
[PROPOSAL] Clusters RECENT-33 and RECENT-34 - 56 candidates



This message contains candidates from 2 clusters, due to the volume of
candidates being proposed this week.  The clusters are separated on
the voting web site.  Board members can use the voting web site
instead of this ballot, which is posted for other Board members and as
a part of the public record.

These voting ballots include the new Analysis field as discussed in a
previous post with explanations of applications of content decisions.
The degree of vendor acknowledgement is also made more prominent.
Finally, a new ACCEPT_REASON form has been added for Board members to
include the reason why they vote to ACCEPT or MODIFY an item.

RECENT-33 contains 30 candidates that were announced between 8/9/2000
and 8/16/2000.  RECENT-34 contains 26 problems that were announced
between 8/17/2000 and 8/24/2000.

- Steve


Summary of votes to use (in ascending order of "severity")
----------------------------------------------------------

ACCEPT - voter accepts the candidate as proposed
NOOP - voter has no opinion on the candidate
MODIFY - voter wants to change some MINOR detail (e.g. reference/description)
REVIEWING - voter is reviewing/researching the candidate, or needs more info
RECAST - candidate must be significantly modified, e.g. split or merged
REJECT - candidate is "not a vulnerability", or a duplicate, etc.

1) Please write your vote on the line that starts with "VOTE: ".  If
   you want to add comments or details, add them to lines after the
   VOTE: line.

2) If you see any missing references, please mention them so that they
   can be included.  References help greatly during mapping.

3) Note that a "MODIFY" is treated as an "ACCEPT" when counting votes.
   So if you don't have sufficient information for a candidate but you
   don't want to NOOP, use a REVIEWING.

********** NOTE ********** NOTE ********** NOTE ********** NOTE **********

Please keep in mind that your vote and comments will be recorded and
publicly viewable in the mailing list archives or in other formats.

======================================================
Candidate: CAN-2000-0677
Published:
Final-Decision:
Interim-Decision:
Modified:
Proposed: 20000921
Assigned: 20000823
Category: SF
Reference: ISS:20000907 Buffer Overflow in IBM Net.Data db2www CGI program.
Reference: URL:http://xforce.iss.net/alerts/

Buffer overflow in IBM Net.Data db2www CGI program allows remote
attackers to execute arbitrary commands via a long PATH_INFO
environmental variable.

Analysis
----------------
ED_PRI CAN-2000-0677 1
Vendor Acknowledgement: yes

Voting Section
--------------
Possible votes: ACCEPT/MODIFY/NOOP/REVIEWING/RECAST/REJECT
If ACCEPT or MODIFY, include reason for acceptance:
  VERIFIED-BY-MY-ORG, ACKNOWLEDGED-BY-VENDOR, VERIFIED-BY-SOMEONE-I-TRUST,
  HAS-INDEPENDENT-CONFIRMATION, or provide other reason.

VOTE:
ACCEPT_REASON:

COMMENTS:

======================================================
Candidate: CAN-2000-0678
Published:
Final-Decision:
Interim-Decision:
Modified:
Proposed: 20000921
Assigned: 20000825
Category: SF
Reference: CERT:CA-2000-18
Reference: URL:http://www.cert.org/advisories/CA-2000-18.html
Reference: BID:1606
Reference: URL:http://www.securityfocus.com/bid/1606

PGP 5.5.x through 6.5.3 does not properly check if an Additional
Decryption Key (ADK) is stored in the signed portion of a public
certificate, which allows an attacker who can modify a victim's public
certificate to decrypt any data that has been encrypted with the
modified certificate.

Analysis
----------------
ED_PRI CAN-2000-0678 1
Vendor Acknowledgement: yes

Voting Section
--------------
Possible votes: ACCEPT/MODIFY/NOOP/REVIEWING/RECAST/REJECT
If ACCEPT or MODIFY, include reason for acceptance:
  VERIFIED-BY-MY-ORG, ACKNOWLEDGED-BY-VENDOR, VERIFIED-BY-SOMEONE-I-TRUST,
  HAS-INDEPENDENT-CONFIRMATION, or provide other reason.

VOTE:
ACCEPT_REASON:

COMMENTS:

======================================================
Candidate: CAN-2000-0706
Published:
Final-Decision:
Interim-Decision:
Modified:
Proposed: 20000921
Assigned: 20000919
Category: SF
Reference: FREEBSD:FreeBSD-SA-00:36
Reference: URL:http://archives.neohapsis.com/archives/freebsd/2000-08/0095.html
Reference: DEBIAN:20000830 ntop: Still remotely exploitable using buffer overflows
Reference: URL:http://www.debian.org/security/2000/20000830
Reference: BID:1576
Reference: URL:http://www.securityfocus.com/bid/1576

Buffer overflows in ntop running in web mode allow remote attackers
to execute arbitrary commands.

Analysis
----------------
ED_PRI CAN-2000-0706 1
Vendor Acknowledgement: yes advisory

Voting Section
--------------
Possible votes: ACCEPT/MODIFY/NOOP/REVIEWING/RECAST/REJECT
If ACCEPT or MODIFY, include reason for acceptance:
  VERIFIED-BY-MY-ORG, ACKNOWLEDGED-BY-VENDOR, VERIFIED-BY-SOMEONE-I-TRUST,
  HAS-INDEPENDENT-CONFIRMATION, or provide other reason.

VOTE:
ACCEPT_REASON:

COMMENTS:

======================================================
Candidate: CAN-2000-0725
Published:
Final-Decision:
Interim-Decision:
Modified:
Proposed: 20000921
Assigned: 20000919
Category: SF
Reference: CONFIRM:http://www.zope.org/Products/Zope/Hotfix_08_09_2000/security_alert
Reference: REDHAT:RHSA-2000:052-02
Reference: URL:http://archives.neohapsis.com/archives/bugtraq/2000-08/0131.html
Reference: DEBIAN:20000821 zope: unauthorized escalation of privilege (update)
Reference: URL:http://www.debian.org/security/2000/20000821
Reference: BUGTRAQ:20000821 Conectiva Linux Security Announcement - Zope
Reference: URL:http://archives.neohapsis.com/archives/bugtraq/2000-08/0259.html
Reference: BUGTRAQ:20000816 MDKSA-2000:035 Zope update
Reference: URL:http://archives.neohapsis.com/archives/bugtraq/2000-08/0198.html
Reference: BID:1577
Reference: URL:http://www.securityfocus.com/bid/1577

Zope before 2.2.1 does not properly restrict access to the getRoles
method, which allows users who can edit DTML to add or modify roles by
modifying the roles list that is included in a request.

Analysis
----------------
ED_PRI CAN-2000-0725 1
Vendor Acknowledgement: yes advisory

Voting Section
--------------
Possible votes: ACCEPT/MODIFY/NOOP/REVIEWING/RECAST/REJECT
If ACCEPT or MODIFY, include reason for acceptance:
  VERIFIED-BY-MY-ORG, ACKNOWLEDGED-BY-VENDOR, VERIFIED-BY-SOMEONE-I-TRUST,
  HAS-INDEPENDENT-CONFIRMATION, or provide other reason.

VOTE:
ACCEPT_REASON:

COMMENTS:

======================================================
Candidate: CAN-2000-0730
Published:
Final-Decision:
Interim-Decision:
Modified:
Proposed: 20000921
Assigned: 20000919
Category: SF
Reference: HP:HPSBUX0008-118
Reference: URL:http://archives.neohapsis.com/archives/bugtraq/2000-08/0144.html
Reference: BID:1580
Reference: URL:http://www.securityfocus.com/bid/1580

Vulnerability in newgrp command in HP-UX 11.0 allows local users to
gain privileges.

Analysis
----------------
ED_PRI CAN-2000-0730 1
Vendor Acknowledgement: yes advisory

There is insufficient information to determine if this is the same
vulnerability as CVE-1999-0050, which was announced several years
earlier.  To be safe, this is being recorded separately.

Voting Section
--------------
Possible votes: ACCEPT/MODIFY/NOOP/REVIEWING/RECAST/REJECT
If ACCEPT or MODIFY, include reason for acceptance:
  VERIFIED-BY-MY-ORG, ACKNOWLEDGED-BY-VENDOR, VERIFIED-BY-SOMEONE-I-TRUST,
  HAS-INDEPENDENT-CONFIRMATION, or provide other reason.

VOTE:
ACCEPT_REASON:

COMMENTS:

======================================================
Candidate: CAN-2000-0733
Published:
Final-Decision:
Interim-Decision:
Modified:
Proposed: 20000921
Assigned: 20000919
Category: SF
Reference: BUGTRAQ:20000814 [LSD] IRIX telnetd remote vulnerability
Reference: URL:http://archives.neohapsis.com/archives/bugtraq/2000-08/0154.html
Reference: SGI:20000801-02-P
Reference: URL:ftp://sgigate.sgi.com/security/20000801-02-P
Reference: BID:1572
Reference: URL:http://www.securityfocus.com/bid/1572

Telnetd telnet server in IRIX 5.2 through 6.1 does not properly cleanse
user-injected format strings, which allows remote attackers to execute
arbitrary commands via a long RLD variable in the
IAC-SB-TELOPT_ENVIRON request.

Analysis
----------------
ED_PRI CAN-2000-0733 1
Vendor Acknowledgement: yes advisory

While the SGI advisory describes this as a buffer overflow problem, it
is actually a format string problem, as indicated by the references
that SGI includes in its advisory.

Voting Section
--------------
Possible votes: ACCEPT/MODIFY/NOOP/REVIEWING/RECAST/REJECT
If ACCEPT or MODIFY, include reason for acceptance:
  VERIFIED-BY-MY-ORG, ACKNOWLEDGED-BY-VENDOR, VERIFIED-BY-SOMEONE-I-TRUST,
  HAS-INDEPENDENT-CONFIRMATION, or provide other reason.

VOTE:
ACCEPT_REASON:

COMMENTS:

======================================================
Candidate: CAN-2000-0754
Published:
Final-Decision:
Interim-Decision:
Modified:
Proposed: 20000921
Assigned: 20000919
Category: SF
Reference: HP:HPSBUX0008-119
Reference: URL:http://archives.neohapsis.com/archives/bugtraq/2000-08/0144.html
Reference: BID:1581
Reference: URL:http://www.securityfocus.com/bid/1581

Vulnerability in HP OpenView Network Node Manager (NMM) version 6.1
related to passwords.

Analysis
----------------
ED_PRI CAN-2000-0754 1
Vendor Acknowledgement: yes advisory

The HP advisory does not provide additional details.  It is difficult
to tell what the impact/damage is, or whether the problem is locally
or remotely exploitable.

Voting Section
--------------
Possible votes: ACCEPT/MODIFY/NOOP/REVIEWING/RECAST/REJECT
If ACCEPT or MODIFY, include reason for acceptance:
  VERIFIED-BY-MY-ORG, ACKNOWLEDGED-BY-VENDOR, VERIFIED-BY-SOMEONE-I-TRUST,
  HAS-INDEPENDENT-CONFIRMATION, or provide other reason.

VOTE:
ACCEPT_REASON:

COMMENTS:

======================================================
Candidate: CAN-2000-0763
Published:
Final-Decision:
Interim-Decision:
Modified:
Proposed: 20000921
Assigned: 20000919
Category: SF
Reference: BUGTRAQ:20000816 xlock vulnerability
Reference: URL:http://www.securityfocus.com/templates/archive.pike?list=1&msg=20000815231724.A14694@subterrain.net
Reference: DEBIAN:20000816 xlockmore: possible shadow file compromise
Reference: URL:http://www.debian.org/security/2000/20000816
Reference: FREEBSD:FreeBSD-SA-00:44.xlockmore
Reference: URL:http://archives.neohapsis.com/archives/freebsd/2000-08/0340.html
Reference: BUGTRAQ:20000817 Conectiva Linux Security Announcement - xlockmore
Reference: URL:http://archives.neohapsis.com/archives/bugtraq/2000-08/0212.html
Reference: BUGTRAQ:20000823 MDKSA-2000:038 - xlockmore update
Reference: URL:http://archives.neohapsis.com/archives/bugtraq/2000-08/0294.html
Reference: BID:1585
Reference: URL:http://www.securityfocus.com/bid/1585

xlockmore and xlockf do not properly cleanse user-injected format
strings, which allows local users to gain root privileges via the -d
option.

Analysis
----------------
ED_PRI CAN-2000-0763 1
Vendor Acknowledgement: yes advisory

Voting Section
--------------
Possible votes: ACCEPT/MODIFY/NOOP/REVIEWING/RECAST/REJECT
If ACCEPT or MODIFY, include reason for acceptance:
  VERIFIED-BY-MY-ORG, ACKNOWLEDGED-BY-VENDOR, VERIFIED-BY-SOMEONE-I-TRUST,
  HAS-INDEPENDENT-CONFIRMATION, or provide other reason.

VOTE:
ACCEPT_REASON:

COMMENTS:

======================================================
Candidate: CAN-2000-0765
Published:
Final-Decision:
Interim-Decision:
Modified:
Proposed: 20000921
Assigned: 20000919
Category: SF
Reference: MS:MS00-056
Reference: URL:http://www.microsoft.com/technet/security/bulletin/MS00-056.asp
Reference: BID:1561
Reference: URL:http://www.securityfocus.com/bid/1561

Buffer overflow in the HTML interpreter in Microsoft Office 2000
allows an attacker to execute arbitrary commands via a long embedded
object tag, aka the "Microsoft Office HTML Object Tag" vulnerability.

Analysis
----------------
ED_PRI CAN-2000-0765 1
Vendor Acknowledgement: yes advisory

Voting Section
--------------
Possible votes: ACCEPT/MODIFY/NOOP/REVIEWING/RECAST/REJECT
If ACCEPT or MODIFY, include reason for acceptance:
  VERIFIED-BY-MY-ORG, ACKNOWLEDGED-BY-VENDOR, VERIFIED-BY-SOMEONE-I-TRUST,
  HAS-INDEPENDENT-CONFIRMATION, or provide other reason.

VOTE:
ACCEPT_REASON:

COMMENTS:

======================================================
Candidate: CAN-2000-0767
Published:
Final-Decision:
Interim-Decision:
Modified:
Proposed: 20000921
Assigned: 20000919
Category: SF
Reference: MS:MS00-055
Reference: URL:http://www.microsoft.com/technet/security/bulletin/MS00-055.asp
Reference: BID:1564
Reference: URL:http://www.securityfocus.com/bid/1564

The ActiveX control for invoking a scriptlet in Internet Explorer 4.x
and 5.x renders arbitrary file types instead of HTML, which allows an
attacker to read arbitrary files, aka the "Scriptlet Rendering"
vulnerability.

Analysis
----------------
ED_PRI CAN-2000-0767 1
Vendor Acknowledgement: yes advisory

Voting Section
--------------
Possible votes: ACCEPT/MODIFY/NOOP/REVIEWING/RECAST/REJECT
If ACCEPT or MODIFY, include reason for acceptance:
  VERIFIED-BY-MY-ORG, ACKNOWLEDGED-BY-VENDOR, VERIFIED-BY-SOMEONE-I-TRUST,
  HAS-INDEPENDENT-CONFIRMATION, or provide other reason.

VOTE:
ACCEPT_REASON:

COMMENTS:

======================================================
Candidate: CAN-2000-0768
Published:
Final-Decision:
Interim-Decision:
Modified:
Proposed: 20000921
Assigned: 20000919
Category: SF
Reference: MS:MS00-055
Reference: URL:http://www.microsoft.com/technet/security/bulletin/MS00-055.asp
Reference: BID:1564
Reference: URL:http://www.securityfocus.com/bid/1564

A function in Internet Explorer 4.x and 5.x does not properly verify
the domain of a frame within a browser window, which allows a remote
attacker to read client files, aka a variant of the "Frame Domain
Verification" vulnerability.

Analysis
----------------
ED_PRI CAN-2000-0768 1
Vendor Acknowledgement: yes advisory

The original "Frame Domain Verification" problem is described in
MS:MS00-033 and CVE-2000-0465.

Voting Section
--------------
Possible votes: ACCEPT/MODIFY/NOOP/REVIEWING/RECAST/REJECT
If ACCEPT or MODIFY, include reason for acceptance:
  VERIFIED-BY-MY-ORG, ACKNOWLEDGED-BY-VENDOR, VERIFIED-BY-SOMEONE-I-TRUST,
  HAS-INDEPENDENT-CONFIRMATION, or provide other reason.

VOTE:
ACCEPT_REASON:

COMMENTS:

======================================================
Candidate: CAN-2000-0770
Published:
Final-Decision:
Interim-Decision:
Modified:
Proposed: 20000921
Assigned: 20000919
Category: SF
Reference: MS:MS00-057
Reference: URL:http://www.microsoft.com/technet/security/bulletin/MS00-057.asp
Reference: BID:1565
Reference: URL:http://www.securityfocus.com/bid/1565

IIS 4.0 and 5.0 do not properly restrict access to certain types of
files when their parent folders have less restrictive permissions,
which could allow remote attackers to bypass access restrictions to
some files, aka the "File Permission Canonicalization" vulnerability.

Analysis
----------------
ED_PRI CAN-2000-0770 1
Vendor Acknowledgement: yes

Voting Section
--------------
Possible votes: ACCEPT/MODIFY/NOOP/REVIEWING/RECAST/REJECT
If ACCEPT or MODIFY, include reason for acceptance:
  VERIFIED-BY-MY-ORG, ACKNOWLEDGED-BY-VENDOR, VERIFIED-BY-SOMEONE-I-TRUST,
  HAS-INDEPENDENT-CONFIRMATION, or provide other reason.

VOTE:
ACCEPT_REASON:

COMMENTS:

======================================================
Candidate: CAN-2000-0778
Published:
Final-Decision:
Interim-Decision:
Modified:
Proposed: 20000921
Assigned: 20000919
Category: SF
Reference: MS:MS00-058
Reference: URL:http://www.microsoft.com/technet/security/bulletin/MS00-058.asp
Reference: BUGTRAQ:20000815 Translate:f summary, history and thoughts
Reference: URL:http://www.securityfocus.com/templates/archive.pike?list=1&msg=080D5336D882D211B56B0060080F2CD696A7C9@beta.mia.cz
Reference: NTBUGTRAQ:20000816 Translate: f
Reference: URL:http://www.ntbugtraq.com/default.asp?pid=36&sid=1&A2=ind0008&L=ntbugtraq&F=&S=&P=5212
Reference: BID:1578
Reference: URL:http://www.securityfocus.com/bid/1578

IIS 5.0 allows remote attackers to obtain source code for .ASP files
and other scripts via an HTTP GET request with a "Translate: f"
header, aka the "Specialized Header" vulnerability.

Analysis
----------------
ED_PRI CAN-2000-0778 1
Vendor Acknowledgement: yes advisory

Voting Section
--------------
Possible votes: ACCEPT/MODIFY/NOOP/REVIEWING/RECAST/REJECT
If ACCEPT or MODIFY, include reason for acceptance:
  VERIFIED-BY-MY-ORG, ACKNOWLEDGED-BY-VENDOR, VERIFIED-BY-SOMEONE-I-TRUST,
  HAS-INDEPENDENT-CONFIRMATION, or provide other reason.

VOTE:
ACCEPT_REASON:

COMMENTS:

======================================================
Candidate: CAN-2000-0787
Published:
Final-Decision:
Interim-Decision:
Modified:
Proposed: 20000921
Assigned: 20000919
Category: SF
Reference: BUGTRAQ:20000817 XChat URL handler vulnerabilty
Reference: URL:http://archives.neohapsis.com/archives/bugtraq/2000-08/0215.html
Reference: BID:1601
Reference: URL:http://www.securityfocus.com/bid/1601
Reference: REDHAT:RHSA-2000:055-03
Reference: URL:http://www.redhat.com/support/errata/RHSA-2000-055-03.html
Reference: BUGTRAQ:20000824 MDKSA-2000:039 - xchat update
Reference: URL:http://archives.neohapsis.com/archives/bugtraq/2000-08/0301.html
Reference: BUGTRAQ:20000825 Conectiva Linux Security Announcement - xchat
Reference: URL:http://archives.neohapsis.com/archives/bugtraq/2000-08/0305.html

IRC Xchat client versions 1.4.2 and earlier allow remote attackers to
execute arbitrary commands by encoding shell metacharacters into a URL
which XChat uses to launch a web browser.

Analysis
----------------
ED_PRI CAN-2000-0787 1
Vendor Acknowledgement: yes

Voting Section
--------------
Possible votes: ACCEPT/MODIFY/NOOP/REVIEWING/RECAST/REJECT
If ACCEPT or MODIFY, include reason for acceptance:
  VERIFIED-BY-MY-ORG, ACKNOWLEDGED-BY-VENDOR, VERIFIED-BY-SOMEONE-I-TRUST,
  HAS-INDEPENDENT-CONFIRMATION, or provide other reason.

VOTE:
ACCEPT_REASON:

COMMENTS:

======================================================
Candidate: CAN-2000-0800
Published:
Final-Decision:
Interim-Decision:
Modified:
Proposed: 20000921
Assigned: 20000919
Category: SF
Reference: SUSE:20000810 Security Hole in knfsd, all versions
Reference: URL:http://www.suse.de/de/support/security/suse_security_announce_58.txt

String parsing error in rpc.kstatd in the linuxnfs or knfsd packages
in SuSE and possibly other Linux systems allows remote attackers to
gain root privileges.

Analysis
----------------
ED_PRI CAN-2000-0800 1
Vendor Acknowledgement: yes

DESCRIPTION:

This sounds like one of the new format string problems, but the
wording of the advisory is unclear.

Voting Section
--------------
Possible votes: ACCEPT/MODIFY/NOOP/REVIEWING/RECAST/REJECT
If ACCEPT or MODIFY, include reason for acceptance:
  VERIFIED-BY-MY-ORG, ACKNOWLEDGED-BY-VENDOR, VERIFIED-BY-SOMEONE-I-TRUST,
  HAS-INDEPENDENT-CONFIRMATION, or provide other reason.

VOTE:
ACCEPT_REASON:

COMMENTS:

======================================================
Candidate: CAN-2000-0708
Published:
Final-Decision:
Interim-Decision:
Modified:
Proposed: 20000921
Assigned: 20000919
Category: SF
Reference: NTBUGTRAQ:20000824 Remote DoS Attack in Pragma TelnetServer 2000 (Remote Execute Daemon) Vulnerability
Reference: URL:http://www.ntbugtraq.com/default.asp?pid=36&sid=1&A2=ind0008&L=NTBUGTRAQ&P=R4247
Reference: BID:1605
Reference: URL:http://www.securityfocus.com/bid/1605

Buffer overflow in Pragma Systems TelnetServer 2000 version 4.0 allows
remote attackers to cause a denial of service via a long series of
null characters to the rexec port.

Analysis
----------------
ED_PRI CAN-2000-0708 2
Vendor Acknowledgement: yes web-page

Vendor acknowledgement at http://www.pragmasys.com/TelnetServer/ :

  "USSRLabs reported a buffer overflow security breach for TelnetD
   Server Version 4 Build 4 for NT. This problem has been corrected
   and is now available for download"

Voting Section
--------------
Possible votes: ACCEPT/MODIFY/NOOP/REVIEWING/RECAST/REJECT
If ACCEPT or MODIFY, include reason for acceptance:
  VERIFIED-BY-MY-ORG, ACKNOWLEDGED-BY-VENDOR, VERIFIED-BY-SOMEONE-I-TRUST,
  HAS-INDEPENDENT-CONFIRMATION, or provide other reason.

VOTE:
ACCEPT_REASON:

COMMENTS:

======================================================
Candidate: CAN-2000-0709
Published:
Final-Decision:
Interim-Decision:
Modified:
Proposed: 20000921
Assigned: 20000919
Category: SF
Reference: BUGTRAQ:20000823 Xato Advisory: FrontPage DOS Device DoS
Reference: URL:http://archives.neohapsis.com/archives/bugtraq/2000-08/0288.html
Reference: CONFIRM:http://msdn.microsoft.com/workshop/languages/fp/2000/sr12.asp
Reference: BID:1608
Reference: URL:http://www.securityfocus.com/bid/1608

The shtml.exe component of Microsoft FrontPage 2000 Server Extensions
1.1 allows remote attackers to cause a denial of service in some
components by requesting a URL whose name includes a standard DOS
device name.

Analysis
----------------
ED_PRI CAN-2000-0709 2
Vendor Acknowledgement: yes patch

Voting Section
--------------
Possible votes: ACCEPT/MODIFY/NOOP/REVIEWING/RECAST/REJECT
If ACCEPT or MODIFY, include reason for acceptance:
  VERIFIED-BY-MY-ORG, ACKNOWLEDGED-BY-VENDOR, VERIFIED-BY-SOMEONE-I-TRUST,
  HAS-INDEPENDENT-CONFIRMATION, or provide other reason.

VOTE:
ACCEPT_REASON:

COMMENTS:

======================================================
Candidate: CAN-2000-0718
Published:
Final-Decision:
Interim-Decision:
Modified:
Proposed: 20000921
Assigned: 20000919
Category: SF
Reference: BUGTRAQ:20000812 MDKSA-2000:034 MandrakeUpdate update
Reference: URL:http://archives.neohapsis.com/archives/bugtraq/2000-08/0146.html
Reference: BID:1567
Reference: URL:http://www.securityfocus.com/vdb/bottom.html?vid=1567

A race condition in MandrakeUpdate allows local users to modify RPM
files while they are in the /tmp directory before they are installed.

Analysis
----------------
ED_PRI CAN-2000-0718 2
Vendor Acknowledgement: yes advisory

Voting Section
--------------
Possible votes: ACCEPT/MODIFY/NOOP/REVIEWING/RECAST/REJECT
If ACCEPT or MODIFY, include reason for acceptance:
  VERIFIED-BY-MY-ORG, ACKNOWLEDGED-BY-VENDOR, VERIFIED-BY-SOMEONE-I-TRUST,
  HAS-INDEPENDENT-CONFIRMATION, or provide other reason.

VOTE:
ACCEPT_REASON:

COMMENTS:

======================================================
Candidate: CAN-2000-0743
Published:
Final-Decision:
Interim-Decision:
Modified:
Proposed: 20000921
Assigned: 20000919
Category: SF
Reference: BUGTRAQ:20000810 Remote vulnerability in Gopherd 2.x
Reference: URL:http://archives.neohapsis.com/archives/bugtraq/2000-08/0112.html
Reference: BID:1569
Reference: URL:http://www.securityfocus.com/bid/1569

Buffer overflow in University of Minnesota (UMN) gopherd 2.x allows
remote attackers to execute arbitrary commands via a DES key
generation request (GDESkey) that contains a long ticket value.

Analysis
----------------
ED_PRI CAN-2000-0743 2
Vendor Acknowledgement: yes patch

ACKNOWLEDGEMENT:

Lines 501-503 of gopher2_3.1/gopherd/authenticate.c in the following
distribution provide the patch as suggested in the original post:

  ftp://boombox.micro.umn.edu/pub/gopher/Unix/gopher2_3.1.tar.gz

Voting Section
--------------
Possible votes: ACCEPT/MODIFY/NOOP/REVIEWING/RECAST/REJECT
If ACCEPT or MODIFY, include reason for acceptance:
  VERIFIED-BY-MY-ORG, ACKNOWLEDGED-BY-VENDOR, VERIFIED-BY-SOMEONE-I-TRUST,
  HAS-INDEPENDENT-CONFIRMATION, or provide other reason.

VOTE:
ACCEPT_REASON:

COMMENTS:

======================================================
Candidate: CAN-2000-0744
Published:
Final-Decision:
Interim-Decision:
Modified:
Proposed: 20000921
Assigned: 20000919
Category: SF
Reference: BUGTRAQ:20000810 Remote vulnerability in Gopherd 2.x
Reference: URL:http://archives.neohapsis.com/archives/bugtraq/2000-08/0112.html
Reference: BID:1569
Reference: URL:http://www.securityfocus.com/bid/1569

Buffer overflow in University of Minnesota (UMN) gopherd 2.x allows
remote attackers to execute arbitrary commands via a DES key
generation request (GDESkey) that contains a long ticket value.

Analysis
----------------
ED_PRI CAN-2000-0744 2
Vendor Acknowledgement: yes patch

Voting Section
--------------
Possible votes: ACCEPT/MODIFY/NOOP/REVIEWING/RECAST/REJECT
If ACCEPT or MODIFY, include reason for acceptance:
  VERIFIED-BY-MY-ORG, ACKNOWLEDGED-BY-VENDOR, VERIFIED-BY-SOMEONE-I-TRUST,
  HAS-INDEPENDENT-CONFIRMATION, or provide other reason.

VOTE:
ACCEPT_REASON:

COMMENTS:

======================================================
Candidate: CAN-2000-0745
Published:
Final-Decision:
Interim-Decision:
Modified:
Proposed: 20000921
Assigned: 20000919
Category: SF
Reference: BUGTRAQ:20000821 Vuln. in all sites using PHP-Nuke, versions less than 3
Reference: URL:http://archives.neohapsis.com/archives/bugtraq/2000-08/0243.html
Reference: BID:1592
Reference: URL:http://www.securityfocus.com/bid/1592

admin.php3 in PHP-Nuke does not properly verify the PHP-Nuke
administrator password, which allows remote attackers to gain
privileges by requesting a URL that does not specify the aid or pwd
parameter.

Analysis
----------------
ED_PRI CAN-2000-0745 2
Vendor Acknowledgement: yes changelog

ACKNOWLEDGEMENT:

The CHANGES file in the PHP-Nuke-3.0.tar.gz distribution at:
  http://www.ncc.org.ve/php-nuke.php3?op=download&location=&file=

includes the following:

>August 2000: Version 3.0
>========================
>- Fixed security bug in admin.php3 that allows anyone to enter to the
>  admin section without login and password

Voting Section
--------------
Possible votes: ACCEPT/MODIFY/NOOP/REVIEWING/RECAST/REJECT
If ACCEPT or MODIFY, include reason for acceptance:
  VERIFIED-BY-MY-ORG, ACKNOWLEDGED-BY-VENDOR, VERIFIED-BY-SOMEONE-I-TRUST,
  HAS-INDEPENDENT-CONFIRMATION, or provide other reason.

VOTE:
ACCEPT_REASON:

COMMENTS:

======================================================
Candidate: CAN-2000-0758
Published:
Final-Decision:
Interim-Decision:
Modified:
Proposed: 20000921
Assigned: 20000919
Category: SF
Reference: BUGTRAQ:20000811 Lyris List Manager Administration Hole
Reference: URL:http://archives.neohapsis.com/archives/bugtraq/2000-08/0149.html
Reference: CONFIRM:http://www.lyris.com/lm/lm_updates.html
Reference: BID:1584
Reference: URL:http://www.securityfocus.com/bid/1584

The web interface for Lyris List Manager 3 and 4 allows list
subscribers to obtain administrative access by modifying the value of
the list_admin hidden form field.

Analysis
----------------
ED_PRI CAN-2000-0758 2
Vendor Acknowledgement: yes web-page

Voting Section
--------------
Possible votes: ACCEPT/MODIFY/NOOP/REVIEWING/RECAST/REJECT
If ACCEPT or MODIFY, include reason for acceptance:
  VERIFIED-BY-MY-ORG, ACKNOWLEDGED-BY-VENDOR, VERIFIED-BY-SOMEONE-I-TRUST,
  HAS-INDEPENDENT-CONFIRMATION, or provide other reason.

VOTE:
ACCEPT_REASON:

COMMENTS:

======================================================
Candidate: CAN-2000-0761
Published:
Final-Decision:
Interim-Decision:
Modified:
Proposed: 20000921
Assigned: 20000919
Category: SF
Reference: BUGTRAQ:20000815 OS/2 Warp 4.5 FTP Server DoS
Reference: URL:http://archives.neohapsis.com/archives/bugtraq/2000-08/0166.html
Reference: CONFIRM:ftp://ftp.software.ibm.com/ps/products/tcpip/fixes/v4.3os2/ic27721/README
Reference: BID:1582
Reference: URL:http://www.securityfocus.com/bid/1582

OS2/Warp 4.5 FTP server allows remote attackers to cause a denial of
service via a long username.

Analysis
----------------
ED_PRI CAN-2000-0761 2
Vendor Acknowledgement: yes patch

Voting Section
--------------
Possible votes: ACCEPT/MODIFY/NOOP/REVIEWING/RECAST/REJECT
If ACCEPT or MODIFY, include reason for acceptance:
  VERIFIED-BY-MY-ORG, ACKNOWLEDGED-BY-VENDOR, VERIFIED-BY-SOMEONE-I-TRUST,
  HAS-INDEPENDENT-CONFIRMATION, or provide other reason.

VOTE:
ACCEPT_REASON:

COMMENTS:

======================================================
Candidate: CAN-2000-0780
Published:
Final-Decision:
Interim-Decision:
Modified:
Proposed: 20000921
Assigned: 20000919
Category: SF
Reference: BUGTRAQ:20000830 Vulnerability Report On IPSWITCH's IMail
Reference: URL:http://marc.theaimsgroup.com/?l=bugtraq&m=96767207207553&w=2
Reference: CONFIRM:http://www.ipswitch.com/Support/IMail/news.html
Reference: BID:1617
Reference: URL:http://www.securityfocus.com/bid/1617

The web server in IPSWITCH IMail 6.04 and earlier allows remote
attackers to read and delete arbitrary files via a .. (dot dot) attack.

Analysis
----------------
ED_PRI CAN-2000-0780 2
Vendor Acknowledgement: yes news

Voting Section
--------------
Possible votes: ACCEPT/MODIFY/NOOP/REVIEWING/RECAST/REJECT
If ACCEPT or MODIFY, include reason for acceptance:
  VERIFIED-BY-MY-ORG, ACKNOWLEDGED-BY-VENDOR, VERIFIED-BY-SOMEONE-I-TRUST,
  HAS-INDEPENDENT-CONFIRMATION, or provide other reason.

VOTE:
ACCEPT_REASON:

COMMENTS:

======================================================
Candidate: CAN-2000-0782
Published:
Final-Decision:
Interim-Decision:
Modified:
Proposed: 20000921
Assigned: 20000919
Category: SF
Reference: BUGTRAQ:20000817 Netauth: Web Based Email Management System
Reference: URL:http://www.securityfocus.com/templates/archive.pike?list=1&msg=NEBBJCLKGNOGCOIOBJNAGEHLCPAA.marc@eeye.com
Reference: CONFIRM:http://netwinsite.com/netauth/updates.htm
Reference: BID:1587
Reference: URL:http://www.securityfocus.com/bid/1587

netauth.cgi program in Netwin Netauth 4.2e and earlier allows remote
attackers to read arbitrary files via a .. (dot dot) attack.

Analysis
----------------
ED_PRI CAN-2000-0782 2
Vendor Acknowledgement: yes changelog

Voting Section
--------------
Possible votes: ACCEPT/MODIFY/NOOP/REVIEWING/RECAST/REJECT
If ACCEPT or MODIFY, include reason for acceptance:
  VERIFIED-BY-MY-ORG, ACKNOWLEDGED-BY-VENDOR, VERIFIED-BY-SOMEONE-I-TRUST,
  HAS-INDEPENDENT-CONFIRMATION, or provide other reason.

VOTE:
ACCEPT_REASON:

COMMENTS:

======================================================
Candidate: CAN-2000-0792
Published:
Final-Decision:
Interim-Decision:
Modified:
Proposed: 20000921
Assigned: 20000919
Category: SF
Reference: BUGTRAQ:20000819 Security update for Gnome-Lokkit
Reference: URL:http://archives.neohapsis.com/archives/bugtraq/2000-08/0252.html
Reference: BID:1590
Reference: URL:http://www.securityfocus.com/bid/1590

Gnome Lokkit firewall package before 0.41 does not properly restrict
access to some ports, even if a user does not make any services
available.

Analysis
----------------
ED_PRI CAN-2000-0792 2
Vendor Acknowledgement: yes post

Voting Section
--------------
Possible votes: ACCEPT/MODIFY/NOOP/REVIEWING/RECAST/REJECT
If ACCEPT or MODIFY, include reason for acceptance:
  VERIFIED-BY-MY-ORG, ACKNOWLEDGED-BY-VENDOR, VERIFIED-BY-SOMEONE-I-TRUST,
  HAS-INDEPENDENT-CONFIRMATION, or provide other reason.

VOTE:
ACCEPT_REASON:

COMMENTS:

======================================================
Candidate: CAN-2000-0686
Published:
Final-Decision:
Interim-Decision:
Modified:
Proposed: 20000921
Assigned: 20000919
Category: SF
Reference: BUGTRAQ:20000823 Auction WeaverT LITE 1.0
Reference: URL:http://archives.neohapsis.com/archives/bugtraq/2000-08/0310.html
Reference: BID:1630
Reference: URL:http://www.securityfocus.com/bid/1630

Auction Weaver CGI script 1.03 and earlier allows remote attackers to
read arbitrary files via a .. (dot dot) attack in the fromfile
parameter.

Analysis
----------------
ED_PRI CAN-2000-0686 3
Vendor Acknowledgement: yes patch
Content Decisions: SF-LOC

It is not certain if this problem was fixed in 1.02 or 1.03.

The source code from http://www.cgiscriptcenter.com/awl/awl10.zip
indicates that the catdir parameter is cleansed in different lines of
code than the fromfile parameter.  Thus CD:SF-LOC says to have
separate entries for fromfile vs. catdir.

The fromfile and catdir parameters also suffered from a shell
metacharacter problem, so CD:SF-LOC says to keep them separate
as well.  Also, there was at least one version that had this problem
but not the shell metacharacter problem.

Voting Section
--------------
Possible votes: ACCEPT/MODIFY/NOOP/REVIEWING/RECAST/REJECT
If ACCEPT or MODIFY, include reason for acceptance:
  VERIFIED-BY-MY-ORG, ACKNOWLEDGED-BY-VENDOR, VERIFIED-BY-SOMEONE-I-TRUST,
  HAS-INDEPENDENT-CONFIRMATION, or provide other reason.

VOTE:
ACCEPT_REASON:

COMMENTS:

======================================================
Candidate: CAN-2000-0687
Published:
Final-Decision:
Interim-Decision:
Modified:
Proposed: 20000921
Assigned: 20000919
Category: SF
Reference: BUGTRAQ:20000823 Auction WeaverT LITE 1.0
Reference: URL:http://archives.neohapsis.com/archives/bugtraq/2000-08/0310.html
Reference: BID:1630
Reference: URL:http://www.securityfocus.com/bid/1630

Auction Weaver CGI script 1.03 and earlier allows remote attackers to
read arbitrary files via a .. (dot dot) attack in the catdir
parameter.

Analysis
----------------
ED_PRI CAN-2000-0687 3
Vendor Acknowledgement: yes patch
Content Decisions: SF-LOC

It is not certain if this problem was fixed in 1.02 or 1.03.

A look at the source code from
http://www.cgiscriptcenter.com/awl/awl10.zip indicates that the catdir
parameter is cleansed in different lines of code than the fromfile
parameter.  Thus CD:SF-LOC says to have separate entries for fromfile
vs. catdir.

The fromfile and catdir parameters also suffered from a shell
metacharacter problem, so CD:SF-LOC says to keep them separate
as well.  Also, there was at least one version that had this problem
but not the shell metacharacter problem.

Voting Section
--------------
Possible votes: ACCEPT/MODIFY/NOOP/REVIEWING/RECAST/REJECT
If ACCEPT or MODIFY, include reason for acceptance:
  VERIFIED-BY-MY-ORG, ACKNOWLEDGED-BY-VENDOR, VERIFIED-BY-SOMEONE-I-TRUST,
  HAS-INDEPENDENT-CONFIRMATION, or provide other reason.

VOTE:
ACCEPT_REASON:

COMMENTS:

======================================================
Candidate: CAN-2000-0688
Published:
Final-Decision:
Interim-Decision:
Modified:
Proposed: 20000921
Assigned: 20000919
Category: SF
Reference: BUGTRAQ:20000823 Subscribe Me Vulnerability
Reference: URL:http://archives.neohapsis.com/archives/bugtraq/2000-08/0292.html
Reference: BUGTRAQ:20000823 Re: Subscribe Me CGI Vulnerability
Reference: URL:http://marc.theaimsgroup.com/?l=bugtraq&m=96722957421029&w=2
Reference: CONFIRM:http://www.cgiscriptcenter.com/subscribe/
Reference: BID:1607
Reference: URL:http://www.securityfocus.com/bid/1607

Subscribe Me LITE does not properly authenticate attempts to change
the administrator password, which allows remote attackers to gain
privileges for the Account Manager by directly calling the
subscribe.pl script with the setpwd parameter.

Analysis
----------------
ED_PRI CAN-2000-0688 3
Vendor Acknowledgement: yes email-followup
Content Decisions: SF-EXEC

This is the same type of problem as the one in Account Manager LITE.
Although the two products are provided by the same vendor, they are
distributed separately, thus aren't part of the same package.
Therefore CD:SF-EXEC says to keep this one separate from the Subscribe
Me LITE problem.

Voting Section
--------------
Possible votes: ACCEPT/MODIFY/NOOP/REVIEWING/RECAST/REJECT
If ACCEPT or MODIFY, include reason for acceptance:
  VERIFIED-BY-MY-ORG, ACKNOWLEDGED-BY-VENDOR, VERIFIED-BY-SOMEONE-I-TRUST,
  HAS-INDEPENDENT-CONFIRMATION, or provide other reason.

VOTE:
ACCEPT_REASON:

COMMENTS:

======================================================
Candidate: CAN-2000-0689
Published:
Final-Decision:
Interim-Decision:
Modified:
Proposed: 20000921
Assigned: 20000919
Category: SF
Reference: BUGTRAQ:20000823 Account Manager CGI Vulnerability
Reference: URL:http://archives.neohapsis.com/archives/bugtraq/2000-08/0291.html
Reference: CONFIRM:http://www.cgiscriptcenter.com/acctlite/
Reference: BID:1604
Reference: URL:http://www.securityfocus.com/bid/1604

Account Manager LITE does not properly authenticate attempts to change
the administrator password, which allows remote attackers to gain
privileges for the Account Manager by directly calling the amadmin.pl
script with the setpasswd parameter.

Analysis
----------------
ED_PRI CAN-2000-0689 3
Vendor Acknowledgement: unknown
Content Decisions: SF-EXEC

This is the same type of problem as the one in Subscribe Me LITE.
Although the two products are provided by the same vendor, they are
distributed separately, thus aren't part of the same package.
Therefore CD:SF-EXEC says to keep this one separate from the Subscribe
Me LITE problem.

Voting Section
--------------
Possible votes: ACCEPT/MODIFY/NOOP/REVIEWING/RECAST/REJECT
If ACCEPT or MODIFY, include reason for acceptance:
  VERIFIED-BY-MY-ORG, ACKNOWLEDGED-BY-VENDOR, VERIFIED-BY-SOMEONE-I-TRUST,
  HAS-INDEPENDENT-CONFIRMATION, or provide other reason.

VOTE:
ACCEPT_REASON:

COMMENTS:

======================================================
Candidate: CAN-2000-0692
Published:
Final-Decision:
Interim-Decision:
Modified:
Proposed: 20000921
Assigned: 20000919
Category: SF
Reference: BUGTRAQ:20000822 DOS on RealSecure 3.2
Reference: URL:http://archives.neohapsis.com/archives/bugtraq/2000-08/0267.html
Reference: BID:1597
Reference: URL:http://www.securityfocus.com/bid/1597

ISS RealSecure 3.2.1 and 3.2.2 allows remote attackers to cause a
denial of service via a flood of fragmented packets with the SYN flag
set.

Analysis
----------------
ED_PRI CAN-2000-0692 3
Vendor Acknowledgement: unknown

Voting Section
--------------
Possible votes: ACCEPT/MODIFY/NOOP/REVIEWING/RECAST/REJECT
If ACCEPT or MODIFY, include reason for acceptance:
  VERIFIED-BY-MY-ORG, ACKNOWLEDGED-BY-VENDOR, VERIFIED-BY-SOMEONE-I-TRUST,
  HAS-INDEPENDENT-CONFIRMATION, or provide other reason.

VOTE:
ACCEPT_REASON:

COMMENTS:

======================================================
Candidate: CAN-2000-0698
Published:
Final-Decision:
Interim-Decision:
Modified:
Proposed: 20000921
Assigned: 20000919
Category: SF
Reference: BUGTRAQ:20000819 RH 6.1 / 6.2 minicom vulnerability
Reference: URL:http://www.securityfocus.com/archive/1/77361
Reference: BID:1599
Reference: URL:http://www.securityfocus.com/bid/1599

Minicom 1.82.1 and earlier on some Linux systems allows local users to
create arbitrary files via a symlink attack.

Analysis
----------------
ED_PRI CAN-2000-0698 3
Vendor Acknowledgement: unknown

Voting Section
--------------
Possible votes: ACCEPT/MODIFY/NOOP/REVIEWING/RECAST/REJECT
If ACCEPT or MODIFY, include reason for acceptance:
  VERIFIED-BY-MY-ORG, ACKNOWLEDGED-BY-VENDOR, VERIFIED-BY-SOMEONE-I-TRUST,
  HAS-INDEPENDENT-CONFIRMATION, or provide other reason.

VOTE:
ACCEPT_REASON:

COMMENTS:

======================================================
Candidate: CAN-2000-0702
Published:
Final-Decision:
Interim-Decision:
Modified:
Proposed: 20000921
Assigned: 20000919
Category: SF
Reference: BUGTRAQ:20000821 [HackersLab bugpaper] HP-UX net.init rc script
Reference: URL:http://archives.neohapsis.com/archives/bugtraq/2000-08/0261.html
Reference: BID:1602
Reference: URL:http://www.securityfocus.com/bid/1602

The net.init rc script in HP-UX 11.00 (S008net.init) allows local
users to overwrite arbitrary files via a symlink attack that points
from /tmp/stcp.conf to the targeted file.

Analysis
----------------
ED_PRI CAN-2000-0702 3
Vendor Acknowledgement: unknown

Voting Section
--------------
Possible votes: ACCEPT/MODIFY/NOOP/REVIEWING/RECAST/REJECT
If ACCEPT or MODIFY, include reason for acceptance:
  VERIFIED-BY-MY-ORG, ACKNOWLEDGED-BY-VENDOR, VERIFIED-BY-SOMEONE-I-TRUST,
  HAS-INDEPENDENT-CONFIRMATION, or provide other reason.

VOTE:
ACCEPT_REASON:

COMMENTS:

======================================================
Candidate: CAN-2000-0710
Published:
Final-Decision:
Interim-Decision:
Modified:
Proposed: 20000921
Assigned: 20000919
Category: SF
Reference: BUGTRAQ:20000823 Xato Advisory: FrontPage DOS Device DoS
Reference: URL:http://archives.neohapsis.com/archives/bugtraq/2000-08/0288.html
Reference: CONFIRM:http://msdn.microsoft.com/workshop/languages/fp/2000/sr12.asp
Reference: BID:1608
Reference: URL:http://www.securityfocus.com/bid/1608

The shtml.exe component of Microsoft FrontPage 2000 Server Extensions
1.1 allows remote attackers to determine the physical path of the server
components by requesting an invalid URL whose name includes a standard
DOS device name.

Analysis
----------------
ED_PRI CAN-2000-0710 3
Vendor Acknowledgement: yes patch
Content Decisions: DESIGN-REAL-PATH

CD:DESIGN-REAL-PATH says that revealing physical path information to
remote attackers is an exposure, and thus should be included in CVE.

Voting Section
--------------
Possible votes: ACCEPT/MODIFY/NOOP/REVIEWING/RECAST/REJECT
If ACCEPT or MODIFY, include reason for acceptance:
  VERIFIED-BY-MY-ORG, ACKNOWLEDGED-BY-VENDOR, VERIFIED-BY-SOMEONE-I-TRUST,
  HAS-INDEPENDENT-CONFIRMATION, or provide other reason.

VOTE:
ACCEPT_REASON:

COMMENTS:

======================================================
Candidate: CAN-2000-0716
Published:
Final-Decision:
Interim-Decision:
Modified:
Proposed: 20000921
Assigned: 20000919
Category: SF
Reference: NTBUGTRAQ:20000809 Session hijacking in Alt-N's MDaemon 2.8
Reference: URL:http://www.ntbugtraq.com/default.asp?pid=36&sid=1&A2=ind0008&L=ntbugtraq&F=&S=&P=459
Reference: BID:1553
Reference: URL:http://www.securityfocus.com/bid/1553

WorldClient email client in MDaemon 2.8 includes the session ID in the
referer field of an HTTP request when the user clicks on a URL, which
allows the visited web site to hijack the session ID and read the
user's email.

Analysis
----------------
ED_PRI CAN-2000-0716 3
Vendor Acknowledgement: unknown

Voting Section
--------------
Possible votes: ACCEPT/MODIFY/NOOP/REVIEWING/RECAST/REJECT
If ACCEPT or MODIFY, include reason for acceptance:
  VERIFIED-BY-MY-ORG, ACKNOWLEDGED-BY-VENDOR, VERIFIED-BY-SOMEONE-I-TRUST,
  HAS-INDEPENDENT-CONFIRMATION, or provide other reason.

VOTE:
ACCEPT_REASON:

COMMENTS:

======================================================
Candidate: CAN-2000-0719
Published:
Final-Decision:
Interim-Decision:
Modified:
Proposed: 20000921
Assigned: 20000919
Category: SF
Reference: BUGTRAQ:20000810 VariCAD 7.0 premission vulnerability
Reference: URL:http://archives.neohapsis.com/archives/bugtraq/2000-08/0126.html

VariCAD 7.0 is installed with world-writeable files, which allows
local users to replace the VariCAD programs with a Trojan horse program.

Analysis
----------------
ED_PRI CAN-2000-0719 3
Vendor Acknowledgement: unknown
Content Decisions: INSTALL-PERM

ABSTRACTION ISSUE:

Some problems like this one are related to installations of files that
set improper permissions.  Should each separate file get a separate
CVE entry?  Or should dot notation be used?  This question has been
labeled as CD:INSTALL-PERM.

Voting Section
--------------
Possible votes: ACCEPT/MODIFY/NOOP/REVIEWING/RECAST/REJECT
If ACCEPT or MODIFY, include reason for acceptance:
  VERIFIED-BY-MY-ORG, ACKNOWLEDGED-BY-VENDOR, VERIFIED-BY-SOMEONE-I-TRUST,
  HAS-INDEPENDENT-CONFIRMATION, or provide other reason.

VOTE:
ACCEPT_REASON:

COMMENTS:

======================================================
Candidate: CAN-2000-0721
Published:
Final-Decision:
Interim-Decision:
Modified:
Proposed: 20000921
Assigned: 20000919
Category: SF
Reference: BUGTRAQ:20000810 FlagShip v4.48.7449 premission vulnerability
Reference: URL:http://archives.neohapsis.com/archives/bugtraq/2000-08/0114.html
Reference: BID:1586
Reference: URL:http://www.securityfocus.com/bid/1586

The FSserial, FlagShip_c, and FlagShip_p programs in the FlagShip
package are installed world-writeable, which allows local users to
replace them with Trojan horses.

Analysis
----------------
ED_PRI CAN-2000-0721 3
Vendor Acknowledgement: unknown
Content Decisions: INSTALL-PERM

ABSTRACTION ISSUE:

Some problems like this one are related to installations of files that
set improper permissions.  Should each separate file get a separate
CVE entry?  Or should dot notation be used?  This question has been
labeled as CD:INSTALL-PERM.

Voting Section
--------------
Possible votes: ACCEPT/MODIFY/NOOP/REVIEWING/RECAST/REJECT
If ACCEPT or MODIFY, include reason for acceptance:
  VERIFIED-BY-MY-ORG, ACKNOWLEDGED-BY-VENDOR, VERIFIED-BY-SOMEONE-I-TRUST,
  HAS-INDEPENDENT-CONFIRMATION, or provide other reason.

VOTE:
ACCEPT_REASON:

COMMENTS:

======================================================
Candidate: CAN-2000-0722
Published:
Final-Decision:
Interim-Decision:
Modified:
Proposed: 20000921
Assigned: 20000919
Category: SF
Reference: BUGTRAQ:20000819 Multiple Local Vulnerabilities in Helix Gnome Installer
Reference: URL:http://www.securityfocus.com/templates/archive.pike?list=1&msg=E13QAYl-0007il-00@the-village.bc.nu
Reference: BUGTRAQ:20000820 Helix Code Security Advisory - Helix GNOME Update
Reference: URL:http://archives.neohapsis.com/archives/bugtraq/2000-08/0240.html
Reference: BUGTRAQ:20000820 [Helix Beta] Helix Code Security Advisory - Helix GNOME Installer
Reference: URL:http://archives.neohapsis.com/archives/bugtraq/2000-08/0251.html
Reference: BID:1593
Reference: URL:http://www.securityfocus.com/bid/1593

Helix GNOME Updater helix-update 0.5 and earlier allows local users to
install arbitrary RPM packages by creating the /tmp/helix-install
installation directory before root has begun installing packages.

Analysis
----------------
ED_PRI CAN-2000-0722 3
Vendor Acknowledgement: yes advisory
Content Decisions: SF-LOC, EX-BETA

INCLUSION:

A poster suggests that this software is in beta, in which case
CD:EX-BETA might suggest that this problem should be excluded from
CVE.  However, the poster also says that it appears that many people
may be using the products, in which case CD:EX-BETA would make an
exception and suggest that this should be included.

ABSTRACTION:

CD:SF-LOC applies because there may be multiple bugs in the same
software, namely this one and the overwriting of various /etc files.
However, the /etc problem only applies to some affected OSes, which is
an indicator that the bugs did not occur on the same line of code.
Thus CD:SF-LOC, in the absence of additional information, suggests
that these problems remain split.

Voting Section
--------------
Possible votes: ACCEPT/MODIFY/NOOP/REVIEWING/RECAST/REJECT
If ACCEPT or MODIFY, include reason for acceptance:
  VERIFIED-BY-MY-ORG, ACKNOWLEDGED-BY-VENDOR, VERIFIED-BY-SOMEONE-I-TRUST,
  HAS-INDEPENDENT-CONFIRMATION, or provide other reason.

VOTE:
ACCEPT_REASON:

COMMENTS:

======================================================
Candidate: CAN-2000-0723
Published:
Final-Decision:
Interim-Decision:
Modified:
Proposed: 20000921
Assigned: 20000919
Category: SF
Reference: BUGTRAQ:20000819 Multiple Local Vulnerabilities in Helix Gnome Installer
Reference: URL:http://www.securityfocus.com/templates/archive.pike?list=1&msg=E13QAYl-0007il-00@the-village.bc.nu
Reference: BUGTRAQ:20000820 [Helix Beta] Helix Code Security Advisory - Helix GNOME Installer
Reference: URL:http://archives.neohapsis.com/archives/bugtraq/2000-08/0251.html
Reference: BID:1596
Reference: URL:http://www.securityfocus.com/bid/1596

Helix GNOME Updater helix-update 0.5 and earlier does not properly
create /tmp directories, which allows local users to create empty
system configuration files such as /etc/config.d/bashrc,
/etc/config.d/csh.cshrc, and /etc/rc.config.

Analysis
----------------
ED_PRI CAN-2000-0723 3
Vendor Acknowledgement: yes advisory
Content Decisions: SF-LOC, EX-BETA

INCLUSION:

A poster suggests that this software is in beta, in which case
CD:EX-BETA might suggest that this problem should be excluded from
CVE.  However, the poster also says that it appears that many people
may be using the products, in which case CD:EX-BETA would make an
exception and suggest that this should be included.

ABSTRACTION:

CD:SF-LOC applies because there may be multiple bugs in the same
software, namely this one and the installation of RPMs in
/tmp/helix-install.  However, the /etc problem only applies to some
affected OSes, which is an indicator that the bugs did not occur on
the same line of code.  Thus CD:SF-LOC, in the absence of additional
information, suggests that these problems remain split.

Voting Section
--------------
Possible votes: ACCEPT/MODIFY/NOOP/REVIEWING/RECAST/REJECT
If ACCEPT or MODIFY, include reason for acceptance:
  VERIFIED-BY-MY-ORG, ACKNOWLEDGED-BY-VENDOR, VERIFIED-BY-SOMEONE-I-TRUST,
  HAS-INDEPENDENT-CONFIRMATION, or provide other reason.

VOTE:
ACCEPT_REASON:

COMMENTS:

======================================================
Candidate: CAN-2000-0724
Published:
Final-Decision:
Interim-Decision:
Modified:
Proposed: 20000921
Assigned: 20000919
Category: SF
Reference: BUGTRAQ:20000829 More Helix Code installation problems (go-gnome)
Reference: URL:http://archives.neohapsis.com/archives/bugtraq/2000-08/0351.html
Reference: BUGTRAQ:20000829 Helix Code Security Advisory - go-gnome pre-installer
Reference: URL:http://archives.neohapsis.com/archives/bugtraq/2000-08/0356.html
Reference: BID:1622
Reference: URL:http://www.securityfocus.com/bid/1622

The go-gnome Helix GNOME pre-installer allows local users to overwrite
arbitrary files via a symlink attack on various files in /tmp,
including uudecode, snarf, and some installer files.

Analysis
----------------
ED_PRI CAN-2000-0724 3
Vendor Acknowledgement: yes advisory
Content Decisions: EX-BETA

INCLUSION:

A poster suggests that this software is in beta, in which case
CD:EX-BETA might suggest that this problem should be excluded from
CVE.  However, the poster also says that it appears that many people
may be using the products, in which case CD:EX-BETA would make an
exception and suggest that this should be included.

Voting Section
--------------
Possible votes: ACCEPT/MODIFY/NOOP/REVIEWING/RECAST/REJECT
If ACCEPT or MODIFY, include reason for acceptance:
  VERIFIED-BY-MY-ORG, ACKNOWLEDGED-BY-VENDOR, VERIFIED-BY-SOMEONE-I-TRUST,
  HAS-INDEPENDENT-CONFIRMATION, or provide other reason.

VOTE:
ACCEPT_REASON:

COMMENTS:

======================================================
Candidate: CAN-2000-0735
Published:
Final-Decision:
Interim-Decision:
Modified:
Proposed: 20000921
Assigned: 20000919
Category: SF
Reference: BUGTRAQ:20000818 Becky! Internet Mail Buffer overflow
Reference: URL:http://archives.neohapsis.com/archives/bugtraq/2000-08/0234.html
Reference: CONFIRM:http://member.nifty.ne.jp/rimarts/becky-e/Readme.txt
Reference: BID:1588
Reference: URL:http://www.securityfocus.com/bid/1588

Buffer overflow in Becky! Internet Mail client 1.26.03 and earlier
allows remote attackers to cause a denial of service via a long
Content-type: MIME header when the user replies to a message.

Analysis
----------------
ED_PRI CAN-2000-0735 3
Vendor Acknowledgement: yes change-log
Content Decisions: SF-LOC

ABSTRACTION:

While this vulnerability is almost exactly the same as that for when
the user forwards a message, the forwarding problem was not fixed
until 1.26.04.  Since the forwarding bug was still present after this
one was fixed, CD:SF-LOC suggests that these 2 items should remain
split.

Voting Section
--------------
Possible votes: ACCEPT/MODIFY/NOOP/REVIEWING/RECAST/REJECT
If ACCEPT or MODIFY, include reason for acceptance:
  VERIFIED-BY-MY-ORG, ACKNOWLEDGED-BY-VENDOR, VERIFIED-BY-SOMEONE-I-TRUST,
  HAS-INDEPENDENT-CONFIRMATION, or provide other reason.

VOTE:
ACCEPT_REASON:

COMMENTS:

======================================================
Candidate: CAN-2000-0736
Published:
Final-Decision:
Interim-Decision:
Modified:
Proposed: 20000921
Assigned: 20000919
Category: SF
Reference: BUGTRAQ:20000818 Becky! Internet Mail Buffer overflow
Reference: URL:http://archives.neohapsis.com/archives/bugtraq/2000-08/0234.html
Reference: CONFIRM:http://member.nifty.ne.jp/rimarts/becky-e/Readme.txt
Reference: BID:1588
Reference: URL:http://www.securityfocus.com/bid/1588

Buffer overflow in Becky! Internet Mail client 1.26.04 and earlier
allows remote attackers to cause a denial of service via a long
Content-type: MIME header when the user forwards a message.

Analysis
----------------
ED_PRI CAN-2000-0736 3
Vendor Acknowledgement: yes change-log
Content Decisions: SF-LOC

ABSTRACTION:

While this vulnerability is almost exactly the same as that for when
the user replies to a message, the replying bug was fixed in 1.26.03.
Since this bug was still present after the reply bug was fixed,
CD:SF-LOC suggests that these 2 items should remain split.

Voting Section
--------------
Possible votes: ACCEPT/MODIFY/NOOP/REVIEWING/RECAST/REJECT
If ACCEPT or MODIFY, include reason for acceptance:
  VERIFIED-BY-MY-ORG, ACKNOWLEDGED-BY-VENDOR, VERIFIED-BY-SOMEONE-I-TRUST,
  HAS-INDEPENDENT-CONFIRMATION, or provide other reason.

VOTE:
ACCEPT_REASON:

COMMENTS:

======================================================
Candidate: CAN-2000-0738
Published:
Final-Decision:
Interim-Decision:
Modified:
Proposed: 20000921
Assigned: 20000919
Category: SF
Reference: NTBUGTRAQ:20000818 WebShield SMTP infinite loop DoS Attack
Reference: URL:http://archives.neohapsis.com/archives/ntbugtraq/2000-q3/0101.html
Reference: BID:1589
Reference: URL:http://www.securityfocus.com/bid/1589

WebShield SMTP 4.5 allows remote attackers to cause a denial of
service by sending e-mail with a From: address that has a . (period)
at the end, which causes WebShield to continuously send itself copies
of the e-mail.

Analysis
----------------
ED_PRI CAN-2000-0738 3
Vendor Acknowledgement: unknown

Voting Section
--------------
Possible votes: ACCEPT/MODIFY/NOOP/REVIEWING/RECAST/REJECT
If ACCEPT or MODIFY, include reason for acceptance:
  VERIFIED-BY-MY-ORG, ACKNOWLEDGED-BY-VENDOR, VERIFIED-BY-SOMEONE-I-TRUST,
  HAS-INDEPENDENT-CONFIRMATION, or provide other reason.

VOTE:
ACCEPT_REASON:

COMMENTS:

======================================================
Candidate: CAN-2000-0746
Published:
Final-Decision:
Interim-Decision:
Modified:
Proposed: 20000921
Assigned: 20000919
Category: SF
Reference: BUGTRAQ:20000821 IIS 5.0 cross site scripting vulnerability - using .shtml files or /_vti_bin/shtml.dll
Reference: URL:http://www.securityfocus.com/templates/archive.pike?list=1&msg=39A12BD6.E811BF4F@nat.bg
Reference: MS:MS00-060
Reference: URL:http://www.microsoft.com/technet/security/bulletin/ms00-060.asp
Reference: BID:1594
Reference: URL:http://www.securityfocus.com/bid/1594
Reference: BID:1595
Reference: URL:http://www.securityfocus.com/bid/1595

Vulnerabilities in IIS 4.0 and 5.0 do not properly protect against
cross-site scripting (CSS) attacks.  They allow a malicious web site
operator to embed scripts in a link to a trusted site, which are
returned without quoting in an error message back to the client.  The
client then executes those scripts in the same context as the trusted
site, aka the "IIS Cross-Site Scripting" vulnerabilities.

Analysis
----------------
ED_PRI CAN-2000-0746 3
Vendor Acknowledgement: yes advisory
Content Decisions: SF-LOC, SF-EXEC

ABSTRACTION:

CD:SF-LOC suggests creating a separate entry for each different CSS
item, but the advisory and the FAQ do not provide enough details to do
so.

The original Bugtraq post claims that there are 2 separate issues, one
in FrontPage Extensions through /_vti_bin/shtml.dll, and another
through any filename that ends in .shtml.  However, it may be that
.shtml files are redirected to shtml.dll; if so, then there may only
be one bug (in shtml.dll), and CD:SF-LOC would apply and suggest using
only one entry.

However, since FrontPage is not required with all IIS installations,
then these 2 problems are not part of the same "fundamental" software
package.  So CD:SF-EXEC suggests providing separate entries, one for
FrontPage Extensions, and another for IIS.

Voting Section
--------------
Possible votes: ACCEPT/MODIFY/NOOP/REVIEWING/RECAST/REJECT
If ACCEPT or MODIFY, include reason for acceptance:
  VERIFIED-BY-MY-ORG, ACKNOWLEDGED-BY-VENDOR, VERIFIED-BY-SOMEONE-I-TRUST,
  HAS-INDEPENDENT-CONFIRMATION, or provide other reason.

VOTE:
ACCEPT_REASON:

COMMENTS:

======================================================
Candidate: CAN-2000-0753
Published:
Final-Decision:
Interim-Decision:
Modified:
Proposed: 20000921
Assigned: 20000919
Category: SF
Reference: BUGTRAQ:20000824 Outlook winmail.dat
Reference: URL:http://www.securityfocus.com/templates/archive.pike?list=1&msg=LAW2-F305bYiMCIqtQv0000069d@hotmail.com
Reference: BID:1631
Reference: URL:http://www.securityfocus.com/bid/1631

The Microsoft Outlook mail client identifies the physical path of the
sender's machine within a winmail.dat attachment to Rich Text Format
(RTF) files.

Analysis
----------------
ED_PRI CAN-2000-0753 3
Vendor Acknowledgement: unknown
Content Decisions: DESIGN-REAL-PATH

CD:DESIGN-REAL-PATH says that revealing physical path information to
remote attackers is an exposure, and thus should be included in CVE.

Voting Section
--------------
Possible votes: ACCEPT/MODIFY/NOOP/REVIEWING/RECAST/REJECT
If ACCEPT or MODIFY, include reason for acceptance:
  VERIFIED-BY-MY-ORG, ACKNOWLEDGED-BY-VENDOR, VERIFIED-BY-SOMEONE-I-TRUST,
  HAS-INDEPENDENT-CONFIRMATION, or provide other reason.

VOTE:
ACCEPT_REASON:

COMMENTS:

======================================================
Candidate: CAN-2000-0755
Published:
Final-Decision:
Interim-Decision:
Modified:
Proposed: 20000921
Assigned: 20000919
Category: SF
Reference: HP:HPSBUX0008-118
Reference: URL:http://archives.neohapsis.com/archives/bugtraq/2000-08/0144.html
Reference: BID:1581
Reference: URL:http://www.securityfocus.com/bid/1581

Vulnerability in the newgrp command in HP-UX 11.00 allows local users
to gain privileges.

Analysis
----------------
ED_PRI CAN-2000-0755 3
Vendor Acknowledgement: yes advisory
Content Decisions: DISCOVERY-DATE

INCLUSION:

The HP advisory does not provide additional details, but this looks
like it could be a repeat of CVE-1999-0050.  In the absence of further
information, however, this problem should probably remain SPLIT from
CVE-1999-0050.

ABSTRACTION:

CD:DISCOVERY-DATE also suggests that if a problem appears in version
X, goes away in version X+n, and reappears in X+n+1, then separate
entries should be created, since (a) a problem in the vendor's process
re-introduced the bug, and (b) tools and system administrators may not
be aware of the new variation, so having a separate entry is a way of
handling this.

Voting Section
--------------
Possible votes: ACCEPT/MODIFY/NOOP/REVIEWING/RECAST/REJECT
If ACCEPT or MODIFY, include reason for acceptance:
  VERIFIED-BY-MY-ORG, ACKNOWLEDGED-BY-VENDOR, VERIFIED-BY-SOMEONE-I-TRUST,
  HAS-INDEPENDENT-CONFIRMATION, or provide other reason.

VOTE:
ACCEPT_REASON:

COMMENTS:

======================================================
Candidate: CAN-2000-0762
Published:
Final-Decision:
Interim-Decision:
Modified:
Proposed: 20000921
Assigned: 20000919
Category: CF
Reference: BUGTRAQ:20000811 eTrust Access Control - Root compromise for default install
Reference: URL:http://www.securityfocus.com/templates/archive.pike?list=1&msg=004601c003a1$ba473260$ddeaa2cd@itradefair.net
Reference: CONFIRM:http://support.ca.com/techbases/eTrust/etrust_access_control-response.html
Reference: BID:1583
Reference: URL:http://www.securityfocus.com/bid/1583

The default installation of eTrust Access Control (formerly SeOS) uses
a default encryption key, which allows remote attackers to spoof the
eTrust administrator and gain privileges.

Analysis
----------------
ED_PRI CAN-2000-0762 3
Vendor Acknowledgement: unknown

Voting Section
--------------
Possible votes: ACCEPT/MODIFY/NOOP/REVIEWING/RECAST/REJECT
If ACCEPT or MODIFY, include reason for acceptance:
  VERIFIED-BY-MY-ORG, ACKNOWLEDGED-BY-VENDOR, VERIFIED-BY-SOMEONE-I-TRUST,
  HAS-INDEPENDENT-CONFIRMATION, or provide other reason.

VOTE:
ACCEPT_REASON:

COMMENTS:

======================================================
Candidate: CAN-2000-0766
Published:
Final-Decision:
Interim-Decision:
Modified:
Proposed: 20000921
Assigned: 20000919
Category: SF
Reference: BUGTRAQ:20000819 D.o.S Vulnerability in vqServer
Reference: URL:http://www.securityfocus.com/templates/archive.pike?list=1&msg=200008270354.UAA10952@user4.hushmail.com
Reference: BID:1610
Reference: URL:http://www.securityfocus.com/bid/1610

Buffer overflow in vqSoft vqServer 1.4.49 allows remote attackers to
cause a denial of service or possibly gain privileges via a long HTTP
GET request.

Analysis
----------------
ED_PRI CAN-2000-0766 3
Vendor Acknowledgement: unknown poster-claimed

Voting Section
--------------
Possible votes: ACCEPT/MODIFY/NOOP/REVIEWING/RECAST/REJECT
If ACCEPT or MODIFY, include reason for acceptance:
  VERIFIED-BY-MY-ORG, ACKNOWLEDGED-BY-VENDOR, VERIFIED-BY-SOMEONE-I-TRUST,
  HAS-INDEPENDENT-CONFIRMATION, or provide other reason.

VOTE:
ACCEPT_REASON:

COMMENTS:

======================================================
Candidate: CAN-2000-0769
Published:
Final-Decision:
Interim-Decision:
Modified:
Proposed: 20000921
Assigned: 20000919
Category: SF
Reference: BUGTRAQ:20000824 WebServer Pro 2.3.7 Vulnerability
Reference: URL:http://marc.theaimsgroup.com/?l=bugtraq&m=96715834610888&w=2
Reference: BID:1611
Reference: URL:http://www.securityfocus.com/bid/1611

O'Reilly WebSite Pro 2.3.7 installs the uploader.exe program with
execute permissions for all users, which allows remote attackers to
create and execute arbitrary files by directly calling uploader.exe.

Analysis
----------------
ED_PRI CAN-2000-0769 3
Vendor Acknowledgement: unknown
Content Decisions: DISCOVERY-DATE

INCLUSION:

This could be a duplicate of CVE-1999-0177, which affected WebSite 1.1
and 2.0 beta according to XF:http-website-uploader at
http://xforce.iss.net/static/294.php.  Also see the original post at
http://marc.theaimsgroup.com/?l=bugtraq&m=87602880019759&w=2

Also see http://ora.leftcoast.net/archives/website-talk/msg02835.html
for a reply from "michael@oreilly.com" to a tech support query on July
13, 2000, which appears to be roughly akin to vendor acknowledgement.

However, the poster for this candidate said that the problem did not
exist on version 2.3.3, so this may be a reappearance of an old bug.

Thus CD:DISCOVERY-DATE applies.  Assume this is the same bug.
CVE-1999-0177 < "safe" version 2.3.3 < vulnerable version 2.3.7.  Thus
this item should remain separate from CVE-1999-0177.

CD:DISCOVERY-DATE suggests that if a problem appears in version X,
goes away in version X+n, and reappears in X+n+1, then separate
entries should be created, since (a) a problem in the vendor's process
re-introduced the bug, and (b) tools and system administrators may not
be aware of the new variation, so having a separate entry is a way of
handling this.

Voting Section
--------------
Possible votes: ACCEPT/MODIFY/NOOP/REVIEWING/RECAST/REJECT
If ACCEPT or MODIFY, include reason for acceptance:
  VERIFIED-BY-MY-ORG, ACKNOWLEDGED-BY-VENDOR, VERIFIED-BY-SOMEONE-I-TRUST,
  HAS-INDEPENDENT-CONFIRMATION, or provide other reason.

VOTE:
ACCEPT_REASON:

COMMENTS:

======================================================
Candidate: CAN-2000-0772
Published:
Final-Decision:
Interim-Decision:
Modified:
Proposed: 20000921
Assigned: 20000919
Category: CF
Reference: BUGTRAQ:20000810 Tumbleweed Worldsecure (MMS) BLANK 'sa' account password vulnerability
Reference: URL:http://archives.neohapsis.com/archives/bugtraq/2000-08/0098.html
Reference: CONFIRM:http://thompson.tumbleweed.com/NewKB/bulletin/UPFiles/sa-official.htm
Reference: BID:1562
Reference: URL:http://www.securityfocus.com/bid/1562

The installation of Tumbleweed Messaging Management System (MMS) 4.6
and earlier (formerly Worldtalk Worldsecure) creates a default account
"sa" with no password.

Analysis
----------------
ED_PRI CAN-2000-0772 3
Vendor Acknowledgement: unknown

ABSTRACTION:

CD:CF-PASS suggests that separate entries should be created for each
"service" that has default passwords, no matter how many defaults
there are.  If this approach is adopted, then this should probably be
MERGED with other database default accounts/passwords.

The thread generated by this discussion is a good indicator of the
disparate perspectives as to whether documented default passwords are
a "real" vulnerability or not.

Voting Section
--------------
Possible votes: ACCEPT/MODIFY/NOOP/REVIEWING/RECAST/REJECT
If ACCEPT or MODIFY, include reason for acceptance:
  VERIFIED-BY-MY-ORG, ACKNOWLEDGED-BY-VENDOR, VERIFIED-BY-SOMEONE-I-TRUST,
  HAS-INDEPENDENT-CONFIRMATION, or provide other reason.

VOTE:
ACCEPT_REASON:

COMMENTS:

======================================================
Candidate: CAN-2000-0776
Published:
Final-Decision:
Interim-Decision:
Modified:
Proposed: 20000921
Assigned: 20000919
Category: SF
Reference: BUGTRAQ:20000810 [DeepZone Advisory] Statistics Server 5.02x stack overflow (Win2k remote exploit)
Reference: URL:http://archives.neohapsis.com/archives/bugtraq/2000-08/0118.html
Reference: BID:1568
Reference: URL:http://www.securityfocus.com/bid/1568

Mediahouse Statistics Server 5.02x allows remote attackers to execute
arbitrary commands via a long HTTP GET request.

Analysis
----------------
ED_PRI CAN-2000-0776 3
Vendor Acknowledgement: unknown

INCLUSION:

This ostensibly looks like a dupe of CVE-1999-0931, but the announcer
claims that some versions older than 5.02x did not exhibit the
problem.

Voting Section
--------------
Possible votes: ACCEPT/MODIFY/NOOP/REVIEWING/RECAST/REJECT
If ACCEPT or MODIFY, include reason for acceptance:
  VERIFIED-BY-MY-ORG, ACKNOWLEDGED-BY-VENDOR, VERIFIED-BY-SOMEONE-I-TRUST,
  HAS-INDEPENDENT-CONFIRMATION, or provide other reason.

VOTE:
ACCEPT_REASON:

COMMENTS:

======================================================
Candidate: CAN-2000-0783
Published:
Final-Decision:
Interim-Decision:
Modified:
Proposed: 20000921
Assigned: 20000919
Category: SF
Reference: BUGTRAQ:20000815 Watchguard Firebox Authentication DoS
Reference: URL:http://archives.neohapsis.com/archives/bugtraq/2000-08/0162.html
Reference: BID:1573
Reference: URL:http://www.securityfocus.com/bid/1573

Watchguard Firebox II allows remote attackers to cause a denial of
service by sending a malformed URL to the authentication service on
port 4100.

Analysis
----------------
ED_PRI CAN-2000-0783 3
Vendor Acknowledgement: unknown claimed

Voting Section
--------------
Possible votes: ACCEPT/MODIFY/NOOP/REVIEWING/RECAST/REJECT
If ACCEPT or MODIFY, include reason for acceptance:
  VERIFIED-BY-MY-ORG, ACKNOWLEDGED-BY-VENDOR, VERIFIED-BY-SOMEONE-I-TRUST,
  HAS-INDEPENDENT-CONFIRMATION, or provide other reason.

VOTE:
ACCEPT_REASON:

COMMENTS:

======================================================
Candidate: CAN-2000-0784
Published:
Final-Decision:
Interim-Decision:
Modified:
Proposed: 20000921
Assigned: 20000919
Category: SF
Reference: BUGTRAQ:20000816 Remote Root Compromise On All RapidStream VPN Appliances
Reference: URL:http://archives.neohapsis.com/archives/bugtraq/2000-08/0216.html
Reference: BID:1574
Reference: URL:http://www.securityfocus.com/bid/1574

The sshd program in the Rapidstream 2.1 Beta VPN appliance has a
hard-coded "rsadmin" account with a null password, which allows remote
attackers to execute arbitrary commands via ssh.

Analysis
----------------
ED_PRI CAN-2000-0784 3
Vendor Acknowledgement: yes followup
Content Decisions: EX-BETA

INCLUSION:

CD:EX-BETA suggests that this should not be included in CVE because it
is a beta version, unless this has been widely distributed.

Voting Section
--------------
Possible votes: ACCEPT/MODIFY/NOOP/REVIEWING/RECAST/REJECT
If ACCEPT or MODIFY, include reason for acceptance:
  VERIFIED-BY-MY-ORG, ACKNOWLEDGED-BY-VENDOR, VERIFIED-BY-SOMEONE-I-TRUST,
  HAS-INDEPENDENT-CONFIRMATION, or provide other reason.

VOTE:
ACCEPT_REASON:

COMMENTS:

======================================================
Candidate: CAN-2000-0789
Published:
Final-Decision:
Interim-Decision:
Modified:
Proposed: 20000921
Assigned: 20000919
Category: SF
Reference: BUGTRAQ:20000816 WinU 4/5 weak password vulnerability
Reference: URL:http://archives.neohapsis.com/archives/bugtraq/2000-08/0201.html

WinU 5.x and earlier uses weak encryption to store its configuration
password, which allows local users to decrypt the password and gain
privileges.

Analysis
----------------
ED_PRI CAN-2000-0789 3
Vendor Acknowledgement: unknown
Content Decisions: DESIGN-WEAK-ENCRYPTION

Voting Section
--------------
Possible votes: ACCEPT/MODIFY/NOOP/REVIEWING/RECAST/REJECT
If ACCEPT or MODIFY, include reason for acceptance:
  VERIFIED-BY-MY-ORG, ACKNOWLEDGED-BY-VENDOR, VERIFIED-BY-SOMEONE-I-TRUST,
  HAS-INDEPENDENT-CONFIRMATION, or provide other reason.

VOTE:
ACCEPT_REASON:

COMMENTS:

======================================================
Candidate: CAN-2000-0790
Published:
Final-Decision:
Interim-Decision:
Modified:
Proposed: 20000921
Assigned: 20000919
Category: SF
Reference: BUGTRAQ:20000828 IE 5.5/5.x for Win98 may execute arbitrary files that can be accessed thru Microsoft Networking. Also local Administrator compromise at least on default Windows 2000.
Reference: URL:http://www.securityfocus.com/templates/archive.pike?list=1&msg=3998370D.732A03F1@nat.bg
Reference: BID:1571
Reference: URL:http://www.securityfocus.com/bid/1571

The web-based folder display capability in Microsoft Internet Explorer
5.5 on Windows 98 allows local users to insert Trojan horse programs
by modifying the Folder.htt file and using the InvokeVerb method in
the ShellDefView ActiveX control to specify a default execute option
for the first file that is listed in the folder.

Analysis
----------------
ED_PRI CAN-2000-0790 3
Vendor Acknowledgement: unknown

Voting Section
--------------
Possible votes: ACCEPT/MODIFY/NOOP/REVIEWING/RECAST/REJECT
If ACCEPT or MODIFY, include reason for acceptance:
  VERIFIED-BY-MY-ORG, ACKNOWLEDGED-BY-VENDOR, VERIFIED-BY-SOMEONE-I-TRUST,
  HAS-INDEPENDENT-CONFIRMATION, or provide other reason.

VOTE:
ACCEPT_REASON:

COMMENTS:

======================================================
Candidate: CAN-2000-0791
Published:
Final-Decision:
Interim-Decision:
Modified:
Proposed: 20000921
Assigned: 20000919
Category: SF
Reference: BUGTRAQ:20000815 Trustix security advisory - apache-ssl
Reference: URL:http://archives.neohapsis.com/archives/bugtraq/2000-08/0179.html
Reference: BID:1575
Reference: URL:http://www.securityfocus.com/bid/1575

Trustix installs the httpsd program for Apache-SSL with
world-writeable permissions, which allows local users to replace it
with a Trojan horse.

Analysis
----------------
ED_PRI CAN-2000-0791 3
Vendor Acknowledgement: yes post
Content Decisions: INSTALL-PERM

ABSTRACTION:

Some problems like this one are related to installations of files that
set improper permissions.  Should each separate file get a separate
CVE entry?  Or should dot notation be used?  This question has been
labeled as CD:INSTALL-PERM.

Voting Section
--------------
Possible votes: ACCEPT/MODIFY/NOOP/REVIEWING/RECAST/REJECT
If ACCEPT or MODIFY, include reason for acceptance:
  VERIFIED-BY-MY-ORG, ACKNOWLEDGED-BY-VENDOR, VERIFIED-BY-SOMEONE-I-TRUST,
  HAS-INDEPENDENT-CONFIRMATION, or provide other reason.

VOTE:
ACCEPT_REASON:

COMMENTS:

Page Last Updated or Reviewed: May 22, 2007