
Re: [PROPOSAL] Cluster RECENT-19 - 33 candidates



* Steven M. Christey (coley@LINUS.MITRE.ORG) [000615 02:52]:
> The next 3 RECENT-XX clusters identify a total of 92 candidates - it's
> been very busy these last few months.
> 
> The following cluster contains 33 candidates that were announced
> between 4/24/2000 and 5/10/2000.
> 
> The candidates are listed in order of priority.  Priority 1 and
> Priority 2 candidates both deal with varying levels of vendor
> confirmation, so they should be easy to review and it can be trusted
> that the problems are real.
> 
> If you discover that any RECENT-XX cluster is incomplete with respect
> to the problems discovered during the associated time frame, please
> send that information to me so that candidates can be assigned.
> 
> - Steve
> 
> 
> Summary of votes to use (in ascending order of "severity")
> ----------------------------------------------------------
> 
> ACCEPT - voter accepts the candidate as proposed
> NOOP - voter has no opinion on the candidate
> MODIFY - voter wants to change some MINOR detail (e.g. reference/description)
> REVIEWING - voter is reviewing/researching the candidate, or needs more info
> RECAST - candidate must be significantly modified, e.g. split or merged
> REJECT - candidate is "not a vulnerability", or a duplicate, etc.
> 
> 1) Please write your vote on the line that starts with "VOTE: ".  If
>    you want to add comments or details, add them to lines after the
>    VOTE: line.
> 
> 2) If you see any missing references, please mention them so that they
>    can be included.  References help greatly during mapping.
> 
> 3) Note that a "MODIFY" is treated as an "ACCEPT" when counting votes.
>    So if you don't have sufficient information for a candidate but you
>    don't want to NOOP, use a REVIEWING.
> 
> ********** NOTE ********** NOTE ********** NOTE ********** NOTE **********
> 
> Please keep in mind that your vote and comments will be recorded and
> publicly viewable in the mailing list archives or in other formats.
> 
> =================================
> Candidate: CAN-2000-0249
> Published:
> Final-Decision:
> Interim-Decision:
> Modified:
> Proposed: 20000615
> Assigned: 20000425
> Category: SF
> Reference: ISS:20000426 Insecure file handling in IBM AIX frcactrl program
> Reference: URL:http://xforce.iss.net/alerts/advise47.php3
> 
> The AIX Fast Response Cache Accelerator (FRCA) allows local users to
> modify arbitrary files via the configuration capability in the
> frcactrl program.
> 
> 
> ED_PRI CAN-2000-0249 1
> 
> 
> VOTE: MODIFY

Reference: BID 1152

> =================================
> Candidate: CAN-2000-0380
> Published:
> Final-Decision:
> Interim-Decision:
> Modified:
> Proposed: 20000615
> Assigned: 20000614
> Category: SF
> Reference: BUGTRAQ:20000426 Cisco HTTP possible bug:
> Reference: URL:http://archives.neohapsis.com/archives/bugtraq/2000-04/0261.html
> Reference: CISCO:20000514 Cisco IOS HTTP Server Vulnerability
> Reference: URL:http://www.cisco.com/warp/public/707/ioshttpserver-pub.shtml
> Reference: XF:cisco-ios-http-dos
> 
> The IOS HTTP service in Cisco routers and switches running IOS 11.1
> through 12.1 allows remote attackers to cause a denial of service by
> requesting a URL that contains a %% string.
> 
> 
> ED_PRI CAN-2000-0380 1
> 
> 
> VOTE: MODIFY

Reference: BID 1154

> =================================
> Candidate: CAN-2000-0382
> Published:
> Final-Decision:
> Interim-Decision:
> Modified:
> Proposed: 20000615
> Assigned: 20000614
> Category: SF
> Reference: ALLAIRE:ASB00-12
> Reference: URL:http://www.allaire.com/handlers/index.cfm?ID=15697&Method=Full
> Reference: BID:1179
> Reference: URL:http://www.securityfocus.com/bid/1179
> Reference: XF:allaire-clustercats-url-redirect
> 
> ColdFusion ClusterCATS appends stale query string arguments to a URL
> during HTML redirection, which may provide sensitive information to
> the redirected site.
> 
> 
> ED_PRI CAN-2000-0382 1
> 
> 
> VOTE: ACCEPT
> 
> =================================
> Candidate: CAN-2000-0387
> Published:
> Final-Decision:
> Interim-Decision:
> Modified:
> Proposed: 20000615
> Assigned: 20000614
> Category: SF
> Reference: FREEBSD:FreeBSD-SA-00:16
> Reference: URL:ftp://ftp.freebsd.org/pub/FreeBSD/CERT/advisories/FreeBSD-SA-00:16.golddig.asc
> Reference: BID:1184
> Reference: URL:http://www.securityfocus.com/bid/1184
> 
> The makelev program in the golddig game from the FreeBSD ports
> collection allows local users to overwrite arbitrary files.
> 
> 
> ED_PRI CAN-2000-0387 1
> 
> 
> VOTE: ACCEPT
> 
> =================================
> Candidate: CAN-2000-0388
> Published:
> Final-Decision:
> Interim-Decision:
> Modified:
> Proposed: 20000615
> Assigned: 20000614
> Category: SF
> Reference: FREEBSD:FreeBSD-SA-00:17
> Reference: URL:ftp://ftp.freebsd.org/pub/FreeBSD/CERT/advisories/FreeBSD-SA-00%3A17.libmytinfo.asc
> Reference: BID:1185
> Reference: URL:http://www.securityfocus.com/bid/1185
> Reference: XF:libmytinfo-bo
> 
> Buffer overflow in FreeBSD libmytinfo library allows local users to
> execute commands via a long TERMCAP environmental variable.
> 
> 
> ED_PRI CAN-2000-0388 1
> 
> 
> VOTE: ACCEPT
> 
> =================================
> Candidate: CAN-2000-0414
> Published:
> Final-Decision:
> Interim-Decision:
> Modified:
> Proposed: 20000615
> Assigned: 20000614
> Category: SF
> Reference: HP:HPSBUX0005-113
> Reference: URL:http://archives.neohapsis.com/archives/bugtraq/2000-05/0047.html
> Reference: XF:hp-shutdown-privileges
> Reference: BID:1214
> Reference: URL:http://www.securityfocus.com/bid/1214
> 
> Vulnerability in shutdown command in HP-UX 11.X and 10.X allows
> local users to gain privileges via malformed input variables.
> 
> 
> ED_PRI CAN-2000-0414 1
> 
> 
> VOTE: ACCEPT
> 
> =================================
> Candidate: CAN-2000-0433
> Published:
> Final-Decision:
> Interim-Decision:
> Modified:
> Proposed: 20000615
> Assigned: 20000614
> Category: SF
> Reference: SUSE:20000502 aaabase < 2000.5.2
> Reference: URL:http://www.suse.de/de/support/security/suse_security_announce_47.txt
> Reference: XF:aaabase-execute-dot-files
> 
> The SuSE aaa_base package installs some system accounts with home
> directories set to /tmp, which allows local users to gain privileges
> to those accounts by creating standard user startup scripts such as
> profiles.
> 
> 
> ED_PRI CAN-2000-0433 1
> 
> 
> VOTE:  REVIEWING
> 
> =================================
> Candidate: CAN-2000-0439
> Published:
> Final-Decision:
> Interim-Decision:
> Modified:
> Proposed: 20000615
> Assigned: 20000614
> Category: SF
> Reference: BUGTRAQ:20000510 IE Domain Confusion Vulnerability
> Reference: URL:http://www.securityfocus.com/templates/archive.pike?list=1&msg=20000511135609.D7774@securityfocus.com
> Reference: BUGTRAQ:20000511 IE Domain Confusion Vulnerability is an Email problem also
> Reference: URL:http://www.securityfocus.com/templates/archive.pike?list=1&msg=NDBBKGHPMKBKDDGLDEEHAEHMDIAA.rms2000@bellatlantic.net
> Reference: MS:MS00-033
> Reference: URL:http://www.microsoft.com/technet/security/bulletin/ms00-033.asp
> Reference: BID:1194
> Reference: URL:http://www.securityfocus.com/bid/1194
> Reference: XF:ie-cookie-disclosure
> 
> Internet Explorer 4.0 and 5.0 allows a malicious web site to obtain
> client cookies from another domain by including that domain name and
> escaped characters in a URL, aka the "Unauthorized Cookie Access"
> vulnerability.
> 
> 
> ED_PRI CAN-2000-0439 1
> 
> 
> VOTE: ACCEPT
> 
> =================================
> Candidate: CAN-2000-0440
> Published:
> Final-Decision:
> Interim-Decision:
> Modified:
> Proposed: 20000615
> Assigned: 20000614
> Category: SF
> Reference: NETBSD:NetBSD-SA2000-002
> Reference: URL:ftp://ftp.netbsd.org/pub/NetBSD/misc/security/advisories/NetBSD-SA2000-002.txt.asc
> Reference: BUGTRAQ:20000506 [NHC20000504a.0: NetBSD Panics when sent unaligned IP options]
> Reference: URL:http://archives.neohapsis.com/archives/bugtraq/2000-05/0088.html
> Reference: BID:1173
> Reference: URL:http://www.securityfocus.com/bid/1173
> 
> NetBSD 1.4.2 and earlier allows remote attackers to cause a denial of
> service by sending a packet with an unaligned IP timestamp option.
> 
> 
> ED_PRI CAN-2000-0440 1
> 
> 
> VOTE: ACCEPT
> 
> =================================
> Candidate: CAN-2000-0457
> Published:
> Final-Decision:
> Interim-Decision:
> Modified:
> Proposed: 20000615
> Assigned: 20000614
> Category: SF
> Reference: BUGTRAQ:20000511 Alert: IIS ism.dll exposes file contents
> Reference: URL:http://marc.theaimsgroup.com/?l=bugtraq&m=95810120719608&w=2
> Reference: MS:MS00-031
> Reference: URL:http://www.microsoft.com/technet/security/bulletin/ms00-031.asp
> Reference: BID:1193
> Reference: URL:http://www.securityfocus.com/bid/1193
> 
> ISM.DLL in IIS 4.0 and 5.0 allows remote attackers to read file
> contents by requesting the file and appending a large number of
> encoded spaces (%20) and terminated with a .htr extension, aka the
> ".HTR File Fragment Reading" or "File Fragment Reading via .HTR"
> vulnerability.
> 
> 
> ED_PRI CAN-2000-0457 1
> 
> 
> VOTE: ACCEPT
> 
> =================================
> Candidate: CAN-2000-0379
> Published:
> Final-Decision:
> Interim-Decision:
> Modified:
> Proposed: 20000615
> Assigned: 20000614
> Category: SF
> Reference: BUGTRAQ:20000507 Advisory: Netopia R9100 router vulnerability
> Reference: http://www.securityfocus.com/templates/archive.pike?list=1&msg=200005082054.NAA32590@linux.mtndew.com
> Reference: CONFIRM:http://www.netopia.com/equipment/purchase/fmw_update.html
> Reference: BID:1177
> Reference: URL:http://www.securityfocus.com/bid/1177
> Reference: XF:netopia-snmp-comm-strings
> 
> The Netopia R9100 router does not prevent authenticated users from
> modifying SNMP tables, even if the administrator has configured it to
> do so.
> 
> 
> ED_PRI CAN-2000-0379 2
> 
> 
> VOTE: ACCEPT
> 
> =================================
> Candidate: CAN-2000-0427
> Published:
> Final-Decision:
> Interim-Decision:
> Modified:
> Proposed: 20000615
> Assigned: 20000614
> Category: unknown
> Reference: L0PHT:20000504 eToken Private Information Extraction and Physical Attack
> Reference: URL:http://www.l0pht.com/advisories/etoken-piepa.txt
> Reference: XF:aladdin-etoken-pin-reset
> Reference: BID:1170
> Reference: URL:http://www.securityfocus.com/bid/1170
> 
> The Aladdin Knowledge Systems eToken device allows attackers with
> physical access to the device to obtain sensitive information without
> knowing the PIN of the owner by resetting the PIN in the EEPROM.
> 
> 
> ED_PRI CAN-2000-0427 2
> 
> 
> VOTE: ACCEPT
> 
> =================================
> Candidate: CAN-2000-0428
> Published:
> Final-Decision:
> Interim-Decision:
> Modified:
> Proposed: 20000615
> Assigned: 20000614
> Category: SF
> Reference: NAI:20000503 Trend Micro InterScan VirusWall Remote Overflow
> Reference: URL:http://www.nai.com/nai_labs/asp_set/advisory/39_Trend.asp
> Reference: BID:1168
> Reference: URL:http://www.securityfocus.com/bid/1168
> Reference: XF:interscan-viruswall-bo
> 
> Buffer overflow in the SMTP gateway for InterScan Virus Wall 3.32 and
> earlier allows a remote attacker to execute arbitrary commands via a
> long filename for a uuencoded attachment.
> 
> 
> ED_PRI CAN-2000-0428 2
> 
> 
> VOTE: ACCEPT
> 
> =================================
> Candidate: CAN-2000-0378
> Published:
> Final-Decision:
> Interim-Decision:
> Modified:
> Proposed: 20000615
> Assigned: 20000614
> Category: SF
> Reference: BUGTRAQ:20000502 pam_console bug
> Reference: URL:http://archives.neohapsis.com/archives/bugtraq/2000-05/0023.html
> Reference: BID:1176
> Reference: URL:http://www.securityfocus.com/bid/1176
> 
> The pam_console PAM module in Linux systems performs a chown on
> various devices upon a user login, but the ownership of some devices
> is not reset when the user logs out, which allows that user to sniff
> activity on these devices when subsequent users log in.
> 
> 
> ED_PRI CAN-2000-0378 3
> 
> 
> VOTE: ACCEPT

Please note that it's not that the ownership is not reset. It's that
a program can maintain an open file descriptor to the devices while
someone else uses them.

> =================================
> Candidate: CAN-2000-0381
> Published:
> Final-Decision:
> Interim-Decision:
> Modified:
> Proposed: 20000615
> Assigned: 20000614
> Category: SF
> Reference: BUGTRAQ:20000505 Black Watch Labs Vulnerability Alert
> Reference: URL:http://archives.neohapsis.com/archives/bugtraq/2000-05/0067.html
> Reference: MISC:http://www.perfectotech.com/blackwatchlabs/vul5_05.html
> Reference: XF:http-cgi-dbman-db
> Reference: BID:1178
> Reference: URL:http://www.securityfocus.com/bid/1178
> 
> The Gossamer Threads DBMan db.cgi CGI script allows remote attackers
> to view environmental variables and setup information by referencing a
> non-existing database in the db parameter.
> 
> 
> ED_PRI CAN-2000-0381 3
> 
> 
> VOTE: ACCEPT
> 
> =================================
> Candidate: CAN-2000-0383
> Published:
> Final-Decision:
> Interim-Decision:
> Modified:
> Proposed: 20000615
> Assigned: 20000614
> Category: SF
> Reference: XF:aolim-file-path
> Reference: BugTraq Mailing List: "AOL Instant Messenger" at:
> Reference: http://www.securityfocus.com/templates/archive.pike?list=1&msg=002401bfb918$7310d5a0$1ef084ce@karemor.com
> Reference: BID:1180
> Reference: URL:http://www.securityfocus.com/bid/1180
> 
> The file transfer component of AOL Instant Messenger (AIM) reveals the
> physical path of the transferred file to the remote recipient.
> 
> 
> ED_PRI CAN-2000-0383 3
> 
> 
> VOTE: ACCEPT
> 
> =================================
> Candidate: CAN-2000-0384
> Published:
> Final-Decision:
> Interim-Decision:
> Modified:
> Proposed: 20000615
> Assigned: 20000614
> Category: CF
> Reference: L0PHT:20000508 NetStructure 7180 remote backdoor vulnerability
> Reference: URL:http://www.lopht.com/advisories/ipivot7110.html
> Reference: L0PHT:20000508 NetStructure 7110 console backdoor
> Reference: URL:http://www.l0pht.com/advisories/ipivot7180.html
> Reference: CONFIRM:http://216.188.41.136/
> Reference: XF:netstructure-root-compromise
> Reference: XF:netstructure-wizard-mode
> Reference: BID:1182
> Reference: URL:http://www.securityfocus.com/bid/1182
> Reference: BID:1183
> Reference: URL:http://www.securityfocus.com/bid/1183
> 
> NetStructure 7110 and 7180 have undocumented accounts (servnow, root,
> and wizard) whose passwords are easily guessable from the
> NetStructure's MAC address, which could allow remote attackers to gain
> root access.
> 
> 
> ED_PRI CAN-2000-0384 3
> 
> 
> VOTE: ACCEPT
> 
> =================================
> Candidate: CAN-2000-0385
> Published:
> Final-Decision:
> Interim-Decision:
> Modified:
> Proposed: 20000615
> Assigned: 20000614
> Category: SF
> Reference: MISC:http://www.blueworld.com/blueworld/news/05.01.00-FM5_Security.html
> Reference: CONFIRM:http://www.filemaker.com/support/webcompanion.html
> Reference: XF:macos-filemaker-xml
> Reference: XF:macos-filemaker-email
> 
> FileMaker Pro 5 Web Companion allows remote attackers to bypass
> Field-Level database security restrictions via the XML publishing
> or email capabilities.
> 
> 
> ED_PRI CAN-2000-0385 3
> 
> 
> VOTE: MODIFY

Reference: BID 1159

> =================================
> Candidate: CAN-2000-0386
> Published:
> Final-Decision:
> Interim-Decision:
> Modified:
> Proposed: 20000615
> Assigned: 20000614
> Category: SF
> Reference: MISC:http://www.blueworld.com/blueworld/news/05.01.00-FM5_Security.html
> Reference: CONFIRM:http://www.filemaker.com/support/webcompanion.html
> Reference: XF:macos-filemaker-anonymous-email
> 
> FileMaker Pro 5 Web Companion allows remote attackers to send
> anonymous or forged email.
> 
> 
> ED_PRI CAN-2000-0386 3
> 
> 
> VOTE: MODIFY

Reference: BID 1159

> =================================
> Candidate: CAN-2000-0409
> Published:
> Final-Decision:
> Interim-Decision:
> Modified:
> Proposed: 20000615
> Assigned: 20000614
> Category: SF
> Reference: BUGTRAQ:20000510 Possible symlink problems with Netscape 4.73
> Reference: URL:http://archives.neohapsis.com/archives/bugtraq/2000-05/0126.html
> Reference: BID:1201
> Reference: URL:http://www.securityfocus.com/bid/1201
> Reference: XF:netscape-import-certificate-symlink
> 
> Netscape 4.73 and earlier follows symlinks when it imports a new
> certificate, which allows local users to overwrite files of the user
> importing the certificate.
> 
> 
> ED_PRI CAN-2000-0409 3
> 
> 
> VOTE: ACCEPT
> 
> =================================
> Candidate: CAN-2000-0410
> Published:
> Final-Decision:
> Interim-Decision:
> Modified:
> Proposed: 20000615
> Assigned: 20000614
> Category: SF
> Reference: NTBUGTRAQ:20000510 Cold Fusion Server 4.5.1 DoS Vulnerability.
> Reference: URL:http://www.ntbugtraq.com/default.asp?pid=36&sid=1&A2=ind0005&L=ntbugtraq&F=&S=&P=4843
> Reference: XF:coldfusion-cfcache-dos
> Reference: BID:1192
> Reference: URL:http://www.securityfocus.com/bid/1192
> 
> Cold Fusion Server 4.5.1 allows remote attackers to cause a denial of
> service by making repeated requests to a CFCACHE tagged cache file
> that is not stored in memory.
> 
> 
> ED_PRI CAN-2000-0410 3
> 
> 
> VOTE: ACCEPT
> 
> =================================
> Candidate: CAN-2000-0411
> Published:
> Final-Decision:
> Interim-Decision:
> Modified:
> Proposed: 20000615
> Assigned: 20000614
> Category: SF
> Reference: BUGTRAQ:20000510 Black Watch Labs Vulnerability Alert
> Reference: URL:http://archives.neohapsis.com/archives/bugtraq/2000-05/0125.html
> Reference: MISC:http://www.perfectotech.com/blackwatchlabs/vul5_10.html
> Reference: XF:http-cgi-formmail-environment
> Reference: BID:1187
> Reference: URL:http://www.securityfocus.com/bid/1187
> 
> Matt Wright's FormMail CGI script allows remote attackers to obtain
> environmental variables via the env_report parameter.
> 
> 
> ED_PRI CAN-2000-0411 3
> 
> 
> VOTE: ACCEPT
> 
> =================================
> Candidate: CAN-2000-0412
> Published:
> Final-Decision:
> Interim-Decision:
> Modified:
> Proposed: 20000615
> Assigned: 20000614
> Category: SF
> Reference: BUGTRAQ:20000510 KNapster Vulnerability Compromises User-readable Files
> Reference: URL:http://archives.neohapsis.com/archives/bugtraq/2000-05/0124.html
> Reference: BUGTRAQ:20000510 Gnapster Vulnerability Compromises User-readable Files
> Reference: URL:http://archives.neohapsis.com/archives/bugtraq/2000-05/0127.html
> Reference: FREEBSD:FreeBSD-SA-00:18
> Reference: URL:ftp://ftp.freebsd.org/pub/FreeBSD/CERT/advisories/FreeBSD-SA-00:18-gnapster.adv
> Reference: XF:gnapster-view-files
> Reference: BID:1186
> Reference: URL:http://www.securityfocus.com/bid/1186
> 
> The gnapster and knapster clients for Napster do not properly restrict
> access only to MP3 files, which allows remote attackers to read
> arbitrary files from the client by specifying the full pathname for
> the file.
> 
> 
> ED_PRI CAN-2000-0412 3
> 
> 
> VOTE: ACCEPT
> 
> =================================
> Candidate: CAN-2000-0413
> Published:
> Final-Decision:
> Interim-Decision:
> Modified:
> Proposed: 20000615
> Assigned: 20000614
> Category: SF
> Reference: BUGTRAQ:20000506 shtml.exe reveal local path of IIS web directory
> Reference: URL:http://archives.neohapsis.com/archives/bugtraq/2000-05/0084.html
> Reference: BID:1174
> Reference: URL:http://www.securityfocus.com/bid/1174
> Reference: XF:iis-shtml-reveal-path
> 
> The shtml.exe program in the FrontPage extensions package of IIS 4.0
> and 5.0 allows remote attackers to determine the physical path of
> HTML, HTM, ASP, and SHTML files by requesting a file that does not
> exist, which generates an error message that reveals the path.
> 
> 
> ED_PRI CAN-2000-0413 3
> 
> 
> VOTE: ACCEPT
> 
> =================================
> Candidate: CAN-2000-0417
> Published:
> Final-Decision:
> Interim-Decision:
> Modified:
> Proposed: 20000615
> Assigned: 20000614
> Category: SF
> Reference: BUGTRAQ:20000505 Cayman 3220-H DSL Router DOS
> Reference: URL:http://archives.neohapsis.com/archives/bugtraq/2000-05/0075.html
> Reference: BUGTRAQ:20000523 Cayman 3220H DSL Router Software Update and New Bonus Attack
> Reference: URL:http://archives.neohapsis.com/archives/bugtraq/2000-05/0280.html
> Reference: BID:1219
> Reference: URL:http://www.securityfocus.com/bid/1219
> 
> The HTTP administration interface to the Cayman 3220-H DSL router
> allows remote attackers to cause a denial of service via a long
> username or password.
> 
> 
> ED_PRI CAN-2000-0417 3
> 
> 
> VOTE: ACCEPT
> 
> =================================
> Candidate: CAN-2000-0422
> Published:
> Final-Decision:
> Interim-Decision:
> Modified:
> Proposed: 20000615
> Assigned: 20000614
> Category: SF
> Reference: BUGTRAQ:20000504 Alert: DMailWeb buffer overflow
> Reference: URL:http://marc.theaimsgroup.com/?l=bugtraq&m=95749276827558&w=2
> Reference: XF:http-cgi-dmailweb-bo
> Reference: BID:1171
> Reference: URL:http://www.securityfocus.com/bid/1171
> 
> Buffer overflow in Netwin DMailWeb CGI program allows remote attackers
> to execute arbitrary commands via a long utoken parameter.
> 
> 
> ED_PRI CAN-2000-0422 3
> 
> 
> VOTE: ACCEPT
> 
> =================================
> Candidate: CAN-2000-0423
> Published:
> Final-Decision:
> Interim-Decision:
> Modified:
> Proposed: 20000615
> Assigned: 20000614
> Category: SF
> Reference: BUGTRAQ:20000505 Alert: DNewsWeb buffer overflow
> Reference: URL:http://marc.theaimsgroup.com/?l=bugtraq&m=95764950403250&w=2
> Reference: XF:http-cgi-dnews-bo
> Reference: BID:1172
> Reference: URL:http://www.securityfocus.com/bid/1172
> 
> Buffer overflow in Netwin DNEWSWEB CGI program allows remote attackers
> to execute arbitrary commands via long parameters such as group, cmd,
> and utag.
> 
> 
> ED_PRI CAN-2000-0423 3
> 
> 
> VOTE: ACCEPT
> 
> =================================
> Candidate: CAN-2000-0425
> Published:
> Final-Decision:
> Interim-Decision:
> Modified:
> Proposed: 20000615
> Assigned: 20000614
> Category: SF
> Reference: CONFIRM:http://www.lsoft.com/news/default.asp?item=Advisory0
> Reference: BUGTRAQ:20000505 Alert: Listserv Web Archives (wa) buffer overflow
> Reference: URL:http://archives.neohapsis.com/archives/bugtraq/2000-05/0048.html
> Reference: XF:http-cgi-listserv-wa-bo
> Reference: BID:1167
> Reference: URL:http://www.securityfocus.com/bid/1167
> 
> Buffer overflow in the Web Archives component of L-Soft LISTSERV 1.8
> allows remote attackers to execute arbitrary commands.
> 
> 
> ED_PRI CAN-2000-0425 3
> 
> 
> VOTE: ACCEPT
> 
> =================================
> Candidate: CAN-2000-0426
> Published:
> Final-Decision:
> Interim-Decision:
> Modified:
> Proposed: 20000615
> Assigned: 20000614
> Category: SF
> Reference: BUGTRAQ:20000505 Re: Fun with UltraBoard V1.6X
> Reference: URL:http://archives.neohapsis.com/archives/bugtraq/2000-05/0059.html
> Reference: BID:1175
> Reference: URL:http://www.securityfocus.com/bid/1175
> Reference: XF:ultraboard-cgi-dos
> 
> UltraBoard 1.6 and other versions allow remote attackers to cause a
> denial of service by referencing UltraBoard in the Session parameter,
> which causes UltraBoard to fork copies of itself.
> 
> 
> ED_PRI CAN-2000-0426 3
> 
> 
> VOTE: ACCEPT
> 
> =================================
> Candidate: CAN-2000-0429
> Published:
> Final-Decision:
> Interim-Decision:
> Modified:
> Proposed: 20000615
> Assigned: 20000614
> Category: SF
> Reference: BUGTRAQ:20000427 Alert: Cart32 secret password backdoor (CISADV000427)
> Reference: URL:http://marc.theaimsgroup.com/?l=bugtraq&m=95686068203138&w=2
> Reference: CONFIRM:http://www.cart32.com/kbshow.asp?article=c048
> 
> A backdoor password in Cart32 3.0 and earlier allows remote attackers
> to execute arbitrary commands.
> 
> 
> ED_PRI CAN-2000-0429 3
> 
> 
> VOTE: MODIFY

Reference: BID 1153

> 
> =================================
> Candidate: CAN-2000-0430
> Published:
> Final-Decision:
> Interim-Decision:
> Modified:
> Proposed: 20000615
> Assigned: 20000614
> Category: SF
> Reference: BUGTRAQ:20000503 Another interesting Cart32 command
> Reference: URL:http://marc.theaimsgroup.com/?l=bugtraq&m=95738697301956&w=2
> Reference: XF:cart32-expdate
> 
> Cart32 allows remote attackers to access sensitive debugging
> information by appending /expdate to the URL request.
> 
> 
> ED_PRI CAN-2000-0430 3
> 
> 
> VOTE: REVIEWING
> 
> =================================
> Candidate: CAN-2000-0458
> Published:
> Final-Decision:
> Interim-Decision:
> Modified:
> Proposed: 20000615
> Assigned: 20000614
> Category: SF
> Reference: BUGTRAQ:20000424 Two Problems in IMP 2
> Reference: URL:http://marc.theaimsgroup.com/?l=bugtraq&m=95672120116627&w=2
> Reference: XF:imp-tmpfile-view
> 
> The MSWordView application in IMP creates world-readable files in the
> /tmp directory, which allows other local users to read potentially
> sensitive information.
> 
> 
> ED_PRI CAN-2000-0458 3
> 
> 
> VOTE: REVIEWING
> 
> =================================
> Candidate: CAN-2000-0459
> Published:
> Final-Decision:
> Interim-Decision:
> Modified:
> Proposed: 20000615
> Assigned: 20000614
> Category: SF
> Reference: BUGTRAQ:20000424 Two Problems in IMP 2
> Reference: URL:http://marc.theaimsgroup.com/?l=bugtraq&m=95672120116627&w=2
> Reference: XF:imp-wordfile-dos
> 
> IMP does not remove files properly if the MSWordView application
> quits, which allows local users to cause a denial of service by
> filling up the disk space by requesting a large number of documents
> and prematurely stopping the request.
> 
> 
> ED_PRI CAN-2000-0459 3
> 
> 
> VOTE: REVIEWING

-- 
Elias Levy
SecurityFocus.com
http://www.securityfocus.com/
Si vis pacem, para bellum

Page Last Updated or Reviewed: May 22, 2007