[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]
[PROPOSAL] Cluster MISC-2001-004 - 28 candidates

To: cve-editorial-board-list@lists.mitre.org
Subject: [PROPOSAL] Cluster MISC-2001-004 - 28 candidates
From: "Steven M. Christey" <coley@linus.mitre.org>
Date: Tue, 11 Jun 2002 01:20:22 -0400 (EDT)
Delivery-Date: Tue Jun 11 01:20:33 2002
Sender: owner-cve-editorial-board-list@lists.mitre.org
I am proposing cluster MISC-2001-004 for review and voting by the
Editorial Board.

Name: MISC-2001-004
Description: Misc. candidates announsed between 5/31/2001 and 12/27/2001
Size: 28

You may vote on candidates by modifying this email ballot and sending
it back to me, or by using the CVE voting web site.

The candidates are listed in order of priority.  Priority 1 and
Priority 2 candidates both deal with varying levels of vendor
confirmation, so they should be easy to review and it can be trusted
that the problems are real.


Summary of votes to use (in ascending order of "severity")
----------------------------------------------------------

ACCEPT - voter accepts the candidate as proposed
NOOP - voter has no opinion on the candidate
MODIFY - voter wants to change some MINOR detail (e.g. reference/description)
REVIEWING - voter is reviewing/researching the candidate, or needs more info
RECAST - candidate must be significantly modified, e.g. split or merged
REJECT - candidate is "not a vulnerability", or a duplicate, etc.

1) Please write your vote on the line that starts with "VOTE: ".  If
   you want to add comments or details, add them to lines after the
   VOTE: line.

2) If you see any missing references, please mention them so that they
   can be included.  References help greatly during mapping.

3) Note that a "MODIFY" is treated as an "ACCEPT" when counting votes.
   So if you don't have sufficient information for a candidate but you
   don't want to NOOP, use a REVIEWING.

********** NOTE ********** NOTE ********** NOTE ********** NOTE **********

Please keep in mind that your vote and comments will be recorded and
publicly viewable in the mailing list archives or in other formats.

======================================================
Candidate: CAN-2001-1350
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2001-1350
Final-Decision:
Interim-Decision:
Modified:
Proposed: 20020611
Assigned: 20020602
Category: SF
Reference: REDHAT:RHSA-2001:162
Reference: MISC:http://search.namazu.org/ml/namazu-devel-ja/msg02114.html

Cross-site scripting vulnerability in namazu.cgi for Namazu 2.0.7 and
earlier allows remote attackers to execute arbitrary Javascript as
other web users via the lang parameter.

Analysis
----------------
ED_PRI CAN-2001-1350 1
Vendor Acknowledgement: yes advisory

Voting Section
--------------
Possible votes: ACCEPT/MODIFY/NOOP/REVIEWING/RECAST/REJECT
If ACCEPT or MODIFY, include reason for acceptance:
  VERIFIED-BY-MY-ORG, ACKNOWLEDGED-BY-VENDOR, VERIFIED-BY-SOMEONE-I-TRUST,
  HAS-INDEPENDENT-CONFIRMATION, or provide other reason.

VOTE:
ACCEPT_REASON:

COMMENTS:

======================================================
Candidate: CAN-2001-1351
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2001-1351
Final-Decision:
Interim-Decision:
Modified:
Proposed: 20020611
Assigned: 20020602
Category: SF/CF/MP/SA/AN/unknown
Reference: REDHAT:RHSA-2001:162
Reference: URL:http://marc.theaimsgroup.com/?l=bugtraq&w=2&r=1&s=namazu&q=b

Cross-site scripting vulnerability in Namazu 2.0.8 and earlier allows
remote attackers to execute arbitrary Javascript as other web users
via the index file name that is displayed when displaying hit numbers.

Analysis
----------------
ED_PRI CAN-2001-1351 1
Vendor Acknowledgement: yes advisory

Voting Section
--------------
Possible votes: ACCEPT/MODIFY/NOOP/REVIEWING/RECAST/REJECT
If ACCEPT or MODIFY, include reason for acceptance:
  VERIFIED-BY-MY-ORG, ACKNOWLEDGED-BY-VENDOR, VERIFIED-BY-SOMEONE-I-TRUST,
  HAS-INDEPENDENT-CONFIRMATION, or provide other reason.

VOTE:
ACCEPT_REASON:

COMMENTS:

======================================================
Candidate: CAN-2001-1352
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2001-1352
Final-Decision:
Interim-Decision:
Modified:
Proposed: 20020611
Assigned: 20020602
Category: SF
Reference: REDHAT:RHSA-2001:179
Reference: URL:http://marc.theaimsgroup.com/?l=bugtraq&m=101060476404565&w=2
Reference: BUGTRAQ:20011227 Re: [RHSA-2001:162-04] Updated namazu packages are available
Reference: URL:http://marc.theaimsgroup.com/?l=bugtraq&m=100947261916155&w=2
Reference: BUGTRAQ:20020109 Details on the updated namazu packages that are available
Reference: URL:http://marc.theaimsgroup.com/?l=bugtraq&m=101068116016472&w=2

Cross-site scripting vulnerability in Namazu 2.0.9 and earlier allows
remote attackers to execute arbitrary Javascript as other web users
via an error message that is returned when an invalid index file is
specified in the idxname parameter.

Analysis
----------------
ED_PRI CAN-2001-1352 1
Vendor Acknowledgement: yes advisory

Voting Section
--------------
Possible votes: ACCEPT/MODIFY/NOOP/REVIEWING/RECAST/REJECT
If ACCEPT or MODIFY, include reason for acceptance:
  VERIFIED-BY-MY-ORG, ACKNOWLEDGED-BY-VENDOR, VERIFIED-BY-SOMEONE-I-TRUST,
  HAS-INDEPENDENT-CONFIRMATION, or provide other reason.

VOTE:
ACCEPT_REASON:

COMMENTS:

======================================================
Candidate: CAN-2001-1353
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2001-1353
Final-Decision:
Interim-Decision:
Modified:
Proposed: 20020611
Assigned: 20020602
Category: SF
Reference: MISC:http://marc.theaimsgroup.com/?l=lprng&m=100083210910857&w=2
Reference: REDHAT:RHSA-2001:138
Reference: URL:http://www.redhat.com/support/errata/RHSA-2001-138.html

ghostscript before 6.51 allows local users to read and write arbitrary
files as the 'lp' user via the file operator, even with -dSAFER
enabled.

Analysis
----------------
ED_PRI CAN-2001-1353 1
Vendor Acknowledgement: yes advisory

Voting Section
--------------
Possible votes: ACCEPT/MODIFY/NOOP/REVIEWING/RECAST/REJECT
If ACCEPT or MODIFY, include reason for acceptance:
  VERIFIED-BY-MY-ORG, ACKNOWLEDGED-BY-VENDOR, VERIFIED-BY-SOMEONE-I-TRUST,
  HAS-INDEPENDENT-CONFIRMATION, or provide other reason.

VOTE:
ACCEPT_REASON:

COMMENTS:

======================================================
Candidate: CAN-2001-1359
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2001-1359
Final-Decision:
Interim-Decision:
Modified:
Proposed: 20020611
Assigned: 20020607
Category: CF
Reference: CALDERA:CSSA-2001-021.0
Reference: URL:http://www.caldera.com/support/security/advisories/CSSA-2001-021.0.txt
Reference: BID:2850
Reference: URL:http://www.securityfocus.com/bid/2850
Reference: XF:volution-authentication-failure-access(6672)
Reference: URL:http://xforce.iss.net/static/6672.php

Volution clients 1.0.7 and earlier attempt to contact the computer
creation daemon (CCD) when an LDAP authentication failure occurs,
which allows remote attackers to fully control clients via a Trojan
horse Volution server.

Analysis
----------------
ED_PRI CAN-2001-1359 1
Vendor Acknowledgement: yes advisory

Voting Section
--------------
Possible votes: ACCEPT/MODIFY/NOOP/REVIEWING/RECAST/REJECT
If ACCEPT or MODIFY, include reason for acceptance:
  VERIFIED-BY-MY-ORG, ACKNOWLEDGED-BY-VENDOR, VERIFIED-BY-SOMEONE-I-TRUST,
  HAS-INDEPENDENT-CONFIRMATION, or provide other reason.

VOTE:
ACCEPT_REASON:

COMMENTS:

======================================================
Candidate: CAN-2001-1367
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2001-1367
Final-Decision:
Interim-Decision:
Modified:
Proposed: 20020611
Assigned: 20020607
Category: SF
Reference: CONFIRM:http://phpslice.org/comments.php?aid=1031&;
Reference: VULNWATCH:20010719 [VulnWatch] Changelog maddness (14 various broken apps)
Reference: URL:http://archives.neohapsis.com/archives/vulnwatch/2001-q3/0005.html

The checkAccess function in PHPSlice 0.1.4, and all other versions
between 0.1.1 and 0.1.6, does not properly verify the administrative
access level, which could allow remote attackers to gain privileges.

Analysis
----------------
ED_PRI CAN-2001-1367 1
Vendor Acknowledgement: yes changelog

ACKNOWLEDGEMENT: a post on the vendor web page states "Due to a stupid
mistake on a line in the checkAccess() function, PHPSlice 0.1.4 (and
potentially all earlier releases as well) has a gaping security hole
that allows any user to perform administrative tasks if they enter the
correct URL."
ACCURACY: while the vendor's statement implies that the problem was
fixed after 0.1.4, a review of the source code indicates that it
actually wasn't fixed until 0.1.7.

Voting Section
--------------
Possible votes: ACCEPT/MODIFY/NOOP/REVIEWING/RECAST/REJECT
If ACCEPT or MODIFY, include reason for acceptance:
  VERIFIED-BY-MY-ORG, ACKNOWLEDGED-BY-VENDOR, VERIFIED-BY-SOMEONE-I-TRUST,
  HAS-INDEPENDENT-CONFIRMATION, or provide other reason.

VOTE:
ACCEPT_REASON:

COMMENTS:

======================================================
Candidate: CAN-2001-1369
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2001-1369
Final-Decision:
Interim-Decision:
Modified:
Proposed: 20020611
Assigned: 20020607
Category: SF
Reference: FREEBSD:FreeBSD-SA-02:14
Reference: URL:ftp://ftp.FreeBSD.org/pub/FreeBSD/CERT/advisories/FreeBSD-SA-02:14.pam-pgsql.asc
Reference: BID:3319
Reference: URL:http://online.securityfocus.com/bid/3319
Reference: XF:postgresql-pam-authentication-module(7110)
Reference: URL:http://www.iss.net/security_center/static/7110.php

Leon J Breedt pam-pgsql before 0.5.2 allows remote attackers to
execute arbitrary SQL code and bypass authentication or modify user
account records by injecting SQL statements into user or password
fields.

Analysis
----------------
ED_PRI CAN-2001-1369 1
Vendor Acknowledgement: yes advisory

Voting Section
--------------
Possible votes: ACCEPT/MODIFY/NOOP/REVIEWING/RECAST/REJECT
If ACCEPT or MODIFY, include reason for acceptance:
  VERIFIED-BY-MY-ORG, ACKNOWLEDGED-BY-VENDOR, VERIFIED-BY-SOMEONE-I-TRUST,
  HAS-INDEPENDENT-CONFIRMATION, or provide other reason.

VOTE:
ACCEPT_REASON:

COMMENTS:

======================================================
Candidate: CAN-2001-1370
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2001-1370
Final-Decision:
Interim-Decision:
Modified:
Proposed: 20020611
Assigned: 20020607
Category: SF
Reference: BUGTRAQ:20010722 [SEC] Hole in PHPLib 7.2 prepend.php3
Reference: URL:http://www.securityfocus.com/archive/1/198768
Reference: BUGTRAQ:20010726 TSLSA-2001-0014 - PHPLib
Reference: URL:http://marc.theaimsgroup.com/?l=bugtraq&m=99616122712122&w=2
Reference: BUGTRAQ:20010721 IMP 2.2.6 (SECURITY) released
Reference: URL:http://online.securityfocus.com/archive/1/198495
Reference: CONECTIVA:CLA-2001:410
Reference: URL:http://distro.conectiva.com.br/atualizacoes/?id=a&anuncio=000410
Reference: CALDERA:CSSA-2001-027.0
Reference: URL:http://www.calderasystems.com/support/security/advisories/CSSA-2001-027.0.txt
Reference: DEBIAN:DSA-073
Reference: URL:http://www.debian.org/security/2001/dsa-073
Reference: BID:3079
Reference: URL:http://www.securityfocus.com/bid/3079
Reference: XF:phplib-script-execution(6892)
Reference: URL:http://www.iss.net/security_center/static/6892.php

prepend.php3 in PHPLib before 7.2d, when register_globals is enabled
for PHP, allows remote attackers to execute arbitrary scripts via an
HTTP request that modifies $_PHPLIB[libdir] to point to malicious code
on another server, as seen in Horde 1.2.5 and earlier, IMP before
2.2.6, and other packages that use PHPLib.

Analysis
----------------
ED_PRI CAN-2001-1370 1
Vendor Acknowledgement: yes advisory

Voting Section
--------------
Possible votes: ACCEPT/MODIFY/NOOP/REVIEWING/RECAST/REJECT
If ACCEPT or MODIFY, include reason for acceptance:
  VERIFIED-BY-MY-ORG, ACKNOWLEDGED-BY-VENDOR, VERIFIED-BY-SOMEONE-I-TRUST,
  HAS-INDEPENDENT-CONFIRMATION, or provide other reason.

VOTE:
ACCEPT_REASON:

COMMENTS:

======================================================
Candidate: CAN-2001-1371
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2001-1371
Final-Decision:
Interim-Decision:
Modified:
Proposed: 20020611
Assigned: 20020607
Category: SF
Reference: BUGTRAQ:20020206 Hackproofing Oracle Application Server paper
Reference: URL:http://marc.theaimsgroup.com/?l=bugtraq&m=101301813117562&w=2
Reference: MISC:http://www.nextgenss.com/papers/hpoas.pdf
Reference: CERT-VN:VU#736923
Reference: URL:http://www.kb.cert.org/vuls/id/736923
Reference: CERT:CA-2002-08
Reference: URL:http://www.cert.org/advisories/CA-2002-08.html
Reference: CONFIRM:http://technet.oracle.com/deploy/security/pdf/ias_soap_alert.pdf
Reference: BID:4289
Reference: URL:http://www.securityfocus.com/bid/4289

The default configuration of Oracle Application Server 9iAS 1.0.2.2
enables SOAP and allows anonymous users to deploy applications by
default via urn:soap-service-manager and urn:soap-provider-manager.

Analysis
----------------
ED_PRI CAN-2001-1371 1
Vendor Acknowledgement: yes advisory

Voting Section
--------------
Possible votes: ACCEPT/MODIFY/NOOP/REVIEWING/RECAST/REJECT
If ACCEPT or MODIFY, include reason for acceptance:
  VERIFIED-BY-MY-ORG, ACKNOWLEDGED-BY-VENDOR, VERIFIED-BY-SOMEONE-I-TRUST,
  HAS-INDEPENDENT-CONFIRMATION, or provide other reason.

VOTE:
ACCEPT_REASON:

COMMENTS:

======================================================
Candidate: CAN-2001-1372
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2001-1372
Final-Decision:
Interim-Decision:
Modified:
Proposed: 20020611
Assigned: 20020607
Category: SF
Reference: BUGTRAQ:20010917 Yet another path disclosure vulnerability
Reference: URL:http://marc.theaimsgroup.com/?l=bugtraq&m=100074087824021&w=2
Reference: BUGTRAQ:20010921 Response to "Path disclosure vulnerability in Oracle 9i and 8i
Reference: URL:http://marc.theaimsgroup.com/?l=bugtraq&m=100119633925473&w=2
Reference: CERT:CA-2002-08
Reference: URL:http://www.cert.org/advisories/CA-2002-08.html
Reference: CERT-VN:VU#278971
Reference: URL:http://www.kb.cert.org/vuls/id/278971
Reference: CONFIRM:http://otn.oracle.com/deploy/security/pdf/jspexecute_alert.pdf
Reference: BID:3341
Reference: URL:http://www.securityfocus.com/bid/3341
Reference: XF:oracle-jsp-reveal-path(7135)
Reference: URL:http://xforce.iss.net/static/7135.php

Oracle 9i Application Server 1.0.2 allows remote attackers to obtain
the physical path of a file under the server root via a request for a
non-existent .JSP file, which leaks the pathname in an error message.

Analysis
----------------
ED_PRI CAN-2001-1372 1
Vendor Acknowledgement: yes advisory

Voting Section
--------------
Possible votes: ACCEPT/MODIFY/NOOP/REVIEWING/RECAST/REJECT
If ACCEPT or MODIFY, include reason for acceptance:
  VERIFIED-BY-MY-ORG, ACKNOWLEDGED-BY-VENDOR, VERIFIED-BY-SOMEONE-I-TRUST,
  HAS-INDEPENDENT-CONFIRMATION, or provide other reason.

VOTE:
ACCEPT_REASON:

COMMENTS:

======================================================
Candidate: CAN-2001-1373
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2001-1373
Final-Decision:
Interim-Decision:
Modified:
Proposed: 20020611
Assigned: 20020607
Category: SF
Reference: BUGTRAQ:20010718 ZoneAlarm Pro
Reference: URL:http://www.securityfocus.com/archive/1/197681
Reference: CONFIRM:http://www.zonelabs.com/products/zap/rel_history.html#2.6.362
Reference: XF:zonealarm-bypass-mailsafe(6877)
Reference: URL:http://xforce.iss.net/static/6877.php
Reference: BID:3055
Reference: URL:http://www.securityfocus.com/bid/3055

MailSafe in Zone Labs ZoneAlarm 2.6 and earlier and ZoneAlarm Pro 2.6
and 2.4 does not block prohibited file types with long file names,
which allows remote attackers to send potentially dangerous
attachments.

Analysis
----------------
ED_PRI CAN-2001-1373 1
Vendor Acknowledgement: yes changelog

ACKNOWLEDGEMENT: the product's release history includes a heading
titled "New and improved features in ZoneAlarm Pro version 2.6.231,"
which states: "MailSafe improvements to better handle attachments of
long file names"

Voting Section
--------------
Possible votes: ACCEPT/MODIFY/NOOP/REVIEWING/RECAST/REJECT
If ACCEPT or MODIFY, include reason for acceptance:
  VERIFIED-BY-MY-ORG, ACKNOWLEDGED-BY-VENDOR, VERIFIED-BY-SOMEONE-I-TRUST,
  HAS-INDEPENDENT-CONFIRMATION, or provide other reason.

VOTE:
ACCEPT_REASON:

COMMENTS:

======================================================
Candidate: CAN-2001-1374
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2001-1374
Final-Decision:
Interim-Decision:
Modified:
Proposed: 20020611
Assigned: 20020607
Category: SF
Reference: CONFIRM:https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=22187
Reference: CONFIRM:https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=28224
Reference: CONECTIVA:CLA-2001:409
Reference: URL:http://distro.conectiva.com.br/atualizacoes/?id=a&anuncio=000409
Reference: XF:expect-insecure-library-search(6870)
Reference: URL:http://xforce.iss.net/static/6870.php
Reference: BID:3074
Reference: URL:http://www.securityfocus.com/bid/3074

expect before 5.32 searches for its libraries in /var/tmp before other
directories, which could allow local users to gain root privileges via
a Trojan horse library that is accessed by mkpasswd.

Analysis
----------------
ED_PRI CAN-2001-1374 1
Vendor Acknowledgement: yes changelog

Voting Section
--------------
Possible votes: ACCEPT/MODIFY/NOOP/REVIEWING/RECAST/REJECT
If ACCEPT or MODIFY, include reason for acceptance:
  VERIFIED-BY-MY-ORG, ACKNOWLEDGED-BY-VENDOR, VERIFIED-BY-SOMEONE-I-TRUST,
  HAS-INDEPENDENT-CONFIRMATION, or provide other reason.

VOTE:
ACCEPT_REASON:

COMMENTS:

======================================================
Candidate: CAN-2001-1375
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2001-1375
Final-Decision:
Interim-Decision:
Modified:
Proposed: 20020611
Assigned: 20020607
Category: SF
Reference: CONFIRM:https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=28226
Reference: CONECTIVA:CLA-2001:409
Reference: URL:http://distro.conectiva.com.br/atualizacoes/?id=a&anuncio=000409
Reference: XF:tcltk-insecure-library-search(6869)
Reference: URL:http://www.iss.net/security_center/static/6869.php
Reference: BID:3073
Reference: URL:http://www.securityfocus.com/bid/3073

tcl/tk package (tcltk) 8.3.1 searches for its libraries in the current
working directory before other directories, which could allow local
users to execute arbitrary code via a Trojan horse library that is
under a user-controlled directory.

Analysis
----------------
ED_PRI CAN-2001-1375 1
Vendor Acknowledgement: yes advisory

Voting Section
--------------
Possible votes: ACCEPT/MODIFY/NOOP/REVIEWING/RECAST/REJECT
If ACCEPT or MODIFY, include reason for acceptance:
  VERIFIED-BY-MY-ORG, ACKNOWLEDGED-BY-VENDOR, VERIFIED-BY-SOMEONE-I-TRUST,
  HAS-INDEPENDENT-CONFIRMATION, or provide other reason.

VOTE:
ACCEPT_REASON:

COMMENTS:

======================================================
Candidate: CAN-2001-1354
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2001-1354
Final-Decision:
Interim-Decision:
Modified:
Proposed: 20020611
Assigned: 20020607
Category: SF
Reference: BUGTRAQ:20010720 NetWin Authentication Module 3.0b password storage vulnerabilities / buffer overflows
Reference: URL:http://online.securityfocus.com/archive/1/198293
Reference: XF:netwin-nwauth-weak-encryption(6866)
Reference: URL:http://xforce.iss.net/static/6866.php
Reference: BID:3075
Reference: URL:http://www.securityfocus.com/bid/3075

NetWin Authentication module (NWAuth) 2.0 and 3.0b, as implemented in
SurgeFTP, DMail, and possibly other packages, uses weak password
hashing, which could allow local users to decrypt passwords or use a
different password that has the same hash value as the correct
password.

Analysis
----------------
ED_PRI CAN-2001-1354 3
Vendor Acknowledgement: unknown
Content Decisions: DESIGN-WEAK-ENCRYPTION

Voting Section
--------------
Possible votes: ACCEPT/MODIFY/NOOP/REVIEWING/RECAST/REJECT
If ACCEPT or MODIFY, include reason for acceptance:
  VERIFIED-BY-MY-ORG, ACKNOWLEDGED-BY-VENDOR, VERIFIED-BY-SOMEONE-I-TRUST,
  HAS-INDEPENDENT-CONFIRMATION, or provide other reason.

VOTE:
ACCEPT_REASON:

COMMENTS:

======================================================
Candidate: CAN-2001-1355
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2001-1355
Final-Decision:
Interim-Decision:
Modified:
Proposed: 20020611
Assigned: 20020607
Category: SF
Reference: BUGTRAQ:20010720 NetWin Authentication Module 3.0b password storage vulnerabilities / buffer overflows
Reference: URL:http://online.securityfocus.com/archive/1/198293
Reference: BID:3077
Reference: URL:http://www.securityfocus.com/bid/3077
Reference: XF:netwin-nwauth-bo(6865)
Reference: URL:http://xforce.iss.net/static/6865.php

Buffer overflows in NetWin Authentication Module (NWAuth) 3.0b and
earlier, as implemented in DMail, SurgeFTP, and possibly other
packages, could allow attackers to execute arbitrary code via long
arguments to (1) the -del command or (2) the -lookup command.

Analysis
----------------
ED_PRI CAN-2001-1355 3
Vendor Acknowledgement: unknown
Content Decisions: SF-LOC

Voting Section
--------------
Possible votes: ACCEPT/MODIFY/NOOP/REVIEWING/RECAST/REJECT
If ACCEPT or MODIFY, include reason for acceptance:
  VERIFIED-BY-MY-ORG, ACKNOWLEDGED-BY-VENDOR, VERIFIED-BY-SOMEONE-I-TRUST,
  HAS-INDEPENDENT-CONFIRMATION, or provide other reason.

VOTE:
ACCEPT_REASON:

COMMENTS:

======================================================
Candidate: CAN-2001-1356
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2001-1356
Final-Decision:
Interim-Decision:
Modified:
Proposed: 20020611
Assigned: 20020607
Category: SF
Reference: BUGTRAQ:20010804 SurgeFTP admin account bruteforcable
Reference: URL:http://online.securityfocus.com/archive/1/201951
Reference: XF:surgeftp-weak-password-encryption(6961)
Reference: URL:http://www.iss.net/security_center/static/6961.php
Reference: BID:3157
Reference: URL:http://www.securityfocus.com/bid/3157

NetWin SurgeFTP 2.0f and earlier encrypts passwords using weak
hashing, a fixed salt value and modulo 40 calculations, which allows
remote attackers to conduct brute force password guessing attacks
against the administrator account on port 7021.

Analysis
----------------
ED_PRI CAN-2001-1356 3
Vendor Acknowledgement: unknown
Content Decisions: DESIGN-WEAK-ENCRYPTION

Voting Section
--------------
Possible votes: ACCEPT/MODIFY/NOOP/REVIEWING/RECAST/REJECT
If ACCEPT or MODIFY, include reason for acceptance:
  VERIFIED-BY-MY-ORG, ACKNOWLEDGED-BY-VENDOR, VERIFIED-BY-SOMEONE-I-TRUST,
  HAS-INDEPENDENT-CONFIRMATION, or provide other reason.

VOTE:
ACCEPT_REASON:

COMMENTS:

======================================================
Candidate: CAN-2001-1357
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2001-1357
Final-Decision:
Interim-Decision:
Modified:
Proposed: 20020611
Assigned: 20020607
Category: SF
Reference: CONFIRM:http://www.phpheaven.net/projects/phpMyChat/changes.php3

Multiple vulnerabilities in phpMyChat before 0.14.5 exist in (1)
input.php3, (2) handle_inputH.php3, or (3) index.lib.php3 with unknown
consequences, possibly related to user spoofing or improperly
initialized variables.

Analysis
----------------
ED_PRI CAN-2001-1357 3
Vendor Acknowledgement: yes changelog
Content Decisions: VAGUE, SF-LOC, SF-EXEC

ABSTRACTION/ACCURACY: The vendor's change log merely says that "two
security issues [have] been fixed," but provides no additional
details.  The affected files were inferred from "security fix"
comments in a diff report between 0.14.4 and 0.14.5.  There is
insufficient time to spend on this item by researching the issue more
closely, but the addition of a check for an IP address suggests user
spoofing.

Voting Section
--------------
Possible votes: ACCEPT/MODIFY/NOOP/REVIEWING/RECAST/REJECT
If ACCEPT or MODIFY, include reason for acceptance:
  VERIFIED-BY-MY-ORG, ACKNOWLEDGED-BY-VENDOR, VERIFIED-BY-SOMEONE-I-TRUST,
  HAS-INDEPENDENT-CONFIRMATION, or provide other reason.

VOTE:
ACCEPT_REASON:

COMMENTS:

======================================================
Candidate: CAN-2001-1358
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2001-1358
Final-Decision:
Interim-Decision:
Modified:
Proposed: 20020611
Assigned: 20020607
Category: SF
Reference: CONFIRM:http://www.phpheaven.net/projects/phpMyChat/changes.php3

Vulnerabilities in phpMyChat before 0.14.4 allow local and possibly
remote attackers to gain privileges by specifying an alternate library
file in the L (localization) parameter.

Analysis
----------------
ED_PRI CAN-2001-1358 3
Vendor Acknowledgement: yes changelog
Content Decisions: VAGUE, SF-LOC, SF-EXEC

ABSTRACTION/ACCURACY: The vendor's change log for 0.14.4, dated
20010531, merely says that "some important security fixes have been
merged."  While that is not enough detail to support this item's
description, some diffs between 0.14.4 and 0.14.3 makes it clear that
at the very least, the localization parameter is affected.  However,
there may be other issues as well.

Voting Section
--------------
Possible votes: ACCEPT/MODIFY/NOOP/REVIEWING/RECAST/REJECT
If ACCEPT or MODIFY, include reason for acceptance:
  VERIFIED-BY-MY-ORG, ACKNOWLEDGED-BY-VENDOR, VERIFIED-BY-SOMEONE-I-TRUST,
  HAS-INDEPENDENT-CONFIRMATION, or provide other reason.

VOTE:
ACCEPT_REASON:

COMMENTS:

======================================================
Candidate: CAN-2001-1360
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2001-1360
Final-Decision:
Interim-Decision:
Modified:
Proposed: 20020611
Assigned: 20020607
Category: SF
Reference: CONFIRM:ftp://ftp.mostang.com/pub/sane/sane-1.0.8/sane-backends-1.0.8.tar.gz
Reference: VULNWATCH:20010719 [VulnWatch] Changelog maddness (14 various broken apps)
Reference: URL:http://archives.neohapsis.com/archives/vulnwatch/2001-q3/0005.html

Vulnerability in Scanner Access Now Easy (SANE) before 1.0.5, related
to pnm and saned.

Analysis
----------------
ED_PRI CAN-2001-1360 3
Vendor Acknowledgement: yes changelog
Content Decisions: VAGUE

ACKNOWLEDGEMENT: The ChangeLog-1.0.5 file, dated 2001-04-22, says
"Point to pnm/saned security risks".  There isn't any more
information, but CD:VAGUE suggests that even vulnerabilities that are
vaguely described by the vendor, should be included in CVE.

Voting Section
--------------
Possible votes: ACCEPT/MODIFY/NOOP/REVIEWING/RECAST/REJECT
If ACCEPT or MODIFY, include reason for acceptance:
  VERIFIED-BY-MY-ORG, ACKNOWLEDGED-BY-VENDOR, VERIFIED-BY-SOMEONE-I-TRUST,
  HAS-INDEPENDENT-CONFIRMATION, or provide other reason.

VOTE:
ACCEPT_REASON:

COMMENTS:

======================================================
Candidate: CAN-2001-1361
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2001-1361
Final-Decision:
Interim-Decision:
Modified:
Proposed: 20020611
Assigned: 20020607
Category: SF
Reference: CONFIRM:http://twig.screwdriver.net/file.php3?file=CHANGELOG
Reference: VULNWATCH:20010719 [VulnWatch] Changelog maddness (14 various broken apps)
Reference: URL:http://archives.neohapsis.com/archives/vulnwatch/2001-q3/0005.html

Vulnerability in The Web Information Gateway (TWIG) 2.7.1, possibly
related to incorrect security rights and/or the generation of mailto
links.

Analysis
----------------
ED_PRI CAN-2001-1361 3
Vendor Acknowledgement: yes changelog
Content Decisions: VAGUE

ACKNOWLEDGEMENT: The changelog for 2.7.1 says [1] "added security
rights to search module" and [2] "fixed bug in generating mailto links
not properly checking the security."  [1] seems like a security
enhancement, not a vulnerability, although perhaps it is an
enhancement that's designed to overcome a design flaw.

Voting Section
--------------
Possible votes: ACCEPT/MODIFY/NOOP/REVIEWING/RECAST/REJECT
If ACCEPT or MODIFY, include reason for acceptance:
  VERIFIED-BY-MY-ORG, ACKNOWLEDGED-BY-VENDOR, VERIFIED-BY-SOMEONE-I-TRUST,
  HAS-INDEPENDENT-CONFIRMATION, or provide other reason.

VOTE:
ACCEPT_REASON:

COMMENTS:

======================================================
Candidate: CAN-2001-1362
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2001-1362
Final-Decision:
Interim-Decision:
Modified:
Proposed: 20020611
Assigned: 20020607
Category: unknown
Reference: VULNWATCH:20010719 [VulnWatch] Changelog maddness (14 various broken apps)
Reference: URL:http://archives.neohapsis.com/archives/vulnwatch/2001-q3/0005.html
Reference: CONFIRM:http://freshmeat.net/releases/51981/

Vulnerability in the server for nPULSE before 0.53p4.

Analysis
----------------
ED_PRI CAN-2001-1362 3
Vendor Acknowledgement: yes changelog
Content Decisions: EX-BETA, VAGUE

INCLUSION: CD:VAGUE states that vaguely written security advisories
from vendors should still be included in CVE.

Voting Section
--------------
Possible votes: ACCEPT/MODIFY/NOOP/REVIEWING/RECAST/REJECT
If ACCEPT or MODIFY, include reason for acceptance:
  VERIFIED-BY-MY-ORG, ACKNOWLEDGED-BY-VENDOR, VERIFIED-BY-SOMEONE-I-TRUST,
  HAS-INDEPENDENT-CONFIRMATION, or provide other reason.

VOTE:
ACCEPT_REASON:

COMMENTS:

======================================================
Candidate: CAN-2001-1363
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2001-1363
Final-Decision:
Interim-Decision:
Modified:
Proposed: 20020611
Assigned: 20020607
Category: SF
Reference: CONFIRM:http://phpwebsite.appstate.edu/downloads/0.7.9/phpWebSite-en-0.7.9.tar.gz
Reference: VULNWATCH:20010719 [VulnWatch] Changelog maddness (14 various broken apps)
Reference: URL:http://archives.neohapsis.com/archives/vulnwatch/2001-q3/0005.html

Vulnerability in phpWebSite before 0.7.9 related to running multiple
instances in the same domain, which may allow attackers to gain
administrative privileges.

Analysis
----------------
ED_PRI CAN-2001-1363 3
Vendor Acknowledgement: yes changelog
Content Decisions: VAGUE

ACKNOWLEDGEMENT: The original poster quoted this phrase: "Minor
bugfixes, including a fix for a minor security flaw (only effects
sites running multiple instances of phpWebSite under a single
domain)."  That could not be found in the download, but the comments
for config.php are fairly clear, starting on line 118: "You need to
change this [security hash] to a random string, it can be any length
but longer is better. This fixes the security problem that occurs when
multiple instances of phpWebSite are installed under a single
domain. If you only have a single instance of phpWebSite per domain,
you need not worry about this fix - although setting the security hash
to a random string won't hurt :-)" There is a comparison "if
($admintest == $security_hash)" in various files, and admin.php
contains the comment "The seesion variable admintest is used to make
sure an administrator has logged in. If NOT then it calls the login()
function at the bottom of this switch statement."  Version 0.7.8 does
not have the $security_hash variable.

Voting Section
--------------
Possible votes: ACCEPT/MODIFY/NOOP/REVIEWING/RECAST/REJECT
If ACCEPT or MODIFY, include reason for acceptance:
  VERIFIED-BY-MY-ORG, ACKNOWLEDGED-BY-VENDOR, VERIFIED-BY-SOMEONE-I-TRUST,
  HAS-INDEPENDENT-CONFIRMATION, or provide other reason.

VOTE:
ACCEPT_REASON:

COMMENTS:

======================================================
Candidate: CAN-2001-1364
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2001-1364
Final-Decision:
Interim-Decision:
Modified:
Proposed: 20020611
Assigned: 20020607
Category: SF
Reference: VULNWATCH:20010719 [VulnWatch] Changelog maddness (14 various broken apps)
Reference: URL:http://archives.neohapsis.com/archives/vulnwatch/2001-q3/0005.html
Reference: CONFIRM:ftp://ftp.earth.li/pub/projectpurple/autodns-0.0.4.tar.gz

Vulnerability in autodns.pl for AutoDNS before 0.0.4 related to domain
names that are not fully qualified.

Analysis
----------------
ED_PRI CAN-2001-1364 3
Vendor Acknowledgement: yes changelog
Content Decisions: VAGUE, EX-BETA

ACKNOWLEDGEMENT: the original discloser quotes a statement from the
vendor, "Minor security fixes in terms of checking of domain names,
and locking of file access."  A diff between autodns-0.0.3 and
autodns-0.0.4 does not make it clear what the nature of an exploit
might be, though it may be related to zone entries that do not have at
least one valid "." in them.  The valid_domain() function, new in
0.0.4, clearly checks that domain names end in .org, .com, etc. (some
sort of .ZONE), whereas the check in 0.0.3 did not go to this level,
although it did at least verify that the domain contained only
alphanumeric characters, periods, and hyhens.

Voting Section
--------------
Possible votes: ACCEPT/MODIFY/NOOP/REVIEWING/RECAST/REJECT
If ACCEPT or MODIFY, include reason for acceptance:
  VERIFIED-BY-MY-ORG, ACKNOWLEDGED-BY-VENDOR, VERIFIED-BY-SOMEONE-I-TRUST,
  HAS-INDEPENDENT-CONFIRMATION, or provide other reason.

VOTE:
ACCEPT_REASON:

COMMENTS:

======================================================
Candidate: CAN-2001-1365
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2001-1365
Final-Decision:
Interim-Decision:
Modified:
Proposed: 20020611
Assigned: 20020607
Category: unknown
Reference: VULNWATCH:20010719 [VulnWatch] Changelog maddness (14 various broken apps)
Reference: URL:http://archives.neohapsis.com/archives/vulnwatch/2001-q3/0005.html
Reference: CONFIRM:http://archives.neohapsis.com/archives/apps/freshmeat/2001-07/0011.html

Vulnerability in IntraGnat before 1.4.

Analysis
----------------
ED_PRI CAN-2001-1365 3
Vendor Acknowledgement: yes changelog
Content Decisions: VAGUE

ACKNOWLEDGEMENT: the vendor web site is down, and apparently the
product has been discontinued.  However, a change notice to Freshmeat
for version 1.4 says "A security update was added."  This implies that
*some* vulnerability was fixed.  By CD:VAGUE, even this vague
notification is good enough to be included in CVE, since it comes from
the vendor.

Voting Section
--------------
Possible votes: ACCEPT/MODIFY/NOOP/REVIEWING/RECAST/REJECT
If ACCEPT or MODIFY, include reason for acceptance:
  VERIFIED-BY-MY-ORG, ACKNOWLEDGED-BY-VENDOR, VERIFIED-BY-SOMEONE-I-TRUST,
  HAS-INDEPENDENT-CONFIRMATION, or provide other reason.

VOTE:
ACCEPT_REASON:

COMMENTS:

======================================================
Candidate: CAN-2001-1366
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2001-1366
Final-Decision:
Interim-Decision:
Modified:
Proposed: 20020611
Assigned: 20020607
Category: SF
Reference: VULNWATCH:20010719 [VulnWatch] Changelog maddness (14 various broken apps)
Reference: URL:http://archives.neohapsis.com/archives/vulnwatch/2001-q3/0005.html
Reference: CONFIRM:http://netscript.sourceforge.net/netscript-1.6.2.tgz

netscript before 1.6.3 parses dynamic variables, which could allow
remote attackers to alter program behavior or obtain sensitive
information.

Analysis
----------------
ED_PRI CAN-2001-1366 3
Vendor Acknowledgement: yes changelog
Content Decisions: VAGUE

ACKNOWLEDGEMENT: The ChangeLog in version 1.6.3 says: "Changed support
of parsing remote data, to not parse dynamic variables. this will
remove some funcationality. but, it is much more of a security risk to
disclose, or use dynamic variables via remote input."

Voting Section
--------------
Possible votes: ACCEPT/MODIFY/NOOP/REVIEWING/RECAST/REJECT
If ACCEPT or MODIFY, include reason for acceptance:
  VERIFIED-BY-MY-ORG, ACKNOWLEDGED-BY-VENDOR, VERIFIED-BY-SOMEONE-I-TRUST,
  HAS-INDEPENDENT-CONFIRMATION, or provide other reason.

VOTE:
ACCEPT_REASON:

COMMENTS:

======================================================
Candidate: CAN-2001-1368
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2001-1368
Final-Decision:
Interim-Decision:
Modified:
Proposed: 20020611
Assigned: 20020607
Category: SF
Reference: HP:HPSBUX0106-152
Reference: URL:http://archives.neohapsis.com/archives/hp/2001-q2/0059.html
Reference: XF:hp-virtualvault-iws-corrupt-data(6697)
Reference: URL:http://xforce.iss.net/static/6697.php

Vulnerability in iPlanet Web Server 4 included in Virtualvault
Operating System (VVOS) 4.0 running HP-UX 11.04 could allow attackers
to corrupt data.

Analysis
----------------
ED_PRI CAN-2001-1368 3
Vendor Acknowledgement: yes advisory
Content Decisions: VAGUE

ABSTRACTION/INCLUSION: HP:HPSBUX0106-152 may already address
CAN-2001-0431, CAN-2001-0746, or CAN-2001-0747, but the advisory is so
vague that it cannot be certain.  The advisory only refers to "a"
vulnerability and not multiple vulnerabilities, so it clearly only
addresses one of the pre-existing CANs, at most.  It is safest to
create a separate item.  This is a good poster child for CD:VAGUE.

Voting Section
--------------
Possible votes: ACCEPT/MODIFY/NOOP/REVIEWING/RECAST/REJECT
If ACCEPT or MODIFY, include reason for acceptance:
  VERIFIED-BY-MY-ORG, ACKNOWLEDGED-BY-VENDOR, VERIFIED-BY-SOMEONE-I-TRUST,
  HAS-INDEPENDENT-CONFIRMATION, or provide other reason.

VOTE:
ACCEPT_REASON:

COMMENTS:

======================================================
Candidate: CAN-2001-1376
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2001-1376
Final-Decision:
Interim-Decision:
Modified:
Proposed: 20020611
Assigned: 20020611
Category: SF
Reference: BUGTRAQ:20011113 More problems with RADIUS (protocol and implementations)
Reference: URL:http://online.securityfocus.com/archive/1/239784
Reference: BUGTRAQ:20020305 SECURITY.NNOV: few vulnerabilities in multiple RADIUS implementations
Reference: URL:http://marc.theaimsgroup.com/?l=bugtraq&m=101537153021792&w=2
Reference: CERT:CA-2002-06
Reference: URL:http://www.cert.org/advisories/CA-2002-06.html
Reference: CERT-VN:VU#589523
Reference: URL:http://www.kb.cert.org/vuls/id/589523
Reference: SUSE:SuSE-SA:2002:013
Reference: URL:http://archives.neohapsis.com/archives/linux/suse/2002-q2/0362.html
Reference: CONECTIVA:CLA-2002:466
Reference: URL:http://distro.conectiva.com.br/atualizacoes/?id=a&anuncio=000466
Reference: REDHAT:RHSA-2002:030
Reference: URL:http://www.redhat.com/support/errata/RHSA-2002-030.html
Reference: BID:3530
Reference: URL:http://www.securityfocus.com/bid/3530
Reference: XF:radius-message-digest-bo(7534)

Buffer overflow in digest calculation function of multiple RADIUS
implementations allows remote attackers to cause a denial of service
and possibly execute arbitrary code via shared secret data.

Analysis
----------------
ED_PRI CAN-2001-1376 3
Vendor Acknowledgement: yes advisory
Content Decisions: SF-CODEBASE

ABSTRACTION: There are many RADIUS implementations with a common
codebase. While CD:SF-CODEBASE suggests that we SPLIT items for each
codebase, the history is complicated, and all (or most)
implementations are derived from the same one or two original
codebases.

Voting Section
--------------
Possible votes: ACCEPT/MODIFY/NOOP/REVIEWING/RECAST/REJECT
If ACCEPT or MODIFY, include reason for acceptance:
  VERIFIED-BY-MY-ORG, ACKNOWLEDGED-BY-VENDOR, VERIFIED-BY-SOMEONE-I-TRUST,
  HAS-INDEPENDENT-CONFIRMATION, or provide other reason.

VOTE:
ACCEPT_REASON:

COMMENTS:

======================================================
Candidate: CAN-2001-1377
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2001-1377
Final-Decision:
Interim-Decision:
Modified:
Proposed: 20020611
Assigned: 20020611
Category: SF
Reference: BUGTRAQ:20020305 SECURITY.NNOV: few vulnerabilities in multiple RADIUS implementations
Reference: URL:http://marc.theaimsgroup.com/?l=bugtraq&m=101537153021792&w=2
Reference: CERT-VN:VU#936683
Reference: URL:http://www.kb.cert.org/vuls/id/936683
Reference: CERT:CA-2002-06
Reference: URL:http://www.cert.org/advisories/CA-2002-06.html
Reference: FREEBSD:FreeBSD-SN-02:02
Reference: URL:ftp://ftp.freebsd.org/pub/FreeBSD/CERT/advisories/FreeBSD-SN-02:02.asc
Reference: REDHAT:RHSA-2002:030
Reference: URL:http://www.redhat.com/support/errata/RHSA-2002-030.html
Reference: SUSE:SuSE-SA:2002:013
Reference: URL:http://archives.neohapsis.com/archives/linux/suse/2002-q2/0362.html
Reference: CONECTIVA:CLA-2002:466
Reference: URL:http://distro.conectiva.com.br/atualizacoes/?id=a&anuncio=000466
Reference: XF:radius-vendor-attribute-dos(8354)
Reference: URL:http://www.iss.net/security_center/static/8354.php
Reference: BID:4230
Reference: URL:http://www.securityfocus.com/bid/4230

Multiple RADIUS implementations do not properly validate the
Vendor-Length of the Vendor-Specific attribute, which allows remote
attackers to cause a denial of service (crash) via a Vendor-Length
that is less than 2.

Analysis
----------------
ED_PRI CAN-2001-1377 3
Vendor Acknowledgement: yes advisory
Content Decisions: SF-CODEBASE

ABSTRACTION: There are many RADIUS implementations with a common
codebase. While CD:SF-CODEBASE suggests that we SPLIT items for each
codebase, the history is complicated, and all (or most)
implementations are derived from the same one or two original
codebases.

Voting Section
--------------
Possible votes: ACCEPT/MODIFY/NOOP/REVIEWING/RECAST/REJECT
If ACCEPT or MODIFY, include reason for acceptance:
  VERIFIED-BY-MY-ORG, ACKNOWLEDGED-BY-VENDOR, VERIFIED-BY-SOMEONE-I-TRUST,
  HAS-INDEPENDENT-CONFIRMATION, or provide other reason.

VOTE:
ACCEPT_REASON:

COMMENTS:
Next by Date: [PROPOSAL] Cluster RECENT-89 - 50 candidates
Next by thread: [PROPOSAL] Cluster RECENT-89 - 50 candidates
Index(es):
- Date
- Thread