
[PROPOSAL] Cluster RECENT-94 - 31 candidates



I am proposing cluster RECENT-94 for review and voting by the
Editorial Board.

Name: RECENT-94
Description: Misc. candidates, some from 2001 and most from April 2002
Size: 31

You may vote on candidates by modifying this email ballot and sending
it back to me, or by using the CVE voting web site.

The candidates are listed in order of priority.  Priority 1 and
Priority 2 candidates both deal with varying levels of vendor
confirmation, so they should be easy to review and it can be trusted
that the problems are real.

If you discover that any RECENT-XX cluster is incomplete with respect
to the problems discovered during the associated time frame, please
send that information to me so that candidates can be assigned.

- Steve







Summary of votes to use (in ascending order of "severity")
----------------------------------------------------------

ACCEPT - voter accepts the candidate as proposed
NOOP - voter has no opinion on the candidate
MODIFY - voter wants to change some MINOR detail (e.g. reference/description)
REVIEWING - voter is reviewing/researching the candidate, or needs more info
RECAST - candidate must be significantly modified, e.g. split or merged
REJECT - candidate is "not a vulnerability", or a duplicate, etc.

1) Please write your vote on the line that starts with "VOTE: ".  If
   you want to add comments or details, add them to lines after the
   VOTE: line.

2) If you see any missing references, please mention them so that they
   can be included.  References help greatly during mapping.

3) Note that a "MODIFY" is treated as an "ACCEPT" when counting votes.
   So if you don't have sufficient information for a candidate but you
   don't want to NOOP, use a REVIEWING.

********** NOTE ********** NOTE ********** NOTE ********** NOTE **********

Please keep in mind that your vote and comments will be recorded and
publicly viewable in the mailing list archives or in other formats.

======================================================
Candidate: CAN-2001-1378
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2001-1378
Final-Decision:
Interim-Decision:
Modified:
Proposed: 20020726
Assigned: 20020715
Category: SF
Reference: MISC:http://lists.ccil.org/pipermail/fetchmail-announce/2001-March/000015.html
Reference: REDHAT:RHSA-2001:103
Reference: URL:http://www.redhat.com/support/errata/RHSA-2001-103.html

fetchmailconf in fetchmail before 5.7.4 allows local users to
overwrite files of other users via a symlink attack on temporary
files.

Analysis
----------------
ED_PRI CAN-2001-1378 1
Vendor Acknowledgement: yes advisory

Voting Section
--------------
Possible votes: ACCEPT/MODIFY/NOOP/REVIEWING/RECAST/REJECT
If ACCEPT or MODIFY, include reason for acceptance:
  VERIFIED-BY-MY-ORG, ACKNOWLEDGED-BY-VENDOR, VERIFIED-BY-SOMEONE-I-TRUST,
  HAS-INDEPENDENT-CONFIRMATION, or provide other reason.

VOTE:
ACCEPT_REASON:

COMMENTS:

======================================================
Candidate: CAN-2001-1380
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2001-1380
Final-Decision:
Interim-Decision:
Modified:
Proposed: 20020726
Assigned: 20020725
Category: SF
Reference: BUGTRAQ:20011018 Immunix OS update for OpenSSH
Reference: BUGTRAQ:20011017 TSLSA-2001-0023 - OpenSSH
Reference: BUGTRAQ:20010926 OpenSSH Security Advisory (adv.option)
Reference: URL:http://marc.theaimsgroup.com/?l=bugtraq&m=100154541809940&w=2
Reference: BUGTRAQ:20011019 TSLSA-2001-0026 - OpenSSH
Reference: REDHAT:RHSA-2001:114
Reference: URL:http://rhn.redhat.com/errata/RHSA-2001-114.html
Reference: MANDRAKE:MDKSA-2001:081
Reference: URL:http://www.linux-mandrake.com/en/security/2001/MDKSA-2001-081.php

OpenSSH before 2.9.9, while using keypairs and multiple keys of
different types in the ~/.ssh/authorized_keys2 file, may not properly
handle the "from" option associated with a key, which could allow
remote attackers to log in from unauthorized IP addresses.

Analysis
----------------
ED_PRI CAN-2001-1380 1
Vendor Acknowledgement: yes advisory

Voting Section
--------------
Possible votes: ACCEPT/MODIFY/NOOP/REVIEWING/RECAST/REJECT
If ACCEPT or MODIFY, include reason for acceptance:
  VERIFIED-BY-MY-ORG, ACKNOWLEDGED-BY-VENDOR, VERIFIED-BY-SOMEONE-I-TRUST,
  HAS-INDEPENDENT-CONFIRMATION, or provide other reason.

VOTE:
ACCEPT_REASON:

COMMENTS:

======================================================
Candidate: CAN-2001-1382
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2001-1382
Final-Decision:
Interim-Decision:
Modified:
Proposed: 20020726
Assigned: 20020725
Category: SF
Reference: CONFIRM:http://www.openwall.com/Owl/CHANGES-stable.shtml

The "echo simulation" traffic analysis countermeasure in OpenSSH
before 2.9.9p2 sends an additional echo packet after the password and
carriage return is entered, which could allow remote attackers to
determine that the countermeasure is being used.

Analysis
----------------
ED_PRI CAN-2001-1382 1
Vendor Acknowledgement: yes advisory

Voting Section
--------------
Possible votes: ACCEPT/MODIFY/NOOP/REVIEWING/RECAST/REJECT
If ACCEPT or MODIFY, include reason for acceptance:
  VERIFIED-BY-MY-ORG, ACKNOWLEDGED-BY-VENDOR, VERIFIED-BY-SOMEONE-I-TRUST,
  HAS-INDEPENDENT-CONFIRMATION, or provide other reason.

VOTE:
ACCEPT_REASON:

COMMENTS:

======================================================
Candidate: CAN-2001-1383
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2001-1383
Final-Decision:
Interim-Decision:
Modified:
Proposed: 20020726
Assigned: 20020725
Category: SF
Reference: REDHAT:RHSA-2001:110
Reference: URL:http://rhn.redhat.com/errata/RHSA-2001-110.html
Reference: XF:linux-setserial-initscript-symlink(7177)
Reference: URL:http://www.iss.net/security_center/static/7177.php
Reference: BID:3367
Reference: URL:http://online.securityfocus.com/bid/3367

initscript in setserial 2.17-4 and earlier uses predictable temporary
file names, which could allow local users to conduct unauthorized
operations on files.

Analysis
----------------
ED_PRI CAN-2001-1383 1
Vendor Acknowledgement: yes advisory

Voting Section
--------------
Possible votes: ACCEPT/MODIFY/NOOP/REVIEWING/RECAST/REJECT
If ACCEPT or MODIFY, include reason for acceptance:
  VERIFIED-BY-MY-ORG, ACKNOWLEDGED-BY-VENDOR, VERIFIED-BY-SOMEONE-I-TRUST,
  HAS-INDEPENDENT-CONFIRMATION, or provide other reason.

VOTE:
ACCEPT_REASON:

COMMENTS:

======================================================
Candidate: CAN-2002-0014
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2002-0014
Final-Decision:
Interim-Decision:
Modified:
Proposed: 20020726
Assigned: 20020110
Category: SF
Reference: BUGTRAQ:20020105 Pine 4.33 (at least) URL handler allows embedded commands.
Reference: URL:http://marc.theaimsgroup.com/?l=bugtraq&m=101027841605918&w=2
Reference: REDHAT:RHSA-2002:009
Reference: URL:http://rhn.redhat.com/errata/RHSA-2002-009.html
Reference: ENGARDE:ESA-20020114-002
Reference: CONECTIVA:CLA-2002:460
Reference: FREEBSD:FreeBSD-SA-02:05
Reference: HP:HPSBTL0201-015
Reference: BID:3815
Reference: URL:http://online.securityfocus.com/bid/3815

URL-handling code in Pine 4.43 and earlier allows remote attackers to
execute arbitrary commands via a URL enclosed in single quotes and
containing shell metacharacters (&).

Analysis
----------------
ED_PRI CAN-2002-0014 1
Vendor Acknowledgement: yes advisory

Voting Section
--------------
Possible votes: ACCEPT/MODIFY/NOOP/REVIEWING/RECAST/REJECT
If ACCEPT or MODIFY, include reason for acceptance:
  VERIFIED-BY-MY-ORG, ACKNOWLEDGED-BY-VENDOR, VERIFIED-BY-SOMEONE-I-TRUST,
  HAS-INDEPENDENT-CONFIRMATION, or provide other reason.

VOTE:
ACCEPT_REASON:

COMMENTS:

======================================================
Candidate: CAN-2002-0687
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2002-0687
Final-Decision:
Interim-Decision:
Modified:
Proposed: 20020726
Assigned: 20020712
Category: SF
Reference: CONFIRM:http://www.zope.org/Products/Zope/Hotfix_2002-04-15/security_alert

The "through the web code" capability for Zope 2.0 through 2.5.1 b1
allows untrusted users to shut down the Zope server via certain
headers.

Analysis
----------------
ED_PRI CAN-2002-0687 1
Vendor Acknowledgement: yes advisory

Voting Section
--------------
Possible votes: ACCEPT/MODIFY/NOOP/REVIEWING/RECAST/REJECT
If ACCEPT or MODIFY, include reason for acceptance:
  VERIFIED-BY-MY-ORG, ACKNOWLEDGED-BY-VENDOR, VERIFIED-BY-SOMEONE-I-TRUST,
  HAS-INDEPENDENT-CONFIRMATION, or provide other reason.

VOTE:
ACCEPT_REASON:

COMMENTS:

======================================================
Candidate: CAN-2002-0733
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2002-0733
Final-Decision:
Interim-Decision:
Modified:
Proposed: 20020726
Assigned: 20020725
Category: SF
Reference: VULNWATCH:20020417 Smalls holes on 5 products #1
Reference: URL:http://archives.neohapsis.com/archives/vuln-dev/2002-q2/0155.html
Reference: CONFIRM:http://www.acme.com/software/thttpd/#releasenotes
Reference: MISC:http://www.ifrance.com/kitetoua/tuto/5holes1.txt
Reference: XF:thttpd-error-page-css(9029)
Reference: URL:http://www.iss.net/security_center/static/9029.php
Reference: BID:4601
Reference: URL:http://www.securityfocus.com/bid/4601

Cross-site scripting vulnerability in thttpd 2.20 and earlier allows
remote attackers to execute arbitrary script via a URL to a
nonexistent page, which causes thttpd to insert the script into a 404
error message.

Analysis
----------------
ED_PRI CAN-2002-0733 1
Vendor Acknowledgement: yes changelog

ACKNOWLEDGEMENT: In the release notes for 2.21, the vendor states
"Fixed cross-site scripting bug relating to the built-in error pages."

Voting Section
--------------
Possible votes: ACCEPT/MODIFY/NOOP/REVIEWING/RECAST/REJECT
If ACCEPT or MODIFY, include reason for acceptance:
  VERIFIED-BY-MY-ORG, ACKNOWLEDGED-BY-VENDOR, VERIFIED-BY-SOMEONE-I-TRUST,
  HAS-INDEPENDENT-CONFIRMATION, or provide other reason.

VOTE:
ACCEPT_REASON:

COMMENTS:

======================================================
Candidate: CAN-2002-0736
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2002-0736
Final-Decision:
Interim-Decision:
Modified:
Proposed: 20020726
Assigned: 20020725
Category: SF
Reference: BUGTRAQ:20020416 Back Office Web Administrator Authentication Bypass (#NISR17042002A)
Reference: URL:http://archives.neohapsis.com/archives/bugtraq/2002-04/0208.html
Reference: MSKB:Q316838
Reference: URL:http://support.microsoft.com/support/kb/articles/q316/8/38.asp
Reference: BID:4528
Reference: URL:http://www.securityfocus.com/bid/4528
Reference: XF:backoffice-bypass-authentication(8862)
Reference: URL:http://www.iss.net/security_center/static/8862.php

Microsoft BackOffice 4.0 and 4.5, when configured to be accessible by
other systems, allows remote attackers to bypass authentication and
access the administrative ASP pages via an HTTP request with an
authorization type (auth_type) that is not blank.

Analysis
----------------
ED_PRI CAN-2002-0736 1
Vendor Acknowledgement: yes advisory

Voting Section
--------------
Possible votes: ACCEPT/MODIFY/NOOP/REVIEWING/RECAST/REJECT
If ACCEPT or MODIFY, include reason for acceptance:
  VERIFIED-BY-MY-ORG, ACKNOWLEDGED-BY-VENDOR, VERIFIED-BY-SOMEONE-I-TRUST,
  HAS-INDEPENDENT-CONFIRMATION, or provide other reason.

VOTE:
ACCEPT_REASON:

COMMENTS:

======================================================
Candidate: CAN-2002-0737
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2002-0737
Final-Decision:
Interim-Decision:
Modified:
Proposed: 20020726
Assigned: 20020725
Category: SF
Reference: BUGTRAQ:20020417 KPMG-2002012: Sambar Webserver Serverside Fileparse Bypass
Reference: URL:http://online.securityfocus.com/archive/1/268121
Reference: VULNWATCH:20020417 [VulnWatch] KPMG-2002012: Sambar Webserver Serverside Fileparse Bypass
Reference: URL:http://archives.neohapsis.com/archives/vulnwatch/2002-q2/0026.html
Reference: CONFIRM:http://www.sambar.com/security.htm
Reference: XF:sambar-script-source-disclosure(8876)
Reference: URL:http://www.iss.net/security_center/static/8876.php
Reference: BID:4533
Reference: URL:http://www.securityfocus.com/bid/4533

Sambar web server before 5.2 beta 1 allows remote attackers to obtain
source code of server-side scripts, or cause a denial of service
(resource exhaustion) via DOS devices, using a URL that ends with a
space and a null character.

Analysis
----------------
ED_PRI CAN-2002-0737 1
Vendor Acknowledgement: yes

ACKNOWLEDGEMENT: on the security page, last updated the day after the
initial disclosure, the vendor states that "All releases prior to the
5.2 beta 1 release are vulnerable to having the source code associated
with CGI scripts and JSP files exposed via an URL sequence."

Voting Section
--------------
Possible votes: ACCEPT/MODIFY/NOOP/REVIEWING/RECAST/REJECT
If ACCEPT or MODIFY, include reason for acceptance:
  VERIFIED-BY-MY-ORG, ACKNOWLEDGED-BY-VENDOR, VERIFIED-BY-SOMEONE-I-TRUST,
  HAS-INDEPENDENT-CONFIRMATION, or provide other reason.

VOTE:
ACCEPT_REASON:

COMMENTS:

======================================================
Candidate: CAN-2002-0738
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2002-0738
Final-Decision:
Interim-Decision:
Modified:
Proposed: 20020726
Assigned: 20020725
Category: SF
Reference: BUGTRAQ:20020418 MHonArc v2.5.2 Script Filtering Bypass Vulnerability
Reference: URL:http://archives.neohapsis.com/archives/bugtraq/2002-04/0260.html
Reference: CONFIRM:http://www.mhonarc.org/MHonArc/CHANGES
Reference: XF:mhonarc-script-filtering-bypass(8894)
Reference: URL:http://www.iss.net/security_center/static/8894.php
Reference: BID:4546
Reference: URL:http://www.securityfocus.com/bid/4546

MHonArc 2.5.2 and earlier does not properly filter Javascript from
archived e-mail messages, which could allow remote attackers to
execute script in web clients by (1) splitting the SCRIPT tag into
smaller pieces, (2) including the script in a SRC argument to an IMG
tag, or (3) using "&={script}" syntax.

Analysis
----------------
ED_PRI CAN-2002-0738 1
Vendor Acknowledgement: yes changelog

ACKNOWLEDGEMENT: In the changelog for 2002/04/18 (version 2.5.3), the
vendor states "Beefed up HTML filtering in mhtxthtml.pl to eliminate
some security exploits" and credits the Bugtraq researchers.

Voting Section
--------------
Possible votes: ACCEPT/MODIFY/NOOP/REVIEWING/RECAST/REJECT
If ACCEPT or MODIFY, include reason for acceptance:
  VERIFIED-BY-MY-ORG, ACKNOWLEDGED-BY-VENDOR, VERIFIED-BY-SOMEONE-I-TRUST,
  HAS-INDEPENDENT-CONFIRMATION, or provide other reason.

VOTE:
ACCEPT_REASON:

COMMENTS:

======================================================
Candidate: CAN-2002-0748
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2002-0748
Final-Decision:
Interim-Decision:
Modified:
Proposed: 20020726
Assigned: 20020725
Category: SF
Reference: BUGTRAQ:20020423 LabVIEW Web Server DoS Vulnerability
Reference: URL:http://archives.neohapsis.com/archives/bugtraq/2002-04/0323.html
Reference: CONFIRM:http://digital.ni.com/public.nsf/websearch/4C3F86E655E5389886256BA00064B22F?OpenDocument
Reference: XF:labview-http-get-dos(8919)
Reference: URL:http://www.iss.net/security_center/static/8919.php
Reference: BID:4577
Reference: URL:http://www.securityfocus.com/bid/4577

LabVIEW Web Server 5.1.1 through 6.1 allows remote attackers to cause
a denial of service (crash) via an HTTP GET request that ends in two
newline characters, instead of the expected carriage return/newline
combinations.

Analysis
----------------
ED_PRI CAN-2002-0748 1
Vendor Acknowledgement: yes

Voting Section
--------------
Possible votes: ACCEPT/MODIFY/NOOP/REVIEWING/RECAST/REJECT
If ACCEPT or MODIFY, include reason for acceptance:
  VERIFIED-BY-MY-ORG, ACKNOWLEDGED-BY-VENDOR, VERIFIED-BY-SOMEONE-I-TRUST,
  HAS-INDEPENDENT-CONFIRMATION, or provide other reason.

VOTE:
ACCEPT_REASON:

COMMENTS:

======================================================
Candidate: CAN-2002-0754
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2002-0754
Final-Decision:
Interim-Decision:
Modified:
Proposed: 20020726
Assigned: 20020725
Category: SF
Reference: FREEBSD:FreeBSD-SA-02:07
Reference: URL:ftp://ftp.freebsd.org/pub/FreeBSD/CERT/advisories/FreeBSD-SA-02:07.k5su.asc
Reference: BID:3919
Reference: URL:http://www.securityfocus.com/bid/3919
Reference: XF:kerberos5-k5su-elevate-privileges(7956)
Reference: URL:http://www.iss.net/security_center/static/7956.php

Kerberos 5 su (k5su) in FreeBSD 4.4 and earlier relies on the getlogin
system call to determine if the user running k5su is root, which could
allow an unprivileged process to gain privileges if that process has a
getlogin as root.

Analysis
----------------
ED_PRI CAN-2002-0754 1
Vendor Acknowledgement: yes advisory

Voting Section
--------------
Possible votes: ACCEPT/MODIFY/NOOP/REVIEWING/RECAST/REJECT
If ACCEPT or MODIFY, include reason for acceptance:
  VERIFIED-BY-MY-ORG, ACKNOWLEDGED-BY-VENDOR, VERIFIED-BY-SOMEONE-I-TRUST,
  HAS-INDEPENDENT-CONFIRMATION, or provide other reason.

VOTE:
ACCEPT_REASON:

COMMENTS:

======================================================
Candidate: CAN-2002-0741
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2002-0741
Final-Decision:
Interim-Decision:
Modified:
Proposed: 20020726
Assigned: 20020725
Category: SF
Reference: BUGTRAQ:20020423 PsyBNC Remote Dos POC
Reference: URL:http://online.securityfocus.com/archive/1/269131
Reference: BUGTRAQ:20020422 Re: psyBNC 2.3 DoS / Bug
Reference: URL:http://archives.neohapsis.com/archives/bugtraq/2002-04/0322.html
Reference: BID:4570
Reference: URL:http://www.securityfocus.com/bid/4570
Reference: XF:psybnc-long-password-dos(8912)
Reference: URL:http://www.iss.net/security_center/static/8912.php

psyBNC 2.3 allows remote attackers to cause a denial of service (CPU
consumption and resource exhaustion) by sending a PASS command with a
long password argument and quickly killing the connection, which is
not properly terminated by psyBNC.

Analysis
----------------
ED_PRI CAN-2002-0741 2
Vendor Acknowledgement: yes followup

Voting Section
--------------
Possible votes: ACCEPT/MODIFY/NOOP/REVIEWING/RECAST/REJECT
If ACCEPT or MODIFY, include reason for acceptance:
  VERIFIED-BY-MY-ORG, ACKNOWLEDGED-BY-VENDOR, VERIFIED-BY-SOMEONE-I-TRUST,
  HAS-INDEPENDENT-CONFIRMATION, or provide other reason.

VOTE:
ACCEPT_REASON:

COMMENTS:

======================================================
Candidate: CAN-2001-0890
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2001-0890
Final-Decision:
Interim-Decision:
Modified:
Proposed: 20020726
Assigned: 20011221
Category:
Reference: REDHAT:RHSA-2001:171
Reference: URL:http://rhn.redhat.com/errata/RHSA-2001-171.html
Reference: BID:3987
Reference: URL:http://online.securityfocus.com/bid/3987
Reference: XF:xsane-temp-symlink(7714)
Reference: URL:http://www.iss.net/security_center/static/7714.php

Certain backend drivers in the SANE library 1.0.3 and earlier, as used
in frontend software such as XSane, allow local users to modify files
via a symlink attack on temporary files.

Analysis
----------------
ED_PRI CAN-2001-0890 3
Vendor Acknowledgement: yes advisory
Content Decisions: SF-CODEBASE

ABSTRACTION/INCLUSION: this is NOT a duplicate of CVE-2001-0887,
although there are close relationships.  SANE is a different codebase
than XSane; XSane is a front end for SANE; but they are different
products offered by different developers, so these issues are SPLIT.

Voting Section
--------------
Possible votes: ACCEPT/MODIFY/NOOP/REVIEWING/RECAST/REJECT
If ACCEPT or MODIFY, include reason for acceptance:
  VERIFIED-BY-MY-ORG, ACKNOWLEDGED-BY-VENDOR, VERIFIED-BY-SOMEONE-I-TRUST,
  HAS-INDEPENDENT-CONFIRMATION, or provide other reason.

VOTE:
ACCEPT_REASON:

COMMENTS:

======================================================
Candidate: CAN-2001-1379
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2001-1379
Final-Decision:
Interim-Decision:
Modified:
Proposed: 20020726
Assigned: 20020725
Category: SF
Reference: BUGTRAQ:20010829 RUS-CERT Advisory 2001-08:01
Reference: URL:http://marc.theaimsgroup.com/?l=bugtraq&m=99911895901812&w=2
Reference: VULNWATCH:20010829 [VulnWatch] RUS-CERT Advisory 2001-08:01
Reference: URL:http://archives.neohapsis.com/archives/vulnwatch/2001-q3/0040.html
Reference: FREEBSD:FreeBSD-SA-02:03
Reference: URL:ftp://ftp.freebsd.org/pub/FreeBSD/CERT/advisories/FreeBSD-SA-02:03.mod_auth_pgsql.asc
Reference: CONECTIVA:CLA-2001:427
Reference: URL:http://distro.conectiva.com.br/atualizacoes/?id=a&anuncio=000427
Reference: REDHAT:RHSA-2001:124
Reference: URL:http://rhn.redhat.com/errata/RHSA-2001-124.html
Reference: XF:apache-postgresql-authentication-module(7054)
Reference: URL:http://www.iss.net/security_center/static/7054.php
Reference: BID:3251
Reference: URL:http://online.securityfocus.com/bid/3251
Reference: BID:3253
Reference: XF:apache-postgresqlsys-authentication-module(7059)

The PostgreSQL authentication modules (1) mod_auth_pgsql 0.9.5, and
(2) mod_auth_pgsql_sys 0.9.4, allow remote attackers to bypass
authentication and execute arbitrary SQL via a SQL injection attack on
the user name.

Analysis
----------------
ED_PRI CAN-2001-1379 3
Vendor Acknowledgement: yes advisory
Content Decisions: SF-CODEBASE

ABSTRACTION: mod_auth_pgsql and mod_auth_pgsql_sys were by the same
authors, which suggests a common codebase. So, CD:SF-CODEBASE suggests
a MERGE.

Voting Section
--------------
Possible votes: ACCEPT/MODIFY/NOOP/REVIEWING/RECAST/REJECT
If ACCEPT or MODIFY, include reason for acceptance:
  VERIFIED-BY-MY-ORG, ACKNOWLEDGED-BY-VENDOR, VERIFIED-BY-SOMEONE-I-TRUST,
  HAS-INDEPENDENT-CONFIRMATION, or provide other reason.

VOTE:
ACCEPT_REASON:

COMMENTS:

======================================================
Candidate: CAN-2002-0730
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2002-0730
Final-Decision:
Interim-Decision:
Modified:
Proposed: 20020726
Assigned: 20020725
Category: SF
Reference: BUGTRAQ:20020421 Philip Chinery's Guestbook 1.1 fails to filter out js/html
Reference: URL:http://archives.neohapsis.com/archives/bugtraq/2002-04/0309.html
Reference: XF:guestbook-pl-css(8916)
Reference: URL:http://www.iss.net/security_center/static/8916.php
Reference: BID:4566
Reference: URL:http://www.securityfocus.com/bid/4566

Cross-site scripting vulnerability in guestbook.pl for Philip
Chinery's Guestbook 1.1 allows remote attackers to execute Javascript
or HTML via fields such as (1) Name, (2) EMail, or (3) Homepage.

Analysis
----------------
ED_PRI CAN-2002-0730 3
Vendor Acknowledgement: unknown
Content Decisions: SF-LOC

Voting Section
--------------
Possible votes: ACCEPT/MODIFY/NOOP/REVIEWING/RECAST/REJECT
If ACCEPT or MODIFY, include reason for acceptance:
  VERIFIED-BY-MY-ORG, ACKNOWLEDGED-BY-VENDOR, VERIFIED-BY-SOMEONE-I-TRUST,
  HAS-INDEPENDENT-CONFIRMATION, or provide other reason.

VOTE:
ACCEPT_REASON:

COMMENTS:

======================================================
Candidate: CAN-2002-0731
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2002-0731
Final-Decision:
Interim-Decision:
Modified:
Proposed: 20020726
Assigned: 20020725
Category: SF
Reference: BUGTRAQ:20020421 vqServer Demo Files Cross-Site Scripting
Reference: URL:http://archives.neohapsis.com/archives/bugtraq/2002-04/0313.html
Reference: XF:vqserver-samples-css(8935)
Reference: URL:http://www.iss.net/security_center/static/8935.php
Reference: BID:4573
Reference: URL:http://www.securityfocus.com/bid/4573

Cross-site scripting vulnerability in demonstration scripts for
vqServer allows remote attackers to execute arbitrary script via a
link that contains the script in arguments to demo scripts such as
respond.pl.

Analysis
----------------
ED_PRI CAN-2002-0731 3
Vendor Acknowledgement:
Content Decisions: SF-EXEC

Voting Section
--------------
Possible votes: ACCEPT/MODIFY/NOOP/REVIEWING/RECAST/REJECT
If ACCEPT or MODIFY, include reason for acceptance:
  VERIFIED-BY-MY-ORG, ACKNOWLEDGED-BY-VENDOR, VERIFIED-BY-SOMEONE-I-TRUST,
  HAS-INDEPENDENT-CONFIRMATION, or provide other reason.

VOTE:
ACCEPT_REASON:

COMMENTS:

======================================================
Candidate: CAN-2002-0732
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2002-0732
Final-Decision:
Interim-Decision:
Modified:
Proposed: 20020726
Assigned: 20020725
Category: SF
Reference: BUGTRAQ:20020430 Levcgi.coms MyGuestbook JavaScript Injection Vulnerability
Reference: URL:http://archives.neohapsis.com/archives/bugtraq/2002-04/0422.html
Reference: CONFIRM:http://www.levcgi.com/programs.cgi?program=myguestbook&action=history
Reference: XF:myguestbook-cgi-css(8968)
Reference: URL:http://www.iss.net/security_center/static/8968.php
Reference: BID:4651
Reference: URL:http://www.securityfocus.com/bid/4651

Cross-site scripting vulnerability in MyGuestbook 1.0 allows remote
attackers to execute arbitrary script or inject HTML via fields such
as (1) user name or (2) comments.

Analysis
----------------
ED_PRI CAN-2002-0732 3
Vendor Acknowledgement: yes changelog
Content Decisions: SF-LOC

ACKNOWLEDGEMENT: in the history file for 1.1 released May 03, 2002,
the vendor states that the new version "prevents any javascript from
being posted" and "prevents HTML being used in the name field."

Voting Section
--------------
Possible votes: ACCEPT/MODIFY/NOOP/REVIEWING/RECAST/REJECT
If ACCEPT or MODIFY, include reason for acceptance:
  VERIFIED-BY-MY-ORG, ACKNOWLEDGED-BY-VENDOR, VERIFIED-BY-SOMEONE-I-TRUST,
  HAS-INDEPENDENT-CONFIRMATION, or provide other reason.

VOTE:
ACCEPT_REASON:

COMMENTS:

======================================================
Candidate: CAN-2002-0739
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2002-0739
Final-Decision:
Interim-Decision:
Modified:
Proposed: 20020726
Assigned: 20020725
Category: SF
Reference: BUGTRAQ:20020420 Vulnerability in PostCalendar
Reference: URL:http://archives.neohapsis.com/archives/bugtraq/2002-04/0288.html
Reference: BID:4563
Reference: URL:http://www.securityfocus.com/bid/4563
Reference: XF:postcalendar-calendar-event-css(8899)
Reference: URL:http://www.iss.net/security_center/static/8899.php

Cross-site scripting in PostCalendar 3.02 allows remote attackers to
insert arbitrary HTML and script, and steal cookies, by modifying a
calendar entry in its preview page.

Analysis
----------------
ED_PRI CAN-2002-0739 3
Vendor Acknowledgement: unknown discloser-claimed

Voting Section
--------------
Possible votes: ACCEPT/MODIFY/NOOP/REVIEWING/RECAST/REJECT
If ACCEPT or MODIFY, include reason for acceptance:
  VERIFIED-BY-MY-ORG, ACKNOWLEDGED-BY-VENDOR, VERIFIED-BY-SOMEONE-I-TRUST,
  HAS-INDEPENDENT-CONFIRMATION, or provide other reason.

VOTE:
ACCEPT_REASON:

COMMENTS:

======================================================
Candidate: CAN-2002-0740
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2002-0740
Final-Decision:
Interim-Decision:
Modified:
Proposed: 20020726
Assigned: 20020725
Category: SF
Reference: BUGTRAQ:20020422 Slrnpull Buffer Overflow (-d parameter)
Reference: URL:http://archives.neohapsis.com/archives/bugtraq/2002-04/0302.html
Reference: BUGTRAQ:20020425 slrnpull -d PoC
Reference: URL:http://online.securityfocus.com/archive/1/269667
Reference: BUGTRAQ:20020430 Re: Slrnpull Buffer Overflow (-d parameter)
Reference: URL:http://online.securityfocus.com/archive/1/270235
Reference: XF:slrnpull-d-spooldir-bo(8910)
Reference: URL:http://www.iss.net/security_center/static/8910.php
Reference: BID:4569
Reference: URL:http://www.securityfocus.com/bid/4569

Buffer overflow in slrnpull for the SLRN package, when installed
setuid or setgid, allows local users to gain privileges via a long -d
(SPOOLDIR) argument.

Analysis
----------------
ED_PRI CAN-2002-0740 3
Vendor Acknowledgement: no disputed

Voting Section
--------------
Possible votes: ACCEPT/MODIFY/NOOP/REVIEWING/RECAST/REJECT
If ACCEPT or MODIFY, include reason for acceptance:
  VERIFIED-BY-MY-ORG, ACKNOWLEDGED-BY-VENDOR, VERIFIED-BY-SOMEONE-I-TRUST,
  HAS-INDEPENDENT-CONFIRMATION, or provide other reason.

VOTE:
ACCEPT_REASON:

COMMENTS:

======================================================
Candidate: CAN-2002-0742
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2002-0742
Final-Decision:
Interim-Decision:
Modified:
Proposed: 20020726
Assigned: 20020725
Category: SF
Reference: AIXAPAR:IY28880
Reference: URL:http://archives.neohapsis.com/archives/aix/2002-q2/0005.html

Buffer overflow in pioout on AIX 4.3.3.

Analysis
----------------
ED_PRI CAN-2002-0742 3
Vendor Acknowledgement: yes
Content Decisions: VAGUE

INCLUSION: this APAR description is too vague to be absolutely certain
that it is a different issue than the pioout buffer overflow that is
identified in CVE-2000-1123; however, that issue has its own APAR, so
there is enough other evidence that the issues are different.

Voting Section
--------------
Possible votes: ACCEPT/MODIFY/NOOP/REVIEWING/RECAST/REJECT
If ACCEPT or MODIFY, include reason for acceptance:
  VERIFIED-BY-MY-ORG, ACKNOWLEDGED-BY-VENDOR, VERIFIED-BY-SOMEONE-I-TRUST,
  HAS-INDEPENDENT-CONFIRMATION, or provide other reason.

VOTE:
ACCEPT_REASON:

COMMENTS:

======================================================
Candidate: CAN-2002-0743
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2002-0743
Final-Decision:
Interim-Decision:
Modified:
Proposed: 20020726
Assigned: 20020725
Category: SF
Reference: AIXAPAR:IY29516
Reference: URL:http://archives.neohapsis.com/archives/aix/2002-q2/0005.html

mail and mailx in AIX 4.3.3 core dump when called with a very long
argument, an indication of a buffer overflow.

Analysis
----------------
ED_PRI CAN-2002-0743 3
Vendor Acknowledgement: yes
Content Decisions: VAGUE

INCLUSION: this APAR description is too vague to be absolutely certain
that it is a buffer overflow. In addition, there is insufficient
information to know if it's addressing a previously identified
vulnerability such as CAN-2002-0041, CVE-2001-0565, or CAN-2000-0545.

Voting Section
--------------
Possible votes: ACCEPT/MODIFY/NOOP/REVIEWING/RECAST/REJECT
If ACCEPT or MODIFY, include reason for acceptance:
  VERIFIED-BY-MY-ORG, ACKNOWLEDGED-BY-VENDOR, VERIFIED-BY-SOMEONE-I-TRUST,
  HAS-INDEPENDENT-CONFIRMATION, or provide other reason.

VOTE:
ACCEPT_REASON:

COMMENTS:

======================================================
Candidate: CAN-2002-0744
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2002-0744
Final-Decision:
Interim-Decision:
Modified:
Proposed: 20020726
Assigned: 20020725
Category: SF
Reference: AIXAPAR:IY29517
Reference: URL:http://archives.neohapsis.com/archives/aix/2002-q2/0005.html

namerslv in AIX 4.3.3 core dumps when called with a very long
argument, possibly as a result of a buffer overflow.

Analysis
----------------
ED_PRI CAN-2002-0744 3
Vendor Acknowledgement: yes
Content Decisions: VAGUE

This APAR description is too vague to be absolutely certain that it is
a buffer overflow.

Voting Section
--------------
Possible votes: ACCEPT/MODIFY/NOOP/REVIEWING/RECAST/REJECT
If ACCEPT or MODIFY, include reason for acceptance:
  VERIFIED-BY-MY-ORG, ACKNOWLEDGED-BY-VENDOR, VERIFIED-BY-SOMEONE-I-TRUST,
  HAS-INDEPENDENT-CONFIRMATION, or provide other reason.

VOTE:
ACCEPT_REASON:

COMMENTS:

======================================================
Candidate: CAN-2002-0745
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2002-0745
Final-Decision:
Interim-Decision:
Modified:
Proposed: 20020726
Assigned: 20020725
Category: SF
Reference: AIXAPAR:IY29518
Reference: URL:http://archives.neohapsis.com/archives/aix/2002-q2/0005.html

Buffer overflow in uucp in AIX 4.3.3.

Analysis
----------------
ED_PRI CAN-2002-0745 3
Vendor Acknowledgement: yes
Content Decisions: VAGUE

INCLUSION/ABSTRACTION: There is insufficient information to know
whether this is the same issue as CAN-2001-1164, which itself is
described in a vague advisory.

Voting Section
--------------
Possible votes: ACCEPT/MODIFY/NOOP/REVIEWING/RECAST/REJECT
If ACCEPT or MODIFY, include reason for acceptance:
  VERIFIED-BY-MY-ORG, ACKNOWLEDGED-BY-VENDOR, VERIFIED-BY-SOMEONE-I-TRUST,
  HAS-INDEPENDENT-CONFIRMATION, or provide other reason.

VOTE:
ACCEPT_REASON:

COMMENTS:

======================================================
Candidate: CAN-2002-0746
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2002-0746
Final-Decision:
Interim-Decision:
Modified:
Proposed: 20020726
Assigned: 20020725
Category: SF
Reference: AIXAPAR:IY29583
Reference: URL:http://archives.neohapsis.com/archives/aix/2002-q2/0005.html

Vulnerability in template.dhcpo in AIX 4.3.3 related to an insecure
linker argument.

Analysis
----------------
ED_PRI CAN-2002-0746 3
Vendor Acknowledgement: yes
Content Decisions: VAGUE

Voting Section
--------------
Possible votes: ACCEPT/MODIFY/NOOP/REVIEWING/RECAST/REJECT
If ACCEPT or MODIFY, include reason for acceptance:
  VERIFIED-BY-MY-ORG, ACKNOWLEDGED-BY-VENDOR, VERIFIED-BY-SOMEONE-I-TRUST,
  HAS-INDEPENDENT-CONFIRMATION, or provide other reason.

VOTE:
ACCEPT_REASON:

COMMENTS:

======================================================
Candidate: CAN-2002-0747
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2002-0747
Final-Decision:
Interim-Decision:
Modified:
Proposed: 20020726
Assigned: 20020725
Category: SF
Reference: AIXAPAR:IY29589
Reference: URL:http://archives.neohapsis.com/archives/aix/2002-q2/0005.html

Buffer overflow in lsmcode in AIX 4.3.3.

Analysis
----------------
ED_PRI CAN-2002-0747 3
Vendor Acknowledgement: yes
Content Decisions: VAGUE

INCLUSION/ABSTRACTION: Due to the vagueness of this description, and
especially the description of CAN-2001-1061, it is uncertain whether
the two items are the same or not; however, CAN-2001-1061 has a
separate APAR from this item, so there is sufficient evidence that
they're somehow different.

Voting Section
--------------
Possible votes: ACCEPT/MODIFY/NOOP/REVIEWING/RECAST/REJECT
If ACCEPT or MODIFY, include reason for acceptance:
  VERIFIED-BY-MY-ORG, ACKNOWLEDGED-BY-VENDOR, VERIFIED-BY-SOMEONE-I-TRUST,
  HAS-INDEPENDENT-CONFIRMATION, or provide other reason.

VOTE:
ACCEPT_REASON:

COMMENTS:

======================================================
Candidate: CAN-2002-0749
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2002-0749
Final-Decision:
Interim-Decision:
Modified:
Proposed: 20020726
Assigned: 20020725
Category: SF
Reference: BUGTRAQ:20020423 CGIscript.net - csMailto.cgi - Remote Command Execution
Reference: URL:http://archives.neohapsis.com/archives/bugtraq/2002-04/0326.html
Reference: XF:cgiscript-csmailto-command-execution(8930)
Reference: URL:http://www.iss.net/security_center/static/8930.php
Reference: BID:4579
Reference: URL:http://www.securityfocus.com/bid/4579

CGIscript.net csMailto.cgi allows remote attackers to execute
arbitrary commands via shell metacharacters in the form-attachment
field.

Analysis
----------------
ED_PRI CAN-2002-0749 3
Vendor Acknowledgement:
Content Decisions: SF-LOC

ACKNOWLEDGEMENT: the change report for csMailto version 2 says "Added
security. The form options are stored in a separate file." This would
address the specified problem, but is it sufficient to indicate vendor
acknowledgement?

Voting Section
--------------
Possible votes: ACCEPT/MODIFY/NOOP/REVIEWING/RECAST/REJECT
If ACCEPT or MODIFY, include reason for acceptance:
  VERIFIED-BY-MY-ORG, ACKNOWLEDGED-BY-VENDOR, VERIFIED-BY-SOMEONE-I-TRUST,
  HAS-INDEPENDENT-CONFIRMATION, or provide other reason.

VOTE:
ACCEPT_REASON:

COMMENTS:

======================================================
Candidate: CAN-2002-0750
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2002-0750
Final-Decision:
Interim-Decision:
Modified:
Proposed: 20020726
Assigned: 20020725
Category: SF
Reference: BUGTRAQ:20020423 CGIscript.net - csMailto.cgi - Remote Command Execution
Reference: URL:http://archives.neohapsis.com/archives/bugtraq/2002-04/0326.html
Reference: MISC:http://www.cgiscript.net/cgi-script/csNews/csNews.cgi?database=cgi.db&command=viewone&id=5

CGIscript.net csMailto.cgi program allows remote attackers to read
arbitrary files by specifying the target filename in the
form-attachment field.

Analysis
----------------
ED_PRI CAN-2002-0750 3
Vendor Acknowledgement: unknown vague
Content Decisions: SF-LOC

ACKNOWLEDGEMENT: the change report for csMailto version 2 says "Added
security. The form options are stored in a separate file." This would
address the specified problem, but is it sufficient to indicate vendor
acknowledgement?

Voting Section
--------------
Possible votes: ACCEPT/MODIFY/NOOP/REVIEWING/RECAST/REJECT
If ACCEPT or MODIFY, include reason for acceptance:
  VERIFIED-BY-MY-ORG, ACKNOWLEDGED-BY-VENDOR, VERIFIED-BY-SOMEONE-I-TRUST,
  HAS-INDEPENDENT-CONFIRMATION, or provide other reason.

VOTE:
ACCEPT_REASON:

COMMENTS:

======================================================
Candidate: CAN-2002-0751
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2002-0751
Final-Decision:
Interim-Decision:
Modified:
Proposed: 20020726
Assigned: 20020725
Category: SF
Reference: BUGTRAQ:20020423 CGIscript.net - csMailto.cgi - Remote Command Execution
Reference: URL:http://archives.neohapsis.com/archives/bugtraq/2002-04/0326.html
Reference: MISC:http://www.cgiscript.net/cgi-script/csNews/csNews.cgi?database=cgi.db&command=viewone&id=5
Reference: BID:4579
Reference: URL:http://www.securityfocus.com/bid/4579

CGIscript.net csMailto.cgi program allows remote attackers to use
csMailto as a "spam proxy" and send mail to arbitrary users via
modified (1) form-to, (2) form-from, and (3) form-results parameters.

Analysis
----------------
ED_PRI CAN-2002-0751 3
Vendor Acknowledgement: unknown vague
Content Decisions: SF-LOC

ACKNOWLEDGEMENT: the change report for csMailto version 2 says "Added
security. The form options are stored in a separate file." This would
address the specified problem, but is it sufficient to indicate vendor
acknowledgement?

Voting Section
--------------
Possible votes: ACCEPT/MODIFY/NOOP/REVIEWING/RECAST/REJECT
If ACCEPT or MODIFY, include reason for acceptance:
  VERIFIED-BY-MY-ORG, ACKNOWLEDGED-BY-VENDOR, VERIFIED-BY-SOMEONE-I-TRUST,
  HAS-INDEPENDENT-CONFIRMATION, or provide other reason.

VOTE:
ACCEPT_REASON:

COMMENTS:

======================================================
Candidate: CAN-2002-0752
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2002-0752
Final-Decision:
Interim-Decision:
Modified:
Proposed: 20020726
Assigned: 20020725
Category: CF
Reference: BUGTRAQ:20020423 CGIscript.net - csMailto.cgi - Remote Command Execution
Reference: URL:http://archives.neohapsis.com/archives/bugtraq/2002-04/0326.html

CGIscript.net csMailto.cgi program exports feedback to a file that is
accessible from the web document root, which could allow remote
attackers to obtain sensitive information by directly accessing the
file.

Analysis
----------------
ED_PRI CAN-2002-0752 3
Vendor Acknowledgement: unknown
Content Decisions: SF-LOC

Voting Section
--------------
Possible votes: ACCEPT/MODIFY/NOOP/REVIEWING/RECAST/REJECT
If ACCEPT or MODIFY, include reason for acceptance:
  VERIFIED-BY-MY-ORG, ACKNOWLEDGED-BY-VENDOR, VERIFIED-BY-SOMEONE-I-TRUST,
  HAS-INDEPENDENT-CONFIRMATION, or provide other reason.

VOTE:
ACCEPT_REASON:

COMMENTS:

======================================================
Candidate: CAN-2002-0753
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2002-0753
Final-Decision:
Interim-Decision:
Modified:
Proposed: 20020726
Assigned: 20020725
Category: SF
Reference: BUGTRAQ:20020416 Buffer Overrun in Talentsoft's Web+ (3) (#NISR17042002B)
Reference: URL:http://archives.neohapsis.com/archives/bugtraq/2002-04/0210.html
Reference: XF:webplus-long-cookie-bop(8861)
Reference: URL:http://www.iss.net/security_center/static/8861.php
Reference: BID:4530
Reference: URL:http://www.securityfocus.com/bid/4530

Buffer overflow in Talentsoft Web+ 5.0 allows remote attackers to
execute arbitrary code via an HTTP request with a long cookie.

Analysis
----------------
ED_PRI CAN-2002-0753 3
Vendor Acknowledgement: unknown discloser-claimed

Voting Section
--------------
Possible votes: ACCEPT/MODIFY/NOOP/REVIEWING/RECAST/REJECT
If ACCEPT or MODIFY, include reason for acceptance:
  VERIFIED-BY-MY-ORG, ACKNOWLEDGED-BY-VENDOR, VERIFIED-BY-SOMEONE-I-TRUST,
  HAS-INDEPENDENT-CONFIRMATION, or provide other reason.

VOTE:
ACCEPT_REASON:

COMMENTS:

Page Last Updated or Reviewed: May 22, 2007