overflow in ping in AIX 4.2 and earlier allows local users to gain root privileges via a long command line argument. 19970721 AIX ping, lchangelv, xlock fixes 19970721 AIX ping (Exploit) ping-bo(803) Entry Vulnerability in scoterm in SCO OpenServer 5.0 and SCO Open Desktop/Open Server 3.0 allows local users to gain root privileges. 19971204 scoterm exploit VB-97.14 sco-scoterm(690) Entry The asynchronous I/O facility in 4.4 BSD kernel does not check user credentials when setting the recipient of I/O notification, which allows local users to cause a denial of service by using certain ioctl and fcntl calls to cause the signal to be sent to an arbitrary process ID. 19970915 Vulnerability in I/O Signal Handling http://www.openbsd.com/advisories/signals.txt 11062 openbsd-iosig(556) Entry LOGIN.EXE program in Novell Netware 4.0 and 4.01 temporarily writes user name and password information to disk, which could allow local users to gain privileges. D-21 CA-1993-12 novell-login(545) Entry The PATH in Windows NT includes the current working directory (.), which could allow local users to gain privileges by placing Trojan horse programs with the same name as commonly used system programs into certain directories. 19970725 Re: NT security - why bother? 19970723 NT security - why bother? nt-path(526) Entry Netbt.sys in Windows NT 4.0 allows remote malicious DNS servers to cause a denial of service (crash) by returning 0.0.0.0 as the IP address for a DNS host name lookup. Q188571 dns-netbtsys-dos(3893) Entry IIS 3.0 allows remote attackers to cause a denial of service via a request to an ASP page in which the URL contains a large number of / (forward slash) characters. Q187503 url-asp-av(3892) Entry Netscape Communicator 4.7 and earlier allows remote attackers to cause a denial of service, and possibly execute arbitrary commands, via a long certificate key. http://www.securiteam.com/exploits/Netscape_4_7_and_earlier_vulnerable_to__Huge_Key__DoS.html netscape-huge-key-dos(3436) Entry IIS 4.0 does not properly restrict access for the initial session request from a user's IP address if the address does not resolve to a DNS domain, aka the "Domain Resolution" vulnerability. MS99-039 241562 657 iis-unresolved-domain-access(3306) Entry SGI Desktop Permissions Tool in IRIX 6.0.1 and earlier allows local users to modify permissions for arbitrary files and gain privileges. F-16 19950301-01-P373 sgi-permissions(2113) Entry Direct Mailer feature in Microsoft Site Server 3.0 saves user domain names and passwords in plaintext in the TMLBQueue network share, which has insecure default permissions, allowing remote attackers to read the passwords and gain privileges. Q229972 siteserver-directmail-passwords(2068) Entry movemail in HP-UX 10.20 has insecure permissions, which allows local users to gain privileges. HPSBUX9701-047 hp-movemail(2057) 8099 Entry rpc.pwdauthd in SunOS 4.1.1 and earlier does not properly prevent remote access to the daemon, which allows remote attackers to obtain sensitive system information. 00102 sun-pwdauthd(1782) Entry Microsoft Office 98, Macintosh Edition, does not properly initialize the disk space used by Office 98 files and effectively inserts data from previously deleted files into the Office file, which could allow attackers to obtain sensitive information. Q189529 office-extraneous-data(1780) Entry Java in Netscape 4.5 does not properly restrict applets from connecting to other hosts besides the one from which the applet was loaded, which violates the Java security model and could allow remote attackers to conduct unauthorized activities. 19990202 Unsecured server in applets under Netscape java-socket-open(1727) Entry Metamail before 2.7-7.2 allows remote attackers to overwrite arbitrary files via an e-mail message containing a uuencoded attachment that specifies the full pathname for the file to be modified, which is processed by uuencode in Metamail scripts such as sun-audio-file. 19971024 Vulnerability in metamail metamail-file-creation(1677) Entry fte-console in the fte package before 0.46b-4.1 does not drop root privileges, which allows local users to gain root access via the virtual console device. 19981207 fte-console: does not drop its root priviliges fte-console-privileges(1609) Entry An interaction between the AS/400 shared folders feature and Microsoft SNA Server 3.0 and earlier allows users to view each other's folders when the users share the same Local APPC LU. Q138001 snaserver-shared-folders(1548) Entry NukeNabber allows remote attackers to cause a denial of service by connecting to the NukeNabber port (1080) without sending any data, which causes the CPU usage to rise to 100% from the report.exe program that is executed upon the connection. 19981105 various *lame* DoS attacks 19981107 Re: various *lame* DoS attacks http://www.dynamsol.com/puppet/text/new.txt nukenabber-timeout-dos(1540) Entry Samba 1.9.18 inadvertently includes a prototype application, wsmbconf, which is installed with incorrect permissions including the setgid bit, which allows local users to read and write files and possibly gain privileges via bugs in the program. 19981119 Vulnerability in Samba on RedHat, Caldera and PHT TurboLinux SA-1998.35 samba-wsmbconf(1406) Entry Buffer overflow in nftp FTP client version 1.40 allows remote malicious FTP servers to cause a denial of service, and possibly execute arbitrary commands, via a long response string. 19981117 nftp vulnerability (fwd) http://www.ayukov.com/nftp/history.html nftp-bo(1397) Entry Office Shortcut Bar (OSB) in Windows 3.51 enables backup and restore permissions, which are inherited by programs such as File Manager that are started from the Shortcut Bar, which could allow local users to read folders for which they do not have permission. Q146604 nt-filemgr(562) Entry cmdtool in OpenWindows 3.0 and XView 3.0 in SunOS 4.1.4 and earlier allows attackers with physical access to the system to display unechoed characters (such as those from password prompts) via the L2/AGAIN key. 1077164 sun-cmdtool-echo(7482) Entry Sysinstall in FreeBSD 2.2.1 and earlier, when configuring anonymous FTP, creates the ftp user without a password and with /bin/date as the shell, which could allow attackers to gain access to certain system resources. FreeBSD-SA-97:03 freebsd-sysinstall-ftp-password(7537) 6087 Entry A design flaw in the Z-Modem protocol allows the remote sender of a file to execute arbitrary programs on the client, as implemented in rz in the rzsz module of FreeBSD before 2.1.5, and possibly other programs. G-31 FreeBSD-SA-96:17 rzsz-command-execution(7540) Entry Sendmail before 8.6.7 allows local users to gain root access via a large value in the debug (-d) command line option. 19940314 sendmail -d problem (OLD yet still here) 19940315 so... 19940315 anyone know details? 19940315 Security problem in sendmail versions 8.x.x 19940327 sendmail exploit script - resend CA-1994-12 sendmail-debug-gain-root(7155) Entry Passfilt.dll in Windows NT SP2 allows users to create a password that contains the user's name, which could make it easier for an attacker to guess. Q247975 passfilt-fullname(7391) Entry Windows NT 4.0 SP4 and earlier allows local users to gain privileges by modifying the symbolic link table in the \?? object folder using a different case letter (upper or lower) to point to a different device. 19990312 [ ALERT ] Case Sensitivity and Symbolic Links 19990314 AW: [ ALERT ] Case Sensitivity and Symbolic Links Q222159 nt-symlink-case(7398) Entry /usr/5bin/su in SunOS 4.1.3 and earlier uses a search path that includes the current working directory (.), which allows local users to gain privileges via Trojan horse programs. 1121935 sun-su-path(7480) Entry Vulnerability in Novell NetWare 3.x and earlier allows local users to gain privileges via packet spoofing. D-01 netware-packet-spoofing-privileges(7213) Entry Buffer overflow in ssh 1.2.26 client with Kerberos V enabled could allow remote attackers to cause a denial of service or execute arbitrary commands via a long DNS hostname that is not properly handled during TGT ticket passing. 19981105 security patch for ssh-1.2.26 kerberos code 4883 Entry VAXstations running Open VMS 5.3 through 5.5-2 with VMS DECwindows or MOTIF do not properly disable access to user accounts that exceed the break-in limit threshold for failed login attempts, which makes it easier for attackers to conduct brute force password guessing. D-06 openvms-sysgen-enabled(7225) Entry SAS System 5.18 on VAX/VMS is installed with insecure permissions for its directories and startup file, which allows local users to gain privileges. C-19 vaxvms-sas-gain-privileges(7261) Entry wu-ftpd 2.4 FTP server does not properly drop privileges when an ABOR (abort file transfer) command is executed during a file transfer, which causes a signal to be handled incorrectly and allows local and possibly remote attackers to read arbitrary files. 19970104 serious security bug in wu-ftpd v2.4 19970105 BoS: serious security bug in wu-ftpd v2.4 -- PATCH wuftpd-abor-gain-privileges(7169) Entry Buffer overflow in linuxconf 1.11r11-rh2 on Red Hat Linux 5.1 allows local users to gain root privileges via a long LANG environmental variable. 19980601 Re: SECURITY: Red Hat Linux 5.1 linuxconf bug (fwd) http://www.redhat.com/support/errata/rh51-errata-general.html#linuxconf linuxconf-lang-bo(7239) 6065 Entry linuxconf before 1.11.r11-rh3 on Red Hat Linux 5.1 allows local users to overwrite arbitrary files and gain root access via a symlink attack. 19980826 [djb@redhat.com: Unidentified subject!] 19980823 Security concerns in linuxconf shipped w/RedHat 5.1 http://www.redhat.com/support/errata/rh51-errata-general.html#linuxconf linuxconf-symlink-gain-privileges(7232) 6068 Entry Buffer overflow in SysVInit in Red Hat Linux 5.1 and earlier allows local users to gain privileges. http://www.redhat.com/support/errata/rh50-errata-general.html#SysVinit sysvinit-root-bo(7250) Entry The snprintf function in the db library 1.85.4 ignores the size parameter, which could allow attackers to exploit buffer overflows that would be prevented by a properly implemented snprintf. 19970709 [linux-security] so-called snprintf() in db-1.85.4 (fwd) http://lists.openresources.com/Debian/debian-bugs-closed/msg00581.html http://www.redhat.com/support/errata/rh42-errata-general.html#db linux-libdb-snprintf-bo(7244) Entry netcfg 2.16-1 in Red Hat Linux 4.2 allows the Ethernet interface to be controlled by users on reboot when an option is set, which allows local users to cause a denial of service by shutting down the interface. http://www.redhat.com/support/errata/rh42-errata-general.html#netcfg netcfg-ethernet-dos(7245) Entry gzexe in the gzip package on Red Hat Linux 5.0 and earlier allows local users to overwrite files of other users via a symlink attack on a temporary file. 19980128 GZEXE - the big problem http://www.redhat.com/support/errata/rh50-errata-general.html#gzip DSA-308 7845 3812 gzip-gzexe-tmp-symlink(7241) Entry automatic download option in ncftp 2.4.2 FTP client in Red Hat Linux 5.0 and earlier allows remote attackers to execute arbitrary commands via shell metacharacters in the names of files that are to be downloaded. 19980319 ncftp 2.4.2 MkDirs bug http://www.redhat.com/support/errata/rh50-errata-general.html#ncftp ncftp-autodownload-command-execution(7240) 6111 Entry snmpd server in cmu-snmp SNMP package before 3.3-1 in Red Hat Linux 4.0 is configured to allow remote attackers to read and write sensitive information. http://www.redhat.com/support/errata/rh40-errata-general.html#cmu-snmp cmusnmp-read-write(7251) Entry 3Com HiPer Access Router Card (HiperARC) 4.0 through 4.2.29 allows remote attackers to cause a denial of service (reboot) via a flood of IAC packets to the telnet port. 19990812 3com hiperarch flaw [hiperbomb.c] 19990816 Re: 3com hiperarch flaw [hiperbomb.c] 6057 Entry FTP client in Midnight Commander (mc) before 4.5.11 stores usernames and passwords for visited sites in plaintext in the world-readable history file, which allows other local users to gain privileges. 19990801 midnight commander vulnerability(?) (fwd) midnight-commander-data-disclosure(9873) 5921 Entry Vulnerability when Network Address Translation (NAT) is enabled in Linux 2.2.10 and earlier with ipchains, or FreeBSD 3.2 with ipfw, allows remote attackers to cause a denial of service (kernel panic) via a ping -R (record route) command. 19990722 Re: ping -R causes kernel panic on a forwarding machine ( 2.2.5 a nd 2 .2.10) 19990722 Linux +ipchains+ ping -R http://www.kernel.org/pub/linux/kernel/v2.2/patch-2.2.11.gz ipchains-ping-route-dos(7257) 6105 Entry Linux kernel before 2.3.18 or 2.2.13pre15, with SLIP and PPP options, allows local unprivileged users to forge IP packets via the TIOCSETD option on tty devices. 19991022 Local user can send forged packets linux-tiocsetd-forge-packets(7858) Entry Directory traversal vulnerability in KVIrc IRC client 0.9.0 with the "Listen to !nick <soundname> requests" option enabled allows remote attackers to read arbitrary files via a .. (dot dot) in a DCC GET request. 19990924 Kvirc bug kvirc-dot-directory-traversal(7761) Entry Compaq Integration Maintenance Utility as used in Compaq Insight Manager agent before SmartStart 4.50 modifies the legal notice caption (LegalNoticeCaption) and text (LegalNoticeText) in Windows NT, which could produce a legal notice that is in violation of the security policy. 19990902 Compaq CIM UG Overwrites Legal Notice 19990902 Compaq CIM UG Overwrites Legal Notice 19990917 Re: Compaq CIM UG Overwrites Legal Notice compaq-smartstart-legal-notice(7763) Entry When an administrator in Windows NT or Windows 2000 changes a user policy, the policy is not properly updated if the local ntconfig.pol is not writable by the user, which could allow local users to bypass restrictions that would otherwise be enforced by the policy, possibly by changing the policy file to be read-only. Q157673 nt-user-policy-update(7400) Entry When the Ntconfig.pol file is used on a server whose name is longer than 13 characters, Windows NT does not properly enforce policies for global groups, which could allow users to bypass restrictions that were intended by those policies. Q163875 nt-group-policy-longname(7401) Entry Windows NT 4.0 allows local users to cause a denial of service via a user mode application that closes a handle that was opened in kernel mode, which causes a crash when the kernel attempts to close the handle. Q160650 nt-kernel-handle-dos(7402) Entry Win32k.sys in Windows NT 4.0 before SP2 allows local users to cause a denial of service (crash) by calling certain WIN32K functions with incorrect parameters. Q160601 nt-win32k-dos(7403) Entry Windows NT 3.51 and 4.0 allow local users to cause a denial of service (crash) by running a program that creates a large number of locks on a file, which exhausts the NonPagedPool. Q163143 nt-nonpagedpool-dos(7405) Entry Windows NT searches a user's home directory (%systemroot% by default) before other directories to find critical programs such as NDDEAGNT.EXE, EXPLORER.EXE, USERINIT.EXE or TASKMGR.EXE, which could allow local users to bypass access restrictions or gain privileges by placing a Trojan horse program into the root directory, which is writable by default. 19990628 NT runs Explorer.exe, Taskmgr.exe etc. from wrong location 19990630 Update: NT runs explorer.exe, etc... nt-login-default-folder(2336) 0515 Entry DNS allows remote attackers to use DNS name servers as traffic amplifiers via a UDP DNS query with a spoofed source address, which produces more traffic to the victim than was sent by the attacker. 19990730 Possible Denial Of Service using DNS 19990810 Possible Denial Of Service using DNS AL-1999.004 J-063 dns-udp-query-dos(7238) Entry Symantec Norton Utilities 2.0 for Windows 95 marks the TUNEOCX.OCX ActiveX control as safe for scripting, which allows remote attackers to execute arbitrary commands via the run option through malicious web pages that are accessed by browsers such as Internet Explorer 3.0. http://www.net-security.sk/bugs/NT/nu20.html http://mlarchive.ima.com/win95/1997/May/0342.html http://news.zdnet.co.uk/story/0,,s2065518,00.html nu-tuneocx-activex-control(7188) Entry NetWare NFS mode 1 and 2 implements the "Read Only" flag in Unix by changing the ownership of a file to root, which allows local users to gain root privileges by creating a setuid program and setting it to "Read Only," which NetWare-NFS changes to a setuid root program. 19980108 NetWare NFS 19980812 Re: Netware NFS (fwd) http://support.novell.com/cgi-bin/search/tidfinder.cgi?2940551 netware-nfs-file-ownership(7246) Entry Indigo Magic System Tour in the SGI system tour package (systour) for IRIX 5.x through 6.3 allows local users to gain root privileges via a Trojan horse .exitops program, which is called by the inst command that is executed by the RemoveSystemTour program. 19961030 (Another) vulnerability in new SGIs AA-96.08 19961101-01-I 470 irix-systour(7456) Entry Buffer overflow in ppp program in FreeBSD 2.1 and earlier allows local users to gain privileges via a long HOME environment variable. 19961219 Exploit for ppp bug (FreeBSD 2.1.0). FreeBSD-SA-96:20 ppp-bo(7465) 6085 Entry Perl 5.004_04 and earlier follows symbolic links when running with the -e option, which allows local users to overwrite arbitrary files via a symlink attack on the /tmp/perl-eaXXXXX file. 19980308 another /tmp race: `perl -e' opens temp file not safely http://www.redhat.com/support/errata/rh50-errata-general.html#perl perl-e-tmp-symlink(7243) Entry Index Server 2.0 on IIS 4.0 stores physical path information in the ContentIndex\Catalogs subkey of the AllowedPaths registry key, whose permissions allows local and remote users to obtain the physical paths of directories that are being indexed. 19990323 Index Server 2.0 and the Registry 19990323 Index Server 2.0 and the Registry 476 iis-indexserver-reveal-path(7559) Entry The access permissions for a UNIX domain socket are ignored in Solaris 2.x and SunOS 4.x, and other BSD-based operating systems before 4.4, which could allow local users to connect to the socket and possibly disrupt or control the operations of the program using that socket. 19970517 UNIX domain socket (Solarisx86 2.5) 19971003 Solaris 2.6 and sockets 456 sun-domain-socket-permissions(7172) Entry ifdhcpc-done script for configuring DHCP on Red Hat Linux 5 allows local users to append text to arbitrary files via a symlink attack on the dhcplog file. 19980309 *sigh* another RH5 /tmp problem 368 initscripts-ifdhcpdone-dhcplog-symlink(7294) http://www.redhat.com/support/errata/rh50-errata-general.html#initscripts Entry The at program in IRIX 6.2 and NetBSD 1.3.2 and earlier allows local users to read portions of arbitrary files by submitting the file to at with the -f argument, which generates error messages that at sends to the user via e-mail. 19980703 more about 'at' 19980805 irix-6.2 "at -f" vulnerability NetBSD-SA1998-004 331 at-f-read-files(7577) Entry The installation of the fsp package 2.71-10 in Debian GNU/Linux 2.0 adds the anonymous FTP user without notifying the administrator, which could automatically enable anonymous FTP on some servers such as wu-ftp. 19981126 new version of fsp fixes security flaw 19981128 Debian: Security flaw in FSP 19981130 Debian: Security flaw in FSP 19990217 Debian GNU/Linux 2.0r5 released (fwd) 316 fsp-anon-ftp-access(7574) Entry IBM Netfinity Remote Control allows local users to gain administrator privileges by starting programs from the process manager, which runs with system level privileges. 19990525 Security Leak with IBM Netfinity Remote Control Software 19990609 IBM's response to "Security Leak with IBM Netfinity Remote Control Software 284 Entry Buffer overflow in nss_nisplus.so.1 library in NIS+ in Solaris 2.3 and 2.4 allows local users to gain root privileges. 00148 219 sun-nisplus-bo(7535) Entry ping in Solaris 2.3 through 2.6 allows local users to cause a denial of service (crash) via a ping request to a multicast address through the loopback interface, e.g. via ping -i. 19970626 Solaris Ping bug (DoS) 19970627 SUMMARY: Solaris Ping bug (DoS) 19970627 Solaris Ping bug(inetsvc) 19971005 Solaris Ping Bug and other [bc] oddities 00146 209 ping-multicast-loopback-dos(7492) Entry Power management (Powermanagement) on Solaris 2.4 through 2.6 does not start the xlock process until after the sys-suspend has completed, which allows an attacker with physical access to input characters to the last active application from the keyboard for a short period after the system is restoring, which could lead to increased privileges. 19980716 Security risk with powermanagemnet on Solaris 2.6 160 4024179 Entry HP JetAdmin D.01.09 on Solaris allows local users to change the permissions of arbitrary files via a symlink attack on the /tmp/jetadmin.log file. 19980715 JetAdmin software 19980722 Re: JetAdmin software 157 Entry ePerl 2.2.12 allows remote attackers to read arbitrary files and possibly execute certain commands by specifying a full pathname of the target file as an argument to bar.phtml. 19980707 ePerl: bad handling of ISINDEX queries 19980710 ePerl Security Update Available 151 Entry GINA in Windows NT 4.0 allows attackers with physical access to display a portion of the clipboard of the user who has locked the workstation by pasting (CTRL-V) the contents into the username prompt. 19990129 ole objects in a "secured" environment? 19990205 Alert: MS releases GINA-fix for SP3, SP4, and TS 19990129 ole objects in a "secured" environment? Q214802 198 nt-gina-clipboard(1975) Entry RSH service utility RSHSVC in Windows NT 3.5 through 4.0 does not properly restrict access as specified in the .Rhosts file when a user comes from an authorized host, which could allow unauthorized users to access the service by logging in from an authorized host. Q158320 nt-rshsvc-ale-bypass(7422) Entry thttpd HTTP server 2.03 and earlier allows remote attackers to read arbitrary files via a GET request with more than one leading / (slash) character in the filename. 19980819 thttpd 2.04 released (fwd) http://www.acme.com/software/thttpd/thttpd.html#releasenotes thttpd-file-read(1809) Entry rdist in various UNIX systems uses popen to execute sendmail, which allows local users to gain root privileges by modifying the IFS (Internal Field Separator) variable. http://www.alw.nih.gov/Security/8lgm/8lgm-Advisory-01.html CA-91.20 31 rdist-popen-gain-privileges(7160) 8106 Entry Internet Explorer 4.0 allows remote attackers to read arbitrary text and HTML files on the user's machine via a small IFRAME that uses Dynamic HTML (DHTML) to send the data to the attacker, aka the Freiburg text-viewing issue. 19971017 Security Hole in Explorer 4.0 http://www.insecure.org/sploits/Internet_explorer_4.0.hack.html http://www.microsoft.com/Windows/ie/security/freiburg.asp Q176794 Q176697 http-ie-spy(587) 7819 Entry When a Web site redirects the browser to another site, Internet Explorer 3.02 and 4.0 automatically resends authentication information to the second site, aka the "Page Redirect Issue." Q176697 ie-page-redirect(7426) 7818 Entry A bug in Intel Pentium processor (MMX and Overdrive) allows local users to cause a denial of service (hang) in Intel-based operating systems such as Windows NT and Windows 95, via an invalid instruction, aka the "Invalid Operand with Locked CMPXCHG8B Instruction" problem. Q163852 pentium-crash(704) Entry The Sun HotSpot Performance Engine VM allows a remote attacker to cause a denial of service on any server running HotSpot via a URL that includes the [ character. 19990706 Bug in SUN's Hotspot VM 19990716 FW: (Review ID: 85125) Hotspot crashes bringing down webserver 522 sun-hotspot-vm(2348) Entry Squid 2.2.STABLE5 and below, when using external authentication, allows attackers to bypass access controls via a newline in the user/password pair. 19991025 [squid] exploit for external authentication problem 19991103 [squid]exploit for external authentication problem http://www.squid-cache.org/Versions/v2/2.2/bugs/ 741 squid-proxy-auth-access(3433) Entry sadc in IBM AIX 4.1 through 4.3, when called from programs such as timex that are setgid adm, allows local users to overwrite arbitrary files via a symlink attack. http://techsupport.services.ibm.com/aix/fixes/v4/os/bos.acct.4.3.1.0.info IX75554 IX76853 IX76330 408 aix-sadc-timex(7675) Entry sdrd daemon in IBM SP2 System Data Repository (SDR) allows remote attackers to read files without authentication. I-079A 371 ibm-sdr-read-files(7217) Entry xosview 1.5.1 in Red Hat 5.1 allows local users to gain root access via a long HOME environmental variable. 19980528 ALERT: Tiresome security hole in "xosview", RedHat5.1? 19980529 Re: Tiresome security hole in "xosview" (xosexp.c) 362 linux-xosview-bo(8787) Entry colorview in Silicon Graphics IRIX 5.1, 5.2, and 6.0 allows local attackers to read arbitrary files via the -text argument. 19940809 Re: IRIX 5.2 Security Advisory 19950307 sigh. another Irix 5.2 hole. 19950209-00-P sgi-colorview(2112) 336 Entry Sun SunOS 4.1 through 4.1.3 allows local attackers to gain root access via insecure permissions on files and directories such as crash. CA-1993-03 59 sun-dir(521) Entry The AMaViS virus scanner 0.2.0-pre4 and earlier allows remote attackers to execute arbitrary commands as root via an infected mail message with shell metacharacters in the reply-to field. 19990716 AMaViS virus scanner for Linux - root exploit http://www.amavis.org/ChangeLog.txt 527 amavis-command-execute(2349) Entry A configuration problem in the Ad Server Sample directory (AdSamples) in Microsoft Site Server 3.0 allows an attacker to obtain the SITE.CSC file, which exposes sensitive SQL database information. 19990511 [ALERT] Site Server 3.0 May Expose SQL IDs and PSWs 256 siteserver-site-csc(2270) Entry cgiwrap as used on Cobalt RaQ 2.0 and RaQ 3i does not properly identify the user for running certain scripts, which allows a malicious site administrator to view or modify data located at another virtual site on the same system. 19991108 Security flaw in Cobalt RaQ2 cgiwrap 19991109 [Cobalt] Security Advisory - cgiwrap 777 cobalt-cgiwrap-incorrect-permissions(7764) 35 Entry Buffer overflow in IBM HomePagePrint 1.0.7 for Windows98J allows a malicious Web site to execute arbitrary code on a viewer's system via a long IMG_SRC HTML tag. 19991102 Some holes for Win/UNIX softwares 763 ibm-homepageprint-bo(7767) Entry Buffer overflow in AspUpload.dll in Persits Software AspUpload before 1.4.0.2 allows remote attackers to cause a denial of service, and possibly execute arbitrary commands, via a long argument in the HTTP request. 19990720 Buffer overflow in AspUpload 1.4 19990818 AspUpload Buffer Overflow Fixed 592 http-aspupload-bo(3291) Entry IIS 3.x and 4.x does not distinguish between pages requiring encryption and those that do not, which allows remote attackers to cause a denial of service (resource exhaustion) via SSL requests to the HTTPS port for normally unencrypted files, which will cause IIS to perform extra work to send the files over SSL. 19990707 SSL and IIS. 521 ssl-iis-dos(2352) Entry RPMMail before 1.4 allows remote attackers to execute commands via an e-mail message with shell metacharacters in the "MAIL FROM" command. 19991004 RH6.0 local/remote command execution 19991006 Fwd: [Re: RH6.0 local/remote command execution] linux-rh-rpmmail(3353) Entry bigconf.conf in F5 BIG/ip 2.1.2 and earlier allows remote attackers to read arbitrary files by specifying the target file in the "file" parameter. 19991108 BigIP - bigconf.cgi holes 19991109 Re: BigIP - bigconf.cgi holes 19991109 778 bigip-bigconf-view-files(7771) Entry Microsoft SQL Server 6.5 uses weak encryption for the password for the SQLExecutiveCmdExec account and stores it in an accessible portion of the registry, which could allow local users to gain privileges by reading and decrypting the CmdExecAccount value. 19980629 MS SQL Server 6.5 stores password in unprotected registry keys 109 mssql-sqlexecutivecmdexec-password(7354) Entry Man2html 2.1 and earlier allows local users to overwrite arbitrary files via a symlink attack on a temporary file. 19990820 [SECURITY] New versions of man2html fixes postinst glitch 6291 Entry Off-by-one error in NcFTPd FTP server before 2.4.1 allows a remote attacker to cause a denial of service (crash) via a long PORT command. 19990223 NcFTPd remote buffer overflow 19990223 Comments on NcFTPd "theoretical root compromise" ncftpd-port-bo(1833) Entry RealMedia server allows remote attackers to cause a denial of service via a long ramgen request. 19991222 RealMedia Server 5.0 Crasher (rmscrash.c) 888 realserver-ramgen-dos Entry Buffer overflow in ZBServer Pro 1.50 allows remote attackers to execute commands via a long GET request. 19991223 Local / Remote GET Buffer Overflow Vulnerability in ZBServer 1.5 Pro Edition for Win98/NT 19991223 Local / Remote GET Buffer Overflow Vulnerability in ZBServer 1.5 Pro Edition for Win98/NT 20000128 ZBServer 1.50-r1x exploit (WinNT) 20020114 ZBServer Pro DoS Vulnerability 889 zbserver-get-bo Entry Buffer overflow in UnixWare rtpm program allows local users to gain privileges via a long environmental variable. 19991230 UnixWare rtpm exploit + discussion 20000127 New SCO patches... Entry ZBServer Pro allows remote attackers to read source code for executable files by inserting a . (dot) into the URL. 19991223 Local / Remote GET Buffer Overflow Vulnerability in ZBServer 1.5 Pro Edition for Win98/NT 19991223 Re: Local / Remote GET Buffer Overflow Vulnerability in ZBServer 1.5 Pro Edition for Win98/NT zbserver-url-dot Entry strace allows local users to read arbitrary files via memory mapped file names. 19991225 strace can lie linux-strace(4554) Entry Trend Micro PC-Cillin does not restrict access to its internal proxy port, allowing remote attackers to conduct a denial of service. 19991230 PC-Cillin 6.x DoS Attack pccillin-proxy-remote-dos(4491) 1740 Entry The bna_pass program in Optivity NETarchitect uses the PATH environmental variable for finding the "rm" program, which allows local users to execute arbitrary commands. 19991230 bna,sh netarchitect-path-vulnerability 907 Entry WebWho+ whois.cgi program allows remote attackers to execute commands via shell metacharacters in the TLD parameter. 19991226 WebWho+ ADVISORY http-cgi-webwhoplus Entry Buffer overflow in AnalogX SimpleServer:WWW HTTP server allows remote attackers to execute commands via a long GET request. 19991231 Local / Remote GET Buffer Overflow Vulnerability in AnalogX SimpleServer:WWW HTTP Server v1.1 http://www.analogx.com/contents/download/network/sswww.htm simpleserver-get-bo 906 1184 Entry Buffer overflow in w3-msql CGI program in miniSQL package allows remote attackers to execute commands. 19991227 remote buffer overflow in miniSQL 898 w3-msql-scanf-bo Entry IRIX soundplayer program allows local users to gain privileges by including shell metacharacters in a .wav file, which is executed via the midikeys program. 19991231 irix-soundplayer.sh irix-soundplayer-symlink 909 Entry Denial of service in Savant web server via a null character in the requested URL. 19991228 Local / Remote D.o.S Attack in Savant Web Server V2.0 WIN9X / NT / 2K 897 savant-server-null-dos Entry CascadeView TFTP server allows local users to gain privileges via a symlink attack. 19991231 tftpserv.sh 910 cascadeview-tftp-symlink Entry wmmon in FreeBSD allows local users to gain privileges via the .wmmonrc configuration file. 19991221 Wmmon under FreeBSD 885 freebsd-wmmon-root-exploit 1169 Entry DNS PRO allows remote attackers to conduct a denial of service via a large number of connections. 19991221 Remote D.o.S Attack in DNS PRO v5.7 WinNT From FBLI Software Vulnerability 19991221 Remote D.o.S Attack in DNS PRO v5.7 WinNT From FBLI Software Vulnerability dnspro-flood-dos Entry Lotus Domino HTTP server does not properly disable anonymous access for the cgi-bin directory. 19991221 serious Lotus Domino HTTP denial of service 19991227 Re: Lotus Domino HTTP denial of service attack 881 Entry Buffer overflow in Lotus Domino HTTP server allows remote attackers to cause a denial of service via a long URL. 19991221 serious Lotus Domino HTTP denial of service 19991222 Lotus Notes HTTP cgi-bin vulnerability: possible workaround 19991227 Re: Lotus Domino HTTP denial of service attack 881 51 Entry IIS does not properly canonicalize URLs, potentially allowing remote attackers to bypass access restrictions in third-party software via escape characters, aka the "Escape Character Parsing" vulnerability. http://www.acrossecurity.com/aspr/ASPR-1999-11-10-1-PUB.txt MS99-061 19991228 Third Party Software Affected by IIS "Escape Character Parsing" Vulnerability 19991229 More info on MS99-061 (IIS escape character vulnerability) iis-badescapes Q246401 Entry IIS 4.0 and Site Server 3.0 allow remote attackers to read source code for ASP files if the file is in a virtual directory whose name includes extensions such as .com, .exe, .sh, .cgi, or .dll, aka the "Virtual Directory Naming" vulnerability. MS99-058 Q238606 8098 Entry Buffer overflow in UnixWare i2odialogd daemon allows remote attackers to gain root access via a long username/password authorization string. 19991222 UnixWare i2odialogd remote root exploit 19991223 FYI, SCO Security patches available. 876 6310 Entry IBM Network Station Manager NetStation allows local users to gain privileges via a symlink attack. 19991227 IBM NetStation/UnixWare local root exploit 900 ibm-netstat-race-condition(5381) Entry UnixWare pis and mkpis commands allow local users to gain privileges via a symlink attack. 19991227 UnixWare local pis exploit 20000113 Info on some security holes reported against SCO Unixware. 901 Entry Solaris dmispd dmi_cmd allows local users to fill up restricted disk space by adding files to the /var/dmi/db database. 19991222 Solaris 2.7 dmispd local/remote problems sol-dmispd-fill-disk 878 Entry The initscripts package in Red Hat Linux allows local users to gain privileges via a symlink attack. 19991227 initscripts-4.48-1 RedHat Linux 6.1 RHSA-1999:052-04 Entry Solaris dmi_cmd allows local users to crash the dmispd daemon by adding a malformed file to the /var/dmi/db database. 19991222 Solaris 2.7 dmispd local/remote problems sol-dmispd-dos 878 7582 Entry InterScan VirusWall SMTP scanner does not properly scan messages with malformed attachments. 19991227 Trend Micro InterScan VirusWall SMTP bug 899 interscan-viruswall-bypass Entry Netscape 4.7 records user passwords in the preferences.js file during an IMAP or POP session, even if the user has not enabled "remember passwords." 19991222 More Netscape Passwords Available. netscape-password-preferences Entry Outlook Express 5 for Macintosh downloads attachments to HTML mail without prompting the user, aka the "HTML Mail Attachment" vulnerability. MS99-060 Q249082 Entry Majordomo wrapper allows local users to gain privileges by specifying an alternate configuration file. 19991228 majordomo local exploit 20000113 Info on some security holes reported against SCO Unixware. 20000124 majordomo 1.94.5 does not fix all vulnerabilities RHSA-2000:005 903 Entry AltaVista search engine allows remote attackers to read files above the document root via a .. (dot dot) in the query.cgi CGI program. 19991229 AltaVista 19991230 Follow UP AltaVista 19991229 AltaVista followup and monitor script 20000103 FW: Patch issued for AltaVista Search Engine Directory TraversalVulnerability 20000109 Altavista followup 896 15 Entry glFtpD allows local users to gain privileges via metacharacters in the SITE ZIPCHK command. 19991223 Multiple vulnerabilites in glFtpD (current versions) Entry Macintosh systems generate large ICMP datagrams in response to malformed datagrams, allowing them to be used as amplifiers in a flood attack. 19991229 The "Mac DoS Attack," a Scheme for Blocking Internet Connections 890 Entry Buffer overflow in CSM mail server allows remote attackers to cause a denial of service or execute commands via a long HELO command. 19991229 Local / Remote D.o.S Attack in CSM Mail Server for Windows 95/NT v.2000.08.A csm-server-bo 895 Entry Buffer overflow in CamShot WebCam HTTP server allows remote attackers to execute commands via a long GET request. 19991230 Local / Remote GET Buffer Overflow Vulnerability in CamShot WebCam HTTP Server v2.5 for Win9x/NT 905 camshot-http-get-overflow Entry Macros in War FTP 1.70 and 1.67b2 allow local or remote attackers to read arbitrary files or execute commands. 20000105 SECURITY ALERT - WAR FTP DAEMON ALL VERSIONS 919 warftp-macro-access-files Entry MySQL allows local users to modify passwords for arbitrary MySQL users via the GRANT privilege. 20000111 Serious bug in MySQL password handling. 20000113 New MySQL Available mysql-pwd-grant 926 Entry get_it program in Corel Linux Update allows local users to gain root access by specifying an alternate PATH for the cp program. 20000112 Serious Bug in Corel Linux.(Local root exploit) 928 http://linux.corel.com/support/clos_patch1.htm linux-corel-update Entry The Allaire Spectra Webtop allows authenticated users to access other Webtop sections by specifying explicit URLs. ASB00-01 allaire-webtop-access 915 Entry The Allaire Spectra Configuration Wizard allows remote attackers to cause a denial of service by repeatedly resubmitting data collections for indexing via a URL. ASB00-02 916 allaire-spectra-config-dos Entry Red Hat userhelper program in the usermode package allows local users to gain root access via PAM and a .. (dot dot) attack. 20000104 PamSlam RHSA-2000:001 linux-pam-userhelper 913 Entry Microsoft Commercial Internet System (MCIS) IMAP server allows remote attackers to cause a denial of service via a malformed IMAP request. MS00-001 Q246731 912 mcis-malformed-imap Entry IMail IMONITOR status.cgi CGI script allows remote attackers to cause a denial of service with many calls to status.cgi. 20000105 Local / Remote D.o.S Attack in IMail IMONITOR Server for WinNT Version 5.08 914 imail-imonitor-status-dos Entry Cold Fusion CFCACHE tag places temporary cache files within the web document root, allowing remote attackers to obtain sensitive system information. ASB00-03 coldfusion-cfcache 917 Entry Buffer overflow in aVirt Rover POP3 server 1.1 allows remote attackers to cause a denial of service via a long user name. 19991227 Local / Remote Remote DoS Attack in Rover POP3 Server V1.1 NT From aVirt 19991227 Local / Remote Remote DoS Attack in Rover POP3 Server V1.1 NT From aVirt 894 avirt-rover-pop3-dos(3765) Entry The DTML implementation in the Z Object Publishing Environment (Zope) allows remote attackers to conduct unauthorized activities. 20000104 [petrilli@digicool.com: [Zope] SECURITY ALERT] 922 zope-dtml Entry cgiproc CGI script in Nortel Contivity HTTP server allows remote attackers to read arbitrary files by specifying the filename in a parameter to the script. 20000118 Nortel Contivity Vulnerability http-cgi-cgiproc-file-read 938 Entry cgiproc CGI script in Nortel Contivity HTTP server allows remote attackers to cause a denial of service via a malformed URL that includes shell metacharacters. 20000118 Nortel Contivity Vulnerability 938 http-cgi-cgiproc-dos 7583 Entry Buffer overflow in InetServ 3.0 allows remote attackers to execute commands via a long GET request. 20000117 Remote Buffer Exploit - InetServ 3.0 inetserv-get-bo Entry NtImpersonateClientOfPort local procedure call in Windows NT 4.0 allows local users to gain privileges, aka "Spoofed LPC Port Request." 20000113 Local Promotion Vulnerability in Windows NT 4 MS00-003 Q247869 nt-spoofed-lpc-port 934 Entry Visual Casel (Vcasel) does not properly prevent users from executing files, which allows local users to use a relative pathname to specify an alternate file which has an approved name and possibly gain privileges. 20000118 Warning: VCasel security hole. 937 vcasel-filename-trusting(3867) Entry Buffer overflow in Microsoft Rich Text Format (RTF) reader allows attackers to cause a denial of service via a malformed control word. MS00-005 Q249973 win-malformed-rtf-control-word Entry Super Mail Transfer Package (SMTP), later called MsgCore, has a memory leak which allows remote attackers to cause a denial of service by repeating multiple HELO, MAIL FROM, RCPT TO, and DATA commands in the same session. 20000113 Local / Remote D.o.S Attack in Super Mail Transfer Package (SMTP) Server for WinNT Version 1.9x 20000113 Local / Remote D.o.S Attack in Super Mail Transfer Package (SMTP) Server for WinNT Version 1.9x 930 supermail-memleak-dos Entry nviboot boot script in the Debian nvi package allows local users to delete files via malformed entries in vi.recover. 19991230 vibackup.sh 20000108 nvi-delete-files 1439 Entry AIX techlibss allows local users to overwrite files via a symlink attack. 20000110 2nd attempt: AIX techlibss follows links 931 aix-techlibss-symbolic-link Entry HP asecure creates the Audio Security File audio.sec with insecure permissions, which allows local users to cause a denial of service or gain additional privileges. HPSBUX0001-109 hp-audio-security-perms Entry Netscape Mail Notification (nsnotify) utility in Netscape Communicator uses IMAP without SSL, even if the user has set a preference for Communicator to use an SSL connection, allowing a remote attacker to sniff usernames and passwords in plaintext. 20000113 Misleading sense of security in Netscape netscape-mail-notify-plaintext(4385) Entry Buffer overflow in the conversion utilities for Japanese, Korean and Chinese Word 5 documents allows an attacker to execute commands, aka the "Malformed Conversion Data" vulnerability. MS00-002 office-malformed-convert 946 Entry The rdisk utility in Microsoft Terminal Server Edition and Windows NT 4.0 stores registry hive information in a temporary file with permissions that allow local users to read it, aka the "RDISK Registry Enumeration File" vulnerability. 20000121 RDISK registry enumeration file vulnerability in Windows NT 4.0 Terminal Server Edition 20000122 RDISK registry enumeration file vulnerability in Windows NT 4.0 Terminal Server Edition MS00-004 Q249108 947 nt-rdisk-enum-file Entry VMWare 1.1.2 allows local users to cause a denial of service via a symlink attack. 20000124 VMware 1.1.2 Symlink Vulnerability linux-vmware-symlink 943 1205 Entry Buffer overflow in vchkpw/vpopmail POP authentication package allows remote attackers to gain root privileges via a long username or password. 20000122 remote root qmail-pop with vpopmail advisory and exploit with patch 20000123 Re: vpopmail/vchkpw remote root exploit 942 http://www.inter7.com/vpopmail/ChangeLog http://www.inter7.com/vpopmail/ Entry The BSD make program allows local users to modify files via a symlink attack when the -j option is being used. FreeBSD-SA-00:01 939 gnu-makefile-tmp-root Entry procfs in BSD systems allows local users to gain root privileges by modifying the /proc/pid/mem interface via a modified file descriptor for stderr. 20000121 *BSD procfs vulnerability FreeBSD-SA-00:02 NetBSD-SA2000-001 20000120 [2.6] 018: SECURITY FIX: Jan 20, 2000 940 20760 netbsd-procfs(3995) Entry The PMTU discovery procedure used by HP-UX 10.30 and 11.00 for determining the optimum MTU generates large amounts of traffic in response to small packets, allowing remote attackers to cause the system to be used as a packet amplifier. HPSBUX0001-110 944 Entry The WebHits ISAPI filter in Microsoft Index Server allows remote attackers to read arbitrary files, aka the "Malformed Hit-Highlighting Argument" vulnerability. 20000127 Alert: MS IIS 4 / IS 2 (Cerberus Security Advisory CISADV000126) MS00-006 950 http-indexserver-dirtrans 1210 Entry Microsoft Index Server allows remote attackers to determine the real path for a web directory via a request to an Internet Data Query file that does not exist. MS00-006 Entry Buffer overflow in UnixWare ppptalk command allows local users to gain privileges via a long prompt argument. 20000119 Unixware ppptalk Entry The SMS Remote Control program is installed with insecure permissions, which allows local users to gain privileges by modifying or replacing the program. 20000115 Security Vulnerability with SMS 2.0 Remote Control MS00-012 Entry Linux apcd program allows local attackers to modify arbitrary files via a symlink attack. 20000201 958 Entry The RightFax web client uses predictable session numbers, which allows remote attackers to hijack user sessions. 20000129 [LoWNOISE] Rightfax web client 5.2 953 avt-rightfax-predict-session Entry The default installation of Debian GNU/Linux uses an insecure Master Boot Record (MBR) which allows a local user to boot from a floppy disk during the installation. 20000202 vulnerability in Linux Debian default boot configuration 960 debian-mbr-bypass-security Entry The SyGate Remote Management program does not properly restrict access to its administration service, which allows remote attackers to cause a denial of service, or access network traffic statistics. 20000128 SyGate 3.11 Port 7323 / Remote Admin hole 20000202 SV: SyGate 3.11 Port 7323 / Remote Admin hole 20000203 UPDATE: Sygate 3.11 Port 7323 Telnet Hole http://www.sybergen.com/support/fix.htm 952 Entry Firewall-1 does not properly filter script tags, which allows remote attackers to bypass the "Strip Script Tags" restriction by including an extra < in front of the SCRIPT tag. 20000129 "Strip Script Tags" in FW-1 can be circumvented 20000129 "Strip Script Tags" in FW-1 can be circumvented 954 http-script-bypass 1212 Entry The siteUserMod.cgi program in Cobalt RaQ2 servers allows any Site Administrator to modify passwords for other users, site administrators, and possibly admin (root). 20000127 Cobalt RaQ2 - a user of mine changed my admin password.. 20000131 [ Cobalt ] Security Advisory -- 01.31.2000 http-cgi-cobalt-passwords 951 Entry The Remote Access Service invoke.cfm template in Allaire Spectra 1.0 allows users to bypass authentication via the bAuthenticated parameter. ASB00-04 955 allaire-spectra-ras-access(4025) Entry The Recycle Bin utility in Windows NT and Windows 2000 allows local users to read or modify files by creating a subdirectory with the victim's SID in the recycler directory, aka the "Recycle Bin Creation" vulnerability. 20000201 "Recycle Bin Creation" Vulnerability in Windows NT / Windows 2000 MS00-007 Q248399 963 Entry The Webspeed configuration program does not properly disable access to the WSMadmin utility, which allows remote attackers to gain privileges via wsisa.dll. 20000203 Webspeed security issue http://www.progress.com/services/support/cgi-bin/techweb-kbase.cgi/webkb.html?kbid=19412&keywords=security%20Webspeed 969 webspeed-adminutil-auth Entry The Finger Server 0.82 allows remote attackers to execute commands via shell metacharacters. 20000204 "The Finger Server" http://www.glazed.org/finger/changelog.txt finger-server-input 7610 Entry Buffer overflow in SCO scohelp program allows remote attackers to execute commands. 20000127 New SCO patches... SB-00.02a sco-help-bo Entry Buffer overflow in War FTPd 1.6x allows users to cause a denial of service via long MKD and CWD commands. 20000201 war-ftpd 1.6x DoS 966 4677 Entry Internet Anywhere POP3 Mail Server allows local users to cause a denial of service via a malformed RETR command. 20000210 remote DoS on Internet Anywhere Mail Server Ver.3.1.3 982 Entry Internet Anywhere POP3 Mail Server allows remote attackers to cause a denial of service via a large number of connections. 20000210 remote DoS on Internet Anywhere Mail Server Ver.3.1.3 20000210 remote DoS on Internet Anywhere Mail Server Ver.3.1.3 980 Entry Infopop Ultimate Bulletin Board (UBB) allows remote attackers to execute commands via shell metacharacters in the topic hidden field. 20000211 perl-cgi hole in UltimateBB by Infopop Corp. 20000225 FW: Important UBB News For Licensed Users 991 http://www.ultimatebb.com/home/versions.shtml http-cgi-ultimatebb Entry Axis 700 Network Scanner does not properly restrict access to administrator URLs, which allows users to bypass the password protection via a .. (dot dot) attack. 20000207 Infosec.20000207.axis700.a 971 Entry The libguile.so library file used by gnucash in Debian GNU/Linux is installed with world-writable permissions. 20000205 Debian (frozen): Perms on /usr/lib/libguile.so.6.0.0 Entry The Java Server in the Novell GroupWise Web Access Enhancement Pack allows remote attackers to cause a denial of service via a long URL to the servlet. 20000207 Novell GroupWise 5.5 Enhancement Pack Web Access Denial of Servic e 972 novell-groupwise-url-dos Entry MySQL 3.22 allows remote attackers to bypass password authentication and access a database via a short check string. 20000208 Remote access vulnerability in all MySQL server versions 20000214 MySQL 3.22.32 released 975 Entry Zeus web server allows remote attackers to view the source code for CGI programs via a null character (%00) at the end of a URL. 20000209 [SAFER 000209.EXP.1.2] Zeus Web Server - obtaining source of CGI scripts 20000208 Zeus Web Server: Null Terminated Strings 977 254 zeus-server-null-string(3982) Entry Check Point Firewall-1 allows remote attackers to bypass port access restrictions on an FTP server by forcing it to send malicious packets that Firewall-1 misinterprets as a valid 227 response to a client's PASV attempt. 20000209 FireWall-1 FTP Server Vulnerability 20000212 Re: FireWall-1 FTP Server Vulnerability 20000210 Multiple firewalls: FTP Application Level Gateway "PASV" Vulnerability VU#328867 979 4417 Entry Remote attackers can cause a denial of service in Novell BorderManager 3.5 by pressing the enter key in a telnet connection to port 2000. 20000209 Novell BorderManager 3.5 Remote Slow Death 20000211 BorderManager csatpxy.nlm fix avalable. 976 7468 Entry Internet Explorer 4.x and 5.x allows remote web servers to access files on the client that are outside of its security domain, aka the "Image Source Redirect" vulnerability. MS00-009 7827 ie-image-source-redirect(3996) Entry NetBSD ptrace call on VAX allows local users to gain privileges by modifying the PSL contents in the debugging process. 1999-012 992 netbsd-ptrace Entry HP Ignite-UX does not save /etc/passwd when it creates an image of a trusted system, which can set the password field to a blank and allow an attacker to gain privileges. HPSBUX0002-111 Entry Sample web sites on Microsoft Site Server 3.0 Commerce Edition do not validate an identification number, which allows remote attackers to execute SQL commands. MS00-010 994 Entry The Microsoft virtual machine (VM) in Internet Explorer 4.x and 5.x allows a remote attacker to read files via a malicious Java applet that escapes the Java sandbox, aka the "VM File Reading" vulnerability. MS00-011 Entry The installation of Sun Internet Mail Server (SIMS) creates a world-readable file that allows local users to obtain passwords. 20000220 Sun Internet Mail Server 4316521 1004 sims-temp-world-readable Entry The Delegate application proxy has several buffer overflows which allow a remote attacker to execute commands. 20000210 Re: application proxies? FreeBSD-SA-00:04 K-023 delegate-proxy-bo Entry Buffer overflow in the InterAccess telnet server TelnetD allows remote attackers to execute commands via a long login name. 20000221 Local / Remote Exploiteable Buffer Overflow Vulnerability in InterAccess TelnetD Server 4.0 for Windows NT 20000223 Pragma Systems response to USSRLabs report 995 interaccess-telnet-login-bo Entry Microsoft Windows 9x operating systems allow an attacker to cause a denial of service via a pathname that includes file device names, aka the "DOS Device in Path Name" vulnerability. 20000306 con\con is a old thing (anyway is cool) MS00-017 1043 win-dos-devicename-dos Entry Batch files in the Oracle web listener ows-bin directory allow remote attackers to execute commands via a malformed URL that includes '?&'. 20000314 Oracle Web Listener 4.0.x 1053 oracle-weblistener-remote-attack Entry Buffer overflow in the man program in Linux allows local users to gain privileges via the MANPAGER environmental variable. 20000226 man bugs might lead to root compromise (RH 6.1 and other boxes) 1011 Entry atsadc in the atsar package for Linux does not properly check the permissions of an output file, which allows local users to gain root privileges. 20000311 TESO advisory -- atsadc atsar-root-access 1048 Entry The mtr program only uses a seteuid call when attempting to drop privileges, which could allow local users to gain root privileges. 20000303 Potential security problem with mtr 20000309 mtr FreeBSD-SA-00:09 20000308 [TL-Security-Announce] mtr-0.41 and earlier TLSA2000003-1 (fwd) 1038 Entry StarOffice StarScheduler web server allows remote attackers to read arbitrary files via a .. (dot dot) attack. 20000308 [SAFER 000309.EXP.1.4] StarScheduler (StarOffice) vulnerabilities 1040 staroffice-scheduler-fileread Entry Buffer overflow in StarOffice StarScheduler web server allows remote attackers to gain root access via a long GET command. 20000308 [SAFER 000309.EXP.1.4] StarScheduler (StarOffice) vulnerabilities staroffice-scheduler-bo 1039 Entry ServerIron switches by Foundry Networks have predictable TCP/IP sequence numbers, which allows remote attackers to spoof or hijack sessions. 20000227 Advisory: Foundry Networks ServerIron TCP/IP sequence predictability http://www.foundrynet.com/bugTraq.html 1017 Entry HP OpenView OmniBack 2.55 allows remote attackers to cause a denial of service via a large number of connections to port 5555. 20000228 HP Omniback remote DoS HPSBUX0006-115 1015 omniback-connection-dos Entry Sojourn search engine allows remote attackers to read arbitrary files via a .. (dot dot) attack. 20000313 SOJOURN Search engine exposes files 1052 sojourn-file-read(4197) Entry Firewall-1 3.0 and 4.0 leaks packets with private IP address information, which could allow remote attackers to determine the real IP address of the host that is making the connection. 20000311 Our old friend Firewall-1 1054 1256 Entry iPlanet Web Server 4.1 allows remote attackers to cause a denial of service via a large number of GET commands, which consumes memory and causes a kernel panic. 20000223 DoS for the iPlanet Web Server, Enterprise Edition 4.1 Entry Buffer overflow in ircII 4.4 IRC client allows remote attackers to execute commands via the DCC chat capability. 20000310 Fwd: ircii-4.4 buffer overflow FreeBSD-SA-00:11 RHSA-2000:008 1046 Entry Linux printtool sets the permissions of printer configuration files to be world-readable, which allows local attackers to obtain printer share passwords. 20000309 1037 Entry RealMedia RealServer reveals the real IP address of a Real Server, even if the address is supposed to be private. 20000308 RealServer exposes internal IP addresses 1049 Entry Buffer overflow in the dump utility in the Linux ext2fs backup package allows local users to gain privileges via a long command line argument. 20000228 [ Hackerslab bug_paper ] Linux dump buffer overflow TLSA200007-1 RHSA-2000:100 1020 Entry ColdFusion Server 4.x allows remote attackers to determine the real pathname of the server via an HTTP request to the application.cfm or onrequestend.cfm files. 20000301 ColdFusions application.cfm shows full path 20000305 ColdFusion Bug: Application.cfm shows full path 1021 Entry Axis StorPoint CD allows remote attackers to access administrator URLs without authentication via a .. (dot dot) attack. 20000229 Infosec.20000229.axisstorpointcd.a axis-storpoint-auth 1025 19 Entry The default installation of Caldera OpenLinux 2.3 includes the CGI program rpm_query, which allows remote attackers to determine what packages are installed on the system. 20000304 OpenLinux 2.3: rpm_query 1036 Entry The default configuration of Dosemu in Corel Linux 1.0 allows local users to execute the system.com program and gain privileges. 20000302 Corel Linux 1.0 dosemu default configuration: Local root vuln 1030 linux-dosemu-config Entry buildxconf in Corel Linux allows local users to modify or create arbitrary files via the -x or -f parameters. 20000224 Corel Linux 1.0 local root compromise 1007 Entry setxconf in Corel Linux allows local users to gain root access via the -T parameter, which executes the user's .xserverrc file. 20000224 Corel Linux 1.0 local root compromise 1008 corel-linux-setxconf-root Entry Buffer overflow in mhshow in the Linux nmh package allows remote attackers to execute commands via malformed MIME headers in an email message. 20000229 RHSA-2000:006 1018 Entry Buffer overflow in Microsoft Clip Art Gallery allows remote attackers to cause a denial of service or execute commands via a malformed CIL (clip art library) file, aka the "Clip Art Buffer Overrun" vulnerability. MS00-015 1034 Entry The window.showHelp() method in Internet Explorer 5.x does not restrict HTML help files (.chm) to be executed from the local host, which allows remote attackers to execute arbitrary commands via Microsoft Networking. 20000301 IE 5.x allows executing arbitrary programs using .chm files 1033 Entry Microsoft SQL Server 7.0 and Microsoft Data Engine (MSDE) 1.0 allow remote attackers to gain privileges via a malformed Select statement in an SQL query. MS00-014 1041 Entry The installation of Oracle 8.1.5.x on Linux follows symlinks and creates the orainstRoot.sh file with world-writeable permissions, which allows local users to gain privileges. 20000305 Oracle installer problem 1035 Entry SGI InfoSearch CGI program infosrch.cgi allows remote attackers to execute commands via shell metacharacters. 20000301 infosrch.cgi vulnerability (IRIX 6.5) 20000501-01-P irix-infosrch-fname 1031 Entry The htdig (ht://Dig) CGI program htsearch allows remote attackers to read arbitrary files by enclosing the file name with backticks (`) in parameters to htsearch. 20000228 ht://Dig remote information exposure FreeBSD-SA-00:06 20000227 TLSA200005-1 1026 Entry Buffer overflow in Lynx 2.x allows remote attackers to crash Lynx and possibly execute commands via a long URL in a malicious web page. 20000227 lynx - someone is deaf and blind ;) FreeBSD-SA-00:08 1012 Entry The lit program in Sun Flex License Manager (FlexLM) follows symlinks, which allows local users to modify arbitrary files. 20000221 flex license manager tempfile predictable name... 998 Entry The Windows Media server allows remote attackers to cause a denial of service via a series of client handshake packets that are sent in an improper sequence, aka the "Misordered Windows Media Services Handshake" vulnerability. MS00-013 win-media-dos 1000 Entry InterAccess TelnetID Server 4.0 allows remote attackers to conduct a denial of service via malformed terminal client configuration information. 20000224 Local / Remote D.o.S Attack in InterAccess TelnetD Server Release 4.0 *ALL BUILDS* for WinNT Vulnerability 1001 interaccess-telnet-dos(4033) Entry Vulnerability in SCO cu program in UnixWare 7.x allows local users to gain privileges. SB-00.05 1019 Entry The default configuration of SSH allows X forwarding, which could allow a remote attacker to control a client's X sessions via a malicious xauth program. 20000224 SSH & xauth 1006 Entry Buffer overflow in Linux mount and umount allows local users to gain root privileges via a long relative pathname. 20000210 util < 2.10f CSSA-2000-002.0 6980 7004 Entry The Nautica Marlin bridge allows remote attackers to cause a denial of service via a zero length UDP packet to the SNMP port. 20000225 Scorpion Marlin 1009 Entry The installation for Windows 2000 does not activate the Administrator password until the system has rebooted, which allows remote attackers to connect to the ADMIN$ share without a password until the reboot occurs. 20000215 Windows 2000 installation process weakness 990 Entry Buffer overflow in the wmcdplay CD player program for the WindowMaker desktop allows local users to gain root privileges via a long parameter. 20000311 TESO advisory -- wmcdplay 1047 Entry ARCserve agent in SCO UnixWare 7.x allows local attackers to gain root privileges via a symlink attack. 20000215 ARCserve symlink vulnerability SSE063 sco-openserver-arc-symlink Entry The Pocsag POC32 program does not properly prevent remote users from accessing its server port, even if the option has been disabled. 20000303 Pocsag remote access to client can't be disabled. 1032 telnet-pocsag 259 Entry IIS 4.0 allows attackers to cause a denial of service by requesting a large buffer in a POST or PUT command which consumes memory, aka the "Chunked Transfer Encoding Buffer Overflow Vulnerability." MS00-018 1066 iis-chunked-encoding-dos Entry Microsoft Windows Media License Manager allows remote attackers to cause a denial of service by sending a malformed request that causes the manager to halt, aka the "Malformed Media License Request" Vulnerability. MS00-016 1058 mwmt-malformed-media-license Entry gpm-root in the gpm package does not properly drop privileges, which allows local users to gain privileges by starting a utility from gpm-root. 20000322 gpm-root 20000405 Security hole in gpm < 1.18.1 RHSA-2000:009 RHSA-2000:045 1069 linux-gpm-root Entry Buffer overflow in imwheel allows local users to gain root privileges via the imwheel-solo script and a long HOME environmental variable. 20000316 TESO & C-Skills development advisory -- imwheel RHSA-2000:016 linux-imwheel-bo 1060 Entry Linux kreatecd trusts a user-supplied path that is used to find the cdrecord program, allowing local users to gain root privileges. 20000316 "TESO & C-Skills development advisory -- kreatecd" at: 20000405 Security hole in kreatecd < 0.3.8b linux-kreatecd-path 1061 Entry Microsoft TCP/IP Printing Services, aka Print Services for Unix, allows an attacker to cause a denial of service via a malformed TCP/IP print request. MS00-021 20000330 Remote DoS Attack in Windows 2000/NT 4.0 TCP/IP Print Request Server Vulnerability 1082 win-tcpip-printing-dos Entry SuSE Linux IMAP server allows remote attackers to bypass IMAP authentication and gain privileges. 20000327 Security hole in SuSE Linux IMAP Server linux-imap-remote-unauthorized-access Entry The default configuration of Cobalt RaQ2 and RaQ3 as specified in access.conf allows remote attackers to view sensitive contents of a .htaccess file. 20000330 Cobalt apache configuration exposes .htaccess http://www.securityfocus.com/templates/advisory.html?id=2150 1083 cobalt-raq-remote-access Entry Buffer overflow in the huh program in the orville-write package allows local users to gain root privileges. FreeBSD-SA-00:10 1070 freebsd-orvillewrite-bo 1263 Entry Netscape Enterprise Server with Directory Indexing enabled allows remote attackers to list server directories via web publishing tags such as ?wp-ver-info and ?wp-cs-dump. 20000317 [SAFER 000317.EXP.1.5] Netscape Enterprise Server and '?wp' tags 1063 netscape-server-directory-indexing Entry Netscape Enterprise Server with Web Publishing enabled allows remote attackers to list arbitrary directories via a GET request for the /publisher directory, which provides a Java applet that allows the attacker to browse the directories. http://zsh.stupidphat.com/advisory.cgi?000311-1 1075 netscape-webpublisher-invalid-access Entry Buffer overflow in the web server for Norton AntiVirus for Internet Email Gateways allows remote attackers to cause a denial of service via a long URL. 20000317 DoS with NAVIEG nav-email-gateway-dos 1064 Entry vqSoft vqServer program allows remote attackers to read arbitrary files via a /........../ in the URL, a variation of a .. (dot dot) attack. 20000321 vqserver /........../ http://www.vqsoft.com/vq/server/faqs/dotdotbug.html vqserver-dir-traverse 1067 270 Entry AnalogX SimpleServer:WWW HTTP server 1.03 allows remote attackers to cause a denial of service via a short GET request to cgi-bin. 20000324 AnalogX SimpleServer 1.03 Remote Crash" at: http://www.analogx.com/contents/download/network/sswww.htm simpleserver-exception-dos(4189) 1076 1265 Entry Vulnerability in SGI IRIX objectserver daemon allows remote attackers to create user accounts. 20000328 Objectserver vulnerability 20000303-01-PX K-030 1079 1267 irix-objectserver-create-accounts(4206) Entry IIS 4.0 and 5.0 does not properly perform ISAPI extension processing if a virtual directory is mapped to a UNC share, which allows remote attackers to read the source code of ASP and other files, aka the "Virtualized UNC Share" vulnerability. MS00-019 Q249599 1081 iis-virtual-unc-share Entry Unknown vulnerability in Generic-NQS (GNQS) allows local users to gain root privileges. 20000322 Local root compromise in GNQS 3.50.6 and 3.50.7 http://ftp.gnqs.org/pub/gnqs/source/by-version-number/v3.50/Generic-NQS-3.50.8-ChangeLog.txt FreeBSD-SA-00:13 1842 generic-nqs-local-root(4306) Entry The AIX Fast Response Cache Accelerator (FRCA) allows local users to modify arbitrary files via the configuration capability in the frcactrl program. 20000426 Insecure file handling in IBM AIX frcactrl program ERS-OAR-E01-2000:075.1 aix-frcactrl 1152 Entry HP-UX 11.04 VirtualVault (VVOS) sends data to unprivileged processes via an interface that has multiple aliased IP addresses. HPSBUX0004-112 1090 hp-virtual-vault Entry The dansie shopping cart application cart.pl allows remote attackers to execute commands via a shell metacharacters in a form variable. 20000411 Back Door in Commercial Shopping Cart 1115 dansie-shell-metacharacters Entry The dansie shopping cart application cart.pl allows remote attackers to modify sensitive purchase information via hidden form fields. 20000411 Re: Back Door in Commercial Shopping Cart 1115 shopping-cart-form-tampering Entry The dansie shopping cart application cart.pl allows remote attackers to obtain the shopping cart database and configuration information via a URL that references either the env, db, or vars form variables. 20000411 Re: Back Door in Commercial Shopping Cart 1115 dansie-form-variables Entry The Nbase-Xyplex EdgeBlaster router allows remote attackers to cause a denial of service via a scan for the FormMail CGI program. 20000405 SilverBack Security Advisory: Nbase-Xyplex DoS 1091 nbase-xyplex-router Entry Buffer overflow in the NetWare remote web administration utility allows remote attackers to cause a denial of service or execute commands via a long URL. 20000418 Novell Netware 5.1 (server 5.00h, Dec 11, 1999)... 1118 netware-remote-admin-overflow Entry IIS 4.0 and 5.0 allows remote attackers to cause a denial of service by sending many URLs with a large number of escaped characters, aka the "Myriad Escaped Characters" Vulnerability. MS00-023 1101 Entry Buffer overflow in the dvwssr.dll DLL in Microsoft Visual Interdev 1.0 allows users to cause a denial of service or execute commands, aka the "Link View Server-Side Component" vulnerability. MS00-025 1109 282 Entry The AVM KEN! web server allows remote attackers to read arbitrary files via a .. (dot dot) attack. 20000415 (no subject) 20000418 AVM's Statement ken-download-files 1103 1282 Entry The AVM KEN! ISDN Proxy server allows remote attackers to cause a denial of service via a malformed request. 20000415 (no subject) 20000418 AVM's Statement 1103 ken-dos Entry The X font server xfs in Red Hat Linux 6.x allows an attacker to cause a denial of service via a malformed request. 20000416 xfs redhat-fontserver-dos 1111 Entry Panda Security 3.0 with registry editing disabled allows users to edit the registry and gain privileges by directly executing a .reg file or using other methods. 20000417 bugs in Panda Security 3.0 http://updates.pandasoftware.com/docs/us/Avoidvulnerability.zip panda-admin-privileges 1119 Entry Panda Security 3.0 allows users to uninstall the Panda software via its Add/Remove Programs applet. 20000417 bugs in Panda Security 3.0 http://updates.pandasoftware.com/docs/us/Avoidvulnerability.zip 1119 panda-uninstall-program Entry Cisco Catalyst 5.4.x allows a user to gain access to the "enable" mode without a password. 20000419 Cisco Catalyst Enable Password Bypass Vulnerability cisco-catalyst-password-bypass 1122 1288 Entry Cisco IOS 11.x and 12.x allows remote attackers to cause a denial of service by sending the ENVIRON option to the Telnet daemon before it is ready to accept it, which causes the system to reboot. 20000420 Cisco IOS Software TELNET Option Handling Vulnerability 1123 cisco-ios-option-handling 1289 Entry RealNetworks RealServer allows remote attackers to cause a denial of service by sending malformed input to the server at port 7070. 20000420 Remote DoS attack in Real Networks Real Server Vulnerability http://service.real.com/help/faq/servg270.html realserver-remote-dos 1128 Entry PCAnywhere allows remote attackers to cause a denial of service by terminating the connection before PCAnywhere provides a login prompt. 20000409 A funny way to DOS pcANYWHERE8.0 and 9.0 1095 pcanywhere-login-dos Entry The Linux trustees kernel patch allows attackers to cause a denial of service by accessing a file or directory with a long name. 20000410 linux trustees 1.5 long path name vulnerability http://www.braysystems.com/linux/trustees.html linux-trustees-patch-dos 1096 Entry BeOS 4.5 and 5.0 allow local users to cause a denial of service via malformed direct system calls using interrupt 37. 20000410 BeOS syscall bug 1098 beos-syscall-dos Entry Microsoft Excel 97 and 2000 does not warn the user when executing Excel Macro Language (XLM) macros in external text files, which could allow an attacker to execute a macro virus, aka the "XLM Text Macro" vulnerability. MS00-022 1087 1272 Entry The SalesLogix Eviewer allows remote attackers to cause a denial of service by accessing the URL for the slxweb.dll administration program, which does not authenticate the user. 20000331 SalesLogix Eviewer Web App Bug: URL request crashes eviewer web application 1089 eviewer-admin-request-dos Entry BeOS allows remote attackers to cause a denial of service via malformed packets whose length field is less than the length of the headers. 20000407 BeOS Networking DOS http://bebugs.be.com/devbugs/detail.php3?oid=2505312 1100 beos-networking-dos Entry TalentSoft webpsvr daemon in the Web+ shopping cart application allows remote attackers to read arbitrary files via a .. (dot dot) attack on the webplus CGI program. 20000412 TalentSoft Web+ Input Validation Bug Vulnerability ftp://ftp.talentsoft.com/Download/Webplus/Unix/Patches/Webplus46p%20Read%20me.html 1102 talentsoft-web-input Entry The default installation of IRIX Performance Copilot allows remote attackers to access sensitive system information via the pmcd daemon. 20000412 Performance Copilot for IRIX 6.5 1106 irix-pmcd-info Entry Buffer overflow in XFree86 3.3.x allows local users to execute arbitrary commands via a long -xkbmap parameter. 20000416 XFree86 server overflow 1306 xfree86-xkbmap-parameter-bo Entry The BizDB CGI script bizdb-search.cgi allows remote attackers to execute arbitrary commands via shell metacharacters in the dbname parameter. 20000412 BizDB Search Script Enables Shell Command Execution at the Server 1104 http-cgi-bizdb Entry IP masquerading in Linux 2.2.x allows remote attackers to route UDP packets through the internal interface by modifying the external source IP address and port number to match those of an established connection. 20000327 Security Problems with Linux 2.2.x IP Masquerading 20000520 Security hole in kernel < 2.2.15 1078 linux-masquerading-dos Entry Buffer overflow in Webstar HTTP server allows remote attackers to cause a denial of service via a long GET request. 20000331 Webstar 4.0 Buffer overflow vulnerability macos-webstar-get-bo(4792) 1822 Entry The Adtran MX2800 M13 Multiplexer allows remote attackers to cause a denial of service via a ping flood to the Ethernet interface, which causes the device to crash. 20000418 Adtran DoS 1129 adtran-ping-dos Entry Buffer overflow in healthd for FreeBSD allows local users to gain root privileges. FreeBSD-SA-00:12 1107 freebsd-healthd 606 Entry fcheck allows local users to gain privileges by embedding shell metacharacters into file names that are processed by fcheck. 20000331 fcheck v.2.7.45 and insecure use of Perl's system() 1086 fcheck-shell Entry Allaire Forums 2.0.5 allows remote attackers to bypass access restrictions to secure conferences via the rightAccessAllForums or rightModerateAllForums variables. ASB00-06 1085 allaire-forums-allaccess 1270 Entry The unattended installation of Windows 2000 with the OEMPreinstall option sets insecure permissions for the All Users and Default Users directories. 20000407 All Users startup folder left open if unattended install and OEMP reinstall=1 win2k-unattended-install(4278) 1758 Entry Ipswitch IMAIL server 6.02 and earlier allows remote attackers to cause a denial of service via the AUTH CRAM-MD5 command. 20000405 Re: IMAIL (Ipswitch) DoS with Eudora (Qualcomm) http://support.ipswitch.com/kb/IM-20000208-DM02.htm 1094 ipswitch-imail-dos Entry Microsoft Index Server allows remote attackers to view the source code of ASP files by appending a %20 to the filename in the CiWebHitsFile argument to the null.htw URL. 20000331 Alert: MS Index Server (CISADV000330) MS00-006 1084 http-indexserver-asp-source 271 Entry Quake3 Arena allows malicious server operators to read or modify files on a client via a dot dot (..) attack. 20000503 Vulnerability in Quake3Arena Auto-Download Feature http://www.quake3arena.com/news/index.html 1169 quake3-auto-download 7531 Entry Microsoft IIS 4.0 and 5.0 with the IISADMPWD virtual directory installed allows a remote attacker to cause a denial of service via a malformed request to the inetinfo.exe program, aka the "Undelimited .HTR Request" vulnerability. 20000511 Microsoft IIS Remote Denial of Service Attack MS00-031 1191 iis-authchangeurl-dos Entry Windows 95, Windows 98, Windows 2000, Windows NT 4.0, and Terminal Server systems allow a remote attacker to cause a denial of service by sending a large number of identical fragmented IP packets, aka jolt2 or the "IP Fragment Reassembly" vulnerability. 20000519 jolt2 - Remote DoS against NT, W2K, 9x MS00-029 1236 ip-fragment-reassembly-dos Entry Buffer overflow in calserver in SCO OpenServer allows remote attackers to gain root access via a long message. SB-99.02 19981229 Local/remote exploit for SCO UNIX. Entry Vulnerability in xserver in SCO UnixWare 2.1.x and OpenServer 5.05 and earlier allows an attacker to cause a denial of service which prevents access to reserved port numbers below 1024. SB-99.07 Entry Insecure file permissions for Netscape FastTrack Server 2.x, Enterprise Server 2.0, and Proxy Server 2.5 in SCO UnixWare 7.0.x and 2.1.3 allow an attacker to gain root privileges. SB-99.08 Entry The i386 trace-trap handling in OpenBSD 2.4 with DDB enabled allows a local user to cause a denial of service. 19990212 i386 trace-trap handling when DDB was configured could cause a system crash. 6126 Entry IP fragment assembly in OpenBSD 2.4 allows a remote attacker to cause a denial of service by sending a large number of fragmented packets. 19990217 IP fragment assembly can bog the machine excessively and cause problems. 7539 Entry The Windows 2000 domain controller allows a malicious user to modify Active Directory information by modifying an unprotected attribute, aka the "Mixed Object Access" vulnerability. MS00-026 ms-mixed-object 1145 Entry Vulnerability in OpenBSD 2.6 allows a local user to change interface media configurations. 19991109 Any user can change interface media configurations. 7540 Entry traceroute in NetBSD 1.3.3 and Linux systems allows local users to flood other systems by providing traceroute with a large waittime (-w) option, which is not parsed properly and sets the time delay for sending packets to zero. 19990213 traceroute as a flooder NetBSD-SA1999-004 7574 Entry traceroute in NetBSD 1.3.3 and Linux systems allows local unprivileged users to modify the source address of the packets, which could be used in spoofing attacks. 19990213 traceroute as a flooder NetBSD-SA1999-004 7575 Entry Buffer overflow in Solaris 7 lp allows local users to gain root privileges via a long -d option. 20000424 Solaris 7 x86 lp exploit 4314312 1143 solaris-lp-bo Entry Atrium Mercur Mail Server 3.2 allows local attackers to read other user's email and create arbitrary files via a dot dot (..) attack. 20000413 Security problems with Atrium Mercur Mailserver 3.20 1144 mercur-remote-dot-attack Entry mail.local in Sendmail 8.10.x does not properly identify the .\n string which identifies the end of message text, which allows a remote attacker to cause a denial of service or corrupt mailboxes via a message line that is 2047 characters long and ends in .\n. 20000424 unsafe fgets() in sendmail's mail.local sendmail-maillocal-dos 1146 Entry Qpopper 2.53 and 3.0 does not properly identify the \n string which identifies the end of message text, which allows a remote attacker to cause a denial of service or corrupt mailboxes via a message line that is 1023 characters long and ends in \n. 20000421 unsafe fgets() in qpopper 1133 qpopper-fgets-spoofing Entry The passwd.php3 CGI script in the Red Hat Piranha Virtual Server Package allows local users to execure arbitrary commands via shell metacharacters. 20000424 piranha default password/exploit RHSA-2000:014 1149 piranha-passwd-execute Entry The Microsoft Jet database engine allows an attacker to modify text files via a database query, aka the "Text I-ISAM" vulnerability. 19990728 Alert : MS Office 97 Vulnerability MS99-030 jet-text-isam 595 Entry pcAnywhere 8.x and 9.0 allows remote attackers to cause a denial of service via a TCP SYN scan, e.g. by nmap. 20000425 Denial of Service Against pcAnywhere. 20010211 Symantec pcAnywhere 9.0 DoS / Buffer Overflow 20010212 Re: Symantec pcAnywhere 9.0 DoS / Buffer Overflow 1150 pcanywhere-tcpsyn-dos(4347) 1301 Entry Microsoft Virtual Machine (VM) allows remote attackers to escape the Java sandbox and execute commands via an applet containing an illegal cast operation, aka the "Virtual Machine Verifier" vulnerability. 19991014 Another Microsoft Java Flaw Disovered MS99-045 msvm-verifier-java Entry Windows NT 4.0 generates predictable random TCP initial sequence numbers (ISN), which allows remote attackers to perform spoofing and session hijacking. 19990824 NT Predictable Initial TCP Sequence numbers - changes observed with SP4 MS99-046 604 nt-sequence-prediction-sp4 tcp-seq-predict Entry A Microsoft ActiveX control allows a remote attacker to execute a malicious cabinet file via an attachment and an embedded script in an HTML mail, aka the "Active Setup Control" vulnerability. MS99-048 ie-active-setup-control Entry The networking software in Windows 95 and Windows 98 allows remote attackers to execute commands via a long file name string, aka the "File Access URL" vulnerability. MS99-049 win-fileurl-overflow Entry Buffer overflow in Microsoft command processor (CMD.EXE) for Windows NT and Windows 2000 allows a local user to cause a denial of service via a long environment variable, aka the "Malformed Environment Variable" vulnerability. 20000421 CMD.EXE overflow (CISADV000420) MS00-027 1135 nt-cmd-overflow Entry UltraBoard.pl or UltraBoard.cgi CGI scripts in UltraBoard 1.6 allows remote attackers to read arbitrary files via a pathname string that includes a dot dot (..) and ends with a null byte. 20000502 Fun with UltraBoard V1.6X 1164 ultraboard-printabletopic-fileread 1309 4065 Entry The Allaire Spectra container editor preview tool does not properly enforce object security, which allows an attacker to conduct unauthorized activities via an object-method that is added to the container object with a publishing rule. ASB00-10 1181 allaire-spectra-container-editor-preview Entry The resolver in glibc 2.1.3 uses predictable IDs, which allows a local attacker to spoof DNS query results. 20000502 glibc resolver weakness 1166 glibc-resolver-id-predictable Entry Linux OpenLDAP server allows local users to modify arbitrary files via a symlink attack. RHSA-2000:012 CSSA-2000-009.0 TLSA2000010-1 1232 openldap-symlink-attack Entry Buffer overflow in Xsun X server in Solaris 7 allows local users to gain root privileges via a long -dev parameter. 20000424 Solaris x86 Xsun overflow. 4335411 solaris-xsun-bo 1140 Entry Concurrent Versions Software (CVS) uses predictable temporary file names for locking, which allows local users to cause a denial of service by creating the lock directory before it is created for use by a legitimate CVS user. 20000423 CVS DoS 1136 cvs-tempfile-dos Entry ZoneAlarm 2.1.10 and earlier does not filter UDP packets with a source port of 67, which allows remote attackers to bypass the firewall rules. 20000420 ZoneAlarm 1137 zonealarm-portscan 1294 Entry Buffer overflow in Gnomelib in SuSE Linux 6.3 allows local users to execute arbitrary commands via the DISPLAY environmental variable. 20000428 SuSE 6.3 Gnomelib buffer overflow http://www.suse.com/us/support/download/updates/axp_63.html 1155 linux-gnomelib-bo Entry ATRIUM Cassandra NNTP Server 1.10 allows remote attackers to cause a denial of service via a long login name. 20000501 Remote DoS attack in CASSANDRA NNTPServer v1.10 from ATRIUM 1156 nntpserver-cassandra-bo Entry Eudora 4.x allows remote attackers to bypass the user warning for executable attachments such as .exe, .com, and .bat by using a .lnk file that refers to the attachment, aka "Stealth Attachment." http://www.peacefire.org/security/stealthattach/explanation.html http://news.cnet.com/news/0-1005-200-1773077.html?tag=st.ne.fd.lthd.1005-200-1773077 1157 eudora-warning-message Entry The knfsd NFS server in Linux kernel 2.2.x allows remote attackers to cause a denial of service via a negative size value. 20000501 Linux knfsd DoS issue 1160 linux-knfsd-dos Entry AppleShare IP 6.1 and later allows a remote attacker to read potentially sensitive information via an invalid range request to the web server. 20000502 INFO:AppleShare IP 6.3.2 squashes security bug http://asu.info.apple.com/swupdates.nsf/artnum/n11670 macos-appleshare-invalid-range 1162 Entry Windows 95 and Windows 98 allow a remote attacker to cause a denial of service via a NetBIOS session request packet with a NULL source name. 20000501 el8.org advisory - Win 95/98 DoS (RFParalyze.c) 1163 win-netbios-source-null Entry A vulnerability in the Sendmail configuration file sendmail.cf as installed in SCO UnixWare 7.1.0 and earlier allows an attacker to gain root privileges. SB-99.10 Entry Vulnerability in the passthru driver in SCO UnixWare 7.1.0 allows an attacker to cause a denial of service. SB-99.13 Entry A debugging feature in NetworkICE ICEcap 2.0.23 and earlier is enabled, which allows a remote attacker to bypass the weak authentication and post unencrypted events. http://www.securityfocus.com/templates/advisory.html?id=2220 http://advice.networkice.com/advice/Support/KB/q000166/ 1216 netice-icecap-alert-execute netice-icecap-default 312 Entry Some packaging commands in SCO UnixWare 7.1.0 have insecure privileges, which allows local users to add or remove software packages. SB-99.09 Entry Pine before version 4.21 does not properly filter shell metacharacters from URLs, which allows remote attackers to execute arbitrary commands via a malformed URL. 19991117 Pine: expanding env vars in URLs (seems to be fixed as of 4.21) CSSA-1999-036.0 19991227 Security hole in Pine < 4.21 pine-remote-exe 810 Entry Pine 4.x allows a remote attacker to execute arbitrary commands via an index.html file which executes lynx and obtains a uudecoded file from a malicious web server, which is then executed by Pine. http://www.securiteam.com/unixfocus/HHP-Pine_remote_exploit.html 19990628 Execution of commands in Pine 4.x 19990911 Update for Pine (fixed IMAP support) 1247 pine-lynx-execute-commands Entry mirror 2.8.x in Linux systems allows remote attackers to create files one level above the local target directory. 19990928 mirror 2.9 hole 19991018 Incorrect directory name handling in mirror 19991001 Security hole in mirror 681 mirror-perl-remote-file-creation Entry Pluggable Authentication Modules (PAM) in Red Hat Linux 6.1 does not properly lock access to disabled NIS accounts. RHSA-1999:040 linux-pam-nis-login 697 Entry Buffer overflow in Trivial HTTP (THTTPd) allows remote attackers to cause a denial of service or execute arbitrary commands via a long If-Modified-Since header. 19991113 thttpd 2.04 stack overflow (VD#6) 19991116 Security hole in thttpd 1.90a - 2.04 thttpd-ifmodifiedsince-header-dos 1248 Entry Buffer overflow in INN 2.2.1 and earlier allows remote attackers to cause a denial of service via a maliciously formatted article. 19991124 Security hole in inn <= 2.2.1 CSSA-1999-038.0 inn-remote-dos 1249 Entry The PPP wvdial.lxdialog script in wvdial 1.4 and earlier creates a .config file with world readable permissions, which allows a local attacker in the dialout group to access login and password information. 19991214 Security hole in wvdial <= 1.4 wvdial-gain-dialup-info Entry Buffer overflows in Linux cdwtools 093 and earlier allows local users to gain root privileges. 19991019 Security hole in cdwtools < 093 738 linux-cdda2cdr Entry Linux cdwtools 093 and earlier allows local users to gain root privileges via the /tmp directory. 19991019 Security hole in cdwtools < 093 738 linux-cdda2cdr Entry dump in Debian GNU/Linux 2.1 does not properly restore symlinks, which allows a local user to modify the ownership of arbitrary files. 19991202 problem restoring symlinks debian-dump-modify-ownership 1442 Entry Vulnerability in eterm 0.8.8 in Debian GNU/Linux allows an attacker to gain root privileges. 19990218 Root exploit in eterm linux-eterm Entry Classic Cisco IOS 9.1 and later allows attackers with access to the loging prompt to obtain portions of the command history of previous users, which may allow the attacker to access sensitive data. 19981014 Cisco IOS Command History Release at Login Prompt J-009 Entry The IDENT server in Caldera Linux 2.3 creates multiple threads for each IDENT request, which allows remote attackers to cause a denial of service. CSSA-1999-029.1 1266 caldera-ident-server-dos Entry The debug option in Caldera Linux smail allows remote attackers to execute commands via shell metacharacters in the -D option for the rmail command. CSSA-1999-001.0 1268 caldera-smail-rmail-command Entry The libmediatool library used for the KDE mediatool allows local users to create arbitrary files via a symlink attack. CSSA-1999-005.0 1269 kde-mediatool Entry Vulnerability in Caldera rmt command in the dump package 0.4b4 allows a local user to gain root privileges. CSSA-1999-014.0 linux-rmt 7940 Entry Vulnerabilities in the KDE kvt terminal program allow local users to gain root privileges. CSSA-1999-015.0 RHSA-1999:015-01 kde-kvt Entry The default configuration of kdm in Caldera and Mandrake Linux, and possibly other distributions, allows XDMCP connections from any host, which allows remote attackers to obtain sensitive information or bypass additional access restrictions. CSSA-1999-021.0 MDKSA-2002:025 1446 xdmcp-kdm-default-configuration(4856) Entry The kernel in FreeBSD 3.2 follows symbolic links when it creates core dump files, which allows local attackers to modify arbitrary files. FreeBSD-SA-99:04 6084 Entry Buffer overflow in the HTTP proxy server for the i-drive Filo software allows remote attackers to execute arbitrary commands via a long HTTP GET request. 20000607 Buffer Overflow in i-drive Filo (tm) software 1324 idrive-filo-bo Entry The Remote Registry server in Windows NT 4.0 allows local authenticated users to cause a denial of service via a malformed request, which causes the winlogon process to fail, aka the "Remote Registry Access Authentication" vulnerability. MS00-040 Q264684 nt-registry-request-dos 1331 oval:org.mitre.oval:def:1021 Entry The pam_console PAM module in Linux systems performs a chown on various devices upon a user login, but an open file descriptor for those devices can be maintained after the user logs out, which allows that user to sniff activity on these devices when subsequent users log in. 20000502 pam_console bug 1176 linux-pam-sniff-activities Entry The Netopia R9100 router does not prevent authenticated users from modifying SNMP tables, even if the administrator has configured it to do so. 20000507 Advisory: Netopia R9100 router vulnerability http://www.netopia.com/equipment/purchase/fmw_update.html 1177 netopia-snmp-comm-strings Entry The IOS HTTP service in Cisco routers and switches running IOS 11.1 through 12.1 allows remote attackers to cause a denial of service by requesting a URL that contains a %% string. 20000426 Cisco HTTP possible bug: 20000514 Cisco IOS HTTP Server Vulnerability cisco-ios-http-dos 1154 1302 Entry The Gossamer Threads DBMan db.cgi CGI script allows remote attackers to view environmental variables and setup information by referencing a non-existing database in the db parameter. 20000505 Black Watch Labs Vulnerability Alert http://www.perfectotech.com/blackwatchlabs/vul5_05.html http-cgi-dbman-db 1178 Entry ColdFusion ClusterCATS appends stale query string arguments to a URL during HTML redirection, which may provide sensitive information to the redirected site. ASB00-12 1179 allaire-clustercats-url-redirect Entry The makelev program in the golddig game from the FreeBSD ports collection allows local users to overwrite arbitrary files. FreeBSD-SA-00:16 1184 golddig-overwrite-files Entry Buffer overflow in FreeBSD libmytinfo library allows local users to execute commands via a long TERMCAP environmental variable. FreeBSD-SA-00:17 1185 libmytinfo-bo Entry Buffer overflow in krb_rd_req function in Kerberos 4 and 5 allows remote attackers to gain root privileges. 20000516 BUFFER OVERRUN VULNERABILITIES IN KERBEROS CA-2000-06 FreeBSD-SA-00:20 RHSA-2000:025 kerberos-krb-rd-req-bo 1220 Entry Buffer overflow in krb425_conv_principal function in Kerberos 5 allows remote attackers to gain root privileges. 20000516 BUFFER OVERRUN VULNERABILITIES IN KERBEROS CA-2000-06 FreeBSD-SA-00:20 RHSA-2000:025 1220 kerberos-krb425-conv-principal-bo 4884 Entry Buffer overflow in krshd in Kerberos 5 allows remote attackers to gain root privileges. 20000516 BUFFER OVERRUN VULNERABILITIES IN KERBEROS CA-2000-06 FreeBSD-SA-00:20 RHSA-2000:025 kerberos-krshd-bo 1220 4876 Entry Buffer overflow in ksu in Kerberos 5 allows local users to gain root privileges. 20000516 BUFFER OVERRUN VULNERABILITIES IN KERBEROS CA-2000-06 FreeBSD-SA-00:20 RHSA-2000:025 kerberos-ksu-bo 1220 Entry The KDE kscd program does not drop privileges when executing a program specified in a user's SHELL environmental variable, which allows the user to gain privileges by specifying an alternate program to execute. 20000516 kscd vulnerability 20000529 kmulti <= 1.1.2 kscd-shell-env-variable 1206 Entry NetProwler 3.0 allows remote attackers to cause a denial of service by sending malformed IP packets that trigger NetProwler's Man-in-the-Middle signature. 20000519 RFP2K05: NetProwler vs. RFProwler 20000522 RFP2K05 - NetProwler "Fragmentation" Issue axent-netprowler-ipfrag-dos 1225 Entry Buffer overflow in CProxy 3.3 allows remote users to cause a denial of service via a long HTTP request. 20000516 CProxy v3.3 SP 2 DoS cproxy-http-dos 1213 Entry The add.exe program in the Carello shopping cart software allows remote attackers to duplicate files on the server, which could allow the attacker to read source code for web scripts such as .ASP files. 20000524 Alert: Carello File Creation flaw 1245 carello-file-duplication Entry The EMURL web-based email account software encodes predictable identifiers in user session URLs, which allows a remote attacker to access a user's email account. 20000515 Vulnerability in EMURL-based e-mail providers emurl-account-access 1203 Entry Buffer overflow in wconsole.dll in Rockliffe MailSite Management Agent allows remote attackers to execute arbitrary commands via a long query_string parameter in the HTTP GET request. 20000524 Alert: Buffer overflow in Rockliffe's MailSite 1244 mailsite-get-overflow Entry Buffer overflow in MDaemon POP server allows remote attackers to cause a denial of service via a long user name. 20000524 Deerfield Communications MDaemon Mail Server DoS deerfield-mdaemon-dos 1250 Entry The Mixed Mode authentication capability in Microsoft SQL Server 7.0 stores the System Administrator (sa) account in plaintext in a log file which is readable by any user, aka the "SQL Server 7.0 Service Pack Password" vulnerability. MS00-035 Q263968 1281 mssql-agent-stored-pw mssql-sa-pw-in-sqlsplog Entry The CIFS Computer Browser service on Windows NT 4.0 allows a remote attacker to cause a denial of service by sending a large number of host announcement requests to the master browse tables, aka the "HostAnnouncement Flooding" or "HostAnnouncement Frame" vulnerability. MS00-036 Q263307 win-browser-hostannouncement 1261 Entry The CIFS Computer Browser service allows remote attackers to cause a denial of service by sending a ResetBrowser frame to the Master Browser, aka the "ResetBrowser Frame" vulnerability. MS00-036 Q262694 1262 win-browser-reset-frame Entry Buffer overflow in L0pht AntiSniff allows remote attackers to execute arbitrary commands via a malformed DNS response packet. 20000515 AntiSniff version 1.01 and Researchers version 1 DNS overflow 1207 antisniff-dns-overflow 3179 Entry Netscape Communicator before version 4.73 and Navigator 4.07 do not properly validate SSL certificates, which allows remote attackers to steal information by redirecting traffic from a legitimate web server to their own malicious server, aka the "Acros-Suencksen SSL" vulnerability. http://www.acrossecurity.com/aspr/ASPR-2000-04-06-1-PUB.txt CA-2000-05 RHSA-2000:028 1188 netscape-invalid-ssl-sessions Entry Buffer overflow in Solaris netpr program allows local users to execute arbitrary commands via a long -p option. 20000512 New Solaris root exploit for /usr/lib/lp/bin/netpr sol-netpr-bo 1200 Entry IIS 4.05 and 5.0 allow remote attackers to cause a denial of service via a long, complex URL that appears to contain a large number of file extensions, aka the "Malformed Extension Data in URL" vulnerability. http://www.ussrback.com/labs40.html MS00-030 Q260205 iis-url-extension-data-dos 1190 Entry Netscape 4.73 and earlier follows symlinks when it imports a new certificate, which allows local users to overwrite files of the user importing the certificate. 20000510 Possible symlink problems with Netscape 4.73 1201 netscape-import-certificate-symlink Entry ColdFusion Server 4.5.1 allows remote attackers to cause a denial of service by making repeated requests to a CFCACHE tagged cache file that is not stored in memory. 20000510 Cold Fusion Server 4.5.1 DoS Vulnerability. coldfusion-cfcache-dos 1192 Entry Matt Wright's FormMail CGI script allows remote attackers to obtain environmental variables via the env_report parameter. 20000510 Black Watch Labs Vulnerability Alert http://www.perfectotech.com/blackwatchlabs/vul5_10.html http-cgi-formmail-environment 1187 Entry Vulnerability in shutdown command for HP-UX 11.X and 10.X allows allows local users to gain privileges via malformed input variables. HPSBUX0005-113 hp-shutdown-privileges 1214 Entry NTMail 5.x allows network users to bypass the NTMail proxy restrictions by redirecting their requests to NTMail's web configuration server. 20000511 NTMail Proxy Exploit http://www.gordano.com/support/archives/ntmail/2000-05/00001114.htm ntmail-bypass-proxy 1196 Entry The HTTP administration interface to the Cayman 3220-H DSL router allows remote attackers to cause a denial of service via a long username or password. 20000505 Cayman 3220-H DSL Router DOS 20000523 Cayman 3220H DSL Router Software Update and New Bonus Attack cayman-router-dos 1219 Entry The Cayman 3220-H DSL router allows remote attackers to cause a denial of service via oversized ICMP echo (ping) requests. 20000523 Cayman 3220H DSL Router Software Update and New Bonus Attack cayman-dsl-dos 1240 Entry The Office 2000 UA ActiveX Control is marked as "safe for scripting," which allows remote attackers to conduct unauthorized activities via the "Show Me" function in Office Help, aka the "Office 2000 UA Control" vulnerability. MS00-034 Q262767 CA-2000-07 1197 office-ua-control Entry The process_bug.cgi script in Bugzilla allows remote attackers to execute arbitrary commands via shell metacharacters. 20000510 Advisory: Unchecked system(blaat $var blaat) call in Bugzilla 2.8 bugzilla-unchecked-system-call 1199 Entry The CGI counter 4.0.7 by George Burgyan allows remote attackers to execute arbitrary commands via shell metacharacters. 20000514 Vulnerability in CGI counter 4.0.7 by George Burgyan 1202 http-cgi-burgyan-counter Entry Buffer overflow in the Web Archives component of L-Soft LISTSERV 1.8 allows remote attackers to execute arbitrary commands. http://www.lsoft.com/news/default.asp?item=Advisory0 20000505 Alert: Listserv Web Archives (wa) buffer overflow http-cgi-listserv-wa-bo 1167 Entry UltraBoard 1.6 and other versions allow remote attackers to cause a denial of service by referencing UltraBoard in the Session parameter, which causes UltraBoard to fork copies of itself. 20000505 Re: Fun with UltraBoard V1.6X 1175 ultraboard-cgi-dos Entry The Aladdin Knowledge Systems eToken device allows attackers with physical access to the device to obtain sensitive information without knowing the PIN of the owner by resetting the PIN in the EEPROM. 20000504 eToken Private Information Extraction and Physical Attack aladdin-etoken-pin-reset 1170 3266 Entry Buffer overflow in the SMTP gateway for InterScan Virus Wall 3.32 and earlier allows a remote attacker to execute arbitrary commands via a long filename for a uuencoded attachment. 20000503 Trend Micro InterScan VirusWall Remote Overflow 1168 interscan-viruswall-bo Entry Cart32 allows remote attackers to access sensitive debugging information by appending /expdate to the URL request. 20000503 Another interesting Cart32 command cart32-expdate 1358 Entry Cobalt RaQ2 and RaQ3 does not properly set the access permissions and ownership for files that are uploaded via FrontPage, which allows attackers to bypass cgiwrap and modify files. 20000522 Problem with FrontPage on Cobalt RaQ2/RaQ3 20000525 Cobalt Networks - Security Advisory - Frontpage http://archives.neohapsis.com/archives/bugtraq/2000-05/0305.html 1238 cobalt-cgiwrap-bypass 1346 Entry The calender.pl and the calendar_admin.pl calendar scripts by Matt Kruse allow remote attackers to execute arbitrary commands via shell metacharacters. 20000516 Vuln in calender.pl (Matt Kruse calender script) 1215 http-cgi-calendar-execute Entry The allmanageup.pl file upload CGI script in the Allmanage Website administration software 2.6 can be called directly by remote attackers, which allows them to modify user accounts or web pages. 20000516 Allmanage.pl Vulnerabilities http-cgi-allmanage-account-access 1217 1337 Entry MetaProducts Offline Explorer 1.2 and earlier allows remote attackers to access arbitrary files via a .. (dot dot) attack. 20000522 MetaProducts Offline Explorer Directory Traversal Vulnerability http://www.metaproducts.com/mpOE-HY.html 1231 offline-explorer-directory-traversal Entry Buffer overflow in the CyberPatrol daemon "cyberdaemon" used in gauntlet and WebShield allows remote attackers to cause a denial of service or execute arbitrary commands. http://www.tis.com/support/cyberadvisory.html http://www.pgp.com/jump/gauntlet_advisory.asp 20000522 Gauntlet CyberPatrol Buffer Overflow gauntlet-cyberdaemon-bo 1234 322 Entry Buffer overflow in fdmount on Linux systems allows local users in the "floppy" group to execute arbitrary commands via a long mountpoint parameter. 20000522 fdmount buffer overflow linux-fdmount-bo 1239 Entry Internet Explorer 4.0 and 5.0 allows a malicious web site to obtain client cookies from another domain by including that domain name and escaped characters in a URL, aka the "Unauthorized Cookie Access" vulnerability. 20000510 IE Domain Confusion Vulnerability 20000511 IE Domain Confusion Vulnerability is an Email problem also MS00-033 1194 1326 ie-cookie-disclosure(4447) Entry NetBSD 1.4.2 and earlier allows remote attackers to cause a denial of service by sending a packet with an unaligned IP timestamp option. NetBSD-SA2000-002 FreeBSD-SA-00:23 20000506 [NHC20000504a.0: NetBSD Panics when sent unaligned IP options] 1173 netbsd-unaligned-ip-options Entry Vulnerability in AIX 3.2.x and 4.x allows local users to gain write access to files on locally or remotely mounted AIX filesystems. ERS-OAR-E01-2000:087.1 1241 aix-local-filesystem Entry Qpopper 2.53 and earlier allows local users to gain privileges via a formatting string in the From: header, which is processed by the euidl command. 20000523 Qpopper 2.53 remote problem, user can gain gid=mail 20000608 pop <= 2000.3.4 1242 qualcomm-qpopper-euidl Entry The web interface server in HP Web JetAdmin 5.6 allows remote attackers to read arbitrary files via a .. (dot dot) attack. 20000524 HP Web JetAdmin Version 5.6 Web interface Server Directory Traversal Vulnerability hp-jetadmin-directory-traversal 1243 1350 Entry The pgpk command in PGP 5.x on Unix systems uses an insufficiently random data source for non-interactive key pair generation, which may produce predictable keys. 20000523 Key Generation Security Flaw in PGP 5.0 CA-2000-09 1251 pgp-key-predictable 1355 Entry Buffer overflow in MDBMS database server allows remote attackers to execute arbitrary commands via a long string. 20000524 Remote xploit for MDBMS mdbms-bo 1252 Entry Buffer overflow in WebShield SMTP 4.5.44 allows remote attackers to execute arbitrary commands via a long configuration parameter to the WebShield remote management service. 20000525 DST2K0003 : Buffer Overrun in NAI WebShield SMTP v4.5.44 Managem ent Tool nai-webshield-bo 1254 327 Entry The WebShield SMTP Management Tool version 4.5.44 does not properly restrict access to the management port when an IP address does not resolve to a hostname, which allows remote attackers to access the configuration via the GET_CONFIG command. 20000525 DST2K0003 : Buffer Overrun in NAI WebShield SMTP v4.5.44 Managem ent Tool nai-webshield-getconfig 1253 326 Entry The Intel express 8100 ISDN router allows remote attackers to cause a denial of service via oversized or fragmented ICMP packets. 20000518 Remote Dos attack against Intel express 8100 router intel-8100-remote-dos 1228 Entry Buffer overflow in the ESMTP service of Lotus Domino Server 5.0.1 allows remote attackers to cause a denial of service via a long MAIL FROM command. 20000518 Lotus ESMTP Service (Lotus Domino Release 5.0.1 (Intl)) lotus-domino-esmtp-bo 1229 321 Entry XFree86 3.3.x and 4.0 allows a user to cause a denial of service via a negative counter value in a malformed TCP packet that is sent to port 6000. 20000518 Nasty XFree Xserver DoS CSSA-2000-012.0 1235 Entry Buffer overflow in Linux cdrecord allows local users to gain privileges via the dev parameter. 20000527 Mandrake 7.0: /usr/bin/cdrecord gid=80 (strike #2) 20000603 [Gael Duval ] [Security Announce] cdrecord 20000607 Conectiva Linux Security Announcement - cdrecord 1265 linux-cdrecord-execute Entry Buffer overflow in xlockmore xlock program version 4.16 and earlier allows local users to read sensitive data from memory via a long -mode option. 20000529 Initialized Data Overflow in Xlock NetBSD-SA2000-003 TLSA2000012-1 1267 xlock-bo-read-passwd Entry NetBSD 1.4.2 and earlier allows local users to cause a denial of service by repeatedly running certain system calls in the kernel which do not yield the CPU, aka "cpu-hog". NetBSD-SA2000-005 1272 bsd-syscall-cpu-dos 1365 Entry ISM.DLL in IIS 4.0 and 5.0 allows remote attackers to read file contents by requesting the file and appending a large number of encoded spaces (%20) and terminated with a .htr extension, aka the ".HTR File Fragment Reading" or "File Fragment Reading via .HTR" vulnerability. 20000511 Alert: IIS ism.dll exposes file contents MS00-031 1193 iis-ism-file-access(4448) Entry The MSWordView application in IMP creates world-readable files in the /tmp directory, which allows other local users to read potentially sensitive information. 20000424 Two Problems in IMP 2 1360 imp-tmpfile-view Entry IMP does not remove files properly if the MSWordView application quits, which allows local users to cause a denial of service by filling up the disk space by requesting a large number of documents and prematurely stopping the request. 20000424 Two Problems in IMP 2 1361 imp-wordfile-dos Entry Buffer overflow in KDE kdesud on Linux allows local uses to gain privileges via a long DISPLAY environmental variable. 20000526 KDE: /usr/bin/kdesud, gid = 0 exploit 1274 kde-display-environment-overflow Entry The undocumented semconfig system call in BSD freezes the state of semaphores, which allows local users to cause a denial of service of the semaphore system by using the semconfig call. 20000526 NetBSD-SA2000-004 FreeBSD-SA-00:19 bsd-semaphore-dos 1270 Entry ftpd in NetBSD 1.4.2 does not properly parse entries in /etc/ftpchroot and does not chroot the specified users, which allows those users to access other files outside of their home directory. NetBSD-SA2000-006 1273 netbsd-ftpchroot-parsing 1366 Entry BeOS 5.0 allows remote attackers to cause a denial of service via fragmented TCP packets. 20000517 AUX Security Advisory on Be/OS 5.0 (DoS) beos-tcp-frag-dos 1222 Entry Internet Explorer 4.x and 5.x allows remote attackers to execute arbitrary commands via a buffer overflow in the ActiveX parameter parsing capability, aka the "Malformed Component Attribute" vulnerability. MS00-033 Q261257 ie-malformed-component-attribute 1223 Entry Internet Explorer 4.x and 5.x does properly verify the domain of a frame within a browser window, which allows a remote attacker to read client files via the frame, aka the "Frame Domain Verification" vulnerability. MS00-033 Q251108 Q255676 1224 ie-frame-domain-verification Entry AIX cdmount allows local users to gain root privileges via shell metacharacters. 20000620 Insecure call of external program in AIX cdmount aix-cdmount-insecure-call 1384 Entry Buffer overflow in Linux splitvt 1.6.3 and earlier allows local users to gain root privileges via a long password in the screen locking function. 20000614 Splitvt exploit 20000605a 1346 splitvt-screen-lock-bo Entry man in HP-UX 10.20 and 11 allows local attackers to overwrite files via a symlink attack. 20000601 HP Security vulnerability in the man command 1302 hp-man-file-overwrite Entry Selena Sol WebBanner 4.0 allows remote attackers to read arbitrary files via a .. (dot dot) attack. 20000613 CGI: Selena Sol's WebBanner ( Random Banner Generator ) Vulnerability 20000620 Re: CGI: Selena Sol's WebBanner ( Random Banner Generator ) Vulnerability 1347 webbanner-input-validation-exe Entry Allegro RomPager HTTP server allows remote attackers to cause a denial of service via a malformed authentication request. 20000601 Hardware Exploit - Gets network Down 1290 rompager-malformed-dos Entry Buffer overflow in ufsrestore in Solaris 8 and earlier allows local users to gain root privileges via a long pathname. 20000614 Vulnerability in Solaris ufsrestore 4339366 00210 VU#36866 1348 1398 sol-ufsrestore-bo Entry Buffer overflow in innd 2.2.2 allows remote attackers to execute arbitrary commands via a cancel request containing a long message ID. 20000106 innd 2.2.2 remote buffer overflow CSSA-2000-016.0 20000707 inn update 20000721 [ANNOUNCE] INN 2.2.3 available 20000722 MDKSA-2000:023 inn update 1316 innd-cancel-overflow Entry Real Networks RealServer 7.x allows remote attackers to cause a denial of service via a malformed request for a page in the viewsource directory. 20000601 Remote DoS attack in Real Networks Real Server (Strike #2) Vulnerability 20000601 Remote DoS attack in RealServer: USSR-2000043 1288 realserver-malformed-remote-dos Entry Windows 2000 allows a local user process to access another user's desktop within the same windows station, aka the "Desktop Separation" vulnerability. MS00-020 1350 win2k-desktop-separation Entry Buffer overflow in Norton Antivirus for Exchange (NavExchange) allows remote attackers to cause a denial of service via a .zip file that contains long file names. 20000614 Vulnerabilities in Norton Antivirus for Exchange 1351 antivirus-nav-zip-bo Entry In some cases, Norton Antivirus for Exchange (NavExchange) enters a "fail-open" state which allows viruses to pass through the server. 20000614 Vulnerabilities in Norton Antivirus for Exchange 1351 antivirus-nav-fail-open 6266 Entry Buffer overflow in KDE Kmail allows a remote attacker to cause a denial of service via an attachment with a long file name. 20000601 Kmail heap overflow 1380 kde-kmail-attachment-dos Entry Check Point Firewall-1 allows remote attackers to cause a denial of service by sending a large number of malformed fragmented IP packets. 20000605 FW-1 IP Fragmentation Vulnerability http://www.checkpoint.com/techsupport/alerts/list_vun.html#IP_Fragmentation 1312 fw1-packet-fragment-dos 1379 Entry The DocumentTemplate package in Zope 2.2 and earlier allows a remote attacker to modify DTMLDocuments or DTMLMethods without authorization. 20000615 [Brian@digicool.com: [Zope] Zope security alert and 2.1.7 update [*important*]] http://www.zope.org/Products/Zope/Hotfix_06_16_2000/security_alert RHSA-2000:038 FreeBSD-SA-00:38 20000728 MDKSA-2000:026 Zope update 2000615 Conectiva Linux Security Announcement - ZOPE 1354 zope-dtml-remote-modify Entry Buffer overflow in Small HTTP Server allows remote attackers to cause a denial of service via a long GET request. 20000616 Remote DoS Attack in Small HTTP Server ver. 1.212 Vulnerability 20000616 Remote DoS Attack in Small HTTP Server ver. 1.212 Vulnerability 1355 small-http-get-overflow-dos Entry Microsoft SQL Server allows local users to obtain database passwords via the Data Transformation Service (DTS) package Properties dialog, aka the "DTS Password" vulnerability. 20000530 Fw: Steal Passwords Using SQL Server EM MS00-041 1292 mssql-dts-reveal-passwords Entry Buffer overflow in Cisco TACACS+ tac_plus server allows remote attackers to cause a denial of service via a malformed packet with a long length field. 20000530 An Analysis of the TACACS+ Protocol and its Implementations http://archives.neohapsis.com/archives/bugtraq/2000-05/0370.html 1293 tacacsplus-packet-length-dos Entry Buffer overflow in ITHouse mail server 1.04 allows remote attackers to execute arbitrary commands via a long RCPT TO mail command. 20000601 DST2K0007: Buffer Overrun in ITHouse Mail Server v1.04 1285 ithouse-rcpt-overflow(4580) Entry FreeBSD, NetBSD, and OpenBSD allow an attacker to cause a denial of service by creating a large number of socket pairs using the socketpair function, setting a large buffer size via setsockopt, then writing large buffers. 19990826 Local DoS in FreeBSD 20000601 Local FreeBSD, Openbsd, NetBSD, DoS Vulnerability - Mac OS X affected 622 bsd-setsockopt-dos Entry Buffer overflow in the NetWin DSMTP 2.7q in the NetWin dmail package allows remote attackers to execute arbitrary commands via a long ETRN request. 20000601 Netwin's Dmail package http://netwinsite.com/dmail/security.htm 1297 dmail-etrn-dos Entry Buffer overflow in Simple Network Time Sync (SMTS) daemon allows remote attackers to cause a denial of service and possibly execute arbitrary commands via a long string. 20000601 Vulnerability in SNTS 1289 timesync-bo-execute Entry Veritas Volume Manager creates a world writable .server_pids file, which allows local users to add arbitrary commands into the file, which is then executed by the vmsa_server script. 20000616 Veritas Volume Manager 3.0.x hole http://seer.support.veritas.com/tnotes/volumeman/230053.htm 1356 veritas-volume-manager Entry Microsoft Windows Media Encoder allows remote attackers to cause a denial of service via a malformed request, aka the "Malformed Windows Media Encoder Request" vulnerability. MS00-038 1282 ms-malformed-media-dos Entry IBM WebSphere server 3.0.2 allows a remote attacker to view source code of a JSP program by requesting a URL which provides the JSP extension in upper case. 20000612 IBM WebSphere JSP showcode vulnerability http://www-4.ibm.com/software/webservers/appserv/efix.html 1328 websphere-jsp-source-read Entry Unify eWave ServletExec allows a remote attacker to view source code of a JSP program by requesting a URL which provides the JSP extension in upper case. 20000608 Potential vulnerability in Unify eWave ServletExec 1328 ewave-servletexec-jsp-source-read(4649) Entry The default configuration of BEA WebLogic 3.1.8 through 4.5.1 allows a remote attacker to view source code of a JSP program by requesting a URL which provides the JSP extension in upper case. 20000612 BEA WebLogic JSP showcode vulnerability http://developer.bea.com/alerts/security_000612.html 1328 weblogic-jsp-source-read Entry The default configuration of BEA WebLogic 5.1.0 allows a remote attacker to view source code of programs by requesting a URL beginning with /file/, which causes the default servlet to display the file without further processing. http://www.weblogic.com/docs51/admindocs/http.html#file 20000621 BEA WebLogic /file/ showcode vulnerability 1378 weblogic-file-source-read Entry Race condition in MDaemon 2.8.5.0 POP server allows local users to cause a denial of service by entering a UIDL command and quickly exiting the server. 20000616 mdaemon 2.8.5.0 WinNT and Win9x remote DoS 1366 mdaemon-pass-dos Entry Mcafee VirusScan 4.03 does not properly restrict access to the alert text file before it is sent to the Central Alert Server, which allows local users to modify alerts in an arbitrary fashion. 20000607 Mcafee Alerting DOS vulnerability 1326 mcafee-alerting-dos(4641) 6287 Entry libICE in XFree86 allows remote attackers to cause a denial of service by specifying a large value which is not properly checked by the SKIP_STRING macro. 20000619 XFree86: libICE DoS http://www.xfree86.org/security/ 1369 linux-libice-dos Entry The Apache 1.3.x HTTP server for Windows platforms allows remote attackers to list directory contents by requesting a URL containing a large number of / characters. 20000603 Re: IBM HTTP SERVER / APACHE 1284 ibm-http-file-retrieve Entry The "capabilities" feature in Linux before 2.2.16 allows local users to cause a denial of service or gain privileges by setting the capabilities to prevent a setuid program from dropping privileges, aka the "Linux kernel setuid/setcap vulnerability." 20000609 Sendmail & procmail local root exploits on Linux kernel up to 2.2.16pre5 RHSA-2000:037 TLSA2000013-1 20000802-01-P 20000609 Trustix Security Advisory 20000608 CONECTIVA LINUX SECURITY ANNOUNCEMENT - kernel 1322 linux-kernel-capabilities Entry Imate Webmail Server 2.5 allows remote attackers to cause a denial of service via a long HELO command. 20000601 DST2K0006: Denial of Service Possibility in Imate WebMail Server 1286 nt-webmail-dos Entry rpc.lockd in Red Hat Linux 6.1 and 6.2 allows remote attackers to cause a denial of service via a malformed request. 20000608 Remote DOS in linux rpc.lockd 1372 linux-lockd-remote-dos Entry CUPS (Common Unix Printing System) 1.04 and earlier allows remote attackers to cause a denial of service via a malformed IPP request. 20000620 CUPS DoS Bugs ftp://ftp.easysw.com/pub/cups/1.0.5/cups-DoS.patch 1373 debian-cups-malformed-ipp Entry CUPS (Common Unix Printing System) 1.04 and earlier allows remote attackers to cause a denial of service via a CGI POST request. 20000620 CUPS DoS Bugs ftp://ftp.easysw.com/pub/cups/1.0.5/cups-DoS.patch 1373 debian-cups-posts Entry CUPS (Common Unix Printing System) 1.04 and earlier does not properly delete request files, which allows a remote attacker to cause a denial of service. 20000620 CUPS DoS Bugs ftp://ftp.easysw.com/pub/cups/1.0.5/cups-DoS.patch 1373 debian-cups-posts Entry CUPS (Common Unix Printing System) 1.04 and earlier allows remote attackers to cause a denial of service by authenticating with a user name that does not exist or does not have a shadow password. 20000620 CUPS DoS Bugs ftp://ftp.easysw.com/pub/cups/1.0.5/cups-DoS.patch 1373 debian-cups-posts Entry GSSFTP FTP daemon in Kerberos 5 1.1.x does not properly restrict access to some FTP commands, which allows remote attackers to cause a denial of service, and local users to gain root privileges. 20000614 Security Advisory: REMOTE ROOT VULNERABILITY IN GSSFTP DAEMON http://web.mit.edu/kerberos/www/advisories/ftp.txt 1374 kerberos-gssftpd-dos 4885 Entry The snmpd.conf configuration file for the SNMP daemon (snmpd) in HP-UX 11.0 is world writable, which allows local users to modify SNMP configuration or gain privileges. 20000607 [ Hackerslab bug_paper ] HP-UX SNMP daemon vulnerability 20000608 Re: HP-UX SNMP daemon vulnerability 1327 hpux-snmp-daemon Entry When configured to store configuration information in an LDAP directory, Shiva Access Manager 5.0.0 stores the root DN (Distinguished Name) name and password in cleartext in a file that is world readable, which allows local users to compromise the LDAP server. 20000606 Shiva Access Manager 5.0.0 Plaintext LDAP root password. 1329 shiva-plaintext-ldap-password Entry Netscape 4.73 and earlier does not properly warn users about a potentially invalid certificate if the user has previously accepted the certificate for a different web site, which could allow remote attackers to spoof a legitimate web site by compromising that site's DNS information. CA-2000-08 1260 netscape-ssl-certificate Entry Internet Explorer 4.x and 5.x does not properly verify all contents of an SSL certificate if a connection is made to the server via an image or a frame, aka one of two different "SSL Certificate Validation" vulnerabilities. http://www.acrossecurity.com/aspr/ASPR-1999-12-15-1-PUB.txt MS00-039 CA-2000-10 1309 ie-invalid-frame-image-certificate Entry Internet Explorer 4.x and 5.x does not properly re-validate an SSL certificate if the user establishes a new SSL session with the same server during the same Internet Explorer session, aka one of two different "SSL Certificate Validation" vulnerabilities. http://www.acrossecurity.com/aspr/ASPR-1999-12-15-1-PUB.txt MS00-039 CA-2000-10 1309 ie-revalidate-certificate Entry Savant web server allows remote attackers to read source code of CGI scripts via a GET request that does not include the HTTP version number. 20000605 MDMA Advisory #5: Reading of CGI Scripts under Savant Webserver 1313 savant-source-read Entry RSA ACE/Server allows remote attackers to cause a denial of service by flooding the server's authentication request port with UDP packets, which causes the server to crash. 20000608 Potential DoS Attack on RSA's ACE/Server ftp://ftp.securid.com/support/outgoing/dos/readme.txt 20000714 Re: RSA Aceserver UDP Flood Vulnerability 1332 aceserver-udp-packet-dos Entry Buffer overflow in the logging feature of EServ 2.9.2 and earlier allows an attacker to execute arbitrary commands via a long MKD command. 20000606 MDMA Advisory #6: EServ Logging Heap Overflow Vulnerability 1315 eserv-logging-overflow Entry OpenSSH does not properly drop privileges when the UseLogin option is enabled, which allows local users to execute arbitrary commands by providing the command to the ssh daemon. 20000609 OpenSSH's UseLogin option allows remote access with root privilege. 20000606 The non-default UseLogin feature in /etc/sshd_config is broken and should not be used. 1334 openssh-uselogin-remote-exec 341 Entry Net Tools PKI Server does not properly restrict access to remote attackers when the XUDA template files do not contain absolute pathnames for other files. 20000619 Net Tools PKI server exploits ftp://ftp.tis.com/gauntlet/hide/pki/hotfix.txt 1364 nettools-pki-unauthenticated-access 4353 Entry Net Tools PKI Server allows remote attackers to cause a denial of service via a long HTTP request. 20000619 Net Tools PKI server exploits ftp://ftp.tis.com/gauntlet/hide/pki/hotfix.txt 1363 nettools-pki-http-bo 4352 Entry The KApplication class in the KDE 1.1.2 configuration file management capability allows local users to overwrite arbitrary files. 20000531 KDE::KApplication feature? CSSA-2000-015.0 RHSA-2000:032 1291 kde-configuration-file-creation Entry A FreeBSD patch for SSH on 2000-01-14 configures ssh to listen on port 722 as well as port 22, which might allow remote attackers to access SSH through port 722 even if port 22 is otherwise filtered. FreeBSD-SA-00:21 1323 freebsd-ssh-ports 1387 Entry Vulnerability in cvconnect in SGI IRIX WorkShop allows local users to overwrite arbitrary files. 20000601-01-P 1379 irix-workshop-cvconnect-overwrite Entry The apsfilter software in the FreeBSD ports package does not properly read user filter configurations, which allows local users to execute commands as the lpd user. FreeBSD-SA-00:22 1325 apsfilter-elevate-privileges 1389 Entry xinetd 2.1.8.x does not properly restrict connections if hostnames are used for access control and the connecting host does not have a reverse DNS entry. http://www.synack.net/xinetd/ 20000619 xinetd: bug in access control mechanism 1381 xinetd-improper-restrictions Entry BRU backup software allows local users to append data to arbitrary files by specifying an alternate configuration file with the BRUEXECLOG environmental variable. 20000606 BRU Vulnerability CSSA-2000-018.0 1321 bru-execlog-env-variable Entry ColdFusion Administrator for ColdFusion 4.5.1 and earlier allows remote attackers to cause a denial of service via a long login password. 20000607 New Allaire ColdFusion DoS ASB00-14 1314 coldfusion-parse-dos 3399 Entry Servlet examples in Allaire JRun 2.3.x allow remote attackers to obtain sensitive information, e.g. listing HttpSession ID's via the SessionServlet servlet. ASB00-015 1386 jrun-read-sample-files 818 Entry JSP sample files in Allaire JRun 2.3.x allow remote attackers to access arbitrary files (e.g. via viewsource.jsp) or obtain configuration information. ASB00-015 1386 jrun-read-sample-files 2713 Entry The Panda Antivirus console on port 2001 allows local users to execute arbitrary commands without authentication via the CMD command. 20000617 Infosec.20000617.panda.a panda-antivirus-remote-admin(4707) 1359 Entry Tigris remote access server before 11.5.4.22 does not properly record Radius accounting information when a user fails the initial login authentication but subsequently succeeds. 20000612 ACC/Ericsson Tigris Accounting Failure 1345 tigris-radius-login-failure Entry Buffer overflow in Kerberos 4 KDC program allows remote attackers to cause a denial of service via the e_msg variable in the kerb_err_reply function. 20000609 Security Advisory: MULTIPLE DENIAL OF SERVICE VULNERABILITIES IN KRB4 KDC http://web.mit.edu/kerberos/www/advisories/krb4kdc.txt RHSA-2000:031 CA-2000-11 K-051 kerberos-emsg-bo 4875 Entry Kerberos 4 KDC program does not properly check for null termination of AUTH_MSG_KDC_REQUEST requests, which allows remote attackers to cause a denial of service via a malformed request. 20000609 Security Advisory: MULTIPLE DENIAL OF SERVICE VULNERABILITIES IN KRB4 KDC http://web.mit.edu/kerberos/www/advisories/krb4kdc.txt RHSA-2000:031 CA-2000-11 K-051 Entry Kerberos 4 KDC program improperly frees memory twice (aka "double-free"), which allows remote attackers to cause a denial of service. 20000609 Security Advisory: MULTIPLE DENIAL OF SERVICE VULNERABILITIES IN KRB4 KDC http://web.mit.edu/kerberos/www/advisories/krb4kdc.txt RHSA-2000:031 CA-2000-11 K-051 kerberos-free-memory 1465 Entry The file transfer mechanism in Danware NetOp 6.0 does not provide authentication, which allows remote attackers to access and modify arbitrary files. 20000523 I think 1263 danware-netop-bypass-security(4569) Entry ICQwebmail client for ICQ 2000A creates a world readable temporary file during login and does not delete it, which allows local users to obtain sensitive information. 20000606 ICQ2000A ICQmail temparary internet link vulnearbility 1307 icq-temp-link Entry Race condition in IPFilter firewall 3.4.3 and earlier, when configured with overlapping "return-rst" and "keep state" rules, allows remote attackers to bypass access restrictions. 20000525 Security Vulnerability in IPFilter 3.3.15 and 3.4.3 1308 ipfilter-firewall-race-condition 1377 Entry Ceilidh allows remote attackers to cause a denial of service via a large number of POST requests. 20000608 DST2K0010: DoS & Path Revealing Vulnerability in Ceilidh v2.60a 1320 ceilidh-post-dos Entry Buffer overflow in the web interface for Cmail 2.4.7 allows remote attackers to cause a denial of service by sending a large user name to the user dialog running on port 8002. 20000608 DST2K0011: DoS & BufferOverrun in CMail v2.4.7 WebMail http://www.computalynx.net/news/Jun2000/news0806200001.html 1319 cmail-long-username-dos Entry Buffer overflow in the web interface for Cmail 2.4.7 allows remote attackers to execute arbitrary commands via a long GET request. 20000608 DST2K0011: DoS & BufferOverrun in CMail v2.4.7 WebMail 1318 cmail-get-overflow-execute Entry Buffer overflow in HP Openview Network Node Manager 6.1 allows remote attackers to execute arbitrary commands via the Alarm service (OVALARMSRV) on port 2345. 20000608 DST2K0012: BufferOverrun in HP Openview Network Node Manager v6.1 1317 Entry Buffer overflow in WebBBS 1.15 allows remote attackers to execute arbitrary commands via a long HTTP GET request. 20000620 DST2K0018: Multiple BufferOverruns in WebBBS HTTP Server v1.15 1365 webbbs-get-request-overflow 3544 Entry SmartFTP Daemon 0.2 allows a local user to access arbitrary files by uploading and specifying an alternate user configuration file via a .. (dot dot) attack. 20000613 SmartFTP Daemon v0.2 Beta Build 9 - Remote Exploit 1344 smartftp-directory-traversal 1394 Entry makewhatis in Linux man package allows local users to overwrite files via a symlink attack. 20000712 Insecure temporary file handling in Linux makewhatis RHSA-2000:041 CSSA-2000-021.0 MDKSA-2000:015 20000707 [Security Announce] man update 20000727 CONECTIVA LINUX SECURITY ANNOUNCEMENT - MAN 1434 linux-man-makewhatis-tmp Entry Buffer overflow in Microsoft Outlook and Outlook Express allows remote attackers to execute arbitrary commands via a long Date field in an email header, aka the "Malformed E-mail Header" vulnerability. MS00-043 20000719 Buffer Overflow in MS Outlook Email Clients 20000719 Aaron Drew - Security Advisory: Buffer Overflow in MS Outlook & Outlook Express Email Clients 1481 outlook-date-overflow Entry Sybergen Secure Desktop 2.1 does not properly protect against false router advertisements (ICMP type 9), which allows remote attackers to modify default routes. 20000630 Multiple vulnerabilities in Sybergen Secure Desktop sybergen-routing-table-modify 1417 Entry Sybergen Sygate allows remote attackers to cause a denial of service by sending a malformed DNS UDP packet to its internal interface. 20000630 Any LAN user can crash Sygate 1420 sygate-udp-packet-dos(5049) Entry FirstClass Internet Services server 5.770, and other versions before 6.1, allows remote attackers to cause a denial of service by sending an email with a long To: mail header. 20000627 DoS in FirstClass Internet Services 5.770 firstclass-large-bcc-dos(4843) 1421 5718 Entry LocalWEB HTTP server 1.2.0 allows remote attackers to cause a denial of service via a long GET request. 20000703 Remote DoS Attack in LocalWEB HTTP Server 1.2.0 Vulnerability 1423 localweb-get-bo Entry The lreply function in wu-ftpd 2.6.0 and earlier does not properly cleanse an untrusted format string, which allows remote attackers to execute arbitrary commands via the SITE EXEC command. 20000622 WuFTPD: Providing *remote* root since at least1994 20000623 WUFTPD 2.6.0 remote root exploit 20000707 New Released Version of the WuFTPD Sploit 20000623 ftpd: the advisory version AA-2000.02 CA-2000-13 20000623 CSSA-2000-020.0 RHSA-2000:039 20000723 CONECTIVA LINUX SECURITY ANNOUNCEMENT - WU-FTPD (re-release) 20000702 [Security Announce] wu-ftpd update 20000929 [slackware-security] wuftpd vulnerability - Slackware 4.0, 7.0, 7.1, -current FreeBSD-SA-00:29 NetBSD-SA2000-009 wuftp-format-string-stack-overwrite 1387 wuftp-format-string-stack-overwrite(4773) Entry SSH 1.2.27 with Kerberos authentication support stores Kerberos tickets in a file which is created in the current directory of the user who is logging in, which could allow remote attackers to sniff the ticket cache if the home directory is installed on NFS. 20000630 Kerberos security vulnerability in SSH-1.2.27 1426 ssh-kerberos-tickets-disclosure(4903) Entry Oracle Web Listener for AIX versions 4.0.7.0.0 and 4.0.8.1.0 allows remote attackers to cause a denial of service via a malformed URL. 20000704 Oracle Web Listener for AIX DoS 1427 Entry Netscape Professional Services FTP Server 1.3.6 allows remote attackers to read arbitrary files via a .. (dot dot) attack. 20000621 Netscape FTP Server - "Professional" as hell :> 20000629 (forw) Re: Netscape ftp Server (fwd) 1411 netscape-ftpserver-chroot Entry IRIX crontab creates temporary files with predictable file names and with the umask of the user, which could allow local users to modify another user's crontab file as it is being edited. 20000621 Predictability Problems in IRIX Cron and Compilers 1413 irix-cron-modify-crontab Entry Windows 2000 Telnet Server allows remote attackers to cause a denial of service by sending a continuous stream of binary zeros, which causes the server to crash. 20000630 SecureXpert Advisory [SX-20000620-1] win2k-telnetserver-dos 1414 Entry Check Point FireWall-1 4.0 and 4.1 allows remote attackers to cause a denial of service by sending a stream of invalid commands (such as binary zeros) to the SMTP Security Server proxy. 20000630 SecureXpert Advisory [SX-20000620-3] http://www.checkpoint.com/techsupport/alerts/list_vun.html#SMTP_Security fw1-resource-overload-dos 1416 1438 Entry vchkpw program in vpopmail before version 4.8 does not properly cleanse an untrusted format string used in a call to syslog, which allows remote attackers to cause a denial of service via a USER or PASS command that contains arbitrary formatting directives. 20000626 vpopmail-3.4.11 problems http://www.vpopmail.cx/vpopmail-ChangeLog 1418 vpopmail-format-string Entry Buffer overflow in Canna input system allows remote attackers to execute arbitrary commands via an SR_INIT command with a long user name or group name. http://shadowpenguin.backsection.net/advisories/advisory038.html 20000702 FreeBSD-SA-00:31 1445 canna-bin-execute-bo Entry ISC DHCP client program dhclient allows remote attackers to execute arbitrary commands via shell metacharacters. 20000624 Possible root exploit in ISC DHCP client. 20000624 A serious bug in dhclient(8) could allow strings from a malicious dhcp server to be executed in the shell as root. 20000628 dhcp client: remote root exploit in dhcp client FreeBSD-SA-00:34 20000702 [Security Announce] dhcp update 20000711 Security Hole in dhclient < 2.0 NetBSD-SA2000-008 1388 openbsd-isc-dhcp Entry Buffer overflow in Dalnet IRC server 4.6.5 allows remote attackers to cause a denial of service or execute arbitrary commands via the SUMMON command. 20000628 dalnet 4.6.5 remote vulnerability ircd-dalnet-summon-bo 1404 Entry The privpath directive in glftpd 1.18 allows remote attackers to bypass access restrictions for directories by using the file name completion capability. glftpd-privpath-directive 20000626 Glftpd privpath bugs... +fix 20000627 Re: Glftpd privpath bugs... +fix 1401 Entry SawMill 5.0.21 CGI program allows remote attackers to read the first line of arbitrary files by listing the file in the rfcf parameter, whose contents SawMill attempts to parse as configuration commands. 20000626 sawmill5.0.21 old path bug & weak hash algorithm 20000706 Patch for Flowerfire Sawmill Vulnerabilities Available 1402 sawmill-file-access Entry Poll It 2.0 CGI script allows remote attackers to read arbitrary files by specifying the file name in the data_dir parameter. 20000706 Vulnerability in Poll_It cgi v2.0 1431 http-cgi-pollit-variable-overwrite(4878) Entry Novell BorderManager 3.0 and 3.5 allows remote attackers to bypass URL filtering by encoding characters in the requested URL. 20000705 Novell BorderManager 3.0 EE - Encoded URL rule bypass 1432 bordermanager-bypass-url-restriction Entry WinProxy 2.0 and 2.0.1 allows remote attackers to cause a denial of service by sending an HTTP GET request without listing an HTTP version number. 20000627 [SPSadvisory #37]WinProxy 2.0.0/2.0.1 DoS and Exploitable Buffer Overflow winproxy-get-dos(4831) 1400 Entry BitchX IRC client does not properly cleanse an untrusted format string, which allows remote attackers to cause a denial of service via an invite to a channel whose name includes special formatting characters. 20000704 BitchX /ignore bug 20000704 BitchX exploit possibly waiting to happen, certain DoS RHSA-2000:042 FreeBSD-SA-00:32 CSSA-2000-022.0 20000707 BitchX update 20000707 CONECTIVA LINUX SECURITY ANNOUNCEMENT - BitchX 1436 irc-bitchx-invite-dos Entry libedit searches for the .editrc file in the current directory instead of the user's home directory, which may allow local users to execute arbitrary commands by installing a modified .editrc in another directory. FreeBSD-SA-00:24 1437 bsd-libedit-editrc 1446 Entry Internet Explorer 5.x does not warn a user before opening a Microsoft Access database file that is referenced within ActiveX OBJECT tags in an HTML document, which could allow remote attackers to execute arbitrary commands, aka the "IE Script" vulnerability. 20000627 IE 5 and Access 2000 vulnerability - executing programs 20000627 FW: IE 5 and Access 2000 vulnerability - executing programs MS00-049 CA-2000-16 ie-access-vba-code-execute 1398 Entry Microsoft Office 2000 (Excel and PowerPoint) and PowerPoint 97 are marked as safe for scripting, which allows remote attackers to force Internet Explorer or some email clients to save files to arbitrary locations via the Visual Basic for Applications (VBA) SaveAs function, aka the "Office HTML Script" vulnerability. 20000627 IE 5 and Excel 2000, PowerPoint 2000 vulnerability - executing programs MS00-049 1399 ie-powerpoint-activex-object-execute Entry Fortech Proxy+ allows remote attackers to bypass access restrictions for to the administration service by redirecting their connections through the telnet proxy. 20000626 Proxy+ Telnet Gateway Problems http://www.proxyplus.cz/faq/articles/EN/art01002.htm 1395 fortech-proxy-telnet-gateway Entry Buffer overflow in iMesh 1.02 allows remote attackers to execute arbitrary commands via a long string to the iMesh port. 20000629 iMesh 1.02 vulnerability http://www.imesh.com/download/download.html imesh-tcp-port-overflow 1407 Entry Netscape Enterprise Server in NetWare 5.1 allows remote attackers to cause a denial of service or execute arbitrary commands via a malformed URL. 20000626 Netscape Enterprise Server for NetWare Virtual Directory Vulnerab ility 1393 netscape-virtual-directory-bo(4780) Entry LeafChat 1.7 IRC client allows a remote IRC server to cause a denial of service by rapidly sending a large amount of error messages. 20000625 LeafChat Denial of Service http://www.leafdigital.com/Software/leafChat/history.html irc-leafchat-dos 1396 Entry Secure Locate (slocate) in Red Hat Linux allows local users to gain privileges via a malformed configuration file that is specified in the LOCATE_PATH environmental variable. 20000621 rh 6.2 - gid compromises, etc redhat-secure-locate-path 1385 Entry Microsoft SQL Server 7.0 allows a local user to bypass permissions for stored procedures by referencing them via a temporary stored procedure, aka the "Stored Procedure Permissions" vulnerability. MS00-048 1444 mssql-procedure-perms Entry gkermit in Red Hat Linux is improperly installed with setgid uucp, which allows local users to modify files owned by uucp. 20000621 rh 6.2 - gid compromises, etc 1383 redhat-gkermit Entry NetWin dMailWeb and cwMail 2.6g and earlier allows remote attackers to bypass authentication and use the server for mail relay via a username that contains a carriage return. 20000623 NetWin dMailWeb Unrestricted Mail Relay 1390 netwin-dmailweb-newline Entry The default configuration of NetWin dMailWeb and cwMail trusts all POP servers, which allows attackers to bypass normal authentication and cause a denial of service. 20000623 NetWin dMailWeb Unrestricted Mail Relay 1391 netwin-dmailweb-auth Entry Cisco Secure PIX Firewall does not properly identify forged TCP Reset (RST) packets, which allows remote attackers to force the firewall to close legitimate connections. 20000320 PIX DMZ Denial of Service - TCP Resets 20000711 Cisco Secure PIX Firewall TCP Reset Vulnerability 1454 cisco-pix-firewall-tcp 1457 Entry LPRng 3.6.x improperly installs lpd as setuid root, which can allow local users to append lpd trace and logging messages to files. 20000709 LPRng lpd should not be SETUID root 1447 lpd-suid-root(7361) Entry Vulnerability in HP TurboIMAGE DBUTIL allows local users to gain additional privileges via DBUTIL.PUB.SYS. HPSBMP0006-007 1405 hp-turboimage-dbutil Entry Top Layer AppSwitch 2500 allows remote attackers to cause a denial of service via malformed ICMP packets. 20000520 TopLayer layer 7 switch Advisory 20000614 Update on TopLayer Advisory 1258 toplayer-icmp-dos(7364) Entry libX11 X library allows remote attackers to cause a denial of service via a resource mask of 0, which causes libX11 to go into an infinite loop. 20000619 XFree86: Various nasty libX11 holes 1409 libx11-infinite-loop-dos(4996) Entry Microsoft Outlook 98 and 2000, and Outlook Express 4.0x and 5.0x, allow remote attackers to read files on the client's system via a malformed HTML message that stores files outside of the cache, aka the "Cache Bypass" vulnerability. MS00-046 CA-2000-14 1501 outlook-cache-bypass Entry Buffer overflow in Webfind CGI program in O'Reilly WebSite Professional web server 2.x allows remote attackers to execute arbitrary commands via a URL containing a long "keywords" parameter. 20000719 O'Reilly WebSite Professional Overflow http://website.oreilly.com/support/software/wspro25_releasenotes.txt website-webfind-bo(4962) 1487 Entry Buffer overflow in Winamp 2.64 and earlier allows remote attackers to execute arbitrary commands via a long #EXTINF: extension in the M3U playlist. 20000720 Winamp M3U playlist parser buffer overflow security vulnerability http://www.winamp.com/getwinamp/newfeatures.jhtml 1496 winamp-playlist-parser-bo Entry BlackBoard CourseInfo 4.0 does not properly authenticate users, which allows local users to modify CourseInfo database information and gain privileges by directly calling the supporting CGI programs such as user_update_passwd.pl and user_update_admin.pl. 20000718 Blackboard Courseinfo v4.0 User Authentication 20000719 Security Fix for Blackboard CourseInfo 4.0 1486 blackboard-courseinfo-dbase-modification Entry The source.asp example script in the Apache ASP module Apache::ASP 1.93 and earlier allows remote attackers to modify files. 20000710 ANNOUNCE Apache::ASP v1.95 - Security Hole Fixed http://www.nodeworks.com/asp/changes.html 1457 apache-source-asp-file-write Entry IIS 4.0 and 5.0 allows remote attackers to obtain fragments of source code by appending a +.htr to the URL, a variant of the "File Fragment Reading via .HTR" vulnerability. MS00-044 1488 iis-htr-obtain-code Entry An administrative script from IIS 3.0, later included in IIS 4.0 and 5.0, allows remote attackers to cause a denial of service by accessing the script without a particular argument, aka the "Absent Directory Browser Argument" vulnerability. 20000718 ISBASE Security Advisory(SA2000-02) MS00-044 1476 iis-absent-directory-dos Entry Buffer overflow in the web archive component of L-Soft Listserv 1.8d and earlier allows remote attackers to execute arbitrary commands via a long query string. 20000717 [COVERT-2000-07] LISTSERV Web Archive Remote Overflow http://www.lsoft.com/news/default.asp?item=Advisory1 1490 lsoft-listserv-querystring-bo Entry Vulnerability in Mandrake Linux usermode package allows local users to to reboot or halt the system. RHSA-2000:053 20000718 MDKSA-2000:020 usermode update 20000812 Conectiva Linux security announcement - usermode 1489 linux-usermode-dos Entry The web administration interface for CommuniGate Pro 3.2.5 and earlier allows remote attackers to read arbitrary files via a .. (dot dot) attack. 20000717 S21SEC-003: Vulnerabilities in CommuniGate Pro v3.2.4 1493 communigate-pro-file-read 5774 Entry The view_page.html sample page in the MiniVend shopping cart program allows remote attackers to execute arbitrary commands via shell metacharacters. 20000711 Akopia MiniVend Piped Command Execution Vulnerability http://www.zdnet.com/zdnn/stories/news/0,4586,2600258,00.html 1449 minivend-viewpage-sample Entry HP JetDirect printers versions G.08.20 and H.08.20 and earlier allow remote attackers to cause a denial of service via a malformed FTP quote command. 20000719 HP Jetdirect - Invalid FTP Command DoS 1491 hp-jetdirect-quote-dos Entry Microsoft Excel 97 and 2000 allows an attacker to execute arbitrary commands by specifying a malicious .dll using the Register.ID function, aka the "Excel REGISTER.ID Function" vulnerability. 20000711 Excel 2000 vulnerability - executing programs MS00-051 1451 excel-register-function Entry bb-hostsvc.sh in Big Brother 1.4h1 and earlier allows remote attackers to read arbitrary files via a .. (dot dot) attack on the HOSTSVC parameter. 20000711 BIG BROTHER EXPLOIT 20000711 REMOTE EXPLOIT IN ALL CURRENT VERSIONS OF BIG BROTHER http://bb4.com/README.CHANGES 1455 http-cgi-bigbrother-bbhostsvc Entry The default configuration of Big Brother 1.4h2 and earlier does not include proper access restrictions, which allows remote attackers to execute arbitrary commands by using bbd to upload a file whose extension will cause it to be executed as a CGI script by the web server. 20000711 Big Brother filename extension vulnerability 1494 big-brother-filename-extension 1472 Entry Guild FTPd allows remote attackers to determine the existence of files outside the FTP root via a .. (dot dot) attack, which provides different error messages depending on whether the file exists or not. 20000708 gnu-pop3d (FTGate problem), Savant Webserver, Guild FTPd 1452 guild-ftpd-disclosure 573 Entry Savant web server allows remote attackers to execute arbitrary commands via a long GET request. 20000708 gnu-pop3d (FTGate problem), Savant Webserver, Guild FTPd 1453 savant-get-bo Entry The default configuration of WebActive HTTP Server 1.00 stores the web access log active.log in the document root, which allows remote attackers to view the logs by directly requesting the page. 20000711 Lame DoS in WEBactive win65/NT server 1497 webactive-active-log Entry Buffer overflow in WebActive HTTP Server 1.00 allows remote attackers to cause a denial of service via a long URL. 20000711 Lame DoS in WEBactive win65/NT server 1470 webactive-long-get-dos Entry WFTPD and WFTPD Pro 2.41 allows remote attackers to cause a denial of service by executing a STAT command while the LIST command is still executing. 20000721 WFTPD/WFTPD Pro 2.41 RC11 vulnerabilities. 1506 wftpd-stat-dos 1477 Entry The default installation of VirusScan 4.5 and NetShield 4.5 has insecure permissions for the registry key that identifies the AutoUpgrade directory, which allows local users to execute arbitrary commands by replacing SETUP.EXE in that directory with a Trojan Horse. 20000711 Potential Vulnerability in McAfee Netshield and VirusScan 4.5 1458 nai-virusscan-netshield-autoupgrade(5177) 1458 4200 Entry The ClientTrust program in Novell BorderManager does not properly verify the origin of authentication requests, which could allow remote attackers to impersonate another user by replaying the authentication requests and responses from port 3024 of the victim's machine. 20000707 Novell Border Manger - Anyone can pose as an authenticated user 1440 novell-bordermanager-verification Entry IBM WebSphere allows remote attackers to read source code for executable web files by directly calling the default InvokerServlet using a URL which contains the "/servlet/file" string. 20000723 IBM WebSphere default servlet handler showcode vulnerability 1500 websphere-showcode Entry Microsoft Enterprise Manager allows local users to obtain database passwords via the Data Transformation Service (DTS) package Registered Servers Dialog dialog, aka a variant of the "DTS Password" vulnerability. MS00-041 1466 mssql-dts-reveal-passwords Entry Netscape Communicator 4.73 and earlier allows remote attackers to cause a denial of service or execute arbitrary commands via a JPEG image containing a comment with an illegal field length of 1. 20000724 JPEG COM Marker Processing Vulnerability in Netscape Browsers RHSA-2000:046 20000823 Security Hole in Netscape, Versions 4.x, possibly others TLSA2000017-1 NetBSD-SA2000-011 FreeBSD-SA-00:39 20000801 MDKSA-2000:027-1 netscape update 20000810 Conectiva Linux Security Announcement - netscape 1503 netscape-jpg-comment Entry The WDaemon web server for WorldClient 2.1 allows remote attackers to read arbitrary files via a .. (dot dot) attack. 20000712 Infosec.20000712.worldclient.2.1 http://www.altn.com/Downloads/WorldClient/Release/RelNotes.txt 1462 worldclient-dir-traverse 1459 Entry WircSrv IRC Server 5.07s allows remote attackers to cause a denial of service via a long string to the server port. 20000710 Remote DoS Attack in WircSrv Irc Server v5.07s Vulnerability 1448 wircsrv-character-flood-dos Entry Internet Explorer 5.x and Microsoft Outlook allows remote attackers to read arbitrary files by redirecting the contents of an IFRAME using the DHTML Edit Control (DHTMLED). 20000714 IE 5.5 and 5.01 vulnerability - reading at least local and from any host text and parsed html files 1474 ie-dhtmled-file-read(5107) Entry The registry entry for the Windows Shell executable (Explorer.exe) in Windows NT and Windows 2000 uses a relative path name, which allows local users to execute arbitrary commands by inserting a Trojan Horse named Explorer.exe into the %Systemdrive% directory, aka the "Relative Shell Path" vulnerability. MS00-052 Q269049 1507 explorer-relative-path-name Entry AnalogX SimpleServer:WWW 1.06 and earlier allows remote attackers to read arbitrary files via a modified .. (dot dot) attack that uses the %2E URL encoding for the dots. 20000726 AnalogX "SimpleServer:WWW" dot dot bug http://www.analogx.com/contents/download/network/sswww.htm 1508 analogx-simpleserver-directory-path 388 Entry GAMSoft TelSrv telnet server 1.5 and earlier allows remote attackers to cause a denial of service via a long username. 20000717 DoS in Gamsoft TelSrv telnet server for MS Windows 95/98/NT/2k. 20000729 TelSrv Reveals Usernames & Passwords After DoS Attack 1478 gamsoft-telsrv-dos 373 Entry rpc.statd in the nfs-utils package in various Linux distributions does not properly cleanse untrusted format strings, which allows remote attackers to gain root privileges. 20000716 Lots and lots of fun with rpc.statd 20000719a RHSA-2000:043 20000717 CONECTIVA LINUX SECURITY ANNOUNCEMENT - nfs-utils 20000718 Trustix Security Advisory - nfs-utils 20000718 [Security Announce] MDKSA-2000:021 nfs-utils update CSSA-2000-025.0 CA-2000-17 1480 linux-rpcstatd-format-overwrite Entry pam_console PAM module in Linux systems allows a user to access the system console and reboot the system when a display manager such as gdm or kdm has XDMCP enabled. RHSA-2000:044 20000727 CONECTIVA LINUX SECURITY ANNOUNCEMENT - PAM 20000801 MDKSA-2000:029 pam update 1513 linux-pam-console Entry Novell NetWare 5.0 allows remote attackers to cause a denial of service by flooding port 40193 with random data. 20000711 Remote Denial Of Service -- NetWare 5.0 with SP 5 1467 netware-port40193-dos Entry The cvsweb CGI script in CVSWeb 1.80 allows remote attackers with write access to a CVS repository to execute arbitrary commands via shell metacharacters. 20000712 cvsweb: remote shell for cvs committers 20000714 MDKSA-2000:019 cvsweb update 20000719b FreeBSD-SA-00:37 TLSA2000016-1 1469 cvsweb-shell-access Entry Roxen web server earlier than 2.0.69 allows allows remote attackers to bypass access restrictions, list directory contents, and read source code by inserting a null character (%00) to the URL. 20000721 Roxen security alert: Problems with URLs containing null characters. 20000721 Roxen Web Server Vulnerability 1510 roxen-null-char-url Entry The default configuration of Jakarta Tomcat does not restrict access to the /admin context, which allows remote attackers to read arbitrary files by directly calling the administrative servlets to add a context for the root directory. 20000721 Jakarta-tomcat.../admin 1548 jakarta-tomcat-admin Entry The NetBIOS Name Server (NBNS) protocol does not perform authentication, which allows remote attackers to cause a denial of service by sending a spoofed Name Conflict or Name Release datagram, aka the "NetBIOS Name Server Protocol Spoofing" vulnerability. 20000727 Windows NetBIOS Name Conflicts MS00-047 1514 1515 netbios-name-server-spoofing Entry ftp.pl CGI program for Virtual Visions FTP browser allows remote attackers to read directories outside of the document root via a .. (dot dot) attack. 20000712 ftp.pl vulnerability 1471 virtualvision-ftp-browser Entry Buffer overflow in Infopulse Gatekeeper 3.5 and earlier allows remote attackers to execute arbitrary commands via a long string. 20000713 The MDMA Crew's GateKeeper Exploit 1477 gatekeeper-long-string-bo Entry Netscape Communicator and Navigator 4.04 through 4.74 allows remote attackers to read arbitrary files by using a Java applet to open a connection to a URL using the "file", "http", "https", and "ftp" protocols, as demonstrated by Brown Orifice. 20000804 Dangerous Java/Netscape Security Hole RHSA-2000:054 CSSA-2000-027.1 FreeBSD-SA-00:39 20000823 Security Hole in Netscape, Versions 4.x, possibly others 20000810 MDKSA-2000:033 Netscape Java vulnerability 20000821 MDKSA-2000:036 - netscape update 20000818 Conectiva Linux Security Announcement - netscape CA-2000-15 1546 java-brownorifice Entry Buffer overflow in IBM Net.Data db2www CGI program allows remote attackers to execute arbitrary commands via a long PATH_INFO environmental variable. 20000907 Buffer Overflow in IBM Net.Data db2www CGI program. ibm-netdata-db2www-bo Entry PGP 5.5.x through 6.5.3 does not properly check if an Additional Decryption Key (ADK) is stored in the signed portion of a public certificate, which allows an attacker who can modify a victim's public certificate to decrypt any data that has been encrypted with the modified certificate. CA-2000-18 1606 4354 Entry The CVS 1.10.8 client trusts pathnames that are provided by the CVS server, which allows the server to force the client to create arbitrary files. 20000728 cvs security problem 1523 cvs-client-creates-file Entry Buffer overflow in BEA WebLogic server proxy plugin allows remote attackers to execute arbitrary commands via a long URL with a .JSP extension. 20000815 BEA Weblogic server proxy library vulnerabilities 1570 weblogic-plugin-bo Entry BEA WebLogic 5.1.x allows remote attackers to read source code for parsed pages by inserting /ConsoleHelp/ into the URL, which invokes the FileServlet. 20000728 BEA's WebLogic force handlers show code vulnerability http://developer.bea.com/alerts/security_000731.html 1518 weblogic-fileservlet-show-code 1481 Entry BEA WebLogic 5.1.x allows remote attackers to read source code for parsed pages by inserting /*.shtml/ into the URL, which invokes the SSIServlet. 20000728 BEA's WebLogic force handlers show code vulnerability http://developer.bea.com/alerts/security_000728.html 1517 1480 Entry BEA WebLogic 5.1.x does not properly restrict access to the JSPServlet, which could allow remote attackers to compile and execute Java JSP code by directly invoking the servlet on any source file. 20000731 BEA's WebLogic *.jsp/*.jhtml remote command execution http://developer.bea.com/alerts/security_000731.html 1525 html-malicious-tags Entry BEA WebLogic 5.1.x does not properly restrict access to the PageCompileServlet, which could allow remote attackers to compile and execute Java JHTML code by directly invoking the servlet on any source file. 20000731 BEA's WebLogic *.jsp/*.jhtml remote command execution http://developer.bea.com/alerts/security_000731.html 1525 html-malicious-tags Entry pgxconfig in the Raptor GFX configuration tool uses a relative path name for a system call to the "cp" program, which allows local users to execute arbitrary commands by modifying their path to point to an alternate "cp" program. 20000802 Local root compromise in PGX Config Sun Sparc Solaris 1563 1501 Entry pgxconfig in the Raptor GFX configuration tool allows local users to gain privileges via a symlink attack. 20000802 Local root compromise in PGX Config Sun Sparc Solaris 5740 Entry Minicom 1.82.1 and earlier on some Linux systems allows local users to create arbitrary files owned by the uucp user via a symlink attack. 20000819 RH 6.1 / 6.2 minicom vulnerability 1599 minicom-capture-groupown Entry Format string vulnerability in ftpd in HP-UX 10.20 allows remote attackers to cause a denial of service or execute arbitrary commands via format strings in the PASS command. 20000806 HPUX FTPd vulnerability 1560 Entry Cisco Gigabit Switch Routers (GSR) with Fast Ethernet / Gigabit Ethernet cards, from IOS versions 11.2(15)GS1A up to 11.2(19)GS0.2 and some versions of 12.0, do not properly handle line card failures, which allows remote attackers to bypass ACLs or force the interface to stop forwarding packets. 20000803 Possible Access Control Bypass and Denial of Service in Gigabit Switch Routers Using Gigabit Ethernet or Fast Ethernet Cards 1541 793 798 Entry The net.init rc script in HP-UX 11.00 (S008net.init) allows local users to overwrite arbitrary files via a symlink attack that points from /tmp/stcp.conf to the targeted file. 20000821 [HackersLab bugpaper] HP-UX net.init rc script 1602 hp-netinit-symlink Entry suidperl (aka sperl) does not properly cleanse the escape sequence "~!" before calling /bin/mail to send an error report, which allows local users to gain privileges by setting the "interactive" environmental variable and calling suidperl with a filename that contains the escape sequence. 20000805 sperl 5.00503 (and newer ;) exploit 20000810 Security Hole in perl, all versions CSSA-2000-026.0 20000810 RHSA-2000:048 TLSA2000018-1 20000814 Trustix Security Advisory - perl and mailx 20000808 MDKSA-2000:031 perl update 20000810 Conectiva Linux security announcemente - PERL 1547 perl-shell-escape Entry ntop running in web mode allows remote attackers to read arbitrary files via a .. (dot dot) attack. 20000802 [ Hackerslab bug_paper ] ntop web mode vulnerabliity RHSA-2000:049 1550 ntop-remote-file-access 1496 Entry Buffer overflows in ntop running in web mode allows remote attackers to execute arbitrary commands. FreeBSD-SA-00:36 20000830 ntop: Still remotely exploitable using buffer overflows 1576 ntop-bo 1513 Entry PCCS MySQLDatabase Admin Tool Manager 1.2.4 and earlier installs the file dbconnect.inc within the web root, which allows remote attackers to obtain sensitive information such as the administrative password. 20000804 PCCS MySQL DB Admin Tool v1.2.3- Advisory http://pccs-linux.com/public/view.php3?bn=agora_pccslinux&key=965951324 1557 pccs-mysql-admin-tool Entry Buffer overflow in Pragma Systems TelnetServer 2000 version 4.0 allows remote attackers to cause a denial of service via a long series of null characters to the rexec port. 20000824 Remote DoS Attack in Pragma TelnetServer 2000 (Remote Execute Daemon) Vulnerability http://www.pragmasys.com/TelnetServer/ 1605 telnetserver-rpc-bo Entry Netscape Communicator does not properly prevent a ServerSocket object from being created by untrusted entities, which allows remote attackers to create a server on the victim's system via a malicious applet, as demonstrated by Brown Orifice. 20000816 JDK 1.1.x Listening Socket Vulnerability (was Re: BrownOrifice can break firewalls!) 20000805 Dangerous Java/Netscape Security Hole CA-2000-15 1545 Entry Linux Intrusion Detection System (LIDS) 0.9.7 allows local users to gain root privileges when LIDS is disabled via the security=0 boot option. http://www.egroups.com/message/lids/1038 2000803 LIDS severe bug http://www.lids.org/changelog.html 1549 1495 Entry WorldClient email client in MDaemon 2.8 includes the session ID in the referer field of an HTTP request when the user clicks on a URL, which allows the visited web site to hijcak the session ID and read the user's email. 20000809 Session hijacking in Alt-N's MDaemon 2.8 1553 mdaemon-session-id-hijack Entry GoodTech FTP server allows remote attackers to cause a denial of service via a large number of RNTO commands. 20000830 [EXPL] GoodTech's FTP Server vulnerable to a DoS (RNTO) 1619 ftp-goodtech-rnto-dos(5166) Entry A race condition in MandrakeUpdate allows local users to modify RPM files while they are in the /tmp directory before they are installed. 20000812 MDKSA-2000:034 MandrakeUpdate update 1567 Entry news.cgi in GWScripts News Publisher does not properly authenticate requests to add an author to the author index, which allows remote attackers to add new authors by directly posting an HTTP request to the new.cgi program with an addAuthor parameter, and setting the Referer to the news.cgi program. 20000829 News Publisher CGI Vulnerability 1621 news-publisher-add-author(5169) Entry Zope before 2.2.1 does not properly restrict access to the getRoles method, which allows users who can edit DTML to add or modify roles by modifying the roles list that is included in a request. http://www.zope.org/Products/Zope/Hotfix_08_09_2000/security_alert RHSA-2000:052 20000821 zope: unauthorized escalation of privilege (update) 20000821 Conectiva Linux Security Announcement - Zope 20000816 MDKSA-2000:035 Zope update 1577 Entry CGIMail.exe CGI program in Stalkerlab Mailers 1.1.2 allows remote attackers to read arbitrary files by specifying the file in the $Attach$ hidden form variable. 20000829 Stalker's CGImail Gives Read Access to All Server Files 1623 mailers-cgimail-spoof(5165) Entry xpdf PDF viewer client earlier than 0.91 does not properly launch a web browser for embedded URL's, which allows an attacker to execute arbitrary commands via a URL that contains shell metacharacters. 20000829 MDKSA-2000:041 - xpdf update 20000913 Conectiva Linux Security Announcement - xpdf 20000910 xpdf: local exploit RHSA-2000:060 CSSA-2000-031.0 1624 Entry xpdf PDF viewer client earlier than 0.91 allows local users to overwrite arbitrary files via a symlink attack. 20000829 MDKSA-2000:041 - xpdf update 20000913 Conectiva Linux Security Announcement - xpdf 20000910a RHSA-2000:060 CSSA-2000-031.0 1624 Entry FreeBSD 5.x, 4.x, and 3.x allows local users to cause a denial of service by executing a program with a malformed ELF image header. FreeBSD-SA-00:41 1625 freebsd-elf-dos(5967) 1534 Entry Vulnerability in newgrp command in HP-UX 11.0 allows local users to gain privileges. HPSBUX0008-118 1580 Entry Directory traversal vulnerability in Worm HTTP server allows remote attackers to read arbitrary files via a .. (dot dot) attack. 20000825 DST2K0023: Directory Traversal Possible & Denial of Service in Wo rm HTTP Server 1626 wormhttp-dir-traverse(5148) 1535 Entry Worm HTTP server allows remote attackers to cause a denial of service via a long URL. 20000825 DST2K0023: Directory Traversal Possible & Denial of Service in Wo rm HTTP Server 1626 wormhttp-filename-dos Entry Telnetd telnet server in IRIX 5.2 through 6.1 does not properly cleans user-injected format strings, which allows remote attackers to execute arbitrary commands via a long RLD variable in the IAC-SB-TELOPT_ENVIRON request. 20000814 [LSD] IRIX telnetd remote vulnerability 20000801-02-P 1572 Entry The Service Control Manager (SCM) in Windows 2000 creates predictable named pipes, which allows a local user with console access to gain administrator privileges, aka the "Service Control Manager Named Pipe Impersonation" vulnerability. MS00-053 1535 Entry WebShield SMTP 4.5 allows remote attackers to cause a denial of service by sending e-mail with a From: address that has a . (period) at the end, which causes WebShield to continuously send itself copies of the e-mail. 20000818 WebShield SMTP infinite loop DoS Attack 1589 webshield-smtp-dos Entry Directory traversal vulnerability in strong.exe program in NAI Net Tools PKI server 1.0 before HotFix 3 allows remote attackers to read arbitrary files via a .. (dot dot) attack in an HTTPS request to the enrollment server. 20000802 NAI Net Tools PKI Server vulnerabilities http://download.nai.com/products/licensed/pgp/hf3pki10.txt 1537 nettools-pki-dir-traverse(5066) 1489 Entry Buffer overflow in strong.exe program in NAI Net Tools PKI server 1.0 before HotFix 3 allows remote attackers to execute arbitrary commands via a long URL in the HTTPS port. 20000802 NAI Net Tools PKI Server vulnerabilities http://download.nai.com/products/licensed/pgp/hf3pki10.txt 1536 nai-nettools-strong-bo(5026) 1488 Entry Format string vulnerability in strong.exe program in NAI Net Tools PKI server 1.0 before HotFix 3 allows remote attackers to execute arbitrary code via format strings in a URL with a .XUDA extension. 20000802 NAI Net Tools PKI Server vulnerabilities http://download.nai.com/products/licensed/pgp/hf3pki10.txt 1538 1490 Entry The IPX protocol implementation in Microsoft Windows 95 and 98 allows remote attackers to cause a denial of service by sending a ping packet with a source IP address that is a broadcast address, aka the "Malformed IPX Ping Packet" vulnerability. 20000602 ipx storm MS00-054 1544 win-ipx-ping-packet(5079) Entry Buffer overflow in University of Minnesota (UMN) gopherd 2.x allows remote attackers to execute arbitrary commands via a DES key generation request (GDESkey) that contains a long ticket value. 20000810 Remote vulnerability in Gopherd 2.x 1569 Entry DEPRECATED. This entry has been deprecated. It is a duplicate of CVE-2000-0743. Entry admin.php3 in PHP-Nuke does not properly verify the PHP-Nuke administrator password, which allows remote attackers to gain privileges by requesting a URL that does not specify the aid or pwd parameter. 20000821 Vuln. in all sites using PHP-Nuke, versions less than 3 1592 1521 Entry The logrotate script for OpenLDAP before 1.2.11 in Conectiva Linux sends an improper signal to the kernel log daemon (klogd) and kills it. 20000726 CONECTIVA LINUX SECURITY ANNOUNCEMENT - OPENLDAP openldap-logrotate-script-dos(5036) Entry Buffer overflow in the Linux binary compatibility module in FreeBSD 3.x through 5.x allows local users to gain root privileges via long filenames in the linux shadow file system. FreeBSD-SA-00:42 1628 freebsd-linux-module-bo(5968) 1536 Entry Buffer overflow in mopd (Maintenance Operations Protocol loader daemon) allows remote attackers to execute arbitrary commands via a long file name. 20000808 OpenBSD 2.7 / NetBSD 1.4.2 mopd buffer overflow FreeBSD-SA-00:40 20000705 Mopd contained a buffer overflow. RHSA-2000:050 http://cvsweb.netbsd.org/bsdweb.cgi/basesrc/usr.sbin/mopd/mopd/process.c.diff?r1=1.7&r2=1.8&f=h 1558 Entry mopd (Maintenance Operations Protocol loader daemon) does not properly cleanse user-injected format strings, which allows remote attackers to execute arbitrary commands. 20000808 OpenBSD 2.7 / NetBSD 1.4.2 mopd buffer overflow FreeBSD-SA-00:40 20000705 Mopd contained a buffer overflow. RHSA-2000:050 http://cvsweb.netbsd.org/bsdweb.cgi/basesrc/usr.sbin/mopd/mopd/process.c.diff?r1=1.7&r2=1.8&f=h 1559 Entry The Microsoft Outlook mail client identifies the physical path of the sender's machine within a winmail.dat attachment to Rich Text Format (RTF) files. 20000824 Outlook winmail.dat 20010802 Outlook 2000 Rich Text information disclosure 1631 outlook-reveal-path(5508) Entry Vulnerability in HP OpenView Network Node Manager (NMM) version 6.1 related to passwords. HPSBUX0008-119 1581 Entry The web interface for Lyris List Manager 3 and 4 allows list subscribers to obtain administrative access by modifying the value of the list_admin hidden form field. 20000811 Lyris List Manager Administration Hole http://www.lyris.com/lm/lm_updates.html 1584 Entry OS2/Warp 4.5 FTP server allows remote attackers to cause a denial of service via a long username. 20000815 OS/2 Warp 4.5 FTP Server DoS ftp://ftp.software.ibm.com/ps/products/tcpip/fixes/v4.3os2/ic27721/README 1582 Entry The default installation of eTrust Access Control (formerly SeOS) uses a default encryption key, which allows remote attackers to spoof the eTrust administrator and gain privileges. 20000811 eTrust Access Control - Root compromise for default install http://support.ca.com/techbases/eTrust/etrust_access_control-response.html 1583 etrust-access-control-default 1517 Entry xlockmore and xlockf do not properly cleanse user-injected format strings, which allows local users to gain root privileges via the -d option. 20000816 xlock vulnerability 20000816 xlockmore: possible shadow file compromise FreeBSD-SA-00:44.xlockmore 20000817 Conectiva Linux Security Announcement - xlockmore 20000823 MDKSA-2000:038 - xlockmore update 1585 Entry Intel Express 500 series switches allow a remote attacker to cause a denial of service via a malformed IP packet. 20000828 Intel Express Switch 500 series DoS 1609 intel-express-switch-dos Entry Buffer overflow in the HTML interpreter in Microsoft Office 2000 allows an attacker to execute arbitrary commands via a long embedded object tag, aka the "Microsoft Office HTML Object Tag" vulnerability. MS00-056 1561 Entry Buffer overflow in vqSoft vqServer 1.4.49 allows remote attackers to cause a denial of service or possibly gain privileges via a long HTTP GET request. 20000819 D.o.S Vulnerability in vqServer 1610 vqserver-get-dos Entry The ActiveX control for invoking a scriptlet in Internet Explorer 4.x and 5.x renders arbitrary file types instead of HTML, which allows an attacker to read arbitrary files, aka the "Scriptlet Rendering" vulnerability. MS00-055 1564 Entry A function in Internet Explorer 4.x and 5.x does not properly verify the domain of a frame within a browser window, which allows a remote attacker to read client files, aka a variant of the "Frame Domain Verification" vulnerability. MS00-055 1564 Entry IIS 4.0 and 5.0 does not properly restrict access to certain types of files when their parent folders have less restrictive permissions, which could allow remote attackers to bypass access restrictions to some files, aka the "File Permission Canonicalization" vulnerability. MS00-057 1565 Entry Microsoft Windows 2000 allows local users to cause a denial of service by corrupting the local security policy via malformed RPC traffic, aka the "Local Security Policy Corruption" vulnerability. MS00-062 1613 Entry Bajie HTTP web server 0.30a allows remote attackers to read arbitrary files via a URL that contains a "....", a variant of the dot dot directory traversal attack. 20000731 Two security flaws in Bajie Webserver 1522 bajie-view-arbitrary-files(5021) Entry Mediahouse Statistics Server 5.02x allows remote attackers to execute arbitrary commands via a long HTTP GET request. 20000810 [DeepZone Advisory] Statistics Server 5.02x stack overflow (Win2k remote exploit) 1568 mediahouse-stats-livestats-bo(5113) Entry The password protection feature of Microsoft Money can store the password in plaintext, which allows attackers with physical access to the system to obtain the password, aka the "Money Password" vulnerability. MS00-061 1615 Entry IIS 5.0 allows remote attackers to obtain source code for .ASP files and other scripts via an HTTP GET request with a "Translate: f" header, aka the "Specialized Header" vulnerability. MS00-058 20000815 Translate:f summary, history and thoughts 20000816 Translate: f 1578 oval:org.mitre.oval:def:927 Entry Checkpoint Firewall-1 with the RSH/REXEC setting enabled allows remote attackers to bypass access restrictions and connect to a RSH/REXEC client via malformed connection requests. http://www.checkpoint.com/techsupport/alerts/list_vun.html#Improper_stderr 1534 1487 Entry The web server in IPSWITCH IMail 6.04 and earlier allows remote attackers to read and delete arbitrary files via a .. (dot dot) attack. 20000830 Vulnerability Report On IPSWITCH's IMail http://www.ipswitch.com/Support/IMail/news.html 1617 Entry uagentsetup in ARCServeIT Client Agent 6.62 does not properly check for the existence or ownership of a temporary file which is moved to the agent.cfg configuration file, which allows local users to execute arbitrary commands by modifying the temporary file before it is moved. 20000728 Client Agent 6.62 for Unix Vulnerability 1519 arcserveit-clientagent-temp-file(5023) Entry netauth.cgi program in Netwin Netauth 4.2e and earlier allows remote attackers to read arbitrary files via a .. (dot dot) attack. 20000817 Netauth: Web Based Email Management System http://netwinsite.com/netauth/updates.htm 1587 netwin-netauth-dir-traverse(5090) Entry Watchguard Firebox II allows remote attackers to cause a denial of service by sending a malformed URL to the authentication service on port 4100. 20000815 Watchguard Firebox Authentication DoS 1573 firebox-url-dos Entry GNU userv 1.0.0 and earlier does not properly perform file descriptor swapping, which can corrupt the USERV_GROUPS and USERV_GIDS environmental variables and allow local users to bypass some access restrictions. 20000726 userv security boundary tool 1.0.1 (SECURITY FIX) 20000727 userv: local exploit http://marc.theaimsgroup.com/?l=bugtraq&m=96473640717095&w=2 1516 Entry IRC Xchat client versions 1.4.2 and earlier allows remote attackers to execute arbitrary commands by encoding shell metacharacters into a URL which XChat uses to launch a web browser. 20000817 XChat URL handler vulnerabilty 1601 RHSA-2000:055 20000824 MDKSA-2000:039 - xchat update 20000825 Conectiva Linux Security Announcement - xchat Entry The Mail Merge tool in Microsoft Word does not prompt the user before executing Visual Basic (VBA) scripts in an Access database, which could allow an attacker to execute arbitrary commands. 20000807 MS Word and MS Access vulnerability - executing arbitrary programs, may be exploited by IE/Outlook MS00-071 1566 word-mail-merge(5322) Entry The web-based folder display capability in Microsoft Internet Explorer 5.5 on Windows 98 allows local users to insert Trojan horse programs by modifying the Folder.htt file and using the InvokeVerb method in the ShellDefView ActiveX control to specify a default execute option for the first file that is listed in the folder. 20000828 IE 5.5/5.x for Win98 may execute arbitrary files that can be accessed thru Microsoft Networking. Also local Administrator compromise at least on default Windows 2000. 1571 ie-folder-remote-exe(5097) Entry Gnome Lokkit firewall package before 0.41 does not properly restrict access to some ports, even if a user does not make any services available. 20000819 Security update for Gnome-Lokkit 1590 1520 Entry Buffer overflow in lpstat in IRIX 6.2 and 6.3 allows local users to gain root privileges via a long -n option. 20000802 [LSD] some unpublished LSD exploit codes 1529 1485 Entry Buffer overflow in dmplay in IRIX 6.2 and 6.3 allows local users to gain root privileges via a long command line option. 20000802 [LSD] some unpublished LSD exploit codes 1528 1484 irix-dmplay-bo(5064) Entry Buffer overflow in gr_osview in IRIX 6.2 and 6.3 allows local users to gain privileges via a long -D option. 20000802 [LSD] some unpublished LSD exploit codes 20040104-01-P 1526 irix-grosview-bo(5062) 3815 Entry inpview in InPerson in SGI IRIX 5.3 through IRIX 6.5.10 allows local users to gain privileges via a symlink attack on the .ilmpAAA temporary file. 20000802 [LSD] some unpublished LSD exploit codes 20001101-01-I 1530 irix-inpview-symlink(5065) Entry GNU Groff uses the current working directory to find a device description file, which allows a local user to gain additional privileges by including a malicious postpro directive in the description file, which is executed when another user runs groff. 20001004 GNU Groff utilities read untrusted commands from current working directory gnu-groff-utilities(5280) Entry Check Point VPN-1/FireWall-1 4.1 and earlier allows remote attackers to bypass the directionality check via fragmented TCP connection requests or reopening closed TCP connection requests, aka "One-way Connection Enforcement Bypass." http://www.checkpoint.com/techsupport/alerts/list_vun.html#One-way_Connection fw1-remote-bypass 4419 Entry Check Point VPN-1/FireWall-1 4.1 and earlier improperly retransmits encapsulated FWS packets, even if they do not come from a valid FWZ client, aka "Retransmission of Encapsulated Packets." http://www.checkpoint.com/techsupport/alerts/list_vun.html#Retransmission_of fw1-client-spoof 4415 Entry The inter-module authentication mechanism (fwa1) in Check Point VPN-1/FireWall-1 4.1 and earlier may allow remote attackers to conduct a denial of service, aka "Inter-module Communications Bypass." http://www.checkpoint.com/techsupport/alerts/list_vun.html#Inter-module_Communications fw1-fwa1-auth-replay 4413 Entry The OPSEC communications authentication mechanism (fwn1) in Check Point VPN-1/FireWall-1 4.1 and earlier allows remote attackers to spoof connections, aka the "OPSEC Authentication Vulnerability." http://www.checkpoint.com/techsupport/alerts/list_vun.html#OPSEC_Authentication fw1-opsec-auth-spoof 4420 Entry The seed generation mechanism in the inter-module S/Key authentication mechanism in Check Point VPN-1/FireWall-1 4.1 and earlier allows remote attackers to bypass authentication via a brute force attack, aka "One-time (s/key) Password Authentication." http://www.checkpoint.com/techsupport/alerts/list_vun.html#One-time_Password fw1-localhost-auth 4421 Entry Buffer overflow in Getkey in the protocol checker in the inter-module communication mechanism in Check Point VPN-1/FireWall-1 4.1 and earlier allows remote attackers to cause a denial of service. http://www.checkpoint.com/techsupport/alerts/list_vun.html#Getkey_Buffer fw1-getkey-bo 4422 Entry Auction Weaver 1.0 through 1.04 does not properly validate the names of form fields, which allows remote attackers to delete arbitrary files and directories via a .. (dot dot) attack. 20001016 File deletion and other bugs in Auction Weaver LITE 1.0 - 1.04 1782 auction-weaver-delete-files 1600 Entry Auction Weaver 1.0 through 1.04 allows remote attackers to read arbitrary files via a .. (dot dot) attack on the username or bidfile form fields. 20001016 File deletion and other bugs in Auction Weaver LITE 1.0 - 1.04 1783 auction-weaver-username-bidfile 4053 Entry Check Point VPN-1/FireWall-1 4.1 and earlier allows remote attackers to redirect FTP connections to other servers ("FTP Bounce") via invalid FTP commands that are processed improperly by FireWall-1, aka "FTP Connection Enforcement Bypass." http://www.checkpoint.com/techsupport/alerts/list_vun.html#FTP_Connection fw1-ftp-redirect 4434 Entry Linux tmpwatch --fuser option allows local users to execute arbitrary commands by creating files whose names contain shell metacharacters. 20001006 Insecure call of external programs in Red Hat Linux tmpwatch RHSA-2000:080 MDKSA-2000:056 1785 linux-tmpwatch-fuser(5320) Entry The default installation for the Oracle listener program 7.3.4, 8.0.6, and 8.1.6 allows an attacker to cause logging information to be appended to arbitrary files and execute commands via the SET TRC_FILE or SET LOG_FILE commands. 20001025 Vulnerability in the Oracle Listener Program http://otn.oracle.com/deploy/security/pdf/listener_alert.pdf oracle-listener-connect-statements(5380) Entry The unsetenv function in glibc 2.1.1 does not properly unset an environmental variable if the variable is provided twice to a program, which could allow local users to execute arbitrary commands in setuid programs by specifying their own duplicate environmental variables such as LD_PRELOAD or LD_LIBRARY_PATH. 19990917 A few bugs... 20000831 glibc unsetenv bug CSSA-2000-028.0 20000902 glibc: local root exploit MDKSA-2000:040 MDKSA-2000:045 RHSA-2000:057 TLSA2000020-1 20000924 glibc locale security problem 20000902 Conectiva Linux Security Announcement - glibc 20000905 Conectiva Linux Security Announcement - glibc 20000906 [slackware-security]: glibc 2.1.3 vulnerabilities patched 648 1639 glibc-ld-unsetenv Entry Ipswitch Imail 6.0 allows remote attackers to cause a denial of service via a large number of connections in which a long Host: header is sent, which causes a thread to crash. 20000817 Imail Web Service Remote DoS Attack v.2 20000817 Imail Web Service Remote DoS Attack v.2 20000817 Imail Web Service Remote DoS Attack v.2 ipswitch-imail-remote-dos(5475) 2011 Entry The tmpwatch utility in Red Hat Linux forks a new process for each directory level, which allows local users to cause a denial of service by creating deeply nested directories in /tmp or /var/tmp/. 20000909 tmpwatch: local DoS : fork()bomb as root RHSA-2000:080 1664 linux-tmpwatch-fork-dos Entry annclist.exe in webTV for Windows allows remote attackers to cause a denial of service by via a large, malformed UDP packet to ports 22701 through 22705. 20000913 trivial DoS in webTV MS00-074 1671 webtv-udp-dos Entry The Windows 2000 telnet client attempts to perform NTLM authentication by default, which allows remote attackers to capture and replay the NTLM challenge/response via a telnet:// URL that points to the malicious server, aka the "Windows 2000 Telnet Client NTLM Authentication" vulnerability. A091400-1 MS00-067 1683 win2k-telnet-ntlm-authentication Entry FTP Serv-U 2.5e allows remote attackers to cause a denial of service by sending a large number of null bytes. 20000804 FTP Serv-U 2.5e vulnerability. 1543 servu-null-character-dos Entry Fastream FUR HTTP server 1.0b allows remote attackers to cause a denial of service via a long GET request. 20000914 DST2K0028: DoS in FUR HTTP Server v1.0b fur-get-dos(5237) Entry WinCOM LPD 1.00.90 allows remote attackers to cause a denial of service via a large number of LPD options to the LPD port (515). 20000919 VIGILANTE-2000013: WinCOM LPD DoS 1701 wincom-lpd-dos(5258) Entry Some functions that implement the locale subsystem on Unix do not properly cleanse user-injected format strings, which allows local attackers to execute arbitrary commands via functions such as gettext and catopen. 20000904 UNIX locale format string vulnerability 20000902 glibc: local root exploit CSSA-2000-030.0 RHSA-2000:057 20000906 glibc locale security problem TLSA2000020-1 IY13753 SSRT0689U 20000901-01-P 20000902 Conectiva Linux Security Announcement - glibc 1634 unix-locale-format-string(5176) Entry Buffer overflow in Darxite 0.4 and earlier allows a remote attacker to execute arbitrary commands via a long username or password. 20000821 Darxite daemon remote exploit/DoS problem 1598 darxite-login-bo Entry Buffer overflow in University of Washington c-client library (used by pine and other programs) allows remote attackers to execute arbitrary commands via a long X-Keywords header. 20000901 UW c-client library vulnerability 20000901 More about UW c-client library FreeBSD-SA-00:47.pine 1646 1687 c-client-dos(5223) Entry Buffer overflow in IBM WebSphere web application server (WAS) allows remote attackers to execute arbitrary commands via a long Host: request header. 20000915 WebSphere application server plugin issue & vendor fix http://www-4.ibm.com/software/webservers/appserv/doc/v3022/fxpklst.htm#Security 1691 websphere-header-dos Entry Race condition in Microsoft Windows Media server allows remote attackers to cause a denial of service in the Windows Media Unicast Service via a malformed request, aka the "Unicast Service Race Condition" vulnerability. MS00-064 1655 unicast-service-dos(5193) Entry Netegrity SiteMinder before 4.11 allows remote attackers to bypass its authentication mechanism by appending "$/FILENAME.ext" (where ext is .ccc, .class, or .jpg) to the requested URL. A091100-1 1681 siteminder-bypass-authentication Entry Buffer overflow in the Still Image Service in Windows 2000 allows local users to gain additional privileges via a long WM_USER message, aka the "Still Image Service Privilege Escalation" vulnerability. A090700-1 MS00-065 1651 w2k-still-image-service Entry Multiple buffer overflows in eject on FreeBSD and possibly other OSes allows local users to gain root privileges. FreeBSD-SA-00:49 1686 freebsd-eject-port 1559 Entry YaBB Bulletin Board 9.1.2000 allows remote attackers to read arbitrary files via a .. (dot dot) attack. 20000909 YaBB 1.9.2000 Vulnerabilitie 1668 yabb-file-access Entry When a Microsoft Office 2000 document is launched, the directory of that document is first used to locate DLL's such as riched20.dll and msi.dll, which could allow an attacker to execute arbitrary commands by inserting a Trojan Horse DLL into the same directory as the document. 20000918 Double clicking on MS Office documents from Windows Explorer may execute arbitrary programs in some cases 20000922 Eudora + riched20.dll affects WinZip v8.0 as well 1699 20000921 Mitigators for possible exploit of Eudora via Guninski #21,2000 office-dll-execution(5263) Entry Buffer overflow in SunFTP build 9(1) allows remote attackers to cause a denial of service or possibly execute arbitrary commands via a long GET request. 20000901 [EXPL] SunFTP vulnerable to two Denial-of-Service attacks (long buffer, half-open) 1638 Entry Vulnerability in Microsoft Windows NT 4.0 allows remote attackers to cause a denial of service in IIS by sending it a series of malformed requests which cause INETINFO.EXE to fail, aka the "Invalid URL" vulnerability. 20000906 VIGILANTE-2000009: "Invalid URL" DoS MS00-063 1642 iis-invald-url-dos Entry The web configuration server for NTMail V5 and V6 allows remote attackers to cause a denial of service via a series of partial HTTP requests. 20000904 VIGILANTE-2000008: NTMail Configuration Service DoS 1640 ntmail-incomplete-http-requests Entry The file upload capability in PHP versions 3 and 4 allows remote attackers to read arbitrary files by setting hidden form fields whose names match the names of internal PHP script variables. 20000903 (SRADV00001) Arbitrary file disclosure through PHP file upload 20000904 Re: [PHP-DEV] RE: (SRADV00001) Arbitrary file disclosure through PHP file upload http://cvsweb.php.net/viewcvs.cgi/php4/main/rfc1867.c.diff?r1=1.38%3Aphp_4_0_2&tr1=1.1&r2=text&tr2=1.45&diff_format=u MDKSA-2000:048 1649 php-file-upload Entry Mailman 1.1 allows list administrators to execute arbitrary commands via shell metacharacters in the %(listname) macro expansion. 20000907 Mailman 1.1 + external archiver vulnerability FreeBSD-SA-00:51 1667 mailman-execute-external-commands(5493) Entry Vulnerability in an administrative interface utility for Allaire Spectra 1.0.1 allows remote attackers to read and modify sensitive configuration information. ASB00-23 allaire-spectra-admin-access Entry Buffer overflow in listmanager earlier than 2.105.1 allows local users to gain additional privileges. FreeBSD-SA-00:50 listmanager-port-bo Entry Race condition in the creation of a Unix domain socket in GNOME esound 0.2.19 and earlier allows a local user to change the permissions of arbitrary files and directories, and gain additional privileges, via a symlink attack. FreeBSD-SA-00:45 20000911 Patch for esound-0.2.19 MDKSA-2000:051 RHSA-2000:077 20001008 esound: race condition 20001006 Immunix OS Security Update for esound 20001012 esound daemon race condition 1659 gnome-esound-symlink Entry Buffer overflow in dvtermtype in Tridia Double Vision 3.07.00 allows local users to gain root privileges via a long terminal type argument. 20000916 Advisory: Tridia DoubleVision / SCO UnixWare 1697 doublevision-dvtermtype-bo Entry Kernel logging daemon (klogd) in Linux does not properly cleanse user-injected format strings, which allows local users to gain root privileges by triggering malformed kernel messages. 20000917 klogd format bug RHSA-2000:061 20000919 MDKSA-2000:050 CSSA-2000-032.0 TLSA2000022-2 20000920 syslogd + klogd format string parsing error 20000918 Conectiva Linux Security Announcement - sysklogd klogd-format-string 5824 Entry The default configuration of Apache 1.3.12 in SuSE Linux 6.4 allows remote attackers to read source code for CGI scripts by replacing the /cgi-bin/ in the requested URL with /cgi-bin-sdb/. A090700-2 20000907 1658 suse-apache-cgi-source-code Entry The default configuration of Apache 1.3.12 in SuSE Linux 6.4 enables WebDAV, which allows remote attackers to list arbitrary diretories via the PROPFIND HTTP request method. A090700-3 20000907 1656 apache-webdav-directory-listings Entry Buffer overflow in EFTP allows remote attackers to cause a denial of service via a long string. 20000911[EXPL] EFTP vulnerable to two DoS attacks 1675 eftp-bo 1555 Entry Buffer overflow in EFTP allows remote attackers to cause a denial of service by sending a string that does not contain a newline, then disconnecting from the server. 20000911[EXPL] EFTP vulnerable to two DoS attacks 1677 eftp-newline-dos 409 Entry netstat in AIX 4.x.x does not properly restrict access to the -Zi option, which allows local users to clear network interface statistics and possibly hide evidence of unusual network activities. 20000903 aix allows clearing the interface stats 1660 aix-clear-netstat Entry Eudora mail client includes the absolute path of the sender's host within a virtual card (VCF). 20000907 Eudora disclosure 1653 eudora-path-disclosure 1545 Entry WFTPD and WFTPD Pro 2.41 RC12 allows remote attackers to cause a denial of service by sending a long string of unprintable characters. 20000905 WFTPD/WFTPD Pro 2.41 RC12 vulnerabilities http://www.wftpd.com/bug_gpf.htm wftpd-long-string-dos Entry WFTPD and WFTPD Pro 2.41 RC12 allows remote attackers to obtain the full pathname of the server via a "%C" command, which generates an error message that includes the pathname. 20000905 WFTPD/WFTPD Pro 2.41 RC12 vulnerabilities wftpd-path-disclosure 5829 Entry mailform.pl CGI script in MailForm 2.0 allows remote attackers to read arbitrary files by specifying the file name in the XX-attach_file parameter, which MailForm then sends to the attacker. 20000911 Unsafe passing of variables to mailform.pl in MailForm V2.0 1670 mailform-attach-file Entry The mailto CGI script allows remote attacker to execute arbitrary commands via shell metacharacters in the emailadd form field. 20000911 Fwd: Poor variable checking in mailto.cgi 1669 mailto-piped-address Entry The default configuration of mod_perl for Apache as installed on Mandrake Linux 6.1 through 7.1 sets the /perl/ directory to be browseable, which allows remote attackers to list the contents of that directory. MDKSA-2000:046 1678 linux-mod-perl Entry IIS 4.0 and 5.0 allows remote attackers to read documents outside of the web root, and possibly execute arbitrary commands, via malformed URLs that contain UNICODE encoded characters, aka the "Web Server Folder Traversal" vulnerability. 20001017 IIS %c1%1c remote command execution MS00-078 1806 iis-unicode-translation 436 oval:org.mitre.oval:def:44 Entry IIS 5.0 allows remote attackers to execute arbitrary commands via a malformed request for an executable file whose name is appended with operating system commands, aka the "Web Server File Request Parsing" vulnerability. 20001107 NSFOCUS SA2000-07 : Microsoft IIS 4.0/5.0 CGI File Name Inspection Vulnerability MS00-086 1912 iis-invalid-filename-passing(5470) oval:org.mitre.oval:def:191 Entry named in BIND 8.2 through 8.2.2-P6 allows remote attackers to cause a denial of service by making a compressed zone transfer (ZXFR) request and performing a name service query on an authoritative record that is not cached, aka the "zxfr bug." 20001107 BIND 8.2.2-P5 Possible DOS 20001107 Possible DOS in Bind 8.2.2-P5 20001109 Re: Possible DOS in Bind 8.2.2-P5 CA-2000-20 RHSA-2000:107 20001112 bind: remote Denial of Service 20001115 Trustix Security Advisory - bind and openssh (and modutils) SuSE-SA:2000:45 ERS-SVA-E01-2000:005.1 MDKSA-2000:067 CLSA-2000:338 CLSA-2000:339 1923 bind-zxfr-dos(5540) Entry named in BIND 8.2 through 8.2.2-P6 allows remote attackers to cause a denial of service by sending an SRV record to the server, aka the "srv bug." CA-2000-20 RHSA-2000:107 MDKSA-2000:067 CLSA-2000:338 CLSA-2000:339 20001112 bind: remote Denial of Service ERS-SVA-E01-2000:005.1 SuSE-SA:2000:45 bind-srv-dos(5814) Entry periodic in FreeBSD 4.1.1 and earlier, and possibly other operating systems, allows local users to overwrite arbitrary files via a symlink attack. VU#626919 FreeBSD-SA-01:12 periodic-temp-file-symlink(6047) 2325 1754 Entry A default ECL in Lotus Notes before 5.02 allows remote attackers to execute arbitrary commands by attaching a malicious program in an email message that is automatically executed when the user opens the email. VU#5962 http://www.notes.net/R5FixList.nsf/Search!SearchView&Query=CBAT45TU9S lotus-notes-bypass-ecl(5045) Entry Some telnet clients allow remote telnet servers to request environment variables from the client that may contain sensitive information, or remote web servers to obtain the information via a telnet: URL. VU#22404 telnet-obtain-env-variable(6644) Entry HTTP server on the WatchGuard SOHO firewall does not properly restrict access to administrative functions such as password resets or rebooting, which allows attackers to cause a denial of service or conduct unauthorized activities. 20001214 Multiple vulnerabilities in the WatchGuard SOHO Firewall watchguard-soho-web-auth(5554) 2119 4404 Entry Buffer overflow in HTTP server on the WatchGuard SOHO firewall allows remote attackers to cause a denial of service and possibly execute arbitrary code via a long GET request. 20001214 Multiple vulnerabilities in the WatchGuard SOHO Firewall 2114 watchguard-soho-web-dos(5218) 4403 Entry WatchGuard SOHO firewall allows remote attackers to cause a denial of service via a flood of fragmented IP packets, which causes the firewall to drop connections and stop forwarding packets. 20001214 Multiple vulnerabilities in the WatchGuard SOHO Firewall watchguard-soho-fragmented-packets 2113 1690 Entry Small HTTP Server 2.03 and earlier allows remote attackers to cause a denial of service by repeatedly requesting a URL that references a directory that does not contain an index.html file, which consumes memory that is not released after the request is completed. 20001114 Vulnerabilites in SmallHTTP Server http://home.lanck.net/mf/srv/index.htm 1941 small-http-nofile-dos(5524) Entry Directory traversal vulnerability in ssi CGI program in thttpd 2.19 and earlier allows remote attackers to read arbitrary files via a "%2e%2e" string, a variation of the .. (dot dot) attack. 20001002 thttpd ssi: retrieval of arbitrary world-readable files FreeBSD-SA-00:73 acme-thttpd-ssi 1737 Entry Format string vulnerability in screen 3.9.5 and earlier allows local users to gain root privileges via format characters in the vbell_msg initialization variable. 20000906 Screen-3.7.6 local compromise 20000905 screen 3.9.5 root vulnerability 20000902a MDKSA-2000:044 20000906 screen format string parsing security problem RHSA-2000:058 FreeBSD-SA-00:46 1641 screen-format-string Entry BrowseGate 2.80 allows remote attackers to cause a denial of service and possibly execute arbitrary commands via long Authorization or Referer MIME headers in the HTTP request. 20000921 DST2K0031: DoS in BrowseGate(Home) v2.80(H) 20000921 DST2K0031: DoS in BrowseGate(Home) v2.80(H) http://www.netcplus.com/browsegate.htm#BGLatest browsegate-http-dos 1702 Entry Buffer overflow in the automatic mail checking component of Pine 4.21 and earlier allows remote attackers to execute arbitrary commands via a long From: header. 20000922 [ no subject ] 20001031 FW: Pine 4.30 now available FreeBSD-SA-00:59 RHSA-2000:102 MDKSA-2000:073 1709 pine-check-mail-bo Entry Horde library 1.02 allows attackers to execute arbitrary commands via shell metacharacters in the "from" address. 20000908 horde library bug - unchecked from-address 20000910 imp: remote compromise http://ssl.coc-ag.de/sec/hordelib-1.2.0.frombug.patch 1674 horde-imp-sendmail-command Entry IMP 2.2 and earlier allows attackers to read and delete arbitrary files by modifying the attachment_name hidden form variable, which causes IMP to send the file to the attacker as an attachment. 20000912 (SRADV00003) Arbitrary file disclosure through IMP 1679 imp-attach-file Entry MultiHTML CGI script allows remote attackers to read arbitrary files and possibly execute arbitrary commands by specifying the file name to the "multi" parameter. 20000913 MultiHTML vulnerability http-cgi-multihtml Entry mod_rewrite in Apache 1.3.12 and earlier allows remote attackers to read arbitrary files if a RewriteRule directive is expanded to include a filename whose name contains a regular expression. 20000929 Security vulnerability in Apache mod_rewrite MDKSA-2000:060 RHSA-2000:088 RHSA-2000:095 CSSA-2000-035.0 HPSBUX0010-126 20001011 Conectiva Linux Security Announcement - apache 1728 apache-rewrite-view-files Entry OpenBSD 2.6 and earlier allows remote attackers to cause a denial of service by flooding the server with ARP requests. 20001005 obsd_fun.c 1759 bsd-arp-request-dos 1592 Entry fingerd in FreeBSD 4.1.1 allows remote attackers to read arbitrary files by specifying the target file name instead of a regular user name. 20001002 [sa2c@and.or.jp: bin/21704: enabling fingerd makes files world readable] FreeBSD-SA-00:54 1803 freebsd-fingerd-files 433 Entry Format string vulnerability in use_syslog() function in LPRng 3.6.24 allows remote attackers to execute arbitrary commands. 20000925 Format strings: bug #2: LPRng CA-2000-22 CSSA-2000-033.0 RHSA-2000:065 FreeBSD-SA-00:56 lprng-format-string 1712 Entry Directory traversal vulnerability in PHPix Photo Album 1.0.2 and earlier allows remote attackers to read arbitrary files via a .. (dot dot) attack. 20001007 PHPix advisory 1773 phpix-dir-traversal 472 Entry Directory traversal vulnerability in BOA web server 0.94.8.2 and earlier allows remote attackers to read arbitrary files via a modified .. (dot dot) attack in the GET HTTP request that uses a "%2E" instead of a "." 20001006 Vulnerability in BOA web server v0.94.8.2 FreeBSD-SA-00:60 20001009 boa: exposes contents of local files 1770 boa-webserver-get-dir-traversal Entry Directory traversal vulnerability in Hassan Consulting shop.cgi shopping cart program allows remote attackers to read arbitrary files via a .. (dot dot) attack on the page parameter. 20001007 Security Advisory: Hassan Consulting's shop.cgi Directory Traversal Vulnerability. 1777 hassan-shopping-cart-dir-traversal 1596 Entry Directory traversal vulnerability in Bytes Interactive Web Shopper shopping cart program (shopper.cgi) 2.0 and earlier allows remote attackers to read arbitrary files via a .. (dot dot) attack on the newpage parameter. 20001008 Security Advisory: Bytes Interactive's Web Shopper (shopper.cgi) Directory Traversal Vulnerability 1776 web-shopper-directory-traversal Entry authenticate.cgi CGI program in Aplio PRO allows remote attackers to execute arbitrary commands via shell metacharacters in the password parameter. 20001006 Fwd: APlio PRO web shell uclinux-apliophone-bin-execute 1784 Entry Directory traversal vulnerability in search.cgi CGI script in Armada Master Index allows remote attackers to read arbitrary files via a .. (dot dot) attack in the "catigory" parameter. 20001009 Master Index traverse advisory 1772 master-index-directory-traversal 461 Entry The default installation of SmartWin CyberOffice Shopping Cart 2 (aka CyberShop) installs the _private directory with world readable permissions, which allows remote attackers to obtain sensitive information. 20001002 DST2K0035: Credit card (customer) details exposed within CyberOff ice Shopping Cart v2 20001002 DST2K0035: Credit card (customer) details exposed within CyberOff ice Shopping Cart v2 1734 cyberoffice-world-readable-directory Entry SmartWin CyberOffice Shopping Cart 2 (aka CyberShop) allows remote attackers to modify price information by changing the "Price" hidden form variable. 20001002 DST2K0036: Price modification possible in CyberOffice Shopping Cart 20001002 DST2K0036: Price modification possible in CyberOffice Shopping Ca rt 1733 cyberoffice-price-modification Entry WQuinn QuotaAdvisor 4.1 does not properly record file sizes if they are stored in alternative data streams, which allows users to bypass quota restrictions. 20000928 DST2K0037: QuotaAdvisor 4.1 by WQuinn is susceptible to alternati ve datastreams to bypass quotas. 20000928 DST2K0037: QuotaAdvisor 4.1 by WQuinn is susceptible to alternati ve datastreams to bypass quotas. 1724 quotaadvisor-quota-bypass Entry WQuinn QuotaAdvisor 4.1 allows users to list directories and files by running a report on the targeted shares. 20001006 DST2K0040: QuotaAdvisor 4.1 by WQuinn susceptible to any user bei ng able to list (not read) all files on any server running QuotaAdvisor. 1765 quotaadvisor-list-files Entry Microsoft Windows Media Player 7 allows attackers to cause a denial of service in RTF-enabled email clients via an embedded OCX control that is not closed properly, aka the "OCX Attachment" vulnerability. 20000929 Malformed Embedded Windows Media Player 7 "OCX Attachment" MS00-068 1714 mediaplayer-outlook-dos Entry Pegasus Mail 3.12 allows remote attackers to read arbitrary files via an embedded URL that calls the mailto: protocol with a -F switch. 20001003 Pegasus mail file reading vulnerability 20001030 Pegasus Mail file reading vulnerability 1738 pegasus-file-forwarding Entry MAILsweeper for SMTP 3.x does not properly handle corrupt CDA documents in a ZIP file and hangs, which allows remote attackers to cause a denial of service. 20000926 FW: DOS for Content Technologies' MAILsweeper for SMTP. mailsweeper-smtp-dos Entry The Input Method Editor (IME) in the Simplified Chinese version of Windows 2000 does not disable access to privileged functionality that should normally be restricted, which allows local users to gain privileges, aka the "Simplified Chinese IME State Recognition" vulnerability. MS00-069 1729 win2k-simplified-chinese-ime Entry Glint in Red Hat Linux 5.2 allows local users to overwrite arbitrary files and cause a denial of service via a symlink attack. RHSA-2000:062 1703 glint-symlink Entry Samba Web Administration Tool (SWAT) in Samba 2.0.7 allows local users to overwrite arbitrary files via a symlink attack on the cgi.log file. 20001030 Samba 2.0.7 SWAT vulnerabilities 1872 samba-swat-logging-sym-link Entry Samba Web Administration Tool (SWAT) in Samba 2.0.7 installs the cgi.log logging file with world readable permissions, which allows local users to read sensitive information such as user names and passwords. 20001030 Samba 2.0.7 SWAT vulnerabilities 1874 samba-swat-logfile-info Entry Samba Web Administration Tool (SWAT) in Samba 2.0.7 does not log login attempts in which the username is correct but the password is wrong, which allows remote attackers to conduct brute force password guessing attacks. 20001030 Samba 2.0.7 SWAT vulnerabilities 1873 samba-swat-brute-force Entry Samba Web Administration Tool (SWAT) in Samba 2.0.7 supplies a different error message when a valid username is provided versus an invalid name, which allows remote attackers to identify valid users on the server. 20001030 Samba 2.0.7 SWAT vulnerabilities samba-swat-brute-force(5442) Entry Kootenay Web KW Whois 1.0 CGI program allows remote attackers to execute arbitrary commands via shell metacharacters in the "whois" parameter. 20001029 Remote command execution via KW Whois 1.0 20001029 Re: Remote command execution via KW Whois 1.0 (addition) http://www.kootenayweb.bc.ca/scripts/whois.txt 1883 kw-whois-meta Entry The CiWebHitsFile component in Microsoft Indexing Services for Windows 2000 allows remote attackers to conduct a cross site scripting (CSS) attack via a CiRestriction parameter in a .htw request, aka the "Indexing Services Cross Site Scripting" vulnerability. 20001028 IIS 5.0 cross site scripting vulnerability - using .htw MS00-084 1861 iis-htw-cross-scripting Entry Buffer overflow in bftp daemon (bftpd) 1.0.11 allows remote attackers to cause a denial of service and possibly execute arbitrary commands via a long USER command. 20001027 Potential Security Problem in bftpd-1.0.11 1858 bftpd-user-bo Entry CGI Script Center News Update 1.1 does not properly validate the original news administration password during a password change operation, which allows remote attackers to modify the password without knowing the original password. 20001027 CGI-Bug: News Update 1.1 administration password bug 1881 news-update-bypass-password Entry The web configuration interface for Catalyst 3500 XL switches allows remote attackers to execute arbitrary commands without authentication when the enable password is not set, via a URL containing the /exec/ directory. 20001026 Advisory def-2000-02: Cisco Catalyst remote command execution 20001113 Re: 3500XL cisco-catalyst-remote-commands(5415) 1846 444 Entry Compaq Easy Access Keyboard software 1.3 does not properly disable access to custom buttons when the screen is locked, which could allow an attacker to gain privileges or execute programs without authorization. 20001012 Security issue with Compaq Easy Access Keyboard software http://www5.compaq.com/support/files/desktops/us/revision/1723.html compaq-ea-elevate-privileges 5831 Entry Format string vulnerability in cfd daemon in GNU CFEngine before 1.6.0a11 allows attackers to execute arbitrary commands via format characters in the CAUTH command. 20001002 Very probable remote root vulnerability in cfengine MDKSA-2000:061 NetBSD-SA2000-013 1757 cfengine-cfd-format-string Entry GnoRPM before 0.95 allows local users to modify arbitrary files via a symlink attack. 20001002 GnoRPM local /tmp vulnerability 20001003 Conectiva Linux Security Announcement - gnorpm MDKSA-2000:055 RHSA-2000:072 20001011 Immunix OS Security Update for gnorpm package 1761 gnorpm-temp-symlink Entry Heap overflow in savestr function in LBNL traceroute 1.4a5 and earlier allows a local user to execute arbitrary commands via the -g option. 20000928 Very interesting traceroute flaw CSSA-2000-034.0 MDKSA-2000:053 RHSA-2000:078 20001013 traceroute: local root exploit TLSA2000023-1 20000930 Conectiva Linux Security Announcement - traceroute 1739 traceroute-heap-overflow Entry A misconfiguration in IIS 5.0 with Index Server enabled and the Index property set allows remote attackers to list directories in the web root via a Web Distributed Authoring and Versioning (WebDAV) search. A100400-1 Q272079 1756 iis-index-dir-traverse Entry global.cgi CGI program in Global 3.55 and earlier on NetBSD allows remote attackers to execute arbitrary commands via shell metacharacters. FreeBSD-SA-00:64 NetBSD-SA2000-014 6486 global-execute-remote-commands Entry Shambala Server 4.5 allows remote attackers to cause a denial of service by opening then closing a connection. 20001009 Shambala 4.5 vulnerability 1778 shambala-connection-dos Entry cyrus-sasl before 1.5.24 in Red Hat Linux 7.0 does not properly verify the authorization for a local user, which could allow the users to bypass specified access restrictions. RHSA-2000:094 1875 cyrus-sasl-gain-access Entry The pluggable authentication module for mysql (pam_mysql) before 0.4.7 does not properly cleanse user input when constructing SQL statements, which allows attackers to obtain plaintext passwords or hashes. 20001026 (SRADV00004) Remote and local vulnerabilities in pam_mysql pammysql-auth-input Entry HotJava Browser 3.0 allows remote attackers to access the DOM of a web page by opening a javascript: URL in a named window. 20001025 HotJava Browser 3.0 JavaScript security vulnerability hotjava-browser-dom-access Entry glibc2 does not properly clear the LD_DEBUG_OUTPUT and LD_DEBUG environmental variables when a program is spawned from a setuid program, which could allow local users to overwrite files via a symlink attack. 20000926 ld.so bug - LD_DEBUG_OUTPUT follows symlinks 1719 glibc-unset-symlink Entry The POP3 server in Netscape Messaging Server 4.15p1 generates different error messages for incorrect user names versus incorrect passwords, which allows remote attackers to determine valid users on the system and harvest email addresses for spam abuse. 20001011 Netscape Messaging server 4.15 poor error strings 1787 netscape-messaging-email-verify Entry Buffer overflow in IMAP server in Netscape Messaging Server 4.15 Patch 2 allows local users to execute arbitrary commands via a long LIST command. 20000928 commercial products and security [ + new bug ] 1721 netscape-messaging-list-dos Entry The IPSEC implementation in OpenBSD 2.7 does not properly handle empty AH/ESP packets, which allows remote attackers to cause a denial of service. 20000925 Nmap Protocol Scanning DoS against OpenBSD IPSEC 20000918 Bad ESP/AH packets could cause a crash under certain conditions. 1723 openbsd-nmap-dos 1574 Entry Buffer overflow in the web administration service for the HiNet LP5100 IP-phone allows remote attackers to cause a denial of service and possibly execute arbitrary commands via a long GET request. 20000928 Another thingy. 1727 hinet-ipphone-get-bo Entry The NSAPI plugins for TGA and the Java Servlet proxy in HP-UX VVOS 10.24 and 11.04 allows an attacker to cause a denial of service (high CPU utilization). hp-virtualvault-nsapi-dos HPSBUX0010-124 Entry Buffer overflows in lpspooler in the fileset PrinterMgmt.LP-SPOOL of HP-UX 11.0 and earlier allows local users to gain privileges. HPSBUX0010-125 hp-lpspooler-bo 7244 Entry PHP 3 and 4 do not properly cleanse user-injected format strings, which allows remote attackers to execute arbitrary commands by triggering error messages that are improperly written to the error logs. A101200-1 MDKSA-2000:062 20001014a 20001014b CSSA-2000-037.0 FreeBSD-SA-00:75 RHSA-2000:088 RHSA-2000:095 20001012 Conectiva Linux Security Announcement - mod_php3 1786 php-logging-format-string Entry Buffer overflow in Half Life dedicated server before build 3104 allows remote attackers to execute arbitrary commands via a long rcon command. 20001016 Half-Life Dedicated Server Vulnerability 20001024 Tamandua Sekure Labs Security Advisory 2000-01 20001027 Re: Half Life dedicated server Patch 1799 halflife-server-changelevel-bo Entry Format string vulnerability in Half Life dedicated server build 3104 and earlier allows remote attackers to execute arbitrary commands by injecting format strings into the changelevel command, via the system console or rcon. 20001016 Half-Life Dedicated Server Vulnerability 20001024 Tamandua Sekure Labs Security Advisory 2000-01 20001027 Re: Half Life dedicated server Patch halflife-rcon-format-string 6983 Entry IIS 4.0 and 5.0 .ASP pages send the same Session ID cookie for secure and insecure web sessions, which could allow remote attackers to hijack the secure web session of the user if that user moves to an insecure session, aka the "Session ID Cookie Marking" vulnerability. http://www.acrossecurity.com/aspr/ASPR-2000-07-22-1-PUB.txt MS00-080 session-cookie-remote-retrieval 7265 Entry HP-UX 11.00 crontab allows local users to read arbitrary files via the -e option by creating a symlink to the target file during the crontab session, quitting the session, and reading the error messages that crontab generates. 20001020 [ Hackerslab bug_paper ] HP-UX crontab temporary file symbolic link vulnerability hp-crontab-read-files Entry Buffer overflow in curl earlier than 6.0-1.1, and curl-ssl earlier than 6.0-1.2, allows remote attackers to execute arbitrary commands by forcing a long error message to be generated. 20001013a RHBA-2000:092-01 FreeBSD-SA-00:72 1804 curl-error-bo Entry GnuPG (gpg) 1.0.3 does not properly check all signatures of a file containing multiple documents, which allows an attacker to modify contents of all documents but the first without detection. 20001011 GPG 1.0.3 doesn't detect modifications to files with multiple signatures 20001111 gnupg: incorrect signature verification FreeBSD-SA-00:67 RHSA-2000:089 CSSA-2000-038.0 MDKSA-2000:063-1 CLSA-2000:334 20001025 Immunix OS Security Update for gnupg package gnupg-message-modify 1797 1608 Entry Directory traversal vulnerability in apexec.pl in Anaconda Foundation Directory allows remote attackers to read arbitrary files via a .. (dot dot) attack. 20001012 Anaconda Advisory anaconda-apexec-directory-traversal 435 Entry Buffer overflow in xlib in XFree 3.3.x possibly allows local users to execute arbitrary commands via a long DISPLAY environment variable or a -display command line parameter. 20001012 another Xlib buffer overflow 20020502-01-I 1805 xfree-xlib-bo(5751) Entry mailfile.cgi CGI program in MailFile 1.10 allows remote attackers to read arbitrary files by specifying the target file name in the "filename" parameter in a POST request, which is then sent by email to the address specified in the "email" parameter. 20001011 Mail File POST Vulnerability 1807 mailfile-post-file-read Entry bbd server in Big Brother System and Network Monitor before 1.5c2 allows remote attackers to execute arbitrary commands via the "&" shell metacharacter. 20001010 Big Brother Systems and Network Monitor vulnerability 1779 bb4-netmon-execute-commands Entry File and Print Sharing service in Windows 95, Windows 98, and Windows Me does not properly check the password for a file share, which allows remote attackers to bypass share access controls by sending a 1-byte password that matches the first character of the real password, aka the "Share Level Password" vulnerability. 20001012 NSFOCUS SA2000-05: Microsoft Windows 9x NETBIOS password MS00-072 1780 win9x-share-level-password oval:org.mitre.oval:def:996 Entry NMPI (Name Management Protocol on IPX) listener in Microsoft NWLink does not properly filter packets from a broadcast address, which allows remote attackers to cause a broadcast storm and flood the network. MS00-073 1781 win-nmpi-packet-dos Entry MySQL Database Engine uses a weak authentication method which leaks information that could be used by a remote attacker to recover the password. 20001023 [CORE SDI ADVISORY] MySQL weak authentication http://www.mysql.com/documentation/mysql/commented/manual.php?section=Security mysql-authentication Entry Internet Explorer before 5.5 forwards cached user credentials for a secure web site to insecure pages on the same web site, which could allow remote attackers to obtain the credentials by monitoring connections to the web server, aka the "Cached Web Credentials" vulnerability. http://www.acrossecurity.com/aspr/ASPR-2000-07-22-2-PUB.txt MS00-076 1793 ie-cache-info Entry Microsoft NetMeeting with Remote Desktop Sharing enabled allows remote attackers to cause a denial of service (CPU utilization) via a sequence of null bytes to the NetMeeting port, aka the "NetMeeting Desktop Sharing" vulnerability. 20001018 Denial of Service attack against computers running Microsoft NetMeeting MS00-077 Q273854 1798 netmeeting-desktop-sharing-dos Entry The HTTP server in Cisco IOS 12.0 through 12.1 allows local users to cause a denial of service (crash and reload) via a URL containing a "?/" string. 20001026 [CORE SDI ADVISORY] Cisco IOS HTTP server DoS 20001025 Cisco IOS HTTP Server Query Vulnerability 1838 cisco-ios-query-dos(5412) Entry Buffer overflow in Intel InBusiness eMail Station 1.04.87 POP service allows remote attackers to cause a denial of service and possibly execute commands via a long username. 20001020 DoS in Intel corporation 'InBusiness eMail Station' intel-email-username-bo 6488 Entry cmd5checkpw 0.21 and earlier allows remote attackers to cause a denial of service via an "SMTP AUTH" command with an unknown username. 20001016 Authentication failure in cmd5checkpw 0.21 http://members.elysium.pl/brush/cmd5checkpw/changes.html 1809 cmd5checkpw-qmail-bypass-authentication Entry Buffer overflow in Hilgraeve, Inc. HyperTerminal client on Windows 98, ME, and 2000 allows remote attackers to execute arbitrary commands via a long telnet URL, aka the "HyperTerminal Buffer Overflow" vulnerability. MS00-079 1815 win-hyperterminal-telnet-bo Entry Directory traversal vulnerability in scp in sshd 1.2.xx allows a remote malicious scp server to overwrite arbitrary files via a .. (dot dot) attack. 20000930 scp file transfer hole 20001001 openssh2.2.p1 - Re: scp file transfer hole MDKSA-2000:057 1742 scp-overwrite-files Entry Format string vulnerability in pw_error function in BSD libutil library allows local users to gain root privileges via a malformed password in commands such as chpass or passwd. 20001003 A format string vulnerability exists in the pw_error(3) function. NetBSD-SA2000-015 FreeBSD-SA-00:58 20001004 Re: OpenBSD Security Advisory 1744 bsd-libutil-format Entry Format string vulnerability in OpenBSD fstat program (and possibly other BSD-based operating systems) allows local users to gain root privileges via the PWD environmental variable. 20001004 Re: OpenBSD Security Advisory 20001006 There are printf-style format string bugs in several privileged programs. ftp://ftp.openbsd.org/pub/OpenBSD/patches/2.7/common/028_format_strings.patch 1746 bsd-fstat-format Entry Format string vulnerability in OpenBSD yp_passwd program (and possibly other BSD-based operating systems) allows attackers to gain root privileges a malformed name. 20001006 There are printf-style format string bugs in several privileged programs. ftp://ftp.openbsd.org/pub/OpenBSD/patches/2.7/common/028_format_strings.patch bsd-yp-passwd-format 6125 Entry Format string vulnerability in OpenBSD su program (and possibly other BSD-based operating systems) allows local attackers to gain root privileges via a malformed shell. 20001006 There are printf-style format string bugs in several privileged programs. ftp://ftp.openbsd.org/pub/OpenBSD/patches/2.7/common/028_format_strings.patch bsd-su-format 6124 Entry Format string vulnerability in AOL Instant Messenger (AIM) 4.1.2010 allows remote attackers to cause a denial of service and possibly execute arbitrary commands by transferring a file whose name includes format characters. 20001003 AOL Instant Messenger DoS 1747 aim-file-transfer-dos Entry add_2_basket.asp in Element InstantShop allows remote attackers to modify price information via the "price" hidden form variable. 20001024 Price modification in Element InstantShop instantshop-modify-price 6487 Entry POP3 daemon in Stalker CommuniGate Pro 3.3.2 generates different error messages for invalid usernames versus invalid passwords, which allows remote attackers to determine valid email addresses on the server for SPAM attacks. 20001012 Re: Netscape Messaging server 4.15 poor error strings communigate-email-verify 1792 Entry NETBIOS client in Windows 95 and Windows 98 allows a remote attacker to cause a denial of service by changing a file sharing service to return an unknown driver type, which causes the client to crash. 20001012 NSFOCUS SA2000-04: Microsoft Win9x client driver type comparing vulnerability 1794 win-netbios-driver-type-dos Entry Format string vulnerability in OpenBSD photurisd allows local users to execute arbitrary commands via a configuration file directory name that contains formatting characters. 20001004 Re: OpenBSD Security Advisory bsd-photurisd-format 6123 Entry Directory traversal vulnerability in html_web_store.cgi and web_store.cgi CGI programs in eXtropia WebStore allows remote attackers to read arbitrary files via a .. (dot dot) attack on the page parameter. 20001009 Security Advisory : eXtropia WebStore (web_store.cgi) Directory Traversal Vulnerability 1774 extropia-webstore-fileread Entry Microsoft Exchange Server 5.5 does not properly handle a MIME header with a blank charset specified, which allows remote attackers to cause a denial of service via a charset="" command, aka the "Malformed MIME Header" vulnerability. MS00-082 ms-exchange-mime-dos 1869 Entry I-gear 3.5.7 and earlier does not properly process log entries in which a URL is longer than 255 characters, which allows an attacker to cause reporting errors. 20001025 I-gear 3.5.x for Microsoft Proxy logging vulnerability + temporary fix. igear-invalid-log(5791) Entry Format string vulnerability in talkd in OpenBSD and possibly other BSD-based OSes allows remote attackers to execute arbitrary commands via a user name that contains format characters. 20001006 talkd [WAS: Re: OpenBSD Security Advisory] 1764 linux-talkd-overwrite-root Entry Buffer overflow in catopen() function in FreeBSD 5.0 and earlier, and possibly other OSes, allows local users to gain root privileges via a long environmental variable. FreeBSD-SA-00:53 freebsd-catopen-bo 6070 Entry Format string vulnerability in the search97.cgi CGI script in SCO help http server for Unixware 7 allows remote attackers to execute arbitrary commands via format characters in the queryText parameter. 20000927 Unixware SCOhelp http server format string vulnerability 1717 unixware-scohelp-format 3240 Entry The default configuration of Apache (httpd.conf) on SuSE 6.4 includes an alias for the /usr/doc directory, which allows remote attackers to read package documentation and obtain system configuration information via an HTTP request for the /doc/packages URL. 20000921 httpd.conf in Suse 6.4 1707 suse-installed-packages-exposed Entry shred 1.0 file wiping utility does not properly open a file for overwriting or flush its buffers, which prevents shred from properly replacing the file's data and allows local users to recover the file. 20001010 Shred 1.0 Bug Report 20001011 Shred v1.0 Fix 1788 shred-recover-files Entry Search engine in Ultraseek 3.1 and 3.1.10 (aka Inktomi Search) allows remote attackers to cause a denial of service via a malformed URL. 20001030 Ultraseek 3.1.x Remote DoS Vulnerability 1866 ultraseek-malformed-url-dos Entry The mailguard feature in Cisco Secure PIX Firewall 5.2(2) and earlier does not properly restrict access to SMTP commands, which allows remote attackers to execute restricted commands by sending a DATA command before sending the restricted commands. 20000919 Cisco PIX Firewall (smtp content filtering hack) 20000920 Re: Cisco PIX Firewall (smtp content filtering hack) - Version 4.2(1) not exploitable 20001005 Cisco Secure PIX Firewall Mailguard Vulnerability 1698 cisco-pix-smtp-filtering Entry eWave ServletExec 3.0C and earlier does not restrict access to the UploadServlet Java/JSP servlet, which allows remote attackers to upload files and execute arbitrary commands. 20001101 Unify eWave ServletExec upload 1876 ewave-servletexec-file-upload Entry Multiple buffer overflows in LBNL tcpdump allow remote attackers to execute arbitrary commands. FreeBSD-SA-00:61 SuSE-SA:2000:46 20001120a 1870 tcpdump-afs-packet-overflow(5480) Entry Cisco Secure PIX Firewall 5.2(2) allows remote attackers to determine the real IP address of a target FTP server by flooding the server with PASV requests, which includes the real IP address in the response when passive mode is established. 20001003 Cisco PIX Firewall allow external users to discover internal IPs 1877 cisco-pix-reveal-address 1623 Entry Buffer overflow in dtterm in HP-UX 11.0 and HP Tru64 UNIX 4.0f through 5.1a allows local users to execute arbitrary code via a long -tn option. 20000810 Re: Possible vulnerability in HPUX ( Add vulnerability List ) 20020902 Happy Labor Day from Snosoft 20020919 iDEFENSE OSF1/Tru64 3.x vuln clarification 20020919 iDEFENSE OSF1/Tru64 3.x vuln clarification HPSBUX0011-128 SSRT2275 SSRT2280 VU#320067 1889 hp-dtterm(5461) Entry The client authentication interface for Check Point Firewall-1 4.0 and earlier generates different error messages for invalid usernames versus invalid passwords, which allows remote attackers to identify valid usernames on the firewall. 20001101 Re: Samba 2.0.7 SWAT vulnerabilities 1890 fw1-login-response(5816) 1632 Entry Buffer overflow in the System Monitor ActiveX control in Windows 2000 allows remote attackers to execute arbitrary commands via a long LogFileName parameter in HTML source code, aka the "ActiveX Parameter Validation" vulnerability. 20001106 System Monitor ActiveX Buffer Overflow Vulnerability MS00-085 1899 system-monitor-activex-bo(5467) Entry Directory traversal vulnerability in Extent RBS ISP web server allows remote attackers to read sensitive information via a .. (dot dot) attack on the Image parameter. 20000920 Extent RBS directory Transversal. 1704 rbs-isp-directory-traversal Entry The web administration interface for IBM AS/400 Firewall allows remote attackers to cause a denial of service via an empty GET request. SA90544 http://as400service.rochester.ibm.com/n_dir/nas4apar.NSF/5ec6cdc6ab42894a862568f90073c74a/9ce636030a58807186256955003d128d?OpenDocument as400-firewall-dos Entry Format string vulnerability in logging function of ypbind 3.3, while running in debug mode, leaks file descriptors and allows an attacker to cause a denial of service. 20001014 nis: local exploit MDKSA-2000:064 SuSE-SA:2000:042 RHSA-2000:086 CSSA-2000-039.0 20001025 Immunix OS Security Update for ypbind package 20001030 Trustix Security Advisory - ping gnupg ypbind ypbind-printf-format-string 1820 Entry Buffer overflow in ypbind 3.3 possibly allows an attacker to gain root privileges. MDKSA-2000:064 SuSE-SA:2000:042 CSSA-2000-039.0 ypbind-remote-bo Entry Buffer overflow in ypserv in Mandrake Linux 7.1 and earlier, and possibly other Linux operating systems, allows an attacker to gain root privileges when ypserv is built without a vsyslog() function. MDKSA-2000:064 linux-ypserv-bo Entry Format string vulnerability in ypserv in Mandrake Linux 7.1 and earlier, and possibly other Linux operating systems, allows an attacker to gain root privileges when ypserv is built without a vsyslog() function. MDKSA-2000:064 linux-ypserv-format-string Entry Format string vulnerability in ypbind-mt in SuSE SuSE-6.2, and possibly other Linux operating systems, allows an attacker to gain root privileges. SuSE-SA:2000:042 1820 ypbind-printf-format-string Entry nss_ldap earlier than 121, when run with nscd (name service caching daemon), allows remote attackers to cause a denial of service via a flood of LDAP requests. RHSA-2000:024 MDKSA-2000-066 1863 nssldap-nscd-dos Entry Buffer overflow in SMTP service of Lotus Domino 5.0.4 and earlier allows remote attackers to cause a denial of service and possibly execute arbitrary commands via a long ENVID keyword in the "MAIL FROM" command. 20001103 [SAFER] Buffer overflow in Lotus Domino SMTP Server lotus-domino-smtp-envid(5488) 1905 442 Entry Allaire JRun 3.0 http servlet server allows remote attackers to cause a denial of service via a URL that contains a long string of "." characters. 20001101 Allaire's JRUN DoS ASB00-030 allaire-jrun-servlet-dos Entry Allaire JRun 3.0 http servlet server allows remote attackers to directly access the WEB-INF directory via a URL request that contains an extra "/" in the beginning of the request (aka the "extra leading slash"). 20001023 Allaire's JRUN Unauthenticated Access to WEB-INF directory ASB00-027 allaire-jrun-webinf-access 500 Entry Directory traversal vulnerability in Allaire JRun 2.3 server allows remote attackers to read arbitrary files via the SSIFilter servlet. 20001023 Allaire JRUN 2.3 Arbitrary File Retrieval ASB00-028 allaire-jrun-ssifilter-url Entry Buffer overflow in CSAdmin module in CiscoSecure ACS Server 2.4(2) and earlier allows remote attackers to cause a denial of service and possibly execute arbitrary commands via a large packet. 20000921 Multiple Vulnerabilities in CiscoSecure ACS for Windows NT Server 1705 ciscosecure-csadmin-bo Entry Buffer overflow in CiscoSecure ACS Server 2.4(2) and earlier allows remote attackers to cause a denial of service and possibly execute arbitrary commands via a large TACACS+ packet. 20000921 Multiple Vulnerabilities in CiscoSecure ACS for Windows NT Server 1706 ciscosecure-tacacs-dos 1569 Entry CiscoSecure ACS Server 2.4(2) and earlier allows remote attackers to bypass LDAP authentication on the server if the LDAP server allows null passwords. 20000921 Multiple Vulnerabilities in CiscoSecure ACS for Windows NT Server 1708 ciscosecure-ldap-bypass-authentication Entry Vulnerabilities in database configuration scripts in HP OpenView Network Node Manager (NNM) 6.1 and earlier allows local users to gain privileges, possibly via insecure permissions. HPSBUX0009-120 1682 hp-openview-nnm-scripts Entry Buffer overflow in OverView5 CGI program in HP OpenView Network Node Manager (NNM) 6.1 and earlier allows remote attackers to cause a denial of service, and possibly execute arbitrary commands, in the SNMP service (snmp.exe), aka the "Java SNMP MIB Browser Object ID parsing problem." 20000926 DST2K0014: BufferOverrun in HP Openview Network Node Manager v6.1 (Round2) HPSBUX0009-121 openview-nmm-snmp-bo Entry The default configuration of the Xsession file in Mandrake Linux 7.1 and 7.0 bypasses the Xauthority access control mechanism with an "xhost + localhost" command, which allows local users to sniff X Windows events and gain privileges. 20000929 Mandrake 7.1 bypasses Xauthority X session security. MDKSA-2000:052 1735 xinitrc-bypass-xauthority Entry The default configuration of XFCE 3.5.1 bypasses the Xauthority access control mechanism with an "xhost + localhost" command in the xinitrc program, which allows local users to sniff X Windows traffic and gain privileges. 20001002 Local vulnerability in XFCE 3.5.1 FreeBSD-SA-00:65 1736 xinitrc-bypass-xauthority Entry Microsoft Virtual Machine (VM) in Internet Explorer 4.x and 5.x allows an unsigned applet to create and use ActiveX controls, which allows a remote attacker to bypass Internet Explorer's security settings and execute arbitrary commands via a malicious web page or email, aka the "Microsoft VM ActiveX Component" vulnerability. MS00-075 java-vm-applet Entry pollit.cgi in Poll It 2.0 allows remote attackers to execute arbitrary commands via shell metacharacters in the poll_options parameter. 20001023 Re: Poll It v2.0 cgi (again) http://www.cgi-world.com/pollit.html pollit-polloptions-execute-commands Entry pollit.cgi in Poll It 2.01 and earlier allows remote attackers to access administrative functions without knowing the real password by specifying the same value to the entered_password and admin_password parameters. 20001023 Re: Poll It v2.0 cgi (again) pollit-admin-password-var Entry pollit.cgi in Poll It 2.01 and earlier uses data files that are located under the web document root, which allows remote attackers to access sensitive or private information. 20001023 Re: Poll It v2.0 cgi (again) pollit-webroot-gain-access Entry The GUI installation for iCal 2.1 Patch 2 disables access control for the X server using an "xhost +" command, which allows remote attackers to monitor X Windows events and gain privileges. A100900-1 1767 ical-xhost-gain-privileges 7213 Entry iCal 2.1 Patch 2 installs many files with world-writeable permissions, which allows local users to modify the iCal configuration and execute arbitrary commands by replacing the iplncal.sh program with a Trojan horse. A100900-1 1768 ical-iplncal-gain-access 7212 Entry csstart program in iCal 2.1 Patch 2 searches for the cshttpd program in the current working directory, which allows local users to gain root privileges by creating a Trojan Horse cshttpd program in a directory and calling csstart from that directory. A100900-1 1769 ical-csstart-gain-access 7210 Entry csstart program in iCal 2.1 Patch 2 uses relative pathnames to install the libsocket and libnsl libraries, which could allow the icsuser account to gain root privileges by creating a Trojan Horse library in the current or parent directory. A100900-1 1769 ical-csstart-gain-access 7209 Entry Directory traversal vulnerability in iPlanet Certificate Management System 4.2 and Directory Server 4.12 allows remote attackers to read arbitrary files via a .. (dot dot) attack in the Agent, End Entity, or Administrator services. 20001026 [CORE SDI ADVISORY] iPlanet Certificate Management System 4.2 path traversal bug http://www.iplanet.com/downloads/patches/0122.html 1839 iplanet-netscape-directory-traversal 4086 486 Entry Buffer overflow in the SHTML logging functionality of iPlanet Web Server 4.x allows remote attackers to execute arbitrary commands via a long filename with a .shtml extension. 20001026 Buffer overflow in iPlanet Web Server 4 server side SHTML parsing module iplanet-web-server-shtml-bo Entry Quake 1 (quake1) and ProQuake 1.01 and earlier allow remote attackers to cause a denial of service via a malformed (empty) UDP packet. 20001102 dos on quake1 servers http://proquake.ai.mit.edu/ 1900 quake-empty-udp-dos(5527) Entry Buffer overflow in Microsoft Phone Book Service allows local users to execute arbitrary commands, aka the "Phone Book Service Buffer Overflow" vulnerability. A120400-1 MS00-094 2048 phone-book-service-bo(5623) Entry Buffer overflow in AOL Instant Messenger (AIM) before 4.3.2229 allows remote attackers to execute arbitrary commands via a "buddyicon" command with a long "src" argument. A121200-1 20001213 Administrivia & AOL IM Advisory 20001214 Re: AIM & @stake's advisory aolim-buddyicon-bo 1692 Entry modprobe in the modutils 2.3.x package on Linux systems allows a local user to execute arbitrary commands via shell metacharacters. 20001112 RedHat 7.0 (and SuSE): modutils + netkit = root compromise. (fwd) SuSE-SA:2000:44 MDKSA-2000:071 RHSA-2000:108 20001120 modutils: local exploit CLSA-2000:340 1936 linux-modprobe-execute-code Entry crontab by Paul Vixie uses predictable file names for a temporary file and does not properly ensure that the file is owned by the user executing the crontab -e command, which allows local users with write access to the crontab spool directory to execute arbitrary commands by creating world-writeable temporary files and modifying them while the victim is editing the file. 20001116 vixie cron... 20001118a 1960 vixie-cron-execute-commands(5543) Entry The web server for the SonicWALL SOHO firewall allows remote attackers to cause a denial of service via a long username in the authentication page. 20001129 DoS in Sonicwall SOHO firewall 20001201 FW: SonicWALL SOHO Vulnerability (fwd) 2013 sonicwall-soho-dos(5596) 1667 Entry Java Runtime Environment in Java Development Kit (JDK) 1.2.2_05 and earlier can allow an untrusted Java class to call into a disallowed class, which could allow an attacker to escape the Java sandbox and conduct unauthorized activities. 00199 HPSBUX0011-132 jdk-untrusted-java-class(5605) 7255 Entry Directory traversal vulnerability in Winsock FTPd (WFTPD) 3.00 and 2.41 with the "Restrict to home directory" option enabled allows local users to escape the home directory via a "/../" string, a variation of the .. (dot dot) attack. 20001127 Vulnerability in Winsock FTPD 2.41/3.00 (Pro) 2005 wftpd-dir-traverse(5608) Entry Trend Micro InterScan VirusWall creates an "Intscan" share to the "InterScan" directory with permissions that grant Full Control permissions to the Everyone group, which allows attackers to gain privileges by modifying the VirusWall programs. 20001128 TrendMicro InterScan VirusWall shared folder problem 20001201 Responding to BugTraq ID 2014 - "Trend Micro InterScan VirusWall Shared Directory Vulnerability" 2014 interscan-viruswall-unauth-access Entry in.identd ident server in SuSE Linux 6.x and 7.0 allows remote attackers to cause a denial of service via a long request, which causes the server to access a NULL pointer and crash. 20001128 SuSE Linux 6.x 7.0 Ident buffer overflow 2015 linux-ident-bo Entry cons.saver in Midnight Commander (mc) 4.5.42 and earlier does not properly verify if an output file descriptor is a TTY, which allows local users to corrupt files by creating a symbolic link to the target file, calling mc, and specifying that link as a TTY argument. 20001113 Problems with cons.saver 20001125 mc: local DoS MDKSA-2000:078 1945 midnight-commander-conssaver-symlink(5519) Entry Midnight Commander (mc) 4.5.51 and earlier does not properly process malformed directory names when a user opens a directory, which allows other local users to gain privileges by creating directories that contain special characters followed by the commands to be executed. 20001127 Midnight Commander DSA-036 SuSE-SA:2001:11 2016 midnight-commander-elevate-privileges(5929) Entry Telnet Service for Windows 2000 Professional does not properly terminate incomplete connection attempts, which allows remote attackers to cause a denial of service by connecting to the server and not providing any input. 20001129 Windows 2000 Telnet Service DoS 2018 win2k-telnet-dos(5598) Entry Microsoft Windows Media Player 7 executes scripts in custom skin (.WMS) files, which could allow remote attackers to gain privileges via a skin that contains a malicious script, aka the ".WMS Script Execution" vulnerability. MS00-090 1976 mediaplayer-wms-script-exe Entry Buffer overflow in Microsoft Windows Media Player allows remote attackers to execute arbitrary commands via a malformed Active Stream Redirector (.ASX) file, aka the ".ASX Buffer Overrun" vulnerability. A112300-1 MS00-090 1980 mediaplayer-asx-bo Entry Buffer overflow in remote web administration component (webprox.dll) of 602Pro LAN SUITE before 2000.0.1.33 allows remote attackers to cause a denial of service and possibly execute arbitrary commands via a long GET request. 20001122 602Pro Lan Suite Web Admin Overflow http://www.software602.com/products/ls/support/newbuild.html 1979 software602-lan-suite-bo Entry Buffer overflow in setsenv command in IBM AIX 4.3.x and earlier allows local users to execute arbitrary commands via a long "x=" argument. 20001201 Fixed local AIX V43 vulnerabilities IY08812 IY10721 2032 aix-setsenv-bo(5621) 1676 Entry Buffer overflow in digest command in IBM AIX 4.3.x and earlier allows local users to execute arbitrary commands. 20001201 Fixed local AIX V43 vulnerabilities IY08143 IY08287 2033 aix-digest-bo(5620) Entry Buffer overflow in enq command in IBM AIX 4.3.x and earlier may allow local users to execute arbitrary commands via a long -M argument. 20001201 Fixed local AIX V43 vulnerabilities IY08143 IY08287 2034 aix-enq-bo(5619) Entry Buffer overflow in setclock command in IBM AIX 4.3.x and earlier may allow local users to execute arbitrary commands via a long argument. 20001201 Fixed local AIX V43 vulnerabilities IY07831 IY07790 2035 Entry Buffer overflow in pioout command in IBM AIX 4.3.x and earlier may allow local users to execute arbitrary commands. 20001201 Fixed local AIX V43 vulnerabilities IY12638 2036 aix-pioout-bo Entry Buffer overflow in piobe command in IBM AIX 4.3.x allows local users to gain privileges via long environmental variables. 20001201 Fixed local AIX V43 vulnerabilities IY12638 2037 aix-piobe-bo(5616) Entry Bill Kendrick web site guestbook (GBook) allows remote attackers to execute arbitrary commands via shell metacharacters in the _MAILTO form variable. 20001110 [hacksware] gbook.cgi remote command execution vulnerability 1940 gbook-cgi-remote-execution Entry DCForum cgforum.cgi CGI script allows remote attackers to read arbitrary files, and delete the program itself, via a malformed "forum" variable. 20001114 Cgisecurity.com advisory on dcforum 1951 http://www.dcscripts.com/dcforum/dcfNews/124.html#1 dcforum-cgi-view-files(5533) 1646 Entry fshd (fsh daemon) in Debian GNU/Linux allows local users to overwrite files of other users via a symlink attack. 20001130 DSA-002-1 fsh: symlink attack linux-fsh-symlink(5633) 7208 Entry elvis-tiny before 1.4-10 in Debian GNU/Linux, and possibly other Linux operating systems, allows local users to overwrite files of other users via a symlink attack. 20001122 New version of elvis-tiny released 1984 linux-tinyelvis-tmpfiles Entry GNU ed before 0.2-18.1 allows local users to overwrite the files of other users via a symlink attack. 20001129 DSA-001-1 ed: symlink attack MDKSA-2000:076 RHSA-2000:123 20001211 Immunix OS Security update for ed CLA-2000:359-2 gnu-ed-symlink(5723) 6491 Entry The installation of Microsoft Exchange 2000 before Rev. A creates a user account with a known password, which could allow attackers to gain privileges, aka the "Exchange User Account" vulnerability. MS00-088 1958 ms-exchange-username-pwd(5537) Entry Recourse ManTrap 1.6 does not properly hide processes from attackers, which could allow attackers to determine that they are in a honeypot system by comparing the results from kill commands with the process listing in the /proc filesystem. 20001102 Mantrap By Recourse Technologies - Fate Advisory (11-01-00) 20001107 Vendor Response Re: Mantrap Advisory Vendor Followup - Fate Research Labs 1908 mantrap-hidden-processes Entry Recourse ManTrap 1.6 modifies the kernel so that ".." does not appear in the /proc listing, which allows attackers to determine that they are in a honeypot system. 20001102 Mantrap By Recourse Technologies - Fate Advisory (11-01-00) 20001107 Vendor Response Re: Mantrap Advisory Vendor Followup - Fate Research Labs 20001105 Mantrap Advisory Vendor Followup - Fate Research Labs mantrap-hidden-processes Entry Recourse ManTrap 1.6 generates an error when an attacker cd's to /proc/self/cwd and executes the pwd command, which allows attackers to determine that they are in a honeypot system. 20001102 Mantrap By Recourse Technologies - Fate Advisory (11-01-00) 20001107 Vendor Response Re: Mantrap Advisory Vendor Followup - Fate Research Labs 20001105 Mantrap Advisory Vendor Followup - Fate Research Labs mantrap-pwd-reveal-information Entry Recourse ManTrap 1.6 hides the first 4 processes that run on a Solaris system, which allows attackers to determine that they are in a honeypot system. 20001102 Mantrap By Recourse Technologies - Fate Advisory (11-01-00) 20001107 Vendor Response Re: Mantrap Advisory Vendor Followup - Fate Research Labs 20001105 Mantrap Advisory Vendor Followup - Fate Research Labs mantrap-hidden-processes Entry Recourse ManTrap 1.6 sets up a chroot environment to hide the fact that it is running, but the inode number for the resulting "/" file system is higher than normal, which allows attackers to determine that they are in a chroot environment. 20001102 Mantrap By Recourse Technologies - Fate Advisory (11-01-00) 20001107 Vendor Response Re: Mantrap Advisory Vendor Followup - Fate Research Labs 1909 20001105 Mantrap Advisory Vendor Followup - Fate Research Labs mantrap-inode-disclosure Entry Recourse ManTrap 1.6 allows attackers who have gained root access to use utilities such as crash or fsdb to read /dev/mem and raw disk devices to identify ManTrap processes or modify arbitrary data files. 20001102 Mantrap By Recourse Technologies - Fate Advisory (11-01-00) 20001107 Vendor Response Re: Mantrap Advisory Vendor Followup - Fate Research Labs 20001105 Mantrap Advisory Vendor Followup - Fate Research Labs mantrap-identify-processes Entry Recourse ManTrap 1.6 allows attackers to cause a denial of service via a sequence of commands that navigate into and out of the /proc/self directory and executing various commands such as ls or pwd. 20001102 Mantrap By Recourse Technologies - Fate Advisory (11-01-00) 20001107 Vendor Response Re: Mantrap Advisory Vendor Followup - Fate Research Labs 1913 20001105 Mantrap Advisory Vendor Followup - Fate Research Labs mantrap-dir-dos Entry The installation of VolanoChatPro chat server sets world-readable permissions for its configuration file and stores the server administrator passwords in plaintext, which allows local users to gain privileges on the server. 20001104 Filesystem Access + VolanoChat = VChat admin (fwd) 20001106 Re: FW: Filesystem Access + VolanoChat = VChat admin (fwd) 1906 volanochatpro-plaintext-password Entry Buffer overflow in RegAPI.DLL used by Windows NT 4.0 Terminal Server allows remote attackers to execute arbitrary commands via a long username, aka the "Terminal Server Login Buffer Overflow" vulnerability. 20001108 [CORE SDI ADVISORY] MS NT4.0 Terminal Server Edition GINA buffer overflow MS00-087 1924 nt-termserv-gina-bo Entry ghostscript before 5.10-16 allows local users to overwrite files of other users via a symlink attack. CSSA-2000-041 MDKSA-2000:074 CLSA-2000:343 RHSA-2000:114 20001123 ghostscript: symlink attack 1990 ghostscript-sym-link Entry ghostscript before 5.10-16 uses an empty LD_RUN_PATH environmental variable to find libraries in the current directory, which could allow local users to execute commands as other users by placing a Trojan horse library into a directory from which another user executes ghostscript. CSSA-2000-041 MDKSA-2000:074 CLSA-2000:343 20001123 ghostscript: symlink attack 1991 ghostscript-env-variable Entry WinVNC installs the WinVNC3 registry key with permissions that give Special Access (read and modify) to the Everybody group, which allows users to read and modify sensitive information such as passwords and gain access to the system. 20001118 WinVNC 3.3.x 1961 winvnc-modify-registry(5545) Entry Balabit syslog-ng allows remote attackers to cause a denial of service (application crash) via a malformed log message that does not have a closing > in the priority specifier. 20001122 DoS possibility in syslog-ng FreeBSD-SA-01:02 http://www.balabit.hu/products/syslog-ng/ 1981 balabit-syslog-ng-dos(5576) Entry Twig webmail system does not properly set the "vhosts" variable if it is not configured on the site, which allows remote attackers to insert arbitrary PHP (PHP3) code by specifying an alternate vhosts as an argument to the index.php3 program. 20001124 Security problems with TWIG webmail system http://twig.screwdriver.net/file.php3?file=CHANGELOG 1998 twig-php3-script-execute(5581) Entry ppp utility in FreeBSD 4.1.1 and earlier does not properly restrict access as specified by the "nat deny_incoming" command, which allows remote attackers to connect to the target system. FreeBSD-SA-00:70 1974 freebsd-ppp-bypass-gateway(5584) 1655 Entry OpenSSH SSH client before 2.3.0 does not properly disable X11 or agent forwarding, which could allow a malicious SSH server to gain access to the X11 display and sniff X11 events, or gain access to the ssh-agent. 20001123 OpenSSH Security Advisory (adv.fwd) MDKSA-2000:068 20001115 Trustix Security Advisory - bind and openssh (and modutils) 20001118 openssh: possible remote exploit CLSA-2000:345 RHSA-2000:111 SuSE-SA:2000:47 1949 openssh-unauthorized-access(5517) 2114 6248 Entry Buffer overflow in Netsnap webcam HTTP server before 1.2.9 allows remote attackers to execute arbitrary commands via a long GET request. 20001115 Netsnap Webcam Software Remote Overflow http://www.netsnap.com/new.htm 1956 netsnap-remote-bo(5534) Entry Directory traversal vulnerability in cgiforum.pl script in CGIForum 1.0 allows remote attackers to ready arbitrary files via a .. (dot dot) attack in the "thesection" parameter. 20001120 CGIForum 1.0 Vulnerability cgiforum-view-files(5553) 1963 Entry Multiple buffer overflows in AFS ACL parser for Ethereal 0.8.13 and earlier allows remote attackers to execute arbitrary commands via a packet with a long username. 20001118 [hacksware] Ethereal 0.8.13 AFS ACL parsing buffer overflow bug 20001121 ethereal: remote exploit CLSA-2000:342 RHSA-2000:116 FreeBSD-SA-00:81 ethereal-afs-bo(5557) 1972 Entry Joe text editor follows symbolic links when creating a rescue copy called DEADJOE during an abnormal exit, which allows local users to overwrite the files of other users whose joe session crashes. 20001116 Joe's Own Editor File Link Vulnerability RHSA-2000:110 MDKSA-2000:072 CLA-2000:356 20001122 20001201 DSA-003-1 joe: symlink attack 20001121 Immunix OS Security update for joe 1959 joe-symlink-corruption(5546) Entry Netopia ISDN Router 650-ST before 4.3.5 allows remote attackers to read system logs without authentication by directly connecting to the login screen and typing certain control characters. 20001115 Netopia ISDN Router 650-ST: Viewing of all system logs without login 1952 netopia-view-system-log(5536) Entry Buffer overflow in cmctl program in Oracle 8.1.5 Connection Manager Control allows local users to gain privileges via a long command line argument. 20001120 vulnerability in Connection Manager Control binary in Oracle 20010118 Patch for Potential Security Vulnerability in Oracle Connection Manager Control 1968 oracle-cmctl-bo(5551) Entry Real Networks RealServer 7 and earlier allows remote attackers to obtain portions of RealServer's memory contents, possibly including sensitive information, by accessing the /admin/includes/ URL. 20001116 [CORE SDI ADVISORY] RealServer memory contents disclosure http://service.real.com/help/faq/security/memory.html 1957 realserver-gain-access(5538) Entry WatchGuard Firebox II allows remote attackers to cause a denial of service by flooding the Firebox with a large number of FTP or SMTP requests, which disables proxy handling. 20001116 Possible Watchguard Firebox II DoS https://www.watchguard.com/support/patches.html 1953 watchguard-firebox-ftp-dos(5535) Entry telnetd in FreeBSD 4.2 and earlier, and possibly other operating systems, allows remote attackers to cause a denial of service by specifying an arbitrary large file in the TERMCAP environmental variable, which consumes resources as the server processes the file. FreeBSD-SA-00:69 telnetd-termcap-dos(5959) 6083 Entry Buffer overflow in the HTML parser for Netscape 4.75 and earlier allows remote attackers to execute arbitrary commands via a long password value in a form field. RHSA-2000:109 CLSA-2000:344 SuSE-SA:2000:48 FreeBSD-SA-00:66 20001121 Immunix OS Security update for netscape netscape-client-html-bo 7207 Entry Buffer overflow in pam_localuser PAM module in Red Hat Linux 7.x and 6.x allows attackers to gain privileges. RHSA-2000:120 CLA-2000:358 MDKSA-2000:082-1 pam-localuser-bo(5747) Entry imwheel-solo in imwheel package allows local users to modify arbitrary files via a symlink attack from the .imwheelrc file. 20000531 Re: strike#2 RHSA-2000:016 linux-imwheel-symlink(4941) Entry Performance Metrics Collector Daemon (PMCD) in Performance Copilot in IRIX 6.x allows remote attackers to cause a denial of service (resource exhaustion) via an extremely long string to the PMCD port. 20000412 Performance Copilot for IRIX 6.5 irix-pcp-pmcd-dos(4284) 20020407-01-I Entry telnet daemon (telnetd) from the Linux netkit package before netkit-telnet-0.16 allows remote attackers to bypass authentication when telnetd is running with the -L command line option. CSSA-2000-008.0 telnetd-login-bypass(4225) Entry PSCOErrPage.htm in Netscape PublishingXpert 2.5 before SP2 allows remote attackers to read arbitrary files by specifying the target file in the errPagePath parameter. http://docs.iplanet.com/docs/manuals/pubx/2.5.2_Relnotes.html http://packetstormsecurity.org/0004-exploits/ooo1.txt publishingxpert-pscoerrpage-url(7362) Entry Windows NT allows remote attackers to list all users in a domain by obtaining the domain SID with the LsaQueryInformationPolicy policy function via a null session and using the SID to list the users. 20000201 Windows NT and account list leak ! A new SID usage nt-lsa-domain-sid(4015) 959 Entry Lotus Domino SMTP server 4.63 through 5.08 allows remote attackers to cause a denial of service (CPU consumption) by forging an email message with the sender as bounce@[127.0.0.1] (localhost), which causes Domino to enter a mail loop. 20000520 Infinite loop in LOTUS NOTE 5.0.3. SMTP SERVER 20010820 Lotus Domino DoS 20010823 Lotus Domino DoS solution 3212 lotus-domino-bounced-message-dos(7012) Entry Directory traversal vulnerability in source.jsp of Apache Tomcat before 3.1 allows remote attackers to read arbitrary files via a .. (dot dot) in the argument to source.jsp. 20000322 Security bug in Apache project: Jakarta Tomcat apache-tomcat-file-contents(4205) Entry Zope 2.2.0 through 2.2.4 does not properly perform security registration for legacy names of object constructors such as DTML method objects, which could allow attackers to perform unauthorized activities. 20001222 Zope DTML Role Issue RHSA-2000:125 http://www.zope.org/Products/Zope/Hotfix_2000-12-08/security_alert MDKSA-2000:083 zope-legacy-names(5824) 6282 Entry Zope 2.2.0 through 2.2.4 does not properly protect a data updating method on Image and File objects, which allows attackers with DTML editing privileges to modify the raw data of these objects. MDKSA-2000:086 CLA-2000:365 DSA-007 http://www.zope.org/Products/Zope/Hotfix_2000-12-18/security_alert RHSA-2000:135 zope-image-file(5778) 6283 Entry cookiedecode function in PHP-Nuke 4.4 allows users to bypass authentication and gain access to other user accounts by extracting the authentication information from a cookie. 20010213 RFP2101: RFPlutonium to fuel your PHP-Nuke php-nuke-elevate-privileges(6183) Entry Internet Explorer 5.5 and earlier allows remote attackers to obtain the physical location of cached content and open the content in the Local Computer Zone, then use compiled HTML help (.chm) files to execute arbitrary programs. MS01-015 20001120 IE 5.x/Outlook allows executing arbitrary programs using .chm files and temporary internet files folder http://www.guninski.com/chmtempmain.html 2456 7823 oval:org.mitre.oval:def:920 ie-chm-execute-files(5567) Entry Web Extender Client (WEC) in Microsoft Office 2000, Windows 2000, and Windows Me does not properly process Internet Explorer security settings for NTLM authentication, which allows attackers to obtain NTLM credentials and possibly obtain the password, aka the "Web Client NTLM Authentication" vulnerability. MS01-001 wec-ntlm-authentication 2199 Entry IIS 5.0 and 4.0 allows remote attackers to read the source code for executable web server programs by appending "%3F+.htr" to the requested URL, which causes the files to be parsed by the .HTR ISAPI extension, aka a variant of the "File Fragment Reading via .HTR" vulnerability. 20010108 IIS 5.0 allows viewing files using %3F+.htr MS01-004 2313 iis-read-files(5903) Entry Buffer overflow in the parsing mechanism of the file loader in Microsoft PowerPoint 2000 allows attackers to execute arbitrary commands. A012301-1 MS01-002 powerpoint-execute-code(5996) Entry The Winsock2ProtocolCatalogMutex mutex in Windows NT 4.0 has inappropriate Everyone/Full Control permissions, which allows local users to modify the permissions to "No Access" and disable Winsock network connectivity to cause a denial of service, aka the "Winsock Mutex" vulnerability. 20010126 ntsecurity.nu advisory: Winsock Mutex Vulnerability in Windows NT 4.0 SP6 and below MS01-003 winnt-mutex-dos(6006) Entry Buffer overflow in NetScreen Firewall WebUI allows remote attackers to cause a denial of service via a long URL request to the web administration interface. 20010109 NSFOCUS SA2001-01: NetScreen Firewall WebUI Buffer Overflow vulnerability 2176 netscreen-webui-bo(5908) 1707 Entry Backdoor account in Interbase database server allows remote attackers to overwrite arbitrary files using stored procedures. CA-2001-01 2192 interbase-backdoor-account(5911) Entry Directory traversal vulnerability in Lotus Domino 5.0.5 web server allows remote attackers to read arbitrary files via a .. attack. 20010105 Lotus Domino 5.0.5 Web Server vulnerability - reading files outside the web root 20010109 bugtraq id 2173 Lotus Domino Server 2173 lotus-domino-directory-traversal(5899) 1703 Entry Buffer overflow in transaction signature (TSIG) handling code in BIND 8 allows remote attackers to gain root privileges. 20010129 Vulnerabilities in BIND 4 and 8 CA-2001-02 ERS-SVA-E01-2001:002.1 DSA-026 MDKSA-2001-017 RHSA-2001:007 000377 FreeBSD-SA-01:18 bind-tsig-bo 2302 Entry Buffer overflow in nslookupComplain function in BIND 4 allows remote attackers to gain root privileges. 20010129 Vulnerabilities in BIND 4 and 8 CA-2001-02 ERS-SVA-E01-2001:002.1 MDKSA-2001-017 RHSA-2001:007 000377 FreeBSD-SA-01:18 bind-complain-bo 2307 Entry BIND 4 and BIND 8 allow remote attackers to access sensitive information such as environment variables. 20010129 Vulnerabilities in BIND 4 and 8 CA-2001-02 DSA-026 ERS-SVA-E01-2001:002.1 MDKSA-2001-017 RHSA-2001:007 000377 FreeBSD-SA-01:18 bind-inverse-query-disclosure 2321 Entry Format string vulnerability in nslookupComplain function in BIND 4 allows remote attackers to gain root privileges. 20010129 Vulnerabilities in BIND 4 and 8 CA-2001-02 ERS-SVA-E01-2001:002.1 MDKSA-2001-017 RHSA-2001:007 000377 FreeBSD-SA-01:18 bind-complain-format-string 2309 Entry Remote Data Protocol (RDP) in Windows 2000 Terminal Service does not properly handle certain malformed packets, which allows remote attackers to cause a denial of service, aka the "Invalid RDP Data" vulnerability. MS01-006 win2k-rdp-dos 2326 Entry Network Dynamic Data Exchange (DDE) in Windows 2000 allows local users to gain SYSTEM privileges via a "WM_COPYDATA" message to an invisible window that is running with the privileges of the WINLOGON process. A020501-1 MS01-007 2341 win-dde-elevate-privileges(6062) Entry NTLM Security Support Provider (NTLMSSP) service does not properly check the function number in an LPC request, which could allow local users to gain administrator level access. 20010207 Local promotion vulnerability in NT4's NTLM Security Support Provider MS01-008 2348 ntlm-ssp-elevate-privileges(6076) Entry Memory leak in PPTP server in Windows NT 4.0 allows remote attackers to cause a denial of service via a malformed data packet, aka the "Malformed PPTP Packet Stream" vulnerability. MS01-009 2368 winnt-pptp-dos(6103) Entry Windows 2000 domain controller in Windows 2000 Server, Advanced Server, or Datacenter Server allows remote attackers to cause a denial of service via a flood of malformed service requests. 20001202 UDP Ping-pong in Win2k MS01-011 win2k-domain-controller-dos(6136) L-049 Entry Directory traversal vulnerability in Arrowpoint (aka Cisco Content Services, or CSS) allows local unprivileged users to read arbitrary files via a .. (dot dot) attack. A013101-1 20010131 Cisco Content Services Switch Vulnerability cisco-ccs-file-access(6031) 2331 1757 Entry MailMan Webmail 3.0.25 and earlier allows remote attackers to execute arbitrary commands via shell metacharacters in the alternate_template parameter. 20001206 (SRADV00005) Remote command execution vulnerabilities in MailMan Webmail http://www.endymion.com/products/mailman/history.htm 2063 mailman-alternate-templates Entry rp-pppoe PPPoE client allows remote attackers to cause a denial of service via the Clamp MSS option and a TCP packet with a zero-length TCP option. 20001211 DoS vulnerability in rp-pppoe versions <= 2.4 CLA-2000:357 MDKSA-2000:084 RHSA-2000:130 2098 rppppoe-zero-length-dos Entry Buffer overflow in the HTML parsing code in oops WWW proxy server 1.5.2 and earlier allows remote attackers to execute arbitrary commands via a large number of " (quotation) characters. 20001211 [pkc] remote heap buffer overflow in oops FreeBSD-SA-00:79 2099 oops-ftputils-bo Entry KTH Kerberos IV allows local users to change the configuration of a Kerberos server running at an elevated privilege by specifying an alternate directory using with the KRBCONFDIR environmental variable, which allows the user to gain additional privileges. 20001208 Vulnerabilities in KTH Kerberos IV 20001210 KTH upgrade and FIX kerberos4-user-config Entry KTH Kerberos IV allows local users to specify an alternate proxy using the krb4_proxy variable, which allows the user to generate false proxy responses and possibly gain privileges. 20001208 Vulnerabilities in KTH Kerberos IV 20001210 KTH upgrade and FIX kerberos4-arbitrary-proxy Entry Buffer overflow in the kdc_reply_cipher function in KTH Kerberos IV allows remote attackers to cause a denial of service and possibly execute arbitrary commands via a long authentication request. 20001208 Vulnerabilities in KTH Kerberos IV 20001210 KTH upgrade and FIX 20010130 Buffer overflow in old ssh-1.2.2x-afs-kerberosv4 patches kerberos4-auth-packet-overflow Entry KTH Kerberos IV allows local users to overwrite arbitrary files via a symlink attack on a ticket file. 20001208 Vulnerabilities in KTH Kerberos IV 20001210 KTH upgrade and FIX RHSA-2001:025 kerberos4-tmpfile-dos Entry IPSwitch IMail 6.0.5 allows remote attackers to cause a denial of service using the SMTP AUTH command by sending a base64-encoded user password whose length is between 80 and 136 bytes. 20001206 DoS by SMTP AUTH command in IPSwitch IMail server 2083 http://www.ipswitch.com/Support/IMail/news.html imail-smtp-auth-dos Entry APC UPS daemon, apcupsd, saves its process ID in a world-writable file, which allows local users to kill an arbitrary process by specifying the target process ID in the apcupsd.pid file. 20001206 apcupsd 3.7.2 Denial of Service MDKSA-2000:077 2070 apc-apcupsd-dos Entry Memory leak in Cisco Catalyst 4000, 5000, and 6000 series switches allows remote attackers to cause a denial of service via a series of failed telnet authentication attempts. 20001206 Cisco Catalyst Memory Leak Vulnerability 2072 cisco-catalyst-telnet-dos 801 Entry PHP 3.x (PHP3) on Apache 1.3.6 allows remote attackers to read arbitrary files via a modified .. (dot dot) attack containing "%5c" (encoded backslash) sequences. 20001206 CHINANSL Security Advisory(CSA-200011) 2060 apache-php-disclose-files Entry phpGroupWare before 0.9.7 allows remote attackers to execute arbitrary PHP commands by specifying a malicious include file in the phpgw_info parameter of the phpgw.inc.php program. 20001206 (SRADV00006) Remote command execution vulnerabilities in phpGroupWare http://sourceforge.net/project/shownotes.php?release_id=17604 2069 phpgroupware-include-files 1682 Entry Buffer overflow in BitchX IRC client allows remote attackers to cause a denial of service and possibly execute arbitrary commands via an IP address that resolves to a long DNS hostname or domain name. 20001207 BitchX DNS Overflow Patch 20001207 bitchx/ircd DNS overflow demonstration RHSA-2000:126 MDKSA-2000:079 FreeBSD-SA-00:78 CLA-2000:364 2087 irc-bitchx-dns-bo Entry One-byte buffer overflow in replydirname function in BSD-based ftpd allows remote attackers to gain root privileges. 20001218 NetBSD-SA2000-018 20001218 Trustix Security Advisory - ed, tcsh, and ftpd-BSD 2124 bsd-ftpd-replydirname-bo Entry Directory traversal vulnerability in FTP Serv-U before 2.5i allows remote attackers to escape the FTP root and read arbitrary files by appending a string such as "/..%20." to a CD command, a variant of a .. (dot dot) attack. 20001205 Serv-U FTP directory traversal vunerability (all versions) 20001205 (no subject) 2052 ftp-servu-homedir-travers 464 Entry CBOS 2.4.1 and earlier in Cisco 600 routers allows remote attackers to cause a denial of service via a slow stream of TCP SYN packets. 20001204 Multiple Vulnerabilities in CBOS cisco-cbos-syn-packets Entry The Cisco Web Management interface in routers running CBOS 2.4.1 and earlier does not log invalid logins, which allows remote attackers to guess passwords without detection. 20001204 Multiple Vulnerabilities in CBOS cisco-cbos-invalid-login Entry Cisco 600 routers running CBOS 2.4.1 and earlier allow remote attackers to cause a denial of service via a large ICMP echo (ping) packet. 20001204 Multiple Vulnerabilities in CBOS cisco-cbos-icmp-echo Entry The Web interface to Cisco 600 routers running CBOS 2.4.1 and earlier allow remote attackers to cause a denial of service via a URL that does not end in a space character. 20001204 Multiple Vulnerabilities in CBOS cisco-cbos-web-access 460 Entry patchadd in Solaris allows local users to overwrite arbitrary files via a symlink attack. 20001218 Solaris patchadd(1) (3) symlink vulnerabilty 2127 solaris-patchadd-symlink Entry Format string vulnerability in stunnel 3.8 and earlier allows attackers to execute arbitrary commands via a malformed ident username. 20001218 Stunnel format bug RHSA-2000:129 CLA-2000:363 20001209 Trustix Security Advisory - stunnel DSA-009 FreeBSD-SA-01:05 stunnel-format-logfile 2128 Entry procfs in FreeBSD and possibly other operating systems does not properly restrict access to per-process mem and ctl files, which allows local users to gain root privileges by forking a child process and executing a privileged process from the child, while the parent retains access to the child's address space. FreeBSD-SA-00:77 2130 procfs-elevate-privileges(6106) 1697 Entry procfs in FreeBSD and possibly other operating systems allows local users to cause a denial of service by calling mmap on the process' own mem file, which causes the kernel to hang. FreeBSD-SA-00:77 2131 procfs-mmap-dos(6107) 1698 6082 Entry procfs in FreeBSD and possibly other operating systems allows local users to bypass access control restrictions for a jail environment and gain additional privileges. FreeBSD-SA-00:77 2132 procfs-access-control-bo(6108) 1691 Entry Secure Locate (slocate) allows local users to corrupt memory via a malformed database file that specifies an offset value that accesses memory outside of the intended buffer. 20001126 [MSY] S(ecure)Locate heap corruption vulnerability DSA-005-1 20001217a MDKSA-2000:085 RHSA-2000:128 CLA-2001:369 TLSA2001002-1 slocate-heap-execute-code(5594) 2004 Entry dialog before 0.9a-20000118-3bis in Debian GNU/Linux allows local users to overwrite arbitrary files via a symlink attack. DSA-008-1 2151 dialog-symlink Entry gpg (aka GnuPG) 1.0.4 and other versions does not properly verify detached signatures, which allows attackers to modify the contents of a file without detection. RHSA-2000:131 MDKSA-2000-087 DSA-010-1 gnupg-detached-sig-modify CLA-2000:368 2141 20001220 Trustix Security Advisory - gnupg, ftpd-BSD 1699 Entry gpg (aka GnuPG) 1.0.4 and other versions imports both public and private keys from public key servers without notifying the user about the private keys, which could allow an attacker to break the web of trust. RHSA-2000:131 MDKSA-2000-087 DSA-010-1 CLA-2000:368 20001220 Trustix Security Advisory - gnupg, ftpd-BSD 2153 gnupg-reveal-private 1702 Entry The clustmon service in Sun Cluster 2.x does not require authentication, which allows remote attackers to obtain sensitive information such as system logs and cluster configurations. 20001212 Two Holes in Sun Cluster 2.x clustmon-no-authentication(6123) Entry in.mond in Sun Cluster 2.x allows local users to read arbitrary files via a symlink attack on the status file of a host running HA-NFS. 20001212 Two Holes in Sun Cluster 2.x ha-nfs-symlink(6125) 6437 Entry Cisco Catalyst 6000, 5000, or 4000 switches allow remote attackers to cause a denial of service by connecting to the SSH service with a non-SSH client, which generates a protocol mismatch error. 20001213 Cisco Catalyst SSH Protocol Mismatch Vulnerability 2117 cisco-catalyst-ssh-mismatch Entry swinit in nCipher does not properly disable the Operator Card Set recovery feature even when explicitly disabled by the user, which could allow attackers to gain access to application keys. 20001212 nCipher Security Advisory: Operator Cards unexpectedly recoverable http://active.ncipher.com/updates/advisory.txt ncipher-recover-operator-cards(5999) 4849 Entry Windows Media Unicast Service in Windows Media Services 4.0 and 4.1 does not properly shut down some types of connections, producing a memory leak that allows remote attackers to cause a denial of service via a series of severed connections, aka the "Severed Windows Media Server Connection" vulnerability. MS00-097 Q281256 mediaservices-dropped-connection-dos Entry Buffer overflow in Kermit communications software in HP-UX 11.0 and earlier allows local users to cause a denial of service and possibly execute arbitrary commands. HPSBUX0012-135 2170 hpux-kermit-bo Entry Internet Explorer 5.0 through 5.5 allows remote attackers to read arbitrary files from the client via the INPUT TYPE element in an HTML form, aka the "File Upload via Form" vulnerability. MS00-093 ie-form-file-upload Entry The Print Templates feature in Internet Explorer 5.5 executes arbitrary custom print templates without prompting the user, which could allow an attacker to execute arbitrary ActiveX controls, aka the "Browser Print Template" vulnerability. MS00-093 2046 ie-print-template(5614) Entry The ActiveX control for invoking a scriptlet in Internet Explorer 5.0 through 5.5 renders arbitrary file types instead of HTML, which allows an attacker to read arbitrary files, aka a variant of the "Scriptlet Rendering" vulnerability. MS00-093 ie-scriptlet-rendering-read-files(6085) 7820 Entry A function in Internet Explorer 5.0 through 5.5 does not properly verify the domain of a frame within a browser window, which allows a remote attacker to read client files, aka a new variant of the "Frame Domain Verification" vulnerability. MS00-093 ie-frame-verification-read-files(6086) 7817 Entry Buffer overflow in kdc_reply_cipher of libkrb (Kerberos 4 authentication library) in NetBSD 1.5 and FreeBSD 4.2 and earlier, as used in Kerberised applications such as telnetd and login, allows local users to gain root privileges. NetBSD-SA2000-017 FreeBSD-SA-01:25 kerberos4-auth-packet-overflow(5734) Entry catman in Solaris 2.7 and 2.8 allows local users to overwrite arbitrary files via a symlink attack on the sman_PID temporary file. 20001218 Catman file clobbering vulnerability Solaris 2.x 4392144 solaris-catman-symlink(5788) 6024 Entry FrontPage Server Extensions (FPSE) in IIS 4.0 and 5.0 allows remote attackers to cause a denial of service via a malformed form, aka the "Malformed Web Form Submission" vulnerability. MS00-100 iis-web-form-submit Entry bsguest.cgi guestbook script allows remote attackers to execute arbitrary commands via shell metacharacters in the email address. 20001221 BS Scripts Vulnerabilities http://www.stanback.net/ bsguest-cgi-execute-commands Entry bslist.cgi mailing list script allows remote attackers to execute arbitrary commands via shell metacharacters in the email address. 20001221 BS Scripts Vulnerabilities http://www.stanback.net/ bslist-cgi-execute-commands Entry Vulnerability in top in HP-UX 11.04 and earlier allows local users to overwrite files owned by the "sys" group. HPSBUX0012-134 hp-top-sys-files Entry Vulnerability in inetd server in HP-UX 11.04 and earlier allows attackers to cause a denial of service when the "swait" state is used by a server. HPSBUX0101-136 hp-inetd-swait-dos(5904) Entry PHP Apache module 4.0.4 and earlier allows remote attackers to bypass .htaccess access restrictions via a malformed HTTP request on an unrestricted page that causes PHP to use those access controls on the next page that is requested. 20010112 PHP Security Advisory - Apache Module bugs MDKSA-2001:013 CLA-2001:373 DSA-020 RHSA-2000:136 php-htaccess-unauth-access(5940) 2206 Entry rctab in SuSE 7.0 and earlier allows local users to create or overwrite arbitrary files via a symlink attack on the rctmp temporary file. 20010113 Serious security flaw in SuSE rctab 20010117 Re: Serious security flaw in SuSE rctab 2207 rctab-elevate-privileges(5945) Entry Buffer overflow in jaZip Zip/Jaz drive manager allows local users to gain root privileges via a long DISPLAY environmental variable. 20010114 Vulnerability in jaZip. DSA-017 jazip-display-bo(5942) 2209 Entry Format string vulnerability in splitvt before 1.6.5 allows local users to execute arbitrary commands via the -rcfile command line argument. 20010114 [MSY] Multiple vulnerabilities in splitvt DSA-014-1 splitvt-perserc-format-string(5948) 2210 Entry Buffer overflow in arp command in Solaris 7 and earlier allows local users to execute arbitrary commands via a long -f parameter. 20010111 Solaris Arp Vulnerability 20010112 arp exploit 00200 solaris-arp-bo(5928) 2193 Entry gpm 1.19.3 allows local users to overwrite arbitrary files via a symlink attack. 20010110 Immunix OS Security update for lots of temp file problems MDKSA-2001:006 2188 linux-gpm-symlink(5917) Entry sdiff 2.7 in the diffutils package allows local users to overwrite files via a symlink attack. 20010110 Immunix OS Security update for lots of temp file problems IMNX-2000-70-028-01 MDKSA-2001:008-1 RHSA-2001:116 VU#579928 linux-diffutils-sdiff-symlink(5914) 2191 Entry rdist 6.1.5 allows local users to overwrite arbitrary files via a symlink attack. 20010110 Immunix OS Security update for lots of temp file problems MDKSA-2001-005 2195 rdist-symlink(5925) Entry getty_ps 2.0.7j allows local users to overwrite arbitrary files via a symlink attack. 20010110 Immunix OS Security update for lots of temp file problems MDKSA-2001:004 2194 gettyps-symlink(5924) Entry useradd program in shadow-utils program may allow local users to overwrite arbitrary files via a symlink attack. 20010110 Immunix OS Security update for lots of temp file problems MDKSA-2001:007 2196 shadow-utils-useradd-symlink(5927) Entry ImageCast Control Center 4.1.0 allows remote attackers to cause a denial of service (resource exhaustion or system crash) via a long string to port 12002. 20010108 def-2001-01: ImageCast IC3 Control Center DoS storagesoft-imagecast-dos(5901) 2174 Entry Kernel leak in AfpaCache module of the Fast Response Cache Accelerator (FRCA) component of IBM HTTP Server 1.3.x and Websphere 3.52 allows remote attackers to cause a denial of service via a series of malformed HTTP requests that generate a "bad request" error. 20010108 def-2001-02: IBM Websphere 3.52 Kernel Leak DoS 20010307 def-2001-02: IBM HTTP Server Kernel Leak DoS (re-release) http://www-4.ibm.com/software/webservers/security.html 2175 ibm-websphere-dos(5900) Entry Directory traversal vulnerability in eXtropia bbs_forum.cgi 1.0 allows remote attackers to read arbitrary files via a .. (dot dot) attack on the file parameter. 20010107 Cgisecurity.com Advisory #3.1 http://www.extropia.com/hacks/bbs_security.html 2177 http-cgi-bbs-forum(5906) 3546 Entry Buffer overflow in exrecover in Solaris 2.6 and earlier possibly allows local users to gain privileges via a long command line argument. 20010109 Solaris /usr/lib/exrecover buffer overflow 4161925 solaris-exrecover-bo(5913) 2179 Entry exmh 2.2 and earlier allows local users to overwrite arbitrary files via a symlink attack on the exmhErrorMsg temporary file. 20001231 Advisory: exmh symlink vulnerability 20010112 exmh security vulnerability http://www.beedub.com/exmh/symlink.html FreeBSD-SA-01:17 MDKSA-2001:015 DSA-022 exmh-error-symlink Entry Oracle XSQL servlet 1.0.3.0 and earlier allows remote attackers to execute arbitrary Java code by redirecting the XSQL server to another source via the xml-stylesheet parameter in the xslt stylesheet. 20010109 Oracle XSQL servlet and xml-stylesheet allow executing java on the web server 20010123 Patch for Potential Vulnerability in Oracle XSQL Servlet oracle-xsql-execute-code(5905) Entry Zope before 2.2.4 does not properly compute local roles, which could allow users to bypass specified access restrictions and gain privileges. MDKSA-2000-083 CLA-2000:365 RHSA-2000:127 DSA-006-1 FreeBSD-SA-01:06 zope-calculate-roles 6284 Entry Buffer overflow in Tinyproxy HTTP proxy 1.3.3 and earlier allows remote attackers to cause a denial of service and possibly execute arbitrary commands via a long connect request. 20010117 [pkc] remote heap overflow in tinyproxy DSA-018 FreeBSD-SA-01:15 2217 tinyproxy-remote-bo(5954) Entry Buffer overflow in HTML parser of the Lotus R5 Domino Server before 5.06, and Domino Client before 5.05, allows remote attackers to cause a denial of service and possibly execute arbitrary commands via a malformed font size specifier. http://service1.symantec.com/sarc/sarc.nsf/info/html/Lotus.Domino.Denial.of.Service.Malformed.HTML.Email.html lotus-html-bo(6207) Entry Memory leak in ProFTPd 1.2.0rc2 allows remote attackers to cause a denial of service via a series of USER commands, and possibly SIZE commands if the server has been improperly installed. 20001220 ProFTPD 1.2.0 Memory leakage - denial of service 20010109 Memory leakage in ProFTPd leads to remote DoS (SIZE FTP); (Exploit Code) 20010110 Re: Memory leakage in ProFTPd leads to remote DoS (SIZE FTP); (Exploit Code) MDKSA-2001:021 DSA-029 CLA-2001:380 20010213 Trustix Security Advisory - proftpd, kernel proftpd-size-memory-leak Entry Windows Media Player 7 allows remote attackers to execute malicious Java applets in Internet Explorer clients by enclosing the applet in a skin file named skin.wmz, then referencing that skin in the codebase parameter to an applet tag, aka the Windows Media Player Skins File Download" vulnerability. 20010115 Windows Media Player 7 and IE java vulnerability - executing arbitrary programs MS01-010 win-mediaplayer-arbitrary-code(5937) 2203 Entry privatepw program in wu-ftpd before 2.6.1-6 allows local users to overwrite arbitrary files via a symlink attack. 20010110 Immunix OS Security update for lots of temp file problems MDKSA-2001-001 DSA-016 2189 linux-wuftpd-privatepw-symlink(5915) Entry inn 2.2.3 allows local users to overwrite arbitrary files via a symlink attack in some configurations. 20010110 Immunix OS Security update for lots of temp file problems MDKSA-2001:010 CSSA-2001-001.0 linux-inn-symlink(5916) 2190 Entry arpwatch 2.1a4 allows local users to overwrite arbitrary files via a symlink attack in some configurations. 20010110 Immunix OS Security update for lots of temp file problems MDKSA-2001:002 tcpdump-arpwatch-symlink(5922) 2183 Entry mgetty 1.1.22 allows local users to overwrite arbitrary files via a symlink attack in some configurations. 20010110 Immunix OS Security update for lots of temp file problems MDKSA-2001:009 DSA-011 CSSA-2001-002.0 RHSA-2001:050 2187 linux-mgetty-symlink(5918) Entry squid 2.3 and earlier allows local users to overwrite arbitrary files via a symlink attack in some configurations. 20010112 Trustix Security Advisory - diffutils squid 20010110 Immunix OS Security update for lots of temp file problems MDKSA-2001:003 DSA-019 squid-email-symlink(5921) 2184 Entry vpop3d program in linuxconf 1.23r and earlier allows local users to overwrite arbitrary files via a symlink attack. 20010110 Immunix OS Security update for lots of temp file problems MDKSA-2001:011 2186 linuxconf-vpop3d-symlink(5923) Entry CORE SDI SSH1 CRC-32 compensation attack detector allows remote attackers to execute arbitrary commands on an SSH server or client via an integer overflow. 20010208 Remote vulnerability in SSH daemon crc32 compensation attack detector 20010208 [CORE SDI ADVISORY] SSH1 CRC-32 compensation attack detector 20011122 Secure Computing SafeWord uses vulnerable ssh server CA-2001-35 2347 503 795 ssh-deattack-overwrite-memory(6083) Entry Buffer overflow in Windows 2000 event viewer snap-in allows attackers to execute arbitrary commands via a malformed field that is improperly handled during the detailed view of event records. MS01-013 Entry The WMP ActiveX Control in Windows Media Player 7 allows remote attackers to execute commands in Internet Explorer via javascript URLs, a variant of the "Frame Domain Verification" vulnerability. 20010101 Windows Media Player 7 and IE vulnerability - executing arbitrary programs MS01-015 media-player-execute-commands(6227) Entry Windows Scripting Host in Internet Explorer 5.5 and earlier allows remote attackers to read arbitrary files via the GetObject Javascript function and the htmlfile ActiveX object. 20000926 IE 5.5/Outlook Express security vulnerability - GetObject() expose user's files 20000926 IE 5.5/Outlook Express security vulnerability - GetObject() expose user's files MS01-015 1718 ie-getobject-expose-files(5293) Entry Internet Explorer 5.5 and earlier executes Telnet sessions using command line arguments that are specified by the web site, which could allow remote attackers to execute arbitrary commands if the IE client is using the Telnet client provided in Services for Unix (SFU) 2.0, which creates session transcripts. 20010313 Internet Explorer and Services for Unix 2.0 Telnet Client MS01-015 2463 7816 ie-telnet-execute-commands(6230) Entry IIS 5.0 allows remote attackers to cause a denial of service via a series of malformed WebDAV requests. MS01-016 iis-webdav-dos(6205) oval:org.mitre.oval:def:90 Entry The password protection option for the Compressed Folders feature in Plus! for Windows 98 and Windows Me writes password information to a file, which allows local users to recover the passwords and read the compressed folders. MS01-019 Entry Buffer overflow in VB-TSQL debugger object (vbsdicli.exe) in Visual Studio 6.0 Enterprise Edition allows remote attackers to execute arbitrary commands. 20010327 Remote buffer overflow in DCOM VB T-SQL debugger MS01-018 Entry HTML e-mail feature in Internet Explorer 5.5 and earlier allows attackers to execute attachments by setting an unusual MIME type for the attachment, which Internet Explorer does not process correctly. 20010330 Incorrect MIME Header Can Cause IE to Execute E-mail Attachment MS01-020 CA-2001-06 L-066 2524 7806 oval:org.mitre.oval:def:141 1001197 ie-mime-execute-code(6306) Entry Format string vulnerability in VShell SSH gateway 1.0.1 and earlier allows remote attackers to execute arbitrary commands via a user name that contains format string specifiers. A021601-1 http://www.vandyke.com/products/vshell/security102.html Entry VShell SSH gateway 1.0.1 and earlier has a default port forwarding rule of 0.0.0.0/0.0.0.0, which could allow local users conduct arbitrary port forwarding to other systems. A021601-1 http://www.vandyke.com/products/vshell/security102.html vshell-port-forwarding-rule(6148) 2402 Entry Debugging utility in the backdoor mode of Palm OS 3.5.2 and earlier allows attackers with physical access to a Palm device to bypass access restrictions and obtain passwords, even if the system lockout mechanism is enabled. A030101-1 palm-debug-bypass-password(6196) Entry Buffer overflow in Netscape Directory Server 4.12 and earlier allows remote attackers to cause a denial of service or execute arbitrary commands via a malformed recipient field. A030701-1 netscape-directory-server-bo(6233) Entry Buffer overflow in ximp40 shared library in Solaris 7 and Solaris 8 allows local users to gain privileges via a long "arg0" (process name) argument. 20010131 [SPSadvisory#40]Solaris7/8 ximp40 shared library buffer overflow 4409148 solaris-ximp40-bo 2322 Entry Macromedia Shockwave Flash plugin version 8 and earlier allows remote attackers to cause a denial of service via malformed tag length specifiers in a SWF file. 20001229 Shockwave Flash buffer overflow shockwave-flash-swf-bo Entry When using the LD_PRELOAD environmental variable in SUID or SGID applications, glibc does not verify that preloaded libraries in /etc/ld.so.cache are also SUID/SGID, which could allow a local user to overwrite arbitrary files by loading a library from /lib or /usr/lib. MDKSA-2001:012 SuSE-SA:2001:01 CSSA-2001-007 RHSA-2001:002 DSA-039 TLSA2000021-2 20010121 Trustix Security Advisory - glibc 2223 linux-glibc-preload-overwrite Entry glibc 2.1.9x and earlier does not properly clear the RESOLV_HOST_CONF, HOSTALIASES, or RES_OPTIONS environmental variables when executing setuid/setgid programs, which could allow local users to read arbitrary files. 20010110 Glibc Local Root Exploit 20010110 [slackware-security] glibc 2.2 local vulnerability on setuid binaries RHSA-2001:001 2181 linux-glibc-read-files Entry Buffer overflow in Trend Micro Virus Buster 2001 8.00 allows remote attackers to cause a denial of service, and possibly execute arbitrary commands, via a large "To" address. 20010130 Security hole in Virus Buster 2001 virusbuster-mua-bo(6034) 6138 Entry The caching module in Netscape Fasttrack Server 4.1 allows remote attackers to cause a denial of service (resource exhaustion) by requesting a large number of non-existent URLs. 20010122 def-2001-05: Netscape Fasttrack Server Caching DoS 20010124 iPlanet FastTrack/Enterprise 4.1 DoS clarifications 2273 netscape-fasttrack-cache-dos(5985) Entry The setuid doroot program in Voyant Sonata 3.x executes arbitrary command line arguments, which allows local users to gain root privileges. 20001218 More Sonata Conferencing software vulnerabilities. 2125 sonata-command-execute(5787) Entry kdesu program in KDE2 (KDE before 2.2.0-6) does not properly verify the owner of a UNIX socket that is used to send a password, which allows local users to steal passwords and gain privileges. MDKSA-2001:018 CSSA-2001-005.0 SuSE-SA:2001:02 kde2-kdesu-retrieve-passwords Entry Allaire JRun 3.0 allows remote attackers to list contents of the WEB-INF directory, and the web.xml file in the WEB-INF directory, via a malformed URL that contains a "." ASB01-02 jrun-webinf-file-retrieval Entry FireWall-1 4.1 with a limited-IP license allows remote attackers to cause a denial of service by sending a large number of spoofed IP packets with various source addresses to the inside interface, which floods the console with warning messages and consumes CPU resources. 20010117 Licensing Firewall-1 DoS Attack fw1-limited-license-dos 2238 1733 Entry ipfw and ip6fw in FreeBSD 4.2 and earlier allows remote attackers to bypass access restrictions by setting the ECE flag in a TCP packet, which makes the packet appear to be part of an established connection. 20010125 ecepass - proof of concept code for FreeBSD ipfw bypass FreeBSD-SA-01:08 L-029 2293 1743 ipfw-bypass-firewall(5998) Entry Netopia R9100 router version 4.6 allows authenticated users to cause a denial of service by using the router's telnet program to connect to the router's IP address, which causes a crash. 20010123 Make The Netopia R9100 Router To Crash 2287 netopia-telnet-dos Entry Format string vulnerability in wu-ftp 2.6.1 and earlier, when running with debug mode enabled, allows remote attackers to execute arbitrary commands via a malformed argument that is recorded in a PASV port assignment. DSA-016 ftp://ftp.wu-ftpd.org/pub/wu-ftpd/patches/apply_to_current/missing_format_strings.patch CLA-2001:443 2296 wuftp-debug-format-string Entry Directory traversal vulnerability in LocalWEB2000 HTTP server allows remote attackers to read arbitrary commands via a .. (dot dot) attack in an HTTP GET request. 20010119 LocalWEB2000 Directory Traversal Vulnerability 2268 localweb2k-directory-traversal Entry Buffer overflow in /usr/bin/cu in Solaris 2.8 and earlier, and possibly other operating systems, allows local users to gain privileges by executing cu with a long program name (arg0). 20010117 Solaris /usr/bin/cu Vulnerability 20010123 Solaris /usr/bin/cu Vulnerability 4406722 cu-argv-bo(6224) Entry gnuserv before 3.12, as shipped with XEmacs, does not properly check the specified length of an X Windows MIT-MAGIC-COOKIE cookie, which allows remote attackers to execute arbitrary commands via a buffer overflow, or brute force authentication by using a short cookie length. 20010202 Remote vulnerability in gnuserv/XEmacs RHSA-2001:010 RHSA-2001:011 MDKSA-2001:019 gnuserv-tcp-cookie-overflow(6056) Entry Format string vulnerability in man in some Linux distributions allows local users to gain privileges via a malformed -l parameter. 20010131 SuSe / Debian man package format string vulnerability DSA-028 2327 man-i-format-string(6059) Entry Buffer overflow in httpGets function in CUPS 1.1.5 allows remote attackers to execute arbitrary commands via a long input line. MDKSA-2001:020-1 cups-httpgets-dos(6043) 6064 Entry sash before 3.4-4 in Debian GNU/Linux does not properly clone /etc/shadow, which makes it world-readable and could allow local users to gain privileges via password cracking. DSA-015 linux-sash-shadow-readable Entry inetd ident server in FreeBSD 4.x and earlier does not properly set group permissions, which allows remote attackers to read the first 16 bytes of files that are accessible by the wheel group. FreeBSD-SA-01:11 2324 inetd-ident-read-files(6052) 1753 Entry Format string vulnerability in print_client in icecast 1.3.8beta2 and earlier allows remote attackers to execute arbitrary commands. 20010121 [pkc] format bugs in icecast 1.3.8b2 and prior CLA-2001:374 RHSA-2001:004 icecast-format-string 2264 Entry Watchguard Firebox II firewall allows users with read-only access to gain read-write access, and administrative privileges, by accessing a file that contains hashed passphrases, and using the hashes during authentication. 20010120 Watchguard Firewall Elevated Privilege Vulnerability 2284 watchguard-firebox-obtain-passphrase Entry Watchguard Firebox II allows remote attackers to cause a denial of service by establishing multiple connections and sending malformed PPTP packets. 20010214 def-2001-07: Watchguard Firebox II PPTP DoS 2369 firebox-pptp-dos(6109) Entry Buffer overflow in bing allows remote attackers to execute arbitrary commands via a long hostname, which is copied to a small buffer after a reverse DNS lookup using the gethostbyaddr function. 20010119 Buffer overflow in bing linux-bing-bo 2279 Entry ROADS search.pl program allows remote attackers to read arbitrary files by specifying the file name in the form parameter and terminating the filename with a null byte. 20010212 ROADS search system "show files" Vulnerability with "null bite" bug http://www.roads.lut.ac.uk/lists/open-roads/2001/02/0001.html roads-search-view-files(6097) 2371 Entry Format string vulnerability in mars_nwe 0.99.pl19 allows remote attackers to execute arbitrary commands. 20010126 format string vulnerability in mars_nwe 0.99pl19 FreeBSD-SA-01:20 mars-nwe-format-string(6019) Entry Vulnerability in Support Tools Manager (xstm,cstm,stm) in HP-UX 11.11 and earlier allows local users to cause a denial of service. HPSBUX0101-137 hp-stm-dos 2239 6991 7029 7030 Entry Buffer overflow in ja-xklock 2.7.1 and earlier allows local users to gain root privileges. FreeBSD-SA-01:19 ja-xklock-bo(6073) Entry webmin 0.84 and earlier allows local users to overwrite and create arbitrary files via a symlink attack. MDKSA-2001-016 CSSA-2001-004.0 linux-webmin-tmpfiles Entry Buffer overflow in dc20ctrl before 0.4_1 in FreeBSD, and possibly other operating systems, allows local users to gain privileges. FreeBSD-SA-01:22 dc20ctrl-port-bo(6077) 6081 Entry Buffer overflow in micq client 0.4.6 and earlier allows remote attackers to cause a denial of service, and possibly execute arbitrary commands, via a long Description field. 20010124 patch Re: [PkC] Advisory #003: micq-0.4.6 remote buffer overflow 20010118 [PkC] Advisory #003: micq-0.4.6 remote buffer overflow DSA-012 FreeBSD-SA-01:14 RHSA-2001:005 micq-sprintf-remote-bo(5962) Entry NewsDaemon before 0.21b allows remote attackers to execute arbitrary SQL queries and gain privileges via a malformed user_username parameter. 20010126 NewsDaemon remote administrator access http://sourceforge.net/forum/forum.php?forum_id=60570 newsdaemon-gain-admin-access Entry Vulnerability in crontab allows local users to read crontab files of other users by replacing the temporary file that is being edited while crontab is running. DSA-024 FreeBSD-SA-01:09 2332 crontab-read-files(6225) Entry Buffer overflow in Solaris snmpXdmid SNMP to DMI mapper daemon allows remote attackers to execute arbitrary commands via a long "indication" event. 20010314 Solaris /usr/lib/dmi/snmpXdmid vulnerability CA-2001-05 L-065 00207 solaris-snmpxdmid-bo(6245) 2417 Entry Memory leak in Microsoft 2000 domain controller allows remote attackers to cause a denial of service by repeatedly connecting to the Kerberos service and then disconnecting without sending any data. 20010509 def-2001-24: Windows 2000 Kerberos DoS MS01-024 L-079 win2k-kerberos-dos(6506) 2707 Entry Microsoft Data Access Component Internet Publishing Provider 8.103.2519.0 and earlier allows remote attackers to bypass Security Zone restrictions via WebDAV requests. MS01-022 L-074 ms-dacipp-webdav-access(6405) Entry Microsoft Internet Security and Acceleration (ISA) Server 2000 Web Proxy allows remote attackers to cause a denial of service via a long web request with a specific type. 20010416 [SX-20010320-2] - Microsoft ISA Server Denial of Service 20010427 Microsoft ISA Server Vulnerability 20010417 [SX-20010320-2b] - Followup re. Microsoft ISA Server Denial of Service MS01-021 L-073 2600 isa-web-proxy-dos(6383) Entry Microsoft Word before Word 2002 allows attackers to automatically execute macros without warning the user via a Rich Text Format (RTF) document that links to a template with the embedded macro. MS01-028 word-rtf-macro-execution(6571) 2753 Entry Buffer overflow in Internet Printing ISAPI extension in Windows 2000 allows remote attackers to gain root privileges via a long print request that is passed to the extension through IIS 5.0. 20010501 Windows 2000 IIS 5.0 Remote buffer overflow vulnerability (Remote SYSTEM Level Access) MS01-023 CA-2001-10 2674