
[PROPOSAL] Cluster RECENT-12 - 20 candidates



The following cluster contains 20 candidates that were announced
between February 27 and March 3, 2000.

The candidates are listed in order of priority.  Priority 1 and
Priority 2 candidates both deal with varying levels of vendor
confirmation, so they should be easy to review and it can be trusted
that the problems are real.

If you discover that any RECENT-XX cluster is incomplete with respect
to the problems discovered during the associated time frame, please
send that information to me so that candidates can be assigned.

- Steve


Summary of votes to use (in ascending order of "severity")
----------------------------------------------------------

ACCEPT - voter accepts the candidate as proposed
NOOP - voter has no opinion on the candidate
MODIFY - voter wants to change some MINOR detail (e.g. reference/description)
REVIEWING - voter is reviewing/researching the candidate, or needs more info
RECAST - candidate must be significantly modified, e.g. split or merged
REJECT - candidate is "not a vulnerability", or a duplicate, etc.

1) Please write your vote on the line that starts with "VOTE: ".  If
   you want to add comments or details, add them to lines after the
   VOTE: line.

2) If you see any missing references, please mention them so that they
   can be included.  References help greatly during mapping.

3) Note that a "MODIFY" is treated as an "ACCEPT" when counting votes.
   So if you don't have sufficient information for a candidate but you
   don't want to NOOP, use a REVIEWING.

********** NOTE ********** NOTE ********** NOTE ********** NOTE **********

Please keep in mind that your vote and comments will be recorded and
publicly viewable in the mailing list archives or in other formats.

=================================
Candidate: CAN-2000-0172
Published:
Final-Decision:
Interim-Decision:
Modified:
Proposed: 20000322
Assigned: 20000322
Category: SF
Reference: BUGTRAQ:20000303 Potential security problem with mtr
Reference: DEBIAN:20000309 mtr
Reference: URL:http://archives.neohapsis.com/archives/vendor/2000-q1/0032.html
Reference: FREEBSD:FreeBSD-SA-00:09
Reference: URL:http://www.securityfocus.com/templates/advisory.html?id=2131
Reference: BUGTRAQ:20000308 [TL-Security-Announce] mtr-0.41 and earlier TLSA2000003-1 (fwd)
Reference: URL:http://archives.neohapsis.com/archives/bugtraq/2000-03/0072.html
Reference: BID:1038
Reference: URL:http://www.securityfocus.com/bid/1038

The mtr program does not properly drop privileges, which could allow
local users to gain privileges.


ED_PRI CAN-2000-0172 1


VOTE:

=================================
Candidate: CAN-2000-0196
Published:
Final-Decision:
Interim-Decision:
Modified:
Proposed: 20000322
Assigned: 20000322
Category: SF
Reference: DEBIAN:20000228 remote exploit in nmh
Reference: URL:http://www.debian.org/security/2000/20000229
Reference: URL:
Reference: BID:1018
Reference: URL:http://www.securityfocus.com/bid/1018

Buffer overflow in mhshow in the Linux nmh package allows remote
attackers to execute commands via malformed MIME headers in an email
message.


ED_PRI CAN-2000-0196 1


VOTE:

=================================
Candidate: CAN-2000-0208
Published:
Final-Decision:
Interim-Decision:
Modified:
Proposed: 20000322
Assigned: 20000322
Category: SF/CF/MP/SA/AN/unknown
Reference: BUGTRAQ:20000228 ht://Dig remote information exposure
Reference: URL:http://www.securityfocus.com/templates/archive.pike?list=1&msg=Pine.LNX.4.10.10002281422420.30728-100000@wso.williams.edu
Reference: FREEBSD:FreeBSD-SA-00:06
Reference: URL:http://www.securityfocus.com/templates/advisory.html?id=2107
Reference: DEBIAN:20000226 remote users can read files with webserver uid
Reference: URL:http://www.debian.org/security/2000/20000227
Reference: TURBO:TLSA200005-1
Reference: URL:http://www.securityfocus.com/templates/advisory.html?id=2113
Reference: BID:1026
Reference: URL:http://www.securityfocus.com/bid/1026

The htdig (ht://Dig) CGI program htsearch allows remote attackers to
read arbitrary files by enclosing the file name with backticks (`) in
parameters to htsearch.


ED_PRI CAN-2000-0208 1


VOTE:

=================================
Candidate: CAN-2000-0209
Published:
Final-Decision:
Interim-Decision:
Modified:
Proposed: 20000322
Assigned: 20000322
Category: SF/CF/MP/SA/AN/unknown
Reference: BUGTRAQ:20000227 lynx - someone is deaf and blind ;)
Reference: URL:http://www.securityfocus.com/templates/archive.pike?list=1&msg=Pine.LNX.4.21.0002271629490.15796-100000@dione.ids.pl
Reference: FREEBSD:FreeBSD-SA-00:08
Reference: URL:http://www.securityfocus.com/templates/advisory.html?id=2127
Reference: BID:1012
Reference: URL:http://www.securityfocus.com/bid/1012

Buffer overflow in Lynx 2.x allows remote attackers to crash Lynx and
possibly execute commands via a long URL in a malicious web page.


ED_PRI CAN-2000-0209 1


VOTE:

=================================
Candidate: CAN-2000-0178
Published:
Final-Decision:
Interim-Decision:
Modified:
Proposed: 20000322
Assigned: 20000322
Category: SF/CF/MP/SA/AN/unknown
Reference: BUGTRAQ:20000227 Advisory: Foundry Networks ServerIron TCP/IP sequence predictability
Reference: MISC:http://www.foundrynet.com/bugTraq.html
Reference: BID:1017
Reference: URL:http://www.securityfocus.com/bid/1017

ServerIron switches by Foundry Networks have predictable TCP/IP
sequence numbers, which allows remote attackers to spoof or hijack
sessions.


ED_PRI CAN-2000-0178 2


VOTE:

=================================
Candidate: CAN-2000-0186
Published:
Final-Decision:
Interim-Decision:
Modified:
Proposed: 20000322
Assigned: 20000322
Category: SF/CF/MP/SA/AN/unknown
Reference: BUGTRAQ:20000228 [ Hackerslab bug_paper ] Linux dump buffer overflow
Reference: URL:http://archives.neohapsis.com/archives/bugtraq/2000-02/0375.html
Reference: TURBO:TLSA200007-1
Reference: URL:http://www.securityfocus.com/templates/advisory.html?id=2130
Reference: BID:1020
Reference: URL:http://www.securityfocus.com/bid/1020

Buffer overflow in the dump utility in the Linux ext2fs backup package
allows local users to gain privileges via a long command line
argument.


ED_PRI CAN-2000-0186 2


VOTE:

=================================
Candidate: CAN-2000-0189
Published:
Final-Decision:
Interim-Decision:
Modified:
Proposed: 20000322
Assigned: 20000322
Category: SF/CF/MP/SA/AN/unknown
Reference: NTBUGTRAQ:20000301 ColdFusions application.cfm shows full path
Reference: URL:http://archives.neohapsis.com/archives/ntbugtraq/current/0178.html
Reference: BUGTRAQ:20000305 ColdFusion Bug: Application.cfm shows full path
Reference: URL:http://archives.neohapsis.com/archives/bugtraq/current/0033.html
Reference: BID:1021
Reference: URL:http://www.securityfocus.com/bid/1021

ColdFusion Server 4.x allows remote attackers to determine the real
pathname of the server via an HTTP request to the application.cfm or
onrequestend.cfm files.


ED_PRI CAN-2000-0189 2


VOTE:

=================================
Candidate: CAN-2000-0191
Published:
Final-Decision:
Interim-Decision:
Modified:
Proposed: 20000322
Assigned: 20000322
Category: SF/CF/MP/SA/AN/unknown
Reference: BUGTRAQ:20000229 Infosec.20000229.axisstorpointcd.a
Reference: URL:http://www.securityfocus.com/templates/archive.pike?list=1&msg=41256894.00492503.00@mailgw.backupcentralen.se
Reference: BID:1025
Reference: URL:http://www.securityfocus.com/bid/1025

Axis StorPoint CD allows remote attackers to access administrator URLs
without authentication via a .. (dot dot) attack.


ED_PRI CAN-2000-0191 2


VOTE:

=================================
Candidate: CAN-2000-0176
Published:
Final-Decision:
Interim-Decision:
Modified:
Proposed: 20000322
Assigned: 20000322
Category: SF/CF/MP/SA/AN/unknown
Reference: BUGTRAQ:20000228 Serv-U FTP-Server v2.4a showing real path
Reference: URL:http://archives.neohapsis.com/archives/bugtraq/2000-02/0417.html
Reference: SecurityFocus, February 20, 2000
Reference: BID:1016
Reference: URL:http://www.securityfocus.com/bid/1016

The default configuration of Serv-U 2.5d and earlier allows remote
attackers to determine the real pathname of the server by requesting a
URL for a directory or file that does not exist.


ED_PRI CAN-2000-0176 3


VOTE:

=================================
Candidate: CAN-2000-0177
Published:
Final-Decision:
Interim-Decision:
Modified:
Proposed: 20000322
Assigned: 20000322
Category: SF/CF/MP/SA/AN/unknown
Reference: BUGTRAQ:20000302 DNSTools v1.08 has no input validation
Reference: URL:http://archives.neohapsis.com/archives/bugtraq/2000-03/0000.html
Reference: BID:1028
Reference: URL:http://www.securityfocus.com/bid/1028

DNSTools CGI applications allow remote attackers to execute arbitrary
commands via shell metacharacters.


ED_PRI CAN-2000-0177 3


VOTE:

=================================
Candidate: CAN-2000-0179
Published:
Final-Decision:
Interim-Decision:
Modified:
Proposed: 20000322
Assigned: 20000322
Category: SF/CF/MP/SA/AN/unknown
Reference: BUGTRAQ:20000228 HP Omniback remote DoS
Reference: URL:http://archives.neohapsis.com/archives/bugtraq/2000-02/0387.html
Reference: BID:1015
Reference: URL:http://www.securityfocus.com/bid/1015

HP OpenView OmniBack 2.55 allows remote attackers to cause a denial of
service via a large number of connections to port 5555.


ED_PRI CAN-2000-0179 3


VOTE:

=================================
Candidate: CAN-2000-0187
Published:
Final-Decision:
Interim-Decision:
Modified:
Proposed: 20000322
Assigned: 20000322
Category: SF
Reference: BUGTRAQ:20000227 EZ Shopper 3.0 shopping cart CGI remote command execution
Reference: URL:http://archives.neohapsis.com/archives/bugtraq/2000-02/0356.html
Reference: BID:1014
Reference: URL:http://www.securityfocus.com/bid/1014

EZShopper 3.0 loadpage.cgi CGI script allows remote attackers to read
arbitrary files via a .. (dot dot) attack or execute commands via
shell metacharacters.


ED_PRI CAN-2000-0187 3


VOTE:

=================================
Candidate: CAN-2000-0188
Published:
Final-Decision:
Interim-Decision:
Modified:
Proposed: 20000322
Assigned: 20000322
Category: SF
Reference: BUGTRAQ:20000227 EZ Shopper 3.0 shopping cart CGI remote command execution
Reference: URL:http://archives.neohapsis.com/archives/bugtraq/2000-02/0356.html
Reference: BID:1014
Reference: URL:http://www.securityfocus.com/bid/1014

EZShopper 3.0 search.cgi CGI script allows remote attackers to read
arbitrary files via a .. (dot dot) attack or execute commands via
shell metacharacters.


ED_PRI CAN-2000-0188 3


VOTE:

=================================
Candidate: CAN-2000-0190
Published:
Final-Decision:
Interim-Decision:
Modified:
Proposed: 20000322
Assigned: 20000322
Category: SF
Reference: BUGTRAQ:20000303 Aol Instant Messenger DoS vulnerability
Reference: URL:http://archives.neohapsis.com/archives/bugtraq/2000-03/0016.html

AOL Instant Messenger (AIM) client allows remote attackers to cause a
denial of service via a message with a malformed ASCII value.


ED_PRI CAN-2000-0190 3


VOTE:

=================================
Candidate: CAN-2000-0193
Published:
Final-Decision:
Interim-Decision:
Modified:
Proposed: 20000322
Assigned: 20000322
Category: SF/CF/MP/SA/AN/unknown
Reference: BUGTRAQ:20000302 Corel Linux 1.0 dosemu default configuration: Local root vuln
Reference: URL:http://www.securityfocus.com/templates/archive.pike?list=1&msg=200003020436.PAA20168@jawa.chilli.net.au
Reference: BID:1030
Reference: URL:http://www.securityfocus.com/bid/1030

The default configuration of Dosemu in Corel Linux 1.0 allows local
users to execute the system.com program and gain privileges.


ED_PRI CAN-2000-0193 3


VOTE:

=================================
Candidate: CAN-2000-0201
Published:
Final-Decision:
Interim-Decision:
Modified:
Proposed: 20000322
Assigned: 20000322
Category: SF/CF/MP/SA/AN/unknown
Reference: BUGTRAQ:20000301 IE 5.x allows executing arbitrary programs using .chm files
Reference: URL:http://archives.neohapsis.com/archives/bugtraq/2000-02/0408.html
Reference: BID:1033
Reference: URL:http://www.securityfocus.com/bid/1033

The window.showHelp() method in Internet Explorer 5.x does not
restrict execution of HTML help files (.chm) to the local host,
which allows remote attackers to execute arbitrary commands via
Microsoft Networking.


ED_PRI CAN-2000-0201 3


VOTE:

=================================
Candidate: CAN-2000-0205
Published:
Final-Decision:
Interim-Decision:
Modified:
Proposed: 20000322
Assigned: 20000322
Category: SF/CF/MP/SA/AN/unknown
Reference: BUGTRAQ:20000303 TrendMicro OfficeScan, numerous security holes, remote files modification.
Reference: URL:http://archives.neohapsis.com/archives/bugtraq/2000-03/0015.html
Reference: BUGTRAQ:20000315 Trend Micro release patch for "OfficeScan DoS & Message Replay" V ulnerabilies
Reference: URL:http://www.securityfocus.com/templates/archive.pike?list=1&msg=D129BBE1730AD2118A0300805FC1C2FE038AF28B@209-76-212-10.trendmicro.com
Reference: MISC:http://www.antivirus.com/download/ofce_patch_35.htm
Reference: BID:1013
Reference: URL:http://www.securityfocus.com/bid/1013

Trend Micro OfficeScan allows remote attackers to replay
administrative commands and modify the configuration of OfficeScan
clients.


ED_PRI CAN-2000-0205 3


VOTE:

=================================
Candidate: CAN-2000-0207
Published:
Final-Decision:
Interim-Decision:
Modified:
Proposed: 20000322
Assigned: 20000322
Category: SF/CF/MP/SA/AN/unknown
Reference: BUGTRAQ:20000301 infosrch.cgi vulnerability (IRIX 6.5)
Reference: URL:http://www.securityfocus.com/templates/archive.pike?list=1&msg=Pine.LNX.4.10.10003021059360.21162-100000@inetarena.com
Reference: BID:1031
Reference: URL:http://www.securityfocus.com/bid/1031

SGI InfoSearch CGI program infosrch.cgi allows remote attackers to
execute commands via shell metacharacters.


ED_PRI CAN-2000-0207 3


VOTE:

=================================
Candidate: CAN-2000-0216
Published:
Final-Decision:
Interim-Decision:
Modified:
Proposed: 20000322
Assigned: 20000322
Category: SF/CF/MP/SA/AN/unknown
Reference: NTBUGTRAQ:20000229 mailbombing DoS easily exploitable against mail systems using MS mail clients.
Reference: URL:http://archives.neohapsis.com/archives/ntbugtraq/2000-q1/0176.html

Microsoft email clients in Outlook, Exchange, and Windows Messaging
automatically respond to Read Receipt and Delivery Receipt tags, which
could allow an attacker to flood a mail system with responses by
forging a Read Receipt request that is redirected to a large
distribution list.


ED_PRI CAN-2000-0216 3


VOTE:

=================================
Candidate: CAN-2000-0225
Published:
Final-Decision:
Interim-Decision:
Modified:
Proposed: 20000322
Assigned: 20000322
Category: SF/CF/MP/SA/AN/unknown
Reference: BUGTRAQ:20000303 Pocsag remote access to client can't be disabled.
Reference: URL:http://www.securityfocus.com/templates/archive.pike?list=1&msg=003601bf854b$6893a090$0100a8c0@FIREWALKER
Reference: BID:1032
Reference: URL:http://www.securityfocus.com/bid/1032

The Pocsag POC32 program does not properly prevent remote users from
accessing its server port, even if the option has been disabled.


ED_PRI CAN-2000-0225 3


VOTE:

Page Last Updated or Reviewed: May 22, 2007