Entry Buffer overflow in NFS mountd gives root access to remote attackers, mostly in Linux systems. 19981006-01-I CA-98.12.mountd J-006 121 linux-mountd-bo Entry Execute commands as root via buffer overflow in Tooltalk database server (rpc.ttdbserverd). NAI-29 CA-98.11.tooltalk 19981101-01-A 19981101-01-PX aix-ttdbserver tooltalk 122 Entry Arbitrary command execution via IMAP buffer overflow in authenticate command. CA-98.09.imapd 00177 130 imap-authenticate-bo Entry Buffer overflow in POP servers based on BSD/Qualcomm's qpopper allows remote attackers to gain root access using a long PASS command. CA-98.08.qpopper_vul 19980801-01-I AA-98.01 qpopper-pass-overflow 133 Entry Information from SSL-encrypted sessions via PKCS #1. CA-98.07.PKCS MS98-002 nt-ssl-fix Entry Buffer overflow in NIS+, in Sun's rpc.nisd program. CA-98.06.nisd 00170 June10,1998 nisd-bo-check Entry Inverse query buffer overflow in BIND 4.9 and BIND 8 Releases. 19980603-01-PX HPSBUX9808-083 00180 CA-98.05.bind_problems bind-bo 134 Entry Denial of Service vulnerability in BIND 8 Releases via maliciously formatted DNS messages. CA-98.05.bind_problems 19980603-01-PX HPSBUX9808-083 bind-dos Entry Denial of Service vulnerabilities in BIND 4.9 and BIND 8 Releases via CNAME record and zone transfer. CA-98.05.bind_problems 19980603-01-PX HPSBUX9808-083 00180 bind-axfr-dos Entry Some web servers under Microsoft Windows allow remote attackers to bypass access restrictions for files with long file names. CA-98.04.Win32.WebServers nt-web8.3 Entry Stolen credentials from SSH clients via ssh-agent program, allowing other local users to access remote accounts belonging to the ssh-agent user. CA-98.03.ssh-agent NAI-24 ssh-agent Entry Unauthorized privileged access or denial of service via dtappgather program in CDE. HPSBUX9801-075 00185 CA-98.02.CDE Entry Land IP denial of service. CA-97.28.Teardrop_Land FreeBSD-SA-98:01 HPSBUX9801-076 http://www.cisco.com/warp/public/770/land-pub.shtml cisco-land land 95-verv-tcp land-patch ver-tcpip-sys Entry FTP servers can allow an attacker to connect to arbitrary ports on machines other than the FTP client, aka FTP bounce. CA-97.27.FTP_bounce ftp-bounce ftp-privileged-port Entry Buffer overflow in statd allows root privileges. CA-97.26.statd AA-97.29 statd 127 Entry Delete or create a file via rpc.statd, due to invalid information. CA-96.09.rpc.statd rpc-stat 00135 Entry Arbitrary command execution via buffer overflow in Count.cgi (wwwcount) cgi-bin program. 19971010 Security flaw in Count.cgi (wwwcount) CA-97.24.Count_cgi http-cgi-count 128 Entry Local user gains root privileges via buffer overflow in rdist, via expstr() function. CA-97.23.rdist 00179 rdist-bo3 rdist-sept97 Entry Local user gains root privileges via buffer overflow in rdist, via lookup() function. CA-96.14.rdist_vul rdist-bo rdist-bo2 Entry DNS cache poisoning via BIND, by predictable query IDs. CA-97.22.bind bind NAI-11 Entry root privileges via buffer overflow in df command on SGI IRIX systems. CA-1997-21 AA-97.19.IRIX.df.buffer.overflow.vul SGI:19970505-01-A SGI:19970505-02-PX VU#20851 346 df-bo(440) Entry root privileges via buffer overflow in pset command on SGI IRIX systems. CA-97.21.sgi_buffer_overflow AA-97.20.IRIX.pset.buffer.overflow.vul pset-bo Entry root privileges via buffer overflow in eject command on SGI IRIX systems. CA-97.21.sgi_buffer_overflow AA-97.21.IRIX.eject.buffer.overflow.vul eject-bo Entry root privileges via buffer overflow in login/scheme command on SGI IRIX systems. CA-97.21.sgi_buffer_overflow AA-97.22.IRIX.login.scheme.buffer.overflow.vul sgi-schemebo Entry root privileges via buffer overflow in ordist command on SGI IRIX systems. CA-97.21.sgi_buffer_overflow AA-97.23-IRIX.ordist.buffer.overflow.vul ordist-bo Entry JavaScript in Internet Explorer 3.x and 4.x, and Netscape 2.x, 3.x and 4.x, allows remote attackers to monitor a user's web activities, aka the Bell Labs vulnerability. CA-97.20.javascript HPSBUX9707-065 Entry Buffer overflow in lpr, as used in BSD-based systems including Linux, allows local users to execute arbitrary code as root via a long -C (classification) command line option. 19960813 Possible bufferoverflow condition in lpr, xterm and xload 19961025 Linux & BSD's lpr exploit [freebsd-security] 19961025 Vadim Kolontsov: BoS: Linux & BSD's lpr exploit [linux-security] 19961122 LSF Update#14: Vulnerability of the lpr program. CA-97.19.bsdlp AA-96.12 H-08 I-042 19980402-01-PX 707 bsd-lprbo2 bsd-lprbo lpr-bo Entry Buffer overflow in suidperl (sperl), Perl 4.x and 5.x. CA-97.17.sperl perl-suid Entry Race condition in signal handling routine in ftpd, allowing read/write arbitrary files. ftp-ftpd CA-97.16.ftpd AA-97.03 Entry IRIX login program with a nonzero LOCKOUT parameter allows creation or damage to files. CA-97.15.sgi_login AA-97.12 H-106 19970508-02-PX 990 sgi-lockout(557) Entry Arbitrary command execution via metamail package using message headers, when user processes attacker's message using metamail. CA-97.14.metamail metamail-header-commands Entry Buffer overflow in xlock program allows local users to execute commands as root. CA-97.13.xlock xlock-bo Entry webdist CGI program (webdist.cgi) in SGI IRIX allows remote attackers to execute arbitrary commands via shell metacharacters in the distloc parameter. 19970507 Re: SGI Security Advisory 19970501-01-A - Vulnerability in 19970507 Re: SGI Advisory: webdist.cgi CA-1997-12 AA-97.14 19970501-02-PX 374 235 http-sgi-webdist(333) Entry Buffer overflow in Xt library of X Windowing System allows local users to execute commands with root privileges. CA-97.11.libXt libXt-bo Entry Buffer overflow in NLS (Natural Language Service). CA-97.10.nls nls-bo Entry Buffer overflow in University of Washington's implementation of IMAP and POP servers. NAI-21 CA-97.09.imap_pop popimap-bo Entry Command execution via shell metachars in INN daemon (innd) 1.5 using "newgroup" and "rmgroup" control messages, and others. CA-97.08.innd inn-controlmsg Entry fsdump command in IRIX allows local users to obtain root access by modifying sensitive files. 19970301-01-P sgi-fsdump Entry List of arbitrary files on Web host via nph-test-cgi script. CA-97.07.nph-test-cgi_script http-cgi-nph Entry Buffer overflow of rlogin program using TERM environmental variable. CA-97.06.rlogin-term rlogin-termbo Entry MIME conversion buffer overflow in sendmail versions 8.8.3 and 8.8.4. CA-97.05.sendmail 685 sendmail-mime-bo2 Entry Talkd, when given corrupt DNS information, can be used to execute arbitrary commands with root privileges. CA-97.04.talkd FreeBSD-SA-96:21 AA-97.01 00147 talkd-bo netkit-talkd Entry Csetup under IRIX allows arbitrary file creation or overwriting. sgi-csetup CA-97.03.csetup Entry Buffer overflow in HP-UX newgrp program. CA-97.02.hp_newgrp AA-96.16.HP-UX.newgrp.Buffer.Overrun.Vulnerability hp-newgrpbo Entry Arbitrary file creation and program execution using FLEXlm LicenseManager, from versions 4.0 to 5.0, in IRIX. sgi-licensemanager CA-97.01.flex_lm AA-96.03 Entry IP fragmentation denial of service in FreeBSD allows a remote attacker to cause a crash. FreeBSD-SA-98:08 908 freebsd-ip-frag-dos(1389) Entry TCP RST denial of service in FreeBSD. FreeBSD-SA-98:07 6094 Entry Sun's ftpd daemon can be subjected to a denial of service. 00171 sun-ftpd Entry Buffer overflows in Sun libnsl allow root access. 00172 IX80543 RSI.0005.05-14-98.SUN.LIBNSL sun-libnsl Entry Buffer overflow in Sun's ping program can give root access to local users. 00174 sun-ping Entry Vacation program allows command execution by remote users through a sendmail command. NAI-19 vacation HPSBUX9811-087 Entry Buffer overflow in PHP cgi program, php.cgi allows shell access. NAI-12 712 http-cgi-phpbo Entry IRIX fam service allows an attacker to obtain a list of all files on the server. NAI-16 353 164 irix-fam(325) Entry Attackers can cause a denial of service in Ascend MAX and Pipeline routers with a malformed packet to the discard port, which is used by the Java Configurator tool. NAI-26 ascend-config-kill http://www.ascend.com/2695.html Entry The chpass command in OpenBSD allows a local user to gain root access through file descriptor leakage. openbsd-chpass NAI-28 7559 Entry Cisco IOS 12.0 and other versions can be crashed by malicious UDP packets to the syslog port. ESB-98.197 http://www.cisco.com/warp/public/770/iossyslog-pub.shtml cisco-syslog-crash Entry Buffer overflow in AIX lquerylv program gives root access to local users. May28,1997 lquerylv-bo Entry Multiple buffer overflows in how dtmail handles attachments allows a remote attacker to execute commands. 00181 hp-dtmail Entry AnyForm CGI remote execution. 19950731 SECURITY HOLE: "AnyForm" CGI 719 http-cgi-anyform Entry phf CGI program allows remote command execution through shell metacharacters. 19960923 PHF Attacks - Fun and games for the whole family CA-1996-06 AA-96.01 629 136 http-cgi-phf Entry CGI PHP mylog script allows an attacker to read any file on the target server. 19971019 Vulnerability in PHP Example Logging Scripts http-cgi-php-mylog 713 3396 Entry Solaris ufsrestore buffer overflow. 00169 sun-ufsrestore 8158 Entry test-cgi program allows an attacker to list files on the server. http-cgi-test Entry Apache httpd cookie buffer overflow for versions 1.1.1 and earlier. http-apache-cookie NAI-2 Entry Buffer overflow in AIX xdat gives root access to local users. ERS-SVA-E01-1997:004.1 ibm-xdat Entry Telnet allows a remote client to specify environment variables including LD_LIBRARY_PATH, allowing an attacker to bypass the normal system libraries and gain root access. CA-95:14.Telnetd_Environment_Vulnerability linkerbug Entry Listening TCP ports are sequentially allocated, allowing spoofing attacks. seqport Entry PASV core dump in wu-ftpd daemon when attacker uses a QUOTE PASV command after specifying a username and password. 19961016 Re: ftpd bug? Was: bin/1805: Bug in ftpd ftp-pasvcore 5742 Entry Predictable TCP sequence numbers allow spoofing. tcp-seq-predict(139) Entry Remote attackers can cause a denial of service in FTP by issuing multiple PASV commands, causing the server to run out of available ports. ftp-pasv-dos ftp-pasvdos Entry Certain configurations of wu-ftp FTP server 2.4 use a _PATH_EXECPATH setting to a directory with dangerous commands, such as /bin, which allows remote authenticated users to gain root access via the "site exec" command. 19950531 SECURITY: problem with some wu-ftpd-2.4 binaries (fwd) CA-95:16.wu-ftpd.vul ftp-execdotdot Entry wu-ftp allows files to be overwritten via the rnfr command. ftp-rnfr Entry CWD ~root command in ftpd allows root access. ftp-cwd Improving the Security of Your Site by Breaking Into it Entry getcwd() file descriptor leak in FTP. cwdleak Entry Certain NFS servers allow users to use mknod to gain privileges by creating a writable kmem device and setting the UID to 0. nfs-mknod(78) Entry Buffer overflow in rwhod on AIX and other operating systems allows remote attackers to execute arbitrary code via a UDP packet with a long hostname. 19960821 rwhod buffer overflow rwhod(119) rwhod-vuln(118) Entry Denial of service in AIX telnet can freeze a system and prevent users from accessing the server. ibm-telnetdos ERS-SVA-E01-1998:003.1 7992 Entry Buffer overflow in AIX rcp command allows local users to obtain root access. ERS-SVA-E01-1997:005.1 ibm-rcp Entry Buffer overflow in AIX writesrv command allows local users to obtain root access. ERS-SVA-E01-1997:005.1 ibm-writesrv Entry AIX nslookup command allows local users to obtain root access by not dropping privileges correctly. ERS-SVA-E01-1997:008.1 ibm-nslookup Entry AIX piodmgrsu command allows local users to gain additional group privileges. ERS-SVA-E01-1997:007.1 ibm-piodmgrsu Entry The debug command in Sendmail is enabled, allowing attackers to execute commands as root. CA-88.01 CA-93.14 1 195 smtp-debug Entry Sendmail decode alias can be used to overwrite sensitive files. CA-93.16 CA-95.05 A-13 A-14 00122 smtp-dcod Entry The AIX FTP client can be forced to execute commands from a malicious server through shell metacharacters (e.g. a pipe character). ERS-SVA-E01-1997:009.1 ibm-ftp Entry Buffer overflow in syslog utility allows local or remote attackers to gain root privileges. CA-95.13.syslog.vul smtp-syslog Entry Remote access in AIX innd 1.5.1, using control messages. ERS-SVA-E01-1997:002.1 inn-controlmsg Entry Buffer overflow in AIX and Solaris "gethostbyname" library call allows root access through corrupt DNS host names. ERS-SVA-E01-1997:001.1 ERS-SVA-E01-1996:007.1 00137a H-13 NAI-1 ghbn-bo Entry Buffer overflow in SLmail 3.x allows attackers to execute commands using a large FROM line. slmail-fromheader-overflow Entry Echo and chargen, or other combinations of UDP services, can be used in tandem to flood the server, a.k.a. UDP bomb or UDP packet storm. CA-96.01.UDP_service_denial echo chargen chargen-patch Entry The printers program in IRIX has a buffer overflow that gives root access to local users. another day, another buffer overflow... printers-bo Entry Buffer overflow in ffbconfig in Solaris 2.5.1. 00140 AA-97.06 ffbconfig-bo Entry RIP v1 is susceptible to spoofing. rip Entry Buffer overflow in AIX dtterm program for the CDE. 19970520 AIX 4.2 dtterm exploit dtterm-bo(878) Entry Some implementations of rlogin allow root access if given a -froot parameter. 19940729 -froot??? (AIX rlogin bug) CA-94.09.bin.login.vulnerability E-26 458 rlogin-froot Entry AIX bugfiler program allows local users to gain root access. 19970909 AIX bugfiler ibm-bugfiler 1800 Entry Denial of service when an attacker sends many SYN packets to create multiple connections without ever sending an ACK to complete the connection, aka SYN flood. CA-96.21.tcp_syn.flooding 19961202-01-PX 00136 Entry AIX passwd allows local users to gain root access. ibm-passwd CA-92:07.AIX.passwd.vulnerability Entry AIX infod allows local users to gain root access through an X display. 19981119 RSI.0011.11-09-98.AIX.INFOD aix-infod Entry Sun/Solaris utmp file allows local users to gain root access if it is writable by users other than root. 00126 CA-94.06.utmp.vulnerability utmp-write Entry Buffer overflow in AIX lchangelv gives root access. Jul21,1999 lchangelv-bo Entry Vulnerabilities in UMN gopher and gopher+ versions 1.12 and 2.0x allow an intruder to read any files that can be accessed by the gopher daemon. CA-93:11.UMN.UNIX.gopher.vulnerability gopher-vuln Entry Buffer overflow in SGI IRIX mailx program. sgi-mailx-bo 19980605-01-PX Entry SGI IRIX buffer overflow in xterm and Xaw allows root access. VB-98.04.xterm.Xaw J-010 xfree86-xterm-xaw xfree86-xaw Entry Oversized ICMP ping packets can result in a denial of service, aka Ping o' Death. ping-death CA-96.26.ping Entry Sendmail allows local users to write to a file and gain group permissions via a .forward or :include: file. CA-96.25.sendmail_groups Entry Local users can start Sendmail in daemon mode and gain root privileges. CA-96.24.sendmail.daemon.mode 716 sendmail-daemon-mode Entry Buffer overflow and denial of service in Sendmail 8.7.5 and earlier through GECOS field gives root access to local users. CA-96.20.sendmail_vul smtp-875bo 717 Entry Expreserve, as used in vi and ex, allows local users to overwrite arbitrary files and gain root access. CA-1996-19 11723 expreserve(401) Entry fm_fls license server for Adobe Framemaker allows local users to overwrite arbitrary files and gain root access. CA-96.18.fm_fls fmaker-logfile Entry vold in Solaris 2.x allows local users to gain root access. sol-voldtmp CA-96.17.Solaris_vold_vul AL-96.04 8159 Entry admintool in Solaris allows a local user to write to arbitrary files and gain root access. sun-admintool CA-96.16.Solaris_admintool_vul AL-96.03 Entry Kodak Color Management System (KCMS) on Solaris allows a local user to write to arbitrary files and gain root access. sol-KCMSvuln AL-96.02 CA-96.15.Solaris_KCMS_vul Entry The dip program on many Linux systems allows local users to gain root access via a buffer overflow. linux-dipbo CA-96.13.dip_vul dip-bo Entry The suidperl and sperl program do not give up root privileges when changing UIDs back to the original users, allowing root access. CA-96.12.suidperl_vul sperl-suid Entry Buffer overflow in Solaris x86 mkcookie allows local users to obtain root access. sol-mkcookie RSI.0012.12-03-98.SOLARIS.MKCOOKIE 8205 Entry Java Bytecode Verifier allows malicious applets to execute arbitrary commands as the user of the applet. http-java-applet CA-96.07.java_bytecode_verifier 00134 Entry The Java Applet Security Manager implementation in Netscape Navigator 2.0 and Java Developer's Kit 1.0 allows an applet to connect to arbitrary hosts. CA-96.05.java_applet_security_mgr http-java-appletsecmgr Entry Kerberos 4 key servers allow a user to masquerade as another by breaking and generating session keys. CA-96.03.kerberos_4_key_server kerberos-bf Entry Sendmail WIZ command enabled, allowing root access. CA-1990-11 CA-1993-14 19950206 sendmail wizard thing... Improving the Security of Your Site by Breaking Into it Entry The campas CGI program provided with some NCSA web servers allows an attacker to execute arbitrary commands via encoded carriage return characters in the query string, as demonstrated by reading the password file. 19970715 Bug CGI campas 1975 http-cgi-campas(298) Entry The aglimpse CGI program of the Glimpse package allows remote execution of arbitrary commands. http-cgi-glimpse AA-97.28 Entry The handler CGI program in IRIX allows arbitrary command execution. 19970501-02-PX 380 http-sgi-handler Entry The wrap CGI program in IRIX allows remote attackers to view arbitrary directory listings via a .. (dot dot) attack. 19970420 IRIX 6.x /cgi-bin/wrap bug 19970501-02-PX 373 247 http-sgi-wrap(290) Entry The Perl fingerd program allows arbitrary command execution from remote users. perl-fingerd Entry The SATAN session key may be disclosed if the user points the web browser to other sites, possibly allowing root access. CA-95.07a.REVISED.satan.vul CA-95.06.satan.vul Entry The DG/UX finger daemon allows remote command execution through shell metacharacters. 19970811 dgux in.fingerd vulnerability dgux-fingerd Entry Windows 95/NT out of band (OOB) data denial of service through NETBIOS port, aka WinNuke. win-oob 1666 Entry The ghostscript command with the -dSAFER option allows remote attackers to execute commands. gscript-dsafer CA-95.10.ghostscript Entry Cisco PIX firewall and CBAC IP fragmentation attack results in a denial of service. http://www.cisco.com/warp/public/770/nifrag.shtml cisco-fragmented-attacks 1097 Entry Cisco PIX firewall manager (PFM) on Windows NT allows attackers to connect to port 8080 on the PFM server and retrieve any file whose name and location is known. 20010913 Cisco PIX Firewall Manager File Exposure cisco-pix-file-exposure 685 Entry Attackers can crash a Cisco IOS router or device, provided they can get to an interactive prompt (such as a login). This applies to some IOS 9.x, 10.x, and 11.x releases. http://www.cisco.com/warp/public/770/ioslogin-pub.shtml cisco-ios-crash Entry Some classic Cisco IOS devices have a vulnerability in the PPP CHAP authentication to establish unauthorized PPP connections. 19971001 Vulnerabilities in Cisco CHAP Authentication I-002A 1099 cisco-chap Entry In Cisco IOS 10.3, with the tacacs-ds or tacacs keyword, an extended IP access control list could bypass filtering. http://www.cisco.com/warp/public/707/1.html cisco-acl-tacacs 797 Entry The "established" keyword in some Cisco IOS software allowed an attacker to bypass filtering. 19950601 "Established" Keyword May Allow Packets to Bypass Filter cisco-acl-established Entry A race condition in the Solaris ps command allows an attacker to overwrite critical files. sol-pstmprace AA-95.07 CA-95.09.Solaris.ps.vul 8346 Entry NFS allows users to use a "cd .." command to access other directories besides the exported file system. nfs-cd Entry In SunOS, NFS file handles could be guessed, giving unauthorized access to the exported file system. nfs-guess CA-91.21.SunOS.NFS.Jumbo.and.fsirand Entry The portmapper may act as a proxy and redirect service requests from an attacker, making the request appear to come from the local host, possibly bypassing authentication that would otherwise have taken place. For example, NFS file systems could be mounted through the portmapper despite export restrictions. nfs-portmap Entry Remote attackers can mount an NFS file system in Ultrix or OSF, even if it is denied on the access list. nfs-ultrix Entry FormMail CGI program allows remote execution of commands. http-cgi-formmail-exe Aug02,1995 Entry FormMail CGI program can be used by web servers other than the host server that the program resides on. http-cgi-formmail-use Entry The view-source CGI program allows remote attackers to read arbitrary files via a .. (dot dot) attack. 19970208 view-source http-cgi-viewsrc Entry The convert.bas program in the Novell web server allows a remote attackers to read any file on the system that is internally accessible by the web server. http-nov-convert Entry The Webgais program allows a remote user to execute arbitrary commands. Jul10,1997 http-webgais-query Entry The uploader program in the WebSite web server allows a remote attacker to execute arbitrary programs. 19970904 [Alert] Website's uploader.exe (from demo) vulnerable 19970905 Re: FW: [Alert] Website's uploader.exe (from demo) vulnerable 19970904 [Alert] Website's uploader.exe (from demo) vulnerable http-website-uploader Entry Buffer overflow in the win-c-sample program (win-c-sample.exe) in the WebSite web server 1.1e allows remote attackers to execute arbitrary code via a long query string. 19970106 Re: signal handling 2078 8 http-website-winsample(295) Entry Windows NT crashes or locks up when a Samba client executes a "cd .." command on a file share. Q140818 nt-samba-dotdot nt-351 nt-35 Entry in.rshd allows users to login with a NULL username and execute commands. rsh-null Entry The wall daemon can be used for denial of service, social engineering attacks, or to execute remote commands. walld Entry Samba has a buffer overflow which allows a remote attacker to obtain root access by specifying a long password. H-110 VB-97.10.samba nt-samba-bo Entry Linux implementations of TFTP would allow access to files outside the restricted directory. linux-tftp Entry When compiled with the -DALLOW_UPDATES option, bind allows dynamic updates to the DNS server, allowing for malicious modification of DNS records. dns-updates Entry In SunOS or Solaris, a remote user could connect from an FTP server's data port to an rlogin server on a host that trusts the FTP server, allowing remote command execution. 00156 sun-ftpd/logind Entry The passwd command in Solaris can be subjected to a denial of service. 00182 sun-passwd-dos Entry Solaris rpcbind listens on a high numbered UDP port, which may not be filtered since the standard port number is 111. NAI-15 00142 rpc-32771 Entry Solaris rpcbind can be exploited to overwrite arbitrary files and gain root access. 00167 sun-rpcbind Entry IIS newdsn.exe CGI script allows remote users to overwrite files. http-cgi-newdsn 275 Entry Buffer overflow in telnet daemon tgetent routing allows remote attackers to gain root access via the TERMCAP environmental variable. SNI-20 bsd-tel-tgetent Entry Denial of service in in.comsat allows attackers to generate messages. comsat Entry websendmail in Webgais 1.0 allows a remote user to access arbitrary files and execute arbitrary code via the receiver parameter ($VAR_receiver variable). 19970704 Vulnerability in websendmail 2077 237 http-webgais-smail Entry A quote cwd command on FTP servers can reveal the full path of the home directory of the "ftp" user. ftp-home Entry The GNU tar command, when used in FTP sessions, may allow an attacker to execute arbitrary commands. ftp-exectar Entry In Sendmail, attackers can gain root privileges via SMTP by specifying an improper "mail from" address and an invalid "rcpt to" address that would cause the mail to bounce to a program. CA-95.08 E-03 smtp-sendmail-version5 Entry Sendmail 8.6.9 allows remote attackers to execute root commands, using ident. ident-bo F-13 Entry MIME buffer overflow in Sendmail 8.8.0 and 8.8.1 gives root access. sendmail-mime-bo AA-96.06a Entry Remote attacker can execute commands through Majordomo using the Reply-To field and a "lists" command. majordomo-exe CA-94.11.majordomo.vulnerabilities Entry rpc.ypupdated (NIS) allows remote users to execute arbitrary commands. rpc-update CA-95.17.rpc.ypupdated.vul Entry The SunView (SunTools) selection_svc facility allows remote users to read files. CA-90.05.sunselection.vulnerability 8 selsvc Entry Automount daemon automountd allows local or remote users to gain privileges via shell metacharacters. 19971126 Solaris 2.5.1 automountd exploit (fwd) 19990103 SUN almost has a clue! (automountd) HPSBUX9910-104 CA-99-05 235 Entry Extra long export lists over 256 characters in some mount daemons allows NFS directories to be mounted by anyone. CA-94.02.REVISED.SunOS.rpc.mountd.vulnerability 24 Entry Solaris rpc.mountd generates error messages that allow a remote attacker to determine what files are on the server. 00168 I-048 sun-mountd Entry Denial of service by sending forged ICMP unreachable packets. icmp-unreachable Entry Routed allows attackers to append data to files. 19981004-01-PX J-012 ripapp Entry Malicious option settings in UDP packets could force a reboot in SunOS 4.1.3 systems. udp-bomb Entry Livingston portmaster machines could be rebooted via a series of commands. portmaster-reboot Entry Buffer overflow in FTP Serv-U 2.5 allows remote authenticated users to cause a denial of service (crash) via a long (1) CWD or (2) LS (list) command. 19990503 Buffer overflows in FTP Serv-U 2.5 19990504 Re: Buffer overflows in FTP Serv-U 2.5 19990909 Exploit: Serv-U Ver2.5 FTPd Win9x/NT 269 ftp-servu(205) Entry Denial of service of Ascend routers through port 150 (remote administration). ascend-150-kill Entry Solaris syslogd crashes when receiving a message from a host that doesn't have an inverse DNS entry. 19961109 Syslogd and Solaris 2.4 1249320 http://sunsolve.Sun.COM/pub-cgi/retrieve.pl?patchid=103291&collection=fpatches sol-syslogd-crash 1878 Entry Denial of service in Windows NT messenger service through a long username. nt-messenger Entry Windows NT 4.0 allows remote attackers to cause a denial of service via a malformed SMB logon request in which the actual data size does not match the specified size. 19980214 Windows NT Logon Denial of Service Q180963 nt-logondos Entry Access violation in LSASS.EXE (LSA/LSARPC) program in Windows NT allows a denial of service. Q154087 nt-lsass-crash Entry Denial of service in RPCSS.EXE program (RPC Locator) in Windows NT. nt-rpc-ver Q162567 Entry Buffer overflow in Cisco 7xx routers through the telnet service. http://www.cisco.com/warp/public/770/pwbuf-pub.shtml 1102 Entry IIS 1.0 allows users to execute arbitrary commands using .bat or .cmd files. Q148188 Q155056 http-iis-cmd Entry Bash treats any character with a value of 255 as a command separator. bash-cmd CA-96.22.bash_vuls Entry ScriptAlias directory in NCSA and Apache httpd allowed attackers to read CGI programs. http-scriptalias Entry Remote execution of arbitrary commands through Guestbook CGI program. http-cgi-guestbook VB-97.02 Entry Netscape FastTrack Web server lists files when a lowercase "get" command is used instead of an uppercase GET. fastrack-get-directory-list 122 Entry Livingston RADIUS code has a buffer overflow which can allow remote execution of commands as root. NAI-23 radius-accounting-overflow Entry Some configurations of NIS+ in Linux allowed attackers to log in as the user "+". 19950907 Linux NIS security problem hole and fix linux-plus Entry Buffer overflow in nnrpd program in INN up to version 1.6 allows remote users to execute arbitrary commands. 19970721 INN news server vulnerabilities 1443 inn-bo Entry A race condition in the authentication agent mechanism of sshd 1.2.17 allows an attacker to steal another user's credentials. http://oliver.efri.hr/~crv/security/bugs/mUNIXes/ssh2.html http://www.uni-karlsruhe.de/~ig25/ssh-faq/ssh-faq-6.html#ss6.1 Entry Denial of service in talk program allows remote attackers to disrupt a user's display. talkd-flash Entry Buffer overflow in listserv allows arbitrary command execution. smtp-listserv Entry Buffer overflow in War FTP allows remote execution of commands. war-ftpd 875 Entry cfingerd lists all users on a system via search.**@target. 19970523 cfingerd vulnerability cfinger-user-enumeration Entry The jj CGI program allows command execution via shell metacharacters. 19961224 jj cgi http-cgi-jj Entry Hylafax faxsurvey CGI script on Linux allows remote attackers to execute arbitrary commands via shell metacharacters in the query string. 19980804 remote exploit in faxsurvey cgi-script 19980804 PATCH: faxsurvey 2056 http-cgi-faxsurvey(1532) Entry Solaris SUNWadmap can be exploited to obtain root access. 00173 sun-sunwadmap Entry htmlscript CGI program allows remote read access to files. http-htmlscript-file-access Jan27,1998 Entry ICMP redirect messages may crash or lock up a host. Q154174 ICMP Redirects Against Embedded Controllers icmp-redirect Entry The info2www CGI script allows remote file access or remote command execution. 19980303 Vulnerabilites in some versions of info2www CGI 1995 http-cgi-info2www Entry Buffer overflow in NCSA HTTP daemon v1.3 allows remote command execution. http-port CA-95.04.NCSA.http.daemon.for.unix.vulnerability Entry MetaInfo MetaWeb web server allows users to upload, execute, and read scripts. 19980630 Security vulnerabilities in MetaInfo products 19980703 Followup to MetaInfo vulnerabilities 110 3969 metaweb-server-dot-attack Entry Netscape Enterprise servers may list files through the PageServices query. netscape-server-pageservices Entry Directory traversal vulnerability in pfdispaly.cgi program (sometimes referred to as "pfdisplay") for SGI's Performer API Search Tool (performer_tools) allows remote attackers to read arbitrary files. 19980317 IRIX performer_tools bug 19980401-01-P I-041 64 134 sgi-pfdispaly(810) Entry Denial of service in Slmail v2.5 through the POP3 port. slmail-username-bo Entry Denial of service through Solaris 2.5.1 telnet by sending ^D characters. sun-telnet-kill Entry Denial of service in Windows NT DNS servers through malicious packet which contains a response to a query that wasn't made. NAI-5 nt-dns-dos Entry Denial of service in Windows NT DNS servers by flooding port 53 with too many characters. nt-dnscrash nt-dnsver Q169461 Entry mSQL v2.0.1 and below allows remote execution through a buffer overflow. msql-debug-bo sekure.01-99.msql Entry The WorkMan program can be used to overwrite any file to get root access. workman CA-96.23.workman_vul Entry In IIS, remote attackers can obtain source code for ASP files by appending "::$DATA" to the URL. MS98-003 iis-asp-data-check oval:org.mitre.oval:def:913 Entry Excite for Web Servers (EWS) allows remote command execution via shell metacharacters. 19971217 CGI security hole in EWS (Excite for Web Servers) 19980115 Excite announcement VB-98.01.excite excite-cgi-search-vuln Entry Remote command execution in Microsoft Internet Explorer using .lnk and .url files. 19970317 Internet Explorer Bug #4 H-38 http-ie-lnkurl Entry Denial of service in IIS using long URLs. http-iis-longurl Entry The WINS server in Microsoft Windows NT 4.0 before SP4 allows remote attackers to cause a denial of service (process termination) via invalid UDP frames to port 137 (NETBIOS Name Service), as demonstrated via a flood of random packets. 19970801 WINS flooding 19970801 WINS flooding 19970815 Re: WINS flooding http://safenetworks.com/Windows/wins.html 155701 nt-winsupd-fix(1233) Entry The Apache web server for Win32 may provide access to restricted files when a . (dot) is appended to a requested URL. Entry The WinGate telnet proxy allows remote attackers to cause a denial of service via a large number of connections to localhost. 19980221 WinGate DoS 19980326 WinGate Intermediary Fix/Update wingate-dos Entry The WinGate proxy is installed without a password, which allows remote attackers to redirect connections without authentication. wingate-unpassworded Entry Denial of service through Winpopup using large user names. nt-winpopup Entry AAA authentication on Cisco systems allows attackers to execute commands without authorization. http://www.cisco.com/warp/public/770/aaapair-pub.shtml cisco-ios-aaa-auth Entry All records in a WINS database can be deleted through SNMP for a denial of service. nt-wins-snmp2 Entry Solaris sysdef command allows local users to read kernel memory, potentially leading to root privileges. sun-sysdef 00157 Entry Solaris volrmmount program allows attackers to read any file. 00162 sun-volrmmount Entry Buffer overflow in Vixie Cron library up to version 3.0 allows local users to obtain root access via a long environmental variable. NAI-3 AA-96.21 H-17 vixie-cron Entry Buffer overflow in FreeBSD lpd through long DNS hostnames. NAI-9 6093 Entry nis_cachemgr for Solaris NIS+ allows attackers to add malicious NIS+ servers. 00155 sun-niscache Entry Buffer overflow in SunOS/Solaris ps command. 00149 AUSCERT-97.17 sun-ps2bo Entry SunOS/Solaris FTP clients can be forced to execute arbitrary commands from a malicious FTP server. 00176 sun-ftp-server Entry Buffer overflow in BNU UUCP daemon (uucpd) through long hostnames. bnu-uucpd-bo RSI.0002.05-18-98.BNU.UUCPD Entry mmap function in BSD allows local attackers in the kmem group to modify memory through devices. bsd-mmap FreeBSD-SA-98:02 Entry The system configuration control (sysctl) facility in BSD based operating systems OpenBSD 2.2 and earlier, and FreeBSD 2.2.5 and earlier, does not properly restrict source routed packets even when the (1) dosourceroute or (2) forwarding variables are set, which allows remote attackers to spoof TCP connections. Feb15,1998 "IP Source Routing Problem" http://www.openbsd.org/advisories/sourceroute.txt 11502 bsd-sourceroute(736) Entry HP-UX gwind program allows users to modify arbitrary files. HPSBUX9410-018 hpux-gwind-overwrite H-03: HP-UX suid Vulnerabilities Entry HP-UX vgdisplay program gives root access to local users. HPSBUX9702-056 hpux-vgdisplay H-27: HP-UX vgdisplay Buffer Overrun Vulnerability Entry SSH 1.2.25 on HP-UX allows access to new user accounts. ssh-1225 Entry fpkg2swpk in HP-UX allows local users to gain root access. hpux-fpkg2swpk HPSBUX9612-042 Entry HP ypbind allows attackers with root privileges to modify NIS data. nis-ypbind CA-93:01.REVISED.HP.NIS.ypbind.vulnerability Entry disk_bandwidth on SGI IRIX 6.4 S2MP for Origin/Onyx2 allows local users to gain root access using relative pathnames. http://www.securityfocus.com/bid/213/exploit 19980701-01-P 214 936 sgi-disk-bandwidth(1441) Entry ioconfig on SGI IRIX 6.4 S2MP for Origin/Onyx2 allows local users to gain root access using relative pathnames. http://www.securityfocus.com/bid/213/exploit 19980701-01-P 213 6788 sgi-ioconfig(1199) Entry Buffer overflow in Solaris fdformat command gives root access to local users. fdformat-bo 00138 Entry Buffer overflow in Linux splitvt command gives root access to local users. linux-splitvt G-08 Entry Buffer overflow in xmcd 2.0p12 allows local users to gain access through an environmental variable. 19961125 Security Problems in XMCD 19961125 XMCD v2.1 released (was: Security Problems in XMCD) xmcd-envbo Entry SunOS rpc.cmsd allows attackers to obtain root access by overwriting arbitrary files. 00166 sun-rpc.cmsd Entry Buffer overflow in Solaris kcms_configure command allows local users to gain root access. sun-kcms-configure-bo Entry The open() function in FreeBSD allows local attackers to write to arbitrary files. FreeBSD-SA-97:05 freebsd-open 6092 Entry FreeBSD mmap function allows users to modify append-only or immutable files. FreeBSD-SA-98:04 1998-003 bsd-mmap Entry ppl program in HP-UX allows local users to create root files through symlinks. HPSBUX9702-053 H-31 hp-ppllog Entry vhe_u_mnt program in HP-UX allows local users to create root files through symlinks. hp-vhe HPSBUX9406-013 Entry Vulnerability in HP-UX mediainit program. HPSBUX9710-071 hp-mediainit Entry SGI syserr program allows local users to corrupt files. 19971103-01-PX sgi-syserr Entry SGI permissions program allows local users to gain root privileges. 19971103-01-PX sgi-permtool Entry SGI mediad program allows local users to gain root access. 19980602-01-PX sgi-mediad Entry Buffer overflow in NetMeeting allows denial of service and remote command execution. nt-netmeeting Q184346 Entry In Solaris 2.2 and 2.3, when fsck fails on startup, it allows a local user with physical access to obtain root access. sol-startup CA-93.19.Solaris.Startup.vulnerability Entry DEPRECATED. This entry has been deprecated. It is a duplicate of CVE-1999-0032. Entry AIX batch queue (bsh) allows local and remote users to gain additional privileges when network printing is enabled. CA-94.10.IBM.AIX.bsh.vulnerability.html ibm-bsh Entry AIX Licensed Program Product performance tools allow local users to gain root access. ibm-perf-tools CA-94.03.AIX.performance.tools Entry Buffer overflow in the libauth library in Solaris allows local users to gain additional privileges, possibly root access. sol-sun-libauth RSI.0007.05-26-98 Entry Buffer overflow in Linux Slackware crond program allows local users to gain root access. 005 linux-crond Entry Buffer overflow in the Linux mail program "deliver" allows local users to gain root access. 006 linux-deliver Entry Linux PAM modules allow local users to gain root access using temporary files. http://www.redhat.com/corp/support/errata/rh42-errata-general.html#pam linux-pam-passwd-tmprace Entry A malicious Palace server can force a client to execute arbitrary programs. 19981002 Announcements from The Palace (fwd) palace-malicious-servers-vuln Entry NT users can gain debug-level access on a system process using the Sechole exploit. MS98-009 Q190288 nt-priv-fix Entry CGI PHP mlog script allows an attacker to read any file on the target server. 19971019 Vulnerability in PHP Example Logging Scripts 713 http-cgi-php-mlog 3397 Entry IIS ASP caching problem releases sensitive information when two virtual servers share the same physical directory. Jan27,1999 Q197003 930 Entry A buffer overflow in the FTP list (ls) command in IIS allows remote attackers to conduct a denial of service and, in some cases, execute arbitrary commands. IIS Remote FTP Exploit/DoS Attack MS99-003 Q188348 Jan27,1999 iis-remote-ftp Entry Race condition in the db_loader program in ClearCase gives local users root access by setting SUID bits. Feb8,1999 clearcase-temp-race Entry FTP PASV "Pizza Thief" denial of service and unauthorized data access. Attackers can steal data by connecting to a port that was intended for use by a client. 01 http://attrition.org/security/advisory/misc/infowar/iw_sec_01.txt pasv-pizza-thief-dos(3389) Entry rpc.pcnfsd in HP gives remote root access by changing the permissions on the main printer spool directory. HPSBUX9902-091 J-026 pcnfsd-world-write Entry Local or remote users can force ControlIT 4.5 to reboot or force a user to log out, resulting in a denial of service. Multiple vulnerabilities in ControlIT(tm) (formerly Remotely Possible/32) enterprise management software controlit-reboot Entry Windows 98 and other operating systems allows remote attackers to cause a denial of service via crafted "oshare" packets, possibly involving invalid fragmentation offsets. 19990125 Win98 crash? win98-oshare-dos Entry Digital Unix 4.0 has a buffer overflow in the inc program of the mh package. 19990125 Digital Unix 4.0 exploitable buffer overflows SSRT0583U du-inc J-027 Entry WS_FTP server remote denial of service through cwd command. AD02021999 wsftp-remote-dos 217 Entry SuSE 5.2 PLP lpc program has a buffer overflow that leads to root compromise. Feb02,1999 plp-lpc-bo 328 Entry The metamail package allows remote command execution using shell metacharacters that are not quoted in a mailcap entry. Feb04,1999 metamail-header-commands Entry In some cases, Service Pack 4 for Windows NT 4.0 can allow access to network shares using a blank password, through a problem with a null NT hash value. MS99-004 Q214840 nt-sp4-auth-error Entry NetBSD netstat command allows local users to access kernel memory. 1999-002 7571 Entry Buffer overflows in wuarchive ftpd (wu-ftpd) and ProFTPD lead to remote root access, a.k.a. palmetto. palmetto.ftpd CA-99.03 palmetto-ftpd-bo Entry The Sun sdtcm_convert calendar utility for OpenWindows has a buffer overflow which can gain root access. 00183 sun-sdtcm-convert-bo Entry Lynx allows a local user to overwrite sensitive files through /tmp symlinks. 19990211 Lynx /tmp problem VB-97.05.lynx lynx-temp-files-race Entry The installer for BackOffice Server includes account names and passwords in a setup file (reboot.ini) which is not deleted. MS99-005 nt-backoffice-setup Q217004 Entry Buffer overflow in the "Super" utility in Debian GNU/Linux, and other operating systems, allows local users to execute commands as root. Buffer Overflow in "Super" package in Debian Linux linux-super-bo linux-super-logging-bo Entry Debian GNU/Linux cfengine package is susceptible to a symlink attack. 19990215 Feb16,1999 linux-cfengine-symlinks Entry Buffer overflow in webd in Network Flight Recorder (NFR) 2.0.2-Research allows remote attackers to execute commands. February 16, 1999 Feb16,1999 nfr-webd-overflow Entry Local users in Windows NT can obtain administrator privileges by changing the KnownDLLs list to reference malicious programs. MS99-006 Feb20,1999 Feb18,1999 nt-knowndlls-list Entry Process table attack in Unix systems allows a remote attacker to perform a denial of service by filling a machine's process tables through multiple connections to network services. Feb22,1999 Entry InterScan VirusWall for Solaris doesn't scan files for viruses when a single HTTP request includes two GET commands. 19990222 BlackHats Advisory -- InterScan VirusWall 19990225 Patch for InterScan VirusWall for Unix now available viruswall-http-request 6167 Entry Microsoft Taskpads allows remote web sites to execute commands on the visiting user's machine via certain methods that are marked as Safe for Scripting. MS99-007 19990223 Microsoft Security Bulletin (MS99-007) 498 1019 win-resourcekit-taskpads Entry SLMail 3.1 and 3.2 allows local users to access any file in the NTFS file system when the Remote Administration Service (RAS) is enabled by setting a user's Finger File to point to the target file, then running finger on the user. 199902225 ALERT: SLMail 3.2 (and 3.1) with the Remote Administration Service 19990225 ALERT: SLMail 3.2 (and 3.1) with the Remote Administration Service SLmail 3.2 Build 3113 (Web Administration Security Fix) 497 slmail-ras-ntfs-bypass(5392) Entry The screen saver in Windows NT does not verify that its security context has been changed properly, allowing attackers to run programs with elevated privileges. MS99-008 nt-screen-saver Entry ACC Tigris allows public access without a login. 19990103 Tigris vulnerability 183 267 acc-tigris-login Entry The Forms 2.0 ActiveX control (included with Visual Basic for Applications 5.0) can be used to read text from a user's clipboard when the user accesses documents with ActiveX content. forms-vuln-patch MS99-001 Entry The LDAP bind function in Exchange 5.5 has a buffer overflow that allows a remote attacker to conduct a denial of service or execute commands. MS99-009 LDAP Buffer overflow against Microsoft Directory Services ldap-exchange-overflow ldap-mds-dos Entry Microsoft Personal Web Server and FrontPage Personal Web Server in some Windows systems allows a remote attacker to read files on the server by using a nonstandard URL. MS99-010 pws-file-access 111 Entry A legacy credential caching mechanism used in Windows 95 and Windows 98 systems allows attackers to read plaintext network passwords. MS99-052 Q168115 829 9x-plaintext-pwd Entry DataLynx suGuard trusts the PATH environment variable to execute the ps command, allowing local users to execute commands as root. datalynx-suguard-relative-paths Jan3,1999 3186 Entry Buffer overflow in Dosemu Slang library in Linux. 19990104 Dosemu/S-Lang Overflow + sploit CSSA-1999-006.1 187 Entry The cryptographic challenge of SMB authentication in Windows 95 and Windows 98 can be reused, allowing an attacker to replay the response and impersonate a user. Jan. 5, 1999 Entry Buffer overflow in Thomas Boutell's cgic library version up to 1.05. Jan10,1999 http-cgic-library-bo Entry Remote attackers can cause a denial of service in Sendmail 8.8.x and 8.9.2 by sending messages with a large number of headers. 19981212 ** Sendmail 8.9.2 DoS - exploit ** get what you want! 19990121 Sendmail 8.8.x/8.9.x bugware sendmail-parsing-redirection Entry A race condition in the BackWeb Polite Agent Protocol allows an attacker to spoof a BackWeb server. 19990118 Vulnerability in the BackWeb Polite Agent Protocol backweb-polite-agent-protocol Entry A race condition between the select() and accept() calls in NetBSD TCP servers allows remote attackers to cause a denial of service. 1999-001 Feb17,1999 netbsd-tcp-race Entry wget 1.5.3 follows symlinks to change permissions of the target file instead of the symlink itself. Feb2,1999 wget-permissions 19990220 Entry A bug in Cyrix CPUs on Linux allows local users to perform a denial of service. 19990204 Cyrix bug: freeze in hell, badboy cyrix-hang Entry Buffer overflow in the Mail-Max SMTP server for Windows systems allows remote command execution. Feb14,1999 mailmax-bo Entry A buffer overflow in lsof allows local users to obtain root privilege. 002 Feb18,1999 19990220a lsof-bo 3163 Entry By default, IIS 4.0 has a virtual directory /IISADMPWD which contains files that can be used as proxies for brute force password attacks, or to identify valid users on the system. 19990209 ALERT: IIS4 allows proxied password attacks over NetBIOS 19990209 Re: IIS4 allows proxied password attacks over NetBIOS iis-iisadmpwd Entry Files created from interactive shell sessions in Cobalt RaQ microservers (e.g. .bash_history) are world readable, and thus are accessible from the web server. 19990225 Cobalt root exploit cobalt-raq-history-exposure 337 Entry Buffer overflow in gnuplot in Linux version 3.5 allows local users to obtain root access. 19990304 Linux /usr/bin/gnuplot overflow gnuplot-home-overflow 319 Entry The cancel command in Solaris 2.6 (i386) has a buffer overflow that allows local users to obtain root access. Mar5,1999 sol-cancel 293 Entry In IIS and other web servers, an attacker can attack commands as SYSTEM if the server is running as SYSTEM and loading an ISAPI extension. Feb19,1999 iis-isapi-execute 501 Entry A buffer overflow in the SGI X server allows local users to gain root access through the X server font path. 19990301-01-PX irix-font-path-overflow Entry In Linux before version 2.0.36, remote attackers can spoof a TCP connection and pass data to the application layer before fully establishing the connection. Linux Blind TCP Spoofing linux-blind-spoof Entry The HTTP server in Cisco 7xx series routers 3.2 through 4.2 is enabled by default, which allows remote attackers to change the router's configuration. 19990311 Remote Reconfiguration and Denial of Service Vulnerabilities in Cisco 700 ISDN Routers 19990311 Cisco 7xx TCP and HTTP Vulnerabilities J-034 cisco-router-commands cisco-web-config Entry Vulnerability in Cisco 7xx series routers allows a remote attacker to cause a system reload via a TCP connection to the router's TELNET port. 19990311 Remote Reconfiguration and Denial of Service Vulnerabilities in Cisco 700 ISDN Routers 19990311 Cisco 7xx TCP and HTTP Vulnerabilities J-034 cisco-web-crash Entry 64 bit Solaris 7 procfs allows local users to perform a denial of service. Mar9,1999 solaris-psinfo-crash 448 1001 Entry umapfs allows local users to gain root privileges by changing their uid through a malicious mount_umap program. 1999-006 Entry During a reboot after an installation of Linux Slackware 3.6, a remote attacker can obtain root access by logging in to the root account without a password. Short-Term High-Risk Vulnerability During Slackware 3.6 Network Installations linux-slackware-install 338 981 Entry In some cases, NetBSD 1.3.3 mount allows local users to execute programs in some file systems that have the "noexec" flag set. 1999-007 Entry Vulnerability in hpterm on HP-UX 10.20 allows local users to gain additional privileges. HPSBUX9903-093 hp-hpterm-files Entry talkback in Netscape 4.5 allows a local user to overwrite arbitrary files of another user whose Netscape crashes. Mar18,1999 netscape-talkback-overwrite Entry talkback in Netscape 4.5 allows a local user to kill an arbitrary process of another user whose Netscape crashes. Mar18,1999 netscape-talkback-kill Entry OpenSSL and SSLeay allow remote attackers to reuse SSL sessions and bypass access controls. 19990322 OpenSSL/SSLeay Security Alert ssl-session-reuse 3936 Entry The Lotus Notes 4.5 client may send a copy of encrypted mail in the clear across the network if the user does not set the "Encrypt Saved Mail" preference. 19990323 19990324 Re: LNotes encryption 19990326 Lotus Notes Encryption Bug 19990326 Re: Lotus Notes security advisory lotus-client-encryption Entry Cisco Catalyst LAN switches running Catalyst 5000 supervisor software allows remote attackers to perform a denial of service by forcing the supervisor module to reload. Remote Denial of Service Vulnerability in Cisco Catalyst Series Ethernet Switches Cisco Catalyst Supervisor Remote Reload cisco-catalyst-crash 1103 Entry ftp on HP-UX 11.00 allows local users to gain privileges. HPSBUX9903-094 hp-ftp Entry XFree86 startx command is vulnerable to a symlink attack, allowing local users to create files in restricted directories, possibly allowing them to gain privileges or cause a denial of service. Mar28,1999 19990321 X11R6 NetBSD Security Problem xfree86-temp-directories Entry Domain Enterprise Server Management System (DESMS) in HP-UX allows local users to gain privileges. HPSBUX9903-095 hp-desms-servers Entry Remote attackers can perform a denial of service in WebRamp systems by sending a malicious string to the HTTP port. WebRamp Denial of Service Attacks webramp-device-crash Entry Remote attackers can perform a denial of service in WebRamp systems by sending a malicious UDP packet to port 5353, changing its IP address. WebRamp Denial of Service Attacks webramp-ipchange Entry Buffer overflow in procmail before version 3.12 allows remote or local attackers to execute commands via expansions in the procmailrc configuration file. 19990405 Re: [SECURITY] new version of procmail with security fixes 19990422 CSSA-1999:007 procmail-overflow Entry The byte code verifier component of the Java Virtual Machine (JVM) allows remote execution through malicious web pages. 19990405 Security Hole in Java 2 (and JDK 1.1.x) http://java.sun.com/pr/1999/03/pr990329-01.html 1939 java-unverified-code Entry Remote attackers can perform a denial of service in WinGate machines using a buffer overflow in the Winsock Redirector Service. AD02221999 wingate-redirector-dos 509 Entry Solaris ff.core allows local users to modify files. 19990107 really silly ff.core exploit for Solaris 19990108 ff.core exploit on Solaris (2.)7 19990408 Solaris7 and ff.core 327 Entry In Cisco routers under some versions of IOS 12.0 running NAT, some packets may not be filtered by input access list filters. Cisco IOS(R) Software Input Access List Leakage with NAT cisco-natacl-leakage 1104 Entry Local users can perform a denial of service in NetBSD 1.3.3 and earlier versions by creating an unusual symbolic link with the ln command, triggering a bug in VFS. 1999-008 netbsd-vfslocking-panic 7051 Entry Local users can gain privileges using the debug utility in the MPE/iX operating system. HPSBMP9904-006 mpeix-debug Entry IIS 4.0 and Apache log HTTP request methods, regardless of how long they are, allowing a remote attacker to hide the URL they really request. 19990121 IIS 4 Request Logging Security Advisory iis-http-request-logging Entry The ExAir sample site in IIS 4 allows remote attackers to cause a denial of service (CPU consumption) via a direct request to the (1) advsearch.asp, (2) query.asp, or (3) search.asp scripts. 19990126 IIS 4 Advisory - ExAir sample site DoS 19990126 IIS 4 Advisory - ExAir sample site DoS 19990125 Re: [NTSEC] IIS 4 Advisory - ExAir sample site DoS 193 2 3 4 iis-exair-dos Entry Linux ftpwatch program allows local users to gain root privileges. Jan17,1999 19990117 ftpwatch-vuln 317 Entry L0phtcrack 2.5 used temporary files in the system TEMP directory which could contain password information. Jan6,1999 l0phtcrack-temp-files 915 Entry Remote attackers can perform a denial of service using IRIX fcagent. 19981201-01-PX sgi-fcagent-dos Entry Local users can perform a denial of service in Tripwire 1.2 and earlier using long filenames. 19990104 Tripwire mess.. http://marc.theaimsgroup.com/?l=bugtraq&m=91592136122066&w=2 6609 Entry The SVR4 /dev/wabi special device file in NetBSD 1.3.3 and earlier allows a local user to read or write arbitrary files on the disk associated with that device. 1999-009 905 Entry Internet Explorer 5.0 allows a remote server to read arbitrary files on the client's file system using the Microsoft Scriptlet Component. MS99-012 ie-scriplet-fileread Apr9,1999 Entry A weak encryption algorithm is used for passwords in Novell Remote.NLM, allowing them to be easily decrypted. 19990409 New Novell Remote.NLM Password Decryption Algorithm with Exploit 482 netware-remotenlm-passwords Entry The remote proxy server in Winroute allows a remote attacker to reconfigure the proxy without authentication through the "cancel" button. winroute-config Apr9,1999 Entry The SNMP default community name "public" is not properly removed in NetApps C630 Netcache, even if the administrator tries to disable it. netcache-snmp Apr7,1999 Entry The rsync command before rsync 2.3.1 may inadvertently change the permissions of the client's working directory to the permissions of the directory being transferred. 19990407 rsync 2.3.1 release - security fix CSSA-1999:010.0 19990823 145 rsync-permissions Entry The ICQ Webserver allows remote attackers to use .. to access arbitrary files outside of the user's personal directory. icq-webserver-read Apr5,1999 Entry A race condition in how procmail handles .procmailrc files allows a local user to read arbitrary files available to the user who is running procmail. procmail-race Apr5,1999 Entry Denial of service in HP-UX sendmail 8.8.6 related to accepting connections. HPSBUX9904-097 sendmail-headers-dos Entry Denial of service Netscape Enterprise Server with VirtualVault on HP-UX VVOS systems. HPSBUX9903-092 netscape-server-dos Entry Denial of service in "poll" in OpenBSD. Mar22,1999 7556 Entry OpenBSD kernel crash through TSS handling, as caused by the crashme program. Mar21,1999 7557 Entry OpenBSD crash using nlink value in FFS and EXT2FS filesystems. Feb25,1999 6129 Entry Buffer overflow in OpenBSD ping. Feb23,1999 6130 Entry Remote attackers can cause a system crash through ipintr() in ipq in OpenBSD. Feb19,1999 openbsd-ipintr-race 7558 Entry The DHTML Edit ActiveX control in Internet Explorer allows remote attackers to read arbitrary files. MS99-011 ie-dhtml-control Entry The prompt parsing in bash allows a local user to execute commands as another user by creating a directory with the name of the command to execute. 19990420 Bash Bug CSSA-1999-008.0 119 Entry rpc.statd allows remote attackers to forward RPC calls to the local operating system via the SM_MON and SM_NOTIFY commands, which in turn could be used to remotely exploit other bugs such as in automountd. CA-99-05 00186 J-045 19990103 SUN almost has a clue! (automountd) 450 Entry Denial of service in WinGate proxy through a buffer overflow in POP3. wingate-pop3-user-bo Entry A Windows NT 4.0 user can gain administrative rights by forcing NtOpenProcessToken to succeed regardless of the user's permissions, aka GetAdmin. Q146965 nt-getadmin nt-getadmin-present Entry ICMP messages to broadcast addresses are allowed, allowing for a Smurf attack that can cause a denial of service. CA-98.01.smurf FreeBSD-SA-98:06 smurf Entry UDP messages to broadcast addresses are allowed, allowing for a Fraggle attack that can cause a denial of service by flooding the target. fraggle Entry An X server's access control is disabled (e.g. through an "xhost +" command) and allows anyone to connect to the server. xcheck-keystroke VU#704969 Entry HP OpenMail can be misconfigured to allow users to run arbitrary commands using malicious print requests. HPSBUX9804-078 hp-openmail Entry An attacker can write to syslog files from any location, causing a denial of service by filling up the logs, and hiding activities. ibm-syslogd syslog-flood Entry An incorrect configuration of the PDG Shopping Cart CGI program "shopper.cgi" could disclose private information. 19990420 Shopping Carts exposing CC data http://www.pdgsoft.com/Security/security.html. pdgsoftcart-misconfig(3857) Entry A version of finger is running that exposes valid user information to any entity on the network. finger-out finger-running Entry A version of rusers is running that exposes valid user information to any entity on the network. rusersd ruser Entry The rexd service is running, which uses weak authentication that can allow an attacker to execute commands. rexd Entry The rwho/rwhod service is running, which exposes machine status and user information. rwhod Entry The scriptlet.typelib ActiveX control is marked as "safe for scripting" for Internet Explorer, which allows a remote attacker to execute arbitrary commands as demonstrated by Bubbleboy. 19990821 IE 5.0 allows executing programs MS99-032 J-064 598 ms-scriptlet-eyedog-unsafe Q240308 Entry Buffer overflow in ToxSoft NextFTP client through CWD command. 572 toxsoft-nextftp-cwd-bo Entry Buffer overflow in Fujitsu Chocoa IRC client via IRC channel topics. fujitsu-topic-bo 573 Entry The BSD profil system call allows a local user to modify the internal data space of a program via profiling and execve. 1999-011 Aug 9,1999 FreeBSD-SA-99:02 19990809 profil(2) bug, a simple test program 570 J-067 netbsd-profil Entry Check Point FireWall-1 can be subjected to a denial of service via UDP packets that are sent through VPN-1 to port 0 of a host. 19990809 FW1 UDP Port 0 DoS 576 checkpoint-port 1038 Entry sdtcm_convert in Solaris 2.6 allows a local user to overwrite sensitive files via a symlink attack. 19990808 sdtcm_convert sun-sdtcm-convert 575 Entry A default configuration of Apache on Debian GNU/Linux sets the ServerRoot to /usr/doc, which allows remote users to read documentation files for the entire server. apache-debian-usrdoc 19990405 An issue with Apache on Debian 318 Entry Buffer overflow in hybrid-6 IRC server commonly used on EFnet allows remote attackers to execute commands via m_invite invite option. 19990813 w00w00's efnet ircd advisory (exploit included) http://www.efnet.org/archive/servers/hybrid/ChangeLog 581 hybrid-ircd-minvite-bo Entry Windows NT Terminal Server performs extra work when a client opens a new connection but before it is authenticated, allowing for a denial of service. MS99-028 Q238600 J-057 571 nt-terminal-dos Entry Buffer overflow in Microsoft FrontPage Server Extensions (PWS) 3.0.2.926 on Windows 95, and possibly other versions, allows remote attackers to cause a denial of service via a long URL. 19990807 Crash FrontPage Remotely... frontpage-pws-dos 568 Entry Microsoft Exchange 5.5 allows a remote attacker to relay email (i.e. spam) using encapsulated SMTP addresses, even if the anti-relaying features are enabled. MS99-027 Q237927 567 J-056 exchange-relay Entry Denial of service in Gauntlet Firewall via a malformed ICMP packet. gauntlet-dos 19990729 Remotely Lock Up Gauntlet 5.0 556 1029 Entry Buffer overflow in Netscape Communicator via EMBED tags in the pluginspage option. 19991209 Netscape communicator 4.06J, 4.5J-4.6J, 4.61e Buffer Overflow 618 Entry Denial of service in Netscape Enterprise Server (NES) in HP Virtual Vault (VVOS) via a long URL. 19990514 TGAD DoS 19990610 Re: VVOS/Netscape Bug HPSBUX9906-098 J-046 hp-tgad-dos Entry The ToolTalk ttsession daemon uses weak RPC authentication, which allows a remote attacker to execute commands. 19990913 Vulnerability in ttsession 00192 HPSBUX9909-103 SSRT0617U_TTSESSION K-001 CA-99-11 637 cde-ttsession-rpc-auth Entry Buffer overflows in HP Software Distributor (SD) for HPUX 10.x and 11.x. HPSBUX9907-101 545 hp-sd-bo Entry The CDE dtspcd daemon allows local users to execute arbitrary commands via a symlink attack. 19990913 Vulnerability in dtspcd 00192 HPSBUX9909-103 CA-99-11 oval:org.mitre.oval:def:1880 cde-dtspcd-file-auth 636 Entry HP CDE program includes the current directory in root's PATH variable. HPSBUX9907-100 J-053 hp-cde-directory Entry Buffer overflow in the AddSuLog function of the CDE dtaction utility allows local users to gain root privileges via a long user name. 19990913 Vulnerability in dtaction 00192 HPSBUX9909-103 SSRTO615U_DTACTION CA-99-11 635 oval:org.mitre.oval:def:3078 cde-dtaction-username-bo Entry The default configuration of the Array Services daemon (arrayd) disables authentication, allowing remote users to gain root privileges. CA-99-09 J-052 19990701-01-P sgi-arrayd Entry Buffer overflow in TT_SESSION environment variable in ToolTalk shared library allows local users to gain root privileges. CA-99-11 00192 HPSBUX9909-103 641 oval:org.mitre.oval:def:4374 cde-dtsession-env-bo Entry Denial of service in AIX ptrace system call allows local users to crash the system. J-055 ERS-SVA-E01-1999:002.1 aix-ptrace-halt Entry The Sybase PowerDynamo personal web server allows attackers to read arbitrary files through a .. (dot dot) attack. 19990904 [Sybase] software vendors do not think about old bugs http-powerdynamo-dotdotslash 620 1064 Entry Buffer overflow in CDE Calendar Manager Service Daemon (rpc.cmsd). 19990709 Exploit of rpc.cmsd SB-99.12 00188 4230754 HPSBUX9908-102 SSRT0614U_RPC_CMSD CA-99-08 J-051 sun-cmsd-bo Entry SCO Doctor allows local users to gain root privileges through a Tools option. 19990908 SCO 5.0.5 /bin/doctor nightmare 621 sco-doctor-execute Entry The Bluestone Sapphire web server allows session hijacking via easily guessable session IDs. 19990908 [Security] Spoofed Id in Bluestone Sapphire/Web 623 Entry Buffer overflow in Microsoft Phone Dialer (dialer.exe), via a malformed dialer entry in the dialer.ini file. Q237185 MS99-026 nt-malformed-dialer Entry After an unattended installation of Windows NT 4.0, an installation file could include sensitive information such as the local Administrator password. MS99-036 Q173039 626 nt-install-unattend-file Entry Internet Explorer 5.0 and 5.01 allows remote attackers to modify or execute files via the Import/Export Favorites feature, aka the "ImportExportFavorites" vulnerability. 19990909 IE 5.0 security vulnerabilities - ImportExportFavorites - at least creating and overwriting files, probably executing programs MS99-037 Q241361 ie5-import-export-favorites 627 Entry OpenBSD, BSDI, and other Unix operating systems allow users to set chflags and fchflags on character and block devices. 19990805 4.4 BSD issue -- chflags Jul30,1999 FreeBSD-SA-99:01 J-066 openbsd-chflags-fchflags-permitted Entry Buffer overflow in Berkeley automounter daemon (amd) logging facility provided in the Linux am-utils package and others. RHSA-1999:032-01 CSSA-1999:024.0 SA-99:06 19991018 614 CA-99-12 amd-bo Entry Buffer overflow in INN inews program. inn-inews-bo RHSA1999033_01 CSSA-1999-026 19990831 Security hole in INN 19990907 616 Entry Linux xmonisdn package allows local users to gain root privileges by modifying the IFS or PATH environmental variables. 19990807 19990817 Security hole in i4l (xmonisdn) 583 Entry The default FTP configuration in HP Visualize Conference allows conference users to send a file to other participants without authorization. HPSBUX9906-099 J-050 493 hp-visualize-conference-ftp Entry Buffer overflow in cfingerd allows local users to gain root privileges via a long GECOS field. 19990921 BP9909-00: cfingerd local buffer overflow 651 Entry The Squid package in Red Hat Linux 5.2 and 6.0, and other distributions, installs cachemgr.cgi in a public web directory, which allows remote attackers to use it as an intermediary to connect to other systems. 19990725 Redhat 6.0 cachemgr.cgi lameness http://www.redhat.com/support/errata/archives/rh52-errata-general.html#squid DSA-576 FEDORA-2005-373 FLSA-2006:152809 RHSA-1999:025 RHSA-2005:489 2059 http-cgi-cachemgr(2385) Entry The oratclsh interpreter in Oracle 8.x Intelligent Agent for Unix allows local users to execute Tcl commands as root. 19990430 *Huge* security hole in Oracle 8.0.5 with Intellegent agent installed 19990506 Oracle Security Followup, patch and FAQ: setuid on oratclsh oracle-oratclsh Entry The dtlogin program in Compaq Tru64 UNIX allows local users to gain root privileges. 19990404 Digital Unix 4.0E /var permission J-044 cde-dtlogin SSRT0600U Entry Vulnerability in Compaq Tru64 UNIX edauth command. SSRT0588U du-edauth Entry Buffer overflow in Remote Access Service (RAS) client allows an attacker to execute commands or cause a denial of service via a malformed phonebook entry. 19990519 Buffer Overruns in RAS allows execution of arbitary code as system MS99-016 Q230677 nt-ras-bo Entry Buffer overflow in Windows NT 4.0 help file utility via a malformed help file. nt-helpfile-bo Q231605 MS99-015 Entry A remote attacker can disable the virus warning mechanism in Microsoft Excel 97. MS99-014 Q231304 excel-virus-warning Entry IBM GINA, when used for OS/2 domain authentication of Windows NT users, allows local users to gain administrator privileges by changing the GroupMapping registry key. 19990823 IBM Gina security warning 608 ibm-gina-group-add Entry The Guile plugin for the Gnumeric spreadsheet package allows attackers to execute arbitrary code. 19990802 Gnumeric potential security hole. RHSA-1999:023-01 gnu-guile-plugin-export 563 Entry The pt_chown command in Linux allows local users to modify TTY terminal devices that belong to other users. 19990823 [Linux] glibc 2.1.x / wu-ftpd <=2.5 / BeroFTPD / lynx / vlock / mc / glibc 2.0.x 597 linux-pt-chown Entry Denial of service in Windows NT Local Security Authority (LSA) through a malformed LSA request. Phantom Technical Advisory Q231457 MS99-020 J-049 msrpc-lsa-lookupnames-dos Entry The default configuration of Cobalt RaQ2 servers allows remote users to install arbitrary software packages. CA-99-10 558 cobalt-raq2-default-config Entry The Windows NT Client Server Runtime Subsystem (CSRSS) can be subjected to a denial of service when all worker threads are waiting for user input. 19990411 Death by MessageBox MS99-021 Q233323 J-049 478 nt-csrss-dos Entry Buffer overflow in OpenBSD procfs and fdescfs file systems via uio_offset in the readdir() function. Aug12,1999 openbsd-uio_offset-bo 6128 Entry When IIS is run with a default language of Chinese, Korean, or Japanese, it allows a remote attacker to view the source code of certain files, a.k.a. "Double Byte Code Page". Q233335 MS99-022 477 iis-double-byte-code-page(2302) Entry An attacker can conduct a denial of service in Windows NT by executing a program with a malformed file image header. MS99-023 Q234557 499 nt-malformed-image-header Entry A kernel leak in the OpenBSD kernel allows IPsec packets to be sent unencrypted. 19990608 Packets that should have been handled by IPsec may be transmitted as cleartext openbsd-ipsec-cleartext 6127 Entry A Windows NT user can disable the keyboard or mouse by directly calling the IOCTLs which control them. MS99-024 Q236359 nt-ioctl-dos Entry Buffer overflow in Lotus Notes LDAP (NLDAP) allows an attacker to conduct a denial of service through the ldap_search request. 19990823 Denial of Service Attack against Lotus Notes Domino Server 4.6 J-061 601 lotus-ldap-bo 1057 Entry The zsoelim program in the Debian man-db package allows local users to overwrite files via a symlink attack. 19990612 Entry The KDE klock program allows local users to unlock a session using malformed input. 19990623 Security flaw in klock CSSA-1999:017 19990629 Security hole in Klock 489 Entry The logging facilitity of the Debian smtp-refuser package allows local users to delete arbitrary files using symbolic links. 19990823b smtp-refuser-tmp Entry Buffer overflow in VMWare 1.0.1 for Linux via a long HOME environmental variable. 19990626 VMWare Advisory - buffer overflows 19990626 VMware Security Alert 19990705 Re: VMWare Advisory.. - exploit 490 vmware-bo Entry A default configuration of CiscoSecure Access Control Server (ACS) allows remote users to modify the server database without authentication. CiscoSecure Access Control Server for UNIX Remote Administration Vulnerability ciscosecure-read-write Entry KDE K-Mail allows local users to gain privileges via a symlink attack in temporary user directories. KDE K-Mail File Creation Vulnerability CSSA-1999:016 RHSA-1999:015-01 300 Entry Remote attackers can cause a denial of service on Linux in.telnetd telnet daemon through a malformed TERM environmental variable. 594 linux-telnetd-term CSSA-1999:022 RHSA1999029_01 Entry The Debian mailman package uses weak authentication, which allows attackers to gain privileges. 19990623 480 Entry Trn allows local users to overwrite other users' files via symlinks. 19990819 Insecure use of file in /tmp by trn 19990823c 19990824 Security hole in trn trn-symlinks(3144) Entry Buffer overflow in Netscape Enterprise Server and FastTrask Server allows remote attackers to gain privileges via a long HTTP GET request. Buffer Overflow in Netscape Enterprise and FastTrack Web Servers 603 Entry Buffer overflow in Source Code Browser Program Database Name Server Daemon (pdnsd) for the IBM AIX C Set ++ compiler. ERS-SVA-E01-1999:003.1 J-059 590 aix-pdnsd-bo Entry A default configuration of in.identd in SuSE Linux waits 120 seconds between requests, allowing a remote attacker to conduct a denial of service. 19990814 DOS against SuSE's identd 19990824 Security hole in netcfg 587 suse-identd-dos Entry Denial of service in BSDi Symmetric Multiprocessing (SMP) when an fstat call is made when the system has a high CPU load. 19990816 Symmetric Multiprocessing (SMP) Vulnerbility in BSDi 4.0.1 589 bsdi-smp-dos Entry Buffer overflow in Microsoft Telnet client in Windows 95 and Windows 98 via a malformed Telnet argument. 19990815 telnet.exe heap overflow - remotely exploitable MS99-033 win-ie5-telnet-heap-overflow 586 Entry Buffer overflow in Accept command in Netscape Enterprise Server 3.6 with the SSL Handshake Patch. 19990913 Accept overflow on Netscape Enterprise Server 3.6 SP2 631 netscape-accept-bo(3256) Entry Denial of service in Netscape Enterprise Server via a buffer overflow in the SSL handshake. 19990706 Netscape Enterprise Server SSL Handshake Bug Entry The w3-msql CGI script provided with Mini SQL allows remote attackers to view restricted directories. 19990817 Stupid bug in W3-msql mini-sql-w3-msql-cgi 591 Entry The INN inndstart program allows local users to gain privileges by specifying an alternate configuration file using the INNCONF environmental variable. 19990511 INN 2.0 and higher. Root compromise potential CSSA-1999-011.0 19990518 Security hole in INN http://www.redhat.com/corp/support/errata/inn99_05_22.html 255 inn-innconf-env Entry Windows NT RRAS and RAS clients cache a user's password even if the user has not selected the "Save password" option. nt-ras-pwcache Q230681 MS99-017 Entry ColdFusion Administrator with Advanced Security enabled allows remote users to stop the ColdFusion server via the Start/Stop utility. ASB99-07 coldfusion-admin-dos(2207) Entry Netscape Enterprise 3.5.1 and FastTrack 3.01 servers allow a remote attacker to view source code to scripts by appending a %20 to the script's URL. ASB99-06 netscape-space-view Entry Buffer overflow in FuseMAIL POP service via long USER and PASS commands. 19990913 Many kind of POP3/SMTP server softwares for Windows have buffer overflow bug http://www.crosswinds.net/~fuseware/faq.html#8 634 fuseware-popmail-bo Entry Undocumented ColdFusion Markup Language (CFML) tags and functions in the ColdFusion Administrator allow users to gain additional privileges. ASB99-10 550 coldfusion-server-cfml-tags Entry Buffer overflow in FreeBSD fts library routines allows local user to modify arbitrary files via the periodic program. FreeBSD-SA-99:05 freebsd-fts-lib-bo 644 1074 Entry When Javascript is embedded within the TITLE tag, Netscape Communicator allows a remote attacker to use the "about" protocol to gain access to browser information. netscape-title 19990524 Netscape Communicator JavaScript in <TITLE> security vulnerability Entry NetBSD on a multi-homed host allows ARP packets on one network to modify ARP entries on another connected network. 1999-010 netbsd-arp 6540 Entry NetBSD allows ARP packets to overwrite static ARP entries. 1999-010 netbsd-arp 6539 Entry SGI IRIX midikeys program allows local users to modify arbitrary files via a text editor. 19990619 IRIX midikeys root exploit. 19990501-01-A 262 irix-midikeys Entry The Microsoft Java Virtual Machine allows a malicious Java applet to execute arbitrary commands outside of the sandbox environment. MS99-031 Q240346 600 msvm-verifier-java Entry Buffer overflow in Vixie Cron on Red Hat systems via the MAILTO environmental variable. 602 RHSA-1999:030-02 19990829 Security hole in cron Entry Vixie Cron on Linux systems allows local users to set parameters of sendmail commands via the MAILTO environmental variable. RHSA-1999:030-02 CSSA-1999:023.0 19990829 Security hole in cron 19990830 cron 611 Entry Firewall-1 sets a long timeout for connections that begin with ACK or other packets except SYN, allowing an attacker to conduct a denial of service via a large number of connection attempts to unresponsive systems. 19990729 Simple DOS attack on FW-1 549 ACK DOS ATTACK 1027 Entry The web components of Compaq Management Agents and the Compaq Survey Utility allow a remote attacker to read arbitrary files via a .. (dot dot) attack. 19990526 Infosec.19990526.compaq-im.a SSRT0612U management-agent-file-read Entry Denial of service in Compaq Management Agents and the Compaq Survey Utility via a long string sent to port 2301. 19990527 Re: Infosec.19990526.compaq-im.a (New DoS and correction to my previous post) SSRT0612U management-agent-dos Entry Buffer overflow in Solaris lpset program allows local users to gain root access. 19990511 Solaris2.6 and 2.7 lpset overflow sol-lpset-bo Entry Buffer overflows in Mars NetWare Emulation (NWE, mars_nwe) package via long directory names. 19990830 Babcia Padlina Ltd. security advisory: mars_nwe buffer overf RHSA1999037_01 19990916 Security hole in mars nwe 617 Entry Cisco Gigabit Switch routers running IOS allow remote attackers to forward unauthorized packets due to improper handling of the "established" keyword in an access list. 19990610 Cisco IOS Software established Access List Keyword Error cisco-gigaswitch Entry IIS FTP servers may allow a remote attacker to read or delete files on the server, even if they have "No Access" permissions. MS99-039 Q241407 Q242559 iis-ftp-no-access-files 658 Entry Buffer overflow in Xi Graphics Accelerated-X server allows local users to gain root access via a long display or query parameter. 19990626 KSR[T] #011: Accelerated-X 011 488 accelx-display-bo Entry Denial of service in HP-UX SharedX recserv program. HPSBUX9810-086 hp-sharedx Entry KDE klock allows local users to kill arbitrary processes by specifying an arbitrary PID in the .kss.pid file. 19981118 Multiple KDE security vulnerabilities (root compromise) kde-klock-process-kill Entry KDE allows local users to execute arbitrary commands by setting the KDEDIR environmental variable to modify the search path that KDE uses to locate its executables. 19981118 Multiple KDE security vulnerabilities (root compromise) kde-klock-bindir-trojans Entry KDE kppp allows local users to create a directory in an arbitrary location via the HOME environmental variable. 19981118 Multiple KDE security vulnerabilities (root compromise) kde-kppp-directory-create Entry FreeBSD allows local users to conduct a denial of service by creating a hard link from a device special file to a file on an NFS file system. FreeBSD-SA-98:05 I-057 freebsd-nfs-link-dos 6090 Entry The INN inndstart program allows local users to gain root privileges via the "pathrun" parameter in the inn.conf file. 19990511 INN 2.0 and higher. Root compromise potential 19990518 Security hole in INN inn-pathrun 254 Entry The dynamic linker in Solaris allows a local user to create arbitrary files via the LD_PROFILE environmental variable and a symlink attack. 19990922 LD_PROFILE local root exploit for solaris 2.6 659 Entry The SSH authentication agent follows symlinks via a UNIX domain socket. 19990917 A few bugs... 19990924 [Fwd: Truth about ssh 1.2.27 vulnerability] ssh-socket-auth-symlink-dos 660 Entry Arkiea nlservd allows remote attackers to conduct a denial of service. 19990924 Multiple vendor Knox Arkiea local root/remote DoS 662 arkiea-backup-nlserverd-remote-dos Entry Buffer overflow in AIX ftpd in the libc library. 19990928 Remote bufferoverflow exploit for ftpd from AIX 4.3.2 running on an RS6000 ERS-SVA-E01-1999:004.1 J-072 aix-ftpd-bo 679 Entry A remote attacker can read information from a Netscape user's cache via JavaScript. http://home.netscape.com/security/notes/jscachebrowsing.html netscape-javascript Entry Hybrid Network cable modems do not include an authentication mechanism for administration, allowing remote attackers to compromise the system through the HSMP protocol. 19991006 KSR[T] Advisories #012: Hybrid Network's Cable Modems 012 695 hybrid-anon-cable-modem-reconfig Entry Internet Explorer allows remote attackers to read files by redirecting data to a Javascript applet. MS99-043 ie-java-redirect Entry Microsoft Excel does not warn a user when a macro is present in a Symbolic Link (SYLK) format file. MS99-044 excel-sylk Q241900 Q241901 Q241902 Entry FreeBSD T/TCP Extensions for Transactions can be subjected to spoofing attacks. SA-98.03 freebsd-ttcp-spoof 6089 Entry NIS finger allows an attacker to conduct a denial of service via a large number of finger requests, resulting in a large number of NIS queries. 19980629 Distributed DoS attack against NIS/NIS+ based networks. I-070 sun-nis-nisplus Entry Buffer overflow in bootpd 2.4.3 and earlier via a long boot file location. 19970725 Exploitable buffer overflow in bootpd (most unices) bootpd-bo Entry The GetFile.cfm file in Allaire Forums allows remote attackers to read files through a parameter to GetFile.cfm. ASB99-05 19990211 ACFUG List: Alert: Allaire Forums GetFile bug allaire-forums-file-read(1748) 944 Entry BMC Patrol allows remote attackers to gain access to an agent by spoofing frames. 19990409 Patrol security bugs bmc-patrol-frames(2075) Entry Buffer overflow in Internet Explorer 5 allows remote attackers to execute commands via a malformed Favorites icon. 19990503 MSIE 5 FAVICON BUG MS99-018 Q231450 ie-favicon Entry The fwluser script in AIX eNetwork Firewall allows local users to write to arbitrary files via a symlink attack. 19990525 IBM eNetwork Firewall for AIX ibm-enfirewall-tmpfiles 962 Entry Denial of service in Linux 2.2.x kernels via malformed ICMP packets containing unusual types, codes, and IP header lengths. 19990601 Linux kernel 2.2.x vulnerability/exploit 19990607 CSSA-1999:013 19990602 Denial of Service on the 2.2 kernel 19990603 Kernel Update 302 Entry Buffer overflow in Solaris dtprintinfo program. 19990510 Solaris2.6,2.7 dtprintinfo exploits cde-dtprintinfo 6552 Entry The Netscape Directory Server installation procedure leaves sensitive information in a file that is accessible to local users. netscape-dirsvc-password Entry Netscape Communicator 4.x with Javascript enabled does not warn a user of cookie settings, even if they have selected the option to "Only accept cookies originating from the same server as the page being viewed". 19990709 Communicator 4.[56]x, JavaScript used to bypass cookie settings Entry Denial of service in Samba NETBIOS name service daemon (nmbd). 19990721 Samba 2.0.5 security fixes CSSA-1999:018.0 19990731 19990804 RHSA-1999:022-02 19990816 Security hole in Samba Entry Buffer overflow in Samba smbd program via a malformed message command. 19990721 Samba 2.0.5 security fixes RHSA-1999:022-02 CSSA-1999:018.0 19990816 Security hole in Samba 19990731 Samba samba-message-bo 536 Entry Race condition in Samba smbmnt allows local users to mount file systems in arbitrary locations. 19990721 Samba 2.0.5 security fixes 19990731 19990804 CSSA-1999:018.0 RHSA-1999:022-02 19990816 Security hole in Samba Entry Cfingerd with ALLOW_EXECUTION enabled does not properly drop privileges when it executes a program on behalf of the user, allowing local users to gain root privileges. 19990810 Severe bug in cfingerd before 1.4.0 19980724 CFINGERD root security hole 19990814 cfingerd-privileges Entry Red Hat pump DHCP client allows remote attackers to gain root access in some configurations. RHSA-1999:027 Entry Memory leak in SNMP agent in Windows NT 4.0 before SP5 allows remote attackers to conduct a denial of service (memory exhaustion) via a large number of queries. Q196270 nt-snmpagent-leak(1974) oval:org.mitre.oval:def:952 Entry Lynx WWW client allows a remote attacker to specify command-line parameters which Lynx uses when calling external programs to handle certain protocols, e.g. telnet. 19990915 Security hole in lynx Entry NTMail does not disable the VRFY command, even if the administrator has explicitly disabled it. 19991130 NTmail and VRFY 19991130 NTmail and VRFY nt-mail-vrfy Entry FreeBSD seyon allows users to gain privileges via a modified PATH variable for finding the xterm and seyon-emu commands. 19991130 Several FreeBSD-3.3 vulnerabilities 838 freebsd-seyon-dir-add 5996 Entry Buffer overflow in FreeBSD xmindpath allows local users to gain privileges via -f argument. 19991130 Several FreeBSD-3.3 vulnerabilities 839 freebsd-xmindpath 1150 Entry A Windows NT user can use SUBST to map a drive letter to a folder, which is not unmapped after the user logs off, potentially allowing that user to modify the location of folders accessed by later users. 833 19991130 SUBST problem 19991130 Subst.exe carelessness (fwd) Entry Buffer overflow in FreeBSD angband allows local users to gain privileges. 19991130 Several FreeBSD-3.3 vulnerabilities 840 angband-bo 1151 Entry Denial of service in Linux syslogd via a large number of connections. CSSA-1999-035.0 RHSA1999055-01 19991118 syslogd-1.3.33 (a1) 19991130 [david@slackware.com: New Patches for Slackware 4.0 Available] 809 slackware-syslogd-dos Entry Buffer overflow in NFS server on Linux allows attackers to execute commands via a long pathname. 19991109 undocumented bugs - nfsd 19991111 buffer overflow in nfs server 19991110 Security hole in nfs-server < 2.2beta47 within nkita CSSA-1999-033.0 RHSA-1999:053-01 19991130 [david@slackware.com: New Patches for Slackware 4.0 Available] linux-nfs-maxpath-bo 782 Entry Buffer overflow in BIND 8.2 via NXT records. 19991111 Security hole in bind8 < 8.2.2p2 and bind4 < 4.9.7-REL 19991116 Denial of service vulnerabilities in bind CSSA-1999-034.1 RHSA-1999:054-01 CA-99-14 788 bind-nxt-bo Entry Buffer overflow in RSAREF2 via the encryption and decryption functions in the RSAREF library. 19991201 Security Advisory: Buffer overflow in RSAREF2 19991202 OpenBSD sslUSA26 advisory (Re: CORE-SDI: Buffer overflow in RSAREF2) CA-99-15 843 rsaref-bo Entry Denial of service in BIND named via malformed SIG records. 19991111 Security hole in bind8 < 8.2.2p2 and bind4 < 4.9.7-REL 19991116 Denial of service vulnerabilities in bind CSSA-1999-034.1 RHSA-1999:054-01 CA-99-14 bind-sigrecord-dos 788 Entry UnixWare uidadmin allows local users to modify arbitrary files via a symlink attack. 19991202 UnixWare 7 uidadmin exploit + discussion SB-99.22a 842 unixware-uid-admin Entry Denial of service in BIND by improperly closing TCP sessions via so_linger. 19991111 Security hole in bind8 < 8.2.2p2 and bind4 < 4.9.7-REL 19991116 Denial of service vulnerabilities in bind CSSA-1999-034.1 RHSA-1999:054-01 00194 CA-99-14 bind-solinger-dos 788 Entry Buffer overflow in Serv-U FTP 2.5 allows remote users to conduct a denial of service via the SITE command. 19991202 Remote DoS Attack in Serv-U FTP-Server v2.5a Vulnerability 859 servu-ftp-site-bo Entry Windows NT Task Scheduler installed with Internet Explorer 5 allows a user to gain privileges by modifying the job after it has been scheduled. 19991130 Windows NT Task Scheduler vulnerability allows user to administrator elevation MS99-051 Q246972 ie-task-scheduler-privs 828 Entry Symantec Mail-Gear 1.0 web interface server allows remote users to read arbitrary files via a .. (dot dot) attack. 19991129 Symantec Mail-Gear 1.0 Web interface Server Directory Traversal Vulnerability 19991129 Symantec Mail-Gear 1.0 Web interface Server Directory Traversal Vulnerability 827 symantec-mail-dir-traversal 1144 Entry Buffer overflow in free internet chess server (FICS) program, xboard. 19991129 FICS buffer overflow fics-board-bo Entry Denial of service in BIND named via consuming more than "fdmax" file descriptors. 19991111 Security hole in bind8 < 8.2.2p2 and bind4 < 4.9.7-REL 19991116 Denial of service vulnerabilities in bind CSSA-1999-034.1 RHSA-1999:054-01 00194 CA-99-14 788 bind-fdmax-dos Entry Denial of service in BIND named via maxdname. 19991111 Security hole in bind8 < 8.2.2p2 and bind4 < 4.9.7-REL 19991116 Denial of service vulnerabilities in bind CSSA-1999-034.1 RHSA-1999:054-01 00194 CA-99-14 788 bind-maxdname-bo Entry Denial of service in BIND named via naptr. 19991111 Security hole in bind8 < 8.2.2p2 and bind4 < 4.9.7-REL 19991116 Denial of service vulnerabilities in bind CSSA-1999-034.1 RHSA-1999:054-01 00194 CA-99-14 788 bind-naptr-dos Entry Buffer overflow in Netscape Enterprise Server and Netscape FastTrack Server allows remote attackers to gain privileges via the HTTP Basic Authentication procedure. 847 19991201 Buffer Overflow in Netscape Enterprise and FastTrack Authentication Procedure netscape-fasttrack-auth-bo Entry Ultimate Bulletin Board stores data files in the cgi-bin directory, allowing remote attackers to view the data if an error occurs when the HTTP server attempts to execute the file. 19991130 Ultimate Bulletin Board v5.3x? Bug 20000225 FW: Important UBB News For Licensed Users http://www.ultimatebb.com/home/versions.shtml http-ultimate-bbs Entry login in Slackware 7.0 allows remote attackers to identify valid users on the system by reporting an encryption error when an account is locked or does not exist. 19991202 Slackware 7.0 - login bug slackware-remote-login Entry Internet Explorer 5 allows a remote attacker to modify the IE client's proxy configuration via a malicious Web Proxy Auto-Discovery (WPAD) server. MS99-054 Q247333 846 ie-wpad-proxy-settings Entry Solaris arp allows local users to read files via the -f parameter, which lists lines in the file that do not parse properly. 19991130 Solaris 2.x chkperm/arp vulnerabilities 4296166 837 sol-arp-parse 6994 Entry Race condition in the SSL ISAPI filter in IIS and other servers may leak information in plaintext. MS99-053 Q244613 iis-ssl-isapi-filter Entry UnixWare programs that dump core allow a local user to modify files via a symlink attack on the ./core.pid file. 19991202 UnixWare coredumps follow symlinks 19991215 Recent postings about SCO UnixWare 7 19991223 FYI, SCO Security patches available. 19991220 SCO OpenServer Security Status sco-coredump-symlink 851 Entry Buffer overflow in CommuniGatePro via a long string to the HTTP configuration port. 19991203 CommuniGatePro 3.1 for NT DoS 19991203 CommuniGatePro 3.1 for NT Buffer Overflow 860 communigate-pro-bo Entry Buffer overflow in UnixWare xauto program allows local users to gain root privilege. 19991203 UnixWare gain root with non-su/gid binaries 19991215 Recent postings about SCO UnixWare 7 19991223 FYI, SCO Security patches available. 19991220 SCO OpenServer Security Status SB-99.24a sco-xauto-bo 848 Entry Denial of service in IIS 4.0 via a flood of HTTP requests with malformed headers. MS99-029 Q238349 J-058 http-iis-malformed-header 579 Entry ucbmail allows remote attackers to execute commands via shell metacharacters that are passed to it from INN. CA-97.08 inn-ucbmail-shell-meta Entry Internet Explorer 3.x to 4.01 allows a remote attacker to insert malicious content into a frame of another web site, aka frame spoofing. MS98-020 167614 http-frame-spoof Entry Internet Explorer 4.01 allows remote attackers to read arbitrary files by pasting a file name into the file upload control, aka untrusted scripted paste. MS98-015 169245 ie-usp-cuartango Entry Internet Explorer 4.0 and 4.01 allow a remote attacker to read files via IE's cross frame security, aka the "Cross Frame Navigate" vulnerability. MS98-013 7837 ie-crossframe-file-read(3668) Entry Buffer overflow in Skyfull mail server via MAIL FROM command. 759 skyfull-mail-from-bo Entry Buffer overflow in IIS 4.0 allows remote attackers to cause a denial of service via a malformed request for files with .HTR, .IDC, or .STM extensions. MS99-019 Q234905 AD06081999 CA-99-07 J-048 iis-htr-overflow oval:org.mitre.oval:def:915 Entry DHCP clients with ICMP Router Discovery Protocol (IRDP) enabled allow remote attackers to modify their default routes. 19990811 Q216141 578 irdp-gateway-spoof Entry Buffer overflow in Internet Explorer 4.0 via EMBED tag. Q185959 Q176697 Entry Internet Explorer 5 allows remote attackers to read files via an ExecCommand method called on an IFRAME. Q243638 MS99-042 ie-iframe-exec Entry Buffer overflow in WU-FTPD and related FTP servers allows remote attackers to gain root privileges via MAPPING_CHDIR. SSRT0622 RHSA1999031_01 AA-1999.01 CA-99-13 599 wu-ftpd-dir-name Entry Buffer overflow in WU-FTPD and related FTP servers allows remote attackers to gain root privileges via macro variables in a message file. CA-99-13 wuftp-message-file-root Entry Denial of service in WU-FTPD via the SITE NEWER command, which does not free memory properly. CA-99-13 wuftp-site-newer-dos Entry Falcon web server allows remote attackers to read arbitrary files via a .. (dot dot) attack. 19991025 Falcon Web Server Falcon Web Server 743 falcon-path-parsing 1127 Entry Zeus web server allows remote attackers to read arbitrary files by specifying the file name in an option to the search engine. 19991024 RFP9905: Zeus webserver remote root compromise 742 1126 zeus-remote-root(3380) Entry The Zeus web server administrative interface uses weak encryption for its passwords. 19991024 RFP9905: Zeus webserver remote root compromise 742 8186 zeus-weak-password(3833) Entry The security descriptor for RASMAN allows users to point to an alternate location via the Windows NT Service Control Manager. Q242294 MS99-041 645 nt-rasman-pathname Entry FTGate web interface server allows remote attackers to read files via a .. (dot dot) attack. 19991104 FTGate Version 2.1 Web interface Server Directory Traversal Vulnerability AD05261999 1137 Entry dbsnmp in Oracle Intelligent Agent allows local users to gain privileges by setting the ORACLE_HOME environmental variable, which dbsnmp uses to find the nmiconf.tcl script. 19990817 Security Bug in Oracle oracle-dbsnmp 585 Entry Cisco 675 routers running CBOS allow remote attackers to establish telnet sessions if an exec or superuser password has not been set. 19990810 Cisco 675 password nonsense cisco-cbos-telnet 39 Entry iHTML Merchant allows remote attackers to obtain sensitive information or execute commands via a code parsing error. 19990928 Team Asylum: iHTML Merchant Vulnerabilities http://www.ihtmlmerchant.com/support_patches_feedback.htm 694 ihtml-merchant-file-access Entry The "download behavior" in Internet Explorer 5 allows remote attackers to read arbitrary files via a server-side redirect. MS99-040 Q242542 VU#37828 K-002 674 11274 ie-download-behavior Entry Buffer overflow in Netscape Communicator before 4.7 via a dynamic font whose length field is less than the size of the font. 19991018 Netscape 4.x buffer overflow Entry userOsa in SCO OpenServer allows local users to corrupt files via a symlink attack. 19991011 SCO OpenServer 5.0.5 overwrite /etc/shadow sco-openserver-userosa-script Entry Red Hat Linux screen program does not use Unix98 ptys, allowing local users to write to other terminals. RHSA1999042-01 Entry Firewall-1 does not properly restrict access to LDAP attributes. 19991020 Checkpoint FireWall-1 V4.0: possible bug in LDAP authentication 725 checkpoint-ldap-auth 1117 Entry Buffer overflow in RealNetworks RealServer administration utility allows remote attackers to execute arbitrary commands via a long username and password. 19991109 RealNetworks RealServer G2 buffer overflow. http://service.real.com/help/faq/servg260.html realserver-g2-pw-bo 767 Entry iChat ROOMS Webserver allows remote attackers to read arbitrary files via a .. (dot dot) attack. 19980908 bug in iChat 3.0 (maybe others) ichat-file-read-vuln Entry Buffer overflows in Windows NT 4.0 print spooler allow remote attackers to gain privileges or cause a denial of service via a malformed spooler request. MS99-047 Q243649 nt-printer-spooler-bo 768 Entry The Windows NT 4.0 print spooler allows a local user to execute arbitrary commands due to inappropriate permissions that allow the user to specify an alternate print provider. MS99-047 Q243649 769 nt-printer-spooler-bo Entry Buffer overflow in rpc.yppasswdd allows a local user to gain privileges via MD5 hash generation. RHSA1999046-01 19991023 Security hole in ypserv < 1.3.9 19991027 nis Entry ypserv allows a local user to modify the GECOS and login shells of other users. RHSA1999046-01 19991023 Security hole in ypserv < 1.3.9 19991027 nis Entry ypserv allows local administrators to modify password tables. RHSA1999046-01 19991023 Security hole in ypserv < 1.3.9 19991027 nis Entry genfilt in the AIX Packet Filtering Module does not properly filter traffic to destination ports greater than 32767. 19991025 IBM AIX Packet Filter module 19991027 Re: IBM AIX Packet Filter module (followup) aix-genfilt-filtering Entry Buffer overflow in BFTelnet allows remote attackers to cause a denial of service via a long username. 19991103 Remote DoS Attack in BFTelnet Server v1.1 for Windows NT bftelnet-username-dos 771 Entry Denial of service in Axent Raptor firewall via malformed zero-length IP options. 19991020 Remote DoS in Axent's Raptor 6.0 736 raptor-ipoptions-dos 1121 Entry Buffer overflow in sccw allows local users to gain root access via the HOME environmental variable. 19990923 SuSE 6.2 sccw overflow exploit 19990926 Security hole in sccw (Part II) 656 linux-sccw-bo Entry sccw allows local users to read arbitrary files. 19990916 SuSE 6.2 /usr/bin/sccw read any file 19990921 Security Hole in sccw-1.1 and earlier Entry Denial of service in Solaris TCP streams driver via a malicious connection that causes the server to panic as a result of recursive calls to mutex_enter. 19990921 solaris DoS 655 sun-tcp-mutex-enter-dos Entry Multihomed Windows systems allow a remote attacker to bypass IP source routing restrictions via a malformed packet with IP options, aka the "Spoofed Route Pointer" vulnerability. Windows IP Source Routing Vulnerability MS99-038 Q238453 646 nt-ip-source-route Entry FreeBSD VFS cache (vfs_cache) allows local users to cause a denial of service by opening a large number of files. 19990921 FreeBSD-specific denial of service 653 freebsd-vfscache-dos 1079 Entry Buffer overflow in the FTP client in the Debian GNU/Linux netstd package. 19990104 19990103 [SECURITY] New versions of netstd fixes buffer overflows 324 Entry URL Live! web server allows remote attackers to read arbitrary files via a .. (dot dot) attack. 19991028 URL Live! 1.0 WebServer 746 1129 Entry WebTrends software stores account names and passwords in a file which does not have restricted access permissions. 19990629 Bad Permissions on Passwords Stored by WebTrends Software Entry The Preloader ActiveX control used by Internet Explorer allows remote attackers to read arbitrary files. MS99-018 Q231452 legacy-activex-local-drive Entry Denial of service in various Windows systems via malformed, fragmented IGMP packets. 19990703 IGMP fragmentation bug in Windows 98/2000 Q238329 MS99-034 igmp-dos 514 Entry Buffer overflow in the pop-2d POP daemon in the IMAP package allows remote attackers to gain privileges via the FOLD command. 19990526 Remote vulnerability in pop2d 19990607a 283 pop2-fold-bo Entry BMC Patrol allows any remote attacker to flood its UDP port, causing a denial of service. 19990409 Patrol security bugs bmc-patrol-udp-dos(4291) 1879 Entry An example application in ColdFusion Server 4.0 allows remote attackers to view source code via the sourcewindow.cfm file. ASB99-02 coldfusion-sourcewindow Entry The Syntax Checker in ColdFusion Server 4.0 allows remote attackers to conduct a denial of service. ASB99-02 coldfusion-syntax-checker(1742) 3236 Entry NTMail allows remote attackers to read arbitrary files via a .. (dot dot) attack. AD05261999 279 ntmail-fileread Entry Buffer overflow in SmartDesk WebSuite allows remote attackers to cause a denial of service via a long URL. 19990525 Buffer overflow in SmartDesk WebSuite v2.1 websuite-dos 278 Entry wwwboard allows a remote attacker to delete message board articles via a malformed argument. 19980903 wwwboard.pl vulnerability http://www.worldwidemart.com/scripts/faq/wwwboard/q5.shtml http-cgi-wwwboard(2344) 1795 Entry Buffer overflow in Mediahouse Statistics Server allows remote attackers to execute commands. 19990930 Security flaw in Mediahouse Statistics Server v4.28 & 5.01 734 mediahouse-stats-login-bo Entry Mediahouse Statistics Server allows remote attackers to read the administrator password, which is stored in cleartext in the ss.cfg file. 19990930 Security flaw in Mediahouse Statistics Server v4.28 & 5.01 735 mediahouse-stats-adminpw-cleartext Entry TeamTrack web server allows remote attackers to read arbitrary files via a .. (dot dot) attack. 19991001 RFP9904: TeamTrack webserver vulnerability 689 1096 Entry classifieds.cgi allows remote attackers to read arbitrary files via shell metacharacters. 19991215 Classifieds (classifieds.cgi) 2020 http-cgi-classifieds-read(3102) Entry classifieds.cgi allows remote attackers to execute arbitrary commands by specifying them in a hidden variable in a CGI form. 19991215 Classifieds (classifieds.cgi) Entry BNBSurvey survey.cgi program allows remote attackers to execute commands via shell metacharacters. 19981203 BNBSurvey (survey.cgi) Entry BNBForm allows remote attackers to read arbitrary files via the automessage hidden form variable. 19981203 BNBForm (bnbform.cgi) Entry MBone SDR Package allows remote attackers to execute commands via shell metacharacters in Sesion Initiation Protocol (SIP) messages. VN-99-03 sdr-execute Entry Denial of service in Debian IRC Epic/epic4 client via a long string. 19990826 [SECURITY] New versions of epic4 fixes possible DoS vulnerability 19990826 605 Entry Buffer overflow in mutt mail client allows remote attackers to execute commands via malformed MIME messages. CSSA-1999-031 19990927 Security hole in mutt Entry UnixWare dos7utils allows a local user to gain root privileges by using the STATICMERGE environmental variable to find a script which it executes. 19991005 SCO UnixWare 7.1 local root exploit sco-unixware-dos7utils-root-privs Entry Buffer overflow in OpenLink 3.2 allows remote attackers to gain privileges via a long GET request to the web configurator. 19991015 OpenLink 3.2 Advisory 720 Entry Buffer overflow in Internet Mail Service (IMS) for Microsoft Exchange 5.5 and 5.0 allows remote attackers to conduct a denial of service via AUTH or AUTHINFO commands. 19980724 Denial of Service attacks against Microsoft Exchange 5.0 to 5.5 I-080 Q169174 exchange-dos(1223) Entry Buffer overflow in Yamaha MidiPlug via a Text variable in an EMBED tag. 19991102 Some holes for Win/UNIX softwares yamaha-midiplug-embed 760 Entry AN-HTTPd provides example CGI scripts test.bat, input.bat, input2.bat, and envout.bat, which allow remote attackers to execute commands via shell metacharacters. 19991102 Some holes for Win/UNIX softwares 762 Entry Buffer overflow in WFTPD FTP server allows remote attackers to gain root access via a series of MKD and CWD commands that create nested directories. 19991027 WFTPD v2.40 FTPServer remotely exploitable buffer overflow vulnerability 747 wftpd-mkd-bo Entry Buffer overflow in OmniHTTPd CGI program imagemap.exe allows remote attackers to execute commands. 19991022 Imagemap CGI overflow exploit 739 http-cgi-imagemap-bo 3380 Entry WWWBoard stores encrypted passwords in a password file that is under the web root and thus accessible by remote attackers. 19980903 wwwboard.pl vulnerability 19990916 More fun with WWWBoard Entry WWWBoard has a default username and default password. 19990916 More fun with WWWBoard 649 Entry Race condition in wu-ftpd and BSDI ftpd allows remote attackers gain root access via the SITE EXEC command. CA-94.08 E-17 ftp-exec Entry The NeXT NetInfo _writers property allows local users to gain root privileges or conduct a denial of service. CA-93.02a next-netinfo Entry MajorCool mj_key_cache program allows local users to modify files via a symlink attack. 19970618 Security hole in MajorCool 1.0.3 majorcool-file-overwrite-vuln Entry sudo 1.5.x allows local users to execute arbitrary commands via a .. (dot dot) attack. 19980112 Re: hole in sudo for MP-RAS. sudo-dot-dot-attack Entry IRIX startmidi program allows local users to modify arbitrary files via a symlink attack. 19970209 IRIX: Bug in startmidi AA-97-05 19980301-01-PX 469 8447 irix-startmidi-file-creation((1634) Entry IRIX cdplayer allows local users to create directories in arbitrary locations via a command line option. AA-96.11 19980301-01-PX irix-cdplayer-directory-create Entry HPUX sysdiag allows local users to gain root privileges via a symlink attack during log file creation. 19960921 Vunerability in HP sysdiag ? H-03 hp-sysdiag-symlink Entry Buffer overflow in HPUX passwd command allows local users to gain root privileges via a command line option. AA-96.13 HPSBUX9701-045 hp-password-cmd-bo 6415 Entry FreeBSD mount_union command allows local users to gain root privileges via a symlink attack. 19960517 BoS: SECURITY BUG in FreeBSD VB-96.06 freebsd-mount-union-root 6088 Entry Buffer overflow in FreeBSD setlocale in the libc module allows attackers to execute arbitrary code via a long PATH_LOCALE environment variable. FreeBSD-SA-97:01 freebsd-setlocale-bo 6086 Entry Race condition in xterm allows local users to modify arbitrary files via the logging option. CA-93.17 xterm Entry Buffer overflow in Solaris getopt in libc allows local users to gain root privileges via a long argv[0]. 19970127 Solaris libc - getopt(3) Entry Buffer overflow in the HTML library used by Internet Explorer, Outlook Express, and Windows Explorer via the res: local resource protocol. 19971101 Microsoft Internet Explorer 4.0 Suite Entry Buffer overflow in BNC IRC proxy allows remote attackers to gain privileges. 19981226 bnc exploit bnc-proxy-bo(1546) 1927 Entry The Windows NT RPC service allows remote attackers to conduct a denial of service using spoofed malformed RPC packets which generate an error message that is sent to the spoofed host, potentially setting up a loop, aka Snork. 19980929 "Snork" Denial of Service Attack Against Windows NT RPC Service 19980929 ISS Security Advisory: Snork MS98-014 Q193233 snork-dos Entry Buffer overflow in Exim allows local users to gain root privileges via a long :include: option in a .forward file. 19970722 Security hole in exim 1.62: local root exploit exim-include-overflow Entry Buffer overflow in Xshipwars xsw program. 19991209 xsw 1.24 remote buffer overflow 863 Entry Buffer overflow in Solaris snoop program allows remote attackers to gain root privileges via a long domain name when snoop is running in verbose mode. 19991206 [w00giving #8] Solaris 2.7's snoop 19991209 Clarification needed on the snoop vuln(s) (fwd) 858 Entry Buffer overflow in Solaris snoop allows remote attackers to gain root privileges via GETQUOTA requests to the rpc.rquotad service. 19991209 Buffer Overflow in Solaris Snoop 00190 19991209 Clarification needed on the snoop vuln(s) (fwd) 864 Entry The Windows help system can allow a local user to execute commands as another user by editing a table of contents metafile with a .CNT extension and modifying the topic action to include the commands to be executed when the .hlp file is accessed. 19991207 Local user can fool another to run executable. .CNT/.GID/.HLP M$WINNT 868 Entry Sendmail allows local users to reinitialize the aliases database via the newaliases command, then cause a denial of service by interrupting Sendmail. 19991204 19991207 [Debian] New version of sendmail released sendmail-bi-alias 857 Entry Buffer overflow in Solaris sadmind allows remote attackers to gain root privileges using a NETMGT_PROC_SERVICE request. 19991209 sadmind 19991210 Solaris sadmind Buffer Overflow Vulnerability 19991210 Re: Solaris sadmind Buffer Overflow Vulnerability CA-99-16 00191 866 2354 sol-sadmind-amslverify-bo 2558 Entry htdig allows remote attackers to execute commands via filenames with shell metacharacters. 19991209 867 Entry The SCO UnixWare privileged process system allows local users to gain root privileges by using a debugger such as gdb to insert traps into _init before the privileged process is executed. 19991209 Fundamental flaw in UnixWare 7 security 19991215 Recent postings about SCO UnixWare 7 869 Entry Windows NT Service Control Manager (SCM) allows remote attackers to cause a denial of service via a malformed argument in a resource enumeration request. MS99-055 Q246045 Entry Internet Explorer 5.01 and earlier allows a remote attacker to create a reference to a client window and use a server-side redirect to access local files via that window, aka "Server-side Page Reference Redirect." MS99-050 Q246094 Entry The Sun Web-Based Enterprise Management (WBEM) installation script stores a password in plaintext in a world readable file. 19991206 Solaris WBEM 1.0: plaintext password stored in world readable file Entry The ping command in Linux 2.0.3x allows local users to cause a denial of service by sending large packets with the -R (record route) option. 19991209 Big problem on 2.0.x? 870 Entry Windows NT does not properly download a system policy if the domain user logs into the domain with a space at the end of the domain name. 19991118 NT System Policy for Win95 Not downloaded when adding a space after domain name Q237923 Entry Buffer overflow in Internet Explorer 5 directshow filter (MSDXM.OCX) allows remote attackers to execute commands via the vnd.ms.radio protocol. 19991205 new IE5 remote exploit 19991205 new IE5 remote exploit 861 Entry Buffer overflow in GoodTech Telnet Server NT allows remote users to cause a denial of service via a long login name. 19991206 Remote DoS Attack in GoodTech Telnet Server NT v2.2.1 Vulnerability 19991206 Remote DoS Attack in GoodTech Telnet Server NT v2.2.1 Vulnerability 862 Entry HP VirtualVault with the PHSS_17692 patch allows unprivileged processes to bypass access restrictions via the Trusted Gateway Proxy (TGP). HPSBUX9912-107 Entry Windows NT with SYSKEY reuses the keystream that is used for encrypting SAM password hashes, allowing an attacker to crack passwords. 19991216 Windows NT's SYSKEY feature MS99-056 Q248183 873 Entry Windows NT Local Security Authority (LSA) allows remote attackers to cause a denial of service via malformed arguments to the LsaLookupSids function which looks up the SID, aka "Malformed Security Identifier Request." 19991216 Windows NT LSA Remote Denial of Service MS99-057 Q248185 875 Entry Buffer overflow in Infoseek Ultraseek search engine allows remote attackers to execute commands via a long GET request. AD19991215 19991216 Infoseek Ultraseek Remote Buffer Overflow 19991216 Infoseek Ultraseek Remote Buffer Overflow infoseek-ultraseek-bo 6490 Entry wu-ftp with FTP conversion enabled allows an attacker to execute commands via a malformed file name that is interpreted as an argument to the program that does the conversion, e.g. tar or uncompress. 19991220 Security vulnerability in certain wu-ftpd (and derivitives) configurations (fwd) DSA-377 wuftp-ftp-conversion Entry Cisco Cache Engine allows an attacker to replace content in the cache. 19991216 Cisco Cache Engine Authentication Vulnerabilities 19991216 Cisco Security Advisory: Cisco Cache Engine Authentication Vulnerabilities cisco-cache-engine-replace Entry Microsoft SQL 7.0 server allows a remote attacker to cause a denial of service via a malformed TDS packet. MS99-059 Q248749 817 Entry The web administration interface for Cisco Cache Engine allows remote attackers to view performance statistics. 19991216 Cisco Cache Engine Authentication Vulnerabilities 19991216 Cisco Security Advisory: Cisco Cache Engine Authentication Vulnerabilities cisco-cache-engine-performance Entry Cisco Cache Engine allows a remote attacker to gain access via a null username and password. 19991216 Cisco Cache Engine Authentication Vulnerabilities 19991216 Cisco Security Advisory: Cisco Cache Engine Authentication Vulnerabilities Entry Buffer overflow in the POP server POProxy for the Norton Anti-Virus protection NAV2000 program via a large USER command. 19991217 NAV2000 Email Protection DoS 19991220 Norton Email Protection Remote Overflow (Addendum) http://service1.symantec.com/SUPPORT/nav.nsf/df0a595864594c86852567ac0063608c/6206f660a1f2516a882568660082c930?OpenDocument&Highlight=0,poproxy 6267 Entry Groupwise web server GWWEB.EXE allows remote attackers to read arbitrary files with .htm extensions via a .. (dot dot) attack using the HELP parameter. 19991219 Groupewise Web Interface groupwise-web-read-files 879 3413 Entry Buffer overflow in VDO Live Player allows remote attackers to execute commands on the VDO client via a malformed .vdo file. 19991213 VDO Live Player 3.02 Buffer Overflow vdolive-bo-execute 872 Entry xsoldier program allows local users to gain root access via a long argument. 19991215 FreeBSD 3.3 xsoldier root exploit http://marc.theaimsgroup.com/?l=freebsd-security&m=94531826621620&w=2 871 unix-xsoldier-overflow Entry An SSH 1.2.27 server allows a client to use the "none" cipher, even if it is not allowed by the server policy. 19991214 sshd1 allows unencrypted sessions regardless of server policy ssh-policy-bypass Entry The Remote Data Service (RDS) DataFactory component of Microsoft Data Access Components (MDAC) in IIS 3.x and 4.x exposes unsafe methods, which allows remote attackers to execute arbitrary commands. MS98-004 MS99-025 J-054 19990809 Vulnerabilities in Microsoft Remote Data Service 529 nt-iis-rds 272 Entry Buffer overflow in mail command in Solaris 2.7 and 2.7 allows local users to gain privileges via a long -m argument. 19990913 Solaris 2.7 /usr/bin/mail 19990927 Working Solaris x86 /usr/bin/mail exploit 4276509 sun-usrbinmail-local-bo(3297) 672 Entry SpectroSERVER in Cabletron Spectrum Enterprise Manager 5.0 installs a directory tree with insecure permissions, which allows local users to replace a privileged executable (processd) with a Trojan horse, facilitating a root or Administrator compromise. 19990623 Cabletron Spectrum security vulnerability 19990624 Re: Cabletron Spectrum security vulnerability 495 Entry NFS on SunOS 4.1 through 4.1.2 ignores the high order 16 bits in a 32 bit UID, which allows a local user to gain root access if the lower 16 bits are set to 0, as fixed by the NFS jumbo patch upgrade. CA-1992-15 00117 47 nfs-uid(82) Entry Solaris 2.6 HW3/98 installs admintool with world-writable permissions, which allows local users to gain privileges by replacing it with a Trojan horse program. 19980507 admintool mode 0777 in Solaris 2.6 HW3/98 4178998 solaris-admintool-world-writable(7296) 290 Entry Symantec pcAnywhere 8.0 allows remote attackers to cause a denial of service (CPU utilization) via a large amount of data to port 5631. 19990528 DoS against PC Anywhere 288 pcanywhere-dos(2256) Entry Vulnerability in LAT/Telnet Gateway (lattelnet) on Ultrix 4.1 and 4.2 allows attackers to gain root privileges. CA-1991-11 B-36 26 ultrix-telnet(584) Entry Vulnerability in login in AT&T System V Release 4 allows local users to gain privileges. CA-1991-08 B-28 23 sysv-login(583) Entry IIS 3.0 and 4.0 on x86 and Alpha allows remote attackers to cause a denial of service (hang) via a malformed GET request, aka the IIS "GET" vulnerability. MS98-019 Q192296 iis-get-dos(1823) Entry rex.satan in SATAN 1.1.1 allows local users to overwrite arbitrary files via a symlink attack on the /tmp/rex.$$ file. 19980626 vulnerability in satan, cops & tiger 19980627 Re: vulnerability in satan, cops & tiger satan-rexsatan-symlink(7167) 3147 Entry Vulnerability in Advanced File System Utility (advfs) in Digital UNIX 4.0 through 4.0d allows local users to gain privileges. SSRT0495U I-050 dgux-advfs-softlinks(7431) Entry pnserver in RealServer 5.0 and earlier allows remote attackers to cause a denial of service by sending a short, malformed request. 19980115 pnserver exploit.. 19980115 [rootshell] Security Bulletin #7 19980817 Re: Real Audio Server Version 5 bug? http://service.real.com/help/faq/serv501.html realserver-pnserver-remote-dos(7297) 6979 Entry When BSDI patches for Gauntlet 5.0 BSDI are installed in a particular order, Gauntlet allows remote attackers to bypass firewall access restrictions, and does not log the activities. 19991018 Gauntlet 5.0 BSDI warning 19991019 Re: Gauntlet 5.0 BSDI warning gauntlet-bsdi-bypass(3397) Entry Buffer overflow in bash 2.0.0, 1.4.17, and other versions allows local attackers to gain privileges by creating an extremely large directory name, which is inserted into the password prompt via the \w option in the PS1 environmental variable when another user changes into that directory. 19980905 BASH buffer overflow, LiNUX x86 exploit 19970821 Buffer overflow in /bin/bash 19980909 problem with very long pathnames linux-bash-bo(3414) 8345 Entry Microsoft Excel 97 does not warn the user before executing worksheet functions, which could allow attackers to execute arbitrary commands by using the CALL function to execute a malicious DLL, aka the Excel "CALL Vulnerability." MS98-018 179 excel-call(1737) Entry VMS 4.0 through 5.3 allows local users to gain privileges via the ANALYZE/PROCESS_DUMP dcl command. CA-1990-07 B-04 12 vms-analyze-processdump-privileges(7137) Entry Vulnerability in rexec daemon (rexecd) in AT&T TCP/IP 4.0 for various SVR4 systems allows remote attackers to execute arbitrary commands. CA-1992-04 36 att-rexecd(3159) Entry Webmin before 0.5 does not restrict the number of invalid passwords that are entered for a valid username, which could allow remote attackers to gain privileges via brute force password cracking. 19980501 Warning! Webmin Security Advisory http://www.webmin.com/webmin/changes.html 98 Entry rmmount in SunOS 5.7 may mount file systems without the nosuid flag set, contrary to the documentation and its use in previous versions of SunOS, which could allow local users with physical access to gain root privileges by mounting a floppy or CD-ROM that contains a setuid program and running volcheck, when the file systems do not have the nosuid option specified in rmmount.conf. 19990510 SunOS 5.7 rmmount, no nosuid. 19991011 250 4205437 solaris-rmmount-gain-root(8350) Entry SSH 1.2.25, 1.2.23, and other versions, when used in in CBC (Cipher Block Chaining) or CFB (Cipher Feedback 64 bits) modes, allows remote attackers to insert arbitrary data into an existing stream between an SSH client and server by using a known plaintext attack and computing a valid CRC-32 checksum for the packet, aka the "SSH insertion attack." 19980612 CORE-SDI-04: SSH insertion attack 19980703 UPDATE: SSH insertion attack 20010627 Multiple SSH Vulnerabilities VU#13877 ssh-insert(1126) Entry Internet Explorer 4 treats a 32-bit number ("dotless IP address") in the a URL as the hostname instead of an IP address, which causes IE to apply Local Intranet Zone settings to the resulting web page, allowing remote malicious web servers to conduct unauthorized activities by using URLs that contain the dotless IP address for their server. MS98-016 Q168617 http://www.microsoft.com/Windows/Ie/security/dotless.asp 7828 ie-dotless(2209) Entry The default configuration of NCSA Telnet package for Macintosh and PC enables FTP, even though it does not include an "ftp=yes" line, which allows remote attackers to read and modify arbitrary files. CA-1991-15 ftp-ncsa(1844) Entry Buffer overflow in the Window.External function in the JScript Scripting Engine in Internet Explorer 4.01 SP1 and earlier allows remote attackers to execute arbitrary commands via a malicious web page. MS98-011 Q191200 java-script-patch(1276) Entry Buffer overflow in Internet Explorer 4.01 and earlier allows remote attackers to execute arbitrary commands via a long URL with the "mk:" protocol, aka the "MK Overrun security issue." Q176697 19980114 L0pht Advisory MSIE4.0(1) iemk-bug(917) Entry Vulnerability in BSD Telnet client with encryption and Kerberos 4 authentication allows remote attackers to decrypt the session via sniffing. CA-1995-03 F-12 bsd-telnet(516) 4881 Entry Kerberos 4 allows remote attackers to obtain sensitive information via a malformed UDP packet that generates an error string that inadvertently includes the realm name and the last user. 19961122 L0pht Kerberos Advisory kerberos-user-grab(65) Entry Cisco PIX Private Link 4.1.6 and earlier does not properly process certain commands in the configuration file, which reduces the effective key length of the DES key to 48 bits instead of 56 bits, which makes it easier for an attacker to find the proper key via a brute force attack. 19980616 PIX Private Link Key Processing and Cryptography Issues I-056 cisco-pix-parse-error(1579) Entry lpr on SunOS 4.1.1, BSD 4.3, A/UX 2.0.1, and other BSD-based operating systems allows local users to create or overwrite arbitrary files via a symlink attack that is triggered after invoking lpr 1000 times. http://www.phreak.org/archives/security/8lgm/8lgm.lpr 19940307 8lgm Advisory Releases E-25a Entry dxconsole in DEC OSF/1 3.2C and earlier allows local users to read arbitrary files by specifying the file with the -file parameter. VB-96.05 G-18 http://www.tao.ca/fire/bos/0209.html osf-dxconsole-gain-privileges(7138) Entry Windows 95 uses weak encryption for the password list (.pwl) file used when password caching is enabled, which allows local users to gain privileges by decrypting the passwords. 19951205 Cracked: WINDOWS.PWL 19980121 How to recover private keys for various Microsoft products 19980120 How to recover private keys for various Microsoft products Q140557 win95-nbsmbpwl(71) Entry Windows 95, when Remote Administration and File Sharing for NetWare Networks is enabled, creates a share (C$) when an administrator logs in remotely, which allows remote attackers to read arbitrary files by mapping the network drive. http://www.zdnet.com/eweek/reviews/1016/tr42bug.html http://www.net-security.sk/bugs/NT/netware1.html win95-netware-hidden-share(7231) Entry Sendmail before 8.10.0 allows remote attackers to cause a denial of service by sending a series of ETRN commands then disconnecting from the server, while Sendmail continues to process the commands after the connection has been terminated. 19991222 Re: procmail / Sendmail - five bugs 20000113 Re: procmail / Sendmail - five bugs 904 sendmail-etrn-dos(7760) Entry Vulnerability in StackGuard before 1.21 allows remote attackers to bypass the Random and Terminator Canary security mechanisms by using a non-linear attack which directly modifies a pointer to a return address instead of using a buffer overflow to reach the return address entry itself. 19911109 ImmuniX OS Security Alert: StackGuard 1.21 Released 786 immunix-stackguard-bo(3524) Entry Buffer overflow in Korn Shell (ksh) suid_exec program on IRIX 6.x and earlier, and possibly other operating systems, allows local users to gain root privileges. H-15A AA-96.17 19980405-01-I ksh-suid_exec(2100) 467 Entry Vulnerability in the /etc/suid_exec program in HP Apollo Domain/OS sr10.2 and sr10.3 beta, related to the Korn Shell (ksh). CA-1990-04 A-30 7 apollo-suidexec-unauthorized-access(6721) Entry Vulnerability in runpriv in Indigo Magic System Administration subsystem of SGI IRIX 6.3 and 6.4 allows local users to gain root privileges. 19970503-01-PX 462 1009 sgi-runpriv(2108) Entry lquerypv in AIX 4.1 and 4.2 allows local users to read arbitrary files by specifying the file in the -h command line parameter. 19961124 19961125 lquerypv fix 19961125 AIX lquerypv H-13 455 ibm-lquerypv(1752) Entry ndd in Solaris 2.6 allows local users to cause a denial of service by modifying certain TCP/IP parameters. 00165 433 sun-ndd(817) Entry FTP installation script anon.ftp in AIX insecurely configures anonymous FTP, which allows remote attackers to execute arbitrary commands. CA-1992-09 41 aix-anon-ftp(3154) Entry netprint in SGI IRIX 6.4 and earlier trusts the PATH environmental variable for finding and executing the disable program, which allows local users to gain privileges. 19970104 Irix: netprint story 19961203-01-PX 19961203-02-PX 395 993 sgi-netprint(2107) Entry The default configuration for UUCP in AIX before 3.2 allows local users to gain root privileges. CA-1992-06 38 ibm-uucp(554) 891 Entry Vulnerability in restore in SunOS 4.0.3 and earlier allows local users to gain privileges. CA-1989-02 CIAC-08 1019265 3 sun-restore-gain-privileges(6695) Entry Windows NT 4.0 does not properly shut down invalid named pipe RPC connections, which allows remote attackers to cause a denial of service (resource exhaustion) via a series of connections containing malformed data, aka the "Named Pipes Over RPC" vulnerability. MS98-017 Q195733 nt-spoolss(523) Entry Buffer overflow in OSF Distributed Computing Environment (DCE) security demon (secd) in IRIX 6.4 and earlier allows attackers to cause a denial of service via a long principal, group, or organization. VB-97.12 I-060 19980601-01-PX sgi-osf-dce-dos(1123) Entry Windows NT 4.0 allows remote attackers to cause a denial of service (crash) via extra source routing data such as (1) a Routing Information Field (RIF) field with a hop count greater than 7, or (2) a list containing duplicate Token Ring IDs. 19981005 NMRC Advisory - Lame NT Token Ring DoS 19981002 NMRC Advisory - Lame NT Token Ring DoS Q179157 token-ring-dos(1399) Entry Vulnerability in Predictive on HP-UX 11.0 and earlier, and MPE/iX 5.5 and earlier, allows attackers to compromise data transfer for Predictive messages (using e-mail or modem) between customer and Response Center Predictive systems. HPSBUX9807-081 HPSBMP9807-005 19980729 HP-UX Predictive & Netscape SSL Vulnerabilities I-081 mpeix-predictive(1413) Entry The permissions for the /dev/audio device on Solaris 2.2 and earlier, and SunOS 4.1.x, allow any local user to read from the device, which could be used by an attacker to monitor conversations happening near a machine that has a microphone. E-01 00122 sun-audio(549) 6436 Entry SCO UNIX System V/386 Release 3.2, and other SCO products, installs the home directories (1) /tmp for the dos user, and (2) /usr/tmp for the asg user, which allows other users to gain access to those accounts since /tmp and /usr/tmp are world-writable. CA-1993-13 sco-homedir(546) Entry Character-Terminal User Environment (CUE) in HP-UX 11.0 and earlier allows local users to overwrite arbitrary files and gain root privileges via a symlink attack on the IOERROR.mytty file. 19980121 HP-UX CUE, CUD and LAND vulnerabilities 19970901 HP UX Bug :) HPSBUX9801-074 I-027B hp-cue(2007) Entry Buffer overflow in CrackLib 2.5 may allow local users to gain root privileges via a long GECOS field. 19971214 buffer overflows in cracklib?! VB-97.16 cracklib-bo(1539) Entry SunOS 4.1.2 and earlier allows local users to gain privileges via "LD_*" environmental variables to certain dynamically linked setuid or setgid programs such as (1) login, (2) su, or (3) sendmail, that change the real and effective user ids to the same user. CA-1992-11 00116 sun-env(3152) Entry Vulnerability in runtime linker program rld in SGI IRIX 6.x and earlier allows local users to gain privileges via setuid and setgid programs. H-065 19970504-01-PX sgi-rld(2109) Entry Certain files in MPower in HP-UX 10.x are installed with insecure permissions, which allows local users to gain privileges. HPSBUX9701-051 hp-mpower(2056) Entry Vulnerability in Glance programs in GlancePlus for HP-UX 10.20 and earlier allows local users to access arbitrary files and gain privileges. HPSBUX9701-044 H-21 hp-glanceplus(2059) Entry Vulnerability in Glance and gpm programs in GlancePlus for HP-UX 9.x and earlier allows local users to access arbitrary files and gain privileges. HPSBUX9405-011 hp-glanceplus-gpm(2060) Entry Buffer overflow in Platinum Policy Compliance Manager (PCM) 7.0 allows remote attackers to execute arbitrary commands via a long string to the Agent port (1827), which is handled by smaxagent.exe. 19981204 [SAFER-981204.DOS.1.3] Buffer Overflow in Platinum PCM 7.0 19981207 Re: [SAFER-981204.DOS.1.3] Buffer Overflow in Platinum PCM 7.0 pcm-dos-execute(1430) 3164 Entry FTP service in IIS 4.0 and earlier allows remote attackers to cause a denial of service (resource exhaustion) via many passive (PASV) connections at the same time. MS98-006 Q189262 iis-passive-ftp(1215) Entry BisonWare FTP Server 4.1 and earlier allows remote attackers to cause a denial of service via a malformed PORT command that contains a non-numeric character and a large number of carriage returns. 19990517 Vulnerabilities in BisonWare FTP Server 3.5 bisonware-port-crash(2254) Entry Tcpip.sys in Windows NT 4.0 before SP4 allows remote attackers to cause a denial of service via an ICMP Subnet Mask Address Request packet, when certain multiple IP addresses are bound to the same network interface. Q192774 tcpipsys-icmp-dos(3894) Entry SSH 2.0.11 and earlier allows local users to request remote forwarding from privileged ports without being root. 19981229 ssh2 security problem (and patch) (fwd) ssh-privileged-port-forward(1471) Entry Vulnerability in ftpd/kftpd in HP-UX 10.x and 9.x allows local and possibly remote users to gain root privileges. HPSBUX9702-055 H-33 hp-ftpd-kftpd(7437) Entry Vulnerability in ppl in HP-UX 10.x and earlier allows local users to gain root privileges by forcing ppl to core dump. 19961103 Re: Untitled 19961104 ppl bugs HPSBUX9704-057 H-32 AA-97.07 hp-ppl(7438) Entry Vulnerability in passwd in SCO UNIX 4.0 and earlier allows attackers to cause a denial of service by preventing users from being able to log into the system. CA-1993-08 sco-passwd-deny(542) Entry Vulnerability in HP Series 800 S/X/V Class servers allows remote attackers to gain access to the S/X/V Class console via the Service Support Processor (SSP) Teststation. HPSBUX9911-105 hp-ssp(7439) Entry Cross-site scripting vulnerability in Third Voice Web annotation utility allows remote users to read sensitive data and generate fake web pages for other Third Voice users by injecting malicious Javascript into an annotation. http://www.wired.com/news/technology/0,1282,20677,00.html http://www.wired.com/news/technology/0,1282,20636,00.html thirdvoice-cross-site-scripting(7252) Entry Web Cache Control Protocol (WCCP) in Cisco Cache Engine for Cisco IOS 11.2 and earlier does not use authentication, which allows remote attackers to redirect HTTP traffic to arbitrary hosts via WCCP packets to UDP port 2048. 19980513 Cisco Web Cache Control Protocol Router Vulnerability I-054 cisco-wccp-vuln(1577) Entry Directory traversal vulnerability in nph-publish before 1.2 allows remote attackers to overwrite arbitrary files via a .. (dot dot) in the pathname for an upload operation. http://www.w3.org/Security/Faq/wwwsf4.html http://www-genome.wi.mit.edu/WWW/tools/CGI_scripts/server_publish/nph-publish http-cgi-nphpublish(2055) Entry Vulnerability in On-Line Customer Registration software for IRIX 6.2 through 6.4 allows local users to gain root privileges. 19980901-01-PX J-003 irix-register(7441) Entry mysqld in MySQL 3.21 creates log files with world-readable permissions, which allows local users to obtain passwords for users who are added to the user database. 19981227 mysql: mysqld creates world readable logs.. mysql-readable-log-files(1568) Entry Buffer overflow in Netscape Navigator/Communicator 4.7 for Windows 95 and Windows 98 allows remote attackers to cause a denial of service, and possibly execute arbitrary commands, via a long argument after the ? character in a URL that references an .asp, .cgi, .html, or .pl file. 19991124 Netscape Communicator 4.7 - Navigator Overflows 19991127 Netscape Communicator 4.7 - Navigator Overflows 822 netscape-long-argument-bo(7884) Entry Buffer overflow in chkey in Solaris 2.5.1 and earlier allows local users to gain root privileges via a long command line argument. 19970519 Re: Finally, most of an exploit for Solaris 2.5.1's ps. AA-97.18 00144 207 solaris-chkey-bo(7442) Entry Buffer overflow in eeprom in Solaris 2.5.1 and earlier allows local users to gain root privileges via a long command line argument. 00143 206 solaris-eeprom-bo(7444) Entry The "me" user in NeXT NeXTstep 2.1 and earlier has wheel group privileges, which could allow the me user to use the su command to become root. CA-1991-06 next-me(581) 20 Entry chroot in Digital Ultrix 4.1 and 4.0 is insecurely installed, which allows local users to gain privileges. CA-1991-05 17 dec-chroot(577) Entry TIOCCONS in SunOS 4.1.1 does not properly check the permissions of a user who tries to redirect console output and input, which could allow a local user to gain privileges. CA-1990-12 14 sunos-tioccons-console-redirection(7140) Entry BuildDisk program on NeXT systems before 2.0 does not prompt users for the root password, which allows local users to gain root privileges. CA-1990-06 B-01 11 nextstep-builddisk-root-access(7141) Entry Apache WWW server 1.3.1 and earlier allows remote attackers to cause a denial of service (resource exhaustion) via a large number of MIME headers with the same name, aka the "sioux" vulnerability. 19980807 YA Apache DoS attack 19980808 Debian Apache Security Update 19980810 Apache DoS Attack 19980811 Apache 'sioux' DOS fix for TurboLinux http://www.redhat.com/support/errata/rh51-errata-general.html#apache Entry Windows 95 and Windows 98 systems, when configured with multiple TCP/IP stacks bound to the same MAC address, allow remote attackers to cause a denial of service (traffic amplification) via a certain ICMP echo (ping) packet, which causes all stacks to send a ping response, aka TCP Chorusing. 19990206 New Windows 9x Bug: TCP Chorusing 225 win-multiple-ip-dos(7542) Entry Multilink PPP for ISDN dialup users in Ascend before 4.6 allows remote attackers to cause a denial of service via a spoofed endpoint identifier. 19990210 Security problems in ISDN equipment authentication 19990212 PPP/ISDN multilink security issue - summary ascend-ppp-isdn-dos(7498) Entry Check Point Firewall-1 does not properly handle certain restricted keywords (e.g., Mail, auth, time) in user-defined objects, which could produce a rule with a default "ANY" address and result in access to more systems than intended by the administrator. 19980511 Firewall-1 Reserved Keywords Vulnerability http://www.checkpoint.com/techsupport/config/keywords.html fw1-user-defined-keywords-access(7293) 4416 Entry nettune in HP-UX 10.01 and 10.00 is installed setuid root, which allows local users to cause a denial of service by modifying critical networking configuration information. 19960607 HP-UX B.10.01 vulnerability HPSBUX9607-035 G-34 hp-nettune(414) Entry Buffer overflow in ping in AIX 4.2 and earlier allows local users to gain root privileges via a long command line argument. 19970721 AIX ping, lchangelv, xlock fixes 19970721 AIX ping (Exploit) ping-bo(803) Entry Vulnerability in scoterm in SCO OpenServer 5.0 and SCO Open Desktop/Open Server 3.0 allows local users to gain root privileges. 19971204 scoterm exploit VB-97.14 sco-scoterm(690) Entry The asynchronous I/O facility in 4.4 BSD kernel does not check user credentials when setting the recipient of I/O notification, which allows local users to cause a denial of service by using certain ioctl and fcntl calls to cause the signal to be sent to an arbitrary process ID. 19970915 Vulnerability in I/O Signal Handling http://www.openbsd.com/advisories/signals.txt 11062 openbsd-iosig(556) Entry LOGIN.EXE program in Novell Netware 4.0 and 4.01 temporarily writes user name and password information to disk, which could allow local users to gain privileges. D-21 CA-1993-12 novell-login(545) Entry The PATH in Windows NT includes the current working directory (.), which could allow local users to gain privileges by placing Trojan horse programs with the same name as commonly used system programs into certain directories. 19970725 Re: NT security - why bother? 19970723 NT security - why bother? nt-path(526) Entry Netbt.sys in Windows NT 4.0 allows remote malicious DNS servers to cause a denial of service (crash) by returning 0.0.0.0 as the IP address for a DNS host name lookup. Q188571 dns-netbtsys-dos(3893) Entry IIS 3.0 allows remote attackers to cause a denial of service via a request to an ASP page in which the URL contains a large number of / (forward slash) characters. Q187503 url-asp-av(3892) Entry Netscape Communicator 4.7 and earlier allows remote attackers to cause a denial of service, and possibly execute arbitrary commands, via a long certificate key. http://www.securiteam.com/exploits/Netscape_4_7_and_earlier_vulnerable_to__Huge_Key__DoS.html netscape-huge-key-dos(3436) Entry IIS 4.0 does not properly restrict access for the initial session request from a user's IP address if the address does not resolve to a DNS domain, aka the "Domain Resolution" vulnerability. MS99-039 241562 657 iis-unresolved-domain-access(3306) Entry SGI Desktop Permissions Tool in IRIX 6.0.1 and earlier allows local users to modify permissions for arbitrary files and gain privileges. F-16 19950301-01-P373 sgi-permissions(2113) Entry Direct Mailer feature in Microsoft Site Server 3.0 saves user domain names and passwords in plaintext in the TMLBQueue network share, which has insecure default permissions, allowing remote attackers to read the passwords and gain privileges. Q229972 siteserver-directmail-passwords(2068) Entry movemail in HP-UX 10.20 has insecure permissions, which allows local users to gain privileges. HPSBUX9701-047 hp-movemail(2057) 8099 Entry rpc.pwdauthd in SunOS 4.1.1 and earlier does not properly prevent remote access to the daemon, which allows remote attackers to obtain sensitive system information. 00102 sun-pwdauthd(1782) Entry Microsoft Office 98, Macintosh Edition, does not properly initialize the disk space used by Office 98 files and effectively inserts data from previously deleted files into the Office file, which could allow attackers to obtain sensitive information. Q189529 office-extraneous-data(1780) Entry Java in Netscape 4.5 does not properly restrict applets from connecting to other hosts besides the one from which the applet was loaded, which violates the Java security model and could allow remote attackers to conduct unauthorized activities. 19990202 Unsecured server in applets under Netscape java-socket-open(1727) Entry Metamail before 2.7-7.2 allows remote attackers to overwrite arbitrary files via an e-mail message containing a uuencoded attachment that specifies the full pathname for the file to be modified, which is processed by uuencode in Metamail scripts such as sun-audio-file. 19971024 Vulnerability in metamail metamail-file-creation(1677) Entry fte-console in the fte package before 0.46b-4.1 does not drop root privileges, which allows local users to gain root access via the virtual console device. 19981207 fte-console: does not drop its root priviliges fte-console-privileges(1609) Entry An interaction between the AS/400 shared folders feature and Microsoft SNA Server 3.0 and earlier allows users to view each other's folders when the users share the same Local APPC LU. Q138001 snaserver-shared-folders(1548) Entry NukeNabber allows remote attackers to cause a denial of service by connecting to the NukeNabber port (1080) without sending any data, which causes the CPU usage to rise to 100% from the report.exe program that is executed upon the connection. 19981105 various *lame* DoS attacks 19981107 Re: various *lame* DoS attacks http://www.dynamsol.com/puppet/text/new.txt nukenabber-timeout-dos(1540) Entry Samba 1.9.18 inadvertently includes a prototype application, wsmbconf, which is installed with incorrect permissions including the setgid bit, which allows local users to read and write files and possibly gain privileges via bugs in the program. 19981119 Vulnerability in Samba on RedHat, Caldera and PHT TurboLinux SA-1998.35 samba-wsmbconf(1406) Entry Buffer overflow in nftp FTP client version 1.40 allows remote malicious FTP servers to cause a denial of service, and possibly execute arbitrary commands, via a long response string. 19981117 nftp vulnerability (fwd) http://www.ayukov.com/nftp/history.html nftp-bo(1397) Entry Office Shortcut Bar (OSB) in Windows 3.51 enables backup and restore permissions, which are inherited by programs such as File Manager that are started from the Shortcut Bar, which could allow local users to read folders for which they do not have permission. Q146604 nt-filemgr(562) Entry cmdtool in OpenWindows 3.0 and XView 3.0 in SunOS 4.1.4 and earlier allows attackers with physical access to the system to display unechoed characters (such as those from password prompts) via the L2/AGAIN key. 1077164 sun-cmdtool-echo(7482) Entry Sysinstall in FreeBSD 2.2.1 and earlier, when configuring anonymous FTP, creates the ftp user without a password and with /bin/date as the shell, which could allow attackers to gain access to certain system resources. FreeBSD-SA-97:03 freebsd-sysinstall-ftp-password(7537) 6087 Entry A design flaw in the Z-Modem protocol allows the remote sender of a file to execute arbitrary programs on the client, as implemented in rz in the rzsz module of FreeBSD before 2.1.5, and possibly other programs. G-31 FreeBSD-SA-96:17 rzsz-command-execution(7540) Entry Sendmail before 8.6.7 allows local users to gain root access via a large value in the debug (-d) command line option. 19940314 sendmail -d problem (OLD yet still here) 19940315 so... 19940315 anyone know details? 19940315 Security problem in sendmail versions 8.x.x 19940327 sendmail exploit script - resend CA-1994-12 sendmail-debug-gain-root(7155) Entry Passfilt.dll in Windows NT SP2 allows users to create a password that contains the user's name, which could make it easier for an attacker to guess. Q247975 passfilt-fullname(7391) Entry Windows NT 4.0 SP4 and earlier allows local users to gain privileges by modifying the symbolic link table in the \?? object folder using a different case letter (upper or lower) to point to a different device. 19990312 [ ALERT ] Case Sensitivity and Symbolic Links 19990314 AW: [ ALERT ] Case Sensitivity and Symbolic Links Q222159 nt-symlink-case(7398) Entry /usr/5bin/su in SunOS 4.1.3 and earlier uses a search path that includes the current working directory (.), which allows local users to gain privileges via Trojan horse programs. 1121935 sun-su-path(7480) Entry Vulnerability in Novell NetWare 3.x and earlier allows local users to gain privileges via packet spoofing. D-01 netware-packet-spoofing-privileges(7213) Entry Buffer overflow in ssh 1.2.26 client with Kerberos V enabled could allow remote attackers to cause a denial of service or execute arbitrary commands via a long DNS hostname that is not properly handled during TGT ticket passing. 19981105 security patch for ssh-1.2.26 kerberos code 4883 Entry VAXstations running Open VMS 5.3 through 5.5-2 with VMS DECwindows or MOTIF do not properly disable access to user accounts that exceed the break-in limit threshold for failed login attempts, which makes it easier for attackers to conduct brute force password guessing. D-06 openvms-sysgen-enabled(7225) Entry SAS System 5.18 on VAX/VMS is installed with insecure permissions for its directories and startup file, which allows local users to gain privileges. C-19 vaxvms-sas-gain-privileges(7261) Entry wu-ftpd 2.4 FTP server does not properly drop privileges when an ABOR (abort file transfer) command is executed during a file transfer, which causes a signal to be handled incorrectly and allows local and possibly remote attackers to read arbitrary files. 19970104 serious security bug in wu-ftpd v2.4 19970105 BoS: serious security bug in wu-ftpd v2.4 -- PATCH wuftpd-abor-gain-privileges(7169) Entry Buffer overflow in linuxconf 1.11r11-rh2 on Red Hat Linux 5.1 allows local users to gain root privileges via a long LANG environmental variable. 19980601 Re: SECURITY: Red Hat Linux 5.1 linuxconf bug (fwd) http://www.redhat.com/support/errata/rh51-errata-general.html#linuxconf linuxconf-lang-bo(7239) 6065 Entry linuxconf before 1.11.r11-rh3 on Red Hat Linux 5.1 allows local users to overwrite arbitrary files and gain root access via a symlink attack. 19980826 [djb@redhat.com: Unidentified subject!] 19980823 Security concerns in linuxconf shipped w/RedHat 5.1 http://www.redhat.com/support/errata/rh51-errata-general.html#linuxconf linuxconf-symlink-gain-privileges(7232) 6068 Entry Buffer overflow in SysVInit in Red Hat Linux 5.1 and earlier allows local users to gain privileges. http://www.redhat.com/support/errata/rh50-errata-general.html#SysVinit sysvinit-root-bo(7250) Entry The snprintf function in the db library 1.85.4 ignores the size parameter, which could allow attackers to exploit buffer overflows that would be prevented by a properly implemented snprintf. 19970709 [linux-security] so-called snprintf() in db-1.85.4 (fwd) http://lists.openresources.com/Debian/debian-bugs-closed/msg00581.html http://www.redhat.com/support/errata/rh42-errata-general.html#db linux-libdb-snprintf-bo(7244) Entry netcfg 2.16-1 in Red Hat Linux 4.2 allows the Ethernet interface to be controlled by users on reboot when an option is set, which allows local users to cause a denial of service by shutting down the interface. http://www.redhat.com/support/errata/rh42-errata-general.html#netcfg netcfg-ethernet-dos(7245) Entry gzexe in the gzip package on Red Hat Linux 5.0 and earlier allows local users to overwrite files of other users via a symlink attack on a temporary file. 19980128 GZEXE - the big problem http://www.redhat.com/support/errata/rh50-errata-general.html#gzip DSA-308 7845 3812 gzip-gzexe-tmp-symlink(7241) Entry automatic download option in ncftp 2.4.2 FTP client in Red Hat Linux 5.0 and earlier allows remote attackers to execute arbitrary commands via shell metacharacters in the names of files that are to be downloaded. 19980319 ncftp 2.4.2 MkDirs bug http://www.redhat.com/support/errata/rh50-errata-general.html#ncftp ncftp-autodownload-command-execution(7240) 6111 Entry snmpd server in cmu-snmp SNMP package before 3.3-1 in Red Hat Linux 4.0 is configured to allow remote attackers to read and write sensitive information. http://www.redhat.com/support/errata/rh40-errata-general.html#cmu-snmp cmusnmp-read-write(7251) Entry 3Com HiPer Access Router Card (HiperARC) 4.0 through 4.2.29 allows remote attackers to cause a denial of service (reboot) via a flood of IAC packets to the telnet port. 19990812 3com hiperarch flaw [hiperbomb.c] 19990816 Re: 3com hiperarch flaw [hiperbomb.c] 6057 Entry FTP client in Midnight Commander (mc) before 4.5.11 stores usernames and passwords for visited sites in plaintext in the world-readable history file, which allows other local users to gain privileges. 19990801 midnight commander vulnerability(?) (fwd) midnight-commander-data-disclosure(9873) 5921 Entry Vulnerability when Network Address Translation (NAT) is enabled in Linux 2.2.10 and earlier with ipchains, or FreeBSD 3.2 with ipfw, allows remote attackers to cause a denial of service (kernel panic) via a ping -R (record route) command. 19990722 Re: ping -R causes kernel panic on a forwarding machine ( 2.2.5 a nd 2 .2.10) 19990722 Linux +ipchains+ ping -R http://www.kernel.org/pub/linux/kernel/v2.2/patch-2.2.11.gz ipchains-ping-route-dos(7257) 6105 Entry Linux kernel before 2.3.18 or 2.2.13pre15, with SLIP and PPP options, allows local unprivileged users to forge IP packets via the TIOCSETD option on tty devices. 19991022 Local user can send forged packets linux-tiocsetd-forge-packets(7858) Entry Directory traversal vulnerability in KVIrc IRC client 0.9.0 with the "Listen to !nick <soundname> requests" option enabled allows remote attackers to read arbitrary files via a .. (dot dot) in a DCC GET request. 19990924 Kvirc bug kvirc-dot-directory-traversal(7761) Entry Compaq Integration Maintenance Utility as used in Compaq Insight Manager agent before SmartStart 4.50 modifies the legal notice caption (LegalNoticeCaption) and text (LegalNoticeText) in Windows NT, which could produce a legal notice that is in violation of the security policy. 19990902 Compaq CIM UG Overwrites Legal Notice 19990902 Compaq CIM UG Overwrites Legal Notice 19990917 Re: Compaq CIM UG Overwrites Legal Notice compaq-smartstart-legal-notice(7763) Entry When an administrator in Windows NT or Windows 2000 changes a user policy, the policy is not properly updated if the local ntconfig.pol is not writable by the user, which could allow local users to bypass restrictions that would otherwise be enforced by the policy, possibly by changing the policy file to be read-only. Q157673 nt-user-policy-update(7400) Entry When the Ntconfig.pol file is used on a server whose name is longer than 13 characters, Windows NT does not properly enforce policies for global groups, which could allow users to bypass restrictions that were intended by those policies. Q163875 nt-group-policy-longname(7401) Entry Windows NT 4.0 allows local users to cause a denial of service via a user mode application that closes a handle that was opened in kernel mode, which causes a crash when the kernel attempts to close the handle. Q160650 nt-kernel-handle-dos(7402) Entry Win32k.sys in Windows NT 4.0 before SP2 allows local users to cause a denial of service (crash) by calling certain WIN32K functions with incorrect parameters. Q160601 nt-win32k-dos(7403) Entry Windows NT 3.51 and 4.0 allow local users to cause a denial of service (crash) by running a program that creates a large number of locks on a file, which exhausts the NonPagedPool. Q163143 nt-nonpagedpool-dos(7405) Entry Windows NT searches a user's home directory (%systemroot% by default) before other directories to find critical programs such as NDDEAGNT.EXE, EXPLORER.EXE, USERINIT.EXE or TASKMGR.EXE, which could allow local users to bypass access restrictions or gain privileges by placing a Trojan horse program into the root directory, which is writable by default. 19990628 NT runs Explorer.exe, Taskmgr.exe etc. from wrong location 19990630 Update: NT runs explorer.exe, etc... nt-login-default-folder(2336) 0515 Entry DNS allows remote attackers to use DNS name servers as traffic amplifiers via a UDP DNS query with a spoofed source address, which produces more traffic to the victim than was sent by the attacker. 19990730 Possible Denial Of Service using DNS 19990810 Possible Denial Of Service using DNS AL-1999.004 J-063 dns-udp-query-dos(7238) Entry Symantec Norton Utilities 2.0 for Windows 95 marks the TUNEOCX.OCX ActiveX control as safe for scripting, which allows remote attackers to execute arbitrary commands via the run option through malicious web pages that are accessed by browsers such as Internet Explorer 3.0. http://www.net-security.sk/bugs/NT/nu20.html http://mlarchive.ima.com/win95/1997/May/0342.html http://news.zdnet.co.uk/story/0,,s2065518,00.html nu-tuneocx-activex-control(7188) Entry NetWare NFS mode 1 and 2 implements the "Read Only" flag in Unix by changing the ownership of a file to root, which allows local users to gain root privileges by creating a setuid program and setting it to "Read Only," which NetWare-NFS changes to a setuid root program. 19980108 NetWare NFS 19980812 Re: Netware NFS (fwd) http://support.novell.com/cgi-bin/search/tidfinder.cgi?2940551 netware-nfs-file-ownership(7246) Entry Indigo Magic System Tour in the SGI system tour package (systour) for IRIX 5.x through 6.3 allows local users to gain root privileges via a Trojan horse .exitops program, which is called by the inst command that is executed by the RemoveSystemTour program. 19961030 (Another) vulnerability in new SGIs AA-96.08 19961101-01-I 470 irix-systour(7456) Entry Buffer overflow in ppp program in FreeBSD 2.1 and earlier allows local users to gain privileges via a long HOME environment variable. 19961219 Exploit for ppp bug (FreeBSD 2.1.0). FreeBSD-SA-96:20 ppp-bo(7465) 6085 Entry Perl 5.004_04 and earlier follows symbolic links when running with the -e option, which allows local users to overwrite arbitrary files via a symlink attack on the /tmp/perl-eaXXXXX file. 19980308 another /tmp race: `perl -e' opens temp file not safely http://www.redhat.com/support/errata/rh50-errata-general.html#perl perl-e-tmp-symlink(7243) Entry Index Server 2.0 on IIS 4.0 stores physical path information in the ContentIndex\Catalogs subkey of the AllowedPaths registry key, whose permissions allows local and remote users to obtain the physical paths of directories that are being indexed. 19990323 Index Server 2.0 and the Registry 19990323 Index Server 2.0 and the Registry 476 iis-indexserver-reveal-path(7559) Entry The access permissions for a UNIX domain socket are ignored in Solaris 2.x and SunOS 4.x, and other BSD-based operating systems before 4.4, which could allow local users to connect to the socket and possibly disrupt or control the operations of the program using that socket. 19970517 UNIX domain socket (Solarisx86 2.5) 19971003 Solaris 2.6 and sockets 456 sun-domain-socket-permissions(7172) Entry ifdhcpc-done script for configuring DHCP on Red Hat Linux 5 allows local users to append text to arbitrary files via a symlink attack on the dhcplog file. 19980309 *sigh* another RH5 /tmp problem 368 initscripts-ifdhcpdone-dhcplog-symlink(7294) http://www.redhat.com/support/errata/rh50-errata-general.html#initscripts Entry The at program in IRIX 6.2 and NetBSD 1.3.2 and earlier allows local users to read portions of arbitrary files by submitting the file to at with the -f argument, which generates error messages that at sends to the user via e-mail. 19980703 more about 'at' 19980805 irix-6.2 "at -f" vulnerability NetBSD-SA1998-004 331 at-f-read-files(7577) Entry The installation of the fsp package 2.71-10 in Debian GNU/Linux 2.0 adds the anonymous FTP user without notifying the administrator, which could automatically enable anonymous FTP on some servers such as wu-ftp. 19981126 new version of fsp fixes security flaw 19981128 Debian: Security flaw in FSP 19981130 Debian: Security flaw in FSP 19990217 Debian GNU/Linux 2.0r5 released (fwd) 316 fsp-anon-ftp-access(7574) Entry IBM Netfinity Remote Control allows local users to gain administrator privileges by starting programs from the process manager, which runs with system level privileges. 19990525 Security Leak with IBM Netfinity Remote Control Software 19990609 IBM's response to "Security Leak with IBM Netfinity Remote Control Software 284 Entry Buffer overflow in nss_nisplus.so.1 library in NIS+ in Solaris 2.3 and 2.4 allows local users to gain root privileges. 00148 219 sun-nisplus-bo(7535) Entry ping in Solaris 2.3 through 2.6 allows local users to cause a denial of service (crash) via a ping request to a multicast address through the loopback interface, e.g. via ping -i. 19970626 Solaris Ping bug (DoS) 19970627 SUMMARY: Solaris Ping bug (DoS) 19970627 Solaris Ping bug(inetsvc) 19971005 Solaris Ping Bug and other [bc] oddities 00146 209 ping-multicast-loopback-dos(7492) Entry Power management (Powermanagement) on Solaris 2.4 through 2.6 does not start the xlock process until after the sys-suspend has completed, which allows an attacker with physical access to input characters to the last active application from the keyboard for a short period after the system is restoring, which could lead to increased privileges. 19980716 Security risk with powermanagemnet on Solaris 2.6 160 4024179 Entry HP JetAdmin D.01.09 on Solaris allows local users to change the permissions of arbitrary files via a symlink attack on the /tmp/jetadmin.log file. 19980715 JetAdmin software 19980722 Re: JetAdmin software 157 Entry ePerl 2.2.12 allows remote attackers to read arbitrary files and possibly execute certain commands by specifying a full pathname of the target file as an argument to bar.phtml. 19980707 ePerl: bad handling of ISINDEX queries 19980710 ePerl Security Update Available 151 Entry GINA in Windows NT 4.0 allows attackers with physical access to display a portion of the clipboard of the user who has locked the workstation by pasting (CTRL-V) the contents into the username prompt. 19990129 ole objects in a "secured" environment? 19990205 Alert: MS releases GINA-fix for SP3, SP4, and TS 19990129 ole objects in a "secured" environment? Q214802 198 nt-gina-clipboard(1975) Entry RSH service utility RSHSVC in Windows NT 3.5 through 4.0 does not properly restrict access as specified in the .Rhosts file when a user comes from an authorized host, which could allow unauthorized users to access the service by logging in from an authorized host. Q158320 nt-rshsvc-ale-bypass(7422) Entry thttpd HTTP server 2.03 and earlier allows remote attackers to read arbitrary files via a GET request with more than one leading / (slash) character in the filename. 19980819 thttpd 2.04 released (fwd) http://www.acme.com/software/thttpd/thttpd.html#releasenotes thttpd-file-read(1809) Entry rdist in various UNIX systems uses popen to execute sendmail, which allows local users to gain root privileges by modifying the IFS (Internal Field Separator) variable. http://www.alw.nih.gov/Security/8lgm/8lgm-Advisory-01.html CA-91.20 31 rdist-popen-gain-privileges(7160) 8106 Entry Internet Explorer 4.0 allows remote attackers to read arbitrary text and HTML files on the user's machine via a small IFRAME that uses Dynamic HTML (DHTML) to send the data to the attacker, aka the Freiburg text-viewing issue. 19971017 Security Hole in Explorer 4.0 http://www.insecure.org/sploits/Internet_explorer_4.0.hack.html http://www.microsoft.com/Windows/ie/security/freiburg.asp Q176794 Q176697 http-ie-spy(587) 7819 Entry When a Web site redirects the browser to another site, Internet Explorer 3.02 and 4.0 automatically resends authentication information to the second site, aka the "Page Redirect Issue." Q176697 ie-page-redirect(7426) 7818 Entry A bug in Intel Pentium processor (MMX and Overdrive) allows local users to cause a denial of service (hang) in Intel-based operating systems such as Windows NT and Windows 95, via an invalid instruction, aka the "Invalid Operand with Locked CMPXCHG8B Instruction" problem. Q163852 pentium-crash(704) Entry The Sun HotSpot Performance Engine VM allows a remote attacker to cause a denial of service on any server running HotSpot via a URL that includes the [ character. 19990706 Bug in SUN's Hotspot VM 19990716 FW: (Review ID: 85125) Hotspot crashes bringing down webserver 522 sun-hotspot-vm(2348) Entry Squid 2.2.STABLE5 and below, when using external authentication, allows attackers to bypass access controls via a newline in the user/password pair. 19991025 [squid] exploit for external authentication problem 19991103 [squid]exploit for external authentication problem http://www.squid-cache.org/Versions/v2/2.2/bugs/ 741 squid-proxy-auth-access(3433) Entry sadc in IBM AIX 4.1 through 4.3, when called from programs such as timex that are setgid adm, allows local users to overwrite arbitrary files via a symlink attack. http://techsupport.services.ibm.com/aix/fixes/v4/os/bos.acct.4.3.1.0.info IX75554 IX76853 IX76330 408 aix-sadc-timex(7675) Entry sdrd daemon in IBM SP2 System Data Repository (SDR) allows remote attackers to read files without authentication. I-079A 371 ibm-sdr-read-files(7217) Entry xosview 1.5.1 in Red Hat 5.1 allows local users to gain root access via a long HOME environmental variable. 19980528 ALERT: Tiresome security hole in "xosview", RedHat5.1? 19980529 Re: Tiresome security hole in "xosview" (xosexp.c) 362 linux-xosview-bo(8787) Entry colorview in Silicon Graphics IRIX 5.1, 5.2, and 6.0 allows local attackers to read arbitrary files via the -text argument. 19940809 Re: IRIX 5.2 Security Advisory 19950307 sigh. another Irix 5.2 hole. 19950209-00-P sgi-colorview(2112) 336 Entry Sun SunOS 4.1 through 4.1.3 allows local attackers to gain root access via insecure permissions on files and directories such as crash. CA-1993-03 59 sun-dir(521) Entry The AMaViS virus scanner 0.2.0-pre4 and earlier allows remote attackers to execute arbitrary commands as root via an infected mail message with shell metacharacters in the reply-to field. 19990716 AMaViS virus scanner for Linux - root exploit http://www.amavis.org/ChangeLog.txt 527 amavis-command-execute(2349) Entry A configuration problem in the Ad Server Sample directory (AdSamples) in Microsoft Site Server 3.0 allows an attacker to obtain the SITE.CSC file, which exposes sensitive SQL database information. 19990511 [ALERT] Site Server 3.0 May Expose SQL IDs and PSWs 256 siteserver-site-csc(2270) Entry cgiwrap as used on Cobalt RaQ 2.0 and RaQ 3i does not properly identify the user for running certain scripts, which allows a malicious site administrator to view or modify data located at another virtual site on the same system. 19991108 Security flaw in Cobalt RaQ2 cgiwrap 19991109 [Cobalt] Security Advisory - cgiwrap 777 cobalt-cgiwrap-incorrect-permissions(7764) 35 Entry Buffer overflow in IBM HomePagePrint 1.0.7 for Windows98J allows a malicious Web site to execute arbitrary code on a viewer's system via a long IMG_SRC HTML tag. 19991102 Some holes for Win/UNIX softwares 763 ibm-homepageprint-bo(7767) Entry Buffer overflow in AspUpload.dll in Persits Software AspUpload before 1.4.0.2 allows remote attackers to cause a denial of service, and possibly execute arbitrary commands, via a long argument in the HTTP request. 19990720 Buffer overflow in AspUpload 1.4 19990818 AspUpload Buffer Overflow Fixed 592 http-aspupload-bo(3291) Entry IIS 3.x and 4.x does not distinguish between pages requiring encryption and those that do not, which allows remote attackers to cause a denial of service (resource exhaustion) via SSL requests to the HTTPS port for normally unencrypted files, which will cause IIS to perform extra work to send the files over SSL. 19990707 SSL and IIS. 521 ssl-iis-dos(2352) Entry RPMMail before 1.4 allows remote attackers to execute commands via an e-mail message with shell metacharacters in the "MAIL FROM" command. 19991004 RH6.0 local/remote command execution 19991006 Fwd: [Re: RH6.0 local/remote command execution] linux-rh-rpmmail(3353) Entry bigconf.conf in F5 BIG/ip 2.1.2 and earlier allows remote attackers to read arbitrary files by specifying the target file in the "file" parameter. 19991108 BigIP - bigconf.cgi holes 19991109 Re: BigIP - bigconf.cgi holes 19991109 778 bigip-bigconf-view-files(7771) Entry Microsoft SQL Server 6.5 uses weak encryption for the password for the SQLExecutiveCmdExec account and stores it in an accessible portion of the registry, which could allow local users to gain privileges by reading and decrypting the CmdExecAccount value. 19980629 MS SQL Server 6.5 stores password in unprotected registry keys 109 mssql-sqlexecutivecmdexec-password(7354) Entry Man2html 2.1 and earlier allows local users to overwrite arbitrary files via a symlink attack on a temporary file. 19990820 [SECURITY] New versions of man2html fixes postinst glitch 6291 Entry Off-by-one error in NcFTPd FTP server before 2.4.1 allows a remote attacker to cause a denial of service (crash) via a long PORT command. 19990223 NcFTPd remote buffer overflow 19990223 Comments on NcFTPd "theoretical root compromise" ncftpd-port-bo(1833) Entry RealMedia server allows remote attackers to cause a denial of service via a long ramgen request. 19991222 RealMedia Server 5.0 Crasher (rmscrash.c) 888 realserver-ramgen-dos Entry Buffer overflow in ZBServer Pro 1.50 allows remote attackers to execute commands via a long GET request. 19991223 Local / Remote GET Buffer Overflow Vulnerability in ZBServer 1.5 Pro Edition for Win98/NT 19991223 Local / Remote GET Buffer Overflow Vulnerability in ZBServer 1.5 Pro Edition for Win98/NT 20000128 ZBServer 1.50-r1x exploit (WinNT) 20020114 ZBServer Pro DoS Vulnerability 889 zbserver-get-bo Entry Buffer overflow in UnixWare rtpm program allows local users to gain privileges via a long environmental variable. 19991230 UnixWare rtpm exploit + discussion 20000127 New SCO patches... Entry ZBServer Pro allows remote attackers to read source code for executable files by inserting a . (dot) into the URL. 19991223 Local / Remote GET Buffer Overflow Vulnerability in ZBServer 1.5 Pro Edition for Win98/NT 19991223 Re: Local / Remote GET Buffer Overflow Vulnerability in ZBServer 1.5 Pro Edition for Win98/NT zbserver-url-dot Entry strace allows local users to read arbitrary files via memory mapped file names. 19991225 strace can lie linux-strace(4554) Entry Trend Micro PC-Cillin does not restrict access to its internal proxy port, allowing remote attackers to conduct a denial of service. 19991230 PC-Cillin 6.x DoS Attack pccillin-proxy-remote-dos(4491) 1740 Entry The bna_pass program in Optivity NETarchitect uses the PATH environmental variable for finding the "rm" program, which allows local users to execute arbitrary commands. 19991230 bna,sh netarchitect-path-vulnerability 907 Entry WebWho+ whois.cgi program allows remote attackers to execute commands via shell metacharacters in the TLD parameter. 19991226 WebWho+ ADVISORY http-cgi-webwhoplus Entry Buffer overflow in AnalogX SimpleServer:WWW HTTP server allows remote attackers to execute commands via a long GET request. 19991231 Local / Remote GET Buffer Overflow Vulnerability in AnalogX SimpleServer:WWW HTTP Server v1.1 http://www.analogx.com/contents/download/network/sswww.htm simpleserver-get-bo 906 1184 Entry Buffer overflow in w3-msql CGI program in miniSQL package allows remote attackers to execute commands. 19991227 remote buffer overflow in miniSQL 898 w3-msql-scanf-bo Entry IRIX soundplayer program allows local users to gain privileges by including shell metacharacters in a .wav file, which is executed via the midikeys program. 19991231 irix-soundplayer.sh irix-soundplayer-symlink 909 Entry Denial of service in Savant web server via a null character in the requested URL. 19991228 Local / Remote D.o.S Attack in Savant Web Server V2.0 WIN9X / NT / 2K 897 savant-server-null-dos Entry CascadeView TFTP server allows local users to gain privileges via a symlink attack. 19991231 tftpserv.sh 910 cascadeview-tftp-symlink Entry wmmon in FreeBSD allows local users to gain privileges via the .wmmonrc configuration file. 19991221 Wmmon under FreeBSD 885 freebsd-wmmon-root-exploit 1169 Entry DNS PRO allows remote attackers to conduct a denial of service via a large number of connections. 19991221 Remote D.o.S Attack in DNS PRO v5.7 WinNT From FBLI Software Vulnerability 19991221 Remote D.o.S Attack in DNS PRO v5.7 WinNT From FBLI Software Vulnerability dnspro-flood-dos Entry Lotus Domino HTTP server does not properly disable anonymous access for the cgi-bin directory. 19991221 serious Lotus Domino HTTP denial of service 19991227 Re: Lotus Domino HTTP denial of service attack 881 Entry Buffer overflow in Lotus Domino HTTP server allows remote attackers to cause a denial of service via a long URL. 19991221 serious Lotus Domino HTTP denial of service 19991222 Lotus Notes HTTP cgi-bin vulnerability: possible workaround 19991227 Re: Lotus Domino HTTP denial of service attack 881 51 Entry IIS does not properly canonicalize URLs, potentially allowing remote attackers to bypass access restrictions in third-party software via escape characters, aka the "Escape Character Parsing" vulnerability. http://www.acrossecurity.com/aspr/ASPR-1999-11-10-1-PUB.txt MS99-061 19991228 Third Party Software Affected by IIS "Escape Character Parsing" Vulnerability 19991229 More info on MS99-061 (IIS escape character vulnerability) iis-badescapes Q246401 Entry IIS 4.0 and Site Server 3.0 allow remote attackers to read source code for ASP files if the file is in a virtual directory whose name includes extensions such as .com, .exe, .sh, .cgi, or .dll, aka the "Virtual Directory Naming" vulnerability. MS99-058 Q238606 8098 Entry Buffer overflow in UnixWare i2odialogd daemon allows remote attackers to gain root access via a long username/password authorization string. 19991222 UnixWare i2odialogd remote root exploit 19991223 FYI, SCO Security patches available. 876 6310 Entry IBM Network Station Manager NetStation allows local users to gain privileges via a symlink attack. 19991227 IBM NetStation/UnixWare local root exploit 900 ibm-netstat-race-condition(5381) Entry UnixWare pis and mkpis commands allow local users to gain privileges via a symlink attack. 19991227 UnixWare local pis exploit 20000113 Info on some security holes reported against SCO Unixware. 901 Entry Solaris dmispd dmi_cmd allows local users to fill up restricted disk space by adding files to the /var/dmi/db database. 19991222 Solaris 2.7 dmispd local/remote problems sol-dmispd-fill-disk 878 Entry The initscripts package in Red Hat Linux allows local users to gain privileges via a symlink attack. 19991227 initscripts-4.48-1 RedHat Linux 6.1 RHSA-1999:052-04 Entry Solaris dmi_cmd allows local users to crash the dmispd daemon by adding a malformed file to the /var/dmi/db database. 19991222 Solaris 2.7 dmispd local/remote problems sol-dmispd-dos 878 7582 Entry InterScan VirusWall SMTP scanner does not properly scan messages with malformed attachments. 19991227 Trend Micro InterScan VirusWall SMTP bug 899 interscan-viruswall-bypass Entry Netscape 4.7 records user passwords in the preferences.js file during an IMAP or POP session, even if the user has not enabled "remember passwords." 19991222 More Netscape Passwords Available. netscape-password-preferences Entry Outlook Express 5 for Macintosh downloads attachments to HTML mail without prompting the user, aka the "HTML Mail Attachment" vulnerability. MS99-060 Q249082 Entry Majordomo wrapper allows local users to gain privileges by specifying an alternate configuration file. 19991228 majordomo local exploit 20000113 Info on some security holes reported against SCO Unixware. 20000124 majordomo 1.94.5 does not fix all vulnerabilities RHSA-2000:005 903 Entry AltaVista search engine allows remote attackers to read files above the document root via a .. (dot dot) in the query.cgi CGI program. 19991229 AltaVista 19991230 Follow UP AltaVista 19991229 AltaVista followup and monitor script 20000103 FW: Patch issued for AltaVista Search Engine Directory TraversalVulnerability 20000109 Altavista followup 896 15 Entry glFtpD allows local users to gain privileges via metacharacters in the SITE ZIPCHK command. 19991223 Multiple vulnerabilites in glFtpD (current versions) Entry Macintosh systems generate large ICMP datagrams in response to malformed datagrams, allowing them to be used as amplifiers in a flood attack. 19991229 The "Mac DoS Attack," a Scheme for Blocking Internet Connections 890 Entry Buffer overflow in CSM mail server allows remote attackers to cause a denial of service or execute commands via a long HELO command. 19991229 Local / Remote D.o.S Attack in CSM Mail Server for Windows 95/NT v.2000.08.A csm-server-bo 895 Entry Buffer overflow in CamShot WebCam HTTP server allows remote attackers to execute commands via a long GET request. 19991230 Local / Remote GET Buffer Overflow Vulnerability in CamShot WebCam HTTP Server v2.5 for Win9x/NT 905 camshot-http-get-overflow Entry Macros in War FTP 1.70 and 1.67b2 allow local or remote attackers to read arbitrary files or execute commands. 20000105 SECURITY ALERT - WAR FTP DAEMON ALL VERSIONS 919 warftp-macro-access-files Entry MySQL allows local users to modify passwords for arbitrary MySQL users via the GRANT privilege. 20000111 Serious bug in MySQL password handling. 20000113 New MySQL Available mysql-pwd-grant 926 Entry get_it program in Corel Linux Update allows local users to gain root access by specifying an alternate PATH for the cp program. 20000112 Serious Bug in Corel Linux.(Local root exploit) 928 http://linux.corel.com/support/clos_patch1.htm linux-corel-update Entry The Allaire Spectra Webtop allows authenticated users to access other Webtop sections by specifying explicit URLs. ASB00-01 allaire-webtop-access 915 Entry The Allaire Spectra Configuration Wizard allows remote attackers to cause a denial of service by repeatedly resubmitting data collections for indexing via a URL. ASB00-02 916 allaire-spectra-config-dos Entry Red Hat userhelper program in the usermode package allows local users to gain root access via PAM and a .. (dot dot) attack. 20000104 PamSlam RHSA-2000:001 linux-pam-userhelper 913 Entry Microsoft Commercial Internet System (MCIS) IMAP server allows remote attackers to cause a denial of service via a malformed IMAP request. MS00-001 Q246731 912 mcis-malformed-imap Entry IMail IMONITOR status.cgi CGI script allows remote attackers to cause a denial of service with many calls to status.cgi. 20000105 Local / Remote D.o.S Attack in IMail IMONITOR Server for WinNT Version 5.08 914 imail-imonitor-status-dos Entry Cold Fusion CFCACHE tag places temporary cache files within the web document root, allowing remote attackers to obtain sensitive system information. ASB00-03 coldfusion-cfcache 917 Entry Buffer overflow in aVirt Rover POP3 server 1.1 allows remote attackers to cause a denial of service via a long user name. 19991227 Local / Remote Remote DoS Attack in Rover POP3 Server V1.1 NT From aVirt 19991227 Local / Remote Remote DoS Attack in Rover POP3 Server V1.1 NT From aVirt 894 avirt-rover-pop3-dos(3765) Entry The DTML implementation in the Z Object Publishing Environment (Zope) allows remote attackers to conduct unauthorized activities. 20000104 [petrilli@digicool.com: [Zope] SECURITY ALERT] 922 zope-dtml Entry cgiproc CGI script in Nortel Contivity HTTP server allows remote attackers to read arbitrary files by specifying the filename in a parameter to the script. 20000118 Nortel Contivity Vulnerability http-cgi-cgiproc-file-read 938 Entry cgiproc CGI script in Nortel Contivity HTTP server allows remote attackers to cause a denial of service via a malformed URL that includes shell metacharacters. 20000118 Nortel Contivity Vulnerability 938 http-cgi-cgiproc-dos 7583 Entry Buffer overflow in InetServ 3.0 allows remote attackers to execute commands via a long GET request. 20000117 Remote Buffer Exploit - InetServ 3.0 inetserv-get-bo Entry NtImpersonateClientOfPort local procedure call in Windows NT 4.0 allows local users to gain privileges, aka "Spoofed LPC Port Request." 20000113 Local Promotion Vulnerability in Windows NT 4 MS00-003 Q247869 nt-spoofed-lpc-port 934 Entry Visual Casel (Vcasel) does not properly prevent users from executing files, which allows local users to use a relative pathname to specify an alternate file which has an approved name and possibly gain privileges. 20000118 Warning: VCasel security hole. 937 vcasel-filename-trusting(3867) Entry Buffer overflow in Microsoft Rich Text Format (RTF) reader allows attackers to cause a denial of service via a malformed control word. MS00-005 Q249973 win-malformed-rtf-control-word Entry Super Mail Transfer Package (SMTP), later called MsgCore, has a memory leak which allows remote attackers to cause a denial of service by repeating multiple HELO, MAIL FROM, RCPT TO, and DATA commands in the same session. 20000113 Local / Remote D.o.S Attack in Super Mail Transfer Package (SMTP) Server for WinNT Version 1.9x 20000113 Local / Remote D.o.S Attack in Super Mail Transfer Package (SMTP) Server for WinNT Version 1.9x 930 supermail-memleak-dos Entry nviboot boot script in the Debian nvi package allows local users to delete files via malformed entries in vi.recover. 19991230 vibackup.sh 20000108 nvi-delete-files 1439 Entry AIX techlibss allows local users to overwrite files via a symlink attack. 20000110 2nd attempt: AIX techlibss follows links 931 aix-techlibss-symbolic-link Entry HP asecure creates the Audio Security File audio.sec with insecure permissions, which allows local users to cause a denial of service or gain additional privileges. HPSBUX0001-109 hp-audio-security-perms Entry Netscape Mail Notification (nsnotify) utility in Netscape Communicator uses IMAP without SSL, even if the user has set a preference for Communicator to use an SSL connection, allowing a remote attacker to sniff usernames and passwords in plaintext. 20000113 Misleading sense of security in Netscape netscape-mail-notify-plaintext(4385) Entry Buffer overflow in the conversion utilities for Japanese, Korean and Chinese Word 5 documents allows an attacker to execute commands, aka the "Malformed Conversion Data" vulnerability. MS00-002 office-malformed-convert 946 Entry The rdisk utility in Microsoft Terminal Server Edition and Windows NT 4.0 stores registry hive information in a temporary file with permissions that allow local users to read it, aka the "RDISK Registry Enumeration File" vulnerability. 20000121 RDISK registry enumeration file vulnerability in Windows NT 4.0 Terminal Server Edition 20000122 RDISK registry enumeration file vulnerability in Windows NT 4.0 Terminal Server Edition MS00-004 Q249108 947 nt-rdisk-enum-file Entry VMWare 1.1.2 allows local users to cause a denial of service via a symlink attack. 20000124 VMware 1.1.2 Symlink Vulnerability linux-vmware-symlink 943 1205 Entry Buffer overflow in vchkpw/vpopmail POP authentication package allows remote attackers to gain root privileges via a long username or password. 20000122 remote root qmail-pop with vpopmail advisory and exploit with patch 20000123 Re: vpopmail/vchkpw remote root exploit 942 http://www.inter7.com/vpopmail/ChangeLog http://www.inter7.com/vpopmail/ Entry The BSD make program allows local users to modify files via a symlink attack when the -j option is being used. FreeBSD-SA-00:01 939 gnu-makefile-tmp-root Entry procfs in BSD systems allows local users to gain root privileges by modifying the /proc/pid/mem interface via a modified file descriptor for stderr. 20000121 *BSD procfs vulnerability FreeBSD-SA-00:02 NetBSD-SA2000-001 20000120 [2.6] 018: SECURITY FIX: Jan 20, 2000 940 20760 netbsd-procfs(3995) Entry The PMTU discovery procedure used by HP-UX 10.30 and 11.00 for determining the optimum MTU generates large amounts of traffic in response to small packets, allowing remote attackers to cause the system to be used as a packet amplifier. HPSBUX0001-110 944 Entry The WebHits ISAPI filter in Microsoft Index Server allows remote attackers to read arbitrary files, aka the "Malformed Hit-Highlighting Argument" vulnerability. 20000127 Alert: MS IIS 4 / IS 2 (Cerberus Security Advisory CISADV000126) MS00-006 950 http-indexserver-dirtrans 1210 Entry Microsoft Index Server allows remote attackers to determine the real path for a web directory via a request to an Internet Data Query file that does not exist. MS00-006 Entry Buffer overflow in UnixWare ppptalk command allows local users to gain privileges via a long prompt argument. 20000119 Unixware ppptalk Entry The SMS Remote Control program is installed with insecure permissions, which allows local users to gain privileges by modifying or replacing the program. 20000115 Security Vulnerability with SMS 2.0 Remote Control MS00-012 Entry Linux apcd program allows local attackers to modify arbitrary files via a symlink attack. 20000201 958 Entry The RightFax web client uses predictable session numbers, which allows remote attackers to hijack user sessions. 20000129 [LoWNOISE] Rightfax web client 5.2 953 avt-rightfax-predict-session Entry The default installation of Debian GNU/Linux uses an insecure Master Boot Record (MBR) which allows a local user to boot from a floppy disk during the installation. 20000202 vulnerability in Linux Debian default boot configuration 960 debian-mbr-bypass-security Entry The SyGate Remote Management program does not properly restrict access to its administration service, which allows remote attackers to cause a denial of service, or access network traffic statistics. 20000128 SyGate 3.11 Port 7323 / Remote Admin hole 20000202 SV: SyGate 3.11 Port 7323 / Remote Admin hole 20000203 UPDATE: Sygate 3.11 Port 7323 Telnet Hole http://www.sybergen.com/support/fix.htm 952 Entry Firewall-1 does not properly filter script tags, which allows remote attackers to bypass the "Strip Script Tags" restriction by including an extra < in front of the SCRIPT tag. 20000129 "Strip Script Tags" in FW-1 can be circumvented 20000129 "Strip Script Tags" in FW-1 can be circumvented 954 http-script-bypass 1212 Entry The siteUserMod.cgi program in Cobalt RaQ2 servers allows any Site Administrator to modify passwords for other users, site administrators, and possibly admin (root). 20000127 Cobalt RaQ2 - a user of mine changed my admin password.. 20000131 [ Cobalt ] Security Advisory -- 01.31.2000 http-cgi-cobalt-passwords 951 Entry The Remote Access Service invoke.cfm template in Allaire Spectra 1.0 allows users to bypass authentication via the bAuthenticated parameter. ASB00-04 955 allaire-spectra-ras-access(4025) Entry The Recycle Bin utility in Windows NT and Windows 2000 allows local users to read or modify files by creating a subdirectory with the victim's SID in the recycler directory, aka the "Recycle Bin Creation" vulnerability. 20000201 "Recycle Bin Creation" Vulnerability in Windows NT / Windows 2000 MS00-007 Q248399 963 Entry The Webspeed configuration program does not properly disable access to the WSMadmin utility, which allows remote attackers to gain privileges via wsisa.dll. 20000203 Webspeed security issue http://www.progress.com/services/support/cgi-bin/techweb-kbase.cgi/webkb.html?kbid=19412&keywords=security%20Webspeed 969 webspeed-adminutil-auth Entry The Finger Server 0.82 allows remote attackers to execute commands via shell metacharacters. 20000204 "The Finger Server" http://www.glazed.org/finger/changelog.txt finger-server-input 7610 Entry Buffer overflow in SCO scohelp program allows remote attackers to execute commands. 20000127 New SCO patches... SB-00.02a sco-help-bo Entry Buffer overflow in War FTPd 1.6x allows users to cause a denial of service via long MKD and CWD commands. 20000201 war-ftpd 1.6x DoS 966 4677 Entry Internet Anywhere POP3 Mail Server allows local users to cause a denial of service via a malformed RETR command. 20000210 remote DoS on Internet Anywhere Mail Server Ver.3.1.3 982 Entry Internet Anywhere POP3 Mail Server allows remote attackers to cause a denial of service via a large number of connections. 20000210 remote DoS on Internet Anywhere Mail Server Ver.3.1.3 20000210 remote DoS on Internet Anywhere Mail Server Ver.3.1.3 980 Entry Infopop Ultimate Bulletin Board (UBB) allows remote attackers to execute commands via shell metacharacters in the topic hidden field. 20000211 perl-cgi hole in UltimateBB by Infopop Corp. 20000225 FW: Important UBB News For Licensed Users 991 http://www.ultimatebb.com/home/versions.shtml http-cgi-ultimatebb Entry Axis 700 Network Scanner does not properly restrict access to administrator URLs, which allows users to bypass the password protection via a .. (dot dot) attack. 20000207 Infosec.20000207.axis700.a 971 Entry The libguile.so library file used by gnucash in Debian GNU/Linux is installed with world-writable permissions. 20000205 Debian (frozen): Perms on /usr/lib/libguile.so.6.0.0 Entry The Java Server in the Novell GroupWise Web Access Enhancement Pack allows remote attackers to cause a denial of service via a long URL to the servlet. 20000207 Novell GroupWise 5.5 Enhancement Pack Web Access Denial of Servic e 972 novell-groupwise-url-dos Entry MySQL 3.22 allows remote attackers to bypass password authentication and access a database via a short check string. 20000208 Remote access vulnerability in all MySQL server versions 20000214 MySQL 3.22.32 released 975 Entry Zeus web server allows remote attackers to view the source code for CGI programs via a null character (%00) at the end of a URL. 20000209 [SAFER 000209.EXP.1.2] Zeus Web Server - obtaining source of CGI scripts 20000208 Zeus Web Server: Null Terminated Strings 977 254 zeus-server-null-string(3982) Entry Check Point Firewall-1 allows remote attackers to bypass port access restrictions on an FTP server by forcing it to send malicious packets that Firewall-1 misinterprets as a valid 227 response to a client's PASV attempt. 20000209 FireWall-1 FTP Server Vulnerability 20000212 Re: FireWall-1 FTP Server Vulnerability 20000210 Multiple firewalls: FTP Application Level Gateway "PASV" Vulnerability VU#328867 979 4417 Entry Remote attackers can cause a denial of service in Novell BorderManager 3.5 by pressing the enter key in a telnet connection to port 2000. 20000209 Novell BorderManager 3.5 Remote Slow Death 20000211 BorderManager csatpxy.nlm fix avalable. 976 7468 Entry Internet Explorer 4.x and 5.x allows remote web servers to access files on the client that are outside of its security domain, aka the "Image Source Redirect" vulnerability. MS00-009 7827 ie-image-source-redirect(3996) Entry NetBSD ptrace call on VAX allows local users to gain privileges by modifying the PSL contents in the debugging process. 1999-012 992 netbsd-ptrace Entry HP Ignite-UX does not save /etc/passwd when it creates an image of a trusted system, which can set the password field to a blank and allow an attacker to gain privileges. HPSBUX0002-111 Entry Sample web sites on Microsoft Site Server 3.0 Commerce Edition do not validate an identification number, which allows remote attackers to execute SQL commands. MS00-010 994 Entry The Microsoft virtual machine (VM) in Internet Explorer 4.x and 5.x allows a remote attacker to read files via a malicious Java applet that escapes the Java sandbox, aka the "VM File Reading" vulnerability. MS00-011 Entry The installation of Sun Internet Mail Server (SIMS) creates a world-readable file that allows local users to obtain passwords. 20000220 Sun Internet Mail Server 4316521 1004 sims-temp-world-readable Entry The Delegate application proxy has several buffer overflows which allow a remote attacker to execute commands. 20000210 Re: application proxies? FreeBSD-SA-00:04 K-023 delegate-proxy-bo Entry Buffer overflow in the InterAccess telnet server TelnetD allows remote attackers to execute commands via a long login name. 20000221 Local / Remote Exploiteable Buffer Overflow Vulnerability in InterAccess TelnetD Server 4.0 for Windows NT 20000223 Pragma Systems response to USSRLabs report 995 interaccess-telnet-login-bo Entry Microsoft Windows 9x operating systems allow an attacker to cause a denial of service via a pathname that includes file device names, aka the "DOS Device in Path Name" vulnerability. 20000306 con\con is a old thing (anyway is cool) MS00-017 1043 win-dos-devicename-dos Entry Batch files in the Oracle web listener ows-bin directory allow remote attackers to execute commands via a malformed URL that includes '?&'. 20000314 Oracle Web Listener 4.0.x 1053 oracle-weblistener-remote-attack Entry Buffer overflow in the man program in Linux allows local users to gain privileges via the MANPAGER environmental variable. 20000226 man bugs might lead to root compromise (RH 6.1 and other boxes) 1011 Entry atsadc in the atsar package for Linux does not properly check the permissions of an output file, which allows local users to gain root privileges. 20000311 TESO advisory -- atsadc atsar-root-access 1048 Entry The mtr program only uses a seteuid call when attempting to drop privileges, which could allow local users to gain root privileges. 20000303 Potential security problem with mtr 20000309 mtr FreeBSD-SA-00:09 20000308 [TL-Security-Announce] mtr-0.41 and earlier TLSA2000003-1 (fwd) 1038 Entry StarOffice StarScheduler web server allows remote attackers to read arbitrary files via a .. (dot dot) attack. 20000308 [SAFER 000309.EXP.1.4] StarScheduler (StarOffice) vulnerabilities 1040 staroffice-scheduler-fileread Entry Buffer overflow in StarOffice StarScheduler web server allows remote attackers to gain root access via a long GET command. 20000308 [SAFER 000309.EXP.1.4] StarScheduler (StarOffice) vulnerabilities staroffice-scheduler-bo 1039 Entry ServerIron switches by Foundry Networks have predictable TCP/IP sequence numbers, which allows remote attackers to spoof or hijack sessions. 20000227 Advisory: Foundry Networks ServerIron TCP/IP sequence predictability http://www.foundrynet.com/bugTraq.html 1017 Entry HP OpenView OmniBack 2.55 allows remote attackers to cause a denial of service via a large number of connections to port 5555. 20000228 HP Omniback remote DoS HPSBUX0006-115 1015 omniback-connection-dos Entry Sojourn search engine allows remote attackers to read arbitrary files via a .. (dot dot) attack. 20000313 SOJOURN Search engine exposes files 1052 sojourn-file-read(4197) Entry Firewall-1 3.0 and 4.0 leaks packets with private IP address information, which could allow remote attackers to determine the real IP address of the host that is making the connection. 20000311 Our old friend Firewall-1 1054 1256 Entry iPlanet Web Server 4.1 allows remote attackers to cause a denial of service via a large number of GET commands, which consumes memory and causes a kernel panic. 20000223 DoS for the iPlanet Web Server, Enterprise Edition 4.1 Entry Buffer overflow in ircII 4.4 IRC client allows remote attackers to execute commands via the DCC chat capability. 20000310 Fwd: ircii-4.4 buffer overflow FreeBSD-SA-00:11 RHSA-2000:008 1046 Entry Linux printtool sets the permissions of printer configuration files to be world-readable, which allows local attackers to obtain printer share passwords. 20000309 1037 Entry RealMedia RealServer reveals the real IP address of a Real Server, even if the address is supposed to be private. 20000308 RealServer exposes internal IP addresses 1049 Entry Buffer overflow in the dump utility in the Linux ext2fs backup package allows local users to gain privileges via a long command line argument. 20000228 [ Hackerslab bug_paper ] Linux dump buffer overflow TLSA200007-1 RHSA-2000:100 1020 Entry ColdFusion Server 4.x allows remote attackers to determine the real pathname of the server via an HTTP request to the application.cfm or onrequestend.cfm files. 20000301 ColdFusions application.cfm shows full path 20000305 ColdFusion Bug: Application.cfm shows full path 1021 Entry Axis StorPoint CD allows remote attackers to access administrator URLs without authentication via a .. (dot dot) attack. 20000229 Infosec.20000229.axisstorpointcd.a axis-storpoint-auth 1025 19 Entry The default installation of Caldera OpenLinux 2.3 includes the CGI program rpm_query, which allows remote attackers to determine what packages are installed on the system. 20000304 OpenLinux 2.3: rpm_query 1036 Entry The default configuration of Dosemu in Corel Linux 1.0 allows local users to execute the system.com program and gain privileges. 20000302 Corel Linux 1.0 dosemu default configuration: Local root vuln 1030 linux-dosemu-config Entry buildxconf in Corel Linux allows local users to modify or create arbitrary files via the -x or -f parameters. 20000224 Corel Linux 1.0 local root compromise 1007 Entry setxconf in Corel Linux allows local users to gain root access via the -T parameter, which executes the user's .xserverrc file. 20000224 Corel Linux 1.0 local root compromise 1008 corel-linux-setxconf-root Entry Buffer overflow in mhshow in the Linux nmh package allows remote attackers to execute commands via malformed MIME headers in an email message. 20000229 RHSA-2000:006 1018 Entry Buffer overflow in Microsoft Clip Art Gallery allows remote attackers to cause a denial of service or execute commands via a malformed CIL (clip art library) file, aka the "Clip Art Buffer Overrun" vulnerability. MS00-015 1034 Entry The window.showHelp() method in Internet Explorer 5.x does not restrict HTML help files (.chm) to be executed from the local host, which allows remote attackers to execute arbitrary commands via Microsoft Networking. 20000301 IE 5.x allows executing arbitrary programs using .chm files 1033 Entry Microsoft SQL Server 7.0 and Microsoft Data Engine (MSDE) 1.0 allow remote attackers to gain privileges via a malformed Select statement in an SQL query. MS00-014 1041 Entry The installation of Oracle 8.1.5.x on Linux follows symlinks and creates the orainstRoot.sh file with world-writeable permissions, which allows local users to gain privileges. 20000305 Oracle installer problem 1035 Entry SGI InfoSearch CGI program infosrch.cgi allows remote attackers to execute commands via shell metacharacters. 20000301 infosrch.cgi vulnerability (IRIX 6.5) 20000501-01-P irix-infosrch-fname 1031 Entry The htdig (ht://Dig) CGI program htsearch allows remote attackers to read arbitrary files by enclosing the file name with backticks (`) in parameters to htsearch. 20000228 ht://Dig remote information exposure FreeBSD-SA-00:06 20000227 TLSA200005-1 1026 Entry Buffer overflow in Lynx 2.x allows remote attackers to crash Lynx and possibly execute commands via a long URL in a malicious web page. 20000227 lynx - someone is deaf and blind ;) FreeBSD-SA-00:08 1012 Entry The lit program in Sun Flex License Manager (FlexLM) follows symlinks, which allows local users to modify arbitrary files. 20000221 flex license manager tempfile predictable name... 998 Entry The Windows Media server allows remote attackers to cause a denial of service via a series of client handshake packets that are sent in an improper sequence, aka the "Misordered Windows Media Services Handshake" vulnerability. MS00-013 win-media-dos 1000 Entry InterAccess TelnetID Server 4.0 allows remote attackers to conduct a denial of service via malformed terminal client configuration information. 20000224 Local / Remote D.o.S Attack in InterAccess TelnetD Server Release 4.0 *ALL BUILDS* for WinNT Vulnerability 1001 interaccess-telnet-dos(4033) Entry Vulnerability in SCO cu program in UnixWare 7.x allows local users to gain privileges. SB-00.05 1019 Entry The default configuration of SSH allows X forwarding, which could allow a remote attacker to control a client's X sessions via a malicious xauth program. 20000224 SSH & xauth 1006 Entry Buffer overflow in Linux mount and umount allows local users to gain root privileges via a long relative pathname. 20000210 util < 2.10f CSSA-2000-002.0 6980 7004 Entry The Nautica Marlin bridge allows remote attackers to cause a denial of service via a zero length UDP packet to the SNMP port. 20000225 Scorpion Marlin 1009 Entry The installation for Windows 2000 does not activate the Administrator password until the system has rebooted, which allows remote attackers to connect to the ADMIN$ share without a password until the reboot occurs. 20000215 Windows 2000 installation process weakness 990 Entry Buffer overflow in the wmcdplay CD player program for the WindowMaker desktop allows local users to gain root privileges via a long parameter. 20000311 TESO advisory -- wmcdplay 1047 Entry ARCserve agent in SCO UnixWare 7.x allows local attackers to gain root privileges via a symlink attack. 20000215 ARCserve symlink vulnerability SSE063 sco-openserver-arc-symlink Entry The Pocsag POC32 program does not properly prevent remote users from accessing its server port, even if the option has been disabled. 20000303 Pocsag remote access to client can't be disabled. 1032 telnet-pocsag 259 Entry IIS 4.0 allows attackers to cause a denial of service by requesting a large buffer in a POST or PUT command which consumes memory, aka the "Chunked Transfer Encoding Buffer Overflow Vulnerability." MS00-018 1066 iis-chunked-encoding-dos Entry Microsoft Windows Media License Manager allows remote attackers to cause a denial of service by sending a malformed request that causes the manager to halt, aka the "Malformed Media License Request" Vulnerability. MS00-016 1058 mwmt-malformed-media-license Entry gpm-root in the gpm package does not properly drop privileges, which allows local users to gain privileges by starting a utility from gpm-root. 20000322 gpm-root 20000405 Security hole in gpm < 1.18.1 RHSA-2000:009 RHSA-2000:045 1069 linux-gpm-root Entry Buffer overflow in imwheel allows local users to gain root privileges via the imwheel-solo script and a long HOME environmental variable. 20000316 TESO & C-Skills development advisory -- imwheel RHSA-2000:016 linux-imwheel-bo 1060 Entry Linux kreatecd trusts a user-supplied path that is used to find the cdrecord program, allowing local users to gain root privileges. 20000316 "TESO & C-Skills development advisory -- kreatecd" at: 20000405 Security hole in kreatecd < 0.3.8b linux-kreatecd-path 1061 Entry Microsoft TCP/IP Printing Services, aka Print Services for Unix, allows an attacker to cause a denial of service via a malformed TCP/IP print request. MS00-021 20000330 Remote DoS Attack in Windows 2000/NT 4.0 TCP/IP Print Request Server Vulnerability 1082 win-tcpip-printing-dos Entry SuSE Linux IMAP server allows remote attackers to bypass IMAP authentication and gain privileges. 20000327 Security hole in SuSE Linux IMAP Server linux-imap-remote-unauthorized-access Entry The default configuration of Cobalt RaQ2 and RaQ3 as specified in access.conf allows remote attackers to view sensitive contents of a .htaccess file. 20000330 Cobalt apache configuration exposes .htaccess http://www.securityfocus.com/templates/advisory.html?id=2150 1083 cobalt-raq-remote-access Entry Buffer overflow in the huh program in the orville-write package allows local users to gain root privileges. FreeBSD-SA-00:10 1070 freebsd-orvillewrite-bo 1263 Entry Netscape Enterprise Server with Directory Indexing enabled allows remote attackers to list server directories via web publishing tags such as ?wp-ver-info and ?wp-cs-dump. 20000317 [SAFER 000317.EXP.1.5] Netscape Enterprise Server and '?wp' tags 1063 netscape-server-directory-indexing Entry Netscape Enterprise Server with Web Publishing enabled allows remote attackers to list arbitrary directories via a GET request for the /publisher directory, which provides a Java applet that allows the attacker to browse the directories. http://zsh.stupidphat.com/advisory.cgi?000311-1 1075 netscape-webpublisher-invalid-access Entry Buffer overflow in the web server for Norton AntiVirus for Internet Email Gateways allows remote attackers to cause a denial of service via a long URL. 20000317 DoS with NAVIEG nav-email-gateway-dos 1064 Entry vqSoft vqServer program allows remote attackers to read arbitrary files via a /........../ in the URL, a variation of a .. (dot dot) attack. 20000321 vqserver /........../ http://www.vqsoft.com/vq/server/faqs/dotdotbug.html vqserver-dir-traverse 1067 270 Entry AnalogX SimpleServer:WWW HTTP server 1.03 allows remote attackers to cause a denial of service via a short GET request to cgi-bin. 20000324 AnalogX SimpleServer 1.03 Remote Crash" at: http://www.analogx.com/contents/download/network/sswww.htm simpleserver-exception-dos(4189) 1076 1265 Entry Vulnerability in SGI IRIX objectserver daemon allows remote attackers to create user accounts. 20000328 Objectserver vulnerability 20000303-01-PX K-030 1079 1267 irix-objectserver-create-accounts(4206) Entry IIS 4.0 and 5.0 does not properly perform ISAPI extension processing if a virtual directory is mapped to a UNC share, which allows remote attackers to read the source code of ASP and other files, aka the "Virtualized UNC Share" vulnerability. MS00-019 Q249599 1081 iis-virtual-unc-share Entry Unknown vulnerability in Generic-NQS (GNQS) allows local users to gain root privileges. 20000322 Local root compromise in GNQS 3.50.6 and 3.50.7 http://ftp.gnqs.org/pub/gnqs/source/by-version-number/v3.50/Generic-NQS-3.50.8-ChangeLog.txt FreeBSD-SA-00:13 1842 generic-nqs-local-root(4306) Entry The AIX Fast Response Cache Accelerator (FRCA) allows local users to modify arbitrary files via the configuration capability in the frcactrl program. 20000426 Insecure file handling in IBM AIX frcactrl program ERS-OAR-E01-2000:075.1 aix-frcactrl 1152 Entry HP-UX 11.04 VirtualVault (VVOS) sends data to unprivileged processes via an interface that has multiple aliased IP addresses. HPSBUX0004-112 1090 hp-virtual-vault Entry The dansie shopping cart application cart.pl allows remote attackers to execute commands via a shell metacharacters in a form variable. 20000411 Back Door in Commercial Shopping Cart 1115 dansie-shell-metacharacters Entry The dansie shopping cart application cart.pl allows remote attackers to modify sensitive purchase information via hidden form fields. 20000411 Re: Back Door in Commercial Shopping Cart 1115 shopping-cart-form-tampering Entry The dansie shopping cart application cart.pl allows remote attackers to obtain the shopping cart database and configuration information via a URL that references either the env, db, or vars form variables. 20000411 Re: Back Door in Commercial Shopping Cart 1115 dansie-form-variables Entry The Nbase-Xyplex EdgeBlaster router allows remote attackers to cause a denial of service via a scan for the FormMail CGI program. 20000405 SilverBack Security Advisory: Nbase-Xyplex DoS 1091 nbase-xyplex-router Entry Buffer overflow in the NetWare remote web administration utility allows remote attackers to cause a denial of service or execute commands via a long URL. 20000418 Novell Netware 5.1 (server 5.00h, Dec 11, 1999)... 1118 netware-remote-admin-overflow Entry IIS 4.0 and 5.0 allows remote attackers to cause a denial of service by sending many URLs with a large number of escaped characters, aka the "Myriad Escaped Characters" Vulnerability. MS00-023 1101 Entry Buffer overflow in the dvwssr.dll DLL in Microsoft Visual Interdev 1.0 allows users to cause a denial of service or execute commands, aka the "Link View Server-Side Component" vulnerability. MS00-025 1109 282 Entry The AVM KEN! web server allows remote attackers to read arbitrary files via a .. (dot dot) attack. 20000415 (no subject) 20000418 AVM's Statement ken-download-files 1103 1282 Entry The AVM KEN! ISDN Proxy server allows remote attackers to cause a denial of service via a malformed request. 20000415 (no subject) 20000418 AVM's Statement 1103 ken-dos Entry The X font server xfs in Red Hat Linux 6.x allows an attacker to cause a denial of service via a malformed request. 20000416 xfs redhat-fontserver-dos 1111 Entry Panda Security 3.0 with registry editing disabled allows users to edit the registry and gain privileges by directly executing a .reg file or using other methods. 20000417 bugs in Panda Security 3.0 http://updates.pandasoftware.com/docs/us/Avoidvulnerability.zip panda-admin-privileges 1119 Entry Panda Security 3.0 allows users to uninstall the Panda software via its Add/Remove Programs applet. 20000417 bugs in Panda Security 3.0 http://updates.pandasoftware.com/docs/us/Avoidvulnerability.zip 1119 panda-uninstall-program Entry Cisco Catalyst 5.4.x allows a user to gain access to the "enable" mode without a password. 20000419 Cisco Catalyst Enable Password Bypass Vulnerability cisco-catalyst-password-bypass 1122 1288 Entry Cisco IOS 11.x and 12.x allows remote attackers to cause a denial of service by sending the ENVIRON option to the Telnet daemon before it is ready to accept it, which causes the system to reboot. 20000420 Cisco IOS Software TELNET Option Handling Vulnerability 1123 cisco-ios-option-handling 1289 Entry RealNetworks RealServer allows remote attackers to cause a denial of service by sending malformed input to the server at port 7070. 20000420 Remote DoS attack in Real Networks Real Server Vulnerability http://service.real.com/help/faq/servg270.html realserver-remote-dos 1128 Entry PCAnywhere allows remote attackers to cause a denial of service by terminating the connection before PCAnywhere provides a login prompt. 20000409 A funny way to DOS pcANYWHERE8.0 and 9.0 1095 pcanywhere-login-dos Entry The Linux trustees kernel patch allows attackers to cause a denial of service by accessing a file or directory with a long name. 20000410 linux trustees 1.5 long path name vulnerability http://www.braysystems.com/linux/trustees.html linux-trustees-patch-dos 1096 Entry BeOS 4.5 and 5.0 allow local users to cause a denial of service via malformed direct system calls using interrupt 37. 20000410 BeOS syscall bug 1098 beos-syscall-dos Entry Microsoft Excel 97 and 2000 does not warn the user when executing Excel Macro Language (XLM) macros in external text files, which could allow an attacker to execute a macro virus, aka the "XLM Text Macro" vulnerability. MS00-022 1087 1272 Entry The SalesLogix Eviewer allows remote attackers to cause a denial of service by accessing the URL for the slxweb.dll administration program, which does not authenticate the user. 20000331 SalesLogix Eviewer Web App Bug: URL request crashes eviewer web application 1089 eviewer-admin-request-dos Entry BeOS allows remote attackers to cause a denial of service via malformed packets whose length field is less than the length of the headers. 20000407 BeOS Networking DOS http://bebugs.be.com/devbugs/detail.php3?oid=2505312 1100 beos-networking-dos Entry TalentSoft webpsvr daemon in the Web+ shopping cart application allows remote attackers to read arbitrary files via a .. (dot dot) attack on the webplus CGI program. 20000412 TalentSoft Web+ Input Validation Bug Vulnerability ftp://ftp.talentsoft.com/Download/Webplus/Unix/Patches/Webplus46p%20Read%20me.html 1102 talentsoft-web-input Entry The default installation of IRIX Performance Copilot allows remote attackers to access sensitive system information via the pmcd daemon. 20000412 Performance Copilot for IRIX 6.5 1106 irix-pmcd-info Entry Buffer overflow in XFree86 3.3.x allows local users to execute arbitrary commands via a long -xkbmap parameter. 20000416 XFree86 server overflow 1306 xfree86-xkbmap-parameter-bo Entry The BizDB CGI script bizdb-search.cgi allows remote attackers to execute arbitrary commands via shell metacharacters in the dbname parameter. 20000412 BizDB Search Script Enables Shell Command Execution at the Server 1104 http-cgi-bizdb Entry IP masquerading in Linux 2.2.x allows remote attackers to route UDP packets through the internal interface by modifying the external source IP address and port number to match those of an established connection. 20000327 Security Problems with Linux 2.2.x IP Masquerading 20000520 Security hole in kernel < 2.2.15 1078 linux-masquerading-dos Entry Buffer overflow in Webstar HTTP server allows remote attackers to cause a denial of service via a long GET request. 20000331 Webstar 4.0 Buffer overflow vulnerability macos-webstar-get-bo(4792) 1822 Entry The Adtran MX2800 M13 Multiplexer allows remote attackers to cause a denial of service via a ping flood to the Ethernet interface, which causes the device to crash. 20000418 Adtran DoS 1129 adtran-ping-dos Entry Buffer overflow in healthd for FreeBSD allows local users to gain root privileges. FreeBSD-SA-00:12 1107 freebsd-healthd 606 Entry fcheck allows local users to gain privileges by embedding shell metacharacters into file names that are processed by fcheck. 20000331 fcheck v.2.7.45 and insecure use of Perl's system() 1086 fcheck-shell Entry Allaire Forums 2.0.5 allows remote attackers to bypass access restrictions to secure conferences via the rightAccessAllForums or rightModerateAllForums variables. ASB00-06 1085 allaire-forums-allaccess 1270 Entry The unattended installation of Windows 2000 with the OEMPreinstall option sets insecure permissions for the All Users and Default Users directories. 20000407 All Users startup folder left open if unattended install and OEMP reinstall=1 win2k-unattended-install(4278) 1758 Entry Ipswitch IMAIL server 6.02 and earlier allows remote attackers to cause a denial of service via the AUTH CRAM-MD5 command. 20000405 Re: IMAIL (Ipswitch) DoS with Eudora (Qualcomm) http://support.ipswitch.com/kb/IM-20000208-DM02.htm 1094 ipswitch-imail-dos Entry Microsoft Index Server allows remote attackers to view the source code of ASP files by appending a %20 to the filename in the CiWebHitsFile argument to the null.htw URL. 20000331 Alert: MS Index Server (CISADV000330) MS00-006 1084 http-indexserver-asp-source 271 Entry Quake3 Arena allows malicious server operators to read or modify files on a client via a dot dot (..) attack. 20000503 Vulnerability in Quake3Arena Auto-Download Feature http://www.quake3arena.com/news/index.html 1169 quake3-auto-download 7531 Entry Microsoft IIS 4.0 and 5.0 with the IISADMPWD virtual directory installed allows a remote attacker to cause a denial of service via a malformed request to the inetinfo.exe program, aka the "Undelimited .HTR Request" vulnerability. 20000511 Microsoft IIS Remote Denial of Service Attack MS00-031 1191 iis-authchangeurl-dos Entry Windows 95, Windows 98, Windows 2000, Windows NT 4.0, and Terminal Server systems allow a remote attacker to cause a denial of service by sending a large number of identical fragmented IP packets, aka jolt2 or the "IP Fragment Reassembly" vulnerability. 20000519 jolt2 - Remote DoS against NT, W2K, 9x MS00-029 1236 ip-fragment-reassembly-dos Entry Buffer overflow in calserver in SCO OpenServer allows remote attackers to gain root access via a long message. SB-99.02 19981229 Local/remote exploit for SCO UNIX. Entry Vulnerability in xserver in SCO UnixWare 2.1.x and OpenServer 5.05 and earlier allows an attacker to cause a denial of service which prevents access to reserved port numbers below 1024. SB-99.07 Entry Insecure file permissions for Netscape FastTrack Server 2.x, Enterprise Server 2.0, and Proxy Server 2.5 in SCO UnixWare 7.0.x and 2.1.3 allow an attacker to gain root privileges. SB-99.08 Entry The i386 trace-trap handling in OpenBSD 2.4 with DDB enabled allows a local user to cause a denial of service. 19990212 i386 trace-trap handling when DDB was configured could cause a system crash. 6126 Entry IP fragment assembly in OpenBSD 2.4 allows a remote attacker to cause a denial of service by sending a large number of fragmented packets. 19990217 IP fragment assembly can bog the machine excessively and cause problems. 7539 Entry The Windows 2000 domain controller allows a malicious user to modify Active Directory information by modifying an unprotected attribute, aka the "Mixed Object Access" vulnerability. MS00-026 ms-mixed-object 1145 Entry Vulnerability in OpenBSD 2.6 allows a local user to change interface media configurations. 19991109 Any user can change interface media configurations. 7540 Entry traceroute in NetBSD 1.3.3 and Linux systems allows local users to flood other systems by providing traceroute with a large waittime (-w) option, which is not parsed properly and sets the time delay for sending packets to zero. 19990213 traceroute as a flooder NetBSD-SA1999-004 7574 Entry traceroute in NetBSD 1.3.3 and Linux systems allows local unprivileged users to modify the source address of the packets, which could be used in spoofing attacks. 19990213 traceroute as a flooder NetBSD-SA1999-004 7575 Entry Buffer overflow in Solaris 7 lp allows local users to gain root privileges via a long -d option. 20000424 Solaris 7 x86 lp exploit 4314312 1143 solaris-lp-bo Entry Atrium Mercur Mail Server 3.2 allows local attackers to read other user's email and create arbitrary files via a dot dot (..) attack. 20000413 Security problems with Atrium Mercur Mailserver 3.20 1144 mercur-remote-dot-attack Entry mail.local in Sendmail 8.10.x does not properly identify the .\n string which identifies the end of message text, which allows a remote attacker to cause a denial of service or corrupt mailboxes via a message line that is 2047 characters long and ends in .\n. 20000424 unsafe fgets() in sendmail's mail.local sendmail-maillocal-dos 1146 Entry Qpopper 2.53 and 3.0 does not properly identify the \n string which identifies the end of message text, which allows a remote attacker to cause a denial of service or corrupt mailboxes via a message line that is 1023 characters long and ends in \n. 20000421 unsafe fgets() in qpopper 1133 qpopper-fgets-spoofing Entry The passwd.php3 CGI script in the Red Hat Piranha Virtual Server Package allows local users to execure arbitrary commands via shell metacharacters. 20000424 piranha default password/exploit RHSA-2000:014 1149 piranha-passwd-execute Entry The Microsoft Jet database engine allows an attacker to modify text files via a database query, aka the "Text I-ISAM" vulnerability. 19990728 Alert : MS Office 97 Vulnerability MS99-030 jet-text-isam 595 Entry pcAnywhere 8.x and 9.0 allows remote attackers to cause a denial of service via a TCP SYN scan, e.g. by nmap. 20000425 Denial of Service Against pcAnywhere. 20010211 Symantec pcAnywhere 9.0 DoS / Buffer Overflow 20010212 Re: Symantec pcAnywhere 9.0 DoS / Buffer Overflow 1150 pcanywhere-tcpsyn-dos(4347) 1301 Entry Microsoft Virtual Machine (VM) allows remote attackers to escape the Java sandbox and execute commands via an applet containing an illegal cast operation, aka the "Virtual Machine Verifier" vulnerability. 19991014 Another Microsoft Java Flaw Disovered MS99-045 msvm-verifier-java Entry Windows NT 4.0 generates predictable random TCP initial sequence numbers (ISN), which allows remote attackers to perform spoofing and session hijacking. 19990824 NT Predictable Initial TCP Sequence numbers - changes observed with SP4 MS99-046 604 nt-sequence-prediction-sp4 tcp-seq-predict Entry A Microsoft ActiveX control allows a remote attacker to execute a malicious cabinet file via an attachment and an embedded script in an HTML mail, aka the "Active Setup Control" vulnerability. MS99-048 ie-active-setup-control Entry The networking software in Windows 95 and Windows 98 allows remote attackers to execute commands via a long file name string, aka the "File Access URL" vulnerability. MS99-049 win-fileurl-overflow Entry Buffer overflow in Microsoft command processor (CMD.EXE) for Windows NT and Windows 2000 allows a local user to cause a denial of service via a long environment variable, aka the "Malformed Environment Variable" vulnerability. 20000421 CMD.EXE overflow (CISADV000420) MS00-027 1135 nt-cmd-overflow Entry UltraBoard.pl or UltraBoard.cgi CGI scripts in UltraBoard 1.6 allows remote attackers to read arbitrary files via a pathname string that includes a dot dot (..) and ends with a null byte. 20000502 Fun with UltraBoard V1.6X 1164 ultraboard-printabletopic-fileread 1309 4065 Entry The Allaire Spectra container editor preview tool does not properly enforce object security, which allows an attacker to conduct unauthorized activities via an object-method that is added to the container object with a publishing rule. ASB00-10 1181 allaire-spectra-container-editor-preview Entry The resolver in glibc 2.1.3 uses predictable IDs, which allows a local attacker to spoof DNS query results. 20000502 glibc resolver weakness 1166 glibc-resolver-id-predictable Entry Linux OpenLDAP server allows local users to modify arbitrary files via a symlink attack. RHSA-2000:012 CSSA-2000-009.0 TLSA2000010-1 1232 openldap-symlink-attack Entry Buffer overflow in Xsun X server in Solaris 7 allows local users to gain root privileges via a long -dev parameter. 20000424 Solaris x86 Xsun overflow. 4335411 solaris-xsun-bo 1140 Entry Concurrent Versions Software (CVS) uses predictable temporary file names for locking, which allows local users to cause a denial of service by creating the lock directory before it is created for use by a legitimate CVS user. 20000423 CVS DoS 1136 cvs-tempfile-dos Entry ZoneAlarm 2.1.10 and earlier does not filter UDP packets with a source port of 67, which allows remote attackers to bypass the firewall rules. 20000420 ZoneAlarm 1137 zonealarm-portscan 1294 Entry Buffer overflow in Gnomelib in SuSE Linux 6.3 allows local users to execute arbitrary commands via the DISPLAY environmental variable. 20000428 SuSE 6.3 Gnomelib buffer overflow http://www.suse.com/us/support/download/updates/axp_63.html 1155 linux-gnomelib-bo Entry ATRIUM Cassandra NNTP Server 1.10 allows remote attackers to cause a denial of service via a long login name. 20000501 Remote DoS attack in CASSANDRA NNTPServer v1.10 from ATRIUM 1156 nntpserver-cassandra-bo Entry Eudora 4.x allows remote attackers to bypass the user warning for executable attachments such as .exe, .com, and .bat by using a .lnk file that refers to the attachment, aka "Stealth Attachment." http://www.peacefire.org/security/stealthattach/explanation.html http://news.cnet.com/news/0-1005-200-1773077.html?tag=st.ne.fd.lthd.1005-200-1773077 1157 eudora-warning-message Entry The knfsd NFS server in Linux kernel 2.2.x allows remote attackers to cause a denial of service via a negative size value. 20000501 Linux knfsd DoS issue 1160 linux-knfsd-dos Entry AppleShare IP 6.1 and later allows a remote at