"CVE Version 20061101",,,,,
"Date: 20090702",,,,,
"Name","Status","Description","References","Phase","Votes","Comments"
"Candidates must be reviewed and accepted by the CVE Editorial Board",,,,,,
"before they can be added to the official CVE list. Therefore, these",,,,,,
"candidates may be modified or even rejected in the future. They are",,,,,,
"provided for use by individuals who have a need for an early",,,,,,
"numbering scheme for items that have not been fully reviewed by",,,,,,
"the Editorial Board.",,,,,,
,,,,,,
CVE-1999-0001,Candidate,"ip_input.c in BSD-derived TCP/IP implementations allows remote attackers to cause a denial of service (crash or hang) via crafted packets.","CERT:CA-98-13-tcp-denial-of-service | BUGTRAQ:19981223 Re: CERT Advisory CA-98.13 - TCP/IP Denial of Service | CONFIRM:http://www.openbsd.org/errata23.html#tcpfix | OSVDB:5707 | URL:http://www.osvdb.org/5707",Modified (20051217)," MODIFY(1) Frech | NOOP(2) Northcutt, Wall | REVIEWING(1) Christey"," Christey> A Bugtraq posting indicates that the bug has to do with | ""short packets with certain options set,"" so the description | should be modified accordingly. | | But is this the same as CVE-1999-0052? That one is related | to nestea (CVE-1999-0257) and probably the one described in | BUGTRAQ:19981023 nestea v2 against freebsd 3.0-Release | The patch for nestea is in ip_input.c around line 750. | The patches for CVE-1999-0001 are in lines 388&446. So, | CVE-1999-0001 is different from CVE-1999-0257 and CVE-1999-0052. | The FreeBSD patch for CVE-1999-0052 is in line 750. | So, CVE-1999-0257 and CVE-1999-0052 may be the same, though | CVE-1999-0052 should be RECAST since this bug affects Linux | and other OSes besides FreeBSD. | Frech> XF:teardrop(338) | This assignment was based solely on references to the CERT advisory. | Christey> The description for BID:190, which links to CVE-1999-0052 (a | FreeBSD advisory), notes that the patches provided by FreeBSD in | CERT:CA-1998-13 suggest a connection between CVE-1999-0001 and | CVE-1999-0052. CERT:CA-1998-13 is too vague to be sure without | further analysis."
CVE-1999-0002,Entry,"Buffer overflow in NFS mountd gives root access to remote attackers, mostly in Linux systems.","SGI:19981006-01-I | URL:ftp://patches.sgi.com/support/free/security/advisories/19981006-01-I | CERT:CA-98.12.mountd | CIAC:J-006 | URL:http://www.ciac.org/ciac/bulletins/j-006.shtml | BID:121 | URL:http://www.securityfocus.com/bid/121 | XF:linux-mountd-bo",,,
CVE-1999-0003,Entry,"Execute commands as root via buffer overflow in Tooltalk database server (rpc.ttdbserverd).","NAI:NAI-29 | CERT:CA-98.11.tooltalk | SGI:19981101-01-A | URL:ftp://patches.sgi.com/support/free/security/advisories/19981101-01-A | SGI:19981101-01-PX | URL:ftp://patches.sgi.com/support/free/security/advisories/19981101-01-PX | XF:aix-ttdbserver | XF:tooltalk | BID:122 | URL:http://www.securityfocus.com/bid/122",,,
CVE-1999-0004,Candidate,"MIME buffer overflow in email clients, e.g. Solaris mailtool and Outlook.","CERT:CA-98.10.mime_buffer_overflows | XF:outlook-long-name | SUN:00175 | MS:MS98-008 | URL:http://www.microsoft.com/technet/security/bulletin/ms98-008.asp",Modified (19990621-01)," ACCEPT(8) Magdych, Northcutt, Wall, Baker, Landfield, Cole, Dik, Collins | MODIFY(1) Frech | NOOP(1) Christey | REVIEWING(1) Shostack"," Frech> Extremely minor, but I believe e-mail is the correct term. (If you reject | this suggestion, I will not be devastated.) :-) | Christey> This issue seems to have been rediscovered in | BUGTRAQ:20000515 Eudora Pro & Outlook Overflow - too long filenames again | http://marc.theaimsgroup.com/?l=bugtraq&m=95842482413076&w=2 | | Also see | BUGTRAQ:19990320 Eudora Attachment Buffer Overflow | http://marc.theaimsgroup.com/?l=bugtraq&m=92195396912110&w=2 | Christey> | CVE-2000-0415 may be a later rediscovery of this problem | for Outlook. | Dik> Sun bug 4163471, | Christey> ADDREF BID:125 | Christey> BUGTRAQ:19980730 Long Filenames & Lotus Products | URL:http://marc.theaimsgroup.com/?l=bugtraq&m=90221104526201&w=2"
CVE-1999-0005,Entry,"Arbitrary command execution via IMAP buffer overflow in authenticate command.","CERT:CA-98.09.imapd | SUN:00177 | URL:http://sunsolve.sun.com/pub-cgi/retrieve.pl?doctype=coll&doc=secbull/177 | BID:130 | URL:http://www.securityfocus.com/bid/130 | XF:imap-authenticate-bo",,,
CVE-1999-0006,Entry,"Buffer overflow in POP servers based on BSD/Qualcomm's qpopper allows remote attackers to gain root access using a long PASS command.","CERT:CA-98.08.qpopper_vul | SGI:19980801-01-I | URL:ftp://patches.sgi.com/support/free/security/advisories/19980801-01-I | AUSCERT:AA-98.01 | XF:qpopper-pass-overflow | BID:133 | URL:http://www.securityfocus.com/bid/133",,,
CVE-1999-0007,Entry,"Information from SSL-encrypted sessions via PKCS #1.","CERT:CA-98.07.PKCS | MS:MS98-002 | URL:http://www.microsoft.com/technet/security/bulletin/ms98-002.mspx | XF:nt-ssl-fix",,,
CVE-1999-0008,Entry,"Buffer overflow in NIS+, in Sun's rpc.nisd program.","CERT:CA-98.06.nisd | SUN:00170 | URL:http://sunsolve.sun.com/pub-cgi/retrieve.pl?doctype=coll&doc=secbull/170 | ISS:June10,1998 | XF:nisd-bo-check",,,
CVE-1999-0009,Entry,"Inverse query buffer overflow in BIND 4.9 and BIND 8 Releases.","SGI:19980603-01-PX | URL:ftp://patches.sgi.com/support/free/security/advisories/19980603-01-PX | HP:HPSBUX9808-083 | URL:http://www1.itrc.hp.com/service/cki/docDisplay.do?docId=HPSBUX9808-083 | SUN:00180 | URL:http://sunsolve.sun.com/pub-cgi/retrieve.pl?doctype=coll&doc=secbull/180 | CERT:CA-98.05.bind_problems | XF:bind-bo | BID:134 | URL:http://www.securityfocus.com/bid/134",,,
CVE-1999-0010,Entry,"Denial of Service vulnerability in BIND 8 Releases via maliciously formatted DNS messages.","CERT:CA-98.05.bind_problems | SGI:19980603-01-PX | URL:ftp://patches.sgi.com/support/free/security/advisories/19980603-01-PX | HP:HPSBUX9808-083 | URL:http://www1.itrc.hp.com/service/cki/docDisplay.do?docId=HPSBUX9808-083 | XF:bind-dos",,,
CVE-1999-0011,Entry,"Denial of Service vulnerabilities in BIND 4.9 and BIND 8 Releases via CNAME record and zone transfer.","CERT:CA-98.05.bind_problems | SGI:19980603-01-PX | URL:ftp://patches.sgi.com/support/free/security/advisories/19980603-01-PX | HP:HPSBUX9808-083 | URL:http://www1.itrc.hp.com/service/cki/docDisplay.do?docId=HPSBUX9808-083 | SUN:00180 | URL:http://sunsolve.sun.com/pub-cgi/retrieve.pl?doctype=coll&doc=secbull/180 | XF:bind-axfr-dos",,,
CVE-1999-0012,Entry,"Some web servers under Microsoft Windows allow remote attackers to bypass access restrictions for files with long file names.","CERT:CA-98.04.Win32.WebServers | XF:nt-web8.3",,,
CVE-1999-0013,Entry,"Stolen credentials from SSH clients via ssh-agent program, allowing other local users to access remote accounts belonging to the ssh-agent user.","CERT:CA-98.03.ssh-agent | NAI:NAI-24 | XF:ssh-agent",,,
CVE-1999-0014,Entry,"Unauthorized privileged access or denial of service via dtappgather program in CDE.","HP:HPSBUX9801-075 | URL:http://www1.itrc.hp.com/service/cki/docDisplay.do?docId=HPSBUX9801-075 | SUN:00185 | URL:http://sunsolve.sun.com/pub-cgi/retrieve.pl?doctype=coll&doc=secbull/185 | CERT:CA-98.02.CDE",,,
CVE-1999-0015,Candidate,"Teardrop IP denial of service.","CERT:CA-97.28.Teardrop_Land | OVAL:oval:org.mitre.oval:def:5579 | URL:http://oval.mitre.org/repository/data/getDef?id=oval:org.mitre.oval:def:5579 | XF:teardrop",Modified (20090302)," ACCEPT(1) Wall | MODIFY(1) Frech | REVIEWING(1) Christey"," Frech> XF: teardrop-mod | Christey> Not sure how many separate ""instances"" of Teardrop there are. | See: CVE-1999-0015, CVE-1999-0104, CVE-1999-0257, CVE-1999-0258 | Christey> See the SCO advisory at: | http://www.securityfocus.com/templates/advisory.html?id=1411 | which may further clarify the issue. | Christey> MSKB:Q154174 | MSKB:Q154174 (CVE-1999-0015) and MSKB:Q179129 (CVE-1999-0104) | indicate that CVE-1999-0015 was fixed in NT SP3, but | CVE-1999-0104 was not. Thus CD:SF-LOC suggests that the | problems keep separate candidates because one problem appears | in a different version than the other. | Christey> BID:124 | http://www.securityfocus.com/bid/124 | Consider MSKB:Q154174 | http://support.microsoft.com/support/kb/articles/q154/1/74.asp | Consider BUGTRAQ:19971113 Linux IP fragment overlap bug | http://www.securityfocus.com/archive/1/8014"
CVE-1999-0016,Entry,"Land IP denial of service.","CERT:CA-97.28.Teardrop_Land | FREEBSD:FreeBSD-SA-98:01 | HP:HPSBUX9801-076 | URL:http://www1.itrc.hp.com/service/cki/docDisplay.do?docId=HPSBUX9801-076 | CISCO:http://www.cisco.com/warp/public/770/land-pub.shtml | XF:cisco-land | XF:land | XF:95-verv-tcp | XF:land-patch | XF:ver-tcpip-sys",,,
CVE-1999-0017,Entry,"FTP servers can allow an attacker to connect to arbitrary ports on machines other than the FTP client, aka FTP bounce.","CERT:CA-97.27.FTP_bounce | XF:ftp-bounce | XF:ftp-privileged-port",,,
CVE-1999-0018,Entry,"Buffer overflow in statd allows root privileges.","CERT:CA-97.26.statd | AUSCERT:AA-97.29 | XF:statd | BID:127 | URL:http://www.securityfocus.com/bid/127",,,
CVE-1999-0019,Entry,"Delete or create a file via rpc.statd, due to invalid information.","CERT:CA-96.09.rpc.statd | XF:rpc-stat | SUN:00135 | URL:http://sunsolve.sun.com/pub-cgi/retrieve.pl?doctype=coll&doc=secbull/135",,,
CVE-1999-0020,Candidate,"** REJECT ** DO NOT USE THIS CANDIDATE NUMBER. ConsultIDs: CVE-1999-0032. Reason: This candidate is a duplicate of CVE-1999-0032. Notes: All CVE users should reference CVE-1999-0032 instead of this candidate. All references and descriptions in this candidate have been removed to prevent accidental usage.","",Modified (20050204)," MODIFY(1) Frech | NOOP(4) Levy, Northcutt, Wall, Shostack | REJECT(2) Christey, Baker"," Frech> XF:lpr-bo | Christey> DUPE CVE-1999-0032, which includes XF:lpr-bo"
CVE-1999-0021,Entry,"Arbitrary command execution via buffer overflow in Count.cgi (wwwcount) cgi-bin program.","BUGTRAQ:19971010 Security flaw in Count.cgi (wwwcount) | CERT:CA-97.24.Count_cgi | XF:http-cgi-count | BID:128 | URL:http://www.securityfocus.com/bid/128",,,
CVE-1999-0022,Entry,"Local user gains root privileges via buffer overflow in rdist, via expstr() function.","CERT:CA-97.23.rdist | SUN:00179 | URL:http://sunsolve.sun.com/pub-cgi/retrieve.pl?doctype=coll&doc=secbull/179 | XF:rdist-bo3 | XF:rdist-sept97",,,
CVE-1999-0023,Entry,"Local user gains root privileges via buffer overflow in rdist, via lookup() function.","CERT:CA-96.14.rdist_vul | XF:rdist-bo | XF:rdist-bo2",,,
CVE-1999-0024,Entry,"DNS cache poisoning via BIND, by predictable query IDs.","CERT:CA-97.22.bind | XF:bind | NAI:NAI-11",,,
CVE-1999-0025,Entry,"root privileges via buffer overflow in df command on SGI IRIX systems.","CERT:CA-1997-21 | URL:http://www.cert.org/advisories/CA-1997-21.html | AUSCERT:AA-97.19.IRIX.df.buffer.overflow.vul | SGI:SGI:19970505-01-A | SGI:SGI:19970505-02-PX | CERT-VN:VU#20851 | URL:http://www.kb.cert.org/vuls/id/20851 | BID:346 | URL:http://www.securityfocus.com/bid/346 | XF:df-bo(440) | URL:http://xforce.iss.net/xforce/xfdb/440",,,
CVE-1999-0026,Entry,"root privileges via buffer overflow in pset command on SGI IRIX systems.","CERT:CA-97.21.sgi_buffer_overflow | AUSCERT:AA-97.20.IRIX.pset.buffer.overflow.vul | XF:pset-bo",,,
CVE-1999-0027,Entry,"root privileges via buffer overflow in eject command on SGI IRIX systems.","CERT:CA-97.21.sgi_buffer_overflow | AUSCERT:AA-97.21.IRIX.eject.buffer.overflow.vul | XF:eject-bo",,,
CVE-1999-0028,Entry,"root privileges via buffer overflow in login/scheme command on SGI IRIX systems.","CERT:CA-97.21.sgi_buffer_overflow | AUSCERT:AA-97.22.IRIX.login.scheme.buffer.overflow.vul | XF:sgi-schemebo",,,
CVE-1999-0029,Entry,"root privileges via buffer overflow in ordist command on SGI IRIX systems.","CERT:CA-97.21.sgi_buffer_overflow | AUSCERT:AA-97.23-IRIX.ordist.buffer.overflow.vul | XF:ordist-bo",,,
CVE-1999-0030,Candidate,"root privileges via buffer overflow in xlock command on SGI IRIX systems.","CERT:CA-97.21.sgi_buffer_overflow | AUSCERT:AA-97.24.IRIX.xlock.buffer.overflow.vul | XF:sgi-xlockbo | SGI:19970508-02-PX",Proposed (19990623)," ACCEPT(3) Ozancin, Levy, Prosser | NOOP(1) Baker | RECAST(1) Frech | REJECT(1) Christey"," Frech> XF:xlock-bo (also add) | As per xlock-bo, also appears on AIX, BSDI, DG/UX, FreeBSD, Solaris, and | several Linii. | Also, don't you mean to cite SGI:19970502-02-PX? The one you list is | login/scheme. | Levy> Notice that this xlock overflow is the same as in | CA-97.13. CA-97.21 simply is a reminder. | Christey> As pointed out by Elias, CA-97.21 states: ""For more | information about vulnerabilities in xlock... see CA-97.13"" | CA-97.13 = CVE-1999-0038. | This may also be a duplicate with CVE-1999-0306. | | See exploits at: | | http://marc.theaimsgroup.com/?l=bugtraq&m=87602167418394&w=2 | http://marc.theaimsgroup.com/?l=bugtraq&m=87602167418404&w=2 | | Sun also has this problem, at | http://sunsolve.sun.com/pub-cgi/retrieve.pl?doctype=coll&doc=secbull/150&type=0&nav=sec.sba"
CVE-1999-0031,Entry,"JavaScript in Internet Explorer 3.x and 4.x, and Netscape 2.x, 3.x and 4.x, allows remote attackers to monitor a user's web activities, aka the Bell Labs vulnerability.","CERT:CA-97.20.javascript | HP:HPSBUX9707-065 | URL:http://www.codetalker.com/advisories/vendor/hp/hpsbux9707-065.html",,,
CVE-1999-0032,Entry,"Buffer overflow in lpr, as used in BSD-based systems including Linux, allows local users to execute arbitrary code as root via a long -C (classification) command line option.","BUGTRAQ:19960813 Possible bufferoverflow condition in lpr, xterm and xload | BUGTRAQ:19961025 Linux & BSD's lpr exploit | MLIST:[freebsd-security] 19961025 Vadim Kolontsov: BoS: Linux & BSD's lpr exploit | MLIST:[linux-security] 19961122 LSF Update#14: Vulnerability of the lpr program. | CERT:CA-97.19.bsdlp | AUSCERT:AA-96.12 | CIAC:H-08 | CIAC:I-042 | URL:http://www.ciac.org/ciac/bulletins/i-042.shtml | SGI:19980402-01-PX | URL:ftp://patches.sgi.com/support/free/security/advisories/19980402-01-PX | BID:707 | URL:http://www.securityfocus.com/bid/707 | XF:bsd-lprbo2 | XF:bsd-lprbo | XF:lpr-bo",,,
CVE-1999-0033,Candidate,"Command execution in Sun systems via buffer overflow in the at program.","CERT:CA-97.18.at | SUN:00160 | XF:sun-atbo",Modified (20040811)," ACCEPT(8) Hill, Northcutt, Wall, Baker, Cole, Dik, Shostack, Collins | NOOP(1) Christey | RECAST(1) Frech"," Frech> This vulnerability also manifests itself for the following | platforms: AIX, HPUX, IRIX, Solaris, SCO, NCR MP-RAS. In this light, | please add the following: | Reference: XF:at-bo | Dik> Sun bug 1265200, 4063161 | Christey> ADDREF SGI:19971102-01-PX | ftp://patches.sgi.com/support/free/security/advisories/19971102-01-PX | SCO:SB.97:01 | ftp://ftp.sco.com/SSE/security_bulletins/SB.97:01a | Christey> CIAC:F-15 | http://ciac.llnl.gov/ciac/bulletins/f-15.shtml | HP:HPSBUX9502-023 | Christey> Add period to the end of the description."
CVE-1999-0034,Entry,"Buffer overflow in suidperl (sperl), Perl 4.x and 5.x.","CERT:CA-97.17.sperl | XF:perl-suid",,,
CVE-1999-0035,Entry,"Race condition in signal handling routine in ftpd, allowing read/write arbitrary files.","XF:ftp-ftpd | CERT:CA-97.16.ftpd | AUSCERT:AA-97.03",,,
CVE-1999-0036,Entry,"IRIX login program with a nonzero LOCKOUT parameter allows creation or damage to files.","CERT:CA-97.15.sgi_login | AUSCERT:AA-97.12 | CIAC:H-106 | URL:http://www.ciac.org/ciac/bulletins/h-106.shtml | SGI:19970508-02-PX | URL:ftp://patches.sgi.com/support/free/security/advisories/19970508-02-PX | OSVDB:990 | URL:http://www.osvdb.org/990 | XF:sgi-lockout(557) | URL:http://xforce.iss.net/xforce/xfdb/557",,,
CVE-1999-0037,Entry,"Arbitrary command execution via metamail package using message headers, when user processes attacker's message using metamail.","CERT:CA-97.14.metamail | XF:metamail-header-commands",,,
CVE-1999-0038,Entry,"Buffer overflow in xlock program allows local users to execute commands as root.","CERT:CA-97.13.xlock | XF:xlock-bo",,,
CVE-1999-0039,Entry,"webdist CGI program (webdist.cgi) in SGI IRIX allows remote attackers to execute arbitrary commands via shell metacharacters in the distloc parameter.","BUGTRAQ:19970507 Re: SGI Security Advisory 19970501-01-A - Vulnerability in | BUGTRAQ:19970507 Re: SGI Advisory: webdist.cgi | CERT:CA-1997-12 | URL:http://www.cert.org/advisories/CA-1997-12.html | AUSCERT:AA-97.14 | SGI:19970501-02-PX | URL:ftp://patches.sgi.com/support/free/security/advisories/19970501-02-PX | BID:374 | URL:http://www.securityfocus.com/bid/374 | OSVDB:235 | URL:http://www.osvdb.org/235 | XF:http-sgi-webdist(333) | URL:http://xforce.iss.net/xforce/xfdb/333",,,
CVE-1999-0040,Entry,"Buffer overflow in Xt library of X Windowing System allows local users to execute commands with root privileges.","CERT:CA-97.11.libXt | XF:libXt-bo",,,
CVE-1999-0041,Entry,"Buffer overflow in NLS (Natural Language Service).","CERT:CA-97.10.nls | XF:nls-bo",,,
CVE-1999-0042,Entry,"Buffer overflow in University of Washington's implementation of IMAP and POP servers.","NAI:NAI-21 | CERT:CA-97.09.imap_pop | XF:popimap-bo",,,
CVE-1999-0043,Entry,"Command execution via shell metachars in INN daemon (innd) 1.5 using ""newgroup"" and ""rmgroup"" control messages, and others.","CERT:CA-97.08.innd | XF:inn-controlmsg",,,
CVE-1999-0044,Entry,"fsdump command in IRIX allows local users to obtain root access by modifying sensitive files.","SGI:19970301-01-P | URL:ftp://patches.sgi.com/support/free/security/advisories/19970301-01-P | XF:sgi-fsdump",,,
CVE-1999-0045,Entry,"List of arbitrary files on Web host via nph-test-cgi script.","CERT:CA-97.07.nph-test-cgi_script | XF:http-cgi-nph",,,
CVE-1999-0046,Entry,"Buffer overflow of rlogin program using TERM environmental variable.","CERT:CA-97.06.rlogin-term | XF:rlogin-termbo",,,
CVE-1999-0047,Entry,"MIME conversion buffer overflow in sendmail versions 8.8.3 and 8.8.4.","CERT:CA-97.05.sendmail | BID:685 | URL:http://www.securityfocus.com/bid/685 | XF:sendmail-mime-bo2",,,
CVE-1999-0048,Entry,"Talkd, when given corrupt DNS information, can be used to execute arbitrary commands with root privileges.","CERT:CA-97.04.talkd | FREEBSD:FreeBSD-SA-96:21 | AUSCERT:AA-97.01 | SUN:00147 | URL:http://sunsolve.sun.com/pub-cgi/retrieve.pl?doctype=coll&doc=secbull/147 | XF:talkd-bo | XF:netkit-talkd",,,
CVE-1999-0049,Entry,"Csetup under IRIX allows arbitrary file creation or overwriting.","XF:sgi-csetup | CERT:CA-97.03.csetup",,,
CVE-1999-0050,Entry,"Buffer overflow in HP-UX newgrp program.","CERT:CA-97.02.hp_newgrp | AUSCERT:AA-96.16.HP-UX.newgrp.Buffer.Overrun.Vulnerability | XF:hp-newgrpbo",,,
CVE-1999-0051,Entry,"Arbitrary file creation and program execution using FLEXlm LicenseManager, from versions 4.0 to 5.0, in IRIX.","XF:sgi-licensemanager | CERT:CA-97.01.flex_lm | AUSCERT:AA-96.03",,,
CVE-1999-0052,Entry,"IP fragmentation denial of service in FreeBSD allows a remote attacker to cause a crash.","FREEBSD:FreeBSD-SA-98:08 | OSVDB:908 | URL:http://www.osvdb.org/908 | XF:freebsd-ip-frag-dos(1389) | URL:http://xforce.iss.net/xforce/xfdb/1389",,,
CVE-1999-0053,Entry,"TCP RST denial of service in FreeBSD.","FREEBSD:FreeBSD-SA-98:07 | OSVDB:6094 | URL:http://www.osvdb.org/6094",,,
CVE-1999-0054,Entry,"Sun's ftpd daemon can be subjected to a denial of service.","SUN:00171 | URL:http://sunsolve.sun.com/pub-cgi/retrieve.pl?doctype=coll&doc=secbull/171 | XF:sun-ftpd",,,
CVE-1999-0055,Entry,"Buffer overflows in Sun libnsl allow root access.","SUN:00172 | URL:http://sunsolve.sun.com/pub-cgi/retrieve.pl?doctype=coll&doc=secbull/172 | AIXAPAR:IX80543 | URL:http://www-1.ibm.com/support/search.wss?rs=0&q=IX80543&apar=only | RSI:RSI.0005.05-14-98.SUN.LIBNSL | XF:sun-libnsl",,,
CVE-1999-0056,Entry,"Buffer overflow in Sun's ping program can give root access to local users.","SUN:00174 | URL:http://sunsolve.sun.com/pub-cgi/retrieve.pl?doctype=coll&doc=secbull/174 | XF:sun-ping",,,
CVE-1999-0057,Entry,"Vacation program allows command execution by remote users through a sendmail command.","NAI:NAI-19 | XF:vacation | HP:HPSBUX9811-087 | URL:http://www1.itrc.hp.com/service/cki/docDisplay.do?docId=HPSBUX9811-087",,,
CVE-1999-0058,Entry,"Buffer overflow in PHP cgi program, php.cgi allows shell access.","NAI:NAI-12 | BID:712 | URL:http://www.securityfocus.com/bid/712 | XF:http-cgi-phpbo",,,
CVE-1999-0059,Entry,"IRIX fam service allows an attacker to obtain a list of all files on the server.","NAI:NAI-16 | BID:353 | URL:http://www.securityfocus.com/bid/353 | OSVDB:164 | URL:http://www.osvdb.org/164 | XF:irix-fam(325) | URL:http://xforce.iss.net/xforce/xfdb/325",,,
CVE-1999-0060,Entry,"Attackers can cause a denial of service in Ascend MAX and Pipeline routers with a malformed packet to the discard port, which is used by the Java Configurator tool.","NAI:NAI-26 | XF:ascend-config-kill | ASCEND:http://www.ascend.com/2695.html",,,
CVE-1999-0061,Candidate,"File creation and deletion, and remote execution, in the BSD line printer daemon (lpd).","NAI:NAI-20 | XF:bsd-lpd",Proposed (19990630)," ACCEPT(3) Hill, Northcutt, Frech | RECAST(1) Baker | REVIEWING(1) Christey"," Christey> This should be split into three separate problems based on | the SNI advisory. But there's newer information to further | complicate things. | | What do we do about this one? in 1997 or so, SNI did an | advisory on this problem. In early 2000, it was still | discovered to be present in some Linux systems. So an | SF-DISCOVERY content decision might say that this is a | long enough time between the two, so this should be recorded | separately. But they're the same codebase... so if we keep | them in the same entry, how do we make sure that this entry | reflects that some new information has been discovered? | | The use of dot notation may help in this regard, to use one | dot for the original problem as discovered in 1997, and | another dot for the resurgence of the problem in 2000. | Baker> We should merge these. | Christey> Perhaps this should be NAI-19 instead of NAI-20? | The original Bugtraq post for the SNI advisory suggests SNI-19: | BUGTRAQ:19971002 SNI-19:BSD lpd vulnerability | URL:SNI-19:BSD lpd vulnerability | | Also add: | BUGTRAQ:19971021 SNI-19: BSD lpd vulnerabilities (UPDATE) | URL:http://marc.theaimsgroup.com/?l=bugtraq&m=87747479514310&w=2 | | However, archives of ""NAI-0020"" point to the lpd vuln. | | If I recall correctly, some of the NAI advisory numbers got | switched when NAI acquired SNI."
CVE-1999-0062,Entry,"The chpass command in OpenBSD allows a local user to gain root access through file descriptor leakage.","XF:openbsd-chpass | NAI:NAI-28 | OSVDB:7559 | URL:http://www.osvdb.org/7559",,,
CVE-1999-0063,Entry,"Cisco IOS 12.0 and other versions can be crashed by malicious UDP packets to the syslog port.","AUSCERT:ESB-98.197 | CISCO:http://www.cisco.com/warp/public/770/iossyslog-pub.shtml | XF:cisco-syslog-crash",,,
CVE-1999-0064,Entry,"Buffer overflow in AIX lquerylv program gives root access to local users.","BUGTRAQ:May28,1997 | XF:lquerylv-bo",,,
CVE-1999-0065,Entry,"Multiple buffer overflows in how dtmail handles attachments allows a remote attacker to execute commands.","SUN:00181 | URL:http://sunsolve.sun.com/pub-cgi/retrieve.pl?doctype=coll&doc=secbull/181 | XF:hp-dtmail",,,
CVE-1999-0066,Entry,"AnyForm CGI remote execution.","BUGTRAQ:19950731 SECURITY HOLE: ""AnyForm"" CGI | BID:719 | URL:http://www.securityfocus.com/bid/719 | XF:http-cgi-anyform",,,
CVE-1999-0067,Entry,"phf CGI program allows remote command execution through shell metacharacters.","BUGTRAQ:19960923 PHF Attacks - Fun and games for the whole family | CERT:CA-1996-06 | URL:http://www.cert.org/advisories/CA-1996-06.html | AUSCERT:AA-96.01 | BID:629 | URL:http://www.securityfocus.com/bid/629 | OSVDB:136 | URL:http://www.osvdb.org/136 | XF:http-cgi-phf",,,
CVE-1999-0068,Entry,"CGI PHP mylog script allows an attacker to read any file on the target server.","BUGTRAQ:19971019 Vulnerability in PHP Example Logging Scripts | XF:http-cgi-php-mylog | BID:713 | URL:http://www.securityfocus.com/bid/713 | OSVDB:3396 | URL:http://www.osvdb.org/3396",,,
CVE-1999-0069,Entry,"Solaris ufsrestore buffer overflow.","SUN:00169 | URL:http://sunsolve.sun.com/pub-cgi/retrieve.pl?doctype=coll&doc=secbull/169 | XF:sun-ufsrestore | OSVDB:8158 | URL:http://www.osvdb.org/8158",,,
CVE-1999-0070,Entry,"test-cgi program allows an attacker to list files on the server.","XF:http-cgi-test",,,
CVE-1999-0071,Entry,"Apache httpd cookie buffer overflow for versions 1.1.1 and earlier.","XF:http-apache-cookie | NAI:NAI-2",,,
CVE-1999-0072,Entry,"Buffer overflow in AIX xdat gives root access to local users.","ERS:ERS-SVA-E01-1997:004.1 | XF:ibm-xdat",,,
CVE-1999-0073,Entry,"Telnet allows a remote client to specify environment variables including LD_LIBRARY_PATH, allowing an attacker to bypass the normal system libraries and gain root access.","CERT:CA-95:14.Telnetd_Environment_Vulnerability | XF:linkerbug",,,
CVE-1999-0074,Entry,"Listening TCP ports are sequentially allocated, allowing spoofing attacks.","XF:seqport",,,
CVE-1999-0075,Entry,"PASV core dump in wu-ftpd daemon when attacker uses a QUOTE PASV command after specifying a username and password.","BUGTRAQ:19961016 Re: ftpd bug? Was: bin/1805: Bug in ftpd | XF:ftp-pasvcore | OSVDB:5742 | URL:http://www.osvdb.org/5742",,,
CVE-1999-0076,Candidate,"Buffer overflow in wu-ftp from PASV command causes a core dump.","XF:ftp-args",Modified (19990925-01)," ACCEPT(3) Ozancin, Baker, Frech | NOOP(1) Balinsky | REVIEWING(1) Christey"," Balinsky> Don't know what this is. Is this the LIST Core dump vulnerability? | Christey> Need to add more references and details."
CVE-1999-0077,Entry,"Predictable TCP sequence numbers allow spoofing.","XF:tcp-seq-predict(139) | URL:http://xforce.iss.net/static/139.php",,,
CVE-1999-0078,Candidate,"pcnfsd (aka rpc.pcnfsd) allows local users to change file permissions, or execute arbitrary commands through arguments in the RPC call.","CERT:CA-96.08.pcnfsd | XF:rpc-pcnfsd",Modified (19990621-01)," ACCEPT(5) Collins, Northcutt, Landfield, Frech, Shostack | NOOP(1) Baker | RECAST(1) Christey"," Christey> This candidate should be SPLIT, since there are two separate | software flaws. One is a symlink race and the other is a | shell metacharacter problem. | Christey> The permissions part of this vulnerability appears to | overlap with CVE-1999-0353 | Christey> SGI:20020802-01-I"
CVE-1999-0079,Entry,"Remote attackers can cause a denial of service in FTP by issuing multiple PASV commands, causing the server to run out of available ports.","XF:ftp-pasv-dos | XF:ftp-pasvdos",,,
CVE-1999-0080,Entry,"Certain configurations of wu-ftp FTP server 2.4 use a _PATH_EXECPATH setting to a directory with dangerous commands, such as /bin, which allows remote authenticated users to gain root access via the ""site exec"" command.","BUGTRAQ:19950531 SECURITY: problem with some wu-ftpd-2.4 binaries (fwd) | CERT:CA-95:16.wu-ftpd.vul | XF:ftp-execdotdot",,,
CVE-1999-0081,Entry,"wu-ftp allows files to be overwritten via the rnfr command.","XF:ftp-rnfr",,,
CVE-1999-0082,Entry,"CWD ~root command in ftpd allows root access.","XF:ftp-cwd | FarmerVenema:Improving the Security of Your Site by Breaking Into it | URL:http://www.alw.nih.gov/Security/Docs/admin-guide-to-cracking.101.html",,,
CVE-1999-0083,Entry,"getcwd() file descriptor leak in FTP.","XF:cwdleak",,,
CVE-1999-0084,Entry,"Certain NFS servers allow users to use mknod to gain privileges by creating a writable kmem device and setting the UID to 0.","XF:nfs-mknod(78) | URL:http://xforce.iss.net/xforce/xfdb/78",,,
CVE-1999-0085,Entry,"Buffer overflow in rwhod on AIX and other operating systems allows remote attackers to execute arbitrary code via a UDP packet with a long hostname.","BUGTRAQ:19960821 rwhod buffer overflow | XF:rwhod(119) | URL:http://xforce.iss.net/xforce/xfdb/119 | XF:rwhod-vuln(118) | URL:http://xforce.iss.net/xforce/xfdb/118",,,
CVE-1999-0086,Candidate,"AIX routed allows remote users to modify sensitive files.","ERS:ERS-SVA-E01-1998:001.1 | XF:ibm-routed",Interim (19990630)," ACCEPT(2) Northcutt, Shostack | MODIFY(2) Prosser, Frech | NOOP(1) Baker | REJECT(1) Christey"," Frech> Reference: XF:ibm-routed | Prosser> This vulnerability allows debug mode to be turned on which is | the problem. Should this be more specific in the description? This | one also affects SGI OSes, ref SGI Security Advisory 19981004-PX which | is in the SGI cluster, shouldn't these be cross-referenced as the same | vuln affects multiple OSes. | Christey> This appears to be subsumed by CVE-1999-0215"
CVE-1999-0087,Entry,"Denial of service in AIX telnet can freeze a system and prevent users from accessing the server.","XF:ibm-telnetdos | ERS:ERS-SVA-E01-1998:003.1 | OSVDB:7992 | URL:http://www.osvdb.org/7992",,,
CVE-1999-0088,Candidate,"IRIX and AIX automountd services (autofsd) allow remote users to execute root commands.","ERS:ERS-SVA-E01-1998:004.1 | URL:http://www-1.ibm.com/services/brs/brspwhub.nsf/advisories/852567CC004F9038852566BF007B6393/$file/ERS-SVA-E01-1998_004_1.txt",Proposed (19990617)," ACCEPT(2) Northcutt, Shostack | MODIFY(2) Prosser, Frech | RECAST(1) Baker | REVIEWING(1) Christey"," Frech> ERS (and other references, BTW) explicitly stipulate 'local and | remote'. | Reference: XF:irix-autofsd | Prosser> Include the SGI Alert as well since it is mentioned in the | description. | SGI Security Advisory 19981005-01-PX | Christey> DUPE CVE-1999-0210? | Christey> ADDREF CIAC:J-014 | Baker> It does look very similar to 1999-0210. Perhaps they should be a single entry"
CVE-1999-0089,Candidate,"Buffer overflow in AIX libDtSvc library can allow local users to gain root access.","ERS:ERS-SVA-E01-1997:005.1 | XF:ibm-libDtSvc",Interim (19990630)," ACCEPT(2) Northcutt, Shostack | MODIFY(2) Prosser, Frech | RECAST(1) Baker | REVIEWING(1) Christey"," Frech> Reference: XF:ibm-libDtSvc | Prosser> The overflow is in the dtaction utility. Also affects | dtaction in the CDE on versions of SunOS (SUN 164). Probably should be | specific. | Christey> Same Codebase as CVE-1999-0121, so the two entries should be | merged."
CVE-1999-0090,Entry,"Buffer overflow in AIX rcp command allows local users to obtain root access.","ERS:ERS-SVA-E01-1997:005.1 | XF:ibm-rcp",,,
CVE-1999-0091,Entry,"Buffer overflow in AIX writesrv command allows local users to obtain root access.","ERS:ERS-SVA-E01-1997:005.1 | XF:ibm-writesrv",,,
CVE-1999-0092,Candidate,"Various vulnerabilities in the AIX portmir command allows local users to obtain root access.","ERS:ERS-SVA-E01-1997:006.1",Proposed (19990623)," ACCEPT(2) Baker, Bollinger | MODIFY(1) Frech | NOOP(1) Ozancin"," Frech> XF:ibm-portmir"
CVE-1999-0093,Entry,"AIX nslookup command allows local users to obtain root access by not dropping privileges correctly.","ERS:ERS-SVA-E01-1997:008.1 | XF:ibm-nslookup",,,
CVE-1999-0094,Entry,"AIX piodmgrsu command allows local users to gain additional group privileges.","ERS:ERS-SVA-E01-1997:007.1 | XF:ibm-piodmgrsu",,,
CVE-1999-0095,Entry,"The debug command in Sendmail is enabled, allowing attackers to execute commands as root.","CERT:CA-88.01 | CERT:CA-93.14 | BID:1 | URL:http://www.securityfocus.com/bid/1 | OSVDB:195 | URL:http://www.osvdb.org/195 | XF:smtp-debug",,,
CVE-1999-0096,Entry,"Sendmail decode alias can be used to overwrite sensitive files.","CERT:CA-93.16 | CERT:CA-95.05 | CIAC:A-13 | CIAC:A-14 | SUN:00122 | URL:http://sunsolve.sun.com/pub-cgi/retrieve.pl?doctype=coll&doc=secbull/122&type=0&nav=sec.sba | XF:smtp-dcod",,,
CVE-1999-0097,Entry,"The AIX FTP client can be forced to execute commands from a malicious server through shell metacharacters (e.g. a pipe character).","ERS:ERS-SVA-E01-1997:009.1 | XF:ibm-ftp",,,
CVE-1999-0098,Candidate,"Buffer overflow in SMTP HELO command in Sendmail allows a remote attacker to hide activities.","XF:smtp-helo-bo",Proposed (19990726)," MODIFY(2) Baker, Frech | NOOP(1) Wall | REVIEWING(1) Christey"," Frech> (Accept XF reference.) | Our references do not mention hiding activities. This issue can crash the | SMTP server or execute arbitrary byte-code. Is there another reference | available? | Christey> Should this be merged with CVE-1999-0284, which is Sendmail | with SMTP HELO? | Christey> BUGTRAQ:19980522 about sendmail 8.8.8 HELO hole | http://marc.theaimsgroup.com/?l=bugtraq&m=90221101925991&w=2 | BUGTRAQ:19980527 about sendmail 8.8.8 HELO hole | http://marc.theaimsgroup.com/?l=bugtraq&m=90221101926003&w=2 | Baker> Apparently this XF reference is not for this issue, but for the other issue. This should be modified to have the Bugtraq references, and remove the XF reference."
CVE-1999-0099,Entry,"Buffer overflow in syslog utility allows local or remote attackers to gain root privileges.","CERT:CA-95.13.syslog.vul | XF:smtp-syslog",,,
CVE-1999-0100,Entry,"Remote access in AIX innd 1.5.1, using control messages.","ERS:ERS-SVA-E01-1997:002.1 | XF:inn-controlmsg",,,
CVE-1999-0101,Entry,"Buffer overflow in AIX and Solaris ""gethostbyname"" library call allows root access through corrupt DNS host names.","ERS:ERS-SVA-E01-1997:001.1 | ERS:ERS-SVA-E01-1996:007.1 | SUN:00137a | CIAC:H-13 | URL:http://ciac.llnl.gov/ciac/bulletins/h-13.shtml | NAI:NAI-1 | XF:ghbn-bo",,,
CVE-1999-0102,Entry,"Buffer overflow in SLmail 3.x allows attackers to execute commands using a large FROM line.","XF:slmail-fromheader-overflow",,,
CVE-1999-0103,Entry,"Echo and chargen, or other combinations of UDP services, can be used in tandem to flood the server, a.k.a. UDP bomb or UDP packet storm.","CERT:CA-96.01.UDP_service_denial | XF:echo | XF:chargen | XF:chargen-patch",,,
CVE-1999-0104,Candidate,"A later variation on the Teardrop IP denial of service attack, a.k.a. Teardrop-2.","CERT:CA-97.28.Teardrop_Land | OVAL:oval:org.mitre.oval:def:5743 | URL:http://oval.mitre.org/repository/data/getDef?id=oval:org.mitre.oval:def:5743 | XF:teardrop-mod",Modified (20090302)," ACCEPT(2) Wall, Frech | REVIEWING(1) Christey"," Wall> Another reference is Microsoft Knowledge Base Q179129. | Christey> Not sure how many separate ""instances"" of Teardrop there are. | See: CVE-1999-0015, CVE-1999-0104, CVE-1999-0257, CVE-1999-0258 | Christey> See the SCO advisory at: | http://www.securityfocus.com/templates/advisory.html?id=1411 | which may further clarify the issue. | Christey> MSKB:Q179129 | http://support.microsoft.com/support/kb/articles/q179/1/29.asp | Christey> MSKB:Q179129 | http://support.microsoft.com/support/kb/articles/q179/1/29.asp | Note that the hotfix name is teardrop2, but the keywords | included in the KB article specifically name bonk | (CVE-1999-0258) and boink. | Since teardrop2 was fixed in a slightly different version | (at least in a separate patch) than Teardrop, CD:SF-LOC | suggests keeping them separate. | Christey> Add period to the end of the description."
CVE-1999-0105,Candidate,"finger allows recursive searches by using a long string of @ symbols.","",Proposed (19990726)," MODIFY(3) Shostack, Baker, Frech | NOOP(1) Christey | REJECT(1) Northcutt"," Shostack> fingerD | Frech> XF:finger-bomb | Christey> aka redirection or forwarding requests? (but then might | overlap CVE-1999-0106) | Baker> should change description to indicate the recursive searching can consume enough system resources to cause a DoS."
CVE-1999-0106,Candidate,"Finger redirection allows finger bombs.","",Proposed (19990726)," ACCEPT(1) Northcutt | MODIFY(2) Shostack, Frech | RECAST(1) Baker | REVIEWING(1) Christey"," Shostack> fingerd allows redirection | This is a larger modification, since there are two applications of the | vulnerability, one that I can finger anonymously, and the other that I | can finger bomb anonymously.
| Frech> XF:finger-bomb | Christey> need more refs | Baker> This should be merged with 1999-0105" CVE-1999-0107,Candidate,"Buffer overflow in Apache 1.2.5 and earlier allows a remote attacker to cause a denial of service with a large number of GET requests containing a large number of / characters.","XF:apache-dos | BUGTRAQ:19971230 Apache DoS attack?",Modified (19991223-01)," ACCEPT(1) Baker | MODIFY(1) Frech | NOOP(3) Shostack, Northcutt, Wall | REVIEWING(1) Levy | REVOTE(1) Christey"," Wall> - Although this is probably the phf hack. | Frech> XF:apache-dos | Christey> This sounds like the incident reported in: | NTBUGTRAQ:20000810 Apache Distributed Denial of Service | Levy> I believe this is the problem where sending a lot of HTTP headers to apache resulted in a denial of service. | BUGTRAQ: http://www.securityfocus.com/archive/1/10228 | BUGTRAQ: http://www.securityfocus.com/archive/1/10516" CVE-1999-0108,Entry,"The printers program in IRIX has a buffer overflow that gives root access to local users.","BUGTRAQ:another day, another buffer overflow... | XF:printers-bo",,, CVE-1999-0109,Entry,"Buffer overflow in ffbconfig in Solaris 2.5.1.","SUN:00140 | URL:http://sunsolve.sun.com/pub-cgi/retrieve.pl?doctype=coll&doc=secbull/140 | AUSCERT:AA-97.06 | XF:ffbconfig-bo",,, CVE-1999-0110,Candidate,"** REJECT ** DO NOT USE THIS CANDIDATE NUMBER. ConsultIDs: CVE-1999-0315. Reason: This candidate's original description had a typo that delayed it from being detected as a duplicate of CVE-1999-0315. Notes: All CVE users should reference CVE-1999-0315 instead of this candidate.
All references and descriptions in this candidate have been removed to prevent accidental usage.","",Interim (19990810)," MODIFY(1) Frech | NOOP(4) Shostack, Levy, Northcutt, Wall | REJECT(3) Dik, Christey, Baker"," Frech> XF:fdformat-bo | Christey> Duplicate of CVE-1999-0315 | Dik> dup" CVE-1999-0111,Entry,"RIP v1 is susceptible to spoofing.","XF:rip",,, CVE-1999-0112,Entry,"Buffer overflow in AIX dtterm program for the CDE.","BUGTRAQ:19970520 AIX 4.2 dtterm exploit | XF:dtterm-bo(878) | URL:http://xforce.iss.net/xforce/xfdb/878",,, CVE-1999-0113,Entry,"Some implementations of rlogin allow root access if given a -froot parameter.","BUGTRAQ:19940729 -froot??? (AIX rlogin bug) | CERT:CA-94.09.bin.login.vulnerability | CIAC:E-26 | BID:458 | URL:http://www.securityfocus.com/bid/458 | XF:rlogin-froot",,, CVE-1999-0114,Candidate,"Local users can execute commands as other users, and read other users' files, through the filter command in the Elm elm-2.4 mail package using a symlink attack.","BUGTRAQ:19990912 elm filter program | BUGTRAQ:19951226 filter (elm package) security hole | XF:elm-filter2",Modified (20000106-01)," ACCEPT(7) Shostack, Bishop, Blake, Wall, Landfield, Cole, Armstrong | MODIFY(2) Baker, Frech | NOOP(3) Ozancin, Christey, Northcutt | REVIEWING(1) Levy"," Frech> XF:elm-filter2 | CHANGE> [Wall changed vote from NOOP to ACCEPT] | Landfield> with Frech modifications | Baker> ADD REF http://www.cert.org/ftp/cert_bulletins/VB-95:10a.elm Official Advisory | Christey> The correct URL is http://www.cert.org/vendor_bulletins/VB-95:10a.elm | Need to make sure that this CERT advisory describes the right | problem, especially since the CERT advisory is dated December | 18, 1995 and the original Bugtraq post was December 26, 1995. | Christey> BID:1802 | URL:http://www.securityfocus.com/bid/1802 | BID:1802 doesn't include the 1999 posting - does Security | Focus think that the 1999 post describes a different | vulnerability? 
| Christey> XF:elm-filter2 isn't on the X-Force web site. How about XF:elm-filter(402) ? | Its references point to the December 26, 1995 Bugtraq post. | | Also consider CIAC:G-36 and CERT:VB-95:10 | Frech> DELREF:XF:elm-filter2(711) | ADDREF:XF:elm-filter(402)" CVE-1999-0115,Entry,"AIX bugfiler program allows local users to gain root access.","BUGTRAQ:19970909 AIX bugfiler | XF:ibm-bugfiler | BID:1800 | URL:http://www.securityfocus.com/bid/1800",,, CVE-1999-0116,Entry,"Denial of service when an attacker sends many SYN packets to create multiple connections without ever sending an ACK to complete the connection, aka SYN flood.","CERT:CA-96.21.tcp_syn.flooding | SGI:19961202-01-PX | URL:ftp://patches.sgi.com/support/free/security/advisories/19961202-01-PX | SUN:00136 | URL:http://sunsolve.sun.com/pub-cgi/retrieve.pl?doctype=coll&doc=secbull/136",,, CVE-1999-0117,Entry,"AIX passwd allows local users to gain root access.","XF:ibm-passwd | CERT:CA-92:07.AIX.passwd.vulnerability",,, CVE-1999-0118,Entry,"AIX infod allows local users to gain root access through an X display.","BUGTRAQ:19981119 RSI.0011.11-09-98.AIX.INFOD | URL:http://marc.theaimsgroup.com/?l=bugtraq&m=91158980826979&w=2 | XF:aix-infod",,, CVE-1999-0119,Candidate,"Windows NT 4.0 beta allows users to read and delete shares.","",Proposed (19990728)," MODIFY(1) Frech | NOOP(2) Northcutt, Baker | REJECT(1) Wall"," Wall> Reject based on beta copy. | Frech> XF:nt-beta(11) | Reconsider reject, because this beta was in widespread use."
CVE-1999-0120,Entry,"Sun/Solaris utmp file allows local users to gain root access if it is writable by users other than root.","SUN:00126 | URL:http://sunsolve.sun.com/pub-cgi/retrieve.pl?doctype=coll&doc=secbull/126 | CERT:CA-94.06.utmp.vulnerability | XF:utmp-write",,, CVE-1999-0121,Candidate,"Buffer overflow in dtaction command gives root access.","SUN:00164 | ERS:ERS-SVA-E01-1997:005.1",Proposed (19990617)," ACCEPT(2) Dik, Northcutt | MODIFY(3) Prosser, Baker, Frech | REVIEWING(1) Christey"," Frech> Reference: XF:dtaction-bo | Reference: XF:sun-dtaction | Prosser> Buffer overflow also affects /usr/dt/bin/dtaction in libDtSvc.a | library in AIX 4.x, but reference for this Sun vulnerability should | only reflect the Sun Bulletin or the CIAC I-032 version of the Sun | Bulletin | Christey> This is the Same Codebase as CVE-1999-0089, so the two entries | should be merged. | Frech> Replace sun-dtaction(732) with dtaction-bo(879) | Baker> Merge with 1999-0089" CVE-1999-0122,Entry,"Buffer overflow in AIX lchangelv gives root access.","BUGTRAQ:Jul21,1999 | XF:lchangelv-bo",,, CVE-1999-0123,Candidate,"Race condition in Linux mailx command allows local users to read user files.","XF:linux-mailx | BUGTRAQ:19951222 mailx-5.5 (slackware /bin/mail) security hole",Modified (20000105-01)," ACCEPT(3) Ozancin, Baker, Frech | NOOP(1) Wall", CVE-1999-0124,Entry,"Vulnerabilities in UMN gopher and gopher+ versions 1.12 and 2.0x allow an intruder to read any files that can be accessed by the gopher daemon.","CERT:CA-93:11.UMN.UNIX.gopher.vulnerability | XF:gopher-vuln",,, CVE-1999-0125,Entry,"Buffer overflow in SGI IRIX mailx program.","XF:sgi-mailx-bo | SGI:19980605-01-PX | URL:ftp://patches.sgi.com/support/free/security/advisories/19980605-01-PX",,, CVE-1999-0126,Entry,"SGI IRIX buffer overflow in xterm and Xaw allows root access.","CERT:VB-98.04.xterm.Xaw | CIAC:J-010 | URL:http://www.ciac.org/ciac/bulletins/j-010.shtml | XF:xfree86-xterm-xaw | XF:xfree86-xaw",,, 
CVE-1999-0127,Candidate,"swinstall and swmodify commands in SD-UX package in HP-UX systems allow local users to create or overwrite arbitrary files to gain root access.","CERT:CA-96.27.hp_sw_install | AUSCERT:AA-96.04 | XF:hpux-swinstall",Proposed (19990623)," ACCEPT(2) Prosser, Baker | MODIFY(1) Frech | NOOP(1) Christey"," Frech> (keep current XF: reference, and add) | XF:hpux-sqwmodify | Christey> Perhaps this should be split, per SF-LOC. | Christey> CIAC:H-81 | http://ciac.llnl.gov/ciac/bulletins/h-81.shtml | HP:HPSBUX9707-064 references CERT:CA-96.27 | http://ciac.llnl.gov/ciac/bulletins/h-81.shtml | | The original AUSCERT advisory says that the programs ""create | files in an insecure manner"" and ""Exploit details involving | this vulnerability have been made publicly available."" which | leads one to assume that the following original Bugtraq post | provides the details for a standard symlink problem: | | BUGTRAQ:19961005 swinst,bug | http://marc.theaimsgroup.com/?l=bugtraq&m=87602167419941&w=2" CVE-1999-0128,Entry,"Oversized ICMP ping packets can result in a denial of service, aka Ping o' Death.","XF:ping-death | CERT:CA-96.26.ping",,, CVE-1999-0129,Entry,"Sendmail allows local users to write to a file and gain group permissions via a .forward or :include: file.","CERT:CA-96.25.sendmail_groups",,, CVE-1999-0130,Entry,"Local users can start Sendmail in daemon mode and gain root privileges.","CERT:CA-96.24.sendmail.daemon.mode | BID:716 | URL:http://www.securityfocus.com/bid/716 | XF:sendmail-daemon-mode",,, CVE-1999-0131,Entry,"Buffer overflow and denial of service in Sendmail 8.7.5 and earlier through GECOS field gives root access to local users.","CERT:CA-96.20.sendmail_vul | XF:smtp-875bo | BID:717 | URL:http://www.securityfocus.com/bid/717",,, CVE-1999-0132,Entry,"Expreserve, as used in vi and ex, allows local users to overwrite arbitrary files and gain root access.","CERT:CA-1996-19 | URL:http://www.cert.org/advisories/CA-1996-19.html | OSVDB:11723 | 
URL:http://www.osvdb.org/11723 | XF:expreserve(401) | URL:http://xforce.iss.net/xforce/xfdb/401",,, CVE-1999-0133,Entry,"fm_fls license server for Adobe Framemaker allows local users to overwrite arbitrary files and gain root access.","CERT:CA-96.18.fm_fls | XF:fmaker-logfile",,, CVE-1999-0134,Entry,"vold in Solaris 2.x allows local users to gain root access.","XF:sol-voldtmp | CERT:CA-96.17.Solaris_vold_vul | AUSCERT:AL-96.04 | OSVDB:8159 | URL:http://www.osvdb.org/8159",,, CVE-1999-0135,Entry,"admintool in Solaris allows a local user to write to arbitrary files and gain root access.","XF:sun-admintool | CERT:CA-96.16.Solaris_admintool_vul | AUSCERT:AL-96.03",,, CVE-1999-0136,Entry,"Kodak Color Management System (KCMS) on Solaris allows a local user to write to arbitrary files and gain root access.","XF:sol-KCMSvuln | AUSCERT:AL-96.02 | CERT:CA-96.15.Solaris_KCMS_vul",,, CVE-1999-0137,Entry,"The dip program on many Linux systems allows local users to gain root access via a buffer overflow.","XF:linux-dipbo | CERT:CA-96.13.dip_vul | XF:dip-bo",,, CVE-1999-0138,Entry,"The suidperl and sperl program do not give up root privileges when changing UIDs back to the original users, allowing root access.","CERT:CA-96.12.suidperl_vul | XF:sperl-suid",,, CVE-1999-0139,Entry,"Buffer overflow in Solaris x86 mkcookie allows local users to obtain root access.","XF:sol-mkcookie | RSI:RSI.0012.12-03-98.SOLARIS.MKCOOKIE | OSVDB:8205 | URL:http://www.osvdb.org/8205",,, CVE-1999-0140,Candidate,"Denial of service in RAS/PPTP on NT systems.","",Proposed (19990630)," ACCEPT(1) Hill | MODIFY(2) Frech, Meunier | NOOP(1) Baker | REJECT(1) Christey"," Meunier> Add ""pptp invalid packet length in header"" to distinguish from other | vulnerabilities in RAS/PPTP on NT systems resulting in DOS, that might be | discovered in the future. | Frech> XF:nt-ras-bo | ONLY IF reference is to MS:MS99-016 | Christey> According to my mappings, this is not the MS:MS99-016 problem | referred to by Andre. 
However, I have yet to dig up a | source. | CHANGE> [Christey changed vote from NOOP to REVIEWING] | CHANGE> [Christey changed vote from REVIEWING to REJECT] | Christey> This is too general to know which problem is being discussed. | More precise candidates should be created. | Christey> Consider adding BID:2111" CVE-1999-0141,Entry,"Java Bytecode Verifier allows malicious applets to execute arbitrary commands as the user of the applet.","XF:http-java-applet | CERT:CA-96.07.java_bytecode_verifier | SUN:00134 | URL:http://sunsolve.sun.com/pub-cgi/retrieve.pl?doctype=coll&doc=secbull/134",,, CVE-1999-0142,Entry,"The Java Applet Security Manager implementation in Netscape Navigator 2.0 and Java Developer's Kit 1.0 allows an applet to connect to arbitrary hosts.","CERT:CA-96.05.java_applet_security_mgr | XF:http-java-appletsecmgr",,, CVE-1999-0143,Entry,"Kerberos 4 key servers allow a user to masquerade as another by breaking and generating session keys.","CERT:CA-96.03.kerberos_4_key_server | XF:kerberos-bf",,, CVE-1999-0144,Candidate,"Denial of service in Qmail by specifying a large number of recipients with the RCPT command.","BUGTRAQ:19970612 qmail-dos-2.c, another denial of service attack | URL:http://marc.theaimsgroup.com/?l=bugtraq&m=87602558319024&w=2 | BUGTRAQ:19970612 Re: Denial of service (qmail-smtpd) | URL:http://marc.theaimsgroup.com/?l=bugtraq&m=87602558319029&w=2 | MISC:http://cr.yp.to/qmail/venema.html | MISC:http://www.ornl.gov/its/archives/mailing-lists/qmail/1997/06/threads.html | BID:2237 | URL:http://www.securityfocus.com/bid/2237 | XF:qmail-rcpt | URL:http://xforce.iss.net/static/208.php",Modified (20010301-02)," ACCEPT(4) Frech, Meunier, Hill, Baker | REVIEWING(1) Christey"," Christey> DUPE CVE-1999-0418 and CVE-1999-0250? 
| Christey> Dan Bernstein, author of Qmail, says that this is not a | vulnerability in qmail because Unix has built-in resource | limits that can restrict the size of a qmail process; other | limits can be specified by the administrator. See | http://cr.yp.to/qmail/venema.html | | Significant discussion of this issue took place on the qmail | list. The fundamental question appears to be whether | application software should set its own limits, or rely | on limits set by the parent operating system (in this case, | UNIX). Also, some people said that the only problem was that | the suggested configuration was not well documented, but this | was refuted by others. | | See the following threads at | http://www.ornl.gov/its/archives/mailing-lists/qmail/1997/06/threads.html | ""Denial of service (qmail-smtpd)"" | ""qmail-dos-2.c, another denial of service"" | ""[PATCH] denial of service"" | ""just another qmail denial-of-service"" | ""the UNIX way"" | ""Time for a reality check"" | | Also see Bugtraq threads on a different vulnerability that | is related to this topic: | BUGTRAQ:19990903 Web servers / possible DOS Attack / mime header flooding | http://archives.neohapsis.com/archives/bugtraq/1998_3/0742.html | Baker> http://cr.yp.to/qmail/venema.html | Bernstein rejects this as a vulnerability, claiming this is a slander campaign by Wietse Venema. | His page states this is not a qmail problem, rather it is a UNIX problem | that many apps can consume all available memory, and that the administrator | is responsible to set limits in the OS, rather than expect applications to | individually prevent memory exhaustion. CAN 1999-0250 does appear to | be a duplicate of this entry, based on the research I have done so far. | There were two different bugtraq postings, but the second one references | the first, stating that the new exploit uses perl instead of shell scripting | to accomplish the same attack/exploit.
| Baker> http://www.securityfocus.com/archive/1/6970 | http://www.securityfocus.com/archive/1/6969 | http://cr.yp.to/qmail/venema.html | | Should probably reject CVE-1999-0250, and add these references to this | Candidate. | Baker> http://www.securityfocus.com/bid/2237 | CHANGE> [Baker changed vote from REVIEWING to ACCEPT] | Christey> qmail-dos-1.c, as published by Wietse Venema (CVE-1999-0250) | in ""BUGTRAQ:19970612 Denial of service (qmail-smtpd)"", does not | use any RCPT commands. Instead, it sends long strings | of ""X"" characters. A followup by ""super@UFO.ORG"" includes | an exploit that claims to do the same thing; however, that | exploit does not send long strings of X characters - it sends | a large number of RCPT commands. It appears that super@ufo.org | followed up to the wrong message. | | NOTE: the ufo.org domain was purchased by another party in | 2003, so the current owner is not associated with any | statements by ""super@ufo.org"" that were made before 2003. | | qmail-dos-2.c, as published by Wietse Venema (CVE-1999-0144) | in ""BUGTRAQ:19970612 qmail-dos-2.c, another denial of service attack"" | sends a large number of RCPT commands. | | ADDREF BID:2237 | ADDREF BUGTRAQ:19970612 qmail-dos-2.c, another denial of service attack | ADDREF BUGTRAQ:19970612 Re: Denial of service (qmail-smtpd) | | Also see a related thread: | BUGTRAQ:19990308 SMTP server account probing | http://marc.theaimsgroup.com/?l=bugtraq&m=92100018214316&w=2 | | This also describes a problem with mail servers not being able | to handle too many ""RCPT TO"" requests. 
A followup message | notes that application-level protection is used in Sendmail | to prevent this: | BUGTRAQ:19990309 Re: SMTP server account probing | http://marc.theaimsgroup.com/?l=bugtraq&m=92101584629263&w=2 | The person further says, ""This attack can easily be | prevented with configuration methods.""" CVE-1999-0145,Entry,"Sendmail WIZ command enabled, allowing root access.","CERT:CA-1990-11 | URL:http://www.cert.org/advisories/CA-1990-11.html | CERT:CA-1993-14 | URL:http://www.cert.org/advisories/CA-1993-14.html | BUGTRAQ:19950206 sendmail wizard thing... | URL:http://www2.dataguard.no/bugtraq/1995_1/0332.html | FarmerVenema:Improving the Security of Your Site by Breaking Into it | URL:http://www.alw.nih.gov/Security/Docs/admin-guide-to-cracking.101.html",,, CVE-1999-0146,Entry,"The campas CGI program provided with some NCSA web servers allows an attacker to execute arbitrary commands via encoded carriage return characters in the query string, as demonstrated by reading the password file.","BUGTRAQ:19970715 Bug CGI campas | BID:1975 | URL:http://www.securityfocus.com/bid/1975 | XF:http-cgi-campas(298) | URL:http://xforce.iss.net/xforce/xfdb/298",,, CVE-1999-0147,Entry,"The aglimpse CGI program of the Glimpse package allows remote execution of arbitrary commands.","XF:http-cgi-glimpse | AUSCERT:AA-97.28",,, CVE-1999-0148,Entry,"The handler CGI program in IRIX allows arbitrary command execution.","SGI:19970501-02-PX | URL:ftp://patches.sgi.com/support/free/security/advisories/19970501-02-PX | BID:380 | URL:http://www.securityfocus.com/bid/380 | XF:http-sgi-handler",,, CVE-1999-0149,Entry,"The wrap CGI program in IRIX allows remote attackers to view arbitrary directory listings via a .. 
(dot dot) attack.","BUGTRAQ:19970420 IRIX 6.x /cgi-bin/wrap bug | SGI:19970501-02-PX | URL:ftp://patches.sgi.com/support/free/security/advisories/19970501-02-PX | BID:373 | URL:http://www.securityfocus.com/bid/373 | OSVDB:247 | URL:http://www.osvdb.org/247 | XF:http-sgi-wrap(290) | URL:http://xforce.iss.net/xforce/xfdb/290",,, CVE-1999-0150,Entry,"The Perl fingerd program allows arbitrary command execution from remote users.","XF:perl-fingerd",,, CVE-1999-0151,Entry,"The SATAN session key may be disclosed if the user points the web browser to other sites, possibly allowing root access.","CERT:CA-95.07a.REVISED.satan.vul | CERT:CA-95.06.satan.vul",,, CVE-1999-0152,Entry,"The DG/UX finger daemon allows remote command execution through shell metacharacters.","BUGTRAQ:19970811 dgux in.fingerd vulnerability | XF:dgux-fingerd",,, CVE-1999-0153,Entry,"Windows 95/NT out of band (OOB) data denial of service through NETBIOS port, aka WinNuke.","XF:win-oob | OSVDB:1666 | URL:http://www.osvdb.org/1666",,, CVE-1999-0154,Candidate,"IIS 2.0 and 3.0 allows remote attackers to read the source code for ASP pages by appending a . (dot) to the end of the URL.","MSKB:Q163485 | MSKB:Q164059 | BUGTRAQ:19970220 ! [ADVISORY] Major Security Hole in MS ASP | XF:http-iis-aspdot | XF:http-iis-aspsource",Proposed (20010912)," ACCEPT(4) Frech, Stracener, Wall, Foat | NOOP(3) Christey, Baker, Cole"," Christey> This is the precursor to the problem that is identified in | CVE-1999-0253. 
| Christey> CIAC:H-48 | URL:http://ciac.llnl.gov/ciac/bulletins/h-48.shtml | CHANGE> [Foat changed vote from NOOP to ACCEPT]" CVE-1999-0155,Entry,"The ghostscript command with the -dSAFER option allows remote attackers to execute commands.","XF:gscript-dsafer | CERT:CA-95.10.ghostscript",,, CVE-1999-0156,Candidate,"wu-ftpd FTP daemon allows any user and password combination.","XF:ftp-pwless",Proposed (19990714)," ACCEPT(2) Shostack, Northcutt | NOOP(1) Baker | RECAST(1) Frech | REVIEWING(2) Christey, Prosser"," Prosser> but so far can find no reference to this one | Frech> Our records indicate that this does not necessarily affect just wu-ftp (i.e., | also affects IIS FTP server). | Christey> The references for XF:ftp-pwless are not specific enough, | e.g. in terms of version numbers. Perhaps this candidate | should be rejected due to insufficient information." CVE-1999-0157,Entry,"Cisco PIX firewall and CBAC IP fragmentation attack results in a denial of service.","CISCO:http://www.cisco.com/warp/public/770/nifrag.shtml | XF:cisco-fragmented-attacks | OSVDB:1097 | URL:http://www.osvdb.org/1097",,, CVE-1999-0158,Entry,"Cisco PIX firewall manager (PFM) on Windows NT allows attackers to connect to port 8080 on the PFM server and retrieve any file whose name and location is known.","CISCO:20010913 Cisco PIX Firewall Manager File Exposure | URL:http://www.cisco.com/warp/public/770/pixmgrfile-pub.shtml | XF:cisco-pix-file-exposure | OSVDB:685 | URL:http://www.osvdb.org/685",,, CVE-1999-0159,Entry,"Attackers can crash a Cisco IOS router or device, provided they can get to an interactive prompt (such as a login).
This applies to some IOS 9.x, 10.x, and 11.x releases.","CISCO:http://www.cisco.com/warp/public/770/ioslogin-pub.shtml | XF:cisco-ios-crash",,, CVE-1999-0160,Entry,"Some classic Cisco IOS devices have a vulnerability in the PPP CHAP authentication to establish unauthorized PPP connections.","CISCO:19971001 Vulnerabilities in Cisco CHAP Authentication | CIAC:I-002A | OSVDB:1099 | URL:http://www.osvdb.org/1099 | XF:cisco-chap",,, CVE-1999-0161,Entry,"In Cisco IOS 10.3, with the tacacs-ds or tacacs keyword, an extended IP access control list could bypass filtering.","CISCO:http://www.cisco.com/warp/public/707/1.html | XF:cisco-acl-tacacs | OSVDB:797 | URL:http://www.osvdb.org/797",,, CVE-1999-0162,Entry,"The ""established"" keyword in some Cisco IOS software allowed an attacker to bypass filtering.","CISCO:19950601 ""Established"" Keyword May Allow Packets to Bypass Filter | XF:cisco-acl-established",,, CVE-1999-0163,Candidate,"In older versions of Sendmail, an attacker could use a pipe character to execute root commands.","XF:smtp-pipe",Proposed (19990714)," ACCEPT(2) Frech, Northcutt | MODIFY(1) Prosser | NOOP(2) Christey, Baker | RECAST(1) Shostack"," Shostack> there was a 'To: |' and a 'From: |' attack, which I | think are separate.
| Prosser> older vulnerability, but one additional reference is- | The Ultimate Sendmail Hole List by Markus Hübner @ | bau2.uibk.ac.at/matic/buglist.htm | '|PROGRAM ' | Christey> Description needs to be more specific to distinguish between | this and CVE-1999-0203, as alluded to by Adam Shostack" CVE-1999-0164,Entry,"A race condition in the Solaris ps command allows an attacker to overwrite critical files.","XF:sol-pstmprace | AUSCERT:AA-95.07 | CERT:CA-95.09.Solaris.ps.vul | OSVDB:8346 | URL:http://www.osvdb.org/8346",,, CVE-1999-0165,Candidate,"NFS cache poisoning.","XF:nfs-cache",Modified (20040811)," ACCEPT(3) Frech, Northcutt, Baker | MODIFY(1) Shostack | NOOP(1) Prosser | REVIEWING(1) Christey"," Shostack> need more data | Christey> need more refs | Christey> Add period to the end of the description." CVE-1999-0166,Entry,"NFS allows users to use a ""cd .."" command to access other directories besides the exported file system.","XF:nfs-cd",,, CVE-1999-0167,Entry,"In SunOS, NFS file handles could be guessed, giving unauthorized access to the exported file system.","XF:nfs-guess | CERT:CA-91.21.SunOS.NFS.Jumbo.and.fsirand",,, CVE-1999-0168,Entry,"The portmapper may act as a proxy and redirect service requests from an attacker, making the request appear to come from the local host, possibly bypassing authentication that would otherwise have taken place. For example, NFS file systems could be mounted through the portmapper despite export restrictions.","XF:nfs-portmap",,, CVE-1999-0169,Candidate,"NFS allows attackers to read and write any file on the system by specifying a false UID.","XF:nfs-uid",Proposed (19990714)," ACCEPT(2) Frech, Northcutt | MODIFY(1) Baker | REJECT(1) Shostack"," Shostack> this is not a vulnerability but a design feature. 
| Baker> Maybe we should reword it so that it is clear that this was a problem to something like: | | ""A remote attacker could read/write files to the system with root-level permissions on NFS servers that fail to properly check the UID.""" CVE-1999-0170,Entry,"Remote attackers can mount an NFS file system in Ultrix or OSF, even if it is denied on the access list.","XF:nfs-ultrix",,, CVE-1999-0171,Candidate,"Denial of service in syslog by sending it a large number of superfluous messages.","XF:syslog-flood",Proposed (19990714)," ACCEPT(2) Frech, Northcutt | NOOP(1) Baker | REJECT(2) Shostack, Christey"," Shostack> design issue, not a vulnerability. Alternately, add: | DOS on server by opening a large number of telnet sessions.. | Christey> Duplicate of CVE-1999-0566" CVE-1999-0172,Entry,"FormMail CGI program allows remote execution of commands.","XF:http-cgi-formmail-exe | BUGTRAQ:Aug02,1995",,, CVE-1999-0173,Entry,"FormMail CGI program can be used by web servers other than the host server that the program resides on.","XF:http-cgi-formmail-use",,, CVE-1999-0174,Entry,"The view-source CGI program allows remote attackers to read arbitrary files via a .. 
(dot dot) attack.","BUGTRAQ:19970208 view-source | XF:http-cgi-viewsrc",,, CVE-1999-0175,Entry,"The convert.bas program in the Novell web server allows remote attackers to read any file on the system that is internally accessible by the web server.","XF:http-nov-convert",,, CVE-1999-0176,Entry,"The Webgais program allows a remote user to execute arbitrary commands.","BUGTRAQ:Jul10,1997 | XF:http-webgais-query",,, CVE-1999-0177,Entry,"The uploader program in the WebSite web server allows a remote attacker to execute arbitrary programs.","NTBUGTRAQ:19970904 [Alert] Website's uploader.exe (from demo) vulnerable | NTBUGTRAQ:19970905 Re: FW: [Alert] Website's uploader.exe (from demo) vulnerable | BUGTRAQ:19970904 [Alert] Website's uploader.exe (from demo) vulnerable | XF:http-website-uploader",,, CVE-1999-0178,Entry,"Buffer overflow in the win-c-sample program (win-c-sample.exe) in the WebSite web server 1.1e allows remote attackers to execute arbitrary code via a long query string.","BUGTRAQ:19970106 Re: signal handling | URL:http://archives.neohapsis.com/archives/bugtraq/1997_1/0021.html | BID:2078 | URL:http://www.securityfocus.com/bid/2078 | OSVDB:8 | URL:http://www.osvdb.org/8 | XF:http-website-winsample(295) | URL:http://xforce.iss.net/xforce/xfdb/295",,, CVE-1999-0179,Entry,"Windows NT crashes or locks up when a Samba client executes a ""cd .."" command on a file share.","MSKB:Q140818 | URL:http://support.microsoft.com/default.aspx?scid=kb;[LN];Q140818 | XF:nt-samba-dotdot | XF:nt-351 | XF:nt-35",,, CVE-1999-0180,Entry,"in.rshd allows users to login with a NULL username and execute commands.","XF:rsh-null",,, CVE-1999-0181,Entry,"The wall daemon can be used for denial of service, social engineering attacks, or to execute remote commands.","XF:walld",,, CVE-1999-0182,Entry,"Samba has a buffer overflow which allows a remote attacker to obtain root access by specifying a long password.","CIAC:H-110 | URL:http://www.ciac.org/ciac/bulletins/h-110.shtml |
CERT:VB-97.10.samba | XF:nt-samba-bo",,, CVE-1999-0183,Entry,"Linux implementations of TFTP would allow access to files outside the restricted directory.","XF:linux-tftp",,, CVE-1999-0184,Entry,"When compiled with the -DALLOW_UPDATES option, bind allows dynamic updates to the DNS server, allowing for malicious modification of DNS records.","XF:dns-updates",,, CVE-1999-0185,Entry,"In SunOS or Solaris, a remote user could connect from an FTP server's data port to an rlogin server on a host that trusts the FTP server, allowing remote command execution.","SUN:00156 | URL:http://sunsolve.sun.com/pub-cgi/retrieve.pl?doctype=coll&doc=secbull/156 | XF:sun-ftpd/logind",,, CVE-1999-0186,Candidate,"In Solaris, an SNMP subagent has a default community string that allows remote attackers to execute arbitrary commands as root, or modify system parameters.","CONFIRM:http://support.novell.com/cgi-bin/search/searchtid.cgi?/10080762.htm | SUN:00178 | XF:snmp-backdoor-access",Modified (20071119)," ACCEPT(2) Dik, Baker | MODIFY(1) Frech | NOOP(1) Wall | REVIEWING(1) Christey"," Frech> Change XF:snmp-backdoor-access to XF:sol-hidden-commstr | Add ISS:Hidden Community String in SNMP Implementation | Christey> What is the proper level of abstraction to use here? Should | we have a separate entry for each different default community | string? See: | http://cve.mitre.org/Board_Sponsors/archives/msg00242.html and | http://cve.mitre.org/Board_Sponsors/archives/msg00250.html | http://cve.mitre.org/Board_Sponsors/archives/msg00251.html | | Until the associated content decisions have been approved | by the Editorial Board, this candidate cannot be accepted | for inclusion in CVE. | Christey> ADDREF BID:177 | Christey> ISS:19981102 Hidden community string in SNMP implementation | http://xforce.iss.net/alerts/advise11.php | | Change description to include ""hidden"" | Christey> XF:snmp-backdoor-access is missing." CVE-1999-0187,Candidate,"** REJECT ** DO NOT USE THIS CANDIDATE NUMBER. 
ConsultIDs: CVE-1999-0022. Reason: This candidate is a duplicate of CVE-1999-0022. Notes: All CVE users should reference CVE-1999-0022 instead of this candidate. All references and descriptions in this candidate have been removed to prevent accidental usage.","",Modified (20050204)," ACCEPT(2) Hill, Northcutt | RECAST(3) Frech, Prosser, Baker | REJECT(1) Dik | REVIEWING(1) Christey"," Prosser> The Sun Patches in Ref roll-up fixes for an earlier BO in | rdist lookup() (ref CERT 96.14) as well as the BO in rdist function expstr() | (ref CERT 97-23) and various vendor bulletins. However both of these rdist | BO's affect many more OSs than just Sun, i.e., BSD/OS 2.1, DEC OSF's, AIX, | FreeBSD, SCO, SGI, etc. Believe this falls into the SF-codebase content | decision | Frech> XF:rdist-bo (error msg formation) | XF:rdist-bo2 (execute code) | XF:rdist-bo3 (execute user-created code) | XF:rdist-sept97 (root from local) | Christey> Duplicate of CVE-1999-0022 (SUN:00179 is referenced in | CERT:CA-97.23.rdist), but as Mike and Andre noted, there | are multiple flaws here, so a RECAST may be necessary. | Dik> As currently phrased, this is a duplicate of CVE-1999-0022 | Baker> Based on our new philosophy, this should be recast/merged or re-described." 
CVE-1999-0188,Entry,"The passwd command in Solaris can be subjected to a denial of service.","SUN:00182 | URL:http://sunsolve.sun.com/pub-cgi/retrieve.pl?doctype=coll&doc=secbull/182 | XF:sun-passwd-dos",,, CVE-1999-0189,Entry,"Solaris rpcbind listens on a high numbered UDP port, which may not be filtered since the standard port number is 111.","NAI:NAI-15 | SUN:00142 | URL:http://sunsolve.sun.com/pub-cgi/retrieve.pl?doctype=coll&doc=secbull/142 | XF:rpc-32771",,, CVE-1999-0190,Entry,"Solaris rpcbind can be exploited to overwrite arbitrary files and gain root access.","SUN:00167 | URL:http://sunsolve.sun.com/pub-cgi/retrieve.pl?doctype=coll&doc=secbull/167 | XF:sun-rpcbind",,, CVE-1999-0191,Entry,"IIS newdsn.exe CGI script allows remote users to overwrite files.","XF:http-cgi-newdsn | OSVDB:275 | URL:http://www.osvdb.org/275",,, CVE-1999-0192,Entry,"Buffer overflow in telnet daemon tgetent routine allows remote attackers to gain root access via the TERMCAP environment variable.","SNI:SNI-20 | XF:bsd-tel-tgetent",,, CVE-1999-0193,Candidate,"Denial of service in Ascend and 3com routers, which can be rebooted by sending a zero length TCP option.","",Proposed (19990714)," ACCEPT(5) Shostack, Bishop, Ozancin, Northcutt, Cole | MODIFY(2) Blake, Baker | NOOP(4) Frech, Wall, Landfield, Armstrong | REVIEWING(2) Levy, Christey"," Frech> possibly XF:ascend-kill | I can't find a reference that lists both routers in the same reference. | Wall> Comment: There is a reference about the zero length TCP option in BugTraq on | Feb 5, 1999 | and it mentions Cisco, but not directly Ascend or 3Com. CIAC Advisory I-038 | mentions | vulnerabilities in Ascend, but does not mention TCP. CIAC Advisory I-052 | mentions | 3Com vulnerabilities, but not TCP. Too confusing without better references. | Landfield> What are the references for this ? I cannot find a means to check it out. 
| CHANGE> [Frech changed vote from REVIEWING to NOOP] | Frech> Cannot reconcile to our database without further references. | Blake> I'm with Andre. I only remember and can find reference to the Ascend | issue. Do we have a reference to the 3Coms? If not, that should be | removed from the description. | Baker> http://xforce.iss.net/static/614.php Misc Defensive Info | http://www.securityfocus.com/archive/1/5682 Misc Offensive Info | http://www.securityfocus.com/archive/1/5647 Misc Defensive Info | http://www.securityfocus.com/archive/1/5640 Misc Defensive Info | CHANGE> [Armstrong changed vote from REVIEWING to NOOP]" CVE-1999-0194,Entry,"Denial of service in in.comsat allows attackers to generate messages.","XF:comsat",,, CVE-1999-0195,Candidate,"Denial of service in RPC portmapper allows attackers to register or unregister RPC services or spoof RPC services using a spoofed source IP address such as 127.0.0.1.","BUGTRAQ:19990128 rpcbind: deceive, enveigle and obfuscate",Modified (19991130-01)," ACCEPT(2) Shostack, Balinsky | MODIFY(1) Frech | NOOP(3) Northcutt, Wall, Baker | REVIEWING(2) Levy, Christey"," Frech> XF:rpcbind-spoof | Christey> CVE-1999-0195 = CVE-1999-0461 ? | If this is approved over CVE-1999-0461, make sure it gets | XF:pmap-sset" CVE-1999-0196,Entry,"websendmail in Webgais 1.0 allows a remote user to access arbitrary files and execute arbitrary code via the receiver parameter ($VAR_receiver variable).","BUGTRAQ:19970704 Vulnerability in websendmail | BID:2077 | URL:http://www.securityfocus.com/bid/2077 | OSVDB:237 | URL:http://www.osvdb.org/237 | XF:http-webgais-smail",,, CVE-1999-0197,Candidate,"finger 0@host on some systems may print information on some user accounts.","",Proposed (19990726)," ACCEPT(1) Baker | MODIFY(2) Frech, Shostack | REJECT(1) Northcutt"," Shostack> fingerd may respond to 'finger 0@host' with account info | Frech> Need more reference to establish this 'exposure'. 
| CHANGE> [Frech changed vote from REVIEWING to MODIFY] | Frech> XF:finger-unused-accounts(8378) | We're entering it into our database solely to track | competition. The only references seem to be product listings: | http://hq.mcafeeasap.com/vulnerabilities/vuln_data/1000.asp (1002 | Finger 0@host check) | http://www.ipnsa.com/ipnsa_vuln.htm?step=1000 (Finger 0@host check) | http://cgi.nessus.org/plugins/dump.php3?id=10069 (Finger zero at host | feature)" CVE-1999-0198,Candidate,"finger .@host on some systems may print information on some user accounts.","",Proposed (19990726)," ACCEPT(1) Baker | MODIFY(2) Frech, Shostack | REJECT(1) Northcutt"," Shostack> as above | Frech> Need more reference to establish this 'exposure'. | CHANGE> [Frech changed vote from REVIEWING to MODIFY] | Frech> XF:finger-unused-accounts(8378) | We're entering it into our database solely to track | competition. The only references seem to be product listings: | http://hq.mcafeeasap.com/vulnerabilities/vuln_data/1000.asp (1004 | Finger .@target-host check) | http://www.ipnsa.com/ipnsa_vuln.htm?step=1000 (Finger .@target-host | check) | http://cgi.nessus.org/plugins/dump.php3?id=10072 (Finger dot at host | feature)" CVE-1999-0200,Candidate,"Windows NT FTP server (WFTP) with the guest account enabled without a password allows an attacker to log into the FTP server using any username and password.","MSKB:Q137853",Modified (19991130-01)," ACCEPT(1) Baker | MODIFY(2) Frech, Shostack | NOOP(2) Northcutt, Wall | REJECT(1) Christey | REVIEWING(1) Levy"," Shostack> WFTP is not sufficient; is this wu-, ws-, war-, or another? | Frech> Others have mentioned this before, but it may be WU-FTP. | POSSIBLY XF:ftp-exec; does this have to do with the Site Exec allowing root | access without anon FTP or a regular account? | POSSIBLY XF:wu-ftpd-exec;same as above conditions, but instead from a | non-anon FTP account and gain root privs. 
| Christey> added MSKB reference | CHANGE> [Christey changed vote from REVOTE to REJECT] | Christey> The MSKB article may have confused things even more. There | were reports of problems in a Windows-based FTP server called | WFTP (http://www.wftpd.com/) that is not a Microsoft FTP | server. It's best to just kill this candidate where it | stands and start fresh." CVE-1999-0201,Entry,"A quote cwd command on FTP servers can reveal the full path of the home directory of the ""ftp"" user.","XF:ftp-home",,, CVE-1999-0202,Entry,"The GNU tar command, when used in FTP sessions, may allow an attacker to execute arbitrary commands.","XF:ftp-exectar",,, CVE-1999-0203,Entry,"In Sendmail, attackers can gain root privileges via SMTP by specifying an improper ""mail from"" address and an invalid ""rcpt to"" address that would cause the mail to bounce to a program.","CERT:CA-95.08 | CIAC:E-03 | XF:smtp-sendmail-version5",,, CVE-1999-0204,Entry,"Sendmail 8.6.9 allows remote attackers to execute root commands, using ident.","XF:ident-bo | CIAC:F-13",,, CVE-1999-0205,Candidate,"Denial of service in Sendmail 8.6.11 and 8.6.12.","BUGTRAQ:19990708 SM 8.6.12",Modified (19990925-01)," ACCEPT(2) Hill, Northcutt | MODIFY(2) Frech, Prosser | NOOP(1) Baker | REVIEWING(2) Ozancin, Christey"," Frech> XF:sendmail-alias-dos | Prosser> additional source | Bugtraq | ""Re: SM 8.6.12"" | http://www.securityfocus.com | Christey> The Bugtraq thread does not provide any proof, including a | comment by Eric Allman that he hadn't been provided any | details either. | | See http://www.securityfocus.com/templates/archive.pike?list=1&date=1995-07-8&thread=199507131402.KAA02492@bedbugs.net.ohio-state.edu | for the thread. | Christey> Change Bugtraq reference date to 19950708." 
CVE-1999-0206,Entry,"MIME buffer overflow in Sendmail 8.8.0 and 8.8.1 gives root access.","XF:sendmail-mime-bo | AUSCERT:AA-96.06a",,, CVE-1999-0207,Entry,"Remote attacker can execute commands through Majordomo using the Reply-To field and a ""lists"" command.","XF:majordomo-exe | CERT:CA-94.11.majordomo.vulnerabilities",,, CVE-1999-0208,Entry,"rpc.ypupdated (NIS) allows remote users to execute arbitrary commands.","XF:rpc-update | CERT:CA-95.17.rpc.ypupdated.vul",,, CVE-1999-0209,Entry,"The SunView (SunTools) selection_svc facility allows remote users to read files.","CERT:CA-90.05.sunselection.vulnerability | BID:8 | URL:http://www.securityfocus.com/bid/8 | XF:selsvc",,, CVE-1999-0210,Entry,"Automount daemon automountd allows local or remote users to gain privileges via shell metacharacters.","BUGTRAQ:19971126 Solaris 2.5.1 automountd exploit (fwd) | URL:http://marc.theaimsgroup.com/?l=bugtraq&m=88053459921223&w=2 | BUGTRAQ:19990103 SUN almost has a clue! (automountd) | URL:http://marc.theaimsgroup.com/?l=bugtraq&m=91547759121289&w=2 | HP:HPSBUX9910-104 | URL:http://www1.itrc.hp.com/service/cki/docDisplay.do?docId=HPSBUX9910-104 | CERT:CA-99-05 | URL:http://www.cert.org/advisories/CA-99-05-statd-automountd.html | BID:235 | URL:http://www.securityfocus.com/bid/235",,, CVE-1999-0211,Entry,"Extra long export lists over 256 characters in some mount daemons allows NFS directories to be mounted by anyone.","CERT:CA-94.02.REVISED.SunOS.rpc.mountd.vulnerability | BID:24 | URL:http://www.securityfocus.com/bid/24",,, CVE-1999-0212,Entry,"Solaris rpc.mountd generates error messages that allow a remote attacker to determine what files are on the server.","SUN:00168 | URL:http://sunsolve.sun.com/pub-cgi/retrieve.pl?doctype=coll&doc=secbull/168 | CIAC:I-048 | URL:http://www.ciac.org/ciac/bulletins/i-048.shtml | XF:sun-mountd",,, CVE-1999-0213,Candidate,"libnsl in Solaris allowed an attacker to perform a denial of service of rpcbind.","XF:sun-libnsl | SUNBUG:4305859",Modified 
(20001009-01)," ACCEPT(6) Dik, Ozancin, Hill, Blake, Landfield, Cole | MODIFY(3) Frech, Levy, Baker | NOOP(4) Bishop, Meunier, Wall, Armstrong | REVIEWING(1) Christey"," Frech> XF:sun-libnsl | Dik> Sun bug #4305859 | Baker> http://xforce.iss.net/static/1204.php Misc Defensive Info | http://sunsolve.sun.com/pub-cgi/retrieve.pl?doctype=coll&doc=secbull/172&type=0&nav=sec.sba Vendor Info | http://www-1.ibm.com/services/continuity/recover1.nsf/advisories/A1050E354364BF498525680F0077E414/$file/ERS-OAR-E01-1998_074_1.txt Vendor Info | http://www.securityfocus.com/archive/1/9749 Misc Defensive Info | Christey> I don't think this is the bug that everyone thinks it is. | This candidate came from CyberCop Scanner 2.4/2.5, which | only reports this as a DoS problem. If SUN:00172 is an | advisory for this, then it may be a duplicate of | CVE-1999-0055. There appears to be overlap with other | references as well. HOWEVER, this particular one deals with a | DoS in rpcbind - which isn't mentioned in the sources for | CVE-1999-0055. | Levy> BID 148" CVE-1999-0214,Entry,"Denial of service by sending forged ICMP unreachable packets.","XF:icmp-unreachable",,, CVE-1999-0215,Entry,"Routed allows attackers to append data to files.","SGI:19981004-01-PX | URL:ftp://patches.sgi.com/support/free/security/advisories/19981004-01-PX | CIAC:J-012 | URL:http://www.ciac.org/ciac/bulletins/j-012.shtml | XF:ripapp",,, CVE-1999-0216,Candidate,"Denial of service of inetd on Linux through SYN and RST packets.","BUGTRAQ:19971130 Linux inetd.. | XF:linux-inetd-dos | HP:HPSBUX9803-077 | XF:hp-inetd",Modified (19991203-01)," ACCEPT(1) Hill | MODIFY(2) Frech, Baker | RECAST(1) Meunier"," Meunier> The location of the vulnerability, whether in the Linux kernel or the | application, is debatable. 
Any program making the same (reasonable) | assumption is vulnerable, i.e., implements the same vulnerability: | ""Assumption that TCP-three-way handshake is complete after calling Linux | kernel function accept(), which returns socket after getting SYN. Result | is process death by SIGPIPE"" | Moreover, whether it results in DOS (to third parties) depends on the | process that made the assumption. | I think that the present entry should be split, one entry for every | application that implements the vulnerability (really describing threat | instances, which is what other people think about when we talk about | vulnerabilities), and one entry for the Linux kernel that allows the | vulnerability to happen. | Frech> XF:hp-inetd | XF:linux-inetd-dos | Baker> Since we have an hpux bulletin, the description should not specifically say Linux, should it? It applies to multiple OS and should be likely either modified, or in extreme case, recast" CVE-1999-0217,Entry,"Malicious option settings in UDP packets could force a reboot in SunOS 4.1.3 systems.","XF:udp-bomb",,, CVE-1999-0218,Entry,"Livingston portmaster machines could be rebooted via a series of commands.","XF:portmaster-reboot",,, CVE-1999-0219,Entry,"Buffer overflow in FTP Serv-U 2.5 allows remote authenticated users to cause a denial of service (crash) via a long (1) CWD or (2) LS (list) command.","NTBUGTRAQ:19990503 Buffer overflows in FTP Serv-U 2.5 | URL:http://marc.theaimsgroup.com/?l=ntbugtraq&m=92574916930144&w=2 | NTBUGTRAQ:19990504 Re: Buffer overflows in FTP Serv-U 2.5 | URL:http://marc.theaimsgroup.com/?l=ntbugtraq&m=92582581330282&w=2 | BUGTRAQ:19990909 Exploit: Serv-U Ver2.5 FTPd Win9x/NT | BID:269 | URL:http://www.securityfocus.com/bid/269 | XF:ftp-servu(205) | URL:http://xforce.iss.net/xforce/xfdb/205",,, CVE-1999-0220,Candidate,"Attackers can do a denial of service of IRC by crashing the server.","",Proposed (19990728)," NOOP(2) Northcutt, Baker | REJECT(2) Frech, Christey"," Frech> Would 
reconsider if any references were available. | Christey> No references available, combined with extremely vague | description, equals REJECT." CVE-1999-0221,Entry,"Denial of service of Ascend routers through port 150 (remote administration).","XF:ascend-150-kill",,, CVE-1999-0222,Candidate,"Denial of service in Cisco IOS web server allows attackers to reboot the router using a long URL.","",Proposed (19990714)," ACCEPT(1) Baker | MODIFY(3) Frech, Shostack, Levy | NOOP(3) Balinsky, Northcutt, Wall | RECAST(1) Ziese | REJECT(1) Christey"," Shostack> I follow cisco announcements and problems pretty closely, and haven't | seen this. Source? | Frech> XF:cisco-web-crash | Christey> XF:cisco-web-crash has no additional references. I can't find | any references in Bugtraq or Cisco either. This bug is | supposedly tested by at least one security product, but that | product's database doesn't have any references either. So | a question becomes, how did it make it into at least two | security companies' databases? | Levy> BUGTRAQ: http://www.securityfocus.com/archive/1/60159 | BID 1154 | Ziese> The vulnerability is addressed by a vendor acknowledgement. This one, if | recast to reflect that ""...after using a long url..."" should be replaced | with | ""...A defect in multiple releases of Cisco IOS software will cause a Cisco | router or switch to halt and reload if the IOS HTTP service is enabled, | browsing to ""http://router-ip/anytext?/"" is attempted, and the enable | password is supplied when requested. This defect can be exploited to produce | a denial of service (DoS) attack."" | Then I can accept this and mark it as ""Verified by my Company"". If it can't | be recast because this (long uri) is different than our release (special | url construction). | CHANGE> [Christey changed vote from REVIEWING to REJECT] | Christey> Elias Levy's suggested reference is CVE-2000-0380. | I don't think that Kevin's description is really addressing | this either. 
The lack of references and a specific | description make this candidate unusable, so it should be | rejected." CVE-1999-0223,Entry,"Solaris syslogd crashes when receiving a message from a host that doesn't have an inverse DNS entry.","BUGTRAQ:19961109 Syslogd and Solaris 2.4 | SUNBUG:1249320 | CONFIRM:http://sunsolve.Sun.COM/pub-cgi/retrieve.pl?patchid=103291&collection=fpatches | XF:sol-syslogd-crash | BID:1878 | URL:http://www.securityfocus.com/bid/1878",,, CVE-1999-0224,Entry,"Denial of service in Windows NT messenger service through a long username.","XF:nt-messenger",,, CVE-1999-0225,Entry,"Windows NT 4.0 allows remote attackers to cause a denial of service via a malformed SMB logon request in which the actual data size does not match the specified size.","NAI:19980214 Windows NT Logon Denial of Service | URL:http://www.nai.com/nai_labs/asp_set/advisory/25_windows_nt_dos_adv.asp | MSKB:Q180963 | URL:http://www.microsoft.com/technet/support/kb.asp?ID=180963 | XF:nt-logondos",,, CVE-1999-0226,Candidate,"Windows NT TCP/IP processes fragmented IP packets improperly, causing a denial of service.","",Proposed (19990728)," ACCEPT(1) Northcutt | MODIFY(1) Frech | NOOP(1) Baker | REJECT(1) Christey"," Christey> Too general, and no references. 
| Frech> XF:nt-frag(528) | See reference from BugTraq Mailing List, ""A New Fragmentation Attack"" at | http://www.securityfocus.com/templates/archive.pike?list=1&date=1997-07-8&ms | g=Pine.SUN.3.94.970710054440.11707A-100000@dfw.dfw.net" CVE-1999-0227,Entry,"Access violation in LSASS.EXE (LSA/LSARPC) program in Windows NT allows a denial of service.","MSKB:Q154087 | URL:http://support.microsoft.com/default.aspx?scid=kb;[LN];Q154087 | XF:nt-lsass-crash",,, CVE-1999-0228,Entry,"Denial of service in RPCSS.EXE program (RPC Locator) in Windows NT.","XF:nt-rpc-ver | MSKB:Q162567 | URL:http://support.microsoft.com/default.aspx?scid=kb;[LN];Q162567",,, CVE-1999-0229,Candidate,"Denial of service in Windows NT IIS server using ..\..","MSKB:Q115052",Modified (19991228-02)," ACCEPT(2) Shostack, Baker | MODIFY(2) Frech, Wall | NOOP(1) Northcutt | REJECT(1) Christey | REVIEWING(1) Levy"," Wall> Denial of service in Windows NT IIS Server 1.0 using ..\... | Source: Microsoft Knowledge Base Article Q115052 - IIS Server. | Frech> XF:http-dotdot (not necessarily IIS?) | Christey> DELREF XF:http-dotdot - it deals with a read/access dot dot | problem. | Christey> This actually looks like XF:iis-dot-dot-crash(1638) | http://xforce.iss.net/static/1638.php | If so, include the version number (2.0) | | CHANGE> [Christey changed vote from REVOTE to REJECT] | Christey> Bill Wall intended to suggest Q155052, but the affected | IIS version there is 1.0; the effect is to read files, | so this sounds like a directory traversal problem, | instead of an inability to process certain strings. | | As a result, this candidate is too general, since it could | apply to 2 different problems, so it should be REJECTed. 
| Christey> Consider adding BID:2218" CVE-1999-0230,Entry,"Buffer overflow in Cisco 7xx routers through the telnet service.","CISCO:http://www.cisco.com/warp/public/770/pwbuf-pub.shtml | OSVDB:1102 | URL:http://www.osvdb.org/1102",,, CVE-1999-0231,Candidate,"Buffer overflow in IP-Switch IMail and Seattle Labs Slmail 2.6 packages using a long VRFY command, causing a denial of service and possibly remote access.","BUGTRAQ:19990317 Re: SLMail 2.6 DoS - Imail also",Modified (19991207-01)," ACCEPT(2) Levy, Baker | NOOP(3) Christey, Northcutt, Landfield | RECAST(1) Frech | REVIEWING(1) Ozancin"," Frech> XF:slmail-vrfyexpn-overflow (for Slmail v3.2 and below) | XF:smtp-vrfy-bo (many mail packages) | Northcutt> (There is no way I will have access to these systems) | Christey> Some sources report that VRFY and EXPN are both affected." CVE-1999-0232,Candidate,"Buffer overflow in NCSA WebServer (version 1.5c) gives remote access.","",Modified (19991220-01)," ACCEPT(2) Hill, Northcutt | MODIFY(1) Frech | NOOP(1) Prosser | REJECT(1) Baker | REVIEWING(1) Christey"," Frech> Unable to provide a match due to vague/insufficient description/references. | Possible matches are: | XF:ftp-ncsa (probably not, considering you've mentioned the webserver.) | XF:http-ncsa-longurl (highest probability) | Christey> CVE-1999-0235 is the one associated with XF:http-ncsa-longurl | More research is necessary for this one. 
| Baker> Since this has no references at all, and is vague and we have a | CAN for the most likely issue, we should kill this one" CVE-1999-0233,Entry,"IIS 1.0 allows users to execute arbitrary commands using .bat or .cmd files.","MSKB:Q148188 | URL:http://support.microsoft.com/default.aspx?scid=kb;[LN];Q148188 | MSKB:Q155056 | URL:http://support.microsoft.com/default.aspx?scid=kb;[LN];Q155056 | XF:http-iis-cmd",,, CVE-1999-0234,Entry,"Bash treats any character with a value of 255 as a command separator.","XF:bash-cmd | CERT:CA-96.22.bash_vuls",,, CVE-1999-0235,Candidate,"Buffer overflow in NCSA WebServer (1.4.1 and below) gives remote access.","CERT:CA-95:04 | CIAC:F-11",Modified (19991220-01)," ACCEPT(3) Hill, Prosser, Northcutt | MODIFY(1) Frech | REJECT(2) Christey, Baker"," Frech> XF:http-ncsa-longurl | Christey> CVE-1999-0235 has the same ref's as CVE-1999-0267 | Baker> Not to mention, the X-force listings of http-ncsa-longurl and http-port both | refer to the same problem. This should be rejected as 1999-0267 is the same problem." CVE-1999-0236,Entry,"ScriptAlias directory in NCSA and Apache httpd allowed attackers to read CGI programs.","XF:http-scriptalias",,, CVE-1999-0237,Entry,"Remote execution of arbitrary commands through Guestbook CGI program.","XF:http-cgi-guestbook | CERT:VB-97.02",,, CVE-1999-0238,Candidate,"php.cgi allows attackers to read any file on the system.","XF:http-cgi-phpfileread",Proposed (19990623)," ACCEPT(5) Frech, Collins, Prosser, Northcutt, Baker | NOOP(1) Christey"," Prosser> additional source | AUSCERT External Security Bulletin ESB-97.047 | http://www.auscert.org.au | Christey> ADDREF BUGTRAQ:19970416 Update on PHP/FI hole | URL:http://www.dataguard.no/bugtraq/1997_2/0069.html | The attacker specifies the filename as an argument to the | program. | Add ""PHP/FI"" to description to facilitate search. 
| AUSCERT URL is ftp://ftp.auscert.org.au/pub/auscert/ESB/ESB-97.047 | Christey> Consider adding BID:2250" CVE-1999-0239,Entry,"Netscape FastTrack Web server lists files when a lowercase ""get"" command is used instead of an uppercase GET.","XF:fastrack-get-directory-list | OSVDB:122 | URL:http://www.osvdb.org/122",,, CVE-1999-0240,Candidate,"Some filters or firewalls allow fragmented SYN packets with IP reserved bits in violation of their implemented policy.","",Proposed (19990728)," ACCEPT(1) Northcutt | NOOP(1) Baker | REJECT(1) Frech"," Frech> Would reconsider if any references were available." CVE-1999-0241,Candidate,"Guessable magic cookies in X Windows allows remote attackers to execute commands, e.g. through xterm.","XF:http-xguess-cookie",Modified (19990925-01)," ACCEPT(3) Hill, Northcutt, Proctor | MODIFY(2) Frech, Prosser | NOOP(1) Baker | REVIEWING(1) Christey"," Frech> Also add to references: | XF:sol-mkcookie | Prosser> additional source | Bugtraq | ""X11 cookie hijacker"" | http://www.securityfocus.com | Christey> The cookie hijacker thread has to do with stealing cookies | through a file with bad permissions. I'm not sure the | X-Force reference identifies this problem either. | Christey> CIAC:G-04 | URL:http://ciac.llnl.gov/ciac/bulletins/g-04.shtml | SGI:19960601-01-I | URL:ftp://patches.sgi.com/support/free/security/advisories/19960601-01-I | CERT:VB-95:08" CVE-1999-0242,Candidate,"Remote attackers can access mail files via POP3 in some Linux systems that are using shadow passwords.","BUGTRAQ:19951222 mailx-5.5 (slackware /bin/mail) security hole | XF:linux-pop3d",Modified (20000106-01)," ACCEPT(1) Baker | MODIFY(1) Frech | NOOP(4) Shostack, Christey, Northcutt, Wall | REVIEWING(1) Levy"," Frech> Ambiguous description: need more detail. 
Possibly: | XF:linux-pop3d (mktemp() leads to reading e-mail) | Christey> At first glance this might look like CVE-1999-0123 or | CVE-1999-0125, however this particular candidate arises out | of a brief mention of the problem in a larger posting which | discusses CVE-1999-0123 (which may be the same bug as | CVE-1999-0125). See the following phrase in the Bugtraq | post: ""one such example of this is in.pop3d"" | | However, the original source of this candidate's description | explicitly mentions shadowed passwords, though it has no | references to help out here." CVE-1999-0243,Candidate,"Linux cfingerd could be exploited to gain root access.","",Proposed (19990714)," ACCEPT(1) Shostack | NOOP(4) Levy, Northcutt, Wall, Baker | REJECT(2) Frech, Christey"," Christey> This has no sources; neither does the original database that | this entry came from. It's a likely duplicate of | CVE-1999-0813. | Frech> I disagree on the dupe; see Linux-Security Mailing List, | ""[linux-security] Cfinger (Yet more :)"" at | http://www.geocrawler.com/archives/3/92/1996/9/0/2217716/. Seems as | if v1.2.3 is vulnerable, perhaps 1.3.0 also. CVE-1999-0813 pertains | to 1.4.x and below and shows up two years later. | CHANGE> [Frech changed vote from REVIEWING to REJECT] | Frech> If the reference I previously supplied is correct, then | it appears as if the poster modified the source using authorized | access to make it vulnerable. Modifying the source in this manner | does not qualify as being listed a vulnerability. | I disagree on the dupe; see Linux-Security Mailing List, | ""[linux-security] Cfinger (Yet more :)"" at | http://www.geocrawler.com/archives/3/92/1996/9/0/2217716/. Seems as | if v1.2.3 is vulnerable, perhaps 1.3.0 also. CVE-1999-0813 pertains | to 1.4.x and below and shows up two years later." 
CVE-1999-0244,Entry,"Livingston RADIUS code has a buffer overflow which can allow remote execution of commands as root.","NAI:NAI-23 | XF:radius-accounting-overflow",,, CVE-1999-0245,Entry,"Some configurations of NIS+ in Linux allowed attackers to log in as the user ""+"".","BUGTRAQ:19950907 Linux NIS security problem hole and fix | XF:linux-plus",,, CVE-1999-0246,Candidate,"HP Remote Watch allows a remote user to gain root access.","XF:hp-remote",Proposed (19990630)," ACCEPT(4) Frech, Hill, Prosser, Northcutt | NOOP(1) Baker | RECAST(1) Christey"," Frech> Comment: Determine if it's RemoteWatch or Remote Watch. | Christey> HP:HPSBUX9610-039 alludes to multiple vulnerabilities in | Remote Watch (the advisory uses two words, not one, for the | ""Remote Watch"" name) | | ADDREF BUGTRAQ:19961015 HP/UX Remote Watch (was Re: BoS: SOD remote exploit) | URL:http://www.securityfocus.com/templates/archive.pike?list=1&msg=199610151351.JAA18241@grymoire.crd.ge.com | Prosser> agree that the advisory mentions two vulnerabilities in Remote | Watch, one being a socket connection and other with the showdisk utility | which seems to be a suid vulnerability. Never get much details on this | anywhere since the recommendation is to remove the program since it is | obsolete and superseded by later tools. Believe the biggest concern here is | to just not run the tool at all. | Christey> CIAC:H-16 | Also, http://www.cert.org/vendor_bulletins/VB-96.20.hp | And possibly AUSCERT:AA-96.07 at | ftp://ftp.auscert.org.au/pub/auscert/advisory/AA-96.07.HP-UX.Remote.Watch.vul | Christey> Also BUGTRAQ:19961013 BoS: SOD remote exploit | http://marc.theaimsgroup.com/?l=bugtraq&m=87602167419969&w=2 | Include ""remwatch"" in the description to facilitate search." 
CVE-1999-0247,Entry,"Buffer overflow in nnrpd program in INN up to version 1.6 allows remote users to execute arbitrary commands.","NAI:19970721 INN news server vulnerabilities | URL:http://www.nai.com/nai_labs/asp_set/advisory/17_inn_avd.asp | BID:1443 | URL:http://www.securityfocus.com/bid/1443 | XF:inn-bo",,, CVE-1999-0248,Entry,"A race condition in the authentication agent mechanism of sshd 1.2.17 allows an attacker to steal another user's credentials.","MISC:http://oliver.efri.hr/~crv/security/bugs/mUNIXes/ssh2.html | CONFIRM:http://www.uni-karlsruhe.de/~ig25/ssh-faq/ssh-faq-6.html#ss6.1",,, CVE-1999-0249,Candidate,"Windows NT RSHSVC program allows remote users to execute arbitrary commands.","",Proposed (19990714)," ACCEPT(1) Baker | MODIFY(2) Frech, Wall | NOOP(2) Shostack, Northcutt | RECAST(1) Christey | REVIEWING(1) Levy"," Wall> Windows NT Rshsvc.exe from the Windows NT Resource Kit allows | remote | users to execute arbitrary commands. | Source: rshsvc.txt from the Windows NT Resource Kit. | Frech> XF:rsh-svc | Christey> MSKB:Q158320, last reviewed in January 1999, refers to a case | where remote users coming from authorized machines are | allowed access regardless of what .rhosts says. XF:rsh-svc | refers to a bug circa 1997 where any remote entity could | execute commands as system." CVE-1999-0250,Candidate,"Denial of service in Qmail through long SMTP commands.","BUGTRAQ:19970612 qmail-dos-2.c, another denial of service attack | URL:http://marc.theaimsgroup.com/?l=bugtraq&m=87602558319024&w=2 | MISC:http://cr.yp.to/qmail/venema.html | MISC:http://www.ornl.gov/its/archives/mailing-lists/qmail/1997/06/threads.html | XF:qmail-leng",Modified (20010301-01)," ACCEPT(2) Meunier, Hill | MODIFY(1) Frech | REJECT(1) Baker | REVIEWING(1) Christey"," Frech> XF:qmail-rcpt | Christey> DUPE CVE-1999-0418 and CVE-1999-0144? 
| Christey> Dan Bernstein, author of Qmail, says that this is not a | vulnerability in qmail because Unix has built-in resource | limits that can restrict the size of a qmail process; other | limits can be specified by the administrator. See | http://cr.yp.to/qmail/venema.html | | Significant discussion of this issue took place on the qmail | list. The fundamental question appears to be whether | application software should set its own limits, or rely | on limits set by the parent operating system (in this case, | UNIX). Also, some people said that the only problem was that | the suggested configuration was not well documented, but this | was refuted by others. | | See the following threads at | http://www.ornl.gov/its/archives/mailing-lists/qmail/1997/06/threads.html | ""Denial of service (qmail-smtpd)"" | ""qmail-dos-2.c, another denial of service"" | ""[PATCH] denial of service"" | ""just another qmail denial-of-service"" | ""the UNIX way"" | ""Time for a reality check"" | | Also see Bugtraq threads on a different vulnerability that | is related to this topic: | BUGTRAQ:19990903 Web servers / possible DOS Attack / mime header flooding | http://archives.neohapsis.com/archives/bugtraq/1998_3/0742.html | Baker> This appears to be the same vulnerability listed in CAN 1999-0144. In reading | through both bugtraq postings, the one that is referenced by 0144 is | based on a shell code exploit to cause memory exhaustion. The bugtraq | posting referenced by this entry refers explicitly to the prior | posting for 0144, and states that the same effect could be | accomplished by a perl exploit, which was then attached. | Baker> http://www.securityfocus.com/archive/1/6969 CVE-1999-0144 | http://www.securityfocus.com/archive/1/6970 CVE-1999-0250 | | Both references should be added to CVE-1999-0144, and CVE-1999-0250 | should likely be rejected. 
| CHANGE> [Baker changed vote from REVIEWING to REJECT] | Christey> XF:qmail-leng no longer exists; check with Andre to see if they | regarded it as a duplicate as well. | | qmail-dos-1.c, as published by Wietse Venema (CVE-1999-0250) | in ""BUGTRAQ:19970612 Denial of service (qmail-smtpd)"", does not | use any RCPT commands. Instead, it sends long strings | of ""X"" characters. A followup by ""super@UFO.ORG"" includes | an exploit that claims to do the same thing; however, that | exploit does not send long strings of X characters - it sends | a large number of RCPT commands. It appears that super@ufo.org | followed up to the wrong message. | | qmail-dos-2.c, as published by Wietse Venema (CVE-1999-0144) | in ""BUGTRAQ:19970612 qmail-dos-2.c, another denial of service attack"" | sends a large number of RCPT commands. | | ADDREF BUGTRAQ:19970612 Denial of service (qmail-smtpd) | ADDREF BUGTRAQ:19970612 qmail-dos-2.c, another denial of service attack | | Also see a related thread: | BUGTRAQ:19990308 SMTP server account probing | http://marc.theaimsgroup.com/?l=bugtraq&m=92100018214316&w=2 | | This also describes a problem with mail servers not being able | to handle too many ""RCPT TO"" requests. A followup message | notes that application-level protection is used in Sendmail | to prevent this: | BUGTRAQ:19990309 Re: SMTP server account probing | http://marc.theaimsgroup.com/?l=bugtraq&m=92101584629263&w=2 | The person further says, ""This attack can easily be | prevented with configuration methods.""" CVE-1999-0251,Entry,"Denial of service in talk program allows remote attackers to disrupt a user's display.","XF:talkd-flash",,, CVE-1999-0252,Entry,"Buffer overflow in listserv allows arbitrary command execution.","XF:smtp-listserv",,, CVE-1999-0253,Candidate,"IIS 3.0 with the iis-fix hotfix installed allows remote intruders to read source code for ASP programs by using a %2e instead of a . 
(dot) in the URL.","XF:http-iis-2e | L0PHT:19970319",Modified (20000106-01)," ACCEPT(9) Frech, Bishop, Collins, Blake, Northcutt, Baker, Landfield, Cole, Armstrong | MODIFY(1) LeBlanc | NOOP(3) Ozancin, Prosser, Wall | REVIEWING(1) Christey"," Christey> This is a problem that was introduced after patching a | previous dot bug with the iis-fix hotfix (see CVE-1999-0154). | Since the hotfix introduced the problem, this should be | treated as a separate issue. | Wall> Agree with the comment. | LeBlanc> - this one is so old, I don't remember it at all and can't verify or | deny the issue. If you can find some documentation that says we fixed it (KB | article, hotfix, something), then I would change this to ACCEPT | CHANGE> [Christey changed vote from NOOP to REVIEWING] | Christey> BID:1814 | URL:http://www.securityfocus.com/bid/1814" CVE-1999-0254,Candidate,"A hidden SNMP community string in HP OpenView allows remote attackers to modify MIB tables and obtain sensitive information.","ISS:Hidden SNMP community in HP OpenView | XF:hpov-hidden-snmp-comm",Proposed (19990726)," ACCEPT(2) Frech, Baker | NOOP(1) Wall | REVIEWING(1) Christey"," Christey> What is the proper level of abstraction to use here? Should | we have a separate entry for each different default community | string? See: | http://cve.mitre.org/Board_Sponsors/archives/msg00242.html and | http://cve.mitre.org/Board_Sponsors/archives/msg00250.html | http://cve.mitre.org/Board_Sponsors/archives/msg00251.html | | Until the associated content decisions have been approved | by the Editorial Board, this candidate cannot be accepted | for inclusion in CVE." CVE-1999-0255,Candidate,"Buffer overflow in ircd allows arbitrary command execution.","",Proposed (19990623)," ACCEPT(3) Hill, Northcutt, Baker | MODIFY(1) Frech | NOOP(1) Prosser | REJECT(1) Christey"," Frech> XF:irc-bo | Christey> This is too general and doesn't have any references. The | XF reference doesn't appear to exist any more. 
| | Perhaps this reference would help: | BUGTRAQ:19970701 ircd buffer overflow | Baker> It appears that the XForce entry has been corrected, and there is a patch posted in the original bugtraq post." CVE-1999-0256,Entry,"Buffer overflow in War FTP allows remote execution of commands.","XF:war-ftpd | OSVDB:875 | URL:http://www.osvdb.org/875",,, CVE-1999-0257,Candidate,"Nestea variation of teardrop IP fragmentation denial of service.","",Proposed (19990726)," ACCEPT(1) Wall | MODIFY(1) Frech | REVIEWING(1) Christey"," Frech> XF:nestea-linux-dos | Christey> Not sure how many separate ""instances"" of Teardrop | and its ilk. Also see comments on CVE-1999-0001. | | See: CVE-1999-0015, CVE-1999-0104, CVE-1999-0257, CVE-1999-0258 | | Is CVE-1999-0001 the same as CVE-1999-0052? That one is related | to nestea (CVE-1999-0257) and probably the one described in | BUGTRAQ:19981023 nestea v2 against freebsd 3.0-Release | The patch for nestea is in ip_input.c around line 750. | The patches for CVE-1999-0001 are in lines 388&446. So, | CVE-1999-0001 is different from CVE-1999-0257 and CVE-1999-0052. | The FreeBSD patch for CVE-1999-0052 is in line 750. | So, CVE-1999-0257 and CVE-1999-0052 may be the same, though | CVE-1999-0052 should be RECAST since this bug affects Linux | and other OSes besides FreeBSD. | | Also see BUGTRAQ:19990909 CISCO and nestea. | | Finally, note that there is no fundamental difference between | nestea and nestea2/nestea-v2; they are different ports that | exploit the same problem. | | The original nestea advisory is at | http://www.technotronic.com/rhino9/advisories/06.htm | but notice that the suggested fix is in line 375 of | ip_fragment.c, not ip_input.c. | Christey> See the SCO advisory at: | http://www.securityfocus.com/templates/advisory.html?id=1411 | which may further clarify the issue. 
| Christey> BUGTRAQ:19980501 nestea does other things | http://marc.theaimsgroup.com/?l=bugtraq&m=90221101925819&w=2 | BUGTRAQ:19980508 nestea2 and HP Jet Direct cards. | URL:http://marc.theaimsgroup.com/?l=bugtraq&m=90221101925870&w=2 | BUGTRAQ:19981027 nestea v2 against freebsd 3.0-Release | URL:http://marc.theaimsgroup.com/?l=bugtraq&m=90951521507669&w=2 | | Nestea source code is in | MISC:http://oliver.efri.hr/~crv/security/bugs/Linux/ipfrag6.html" CVE-1999-0258,Candidate,"Bonk variation of teardrop IP fragmentation denial of service.","",Proposed (19990726)," MODIFY(2) Frech, Wall | REVIEWING(1) Christey"," Wall> Reference Q179129 | Frech> XF:teardrop-mod | Christey> Not sure how many separate ""instances"" of Teardrop there are. | See: CVE-1999-0015, CVE-1999-0104, CVE-1999-0257, CVE-1999-0258 | Christey> See the SCO advisory at: | http://www.securityfocus.com/templates/advisory.html?id=1411 | which may further clarify the issue. | Christey> BUGTRAQ:19980108 bonk.c | URL:http://marc.theaimsgroup.com/?l=bugtraq&m=88429524325956&w=2 | NTBUGTRAQ:19980108 bonk.c | URL:http://marc.theaimsgroup.com/?l=ntbugtraq&m=88433857200304&w=2 | NTBUGTRAQ:19980109 Re: Bonk.c | URL:http://marc.theaimsgroup.com/?l=ntbugtraq&m=88441302913269&w=2 | NTBUGTRAQ:19980304 Update on wide-spread NewTear Denial of Service attacks | URL:http://marc.theaimsgroup.com/?l=ntbugtraq&m=88901842000424&w=2 | BUGTRAQ:19980304 Update on wide-spread NewTear Denial of Service attacks | URL:http://marc.theaimsgroup.com/?l=bugtraq&m=88903296104349&w=2 | CIAC:I-031a | http://ciac.llnl.gov/ciac/bulletins/i-031a.shtml | | CERT summary CS-98.02 implies that bonk, boink, and newtear | all exploit the same vulnerability." 
CVE-1999-0259,Entry,"cfingerd lists all users on a system via search.**@target.","BUGTRAQ:19970523 cfingerd vulnerability | XF:cfinger-user-enumeration",,, CVE-1999-0260,Entry,"The jj CGI program allows command execution via shell metacharacters.","BUGTRAQ:19961224 jj cgi | XF:http-cgi-jj",,, CVE-1999-0261,Candidate,"Netmanager Chameleon SMTPd has several buffer overflows that cause a crash.","BUGTRAQ:19980504 Netmanage Holes | MISC:http://www.insecure.org/sploits/netmanage.chameleon.overflows.html",Modified (20000827-01)," ACCEPT(1) Baker | MODIFY(2) Frech, Landfield | NOOP(3) Ozancin, Christey, Northcutt"," Frech> XF:chamelion-smtp-dos | Landfield> - Specify what ""a crash"" means. | Christey> ADDREF XF:chameleon-smtp-dos ? (but it's not on the web site) | Christey> Consider adding BID:2387" CVE-1999-0262,Entry,"Hylafax faxsurvey CGI script on Linux allows remote attackers to execute arbitrary commands via shell metacharacters in the query string.","BUGTRAQ:19980804 remote exploit in faxsurvey cgi-script | BUGTRAQ:19980804 PATCH: faxsurvey | BID:2056 | URL:http://www.securityfocus.com/bid/2056 | XF:http-cgi-faxsurvey(1532) | URL:http://xforce.iss.net/xforce/xfdb/1532",,, CVE-1999-0263,Entry,"Solaris SUNWadmap can be exploited to obtain root access.","SUN:00173 | URL:http://sunsolve.sun.com/pub-cgi/retrieve.pl?doctype=coll&doc=secbull/173 | XF:sun-sunwadmap",,, CVE-1999-0264,Entry,"htmlscript CGI program allows remote read access to files.","XF:http-htmlscript-file-access | BUGTRAQ:Jan27,1998",,, CVE-1999-0265,Entry,"ICMP redirect messages may crash or lock up a host.","MSKB:Q154174 | URL:http://support.microsoft.com/default.aspx?scid=kb;[LN];Q154174 | ISS:ICMP Redirects Against Embedded Controllers | XF:icmp-redirect",,, CVE-1999-0266,Entry,"The info2www CGI script allows remote file access or remote command execution.","BUGTRAQ:19980303 Vulnerabilites in some versions of info2www CGI | BID:1995 | URL:http://www.securityfocus.com/bid/1995 | 
XF:http-cgi-info2www",,, CVE-1999-0267,Entry,"Buffer overflow in NCSA HTTP daemon v1.3 allows remote command execution.","XF:http-port | CERT:CA-95.04.NCSA.http.daemon.for.unix.vulnerability",,, CVE-1999-0268,Entry,"MetaInfo MetaWeb web server allows users to upload, execute, and read scripts.","BUGTRAQ:19980630 Security vulnerabilities in MetaInfo products | BUGTRAQ:19980703 Followup to MetaInfo vulnerabilities | OSVDB:110 | URL:http://www.osvdb.org/110 | OSVDB:3969 | URL:http://www.osvdb.org/3969 | XF:metaweb-server-dot-attack",,, CVE-1999-0269,Entry,"Netscape Enterprise servers may list files through the PageServices query.","XF:netscape-server-pageservices",,, CVE-1999-0270,Entry,"Directory traversal vulnerability in pfdispaly.cgi program (sometimes referred to as ""pfdisplay"") for SGI's Performer API Search Tool (performer_tools) allows remote attackers to read arbitrary files.","BUGTRAQ:19980317 IRIX performer_tools bug | SGI:19980401-01-P | URL:ftp://patches.sgi.com/support/free/security/advisories/19980401-01-P | CIAC:I-041 | URL:http://www.ciac.org/ciac/bulletins/i-041.shtml | BID:64 | URL:http://www.securityfocus.com/bid/64 | OSVDB:134 | URL:http://www.osvdb.org/134 | XF:sgi-pfdispaly(810) | URL:http://xforce.iss.net/xforce/xfdb/810",,, CVE-1999-0271,Candidate,"Progressive Networks Real Video server (pnserver) can be crashed remotely.","BUGTRAQ:19980115 pnserver exploit.. | BUGTRAQ:19980817 Re: Real Audio Server Version 5 bug?",Modified (19990925-01)," ACCEPT(3) Blake, Northcutt, Baker | MODIFY(1) Frech | NOOP(1) Prosser | REVIEWING(1) Christey"," Christey> Problem confirmed by RealServer vendor (URL listed in Bugtraq | posting), but may be multiple codebases since several | Real Audio servers are affected. | | Also, this may be the same as BUGTRAQ:19991105 RealNetworks RealServer G2 buffer overflow. 
| See CVE-1999-0896 | CHANGE> [Frech changed vote from REVIEWING to MODIFY] | Frech> ADDREF XF:realvideo-telnet-dos" CVE-1999-0272,Entry,"Denial of service in Slmail v2.5 through the POP3 port.","XF:slmail-username-bo",,, CVE-1999-0273,Entry,"Denial of service through Solaris 2.5.1 telnet by sending ^D characters.","XF:sun-telnet-kill",,, CVE-1999-0274,Entry,"Denial of service in Windows NT DNS servers through malicious packet which contains a response to a query that wasn't made.","NAI:NAI-5 | XF:nt-dns-dos",,, CVE-1999-0275,Entry,"Denial of service in Windows NT DNS servers by flooding port 53 with too many characters.","XF:nt-dnscrash | XF:nt-dnsver | MS:Q169461",,, CVE-1999-0276,Entry,"mSQL v2.0.1 and below allows remote execution through a buffer overflow.","XF:msql-debug-bo | SEKURE:sekure.01-99.msql",,, CVE-1999-0277,Entry,"The WorkMan program can be used to overwrite any file to get root access.","XF:workman | CERT:CA-96.23.workman_vul",,, CVE-1999-0278,Entry,"In IIS, remote attackers can obtain source code for ASP files by appending ""::$DATA"" to the URL.","MS:MS98-003 | URL:http://www.microsoft.com/technet/security/bulletin/ms98-003.mspx | XF:iis-asp-data-check | OVAL:oval:org.mitre.oval:def:913 | URL:http://oval.mitre.org/repository/data/getDef?id=oval:org.mitre.oval:def:913",,, CVE-1999-0279,Entry,"Excite for Web Servers (EWS) allows remote command execution via shell metacharacters.","BUGTRAQ:19971217 CGI security hole in EWS (Excite for Web Servers) | BUGTRAQ:19980115 Excite announcement | CERT:VB-98.01.excite | XF:excite-cgi-search-vuln",,, CVE-1999-0280,Entry,"Remote command execution in Microsoft Internet Explorer using .lnk and .url files.","NTBUGTRAQ:19970317 Internet Explorer Bug #4 | CIAC:H-38 | XF:http-ie-lnkurl",,, CVE-1999-0281,Entry,"Denial of service in IIS using long URLs.","XF:http-iis-longurl",,, CVE-1999-0282,Candidate,"** REJECT ** DO NOT USE THIS CANDIDATE NUMBER. ConsultIDs: CVE-1999-1584, CVE-1999-1586. 
Reason: This candidate combined references from one issue with the description from another issue. Notes: Users should consult CVE-1999-1584 and CVE-1999-1586 to obtain the appropriate name. All references and descriptions in this candidate have been removed to prevent accidental usage.","",Modified (20050830)," ACCEPT(2) Dik, Baker | MODIFY(1) Frech | NOOP(1) Ozancin | RECAST(1) Prosser | REJECT(1) Christey"," Frech> XF:sun-loadmodule | XF:sun-modload (CERT CA-93.18 very old!) | Prosser> Believe the reference given, 95-12, is referencing a later | loadmodule(8) setuid problem in the X11/NeWS windowing system. There is an | earlier, similar setuid vulnerability in the CA-93.18, CIAC G-02 advisories | for the SunOS 4.1.x/Solbourne and OpenWindow 3.0. In fact, there may be the | same as the HP patches are 100448-02 for the 93 loadmodule/modload | vulnerability and 100448-03 for the 95 loadmodule vulnerability which | normally indicated a patch update. Looks like the original patch either | didn't completely fix the problem or it resurfaced in X11 NeWS. Can't tell | much beyond that and this is my opinion only as have no way to check it. | Which one is this CVE referencing? I accept both. | Dik> There are three similar Sun bug ids associated with the patches. | 1076118 loadmodule has a security vulnerability | 1148753 loadmodule has a security vulnerability | 1222192 loadmodule has a security vulnerability | as well as: | 1137491 | Ancient stuff. | Christey> Add period to the end of the description. | CHANGE> [Christey changed vote from NOOP to REVIEWING] | Christey> This is distinct from CVE-1999-1584 - CVE-1999-1584 is for | CA-93.18. | CHANGE> [Christey changed vote from REVIEWING to REJECT] | Christey> This candidate combines two separate issues. It uses the CERT | alert reference from 1995, from one issue, but a description that | is associated with a separate issue." 
CVE-1999-0283,Candidate,"The Java Web Server would allow remote users to obtain the source code for CGI programs.","BUGTRAQ:19970716 Viewable .jhtml source with JavaWebServer | URL:http://marc.theaimsgroup.com/?l=bugtraq&m=88256790401004&w=2",Modified (19991203-01)," ACCEPT(7) Dik, Collins, Blake, Northcutt, Wall, Baker, Cole | MODIFY(1) Frech | NOOP(5) Armstrong, Bishop, Christey, Prosser, Landfield | REVIEWING(1) Ozancin"," Wall> Acknowledged by vendor at | http://www.sun.com/software/jwebserver/techinfo/jws112info.html. | Baker> Vulnerability Reference (HTML) Reference Type | http://www.securityfocus.com/archive/1/7260 Misc Defensive Info | http://www.sun.com/software/jwebserver/techinfo/jws112info.html Vendor Info | Christey> BID:1891 | URL:http://www.securityfocus.com/bid/1891 | Christey> Add version number (1.1 beta) and details of attack (appending | a . or a \) | | The Sun URL referenced by Dave Baker no longer exists, so I | wasn't able to verify that it addressed the problem described | in the Bugtraq post. This might not even be Sun's | ""Java Web Server,"" as CVE-2001-0186 describes some product | called ""Free Java Web Server"" | Dik> There appears to be some confusion. | | The particular bug seems to be on in JWS 1.1beta or 1.1 which was fixed | in 1.1.2 (get foo.jthml source by appending ""."" of ""\"" to URL) | | There are other bugs that give access and that require a configuration | change. 
| | http://www.sun.com/software/jwebserver/techinfo/security_advisory.html | Christey> Need to make sure to create CAN's for the other bugs, | as documented in: | NTBUGTRAQ:19980724 Alert: New Source Bug Affect Sun JWS | http://marc.theaimsgroup.com/?l=ntbugtraq&m=90222454131622&w=2 | BUGTRAQ:19980725 Alert: New Source Bug Affect Sun JWS | http://marc.theaimsgroup.com/?l=bugtraq&m=90221104526086&w=2 | The reported bugs are: | 1) file read by appending %20 | 2) Directly call /servlet/file | URL:http://www.sddt.com/cgi-bin/Subscriber?/library/98/07/24/tbd.html | #2 is explicitly mentioned in the Sun advisory for | CVE-1999-0283. | CHANGE> [Frech changed vote from REVIEWING to MODIFY] | Frech> XF:javawebserver-cgi-source(5383)" CVE-1999-0284,Candidate,"Denial of service to NT mail servers including Ipswitch, Mdaemon, and Exchange through a buffer overflow in the SMTP HELO command.","XF:smtp-helo-bo",Proposed (19990623)," ACCEPT(2) Blake, Northcutt | MODIFY(3) Frech, Ozancin, Levy | NOOP(1) Baker | REVIEWING(1) Christey"," Frech> ""Windows NT-based mail servers"" (A trademark thing, and for clarification) | XF:mdaemon-helo-bo | XF:lotus-notes-helo-crash | XF:slmail-helo-overflow | XF:smtp-helo-bo (mentions several products) | XF:smtp-exchangedos | Levy> - Need one per software. Each one should be its own | vulnerability. | Ozancin> => Windows NT is correct | Christey> These are probably multiple codebases, so we'll need to use | dot notation. Also need to see if this should be merged | with CVE-1999-0098 (Sendmail SMTP HELO)." CVE-1999-0285,Candidate,"Denial of service in telnet from the Windows NT Resource Kit, by opening then immediately closing a connection.","",Proposed (19990630)," ACCEPT(1) Hill | NOOP(2) Wall, Baker | REJECT(2) Frech, Christey"," Christey> No references, no information. | CHANGE> [Frech changed vote from REVIEWING to REJECT] | Frech> No references; closest documented match is with | CVE-2001-0346, but that's for Windows 2000." 
CVE-1999-0286,Candidate,"In some NT web servers, appending a space at the end of a URL may allow attackers to read source code for active pages.","",Proposed (19990714)," ACCEPT(3) Armstrong, Shostack, Cole | MODIFY(3) Levy, Blake, Wall | NOOP(5) Bishop, Ozancin, Northcutt, Baker, Landfield | REJECT(1) Frech | REVIEWING(1) Christey"," Wall> In some NT web servers, appending a dot at the end of a URL may | allow attackers to read source code for active pages. | Source: MS Knowledge Base Article Q163485 - ""Active Server Pages Script Appears | in Browser"" | Frech> In the meantime, reword description as 'Windows NT' (trademark issue) | Christey> Q163485 does not refer to a space, it refers to a dot. | However, I don't have other references. | | Reading source code with a dot appended is in CVE-1999-0154, | which will be proposed. A subsequent bug similar to the | dot bug is CVE-1999-0253. | Levy> NTBUGTRAQ: http://www.securityfocus.com/archive/2/22014 | NTBUGTRAQ: http://www.securityfocus.com/archive/2/22019 | BID 273 | Blake> Reference: http://www.allaire.com/handlers/index.cfm?ID=10967 | CHANGE> [Christey changed vote from NOOP to REVIEWING] | CHANGE> [Frech changed vote from REVIEWING to REJECT] | Frech> BID articles)" CVE-1999-0287,Candidate,"Vulnerability in the Wguest CGI program.","",Proposed (19990714)," MODIFY(2) Frech, Shostack | NOOP(4) Levy, Blake, Northcutt, Wall | REJECT(2) Christey, Baker"," Shostack> allows file reading | Frech> XF:http-cgi-webcom-guestbook | Christey> CVE-1999-0287 is probably a duplicate of CVE-1999-0467. In | NTBUGTRAQ:19990409 Webcom's CGI Guestbook for Win32 web servers | Mnemonix says that he had previously reported on a similar | problem. Let's refer to the NTBugtraq posting as | CVE-1999-0467. We will refer to the ""previous report"" as | CVE-1999-0287, which could be found at: | http://oliver.efri.hr/~crv/security/bugs/NT/httpd41.html | | 0287 describes an exploit via the ""template"" hidden variable. 
| The exploit describes manually editing the HTML form to | change the filename to read from the template variable. | | The exploit as described in 0467 encodes the template variable | directly into the URL. However, hidden variables are also | encoded into the URL, which would have looked the same to | the web server regardless of the exploit. Therefore 0287 | and 0467 are the same. | Christey> BID:2024" CVE-1999-0288,Entry,"The WINS server in Microsoft Windows NT 4.0 before SP4 allows remote attackers to cause a denial of service (process termination) via invalid UDP frames to port 137 (NETBIOS Name Service), as demonstrated via a flood of random packets.","NTBUGTRAQ:19970801 WINS flooding | BUGTRAQ:19970801 WINS flooding | BUGTRAQ:19970815 Re: WINS flooding | MISC:http://safenetworks.com/Windows/wins.html | MSKB:155701 | XF:nt-winsupd-fix(1233) | URL:http://xforce.iss.net/xforce/xfdb/1233",,, CVE-1999-0289,Entry,"The Apache web server for Win32 may provide access to restricted files when a . 
(dot) is appended to a requested URL.","",,, CVE-1999-0290,Entry,"The WinGate telnet proxy allows remote attackers to cause a denial of service via a large number of connections to localhost.","BUGTRAQ:19980221 WinGate DoS | BUGTRAQ:19980326 WinGate Intermediary Fix/Update | XF:wingate-dos",,, CVE-1999-0291,Entry,"The WinGate proxy is installed without a password, which allows remote attackers to redirect connections without authentication.","XF:wingate-unpassworded",,, CVE-1999-0292,Entry,"Denial of service through Winpopup using large user names.","XF:nt-winpopup",,, CVE-1999-0293,Entry,"AAA authentication on Cisco systems allows attackers to execute commands without authorization.","CISCO:http://www.cisco.com/warp/public/770/aaapair-pub.shtml | XF:cisco-ios-aaa-auth",,, CVE-1999-0294,Entry,"All records in a WINS database can be deleted through SNMP for a denial of service.","XF:nt-wins-snmp2",,, CVE-1999-0295,Entry,"Solaris sysdef command allows local users to read kernel memory, potentially leading to root privileges.","XF:sun-sysdef | SUN:00157 | URL:http://sunsolve.sun.com/pub-cgi/retrieve.pl?doctype=coll&doc=secbull/157",,, CVE-1999-0296,Entry,"Solaris volrmmount program allows attackers to read any file.","SUN:00162 | URL:http://sunsolve.sun.com/pub-cgi/retrieve.pl?doctype=coll&doc=secbull/162 | XF:sun-volrmmount",,, CVE-1999-0297,Entry,"Buffer overflow in Vixie Cron library up to version 3.0 allows local users to obtain root access via a long environmental variable.","NAI:NAI-3 | AUSCERT:AA-96.21 | CIAC:H-17 | XF:vixie-cron",,, CVE-1999-0298,Candidate,"ypbind with -ypset and -ypsetme options activated in Linux Slackware and SunOS allows local and remote attackers to overwrite files via a .. 
(dot dot) attack.","NAI:19970205 Vulnerabilities in Ypbind when run with -ypset/-ypsetme | URL:http://www.nai.com/nai_labs/asp_set/advisory/06_ypbindsetme_adv.asp",Modified (20000524-01)," ACCEPT(4) Cole, Dik, Levy, Northcutt | MODIFY(1) Frech | NOOP(3) Shostack, Christey, Baker"," Christey> ADDREF BID:1441 | URL:http://www.securityfocus.com/bid/1441 | Dik> If you run with ""-ypset"", then you're always insecure. | With ypsetme, only root on the local host | can run ypset in Solaris 2.x+. | Probably true for SunOS 4, hence my vote. | CHANGE> [Frech changed vote from REVIEWING to MODIFY] | Frech> ADDREF XF:ypbind-ypset-root | CHANGE> [Dik changed vote from REVIEWING to ACCEPT] | Dik> This vulnerability does exist in SunOS 4.x in non default configurations. | In Solaris 2.x, the vulnerability only applies to files named ""cache_binding"" | and not all files ending in .2 | Both releases are not vulnerable in the default configuration (both | disallow ypset by default which prevents this problem from occurring)" CVE-1999-0299,Entry,"Buffer overflow in FreeBSD lpd through long DNS hostnames.","NAI:NAI-9 | OSVDB:6093 | URL:http://www.osvdb.org/6093",,, CVE-1999-0300,Entry,"nis_cachemgr for Solaris NIS+ allows attackers to add malicious NIS+ servers.","SUN:00155 | URL:http://sunsolve.sun.com/pub-cgi/retrieve.pl?doctype=coll&doc=secbull/155 | XF:sun-niscache",,, CVE-1999-0301,Entry,"Buffer overflow in SunOS/Solaris ps command.","SUN:00149 | URL:http://sunsolve.sun.com/pub-cgi/retrieve.pl?doctype=coll&doc=secbull/149 | AUSCERT:AUSCERT-97.17 | XF:sun-ps2bo",,, CVE-1999-0302,Entry,"SunOS/Solaris FTP clients can be forced to execute arbitrary commands from a malicious FTP server.","SUN:00176 | URL:http://sunsolve.sun.com/pub-cgi/retrieve.pl?doctype=coll&doc=secbull/176 | XF:sun-ftp-server",,, CVE-1999-0303,Entry,"Buffer overflow in BNU UUCP daemon (uucpd) through long hostnames.","XF:bnu-uucpd-bo | RSI:RSI.0002.05-18-98.BNU.UUCPD",,, CVE-1999-0304,Entry,"mmap function in BSD 
allows local attackers in the kmem group to modify memory through devices.","XF:bsd-mmap | FREEBSD:FreeBSD-SA-98:02",,, CVE-1999-0305,Entry,"The system configuration control (sysctl) facility in BSD based operating systems OpenBSD 2.2 and earlier, and FreeBSD 2.2.5 and earlier, does not properly restrict source routed packets even when the (1) dosourceroute or (2) forwarding variables are set, which allows remote attackers to spoof TCP connections.","OPENBSD:Feb15,1998 ""IP Source Routing Problem"" | MISC:http://www.openbsd.org/advisories/sourceroute.txt | OSVDB:11502 | URL:http://www.osvdb.org/11502 | XF:bsd-sourceroute(736) | URL:http://xforce.iss.net/xforce/xfdb/736",,, CVE-1999-0306,Candidate,"buffer overflow in HP xlock program.","XF:hp-xlock",Proposed (19990714)," ACCEPT(3) Frech, Northcutt, Baker | MODIFY(1) Prosser | NOOP(1) Shostack | REJECT(1) Christey"," Prosser> This is another of those with multiple affected OSs. | Refs: CA-97.13, http://207.237.120.45/linux/xlock-exploit.txt, | HPSBUX9711-073, SGI 19970502-02-PX, Sun Bulletin 000150 | Christey> XF:hp-xlock points to SGI:19970502-02-PX which says this is | the same problem as in CERT:CA-97.13, which is CVE-1999-0038." CVE-1999-0307,Candidate,"Buffer overflow in HP-UX cstm program allows local users to gain root privileges.","BUGTRAQ:19961116 This week: turn me on, dead man | XF:hpux-cstm-bo",Modified (19991207-01)," ACCEPT(2) Frech, Northcutt | NOOP(3) Shostack, Prosser, Baker | RECAST(1) Christey"," Prosser> only ref I can find is an old SOD exploit on | www.outpost9.com | Christey> MERGE CVE-1999-0336 (the exact exploit works with both | cstm and mstm, which are clearly part of the same package, | so CD:SF-EXEC says to merge them.) | | Also, there does not seem to be any recognition of this problem | by HP. The only other information besides the Bugtraq post | is the SOD exploit. 
| | See the original post: | http://www.securityfocus.com/templates/archive.pike?list=1&date=1996-11-15&msg=Pine.LNX.3.91.961116112242.15276J-100000@underground.org" CVE-1999-0308,Entry,"HP-UX gwind program allows users to modify arbitrary files.","HP:HPSBUX9410-018 | URL:http://www1.itrc.hp.com/service/cki/docDisplay.do?docId=HPSBUX9410-018 | XF:hpux-gwind-overwrite | CIAC:H-03: HP-UX suid Vulnerabilities",,, CVE-1999-0309,Entry,"HP-UX vgdisplay program gives root access to local users.","HP:HPSBUX9702-056 | URL:http://www1.itrc.hp.com/service/cki/docDisplay.do?docId=HPSBUX9702-056 | XF:hpux-vgdisplay | CIAC:H-27: HP-UX vgdisplay Buffer Overrun Vulnerability",,, CVE-1999-0310,Entry,"SSH 1.2.25 on HP-UX allows access to new user accounts.","XF:ssh-1225",,, CVE-1999-0311,Entry,"fpkg2swpk in HP-UX allows local users to gain root access.","XF:hpux-fpkg2swpk | HP:HPSBUX9612-042 | URL:http://www1.itrc.hp.com/service/cki/docDisplay.do?docId=HPSBUX9612-042",,, CVE-1999-0312,Entry,"HP ypbind allows attackers with root privileges to modify NIS data.","XF:nis-ypbind | CERT:CA-93:01.REVISED.HP.NIS.ypbind.vulnerability",,, CVE-1999-0313,Entry,"disk_bandwidth on SGI IRIX 6.4 S2MP for Origin/Onyx2 allows local users to gain root access using relative pathnames.","MISC:http://www.securityfocus.com/bid/213/exploit | SGI:19980701-01-P | URL:ftp://patches.sgi.com/support/free/security/advisories/19980701-01-P | BID:214 | URL:http://www.securityfocus.com/bid/214 | OSVDB:936 | URL:http://www.osvdb.org/936 | XF:sgi-disk-bandwidth(1441) | URL:http://xforce.iss.net/xforce/xfdb/1441",,, CVE-1999-0314,Entry,"ioconfig on SGI IRIX 6.4 S2MP for Origin/Onyx2 allows local users to gain root access using relative pathnames.","MISC:http://www.securityfocus.com/bid/213/exploit | SGI:19980701-01-P | URL:ftp://patches.sgi.com/support/free/security/advisories/19980701-01-P | BID:213 | URL:http://www.securityfocus.com/bid/213 | OSVDB:6788 | URL:http://www.osvdb.org/6788 | XF:sgi-ioconfig(1199) | 
URL:http://xforce.iss.net/xforce/xfdb/1199",,, CVE-1999-0315,Entry,"Buffer overflow in Solaris fdformat command gives root access to local users.","XF:fdformat-bo | SUN:00138 | URL:http://sunsolve.sun.com/pub-cgi/retrieve.pl?doctype=coll&doc=secbull/138",,, CVE-1999-0316,Entry,"Buffer overflow in Linux splitvt command gives root access to local users.","XF:linux-splitvt | CIAC:G-08",,, CVE-1999-0317,Candidate,"Buffer overflow in Linux su command gives root access to local users.","BUGTRAQ:19990818 slackware-3.5 /bin/su buffer overflow | XF:su-bo",Modified (19991216-01)," ACCEPT(3) Frech, Hill, Northcutt | NOOP(1) Prosser | RECAST(1) Baker | REVIEWING(1) Christey"," Christey> DUPE CVE-1999-0845? | Also, ADDREF XF:unixware-su-username-bo | A report summary by Aleph One states that nobody was able to | confirm this problem on any Linux distribution. | Baker> If this is the same as the unixware, then it is a dupe of 1999-0845. There is about a two and half month difference in the bugtraq reporting of these. | Sounds like the same bug however... | Christey> XF:su-bo no longer seems to exist. | How about XF:linux-subo(734) ? 
| http://xforce.iss.net/static/734.php | | BID:475 also seems to describe the same problem | (http://www.securityfocus.com/bid/475) in which case, | vsyslog is blamed in: | BUGTRAQ:19971220 Linux vsyslog() overflow | http://www.securityfocus.com/archive/1/8274" CVE-1999-0318,Entry,"Buffer overflow in xmcd 2.0p12 allows local users to gain access through an environmental variable.","BUGTRAQ:19961125 Security Problems in XMCD | BUGTRAQ:19961125 XMCD v2.1 released (was: Security Problems in XMCD) | XF:xmcd-envbo",,, CVE-1999-0319,Candidate,"Buffer overflow in xmcd 2.1 allows local users to gain access through a user resource setting.","XF:xmcd-tiflestr",Proposed (19990623)," ACCEPT(3) Frech, Hill, Northcutt | NOOP(2) Prosser, Baker | REVIEWING(1) Christey"," Christey> BUGTRAQ:19961126 Security Problems in XMCD 2.1 | A followup to this post says that xmcd is not suid here." CVE-1999-0320,Entry,"SunOS rpc.cmsd allows attackers to obtain root access by overwriting arbitrary files.","SUN:00166 | URL:http://sunsolve.sun.com/pub-cgi/retrieve.pl?doctype=coll&doc=secbull/166 | XF:sun-rpc.cmsd",,, CVE-1999-0321,Entry,"Buffer overflow in Solaris kcms_configure command allows local users to gain root access.","XF:sun-kcms-configure-bo",,, CVE-1999-0322,Entry,"The open() function in FreeBSD allows local attackers to write to arbitrary files.","FREEBSD:FreeBSD-SA-97:05 | XF:freebsd-open | OSVDB:6092 | URL:http://www.osvdb.org/6092",,, CVE-1999-0323,Entry,"FreeBSD mmap function allows users to modify append-only or immutable files.","FREEBSD:FreeBSD-SA-98:04 | NETBSD:1998-003 | URL:ftp://ftp.NetBSD.ORG/pub/NetBSD/misc/security/advisories/NetBSD-SA1998-003.txt.asc | XF:bsd-mmap",,, CVE-1999-0324,Entry,"ppl program in HP-UX allows local users to create root files through symlinks.","HP:HPSBUX9702-053 | URL:http://www1.itrc.hp.com/service/cki/docDisplay.do?docId=HPSBUX9702-053 | CIAC:H-31 | XF:hp-ppllog",,, CVE-1999-0325,Entry,"vhe_u_mnt program in HP-UX allows local users to create 
root files through symlinks.","XF:hp-vhe | HP:HPSBUX9406-013 | URL:http://www1.itrc.hp.com/service/cki/docDisplay.do?docId=HPSBUX9406-013",,, CVE-1999-0326,Entry,"Vulnerability in HP-UX mediainit program.","HP:HPSBUX9710-071 | URL:http://www1.itrc.hp.com/service/cki/docDisplay.do?docId=HPSBUX9710-071 | XF:hp-mediainit",,, CVE-1999-0327,Entry,"SGI syserr program allows local users to corrupt files.","SGI:19971103-01-PX | URL:ftp://patches.sgi.com/support/free/security/advisories/19971103-01-PX | XF:sgi-syserr",,, CVE-1999-0328,Entry,"SGI permissions program allows local users to gain root privileges.","SGI:19971103-01-PX | URL:ftp://patches.sgi.com/support/free/security/advisories/19971103-01-PX | XF:sgi-permtool",,, CVE-1999-0329,Entry,"SGI mediad program allows local users to gain root access.","SGI:19980602-01-PX | URL:ftp://patches.sgi.com/support/free/security/advisories/19980602-01-PX | XF:sgi-mediad",,, CVE-1999-0330,Candidate,"Linux bdash game has a buffer overflow that allows local users to gain root access.","BUGTRAQ:19940101 (No Subject) | XF:bdash-bo",Modified (20000105-01)," ACCEPT(1) Baker | MODIFY(1) Frech | NOOP(3) Shostack, Northcutt, Wall | REVIEWING(1) Levy"," Frech> XF:bdash-bo" CVE-1999-0331,Candidate,"Buffer overflow in Internet Explorer 4.0(1).","XF:msie-bo",Modified (20040811)," ACCEPT(2) Northcutt, Baker | MODIFY(2) Frech, Shostack | RECAST(1) Prosser | REJECT(2) Christey, LeBlanc"," Shostack> this is a high cardinality item | Prosser> needs to be more specific. | Frech> Replace reference with XF:iemk-bug (msie-bo is obsolete and a vague | duplicate) | Description (from xfdb): Some versions of Internet Explorer for Windows | contain a vulnerability that may crash the browser when a malicious web site | contains a certain kind of URL (that begins with ""mk://"") with more | characters than the browser supports. | Christey> The description is too vague. | LeBlanc> too vague | Christey> Add period to the end of the description." 
CVE-1999-0332,Entry,"Buffer overflow in NetMeeting allows denial of service and remote command execution.","XF:nt-netmeeting | MSKB:Q184346 | URL:http://support.microsoft.com/default.aspx?scid=kb;[LN];Q184346",,, CVE-1999-0333,Candidate,"HP OpenView Omniback allows remote execution of commands as root via spoofing, and local users can gain root access via a symlink attack.","RSI:RSI.0009.09-08-98.HP-UX.OMNIBACK | HP:HPSBUX9810-085 | XF:omniback-remote",Modified (19990925-01)," ACCEPT(2) Frech, Baker | MODIFY(1) Prosser | RECAST(1) Christey"," Prosser> additional source | HP Security Bulletin 85 | http://us-support.external.hp.com | http://europe-support.external.hp.com | Christey> Two separate bugs, so SF-LOC says this candidate should be | split | Christey> ADDREF CIAC:J-007 | URL:http://ciac.llnl.gov/ciac/bulletins/j-007.shtml" CVE-1999-0334,Entry,"In Solaris 2.2 and 2.3, when fsck fails on startup, it allows a local user with physical access to obtain root access.","XF:sol-startup | CERT:CA-93.19.Solaris.Startup.vulnerability",,, CVE-1999-0335,Entry,"DEPRECATED. This entry has been deprecated. It is a duplicate of CVE-1999-0032.","",,, CVE-1999-0336,Candidate,"Buffer overflow in mstm in HP-UX allows local users to gain root access.","BUGTRAQ:19961116 This week: turn me on, dead man | XF:hpux-mstm-bo",Modified (19991207-01)," ACCEPT(2) Frech, Northcutt | NOOP(3) Shostack, Prosser, Baker | RECAST(1) Christey"," Prosser> same as CVE-1999-0307, only ref I can find is an old SOD | exploit on www.outpost9.com | Christey> MERGE CVE-1999-0307 (the exact exploit works with both | cstm and mstm, which are clearly part of the same package, | so CD:SF-EXEC says to merge them.) | | Also, there does not seem to be any recognition of this problem | by HP. The only other information besides the Bugtraq post | is the SOD exploit." 
CVE-1999-0337,Entry,"AIX batch queue (bsh) allows local and remote users to gain additional privileges when network printing is enabled.","CERT:CA-94.10.IBM.AIX.bsh.vulnerability.html | XF:ibm-bsh",,, CVE-1999-0338,Entry,"AIX Licensed Program Product performance tools allow local users to gain root access.","XF:ibm-perf-tools | CERT:CA-94.03.AIX.performance.tools",,, CVE-1999-0339,Entry,"Buffer overflow in the libauth library in Solaris allows local users to gain additional privileges, possibly root access.","XF:sol-sun-libauth | RSI:RSI.0007.05-26-98",,, CVE-1999-0340,Entry,"Buffer overflow in Linux Slackware crond program allows local users to gain root access.","KSRT:005 | XF:linux-crond",,, CVE-1999-0341,Entry,"Buffer overflow in the Linux mail program ""deliver"" allows local users to gain root access.","KSRT:006 | XF:linux-deliver",,, CVE-1999-0342,Entry,"Linux PAM modules allow local users to gain root access using temporary files.","REDHAT:http://www.redhat.com/corp/support/errata/rh42-errata-general.html#pam | XF:linux-pam-passwd-tmprace",,, CVE-1999-0343,Entry,"A malicious Palace server can force a client to execute arbitrary programs.","BUGTRAQ:19981002 Announcements from The Palace (fwd) | XF:palace-malicious-servers-vuln",,, CVE-1999-0344,Entry,"NT users can gain debug-level access on a system process using the Sechole exploit.","MS:MS98-009 | URL:http://www.microsoft.com/technet/security/bulletin/ms98-009.mspx | MSKB:Q190288 | URL:http://support.microsoft.com/default.aspx?scid=kb;[LN];Q190288 | XF:nt-priv-fix",,, CVE-1999-0345,Candidate,"Jolt ICMP attack causes a denial of service in Windows 95 and Windows NT systems.","",Proposed (19990728)," ACCEPT(2) Cole, Blake | MODIFY(2) Frech, Wall | NOOP(4) Landfield, Bishop, Ozancin, Northcutt | RECAST(1) Meunier | REJECT(4) Armstrong, Levy, LeBlanc, Baker | REVIEWING(1) Christey"," Wall> Invalid ICMP datagram fragments causes a denial of service in Windows 95 and | Windows NT systems. | Reference: Q154174. 
| Jolt is also known as sPING, ICMP bug, Icenewk, and Ping of Death. | It is a modified teardrop 2 attack. | Frech> XF:nt-ssping | ADDREF XF:ping-death | ADDREF XF:teardrop-mod | ADDREF XF:mpeix-echo-request-dos | Christey> I can't tell whether the Jolt exploit at: | | http://www.securityfocus.com/templates/archive.pike?list=1&date=1997-06-28&msg=Pine.BSF.3.95q.970629163422.3264A-200000@apollo.tomco.net | | is exploiting any different flaw than teardrop does. | CHANGE> [Christey changed vote from NOOP to REVIEWING] | Baker> Jolt (original) is basically just a fragmented oversized ICMP that | kills Win boxes ala Ping of Death. | Teardrop is altering the offset in fragmented tcp packets so that the | end of subsequent fragments is inside first packet... | Teardrop 2 is UDP packets, if I remember right. | Seems like Jolt (original, not jolt 2) is just exploit code that | creates a ping of death (CVE 1999-0128) | Levy> I tend to agree with Baker. | CHANGE> [Armstrong changed vote from REVIEWING to REJECT] | Armstrong> This code does not use fragment overlap. It is simply a large ICMP echo request. | Christey> See the SCO advisory at: | http://www.securityfocus.com/templates/advisory.html?id=1411 | which may further clarify the issue. | LeBlanc> This is a hodge-podge of DoS attacks. Jolt isn't the same | thing as ping of death - POD was an oversized ICMP packet, Jolt froze | Linux and Solaris (and I think not NT), IIRC Jolt2 did get NT boxes. | Teardrop and teardrop2 were related attacks (usually ICMP frag attacks), | but each of these is a distinct vulnerability, affected a discrete group | of systems, and should have distinct CVE numbers. CVE entries should be | precise as to what the problem is. | Meunier> I agree with Leblanc in that Jolt is multi-faceted. Jolt has | characteristics of Ping of Death AND teardrop, but it doesn't do | either exactly. Moreover, it sends a truncated IP fragment. I | disagree with Armstrong; jolt uses overlapping fragments. 
It's not a | simple ping of death either. It may be that the author's intent was | to construct a ""super attack"" somehow combining elements of other | vulnerabilities to try to make it more potent. In any case it | succeeded in confusing the CVE board :-). | | I notice that Jolt uses echo replies (type 0) instead of echo | requests (to get past firewalls?). Jolt is peculiar in that it also | sends numerous overlapping fragments. The ""Pascal Simulator"" :-) says | it sends: | | - 172 fragments of length 400 with offset starting at 5120 and | increasing by about 47 (odd arithmetic of 5120 OR ((n* 380) >> 3)), | which eventually results in sending fragments inside an already | covered area once ((n* 380) >> 3) is greater than 5120, which occurs | when n reaches 108. This would look a bit like TearDrop if | fragments were reassembled on-the-fly. | | - 1 fragment such that the total length of all the fragments | is greater than 65535 (my calculation is 172*380 + 418 = 65778; the | comment about 65538 must be wrong). The last packet is size 418 | according to the IP header but the buffer is of size 400. The sendto | takes as argument the size of the buffer so a truncated packet is | sent. | | So, I am not sure if the problem is because the last packet | doesn't extend to the payload it says it has or because the total size | of all fragments is greater than 65535. The author says it may take | more than one sending, so perhaps this has to do with an incorrect | error handling and recovery. One would need to experiment and isolate | each of those characteristics and test them independently. Inasmuch | as each of those things is likely a different vulnerability, then I | agree with Leblanc that this entry should be split. I'll try that if | I ever get bored. Jolt 2 should also have a different entry (see | below). 
| | Jolt 2 runs in an infinite loop, sending the same fragmented | IP packet, which can pretend to be ""ICMP"" or ""UDP"" data; however this | is meaningless, as it's just a late fragment of an IP packet. The | attack works only as long as packets are sent. According to | http://www.securityfocus.com/archive/1/62170 the packets are | truncated, and would overflow over the 65535 byte limit, which is | similar to Jolt. Note that Jolt does send that much data whereas | jolt2 doesn't. Since jolt2 is simpler and narrower than jolt, and it | has weaker consequences, I believe that it's a different | vulnerability. | | ""Jolt 2 vulnerability causes a temporary denial-of-service in | Windows-type OSes"" would be a title for it." CVE-1999-0346,Entry,"CGI PHP mlog script allows an attacker to read any file on the target server.","BUGTRAQ:19971019 Vulnerability in PHP Example Logging Scripts | BID:713 | URL:http://www.securityfocus.com/bid/713 | XF:http-cgi-php-mlog | OSVDB:3397 | URL:http://www.osvdb.org/3397",,, CVE-1999-0347,Candidate,"Internet Explorer 4.01 allows remote attackers to read local files and spoof web pages via a ""%01"" character in an ""about:"" Javascript URL, which causes Internet Explorer to use the domain specified after the character.","BUGTRAQ:19990126 Javascript ecurity bug in Internet Explorer | URL:http://marc.theaimsgroup.com/?l=bugtraq&m=91745430007021&w=2 | NTBUGTRAQ:19990126 Javascript ecurity bug in Internet Explorer | URL:http://marc.theaimsgroup.com/?l=ntbugtraq&m=91756771207719&w=2",Modified (20051028)," ACCEPT(4) Levy, LeBlanc, Northcutt, Baker | MODIFY(2) Frech, Prosser | REVIEWING(1) Christey"," Prosser> this is a modified Cross-Frame vulnerability that circumvents | the original Cross-Frame Patch. Addressed in MS Bulletin MS99.012 | http://www.microsoft.com/security/bulletins/ms99-012.asp | Christey> Duplicate of CVE-1999-0490? 
| LeBlanc> If Prosser is correct that this is MS99-012, accept | Christey> BUGTRAQ:19990126 Javascript ecurity bug in Internet Explorer | URL:http://marc.theaimsgroup.com/?l=bugtraq&m=91745430007021&w=2 | NTBUGTRAQ:19990128 Javascript %01 bug in Internet Explorer | URL:http://marc.theaimsgroup.com/?l=ntbugtraq&m=91756771207719&w=2 | BID:197 | URL:http://www.securityfocus.com/bid/197 | CHANGE> [Frech changed vote from REVIEWING to MODIFY] | Frech> XF:ie-window-spoof(2069)" CVE-1999-0348,Entry,"IIS ASP caching problem releases sensitive information when two virtual servers share the same physical directory.","NTBUGTRAQ:Jan27,1999 | MSKB:Q197003 | URL:http://support.microsoft.com/default.aspx?scid=kb;[LN];Q197003 | OSVDB:930 | URL:http://www.osvdb.org/930",,, CVE-1999-0349,Entry,"A buffer overflow in the FTP list (ls) command in IIS allows remote attackers to conduct a denial of service and, in some cases, execute arbitrary commands.","EEYE:IIS Remote FTP Exploit/DoS Attack | URL:http://www.eeye.com/html/Research/Advisories/IIS Remote FTP Exploit/DoS Attack.html | MS:MS99-003 | URL:http://www.microsoft.com/technet/security/bulletin/ms99-003.mspx | MSKB:Q188348 | URL:http://support.microsoft.com/default.aspx?scid=kb;[LN];Q188348 | BUGTRAQ:Jan27,1999 | XF:iis-remote-ftp",,, CVE-1999-0350,Entry,"Race condition in the db_loader program in ClearCase gives local users root access by setting SUID bits.","L0PHT:Feb8,1999 | XF:clearcase-temp-race",,, CVE-1999-0351,Entry,"FTP PASV ""Pizza Thief"" denial of service and unauthorized data access. 
Attackers can steal data by connecting to a port that was intended for use by a client.","INFOWAR:01 | MISC:http://attrition.org/security/advisory/misc/infowar/iw_sec_01.txt | XF:pasv-pizza-thief-dos(3389) | URL:http://xforce.iss.net/xforce/xfdb/3389",,, CVE-1999-0352,Candidate,"ControlIT 4.5 and earlier (aka Remotely Possible) has weak password encryption.","ISS:Multiple vulnerabilities in ControlIT(tm) (formerly Remotely Possible/32) enterprise management software | XF:controlit-passwd-encrypt",Proposed (19990721)," ACCEPT(2) Frech, Baker | NOOP(2) Northcutt, Wall | RECAST(1) Ozancin"," Ozancin> Can we combine this with CVE-1999-0356 - ControlIT(tm) 4.5 and earlier uses | weak encryption." CVE-1999-0353,Entry,"rpc.pcnfsd in HP gives remote root access by changing the permissions on the main printer spool directory.","HP:HPSBUX9902-091 | URL:http://www1.itrc.hp.com/service/cki/docDisplay.do?docId=HPSBUX9902-091 | CIAC:J-026 | URL:http://www.ciac.org/ciac/bulletins/j-026.shtml | XF:pcnfsd-world-write",,, CVE-1999-0354,Candidate,"Internet Explorer 4.x or 5.x with Word 97 allows arbitrary execution of Visual Basic programs to the IE client through the Word 97 template, which doesn't warn the user that the template contains executable content. 
Also applies to Outlook when the client views a malicious email message.","NTBUGTRAQ:Jan27,1999 | MS:MS99-002 | URL:http://www.microsoft.com/technet/security/bulletin/ms99-002.asp",Proposed (19990623)," ACCEPT(3) Ozancin, Wall, Baker | MODIFY(1) Frech | NOOP(1) Christey"," Frech> XF:word97-template-macro | Christey> CHANGEREF NTBUGTRAQ:19990127 IE 4/5/Outlook + Word 97 security hole | URL:http://marc.theaimsgroup.com/?l=ntbugtraq&m=91747570922757&w=2 | BID:196 | http://www.securityfocus.com/bid/196 | Christey> MSKB:Q214652 | http://support.microsoft.com/support/kb/articles/q214/6/52.asp" CVE-1999-0355,Entry,"Local or remote users can force ControlIT 4.5 to reboot or force a user to log out, resulting in a denial of service.","ISS:Multiple vulnerabilities in ControlIT(tm) (formerly Remotely Possible/32) enterprise management software | XF:controlit-reboot",,, CVE-1999-0356,Candidate,"ControlIT v4.5 and earlier uses weak encryption to store usernames and passwords in an address book.","ISS:Multiple vulnerabilities in ControlIT(tm) (formerly Remotely Possible/32) enterprise management software | XF:controlit-bookfile-access",Proposed (19990721)," ACCEPT(2) Frech, Baker | NOOP(2) Northcutt, Wall | RECAST(1) Ozancin", CVE-1999-0357,Entry,"Windows 98 and other operating systems allows remote attackers to cause a denial of service via crafted ""oshare"" packets, possibly involving invalid fragmentation offsets.","BUGTRAQ:19990125 Win98 crash? 
| XF:win98-oshare-dos",,, CVE-1999-0358,Entry,"Digital Unix 4.0 has a buffer overflow in the inc program of the mh package.","BUGTRAQ:19990125 Digital Unix 4.0 exploitable buffer overflows | URL:http://www.securityfocus.com/archive/1/12121 | COMPAQ:SSRT0583U | XF:du-inc | CIAC:J-027 | URL:http://www.ciac.org/ciac/bulletins/j-027.shtml",,, CVE-1999-0359,Candidate,"ptylogin in Unix systems allows users to perform a denial of service by locking out modems, dial out with that modem, or obtain passwords.","BUGTRAQ:19990127 UNIX shell modem access vulnerabilities | XF:ptylogin-dos",Proposed (20010214)," ACCEPT(2) Cole, Frech | MODIFY(1) Baker"," Frech> XF:ptylogin-dos | Baker> Should say ""... lock out a modem, ..."" rather than ""... locking out modems...""" CVE-1999-0360,Candidate,"MS Site Server 2.0 with IIS 4 can allow users to upload content, including ASP, to the target web site, thus allowing them to execute commands remotely.","BUGTRAQ:19990130 Security Advisory for Internet Information Server 4 with Site | URL:http://marc.theaimsgroup.com/?l=bugtraq&m=91763097004101&w=2 | NTBUGTRAQ:Jan29,1999",Modified (20000530-01)," ACCEPT(6) Landfield, Cole, Collins, Blake, Northcutt, Wall | MODIFY(3) Frech, LeBlanc, Baker | NOOP(4) Armstrong, Ozancin, Christey, Prosser"," Christey> I can't find the original Bugtraq posting (it appears that | mnemonix discovered the problem). | LeBlanc> - if there was a fix or a KB article, I'd ACCEPT. A vuln based on a | BUGTRAQ posting we can't find could be anything. | Baker> Vulnerability Reference (HTML) Reference Type | http://www.securityfocus.com/archive/1/12218 Misc Defensive InfoVulnerability Reference (HTML) Reference Type | This is the URL for the Bugtraq posting. It was cross posted to | NT Bugtraq as well, but identical text. It was Mnemonix... | Christey> BID:1811 | URL:http://www.securityfocus.com/bid/1811 | Christey> CHANGEREF BUGTRAQ add ""Server 2."" to the subject. | Also standardize NTBUGTRAQ reference title. 
| Christey> Add ""uploadn.asp"" to the description. | CHANGE> [Frech changed vote from REVIEWING to MODIFY] | Frech> XF:siteserver-user-dir-permissions(5384)" CVE-1999-0361,Candidate,"NetWare version of LaserFiche stores usernames and passwords unencrypted, and allows administrative changes without logging.","BUGTRAQ:Jan29,1999",Proposed (19990728)," ACCEPT(1) Baker | MODIFY(1) Frech | NOOP(2) Northcutt, Wall"," Frech> XF:compulink-pw-laserfiche(1679) | Normalize BUGTRAQ reference to: | BUGTRAQ:19990129 Compulink LaserFiche Client/Server - unencrypted passwords" CVE-1999-0362,Entry,"WS_FTP server remote denial of service through cwd command.","EEYE:AD02021999 | URL:http://www.eeye.com/html/Research/Advisories/AD02021999.html | XF:wsftp-remote-dos | BID:217 | URL:http://www.securityfocus.com/bid/217",,, CVE-1999-0363,Entry,"SuSE 5.2 PLP lpc program has a buffer overflow that leads to root compromise.","BUGTRAQ:Feb02,1999 | XF:plp-lpc-bo | BID:328 | URL:http://www.securityfocus.com/bid/328",,, CVE-1999-0364,Candidate,"Microsoft Access 97 stores a database password as plaintext in a foreign mdb, allowing access to data.","BUGTRAQ:19990204 Microsoft Access 97 Stores Database Password as Plaintext | URL:http://marc.theaimsgroup.com/?l=bugtraq&m=91816470220259&w=2",Modified (20000426-01)," ACCEPT(2) LeBlanc, Baker | MODIFY(1) Frech | NOOP(2) Northcutt, Wall"," CHANGE> [Frech changed vote from REVIEWING to MODIFY] | Frech> XF:access-weak-passwords(1774) | An older published reference (from our own Adam) would be | better: | ailab.coderpunks Newsgroup, 1998/06/23 ""Re: MS Access 2.0"" | http://x15.dejanews.com/[ST_rn=ps]/getdoc.xp?AN=365308578&CONTEXT=9192 | 07028.1462108427&hitnum=1" CVE-1999-0365,Entry,"The metamail package allows remote command execution using shell metacharacters that are not quoted in a mailcap entry.","BUGTRAQ:Feb04,1999 | XF:metamail-header-commands",,, CVE-1999-0366,Entry,"In some cases, Service Pack 4 for Windows NT 4.0 can allow access to network 
shares using a blank password, through a problem with a null NT hash value.","MS:MS99-004 | URL:http://www.microsoft.com/technet/security/bulletin/ms99-004.mspx | MSKB:Q214840 | URL:http://support.microsoft.com/default.aspx?scid=kb;[LN];Q214840 | XF:nt-sp4-auth-error",,, CVE-1999-0367,Entry,"NetBSD netstat command allows local users to access kernel memory.","NETBSD:1999-002 | OSVDB:7571 | URL:http://www.osvdb.org/7571",,, CVE-1999-0368,Entry,"Buffer overflows in wuarchive ftpd (wu-ftpd) and ProFTPD lead to remote root access, a.k.a. palmetto.","NETECT:palmetto.ftpd | CERT:CA-99.03 | XF:palmetto-ftpd-bo",,, CVE-1999-0369,Entry,"The Sun sdtcm_convert calendar utility for OpenWindows has a buffer overflow which can gain root access.","SUN:00183 | URL:http://sunsolve.sun.com/pub-cgi/retrieve.pl?doctype=coll&doc=secbull/183 | XF:sun-sdtcm-convert-bo",,, CVE-1999-0370,Candidate,"In Sun Solaris and SunOS, man and catman contain vulnerabilities that allow overwriting arbitrary files.","SUN:00184 | BID:165 | URL:http://www.securityfocus.com/bid/165",Modified (19991210-01)," ACCEPT(4) Dik, Prosser, Northcutt, Baker | MODIFY(1) Frech | REVIEWING(1) Christey"," Frech> Reference: XF:sun-man | Christey> ADDREF CIAC:J-028 | | Is the Linux man symlink problem the same as the one for Sun? 
| See BUGTRAQ:19990602 /tmp symlink problems in SuSE Linux 6.1 | Also see BID:305 | Dik> sun bug 4154565" CVE-1999-0371,Entry,"Lynx allows a local user to overwrite sensitive files through /tmp symlinks.","BUGTRAQ:19990211 Lynx /tmp problem | CERT:VB-97.05.lynx | XF:lynx-temp-files-race",,, CVE-1999-0372,Entry,"The installer for BackOffice Server includes account names and passwords in a setup file (reboot.ini) which is not deleted.","MS:MS99-005 | URL:http://www.microsoft.com/technet/security/bulletin/ms99-005.mspx | XF:nt-backoffice-setup | MSKB:Q217004 | URL:http://support.microsoft.com/default.aspx?scid=kb;[LN];Q217004",,, CVE-1999-0373,Entry,"Buffer overflow in the ""Super"" utility in Debian GNU/Linux, and other operating systems, allows local users to execute commands as root.","ISS:Buffer Overflow in ""Super"" package in Debian Linux | XF:linux-super-bo | XF:linux-super-logging-bo",,, CVE-1999-0374,Entry,"Debian GNU/Linux cfengine package is susceptible to a symlink attack.","DEBIAN:19990215 | BUGTRAQ:Feb16,1999 | XF:linux-cfengine-symlinks",,, CVE-1999-0375,Entry,"Buffer overflow in webd in Network Flight Recorder (NFR) 2.0.2-Research allows remote attackers to execute commands.","NAI:February 16, 1999 | BUGTRAQ:Feb16,1999 | XF:nfr-webd-overflow",,, CVE-1999-0376,Entry,"Local users in Windows NT can obtain administrator privileges by changing the KnownDLLs list to reference malicious programs.","MS:MS99-006 | URL:http://www.microsoft.com/technet/security/bulletin/ms99-006.mspx | BUGTRAQ:Feb20,1999 | L0PHT:Feb18,1999 | XF:nt-knowndlls-list",,, CVE-1999-0377,Entry,"Process table attack in Unix systems allows a remote attacker to perform a denial of service by filling a machine's process tables through multiple connections to network services.","BUGTRAQ:Feb22,1999",,, CVE-1999-0378,Entry,"InterScan VirusWall for Solaris doesn't scan files for viruses when a single HTTP request includes two GET commands.","BUGTRAQ:19990222 BlackHats Advisory -- InterScan 
VirusWall | BUGTRAQ:19990225 Patch for InterScan VirusWall for Unix now available | XF:viruswall-http-request | OSVDB:6167 | URL:http://www.osvdb.org/6167",,, CVE-1999-0379,Entry,"Microsoft Taskpads allows remote web sites to execute commands on the visiting user's machine via certain methods that are marked as Safe for Scripting.","MS:MS99-007 | URL:http://www.microsoft.com/technet/security/bulletin/ms99-007.mspx | BUGTRAQ:19990223 Microsoft Security Bulletin (MS99-007) | BID:498 | URL:http://www.securityfocus.com/bid/498 | OSVDB:1019 | URL:http://www.osvdb.org/1019 | XF:win-resourcekit-taskpads",,, CVE-1999-0380,Entry,"SLMail 3.1 and 3.2 allows local users to access any file in the NTFS file system when the Remote Administration Service (RAS) is enabled by setting a user's Finger File to point to the target file, then running finger on the user.","NTBUGTRAQ:199902225 ALERT: SLMail 3.2 (and 3.1) with the Remote Administration Service | URL:http://marc.theaimsgroup.com/?l=ntbugtraq&m=91999015212415&w=2 | BUGTRAQ:19990225 ALERT: SLMail 3.2 (and 3.1) with the Remote Administration Service | URL:http://marc.theaimsgroup.com/?l=bugtraq&m=91996412724720&w=2 | NTBUGTRAQ:SLmail 3.2 Build 3113 (Web Administration Security Fix) | URL:http://marc.theaimsgroup.com/?l=ntbugtraq&m=92110501504997&w=2 | BID:497 | URL:http://www.securityfocus.com/bid/497 | XF:slmail-ras-ntfs-bypass(5392) | URL:http://xforce.iss.net/static/5392.php",,, CVE-1999-0381,Candidate,"super 3.11.6 and other versions have a buffer overflow in the syslog utility which allows a local user to gain root access.","BUGTRAQ:19990225 SUPER buffer overflow | URL:http://www.securityfocus.com/templates/archive.pike?list=1&msg=Pine.LNX.3.96.990225011801.12757A-100000@eleet | XF:linux-super-logging-bo | BID:342 | URL:http://www.securityfocus.com/bid/342",Proposed (19990726)," ACCEPT(7) Landfield, Cole, Frech, Ozancin, Levy, Blake, Baker | MODIFY(1) Bishop | NOOP(2) Armstrong, Wall | REVIEWING(1) Christey"," Christey> Is 
this the same as CVE-1999-0373? They both have the same | X-Force reference. | | BID:342 suggests that there are two. | | http://www.debian.org/security/1999/19990215a suggests | that there are two. However, CVE-1999-0373 is written up in | a fashion that is too general; and both XF:linux-super-bo and | XF:linux-super-logging-bo refer to CVE-1999-0373. | CVE-1999-0373 may need to be split. | | Frech> From what I can surmise, ISS released the original advisory (attached to | linux-super-bo), and Sekure SDI expanded on it by releasing another related | overflow in syslog (which is linux-super-logging-bo). | | When I was originally assigning these issues, I placed both XF references | and the ISS advisory on the -0373 candidate, since there was nothing else | available. Based on the information above, I'd request that | XF:linux-super-logging-bo be removed from CVE-1999-0373. | Christey> Given Andre's feedback, these are different issues. | CVE-1999-0373 does not need to be split because the ISS | reference is sufficient to distinguish that CVE from this | candidate; however, the CVE-1999-0373 description should | probably be modified slightly. | Bishop> (as indicated by Christey) | CHANGE> [Cole changed vote from NOOP to ACCEPT] | CHANGE> [Christey changed vote from NOOP to REVIEWING] | Christey> There are 2 bugs, as confirmed by the super author at: | BUGTRAQ:19990226 Buffer Overflow in Super (new) | http://www.securityfocus.com/archive/1/12713 | BID:397 also seems to cover this one, and it may cover | CVE-1999-0373 as well." 
CVE-1999-0382,Entry,"The screen saver in Windows NT does not verify that its security context has been changed properly, allowing attackers to run programs with elevated privileges.","MS:MS99-008 | URL:http://www.microsoft.com/technet/security/bulletin/ms99-008.mspx | XF:nt-screen-saver",,, CVE-1999-0383,Entry,"ACC Tigris allows public access without a login.","BUGTRAQ:19990103 Tigris vulnerability | BID:183 | URL:http://www.securityfocus.com/bid/183 | OSVDB:267 | URL:http://www.osvdb.org/267 | XF:acc-tigris-login",,, CVE-1999-0384,Entry,"The Forms 2.0 ActiveX control (included with Visual Basic for Applications 5.0) can be used to read text from a user's clipboard when the user accesses documents with ActiveX content.","XF:forms-vuln-patch | MS:MS99-001 | URL:http://www.microsoft.com/technet/security/bulletin/ms99-001.mspx",,, CVE-1999-0385,Entry,"The LDAP bind function in Exchange 5.5 has a buffer overflow that allows a remote attacker to conduct a denial of service or execute commands.","MS:MS99-009 | URL:http://www.microsoft.com/technet/security/bulletin/ms99-009.mspx | ISS:LDAP Buffer overflow against Microsoft Directory Services | XF:ldap-exchange-overflow | XF:ldap-mds-dos",,, CVE-1999-0386,Entry,"Microsoft Personal Web Server and FrontPage Personal Web Server in some Windows systems allows a remote attacker to read files on the server by using a nonstandard URL.","MS:MS99-010 | URL:http://www.microsoft.com/technet/security/bulletin/ms99-010.mspx | XF:pws-file-access | OSVDB:111 | URL:http://www.osvdb.org/111",,, CVE-1999-0387,Entry,"A legacy credential caching mechanism used in Windows 95 and Windows 98 systems allows attackers to read plaintext network passwords.","MS:MS99-052 | URL:http://www.microsoft.com/technet/security/bulletin/ms99-052.asp | MSKB:Q168115 | URL:http://support.microsoft.com/default.aspx?scid=kb;[LN];Q168115 | BID:829 | URL:http://www.securityfocus.com/bid/829 | XF:9x-plaintext-pwd",,, CVE-1999-0388,Entry,"DataLynx suGuard trusts the 
PATH environment variable to execute the ps command, allowing local users to execute commands as root.","XF:datalynx-suguard-relative-paths | L0PHT:Jan3,1999 | OSVDB:3186 | URL:http://www.osvdb.org/3186",,, CVE-1999-0389,Candidate,"Buffer overflow in the bootp server in the Debian Linux netstd package.","DEBIAN:19990104 | BUGTRAQ:19990103 [SECURITY] New versions of netstd fixes buffer overflows | BID:324 | URL:http://www.securityfocus.com/bid/324",Modified (19991207-01)," ACCEPT(3) Ozancin, Stracener, Baker | MODIFY(1) Frech | REVIEWING(1) Christey"," Christey> Is CVE-1999-0389 a duplicate of CVE-1999-0798? CVE-1999-0389 | has January 1999 dates associated with it, while CVE-1999-0798 | was reported in late December. | | Also, is this the same line of code as CVE-1999-0914? Both are in | the netstd package, it could look like a library problem. | | However, deep in the changelog in the | netstd_3.07-7slink.3.diff on Debian, Herbert Xu includes | the following entry: | | +netstd (3.07-7slink.1) frozen; urgency=high | + | + * bootpd: Applied patch from Redhat as well as a fix for the overflow in | + report() (fixes #30675). | + * netkit-ftp: Applied patch from RedHat that fixes some obscure overflow | + bugs. | + | + -- Herbert Xu Sat, 19 Dec 1998 14:36:48 +1100 | | This tells me that two separate bugs are involved. | | Note that Red Hat posted *some* fix for *some* bootp problem | in June 1998. 
See: | http://www.redhat.com/support/errata/rh42-errata-general.html#bootp | Frech> XF:debian-netstd-bo | Christey> Further analysis indicates that this is a duplicate of CVE-1999-0799 | CHANGE> [Christey changed vote from REJECT to REVIEWING] | Christey> The fix information for BID:324 suggests that there are two | overflows, one of which is in handle_request (bootpd.c) and is | likely related to a file name; but there is another issue in | report (report.c) which also looks like a straightforward | overflow, which would suggest that this is not a duplicate of | CVE-1999-0798 or CVE-1999-0799. | | Note: see comments for CVE-1999-0798 which explain how that | candidate is not related to CVE-1999-0799." CVE-1999-0390,Entry,"Buffer overflow in Dosemu Slang library in Linux.","BUGTRAQ:19990104 Dosemu/S-Lang Overflow + sploit | CALDERA:CSSA-1999-006.1 | URL:ftp://ftp.caldera.com/pub/security/OpenLinux/CSSA-1999-006.1.txt | BID:187 | URL:http://www.securityfocus.com/bid/187",,, CVE-1999-0391,Entry,"The cryptographic challenge of SMB authentication in Windows 95 and Windows 98 can be reused, allowing an attacker to replay the response and impersonate a user.","L0PHT:Jan. 5, 1999",,, CVE-1999-0392,Entry,"Buffer overflow in Thomas Boutell's cgic library version up to 1.05.","BUGTRAQ:Jan10,1999 | XF:http-cgic-library-bo",,, CVE-1999-0393,Entry,"Remote attackers can cause a denial of service in Sendmail 8.8.x and 8.9.2 by sending messages with a large number of headers.","BUGTRAQ:19981212 ** Sendmail 8.9.2 DoS - exploit ** get what you want! 
| BUGTRAQ:19990121 Sendmail 8.8.x/8.9.x bugware | URL:http://marc.theaimsgroup.com/?l=bugtraq&m=91694391227372&w=2 | XF:sendmail-parsing-redirection",,, CVE-1999-0394,Candidate,"DPEC Online Courseware allows an attacker to change another user's password without knowing the original password.","BUGTRAQ:19990115 DPEC Online Courseware",Proposed (19990728)," ACCEPT(1) Baker | NOOP(1) Christey | REJECT(1) Frech"," Frech> If I understand the issue, this HIGHCARD involves insecure web programming. | If I don't understand, mark this as my first NOOP. | Christey> CONFIRM:http://www.securityfocus.com/frames/?content=/templates/archive.pike%3Flist%3D1%26msg%3D19990803132618.16407.qmail%40securityfocus.com | ADDREF BID:565 | URL:http://www.securityfocus.com/vdb/bottom.html?vid=565" CVE-1999-0395,Entry,"A race condition in the BackWeb Polite Agent Protocol allows an attacker to spoof a BackWeb server.","ISS:19990118 Vulnerability in the BackWeb Polite Agent Protocol | URL:http://xforce.iss.net/alerts/advise17.php | XF:backweb-polite-agent-protocol",,, CVE-1999-0396,Entry,"A race condition between the select() and accept() calls in NetBSD TCP servers allows remote attackers to cause a denial of service.","NETBSD:1999-001 | OPENBSD:Feb17,1999 | XF:netbsd-tcp-race",,, CVE-1999-0397,Candidate,"The demo version of the Quakenbush NT Password Appraiser sends passwords across the network in plaintext.","L0PHT:Jan21,1999 | BUGTRAQ:Jan21,1999",Proposed (19990728)," ACCEPT(1) Northcutt | MODIFY(1) Frech | NOOP(1) Baker | REJECT(1) Wall"," Wall> Reject based on beta copy. 
| Frech> XF:quakenbush-pw-appraiser(1652)" CVE-1999-0398,Candidate,"In some instances of SSH 1.2.27 and 2.0.11 on Linux systems, SSH will allow users with expired accounts to login.","BUGTRAQ:19990123 SSH 1.x and 2.x Daemon | BUGTRAQ:19990124 SSH Daemon | XF:ssh-exp-account-access",Modified (20000106-01)," ACCEPT(1) Baker | MODIFY(1) Frech"," Frech> Followups to the bugtraq message (1/24/99) indicate that 1.2.27 was not yet | released. v1.2.26 should be substituted in the description for '27. | XF:ssh-exp-account-access" CVE-1999-0399,Candidate,"The DCC server command in the Mirc 5.5 client doesn't filter characters from file names properly, allowing remote attackers to place a malicious file in a different location, possibly allowing the attacker to execute commands.","BUGTRAQ:19990124 Mirc 5.5 'DCC Server' hole | XF:mirc-dcc-metachar-filename",Modified (20000105-01)," ACCEPT(1) Baker | MODIFY(1) Frech"," Frech> XF:mirc-dcc-metachar-filename" CVE-1999-0400,Candidate,"Denial of service in Linux 2.2.0 running the ldd command on a core file.","BUGTRAQ:19990127 2.2.0 SECURITY (fwd) | XF:linux-kernel-ldd-dos | BID:344 | URL:http://www.securityfocus.com/bid/344",Modified (20000105-01)," ACCEPT(1) Baker | MODIFY(1) Frech"," Frech> BUGTRAQ:Jan27,1999 | (http://www.securityfocus.com/templates/archive.pike?list=1&date=1999-01-22& | msg=Pine.LNX.4.05.9901270538380.539-100000@vitelus.com) | XF:linux-kernel-ldd-dos" CVE-1999-0401,Candidate,"A race condition in Linux 2.2.1 allows local users to read arbitrary memory from /proc files.","BUGTRAQ:19990202 [patch] /proc race fixes for 2.2.1 (fwd) | XF:linux-race-condition-proc",Modified (20000105-01)," ACCEPT(1) Baker | MODIFY(1) Frech"," Frech> XF:linux-race-condition-proc" CVE-1999-0402,Entry,"wget 1.5.3 follows symlinks to change permissions of the target file instead of the symlink itself.","BUGTRAQ:Feb2,1999 | XF:wget-permissions | DEBIAN:19990220",,, CVE-1999-0403,Entry,"A bug in Cyrix CPUs on Linux allows local users to 
perform a denial of service.","BUGTRAQ:19990204 Cyrix bug: freeze in hell, badboy | URL:http://marc.theaimsgroup.com/?l=bugtraq&m=91821080015725&w=2 | XF:cyrix-hang",,, CVE-1999-0404,Entry,"Buffer overflow in the Mail-Max SMTP server for Windows systems allows remote command execution.","BUGTRAQ:Feb14,1999 | XF:mailmax-bo",,, CVE-1999-0405,Entry,"A buffer overflow in lsof allows local users to obtain root privilege.","HERT:002 | BUGTRAQ:Feb18,1999 | DEBIAN:19990220a | XF:lsof-bo | OSVDB:3163 | URL:http://www.osvdb.org/3163",,, CVE-1999-0406,Candidate,"Digital Unix Networker program nsralist has a buffer overflow which allows local users to obtain root privilege.","BUGTRAQ:Feb19,1999 | XF:digital-networker-bo",Proposed (19990728)," ACCEPT(1) Baker | MODIFY(1) Frech"," Frech> In description, change 'which' to 'that'." CVE-1999-0407,Entry,"By default, IIS 4.0 has a virtual directory /IISADMPWD which contains files that can be used as proxies for brute force password attacks, or to identify valid users on the system.","BUGTRAQ:19990209 ALERT: IIS4 allows proxied password attacks over NetBIOS | URL:http://marc.theaimsgroup.com/?l=bugtraq&m=91983486431506&w=2 | BUGTRAQ:19990209 Re: IIS4 allows proxied password attacks over NetBIOS | URL:http://marc.theaimsgroup.com/?l=bugtraq&m=92000623021036&w=2 | XF:iis-iisadmpwd",,, CVE-1999-0408,Entry,"Files created from interactive shell sessions in Cobalt RaQ microservers (e.g. 
.bash_history) are world readable, and thus are accessible from the web server.","BUGTRAQ:19990225 Cobalt root exploit | XF:cobalt-raq-history-exposure | BID:337 | URL:http://www.securityfocus.com/bid/337",,, CVE-1999-0409,Entry,"Buffer overflow in gnuplot in Linux version 3.5 allows local users to obtain root access.","BUGTRAQ:19990304 Linux /usr/bin/gnuplot overflow | XF:gnuplot-home-overflow | BID:319 | URL:http://www.securityfocus.com/bid/319",,, CVE-1999-0410,Entry,"The cancel command in Solaris 2.6 (i386) has a buffer overflow that allows local users to obtain root access.","BUGTRAQ:Mar5,1999 | XF:sol-cancel | BID:293 | URL:http://www.securityfocus.com/bid/293",,, CVE-1999-0411,Candidate,"Several startup scripts in SCO OpenServer Enterprise System v 5.0.4p, including S84rpcinit, S95nis, S85tcp, and S89nfs, are vulnerable to a symlink attack, allowing a local user to gain root access.","BUGTRAQ:Feb19,1999 | XF:sco-startup-scripts",Proposed (19990726)," MODIFY(2) Baker, Frech | NOOP(2) Christey, Wall"," Frech> Neither XFDB nor the BugTraq article (incidentally, shows up as 7 March, not | 19 February) does not mention gaining root access... it says a local user | could | ""delete or overwrite arbitrary files on the system."" | Baker> By overwriting arbitrary files, one could then gain root access. I agree with a minor description change to reflect this. | Christey> Normalize Bugtraq reference to: | BUGTRAQ:19990307 Little exploit for startup scripts (SCO 5.0.4p). 
| http://marc.theaimsgroup.com/?l=bugtraq&m=92087765014242&w=2 | Also, SCO:SB-99.17 | ftp://ftp.sco.com/SSE/security_bulletins/SB-99.17c" CVE-1999-0412,Entry,"In IIS and other web servers, an attacker can attack commands as SYSTEM if the server is running as SYSTEM and loading an ISAPI extension.","BUGTRAQ:Feb19,1999 | XF:iis-isapi-execute | BID:501 | URL:http://www.securityfocus.com/bid/501",,, CVE-1999-0413,Entry,"A buffer overflow in the SGI X server allows local users to gain root access through the X server font path.","SGI:19990301-01-PX | URL:ftp://patches.sgi.com/support/free/security/advisories/19990301-01-PX | XF:irix-font-path-overflow",,, CVE-1999-0414,Entry,"In Linux before version 2.0.36, remote attackers can spoof a TCP connection and pass data to the application layer before fully establishing the connection.","NAI:Linux Blind TCP Spoofing | XF:linux-blind-spoof",,, CVE-1999-0415,Entry,"The HTTP server in Cisco 7xx series routers 3.2 through 4.2 is enabled by default, which allows remote attackers to change the router's configuration.","ISS:19990311 Remote Reconfiguration and Denial of Service Vulnerabilities in Cisco 700 ISDN Routers | CISCO:19990311 Cisco 7xx TCP and HTTP Vulnerabilities | URL:http://www.cisco.com/warp/public/770/7xxconn-pub.shtml | CIAC:J-034 | URL:http://ciac.llnl.gov/ciac/bulletins/j-034.shtml | XF:cisco-router-commands | XF:cisco-web-config",,, CVE-1999-0416,Entry,"Vulnerability in Cisco 7xx series routers allows a remote attacker to cause a system reload via a TCP connection to the router's TELNET port.","ISS:19990311 Remote Reconfiguration and Denial of Service Vulnerabilities in Cisco 700 ISDN Routers | CISCO:19990311 Cisco 7xx TCP and HTTP Vulnerabilities | URL:http://www.cisco.com/warp/public/770/7xxconn-pub.shtml | CIAC:J-034 | URL:http://ciac.llnl.gov/ciac/bulletins/j-034.shtml | XF:cisco-web-crash",,, CVE-1999-0417,Entry,"64 bit Solaris 7 procfs allows local users to perform a denial of service.","BUGTRAQ:Mar9,1999 | 
XF:solaris-psinfo-crash | BID:448 | URL:http://www.securityfocus.com/bid/448 | OSVDB:1001 | URL:http://www.osvdb.org/1001",,, CVE-1999-0418,Candidate,"Denial of service in SMTP applications such as Sendmail, when a remote attacker (e.g. spammer) uses many ""RCPT TO"" commands in the same connection.","BUGTRAQ:19990308 SMTP server account probing | URL:http://marc.theaimsgroup.com/?l=bugtraq&m=92100018214316&w=2",Proposed (20010912)," ACCEPT(1) Cole | MODIFY(1) Frech | NOOP(3) Baker, Foat, Wall | REVIEWING(1) Christey"," Christey> DUPE CVE-1999-0144 and CVE-1999-0250? | Frech> XF:smtp-rctpto-dos(7499)" CVE-1999-0419,Candidate,"When the Microsoft SMTP service attempts to send a message to a server and receives a 4xx error code, it quickly and repeatedly attempts to redeliver the message, causing a denial of service.","BUGTRAQ:19990319 Microsoft's SMTP service broken/stupid | XF:smtp-4xx-error-dos",Modified (20000105-01)," ACCEPT(1) Baker | MODIFY(2) Frech, LeBlanc | REVIEWING(1) Christey"," Frech> XF:smtp-4xx-error-dos | LeBlanc> - if we can find a KB or something that shows that this wasn't just | user error, I'd vote ACCEPT. 
| Christey> David Lemson, Microsoft SMTP Service Program Manager, | posted a followup that said ""We have confirmed this as a | problem..."" | http://marc.theaimsgroup.com/?l=bugtraq&m=92171608127206&w=2" CVE-1999-0420,Entry,"umapfs allows local users to gain root privileges by changing their uid through a malicious mount_umap program.","NETBSD:1999-006",,, CVE-1999-0421,Entry,"During a reboot after an installation of Linux Slackware 3.6, a remote attacker can obtain root access by logging in to the root account without a password.","ISS:Short-Term High-Risk Vulnerability During Slackware 3.6 Network Installations | XF:linux-slackware-install | BID:338 | URL:http://www.securityfocus.com/bid/338 | OSVDB:981 | URL:http://www.osvdb.org/981",,, CVE-1999-0422,Entry,"In some cases, NetBSD 1.3.3 mount allows local users to execute programs in some file systems that have the ""noexec"" flag set.","NETBSD:1999-007",,, CVE-1999-0423,Entry,"Vulnerability in hpterm on HP-UX 10.20 allows local users to gain additional privileges.","HP:HPSBUX9903-093 | URL:http://www1.itrc.hp.com/service/cki/docDisplay.do?docId=HPSBUX9903-093 | XF:hp-hpterm-files",,, CVE-1999-0424,Entry,"talkback in Netscape 4.5 allows a local user to overwrite arbitrary files of another user whose Netscape crashes.","SUSE:Mar18,1999 | XF:netscape-talkback-overwrite",,, CVE-1999-0425,Entry,"talkback in Netscape 4.5 allows a local user to kill an arbitrary process of another user whose Netscape crashes.","SUSE:Mar18,1999 | XF:netscape-talkback-kill",,, CVE-1999-0426,Candidate,"The default permissions of /dev/kmem in Linux versions before 2.0.36 allows IP spoofing.","BUGTRAQ:19990319 The default permissions on /dev/kmem is insecure.",Proposed (19990728)," MODIFY(1) Frech | NOOP(1) Baker | REJECT(1) Christey"," Frech> XF:linux-dev-kmem-spoof | Christey> DUPE CVE-1999-0414 | XF:linux-dev-kmem-spoof does not exist. | Christey> *Now* XF:linux-dev-kmem-spoof(3500) exists..." 
CVE-1999-0427,Candidate,"Eudora 4.1 allows remote attackers to perform a denial of service by sending attachments with long file names.","BUGTRAQ:19990320 Eudora Attachment Buffer Overflow | XF:eudora-long-attachments",Proposed (19990728)," ACCEPT(1) Baker | MODIFY(1) Frech | NOOP(1) Christey"," Frech> Change version number to 4.2beta. Second to last paragraph in bugtraq | reference states: ""Both the Win 95 and Win NT versions, along with the 4.2 | beta of Eudora are affected."" | Christey> This issue seems to have been rediscovered in | BUGTRAQ:20000515 Eudora Pro & Outlook Overflow - too long filenames again | http://marc.theaimsgroup.com/?l=bugtraq&m=95842482413076&w=2 | | Also see | BUGTRAQ:19990320 Eudora Attachment Buffer Overflow | http://marc.theaimsgroup.com/?l=bugtraq&m=92195396912110&w=2 | | Is this a duplicate/subsumed by CVE-1999-0004?" CVE-1999-0428,Entry,"OpenSSL and SSLeay allow remote attackers to reuse SSL sessions and bypass access controls.","BUGTRAQ:19990322 OpenSSL/SSLeay Security Alert | XF:ssl-session-reuse | OSVDB:3936 | URL:http://www.osvdb.org/3936",,, CVE-1999-0429,Entry,"The Lotus Notes 4.5 client may send a copy of encrypted mail in the clear across the network if the user does not set the ""Encrypt Saved Mail"" preference.","BUGTRAQ:19990323 | URL:http://marc.theaimsgroup.com/?l=bugtraq&m=92221437025743&w=2 | BUGTRAQ:19990324 Re: LNotes encryption | URL:http://marc.theaimsgroup.com/?l=bugtraq&m=92241547418689&w=2 | BUGTRAQ:19990326 Lotus Notes Encryption Bug | URL:http://marc.theaimsgroup.com/?l=bugtraq&m=92246997917866&w=2 | BUGTRAQ:19990326 Re: Lotus Notes security advisory | URL:http://marc.theaimsgroup.com/?l=bugtraq&m=92249282302994&w=2 | XF:lotus-client-encryption",,, CVE-1999-0430,Entry,"Cisco Catalyst LAN switches running Catalyst 5000 supervisor software allows remote attackers to perform a denial of service by forcing the supervisor module to reload.","ISS:Remote Denial of Service Vulnerability in Cisco Catalyst Series 
Ethernet Switches | CISCO:Cisco Catalyst Supervisor Remote Reload | XF:cisco-catalyst-crash | OSVDB:1103 | URL:http://www.osvdb.org/1103",,, CVE-1999-0431,Candidate,"Linux 2.2.3 and earlier allow a remote attacker to perform an IP fragmentation attack, causing a denial of service.","BUGTRAQ:19990324 DoS for Linux 2.1.89 - 2.2.3: 0 length fragment bug | XF:linux-zerolength-fragment",Modified (20000106-01)," ACCEPT(1) Baker | MODIFY(1) Frech | NOOP(1) Christey"," Frech> XF:linux-zerolength-fragment | Christey> Consider adding BID:2247" CVE-1999-0432,Entry,"ftp on HP-UX 11.00 allows local users to gain privileges.","HP:HPSBUX9903-094 | URL:http://www1.itrc.hp.com/service/cki/docDisplay.do?docId=HPSBUX9903-094 | XF:hp-ftp",,, CVE-1999-0433,Entry,"XFree86 startx command is vulnerable to a symlink attack, allowing local users to create files in restricted directories, possibly allowing them to gain privileges or cause a denial of service.","SUSE:Mar28,1999 | BUGTRAQ:19990321 X11R6 NetBSD Security Problem | XF:xfree86-temp-directories",,, CVE-1999-0434,Candidate,"XFree86 xfs command is vulnerable to a symlink attack, allowing local users to create files in restricted directories, possibly allowing them to gain privileges or cause a denial of service.","BUGTRAQ:19990331 Bug in xfs | BID:359 | URL:http://www.securityfocus.com/bid/359",Proposed (19990728)," ACCEPT(1) Baker | MODIFY(1) Frech | NOOP(1) Christey"," Frech> XF:xfree86-xfs-symlink-dos | Christey> Is this the same problem as CVE-1999-0433? CVE-1999-0433 | deals with a symlink attack on one file (/tmp/.X11-unix), | while xfs (this candidate) deals with /tmp/.font-unix | XF:xfree86-xfs-symlink-dos doesn't exist. | Christey> ADDREF DEBIAN:19990331 symbolic link can be used to make any file world readable | Note: Debian's advisory says that this is not a problem for Debian." 
CVE-1999-0435,Candidate,"MC/ServiceGuard and MC/LockManager in HP-UX allows local users to gain privileges through SAM.","HP:HPSBUX9903-096",Proposed (19990623)," ACCEPT(2) Baker, Ozancin | MODIFY(1) Frech | NOOP(1) Christey"," Frech> XF:hp-servicegaurd | Christey> ADDREF CIAC:J-039 | Christey> Note the typo in Andre's suggested reference. | Normalize to XF:hp-serviceguard(2046)" CVE-1999-0436,Entry,"Domain Enterprise Server Management System (DESMS) in HP-UX allows local users to gain privileges.","HP:HPSBUX9903-095 | URL:http://www1.itrc.hp.com/service/cki/docDisplay.do?docId=HPSBUX9903-095 | XF:hp-desms-servers",,, CVE-1999-0437,Entry,"Remote attackers can perform a denial of service in WebRamp systems by sending a malicious string to the HTTP port.","ISS:WebRamp Denial of Service Attacks | XF:webramp-device-crash",,, CVE-1999-0438,Entry,"Remote attackers can perform a denial of service in WebRamp systems by sending a malicious UDP packet to port 5353, changing its IP address.","ISS:WebRamp Denial of Service Attacks | XF:webramp-ipchange",,, CVE-1999-0439,Entry,"Buffer overflow in procmail before version 3.12 allows remote or local attackers to execute commands via expansions in the procmailrc configuration file.","BUGTRAQ:19990405 Re: [SECURITY] new version of procmail with security fixes | DEBIAN:19990422 | CALDERA:CSSA-1999:007 | XF:procmail-overflow",,, CVE-1999-0440,Entry,"The byte code verifier component of the Java Virtual Machine (JVM) allows remote execution through malicious web pages.","BUGTRAQ:19990405 Security Hole in Java 2 (and JDK 1.1.x) | URL:http://marc.theaimsgroup.com/?l=bugtraq&m=92333596624452&w=2 | CONFIRM:http://java.sun.com/pr/1999/03/pr990329-01.html | BID:1939 | URL:http://www.securityfocus.com/bid/1939 | XF:java-unverified-code",,, CVE-1999-0441,Entry,"Remote attackers can perform a denial of service in WinGate machines using a buffer overflow in the Winsock Redirector Service.","EEYE:AD02221999 | 
URL:http://www.eeye.com/html/Research/Advisories/AD02221999.html | XF:wingate-redirector-dos | BID:509 | URL:http://www.securityfocus.com/bid/509",,, CVE-1999-0442,Entry,"Solaris ff.core allows local users to modify files.","BUGTRAQ:19990107 really silly ff.core exploit for Solaris | BUGTRAQ:19990108 ff.core exploit on Solaris (2.)7 | BUGTRAQ:19990408 Solaris7 and ff.core | BID:327 | URL:http://www.securityfocus.com/bid/327",,, CVE-1999-0443,Candidate,"Patrol management software allows a remote attacker to conduct a replay attack to steal the administrator password.","BUGTRAQ:19990409 Patrol security bugs | URL:http://www.securityfocus.com/archive/1/13204 | XF:bmc-patrol-replay",Proposed (19990728)," ACCEPT(1) Baker | MODIFY(1) Frech"," Frech> Change ""Patrol management software"" to ""The PATROL management product from | BMC Software""." CVE-1999-0444,Candidate,"Remote attackers can perform a denial of service in Windows machines using malicious ARP packets, forcing a message box display for each packet or filling up log files.","BUGTRAQ:19990412 ARP problem in Windows9X/NT | XF:windows-arp-dos",Modified (20000106-01)," ACCEPT(1) Baker | MODIFY(1) Frech"," Frech> ADDREF: XF:windows-arp-dos" CVE-1999-0445,Entry,"In Cisco routers under some versions of IOS 12.0 running NAT, some packets may not be filtered by input access list filters.","CISCO:Cisco IOS(R) Software Input Access List Leakage with NAT | XF:cisco-natacl-leakage | OSVDB:1104 | URL:http://www.osvdb.org/1104",,, CVE-1999-0446,Entry,"Local users can perform a denial of service in NetBSD 1.3.3 and earlier versions by creating an unusual symbolic link with the ln command, triggering a bug in VFS.","NETBSD:1999-008 | XF:netbsd-vfslocking-panic | OSVDB:7051 | URL:http://www.osvdb.org/7051",,, CVE-1999-0447,Entry,"Local users can gain privileges using the debug utility in the MPE/iX operating system.","HP:HPSBMP9904-006 | URL:http://www1.itrc.hp.com/service/cki/docDisplay.do?docId=HPSBMP9904-006 | 
XF:mpeix-debug",,, CVE-1999-0448,Entry,"IIS 4.0 and Apache log HTTP request methods, regardless of how long they are, allowing a remote attacker to hide the URL they really request.","BUGTRAQ:19990121 IIS 4 Request Logging Security Advisory | XF:iis-http-request-logging",,, CVE-1999-0449,Entry,"The ExAir sample site in IIS 4 allows remote attackers to cause a denial of service (CPU consumption) via a direct request to the (1) advsearch.asp, (2) query.asp, or (3) search.asp scripts.","BUGTRAQ:19990126 IIS 4 Advisory - ExAir sample site DoS | NTBUGTRAQ:19990126 IIS 4 Advisory - ExAir sample site DoS | BUGTRAQ:19990125 Re: [NTSEC] IIS 4 Advisory - ExAir sample site DoS | BID:193 | URL:http://www.securityfocus.com/bid/193 | OSVDB:2 | URL:http://www.osvdb.org/2 | OSVDB:3 | URL:http://www.osvdb.org/3 | OSVDB:4 | URL:http://www.osvdb.org/4 | XF:iis-exair-dos",,, CVE-1999-0450,Candidate,"In IIS, an attacker could determine a real path using a request for a non-existent URL that would be interpreted by Perl (perl.exe).","BUGTRAQ:19990122 Perl.exe and IIS security advisory | BID:194 | URL:http://www.securityfocus.com/bid/194",Modified (20090622)," ACCEPT(2) Ozancin, Wall | NOOP(2) Baker, Christey | REJECT(2) Frech, LeBlanc"," Frech> Can't find in database. | Christey> This looks like another discovery of CVE-2000-0071 | LeBlanc> - I just tried to repro this based on the BUGTRAQ vuln information, | and it does not repro - | GET /bogus.pl HTTP/1.0 | HTTP/1.1 404 Object Not Found | Server: Microsoft-IIS/5.0 | Date: Thu, 05 Oct 2000 21:04:20 GMT | Content-Length: 3243 | Content-Type: text/html | No path is returned whatsoever. This may have been a problem on some version | of IIS in the past, but the BUGTRAQ ID says all versions are vulnerable. | Let's try and figure out what version had the problem, whether it is | intrinsic to IIS or the result of adding a 3rd party implementation of perl, | and when it got fixed, then we can try again. 
| CHANGE> [Frech changed vote from REVIEWING to REJECT] | Christey> Add ""no-such-file.pl"" as an example to the desc, to facilitate | search (it's used by CGI scanners and in the original example)" CVE-1999-0451,Candidate,"Denial of service in Linux 2.0.36 allows local users to prevent any server from listening on any non-privileged port.","BUGTRAQ:Jan19,1999 | BID:343 | URL:http://www.securityfocus.com/bid/343",Proposed (19990726)," ACCEPT(2) Baker, Ozancin | MODIFY(1) Frech | NOOP(1) Wall"," CHANGE> [Frech changed vote from REVIEWING to MODIFY] | Frech> XF:linux-ports-dos(8364)" CVE-1999-0452,Candidate,"A service or application has a backdoor password that was placed there by the developer.","",Proposed (19990726)," ACCEPT(2) Baker, Wall | REJECT(1) Frech"," Frech> Much too broad. Also may be HIGHCARD (or will be in the future). | Baker> I think we want to address this using the dot notation idea. We do need to address this, just not a separate entry for every single occurance." CVE-1999-0453,Candidate,"An attacker can identify a CISCO device by sending a SYN packet to port 1999, which is for the Cisco Discovery Protocol (CDP).","BUGTRAQ:19990118 Remote Cisco Identification",Modified (20040512-02)," ACCEPT(2) Baker, Balinsky | MODIFY(1) Frech | NOOP(2) Northcutt, Wall | REVIEWING(1) Christey"," Frech> XF:cisco-ident(2289) | ADDREF BUGTRAQ:19990118 Remote Cisco Identification | In description, probably better to use ""Cisco"" as product/company name. | Balinsky> CiscoSecure IDS has a signature for this...ID 3602 Cisco IOS Identity. | Christey> There may be a slight abstraction problem here, e.g. look | at the candidate for queso/nmap; also see followup Bugtraq post | from ""Basement Research"" on 19990120 which says that there are | many other features in Cisco products that allow remote | identification. 
| Christey> fix typo: ""Dicsovery""" CVE-1999-0454,Candidate,"A remote attacker can sometimes identify the operating system of a host based on how it reacts to some IP or ICMP packets, using a tool such as nmap or queso.","",Proposed (19990728)," MODIFY(1) Frech | NOOP(2) Christey, Wall | REJECT(2) Baker, Northcutt"," Northcutt> Nmap and queso are the tip of the iceberg and not the most advanced | ways to accomplish this. To pursue making the world signature free | is as much a vulnerability as having signatures, nay more. | Frech> XF:decod-nmap(2053) | XF:decod-queso(2048) | Christey> Add ""fingerprinting"" to facilitate search. | Some references: | MISC:http://www.insecure.org/nmap/nmap-fingerprinting-article.html | BUGTRAQ:19981228 A few more fingerprinting techniques - time and netmask | http://marc.theaimsgroup.com/?l=bugtraq&m=91489155019895&w=2 | BUGTRAQ:19990222 Preventing remote OS detection | http://marc.theaimsgroup.com/?l=bugtraq&m=91971553006937&w=2 | BUGTRAQ:20000901 ICMP Usage In Scanning v2.0 - Research Paper | http://marc.theaimsgroup.com/?l=bugtraq&m=96791499611849&w=2 | BUGTRAQ:20000912 Using the Unused (Identifying OpenBSD, | http://marc.theaimsgroup.com/?l=bugtraq&m=96879267724690&w=2 | BUGTRAQ:20000912 The DF Bit Playground (Identifying Sun Solaris & OpenBSD OSs) | http://marc.theaimsgroup.com/?l=bugtraq&m=96879481129637&w=2 | BUGTRAQ:20000816 TOSing OSs out of the window / Fingerprinting Windows 2000 with | http://marc.theaimsgroup.com/?l=bugtraq&m=96644121403569&w=2 | BUGTRAQ:20000609 p0f - passive os fingerprinting tool | http://marc.theaimsgroup.com/?l=bugtraq&m=96062535628242&w=2 | Baker> I think we can probably reject this as the corollary is that you can identify OS from a IP/TCP packet sent by a system, looking at various parts of the SYN packet. Unless we believe that all systems should always use identical packet header/identical responses, in which case the protocol should not permit variation." 
CVE-1999-0455,Candidate,"The Expression Evaluator sample application in ColdFusion allows remote attackers to read or delete files on the server via exprcalc.cfm, which does not restrict access to the server properly.","ALLAIRE:ASB-001 | XF:coldfusion-expression-evaluator | BID:115 | URL:http://www.securityfocus.com/bid/115",Modified (19991210-01)," ACCEPT(3) Frech, Ozancin, Balinsky | MODIFY(1) Wall | NOOP(1) Baker | REVIEWING(1) Christey"," Wall> The reference should be ASB99-01 (Expression Evaluator Security Issues) | make application plural since there are three sample applications | (openfile.cfm, displayopenedfile.cfm, and exprcalc.cfm). | Christey> The CD:SF-EXEC and CD:SF-LOC content decisions apply here. | Since there are 3 separate ""executables"" with the same | (or similar) problem, we need to make sure that CD:SF-EXEC | determines what to do here. There is evidence that some | of these .cfm scripts have an ""include"" file, and if so, | then CD:SF-LOC says that we shouldn't make separate entries | for each of these scripts. On the other hand, the initial | L0pht discovery didn't include all 3 of these scripts, and | as far as I can tell, Allaire had patched the first problem | before the others were discovered. So, CD:DISCOVERY-DATE | may argue that we should split these because the problems | were discovered and patched at different times. | | In any case, this candidate can not be accepted until the | Editorial Board has accepted the CD:SF-EXEC, CD:SF-LOC, | and CD:DISCOVERY-DATE content decisions." 
CVE-1999-0457,Entry,"Linux ftpwatch program allows local users to gain root privileges.","BUGTRAQ:Jan17,1999 | DEBIAN:19990117 | XF:ftpwatch-vuln | BID:317 | URL:http://www.securityfocus.com/bid/317",,, CVE-1999-0458,Entry,"L0phtcrack 2.5 used temporary files in the system TEMP directory which could contain password information.","BUGTRAQ:Jan6,1999 | XF:l0phtcrack-temp-files | OSVDB:915 | URL:http://www.osvdb.org/915",,, CVE-1999-0459,Candidate,"Local users can perform a denial of service in Alpha Linux, using MILO to force a reboot.","XF:linux-milo-halt",Proposed (19990728)," ACCEPT(1) Frech | NOOP(2) Baker, Northcutt | REJECT(1) Wall"," Wall> Reject based on beta copy." CVE-1999-0460,Candidate,"Buffer overflow in Linux autofs module through long directory names allows local users to perform a denial of service.","BUGTRAQ:19990218 Linux autofs overflow in 2.0.36+ | BID:312 | URL:http://www.securityfocus.com/bid/312",Proposed (19990726)," ACCEPT(2) Baker, Ozancin | MODIFY(1) Frech | NOOP(1) Wall"," CHANGE> [Frech changed vote from REVIEWING to MODIFY] | Frech> XF:linux-autofs-bo(8365)" CVE-1999-0461,Candidate,"Versions of rpcbind including Linux, IRIX, and Wietse Venema's rpcbind allow a remote attacker to insert and delete entries by spoofing a source address.","",Proposed (19990728)," MODIFY(1) Frech | RECAST(1) Baker | REVIEWING(1) Christey"," Frech> ADDREF XF:pmap-sset | Christey> CVE-1999-0195 = CVE-1999-0461 ? | If this is approved over CVE-1999-0195, make sure it gets | XF:pmap-sset | Baker> THis does appear to be a duplicate. We should accept 1999-0195, since it already has the votes and get rid of this one" CVE-1999-0462,Candidate,"suidperl in Linux Perl does not check the nosuid mount option on file systems, allowing local users to gain root access by placing a setuid script in a mountable file system, e.g. 
a CD-ROM or floppy disk.","BUGTRAQ:19990114 Secuity hole with perl (suidperl) and nosuid mounts on Linux | BID:339 | URL:http://www.securityfocus.com/bid/339",Proposed (19990728)," ACCEPT(1) Baker | MODIFY(1) Frech | NOOP(1) Christey"," Frech> XF:perl-suidperl-bo | Christey> XF:perl-suidperl-bo doesn't exist." CVE-1999-0463,Entry,"Remote attackers can perform a denial of service using IRIX fcagent.","SGI:19981201-01-PX | URL:ftp://patches.sgi.com/support/free/security/advisories/19981201-01-PX | XF:sgi-fcagent-dos",,, CVE-1999-0464,Entry,"Local users can perform a denial of service in Tripwire 1.2 and earlier using long filenames.","BUGTRAQ:19990104 Tripwire mess.. | URL:http://marc.theaimsgroup.com/?l=bugtraq&m=91553066310826&w=2 | CONFIRM:http://marc.theaimsgroup.com/?l=bugtraq&m=91592136122066&w=2 | OSVDB:6609 | URL:http://www.osvdb.org/6609",,, CVE-1999-0465,Candidate,"Remote attackers can crash Lynx and Internet Explorer using an IMG tag with a large width parameter.","XF:http-img-overflow",Proposed (19990728)," ACCEPT(2) Frech, Northcutt | NOOP(1) Baker | REJECT(2) LeBlanc, Wall"," Wall> Reject based on client-side DoS | LeBlanc> Client side DOS" CVE-1999-0466,Entry,"The SVR4 /dev/wabi special device file in NetBSD 1.3.3 and earlier allows a local user to read or write arbitrary files on the disk associated with that device.","NETBSD:1999-009 | OSVDB:905 | URL:http://www.osvdb.org/905",,, CVE-1999-0467,Candidate,"The Webcom CGI Guestbook programs wguest.exe and rguest.exe allow a remote attacker to read arbitrary files using the ""template"" parameter.","NTBUGTRAQ:19990409 Webcom's CGI Guestbook for Win32 web servers | XF:http-cgi-webcom-guestbook",Modified (20000106-01)," ACCEPT(4) Landfield, Frech, Ozancin, Blake | NOOP(3) Baker, Christey, Northcutt"," Christey> CVE-1999-0287 is probably a duplicate of CVE-1999-0467. In | NTBUGTRAQ:19990409 Webcom's CGI Guestbook for Win32 web servers | Mnemonix says that he had previously reported on a similar | problem. 
Let's refer to the NTBugtraq posting as | CVE-1999-0467. We will refer to the ""previous report"" as | CVE-1999-0287, which can be found at: | http://oliver.efri.hr/~crv/security/bugs/NT/httpd41.html | | 0287 describes an exploit via the ""template"" hidden variable. | The exploit describes manually editing the HTML form to | change the filename to read from the template variable. | | The exploit as described in 0467 encodes the template variable | directly into the URL. However, hidden variables are also | encoded into the URL, which would have looked the same to | the web server regardless of the exploit. Therefore 0287 | and 0467 are the same. | Christey> | The CD:SF-EXEC content decision also applies here. We have 2 | programs, wguest.exe and rguest.exe, which appear to have the | same problem. CD:SF-EXEC needs to be accepted by the Editorial | Board before this candidate can be converted into a CVE | entry. When finalized, CD:SF-EXEC will decide whether | this candidate should be split or not. | Christey> BID:2024" CVE-1999-0468,Entry,"Internet Explorer 5.0 allows a remote server to read arbitrary files on the client's file system using the Microsoft Scriptlet Component.","MS:MS99-012 | URL:http://www.microsoft.com/technet/security/bulletin/ms99-012.asp | XF:ie-scriplet-fileread | BUGTRAQ:Apr9,1999",,, CVE-1999-0469,Candidate,"Internet Explorer 5.0 allows window spoofing, allowing a remote attacker to spoof a legitimate web site and capture information from the client.","BUGTRAQ:19990409 IE 5.0 security vulnerabilities - %01 bug again | XF:ie-window-spoof",Proposed (19990728)," ACCEPT(1) Wall | NOOP(2) Baker, Northcutt | REJECT(3) Frech, Christey, LeBlanc"," Wall> Reference: Microsoft Security Bulletin MS99-012 | Christey> DUPE CVE-1999-0488 | Frech> Defer to Christey's vote. | However, XF:ie-mshtml-crossframe(2216) assigned to CVE-1999-0488. 
| LeBlanc> Duplicate" CVE-1999-0470,Entry,"A weak encryption algorithm is used for passwords in Novell Remote.NLM, allowing them to be easily decrypted.","BUGTRAQ:19990409 New Novell Remote.NLM Password Decryption Algorithm with Exploit | BID:482 | URL:http://www.securityfocus.com/bid/482 | XF:netware-remotenlm-passwords",,, CVE-1999-0471,Entry,"The remote proxy server in Winroute allows a remote attacker to reconfigure the proxy without authentication through the ""cancel"" button.","XF:winroute-config | BUGTRAQ:Apr9,1999",,, CVE-1999-0472,Entry,"The SNMP default community name ""public"" is not properly removed in NetApps C630 Netcache, even if the administrator tries to disable it.","XF:netcache-snmp | BUGTRAQ:Apr7,1999",,, CVE-1999-0473,Entry,"The rsync command before rsync 2.3.1 may inadvertently change the permissions of the client's working directory to the permissions of the directory being transferred.","BUGTRAQ:19990407 rsync 2.3.1 release - security fix | CALDERA:CSSA-1999:010.0 | DEBIAN:19990823 | BID:145 | URL:http://www.securityfocus.com/bid/145 | XF:rsync-permissions",,, CVE-1999-0474,Entry,"The ICQ Webserver allows remote attackers to use .. 
to access arbitrary files outside of the user's personal directory.","XF:icq-webserver-read | BUGTRAQ:Apr5,1999",,, CVE-1999-0475,Entry,"A race condition in how procmail handles .procmailrc files allows a local user to read arbitrary files available to the user who is running procmail.","XF:procmail-race | BUGTRAQ:Apr5,1999",,, CVE-1999-0476,Candidate,"A weak encryption algorithm is used for passwords in SCO TermVision, allowing them to be easily decrypted by a local user.","BUGTRAQ:19990331 Potential vulnerability in SCO TermVision Windows 95 client | XF:sco-termvision-password",Proposed (19990721)," ACCEPT(3) Baker, Frech, Ozancin | NOOP(3) LeBlanc, Northcutt, Wall", CVE-1999-0477,Candidate,"The Expression Evaluator in the ColdFusion Application Server allows a remote attacker to upload files to the server via openfile.cfm, which does not restrict access to the server properly.","L0PHT:Cold Fusion App Server | XF:coldfusion-expression-evaluator | BID:115 | URL:http://www.securityfocus.com/bid/115",Modified (19991210-01)," ACCEPT(4) Baker, Frech, Ozancin, Christey | REJECT(1) Wall"," Wall> Duplicate of 0455 | Christey> CVE-1999-0477 and CVE-1999-0455 were discovered at different | times. Also, the attack was different. So ""Same Attack"" and | ""Same Time of Discovery"" dictate that these should remain | separate." 
CVE-1999-0478,Entry,"Denial of service in HP-UX sendmail 8.8.6 related to accepting connections.","HP:HPSBUX9904-097 | URL:http://www1.itrc.hp.com/service/cki/docDisplay.do?docId=HPSBUX9904-097 | XF:sendmail-headers-dos",,, CVE-1999-0479,Entry,"Denial of service Netscape Enterprise Server with VirtualVault on HP-UX VVOS systems.","HP:HPSBUX9903-092 | URL:http://www1.itrc.hp.com/service/cki/docDisplay.do?docId=HPSBUX9903-092 | XF:netscape-server-dos",,, CVE-1999-0480,Candidate,"Local attackers can conduct a denial of service in Midnight Commander 4.x with a symlink attack.","BUGTRAQ:19980315 Midnight Commander /tmp race",Modified (20000106-01)," ACCEPT(1) Baker | MODIFY(1) Frech | NOOP(1) Christey"," Frech> XF:midnight-commander-symlink-dos | Christey> XF:midnight-commander-symlink-dos(3505)" CVE-1999-0481,Entry,"Denial of service in ""poll"" in OpenBSD.","OPENBSD:Mar22,1999 | OSVDB:7556 | URL:http://www.osvdb.org/7556",,, CVE-1999-0482,Entry,"OpenBSD kernel crash through TSS handling, as caused by the crashme program.","OPENBSD:Mar21,1999 | OSVDB:7557 | URL:http://www.osvdb.org/7557",,, CVE-1999-0483,Entry,"OpenBSD crash using nlink value in FFS and EXT2FS filesystems.","OPENBSD:Feb25,1999 | OSVDB:6129 | URL:http://www.osvdb.org/6129",,, CVE-1999-0484,Entry,"Buffer overflow in OpenBSD ping.","OPENBSD:Feb23,1999 | OSVDB:6130 | URL:http://www.osvdb.org/6130",,, CVE-1999-0485,Entry,"Remote attackers can cause a system crash through ipintr() in ipq in OpenBSD.","OPENBSD:Feb19,1999 | XF:openbsd-ipintr-race | OSVDB:7558 | URL:http://www.osvdb.org/7558",,, CVE-1999-0486,Candidate,"Denial of service in AOL Instant Messenger when a remote attacker sends a malicious hyperlink to the receiving client, potentially causing a system crash.","BUGTRAQ:19990420 AOL Instant Messenger URL Crash",Modified (20000106-01)," ACCEPT(1) Baker | MODIFY(1) Frech | NOOP(1) Christey"," Frech> XF:aol-im. 
| Christey> XF:aol-im appears to be related to the problem discussed in | BUGTRAQ:19980224 AOL Instant Messanger Bug | | This one is related to BUGTRAQ:19990420 AOL Instant Messenger URL Crash" CVE-1999-0487,Entry,"The DHTML Edit ActiveX control in Internet Explorer allows remote attackers to read arbitrary files.","MS:MS99-011 | URL:http://www.microsoft.com/technet/security/bulletin/ms99-011.mspx | XF:ie-dhtml-control",,, CVE-1999-0488,Candidate,"Internet Explorer 4.0 and 5.0 allows a remote attacker to execute security scripts in a different security context using malicious URLs, a variant of the ""cross frame"" vulnerability.","MS:MS99-012 | URL:http://www.microsoft.com/technet/security/bulletin/ms99-012.asp",Modified (19991205-01)," ACCEPT(2) Baker, Landfield | MODIFY(2) Frech, Wall | NOOP(2) Ozancin, Christey"," Frech> XF:ie-mshtml-crossframe | Wall> (source: MSKB:Q168485) | Christey> CVE-1999-0469 appears to be a duplicate; prefer this one over | that one, since this one has an MS advisory. Confirm with | Microsoft that these are really duplicates. | | Also review CVE-1999-0487, which appears to be a similar | bug." CVE-1999-0489,Candidate,"MSHTML.DLL in Internet Explorer 5.0 allows a remote attacker to paste a file name into the file upload intrinsic control, a variant of ""untrusted scripted paste"" as described in MS:MS98-013.","MS:MS99-015 | URL:http://www.microsoft.com/technet/security/bulletin/ms99-015.asp",Modified (19991205-01)," ACCEPT(1) Levy | MODIFY(1) Wall | NOOP(2) Baker, Ozancin | RECAST(1) Prosser | REJECT(1) Christey | REVIEWING(1) Frech"," Frech> Wasn't Untrusted scripted paste MS98-015? I can find no mention of a | clipboard in either. | I cannot proceed on this one without further clarification. | Wall> (source: MS:MS99-012) | Prosser> agree with Andre here. 
The Untrusted Scripted paste | vulnerability was originally addressed in MS98-015 and it is in the file | upload intrinsic control in which an attacker can paste the name of a file | on the target's drive in the control and a form submission would then send | that file from the attacked machine to the remote web site. This one has | nothing to do with the clipboard. What the advisory mentioned here, | MS99-012, does is replace the MSHTML parsing engine which is supposed to fix | the original Untrusted Scripted Paste issue and a variant, as well as the | two Cross-Frame variants and a privacy issue in IMG SRC. | The vulnerability that allowed reading of a user's clipboard is the Forms | 2.0 Active X control vulnerability discussed in MS99-01 | Christey> The advisory should have been listed as MS99-012. | CVE-1999-0468 describes the untrusted scripted paste problem | in MS99-012. | Frech> Pending response to guidance request. 12/6/01." CVE-1999-0490,Candidate,"MSHTML.DLL in Internet Explorer 5.0 allows a remote attacker to learn information about a local user's files via an IMG SRC tag.","MS:MS99-012 | URL:http://www.microsoft.com/technet/security/bulletin/ms99-012.asp",Modified (19991205-01)," ACCEPT(2) Landfield, Wall | MODIFY(1) Frech | NOOP(2) Baker, Ozancin | REVIEWING(1) Christey"," Frech> XF:ie-scriplet-fileread | Christey> Duplicate of CVE-1999-0347?" 
CVE-1999-0491,Entry,"The prompt parsing in bash allows a local user to execute commands as another user by creating a directory with the name of the command to execute.","BUGTRAQ:19990420 Bash Bug | URL:http://www.securityfocus.com/templates/archive.pike?list=1&msg=Pine.LNX.4.10.9904202114070.6623-100000@smooth.Operator.org | CALDERA:CSSA-1999-008.0 | URL:ftp://ftp.calderasystems.com/pub/OpenLinux/security/CSSA-1999-008.0.txt | BID:119 | URL:http://www.securityfocus.com/bid/119",,, CVE-1999-0492,Candidate,"The ffingerd 1.19 allows remote attackers to identify users on the target system based on its responses.","BUGTRAQ:Apr23,1999",Proposed (19990726)," ACCEPT(3) Armstrong, Collins, Northcutt | MODIFY(4) Baker, Frech, Shostack, Blake | NOOP(4) Landfield, Cole, Christey, Wall | REVIEWING(1) Ozancin"," Shostack> isn't that what finger is supposed to do? | Landfield> Maybe we need a new category of ""unsafe system utilities and protocols"" | Blake> Ffingerd 1.19 allows remote attackers to differentiate valid and invalid | usernames on the target system based on its responses to finger queries. | Christey> CHANGEREF BUGTRAQ [canonicalize] | BUGTRAQ:19990423 Ffingerd privacy issues | http://marc.theaimsgroup.com/?l=bugtraq&m=92488772121313&w=2 | | Here's the nature of the problem. | (1) FFingerd allows users to decide not to be fingered, | printing a message ""That user does not want to be fingered"" | (2) If the fingered user does not exist, then FFingerd's | intended default is to print that the user does not | want to be fingered; however, the error message has a | period at the end. | Thus, ffingerd can allow someone to determine who valid users | on the server are, *in spite of* the intended functionality of | ffingerd itself. Thus this exposure should be viewed in light | of the intended functionality of the application, as opposed | to the common usage of the finger protocol in general. | | Also, the vendor posted a followup and said that a patch was | available. 
See: | http://marc.theaimsgroup.com/?l=bugtraq&m=92489375428016&w=2 | Baker> Vulnerability Reference (HTML) Reference Type | http://www.securityfocus.com/archive/1/13422 Misc Defensive Info | CHANGE> [Frech changed vote from REVIEWING to MODIFY] | Frech> XF:ffinger-user-info(5393)" CVE-1999-0493,Entry,"rpc.statd allows remote attackers to forward RPC calls to the local operating system via the SM_MON and SM_NOTIFY commands, which in turn could be used to remotely exploit other bugs such as in automountd.","CERT:CA-99-05 | URL:http://www.cert.org/advisories/CA-99-05-statd-automountd.html | SUN:00186 | URL:http://sunsolve.sun.com/pub-cgi/retrieve.pl?doctype=coll&doc=secbull/186&type=0&nav=sec.sba | CIAC:J-045 | URL:http://www.ciac.org/ciac/bulletins/j-045.shtml | BUGTRAQ:19990103 SUN almost has a clue! (automountd) | URL:http://marc.theaimsgroup.com/?l=bugtraq&m=91547759121289&w=2 | BID:450 | URL:http://www.securityfocus.com/bid/450",,, CVE-1999-0494,Entry,"Denial of service in WinGate proxy through a buffer overflow in POP3.","XF:wingate-pop3-user-bo",,, CVE-1999-0495,Candidate,"A remote attacker can gain access to a file system using .. (dot dot) when accessing SMB shares.","",Proposed (19990728)," ACCEPT(6) Baker, Cole, Collins, Ozancin, Blake, Northcutt | MODIFY(1) Frech | NOOP(4) Landfield, Armstrong, Bishop, Wall | REVIEWING(2) Levy, Christey"," Frech> XF:nb-dotdotknown(837) | References would be appreciated. We've got no reference for this issue; | confidence rating is consequently low. 
| Levy> Some references: | http://www.securityfocus.com/archive/1/3894 | http://www.securityfocus.com/archive/1/3533 | http://www.securityfocus.com/archive/1/3535" CVE-1999-0496,Entry,"A Windows NT 4.0 user can gain administrative rights by forcing NtOpenProcessToken to succeed regardless of the user's permissions, aka GetAdmin.","MSKB:Q146965 | URL:http://support.microsoft.com/default.aspx?scid=kb;[LN];Q146965 | XF:nt-getadmin | XF:nt-getadmin-present",,, CVE-1999-0497,Candidate,"Anonymous FTP is enabled.","",Modified (20040811)," ACCEPT(1) Shostack | MODIFY(1) Frech | NOOP(2) Baker, Christey | REJECT(1) Northcutt"," Frech> ftp-anon(52) at http://xforce.iss.net/static/52.php | ftp-anon2(543) at http://xforce.iss.net/static/543.php | Christey> Add period to the end of the description. | Baker> Don't know about this, but it may be the only easy way to allow access to data for some folks." CVE-1999-0498,Candidate,"TFTP is not running in a restricted directory, allowing a remote attacker to access sensitive information such as password files.","CERT:CA-91.18.Active.Internet.tftp.Attacks",Modified (19990925-01)," ACCEPT(3) Hill, Blake, Northcutt | MODIFY(1) Frech | NOOP(1) Baker | REVIEWING(1) Christey"," Frech> XF:linux-tftp | Christey> XF:linux-tftp refers to CVE-1999-0183" CVE-1999-0499,Candidate,"NETBIOS share information may be published through SNMP registry keys in NT.","",Proposed (19990721)," ACCEPT(5) Baker, Shostack, Ozancin, Northcutt, Wall | MODIFY(1) Frech | REJECT(1) LeBlanc"," Frech> Change wording to 'Windows NT.' | XF:snmp-netbios | LeBlanc> Share info can be obtained via SNMP queries, but I question | whether this is a vulnerability. The system can be configured not to do | this, and one may argue that SNMP itself is an insecure configuration. | Furthermore, the share information isn't published via registry keys - | the description could refer to more than one actual issue. SNMP is meant | to allow people to obtain information about systems. 
I'm willing to | discuss this with the rest of the board." CVE-1999-0501,Candidate,"A Unix account has a guessable password.","",Proposed (19990714)," ACCEPT(3) Baker, Shostack, Northcutt | RECAST(2) Frech, Meunier | REVIEWING(1) Christey"," Frech> Guessable falls into the class of CVE-1999-0502, since I can guess a | default, null, etc. password. | Suggest changing to something like ""has an existing non-default password | that can be guessed."" | I'm also including default passwords in this entry. | In that vein, we show the following references: | XF:user-password | XF:passwd-username | XF:default-unix-sync | XF:default-unix-4dgifts | XF:default-unix-bin | XF:default-unix-daemon | XF:default-unix-lp | XF:default-unix-me | XF:default-unix-nuucp | XF:default-unix-root | XF:default-unix-toor | XF:default-unix-tour | XF:default-unix-tty | XF:default-unix-uucp | Christey> This candidate is affected by the CD:CF-PASS content decision, | which determines the appropriate level of abstraction to | use for password problems. CD:CF-PASS needs to be accepted | by the Editorial Board before this candidate can be | converted into a CVE entry; the final version of CD:CF-PASS | may require using a different LOA than this candidate is | currently using. | CHANGE> [Meunier changed vote from ACCEPT to RECAST] | Meunier> This relates only to account password technology, so this candidate is | independent of the operating system, application, web site or other | application of this technology. The appropriate (natural) level of | abstraction is therefore without specifying that it is for UNIX. | Change the description to ""An account has a guessable password other | than default, null, blank."" This should satisfy Andre's objection. | | This Candidate should be merged with any candidate relating to | account password technology where ""Unix"" in the original description | can be replaced by something else." 
CVE-1999-0502,Candidate,"A Unix account has a default, null, blank, or missing password.","",Proposed (19990714)," ACCEPT(4) Baker, Shostack, Meunier, Northcutt | MODIFY(1) Frech | REVIEWING(1) Christey"," Frech> XF:passwd-blank | XF:no-pass | XF:dict | XF:sgi-accounts | XF:linux-caldera-lisa | Christey> This candidate is affected by the CD:CF-PASS content decision, | which determines the appropriate level of abstraction to | use for password problems. CD:CF-PASS needs to be accepted | by the Editorial Board before this candidate can be | converted into a CVE entry; the final version of CD:CF-PASS | may require using a different LOA than this candidate is | currently using." CVE-1999-0503,Candidate,"A Windows NT local user or administrator account has a guessable password.","",Proposed (19990714)," ACCEPT(4) Baker, Shostack, Meunier, Northcutt | MODIFY(1) Frech | REVIEWING(1) Christey"," Frech> Note: I am assuming that this entry includes Windows 2000 accounts and | machine/service accounts listed in User Manager. | XF:nt-guess-admin | XF:nt-guess-user | XF:nt-guess-guest | XF:nt-guessed-operpwd | XF:nt-guessed-powerwd | XF:nt-guessed-disabled | XF:nt-guessed-backup | XF:nt-guessed-acctoper-pwd | XF:nt-adminuserpw | XF:nt-guestuserpw | XF:nt-accountuserpw | XF:nt-operator-userpw | XF:nt-service-user-pwd | XF:nt-server-oper-user-pwd | XF:nt-power-user-pwd | XF:nt-backup-operator-userpwd | XF:nt-disabled-account-userpwd | Christey> This candidate is affected by the CD:CF-PASS content decision, | which determines the appropriate level of abstraction to | use for password problems. CD:CF-PASS needs to be accepted | by the Editorial Board before this candidate can be | converted into a CVE entry; the final version of CD:CF-PASS | may require using a different LOA than this candidate is | currently using." 
CVE-1999-0504,Candidate,"A Windows NT local user or administrator account has a default, null, blank, or missing password.","",Proposed (19990714)," ACCEPT(4) Baker, Shostack, Meunier, Northcutt | MODIFY(1) Frech | REVIEWING(1) Christey"," Frech> XF:nt-guestblankpw | XF:nt-adminblankpw | XF:nt-adminnopw | XF:nt-usernopw | XF:nt-guestnopw | XF:nt-accountblankpw | XF:nt-nopw | XF:nt-operator-blankpwd | XF:nt-server-oper-blank-pwd | XF:nt-power-user-blankpwd | XF:nt-backup-operator-blankpwd | XF:nt-disabled-account-blankpwd | Christey> This candidate is affected by the CD:CF-PASS content decision, | which determines the appropriate level of abstraction to | use for password problems. CD:CF-PASS needs to be accepted | by the Editorial Board before this candidate can be | converted into a CVE entry; the final version of CD:CF-PASS | may require using a different LOA than this candidate is | currently using." CVE-1999-0505,Candidate,"A Windows NT domain user or administrator account has a guessable password.","",Proposed (19990714)," ACCEPT(4) Baker, Shostack, Meunier, Northcutt | MODIFY(1) Frech"," Frech> XF:nt-guessed-domain-userpwd | XF:nt-guessed-domain-guestpwd | XF:nt-guessed-domain-adminpwd | XF:nt-domain-userpwd | XF:nt-domain-admin-userpwd | XF:nt-domain-guest-userpwd | XF:win2k-certpub-usrpwd | XF:win2k-dhcpadm-usrpwd | XF:win2k-dnsadm-usrpwd | XF:win2k-entadm-usrpwd | XF:win2k-schema-usrpwd | XF:win2k-guessed-certpub | XF:win2k-guessed-dhcpadm | XF:win2k-guessed-dnsadm | XF:win2k-guessed-entadm | XF:win2k-guessed-schema" CVE-1999-0506,Candidate,"A Windows NT domain user or administrator account has a default, null, blank, or missing password.","",Proposed (19990714)," ACCEPT(4) Baker, Shostack, Meunier, Northcutt | MODIFY(1) Frech"," Frech> XF:nt-domain-admin-blankpwd | XF:nt-domain-admin-nopwd | XF:nt-domain-guest-blankpwd | XF:nt-domain-guest-nopwd | XF:nt-domain-user-blankpwd | XF:nt-domain-user-nopwd | XF:win2k-certpub-blnkpwd | XF:win2k-dhcpadm-blnkpwd | 
XF:win2k-dnsadm-blnkpwd | XF:win2k-entadm-blnkpwd | XF:win2k-schema-blnkpwd" CVE-1999-0507,Candidate,"An account on a router, firewall, or other network device has a guessable password.","",Proposed (19990714)," ACCEPT(4) Baker, Shostack, Meunier, Northcutt | MODIFY(1) Frech"," Frech> XF:firewall-tisopen | XF:firewall-raptoropen | XF:firewall-msopen | XF:firewall-checkpointopen | XF:firewall-ciscoopen" CVE-1999-0508,Candidate,"An account on a router, firewall, or other network device has a default, null, blank, or missing password.","",Proposed (19990714)," ACCEPT(4) Baker, Shostack, Meunier, Northcutt | MODIFY(1) Frech | NOOP(1) Christey"," Frech> Note: Because the distinction between network hardware and software is not | distinct, | the term 'network device' was liberally interpreted. Feel free to reject any | of the | below terms. | XF:default-netranger | XF:cayman-gatorbox | XF:breezecom-default-passwords | XF:default-portmaster | XF:wingate-unpassworded | XF:netopia-unpassworded | XF:default-bay-switches | XF:motorola-cable-default-pass | XF:default-flowpoint | XF:qms-2060-no-root-password | XF:avirt-ras-password | XF:webtrends-rtp-serv-install-password | XF:cisco-bruteforce | XF:cisco-bruteadmin | XF:sambar-server-defaults | XF:management-pfcuser | XF:http-cgi-wwwboard-default | Christey> DELREF XF:avirt-ras-password - does not fit CVE-1999-0508." CVE-1999-0509,Candidate,"Perl, sh, csh, or other shell interpreters are installed in the cgi-bin directory on a WWW site, which allows remote attackers to execute arbitrary commands.","CERT:CA-96.11",Modified (20000114-01)," ACCEPT(2) Northcutt, Wall | MODIFY(1) Frech | NOOP(1) Baker | REVIEWING(1) Christey"," Christey> What is the right level of abstraction to use here? Should | we combine all possible interpreters into a single entry, | or have a different entry for each one? I've often seen | Perl separated from other interpreters - is it included | by default in some Windows web server configurations? 
| Christey> Add tcsh, zsh, bash, rksh, ksh, ash, to support search. | Frech> XF:http-cgi-vuln(146)" CVE-1999-0510,Candidate,"A router or firewall allows source routed packets from arbitrary hosts.","",Proposed (19990726)," ACCEPT(2) Baker, Northcutt | MODIFY(1) Frech"," Frech> XF:source-routing" CVE-1999-0511,Candidate,"IP forwarding is enabled on a machine which is not a router or firewall.","",Proposed (19990726)," ACCEPT(2) Baker, Northcutt | MODIFY(1) Frech"," Frech> XF:ip-forwarding" CVE-1999-0512,Candidate,"A mail server is explicitly configured to allow SMTP mail relay, which allows abuse by spammers.","",Modified (20020427-01)," ACCEPT(3) Baker, Shostack, Northcutt | MODIFY(1) Frech | NOOP(1) Christey"," Frech> XF:smtp-sendmail-relay(210) | XF:ntmail-relay(2257) | XF:exchange-relay(3107) (also assigned to CVE-1999-0682) | XF:smtp-relay-uucp(3470) | XF:sco-sendmail-spam(4342) | XF:sco-openserver-mmdf-spam(4343) | XF:lotus-domino-smtp-mail-relay(6591) | XF:win2k-smtp-mail-relay(6803) | XF:cobalt-poprelayd-mail-relay(6806) | | Candidate implicitly may refer to relaying settings enabled by default, or | the bypass/circumvention of relaying. Both interpretations were used in | assigning this candidate. | Christey> The intention of this candidate is to cover configurations in | which the admin has explicitly enabled relaying. Other cases | in which the application *intends* to prevent relaying, but | there is some specific input that bypasses/tricks it, count | as vulnerabilities (or exposures?) and as such would be | assigned different numbers. | | http://www.sendmail.org/~ca/email/spam.html seems like a good | general resource, as does ftp://ftp.isi.edu/in-notes/rfc2505.txt | Christey> I changed the description to make it more clear that the issue | is that of explicit configuration, as opposed to being the | result of a vulnerability." 
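Christey's comment on CVE-1999-0512 draws a line between a server that is explicitly configured to relay for anyone (the candidate) and a server that intends to refuse relaying but is tricked by a crafted recipient address (a separate issue). The following is an added example, not part of the CVE feed or of any MTA's code: a toy relay policy that models both cases and the probe set an abuse tester would send from an outside client. The domains (mail.example, victim.example), the networks (192.0.2.0/24, 203.0.113.7) and the policy fields are all constructed for illustration; the two routed address forms it handles (the "%" hack and "@hop:user@dest" source routes) are the legacy forms RFC 2505 recommends refusing, but the policy shape is a simplification and not any real MTA's configuration syntax.

```python
"""Added example (not part of the CVE feed): classify SMTP relay attempts.

CVE-1999-0512 covers a server *explicitly configured* to relay for anyone;
the Editorial Board comment separates that from relay *bypasses*, where a
crafted address gets around a check the server intends to enforce. This toy
policy models both. Domains, networks and addresses are constructed for
illustration and the policy shape is not any real MTA's configuration.
"""
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class RelayPolicy:
    local_domains: frozenset                 # domains we deliver locally
    relay_clients: tuple = ()                # networks allowed to relay via us
    open_relay: bool = False                 # the CVE-1999-0512 misconfiguration
    reject_routed_addresses: bool = True     # refuse "%"-hack and source routes


def resolve_route(rcpt: str):
    """Return (routed, final_address) after stripping legacy routing syntax.

    source route  "@hop1,@hop2:user@dest" -> user@dest
    percent hack  "user%dest@hop"         -> user@dest   (applied repeatedly)
    """
    addr = rcpt.strip("<> ")
    routed = False
    if addr.startswith("@"):
        _, _, addr = addr.partition(":")
        routed = True
    local, _, domain = addr.rpartition("@")
    while "%" in local:
        local, _, domain = local.rpartition("%")
        routed = True
    return routed, f"{local}@{domain}".lower()


def literal_domain(rcpt: str) -> str:
    """Domain a naive MTA compares against its local list: the first hop of
    a source route, otherwise whatever follows the last '@'."""
    addr = rcpt.strip("<> ")
    if addr.startswith("@"):
        return addr[1:].split(":", 1)[0].split(",", 1)[0].lower()
    return addr.rpartition("@")[2].lower()


def relay_decision(policy: RelayPolicy, client_ip: str, rcpt: str):
    """Decide what the MTA does with RCPT TO:<rcpt> from client_ip.

    Returns (action, reason) with action in {"accept", "relay", "reject"}.
    """
    routed, final = resolve_route(rcpt)
    final_domain = final.rpartition("@")[2]
    if policy.open_relay:
        return "relay", "explicitly configured open relay (CVE-1999-0512)"
    if routed:
        if policy.reject_routed_addresses:
            return "reject", "routed address refused"
        # Naive MTA: it matches only the literal domain against its local
        # list, accepts, then rewrites the address and forwards it onward.
        # That is a relay *bypass*, the case the comment keeps separate.
        hop = literal_domain(rcpt)
        if hop in policy.local_domains and final_domain not in policy.local_domains:
            return "relay", f"bypass: routed via {hop} to {final_domain}"
    if final_domain in policy.local_domains:
        return "accept", "local delivery"
    ip = ipaddress.ip_address(client_ip)
    if any(ip in net for net in policy.relay_clients):
        return "relay", "client is in relay_clients"
    return "reject", "relaying denied"


# Three constructed configurations for the same site, mail.example.
LOCAL = frozenset({"mail.example"})
INSIDE = (ipaddress.ip_network("192.0.2.0/24"),)
OPEN_RELAY = RelayPolicy(LOCAL, open_relay=True)          # CVE-1999-0512
RESTRICTED = RelayPolicy(LOCAL, relay_clients=INSIDE)
NAIVE = RelayPolicy(LOCAL, relay_clients=INSIDE, reject_routed_addresses=False)

# Probe set sent from an *outside* client (203.0.113.7 is not in INSIDE):
# a plain external recipient plus the two routed forms that try to launder
# it through the local domain.
PROBES = (
    "spamtarget@victim.example",
    "spamtarget%victim.example@mail.example",
    "@mail.example:spamtarget@victim.example",
)


def open_relay_probe(policy: RelayPolicy, client_ip: str = "203.0.113.7"):
    """Map each probe address to the action the policy takes on it."""
    return {p: relay_decision(policy, client_ip, p)[0] for p in PROBES}


def is_open_relay(policy: RelayPolicy) -> bool:
    """True if any outside probe would be relayed, by configuration or bypass."""
    return "relay" in open_relay_probe(policy).values()


if __name__ == "__main__":
    for name, pol in ("open", OPEN_RELAY), ("restricted", RESTRICTED), ("naive", NAIVE):
        print(name, is_open_relay(pol), open_relay_probe(pol))
```

OPEN_RELAY relays every probe because the configuration says so; that is the CVE-1999-0512 case. NAIVE rejects the plain probe yet relays both routed forms, because it checks the literal domain and only then rewrites the address; that is the bypass class Christey says gets its own number. Only RESTRICTED, which refuses routed addresses outright and relays solely for INSIDE clients, rejects all three.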
CVE-1999-0513,Entry,"ICMP messages to broadcast addresses are allowed, allowing for a Smurf attack that can cause a denial of service.","CERT:CA-98.01.smurf | FREEBSD:FreeBSD-SA-98:06 | XF:smurf",,, CVE-1999-0514,Entry,"UDP messages to broadcast addresses are allowed, allowing for a Fraggle attack that can cause a denial of service by flooding the target.","XF:fraggle",,, CVE-1999-0515,Candidate,"An unrestricted remote trust relationship for Unix systems has been set up, e.g. by using a + sign in /etc/hosts.equiv.","",Proposed (19990728)," ACCEPT(2) Baker, Northcutt | MODIFY(1) Frech | REJECT(1) Shostack"," Shostack> Overly broad | Frech> XF:rsh-equiv(111) | Baker> Since this is unrestricted trust, I agree this is a problem" CVE-1999-0516,Candidate,"An SNMP community name is guessable.","",Proposed (19990714)," ACCEPT(4) Baker, Shostack, Meunier, Northcutt | MODIFY(1) Frech | REVIEWING(1) Christey"," Frech> XF:snmp-get-guess | XF:snmp-set-guess | XF:sol-hidden-commstr | XF:hpov-hidden-snmp-comm | Christey> This candidate is affected by the CD:CF-PASS content decision, | which determines the appropriate level of abstraction to | use for password problems. CD:CF-PASS needs to be accepted | by the Editorial Board before this candidate can be | converted into a CVE entry; the final version of CD:CF-PASS | may require using a different LOA than this candidate is | currently using." CVE-1999-0517,Candidate,"An SNMP community name is the default (e.g. public), null, or missing.","",Proposed (19990714)," ACCEPT(4) Baker, Shostack, Meunier, Northcutt | MODIFY(1) Frech | REVIEWING(1) Christey"," Frech> XF:nt-snmp | XF:snmp-comm | XF:snmp-set-any | XF:snmp-get-public | XF:snmp-set-public | XF:snmp-get-any | Christey> This candidate is affected by the CD:CF-PASS content decision, | which determines the appropriate level of abstraction to | use for password problems. 
CD:CF-PASS needs to be accepted | by the Editorial Board before this candidate can be | converted into a CVE entry; the final version of CD:CF-PASS | may require using a different LOA than this candidate is | currently using. | Christey> Consider adding BID:2112" CVE-1999-0518,Candidate,"A NETBIOS/SMB share password is guessable.","",Proposed (19990714)," ACCEPT(5) Baker, Shostack, Meunier, LeBlanc, Northcutt | MODIFY(1) Frech"," Frech> Change description term to NetBIOS. | XF:nt-netbios-perm | XF:sharepass | XF:win95-smb-password | XF:nt-netbios-dict" CVE-1999-0519,Candidate,"A NETBIOS/SMB share password is the default, null, or missing.","",Proposed (19990714)," ACCEPT(5) Baker, Shostack, Meunier, LeBlanc, Northcutt | MODIFY(1) Frech"," Frech> Change description term to NetBIOS. | XF:decod-smb-password-empty | XF:nt-netbios-everyoneaccess | XF:nt-netbios-guestaccess | XF:nt-netbios-allaccess | XF:nt-netbios-open | XF:nt-netbios-write | XF:nt-netbios-shareguest | XF:nt-writable-netbios | XF:nt-netbios-everyoneaccess-printer | XF:nt-netbios-share-print-guest" CVE-1999-0520,Candidate,"A system-critical NETBIOS/SMB share has inappropriate access control.","",Proposed (19990803)," ACCEPT(1) Wall | MODIFY(1) Frech | NOOP(1) Baker | RECAST(1) Northcutt | REJECT(1) LeBlanc | REVIEWING(1) Christey"," Northcutt> I think we need to enumerate the shares and or the access control | Christey> One question is, what is ""inappropriate""? It's probably | very dependent on the policy of the enterprise on which | this is found. And should writable shares be different | from readable shares? (Or file systems, mail spools, etc.) | Yes, the impact may be different, but we could have a | large number of entries for each possible type of access. | A content decision (CD:CF-DATA) needs to be reviewed | and accepted by the Editorial Board in order to resolve | this question. | LeBlanc> Unacceptably vague - agree with Christey's comments. 
| Frech> associated to: | XF:nt-netbios-everyoneaccess(1) | XF:nt-netbios-guestaccess(2) | XF:nt-netbios-allaccess(3) | XF:nt-netbios-open(15) | XF:nt-netbios-write(19) | XF:nt-netbios-shareguest(20) | XF:nt-writable-netbios(26) | XF:nb-rootshare(393) | XF:decod-smb-password-empty(2358)" CVE-1999-0521,Candidate,"An NIS domain name is easily guessable.","",Proposed (19990714)," ACCEPT(4) Baker, Shostack, Meunier, Northcutt | MODIFY(1) Frech | NOOP(1) Christey"," Frech> XF:nis-dom | Christey> Consider http://www.cert.org/advisories/CA-1992-13.html | as well as ftp://ciac.llnl.gov/pub/ciac/bulletin/c-fy92/c-25.ciac-sunos-nis-patch" CVE-1999-0522,Candidate,"The permissions for a system-critical NIS+ table (e.g. passwd) are inappropriate.","CERT:CA-96.10",Proposed (19990803)," ACCEPT(2) Baker, Wall | NOOP(1) Christey | RECAST(1) Northcutt"," Northcutt> Why not say world readable, this is what you do further down in the | file (world exportable in CVE-1999-0554) | Christey> ADDREF AUSCERT:AA-96.02" CVE-1999-0523,Candidate,"ICMP echo (ping) is allowed from arbitrary hosts.","",Proposed (19990726)," MODIFY(1) Meunier | NOOP(1) Baker | REJECT(2) Frech, Northcutt"," Northcutt> (Though I sympathize with this one :) | CHANGE> [Frech changed vote from REVIEWING to REJECT] | Frech> Ping is a utility that can be run on demand; ICMP echo is a | message | type. As currently worded, this candidate seems as if an arbitrary | host | is vulnerable because it is capable of running an arbitrary program | or | function (in this case, ping/ICMP echo). There are many | programs/functions that | 'shouldn't' be on a computer, from a security admin's perspective. | Even if this | were a vulnerability, it would be impacted by CD-HIGHCARD. | Meunier> Every ICMP message type presents a vulnerability or an | exposure, if access is not controlled. By that I mean not only those | in RFC 792, but also those in RFC 1256, 950, and more. 
I think that | the description should be changed to ""ICMP messages are acted upon | without any access control"". ICMP is an error and debugging protocol. | We complain about vendors leaving testing backdoors in their programs. | ICMP is the equivalent for TCP/IP. ICMP should be in the dog house, | unless you are trying to troubleshoot something. MTU discovery is | just a performance tweak -- it's not necessary. I don't know of any | ICMP message type that is necessary if the network is functional. | Limited logging of ICMP messages could be useful, but acting upon them | and allowing the modification of routing tables, the behavior of the | TCP/IP stack, etc... without any form of authentication is just crazy." CVE-1999-0524,Candidate,"ICMP information such as (1) netmask and (2) timestamp is allowed from arbitrary hosts.","MISC:http://descriptions.securescout.com/tc/11010 | MISC:http://descriptions.securescout.com/tc/11011 | MISC:http://kb.vmware.com/selfservice/microsites/search.do?cmd=displayKC&externalId=1434 | OSVDB:95 | URL:http://www.osvdb.org/95 | XF:icmp-netmask(306) | URL:http://xforce.iss.net/xforce/xfdb/306 | XF:icmp-timestamp(322) | URL:http://xforce.iss.net/xforce/xfdb/322",Modified (20070716)," MODIFY(3) Baker, Frech, Meunier | REJECT(1) Northcutt"," Frech> XF:icmp-timestamp | XF:icmp-netmask | Meunier> If this is not merged with 1999-0523 as I commented for that | CVE, then the description should be changed to ""ICMP messages of types | 13 and 14 (timestamp request and reply) and 17 and 18 (netmask request | and reply) are acted upon without any access control"". It's a more | precise and correct language. I believe that this is a valid CVE | entry (it's a common source of vulnerabilities or exposures) even | though I see that the inferred action was ""reject"". Knowing the time | of a host also allows attacks against random number generators that | are seeded with the current time. I want to push to have it accepted. 
| Baker> I agree with the description changes suggested by Pascal" CVE-1999-0525,Candidate,"IP traceroute is allowed from arbitrary hosts.","",Proposed (19990726)," MODIFY(1) Frech | NOOP(1) Baker | REJECT(1) Northcutt"," Frech> XF:traceroute" CVE-1999-0526,Entry,"An X server's access control is disabled (e.g. through an ""xhost +"" command) and allows anyone to connect to the server.","XF:xcheck-keystroke | CERT-VN:VU#704969 | URL:http://www.kb.cert.org/vuls/id/704969",,, CVE-1999-0527,Candidate,"The permissions for system-critical data in an anonymous FTP account are inappropriate. For example, the root directory is writeable by world, a real password file is obtainable, or executable commands such as ""ls"" can be overwritten.","",Proposed (19990803)," ACCEPT(3) Baker, Northcutt, Wall | MODIFY(1) Frech"," Northcutt> That that starts to get specific :) | Frech> ftp-writable-directory(6253) | ftp-write(53) | ""writeable"" in the description should be ""writable.""" CVE-1999-0528,Candidate,"A router or firewall forwards external packets that claim to come from inside the network that the router/firewall is in front of.","",Proposed (19990726)," ACCEPT(3) Baker, Meunier, Northcutt | MODIFY(1) Frech"," Frech> possibly XF:nisd-dns-fwd-check | CHANGE> [Frech changed vote from REVIEWING to MODIFY] | Frech> XF:firewall-external-packet-forwarding(8372)" CVE-1999-0529,Candidate,"A router or firewall forwards packets that claim to come from IANA reserved or private addresses, e.g. 10.x.x.x, 127.x.x.x, 217.x.x.x, etc.","",Proposed (19990726)," ACCEPT(1) Frech | MODIFY(2) Baker, Meunier | REJECT(1) Northcutt"," Northcutt> I have seen ISPs ""assign"" private addresses within their domain | Meunier> A border router or firewall forwards packets that claim to come from IANA | reserved or private addresses, e.g. 10.x.x.x, 127.x.x.x, 217.x.x.x, | etc, outside of their area of validity. 
| CHANGE> [Frech changed vote from REVIEWING to ACCEPT] | Baker> I think the description should be modified to say they accept this type of traffic from an interface not residing on private/reserved network." CVE-1999-0530,Candidate,"A system is operating in ""promiscuous"" mode which allows it to perform packet sniffing.","",Proposed (19990728)," ACCEPT(2) Baker, Northcutt | MODIFY(1) Frech | REJECT(1) Shostack"," Frech> XF:etherstatd(264) | XF:sniffer-attack(778) | XF:decod-packet-capture-remote(1072) | XF:netmon-running(1448) | XF:netxray3-probe(1450) | XF:sol-snoop-getquota-bo(3670) (also assigned to CVE-1999-0974) | Baker> Does pose a problem in non-switched environments" CVE-1999-0531,Candidate,"** REJECT ** DO NOT USE THIS CANDIDATE NUMBER. ConsultIDs: None. Reason: this candidate is solely about a configuration that does not directly introduce security vulnerabilities, so it is more appropriate to cover under the Common Configuration Enumeration (CCE). Notes: the former description is: ""An SMTP service supports EXPN, VRFY, HELP, ESMTP, and/or EHLO.""","",Modified (20080731)," MODIFY(1) Frech | NOOP(1) Christey | RECAST(1) Shostack | REJECT(1) Northcutt"," Shostack> I think expn != vrfy, help, esmtp. | Frech> XF:lotus-domino-esmtp-bo(4499) (also assigned to CVE-2000-0452 and | CVE-2000-1046) | XF:smtp-expn(128) | XF:smtp-vrfy(130) | XF:smtp-helo-bo(886) | XF:smtp-vrfy-bo(887) | XF:smtp-expn-bo(888) | XF:slmail-vrfyexpn-overflow(1721) | XF:smtp-ehlo(323) | | Perhaps add RCPT? If so, add XF:smtp-rcpt(1928) | Christey> XF:smtp-vrfy(130) ?" 
CVE-1999-0532,Candidate,"A DNS server allows zone transfers.","",Proposed (19990726)," MODIFY(1) Frech | NOOP(1) Baker | REJECT(1) Northcutt"," Northcutt> (With split DNS implementations this is quite appropriate) | Frech> XF:dns-zonexfer" CVE-1999-0533,Candidate,"A DNS server allows inverse queries.","",Proposed (19990726)," MODIFY(1) Frech | NOOP(1) Baker | REJECT(1) Northcutt"," Northcutt> (rule of thumb) | Frech> XF:dns-iquery" CVE-1999-0534,Candidate,"A Windows NT user has inappropriate rights or privileges, e.g. Act as System, Add Workstation, Backup, Change System Time, Create Pagefile, Create Permanent Object, Create Token Name, Debug, Generate Security Audit, Increase Priority, Increase Quota, Load Driver, Lock Memory, Profile Single Process, Remote Shutdown, Replace Process Token, Restore, System Environment, Take Ownership, or Unsolicited Input.","",Proposed (19990721)," ACCEPT(5) Baker, Shostack, Ozancin, Christey, Wall | MODIFY(2) Frech, Northcutt"," Northcutt> If we are going to write a laundry list put access to the scheduler in it. | Christey> The list of privileges is very useful for lookup. | Frech> XF:nt-create-token | XF:nt-replace-token | XF:nt-lock-memory | XF:nt-increase-quota | XF:nt-unsol-input | XF:nt-act-system | XF:nt-create-object | XF:nt-sec-audit | XF:nt-add-workstation | XF:nt-manage-log | XF:nt-take-owner | XF:nt-load-driver | XF:nt-profile-system | XF:nt-system-time | XF:nt-single-process | XF:nt-increase-priority | XF:nt-create-pagefile | XF:nt-backup | XF:nt-restore | XF:nt-debug | XF:nt-system-env | XF:nt-remote-shutdown" CVE-1999-0535,Candidate,"A Windows NT account policy for passwords has inappropriate, security-critical settings, e.g. for password length, password age, or uniqueness.","",Proposed (19990721)," ACCEPT(2) Shostack, Wall | MODIFY(2) Baker, Frech | RECAST(2) Ozancin, Northcutt"," Northcutt> inappropriate implies there is appropriate. 
As a guy who has been | monitoring | networks for years I have deep reservations about justifying the existence | of any fixed cleartext password. For appropriate to exist, some ""we"" would | have to establish some criteria for appropriate passwords. | Baker> Perhaps this could be re-worded a bit. The CVE CVE-1999-00582 | specifies ""...settings for lockouts"". To remain consistent with the | other, maybe it should specify ""...settings for passwords"" I think | most people would agree that passwords should be at least 8 | characters; contain letters (upper and lowercase), numbers and at | least one non-alphanumeric; should only be good for a limited time 30-90 | days; and should not contain character combinations from user's prior | 2 or 3 passwords. | Suggested rewrite - | A Windows NT account policy does not enforce reasonable minimum | security-critical settings for passwords, e.g. passwords of sufficient | length, periodic required password changes, or new password uniqueness | Ozancin> What is appropriate? | Frech> XF:nt-autologonpwd | XF:nt-pwlen | XF:nt-maxage | XF:nt-minage | XF:nt-pw-history | XF:nt-user-pwnoexpire | XF:nt-unknown-pwdfilter | XF:nt-pwd-never-expire | XF:nt-pwd-nochange | XF:nt-pwdcache-enable | XF:nt-guest-change-passwords" CVE-1999-0537,Candidate,"A configuration in a web browser such as Internet Explorer or Netscape Navigator allows execution of active content such as ActiveX, Java, Javascript, etc.","",Proposed (19990726)," ACCEPT(1) Wall | NOOP(1) Baker | RECAST(1) Frech | REJECT(1) LeBlanc"," Frech> Good candidate for dot notation. 
| XF:nav-java-enabled | XF:nav-javascript-enabled | XF:ie-active-content | XF:ie-active-download | XF:ie-active-scripting | XF:ie-activex-execution | XF:ie-java-enabled | XF:netscape-javascript | XF:netscape-java | XF:zone-active-scripting | XF:zone-activex-execution | XF:zone-desktop-install | XF:zone-low-channel | XF:zone-file-download | XF:zone-file-launch | XF:zone-java-scripting | XF:zone-low-java | XF:zone-safe-scripting | XF:zone-unsafe-scripting | LeBlanc> Not a vulnerability. These are just checks for configuration | settings that a user might have changed. I understand the need to increase | the number of checks in a scanning product, but don't feel like these belong | in CVE. Scanner vendors could argue that these entries are needed to | keep a common language. | Baker> Not sure about whether we should bother to include this type of issue or not. It does provide a stepping stone for further actions, but in and of itself it isn't a specific vulnerability." CVE-1999-0539,Candidate,"A trust relationship exists between two Unix hosts.","",Proposed (19990728)," MODIFY(1) Frech | NOOP(1) Baker | REJECT(2) Shostack, Northcutt"," Northcutt> Too non-specific | Frech> XF:trusted-host(341) | XF:trust-remote-same(717) | XF:trust-remote-root(718) | XF:trust-remote-nonroot(719) | XF:trust-remote-any(720) | XF:trust-other-host(723) | XF:trust-all-nonroot(726) | XF:trust-any-remote(727) | XF:trust-local-acct(728) | XF:trust-local-any(729) | XF:trust-local-nonroot(730) | XF:trust-all-hosts(731) | XF:nt-trusted-domain(1284) | XF:rsagent-trusted-domainadded(1588) | XF:trust-remote-user(2955) | XF:user-trust-hosts(3074) | XF:user-trust-other-host(3077) | XF:user-trust-remote-account(3079)" CVE-1999-0541,Candidate,"A password for accessing a WWW URL is guessable.","",Proposed (19990714)," ACCEPT(4) Baker, Shostack, Meunier, Northcutt | MODIFY(1) Frech"," Frech> XF:http-password" CVE-1999-0546,Candidate,"The Windows NT guest account is enabled.","",Proposed (19990721)," ACCEPT(5) Baker, 
Shostack, Ozancin, Northcutt, Wall | MODIFY(1) Frech"," Frech> XF:nt-guest-account" CVE-1999-0547,Candidate,"An SSH server allows authentication through the .rhosts file.","",Proposed (19990728)," ACCEPT(2) Baker, Shostack | MODIFY(1) Frech | NOOP(1) Northcutt"," Frech> XF:sshd-rhosts(315)" CVE-1999-0548,Candidate,"A superfluous NFS server is running, but it is not importing or exporting any file systems.","",Proposed (19990728)," ACCEPT(1) Shostack | NOOP(1) Baker | REJECT(1) Northcutt", CVE-1999-0549,Candidate,"Windows NT automatically logs in an administrator upon rebooting.","",Proposed (19990630)," ACCEPT(1) Hill | MODIFY(3) Frech, Ozancin, Blake | NOOP(1) Wall | REJECT(1) Baker"," Wall> Don't know what this is. Don't think it is a vulnerability and would | initially reject. This is different than just renaming the | administrator account. | Frech> Would appreciate more information on this one, as in a reference. | Blake> Reference: XF:nt-autologin | Ozancin> Needs more detail | Baker> I tried to find the XF:nt-autologin reference, and got no matching records from their search engine. | No refs, no details, should reject | CHANGE> [Frech changed vote from REVIEWING to MODIFY] | Frech> XF:nt-autologon(5)" CVE-1999-0550,Candidate,"A router's routing tables can be obtained from arbitrary hosts.","",Proposed (19990726)," ACCEPT(1) Baker | MODIFY(1) Frech | RECAST(1) Northcutt"," Northcutt> Don't you mean obtained by arbitrary hosts | Frech> XF:routed | XF:decod-rip-entry | XF:rip | Baker> Concur with this as a security issue" CVE-1999-0551,Entry,"HP OpenMail can be misconfigured to allow users to run arbitrary commands using malicious print requests.","HP:HPSBUX9804-078 | URL:http://www1.itrc.hp.com/service/cki/docDisplay.do?docId=HPSBUX9804-078 | XF:hp-openmail",,, CVE-1999-0554,Candidate,"NFS exports system-critical data to the world, e.g. 
/ or a password file.","",Proposed (19990803)," ACCEPT(2) Northcutt, Wall | NOOP(1) Baker | REVIEWING(1) Christey"," Christey> A content decision (CD:CF-DATA) needs to be reviewed | and accepted by the Editorial Board in order to resolve | this question." CVE-1999-0555,Candidate,"A Unix account with a name other than ""root"" has UID 0, i.e. root privileges.","",Proposed (19990728)," NOOP(1) Baker | REJECT(2) Shostack, Northcutt"," Northcutt> This is very bogus" CVE-1999-0556,Candidate,"Two or more Unix accounts have the same UID.","",Proposed (19990728)," NOOP(2) Baker, Christey | REJECT(2) Shostack, Northcutt"," Christey> XF:duplicate-uid(876) | Christey> Add terms ""duplicate"" and ""user ID"" to facilitate search. | ftp://ftp.auscert.org.au/pub/auscert/papers/unix_security_checklist" CVE-1999-0559,Candidate,"A system-critical Unix file or directory has inappropriate permissions.","",Proposed (19990803)," ACCEPT(2) Baker, Wall | RECAST(2) Shostack, Northcutt"," Northcutt> Writable other than by root/bin/wheelgroup?" CVE-1999-0560,Candidate,"A system-critical Windows NT file or directory has inappropriate permissions.","",Proposed (19990803)," ACCEPT(2) Baker, Wall | RECAST(1) Northcutt"," Northcutt> I think we should specify these" CVE-1999-0561,Candidate,"IIS has the #exec function enabled for Server Side Include (SSI) files.","",Proposed (19990728)," NOOP(2) Baker, Northcutt | RECAST(1) Shostack | REJECT(1) LeBlanc"," LeBlanc> Does not meet definition of a vulnerability. This function is | just enabled. You can turn it off if you want. if you trust the people | putting up your web pages, this isn't a problem. If you don't, this is | just one of many things you need to change." 
CVE-1999-0562,Candidate,"The registry in Windows NT can be accessed remotely by users who are not administrators.","OVAL:oval:org.mitre.oval:def:1023 | URL:http://oval.mitre.org/repository/data/getDef?id=oval:org.mitre.oval:def:1023",Modified (20061101)," ACCEPT(4) Baker, Shostack, Ozancin, Wall | MODIFY(1) Frech | RECAST(1) Northcutt"," Northcutt> This isn't all or nothing, users may be allowed to access part of the | registry. | Frech> XF:nt-winreg-all | XF:nt-winreg-net" CVE-1999-0564,Candidate,"An attacker can force a printer to print arbitrary documents (e.g. if the printer doesn't require a password) or to become disabled.","",Proposed (19990728)," ACCEPT(2) Baker, Shostack | NOOP(1) Northcutt", CVE-1999-0565,Candidate,"A Sendmail alias allows input to be piped to a program.","",Proposed (19990728)," ACCEPT(1) Northcutt | NOOP(1) Baker | RECAST(1) Shostack | REVIEWING(1) Christey"," Shostack> Is this a default alias? Is my .procmailrc an instance of this? | Christey> It is not entirely clear whether the simple fact that an alias | pipes into a program should be considered a vulnerability. It | all depends on the behavior of that particular program. This | is one of a number of configuration-related issues from the | ""draft"" CVE that came from vulnerability scanners. In | general, when we get to general configuration and ""policy,"" | it becomes more difficult to use the current CVE model to | represent them. So at the very least, this candidate (and | similar ones) should be given close consideration and | discussion before being added to the official CVE list. | | Because this candidate is related to general configuration | issues, and we have not completely determined how to handle | such issues in CVE, this candidate cannot be promoted to an | official CVE entry until such issues are resolved." 
CVE-1999-0566,Entry,"An attacker can write to syslog files from any location, causing a denial of service by filling up the logs, and hiding activities.","XF:ibm-syslogd | XF:syslog-flood",,, CVE-1999-0568,Candidate,"rpc.admind in Solaris is not running in a secure mode.","",Proposed (19990728)," ACCEPT(1) Northcutt | NOOP(2) Baker, Christey | RECAST(2) Dik, Shostack"," Shostack> are there secure modes? | Dik> Several: | 1) there is no ""rpc.admind"" daemon. | there used to be a ""admind"" RPC daemon (100087/10) | and there's now an ""sadmind"" daemon (100232/10) | The switch over was somewhere around Solaris 2.4. | 2) Neither defaults to ""secure mode"" | 3) secure mode is ""using secure RPC"" which does | proper over the wire authentication by specifying | the ""-S 2"" option in inetd.conf | (security level 2) | Christey> XF:rpc-admind(626) | http://xforce.iss.net/static/626.php | MISC:http://pulhas.org/xploitsdb/mUNIXes/admind.html" CVE-1999-0569,Candidate,"A URL for a WWW directory allows auto-indexing, which provides a list of all files in that directory if it does not contain an index.html file.","",Modified (19991130-01)," ACCEPT(1) Wall | NOOP(2) Baker, Christey | REJECT(1) Northcutt"," Northcutt> I do this intentionally sometimes in high content directories | Christey> XF:http-noindex(90) ?" CVE-1999-0570,Candidate,"Windows NT is not using a password filter utility, e.g. PASSFILT.DLL.","",Proposed (19990728)," ACCEPT(1) Northcutt | MODIFY(1) Frech | NOOP(2) Baker, Christey | REJECT(1) Wall"," Northcutt> Here we are crossing into the best practices arena again. However since | passfilt does establish a measurable standard and since we aren't the | ones defining the standard, simply saying it should be employed I will | vote for this. 
| Frech> XF:nt-passfilt-not-inst(1308) | XF:nt-passfilt-not-found(1309) | Christey> Consider MSKB:Q161990 and MSKB:Q151082" CVE-1999-0571,Candidate,"A router's configuration service or management interface (such as a web server or telnet) is configured to allow connections from arbitrary hosts.","BUGTRAQ:Feb5,1999",Modified (20020312-01)," ACCEPT(1) Baker | MODIFY(1) Frech | NOOP(2) Christey, Northcutt"," CHANGE> [Frech changed vote from REVIEWING to MODIFY] | Frech> XF:ascend-config-kill(889) | XF:cisco-ios-crash(1238) | XF:webramp-remote-access(1670) | XF:ascom-timeplex-debug(1824) | XF:netopia-unpassworded(1850) | XF:cisco-web-crash(1886) | XF:cisco-router-commands(1951) | XF:motorola-cable-default-pass(2002) | XF:default-flowpoint(2091) | XF:netgear-router-idle-dos(4003) | XF:cisco-cbos-telnet(4251) | XF:routermate-snmp-community(4290) | XF:cayman-router-dos(4479) | XF:wavelink-authentication(5185) | XF:ciscosecure-ldap-bypass-authentication(5274) | XF:foundry-firmware-telnet-dos(5514) | XF:netopia-view-system-log(5536) | XF:cisco-webadmin-remote-dos(5595) | XF:cisco-cbos-web-access(5626) | XF:netopia-telnet-dos(6001) | XF:cisco-sn-gain-access(6827) | XF:cayman-dsl-insecure-permissions(6841) | XF:linksys-etherfast-reveal-passwords(6949) | XF:zyxel-router-default-password(6968) | XF:cisco-cbos-web-config(7027) | XF:prestige-wan-bypass-filter(7146) | Christey> I changed the description to make it more explicit that this | candidate is about router configuration, as opposed to | vulnerabilities that accidentally make a configuration | service accessible to anyone." 
CVE-1999-0572,Candidate,".reg files are associated with the Windows NT registry editor (regedit), making the registry susceptible to Trojan Horse attacks.","",Modified (20041017)," ACCEPT(4) Baker, Shostack, Ozancin, Wall | MODIFY(1) Frech | NOOP(2) Christey, Northcutt"," Northcutt> I don't quite get what this means, sorry | Frech> XF:nt-regfile(178) | Christey> MISC:http://security-archive.merton.ox.ac.uk/nt-security-199902/0087.html" CVE-1999-0575,Candidate,"A Windows NT system's user audit policy does not log an event success or failure, e.g. for Logon and Logoff, File and Object Access, Use of User Rights, User and Group Management, Security Policy Changes, Restart, Shutdown, and System, and Process Tracking.","",Proposed (19990721)," ACCEPT(4) Shostack, Ozancin, Christey, Wall | MODIFY(1) Frech | RECAST(2) Baker, Northcutt"," Northcutt> It isn't a great truth that you should enable all of the above, if you | do you potentially introduce a vulnerability of filling up the file | system with stuff you will never look at. | Ozancin> It is far less interesting what a user does successfully than what they | attempt and fail at. | Christey> The list of event types is very useful for lookup. | Frech> XF:nt-system-audit | XF:nt-logon-audit | XF:nt-object-audit | XF:nt-privil-audit | XF:nt-process-audit | XF:nt-policy-audit | XF:nt-account-audit | CHANGE> [Baker changed vote from REVIEWING to RECAST]" CVE-1999-0576,Candidate,"A Windows NT system's file audit policy does not log an event success or failure for security-critical files or directories.","",Proposed (19990721)," ACCEPT(3) Baker, Shostack, Wall | MODIFY(2) Frech, Ozancin | REJECT(1) Northcutt"," Northcutt> 1.) Too general are we ready to state what the security-critical files | and directories are | 2.) Does Ataris, Windows CE, PalmOS, Linux have such a capability | Ozancin> Some files and directories are clearly understood to be critical. Others are | unclear. We need to clarify what critical is. 
| Frech> XF:nt-object-audit" CVE-1999-0577,Candidate,"A Windows NT system's file audit policy does not log an event success or failure for non-critical files or directories.","",Proposed (19990721)," ACCEPT(2) Shostack, Wall | MODIFY(3) Baker, Frech, Ozancin | REJECT(1) Northcutt"," Ozancin> It is far less interesting what a user does successfully than what they | attempt and fail at. | Perhaps only failure should be logged. | Frech> XF:nt-object-audit | CHANGE> [Baker changed vote from REVIEWING to MODIFY] | Baker> Failure on non-critical files is what should be monitored." CVE-1999-0578,Candidate,"A Windows NT system's registry audit policy does not log an event success or failure for security-critical registry keys.","",Proposed (19990721)," ACCEPT(4) Baker, Shostack, Ozancin, Wall | MODIFY(1) Frech | REJECT(1) Northcutt"," Ozancin> with reservation | Again what is defined as critical | CHANGE> [Frech changed vote from REVIEWING to MODIFY] | Frech> XF:nt-object-audit(228)" CVE-1999-0579,Candidate,"A Windows NT system's registry audit policy does not log an event success or failure for non-critical registry keys.","",Proposed (19990721)," ACCEPT(3) Baker, Shostack, Wall | MODIFY(2) Frech, Ozancin | REJECT(1) Northcutt"," Ozancin> Again only failure may be of interest. It would be impractical to wade | through the incredibly large amount of logging that this would generate. It | could overwhelm log entries that you might find interesting. | CHANGE> [Frech changed vote from REVIEWING to MODIFY] | Frech> XF:nt-object-audit(228)" CVE-1999-0580,Candidate,"The HKEY_LOCAL_MACHINE key in a Windows NT system has inappropriate, system-critical permissions.","",Proposed (19990803)," ACCEPT(1) Wall | NOOP(1) Baker | RECAST(1) Northcutt"," Northcutt> I think we can define appropriate, take a look at the nt security .pdf | and see if you can't see a way to phrase specific keys in a way that | defines inappropriate. | Baker> This is way vague..." 
CVE-1999-0581,Candidate,"The HKEY_CLASSES_ROOT key in a Windows NT system has inappropriate, system-critical permissions.","",Proposed (19990803)," ACCEPT(1) Wall | NOOP(1) Baker | RECAST(1) Northcutt"," Northcutt> I think we can define appropriate, take a look at the nt security .pdf | and see if you can't see a way to phrase specific keys in a way that | defines inappropriate. | Baker> way too vague" CVE-1999-0582,Candidate,"A Windows NT account policy has inappropriate, security-critical settings for lockout, e.g. lockout duration, lockout after bad logon attempts, etc.","",Proposed (19990721)," ACCEPT(3) Shostack, Ozancin, Wall | MODIFY(2) Baker, Frech | REJECT(1) Northcutt"," Northcutt> The definition is? | Baker> Maybe a rewording of this one too. I think most people would agree on | some ""minimum"" policies like 3-5 bad attempts lockout for an hour or | until the administrator unlocks the account. | Suggested rewrite - | A Windows NT account policy does not enforce reasonable minimum | security-critical settings for lockouts, e.g. lockout duration, | lockout after bad logon attempts, etc. | Ozancin> with reservations | What is appropriate? | Frech> XF:nt-thres-lockout | XF:nt-lock-duration | XF:nt-lock-window | XF:nt-perm-lockout | XF:lockout-disabled" CVE-1999-0583,Candidate,"There is a one-way or two-way trust relationship between Windows NT domains.","",Proposed (19990728)," NOOP(2) Baker, Christey | REJECT(2) Shostack, Northcutt"," Christey> XF:nt-trusted-domain(1284)" CVE-1999-0584,Candidate,"A Windows NT file system is not NTFS.","",Proposed (19990728)," ACCEPT(2) Northcutt, Wall | MODIFY(1) Frech | NOOP(2) Baker, Christey"," Wall> NTFS partition provides the security. This could be re-worded | to ""A Windows NT file system is FAT"" since it is either NTFS or FAT | and FAT is less secure. 
| Frech> XF:nt-filesys(195) | Christey> MSKB:Q214579 | MSKB:Q214579 | http://support.microsoft.com/support/kb/articles/Q100/1/08.ASP" CVE-1999-0585,Candidate,"A Windows NT administrator account has the default name of Administrator.","",Proposed (19990721)," ACCEPT(1) Ozancin | MODIFY(1) Frech | REJECT(3) Baker, Shostack, Northcutt | REVIEWING(1) Wall"," Wall> Some sources say this is not a vulnerability, but a warning. It just | slows down the search for the admin account (SID = 500) which can | always be found. | Northcutt> I change this on all NT systems I am responsible for, but is | root a vulnerability? | Baker> There are ways to identify the administrator account anyway, so this | is only a minor delay to someone that is knowledgeable. This, in and | of itself, doesn't really strike me as a vulnerability, anymore than | the root account on a Unix box. | Shostack> (there is no way to hide the account name today) | Frech> XF:nt-adminexists" CVE-1999-0586,Candidate,"A network service is running on a nonstandard port.","",Proposed (19990728)," NOOP(1) Baker | RECAST(1) Shostack | REJECT(1) Northcutt"," Shostack> Might be acceptable if clearer; is that a standard service on a | non-standard port, or any service on an unassigned port? | Baker> It might actually be an enhancement rather than a problem to run a service on a non-standard port" CVE-1999-0587,Candidate,"A WWW server is not running in a restricted file system, e.g. through a chroot, thus allowing access to system-critical data.","",Proposed (19990803)," ACCEPT(1) Wall | NOOP(1) Baker | RECAST(1) Northcutt"," Northcutt> While I would accept this for Unix, I am not sure this applies to NT, | VMS, palm pilots, or commodore 64" CVE-1999-0588,Candidate,"A filter in a router or firewall allows unusual fragmented packets.","",Proposed (19990726)," MODIFY(2) Baker, Frech | REJECT(1) Northcutt"," Northcutt> I want to vote to accept this one, but unusual is a shade broad. 
| Frech> XF:nt-rras | XF:cisco-fragmented-attacks | XF:ip-frag | Baker> Perhaps we should use the word abnormally fragmented or some other descriptor." CVE-1999-0589,Candidate,"A system-critical Windows NT registry key has inappropriate permissions.","",Proposed (19990803)," ACCEPT(1) Wall | NOOP(1) Baker | RECAST(2) Christey, Northcutt"," Northcutt> I think we can define appropriate, take a look at the nt security .pdf | and see if you can't see a way to phrase specific keys in a way that | defines inappropriate. | Christey> Upon further reflection, this is too high-level for CVE. | Specific registry keys with bad permissions is roughly | equivalent to Unix configuration files that have bad | permissions; those permission problems can be created by | any vendor, not just a specific one. Therefore this | candidate should be RECAST into each separate registry | key that has this problem." CVE-1999-0590,Candidate,"A system does not present an appropriate legal message or warning to a user who is accessing it.","",Proposed (19990728)," ACCEPT(2) Baker, Northcutt | MODIFY(1) Christey | RECAST(1) Shostack"," Christey> ADDREF CIAC:J-043 | URL:http://ciac.llnl.gov/ciac/bulletins/j-043.shtml | Also add ""banner"" to the description to facilitate search. | Baker> Should be in place wherever it is possible" CVE-1999-0591,Candidate,"An event log in Windows NT has inappropriate access permissions.","",Proposed (19990803)," ACCEPT(2) Baker, Wall | RECAST(1) Northcutt"," Northcutt> splain Lucy, splain" CVE-1999-0592,Candidate,"The Logon box of a Windows NT system displays the name of the last user who logged in.","",Proposed (19990728)," MODIFY(1) Frech | NOOP(2) Baker, Christey | REJECT(2) Northcutt, Wall"," Wall> Information gathering, not vulnerability | Northcutt> Ah a C2 weenie must have snuck this in, this can be a good thing | not just vulnerability | Frech> XF:nt-display-last-username(1353) | Use it if you will. 
:-) If not, let us know so I can remove the CAN | reference from our database. | Christey> MSKB:Q114463 | http://support.microsoft.com/support/kb/articles/q114/4/63.asp" CVE-1999-0593,Candidate,"The default setting for the Winlogon key entry ShutdownWithoutLogon in Windows NT allows users with physical access to shut down a Windows NT system without logging in.","MISC:http://www.microsoft.com/technet/archive/winntas/deploy/confeat/06wntpcc.mspx?mfr=true",Modified (20070307)," ACCEPT(1) Wall | MODIFY(1) Frech | NOOP(1) Baker | REJECT(1) Northcutt"," Wall> Still a denial of service. | Northcutt> May well be appropriate | Frech> XF:nt-shutdown-without-logon(1291)" CVE-1999-0594,Candidate,"A Windows NT system does not restrict access to removable media drives such as a floppy disk drive or CDROM drive.","",Proposed (19990728)," ACCEPT(1) Wall | MODIFY(1) Frech | NOOP(2) Baker, Christey | REJECT(1) Northcutt"," Wall> Perhaps it can be re-worded to ""removable media drives | such as a floppy disk drive or CDROM drive can be accessed (shared) in a | Windows NT system."" | Northcutt> - what good is my NT w/o its floppy | Frech> XF:nt-allocate-cdroms(1294) | XF:nt-allocate-floppy(1318) | Christey> MSKB:Q172520 | URL:http://support.microsoft.com/support/kb/articles/q172/5/20.asp" CVE-1999-0595,Candidate,"A Windows NT system does not clear the system page file during shutdown, which might allow sensitive information to be recorded.","MSKB:Q182086",Proposed (19990728)," ACCEPT(2) Baker, Wall | MODIFY(1) Frech | NOOP(1) Northcutt"," Frech> XF:nt-clearpage(216) | XF:reg-pagefile-clearing(2551)" CVE-1999-0596,Candidate,"A Windows NT log file has an inappropriate maximum size or retention period.","",Proposed (19990728)," MODIFY(1) Frech | NOOP(1) Baker | REJECT(2) Northcutt, Wall"," Northcutt> define appropriate | Frech> XF:reg-app-log-small(2521) | XF:reg-sec-log-maxsize(2577) | XF:reg-sys-log-small(2586)" CVE-1999-0597,Candidate,"A Windows NT account policy does not forcibly 
disconnect remote users from the server when their logon hours expire.","",Proposed (19990728)," ACCEPT(1) Northcutt | MODIFY(1) Frech | NOOP(1) Baker | REJECT(1) Wall"," Frech> XF:nt-forced-logoff(1343)" CVE-1999-0598,Candidate,"A network intrusion detection system (IDS) does not properly handle packets that are sent out of order, allowing an attacker to escape detection.","",Proposed (19990726)," ACCEPT(3) Baker, Armstrong, Northcutt | NOOP(1) Frech | REVIEWING(1) Christey"," Frech> Waiting for CIEL. | Christey> This is a design flaw, along with the other reported IDS | problems; at least reference Ptacek/Newsham's paper. | Christey> URL:http://www.robertgraham.com/mirror/Ptacek-Newsham-Evasion-98.html" CVE-1999-0599,Candidate,"A network intrusion detection system (IDS) does not properly handle packets with improper sequence numbers.","",Proposed (19990726)," ACCEPT(2) Baker, Northcutt | NOOP(1) Frech | REVIEWING(1) Christey"," Frech> Waiting for CIEL. | Christey> This is a design flaw, along with the other reported IDS | problems; at least reference Ptacek/Newsham's paper. | Christey> URL:http://www.robertgraham.com/mirror/Ptacek-Newsham-Evasion-98.html" CVE-1999-0600,Candidate,"A network intrusion detection system (IDS) does not verify the checksum on a packet.","",Proposed (19990726)," ACCEPT(2) Baker, Northcutt | NOOP(1) Frech | REVIEWING(1) Christey"," Frech> Waiting for CIEL. | Christey> This is a design flaw, along with the other reported IDS | problems; at least reference Ptacek/Newsham's paper. | Christey> URL:http://www.robertgraham.com/mirror/Ptacek-Newsham-Evasion-98.html" CVE-1999-0601,Candidate,"A network intrusion detection system (IDS) does not properly handle data within TCP handshake packets.","",Proposed (19990726)," ACCEPT(2) Baker, Northcutt | NOOP(1) Frech | REVIEWING(1) Christey"," Frech> Waiting for Godot, er, CIEL. | Christey> This is a design flaw, along with the other reported IDS | problems; at least reference Ptacek/Newsham's paper. 
| Christey> URL:http://www.robertgraham.com/mirror/Ptacek-Newsham-Evasion-98.html" CVE-1999-0602,Candidate,"A network intrusion detection system (IDS) does not properly reassemble fragmented packets.","",Proposed (19990726)," ACCEPT(2) Baker, Northcutt | NOOP(1) Frech | REVIEWING(1) Christey"," Frech> Waiting for CIEL. | Christey> This is a design flaw, along with the other reported IDS | problems; at least reference Ptacek/Newsham's paper. | Christey> URL:http://www.robertgraham.com/mirror/Ptacek-Newsham-Evasion-98.html" CVE-1999-0603,Candidate,"In Windows NT, an inappropriate user is a member of a group, e.g. Administrator, Backup Operators, Domain Admins, Domain Guests, Power Users, Print Operators, Replicators, System Operators, etc.","",Proposed (19990728)," MODIFY(1) Frech | NOOP(1) Baker | REJECT(2) Wall, Northcutt"," Frech> XF:nt-system-operator | XF:nt-admin-group | XF:nt-replicator | XF:nt-print-operator | XF:nt-power-user | XF:nt-guest-in-group | XF:nt-backup-operator | XF:nt-domain-admin | XF:nt-domain-guest | XF:win2k-acct-oper-grp | XF:win2k-admin-grp | XF:win2k-backup-oper-grp | XF:win2k-certpublishers-grp | XF:win2k-dhcp-admin-grp | XF:win2k-dnsadm-grp | XF:win2k-domainadm-grp | XF:win2k-entadm-grp | XF:win2k-printoper-grp | XF:win2k-replicator-grp | XF:win2k-schemaadm-grp | XF:win2k-serveroper-grp | You asked for it... :-) Use or reject at your discretion. If rejected, | please let us know so we can remove CAN references from database." 
CVE-1999-0604,Candidate,"An incorrect configuration of the WebStore 1.0 shopping cart CGI program ""web_store.cgi"" could disclose private information.","BUGTRAQ:19990420 Shopping Carts exposing CC data | URL:http://marc.theaimsgroup.com/?l=bugtraq&m=92462991805485&w=2",Proposed (19990728)," ACCEPT(1) Baker | MODIFY(1) Frech | NOOP(2) Wall, Northcutt"," Frech> XF:webstore-misconfig(3861)" CVE-1999-0605,Candidate,"An incorrect configuration of the Order Form 1.0 shopping cart CGI program could disclose private information.","BUGTRAQ:19990420 Shopping Carts exposing CC data | URL:http://marc.theaimsgroup.com/?l=bugtraq&m=92462991805485&w=2",Proposed (19990728)," ACCEPT(1) Baker | MODIFY(1) Frech | NOOP(3) Wall, Christey, Northcutt"," Frech> XF:orderform-misconfig(3860) | Christey> BID:2021 | Christey> Mention affected files: order_log_v12.dat and order_log.dat | fix version number (1.2)" CVE-1999-0606,Candidate,"An incorrect configuration of the EZMall 2000 shopping cart CGI program ""mall2000.cgi"" could disclose private information.","BUGTRAQ:19990420 Shopping Carts exposing CC data | URL:http://marc.theaimsgroup.com/?l=bugtraq&m=92462991805485&w=2",Proposed (19990728)," ACCEPT(1) Baker | MODIFY(1) Frech | NOOP(3) Wall, Christey, Northcutt"," Frech> XF:ezmall2000-misconfig(3859) | Christey> Add mall_log_files/order.log to desc" CVE-1999-0607,Candidate,"quikstore.cgi in QuikStore shopping cart stores quikstore.cfg under the web document root with insufficient access control, which allows remote attackers to obtain the cleartext administrator password and gain privileges.","BUGTRAQ:19990420 Shopping Carts exposing CC data | URL:http://marc.theaimsgroup.com/?l=bugtraq&m=92462991805485&w=2",Modified (20060608)," ACCEPT(1) Baker | MODIFY(1) Frech | NOOP(3) Wall, Christey, Northcutt"," Frech> XF:quikstore-misconfig(3858) | Christey> http://www.quikstore.com/help/pages/Security/security.htm says: | | ""It is IMPORTANT that during the setup of the QuikStore program, you | 
check to make sure that the cgi-bin or executable program directory | of your web site not be viewable from the outside world. You don't | want the users to have access to your programs or log files that could | be stored there! | | ... | | If you can view or download these files from the browser, someone | else can too"" | | So is this a configuration problem? See the configuration file at | http://www.quikstore.com/help/pages/Configuration/configparametersfull.htm | The [DIRECTORY_PATHS] section identifies pathnames and describes how | pathnames are constructed. It clearly uses relative pathnames, | so all data is underneath the base directory!! | | If we call this a configuration problem, then maybe this (and | all other ""CGI-data-in-web-tree"" configuration problems) should | be combined. | Christey> Consider adding BID:1983" CVE-1999-0608,Entry,"An incorrect configuration of the PDG Shopping Cart CGI program ""shopper.cgi"" could disclose private information.","BUGTRAQ:19990420 Shopping Carts exposing CC data | URL:http://marc.theaimsgroup.com/?l=bugtraq&m=92462991805485&w=2 | CONFIRM:http://www.pdgsoft.com/Security/security.html. 
| XF:pdgsoftcart-misconfig(3857) | URL:http://xforce.iss.net/xforce/xfdb/3857",,, CVE-1999-0609,Candidate,"An incorrect configuration of the SoftCart CGI program ""SoftCart.exe"" could disclose private information.","BUGTRAQ:19990420 Shopping Carts exposing CC data | URL:http://marc.theaimsgroup.com/?l=bugtraq&m=92462991805485&w=2",Proposed (19990728)," ACCEPT(1) Baker | MODIFY(1) Frech | NOOP(3) Wall, Christey, Northcutt"," Frech> XF:softcart-misconfig(3856) | Christey> Consider adding BID:2055" CVE-1999-0610,Candidate,"An incorrect configuration of the Webcart CGI program could disclose private information.","BUGTRAQ:19990420 Shopping Carts exposing CC data | URL:http://marc.theaimsgroup.com/?l=bugtraq&m=92462991805485&w=2",Proposed (19990728)," ACCEPT(1) Baker | MODIFY(1) Frech | NOOP(2) Wall, Northcutt"," Frech> Cite reference as: | BUGTRAQ:19990424 Re: Shopping Carts exposing CC data | URL: | http://www.securityfocus.com/frames/?content=/templates/archive.pike%3Flist% | 3D1%26date%3D2000-08-22%26msg%3D3720E2B6.6031A2E7@datashopper.dk | CHANGE> [Frech changed vote from REVIEWING to MODIFY] | Frech> XF:webcart-data-exposure(8374)" CVE-1999-0611,Candidate,"A system-critical Windows NT registry key has an inappropriate value.","",Proposed (19990803)," ACCEPT(1) Wall | NOOP(1) Baker | RECAST(1) Northcutt"," Northcutt> I think we can define appropriate, take a look at the nt security .pdf | and see if you can't see a way to phrase specific keys in a way that | defines inappropriate. | Baker> too vague" CVE-1999-0612,Entry,"A version of finger is running that exposes valid user information to any entity on the network.","XF:finger-out | XF:finger-running",,, CVE-1999-0613,Candidate,"The rpc.sprayd service is running.","",Proposed (19990721)," ACCEPT(2) Baker, Ozancin | MODIFY(1) Frech | NOOP(1) Wall | REJECT(1) Northcutt"," Frech> XF:sprayd" CVE-1999-0614,Candidate,"** REJECT ** DO NOT USE THIS CANDIDATE NUMBER. ConsultIDs: None. 
Reason: this candidate is solely about a configuration that does not directly introduce security vulnerabilities, so it is more appropriate to cover under the Common Configuration Enumeration (CCE). Notes: the former description is: ""The FTP service is running.""","",Modified (20080731)," ACCEPT(2) Wall, Baker | REJECT(1) Northcutt", CVE-1999-0615,Candidate,"** REJECT ** DO NOT USE THIS CANDIDATE NUMBER. ConsultIDs: None. Reason: this candidate is solely about a configuration that does not directly introduce security vulnerabilities, so it is more appropriate to cover under the Common Configuration Enumeration (CCE). Notes: the former description is: ""The SNMP service is running.""","",Modified (20080731)," ACCEPT(3) Wall, Baker, Prosser | NOOP(1) Christey | REJECT(1) Northcutt"," Baker> Although newer versions of snmp are not as vulnerable as prior versions, | this can still be a significant risk of exploitation, as seen in recent | attacks on snmp services via automated worms | Christey> XF:snmp(132) ? | Prosser> This fits the ""exposure"" description although we also know there are many vulnerabilities in SNMP. This is more of a policy/best practice issue for administrators. If you need SNMP, lock it down as tight as you can; if you don't need it, don't run it." CVE-1999-0616,Candidate,"** REJECT ** DO NOT USE THIS CANDIDATE NUMBER. ConsultIDs: None. Reason: this candidate is solely about a configuration that does not directly introduce security vulnerabilities, so it is more appropriate to cover under the Common Configuration Enumeration (CCE). Notes: the former description is: ""The TFTP service is running.""","",Modified (20080731)," ACCEPT(2) Wall, Baker | REJECT(1) Northcutt", CVE-1999-0617,Candidate,"** REJECT ** DO NOT USE THIS CANDIDATE NUMBER. ConsultIDs: None. 
Reason: this candidate is solely about a configuration that does not directly introduce security vulnerabilities, so it is more appropriate to cover under the Common Configuration Enumeration (CCE). Notes: the former description is: ""The SMTP service is running.""","",Modified (20080731)," ACCEPT(2) Wall, Baker | REJECT(1) Northcutt", CVE-1999-0618,Candidate,"The rexec service is running.","XF:rexec",Modified (19990921-01)," ACCEPT(4) Wall, Baker, Ozancin, Northcutt | MODIFY(1) Frech"," Frech> XF:decod-rexec | XF:rexec" CVE-1999-0619,Candidate,"** REJECT ** DO NOT USE THIS CANDIDATE NUMBER. ConsultIDs: None. Reason: this candidate is solely about a configuration that does not directly introduce security vulnerabilities, so it is more appropriate to cover under the Common Configuration Enumeration (CCE). Notes: the former description is: ""The Telnet service is running.""","",Modified (20080731)," ACCEPT(2) Wall, Baker | REJECT(1) Northcutt", CVE-1999-0620,Candidate,"** REJECT ** DO NOT USE THIS CANDIDATE NUMBER. ConsultIDs: None. Reason: this candidate is solely about a configuration that does not directly introduce security vulnerabilities, so it is more appropriate to cover under the Common Configuration Enumeration (CCE). Notes: the former description is: ""A component service related to NIS is running.""","",Modified (20080731)," ACCEPT(2) Wall, Baker | NOOP(1) Christey | REJECT(1) Northcutt"," Christey> XF:ypserv(261)" CVE-1999-0621,Candidate,"** REJECT ** DO NOT USE THIS CANDIDATE NUMBER. ConsultIDs: None. Reason: this candidate is solely about a configuration that does not directly introduce security vulnerabilities, so it is more appropriate to cover under the Common Configuration Enumeration (CCE). 
Notes: the former description is: ""A component service related to NETBIOS is running.""","OVAL:oval:org.mitre.oval:def:1024 | URL:http://oval.mitre.org/repository/data/getDef?id=oval:org.mitre.oval:def:1024",Modified (20080731)," ACCEPT(2) Wall, Baker | MODIFY(1) Frech | REJECT(2) LeBlanc, Northcutt"," LeBlanc> There is insufficient description to even know what this is. | Lots of component services related to NetBIOS run, and usually do not | constitute a problem. | Frech> associated to: | XF:nt-alerter(29) | XF:nt-messenger(69) | XF:reg-ras-gateway-enabled(2567)" CVE-1999-0622,Candidate,"** REJECT ** DO NOT USE THIS CANDIDATE NUMBER. ConsultIDs: None. Reason: this candidate is solely about a configuration that does not directly introduce security vulnerabilities, so it is more appropriate to cover under the Common Configuration Enumeration (CCE). Notes: the former description is: ""A component service related to DNS service is running.""","",Modified (20080731)," ACCEPT(2) Wall, Baker | REJECT(1) Northcutt", CVE-1999-0623,Candidate,"** REJECT ** DO NOT USE THIS CANDIDATE NUMBER. ConsultIDs: None. Reason: this candidate is solely about a configuration that does not directly introduce security vulnerabilities, so it is more appropriate to cover under the Common Configuration Enumeration (CCE). Notes: the former description is: ""The X Windows service is running.""","",Modified (20080731)," ACCEPT(2) Wall, Baker | NOOP(1) Christey | REJECT(1) Northcutt"," Christey> Add ""X11"" to facilitate search." 
CVE-1999-0624,Candidate,"The rstat/rstatd service is running.","XF:rstat-out | XF:rstatd",Interim (19990925)," ACCEPT(3) Baker, Ozancin, Northcutt | MODIFY(1) Frech | NOOP(2) Wall, Meunier"," Frech> XF:rstat-out | XF:rstatd" CVE-1999-0625,Candidate,"The rpc.rquotad service is running.","",Proposed (19990721)," ACCEPT(3) Baker, Ozancin, Northcutt | MODIFY(1) Frech | NOOP(1) Wall"," Frech> XF:rquotad" CVE-1999-0626,Entry,"A version of rusers is running that exposes valid user information to any entity on the network.","XF:rusersd | XF:ruser",,, CVE-1999-0627,Entry,"The rexd service is running, which uses weak authentication that can allow an attacker to execute commands.","XF:rexd",,, CVE-1999-0628,Entry,"The rwho/rwhod service is running, which exposes machine status and user information.","XF:rwhod",,, CVE-1999-0629,Candidate,"The ident/identd service is running.","",Proposed (19990721)," ACCEPT(2) Baker, Ozancin | MODIFY(1) Frech | NOOP(2) Wall, Christey | REJECT(1) Northcutt"," Frech> possibly XF:identd? | Christey> XF:ident-users(318) ? | CHANGE> [Frech changed vote from REVIEWING to MODIFY] | Frech> XF:identd-vuln(61) | XF:ident-users(318)" CVE-1999-0630,Candidate,"The NT Alerter and Messenger services are running.","",Proposed (19990804)," ACCEPT(2) Wall, Baker | NOOP(1) Christey | REJECT(1) Northcutt"," Christey> http://support.microsoft.com/support/kb/articles/q189/2/71.asp" CVE-1999-0631,Candidate,"** REJECT ** DO NOT USE THIS CANDIDATE NUMBER. ConsultIDs: None. Reason: this candidate is solely about a configuration that does not directly introduce security vulnerabilities, so it is more appropriate to cover under the Common Configuration Enumeration (CCE). Notes: the former description is: ""The NFS service is running.""","",Modified (20080731)," ACCEPT(2) Wall, Baker | NOOP(1) Christey | REJECT(1) Northcutt"," Christey> XF:nfs-nfsd(76) ? | Christey> Add rpc.mountd/mountd to facilitate search." 
CVE-1999-0632,Candidate,"The RPC portmapper service is running.","",Proposed (19990804)," ACCEPT(2) Wall, Baker | REJECT(1) Northcutt", CVE-1999-0633,Candidate,"** REJECT ** DO NOT USE THIS CANDIDATE NUMBER. ConsultIDs: None. Reason: this candidate is solely about a configuration that does not directly introduce security vulnerabilities, so it is more appropriate to cover under the Common Configuration Enumeration (CCE). Notes: the former description is: ""The HTTP/WWW service is running.""","",Modified (20080731)," ACCEPT(2) Wall, Baker | REJECT(1) Northcutt", CVE-1999-0634,Candidate,"** REJECT ** DO NOT USE THIS CANDIDATE NUMBER. ConsultIDs: None. Reason: this candidate is solely about a configuration that does not directly introduce security vulnerabilities, so it is more appropriate to cover under the Common Configuration Enumeration (CCE). Notes: the former description is: ""The SSH service is running.""","",Modified (20080731)," ACCEPT(2) Wall, Baker | REJECT(1) Northcutt", CVE-1999-0635,Candidate,"The echo service is running.","FULLDISC:20060116 ACT P202S VoIP wireless phone multiple undocumented ports/services | URL:http://lists.grok.org.uk/pipermail/full-disclosure/2006-January/041434.html | SECUNIA:18514 | URL:http://secunia.com/advisories/18514",Modified (20060122)," ACCEPT(3) Wall, Baker, Northcutt | REVIEWING(1) Christey"," Northcutt> The method to my madness is echo is the common denom in the dos attack | Christey> How much of this is an overlap with the echo/chargen flood | problem (CVE-1999-0103)? If this is only an exposure because | of CVE-1999-0103, then maybe this should be REJECTed." 
CVE-1999-0636,Candidate,"The discard service is running.","",Proposed (19990804)," ACCEPT(1) Baker | NOOP(1) Wall | REJECT(1) Northcutt", CVE-1999-0637,Candidate,"The systat service is running.","",Proposed (19990804)," ACCEPT(2) Wall, Baker | REJECT(1) Northcutt", CVE-1999-0638,Candidate,"The daytime service is running.","",Proposed (19990804)," ACCEPT(1) Baker | NOOP(1) Wall | REJECT(1) Northcutt", CVE-1999-0639,Candidate,"The chargen service is running.","",Proposed (19990804)," ACCEPT(2) Wall, Baker | REJECT(1) Northcutt | REVIEWING(1) Christey"," Christey> How much of this is an overlap with the echo/chargen flood | problem (CVE-1999-0103)? If this is only an exposure because | of CVE-1999-0103, then maybe this should be REJECTed." CVE-1999-0640,Candidate,"The Gopher service is running.","",Proposed (19990804)," ACCEPT(2) Wall, Baker | REJECT(1) Northcutt", CVE-1999-0641,Candidate,"The UUCP service is running.","",Proposed (19990804)," ACCEPT(2) Wall, Baker | REJECT(1) Northcutt", CVE-1999-0642,Candidate,"** REJECT ** DO NOT USE THIS CANDIDATE NUMBER. ConsultIDs: None. Reason: this candidate is solely about a configuration that does not directly introduce security vulnerabilities, so it is more appropriate to cover under the Common Configuration Enumeration (CCE). Notes: the former description is: ""A POP service is running.""","",Modified (20080731)," ACCEPT(2) Wall, Baker | REJECT(1) Northcutt", CVE-1999-0643,Candidate,"** REJECT ** DO NOT USE THIS CANDIDATE NUMBER. ConsultIDs: None. Reason: this candidate is solely about a configuration that does not directly introduce security vulnerabilities, so it is more appropriate to cover under the Common Configuration Enumeration (CCE). Notes: the former description is: ""The IMAP service is running.""","",Modified (20080731)," ACCEPT(2) Wall, Baker | REJECT(1) Northcutt", CVE-1999-0644,Candidate,"** REJECT ** DO NOT USE THIS CANDIDATE NUMBER. ConsultIDs: None. 
Reason: this candidate is solely about a configuration that does not directly introduce security vulnerabilities, so it is more appropriate to cover under the Common Configuration Enumeration (CCE). Notes: the former description is: ""The NNTP news service is running.""","",Modified (20080731)," ACCEPT(2) Wall, Baker | NOOP(1) Christey | REJECT(1) Northcutt"," Christey> XF:nntp-post(88) ?" CVE-1999-0645,Candidate,"** REJECT ** DO NOT USE THIS CANDIDATE NUMBER. ConsultIDs: None. Reason: this candidate is solely about a configuration that does not directly introduce security vulnerabilities, so it is more appropriate to cover under the Common Configuration Enumeration (CCE). Notes: the former description is: ""The IRC service is running.""","",Modified (20080731)," ACCEPT(2) Wall, Baker | NOOP(1) Christey | REJECT(1) Northcutt"," Christey> XF:irc-server(767) ?" CVE-1999-0646,Candidate,"** REJECT ** DO NOT USE THIS CANDIDATE NUMBER. ConsultIDs: None. Reason: this candidate is solely about a configuration that does not directly introduce security vulnerabilities, so it is more appropriate to cover under the Common Configuration Enumeration (CCE). Notes: the former description is: ""The LDAP service is running.""","",Modified (20080731)," ACCEPT(2) Wall, Baker | REJECT(1) Northcutt", CVE-1999-0647,Candidate,"** REJECT ** DO NOT USE THIS CANDIDATE NUMBER. ConsultIDs: None. Reason: this candidate is solely about a configuration that does not directly introduce security vulnerabilities, so it is more appropriate to cover under the Common Configuration Enumeration (CCE). Notes: the former description is: ""The bootparam (bootparamd) service is running.""","",Modified (20080731)," ACCEPT(2) Baker, Ozancin | MODIFY(1) Frech | NOOP(1) Wall | REJECT(1) Northcutt"," Frech> XF:bootp" CVE-1999-0648,Candidate,"** REJECT ** DO NOT USE THIS CANDIDATE NUMBER. ConsultIDs: None. 
Reason: this candidate is solely about a configuration that does not directly introduce security vulnerabilities, so it is more appropriate to cover under the Common Configuration Enumeration (CCE). Notes: the former description is: ""The X25 service is running.""","",Modified (20080731)," ACCEPT(2) Wall, Baker | REJECT(1) Northcutt", CVE-1999-0649,Candidate,"** REJECT ** DO NOT USE THIS CANDIDATE NUMBER. ConsultIDs: None. Reason: this candidate is solely about a configuration that does not directly introduce security vulnerabilities, so it is more appropriate to cover under the Common Configuration Enumeration (CCE). Notes: the former description is: ""The FSP service is running.""","",Modified (20080731)," ACCEPT(1) Baker | NOOP(1) Wall | REJECT(1) Northcutt", CVE-1999-0650,Candidate,"The netstat service is running, which provides sensitive information to remote attackers.","XF:netstat(72)",Modified (20060608)," ACCEPT(2) Wall, Baker | REJECT(1) Northcutt", CVE-1999-0651,Candidate,"The rsh/rlogin service is running.","",Proposed (19990804)," ACCEPT(2) Wall, Baker | MODIFY(1) Frech | NOOP(1) Christey | REJECT(1) Northcutt"," Christey> aka ""shell"" on UNIX systems (at least Solaris) in the | /etc/inetd.conf file. | Frech> associated to: | XF:nt-rlogin(92) | XF:rsh-svc(114) | XF:rshd(2995)" CVE-1999-0652,Candidate,"** REJECT ** DO NOT USE THIS CANDIDATE NUMBER. ConsultIDs: None. Reason: this candidate is solely about a configuration that does not directly introduce security vulnerabilities, so it is more appropriate to cover under the Common Configuration Enumeration (CCE). Notes: the former description is: ""A database service is running, e.g. 
a SQL server, Oracle, or mySQL.""","",Modified (20080731)," ACCEPT(1) Baker | MODIFY(1) Frech | NOOP(1) Wall | REJECT(1) Northcutt"," Frech> XF:nt-sql-server(1289) | XF:msql-detect(2211) | XF:oracle-detect(2388) | XF:sybase-detect-namedpipes(1461)" CVE-1999-0653,Candidate,"A component service related to NIS+ is running.","",Proposed (19990804)," ACCEPT(2) Wall, Baker | REJECT(1) Northcutt", CVE-1999-0654,Candidate,"The OS/2 or POSIX subsystem in NT is enabled.","",Proposed (19990728)," ACCEPT(1) Wall | MODIFY(1) Frech | NOOP(2) Baker, Christey | REJECT(1) Northcutt"," Wall> These subsystems could still allow a process to persist across logins. | Frech> XF:nt-posix(217) | XF:nt-posix-sub-c2(2397) | XF:nt-posix-sub-onceonly(2478) | XF:nt-os2-sub(218) | XF:nt-os2-sub-c2(2396) | XF:nt-os2-sub-onceonly(2477) | XF:nt-os2-registry(2550) | Christey> s2-file-os2(1865)" CVE-1999-0655,Candidate,"** REJECT ** DO NOT USE THIS CANDIDATE NUMBER. ConsultIDs: None. Reason: this candidate is not about any specific product, protocol, or design, so it is out of scope of CVE. 
Notes: the former description is: ""A service may include useful information in its banner or help function (such as the name and version), making it useful for information gathering activities.""","",Modified (20080731)," ACCEPT(5) Wall, Baker, Frech, Ozancin, Northcutt"," CHANGE> [Frech changed vote from REVIEWING to ACCEPT]" CVE-1999-0656,Candidate,"The ugidd RPC interface, by design, allows remote attackers to enumerate valid usernames by specifying arbitrary UIDs that ugidd maps to local user and group names.","MISC:http://ca.com/au/securityadvisor/vulninfo/Vuln.aspx?ID=1638 | XF:linux-ugidd(348) | URL:http://xforce.iss.net/xforce/xfdb/348",Modified (20080731)," ACCEPT(1) Baker | NOOP(1) Wall | REJECT(1) Northcutt", CVE-1999-0657,Candidate,"WinGate is being used.","",Proposed (19990804)," ACCEPT(1) Baker | NOOP(1) Wall | REJECT(1) Northcutt", CVE-1999-0658,Candidate,"** REJECT ** DO NOT USE THIS CANDIDATE NUMBER. ConsultIDs: None. Reason: this candidate is solely about a configuration that does not directly introduce security vulnerabilities, so it is more appropriate to cover under the Common Configuration Enumeration (CCE). Notes: the former description is: ""DCOM is running.""","",Modified (20080731)," ACCEPT(2) Wall, Baker | REJECT(1) Northcutt", CVE-1999-0659,Candidate,"** REJECT ** DO NOT USE THIS CANDIDATE NUMBER. ConsultIDs: None. Reason: this candidate is solely about a configuration that does not directly introduce security vulnerabilities, so it is more appropriate to cover under the Common Configuration Enumeration (CCE). Notes: the former description is: ""A Windows NT Primary Domain Controller (PDC) or Backup Domain Controller (BDC) is present.""","",Modified (20080731)," REJECT(3) Wall, Baker, Northcutt"," Wall> Don't consider this a service or a problem. | Baker> concur with wall on this" CVE-1999-0660,Candidate,"** REJECT ** DO NOT USE THIS CANDIDATE NUMBER. ConsultIDs: None. 
Reason: this candidate is not about any specific product, protocol, or design, so it is out of scope of CVE. It might be more appropriate to cover under the Common Configuration Enumeration (CCE). Notes: the former description is: ""A hacker utility, back door, or Trojan Horse is installed on a system, e.g. NetBus, Back Orifice, Rootkit, etc.""","",Modified (20080730)," ACCEPT(4) Wall, Baker, Hill, Northcutt | NOOP(1) Christey"," Christey> Add ""back door"" to description." CVE-1999-0661,Candidate,"A system is running a version of software that was replaced with a Trojan Horse at one of its distribution points, such as (1) TCP Wrappers 7.6, (2) util-linux 2.9g, (3) wuarchive ftpd (wuftpd) 2.2 and 2.1f, (4) IRC client (ircII) ircII 2.2.9, (5) OpenSSH 3.4p1, or (6) Sendmail 8.12.6.","CERT:CA-1994-07 | URL:http://www.cert.org/advisories/CA-1994-07.html | CERT:CA-1994-14 | URL:http://www.cert.org/advisories/CA-1994-14.html | CERT:CA-1999-01 | URL:http://www.cert.org/advisories/CA-1999-01.html | CERT:CA-1999-02 | URL:http://www.cert.org/advisories/CA-1999-02.html | CERT:CA-2002-28 | URL:http://www.cert.org/advisories/CA-2002-28.html | BUGTRAQ:20020801 trojan horse in recent openssh (version 3.4 portable 1) | URL:http://marc.theaimsgroup.com/?l=bugtraq&m=102820843403741&w=2 | BUGTRAQ:20020801 OpenSSH Security Advisory: Trojaned Distribution Files | URL:http://marc.theaimsgroup.com/?l=bugtraq&m=102821663814127&w=2 | BUGTRAQ:20021009 Re: CERT Advisory CA-2002-28 Trojan Horse Sendmail | URL:http://online.securityfocus.com/archive/1/294539 | BID:5921 | URL:http://www.securityfocus.com/bid/5921 | XF:sendmail-backdoor(10313) | URL:http://www.iss.net/security_center/static/10313.php",Modified (20050529)," ACCEPT(4) Wall, Baker, Hill, Northcutt | REVIEWING(1) Christey"," Christey> Should add the specific CERT advisory references for | well-known Trojaned software. 
| TCP Wrappers -> CERT:CA-1999-01 | CERT:CA-1999-02 includes util-linux | wuarchive - CERT:CA-94.07 | IRC client - CERT:CA-1994-14 | Christey> BUGTRAQ:20020801 trojan horse in recent openssh (version 3.4 portable 1) | Modify description to use dot notation. | Christey> CERT:CA-2002-24 | URL:http://www.cert.org/advisories/CA-2002-24.html | XF:openssh-backdoor(9763) | URL:http://www.iss.net/security_center/static/9763.php | BID:5374 | URL:http://www.securityfocus.com/bid/5374 | CHANGE> [Christey changed vote from NOOP to REVIEWING] | Christey> Add libpcap and tcpdump: | BUGTRAQ:20021113 Latest libpcap & tcpdump sources from tcpdump.org contain a trojan | URL:http://marc.theaimsgroup.com/?l=bugtraq&m=103722456708471&w=2 | CERT:CA-2002-30 | URL:http://www.cert.org/advisories/CA-2002-30.html | | This CAN has been active for over 4 years. At this moment, my | thinking is that we should SPLIT this CAN into each separate | trojaned product, then create some criteria that restrict | creation of new CANs to ""widespread"" or ""important"" products only." CVE-1999-0662,Candidate,"A system-critical program or library does not have the appropriate patch, hotfix, or service pack installed, or is outdated or obsolete.","",Proposed (19990804)," ACCEPT(4) Wall, Baker, Hill, Northcutt", CVE-1999-0663,Candidate,"A system-critical program, library, or file has a checksum or other integrity measurement that indicates that it has been modified.","",Proposed (19990804)," ACCEPT(3) Wall, Baker, Hill | RECAST(1) Northcutt"," Northcutt> This needs to be worded carefully. | 1. Rootkits evade checksum detection. | 2. 
The modification could be positive (a patch)" CVE-1999-0664,Candidate,"An application-critical Windows NT registry key has inappropriate permissions.","",Proposed (19990803)," ACCEPT(1) Wall | NOOP(1) Baker | RECAST(2) Christey, Northcutt"," Northcutt> I think we can define appropriate, take a look at the nt security .pdf | and see if you can't see a way to phrase specific keys in a way that | defines inappropriate. | Christey> Upon further reflection, this is too high-level for CVE. | Specific registry keys with bad permissions is roughly | equivalent to Unix configuration files that have bad | permissions; those permission problems can be created by | any vendor, not just a specific one. Therefore this | candidate should be RECAST into each separate registry | key that has this problem." CVE-1999-0665,Candidate,"An application-critical Windows NT registry key has an inappropriate value.","",Proposed (19990803)," ACCEPT(1) Wall | NOOP(1) Baker | RECAST(1) Northcutt"," Northcutt> I think we can define appropriate, take a look at the nt security .pdf | and see if you can't see a way to phrase specific keys in a way that | defines inappropriate. | Baker> very vague" CVE-1999-0667,Candidate,"The ARP protocol allows any host to spoof ARP replies and poison the ARP cache to conduct IP address spoofing or a denial of service.","",Proposed (19991222)," ACCEPT(2) Cole, Blake | MODIFY(1) Stracener | NOOP(2) Baker, Christey | REJECT(1) Frech"," Stracener> Add Ref: BUGTRAQ:19970919 Playing redir games with ARP and ICMP | Frech> Cannot proceed without a reference. Too vague, and resembles XF:netbsd-arp: | CVE-1999-0763: NetBSD on a multi-homed host allows ARP packets on one | network to modify ARP entries on another connected network. | CVE-1999-0764: NetBSD allows ARP packets to overwrite static ARP entries. | Will reconsider if reference provides enough information to render a | distinction. 
| Christey> This particular vulnerability was exploited by an attacker | during the ID'Net IDS test network exercise at the SANS | Network Security '99 conference. The attacker adapted a | publicly available program that was able to spoof another | machine on the same physical network. | | See http://marc.theaimsgroup.com/?l=bugtraq&m=87602880019797&w=2 | for the Bugtraq reference that Tom Stracener suggested. | This generated a long thread on Bugtraq in 1997. | Blake> I'll second Tom's request to add the reference, it's a very | good posting and the vulnerability is clearly derivative of | the work. | | (I do recall talking to the guy and drafting a description.)" CVE-1999-0668,Entry,"The scriptlet.typelib ActiveX control is marked as ""safe for scripting"" for Internet Explorer, which allows a remote attacker to execute arbitrary commands as demonstrated by Bubbleboy.","BUGTRAQ:19990821 IE 5.0 allows executing programs | MS:MS99-032 | URL:http://www.microsoft.com/technet/security/bulletin/ms99-032.asp | CIAC:J-064 | URL:http://ciac.llnl.gov/ciac/bulletins/j-064.shtml | BID:598 | URL:http://www.securityfocus.com/bid/598 | XF:ms-scriptlet-eyedog-unsafe | MSKB:Q240308 | URL:http://support.microsoft.com/default.aspx?scid=kb;[LN];Q240308",,, CVE-1999-0669,Candidate,"The Eyedog ActiveX control is marked as ""safe for scripting"" for Internet Explorer, which allows a remote attacker to execute arbitrary commands as demonstrated by Bubbleboy.","MS:MS99-032 | CIAC:J-064 | URL:http://ciac.llnl.gov/ciac/bulletins/j-064.shtml | XF:ms-scriptlet-eyedog-unsafe | MSKB:Q240308",Interim (19991229)," ACCEPT(5) Wall, Baker, Cole, Ozancin, Prosser | MODIFY(2) Frech, Stracener | REVIEWING(1) Christey"," Frech> XF:ms-scriptlet-eyedog-unsafe | Stracener> Add Ref: MSKB Q240308 | Christey> Should CVE-1999-0669 and 668 be merged? If not, then this is | a reason for not merging CVE-1999-0988 and CVE-1999-0828." 
CVE-1999-0670,Candidate,"Buffer overflow in the Eyedog ActiveX control allows a remote attacker to execute arbitrary commands.","MS:MS99-032 | URL:http://www.microsoft.com/technet/security/bulletin/ms99-032.asp | CIAC:J-064 | URL:http://ciac.llnl.gov/ciac/bulletins/j-064.shtml",Proposed (19991208)," ACCEPT(3) Wall, Ozancin, Prosser | MODIFY(2) Frech, Stracener | REJECT(2) Baker, Cole"," Frech> XF:ie-eyedog-bo | Cole> Based on the references and information listed this is the same as | CVE-1999-0669 | Stracener> Add Ref: MSKB Q240308 | Baker> Duplicate" CVE-1999-0671,Entry,"Buffer overflow in ToxSoft NextFTP client through CWD command.","BID:572 | URL:http://www.securityfocus.com/bid/572 | XF:toxsoft-nextftp-cwd-bo",,, CVE-1999-0672,Entry,"Buffer overflow in Fujitsu Chocoa IRC client via IRC channel topics.","XF:fujitsu-topic-bo | BID:573 | URL:http://www.securityfocus.com/bid/573",,, CVE-1999-0673,Candidate,"Buffer overflow in ALMail32 POP3 client via From: or To: headers.","BID:574 | URL:http://www.securityfocus.com/bid/574",Proposed (19991222)," ACCEPT(6) Wall, Baker, Cole, Collins, Levy, Blake | MODIFY(2) Frech, Stracener | NOOP(3) Landfield, Armstrong, Oliver | REVIEWING(1) Ozancin"," Stracener> AddRef: ShadowPenguinSecurity:PenguinToolbox,No.037 | Frech> XF:almail-bo | CHANGE> [Cole changed vote from NOOP to ACCEPT]" CVE-1999-0674,Entry,"The BSD profil system call allows a local user to modify the internal data space of a program via profiling and execve.","NETBSD:1999-011 | OPENBSD:Aug 9,1999 | FREEBSD:FreeBSD-SA-99:02 | BUGTRAQ:19990809 profil(2) bug, a simple test program | BID:570 | URL:http://www.securityfocus.com/bid/570 | CIAC:J-067 | URL:http://www.ciac.org/ciac/bulletins/j-067.shtml | XF:netbsd-profil",,, CVE-1999-0675,Entry,"Check Point FireWall-1 can be subjected to a denial of service via UDP packets that are sent through VPN-1 to port 0 of a host.","BUGTRAQ:19990809 FW1 UDP Port 0 DoS | URL:http://www.securityfocus.com/archive/1/23615 | BID:576 | 
URL:http://www.securityfocus.com/bid/576 | XF:checkpoint-port | OSVDB:1038 | URL:http://www.osvdb.org/1038",,, CVE-1999-0676,Entry,"sdtcm_convert in Solaris 2.6 allows a local user to overwrite sensitive files via a symlink attack.","BUGTRAQ:19990808 sdtcm_convert | URL:http://www.securityfocus.com/templates/archive.pike?list=1&msg=19990809134220.A1191@hades.chaoz.org | XF:sun-sdtcm-convert | BID:575 | URL:http://www.securityfocus.com/bid/575",,, CVE-1999-0677,Candidate,"The WebRamp web administration utility has a default password.","BUGTRAQ:19990802 [LoWNOISE] Password hunting with webramp | BID:577 | URL:http://www.securityfocus.com/bid/577",Modified (19991228-01)," ACCEPT(3) Baker, Stracener, Blake | MODIFY(2) Cole, Frech | NOOP(2) Armstrong, Christey"," Cole> I would add that it is not forced to be changed. | Frech> XF:webramp-default-password | Christey> This problem may have been detected in January 1999: | BUGTRAQ:19990121 Re: WebRamp M3 remote network access bug | http://marc.theaimsgroup.com/?l=bugtraq&m=91702375402055&w=2" CVE-1999-0678,Entry,"A default configuration of Apache on Debian GNU/Linux sets the ServerRoot to /usr/doc, which allows remote users to read documentation files for the entire server.","XF:apache-debian-usrdoc | BUGTRAQ:19990405 An issue with Apache on Debian | BID:318 | URL:http://www.securityfocus.com/bid/318",,, CVE-1999-0679,Entry,"Buffer overflow in hybrid-6 IRC server commonly used on EFnet allows remote attackers to execute commands via m_invite invite option.","BUGTRAQ:19990813 w00w00's efnet ircd advisory (exploit included) | CONFIRM:http://www.efnet.org/archive/servers/hybrid/ChangeLog | BID:581 | URL:http://www.securityfocus.com/bid/581 | XF:hybrid-ircd-minvite-bo",,, CVE-1999-0680,Entry,"Windows NT Terminal Server performs extra work when a client opens a new connection but before it is authenticated, allowing for a denial of service.","MS:MS99-028 | URL:http://www.microsoft.com/technet/security/bulletin/ms99-028.mspx | 
MSKB:Q238600 | URL:http://support.microsoft.com/default.aspx?scid=kb;[LN];Q238600 | CIAC:J-057 | URL:http://www.ciac.org/ciac/bulletins/j-057.shtml | BID:571 | URL:http://www.securityfocus.com/bid/571 | XF:nt-terminal-dos",,, CVE-1999-0681,Entry,"Buffer overflow in Microsoft FrontPage Server Extensions (PWS) 3.0.2.926 on Windows 95, and possibly other versions, allows remote attackers to cause a denial of service via a long URL.","BUGTRAQ:19990807 Crash FrontPage Remotely... | URL:http://archives.neohapsis.com/archives/bugtraq/1999-q3/0381.html | XF:frontpage-pws-dos | URL:http://xforce.iss.net/static/3117.php | BID:568 | URL:http://www.securityfocus.com/bid/568",,, CVE-1999-0682,Entry,"Microsoft Exchange 5.5 allows a remote attacker to relay email (i.e. spam) using encapsulated SMTP addresses, even if the anti-relaying features are enabled.","MS:MS99-027 | URL:http://www.microsoft.com/technet/security/bulletin/ms99-027.mspx | MSKB:Q237927 | URL:http://support.microsoft.com/default.aspx?scid=kb;[LN];Q237927 | BID:567 | URL:http://www.securityfocus.com/bid/567 | CIAC:J-056 | URL:http://www.ciac.org/ciac/bulletins/j-056.shtml | XF:exchange-relay",,, CVE-1999-0683,Entry,"Denial of service in Gauntlet Firewall via a malformed ICMP packet.","XF:gauntlet-dos | BUGTRAQ:19990729 Remotely Lock Up Gauntlet 5.0 | BID:556 | URL:http://www.securityfocus.com/bid/556 | OSVDB:1029 | URL:http://www.osvdb.org/1029",,, CVE-1999-0684,Candidate,"Denial of service in Sendmail 8.8.6 in HPUX.","HP:HPSBUX9904-097",Proposed (19991214)," ACCEPT(2) Cole, Blake | MODIFY(3) Frech, Stracener, Prosser | NOOP(1) Baker | REJECT(1) Christey"," Stracener> Add Ref: CIAC: J-040 | Prosser> Might change description to indicate DoS caused by multiple connections | Christey> Andre's right. This is a duplicate of CVE-1999-0684. 
| Frech> Without further information and/or references, this issue looks like an | ambiguous version of CVE-1999-0478: Denial of service in HP-UX sendmail | 8.8.6 related to accepting connections. | | (was REJECT) | XF:hp-sendmail-connect-dos" CVE-1999-0685,Entry,"Buffer overflow in Netscape Communicator via EMBED tags in the pluginspage option.","BUGTRAQ:19991209 Netscape communicator 4.06J, 4.5J-4.6J, 4.61e Buffer Overflow | BID:618 | URL:http://www.securityfocus.com/bid/618",,, CVE-1999-0686,Entry,"Denial of service in Netscape Enterprise Server (NES) in HP Virtual Vault (VVOS) via a long URL.","BUGTRAQ:19990514 TGAD DoS | BUGTRAQ:19990610 Re: VVOS/Netscape Bug | HP:HPSBUX9906-098 | URL:http://www1.itrc.hp.com/service/cki/docDisplay.do?docId=HPSBUX9906-098 | CIAC:J-046 | URL:http://www.ciac.org/ciac/bulletins/j-046.shtml | XF:hp-tgad-dos",,, CVE-1999-0687,Entry,"The ToolTalk ttsession daemon uses weak RPC authentication, which allows a remote attacker to execute commands.","BUGTRAQ:19990913 Vulnerability in ttsession | SUN:00192 | URL:http://sunsolve.sun.com/pub-cgi/retrieve.pl?doctype=coll&doc=secbull/192 | HP:HPSBUX9909-103 | URL:http://www1.itrc.hp.com/service/cki/docDisplay.do?docId=HPSBUX9909-103 | COMPAQ:SSRT0617U_TTSESSION | CIAC:K-001 | URL:http://www.ciac.org/ciac/bulletins/k-001.shtml | CERT:CA-99-11 | BID:637 | URL:http://www.securityfocus.com/bid/637 | XF:cde-ttsession-rpc-auth",,, CVE-1999-0688,Entry,"Buffer overflows in HP Software Distributor (SD) for HPUX 10.x and 11.x.","HP:HPSBUX9907-101 | URL:http://www1.itrc.hp.com/service/cki/docDisplay.do?docId=HPSBUX9907-101 | BID:545 | URL:http://www.securityfocus.com/bid/545 | XF:hp-sd-bo",,, CVE-1999-0689,Entry,"The CDE dtspcd daemon allows local users to execute arbitrary commands via a symlink attack.","BUGTRAQ:19990913 Vulnerability in dtspcd | SUN:00192 | URL:http://sunsolve.sun.com/pub-cgi/retrieve.pl?doctype=coll&doc=secbull/192 | HP:HPSBUX9909-103 | 
URL:http://www1.itrc.hp.com/service/cki/docDisplay.do?docId=HPSBUX9909-103 | CERT:CA-99-11 | OVAL:oval:org.mitre.oval:def:1880 | URL:http://oval.mitre.org/repository/data/getDef?id=oval:org.mitre.oval:def:1880 | XF:cde-dtspcd-file-auth | BID:636 | URL:http://www.securityfocus.com/bid/636",,, CVE-1999-0690,Entry,"HP CDE program includes the current directory in root's PATH variable.","HP:HPSBUX9907-100 | URL:http://www1.itrc.hp.com/service/cki/docDisplay.do?docId=HPSBUX9907-100 | CIAC:J-053 | URL:http://www.ciac.org/ciac/bulletins/j-053.shtml | XF:hp-cde-directory",,, CVE-1999-0691,Entry,"Buffer overflow in the AddSuLog function of the CDE dtaction utility allows local users to gain root privileges via a long user name.","BUGTRAQ:19990913 Vulnerability in dtaction | SUN:00192 | URL:http://sunsolve.sun.com/pub-cgi/retrieve.pl?doctype=coll&doc=secbull/192 | HP:HPSBUX9909-103 | URL:http://www1.itrc.hp.com/service/cki/docDisplay.do?docId=HPSBUX9909-103 | COMPAQ:SSRTO615U_DTACTION | CERT:CA-99-11 | BID:635 | URL:http://www.securityfocus.com/bid/635 | OVAL:oval:org.mitre.oval:def:3078 | URL:http://oval.mitre.org/repository/data/getDef?id=oval:org.mitre.oval:def:3078 | XF:cde-dtaction-username-bo",,, CVE-1999-0692,Entry,"The default configuration of the Array Services daemon (arrayd) disables authentication, allowing remote users to gain root privileges.","CERT:CA-99-09 | CIAC:J-052 | URL:http://www.ciac.org/ciac/bulletins/j-052.shtml | SGI:19990701-01-P | URL:ftp://patches.sgi.com/support/free/security/advisories/19990701-01-P | XF:sgi-arrayd",,, CVE-1999-0693,Entry,"Buffer overflow in TT_SESSION environment variable in ToolTalk shared library allows local users to gain root privileges.","CERT:CA-99-11 | SUN:00192 | URL:http://sunsolve.sun.com/pub-cgi/retrieve.pl?doctype=coll&doc=secbull/192 | HP:HPSBUX9909-103 | URL:http://www1.itrc.hp.com/service/cki/docDisplay.do?docId=HPSBUX9909-103 | BID:641 | URL:http://www.securityfocus.com/bid/641 | 
OVAL:oval:org.mitre.oval:def:4374 | URL:http://oval.mitre.org/repository/data/getDef?id=oval:org.mitre.oval:def:4374 | XF:cde-dtsession-env-bo",,, CVE-1999-0694,Entry,"Denial of service in AIX ptrace system call allows local users to crash the system.","CIAC:J-055 | URL:http://www.ciac.org/ciac/bulletins/j-055.shtml | IBM:ERS-SVA-E01-1999:002.1 | XF:aix-ptrace-halt",,, CVE-1999-0695,Entry,"The Sybase PowerDynamo personal web server allows attackers to read arbitrary files through a .. (dot dot) attack.","BUGTRAQ:19990904 [Sybase] software vendors do not think about old bugs | XF:http-powerdynamo-dotdotslash | BID:620 | URL:http://www.securityfocus.com/bid/620 | OSVDB:1064 | URL:http://www.osvdb.org/1064",,, CVE-1999-0696,Entry,"Buffer overflow in CDE Calendar Manager Service Daemon (rpc.cmsd).","BUGTRAQ:19990709 Exploit of rpc.cmsd | SCO:SB-99.12 | SUN:00188 | URL:http://sunsolve.sun.com/pub-cgi/retrieve.pl?doctype=coll&doc=secbull/188 | SUNBUG:4230754 | HP:HPSBUX9908-102 | URL:http://www1.itrc.hp.com/service/cki/docDisplay.do?docId=HPSBUX9908-102 | COMPAQ:SSRT0614U_RPC_CMSD | CERT:CA-99-08 | CIAC:J-051 | URL:http://www.ciac.org/ciac/bulletins/j-051.shtml | XF:sun-cmsd-bo",,, CVE-1999-0697,Entry,"SCO Doctor allows local users to gain root privileges through a Tools option.","BUGTRAQ:19990908 SCO 5.0.5 /bin/doctor nightmare | BID:621 | URL:http://www.securityfocus.com/bid/621 | XF:sco-doctor-execute",,, CVE-1999-0698,Candidate,"Denial of service in IP protocol logger (ippl) on Red Hat and Debian Linux.","",Proposed (19991222)," ACCEPT(6) Baker, Cole, Armstrong, Collins, Ozancin, Blake | MODIFY(1) Frech | NOOP(4) Wall, Landfield, Stracener, Levy | REJECT(1) Christey"," Stracener> Is the candidate referring to the denial of service problem mentioned in | the | changelogs for versions previous to 1.4.3-1 or does it pertain to some | problem with or | 1.4.8-1? | Frech> Depending on the version, this could be any number of DoSes | related to ippl. 
| From http://www.larve.net/ippl/: | 9 April 1999: version 1.4.3 released, correctly fixing a | potential denial of service attack. | 7 April 1999: version 1.4.2 released, fixing a potential | denial of service attack. | XF:linux-ippl-dos | Christey> Changelog: http://pltplp.net/ippl/docs/HISTORY | | See comments for version 1.4.2 and 1.4.3 | Another source: http://freshmeat.net/news/1999/04/08/923586598.html | CHANGE> [Stracener changed vote from REVIEWING to NOOP] | CHANGE> [Christey changed vote from NOOP to REJECT] | Christey> As mentioned by others, this could apply to several different | versions. Since the description is too vague, this CAN should | be REJECTED and recast into other candidates." CVE-1999-0699,Entry,"The Bluestone Sapphire web server allows session hijacking via easily guessable session IDs.","BUGTRAQ:19990908 [Security] Spoofed Id in Bluestone Sapphire/Web | BID:623 | URL:http://www.securityfocus.com/bid/623",,, CVE-1999-0700,Entry,"Buffer overflow in Microsoft Phone Dialer (dialer.exe), via a malformed dialer entry in the dialer.ini file.","MSKB:Q237185 | URL:http://support.microsoft.com/default.aspx?scid=kb;[LN];Q237185 | MS:MS99-026 | URL:http://www.microsoft.com/technet/security/bulletin/ms99-026.mspx | XF:nt-malformed-dialer",,, CVE-1999-0701,Entry,"After an unattended installation of Windows NT 4.0, an installation file could include sensitive information such as the local Administrator password.","MS:MS99-036 | URL:http://www.microsoft.com/technet/security/bulletin/ms99-036.mspx | MSKB:Q173039 | URL:http://support.microsoft.com/default.aspx?scid=kb;[LN];Q173039 | BID:626 | URL:http://www.securityfocus.com/bid/626 | XF:nt-install-unattend-file",,, CVE-1999-0702,Entry,"Internet Explorer 5.0 and 5.01 allows remote attackers to modify or execute files via the Import/Export Favorites feature, aka the ""ImportExportFavorites"" vulnerability.","BUGTRAQ:19990909 IE 5.0 security vulnerabilities - ImportExportFavorites - at least creating and 
overwriting files, probably executing programs | MS:MS99-037 | URL:http://www.microsoft.com/technet/security/bulletin/ms99-037.mspx | MSKB:Q241361 | URL:http://support.microsoft.com/default.aspx?scid=kb;[LN];Q241361 | XF:ie5-import-export-favorites | BID:627 | URL:http://www.securityfocus.com/bid/627",,, CVE-1999-0703,Entry,"OpenBSD, BSDI, and other Unix operating systems allow users to set chflags and fchflags on character and block devices.","BUGTRAQ:19990805 4.4 BSD issue -- chflags | OPENBSD:Jul30,1999 | FREEBSD:FreeBSD-SA-99:01 | CIAC:J-066 | URL:http://www.ciac.org/ciac/bulletins/j-066.shtml | XF:openbsd-chflags-fchflags-permitted",,, CVE-1999-0704,Entry,"Buffer overflow in Berkeley automounter daemon (amd) logging facility provided in the Linux am-utils package and others.","REDHAT:RHSA-1999:032-01 | CALDERA:CSSA-1999:024.0 | FREEBSD:SA-99:06 | DEBIAN:19991018 | BID:614 | URL:http://www.securityfocus.com/bid/614 | CERT:CA-99-12 | XF:amd-bo",,, CVE-1999-0705,Entry,"Buffer overflow in INN inews program.","XF:inn-inews-bo | REDHAT:RHSA1999033_01 | CALDERA:CSSA-1999-026 | SUSE:19990831 Security hole in INN | DEBIAN:19990907 | BID:616 | URL:http://www.securityfocus.com/bid/616",,, CVE-1999-0706,Entry,"Linux xmonisdn package allows local users to gain root privileges by modifying the IFS or PATH environmental variables.","DEBIAN:19990807 | SUSE:19990817 Security hole in i4l (xmonisdn) | BID:583 | URL:http://www.securityfocus.com/bid/583",,, CVE-1999-0707,Entry,"The default FTP configuration in HP Visualize Conference allows conference users to send a file to other participants without authorization.","HP:HPSBUX9906-099 | URL:http://www1.itrc.hp.com/service/cki/docDisplay.do?docId=HPSBUX9906-099 | CIAC:J-050 | URL:http://www.ciac.org/ciac/bulletins/j-050.shtml | BID:493 | URL:http://www.securityfocus.com/bid/493 | XF:hp-visualize-conference-ftp",,, CVE-1999-0708,Entry,"Buffer overflow in cfingerd allows local users to gain root privileges via a long GECOS 
field.","BUGTRAQ:19990921 BP9909-00: cfingerd local buffer overflow | BID:651 | URL:http://www.securityfocus.com/bid/651",,, CVE-1999-0710,Entry,"The Squid package in Red Hat Linux 5.2 and 6.0, and other distributions, installs cachemgr.cgi in a public web directory, which allows remote attackers to use it as an intermediary to connect to other systems.","BUGTRAQ:19990725 Redhat 6.0 cachemgr.cgi lameness | CONFIRM:http://www.redhat.com/support/errata/archives/rh52-errata-general.html#squid | DEBIAN:DSA-576 | URL:http://www.debian.org/security/2004/dsa-576 | FEDORA:FEDORA-2005-373 | URL:http://www.redhat.com/archives/fedora-announce-list/2005-May/msg00025.html | FEDORA:FLSA-2006:152809 | URL:http://fedoranews.org/updates/FEDORA--.shtml | REDHAT:RHSA-1999:025 | URL:http://www.redhat.com/support/errata/RHSA-1999-025.html | REDHAT:RHSA-2005:489 | URL:http://www.redhat.com/support/errata/RHSA-2005-489.html | BID:2059 | URL:http://www.securityfocus.com/bid/2059 | XF:http-cgi-cachemgr(2385) | URL:http://xforce.iss.net/xforce/xfdb/2385",,, CVE-1999-0711,Entry,"The oratclsh interpreter in Oracle 8.x Intelligent Agent for Unix allows local users to execute Tcl commands as root.","BUGTRAQ:19990430 *Huge* security hole in Oracle 8.0.5 with Intellegent agent installed | URL:http://marc.theaimsgroup.com/?t=92550157100002&w=2&r=1 | BUGTRAQ:19990506 Oracle Security Followup, patch and FAQ: setuid on oratclsh | URL:http://marc.theaimsgroup.com/?l=bugtraq&m=92609807906778&w=2 | XF:oracle-oratclsh",,, CVE-1999-0712,Candidate,"A vulnerability in Caldera Open Administration System (COAS) allows the /etc/shadow password file to be made world-readable.","CALDERA:CSSA-1999:009 | XF:linux-coas",Proposed (19991214)," ACCEPT(4) Baker, Cole, Frech, Stracener | MODIFY(1) Blake | NOOP(1) Armstrong | REVIEWING(1) Christey"," Blake> This obscurely-written advisory seems to state that COAS will make the | file world-readable, not that it allows the user to make it so. 
I hardly | think that allowing the user to turn off security is a vulnerability. | Christey> It's difficult to write the description based on what's in | the advisory. If COAS inadvertently changes permissions | without user confirmation, then it should be ACCEPTed with | appropriate modification to the description. | Christey> ADDREF BID:137 | CHANGE> [Armstrong changed vote from REVIEWING to NOOP]" CVE-1999-0713,Entry,"The dtlogin program in Compaq Tru64 UNIX allows local users to gain root privileges.","BUGTRAQ:19990404 Digital Unix 4.0E /var permission | CIAC:J-044 | URL:http://www.ciac.org/ciac/bulletins/j-044.shtml | XF:cde-dtlogin | COMPAQ:SSRT0600U",,, CVE-1999-0714,Entry,"Vulnerability in Compaq Tru64 UNIX edauth command.","COMPAQ:SSRT0588U | XF:du-edauth",,, CVE-1999-0715,Entry,"Buffer overflow in Remote Access Service (RAS) client allows an attacker to execute commands or cause a denial of service via a malformed phonebook entry.","BUGTRAQ:19990519 Buffer Overruns in RAS allows execution of arbitary code as system | MS:MS99-016 | URL:http://www.microsoft.com/technet/security/bulletin/ms99-016.mspx | MSKB:Q230677 | URL:http://support.microsoft.com/default.aspx?scid=kb;[LN];Q230677 | XF:nt-ras-bo",,, CVE-1999-0716,Entry,"Buffer overflow in Windows NT 4.0 help file utility via a malformed help file.","XF:nt-helpfile-bo | MSKB:Q231605 | URL:http://support.microsoft.com/default.aspx?scid=kb;[LN];Q231605 | MS:MS99-015 | URL:http://www.microsoft.com/technet/security/bulletin/ms99-015.asp",,, CVE-1999-0717,Entry,"A remote attacker can disable the virus warning mechanism in Microsoft Excel 97.","MS:MS99-014 | URL:http://www.microsoft.com/technet/security/bulletin/ms99-014.mspx | MSKB:Q231304 | URL:http://support.microsoft.com/default.aspx?scid=kb;[LN];Q231304 | XF:excel-virus-warning",,, CVE-1999-0718,Entry,"IBM GINA, when used for OS/2 domain authentication of Windows NT users, allows local users to gain administrator privileges by changing the GroupMapping 
registry key.","NTBUGTRAQ:19990823 IBM Gina security warning | URL:http://www.ntbugtraq.com/default.asp?pid=36&sid=1&A2=ind9908&L=ntbugtraq&F=&S=&P=5534 | BID:608 | URL:http://www.securityfocus.com/bid/608 | XF:ibm-gina-group-add | URL:http://xforce.iss.net/static/3166.php",,, CVE-1999-0719,Entry,"The Guile plugin for the Gnumeric spreadsheet package allows attackers to execute arbitrary code.","BUGTRAQ:19990802 Gnumeric potential security hole. | REDHAT:RHSA-1999:023-01 | XF:gnu-guile-plugin-export | BID:563 | URL:http://www.securityfocus.com/bid/563",,, CVE-1999-0720,Entry,"The pt_chown command in Linux allows local users to modify TTY terminal devices that belong to other users.","BUGTRAQ:19990823 [Linux] glibc 2.1.x / wu-ftpd <=2.5 / BeroFTPD / lynx / vlock / mc / glibc 2.0.x | URL:http://www.securityfocus.com/templates/archive.pike?list=1&msg=lcamtuf.4.05.9907041223290.355-300000@nimue.ids.pl | BID:597 | URL:http://www.securityfocus.com/bid/597 | XF:linux-pt-chown",,, CVE-1999-0721,Entry,"Denial of service in Windows NT Local Security Authority (LSA) through a malformed LSA request.","BINDVIEW:Phantom Technical Advisory | MSKB:Q231457 | URL:http://support.microsoft.com/default.aspx?scid=kb;[LN];Q231457 | MS:MS99-020 | URL:http://www.microsoft.com/technet/security/bulletin/ms99-020.mspx | CIAC:J-049 | URL:http://www.ciac.org/ciac/bulletins/j-049.shtml | XF:msrpc-lsa-lookupnames-dos",,, CVE-1999-0722,Entry,"The default configuration of Cobalt RaQ2 servers allows remote users to install arbitrary software packages.","CERT:CA-99-10 | BID:558 | URL:http://www.securityfocus.com/bid/558 | XF:cobalt-raq2-default-config",,, CVE-1999-0723,Entry,"The Windows NT Client Server Runtime Subsystem (CSRSS) can be subjected to a denial of service when all worker threads are waiting for user input.","NTBUGTRAQ:19990411 Death by MessageBox | MS:MS99-021 | URL:http://www.microsoft.com/technet/security/bulletin/ms99-021.mspx | MSKB:Q233323 | 
URL:http://support.microsoft.com/default.aspx?scid=kb;[LN];Q233323 | CIAC:J-049 | URL:http://www.ciac.org/ciac/bulletins/j-049.shtml | BID:478 | URL:http://www.securityfocus.com/bid/478 | XF:nt-csrss-dos",,, CVE-1999-0724,Entry,"Buffer overflow in OpenBSD procfs and fdescfs file systems via uio_offset in the readdir() function.","OPENBSD:Aug12,1999 | XF:openbsd-uio_offset-bo | OSVDB:6128 | URL:http://www.osvdb.org/6128",,, CVE-1999-0725,Entry,"When IIS is run with a default language of Chinese, Korean, or Japanese, it allows a remote attacker to view the source code of certain files, a.k.a. ""Double Byte Code Page"".","MSKB:Q233335 | URL:http://support.microsoft.com/default.aspx?scid=kb;[LN];Q233335 | MS:MS99-022 | URL:http://www.microsoft.com/technet/security/bulletin/ms99-022.mspx | BID:477 | URL:http://www.securityfocus.com/bid/477 | XF:iis-double-byte-code-page(2302) | URL:http://xforce.iss.net/xforce/xfdb/2302",,, CVE-1999-0726,Entry,"An attacker can conduct a denial of service in Windows NT by executing a program with a malformed file image header.","MS:MS99-023 | URL:http://www.microsoft.com/technet/security/bulletin/ms99-023.mspx | MSKB:Q234557 | URL:http://support.microsoft.com/default.aspx?scid=kb;[LN];Q234557 | BID:499 | URL:http://www.securityfocus.com/bid/499 | XF:nt-malformed-image-header",,, CVE-1999-0727,Entry,"A kernel leak in the OpenBSD kernel allows IPsec packets to be sent unencrypted.","OPENBSD:19990608 Packets that should have been handled by IPsec may be transmitted as cleartext | XF:openbsd-ipsec-cleartext | OSVDB:6127 | URL:http://www.osvdb.org/6127",,, CVE-1999-0728,Entry,"A Windows NT user can disable the keyboard or mouse by directly calling the IOCTLs which control them.","MS:MS99-024 | URL:http://www.microsoft.com/technet/security/bulletin/ms99-024.mspx | MSKB:Q236359 | URL:http://support.microsoft.com/default.aspx?scid=kb;[LN];Q236359 | XF:nt-ioctl-dos",,, CVE-1999-0729,Entry,"Buffer overflow in Lotus Notes LDAP (NLDAP) allows an 
attacker to conduct a denial of service through the ldap_search request.","ISS:19990823 Denial of Service Attack against Lotus Notes Domino Server 4.6 | URL:http://xforce.iss.net/alerts/advise34.php | CIAC:J-061 | URL:http://www.ciac.org/ciac/bulletins/j-061.shtml | BID:601 | URL:http://www.securityfocus.com/bid/601 | XF:lotus-ldap-bo | OSVDB:1057 | URL:http://www.osvdb.org/1057",,, CVE-1999-0730,Entry,"The zsoelim program in the Debian man-db package allows local users to overwrite files via a symlink attack.","DEBIAN:19990612",,, CVE-1999-0731,Entry,"The KDE klock program allows local users to unlock a session using malformed input.","BUGTRAQ:19990623 Security flaw in klock | CALDERA:CSSA-1999:017 | SUSE:19990629 Security hole in Klock | BID:489 | URL:http://www.securityfocus.com/bid/489",,, CVE-1999-0732,Entry,"The logging facility of the Debian smtp-refuser package allows local users to delete arbitrary files using symbolic links.","DEBIAN:19990823b | XF:smtp-refuser-tmp",,, CVE-1999-0733,Entry,"Buffer overflow in VMWare 1.0.1 for Linux via a long HOME environmental variable.","BUGTRAQ:19990626 VMWare Advisory - buffer overflows | BUGTRAQ:19990626 VMware Security Alert | BUGTRAQ:19990705 Re: VMWare Advisory.. 
- exploit | BID:490 | URL:http://www.securityfocus.com/bid/490 | XF:vmware-bo",,, CVE-1999-0734,Entry,"A default configuration of CiscoSecure Access Control Server (ACS) allows remote users to modify the server database without authentication.","CISCO: CiscoSecure Access Control Server for UNIX Remote Administration Vulnerability | XF:ciscosecure-read-write",,, CVE-1999-0735,Entry,"KDE K-Mail allows local users to gain privileges via a symlink attack in temporary user directories.","ISS:KDE K-Mail File Creation Vulnerability | CALDERA:CSSA-1999:016 | REDHAT:RHSA-1999:015-01 | URL:http://www.redhat.com/support/errata/RHSA1999015_01.html | BID:300 | URL:http://www.securityfocus.com/bid/300",,, CVE-1999-0736,Candidate,"The showcode.asp sample file in IIS and Site Server allows remote attackers to read arbitrary files.","L0PHT:May7,1999 | MS:MS99-013 | URL:http://www.microsoft.com/technet/security/bulletin/ms99-013.asp | MSKB:Q232449 | MSKB:Q231368 | OVAL:oval:org.mitre.oval:def:932 | URL:http://oval.mitre.org/repository/data/getDef?id=oval:org.mitre.oval:def:932",Modified (20061101)," ACCEPT(4) Prosser, Wall, Ozancin, Stracener | MODIFY(2) Cole, Frech | NOOP(1) Baker | REVIEWING(1) Christey"," Frech> XF:iis-samples-showcode | Cole> There are several sample files that allow this. I would quote | showcode.asp but make it more generic. | Prosser> (Modify) | Have a question on this and on the following three candidates as well. All | of these are part of the file viewers utilities that allow unauthorized | files reading, but MSKB Q231368 also mentioned the diagnostics | program, Winmsdp.exe, as another vulnerable viewer in this same set of | viewers. If we are going to split out the separate viewer tools then | shouldn't there be a separate CAN for Winmsdp.exe also. | Christey> Mike's question basically touches on the CD:SF-EXEC | content decision - what do you do when you have the same bug | in multiple executables? 
CD:SF-EXEC needs to be reviewed | and approved by the Editorial Board before we can decide | what to do with this candidate. | Christey> Mark Burnett says that Microsoft's mention of winmsdp.exe in | MSKB:Q231368 may be an error, and that winmsdp.exe is a | Microsoft Diagnostics Report Generator which may not even | be installed as part of IIS. | | Also see http://www.securityfocus.com/focus/microsoft/iis/showcode.html | Christey> ADDREF BID:167 | URL:http://www.securityfocus.com/vdb/bottom.html?vid=167 | Christey> MISC:http://p.ulh.as/xploitsdb/NT/iis38.html covers a showcode.asp | directory traversal vulnerability and refers to the L0pht advisory. | | Mark Burnett's article is at: | MISC:http://www.securityfocus.com/infocus/1317" CVE-1999-0737,Candidate,"The viewcode.asp sample file in IIS and Site Server allows remote attackers to read arbitrary files.","MS:MS99-013 | URL:http://www.microsoft.com/technet/security/bulletin/ms99-013.asp | MSKB:Q231656",Proposed (19991208)," ACCEPT(4) Prosser, Wall, Ozancin, Stracener | MODIFY(1) Frech | NOOP(2) Baker, Christey | REJECT(1) Cole"," Frech> XF:iis-samples-viewcode | Cole> I would combine this with the previous. | Prosser> (modify) | See comments in 0736 above | Christey> See http://www.securityfocus.com/focus/microsoft/iis/showcode.html | for additional details. | Christey> Mark Burnett's article is at: | MISC:http://www.securityfocus.com/infocus/1317" CVE-1999-0738,Candidate,"The code.asp sample file in IIS and Site Server allows remote attackers to read arbitrary files.","MS:MS99-013 | URL:http://www.microsoft.com/technet/security/bulletin/ms99-013.asp | MSKB:Q232449 | MSKB:Q231368",Proposed (19991208)," ACCEPT(4) Prosser, Wall, Ozancin, Stracener | MODIFY(1) Frech | NOOP(2) Baker, Christey | REJECT(1) Cole"," Frech> XF:iis-samples-code | Cole> Same as above | Prosser> (modify) | See comments in 0736 above | Christey> See http://www.securityfocus.com/focus/microsoft/iis/showcode.html | for additional details. 
| Christey> Mark Burnett's article is at: | MISC:http://www.securityfocus.com/infocus/1317" CVE-1999-0739,Candidate,"The codebrws.asp sample file in IIS and Site Server allows remote attackers to read arbitrary files.","MS:MS99-013 | URL:http://www.microsoft.com/technet/security/bulletin/ms99-013.asp | MSKB:Q232449 | MSKB:Q231368",Proposed (19991208)," ACCEPT(4) Prosser, Wall, Ozancin, Stracener | MODIFY(1) Frech | NOOP(2) Baker, Christey | REJECT(1) Cole"," Frech> XF:iis-samples-codebrws | Cole> Same as above. | Prosser> (modify) | See comments in 0736 above | Christey> codebrw2.asp and Codebrw1.asp also need to be included | somewhere. | | Also see http://www.securityfocus.com/focus/microsoft/iis/showcode.html | Christey> Mark Burnett's article is at: | MISC:http://www.securityfocus.com/infocus/1317" CVE-1999-0740,Entry,"Remote attackers can cause a denial of service on Linux in.telnetd telnet daemon through a malformed TERM environmental variable.","BID:594 | URL:http://www.securityfocus.com/bid/594 | XF:linux-telnetd-term | CALDERA:CSSA-1999:022 | REDHAT:RHSA1999029_01",,, CVE-1999-0741,Candidate,"QMS CrownNet Unix Utilities for 2060 allows root to log on without a password.","BUGTRAQ:19990818 QMS 2060 printer security hole | BID:593 | URL:http://www.securityfocus.com/bid/593 | XF:qms-2060-no-root-password",Proposed (19991222)," ACCEPT(4) Baker, Frech, Stracener, Levy | NOOP(2) Christey, Oliver"," Christey> change description - anyone can log on *as* root | Frech> (Note: this XF also cataloged under CVE-1999-0508.)" CVE-1999-0742,Entry,"The Debian mailman package uses weak authentication, which allows attackers to gain privileges.","DEBIAN:19990623 | BID:480 | URL:http://www.securityfocus.com/bid/480",,, CVE-1999-0743,Entry,"Trn allows local users to overwrite other users' files via symlinks.","BUGTRAQ:19990819 Insecure use of file in /tmp by trn | DEBIAN:19990823c | SUSE:19990824 Security hole in trn | XF:trn-symlinks(3144) | 
URL:http://xforce.iss.net/xforce/xfdb/3144",,, CVE-1999-0744,Entry,"Buffer overflow in Netscape Enterprise Server and FastTrack Server allows remote attackers to gain privileges via a long HTTP GET request.","ISS:Buffer Overflow in Netscape Enterprise and FastTrack Web Servers | BID:603 | URL:http://www.securityfocus.com/bid/603",,, CVE-1999-0745,Entry,"Buffer overflow in Source Code Browser Program Database Name Server Daemon (pdnsd) for the IBM AIX C Set ++ compiler.","IBM:ERS-SVA-E01-1999:003.1 | CIAC:J-059 | URL:http://www.ciac.org/ciac/bulletins/j-059.shtml | BID:590 | URL:http://www.securityfocus.com/bid/590 | XF:aix-pdnsd-bo",,, CVE-1999-0746,Entry,"A default configuration of in.identd in SuSE Linux waits 120 seconds between requests, allowing a remote attacker to conduct a denial of service.","BUGTRAQ:19990814 DOS against SuSE's identd | SUSE:19990824 Security hole in netcfg | BID:587 | URL:http://www.securityfocus.com/bid/587 | XF:suse-identd-dos",,, CVE-1999-0747,Entry,"Denial of service in BSDi Symmetric Multiprocessing (SMP) when an fstat call is made when the system has a high CPU load.","BUGTRAQ:19990816 Symmetric Multiprocessing (SMP) Vulnerbility in BSDi 4.0.1 | URL:http://www.securityfocus.com/templates/archive.pike?list=1&msg=Pine.BSI.4.10.9908170253560.19291-100000@saturn.psn.net | BID:589 | URL:http://www.securityfocus.com/bid/589 | XF:bsdi-smp-dos",,, CVE-1999-0748,Candidate,"Buffer overflows in Red Hat net-tools package.","REDHAT:RHSA-1999:017-01",Proposed (19991214)," ACCEPT(4) Baker, Cole, Armstrong, Stracener | MODIFY(1) Frech | REJECT(1) Blake"," Blake> RHSA-1999:017-01 describes ""potential security problem fixed""; in the | absence of knowing whether or not the problems actually existed, I don't | think we have an entry here. 
| Frech> XF:redhat-net-tool-bo" CVE-1999-0749,Entry,"Buffer overflow in Microsoft Telnet client in Windows 95 and Windows 98 via a malformed Telnet argument.","BUGTRAQ:19990815 telnet.exe heap overflow - remotely exploitable | MS:MS99-033 | URL:http://www.microsoft.com/technet/security/bulletin/ms99-033.mspx | XF:win-ie5-telnet-heap-overflow | BID:586 | URL:http://www.securityfocus.com/bid/586",,, CVE-1999-0750,Candidate,"Hotmail allows Javascript to be executed via the HTML STYLE tag, allowing remote attackers to execute commands on the user's Hotmail account.","BUGTRAQ:19990913 Hotmail security vulnerability - injecting JavaScript using 'STYLE' tag | BID:630 | URL:http://www.securityfocus.com/bid/630",Proposed (19991222)," ACCEPT(1) Levy | MODIFY(2) Frech, Stracener | NOOP(1) Baker"," Stracener> Many sites are vulnerable to this problem. I recommend removing the | explicit references to Hotmail and making the description more generic. | Suggest: Javascript can be injected using the STYLE tag in an HTML | formatted e-mail, allowing remote attackers to execute commands on user | accounts. 
| Frech> XF:hotmail-html-style-embed" CVE-1999-0751,Entry,"Buffer overflow in Accept command in Netscape Enterprise Server 3.6 with the SSL Handshake Patch.","BUGTRAQ:19990913 Accept overflow on Netscape Enterprise Server 3.6 SP2 | BID:631 | URL:http://www.securityfocus.com/bid/631 | XF:netscape-accept-bo(3256) | URL:http://xforce.iss.net/xforce/xfdb/3256",,, CVE-1999-0752,Entry,"Denial of service in Netscape Enterprise Server via a buffer overflow in the SSL handshake.","BUGTRAQ:19990706 Netscape Enterprise Server SSL Handshake Bug",,, CVE-1999-0753,Entry,"The w3-msql CGI script provided with Mini SQL allows remote attackers to view restricted directories.","BUGTRAQ:19990817 Stupid bug in W3-msql | XF:mini-sql-w3-msql-cgi | BID:591 | URL:http://www.securityfocus.com/bid/591",,, CVE-1999-0754,Entry,"The INN inndstart program allows local users to gain privileges by specifying an alternate configuration file using the INNCONF environmental variable.","BUGTRAQ:19990511 INN 2.0 and higher. 
Root compromise potential | CALDERA:CSSA-1999-011.0 | URL:ftp://ftp.caldera.com/pub/security/OpenLinux/CSSA-1999-011.0.txt | SUSE:19990518 Security hole in INN | MISC:http://www.redhat.com/corp/support/errata/inn99_05_22.html | BID:255 | URL:http://www.securityfocus.com/bid/255 | XF:inn-innconf-env",,, CVE-1999-0755,Entry,"Windows NT RRAS and RAS clients cache a user's password even if the user has not selected the ""Save password"" option.","XF:nt-ras-pwcache | MSKB:Q230681 | URL:http://support.microsoft.com/default.aspx?scid=kb;[LN];Q230681 | MS:MS99-017 | URL:http://www.microsoft.com/technet/security/bulletin/ms99-017.mspx",,, CVE-1999-0756,Entry,"ColdFusion Administrator with Advanced Security enabled allows remote users to stop the ColdFusion server via the Start/Stop utility.","ALLAIRE:ASB99-07 | URL:http://www.allaire.com/handlers/index.cfm?ID=10968&Method=Full | XF:coldfusion-admin-dos(2207) | URL:http://xforce.iss.net/static/2207.php",,, CVE-1999-0757,Candidate,"The ColdFusion CFCRYPT program for encrypting CFML templates has weak encryption, allowing attackers to decrypt the templates.","ALLAIRE:ASB99-08 | URL:http://www.allaire.com/handlers/index.cfm?ID=10969&Method=Full | XF:coldfusion-encryption | URL:http://xforce.iss.net/static/2208.php",Proposed (20010214)," ACCEPT(3) Baker, Cole, Frech | NOOP(1) Christey"," Frech> XF:coldfusion-encryption | Christey> BUGTRAQ:19990724 Re: New Allaire Security Zone Bulletins and KB Articles | URL:http://www.securityfocus.com/archive/1/19471 | Christey> ADDREF BID:275 | URL:http://www.securityfocus.com/bid/275" CVE-1999-0758,Entry,"Netscape Enterprise 3.5.1 and FastTrack 3.01 servers allow a remote attacker to view source code to scripts by appending a %20 to the script's URL.","ALLAIRE:ASB99-06 | XF:netscape-space-view",,, CVE-1999-0759,Entry,"Buffer overflow in FuseMAIL POP service via long USER and PASS commands.","BUGTRAQ:19990913 Many kind of POP3/SMTP server softwares for Windows have buffer overflow bug | 
CONFIRM:http://www.crosswinds.net/~fuseware/faq.html#8 | BID:634 | URL:http://www.securityfocus.com/bid/634 | XF:fuseware-popmail-bo",,, CVE-1999-0760,Entry,"Undocumented ColdFusion Markup Language (CFML) tags and functions in the ColdFusion Administrator allow users to gain additional privileges.","ALLAIRE:ASB99-10 | URL:http://www.allaire.com/handlers/index.cfm?ID=11714&Method=Full | BID:550 | URL:http://www.securityfocus.com/bid/550 | XF:coldfusion-server-cfml-tags | URL:http://xforce.iss.net/static/3288.php",,, CVE-1999-0761,Entry,"Buffer overflow in FreeBSD fts library routines allows local user to modify arbitrary files via the periodic program.","FREEBSD:FreeBSD-SA-99:05 | XF:freebsd-fts-lib-bo | BID:644 | URL:http://www.securityfocus.com/bid/644 | OSVDB:1074 | URL:http://www.osvdb.org/1074",,, CVE-1999-0762,Entry,"When Javascript is embedded within the TITLE tag, Netscape Communicator allows a remote attacker to use the ""about"" protocol to gain access to browser information.","XF:netscape-title | BUGTRAQ:19990524 Netscape Communicator JavaScript in security vulnerability",,, CVE-1999-0763,Entry,"NetBSD on a multi-homed host allows ARP packets on one network to modify ARP entries on another connected network.","NETBSD:1999-010 | XF:netbsd-arp | OSVDB:6540 | URL:http://www.osvdb.org/6540",,, CVE-1999-0764,Entry,"NetBSD allows ARP packets to overwrite static ARP entries.","NETBSD:1999-010 | XF:netbsd-arp | OSVDB:6539 | URL:http://www.osvdb.org/6539",,, CVE-1999-0765,Entry,"SGI IRIX midikeys program allows local users to modify arbitrary files via a text editor.","BUGTRAQ:19990619 IRIX midikeys root exploit. 
| SGI:19990501-01-A | URL:ftp://patches.sgi.com/support/free/security/advisories/19990501-01-A | BID:262 | URL:http://www.securityfocus.com/bid/262 | XF:irix-midikeys",,, CVE-1999-0766,Entry,"The Microsoft Java Virtual Machine allows a malicious Java applet to execute arbitrary commands outside of the sandbox environment.","MS:MS99-031 | URL:http://www.microsoft.com/technet/security/bulletin/ms99-031.mspx | MSKB:Q240346 | URL:http://support.microsoft.com/default.aspx?scid=kb;[LN];Q240346 | BID:600 | URL:http://www.securityfocus.com/bid/600 | XF:msvm-verifier-java",,, CVE-1999-0767,Candidate,"Buffer overflow in Solaris libc, ufsrestore, and rcp via LC_MESSAGES environmental variable.","SUN:00189",Proposed (19991214)," ACCEPT(4) Baker, Cole, Dik, Blake | MODIFY(2) Frech, Stracener | REVIEWING(2) Prosser, Christey"," Stracener> Add Ref: CIAC: J-069 | Frech> XF:sun-libc-lcmessages | Prosser> BID 268 is an additional reference for this one as it has info on the Sun | vulnerability. However, BID 268 also includes AIX in this vulnerability and | refs APARS issued to fix a vulnerability in various 'nixs with the Natural | Language Service environmental variables NSLPATH and PATH_LOCALE depending | on the 'nix, ref CERT CA-97.10, CVE-1999-0041. However, Georgi Guninski | reported a BO in AIX with LC_MESSAGES + mount, also refed in BID 268, so it | is possible the AIX APARs fix an earlier, similar vulnerability to the Sun | BO in LC_MESSAGES. This should probably be considered under a different | CAN. Any ideas? | Christey> Given that the buffer overflows in CVE-1999-0041 are NLSPATH | and PATH_LOCALE, I'd say that's good evidence that this is not | the same problem. But a buffer overflow in libc in | LC_MESSAGES... We must ask if these are basically the same | codebase. 
| | ADDREF CIAC:J-069 | Christey> While the description indicates multiple programs, CD:SF-EXEC | does not apply because the vulnerability was in libc, and | rcp and ufsrestore were both statically linked against libc. | Thus CD:SF-LOC applies, and a single candidate is maintained | because the problem occurred in a library. | Dik> Sun bug 4240566 | Christey> I'm consulting with Casper Dik and Troy Bollinger to see if | this should be combined with the AIX buffer overflows for | LC_MESSAGES; current indications are that they should be | split. | Christey> For further consultation, consider this post, though it's | associated with CVE-1999-0041: | BUGTRAQ:19970213 Linux NLSPATH buffer overflow | http://www.securityfocus.com/archive/1/6296 | Also add ""NLSPATH"" and ""PATH_LOCALE"" to the description to | facilitate search." CVE-1999-0768,Entry,"Buffer overflow in Vixie Cron on Red Hat systems via the MAILTO environmental variable.","BID:602 | URL:http://www.securityfocus.com/bid/602 | REDHAT:RHSA-1999:030-02 | SUSE:19990829 Security hole in cron",,, CVE-1999-0769,Entry,"Vixie Cron on Linux systems allows local users to set parameters of sendmail commands via the MAILTO environmental variable.","REDHAT:RHSA-1999:030-02 | CALDERA:CSSA-1999:023.0 | SUSE:19990829 Security hole in cron | DEBIAN:19990830 cron | BID:611 | URL:http://www.securityfocus.com/bid/611",,, CVE-1999-0770,Entry,"Firewall-1 sets a long timeout for connections that begin with ACK or other packets except SYN, allowing an attacker to conduct a denial of service via a large number of connection attempts to unresponsive systems.","BUGTRAQ:19990729 Simple DOS attack on FW-1 | BID:549 | URL:http://www.securityfocus.com/bid/549 | CHECKPOINT:ACK DOS ATTACK | OSVDB:1027 | URL:http://www.osvdb.org/1027",,, CVE-1999-0771,Entry,"The web components of Compaq Management Agents and the Compaq Survey Utility allow a remote attacker to read arbitrary files via a .. 
(dot dot) attack.","BUGTRAQ:19990526 Infosec.19990526.compaq-im.a | COMPAQ:SSRT0612U | XF:management-agent-file-read",,, CVE-1999-0772,Entry,"Denial of service in Compaq Management Agents and the Compaq Survey Utility via a long string sent to port 2301.","BUGTRAQ:19990527 Re: Infosec.19990526.compaq-im.a (New DoS and correction to my previous post) | COMPAQ:SSRT0612U | XF:management-agent-dos",,, CVE-1999-0773,Entry,"Buffer overflow in Solaris lpset program allows local users to gain root access.","BUGTRAQ:19990511 Solaris2.6 and 2.7 lpset overflow | URL:http://www.netspace.org/cgi-bin/wa?A2=ind9905B&L=bugtraq&P=R2017 | XF:sol-lpset-bo",,, CVE-1999-0774,Entry,"Buffer overflows in Mars NetWare Emulation (NWE, mars_nwe) package via long directory names.","BUGTRAQ:19990830 Babcia Padlina Ltd. security advisory: mars_nwe buffer overf | REDHAT:RHSA1999037_01 | SUSE:19990916 Security hole in mars nwe | BID:617 | URL:http://www.securityfocus.com/bid/617",,, CVE-1999-0775,Entry,"Cisco Gigabit Switch routers running IOS allow remote attackers to forward unauthorized packets due to improper handling of the ""established"" keyword in an access list.","CISCO:19990610 Cisco IOS Software established Access List Keyword Error | XF:cisco-gigaswitch",,, CVE-1999-0776,Candidate,"Alibaba HTTP server allows remote attackers to read files via a .. (dot dot) attack.","NTBUGTRAQ:19990506 ""..""-hole in Alibaba 2.0 | URL:http://www.ntbugtraq.com/default.asp?pid=36&sid=1&A2=ind9905&L=NTBUGTRAQ&P=R1533 | XF:http-alibaba-dotdot",Proposed (19991214)," ACCEPT(4) Frech, Ozancin, Stracener, Levy | MODIFY(1) Baker | NOOP(6) Wall, Landfield, Cole, Armstrong, Blake, LeBlanc | REVIEWING(1) Christey"," Christey> This candidate is unconfirmed by the vendor. | | Posted by Arne Vidstrom. | Blake> I'd like to change my vote on this from ACCEPT to NOOP. I did some | digging and the vendor seems to have discontinued the product, so no | information is available beyond Arne's post. 
Unless Andre has a copy | in his archive and can test it, I think we have to leave it out. | Wall> I agree with Blake. We have not seen the product and it has been discontinued. | CHANGE> [Christey changed vote from NOOP to REVIEWING] | Christey> If this is (or was) tested by some tool, we should ACCEPT it. | Baker> http://www.securityfocus.com/bid/270 | Christey> BID:270 | URL:http://www.securityfocus.com/bid/270" CVE-1999-0777,Entry,"IIS FTP servers may allow a remote attacker to read or delete files on the server, even if they have ""No Access"" permissions.","MS:MS99-039 | URL:http://www.microsoft.com/technet/security/bulletin/ms99-039.asp | MSKB:Q241407 | URL:http://support.microsoft.com/default.aspx?scid=kb;[LN];Q241407 | MSKB:Q242559 | URL:http://support.microsoft.com/default.aspx?scid=kb;[LN];Q242559 | XF:iis-ftp-no-access-files | BID:658 | URL:http://www.securityfocus.com/bid/658",,, CVE-1999-0778,Entry,"Buffer overflow in Xi Graphics Accelerated-X server allows local users to gain root access via a long display or query parameter.","BUGTRAQ:19990626 KSR[T] #011: Accelerated-X | KSRT:011 | BID:488 | URL:http://www.securityfocus.com/bid/488 | XF:accelx-display-bo",,, CVE-1999-0779,Entry,"Denial of service in HP-UX SharedX recserv program.","HP:HPSBUX9810-086 | URL:http://www1.itrc.hp.com/service/cki/docDisplay.do?docId=HPSBUX9810-086 | XF:hp-sharedx",,, CVE-1999-0780,Entry,"KDE klock allows local users to kill arbitrary processes by specifying an arbitrary PID in the .kss.pid file.","BUGTRAQ:19981118 Multiple KDE security vulnerabilities (root compromise) | URL:http://marc.theaimsgroup.com/?l=bugtraq&m=91141486301691&w=2 | XF:kde-klock-process-kill",,, CVE-1999-0781,Entry,"KDE allows local users to execute arbitrary commands by setting the KDEDIR environmental variable to modify the search path that KDE uses to locate its executables.","BUGTRAQ:19981118 Multiple KDE security vulnerabilities (root compromise) | 
URL:http://marc.theaimsgroup.com/?l=bugtraq&m=91141486301691&w=2 | XF:kde-klock-bindir-trojans",,, CVE-1999-0782,Entry,"KDE kppp allows local users to create a directory in an arbitrary location via the HOME environmental variable.","BUGTRAQ:19981118 Multiple KDE security vulnerabilities (root compromise) | URL:http://marc.theaimsgroup.com/?l=bugtraq&m=91141486301691&w=2 | XF:kde-kppp-directory-create",,, CVE-1999-0783,Entry,"FreeBSD allows local users to conduct a denial of service by creating a hard link from a device special file to a file on an NFS file system.","FREEBSD:FreeBSD-SA-98:05 | CIAC:I-057 | URL:http://www.ciac.org/ciac/bulletins/i-057.shtml | XF:freebsd-nfs-link-dos | OSVDB:6090 | URL:http://www.osvdb.org/6090",,, CVE-1999-0784,Candidate,"Denial of service in Oracle TNSLSNR SQL*Net Listener via a malformed string to the listener port, aka NERP.","NTBUGTRAQ:19980827 NERP DoS attack possible in Oracle | URL:http://archives.neohapsis.com/archives/ntbugtraq/1998/msg00536.html | BUGTRAQ:19990104 Re: Fw:""NERP"" DoS attack possible in Oracle | URL:http://archives.neohapsis.com/archives/bugtraq/1999_1/0056.html | BUGTRAQ:19981228 Oracle8 TNSLSNR DoS | URL:http://archives.neohapsis.com/archives/bugtraq/1998_4/0764.html",Proposed (20010214)," ACCEPT(1) Baker | MODIFY(1) Frech | NOOP(1) Cole"," Frech> XF:oracle-tnslsnr-dos(1551)" CVE-1999-0785,Entry,"The INN inndstart program allows local users to gain root privileges via the ""pathrun"" parameter in the inn.conf file.","BUGTRAQ:19990511 INN 2.0 and higher. 
Root compromise potential | SUSE:19990518 Security hole in INN | XF:inn-pathrun | BID:254 | URL:http://www.securityfocus.com/bid/254",,, CVE-1999-0786,Entry,"The dynamic linker in Solaris allows a local user to create arbitrary files via the LD_PROFILE environmental variable and a symlink attack.","BUGTRAQ:19990922 LD_PROFILE local root exploit for solaris 2.6 | BID:659 | URL:http://www.securityfocus.com/bid/659",,, CVE-1999-0787,Entry,"The SSH authentication agent follows symlinks via a UNIX domain socket.","BUGTRAQ:19990917 A few bugs... | URL:http://marc.theaimsgroup.com/?l=bugtraq&m=93760201002154&w=2 | BUGTRAQ:19990924 [Fwd: Truth about ssh 1.2.27 vulnerability] | URL:http://marc.theaimsgroup.com/?l=bugtraq&m=93832856804415&w=2 | XF:ssh-socket-auth-symlink-dos | BID:660 | URL:http://www.securityfocus.com/bid/660",,, CVE-1999-0788,Entry,"Arkiea nlservd allows remote attackers to conduct a denial of service.","BUGTRAQ:19990924 Multiple vendor Knox Arkiea local root/remote DoS | URL:http://marc.theaimsgroup.com/?l=bugtraq&m=93837184228248&w=2 | BID:662 | URL:http://www.securityfocus.com/bid/662 | XF:arkiea-backup-nlserverd-remote-dos",,, CVE-1999-0789,Entry,"Buffer overflow in AIX ftpd in the libc library.","BUGTRAQ:19990928 Remote bufferoverflow exploit for ftpd from AIX 4.3.2 running on an RS6000 | IBM:ERS-SVA-E01-1999:004.1 | CIAC:J-072 | URL:http://www.ciac.org/ciac/bulletins/j-072.shtml | XF:aix-ftpd-bo | BID:679 | URL:http://www.securityfocus.com/bid/679",,, CVE-1999-0790,Entry,"A remote attacker can read information from a Netscape user's cache via JavaScript.","MISC:http://home.netscape.com/security/notes/jscachebrowsing.html | XF:netscape-javascript",,, CVE-1999-0791,Entry,"Hybrid Network cable modems do not include an authentication mechanism for administration, allowing remote attackers to compromise the system through the HSMP protocol.","BUGTRAQ:19991006 KSR[T] Advisories #012: Hybrid Network's Cable Modems | KSRT:012 | BID:695 | 
URL:http://www.securityfocus.com/bid/695 | XF:hybrid-anon-cable-modem-reconfig",,, CVE-1999-0792,Candidate,"ROUTERmate has a default SNMP community name which allows remote attackers to modify its configuration.","MISC:http://www2.merton.ox.ac.uk/~security/rootshell/0022.html",Modified (20000827)," ACCEPT(1) Baker | MODIFY(2) Frech, Stracener | NOOP(1) Christey | REVIEWING(1) Levy"," Stracener> Change the Ref to read: ROOTSHELL: Osicom Technologies ROUTERmate | Security | Advisory | Frech> XF:routermate-snmp-community | Christey> BUGTRAQ:19980914 [rootshell] Security Bulletin #23 | URL:http://marc.theaimsgroup.com/?l=bugtraq&m=90581019105693&w=2" CVE-1999-0793,Entry,"Internet Explorer allows remote attackers to read files by redirecting data to a Javascript applet.","MS:MS99-043 | URL:http://www.microsoft.com/technet/security/bulletin/ms99-043.mspx | XF:ie-java-redirect",,, CVE-1999-0794,Entry,"Microsoft Excel does not warn a user when a macro is present in a Symbolic Link (SYLK) format file.","MS:MS99-044 | URL:http://www.microsoft.com/technet/security/bulletin/ms99-044.mspx | XF:excel-sylk | MSKB:Q241900 | URL:http://support.microsoft.com/default.aspx?scid=kb;[LN];Q241900 | MSKB:Q241901 | URL:http://support.microsoft.com/default.aspx?scid=kb;[LN];Q241901 | MSKB:Q241902 | URL:http://support.microsoft.com/default.aspx?scid=kb;[LN];Q241902",,, CVE-1999-0795,Candidate,"The NIS+ rpc.nisd server allows remote attackers to execute certain RPC calls without authentication to obtain system information, disable logging, or modify caches.","NAI:NAI-27",Proposed (19991222)," ACCEPT(2) Baker, Stracener | MODIFY(1) Frech | NOOP(1) Ozancin"," Frech> XF:sun-nisplus" CVE-1999-0796,Entry,"FreeBSD T/TCP Extensions for Transactions can be subjected to spoofing attacks.","FREEBSD:SA-98.03 | XF:freebsd-ttcp-spoof | OSVDB:6089 | URL:http://www.osvdb.org/6089",,, CVE-1999-0797,Entry,"NIS finger allows an attacker to conduct a denial of service via a large number of finger requests, 
resulting in a large number of NIS queries.","ISS:19980629 Distributed DoS attack against NIS/NIS+ based networks. | CIAC:I-070 | URL:http://www.ciac.org/ciac/bulletins/i-070.shtml | XF:sun-nis-nisplus",,, CVE-1999-0798,Candidate,"Buffer overflow in bootpd on OpenBSD, FreeBSD, and Linux systems via a malformed header type.","BUGTRAQ:19981204 bootpd remote vulnerability | URL:http://marc.theaimsgroup.com/?l=bugtraq&m=91278867118128&w=2",Proposed (19991222)," ACCEPT(3) Baker, Ozancin, Stracener | MODIFY(1) Frech | NOOP(1) Christey"," Christey> Is CVE-1999-0389 a duplicate of CVE-1999-0798? CVE-1999-0389 | has January 1999 dates associated with it, while CVE-1999-0798 | was reported in late December. | | http://marc.theaimsgroup.com/?l=bugtraq&m=91278867118128&w=2 | | SCO appears to have acknowledged this as well: | ftp://ftp.sco.com/SSE/security_bulletins/SB-99.01a | | The poster also claims that OpenBSD fixed this as well. | Frech> XF:bootp-remote-bo | Christey> Further analysis indicates that this is a duplicate of CVE-1999-0799 | CHANGE> [Christey changed vote from REJECT to NOOP] | Christey> What was I thinking? Brian Caswell pointed out that this is | *not* the same bug as CVE-1999-0799. As reported in the | 1998 Bugtraq post, the bug is in bootpd.c, and is related | to providing an htype value that is used as an index | into an array, and exceeds the intended boundaries of that | array." 
CVE-1999-0799,Entry,"Buffer overflow in bootpd 2.4.3 and earlier via a long boot file location.","BUGTRAQ:19970725 Exploitable buffer overflow in bootpd (most unices) | XF:bootpd-bo",,, CVE-1999-0800,Entry,"The GetFile.cfm file in Allaire Forums allows remote attackers to read files through a parameter to GetFile.cfm.","ALLAIRE:ASB99-05 | URL:http://www.allaire.com/handlers/index.cfm?ID=9602&Method=Full | NTBUGTRAQ:19990211 ACFUG List: Alert: Allaire Forums GetFile bug | URL:http://archives.neohapsis.com/archives/ntbugtraq/1998-1999/msg00332.html | XF:allaire-forums-file-read(1748) | URL:http://xforce.iss.net/xforce/xfdb/1748 | OSVDB:944 | URL:http://www.osvdb.org/944",,, CVE-1999-0801,Entry,"BMC Patrol allows remote attackers to gain access to an agent by spoofing frames.","BUGTRAQ:19990409 Patrol security bugs | URL:http://www.securityfocus.com/archive/1/13204 | XF:bmc-patrol-frames(2075) | URL:http://www.iss.net/security_center/static/2075.php",,, CVE-1999-0802,Entry,"Buffer overflow in Internet Explorer 5 allows remote attackers to execute commands via a malformed Favorites icon.","BUGTRAQ:19990503 MSIE 5 FAVICON BUG | MS:MS99-018 | URL:http://www.microsoft.com/technet/security/bulletin/ms99-018.mspx | MSKB:Q231450 | URL:http://support.microsoft.com/default.aspx?scid=kb;[LN];Q231450 | XF:ie-favicon",,, CVE-1999-0803,Entry,"The fwluser script in AIX eNetwork Firewall allows local users to write to arbitrary files via a symlink attack.","BUGTRAQ:19990525 IBM eNetwork Firewall for AIX | URL:http://marc.theaimsgroup.com/?l=bugtraq&m=92765973207648&w=2 | XF:ibm-enfirewall-tmpfiles | OSVDB:962 | URL:http://www.osvdb.org/962",,, CVE-1999-0804,Entry,"Denial of service in Linux 2.2.x kernels via malformed ICMP packets containing unusual types, codes, and IP header lengths.","BUGTRAQ:19990601 Linux kernel 2.2.x vulnerability/exploit | DEBIAN:19990607 | CALDERA:CSSA-1999:013 | SUSE:19990602 Denial of Service on the 2.2 kernel | REDHAT:19990603 Kernel Update | BID:302 | 
URL:http://www.securityfocus.com/bid/302",,, CVE-1999-0805,Candidate,"Novell NetWare Transaction Tracking System (TTS) in Novell 4.11 and earlier allows remote attackers to cause a denial of service via a large number of requests.","BUGTRAQ:19990512 DoS with Netware 4.x's TTS | URL:http://archives.neohapsis.com/archives/bugtraq/1999_2/0439.html | XF:novell-tts-dos | URL:http://xforce.iss.net/static/2184.php",Proposed (20010214)," ACCEPT(2) Baker, Frech | NOOP(2) Cole, Christey"," Christey> BID:276 | URL:http://www.securityfocus.com/vdb/bottom.html?vid=276 | Frech> XF:novell-tts-dos" CVE-1999-0806,Entry,"Buffer overflow in Solaris dtprintinfo program.","BUGTRAQ:19990510 Solaris2.6,2.7 dtprintinfo exploits | XF:cde-dtprintinfo | OSVDB:6552 | URL:http://www.osvdb.org/6552",,, CVE-1999-0807,Entry,"The Netscape Directory Server installation procedure leaves sensitive information in a file that is accessible to local users.","XF:netscape-dirsvc-password",,, CVE-1999-0808,Candidate,"Multiple buffer overflows in ISC DHCP Distribution server (dhcpd) 1.0 and 2.0 allow a remote attacker to cause a denial of service (crash) and possibly execute arbitrary commands via long options.","BUGTRAQ:19980518 DHCP 1.0 and 2.0 SECURITY ALERT! 
(fwd) | URL:http://marc.theaimsgroup.com/?l=bugtraq&m=90221101925960&w=2 | CIAC:I-053 | URL:http://ciac.llnl.gov/ciac/bulletins/i-053.shtml | MISC:ftp://ftp.isc.org/isc/dhcp/dhcp-1.0-history/dhcp-1.0.0-1.0pl1.diff.gz",Proposed (20010912)," ACCEPT(4) Foat, Cole, Armstrong, Stracener | MODIFY(1) Frech | NOOP(1) Wall"," Frech> XF:dhcp-remote-dos(7248)" CVE-1999-0809,Entry,"Netscape Communicator 4.x with Javascript enabled does not warn a user of cookie settings, even if they have selected the option to ""Only accept cookies originating from the same server as the page being viewed"".","BUGTRAQ:19990709 Communicator 4.[56]x, JavaScript used to bypass cookie settings",,, CVE-1999-0810,Entry,"Denial of service in Samba NETBIOS name service daemon (nmbd).","BUGTRAQ:19990721 Samba 2.0.5 security fixes | CALDERA:CSSA-1999:018.0 | DEBIAN:19990731 | DEBIAN:19990804 | REDHAT:RHSA-1999:022-02 | SUSE:19990816 Security hole in Samba",,, CVE-1999-0811,Entry,"Buffer overflow in Samba smbd program via a malformed message command.","BUGTRAQ:19990721 Samba 2.0.5 security fixes | REDHAT:RHSA-1999:022-02 | CALDERA:CSSA-1999:018.0 | SUSE:19990816 Security hole in Samba | DEBIAN:19990731 Samba | XF:samba-message-bo | BID:536 | URL:http://www.securityfocus.com/bid/536",,, CVE-1999-0812,Entry,"Race condition in Samba smbmnt allows local users to mount file systems in arbitrary locations.","BUGTRAQ:19990721 Samba 2.0.5 security fixes | DEBIAN:19990731 | DEBIAN:19990804 | CALDERA:CSSA-1999:018.0 | REDHAT:RHSA-1999:022-02 | SUSE:19990816 Security hole in Samba",,, CVE-1999-0813,Entry,"Cfingerd with ALLOW_EXECUTION enabled does not properly drop privileges when it executes a program on behalf of the user, allowing local users to gain root privileges.","BUGTRAQ:19990810 Severe bug in cfingerd before 1.4.0 | BUGTRAQ:19980724 CFINGERD root security hole | DEBIAN:19990814 | XF:cfingerd-privileges",,, CVE-1999-0814,Entry,"Red Hat pump DHCP client allows remote attackers to gain root access in some 
configurations.","REDHAT:RHSA-1999:027 | URL:http://www.redhat.com/support/errata/RHSA-1999-027.html",,, CVE-1999-0815,Entry,"Memory leak in SNMP agent in Windows NT 4.0 before SP5 allows remote attackers to conduct a denial of service (memory exhaustion) via a large number of queries.","MSKB:Q196270 | URL:http://support.microsoft.com/support/kb/articles/q196/2/70.asp | XF:nt-snmpagent-leak(1974) | URL:http://xforce.iss.net/static/1974.php | OVAL:oval:org.mitre.oval:def:952 | URL:http://oval.mitre.org/repository/data/getDef?id=oval:org.mitre.oval:def:952",,, CVE-1999-0816,Candidate,"The Motorola CableRouter allows any remote user to connect to and configure the router on port 1024.","BUGTRAQ:19980510 Security Vulnerability in Motorola CableRouters | URL:http://www.netspace.org/cgi-bin/wa?A2=ind9805B&L=bugtraq&P=R1621 | XF:motorola-cable-default-pass",Modified (20000313-01)," ACCEPT(3) Baker, Cole, Stracener | MODIFY(1) Frech | NOOP(2) LeBlanc, Christey"," Christey> This candidate is unconfirmed by the vendor. | Frech> XF:motorola-cable-default-pass" CVE-1999-0817,Entry,"Lynx WWW client allows a remote attacker to specify command-line parameters which Lynx uses when calling external programs to handle certain protocols, e.g. telnet.","SUSE:19990915 Security hole in lynx",,, CVE-1999-0818,Candidate,"Buffer overflow in Solaris kcms_configure via a long NETPATH environmental variable.","BUGTRAQ:19991130 another hole of Solaris7 kcms_configure | URL:http://www.securityfocus.com/templates/archive.pike?list=1&msg=38433B7F5A.53F4SHADOWPENGUIN@fox.nightland.net | BID:831 | URL:http://www.securityfocus.com/bid/831",Proposed (19991208)," ACCEPT(2) Armstrong, Stracener | MODIFY(4) Prosser, Cole, Frech, Dik | NOOP(1) Baker | REVIEWING(1) Christey"," Cole> This can cause code to be executed. | Frech> XF:sol-kcms-conf-netpath-bo | Dik> the bug has nothing to do with kcms_configure; it's a bug | in libnsl.so. All set-uid executables that trigger this code path are | vulnerable. 
Sun bug 4295834; fixed in Solaris 8. | Prosser> Okay, I am confused. Based on Casper's comments and checking | on the Sun patch site, I found the 4295834 bug(4295834 NETPATH security | problem in libnsl) fixed in SunOS 5.4, Patch 101974-37(x86) 101973 (sparc). | Multiple libnsl vulnerabilities were first reported in a 98 Sun Bulletin | #00172 for 5.4 up through 2.6. Was this NETPATH a problem that resurfaced | in 7 (looks like in 5.4 as well) and was fixed in 8? | Christey> Need to dig up my offline email on this. | Christey> May be a duplicate of CVE-1999-0321, whose sole reference | (XF:sun-kcms-configure-bo) no longer exists. Also examine | BID:452 and | BUGTRAQ:19981223 Merry Christmas to Sun! (Was: L0pht NFR N-Code | Modules Updated) | | which are the same as XF:sol-kcms-conf-p-bo(3652), which could | be the new name for XF:sun-kcms-configure-bo." CVE-1999-0819,Entry,"NTMail does not disable the VRFY command, even if the administrator has explicitly disabled it.","NTBUGTRAQ:19991130 NTmail and VRFY | BUGTRAQ:19991130 NTmail and VRFY | URL:http://marc.theaimsgroup.com/?l=bugtraq&m=94398141118586&w=2 | XF:nt-mail-vrfy",,, CVE-1999-0820,Entry,"FreeBSD seyon allows users to gain privileges via a modified PATH variable for finding the xterm and seyon-emu commands.","BUGTRAQ:19991130 Several FreeBSD-3.3 vulnerabilities | BID:838 | URL:http://www.securityfocus.com/bid/838 | XF:freebsd-seyon-dir-add | OSVDB:5996 | URL:http://www.osvdb.org/5996",,, CVE-1999-0821,Candidate,"FreeBSD seyon allows local users to gain privileges by providing a malicious program in the -emulator argument.","BUGTRAQ:19991130 Several FreeBSD-3.3 vulnerabilities | BID:838 | URL:http://www.securityfocus.com/bid/838",Proposed (19991208)," ACCEPT(2) Armstrong, Stracener | MODIFY(1) Frech | NOOP(2) Baker, Christey | REJECT(1) Cole | REVIEWING(1) Prosser"," Cole> I would combine this with the previous. To me the general | vulnerabilities are similar; it is just the end result that changes. 
| Frech> XF:freebsd-seyon-setgid | Christey> ADDREF? CALDERA:CSSA-1999-037.0" CVE-1999-0822,Candidate,"Buffer overflow in Qpopper (qpop) 3.0 allows remote root access via AUTH command.","BUGTRAQ:19991130 serious Qpopper 3.0 vulnerability | BUGTRAQ:19991130 qpop3.0b20 and below - notes and exploit | BID:830 | URL:http://www.securityfocus.com/bid/830",Proposed (19991208)," ACCEPT(4) Baker, Cole, Armstrong, Stracener | MODIFY(1) Frech | NOOP(1) Christey | REVIEWING(1) Prosser"," Frech> XF:qpopper-auth-bo | Christey> ADDREF? DEBIAN:19991215 buffer overflow in qpopper v3.0 | ADDREF XF:qpopper-auth-bo" CVE-1999-0823,Entry,"Buffer overflow in FreeBSD xmindpath allows local users to gain privileges via -f argument.","BUGTRAQ:19991130 Several FreeBSD-3.3 vulnerabilities | BID:839 | URL:http://www.securityfocus.com/bid/839 | XF:freebsd-xmindpath | OSVDB:1150 | URL:http://www.osvdb.org/1150",,, CVE-1999-0824,Entry,"A Windows NT user can use SUBST to map a drive letter to a folder, which is not unmapped after the user logs off, potentially allowing that user to modify the location of folders accessed by later users.","BID:833 | URL:http://www.securityfocus.com/bid/833 | NTBUGTRAQ:19991130 SUBST problem | BUGTRAQ:19991130 Subst.exe carelessness (fwd)",,, CVE-1999-0825,Candidate,"The default permissions for UnixWare /var/mail allow local users to read and modify other users' mail.","BUGTRAQ:19991203 UnixWare read/modify users' mail | BUGTRAQ:19991215 Recent postings about SCO UnixWare 7 | BUGTRAQ:19991223 FYI, SCO Security patches available. 
| BID:849 | URL:http://www.securityfocus.com/bid/849",Modified (20000121-01)," ACCEPT(4) Baker, Cole, Armstrong, Stracener | MODIFY(1) Frech | NOOP(1) Christey | REVIEWING(1) Prosser"," Frech> XF:sco-mail-permissions | Christey> ADDREF ftp://ftp.sco.com/SSE/security_bulletins/SB-99.25a" CVE-1999-0826,Entry,"Buffer overflow in FreeBSD angband allows local users to gain privileges.","BUGTRAQ:19991130 Several FreeBSD-3.3 vulnerabilities | BID:840 | URL:http://www.securityfocus.com/bid/840 | XF:angband-bo | OSVDB:1151 | URL:http://www.osvdb.org/1151",,, CVE-1999-0827,Candidate,"By default, Internet Explorer 5.0 and other versions enables the ""Navigate sub-frames across different domains"" option, which allows frame spoofing.","BUGTRAQ:19991130 Default IE 5.0 security settings allow frame spoofing",Proposed (19991208)," ACCEPT(4) LeBlanc, Baker, Armstrong, Stracener | MODIFY(2) Cole, Frech | REVIEWING(1) Prosser"," Cole> The BID is 855. If I have the right vulnerability, this allows an | attacker to access URLs of their choosing which could lead to a compromise | of private information. | Frech> XF:http-frame-spoof | Question: Similar vulnerability to MS98-020 / CVE-1999-0869? | LeBlanc> MSRC tells me this is patched in MS00-009" CVE-1999-0828,Candidate,"UnixWare pkg commands such as pkginfo, pkgcat, and pkgparam allow local users to read arbitrary files via the dacread permission.","BUGTRAQ:19991203 UnixWare and the dacread permission | BUGTRAQ:19991204 UnixWare pkg* command exploits | BUGTRAQ:19991223 FYI, SCO Security patches available. | BUGTRAQ:19991220 SCO OpenServer Security Status | BID:853 | URL:http://www.securityfocus.com/bid/853",Modified (20000121-01)," ACCEPT(3) Baker, Armstrong, Stracener | MODIFY(2) Cole, Frech | REVIEWING(2) Prosser, Christey"," Cole> This is BID 850. | Christey> See comments on CVE-1999-0988. Perhaps these two should be | merged. 
ftp://ftp.sco.com/SSE/security_bulletins/SB-99.28a | loosely alludes to this problem; the README for patch SSE053 | effectively confirms it. | Frech> XF:sco-pkg-dacread-fileread" CVE-1999-0829,Candidate,"HP Secure Web Console uses weak encryption.","BUGTRAQ:19991201 HP Secure Web Console",Proposed (19991208)," ACCEPT(2) Armstrong, Stracener | MODIFY(1) Frech | NOOP(2) Baker, Cole | REVIEWING(1) Prosser"," Cole> I could not find details on this using the above references. | Frech> XF:hp-secure-console" CVE-1999-0830,Candidate,"Buffer overflow in SCO UnixWare Xsco command via a long argument.","BUGTRAQ:19991126 [w00giving '99 #6]: UnixWare 7's Xsco",Proposed (19991208)," ACCEPT(3) Baker, Armstrong, Stracener | MODIFY(3) Prosser, Cole, Frech | REVIEWING(1) Christey"," Cole> This is BID 824 and the BUGTRAQ reference is 19991125. | Frech> XF:sco-unixware-xsco | Christey> Confirmed by vendor, albeit vaguely: | http://marc.theaimsgroup.com/?l=bugtraq&m=94581379905584&w=2 | | Prosser> agree with Steve on vendor confirmation, however not sure the | fix ref'd in BID 824 (SSE041) is right. It lists fixes for libnsl and | tcpip.so, nothing about xsco. SSE050b | (ftp://ftp.sco.com/SSE/security_bulletins/SB-99.26b) fixes a buffer overflow | in xsco on OpenServer (the vendor message Steve refers to) but not the | UnixWare vulnerability reported on Bugtraq and in BID824. Anyone more | familiar with SCO shed some light on this? Are they the same codebase so fix | would be same? From the SCO site it seems the UnixWare and OpenServer | products are similar but have differences. 
| CHANGE> [Christey changed vote from NOOP to REVIEWING] | Christey> BID:824 | http://www.securityfocus.com/bid/824" CVE-1999-0831,Entry,"Denial of service in Linux syslogd via a large number of connections.","CALDERA:CSSA-1999-035.0 | URL:ftp://ftp.caldera.com/pub/security/OpenLinux/CSSA-1999-035.0.txt | REDHAT:RHSA1999055-01 | SUSE:19991118 syslogd-1.3.33 (a1) | BUGTRAQ:19991130 [david@slackware.com: New Patches for Slackware 4.0 Available] | BID:809 | URL:http://www.securityfocus.com/bid/809 | XF:slackware-syslogd-dos",,, CVE-1999-0832,Entry,"Buffer overflow in NFS server on Linux allows attackers to execute commands via a long pathname.","BUGTRAQ:19991109 undocumented bugs - nfsd | URL:http://www.securityfocus.com/templates/archive.pike?list=1&msg=Pine.LNX.4.20.9911091058140.12964-100000@mail.zigzag.pl | DEBIAN:19991111 buffer overflow in nfs server | URL:http://www.debian.org/security/1999/19991111 | SUSE:19991110 Security hole in nfs-server < 2.2beta47 within nkita | URL:http://www.novell.com/linux/security/advisories/suse_security_announce_29.html | CALDERA:CSSA-1999-033.0 | URL:ftp://ftp.calderasystems.com/pub/OpenLinux/security/CSSA-1999-033.0.txt | REDHAT:RHSA-1999:053-01 | URL:http://www.redhat.com/support/errata/rh42-errata-general.html#NFS | BUGTRAQ:19991130 [david@slackware.com: New Patches for Slackware 4.0 Available] | XF:linux-nfs-maxpath-bo | BID:782 | URL:http://www.securityfocus.com/bid/782",,, CVE-1999-0833,Entry,"Buffer overflow in BIND 8.2 via NXT records.","SUSE:19991111 Security hole in bind8 < 8.2.2p2 and bind4 < 4.9.7-REL | DEBIAN:19991116 Denial of service vulnerabilities in bind | CALDERA:CSSA-1999-034.1 | URL:ftp://ftp.caldera.com/pub/security/OpenLinux/CSSA-1999-034.1.txt | REDHAT:RHSA-1999:054-01 | CERT:CA-99-14 | BID:788 | URL:http://www.securityfocus.com/bid/788 | XF:bind-nxt-bo",,, CVE-1999-0834,Entry,"Buffer overflow in RSAREF2 via the encryption and decryption functions in the RSAREF library.","BUGTRAQ:19991201 Security 
Advisory: Buffer overflow in RSAREF2 | BUGTRAQ:19991202 OpenBSD sslUSA26 advisory (Re: CORE-SDI: Buffer overflow in RSAREF2) | CERT:CA-99-15 | BID:843 | URL:http://www.securityfocus.com/bid/843 | XF:rsaref-bo",,, CVE-1999-0835,Entry,"Denial of service in BIND named via malformed SIG records.","SUSE:19991111 Security hole in bind8 < 8.2.2p2 and bind4 < 4.9.7-REL | DEBIAN:19991116 Denial of service vulnerabilities in bind | CALDERA:CSSA-1999-034.1 | URL:ftp://ftp.caldera.com/pub/security/OpenLinux/CSSA-1999-034.1.txt | REDHAT:RHSA-1999:054-01 | CERT:CA-99-14 | XF:bind-sigrecord-dos | BID:788 | URL:http://www.securityfocus.com/bid/788",,, CVE-1999-0836,Entry,"UnixWare uidadmin allows local users to modify arbitrary files via a symlink attack.","BUGTRAQ:19991202 UnixWare 7 uidadmin exploit + discussion | URL:http://www.securityfocus.com/templates/archive.pike?list=1&msg=19991202160111.20553.qmail@nwcst282.netaddress.usa.net | SCO:SB-99.22a | URL:ftp://ftp.sco.com/SSE/security_bulletins/SB-99.22a | BID:842 | URL:http://www.securityfocus.com/bid/842 | XF:unixware-uid-admin",,, CVE-1999-0837,Entry,"Denial of service in BIND by improperly closing TCP sessions via so_linger.","SUSE:19991111 Security hole in bind8 < 8.2.2p2 and bind4 < 4.9.7-REL | DEBIAN:19991116 Denial of service vulnerabilities in bind | CALDERA:CSSA-1999-034.1 | URL:ftp://ftp.caldera.com/pub/security/OpenLinux/CSSA-1999-034.1.txt | REDHAT:RHSA-1999:054-01 | SUN:00194 | URL:http://sunsolve.sun.com/pub-cgi/retrieve.pl?doctype=coll&doc=secbull/194 | CERT:CA-99-14 | XF:bind-solinger-dos | BID:788 | URL:http://www.securityfocus.com/bid/788",,, CVE-1999-0838,Entry,"Buffer overflow in Serv-U FTP 2.5 allows remote users to conduct a denial of service via the SITE command.","BUGTRAQ:19991202 Remote DoS Attack in Serv-U FTP-Server v2.5a Vulnerability | BID:859 | URL:http://www.securityfocus.com/bid/859 | XF:servu-ftp-site-bo",,, CVE-1999-0839,Entry,"Windows NT Task Scheduler installed with Internet Explorer 5 
allows a user to gain privileges by modifying the job after it has been scheduled.","NTBUGTRAQ:19991130 Windows NT Task Scheduler vulnerability allows user to administrator elevation | MS:MS99-051 | URL:http://www.microsoft.com/technet/security/bulletin/ms99-051.mspx | MSKB:Q246972 | URL:http://support.microsoft.com/default.aspx?scid=kb;[LN];Q246972 | XF:ie-task-scheduler-privs | BID:828 | URL:http://www.securityfocus.com/bid/828",,, CVE-1999-0840,Candidate,"Buffer overflow in CDE dtmail and dtmailpr programs allows local users to gain privileges via a long -f option.","BUGTRAQ:19991129 Solaris7 dtmail/dtmailpr/mailtool Buffer Overflow | URL:http://www.security-express.com/archives/bugtraq/1999-q4/0122.html | MISC:http://www.securiteam.com/exploits/3J5QQPPQ0O.html | BID:832 | URL:http://www.securityfocus.com/bid/832 | MISC:http://www.securiteam.com/exploits/3J5QQPPQ0O.html | XF:solaris-dtmail-overflow(3579) | URL:http://xforce.iss.net/xforce/xfdb/3579 | XF:solaris-dtmailpr-overflow(3580) | URL:http://xforce.iss.net/xforce/xfdb/3580",Modified (20071022)," ACCEPT(4) Baker, Armstrong, Dik, Stracener | MODIFY(1) Frech | NOOP(1) Cole | REVIEWING(1) Prosser"," Cole> I went to 1129 and it looks like a reference for a different | vulnerability. | Frech> In the description, should dtmailptr be dtmailpr? 
| XF:solaris-dtmailpr-overflow | XF:solaris-dtmail-overflow | Dik> sun bug: 4166321" CVE-1999-0841,Candidate,"Buffer overflow in CDE mailtool allows local users to gain root privileges via a long MIME Content-Type.","BUGTRAQ:19991129 Solaris7 dtmail/dtmailpr/mailtool Buffer Overflow | URL:http://www.security-express.com/archives/bugtraq/1999-q4/0122.html | MISC:http://www.securiteam.com/exploits/3J5QQPPQ0O.html | BID:832 | URL:http://www.securityfocus.com/bid/832 | MISC:http://www.securiteam.com/exploits/3J5QQPPQ0O.html | XF:cde-mailtool-bo(3732) | URL:http://xforce.iss.net/xforce/xfdb/3732",Modified (20071022)," ACCEPT(5) Baker, Cole, Armstrong, Dik, Stracener | MODIFY(1) Frech | REVIEWING(1) Prosser"," Frech> XF:cde-mailtool-bo | Dik> bug 4163471 | (Root access is only possible when mail is sent to root and he | uses dtmail to read it)" CVE-1999-0842,Entry,"Symantec Mail-Gear 1.0 web interface server allows remote users to read arbitrary files via a .. (dot dot) attack.","NTBUGTRAQ:19991129 Symantec Mail-Gear 1.0 Web interface Server Directory Traversal Vulnerability | BUGTRAQ:19991129 Symantec Mail-Gear 1.0 Web interface Server Directory Traversal Vulnerability | URL:http://www.securityfocus.com/templates/archive.pike?list=1&msg=NCBBKFKDOLAGKIAPMILPCEAFCBAA.labs@ussrback.com | BID:827 | URL:http://www.securityfocus.com/bid/827 | XF:symantec-mail-dir-traversal | OSVDB:1144 | URL:http://www.osvdb.org/1144",,, CVE-1999-0843,Candidate,"Denial of service in Cisco routers running NAT via a PORT command from an FTP client to a Telnet port.","BUGTRAQ:19991104 Cisco NAT DoS (VD#1) | BUGTRAQ:19991128 Re: Cisco NAT DoS (VD#1)",Proposed (19991208)," ACCEPT(3) Cole, Stracener, Balinsky | MODIFY(1) Frech | NOOP(2) Baker, Armstrong | REVIEWING(3) Prosser, Ziese, Christey"," Frech> XF:cisco-nat-dos | Christey> Mike Prosser's REVIEWING vote expires July 17, 2000 | Ziese> After reviewing | http://www.cisco.com/warp/public/707/iostelnetopt-pub.shtml | I can not confirm this exists 
unless it's restructured to | describe a problem against IOS per se; not NAT per se. I am | reviewing this and it may take some time. | CHANGE> [Christey changed vote from NOOP to REVIEWING] | Christey> Not sure if Kevin's suggested reference really describes this | one. However, a followup email by Jim Duncan of Cisco does | acknowledge the problem as discussed in the Bugtraq post: | http://marc.theaimsgroup.com/?l=vuln-dev&m=94385601831585&w=2 | The original post is: | http://marc.theaimsgroup.com/?l=bugtraq&m=94184947504814&w=2 | | It could be that the researcher believed that the problem was | NAT, but in fact it wasn't. | | I need to follow up with Ziese/Balinsky on this one." CVE-1999-0844,Candidate,"Denial of service in MDaemon WorldClient and WebConfig services via a long URL.","NTBUGTRAQ:19991124 Remote DoS Attack in WorldClient Server v2.0.0.0 Vulnerability | BUGTRAQ:19991130 Fwd: RE: Multiples Remotes DoS Attacks in MDaemon Server v2.8.5.0 Vulnerability | BID:823 | URL:http://www.securityfocus.com/bid/823 | BID:820 | URL:http://www.securityfocus.com/bid/820",Proposed (19991208)," ACCEPT(2) Baker, Stracener | MODIFY(2) Cole, Frech | NOOP(1) Armstrong | RECAST(1) Christey | REVIEWING(1) Prosser"," Cole> 823 and 820 are two different vulnerabilities and should be | separated out. They are both buffer overflows but accomplish it in a | different fashion and the end exploit is different. | Frech> (RECAST?) | XF:mdaemon-worldclient-dos | XF:mdaemon-webconfig-dos | Recast request: This is really two services exhibiting the same problem. | Christey> as suggested by others. 
| | Also see confirmation at: | http://mdaemon.deerfield.com/helpdesk/hotfix.cfm" CVE-1999-0845,Candidate,"Buffer overflow in SCO su program allows local users to gain root access via a long username.","BUGTRAQ:19991126 [w00giving '99 #5 and w00news]: UnixWare 7's su | SCO:99.19 | BUGTRAQ:19991128 SCO su patches",Proposed (19991208)," ACCEPT(4) Prosser, Cole, Armstrong, Stracener | MODIFY(1) Frech | RECAST(1) Baker | REVIEWING(1) Christey"," Christey> DUPE CVE-1999-0317? | Frech> XF:sco-su-username-bo | Christey> ADDREF BID:826 | CONFIRM:ftp://ftp.sco.com/SSE/sse039.tar.Z" CVE-1999-0846,Candidate,"Denial of service in MDaemon 2.7 via a large number of connection attempts.","BUGTRAQ:19991129 MDaemon 2.7 J DoS | BUGTRAQ:19991130 Fwd: RE: Multiples Remotes DoS Attacks in MDaemon Server v2.8.5.0 Vulnerability",Proposed (19991208)," ACCEPT(5) Prosser, Baker, Cole, Armstrong, Stracener | MODIFY(1) Frech | REVIEWING(1) Christey"," Frech> XF:mdaemon-dos | Christey> CVE-1999-0844 is confirmed by MDaemon at | http://mdaemon.deerfield.com/helpdesk/hotfix.cfm but there | is no apparent confirmation for this problem, even | though it was posted the same day. | Prosser> Looks like from a follow-on message on Bugtraq from Nobuo | <http://www.securityfocus.com/templates/archive.pike?list=1&date=1999-11-28&msg=199912011604.HJI39569.BX-NOJ@lac.co.jp> Deerfield sent a reply about the | DoS problems in MDaemon 2.8.5, that also talks about fixing the 2.7 J DoS | that Nobuo initially reported. Can't find the original message, so may have | been limited distro. Looks like an upgrade to the latest release might be | the final solution here." 
CVE-1999-0847,Entry,"Buffer overflow in free internet chess server (FICS) program, xboard.","BUGTRAQ:19991129 FICS buffer overflow | XF:fics-board-bo",,, CVE-1999-0848,Entry,"Denial of service in BIND named via consuming more than ""fdmax"" file descriptors.","SUSE:19991111 Security hole in bind8 < 8.2.2p2 and bind4 < 4.9.7-REL | DEBIAN:19991116 Denial of service vulnerabilities in bind | CALDERA:CSSA-1999-034.1 | URL:ftp://ftp.caldera.com/pub/security/OpenLinux/CSSA-1999-034.1.txt | REDHAT:RHSA-1999:054-01 | SUN:00194 | URL:http://sunsolve.sun.com/pub-cgi/retrieve.pl?doctype=coll&doc=secbull/194 | CERT:CA-99-14 | BID:788 | URL:http://www.securityfocus.com/bid/788 | XF:bind-fdmax-dos",,, CVE-1999-0849,Entry,"Denial of service in BIND named via maxdname.","SUSE:19991111 Security hole in bind8 < 8.2.2p2 and bind4 < 4.9.7-REL | DEBIAN:19991116 Denial of service vulnerabilities in bind | CALDERA:CSSA-1999-034.1 | URL:ftp://ftp.caldera.com/pub/security/OpenLinux/CSSA-1999-034.1.txt | REDHAT:RHSA-1999:054-01 | SUN:00194 | URL:http://sunsolve.sun.com/pub-cgi/retrieve.pl?doctype=coll&doc=secbull/194 | CERT:CA-99-14 | BID:788 | URL:http://www.securityfocus.com/bid/788 | XF:bind-maxdname-bo",,, CVE-1999-0850,Candidate,"The default permissions for Endymion MailMan allow local users to read email or modify files.","BID:845 | URL:http://www.securityfocus.com/bid/845 | BUGTRAQ:19991202 Insecure default permissions for MailMan Professional Edition, version 3.0.18",Proposed (19991208)," ACCEPT(2) Cole, Stracener | MODIFY(1) Frech | NOOP(2) Baker, Armstrong | REVIEWING(1) Prosser"," Frech> XF:endymion-mailman-perms" CVE-1999-0851,Entry,"Denial of service in BIND named via naptr.","SUSE:19991111 Security hole in bind8 < 8.2.2p2 and bind4 < 4.9.7-REL | DEBIAN:19991116 Denial of service vulnerabilities in bind | CALDERA:CSSA-1999-034.1 | URL:ftp://ftp.caldera.com/pub/security/OpenLinux/CSSA-1999-034.1.txt | REDHAT:RHSA-1999:054-01 | SUN:00194 | 
URL:http://sunsolve.sun.com/pub-cgi/retrieve.pl?doctype=coll&doc=secbull/194 | CERT:CA-99-14 | BID:788 | URL:http://www.securityfocus.com/bid/788 | XF:bind-naptr-dos",,, CVE-1999-0852,Candidate,"IBM WebSphere sets permissions that allow a local user to modify a deinstallation script or its data files stored in /usr/bin.","BID:844 | URL:http://www.securityfocus.com/bid/844 | BUGTRAQ:19991202 WebSphere protections from installation",Proposed (19991208)," ACCEPT(3) Cole, Armstrong, Stracener | MODIFY(1) Frech | NOOP(1) Baker | REVIEWING(1) Prosser"," Frech> XF:websphere-protect" CVE-1999-0853,Entry,"Buffer overflow in Netscape Enterprise Server and Netscape FastTrack Server allows remote attackers to gain privileges via the HTTP Basic Authentication procedure.","BID:847 | URL:http://www.securityfocus.com/bid/847 | ISS:19991201 Buffer Overflow in Netscape Enterprise and FastTrack Authentication Procedure | XF:netscape-fasttrack-auth-bo",,, CVE-1999-0854,Entry,"Ultimate Bulletin Board stores data files in the cgi-bin directory, allowing remote attackers to view the data if an error occurs when the HTTP server attempts to execute the file.","BUGTRAQ:19991130 Ultimate Bulletin Board v5.3x? Bug | BUGTRAQ:20000225 FW: Important UBB News For Licensed Users | URL:http://www.securityfocus.com/templates/archive.pike?list=1&date=2000-02-22&msg=NDBBLKOPOLNKELHPDEFKIEPGCAAA.renzo.toma@veronica.nl | CONFIRM:http://www.ultimatebb.com/home/versions.shtml | XF:http-ultimate-bbs",,, CVE-1999-0855,Candidate,"Buffer overflow in FreeBSD gdc program.","BID:834 | URL:http://www.securityfocus.com/bid/834 | BUGTRAQ:19991130 FreeBSD 3.3 gated-3.1.5 local exploit",Proposed (19991208)," ACCEPT(3) Prosser, Armstrong, Stracener | MODIFY(2) Cole, Frech | NOOP(2) Baker, Christey"," Cole> The BID is 834 and the reference is 19991201 not 1130. | Frech> XF:freebsd-gdc-bo | Christey> ADDREF BID:780 ?" 
CVE-1999-0856,Entry,"login in Slackware 7.0 allows remote attackers to identify valid users on the system by reporting an encryption error when an account is locked or does not exist.","BUGTRAQ:19991202 Slackware 7.0 - login bug | XF:slackware-remote-login",,, CVE-1999-0857,Candidate,"FreeBSD gdc program allows local users to modify files via a symlink attack.","BUGTRAQ:19991130 FreeBSD 3.3 gated-3.1.5 local exploit | BID:835 | URL:http://www.securityfocus.com/bid/835",Proposed (19991208)," ACCEPT(3) Prosser, Armstrong, Stracener | MODIFY(2) Cole, Frech | NOOP(1) Baker"," Cole> This is via debug output. | Frech> XF:freebsd-gdc" CVE-1999-0858,Entry,"Internet Explorer 5 allows a remote attacker to modify the IE client's proxy configuration via a malicious Web Proxy Auto-Discovery (WPAD) server.","MS:MS99-054 | URL:http://www.microsoft.com/technet/security/bulletin/ms99-054.mspx | MSKB:Q247333 | URL:http://support.microsoft.com/default.aspx?scid=kb;[LN];Q247333 | BID:846 | URL:http://www.securityfocus.com/bid/846 | XF:ie-wpad-proxy-settings",,, CVE-1999-0859,Entry,"Solaris arp allows local users to read files via the -f parameter, which lists lines in the file that do not parse properly.","BUGTRAQ:19991130 Solaris 2.x chkperm/arp vulnerabilities | SUNBUG:4296166 | BID:837 | URL:http://www.securityfocus.com/bid/837 | XF:sol-arp-parse | OSVDB:6994 | URL:http://www.osvdb.org/6994",,, CVE-1999-0860,Candidate,"Solaris chkperm allows local users to read files owned by bin via the VMSYS environmental variable and a symlink attack.","BUGTRAQ:19991130 Solaris 2.x chkperm/arp vulnerabilities | BID:837 | URL:http://www.securityfocus.com/bid/837",Proposed (19991208)," ACCEPT(2) Armstrong, Stracener | MODIFY(2) Frech, Dik | NOOP(2) Baker, Christey | REJECT(1) Cole | REVIEWING(1) Prosser"," Cole> This is the same as the previous. 
| Frech> XF:sol-chkperm-vmsys | Dik> include reference to Sun bug 4296167 | Christey> Remove BID:837, which is for arp, not chkperm" CVE-1999-0861,Entry,"Race condition in the SSL ISAPI filter in IIS and other servers may leak information in plaintext.","MS:MS99-053 | URL:http://www.microsoft.com/technet/security/bulletin/ms99-053.mspx | MSKB:Q244613 | URL:http://support.microsoft.com/default.aspx?scid=kb;[LN];Q244613 | XF:iis-ssl-isapi-filter",,, CVE-1999-0862,Candidate,"Insecure directory permissions in RPM distribution for PostgreSQL allows local users to gain privileges by reading a plaintext password file.","BUGTRAQ:19991202 PostgreSQL RPM's permission problems",Proposed (19991208)," ACCEPT(3) Cole, Armstrong, Stracener | MODIFY(1) Frech | NOOP(1) Baker | REVIEWING(1) Prosser"," Frech> XF:postgresql-insecure-perms" CVE-1999-0863,Candidate,"Buffer overflow in FreeBSD seyon via HOME environmental variable, -emulator argument, -modems argument, or the GUI.","BUGTRAQ:19970617 Seyon vulnerability - IRIX | BUGTRAQ:19991108 FreeBSD 3.3's seyon vulnerability | BUGTRAQ:19991130 Several FreeBSD-3.3 vulnerabilities",Proposed (19991208)," ACCEPT(4) Prosser, Cole, Armstrong, Stracener | MODIFY(1) Frech | NOOP(1) Baker | REVIEWING(1) Christey"," Frech> XF:freebsd-seyon-bo | Christey> ADDREF? CALDERA:CSSA-1999-037.0 | Christey> May be multiple bugs here, or a single library problem. | CD:SF-LOC needs to be resolved before determining if this | candidate should be SPLIT. Also see CVE-1999-0821." 
CVE-1999-0864,Entry,"UnixWare programs that dump core allow a local user to modify files via a symlink attack on the ./core.pid file.","BUGTRAQ:19991202 UnixWare coredumps follow symlinks | URL:http://www.securityfocus.com/templates/archive.pike?list=1&msg=19991203020720.13115.qmail@nwcst289.netaddress.usa.net | BUGTRAQ:19991215 Recent postings about SCO UnixWare 7 | URL:http://marc.theaimsgroup.com/?l=bugtraq&m=94530783815434&w=2 | BUGTRAQ:19991223 FYI, SCO Security patches available. | URL:http://marc.theaimsgroup.com/?l=bugtraq&m=94606167110764&w=2 | BUGTRAQ:19991220 SCO OpenServer Security Status | URL:http://marc.theaimsgroup.com/?l=bugtraq&m=94581379905584&w=2 | XF:sco-coredump-symlink | BID:851 | URL:http://www.securityfocus.com/bid/851",,, CVE-1999-0865,Entry,"Buffer overflow in CommuniGatePro via a long string to the HTTP configuration port.","BUGTRAQ:19991203 CommuniGatePro 3.1 for NT DoS | URL:http://marc.theaimsgroup.com/?l=bugtraq&m=94426440413027&w=2 | NTBUGTRAQ:19991203 CommuniGatePro 3.1 for NT Buffer Overflow | URL:http://marc.theaimsgroup.com/?l=ntbugtraq&m=94454565726775&w=2 | BID:860 | URL:http://www.securityfocus.com/bid/860 | XF:communigate-pro-bo",,, CVE-1999-0866,Entry,"Buffer overflow in UnixWare xauto program allows local users to gain root privilege.","BUGTRAQ:19991203 UnixWare gain root with non-su/gid binaries | BUGTRAQ:19991215 Recent postings about SCO UnixWare 7 | URL:http://marc.theaimsgroup.com/?l=bugtraq&m=94530783815434&w=2 | BUGTRAQ:19991223 FYI, SCO Security patches available. 
| URL:http://marc.theaimsgroup.com/?l=bugtraq&m=94606167110764&w=2 | BUGTRAQ:19991220 SCO OpenServer Security Status | URL:http://marc.theaimsgroup.com/?l=bugtraq&m=94581379905584&w=2 | SCO:SB-99.24a | URL:ftp://ftp.sco.com/SSE/security_bulletins/SB-99.24a | XF:sco-xauto-bo | BID:848 | URL:http://www.securityfocus.com/bid/848",,, CVE-1999-0867,Entry,"Denial of service in IIS 4.0 via a flood of HTTP requests with malformed headers.","MS:MS99-029 | URL:http://www.microsoft.com/technet/security/bulletin/ms99-029.mspx | MSKB:Q238349 | URL:http://support.microsoft.com/default.aspx?scid=kb;[LN];Q238349 | CIAC:J-058 | URL:http://www.ciac.org/ciac/bulletins/j-058.shtml | XF:http-iis-malformed-header | BID:579 | URL:http://www.securityfocus.com/bid/579",,, CVE-1999-0868,Entry,"ucbmail allows remote attackers to execute commands via shell metacharacters that are passed to it from INN.","CERT:CA-97.08 | XF:inn-ucbmail-shell-meta",,, CVE-1999-0869,Entry,"Internet Explorer 3.x to 4.01 allows a remote attacker to insert malicious content into a frame of another web site, aka frame spoofing.","MS:MS98-020 | URL:http://www.microsoft.com/technet/security/bulletin/ms98-020.mspx | MSKB:167614 | XF:http-frame-spoof",,, CVE-1999-0870,Entry,"Internet Explorer 4.01 allows remote attackers to read arbitrary files by pasting a file name into the file upload control, aka untrusted scripted paste.","MS:MS98-015 | URL:http://www.microsoft.com/technet/security/bulletin/ms98-015.mspx | MSKB:169245 | XF:ie-usp-cuartango",,, CVE-1999-0871,Entry,"Internet Explorer 4.0 and 4.01 allow a remote attacker to read files via IE's cross frame security, aka the ""Cross Frame Navigate"" vulnerability.","MS:MS98-013 | URL:http://www.microsoft.com/technet/security/bulletin/ms98-013.mspx | OSVDB:7837 | URL:http://www.osvdb.org/7837 | XF:ie-crossframe-file-read(3668) | URL:http://xforce.iss.net/xforce/xfdb/3668",,, CVE-1999-0872,Candidate,"Buffer overflow in Vixie cron allows local users to gain root access via 
a long MAILTO environment variable in a crontab file.","BID:759 | URL:http://www.securityfocus.com/bid/759 | BID:611 | URL:http://www.securityfocus.com/bid/611 | REDHAT:RHSA-1999:030-02",Proposed (19991214)," MODIFY(2) Cole, Frech | NOOP(1) Baker | REJECT(3) Stracener, Christey, Blake"," Cole> 611 is the mail to listed above but 759 is for the mail from and | should be listed as a separate vulnerability. | Blake> This does not appear materially different from CVE-1999-0768 | Christey> This is an apparent duplicate of CVE-1999-0768. | REDHAT:RHSA-1999:030-02 describes two issues, one of which is | CVE-1999-0768, and the other is CVE-1999-0769. | Stracener> This is a duplicate of candidate CVE-1999-0768. | Frech> XF:cron-sendmail-bo-root | Christey> BID:759 is improperly assigned to this candidate and doesn't | even describe it. It may have been inadvertently copied | from CVE-1999-0873." CVE-1999-0873,Entry,"Buffer overflow in Skyfull mail server via MAIL FROM command.","BID:759 | URL:http://www.securityfocus.com/bid/759 | XF:skyfull-mail-from-bo",,, CVE-1999-0874,Entry,"Buffer overflow in IIS 4.0 allows remote attackers to cause a denial of service via a malformed request for files with .HTR, .IDC, or .STM extensions.","MS:MS99-019 | URL:http://www.microsoft.com/technet/security/bulletin/ms99-019.asp | MSKB:Q234905 | URL:http://support.microsoft.com/default.aspx?scid=kb;[LN];Q234905 | EEYE:AD06081999 | URL:http://www.eeye.com/html/Research/Advisories/AD06081999.html | CERT:CA-99-07 | CIAC:J-048 | URL:http://www.ciac.org/ciac/bulletins/j-048.shtml | XF:iis-htr-overflow | OVAL:oval:org.mitre.oval:def:915 | URL:http://oval.mitre.org/repository/data/getDef?id=oval:org.mitre.oval:def:915",,, CVE-1999-0875,Entry,"DHCP clients with ICMP Router Discovery Protocol (IRDP) enabled allow remote attackers to modify their default routes.","L0PHT:19990811 | MSKB:Q216141 | URL:http://support.microsoft.com/default.aspx?scid=kb;[LN];Q216141 | BID:578 | 
URL:http://www.securityfocus.com/bid/578 | XF:irdp-gateway-spoof",,, CVE-1999-0876,Entry,"Buffer overflow in Internet Explorer 4.0 via EMBED tag.","MSKB:Q185959 | URL:http://support.microsoft.com/default.aspx?scid=kb;[LN];Q185959 | MSKB:Q176697 | URL:http://support.microsoft.com/support/kb/articles/q176/6/97.asp",,, CVE-1999-0877,Entry,"Internet Explorer 5 allows remote attackers to read files via an ExecCommand method called on an IFRAME.","MSKB:Q243638 | URL:http://support.microsoft.com/default.aspx?scid=kb;[LN];Q243638 | MS:MS99-042 | URL:http://www.microsoft.com/technet/security/bulletin/ms99-042.mspx | XF:ie-iframe-exec",,, CVE-1999-0878,Entry,"Buffer overflow in WU-FTPD and related FTP servers allows remote attackers to gain root privileges via MAPPING_CHDIR.","COMPAQ:SSRT0622 | REDHAT:RHSA1999031_01 | AUSCERT:AA-1999.01 | CERT:CA-99-13 | BID:599 | URL:http://www.securityfocus.com/bid/599 | XF:wu-ftpd-dir-name",,, CVE-1999-0879,Entry,"Buffer overflow in WU-FTPD and related FTP servers allows remote attackers to gain root privileges via macro variables in a message file.","CERT:CA-99-13 | XF:wuftp-message-file-root",,, CVE-1999-0880,Entry,"Denial of service in WU-FTPD via the SITE NEWER command, which does not free memory properly.","CERT:CA-99-13 | XF:wuftp-site-newer-dos",,, CVE-1999-0881,Entry,"Falcon web server allows remote attackers to read arbitrary files via a .. 
(dot dot) attack.","BUGTRAQ:19991025 Falcon Web Server | BINDVIEW:Falcon Web Server | BID:743 | URL:http://www.securityfocus.com/bid/743 | XF:falcon-path-parsing | OSVDB:1127 | URL:http://www.osvdb.org/1127",,, CVE-1999-0882,Candidate,"Falcon web server allows remote attackers to determine the absolute path of the web root via long file names.","BUGTRAQ:19991025 Falcon Web Server | BINDVIEW:Falcon Web Server",Proposed (19991214)," ACCEPT(3) Baker, Stracener, Blake | MODIFY(1) Frech | NOOP(2) Cole, Armstrong"," Frech> XF:falcon-server-long-filename" CVE-1999-0883,Entry,"Zeus web server allows remote attackers to read arbitrary files by specifying the file name in an option to the search engine.","BUGTRAQ:19991024 RFP9905: Zeus webserver remote root compromise | BID:742 | URL:http://www.securityfocus.com/bid/742 | OSVDB:1126 | URL:http://www.osvdb.org/1126 | XF:zeus-remote-root(3380) | URL:http://xforce.iss.net/xforce/xfdb/3380",,, CVE-1999-0884,Entry,"The Zeus web server administrative interface uses weak encryption for its passwords.","BUGTRAQ:19991024 RFP9905: Zeus webserver remote root compromise | BID:742 | URL:http://www.securityfocus.com/bid/742 | OSVDB:8186 | URL:http://www.osvdb.org/8186 | XF:zeus-weak-password(3833) | URL:http://xforce.iss.net/xforce/xfdb/3833",,, CVE-1999-0885,Candidate,"Alibaba web server allows remote attackers to execute commands via a pipe character in a malformed URL.","BUGTRAQ:19991103 More Alibaba Web Server problems... | URL:http://www.securityfocus.com/templates/archive.pike?list=1&date=1999-11-01&msg=01BF261F.928821E0.kerb@fnusa.com | BID:770 | URL:http://www.securityfocus.com/bid/770 | XF:alibaba-url-file-manipulation",Modified (20000313-01)," ACCEPT(2) Baker, Stracener | MODIFY(1) Frech | NOOP(5) LeBlanc, Cole, Armstrong, Christey, Blake"," Christey> This candidate is unconfirmed by the vendor. | Blake> Same as CVE-1999-0776. 
| Frech> XF:alibaba-url-file-manipulation | Christey> CD:SF-LOC and CD:SF-EXEC may say to merge this candidate with | the problems described in: | BUGTRAQ:20000718 Multiple bugs in Alibaba 2.0 | URL:http://archives.neohapsis.com/archives/bugtraq/2000-07/0237.html | | If so, then ADDREF BID:1485 as well. | Christey> Include the names of the affected CGI's, including tst.bat, | get32.exe, alibaba.pl, etc." CVE-1999-0886,Entry,"The security descriptor for RASMAN allows users to point to an alternate location via the Windows NT Service Control Manager.","MSKB:Q242294 | URL:http://support.microsoft.com/default.aspx?scid=kb;[LN];Q242294 | MS:MS99-041 | URL:http://www.microsoft.com/technet/security/bulletin/ms99-041.mspx | BID:645 | URL:http://www.securityfocus.com/bid/645 | XF:nt-rasman-pathname",,, CVE-1999-0887,Entry,"FTGate web interface server allows remote attackers to read files via a .. (dot dot) attack.","BUGTRAQ:19991104 FTGate Version 2.1 Web interface Server Directory Traversal Vulnerability | EEYE:AD05261999 | URL:http://www.eeye.com/html/Research/Advisories/AD05261999.html | OSVDB:1137 | URL:http://www.osvdb.org/1137",,, CVE-1999-0888,Entry,"dbsnmp in Oracle Intelligent Agent allows local users to gain privileges by setting the ORACLE_HOME environmental variable, which dbsnmp uses to find the nmiconf.tcl script.","BUGTRAQ:19990817 Security Bug in Oracle | XF:oracle-dbsnmp | BID:585 | URL:http://www.securityfocus.com/bid/585",,, CVE-1999-0889,Entry,"Cisco 675 routers running CBOS allow remote attackers to establish telnet sessions if an exec or superuser password has not been set.","BUGTRAQ:19990810 Cisco 675 password nonsense | XF:cisco-cbos-telnet | OSVDB:39 | URL:http://www.osvdb.org/39",,, CVE-1999-0890,Entry,"iHTML Merchant allows remote attackers to obtain sensitive information or execute commands via a code parsing error.","BUGTRAQ:19990928 Team Asylum: iHTML Merchant Vulnerabilities | CONFIRM:http://www.ihtmlmerchant.com/support_patches_feedback.htm | 
BID:694 | URL:http://www.securityfocus.com/bid/694 | XF:ihtml-merchant-file-access",,, CVE-1999-0891,Entry,"The ""download behavior"" in Internet Explorer 5 allows remote attackers to read arbitrary files via a server-side redirect.","MS:MS99-040 | URL:http://www.microsoft.com/technet/security/bulletin/ms99-040.mspx | MSKB:Q242542 | URL:http://support.microsoft.com/default.aspx?scid=kb;[LN];Q242542 | CERT-VN:VU#37828 | URL:http://www.kb.cert.org/vuls/id/37828 | CIAC:K-002 | URL:http://www.ciac.org/ciac/bulletins/k-002.shtml | BID:674 | URL:http://www.securityfocus.com/bid/674 | OSVDB:11274 | URL:http://www.osvdb.org/11274 | XF:ie-download-behavior",,, CVE-1999-0892,Entry,"Buffer overflow in Netscape Communicator before 4.7 via a dynamic font whose length field is less than the size of the font.","BUGTRAQ:19991018 Netscape 4.x buffer overflow",,, CVE-1999-0893,Entry,"userOsa in SCO OpenServer allows local users to corrupt files via a symlink attack.","BUGTRAQ:19991011 SCO OpenServer 5.0.5 overwrite /etc/shadow | XF:sco-openserver-userosa-script",,, CVE-1999-0894,Entry,"Red Hat Linux screen program does not use Unix98 ptys, allowing local users to write to other terminals.","REDHAT:RHSA1999042-01",,, CVE-1999-0895,Entry,"Firewall-1 does not properly restrict access to LDAP attributes.","BUGTRAQ:19991020 Checkpoint FireWall-1 V4.0: possible bug in LDAP authentication | URL:http://www.securityfocus.com/templates/archive.pike?list=1&msg=19991020150002.21047.qmail@tarjan.mediaways.net | BID:725 | URL:http://www.securityfocus.com/bid/725 | XF:checkpoint-ldap-auth | OSVDB:1117 | URL:http://www.osvdb.org/1117",,, CVE-1999-0896,Entry,"Buffer overflow in RealNetworks RealServer administration utility allows remote attackers to execute arbitrary commands via a long username and password.","BUGTRAQ:19991109 RealNetworks RealServer G2 buffer overflow. 
| MISC:http://service.real.com/help/faq/servg260.html | XF:realserver-g2-pw-bo | BID:767 | URL:http://www.securityfocus.com/bid/767",,, CVE-1999-0897,Entry,"iChat ROOMS Webserver allows remote attackers to read arbitrary files via a .. (dot dot) attack.","BUGTRAQ:19980908 bug in iChat 3.0 (maybe others) | URL:http://marc.theaimsgroup.com/?l=bugtraq&m=90538488231977&w=2 | XF:ichat-file-read-vuln",,, CVE-1999-0898,Entry,"Buffer overflows in Windows NT 4.0 print spooler allow remote attackers to gain privileges or cause a denial of service via a malformed spooler request.","MS:MS99-047 | URL:http://www.microsoft.com/technet/security/bulletin/ms99-047.mspx | MSKB:Q243649 | URL:http://support.microsoft.com/default.aspx?scid=kb;[LN];Q243649 | XF:nt-printer-spooler-bo | BID:768 | URL:http://www.securityfocus.com/bid/768",,, CVE-1999-0899,Entry,"The Windows NT 4.0 print spooler allows a local user to execute arbitrary commands due to inappropriate permissions that allow the user to specify an alternate print provider.","MS:MS99-047 | URL:http://www.microsoft.com/technet/security/bulletin/ms99-047.mspx | MSKB:Q243649 | URL:http://support.microsoft.com/default.aspx?scid=kb;[LN];Q243649 | BID:769 | URL:http://www.securityfocus.com/bid/769 | XF:nt-printer-spooler-bo",,, CVE-1999-0900,Entry,"Buffer overflow in rpc.yppasswdd allows a local user to gain privileges via MD5 hash generation.","REDHAT:RHSA1999046-01 | SUSE:19991023 Security hole in ypserv < 1.3.9 | DEBIAN:19991027 nis",,, CVE-1999-0901,Entry,"ypserv allows a local user to modify the GECOS and login shells of other users.","REDHAT:RHSA1999046-01 | SUSE:19991023 Security hole in ypserv < 1.3.9 | DEBIAN:19991027 nis",,, CVE-1999-0902,Entry,"ypserv allows local administrators to modify password tables.","REDHAT:RHSA1999046-01 | SUSE:19991023 Security hole in ypserv < 1.3.9 | DEBIAN:19991027 nis",,, CVE-1999-0903,Entry,"genfilt in the AIX Packet Filtering Module does not properly filter traffic to destination ports 
greater than 32767.","BUGTRAQ:19991025 IBM AIX Packet Filter module | BUGTRAQ:19991027 Re: IBM AIX Packet Filter module (followup) | XF:aix-genfilt-filtering",,, CVE-1999-0904,Entry,"Buffer overflow in BFTelnet allows remote attackers to cause a denial of service via a long username.","BUGTRAQ:19991103 Remote DoS Attack in BFTelnet Server v1.1 for Windows NT | XF:bftelnet-username-dos | BID:771 | URL:http://www.securityfocus.com/bid/771",,, CVE-1999-0905,Entry,"Denial of service in Axent Raptor firewall via malformed zero-length IP options.","BUGTRAQ:19991020 Remote DoS in Axent's Raptor 6.0 | BID:736 | URL:http://www.securityfocus.com/bid/736 | XF:raptor-ipoptions-dos | OSVDB:1121 | URL:http://www.osvdb.org/1121",,, CVE-1999-0906,Entry,"Buffer overflow in sccw allows local users to gain root access via the HOME environmental variable.","BUGTRAQ:19990923 SuSE 6.2 sccw overflow exploit | SUSE:19990926 Security hole in sccw (Part II) | BID:656 | URL:http://www.securityfocus.com/bid/656 | XF:linux-sccw-bo",,, CVE-1999-0907,Entry,"sccw allows local users to read arbitrary files.","BUGTRAQ:19990916 SuSE 6.2 /usr/bin/sccw read any file | SUSE:19990921 Security Hole in sccw-1.1 and earlier",,, CVE-1999-0908,Entry,"Denial of service in Solaris TCP streams driver via a malicious connection that causes the server to panic as a result of recursive calls to mutex_enter.","BUGTRAQ:19990921 solaris DoS | BID:655 | URL:http://www.securityfocus.com/bid/655 | XF:sun-tcp-mutex-enter-dos",,, CVE-1999-0909,Entry,"Multihomed Windows systems allow a remote attacker to bypass IP source routing restrictions via a malformed packet with IP options, aka the ""Spoofed Route Pointer"" vulnerability.","NAI:Windows IP Source Routing Vulnerability | MS:MS99-038 | URL:http://www.microsoft.com/technet/security/bulletin/ms99-038.mspx | MSKB:Q238453 | URL:http://support.microsoft.com/default.aspx?scid=kb;[LN];Q238453 | BID:646 | URL:http://www.securityfocus.com/bid/646 | XF:nt-ip-source-route",,, 
CVE-1999-0910,Candidate,"Microsoft Site Server and Commercial Internet System (MCIS) do not set an expiration for a cookie, which could then be cached by a proxy and inadvertently used by a different user.","MS:MS99-035 | URL:http://www.microsoft.com/technet/security/bulletin/ms99-035.asp | BID:625 | URL:http://www.securityfocus.com/bid/625",Proposed (19991208)," ACCEPT(4) Prosser, Wall, Baker, Ozancin | MODIFY(2) Frech, Stracener | REJECT(1) Cole"," Frech> XF:siteserver-cis-cookie-cache | Cole> Whether cookies are a vulnerability is a debate for another time, the | question here is whether the | expiration feature is a vulnerability and I do not think it is | because the underlying concerns for this | are present even without this feature. The expiration feature does | not add any new vulnerabilities | that are not already present with cookies. | Stracener> Add Ref: MSKB Q238647" CVE-1999-0911,Candidate,"Buffer overflow in ProFTPD, wu-ftpd, and beroftpd allows remote attackers to gain root access via a series of MKD and CWD commands that create nested directories.","BUGTRAQ:19990827 ProFTPD | BUGTRAQ:19990907 ProFTP-1.2.0pre4 buffer overflow -- once more | DEBIAN:19990210 | URL:http://www.debian.org/security/1999/19990210 | FREEBSD:FreeBSD-SA-99:03 | BID:612 | URL:http://www.securityfocus.com/bid/612",Modified (20050309)," ACCEPT(5) Blake, Prosser, Baker, Cole, Stracener | MODIFY(1) Frech | REVIEWING(1) Christey"," Frech> XF:proftpd-long-dir-bo(3399) | Christey> Not absolutely sure if this isn't the same as Palmetto | (CVE-1999-0368), which describes a similar type of overflow. | | NETBSD:NetBSD-SA1999-003 may refer to CVE-1999-0368: | ADDREF URL:ftp://ftp.NetBSD.ORG/pub/NetBSD/misc/security/advisories/NetBSD-SA1999-003.txt.asc | Christey> ADDREF CIAC:J-068 | Include version numbers; too many wu-ftp/etc. 
problems | were published in summer/fall 1999"
CVE-1999-0912,Entry,"FreeBSD VFS cache (vfs_cache) allows local users to cause a denial of service by opening a large number of files.","BUGTRAQ:19990921 FreeBSD-specific denial of service | BID:653 | URL:http://www.securityfocus.com/bid/653 | XF:freebsd-vfscache-dos | OSVDB:1079 | URL:http://www.osvdb.org/1079",,,
CVE-1999-0913,Candidate,"dfire.cgi script in Dragon-Fire IDS allows remote users to execute commands via shell metacharacters.","BUGTRAQ:19990804 NSW Dragon Fire gets drowned | URL:http://marc.theaimsgroup.com/?l=bugtraq&m=93383593909438&w=2 | BID:564 | URL:http://www.securityfocus.com/bid/564",Proposed (19991214)," ACCEPT(2) Blake, Stracener | MODIFY(1) Frech | NOOP(4) LeBlanc, Baker, Cole, Armstrong | REVIEWING(1) Christey"," Christey> Some voters should use ABSTAIN. | Frech> XF:dragon-fire-ids-metachar(3834) | CHANGE> [Armstrong changed vote from REVIEWING to NOOP]"
CVE-1999-0914,Entry,"Buffer overflow in the FTP client in the Debian GNU/Linux netstd package.","DEBIAN:19990104 | BUGTRAQ:19990103 [SECURITY] New versions of netstd fixes buffer overflows | BID:324 | URL:http://www.securityfocus.com/bid/324",,,
CVE-1999-0915,Entry,"URL Live! web server allows remote attackers to read arbitrary files via a .. (dot dot) attack.","BUGTRAQ:19991028 URL Live! 1.0 WebServer | BID:746 | URL:http://www.securityfocus.com/bid/746 | OSVDB:1129 | URL:http://www.osvdb.org/1129",,,
CVE-1999-0916,Entry,"WebTrends software stores account names and passwords in a file which does not have restricted access permissions.","ISS:19990629 Bad Permissions on Passwords Stored by WebTrends Software",,,
CVE-1999-0917,Entry,"The Preloader ActiveX control used by Internet Explorer allows remote attackers to read arbitrary files.","MS:MS99-018 | URL:http://www.microsoft.com/technet/security/bulletin/ms99-018.mspx | MSKB:Q231452 | URL:http://support.microsoft.com/default.aspx?scid=kb;[LN];Q231452 | XF:legacy-activex-local-drive",,,
CVE-1999-0918,Entry,"Denial of service in various Windows systems via malformed, fragmented IGMP packets.","BUGTRAQ:19990703 IGMP fragmentation bug in Windows 98/2000 | MSKB:Q238329 | URL:http://support.microsoft.com/default.aspx?scid=kb;[LN];Q238329 | MS:MS99-034 | URL:http://www.microsoft.com/technet/security/bulletin/ms99-034.mspx | XF:igmp-dos | BID:514 | URL:http://www.securityfocus.com/bid/514",,,
CVE-1999-0919,Candidate,"A memory leak in a Motorola CableRouter allows remote attackers to conduct a denial of service via a large number of telnet connections.","BUGTRAQ:19980510 Security Vulnerability in Motorola CableRouters | URL:http://www.netspace.org/cgi-bin/wa?A2=ind9805B&L=bugtraq&P=R1621 | XF:motorola-cable-crash(2004) | URL:http://xforce.iss.net/static/2004.php",Modified (20020226-02)," ACCEPT(2) Baker, Cole | MODIFY(1) Frech | NOOP(7) LeBlanc, Wall, Landfield, Armstrong, Ozancin, Stracener, Christey | REVIEWING(1) Levy"," Christey> This candidate is unconfirmed by the vendor. | Frech> XF:motorola-cable-crash | Christey> This has enough votes, but not the ""confidence"" yet (until we | resolve the question of the amount of verification needed | for CVE)."
CVE-1999-0920,Entry,"Buffer overflow in the pop-2d POP daemon in the IMAP package allows remote attackers to gain privileges via the FOLD command.","BUGTRAQ:19990526 Remote vulnerability in pop2d | DEBIAN:19990607a | BID:283 | URL:http://www.securityfocus.com/bid/283 | XF:pop2-fold-bo",,,
CVE-1999-0921,Entry,"BMC Patrol allows any remote attacker to flood its UDP port, causing a denial of service.","BUGTRAQ:19990409 Patrol security bugs | URL:http://www.securityfocus.com/archive/1/13204 | XF:bmc-patrol-udp-dos(4291) | URL:http://www.iss.net/security_center/static/4291.php | BID:1879 | URL:http://www.securityfocus.com/bid/1879",,,
CVE-1999-0922,Entry,"An example application in ColdFusion Server 4.0 allows remote attackers to view source code via the sourcewindow.cfm file.","ALLAIRE:ASB99-02 | URL:http://www.allaire.com/handlers/index.cfm?ID=8739&Method=Full | XF:coldfusion-sourcewindow",,,
CVE-1999-0923,Candidate,"Sample runnable code snippets in ColdFusion Server 4.0 allow remote attackers to read files, conduct a denial of service, or use the server as a proxy for other HTTP calls.","ALLAIRE:ASB99-02 | URL:http://www.allaire.com/handlers/index.cfm?ID=8739&Method=Full",Proposed (20010214)," ACCEPT(2) Baker, Cole | MODIFY(1) Frech | NOOP(1) Christey"," Frech> XF:coldfusion-source-display(1741) | XF:coldfusion-syntax-checker(1742) | XF:coldfusion-file-existence(1743) | XF:coldfusion-sourcewindow(1744) | Christey> List all affected runnable code snippets to facilitate | search, which may include: | viewexample.cfm (though could that be part of CVE-1999-0922?)"
CVE-1999-0924,Entry,"The Syntax Checker in ColdFusion Server 4.0 allows remote attackers to conduct a denial of service.","ALLAIRE:ASB99-02 | URL:http://www.allaire.com/handlers/index.cfm?ID=8739&Method=Full | XF:coldfusion-syntax-checker(1742) | URL:http://xforce.iss.net/xforce/xfdb/1742 | OSVDB:3236 | URL:http://www.osvdb.org/3236",,,
CVE-1999-0925,Candidate,"UnityMail allows remote attackers to conduct a denial of service via a large number of MIME headers.","BUGTRAQ:19980903 Web servers / possible DOS Attack / mime header flooding | URL:http://marc.theaimsgroup.com/?l=bugtraq&m=90486243124867&w=2",Modified (20020829-01)," ACCEPT(2) Baker, Stracener | MODIFY(1) Frech | NOOP(1) Christey | REVIEWING(1) Levy"," Frech> XF:unitymail-web-dos(1630) | Christey> BID:1760 | URL:http://www.securityfocus.com/bid/1760 | Christey> Affected version is 2.0 | Change date of Bugtraq post - it was 1998."
CVE-1999-0926,Candidate,"Apache allows remote attackers to conduct a denial of service via a large number of MIME headers.","BUGTRAQ:19990903 Web servers / possible DOS Attack / mime header flooding | URL:http://archives.neohapsis.com/archives/bugtraq/1998_3/0742.html",Proposed (20010912)," ACCEPT(1) Cole | MODIFY(1) Frech | NOOP(3) Wall, Foat, Christey"," Christey> BID:1760 | URL:http://www.securityfocus.com/bid/1760 | Frech> XF:unitymail-web-dos(1630)"
CVE-1999-0927,Entry,"NTMail allows remote attackers to read arbitrary files via a .. (dot dot) attack.","EEYE:AD05261999 | URL:http://www.eeye.com/html/Research/Advisories/AD05261999.html | BID:279 | URL:http://www.securityfocus.com/bid/279 | XF:ntmail-fileread",,,
CVE-1999-0928,Entry,"Buffer overflow in SmartDesk WebSuite allows remote attackers to cause a denial of service via a long URL.","BUGTRAQ:19990525 Buffer overflow in SmartDesk WebSuite v2.1 | XF:websuite-dos | BID:278 | URL:http://www.securityfocus.com/bid/278",,,
CVE-1999-0929,Candidate,"Novell NetWare with Novell-HTTP-Server or YAWN web servers allows remote attackers to conduct a denial of service via a large number of HTTP GET requests.","BUGTRAQ:19990616 Novell NetWare webservers DoS",Interim (19991229)," ACCEPT(4) Blake, Cole, Armstrong, Stracener | MODIFY(1) Frech | NOOP(1) Baker"," Frech> XF:novell-webserver-dos(2287)"
CVE-1999-0930,Entry,"wwwboard allows a remote attacker to delete message board articles via a malformed argument.","BUGTRAQ:19980903 wwwboard.pl vulnerability | CONFIRM:http://www.worldwidemart.com/scripts/faq/wwwboard/q5.shtml | XF:http-cgi-wwwboard(2344) | URL:http://xforce.iss.net/static/2344.php | BID:1795 | URL:http://www.securityfocus.com/bid/1795",,,
CVE-1999-0931,Entry,"Buffer overflow in Mediahouse Statistics Server allows remote attackers to execute commands.","BUGTRAQ:19990930 Security flaw in Mediahouse Statistics Server v4.28 & 5.01 | BID:734 | URL:http://www.securityfocus.com/bid/734 | XF:mediahouse-stats-login-bo",,,
CVE-1999-0932,Entry,"Mediahouse Statistics Server allows remote attackers to read the administrator password, which is stored in cleartext in the ss.cfg file.","BUGTRAQ:19990930 Security flaw in Mediahouse Statistics Server v4.28 & 5.01 | BID:735 | URL:http://www.securityfocus.com/bid/735 | XF:mediahouse-stats-adminpw-cleartext",,,
CVE-1999-0933,Entry,"TeamTrack web server allows remote attackers to read arbitrary files via a .. (dot dot) attack.","BUGTRAQ:19991001 RFP9904: TeamTrack webserver vulnerability | BID:689 | URL:http://www.securityfocus.com/bid/689 | OSVDB:1096 | URL:http://www.osvdb.org/1096",,,
CVE-1999-0934,Entry,"classifieds.cgi allows remote attackers to read arbitrary files via shell metacharacters.","EL8:19991215 Classifieds (classifieds.cgi) | BID:2020 | URL:http://www.securityfocus.com/bid/2020 | XF:http-cgi-classifieds-read(3102) | URL:http://xforce.iss.net/xforce/xfdb/3102",,,
CVE-1999-0935,Entry,"classifieds.cgi allows remote attackers to execute arbitrary commands by specifying them in a hidden variable in a CGI form.","EL8:19991215 Classifieds (classifieds.cgi)",,,
CVE-1999-0936,Entry,"BNBSurvey survey.cgi program allows remote attackers to execute commands via shell metacharacters.","EL8:19981203 BNBSurvey (survey.cgi)",,,
CVE-1999-0937,Entry,"BNBForm allows remote attackers to read arbitrary files via the automessage hidden form variable.","EL8:19981203 BNBForm (bnbform.cgi)",,,
CVE-1999-0938,Entry,"MBone SDR Package allows remote attackers to execute commands via shell metacharacters in Session Initiation Protocol (SIP) messages.","CERT:VN-99-03 | XF:sdr-execute",,,
CVE-1999-0939,Entry,"Denial of service in Debian IRC Epic/epic4 client via a long string.","BUGTRAQ:19990826 [SECURITY] New versions of epic4 fixes possible DoS vulnerability | DEBIAN:19990826 | BID:605 | URL:http://www.securityfocus.com/bid/605",,,
CVE-1999-0940,Entry,"Buffer overflow in mutt mail client allows remote attackers to execute commands via malformed MIME messages.","CALDERA:CSSA-1999-031 | SUSE:19990927 Security hole in mutt",,,
CVE-1999-0941,Candidate,"Mutt mail client allows a remote attacker to execute commands via shell metacharacters.","BUGTRAQ:19980728 mutt x.x | URL:http://marc.theaimsgroup.com/?l=bugtraq&m=90221104526154&w=2",Proposed (19991222)," ACCEPT(1) Stracener | NOOP(2) Baker, Christey | REJECT(1) Frech | REVIEWING(1) Levy"," Frech> References are vague, but seem to be identical to CVE-1999-0940 | (XF:mutt-text-enriched-mime-bo). According to the references, the malformed | messages consist of metacharacters. In addition, -0941's reference and | -0940's SuSE reference both refer to fixes in 1.0pre3 release. Will | reconsider vote if other clearer references are forthcoming. | Christey> Modify to mention that the metachar's are in the Content-Type header. | http://marc.theaimsgroup.com/?l=bugtraq&m=90221104526154&w=2"
CVE-1999-0942,Entry,"UnixWare dos7utils allows a local user to gain root privileges by using the STATICMERGE environmental variable to find a script which it executes.","BUGTRAQ:19991005 SCO UnixWare 7.1 local root exploit | XF:sco-unixware-dos7utils-root-privs",,,
CVE-1999-0943,Entry,"Buffer overflow in OpenLink 3.2 allows remote attackers to gain privileges via a long GET request to the web configurator.","BUGTRAQ:19991015 OpenLink 3.2 Advisory | BID:720 | URL:http://www.securityfocus.com/bid/720",,,
CVE-1999-0944,Candidate,"IBM WebSphere ikeyman tool uses weak encryption to store a password for a key database that is used for SSL connections.","BUGTRAQ:19991024 password leak in IBM WebSphere / HTTP Server / ikeyman",Proposed (19991222)," ACCEPT(2) Baker, Stracener | MODIFY(1) Frech | NOOP(2) Bollinger, Christey | REVIEWING(1) Levy"," Frech> XF:websphere-database-pwd-accessible | Christey> ADDREF BID:1763 | URL:http://www.securityfocus.com/bid/1763"
CVE-1999-0945,Entry,"Buffer overflow in Internet Mail Service (IMS) for Microsoft Exchange 5.5 and 5.0 allows remote attackers to conduct a denial of service via AUTH or AUTHINFO commands.","ISS:19980724 Denial of Service attacks against Microsoft Exchange 5.0 to 5.5 | URL:http://xforce.iss.net/alerts/advise4.php | CIAC:I-080 | URL:http://www.ciac.org/ciac/bulletins/i-080.shtml | MSKB:Q169174 | URL:http://support.microsoft.com/default.aspx?scid=kb;[LN];Q169174 | XF:exchange-dos(1223) | URL:http://xforce.iss.net/xforce/xfdb/1223",,,
CVE-1999-0946,Entry,"Buffer overflow in Yamaha MidiPlug via a Text variable in an EMBED tag.","BUGTRAQ:19991102 Some holes for Win/UNIX softwares | URL:http://marc.theaimsgroup.com/?l=bugtraq&m=94157187815629&w=2 | XF:yamaha-midiplug-embed | BID:760 | URL:http://www.securityfocus.com/bid/760",,,
CVE-1999-0947,Entry,"AN-HTTPd provides example CGI scripts test.bat, input.bat, input2.bat, and envout.bat, which allow remote attackers to execute commands via shell metacharacters.","BUGTRAQ:19991102 Some holes for Win/UNIX softwares | URL:http://marc.theaimsgroup.com/?l=bugtraq&m=94157187815629&w=2 | BID:762 | URL:http://www.securityfocus.com/bid/762",,,
CVE-1999-0948,Candidate,"Buffer overflow in uum program for Canna input system allows local users to gain root privileges.","BID:757 | URL:http://www.securityfocus.com/bid/757 | BUGTRAQ:19991102 Some holes for Win/UNIX softwares",Proposed (19991222)," ACCEPT(2) Stracener, Levy | MODIFY(1) Frech | NOOP(2) Baker, Christey"," Christey> CVE-1999-0948 and CVE-1999-0949 are extremely similar. | uum (0948) is exploitable through a different set of options | than canuum (0949). If it's the same generic option parsing | routine used by both programs, then CD:SF-CODEBASE says to | merge them. But if it's not, then CD:SF-LOC and CD:SF-EXEC | says to split them. However, this is a prime example of | how SF-EXEC might be modified - uum and canuum are clearly | part of the same package, so in the absence of clear | information, maybe we should merge them. | Frech> XF:canna-uum-bo"
CVE-1999-0949,Candidate,"Buffer overflow in canuum program for Canna input system allows local users to gain root privileges.","BID:757 | URL:http://www.securityfocus.com/bid/757 | BUGTRAQ:19991102 Some holes for Win/UNIX softwares",Proposed (19991222)," ACCEPT(2) Stracener, Levy | MODIFY(1) Frech | NOOP(2) Baker, Christey"," Christey> CVE-1999-0948 and CVE-1999-0949 are extremely similar. | uum (0948) is exploitable through a different set of options | than canuum (0949). If it's the same generic option parsing | routine used by both programs, then CD:SF-CODEBASE says to | merge them. But if it's not, then CD:SF-LOC and CD:SF-EXEC | says to split them. However, this is a prime example of | how SF-EXEC might be modified - uum and canuum are clearly | part of the same package, so in the absence of clear | information, maybe we should merge them. | | Also review BID:758 and BID:757 - may need to change the BID | here. | Frech> XF:canna-uum-bo | Christey> CHANGEREF BID:757 BID:758 | Christey> The following page says that canuum is a ""Japanese input tty | frontend for Canna using uum,"" which suggests that it is, at | the least, a different package, so perhaps this should stay SPLIT. | | http://wuarchive.wustl.edu/mirrors/NetBSD/NetBSD-current/pkgsrc/inputmethod/canuum/README.html"
CVE-1999-0950,Entry,"Buffer overflow in WFTPD FTP server allows remote attackers to gain root access via a series of MKD and CWD commands that create nested directories.","BUGTRAQ:19991027 WFTPD v2.40 FTPServer remotely exploitable buffer overflow vulnerability | BID:747 | URL:http://www.securityfocus.com/bid/747 | XF:wftpd-mkd-bo",,,
CVE-1999-0951,Entry,"Buffer overflow in OmniHTTPd CGI program imagemap.exe allows remote attackers to execute commands.","BUGTRAQ:19991022 Imagemap CGI overflow exploit | BID:739 | URL:http://www.securityfocus.com/bid/739 | XF:http-cgi-imagemap-bo | OSVDB:3380 | URL:http://www.osvdb.org/3380",,,
CVE-1999-0952,Candidate,"Buffer overflow in Solaris lpstat via class argument allows local users to gain root access.","BUGTRAQ:19990126 Buffer overflow in Solaris 2.6/2.7 /usr/bin/lpstat | URL:http://marc.theaimsgroup.com/?l=bugtraq&m=91759216618637&w=2",Proposed (19991222)," ACCEPT(3) Baker, Ozancin, Stracener | MODIFY(2) Frech, Dik | REVIEWING(1) Christey"," Frech> XF:solaris-lpstat-bo | Christey> It is unclear from Casper Dik's followup whether this is | exploitable or not. | Dik> Sunbug 4129917 | (other reports in the same thread suggest that the then current patch did | fix the problem) | Christey> Confirm with Casper Dik that the overflow is in the -c option, | and if so, include it in the description to differentiate | it from the lpstat -n buffer overflow."
CVE-1999-0953,Entry,"WWWBoard stores encrypted passwords in a password file that is under the web root and thus accessible by remote attackers.","BUGTRAQ:19980903 wwwboard.pl vulnerability | BUGTRAQ:19990916 More fun with WWWBoard",,,
CVE-1999-0954,Entry,"WWWBoard has a default username and default password.","BUGTRAQ:19990916 More fun with WWWBoard | BID:649 | URL:http://www.securityfocus.com/bid/649",,,
CVE-1999-0955,Entry,"Race condition in wu-ftpd and BSDI ftpd allows remote attackers to gain root access via the SITE EXEC command.","CERT:CA-94.08 | CIAC:E-17 | XF:ftp-exec",,,
CVE-1999-0956,Entry,"The NeXT NetInfo _writers property allows local users to gain root privileges or conduct a denial of service.","CERT:CA-93.02a | XF:next-netinfo",,,
CVE-1999-0957,Entry,"MajorCool mj_key_cache program allows local users to modify files via a symlink attack.","BUGTRAQ:19970618 Security hole in MajorCool 1.0.3 | XF:majorcool-file-overwrite-vuln",,,
CVE-1999-0958,Entry,"sudo 1.5.x allows local users to execute arbitrary commands via a .. (dot dot) attack.","BUGTRAQ:19980112 Re: hole in sudo for MP-RAS. | URL:http://marc.theaimsgroup.com/?l=bugtraq&m=88465708614896&w=2 | XF:sudo-dot-dot-attack",,,
CVE-1999-0959,Entry,"IRIX startmidi program allows local users to modify arbitrary files via a symlink attack.","BUGTRAQ:19970209 IRIX: Bug in startmidi | AUSCERT:AA-97-05 | SGI:19980301-01-PX | URL:ftp://patches.sgi.com/support/free/security/advisories/19980301-01-PX | BID:469 | URL:http://www.securityfocus.com/bid/469 | OSVDB:8447 | URL:http://www.osvdb.org/8447 | XF:irix-startmidi-file-creation(1634)",,,
CVE-1999-0960,Entry,"IRIX cdplayer allows local users to create directories in arbitrary locations via a command line option.","AUSCERT:AA-96.11 | SGI:19980301-01-PX | URL:ftp://patches.sgi.com/support/free/security/advisories/19980301-01-PX | XF:irix-cdplayer-directory-create",,,
CVE-1999-0961,Entry,"HPUX sysdiag allows local users to gain root privileges via a symlink attack during log file creation.","BUGTRAQ:19960921 Vunerability in HP sysdiag ? | URL:http://marc.theaimsgroup.com/?l=bugtraq&m=87602167419906&w=2 | CIAC:H-03 | XF:hp-sysdiag-symlink",,,
CVE-1999-0962,Entry,"Buffer overflow in HPUX passwd command allows local users to gain root privileges via a command line option.","AUSCERT:AA-96.13 | HP:HPSBUX9701-045 | URL:http://www1.itrc.hp.com/service/cki/docDisplay.do?docId=HPSBUX9701-045 | XF:hp-password-cmd-bo | OSVDB:6415 | URL:http://www.osvdb.org/6415",,,
CVE-1999-0963,Entry,"FreeBSD mount_union command allows local users to gain root privileges via a symlink attack.","BUGTRAQ:19960517 BoS: SECURITY BUG in FreeBSD | CERT:VB-96.06 | XF:freebsd-mount-union-root | OSVDB:6088 | URL:http://www.osvdb.org/6088",,,
CVE-1999-0964,Entry,"Buffer overflow in FreeBSD setlocale in the libc module allows attackers to execute arbitrary code via a long PATH_LOCALE environment variable.","FREEBSD:FreeBSD-SA-97:01 | XF:freebsd-setlocale-bo | OSVDB:6086 | URL:http://www.osvdb.org/6086",,,
CVE-1999-0965,Entry,"Race condition in xterm allows local users to modify arbitrary files via the logging option.","CERT:CA-93.17 | XF:xterm",,,
CVE-1999-0966,Entry,"Buffer overflow in Solaris getopt in libc allows local users to gain root privileges via a long argv[0].","L0PHT:19970127 Solaris libc - getopt(3)",,,
CVE-1999-0967,Entry,"Buffer overflow in the HTML library used by Internet Explorer, Outlook Express, and Windows Explorer via the res: local resource protocol.","L0PHT:19971101 Microsoft Internet Explorer 4.0 Suite",,,
CVE-1999-0968,Entry,"Buffer overflow in BNC IRC proxy allows remote attackers to gain privileges.","BUGTRAQ:19981226 bnc exploit | URL:http://www.securityfocus.com/archive/1/11711 | XF:bnc-proxy-bo(1546) | URL:http://xforce.iss.net/static/1546.php | BID:1927 | URL:http://www.securityfocus.com/bid/1927",,,
CVE-1999-0969,Entry,"The Windows NT RPC service allows remote attackers to conduct a denial of service using spoofed malformed RPC packets which generate an error message that is sent to the spoofed host, potentially setting up a loop, aka Snork.","ISS:19980929 ""Snork"" Denial of Service Attack Against Windows NT RPC Service | NTBUGTRAQ:19980929 ISS Security Advisory: Snork | MS:MS98-014 | URL:http://www.microsoft.com/technet/security/bulletin/ms98-014.mspx | MSKB:Q193233 | URL:http://support.microsoft.com/default.aspx?scid=kb;[LN];Q193233 | XF:snork-dos",,,
CVE-1999-0970,Candidate,"The OmniHTTPD visadmin.exe program allows a remote attacker to conduct a denial of service via a malformed URL which causes a large number of temporary files to be created.","BUGTRAQ:19990605 Remote Exploit (Bug) in OmniHTTPd Web Server | URL:http://www.securityfocus.com/archive/1/14311 | XF:omnihttpd-dos(2271) | URL:http://xforce.iss.net/static/2271.php | BID:1808 | URL:http://www.securityfocus.com/bid/1808",Modified (20020226-01)," ACCEPT(3) Blake, Baker, Stracener | MODIFY(1) Frech | NOOP(1) Christey | REVIEWING(1) Levy"," Frech> XF:omnihttpd-dos | Christey> Some sort of confirmation might be findable at: | http://www.omnicron.ab.ca/httpd/docs/release.html | Christey> See http://www.omnicron.ab.ca/index.html | The August 16, 2000 news item says ""This release fixes some | security problems."" It's for version 2.07, but the discloser | didn't say what version was available. | | Other security fixes are in the release notes at | http://www.omnicron.ab.ca/httpd/docs/release.html Notes for | Professional Version 1.01 say ""Patched up two security weaknesses."" | Notes for version 2.07 say ""Fixes dot-appending vulnerability."" | Professional Alpha 7 says ""Revamped CGI launching and security,"" | Professional Alpha 4 says ""Fixed SSI path mapping and security | problems,"" Alpha 5 says ""Security fixup."" | | In other words, you can't tell whether they've fixed this bug | or not. | Christey> BID:1808 | URL:http://www.securityfocus.com/bid/1808"
CVE-1999-0971,Entry,"Buffer overflow in Exim allows local users to gain root privileges via a long :include: option in a .forward file.","BUGTRAQ:19970722 Security hole in exim 1.62: local root exploit | URL:http://www.securityfocus.com/archive/1/7301 | XF:exim-include-overflow",,,
CVE-1999-0972,Entry,"Buffer overflow in Xshipwars xsw program.","BUGTRAQ:19991209 xsw 1.24 remote buffer overflow | BID:863 | URL:http://www.securityfocus.com/bid/863",,,
CVE-1999-0973,Entry,"Buffer overflow in Solaris snoop program allows remote attackers to gain root privileges via a long domain name when snoop is running in verbose mode.","BUGTRAQ:19991206 [w00giving #8] Solaris 2.7's snoop | BUGTRAQ:19991209 Clarification needed on the snoop vuln(s) (fwd) | BID:858 | URL:http://www.securityfocus.com/bid/858",,,
CVE-1999-0974,Entry,"Buffer overflow in Solaris snoop allows remote attackers to gain root privileges via GETQUOTA requests to the rpc.rquotad service.","ISS:19991209 Buffer Overflow in Solaris Snoop | SUN:00190 | URL:http://sunsolve.sun.com/pub-cgi/retrieve.pl?doctype=coll&doc=secbull/190 | BUGTRAQ:19991209 Clarification needed on the snoop vuln(s) (fwd) | BID:864 | URL:http://www.securityfocus.com/bid/864",,,
CVE-1999-0975,Entry,"The Windows help system can allow a local user to execute commands as another user by editing a table of contents metafile with a .CNT extension and modifying the topic action to include the commands to be executed when the .hlp file is accessed.","BUGTRAQ:19991207 Local user can fool another to run executable. .CNT/.GID/.HLP M$WINNT | BID:868 | URL:http://www.securityfocus.com/bid/868",,,
CVE-1999-0976,Entry,"Sendmail allows local users to reinitialize the aliases database via the newaliases command, then cause a denial of service by interrupting Sendmail.","OPENBSD:19991204 | BUGTRAQ:19991207 [Debian] New version of sendmail released | XF:sendmail-bi-alias | BID:857 | URL:http://www.securityfocus.com/bid/857",,,
CVE-1999-0977,Entry,"Buffer overflow in Solaris sadmind allows remote attackers to gain root privileges using a NETMGT_PROC_SERVICE request.","SF-INCIDENTS:19991209 sadmind | BUGTRAQ:19991210 Solaris sadmind Buffer Overflow Vulnerability | BUGTRAQ:19991210 Re: Solaris sadmind Buffer Overflow Vulnerability | CERT:CA-99-16 | SUN:00191 | URL:http://sunsolve.sun.com/pub-cgi/retrieve.pl?doctype=coll&doc=secbull/191 | BID:866 | URL:http://www.securityfocus.com/bid/866 | BID:2354 | URL:http://www.securityfocus.com/bid/2354 | XF:sol-sadmind-amslverify-bo | OSVDB:2558 | URL:http://www.osvdb.org/2558",,,
CVE-1999-0978,Entry,"htdig allows remote attackers to execute commands via filenames with shell metacharacters.","DEBIAN:19991209 | BID:867 | URL:http://www.securityfocus.com/bid/867",,,
CVE-1999-0979,Entry,"The SCO UnixWare privileged process system allows local users to gain root privileges by using a debugger such as gdb to insert traps into _init before the privileged process is executed.","BUGTRAQ:19991209 Fundamental flaw in UnixWare 7 security | BUGTRAQ:19991215 Recent postings about SCO UnixWare 7 | URL:http://marc.theaimsgroup.com/?l=bugtraq&m=94530783815434&w=2 | BID:869 | URL:http://www.securityfocus.com/bid/869",,,
CVE-1999-0980,Entry,"Windows NT Service Control Manager (SCM) allows remote attackers to cause a denial of service via a malformed argument in a resource enumeration request.","MS:MS99-055 | URL:http://www.microsoft.com/technet/security/bulletin/ms99-055.mspx | MSKB:Q246045 | URL:http://support.microsoft.com/default.aspx?scid=kb;[LN];Q246045",,,
CVE-1999-0981,Entry,"Internet Explorer 5.01 and earlier allows a remote attacker to create a reference to a client window and use a server-side redirect to access local files via that window, aka ""Server-side Page Reference Redirect.""","MS:MS99-050 | URL:http://www.microsoft.com/technet/security/bulletin/ms99-050.mspx | MSKB:Q246094 | URL:http://support.microsoft.com/default.aspx?scid=kb;[LN];Q246094",,,
CVE-1999-0982,Entry,"The Sun Web-Based Enterprise Management (WBEM) installation script stores a password in plaintext in a world readable file.","BUGTRAQ:19991206 Solaris WBEM 1.0: plaintext password stored in world readable file",,,
CVE-1999-0983,Candidate,"Whois Internic Lookup program whois.cgi allows remote attackers to execute commands via shell metacharacters in the domain entry.","BUGTRAQ:19991109 Whois.cgi - ADVISORY.",Proposed (19991214)," ACCEPT(3) Blake, Cole, Stracener | MODIFY(1) Frech | NOOP(1) Baker | REVIEWING(1) Christey"," Christey> More examination is required to determine if CVE-1999-0983, | CVE-1999-0984, or CVE-1999-0985 are the same codebase. | Frech> XF:whois-internic-shell-meta | Christey> ADDREF BID:2000 | Christey> The XF appears to be gone. Perhaps it's this one: | XF:http-cgi-whois-meta(3798)"
CVE-1999-0984,Candidate,"Matt's Whois program whois.cgi allows remote attackers to execute commands via shell metacharacters in the domain entry.","BUGTRAQ:19991109 Whois.cgi - ADVISORY.",Proposed (19991214)," ACCEPT(2) Blake, Stracener | MODIFY(1) Frech | NOOP(2) Baker, Cole | REVIEWING(1) Christey"," Cole> How is this different than the previous? | Christey> More examination is required to determine if CVE-1999-0983, | CVE-1999-0984, or CVE-1999-0985 are the same codebase. | Frech> XF:matts-whois-meta | Christey> ADDREF BID:2000 | Christey> XF reference is gone. Replace with http-cgi-matts-whois-meta(3799) ?"
CVE-1999-0985,Candidate,"CC Whois program whois.cgi allows remote attackers to execute commands via shell metacharacters in the domain entry.","BUGTRAQ:19991109 Whois.cgi - ADVISORY.",Proposed (19991214)," ACCEPT(2) Blake, Stracener | MODIFY(1) Frech | NOOP(2) Baker, Cole | REVIEWING(1) Christey"," Cole> I would combine all of these. | Christey> More examination is required to determine if CVE-1999-0983, | CVE-1999-0984, or CVE-1999-0985 are the same codebase. | Frech> XF:cc-whois-meta | Christey> ADDREF BID:2000 | Frech> Change cc-whois-meta(3800) to http-cgi-ccwhois(3747) | Christey> Replace XF reference with XF:cc-whois-meta(3800) ?"
CVE-1999-0986,Entry,"The ping command in Linux 2.0.3x allows local users to cause a denial of service by sending large packets with the -R (record route) option.","BUGTRAQ:19991209 Big problem on 2.0.x? | BID:870 | URL:http://www.securityfocus.com/bid/870",,,
CVE-1999-0987,Entry,"Windows NT does not properly download a system policy if the domain user logs into the domain with a space at the end of the domain name.","NTBUGTRAQ:19991118 NT System Policy for Win95 Not downloaded when adding a space after domain name | MSKB:Q237923 | URL:http://support.microsoft.com/default.aspx?scid=kb;[LN];Q237923",,,
CVE-1999-0988,Candidate,"UnixWare pkgtrans allows local users to read arbitrary files via a symlink attack.","BUGTRAQ:19991204 UnixWare pkg* command exploits | BUGTRAQ:19991215 Recent postings about SCO UnixWare 7 | BUGTRAQ:19991223 FYI, SCO Security patches available. | BUGTRAQ:19991220 SCO OpenServer Security Status",Modified (20000121-01)," ACCEPT(3) Blake, Baker, Cole | MODIFY(1) Frech | RECAST(1) Stracener | REVIEWING(1) Christey"," Stracener> The pkg* programs pkgtrans, pkginfo, pkgcat, pkginstall, and pkgparam | can be used to mount etc/shadow printing attacks as a result of the | ""dacread"" permission (cf. /etc/security/tcb/privs). The procedural | differences between the individual exploits for each of these utilities | are therefore inconsequential. CVE-1999-0988 should be merged with | CVE-1999-0828. From the standpoint of maintaining consistency of the | level of abstraction used in CVE, the co-existence of CANS | 1999-0988/1999-0828 presents two choices: either merge 0988 with 0828, or | split 0828 into 4 distinct candidates, keeping 0988 intact. Due to the | very small differences (in principle) between the exploits subsumed by | 0828 and 0988 and the shared dacread permissions of the pkg* suite, I | suggest a merge. Below is a summary of the data upon which my decision | was based. | utility exploit | -------- ---------------------------------- | pkgtrans --> symlink + dacread permission prob | pkginfo --> truss (debugging utility) in conjunction with pkginfo -d | etc/shadow. In this case, it captures the interaction between | pkginfo and the shadow file. Once again: dacread. | pkgcat --> buffer overflow + dacread permission prob | pkginstall -> buffer overflow + dacread permission prob | pkgparam --> -f etc/shadow (works because of dacread). | Christey> This is a tough one. While there are few procedural | differences, one could view ""assignment of an improper | permission"" as a ""class"" of problems along the lines of | buffer overflows and the like. Just like some programs | were fine until they got turned into CGI scripts, this | could be an emerging pattern which should be given | consideration. Consider the Eyedog and scriptlet.typelib | ActiveX utilities being marked as safe for scripting | (CVE-1999-0668 and 0669). | | ftp://ftp.sco.com/SSE/security_bulletins/SB-99.28a loosely | alludes to this problem; the README for patch SSE053 | effectively confirms it. | Frech> XF:unixware-pkgtrans-symlink"
CVE-1999-0989,Entry,"Buffer overflow in Internet Explorer 5 directshow filter (MSDXM.OCX) allows remote attackers to execute commands via the vnd.ms.radio protocol.","NTBUGTRAQ:19991205 new IE5 remote exploit | BUGTRAQ:19991205 new IE5 remote exploit | BID:861 | URL:http://www.securityfocus.com/bid/861",,,
CVE-1999-0990,Candidate,"Error messages generated by gdm with the VerboseAuth setting allow an attacker to identify valid users on a system.","BUGTRAQ:19991205 gdm thing",Interim (19991229)," ACCEPT(3) Blake, Cole, Stracener | MODIFY(1) Frech | NOOP(1) Baker"," Frech> XF:verbose-auth-identify-user(3804)"
CVE-1999-0991,Entry,"Buffer overflow in GoodTech Telnet Server NT allows remote users to cause a denial of service via a long login name.","NTBUGTRAQ:19991206 Remote DoS Attack in GoodTech Telnet Server NT v2.2.1 Vulnerability | BUGTRAQ:19991206 Remote DoS Attack in GoodTech Telnet Server NT v2.2.1 Vulnerability | BID:862 | URL:http://www.securityfocus.com/bid/862",,,
CVE-1999-0992,Entry,"HP VirtualVault with the PHSS_17692 patch allows unprivileged processes to bypass access restrictions via the Trusted Gateway Proxy (TGP).","HP:HPSBUX9912-107 | URL:http://www1.itrc.hp.com/service/cki/docDisplay.do?docId=HPSBUX9912-107",,,
CVE-1999-0993,Candidate,"Modifications to ACLs (Access Control Lists) in Microsoft Exchange 5.5 do not take effect until the directory store cache is refreshed.","NTBUGTRAQ:19991213 Changing ACL's in Exchange Server",Proposed (19991222)," ACCEPT(2) Wall, Stracener | MODIFY(1) Frech | NOOP(2) Baker, Cole | REJECT(1) LeBlanc"," Frech> XF:exchange-acl-changes(3916) | LeBlanc> Not a vulnerability"
CVE-1999-0994,Entry,"Windows NT with SYSKEY reuses the keystream that is used for encrypting SAM password hashes, allowing an attacker to crack passwords.","BINDVIEW:19991216 Windows NT's SYSKEY feature | MS:MS99-056 | URL:http://www.microsoft.com/technet/security/bulletin/ms99-056.mspx | MSKB:Q248183 | URL:http://support.microsoft.com/default.aspx?scid=kb;[LN];Q248183 | BID:873 | URL:http://www.securityfocus.com/bid/873",,,
CVE-1999-0995,Entry,"Windows NT Local Security Authority (LSA) allows remote attackers to cause a denial of service via malformed arguments to the LsaLookupSids function which looks up the SID, aka ""Malformed Security Identifier Request.""","NAI:19991216 Windows NT LSA Remote Denial of Service | MS:MS99-057 | URL:http://www.microsoft.com/technet/security/bulletin/ms99-057.mspx | MSKB:Q248185 | URL:http://support.microsoft.com/default.aspx?scid=kb;[LN];Q248185 | BID:875 | URL:http://www.securityfocus.com/bid/875",,,
CVE-1999-0996,Entry,"Buffer overflow in Infoseek Ultraseek search engine allows remote attackers to execute commands via a long GET request.","EEYE:AD19991215 | URL:http://www.eeye.com/html/Research/Advisories/AD19991215.html | BUGTRAQ:19991216 Infoseek Ultraseek Remote Buffer Overflow | NTBUGTRAQ:19991216 Infoseek Ultraseek Remote Buffer Overflow | XF:infoseek-ultraseek-bo | OSVDB:6490 | URL:http://www.osvdb.org/6490",,,
CVE-1999-0997,Entry,"wu-ftp with FTP conversion enabled allows an attacker to execute commands via a malformed file name that is interpreted as an argument to the program that does the conversion, e.g. tar or uncompress.","BUGTRAQ:19991220 Security vulnerability in certain wu-ftpd (and derivitives) configurations (fwd) | DEBIAN:DSA-377 | URL:http://www.debian.org/security/2003/dsa-377 | XF:wuftp-ftp-conversion",,,
CVE-1999-0998,Entry,"Cisco Cache Engine allows an attacker to replace content in the cache.","CISCO:19991216 Cisco Cache Engine Authentication Vulnerabilities | BUGTRAQ:19991216 Cisco Security Advisory: Cisco Cache Engine Authentication Vulnerabilities | XF:cisco-cache-engine-replace",,,
CVE-1999-0999,Entry,"Microsoft SQL 7.0 server allows a remote attacker to cause a denial of service via a malformed TDS packet.","MS:MS99-059 | URL:http://www.microsoft.com/technet/security/bulletin/ms99-059.mspx | MSKB:Q248749 | URL:http://support.microsoft.com/default.aspx?scid=kb;[LN];Q248749 | BID:817 | URL:http://www.securityfocus.com/bid/817",,,
CVE-1999-1000,Entry,"The web administration interface for Cisco Cache Engine allows remote attackers to view performance statistics.","CISCO:19991216 Cisco Cache Engine Authentication Vulnerabilities | BUGTRAQ:19991216 Cisco Security Advisory: Cisco Cache Engine Authentication Vulnerabilities | XF:cisco-cache-engine-performance",,,
CVE-1999-1001,Entry,"Cisco Cache Engine allows a remote attacker to gain access via a null username and password.","CISCO:19991216 Cisco Cache Engine Authentication Vulnerabilities | BUGTRAQ:19991216 Cisco Security Advisory: Cisco Cache Engine Authentication Vulnerabilities",,,
CVE-1999-1002,Candidate,"Netscape Navigator uses weak encryption for storing a user's Netscape mail password.","MISC:http://www.rstcorp.com/news/bad-crypto.html | BUGTRAQ:19991216 Reinventing the wheel (aka ""Decoding Netscape Mail passwords"") | URL:http://marc.theaimsgroup.com/?l=bugtraq&m=94536309217214&w=2 | BUGTRAQ:19991220 Netscape password scrambling | URL:http://marc.theaimsgroup.com/?l=bugtraq&m=94570673523998&w=2",Modified (20030619-01)," ACCEPT(4) Baker, Cole, Stracener, Wall | MODIFY(1) Frech | NOOP(1) Christey"," Frech> XF:netscape-mail-encryption(3921) | Christey> CHANGEREF make the RCA URL a ""MISC"" reference"
CVE-1999-1003,Candidate,"War FTP Daemon 1.70 allows remote attackers to cause a denial of service by flooding it with connections.","BUGTRAQ:19991214 Local / Remote D.o.S Attack in War FTP Daemon 1.70 Vulnerability | BUGTRAQ:19991216 Statement: Local / Remote D.o.S Attack in War FTP Daemon 1.70",Proposed (19991222)," ACCEPT(3) Baker, Cole, Stracener | MODIFY(1) Frech | NOOP(1) Wall"," Frech> XF:warftp-connection-flood"
CVE-1999-1004,Entry,"Buffer overflow in the POP server POProxy for the Norton Anti-Virus protection NAV2000 program via a large USER command.","BUGTRAQ:19991217 NAV2000 Email Protection DoS | URL:http://www.securityfocus.com/archive/1/38970 | BUGTRAQ:19991220 Norton Email Protection Remote Overflow (Addendum) | URL:http://www.securityfocus.com/archive/1/39194 | CONFIRM:http://service1.symantec.com/SUPPORT/nav.nsf/df0a595864594c86852567ac0063608c/6206f660a1f2516a882568660082c930?OpenDocument&Highlight=0,poproxy | OSVDB:6267 | URL:http://www.osvdb.org/6267",,,
CVE-1999-1005,Entry,"Groupwise web server GWWEB.EXE allows remote attackers to read arbitrary files with .htm extensions via a .. (dot dot) attack using the HELP parameter.","BUGTRAQ:19991219 Groupewise Web Interface | URL:http://marc.theaimsgroup.com/?l=bugtraq&m=94571433731824&w=2 | XF:groupwise-web-read-files | BID:879 | URL:http://www.securityfocus.com/bid/879 | OSVDB:3413 | URL:http://www.osvdb.org/3413",,,
CVE-1999-1006,Candidate,"Groupwise web server GWWEB.EXE allows remote attackers to determine the real path of the web server via the HELP parameter.","BUGTRAQ:19991219 Groupewise Web Interface | URL:http://marc.theaimsgroup.com/?l=bugtraq&m=94571433731824&w=2",Proposed (19991222)," ACCEPT(4) Baker, Cole, Stracener, Prosser | MODIFY(1) Frech | NOOP(2) Christey, Wall"," Frech> XF:groupwise-web-path | Prosser> Pretty well confirmed by testing with responses to BugTraq list. | | additional ref: BugTraq ID 879 http://www.securityfocus.com/bid/879 | Christey> A later discovery almost 2 years later is at: | BUGTRAQ:20020227 SecurityOffice Security Advisory:// Novell | GroupWise Web Access Path Disclosure Vulnerability | http://marc.theaimsgroup.com/?l=bugtraq&m=101494830315071&w=2 | CD:SF-LOC might suggest merging these together."
CVE-1999-1007,Entry,"Buffer overflow in VDO Live Player allows remote attackers to execute commands on the VDO client via a malformed .vdo file.","BUGTRAQ:19991213 VDO Live Player 3.02 Buffer Overflow | URL:http://marc.theaimsgroup.com/?l=bugtraq&m=94512259331599&w=2 | XF:vdolive-bo-execute | BID:872 | URL:http://www.securityfocus.com/bid/872",,,
CVE-1999-1008,Entry,"xsoldier program allows local users to gain root access via a long argument.","BUGTRAQ:19991215 FreeBSD 3.3 xsoldier root exploit | MISC:http://marc.theaimsgroup.com/?l=freebsd-security&m=94531826621620&w=2 | BID:871 | URL:http://www.securityfocus.com/bid/871 | XF:unix-xsoldier-overflow",,,
CVE-1999-1009,Candidate,"The Disney Go Express Search allows remote attackers to access and modify search information for users by connecting to an HTTP server on the user's system.","BUGTRAQ:19991213 Privacy hole in Go Express Search",Proposed (19991222)," ACCEPT(1) Baker | MODIFY(1) Frech | NOOP(4) Cole, Stracener, Balinsky, Wall"," Frech> XF:disney-search-info(3955) | Balinsky> The go.express.com web site does not mention the existence of the Express web server mentioned in the advisory. There appears to be no way of verifying this."
CVE-1999-1010,Entry,"An SSH 1.2.27 server allows a client to use the ""none"" cipher, even if it is not allowed by the server policy.","BUGTRAQ:19991214 sshd1 allows unencrypted sessions regardless of server policy | URL:http://marc.theaimsgroup.com/?l=bugtraq&m=94519142415338&w=2 | XF:ssh-policy-bypass",,, CVE-1999-1011,Entry,"The Remote Data Service (RDS) DataFactory component of Microsoft Data Access Components (MDAC) in IIS 3.x and 4.x exposes unsafe methods, which allows remote attackers to execute arbitrary commands.","MS:MS98-004 | URL:http://www.microsoft.com/technet/security/bulletin/ms98-004.asp | MS:MS99-025 | URL:http://www.microsoft.com/technet/security/bulletin/ms99-025.asp | CIAC:J-054 | URL:http://www.ciac.org/ciac/bulletins/j-054.shtml | ISS:19990809 Vulnerabilities in Microsoft Remote Data Service | BID:529 | URL:http://www.ciac.org/ciac/bulletins/j-054.shtml | XF:nt-iis-rds | OSVDB:272 | URL:http://www.osvdb.org/272",,, CVE-1999-1012,Candidate,"SMTP component of Lotus Domino 4.6.1 on AS/400, and possibly other operating systems, allows a remote attacker to crash the mail server via a long string.","BUGTRAQ:19990504 AS/400 | URL:http://www.securityfocus.com/archive/1/13527 | BID:173 | URL:http://www.securityfocus.com/bid/173",Proposed (20010912)," ACCEPT(1) Cole | MODIFY(1) Frech | NOOP(2) Foat, Wall"," Frech> (Task 1770) | CHANGE> [Frech changed vote from REVIEWING to MODIFY] | Frech> XF:lotus-domino-smtp-dos(8790)" CVE-1999-1013,Candidate,"named-xfer in AIX 4.1.5 and 4.2.1 allows members of the system group to overwrite system files to gain root access via the -f parameter and a malformed zone file.","BID:673 | URL:http://www.securityfocus.com/bid/673 | BUGTRAQ:19990923 named-xfer hole on AIX (fwd) | URL:http://marc.theaimsgroup.com/?l=bugtraq&m=93837026726954&w=2",Proposed (20010912)," MODIFY(1) Frech | NOOP(3) Foat, Cole, Wall"," Frech> XF:aix-named-xfer-root-access(3308)" CVE-1999-1014,Entry,"Buffer overflow in mail command in Solaris 2.7 and 
2.7 allows local users to gain privileges via a long -m argument.","BUGTRAQ:19990913 Solaris 2.7 /usr/bin/mail | URL:http://marc.theaimsgroup.com/?l=bugtraq&m=93727925026476&w=2 | BUGTRAQ:19990927 Working Solaris x86 /usr/bin/mail exploit | URL:http://marc.theaimsgroup.com/?l=bugtraq&m=93846422810162&w=2 | SUNBUG:4276509 | XF:sun-usrbinmail-local-bo(3297) | URL:http://xforce.iss.net/static/3297.php | BID:672 | URL:http://www.securityfocus.com/bid/672",,, CVE-1999-1015,Candidate,"Buffer overflow in Apple AppleShare Mail Server 5.0.3 on MacOS 8.1 and earlier allows a remote attacker to cause a denial of service (crash) via a long HELO command.","BUGTRAQ:19980408 AppleShare IP Mail Server | URL:http://marc.theaimsgroup.com/?l=bugtraq&m=89200657216213&w=2 | BID:61 | URL:http://www.securityfocus.com/bid/61",Proposed (20010912)," MODIFY(1) Frech | NOOP(3) Foat, Cole, Wall"," Frech> XF:smtp-helo-bo(886)" CVE-1999-1016,Candidate,"Microsoft HTML control as used in (1) Internet Explorer 5.0, (2) FrontPage Express, (3) Outlook Express 5, and (4) Eudora, and possibly others, allows remote malicious web site or HTML emails to cause a denial of service (100% CPU consumption) via large HTML form fields such as text inputs in a table cell.","NTBUGTRAQ:19990827 HTML code to crash IE5 and Outlook Express 5 | URL:http://marc.theaimsgroup.com/?l=ntbugtraq&m=93578772920970&w=2 | BID:606 | URL:http://www.securityfocus.com/bid/606",Modified (20040811)," ACCEPT(2) Cole, Wall | MODIFY(1) Frech | NOOP(2) Foat, Christey"," Frech> XF:ms-html-table-form-dos(3246) | Frech> XF:ms-html-table-form-dos(3246) | Christey> Add period to the end of the description." 
CVE-1999-1017,Candidate,"Seattle Labs Emurl 2.0, and possibly earlier versions, stores e-mail attachments in a specific directory with scripting enabled, which allows a malicious ASP file attachment to execute when the recipient opens the message.","NTBUGTRAQ:19990728 Seattle Labs EMURL Vulnerability | URL:http://marc.theaimsgroup.com/?l=ntbugtraq&m=93316253431588&w=2 | BID:544 | URL:http://www.securityfocus.com/bid/544",Proposed (20010912)," MODIFY(1) Frech | NOOP(3) Foat, Cole, Wall"," Frech> (Task 2281) | CHANGE> [Frech changed vote from REVIEWING to MODIFY] | Frech> XF:emurl-attachment-execution(8794)" CVE-1999-1018,Candidate,"IPChains in Linux kernels 2.2.10 and earlier does not reassemble IP fragments before checking the header information, which allows a remote attacker to bypass the filtering rules using several fragments with 0 offsets.","BUGTRAQ:19990727 Linux 2.2.10 ipchains Advisory | URL:http://marc.theaimsgroup.com/?l=bugtraq&m=93312523904591&w=2 | BID:543 | URL:http://www.securityfocus.com/bid/543",Proposed (20010912)," ACCEPT(1) Cole | MODIFY(1) Frech | NOOP(2) Foat, Wall"," Frech> XF:linux-ipchains-bypass-filter(6516) | Frech> XF:linux-ipchains-bypass-filter(6516)" CVE-1999-1019,Entry,"SpectroSERVER in Cabletron Spectrum Enterprise Manager 5.0 installs a directory tree with insecure permissions, which allows local users to replace a privileged executable (processd) with a Trojan horse, facilitating a root or Administrator compromise.","BUGTRAQ:19990623 Cabletron Spectrum security vulnerability | URL:http://marc.theaimsgroup.com/?l=bugtraq&m=93024398713491&w=2 | BUGTRAQ:19990624 Re: Cabletron Spectrum security vulnerability | URL:http://marc.theaimsgroup.com/?l=bugtraq&m=93024398513475&w=2 | BID:495 | URL:http://www.securityfocus.com/bid/495",,, CVE-1999-1020,Candidate,"The installation of Novell Netware NDS 5.99 provides an unauthenticated client with Read access for the tree, which allows remote attackers to access sensitive information such as 
users, groups, and readable objects via CX.EXE and NLIST.EXE.","BUGTRAQ:19980918 NMRC Advisory - Default NDS Rights | URL:http://marc.theaimsgroup.com/?l=bugtraq&m=90613355902262&w=2 | BID:484 | URL:http://www.securityfocus.com/bid/484 | XF:novell-nds(1364) | URL:http://xforce.iss.net/static/1364.php",Proposed (20010912)," ACCEPT(2) Cole, Frech | NOOP(2) Foat, Wall", CVE-1999-1021,Entry,"NFS on SunOS 4.1 through 4.1.2 ignores the high order 16 bits in a 32 bit UID, which allows a local user to gain root access if the lower 16 bits are set to 0, as fixed by the NFS jumbo patch upgrade.","CERT:CA-1992-15 | URL:http://www.cert.org/advisories/CA-1992-15.html | SUN:00117 | URL:http://sunsolve.sun.com/pub-cgi/retrieve.pl?doctype=coll&doc=secbull/117&type=0&nav=sec.sba | BID:47 | URL:http://www.securityfocus.com/bid/47 | XF:nfs-uid(82) | URL:http://xforce.iss.net/static/82.php",,, CVE-1999-1022,Candidate,"serial_ports administrative program in IRIX 4.x and 5.x trusts the user's PATH environmental variable to find and execute the ls program, which allows local users to gain root privileges via a Trojan horse ls program.","BUGTRAQ:19941002 | URL:http://www.securityfocus.com/archive/1/930 | XF:sgi-serialports(2111) | URL:http://xforce.iss.net/static/2111.php | BID:464 | URL:http://www.securityfocus.com/bid/464",Proposed (20010912)," ACCEPT(2) Cole, Frech | NOOP(2) Foat, Christey"," Christey> Note: CVE-1999-1310 is a duplicate of this candidate. | CVE-1999-1310 will be REJECTed; this is the proper CAN to use. 
| | CIAC:F-01 | URL:http://ciac.llnl.gov/ciac/bulletins/f-01.shtml | SGI:19941001-01-P | URL:ftp://patches.sgi.com/support/free/security/advisories/19941001-01-P | MISC:http://www.netsys.com/firewalls/firewalls-9410/0019.html" CVE-1999-1023,Candidate,"useradd in Solaris 7.0 does not properly interpret certain date formats as specified in the ""-e"" (expiration date) argument, which could allow users to login after their accounts have expired.","BUGTRAQ:19990610 Sun Useradd program expiration date bug | URL:http://marc.theaimsgroup.com/?l=bugtraq&m=92904175406756&w=2 | BID:426 | URL:http://www.securityfocus.com/bid/426",Proposed (20010912)," ACCEPT(1) Dik | MODIFY(1) Frech | NOOP(3) Foat, Cole, Wall"," Dik> sun bug: 4222400 | Frech> XF:solaris-useradd-expired-accounts(8375) | CONFIRM:(2.6)110883-01, (2.6_x86) 110884-01, (7)110869-01, | (7_x86) 110870-01" CVE-1999-1024,Candidate,"ip_print procedure in Tcpdump 3.4a allows remote attackers to cause a denial of service via a packet with a zero length header, which causes an infinite loop and core dump when tcpdump prints the packet.","BUGTRAQ:19990616 tcpdump 3.4 bug? | URL:http://marc.theaimsgroup.com/?l=bugtraq&m=92955903802773&w=2 | BUGTRAQ:19990617 Re: tcpdump 3.4 bug? | URL:http://marc.theaimsgroup.com/?l=bugtraq&m=92963447601748&w=2 | BUGTRAQ:19990620 Re: tcpdump 3.4 bug? 
(final) | URL:http://marc.theaimsgroup.com/?l=bugtraq&m=92989907627051&w=2 | BID:313 | URL:http://www.securityfocus.com/bid/313",Proposed (20010912)," ACCEPT(1) Cole | MODIFY(1) Frech | NOOP(2) Foat, Wall"," Frech> XF:tcpdump-ipprint-dos(8373)" CVE-1999-1025,Candidate,"CDE screen lock program (screenlock) on Solaris 2.6 does not properly lock an unprivileged user's console session when the host is an NIS+ client, which allows others with physical access to login with any string.","BUGTRAQ:19981012 Annoying Solaris/CDE/NIS+ bug | URL:http://marc.theaimsgroup.com/?l=bugtraq&m=90831127921062&w=2 | SUNBUG:4115685 | URL:http://sunsolve.Sun.COM/pub-cgi/retrieve.pl?doc=fpatches%2F106027&zone_32=411568%2A%20 | BID:294 | URL:http://www.securityfocus.com/bid/294",Proposed (20010912)," ACCEPT(4) Foat, Cole, Dik, Stracener | MODIFY(1) Frech"," Frech> XF:solaris-cde-nisplus-lock(7473) | Dik> sun bug: 4115685" CVE-1999-1026,Candidate,"aspppd on Solaris 2.5 x86 allows local users to modify arbitrary files and gain root privileges via a symlink attack on the /tmp/.asppp.fifo file.","BUGTRAQ:19961220 Solaris 2.5 x86 aspppd (semi-exploitable-hole) | URL:http://marc.theaimsgroup.com/?l=bugtraq&m=87602167420343&w=2 | BID:292 | URL:http://www.securityfocus.com/bid/292",Proposed (20010912)," ACCEPT(1) Cole | MODIFY(1) Frech | NOOP(1) Foat"," Frech> XF:sun-aspppd-tmp-symlink(7173)" CVE-1999-1027,Entry,"Solaris 2.6 HW3/98 installs admintool with world-writable permissions, which allows local users to gain privileges by replacing it with a Trojan horse program.","BUGTRAQ:19980507 admintool mode 0777 in Solaris 2.6 HW3/98 | URL:http://marc.theaimsgroup.com/?l=bugtraq&m=90221101925880&w=2 | SUNBUG:4178998 | XF:solaris-admintool-world-writable(7296) | URL:http://xforce.iss.net/static/7296.php | BID:290 | URL:http://www.securityfocus.com/bid/290",,, CVE-1999-1028,Entry,"Symantec pcAnywhere 8.0 allows remote attackers to cause a denial of service (CPU utilization) via a large amount of data to 
port 5631.","NTBUGTRAQ:19990528 DoS against PC Anywhere | URL:http://marc.theaimsgroup.com/?l=ntbugtraq&m=92807524225090&w=2 | BID:288 | URL:http://www.securityfocus.com/bid/288 | XF:pcanywhere-dos(2256) | URL:http://www.iss.net/security_center/static/2256.php",,, CVE-1999-1029,Candidate,"SSH server (sshd2) before 2.0.12 does not properly record login attempts if the connection is closed before the maximum number of tries, allowing a remote attacker to guess the password without showing up in the audit logs.","BUGTRAQ:19990513 - J.J.F. / Hackers Team warns for SSHD 2.x brute force password hacking | URL:http://marc.theaimsgroup.com/?l=bugtraq&m=92663402004280&w=2 | BID:277 | URL:http://www.securityfocus.com/bid/277 | XF:ssh2-bruteforce(2193) | URL:http://xforce.iss.net/static/2193.php",Proposed (20010912)," ACCEPT(2) Cole, Frech | NOOP(2) Foat, Wall", CVE-1999-1030,Candidate,"counter.exe 2.70 allows a remote attacker to cause a denial of service (hang) via an HTTP request that ends in %0A (newline), which causes a malformed entry in the counter log that produces an access violation.","BUGTRAQ:19990519 Denial of Service in Counter.exe version 2.70 | URL:http://marc.theaimsgroup.com/?l=bugtraq&m=92713790426690&w=2 | NTBUGTRAQ:19990519 Denial of Service in Counter.exe version 2.70 | URL:http://marc.theaimsgroup.com/?l=ntbugtraq&m=92707671717292&w=2 | BID:267 | URL:http://www.securityfocus.com/bid/267",Proposed (20010912)," MODIFY(1) Frech | NOOP(3) Foat, Cole, Wall"," Frech> XF:http-cgi-counter-long(2196) | Frech> XF:http-cgi-counter-long(2196)" CVE-1999-1031,Candidate,"counter.exe 2.70 allows a remote attacker to cause a denial of service (hang) via a long argument.","BUGTRAQ:19990519 Denial of Service in Counter.exe version 2.70 | URL:http://marc.theaimsgroup.com/?l=bugtraq&m=92713790426690&w=2 | NTBUGTRAQ:19990519 Denial of Service in Counter.exe version 2.70 | URL:http://marc.theaimsgroup.com/?l=ntbugtraq&m=92707671717292&w=2 | BID:267 | 
URL:http://www.securityfocus.com/bid/267",Proposed (20010912)," MODIFY(1) Frech | NOOP(3) Foat, Cole, Wall"," Frech> XF:http-cgi-counter-long(2196) | Frech> XF:http-cgi-counter-long(2196)" CVE-1999-1032,Entry,"Vulnerability in LAT/Telnet Gateway (lattelnet) on Ultrix 4.1 and 4.2 allows attackers to gain root privileges.","CERT:CA-1991-11 | URL:http://www.cert.org/advisories/CA-1991-11.html | CIAC:B-36 | URL:http://ciac.llnl.gov/ciac/bulletins/b-36.shtml | BID:26 | URL:http://www.securityfocus.com/bid/26 | XF:ultrix-telnet(584) | URL:http://xforce.iss.net/static/584.php",,, CVE-1999-1033,Candidate,"Microsoft Outlook Express before 4.72.3612.1700 allows a malicious user to send a message that contains a .., which can inadvertently cause Outlook to re-enter POP3 command mode and cause the POP3 session to hang.","BUGTRAQ:19990511 Outlook Express Win98 bug | URL:http://marc.theaimsgroup.com/?l=bugtraq&m=92647407427342&w=2 | BUGTRAQ:19990512 Outlook Express Win98 bug, addition. | URL:http://marc.theaimsgroup.com/?l=bugtraq&m=92663402004275&w=2 | BID:252 | URL:http://www.securityfocus.com/bid/252",Proposed (20010912)," ACCEPT(2) Cole, Wall | MODIFY(1) Frech | NOOP(1) Foat"," Frech> (Task 2241) | CHANGE> [Frech changed vote from REVIEWING to MODIFY] | Frech> XF:outlook-pop3-dot-dos(8926)" CVE-1999-1034,Entry,"Vulnerability in login in AT&T System V Release 4 allows local users to gain privileges.","CERT:CA-1991-08 | URL:http://www.cert.org/advisories/CA-1991-08.html | CIAC:B-28 | URL:http://www.ciac.org/ciac/bulletins/b-28.shtml | BID:23 | URL:http://www.securityfocus.com/bid/23 | XF:sysv-login(583) | URL:http://xforce.iss.net/static/583.php",,, CVE-1999-1035,Entry,"IIS 3.0 and 4.0 on x86 and Alpha allows remote attackers to cause a denial of service (hang) via a malformed GET request, aka the IIS ""GET"" vulnerability.","MS:MS98-019 | URL:http://www.microsoft.com/technet/security/bulletin/ms98-019.asp | MSKB:Q192296 | 
URL:http://support.microsoft.com/support/kb/articles/q192/2/96.asp | XF:iis-get-dos(1823) | URL:http://xforce.iss.net/static/1823.php",,, CVE-1999-1036,Candidate,"COPS 1.04 allows local users to overwrite or create arbitrary files via a symlink attack on temporary files in (1) res_diff, (2) ca.src, and (3) mail.chk.","BUGTRAQ:19980626 vulnerability in satan, cops & tiger | URL:http://marc.theaimsgroup.com/?l=bugtraq&m=90221103125976&w=2",Proposed (20010912)," ACCEPT(1) Foat | MODIFY(1) Frech | NOOP(2) Cole, Wall"," Frech> XF:cops-temp-file-symlink(7325)" CVE-1999-1037,Entry,"rex.satan in SATAN 1.1.1 allows local users to overwrite arbitrary files via a symlink attack on the /tmp/rex.$$ file.","BUGTRAQ:19980626 vulnerability in satan, cops & tiger | URL:http://marc.theaimsgroup.com/?l=bugtraq&m=90221103125976&w=2 | BUGTRAQ:19980627 Re: vulnerability in satan, cops & tiger | URL:http://marc.theaimsgroup.com/?l=bugtraq&m=90221103125986&w=2 | XF:satan-rexsatan-symlink(7167) | URL:http://www.iss.net/security_center/static/7167.php | OSVDB:3147 | URL:http://www.osvdb.org/3147",,, CVE-1999-1038,Candidate,"Tiger 2.2.3 allows local users to overwrite arbitrary files via a symlink attack on various temporary files in Tiger's default working directory, as defined by the WORKDIR variable.","BUGTRAQ:19980626 vulnerability in satan, cops & tiger | URL:http://marc.theaimsgroup.com/?l=bugtraq&m=90221103125976&w=2",Proposed (20010912)," ACCEPT(1) Foat | MODIFY(1) Frech | NOOP(2) Cole, Wall"," Frech> XF:tiger-workdir-symlink(7326)" CVE-1999-1039,Candidate,"Vulnerability in (1) diskalign and (2) diskperf in IRIX 6.4 patches 2291 and 2848 allow a local user to create root-owned files leading to a root compromise.","SGI:19980502-01-P3030 | URL:ftp://patches.sgi.com/support/free/security/advisories/19980502-01-P3030",Proposed (20010912)," ACCEPT(3) Foat, Cole, Stracener | REJECT(1) Frech", CVE-1999-1040,Candidate,"Vulnerabilities in (1) ipxchk and (2) ipxlink in NetWare Client 1.0 on 
IRIX 6.3 and 6.4 allows local users to gain root access via a modified IFS environmental variable.","BUGTRAQ:19980408 SGI O2 ipx security issue | URL:http://marc.theaimsgroup.com/?l=bugtraq&m=89217373930054&w=2 | SGI:19980501-01-P | URL:ftp://patches.sgi.com/support/free/security/advisories/19980501-01-P2869 | CIAC:I-055 | URL:http://ciac.llnl.gov/ciac/bulletins/i-055.shtml",Proposed (20010912)," ACCEPT(3) Foat, Cole, Stracener | NOOP(1) Christey | REJECT(1) Frech"," Christey> This candidate and CVE-1999-1501 are duplicates. However, | CVE-1999-1501 will be REJECTed in favor of this candidate. | Add the following references: | BID:70 | URL:http://www.securityfocus.com/bid/70 | BID:71 | URL:http://www.securityfocus.com/bid/71 | XF:irix-ipxchk-ipxlink-ifs-commands(7365) | URL:http://xforce.iss.net/static/7365.php" CVE-1999-1041,Candidate,"Buffer overflow in mscreen on SCO OpenServer 5.0 and SCO UNIX 3.2v4 allows a local user to gain root access via (1) a long TERM environmental variable and (2) a long entry in the .mscreenrc file.","BUGTRAQ:19980827 SCO mscreen vul. | URL:http://www.securityfocus.com/archive/1/10420 | BUGTRAQ:19980926 Root exploit for SCO OpenServer. | URL:http://marc.theaimsgroup.com/?l=bugtraq&m=90686250717719&w=2 | SCO:SB-98.05a | URL:ftp://ftp.sco.com/SSE/security_bulletins/SB-98.05a | CERT:VB-98.10 | URL:http://www.cert.org/vendor_bulletins/VB-98.10.sco.mscreen",Proposed (20010912)," ACCEPT(3) Foat, Cole, Stracener | MODIFY(1) Frech | NOOP(1) Wall | REVIEWING(1) Christey"," Frech> XF:sco-openserver-mscreen-bo(1379) | Christey> Possible dupe with CVE-1999-1185." 
CVE-1999-1042,Candidate,"Cisco Resource Manager (CRM) 1.0 and 1.1 creates world-readable log files and temporary files, which may expose sensitive information, to local users such as user IDs, passwords and SNMP community strings.","CISCO:19980813 CRM Temporary File Vulnerability | URL:http://www.cisco.com/warp/public/770/crmtmp-pub.shtml",Proposed (20010912)," ACCEPT(3) Foat, Cole, Stracener | MODIFY(1) Frech | NOOP(1) Wall | REJECT(3) Armstrong, Balinsky, Christey"," Frech> XF:cisco-crm-file-vuln(1575) | Armstrong> I think that this is the same as Can-1999-1126 | Balinsky> This is the same as CVE-1999-1126. Merge them. | Christey> DUPE CVE-1999-1126, as noted by others. | This candidate will be rejected. CVE-1999-1126 will be | promoted." CVE-1999-1043,Candidate,"Microsoft Exchange Server 5.5 and 5.0 does not properly handle (1) malformed NNTP data, or (2) malformed SMTP data, which allows remote attackers to cause a denial of service (application error).","MS:MS98-007 | URL:http://www.microsoft.com/technet/security/bulletin/ms98-007.asp",Proposed (20010912)," ACCEPT(3) Foat, Cole, Wall | MODIFY(1) Frech"," Frech> XF:exchange-dos(1223)" CVE-1999-1044,Entry,"Vulnerability in Advanced File System Utility (advfs) in Digital UNIX 4.0 through 4.0d allows local users to gain privileges.","COMPAQ:SSRT0495U | URL:http://ciac.llnl.gov/ciac/bulletins/i-050.shtml | CIAC:I-050 | URL:http://ciac.llnl.gov/ciac/bulletins/i-050.shtml | XF:dgux-advfs-softlinks(7431) | URL:http://www.iss.net/security_center/static/7431.php",,, CVE-1999-1045,Entry,"pnserver in RealServer 5.0 and earlier allows remote attackers to cause a denial of service by sending a short, malformed request.","BUGTRAQ:19980115 pnserver exploit.. | URL:http://marc.theaimsgroup.com/?l=bugtraq&m=88492978527261&w=2 | BUGTRAQ:19980115 [rootshell] Security Bulletin #7 | URL:http://marc.theaimsgroup.com/?l=bugtraq&m=88490880523890&w=2 | BUGTRAQ:19980817 Re: Real Audio Server Version 5 bug? 
| URL:http://marc.theaimsgroup.com/?l=bugtraq&m=90338245305236&w=2 | MISC:http://service.real.com/help/faq/serv501.html | XF:realserver-pnserver-remote-dos(7297) | URL:http://www.iss.net/security_center/static/7297.php | OSVDB:6979 | URL:http://www.osvdb.org/6979",,, CVE-1999-1046,Candidate,"Buffer overflow in IMonitor in IMail 5.0 allows remote attackers to cause a denial of service, and possibly execute arbitrary commands, via a long string to port 8181.","BUGTRAQ:19990302 Multiple IMail Vulnerabilites | URL:http://marc.theaimsgroup.com/?l=bugtraq&m=92038879607336&w=2 | BID:504 | URL:http://www.securityfocus.com/bid/504 | XF:imail-imonitor-overflow(1897) | URL:http://xforce.iss.net/static/1897.php",Proposed (20010912)," ACCEPT(2) Cole, Frech | NOOP(2) Foat, Wall", CVE-1999-1047,Entry,"When BSDI patches for Gauntlet 5.0 BSDI are installed in a particular order, Gauntlet allows remote attackers to bypass firewall access restrictions, and does not log the activities.","BUGTRAQ:19991018 Gauntlet 5.0 BSDI warning | URL:http://marc.theaimsgroup.com/?l=bugtraq&m=94026690521279&w=2 | BUGTRAQ:19991019 Re: Gauntlet 5.0 BSDI warning | URL:http://marc.theaimsgroup.com/?l=bugtraq&m=94036662326185&w=2 | XF:gauntlet-bsdi-bypass(3397) | URL:http://www.iss.net/security_center/static/3397.php",,, CVE-1999-1048,Entry,"Buffer overflow in bash 2.0.0, 1.4.17, and other versions allows local attackers to gain privileges by creating an extremely large directory name, which is inserted into the password prompt via the \w option in the PS1 environmental variable when another user changes into that directory.","BUGTRAQ:19980905 BASH buffer overflow, LiNUX x86 exploit | URL:http://www.securityfocus.com/archive/1/10542 | BUGTRAQ:19970821 Buffer overflow in /bin/bash | URL:http://marc.theaimsgroup.com/?l=bugtraq&m=87602746719555&w=2 | DEBIAN:19980909 problem with very long pathnames | URL:http://www.debian.org/security/1998/19980909 | XF:linux-bash-bo(3414) | 
URL:http://xforce.iss.net/static/3414.php | OSVDB:8345 | URL:http://www.osvdb.org/8345",,, CVE-1999-1049,Candidate,"ARCserve NT agents use weak encryption (XOR) for passwords, which allows remote attackers to sniff the authentication request to port 6050 and decrypt the password.","BUGTRAQ:19990222 Severe Security Hole in ARCserve NT agents (fwd) | URL:http://marc.theaimsgroup.com/?l=bugtraq&m=91972006211238&w=2",Proposed (20010912)," MODIFY(1) Frech | NOOP(3) Foat, Cole, Wall"," Frech> XF:arcserve-agent-passwords(1822)" CVE-1999-1050,Candidate,"Directory traversal vulnerability in Matt Wright FormHandler.cgi script allows remote attackers to read arbitrary files via (1) a .. (dot dot) in the reply_message_attach attachment parameter, or (2) by specifying the filename as a template.","BUGTRAQ:19991112 FormHandler.cgi | URL:http://www.securityfocus.com/archive/1/34600 | BUGTRAQ:19991116 Re: FormHandler.cgi | URL:http://www.securityfocus.com/archive/1/34939 | BID:798 | URL:http://www.securityfocus.com/bid/798 | BID:799 | URL:http://www.securityfocus.com/bid/799 | XF:formhandler-cgi-absolute-path(3550) | URL:http://xforce.iss.net/static/3550.php",Proposed (20010912)," ACCEPT(1) Frech | NOOP(3) Foat, Cole, Wall | REVIEWING(1) Christey"," Christey> Abstraction and definition issue: CD:SF-LOC suggests combining | issues of the same type. Some people refer to ""directory | traversal"" and just mean .. problems; but there are other | issues (specifying an absolute pathname, using C: drive | letters, doing encodings) that, to my way of thinking, are | ""different."" Perhaps this should be split. | | My brain hurts too much right now. There are a couple | problems with the references and descriptions of CVE-1999-1050 | and CVE-1999-1051. I'm interpreting the underlying nature | of the problem(s) a little differently than others are. | Some of it may be due to differing definitions or thoughts | about what ""directory traversal vulnerabilities"" are." 
CVE-1999-1051,Candidate,"Default configuration in Matt Wright FormHandler.cgi script allows arbitrary directories to be used for attachments, and only restricts access to the /etc/ directory, which allows remote attackers to read arbitrary files via the reply_message_attach attachment parameter.","BUGTRAQ:19991116 Re: FormHandler.cgi | URL:http://www.securityfocus.com/archive/1/34939",Proposed (20010912)," MODIFY(1) Frech | NOOP(3) Foat, Cole, Wall | REVIEWING(1) Christey"," Frech> XF:formhandler-cgi-reply-message(7782) | Christey> I view one of these as a configuration issue: FormHandler.cgi | *could* be configured to limit hard-coded pathnames to a single | directory which, while being an information leak, would still be | ""reasonably secure."" But by default, it's just not configured that | way. | | My brain hurts too much right now. There are a couple | problems with the references and descriptions of CVE-1999-1050 | and CVE-1999-1051. I'm interpreting the underlying nature | of the problem(s) a little differently than others are. | Some of it may be due to differing definitions or thoughts | about what ""directory traversal vulnerabilities"" are." 
CVE-1999-1052,Candidate,"Microsoft FrontPage stores form results in a default location in /_private/form_results.txt, which is world-readable and accessible in the document root, which allows remote attackers to read possibly sensitive information submitted by other users.","BUGTRAQ:19990824 Front Page form_results | URL:http://marc.theaimsgroup.com/?l=bugtraq&m=93582550911564&w=2",Proposed (20010912)," ACCEPT(1) Wall | MODIFY(1) Frech | NOOP(2) Foat, Cole"," Frech> XF:frontpage-formresults-world-readable(8362)" CVE-1999-1053,Candidate,"guestbook.pl cleanses user-inserted SSI commands by removing text between ""<!--"" and ""-->"" separators, which allows remote attackers to execute arbitrary commands when guestbook.pl is run on Apache 1.3.9 and possibly other versions, since Apache allows other closing sequences besides ""-->"".","VULN-DEV:19990913 Guestbook perl script (long) | URL:http://www.securityfocus.com/archive/82/27296 | VULN-DEV:19990916 Re: Guestbook perl script (error fix) | URL:http://www.securityfocus.com/archive/82/27560 | BUGTRAQ:19991105 Guestbook.pl, sloppy SSI handling in Apache? 
(VD#2) | URL:http://www.securityfocus.com/archive/1/33674 | BID:776 | URL:http://www.securityfocus.com/bid/776",Proposed (20010912)," MODIFY(1) Frech | NOOP(3) Foat, Cole, Wall"," Frech> XF:guestbook-cgi-command-execution(7783)" CVE-1999-1054,Candidate,"The default configuration of FLEXlm license manager 6.0d, and possibly other versions, allows remote attackers to shut down the server via the lmdown command.","BUGTRAQ:19980925 Globetrotter FlexLM 'lmdown' bogosity | URL:http://marc.theaimsgroup.com/?l=bugtraq&m=90675672323825&w=2",Proposed (20010912)," ACCEPT(1) Cole | NOOP(2) Foat, Wall", CVE-1999-1055,Entry,"Microsoft Excel 97 does not warn the user before executing worksheet functions, which could allow attackers to execute arbitrary commands by using the CALL function to execute a malicious DLL, aka the Excel ""CALL Vulnerability.""","MS:MS98-018 | URL:http://www.microsoft.com/technet/security/bulletin/ms98-018.asp | BID:179 | URL:http://www.securityfocus.com/bid/179 | XF:excel-call(1737) | URL:http://xforce.iss.net/static/1737.php",,, CVE-1999-1056,Candidate,"** REJECT ** DO NOT USE THIS CANDIDATE NUMBER. ConsultIDs: CVE-1999-1395. Reason: This candidate is a duplicate of CVE-1999-1395. Notes: All CVE users should reference CVE-1999-1395 instead of this candidate. All references and descriptions in this candidate have been removed to prevent accidental usage.","",Modified (20050204)," ACCEPT(3) Foat, Cole, Stracener | MODIFY(1) Frech | NOOP(1) Wall | REJECT(1) Christey"," Frech> XF:vms-monitor-gain-privileges(7136) | Christey> DUPE CVE-1999-1395 | This CAN is being rejected in favor of CVE-1999-1395 because | CVE-1999-1395 has more references." 
CVE-1999-1057,Entry,"VMS 4.0 through 5.3 allows local users to gain privileges via the ANALYZE/PROCESS_DUMP dcl command.","CERT:CA-1990-07 | URL:http://www.cert.org/advisories/CA-1990-07.html | CIAC:B-04 | URL:http://ciac.llnl.gov/ciac/bulletins/b-04.shtml | BID:12 | URL:http://www.securityfocus.com/bid/12 | XF:vms-analyze-processdump-privileges(7137) | URL:http://www.iss.net/security_center/static/7137.php",,, CVE-1999-1058,Candidate,"Buffer overflow in Vermillion FTP Daemon VFTPD 1.23 allows remote attackers to cause a denial of service, and possibly execute arbitrary commands, via several long CWD commands.","NTBUGTRAQ:19991122 Remote DoS Attack in Vermillion FTP Daemon (VFTPD) v1.23 Vulnerability | URL:http://marc.theaimsgroup.com/?l=ntbugtraq&m=94337185023159&w=2 | BUGTRAQ:19991122 Remote DoS Attack in Vermillion FTP Daemon (VFTPD) v1.23 Vulnerability | URL:http://marc.theaimsgroup.com/?l=bugtraq&m=94329968617085&w=2 | XF:vermillion-ftp-cwd-overflow(3543) | URL:http://xforce.iss.net/static/3543.php | BID:818 | URL:http://www.securityfocus.com/bid/818",Proposed (20010912)," ACCEPT(2) Cole, Frech | NOOP(2) Foat, Wall", CVE-1999-1059,Entry,"Vulnerability in rexec daemon (rexecd) in AT&T TCP/IP 4.0 for various SVR4 systems allows remote attackers to execute arbitrary commands.","CERT:CA-1992-04 | URL:http://www.cert.org/advisories/CA-1992-04.html | BID:36 | URL:http://www.securityfocus.com/bid/36 | XF:att-rexecd(3159) | URL:http://www.iss.net/security_center/static/3159.php",,, CVE-1999-1060,Candidate,"Buffer overflow in Tetrix TetriNet daemon 1.13.16 allows remote attackers to cause a denial of service and possibly execute arbitrary commands by connecting to port 31457 from a host with a long DNS hostname.","BUGTRAQ:19990217 Tetrix 1.13.16 is Vulnerable | URL:http://marc.theaimsgroup.com/?l=bugtraq&m=91937090211855&w=2 | BID:340 | URL:http://www.securityfocus.com/bid/340",Proposed (20010912)," MODIFY(1) Frech | NOOP(3) Foat, Cole, Wall"," Frech> 
XF:tetrinet-dns-hostname-bo(7500)" CVE-1999-1061,Candidate,"HP Laserjet printers with JetDirect cards, when configured with TCP/IP, can be configured without a password, which allows remote attackers to connect to the printer and change its IP address or disable logging.","BUGTRAQ:19971004 HP Laserjet 4M Plus DirectJet Problem | URL:http://marc.theaimsgroup.com/?l=bugtraq&m=87602248518480&w=2 | XF:laserjet-unpassworded(1876) | URL:http://xforce.iss.net/static/1876.php",Proposed (20010912)," ACCEPT(2) Cole, Frech | NOOP(1) Foat"," Frech> CONFIRM:http://www.hp.com/cposupport/printers/support_doc/bpl | 02914.html" CVE-1999-1062,Candidate,"HP Laserjet printers with JetDirect cards, when configured with TCP/IP, allow remote attackers to bypass print filters by directly sending PostScript documents to TCP ports 9099 and 9100.","BUGTRAQ:19971004 HP Laserjet 4M Plus DirectJet Problem | URL:http://marc.theaimsgroup.com/?l=bugtraq&m=87602248518480&w=2 | XF:laserjet-unpassworded(1876) | URL:http://xforce.iss.net/static/1876.php",Proposed (20010912)," ACCEPT(1) Cole | MODIFY(1) Frech | NOOP(1) Foat"," Frech> DELREF:XF:laserjet-unpassworded(1876) | ADDREF:XF:hp-printer-flood(1818)" CVE-1999-1063,Candidate,"CDomain whois_raw.cgi whois CGI script allows remote attackers to execute arbitrary commands via shell metacharacters in the fqdn parameter.","BUGTRAQ:19990601 whois_raw.cgi problem | URL:http://www.securityfocus.com/archive/1/14019 | BID:304 | URL:http://www.securityfocus.com/bid/304 | XF:http-cgi-cdomain(2251) | URL:http://xforce.iss.net/static/2251.php",Proposed (20010912)," ACCEPT(1) Frech | NOOP(3) Foat, Cole, Wall", CVE-1999-1064,Candidate,"Multiple buffer overflows in WindowMaker 0.52 through 0.60.0 allow attackers to cause a denial of service and possibly execute arbitrary commands by executing WindowMaker with a long program name (argv[0]).","BUGTRAQ:19990822 | URL:http://marc.theaimsgroup.com/?l=bugtraq&m=93555317429630&w=2 | BUGTRAQ:19990824 Re: WindowMaker bugs 
(was sub:none ) | URL:http://marc.theaimsgroup.com/?l=bugtraq&m=93582070508957&w=2 | BID:596 | URL:http://www.securityfocus.com/bid/596",Proposed (20010912)," MODIFY(1) Frech | NOOP(3) Foat, Cole, Wall"," Frech> XF:windowmaker-bo(3249) | Frech> XF:windowmaker-bo(3249)" CVE-1999-1065,Candidate,"Palm Pilot HotSync Manager 3.0.4 in Windows 98 allows remote attackers to cause a denial of service, and possibly execute arbitrary commands, via a long string to port 14238 while the manager is in network mode.","BUGTRAQ:19991104 Palm Hotsync vulnerable to DoS attack | URL:http://marc.theaimsgroup.com/?l=bugtraq&m=94175465525422&w=2",Proposed (20010912)," ACCEPT(1) Cole | MODIFY(1) Frech | NOOP(2) Foat, Wall"," Frech> XF:palm-hotsync-bo(7785)" CVE-1999-1066,Candidate,"Quake 1 server responds to an initial UDP game connection request with a large amount of traffic, which allows remote attackers to use the server as an amplifier in a ""Smurf"" style attack on another host, by spoofing the connection request.","BUGTRAQ:19991222 Quake ""smurf"" - Quake War Utils | URL:http://marc.theaimsgroup.com/?l=bugtraq&m=94589559631535&w=2",Proposed (20010912)," MODIFY(1) Frech | NOOP(4) Foat, Cole, Christey, Wall"," Christey> This is apparently a problem with the connection protocol. | See BUGTRAQ:19980522 NetQuake Protocol problem resulting in smurf like effect. 
| URL:http://marc.theaimsgroup.com/?l=bugtraq&m=90221101925989&w=2 | Frech> XF:quake-udp-connection-dos(7862)" CVE-1999-1067,Candidate,"SGI MachineInfo CGI program, installed by default on some web servers, prints potentially sensitive system status information, which could be used by remote attackers for information gathering activities.","BUGTRAQ:19970507 Re: SGI Security Advisory 19970501-01-A - Vulnerability in webdist.cgi | URL:http://marc.theaimsgroup.com/?l=bugtraq&m=87602167420919&w=2 | XF:sgi-machineinfo",Proposed (20010912)," ACCEPT(1) Frech | NOOP(2) Foat, Cole"," Frech> I'd be a lot more confident in this vote if there was a more | concrete reference strongly associating webdist.cgi and machineinfo." CVE-1999-1068,Candidate,"Oracle Webserver 2.1, when serving PL/SQL stored procedures, allows remote attackers to cause a denial of service via a long HTTP GET request.","BUGTRAQ:19970723 DoS against Oracle Webserver 2.1 with PL/SQL stored procedures | URL:http://marc.theaimsgroup.com/?l=bugtraq&m=87602661419366&w=2",Proposed (20010912)," MODIFY(1) Frech | NOOP(2) Foat, Cole"," Frech> XF:oracle-webserver-dos(1812)" CVE-1999-1069,Candidate,"Directory traversal vulnerability in carbo.dll in iCat Carbo Server 3.0.0 allows remote attackers to read arbitrary files via a .. (dot dot) in the icatcommand parameter.","BUGTRAQ:19971108 Security bug in iCat Suite version 3.0 | URL:http://www.securityfocus.com/archive/1/7943 | BID:2126 | URL:http://www.securityfocus.com/bid/2126 | XF:icat-carbo-server-vuln(1620) | URL:http://xforce.iss.net/static/1620.php",Proposed (20010912)," ACCEPT(2) Cole, Frech | NOOP(1) Foat"," Frech> iCat's site at http://www.icat.com/ is shut down, and no | further support seems to be available." 
CVE-1999-1070,Candidate,"Buffer overflow in ping CGI program in Xylogics Annex terminal service allows remote attackers to cause a denial of service via a long query parameter.","BUGTRAQ:19980725 Annex DoS | URL:http://www.securityfocus.com/archive/1/10021",Proposed (20010912)," MODIFY(1) Frech | NOOP(3) Foat, Cole, Wall"," Frech> XF:annex-ping-crash(2090)" CVE-1999-1071,Candidate,"Excite for Web Servers (EWS) 1.1 installs the Architext.conf authentication file with world-writeable permissions, which allows local users to gain access to Excite accounts by modifying the file.","BUGTRAQ:19981130 Security bugs in Excite for Web Servers 1.1 | URL:http://marc.theaimsgroup.com/?l=bugtraq&m=91248445931140&w=2 | XF:excite-world-write(1417) | URL:http://xforce.iss.net/static/1417.php",Proposed (20010912)," ACCEPT(1) Frech | NOOP(3) Foat, Cole, Wall", CVE-1999-1072,Candidate,"Excite for Web Servers (EWS) 1.1 allows local users to gain privileges by obtaining the encrypted password from the world-readable Architext.conf authentication file and replaying the encrypted password in an HTTP request to AT-generated.cgi or AT-admin.cgi.","BUGTRAQ:19981130 Security bugs in Excite for Web Servers 1.1 | URL:http://marc.theaimsgroup.com/?l=bugtraq&m=91248445931140&w=2",Proposed (20010912)," NOOP(3) Foat, Cole, Wall", CVE-1999-1073,Candidate,"Excite for Web Servers (EWS) 1.1 records the first two characters of a plaintext password in the beginning of the encrypted password, which makes it easier for an attacker to guess passwords via a brute force or dictionary attack.","BUGTRAQ:19981130 Security bugs in Excite for Web Servers 1.1 | URL:http://marc.theaimsgroup.com/?l=bugtraq&m=91248445931140&w=2",Proposed (20010912)," NOOP(3) Foat, Cole, Wall", CVE-1999-1074,Entry,"Webmin before 0.5 does not restrict the number of invalid passwords that are entered for a valid username, which could allow remote attackers to gain privileges via brute force password cracking.","BUGTRAQ:19980501 Warning! 
Webmin Security Advisory | URL:http://www.securityfocus.com/archive/1/9138 | CONFIRM:http://www.webmin.com/webmin/changes.html | BID:98 | URL:http://www.securityfocus.com/bid/98",,, CVE-1999-1075,Candidate,"inetd in AIX 4.1.5 dynamically assigns a port N when starting ttdbserver (ToolTalk server), but also inadvertently listens on port N-1 without passing control to ttdbserver, which allows remote attackers to cause a denial of service via a large number of connections to port N-1, which are not properly closed by inetd.","BUGTRAQ:19980318 AIX 4.1.5 DoS attack (aka ""Port 1025 problem"") | URL:http://marc.theaimsgroup.com/?l=bugtraq&m=89025820612530&w=2",Proposed (20010912)," MODIFY(1) Frech | NOOP(3) Foat, Cole, Wall"," Frech> XF:aix-ttdbserver(813) | CONFIRM:APAR IX70400" CVE-1999-1076,Candidate,"Idle locking function in MacOS 9 allows local users to bypass the password protection of idled sessions by selecting the ""Log Out"" option and selecting a ""Cancel"" option in the dialog box for an application that attempts to verify that the user wants to log out, which returns the attacker into the locked session.","BUGTRAQ:19991026 Mac OS 9 Idle Lock Bug | URL:http://marc.theaimsgroup.com/?l=bugtraq&m=94096348604173&w=2 | BID:745 | URL:http://www.securityfocus.com/bid/745",Proposed (20010912)," ACCEPT(2) Foat, Cole | MODIFY(1) Frech | NOOP(1) Wall"," Frech> XF:macos-idle-screenlock-bypass(7794)" CVE-1999-1077,Candidate,"Idle locking function in MacOS 9 allows local attackers to bypass the password protection of idled sessions via the programmer's switch or CMD-PWR keyboard sequence, which brings up a debugger that the attacker can use to disable the lock.","BUGTRAQ:19991101 Re: Mac OS 9 Idle Lock Bug | URL:http://marc.theaimsgroup.com/?l=bugtraq&m=94149318124548&w=2 | BID:756 | URL:http://www.securityfocus.com/bid/756",Proposed (20010912)," ACCEPT(2) Foat, Cole | MODIFY(1) Frech | NOOP(1) Wall"," Frech> XF:macos-debug-screenlock-access(3426)" 
CVE-1999-1078,Candidate,"WS_FTP Pro 6.0 uses weak encryption for passwords in its initialization files, which allows remote attackers to easily decrypt the passwords and gain privileges.","NTBUGTRAQ:19990729 WS_FTP Pro 6.0 Weak Password Encryption Vulnerability | URL:http://www.ntbugtraq.com/default.asp?pid=36&sid=1&A2=ind9907&L=ntbugtraq&D=0&P=10370&F=P | BID:547 | URL:http://www.securityfocus.com/bid/547",Proposed (20010912)," MODIFY(1) Frech | NOOP(3) Foat, Cole, Wall"," Frech> XF:wsftp-weak-password-encryption(8349)" CVE-1999-1079,Candidate,"Vulnerability in ptrace in AIX 4.3 allows local users to gain privileges by attaching to a setgid program.","BUGTRAQ:19990506 AIX Security Fixes Update | URL:http://marc.theaimsgroup.com/?l=bugtraq&m=92601792420088&w=2 | BUGTRAQ:19990825 AIX security summary | URL:http://marc.theaimsgroup.com/?l=bugtraq&m=93587956513233&w=2 | AIXAPAR:IX80470 | URL:http://www-1.ibm.com/servlet/support/manager?rs=0&rt=0&org=apars&doc=08E0B1A1B85472A1852567C90031BB36 | BID:439 | URL:http://www.securityfocus.com/bid/439",Proposed (20010912)," ACCEPT(3) Foat, Cole, Stracener | MODIFY(1) Frech"," Frech> XF:aix-ptrace-setgid(7487)" CVE-1999-1080,Entry,"rmmount in SunOS 5.7 may mount file systems without the nosuid flag set, contrary to the documentation and its use in previous versions of SunOS, which could allow local users with physical access to gain root privileges by mounting a floppy or CD-ROM that contains a setuid program and running volcheck, when the file systems do not have the nosuid option specified in rmmount.conf.","BUGTRAQ:19990510 SunOS 5.7 rmmount, no nosuid. 
| URL:http://marc.theaimsgroup.com/?l=bugtraq&m=92633694100270&w=2 | BUGTRAQ:19991011 | URL:http://marc.theaimsgroup.com/?l=bugtraq&m=93971288323395&w=2 | BID:250 | URL:http://www.securityfocus.com/bid/250 | SUNBUG:4205437 | XF:solaris-rmmount-gain-root(8350) | URL:http://xforce.iss.net/xforce/xfdb/8350",,, CVE-1999-1081,Candidate,"Vulnerability in files.pl script in Novell WebServer Examples Toolkit 2 allows remote attackers to read arbitrary files.","MISC:http://www.w3.org/Security/Faq/wwwsf8.html#Q87 | MISC:http://www.roxanne.org/faqs/www-secure/wwwsf4.html#Q35 | XF:http-nov-files(2054) | URL:http://xforce.iss.net/static/2054.php",Proposed (20010912)," ACCEPT(2) Cole, Frech | NOOP(1) Foat", CVE-1999-1082,Candidate,"Directory traversal vulnerability in Jana proxy web server 1.40 allows remote attackers to read arbitrary files via a ""......"" (modified dot dot) attack.","BUGTRAQ:19991008 Jana webserver exploit | URL:http://marc.theaimsgroup.com/?l=bugtraq&m=93941794201059&w=2 | BID:699 | URL:http://www.securityfocus.com/bid/699",Proposed (20010912)," ACCEPT(1) Cole | MODIFY(1) Frech | NOOP(2) Foat, Wall"," Frech> XF:jana-server-directory-traversal(6513)" CVE-1999-1083,Candidate,"Directory traversal vulnerability in Jana proxy web server 1.45 allows remote attackers to read arbitrary files via a .. 
(dot dot) attack.","BUGTRAQ:20000502 Security Bug in Jana HTTP Server | URL:http://marc.theaimsgroup.com/?l=bugtraq&m=95730430727064&w=2 | BID:699 | URL:http://www.securityfocus.com/bid/699",Proposed (20010912)," ACCEPT(1) Cole | MODIFY(1) Frech | NOOP(3) Foat, Christey, Wall"," Frech> XF:jana-server-directory-traversal(6513) | Christey> MODIFY description - the attack is of the form ""/./../"" | (single dot followed by double-dot)" CVE-1999-1084,Candidate,"The ""AEDebug"" registry key is installed with insecure permissions, which allows local users to modify the key to specify a Trojan Horse debugger which is automatically executed on a system crash.","NTBUGTRAQ:19980622 Yet another ""get yourself admin rights exploit"": | URL:http://marc.theaimsgroup.com/?l=ntbugtraq&m=90222453431604&w=2 | MSKB:Q103861 | URL:http://support.microsoft.com/support/kb/articles/q103/8/61.asp | MS:MS00-008 | URL:http://www.microsoft.com/technet/security/bulletin/ms00-008.asp | CIAC:K-029 | URL:http://www.ciac.org/ciac/bulletins/k-029.shtml | BID:1044 | URL:http://www.securityfocus.com/bid/1044",Proposed (20010912)," ACCEPT(3) Foat, Cole, Wall | MODIFY(1) Frech"," Frech> XF:nt-registry-permissions(4111)" CVE-1999-1085,Entry,"SSH 1.2.25, 1.2.23, and other versions, when used in CBC (Cipher Block Chaining) or CFB (Cipher Feedback 64 bits) modes, allows remote attackers to insert arbitrary data into an existing stream between an SSH client and server by using a known plaintext attack and computing a valid CRC-32 checksum for the packet, aka the ""SSH insertion attack.""","BUGTRAQ:19980612 CORE-SDI-04: SSH insertion attack | URL:http://marc.theaimsgroup.com/?l=bugtraq&m=90221103125884&w=2 | BUGTRAQ:19980703 UPDATE: SSH insertion attack | URL:http://marc.theaimsgroup.com/?l=bugtraq&m=90221104525878&w=2 | CISCO:20010627 Multiple SSH Vulnerabilities | CERT-VN:VU#13877 | URL:http://www.kb.cert.org/vuls/id/13877 | XF:ssh-insert(1126) | 
URL:http://www.iss.net/security_center/static/1126.php",,, CVE-1999-1086,Candidate,"Novell 5 and earlier, when running over IPX with a packet signature level less than 3, allows remote attackers to gain administrator privileges by spoofing the MAC address in IPC fragmented packets that make NetWare Core Protocol (NCP) calls.","BUGTRAQ:19990715 NMRC Advisory: Netware 5 Client Hijacking | URL:http://marc.theaimsgroup.com/?l=bugtraq&m=93214475111651&w=2 | BID:528 | URL:http://www.securityfocus.com/bid/528",Proposed (20010912)," ACCEPT(1) Cole | MODIFY(1) Frech | NOOP(2) Foat, Wall"," Frech> XF:netware-ipx-session-spoof(2350)" CVE-1999-1087,Entry,"Internet Explorer 4 treats a 32-bit number (""dotless IP address"") in a URL as the hostname instead of an IP address, which causes IE to apply Local Intranet Zone settings to the resulting web page, allowing remote malicious web servers to conduct unauthorized activities by using URLs that contain the dotless IP address for their server.","MS:MS98-016 | URL:http://www.microsoft.com/technet/security/bulletin/MS98-016.asp | MSKB:Q168617 | URL:http://support.microsoft.com/support/kb/articles/q168/6/17.asp | CONFIRM:http://www.microsoft.com/Windows/Ie/security/dotless.asp | OSVDB:7828 | URL:http://www.osvdb.org/7828 | XF:ie-dotless(2209) | URL:http://xforce.iss.net/static/2209.php",,, CVE-1999-1088,Candidate,"Vulnerability in chsh command in HP-UX 9.X through 10.20 allows local users to gain privileges.","HP:HPSBUX9701-050 | CIAC:H-21 | URL:http://ciac.llnl.gov/ciac/bulletins/h-21.shtml | XF:hp-chsh(2012) | URL:http://xforce.iss.net/static/2012.php",Proposed (20010912)," ACCEPT(4) Foat, Cole, Frech, Stracener", CVE-1999-1089,Candidate,"Buffer overflow in chfn command in HP-UX 9.X through 10.20 allows local users to gain privileges via a long command line argument.","BUGTRAQ:19961209 the HP Bug of the Week! 
| URL:http://marc.theaimsgroup.com/?l=bugtraq&m=87602167420285&w=2 | HP:HPSBUX9701-049 | CIAC:H-21 | URL:http://ciac.llnl.gov/ciac/bulletins/h-21.shtml | CIAC:H-16 | URL:http://ciac.llnl.gov/ciac/bulletins/h-16.shtml | AUSCERT:AA-96.18 | XF:hp-chfn(2008)",Proposed (20010912)," ACCEPT(4) Foat, Cole, Frech, Stracener", CVE-1999-1090,Entry,"The default configuration of NCSA Telnet package for Macintosh and PC enables FTP, even though it does not include an ""ftp=yes"" line, which allows remote attackers to read and modify arbitrary files.","CERT:CA-1991-15 | URL:http://www.cert.org/advisories/CA-1991-15.html | XF:ftp-ncsa(1844) | URL:http://xforce.iss.net/static/1844.php",,, CVE-1999-1091,Candidate,"UNIX news readers tin and rtin create the /tmp/.tin_log file with insecure permissions and follow symlinks, which allows attackers to modify the permissions of files writable by the user via a symlink attack.","BUGTRAQ:19960903 [BUG] Vulnerability in TIN | URL:http://marc.theaimsgroup.com/?l=bugtraq&m=87602167419835&w=2 | BUGTRAQ:19960903 Re: BoS: [BUG] Vulnerability in TIN | URL:http://marc.theaimsgroup.com/?l=bugtraq&m=87602167419839&w=2 | BUGTRAQ:19970329 symlink bug in tin/rtin | URL:http://marc.theaimsgroup.com/?l=bugtraq&m=87602167420726&w=2 | XF:tin-tmpfile(431) | URL:http://xforce.iss.net/static/431.php",Proposed (20010912)," ACCEPT(1) Frech | NOOP(2) Foat, Cole", CVE-1999-1092,Candidate,"tin 1.40 creates the .tin directory with insecure permissions, which allows local users to read passwords from the .inputhistory file.","BUGTRAQ:19991117 default permissions for tin | URL:http://marc.theaimsgroup.com/?l=bugtraq&m=94286179032648&w=2",Proposed (20010912)," MODIFY(1) Frech | NOOP(3) Foat, Cole, Wall"," Frech> XF:tin-insecure-permissions(7796) | Confirmed in changelog for 1.4.1 | http://ftp.kreonet.re.kr/pub/tools/news/tin/v1.4/CHANGES" CVE-1999-1093,Entry,"Buffer overflow in the Window.External function in the JScript Scripting Engine in Internet Explorer 4.01 SP1 
and earlier allows remote attackers to execute arbitrary commands via a malicious web page.","MS:MS98-011 | URL:http://www.microsoft.com/technet/security/bulletin/MS98-011.asp | MSKB:Q191200 | URL:http://support.microsoft.com/support/kb/articles/q191/2/00.asp | XF:java-script-patch(1276) | URL:http://www.iss.net/security_center/static/1276.php",,, CVE-1999-1094,Entry,"Buffer overflow in Internet Explorer 4.01 and earlier allows remote attackers to execute arbitrary commands via a long URL with the ""mk:"" protocol, aka the ""MK Overrun security issue.""","MSKB:Q176697 | URL:http://support.microsoft.com/support/kb/articles/q176/6/97.asp | BUGTRAQ:19980114 L0pht Advisory MSIE4.0(1) | URL:http://marc.theaimsgroup.com/?l=bugtraq&m=88480839506155&w=2 | XF:iemk-bug(917) | URL:http://xforce.iss.net/static/917.php",,, CVE-1999-1095,Candidate,"sort creates temporary files and follows symbolic links, which allows local users to modify arbitrary files that are writable by the user running sort, as observed in updatedb and other programs that use sort.","BUGTRAQ:19971006 KSR[T] Advisory #3: updatedb / crontabs | URL:http://marc.theaimsgroup.com/?l=bugtraq&m=87619953510834&w=2 | BUGTRAQ:19980303 updatedb stuff | URL:http://marc.theaimsgroup.com/?l=bugtraq&m=88890116304676&w=2 | BUGTRAQ:19980303 updatedb: sort patch | BUGTRAQ:19980302 overwrite any file with updatedb | URL:http://marc.theaimsgroup.com/?l=bugtraq&m=88886870129518&w=2",Proposed (20010912)," MODIFY(1) Frech | NOOP(3) Foat, Cole, Christey"," Frech> XF:sort-tmp-file-symlink(7182) | Christey> This issue clearly has a long history. 
| CALDERA:CSSA-2002-SCO.21 | URL:http://archives.neohapsis.com/archives/linux/caldera/2002-q2/0018.html | CALDERA:CSSA-2002-SCO.2 | URL:http://archives.neohapsis.com/archives/linux/caldera/2002-q1/0002.html | (There are 2 Caldera advisories because one is for Open UNIX | and UnixWare, and the other is for OpenServer) | | XF:openserver-sort-symlink(9218) | URL:http://www.iss.net/security_center/static/9218.php" CVE-1999-1096,Candidate,"Buffer overflow in kscreensaver in KDE klock allows local users to gain root privileges via a long HOME environmental variable.","BUGTRAQ:19980516 kde exploit | URL:http://marc.theaimsgroup.com/?l=bugtraq&m=90221101925954&w=2 | BUGTRAQ:19980517 simple kde exploit fix | URL:http://marc.theaimsgroup.com/?l=bugtraq&m=90221101925959&w=2 | XF:kde-klock-home-bo(1644) | URL:http://xforce.iss.net/static/1644.php",Proposed (20010912)," ACCEPT(1) Frech | NOOP(3) Foat, Cole, Wall", CVE-1999-1097,Candidate,"Microsoft NetMeeting 2.1 allows one client to read the contents of another client's clipboard via a CTRL-C in the chat box when the box is empty.","BUGTRAQ:19990504 Microsoft Netmeeting Hole | URL:http://marc.theaimsgroup.com/?l=bugtraq&m=92586457816446&w=2 | XF:netmeeting-clipboard(2187) | URL:http://xforce.iss.net/static/2187.php",Proposed (20010912)," ACCEPT(1) Frech | NOOP(3) Foat, Cole, Wall", CVE-1999-1098,Entry,"Vulnerability in BSD Telnet client with encryption and Kerberos 4 authentication allows remote attackers to decrypt the session via sniffing.","CERT:CA-1995-03 | URL:http://www.cert.org/advisories/CA-1995-03.html | CIAC:F-12 | URL:http://www.ciac.org/ciac/bulletins/f-12.shtml | XF:bsd-telnet(516) | URL:http://www.iss.net/security_center/static/516.php | OSVDB:4881 | URL:http://www.osvdb.org/4881",,, CVE-1999-1099,Entry,"Kerberos 4 allows remote attackers to obtain sensitive information via a malformed UDP packet that generates an error string that inadvertently includes the realm name and the last user.","BUGTRAQ:19961122 L0pht 
Kerberos Advisory | URL:http://marc.theaimsgroup.com/?l=bugtraq&m=87602167420184&w=2 | XF:kerberos-user-grab(65) | URL:http://xforce.iss.net/static/65.php",,, CVE-1999-1100,Entry,"Cisco PIX Private Link 4.1.6 and earlier does not properly process certain commands in the configuration file, which reduces the effective key length of the DES key to 48 bits instead of 56 bits, which makes it easier for an attacker to find the proper key via a brute force attack.","CISCO:19980616 PIX Private Link Key Processing and Cryptography Issues | URL:http://www.cisco.com/warp/public/770/pixkey-pub.shtml | CIAC:I-056 | URL:http://ciac.llnl.gov/ciac/bulletins/i-056.shtml | XF:cisco-pix-parse-error(1579) | URL:http://xforce.iss.net/static/1579.php",,, CVE-1999-1101,Candidate,"Kabsoftware Lydia utility uses weak encryption to store user passwords in the lydia.ini file, which allows local users to easily decrypt the passwords and gain privileges.","BUGTRAQ:19990219 Yet Another password storing problem (was: Re: Possible Netscape Crypto Security Flaw) | URL:http://www.securityfocus.com/archive/1/12618",Proposed (20010912)," MODIFY(1) Frech | NOOP(3) Foat, Cole, Wall"," Frech> XF:lydia-ini-passwords(7501) | ADDREF:http://www.kabsoftware.com/lydia_history.txt (Version | History for Lydia, V3.3 - 11/24/00)" CVE-1999-1102,Entry,"lpr on SunOS 4.1.1, BSD 4.3, A/UX 2.0.1, and other BSD-based operating systems allows local users to create or overwrite arbitrary files via a symlink attack that is triggered after invoking lpr 1000 times.","MISC:http://www.phreak.org/archives/security/8lgm/8lgm.lpr | BUGTRAQ:19940307 8lgm Advisory Releases | URL:http://www.aenigma.net/resources/maillist/bugtraq/1994/0091.htm | CIAC:E-25a | URL:http://ciac.llnl.gov/ciac/bulletins/e-25.shtml",,, CVE-1999-1103,Entry,"dxconsole in DEC OSF/1 3.2C and earlier allows local users to read arbitrary files by specifying the file with the -file parameter.","CERT:VB-96.05 | 
URL:http://www.cert.org/vendor_bulletins/VB-96.05.dec | CIAC:G-18 | URL:http://ciac.llnl.gov/ciac/bulletins/g-18.shtml | MISC:http://www.tao.ca/fire/bos/0209.html | XF:osf-dxconsole-gain-privileges(7138) | URL:http://www.iss.net/security_center/static/7138.php",,, CVE-1999-1104,Entry,"Windows 95 uses weak encryption for the password list (.pwl) file used when password caching is enabled, which allows local users to gain privileges by decrypting the passwords.","BUGTRAQ:19951205 Cracked: WINDOWS.PWL | URL:http://marc.theaimsgroup.com/?l=bugtraq&m=87602167418931&w=2 | NTBUGTRAQ:19980121 How to recover private keys for various Microsoft products | URL:http://marc.theaimsgroup.com/?l=ntbugtraq&m=88540877601866&w=2 | BUGTRAQ:19980120 How to recover private keys for various Microsoft products | URL:http://marc.theaimsgroup.com/?l=bugtraq&m=88536273725787&w=2 | MSKB:Q140557 | URL:http://support.microsoft.com/support/kb/articles/q140/5/57.asp | XF:win95-nbsmbpwl(71) | URL:http://www.iss.net/security_center/static/71.php",,, CVE-1999-1105,Entry,"Windows 95, when Remote Administration and File Sharing for NetWare Networks is enabled, creates a share (C$) when an administrator logs in remotely, which allows remote attackers to read arbitrary files by mapping the network drive.","CONFIRM:http://www.zdnet.com/eweek/reviews/1016/tr42bug.html | MISC:http://www.net-security.sk/bugs/NT/netware1.html | XF:win95-netware-hidden-share(7231) | URL:http://www.iss.net/security_center/static/7231.php",,, CVE-1999-1106,Candidate,"Buffer overflow in kppp in KDE allows local users to gain root access via a long -c (account_name) command line argument.","BUGTRAQ:19980429 Security hole in kppp | URL:http://www.securityfocus.com/archive/1/9121 | XF:kde-kppp-account-bo(1643) | URL:http://xforce.iss.net/static/1643.php | BID:92 | URL:http://www.securityfocus.com/bid/92",Proposed (20010912)," ACCEPT(2) Cole, Frech | NOOP(2) Foat, Wall", CVE-1999-1107,Candidate,"Buffer overflow in kppp in KDE allows 
local users to gain root access via a long PATH environmental variable.","BUGTRAQ:19981118 Multiple KDE security vulnerabilities (root compromise) | URL:http://marc.theaimsgroup.com/?l=bugtraq&m=91141486301691&w=2 | XF:kde-kppp-path-bo(1650) | URL:http://xforce.iss.net/static/1650.php",Proposed (20010912)," ACCEPT(1) Frech | NOOP(3) Foat, Cole, Wall", CVE-1999-1108,Candidate,"** REJECT ** DO NOT USE THIS CANDIDATE NUMBER. ConsultIDs: CVE-1999-1107. Reason: This candidate is a duplicate of CVE-1999-1107. Notes: All CVE users should reference CVE-1999-1107 instead of this candidate. All references and descriptions in this candidate have been removed to prevent accidental usage.","",Modified (20050204)," ACCEPT(1) Cole | NOOP(2) Foat, Wall | REJECT(2) Frech, Christey"," Frech> Has exactly the same attributes as CVE-1999-1107. | Christey> DUPE CVE-1999-1107." CVE-1999-1109,Entry,"Sendmail before 8.10.0 allows remote attackers to cause a denial of service by sending a series of ETRN commands then disconnecting from the server, while Sendmail continues to process the commands after the connection has been terminated.","BUGTRAQ:19991222 Re: procmail / Sendmail - five bugs | URL:http://marc.theaimsgroup.com/?l=bugtraq&m=94632241202626&w=2 | BUGTRAQ:20000113 Re: procmail / Sendmail - five bugs | URL:http://marc.theaimsgroup.com/?l=bugtraq&m=94780566911948&w=2 | BID:904 | URL:http://www.securityfocus.com/bid/904 | XF:sendmail-etrn-dos(7760) | URL:http://www.iss.net/security_center/static/7760.php",,, CVE-1999-1110,Candidate,"Windows Media Player ActiveX object as used in Internet Explorer 5.0 returns a specific error code when a file does not exist, which allows remote malicious web sites to determine the existence of files on the client.","BUGTRAQ:19991114 IE 5.0 and Windows Media Player ActiveX object allow checking the existence of local files and directories | URL:http://www.securityfocus.com/archive/1/34675 | BID:793 | URL:http://www.securityfocus.com/bid/793",Proposed 
(20010912)," ACCEPT(1) Wall | MODIFY(1) Frech | NOOP(2) Foat, Cole"," Frech> XF:ie-mediaplayer-activex(7800)" CVE-1999-1111,Entry,"Vulnerability in StackGuard before 1.21 allows remote attackers to bypass the Random and Terminator Canary security mechanisms by using a non-linear attack which directly modifies a pointer to a return address instead of using a buffer overflow to reach the return address entry itself.","BUGTRAQ:19911109 ImmuniX OS Security Alert: StackGuard 1.21 Released | URL:http://marc.theaimsgroup.com/?l=bugtraq&m=94218618329838&w=2 | BID:786 | URL:http://www.securityfocus.com/bid/786 | XF:immunix-stackguard-bo(3524) | URL:http://xforce.iss.net/static/3524.php",,, CVE-1999-1112,Candidate,"Buffer overflow in IrfanView32 3.07 and earlier allows attackers to execute arbitrary commands via a long string after the ""8BPS"" image type in a Photo Shop image header.","BUGTRAQ:19991109 Irfan view 3.07 buffer overflow | URL:http://www.securityfocus.com/archive/1/34066 | MISC:http://stud4.tuwien.ac.at/~e9227474/main2.html | XF:irfan-view32-bo(3549) | URL:http://xforce.iss.net/static/3549.php | BID:781 | URL:http://www.securityfocus.com/bid/781",Proposed (20010912)," ACCEPT(1) Frech | NOOP(3) Foat, Cole, Wall", CVE-1999-1113,Candidate,"Buffer overflow in Eudora Internet Mail Server (EIMS) 2.01 and earlier on MacOS systems allows remote attackers to cause a denial of service via a long USER command to port 106.","BUGTRAQ:19980414 MacOS based buffer overflows... 
| URL:http://marc.theaimsgroup.com/?l=bugtraq&m=89258194718577&w=2 | BID:75 | URL:http://www.securityfocus.com/bid/75",Proposed (20010912)," MODIFY(1) Frech | NOOP(3) Foat, Cole, Wall"," Frech> XF:eudora-ims-user-dos(7300)" CVE-1999-1114,Entry,"Buffer overflow in Korn Shell (ksh) suid_exec program on IRIX 6.x and earlier, and possibly other operating systems, allows local users to gain root privileges.","CIAC:H-15A | URL:http://ciac.llnl.gov/ciac/bulletins/h-15a.shtml | AUSCERT:AA-96.17 | URL:ftp://ftp.auscert.org.au/pub/auscert/advisory/AA-96.17.suid_exec.vul | SGI:19980405-01-I | URL:ftp://patches.sgi.com/support/free/security/advisories/19980405-01-I | XF:ksh-suid_exec(2100) | URL:http://xforce.iss.net/static/2100.php | BID:467 | URL:http://www.securityfocus.com/bid/467",,, CVE-1999-1115,Entry,"Vulnerability in the /etc/suid_exec program in HP Apollo Domain/OS sr10.2 and sr10.3 beta, related to the Korn Shell (ksh).","CERT:CA-1990-04 | URL:http://www.cert.org/advisories/CA-1990-04.html | CIAC:A-30 | URL:http://www.ciac.org/ciac/bulletins/a-30.shtml | BID:7 | URL:http://www.securityfocus.com/bid/7 | XF:apollo-suidexec-unauthorized-access(6721) | URL:http://www.iss.net/security_center/static/6721.php",,, CVE-1999-1116,Entry,"Vulnerability in runpriv in Indigo Magic System Administration subsystem of SGI IRIX 6.3 and 6.4 allows local users to gain root privileges.","SGI:19970503-01-PX | URL:ftp://patches.sgi.com/support/free/security/advisories/19970503-01-PX | BID:462 | URL:http://www.securityfocus.com/bid/462 | OSVDB:1009 | URL:http://www.osvdb.org/1009 | XF:sgi-runpriv(2108) | URL:http://xforce.iss.net/static/2108.php",,, CVE-1999-1117,Entry,"lquerypv in AIX 4.1 and 4.2 allows local users to read arbitrary files by specifying the file in the -h command line parameter.","BUGTRAQ:19961124 | URL:http://marc.theaimsgroup.com/?l=bugtraq&w=2&r=1&s=lquerypv&q=b | BUGTRAQ:19961125 lquerypv fix | URL:http://marc.theaimsgroup.com/?l=bugtraq&m=87602167420195&w=2 | 
BUGTRAQ:19961125 AIX lquerypv | URL:http://marc.theaimsgroup.com/?l=bugtraq&m=87602167420196&w=2 | CIAC:H-13 | URL:http://ciac.llnl.gov/ciac/bulletins/h-13.shtml | BID:455 | URL:http://www.securityfocus.com/bid/455 | XF:ibm-lquerypv(1752) | URL:http://xforce.iss.net/static/1752.php",,, CVE-1999-1118,Entry,"ndd in Solaris 2.6 allows local users to cause a denial of service by modifying certain TCP/IP parameters.","SUN:00165 | URL:http://sunsolve.sun.com/pub-cgi/retrieve.pl?doctype=coll&doc=secbull/165&type=0&nav=sec.sba | BID:433 | URL:http://www.securityfocus.com/bid/433 | XF:sun-ndd(817) | URL:http://xforce.iss.net/static/817.php",,, CVE-1999-1119,Entry,"FTP installation script anon.ftp in AIX insecurely configures anonymous FTP, which allows remote attackers to execute arbitrary commands.","CERT:CA-1992-09 | URL:http://www.cert.org/advisories/CA-1992-09.html | BID:41 | URL:http://www.securityfocus.com/bid/41 | XF:aix-anon-ftp(3154) | URL:http://xforce.iss.net/static/3154.php",,, CVE-1999-1120,Entry,"netprint in SGI IRIX 6.4 and earlier trusts the PATH environmental variable for finding and executing the disable program, which allows local users to gain privileges.","BUGTRAQ:19970104 Irix: netprint story | URL:http://marc.theaimsgroup.com/?l=bugtraq&m=87602167420403&w=2 | SGI:19961203-01-PX | URL:ftp://patches.sgi.com/support/free/security/advisories/19961203-01-PX | SGI:19961203-02-PX | URL:ftp://patches.sgi.com/support/free/security/advisories/19961203-02-PX | BID:395 | URL:http://www.securityfocus.com/bid/395 | OSVDB:993 | URL:http://www.osvdb.org/993 | XF:sgi-netprint(2107) | URL:http://xforce.iss.net/static/2107.php",,, CVE-1999-1121,Entry,"The default configuration for UUCP in AIX before 3.2 allows local users to gain root privileges.","CERT:CA-1992-06 | URL:http://www.cert.org/advisories/CA-1992-06.html | BID:38 | URL:http://www.securityfocus.com/bid/38 | XF:ibm-uucp(554) | URL:http://xforce.iss.net/static/554.php | OSVDB:891 | 
URL:http://www.osvdb.org/891",,, CVE-1999-1122,Entry,"Vulnerability in restore in SunOS 4.0.3 and earlier allows local users to gain privileges.","CERT:CA-1989-02 | URL:http://www.cert.org/advisories/CA-1989-02.html | CIAC:CIAC-08 | URL:http://www.ciac.org/ciac/bulletins/ciac-08.shtml | SUNBUG:1019265 | BID:3 | URL:http://www.securityfocus.com/bid/3 | XF:sun-restore-gain-privileges(6695) | URL:http://xforce.iss.net/xforce/xfdb/6695",,, CVE-1999-1123,Candidate,"The installation of Sun Source (sunsrc) tapes allows local users to gain root privileges via setuid root programs (1) makeinstall or (2) winstall.","CERT:CA-1991-07 | URL:http://www.cert.org/advisories/CA-1991-07.html | SUN:00107 | URL:http://sunsolve.sun.com/pub-cgi/retrieve.pl?doctype=coll&doc=secbull/107&type=0&nav=sec.sba | BID:21 | URL:http://www.securityfocus.com/bid/21 | BID:22 | URL:http://www.securityfocus.com/bid/22 | XF:sun-sourcetapes(582) | URL:http://xforce.iss.net/static/582.php",Proposed (20010912)," ACCEPT(5) Foat, Cole, Frech, Dik, Stracener | NOOP(1) Wall"," Dik> sun bug: 1059621" CVE-1999-1124,Candidate,"HTTP Client application in ColdFusion allows remote attackers to bypass access restrictions for web pages on other ports by providing the target page to the mainframeset.cfm application, which requests the page from the server, making it look like the request is coming from the local host.","MISC:http://packetstorm.securify.com/mag/phrack/phrack54/P54-08",Proposed (20010912)," ACCEPT(2) Cole, Wall | NOOP(1) Foat", CVE-1999-1125,Candidate,"Oracle Webserver 2.1 and earlier runs setuid root, but the configuration file is owned by the oracle account, which allows any local or remote attacker who obtains access to the oracle account to gain privileges or modify arbitrary files by modifying the configuration fi