[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

[PROPOSAL] Cluster RECENT-75 - 47 candidates



I am proposing cluster RECENT-75 for review and voting by the
Editorial Board.

Name: RECENT-75
Description: Candidates announced between 1/12/2001 and 7/31/2001
Size: 47

You may vote on candidates by modifying this email ballot and sending
it back to me, or by using the CVE voting web site.

The candidates are listed in order of priority.  Priority 1 and
Priority 2 candidates both deal with varying levels of vendor
confirmation, so they should be easy to review and it can be trusted
that the problems are real.

If you discover that any RECENT-XX cluster is incomplete with respect
to the problems discovered during the associated time frame, please
send that information to me so that candidates can be assigned.

- Steve





Summary of votes to use (in ascending order of "severity")
----------------------------------------------------------

ACCEPT - voter accepts the candidate as proposed
NOOP - voter has no opinion on the candidate
MODIFY - voter wants to change some MINOR detail (e.g. reference/description)
REVIEWING - voter is reviewing/researching the candidate, or needs more info
RECAST - candidate must be significantly modified, e.g. split or merged
REJECT - candidate is "not a vulnerability", or a duplicate, etc.

1) Please write your vote on the line that starts with "VOTE: ".  If
   you want to add comments or details, add them to lines after the
   VOTE: line.

2) If you see any missing references, please mention them so that they
   can be included.  References help greatly during mapping.

3) Note that a "MODIFY" is treated as an "ACCEPT" when counting votes.
   So if you don't have sufficient information for a candidate but you
   don't want to NOOP, use a REVIEWING.

********** NOTE ********** NOTE ********** NOTE ********** NOTE **********

Please keep in mind that your vote and comments will be recorded and
publicly viewable in the mailing list archives or in other formats.

======================================================
Candidate: CAN-2001-0550
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2001-0550
Final-Decision:
Interim-Decision:
Modified:
Proposed: 20020131
Assigned: 20010718
Category: SF
Reference: VULN-DEV:20010430 some ftpd implementations mishandle CWD ~{
Reference: URL:http://www.securityfocus.com/archive/82/180823
Reference: BUGTRAQ:20011128 CORE-20011001: Wu-FTP glob heap corruption vulnerability
Reference: URL:http://marc.theaimsgroup.com/?l=bugtraq&m=100700363414799&w=2
Reference: CERT:CA-2001-33
Reference: URL:http://www.cert.org/advisories/CA-2001-33.html
Reference: CERT-VN:VU#886083
Reference: URL:http://www.kb.cert.org/vuls/id/886083
Reference: REDHAT:RHSA-2001-157
Reference: URL:http://www.redhat.com/support/errata/RHSA-2001-157.html
Reference: CALDERA:CSSA-2001-041.0
Reference: URL:http://www.caldera.com/support/security/advisories/CSSA-2001-041.0.txt
Reference: MANDRAKE:MDKSA-2001:090
Reference: URL:http://www.linux-mandrake.com/en/security/2001/MDKSA-2001-090.php3
Reference: HP:HPSBUX0107-162
Reference: ISS:20011129 WU-FTPD Heap Corruption Vulnerability
Reference: BID:3581
Reference: URL:http://www.securityfocus.com/bid/3581

wu-ftpd 2.6.1 allows remote attackers to execute arbitrary commands
via a "~{" argument to commands such as CWD, which is not properly
handled by the glob function (ftpglob).

Analysis
----------------
ED_PRI CAN-2001-0550 1
Vendor Acknowledgement: yes advisory

Voting Section
--------------
Possible votes: ACCEPT/MODIFY/NOOP/REVIEWING/RECAST/REJECT
If ACCEPT or MODIFY, include reason for acceptance:
  VERIFIED-BY-MY-ORG, ACKNOWLEDGED-BY-VENDOR, VERIFIED-BY-SOMEONE-I-TRUST,
  HAS-INDEPENDENT-CONFIRMATION, or provide other reason.

VOTE:
ACCEPT_REASON:

COMMENTS:

======================================================
Candidate: CAN-2001-0905
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2001-0905
Final-Decision:
Interim-Decision:
Modified:
Proposed: 20020131
Assigned: 20020131
Category: SF
Reference: DEBIAN:DSA-083
Reference: URL:http://www.debian.org/security/2001/dsa-083
Reference: REDHAT:RHSA-2001:093
Reference: URL:http://www.redhat.com/support/errata/RHSA-2001-093.html
Reference: MANDRAKE:MDKSA-2001:085
Reference: URL:http://www.linux-mandrake.com/en/security/2001/MDKSA-2001-085.php3
Reference: FREEBSD:FreeBSD-SA-01:60
Reference: URL:ftp://ftp.FreeBSD.org/pub/FreeBSD/CERT/advisories/FreeBSD-SA-01:60.procmail.asc
Reference: BID:3071
Reference: URL:http://www.securityfocus.com/bid/3071

Race condition in signal handling of procmail 3.20 and earlier, when
running setuid, allows local users to cause a denial of service or
gain root privileges by sending a signal while a signal handling
routine is already running.

Analysis
----------------
ED_PRI CAN-2001-0905 1
Vendor Acknowledgement: yes advisory

Voting Section
--------------
Possible votes: ACCEPT/MODIFY/NOOP/REVIEWING/RECAST/REJECT
If ACCEPT or MODIFY, include reason for acceptance:
  VERIFIED-BY-MY-ORG, ACKNOWLEDGED-BY-VENDOR, VERIFIED-BY-SOMEONE-I-TRUST,
  HAS-INDEPENDENT-CONFIRMATION, or provide other reason.

VOTE:
ACCEPT_REASON:

COMMENTS:

======================================================
Candidate: CAN-2001-0906
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2001-0906
Final-Decision:
Interim-Decision:
Modified:
Proposed: 20020131
Assigned: 20020131
Category: SF
Reference: BUGTRAQ:20010622 LPRng + tetex tmpfile race - uid lp exploit
Reference: URL:http://www.securityfocus.com/archive/1/192647
Reference: REDHAT:RHSA-2001:102
Reference: URL:http://www.redhat.com/support/errata/RHSA-2001-102.html
Reference: MANDRAKE:MDKSA-2001:086
Reference: URL:http://www.linux-mandrake.com/en/security/2001/MDKSA-2001-086.php3
Reference: IMMUNIX:IMNX-2001-70-030-01
Reference: URL:http://download.immunix.org/ImmunixOS/7.0/updates/IMNX-2001-70-030-01
Reference: BID:2974
Reference: URL:http://www.securityfocus.com/bid/2974
Reference: XF:tetex-lprng-tmp-race(6785)
Reference: URL:http://xforce.iss.net/static/6785.php

teTeX filter before 1.0.7 allows local users to gain privileges via a
symlink attack on temporary files that are produced when printing .dvi
files using lpr.

Analysis
----------------
ED_PRI CAN-2001-0906 1
Vendor Acknowledgement: yes advisory

Voting Section
--------------
Possible votes: ACCEPT/MODIFY/NOOP/REVIEWING/RECAST/REJECT
If ACCEPT or MODIFY, include reason for acceptance:
  VERIFIED-BY-MY-ORG, ACKNOWLEDGED-BY-VENDOR, VERIFIED-BY-SOMEONE-I-TRUST,
  HAS-INDEPENDENT-CONFIRMATION, or provide other reason.

VOTE:
ACCEPT_REASON:

COMMENTS:

======================================================
Candidate: CAN-2001-0925
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2001-0925
Final-Decision:
Interim-Decision:
Modified:
Proposed: 20020131
Assigned: 20020131
Category: SF
Reference: BUGTRAQ:20010312 FORW: [ANNOUNCE] Apache 1.3.19 Released
Reference: URL:http://www.securityfocus.com/archive/1/168497
Reference: BUGTRAQ:20010624 Fw: Bugtraq ID 2503 : Apache Artificially Long Slash Path Directory Listing Exploit
Reference: URL:http://www.securityfocus.com/archive/1/193081
Reference: BUGTRAQ:20010419 OpenBSD 2.8patched Apache vuln!
Reference: URL:http://www.securityfocus.com/archive/1/178066
Reference: BUGTRAQ:20010726 Apache Artificially Long Slash Path Directory Listing Vulnerabili ty -- FILE READ ACCESS
Reference: URL:http://www.securityfocus.com/cgi-bin/archive.pl?id=1&start=2002-01-27&end=2002-02-02&mid=199857&threads=1
Reference: CONFIRM:http://www.apacheweek.com/features/security-13
Reference: MANDRAKE:MDKSA-2001:077
Reference: URL:http://www.linux-mandrake.com/en/security/2001/MDKSA-2001-077.php3
Reference: DEBIAN:DSA-067
Reference: URL:http://www.debian.org/security/2001/dsa-067
Reference: ENGARDE:ESA-20010620-02
Reference: URL:http://www.linuxsecurity.com/advisories/other_advisory-1452.html
Reference: BID:2503
Reference: URL:http://www.securityfocus.com/bid/2503
Reference: XF:apache-slash-directory-listing(6921)
Reference: URL:http://xforce.iss.net/static/6921.php

The default installation of Apache before 1.3.19 allows remote
attackers to list directories instead of the multiview index.html file
via an HTTP request for a path that contains many / (slash)
characters, which causes the path to be mishandled by (1)
mod_negotiation, (2) mod_dir, or (3) mod_autoindex.

Analysis
----------------
ED_PRI CAN-2001-0925 1
Vendor Acknowledgement:

Voting Section
--------------
Possible votes: ACCEPT/MODIFY/NOOP/REVIEWING/RECAST/REJECT
If ACCEPT or MODIFY, include reason for acceptance:
  VERIFIED-BY-MY-ORG, ACKNOWLEDGED-BY-VENDOR, VERIFIED-BY-SOMEONE-I-TRUST,
  HAS-INDEPENDENT-CONFIRMATION, or provide other reason.

VOTE:
ACCEPT_REASON:

COMMENTS:

======================================================
Candidate: CAN-2001-0974
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2001-0974
Final-Decision:
Interim-Decision:
Modified:
Proposed: 20020131
Assigned: 20020131
Category: SF
Reference: CERT:CA-2001-18
Reference: URL:http://www.cert.org/advisories/CA-2001-18.html
Reference: CIAC:L-116
Reference: URL:http://www.ciac.org/ciac/bulletins/l-116.shtml
Reference: CERT-VN:VU#869184
Reference: URL:http://www.kb.cert.org/vuls/id/869184
Reference: BID:3048
Reference: URL:http://www.securityfocus.com/bid/3048
Reference: XF:oracle-ldap-protos-format-string(6903)
Reference: URL:http://xforce.iss.net/static/6903.php

Format string vulnerabilities in Oracle Internet Directory Server
(LDAP) 2.1.1.x and 3.0.1 allow remote attackers to execute arbitrary
code.

Analysis
----------------
ED_PRI CAN-2001-0974 1
Vendor Acknowledgement: yes advisory

Voting Section
--------------
Possible votes: ACCEPT/MODIFY/NOOP/REVIEWING/RECAST/REJECT
If ACCEPT or MODIFY, include reason for acceptance:
  VERIFIED-BY-MY-ORG, ACKNOWLEDGED-BY-VENDOR, VERIFIED-BY-SOMEONE-I-TRUST,
  HAS-INDEPENDENT-CONFIRMATION, or provide other reason.

VOTE:
ACCEPT_REASON:

COMMENTS:

======================================================
Candidate: CAN-2001-0975
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2001-0975
Final-Decision:
Interim-Decision:
Modified:
Proposed: 20020131
Assigned: 20020131
Category: SF
Reference: CERT:CA-2001-18
Reference: URL:http://www.cert.org/advisories/CA-2001-18.html
Reference: CIAC:L-116
Reference: URL:http://www.ciac.org/ciac/bulletins/l-116.shtml
Reference: CERT-VN:VU#869184
Reference: URL:http://www.kb.cert.org/vuls/id/869184
Reference: CONFIRM:http://otn.oracle.com/deploy/security/pdf/oid_cert_bof.pdf
Reference: XF:oracle-ldap-protos-bo(6902)
Reference: URL:http://xforce.iss.net/static/6902.php
Reference: BID:3047
Reference: URL:http://www.securityfocus.com/bid/3047

Buffer overflow vulnerabilities in Oracle Internet Directory Server
(LDAP) 2.1.1.x and 3.0.1 allow remote attackers to execute arbitrary
code.

Analysis
----------------
ED_PRI CAN-2001-0975 1
Vendor Acknowledgement: yes advisory

Voting Section
--------------
Possible votes: ACCEPT/MODIFY/NOOP/REVIEWING/RECAST/REJECT
If ACCEPT or MODIFY, include reason for acceptance:
  VERIFIED-BY-MY-ORG, ACKNOWLEDGED-BY-VENDOR, VERIFIED-BY-SOMEONE-I-TRUST,
  HAS-INDEPENDENT-CONFIRMATION, or provide other reason.

VOTE:
ACCEPT_REASON:

COMMENTS:

======================================================
Candidate: CAN-2001-0977
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2001-0977
Final-Decision:
Interim-Decision:
Modified:
Proposed: 20020131
Assigned: 20020131
Category: SF
Reference: CERT:CA-2001-18
Reference: URL:http://www.cert.org/advisories/CA-2001-18.html
Reference: CERT-VN:VU#935800
Reference: URL:http://www.kb.cert.org/vuls/id/935800
Reference: DEBIAN:DSA-068
Reference: URL:http://www.debian.org/security/2001/dsa-068
Reference: REDHAT:RHSA-2001:098
Reference: URL:http://www.redhat.com/support/errata/RHSA-2001-098.html
Reference: CONECTIVA:CLA-2001:417
Reference: URL:http://distro.conectiva.com.br/atualizacoes/?id=a&anuncio=000417
Reference: MANDRAKE:MDKSA-2001:069
Reference: URL:http://www.linux-mandrake.com/en/security/2001/MDKSA-2001-069.php3
Reference: BID:3049
Reference: URL:http://www.securityfocus.com/bid/3049
Reference: XF:openldap-ldap-protos-dos(6904)
Reference: URL:http://xforce.iss.net/static/6904.php

slapd in OpenLDAP 1.x before 1.2.12, and 2.x before 2.0.8, allows
remote attackers to cause a denial of service (crash) via an invalid
Basic Encoding Rules (BER) length field.

Analysis
----------------
ED_PRI CAN-2001-0977 1
Vendor Acknowledgement: yes advisory

Voting Section
--------------
Possible votes: ACCEPT/MODIFY/NOOP/REVIEWING/RECAST/REJECT
If ACCEPT or MODIFY, include reason for acceptance:
  VERIFIED-BY-MY-ORG, ACKNOWLEDGED-BY-VENDOR, VERIFIED-BY-SOMEONE-I-TRUST,
  HAS-INDEPENDENT-CONFIRMATION, or provide other reason.

VOTE:
ACCEPT_REASON:

COMMENTS:

======================================================
Candidate: CAN-2001-0980
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2001-0980
Final-Decision:
Interim-Decision:
Modified:
Proposed: 20020131
Assigned: 20020131
Category: SF
Reference: CALDERA:CSSA-2001-026.0
Reference: URL:http://www.calderasystems.com/support/security/advisories/CSSA-2001-026.0.txt
Reference: XF:docview-httpd-command-execution(6854)
Reference: URL:http://xforce.iss.net/static/6854.php
Reference: BID:3052
Reference: URL:http://www.securityfocus.com/bid/3052

docview before 1.0-15 allows remote attackers to execute arbitrary
commands via shell metacharacters that are processed when converting a
man page to a web page.

Analysis
----------------
ED_PRI CAN-2001-0980 1
Vendor Acknowledgement: yes advisory

Voting Section
--------------
Possible votes: ACCEPT/MODIFY/NOOP/REVIEWING/RECAST/REJECT
If ACCEPT or MODIFY, include reason for acceptance:
  VERIFIED-BY-MY-ORG, ACKNOWLEDGED-BY-VENDOR, VERIFIED-BY-SOMEONE-I-TRUST,
  HAS-INDEPENDENT-CONFIRMATION, or provide other reason.

VOTE:
ACCEPT_REASON:

COMMENTS:

======================================================
Candidate: CAN-2001-0993
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2001-0993
Final-Decision:
Interim-Decision:
Modified:
Proposed: 20020131
Assigned: 20020131
Category: SF
Reference: NETBSD:NetBSD-SA2001-011
Reference: URL:http://archives.neohapsis.com/archives/netbsd/2001-q3/0102.html
Reference: XF:bsd-kernel-sendmsg-dos(6908)
Reference: URL:http://xforce.iss.net/static/6908.php
Reference: BID:3088
Reference: URL:http://www.securityfocus.com/bid/3088

sendmsg function in NetBSD 1.3 through 1.5 allows local users to cause
a denial of service (kernel trap or panic) via a msghdr structure with
a large msg_controllen length.

Analysis
----------------
ED_PRI CAN-2001-0993 1
Vendor Acknowledgement: yes advisory

Voting Section
--------------
Possible votes: ACCEPT/MODIFY/NOOP/REVIEWING/RECAST/REJECT
If ACCEPT or MODIFY, include reason for acceptance:
  VERIFIED-BY-MY-ORG, ACKNOWLEDGED-BY-VENDOR, VERIFIED-BY-SOMEONE-I-TRUST,
  HAS-INDEPENDENT-CONFIRMATION, or provide other reason.

VOTE:
ACCEPT_REASON:

COMMENTS:

======================================================
Candidate: CAN-2001-1022
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2001-1022
Final-Decision:
Interim-Decision:
Modified:
Proposed: 20020131
Assigned: 20020131
Category: SF
Reference: BUGTRAQ:20010727 ADV/EXP:pic/lpd remote exploit - RH 7.0
Reference: URL:http://www.securityfocus.com/archive/1/199706
Reference: DEBIAN:DSA-072
Reference: URL:http://www.debian.org/security/2001/dsa-072
Reference: CONECTIVA:CLA-2001:428
Reference: URL:http://distro.conectiva.com.br/atualizacoes/?id=a&anuncio=000428
Reference: XF:linux-groff-format-string(6918)
Reference: URL:http://xforce.iss.net/static/6918.php
Reference: BID:3103
Reference: URL:http://www.securityfocus.com/bid/3103

Format string vulnerability in pic utility in groff 1.16.1 and other
versions allows remote attackers to bypass the -S option and execute
arbitrary commands via format string specifiers in the plot command.

Analysis
----------------
ED_PRI CAN-2001-1022 1
Vendor Acknowledgement: yes advisory

Voting Section
--------------
Possible votes: ACCEPT/MODIFY/NOOP/REVIEWING/RECAST/REJECT
If ACCEPT or MODIFY, include reason for acceptance:
  VERIFIED-BY-MY-ORG, ACKNOWLEDGED-BY-VENDOR, VERIFIED-BY-SOMEONE-I-TRUST,
  HAS-INDEPENDENT-CONFIRMATION, or provide other reason.

VOTE:
ACCEPT_REASON:

COMMENTS:

======================================================
Candidate: CAN-2001-1030
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2001-1030
Final-Decision:
Interim-Decision:
Modified:
Proposed: 20020131
Assigned: 20020131
Category: SF
Reference: BUGTRAQ:20010718 Squid httpd acceleration acl bug enables portscanning
Reference: URL:http://www.securityfocus.com/archive/1/197727
Reference: BUGTRAQ:20010719 TSLSA-2001-0013 - Squid
Reference: URL:http://archives.neohapsis.com/archives/bugtraq/2001-07/0362.html
Reference: IMMUNIX:IMNX-2001-70-031-01
Reference: URL:http://download.immunix.org/ImmunixOS/7.0/updates/IMNX-2001-70-031-01
Reference: CALDERA:CSSA-2001-029.0
Reference: URL:http://www.calderasystems.com/support/security/advisories/CSSA-2001-029.0.txt
Reference: MANDRAKE:MDKSA-2001:066
Reference: URL:http://www.linux-mandrake.com/en/security/2001/MDKSA-2001-066.php3
Reference: REDHAT:RHSA-2001:097
Reference: URL:http://www.redhat.com/support/errata/RHSA-2001-097.html
Reference: XF:squid-http-accelerator-portscanning(6862)
Reference: URL:http://xforce.iss.net/static/6862.php

Squid before 2.3STABLE5 in HTTP accelerator mode does not enable
access control lists (ACLs) when the httpd_accel_host and
http_accel_with_proxy off settings are used, which allows attackers to
bypass the ACLs and conduct unauthorized activities such as port
scanning.

Analysis
----------------
ED_PRI CAN-2001-1030 1
Vendor Acknowledgement: yes advisory

Voting Section
--------------
Possible votes: ACCEPT/MODIFY/NOOP/REVIEWING/RECAST/REJECT
If ACCEPT or MODIFY, include reason for acceptance:
  VERIFIED-BY-MY-ORG, ACKNOWLEDGED-BY-VENDOR, VERIFIED-BY-SOMEONE-I-TRUST,
  HAS-INDEPENDENT-CONFIRMATION, or provide other reason.

VOTE:
ACCEPT_REASON:

COMMENTS:

======================================================
Candidate: CAN-2001-1037
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2001-1037
Final-Decision:
Interim-Decision:
Modified:
Proposed: 20020131
Assigned: 20020131
Category: SF
Reference: CISCO:20010711 Vulnerabilities in Cisco SN 5420 Storage Routers
Reference: URL:http://www.cisco.com/warp/public/707/SN-kernel-pub.html
Reference: XF:cisco-sn-gain-access(6827)
Reference: URL:http://xforce.iss.net/static/6827.php
Reference: BID:3131
Reference: URL:http://www.securityfocus.com/bid/3131

Cisco SN 5420 Storage Router 1.1(3) and earlier allows local users to
access a developer's shell without a password and execute certain
restricted commands without being logged.

Analysis
----------------
ED_PRI CAN-2001-1037 1
Vendor Acknowledgement: yes advisory

Voting Section
--------------
Possible votes: ACCEPT/MODIFY/NOOP/REVIEWING/RECAST/REJECT
If ACCEPT or MODIFY, include reason for acceptance:
  VERIFIED-BY-MY-ORG, ACKNOWLEDGED-BY-VENDOR, VERIFIED-BY-SOMEONE-I-TRUST,
  HAS-INDEPENDENT-CONFIRMATION, or provide other reason.

VOTE:
ACCEPT_REASON:

COMMENTS:

======================================================
Candidate: CAN-2001-1038
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2001-1038
Final-Decision:
Interim-Decision:
Modified:
Proposed: 20020131
Assigned: 20020131
Category: SF
Reference: CISCO:20010711 Vulnerabilities in Cisco SN 5420 Storage Routers
Reference: URL:http://www.cisco.com/warp/public/707/SN-kernel-pub.html
Reference: CIAC:L-112
Reference: URL:http://www.ciac.org/ciac/bulletins/l-112.shtml
Reference: XF:cisco-sn-dos(6826)
Reference: URL:http://xforce.iss.net/static/6826.php

Cisco SN 5420 Storage Router 1.1(3) and earlier allows remote
attackers to cause a denial of service (reboot) via a series of
connections to TCP port 8023.

Analysis
----------------
ED_PRI CAN-2001-1038 1
Vendor Acknowledgement: yes advisory

Voting Section
--------------
Possible votes: ACCEPT/MODIFY/NOOP/REVIEWING/RECAST/REJECT
If ACCEPT or MODIFY, include reason for acceptance:
  VERIFIED-BY-MY-ORG, ACKNOWLEDGED-BY-VENDOR, VERIFIED-BY-SOMEONE-I-TRUST,
  HAS-INDEPENDENT-CONFIRMATION, or provide other reason.

VOTE:
ACCEPT_REASON:

COMMENTS:

======================================================
Candidate: CAN-2001-1046
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2001-1046
Final-Decision:
Interim-Decision:
Modified:
Proposed: 20020131
Assigned: 20020131
Category: SF
Reference: BUGTRAQ:20010602 Qpopper 4.0.3 **** Fixes Buffer Overflow **** (fwd)
Reference: URL:http://www.securityfocus.com/archive/1/188267
Reference: VULN-DEV:20010420 Qpopper 4.0 Buffer Overflow
Reference: URL:http://marc.theaimsgroup.com/?l=vuln-dev&m=98777649031406&w=2
Reference: CALDERA:CSSA-2001-SCO.8
Reference: URL:http://archives.neohapsis.com/archives/linux/caldera/2001-q3/0006.html
Reference: BID:2811
Reference: URL:http://www.securityfocus.com/bid/2811
Reference: XF:qpopper-username-bo(6647)
Reference: URL:http://xforce.iss.net/static/6647.php

Buffer overflow in qpopper (aka qpop or popper) 4.0 through 4.0.2
allows remote attackers gain privileges via a long username.

Analysis
----------------
ED_PRI CAN-2001-1046 1
Vendor Acknowledgement: yes advisory

ACKNOWLEDGEMENT: The Caldera advisory does not provide enough details
to be certain that it fixes the reported problem, but it is released a
month after the initial announcement, and it provides credits to the
same people who are credited in the initial announcement, so there is
enough evidence to determine that the Caldera advisory is addressing
this problem.

Voting Section
--------------
Possible votes: ACCEPT/MODIFY/NOOP/REVIEWING/RECAST/REJECT
If ACCEPT or MODIFY, include reason for acceptance:
  VERIFIED-BY-MY-ORG, ACKNOWLEDGED-BY-VENDOR, VERIFIED-BY-SOMEONE-I-TRUST,
  HAS-INDEPENDENT-CONFIRMATION, or provide other reason.

VOTE:
ACCEPT_REASON:

COMMENTS:

======================================================
Candidate: CAN-2001-1074
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2001-1074
Final-Decision:
Interim-Decision:
Modified:
Proposed: 20020131
Assigned: 20020131
Category: SF
Reference: BUGTRAQ:20010526 Webmin Doesn't Clean Env (root exploit)
Reference: URL:http://archives.neohapsis.com/archives/bugtraq/2001-05/0262.html
Reference: CALDERA:CSSA-2001-019.1
Reference: URL:http://www.calderasystems.com/support/security/advisories/CSSA-2001-019.1.txt
Reference: MANDRAKE:MDKSA-2001:059
Reference: URL:http://www.linux-mandrake.com/en/security/2001/MDKSA-2001-059.php3
Reference: XF:webmin-gain-information(6627)
Reference: URL:http://xforce.iss.net/static/6627.php
Reference: BID:2795
Reference: URL:http://www.securityfocus.com/bid/2795

Webmin 0.84 and earlier does not properly clear the HTTP_AUTHORIZATION
environment variable when the web server is restarted, which makes
authentication information available to all CGI programs and allows
local users to gain privileges.

Analysis
----------------
ED_PRI CAN-2001-1074 1
Vendor Acknowledgement: yes advisory

Voting Section
--------------
Possible votes: ACCEPT/MODIFY/NOOP/REVIEWING/RECAST/REJECT
If ACCEPT or MODIFY, include reason for acceptance:
  VERIFIED-BY-MY-ORG, ACKNOWLEDGED-BY-VENDOR, VERIFIED-BY-SOMEONE-I-TRUST,
  HAS-INDEPENDENT-CONFIRMATION, or provide other reason.

VOTE:
ACCEPT_REASON:

COMMENTS:

======================================================
Candidate: CAN-2001-1080
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2001-1080
Final-Decision:
Interim-Decision:
Modified:
Proposed: 20020131
Assigned: 20020131
Category: SF
Reference: IBM:MSS-OAR-E01-2001:225.1
Reference: URL:http://www-1.ibm.com/services/continuity/recover1.nsf/MSS/MSS-OAR-E01-2001.225.1/$file/oar225.txt
Reference: XF:aix-diagrpt-root-shell(6734)
Reference: URL:http://xforce.iss.net/static/6734.php

diagrpt in AIX 4.3.x and 5.1 uses the DIAGDATADIR environment variable
to find and execute certain programs, which allows local users to gain
privileges by modifying the variable to point to a Trojan horse
program.

Analysis
----------------
ED_PRI CAN-2001-1080 1
Vendor Acknowledgement: yes advisory

Voting Section
--------------
Possible votes: ACCEPT/MODIFY/NOOP/REVIEWING/RECAST/REJECT
If ACCEPT or MODIFY, include reason for acceptance:
  VERIFIED-BY-MY-ORG, ACKNOWLEDGED-BY-VENDOR, VERIFIED-BY-SOMEONE-I-TRUST,
  HAS-INDEPENDENT-CONFIRMATION, or provide other reason.

VOTE:
ACCEPT_REASON:

COMMENTS:

======================================================
Candidate: CAN-2001-0982
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2001-0982
Final-Decision:
Interim-Decision:
Modified:
Proposed: 20020131
Assigned: 20020131
Category: SF
Reference: BUGTRAQ:20010723 iXsecurity.20010618.policy_director.a
Reference: URL:http://archives.neohapsis.com/archives/bugtraq/2001-07/0497.html
Reference: AIXAPAR:IY18152
Reference: CONFIRM:ftp://ftp.tivoli.com/support/patches/patches_3.7.1/3.7.1-POL-0003/3.7.1-POL-0003.README
Reference: XF:tivoli-secureway-dot-directory-traversal(6884)
Reference: URL:http://xforce.iss.net/static/6884.php
Reference: BID:3080
Reference: URL:http://www.securityfocus.com/bid/3080

Directory traversal vulnerability in IBM Tivoli WebSEAL Policy
Director 3.01 through 3.7.1 allows remote attackers to read arbitrary
files or directories via encoded .. (dot dot) sequences containing
"%2e" strings.

Analysis
----------------
ED_PRI CAN-2001-0982 2
Vendor Acknowledgement: yes

ACKNOWLEDGEMENT: 3.7.1-POL-0003.README, dated June 29, 2001, says
"Specific URI-encoding can bypass security" and "%-encoded characters
are not being decoded properly in WebSEAL," which is sufficient
evidence that the document identifies the problem described in this
CVE item.

Voting Section
--------------
Possible votes: ACCEPT/MODIFY/NOOP/REVIEWING/RECAST/REJECT
If ACCEPT or MODIFY, include reason for acceptance:
  VERIFIED-BY-MY-ORG, ACKNOWLEDGED-BY-VENDOR, VERIFIED-BY-SOMEONE-I-TRUST,
  HAS-INDEPENDENT-CONFIRMATION, or provide other reason.

VOTE:
ACCEPT_REASON:

COMMENTS:

======================================================
Candidate: CAN-2001-0987
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2001-0987
Final-Decision:
Interim-Decision:
Modified:
Proposed: 20020131
Assigned: 20020131
Category: SF
Reference: BUGTRAQ:20010722 Re: [cgiwrap-users] Re: Security hole in CGIWrap (cross-site scripting vulnerability)
Reference: URL:http://archives.neohapsis.com/archives/bugtraq/2001-07/0499.html
Reference: CONFIRM:http://cgiwrap.sourceforge.net/changes.html
Reference: BID:3084
Reference: URL:http://www.securityfocus.com/bid/3084
Reference: XF:cgiwrap-cross-site-scripting(6886)
Reference: URL:http://xforce.iss.net/static/6886.php

Cross-site scripting vulnerability in CGIWrap before 3.7 allows remote
attackers to execute arbitrary Javascript on other web clients by
causing the Javascript to be inserted into error messages that are
generated by CGIWrap.

Analysis
----------------
ED_PRI CAN-2001-0987 2
Vendor Acknowledgement: yes changelog

ACKNOWLEDGEMENT: In the CGIWrap change log, version 3.7 includes the
following: "Encode user supplied output in error messages to fix
cross-site scripting vulnerability reported by Hiromitsu Takagi."

Voting Section
--------------
Possible votes: ACCEPT/MODIFY/NOOP/REVIEWING/RECAST/REJECT
If ACCEPT or MODIFY, include reason for acceptance:
  VERIFIED-BY-MY-ORG, ACKNOWLEDGED-BY-VENDOR, VERIFIED-BY-SOMEONE-I-TRUST,
  HAS-INDEPENDENT-CONFIRMATION, or provide other reason.

VOTE:
ACCEPT_REASON:

COMMENTS:

======================================================
Candidate: CAN-2001-1010
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2001-1010
Final-Decision:
Interim-Decision:
Modified:
Proposed: 20020131
Assigned: 20020131
Category: SF
Reference: BUGTRAQ:20010721 Sambar Web Server pagecount exploit code
Reference: URL:http://archives.neohapsis.com/archives/bugtraq/2001-07/0565.html
Reference: CONFIRM:http://www.sambar.com/security.htm
Reference: XF:sambar-pagecount-overwrite-files(6916)
Reference: URL:http://xforce.iss.net/static/6916.php
Reference: BID:3092
Reference: URL:http://www.securityfocus.com/bid/3092

Directory traversal vulnerability in pagecount CGI script in Sambar
Server before 5.0 beta 5 allows remote attackers to overwrite arbitrary
files via a .. (dot dot) attack on the page parameter.

Analysis
----------------
ED_PRI CAN-2001-1010 2
Vendor Acknowledgement: yes advisory

ACKNOWLEDGEMENT: http://www.sambar.com/security.htm, which had been
updated on 7/27/2001 according to the Sambar home page, says "All
versions of the Sambar WWW Server with the exception of 5.0 beta 5 and
later releases have a security vulnerability associated with the
pagecount sample code."

Voting Section
--------------
Possible votes: ACCEPT/MODIFY/NOOP/REVIEWING/RECAST/REJECT
If ACCEPT or MODIFY, include reason for acceptance:
  VERIFIED-BY-MY-ORG, ACKNOWLEDGED-BY-VENDOR, VERIFIED-BY-SOMEONE-I-TRUST,
  HAS-INDEPENDENT-CONFIRMATION, or provide other reason.

VOTE:
ACCEPT_REASON:

COMMENTS:

======================================================
Candidate: CAN-2001-1011
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2001-1011
Final-Decision:
Interim-Decision:
Modified:
Proposed: 20020131
Assigned: 20020131
Category: SF
Reference: BUGTRAQ:20010725 Serious security hole in Mambo Site Server version 3.0.X
Reference: URL:http://archives.neohapsis.com/archives/bugtraq/2001-07/0569.html
Reference: CONFIRM:http://prdownloads.sourceforge.net/mambo/mambov3.0.6.tar.gz
Reference: BID:3093
Reference: URL:http://www.securityfocus.com/bid/3093
Reference: XF:mambo-phpsessid-gain-privileges(6910)
Reference: URL:http://xforce.iss.net/static/6910.php

index2.php in Mambo Site Server 3.0.0 through 3.0.5 allows remote
attackers to gain Mambo administrator privileges by setting the
PHPSESSID parameter and providing the appropriate administrator
information in other parameters.

Analysis
----------------
ED_PRI CAN-2001-1011 2
Vendor Acknowledgement: yes changelog

ACKNOWLEDGEMENT: security_release.dat in the tar file for version
3.0.6 states "Users can get into the back-end of Mambo administration
and change content by entering the following url:
http://yoursite/administrator/index2.php?PHPSESSID=1" The web site
itself vaguely alludes to security problems, but the changelog is the
only conclusive evidence of vendor acknowledgement.

Voting Section
--------------
Possible votes: ACCEPT/MODIFY/NOOP/REVIEWING/RECAST/REJECT
If ACCEPT or MODIFY, include reason for acceptance:
  VERIFIED-BY-MY-ORG, ACKNOWLEDGED-BY-VENDOR, VERIFIED-BY-SOMEONE-I-TRUST,
  HAS-INDEPENDENT-CONFIRMATION, or provide other reason.

VOTE:
ACCEPT_REASON:

COMMENTS:

======================================================
Candidate: CAN-2001-1053
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2001-1053
Final-Decision:
Interim-Decision:
Modified:
Proposed: 20020131
Assigned: 20020131
Category: SF
Reference: BUGTRAQ:20010713 AdCycle SQL Command Insertion Vulnerability - qDefense Advisory Number QDAV-2001-7-2
Reference: URL:http://archives.neohapsis.com/archives/bugtraq/2001-07/0249.html
Reference: CONFIRM:http://www.adcycle.com/cgi-bin/download.cgi?type=UNIX&version=1.17
Reference: XF:adcycle-insert-sql-command(6837)
Reference: URL:http://xforce.iss.net/static/6837.php
Reference: BID:3032
Reference: URL:http://www.securityfocus.com/bid/3032
Reference: XF:php-includedir-code-execution(7215)
Reference: URL:http://xforce.iss.net/static/7215.php

AdLogin.pm in AdCycle 1.15 and earlier allows remote attackers to
bypass authentication and gain privileges by injecting SQL code in the
$password argument.

Analysis
----------------
ED_PRI CAN-2001-1053 2
Vendor Acknowledgement: yes changelog

ACKNOWLEDGEMENT: In the README.txt file bundled with the software, the
"[v1.16] July 5, 2001" entry states "fixed security hole (with help
from qDefense.com)."

Voting Section
--------------
Possible votes: ACCEPT/MODIFY/NOOP/REVIEWING/RECAST/REJECT
If ACCEPT or MODIFY, include reason for acceptance:
  VERIFIED-BY-MY-ORG, ACKNOWLEDGED-BY-VENDOR, VERIFIED-BY-SOMEONE-I-TRUST,
  HAS-INDEPENDENT-CONFIRMATION, or provide other reason.

VOTE:
ACCEPT_REASON:

COMMENTS:

======================================================
Candidate: CAN-2001-1056
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2001-1056
Final-Decision:
Interim-Decision:
Modified:
Proposed: 20020131
Assigned: 20020131
Category: SF
Reference: BUGTRAQ:20010730 [RAZOR] Linux kernel IP masquerading vulnerability
Reference: URL:http://archives.neohapsis.com/archives/bugtraq/2001-07/0733.html
Reference: BUGTRAQ:20010730 Re: [RAZOR] Linux kernel IP masquerading vulnerability (_actual_ patch)
Reference: URL:http://archives.neohapsis.com/archives/bugtraq/2001-07/0750.html
Reference: BID:3117
Reference: URL:http://www.securityfocus.com/bid/3117

IRC DCC helper in the ip_masq_irc IP masquerading module 2.2 allows
remote attackers to bypass intended firewall restrictions by causing
the target system to send a "DCC SEND" request to a malicious server
which listens on port 6667, which may cause the module to believe that
the traffic is a valid request and allow the connection to the port
specified in the DCC SEND request.

Analysis
----------------
ED_PRI CAN-2001-1056 2
Vendor Acknowledgement: yes followup

Voting Section
--------------
Possible votes: ACCEPT/MODIFY/NOOP/REVIEWING/RECAST/REJECT
If ACCEPT or MODIFY, include reason for acceptance:
  VERIFIED-BY-MY-ORG, ACKNOWLEDGED-BY-VENDOR, VERIFIED-BY-SOMEONE-I-TRUST,
  HAS-INDEPENDENT-CONFIRMATION, or provide other reason.

VOTE:
ACCEPT_REASON:

COMMENTS:

======================================================
Candidate: CAN-2001-1075
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2001-1075
Final-Decision:
Interim-Decision:
Modified:
Proposed: 20020131
Assigned: 20020131
Category: SF
Reference: BUGTRAQ:20010703 poprelayd and sendmail relay authentication problem (Cobalt Raq3)
Reference: URL:http://archives.neohapsis.com/archives/bugtraq/2001-07/0064.html
Reference: BUGTRAQ:20010709 Re: poprelayd and sendmail relay authentication problem (Cobalt Raq3)
Reference: URL:http://archives.neohapsis.com/archives/bugtraq/2001-07/0150.html
Reference: XF:cobalt-poprelayd-mail-relay(6806)
Reference: URL:http://xforce.iss.net/static/6806.php
Reference: BID:2986
Reference: URL:http://www.securityfocus.com/bid/2986

poprelayd script before 2.0 in Cobalt RaQ3 servers allows remote
attackers to bypass authentication for relaying by causing a "POP
login by user" string that includes the attacker's IP address to be
injected into the maillog log file.

Analysis
----------------
ED_PRI CAN-2001-1075 2
Vendor Acknowledgement: yes followup

Voting Section
--------------
Possible votes: ACCEPT/MODIFY/NOOP/REVIEWING/RECAST/REJECT
If ACCEPT or MODIFY, include reason for acceptance:
  VERIFIED-BY-MY-ORG, ACKNOWLEDGED-BY-VENDOR, VERIFIED-BY-SOMEONE-I-TRUST,
  HAS-INDEPENDENT-CONFIRMATION, or provide other reason.

VOTE:
ACCEPT_REASON:

COMMENTS:

======================================================
Candidate: CAN-2001-1079
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2001-1079
Final-Decision:
Interim-Decision:
Modified:
Proposed: 20020131
Assigned: 20020131
Category: CF
Reference: AIXAPAR:IY19069
Reference: URL:http://archives.neohapsis.com/archives/aix/2001-q3/0000.html

create_keyfiles in PSSP 3.2 with DCE 3.1 authentication on AIX 3.2.0
creates keyfile directories with world-writable permissions, which
could allow a local user to delete key files and cause a denial of
service.

Analysis
----------------
ED_PRI CAN-2001-1079 2
Vendor Acknowledgement: yes

Voting Section
--------------
Possible votes: ACCEPT/MODIFY/NOOP/REVIEWING/RECAST/REJECT
If ACCEPT or MODIFY, include reason for acceptance:
  VERIFIED-BY-MY-ORG, ACKNOWLEDGED-BY-VENDOR, VERIFIED-BY-SOMEONE-I-TRUST,
  HAS-INDEPENDENT-CONFIRMATION, or provide other reason.

VOTE:
ACCEPT_REASON:

COMMENTS:

======================================================
Candidate: CAN-2001-1081
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2001-1081
Final-Decision:
Interim-Decision:
Modified:
Proposed: 20020131
Assigned: 20020131
Category: SF
Reference: CONFIRM:http://freshmeat.net/releases/52020/
Reference: BID:2994
Reference: URL:http://www.securityfocus.com/bid/2994

Format string vulnerabilities in Livingston/Lucent RADIUS before
2.1.va.1 may allow local or remote attackers to cause a denial of
service and possibly execute arbitrary code via format specifiers that
are injected into log messages.

Analysis
----------------
ED_PRI CAN-2001-1081 2
Vendor Acknowledgement: yes advisory

Voting Section
--------------
Possible votes: ACCEPT/MODIFY/NOOP/REVIEWING/RECAST/REJECT
If ACCEPT or MODIFY, include reason for acceptance:
  VERIFIED-BY-MY-ORG, ACKNOWLEDGED-BY-VENDOR, VERIFIED-BY-SOMEONE-I-TRUST,
  HAS-INDEPENDENT-CONFIRMATION, or provide other reason.

VOTE:
ACCEPT_REASON:

COMMENTS:

======================================================
Candidate: CAN-2001-0749
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2001-0749
Final-Decision:
Interim-Decision:
Modified:
Proposed: 20020131
Assigned: 20011012
Category: SF
Reference: BID:2775
Reference: URL:http://www.securityfocus.com/bid/2775
Reference: BUGTRAQ:20010524 IPC@Chip Security
Reference: URL:http://www.securityfocus.com/archive/1/186418

Beck IPC GmbH IPC@CHIP Embedded-Webserver allows remote attacker to
retrieve arbitrary files via webserver root directory set to system root.

Analysis
----------------
ED_PRI CAN-2001-0749 3
Vendor Acknowledgement:

This is an embedded system- hardware and software on a chip. The audit
was done as if it were a standard server.  On the vendor website it
stats- "Should your IPC@CHIP application have direct access to the
Internet, you can turn off unnecessary services, e.g. HTTP-, FTP-, and
Telnet server, completely and thus further increase the security."
All 24 of these submissions come from one vulnerability report-
http://www.securityfocus.com/archive/1/186418 There are 11 issues
covered and most of these are configuration related.

Voting Section
--------------
Possible votes: ACCEPT/MODIFY/NOOP/REVIEWING/RECAST/REJECT
If ACCEPT or MODIFY, include reason for acceptance:
  VERIFIED-BY-MY-ORG, ACKNOWLEDGED-BY-VENDOR, VERIFIED-BY-SOMEONE-I-TRUST,
  HAS-INDEPENDENT-CONFIRMATION, or provide other reason.

VOTE:
ACCEPT_REASON:

COMMENTS:

======================================================
Candidate: CAN-2001-0988
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2001-0988
Final-Decision:
Interim-Decision:
Modified:
Proposed: 20020131
Assigned: 20020131
Category: SF
Reference: BUGTRAQ:20010723 permission probs with Arkeia
Reference: URL:http://archives.neohapsis.com/archives/bugtraq/2001-07/0521.html
Reference: BID:3085
Reference: URL:http://www.securityfocus.com/bid/3085
Reference: XF:arkeia-insecure-file-permissions(6885)
Reference: URL:http://xforce.iss.net/static/6885.php

Arkeia backup server 4.2.8-2 and earlier creates its database files
with world-writable permissions, which could allow local users to
overwrite the files or obtain sensitive information.

Analysis
----------------
ED_PRI CAN-2001-0988 3
Vendor Acknowledgement:

Voting Section
--------------
Possible votes: ACCEPT/MODIFY/NOOP/REVIEWING/RECAST/REJECT
If ACCEPT or MODIFY, include reason for acceptance:
  VERIFIED-BY-MY-ORG, ACKNOWLEDGED-BY-VENDOR, VERIFIED-BY-SOMEONE-I-TRUST,
  HAS-INDEPENDENT-CONFIRMATION, or provide other reason.

VOTE:
ACCEPT_REASON:

COMMENTS:

======================================================
Candidate: CAN-2001-0989
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2001-0989
Final-Decision:
Interim-Decision:
Modified:
Proposed: 20020131
Assigned: 20020131
Category: SF
Reference: BUGTRAQ:20010723 pileup 1.2
Reference: URL:http://archives.neohapsis.com/archives/bugtraq/2001-07/0512.html
Reference: CONFIRM:http://www.babbage.demon.co.uk/linux/pileup-1.2/pileup-1.2.tar.gz
Reference: BID:3086
Reference: URL:http://www.securityfocus.com/bid/3086

Buffer overflows in Pileup before 1.2 allows local users to gain root
privileges via (1) long command line arguments, or (2) a long
callsign.

Analysis
----------------
ED_PRI CAN-2001-0989 3
Vendor Acknowledgement: yes changelog
Content Decisions: SF-LOC

ACKNOWLEDGEMENT: The pileup home page says "Version 1.2 released to
correct security vulnerabilities." But the README file in pileup 1.2
states more precisely: "Fixed scanf() security buffer overflows."
ABSTRACTION: CD:SF-LOC states that problems of the same type, and in
the same version, should be merged together.

Voting Section
--------------
Possible votes: ACCEPT/MODIFY/NOOP/REVIEWING/RECAST/REJECT
If ACCEPT or MODIFY, include reason for acceptance:
  VERIFIED-BY-MY-ORG, ACKNOWLEDGED-BY-VENDOR, VERIFIED-BY-SOMEONE-I-TRUST,
  HAS-INDEPENDENT-CONFIRMATION, or provide other reason.

VOTE:
ACCEPT_REASON:

COMMENTS:

======================================================
Candidate: CAN-2001-0991
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2001-0991
Final-Decision:
Interim-Decision:
Modified:
Proposed: 20020131
Assigned: 20020131
Category: SF
Reference: BUGTRAQ:20010724 Proxomitron Cross-site Scripting Vulnerability
Reference: URL:http://www.securityfocus.com/archive/1/198954
Reference: XF:proxomitron-cross-site-scripting(6887)
Reference: URL:http://xforce.iss.net/static/6887.php
Reference: BID:3087
Reference: URL:http://www.securityfocus.com/bid/3087

Cross-site scripting vulnerability in Proxomitron Naoko-4 BetaFour and
earlier allows remote attackers to execute arbitrary script on other
clients via an incorrect URL containing the malicious script, which is
printed back in an error message.

Analysis
----------------
ED_PRI CAN-2001-0991 3
Vendor Acknowledgement: unknown discloser-claimed

Voting Section
--------------
Possible votes: ACCEPT/MODIFY/NOOP/REVIEWING/RECAST/REJECT
If ACCEPT or MODIFY, include reason for acceptance:
  VERIFIED-BY-MY-ORG, ACKNOWLEDGED-BY-VENDOR, VERIFIED-BY-SOMEONE-I-TRUST,
  HAS-INDEPENDENT-CONFIRMATION, or provide other reason.

VOTE:
ACCEPT_REASON:

COMMENTS:

======================================================
Candidate: CAN-2001-1021
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2001-1021
Final-Decision:
Interim-Decision:
Modified:
Proposed: 20020131
Assigned: 20020131
Category: SF
Reference: BUGTRAQ:20010726 def-2001-28 - WS_FTP server 2.0.2 Buffer Overflow and possible DOS
Reference: URL:http://archives.neohapsis.com/archives/bugtraq/2001-07/0610.html
Reference: MISC:http://www.ipswitch.com/Support/WS_FTP-Server/patch-upgrades.html
Reference: XF:wsftp-long-command-bo(6911)
Reference: URL:http://xforce.iss.net/static/6911.php

Buffer overflows in WS_FTP 2.02 allow remote attackers to execute
arbitrary code via long arguments to (1) DELE, (2) MDTM, (3) MLST, (4)
MKD, (5) RMD, (6) RNFR, (7) RNTO, (8) SIZE, (9) STAT, (10) XMKD, or
(11) XRMD.

Analysis
----------------
ED_PRI CAN-2001-1021 3
Vendor Acknowledgement: yes advisory
Content Decisions: SF-LOC

ACKNOWLEDGEMENT: The patch upgrade comments for WS_FTP Server 2.04 say
"Fix of buffer overrun in STAT command," but it is not clear if the
other overflows were also addressed.

Voting Section
--------------
Possible votes: ACCEPT/MODIFY/NOOP/REVIEWING/RECAST/REJECT
If ACCEPT or MODIFY, include reason for acceptance:
  VERIFIED-BY-MY-ORG, ACKNOWLEDGED-BY-VENDOR, VERIFIED-BY-SOMEONE-I-TRUST,
  HAS-INDEPENDENT-CONFIRMATION, or provide other reason.

VOTE:
ACCEPT_REASON:

COMMENTS:

======================================================
Candidate: CAN-2001-1024
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2001-1024
Final-Decision:
Interim-Decision:
Modified:
Proposed: 20020131
Assigned: 20020131
Category: SF
Reference: BUGTRAQ:20010727 Entrust - getAccess
Reference: URL:http://archives.neohapsis.com/archives/bugtraq/2001-07/0662.html
Reference: XF:entrust-getaccess-execute-commands(6915)
Reference: URL:http://xforce.iss.net/static/6915.php

login.gas.bat and other CGI scripts in Entrust getAccess allow remote
attackers to execute Java programs, and possibly arbitrary commands,
by specifying an alternate -classpath argument.

Analysis
----------------
ED_PRI CAN-2001-1024 3
Vendor Acknowledgement:

Voting Section
--------------
Possible votes: ACCEPT/MODIFY/NOOP/REVIEWING/RECAST/REJECT
If ACCEPT or MODIFY, include reason for acceptance:
  VERIFIED-BY-MY-ORG, ACKNOWLEDGED-BY-VENDOR, VERIFIED-BY-SOMEONE-I-TRUST,
  HAS-INDEPENDENT-CONFIRMATION, or provide other reason.

VOTE:
ACCEPT_REASON:

COMMENTS:

======================================================
Candidate: CAN-2001-1026
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2001-1026
Final-Decision:
Interim-Decision:
Modified:
Proposed: 20020131
Assigned: 20020131
Category: SF
Reference: BUGTRAQ:20010709 Various problems in Ternd Micro AppletTrap URL filtering
Reference: URL:http://archives.neohapsis.com/archives/bugtraq/2001-07/0129.html
Reference: XF:applettrap-bypass-ip-restrictions(6818)
Reference: URL:http://xforce.iss.net/static/6818.php
Reference: XF:content-slash-bypass-filter(6816)
Reference: URL:http://xforce.iss.net/static/6816.php
Reference: XF:applettrap-unicode-bypass-filter(6817)
Reference: URL:http://xforce.iss.net/static/6817.php
Reference: XF:applettrap-zero-bypass-restrictions(6819)
Reference: URL:http://xforce.iss.net/static/6819.php

Trend Micro InterScan AppletTrap 2.0 does not properly filter URLs
when they are modified in certain ways such as (1) using a double
slash (//) instead of a single slash, (2) URL-encoded characters, (3)
requesting the IP address instead of the domain name, or (4) using
leading a leading 0 in an octet of an IP address.

Analysis
----------------
ED_PRI CAN-2001-1026 3
Vendor Acknowledgement: unknown discloser-claimed
Content Decisions: SF-LOC

ABSTRACTION: each of these attack vectors is of the same general type
"inability to recognize alternate encodings," a.k.a. a
canonicalization problem as discussed on the webappsec/OWASP mailing
list in December 2001. CD:SF-LOC would argue for combining them.
However, it might be argued that "poor canonicalization" is too high
level, and this candidate should be SPLIT into separate items.
ACKNOWLEDGEMENT: the researchers claim that Trend Micro said they
would address the problem in version 2.5, but the release information
does not mention any vulnrabilities, and a search on the web site's
knowledge base for "security" and "vulnerability" were not successful,
and Trend's "security" page is devoted exclusively to viruses.

Voting Section
--------------
Possible votes: ACCEPT/MODIFY/NOOP/REVIEWING/RECAST/REJECT
If ACCEPT or MODIFY, include reason for acceptance:
  VERIFIED-BY-MY-ORG, ACKNOWLEDGED-BY-VENDOR, VERIFIED-BY-SOMEONE-I-TRUST,
  HAS-INDEPENDENT-CONFIRMATION, or provide other reason.

VOTE:
ACCEPT_REASON:

COMMENTS:

======================================================
Candidate: CAN-2001-1042
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2001-1042
Final-Decision:
Interim-Decision:
Modified:
Proposed: 20020131
Assigned: 20020131
Category: SF
Reference: BUGTRAQ:20010701 Broker 5.9.5.0 Directory Traversal
Reference: URL:http://www.securityfocus.com/archive/1/194443
Reference: BID:2960
Reference: URL:http://www.securityfocus.com/bid/2960
Reference: XF:ftp-lnk-directory-traversal(6760)
Reference: URL:http://xforce.iss.net/static/6760.php

Transsoft Broker 5.9.5.0 allows remote attackers to read arbitrary
files and directories by uploading a .lnk (link) file that points to
the target file.

Analysis
----------------
ED_PRI CAN-2001-1042 3
Vendor Acknowledgement:

Voting Section
--------------
Possible votes: ACCEPT/MODIFY/NOOP/REVIEWING/RECAST/REJECT
If ACCEPT or MODIFY, include reason for acceptance:
  VERIFIED-BY-MY-ORG, ACKNOWLEDGED-BY-VENDOR, VERIFIED-BY-SOMEONE-I-TRUST,
  HAS-INDEPENDENT-CONFIRMATION, or provide other reason.

VOTE:
ACCEPT_REASON:

COMMENTS:

======================================================
Candidate: CAN-2001-1043
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2001-1043
Final-Decision:
Interim-Decision:
Modified:
Proposed: 20020131
Assigned: 20020131
Category: SF
Reference: BUGTRAQ:20010701 ArGoSoft 1.2.2.2 *.lnk upload Directory Traversal
Reference: URL:http://www.securityfocus.com/archive/1/194445
Reference: BID:2961
Reference: URL:http://www.securityfocus.com/bid/2961
Reference: XF:ftp-lnk-directory-traversal(6760)
Reference: URL:http://xforce.iss.net/static/6760.php

ArGoSoft FTP Server 1.2.2.2 allows remote attackers to read arbitrary
files and directories by uploading a .lnk (link) file that points to
the target file.

Analysis
----------------
ED_PRI CAN-2001-1043 3
Vendor Acknowledgement:

Voting Section
--------------
Possible votes: ACCEPT/MODIFY/NOOP/REVIEWING/RECAST/REJECT
If ACCEPT or MODIFY, include reason for acceptance:
  VERIFIED-BY-MY-ORG, ACKNOWLEDGED-BY-VENDOR, VERIFIED-BY-SOMEONE-I-TRUST,
  HAS-INDEPENDENT-CONFIRMATION, or provide other reason.

VOTE:
ACCEPT_REASON:

COMMENTS:

======================================================
Candidate: CAN-2001-1044
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2001-1044
Final-Decision:
Interim-Decision:
Modified:
Proposed: 20020131
Assigned: 20020131
Category: SF
Reference: BUGTRAQ:20010112 Basilix Webmail System *.class *.inc Permission Vulnerability
Reference: URL:http://www.securityfocus.com/archive/1/155897
Reference: XF:basilix-webmail-retrieve-files(5934)
Reference: URL:http://xforce.iss.net/static/5934.php
Reference: BID:2198
Reference: URL:http://www.securityfocus.com/bid/2198

Basilix Webmail 0.9.7beta, and possibly other versions, stores *.class
and *.inc files under the document root and does not restrict access,
which could allows remote attackers to obtain sensitive information
such as MySQL passwords and usernames from the mysql.class file.

Analysis
----------------
ED_PRI CAN-2001-1044 3
Vendor Acknowledgement:

Voting Section
--------------
Possible votes: ACCEPT/MODIFY/NOOP/REVIEWING/RECAST/REJECT
If ACCEPT or MODIFY, include reason for acceptance:
  VERIFIED-BY-MY-ORG, ACKNOWLEDGED-BY-VENDOR, VERIFIED-BY-SOMEONE-I-TRUST,
  HAS-INDEPENDENT-CONFIRMATION, or provide other reason.

VOTE:
ACCEPT_REASON:

COMMENTS:

======================================================
Candidate: CAN-2001-1045
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2001-1045
Final-Decision:
Interim-Decision:
Modified:
Proposed: 20020131
Assigned: 20020131
Category: SF
Reference: BUGTRAQ:20010706 basilix bug
Reference: URL:http://archives.neohapsis.com/archives/bugtraq/2001-07/0114.html
Reference: BID:2995
Reference: URL:http://www.securityfocus.com/bid/2995
Reference: XF:basilix-webmail-view-files(6873)
Reference: URL:http://xforce.iss.net/static/6873.php

Directory traversal vulnerability in basilix.php3 in Basilix Webmail
1.0.3beta and earlier allows remote attackers to read arbitrary files
via a .. (dot dot) in the request_id[DUMMY] parameter.

Analysis
----------------
ED_PRI CAN-2001-1045 3
Vendor Acknowledgement: unknown discloser-claimed

Voting Section
--------------
Possible votes: ACCEPT/MODIFY/NOOP/REVIEWING/RECAST/REJECT
If ACCEPT or MODIFY, include reason for acceptance:
  VERIFIED-BY-MY-ORG, ACKNOWLEDGED-BY-VENDOR, VERIFIED-BY-SOMEONE-I-TRUST,
  HAS-INDEPENDENT-CONFIRMATION, or provide other reason.

VOTE:
ACCEPT_REASON:

COMMENTS:

======================================================
Candidate: CAN-2001-1047
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2001-1047
Final-Decision:
Interim-Decision:
Modified:
Proposed: 20020131
Assigned: 20020131
Category: SF
Reference: BUGTRAQ:20010602 Locally exploitable races in OpenBSD VFS
Reference: URL:http://www.securityfocus.com/archive/1/188474
Reference: BID:2817
Reference: URL:http://www.securityfocus.com/bid/2817
Reference: BID:2818
Reference: URL:http://www.securityfocus.com/bid/2818
Reference: XF:openbsd-pipe-race-dos(6661)
Reference: URL:http://xforce.iss.net/static/6661.php
Reference: XF:openbsd-dup2-race-dos(6660)
Reference: URL:http://xforce.iss.net/static/6660.php

Race condition in OpenBSD VFS allows local users to cause a denial of
service (kernel panic) by (1) creating a pipe in one thread and
causing another thread to set one of the file descriptors to NULL via
a close, or (2) calling dup2 on a file descriptor in one process, then
setting the descriptor to NULL via a close in another process that is
created via rfork.

Analysis
----------------
ED_PRI CAN-2001-1047 3
Vendor Acknowledgement: unknown
Content Decisions: SF-LOC

ABSTRACTION: CD:SF-LOC suggests that problems of the same type (in
this case, race condition) that appear in the same version should be
combined into a single item.

Voting Section
--------------
Possible votes: ACCEPT/MODIFY/NOOP/REVIEWING/RECAST/REJECT
If ACCEPT or MODIFY, include reason for acceptance:
  VERIFIED-BY-MY-ORG, ACKNOWLEDGED-BY-VENDOR, VERIFIED-BY-SOMEONE-I-TRUST,
  HAS-INDEPENDENT-CONFIRMATION, or provide other reason.

VOTE:
ACCEPT_REASON:

COMMENTS:

======================================================
Candidate: CAN-2001-1055
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2001-1055
Final-Decision:
Interim-Decision:
Modified:
Proposed: 20020131
Assigned: 20020131
Category: SF
Reference: BUGTRAQ:20010730 ARPNuke - 80 kb/s kills a whole subnet
Reference: URL:http://www.securityfocus.com/archive/1/200323
Reference: BID:3113
Reference: URL:http://www.securityfocus.com/bid/3113

Vulnerability in the Microsoft Windows network stack allows remote
attackers to cause a denial of service (CPU consumption) via a flood
of malformed ARP request packets with random source IP and MAC
addresses.

Analysis
----------------
ED_PRI CAN-2001-1055 3
Vendor Acknowledgement:

There is insufficient information to be able to narrow down which
operating systems are affected; the disclosers did not mention these
specifics.

Voting Section
--------------
Possible votes: ACCEPT/MODIFY/NOOP/REVIEWING/RECAST/REJECT
If ACCEPT or MODIFY, include reason for acceptance:
  VERIFIED-BY-MY-ORG, ACKNOWLEDGED-BY-VENDOR, VERIFIED-BY-SOMEONE-I-TRUST,
  HAS-INDEPENDENT-CONFIRMATION, or provide other reason.

VOTE:
ACCEPT_REASON:

COMMENTS:

======================================================
Candidate: CAN-2001-1057
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2001-1057
Final-Decision:
Interim-Decision:
Modified:
Proposed: 20020131
Assigned: 20020131
Category: SF
Reference: BUGTRAQ:20010730 a couple minor issues with mathematica license manager
Reference: URL:http://www.securityfocus.com/archive/1/200462
Reference: BID:3120
Reference: URL:http://www.securityfocus.com/bid/3120
Reference: XF:mathematica-license-dos(6926)
Reference: URL:http://xforce.iss.net/static/6926.php

The License Manager (mathlm) for Mathematica 4.0 and 4.1 allows remote
attackers to cause a denial of service (resource exhaustion) by
connecting to port 16286 and not disconnecting, which prevents users
from making license requests.

Analysis
----------------
ED_PRI CAN-2001-1057 3
Vendor Acknowledgement:

Voting Section
--------------
Possible votes: ACCEPT/MODIFY/NOOP/REVIEWING/RECAST/REJECT
If ACCEPT or MODIFY, include reason for acceptance:
  VERIFIED-BY-MY-ORG, ACKNOWLEDGED-BY-VENDOR, VERIFIED-BY-SOMEONE-I-TRUST,
  HAS-INDEPENDENT-CONFIRMATION, or provide other reason.

VOTE:
ACCEPT_REASON:

COMMENTS:

======================================================
Candidate: CAN-2001-1058
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2001-1058
Final-Decision:
Interim-Decision:
Modified:
Proposed: 20020131
Assigned: 20020131
Category: SF
Reference: BUGTRAQ:20010730 a couple minor issues with mathematica license manager
Reference: URL:http://www.securityfocus.com/archive/1/200462
Reference: BID:3118
Reference: URL:http://www.securityfocus.com/bid/3118
Reference: XF:mathematica-license-retrieval(6927)
Reference: URL:http://xforce.iss.net/static/6927.php

The License Manager (mathlm) for Mathematica 4.0 and 4.1 allows remote
attackers to bypass access control (specified by the -restrict
argument) and steal a license via a client request that includes the
name of a host that is allowed to obtain the license.

Analysis
----------------
ED_PRI CAN-2001-1058 3
Vendor Acknowledgement:

Voting Section
--------------
Possible votes: ACCEPT/MODIFY/NOOP/REVIEWING/RECAST/REJECT
If ACCEPT or MODIFY, include reason for acceptance:
  VERIFIED-BY-MY-ORG, ACKNOWLEDGED-BY-VENDOR, VERIFIED-BY-SOMEONE-I-TRUST,
  HAS-INDEPENDENT-CONFIRMATION, or provide other reason.

VOTE:
ACCEPT_REASON:

COMMENTS:

======================================================
Candidate: CAN-2001-1059
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2001-1059
Final-Decision:
Interim-Decision:
Modified:
Proposed: 20020131
Assigned: 20020131
Category: CF
Reference: BUGTRAQ:20010730 vmware bug?
Reference: URL:http://www.securityfocus.com/archive/1/200455
Reference: BID:3119
Reference: URL:http://www.securityfocus.com/bid/3119
Reference: XF:vmware-obtain-license-info(6925)
Reference: URL:http://xforce.iss.net/static/6925.php

VMWare creates a temporary file vmware-log.USERNAME with insecure
permissions, which allows local users to read or modify license
information.

Analysis
----------------
ED_PRI CAN-2001-1059 3
Vendor Acknowledgement:

Voting Section
--------------
Possible votes: ACCEPT/MODIFY/NOOP/REVIEWING/RECAST/REJECT
If ACCEPT or MODIFY, include reason for acceptance:
  VERIFIED-BY-MY-ORG, ACKNOWLEDGED-BY-VENDOR, VERIFIED-BY-SOMEONE-I-TRUST,
  HAS-INDEPENDENT-CONFIRMATION, or provide other reason.

VOTE:
ACCEPT_REASON:

COMMENTS:

======================================================
Candidate: CAN-2001-1060
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2001-1060
Final-Decision:
Interim-Decision:
Modified:
Proposed: 20020131
Assigned: 20020131
Category: SF
Reference: BUGTRAQ:20010731 New command execution vulnerability in myPhpAdmin
Reference: URL:http://www.securityfocus.com/archive/1/200596
Reference: MISC:http://freshmeat.net/redir/phpmyadmin/8001/url_changelog/
Reference: BID:3121
Reference: URL:http://www.securityfocus.com/bid/3121

phpMyAdmin 2.2.0rc3 and earlier allows remote attackers to execute
arbirtrary commands by inserting them into (1) the strCopyTableOK
argument in tbl_copy.php, or (2) the strRenameTableOK argument in
tbl_rename.php.

Analysis
----------------
ED_PRI CAN-2001-1060 3
Vendor Acknowledgement: unknown vague
Content Decisions: SF-EXEC

ACKNOWLEDGEMENT: The Change Log has various references to a "security
issue," but does not provide enough details to know if it's fixed
*this* security issue.
ABSTRACTION: CD:SF-EXEC suggests combining issues of the same types
that appear in multiple executables of the same version of the same
package.

Voting Section
--------------
Possible votes: ACCEPT/MODIFY/NOOP/REVIEWING/RECAST/REJECT
If ACCEPT or MODIFY, include reason for acceptance:
  VERIFIED-BY-MY-ORG, ACKNOWLEDGED-BY-VENDOR, VERIFIED-BY-SOMEONE-I-TRUST,
  HAS-INDEPENDENT-CONFIRMATION, or provide other reason.

VOTE:
ACCEPT_REASON:

COMMENTS:

======================================================
Candidate: CAN-2001-1076
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2001-1076
Final-Decision:
Interim-Decision:
Modified:
Proposed: 20020131
Assigned: 20020131
Category: SF
Reference: BUGTRAQ:20010705 Solaris whodo Vulnerability
Reference: URL:http://archives.neohapsis.com/archives/bugtraq/2001-07/0076.html
Reference: BID:2935
Reference: URL:http://www.securityfocus.com/bid/2935
Reference: XF:solaris-whodo-bo(6802)
Reference: URL:http://xforce.iss.net/static/6802.php

Buffer overflow in whodo in Solaris SunOS 5.5.1 through 5.8 allows
local users to execute arbitrary code via a long (1) SOR or (2) CFIME
environment variable.

Analysis
----------------
ED_PRI CAN-2001-1076 3
Vendor Acknowledgement:
Content Decisions: SF-LOC

Voting Section
--------------
Possible votes: ACCEPT/MODIFY/NOOP/REVIEWING/RECAST/REJECT
If ACCEPT or MODIFY, include reason for acceptance:
  VERIFIED-BY-MY-ORG, ACKNOWLEDGED-BY-VENDOR, VERIFIED-BY-SOMEONE-I-TRUST,
  HAS-INDEPENDENT-CONFIRMATION, or provide other reason.

VOTE:
ACCEPT_REASON:

COMMENTS:

======================================================
Candidate: CAN-2001-1077
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2001-1077
Final-Decision:
Interim-Decision:
Modified:
Proposed: 20020131
Assigned: 20020131
Category: SF
Reference: BUGTRAQ:20010615 Rxvt vulnerability
Reference: URL:http://www.securityfocus.com/archive/1/191510
Reference: DEBIAN:DSA-062
Reference: URL:http://www.debian.org/security/2001/dsa-062
Reference: IMMUNIX:IMNX-2001-70-028-01
Reference: URL:http://download.immunix.org/ImmunixOS/7.0/updates/IMNX-2001-70-028-01
Reference: XF:rxvt-ttprintf-bo(6701)
Reference: URL:http://xforce.iss.net/static/6701.php

Buffer overflow in tt_printf function of rxvt 2.6.2 allows local users
to gain privileges via a long (1) -T or (2) -name argument.

Analysis
----------------
ED_PRI CAN-2001-1077 3
Vendor Acknowledgement: yes advisory
Content Decisions: SF-LOC

Voting Section
--------------
Possible votes: ACCEPT/MODIFY/NOOP/REVIEWING/RECAST/REJECT
If ACCEPT or MODIFY, include reason for acceptance:
  VERIFIED-BY-MY-ORG, ACKNOWLEDGED-BY-VENDOR, VERIFIED-BY-SOMEONE-I-TRUST,
  HAS-INDEPENDENT-CONFIRMATION, or provide other reason.

VOTE:
ACCEPT_REASON:

COMMENTS:

======================================================
Candidate: CAN-2001-1078
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2001-1078
Final-Decision:
Interim-Decision:
Modified:
Proposed: 20020131
Assigned: 20020131
Category: SF
Reference: BUGTRAQ:20010622 eXtremail Remote Format String ('s)
Reference: URL:http://www.securityfocus.com/archive/1/192791
Reference: CONFIRM:http://www.extremail.com/history.htm
Reference: CONFIRM:http://www.extremail.com/news.htm
Reference: XF:extremail-flog-format-string(6733)
Reference: URL:http://xforce.iss.net/static/6733.php
Reference: BID:2908
Reference: URL:http://www.securityfocus.com/bid/2908

Format string vulnerability in flog function of eXtremail 1.1.9 and
earlier allows remote attackers to gain root privileges via format
specifiers in the SMTP commands (1) HELO, (2) EHLO, (3) MAIL FROM, or
(4) RCPT TO, and the POP3 commands (5) USER and (6) other commands
that can be executed after POP3 authentication.

Analysis
----------------
ED_PRI CAN-2001-1078 3
Vendor Acknowledgement: yes advisory
Content Decisions: SF-LOC

ACKNOWLEDGEMENT: In the product history page, the vendor states for
version 1.1.10: "There were a bug on the logging function that arised
a SIG when a '%' was encountered on some strings." This sounds close
to a description of the problem, but it is not absolutely clear as the
version is dated in April and the problem was announced to Bugtraq in
June. However, in the "news" section on June 2001, the vendor states
"A security bug is encountered on previous versions of eXtremail
(prior 1.1.10)... [which has] been released for more than two months."

Voting Section
--------------
Possible votes: ACCEPT/MODIFY/NOOP/REVIEWING/RECAST/REJECT
If ACCEPT or MODIFY, include reason for acceptance:
  VERIFIED-BY-MY-ORG, ACKNOWLEDGED-BY-VENDOR, VERIFIED-BY-SOMEONE-I-TRUST,
  HAS-INDEPENDENT-CONFIRMATION, or provide other reason.

VOTE:
ACCEPT_REASON:

COMMENTS:

======================================================
Candidate: CAN-2001-1082
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2001-1082
Final-Decision:
Interim-Decision:
Modified:
Proposed: 20020131
Assigned: 20020131
Category: SF
Reference: CONFIRM:http://freshmeat.net/releases/52020/

Directory traversal vulnerability in Livingston/Lucent RADIUS before
2.1.va.1 may allow attackers to read arbitrary files via a .. (dot
dot) attack.

Analysis
----------------
ED_PRI CAN-2001-1082 3
Vendor Acknowledgement: yes advisory
Content Decisions: VAGUE

ACKNOWLEDGEMENT/INCLUSION: the vendor alludes to the directory
traversal vulnerability but does not describe exploit scenarios: "All
fopen() calls are preceded by a check to ensure that the filename only
contains legal character sequences. In particular, filenames
containing '..' will not be opened."

Voting Section
--------------
Possible votes: ACCEPT/MODIFY/NOOP/REVIEWING/RECAST/REJECT
If ACCEPT or MODIFY, include reason for acceptance:
  VERIFIED-BY-MY-ORG, ACKNOWLEDGED-BY-VENDOR, VERIFIED-BY-SOMEONE-I-TRUST,
  HAS-INDEPENDENT-CONFIRMATION, or provide other reason.

VOTE:
ACCEPT_REASON:

COMMENTS:

======================================================
Candidate: CAN-2001-1083
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2001-1083
Final-Decision:
Interim-Decision:
Modified:
Proposed: 20020131
Assigned: 20020131
Category: SF
Reference: BUGTRAQ:20010626 Advisory
Reference: URL:http://www.securityfocus.com/archive/1/193516
Reference: MISC:http://www.icecast.org/index.html
Reference: BID:2933
Reference: URL:http://www.securityfocus.com/bid/2933
Reference: XF:icecast-http-remote-dos(6751)
Reference: URL:http://xforce.iss.net/static/6751.php

Icecast 1.3.8beta2 and earlier with HTTP server file streaming support
enabled allows remote attackers to cause a denial of service (crash)
via a URL that ends in . (dot), / (forward slash), or \ (backward
slash).

Analysis
----------------
ED_PRI CAN-2001-1083 3
Vendor Acknowledgement: unknown vague

ACKNOWLEDGEMENT: On August 7, 2001 (more than a month after the
initial disclosure), the news page states "contains a couple security
updates." There is insufficient information to be confident whether
the vendor is fixing the DoS or directory traversal problems
identified on Bugtraq.

Voting Section
--------------
Possible votes: ACCEPT/MODIFY/NOOP/REVIEWING/RECAST/REJECT
If ACCEPT or MODIFY, include reason for acceptance:
  VERIFIED-BY-MY-ORG, ACKNOWLEDGED-BY-VENDOR, VERIFIED-BY-SOMEONE-I-TRUST,
  HAS-INDEPENDENT-CONFIRMATION, or provide other reason.

VOTE:
ACCEPT_REASON:

COMMENTS:

Page Last Updated or Reviewed: May 22, 2007