CVE (version 20061101) and Candidates as of 20190824

Candidates must be reviewed and accepted by the CVE Editorial Board before they can be added to the official CVE list. Therefore, these candidates may be modified or even rejected in the future. They are provided for use by individuals who have a need for an early numbering scheme for items that have not been fully reviewed by the Editorial Board.

Name: CVE-1999-0001

Description:

ip_input.c in BSD-derived TCP/IP implementations allows remote attackers to cause a denial of service (crash or hang) via crafted packets.

Status:Candidate
Phase: Modified (20051217)
Reference: BUGTRAQ:19981223 Re: CERT Advisory CA-98.13 - TCP/IP Denial of Service
Reference: CERT:CA-98-13-tcp-denial-of-service
Reference: CONFIRM:http://www.openbsd.org/errata23.html#tcpfix
Reference: OSVDB:5707
Reference: URL:http://www.osvdb.org/5707

Votes:
MODIFY(1)  Frech
NOOP(2)  Northcutt, Wall
REVIEWING(1)  Christey
Voter Comments:
Christey>  A Bugtraq posting indicates that the bug has to do with
"short packets with certain options set," so the description
should be modified accordingly.

But is this the same as CVE-1999-0052?  That one is related
to nestea (CVE-1999-0257) and probably the one described in
BUGTRAQ:19981023 nestea v2 against freebsd 3.0-Release
The patch for nestea is in ip_input.c around line 750.
The patches for CVE-1999-0001 are in lines 388&446.  So, 
CVE-1999-0001 is different from CVE-1999-0257 and CVE-1999-0052.
The FreeBSD patch for CVE-1999-0052 is in line 750.
So, CVE-1999-0257 and CVE-1999-0052 may be the same, though
CVE-1999-0052 should be RECAST since this bug affects Linux
and other OSes besides FreeBSD.
Frech>  XF:teardrop(338)
This assignment was based solely on references to the CERT advisory.
Christey>  The description for BID:190, which links to CVE-1999-0052 (a
FreeBSD advisory), notes that the patches provided by FreeBSD in
CERT:CA-1998-13 suggest a connection between CVE-1999-0001 and
CVE-1999-0052.  CERT:CA-1998-13 is too vague to be sure without
further analysis.

Name: CVE-1999-0002

Description:

Buffer overflow in NFS mountd gives root access to remote attackers, mostly in Linux systems.

Status:Entry
Reference: BID:121
Reference: URL:http://www.securityfocus.com/bid/121
Reference: CERT:CA-98.12.mountd
Reference: CIAC:J-006
Reference: URL:http://www.ciac.org/ciac/bulletins/j-006.shtml
Reference: SGI:19981006-01-I
Reference: URL:ftp://patches.sgi.com/support/free/security/advisories/19981006-01-I
Reference: XF:linux-mountd-bo

Name: CVE-1999-0003

Description:

Execute commands as root via buffer overflow in Tooltalk database server (rpc.ttdbserverd).

Status:Entry
Reference: BID:122
Reference: URL:http://www.securityfocus.com/bid/122
Reference: CERT:CA-98.11.tooltalk
Reference: NAI:NAI-29
Reference: SGI:19981101-01-A
Reference: URL:ftp://patches.sgi.com/support/free/security/advisories/19981101-01-A
Reference: SGI:19981101-01-PX
Reference: URL:ftp://patches.sgi.com/support/free/security/advisories/19981101-01-PX
Reference: XF:aix-ttdbserver
Reference: XF:tooltalk

Name: CVE-1999-0004

Description:

MIME buffer overflow in email clients, e.g. Solaris mailtool and Outlook.

Status:Candidate
Phase: Modified (19990621)
Reference: CERT:CA-98.10.mime_buffer_overflows
Reference: MS:MS98-008
Reference: URL:https://docs.microsoft.com/en-us/security-updates/securitybulletins/1998/ms98-008
Reference: SUN:00175
Reference: XF:outlook-long-name

Votes:
ACCEPT(8)  Baker, Cole, Collins, Dik, Landfield, Magdych, Northcutt, Wall
MODIFY(1)  Frech
NOOP(1)  Christey
REVIEWING(1)  Shostack
Voter Comments:
Frech>  Extremely minor, but I believe e-mail is the correct term. (If you reject
this suggestion, I will not be devastated.) :-)
Christey>  This issue seems to have been rediscovered in
BUGTRAQ:20000515 Eudora Pro & Outlook Overflow - too long filenames again
http://marc.theaimsgroup.com/?l=bugtraq&m=95842482413076&w=2

Also see
BUGTRAQ:19990320 Eudora Attachment Buffer Overflow
http://marc.theaimsgroup.com/?l=bugtraq&m=92195396912110&w=2
Christey>  CVE-2000-0415 may be a later rediscovery of this problem
for Outlook.
Dik>  Sun bug 4163471,
Christey>  ADDREF BID:125
Christey>  BUGTRAQ:19980730 Long Filenames & Lotus Products
URL:http://marc.theaimsgroup.com/?l=bugtraq&m=90221104526201&w=2

Name: CVE-1999-0005

Description:

Arbitrary command execution via IMAP buffer overflow in authenticate command.

Status:Entry
Reference: BID:130
Reference: URL:http://www.securityfocus.com/bid/130
Reference: CERT:CA-98.09.imapd
Reference: SUN:00177
Reference: URL:http://sunsolve.sun.com/pub-cgi/retrieve.pl?doctype=coll&doc=secbull/177
Reference: XF:imap-authenticate-bo

Name: CVE-1999-0006

Description:

Buffer overflow in POP servers based on BSD/Qualcomm's qpopper allows remote attackers to gain root access using a long PASS command.

Status:Entry
Reference: AUSCERT:AA-98.01
Reference: BID:133
Reference: URL:http://www.securityfocus.com/bid/133
Reference: CERT:CA-98.08.qpopper_vul
Reference: SGI:19980801-01-I
Reference: URL:ftp://patches.sgi.com/support/free/security/advisories/19980801-01-I
Reference: XF:qpopper-pass-overflow

Name: CVE-1999-0007

Description:

Information from SSL-encrypted sessions via PKCS #1.

Status:Entry
Reference: CERT:CA-98.07.PKCS
Reference: MS:MS98-002
Reference: URL:https://docs.microsoft.com/en-us/security-updates/securitybulletins/1998/ms98-002
Reference: XF:nt-ssl-fix

Name: CVE-1999-0008

Description:

Buffer overflow in NIS+, in Sun's rpc.nisd program.

Status:Entry
Reference: CERT:CA-98.06.nisd
Reference: ISS:June10,1998
Reference: SUN:00170
Reference: URL:http://sunsolve.sun.com/pub-cgi/retrieve.pl?doctype=coll&doc=secbull/170
Reference: XF:nisd-bo-check

Name: CVE-1999-0009

Description:

Inverse query buffer overflow in BIND 4.9 and BIND 8 Releases.

Status:Entry
Reference: BID:134
Reference: URL:http://www.securityfocus.com/bid/134
Reference: CERT:CA-98.05.bind_problems
Reference: HP:HPSBUX9808-083
Reference: URL:http://www1.itrc.hp.com/service/cki/docDisplay.do?docId=HPSBUX9808-083
Reference: SGI:19980603-01-PX
Reference: URL:ftp://patches.sgi.com/support/free/security/advisories/19980603-01-PX
Reference: SUN:00180
Reference: URL:http://sunsolve.sun.com/pub-cgi/retrieve.pl?doctype=coll&doc=secbull/180
Reference: XF:bind-bo

Name: CVE-1999-0010

Description:

Denial of Service vulnerability in BIND 8 Releases via maliciously formatted DNS messages.

Status:Entry
Reference: CERT:CA-98.05.bind_problems
Reference: HP:HPSBUX9808-083
Reference: URL:http://www1.itrc.hp.com/service/cki/docDisplay.do?docId=HPSBUX9808-083
Reference: SGI:19980603-01-PX
Reference: URL:ftp://patches.sgi.com/support/free/security/advisories/19980603-01-PX
Reference: XF:bind-dos

Name: CVE-1999-0011

Description:

Denial of Service vulnerabilities in BIND 4.9 and BIND 8 Releases via CNAME record and zone transfer.

Status:Entry
Reference: CERT:CA-98.05.bind_problems
Reference: HP:HPSBUX9808-083
Reference: URL:http://www1.itrc.hp.com/service/cki/docDisplay.do?docId=HPSBUX9808-083
Reference: SGI:19980603-01-PX
Reference: URL:ftp://patches.sgi.com/support/free/security/advisories/19980603-01-PX
Reference: SUN:00180
Reference: URL:http://sunsolve.sun.com/pub-cgi/retrieve.pl?doctype=coll&doc=secbull/180
Reference: XF:bind-axfr-dos

Name: CVE-1999-0012

Description:

Some web servers under Microsoft Windows allow remote attackers to bypass access restrictions for files with long file names.

Status:Entry
Reference: CERT:CA-98.04.Win32.WebServers
Reference: XF:nt-web8.3

Name: CVE-1999-0013

Description:

Stolen credentials from SSH clients via ssh-agent program, allowing other local users to access remote accounts belonging to the ssh-agent user.

Status:Entry
Reference: CERT:CA-98.03.ssh-agent
Reference: NAI:NAI-24
Reference: XF:ssh-agent

Name: CVE-1999-0014

Description:

Unauthorized privileged access or denial of service via dtappgather program in CDE.

Status:Entry
Reference: CERT:CA-98.02.CDE
Reference: HP:HPSBUX9801-075
Reference: URL:http://www1.itrc.hp.com/service/cki/docDisplay.do?docId=HPSBUX9801-075
Reference: SUN:00185
Reference: URL:http://sunsolve.sun.com/pub-cgi/retrieve.pl?doctype=coll&doc=secbull/185

Name: CVE-1999-0015

Description:

Teardrop IP denial of service.

Status:Candidate
Phase: Modified (20090302)
Reference: CERT:CA-97.28.Teardrop_Land
Reference: OVAL:oval:org.mitre.oval:def:5579
Reference: URL:https://oval.cisecurity.org/repository/search/definition/oval%3Aorg.mitre.oval%3Adef%3A5579
Reference: XF:teardrop

Votes:
ACCEPT(1)  Wall
MODIFY(1)  Frech
REVIEWING(1)  Christey
Voter Comments:
Frech>  XF: teardrop-mod
Christey>  Not sure how many separate "instances" of Teardrop there are.
See: CVE-1999-0015, CVE-1999-0104, CVE-1999-0257, CVE-1999-0258
Christey>  See the SCO advisory at:
http://www.securityfocus.com/templates/advisory.html?id=1411
which may further clarify the issue.
Christey>  MSKB:Q154174
MSKB:Q154174 (CVE-1999-0015) and MSKB:Q179129 (CVE-1999-0104)
indicate that CVE-1999-0015 was fixed in NT SP3, but
CVE-1999-0104 was not.  Thus CD:SF-LOC suggests that the
problems keep separate candidates because one problem appears
in a different version than the other.
Christey>  BID:124
http://www.securityfocus.com/bid/124
Consider MSKB:Q154174
http://support.microsoft.com/support/kb/articles/q154/1/74.asp
Consider BUGTRAQ:19971113 Linux IP fragment overlap bug
http://www.securityfocus.com/archive/1/8014

Name: CVE-1999-0016

Description:

Land IP denial of service.

Status:Entry
Reference: CERT:CA-97.28.Teardrop_Land
Reference: CISCO:http://www.cisco.com/warp/public/770/land-pub.shtml
Reference: FREEBSD:FreeBSD-SA-98:01
Reference: HP:HPSBUX9801-076
Reference: URL:http://www1.itrc.hp.com/service/cki/docDisplay.do?docId=HPSBUX9801-076
Reference: XF:95-verv-tcp
Reference: XF:cisco-land
Reference: XF:land
Reference: XF:land-patch
Reference: XF:ver-tcpip-sys

Name: CVE-1999-0017

Description:

FTP servers can allow an attacker to connect to arbitrary ports on machines other than the FTP client, aka FTP bounce.

Status:Entry
Reference: CERT:CA-97.27.FTP_bounce
Reference: XF:ftp-bounce
Reference: XF:ftp-privileged-port

Name: CVE-1999-0018

Description:

Buffer overflow in statd allows root privileges.

Status:Entry
Reference: AUSCERT:AA-97.29
Reference: BID:127
Reference: URL:http://www.securityfocus.com/bid/127
Reference: CERT:CA-97.26.statd
Reference: XF:statd

Name: CVE-1999-0019

Description:

Delete or create a file via rpc.statd, due to invalid information.

Status:Entry
Reference: CERT:CA-96.09.rpc.statd
Reference: SUN:00135
Reference: URL:http://sunsolve.sun.com/pub-cgi/retrieve.pl?doctype=coll&doc=secbull/135
Reference: XF:rpc-stat

Name: CVE-1999-0020

Description:

** REJECT ** DO NOT USE THIS CANDIDATE NUMBER. ConsultIDs: CVE-1999-0032. Reason: This candidate is a duplicate of CVE-1999-0032. Notes: All CVE users should reference CVE-1999-0032 instead of this candidate. All references and descriptions in this candidate have been removed to prevent accidental usage.

Status:Candidate
Phase: Modified (20050204)

Votes:
MODIFY(1)  Frech
NOOP(4)  Levy, Northcutt, Shostack, Wall
REJECT(2)  Baker, Christey
Voter Comments:
Frech>  XF:lpr-bo
Christey>  DUPE CVE-1999-0032, which includes XF:lpr-bo

Name: CVE-1999-0021

Description:

Arbitrary command execution via buffer overflow in Count.cgi (wwwcount) cgi-bin program.

Status:Entry
Reference: BID:128
Reference: URL:http://www.securityfocus.com/bid/128
Reference: BUGTRAQ:19971010 Security flaw in Count.cgi (wwwcount)
Reference: CERT:CA-97.24.Count_cgi
Reference: XF:http-cgi-count

Name: CVE-1999-0022

Description:

Local user gains root privileges via buffer overflow in rdist, via expstr() function.

Status:Entry
Reference: CERT:CA-97.23.rdist
Reference: SUN:00179
Reference: URL:http://sunsolve.sun.com/pub-cgi/retrieve.pl?doctype=coll&doc=secbull/179
Reference: XF:rdist-bo3
Reference: XF:rdist-sept97

Name: CVE-1999-0023

Description:

Local user gains root privileges via buffer overflow in rdist, via lookup() function.

Status:Entry
Reference: CERT:CA-96.14.rdist_vul
Reference: XF:rdist-bo
Reference: XF:rdist-bo2

Name: CVE-1999-0024

Description:

DNS cache poisoning via BIND, by predictable query IDs.

Status:Entry
Reference: CERT:CA-97.22.bind
Reference: NAI:NAI-11
Reference: XF:bind

Name: CVE-1999-0025

Description:

root privileges via buffer overflow in df command on SGI IRIX systems.

Status:Entry
Reference: AUSCERT:AA-97.19.IRIX.df.buffer.overflow.vul
Reference: BID:346
Reference: URL:http://www.securityfocus.com/bid/346
Reference: CERT:CA-1997-21
Reference: URL:http://www.cert.org/advisories/CA-1997-21.html
Reference: CERT-VN:VU#20851
Reference: URL:http://www.kb.cert.org/vuls/id/20851
Reference: SGI:SGI:19970505-01-A
Reference: SGI:SGI:19970505-02-PX
Reference: XF:df-bo(440)
Reference: URL:https://exchange.xforce.ibmcloud.com/vulnerabilities/440

Name: CVE-1999-0026

Description:

root privileges via buffer overflow in pset command on SGI IRIX systems.

Status:Entry
Reference: AUSCERT:AA-97.20.IRIX.pset.buffer.overflow.vul
Reference: CERT:CA-97.21.sgi_buffer_overflow
Reference: XF:pset-bo

Name: CVE-1999-0027

Description:

root privileges via buffer overflow in eject command on SGI IRIX systems.

Status:Entry
Reference: AUSCERT:AA-97.21.IRIX.eject.buffer.overflow.vul
Reference: CERT:CA-97.21.sgi_buffer_overflow
Reference: XF:eject-bo

Name: CVE-1999-0028

Description:

root privileges via buffer overflow in login/scheme command on SGI IRIX systems.

Status:Entry
Reference: AUSCERT:AA-97.22.IRIX.login.scheme.buffer.overflow.vul
Reference: CERT:CA-97.21.sgi_buffer_overflow
Reference: XF:sgi-schemebo

Name: CVE-1999-0029

Description:

root privileges via buffer overflow in ordist command on SGI IRIX systems.

Status:Entry
Reference: AUSCERT:AA-97.23-IRIX.ordist.buffer.overflow.vul
Reference: CERT:CA-97.21.sgi_buffer_overflow
Reference: XF:ordist-bo

Name: CVE-1999-0030

Description:

root privileges via buffer overflow in xlock command on SGI IRIX systems.

Status:Candidate
Phase: Proposed (19990623)
Reference: AUSCERT:AA-97.24.IRIX.xlock.buffer.overflow.vul
Reference: CERT:CA-97.21.sgi_buffer_overflow
Reference: SGI:19970508-02-PX
Reference: XF:sgi-xlockbo

Votes:
ACCEPT(3)  Levy, Ozancin, Prosser
NOOP(1)  Baker
RECAST(1)  Frech
REJECT(1)  Christey
Voter Comments:
Frech>  XF:xlock-bo (also add)
As per xlock-bo, also appears on AIX, BSDI, DG/UX, FreeBSD, Solaris, and
several Linii.
Also, don't you mean to cite SGI:19970502-02-PX? The one you list is
login/scheme.
Levy>  Notice that this xlock overflow is the same as in
CA-97.13. CA-97.21 simply is a reminder.
Christey>  As pointed out by Elias, CA-97.21 states: "For more
information about vulnerabilities in xlock... see CA-97.13"
CA-97.13 = CVE-1999-0038.
This may also be a duplicate with CVE-1999-0306.

See exploits at:

http://marc.theaimsgroup.com/?l=bugtraq&m=87602167418394&w=2
http://marc.theaimsgroup.com/?l=bugtraq&m=87602167418404&w=2

Sun also has this problem, at
http://sunsolve.sun.com/pub-cgi/retrieve.pl?doctype=coll&doc=secbull/150&type=0&nav=sec.sba

Name: CVE-1999-0031

Description:

JavaScript in Internet Explorer 3.x and 4.x, and Netscape 2.x, 3.x and 4.x, allows remote attackers to monitor a user's web activities, aka the Bell Labs vulnerability.

Status:Entry
Reference: CERT:CA-97.20.javascript
Reference: HP:HPSBUX9707-065
Reference: URL:http://www.codetalker.com/advisories/vendor/hp/hpsbux9707-065.html

Name: CVE-1999-0032

Description:

Buffer overflow in lpr, as used in BSD-based systems including Linux, allows local users to execute arbitrary code as root via a long -C (classification) command line option.

Status:Entry
Reference: AUSCERT:AA-96.12
Reference: BID:707
Reference: URL:http://www.securityfocus.com/bid/707
Reference: BUGTRAQ:19960813 Possible bufferoverflow condition in lpr, xterm and xload
Reference: BUGTRAQ:19961025 Linux & BSD's lpr exploit
Reference: CERT:CA-97.19.bsdlp
Reference: CIAC:H-08
Reference: CIAC:I-042
Reference: URL:http://www.ciac.org/ciac/bulletins/i-042.shtml
Reference: MLIST:[freebsd-security] 19961025 Vadim Kolontsov: BoS: Linux & BSD's lpr exploit
Reference: MLIST:[linux-security] 19961122 LSF Update#14: Vulnerability of the lpr program.
Reference: SGI:19980402-01-PX
Reference: URL:ftp://patches.sgi.com/support/free/security/advisories/19980402-01-PX
Reference: XF:bsd-lprbo
Reference: XF:bsd-lprbo2
Reference: XF:lpr-bo

Name: CVE-1999-0033

Description:

Command execution in Sun systems via buffer overflow in the at program.

Status:Candidate
Phase: Modified (20040811)
Reference: CERT:CA-97.18.at
Reference: SUN:00160
Reference: XF:sun-atbo

Votes:
ACCEPT(8)  Baker, Cole, Collins, Dik, Hill, Northcutt, Shostack, Wall
NOOP(1)  Christey
RECAST(1)  Frech
Voter Comments:
Frech>  This vulnerability also manifests itself for the following 
platforms: AIX, HPUX, IRIX, Solaris, SCO, NCR MP-RAS. In this light,
please add the following:
Reference: XF:at-bo
Dik>  Sun bug 1265200, 4063161
Christey>  ADDREF SGI:19971102-01-PX
ftp://patches.sgi.com/support/free/security/advisories/19971102-01-PX
SCO:SB.97:01
ftp://ftp.sco.com/SSE/security_bulletins/SB.97:01a
Christey>  CIAC:F-15
http://ciac.llnl.gov/ciac/bulletins/f-15.shtml
HP:HPSBUX9502-023
Christey>  Add period to the end of the description.

Name: CVE-1999-0034

Description:

Buffer overflow in suidperl (sperl), Perl 4.x and 5.x.

Status:Entry
Reference: CERT:CA-97.17.sperl
Reference: XF:perl-suid

Name: CVE-1999-0035

Description:

Race condition in signal handling routine in ftpd, allowing read/write arbitrary files.

Status:Entry
Reference: AUSCERT:AA-97.03
Reference: CERT:CA-97.16.ftpd
Reference: XF:ftp-ftpd

Name: CVE-1999-0036

Description:

IRIX login program with a nonzero LOCKOUT parameter allows creation or damage to files.

Status:Entry
Reference: AUSCERT:AA-97.12
Reference: CERT:CA-97.15.sgi_login
Reference: CIAC:H-106
Reference: URL:http://www.ciac.org/ciac/bulletins/h-106.shtml
Reference: OSVDB:990
Reference: URL:http://www.osvdb.org/990
Reference: SGI:19970508-02-PX
Reference: URL:ftp://patches.sgi.com/support/free/security/advisories/19970508-02-PX
Reference: XF:sgi-lockout(557)
Reference: URL:https://exchange.xforce.ibmcloud.com/vulnerabilities/557

Name: CVE-1999-0037

Description:

Arbitrary command execution via metamail package using message headers, when user processes attacker's message using metamail.

Status:Entry
Reference: CERT:CA-97.14.metamail
Reference: XF:metamail-header-commands

Name: CVE-1999-0038

Description:

Buffer overflow in xlock program allows local users to execute commands as root.

Status:Entry
Reference: CERT:CA-97.13.xlock
Reference: XF:xlock-bo

Name: CVE-1999-0039

Description:

webdist CGI program (webdist.cgi) in SGI IRIX allows remote attackers to execute arbitrary commands via shell metacharacters in the distloc parameter.

Status:Entry
Reference: AUSCERT:AA-97.14
Reference: BID:374
Reference: URL:http://www.securityfocus.com/bid/374
Reference: BUGTRAQ:19970507 Re: SGI Advisory: webdist.cgi
Reference: BUGTRAQ:19970507 Re: SGI Security Advisory 19970501-01-A - Vulnerability in
Reference: CERT:CA-1997-12
Reference: URL:http://www.cert.org/advisories/CA-1997-12.html
Reference: OSVDB:235
Reference: URL:http://www.osvdb.org/235
Reference: SGI:19970501-02-PX
Reference: URL:ftp://patches.sgi.com/support/free/security/advisories/19970501-02-PX
Reference: XF:http-sgi-webdist(333)
Reference: URL:https://exchange.xforce.ibmcloud.com/vulnerabilities/333

Name: CVE-1999-0040

Description:

Buffer overflow in Xt library of X Windowing System allows local users to execute commands with root privileges.

Status:Entry
Reference: CERT:CA-97.11.libXt
Reference: XF:libXt-bo

Name: CVE-1999-0041

Description:

Buffer overflow in NLS (Natural Language Service).

Status:Entry
Reference: CERT:CA-97.10.nls
Reference: XF:nls-bo

Name: CVE-1999-0042

Description:

Buffer overflow in University of Washington's implementation of IMAP and POP servers.

Status:Entry
Reference: CERT:CA-97.09.imap_pop
Reference: NAI:NAI-21
Reference: XF:popimap-bo

Name: CVE-1999-0043

Description:

Command execution via shell metachars in INN daemon (innd) 1.5 using "newgroup" and "rmgroup" control messages, and others.

Status:Entry
Reference: CERT:CA-97.08.innd
Reference: XF:inn-controlmsg

Name: CVE-1999-0044

Description:

fsdump command in IRIX allows local users to obtain root access by modifying sensitive files.

Status:Entry
Reference: SGI:19970301-01-P
Reference: URL:ftp://patches.sgi.com/support/free/security/advisories/19970301-01-P
Reference: XF:sgi-fsdump

Name: CVE-1999-0045

Description:

List of arbitrary files on Web host via nph-test-cgi script.

Status:Entry
Reference: CERT:CA-97.07.nph-test-cgi_script
Reference: XF:http-cgi-nph

Name: CVE-1999-0046

Description:

Buffer overflow of rlogin program using TERM environmental variable.

Status:Entry
Reference: CERT:CA-97.06.rlogin-term
Reference: XF:rlogin-termbo

Name: CVE-1999-0047

Description:

MIME conversion buffer overflow in sendmail versions 8.8.3 and 8.8.4.

Status:Entry
Reference: BID:685
Reference: URL:http://www.securityfocus.com/bid/685
Reference: CERT:CA-97.05.sendmail
Reference: XF:sendmail-mime-bo2

Name: CVE-1999-0048

Description:

Talkd, when given corrupt DNS information, can be used to execute arbitrary commands with root privileges.

Status:Entry
Reference: AUSCERT:AA-97.01
Reference: CERT:CA-97.04.talkd
Reference: FREEBSD:FreeBSD-SA-96:21
Reference: SUN:00147
Reference: URL:http://sunsolve.sun.com/pub-cgi/retrieve.pl?doctype=coll&doc=secbull/147
Reference: XF:netkit-talkd
Reference: XF:talkd-bo

Name: CVE-1999-0049

Description:

Csetup under IRIX allows arbitrary file creation or overwriting.

Status:Entry
Reference: CERT:CA-97.03.csetup
Reference: XF:sgi-csetup

Name: CVE-1999-0050

Description:

Buffer overflow in HP-UX newgrp program.

Status:Entry
Reference: AUSCERT:AA-96.16.HP-UX.newgrp.Buffer.Overrun.Vulnerability
Reference: CERT:CA-97.02.hp_newgrp
Reference: XF:hp-newgrpbo

Name: CVE-1999-0051

Description:

Arbitrary file creation and program execution using FLEXlm LicenseManager, from versions 4.0 to 5.0, in IRIX.

Status:Entry
Reference: AUSCERT:AA-96.03
Reference: CERT:CA-97.01.flex_lm
Reference: XF:sgi-licensemanager

Name: CVE-1999-0052

Description:

IP fragmentation denial of service in FreeBSD allows a remote attacker to cause a crash.

Status:Entry
Reference: FREEBSD:FreeBSD-SA-98:08
Reference: OSVDB:908
Reference: URL:http://www.osvdb.org/908
Reference: XF:freebsd-ip-frag-dos(1389)
Reference: URL:https://exchange.xforce.ibmcloud.com/vulnerabilities/1389

Name: CVE-1999-0053

Description:

TCP RST denial of service in FreeBSD.

Status:Entry
Reference: FREEBSD:FreeBSD-SA-98:07
Reference: OSVDB:6094
Reference: URL:http://www.osvdb.org/6094

Name: CVE-1999-0054

Description:

Sun's ftpd daemon can be subjected to a denial of service.

Status:Entry
Reference: SUN:00171
Reference: URL:http://sunsolve.sun.com/pub-cgi/retrieve.pl?doctype=coll&doc=secbull/171
Reference: XF:sun-ftpd

Name: CVE-1999-0055

Description:

Buffer overflows in Sun libnsl allow root access.

Status:Entry
Reference: AIXAPAR:IX80543
Reference: URL:http://www-1.ibm.com/support/search.wss?rs=0&q=IX80543&apar=only
Reference: RSI:RSI.0005.05-14-98.SUN.LIBNSL
Reference: SUN:00172
Reference: URL:http://sunsolve.sun.com/pub-cgi/retrieve.pl?doctype=coll&doc=secbull/172
Reference: XF:sun-libnsl

Name: CVE-1999-0056

Description:

Buffer overflow in Sun's ping program can give root access to local users.

Status:Entry
Reference: SUN:00174
Reference: URL:http://sunsolve.sun.com/pub-cgi/retrieve.pl?doctype=coll&doc=secbull/174
Reference: XF:sun-ping

Name: CVE-1999-0057

Description:

Vacation program allows command execution by remote users through a sendmail command.

Status:Entry
Reference: HP:HPSBUX9811-087
Reference: URL:http://www1.itrc.hp.com/service/cki/docDisplay.do?docId=HPSBUX9811-087
Reference: NAI:NAI-19
Reference: XF:vacation

Name: CVE-1999-0058

Description:

Buffer overflow in PHP cgi program, php.cgi allows shell access.

Status:Entry
Reference: BID:712
Reference: URL:http://www.securityfocus.com/bid/712
Reference: NAI:NAI-12
Reference: XF:http-cgi-phpbo

Name: CVE-1999-0059

Description:

IRIX fam service allows an attacker to obtain a list of all files on the server.

Status:Entry
Reference: BID:353
Reference: URL:http://www.securityfocus.com/bid/353
Reference: NAI:NAI-16
Reference: OSVDB:164
Reference: URL:http://www.osvdb.org/164
Reference: XF:irix-fam(325)
Reference: URL:https://exchange.xforce.ibmcloud.com/vulnerabilities/325

Name: CVE-1999-0060

Description:

Attackers can cause a denial of service in Ascend MAX and Pipeline routers with a malformed packet to the discard port, which is used by the Java Configurator tool.

Status:Entry
Reference: ASCEND:http://www.ascend.com/2695.html
Reference: NAI:NAI-26
Reference: XF:ascend-config-kill

Name: CVE-1999-0061

Description:

File creation and deletion, and remote execution, in the BSD line printer daemon (lpd).

Status:Candidate
Phase: Proposed (19990630)
Reference: NAI:NAI-20
Reference: XF:bsd-lpd

Votes:
ACCEPT(3)  Frech, Hill, Northcutt
RECAST(1)  Baker
REVIEWING(1)  Christey
Voter Comments:
Christey>  This should be split into three separate problems based on
the SNI advisory.  But there's newer information to further
complicate things.

What do we do about this one?  in 1997 or so, SNI did an
advisory on this problem.  In early 2000, it was still
discovered to be present in some Linux systems.  So an 
SF-DISCOVERY content decision might say that this is a
long enough time between the two, so this should be recorded
separately.  But they're the same codebase... so if we keep
them in the same entry, how do we make sure that this entry
reflects that some new information has been discovered?

The use of dot notation may help in this regard, to use one
dot for the original problem as discovered in 1997, and
another dot for the resurgence of the problem in 2000.
Baker>  We should merge these.
Christey>  Perhaps this should be NAI-19 instead of NAI-20?
The original Bugtraq post for the SNI advisory suggests SNI-19:
BUGTRAQ:19971002 SNI-19:BSD lpd vulnerability
URL:SNI-19:BSD lpd vulnerability

Also add:
BUGTRAQ:19971021 SNI-19: BSD lpd vulnerabilities (UPDATE)
URL:http://marc.theaimsgroup.com/?l=bugtraq&m=87747479514310&w=2

However, archives of "NAI-0020" point to the lpd vuln.

If I recall correctly, some of the NAI advisory numbers got
switched when NAI acquired SNI.

Name: CVE-1999-0062

Description:

The chpass command in OpenBSD allows a local user to gain root access through file descriptor leakage.

Status:Entry
Reference: NAI:NAI-28
Reference: OSVDB:7559
Reference: URL:http://www.osvdb.org/7559
Reference: XF:openbsd-chpass

Name: CVE-1999-0063

Description:

Cisco IOS 12.0 and other versions can be crashed by malicious UDP packets to the syslog port.

Status:Entry
Reference: AUSCERT:ESB-98.197
Reference: CISCO:http://www.cisco.com/warp/public/770/iossyslog-pub.shtml
Reference: XF:cisco-syslog-crash

Name: CVE-1999-0064

Description:

Buffer overflow in AIX lquerylv program gives root access to local users.

Status:Entry
Reference: BUGTRAQ:May28,1997
Reference: XF:lquerylv-bo

Name: CVE-1999-0065

Description:

Multiple buffer overflows in how dtmail handles attachments allows a remote attacker to execute commands.

Status:Entry
Reference: SUN:00181
Reference: URL:http://sunsolve.sun.com/pub-cgi/retrieve.pl?doctype=coll&doc=secbull/181
Reference: XF:hp-dtmail

Name: CVE-1999-0066

Description:

AnyForm CGI remote execution.

Status:Entry
Reference: BID:719
Reference: URL:http://www.securityfocus.com/bid/719
Reference: BUGTRAQ:19950731 SECURITY HOLE: "AnyForm" CGI
Reference: XF:http-cgi-anyform

Name: CVE-1999-0067

Description:

phf CGI program allows remote command execution through shell metacharacters.

Status:Entry
Reference: AUSCERT:AA-96.01
Reference: BID:629
Reference: URL:http://www.securityfocus.com/bid/629
Reference: BUGTRAQ:19960923 PHF Attacks - Fun and games for the whole family
Reference: CERT:CA-1996-06
Reference: URL:http://www.cert.org/advisories/CA-1996-06.html
Reference: OSVDB:136
Reference: URL:http://www.osvdb.org/136
Reference: XF:http-cgi-phf

Name: CVE-1999-0068

Description:

CGI PHP mylog script allows an attacker to read any file on the target server.

Status:Entry
Reference: BID:713
Reference: URL:http://www.securityfocus.com/bid/713
Reference: BUGTRAQ:19971019 Vulnerability in PHP Example Logging Scripts
Reference: OSVDB:3396
Reference: URL:http://www.osvdb.org/3396
Reference: XF:http-cgi-php-mylog

Name: CVE-1999-0069

Description:

Solaris ufsrestore buffer overflow.

Status:Entry
Reference: OSVDB:8158
Reference: URL:http://www.osvdb.org/8158
Reference: SUN:00169
Reference: URL:http://sunsolve.sun.com/pub-cgi/retrieve.pl?doctype=coll&doc=secbull/169
Reference: XF:sun-ufsrestore

Name: CVE-1999-0070

Description:

test-cgi program allows an attacker to list files on the server.

Status:Entry
Reference: XF:http-cgi-test

Name: CVE-1999-0071

Description:

Apache httpd cookie buffer overflow for versions 1.1.1 and earlier.

Status:Entry
Reference: NAI:NAI-2
Reference: XF:http-apache-cookie

Name: CVE-1999-0072

Description:

Buffer overflow in AIX xdat gives root access to local users.

Status:Entry
Reference: ERS:ERS-SVA-E01-1997:004.1
Reference: XF:ibm-xdat

Name: CVE-1999-0073

Description:

Telnet allows a remote client to specify environment variables including LD_LIBRARY_PATH, allowing an attacker to bypass the normal system libraries and gain root access.

Status:Entry
Reference: CERT:CA-95:14.Telnetd_Environment_Vulnerability
Reference: XF:linkerbug

Name: CVE-1999-0074

Description:

Listening TCP ports are sequentially allocated, allowing spoofing attacks.

Status:Entry
Reference: XF:seqport

Name: CVE-1999-0075

Description:

PASV core dump in wu-ftpd daemon when attacker uses a QUOTE PASV command after specifying a username and password.

Status:Entry
Reference: BUGTRAQ:19961016 Re: ftpd bug? Was: bin/1805: Bug in ftpd
Reference: OSVDB:5742
Reference: URL:http://www.osvdb.org/5742
Reference: XF:ftp-pasvcore

Name: CVE-1999-0076

Description:

Buffer overflow in wu-ftp from PASV command causes a core dump.

Status:Candidate
Phase: Modified (19990925)
Reference: XF:ftp-args

Votes:
ACCEPT(3)  Baker, Frech, Ozancin
NOOP(1)  Balinsky
REVIEWING(1)  Christey
Voter Comments:
Balinsky>  Don't know what this is.  Is this the LIST Core dump vulnerability?
Christey>  Need to add more references and details.

Name: CVE-1999-0077

Description:

Predictable TCP sequence numbers allow spoofing.

Status:Entry
Reference: XF:tcp-seq-predict(139)
Reference: URL:https://exchange.xforce.ibmcloud.com/vulnerabilities/139

Name: CVE-1999-0078

Description:

pcnfsd (aka rpc.pcnfsd) allows local users to change file permissions, or execute arbitrary commands through arguments in the RPC call.

Status:Candidate
Phase: Modified (19990621)
Reference: CERT:CA-96.08.pcnfsd
Reference: XF:rpc-pcnfsd

Votes:
ACCEPT(5)  Collins, Frech, Landfield, Northcutt, Shostack
NOOP(1)  Baker
RECAST(1)  Christey
Voter Comments:
Christey>  This candidate should be SPLIT, since there are two separate
software flaws.  One is a symlink race and the other is a
shell metacharacter problem.
Christey>  The permissions part of this vulnerability appears to
overlap with CVE-1999-0353
Christey>  SGI:20020802-01-I

Name: CVE-1999-0079

Description:

Remote attackers can cause a denial of service in FTP by issuing multiple PASV commands, causing the server to run out of available ports.

Status:Entry
Reference: XF:ftp-pasv-dos
Reference: XF:ftp-pasvdos

Name: CVE-1999-0080

Description:

Certain configurations of wu-ftp FTP server 2.4 use a _PATH_EXECPATH setting to a directory with dangerous commands, such as /bin, which allows remote authenticated users to gain root access via the "site exec" command.

Status:Entry
Reference: BUGTRAQ:19950531 SECURITY: problem with some wu-ftpd-2.4 binaries (fwd)
Reference: CERT:CA-95:16.wu-ftpd.vul
Reference: XF:ftp-execdotdot

Name: CVE-1999-0081

Description:

wu-ftp allows files to be overwritten via the rnfr command.

Status:Entry
Reference: XF:ftp-rnfr

Name: CVE-1999-0082

Description:

CWD ~root command in ftpd allows root access.

Status:Entry
Reference: FARMERVENEMA:Improving the Security of Your Site by Breaking Into it
Reference: URL:http://www.alw.nih.gov/Security/Docs/admin-guide-to-cracking.101.html
Reference: XF:ftp-cwd

Name: CVE-1999-0083

Description:

getcwd() file descriptor leak in FTP.

Status:Entry
Reference: XF:cwdleak

Name: CVE-1999-0084

Description:

Certain NFS servers allow users to use mknod to gain privileges by creating a writable kmem device and setting the UID to 0.

Status:Entry
Reference: XF:nfs-mknod(78)
Reference: URL:https://exchange.xforce.ibmcloud.com/vulnerabilities/78

Name: CVE-1999-0085

Description:

Buffer overflow in rwhod on AIX and other operating systems allows remote attackers to execute arbitrary code via a UDP packet with a long hostname.

Status:Entry
Reference: BUGTRAQ:19960821 rwhod buffer overflow
Reference: XF:rwhod(119)
Reference: URL:https://exchange.xforce.ibmcloud.com/vulnerabilities/119
Reference: XF:rwhod-vuln(118)
Reference: URL:https://exchange.xforce.ibmcloud.com/vulnerabilities/118

Name: CVE-1999-0086

Description:

AIX routed allows remote users to modify sensitive files.

Status:Candidate
Phase: Interim (19990630)
Reference: ERS:ERS-SVA-E01-1998:001.1
Reference: XF:ibm-routed

Votes:
ACCEPT(2)  Northcutt, Shostack<br>
MODIFY(2)  Frech, Prosser<br>
NOOP(1)  Baker<br>
REJECT(1)  Christey<br>
Voter Comments:
Frech>  Reference: XF:ibm-routed<br>
Prosser>  This vulnerability allows debug mode to be turned on which is
the problem.  Should this be more specific in the description? This
one also affects SGI OSes, ref SGI Security Advisory 19981004-PX which
is in the SGI cluster, shouldn't these be cross-referenced as the same
vuln affects multiple OSes.<br>
Christey>  This appears to be subsumed by CVE-1999-0215<br>

Name: CVE-1999-0087

Description:

Denial of service in AIX telnet can freeze a system and prevent users from accessing the server.

Status:Entry
Reference: ERS:ERS-SVA-E01-1998:003.1
Reference: OSVDB:7992
Reference: URL:http://www.osvdb.org/7992
Reference: XF:ibm-telnetdos

Name: CVE-1999-0088

Description:

IRIX and AIX automountd services (autofsd) allow remote users to execute root commands.

Status:Candidate
Phase: Proposed (19990617)
Reference: ERS:ERS-SVA-E01-1998:004.1
Reference: URL:http://www-1.ibm.com/services/brs/brspwhub.nsf/advisories/852567CC004F9038852566BF007B6393/$file/ERS-SVA-E01-1998_004_1.txt

Votes:
ACCEPT(2)  Northcutt, Shostack<br>
MODIFY(2)  Frech, Prosser<br>
RECAST(1)  Baker<br>
REVIEWING(1)  Christey<br>
Voter Comments:
Frech>  ERS (and other references, BTW) explicitly stipulate 'local and
remote'.
Reference: XF:irix-autofsd<br>
Prosser>  Include the SGI Alert as well since it is mentioned in the
description.
SGI Security Advisory 19981005-01-PX<br>
Christey>  DUPE CVE-1999-0210?<br>
Christey>  ADDREF CIAC:J-014<br>
Baker>  It does look very similar to 1999-0210.  Perhaps they should be a single entry<br>

Name: CVE-1999-0089

Description:

Buffer overflow in AIX libDtSvc library can allow local users to gain root access.

Status:Candidate
Phase: Interim (19990630)
Reference: ERS:ERS-SVA-E01-1997:005.1
Reference: XF:ibm-libDtSvc

Votes:
ACCEPT(2)  Northcutt, Shostack<br>
MODIFY(2)  Frech, Prosser<br>
RECAST(1)  Baker<br>
REVIEWING(1)  Christey<br>
Voter Comments:
Frech>  Reference: XF:ibm-libDtSvc<br>
Prosser>  The overflow is in the dtaction utility.  Also affects
dtaction in the CDE on versions of SunOS (SUN 164). Probably should be
specific.<br>
Christey>  Same Codebase as CVE-1999-0121, so the two entries should be
merged.<br>

Name: CVE-1999-0090

Description:

Buffer overflow in AIX rcp command allows local users to obtain root access.

Status:Entry
Reference: ERS:ERS-SVA-E01-1997:005.1
Reference: XF:ibm-rcp

Name: CVE-1999-0091

Description:

Buffer overflow in AIX writesrv command allows local users to obtain root access.

Status:Entry
Reference: ERS:ERS-SVA-E01-1997:005.1
Reference: XF:ibm-writesrv

Name: CVE-1999-0092

Description:

Various vulnerabilities in the AIX portmir command allow local users to obtain root access.

Status:Candidate
Phase: Proposed (19990623)
Reference: ERS:ERS-SVA-E01-1997:006.1

Votes:
ACCEPT(2)  Baker, Bollinger<br>
MODIFY(1)  Frech<br>
NOOP(1)  Ozancin<br>
Voter Comments:
Frech>  XF:ibm-portmir<br>

Name: CVE-1999-0093

Description:

AIX nslookup command allows local users to obtain root access by not dropping privileges correctly.

Status:Entry
Reference: ERS:ERS-SVA-E01-1997:008.1
Reference: XF:ibm-nslookup

Name: CVE-1999-0094

Description:

AIX piodmgrsu command allows local users to gain additional group privileges.

Status:Entry
Reference: ERS:ERS-SVA-E01-1997:007.1
Reference: XF:ibm-piodmgrsu

Name: CVE-1999-0095

Description:

The debug command in Sendmail is enabled, allowing attackers to execute commands as root.

Status:Entry
Reference: BID:1
Reference: URL:http://www.securityfocus.com/bid/1
Reference: CERT:CA-88.01
Reference: CERT:CA-93.14
Reference: FULLDISC:20190611 The Return of the WIZard: RCE in Exim (CVE-2019-10149)
Reference: URL:http://seclists.org/fulldisclosure/2019/Jun/16
Reference: MLIST:[oss-security] 20190605 Re: CVE-2019-10149: Exim 4.87 to 4.91: possible remote exploit
Reference: URL:http://www.openwall.com/lists/oss-security/2019/06/05/4
Reference: MLIST:[oss-security] 20190606 Re: CVE-2019-10149: Exim 4.87 to 4.91: possible remote exploit
Reference: URL:http://www.openwall.com/lists/oss-security/2019/06/06/1
Reference: OSVDB:195
Reference: URL:http://www.osvdb.org/195
Reference: XF:smtp-debug

Name: CVE-1999-0096

Description:

Sendmail decode alias can be used to overwrite sensitive files.

Status:Entry
Reference: CERT:CA-93.16
Reference: CERT:CA-95.05
Reference: CIAC:A-13
Reference: CIAC:A-14
Reference: SUN:00122
Reference: URL:http://sunsolve.sun.com/pub-cgi/retrieve.pl?doctype=coll&doc=secbull/122&type=0&nav=sec.sba
Reference: XF:smtp-dcod

Name: CVE-1999-0097

Description:

The AIX FTP client can be forced to execute commands from a malicious server through shell metacharacters (e.g. a pipe character).

Status:Entry
Reference: ERS:ERS-SVA-E01-1997:009.1
Reference: XF:ibm-ftp

Name: CVE-1999-0098

Description:

Buffer overflow in SMTP HELO command in Sendmail allows a remote attacker to hide activities.

Status:Candidate
Phase: Proposed (19990726)
Reference: XF:smtp-helo-bo

Votes:
MODIFY(2)  Baker, Frech<br>
NOOP(1)  Wall<br>
REVIEWING(1)  Christey<br>
Voter Comments:
Frech>  (Accept XF reference.)
Our references do not mention hiding activities. This issue can crash the
SMTP server or execute arbitrary byte-code. Is there another reference
available?<br>
Christey>  Should this be merged with CVE-1999-0284, which is Sendmail
with SMTP HELO?<br>
Christey>  BUGTRAQ:19980522 about sendmail 8.8.8 HELO hole
http://marc.theaimsgroup.com/?l=bugtraq&m=90221101925991&w=2
BUGTRAQ:19980527 about sendmail 8.8.8 HELO hole
http://marc.theaimsgroup.com/?l=bugtraq&m=90221101926003&w=2<br>
Baker>  Apparently this XF reference is not for this issue, but for the other issue.  This should be modified to have the Bugtraq references, and remove the XF reference.<br>

Name: CVE-1999-0099

Description:

Buffer overflow in syslog utility allows local or remote attackers to gain root privileges.

Status:Entry
Reference: CERT:CA-95.13.syslog.vul
Reference: XF:smtp-syslog

Name: CVE-1999-0100

Description:

Remote access in AIX innd 1.5.1, using control messages.

Status:Entry
Reference: ERS:ERS-SVA-E01-1997:002.1
Reference: XF:inn-controlmsg

Name: CVE-1999-0101

Description:

Buffer overflow in AIX and Solaris "gethostbyname" library call allows root access through corrupt DNS host names.

Status:Entry
Reference: CIAC:H-13
Reference: URL:http://ciac.llnl.gov/ciac/bulletins/h-13.shtml
Reference: ERS:ERS-SVA-E01-1996:007.1
Reference: ERS:ERS-SVA-E01-1997:001.1
Reference: NAI:NAI-1
Reference: SUN:00137a
Reference: XF:ghbn-bo

Name: CVE-1999-0102

Description:

Buffer overflow in SLmail 3.x allows attackers to execute commands using a large FROM line.

Status:Entry
Reference: XF:slmail-fromheader-overflow

Name: CVE-1999-0103

Description:

Echo and chargen, or other combinations of UDP services, can be used in tandem to flood the server, a.k.a. UDP bomb or UDP packet storm.

Status:Entry
Reference: CERT:CA-96.01.UDP_service_denial
Reference: MISC:https://ics-cert.us-cert.gov/advisories/ICSMA-18-233-01
Reference: XF:chargen
Reference: XF:chargen-patch
Reference: XF:echo

Name: CVE-1999-0104

Description:

A later variation on the Teardrop IP denial of service attack, a.k.a. Teardrop-2.

Status:Candidate
Phase: Modified (20180822)
Reference: BID:80175
Reference: URL:http://www.securityfocus.com/bid/80175
Reference: CERT:CA-97.28.Teardrop_Land
Reference: OVAL:oval:org.mitre.oval:def:5743
Reference: URL:https://oval.cisecurity.org/repository/search/definition/oval%3Aorg.mitre.oval%3Adef%3A5743
Reference: XF:teardrop-mod

Votes:
ACCEPT(2)  Frech, Wall<br>
REVIEWING(1)  Christey<br>
Voter Comments:
Wall>  Another reference is Microsoft Knowledge Base Q179129.<br>
Christey>  Not sure how many separate "instances" of Teardrop there are.
See: CVE-1999-0015, CVE-1999-0104, CVE-1999-0257, CVE-1999-0258<br>
Christey>  See the SCO advisory at:
http://www.securityfocus.com/templates/advisory.html?id=1411
which may further clarify the issue.<br>
Christey>  MSKB:Q179129
http://support.microsoft.com/support/kb/articles/q179/1/29.asp<br>
Christey>  MSKB:Q179129
http://support.microsoft.com/support/kb/articles/q179/1/29.asp
Note that the hotfix name is teardrop2, but the keywords
included in the KB article specifically name bonk
(CVE-1999-0258) and boink.
Since teardrop2 was fixed in a slightly different version
(at least in a separate patch) than Teardrop, CD:SF-LOC
suggests keeping them separate.<br>
Christey>  Add period to the end of the description.<br>

Name: CVE-1999-0105

Description:

finger allows recursive searches by using a long string of @ symbols.

Status:Candidate
Phase: Proposed (19990726)

Votes:
MODIFY(3)  Baker, Frech, Shostack<br>
NOOP(1)  Christey<br>
REJECT(1)  Northcutt<br>
Voter Comments:
Shostack>  fingerD<br>
Frech>  XF:finger-bomb<br>
Christey>  aka redirection or forwarding requests? (but then might
overlap CVE-1999-0106)<br>
Baker>  should change description to indicate the recursive searching can consume enough system resources to cause a DoS.<br>

Name: CVE-1999-0106

Description:

Finger redirection allows finger bombs.

Status:Candidate
Phase: Proposed (19990726)

Votes:
ACCEPT(1)  Northcutt<br>
MODIFY(2)  Frech, Shostack<br>
RECAST(1)  Baker<br>
REVIEWING(1)  Christey<br>
Voter Comments:
Shostack>  fingerd allows redirection
This is a larger modification, since there are two applications of the 
vulnerability, one that I can finger anonymously, and the other that I 
can finger bomb anonymously.<br>
Frech>  XF:finger-bomb<br>
Christey>  need more refs<br>
Baker>  This should be merged with 1999-0105<br>

Name: CVE-1999-0107

Description:

Buffer overflow in Apache 1.2.5 and earlier allows a remote attacker to cause a denial of service with a large number of GET requests containing a large number of / characters.

Status:Candidate
Phase: Modified (19991223)
Reference: BUGTRAQ:19971230 Apache DoS attack?
Reference: XF:apache-dos

Votes:
ACCEPT(1)  Baker<br>
MODIFY(1)  Frech<br>
NOOP(3)  Northcutt, Shostack, Wall<br>
REVIEWING(1)  Levy<br>
REVOTE(1)  Christey<br>
Voter Comments:
Wall>  - Although this is probably the phf hack.<br>
Frech>  XF:apache-dos<br>
Christey>  This sounds like the incident reported in:
NTBUGTRAQ:20000810 Apache Distributed Denial of Service<br>
Levy>  I believe this is the problem where sending a lot of HTTP headers to apache resulted in a denial of service.
BUGTRAQ: http://www.securityfocus.com/archive/1/10228
BUGTRAQ: http://www.securityfocus.com/archive/1/10516<br>

Name: CVE-1999-0108

Description:

The printers program in IRIX has a buffer overflow that gives root access to local users.

Status:Entry
Reference: BUGTRAQ:19970527 another day, another buffer overflow....
Reference: URL:http://seclists.org/bugtraq/1997/May/191
Reference: XF:printers-bo

Name: CVE-1999-0109

Description:

Buffer overflow in ffbconfig in Solaris 2.5.1.

Status:Entry
Reference: AUSCERT:AA-97.06
Reference: SUN:00140
Reference: URL:http://sunsolve.sun.com/pub-cgi/retrieve.pl?doctype=coll&doc=secbull/140
Reference: XF:ffbconfig-bo

Name: CVE-1999-0110

Description:

** REJECT ** DO NOT USE THIS CANDIDATE NUMBER. ConsultIDs: CVE-1999-0315. Reason: This candidate's original description had a typo that delayed it from being detected as a duplicate of CVE-1999-0315. Notes: All CVE users should reference CVE-1999-0315 instead of this candidate. All references and descriptions in this candidate have been removed to prevent accidental usage.

Status:Candidate
Phase: Interim (19990810)

Votes:
MODIFY(1)  Frech<br>
NOOP(4)  Levy, Northcutt, Shostack, Wall<br>
REJECT(3)  Baker, Christey, Dik<br>
Voter Comments:
Frech>  XF:fdformat-bo<br>
Christey>  Duplicate of CVE-1999-0315<br>
Dik>  dup<br>

Name: CVE-1999-0111

Description:

RIP v1 is susceptible to spoofing.

Status:Entry
Reference: XF:rip

Name: CVE-1999-0112

Description:

Buffer overflow in AIX dtterm program for the CDE.

Status:Entry
Reference: BUGTRAQ:19970520 AIX 4.2 dtterm exploit
Reference: XF:dtterm-bo(878)
Reference: URL:https://exchange.xforce.ibmcloud.com/vulnerabilities/878

Name: CVE-1999-0113

Description:

Some implementations of rlogin allow root access if given a -froot parameter.

Status:Entry
Reference: BID:458
Reference: URL:http://www.securityfocus.com/bid/458
Reference: BUGTRAQ:19940729 -froot??? (AIX rlogin bug)
Reference: CERT:CA-94.09.bin.login.vulnerability
Reference: CIAC:E-26
Reference: XF:rlogin-froot

Name: CVE-1999-0114

Description:

Local users can execute commands as other users, and read other users' files, through the filter command in the Elm elm-2.4 mail package using a symlink attack.

Status:Candidate
Phase: Modified (20000106)
Reference: BUGTRAQ:19951226 filter (elm package) security hole
Reference: BUGTRAQ:19990912 elm filter program
Reference: XF:elm-filter2

Votes:
ACCEPT(7)  Armstrong, Bishop, Blake, Cole, Landfield, Shostack, Wall<br>
MODIFY(2)  Baker, Frech<br>
NOOP(3)  Christey, Northcutt, Ozancin<br>
REVIEWING(1)  Levy<br>
Voter Comments:
Frech>  XF:elm-filter2<br>
CHANGE>  [Wall changed vote from NOOP to ACCEPT]<br>
Landfield>  with Frech modifications<br>
Baker>  ADD REF http://www.cert.org/ftp/cert_bulletins/VB-95:10a.elm Official Advisory<br>
Christey>  The correct URL is http://www.cert.org/vendor_bulletins/VB-95:10a.elm
Need to make sure that this CERT advisory describes the right
problem, especially since the CERT advisory is dated December
18, 1995 and the original Bugtraq post was December 26, 1995.<br>
Christey>  BID:1802
URL:http://www.securityfocus.com/bid/1802
BID:1802 doesn't include the 1999 posting - does Security
Focus think that the 1999 post describes a different
vulnerability?<br>
Christey>  XF:elm-filter2 isn't on the X-Force web site.  How about XF:elm-filter(402) ?
Its references point to the December 26, 1995 Bugtraq post.

Also consider CIAC:G-36 and CERT:VB-95:10<br>
Frech>  DELREF:XF:elm-filter2(711)
ADDREF:XF:elm-filter(402)<br>

Name: CVE-1999-0115

Description:

AIX bugfiler program allows local users to gain root access.

Status:Entry
Reference: BID:1800
Reference: URL:http://www.securityfocus.com/bid/1800
Reference: BUGTRAQ:19970909 AIX bugfiler
Reference: XF:ibm-bugfiler

Name: CVE-1999-0116

Description:

Denial of service when an attacker sends many SYN packets to create multiple connections without ever sending an ACK to complete the connection, aka SYN flood.

Status:Entry
Reference: CERT:CA-96.21.tcp_syn.flooding
Reference: SGI:19961202-01-PX
Reference: URL:ftp://patches.sgi.com/support/free/security/advisories/19961202-01-PX
Reference: SUN:00136
Reference: URL:http://sunsolve.sun.com/pub-cgi/retrieve.pl?doctype=coll&doc=secbull/136

Name: CVE-1999-0117

Description:

AIX passwd allows local users to gain root access.

Status:Entry
Reference: CERT:CA-92:07.AIX.passwd.vulnerability
Reference: XF:ibm-passwd

Name: CVE-1999-0118

Description:

AIX infod allows local users to gain root access through an X display.

Status:Entry
Reference: BUGTRAQ:19981119 RSI.0011.11-09-98.AIX.INFOD
Reference: URL:http://marc.info/?l=bugtraq&m=91158980826979&w=2
Reference: XF:aix-infod

Name: CVE-1999-0119

Description:

Windows NT 4.0 beta allows users to read and delete shares.

Status:Candidate
Phase: Proposed (19990728)

Votes:
MODIFY(1)  Frech<br>
NOOP(2)  Baker, Northcutt<br>
REJECT(1)  Wall<br>
Voter Comments:
Wall>  Reject based on beta copy.<br>
Frech>  XF:nt-beta(11)
Reconsider reject, because this beta was in widespread use.<br>

Name: CVE-1999-0120

Description:

Sun/Solaris utmp file allows local users to gain root access if it is writable by users other than root.

Status:Entry
Reference: CERT:CA-94.06.utmp.vulnerability
Reference: SUN:00126
Reference: URL:http://sunsolve.sun.com/pub-cgi/retrieve.pl?doctype=coll&doc=secbull/126
Reference: XF:utmp-write

Name: CVE-1999-0121

Description:

Buffer overflow in dtaction command gives root access.

Status:Candidate
Phase: Proposed (19990617)
Reference: ERS:ERS-SVA-E01-1997:005.1
Reference: SUN:00164

Votes:
ACCEPT(2)  Dik, Northcutt<br>
MODIFY(3)  Baker, Frech, Prosser<br>
REVIEWING(1)  Christey<br>
Voter Comments:
Frech>  Reference: XF:dtaction-bo
Reference: XF:sun-dtaction<br>
Prosser>  Buffer overflow also affects /usr/dt/bin/dtaction in libDtSvc.a
library in AIX 4.x, but reference for this Sun vulnerability should
only reflect the Sun Bulletin or the CIAC I-032 version of the Sun
Bulletin<br>
Christey>  This is the Same Codebase as CVE-1999-0089, so the two entries
should be merged.<br>
Frech>  Replace sun-dtaction(732) with dtaction-bo(879)<br>
Baker>  Merge with 1999-0089<br>

Name: CVE-1999-0122

Description:

Buffer overflow in AIX lchangelv gives root access.

Status:Entry
Reference: BUGTRAQ:Jul21,1999
Reference: XF:lchangelv-bo

Name: CVE-1999-0123

Description:

Race condition in Linux mailx command allows local users to read user files.

Status:Candidate
Phase: Modified (20000105)
Reference: BUGTRAQ:19951222 mailx-5.5 (slackware /bin/mail) security hole
Reference: XF:linux-mailx

Votes:
ACCEPT(3)  Baker, Frech, Ozancin<br>
NOOP(1)  Wall<br>
Voter Comments:


Name: CVE-1999-0124

Description:

Vulnerabilities in UMN gopher and gopher+ versions 1.12 and 2.0x allow an intruder to read any files that can be accessed by the gopher daemon.

Status:Entry
Reference: CERT:CA-93:11.UMN.UNIX.gopher.vulnerability
Reference: XF:gopher-vuln

Name: CVE-1999-0125

Description:

Buffer overflow in SGI IRIX mailx program.

Status:Entry
Reference: SGI:19980605-01-PX
Reference: URL:ftp://patches.sgi.com/support/free/security/advisories/19980605-01-PX
Reference: XF:sgi-mailx-bo

Name: CVE-1999-0126

Description:

SGI IRIX buffer overflow in xterm and Xaw allows root access.

Status:Entry
Reference: CERT:VB-98.04.xterm.Xaw
Reference: CIAC:J-010
Reference: URL:http://www.ciac.org/ciac/bulletins/j-010.shtml
Reference: XF:xfree86-xaw
Reference: XF:xfree86-xterm-xaw

Name: CVE-1999-0127

Description:

swinstall and swmodify commands in SD-UX package in HP-UX systems allow local users to create or overwrite arbitrary files to gain root access.

Status:Candidate
Phase: Proposed (19990623)
Reference: AUSCERT:AA-96.04
Reference: CERT:CA-96.27.hp_sw_install
Reference: XF:hpux-swinstall

Votes:
ACCEPT(2)  Baker, Prosser<br>
MODIFY(1)  Frech<br>
NOOP(1)  Christey<br>
Voter Comments:
Frech>  (keep current XF: reference, and add)
XF:hpux-sqwmodify<br>
Christey>  Perhaps this should be split, per SF-LOC.<br>
Christey>  CIAC:H-81
http://ciac.llnl.gov/ciac/bulletins/h-81.shtml
HP:HPSBUX9707-064  references CERT:CA-96.27
http://ciac.llnl.gov/ciac/bulletins/h-81.shtml

The original AUSCERT advisory says that the programs "create
files in an insecure manner" and "Exploit details involving
this vulnerability have been made publicly available." which
leads one to assume that the following original Bugtraq post
provides the details for a standard symlink problem:

BUGTRAQ:19961005 swinst,bug
http://marc.theaimsgroup.com/?l=bugtraq&m=87602167419941&w=2<br>

Name: CVE-1999-0128

Description:

Oversized ICMP ping packets can result in a denial of service, aka Ping o' Death.

Status:Entry
Reference: CERT:CA-96.26.ping
Reference: XF:ping-death

Name: CVE-1999-0129

Description:

Sendmail allows local users to write to a file and gain group permissions via a .forward or :include: file.

Status:Entry
Reference: CERT:CA-96.25.sendmail_groups

Name: CVE-1999-0130

Description:

Local users can start Sendmail in daemon mode and gain root privileges.

Status:Entry
Reference: BID:716
Reference: URL:http://www.securityfocus.com/bid/716
Reference: CERT:CA-96.24.sendmail.daemon.mode
Reference: XF:sendmail-daemon-mode

Name: CVE-1999-0131

Description:

Buffer overflow and denial of service in Sendmail 8.7.5 and earlier through GECOS field gives root access to local users.

Status:Entry
Reference: BID:717
Reference: URL:http://www.securityfocus.com/bid/717
Reference: CERT:CA-96.20.sendmail_vul
Reference: XF:smtp-875bo

Name: CVE-1999-0132

Description:

Expreserve, as used in vi and ex, allows local users to overwrite arbitrary files and gain root access.

Status:Entry
Reference: CERT:CA-1996-19
Reference: URL:http://www.cert.org/advisories/CA-1996-19.html
Reference: OSVDB:11723
Reference: URL:http://www.osvdb.org/11723
Reference: XF:expreserve(401)
Reference: URL:https://exchange.xforce.ibmcloud.com/vulnerabilities/401

Name: CVE-1999-0133

Description:

fm_fls license server for Adobe Framemaker allows local users to overwrite arbitrary files and gain root access.

Status:Entry
Reference: CERT:CA-96.18.fm_fls
Reference: XF:fmaker-logfile

Name: CVE-1999-0134

Description:

vold in Solaris 2.x allows local users to gain root access.

Status:Entry
Reference: AUSCERT:AL-96.04
Reference: CERT:CA-96.17.Solaris_vold_vul
Reference: OSVDB:8159
Reference: URL:http://www.osvdb.org/8159
Reference: XF:sol-voldtmp

Name: CVE-1999-0135

Description:

admintool in Solaris allows a local user to write to arbitrary files and gain root access.

Status:Entry
Reference: AUSCERT:AL-96.03
Reference: CERT:CA-96.16.Solaris_admintool_vul
Reference: XF:sun-admintool

Name: CVE-1999-0136

Description:

Kodak Color Management System (KCMS) on Solaris allows a local user to write to arbitrary files and gain root access.

Status:Entry
Reference: AUSCERT:AL-96.02
Reference: CERT:CA-96.15.Solaris_KCMS_vul
Reference: XF:sol-KCMSvuln

Name: CVE-1999-0137

Description:

The dip program on many Linux systems allows local users to gain root access via a buffer overflow.

Status:Entry
Reference: CERT:CA-96.13.dip_vul
Reference: XF:dip-bo
Reference: XF:linux-dipbo

Name: CVE-1999-0138

Description:

The suidperl and sperl programs do not give up root privileges when changing UIDs back to the original users, allowing root access.

Status:Entry
Reference: CERT:CA-96.12.suidperl_vul
Reference: XF:sperl-suid

Name: CVE-1999-0139

Description:

Buffer overflow in Solaris x86 mkcookie allows local users to obtain root access.

Status:Entry
Reference: OSVDB:8205
Reference: URL:http://www.osvdb.org/8205
Reference: RSI:RSI.0012.12-03-98.SOLARIS.MKCOOKIE
Reference: XF:sol-mkcookie

Name: CVE-1999-0140

Description:

Denial of service in RAS/PPTP on NT systems.

Status:Candidate
Phase: Proposed (19990630)

Votes:
ACCEPT(1)  Hill<br>
MODIFY(2)  Frech, Meunier<br>
NOOP(1)  Baker<br>
REJECT(1)  Christey<br>
Voter Comments:
Meunier>  Add "pptp invalid packet length in header" to distinguish from other
vulnerabilities in RAS/PPTP on NT systems resulting in DOS, that might be
discovered in the future.<br>
Frech>  XF:nt-ras-bo
ONLY IF reference is to MS:MS99-016<br>
Christey>  According to my mappings, this is not the MS:MS99-016 problem
referred to by Andre.  However, I have yet to dig up a
source.<br>
CHANGE>  [Christey changed vote from NOOP to REVIEWING]<br>
CHANGE>  [Christey changed vote from REVIEWING to REJECT]<br>
Christey>  This is too general to know which problem is being discussed.
More precise candidates should be created.<br>
Christey>  Consider adding BID:2111<br>

Name: CVE-1999-0141

Description:

Java Bytecode Verifier allows malicious applets to execute arbitrary commands as the user of the applet.

Status:Entry
Reference: CERT:CA-96.07.java_bytecode_verifier
Reference: SUN:00134
Reference: URL:http://sunsolve.sun.com/pub-cgi/retrieve.pl?doctype=coll&doc=secbull/134
Reference: XF:http-java-applet

Name: CVE-1999-0142

Description:

The Java Applet Security Manager implementation in Netscape Navigator 2.0 and Java Developer's Kit 1.0 allows an applet to connect to arbitrary hosts.

Status:Entry
Reference: CERT:CA-96.05.java_applet_security_mgr
Reference: XF:http-java-appletsecmgr

Name: CVE-1999-0143

Description:

Kerberos 4 key servers allow a user to masquerade as another by breaking and generating session keys.

Status:Entry
Reference: CERT:CA-96.03.kerberos_4_key_server
Reference: XF:kerberos-bf

Name: CVE-1999-0144

Description:

Denial of service in Qmail by specifying a large number of recipients with the RCPT command.

Status:Candidate
Phase: Modified (20010301)
Reference: BID:2237
Reference: URL:http://www.securityfocus.com/bid/2237
Reference: BUGTRAQ:19970612 Re: Denial of service (qmail-smtpd)
Reference: URL:http://marc.info/?l=bugtraq&m=87602558319029&w=2
Reference: BUGTRAQ:19970612 qmail-dos-2.c, another denial of service attack
Reference: URL:http://marc.info/?l=bugtraq&m=87602558319024&w=2
Reference: MISC:http://cr.yp.to/qmail/venema.html
Reference: MISC:http://www.ornl.gov/its/archives/mailing-lists/qmail/1997/06/threads.html
Reference: XF:qmail-rcpt(208)
Reference: URL:https://exchange.xforce.ibmcloud.com/vulnerabilities/208

Votes:
ACCEPT(4)  Baker, Frech, Hill, Meunier<br>
REVIEWING(1)  Christey<br>
Voter Comments:
Christey>  DUPE CVE-1999-0418 and CVE-1999-0250?<br>
Christey>  Dan Bernstein, author of Qmail, says that this is not a
vulnerability in qmail because Unix has built-in resource
limits that can restrict the size of a qmail process; other
limits can be specified by the administrator.  See
http://cr.yp.to/qmail/venema.html

Significant discussion of this issue took place on the qmail
list.  The fundamental question appears to be whether 
application software should set its own limits, or rely
on limits set by the parent operating system (in this case,
UNIX).  Also, some people said that the only problem was that
the suggested configuration was not well documented, but this
was refuted by others.

See the following threads at
http://www.ornl.gov/its/archives/mailing-lists/qmail/1997/06/threads.html
"Denial of service (qmail-smtpd)"
"qmail-dos-2.c, another denial of service"
"[PATCH] denial of service"
"just another qmail denial-of-service"
"the UNIX way"
"Time for a reality check"

Also see Bugtraq threads on a different vulnerability that
is related to this topic:
BUGTRAQ:19990903 Web servers / possible DOS Attack / mime header flooding
http://archives.neohapsis.com/archives/bugtraq/1998_3/0742.html<br>
Baker>  http://cr.yp.to/qmail/venema.html
Bernstein rejects this as a vulnerability, claiming this is a slander campaign by Wietse Venema.
His page states this is not a qmail problem, rather it is a UNIX problem
that many apps can consume all available memory, and that the administrator
is responsible to set limits in the OS, rather than expect applications to
individually prevent memory exhaustion.  CAN 1999-0250 does appear to
be a duplicate of this entry, based on the research I have done so far.
There were two different bugtraq postings, but the second one references
the first, stating that the new exploit uses perl instead of shell scripting
to accomplish the same attack/exploit.<br>
Baker>  http://www.securityfocus.com/archive/1/6970
http://www.securityfocus.com/archive/1/6969
http://cr.yp.to/qmail/venema.html

Should probably reject CVE-1999-0250, and add these references to this
Candidate.<br>
Baker>  http://www.securityfocus.com/bid/2237<br>
CHANGE>  [Baker changed vote from REVIEWING to ACCEPT]<br>
Christey>  qmail-dos-1.c, as published by Wietse Venema (CVE-1999-0250)
in "BUGTRAQ:19970612 Denial of service (qmail-smtpd)", does not
use any RCPT commands.  Instead, it sends long strings
of "X" characters.  A followup by "super@UFO.ORG" includes
an exploit that claims to do the same thing; however, that
exploit does not send long strings of X characters - it sends
a large number of RCPT commands.  It appears that super@ufo.org
followed up to the wrong message.

NOTE: the ufo.org domain was purchased by another party in
2003, so the current owner is not associated with any
statements by "super@ufo.org" that were made before 2003.

qmail-dos-2.c, as published by Wietse Venema (CVE-1999-0144)
in "BUGTRAQ:19970612 qmail-dos-2.c, another denial of service attack"
sends a large number of RCPT commands.

ADDREF BID:2237
ADDREF BUGTRAQ:19970612 qmail-dos-2.c, another denial of service attack
ADDREF BUGTRAQ:19970612 Re: Denial of service (qmail-smtpd)

Also see a related thread:
BUGTRAQ:19990308 SMTP server account probing
http://marc.theaimsgroup.com/?l=bugtraq&m=92100018214316&w=2

This also describes a problem with mail servers not being able
to handle too many "RCPT TO" requests.  A followup message
notes that application-level protection is used in Sendmail
to prevent this:
BUGTRAQ:19990309 Re: SMTP server account probing
http://marc.theaimsgroup.com/?l=bugtraq&m=92101584629263&w=2
The person further says, "This attack can easily be
prevented with configuration methods."<br>

Name: CVE-1999-0145

Description:

Sendmail WIZ command enabled, allowing root access.

Status:Entry
Reference: BUGTRAQ:19950206 sendmail wizard thing...
Reference: URL:http://www2.dataguard.no/bugtraq/1995_1/0332.html
Reference: CERT:CA-1990-11
Reference: URL:http://www.cert.org/advisories/CA-1990-11.html
Reference: CERT:CA-1993-14
Reference: URL:http://www.cert.org/advisories/CA-1993-14.html
Reference: FARMERVENEMA:Improving the Security of Your Site by Breaking Into it
Reference: URL:http://www.alw.nih.gov/Security/Docs/admin-guide-to-cracking.101.html
Reference: FULLDISC:20190611 The Return of the WIZard: RCE in Exim (CVE-2019-10149)
Reference: URL:http://seclists.org/fulldisclosure/2019/Jun/16
Reference: MLIST:[oss-security] 20190605 Re: CVE-2019-10149: Exim 4.87 to 4.91: possible remote exploit
Reference: URL:http://www.openwall.com/lists/oss-security/2019/06/05/4
Reference: MLIST:[oss-security] 20190606 Re: CVE-2019-10149: Exim 4.87 to 4.91: possible remote exploit
Reference: URL:http://www.openwall.com/lists/oss-security/2019/06/06/1

Name: CVE-1999-0146

Description:

The campas CGI program provided with some NCSA web servers allows an attacker to execute arbitrary commands via encoded carriage return characters in the query string, as demonstrated by reading the password file.

Status:Entry
Reference: BID:1975
Reference: URL:http://www.securityfocus.com/bid/1975
Reference: BUGTRAQ:19970715 Bug CGI campas
Reference: XF:http-cgi-campas(298)
Reference: URL:https://exchange.xforce.ibmcloud.com/vulnerabilities/298

Name: CVE-1999-0147

Description:

The aglimpse CGI program of the Glimpse package allows remote execution of arbitrary commands.

Status:Entry
Reference: AUSCERT:AA-97.28
Reference: XF:http-cgi-glimpse

Name: CVE-1999-0148

Description:

The handler CGI program in IRIX allows arbitrary command execution.

Status:Entry
Reference: BID:380
Reference: URL:http://www.securityfocus.com/bid/380
Reference: SGI:19970501-02-PX
Reference: URL:ftp://patches.sgi.com/support/free/security/advisories/19970501-02-PX
Reference: XF:http-sgi-handler

Name: CVE-1999-0149

Description:

The wrap CGI program in IRIX allows remote attackers to view arbitrary directory listings via a .. (dot dot) attack.

Status:Entry
Reference: BID:373
Reference: URL:http://www.securityfocus.com/bid/373
Reference: BUGTRAQ:19970420 IRIX 6.x /cgi-bin/wrap bug
Reference: OSVDB:247
Reference: URL:http://www.osvdb.org/247
Reference: SGI:19970501-02-PX
Reference: URL:ftp://patches.sgi.com/support/free/security/advisories/19970501-02-PX
Reference: XF:http-sgi-wrap(290)
Reference: URL:https://exchange.xforce.ibmcloud.com/vulnerabilities/290

Name: CVE-1999-0150

Description:

The Perl fingerd program allows arbitrary command execution from remote users.

Status:Entry
Reference: XF:perl-fingerd

Name: CVE-1999-0151

Description:

The SATAN session key may be disclosed if the user points the web browser to other sites, possibly allowing root access.

Status:Entry
Reference: CERT:CA-95.06.satan.vul
Reference: CERT:CA-95.07a.REVISED.satan.vul

Name: CVE-1999-0152

Description:

The DG/UX finger daemon allows remote command execution through shell metacharacters.

Status:Entry
Reference: BUGTRAQ:19970811 dgux in.fingerd vulnerability
Reference: XF:dgux-fingerd

Name: CVE-1999-0153

Description:

Windows 95/NT out of band (OOB) data denial of service through NETBIOS port, aka WinNuke.

Status:Entry
Reference: OSVDB:1666
Reference: URL:http://www.osvdb.org/1666
Reference: XF:win-oob

Name: CVE-1999-0154

Description:

IIS 2.0 and 3.0 allows remote attackers to read the source code for ASP pages by appending a . (dot) to the end of the URL.

Status:Candidate
Phase: Proposed (20010912)
Reference: BUGTRAQ:19970220 ! [ADVISORY] Major Security Hole in MS ASP
Reference: MSKB:Q163485
Reference: MSKB:Q164059
Reference: XF:http-iis-aspdot
Reference: XF:http-iis-aspsource

Votes:
ACCEPT(4)  Foat, Frech, Stracener, Wall
NOOP(3)  Baker, Christey, Cole
Voter Comments:
Christey>  This is the precursor to the problem that is identified in
CVE-1999-0253.
Christey>  CIAC:H-48
URL:http://ciac.llnl.gov/ciac/bulletins/h-48.shtml
CHANGE>  [Foat changed vote from NOOP to ACCEPT]

Name: CVE-1999-0155

Description:

The ghostscript command with the -dSAFER option allows remote attackers to execute commands.

Status:Entry
Reference: CERT:CA-95.10.ghostscript
Reference: XF:gscript-dsafer

Name: CVE-1999-0156

Description:

wu-ftpd FTP daemon allows any user and password combination.

Status:Candidate
Phase: Proposed (19990714)
Reference: XF:ftp-pwless

Votes:
ACCEPT(2)  Northcutt, Shostack
NOOP(1)  Baker
RECAST(1)  Frech
REVIEWING(2)  Christey, Prosser
Voter Comments:
Prosser>  but so far can find no reference to this one
Frech>  Our records indicate that this does not necessarily affect just wu-ftp (ie,
also affects IIS FTP server).
Christey>  The references for XF:ftp-pwless are not specific enough,
e.g. in terms of version numbers.  Perhaps this candidate
should be rejected due to insufficient information.

Name: CVE-1999-0157

Description:

Cisco PIX firewall and CBAC IP fragmentation attack results in a denial of service.

Status:Entry
Reference: CISCO:http://www.cisco.com/warp/public/770/nifrag.shtml
Reference: OSVDB:1097
Reference: URL:http://www.osvdb.org/1097
Reference: XF:cisco-fragmented-attacks

Name: CVE-1999-0158

Description:

Cisco PIX firewall manager (PFM) on Windows NT allows attackers to connect to port 8080 on the PFM server and retrieve any file whose name and location is known.

Status:Entry
Reference: CISCO:20010913 Cisco PIX Firewall Manager File Exposure
Reference: URL:http://www.cisco.com/warp/public/770/pixmgrfile-pub.shtml
Reference: OSVDB:685
Reference: URL:http://www.osvdb.org/685
Reference: XF:cisco-pix-file-exposure

Name: CVE-1999-0159

Description:

Attackers can crash a Cisco IOS router or device, provided they can get to an interactive prompt (such as a login). This applies to some IOS 9.x, 10.x, and 11.x releases.

Status:Entry
Reference: CISCO:http://www.cisco.com/warp/public/770/ioslogin-pub.shtml
Reference: XF:cisco-ios-crash

Name: CVE-1999-0160

Description:

Some classic Cisco IOS devices have a vulnerability in the PPP CHAP authentication to establish unauthorized PPP connections.

Status:Entry
Reference: CIAC:I-002A
Reference: CISCO:19971001 Vulnerabilities in Cisco CHAP Authentication
Reference: OSVDB:1099
Reference: URL:http://www.osvdb.org/1099
Reference: XF:cisco-chap

Name: CVE-1999-0161

Description:

In Cisco IOS 10.3, with the tacacs-ds or tacacs keyword, an extended IP access control list could bypass filtering.

Status:Entry
Reference: CISCO:http://www.cisco.com/warp/public/707/1.html
Reference: OSVDB:797
Reference: URL:http://www.osvdb.org/797
Reference: XF:cisco-acl-tacacs

Name: CVE-1999-0162

Description:

The "established" keyword in some Cisco IOS software allowed an attacker to bypass filtering.

Status:Entry
Reference: CISCO:19950601 "Established" Keyword May Allow Packets to Bypass Filter
Reference: XF:cisco-acl-established

Name: CVE-1999-0163

Description:

In older versions of Sendmail, an attacker could use a pipe character to execute root commands.

Status:Candidate
Phase: Proposed (19990714)
Reference: XF:smtp-pipe

Votes:
ACCEPT(2)  Frech, Northcutt
MODIFY(1)  Prosser
NOOP(2)  Baker, Christey
RECAST(1)  Shostack
Voter Comments:
Shostack>  there was a 'To: |' and a 'From: |' attack, which I
think are separate.
Prosser>  older vulnerability, but one additional reference is-
The Ultimate Sendmail Hole List by Markus Hübner @
bau2.uibk.ac.at/matic/buglist.htm
'|PROGRAM '
Christey>  Description needs to be more specific to distinguish between
this and CVE-1999-0203, as alluded to by Adam Shostack

Name: CVE-1999-0164

Description:

A race condition in the Solaris ps command allows an attacker to overwrite critical files.

Status:Entry
Reference: AUSCERT:AA-95.07
Reference: CERT:CA-95.09.Solaris.ps.vul
Reference: OSVDB:8346
Reference: URL:http://www.osvdb.org/8346
Reference: XF:sol-pstmprace

Name: CVE-1999-0165

Description:

NFS cache poisoning.

Status:Candidate
Phase: Modified (20040811)
Reference: XF:nfs-cache

Votes:
ACCEPT(3)  Baker, Frech, Northcutt
MODIFY(1)  Shostack
NOOP(1)  Prosser
REVIEWING(1)  Christey
Voter Comments:
Shostack>  need more data
Christey>  need more refs
Christey>  Add period to the end of the description.

Name: CVE-1999-0166

Description:

NFS allows users to use a "cd .." command to access other directories besides the exported file system.

Status:Entry
Reference: XF:nfs-cd

Name: CVE-1999-0167

Description:

In SunOS, NFS file handles could be guessed, giving unauthorized access to the exported file system.

Status:Entry
Reference: CERT:CA-91.21.SunOS.NFS.Jumbo.and.fsirand
Reference: XF:nfs-guess

Name: CVE-1999-0168

Description:

The portmapper may act as a proxy and redirect service requests from an attacker, making the request appear to come from the local host, possibly bypassing authentication that would otherwise have taken place. For example, NFS file systems could be mounted through the portmapper despite export restrictions.

Status:Entry
Reference: XF:nfs-portmap

Name: CVE-1999-0169

Description:

NFS allows attackers to read and write any file on the system by specifying a false UID.

Status:Candidate
Phase: Proposed (19990714)
Reference: XF:nfs-uid

Votes:
ACCEPT(2)  Frech, Northcutt
MODIFY(1)  Baker
REJECT(1)  Shostack
Voter Comments:
Shostack>  this is not a vulnerability but a design feature.
Baker>  Maybe we should reword it so that it is clear that this was a problem to something like:

"A remote attacker could read/write files to the system with root-level permissions on NFS servers that fail to properly check the UID."

Name: CVE-1999-0170

Description:

Remote attackers can mount an NFS file system in Ultrix or OSF, even if it is denied on the access list.

Status:Entry
Reference: XF:nfs-ultrix

Name: CVE-1999-0171

Description:

Denial of service in syslog by sending it a large number of superfluous messages.

Status:Candidate
Phase: Proposed (19990714)
Reference: XF:syslog-flood

Votes:
ACCEPT(2)  Frech, Northcutt
NOOP(1)  Baker
REJECT(2)  Christey, Shostack
Voter Comments:
Shostack>  design issue, not a vulnerability.  Alternately, add:
DOS on server by opening a large number of telnet sessions..
Christey>  Duplicate of CVE-1999-0566

Name: CVE-1999-0172

Description:

FormMail CGI program allows remote execution of commands.

Status:Entry
Reference: BUGTRAQ:Aug02,1995
Reference: XF:http-cgi-formmail-exe

Name: CVE-1999-0173

Description:

FormMail CGI program can be used by web servers other than the host server that the program resides on.

Status:Entry
Reference: XF:http-cgi-formmail-use

Name: CVE-1999-0174

Description:

The view-source CGI program allows remote attackers to read arbitrary files via a .. (dot dot) attack.

Status:Entry
Reference: BUGTRAQ:19970208 view-source
Reference: XF:http-cgi-viewsrc

Name: CVE-1999-0175

Description:

The convert.bas program in the Novell web server allows a remote attacker to read any file on the system that is internally accessible by the web server.

Status:Entry
Reference: XF:http-nov-convert

Name: CVE-1999-0176

Description:

The Webgais program allows a remote user to execute arbitrary commands.

Status:Entry
Reference: BUGTRAQ:Jul10,1997
Reference: XF:http-webgais-query

Name: CVE-1999-0177

Description:

The uploader program in the WebSite web server allows a remote attacker to execute arbitrary programs.

Status:Entry
Reference: BUGTRAQ:19970904 [Alert] Website's uploader.exe (from demo) vulnerable
Reference: NTBUGTRAQ:19970904 [Alert] Website's uploader.exe (from demo) vulnerable
Reference: NTBUGTRAQ:19970905 Re: FW: [Alert] Website's uploader.exe (from demo) vulnerable
Reference: XF:http-website-uploader

Name: CVE-1999-0178

Description:

Buffer overflow in the win-c-sample program (win-c-sample.exe) in the WebSite web server 1.1e allows remote attackers to execute arbitrary code via a long query string.

Status:Entry
Reference: BID:2078
Reference: URL:http://www.securityfocus.com/bid/2078
Reference: BUGTRAQ:19970106 Re: signal handling
Reference: URL:http://archives.neohapsis.com/archives/bugtraq/1997_1/0021.html
Reference: OSVDB:8
Reference: URL:http://www.osvdb.org/8
Reference: XF:http-website-winsample(295)
Reference: URL:https://exchange.xforce.ibmcloud.com/vulnerabilities/295

Name: CVE-1999-0179

Description:

Windows NT crashes or locks up when a Samba client executes a "cd .." command on a file share.

Status:Entry
Reference: MSKB:Q140818
Reference: URL:http://support.microsoft.com/default.aspx?scid=kb;[LN];Q140818
Reference: XF:nt-35
Reference: XF:nt-351
Reference: XF:nt-samba-dotdot

Name: CVE-1999-0180

Description:

in.rshd allows users to login with a NULL username and execute commands.

Status:Entry
Reference: XF:rsh-null

Name: CVE-1999-0181

Description:

The wall daemon can be used for denial of service, social engineering attacks, or to execute remote commands.

Status:Entry
Reference: XF:walld

Name: CVE-1999-0182

Description:

Samba has a buffer overflow which allows a remote attacker to obtain root access by specifying a long password.

Status:Entry
Reference: CERT:VB-97.10.samba
Reference: CIAC:H-110
Reference: URL:http://www.ciac.org/ciac/bulletins/h-110.shtml
Reference: XF:nt-samba-bo

Name: CVE-1999-0183

Description:

Linux implementations of TFTP would allow access to files outside the restricted directory.

Status:Entry
Reference: XF:linux-tftp

Name: CVE-1999-0184

Description:

When compiled with the -DALLOW_UPDATES option, bind allows dynamic updates to the DNS server, allowing for malicious modification of DNS records.

Status:Entry
Reference: XF:dns-updates

Name: CVE-1999-0185

Description:

In SunOS or Solaris, a remote user could connect from an FTP server's data port to an rlogin server on a host that trusts the FTP server, allowing remote command execution.

Status:Entry
Reference: SUN:00156
Reference: URL:http://sunsolve.sun.com/pub-cgi/retrieve.pl?doctype=coll&doc=secbull/156
Reference: XF:sun-ftpd/logind

Name: CVE-1999-0186

Description:

In Solaris, an SNMP subagent has a default community string that allows remote attackers to execute arbitrary commands as root, or modify system parameters.

Status:Candidate
Phase: Modified (20071119)
Reference: CONFIRM:http://support.novell.com/cgi-bin/search/searchtid.cgi?/10080762.htm
Reference: SUN:00178
Reference: XF:snmp-backdoor-access

Votes:
ACCEPT(2)  Baker, Dik
MODIFY(1)  Frech
NOOP(1)  Wall
REVIEWING(1)  Christey
Voter Comments:
Frech>  Change XF:snmp-backdoor-access to XF:sol-hidden-commstr
Add ISS:Hidden Community String in SNMP Implementation
Christey>  What is the proper level of abstraction to use here?  Should
we have a separate entry for each different default community
string?  See:
http://cve.mitre.org/Board_Sponsors/archives/msg00242.html and
http://cve.mitre.org/Board_Sponsors/archives/msg00250.html
http://cve.mitre.org/Board_Sponsors/archives/msg00251.html

Until the associated content decisions have been approved
by the Editorial Board, this candidate cannot be accepted
for inclusion in CVE.
Christey>  ADDREF BID:177
Christey>  ISS:19981102 Hidden community string in SNMP implementation
http://xforce.iss.net/alerts/advise11.php

Change description to include "hidden"
Christey>  XF:snmp-backdoor-access is missing.

Name: CVE-1999-0187

Description:

** REJECT ** DO NOT USE THIS CANDIDATE NUMBER. ConsultIDs: CVE-1999-0022. Reason: This candidate is a duplicate of CVE-1999-0022. Notes: All CVE users should reference CVE-1999-0022 instead of this candidate. All references and descriptions in this candidate have been removed to prevent accidental usage.

Status:Candidate
Phase: Modified (20050204)

Votes:
ACCEPT(2)  Hill, Northcutt
RECAST(3)  Baker, Frech, Prosser
REJECT(1)  Dik
REVIEWING(1)  Christey
Voter Comments:
Prosser>  The Sun Patches in Ref roll-up fixes for an earlier BO in
rdist lookup( ) (ref CERT 96.14) as well as the BO in rdist function expstr()
(ref CERT 97-23) and various vendor bulletins.  However both of these rdist
BO's affect many more OSs than just Sun, i.e., BSD/OS 2.1, DEC OSF's, AIX,
FreeBSD, SCO, SGI, etc.  Believe this falls into the SF-codebase content
decision
Frech>  XF:rdist-bo (error msg formation)
XF:rdist-bo2 (execute code)
XF:rdist-bo3 (execute user-created code)
XF:rdist-sept97 (root from local)
Christey>  Duplicate of CVE-1999-0022 (SUN:00179 is referenced in
CERT:CA-97.23.rdist), but as Mike and Andre noted, there
are multiple flaws here, so a RECAST may be necessary.
Dik>  As currently phrased, this is a duplicate of CVE-1999-0022
Baker>  Based on our new philosophy, this should be recast/merged or re-described.

Name: CVE-1999-0188

Description:

The passwd command in Solaris can be subjected to a denial of service.

Status:Entry
Reference: SUN:00182
Reference: URL:http://sunsolve.sun.com/pub-cgi/retrieve.pl?doctype=coll&doc=secbull/182
Reference: XF:sun-passwd-dos

Name: CVE-1999-0189

Description:

Solaris rpcbind listens on a high numbered UDP port, which may not be filtered since the standard port number is 111.

Status:Entry
Reference: NAI:NAI-15
Reference: SUN:00142
Reference: URL:http://sunsolve.sun.com/pub-cgi/retrieve.pl?doctype=coll&doc=secbull/142
Reference: XF:rpc-32771

Name: CVE-1999-0190

Description:

Solaris rpcbind can be exploited to overwrite arbitrary files and gain root access.

Status:Entry
Reference: SUN:00167
Reference: URL:http://sunsolve.sun.com/pub-cgi/retrieve.pl?doctype=coll&doc=secbull/167
Reference: XF:sun-rpcbind

Name: CVE-1999-0191

Description:

IIS newdsn.exe CGI script allows remote users to overwrite files.

Status:Entry
Reference: OSVDB:275
Reference: URL:http://www.osvdb.org/275
Reference: XF:http-cgi-newdsn

Name: CVE-1999-0192

Description:

Buffer overflow in telnet daemon tgetent routing allows remote attackers to gain root access via the TERMCAP environmental variable.

Status:Entry
Reference: SNI:SNI-20
Reference: XF:bsd-tel-tgetent

Name: CVE-1999-0193

Description:

Denial of service in Ascend and 3com routers, which can be rebooted by sending a zero length TCP option.

Status:Candidate
Phase: Proposed (19990714)

Votes:
ACCEPT(5)  Bishop, Cole, Northcutt, Ozancin, Shostack
MODIFY(2)  Baker, Blake
NOOP(4)  Armstrong, Frech, Landfield, Wall
REVIEWING(2)  Christey, Levy
Voter Comments:
Frech>  possibly XF:ascend-kill
I can't find a reference that lists both routers in the same reference.
Wall>  Comment:  There is a reference about the zero length TCP option in BugTraq on
Feb 5, 1999 and it mentions Cisco, but not directly Ascend or 3Com.
CIAC Advisory I-038 mentions vulnerabilities in Ascend, but does not mention TCP.
CIAC Advisory I-052 mentions 3Com vulnerabilities, but not TCP.
Too confusing without better references.
Landfield>  What are the references for this ? I cannot find a means to check it out.
CHANGE>  [Frech changed vote from REVIEWING to NOOP]
Frech>  Cannot reconcile to our database without further references.
Blake>  I'm with Andre.  I only remember and can find reference to the Ascend
issue.  Do we have a reference to the 3Coms?  If not, that should be
removed from the description.
Baker>  http://xforce.iss.net/static/614.php	Misc Defensive Info
http://www.securityfocus.com/archive/1/5682	Misc Offensive Info
http://www.securityfocus.com/archive/1/5647	Misc Defensive Info
http://www.securityfocus.com/archive/1/5640	Misc Defensive Info
CHANGE>  [Armstrong changed vote from REVIEWING to NOOP]

Name: CVE-1999-0194

Description:

Denial of service in in.comsat allows attackers to generate messages.

Status:Entry
Reference: XF:comsat

Name: CVE-1999-0195

Description:

Denial of service in RPC portmapper allows attackers to register or unregister RPC services or spoof RPC services using a spoofed source IP address such as 127.0.0.1.

Status:Candidate
Phase: Modified (19991130)
Reference: BUGTRAQ:19990128 rpcbind: deceive, enveigle and obfuscate

Votes:
ACCEPT(2)  Balinsky, Shostack
MODIFY(1)  Frech
NOOP(3)  Baker, Northcutt, Wall
REVIEWING(2)  Christey, Levy
Voter Comments:
Frech>  XF:rpcbind-spoof
Christey>  CVE-1999-0195 = CVE-1999-0461 ?
If this is approved over CVE-1999-0461, make sure it gets
XF:pmap-sset

Name: CVE-1999-0196

Description:

websendmail in Webgais 1.0 allows a remote user to access arbitrary files and execute arbitrary code via the receiver parameter ($VAR_receiver variable).

Status:Entry
Reference: BID:2077
Reference: URL:http://www.securityfocus.com/bid/2077
Reference: BUGTRAQ:19970704 Vulnerability in websendmail
Reference: OSVDB:237
Reference: URL:http://www.osvdb.org/237
Reference: XF:http-webgais-smail

Name: CVE-1999-0197

Description:

finger 0@host on some systems may print information on some user accounts.

Status:Candidate
Phase: Proposed (19990726)

Votes:
ACCEPT(1)  Baker
MODIFY(2)  Frech, Shostack
REJECT(1)  Northcutt
Voter Comments:
Shostack>  fingerd may respond to 'finger 0@host' with account info
Frech>  Need more reference to establish this 'exposure'.
CHANGE>  [Frech changed vote from REVIEWING to MODIFY]
Frech>  XF:finger-unused-accounts(8378)
We're entering it into our database solely to track
competition. The only references seem to be product listings:
http://hq.mcafeeasap.com/vulnerabilities/vuln_data/1000.asp (1002
Finger 0@host check)
http://www.ipnsa.com/ipnsa_vuln.htm?step=1000 (Finger 0@host check)
http://cgi.nessus.org/plugins/dump.php3?id=10069 (Finger zero at host
feature)

Name: CVE-1999-0198

Description:

finger .@host on some systems may print information on some user accounts.

Status:Candidate
Phase: Proposed (19990726)

Votes:
ACCEPT(1)  Baker
MODIFY(2)  Frech, Shostack
REJECT(1)  Northcutt
Voter Comments:
Shostack>  as above
Frech>  Need more reference to establish this 'exposure'.
CHANGE>  [Frech changed vote from REVIEWING to MODIFY]
Frech>  XF:finger-unused-accounts(8378)
We're entering it into our database solely to track
competition. The only references seem to be product listings:
http://hq.mcafeeasap.com/vulnerabilities/vuln_data/1000.asp (1004
Finger .@target-host check)
http://www.ipnsa.com/ipnsa_vuln.htm?step=1000 (Finger .@target-host
check )
http://cgi.nessus.org/plugins/dump.php3?id=10072 (Finger dot at host
feature)

Name: CVE-1999-0200

Description:

Windows NT FTP server (WFTP) with the guest account enabled without a password allows an attacker to log into the FTP server using any username and password.

Status:Candidate
Phase: Modified (19991130)
Reference: MSKB:Q137853

Votes:
ACCEPT(1)  Baker
MODIFY(2)  Frech, Shostack
NOOP(2)  Northcutt, Wall
REJECT(1)  Christey
REVIEWING(1)  Levy
Voter Comments:
Shostack>  WFTP is not sufficient; is this wu-, ws-, war-, or another?
Frech>  Others have mentioned this before, but it may be WU-FTP.
POSSIBLY XF:ftp-exec; does this have to do with the Site Exec allowing root
access without anon FTP or a regular account?
POSSIBLY XF:wu-ftpd-exec; same as above conditions, but instead from a
non-anon FTP account and gain root privs.
Christey>  added MSKB reference
CHANGE>  [Christey changed vote from REVOTE to REJECT]
Christey>  The MSKB article may have confused things even more.  There
were reports of problems in a Windows-based FTP server called
WFTP (http://www.wftpd.com/) that is not a Microsoft FTP
server.  It's best to just kill this candidate where it
stands and start fresh.

Name: CVE-1999-0201

Description:

A quote cwd command on FTP servers can reveal the full path of the home directory of the "ftp" user.

Status:Entry
Reference: XF:ftp-home

Name: CVE-1999-0202

Description:

The GNU tar command, when used in FTP sessions, may allow an attacker to execute arbitrary commands.

Status:Entry
Reference: XF:ftp-exectar

Name: CVE-1999-0203

Description:

In Sendmail, attackers can gain root privileges via SMTP by specifying an improper "mail from" address and an invalid "rcpt to" address that would cause the mail to bounce to a program.

Status:Entry
Reference: CERT:CA-95.08
Reference: CIAC:E-03
Reference: XF:smtp-sendmail-version5

Name: CVE-1999-0204

Description:

Sendmail 8.6.9 allows remote attackers to execute root commands, using ident.

Status:Entry
Reference: CIAC:F-13
Reference: XF:ident-bo

Name: CVE-1999-0205

Description:

Denial of service in Sendmail 8.6.11 and 8.6.12.

Status:Candidate
Phase: Modified (19990925)
Reference: BUGTRAQ:19990708 SM 8.6.12

Votes:
ACCEPT(2)  Hill, Northcutt
MODIFY(2)  Frech, Prosser
NOOP(1)  Baker
REVIEWING(2)  Christey, Ozancin
Voter Comments:
Frech>  XF:sendmail-alias-dos
Prosser>  additional source
Bugtraq
"Re:  SM 8.6.12"
http://www.securityfocus.com
Christey>  The Bugtraq thread does not provide any proof, including a
comment by Eric Allman that he hadn't been provided any
details either.

See http://www.securityfocus.com/templates/archive.pike?list=1&date=1995-07-8&thread=199507131402.KAA02492@bedbugs.net.ohio-state.edu
for the thread.
Christey>  Change Bugtraq reference date to 19950708.

Name: CVE-1999-0206

Description:

MIME buffer overflow in Sendmail 8.8.0 and 8.8.1 gives root access.

Status:Entry
Reference: AUSCERT:AA-96.06a
Reference: XF:sendmail-mime-bo

Name: CVE-1999-0207

Description:

Remote attacker can execute commands through Majordomo using the Reply-To field and a "lists" command.

Status:Entry
Reference: CERT:CA-94.11.majordomo.vulnerabilities
Reference: XF:majordomo-exe

Name: CVE-1999-0208

Description:

rpc.ypupdated (NIS) allows remote users to execute arbitrary commands.

Status:Entry
Reference: CERT:CA-95.17.rpc.ypupdated.vul
Reference: XF:rpc-update

Name: CVE-1999-0209

Description:

The SunView (SunTools) selection_svc facility allows remote users to read files.

Status:Entry
Reference: BID:8
Reference: URL:http://www.securityfocus.com/bid/8
Reference: CERT:CA-90.05.sunselection.vulnerability
Reference: XF:selsvc

Name: CVE-1999-0210

Description:

Automount daemon automountd allows local or remote users to gain privileges via shell metacharacters.

Status:Entry
Reference: BID:235
Reference: URL:http://www.securityfocus.com/bid/235
Reference: BUGTRAQ:19971126 Solaris 2.5.1 automountd exploit (fwd)
Reference: URL:http://marc.info/?l=bugtraq&m=88053459921223&w=2
Reference: BUGTRAQ:19990103 SUN almost has a clue! (automountd)
Reference: URL:http://marc.info/?l=bugtraq&m=91547759121289&w=2
Reference: CERT:CA-99-05
Reference: URL:http://www.cert.org/advisories/CA-99-05-statd-automountd.html
Reference: HP:HPSBUX9910-104
Reference: URL:http://www1.itrc.hp.com/service/cki/docDisplay.do?docId=HPSBUX9910-104

Name: CVE-1999-0211

Description:

Extra long export lists over 256 characters in some mount daemons allows NFS directories to be mounted by anyone.

Status:Entry
Reference: BID:24
Reference: URL:http://www.securityfocus.com/bid/24
Reference: CERT:CA-94.02.REVISED.SunOS.rpc.mountd.vulnerability

Name: CVE-1999-0212

Description:

Solaris rpc.mountd generates error messages that allow a remote attacker to determine what files are on the server.

Status:Entry
Reference: CIAC:I-048
Reference: URL:http://www.ciac.org/ciac/bulletins/i-048.shtml
Reference: SUN:00168
Reference: URL:http://sunsolve.sun.com/pub-cgi/retrieve.pl?doctype=coll&doc=secbull/168
Reference: XF:sun-mountd

Name: CVE-1999-0213

Description:

libnsl in Solaris allowed an attacker to perform a denial of service of rpcbind.

Status:Candidate
Phase: Modified (20001009)
Reference: SUNBUG:4305859
Reference: XF:sun-libnsl

Votes:
ACCEPT(6)  Blake, Cole, Dik, Hill, Landfield, Ozancin
MODIFY(3)  Baker, Frech, Levy
NOOP(4)  Armstrong, Bishop, Meunier, Wall
REVIEWING(1)  Christey
Voter Comments:
Frech>  XF:sun-libnsl
Dik>  Sun bug #4305859
Baker>  http://xforce.iss.net/static/1204.php	Misc Defensive Info
http://sunsolve.sun.com/pub-cgi/retrieve.pl?doctype=coll&doc=secbull/172&type=0&nav=sec.sba	Vendor Info
http://www-1.ibm.com/services/continuity/recover1.nsf/advisories/A1050E354364BF498525680F0077E414/$file/ERS-OAR-E01-1998_074_1.txt	Vendor Info
http://www.securityfocus.com/archive/1/9749	Misc Defensive Info
Christey>  I don't think this is the bug that everyone thinks it is.
This candidate came from CyberCop Scanner 2.4/2.5, which
only reports this as a DoS problem.  If SUN:00172 is an
advisory for this, then it may be a duplicate of
CVE-1999-0055.  There appears to be overlap with other
references as well.  HOWEVER, this particular one deals with a
DoS in rpcbind - which isn't mentioned in the sources for
CVE-1999-0055.
Levy>  BID 148

Name: CVE-1999-0214

Description:

Denial of service by sending forged ICMP unreachable packets.

Status:Entry
Reference: XF:icmp-unreachable

Name: CVE-1999-0215

Description:

Routed allows attackers to append data to files.

Status:Entry
Reference: CIAC:J-012
Reference: URL:http://www.ciac.org/ciac/bulletins/j-012.shtml
Reference: SGI:19981004-01-PX
Reference: URL:ftp://patches.sgi.com/support/free/security/advisories/19981004-01-PX
Reference: XF:ripapp

Name: CVE-1999-0216

Description:

Denial of service of inetd on Linux through SYN and RST packets.

Status:Candidate
Phase: Modified (19991203)
Reference: BUGTRAQ:19971130 Linux inetd..
Reference: HP:HPSBUX9803-077
Reference: XF:hp-inetd
Reference: XF:linux-inetd-dos

Votes:
ACCEPT(1)  Hill
MODIFY(2)  Baker, Frech
RECAST(1)  Meunier
Voter Comments:
Meunier>  The location of the vulnerability, whether in the Linux kernel or the
application, is debatable.  Any program making the same (reasonable)
assumption is vulnerable, i.e., implements the same vulnerability:
"Assumption that TCP-three-way handshake is complete after calling Linux
kernel function accept(), which returns socket after getting SYN.   Result
is process death by SIGPIPE"
Moreover, whether it results in DOS (to third parties) depends on the
process that made the assumption.
I think that the present entry should be split, one entry for every
application that implements the vulnerability (really describing threat
instances, which is what other people think about when we talk about
vulnerabilities), and one entry for the Linux kernel that allows the
vulnerability to happen.
Frech>  XF:hp-inetd
XF:linux-inetd-dos
Baker>  Since we have an hpux bulletin, the description should not specifically say Linux, should it?  It applies to multiple OS and should be likely either modified, or in extreme case, recast

Name: CVE-1999-0217

Description:

Malicious option settings in UDP packets could force a reboot in SunOS 4.1.3 systems.

Status:Entry
Reference: XF:udp-bomb

Name: CVE-1999-0218

Description:

Livingston portmaster machines could be rebooted via a series of commands.

Status:Entry
Reference: XF:portmaster-reboot

Name: CVE-1999-0219

Description:

Buffer overflow in FTP Serv-U 2.5 allows remote authenticated users to cause a denial of service (crash) via a long (1) CWD or (2) LS (list) command.

Status:Entry
Reference: BID:269
Reference: URL:http://www.securityfocus.com/bid/269
Reference: BUGTRAQ:19990909 Exploit: Serv-U Ver2.5 FTPd Win9x/NT
Reference: NTBUGTRAQ:19990503 Buffer overflows in FTP Serv-U 2.5
Reference: URL:http://marc.info/?l=ntbugtraq&m=92574916930144&w=2
Reference: NTBUGTRAQ:19990504 Re: Buffer overflows in FTP Serv-U 2.5
Reference: URL:http://marc.info/?l=ntbugtraq&m=92582581330282&w=2
Reference: XF:ftp-servu(205)
Reference: URL:https://exchange.xforce.ibmcloud.com/vulnerabilities/205

Name: CVE-1999-0220

Description:

Attackers can do a denial of service of IRC by crashing the server.

Status:Candidate
Phase: Proposed (19990728)

Votes:
NOOP(2)  Baker, Northcutt
REJECT(2)  Christey, Frech
Voter Comments:
Frech>  Would reconsider if any references were available.
Christey>  No references available, combined with extremely vague
description, equals REJECT.

Name: CVE-1999-0221

Description:

Denial of service of Ascend routers through port 150 (remote administration).

Status:Entry
Reference: XF:ascend-150-kill

Name: CVE-1999-0222

Description:

Denial of service in Cisco IOS web server allows attackers to reboot the router using a long URL.

Status:Candidate
Phase: Proposed (19990714)

Votes:
ACCEPT(1)  Baker<br>
MODIFY(3)  Frech, Levy, Shostack<br>
NOOP(3)  Balinsky, Northcutt, Wall<br>
RECAST(1)  Ziese<br>
REJECT(1)  Christey<br>
Voter Comments:
Shostack>  I follow cisco announcements and problems pretty closely, and haven't
seen this.  Source?<br>
Frech>  XF:cisco-web-crash<br>
Christey>  XF:cisco-web-crash has no additional references.  I can't find
any references in Bugtraq or Cisco either.  This bug is
supposedly tested by at least one security product, but that
product's database doesn't have any references either.  So
a question becomes, how did it make it into at least two
security companies' databases?<br>
Levy>  BUGTGRAQ: http://www.securityfocus.com/archive/1/60159
BID 1154<br>
Ziese>  The vulnerability is addressed by a vendor acknowledgement.  This one, if
recast to reflect that "...after using a long url..." should be replaced
with
"...A defect in multiple releases of Cisco IOS software will cause a Cisco
router or switch to halt and reload if the IOS HTTP service is enabled,
browsing to "http://router-ip/anytext?/" is attempted, and the enable
password is supplied when requested. This defect can be exploited to produce
a denial of service (DoS) attack."
Then I can accept this and mark it as "Verified by my Company".  If it can't
be recast because this (long uri) is different than our release (special
url construction).<br>
CHANGE>  [Christey changed vote from REVIEWING to REJECT]<br>
Christey>  Elias Levy's suggested reference is CVE-2000-0380.
I don't think that Kevin's description is really addressing
this either.  The lack of references and a specific
description make this candidate unusable, so it should be
rejected.<br>

Name: CVE-1999-0223

Description:

Solaris syslogd crashes when receiving a message from a host that doesn't have an inverse DNS entry.

Status:Entry
Reference: BID:1878
Reference: URL:http://www.securityfocus.com/bid/1878
Reference: BUGTRAQ:19961109 Syslogd and Solaris 2.4
Reference: CONFIRM:http://sunsolve.Sun.COM/pub-cgi/retrieve.pl?patchid=103291&collection=fpatches
Reference: SUNBUG:1249320
Reference: XF:sol-syslogd-crash

Name: CVE-1999-0224

Description:

Denial of service in Windows NT messenger service through a long username.

Status:Entry
Reference: XF:nt-messenger

Name: CVE-1999-0225

Description:

Windows NT 4.0 allows remote attackers to cause a denial of service via a malformed SMB logon request in which the actual data size does not match the specified size.

Status:Entry
Reference: MSKB:Q180963
Reference: URL:http://www.microsoft.com/technet/support/kb.asp?ID=180963
Reference: NAI:19980214 Windows NT Logon Denial of Service
Reference: URL:http://www.nai.com/nai_labs/asp_set/advisory/25_windows_nt_dos_adv.asp
Reference: XF:nt-logondos

Name: CVE-1999-0226

Description:

Windows NT TCP/IP processes fragmented IP packets improperly, causing a denial of service.

Status:Candidate
Phase: Proposed (19990728)

Votes:
ACCEPT(1)  Northcutt<br>
MODIFY(1)  Frech<br>
NOOP(1)  Baker<br>
REJECT(1)  Christey<br>
Voter Comments:
Christey>  Too general, and no references.<br>
Frech>  XF:nt-frag(528)
See reference from BugTraq Mailing List, "A New Fragmentation Attack" at
http://www.securityfocus.com/templates/archive.pike?list=1&date=1997-07-8&msg=Pine.SUN.3.94.970710054440.11707A-100000@dfw.dfw.net<br>

Name: CVE-1999-0227

Description:

Access violation in LSASS.EXE (LSA/LSARPC) program in Windows NT allows a denial of service.

Status:Entry
Reference: MSKB:Q154087
Reference: URL:http://support.microsoft.com/default.aspx?scid=kb;[LN];Q154087
Reference: XF:nt-lsass-crash

Name: CVE-1999-0228

Description:

Denial of service in RPCSS.EXE program (RPC Locator) in Windows NT.

Status:Entry
Reference: MSKB:Q162567
Reference: URL:http://support.microsoft.com/default.aspx?scid=kb;[LN];Q162567
Reference: XF:nt-rpc-ver

Name: CVE-1999-0229

Description:

Denial of service in Windows NT IIS server using ..\..

Status:Candidate
Phase: Modified (19991228)
Reference: MSKB:Q115052

Votes:
ACCEPT(2)  Baker, Shostack<br>
MODIFY(2)  Frech, Wall<br>
NOOP(1)  Northcutt<br>
REJECT(1)  Christey<br>
REVIEWING(1)  Levy<br>
Voter Comments:
Wall>  Denial of service in Windows NT IIS Server 1.0 using ..\...
Source: Microsoft Knowledge Base Article Q115052 - IIS Server.<br>
Frech>  XF:http-dotdot (not necessarily IIS?)<br>
Christey>  DELREF XF:http-dotdot - it deals with a read/access dot dot
problem.<br>
Christey>  This actually looks like XF:iis-dot-dot-crash(1638)
http://xforce.iss.net/static/1638.php
If so, include the version number (2.0)<br>
CHANGE>  [Christey changed vote from REVOTE to REJECT]<br>
Christey>  Bill Wall intended to suggest Q155052, but the affected
IIS version there is 1.0; the effect is to read files,
so this sounds like a directory traversal problem,
instead of an inability to process certain strings.

As a result, this candidate is too general, since it could
apply to 2 different problems, so it should be REJECTed.<br>
Christey>  Consider adding BID:2218<br>

Name: CVE-1999-0230

Description:

Buffer overflow in Cisco 7xx routers through the telnet service.

Status:Entry
Reference: CISCO:http://www.cisco.com/warp/public/770/pwbuf-pub.shtml
Reference: OSVDB:1102
Reference: URL:http://www.osvdb.org/1102

Name: CVE-1999-0231

Description:

Buffer overflow in IP-Switch IMail and Seattle Labs Slmail 2.6 packages using a long VRFY command, causing a denial of service and possibly remote access.

Status:Candidate
Phase: Modified (19991207)
Reference: BUGTRAQ:19990317 Re: SLMail 2.6 DoS - Imail also

Votes:
ACCEPT(2)  Baker, Levy<br>
NOOP(3)  Christey, Landfield, Northcutt<br>
RECAST(1)  Frech<br>
REVIEWING(1)  Ozancin<br>
Voter Comments:
Frech>  XF:slmail-vrfyexpn-overflow (for Slmail v3.2 and below)
XF:smtp-vrfy-bo (many mail packages)<br>
Northcutt>  (There is no way I will have access to these systems)<br>
Christey>  Some sources report that VRFY and EXPN are both affected.<br>

Name: CVE-1999-0232

Description:

Buffer overflow in NCSA WebServer (version 1.5c) gives remote access.

Status:Candidate
Phase: Modified (19991220)

Votes:
ACCEPT(2)  Hill, Northcutt<br>
MODIFY(1)  Frech<br>
NOOP(1)  Prosser<br>
REJECT(1)  Baker<br>
REVIEWING(1)  Christey<br>
Voter Comments:
Frech>  Unable to provide a match due to vague/insufficient description/references.
Possible matches are:
XF:ftp-ncsa (probably not, considering you've mentioned the webserver.)
XF:http-ncsa-longurl (highest probability)<br>
Christey>  CVE-1999-0235 is the one associated with XF:http-ncsa-longurl
More research is necessary for this one.<br>
Baker>  Since this has no references at all, and is vague and we have a
CAN for the most likely issue, we should kill this one<br>

Name: CVE-1999-0233

Description:

IIS 1.0 allows users to execute arbitrary commands using .bat or .cmd files.

Status:Entry
Reference: MSKB:Q148188
Reference: URL:http://support.microsoft.com/default.aspx?scid=kb;[LN];Q148188
Reference: MSKB:Q155056
Reference: URL:http://support.microsoft.com/default.aspx?scid=kb;[LN];Q155056
Reference: XF:http-iis-cmd

Name: CVE-1999-0234

Description:

Bash treats any character with a value of 255 as a command separator.

Status:Entry
Reference: CERT:CA-96.22.bash_vuls
Reference: XF:bash-cmd

Name: CVE-1999-0235

Description:

Buffer overflow in NCSA WebServer (1.4.1 and below) gives remote access.

Status:Candidate
Phase: Modified (19991220)
Reference: CERT:CA-95:04
Reference: CIAC:F-11

Votes:
ACCEPT(3)  Hill, Northcutt, Prosser<br>
MODIFY(1)  Frech<br>
REJECT(2)  Baker, Christey<br>
Voter Comments:
Frech>  XF:http-ncsa-longurl<br>
Christey>  CVE-1999-0235 has the same ref's as CVE-1999-0267<br>
Baker>  Not to mention, the X-force listings of http-ncsa-longurl and http-port both
refer to the same problem.  This should be rejected as 1999-0267 is the same problem.<br>

Name: CVE-1999-0236

Description:

ScriptAlias directory in NCSA and Apache httpd allowed attackers to read CGI programs.

Status:Entry
Reference: XF:http-scriptalias

Name: CVE-1999-0237

Description:

Remote execution of arbitrary commands through Guestbook CGI program.

Status:Entry
Reference: CERT:VB-97.02
Reference: XF:http-cgi-guestbook

Name: CVE-1999-0238

Description:

php.cgi allows attackers to read any file on the system.

Status:Candidate
Phase: Proposed (19990623)
Reference: XF:http-cgi-phpfileread

Votes:
ACCEPT(5)  Baker, Collins, Frech, Northcutt, Prosser<br>
NOOP(1)  Christey<br>
Voter Comments:
Prosser>  additional source
AUSCERT External Security Bulletin ESB-97.047
http://www.auscert.org.au<br>
Christey>  ADDREF BUGTRAQ:19970416 Update on PHP/FI hole
URL:http://www.dataguard.no/bugtraq/1997_2/0069.html
The attacker specifies the filename as an argument to the
program.
Add "PHP/FI" to description to facilitate search.
AUSCERT URL is ftp://ftp.auscert.org.au/pub/auscert/ESB/ESB-97.047<br>
Christey>  Consider adding BID:2250<br>

Name: CVE-1999-0239

Description:

Netscape FastTrack Web server lists files when a lowercase "get" command is used instead of an uppercase GET.

Status:Entry
Reference: OSVDB:122
Reference: URL:http://www.osvdb.org/122
Reference: XF:fastrack-get-directory-list

Name: CVE-1999-0240

Description:

Some filters or firewalls allow fragmented SYN packets with IP reserved bits in violation of their implemented policy.

Status:Candidate
Phase: Proposed (19990728)

Votes:
ACCEPT(1)  Northcutt<br>
NOOP(1)  Baker<br>
REJECT(1)  Frech<br>
Voter Comments:
Frech>  Would reconsider if any references were available.<br>

Name: CVE-1999-0241

Description:

Guessable magic cookies in X Windows allows remote attackers to execute commands, e.g. through xterm.

Status:Candidate
Phase: Modified (19990925)
Reference: XF:http-xguess-cookie

Votes:
ACCEPT(3)  Hill, Northcutt, Proctor<br>
MODIFY(2)  Frech, Prosser<br>
NOOP(1)  Baker<br>
REVIEWING(1)  Christey<br>
Voter Comments:
Frech>  Also add to references:
XF:sol-mkcookie<br>
Prosser>  additional source
Bugtraq
"X11 cookie hijacker"
http://www.securityfocus.com<br>
Christey>  The cookie hijacker thread has to do with stealing cookies
through a file with bad permissions.  I'm not sure the
X-Force reference identifies this problem either.<br>
Christey>  CIAC:G-04
URL:http://ciac.llnl.gov/ciac/bulletins/g-04.shtml
SGI:19960601-01-I
URL:ftp://patches.sgi.com/support/free/security/advisories/19960601-01-I
CERT:VB-95:08<br>

Name: CVE-1999-0242

Description:

Remote attackers can access mail files via POP3 in some Linux systems that are using shadow passwords.

Status:Candidate
Phase: Modified (20000106)
Reference: BUGTRAQ:19951222 mailx-5.5 (slackware /bin/mail) security hole
Reference: XF:linux-pop3d

Votes:
ACCEPT(1)  Baker<br>
MODIFY(1)  Frech<br>
NOOP(4)  Christey, Northcutt, Shostack, Wall<br>
REVIEWING(1)  Levy<br>
Voter Comments:
Frech>  Ambiguous description: need more detail. Possibly:
XF:linux-pop3d (mktemp() leads to reading e-mail)<br>
Christey>  At first glance this might look like CVE-1999-0123 or
CVE-1999-0125, however this particular candidate arises out
of a brief mention of the problem in a larger posting which
discusses CVE-1999-0123 (which may be the same bug as
CVE-1999-0125).  See the following phrase in the Bugtraq
post: "one such example of this is in.pop3d"

However, the original source of this candidate's description
explicitly mentions shadowed passwords, though it has no
references to help out here.<br>

Name: CVE-1999-0243

Description:

Linux cfingerd could be exploited to gain root access.

Status:Candidate
Phase: Proposed (19990714)

Votes:
ACCEPT(1)  Shostack<br>
NOOP(4)  Baker, Levy, Northcutt, Wall<br>
REJECT(2)  Christey, Frech<br>
Voter Comments:
Christey>  This has no sources; neither does the original database that
this entry came from.  It's a likely duplicate of 
CVE-1999-0813.<br>
Frech>  I disagree on the dupe; see Linux-Security Mailing List,
"[linux-security] Cfinger (Yet more :)" at
http://www.geocrawler.com/archives/3/92/1996/9/0/2217716/. Seems as
if v1.2.3 is vulnerable, perhaps 1.3.0 also. CVE-1999-0813 pertains
to 1.4.x and below and shows up two years later.<br>
CHANGE>  [Frech changed vote from REVIEWING to REJECT]<br>
Frech>  If the reference I previously supplied is correct, then
it appears as if the poster modified the source using authorized 
access to make it vulnerable. Modifying the source in this manner 
does not qualify as being listed a vulnerability.<br>

Name: CVE-1999-0244

Description:

Livingston RADIUS code has a buffer overflow which can allow remote execution of commands as root.

Status:Entry
Reference: NAI:NAI-23
Reference: XF:radius-accounting-overflow

Name: CVE-1999-0245

Description:

Some configurations of NIS+ in Linux allowed attackers to log in as the user "+".

Status:Entry
Reference: BUGTRAQ:19950907 Linux NIS security problem hole and fix
Reference: XF:linux-plus

Name: CVE-1999-0246

Description:

HP Remote Watch allows a remote user to gain root access.

Status:Candidate
Phase: Proposed (19990630)
Reference: XF:hp-remote

Votes:
ACCEPT(4)  Frech, Hill, Northcutt, Prosser<br>
NOOP(1)  Baker<br>
RECAST(1)  Christey<br>
Voter Comments:
Frech>  Comment: Determine if it's RemoteWatch or Remote Watch.<br>
Christey>  HP:HPSBUX9610-039 alludes to multiple vulnerabilities in
Remote Watch (the advisory uses two words, not one, for the
"Remote Watch" name)

ADDREF BUGTRAQ:19961015 HP/UX Remote Watch (was Re: BoS: SOD remote exploit)
URL:http://www.securityfocus.com/templates/archive.pike?list=1&msg=199610151351.JAA18241@grymoire.crd.ge.com<br>
Prosser>  agree that the advisory mentions two vulnerabilities in Remote
Watch, one being a socket connection and other with the showdisk utility
which seems to be a suid vulnerability.  Never get much details on this
anywhere since the recommendation is to remove the program since it is
obsolete and superseded by later tools. Believe the biggest concern here is
to just not run the tool at all.<br>
Christey>  CIAC:H-16
Also, http://www.cert.org/vendor_bulletins/VB-96.20.hp
And possibly AUSCERT:AA-96.07 at
ftp://ftp.auscert.org.au/pub/auscert/advisory/AA-96.07.HP-UX.Remote.Watch.vul<br>
Christey>  Also BUGTRAQ:19961013 BoS: SOD remote exploit
http://marc.theaimsgroup.com/?l=bugtraq&m=87602167419969&w=2
Include "remwatch" in the description to facilitate search.<br>

Name: CVE-1999-0247

Description:

Buffer overflow in nnrpd program in INN up to version 1.6 allows remote users to execute arbitrary commands.

Status:Entry
Reference: BID:1443
Reference: URL:http://www.securityfocus.com/bid/1443
Reference: NAI:19970721 INN news server vulnerabilities
Reference: URL:http://www.nai.com/nai_labs/asp_set/advisory/17_inn_avd.asp
Reference: XF:inn-bo

Name: CVE-1999-0248

Description:

A race condition in the authentication agent mechanism of sshd 1.2.17 allows an attacker to steal another user's credentials.

Status:Entry
Reference: CONFIRM:http://www.uni-karlsruhe.de/~ig25/ssh-faq/ssh-faq-6.html#ss6.1
Reference: MISC:http://oliver.efri.hr/~crv/security/bugs/mUNIXes/ssh2.html

Name: CVE-1999-0249

Description:

Windows NT RSHSVC program allows remote users to execute arbitrary commands.

Status:Candidate
Phase: Proposed (19990714)

Votes:
ACCEPT(1)  Baker<br>
MODIFY(2)  Frech, Wall<br>
NOOP(2)  Northcutt, Shostack<br>
RECAST(1)  Christey<br>
REVIEWING(1)  Levy<br>
Voter Comments:
Wall>  Windows NT Rshsvc.exe from the Windows NT Resource Kit allows
remote users to execute arbitrary commands.
Source: rshsvc.txt from the Windows NT Resource Kit.<br>
Frech>  XF:rsh-svc<br>
Christey>  MSKB:Q158320, last reviewed in January 1999, refers to a case
where remote users coming from authorized machines are
allowed access regardless of what .rhosts says.  XF:rsh-svc
refers to a bug circa 1997 where any remote entity could
execute commands as system.<br>

Name: CVE-1999-0250

Description:

Denial of service in Qmail through long SMTP commands.

Status:Candidate
Phase: Modified (20010301)
Reference: BUGTRAQ:19970612 qmail-dos-2.c, another denial of service attack
Reference: URL:http://marc.info/?l=bugtraq&m=87602558319024&w=2
Reference: MISC:http://cr.yp.to/qmail/venema.html
Reference: MISC:http://www.ornl.gov/its/archives/mailing-lists/qmail/1997/06/threads.html
Reference: XF:qmail-leng

Votes:
ACCEPT(2)  Hill, Meunier<br>
MODIFY(1)  Frech<br>
REJECT(1)  Baker<br>
REVIEWING(1)  Christey<br>
Voter Comments:
Frech>  XF:qmail-rcpt<br>
Christey>  DUPE CVE-1999-0418 and CVE-1999-0144?<br>
Christey>  Dan Bernstein, author of Qmail, says that this is not a
vulnerability in qmail because Unix has built-in resource
limits that can restrict the size of a qmail process; other
limits can be specified by the administrator.  See
http://cr.yp.to/qmail/venema.html

Significant discussion of this issue took place on the qmail
list.  The fundamental question appears to be whether 
application software should set its own limits, or rely
on limits set by the parent operating system (in this case,
UNIX).  Also, some people said that the only problem was that
the suggested configuration was not well documented, but this
was refuted by others.

See the following threads at
http://www.ornl.gov/its/archives/mailing-lists/qmail/1997/06/threads.html
"Denial of service (qmail-smtpd)"
"qmail-dos-2.c, another denial of service"
"[PATCH] denial of service"
"just another qmail denial-of-service"
"the UNIX way"
"Time for a reality check"

Also see Bugtraq threads on a different vulnerability that
is related to this topic:
BUGTRAQ:19990903 Web servers / possible DOS Attack / mime header flooding
http://archives.neohapsis.com/archives/bugtraq/1998_3/0742.html<br>
Baker>  This appears to be the same vulnerability listed in CAN 1999-0144.  In reading
through both bugtraq postings, the one that is referenced by 0144 is
based on a shell code exploit to cause memory exhaustion. The bugtraq
posting referenced by this entry refers explicitly to the prior
posting for 0144, and states that the same effect could be
accomplished by a perl exploit, which was then attached.<br>
Baker>  http://www.securityfocus.com/archive/1/6969    CVE-1999-0144
http://www.securityfocus.com/archive/1/6970    CVE-1999-0250

Both references should be added to CVE-1999-0144, and CVE-1999-0250
should likely be rejected.<br>
CHANGE>  [Baker changed vote from REVIEWING to REJECT]<br>
Christey>  XF:qmail-leng no longer exists; check with Andre to see if they
regarded it as a duplicate as well.

qmail-dos-1.c, as published by Wietse Venema (CVE-1999-0250)
in "BUGTRAQ:19970612 Denial of service (qmail-smtpd)", does not
use any RCPT commands.  Instead, it sends long strings
of "X" characters.  A followup by "super@UFO.ORG" includes
an exploit that claims to do the same thing; however, that
exploit does not send long strings of X characters - it sends
a large number of RCPT commands.  It appears that super@ufo.org
followed up to the wrong message.

qmail-dos-2.c, as published by Wietse Venema (CVE-1999-0144)
in "BUGTRAQ:19970612 qmail-dos-2.c, another denial of service attack"
sends a large number of RCPT commands.

ADDREF BUGTRAQ:19970612 Denial of service (qmail-smtpd)
ADDREF BUGTRAQ:19970612 qmail-dos-2.c, another denial of service attack

Also see a related thread:
BUGTRAQ:19990308 SMTP server account probing
http://marc.theaimsgroup.com/?l=bugtraq&m=92100018214316&w=2

This also describes a problem with mail servers not being able
to handle too many "RCPT TO" requests.  A followup message
notes that application-level protection is used in Sendmail
to prevent this:
BUGTRAQ:19990309 Re: SMTP server account probing
http://marc.theaimsgroup.com/?l=bugtraq&m=92101584629263&w=2
The person further says, "This attack can easily be
prevented with configuration methods."<br>

Name: CVE-1999-0251

Description:

Denial of service in talk program allows remote attackers to disrupt a user's display.

Status:Entry
Reference: XF:talkd-flash

Name: CVE-1999-0252

Description:

Buffer overflow in listserv allows arbitrary command execution.

Status:Entry
Reference: XF:smtp-listserv

Name: CVE-1999-0253

Description:

IIS 3.0 with the iis-fix hotfix installed allows remote intruders to read source code for ASP programs by using a %2e instead of a . (dot) in the URL.

Status:Candidate
Phase: Modified (20000106)
Reference: L0PHT:19970319
Reference: XF:http-iis-2e

Votes:
ACCEPT(9)  Armstrong, Baker, Bishop, Blake, Cole, Collins, Frech, Landfield, Northcutt<br>
MODIFY(1)  LeBlanc<br>
NOOP(3)  Ozancin, Prosser, Wall<br>
REVIEWING(1)  Christey<br>
Voter Comments:
Christey>  This is a problem that was introduced after patching a
previous dot bug with the iis-fix hotfix (see CVE-1999-0154).
Since the hotfix introduced the problem, this should be
treated as a separate issue.<br>
Wall>  Agree with the comment.<br>
LeBlanc>  - this one is so old, I don't remember it at all and can't verify or
deny the issue. If you can find some documentation that says we fixed it (KB
article, hotfix, something), then I would change this to ACCEPT<br>
CHANGE>  [Christey changed vote from NOOP to REVIEWING]<br>
Christey>  BID:1814
URL:http://www.securityfocus.com/bid/1814<br>

Name: CVE-1999-0254

Description:

A hidden SNMP community string in HP OpenView allows remote attackers to modify MIB tables and obtain sensitive information.

Status:Candidate
Phase: Proposed (19990726)
Reference: ISS:Hidden SNMP community in HP OpenView
Reference: XF:hpov-hidden-snmp-comm

Votes:
ACCEPT(2)  Baker, Frech<br>
NOOP(1)  Wall<br>
REVIEWING(1)  Christey<br>
Voter Comments:
Christey>  What is the proper level of abstraction to use here?  Should
we have a separate entry for each different default community
string?  See:
http://cve.mitre.org/Board_Sponsors/archives/msg00242.html and
http://cve.mitre.org/Board_Sponsors/archives/msg00250.html
http://cve.mitre.org/Board_Sponsors/archives/msg00251.html

Until the associated content decisions have been approved
by the Editorial Board, this candidate cannot be accepted
for inclusion in CVE.<br>

Name: CVE-1999-0255

Description:

Buffer overflow in ircd allows arbitrary command execution.

Status:Candidate
Phase: Proposed (19990623)

Votes:
ACCEPT(3)  Baker, Hill, Northcutt<br>
MODIFY(1)  Frech<br>
NOOP(1)  Prosser<br>
REJECT(1)  Christey<br>
Voter Comments:
Frech>  XF:irc-bo<br>
Christey>  This is too general and doesn't have any references.  The
XF reference doesn't appear to exist any more.

Perhaps this reference would help:
BUGTRAQ:19970701 ircd buffer overflow<br>
Baker>  It appears that the XForce entry has been corrected, and there is a patch posted in the original bugtraq post.<br>

Name: CVE-1999-0256

Description:

Buffer overflow in War FTP allows remote execution of commands.

Status:Entry
Reference: OSVDB:875
Reference: URL:http://www.osvdb.org/875
Reference: XF:war-ftpd

Name: CVE-1999-0257

Description:

Nestea variation of teardrop IP fragmentation denial of service.

Status:Candidate
Phase: Proposed (19990726)

Votes:
ACCEPT(1)  Wall<br>
MODIFY(1)  Frech<br>
REVIEWING(1)  Christey<br>
Voter Comments:
Frech>  XF:nestea-linux-dos<br>
Christey>  Not sure how many separate "instances" of Teardrop
and its ilk.  Also see comments on CVE-1999-0001.

See: CVE-1999-0015, CVE-1999-0104, CVE-1999-0257, CVE-1999-0258

Is CVE-1999-0001 the same as CVE-1999-0052?  That one is related
to nestea (CVE-1999-0257) and probably the one described in
BUGTRAQ:19981023 nestea v2 against freebsd 3.0-Release
The patch for nestea is in ip_input.c around line 750.
The patches for CVE-1999-0001 are in lines 388&446.  So, 
CVE-1999-0001 is different from CVE-1999-0257 and CVE-1999-0052.
The FreeBSD patch for CVE-1999-0052 is in line 750.
So, CVE-1999-0257 and CVE-1999-0052 may be the same, though
CVE-1999-0052 should be RECAST since this bug affects Linux
and other OSes besides FreeBSD.

Also see BUGTRAQ:19990909 CISCO and nestea.

Finally, note that there is no fundamental difference between
nestea and nestea2/nestea-v2; they are different ports that
exploit the same problem.

The original nestea advisory is at
http://www.technotronic.com/rhino9/advisories/06.htm
but notice that the suggested fix is in line 375 of
ip_fragment.c, not ip_input.c.<br>
Christey>  See the SCO advisory at:
http://www.securityfocus.com/templates/advisory.html?id=1411
which may further clarify the issue.<br>
Christey>  BUGTRAQ:19980501 nestea does other things
http://marc.theaimsgroup.com/?l=bugtraq&m=90221101925819&w=2
BUGTRAQ:19980508 nestea2 and HP Jet Direct cards.
URL:http://marc.theaimsgroup.com/?l=bugtraq&m=90221101925870&w=2
BUGTRAQ:19981027 nestea v2 against freebsd 3.0-Release
URL:http://marc.theaimsgroup.com/?l=bugtraq&m=90951521507669&w=2

Nestea source code is in
MISC:http://oliver.efri.hr/~crv/security/bugs/Linux/ipfrag6.html<br>

Name: CVE-1999-0258

Description:

Bonk variation of teardrop IP fragmentation denial of service.

Status:Candidate
Phase: Proposed (19990726)

Votes:
MODIFY(2)  Frech, Wall<br>
REVIEWING(1)  Christey<br>
Voter Comments:
Wall>  Reference Q179129<br>
Frech>  XF:teardrop-mod<br>
Christey>  Not sure how many separate "instances" of Teardrop there are.
See: CVE-1999-0015, CVE-1999-0104, CVE-1999-0257, CVE-1999-0258<br>
Christey>  See the SCO advisory at:
http://www.securityfocus.com/templates/advisory.html?id=1411
which may further clarify the issue.<br>
Christey>  BUGTRAQ:19980108 bonk.c
URL:http://marc.theaimsgroup.com/?l=bugtraq&m=88429524325956&w=2
NTBUGTRAQ:19980108 bonk.c
URL:http://marc.theaimsgroup.com/?l=ntbugtraq&m=88433857200304&w=2
NTBUGTRAQ:19980109 Re: Bonk.c
URL:http://marc.theaimsgroup.com/?l=ntbugtraq&m=88441302913269&w=2
NTBUGTRAQ:19980304 Update on wide-spread NewTear Denial of Service attacks
URL:http://marc.theaimsgroup.com/?l=ntbugtraq&m=88901842000424&w=2
BUGTRAQ:19980304 Update on wide-spread NewTear Denial of Service attacks
URL:http://marc.theaimsgroup.com/?l=bugtraq&m=88903296104349&w=2
CIAC:I-031a
http://ciac.llnl.gov/ciac/bulletins/i-031a.shtml

CERT summary CS-98.02 implies that bonk, boink, and newtear
all exploit the same vulnerability.<br>

Name: CVE-1999-0259

Description:

cfingerd lists all users on a system via search.**@target.

Status:Entry
Reference: BUGTRAQ:19970523 cfingerd vulnerability
Reference: XF:cfinger-user-enumeration

Name: CVE-1999-0260

Description:

The jj CGI program allows command execution via shell metacharacters.

Status:Entry
Reference: BUGTRAQ:19961224 jj cgi
Reference: XF:http-cgi-jj

Name: CVE-1999-0261

Description:

Netmanager Chameleon SMTPd has several buffer overflows that cause a crash.

Status:Candidate
Phase: Modified (20000827)
Reference: BUGTRAQ:19980504 Netmanage Holes
Reference: MISC:http://www.insecure.org/sploits/netmanage.chameleon.overflows.html

Votes:
ACCEPT(1)  Baker<br>
MODIFY(2)  Frech, Landfield<br>
NOOP(3)  Christey, Northcutt, Ozancin<br>
Voter Comments:
Frech>  XF:chamelion-smtp-dos<br>
Landfield>  - Specify what "a crash" means.<br>
Christey>  ADDREF XF:chameleon-smtp-dos ?  (but it's not on the web site)<br>
Christey>  Consider adding BID:2387<br>

Name: CVE-1999-0262

Description:

Hylafax faxsurvey CGI script on Linux allows remote attackers to execute arbitrary commands via shell metacharacters in the query string.

Status:Entry
Reference: BID:2056
Reference: URL:http://www.securityfocus.com/bid/2056
Reference: BUGTRAQ:19980804 PATCH: faxsurvey
Reference: BUGTRAQ:19980804 remote exploit in faxsurvey cgi-script
Reference: XF:http-cgi-faxsurvey(1532)
Reference: URL:https://exchange.xforce.ibmcloud.com/vulnerabilities/1532

Name: CVE-1999-0263

Description:

Solaris SUNWadmap can be exploited to obtain root access.

Status:Entry
Reference: SUN:00173
Reference: URL:http://sunsolve.sun.com/pub-cgi/retrieve.pl?doctype=coll&doc=secbull/173
Reference: XF:sun-sunwadmap

Name: CVE-1999-0264

Description:

htmlscript CGI program allows remote read access to files.

Status:Entry
Reference: BUGTRAQ:Jan27,1998
Reference: XF:http-htmlscript-file-access

Name: CVE-1999-0265

Description:

ICMP redirect messages may crash or lock up a host.

Status:Entry
Reference: ISS:ICMP Redirects Against Embedded Controllers
Reference: MSKB:Q154174
Reference: URL:http://support.microsoft.com/default.aspx?scid=kb;[LN];Q154174
Reference: XF:icmp-redirect

Name: CVE-1999-0266

Description:

The info2www CGI script allows remote file access or remote command execution.

Status:Entry
Reference: BID:1995
Reference: URL:http://www.securityfocus.com/bid/1995
Reference: BUGTRAQ:19980303 Vulnerabilites in some versions of info2www CGI
Reference: XF:http-cgi-info2www

Name: CVE-1999-0267

Description:

Buffer overflow in NCSA HTTP daemon v1.3 allows remote command execution.

Status:Entry
Reference: CERT:CA-95.04.NCSA.http.daemon.for.unix.vulnerability
Reference: XF:http-port

Name: CVE-1999-0268

Description:

MetaInfo MetaWeb web server allows users to upload, execute, and read scripts.

Status:Entry
Reference: BUGTRAQ:19980630 Security vulnerabilities in MetaInfo products
Reference: BUGTRAQ:19980703 Followup to MetaInfo vulnerabilities
Reference: OSVDB:110
Reference: URL:http://www.osvdb.org/110
Reference: OSVDB:3969
Reference: URL:http://www.osvdb.org/3969
Reference: XF:metaweb-server-dot-attack

Name: CVE-1999-0269

Description:

Netscape Enterprise servers may list files through the PageServices query.

Status:Entry
Reference: XF:netscape-server-pageservices

Name: CVE-1999-0270

Description:

Directory traversal vulnerability in pfdispaly.cgi program (sometimes referred to as "pfdisplay") for SGI's Performer API Search Tool (performer_tools) allows remote attackers to read arbitrary files.

Status:Entry
Reference: BID:64
Reference: URL:http://www.securityfocus.com/bid/64
Reference: BUGTRAQ:19980317 IRIX performer_tools bug
Reference: CIAC:I-041
Reference: URL:http://www.ciac.org/ciac/bulletins/i-041.shtml
Reference: OSVDB:134
Reference: URL:http://www.osvdb.org/134
Reference: SGI:19980401-01-P
Reference: URL:ftp://patches.sgi.com/support/free/security/advisories/19980401-01-P
Reference: XF:sgi-pfdispaly(810)
Reference: URL:https://exchange.xforce.ibmcloud.com/vulnerabilities/810

Name: CVE-1999-0271

Description:

Progressive Networks Real Video server (pnserver) can be crashed remotely.

Status:Candidate
Phase: Modified (19990925)
Reference: BUGTRAQ:19980115 pnserver exploit..
Reference: BUGTRAQ:19980817 Re: Real Audio Server Version 5 bug?

Votes:
ACCEPT(3)  Baker, Blake, Northcutt<br>
MODIFY(1)  Frech<br>
NOOP(1)  Prosser<br>
REVIEWING(1)  Christey<br>
Voter Comments:
Christey>  Problem confirmed by RealServer vendor (URL listed in Bugtraq
posting), but may be multiple codebases since several
Real Audio servers are affected.

Also, this may be the same as BUGTRAQ:19991105 RealNetworks RealServer G2 buffer overflow.
See CVE-1999-0896<br>
CHANGE>  [Frech changed vote from REVIEWING to MODIFY]<br>
Frech>  ADDREF XF:realvideo-telnet-dos<br>

Name: CVE-1999-0272

Description:

Denial of service in Slmail v2.5 through the POP3 port.

Status:Entry
Reference: XF:slmail-username-bo

Name: CVE-1999-0273

Description:

Denial of service through Solaris 2.5.1 telnet by sending ^D characters.

Status:Entry
Reference: XF:sun-telnet-kill

Name: CVE-1999-0274

Description:

Denial of service in Windows NT DNS servers through malicious packet which contains a response to a query that wasn't made.

Status:Entry
Reference: NAI:NAI-5
Reference: XF:nt-dns-dos

Name: CVE-1999-0275

Description:

Denial of service in Windows NT DNS servers by flooding port 53 with too many characters.

Status:Entry
Reference: MS:Q169461
Reference: XF:nt-dnscrash
Reference: XF:nt-dnsver

Name: CVE-1999-0276

Description:

mSQL v2.0.1 and below allows remote execution through a buffer overflow.

Status:Entry
Reference: SEKURE:sekure.01-99.msql
Reference: XF:msql-debug-bo

Name: CVE-1999-0277

Description:

The WorkMan program can be used to overwrite any file to get root access.

Status:Entry
Reference: CERT:CA-96.23.workman_vul
Reference: XF:workman

Name: CVE-1999-0278

Description:

In IIS, remote attackers can obtain source code for ASP files by appending "::$DATA" to the URL.

Status:Entry
Reference: MS:MS98-003
Reference: URL:https://docs.microsoft.com/en-us/security-updates/securitybulletins/1998/ms98-003
Reference: OVAL:oval:org.mitre.oval:def:913
Reference: URL:https://oval.cisecurity.org/repository/search/definition/oval%3Aorg.mitre.oval%3Adef%3A913
Reference: XF:iis-asp-data-check

Name: CVE-1999-0279

Description:

Excite for Web Servers (EWS) allows remote command execution via shell metacharacters.

Status:Entry
Reference: BUGTRAQ:19971217 CGI security hole in EWS (Excite for Web Servers)
Reference: BUGTRAQ:19980115 Excite announcement
Reference: CERT:VB-98.01.excite
Reference: XF:excite-cgi-search-vuln

Name: CVE-1999-0280

Description:

Remote command execution in Microsoft Internet Explorer using .lnk and .url files.

Status:Entry
Reference: CIAC:H-38
Reference: NTBUGTRAQ:19970317 Internet Explorer Bug #4
Reference: XF:http-ie-lnkurl

Name: CVE-1999-0281

Description:

Denial of service in IIS using long URLs.

Status:Entry
Reference: XF:http-iis-longurl

Name: CVE-1999-0282

Description:

** REJECT ** DO NOT USE THIS CANDIDATE NUMBER. ConsultIDs: CVE-1999-1584, CVE-1999-1586. Reason: This candidate combined references from one issue with the description from another issue. Notes: Users should consult CVE-1999-1584 and CVE-1999-1586 to obtain the appropriate name. All references and descriptions in this candidate have been removed to prevent accidental usage.

Status:Candidate
Phase: Modified (20050830)

Votes:
ACCEPT(2)  Baker, Dik<br>
MODIFY(1)  Frech<br>
NOOP(1)  Ozancin<br>
RECAST(1)  Prosser<br>
REJECT(1)  Christey<br>
Voter Comments:
Frech>  XF:sun-loadmodule
XF:sun-modload (CERT CA-93.18 very old!)<br>
Prosser>  Believe the reference given, 95-12,  is referencing a later
loadmodule(8) setuid problem in the X11/NeWS windowing system.  There is an
earlier, similar setuid vulnerability in the CA-93.18, CIAC G-02 advisories
for the SunOS 4.1.x/Solbourne and OpenWindow 3.0.  In fact, there may be the
same as the HP patches are 100448-02 for the 93 loadmodule/modload
vulnerability and 100448-03 for the 95 loadmodule vulnerability which
normally indicated a patch update.  Looks like the original patch either
didn't completely fix the problem or it resurfaced in X11 NeWS.  Can't tell
much beyond that and this is my opinion only as have no way to check it.  
Which one is this CVE referencing?  I accept both.<br>
Dik>  There are three similar Sun bug ids associated with the patches.
1076118 loadmodule has a security vulnerability
1148753 loadmodule has a security vulnerability
1222192 loadmodule has a security vulnerability
as well as:
1137491
Ancient stuff.<br>
Christey>  Add period to the end of the description.<br>
CHANGE>  [Christey changed vote from NOOP to REVIEWING]<br>
Christey>  This is distinct from CVE-1999-1584 - CVE-1999-1584 is for
CA-93.18.<br>
CHANGE>  [Christey changed vote from REVIEWING to REJECT]<br>
Christey>  This candidate combines two separate issues.  It uses the CERT
alert reference from 1995, from one issue, but a description that
is associated with a separate issue.<br>

Name: CVE-1999-0283

Description:

The Java Web Server would allow remote users to obtain the source code for CGI programs.

Status:Candidate
Phase: Modified (19991203)
Reference: BUGTRAQ:19970716 Viewable .jhtml source with JavaWebServer
Reference: URL:http://marc.info/?l=bugtraq&m=88256790401004&w=2

Votes:
ACCEPT(7)  Baker, Blake, Cole, Collins, Dik, Northcutt, Wall<br>
MODIFY(1)  Frech<br>
NOOP(5)  Armstrong, Bishop, Christey, Landfield, Prosser<br>
REVIEWING(1)  Ozancin<br>
Voter Comments:
Wall>  Acknowledged by vendor at
http://www.sun.com/software/jwebserver/techinfo/jws112info.html.<br>
Baker>  Vulnerability Reference (HTML)	Reference Type
http://www.securityfocus.com/archive/1/7260	Misc Defensive Info
http://www.sun.com/software/jwebserver/techinfo/jws112info.html Vendor Info<br>
Christey>  BID:1891
URL:http://www.securityfocus.com/bid/1891<br>
Christey>  Add version number (1.1 beta) and details of attack (appending
a . or a \)

The Sun URL referenced by Dave Baker no longer exists, so I
wasn't able to verify that it addressed the problem described
in the Bugtraq post.  This might not even be Sun's
"Java Web Server," as CVE-2001-0186 describes some product
called "Free Java Web Server"<br>
Dik>  There appears to be some confusion.

The particular bug seems to be on in JWS 1.1beta or 1.1 which was fixed
in 1.1.2 (get foo.jhtml source by appending "." or "\" to URL)

There are other bugs that give access and that require a configuration
change.

http://www.sun.com/software/jwebserver/techinfo/security_advisory.html<br>
Christey>  Need to make sure to create CAN's for the other bugs,
as documented in:
NTBUGTRAQ:19980724 Alert: New Source Bug Affect Sun JWS
http://marc.theaimsgroup.com/?l=ntbugtraq&m=90222454131622&w=2
BUGTRAQ:19980725 Alert: New Source Bug Affect Sun JWS
http://marc.theaimsgroup.com/?l=bugtraq&m=90221104526086&w=2
The reported bugs are:
1) file read by appending %20
2) Directly call /servlet/file
URL:http://www.sddt.com/cgi-bin/Subscriber?/library/98/07/24/tbd.html
#2 is explicitly mentioned in the Sun advisory for
CVE-1999-0283.<br>
CHANGE>  [Frech changed vote from REVIEWING to MODIFY]<br>
Frech>  XF:javawebserver-cgi-source(5383)<br>

Name: CVE-1999-0284

Description:

Denial of service to NT mail servers including Ipswitch, Mdaemon, and Exchange through a buffer overflow in the SMTP HELO command.

Status:Candidate
Phase: Proposed (19990623)
Reference: XF:smtp-helo-bo

Votes:
ACCEPT(2)  Blake, Northcutt<br>
MODIFY(3)  Frech, Levy, Ozancin<br>
NOOP(1)  Baker<br>
REVIEWING(1)  Christey<br>
Voter Comments:
Frech>  "Windows NT-based mail servers" (A trademark thing, and for clarification)
XF:mdaemon-helo-bo
XF:lotus-notes-helo-crash
XF:slmail-helo-overflow
XF:smtp-helo-bo (mentions several products)
XF:smtp-exchangedos<br>
Levy>  - Need one per software. Each one should be its own
vulnerability.<br>
Ozancin>  => Windows NT is correct<br>
Christey>  These are probably multiple codebases, so we'll need to use
dot notation.  Also need to see if this should be merged
with CVE-1999-0098 (Sendmail SMTP HELO).<br>

Name: CVE-1999-0285

Description:

Denial of service in telnet from the Windows NT Resource Kit, by opening then immediately closing a connection.

Status:Candidate
Phase: Proposed (19990630)

Votes:
ACCEPT(1)  Hill<br>
NOOP(2)  Baker, Wall<br>
REJECT(2)  Christey, Frech<br>
Voter Comments:
Christey>  No references, no information.<br>
CHANGE>  [Frech changed vote from REVIEWING to REJECT]<br>
Frech>  No references; closest documented match is with
CVE-2001-0346, but that's for Windows 2000.<br>

Name: CVE-1999-0286

Description:

In some NT web servers, appending a space at the end of a URL may allow attackers to read source code for active pages.

Status:Candidate
Phase: Proposed (19990714)

Votes:
ACCEPT(3)  Armstrong, Cole, Shostack<br>
MODIFY(3)  Blake, Levy, Wall<br>
NOOP(5)  Baker, Bishop, Landfield, Northcutt, Ozancin<br>
REJECT(1)  Frech<br>
REVIEWING(1)  Christey<br>
Voter Comments:
Wall>  In some NT web servers, appending a dot at the end of a URL may
allow attackers to read source code for active pages.
Source:  MS Knowledge Base Article Q163485 - "Active Server Pages Script Appears
in Browser"<br>
Frech>  In the meantime, reword description as 'Windows NT' (trademark issue)<br>
Christey>  Q163485 does not refer to a space, it refers to a dot.
However, I don't have other references.

Reading source code with a dot appended is in CVE-1999-0154,
which will be proposed.  A subsequent bug similar to the
dot bug is CVE-1999-0253.<br>
Levy>  NTBUGTRAQ: http://www.securityfocus.com/archive/2/22014
NTBUGTRAQ: http://www.securityfocus.com/archive/2/22019
BID 273<br>
Blake>  Reference:  http://www.allaire.com/handlers/index.cfm?ID=10967<br>
CHANGE>  [Christey changed vote from NOOP to REVIEWING]<br>
CHANGE>  [Frech changed vote from REVIEWING to REJECT]<br>
Frech>  BID articles)<br>

Name: CVE-1999-0287

Description:

Vulnerability in the Wguest CGI program.

Status:Candidate
Phase: Proposed (19990714)

Votes:
MODIFY(2)  Frech, Shostack<br>
NOOP(4)  Blake, Levy, Northcutt, Wall<br>
REJECT(2)  Baker, Christey<br>
Voter Comments:
Shostack>  allows file reading<br>
Frech>  XF:http-cgi-webcom-guestbook<br>
Christey>  CVE-1999-0287 is probably a duplicate of CVE-1999-0467.  In
NTBUGTRAQ:19990409 Webcom's CGI Guestbook for Win32 web servers
Mnemonix says that he had previously reported on a similar
problem.  Let's refer to the NTBugtraq posting as
CVE-1999-0467.  We will refer to the "previous report" as
CVE-1999-0287, which could be found at:
http://oliver.efri.hr/~crv/security/bugs/NT/httpd41.html

0287 describes an exploit via the "template" hidden variable.
The exploit describes manually editing the HTML form to
change the filename to read from the template variable.

The exploit as described in 0467 encodes the template variable
directly into the URL.  However, hidden variables are also
encoded into the URL, which would have looked the same to
the web server regardless of the exploit.  Therefore 0287
and 0467 are the same.<br>
Christey>  BID:2024<br>

Name: CVE-1999-0288

Description:

The WINS server in Microsoft Windows NT 4.0 before SP4 allows remote attackers to cause a denial of service (process termination) via invalid UDP frames to port 137 (NETBIOS Name Service), as demonstrated via a flood of random packets.

Status:Entry
Reference: BUGTRAQ:19970801 WINS flooding
Reference: BUGTRAQ:19970815 Re: WINS flooding
Reference: MISC:http://safenetworks.com/Windows/wins.html
Reference: MSKB:155701
Reference: NTBUGTRAQ:19970801 WINS flooding
Reference: XF:nt-winsupd-fix(1233)
Reference: URL:https://exchange.xforce.ibmcloud.com/vulnerabilities/1233

Name: CVE-1999-0289

Description:

The Apache web server for Win32 may provide access to restricted files when a . (dot) is appended to a requested URL.

Status:Entry

Name: CVE-1999-0290

Description:

The WinGate telnet proxy allows remote attackers to cause a denial of service via a large number of connections to localhost.

Status:Entry
Reference: BUGTRAQ:19980221 WinGate DoS
Reference: BUGTRAQ:19980326 WinGate Intermediary Fix/Update
Reference: XF:wingate-dos

Name: CVE-1999-0291

Description:

The WinGate proxy is installed without a password, which allows remote attackers to redirect connections without authentication.

Status:Entry
Reference: XF:wingate-unpassworded

Name: CVE-1999-0292

Description:

Denial of service through Winpopup using large user names.

Status:Entry
Reference: XF:nt-winpopup

Name: CVE-1999-0293

Description:

AAA authentication on Cisco systems allows attackers to execute commands without authorization.

Status:Entry
Reference: CISCO:http://www.cisco.com/warp/public/770/aaapair-pub.shtml
Reference: XF:cisco-ios-aaa-auth

Name: CVE-1999-0294

Description:

All records in a WINS database can be deleted through SNMP for a denial of service.

Status:Entry
Reference: XF:nt-wins-snmp2

Name: CVE-1999-0295

Description:

Solaris sysdef command allows local users to read kernel memory, potentially leading to root privileges.

Status:Entry
Reference: SUN:00157
Reference: URL:http://sunsolve.sun.com/pub-cgi/retrieve.pl?doctype=coll&doc=secbull/157
Reference: XF:sun-sysdef

Name: CVE-1999-0296

Description:

Solaris volrmmount program allows attackers to read any file.

Status:Entry
Reference: SUN:00162
Reference: URL:http://sunsolve.sun.com/pub-cgi/retrieve.pl?doctype=coll&doc=secbull/162
Reference: XF:sun-volrmmount

Name: CVE-1999-0297

Description:

Buffer overflow in Vixie Cron library up to version 3.0 allows local users to obtain root access via a long environmental variable.

Status:Entry
Reference: AUSCERT:AA-96.21
Reference: CIAC:H-17
Reference: NAI:NAI-3
Reference: XF:vixie-cron

Name: CVE-1999-0298

Description:

ypbind with -ypset and -ypsetme options activated in Linux Slackware and SunOS allows local and remote attackers to overwrite files via a .. (dot dot) attack.

Status:Candidate
Phase: Modified (20000524)
Reference: NAI:19970205 Vulnerabilities in Ypbind when run with -ypset/-ypsetme
Reference: URL:http://www.nai.com/nai_labs/asp_set/advisory/06_ypbindsetme_adv.asp

Votes:
ACCEPT(4)  Cole, Dik, Levy, Northcutt<br>
MODIFY(1)  Frech<br>
NOOP(3)  Baker, Christey, Shostack<br>
Voter Comments:
Christey>  ADDREF BID:1441
URL:http://www.securityfocus.com/bid/1441<br>
Dik>  If you run with "-ypset", then you're always insecure.
With ypsetme, only root on the local host
can run ypset in Solaris 2.x+.
Probably true for SunOS 4, hence my vote.<br>
CHANGE>  [Frech changed vote from REVIEWING to MODIFY]<br>
Frech>  ADDREF XF:ypbind-ypset-root<br>
CHANGE>  [Dik changed vote from REVIEWING to ACCEPT]<br>
Dik>  This vulnerability does exist in SunOS 4.x in non default configurations.
In Solaris 2.x, the vulnerability only applies to files named "cache_binding"
and not all files ending in .2
Both releases are not vulnerable in the default configuration (both
disallow ypset by default which prevents this problem from occurring)<br>

Name: CVE-1999-0299

Description:

Buffer overflow in FreeBSD lpd through long DNS hostnames.

Status:Entry
Reference: NAI:NAI-9
Reference: OSVDB:6093
Reference: URL:http://www.osvdb.org/6093

Name: CVE-1999-0300

Description:

nis_cachemgr for Solaris NIS+ allows attackers to add malicious NIS+ servers.

Status:Entry
Reference: SUN:00155
Reference: URL:http://sunsolve.sun.com/pub-cgi/retrieve.pl?doctype=coll&doc=secbull/155
Reference: XF:sun-niscache

Name: CVE-1999-0301

Description:

Buffer overflow in SunOS/Solaris ps command.

Status:Entry
Reference: AUSCERT:AUSCERT-97.17
Reference: SUN:00149
Reference: URL:http://sunsolve.sun.com/pub-cgi/retrieve.pl?doctype=coll&doc=secbull/149
Reference: XF:sun-ps2bo

Name: CVE-1999-0302

Description:

SunOS/Solaris FTP clients can be forced to execute arbitrary commands from a malicious FTP server.

Status:Entry
Reference: SUN:00176
Reference: URL:http://sunsolve.sun.com/pub-cgi/retrieve.pl?doctype=coll&doc=secbull/176
Reference: XF:sun-ftp-server

Name: CVE-1999-0303

Description:

Buffer overflow in BNU UUCP daemon (uucpd) through long hostnames.

Status:Entry
Reference: RSI:RSI.0002.05-18-98.BNU.UUCPD
Reference: XF:bnu-uucpd-bo

Name: CVE-1999-0304

Description:

mmap function in BSD allows local attackers in the kmem group to modify memory through devices.

Status:Entry
Reference: FREEBSD:FreeBSD-SA-98:02
Reference: XF:bsd-mmap

Name: CVE-1999-0305

Description:

The system configuration control (sysctl) facility in BSD based operating systems OpenBSD 2.2 and earlier, and FreeBSD 2.2.5 and earlier, does not properly restrict source routed packets even when the (1) dosourceroute or (2) forwarding variables are set, which allows remote attackers to spoof TCP connections.

Status:Entry
Reference: MISC:http://www.openbsd.org/advisories/sourceroute.txt
Reference: OPENBSD:Feb15,1998 "IP Source Routing Problem"
Reference: OSVDB:11502
Reference: URL:http://www.osvdb.org/11502
Reference: XF:bsd-sourceroute(736)
Reference: URL:https://exchange.xforce.ibmcloud.com/vulnerabilities/736

Name: CVE-1999-0306

Description:

Buffer overflow in HP xlock program.

Status:Candidate
Phase: Proposed (19990714)
Reference: XF:hp-xlock

Votes:
ACCEPT(3)  Baker, Frech, Northcutt<br>
MODIFY(1)  Prosser<br>
NOOP(1)  Shostack<br>
REJECT(1)  Christey<br>
Voter Comments:
Prosser>  This is another of those with multiple affected OSs.
Refs:  CA-97.13, http://207.237.120.45/linux/xlock-exploit.txt,
HPSBUX9711-073, SGI 19970502-02-PX, Sun Bulletin 000150<br>
Christey>  XF:hp-xlock points to SGI:19970502-02-PX which says this is
the same problem as in CERT:CA-97.13, which is CVE-1999-0038.<br>

Name: CVE-1999-0307

Description:

Buffer overflow in HP-UX cstm program allows local users to gain root privileges.

Status:Candidate
Phase: Modified (19991207)
Reference: BUGTRAQ:19961116 This week: turn me on, dead man
Reference: XF:hpux-cstm-bo

Votes:
ACCEPT(2)  Frech, Northcutt<br>
NOOP(3)  Baker, Prosser, Shostack<br>
RECAST(1)  Christey<br>
Voter Comments:
Prosser>  only ref I can find is an old SOD exploit on
www.outpost9.com<br>
Christey>  MERGE CVE-1999-0336 (the exact exploit works with both
cstm and mstm, which are clearly part of the same package,
so CD:SF-EXEC says to merge them.)

Also, there does not seem to be any recognition of this problem
by HP.  The only other information besides the Bugtraq post
is the SOD exploit.

See the original post:
http://www.securityfocus.com/templates/archive.pike?list=1&date=1996-11-15&msg=Pine.LNX.3.91.961116112242.15276J-100000@underground.org<br>

Name: CVE-1999-0308

Description:

HP-UX gwind program allows users to modify arbitrary files.

Status:Entry
Reference: CIAC:H-03: HP-UX suid Vulnerabilities
Reference: HP:HPSBUX9410-018
Reference: URL:http://www1.itrc.hp.com/service/cki/docDisplay.do?docId=HPSBUX9410-018
Reference: XF:hpux-gwind-overwrite

Name: CVE-1999-0309

Description:

HP-UX vgdisplay program gives root access to local users.

Status:Entry
Reference: CIAC:H-27: HP-UX vgdisplay Buffer Overrun Vulnerability
Reference: HP:HPSBUX9702-056
Reference: URL:http://www1.itrc.hp.com/service/cki/docDisplay.do?docId=HPSBUX9702-056
Reference: XF:hpux-vgdisplay

Name: CVE-1999-0310

Description:

SSH 1.2.25 on HP-UX allows access to new user accounts.

Status:Entry
Reference: XF:ssh-1225

Name: CVE-1999-0311

Description:

fpkg2swpk in HP-UX allows local users to gain root access.

Status:Entry
Reference: HP:HPSBUX9612-042
Reference: URL:http://www1.itrc.hp.com/service/cki/docDisplay.do?docId=HPSBUX9612-042
Reference: XF:hpux-fpkg2swpk

Name: CVE-1999-0312

Description:

HP ypbind allows attackers with root privileges to modify NIS data.

Status:Entry
Reference: CERT:CA-93:01.REVISED.HP.NIS.ypbind.vulnerability
Reference: XF:nis-ypbind

Name: CVE-1999-0313

Description:

disk_bandwidth on SGI IRIX 6.4 S2MP for Origin/Onyx2 allows local users to gain root access using relative pathnames.

Status:Entry
Reference: BID:214
Reference: URL:http://www.securityfocus.com/bid/214
Reference: MISC:http://www.securityfocus.com/bid/213/exploit
Reference: OSVDB:936
Reference: URL:http://www.osvdb.org/936
Reference: SGI:19980701-01-P
Reference: URL:ftp://patches.sgi.com/support/free/security/advisories/19980701-01-P
Reference: XF:sgi-disk-bandwidth(1441)
Reference: URL:https://exchange.xforce.ibmcloud.com/vulnerabilities/1441

Name: CVE-1999-0314

Description:

ioconfig on SGI IRIX 6.4 S2MP for Origin/Onyx2 allows local users to gain root access using relative pathnames.

Status:Entry
Reference: BID:213
Reference: URL:http://www.securityfocus.com/bid/213
Reference: MISC:http://www.securityfocus.com/bid/213/exploit
Reference: OSVDB:6788
Reference: URL:http://www.osvdb.org/6788
Reference: SGI:19980701-01-P
Reference: URL:ftp://patches.sgi.com/support/free/security/advisories/19980701-01-P
Reference: XF:sgi-ioconfig(1199)
Reference: URL:https://exchange.xforce.ibmcloud.com/vulnerabilities/1199

Name: CVE-1999-0315

Description:

Buffer overflow in Solaris fdformat command gives root access to local users.

Status:Entry
Reference: SUN:00138
Reference: URL:http://sunsolve.sun.com/pub-cgi/retrieve.pl?doctype=coll&doc=secbull/138
Reference: XF:fdformat-bo

Name: CVE-1999-0316

Description:

Buffer overflow in Linux splitvt command gives root access to local users.

Status:Entry
Reference: CIAC:G-08
Reference: XF:linux-splitvt

Name: CVE-1999-0317

Description:

Buffer overflow in Linux su command gives root access to local users.

Status:Candidate
Phase: Modified (19991216)
Reference: BUGTRAQ:19990818 slackware-3.5 /bin/su buffer overflow
Reference: XF:su-bo

Votes:
ACCEPT(3)  Frech, Hill, Northcutt<br>
NOOP(1)  Prosser<br>
RECAST(1)  Baker<br>
REVIEWING(1)  Christey<br>
Voter Comments:
Christey>  DUPE CVE-1999-0845?
Also, ADDREF XF:unixware-su-username-bo
A report summary by Aleph One states that nobody was able to
confirm this problem on any Linux distribution.<br>
Baker>  If this is the same as the unixware, then it is a dupe of 1999-0845.  There is about a two and a half month difference in the bugtraq reporting of these.
Sounds like the same bug however...<br>
Christey>  XF:su-bo no longer seems to exist.
How about XF:linux-subo(734) ?
http://xforce.iss.net/static/734.php

BID:475 also seems to describe the same problem
(http://www.securityfocus.com/bid/475) in which case,
vsyslog is blamed in:
BUGTRAQ:19971220 Linux vsyslog() overflow
http://www.securityfocus.com/archive/1/8274<br>

Name: CVE-1999-0318

Description:

Buffer overflow in xmcd 2.0p12 allows local users to gain access through an environmental variable.

Status:Entry
Reference: BUGTRAQ:19961125 Security Problems in XMCD
Reference: BUGTRAQ:19961125 XMCD v2.1 released (was: Security Problems in XMCD)
Reference: XF:xmcd-envbo

Name: CVE-1999-0319

Description:

Buffer overflow in xmcd 2.1 allows local users to gain access through a user resource setting.

Status:Candidate
Phase: Proposed (19990623)
Reference: XF:xmcd-tiflestr

Votes:
ACCEPT(3)  Frech, Hill, Northcutt<br>
NOOP(2)  Baker, Prosser<br>
REVIEWING(1)  Christey<br>
Voter Comments:
Christey>  BUGTRAQ:19961126 Security Problems in XMCD 2.1
A followup to this post says that xmcd is not suid here.<br>

Name: CVE-1999-0320

Description:

SunOS rpc.cmsd allows attackers to obtain root access by overwriting arbitrary files.

Status:Entry
Reference: SUN:00166
Reference: URL:http://sunsolve.sun.com/pub-cgi/retrieve.pl?doctype=coll&doc=secbull/166
Reference: XF:sun-rpc.cmsd

Name: CVE-1999-0321

Description:

Buffer overflow in Solaris kcms_configure command allows local users to gain root access.

Status:Entry
Reference: XF:sun-kcms-configure-bo

Name: CVE-1999-0322

Description:

The open() function in FreeBSD allows local attackers to write to arbitrary files.

Status:Entry
Reference: FREEBSD:FreeBSD-SA-97:05
Reference: OSVDB:6092
Reference: URL:http://www.osvdb.org/6092
Reference: XF:freebsd-open

Name: CVE-1999-0323

Description:

FreeBSD mmap function allows users to modify append-only or immutable files.

Status:Entry
Reference: FREEBSD:FreeBSD-SA-98:04
Reference: NETBSD:1998-003
Reference: URL:ftp://ftp.NetBSD.ORG/pub/NetBSD/misc/security/advisories/NetBSD-SA1998-003.txt.asc
Reference: XF:bsd-mmap

Name: CVE-1999-0324

Description:

ppl program in HP-UX allows local users to create root files through symlinks.

Status:Entry
Reference: CIAC:H-31
Reference: HP:HPSBUX9702-053
Reference: URL:http://www1.itrc.hp.com/service/cki/docDisplay.do?docId=HPSBUX9702-053
Reference: XF:hp-ppllog

Name: CVE-1999-0325

Description:

vhe_u_mnt program in HP-UX allows local users to create root files through symlinks.

Status:Entry
Reference: HP:HPSBUX9406-013
Reference: URL:http://www1.itrc.hp.com/service/cki/docDisplay.do?docId=HPSBUX9406-013
Reference: XF:hp-vhe

Name: CVE-1999-0326

Description:

Vulnerability in HP-UX mediainit program.

Status:Entry
Reference: HP:HPSBUX9710-071
Reference: URL:http://www1.itrc.hp.com/service/cki/docDisplay.do?docId=HPSBUX9710-071
Reference: XF:hp-mediainit

Name: CVE-1999-0327

Description:

SGI syserr program allows local users to corrupt files.

Status:Entry
Reference: SGI:19971103-01-PX
Reference: URL:ftp://patches.sgi.com/support/free/security/advisories/19971103-01-PX
Reference: XF:sgi-syserr

Name: CVE-1999-0328

Description:

SGI permissions program allows local users to gain root privileges.

Status:Entry
Reference: SGI:19971103-01-PX
Reference: URL:ftp://patches.sgi.com/support/free/security/advisories/19971103-01-PX
Reference: XF:sgi-permtool

Name: CVE-1999-0329

Description:

SGI mediad program allows local users to gain root access.

Status:Entry
Reference: SGI:19980602-01-PX
Reference: URL:ftp://patches.sgi.com/support/free/security/advisories/19980602-01-PX
Reference: XF:sgi-mediad

Name: CVE-1999-0330

Description:

Linux bdash game has a buffer overflow that allows local users to gain root access.

Status:Candidate
Phase: Modified (20000105)
Reference: BUGTRAQ:19940101 (No Subject)
Reference: XF:bdash-bo

Votes:
ACCEPT(1)  Baker<br>
MODIFY(1)  Frech<br>
NOOP(3)  Northcutt, Shostack, Wall<br>
REVIEWING(1)  Levy<br>
Voter Comments:
Frech>  XF:bdash-bo<br>

Name: CVE-1999-0331

Description:

Buffer overflow in Internet Explorer 4.0(1).

Status:Candidate
Phase: Modified (20040811)
Reference: XF:msie-bo

Votes:
ACCEPT(2)  Baker, Northcutt<br>
MODIFY(2)  Frech, Shostack<br>
RECAST(1)  Prosser<br>
REJECT(2)  Christey, LeBlanc<br>
Voter Comments:
Shostack>  this is a high cardinality item<br>
Prosser>  needs to be more specific.<br>
Frech>  Replace reference with XF:iemk-bug (msie-bo is obsolete and a vague
duplicate)
Description (from xfdb): Some versions of Internet Explorer for Windows
contain a vulnerability that may crash the browser when a malicious web site
contains a certain kind of URL (that begins with "mk://") with more
characters than the browser supports.<br>
Christey>  The description is too vague.<br>
LeBlanc>  too vague<br>
Christey>  Add period to the end of the description.<br>

Name: CVE-1999-0332

Description:

Buffer overflow in NetMeeting allows denial of service and remote command execution.

Status:Entry
Reference: MSKB:Q184346
Reference: URL:http://support.microsoft.com/default.aspx?scid=kb;[LN];Q184346
Reference: XF:nt-netmeeting

Name: CVE-1999-0333

Description:

HP OpenView Omniback allows remote execution of commands as root via spoofing, and local users can gain root access via a symlink attack.

Status:Candidate
Phase: Modified (19990925)
Reference: HP:HPSBUX9810-085
Reference: RSI:RSI.0009.09-08-98.HP-UX.OMNIBACK
Reference: XF:omniback-remote

Votes:
ACCEPT(2)  Baker, Frech<br>
MODIFY(1)  Prosser<br>
RECAST(1)  Christey<br>
Voter Comments:
Prosser>  additional source
HP Security Bulletin 85
http://us-support.external.hp.com
http://europe-support.external.hp.com<br>
Christey>  Two separate bugs, so SF-LOC says this candidate should be
split<br>
Christey>  ADDREF CIAC:J-007
URL:http://ciac.llnl.gov/ciac/bulletins/j-007.shtml<br>

Name: CVE-1999-0334

Description:

In Solaris 2.2 and 2.3, when fsck fails on startup, it allows a local user with physical access to obtain root access.

Status:Entry
Reference: CERT:CA-93.19.Solaris.Startup.vulnerability
Reference: XF:sol-startup

Name: CVE-1999-0335

Description:

DEPRECATED. This entry has been deprecated. It is a duplicate of CVE-1999-0032.

Status:Entry

Name: CVE-1999-0336

Description:

Buffer overflow in mstm in HP-UX allows local users to gain root access.

Status:Candidate
Phase: Modified (19991207)
Reference: BUGTRAQ:19961116 This week: turn me on, dead man
Reference: XF:hpux-mstm-bo

Votes:
ACCEPT(2)  Frech, Northcutt<br>
NOOP(3)  Baker, Prosser, Shostack<br>
RECAST(1)  Christey<br>
Voter Comments:
Prosser>  same as CVE-1999-0307, only ref I can find is an old SOD
exploit on www.outpost9.com<br>
Christey>  MERGE CVE-1999-0307 (the exact exploit works with both
cstm and mstm, which are clearly part of the same package,
so CD:SF-EXEC says to merge them.)

Also, there does not seem to be any recognition of this problem
by HP.  The only other information besides the Bugtraq post
is the SOD exploit.<br>

Name: CVE-1999-0337

Description:

AIX batch queue (bsh) allows local and remote users to gain additional privileges when network printing is enabled.

Status:Entry
Reference: CERT:CA-94.10.IBM.AIX.bsh.vulnerability.html
Reference: XF:ibm-bsh

Name: CVE-1999-0338

Description:

AIX Licensed Program Product performance tools allow local users to gain root access.

Status:Entry
Reference: CERT:CA-94.03.AIX.performance.tools
Reference: XF:ibm-perf-tools

Name: CVE-1999-0339

Description:

Buffer overflow in the libauth library in Solaris allows local users to gain additional privileges, possibly root access.

Status:Entry
Reference: RSI:RSI.0007.05-26-98
Reference: XF:sol-sun-libauth

Name: CVE-1999-0340

Description:

Buffer overflow in Linux Slackware crond program allows local users to gain root access.

Status:Entry
Reference: KSRT:005
Reference: XF:linux-crond

Name: CVE-1999-0341

Description:

Buffer overflow in the Linux mail program "deliver" allows local users to gain root access.

Status:Entry
Reference: KSRT:006
Reference: XF:linux-deliver

Name: CVE-1999-0342

Description:

Linux PAM modules allow local users to gain root access using temporary files.

Status:Entry
Reference: REDHAT:http://www.redhat.com/corp/support/errata/rh42-errata-general.html#pam
Reference: XF:linux-pam-passwd-tmprace

Name: CVE-1999-0343

Description:

A malicious Palace server can force a client to execute arbitrary programs.

Status:Entry
Reference: BUGTRAQ:19981002 Announcements from The Palace (fwd)
Reference: XF:palace-malicious-servers-vuln

Name: CVE-1999-0344

Description:

NT users can gain debug-level access on a system process using the Sechole exploit.

Status:Entry
Reference: MS:MS98-009
Reference: URL:https://docs.microsoft.com/en-us/security-updates/securitybulletins/1998/ms98-009
Reference: MSKB:Q190288
Reference: URL:http://support.microsoft.com/default.aspx?scid=kb;[LN];Q190288
Reference: XF:nt-priv-fix

Name: CVE-1999-0345

Description:

Jolt ICMP attack causes a denial of service in Windows 95 and Windows NT systems.

Status:Candidate
Phase: Proposed (19990728)

Votes:
ACCEPT(2)  Blake, Cole<br>
MODIFY(2)  Frech, Wall<br>
NOOP(4)  Bishop, Landfield, Northcutt, Ozancin<br>
RECAST(1)  Meunier<br>
REJECT(4)  Armstrong, Baker, LeBlanc, Levy<br>
REVIEWING(1)  Christey<br>
Voter Comments:
Wall>  Invalid ICMP datagram fragments cause a denial of service in Windows 95 and
Windows NT systems.
Reference: Q154174.
Jolt is also known as sPING, ICMP bug, Icenewk, and Ping of Death.
It is a modified teardrop 2 attack.<br>
Frech>  XF:nt-ssping
ADDREF XF:ping-death
ADDREF XF:teardrop-mod
ADDREF XF:mpeix-echo-request-dos<br>
Christey>  I can't tell whether the Jolt exploit at:

http://www.securityfocus.com/templates/archive.pike?list=1&date=1997-06-28&msg=Pine.BSF.3.95q.970629163422.3264A-200000@apollo.tomco.net

is exploiting any different flaw than teardrop does.<br>
CHANGE>  [Christey changed vote from NOOP to REVIEWING]<br>
Baker>  Jolt (original) is basically just a fragmented oversized ICMP that
kills Win boxes ala Ping of Death.
Teardrop is altering the offset in fragmented tcp packets so that the
end of subsequent fragments is inside first packet...
Teardrop 2 is UDP packets, if I remember right.
Seems like Jolt (original, not jolt 2) is just exploit code that
creates a ping of death (CVE 1999-0128)<br>
Levy>  I tend to agree with Baker.<br>
CHANGE>  [Armstrong changed vote from REVIEWING to REJECT]<br>
Armstrong>  This code does not use fragment overlap.  It is simply a large ICMP echo request.<br>
Christey>  See the SCO advisory at:
http://www.securityfocus.com/templates/advisory.html?id=1411
which may further clarify the issue.<br>
LeBlanc>  This is a hodge-podge of DoS attacks. Jolt isn't the same
thing as ping of death - POD was an oversized ICMP packet, Jolt froze
Linux and Solaris (and I think not NT), IIRC Jolt2 did get NT boxes.
Teardrop and teardrop2 were related attacks (usually ICMP frag attacks),
but each of these is a distinct vulnerability, affected a discrete group
of systems, and should have distinct CVE numbers. CVE entries should be
precise as to what the problem is.<br>
Meunier>  I agree with LeBlanc in that Jolt is multi-faceted.  Jolt has
characteristics of Ping of Death AND teardrop, but it doesn't do
either exactly.  Moreover, it sends a truncated IP fragment.  I
disagree with Armstrong; jolt uses overlapping fragments.  It's not a
simple ping of death either.  It may be that the author's intent was
to construct a "super attack" somehow combining elements of other
vulnerabilities to try to make it more potent.  In any case it
succeeded in confusing the CVE board :-).

I notice that Jolt uses echo replies (type 0) instead of echo
requests (to get past firewalls?).  Jolt is peculiar in that it also
sends numerous overlapping fragments.  The "Pascal Simulator" :-) says
it sends:

- 172 fragments of length 400 with offset starting at 5120 and
increasing by about 47 (odd arithmetic of 5120 OR ((n* 380) >> 3)),
which eventually results in sending fragments inside an already
covered area once ((n* 380) >> 3) is greater than 5120, which occurs
when n reaches 108.  This would look a bit like TearDrop if
fragments were reassembled on-the-fly.

- 1 fragment such that the total length of all the fragments
is greater than 65535 (my calculation is 172*380 + 418 = 65778; the
comment about 65538 must be wrong).  The last packet is size 418
according to the IP header but the buffer is of size 400.  The sendto
takes as argument the size of the buffer so a truncated packet is
sent.

So, I am not sure if the problem is because the last packet
doesn't extend to the payload it says it has or because the total size
of all fragments is greater than 65535.  The author says it may take
more than one sending, so perhaps this has to do with an incorrect
error handling and recovery.  One would need to experiment and isolate
each of those characteristics and test them independently.  Inasmuch
as each of those things is likely a different vulnerability, then I
agree with LeBlanc that this entry should be split.  I'll try that if
I ever get bored.  Jolt 2 should also have a different entry (see
below).

Jolt 2 runs in an infinite loop, sending the same fragmented
IP packet, which can pretend to be "ICMP" or "UDP" data; however this
is meaningless, as it's just a late fragment of an IP packet.  The
attack works only as long as packets are sent.  According to
http://www.securityfocus.com/archive/1/62170 the packets are
truncated, and would overflow over the 65535 byte limit, which is
similar to Jolt.  Note that Jolt does send that much data whereas
jolt2 doesn't.  Since jolt2 is simpler and narrower than jolt, and it
has weaker consequences, I believe that it's a different
vulnerability.

"Jolt 2 vulnerability causes a temporary denial-of-service in
Windows-type OSes" would be a title for it.<br>

Name: CVE-1999-0346

Description:

CGI PHP mlog script allows an attacker to read any file on the target server.

Status:Entry
Reference: BID:713
Reference: URL:http://www.securityfocus.com/bid/713
Reference: BUGTRAQ:19971019 Vulnerability in PHP Example Logging Scripts
Reference: OSVDB:3397
Reference: URL:http://www.osvdb.org/3397
Reference: XF:http-cgi-php-mlog

Name: CVE-1999-0347

Description:

Internet Explorer 4.01 allows remote attackers to read local files and spoof web pages via a "%01" character in an "about:" Javascript URL, which causes Internet Explorer to use the domain specified after the character.

Status:Candidate
Phase: Modified (20051028)
Reference: BUGTRAQ:19990126 Javascript ecurity bug in Internet Explorer
Reference: URL:http://marc.info/?l=bugtraq&m=91745430007021&w=2
Reference: NTBUGTRAQ:19990126 Javascript ecurity bug in Internet Explorer
Reference: URL:http://marc.info/?l=ntbugtraq&m=91756771207719&w=2

Votes:
ACCEPT(4)  Baker, LeBlanc, Levy, Northcutt<br>
MODIFY(2)  Frech, Prosser<br>
REVIEWING(1)  Christey<br>
Voter Comments:
Prosser>  this is a modified Cross-Frame vulnerability that circumvents
the original Cross-Frame Patch.  Addressed in MS Bulletin MS99.012
http://www.microsoft.com/security/bulletins/ms99-012.asp<br>
Christey>  Duplicate of CVE-1999-0490?<br>
LeBlanc>  If Prosser is correct that this is MS99-012, accept<br>
Christey>  BUGTRAQ:19990126 Javascript ecurity bug in Internet Explorer
URL:http://marc.theaimsgroup.com/?l=bugtraq&m=91745430007021&w=2
NTBUGTRAQ:19990128 Javascript %01 bug in Internet Explorer
URL:http://marc.theaimsgroup.com/?l=ntbugtraq&m=91756771207719&w=2
BID:197
URL:http://www.securityfocus.com/bid/197<br>
CHANGE>  [Frech changed vote from REVIEWING to MODIFY]<br>
Frech>  XF:ie-window-spoof(2069)<br>

Name: CVE-1999-0348

Description:

IIS ASP caching problem releases sensitive information when two virtual servers share the same physical directory.

Status:Entry
Reference: MSKB:Q197003
Reference: URL:http://support.microsoft.com/default.aspx?scid=kb;[LN];Q197003
Reference: NTBUGTRAQ:Jan27,1999
Reference: OSVDB:930
Reference: URL:http://www.osvdb.org/930

Name: CVE-1999-0349

Description:

A buffer overflow in the FTP list (ls) command in IIS allows remote attackers to conduct a denial of service and, in some cases, execute arbitrary commands.

Status:Entry
Reference: BUGTRAQ:Jan27,1999
Reference: EEYE:IIS Remote FTP Exploit/DoS Attack
Reference: URL:http://www.eeye.com/html/Research/Advisories/IIS%20Remote%20FTP%20Exploit/DoS%20Attack.html
Reference: MS:MS99-003
Reference: URL:https://docs.microsoft.com/en-us/security-updates/securitybulletins/1999/ms99-003
Reference: MSKB:Q188348
Reference: URL:http://support.microsoft.com/default.aspx?scid=kb;[LN];Q188348
Reference: XF:iis-remote-ftp

Name: CVE-1999-0350

Description:

Race condition in the db_loader program in ClearCase gives local users root access by setting SUID bits.

Status:Entry
Reference: L0PHT:Feb8,1999
Reference: XF:clearcase-temp-race

Name: CVE-1999-0351

Description:

FTP PASV "Pizza Thief" denial of service and unauthorized data access. Attackers can steal data by connecting to a port that was intended for use by a client.

Status:Entry
Reference: INFOWAR:01
Reference: MISC:http://attrition.org/security/advisory/misc/infowar/iw_sec_01.txt
Reference: XF:pasv-pizza-thief-dos(3389)
Reference: URL:https://exchange.xforce.ibmcloud.com/vulnerabilities/3389

Name: CVE-1999-0352

Description:

ControlIT 4.5 and earlier (aka Remotely Possible) has weak password encryption.

Status:Candidate
Phase: Proposed (19990721)
Reference: ISS:Multiple vulnerabilities in ControlIT(tm) (formerly Remotely Possible/32) enterprise management software
Reference: XF:controlit-passwd-encrypt

Votes:
ACCEPT(2)  Baker, Frech<br>
NOOP(2)  Northcutt, Wall<br>
RECAST(1)  Ozancin<br>
Voter Comments:
Ozancin>  Can we combine this with CVE-1999-0356 - ControlIT(tm) 4.5 and earlier uses
weak encryption.<br>

Name: CVE-1999-0353

Description:

rpc.pcnfsd in HP gives remote root access by changing the permissions on the main printer spool directory.

Status:Entry
Reference: CIAC:J-026
Reference: URL:http://www.ciac.org/ciac/bulletins/j-026.shtml
Reference: HP:HPSBUX9902-091
Reference: URL:http://www1.itrc.hp.com/service/cki/docDisplay.do?docId=HPSBUX9902-091
Reference: XF:pcnfsd-world-write

Name: CVE-1999-0354

Description:

Internet Explorer 4.x or 5.x with Word 97 allows arbitrary execution of Visual Basic programs to the IE client through the Word 97 template, which doesn't warn the user that the template contains executable content. Also applies to Outlook when the client views a malicious email message.

Status:Candidate
Phase: Proposed (19990623)
Reference: MS:MS99-002
Reference: URL:https://docs.microsoft.com/en-us/security-updates/securitybulletins/1999/ms99-002
Reference: NTBUGTRAQ:Jan27,1999

Votes:
ACCEPT(3)  Baker, Ozancin, Wall<br>
MODIFY(1)  Frech<br>
NOOP(1)  Christey<br>
Voter Comments:
Frech>  XF:word97-template-macro<br>
Christey>  CHANGEREF NTBUGTRAQ:19990127 IE 4/5/Outlook + Word 97 security hole
URL:http://marc.theaimsgroup.com/?l=ntbugtraq&m=91747570922757&w=2
BID:196
http://www.securityfocus.com/bid/196<br>
Christey>  MSKB:Q214652
http://support.microsoft.com/support/kb/articles/q214/6/52.asp<br>

Name: CVE-1999-0355

Description:

Local or remote users can force ControlIT 4.5 to reboot or force a user to log out, resulting in a denial of service.

Status:Entry
Reference: ISS:Multiple vulnerabilities in ControlIT(tm) (formerly Remotely Possible/32) enterprise management software
Reference: XF:controlit-reboot

Name: CVE-1999-0356

Description:

ControlIT v4.5 and earlier uses weak encryption to store usernames and passwords in an address book.

Status:Candidate
Phase: Proposed (19990721)
Reference: ISS:Multiple vulnerabilities in ControlIT(tm) (formerly Remotely Possible/32) enterprise management software
Reference: XF:controlit-bookfile-access

Votes:
ACCEPT(2)  Baker, Frech<br>
NOOP(2)  Northcutt, Wall<br>
RECAST(1)  Ozancin<br>
Voter Comments:


Name: CVE-1999-0357

Description:

Windows 98 and other operating systems allow remote attackers to cause a denial of service via crafted "oshare" packets, possibly involving invalid fragmentation offsets.

Status:Entry
Reference: BUGTRAQ:19990125 Win98 crash?
Reference: XF:win98-oshare-dos

Name: CVE-1999-0358

Description:

Digital Unix 4.0 has a buffer overflow in the inc program of the mh package.

Status:Entry
Reference: BUGTRAQ:19990125 Digital Unix 4.0 exploitable buffer overflows
Reference: URL:http://www.securityfocus.com/archive/1/12121
Reference: CIAC:J-027
Reference: URL:http://www.ciac.org/ciac/bulletins/j-027.shtml
Reference: COMPAQ:SSRT0583U
Reference: XF:du-inc

Name: CVE-1999-0359

Description:

ptylogin in Unix systems allows users to perform a denial of service by locking out modems, dial out with that modem, or obtain passwords.

Status:Candidate
Phase: Proposed (20010214)
Reference: BUGTRAQ:19990127 UNIX shell modem access vulnerabilities
Reference: XF:ptylogin-dos

Votes:
ACCEPT(2)  Cole, Frech<br>
MODIFY(1)  Baker<br>
Voter Comments:
Frech>  XF:ptylogin-dos <br>
Baker>  Should say "... lock out a modem, ..." rather than "... locking out modems..."<br>

Name: CVE-1999-0360

Description:

MS Site Server 2.0 with IIS 4 can allow users to upload content, including ASP, to the target web site, thus allowing them to execute commands remotely.

Status:Candidate
Phase: Modified (20000530)
Reference: BUGTRAQ:19990130 Security Advisory for Internet Information Server 4 with Site
Reference: URL:http://marc.info/?l=bugtraq&m=91763097004101&w=2
Reference: NTBUGTRAQ:Jan29,1999

Votes:
ACCEPT(6)  Blake, Cole, Collins, Landfield, Northcutt, Wall<br>
MODIFY(3)  Baker, Frech, LeBlanc<br>
NOOP(4)  Armstrong, Christey, Ozancin, Prosser<br>
Voter Comments:
Christey>  I can't find the original Bugtraq posting (it appears that
mnemonix discovered the problem).<br>
LeBlanc>  - if there was a fix or a KB article, I'd ACCEPT. A vuln based on a
BUGTRAQ posting we can't find could be anything. <br>
Baker>  Vulnerability Reference (HTML): http://www.securityfocus.com/archive/1/12218
Reference Type: Misc Defensive Info
This is the URL for the Bugtraq posting.  It was cross posted to
NT Bugtraq as well, but identical text.  It was Mnemonix...<br>
Christey>  BID:1811
URL:http://www.securityfocus.com/bid/1811<br>
Christey>  CHANGEREF BUGTRAQ add "Server 2." to the subject.
Also standardize NTBUGTRAQ reference title.<br>
Christey>  Add "uploadn.asp" to the description.<br>
CHANGE>  [Frech changed vote from REVIEWING to MODIFY]<br>
Frech>  XF:siteserver-user-dir-permissions(5384)<br>

Name: CVE-1999-0361

Description:

NetWare version of LaserFiche stores usernames and passwords unencrypted, and allows administrative changes without logging.

Status:Candidate
Phase: Proposed (19990728)
Reference: BUGTRAQ:Jan29,1999

Votes:
ACCEPT(1)  Baker<br>
MODIFY(1)  Frech<br>
NOOP(2)  Northcutt, Wall<br>
Voter Comments:
Frech>  XF:compulink-pw-laserfiche(1679)
Normalize BUGTRAQ reference to:
BUGTRAQ:19990129 Compulink LaserFiche Client/Server - unencrypted passwords<br>

Name: CVE-1999-0362

Description:

WS_FTP server remote denial of service through cwd command.

Status:Entry
Reference: BID:217
Reference: URL:http://www.securityfocus.com/bid/217
Reference: EEYE:AD02021999
Reference: URL:http://www.eeye.com/html/Research/Advisories/AD02021999.html
Reference: XF:wsftp-remote-dos

Name: CVE-1999-0363

Description:

SuSE 5.2 PLP lpc program has a buffer overflow that leads to root compromise.

Status:Entry
Reference: BID:328
Reference: URL:http://www.securityfocus.com/bid/328
Reference: BUGTRAQ:Feb02,1999
Reference: XF:plp-lpc-bo

Name: CVE-1999-0364

Description:

Microsoft Access 97 stores a database password as plaintext in a foreign mdb, allowing access to data.

Status:Candidate
Phase: Modified (20000426)
Reference: BUGTRAQ:19990204 Microsoft Access 97 Stores Database Password as Plaintext
Reference: URL:http://marc.info/?l=bugtraq&m=91816470220259&w=2

Votes:
ACCEPT(2)  Baker, LeBlanc<br>
MODIFY(1)  Frech<br>
NOOP(2)  Northcutt, Wall<br>
Voter Comments:
CHANGE>  [Frech changed vote from REVIEWING to MODIFY]<br>
Frech>  XF:access-weak-passwords(1774)
An older published reference (from our own Adam) would be
better:
ailab.coderpunks Newsgroup, 1998/06/23 "Re: MS Access 2.0"
http://x15.dejanews.com/[ST_rn=ps]/getdoc.xp?AN=365308578&CONTEXT=919207028.1462108427&hitnum=1<br>

Name: CVE-1999-0365

Description:

The metamail package allows remote command execution using shell metacharacters that are not quoted in a mailcap entry.

Status:Entry
Reference: BUGTRAQ:Feb04,1999
Reference: XF:metamail-header-commands

Name: CVE-1999-0366

Description:

In some cases, Service Pack 4 for Windows NT 4.0 can allow access to network shares using a blank password, through a problem with a null NT hash value.

Status:Entry
Reference: MS:MS99-004
Reference: URL:https://docs.microsoft.com/en-us/security-updates/securitybulletins/1999/ms99-004
Reference: MSKB:Q214840
Reference: URL:http://support.microsoft.com/default.aspx?scid=kb;[LN];Q214840
Reference: XF:nt-sp4-auth-error

Name: CVE-1999-0367

Description:

NetBSD netstat command allows local users to access kernel memory.

Status:Entry
Reference: NETBSD:1999-002
Reference: OSVDB:7571
Reference: URL:http://www.osvdb.org/7571

Name: CVE-1999-0368

Description:

Buffer overflows in wuarchive ftpd (wu-ftpd) and ProFTPD lead to remote root access, a.k.a. palmetto.

Status:Entry
Reference: CERT:CA-99.03
Reference: NETECT:palmetto.ftpd
Reference: XF:palmetto-ftpd-bo

Name: CVE-1999-0369

Description:

The Sun sdtcm_convert calendar utility for OpenWindows has a buffer overflow which can gain root access.

Status:Entry
Reference: SUN:00183
Reference: URL:http://sunsolve.sun.com/pub-cgi/retrieve.pl?doctype=coll&doc=secbull/183
Reference: XF:sun-sdtcm-convert-bo

Name: CVE-1999-0370

Description:

In Sun Solaris and SunOS, man and catman contain vulnerabilities that allow overwriting arbitrary files.

Status:Candidate
Phase: Modified (19991210)
Reference: BID:165
Reference: URL:http://www.securityfocus.com/bid/165
Reference: SUN:00184

Votes:
ACCEPT(4)  Baker, Dik, Northcutt, Prosser<br>
MODIFY(1)  Frech<br>
REVIEWING(1)  Christey<br>
Voter Comments:
Frech>  Reference: XF:sun-man<br>
Christey>  ADDREF CIAC:J-028

Is the Linux man symlink problem the same as the one for Sun?
See BUGTRAQ:19990602 /tmp symlink problems in SuSE Linux 6.1
Also see BID:305<br>
Dik>  sun bug 4154565<br>

Name: CVE-1999-0371

Description:

Lynx allows a local user to overwrite sensitive files through /tmp symlinks.

Status:Entry
Reference: BUGTRAQ:19990211 Lynx /tmp problem
Reference: CERT:VB-97.05.lynx
Reference: XF:lynx-temp-files-race

Name: CVE-1999-0372

Description:

The installer for BackOffice Server includes account names and passwords in a setup file (reboot.ini) which is not deleted.

Status:Entry
Reference: MS:MS99-005
Reference: URL:https://docs.microsoft.com/en-us/security-updates/securitybulletins/1999/ms99-005
Reference: MSKB:Q217004
Reference: URL:http://support.microsoft.com/default.aspx?scid=kb;[LN];Q217004
Reference: XF:nt-backoffice-setup

Name: CVE-1999-0373

Description:

Buffer overflow in the "Super" utility in Debian GNU/Linux, and other operating systems, allows local users to execute commands as root.

Status:Entry
Reference: ISS:Buffer Overflow in "Super" package in Debian Linux
Reference: XF:linux-super-bo
Reference: XF:linux-super-logging-bo

Name: CVE-1999-0374

Description:

Debian GNU/Linux cfengine package is susceptible to a symlink attack.

Status:Entry
Reference: BUGTRAQ:Feb16,1999
Reference: DEBIAN:19990215
Reference: XF:linux-cfengine-symlinks

Name: CVE-1999-0375

Description:

Buffer overflow in webd in Network Flight Recorder (NFR) 2.0.2-Research allows remote attackers to execute commands.

Status:Entry
Reference: BUGTRAQ:Feb16,1999
Reference: NAI:February 16, 1999
Reference: XF:nfr-webd-overflow

Name: CVE-1999-0376

Description:

Local users in Windows NT can obtain administrator privileges by changing the KnownDLLs list to reference malicious programs.

Status:Entry
Reference: BUGTRAQ:Feb20,1999
Reference: L0PHT:Feb18,1999
Reference: MS:MS99-006
Reference: URL:https://docs.microsoft.com/en-us/security-updates/securitybulletins/1999/ms99-006
Reference: XF:nt-knowndlls-list

Name: CVE-1999-0377

Description:

Process table attack in Unix systems allows a remote attacker to perform a denial of service by filling a machine's process tables through multiple connections to network services.

Status:Entry
Reference: BUGTRAQ:Feb22,1999
Reference: SECTRACK:1033881
Reference: URL:http://www.securitytracker.com/id/1033881

Name: CVE-1999-0378

Description:

InterScan VirusWall for Solaris doesn't scan files for viruses when a single HTTP request includes two GET commands.

Status:Entry
Reference: BUGTRAQ:19990222 BlackHats Advisory -- InterScan VirusWall
Reference: BUGTRAQ:19990225 Patch for InterScan VirusWall for Unix now available
Reference: OSVDB:6167
Reference: URL:http://www.osvdb.org/6167
Reference: XF:viruswall-http-request

Name: CVE-1999-0379

Description:

Microsoft Taskpads allows remote web sites to execute commands on the visiting user's machine via certain methods that are marked as Safe for Scripting.

Status:Entry
Reference: BID:498
Reference: URL:http://www.securityfocus.com/bid/498
Reference: BUGTRAQ:19990223 Microsoft Security Bulletin (MS99-007)
Reference: MS:MS99-007
Reference: URL:https://docs.microsoft.com/en-us/security-updates/securitybulletins/1999/ms99-007
Reference: OSVDB:1019
Reference: URL:http://www.osvdb.org/1019
Reference: XF:win-resourcekit-taskpads

Name: CVE-1999-0380

Description:

SLMail 3.1 and 3.2 allow local users to access any file in the NTFS file system when the Remote Administration Service (RAS) is enabled by setting a user's Finger File to point to the target file, then running finger on the user.

Status:Entry
Reference: BID:497
Reference: URL:http://www.securityfocus.com/bid/497
Reference: BUGTRAQ:19990225 ALERT: SLMail 3.2 (and 3.1) with the Remote Administration Service
Reference: URL:http://marc.info/?l=bugtraq&m=91996412724720&w=2
Reference: NTBUGTRAQ:199902225 ALERT: SLMail 3.2 (and 3.1) with the Remote Administration Service
Reference: URL:http://marc.info/?l=ntbugtraq&m=91999015212415&w=2
Reference: NTBUGTRAQ:SLmail 3.2 Build 3113 (Web Administration Security Fix)
Reference: URL:http://marc.info/?l=ntbugtraq&m=92110501504997&w=2
Reference: XF:slmail-ras-ntfs-bypass(5392)
Reference: URL:https://exchange.xforce.ibmcloud.com/vulnerabilities/5392

Name: CVE-1999-0381

Description:

super 3.11.6 and other versions have a buffer overflow in the syslog utility which allows a local user to gain root access.

Status:Candidate
Phase: Proposed (19990726)
Reference: BID:342
Reference: URL:http://www.securityfocus.com/bid/342
Reference: BUGTRAQ:19990225 SUPER buffer overflow
Reference: URL:http://www.securityfocus.com/templates/archive.pike?list=1&msg=Pine.LNX.3.96.990225011801.12757A-100000@eleet
Reference: XF:linux-super-logging-bo

Votes:
ACCEPT(7)  Baker, Blake, Cole, Frech, Landfield, Levy, Ozancin<br>
MODIFY(1)  Bishop<br>
NOOP(2)  Armstrong, Wall<br>
REVIEWING(1)  Christey<br>
Voter Comments:
Christey>  Is this the same as CVE-1999-0373?  They both have the same
X-Force reference.

BID:342 suggests that there are two.

http://www.debian.org/security/1999/19990215a suggests
that there are two.  However, CVE-1999-0373 is written up in
a fashion that is too general; and both XF:linux-super-bo and
XF:linux-super-logging-bo refer to CVE-1999-0373.
CVE-1999-0373 may need to be split.
<br>
Frech>  From what I can surmise, ISS released the original advisory (attached to
linux-super-bo), and Sekure SDI expanded on it by releasing another related
overflow in syslog (which is linux-super-logging-bo).

When I was originally assigning these issues, I placed both XF references
and the ISS advisory on the -0373 candidate, since there was nothing else
available. Based on the information above, I'd request that
XF:linux-super-logging-bo be removed from CVE-1999-0373.<br>
Christey>  Given Andre's feedback, these are different issues.
CVE-1999-0373 does not need to be split because the ISS
reference is sufficient to distinguish that CVE from this
candidate; however, the CVE-1999-0373 description should
probably be modified slightly.<br>
Bishop>  (as indicated by Christey)<br>
CHANGE>  [Cole changed vote from NOOP to ACCEPT]<br>
CHANGE>  [Christey changed vote from NOOP to REVIEWING]<br>
Christey>  There are 2 bugs, as confirmed by the super author at:
BUGTRAQ:19990226 Buffer Overflow in Super (new)
http://www.securityfocus.com/archive/1/12713
BID:397 also seems to cover this one, and it may cover
CVE-1999-0373 as well.<br>

Name: CVE-1999-0382

Description:

The screen saver in Windows NT does not verify that its security context has been changed properly, allowing attackers to run programs with elevated privileges.

Status:Entry
Reference: MS:MS99-008
Reference: URL:https://docs.microsoft.com/en-us/security-updates/securitybulletins/1999/ms99-008
Reference: XF:nt-screen-saver

Name: CVE-1999-0383

Description:

ACC Tigris allows public access without a login.

Status:Entry
Reference: BID:183
Reference: URL:http://www.securityfocus.com/bid/183
Reference: BUGTRAQ:19990103 Tigris vulnerability
Reference: OSVDB:267
Reference: URL:http://www.osvdb.org/267
Reference: XF:acc-tigris-login

Name: CVE-1999-0384

Description:

The Forms 2.0 ActiveX control (included with Visual Basic for Applications 5.0) can be used to read text from a user's clipboard when the user accesses documents with ActiveX content.

Status:Entry
Reference: MS:MS99-001
Reference: URL:https://docs.microsoft.com/en-us/security-updates/securitybulletins/1999/ms99-001
Reference: XF:forms-vuln-patch

Name: CVE-1999-0385

Description:

The LDAP bind function in Exchange 5.5 has a buffer overflow that allows a remote attacker to conduct a denial of service or execute commands.

Status:Entry
Reference: ISS:LDAP Buffer overflow against Microsoft Directory Services
Reference: MS:MS99-009
Reference: URL:https://docs.microsoft.com/en-us/security-updates/securitybulletins/1999/ms99-009
Reference: XF:ldap-exchange-overflow
Reference: XF:ldap-mds-dos

Name: CVE-1999-0386

Description:

Microsoft Personal Web Server and FrontPage Personal Web Server in some Windows systems allow a remote attacker to read files on the server by using a nonstandard URL.

Status:Entry
Reference: MS:MS99-010
Reference: URL:https://docs.microsoft.com/en-us/security-updates/securitybulletins/1999/ms99-010
Reference: OSVDB:111
Reference: URL:http://www.osvdb.org/111
Reference: XF:pws-file-access

Name: CVE-1999-0387

Description:

A legacy credential caching mechanism used in Windows 95 and Windows 98 systems allows attackers to read plaintext network passwords.

Status:Entry
Reference: BID:829
Reference: URL:http://www.securityfocus.com/bid/829
Reference: MS:MS99-052
Reference: URL:https://docs.microsoft.com/en-us/security-updates/securitybulletins/1999/ms99-052
Reference: MSKB:Q168115
Reference: URL:http://support.microsoft.com/default.aspx?scid=kb;[LN];Q168115
Reference: XF:9x-plaintext-pwd

Name: CVE-1999-0388

Description:

DataLynx suGuard trusts the PATH environment variable to execute the ps command, allowing local users to execute commands as root.

Status:Entry
Reference: L0PHT:Jan3,1999
Reference: OSVDB:3186
Reference: URL:http://www.osvdb.org/3186
Reference: XF:datalynx-suguard-relative-paths

Name: CVE-1999-0389

Description:

Buffer overflow in the bootp server in the Debian Linux netstd package.

Status:Candidate
Phase: Modified (19991207)
Reference: BID:324
Reference: URL:http://www.securityfocus.com/bid/324
Reference: BUGTRAQ:19990103 [SECURITY] New versions of netstd fixes buffer overflows
Reference: DEBIAN:19990104

Votes:
ACCEPT(3)  Baker, Ozancin, Stracener<br>
MODIFY(1)  Frech<br>
REVIEWING(1)  Christey<br>
Voter Comments:
Christey>  Is CVE-1999-0389 a duplicate of CVE-1999-0798?  CVE-1999-0389
has January 1999 dates associated with it, while CVE-1999-0798
was reported in late December.

Also, is this the same line of code as CVE-1999-0914?  Both are in
the netstd package, it could look like a library problem.

However, deep in the changelog in the
netstd_3.07-7slink.3.diff on Debian, Herbert Xu includes
the following entry:

+netstd (3.07-7slink.1) frozen; urgency=high
+
+  * bootpd:     Applied patch from Redhat as well as a fix for the overflow in
+                report() (fixes #30675).
+  * netkit-ftp: Applied patch from RedHat that fixes some obscure overflow
+                bugs.
+
+ -- Herbert Xu <herbert@debian.org>  Sat, 19 Dec 1998 14:36:48 +1100

This tells me that two separate bugs are involved.

Note that Red Hat posted *some* fix for *some* bootp problem
in June 1998.  See:
http://www.redhat.com/support/errata/rh42-errata-general.html#bootp<br>
Frech>  XF:debian-netstd-bo<br>
Christey>  Further analysis indicates that this is a duplicate of CVE-1999-0799<br>
CHANGE>  [Christey changed vote from REJECT to REVIEWING]<br>
Christey>  The fix information for BID:324 suggests that there are two
overflows, one of which is in handle_request (bootpd.c) and is
likely related to a file name; but there is another issue in
report (report.c) which also looks like a straightforward
overflow, which would suggest that this is not a duplicate of
CVE-1999-0798 or CVE-1999-0799.

Note: see comments for CVE-1999-0798 which explain how that
candidate is not related to CVE-1999-0799.<br>

Name: CVE-1999-0390

Description:

Buffer overflow in Dosemu Slang library in Linux.

Status:Entry
Reference: BID:187
Reference: URL:http://www.securityfocus.com/bid/187
Reference: BUGTRAQ:19990104 Dosemu/S-Lang Overflow + sploit
Reference: CALDERA:CSSA-1999-006.1
Reference: URL:ftp://ftp.caldera.com/pub/security/OpenLinux/CSSA-1999-006.1.txt

Name: CVE-1999-0391

Description:

The cryptographic challenge of SMB authentication in Windows 95 and Windows 98 can be reused, allowing an attacker to replay the response and impersonate a user.

Status:Entry
Reference: L0PHT:Jan. 5, 1999

Name: CVE-1999-0392

Description:

Buffer overflow in Thomas Boutell's cgic library version up to 1.05.

Status:Entry
Reference: BUGTRAQ:Jan10,1999
Reference: XF:http-cgic-library-bo

Name: CVE-1999-0393

Description:

Remote attackers can cause a denial of service in Sendmail 8.8.x and 8.9.2 by sending messages with a large number of headers.

Status:Entry
Reference: BUGTRAQ:19981212 ** Sendmail 8.9.2 DoS - exploit ** get what you want!
Reference: BUGTRAQ:19990121 Sendmail 8.8.x/8.9.x bugware
Reference: URL:http://marc.info/?l=bugtraq&m=91694391227372&w=2
Reference: XF:sendmail-parsing-redirection

Name: CVE-1999-0394

Description:

DPEC Online Courseware allows an attacker to change another user's password without knowing the original password.

Status:Candidate
Phase: Proposed (19990728)
Reference: BUGTRAQ:19990115 DPEC Online Courseware

Votes:
ACCEPT(1)  Baker<br>
NOOP(1)  Christey<br>
REJECT(1)  Frech<br>
Voter Comments:
Frech>  If I understand the issue, this HIGHCARD involves insecure web programming. 
If I don't understand, mark this as my first NOOP.<br>
Christey>  CONFIRM:http://www.securityfocus.com/frames/?content=/templates/archive.pike%3Flist%3D1%26msg%3D19990803132618.16407.qmail%40securityfocus.com
ADDREF BID:565
URL:http://www.securityfocus.com/vdb/bottom.html?vid=565<br>

Name: CVE-1999-0395

Description:

A race condition in the BackWeb Polite Agent Protocol allows an attacker to spoof a BackWeb server.

Status:Entry
Reference: ISS:19990118 Vulnerability in the BackWeb Polite Agent Protocol
Reference: URL:http://xforce.iss.net/alerts/advise17.php
Reference: XF:backweb-polite-agent-protocol

Name: CVE-1999-0396

Description:

A race condition between the select() and accept() calls in NetBSD TCP servers allows remote attackers to cause a denial of service.

Status:Entry
Reference: NETBSD:1999-001
Reference: OPENBSD:Feb17,1999
Reference: XF:netbsd-tcp-race

Name: CVE-1999-0397

Description:

The demo version of the Quakenbush NT Password Appraiser sends passwords across the network in plaintext.

Status:Candidate
Phase: Proposed (19990728)
Reference: BUGTRAQ:Jan21,1999
Reference: L0PHT:Jan21,1999

Votes:
ACCEPT(1)  Northcutt<br>
MODIFY(1)  Frech<br>
NOOP(1)  Baker<br>
REJECT(1)  Wall<br>
Voter Comments:
Wall>  Reject based on beta copy.<br>
Frech>  XF:quakenbush-pw-appraiser(1652)<br>

Name: CVE-1999-0398

Description:

In some instances of SSH 1.2.27 and 2.0.11 on Linux systems, SSH will allow users with expired accounts to login.

Status:Candidate
Phase: Modified (20000106)
Reference: BUGTRAQ:19990123 SSH 1.x and 2.x Daemon
Reference: BUGTRAQ:19990124 SSH Daemon
Reference: XF:ssh-exp-account-access

Votes:
ACCEPT(1)  Baker<br>
MODIFY(1)  Frech<br>
Voter Comments:
Frech>  Followups to the bugtraq message (1/24/99) indicate that 1.2.27 was not yet
released. v1.2.26 should be substituted in the description for '27.
XF:ssh-exp-account-access<br>

Name: CVE-1999-0399

Description:

The DCC server command in the Mirc 5.5 client doesn't filter characters from file names properly, allowing remote attackers to place a malicious file in a different location, possibly allowing the attacker to execute commands.

Status:Candidate
Phase: Modified (20000105)
Reference: BUGTRAQ:19990124 Mirc 5.5 'DCC Server' hole
Reference: XF:mirc-dcc-metachar-filename

Votes:
ACCEPT(1)  Baker<br>
MODIFY(1)  Frech<br>
Voter Comments:
Frech>  XF:mirc-dcc-metachar-filename<br>

Name: CVE-1999-0400

Description:

Denial of service in Linux 2.2.0 running the ldd command on a core file.

Status:Candidate
Phase: Modified (20000105)
Reference: BID:344
Reference: URL:http://www.securityfocus.com/bid/344
Reference: BUGTRAQ:19990127 2.2.0 SECURITY (fwd)
Reference: XF:linux-kernel-ldd-dos

Votes:
ACCEPT(1)  Baker<br>
MODIFY(1)  Frech<br>
Voter Comments:
Frech>  BUGTRAQ:Jan27,1999
(http://www.securityfocus.com/templates/archive.pike?list=1&date=1999-01-22&msg=Pine.LNX.4.05.9901270538380.539-100000@vitelus.com)
XF:linux-kernel-ldd-dos<br>

Name: CVE-1999-0401

Description:

A race condition in Linux 2.2.1 allows local users to read arbitrary memory from /proc files.

Status:Candidate
Phase: Modified (20000105)
Reference: BUGTRAQ:19990202 [patch] /proc race fixes for 2.2.1 (fwd)
Reference: XF:linux-race-condition-proc

Votes:
ACCEPT(1)  Baker<br>
MODIFY(1)  Frech<br>
Voter Comments:
Frech>  XF:linux-race-condition-proc<br>

Name: CVE-1999-0402

Description:

wget 1.5.3 follows symlinks to change permissions of the target file instead of the symlink itself.

Status:Entry
Reference: BUGTRAQ:Feb2,1999
Reference: DEBIAN:19990220
Reference: XF:wget-permissions

Name: CVE-1999-0403

Description:

A bug in Cyrix CPUs on Linux allows local users to perform a denial of service.

Status:Entry
Reference: BUGTRAQ:19990204 Cyrix bug: freeze in hell, badboy
Reference: URL:http://marc.info/?l=bugtraq&m=91821080015725&w=2
Reference: XF:cyrix-hang

Name: CVE-1999-0404

Description:

Buffer overflow in the Mail-Max SMTP server for Windows systems allows remote command execution.

Status:Entry
Reference: BUGTRAQ:Feb14,1999
Reference: XF:mailmax-bo

Name: CVE-1999-0405

Description:

A buffer overflow in lsof allows local users to obtain root privilege.

Status:Entry
Reference: BUGTRAQ:Feb18,1999
Reference: DEBIAN:19990220a
Reference: HERT:002
Reference: OSVDB:3163
Reference: URL:http://www.osvdb.org/3163
Reference: XF:lsof-bo

Name: CVE-1999-0406

Description:

Digital Unix Networker program nsralist has a buffer overflow which allows local users to obtain root privilege.

Status:Candidate
Phase: Proposed (19990728)
Reference: BUGTRAQ:Feb19,1999
Reference: XF:digital-networker-bo

Votes:
ACCEPT(1)  Baker<br>
MODIFY(1)  Frech<br>
Voter Comments:
Frech>  In description, change 'which' to 'that'.<br>

Name: CVE-1999-0407

Description:

By default, IIS 4.0 has a virtual directory /IISADMPWD which contains files that can be used as proxies for brute force password attacks, or to identify valid users on the system.

Status:Entry
Reference: BUGTRAQ:19990209 ALERT: IIS4 allows proxied password attacks over NetBIOS
Reference: URL:http://marc.info/?l=bugtraq&m=91983486431506&w=2
Reference: BUGTRAQ:19990209 Re: IIS4 allows proxied password attacks over NetBIOS
Reference: URL:http://marc.info/?l=bugtraq&m=92000623021036&w=2
Reference: XF:iis-iisadmpwd

Name: CVE-1999-0408

Description:

Files created from interactive shell sessions in Cobalt RaQ microservers (e.g. .bash_history) are world readable, and thus are accessible from the web server.

Status:Entry
Reference: BID:337
Reference: URL:http://www.securityfocus.com/bid/337
Reference: BUGTRAQ:19990225 Cobalt root exploit
Reference: XF:cobalt-raq-history-exposure

Name: CVE-1999-0409

Description:

Buffer overflow in gnuplot in Linux version 3.5 allows local users to obtain root access.

Status:Entry
Reference: BID:319
Reference: URL:http://www.securityfocus.com/bid/319
Reference: BUGTRAQ:19990304 Linux /usr/bin/gnuplot overflow
Reference: XF:gnuplot-home-overflow

Name: CVE-1999-0410

Description:

The cancel command in Solaris 2.6 (i386) has a buffer overflow that allows local users to obtain root access.

Status:Entry
Reference: BID:293
Reference: URL:http://www.securityfocus.com/bid/293
Reference: BUGTRAQ:Mar5,1999
Reference: XF:sol-cancel

Name: CVE-1999-0411

Description:

Several startup scripts in SCO OpenServer Enterprise System v 5.0.4p, including S84rpcinit, S95nis, S85tcp, and S89nfs, are vulnerable to a symlink attack, allowing a local user to gain root access.

Status:Candidate
Phase: Proposed (19990726)
Reference: BUGTRAQ:Feb19,1999
Reference: XF:sco-startup-scripts

Votes:
MODIFY(2)  Baker, Frech
NOOP(2)  Christey, Wall
Voter Comments:
Frech>  Neither XFDB nor the BugTraq article (incidentally, shows up as 7 March, not
19 February) mentions gaining root access... it says a local user could
"delete or overwrite arbitrary files on the system."
Baker>  By overwriting arbitrary files, one could then gain root access.  I agree with a minor description change to reflect this.
Christey>  Normalize Bugtraq reference to:
BUGTRAQ:19990307 Little exploit for startup scripts (SCO 5.0.4p).
http://marc.theaimsgroup.com/?l=bugtraq&m=92087765014242&w=2
Also, SCO:SB-99.17
ftp://ftp.sco.com/SSE/security_bulletins/SB-99.17c

Name: CVE-1999-0412

Description:

In IIS and other web servers, an attacker can attack commands as SYSTEM if the server is running as SYSTEM and loading an ISAPI extension.

Status:Entry
Reference: BID:501
Reference: URL:http://www.securityfocus.com/bid/501
Reference: BUGTRAQ:Feb19,1999
Reference: XF:iis-isapi-execute

Name: CVE-1999-0413

Description:

A buffer overflow in the SGI X server allows local users to gain root access through the X server font path.

Status:Entry
Reference: SGI:19990301-01-PX
Reference: URL:ftp://patches.sgi.com/support/free/security/advisories/19990301-01-PX
Reference: XF:irix-font-path-overflow

Name: CVE-1999-0414

Description:

In Linux before version 2.0.36, remote attackers can spoof a TCP connection and pass data to the application layer before fully establishing the connection.

Status:Entry
Reference: NAI:Linux Blind TCP Spoofing
Reference: XF:linux-blind-spoof

Name: CVE-1999-0415

Description:

The HTTP server in Cisco 7xx series routers 3.2 through 4.2 is enabled by default, which allows remote attackers to change the router's configuration.

Status:Entry
Reference: CIAC:J-034
Reference: URL:http://ciac.llnl.gov/ciac/bulletins/j-034.shtml
Reference: CISCO:19990311 Cisco 7xx TCP and HTTP Vulnerabilities
Reference: URL:http://www.cisco.com/warp/public/770/7xxconn-pub.shtml
Reference: ISS:19990311 Remote Reconfiguration and Denial of Service Vulnerabilities in Cisco 700 ISDN Routers
Reference: XF:cisco-router-commands
Reference: XF:cisco-web-config

Name: CVE-1999-0416

Description:

Vulnerability in Cisco 7xx series routers allows a remote attacker to cause a system reload via a TCP connection to the router's TELNET port.

Status:Entry
Reference: CIAC:J-034
Reference: URL:http://ciac.llnl.gov/ciac/bulletins/j-034.shtml
Reference: CISCO:19990311 Cisco 7xx TCP and HTTP Vulnerabilities
Reference: URL:http://www.cisco.com/warp/public/770/7xxconn-pub.shtml
Reference: ISS:19990311 Remote Reconfiguration and Denial of Service Vulnerabilities in Cisco 700 ISDN Routers
Reference: XF:cisco-web-crash

Name: CVE-1999-0417

Description:

64 bit Solaris 7 procfs allows local users to perform a denial of service.

Status:Entry
Reference: BID:448
Reference: URL:http://www.securityfocus.com/bid/448
Reference: BUGTRAQ:Mar9,1999
Reference: OSVDB:1001
Reference: URL:http://www.osvdb.org/1001
Reference: XF:solaris-psinfo-crash

Name: CVE-1999-0418

Description:

Denial of service in SMTP applications such as Sendmail, when a remote attacker (e.g. spammer) uses many "RCPT TO" commands in the same connection.

Status:Candidate
Phase: Proposed (20010912)
Reference: BUGTRAQ:19990308 SMTP server account probing
Reference: URL:http://marc.info/?l=bugtraq&m=92100018214316&w=2

Votes:
ACCEPT(1)  Cole
MODIFY(1)  Frech
NOOP(3)  Baker, Foat, Wall
REVIEWING(1)  Christey
Voter Comments:
Christey>  DUPE CVE-1999-0144 and CVE-1999-0250?
Frech>  XF:smtp-rctpto-dos(7499)

Name: CVE-1999-0419

Description:

When the Microsoft SMTP service attempts to send a message to a server and receives a 4xx error code, it quickly and repeatedly attempts to redeliver the message, causing a denial of service.

Status:Candidate
Phase: Modified (20000105)
Reference: BUGTRAQ:19990319 Microsoft's SMTP service broken/stupid
Reference: XF:smtp-4xx-error-dos

Votes:
ACCEPT(1)  Baker
MODIFY(2)  Frech, LeBlanc
REVIEWING(1)  Christey
Voter Comments:
Frech>  XF:smtp-4xx-error-dos
LeBlanc>  - if we can find a KB or something that shows that this wasn't just
user error, I'd vote ACCEPT.
Christey>  David Lemson, Microsoft SMTP Service Program Manager,
posted a followup that said "We have confirmed this as a
problem..."
http://marc.theaimsgroup.com/?l=bugtraq&m=92171608127206&w=2

Name: CVE-1999-0420

Description:

umapfs allows local users to gain root privileges by changing their uid through a malicious mount_umap program.

Status:Entry
Reference: NETBSD:1999-006

Name: CVE-1999-0421

Description:

During a reboot after an installation of Linux Slackware 3.6, a remote attacker can obtain root access by logging in to the root account without a password.

Status:Entry
Reference: BID:338
Reference: URL:http://www.securityfocus.com/bid/338
Reference: ISS:Short-Term High-Risk Vulnerability During Slackware 3.6 Network Installations
Reference: OSVDB:981
Reference: URL:http://www.osvdb.org/981
Reference: XF:linux-slackware-install

Name: CVE-1999-0422

Description:

In some cases, NetBSD 1.3.3 mount allows local users to execute programs in some file systems that have the "noexec" flag set.

Status:Entry
Reference: NETBSD:1999-007

Name: CVE-1999-0423

Description:

Vulnerability in hpterm on HP-UX 10.20 allows local users to gain additional privileges.

Status:Entry
Reference: HP:HPSBUX9903-093
Reference: URL:http://www1.itrc.hp.com/service/cki/docDisplay.do?docId=HPSBUX9903-093
Reference: XF:hp-hpterm-files

Name: CVE-1999-0424

Description:

talkback in Netscape 4.5 allows a local user to overwrite arbitrary files of another user whose Netscape crashes.

Status:Entry
Reference: SUSE:Mar18,1999
Reference: XF:netscape-talkback-overwrite

Name: CVE-1999-0425

Description:

talkback in Netscape 4.5 allows a local user to kill an arbitrary process of another user whose Netscape crashes.

Status:Entry
Reference: SUSE:Mar18,1999
Reference: XF:netscape-talkback-kill

Name: CVE-1999-0426

Description:

The default permissions of /dev/kmem in Linux versions before 2.0.36 allows IP spoofing.

Status:Candidate
Phase: Proposed (19990728)
Reference: BUGTRAQ:19990319 The default permissions on /dev/kmem is insecure.

Votes:
MODIFY(1)  Frech
NOOP(1)  Baker
REJECT(1)  Christey
Voter Comments:
Frech>  XF:linux-dev-kmem-spoof
Christey>  DUPE CVE-1999-0414
XF:linux-dev-kmem-spoof does not exist.
Christey>  *Now* XF:linux-dev-kmem-spoof(3500) exists...

Name: CVE-1999-0427

Description:

Eudora 4.1 allows remote attackers to perform a denial of service by sending attachments with long file names.

Status:Candidate
Phase: Proposed (19990728)
Reference: BUGTRAQ:19990320 Eudora Attachment Buffer Overflow
Reference: XF:eudora-long-attachments

Votes:
ACCEPT(1)  Baker
MODIFY(1)  Frech
NOOP(1)  Christey
Voter Comments:
Frech>  Change version number to 4.2beta. Second to last paragraph in bugtraq
reference states: "Both the Win 95 and Win NT versions, along with the 4.2
beta of Eudora are affected."
Christey>  This issue seems to have been rediscovered in
BUGTRAQ:20000515 Eudora Pro & Outlook Overflow - too long filenames again
http://marc.theaimsgroup.com/?l=bugtraq&m=95842482413076&w=2

Also see
BUGTRAQ:19990320 Eudora Attachment Buffer Overflow
http://marc.theaimsgroup.com/?l=bugtraq&m=92195396912110&w=2

Is this a duplicate/subsumed by CVE-1999-0004?

Name: CVE-1999-0428

Description:

OpenSSL and SSLeay allow remote attackers to reuse SSL sessions and bypass access controls.

Status:Entry
Reference: BUGTRAQ:19990322 OpenSSL/SSLeay Security Alert
Reference: OSVDB:3936
Reference: URL:http://www.osvdb.org/3936
Reference: XF:ssl-session-reuse

Name: CVE-1999-0429

Description:

The Lotus Notes 4.5 client may send a copy of encrypted mail in the clear across the network if the user does not set the "Encrypt Saved Mail" preference.

Status:Entry
Reference: BUGTRAQ:19990323
Reference: URL:http://marc.info/?l=bugtraq&m=92221437025743&w=2
Reference: BUGTRAQ:19990324 Re: LNotes encryption
Reference: URL:http://marc.info/?l=bugtraq&m=92241547418689&w=2
Reference: BUGTRAQ:19990326 Lotus Notes Encryption Bug
Reference: URL:http://marc.info/?l=bugtraq&m=92246997917866&w=2
Reference: BUGTRAQ:19990326 Re: Lotus Notes security advisory
Reference: URL:http://marc.info/?l=bugtraq&m=92249282302994&w=2
Reference: XF:lotus-client-encryption

Name: CVE-1999-0430

Description:

Cisco Catalyst LAN switches running Catalyst 5000 supervisor software allows remote attackers to perform a denial of service by forcing the supervisor module to reload.

Status:Entry
Reference: CISCO:Cisco Catalyst Supervisor Remote Reload
Reference: ISS:Remote Denial of Service Vulnerability in Cisco Catalyst Series Ethernet Switches
Reference: OSVDB:1103
Reference: URL:http://www.osvdb.org/1103
Reference: XF:cisco-catalyst-crash

Name: CVE-1999-0431

Description:

Linux 2.2.3 and earlier allow a remote attacker to perform an IP fragmentation attack, causing a denial of service.

Status:Candidate
Phase: Modified (20000106)
Reference: BUGTRAQ:19990324 DoS for Linux 2.1.89 - 2.2.3: 0 length fragment bug
Reference: XF:linux-zerolength-fragment

Votes:
ACCEPT(1)  Baker
MODIFY(1)  Frech
NOOP(1)  Christey
Voter Comments:
Frech>  XF:linux-zerolength-fragment
Christey>  Consider adding BID:2247

Name: CVE-1999-0432

Description:

ftp on HP-UX 11.00 allows local users to gain privileges.

Status:Entry
Reference: HP:HPSBUX9903-094
Reference: URL:http://www1.itrc.hp.com/service/cki/docDisplay.do?docId=HPSBUX9903-094
Reference: XF:hp-ftp

Name: CVE-1999-0433

Description:

XFree86 startx command is vulnerable to a symlink attack, allowing local users to create files in restricted directories, possibly allowing them to gain privileges or cause a denial of service.

Status:Entry
Reference: BUGTRAQ:19990321 X11R6 NetBSD Security Problem
Reference: SUSE:Mar28,1999
Reference: XF:xfree86-temp-directories

Name: CVE-1999-0434

Description:

XFree86 xfs command is vulnerable to a symlink attack, allowing local users to create files in restricted directories, possibly allowing them to gain privileges or cause a denial of service.

Status:Candidate
Phase: Proposed (19990728)
Reference: BID:359
Reference: URL:http://www.securityfocus.com/bid/359
Reference: BUGTRAQ:19990331 Bug in xfs

Votes:
ACCEPT(1)  Baker
MODIFY(1)  Frech
NOOP(1)  Christey
Voter Comments:
Frech>  XF:xfree86-xfs-symlink-dos
Christey>  Is this the same problem as CVE-1999-0433?  CVE-1999-0433
deals with a symlink attack on one file (/tmp/.X11-unix),
while xfs (this candidate) deals with /tmp/.font-unix
XF:xfree86-xfs-symlink-dos doesn't exist.
Christey>  ADDREF DEBIAN:19990331 symbolic link can be used to make any file world readable
Note: Debian's advisory says that this is not a problem for Debian.

Name: CVE-1999-0435

Description:

MC/ServiceGuard and MC/LockManager in HP-UX allows local users to gain privileges through SAM.

Status:Candidate
Phase: Proposed (19990623)
Reference: HP:HPSBUX9903-096

Votes:
ACCEPT(2)  Baker, Ozancin
MODIFY(1)  Frech
NOOP(1)  Christey
Voter Comments:
Frech>  XF:hp-servicegaurd
Christey>  ADDREF CIAC:J-039
Christey>  Note the typo in Andre's suggested reference.
Normalize to XF:hp-serviceguard(2046)

Name: CVE-1999-0436

Description:

Domain Enterprise Server Management System (DESMS) in HP-UX allows local users to gain privileges.

Status:Entry
Reference: HP:HPSBUX9903-095
Reference: URL:http://www1.itrc.hp.com/service/cki/docDisplay.do?docId=HPSBUX9903-095
Reference: XF:hp-desms-servers

Name: CVE-1999-0437

Description:

Remote attackers can perform a denial of service in WebRamp systems by sending a malicious string to the HTTP port.

Status:Entry
Reference: ISS:WebRamp Denial of Service Attacks
Reference: XF:webramp-device-crash

Name: CVE-1999-0438

Description:

Remote attackers can perform a denial of service in WebRamp systems by sending a malicious UDP packet to port 5353, changing its IP address.

Status:Entry
Reference: ISS:WebRamp Denial of Service Attacks
Reference: XF:webramp-ipchange

Name: CVE-1999-0439

Description:

Buffer overflow in procmail before version 3.12 allows remote or local attackers to execute commands via expansions in the procmailrc configuration file.

Status:Entry
Reference: BUGTRAQ:19990405 Re: [SECURITY] new version of procmail with security fixes
Reference: CALDERA:CSSA-1999:007
Reference: DEBIAN:19990422
Reference: XF:procmail-overflow

Name: CVE-1999-0440

Description:

The byte code verifier component of the Java Virtual Machine (JVM) allows remote execution through malicious web pages.

Status:Entry
Reference: BID:1939
Reference: URL:http://www.securityfocus.com/bid/1939
Reference: BUGTRAQ:19990405 Security Hole in Java 2 (and JDK 1.1.x)
Reference: URL:http://marc.info/?l=bugtraq&m=92333596624452&w=2
Reference: CONFIRM:http://java.sun.com/pr/1999/03/pr990329-01.html
Reference: XF:java-unverified-code

Name: CVE-1999-0441

Description:

Remote attackers can perform a denial of service in WinGate machines using a buffer overflow in the Winsock Redirector Service.

Status:Entry
Reference: BID:509
Reference: URL:http://www.securityfocus.com/bid/509
Reference: EEYE:AD02221999
Reference: URL:http://www.eeye.com/html/Research/Advisories/AD02221999.html
Reference: XF:wingate-redirector-dos

Name: CVE-1999-0442

Description:

Solaris ff.core allows local users to modify files.

Status:Entry
Reference: BID:327
Reference: URL:http://www.securityfocus.com/bid/327
Reference: BUGTRAQ:19990107 really silly ff.core exploit for Solaris
Reference: BUGTRAQ:19990108 ff.core exploit on Solaris (2.)7
Reference: BUGTRAQ:19990408 Solaris7 and ff.core

Name: CVE-1999-0443

Description:

Patrol management software allows a remote attacker to conduct a replay attack to steal the administrator password.

Status:Candidate
Phase: Proposed (19990728)
Reference: BUGTRAQ:19990409 Patrol security bugs
Reference: URL:http://www.securityfocus.com/archive/1/13204
Reference: XF:bmc-patrol-replay

Votes:
ACCEPT(1)  Baker
MODIFY(1)  Frech
Voter Comments:
Frech>  Change "Patrol management software" to "The PATROL management product from
BMC Software".

Name: CVE-1999-0444

Description:

Remote attackers can perform a denial of service in Windows machines using malicious ARP packets, forcing a message box display for each packet or filling up log files.

Status:Candidate
Phase: Modified (20000106)
Reference: BUGTRAQ:19990412 ARP problem in Windows9X/NT
Reference: XF:windows-arp-dos

Votes:
ACCEPT(1)  Baker
MODIFY(1)  Frech
Voter Comments:
Frech>  ADDREF: XF:windows-arp-dos

Name: CVE-1999-0445

Description:

In Cisco routers under some versions of IOS 12.0 running NAT, some packets may not be filtered by input access list filters.

Status:Entry
Reference: CISCO:Cisco IOS(R) Software Input Access List Leakage with NAT
Reference: OSVDB:1104
Reference: URL:http://www.osvdb.org/1104
Reference: XF:cisco-natacl-leakage

Name: CVE-1999-0446

Description:

Local users can perform a denial of service in NetBSD 1.3.3 and earlier versions by creating an unusual symbolic link with the ln command, triggering a bug in VFS.

Status:Entry
Reference: NETBSD:1999-008
Reference: OSVDB:7051
Reference: URL:http://www.osvdb.org/7051
Reference: XF:netbsd-vfslocking-panic

Name: CVE-1999-0447

Description:

Local users can gain privileges using the debug utility in the MPE/iX operating system.

Status:Entry
Reference: HP:HPSBMP9904-006
Reference: URL:http://www1.itrc.hp.com/service/cki/docDisplay.do?docId=HPSBMP9904-006
Reference: XF:mpeix-debug

Name: CVE-1999-0448

Description:

IIS 4.0 and Apache log HTTP request methods, regardless of how long they are, allowing a remote attacker to hide the URL they really request.

Status:Entry
Reference: BUGTRAQ:19990121 IIS 4 Request Logging Security Advisory
Reference: XF:iis-http-request-logging

Name: CVE-1999-0449

Description:

The ExAir sample site in IIS 4 allows remote attackers to cause a denial of service (CPU consumption) via a direct request to the (1) advsearch.asp, (2) query.asp, or (3) search.asp scripts.

Status:Entry
Reference: BID:193
Reference: URL:http://www.securityfocus.com/bid/193
Reference: BUGTRAQ:19990125 Re: [NTSEC] IIS 4 Advisory - ExAir sample site DoS
Reference: BUGTRAQ:19990126 IIS 4 Advisory - ExAir sample site DoS
Reference: NTBUGTRAQ:19990126 IIS 4 Advisory - ExAir sample site DoS
Reference: OSVDB:2
Reference: URL:http://www.osvdb.org/2
Reference: OSVDB:3
Reference: URL:http://www.osvdb.org/3
Reference: OSVDB:4
Reference: URL:http://www.osvdb.org/4
Reference: XF:iis-exair-dos

Name: CVE-1999-0450

Description:

In IIS, an attacker could determine a real path using a request for a non-existent URL that would be interpreted by Perl (perl.exe).

Status:Candidate
Phase: Modified (20090622)
Reference: BID:194
Reference: URL:http://www.securityfocus.com/bid/194
Reference: BUGTRAQ:19990122 Perl.exe and IIS security advisory

Votes:
ACCEPT(2)  Ozancin, Wall
NOOP(2)  Baker, Christey
REJECT(2)  Frech, LeBlanc
Voter Comments:
Frech>  Can't find in database.
Christey>  This looks like another discovery of CVE-2000-0071
LeBlanc>  - I just tried to repro this based on the BUGTRAQ vuln information,
and it does not repro - 
GET /bogus.pl HTTP/1.0
HTTP/1.1 404 Object Not Found
Server: Microsoft-IIS/5.0
Date: Thu, 05 Oct 2000 21:04:20 GMT
Content-Length: 3243
Content-Type: text/html
No path is returned whatsoever. This may have been a problem on some version
of IIS in the past, but the BUGTRAQ ID says all versions are vulnerable.
Let's try and figure out what version had the problem, whether it is
intrinsic to IIS or the result of adding a 3rd party implementation of perl,
and when it got fixed, then we can try again.
CHANGE>  [Frech changed vote from REVIEWING to REJECT]
Christey>  Add "no-such-file.pl" as an example to the desc, to facilitate
search (it's used by CGI scanners and in the original example)

Name: CVE-1999-0451

Description:

Denial of service in Linux 2.0.36 allows local users to prevent any server from listening on any non-privileged port.

Status:Candidate
Phase: Proposed (19990726)
Reference: BID:343
Reference: URL:http://www.securityfocus.com/bid/343
Reference: BUGTRAQ:Jan19,1999

Votes:
ACCEPT(2)  Baker, Ozancin
MODIFY(1)  Frech
NOOP(1)  Wall
Voter Comments:
CHANGE>  [Frech changed vote from REVIEWING to MODIFY]
Frech>  XF:linux-ports-dos(8364)

Name: CVE-1999-0452

Description:

A service or application has a backdoor password that was placed there by the developer.

Status:Candidate
Phase: Proposed (19990726)

Votes:
ACCEPT(2)  Baker, Wall
REJECT(1)  Frech
Voter Comments:
Frech>  Much too broad. Also may be HIGHCARD (or will be in the future).
Baker>  I think we want to address this using the dot notation idea.  We do need to address this, just not a separate entry for every single occurrence.

Name: CVE-1999-0453

Description:

An attacker can identify a CISCO device by sending a SYN packet to port 1999, which is for the Cisco Discovery Protocol (CDP).

Status:Candidate
Phase: Modified (20040512)
Reference: BUGTRAQ:19990118 Remote Cisco Identification

Votes:
ACCEPT(2)  Baker, Balinsky
MODIFY(1)  Frech
NOOP(2)  Northcutt, Wall
REVIEWING(1)  Christey
Voter Comments:
Frech>  XF:cisco-ident(2289)
ADDREF BUGTRAQ:19990118 Remote Cisco Identification
In description, probably better to use "Cisco" as product/company name.
Balinsky>  CiscoSecure IDS has a signature for this...ID 3602 Cisco IOS Identity.
Christey>  There may be a slight abstraction problem here, e.g. look
at the candidate for queso/nmap; also see followup Bugtraq post
from "Basement Research" on 19990120 which says that there are
many other features in Cisco products that allow remote
identification.
Christey>  fix typo: "Dicsovery"

Name: CVE-1999-0454

Description:

A remote attacker can sometimes identify the operating system of a host based on how it reacts to some IP or ICMP packets, using a tool such as nmap or queso.

Status:Candidate
Phase: Proposed (19990728)

Votes:
MODIFY(1)  Frech
NOOP(2)  Christey, Wall
REJECT(2)  Baker, Northcutt
Voter Comments:
Northcutt>  Nmap and queso are the tip of the iceberg and not the most advanced
ways to accomplish this.  To pursue making the world signature free
is as much a vulnerability as having signatures, nay more.
Frech>  XF:decod-nmap(2053)
XF:decod-queso(2048)
Christey>  Add "fingerprinting" to facilitate search.
Some references:
MISC:http://www.insecure.org/nmap/nmap-fingerprinting-article.html
BUGTRAQ:19981228 A few more fingerprinting techniques - time and netmask
http://marc.theaimsgroup.com/?l=bugtraq&m=91489155019895&w=2
BUGTRAQ:19990222 Preventing remote OS detection
http://marc.theaimsgroup.com/?l=bugtraq&m=91971553006937&w=2
BUGTRAQ:20000901 ICMP Usage In Scanning v2.0 - Research Paper
http://marc.theaimsgroup.com/?l=bugtraq&m=96791499611849&w=2
BUGTRAQ:20000912 Using the Unused (Identifying OpenBSD,
http://marc.theaimsgroup.com/?l=bugtraq&m=96879267724690&w=2
BUGTRAQ:20000912 The DF Bit Playground (Identifying Sun Solaris & OpenBSD OSs)
http://marc.theaimsgroup.com/?l=bugtraq&m=96879481129637&w=2
BUGTRAQ:20000816 TOSing OSs out of the window / Fingerprinting Windows 2000 with
http://marc.theaimsgroup.com/?l=bugtraq&m=96644121403569&w=2
BUGTRAQ:20000609 p0f - passive os fingerprinting tool
http://marc.theaimsgroup.com/?l=bugtraq&m=96062535628242&w=2
Baker>  I think we can probably reject this as the corollary is that you can identify OS from an IP/TCP packet sent by a system, looking at various parts of the SYN packet.  Unless we believe that all systems should always use identical packet header/identical responses, in which case the protocol should not permit variation.

Name: CVE-1999-0455

Description:

The Expression Evaluator sample application in ColdFusion allows remote attackers to read or delete files on the server via exprcalc.cfm, which does not restrict access to the server properly.

Status:Candidate
Phase: Modified (19991210)
Reference: ALLAIRE:ASB-001
Reference: BID:115
Reference: URL:http://www.securityfocus.com/bid/115
Reference: XF:coldfusion-expression-evaluator

Votes:
ACCEPT(3)  Balinsky, Frech, Ozancin
MODIFY(1)  Wall
NOOP(1)  Baker
REVIEWING(1)  Christey
Voter Comments:
Wall>  The reference should be ASB99-01 (Expression Evaluator Security Issues)
make application plural since there are three sample applications
(openfile.cfm, displayopenedfile.cfm, and exprcalc.cfm).
Christey>  The CD:SF-EXEC and CD:SF-LOC content decisions apply here.
Since there are 3 separate "executables" with the same
(or similar) problem, we need to make sure that CD:SF-EXEC
determines what to do here.  There is evidence that some
of these .cfm scripts have an "include" file, and if so, 
then CD:SF-LOC says that we shouldn't make separate entries
for each of these scripts.  On the other hand, the initial
L0pht discovery didn't include all 3 of these scripts, and
as far as I can tell, Allaire had patched the first problem
before the others were discovered.  So, CD:DISCOVERY-DATE
may argue that we should split these because the problems
were discovered and patched at different times.

In any case, this candidate can not be accepted until the
Editorial Board has accepted the CD:SF-EXEC, CD:SF-LOC,
and CD:DISCOVERY-DATE content decisions.

Name: CVE-1999-0457

Description:

Linux ftpwatch program allows local users to gain root privileges.

Status:Entry
Reference: BID:317
Reference: URL:http://www.securityfocus.com/bid/317
Reference: BUGTRAQ:Jan17,1999
Reference: DEBIAN:19990117
Reference: XF:ftpwatch-vuln

Name: CVE-1999-0458

Description:

L0phtcrack 2.5 used temporary files in the system TEMP directory which could contain password information.

Status:Entry
Reference: BUGTRAQ:Jan6,1999
Reference: OSVDB:915
Reference: URL:http://www.osvdb.org/915
Reference: XF:l0phtcrack-temp-files

Name: CVE-1999-0459

Description:

Local users can perform a denial of service in Alpha Linux, using MILO to force a reboot.

Status:Candidate
Phase: Proposed (19990728)
Reference: XF:linux-milo-halt

Votes:
ACCEPT(1)  Frech
NOOP(2)  Baker, Northcutt
REJECT(1)  Wall
Voter Comments:
Wall>  Reject based on beta copy.

Name: CVE-1999-0460

Description:

Buffer overflow in Linux autofs module through long directory names allows local users to perform a denial of service.

Status:Candidate
Phase: Proposed (19990726)
Reference: BID:312
Reference: URL:http://www.securityfocus.com/bid/312
Reference: BUGTRAQ:19990218 Linux autofs overflow in 2.0.36+

Votes:
ACCEPT(2)  Baker, Ozancin
MODIFY(1)  Frech
NOOP(1)  Wall
Voter Comments:
CHANGE>  [Frech changed vote from REVIEWING to MODIFY]
Frech>  XF:linux-autofs-bo(8365)

Name: CVE-1999-0461

Description:

Versions of rpcbind including Linux, IRIX, and Wietse Venema's rpcbind allow a remote attacker to insert and delete entries by spoofing a source address.

Status:Candidate
Phase: Proposed (19990728)

Votes:
MODIFY(1)  Frech
RECAST(1)  Baker
REVIEWING(1)  Christey
Voter Comments:
Frech>  ADDREF XF:pmap-sset
Christey>  CVE-1999-0195 = CVE-1999-0461 ?
If this is approved over CVE-1999-0195, make sure it gets
XF:pmap-sset
Baker>  This does appear to be a duplicate.  We should accept 1999-0195, since it already has the votes and get rid of this one

Name: CVE-1999-0462

Description:

suidperl in Linux Perl does not check the nosuid mount option on file systems, allowing local users to gain root access by placing a setuid script in a mountable file system, e.g. a CD-ROM or floppy disk.

Status:Candidate
Phase: Proposed (19990728)
Reference: BID:339
Reference: URL:http://www.securityfocus.com/bid/339
Reference: BUGTRAQ:19990114 Secuity hole with perl (suidperl) and nosuid mounts on Linux

Votes:
ACCEPT(1)  Baker
MODIFY(1)  Frech
NOOP(1)  Christey
Voter Comments:
Frech>  XF:perl-suidperl-bo
Christey>  XF:perl-suidperl-bo doesn't exist.

Name: CVE-1999-0463

Description:

Remote attackers can perform a denial of service using IRIX fcagent.

Status:Entry
Reference: SGI:19981201-01-PX
Reference: URL:ftp://patches.sgi.com/support/free/security/advisories/19981201-01-PX
Reference: XF:sgi-fcagent-dos

Name: CVE-1999-0464

Description:

Local users can perform a denial of service in Tripwire 1.2 and earlier using long filenames.

Status:Entry
Reference: BUGTRAQ:19990104 Tripwire mess..
Reference: URL:http://marc.info/?l=bugtraq&m=91553066310826&w=2
Reference: CONFIRM:http://marc.info/?l=bugtraq&m=91592136122066&w=2
Reference: OSVDB:6609
Reference: URL:http://www.osvdb.org/6609

Name: CVE-1999-0465

Description:

Remote attackers can crash Lynx and Internet Explorer using an IMG tag with a large width parameter.

Status:Candidate
Phase: Proposed (19990728)
Reference: XF:http-img-overflow

Votes:
ACCEPT(2)  Frech, Northcutt
NOOP(1)  Baker
REJECT(2)  LeBlanc, Wall
Voter Comments:
Wall>  Reject based on client-side DoS
LeBlanc>  Client side DOS

Name: CVE-1999-0466

Description:

The SVR4 /dev/wabi special device file in NetBSD 1.3.3 and earlier allows a local user to read or write arbitrary files on the disk associated with that device.

Status:Entry
Reference: NETBSD:1999-009
Reference: OSVDB:905
Reference: URL:http://www.osvdb.org/905

Name: CVE-1999-0467

Description:

The Webcom CGI Guestbook programs wguest.exe and rguest.exe allow a remote attacker to read arbitrary files using the "template" parameter.

Status:Candidate
Phase: Modified (20000106)
Reference: NTBUGTRAQ:19990409 Webcom's CGI Guestbook for Win32 web servers
Reference: XF:http-cgi-webcom-guestbook

Votes:
ACCEPT(4)  Blake, Frech, Landfield, Ozancin
NOOP(3)  Baker, Christey, Northcutt
Voter Comments:
Christey>  CVE-1999-0287 is probably a duplicate of CVE-1999-0467.  In
NTBUGTRAQ:19990409 Webcom's CGI Guestbook for Win32 web servers
Mnemonix says that he had previously reported on a similar
problem.  Let's refer to the NTBugtraq posting as
CVE-1999-0467.  We will refer to the "previous report" as
CVE-1999-0287, which can be found at:
http://oliver.efri.hr/~crv/security/bugs/NT/httpd41.html

0287 describes an exploit via the "template" hidden variable.
The exploit describes manually editing the HTML form to
change the filename to read from the template variable.

The exploit as described in 0467 encodes the template variable
directly into the URL.  However, hidden variables are also
encoded into the URL, which would have looked the same to
the web server regardless of the exploit.  Therefore 0287
and 0467 are the same.
Christey>  The CD:SF-EXEC content decision also applies here.  We have 2
programs, wguest.exe and rguest.exe, which appear to have the
same problem.  CD:SF-EXEC needs to be accepted by the Editorial
Board before this candidate can be converted into a CVE
entry.  When finalized, CD:SF-EXEC will decide whether
this candidate should be split or not.
Christey>  BID:2024

Name: CVE-1999-0468

Description:

Internet Explorer 5.0 allows a remote server to read arbitrary files on the client's file system using the Microsoft Scriptlet Component.

Status:Entry
Reference: BUGTRAQ:Apr9,1999
Reference: MS:MS99-012
Reference: URL:https://docs.microsoft.com/en-us/security-updates/securitybulletins/1999/ms99-012
Reference: XF:ie-scriplet-fileread

Name: CVE-1999-0469

Description:

Internet Explorer 5.0 allows window spoofing, allowing a remote attacker to spoof a legitimate web site and capture information from the client.

Status:Candidate
Phase: Proposed (19990728)
Reference: BUGTRAQ:19990409 IE 5.0 security vulnerabilities - %01 bug again
Reference: XF:ie-window-spoof

Votes:
ACCEPT(1)  Wall
NOOP(2)  Baker, Northcutt
REJECT(3)  Christey, Frech, LeBlanc
Voter Comments:
Wall>  Reference: Microsoft Security Bulletin MS99-012
Christey>  DUPE CVE-1999-0488
Frech>  Defer to Christey's vote.
However, XF:ie-mshtml-crossframe(2216) assigned to CVE-1999-0488.
LeBlanc>  Duplicate

Name: CVE-1999-0470

Description:

A weak encryption algorithm is used for passwords in Novell Remote.NLM, allowing them to be easily decrypted.

Status:Entry
Reference: BID:482
Reference: URL:http://www.securityfocus.com/bid/482
Reference: BUGTRAQ:19990409 New Novell Remote.NLM Password Decryption Algorithm with Exploit
Reference: XF:netware-remotenlm-passwords

Name: CVE-1999-0471

Description:

The remote proxy server in Winroute allows a remote attacker to reconfigure the proxy without authentication through the "cancel" button.

Status:Entry
Reference: BUGTRAQ:Apr9,1999
Reference: XF:winroute-config

Name: CVE-1999-0472

Description:

The SNMP default community name "public" is not properly removed in NetApps C630 Netcache, even if the administrator tries to disable it.

Status:Entry
Reference: BUGTRAQ:Apr7,1999
Reference: XF:netcache-snmp

Name: CVE-1999-0473

Description:

The rsync command before rsync 2.3.1 may inadvertently change the permissions of the client's working directory to the permissions of the directory being transferred.

Status:Entry
Reference: BID:145
Reference: URL:http://www.securityfocus.com/bid/145
Reference: BUGTRAQ:19990407 rsync 2.3.1 release - security fix
Reference: CALDERA:CSSA-1999:010.0
Reference: DEBIAN:19990823
Reference: XF:rsync-permissions

Name: CVE-1999-0474

Description:

The ICQ Webserver allows remote attackers to use .. to access arbitrary files outside of the user's personal directory.

Status:Entry
Reference: BUGTRAQ:Apr5,1999
Reference: XF:icq-webserver-read

Name: CVE-1999-0475

Description:

A race condition in how procmail handles .procmailrc files allows a local user to read arbitrary files available to the user who is running procmail.

Status:Entry
Reference: BUGTRAQ:Apr5,1999
Reference: XF:procmail-race

Name: CVE-1999-0476

Description:

A weak encryption algorithm is used for passwords in SCO TermVision, allowing them to be easily decrypted by a local user.

Status:Candidate
Phase: Proposed (19990721)
Reference: BUGTRAQ:19990331 Potential vulnerability in SCO TermVision Windows 95 client
Reference: XF:sco-termvision-password

Votes:
ACCEPT(3)  Baker, Frech, Ozancin<br>
NOOP(3)  LeBlanc, Northcutt, Wall<br>
Voter Comments:


Name: CVE-1999-0477

Description:

The Expression Evaluator in the ColdFusion Application Server allows a remote attacker to upload files to the server via openfile.cfm, which does not restrict access to the server properly.

Status:Candidate
Phase: Modified (19991210)
Reference: BID:115
Reference: URL:http://www.securityfocus.com/bid/115
Reference: L0PHT:Cold Fusion App Server
Reference: XF:coldfusion-expression-evaluator

Votes:
ACCEPT(4)  Baker, Christey, Frech, Ozancin<br>
REJECT(1)  Wall<br>
Voter Comments:
Wall>  Duplicate of 0455<br>
Christey>  CVE-1999-0477 and CVE-1999-0455 were discovered at different
times.  Also, the attack was different.  So "Same Attack" and
"Same Time of Discovery" dictate that these should remain
separate.<br>

Name: CVE-1999-0478

Description:

Denial of service in HP-UX sendmail 8.8.6 related to accepting connections.

Status:Entry
Reference: HP:HPSBUX9904-097
Reference: URL:http://www1.itrc.hp.com/service/cki/docDisplay.do?docId=HPSBUX9904-097
Reference: XF:sendmail-headers-dos

Name: CVE-1999-0479

Description:

Denial of service in Netscape Enterprise Server with VirtualVault on HP-UX VVOS systems.

Status:Entry
Reference: HP:HPSBUX9903-092
Reference: URL:http://www1.itrc.hp.com/service/cki/docDisplay.do?docId=HPSBUX9903-092
Reference: XF:netscape-server-dos

Name: CVE-1999-0480

Description:

Local attackers can conduct a denial of service in Midnight Commander 4.x with a symlink attack.

Status:Candidate
Phase: Modified (20000106)
Reference: BUGTRAQ:19980315 Midnight Commander /tmp race

Votes:
ACCEPT(1)  Baker<br>
MODIFY(1)  Frech<br>
NOOP(1)  Christey<br>
Voter Comments:
Frech>  XF:midnight-commander-symlink-dos<br>
Christey>  XF:midnight-commander-symlink-dos(3505)<br>

Name: CVE-1999-0481

Description:

Denial of service in "poll" in OpenBSD.

Status:Entry
Reference: OPENBSD:Mar22,1999
Reference: OSVDB:7556
Reference: URL:http://www.osvdb.org/7556

Name: CVE-1999-0482

Description:

OpenBSD kernel crash through TSS handling, as caused by the crashme program.

Status:Entry
Reference: OPENBSD:Mar21,1999
Reference: OSVDB:7557
Reference: URL:http://www.osvdb.org/7557

Name: CVE-1999-0483

Description:

OpenBSD crash using nlink value in FFS and EXT2FS filesystems.

Status:Entry
Reference: OPENBSD:Feb25,1999
Reference: OSVDB:6129
Reference: URL:http://www.osvdb.org/6129

Name: CVE-1999-0484

Description:

Buffer overflow in OpenBSD ping.

Status:Entry
Reference: OPENBSD:Feb23,1999
Reference: OSVDB:6130
Reference: URL:http://www.osvdb.org/6130

Name: CVE-1999-0485

Description:

Remote attackers can cause a system crash through ipintr() in ipq in OpenBSD.

Status:Entry
Reference: OPENBSD:Feb19,1999
Reference: OSVDB:7558
Reference: URL:http://www.osvdb.org/7558
Reference: XF:openbsd-ipintr-race

Name: CVE-1999-0486

Description:

Denial of service in AOL Instant Messenger when a remote attacker sends a malicious hyperlink to the receiving client, potentially causing a system crash.

Status:Candidate
Phase: Modified (20000106)
Reference: BUGTRAQ:19990420 AOL Instant Messenger URL Crash

Votes:
ACCEPT(1)  Baker<br>
MODIFY(1)  Frech<br>
NOOP(1)  Christey<br>
Voter Comments:
Frech>  XF:aol-im.<br>
Christey>  XF:aol-im appears to be related to the problem discussed in
BUGTRAQ:19980224 AOL Instant Messanger Bug

This one is related to BUGTRAQ:19990420 AOL Instant Messenger URL Crash<br>

Name: CVE-1999-0487

Description:

The DHTML Edit ActiveX control in Internet Explorer allows remote attackers to read arbitrary files.

Status:Entry
Reference: MS:MS99-011
Reference: URL:https://docs.microsoft.com/en-us/security-updates/securitybulletins/1999/ms99-011
Reference: XF:ie-dhtml-control

Name: CVE-1999-0488

Description:

Internet Explorer 4.0 and 5.0 allows a remote attacker to execute security scripts in a different security context using malicious URLs, a variant of the "cross frame" vulnerability.

Status:Candidate
Phase: Modified (19991205)
Reference: MS:MS99-012
Reference: URL:https://docs.microsoft.com/en-us/security-updates/securitybulletins/1999/ms99-012

Votes:
ACCEPT(2)  Baker, Landfield<br>
MODIFY(2)  Frech, Wall<br>
NOOP(2)  Christey, Ozancin<br>
Voter Comments:
Frech>  XF:ie-mshtml-crossframe<br>
Wall>  (source: MSKB:Q168485)<br>
Christey>  CVE-1999-0469 appears to be a duplicate; prefer this one over
that one, since this one has an MS advisory.  Confirm with
Microsoft that these are really duplicates.

Also review CVE-1999-0487, which appears to be a similar
bug.<br>

Name: CVE-1999-0489

Description:

MSHTML.DLL in Internet Explorer 5.0 allows a remote attacker to paste a file name into the file upload intrinsic control, a variant of "untrusted scripted paste" as described in MS:MS98-013.

Status:Candidate
Phase: Modified (19991205)
Reference: MS:MS99-015
Reference: URL:https://docs.microsoft.com/en-us/security-updates/securitybulletins/1999/ms99-015

Votes:
ACCEPT(1)  Levy<br>
MODIFY(1)  Wall<br>
NOOP(2)  Baker, Ozancin<br>
RECAST(1)  Prosser<br>
REJECT(1)  Christey<br>
REVIEWING(1)  Frech<br>
Voter Comments:
Frech>  Wasn't Untrusted scripted paste MS98-015? I can find no mention of a
clipboard in either.
I cannot proceed on this one without further clarification.<br>
Wall>  (source: MS:MS99-012)<br>
Prosser>  agree with Andre here.  The Untrusted Scripted paste
vulnerability was originally addressed in MS98-015 and it is in the file
upload intrinsic control in which an attacker can paste the name of a file
on the target's drive in the control and a form submission would then send
that file from the attacked machine to the remote web site.  This one has
nothing to do with the clipboard.  What the advisory mentioned here,
MS99-012, does is replace the MSHTML parsing engine which is supposed to fix
the original Untrusted Scripted Paste issue and a variant, as well as the
two Cross-Frame variants and a privacy issue in IMG SRC.  
The vulnerability that allowed reading of a user's clipboard is the Forms
2.0 Active X control vulnerability discussed in MS99-01<br>
Christey>  The advisory should have been listed as MS99-012.  
CVE-1999-0468 describes the untrusted scripted paste problem
in MS99-012.<br>
Frech>  Pending response to guidance request. 12/6/01.<br>

Name: CVE-1999-0490

Description:

MSHTML.DLL in Internet Explorer 5.0 allows a remote attacker to learn information about a local user's files via an IMG SRC tag.

Status:Candidate
Phase: Modified (19991205)
Reference: MS:MS99-012
Reference: URL:https://docs.microsoft.com/en-us/security-updates/securitybulletins/1999/ms99-012

Votes:
ACCEPT(2)  Landfield, Wall<br>
MODIFY(1)  Frech<br>
NOOP(2)  Baker, Ozancin<br>
REVIEWING(1)  Christey<br>
Voter Comments:
Frech>  XF:ie-scriplet-fileread<br>
Christey>  Duplicate of CVE-1999-0347?<br>

Name: CVE-1999-0491

Description:

The prompt parsing in bash allows a local user to execute commands as another user by creating a directory with the name of the command to execute.

Status:Entry
Reference: BID:119
Reference: URL:http://www.securityfocus.com/bid/119
Reference: BUGTRAQ:19990420 Bash Bug
Reference: URL:http://www.securityfocus.com/templates/archive.pike?list=1&msg=Pine.LNX.4.10.9904202114070.6623-100000@smooth.Operator.org
Reference: CALDERA:CSSA-1999-008.0
Reference: URL:ftp://ftp.calderasystems.com/pub/OpenLinux/security/CSSA-1999-008.0.txt

Name: CVE-1999-0492

Description:

The ffingerd 1.19 allows remote attackers to identify users on the target system based on its responses.

Status:Candidate
Phase: Proposed (19990726)
Reference: BUGTRAQ:Apr23,1999

Votes:
ACCEPT(3)  Armstrong, Collins, Northcutt<br>
MODIFY(4)  Baker, Blake, Frech, Shostack<br>
NOOP(4)  Christey, Cole, Landfield, Wall<br>
REVIEWING(1)  Ozancin<br>
Voter Comments:
Shostack>  isn't that what finger is supposed to do?<br>
Landfield>  Maybe we need a new category of "unsafe system utilities and protocols"<br>
Blake>  Ffingerd 1.19 allows remote attackers to differentiate valid and invalid
usernames on the target system based on its responses to finger queries.<br>
Christey>  CHANGEREF BUGTRAQ [canonicalize]
BUGTRAQ:19990423 Ffingerd privacy issues
http://marc.theaimsgroup.com/?l=bugtraq&m=92488772121313&w=2

Here's the nature of the problem.
(1) FFingerd allows users to decide not to be fingered,
printing a message "That user does not want to be fingered"
(2) If the fingered user does not exist, then FFingerd's
intended default is to print that the user does not
want to be fingered; however, the error message has a
period at the end.
Thus, ffingerd can allow someone to determine who valid users
on the server are, *in spite of* the intended functionality of
ffingerd itself.  Thus this exposure should be viewed in light
of the intended functionality of the application, as opposed
to the common usage of the finger protocol in general.

Also, the vendor posted a followup and said that a patch was
available.  See:
http://marc.theaimsgroup.com/?l=bugtraq&m=92489375428016&w=2<br>
Baker>  Vulnerability Reference (HTML)	Reference Type
http://www.securityfocus.com/archive/1/13422	Misc Defensive Info<br>
CHANGE>  [Frech changed vote from REVIEWING to MODIFY]<br>
Frech>  XF:ffinger-user-info(5393)<br>

Name: CVE-1999-0493

Description:

rpc.statd allows remote attackers to forward RPC calls to the local operating system via the SM_MON and SM_NOTIFY commands, which in turn could be used to remotely exploit other bugs such as in automountd.

Status:Entry
Reference: BID:450
Reference: URL:http://www.securityfocus.com/bid/450
Reference: BUGTRAQ:19990103 SUN almost has a clue! (automountd)
Reference: URL:http://marc.info/?l=bugtraq&m=91547759121289&w=2
Reference: CERT:CA-99-05
Reference: URL:http://www.cert.org/advisories/CA-99-05-statd-automountd.html
Reference: CIAC:J-045
Reference: URL:http://www.ciac.org/ciac/bulletins/j-045.shtml
Reference: SUN:00186
Reference: URL:http://sunsolve.sun.com/pub-cgi/retrieve.pl?doctype=coll&doc=secbull/186&type=0&nav=sec.sba

Name: CVE-1999-0494

Description:

Denial of service in WinGate proxy through a buffer overflow in POP3.

Status:Entry
Reference: XF:wingate-pop3-user-bo

Name: CVE-1999-0495

Description:

A remote attacker can gain access to a file system using .. (dot dot) when accessing SMB shares.

Status:Candidate
Phase: Proposed (19990728)

Votes:
ACCEPT(6)  Baker, Blake, Cole, Collins, Northcutt, Ozancin<br>
MODIFY(1)  Frech<br>
NOOP(4)  Armstrong, Bishop, Landfield, Wall<br>
REVIEWING(2)  Christey, Levy<br>
Voter Comments:
Frech>  XF:nb-dotdotknown(837)
References would be appreciated. We've got no reference for this issue;
confidence rating is consequently low. <br>
Levy>  Some references:
http://www.securityfocus.com/archive/1/3894
http://www.securityfocus.com/archive/1/3533
http://www.securityfocus.com/archive/1/3535<br>

Name: CVE-1999-0496

Description:

A Windows NT 4.0 user can gain administrative rights by forcing NtOpenProcessToken to succeed regardless of the user's permissions, aka GetAdmin.

Status:Entry
Reference: MSKB:Q146965
Reference: URL:http://support.microsoft.com/default.aspx?scid=kb;[LN];Q146965
Reference: XF:nt-getadmin
Reference: XF:nt-getadmin-present

Name: CVE-1999-0497

Description:

Anonymous FTP is enabled.

Status:Candidate
Phase: Modified (20040811)

Votes:
ACCEPT(1)  Shostack<br>
MODIFY(1)  Frech<br>
NOOP(2)  Baker, Christey<br>
REJECT(1)  Northcutt<br>
Voter Comments:
Frech>  ftp-anon(52) at http://xforce.iss.net/static/52.php
ftp-anon2(543) at http://xforce.iss.net/static/543.php<br>
Christey>  Add period to the end of the description.<br>
Baker>  Don't know about this, but it may be the only easy way to allow access to data for some folks.<br>

Name: CVE-1999-0498

Description:

TFTP is not running in a restricted directory, allowing a remote attacker to access sensitive information such as password files.

Status:Candidate
Phase: Modified (19990925)
Reference: CERT:CA-91.18.Active.Internet.tftp.Attacks

Votes:
ACCEPT(3)  Blake, Hill, Northcutt<br>
MODIFY(1)  Frech<br>
NOOP(1)  Baker<br>
REVIEWING(1)  Christey<br>
Voter Comments:
Frech>  XF:linux-tftp<br>
Christey>  XF:linux-tftp refers to CVE-1999-0183<br>

Name: CVE-1999-0499

Description:

NETBIOS share information may be published through SNMP registry keys in NT.

Status:Candidate
Phase: Proposed (19990721)

Votes:
ACCEPT(5)  Baker, Northcutt, Ozancin, Shostack, Wall<br>
MODIFY(1)  Frech<br>
REJECT(1)  LeBlanc<br>
Voter Comments:
Frech>  Change wording to 'Windows NT.'
XF:snmp-netbios<br>
LeBlanc>  Share info can be obtained via SNMP queries, but I question
whether this is a vulnerability. The system can be configured not to do
this, and one may argue that SNMP itself is an insecure configuration.
Furthermore, the share information isn't published via registry keys -
the description could refer to more than one actual issue. SNMP is meant
to allow people to obtain information about systems. I'm willing to
discuss this with the rest of the board.<br>

Name: CVE-1999-0501

Description:

A Unix account has a guessable password.

Status:Candidate
Phase: Proposed (19990714)

Votes:
ACCEPT(3)  Baker, Northcutt, Shostack<br>
RECAST(2)  Frech, Meunier<br>
REVIEWING(1)  Christey<br>
Voter Comments:
Frech>  Guessable falls into the class of CVE-1999-0502, since I can guess a
default, null, etc. password.
Suggest changing to something like "has an existing non-default password
that can be guessed."
I'm also including default passwords in this entry. 
In that vein, we show the following references:
XF:user-password
XF:passwd-username
XF:default-unix-sync
XF:default-unix-4dgifts
XF:default-unix-bin
XF:default-unix-daemon
XF:default-unix-lp
XF:default-unix-me
XF:default-unix-nuucp
XF:default-unix-root
XF:default-unix-toor
XF:default-unix-tour
XF:default-unix-tty
XF:default-unix-uucp<br>
Christey>  This candidate is affected by the CD:CF-PASS content decision,
which determines the appropriate level of abstraction to
use for password problems.  CD:CF-PASS needs to be accepted
by the Editorial Board before this candidate can be
converted into a CVE entry; the final version of CD:CF-PASS
may require using a different LOA than this candidate is
currently using.<br>
CHANGE>  [Meunier changed vote from ACCEPT to RECAST]<br>
Meunier>  This relates only to account password technology, so this candidate is
independent of the operating system, application, web site or other
application of this technology.  The appropriate (natural) level of
abstraction is therefore without specifying that it is for UNIX.
Change the description to "An account has a guessable password other
than default, null, blank."  This should satisfy Andre's objection.

This Candidate should be merged with any candidate relating to
account password technology where "Unix" in the original description
can be replaced by something else.<br>

Name: CVE-1999-0502

Description:

A Unix account has a default, null, blank, or missing password.

Status:Candidate
Phase: Proposed (19990714)

Votes:
ACCEPT(4)  Baker, Meunier, Northcutt, Shostack<br>
MODIFY(1)  Frech<br>
REVIEWING(1)  Christey<br>
Voter Comments:
Frech>  XF:passwd-blank
XF:no-pass
XF:dict
XF:sgi-accounts
XF:linux-caldera-lisa<br>
Christey>  This candidate is affected by the CD:CF-PASS content decision,
which determines the appropriate level of abstraction to
use for password problems.  CD:CF-PASS needs to be accepted
by the Editorial Board before this candidate can be
converted into a CVE entry; the final version of CD:CF-PASS
may require using a different LOA than this candidate is
currently using.<br>

Name: CVE-1999-0503

Description:

A Windows NT local user or administrator account has a guessable password.

Status:Candidate
Phase: Proposed (19990714)

Votes:
ACCEPT(4)  Baker, Meunier, Northcutt, Shostack<br>
MODIFY(1)  Frech<br>
REVIEWING(1)  Christey<br>
Voter Comments:
Frech>  Note: I am assuming that this entry includes Windows 2000 accounts and
machine/service accounts listed in User Manager.
XF:nt-guess-admin
XF:nt-guess-user
XF:nt-guess-guest
XF:nt-guessed-operpwd
XF:nt-guessed-powerwd
XF:nt-guessed-disabled
XF:nt-guessed-backup
XF:nt-guessed-acctoper-pwd
XF:nt-adminuserpw
XF:nt-guestuserpw
XF:nt-accountuserpw
XF:nt-operator-userpw
XF:nt-service-user-pwd
XF:nt-server-oper-user-pwd
XF:nt-power-user-pwd
XF:nt-backup-operator-userpwd
XF:nt-disabled-account-userpwd<br>
Christey>  This candidate is affected by the CD:CF-PASS content decision,
which determines the appropriate level of abstraction to
use for password problems.  CD:CF-PASS needs to be accepted
by the Editorial Board before this candidate can be
converted into a CVE entry; the final version of CD:CF-PASS
may require using a different LOA than this candidate is
currently using.<br>

Name: CVE-1999-0504

Description:

A Windows NT local user or administrator account has a default, null, blank, or missing password.

Status:Candidate
Phase: Proposed (19990714)

Votes:
ACCEPT(4)  Baker, Meunier, Northcutt, Shostack<br>
MODIFY(1)  Frech<br>
REVIEWING(1)  Christey<br>
Voter Comments:
Frech>  XF:nt-guestblankpw
XF:nt-adminblankpw
XF:nt-adminnopw
XF:nt-usernopw
XF:nt-guestnopw
XF:nt-accountblankpw
XF:nt-nopw
XF:nt-operator-blankpwd
XF:nt-server-oper-blank-pwd
XF:nt-power-user-blankpwd
XF:nt-backup-operator-blankpwd
XF:nt-disabled-account-blankpwd<br>
Christey>  This candidate is affected by the CD:CF-PASS content decision,
which determines the appropriate level of abstraction to
use for password problems.  CD:CF-PASS needs to be accepted
by the Editorial Board before this candidate can be
converted into a CVE entry; the final version of CD:CF-PASS
may require using a different LOA than this candidate is
currently using.<br>

Name: CVE-1999-0505

Description:

A Windows NT domain user or administrator account has a guessable password.

Status:Candidate
Phase: Proposed (19990714)

Votes:
ACCEPT(4)  Baker, Meunier, Northcutt, Shostack<br>
MODIFY(1)  Frech<br>
Voter Comments:
Frech>  XF:nt-guessed-domain-userpwd
XF:nt-guessed-domain-guestpwd
XF:nt-guessed-domain-adminpwd
XF:nt-domain-userpwd
XF:nt-domain-admin-userpwd
XF:nt-domain-guest-userpwd
XF:win2k-certpub-usrpwd
XF:win2k-dhcpadm-usrpwd
XF:win2k-dnsadm-usrpwd
XF:win2k-entadm-usrpwd
XF:win2k-schema-usrpwd
XF:win2k-guessed-certpub
XF:win2k-guessed-dhcpadm
XF:win2k-guessed-dnsadm
XF:win2k-guessed-entadm
XF:win2k-guessed-schema<br>

Name: CVE-1999-0506

Description:

A Windows NT domain user or administrator account has a default, null, blank, or missing password.

Status:Candidate
Phase: Proposed (19990714)

Votes:
ACCEPT(4)  Baker, Meunier, Northcutt, Shostack<br>
MODIFY(1)  Frech<br>
Voter Comments:
Frech>  XF:nt-domain-admin-blankpwd
XF:nt-domain-admin-nopwd
XF:nt-domain-guest-blankpwd
XF:nt-domain-guest-nopwd
XF:nt-domain-user-blankpwd
XF:nt-domain-user-nopwd
XF:win2k-certpub-blnkpwd
XF:win2k-dhcpadm-blnkpwd
XF:win2k-dnsadm-blnkpwd
XF:win2k-entadm-blnkpwd
XF:win2k-schema-blnkpwd<br>

Name: CVE-1999-0507

Description:

An account on a router, firewall, or other network device has a guessable password.

Status:Candidate
Phase: Proposed (19990714)

Votes:
ACCEPT(4)  Baker, Meunier, Northcutt, Shostack<br>
MODIFY(1)  Frech<br>
Voter Comments:
Frech>  XF:firewall-tisopen
XF:firewall-raptoropen
XF:firewall-msopen
XF:firewall-checkpointopen
XF:firewall-ciscoopen<br>

Name: CVE-1999-0508

Description:

An account on a router, firewall, or other network device has a default, null, blank, or missing password.

Status:Candidate
Phase: Proposed (19990714)

Votes:
ACCEPT(4)  Baker, Meunier, Northcutt, Shostack<br>
MODIFY(1)  Frech<br>
NOOP(1)  Christey<br>
Voter Comments:
Frech>  Note: Because the distinction between network hardware and software is not
distinct, the term 'network device' was liberally interpreted. Feel free to reject any
of the below terms.
XF:default-netranger
XF:cayman-gatorbox
XF:breezecom-default-passwords
XF:default-portmaster
XF:wingate-unpassworded
XF:netopia-unpassworded
XF:default-bay-switches
XF:motorola-cable-default-pass
XF:default-flowpoint
XF:qms-2060-no-root-password
XF:avirt-ras-password
XF:webtrends-rtp-serv-install-password
XF:cisco-bruteforce
XF:cisco-bruteadmin
XF:sambar-server-defaults
XF:management-pfcuser
XF:http-cgi-wwwboard-default<br>
Christey>  DELREF XF:avirt-ras-password - does not fit CVE-1999-0508.<br>

Name: CVE-1999-0509

Description:

Perl, sh, csh, or other shell interpreters are installed in the cgi-bin directory on a WWW site, which allows remote attackers to execute arbitrary commands.

Status:Candidate
Phase: Modified (20000114)
Reference: CERT:CA-96.11

Votes:
ACCEPT(2)  Northcutt, Wall<br>
MODIFY(1)  Frech<br>
NOOP(1)  Baker<br>
REVIEWING(1)  Christey<br>
Voter Comments:
Christey>  What is the right level of abstraction to use here?  Should
we combine all possible interpreters into a single entry,
or have a different entry for each one?  I've often seen
Perl separated from other interpreters - is it included
by default in some Windows web server configurations?<br>
Christey>  Add tcsh, zsh, bash, rksh, ksh, ash, to support search.<br>
Frech>  XF:http-cgi-vuln(146)<br>

Name: CVE-1999-0510

Description:

A router or firewall allows source routed packets from arbitrary hosts.

Status:Candidate
Phase: Proposed (19990726)

Votes:
ACCEPT(2)  Baker, Northcutt<br>
MODIFY(1)  Frech<br>
Voter Comments:
Frech>  XF:source-routing<br>

Name: CVE-1999-0511

Description:

IP forwarding is enabled on a machine which is not a router or firewall.

Status:Candidate
Phase: Proposed (19990726)

Votes:
ACCEPT(2)  Baker, Northcutt<br>
MODIFY(1)  Frech<br>
Voter Comments:
Frech>  XF:ip-forwarding<br>

Name: CVE-1999-0512

Description:

A mail server is explicitly configured to allow SMTP mail relay, which allows abuse by spammers.

Status:Candidate
Phase: Modified (20020427)

Votes:
ACCEPT(3)  Baker, Northcutt, Shostack<br>
MODIFY(1)  Frech<br>
NOOP(1)  Christey<br>
Voter Comments:
Frech>  XF:smtp-sendmail-relay(210)
XF:ntmail-relay(2257)
XF:exchange-relay(3107) (also assigned to CVE-1999-0682)
XF:smtp-relay-uucp(3470)
XF:sco-sendmail-spam(4342)
XF:sco-openserver-mmdf-spam(4343)
XF:lotus-domino-smtp-mail-relay(6591)
XF:win2k-smtp-mail-relay(6803)
XF:cobalt-poprelayd-mail-relay(6806)

Candidate implicitly may refer to relaying settings enabled by default, or
the bypass/circumvention of relaying. Both interpretations were used in
assigning this candidate.<br>
Christey>  The intention of this candidate is to cover configurations in
which the admin has explicitly enabled relaying.  Other cases
in which the application *intends* to prevent relaying, but
there is some specific input that bypasses/tricks it, count
as vulnerabilities (or exposures?) and as such would be
assigned different numbers.

http://www.sendmail.org/~ca/email/spam.html seems like a good
general resource, as does ftp://ftp.isi.edu/in-notes/rfc2505.txt<br>
Christey>  I changed the description to make it more clear that the issue
is that of explicit configuration, as opposed to being the
result of a vulnerability.<br>

Name: CVE-1999-0513

Description:

ICMP messages to broadcast addresses are allowed, allowing for a Smurf attack that can cause a denial of service.

Status:Entry
Reference: CERT:CA-98.01.smurf
Reference: FREEBSD:FreeBSD-SA-98:06
Reference: XF:smurf

Name: CVE-1999-0514

Description:

UDP messages to broadcast addresses are allowed, allowing for a Fraggle attack that can cause a denial of service by flooding the target.

Status:Entry
Reference: XF:fraggle

Name: CVE-1999-0515

Description:

An unrestricted remote trust relationship for Unix systems has been set up, e.g. by using a + sign in /etc/hosts.equiv.

Status:Candidate
Phase: Proposed (19990728)

Votes:
ACCEPT(2)  Baker, Northcutt<br>
MODIFY(1)  Frech<br>
REJECT(1)  Shostack<br>
Voter Comments:
Shostack>  Overly broad<br>
Frech>  XF:rsh-equiv(111)<br>
Baker>  Since this is unrestricted trust, I agree this is a problem<br>

Name: CVE-1999-0516

Description:

An SNMP community name is guessable.

Status:Candidate
Phase: Proposed (19990714)

Votes:
ACCEPT(4)  Baker, Meunier, Northcutt, Shostack<br>
MODIFY(1)  Frech<br>
REVIEWING(1)  Christey<br>
Voter Comments:
Frech>  XF:snmp-get-guess
XF:snmp-set-guess
XF:sol-hidden-commstr
XF:hpov-hidden-snmp-comm<br>
Christey>  This candidate is affected by the CD:CF-PASS content decision,
which determines the appropriate level of abstraction to
use for password problems.  CD:CF-PASS needs to be accepted
by the Editorial Board before this candidate can be
converted into a CVE entry; the final version of CD:CF-PASS
may require using a different LOA than this candidate is
currently using.<br>

Name: CVE-1999-0517

Description:

An SNMP community name is the default (e.g. public), null, or missing.

Status:Candidate
Phase: Proposed (19990714)

Votes:
ACCEPT(4)  Baker, Meunier, Northcutt, Shostack<br>
MODIFY(1)  Frech<br>
REVIEWING(1)  Christey<br>
Voter Comments:
Frech>  XF:nt-snmp
XF:snmp-comm
XF:snmp-set-any
XF:snmp-get-public
XF:snmp-set-public
XF:snmp-get-any<br>
Christey>  This candidate is affected by the CD:CF-PASS content decision,
which determines the appropriate level of abstraction to
use for password problems.  CD:CF-PASS needs to be accepted
by the Editorial Board before this candidate can be
converted into a CVE entry; the final version of CD:CF-PASS
may require using a different LOA than this candidate is
currently using.<br>
Christey>  Consider adding BID:2112<br>

Name: CVE-1999-0518

Description:

A NETBIOS/SMB share password is guessable.

Status:Candidate
Phase: Proposed (19990714)

Votes:
ACCEPT(5)  Baker, LeBlanc, Meunier, Northcutt, Shostack<br>
MODIFY(1)  Frech<br>
Voter Comments:
Frech>  Change description term to NetBIOS.
XF:nt-netbios-perm
XF:sharepass
XF:win95-smb-password
XF:nt-netbios-dict<br>

Name: CVE-1999-0519

Description:

A NETBIOS/SMB share password is the default, null, or missing.

Status:Candidate
Phase: Proposed (19990714)

Votes:
ACCEPT(5)  Baker, LeBlanc, Meunier, Northcutt, Shostack<br>
MODIFY(1)  Frech<br>
Voter Comments:
Frech>  Change description term to NetBIOS.
XF:decod-smb-password-empty
XF:nt-netbios-everyoneaccess
XF:nt-netbios-guestaccess
XF:nt-netbios-allaccess
XF:nt-netbios-open
XF:nt-netbios-write
XF:nt-netbios-shareguest
XF:nt-writable-netbios
XF:nt-netbios-everyoneaccess-printer
XF:nt-netbios-share-print-guest<br>

Name: CVE-1999-0520

Description:

A system-critical NETBIOS/SMB share has inappropriate access control.

Status:Candidate
Phase: Proposed (19990803)

Votes:
ACCEPT(1)  Wall<br>
MODIFY(1)  Frech<br>
NOOP(1)  Baker<br>
RECAST(1)  Northcutt<br>
REJECT(1)  LeBlanc<br>
REVIEWING(1)  Christey<br>
Voter Comments:
Northcutt>  I think we need to enumerate the shares and or the access control<br>
Christey>  One question is, what is "inappropriate"?  It's probably
very dependent on the policy of the enterprise on which
this is found.  And should writable shares be different
from readable shares?  (Or file systems, mail spools, etc.)
Yes, the impact may be different, but we could have a
large number of entries for each possible type of access.
A content decision (CD:CF-DATA) needs to be reviewed
and accepted by the Editorial Board in order to resolve
this question.<br>
LeBlanc>  Unacceptably vague - agree with Christey's comments.<br>
Frech>  associated to:
XF:nt-netbios-everyoneaccess(1)
XF:nt-netbios-guestaccess(2)
XF:nt-netbios-allaccess(3)
XF:nt-netbios-open(15)
XF:nt-netbios-write(19)
XF:nt-netbios-shareguest(20)
XF:nt-writable-netbios(26)
XF:nb-rootshare(393)
XF:decod-smb-password-empty(2358)<br>

Name: CVE-1999-0521

Description:

An NIS domain name is easily guessable.

Status:Candidate
Phase: Proposed (19990714)

Votes:
ACCEPT(4)  Baker, Meunier, Northcutt, Shostack<br>
MODIFY(1)  Frech<br>
NOOP(1)  Christey<br>
Voter Comments:
Frech>  XF:nis-dom<br>
Christey>  Consider http://www.cert.org/advisories/CA-1992-13.html
as well as ftp://ciac.llnl.gov/pub/ciac/bulletin/c-fy92/c-25.ciac-sunos-nis-patch<br>

Name: CVE-1999-0522

Description:

The permissions for a system-critical NIS+ table (e.g. passwd) are inappropriate.

Status:Candidate
Phase: Proposed (19990803)
Reference: CERT:CA-96.10

Votes:
ACCEPT(2)  Baker, Wall<br>
NOOP(1)  Christey<br>
RECAST(1)  Northcutt<br>
Voter Comments:
Northcutt>  Why not say world readable, this is what you do further down in the
file (world exportable in CVE-1999-0554)<br>
Christey>  ADDREF AUSCERT:AA-96.02<br>

Name: CVE-1999-0523

Description:

ICMP echo (ping) is allowed from arbitrary hosts.

Status:Candidate
Phase: Proposed (19990726)

Votes:
MODIFY(1)  Meunier<br>
NOOP(1)  Baker<br>
REJECT(2)  Frech, Northcutt<br>
Voter Comments:
Northcutt>  (Though I sympathize with this one :)<br>
CHANGE>  [Frech changed vote from REVIEWING to REJECT]<br>
Frech>  Ping is a utility that can be run on demand; ICMP echo is a message
type. As currently worded, this candidate seems as if an arbitrary host
is vulnerable because it is capable of running an arbitrary program or
function (in this case, ping/ICMP echo). There are many programs/functions that
'shouldn't' be on a computer, from a security admin's perspective.
Even if this were a vulnerability, it would be impacted by CD-HIGHCARD.<br>
Meunier>  Every ICMP message type presents a vulnerability or an
exposure, if access is not controlled.  By that I mean not only those
in RFC 792, but also those in RFC 1256, 950, and more.  I think that
the description should be changed to "ICMP messages are acted upon
without any access control".  ICMP is an error and debugging protocol.
We complain about vendors leaving testing backdoors in their programs.
ICMP is the equivalent for TCP/IP.  ICMP should be in the dog house,
unless you are trying to troubleshoot something.  MTU discovery is
just a performance tweak -- it's not necessary.  I don't know of any
ICMP message type that is necessary if the network is functional.
Limited logging of ICMP messages could be useful, but acting upon them
and allowing the modification of routing tables, the behavior of the
TCP/IP stack, etc... without any form of authentication is just crazy.<br>

Name: CVE-1999-0524

Description:

ICMP information such as (1) netmask and (2) timestamp is allowed from arbitrary hosts.

Status:Candidate
Phase: Modified (20161206)
Reference: CONFIRM:http://kb.juniper.net/InfoCenter/index?page=content&id=JSA10705
Reference: CONFIRM:https://kc.mcafee.com/corporate/index?page=content&id=SB10053
Reference: MISC:http://descriptions.securescout.com/tc/11010
Reference: MISC:http://descriptions.securescout.com/tc/11011
Reference: MISC:http://kb.vmware.com/selfservice/microsites/search.do?cmd=displayKC&externalId=1434
Reference: OSVDB:95
Reference: URL:http://www.osvdb.org/95
Reference: XF:icmp-netmask(306)
Reference: URL:https://exchange.xforce.ibmcloud.com/vulnerabilities/306
Reference: XF:icmp-timestamp(322)
Reference: URL:https://exchange.xforce.ibmcloud.com/vulnerabilities/322

Votes:
MODIFY(3)  Baker, Frech, Meunier<br>
REJECT(1)  Northcutt<br>
Voter Comments:
Frech>  XF:icmp-timestamp
XF:icmp-netmask<br>
Meunier>  If this is not merged with 1999-0523 as I commented for that
CVE, then the description should be changed to "ICMP messages of types
13 and 14 (timestamp request and reply) and 17 and 18 (netmask request
and reply) are acted upon without any access control".  It's a more
precise and correct language.  I believe that this is a valid CVE
entry (it's a common source of vulnerabilities or exposures) even
though I see that the inferred action was "reject".  Knowing the time
of a host also allows attacks against random number generators that
are seeded with the current time.  I want to push to have it accepted.<br>
Baker>  I agree with the description changes suggested by Pascal<br>

Name: CVE-1999-0525

Description:

IP traceroute is allowed from arbitrary hosts.

Status:Candidate
Phase: Proposed (19990726)

Votes:
MODIFY(1)  Frech<br>
NOOP(1)  Baker<br>
REJECT(1)  Northcutt<br>
Voter Comments:
Frech>  XF:traceroute<br>

Name: CVE-1999-0526

Description:

An X server's access control is disabled (e.g. through an "xhost +" command) and allows anyone to connect to the server.

Status:Entry
Reference: CERT-VN:VU#704969
Reference: URL:http://www.kb.cert.org/vuls/id/704969
Reference: XF:xcheck-keystroke

Name: CVE-1999-0527

Description:

The permissions for system-critical data in an anonymous FTP account are inappropriate. For example, the root directory is writeable by world, a real password file is obtainable, or executable commands such as "ls" can be overwritten.

Status:Candidate
Phase: Proposed (19990803)

Votes:
ACCEPT(3)  Baker, Northcutt, Wall<br>
MODIFY(1)  Frech<br>
Voter Comments:
Northcutt>  That that starts to get specific :)<br>
Frech>  ftp-writable-directory(6253)
ftp-write(53)
"writeable" in the description should be "writable." <br>

Name: CVE-1999-0528

Description:

A router or firewall forwards external packets that claim to come from inside the network that the router/firewall is in front of.

Status:Candidate
Phase: Proposed (19990726)

Votes:
ACCEPT(3)  Baker, Meunier, Northcutt<br>
MODIFY(1)  Frech<br>
Voter Comments:
Frech>  possibly XF:nisd-dns-fwd-check<br>
CHANGE>  [Frech changed vote from REVIEWING to MODIFY]<br>
Frech>  XF:firewall-external-packet-forwarding(8372)<br>

Name: CVE-1999-0529

Description:

A router or firewall forwards packets that claim to come from IANA reserved or private addresses, e.g. 10.x.x.x, 127.x.x.x, 217.x.x.x, etc.

Status:Candidate
Phase: Proposed (19990726)

Votes:
ACCEPT(1)  Frech<br>
MODIFY(2)  Baker, Meunier<br>
REJECT(1)  Northcutt<br>
Voter Comments:
Northcutt>  I have seen ISPs "assign" private addresses within their domain<br>
Meunier>  A border router or firewall forwards packets that claim to come from IANA
reserved or private addresses, e.g. 10.x.x.x, 127.x.x.x, 217.x.x.x,
etc, outside of their area of validity.<br>
CHANGE>  [Frech changed vote from REVIEWING to ACCEPT]<br>
Baker>  I think the description should be modified to say they accept this type of traffic from an interface not residing on private/reserved network.<br>

Name: CVE-1999-0530

Description:

A system is operating in "promiscuous" mode which allows it to perform packet sniffing.

Status:Candidate
Phase: Proposed (19990728)

Votes:
ACCEPT(2)  Baker, Northcutt<br>
MODIFY(1)  Frech<br>
REJECT(1)  Shostack<br>
Voter Comments:
Frech>  XF:etherstatd(264)
XF:sniffer-attack(778) 
XF:decod-packet-capture-remote(1072)
XF:netmon-running(1448)
XF:netxray3-probe(1450)
XF:sol-snoop-getquota-bo(3670) (also assigned to CVE-1999-0974)<br>
Baker>  Does pose a problem in non-switched environments<br>

Name: CVE-1999-0531

Description:

** REJECT ** DO NOT USE THIS CANDIDATE NUMBER. ConsultIDs: None. Reason: this candidate is solely about a configuration that does not directly introduce security vulnerabilities, so it is more appropriate to cover under the Common Configuration Enumeration (CCE). Notes: the former description is: "An SMTP service supports EXPN, VRFY, HELP, ESMTP, and/or EHLO."

Status:Candidate
Phase: Modified (20080731)

Votes:
MODIFY(1)  Frech<br>
NOOP(1)  Christey<br>
RECAST(1)  Shostack<br>
REJECT(1)  Northcutt<br>
Voter Comments:
Shostack>  I think expn != vrfy, help, esmtp.<br>
Frech>  XF:lotus-domino-esmtp-bo(4499) (also assigned to CVE-2000-0452 and
CVE-2000-1046)
XF:smtp-expn(128)
XF:smtp-vrfy(130)
XF:smtp-helo-bo(886)
XF:smtp-vrfy-bo(887)
XF:smtp-expn-bo(888)
XF:slmail-vrfyexpn-overflow(1721)
XF:smtp-ehlo(323)

Perhaps add RCPT? If so, add XF:smtp-rcpt(1928)<br>
Christey>  XF:smtp-vrfy(130) ?<br>

Name: CVE-1999-0532

Description:

A DNS server allows zone transfers.

Status:Candidate
Phase: Proposed (19990726)

Votes:
MODIFY(1)  Frech<br>
NOOP(1)  Baker<br>
REJECT(1)  Northcutt<br>
Voter Comments:
Northcutt>  (With split DNS implementations this is quite appropriate)<br>
Frech>  XF:dns-zonexfer<br>

Name: CVE-1999-0533

Description:

A DNS server allows inverse queries.

Status:Candidate
Phase: Proposed (19990726)

Votes:
MODIFY(1)  Frech<br>
NOOP(1)  Baker<br>
REJECT(1)  Northcutt<br>
Voter Comments:
Northcutt>  (rule of thumb)<br>
Frech>  XF:dns-iquery<br>

Name: CVE-1999-0534

Description:

A Windows NT user has inappropriate rights or privileges, e.g. Act as System, Add Workstation, Backup, Change System Time, Create Pagefile, Create Permanent Object, Create Token Name, Debug, Generate Security Audit, Increase Priority, Increase Quota, Load Driver, Lock Memory, Profile Single Process, Remote Shutdown, Replace Process Token, Restore, System Environment, Take Ownership, or Unsolicited Input.

Status:Candidate
Phase: Proposed (19990721)

Votes:
ACCEPT(5)  Baker, Christey, Ozancin, Shostack, Wall<br>
MODIFY(2)  Frech, Northcutt<br>
Voter Comments:
Northcutt>  If we are going to write a laundry list put access to the scheduler in it.<br>
Christey>  The list of privileges is very useful for lookup.<br>
Frech>  XF:nt-create-token
XF:nt-replace-token
XF:nt-lock-memory
XF:nt-increase-quota
XF:nt-unsol-input
XF:nt-act-system
XF:nt-create-object
XF:nt-sec-audit
XF:nt-add-workstation
XF:nt-manage-log
XF:nt-take-owner
XF:nt-load-driver
XF:nt-profile-system
XF:nt-system-time
XF:nt-single-process
XF:nt-increase-priority
XF:nt-create-pagefile
XF:nt-backup
XF:nt-restore
XF:nt-debug
XF:nt-system-env
XF:nt-remote-shutdown<br>

Name: CVE-1999-0535

Description:

A Windows NT account policy for passwords has inappropriate, security-critical settings, e.g. for password length, password age, or uniqueness.

Status:Candidate
Phase: Proposed (19990721)

Votes:
ACCEPT(2)  Shostack, Wall<br>
MODIFY(2)  Baker, Frech<br>
RECAST(2)  Northcutt, Ozancin<br>
Voter Comments:
Northcutt>  inappropriate implies there is appropriate.  As a guy who has been
monitoring networks for years I have deep reservations about justifying the
existence of any fixed cleartext password. For appropriate to exist, some "we"
would have to establish some criteria for appropriate passwords.<br>
Baker>  Perhaps this could be re-worded a bit.  The CVE CVE-1999-00582
specifies "...settings for lockouts".  To remain consistent with the
other, maybe it should specify "...settings for passwords" I think
most people would agree that passwords should be at least 8
characters; contain letters (upper and lowercase), numbers and at
least one non-alphanumeric; should only be good a limited time 30-90
days; and should not contain character combinations from user's prior
2 or 3 passwords.
Suggested rewrite - 
A Windows NT account policy does not enforce reasonable minimum
security-critical settings for passwords, e.g. passwords of sufficient
length, periodic required password changes, or new password uniqueness<br>
Ozancin>  What is appropriate?<br>
Frech>  XF:nt-autologonpwd
XF:nt-pwlen
XF:nt-maxage
XF:nt-minage
XF:nt-pw-history
XF:nt-user-pwnoexpire
XF:nt-unknown-pwdfilter
XF:nt-pwd-never-expire
XF:nt-pwd-nochange
XF:nt-pwdcache-enable
XF:nt-guest-change-passwords<br>

Name: CVE-1999-0537

Description:

A configuration in a web browser such as Internet Explorer or Netscape Navigator allows execution of active content such as ActiveX, Java, Javascript, etc.

Status:Candidate
Phase: Proposed (19990726)

Votes:
ACCEPT(1)  Wall<br>
NOOP(1)  Baker<br>
RECAST(1)  Frech<br>
REJECT(1)  LeBlanc<br>
Voter Comments:
Frech>  Good candidate for dot notation.
XF:nav-java-enabled
XF:nav-javascript-enabled
XF:ie-active-content
XF:ie-active-download
XF:ie-active-scripting
XF:ie-activex-execution
XF:ie-java-enabled
XF:netscape-javascript
XF:netscape-java
XF:zone-active-scripting
XF:zone-activex-execution
XF:zone-desktop-install
XF:zone-low-channel
XF:zone-file-download
XF:zone-file-launch
XF:zone-java-scripting
XF:zone-low-java
XF:zone-safe-scripting
XF:zone-unsafe-scripting<br>
LeBlanc>  Not a vulnerability. These are just checks for configuration
settings that a user might have changed. I understand need to increase
number of checks in a scanning product, but don't feel like these belong
in CVE. Scanner vendors could argue that these entries are needed to
keep a common language.<br>
Baker>  Not sure about whether we should bother to include this type issue or not.  It does provide a stepping stone for further actions, but in and of itself it isn't a specific vulnerability.<br>

Name: CVE-1999-0539

Description:

A trust relationship exists between two Unix hosts.

Status:Candidate
Phase: Proposed (19990728)

Votes:
MODIFY(1)  Frech<br>
NOOP(1)  Baker<br>
REJECT(2)  Northcutt, Shostack<br>
Voter Comments:
Northcutt>  Too non specific<br>
Frech>  XF:trusted-host(341)
XF:trust-remote-same(717)
XF:trust-remote-root(718)
XF:trust-remote-nonroot(719)
XF:trust-remote-any(720)
XF:trust-other-host(723)
XF:trust-all-nonroot(726)
XF:trust-any-remote(727)
XF:trust-local-acct(728)
XF:trust-local-any(729)
XF:trust-local-nonroot(730)
XF:trust-all-hosts(731)
XF:nt-trusted-domain(1284)
XF:rsagent-trusted-domainadded(1588)
XF:trust-remote-user(2955)
XF:user-trust-hosts(3074)
XF:user-trust-other-host(3077)
XF:user-trust-remote-account(3079)<br>

Name: CVE-1999-0541

Description:

A password for accessing a WWW URL is guessable.

Status:Candidate
Phase: Proposed (19990714)

Votes:
ACCEPT(4)  Baker, Meunier, Northcutt, Shostack<br>
MODIFY(1)  Frech<br>
Voter Comments:
Frech>  XF:http-password<br>

Name: CVE-1999-0546

Description:

The Windows NT guest account is enabled.

Status:Candidate
Phase: Proposed (19990721)

Votes:
ACCEPT(5)  Baker, Northcutt, Ozancin, Shostack, Wall<br>
MODIFY(1)  Frech<br>
Voter Comments:
Frech>  XF:nt-guest-account<br>

Name: CVE-1999-0547

Description:

An SSH server allows authentication through the .rhosts file.

Status:Candidate
Phase: Proposed (19990728)

Votes:
ACCEPT(2)  Baker, Shostack<br>
MODIFY(1)  Frech<br>
NOOP(1)  Northcutt<br>
Voter Comments:
Frech>  XF:sshd-rhosts(315)<br>

Name: CVE-1999-0548

Description:

A superfluous NFS server is running, but it is not importing or exporting any file systems.

Status:Candidate
Phase: Proposed (19990728)

Votes:
ACCEPT(1)  Shostack<br>
NOOP(1)  Baker<br>
REJECT(1)  Northcutt<br>
Voter Comments:


Name: CVE-1999-0549

Description:

Windows NT automatically logs in an administrator upon rebooting.

Status:Candidate
Phase: Proposed (19990630)

Votes:
ACCEPT(1)  Hill<br>
MODIFY(3)  Blake, Frech, Ozancin<br>
NOOP(1)  Wall<br>
REJECT(1)  Baker<br>
Voter Comments:
Wall>  Don't know what this is.  Don't think it is a vulnerability and would
initially reject.  This is different than just renaming the
administrator account.<br>
Frech>  Would appreciate more information on this one, as in a reference.<br>
Blake>  Reference: XF:nt-autologin<br>
Ozancin>  Needs more detail<br>
Baker>  I tried to find the XF:nt-autologin reference, and got no matching records from their search engine.
No refs, no details, should reject<br>
CHANGE>  [Frech changed vote from REVIEWING to MODIFY]<br>
Frech>  XF:nt-autologon(5)<br>

Name: CVE-1999-0550

Description:

A router's routing tables can be obtained from arbitrary hosts.

Status:Candidate
Phase: Proposed (19990726)

Votes:
ACCEPT(1)  Baker<br>
MODIFY(1)  Frech<br>
RECAST(1)  Northcutt<br>
Voter Comments:
Northcutt>  Don't you mean obtained by arbitrary hosts<br>
Frech>  XF:routed
XF:decod-rip-entry
XF:rip<br>
Baker>  Concur with this as a security issue<br>

Name: CVE-1999-0551

Description:

HP OpenMail can be misconfigured to allow users to run arbitrary commands using malicious print requests.

Status:Entry
Reference: HP:HPSBUX9804-078
Reference: URL:http://www1.itrc.hp.com/service/cki/docDisplay.do?docId=HPSBUX9804-078
Reference: XF:hp-openmail

Name: CVE-1999-0554

Description:

NFS exports system-critical data to the world, e.g. / or a password file.

Status:Candidate
Phase: Proposed (19990803)

Votes:
ACCEPT(2)  Northcutt, Wall<br>
NOOP(1)  Baker<br>
REVIEWING(1)  Christey<br>
Voter Comments:
Christey>  A content decision (CD:CF-DATA) needs to be reviewed
and accepted by the Editorial Board in order to resolve
this question.<br>

Name: CVE-1999-0555

Description:

A Unix account with a name other than "root" has UID 0, i.e. root privileges.

Status:Candidate
Phase: Proposed (19990728)

Votes:
NOOP(1)  Baker<br>
REJECT(2)  Northcutt, Shostack<br>
Voter Comments:
Northcutt>  This is very bogus<br>

Name: CVE-1999-0556

Description:

Two or more Unix accounts have the same UID.

Status:Candidate
Phase: Proposed (19990728)

Votes:
NOOP(2)  Baker, Christey<br>
REJECT(2)  Northcutt, Shostack<br>
Voter Comments:
Christey>  XF:duplicate-uid(876)<br>
Christey>  Add terms "duplicate" and "user ID" to facilitate search.
ftp://ftp.auscert.org.au/pub/auscert/papers/unix_security_checklist<br>

Name: CVE-1999-0559

Description:

A system-critical Unix file or directory has inappropriate permissions.

Status:Candidate
Phase: Proposed (19990803)

Votes:
ACCEPT(2)  Baker, Wall<br>
RECAST(2)  Northcutt, Shostack<br>
Voter Comments:
Northcutt>  Writable other than by root/bin/wheelgroup?<br>

Name: CVE-1999-0560

Description:

A system-critical Windows NT file or directory has inappropriate permissions.

Status:Candidate
Phase: Proposed (19990803)

Votes:
ACCEPT(2)  Baker, Wall<br>
RECAST(1)  Northcutt<br>
Voter Comments:
Northcutt>  I think we should specify these<br>

Name: CVE-1999-0561

Description:

IIS has the #exec function enabled for Server Side Include (SSI) files.

Status:Candidate
Phase: Proposed (19990728)

Votes:
NOOP(2)  Baker, Northcutt<br>
RECAST(1)  Shostack<br>
REJECT(1)  LeBlanc<br>
Voter Comments:
LeBlanc>  Does not meet definition of a vulnerability. This function is
just enabled. You can turn it off if you want. If you trust the people
putting up your web pages, this isn't a problem. If you don't, this is
just one of many things you need to change.<br>

Name: CVE-1999-0562

Description:

The registry in Windows NT can be accessed remotely by users who are not administrators.

Status:Candidate
Phase: Modified (20061101)
Reference: OVAL:oval:org.mitre.oval:def:1023
Reference: URL:https://oval.cisecurity.org/repository/search/definition/oval%3Aorg.mitre.oval%3Adef%3A1023

Votes:
ACCEPT(4)  Baker, Ozancin, Shostack, Wall<br>
MODIFY(1)  Frech<br>
RECAST(1)  Northcutt<br>
Voter Comments:
Northcutt>  This isn't all or nothing, users may be allowed to access part of the
registry.<br>
Frech>  XF:nt-winreg-all
XF:nt-winreg-net<br>

Name: CVE-1999-0564

Description:

An attacker can force a printer to print arbitrary documents (e.g. if the printer doesn't require a password) or to become disabled.

Status:Candidate
Phase: Proposed (19990728)

Votes:
ACCEPT(2)  Baker, Shostack<br>
NOOP(1)  Northcutt<br>
Voter Comments:


Name: CVE-1999-0565

Description:

A Sendmail alias allows input to be piped to a program.

Status:Candidate
Phase: Proposed (19990728)

Votes:
ACCEPT(1)  Northcutt<br>
NOOP(1)  Baker<br>
RECAST(1)  Shostack<br>
REVIEWING(1)  Christey<br>
Voter Comments:
Shostack>  Is this a default alias?  Is my .procmailrc an instance of this?<br>
Christey>  It is not entirely clear whether the simple fact that an alias
pipes into a program should be considered a vulnerability.  It
all depends on the behavior of that particular program.  This
is one of a number of configuration-related issues from the
"draft" CVE that came from vulnerability scanners.  In
general, when we get to general configuration and "policy,"
it becomes more difficult to use the current CVE model to
represent them.  So at the very least, this candidate (and
similar ones) should be given close consideration and
discussion before being added to the official CVE list.

Because this candidate is related to general configuration
issues, and we have not completely determined how to handle
such issues in CVE, this candidate cannot be promoted to an
official CVE entry until such issues are resolved.<br>

Name: CVE-1999-0566

Description:

An attacker can write to syslog files from any location, causing a denial of service by filling up the logs, and hiding activities.

Status:Entry
Reference: XF:ibm-syslogd
Reference: XF:syslog-flood

Name: CVE-1999-0568

Description:

rpc.admind in Solaris is not running in a secure mode.

Status:Candidate
Phase: Proposed (19990728)

Votes:
ACCEPT(1)  Northcutt<br>
NOOP(2)  Baker, Christey<br>
RECAST(2)  Dik, Shostack<br>
Voter Comments:
Shostack>  are there secure modes?<br>
Dik>  Several:
1) there is no "rpc.admind" daemon.
there used to be a "admind" RPC daemon (100087/10)
and there's now an "sadmind" daemon (100232/10)
The switch over was somewhere around Solaris 2.4.
2) Neither defaults to "secure mode"
3) secure mode is "using secure RPC" which does
proper over the wire authentication by specifying
the "-S 2" option in inetd.conf
(security level 2)<br>
Christey>  XF:rpc-admind(626)
http://xforce.iss.net/static/626.php
MISC:http://pulhas.org/xploitsdb/mUNIXes/admind.html<br>

Name: CVE-1999-0569

Description:

A URL for a WWW directory allows auto-indexing, which provides a list of all files in that directory if it does not contain an index.html file.

Status:Candidate
Phase: Modified (19991130)

Votes:
ACCEPT(1)  Wall<br>
NOOP(2)  Baker, Christey<br>
REJECT(1)  Northcutt<br>
Voter Comments:
Northcutt>  I do this intentionally sometimes in high content directories<br>
Christey>  XF:http-noindex(90) ?<br>

Name: CVE-1999-0570

Description:

Windows NT is not using a password filter utility, e.g. PASSFILT.DLL.

Status:Candidate
Phase: Proposed (19990728)

Votes:
ACCEPT(1)  Northcutt<br>
MODIFY(1)  Frech<br>
NOOP(2)  Baker, Christey<br>
REJECT(1)  Wall<br>
Voter Comments:
Northcutt>  Here we are crossing into the best practices arena again.  However since
passfilt does establish a measurable standard and since we aren't the
ones defining the standard, simply saying it should be employed I will
vote for this.  <br>
Frech>  XF:nt-passfilt-not-inst(1308)
XF:nt-passfilt-not-found(1309)<br>
Christey>  Consider MSKB:Q161990 and MSKB:Q151082<br>

Name: CVE-1999-0571

Description:

A router's configuration service or management interface (such as a web server or telnet) is configured to allow connections from arbitrary hosts.

Status:Candidate
Phase: Modified (20020312)
Reference: BUGTRAQ:Feb5,1999

Votes:
ACCEPT(1)  Baker<br>
MODIFY(1)  Frech<br>
NOOP(2)  Christey, Northcutt<br>
Voter Comments:
CHANGE>  [Frech changed vote from REVIEWING to MODIFY]<br>
Frech>  XF:ascend-config-kill(889)
XF:cisco-ios-crash(1238)
XF:webramp-remote-access(1670)
XF:ascom-timeplex-debug(1824)
XF:netopia-unpassworded(1850)
XF:cisco-web-crash(1886)
XF:cisco-router-commands(1951)
XF:motorola-cable-default-pass(2002)
XF:default-flowpoint(2091)
XF:netgear-router-idle-dos(4003)
XF:cisco-cbos-telnet(4251)
XF:routermate-snmp-community(4290)
XF:cayman-router-dos(4479)
XF:wavelink-authentication(5185)
XF:ciscosecure-ldap-bypass-authentication(5274)
XF:foundry-firmware-telnet-dos(5514)
XF:netopia-view-system-log(5536)
XF:cisco-webadmin-remote-dos(5595)
XF:cisco-cbos-web-access(5626)
XF:netopia-telnet-dos(6001)
XF:cisco-sn-gain-access(6827)
XF:cayman-dsl-insecure-permissions(6841)
XF:linksys-etherfast-reveal-passwords(6949)
XF:zyxel-router-default-password(6968)
XF:cisco-cbos-web-config(7027)
XF:prestige-wan-bypass-filter(7146)<br>
Christey>  I changed the description to make it more explicit that this
candidate is about router configuration, as opposed to
vulnerabilities that accidentally make a configuration
service accessible to anyone.<br>

Name: CVE-1999-0572

Description:

.reg files are associated with the Windows NT registry editor (regedit), making the registry susceptible to Trojan Horse attacks.

Status:Candidate
Phase: Modified (20041017)

Votes:
ACCEPT(4)  Baker, Ozancin, Shostack, Wall<br>
MODIFY(1)  Frech<br>
NOOP(2)  Christey, Northcutt<br>
Voter Comments:
Northcutt>  I don't quite get what this means, sorry<br>
Frech>  XF:nt-regfile(178)<br>
Christey>  MISC:http://security-archive.merton.ox.ac.uk/nt-security-199902/0087.html<br>

Name: CVE-1999-0575

Description:

A Windows NT system's user audit policy does not log an event success or failure, e.g. for Logon and Logoff, File and Object Access, Use of User Rights, User and Group Management, Security Policy Changes, Restart, Shutdown, and System, and Process Tracking.

Status:Candidate
Phase: Proposed (19990721)

Votes:
ACCEPT(4)  Christey, Ozancin, Shostack, Wall<br>
MODIFY(1)  Frech<br>
RECAST(2)  Baker, Northcutt<br>
Voter Comments:
Northcutt>  It isn't a great truth that you should enable all of the above, if you
do you potentially introduce a vulnerability of filling up the file
system with stuff you will never look at.<br>
Ozancin>  It is far less interesting what a user does successfully than what they
attempt and fail at.<br>
Christey>  The list of event types is very useful for lookup.<br>
Frech>  XF:nt-system-audit
XF:nt-logon-audit
XF:nt-object-audit
XF:nt-privil-audit
XF:nt-process-audit
XF:nt-policy-audit
XF:nt-account-audit<br>
CHANGE>  [Baker changed vote from REVIEWING to RECAST]<br>

Name: CVE-1999-0576

Description:

A Windows NT system's file audit policy does not log an event success or failure for security-critical files or directories.

Status:Candidate
Phase: Proposed (19990721)

Votes:
ACCEPT(3)  Baker, Shostack, Wall<br>
MODIFY(2)  Frech, Ozancin<br>
REJECT(1)  Northcutt<br>
Voter Comments:
Northcutt>  1.) Too general are we ready to state what the security-critical files
and directories are
2.) Does Ataris, Windows CE, PalmOS, Linux have such a capability<br>
Ozancin>  Some files and directories are clearly understood to be critical. Others are
unclear. We need to clarify what critical is.<br>
Frech>  XF:nt-object-audit<br>

Name: CVE-1999-0577

Description:

A Windows NT system's file audit policy does not log an event success or failure for non-critical files or directories.

Status:Candidate
Phase: Proposed (19990721)

Votes:
ACCEPT(2)  Shostack, Wall<br>
MODIFY(3)  Baker, Frech, Ozancin<br>
REJECT(1)  Northcutt<br>
Voter Comments:
Ozancin>  It is far less interesting what a user does successfully than what they
attempt and fail at.
Perhaps only failure should be logged.<br>
Frech>  XF:nt-object-audit<br>
CHANGE>  [Baker changed vote from REVIEWING to MODIFY]<br>
Baker>  Failure on non-critical files is what should be monitored.<br>

Name: CVE-1999-0578

Description:

A Windows NT system's registry audit policy does not log an event success or failure for security-critical registry keys.

Status:Candidate
Phase: Proposed (19990721)

Votes:
ACCEPT(4)  Baker, Ozancin, Shostack, Wall<br>
MODIFY(1)  Frech<br>
REJECT(1)  Northcutt<br>
Voter Comments:
Ozancin>  with reservation
Again what is defined as critical<br>
CHANGE>  [Frech changed vote from REVIEWING to MODIFY]<br>
Frech>  XF:nt-object-audit(228)<br>

Name: CVE-1999-0579

Description:

A Windows NT system's registry audit policy does not log an event success or failure for non-critical registry keys.

Status:Candidate
Phase: Proposed (19990721)

Votes:
ACCEPT(3)  Baker, Shostack, Wall<br>
MODIFY(2)  Frech, Ozancin<br>
REJECT(1)  Northcutt<br>
Voter Comments:
Ozancin>  Again only failure may be of interest. It would be impractical to wade
through the incredibly large amount of logging that this would generate. It
could overwhelm log entries that you might find interesting.<br>
CHANGE>  [Frech changed vote from REVIEWING to MODIFY]<br>
Frech>  XF:nt-object-audit(228)<br>

Name: CVE-1999-0580

Description:

The HKEY_LOCAL_MACHINE key in a Windows NT system has inappropriate, system-critical permissions.

Status:Candidate
Phase: Proposed (19990803)

Votes:
ACCEPT(1)  Wall<br>
NOOP(1)  Baker<br>
RECAST(1)  Northcutt<br>
Voter Comments:
Northcutt>  I think we can define appropriate, take a look at the nt security .pdf
and see if you can't see a way to phrase specific keys in a way that
defines inappropriate.<br>
Baker>  This is way vague...<br>

Name: CVE-1999-0581

Description:

The HKEY_CLASSES_ROOT key in a Windows NT system has inappropriate, system-critical permissions.

Status:Candidate
Phase: Proposed (19990803)

Votes:
ACCEPT(1)  Wall<br>
NOOP(1)  Baker<br>
RECAST(1)  Northcutt<br>
Voter Comments:
Northcutt>  I think we can define appropriate, take a look at the nt security .pdf
and see if you can't see a way to phrase specific keys in a way that
defines inappropriate.<br>
Baker>  way too vague<br>

Name: CVE-1999-0582

Description:

A Windows NT account policy has inappropriate, security-critical settings for lockout, e.g. lockout duration, lockout after bad logon attempts, etc.

Status:Candidate
Phase: Proposed (19990721)

Votes:
ACCEPT(3)  Ozancin, Shostack, Wall<br>
MODIFY(2)  Baker, Frech<br>
REJECT(1)  Northcutt<br>
Voter Comments:
Northcutt>  The definition is?<br>
Baker>  Maybe a rewording of this one too.  I think most people would agree on
some "minimum" policies like 3-5 bad attempts lockout for an hour or
until the administrator unlocks the account.
Suggested rewrite -
A Windows NT account policy does not enforce reasonable minimum
security-critical settings for lockouts, e.g. lockout duration,
lockout after bad logon attempts, etc.<br>
Ozancin>  with reservations
What is appropriate?<br>
Frech>  XF:nt-thres-lockout
XF:nt-lock-duration
XF:nt-lock-window
XF:nt-perm-lockout
XF:lockout-disabled<br>

Name: CVE-1999-0583

Description:

There is a one-way or two-way trust relationship between Windows NT domains.

Status:Candidate
Phase: Proposed (19990728)

Votes:
NOOP(2)  Baker, Christey<br>
REJECT(2)  Northcutt, Shostack<br>
Voter Comments:
Christey>  XF:nt-trusted-domain(1284)<br>

Name: CVE-1999-0584

Description:

A Windows NT file system is not NTFS.

Status:Candidate
Phase: Proposed (19990728)

Votes:
ACCEPT(2)  Northcutt, Wall<br>
MODIFY(1)  Frech<br>
NOOP(2)  Baker, Christey<br>
Voter Comments:
Wall>  NTFS partition provides the security.  This could be re-worded
to "A Windows NT file system is FAT" since it is either NTFS or FAT
and FAT is less secure.<br>
Frech>  XF:nt-filesys(195)<br>
Christey>  MSKB:Q214579
MSKB:Q214579
http://support.microsoft.com/support/kb/articles/Q100/1/08.ASP<br>

Name: CVE-1999-0585

Description:

A Windows NT administrator account has the default name of Administrator.

Status:Candidate
Phase: Proposed (19990721)

Votes:
ACCEPT(1)  Ozancin<br>
MODIFY(1)  Frech<br>
REJECT(3)  Baker, Northcutt, Shostack<br>
REVIEWING(1)  Wall<br>
Voter Comments:
Wall>  Some sources say this is not a vulnerability, but a warning.  It just
slows down the search for the admin account (SID = 500) which can
always be found.<br>
Northcutt>  I change this on all NT systems I am responsible for, but is
root a vulnerability?<br>
Baker>  There are ways to identify the administrator account anyway, so this
is only a minor delay to someone that is knowledgeable.  This, in and
of itself, doesn't really strike me as a vulnerability, anymore than
the root account on a Unix box.<br>
Shostack>  (there is no way to hide the account name today)<br>
Frech>  XF:nt-adminexists<br>

Name: CVE-1999-0586

Description:

A network service is running on a nonstandard port.

Status:Candidate
Phase: Proposed (19990728)

Votes:
NOOP(1)  Baker<br>
RECAST(1)  Shostack<br>
REJECT(1)  Northcutt<br>
Voter Comments:
Shostack>  Might be acceptable if clearer; is that a standard service on a
non-standard port, or any service on an unassigned port?<br>
Baker>  It might actually be an enhancement rather than a problem to run a service on a non-standard port<br>

Name: CVE-1999-0587

Description:

A WWW server is not running in a restricted file system, e.g. through a chroot, thus allowing access to system-critical data.

Status:Candidate
Phase: Proposed (19990803)

Votes:
ACCEPT(1)  Wall<br>
NOOP(1)  Baker<br>
RECAST(1)  Northcutt<br>
Voter Comments:
Northcutt>  While I would accept this for Unix, I am not sure this applies to NT,
VMS, palm pilots, or commodore 64<br>

Name: CVE-1999-0588

Description:

A filter in a router or firewall allows unusual fragmented packets.

Status:Candidate
Phase: Proposed (19990726)

Votes:
MODIFY(2)  Baker, Frech<br>
REJECT(1)  Northcutt<br>
Voter Comments:
Northcutt>  I want to vote to accept this one, but unusual is a shade broad.<br>
Frech>  XF:nt-rras
XF:cisco-fragmented-attacks
XF:ip-frag<br>
Baker>  Perhaps we should use the word abnormally fragmented or some other descriptor.<br>

Name: CVE-1999-0589

Description:

A system-critical Windows NT registry key has inappropriate permissions.

Status:Candidate
Phase: Proposed (19990803)

Votes:
ACCEPT(1)  Wall<br>
NOOP(1)  Baker<br>
RECAST(2)  Christey, Northcutt<br>
Voter Comments:
Northcutt>  I think we can define appropriate, take a look at the nt security .pdf
and see if you can't see a way to phrase specific keys in a way that
defines inappropriate.<br>
Christey>  Upon further reflection, this is too high-level for CVE.
Specific registry keys with bad permissions is roughly
equivalent to Unix configuration files that have bad
permissions; those permission problems can be created by
any vendor, not just a specific one.  Therefore this
candidate should be RECAST into each separate registry
key that has this problem.<br>

Name: CVE-1999-0590

Description:

A system does not present an appropriate legal message or warning to a user who is accessing it.

Status:Candidate
Phase: Proposed (19990728)

Votes:
ACCEPT(2)  Baker, Northcutt<br>
MODIFY(1)  Christey<br>
RECAST(1)  Shostack<br>
Voter Comments:
Christey>  ADDREF CIAC:J-043
URL:http://ciac.llnl.gov/ciac/bulletins/j-043.shtml
Also add "banner" to the description to facilitate search.<br>
Baker>  Should be in place where ever it is possible<br>

Name: CVE-1999-0591

Description:

An event log in Windows NT has inappropriate access permissions.

Status:Candidate
Phase: Proposed (19990803)

Votes:
ACCEPT(2)  Baker, Wall<br>
RECAST(1)  Northcutt<br>
Voter Comments:
Northcutt>  splain Lucy, splain<br>

Name: CVE-1999-0592

Description:

The Logon box of a Windows NT system displays the name of the last user who logged in.

Status:Candidate
Phase: Proposed (19990728)

Votes:
MODIFY(1)  Frech<br>
NOOP(2)  Baker, Christey<br>
REJECT(2)  Northcutt, Wall<br>
Voter Comments:
Wall>  Information gathering, not vulnerability<br>
Northcutt>  Ah a C2 weenie must have snuck this in, this can be a good thing 
not just vulnerability<br>
Frech>  XF:nt-display-last-username(1353)
Use it if you will. :-) If not, let us know so I can remove the CAN
reference from our database.<br>
Christey>  MSKB:Q114463
http://support.microsoft.com/support/kb/articles/q114/4/63.asp<br>

Name: CVE-1999-0593

Description:

The default setting for the Winlogon key entry ShutdownWithoutLogon in Windows NT allows users with physical access to shut down a Windows NT system without logging in.

Status:Candidate
Phase: Modified (20091029)
Reference: CONFIRM:http://technet.microsoft.com/en-us/library/cc722469.aspx
Reference: MISC:http://www.microsoft.com/technet/archive/winntas/deploy/confeat/06wntpcc.mspx?mfr=true
Reference: OSVDB:59333
Reference: URL:http://osvdb.org/59333
Reference: XF:nt-shutdown-without-logon(1291)
Reference: URL:https://exchange.xforce.ibmcloud.com/vulnerabilities/1291

Votes:
ACCEPT(1)  Wall<br>
MODIFY(1)  Frech<br>
NOOP(1)  Baker<br>
REJECT(1)  Northcutt<br>
Voter Comments:
Wall>  Still a denial of service.<br>
Northcutt>  May well be appropriate<br>
Frech>  XF:nt-shutdown-without-logon(1291)<br>

Name: CVE-1999-0594

Description:

A Windows NT system does not restrict access to removable media drives such as a floppy disk drive or CDROM drive.

Status:Candidate
Phase: Proposed (19990728)

Votes:
ACCEPT(1)  Wall<br>
MODIFY(1)  Frech<br>
NOOP(2)  Baker, Christey<br>
REJECT(1)  Northcutt<br>
Voter Comments:
Wall>  Perhaps it can be re-worded to "removable media drives
such as a floppy disk drive or CDROM drive can be accessed (shared) in a
Windows NT system."<br>
Northcutt>  - what good is my NT w/o its floppy<br>
Frech>  XF:nt-allocate-cdroms(1294)
XF:nt-allocate-floppy(1318)<br>
Christey>  MSKB:Q172520
URL:http://support.microsoft.com/support/kb/articles/q172/5/20.asp<br>

Name: CVE-1999-0595

Description:

A Windows NT system does not clear the system page file during shutdown, which might allow sensitive information to be recorded.

Status:Candidate
Phase: Proposed (19990728)
Reference: MSKB:Q182086

Votes:
ACCEPT(2)  Baker, Wall<br>
MODIFY(1)  Frech<br>
NOOP(1)  Northcutt<br>
Voter Comments:
Frech>  XF:nt-clearpage(216)
XF:reg-pagefile-clearing(2551)<br>

Name: CVE-1999-0596

Description:

A Windows NT log file has an inappropriate maximum size or retention period.

Status:Candidate
Phase: Proposed (19990728)

Votes:
MODIFY(1)  Frech<br>
NOOP(1)  Baker<br>
REJECT(2)  Northcutt, Wall<br>
Voter Comments:
Northcutt>  define appropriate<br>
Frech>  XF:reg-app-log-small(2521)
XF:reg-sec-log-maxsize(2577)
XF:reg-sys-log-small(2586)<br>

Name: CVE-1999-0597

Description:

A Windows NT account policy does not forcibly disconnect remote users from the server when their logon hours expire.

Status:Candidate
Phase: Proposed (19990728)

Votes:
ACCEPT(1)  Northcutt<br>
MODIFY(1)  Frech<br>
NOOP(1)  Baker<br>
REJECT(1)  Wall<br>
Voter Comments:
Frech>  XF:nt-forced-logoff(1343)<br>

Name: CVE-1999-0598

Description:

A network intrusion detection system (IDS) does not properly handle packets that are sent out of order, allowing an attacker to escape detection.

Status:Candidate
Phase: Proposed (19990726)

Votes:
ACCEPT(3)  Armstrong, Baker, Northcutt<br>
NOOP(1)  Frech<br>
REVIEWING(1)  Christey<br>
Voter Comments:
Frech>  Waiting for CIEL.<br>
Christey>  This is a design flaw, along with the other reported IDS
problems; at least reference Ptacek/Newsham's paper.<br>
Christey>  URL:http://www.robertgraham.com/mirror/Ptacek-Newsham-Evasion-98.html<br>

Name: CVE-1999-0599

Description:

A network intrusion detection system (IDS) does not properly handle packets with improper sequence numbers.

Status:Candidate
Phase: Proposed (19990726)

Votes:
ACCEPT(2)  Baker, Northcutt<br>
NOOP(1)  Frech<br>
REVIEWING(1)  Christey<br>
Voter Comments:
Frech>  Waiting for CIEL.<br>
Christey>  This is a design flaw, along with the other reported IDS
problems; at least reference Ptacek/Newsham's paper.<br>
Christey>  URL:http://www.robertgraham.com/mirror/Ptacek-Newsham-Evasion-98.html<br>

Name: CVE-1999-0600

Description:

A network intrusion detection system (IDS) does not verify the checksum on a packet.

Status:Candidate
Phase: Proposed (19990726)

Votes:
ACCEPT(2)  Baker, Northcutt<br>
NOOP(1)  Frech<br>
REVIEWING(1)  Christey<br>
Voter Comments:
Frech>  Waiting for CIEL.<br>
Christey>  This is a design flaw, along with the other reported IDS
problems; at least reference Ptacek/Newsham's paper.<br>
Christey>  URL:http://www.robertgraham.com/mirror/Ptacek-Newsham-Evasion-98.html<br>

Name: CVE-1999-0601

Description:

A network intrusion detection system (IDS) does not properly handle data within TCP handshake packets.

Status:Candidate
Phase: Proposed (19990726)

Votes:
ACCEPT(2)  Baker, Northcutt<br>
NOOP(1)  Frech<br>
REVIEWING(1)  Christey<br>
Voter Comments:
Frech>  Waiting for Godot, er, CIEL.<br>
Christey>  This is a design flaw, along with the other reported IDS
problems; at least reference Ptacek/Newsham's paper.<br>
Christey>  URL:http://www.robertgraham.com/mirror/Ptacek-Newsham-Evasion-98.html<br>

Name: CVE-1999-0602

Description:

A network intrusion detection system (IDS) does not properly reassemble fragmented packets.

Status:Candidate
Phase: Proposed (19990726)

Votes:
ACCEPT(2)  Baker, Northcutt<br>
NOOP(1)  Frech<br>
REVIEWING(1)  Christey<br>
Voter Comments:
Frech>  Waiting for CIEL.<br>
Christey>  This is a design flaw, along with the other reported IDS
problems; at least reference Ptacek/Newsham's paper.<br>
Christey>  URL:http://www.robertgraham.com/mirror/Ptacek-Newsham-Evasion-98.html<br>

Name: CVE-1999-0603

Description:

In Windows NT, an inappropriate user is a member of a group, e.g. Administrator, Backup Operators, Domain Admins, Domain Guests, Power Users, Print Operators, Replicators, System Operators, etc.

Status:Candidate
Phase: Proposed (19990728)

Votes:
MODIFY(1)  Frech<br>
NOOP(1)  Baker<br>
REJECT(2)  Northcutt, Wall<br>
Voter Comments:
Frech>  XF:nt-system-operator
XF:nt-admin-group
XF:nt-replicator
XF:nt-print-operator
XF:nt-power-user
XF:nt-guest-in-group
XF:nt-backup-operator
XF:nt-domain-admin
XF:nt-domain-guest
XF:win2k-acct-oper-grp
XF:win2k-admin-grp
XF:win2k-backup-oper-grp
XF:win2k-certpublishers-grp
XF:win2k-dhcp-admin-grp
XF:win2k-dnsadm-grp
XF:win2k-domainadm-grp
XF:win2k-entadm-grp
XF:win2k-printoper-grp
XF:win2k-replicator-grp
XF:win2k-schemaadm-grp
XF:win2k-serveroper-grp
You asked for it... :-) Use or reject at your discretion. If rejected,
please let us know so we can remove CAN references from database.<br>

Name: CVE-1999-0604

Description:

An incorrect configuration of the WebStore 1.0 shopping cart CGI program "web_store.cgi" could disclose private information.

Status:Candidate
Phase: Proposed (19990728)
Reference: BUGTRAQ:19990420 Shopping Carts exposing CC data
Reference: URL:http://marc.info/?l=bugtraq&m=92462991805485&w=2

Votes:
ACCEPT(1)  Baker<br>
MODIFY(1)  Frech<br>
NOOP(2)  Northcutt, Wall<br>
Voter Comments:
Frech>  XF:webstore-misconfig(3861)<br>

Name: CVE-1999-0605

Description:

An incorrect configuration of the Order Form 1.0 shopping cart CGI program could disclose private information.

Status:Candidate
Phase: Proposed (19990728)
Reference: BUGTRAQ:19990420 Shopping Carts exposing CC data
Reference: URL:http://marc.info/?l=bugtraq&m=92462991805485&w=2

Votes:
ACCEPT(1)  Baker<br>
MODIFY(1)  Frech<br>
NOOP(3)  Christey, Northcutt, Wall<br>
Voter Comments:
Frech>  XF:orderform-misconfig(3860)<br>
Christey>  BID:2021<br>
Christey>  Mention affected files: order_log_v12.dat and order_log.dat
fix version number (1.2)<br>

Name: CVE-1999-0606

Description:

An incorrect configuration of the EZMall 2000 shopping cart CGI program "mall2000.cgi" could disclose private information.

Status:Candidate
Phase: Proposed (19990728)
Reference: BUGTRAQ:19990420 Shopping Carts exposing CC data
Reference: URL:http://marc.info/?l=bugtraq&m=92462991805485&w=2

Votes:
ACCEPT(1)  Baker<br>
MODIFY(1)  Frech<br>
NOOP(3)  Christey, Northcutt, Wall<br>
Voter Comments:
Frech>  XF:ezmall2000-misconfig(3859)<br>
Christey>  Add mall_log_files/order.log to desc<br>

Name: CVE-1999-0607

Description:

quikstore.cgi in QuikStore shopping cart stores quikstore.cfg under the web document root with insufficient access control, which allows remote attackers to obtain the cleartext administrator password and gain privileges.

Status:Candidate
Phase: Modified (20060608)
Reference: BUGTRAQ:19990420 Shopping Carts exposing CC data
Reference: URL:http://marc.info/?l=bugtraq&m=92462991805485&w=2

Votes:
ACCEPT(1)  Baker<br>
MODIFY(1)  Frech<br>
NOOP(3)  Christey, Northcutt, Wall<br>
Voter Comments:
Frech>  XF:quikstore-misconfig(3858)<br>
Christey>  http://www.quikstore.com/help/pages/Security/security.htm says:

"It is IMPORTANT that during the setup of the QuikStore program, you
check to make sure that the cgi-bin or executable program directory
of your web site not be viewable from the outside world. You don't
want the users to have access to your programs or log files that could
be stored there!

...

If you can view or download these files from the browser, someone
else can too"

So is this a configuration problem?  See the configuration file at
http://www.quikstore.com/help/pages/Configuration/configparametersfull.htm
The [DIRECTORY_PATHS] section identifies pathnames and describes how
pathnames are constructed.  It clearly uses relative pathnames,
so all data is underneath the base directory!!

If we call this a configuration problem, then maybe this (and
all other "CGI-data-in-web-tree" configuration problems) should
be combined.<br>
Christey>  Consider adding BID:1983<br>

Name: CVE-1999-0608

Description:

An incorrect configuration of the PDG Shopping Cart CGI program "shopper.cgi" could disclose private information.

Status:Entry
Reference: BUGTRAQ:19990420 Shopping Carts exposing CC data
Reference: URL:http://marc.info/?l=bugtraq&m=92462991805485&w=2
Reference: CONFIRM:http://www.pdgsoft.com/Security/security.html.
Reference: XF:pdgsoftcart-misconfig(3857)
Reference: URL:https://exchange.xforce.ibmcloud.com/vulnerabilities/3857

Name: CVE-1999-0609

Description:

An incorrect configuration of the SoftCart CGI program "SoftCart.exe" could disclose private information.

Status:Candidate
Phase: Proposed (19990728)
Reference: BUGTRAQ:19990420 Shopping Carts exposing CC data
Reference: URL:http://marc.info/?l=bugtraq&m=92462991805485&w=2

Votes:
ACCEPT(1)  Baker<br>
MODIFY(1)  Frech<br>
NOOP(3)  Christey, Northcutt, Wall<br>
Voter Comments:
Frech>  XF:softcart-misconfig(3856)<br>
Christey>  Consider adding BID:2055<br>

Name: CVE-1999-0610

Description:

An incorrect configuration of the Webcart CGI program could disclose private information.

Status:Candidate
Phase: Proposed (19990728)
Reference: BUGTRAQ:19990420 Shopping Carts exposing CC data
Reference: URL:http://marc.info/?l=bugtraq&m=92462991805485&w=2

Votes:
ACCEPT(1)  Baker<br>
MODIFY(1)  Frech<br>
NOOP(2)  Northcutt, Wall<br>
Voter Comments:
Frech>  Cite reference as:
BUGTRAQ:19990424  Re: Shopping Carts exposing CC data 
URL:http://www.securityfocus.com/frames/?content=/templates/archive.pike%3Flist%3D1%26date%3D2000-08-22%26msg%3D3720E2B6.6031A2E7@datashopper.dk<br>
CHANGE>  [Frech changed vote from REVIEWING to MODIFY]<br>
Frech>  XF:webcart-data-exposure(8374)<br>

Name: CVE-1999-0611

Description:

A system-critical Windows NT registry key has an inappropriate value.

Status:Candidate
Phase: Proposed (19990803)

Votes:
ACCEPT(1)  Wall<br>
NOOP(1)  Baker<br>
RECAST(1)  Northcutt<br>
Voter Comments:
Northcutt>  I think we can define appropriate, take a look at the nt security .pdf
and see if you can't see a way to phrase specific keys in a way that
defines inappropriate.<br>
Baker>  too vague<br>

Name: CVE-1999-0612

Description:

A version of finger is running that exposes valid user information to any entity on the network.

Status:Entry
Reference: XF:finger-out
Reference: XF:finger-running

Name: CVE-1999-0613

Description:

The rpc.sprayd service is running.

Status:Candidate
Phase: Proposed (19990721)

Votes:
ACCEPT(2)  Baker, Ozancin<br>
MODIFY(1)  Frech<br>
NOOP(1)  Wall<br>
REJECT(1)  Northcutt<br>
Voter Comments:
Frech>  XF:sprayd<br>

Name: CVE-1999-0614

Description:

** REJECT ** DO NOT USE THIS CANDIDATE NUMBER. ConsultIDs: None. Reason: this candidate is solely about a configuration that does not directly introduce security vulnerabilities, so it is more appropriate to cover under the Common Configuration Enumeration (CCE). Notes: the former description is: "The FTP service is running."

Status:Candidate
Phase: Modified (20080731)

Votes:
ACCEPT(2)  Baker, Wall<br>
REJECT(1)  Northcutt<br>
Voter Comments:


Name: CVE-1999-0615

Description:

** REJECT ** DO NOT USE THIS CANDIDATE NUMBER. ConsultIDs: None. Reason: this candidate is solely about a configuration that does not directly introduce security vulnerabilities, so it is more appropriate to cover under the Common Configuration Enumeration (CCE). Notes: the former description is: "The SNMP service is running."

Status:Candidate
Phase: Modified (20080731)

Votes:
ACCEPT(3)  Baker, Prosser, Wall<br>
NOOP(1)  Christey<br>
REJECT(1)  Northcutt<br>
Voter Comments:
Baker>  Although newer versions of snmp are not as vulnerable as prior versions,
this can still be a significant risk of exploitation, as seen in recent
attacks on snmp services via automated worms<br>
Christey>  XF:snmp(132) ?<br>
Prosser>  This fits the "exposure" description although we also know there are many vulnerabilities in SNMP.  This is more of a policy/best practice issue for administrators.  If you need SNMP lock it down as tight as you can, if you don't need it, don't run it.<br>

Name: CVE-1999-0616

Description:

** REJECT ** DO NOT USE THIS CANDIDATE NUMBER. ConsultIDs: None. Reason: this candidate is solely about a configuration that does not directly introduce security vulnerabilities, so it is more appropriate to cover under the Common Configuration Enumeration (CCE). Notes: the former description is: "The TFTP service is running."

Status:Candidate
Phase: Modified (20080731)

Votes:
ACCEPT(2)  Baker, Wall<br>
REJECT(1)  Northcutt<br>
Voter Comments:


Name: CVE-1999-0617

Description:

** REJECT ** DO NOT USE THIS CANDIDATE NUMBER. ConsultIDs: None. Reason: this candidate is solely about a configuration that does not directly introduce security vulnerabilities, so it is more appropriate to cover under the Common Configuration Enumeration (CCE). Notes: the former description is: "The SMTP service is running."

Status:Candidate
Phase: Modified (20080731)

Votes:
ACCEPT(2)  Baker, Wall<br>
REJECT(1)  Northcutt<br>
Voter Comments:


Name: CVE-1999-0618

Description:

The rexec service is running.

Status:Candidate
Phase: Modified (19990921)
Reference: XF:rexec

Votes:
ACCEPT(4)  Baker, Northcutt, Ozancin, Wall<br>
MODIFY(1)  Frech<br>
Voter Comments:
Frech>  XF:decod-rexec
XF:rexec<br>

Name: CVE-1999-0619

Description:

** REJECT ** DO NOT USE THIS CANDIDATE NUMBER. ConsultIDs: None. Reason: this candidate is solely about a configuration that does not directly introduce security vulnerabilities, so it is more appropriate to cover under the Common Configuration Enumeration (CCE). Notes: the former description is: "The Telnet service is running."

Status:Candidate
Phase: Modified (20080731)

Votes:
ACCEPT(2)  Baker, Wall<br>
REJECT(1)  Northcutt<br>
Voter Comments:


Name: CVE-1999-0620

Description:

** REJECT ** DO NOT USE THIS CANDIDATE NUMBER. ConsultIDs: None. Reason: this candidate is solely about a configuration that does not directly introduce security vulnerabilities, so it is more appropriate to cover under the Common Configuration Enumeration (CCE). Notes: the former description is: "A component service related to NIS is running."

Status:Candidate
Phase: Modified (20080731)

Votes:
ACCEPT(2)  Baker, Wall<br>
NOOP(1)  Christey<br>
REJECT(1)  Northcutt<br>
Voter Comments:
Christey>  XF:ypserv(261)<br>

Name: CVE-1999-0621

Description:

** REJECT ** DO NOT USE THIS CANDIDATE NUMBER. ConsultIDs: None. Reason: this candidate is solely about a configuration that does not directly introduce security vulnerabilities, so it is more appropriate to cover under the Common Configuration Enumeration (CCE). Notes: the former description is: "A component service related to NETBIOS is running."

Status:Candidate
Phase: Modified (20080731)
Reference: OVAL:oval:org.mitre.oval:def:1024
Reference: URL:http://oval.mitre.org/repository/data/getDef?id=oval:org.mitre.oval:def:1024

Votes:
ACCEPT(2)  Baker, Wall<br>
MODIFY(1)  Frech<br>
REJECT(2)  LeBlanc, Northcutt<br>
Voter Comments:
LeBlanc>  There is insufficient description to even know what this is.
Lots of component services related to NetBIOS run, and usually do not
constitute a problem.<br>
Frech>  associated to:
XF:nt-alerter(29)
XF:nt-messenger(69)
XF:reg-ras-gateway-enabled(2567)<br>

Name: CVE-1999-0622

Description:

** REJECT ** DO NOT USE THIS CANDIDATE NUMBER. ConsultIDs: None. Reason: this candidate is solely about a configuration that does not directly introduce security vulnerabilities, so it is more appropriate to cover under the Common Configuration Enumeration (CCE). Notes: the former description is: "A component service related to DNS service is running."

Status:Candidate
Phase: Modified (20080731)

Votes:
ACCEPT(2)  Baker, Wall<br>
REJECT(1)  Northcutt<br>
Voter Comments:


Name: CVE-1999-0623

Description:

** REJECT ** DO NOT USE THIS CANDIDATE NUMBER. ConsultIDs: None. Reason: this candidate is solely about a configuration that does not directly introduce security vulnerabilities, so it is more appropriate to cover under the Common Configuration Enumeration (CCE). Notes: the former description is: "The X Windows service is running."

Status:Candidate
Phase: Modified (20080731)

Votes:
ACCEPT(2)  Baker, Wall<br>
NOOP(1)  Christey<br>
REJECT(1)  Northcutt<br>
Voter Comments:
Christey>  Add "X11" to facilitate search.<br>

Name: CVE-1999-0624

Description:

The rstat/rstatd service is running.

Status:Candidate
Phase: Interim (19990925)
Reference: XF:rstat-out
Reference: XF:rstatd

Votes:
ACCEPT(3)  Baker, Northcutt, Ozancin<br>
MODIFY(1)  Frech<br>
NOOP(2)  Meunier, Wall<br>
Voter Comments:
Frech>  XF:rstat-out
XF:rstatd<br>

Name: CVE-1999-0625

Description:

The rpc.rquotad service is running.

Status:Candidate
Phase: Proposed (19990721)

Votes:
ACCEPT(3)  Baker, Northcutt, Ozancin<br>
MODIFY(1)  Frech<br>
NOOP(1)  Wall<br>
Voter Comments:
Frech>  XF:rquotad<br>

Name: CVE-1999-0626

Description:

A version of rusers is running that exposes valid user information to any entity on the network.

Status:Entry
Reference: XF:ruser
Reference: XF:rusersd

Name: CVE-1999-0627

Description:

The rexd service is running, which uses weak authentication that can allow an attacker to execute commands.

Status:Entry
Reference: XF:rexd

Name: CVE-1999-0628

Description:

The rwho/rwhod service is running, which exposes machine status and user information.

Status:Entry
Reference: XF:rwhod

Name: CVE-1999-0629

Description:

The ident/identd service is running.

Status:Candidate
Phase: Proposed (19990721)

Votes:
ACCEPT(2)  Baker, Ozancin<br>
MODIFY(1)  Frech<br>
NOOP(2)  Christey, Wall<br>
REJECT(1)  Northcutt<br>
Voter Comments:
Frech>  possibly XF:identd?<br>
Christey>  XF:ident-users(318) ?<br>
CHANGE>  [Frech changed vote from REVIEWING to MODIFY]<br>
Frech>  XF:identd-vuln(61)
XF:ident-users(318)<br>

Name: CVE-1999-0630

Description:

The NT Alerter and Messenger services are running.

Status:Candidate
Phase: Proposed (19990804)

Votes:
ACCEPT(2)  Baker, Wall<br>
NOOP(1)  Christey<br>
REJECT(1)  Northcutt<br>
Voter Comments:
Christey>  http://support.microsoft.com/support/kb/articles/q189/2/71.asp<br>

Name: CVE-1999-0631

Description:

** REJECT ** DO NOT USE THIS CANDIDATE NUMBER. ConsultIDs: None. Reason: this candidate is solely about a configuration that does not directly introduce security vulnerabilities, so it is more appropriate to cover under the Common Configuration Enumeration (CCE). Notes: the former description is: "The NFS service is running."

Status:Candidate
Phase: Modified (20080731)

Votes:
ACCEPT(2)  Baker, Wall<br>
NOOP(1)  Christey<br>
REJECT(1)  Northcutt<br>
Voter Comments:
Christey>  XF:nfs-nfsd(76) ?<br>
Christey>  Add rpc.mountd/mountd to facilitate search.<br>

Name: CVE-1999-0632

Description:

The RPC portmapper service is running.

Status:Candidate
Phase: Proposed (19990804)

Votes:
ACCEPT(2)  Baker, Wall<br>
REJECT(1)  Northcutt<br>
Voter Comments:


Name: CVE-1999-0633

Description:

** REJECT ** DO NOT USE THIS CANDIDATE NUMBER. ConsultIDs: None. Reason: this candidate is solely about a configuration that does not directly introduce security vulnerabilities, so it is more appropriate to cover under the Common Configuration Enumeration (CCE). Notes: the former description is: "The HTTP/WWW service is running."

Status:Candidate
Phase: Modified (20080731)

Votes:
ACCEPT(2)  Baker, Wall<br>
REJECT(1)  Northcutt<br>
Voter Comments:


Name: CVE-1999-0634

Description:

** REJECT ** DO NOT USE THIS CANDIDATE NUMBER. ConsultIDs: None. Reason: this candidate is solely about a configuration that does not directly introduce security vulnerabilities, so it is more appropriate to cover under the Common Configuration Enumeration (CCE). Notes: the former description is: "The SSH service is running."

Status:Candidate
Phase: Modified (20080731)

Votes:
ACCEPT(2)  Baker, Wall<br>
REJECT(1)  Northcutt<br>
Voter Comments:


Name: CVE-1999-0635

Description:

The echo service is running.

Status:Candidate
Phase: Modified (20060122)
Reference: FULLDISC:20060116 ACT P202S VoIP wireless phone multiple undocumented ports/services
Reference: URL:http://lists.grok.org.uk/pipermail/full-disclosure/2006-January/041434.html
Reference: SECUNIA:18514
Reference: URL:http://secunia.com/advisories/18514

Votes:
ACCEPT(3)  Baker, Northcutt, Wall<br>
REVIEWING(1)  Christey<br>
Voter Comments:
Northcutt>  The method to my madness is echo is the common denom in the dos attack<br>
Christey>  How much of this is an overlap with the echo/chargen flood
problem (CVE-1999-0103)?  If this is only an exposure because
of CVE-1999-0103, then maybe this should be REJECTed.<br>

Name: CVE-1999-0636

Description:

The discard service is running.

Status:Candidate
Phase: Proposed (19990804)

Votes:
ACCEPT(1)  Baker<br>
NOOP(1)  Wall<br>
REJECT(1)  Northcutt<br>
Voter Comments:


Name: CVE-1999-0637

Description:

The systat service is running.

Status:Candidate
Phase: Proposed (19990804)

Votes:
ACCEPT(2)  Baker, Wall<br>
REJECT(1)  Northcutt<br>
Voter Comments:


Name: CVE-1999-0638

Description:

The daytime service is running.

Status:Candidate
Phase: Proposed (19990804)

Votes:
ACCEPT(1)  Baker<br>
NOOP(1)  Wall<br>
REJECT(1)  Northcutt<br>
Voter Comments:


Name: CVE-1999-0639

Description:

The chargen service is running.

Status:Candidate
Phase: Proposed (19990804)

Votes:
ACCEPT(2)  Baker, Wall<br>
REJECT(1)  Northcutt<br>
REVIEWING(1)  Christey<br>
Voter Comments:
Christey>  How much of this is an overlap with the echo/chargen flood
problem (CVE-1999-0103)?  If this is only an exposure because
of CVE-1999-0103, then maybe this should be REJECTed.<br>

Name: CVE-1999-0640

Description:

The Gopher service is running.

Status:Candidate
Phase: Proposed (19990804)

Votes:
ACCEPT(2)  Baker, Wall<br>
REJECT(1)  Northcutt<br>
Voter Comments:


Name: CVE-1999-0641

Description:

The UUCP service is running.

Status:Candidate
Phase: Proposed (19990804)

Votes:
ACCEPT(2)  Baker, Wall<br>
REJECT(1)  Northcutt<br>
Voter Comments:


Name: CVE-1999-0642

Description:

** REJECT ** DO NOT USE THIS CANDIDATE NUMBER. ConsultIDs: None. Reason: this candidate is solely about a configuration that does not directly introduce security vulnerabilities, so it is more appropriate to cover under the Common Configuration Enumeration (CCE). Notes: the former description is: "A POP service is running."

Status:Candidate
Phase: Modified (20080731)

Votes:
ACCEPT(2)  Baker, Wall<br>
REJECT(1)  Northcutt<br>
Voter Comments:


Name: CVE-1999-0643

Description:

** REJECT ** DO NOT USE THIS CANDIDATE NUMBER. ConsultIDs: None. Reason: this candidate is solely about a configuration that does not directly introduce security vulnerabilities, so it is more appropriate to cover under the Common Configuration Enumeration (CCE). Notes: the former description is: "The IMAP service is running."

Status:Candidate
Phase: Modified (20080731)

Votes:
ACCEPT(2)  Baker, Wall<br>
REJECT(1)  Northcutt<br>
Voter Comments:


Name: CVE-1999-0644

Description:

** REJECT ** DO NOT USE THIS CANDIDATE NUMBER. ConsultIDs: None. Reason: this candidate is solely about a configuration that does not directly introduce security vulnerabilities, so it is more appropriate to cover under the Common Configuration Enumeration (CCE). Notes: the former description is: "The NNTP news service is running."

Status:Candidate
Phase: Modified (20080731)

Votes:
ACCEPT(2)  Baker, Wall<br>
NOOP(1)  Christey<br>
REJECT(1)  Northcutt<br>
Voter Comments:
Christey>  XF:nntp-post(88) ?<br>

Name: CVE-1999-0645

Description:

** REJECT ** DO NOT USE THIS CANDIDATE NUMBER. ConsultIDs: None. Reason: this candidate is solely about a configuration that does not directly introduce security vulnerabilities, so it is more appropriate to cover under the Common Configuration Enumeration (CCE). Notes: the former description is: "The IRC service is running."

Status:Candidate
Phase: Modified (20080731)

Votes:
ACCEPT(2)  Baker, Wall<br>
NOOP(1)  Christey<br>
REJECT(1)  Northcutt<br>
Voter Comments:
Christey>  XF:irc-server(767) ?<br>

Name: CVE-1999-0646

Description:

** REJECT ** DO NOT USE THIS CANDIDATE NUMBER. ConsultIDs: None. Reason: this candidate is solely about a configuration that does not directly introduce security vulnerabilities, so it is more appropriate to cover under the Common Configuration Enumeration (CCE). Notes: the former description is: "The LDAP service is running."

Status:Candidate
Phase: Modified (20080731)

Votes:
ACCEPT(2)  Baker, Wall<br>
REJECT(1)  Northcutt<br>
Voter Comments:


Name: CVE-1999-0647

Description:

** REJECT ** DO NOT USE THIS CANDIDATE NUMBER. ConsultIDs: None. Reason: this candidate is solely about a configuration that does not directly introduce security vulnerabilities, so it is more appropriate to cover under the Common Configuration Enumeration (CCE). Notes: the former description is: "The bootparam (bootparamd) service is running."

Status:Candidate
Phase: Modified (20080731)

Votes:
ACCEPT(2)  Baker, Ozancin<br>
MODIFY(1)  Frech<br>
NOOP(1)  Wall<br>
REJECT(1)  Northcutt<br>
Voter Comments:
Frech>  XF:bootp<br>

Name: CVE-1999-0648

Description:

** REJECT ** DO NOT USE THIS CANDIDATE NUMBER. ConsultIDs: None. Reason: this candidate is solely about a configuration that does not directly introduce security vulnerabilities, so it is more appropriate to cover under the Common Configuration Enumeration (CCE). Notes: the former description is: "The X25 service is running."

Status:Candidate
Phase: Modified (20080731)

Votes:
ACCEPT(2)  Baker, Wall<br>
REJECT(1)  Northcutt<br>
Voter Comments:


Name: CVE-1999-0649

Description:

** REJECT ** DO NOT USE THIS CANDIDATE NUMBER. ConsultIDs: None. Reason: this candidate is solely about a configuration that does not directly introduce security vulnerabilities, so it is more appropriate to cover under the Common Configuration Enumeration (CCE). Notes: the former description is: "The FSP service is running."

Status:Candidate
Phase: Modified (20080731)

Votes:
ACCEPT(1)  Baker<br>
NOOP(1)  Wall<br>
REJECT(1)  Northcutt<br>
Voter Comments:


Name: CVE-1999-0650

Description:

The netstat service is running, which provides sensitive information to remote attackers.

Status:Candidate
Phase: Modified (20060608)
Reference: XF:netstat(72)
Reference: URL:https://exchange.xforce.ibmcloud.com/vulnerabilities/72

Votes:
ACCEPT(2)  Baker, Wall<br>
REJECT(1)  Northcutt<br>
Voter Comments:


Name: CVE-1999-0651

Description:

The rsh/rlogin service is running.

Status:Candidate
Phase: Proposed (19990804)

Votes:
ACCEPT(2)  Baker, Wall<br>
MODIFY(1)  Frech<br>
NOOP(1)  Christey<br>
REJECT(1)  Northcutt<br>
Voter Comments:
Christey>  aka "shell" on UNIX systems (at least Solaris) in the
/etc/inetd.conf file.<br>
Frech>  associated to:
XF:nt-rlogin(92) 
XF:rsh-svc(114)
XF:rshd(2995)<br>

Name: CVE-1999-0652

Description:

** REJECT ** DO NOT USE THIS CANDIDATE NUMBER. ConsultIDs: None. Reason: this candidate is solely about a configuration that does not directly introduce security vulnerabilities, so it is more appropriate to cover under the Common Configuration Enumeration (CCE). Notes: the former description is: "A database service is running, e.g. a SQL server, Oracle, or mySQL."

Status:Candidate
Phase: Modified (20080731)

Votes:
ACCEPT(1)  Baker<br>
MODIFY(1)  Frech<br>
NOOP(1)  Wall<br>
REJECT(1)  Northcutt<br>
Voter Comments:
Frech>  XF:nt-sql-server(1289)
XF:msql-detect(2211)
XF:oracle-detect(2388)
XF:sybase-detect-namedpipes(1461)<br>

Name: CVE-1999-0653

Description:

A component service related to NIS+ is running.

Status:Candidate
Phase: Proposed (19990804)

Votes:
ACCEPT(2)  Baker, Wall<br>
REJECT(1)  Northcutt<br>
Voter Comments:


Name: CVE-1999-0654

Description:

The OS/2 or POSIX subsystem in NT is enabled.

Status:Candidate
Phase: Proposed (19990728)

Votes:
ACCEPT(1)  Wall<br>
MODIFY(1)  Frech<br>
NOOP(2)  Baker, Christey<br>
REJECT(1)  Northcutt<br>
Voter Comments:
Wall>  These subsystems could still allow a process to persist across logins.<br>
Frech>  XF:nt-posix(217)
XF:nt-posix-sub-c2(2397)
XF:nt-posix-sub-onceonly(2478)
XF:nt-os2-sub(218)
XF:nt-os2-sub-c2(2396)
XF:nt-os2-sub-onceonly(2477)
XF:nt-os2-registry(2550)<br>
Christey>  s2-file-os2(1865)<br>

Name: CVE-1999-0655

Description:

** REJECT ** DO NOT USE THIS CANDIDATE NUMBER. ConsultIDs: None. Reason: this candidate is not about any specific product, protocol, or design, so it is out of scope of CVE. Notes: the former description is: "A service may include useful information in its banner or help function (such as the name and version), making it useful for information gathering activities."

Status:Candidate
Phase: Modified (20080731)

Votes:
ACCEPT(5)  Baker, Frech, Northcutt, Ozancin, Wall<br>
Voter Comments:
CHANGE>  [Frech changed vote from REVIEWING to ACCEPT]<br>

Name: CVE-1999-0656

Description:

The ugidd RPC interface, by design, allows remote attackers to enumerate valid usernames by specifying arbitrary UIDs that ugidd maps to local user and group names.

Status:Candidate
Phase: Modified (20080731)
Reference: MISC:http://ca.com/au/securityadvisor/vulninfo/Vuln.aspx?ID=1638
Reference: XF:linux-ugidd(348)
Reference: URL:https://exchange.xforce.ibmcloud.com/vulnerabilities/348

Votes:
ACCEPT(1)  Baker<br>
NOOP(1)  Wall<br>
REJECT(1)  Northcutt<br>
Voter Comments:


Name: CVE-1999-0657

Description:

WinGate is being used.

Status:Candidate
Phase: Proposed (19990804)

Votes:
ACCEPT(1)  Baker<br>
NOOP(1)  Wall<br>
REJECT(1)  Northcutt<br>
Voter Comments:


Name: CVE-1999-0658

Description:

** REJECT ** DO NOT USE THIS CANDIDATE NUMBER. ConsultIDs: None. Reason: this candidate is solely about a configuration that does not directly introduce security vulnerabilities, so it is more appropriate to cover under the Common Configuration Enumeration (CCE). Notes: the former description is: "DCOM is running."

Status:Candidate
Phase: Modified (20080731)

Votes:
ACCEPT(2)  Baker, Wall<br>
REJECT(1)  Northcutt<br>
Voter Comments:


Name: CVE-1999-0659

Description:

** REJECT ** DO NOT USE THIS CANDIDATE NUMBER. ConsultIDs: None. Reason: this candidate is solely about a configuration that does not directly introduce security vulnerabilities, so it is more appropriate to cover under the Common Configuration Enumeration (CCE). Notes: the former description is: "A Windows NT Primary Domain Controller (PDC) or Backup Domain Controller (BDC) is present."

Status:Candidate
Phase: Modified (20080731)

Votes:
REJECT(3)  Baker, Northcutt, Wall
Voter Comments:
Wall>  Don't consider this a service or a problem.
Baker>  concur with wall on this

Name: CVE-1999-0660

Description:

** REJECT ** DO NOT USE THIS CANDIDATE NUMBER. ConsultIDs: None. Reason: this candidate is not about any specific product, protocol, or design, so it is out of scope of CVE. It might be more appropriate to cover under the Common Configuration Enumeration (CCE). Notes: the former description is: "A hacker utility, back door, or Trojan Horse is installed on a system, e.g. NetBus, Back Orifice, Rootkit, etc."

Status:Candidate
Phase: Modified (20080730)

Votes:
ACCEPT(4)  Baker, Hill, Northcutt, Wall
NOOP(1)  Christey
Voter Comments:
Christey>  Add "back door" to description.

Name: CVE-1999-0661

Description:

A system is running a version of software that was replaced with a Trojan Horse at one of its distribution points, such as (1) TCP Wrappers 7.6, (2) util-linux 2.9g, (3) wuarchive ftpd (wuftpd) 2.2 and 2.1f, (4) IRC client (ircII) ircII 2.2.9, (5) OpenSSH 3.4p1, or (6) Sendmail 8.12.6.

Status:Candidate
Phase: Modified (20050529)
Reference: BID:5921
Reference: URL:http://www.securityfocus.com/bid/5921
Reference: BUGTRAQ:20020801 OpenSSH Security Advisory: Trojaned Distribution Files
Reference: URL:http://marc.info/?l=bugtraq&m=102821663814127&w=2
Reference: BUGTRAQ:20020801 trojan horse in recent openssh (version 3.4 portable 1)
Reference: URL:http://marc.info/?l=bugtraq&m=102820843403741&w=2
Reference: BUGTRAQ:20021009 Re: CERT Advisory CA-2002-28 Trojan Horse Sendmail
Reference: URL:http://online.securityfocus.com/archive/1/294539
Reference: CERT:CA-1994-07
Reference: URL:http://www.cert.org/advisories/CA-1994-07.html
Reference: CERT:CA-1994-14
Reference: URL:http://www.cert.org/advisories/CA-1994-14.html
Reference: CERT:CA-1999-01
Reference: URL:http://www.cert.org/advisories/CA-1999-01.html
Reference: CERT:CA-1999-02
Reference: URL:http://www.cert.org/advisories/CA-1999-02.html
Reference: CERT:CA-2002-28
Reference: URL:http://www.cert.org/advisories/CA-2002-28.html
Reference: XF:sendmail-backdoor(10313)
Reference: URL:http://www.iss.net/security_center/static/10313.php

Votes:
ACCEPT(4)  Baker, Hill, Northcutt, Wall
REVIEWING(1)  Christey
Voter Comments:
Christey>  Should add the specific CERT advisory references for
well-known Trojaned software.
TCP Wrappers ->  CERT:CA-1999-01
CERT:CA-1999-02 includes util-linux
wuarchive - CERT:CA-94.07
IRC client - CERT:CA-1994-14
Christey>  BUGTRAQ:20020801 trojan horse in recent openssh (version 3.4 portable 1)
Modify description to use dot notation.
Christey>  CERT:CA-2002-24
URL:http://www.cert.org/advisories/CA-2002-24.html
XF:openssh-backdoor(9763)
URL:http://www.iss.net/security_center/static/9763.php
BID:5374
URL:http://www.securityfocus.com/bid/5374
CHANGE>  [Christey changed vote from NOOP to REVIEWING]
Christey>  Add libpcap and tcpdump:
BUGTRAQ:20021113 Latest libpcap & tcpdump sources from tcpdump.org contain a trojan
URL:http://marc.theaimsgroup.com/?l=bugtraq&m=103722456708471&w=2
CERT:CA-2002-30
URL:http://www.cert.org/advisories/CA-2002-30.html

This CAN has been active for over 4 years.  At this moment, my
thinking is that we should SPLIT this CAN into each separate
trojaned product, then create some criteria that restrict
creation of new CANs to "widespread" or "important" products only.

Name: CVE-1999-0662

Description:

A system-critical program or library does not have the appropriate patch, hotfix, or service pack installed, or is outdated or obsolete.

Status:Candidate
Phase: Proposed (19990804)

Votes:
ACCEPT(4)  Baker, Hill, Northcutt, Wall
Voter Comments:


Name: CVE-1999-0663

Description:

A system-critical program, library, or file has a checksum or other integrity measurement that indicates that it has been modified.

Status:Candidate
Phase: Proposed (19990804)

Votes:
ACCEPT(3)  Baker, Hill, Wall
RECAST(1)  Northcutt
Voter Comments:
Northcutt>  This needs to be worded carefully.
1. Rootkits evade checksum detection.
2. The modification could be positive (a patch)

Name: CVE-1999-0664

Description:

An application-critical Windows NT registry key has inappropriate permissions.

Status:Candidate
Phase: Proposed (19990803)

Votes:
ACCEPT(1)  Wall
NOOP(1)  Baker
RECAST(2)  Christey, Northcutt
Voter Comments:
Northcutt>  I think we can define appropriate, take a look at the nt security .pdf
and see if you can't see a way to phrase specific keys in a way that
defines inappropriate.
Christey>  Upon further reflection, this is too high-level for CVE.
Specific registry keys with bad permissions is roughly
equivalent to Unix configuration files that have bad
permissions; those permission problems can be created by
any vendor, not just a specific one.  Therefore this
candidate should be RECAST into each separate registry
key that has this problem.

Name: CVE-1999-0665

Description:

An application-critical Windows NT registry key has an inappropriate value.

Status:Candidate
Phase: Proposed (19990803)

Votes:
ACCEPT(1)  Wall
NOOP(1)  Baker
RECAST(1)  Northcutt
Voter Comments:
Northcutt>  I think we can define appropriate, take a look at the nt security .pdf
and see if you can't see a way to phrase specific keys in a way that
defines inappropriate.
Baker>  very vague

Name: CVE-1999-0667

Description:

The ARP protocol allows any host to spoof ARP replies and poison the ARP cache to conduct IP address spoofing or a denial of service.

Status:Candidate
Phase: Proposed (19991222)

Votes:
ACCEPT(2)  Blake, Cole
MODIFY(1)  Stracener
NOOP(2)  Baker, Christey
REJECT(1)  Frech
Voter Comments:
Stracener>  Add Ref: BUGTRAQ:19970919 Playing redir games with ARP and ICMP
Frech>  Cannot proceed without a reference. Too vague, and resembles XF:netbsd-arp:
CVE-1999-0763: NetBSD on a multi-homed host allows ARP packets on one
network to modify ARP entries on another connected network.
CVE-1999-0764: NetBSD allows ARP packets to overwrite static ARP entries.
Will reconsider if reference provides enough information to render a
distinction.
Christey>  This particular vulnerability was exploited by an attacker
during the ID'Net IDS test network exercise at the SANS
Network Security '99 conference.  The attacker adapted a
publicly available program that was able to spoof another
machine on the same physical network.

See http://marc.theaimsgroup.com/?l=bugtraq&m=87602880019797&w=2
for the Bugtraq reference that Tom Stracener suggested.
This generated a long thread on Bugtraq in 1997.
Blake>  I'll second Tom's request to add the reference, it's a very
good posting and the vulnerability is clearly derivative of
the work.

(I do recall talking to the guy and drafting a description.)

Name: CVE-1999-0668

Description:

The scriptlet.typelib ActiveX control is marked as "safe for scripting" for Internet Explorer, which allows a remote attacker to execute arbitrary commands as demonstrated by Bubbleboy.

Status:Entry
Reference: BID:598
Reference: URL:http://www.securityfocus.com/bid/598
Reference: BUGTRAQ:19990821 IE 5.0 allows executing programs
Reference: CIAC:J-064
Reference: URL:http://ciac.llnl.gov/ciac/bulletins/j-064.shtml
Reference: MS:MS99-032
Reference: URL:https://docs.microsoft.com/en-us/security-updates/securitybulletins/1999/ms99-032
Reference: MSKB:Q240308
Reference: URL:http://support.microsoft.com/default.aspx?scid=kb;[LN];Q240308
Reference: XF:ms-scriptlet-eyedog-unsafe

Name: CVE-1999-0669

Description:

The Eyedog ActiveX control is marked as "safe for scripting" for Internet Explorer, which allows a remote attacker to execute arbitrary commands as demonstrated by Bubbleboy.

Status:Candidate
Phase: Interim (19991229)
Reference: CIAC:J-064
Reference: URL:http://ciac.llnl.gov/ciac/bulletins/j-064.shtml
Reference: MS:MS99-032
Reference: MSKB:Q240308
Reference: XF:ms-scriptlet-eyedog-unsafe

Votes:
ACCEPT(5)  Baker, Cole, Ozancin, Prosser, Wall
MODIFY(2)  Frech, Stracener
REVIEWING(1)  Christey
Voter Comments:
Frech>  XF:ms-scriptlet-eyedog-unsafe
Stracener>  Add Ref: MSKB Q240308
Christey>  Should CVE-1999-0669 and 668 be merged?  If not, then this is
a reason for not merging CVE-1999-0988 and CVE-1999-0828.

Name: CVE-1999-0670

Description:

Buffer overflow in the Eyedog ActiveX control allows a remote attacker to execute arbitrary commands.

Status:Candidate
Phase: Proposed (19991208)
Reference: CIAC:J-064
Reference: URL:http://ciac.llnl.gov/ciac/bulletins/j-064.shtml
Reference: MS:MS99-032
Reference: URL:https://docs.microsoft.com/en-us/security-updates/securitybulletins/1999/ms99-032

Votes:
ACCEPT(3)  Ozancin, Prosser, Wall
MODIFY(2)  Frech, Stracener
REJECT(2)  Baker, Cole
Voter Comments:
Frech>  XF:ie-eyedog-bo
Cole>  Based on the references and information listed this is the same as
CVE-1999-0669
Stracener>  Add Ref: MSKB Q240308
Baker>  Duplicate

Name: CVE-1999-0671

Description:

Buffer overflow in ToxSoft NextFTP client through CWD command.

Status:Entry
Reference: BID:572
Reference: URL:http://www.securityfocus.com/bid/572
Reference: XF:toxsoft-nextftp-cwd-bo

Name: CVE-1999-0672

Description:

Buffer overflow in Fujitsu Chocoa IRC client via IRC channel topics.

Status:Entry
Reference: BID:573
Reference: URL:http://www.securityfocus.com/bid/573
Reference: XF:fujitsu-topic-bo

Name: CVE-1999-0673

Description:

Buffer overflow in ALMail32 POP3 client via From: or To: headers.

Status:Candidate
Phase: Proposed (19991222)
Reference: BID:574
Reference: URL:http://www.securityfocus.com/bid/574

Votes:
ACCEPT(6)  Baker, Blake, Cole, Collins, Levy, Wall
MODIFY(2)  Frech, Stracener
NOOP(3)  Armstrong, Landfield, Oliver
REVIEWING(1)  Ozancin
Voter Comments:
Stracener>  AddRef: ShadowPenguinSecurity:PenguinToolbox,No.037
Frech>  XF:almail-bo
CHANGE>  [Cole changed vote from NOOP to ACCEPT]

Name: CVE-1999-0674

Description:

The BSD profil system call allows a local user to modify the internal data space of a program via profiling and execve.

Status:Entry
Reference: BID:570
Reference: URL:http://www.securityfocus.com/bid/570
Reference: BUGTRAQ:19990809 profil(2) bug, a simple test program
Reference: CIAC:J-067
Reference: URL:http://www.ciac.org/ciac/bulletins/j-067.shtml
Reference: FREEBSD:FreeBSD-SA-99:02
Reference: NETBSD:1999-011
Reference: OPENBSD:Aug 9,1999
Reference: XF:netbsd-profil

Name: CVE-1999-0675

Description:

Check Point FireWall-1 can be subjected to a denial of service via UDP packets that are sent through VPN-1 to port 0 of a host.

Status:Entry
Reference: BID:576
Reference: URL:http://www.securityfocus.com/bid/576
Reference: BUGTRAQ:19990809 FW1 UDP Port 0 DoS
Reference: URL:http://www.securityfocus.com/archive/1/23615
Reference: OSVDB:1038
Reference: URL:http://www.osvdb.org/1038
Reference: XF:checkpoint-port

Name: CVE-1999-0676

Description:

sdtcm_convert in Solaris 2.6 allows a local user to overwrite sensitive files via a symlink attack.

Status:Entry
Reference: BID:575
Reference: URL:http://www.securityfocus.com/bid/575
Reference: BUGTRAQ:19990808 sdtcm_convert
Reference: URL:http://www.securityfocus.com/templates/archive.pike?list=1&msg=19990809134220.A1191@hades.chaoz.org
Reference: XF:sun-sdtcm-convert

Name: CVE-1999-0677

Description:

The WebRamp web administration utility has a default password.

Status:Candidate
Phase: Modified (19991228)
Reference: BID:577
Reference: URL:http://www.securityfocus.com/bid/577
Reference: BUGTRAQ:19990802 [LoWNOISE] Password hunting with webramp

Votes:
ACCEPT(3)  Baker, Blake, Stracener
MODIFY(2)  Cole, Frech
NOOP(2)  Armstrong, Christey
Voter Comments:
Cole>  I would add that it is not forced to be changed.
Frech>  XF:webramp-default-password
Christey>  This problem may have been detected in January 1999:
BUGTRAQ:19990121 Re: WebRamp M3 remote network access bug
http://marc.theaimsgroup.com/?l=bugtraq&m=91702375402055&w=2

Name: CVE-1999-0678

Description:

A default configuration of Apache on Debian GNU/Linux sets the ServerRoot to /usr/doc, which allows remote users to read documentation files for the entire server.

Status:Entry
Reference: BID:318
Reference: URL:http://www.securityfocus.com/bid/318
Reference: BUGTRAQ:19990405 An issue with Apache on Debian
Reference: XF:apache-debian-usrdoc

Name: CVE-1999-0679

Description:

Buffer overflow in hybrid-6 IRC server commonly used on EFnet allows remote attackers to execute commands via m_invite invite option.

Status:Entry
Reference: BID:581
Reference: URL:http://www.securityfocus.com/bid/581
Reference: BUGTRAQ:19990813 w00w00's efnet ircd advisory (exploit included)
Reference: CONFIRM:http://www.efnet.org/archive/servers/hybrid/ChangeLog
Reference: XF:hybrid-ircd-minvite-bo

Name: CVE-1999-0680

Description:

Windows NT Terminal Server performs extra work when a client opens a new connection but before it is authenticated, allowing for a denial of service.

Status:Entry
Reference: BID:571
Reference: URL:http://www.securityfocus.com/bid/571
Reference: CIAC:J-057
Reference: URL:http://www.ciac.org/ciac/bulletins/j-057.shtml
Reference: MS:MS99-028
Reference: URL:https://docs.microsoft.com/en-us/security-updates/securitybulletins/1999/ms99-028
Reference: MSKB:Q238600
Reference: URL:http://support.microsoft.com/default.aspx?scid=kb;[LN];Q238600
Reference: XF:nt-terminal-dos

Name: CVE-1999-0681

Description:

Buffer overflow in Microsoft FrontPage Server Extensions (PWS) 3.0.2.926 on Windows 95, and possibly other versions, allows remote attackers to cause a denial of service via a long URL.

Status:Entry
Reference: BID:568
Reference: URL:http://www.securityfocus.com/bid/568
Reference: BUGTRAQ:19990807 Crash FrontPage Remotely...
Reference: URL:http://archives.neohapsis.com/archives/bugtraq/1999-q3/0381.html
Reference: XF:frontpage-pws-dos(3117)
Reference: URL:https://exchange.xforce.ibmcloud.com/vulnerabilities/3117

Name: CVE-1999-0682

Description:

Microsoft Exchange 5.5 allows a remote attacker to relay email (i.e. spam) using encapsulated SMTP addresses, even if the anti-relaying features are enabled.

Status:Entry
Reference: BID:567
Reference: URL:http://www.securityfocus.com/bid/567
Reference: CIAC:J-056
Reference: URL:http://www.ciac.org/ciac/bulletins/j-056.shtml
Reference: MS:MS99-027
Reference: URL:https://docs.microsoft.com/en-us/security-updates/securitybulletins/1999/ms99-027
Reference: MSKB:Q237927
Reference: URL:http://support.microsoft.com/default.aspx?scid=kb;[LN];Q237927
Reference: XF:exchange-relay

Name: CVE-1999-0683

Description:

Denial of service in Gauntlet Firewall via a malformed ICMP packet.

Status:Entry
Reference: BID:556
Reference: URL:http://www.securityfocus.com/bid/556
Reference: BUGTRAQ:19990729 Remotely Lock Up Gauntlet 5.0
Reference: OSVDB:1029
Reference: URL:http://www.osvdb.org/1029
Reference: XF:gauntlet-dos

Name: CVE-1999-0684

Description:

Denial of service in Sendmail 8.8.6 in HPUX.

Status:Candidate
Phase: Proposed (19991214)
Reference: HP:HPSBUX9904-097

Votes:
ACCEPT(2)  Blake, Cole
MODIFY(3)  Frech, Prosser, Stracener
NOOP(1)  Baker
REJECT(1)  Christey
Voter Comments:
Stracener>  Add Ref: CIAC: J-040
Prosser>  Might change description to indicate DoS caused by multiple connections
Christey>  Andre's right.  This is a duplicate of CVE-1999-0684.
Frech>  Without further information and/or references, this issue looks like an
ambiguous version of CVE-1999-0478: Denial of service in HP-UX sendmail
8.8.6 related to accepting connections.

(was REJECT)
XF:hp-sendmail-connect-dos

Name: CVE-1999-0685

Description:

Buffer overflow in Netscape Communicator via EMBED tags in the pluginspage option.

Status:Entry
Reference: BID:618
Reference: URL:http://www.securityfocus.com/bid/618
Reference: BUGTRAQ:19991209 Netscape communicator 4.06J, 4.5J-4.6J, 4.61e Buffer Overflow

Name: CVE-1999-0686

Description:

Denial of service in Netscape Enterprise Server (NES) in HP Virtual Vault (VVOS) via a long URL.

Status:Entry
Reference: BUGTRAQ:19990514 TGAD DoS
Reference: BUGTRAQ:19990610 Re: VVOS/Netscape Bug
Reference: CIAC:J-046
Reference: URL:http://www.ciac.org/ciac/bulletins/j-046.shtml
Reference: HP:HPSBUX9906-098
Reference: URL:http://www1.itrc.hp.com/service/cki/docDisplay.do?docId=HPSBUX9906-098
Reference: XF:hp-tgad-dos

Name: CVE-1999-0687

Description:

The ToolTalk ttsession daemon uses weak RPC authentication, which allows a remote attacker to execute commands.

Status:Entry
Reference: BID:637
Reference: URL:http://www.securityfocus.com/bid/637
Reference: BUGTRAQ:19990913 Vulnerability in ttsession
Reference: CERT:CA-99-11
Reference: CIAC:K-001
Reference: URL:http://www.ciac.org/ciac/bulletins/k-001.shtml
Reference: COMPAQ:SSRT0617U_TTSESSION
Reference: HP:HPSBUX9909-103
Reference: URL:http://www1.itrc.hp.com/service/cki/docDisplay.do?docId=HPSBUX9909-103
Reference: SUN:00192
Reference: URL:http://sunsolve.sun.com/pub-cgi/retrieve.pl?doctype=coll&doc=secbull/192
Reference: XF:cde-ttsession-rpc-auth

Name: CVE-1999-0688

Description:

Buffer overflows in HP Software Distributor (SD) for HPUX 10.x and 11.x.

Status:Entry
Reference: BID:545
Reference: URL:http://www.securityfocus.com/bid/545
Reference: HP:HPSBUX9907-101
Reference: URL:http://www1.itrc.hp.com/service/cki/docDisplay.do?docId=HPSBUX9907-101
Reference: XF:hp-sd-bo

Name: CVE-1999-0689

Description:

The CDE dtspcd daemon allows local users to execute arbitrary commands via a symlink attack.

Status:Entry
Reference: BID:636
Reference: URL:http://www.securityfocus.com/bid/636
Reference: BUGTRAQ:19990913 Vulnerability in dtspcd
Reference: CERT:CA-99-11
Reference: HP:HPSBUX9909-103
Reference: URL:http://www1.itrc.hp.com/service/cki/docDisplay.do?docId=HPSBUX9909-103
Reference: OVAL:oval:org.mitre.oval:def:1880
Reference: URL:https://oval.cisecurity.org/repository/search/definition/oval%3Aorg.mitre.oval%3Adef%3A1880
Reference: SUN:00192
Reference: URL:http://sunsolve.sun.com/pub-cgi/retrieve.pl?doctype=coll&doc=secbull/192
Reference: XF:cde-dtspcd-file-auth

Name: CVE-1999-0690

Description:

HP CDE program includes the current directory in root's PATH variable.

Status:Entry
Reference: CIAC:J-053
Reference: URL:http://www.ciac.org/ciac/bulletins/j-053.shtml
Reference: HP:HPSBUX9907-100
Reference: URL:http://www1.itrc.hp.com/service/cki/docDisplay.do?docId=HPSBUX9907-100
Reference: XF:hp-cde-directory

Name: CVE-1999-0691

Description:

Buffer overflow in the AddSuLog function of the CDE dtaction utility allows local users to gain root privileges via a long user name.

Status:Entry
Reference: BID:635
Reference: URL:http://www.securityfocus.com/bid/635
Reference: BUGTRAQ:19990913 Vulnerability in dtaction
Reference: CERT:CA-99-11
Reference: COMPAQ:SSRTO615U_DTACTION
Reference: HP:HPSBUX9909-103
Reference: URL:http://www1.itrc.hp.com/service/cki/docDisplay.do?docId=HPSBUX9909-103
Reference: OVAL:oval:org.mitre.oval:def:3078
Reference: URL:https://oval.cisecurity.org/repository/search/definition/oval%3Aorg.mitre.oval%3Adef%3A3078
Reference: SUN:00192
Reference: URL:http://sunsolve.sun.com/pub-cgi/retrieve.pl?doctype=coll&doc=secbull/192
Reference: XF:cde-dtaction-username-bo

Name: CVE-1999-0692

Description:

The default configuration of the Array Services daemon (arrayd) disables authentication, allowing remote users to gain root privileges.

Status:Entry
Reference: CERT:CA-99-09
Reference: CIAC:J-052
Reference: URL:http://www.ciac.org/ciac/bulletins/j-052.shtml
Reference: SGI:19990701-01-P
Reference: URL:ftp://patches.sgi.com/support/free/security/advisories/19990701-01-P
Reference: XF:sgi-arrayd

Name: CVE-1999-0693

Description:

Buffer overflow in TT_SESSION environment variable in ToolTalk shared library allows local users to gain root privileges.

Status:Entry
Reference: BID:641
Reference: URL:http://www.securityfocus.com/bid/641
Reference: CERT:CA-99-11
Reference: HP:HPSBUX9909-103
Reference: URL:http://www1.itrc.hp.com/service/cki/docDisplay.do?docId=HPSBUX9909-103
Reference: OVAL:oval:org.mitre.oval:def:4374
Reference: URL:https://oval.cisecurity.org/repository/search/definition/oval%3Aorg.mitre.oval%3Adef%3A4374
Reference: SUN:00192
Reference: URL:http://sunsolve.sun.com/pub-cgi/retrieve.pl?doctype=coll&doc=secbull/192
Reference: XF:cde-dtsession-env-bo

Name: CVE-1999-0694

Description:

Denial of service in AIX ptrace system call allows local users to crash the system.

Status:Entry
Reference: CIAC:J-055
Reference: URL:http://www.ciac.org/ciac/bulletins/j-055.shtml
Reference: IBM:ERS-SVA-E01-1999:002.1
Reference: XF:aix-ptrace-halt

Name: CVE-1999-0695

Description:

The Sybase PowerDynamo personal web server allows attackers to read arbitrary files through a .. (dot dot) attack.

Status:Entry
Reference: BID:620
Reference: URL:http://www.securityfocus.com/bid/620
Reference: BUGTRAQ:19990904 [Sybase] software vendors do not think about old bugs
Reference: OSVDB:1064
Reference: URL:http://www.osvdb.org/1064
Reference: XF:http-powerdynamo-dotdotslash

Name: CVE-1999-0696

Description:

Buffer overflow in CDE Calendar Manager Service Daemon (rpc.cmsd).

Status:Entry
Reference: BUGTRAQ:19990709 Exploit of rpc.cmsd
Reference: CERT:CA-99-08
Reference: CIAC:J-051
Reference: URL:http://www.ciac.org/ciac/bulletins/j-051.shtml
Reference: COMPAQ:SSRT0614U_RPC_CMSD
Reference: HP:HPSBUX9908-102
Reference: URL:http://www1.itrc.hp.com/service/cki/docDisplay.do?docId=HPSBUX9908-102
Reference: SCO:SB-99.12
Reference: SUN:00188
Reference: URL:http://sunsolve.sun.com/pub-cgi/retrieve.pl?doctype=coll&doc=secbull/188
Reference: SUNBUG:4230754
Reference: XF:sun-cmsd-bo

Name: CVE-1999-0697

Description:

SCO Doctor allows local users to gain root privileges through a Tools option.

Status:Entry
Reference: BID:621
Reference: URL:http://www.securityfocus.com/bid/621
Reference: BUGTRAQ:19990908 SCO 5.0.5 /bin/doctor nightmare
Reference: XF:sco-doctor-execute

Name: CVE-1999-0698

Description:

Denial of service in IP protocol logger (ippl) on Red Hat and Debian Linux.

Status:Candidate
Phase: Proposed (19991222)

Votes:
ACCEPT(6)  Armstrong, Baker, Blake, Cole, Collins, Ozancin
MODIFY(1)  Frech
NOOP(4)  Landfield, Levy, Stracener, Wall
REJECT(1)  Christey
Voter Comments:
Stracener>  Is the candidate referring to the denial of service problem mentioned in
the changelogs for versions previous to 1.4.3-1 or does it pertain to some
problem with or 1.4.8-1?
Frech>  Depending on the version, this could be any number of DoSes
related to ippl.
From http://www.larve.net/ippl/:
9 April 1999: version 1.4.3 released, correctly fixing a
potential denial of service attack.
7 April 1999: version 1.4.2 released, fixing a potential
denial of service attack.
XF:linux-ippl-dos
Christey>  Changelog: http://pltplp.net/ippl/docs/HISTORY

See comments for version 1.4.2 and 1.4.3
Another source: http://freshmeat.net/news/1999/04/08/923586598.html
CHANGE>  [Stracener changed vote from REVIEWING to NOOP]
CHANGE>  [Christey changed vote from NOOP to REJECT]
Christey>  As mentioned by others, this could apply to several different
versions.  Since the description is too vague, this CAN should
be REJECTED and recast into other candidates.

Name: CVE-1999-0699

Description:

The Bluestone Sapphire web server allows session hijacking via easily guessable session IDs.

Status:Entry
Reference: BID:623
Reference: URL:http://www.securityfocus.com/bid/623
Reference: BUGTRAQ:19990908 [Security] Spoofed Id in Bluestone Sapphire/Web

Name: CVE-1999-0700

Description:

Buffer overflow in Microsoft Phone Dialer (dialer.exe), via a malformed dialer entry in the dialer.ini file.

Status:Entry
Reference: MS:MS99-026
Reference: URL:https://docs.microsoft.com/en-us/security-updates/securitybulletins/1999/ms99-026
Reference: MSKB:Q237185
Reference: URL:http://support.microsoft.com/default.aspx?scid=kb;[LN];Q237185
Reference: XF:nt-malformed-dialer

Name: CVE-1999-0701

Description:

After an unattended installation of Windows NT 4.0, an installation file could include sensitive information such as the local Administrator password.

Status:Entry
Reference: BID:626
Reference: URL:http://www.securityfocus.com/bid/626
Reference: MS:MS99-036
Reference: URL:https://docs.microsoft.com/en-us/security-updates/securitybulletins/1999/ms99-036
Reference: MSKB:Q173039
Reference: URL:http://support.microsoft.com/default.aspx?scid=kb;[LN];Q173039
Reference: XF:nt-install-unattend-file

Name: CVE-1999-0702

Description:

Internet Explorer 5.0 and 5.01 allows remote attackers to modify or execute files via the Import/Export Favorites feature, aka the "ImportExportFavorites" vulnerability.

Status:Entry
Reference: BID:627
Reference: URL:http://www.securityfocus.com/bid/627
Reference: BUGTRAQ:19990909 IE 5.0 security vulnerabilities - ImportExportFavorites - at least creating and overwriting files, probably executing programs
Reference: MS:MS99-037
Reference: URL:https://docs.microsoft.com/en-us/security-updates/securitybulletins/1999/ms99-037
Reference: MSKB:Q241361
Reference: URL:http://support.microsoft.com/default.aspx?scid=kb;[LN];Q241361
Reference: XF:ie5-import-export-favorites

Name: CVE-1999-0703

Description:

OpenBSD, BSDI, and other Unix operating systems allow users to set chflags and fchflags on character and block devices.

Status:Entry
Reference: BUGTRAQ:19990805 4.4 BSD issue -- chflags
Reference: CIAC:J-066
Reference: URL:http://www.ciac.org/ciac/bulletins/j-066.shtml
Reference: FREEBSD:FreeBSD-SA-99:01
Reference: OPENBSD:Jul30,1999
Reference: XF:openbsd-chflags-fchflags-permitted

Name: CVE-1999-0704

Description:

Buffer overflow in Berkeley automounter daemon (amd) logging facility provided in the Linux am-utils package and others.

Status:Entry
Reference: BID:614
Reference: URL:http://www.securityfocus.com/bid/614
Reference: CALDERA:CSSA-1999:024.0
Reference: CERT:CA-99-12
Reference: DEBIAN:19991018
Reference: FREEBSD:SA-99:06
Reference: REDHAT:RHSA-1999:032-01
Reference: XF:amd-bo

Name: CVE-1999-0705

Description:

Buffer overflow in INN inews program.

Status:Entry
Reference: BID:616
Reference: URL:http://www.securityfocus.com/bid/616
Reference: CALDERA:CSSA-1999-026
Reference: DEBIAN:19990907
Reference: REDHAT:RHSA1999033_01
Reference: SUSE:19990831 Security hole in INN
Reference: XF:inn-inews-bo

Name: CVE-1999-0706

Description:

Linux xmonisdn package allows local users to gain root privileges by modifying the IFS or PATH environmental variables.

Status:Entry
Reference: BID:583
Reference: URL:http://www.securityfocus.com/bid/583
Reference: DEBIAN:19990807
Reference: SUSE:19990817 Security hole in i4l (xmonisdn)

Name: CVE-1999-0707

Description:

The default FTP configuration in HP Visualize Conference allows conference users to send a file to other participants without authorization.

Status:Entry
Reference: BID:493
Reference: URL:http://www.securityfocus.com/bid/493
Reference: CIAC:J-050
Reference: URL:http://www.ciac.org/ciac/bulletins/j-050.shtml
Reference: HP:HPSBUX9906-099
Reference: URL:http://www1.itrc.hp.com/service/cki/docDisplay.do?docId=HPSBUX9906-099
Reference: XF:hp-visualize-conference-ftp

Name: CVE-1999-0708

Description:

Buffer overflow in cfingerd allows local users to gain root privileges via a long GECOS field.

Status:Entry
Reference: BID:651
Reference: URL:http://www.securityfocus.com/bid/651
Reference: BUGTRAQ:19990921 BP9909-00: cfingerd local buffer overflow

Name: CVE-1999-0710

Description:

The Squid package in Red Hat Linux 5.2 and 6.0, and other distributions, installs cachemgr.cgi in a public web directory, which allows remote attackers to use it as an intermediary to connect to other systems.

Status:Entry
Reference: BID:2059
Reference: URL:http://www.securityfocus.com/bid/2059
Reference: BUGTRAQ:19990725 Redhat 6.0 cachemgr.cgi lameness
Reference: CONFIRM:http://www.redhat.com/support/errata/archives/rh52-errata-general.html#squid
Reference: DEBIAN:DSA-576
Reference: URL:http://www.debian.org/security/2004/dsa-576
Reference: FEDORA:FEDORA-2005-373
Reference: URL:http://www.redhat.com/archives/fedora-announce-list/2005-May/msg00025.html
Reference: FEDORA:FLSA-2006:152809
Reference: URL:http://fedoranews.org/updates/FEDORA--.shtml
Reference: REDHAT:RHSA-1999:025
Reference: URL:http://www.redhat.com/support/errata/RHSA-1999-025.html
Reference: REDHAT:RHSA-2005:489
Reference: URL:http://www.redhat.com/support/errata/RHSA-2005-489.html
Reference: XF:http-cgi-cachemgr(2385)
Reference: URL:https://exchange.xforce.ibmcloud.com/vulnerabilities/2385

Name: CVE-1999-0711

Description:

The oratclsh interpreter in Oracle 8.x Intelligent Agent for Unix allows local users to execute Tcl commands as root.

Status:Entry
Reference: BUGTRAQ:19990430 *Huge* security hole in Oracle 8.0.5 with Intellegent agent installed
Reference: URL:http://marc.info/?t=92550157100002&w=2&r=1
Reference: BUGTRAQ:19990506 Oracle Security Followup, patch and FAQ: setuid on oratclsh
Reference: URL:http://marc.info/?l=bugtraq&m=92609807906778&w=2
Reference: XF:oracle-oratclsh

Name: CVE-1999-0712

Description:

A vulnerability in Caldera Open Administration System (COAS) allows the /etc/shadow password file to be made world-readable.

Status:Candidate
Phase: Proposed (19991214)
Reference: CALDERA:CSSA-1999:009
Reference: XF:linux-coas

Votes:
ACCEPT(4)  Baker, Cole, Frech, Stracener
MODIFY(1)  Blake
NOOP(1)  Armstrong
REVIEWING(1)  Christey
Voter Comments:
Blake>  This obscurely-written advisory seems to state that COAS will make the
file world-readable, not that it allows the user to make it so.  I hardly
think that allowing the user to turn off security is a vulnerability.
Christey>  It's difficult to write the description based on what's in
the advisory.  If COAS inadvertently changes permissions
without user confirmation, then it should be ACCEPTed with
appropriate modification to the description.
Christey>  ADDREF BID:137
CHANGE>  [Armstrong changed vote from REVIEWING to NOOP]

Name: CVE-1999-0713

Description:

The dtlogin program in Compaq Tru64 UNIX allows local users to gain root privileges.

Status:Entry
Reference: BUGTRAQ:19990404 Digital Unix 4.0E /var permission
Reference: CIAC:J-044
Reference: URL:http://www.ciac.org/ciac/bulletins/j-044.shtml
Reference: COMPAQ:SSRT0600U
Reference: XF:cde-dtlogin

Name: CVE-1999-0714

Description:

Vulnerability in Compaq Tru64 UNIX edauth command.

Status:Entry
Reference: COMPAQ:SSRT0588U
Reference: XF:du-edauth

Name: CVE-1999-0715

Description:

Buffer overflow in Remote Access Service (RAS) client allows an attacker to execute commands or cause a denial of service via a malformed phonebook entry.

Status:Entry
Reference: BUGTRAQ:19990519 Buffer Overruns in RAS allows execution of arbitary code as system
Reference: MS:MS99-016
Reference: URL:https://docs.microsoft.com/en-us/security-updates/securitybulletins/1999/ms99-016
Reference: MSKB:Q230677
Reference: URL:http://support.microsoft.com/default.aspx?scid=kb;[LN];Q230677
Reference: XF:nt-ras-bo

Name: CVE-1999-0716

Description:

Buffer overflow in Windows NT 4.0 help file utility via a malformed help file.

Status:Entry
Reference: MS:MS99-015
Reference: URL:https://docs.microsoft.com/en-us/security-updates/securitybulletins/1999/ms99-015
Reference: MSKB:Q231605
Reference: URL:http://support.microsoft.com/default.aspx?scid=kb;[LN];Q231605
Reference: XF:nt-helpfile-bo

Name: CVE-1999-0717

Description:

A remote attacker can disable the virus warning mechanism in Microsoft Excel 97.

Status:Entry
Reference: MS:MS99-014
Reference: URL:https://docs.microsoft.com/en-us/security-updates/securitybulletins/1999/ms99-014
Reference: MSKB:Q231304
Reference: URL:http://support.microsoft.com/default.aspx?scid=kb;[LN];Q231304
Reference: XF:excel-virus-warning

Name: CVE-1999-0718

Description:

IBM GINA, when used for OS/2 domain authentication of Windows NT users, allows local users to gain administrator privileges by changing the GroupMapping registry key.

Status:Entry
Reference: BID:608
Reference: URL:http://www.securityfocus.com/bid/608
Reference: NTBUGTRAQ:19990823 IBM Gina security warning
Reference: URL:http://www.ntbugtraq.com/default.asp?pid=36&sid=1&A2=ind9908&L=ntbugtraq&F=&S=&P=5534
Reference: XF:ibm-gina-group-add(3166)
Reference: URL:https://exchange.xforce.ibmcloud.com/vulnerabilities/3166

Name: CVE-1999-0719

Description:

The Guile plugin for the Gnumeric spreadsheet package allows attackers to execute arbitrary code.

Status:Entry
Reference: BID:563
Reference: URL:http://www.securityfocus.com/bid/563
Reference: BUGTRAQ:19990802 Gnumeric potential security hole.
Reference: REDHAT:RHSA-1999:023-01
Reference: XF:gnu-guile-plugin-export

Name: CVE-1999-0720

Description:

The pt_chown command in Linux allows local users to modify TTY terminal devices that belong to other users.

Status:Entry
Reference: BID:597
Reference: URL:http://www.securityfocus.com/bid/597
Reference: BUGTRAQ:19990823 [Linux] glibc 2.1.x / wu-ftpd <=2.5 / BeroFTPD / lynx / vlock / mc / glibc 2.0.x
Reference: URL:http://www.securityfocus.com/templates/archive.pike?list=1&msg=lcamtuf.4.05.9907041223290.355-300000@nimue.ids.pl
Reference: XF:linux-pt-chown

Name: CVE-1999-0721

Description:

Denial of service in Windows NT Local Security Authority (LSA) through a malformed LSA request.

Status:Entry
Reference: BINDVIEW:Phantom Technical Advisory
Reference: CIAC:J-049
Reference: URL:http://www.ciac.org/ciac/bulletins/j-049.shtml
Reference: MS:MS99-020
Reference: URL:https://docs.microsoft.com/en-us/security-updates/securitybulletins/1999/ms99-020
Reference: MSKB:Q231457
Reference: URL:http://support.microsoft.com/default.aspx?scid=kb;[LN];Q231457
Reference: XF:msrpc-lsa-lookupnames-dos

Name: CVE-1999-0722

Description:

The default configuration of Cobalt RaQ2 servers allows remote users to install arbitrary software packages.

Status:Entry
Reference: BID:558
Reference: URL:http://www.securityfocus.com/bid/558
Reference: CERT:CA-99-10
Reference: XF:cobalt-raq2-default-config

Name: CVE-1999-0723

Description:

The Windows NT Client Server Runtime Subsystem (CSRSS) can be subjected to a denial of service when all worker threads are waiting for user input.

Status:Entry
Reference: BID:478
Reference: URL:http://www.securityfocus.com/bid/478
Reference: CIAC:J-049
Reference: URL:http://www.ciac.org/ciac/bulletins/j-049.shtml
Reference: MS:MS99-021
Reference: URL:https://docs.microsoft.com/en-us/security-updates/securitybulletins/1999/ms99-021
Reference: MSKB:Q233323
Reference: URL:http://support.microsoft.com/default.aspx?scid=kb;[LN];Q233323
Reference: NTBUGTRAQ:19990411 Death by MessageBox
Reference: XF:nt-csrss-dos

Name: CVE-1999-0724

Description:

Buffer overflow in OpenBSD procfs and fdescfs file systems via uio_offset in the readdir() function.

Status:Entry
Reference: OPENBSD:Aug12,1999
Reference: OSVDB:6128
Reference: URL:http://www.osvdb.org/6128
Reference: XF:openbsd-uio_offset-bo

Name: CVE-1999-0725

Description:

When IIS is run with a default language of Chinese, Korean, or Japanese, it allows a remote attacker to view the source code of certain files, a.k.a. "Double Byte Code Page".

Status:Entry
Reference: BID:477
Reference: URL:http://www.securityfocus.com/bid/477
Reference: MS:MS99-022
Reference: URL:https://docs.microsoft.com/en-us/security-updates/securitybulletins/1999/ms99-022
Reference: MSKB:Q233335
Reference: URL:http://support.microsoft.com/default.aspx?scid=kb;[LN];Q233335
Reference: XF:iis-double-byte-code-page(2302)
Reference: URL:https://exchange.xforce.ibmcloud.com/vulnerabilities/2302

Name: CVE-1999-0726

Description:

An attacker can conduct a denial of service in Windows NT by executing a program with a malformed file image header.

Status:Entry
Reference: BID:499
Reference: URL:http://www.securityfocus.com/bid/499
Reference: MS:MS99-023
Reference: URL:https://docs.microsoft.com/en-us/security-updates/securitybulletins/1999/ms99-023
Reference: MSKB:Q234557
Reference: URL:http://support.microsoft.com/default.aspx?scid=kb;[LN];Q234557
Reference: XF:nt-malformed-image-header

Name: CVE-1999-0727

Description:

A kernel leak in the OpenBSD kernel allows IPsec packets to be sent unencrypted.

Status:Entry
Reference: OPENBSD:19990608 Packets that should have been handled by IPsec may be transmitted as cleartext
Reference: OSVDB:6127
Reference: URL:http://www.osvdb.org/6127
Reference: XF:openbsd-ipsec-cleartext

Name: CVE-1999-0728

Description:

A Windows NT user can disable the keyboard or mouse by directly calling the IOCTLs which control them.

Status:Entry
Reference: MS:MS99-024
Reference: URL:https://docs.microsoft.com/en-us/security-updates/securitybulletins/1999/ms99-024
Reference: MSKB:Q236359
Reference: URL:http://support.microsoft.com/default.aspx?scid=kb;[LN];Q236359
Reference: XF:nt-ioctl-dos

Name: CVE-1999-0729

Description:

Buffer overflow in Lotus Notes LDAP (NLDAP) allows an attacker to conduct a denial of service through the ldap_search request.

Status:Entry
Reference: BID:601
Reference: URL:http://www.securityfocus.com/bid/601
Reference: CIAC:J-061
Reference: URL:http://www.ciac.org/ciac/bulletins/j-061.shtml
Reference: ISS:19990823 Denial of Service Attack against Lotus Notes Domino Server 4.6
Reference: URL:http://xforce.iss.net/alerts/advise34.php
Reference: OSVDB:1057
Reference: URL:http://www.osvdb.org/1057
Reference: XF:lotus-ldap-bo

Name: CVE-1999-0730

Description:

The zsoelim program in the Debian man-db package allows local users to overwrite files via a symlink attack.

Status:Entry
Reference: DEBIAN:19990612

Name: CVE-1999-0731

Description:

The KDE klock program allows local users to unlock a session using malformed input.

Status:Entry
Reference: BID:489
Reference: URL:http://www.securityfocus.com/bid/489
Reference: BUGTRAQ:19990623 Security flaw in klock
Reference: CALDERA:CSSA-1999:017
Reference: SUSE:19990629 Security hole in Klock

Name: CVE-1999-0732

Description:

The logging facility of the Debian smtp-refuser package allows local users to delete arbitrary files using symbolic links.

Status:Entry
Reference: DEBIAN:19990823b
Reference: XF:smtp-refuser-tmp

Name: CVE-1999-0733

Description:

Buffer overflow in VMWare 1.0.1 for Linux via a long HOME environmental variable.

Status:Entry
Reference: BID:490
Reference: URL:http://www.securityfocus.com/bid/490
Reference: BUGTRAQ:19990626 VMWare Advisory - buffer overflows
Reference: BUGTRAQ:19990626 VMware Security Alert
Reference: BUGTRAQ:19990705 Re: VMWare Advisory.. - exploit
Reference: XF:vmware-bo

Name: CVE-1999-0734

Description:

A default configuration of CiscoSecure Access Control Server (ACS) allows remote users to modify the server database without authentication.

Status:Entry
Reference: CISCO:19990819 CiscoSecure Access Control Server for UNIX Remote Administration Vulnerability
Reference: URL:https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-19990819-dbaccess
Reference: XF:ciscosecure-read-write(3133)
Reference: URL:https://exchange.xforce.ibmcloud.com/vulnerabilities/3133

Name: CVE-1999-0735

Description:

KDE K-Mail allows local users to gain privileges via a symlink attack in temporary user directories.

Status:Entry
Reference: BID:300
Reference: URL:http://www.securityfocus.com/bid/300
Reference: CALDERA:CSSA-1999:016
Reference: ISS:KDE K-Mail File Creation Vulnerability
Reference: REDHAT:RHSA-1999:015-01
Reference: URL:http://www.redhat.com/support/errata/RHSA1999015_01.html

Name: CVE-1999-0736

Description:

The showcode.asp sample file in IIS and Site Server allows remote attackers to read arbitrary files.

Status:Candidate
Phase: Modified (20061101)
Reference: L0PHT:May7,1999
Reference: MS:MS99-013
Reference: URL:https://docs.microsoft.com/en-us/security-updates/securitybulletins/1999/ms99-013
Reference: MSKB:Q231368
Reference: MSKB:Q232449
Reference: OVAL:oval:org.mitre.oval:def:932
Reference: URL:https://oval.cisecurity.org/repository/search/definition/oval%3Aorg.mitre.oval%3Adef%3A932

Votes:
ACCEPT(4)  Ozancin, Prosser, Stracener, Wall
MODIFY(2)  Cole, Frech
NOOP(1)  Baker
REVIEWING(1)  Christey
Voter Comments:
Frech>  XF:iis-samples-showcode
Cole>  There are several sample files that allow this.  I would quote
showcode.asp but make it more generic.
Prosser>  (Modify)
Have a question on this and on the following three candidates as well.  All
of these are part of the file viewer utilities that allow unauthorized
file reading, but MSKB Q231368 also mentioned the diagnostics
program, Winmsdp.exe, as another vulnerable viewer in this same set of
viewers.  If we are going to split out the separate viewer tools then
shouldn't there be a separate CAN for Winmsdp.exe also?
Christey>  Mike's question basically touches on the CD:SF-EXEC
content decision - what do you do when you have the same bug
in multiple executables?  CD:SF-EXEC needs to be reviewed
and approved by the Editorial Board before we can decide
what to do with this candidate.
Christey>  Mark Burnett says that Microsoft's mention of winmsdp.exe in
MSKB:Q231368 may be an error, and that winmsdp.exe is a
Microsoft Diagnostics Report Generator which may not even
be installed as part of IIS.

Also see http://www.securityfocus.com/focus/microsoft/iis/showcode.html
Christey>  ADDREF BID:167
URL:http://www.securityfocus.com/vdb/bottom.html?vid=167
Christey>  MISC:http://p.ulh.as/xploitsdb/NT/iis38.html covers a showcode.asp
directory traversal vulnerability and refers to the L0pht advisory.

Mark Burnett's article is at:
MISC:http://www.securityfocus.com/infocus/1317

Name: CVE-1999-0737

Description:

The viewcode.asp sample file in IIS and Site Server allows remote attackers to read arbitrary files.

Status:Candidate
Phase: Proposed (19991208)
Reference: MS:MS99-013
Reference: URL:https://docs.microsoft.com/en-us/security-updates/securitybulletins/1999/ms99-013
Reference: MSKB:Q231656

Votes:
ACCEPT(4)  Ozancin, Prosser, Stracener, Wall
MODIFY(1)  Frech
NOOP(2)  Baker, Christey
REJECT(1)  Cole
Voter Comments:
Frech>  XF:iis-samples-viewcode
Cole>  I would combine this with the previous.
Prosser>  (modify)
See comments in 0736 above
Christey>  See http://www.securityfocus.com/focus/microsoft/iis/showcode.html
for additional details.
Christey>  Mark Burnett's article is at:
MISC:http://www.securityfocus.com/infocus/1317

Name: CVE-1999-0738

Description:

The code.asp sample file in IIS and Site Server allows remote attackers to read arbitrary files.

Status:Candidate
Phase: Proposed (19991208)
Reference: MS:MS99-013
Reference: URL:https://docs.microsoft.com/en-us/security-updates/securitybulletins/1999/ms99-013
Reference: MSKB:Q231368
Reference: MSKB:Q232449

Votes:
ACCEPT(4)  Ozancin, Prosser, Stracener, Wall
MODIFY(1)  Frech
NOOP(2)  Baker, Christey
REJECT(1)  Cole
Voter Comments:
Frech>  XF:iis-samples-code
Cole>  Same as above
Prosser>  (modify)
See comments in 0736 above
Christey>  See http://www.securityfocus.com/focus/microsoft/iis/showcode.html
for additional details.
Christey>  Mark Burnett's article is at:
MISC:http://www.securityfocus.com/infocus/1317

Name: CVE-1999-0739

Description:

The codebrws.asp sample file in IIS and Site Server allows remote attackers to read arbitrary files.

Status:Candidate
Phase: Proposed (19991208)
Reference: MS:MS99-013
Reference: URL:https://docs.microsoft.com/en-us/security-updates/securitybulletins/1999/ms99-013
Reference: MSKB:Q231368
Reference: MSKB:Q232449

Votes:
ACCEPT(4)  Ozancin, Prosser, Stracener, Wall
MODIFY(1)  Frech
NOOP(2)  Baker, Christey
REJECT(1)  Cole
Voter Comments:
Frech>  XF:iis-samples-codebrws
Cole>  Same as above.
Prosser>  (modify)
See comments in 0736 above
Christey>  codebrw2.asp and Codebrw1.asp also need to be included
somewhere.

Also see http://www.securityfocus.com/focus/microsoft/iis/showcode.html
Christey>  Mark Burnett's article is at:
MISC:http://www.securityfocus.com/infocus/1317

Name: CVE-1999-0740

Description:

Remote attackers can cause a denial of service on Linux in.telnetd telnet daemon through a malformed TERM environmental variable.

Status:Entry
Reference: BID:594
Reference: URL:http://www.securityfocus.com/bid/594
Reference: CALDERA:CSSA-1999:022
Reference: REDHAT:RHSA1999029_01
Reference: XF:linux-telnetd-term

Name: CVE-1999-0741

Description:

QMS CrownNet Unix Utilities for 2060 allows root to log on without a password.

Status:Candidate
Phase: Proposed (19991222)
Reference: BID:593
Reference: URL:http://www.securityfocus.com/bid/593
Reference: BUGTRAQ:19990818 QMS 2060 printer security hole
Reference: XF:qms-2060-no-root-password

Votes:
ACCEPT(4)  Baker, Frech, Levy, Stracener
NOOP(2)  Christey, Oliver
Voter Comments:
Christey>  change description - anyone can log on *as* root
Frech>  (Note: this XF also cataloged under CVE-1999-0508.)

Name: CVE-1999-0742

Description:

The Debian mailman package uses weak authentication, which allows attackers to gain privileges.

Status:Entry
Reference: BID:480
Reference: URL:http://www.securityfocus.com/bid/480
Reference: DEBIAN:19990623

Name: CVE-1999-0743

Description:

Trn allows local users to overwrite other users' files via symlinks.

Status:Entry
Reference: BUGTRAQ:19990819 Insecure use of file in /tmp by trn
Reference: DEBIAN:19990823c
Reference: SUSE:19990824 Security hole in trn
Reference: XF:trn-symlinks(3144)
Reference: URL:https://exchange.xforce.ibmcloud.com/vulnerabilities/3144

Name: CVE-1999-0744

Description:

Buffer overflow in Netscape Enterprise Server and FastTrack Server allows remote attackers to gain privileges via a long HTTP GET request.

Status:Entry
Reference: BID:603
Reference: URL:http://www.securityfocus.com/bid/603
Reference: ISS:Buffer Overflow in Netscape Enterprise and FastTrack Web Servers

Name: CVE-1999-0745

Description:

Buffer overflow in Source Code Browser Program Database Name Server Daemon (pdnsd) for the IBM AIX C Set ++ compiler.

Status:Entry
Reference: BID:590
Reference: URL:http://www.securityfocus.com/bid/590
Reference: CIAC:J-059
Reference: URL:http://www.ciac.org/ciac/bulletins/j-059.shtml
Reference: IBM:ERS-SVA-E01-1999:003.1
Reference: XF:aix-pdnsd-bo

Name: CVE-1999-0746

Description:

A default configuration of in.identd in SuSE Linux waits 120 seconds between requests, allowing a remote attacker to conduct a denial of service.

Status:Entry
Reference: BID:587
Reference: URL:http://www.securityfocus.com/bid/587
Reference: BUGTRAQ:19990814 DOS against SuSE's identd
Reference: SUSE:19990824 Security hole in netcfg
Reference: XF:suse-identd-dos

Name: CVE-1999-0747

Description:

Denial of service in BSDi Symmetric Multiprocessing (SMP) when an fstat call is made when the system has a high CPU load.

Status:Entry
Reference: BID:589
Reference: URL:http://www.securityfocus.com/bid/589
Reference: BUGTRAQ:19990816 Symmetric Multiprocessing (SMP) Vulnerbility in BSDi 4.0.1
Reference: URL:http://www.securityfocus.com/templates/archive.pike?list=1&msg=Pine.BSI.4.10.9908170253560.19291-100000@saturn.psn.net
Reference: XF:bsdi-smp-dos

Name: CVE-1999-0748

Description:

Buffer overflows in Red Hat net-tools package.

Status:Candidate
Phase: Proposed (19991214)
Reference: REDHAT:RHSA-1999:017-01

Votes:
ACCEPT(4)  Armstrong, Baker, Cole, Stracener
MODIFY(1)  Frech
REJECT(1)  Blake
Voter Comments:
Blake>  RHSA-1999:017-01 describes "potential security problem fixed".  In the
absence of knowing whether or not the problems actually existed, I don't
think we have an entry here.
Frech>  XF:redhat-net-tool-bo

Name: CVE-1999-0749

Description:

Buffer overflow in Microsoft Telnet client in Windows 95 and Windows 98 via a malformed Telnet argument.

Status:Entry
Reference: BID:586
Reference: URL:http://www.securityfocus.com/bid/586
Reference: BUGTRAQ:19990815 telnet.exe heap overflow - remotely exploitable
Reference: MS:MS99-033
Reference: URL:https://docs.microsoft.com/en-us/security-updates/securitybulletins/1999/ms99-033
Reference: XF:win-ie5-telnet-heap-overflow

Name: CVE-1999-0750

Description:

Hotmail allows Javascript to be executed via the HTML STYLE tag, allowing remote attackers to execute commands on the user's Hotmail account.

Status:Candidate
Phase: Proposed (19991222)
Reference: BID:630
Reference: URL:http://www.securityfocus.com/bid/630
Reference: BUGTRAQ:19990913 Hotmail security vulnerability - injecting JavaScript using 'STYLE' tag

Votes:
ACCEPT(1)  Levy
MODIFY(2)  Frech, Stracener
NOOP(1)  Baker
Voter Comments:
Stracener>  Many sites are vulnerable to this problem. I recommend removing the
explicit references to Hotmail and making the description more generic.
Suggest: Javascript can be injected using the STYLE tag in an HTML
formatted e-mail, allowing remote attackers to execute commands on user
accounts.
Frech>  XF:hotmail-html-style-embed

Name: CVE-1999-0751

Description:

Buffer overflow in Accept command in Netscape Enterprise Server 3.6 with the SSL Handshake Patch.

Status:Entry
Reference: BID:631
Reference: URL:http://www.securityfocus.com/bid/631
Reference: BUGTRAQ:19990913 Accept overflow on Netscape Enterprise Server 3.6 SP2
Reference: XF:netscape-accept-bo(3256)
Reference: URL:https://exchange.xforce.ibmcloud.com/vulnerabilities/3256

Name: CVE-1999-0752

Description:

Denial of service in Netscape Enterprise Server via a buffer overflow in the SSL handshake.

Status:Entry
Reference: BUGTRAQ:19990706 Netscape Enterprise Server SSL Handshake Bug

Name: CVE-1999-0753

Description:

The w3-msql CGI script provided with Mini SQL allows remote attackers to view restricted directories.

Status:Entry
Reference: BID:591
Reference: URL:http://www.securityfocus.com/bid/591
Reference: BUGTRAQ:19990817 Stupid bug in W3-msql
Reference: XF:mini-sql-w3-msql-cgi

Name: CVE-1999-0754

Description:

The INN inndstart program allows local users to gain privileges by specifying an alternate configuration file using the INNCONF environmental variable.

Status:Entry
Reference: BID:255
Reference: URL:http://www.securityfocus.com/bid/255
Reference: BUGTRAQ:19990511 INN 2.0 and higher. Root compromise potential
Reference: CALDERA:CSSA-1999-011.0
Reference: URL:ftp://ftp.caldera.com/pub/security/OpenLinux/CSSA-1999-011.0.txt
Reference: MISC:http://www.redhat.com/corp/support/errata/inn99_05_22.html
Reference: SUSE:19990518 Security hole in INN
Reference: XF:inn-innconf-env

Name: CVE-1999-0755

Description:

Windows NT RRAS and RAS clients cache a user's password even if the user has not selected the "Save password" option.

Status:Entry
Reference: MS:MS99-017
Reference: URL:https://docs.microsoft.com/en-us/security-updates/securitybulletins/1999/ms99-017
Reference: MSKB:Q230681
Reference: URL:http://support.microsoft.com/default.aspx?scid=kb;[LN];Q230681
Reference: XF:nt-ras-pwcache

Name: CVE-1999-0756

Description:

ColdFusion Administrator with Advanced Security enabled allows remote users to stop the ColdFusion server via the Start/Stop utility.

Status:Entry
Reference: ALLAIRE:ASB99-07
Reference: URL:http://www.allaire.com/handlers/index.cfm?ID=10968&Method=Full
Reference: XF:coldfusion-admin-dos(2207)
Reference: URL:https://exchange.xforce.ibmcloud.com/vulnerabilities/2207

Name: CVE-1999-0757

Description:

The ColdFusion CFCRYPT program for encrypting CFML templates has weak encryption, allowing attackers to decrypt the templates.

Status:Candidate
Phase: Proposed (20010214)
Reference: ALLAIRE:ASB99-08
Reference: URL:http://www.allaire.com/handlers/index.cfm?ID=10969&Method=Full
Reference: XF:coldfusion-encryption(2208)
Reference: URL:https://exchange.xforce.ibmcloud.com/vulnerabilities/2208

Votes:
ACCEPT(3)  Baker, Cole, Frech
NOOP(1)  Christey
Voter Comments:
Frech>  XF:coldfusion-encryption
Christey>  BUGTRAQ:19990724 Re: New Allaire Security Zone Bulletins and KB Articles
URL:http://www.securityfocus.com/archive/1/19471
Christey>  ADDREF BID:275
URL:http://www.securityfocus.com/bid/275

Name: CVE-1999-0758

Description:

Netscape Enterprise 3.5.1 and FastTrack 3.01 servers allow a remote attacker to view source code to scripts by appending a %20 to the script's URL.

Status:Entry
Reference: ALLAIRE:ASB99-06
Reference: XF:netscape-space-view

Name: CVE-1999-0759

Description:

Buffer overflow in FuseMAIL POP service via long USER and PASS commands.

Status:Entry
Reference: BID:634
Reference: URL:http://www.securityfocus.com/bid/634
Reference: BUGTRAQ:19990913 Many kind of POP3/SMTP server softwares for Windows have buffer overflow bug
Reference: CONFIRM:http://www.crosswinds.net/~fuseware/faq.html#8
Reference: XF:fuseware-popmail-bo

Name: CVE-1999-0760

Description:

Undocumented ColdFusion Markup Language (CFML) tags and functions in the ColdFusion Administrator allow users to gain additional privileges.

Status:Entry
Reference: ALLAIRE:ASB99-10
Reference: URL:http://www.allaire.com/handlers/index.cfm?ID=11714&Method=Full
Reference: BID:550
Reference: URL:http://www.securityfocus.com/bid/550
Reference: XF:coldfusion-server-cfml-tags(3288)
Reference: URL:https://exchange.xforce.ibmcloud.com/vulnerabilities/3288

Name: CVE-1999-0761

Description:

Buffer overflow in FreeBSD fts library routines allows local user to modify arbitrary files via the periodic program.

Status:Entry
Reference: BID:644
Reference: URL:http://www.securityfocus.com/bid/644
Reference: FREEBSD:FreeBSD-SA-99:05
Reference: OSVDB:1074
Reference: URL:http://www.osvdb.org/1074
Reference: XF:freebsd-fts-lib-bo

Name: CVE-1999-0762

Description:

When Javascript is embedded within the TITLE tag, Netscape Communicator allows a remote attacker to use the "about" protocol to gain access to browser information.

Status:Entry
Reference: BUGTRAQ:19990524 Netscape Communicator JavaScript in <TITLE> security vulnerability
Reference: XF:netscape-title

Name: CVE-1999-0763

Description:

NetBSD on a multi-homed host allows ARP packets on one network to modify ARP entries on another connected network.

Status:Entry
Reference: NETBSD:1999-010
Reference: OSVDB:6540
Reference: URL:http://www.osvdb.org/6540
Reference: XF:netbsd-arp

Name: CVE-1999-0764

Description:

NetBSD allows ARP packets to overwrite static ARP entries.

Status:Entry
Reference: NETBSD:1999-010
Reference: OSVDB:6539
Reference: URL:http://www.osvdb.org/6539
Reference: XF:netbsd-arp

Name: CVE-1999-0765

Description:

SGI IRIX midikeys program allows local users to modify arbitrary files via a text editor.

Status:Entry
Reference: BID:262
Reference: URL:http://www.securityfocus.com/bid/262
Reference: BUGTRAQ:19990619 IRIX midikeys root exploit.
Reference: SGI:19990501-01-A
Reference: URL:ftp://patches.sgi.com/support/free/security/advisories/19990501-01-A
Reference: XF:irix-midikeys

Name: CVE-1999-0766

Description:

The Microsoft Java Virtual Machine allows a malicious Java applet to execute arbitrary commands outside of the sandbox environment.

Status:Entry
Reference: BID:600
Reference: URL:http://www.securityfocus.com/bid/600
Reference: MS:MS99-031
Reference: URL:https://docs.microsoft.com/en-us/security-updates/securitybulletins/1999/ms99-031
Reference: MSKB:Q240346
Reference: URL:http://support.microsoft.com/default.aspx?scid=kb;[LN];Q240346
Reference: XF:msvm-verifier-java

Name: CVE-1999-0767

Description:

Buffer overflow in Solaris libc, ufsrestore, and rcp via LC_MESSAGES environmental variable.

Status:Candidate
Phase: Proposed (19991214)
Reference: SUN:00189

Votes:
ACCEPT(4)  Baker, Blake, Cole, Dik
MODIFY(2)  Frech, Stracener
REVIEWING(2)  Christey, Prosser
Voter Comments:
Stracener>  Add Ref: CIAC: J-069
Frech>  XF:sun-libc-lcmessages
Prosser>  BID 268 is an additional reference for this one as it has info on the Sun
vulnerability.  However, BID 268 also includes AIX in this vulnerability and
refs APARS issued to fix a vulnerability in various 'nixs with the Natural
Language Service environmental variables NLSPATH and PATH_LOCALE depending
on the 'nix, ref CERT CA-97.10, CVE-1999-0041.  However, Georgi Guninski
reported a BO in AIX with LC_MESSAGES + mount, also refed in BID 268, so it
is possible the AIX APARs fix an earlier, similar vulnerability to the Sun
BO in LC_MESSAGES.   This should probably be considered under a different
CAN.  Any ideas?
Christey>  Given that the buffer overflows in CVE-1999-0041 are NLSPATH
and PATH_LOCALE, I'd say that's good evidence that this is not
the same problem.  But a buffer overflow in libc in
LC_MESSAGES... We must ask if these are basically the same
codebase.

ADDREF CIAC:J-069
Christey>  While the description indicates multiple programs, CD:SF-EXEC
does not apply because the vulnerability was in libc, and
rcp and ufsrestore were both statically linked against libc.
Thus CD:SF-LOC applies, and a single candidate is maintained
because the problem occurred in a library.
Dik>  Sun bug 4240566
Christey>  I'm consulting with Casper Dik and Troy Bollinger to see if
this should be combined with the AIX buffer overflows for
LC_MESSAGES; current indications are that they should be
split.
Christey>  For further consultation, consider this post, though it's
associated with CVE-1999-0041:
BUGTRAQ:19970213 Linux NLSPATH buffer overflow
http://www.securityfocus.com/archive/1/6296
Also add "NLSPATH" and "PATH_LOCALE" to the description to
facilitate search.

Name: CVE-1999-0768

Description:

Buffer overflow in Vixie Cron on Red Hat systems via the MAILTO environmental variable.

Status:Entry
Reference: BID:602
Reference: URL:http://www.securityfocus.com/bid/602
Reference: REDHAT:RHSA-1999:030-02
Reference: SUSE:19990829 Security hole in cron

Name: CVE-1999-0769

Description:

Vixie Cron on Linux systems allows local users to set parameters of sendmail commands via the MAILTO environmental variable.

Status:Entry
Reference: BID:611
Reference: URL:http://www.securityfocus.com/bid/611
Reference: CALDERA:CSSA-1999:023.0
Reference: DEBIAN:19990830 cron
Reference: REDHAT:RHSA-1999:030-02
Reference: SUSE:19990829 Security hole in cron

Name: CVE-1999-0770

Description:

Firewall-1 sets a long timeout for connections that begin with ACK or other packets except SYN, allowing an attacker to conduct a denial of service via a large number of connection attempts to unresponsive systems.

Status:Entry
Reference: BID:549
Reference: URL:http://www.securityfocus.com/bid/549
Reference: BUGTRAQ:19990729 Simple DOS attack on FW-1
Reference: CHECKPOINT:ACK DOS ATTACK
Reference: OSVDB:1027
Reference: URL:http://www.osvdb.org/1027

Name: CVE-1999-0771

Description:

The web components of Compaq Management Agents and the Compaq Survey Utility allow a remote attacker to read arbitrary files via a .. (dot dot) attack.

Status:Entry
Reference: BUGTRAQ:19990526 Infosec.19990526.compaq-im.a
Reference: COMPAQ:SSRT0612U
Reference: XF:management-agent-file-read

Name: CVE-1999-0772

Description:

Denial of service in Compaq Management Agents and the Compaq Survey Utility via a long string sent to port 2301.

Status:Entry
Reference: BUGTRAQ:19990527 Re: Infosec.19990526.compaq-im.a (New DoS and correction to my previous post)
Reference: COMPAQ:SSRT0612U
Reference: XF:management-agent-dos

Name: CVE-1999-0773

Description:

Buffer overflow in Solaris lpset program allows local users to gain root access.

Status:Entry
Reference: BUGTRAQ:19990511 Solaris2.6 and 2.7 lpset overflow
Reference: URL:http://www.netspace.org/cgi-bin/wa?A2=ind9905B&L=bugtraq&P=R2017
Reference: XF:sol-lpset-bo

Name: CVE-1999-0774

Description:

Buffer overflows in Mars NetWare Emulation (NWE, mars_nwe) package via long directory names.

Status:Entry
Reference: BID:617
Reference: URL:http://www.securityfocus.com/bid/617
Reference: BUGTRAQ:19990830 Babcia Padlina Ltd. security advisory: mars_nwe buffer overf
Reference: REDHAT:RHSA1999037_01
Reference: SUSE:19990916 Security hole in mars nwe

Name: CVE-1999-0775

Description:

Cisco Gigabit Switch routers running IOS allow remote attackers to forward unauthorized packets due to improper handling of the "established" keyword in an access list.

Status:Entry
Reference: CISCO:19990610 Cisco IOS Software established Access List Keyword Error
Reference: XF:cisco-gigaswitch

Name: CVE-1999-0776

Description:

Alibaba HTTP server allows remote attackers to read files via a .. (dot dot) attack.

Status:Candidate
Phase: Proposed (19991214)
Reference: NTBUGTRAQ:19990506 ".."-hole in Alibaba 2.0
Reference: URL:http://www.ntbugtraq.com/default.asp?pid=36&sid=1&A2=ind9905&L=NTBUGTRAQ&P=R1533
Reference: XF:http-alibaba-dotdot

Votes:
ACCEPT(4)  Frech, Levy, Ozancin, Stracener
MODIFY(1)  Baker
NOOP(6)  Armstrong, Blake, Cole, Landfield, LeBlanc, Wall
REVIEWING(1)  Christey
Voter Comments:
Christey>  This candidate is unconfirmed by the vendor.

Posted by Arne Vidstrom.
Blake>  I'd like to change my vote on this from ACCEPT to NOOP.  I did some
digging and the vendor seems to have discontinued the product, so no
information is available beyond Arne's post.  Unless Andre has a copy
in his archive and can test it, I think we have to leave it out.
Wall>  I agree with Blake.  We have not seen the product and it has been discontinued.
CHANGE>  [Christey changed vote from NOOP to REVIEWING]
Christey>  If this is (or was) tested by some tool, we should ACCEPT it.
Baker>  http://www.securityfocus.com/bid/270
Christey>  BID:270
URL:http://www.securityfocus.com/bid/270

Name: CVE-1999-0777

Description:

IIS FTP servers may allow a remote attacker to read or delete files on the server, even if they have "No Access" permissions.

Status:Entry
Reference: BID:658
Reference: URL:http://www.securityfocus.com/bid/658
Reference: MS:MS99-039
Reference: URL:https://docs.microsoft.com/en-us/security-updates/securitybulletins/1999/ms99-039
Reference: MSKB:Q241407
Reference: URL:http://support.microsoft.com/default.aspx?scid=kb;[LN];Q241407
Reference: MSKB:Q242559
Reference: URL:http://support.microsoft.com/default.aspx?scid=kb;[LN];Q242559
Reference: XF:iis-ftp-no-access-files

Name: CVE-1999-0778

Description:

Buffer overflow in Xi Graphics Accelerated-X server allows local users to gain root access via a long display or query parameter.

Status:Entry
Reference: BID:488
Reference: URL:http://www.securityfocus.com/bid/488
Reference: BUGTRAQ:19990626 KSR[T] #011: Accelerated-X
Reference: KSRT:011
Reference: XF:accelx-display-bo

Name: CVE-1999-0779

Description:

Denial of service in HP-UX SharedX recserv program.

Status:Entry
Reference: HP:HPSBUX9810-086
Reference: URL:http://www1.itrc.hp.com/service/cki/docDisplay.do?docId=HPSBUX9810-086
Reference: XF:hp-sharedx

Name: CVE-1999-0780

Description:

KDE klock allows local users to kill arbitrary processes by specifying an arbitrary PID in the .kss.pid file.

Status:Entry
Reference: BUGTRAQ:19981118 Multiple KDE security vulnerabilities (root compromise)
Reference: URL:http://marc.info/?l=bugtraq&m=91141486301691&w=2
Reference: XF:kde-klock-process-kill

Name: CVE-1999-0781

Description:

KDE allows local users to execute arbitrary commands by setting the KDEDIR environmental variable to modify the search path that KDE uses to locate its executables.

Status:Entry
Reference: BUGTRAQ:19981118 Multiple KDE security vulnerabilities (root compromise)
Reference: URL:http://marc.info/?l=bugtraq&m=91141486301691&w=2
Reference: XF:kde-klock-bindir-trojans

Name: CVE-1999-0782

Description:

KDE kppp allows local users to create a directory in an arbitrary location via the HOME environmental variable.

Status:Entry
Reference: BUGTRAQ:19981118 Multiple KDE security vulnerabilities (root compromise)
Reference: URL:http://marc.info/?l=bugtraq&m=91141486301691&w=2
Reference: XF:kde-kppp-directory-create

Name: CVE-1999-0783

Description:

FreeBSD allows local users to conduct a denial of service by creating a hard link from a device special file to a file on an NFS file system.

Status:Entry
Reference: CIAC:I-057
Reference: URL:http://www.ciac.org/ciac/bulletins/i-057.shtml
Reference: FREEBSD:FreeBSD-SA-98:05
Reference: OSVDB:6090
Reference: URL:http://www.osvdb.org/6090
Reference: XF:freebsd-nfs-link-dos

Name: CVE-1999-0784

Description:

Denial of service in Oracle TNSLSNR SQL*Net Listener via a malformed string to the listener port, aka NERP.

Status:Candidate
Phase: Proposed (20010214)
Reference: BUGTRAQ:19981228 Oracle8 TNSLSNR DoS
Reference: URL:http://archives.neohapsis.com/archives/bugtraq/1998_4/0764.html
Reference: BUGTRAQ:19990104 Re: Fw:"NERP" DoS attack possible in Oracle
Reference: URL:http://archives.neohapsis.com/archives/bugtraq/1999_1/0056.html
Reference: NTBUGTRAQ:19980827 NERP DoS attack possible in Oracle
Reference: URL:http://archives.neohapsis.com/archives/ntbugtraq/1998/msg00536.html

Votes:
ACCEPT(1)  Baker
MODIFY(1)  Frech
NOOP(1)  Cole
Voter Comments:
Frech>  XF:oracle-tnslsnr-dos(1551)

Name: CVE-1999-0785

Description:

The INN inndstart program allows local users to gain root privileges via the "pathrun" parameter in the inn.conf file.

Status:Entry
Reference: BID:254
Reference: URL:http://www.securityfocus.com/bid/254
Reference: BUGTRAQ:19990511 INN 2.0 and higher. Root compromise potential
Reference: SUSE:19990518 Security hole in INN
Reference: XF:inn-pathrun

Name: CVE-1999-0786

Description:

The dynamic linker in Solaris allows a local user to create arbitrary files via the LD_PROFILE environmental variable and a symlink attack.

Status:Entry
Reference: BID:659
Reference: URL:http://www.securityfocus.com/bid/659
Reference: BUGTRAQ:19990922 LD_PROFILE local root exploit for solaris 2.6

Name: CVE-1999-0787

Description:

The SSH authentication agent follows symlinks via a UNIX domain socket.

Status:Entry
Reference: BID:660
Reference: URL:http://www.securityfocus.com/bid/660
Reference: BUGTRAQ:19990917 A few bugs...
Reference: URL:http://marc.info/?l=bugtraq&m=93760201002154&w=2
Reference: BUGTRAQ:19990924 [Fwd: Truth about ssh 1.2.27 vulnerability]
Reference: URL:http://marc.info/?l=bugtraq&m=93832856804415&w=2
Reference: XF:ssh-socket-auth-symlink-dos

Name: CVE-1999-0788

Description:

Arkiea nlservd allows remote attackers to conduct a denial of service.

Status:Entry
Reference: BID:662
Reference: URL:http://www.securityfocus.com/bid/662
Reference: BUGTRAQ:19990924 Multiple vendor Knox Arkiea local root/remote DoS
Reference: URL:http://marc.info/?l=bugtraq&m=93837184228248&w=2
Reference: XF:arkiea-backup-nlserverd-remote-dos

Name: CVE-1999-0789

Description:

Buffer overflow in AIX ftpd in the libc library.

Status:Entry
Reference: BID:679
Reference: URL:http://www.securityfocus.com/bid/679
Reference: BUGTRAQ:19990928 Remote bufferoverflow exploit for ftpd from AIX 4.3.2 running on an RS6000
Reference: CIAC:J-072
Reference: URL:http://www.ciac.org/ciac/bulletins/j-072.shtml
Reference: IBM:ERS-SVA-E01-1999:004.1
Reference: XF:aix-ftpd-bo

Name: CVE-1999-0790

Description:

A remote attacker can read information from a Netscape user's cache via JavaScript.

Status:Entry
Reference: MISC:http://home.netscape.com/security/notes/jscachebrowsing.html
Reference: XF:netscape-javascript

Name: CVE-1999-0791

Description:

Hybrid Network cable modems do not include an authentication mechanism for administration, allowing remote attackers to compromise the system through the HSMP protocol.

Status:Entry
Reference: BID:695
Reference: URL:http://www.securityfocus.com/bid/695
Reference: BUGTRAQ:19991006 KSR[T] Advisories #012: Hybrid Network's Cable Modems
Reference: KSRT:012
Reference: XF:hybrid-anon-cable-modem-reconfig

Name: CVE-1999-0792

Description:

ROUTERmate has a default SNMP community name which allows remote attackers to modify its configuration.

Status:Candidate
Phase: Modified (20000827)
Reference: MISC:http://www2.merton.ox.ac.uk/~security/rootshell/0022.html

Votes:
ACCEPT(1)  Baker
MODIFY(2)  Frech, Stracener
NOOP(1)  Christey
REVIEWING(1)  Levy
Voter Comments:
Stracener>  Change the Ref to read: ROOTSHELL: Osicom Technologies ROUTERmate Security Advisory
Frech>  XF:routermate-snmp-community
Christey>  BUGTRAQ:19980914 [rootshell] Security Bulletin #23
URL:http://marc.theaimsgroup.com/?l=bugtraq&m=90581019105693&w=2

Name: CVE-1999-0793

Description:

Internet Explorer allows remote attackers to read files by redirecting data to a Javascript applet.

Status:Entry
Reference: MS:MS99-043
Reference: URL:https://docs.microsoft.com/en-us/security-updates/securitybulletins/1999/ms99-043
Reference: XF:ie-java-redirect

Name: CVE-1999-0794

Description:

Microsoft Excel does not warn a user when a macro is present in a Symbolic Link (SYLK) format file.

Status:Entry
Reference: MS:MS99-044
Reference: URL:https://docs.microsoft.com/en-us/security-updates/securitybulletins/1999/ms99-044
Reference: MSKB:Q241900
Reference: URL:http://support.microsoft.com/default.aspx?scid=kb;[LN];Q241900
Reference: MSKB:Q241901
Reference: URL:http://support.microsoft.com/default.aspx?scid=kb;[LN];Q241901
Reference: MSKB:Q241902
Reference: URL:http://support.microsoft.com/default.aspx?scid=kb;[LN];Q241902
Reference: XF:excel-sylk

Name: CVE-1999-0795

Description:

The NIS+ rpc.nisd server allows remote attackers to execute certain RPC calls without authentication to obtain system information, disable logging, or modify caches.

Status:Candidate
Phase: Proposed (19991222)
Reference: NAI:NAI-27

Votes:
ACCEPT(2)  Baker, Stracener
MODIFY(1)  Frech
NOOP(1)  Ozancin
Voter Comments:
Frech>  XF:sun-nisplus

Name: CVE-1999-0796

Description:

FreeBSD T/TCP Extensions for Transactions can be subjected to spoofing attacks.

Status:Entry
Reference: FREEBSD:SA-98.03
Reference: OSVDB:6089
Reference: URL:http://www.osvdb.org/6089
Reference: XF:freebsd-ttcp-spoof

Name: CVE-1999-0797

Description:

NIS finger allows an attacker to conduct a denial of service via a large number of finger requests, resulting in a large number of NIS queries.

Status:Entry
Reference: CIAC:I-070
Reference: URL:http://www.ciac.org/ciac/bulletins/i-070.shtml
Reference: ISS:19980629 Distributed DoS attack against NIS/NIS+ based networks.
Reference: XF:sun-nis-nisplus

Name: CVE-1999-0798

Description:

Buffer overflow in bootpd on OpenBSD, FreeBSD, and Linux systems via a malformed header type.

Status:Candidate
Phase: Proposed (19991222)
Reference: BUGTRAQ:19981204 bootpd remote vulnerability
Reference: URL:http://marc.info/?l=bugtraq&m=91278867118128&w=2

Votes:
ACCEPT(3)  Baker, Ozancin, Stracener
MODIFY(1)  Frech
NOOP(1)  Christey
Voter Comments:
Christey>  Is CVE-1999-0389 a duplicate of CVE-1999-0798?  CVE-1999-0389
has January 1999 dates associated with it, while CVE-1999-0798
was reported in late December.

http://marc.theaimsgroup.com/?l=bugtraq&m=91278867118128&w=2

SCO appears to have acknowledged this as well:
ftp://ftp.sco.com/SSE/security_bulletins/SB-99.01a

The poster also claims that OpenBSD fixed this as well.
Frech>  XF:bootp-remote-bo
Christey>  Further analysis indicates that this is a duplicate of CVE-1999-0799
CHANGE>  [Christey changed vote from REJECT to NOOP]
Christey>  What was I thinking?  Brian Caswell pointed out that this is
*not* the same bug as CVE-1999-0799.  As reported in the
1998 Bugtraq post, the bug is in bootpd.c, and is related
to providing an htype value that is used as an index
into an array, and exceeds the intended boundaries of that
array.

Name: CVE-1999-0799

Description:

Buffer overflow in bootpd 2.4.3 and earlier via a long boot file location.

Status:Entry
Reference: BUGTRAQ:19970725 Exploitable buffer overflow in bootpd (most unices)
Reference: XF:bootpd-bo

Name: CVE-1999-0800

Description:

The GetFile.cfm file in Allaire Forums allows remote attackers to read files through a parameter to GetFile.cfm.

Status:Entry
Reference: ALLAIRE:ASB99-05
Reference: URL:http://www.allaire.com/handlers/index.cfm?ID=9602&Method=Full
Reference: NTBUGTRAQ:19990211 ACFUG List: Alert: Allaire Forums GetFile bug
Reference: URL:http://archives.neohapsis.com/archives/ntbugtraq/1998-1999/msg00332.html
Reference: OSVDB:944
Reference: URL:http://www.osvdb.org/944
Reference: XF:allaire-forums-file-read(1748)
Reference: URL:https://exchange.xforce.ibmcloud.com/vulnerabilities/1748

Name: CVE-1999-0801

Description:

BMC Patrol allows remote attackers to gain access to an agent by spoofing frames.

Status:Entry
Reference: BUGTRAQ:19990409 Patrol security bugs
Reference: URL:http://www.securityfocus.com/archive/1/13204
Reference: XF:bmc-patrol-frames(2075)
Reference: URL:http://www.iss.net/security_center/static/2075.php

Name: CVE-1999-0802

Description:

Buffer overflow in Internet Explorer 5 allows remote attackers to execute commands via a malformed Favorites icon.

Status:Entry
Reference: BUGTRAQ:19990503 MSIE 5 FAVICON BUG
Reference: MS:MS99-018
Reference: URL:https://docs.microsoft.com/en-us/security-updates/securitybulletins/1999/ms99-018
Reference: MSKB:Q231450
Reference: URL:http://support.microsoft.com/default.aspx?scid=kb;[LN];Q231450
Reference: XF:ie-favicon

Name: CVE-1999-0803

Description:

The fwluser script in AIX eNetwork Firewall allows local users to write to arbitrary files via a symlink attack.

Status:Entry
Reference: BUGTRAQ:19990525 IBM eNetwork Firewall for AIX
Reference: URL:http://marc.info/?l=bugtraq&m=92765973207648&w=2
Reference: OSVDB:962
Reference: URL:http://www.osvdb.org/962
Reference: XF:ibm-enfirewall-tmpfiles

Name: CVE-1999-0804

Description:

Denial of service in Linux 2.2.x kernels via malformed ICMP packets containing unusual types, codes, and IP header lengths.

Status:Entry
Reference: BID:302
Reference: URL:http://www.securityfocus.com/bid/302
Reference: BUGTRAQ:19990601 Linux kernel 2.2.x vulnerability/exploit
Reference: CALDERA:CSSA-1999:013
Reference: DEBIAN:19990607
Reference: REDHAT:19990603 Kernel Update
Reference: SUSE:19990602 Denial of Service on the 2.2 kernel

Name: CVE-1999-0805

Description:

Novell NetWare Transaction Tracking System (TTS) in Novell 4.11 and earlier allows remote attackers to cause a denial of service via a large number of requests.

Status:Candidate
Phase: Proposed (20010214)
Reference: BUGTRAQ:19990512 DoS with Netware 4.x's TTS
Reference: URL:http://archives.neohapsis.com/archives/bugtraq/1999_2/0439.html
Reference: XF:novell-tts-dos(2184)
Reference: URL:https://exchange.xforce.ibmcloud.com/vulnerabilities/2184

Votes:
ACCEPT(2)  Baker, Frech
NOOP(2)  Christey, Cole
Voter Comments:
Christey>  BID:276
URL:http://www.securityfocus.com/vdb/bottom.html?vid=276
Frech>  XF:novell-tts-dos

Name: CVE-1999-0806

Description:

Buffer overflow in Solaris dtprintinfo program.

Status:Entry
Reference: BUGTRAQ:19990510 Solaris2.6,2.7 dtprintinfo exploits
Reference: OSVDB:6552
Reference: URL:http://www.osvdb.org/6552
Reference: XF:cde-dtprintinfo

Name: CVE-1999-0807

Description:

The Netscape Directory Server installation procedure leaves sensitive information in a file that is accessible to local users.

Status:Entry
Reference: XF:netscape-dirsvc-password

Name: CVE-1999-0808

Description:

Multiple buffer overflows in ISC DHCP Distribution server (dhcpd) 1.0 and 2.0 allow a remote attacker to cause a denial of service (crash) and possibly execute arbitrary commands via long options.

Status:Candidate
Phase: Proposed (20010912)
Reference: BUGTRAQ:19980518 DHCP 1.0 and 2.0 SECURITY ALERT! (fwd)
Reference: URL:http://marc.info/?l=bugtraq&m=90221101925960&w=2
Reference: CIAC:I-053
Reference: URL:http://ciac.llnl.gov/ciac/bulletins/i-053.shtml
Reference: MISC:ftp://ftp.isc.org/isc/dhcp/dhcp-1.0-history/dhcp-1.0.0-1.0pl1.diff.gz

Votes:
ACCEPT(4)  Armstrong, Cole, Foat, Stracener
MODIFY(1)  Frech
NOOP(1)  Wall
Voter Comments:
Frech>  XF:dhcp-remote-dos(7248)

Name: CVE-1999-0809

Description:

Netscape Communicator 4.x with Javascript enabled does not warn a user of cookie settings, even if they have selected the option to "Only accept cookies originating from the same server as the page being viewed".

Status:Entry
Reference: BUGTRAQ:19990709 Communicator 4.[56]x, JavaScript used to bypass cookie settings

Name: CVE-1999-0810

Description:

Denial of service in Samba NETBIOS name service daemon (nmbd).

Status:Entry
Reference: BUGTRAQ:19990721 Samba 2.0.5 security fixes
Reference: CALDERA:CSSA-1999:018.0
Reference: DEBIAN:19990731
Reference: DEBIAN:19990804
Reference: REDHAT:RHSA-1999:022-02
Reference: SUSE:19990816 Security hole in Samba

Name: CVE-1999-0811

Description:

Buffer overflow in Samba smbd program via a malformed message command.

Status:Entry
Reference: BID:536
Reference: URL:http://www.securityfocus.com/bid/536
Reference: BUGTRAQ:19990721 Samba 2.0.5 security fixes
Reference: CALDERA:CSSA-1999:018.0
Reference: DEBIAN:19990731 Samba
Reference: REDHAT:RHSA-1999:022-02
Reference: SUSE:19990816 Security hole in Samba
Reference: XF:samba-message-bo

Name: CVE-1999-0812

Description:

Race condition in Samba smbmnt allows local users to mount file systems in arbitrary locations.

Status:Entry
Reference: BUGTRAQ:19990721 Samba 2.0.5 security fixes
Reference: CALDERA:CSSA-1999:018.0
Reference: DEBIAN:19990731
Reference: DEBIAN:19990804
Reference: REDHAT:RHSA-1999:022-02
Reference: SUSE:19990816 Security hole in Samba

Name: CVE-1999-0813

Description:

Cfingerd with ALLOW_EXECUTION enabled does not properly drop privileges when it executes a program on behalf of the user, allowing local users to gain root privileges.

Status:Entry
Reference: BUGTRAQ:19980724 CFINGERD root security hole
Reference: BUGTRAQ:19990810 Severe bug in cfingerd before 1.4.0
Reference: DEBIAN:19990814
Reference: XF:cfingerd-privileges

Name: CVE-1999-0814

Description:

Red Hat pump DHCP client allows remote attackers to gain root access in some configurations.

Status:Entry
Reference: REDHAT:RHSA-1999:027
Reference: URL:http://www.redhat.com/support/errata/RHSA-1999-027.html

Name: CVE-1999-0815

Description:

Memory leak in SNMP agent in Windows NT 4.0 before SP5 allows remote attackers to conduct a denial of service (memory exhaustion) via a large number of queries.

Status:Entry
Reference: MSKB:Q196270
Reference: URL:http://support.microsoft.com/support/kb/articles/q196/2/70.asp
Reference: OVAL:oval:org.mitre.oval:def:952
Reference: URL:https://oval.cisecurity.org/repository/search/definition/oval%3Aorg.mitre.oval%3Adef%3A952
Reference: XF:nt-snmpagent-leak(1974)
Reference: URL:https://exchange.xforce.ibmcloud.com/vulnerabilities/1974

Name: CVE-1999-0816

Description:

The Motorola CableRouter allows any remote user to connect to and configure the router on port 1024.

Status:Candidate
Phase: Modified (20000313)
Reference: BUGTRAQ:19980510 Security Vulnerability in Motorola CableRouters
Reference: URL:http://www.netspace.org/cgi-bin/wa?A2=ind9805B&L=bugtraq&P=R1621
Reference: XF:motorola-cable-default-pass

Votes:
ACCEPT(3)  Baker, Cole, Stracener
MODIFY(1)  Frech
NOOP(2)  Christey, LeBlanc
Voter Comments:
Christey>  This candidate is unconfirmed by the vendor.
Frech>  XF:motorola-cable-default-pass

Name: CVE-1999-0817

Description:

Lynx WWW client allows a remote attacker to specify command-line parameters which Lynx uses when calling external programs to handle certain protocols, e.g. telnet.

Status:Entry
Reference: SUSE:19990915 Security hole in lynx

Name: CVE-1999-0818

Description:

Buffer overflow in Solaris kcms_configure via a long NETPATH environmental variable.

Status:Candidate
Phase: Proposed (19991208)
Reference: BID:831
Reference: URL:http://www.securityfocus.com/bid/831
Reference: BUGTRAQ:19991130 another hole of Solaris7 kcms_configure
Reference: URL:http://www.securityfocus.com/templates/archive.pike?list=1&msg=38433B7F5A.53F4SHADOWPENGUIN@fox.nightland.net

Votes:
ACCEPT(2)  Armstrong, Stracener
MODIFY(4)  Cole, Dik, Frech, Prosser
NOOP(1)  Baker
REVIEWING(1)  Christey
Voter Comments:
Cole>  This can cause code to be executed.
Frech>  XF:sol-kcms-conf-netpath-bo
Dik>  the bug has nothing to do with kcms_configure; it's a bug
in libnsl.so.  All set-uid executables that trigger this code path are
vulnerable.  Sun bug 4295834; fixed in Solaris 8.
Prosser>  Okay, I am confused.  Based on Casper's comments and checking
on the Sun patch site, I found the 4295834 bug (4295834 NETPATH security
problem in libnsl) fixed in SunOS 5.4, Patch 101974-37(x86) 101973 (sparc).
Multiple libnsl vulnerabilities was first reported in an 98 Sun Bulletin
#00172 for 5.4 up through 2.6.   Was this NETPATH a problem that resurfaced
in 7 (looks like in 5.4 as well) and was fixed in 8?
Christey>  Need to dig up my offline email on this.
Christey>  May be a duplicate of CVE-1999-0321, whose sole reference
(XF:sun-kcms-configure-bo) no longer exists.  Also examine
BID:452 and
BUGTRAQ:19981223 Merry Christmas to Sun! (Was: L0pht NFR N-Code
Modules Updated)

which are the same as XF:sol-kcms-conf-p-bo(3652), which could
be the new name for XF:sun-kcms-configure-bo.

Name: CVE-1999-0819

Description:

NTMail does not disable the VRFY command, even if the administrator has explicitly disabled it.

Status:Entry
Reference: BUGTRAQ:19991130 NTmail and VRFY
Reference: URL:http://marc.info/?l=bugtraq&m=94398141118586&w=2
Reference: NTBUGTRAQ:19991130 NTmail and VRFY
Reference: XF:nt-mail-vrfy

Name: CVE-1999-0820

Description:

FreeBSD seyon allows users to gain privileges via a modified PATH variable for finding the xterm and seyon-emu commands.

Status:Entry
Reference: BID:838
Reference: URL:http://www.securityfocus.com/bid/838
Reference: BUGTRAQ:19991130 Several FreeBSD-3.3 vulnerabilities
Reference: OSVDB:5996
Reference: URL:http://www.osvdb.org/5996
Reference: XF:freebsd-seyon-dir-add

Name: CVE-1999-0821

Description:

FreeBSD seyon allows local users to gain privileges by providing a malicious program in the -emulator argument.

Status:Candidate
Phase: Proposed (19991208)
Reference: BID:838
Reference: URL:http://www.securityfocus.com/bid/838
Reference: BUGTRAQ:19991130 Several FreeBSD-3.3 vulnerabilities

Votes:
ACCEPT(2)  Armstrong, Stracener
MODIFY(1)  Frech
NOOP(2)  Baker, Christey
REJECT(1)  Cole
REVIEWING(1)  Prosser
Voter Comments:
Cole>  I would combine this with the previous.  To me the general
vulnerabilities are similar; it is just the end result that changes.
Frech>  XF:freebsd-seyon-setgid
Christey>  ADDREF? CALDERA:CSSA-1999-037.0

Name: CVE-1999-0822

Description:

Buffer overflow in Qpopper (qpop) 3.0 allows remote root access via AUTH command.

Status:Candidate
Phase: Proposed (19991208)
Reference: BID:830
Reference: URL:http://www.securityfocus.com/bid/830
Reference: BUGTRAQ:19991130 qpop3.0b20 and below - notes and exploit
Reference: BUGTRAQ:19991130 serious Qpopper 3.0 vulnerability

Votes:
ACCEPT(4)  Armstrong, Baker, Cole, Stracener
MODIFY(1)  Frech
NOOP(1)  Christey
REVIEWING(1)  Prosser
Voter Comments:
Frech>  XF:qpopper-auth-bo
Christey>  ADDREF? DEBIAN:19991215 buffer overflow in qpopper v3.0
ADDREF XF:qpopper-auth-bo

Name: CVE-1999-0823

Description:

Buffer overflow in FreeBSD xmindpath allows local users to gain privileges via -f argument.

Status:Entry
Reference: BID:839
Reference: URL:http://www.securityfocus.com/bid/839
Reference: BUGTRAQ:19991130 Several FreeBSD-3.3 vulnerabilities
Reference: OSVDB:1150
Reference: URL:http://www.osvdb.org/1150
Reference: XF:freebsd-xmindpath

Name: CVE-1999-0824

Description:

A Windows NT user can use SUBST to map a drive letter to a folder, which is not unmapped after the user logs off, potentially allowing that user to modify the location of folders accessed by later users.

Status:Entry
Reference: BID:833
Reference: URL:http://www.securityfocus.com/bid/833
Reference: BUGTRAQ:19991130 Subst.exe carelessness (fwd)
Reference: NTBUGTRAQ:19991130 SUBST problem

Name: CVE-1999-0825

Description:

The default permissions for UnixWare /var/mail allow local users to read and modify other users' mail.

Status:Candidate
Phase: Modified (20000121)
Reference: BID:849
Reference: URL:http://www.securityfocus.com/bid/849
Reference: BUGTRAQ:19991203 UnixWare read/modify users' mail
Reference: BUGTRAQ:19991215 Recent postings about SCO UnixWare 7
Reference: BUGTRAQ:19991223 FYI, SCO Security patches available.

Votes:
ACCEPT(4)  Armstrong, Baker, Cole, Stracener
MODIFY(1)  Frech
NOOP(1)  Christey
REVIEWING(1)  Prosser
Voter Comments:
Frech>  XF:sco-mail-permissions
Christey>  ADDREF ftp://ftp.sco.com/SSE/security_bulletins/SB-99.25a

Name: CVE-1999-0826

Description:

Buffer overflow in FreeBSD angband allows local users to gain privileges.

Status:Entry
Reference: BID:840
Reference: URL:http://www.securityfocus.com/bid/840
Reference: BUGTRAQ:19991130 Several FreeBSD-3.3 vulnerabilities
Reference: OSVDB:1151
Reference: URL:http://www.osvdb.org/1151
Reference: XF:angband-bo

Name: CVE-1999-0827

Description:

By default, Internet Explorer 5.0 and other versions enables the "Navigate sub-frames across different domains" option, which allows frame spoofing.

Status:Candidate
Phase: Proposed (19991208)
Reference: BUGTRAQ:19991130 Default IE 5.0 security settings allow frame spoofing

Votes:
ACCEPT(4)  Armstrong, Baker, LeBlanc, Stracener
MODIFY(2)  Cole, Frech
REVIEWING(1)  Prosser
Voter Comments:
Cole>  The BID is 855.  If I have the right vulnerability, this allows an
attacker to access URLs of their choosing which could lead to a compromise
of private information.
Frech>  XF:http-frame-spoof
Question: Similar vulnerability to MS98-020 / CVE-1999-0869?
LeBlanc>  MSRC tells me this is patched in MS00-009

Name: CVE-1999-0828

Description:

UnixWare pkg commands such as pkginfo, pkgcat, and pkgparam allow local users to read arbitrary files via the dacread permission.

Status:Candidate
Phase: Modified (20000121)
Reference: BID:853
Reference: URL:http://www.securityfocus.com/bid/853
Reference: BUGTRAQ:19991203 UnixWare and the dacread permission
Reference: BUGTRAQ:19991204 UnixWare pkg* command exploits
Reference: BUGTRAQ:19991220 SCO OpenServer Security Status
Reference: BUGTRAQ:19991223 FYI, SCO Security patches available.

Votes:
ACCEPT(3)  Armstrong, Baker, Stracener
MODIFY(2)  Cole, Frech
REVIEWING(2)  Christey, Prosser
Voter Comments:
Cole>  This is BID 850.
Christey>  See comments on CVE-1999-0988.  Perhaps these two should be
merged. ftp://ftp.sco.com/SSE/security_bulletins/SB-99.28a
loosely alludes to this problem; the README for patch SSE053
effectively confirms it.
Frech>  XF:sco-pkg-dacread-fileread

Name: CVE-1999-0829

Description:

HP Secure Web Console uses weak encryption.

Status:Candidate
Phase: Proposed (19991208)
Reference: BUGTRAQ:19991201 HP Secure Web Console

Votes:
ACCEPT(2)  Armstrong, Stracener
MODIFY(1)  Frech
NOOP(2)  Baker, Cole
REVIEWING(1)  Prosser
Voter Comments:
Cole>  I could not find details on this using the above references.
Frech>  XF:hp-secure-console

Name: CVE-1999-0830

Description:

Buffer overflow in SCO UnixWare Xsco command via a long argument.

Status:Candidate
Phase: Proposed (19991208)
Reference: BUGTRAQ:19991126 [w00giving '99 #6]: UnixWare 7's Xsco

Votes:
ACCEPT(3)  Armstrong, Baker, Stracener
MODIFY(3)  Cole, Frech, Prosser
REVIEWING(1)  Christey
Voter Comments:
Cole>  This is BID 824 and the BUGTRAQ reference is 19991125.
Frech>  XF:sco-unixware-xsco
Christey>  Confirmed by vendor, albeit vaguely:
http://marc.theaimsgroup.com/?l=bugtraq&m=94581379905584&w=2
Prosser>  agree with Steve on vendor confirmation, however not sure the
fix ref'd in BID 824 (SSE041) is right.  It lists fixes for libnsl and
tcpip.so, nothing about xsco.  SSE050b
(ftp://ftp.sco.com/SSE/security_bulletins/SB-99.26b) fixes a buffer overflow
in xsco on OpenServer (the vendor message Steve refers to) but not the
UnixWare vulnerability reported on Bugtraq and in BID824. Anyone more
familiar with SCO shed some light on this? Are they the same codebase so fix
would be same?  From the SCO site it seems the UnixWare and OpenServer
products are similar but have differences.
CHANGE>  [Christey changed vote from NOOP to REVIEWING]
Christey>  BID:824
http://www.securityfocus.com/bid/824

Name: CVE-1999-0831

Description:

Denial of service in Linux syslogd via a large number of connections.

Status:Entry
Reference: BID:809
Reference: URL:http://www.securityfocus.com/bid/809
Reference: BUGTRAQ:19991130 [david@slackware.com: New Patches for Slackware 4.0 Available]
Reference: CALDERA:CSSA-1999-035.0
Reference: URL:ftp://ftp.caldera.com/pub/security/OpenLinux/CSSA-1999-035.0.txt
Reference: REDHAT:RHSA1999055-01
Reference: SUSE:19991118 syslogd-1.3.33 (a1)
Reference: XF:slackware-syslogd-dos

Name: CVE-1999-0832

Description:

Buffer overflow in NFS server on Linux allows attackers to execute commands via a long pathname.

Status:Entry
Reference: BID:782
Reference: URL:http://www.securityfocus.com/bid/782
Reference: BUGTRAQ:19991109 undocumented bugs - nfsd
Reference: URL:http://www.securityfocus.com/templates/archive.pike?list=1&msg=Pine.LNX.4.20.9911091058140.12964-100000@mail.zigzag.pl
Reference: BUGTRAQ:19991130 [david@slackware.com: New Patches for Slackware 4.0 Available]
Reference: CALDERA:CSSA-1999-033.0
Reference: URL:ftp://ftp.calderasystems.com/pub/OpenLinux/security/CSSA-1999-033.0.txt
Reference: DEBIAN:19991111 buffer overflow in nfs server
Reference: URL:http://www.debian.org/security/1999/19991111
Reference: REDHAT:RHSA-1999:053-01
Reference: URL:http://www.redhat.com/support/errata/rh42-errata-general.html#NFS
Reference: SUSE:19991110 Security hole in nfs-server < 2.2beta47 within nkita
Reference: URL:http://www.novell.com/linux/security/advisories/suse_security_announce_29.html
Reference: XF:linux-nfs-maxpath-bo

Name: CVE-1999-0833

Description:

Buffer overflow in BIND 8.2 via NXT records.

Status:Entry
Reference: BID:788
Reference: URL:http://www.securityfocus.com/bid/788
Reference: CALDERA:CSSA-1999-034.1
Reference: URL:ftp://ftp.caldera.com/pub/security/OpenLinux/CSSA-1999-034.1.txt
Reference: CERT:CA-99-14
Reference: DEBIAN:19991116 Denial of service vulnerabilities in bind
Reference: REDHAT:RHSA-1999:054-01
Reference: SUSE:19991111 Security hole in bind8 < 8.2.2p2 and bind4 < 4.9.7-REL
Reference: XF:bind-nxt-bo

Name: CVE-1999-0834

Description:

Buffer overflow in RSAREF2 via the encryption and decryption functions in the RSAREF library.

Status:Entry
Reference: BID:843
Reference: URL:http://www.securityfocus.com/bid/843
Reference: BUGTRAQ:19991201 Security Advisory: Buffer overflow in RSAREF2
Reference: BUGTRAQ:19991202 OpenBSD sslUSA26 advisory (Re: CORE-SDI: Buffer overflow in RSAREF2)
Reference: CERT:CA-99-15
Reference: XF:rsaref-bo

Name: CVE-1999-0835

Description:

Denial of service in BIND named via malformed SIG records.

Status:Entry
Reference: BID:788
Reference: URL:http://www.securityfocus.com/bid/788
Reference: CALDERA:CSSA-1999-034.1
Reference: URL:ftp://ftp.caldera.com/pub/security/OpenLinux/CSSA-1999-034.1.txt
Reference: CERT:CA-99-14
Reference: DEBIAN:19991116 Denial of service vulnerabilities in bind
Reference: REDHAT:RHSA-1999:054-01
Reference: SUSE:19991111 Security hole in bind8 < 8.2.2p2 and bind4 < 4.9.7-REL
Reference: XF:bind-sigrecord-dos

Name: CVE-1999-0836

Description:

UnixWare uidadmin allows local users to modify arbitrary files via a symlink attack.

Status:Entry
Reference: BID:842
Reference: URL:http://www.securityfocus.com/bid/842
Reference: BUGTRAQ:19991202 UnixWare 7 uidadmin exploit + discussion
Reference: URL:http://www.securityfocus.com/templates/archive.pike?list=1&msg=19991202160111.20553.qmail@nwcst282.netaddress.usa.net
Reference: SCO:SB-99.22a
Reference: URL:ftp://ftp.sco.com/SSE/security_bulletins/SB-99.22a
Reference: XF:unixware-uid-admin

Name: CVE-1999-0837

Description:

Denial of service in BIND by improperly closing TCP sessions via so_linger.

Status:Entry
Reference: BID:788
Reference: URL:http://www.securityfocus.com/bid/788
Reference: CALDERA:CSSA-1999-034.1
Reference: URL:ftp://ftp.caldera.com/pub/security/OpenLinux/CSSA-1999-034.1.txt
Reference: CERT:CA-99-14
Reference: DEBIAN:19991116 Denial of service vulnerabilities in bind
Reference: REDHAT:RHSA-1999:054-01
Reference: SUN:00194
Reference: URL:http://sunsolve.sun.com/pub-cgi/retrieve.pl?doctype=coll&doc=secbull/194
Reference: SUSE:19991111 Security hole in bind8 < 8.2.2p2 and bind4 < 4.9.7-REL
Reference: XF:bind-solinger-dos

Name: CVE-1999-0838

Description:

Buffer overflow in Serv-U FTP 2.5 allows remote users to conduct a denial of service via the SITE command.

Status:Entry
Reference: BID:859
Reference: URL:http://www.securityfocus.com/bid/859
Reference: BUGTRAQ:19991202 Remote DoS Attack in Serv-U FTP-Server v2.5a Vulnerability
Reference: XF:servu-ftp-site-bo

Name: CVE-1999-0839

Description:

Windows NT Task Scheduler installed with Internet Explorer 5 allows a user to gain privileges by modifying the job after it has been scheduled.

Status:Entry
Reference: BID:828
Reference: URL:http://www.securityfocus.com/bid/828
Reference: MS:MS99-051
Reference: URL:https://docs.microsoft.com/en-us/security-updates/securitybulletins/1999/ms99-051
Reference: MSKB:Q246972
Reference: URL:http://support.microsoft.com/default.aspx?scid=kb;[LN];Q246972
Reference: NTBUGTRAQ:19991130 Windows NT Task Scheduler vulnerability allows user to administrator elevation
Reference: XF:ie-task-scheduler-privs

Name: CVE-1999-0840

Description:

Buffer overflow in CDE dtmail and dtmailpr programs allows local users to gain privileges via a long -f option.

Status:Candidate
Phase: Modified (20071022)
Reference: BID:832
Reference: URL:http://www.securityfocus.com/bid/832
Reference: BUGTRAQ:19991129 Solaris7 dtmail/dtmailpr/mailtool Buffer Overflow
Reference: URL:http://www.security-express.com/archives/bugtraq/1999-q4/0122.html
Reference: MISC:http://www.securiteam.com/exploits/3J5QQPPQ0O.html
Reference: XF:solaris-dtmail-overflow(3579)
Reference: URL:https://exchange.xforce.ibmcloud.com/vulnerabilities/3579
Reference: XF:solaris-dtmailpr-overflow(3580)
Reference: URL:https://exchange.xforce.ibmcloud.com/vulnerabilities/3580

Votes:
ACCEPT(4)  Armstrong, Baker, Dik, Stracener
MODIFY(1)  Frech
NOOP(1)  Cole
REVIEWING(1)  Prosser
Voter Comments:
Cole>  I went to 1129 and it looks like a reference for a different
vulnerability.
Frech>  In the description, should dtmailptr be dtmailpr?
XF:solaris-dtmailpr-overflow
XF:solaris-dtmail-overflow
Dik>  sun bug: 4166321

Name: CVE-1999-0841

Description:

Buffer overflow in CDE mailtool allows local users to gain root privileges via a long MIME Content-Type.

Status:Candidate
Phase: Modified (20071022)
Reference: BID:832
Reference: URL:http://www.securityfocus.com/bid/832
Reference: BUGTRAQ:19991129 Solaris7 dtmail/dtmailpr/mailtool Buffer Overflow
Reference: URL:http://www.security-express.com/archives/bugtraq/1999-q4/0122.html
Reference: MISC:http://www.securiteam.com/exploits/3J5QQPPQ0O.html
Reference: XF:cde-mailtool-bo(3732)
Reference: URL:https://exchange.xforce.ibmcloud.com/vulnerabilities/3732

Votes:
ACCEPT(5)  Armstrong, Baker, Cole, Dik, Stracener
MODIFY(1)  Frech
REVIEWING(1)  Prosser
Voter Comments:
Frech>  XF:cde-mailtool-bo
Dik>  bug 4163471
(Root access is only possible when mail is sent to root and he
uses dtmail to read it)

Name: CVE-1999-0842

Description:

Symantec Mail-Gear 1.0 web interface server allows remote users to read arbitrary files via a .. (dot dot) attack.

Status:Entry
Reference: BID:827
Reference: URL:http://www.securityfocus.com/bid/827
Reference: BUGTRAQ:19991129 Symantec Mail-Gear 1.0 Web interface Server Directory Traversal Vulnerability
Reference: URL:http://www.securityfocus.com/templates/archive.pike?list=1&msg=NCBBKFKDOLAGKIAPMILPCEAFCBAA.labs@ussrback.com
Reference: NTBUGTRAQ:19991129 Symantec Mail-Gear 1.0 Web interface Server Directory Traversal Vulnerability
Reference: OSVDB:1144
Reference: URL:http://www.osvdb.org/1144
Reference: XF:symantec-mail-dir-traversal

Name: CVE-1999-0843

Description:

Denial of service in Cisco routers running NAT via a PORT command from an FTP client to a Telnet port.

Status:Candidate
Phase: Proposed (19991208)
Reference: BUGTRAQ:19991104 Cisco NAT DoS (VD#1)
Reference: BUGTRAQ:19991128 Re: Cisco NAT DoS (VD#1)

Votes:
ACCEPT(3)  Balinsky, Cole, Stracener
MODIFY(1)  Frech
NOOP(2)  Armstrong, Baker
REVIEWING(3)  Christey, Prosser, Ziese
Voter Comments:
Frech>  XF:cisco-nat-dos
Christey>  Mike Prosser's REVIEWING vote expires July 17, 2000
Ziese>  After reviewing
http://www.cisco.com/warp/public/707/iostelnetopt-pub.shtml
I can not confirm this exists unless it's restructured to
describe a problem against IOS per se; not NAT per se.  I am
reviewing this and it may take some time.
CHANGE>  [Christey changed vote from NOOP to REVIEWING]
Christey>  Not sure if Kevin's suggested reference really describes this
one.  However, a followup email by Jim Duncan of Cisco does
acknowledge the problem as discussed in the Bugtraq post:
http://marc.theaimsgroup.com/?l=vuln-dev&m=94385601831585&w=2
The original post is:
http://marc.theaimsgroup.com/?l=bugtraq&m=94184947504814&w=2

It could be that the researcher believed that the problem was
NAT, but in fact it wasn't.

I need to follow up with Ziese/Balinsky on this one.

Name: CVE-1999-0844

Description:

Denial of service in MDaemon WorldClient and WebConfig services via a long URL.

Status:Candidate
Phase: Proposed (19991208)
Reference: BID:820
Reference: URL:http://www.securityfocus.com/bid/820
Reference: BID:823
Reference: URL:http://www.securityfocus.com/bid/823
Reference: BUGTRAQ:19991130 Fwd: RE: Multiples Remotes DoS Attacks in MDaemon Server v2.8.5.0 Vulnerability
Reference: NTBUGTRAQ:19991124 Remote DoS Attack in WorldClient Server v2.0.0.0 Vulnerability

Votes:
ACCEPT(2)  Baker, Stracener
MODIFY(2)  Cole, Frech
NOOP(1)  Armstrong
RECAST(1)  Christey
REVIEWING(1)  Prosser
Voter Comments:
Cole>  823 and 820 are two different vulnerabilities and should be
separated out.  They are both buffer overflows but accomplish it in a
different fashion and the end exploit is different.
Frech>  (RECAST?)
XF:mdaemon-worldclient-dos
XF:mdaemon-webconfig-dos
Recast request: This is really two services exhibiting the same problem.
Christey>  as suggested by others.

Also see confirmation at:
http://mdaemon.deerfield.com/helpdesk/hotfix.cfm

Name: CVE-1999-0845

Description:

Buffer overflow in SCO su program allows local users to gain root access via a long username.

Status:Candidate
Phase: Proposed (19991208)
Reference: BUGTRAQ:19991126 [w00giving '99 #5 and w00news]: UnixWare 7's su
Reference: BUGTRAQ:19991128 SCO su patches
Reference: SCO:99.19

Votes:
ACCEPT(4)  Armstrong, Cole, Prosser, Stracener
MODIFY(1)  Frech
RECAST(1)  Baker
REVIEWING(1)  Christey
Voter Comments:
Christey>  DUPE CVE-1999-0317?
Frech>  XF:sco-su-username-bo
Christey>  ADDREF BID:826
CONFIRM:ftp://ftp.sco.com/SSE/sse039.tar.Z

Name: CVE-1999-0846

Description:

Denial of service in MDaemon 2.7 via a large number of connection attempts.

Status:Candidate
Phase: Proposed (19991208)
Reference: BUGTRAQ:19991129 MDaemon 2.7 J DoS
Reference: BUGTRAQ:19991130 Fwd: RE: Multiples Remotes DoS Attacks in MDaemon Server v2.8.5.0 Vulnerability

Votes:
ACCEPT(5)  Armstrong, Baker, Cole, Prosser, Stracener
MODIFY(1)  Frech
REVIEWING(1)  Christey
Voter Comments:
Frech>  XF:mdaemon-dos
Christey>  CVE-1999-0844 is confirmed by MDaemon at
http://mdaemon.deerfield.com/helpdesk/hotfix.cfm but there
is no apparent confirmation for this problem, even
though it was posted the same day.
Prosser>  Looks like from a follow-on message on Bugtraq from Nobuo
<http://www.securityfocus.com/templates/archive.pike?list=1&date=1999-11-28&msg=199912011604.HJI39569.BX-NOJ@lac.co.jp> Deerfield sent a reply about the
DoS problems in MDaemon 2.8.5, that also talks about fixing the 2.7 J DoS
that Nobuo initially reported. Can't find the original message, so may have
been limited distro. Looks like an upgrade to the latest release might be
the final solution here.

Name: CVE-1999-0847

Description:

Buffer overflow in free internet chess server (FICS) program, xboard.

Status:Entry
Reference: BUGTRAQ:19991129 FICS buffer overflow
Reference: XF:fics-board-bo

Name: CVE-1999-0848

Description:

Denial of service in BIND named via consuming more than "fdmax" file descriptors.

Status:Entry
Reference: BID:788
Reference: URL:http://www.securityfocus.com/bid/788
Reference: CALDERA:CSSA-1999-034.1
Reference: URL:ftp://ftp.caldera.com/pub/security/OpenLinux/CSSA-1999-034.1.txt
Reference: CERT:CA-99-14
Reference: DEBIAN:19991116 Denial of service vulnerabilities in bind
Reference: REDHAT:RHSA-1999:054-01
Reference: SUN:00194
Reference: URL:http://sunsolve.sun.com/pub-cgi/retrieve.pl?doctype=coll&doc=secbull/194
Reference: SUSE:19991111 Security hole in bind8 < 8.2.2p2 and bind4 < 4.9.7-REL
Reference: XF:bind-fdmax-dos

Name: CVE-1999-0849

Description:

Denial of service in BIND named via maxdname.

Status:Entry
Reference: BID:788
Reference: URL:http://www.securityfocus.com/bid/788
Reference: CALDERA:CSSA-1999-034.1
Reference: URL:ftp://ftp.caldera.com/pub/security/OpenLinux/CSSA-1999-034.1.txt
Reference: CERT:CA-99-14
Reference: DEBIAN:19991116 Denial of service vulnerabilities in bind
Reference: REDHAT:RHSA-1999:054-01
Reference: SUN:00194
Reference: URL:http://sunsolve.sun.com/pub-cgi/retrieve.pl?doctype=coll&doc=secbull/194
Reference: SUSE:19991111 Security hole in bind8 < 8.2.2p2 and bind4 < 4.9.7-REL
Reference: XF:bind-maxdname-bo

Name: CVE-1999-0850

Description:

The default permissions for Endymion MailMan allow local users to read email or modify files.

Status:Candidate
Phase: Proposed (19991208)
Reference: BID:845
Reference: URL:http://www.securityfocus.com/bid/845
Reference: BUGTRAQ:19991202 Insecure default permissions for MailMan Professional Edition, version 3.0.18

Votes:
ACCEPT(2)  Cole, Stracener
MODIFY(1)  Frech
NOOP(2)  Armstrong, Baker
REVIEWING(1)  Prosser
Voter Comments:
Frech>  XF:endymion-mailman-perms

Name: CVE-1999-0851

Description:

Denial of service in BIND named via naptr.

Status:Entry
Reference: BID:788
Reference: URL:http://www.securityfocus.com/bid/788
Reference: CALDERA:CSSA-1999-034.1
Reference: URL:ftp://ftp.caldera.com/pub/security/OpenLinux/CSSA-1999-034.1.txt
Reference: CERT:CA-99-14
Reference: DEBIAN:19991116 Denial of service vulnerabilities in bind
Reference: REDHAT:RHSA-1999:054-01
Reference: SUN:00194
Reference: URL:http://sunsolve.sun.com/pub-cgi/retrieve.pl?doctype=coll&doc=secbull/194
Reference: SUSE:19991111 Security hole in bind8 < 8.2.2p2 and bind4 < 4.9.7-REL
Reference: XF:bind-naptr-dos

Name: CVE-1999-0852

Description:

IBM WebSphere sets permissions that allow a local user to modify a deinstallation script or its data files stored in /usr/bin.

Status:Candidate
Phase: Proposed (19991208)
Reference: BID:844
Reference: URL:http://www.securityfocus.com/bid/844
Reference: BUGTRAQ:19991202 WebSphere protections from installation

Votes:
ACCEPT(3)  Armstrong, Cole, Stracener
MODIFY(1)  Frech
NOOP(1)  Baker
REVIEWING(1)  Prosser
Voter Comments:
Frech>  XF:websphere-protect

Name: CVE-1999-0853

Description:

Buffer overflow in Netscape Enterprise Server and Netscape FastTrack Server allows remote attackers to gain privileges via the HTTP Basic Authentication procedure.

Status:Entry
Reference: BID:847
Reference: URL:http://www.securityfocus.com/bid/847
Reference: ISS:19991201 Buffer Overflow in Netscape Enterprise and FastTrack Authentication Procedure
Reference: XF:netscape-fasttrack-auth-bo

Name: CVE-1999-0854

Description:

Ultimate Bulletin Board stores data files in the cgi-bin directory, allowing remote attackers to view the data if an error occurs when the HTTP server attempts to execute the file.

Status:Entry
Reference: BUGTRAQ:19991130 Ultimate Bulletin Board v5.3x? Bug
Reference: BUGTRAQ:20000225 FW: Important UBB News For Licensed Users
Reference: URL:http://www.securityfocus.com/templates/archive.pike?list=1&date=2000-02-22&msg=NDBBLKOPOLNKELHPDEFKIEPGCAAA.renzo.toma@veronica.nl
Reference: CONFIRM:http://www.ultimatebb.com/home/versions.shtml
Reference: XF:http-ultimate-bbs

Name: CVE-1999-0855

Description:

Buffer overflow in FreeBSD gdc program.

Status:Candidate
Phase: Proposed (19991208)
Reference: BID:834
Reference: URL:http://www.securityfocus.com/bid/834
Reference: BUGTRAQ:19991130 FreeBSD 3.3 gated-3.1.5 local exploit

Votes:
ACCEPT(3)  Armstrong, Prosser, Stracener
MODIFY(2)  Cole, Frech
NOOP(2)  Baker, Christey
Voter Comments:
Cole>  The BID is 834 and the reference is 19991201 not 1130.
Frech>  XF:freebsd-gdc-bo
Christey>  ADDREF BID:780 ?

Name: CVE-1999-0856

Description:

login in Slackware 7.0 allows remote attackers to identify valid users on the system by reporting an encryption error when an account is locked or does not exist.

Status:Entry
Reference: BUGTRAQ:19991202 Slackware 7.0 - login bug
Reference: XF:slackware-remote-login

Name: CVE-1999-0857

Description:

FreeBSD gdc program allows local users to modify files via a symlink attack.

Status:Candidate
Phase: Proposed (19991208)
Reference: BID:835
Reference: URL:http://www.securityfocus.com/bid/835
Reference: BUGTRAQ:19991130 FreeBSD 3.3 gated-3.1.5 local exploit

Votes:
ACCEPT(3)  Armstrong, Prosser, Stracener
MODIFY(2)  Cole, Frech
NOOP(1)  Baker
Voter Comments:
Cole>  This is via debug output.
Frech>  XF:freebsd-gdc

Name: CVE-1999-0858

Description:

Internet Explorer 5 allows a remote attacker to modify the IE client's proxy configuration via a malicious Web Proxy Auto-Discovery (WPAD) server.

Status:Entry
Reference: BID:846
Reference: URL:http://www.securityfocus.com/bid/846
Reference: MS:MS99-054
Reference: URL:https://docs.microsoft.com/en-us/security-updates/securitybulletins/1999/ms99-054
Reference: MSKB:Q247333
Reference: URL:http://support.microsoft.com/default.aspx?scid=kb;[LN];Q247333
Reference: XF:ie-wpad-proxy-settings

Name: CVE-1999-0859

Description:

Solaris arp allows local users to read files via the -f parameter, which lists lines in the file that do not parse properly.

Status:Entry
Reference: BID:837
Reference: URL:http://www.securityfocus.com/bid/837
Reference: BUGTRAQ:19991130 Solaris 2.x chkperm/arp vulnerabilities
Reference: OSVDB:6994
Reference: URL:http://www.osvdb.org/6994
Reference: SUNBUG:4296166
Reference: XF:sol-arp-parse

Name: CVE-1999-0860

Description:

Solaris chkperm allows local users to read files owned by bin via the VMSYS environmental variable and a symlink attack.

Status:Candidate
Phase: Proposed (19991208)
Reference: BID:837
Reference: URL:http://www.securityfocus.com/bid/837
Reference: BUGTRAQ:19991130 Solaris 2.x chkperm/arp vulnerabilities

Votes:
ACCEPT(2)  Armstrong, Stracener
MODIFY(2)  Dik, Frech
NOOP(2)  Baker, Christey
REJECT(1)  Cole
REVIEWING(1)  Prosser
Voter Comments:
Cole>  This is the same as the previous.
Frech>  XF:sol-chkperm-vmsys
Dik>  include reference to Sun bug 4296167
Christey>  Remove BID:837, which is for arp, not chkperm

Name: CVE-1999-0861

Description:

Race condition in the SSL ISAPI filter in IIS and other servers may leak information in plaintext.

Status:Entry
Reference: MS:MS99-053
Reference: URL:https://docs.microsoft.com/en-us/security-updates/securitybulletins/1999/ms99-053
Reference: MSKB:Q244613
Reference: URL:http://support.microsoft.com/default.aspx?scid=kb;[LN];Q244613
Reference: XF:iis-ssl-isapi-filter

Name: CVE-1999-0862

Description:

Insecure directory permissions in RPM distribution for PostgreSQL allows local users to gain privileges by reading a plaintext password file.

Status:Candidate
Phase: Proposed (19991208)
Reference: BUGTRAQ:19991202 PostgreSQL RPM's permission problems

Votes:
ACCEPT(3)  Armstrong, Cole, Stracener
MODIFY(1)  Frech
NOOP(1)  Baker
REVIEWING(1)  Prosser
Voter Comments:
Frech>  XF:postgresql-insecure-perms

Name: CVE-1999-0863

Description:

Buffer overflow in FreeBSD seyon via HOME environmental variable, -emulator argument, -modems argument, or the GUI.

Status:Candidate
Phase: Proposed (19991208)
Reference: BUGTRAQ:19970617 Seyon vulnerability - IRIX
Reference: BUGTRAQ:19991108 FreeBSD 3.3's seyon vulnerability
Reference: BUGTRAQ:19991130 Several FreeBSD-3.3 vulnerabilities

Votes:
ACCEPT(4)  Armstrong, Cole, Prosser, Stracener
MODIFY(1)  Frech
NOOP(1)  Baker
REVIEWING(1)  Christey
Voter Comments:
Frech>  XF:freebsd-seyon-bo
Christey>  ADDREF? CALDERA:CSSA-1999-037.0
Christey>  May be multiple bugs here, or a single library problem.
CD:SF-LOC needs to be resolved before determining if this
candidate should be SPLIT.  Also see CVE-1999-0821.

Name: CVE-1999-0864

Description:

UnixWare programs that dump core allow a local user to modify files via a symlink attack on the ./core.pid file.

Status:Entry
Reference: BID:851
Reference: URL:http://www.securityfocus.com/bid/851
Reference: BUGTRAQ:19991202 UnixWare coredumps follow symlinks
Reference: URL:http://www.securityfocus.com/templates/archive.pike?list=1&msg=19991203020720.13115.qmail@nwcst289.netaddress.usa.net
Reference: BUGTRAQ:19991215 Recent postings about SCO UnixWare 7
Reference: URL:http://marc.info/?l=bugtraq&m=94530783815434&w=2
Reference: BUGTRAQ:19991220 SCO OpenServer Security Status
Reference: URL:http://marc.info/?l=bugtraq&m=94581379905584&w=2
Reference: BUGTRAQ:19991223 FYI, SCO Security patches available.
Reference: URL:http://marc.info/?l=bugtraq&m=94606167110764&w=2
Reference: XF:sco-coredump-symlink

Name: CVE-1999-0865

Description:

Buffer overflow in CommuniGatePro via a long string to the HTTP configuration port.

Status:Entry
Reference: BID:860
Reference: URL:http://www.securityfocus.com/bid/860
Reference: BUGTRAQ:19991203 CommuniGatePro 3.1 for NT DoS
Reference: URL:http://marc.info/?l=bugtraq&m=94426440413027&w=2
Reference: NTBUGTRAQ:19991203 CommuniGatePro 3.1 for NT Buffer Overflow
Reference: URL:http://marc.info/?l=ntbugtraq&m=94454565726775&w=2
Reference: XF:communigate-pro-bo

Name: CVE-1999-0866

Description:

Buffer overflow in UnixWare xauto program allows local users to gain root privilege.

Status:Entry
Reference: BID:848
Reference: URL:http://www.securityfocus.com/bid/848
Reference: BUGTRAQ:19991203 UnixWare gain root with non-su/gid binaries
Reference: BUGTRAQ:19991215 Recent postings about SCO UnixWare 7
Reference: URL:http://marc.info/?l=bugtraq&m=94530783815434&w=2
Reference: BUGTRAQ:19991220 SCO OpenServer Security Status
Reference: URL:http://marc.info/?l=bugtraq&m=94581379905584&w=2
Reference: BUGTRAQ:19991223 FYI, SCO Security patches available.
Reference: URL:http://marc.info/?l=bugtraq&m=94606167110764&w=2
Reference: SCO:SB-99.24a
Reference: URL:ftp://ftp.sco.com/SSE/security_bulletins/SB-99.24a
Reference: XF:sco-xauto-bo

Name: CVE-1999-0867

Description:

Denial of service in IIS 4.0 via a flood of HTTP requests with malformed headers.

Status:Entry
Reference: BID:579
Reference: URL:http://www.securityfocus.com/bid/579
Reference: CIAC:J-058
Reference: URL:http://www.ciac.org/ciac/bulletins/j-058.shtml
Reference: MS:MS99-029
Reference: URL:https://docs.microsoft.com/en-us/security-updates/securitybulletins/1999/ms99-029
Reference: MSKB:Q238349
Reference: URL:http://support.microsoft.com/default.aspx?scid=kb;[LN];Q238349
Reference: XF:http-iis-malformed-header

Name: CVE-1999-0868

Description:

ucbmail allows remote attackers to execute commands via shell metacharacters that are passed to it from INN.

Status:Entry
Reference: CERT:CA-97.08
Reference: XF:inn-ucbmail-shell-meta

Name: CVE-1999-0869

Description:

Internet Explorer 3.x to 4.01 allows a remote attacker to insert malicious content into a frame of another web site, aka frame spoofing.

Status:Entry
Reference: MS:MS98-020
Reference: URL:https://docs.microsoft.com/en-us/security-updates/securitybulletins/1998/ms98-020
Reference: MSKB:167614
Reference: XF:http-frame-spoof

Name: CVE-1999-0870

Description:

Internet Explorer 4.01 allows remote attackers to read arbitrary files by pasting a file name into the file upload control, aka untrusted scripted paste.

Status:Entry
Reference: MS:MS98-015
Reference: URL:https://docs.microsoft.com/en-us/security-updates/securitybulletins/1998/ms98-015
Reference: MSKB:169245
Reference: XF:ie-usp-cuartango

Name: CVE-1999-0871

Description:

Internet Explorer 4.0 and 4.01 allow a remote attacker to read files via IE's cross frame security, aka the "Cross Frame Navigate" vulnerability.

Status:Entry
Reference: MS:MS98-013
Reference: URL:https://docs.microsoft.com/en-us/security-updates/securitybulletins/1998/ms98-013
Reference: OSVDB:7837
Reference: URL:http://www.osvdb.org/7837
Reference: XF:ie-crossframe-file-read(3668)
Reference: URL:https://exchange.xforce.ibmcloud.com/vulnerabilities/3668

Name: CVE-1999-0872

Description:

Buffer overflow in Vixie cron allows local users to gain root access via a long MAILTO environment variable in a crontab file.

Status:Candidate
Phase: Proposed (19991214)
Reference: BID:611
Reference: URL:http://www.securityfocus.com/bid/611
Reference: BID:759
Reference: URL:http://www.securityfocus.com/bid/759
Reference: REDHAT:RHSA-1999:030-02

Votes:
MODIFY(2)  Cole, Frech
NOOP(1)  Baker
REJECT(3)  Blake, Christey, Stracener
Voter Comments:
Cole>  611 is the mail to listed above but 759 is for the mail from and
should be listed as a separate vulnerability.
Blake>  This does not appear materially different from CVE-1999-0768
Christey>  This is an apparent duplicate of CVE-1999-0768.
REDHAT:RHSA-1999:030-02 describes two issues, one of which is
CVE-1999-0768, and the other is CVE-1999-0769.
Stracener>  This is a duplicate of candidate CVE-1999-0768.
Frech>  XF:cron-sendmail-bo-root
Christey>  BID:759 is improperly assigned to this candidate and doesn't
even describe it.  It may have been inadvertently copied
from CVE-1999-0873.

Name: CVE-1999-0873

Description:

Buffer overflow in Skyfull mail server via MAIL FROM command.

Status:Entry
Reference: BID:759
Reference: URL:http://www.securityfocus.com/bid/759
Reference: XF:skyfull-mail-from-bo

Name: CVE-1999-0874

Description:

Buffer overflow in IIS 4.0 allows remote attackers to cause a denial of service via a malformed request for files with .HTR, .IDC, or .STM extensions.

Status:Entry
Reference: CERT:CA-99-07
Reference: CIAC:J-048
Reference: URL:http://www.ciac.org/ciac/bulletins/j-048.shtml
Reference: EEYE:AD06081999
Reference: URL:http://www.eeye.com/html/Research/Advisories/AD06081999.html
Reference: MS:MS99-019
Reference: URL:https://docs.microsoft.com/en-us/security-updates/securitybulletins/1999/ms99-019
Reference: MSKB:Q234905
Reference: URL:http://support.microsoft.com/default.aspx?scid=kb;[LN];Q234905
Reference: OVAL:oval:org.mitre.oval:def:915
Reference: URL:https://oval.cisecurity.org/repository/search/definition/oval%3Aorg.mitre.oval%3Adef%3A915
Reference: XF:iis-htr-overflow

Name: CVE-1999-0875

Description:

DHCP clients with ICMP Router Discovery Protocol (IRDP) enabled allow remote attackers to modify their default routes.

Status:Entry
Reference: BID:578
Reference: URL:http://www.securityfocus.com/bid/578
Reference: L0PHT:19990811
Reference: MSKB:Q216141
Reference: URL:http://support.microsoft.com/default.aspx?scid=kb;[LN];Q216141
Reference: XF:irdp-gateway-spoof

Name: CVE-1999-0876

Description:

Buffer overflow in Internet Explorer 4.0 via EMBED tag.

Status:Entry
Reference: MSKB:Q176697
Reference: URL:http://support.microsoft.com/support/kb/articles/q176/6/97.asp
Reference: MSKB:Q185959
Reference: URL:http://support.microsoft.com/default.aspx?scid=kb;[LN];Q185959

Name: CVE-1999-0877

Description:

Internet Explorer 5 allows remote attackers to read files via an ExecCommand method called on an IFRAME.

Status:Entry
Reference: MS:MS99-042
Reference: URL:https://docs.microsoft.com/en-us/security-updates/securitybulletins/1999/ms99-042
Reference: MSKB:Q243638
Reference: URL:http://support.microsoft.com/default.aspx?scid=kb;[LN];Q243638
Reference: XF:ie-iframe-exec

Name: CVE-1999-0878

Description:

Buffer overflow in WU-FTPD and related FTP servers allows remote attackers to gain root privileges via MAPPING_CHDIR.

Status:Entry
Reference: AUSCERT:AA-1999.01
Reference: BID:599
Reference: URL:http://www.securityfocus.com/bid/599
Reference: CERT:CA-99-13
Reference: COMPAQ:SSRT0622
Reference: REDHAT:RHSA1999031_01
Reference: XF:wu-ftpd-dir-name

Name: CVE-1999-0879

Description:

Buffer overflow in WU-FTPD and related FTP servers allows remote attackers to gain root privileges via macro variables in a message file.

Status:Entry
Reference: CERT:CA-99-13
Reference: XF:wuftp-message-file-root

Name: CVE-1999-0880

Description:

Denial of service in WU-FTPD via the SITE NEWER command, which does not free memory properly.

Status:Entry
Reference: CERT:CA-99-13
Reference: XF:wuftp-site-newer-dos

Name: CVE-1999-0881

Description:

Falcon web server allows remote attackers to read arbitrary files via a .. (dot dot) attack.

Status:Entry
Reference: BID:743
Reference: URL:http://www.securityfocus.com/bid/743
Reference: BINDVIEW:Falcon Web Server
Reference: BUGTRAQ:19991025 Falcon Web Server
Reference: OSVDB:1127
Reference: URL:http://www.osvdb.org/1127
Reference: XF:falcon-path-parsing

Name: CVE-1999-0882

Description:

Falcon web server allows remote attackers to determine the absolute path of the web root via long file names.

Status:Candidate
Phase: Proposed (19991214)
Reference: BINDVIEW:Falcon Web Server
Reference: BUGTRAQ:19991025 Falcon Web Server

Votes:
ACCEPT(3)  Baker, Blake, Stracener
MODIFY(1)  Frech
NOOP(2)  Armstrong, Cole
Voter Comments:
Frech>  XF:falcon-server-long-filename

Name: CVE-1999-0883

Description:

Zeus web server allows remote attackers to read arbitrary files by specifying the file name in an option to the search engine.

Status:Entry
Reference: BID:742
Reference: URL:http://www.securityfocus.com/bid/742
Reference: BUGTRAQ:19991024 RFP9905: Zeus webserver remote root compromise
Reference: OSVDB:1126
Reference: URL:http://www.osvdb.org/1126
Reference: XF:zeus-remote-root(3380)
Reference: URL:https://exchange.xforce.ibmcloud.com/vulnerabilities/3380

Name: CVE-1999-0884

Description:

The Zeus web server administrative interface uses weak encryption for its passwords.

Status:Entry
Reference: BID:742
Reference: URL:http://www.securityfocus.com/bid/742
Reference: BUGTRAQ:19991024 RFP9905: Zeus webserver remote root compromise
Reference: OSVDB:8186
Reference: URL:http://www.osvdb.org/8186
Reference: XF:zeus-weak-password(3833)
Reference: URL:https://exchange.xforce.ibmcloud.com/vulnerabilities/3833

Name: CVE-1999-0885

Description:

Alibaba web server allows remote attackers to execute commands via a pipe character in a malformed URL.

Status:Candidate
Phase: Modified (20000313)
Reference: BID:770
Reference: URL:http://www.securityfocus.com/bid/770
Reference: BUGTRAQ:19991103 More Alibaba Web Server problems...
Reference: URL:http://www.securityfocus.com/templates/archive.pike?list=1&date=1999-11-01&msg=01BF261F.928821E0.kerb@fnusa.com
Reference: XF:alibaba-url-file-manipulation

Votes:
ACCEPT(2)  Baker, Stracener
MODIFY(1)  Frech
NOOP(5)  Armstrong, Blake, Christey, Cole, LeBlanc
Voter Comments:
Christey>  This candidate is unconfirmed by the vendor.
Blake>  Same as CVE-1999-0776.
Frech>  XF:alibaba-url-file-manipulation
Christey>  CD:SF-LOC and CD:SF-EXEC may say to merge this candidate with
the problems described in:
BUGTRAQ:20000718 Multiple bugs in Alibaba 2.0
URL:http://archives.neohapsis.com/archives/bugtraq/2000-07/0237.html

If so, then ADDREF BID:1485 as well.
Christey>  Include the names of the affected CGI's, including tst.bat,
get32.exe, alibaba.pl, etc.

Name: CVE-1999-0886

Description:

The security descriptor for RASMAN allows users to point to an alternate location via the Windows NT Service Control Manager.

Status:Entry
Reference: BID:645
Reference: URL:http://www.securityfocus.com/bid/645
Reference: MS:MS99-041
Reference: URL:https://docs.microsoft.com/en-us/security-updates/securitybulletins/1999/ms99-041
Reference: MSKB:Q242294
Reference: URL:http://support.microsoft.com/default.aspx?scid=kb;[LN];Q242294
Reference: XF:nt-rasman-pathname

Name: CVE-1999-0887

Description:

FTGate web interface server allows remote attackers to read files via a .. (dot dot) attack.

Status:Entry
Reference: BUGTRAQ:19991104 FTGate Version 2.1 Web interface Server Directory Traversal Vulnerability
Reference: EEYE:AD05261999
Reference: URL:http://www.eeye.com/html/Research/Advisories/AD05261999.html
Reference: OSVDB:1137
Reference: URL:http://www.osvdb.org/1137

Name: CVE-1999-0888

Description:

dbsnmp in Oracle Intelligent Agent allows local users to gain privileges by setting the ORACLE_HOME environmental variable, which dbsnmp uses to find the nmiconf.tcl script.

Status:Entry
Reference: BID:585
Reference: URL:http://www.securityfocus.com/bid/585
Reference: BUGTRAQ:19990817 Security Bug in Oracle
Reference: XF:oracle-dbsnmp

Name: CVE-1999-0889

Description:

Cisco 675 routers running CBOS allow remote attackers to establish telnet sessions if an exec or superuser password has not been set.

Status:Entry
Reference: BUGTRAQ:19990810 Cisco 675 password nonsense
Reference: OSVDB:39
Reference: URL:http://www.osvdb.org/39
Reference: XF:cisco-cbos-telnet

Name: CVE-1999-0890

Description:

iHTML Merchant allows remote attackers to obtain sensitive information or execute commands via a code parsing error.

Status:Entry
Reference: BID:694
Reference: URL:http://www.securityfocus.com/bid/694
Reference: BUGTRAQ:19990928 Team Asylum: iHTML Merchant Vulnerabilities
Reference: CONFIRM:http://www.ihtmlmerchant.com/support_patches_feedback.htm
Reference: XF:ihtml-merchant-file-access

Name: CVE-1999-0891

Description:

The "download behavior" in Internet Explorer 5 allows remote attackers to read arbitrary files via a server-side redirect.

Status:Entry
Reference: BID:674
Reference: URL:http://www.securityfocus.com/bid/674
Reference: CERT-VN:VU#37828
Reference: URL:http://www.kb.cert.org/vuls/id/37828
Reference: CIAC:K-002
Reference: URL:http://www.ciac.org/ciac/bulletins/k-002.shtml
Reference: MS:MS99-040
Reference: URL:https://docs.microsoft.com/en-us/security-updates/securitybulletins/1999/ms99-040
Reference: MSKB:Q242542
Reference: URL:http://support.microsoft.com/default.aspx?scid=kb;[LN];Q242542
Reference: OSVDB:11274
Reference: URL:http://www.osvdb.org/11274
Reference: XF:ie-download-behavior

Name: CVE-1999-0892

Description:

Buffer overflow in Netscape Communicator before 4.7 via a dynamic font whose length field is less than the size of the font.

Status:Entry
Reference: BUGTRAQ:19991018 Netscape 4.x buffer overflow

Name: CVE-1999-0893

Description:

userOsa in SCO OpenServer allows local users to corrupt files via a symlink attack.

Status:Entry
Reference: BUGTRAQ:19991011 SCO OpenServer 5.0.5 overwrite /etc/shadow
Reference: XF:sco-openserver-userosa-script

Name: CVE-1999-0894

Description:

Red Hat Linux screen program does not use Unix98 ptys, allowing local users to write to other terminals.

Status:Entry
Reference: REDHAT:RHSA1999042-01

Name: CVE-1999-0895

Description:

Firewall-1 does not properly restrict access to LDAP attributes.

Status:Entry
Reference: BID:725
Reference: URL:http://www.securityfocus.com/bid/725
Reference: BUGTRAQ:19991020 Checkpoint FireWall-1 V4.0: possible bug in LDAP authentication
Reference: URL:http://www.securityfocus.com/templates/archive.pike?list=1&msg=19991020150002.21047.qmail@tarjan.mediaways.net
Reference: OSVDB:1117
Reference: URL:http://www.osvdb.org/1117
Reference: XF:checkpoint-ldap-auth

Name: CVE-1999-0896

Description:

Buffer overflow in RealNetworks RealServer administration utility allows remote attackers to execute arbitrary commands via a long username and password.

Status:Entry
Reference: BID:767
Reference: URL:http://www.securityfocus.com/bid/767
Reference: BUGTRAQ:19991109 RealNetworks RealServer G2 buffer overflow.
Reference: MISC:http://service.real.com/help/faq/servg260.html
Reference: XF:realserver-g2-pw-bo

Name: CVE-1999-0897

Description:

iChat ROOMS Webserver allows remote attackers to read arbitrary files via a .. (dot dot) attack.

Status:Entry
Reference: BUGTRAQ:19980908 bug in iChat 3.0 (maybe others)
Reference: URL:http://marc.info/?l=bugtraq&m=90538488231977&w=2
Reference: XF:ichat-file-read-vuln

Name: CVE-1999-0898

Description:

Buffer overflows in Windows NT 4.0 print spooler allow remote attackers to gain privileges or cause a denial of service via a malformed spooler request.

Status:Entry
Reference: BID:768
Reference: URL:http://www.securityfocus.com/bid/768
Reference: MS:MS99-047
Reference: URL:https://docs.microsoft.com/en-us/security-updates/securitybulletins/1999/ms99-047
Reference: MSKB:Q243649
Reference: URL:http://support.microsoft.com/default.aspx?scid=kb;[LN];Q243649
Reference: XF:nt-printer-spooler-bo

Name: CVE-1999-0899

Description:

The Windows NT 4.0 print spooler allows a local user to execute arbitrary commands due to inappropriate permissions that allow the user to specify an alternate print provider.

Status:Entry
Reference: BID:769
Reference: URL:http://www.securityfocus.com/bid/769
Reference: MS:MS99-047
Reference: URL:https://docs.microsoft.com/en-us/security-updates/securitybulletins/1999/ms99-047
Reference: MSKB:Q243649
Reference: URL:http://support.microsoft.com/default.aspx?scid=kb;[LN];Q243649
Reference: XF:nt-printer-spooler-bo

Name: CVE-1999-0900

Description:

Buffer overflow in rpc.yppasswdd allows a local user to gain privileges via MD5 hash generation.

Status:Entry
Reference: DEBIAN:19991027 nis
Reference: REDHAT:RHSA1999046-01
Reference: SUSE:19991023 Security hole in ypserv < 1.3.9

Name: CVE-1999-0901

Description:

ypserv allows a local user to modify the GECOS and login shells of other users.

Status:Entry
Reference: DEBIAN:19991027 nis
Reference: REDHAT:RHSA1999046-01
Reference: SUSE:19991023 Security hole in ypserv < 1.3.9

Name: CVE-1999-0902

Description:

ypserv allows local administrators to modify password tables.

Status:Entry
Reference: DEBIAN:19991027 nis
Reference: REDHAT:RHSA1999046-01
Reference: SUSE:19991023 Security hole in ypserv < 1.3.9

Name: CVE-1999-0903

Description:

genfilt in the AIX Packet Filtering Module does not properly filter traffic to destination ports greater than 32767.

Status:Entry
Reference: BUGTRAQ:19991025 IBM AIX Packet Filter module
Reference: BUGTRAQ:19991027 Re: IBM AIX Packet Filter module (followup)
Reference: XF:aix-genfilt-filtering

Name: CVE-1999-0904

Description:

Buffer overflow in BFTelnet allows remote attackers to cause a denial of service via a long username.

Status:Entry
Reference: BID:771
Reference: URL:http://www.securityfocus.com/bid/771
Reference: BUGTRAQ:19991103 Remote DoS Attack in BFTelnet Server v1.1 for Windows NT
Reference: XF:bftelnet-username-dos

Name: CVE-1999-0905

Description:

Denial of service in Axent Raptor firewall via malformed zero-length IP options.

Status:Entry
Reference: BID:736
Reference: URL:http://www.securityfocus.com/bid/736
Reference: BUGTRAQ:19991020 Remote DoS in Axent's Raptor 6.0
Reference: OSVDB:1121
Reference: URL:http://www.osvdb.org/1121
Reference: XF:raptor-ipoptions-dos

Name: CVE-1999-0906

Description:

Buffer overflow in sccw allows local users to gain root access via the HOME environmental variable.

Status:Entry
Reference: BID:656
Reference: URL:http://www.securityfocus.com/bid/656
Reference: BUGTRAQ:19990923 SuSE 6.2 sccw overflow exploit
Reference: SUSE:19990926 Security hole in sccw (Part II)
Reference: XF:linux-sccw-bo

Name: CVE-1999-0907

Description:

sccw allows local users to read arbitrary files.

Status:Entry
Reference: BUGTRAQ:19990916 SuSE 6.2 /usr/bin/sccw read any file
Reference: SUSE:19990921 Security Hole in sccw-1.1 and earlier

Name: CVE-1999-0908

Description:

Denial of service in Solaris TCP streams driver via a malicious connection that causes the server to panic as a result of recursive calls to mutex_enter.

Status:Entry
Reference: BID:655
Reference: URL:http://www.securityfocus.com/bid/655
Reference: BUGTRAQ:19990921 solaris DoS
Reference: XF:sun-tcp-mutex-enter-dos

Name: CVE-1999-0909

Description:

Multihomed Windows systems allow a remote attacker to bypass IP source routing restrictions via a malformed packet with IP options, aka the "Spoofed Route Pointer" vulnerability.

Status:Entry
Reference: BID:646
Reference: URL:http://www.securityfocus.com/bid/646
Reference: MS:MS99-038
Reference: URL:https://docs.microsoft.com/en-us/security-updates/securitybulletins/1999/ms99-038
Reference: MSKB:Q238453
Reference: URL:http://support.microsoft.com/default.aspx?scid=kb;[LN];Q238453
Reference: NAI:Windows IP Source Routing Vulnerability
Reference: XF:nt-ip-source-route

Name: CVE-1999-0910

Description:

Microsoft Site Server and Commercial Internet System (MCIS) do not set an expiration for a cookie, which could then be cached by a proxy and inadvertently used by a different user.

Status:Candidate
Phase: Proposed (19991208)
Reference: BID:625
Reference: URL:http://www.securityfocus.com/bid/625
Reference: MS:MS99-035
Reference: URL:https://docs.microsoft.com/en-us/security-updates/securitybulletins/1999/ms99-035

Votes:
ACCEPT(4)  Baker, Ozancin, Prosser, Wall
MODIFY(2)  Frech, Stracener
REJECT(1)  Cole
Voter Comments:
Frech>  XF:siteserver-cis-cookie-cache
Cole>  Whether cookies are a vulnerability is a debate for another time, the
question here is whether the expiration feature is a vulnerability and I
do not think it is because the underlying concerns for this are present
even without this feature.  The expiration feature does not add any new
vulnerabilities that are not already present with cookies.
Stracener>  Add Ref: MSKB Q238647

Name: CVE-1999-0911

Description:

Buffer overflow in ProFTPD, wu-ftpd, and beroftpd allows remote attackers to gain root access via a series of MKD and CWD commands that create nested directories.

Status:Candidate
Phase: Modified (20050309)
Reference: BID:612
Reference: URL:http://www.securityfocus.com/bid/612
Reference: BUGTRAQ:19990827 ProFTPD
Reference: BUGTRAQ:19990907 ProFTP-1.2.0pre4 buffer overflow -- once more
Reference: DEBIAN:19990210
Reference: URL:http://www.debian.org/security/1999/19990210
Reference: FREEBSD:FreeBSD-SA-99:03

Votes:
ACCEPT(5)  Baker, Blake, Cole, Prosser, Stracener
MODIFY(1)  Frech
REVIEWING(1)  Christey
Voter Comments:
Frech>  XF:proftpd-long-dir-bo(3399)
Christey>  Not absolutely sure if this isn't the same as Palmetto
(CVE-1999-0368), which describes a similar type of overflow.

NETBSD:NetBSD-SA1999-003 may refer to CVE-1999-0368:
ADDREF URL:ftp://ftp.NetBSD.ORG/pub/NetBSD/misc/security/advisories/NetBSD-SA1999-003.txt.asc
Christey>  ADDREF CIAC:J-068
Include version numbers; too many wu-ftp/etc. problems
were published in summer/fall 1999

Name: CVE-1999-0912

Description:

FreeBSD VFS cache (vfs_cache) allows local users to cause a denial of service by opening a large number of files.

Status:Entry
Reference: BID:653
Reference: URL:http://www.securityfocus.com/bid/653
Reference: BUGTRAQ:19990921 FreeBSD-specific denial of service
Reference: OSVDB:1079
Reference: URL:http://www.osvdb.org/1079
Reference: XF:freebsd-vfscache-dos

Name: CVE-1999-0913

Description:

dfire.cgi script in Dragon-Fire IDS allows remote users to execute commands via shell metacharacters.

Status:Candidate
Phase: Proposed (19991214)
Reference: BID:564
Reference: URL:http://www.securityfocus.com/bid/564
Reference: BUGTRAQ:19990804 NSW Dragon Fire gets drowned
Reference: URL:http://marc.info/?l=bugtraq&m=93383593909438&w=2

Votes:
ACCEPT(2)  Blake, Stracener
MODIFY(1)  Frech
NOOP(4)  Armstrong, Baker, Cole, LeBlanc
REVIEWING(1)  Christey
Voter Comments:
Christey>  Some voters should use ABSTAIN.
Frech>  XF:dragon-fire-ids-metachar(3834)
CHANGE>  [Armstrong changed vote from REVIEWING to NOOP]

Name: CVE-1999-0914

Description:

Buffer overflow in the FTP client in the Debian GNU/Linux netstd package.

Status:Entry
Reference: BID:324
Reference: URL:http://www.securityfocus.com/bid/324
Reference: BUGTRAQ:19990103 [SECURITY] New versions of netstd fixes buffer overflows
Reference: DEBIAN:19990104

Name: CVE-1999-0915

Description:

URL Live! web server allows remote attackers to read arbitrary files via a .. (dot dot) attack.

Status:Entry
Reference: BID:746
Reference: URL:http://www.securityfocus.com/bid/746
Reference: BUGTRAQ:19991028 URL Live! 1.0 WebServer
Reference: OSVDB:1129
Reference: URL:http://www.osvdb.org/1129

Name: CVE-1999-0916

Description:

WebTrends software stores account names and passwords in a file which does not have restricted access permissions.

Status:Entry
Reference: ISS:19990629 Bad Permissions on Passwords Stored by WebTrends Software

Name: CVE-1999-0917

Description:

The Preloader ActiveX control used by Internet Explorer allows remote attackers to read arbitrary files.

Status:Entry
Reference: MS:MS99-018
Reference: URL:https://docs.microsoft.com/en-us/security-updates/securitybulletins/1999/ms99-018
Reference: MSKB:Q231452
Reference: URL:http://support.microsoft.com/default.aspx?scid=kb;[LN];Q231452
Reference: XF:legacy-activex-local-drive

Name: CVE-1999-0918

Description:

Denial of service in various Windows systems via malformed, fragmented IGMP packets.

Status:Entry
Reference: BID:514
Reference: URL:http://www.securityfocus.com/bid/514
Reference: BUGTRAQ:19990703 IGMP fragmentation bug in Windows 98/2000
Reference: MS:MS99-034
Reference: URL:https://docs.microsoft.com/en-us/security-updates/securitybulletins/1999/ms99-034
Reference: MSKB:Q238329
Reference: URL:http://support.microsoft.com/default.aspx?scid=kb;[LN];Q238329
Reference: XF:igmp-dos

Name: CVE-1999-0919

Description:

A memory leak in a Motorola CableRouter allows remote attackers to conduct a denial of service via a large number of telnet connections.

Status:Candidate
Phase: Modified (20020226)
Reference: BUGTRAQ:19980510 Security Vulnerability in Motorola CableRouters
Reference: URL:http://www.netspace.org/cgi-bin/wa?A2=ind9805B&L=bugtraq&P=R1621
Reference: XF:motorola-cable-crash(2004)
Reference: URL:https://exchange.xforce.ibmcloud.com/vulnerabilities/2004

Votes:
ACCEPT(2)  Baker, Cole
MODIFY(1)  Frech
NOOP(7)  Armstrong, Christey, Landfield, LeBlanc, Ozancin, Stracener, Wall
REVIEWING(1)  Levy
Voter Comments:
Christey>  This candidate is unconfirmed by the vendor.
Frech>  XF:motorola-cable-crash
Christey>  This has enough votes, but not the "confidence" yet (until we
resolve the question of the amount of verification needed
for CVE).

Name: CVE-1999-0920

Description:

Buffer overflow in the pop-2d POP daemon in the IMAP package allows remote attackers to gain privileges via the FOLD command.

Status:Entry
Reference: BID:283
Reference: URL:http://www.securityfocus.com/bid/283
Reference: BUGTRAQ:19990526 Remote vulnerability in pop2d
Reference: DEBIAN:19990607a
Reference: XF:pop2-fold-bo

Name: CVE-1999-0921

Description:

BMC Patrol allows any remote attacker to flood its UDP port, causing a denial of service.

Status:Entry
Reference: BID:1879
Reference: URL:http://www.securityfocus.com/bid/1879
Reference: BUGTRAQ:19990409 Patrol security bugs
Reference: URL:http://www.securityfocus.com/archive/1/13204
Reference: XF:bmc-patrol-udp-dos(4291)
Reference: URL:http://www.iss.net/security_center/static/4291.php

Name: CVE-1999-0922

Description:

An example application in ColdFusion Server 4.0 allows remote attackers to view source code via the sourcewindow.cfm file.

Status:Entry
Reference: ALLAIRE:ASB99-02
Reference: URL:http://www.allaire.com/handlers/index.cfm?ID=8739&Method=Full
Reference: XF:coldfusion-sourcewindow

Name: CVE-1999-0923

Description:

Sample runnable code snippets in ColdFusion Server 4.0 allow remote attackers to read files, conduct a denial of service, or use the server as a proxy for other HTTP calls.

Status:Candidate
Phase: Proposed (20010214)
Reference: ALLAIRE:ASB99-02
Reference: URL:http://www.allaire.com/handlers/index.cfm?ID=8739&Method=Full

Votes:
ACCEPT(2)  Baker, Cole
MODIFY(1)  Frech
NOOP(1)  Christey
Voter Comments:
Frech>  XF:coldfusion-source-display(1741)
XF:coldfusion-syntax-checker(1742)
XF:coldfusion-file-existence(1743)
XF:coldfusion-sourcewindow(1744)
Christey>  List all affected runnable code snippets to facilitate
search, which may include:
viewexample.cfm (though could that be part of CVE-1999-0922?)

Name: CVE-1999-0924

Description:

The Syntax Checker in ColdFusion Server 4.0 allows remote attackers to conduct a denial of service.

Status:Entry
Reference: ALLAIRE:ASB99-02
Reference: URL:http://www.allaire.com/handlers/index.cfm?ID=8739&Method=Full
Reference: OSVDB:3236
Reference: URL:http://www.osvdb.org/3236
Reference: XF:coldfusion-syntax-checker(1742)
Reference: URL:https://exchange.xforce.ibmcloud.com/vulnerabilities/1742

Name: CVE-1999-0925

Description:

UnityMail allows remote attackers to conduct a denial of service via a large number of MIME headers.

Status:Candidate
Phase: Modified (20020829)
Reference: BUGTRAQ:19980903 Web servers / possible DOS Attack / mime header flooding
Reference: URL:http://marc.info/?l=bugtraq&m=90486243124867&w=2

Votes:
ACCEPT(2)  Baker, Stracener
MODIFY(1)  Frech
NOOP(1)  Christey
REVIEWING(1)  Levy
Voter Comments:
Frech>  XF:unitymail-web-dos(1630)
Christey>  BID:1760
URL:http://www.securityfocus.com/bid/1760
Christey>  Affected version is 2.0
Change date of Bugtraq post - it was 1998.

Name: CVE-1999-0926

Description:

Apache allows remote attackers to conduct a denial of service via a large number of MIME headers.

Status:Candidate
Phase: Proposed (20010912)
Reference: BUGTRAQ:19990903 Web servers / possible DOS Attack / mime header flooding
Reference: URL:http://archives.neohapsis.com/archives/bugtraq/1998_3/0742.html

Votes:
ACCEPT(1)  Cole
MODIFY(1)  Frech
NOOP(3)  Christey, Foat, Wall
Voter Comments:
Christey>  BID:1760
URL:http://www.securityfocus.com/bid/1760
Frech>  XF:unitymail-web-dos(1630)

Name: CVE-1999-0927

Description:

NTMail allows remote attackers to read arbitrary files via a .. (dot dot) attack.

Status:Entry
Reference: BID:279
Reference: URL:http://www.securityfocus.com/bid/279
Reference: EEYE:AD05261999
Reference: URL:http://www.eeye.com/html/Research/Advisories/AD05261999.html
Reference: XF:ntmail-fileread

Name: CVE-1999-0928

Description:

Buffer overflow in SmartDesk WebSuite allows remote attackers to cause a denial of service via a long URL.

Status:Entry
Reference: BID:278
Reference: URL:http://www.securityfocus.com/bid/278
Reference: BUGTRAQ:19990525 Buffer overflow in SmartDesk WebSuite v2.1
Reference: XF:websuite-dos

Name: CVE-1999-0929

Description:

Novell NetWare with Novell-HTTP-Server or YAWN web servers allows remote attackers to conduct a denial of service via a large number of HTTP GET requests.

Status:Candidate
Phase: Interim (19991229)
Reference: BUGTRAQ:19990616 Novell NetWare webservers DoS

Votes:
ACCEPT(4)  Armstrong, Blake, Cole, Stracener
MODIFY(1)  Frech
NOOP(1)  Baker
Voter Comments:
Frech>  XF:novell-webserver-dos(2287)

Name: CVE-1999-0930

Description:

wwwboard allows a remote attacker to delete message board articles via a malformed argument.

Status:Entry
Reference: BID:1795
Reference: URL:http://www.securityfocus.com/bid/1795
Reference: BUGTRAQ:19980903 wwwboard.pl vulnerability
Reference: CONFIRM:http://www.worldwidemart.com/scripts/faq/wwwboard/q5.shtml
Reference: XF:http-cgi-wwwboard(2344)
Reference: URL:https://exchange.xforce.ibmcloud.com/vulnerabilities/2344

Name: CVE-1999-0931

Description:

Buffer overflow in Mediahouse Statistics Server allows remote attackers to execute commands.

Status:Entry
Reference: BID:734
Reference: URL:http://www.securityfocus.com/bid/734
Reference: BUGTRAQ:19990930 Security flaw in Mediahouse Statistics Server v4.28 & 5.01
Reference: XF:mediahouse-stats-login-bo

Name: CVE-1999-0932

Description:

Mediahouse Statistics Server allows remote attackers to read the administrator password, which is stored in cleartext in the ss.cfg file.

Status:Entry
Reference: BID:735
Reference: URL:http://www.securityfocus.com/bid/735
Reference: BUGTRAQ:19990930 Security flaw in Mediahouse Statistics Server v4.28 & 5.01
Reference: XF:mediahouse-stats-adminpw-cleartext

Name: CVE-1999-0933

Description:

TeamTrack web server allows remote attackers to read arbitrary files via a .. (dot dot) attack.

Status:Entry
Reference: BID:689
Reference: URL:http://www.securityfocus.com/bid/689
Reference: BUGTRAQ:19991001 RFP9904: TeamTrack webserver vulnerability
Reference: OSVDB:1096
Reference: URL:http://www.osvdb.org/1096

Name: CVE-1999-0934

Description:

classifieds.cgi allows remote attackers to read arbitrary files via shell metacharacters.

Status:Entry
Reference: BID:2020
Reference: URL:http://www.securityfocus.com/bid/2020
Reference: EL8:19991215 Classifieds (classifieds.cgi)
Reference: XF:http-cgi-classifieds-read(3102)
Reference: URL:https://exchange.xforce.ibmcloud.com/vulnerabilities/3102

Name: CVE-1999-0935

Description:

classifieds.cgi allows remote attackers to execute arbitrary commands by specifying them in a hidden variable in a CGI form.

Status:Entry
Reference: EL8:19991215 Classifieds (classifieds.cgi)

Name: CVE-1999-0936

Description:

BNBSurvey survey.cgi program allows remote attackers to execute commands via shell metacharacters.

Status:Entry
Reference: EL8:19981203 BNBSurvey (survey.cgi)

Name: CVE-1999-0937

Description:

BNBForm allows remote attackers to read arbitrary files via the automessage hidden form variable.

Status:Entry
Reference: EL8:19981203 BNBForm (bnbform.cgi)

Name: CVE-1999-0938

Description:

MBone SDR Package allows remote attackers to execute commands via shell metacharacters in Session Initiation Protocol (SIP) messages.

Status:Entry
Reference: CERT:VN-99-03
Reference: XF:sdr-execute

Name: CVE-1999-0939

Description:

Denial of service in Debian IRC Epic/epic4 client via a long string.

Status:Entry
Reference: BID:605
Reference: URL:http://www.securityfocus.com/bid/605
Reference: BUGTRAQ:19990826 [SECURITY] New versions of epic4 fixes possible DoS vulnerability
Reference: DEBIAN:19990826

Name: CVE-1999-0940

Description:

Buffer overflow in mutt mail client allows remote attackers to execute commands via malformed MIME messages.

Status:Entry
Reference: CALDERA:CSSA-1999-031
Reference: SUSE:19990927 Security hole in mutt

Name: CVE-1999-0941

Description:

Mutt mail client allows a remote attacker to execute commands via shell metacharacters.

Status:Candidate
Phase: Proposed (19991222)
Reference: BUGTRAQ:19980728 mutt x.x
Reference: URL:http://marc.info/?l=bugtraq&m=90221104526154&w=2

Votes:
ACCEPT(1)  Stracener
NOOP(2)  Baker, Christey
REJECT(1)  Frech
REVIEWING(1)  Levy
Voter Comments:
Frech>  References are vague, but seem to be identical to CVE-1999-0940
(XF:mutt-text-enriched-mime-bo). According to the references, the malformed
messages consist of metacharacters. In addition, -0941's reference and
-0940's SuSE reference both refer to fixes in 1.0pre3 release. Will
reconsider vote if other clearer references are forthcoming.
Christey>  Modify to mention that the metachar's are in the Content-Type header.
http://marc.theaimsgroup.com/?l=bugtraq&m=90221104526154&w=2

Name: CVE-1999-0942

Description:

UnixWare dos7utils allows a local user to gain root privileges by using the STATICMERGE environmental variable to find a script which it executes.

Status:Entry
Reference: BUGTRAQ:19991005 SCO UnixWare 7.1 local root exploit
Reference: XF:sco-unixware-dos7utils-root-privs

Name: CVE-1999-0943

Description:

Buffer overflow in OpenLink 3.2 allows remote attackers to gain privileges via a long GET request to the web configurator.

Status:Entry
Reference: BID:720
Reference: URL:http://www.securityfocus.com/bid/720
Reference: BUGTRAQ:19991015 OpenLink 3.2 Advisory

Name: CVE-1999-0944

Description:

IBM WebSphere ikeyman tool uses weak encryption to store a password for a key database that is used for SSL connections.

Status:Candidate
Phase: Proposed (19991222)
Reference: BUGTRAQ:19991024 password leak in IBM WebSphere / HTTP Server / ikeyman

Votes:
ACCEPT(2)  Baker, Stracener
MODIFY(1)  Frech
NOOP(2)  Bollinger, Christey
REVIEWING(1)  Levy
Voter Comments:
Frech>  XF:websphere-database-pwd-accessible
Christey>  ADDREF BID:1763
URL:http://www.securityfocus.com/bid/1763

Name: CVE-1999-0945

Description:

Buffer overflow in Internet Mail Service (IMS) for Microsoft Exchange 5.5 and 5.0 allows remote attackers to conduct a denial of service via AUTH or AUTHINFO commands.

Status:Entry
Reference: CIAC:I-080
Reference: URL:http://www.ciac.org/ciac/bulletins/i-080.shtml
Reference: ISS:19980724 Denial of Service attacks against Microsoft Exchange 5.0 to 5.5
Reference: URL:http://xforce.iss.net/alerts/advise4.php
Reference: MSKB:Q169174
Reference: URL:http://support.microsoft.com/default.aspx?scid=kb;[LN];Q169174
Reference: XF:exchange-dos(1223)
Reference: URL:https://exchange.xforce.ibmcloud.com/vulnerabilities/1223

Name: CVE-1999-0946

Description:

Buffer overflow in Yamaha MidiPlug via a Text variable in an EMBED tag.

Status:Entry
Reference: BID:760
Reference: URL:http://www.securityfocus.com/bid/760
Reference: BUGTRAQ:19991102 Some holes for Win/UNIX softwares
Reference: URL:http://marc.info/?l=bugtraq&m=94157187815629&w=2
Reference: XF:yamaha-midiplug-embed

Name: CVE-1999-0947

Description:

AN-HTTPd provides example CGI scripts test.bat, input.bat, input2.bat, and envout.bat, which allow remote attackers to execute commands via shell metacharacters.

Status:Entry
Reference: BID:762
Reference: URL:http://www.securityfocus.com/bid/762
Reference: BUGTRAQ:19991102 Some holes for Win/UNIX softwares
Reference: URL:http://marc.info/?l=bugtraq&m=94157187815629&w=2

Name: CVE-1999-0948

Description:

Buffer overflow in uum program for Canna input system allows local users to gain root privileges.

Status:Candidate
Phase: Proposed (19991222)
Reference: BID:757
Reference: URL:http://www.securityfocus.com/bid/757
Reference: BUGTRAQ:19991102 Some holes for Win/UNIX softwares

Votes:
ACCEPT(2)  Levy, Stracener
MODIFY(1)  Frech
NOOP(2)  Baker, Christey
Voter Comments:
Christey>  CVE-1999-0948 and CVE-1999-0949 are extremely similar.
uum (0948) is exploitable through a different set of options
than canuum (0949).  If it's the same generic option parsing
routine used by both programs, then CD:SF-CODEBASE says to
merge them.  But if it's not, then CD:SF-LOC and CD:SF-EXEC
say to split them.  However, this is a prime example of
how SF-EXEC might be modified - uum and canuum are clearly
part of the same package, so in the absence of clear
information, maybe we should merge them.
Frech>  XF:canna-uum-bo

Name: CVE-1999-0949

Description:

Buffer overflow in canuum program for Canna input system allows local users to gain root privileges.

Status:Candidate
Phase: Proposed (19991222)
Reference: BID:757
Reference: URL:http://www.securityfocus.com/bid/757
Reference: BUGTRAQ:19991102 Some holes for Win/UNIX softwares

Votes:
ACCEPT(2)  Levy, Stracener
MODIFY(1)  Frech
NOOP(2)  Baker, Christey
Voter Comments:
Christey>  CVE-1999-0948 and CVE-1999-0949 are extremely similar.
uum (0948) is exploitable through a different set of options
than canuum (0949).  If it's the same generic option parsing
routine used by both programs, then CD:SF-CODEBASE says to
merge them.  But if it's not, then CD:SF-LOC and CD:SF-EXEC
say to split them.  However, this is a prime example of
how SF-EXEC might be modified - uum and canuum are clearly
part of the same package, so in the absence of clear
information, maybe we should merge them.

Also review BID:758 and BID:757 - may need to change the BID
here.
Frech>  XF:canna-uum-bo
Christey>  CHANGEREF BID:757 BID:758
Christey>  The following page says that canuum is a "Japanese input tty
frontend for Canna using uum," which suggests that it is, at
the least, a different package, so perhaps this should stay SPLIT.

http://wuarchive.wustl.edu/mirrors/NetBSD/NetBSD-current/pkgsrc/inputmethod/canuum/README.html

Name: CVE-1999-0950

Description:

Buffer overflow in WFTPD FTP server allows remote attackers to gain root access via a series of MKD and CWD commands that create nested directories.

Status:Entry
Reference: BID:747
Reference: URL:http://www.securityfocus.com/bid/747
Reference: BUGTRAQ:19991027 WFTPD v2.40 FTPServer remotely exploitable buffer overflow vulnerability
Reference: XF:wftpd-mkd-bo

Name: CVE-1999-0951

Description:

Buffer overflow in OmniHTTPd CGI program imagemap.exe allows remote attackers to execute commands.

Status:Entry
Reference: BID:739
Reference: URL:http://www.securityfocus.com/bid/739
Reference: BUGTRAQ:19991022 Imagemap CGI overflow exploit
Reference: OSVDB:3380
Reference: URL:http://www.osvdb.org/3380
Reference: XF:http-cgi-imagemap-bo

Name: CVE-1999-0952

Description:

Buffer overflow in Solaris lpstat via class argument allows local users to gain root access.

Status:Candidate
Phase: Proposed (19991222)
Reference: BUGTRAQ:19990126 Buffer overflow in Solaris 2.6/2.7 /usr/bin/lpstat
Reference: URL:http://marc.info/?l=bugtraq&m=91759216618637&w=2

Votes:
ACCEPT(3)  Baker, Ozancin, Stracener
MODIFY(2)  Dik, Frech
REVIEWING(1)  Christey
Voter Comments:
Frech>  XF:solaris-lpstat-bo
Christey>  It is unclear from Casper Dik's followup whether this is
exploitable or not.
Dik>  Sunbug 4129917
(other reports in the same thread suggest that the then current patch did
fix the problem)
Christey>  Confirm with Casper Dik that the overflow is in the -c option,
and if so, include it in the description to differentiate
it from the lpstat -n buffer overflow.

Name: CVE-1999-0953

Description:

WWWBoard stores encrypted passwords in a password file that is under the web root and thus accessible by remote attackers.

Status:Entry
Reference: BUGTRAQ:19980903 wwwboard.pl vulnerability
Reference: BUGTRAQ:19990916 More fun with WWWBoard

Name: CVE-1999-0954

Description:

WWWBoard has a default username and default password.

Status:Entry
Reference: BID:649
Reference: URL:http://www.securityfocus.com/bid/649
Reference: BUGTRAQ:19990916 More fun with WWWBoard

Name: CVE-1999-0955

Description:

Race condition in wu-ftpd and BSDI ftpd allows remote attackers to gain root access via the SITE EXEC command.

Status:Entry
Reference: CERT:CA-94.08
Reference: CIAC:E-17
Reference: XF:ftp-exec

Name: CVE-1999-0956

Description:

The NeXT NetInfo _writers property allows local users to gain root privileges or conduct a denial of service.

Status:Entry
Reference: CERT:CA-93.02a
Reference: XF:next-netinfo

Name: CVE-1999-0957

Description:

MajorCool mj_key_cache program allows local users to modify files via a symlink attack.

Status:Entry
Reference: BUGTRAQ:19970618 Security hole in MajorCool 1.0.3
Reference: XF:majorcool-file-overwrite-vuln

Name: CVE-1999-0958

Description:

sudo 1.5.x allows local users to execute arbitrary commands via a .. (dot dot) attack.

Status:Entry
Reference: BUGTRAQ:19980112 Re: hole in sudo for MP-RAS.
Reference: URL:http://marc.info/?l=bugtraq&m=88465708614896&w=2
Reference: XF:sudo-dot-dot-attack

Name: CVE-1999-0959

Description:

IRIX startmidi program allows local users to modify arbitrary files via a symlink attack.

Status:Entry
Reference: AUSCERT:AA-97-05
Reference: BID:469
Reference: URL:http://www.securityfocus.com/bid/469
Reference: BUGTRAQ:19970209 IRIX: Bug in startmidi
Reference: OSVDB:8447
Reference: URL:http://www.osvdb.org/8447
Reference: SGI:19980301-01-PX
Reference: URL:ftp://patches.sgi.com/support/free/security/advisories/19980301-01-PX
Reference: XF:irix-startmidi-file-creation(1634)
Reference: URL:https://exchange.xforce.ibmcloud.com/vulnerabilities/1634

Name: CVE-1999-0960

Description:

IRIX cdplayer allows local users to create directories in arbitrary locations via a command line option.

Status:Entry
Reference: AUSCERT:AA-96.11
Reference: SGI:19980301-01-PX
Reference: URL:ftp://patches.sgi.com/support/free/security/advisories/19980301-01-PX
Reference: XF:irix-cdplayer-directory-create

Name: CVE-1999-0961

Description:

HPUX sysdiag allows local users to gain root privileges via a symlink attack during log file creation.

Status:Entry
Reference: BUGTRAQ:19960921 Vunerability in HP sysdiag ?
Reference: URL:http://marc.info/?l=bugtraq&m=87602167419906&w=2
Reference: CIAC:H-03
Reference: XF:hp-sysdiag-symlink

Name: CVE-1999-0962

Description:

Buffer overflow in HPUX passwd command allows local users to gain root privileges via a command line option.

Status:Entry
Reference: AUSCERT:AA-96.13
Reference: HP:HPSBUX9701-045
Reference: URL:http://www1.itrc.hp.com/service/cki/docDisplay.do?docId=HPSBUX9701-045
Reference: OSVDB:6415
Reference: URL:http://www.osvdb.org/6415
Reference: XF:hp-password-cmd-bo

Name: CVE-1999-0963

Description:

FreeBSD mount_union command allows local users to gain root privileges via a symlink attack.

Status:Entry
Reference: BUGTRAQ:19960517 BoS: SECURITY BUG in FreeBSD
Reference: CERT:VB-96.06
Reference: OSVDB:6088
Reference: URL:http://www.osvdb.org/6088
Reference: XF:freebsd-mount-union-root

Name: CVE-1999-0964

Description:

Buffer overflow in FreeBSD setlocale in the libc module allows attackers to execute arbitrary code via a long PATH_LOCALE environment variable.

Status:Entry
Reference: FREEBSD:FreeBSD-SA-97:01
Reference: OSVDB:6086
Reference: URL:http://www.osvdb.org/6086
Reference: XF:freebsd-setlocale-bo

Name: CVE-1999-0965

Description:

Race condition in xterm allows local users to modify arbitrary files via the logging option.

Status:Entry
Reference: CERT:CA-93.17
Reference: XF:xterm

Name: CVE-1999-0966

Description:

Buffer overflow in Solaris getopt in libc allows local users to gain root privileges via a long argv[0].

Status:Entry
Reference: L0PHT:19970127 Solaris libc - getopt(3)

Name: CVE-1999-0967

Description:

Buffer overflow in the HTML library used by Internet Explorer, Outlook Express, and Windows Explorer via the res: local resource protocol.

Status:Entry
Reference: L0PHT:19971101 Microsoft Internet Explorer 4.0 Suite

Name: CVE-1999-0968

Description:

Buffer overflow in BNC IRC proxy allows remote attackers to gain privileges.

Status:Entry
Reference: BID:1927
Reference: URL:http://www.securityfocus.com/bid/1927
Reference: BUGTRAQ:19981226 bnc exploit
Reference: URL:http://www.securityfocus.com/archive/1/11711
Reference: XF:bnc-proxy-bo(1546)
Reference: URL:https://exchange.xforce.ibmcloud.com/vulnerabilities/1546

Name: CVE-1999-0969

Description:

The Windows NT RPC service allows remote attackers to conduct a denial of service using spoofed malformed RPC packets which generate an error message that is sent to the spoofed host, potentially setting up a loop, aka Snork.

Status:Entry
Reference: ISS:19980929 "Snork" Denial of Service Attack Against Windows NT RPC Service
Reference: MS:MS98-014
Reference: URL:https://docs.microsoft.com/en-us/security-updates/securitybulletins/1998/ms98-014
Reference: MSKB:Q193233
Reference: URL:http://support.microsoft.com/default.aspx?scid=kb;[LN];Q193233
Reference: NTBUGTRAQ:19980929 ISS Security Advisory: Snork
Reference: XF:snork-dos

Name: CVE-1999-0970

Description:

The OmniHTTPD visadmin.exe program allows a remote attacker to conduct a denial of service via a malformed URL which causes a large number of temporary files to be created.

Status:Candidate
Phase: Modified (20020226)
Reference: BID:1808
Reference: URL:http://www.securityfocus.com/bid/1808
Reference: BUGTRAQ:19990605 Remote Exploit (Bug) in OmniHTTPd Web Server
Reference: URL:http://www.securityfocus.com/archive/1/14311
Reference: XF:omnihttpd-dos(2271)
Reference: URL:https://exchange.xforce.ibmcloud.com/vulnerabilities/2271

Votes:
ACCEPT(3)  Baker, Blake, Stracener
MODIFY(1)  Frech
NOOP(1)  Christey
REVIEWING(1)  Levy
Voter Comments:
Frech>  XF:omnihttpd-dos
Christey>  Some sort of confirmation might be findable at:
http://www.omnicron.ab.ca/httpd/docs/release.html
Christey>  See http://www.omnicron.ab.ca/index.html
The August 16, 2000 news item says "This release fixes some
security problems."  It's for version 2.07, but the discloser
didn't say what version was available.

Other security fixes are in the release notes at
http://www.omnicron.ab.ca/httpd/docs/release.html Notes for
Professional Version 1.01 say "Patched up two security weaknesses."
Notes for version 2.07 say "Fixes dot-appending vulnerability."
Professional Alpha 7 says "Revamped CGI launching and security,"
Professional Alpha 4 says "Fixed SSI path mapping and security
problems," Alpha 5 says "Security fixup."

In other words, you can't tell whether they've fixed this bug
or not.
Christey>  BID:1808
URL:http://www.securityfocus.com/bid/1808

Name: CVE-1999-0971

Description:

Buffer overflow in Exim allows local users to gain root privileges via a long :include: option in a .forward file.

Status:Entry
Reference: BUGTRAQ:19970722 Security hole in exim 1.62: local root exploit
Reference: URL:http://www.securityfocus.com/archive/1/7301
Reference: XF:exim-include-overflow

Name: CVE-1999-0972

Description:

Buffer overflow in Xshipwars xsw program.

Status:Entry
Reference: BID:863
Reference: URL:http://www.securityfocus.com/bid/863
Reference: BUGTRAQ:19991209 xsw 1.24 remote buffer overflow

Name: CVE-1999-0973

Description:

Buffer overflow in Solaris snoop program allows remote attackers to gain root privileges via a long domain name when snoop is running in verbose mode.

Status:Entry
Reference: BID:858
Reference: URL:http://www.securityfocus.com/bid/858
Reference: BUGTRAQ:19991206 [w00giving #8] Solaris 2.7's snoop
Reference: BUGTRAQ:19991209 Clarification needed on the snoop vuln(s) (fwd)

Name: CVE-1999-0974

Description:

Buffer overflow in Solaris snoop allows remote attackers to gain root privileges via GETQUOTA requests to the rpc.rquotad service.

Status:Entry
Reference: BID:864
Reference: URL:http://www.securityfocus.com/bid/864
Reference: BUGTRAQ:19991209 Clarification needed on the snoop vuln(s) (fwd)
Reference: ISS:19991209 Buffer Overflow in Solaris Snoop
Reference: SUN:00190
Reference: URL:http://sunsolve.sun.com/pub-cgi/retrieve.pl?doctype=coll&doc=secbull/190

Name: CVE-1999-0975

Description:

The Windows help system can allow a local user to execute commands as another user by editing a table of contents metafile with a .CNT extension and modifying the topic action to include the commands to be executed when the .hlp file is accessed.

Status:Entry
Reference: BID:868
Reference: URL:http://www.securityfocus.com/bid/868
Reference: BUGTRAQ:19991207 Local user can fool another to run executable. .CNT/.GID/.HLP M$WINNT

Name: CVE-1999-0976

Description:

Sendmail allows local users to reinitialize the aliases database via the newaliases command, then cause a denial of service by interrupting Sendmail.

Status:Entry
Reference: BID:857
Reference: URL:http://www.securityfocus.com/bid/857
Reference: BUGTRAQ:19991207 [Debian] New version of sendmail released
Reference: OPENBSD:19991204
Reference: XF:sendmail-bi-alias

Name: CVE-1999-0977

Description:

Buffer overflow in Solaris sadmind allows remote attackers to gain root privileges using a NETMGT_PROC_SERVICE request.

Status:Entry
Reference: BID:2354
Reference: URL:http://www.securityfocus.com/bid/2354
Reference: BID:866
Reference: URL:http://www.securityfocus.com/bid/866
Reference: BUGTRAQ:19991210 Re: Solaris sadmind Buffer Overflow Vulnerability
Reference: BUGTRAQ:19991210 Solaris sadmind Buffer Overflow Vulnerability
Reference: CERT:CA-99-16
Reference: OSVDB:2558
Reference: URL:http://www.osvdb.org/2558
Reference: SF-INCIDENTS:19991209 sadmind
Reference: SUN:00191
Reference: URL:http://sunsolve.sun.com/pub-cgi/retrieve.pl?doctype=coll&doc=secbull/191
Reference: XF:sol-sadmind-amslverify-bo

Name: CVE-1999-0978

Description:

htdig allows remote attackers to execute commands via filenames with shell metacharacters.

Status:Entry
Reference: BID:867
Reference: URL:http://www.securityfocus.com/bid/867
Reference: DEBIAN:19991209

Name: CVE-1999-0979

Description:

The SCO UnixWare privileged process system allows local users to gain root privileges by using a debugger such as gdb to insert traps into _init before the privileged process is executed.

Status:Entry
Reference: BID:869
Reference: URL:http://www.securityfocus.com/bid/869
Reference: BUGTRAQ:19991209 Fundamental flaw in UnixWare 7 security
Reference: BUGTRAQ:19991215 Recent postings about SCO UnixWare 7
Reference: URL:http://marc.info/?l=bugtraq&m=94530783815434&w=2

Name: CVE-1999-0980

Description:

Windows NT Service Control Manager (SCM) allows remote attackers to cause a denial of service via a malformed argument in a resource enumeration request.

Status:Entry
Reference: MS:MS99-055
Reference: URL:https://docs.microsoft.com/en-us/security-updates/securitybulletins/1999/ms99-055
Reference: MSKB:Q246045
Reference: URL:http://support.microsoft.com/default.aspx?scid=kb;[LN];Q246045

Name: CVE-1999-0981

Description:

Internet Explorer 5.01 and earlier allows a remote attacker to create a reference to a client window and use a server-side redirect to access local files via that window, aka "Server-side Page Reference Redirect."

Status:Entry
Reference: MS:MS99-050
Reference: URL:https://docs.microsoft.com/en-us/security-updates/securitybulletins/1999/ms99-050
Reference: MSKB:Q246094
Reference: URL:http://support.microsoft.com/default.aspx?scid=kb;[LN];Q246094

Name: CVE-1999-0982

Description:

The Sun Web-Based Enterprise Management (WBEM) installation script stores a password in plaintext in a world readable file.

Status:Entry
Reference: BUGTRAQ:19991206 Solaris WBEM 1.0: plaintext password stored in world readable file

Name: CVE-1999-0983

Description:

Whois Internic Lookup program whois.cgi allows remote attackers to execute commands via shell metacharacters in the domain entry.

Status:Candidate
Phase: Proposed (19991214)
Reference: BUGTRAQ:19991109 Whois.cgi - ADVISORY.

Votes:
ACCEPT(3)  Blake, Cole, Stracener
MODIFY(1)  Frech
NOOP(1)  Baker
REVIEWING(1)  Christey
Voter Comments:
Christey>  More examination is required to determine if CVE-1999-0983,
CVE-1999-0984, or CVE-1999-0985 are the same codebase.
Frech>  XF:whois-internic-shell-meta
Christey>  ADDREF BID:2000
Christey>  The XF appears to be gone.  Perhaps it's this one:
XF:http-cgi-whois-meta(3798)

Name: CVE-1999-0984

Description:

Matt's Whois program whois.cgi allows remote attackers to execute commands via shell metacharacters in the domain entry.

Status:Candidate
Phase: Proposed (19991214)
Reference: BUGTRAQ:19991109 Whois.cgi - ADVISORY.

Votes:
ACCEPT(2)  Blake, Stracener
MODIFY(1)  Frech
NOOP(2)  Baker, Cole
REVIEWING(1)  Christey
Voter Comments:
Cole>  How is this different than the previous?
Christey>  More examination is required to determine if CVE-1999-0983,
CVE-1999-0984, or CVE-1999-0985 are the same codebase.
Frech>  XF:matts-whois-meta
Christey>  ADDREF BID:2000
Christey>  XF reference is gone.  Replace with http-cgi-matts-whois-meta(3799) ?

Name: CVE-1999-0985

Description:

CC Whois program whois.cgi allows remote attackers to execute commands via shell metacharacters in the domain entry.

Status:Candidate
Phase: Proposed (19991214)
Reference: BUGTRAQ:19991109 Whois.cgi - ADVISORY.

Votes:
ACCEPT(2)  Blake, Stracener
MODIFY(1)  Frech
NOOP(2)  Baker, Cole
REVIEWING(1)  Christey
Voter Comments:
Cole>  I would combine all of these.
Christey>  More examination is required to determine if CVE-1999-0983,
CVE-1999-0984, or CVE-1999-0985 are the same codebase.
Frech>  XF:cc-whois-meta
Christey>  ADDREF BID:2000
Frech>  Change cc-whois-meta(3800) to http-cgi-ccwhois(3747)
Christey>  Replace XF reference with XF:cc-whois-meta(3800) ?

Name: CVE-1999-0986

Description:

The ping command in Linux 2.0.3x allows local users to cause a denial of service by sending large packets with the -R (record route) option.

Status:Entry
Reference: BID:870
Reference: URL:http://www.securityfocus.com/bid/870
Reference: BUGTRAQ:19991209 Big problem on 2.0.x?

Name: CVE-1999-0987

Description:

Windows NT does not properly download a system policy if the domain user logs into the domain with a space at the end of the domain name.

Status:Entry
Reference: MSKB:Q237923
Reference: URL:http://support.microsoft.com/default.aspx?scid=kb;[LN];Q237923
Reference: NTBUGTRAQ:19991118 NT System Policy for Win95 Not downloaded when adding a space after domain name

Name: CVE-1999-0988

Description:

UnixWare pkgtrans allows local users to read arbitrary files via a symlink attack.

Status:Candidate
Phase: Modified (20000121)
Reference: BUGTRAQ:19991204 UnixWare pkg* command exploits
Reference: BUGTRAQ:19991215 Recent postings about SCO UnixWare 7
Reference: BUGTRAQ:19991220 SCO OpenServer Security Status
Reference: BUGTRAQ:19991223 FYI, SCO Security patches available.

Votes:
ACCEPT(3)  Baker, Blake, Cole
MODIFY(1)  Frech
RECAST(1)  Stracener
REVIEWING(1)  Christey
Voter Comments:
Stracener>  The pkg* programs pkgtrans, pkginfo, pkgcat, pkginstall, and pkgparam
can be used to mount etc/shadow printing attacks as a result of the
"dacread" permission (cf. /etc/security/tcb/privs). The procedural
differences between the individual exploits for each of these utilities
are therefore inconsequential. CVE-1999-0988 should be merged with
CVE-1999-0828. From the standpoint of maintaining consistency of the
level of abstraction used in CVE, the co-existence of CANS
1999-0988/1999-0828 presents two choices: either merge 0988 with 0828, or
split 0828 into 4 distinct candidates, keeping 0988 intact. Due to the
very small differences (in principle) between the exploits subsumed by
0828 and 0988 and the shared dacread permissions of the pkg* suite, I
suggest a merge. Below is a summary of the data upon which my decision
was based.
utility        exploit
----------     ----------------------------------
pkgtrans   --> symlink + dacread permission prob
pkginfo    --> truss (debugging utility) in conjunction with pkginfo -d etc/shadow. In this case, it captures the interaction between pkginfo and the shadow file. Once again: dacread.
pkgcat     --> buffer overflow + dacread permission prob
pkginstall --> buffer overflow + dacread permission prob
pkgparam   --> -f etc/shadow (works because of dacread).
Christey>  This is a tough one.  While there are few procedural
differences, one could view "assignment of an improper
permission" as a "class" of problems along the lines of
buffer overflows and the like.  Just like some programs
were fine until they got turned into CGI scripts, this
could be an emerging pattern which should be given
consideration.  Consider the Eyedog and scriptlet.typelib
ActiveX utilities being marked as safe for scripting
(CVE-1999-0668 and 0669).

ftp://ftp.sco.com/SSE/security_bulletins/SB-99.28a loosely
alludes to this problem; the README for patch SSE053
effectively confirms it.
Frech>  XF:unixware-pkgtrans-symlink

Name: CVE-1999-0989

Description:

Buffer overflow in Internet Explorer 5 directshow filter (MSDXM.OCX) allows remote attackers to execute commands via the vnd.ms.radio protocol.

Status:Entry
Reference: BID:861
Reference: URL:http://www.securityfocus.com/bid/861
Reference: BUGTRAQ:19991205 new IE5 remote exploit
Reference: NTBUGTRAQ:19991205 new IE5 remote exploit

Name: CVE-1999-0990

Description:

Error messages generated by gdm with the VerboseAuth setting allow an attacker to identify valid users on a system.

Status:Candidate
Phase: Interim (19991229)
Reference: BUGTRAQ:19991205 gdm thing

Votes:
ACCEPT(3)  Blake, Cole, Stracener
MODIFY(1)  Frech
NOOP(1)  Baker
Voter Comments:
Frech>  XF:verbose-auth-identify-user(3804)

Name: CVE-1999-0991

Description:

Buffer overflow in GoodTech Telnet Server NT allows remote users to cause a denial of service via a long login name.

Status:Entry
Reference: BID:862
Reference: URL:http://www.securityfocus.com/bid/862
Reference: BUGTRAQ:19991206 Remote DoS Attack in GoodTech Telnet Server NT v2.2.1 Vulnerability
Reference: NTBUGTRAQ:19991206 Remote DoS Attack in GoodTech Telnet Server NT v2.2.1 Vulnerability

Name: CVE-1999-0992

Description:

HP VirtualVault with the PHSS_17692 patch allows unprivileged processes to bypass access restrictions via the Trusted Gateway Proxy (TGP).

Status:Entry
Reference: HP:HPSBUX9912-107
Reference: URL:http://www1.itrc.hp.com/service/cki/docDisplay.do?docId=HPSBUX9912-107

Name: CVE-1999-0993

Description:

Modifications to ACLs (Access Control Lists) in Microsoft Exchange 5.5 do not take effect until the directory store cache is refreshed.

Status:Candidate
Phase: Proposed (19991222)
Reference: NTBUGTRAQ:19991213 Changing ACL's in Exchange Server

Votes:
ACCEPT(2)  Stracener, Wall
MODIFY(1)  Frech
NOOP(2)  Baker, Cole
REJECT(1)  LeBlanc
Voter Comments:
Frech>  XF:exchange-acl-changes(3916)
LeBlanc>  Not a vulnerability

Name: CVE-1999-0994

Description:

Windows NT with SYSKEY reuses the keystream that is used for encrypting SAM password hashes, allowing an attacker to crack passwords.

Status:Entry
Reference: BID:873
Reference: URL:http://www.securityfocus.com/bid/873
Reference: BINDVIEW:19991216 Windows NT's SYSKEY feature
Reference: MS:MS99-056
Reference: URL:https://docs.microsoft.com/en-us/security-updates/securitybulletins/1999/ms99-056
Reference: MSKB:Q248183
Reference: URL:http://support.microsoft.com/default.aspx?scid=kb;[LN];Q248183

Name: CVE-1999-0995

Description:

Windows NT Local Security Authority (LSA) allows remote attackers to cause a denial of service via malformed arguments to the LsaLookupSids function which looks up the SID, aka "Malformed Security Identifier Request."

Status:Entry
Reference: BID:875
Reference: URL:http://www.securityfocus.com/bid/875
Reference: MS:MS99-057
Reference: URL:https://docs.microsoft.com/en-us/security-updates/securitybulletins/1999/ms99-057
Reference: MSKB:Q248185
Reference: URL:http://support.microsoft.com/default.aspx?scid=kb;[LN];Q248185
Reference: NAI:19991216 Windows NT LSA Remote Denial of Service

Name: CVE-1999-0996

Description:

Buffer overflow in Infoseek Ultraseek search engine allows remote attackers to execute commands via a long GET request.

Status:Entry
Reference: BUGTRAQ:19991216 Infoseek Ultraseek Remote Buffer Overflow
Reference: EEYE:AD19991215
Reference: URL:http://www.eeye.com/html/Research/Advisories/AD19991215.html
Reference: NTBUGTRAQ:19991216 Infoseek Ultraseek Remote Buffer Overflow
Reference: OSVDB:6490
Reference: URL:http://www.osvdb.org/6490
Reference: XF:infoseek-ultraseek-bo

Name: CVE-1999-0997

Description:

wu-ftp with FTP conversion enabled allows an attacker to execute commands via a malformed file name that is interpreted as an argument to the program that does the conversion, e.g. tar or uncompress.

Status:Entry
Reference: BUGTRAQ:19991220 Security vulnerability in certain wu-ftpd (and derivitives) configurations (fwd)
Reference: DEBIAN:DSA-377
Reference: URL:http://www.debian.org/security/2003/dsa-377
Reference: XF:wuftp-ftp-conversion

Name: CVE-1999-0998

Description:

Cisco Cache Engine allows an attacker to replace content in the cache.

Status:Entry
Reference: BUGTRAQ:19991216 Cisco Security Advisory: Cisco Cache Engine Authentication Vulnerabilities
Reference: CISCO:19991216 Cisco Cache Engine Authentication Vulnerabilities
Reference: XF:cisco-cache-engine-replace

Name: CVE-1999-0999

Description:

Microsoft SQL 7.0 server allows a remote attacker to cause a denial of service via a malformed TDS packet.

Status:Entry
Reference: BID:817
Reference: URL:http://www.securityfocus.com/bid/817
Reference: MS:MS99-059
Reference: URL:https://docs.microsoft.com/en-us/security-updates/securitybulletins/1999/ms99-059
Reference: MSKB:Q248749
Reference: URL:http://support.microsoft.com/default.aspx?scid=kb;[LN];Q248749

Name: CVE-1999-1000

Description:

The web administration interface for Cisco Cache Engine allows remote attackers to view performance statistics.

Status:Entry
Reference: BUGTRAQ:19991216 Cisco Security Advisory: Cisco Cache Engine Authentication Vulnerabilities
Reference: CISCO:19991216 Cisco Cache Engine Authentication Vulnerabilities
Reference: XF:cisco-cache-engine-performance

Name: CVE-1999-1001

Description:

Cisco Cache Engine allows a remote attacker to gain access via a null username and password.

Status:Entry
Reference: BUGTRAQ:19991216 Cisco Security Advisory: Cisco Cache Engine Authentication Vulnerabilities
Reference: CISCO:19991216 Cisco Cache Engine Authentication Vulnerabilities

Name: CVE-1999-1002

Description:

Netscape Navigator uses weak encryption for storing a user's Netscape mail password.

Status:Candidate
Phase: Modified (20030619)
Reference: BUGTRAQ:19991216 Reinventing the wheel (aka "Decoding Netscape Mail passwords")
Reference: URL:http://marc.info/?l=bugtraq&m=94536309217214&w=2
Reference: BUGTRAQ:19991220 Netscape password scrambling
Reference: URL:http://marc.info/?l=bugtraq&m=94570673523998&w=2
Reference: MISC:http://www.rstcorp.com/news/bad-crypto.html

Votes:
ACCEPT(4)  Baker, Cole, Stracener, Wall
MODIFY(1)  Frech
NOOP(1)  Christey
Voter Comments:
Frech>  XF:netscape-mail-encryption(3921)
Christey>  CHANGEREF make the RCA URL a "MISC" reference

Name: CVE-1999-1003

Description:

War FTP Daemon 1.70 allows remote attackers to cause a denial of service by flooding it with connections.

Status:Candidate
Phase: Proposed (19991222)
Reference: BUGTRAQ:19991214 Local / Remote D.o.S Attack in War FTP Daemon 1.70 Vulnerability
Reference: BUGTRAQ:19991216 Statement: Local / Remote D.o.S Attack in War FTP Daemon 1.70

Votes:
ACCEPT(3)  Baker, Cole, Stracener
MODIFY(1)  Frech
NOOP(1)  Wall
Voter Comments:
Frech>  XF:warftp-connection-flood

Name: CVE-1999-1004

Description:

Buffer overflow in the POP server POProxy for the Norton Anti-Virus protection NAV2000 program via a large USER command.

Status:Entry
Reference: BUGTRAQ:19991217 NAV2000 Email Protection DoS
Reference: URL:http://www.securityfocus.com/archive/1/38970
Reference: BUGTRAQ:19991220 Norton Email Protection Remote Overflow (Addendum)
Reference: URL:http://www.securityfocus.com/archive/1/39194
Reference: CONFIRM:http://service1.symantec.com/SUPPORT/nav.nsf/df0a595864594c86852567ac0063608c/6206f660a1f2516a882568660082c930?OpenDocument&Highlight=0,poproxy
Reference: OSVDB:6267
Reference: URL:http://www.osvdb.org/6267

Name: CVE-1999-1005

Description:

Groupwise web server GWWEB.EXE allows remote attackers to read arbitrary files with .htm extensions via a .. (dot dot) attack using the HELP parameter.

Status:Entry
Reference: BID:879
Reference: URL:http://www.securityfocus.com/bid/879
Reference: BUGTRAQ:19991219 Groupewise Web Interface
Reference: URL:http://marc.info/?l=bugtraq&m=94571433731824&w=2
Reference: OSVDB:3413
Reference: URL:http://www.osvdb.org/3413
Reference: XF:groupwise-web-read-files

Name: CVE-1999-1006

Description:

Groupwise web server GWWEB.EXE allows remote attackers to determine the real path of the web server via the HELP parameter.

Status:Candidate
Phase: Proposed (19991222)
Reference: BUGTRAQ:19991219 Groupewise Web Interface
Reference: URL:http://marc.info/?l=bugtraq&m=94571433731824&w=2

Votes:
ACCEPT(4)  Baker, Cole, Prosser, Stracener
MODIFY(1)  Frech
NOOP(2)  Christey, Wall
Voter Comments:
Frech>  XF:groupwise-web-path
Prosser>  Pretty well confirmed by testing with responses to BugTraq list.

additional ref:  BugTraq ID 879  http://www.securityfocus.com/bid/879
Christey>  A later discovery almost 2 years later is at:
BUGTRAQ:20020227 SecurityOffice Security Advisory:// Novell
GroupWise Web Access Path Disclosure Vulnerability
http://marc.theaimsgroup.com/?l=bugtraq&m=101494830315071&w=2
CD:SF-LOC might suggest merging these together.

Name: CVE-1999-1007

Description:

Buffer overflow in VDO Live Player allows remote attackers to execute commands on the VDO client via a malformed .vdo file.

Status:Entry
Reference: BID:872
Reference: URL:http://www.securityfocus.com/bid/872
Reference: BUGTRAQ:19991213 VDO Live Player 3.02 Buffer Overflow
Reference: URL:http://marc.info/?l=bugtraq&m=94512259331599&w=2
Reference: XF:vdolive-bo-execute

Name: CVE-1999-1008

Description:

xsoldier program allows local users to gain root access via a long argument.

Status:Entry
Reference: BID:871
Reference: URL:http://www.securityfocus.com/bid/871
Reference: BUGTRAQ:19991215 FreeBSD 3.3 xsoldier root exploit
Reference: MISC:http://marc.info/?l=freebsd-security&m=94531826621620&w=2
Reference: XF:unix-xsoldier-overflow

Name: CVE-1999-1009

Description:

The Disney Go Express Search allows remote attackers to access and modify search information for users by connecting to an HTTP server on the user's system.

Status:Candidate
Phase: Proposed (19991222)
Reference: BUGTRAQ:19991213 Privacy hole in Go Express Search

Votes:
ACCEPT(1)  Baker
MODIFY(1)  Frech
NOOP(4)  Balinsky, Cole, Stracener, Wall
Voter Comments:
Frech>  XF:disney-search-info(3955)
Balinsky>  The go.express.com web site does not mention the existence of the Express web server mentioned in the advisory. There appears to be no way of verifying this.

Name: CVE-1999-1010

Description:

An SSH 1.2.27 server allows a client to use the "none" cipher, even if it is not allowed by the server policy.

Status:Entry
Reference: BUGTRAQ:19991214 sshd1 allows unencrypted sessions regardless of server policy
Reference: URL:http://marc.info/?l=bugtraq&m=94519142415338&w=2
Reference: XF:ssh-policy-bypass

Name: CVE-1999-1011

Description:

The Remote Data Service (RDS) DataFactory component of Microsoft Data Access Components (MDAC) in IIS 3.x and 4.x exposes unsafe methods, which allows remote attackers to execute arbitrary commands.

Status:Entry
Reference: BID:529
Reference: URL:https://www.securityfocus.com/bid/529
Reference: CIAC:J-054
Reference: URL:http://www.ciac.org/ciac/bulletins/j-054.shtml
Reference: ISS:19990809 Vulnerabilities in Microsoft Remote Data Service
Reference: MS:MS98-004
Reference: URL:https://docs.microsoft.com/en-us/security-updates/securitybulletins/1998/ms98-004
Reference: MS:MS99-025
Reference: URL:https://docs.microsoft.com/en-us/security-updates/securitybulletins/1999/ms99-025
Reference: OSVDB:272
Reference: URL:http://www.osvdb.org/272
Reference: XF:nt-iis-rds

Name: CVE-1999-1012

Description:

SMTP component of Lotus Domino 4.6.1 on AS/400, and possibly other operating systems, allows a remote attacker to crash the mail server via a long string.

Status:Candidate
Phase: Proposed (20010912)
Reference: BID:173
Reference: URL:http://www.securityfocus.com/bid/173
Reference: BUGTRAQ:19990504 AS/400
Reference: URL:http://www.securityfocus.com/archive/1/13527

Votes:
ACCEPT(1)  Cole
MODIFY(1)  Frech
NOOP(2)  Foat, Wall
Voter Comments:
Frech>  (Task 1770)
CHANGE>  [Frech changed vote from REVIEWING to MODIFY]
Frech>  XF:lotus-domino-smtp-dos(8790)

Name: CVE-1999-1013

Description:

named-xfer in AIX 4.1.5 and 4.2.1 allows members of the system group to overwrite system files to gain root access via the -f parameter and a malformed zone file.

Status:Candidate
Phase: Proposed (20010912)
Reference: BID:673
Reference: URL:http://www.securityfocus.com/bid/673
Reference: BUGTRAQ:19990923 named-xfer hole on AIX (fwd)
Reference: URL:http://marc.info/?l=bugtraq&m=93837026726954&w=2

Votes:
MODIFY(1)  Frech
NOOP(3)  Cole, Foat, Wall
Voter Comments:
Frech>  XF:aix-named-xfer-root-access(3308)

Name: CVE-1999-1014

Description:

Buffer overflow in mail command in Solaris 2.7 and 2.7 allows local users to gain privileges via a long -m argument.

Status:Entry
Reference: BID:672
Reference: URL:http://www.securityfocus.com/bid/672
Reference: BUGTRAQ:19990913 Solaris 2.7 /usr/bin/mail
Reference: URL:http://marc.info/?l=bugtraq&m=93727925026476&w=2
Reference: BUGTRAQ:19990927 Working Solaris x86 /usr/bin/mail exploit
Reference: URL:http://marc.info/?l=bugtraq&m=93846422810162&w=2
Reference: SUNBUG:4276509
Reference: XF:sun-usrbinmail-local-bo(3297)
Reference: URL:https://exchange.xforce.ibmcloud.com/vulnerabilities/3297

Name: CVE-1999-1015

Description:

Buffer overflow in Apple AppleShare Mail Server 5.0.3 on MacOS 8.1 and earlier allows a remote attacker to cause a denial of service (crash) via a long HELO command.

Status:Candidate
Phase: Proposed (20010912)
Reference: BID:61
Reference: URL:http://www.securityfocus.com/bid/61
Reference: BUGTRAQ:19980408 AppleShare IP Mail Server
Reference: URL:http://marc.info/?l=bugtraq&m=89200657216213&w=2

Votes:
MODIFY(1)  Frech
NOOP(3)  Cole, Foat, Wall
Voter Comments:
Frech>  XF:smtp-helo-bo(886)

Name: CVE-1999-1016

Description:

Microsoft HTML control as used in (1) Internet Explorer 5.0, (2) FrontPage Express, (3) Outlook Express 5, and (4) Eudora, and possibly others, allows remote malicious web sites or HTML emails to cause a denial of service (100% CPU consumption) via large HTML form fields such as text inputs in a table cell.

Status:Candidate
Phase: Modified (20040811)
Reference: BID:606
Reference: URL:http://www.securityfocus.com/bid/606
Reference: NTBUGTRAQ:19990827 HTML code to crash IE5 and Outlook Express 5
Reference: URL:http://marc.info/?l=ntbugtraq&m=93578772920970&w=2

Votes:
ACCEPT(2)  Cole, Wall
MODIFY(1)  Frech
NOOP(2)  Christey, Foat
Voter Comments:
Frech>  XF:ms-html-table-form-dos(3246)
Christey>  Add period to the end of the description.

Name: CVE-1999-1017

Description:

Seattle Labs Emurl 2.0, and possibly earlier versions, stores e-mail attachments in a specific directory with scripting enabled, which allows a malicious ASP file attachment to execute when the recipient opens the message.

Status:Candidate
Phase: Proposed (20010912)
Reference: BID:544
Reference: URL:http://www.securityfocus.com/bid/544
Reference: NTBUGTRAQ:19990728 Seattle Labs EMURL Vulnerability
Reference: URL:http://marc.info/?l=ntbugtraq&m=93316253431588&w=2

Votes:
MODIFY(1)  Frech
NOOP(3)  Cole, Foat, Wall
Voter Comments:
Frech>  (Task 2281)
CHANGE>  [Frech changed vote from REVIEWING to MODIFY]
Frech>  XF:emurl-attachment-execution(8794)

Name: CVE-1999-1018

Description:

IPChains in Linux kernels 2.2.10 and earlier does not reassemble IP fragments before checking the header information, which allows a remote attacker to bypass the filtering rules using several fragments with 0 offsets.

Status:Candidate
Phase: Proposed (20010912)
Reference: BID:543
Reference: URL:http://www.securityfocus.com/bid/543
Reference: BUGTRAQ:19990727 Linux 2.2.10 ipchains Advisory
Reference: URL:http://marc.info/?l=bugtraq&m=93312523904591&w=2

Votes:
ACCEPT(1)  Cole
MODIFY(1)  Frech
NOOP(2)  Foat, Wall
Voter Comments:
Frech>  XF:linux-ipchains-bypass-filter(6516)

Name: CVE-1999-1019

Description:

SpectroSERVER in Cabletron Spectrum Enterprise Manager 5.0 installs a directory tree with insecure permissions, which allows local users to replace a privileged executable (processd) with a Trojan horse, facilitating a root or Administrator compromise.

Status:Entry
Reference: BID:495
Reference: URL:http://www.securityfocus.com/bid/495
Reference: BUGTRAQ:19990623 Cabletron Spectrum security vulnerability
Reference: URL:http://marc.info/?l=bugtraq&m=93024398713491&w=2
Reference: BUGTRAQ:19990624 Re: Cabletron Spectrum security vulnerability
Reference: URL:http://marc.info/?l=bugtraq&m=93024398513475&w=2

Name: CVE-1999-1020

Description:

The installation of Novell Netware NDS 5.99 provides an unauthenticated client with Read access for the tree, which allows remote attackers to access sensitive information such as users, groups, and readable objects via CX.EXE and NLIST.EXE.

Status:Candidate
Phase: Proposed (20010912)
Reference: BID:484
Reference: URL:http://www.securityfocus.com/bid/484
Reference: BUGTRAQ:19980918 NMRC Advisory - Default NDS Rights
Reference: URL:http://marc.info/?l=bugtraq&m=90613355902262&w=2
Reference: XF:novell-nds(1364)
Reference: URL:https://exchange.xforce.ibmcloud.com/vulnerabilities/1364

Votes:
ACCEPT(2)  Cole, Frech
NOOP(2)  Foat, Wall
Voter Comments:


Name: CVE-1999-1021

Description:

NFS on SunOS 4.1 through 4.1.2 ignores the high order 16 bits in a 32 bit UID, which allows a local user to gain root access if the lower 16 bits are set to 0, as fixed by the NFS jumbo patch upgrade.

Status:Entry
Reference: BID:47
Reference: URL:http://www.securityfocus.com/bid/47
Reference: CERT:CA-1992-15
Reference: URL:http://www.cert.org/advisories/CA-1992-15.html
Reference: SUN:00117
Reference: URL:http://sunsolve.sun.com/pub-cgi/retrieve.pl?doctype=coll&doc=secbull/117&type=0&nav=sec.sba
Reference: XF:nfs-uid(82)
Reference: URL:https://exchange.xforce.ibmcloud.com/vulnerabilities/82

Name: CVE-1999-1022

Description:

serial_ports administrative program in IRIX 4.x and 5.x trusts the user's PATH environment variable to find and execute the ls program, which allows local users to gain root privileges via a Trojan horse ls program.

Status:Candidate
Phase: Proposed (20010912)
Reference: BID:464
Reference: URL:http://www.securityfocus.com/bid/464
Reference: BUGTRAQ:19941002
Reference: URL:http://www.securityfocus.com/archive/1/930
Reference: XF:sgi-serialports(2111)
Reference: URL:https://exchange.xforce.ibmcloud.com/vulnerabilities/2111

Votes:
ACCEPT(2)  Cole, Frech
NOOP(2)  Christey, Foat
Voter Comments:
Christey>  Note: CVE-1999-1310 is a duplicate of this candidate.
CVE-1999-1310 will be REJECTed; this is the proper CAN to use.

CIAC:F-01
URL:http://ciac.llnl.gov/ciac/bulletins/f-01.shtml
SGI:19941001-01-P
URL:ftp://patches.sgi.com/support/free/security/advisories/19941001-01-P
MISC:http://www.netsys.com/firewalls/firewalls-9410/0019.html

Name: CVE-1999-1023

Description:

useradd in Solaris 7.0 does not properly interpret certain date formats as specified in the "-e" (expiration date) argument, which could allow users to log in after their accounts have expired.

Status:Candidate
Phase: Proposed (20010912)
Reference: BID:426
Reference: URL:http://www.securityfocus.com/bid/426
Reference: BUGTRAQ:19990610 Sun Useradd program expiration date bug
Reference: URL:http://marc.info/?l=bugtraq&m=92904175406756&w=2

Votes:
ACCEPT(1)  Dik
MODIFY(1)  Frech
NOOP(3)  Cole, Foat, Wall
Voter Comments:
Dik>  sun bug: 4222400
Frech>  XF:solaris-useradd-expired-accounts(8375)
CONFIRM:(2.6)110883-01, (2.6_x86) 110884-01, (7)110869-01,
(7_x86) 110870-01

Name: CVE-1999-1024

Description:

ip_print procedure in Tcpdump 3.4a allows remote attackers to cause a denial of service via a packet with a zero length header, which causes an infinite loop and core dump when tcpdump prints the packet.

Status:Candidate
Phase: Proposed (20010912)
Reference: BID:313
Reference: URL:http://www.securityfocus.com/bid/313
Reference: BUGTRAQ:19990616 tcpdump 3.4 bug?
Reference: URL:http://marc.info/?l=bugtraq&m=92955903802773&w=2
Reference: BUGTRAQ:19990617 Re: tcpdump 3.4 bug?
Reference: URL:http://marc.info/?l=bugtraq&m=92963447601748&w=2
Reference: BUGTRAQ:19990620 Re: tcpdump 3.4 bug? (final)
Reference: URL:http://marc.info/?l=bugtraq&m=92989907627051&w=2

Votes:
ACCEPT(1)  Cole
MODIFY(1)  Frech
NOOP(2)  Foat, Wall
Voter Comments:
Frech>  XF:tcpdump-ipprint-dos(8373)

Name: CVE-1999-1025

Description:

CDE screen lock program (screenlock) on Solaris 2.6 does not properly lock an unprivileged user's console session when the host is an NIS+ client, which allows others with physical access to log in with any string.

Status:Candidate
Phase: Proposed (20010912)
Reference: BID:294
Reference: URL:http://www.securityfocus.com/bid/294
Reference: BUGTRAQ:19981012 Annoying Solaris/CDE/NIS+ bug
Reference: URL:http://marc.info/?l=bugtraq&m=90831127921062&w=2
Reference: SUNBUG:4115685
Reference: URL:http://sunsolve.Sun.COM/pub-cgi/retrieve.pl?doc=fpatches%2F106027&zone_32=411568%2A%20

Votes:
ACCEPT(4)  Cole, Dik, Foat, Stracener
MODIFY(1)  Frech
Voter Comments:
Frech>  XF:solaris-cde-nisplus-lock(7473)
Dik>  sun bug: 4115685

Name: CVE-1999-1026

Description:

aspppd on Solaris 2.5 x86 allows local users to modify arbitrary files and gain root privileges via a symlink attack on the /tmp/.asppp.fifo file.

Status:Candidate
Phase: Proposed (20010912)
Reference: BID:292
Reference: URL:http://www.securityfocus.com/bid/292
Reference: BUGTRAQ:19961220 Solaris 2.5 x86 aspppd (semi-exploitable-hole)
Reference: URL:http://marc.info/?l=bugtraq&m=87602167420343&w=2

Votes:
ACCEPT(1)  Cole
MODIFY(1)  Frech
NOOP(1)  Foat
Voter Comments:
Frech>  XF:sun-aspppd-tmp-symlink(7173)

Name: CVE-1999-1027

Description:

Solaris 2.6 HW3/98 installs admintool with world-writable permissions, which allows local users to gain privileges by replacing it with a Trojan horse program.

Status:Entry
Reference: BID:290
Reference: URL:http://www.securityfocus.com/bid/290
Reference: BUGTRAQ:19980507 admintool mode 0777 in Solaris 2.6 HW3/98
Reference: URL:http://marc.info/?l=bugtraq&m=90221101925880&w=2
Reference: SUNBUG:4178998
Reference: XF:solaris-admintool-world-writable(7296)
Reference: URL:https://exchange.xforce.ibmcloud.com/vulnerabilities/7296

Name: CVE-1999-1028

Description:

Symantec pcAnywhere 8.0 allows remote attackers to cause a denial of service (CPU utilization) via a large amount of data to port 5631.

Status:Entry
Reference: BID:288
Reference: URL:http://www.securityfocus.com/bid/288
Reference: NTBUGTRAQ:19990528 DoS against PC Anywhere
Reference: URL:http://marc.info/?l=ntbugtraq&m=92807524225090&w=2
Reference: XF:pcanywhere-dos(2256)
Reference: URL:http://www.iss.net/security_center/static/2256.php

Name: CVE-1999-1029

Description:

SSH server (sshd2) before 2.0.12 does not properly record login attempts if the connection is closed before the maximum number of tries, allowing a remote attacker to guess the password without showing up in the audit logs.

Status:Candidate
Phase: Proposed (20010912)
Reference: BID:277
Reference: URL:http://www.securityfocus.com/bid/277
Reference: BUGTRAQ:19990513 - J.J.F. / Hackers Team warns for SSHD 2.x brute force password hacking
Reference: URL:http://marc.info/?l=bugtraq&m=92663402004280&w=2
Reference: XF:ssh2-bruteforce(2193)
Reference: URL:https://exchange.xforce.ibmcloud.com/vulnerabilities/2193

Votes:
ACCEPT(2)  Cole, Frech
NOOP(2)  Foat, Wall
Voter Comments:


Name: CVE-1999-1030

Description:

counter.exe 2.70 allows a remote attacker to cause a denial of service (hang) via an HTTP request that ends in %0A (newline), which causes a malformed entry in the counter log that produces an access violation.

Status:Candidate
Phase: Proposed (20010912)
Reference: BID:267
Reference: URL:http://www.securityfocus.com/bid/267
Reference: BUGTRAQ:19990519 Denial of Service in Counter.exe version 2.70
Reference: URL:http://marc.info/?l=bugtraq&m=92713790426690&w=2
Reference: NTBUGTRAQ:19990519 Denial of Service in Counter.exe version 2.70
Reference: URL:http://marc.info/?l=ntbugtraq&m=92707671717292&w=2

Votes:
MODIFY(1)  Frech
NOOP(3)  Cole, Foat, Wall
Voter Comments:
Frech>  XF:http-cgi-counter-long(2196)

Name: CVE-1999-1031

Description:

counter.exe 2.70 allows a remote attacker to cause a denial of service (hang) via a long argument.

Status:Candidate
Phase: Proposed (20010912)
Reference: BID:267
Reference: URL:http://www.securityfocus.com/bid/267
Reference: BUGTRAQ:19990519 Denial of Service in Counter.exe version 2.70
Reference: URL:http://marc.info/?l=bugtraq&m=92713790426690&w=2
Reference: NTBUGTRAQ:19990519 Denial of Service in Counter.exe version 2.70
Reference: URL:http://marc.info/?l=ntbugtraq&m=92707671717292&w=2

Votes:
MODIFY(1)  Frech
NOOP(3)  Cole, Foat, Wall
Voter Comments:
Frech>  XF:http-cgi-counter-long(2196)

Name: CVE-1999-1032

Description:

Vulnerability in LAT/Telnet Gateway (lattelnet) on Ultrix 4.1 and 4.2 allows attackers to gain root privileges.

Status:Entry
Reference: BID:26
Reference: URL:http://www.securityfocus.com/bid/26
Reference: CERT:CA-1991-11
Reference: URL:http://www.cert.org/advisories/CA-1991-11.html
Reference: CIAC:B-36
Reference: URL:http://ciac.llnl.gov/ciac/bulletins/b-36.shtml
Reference: XF:ultrix-telnet(584)
Reference: URL:https://exchange.xforce.ibmcloud.com/vulnerabilities/584

Name: CVE-1999-1033

Description:

Microsoft Outlook Express before 4.72.3612.1700 allows a malicious user to send a message that contains a .., which can inadvertently cause Outlook to re-enter POP3 command mode and cause the POP3 session to hang.

Status:Candidate
Phase: Proposed (20010912)
Reference: BID:252
Reference: URL:http://www.securityfocus.com/bid/252
Reference: BUGTRAQ:19990511 Outlook Express Win98 bug
Reference: URL:http://marc.info/?l=bugtraq&m=92647407427342&w=2
Reference: BUGTRAQ:19990512 Outlook Express Win98 bug, addition.
Reference: URL:http://marc.info/?l=bugtraq&m=92663402004275&w=2

Votes:
ACCEPT(2)  Cole, Wall
MODIFY(1)  Frech
NOOP(1)  Foat
Voter Comments:
Frech>  (Task 2241)
CHANGE>  [Frech changed vote from REVIEWING to MODIFY]
Frech>  XF:outlook-pop3-dot-dos(8926)

Name: CVE-1999-1034

Description:

Vulnerability in login in AT&T System V Release 4 allows local users to gain privileges.

Status:Entry
Reference: BID:23
Reference: URL:http://www.securityfocus.com/bid/23
Reference: CERT:CA-1991-08
Reference: URL:http://www.cert.org/advisories/CA-1991-08.html
Reference: CIAC:B-28
Reference: URL:http://www.ciac.org/ciac/bulletins/b-28.shtml
Reference: XF:sysv-login(583)
Reference: URL:https://exchange.xforce.ibmcloud.com/vulnerabilities/583

Name: CVE-1999-1035

Description:

IIS 3.0 and 4.0 on x86 and Alpha allows remote attackers to cause a denial of service (hang) via a malformed GET request, aka the IIS "GET" vulnerability.

Status:Entry
Reference: MS:MS98-019
Reference: URL:https://docs.microsoft.com/en-us/security-updates/securitybulletins/1998/ms98-019
Reference: MSKB:Q192296
Reference: URL:http://support.microsoft.com/support/kb/articles/q192/2/96.asp
Reference: XF:iis-get-dos(1823)
Reference: URL:https://exchange.xforce.ibmcloud.com/vulnerabilities/1823

Name: CVE-1999-1036

Description:

COPS 1.04 allows local users to overwrite or create arbitrary files via a symlink attack on temporary files in (1) res_diff, (2) ca.src, and (3) mail.chk.

Status:Candidate
Phase: Proposed (20010912)
Reference: BUGTRAQ:19980626 vulnerability in satan, cops & tiger
Reference: URL:http://marc.info/?l=bugtraq&m=90221103125976&w=2

Votes:
ACCEPT(1)  Foat
MODIFY(1)  Frech
NOOP(2)  Cole, Wall
Voter Comments:
Frech>  XF:cops-temp-file-symlink(7325)

Name: CVE-1999-1037

Description:

rex.satan in SATAN 1.1.1 allows local users to overwrite arbitrary files via a symlink attack on the /tmp/rex.$$ file.

Status:Entry
Reference: BUGTRAQ:19980626 vulnerability in satan, cops & tiger
Reference: URL:http://marc.info/?l=bugtraq&m=90221103125976&w=2
Reference: BUGTRAQ:19980627 Re: vulnerability in satan, cops & tiger
Reference: URL:http://marc.info/?l=bugtraq&m=90221103125986&w=2
Reference: OSVDB:3147
Reference: URL:http://www.osvdb.org/3147
Reference: XF:satan-rexsatan-symlink(7167)
Reference: URL:http://www.iss.net/security_center/static/7167.php

Name: CVE-1999-1038

Description:

Tiger 2.2.3 allows local users to overwrite arbitrary files via a symlink attack on various temporary files in Tiger's default working directory, as defined by the WORKDIR variable.

Status:Candidate
Phase: Proposed (20010912)
Reference: BUGTRAQ:19980626 vulnerability in satan, cops & tiger
Reference: URL:http://marc.info/?l=bugtraq&m=90221103125976&w=2

Votes:
ACCEPT(1)  Foat
MODIFY(1)  Frech
NOOP(2)  Cole, Wall
Voter Comments:
Frech>  XF:tiger-workdir-symlink(7326)

Name: CVE-1999-1039

Description:

Vulnerability in (1) diskalign and (2) diskperf in IRIX 6.4 patches 2291 and 2848 allows a local user to create root-owned files leading to a root compromise.

Status:Candidate
Phase: Proposed (20010912)
Reference: SGI:19980502-01-P3030
Reference: URL:ftp://patches.sgi.com/support/free/security/advisories/19980502-01-P3030

Votes:
ACCEPT(3)  Cole, Foat, Stracener
REJECT(1)  Frech
Voter Comments:


Name: CVE-1999-1040

Description:

Vulnerabilities in (1) ipxchk and (2) ipxlink in NetWare Client 1.0 on IRIX 6.3 and 6.4 allow local users to gain root access via a modified IFS environmental variable.

Status:Candidate
Phase: Proposed (20010912)
Reference: BUGTRAQ:19980408 SGI O2 ipx security issue
Reference: URL:http://marc.info/?l=bugtraq&m=89217373930054&w=2
Reference: CIAC:I-055
Reference: URL:http://ciac.llnl.gov/ciac/bulletins/i-055.shtml
Reference: SGI:19980501-01-P
Reference: URL:ftp://patches.sgi.com/support/free/security/advisories/19980501-01-P2869

Votes:
ACCEPT(3)  Cole, Foat, Stracener
NOOP(1)  Christey
REJECT(1)  Frech
Voter Comments:
Christey>  This candidate and CVE-1999-1501 are duplicates.  However,
CVE-1999-1501 will be REJECTed in favor of this candidate.
Add the following references:
BID:70
URL:http://www.securityfocus.com/bid/70
BID:71
URL:http://www.securityfocus.com/bid/71
XF:irix-ipxchk-ipxlink-ifs-commands(7365)
URL:http://xforce.iss.net/static/7365.php

Name: CVE-1999-1041

Description:

Buffer overflow in mscreen on SCO OpenServer 5.0 and SCO UNIX 3.2v4 allows a local user to gain root access via (1) a long TERM environmental variable and (2) a long entry in the .mscreenrc file.

Status:Candidate
Phase: Proposed (20010912)
Reference: BUGTRAQ:19980827 SCO mscreen vul.
Reference: URL:http://www.securityfocus.com/archive/1/10420
Reference: BUGTRAQ:19980926 Root exploit for SCO OpenServer.
Reference: URL:http://marc.info/?l=bugtraq&m=90686250717719&w=2
Reference: CERT:VB-98.10
Reference: URL:http://www.cert.org/vendor_bulletins/VB-98.10.sco.mscreen
Reference: SCO:SB-98.05a
Reference: URL:ftp://ftp.sco.com/SSE/security_bulletins/SB-98.05a

Votes:
ACCEPT(3)  Cole, Foat, Stracener
MODIFY(1)  Frech
NOOP(1)  Wall
REVIEWING(1)  Christey
Voter Comments:
Frech>  XF:sco-openserver-mscreen-bo(1379)
Christey>  Possible dupe with CVE-1999-1185.

Name: CVE-1999-1042

Description:

Cisco Resource Manager (CRM) 1.0 and 1.1 creates world-readable log files and temporary files, which may expose sensitive information, such as user IDs, passwords and SNMP community strings, to local users.

Status:Candidate
Phase: Proposed (20010912)
Reference: CISCO:19980813 CRM Temporary File Vulnerability
Reference: URL:http://www.cisco.com/warp/public/770/crmtmp-pub.shtml

Votes:
ACCEPT(3)  Cole, Foat, Stracener
MODIFY(1)  Frech
NOOP(1)  Wall
REJECT(3)  Armstrong, Balinsky, Christey
Voter Comments:
Frech>  XF:cisco-crm-file-vuln(1575)
Armstrong>  I think that this is the same as Can-1999-1126
Balinsky>  This is the same as CVE-1999-1126. Merge them.
Christey>  DUPE CVE-1999-1126, as noted by others.
This candidate will be rejected.  CVE-1999-1126 will be
promoted.

Name: CVE-1999-1043

Description:

Microsoft Exchange Server 5.5 and 5.0 does not properly handle (1) malformed NNTP data, or (2) malformed SMTP data, which allows remote attackers to cause a denial of service (application error).

Status:Candidate
Phase: Proposed (20010912)
Reference: MS:MS98-007
Reference: URL:https://docs.microsoft.com/en-us/security-updates/securitybulletins/1998/ms98-007

Votes:
ACCEPT(3)  Cole, Foat, Wall
MODIFY(1)  Frech
Voter Comments:
Frech>  XF:exchange-dos(1223)

Name: CVE-1999-1044

Description:

Vulnerability in Advanced File System Utility (advfs) in Digital UNIX 4.0 through 4.0d allows local users to gain privileges.

Status:Entry
Reference: CIAC:I-050
Reference: URL:http://ciac.llnl.gov/ciac/bulletins/i-050.shtml
Reference: COMPAQ:SSRT0495U
Reference: URL:http://ciac.llnl.gov/ciac/bulletins/i-050.shtml
Reference: XF:dgux-advfs-softlinks(7431)
Reference: URL:http://www.iss.net/security_center/static/7431.php

Name: CVE-1999-1045

Description:

pnserver in RealServer 5.0 and earlier allows remote attackers to cause a denial of service by sending a short, malformed request.

Status:Entry
Reference: BUGTRAQ:19980115 [rootshell] Security Bulletin #7
Reference: URL:http://marc.info/?l=bugtraq&m=88490880523890&w=2
Reference: BUGTRAQ:19980115 pnserver exploit..
Reference: URL:http://marc.info/?l=bugtraq&m=88492978527261&w=2
Reference: BUGTRAQ:19980817 Re: Real Audio Server Version 5 bug?
Reference: URL:http://marc.info/?l=bugtraq&m=90338245305236&w=2
Reference: MISC:http://service.real.com/help/faq/serv501.html
Reference: OSVDB:6979
Reference: URL:http://www.osvdb.org/6979
Reference: XF:realserver-pnserver-remote-dos(7297)
Reference: URL:http://www.iss.net/security_center/static/7297.php

Name: CVE-1999-1046

Description:

Buffer overflow in IMonitor in IMail 5.0 allows remote attackers to cause a denial of service, and possibly execute arbitrary commands, via a long string to port 8181.

Status:Candidate
Phase: Proposed (20010912)
Reference: BID:504
Reference: URL:http://www.securityfocus.com/bid/504
Reference: BUGTRAQ:19990302 Multiple IMail Vulnerabilites
Reference: URL:http://marc.info/?l=bugtraq&m=92038879607336&w=2
Reference: XF:imail-imonitor-overflow(1897)
Reference: URL:https://exchange.xforce.ibmcloud.com/vulnerabilities/1897

Votes:
ACCEPT(2)  Cole, Frech
NOOP(2)  Foat, Wall
Voter Comments:


Name: CVE-1999-1047

Description:

When BSDI patches for Gauntlet 5.0 BSDI are installed in a particular order, Gauntlet allows remote attackers to bypass firewall access restrictions, and does not log the activities.

Status:Entry
Reference: BUGTRAQ:19991018 Gauntlet 5.0 BSDI warning
Reference: URL:http://marc.info/?l=bugtraq&m=94026690521279&w=2
Reference: BUGTRAQ:19991019 Re: Gauntlet 5.0 BSDI warning
Reference: URL:http://marc.info/?l=bugtraq&m=94036662326185&w=2
Reference: XF:gauntlet-bsdi-bypass(3397)
Reference: URL:http://www.iss.net/security_center/static/3397.php

Name: CVE-1999-1048

Description:

Buffer overflow in bash 2.0.0, 1.4.17, and other versions allows local attackers to gain privileges by creating an extremely large directory name, which is inserted into the password prompt via the \w option in the PS1 environmental variable when another user changes into that directory.

Status:Entry
Reference: BUGTRAQ:19970821 Buffer overflow in /bin/bash
Reference: URL:http://marc.info/?l=bugtraq&m=87602746719555&w=2
Reference: BUGTRAQ:19980905 BASH buffer overflow, LiNUX x86 exploit
Reference: URL:http://www.securityfocus.com/archive/1/10542
Reference: DEBIAN:19980909 problem with very long pathnames
Reference: URL:http://www.debian.org/security/1998/19980909
Reference: OSVDB:8345
Reference: URL:http://www.osvdb.org/8345
Reference: XF:linux-bash-bo(3414)
Reference: URL:https://exchange.xforce.ibmcloud.com/vulnerabilities/3414

Name: CVE-1999-1049

Description:

ARCserve NT agents use weak encryption (XOR) for passwords, which allows remote attackers to sniff the authentication request to port 6050 and decrypt the password.

Status:Candidate
Phase: Proposed (20010912)
Reference: BUGTRAQ:19990222 Severe Security Hole in ARCserve NT agents (fwd)
Reference: URL:http://marc.info/?l=bugtraq&m=91972006211238&w=2

Votes:
MODIFY(1)  Frech
NOOP(3)  Cole, Foat, Wall
Voter Comments:
Frech>  XF:arcserve-agent-passwords(1822)

Name: CVE-1999-1050

Description:

Directory traversal vulnerability in Matt Wright FormHandler.cgi script allows remote attackers to read arbitrary files via (1) a .. (dot dot) in the reply_message_attach attachment parameter, or (2) by specifying the filename as a template.

Status:Candidate
Phase: Proposed (20010912)
Reference: BID:798
Reference: URL:http://www.securityfocus.com/bid/798
Reference: BID:799
Reference: URL:http://www.securityfocus.com/bid/799
Reference: BUGTRAQ:19991112 FormHandler.cgi
Reference: URL:http://www.securityfocus.com/archive/1/34600
Reference: BUGTRAQ:19991116 Re: FormHandler.cgi
Reference: URL:http://www.securityfocus.com/archive/1/34939
Reference: XF:formhandler-cgi-absolute-path(3550)
Reference: URL:https://exchange.xforce.ibmcloud.com/vulnerabilities/3550

Votes:
ACCEPT(1)  Frech
NOOP(3)  Cole, Foat, Wall
REVIEWING(1)  Christey
Voter Comments:
Christey>  Abstraction and definition issue: CD:SF-LOC suggests combining
issues of the same type.  Some people refer to "directory
traversal" and just mean .. problems; but there are other
issues (specifying an absolute pathname, using C: drive
letters, doing encodings) that, to my way of thinking, are
"different."  Perhaps this should be split.

My brain hurts too much right now.  There are a couple
problems with the references and descriptions of CVE-1999-1050
and CVE-1999-1051.  I'm interpreting the underlying nature
of the problem(s) a little differently than others are.
Some of it may be due to differing definitions or thoughts
about what "directory traversal vulnerabilities" are.

Name: CVE-1999-1051

Description:

Default configuration in Matt Wright FormHandler.cgi script allows arbitrary directories to be used for attachments, and only restricts access to the /etc/ directory, which allows remote attackers to read arbitrary files via the reply_message_attach attachment parameter.

Status:Candidate
Phase: Proposed (20010912)
Reference: BUGTRAQ:19991116 Re: FormHandler.cgi
Reference: URL:http://www.securityfocus.com/archive/1/34939

Votes:
MODIFY(1)  Frech
NOOP(3)  Cole, Foat, Wall
REVIEWING(1)  Christey
Voter Comments:
Frech>  XF:formhandler-cgi-reply-message(7782)
Christey>  I view one of these as a configuration issue: FormHandler.cgi
*could* be configured to limit hard-coded pathnames to a single
directory which, while being an information leak, would still be
"reasonably secure."  But by default, it's just not configured that
way.

My brain hurts too much right now.  There are a couple
problems with the references and descriptions of CVE-1999-1050
and CVE-1999-1051.  I'm interpreting the underlying nature
of the problem(s) a little differently than others are.
Some of it may be due to differing definitions or thoughts
about what "directory traversal vulnerabilities" are.

Name: CVE-1999-1052

Description:

Microsoft FrontPage stores form results in a default location in /_private/form_results.txt, which is world-readable and accessible in the document root, which allows remote attackers to read possibly sensitive information submitted by other users.

Status:Candidate
Phase: Proposed (20010912)
Reference: BUGTRAQ:19990824 Front Page form_results
Reference: URL:http://marc.info/?l=bugtraq&m=93582550911564&w=2

Votes:
ACCEPT(1)  Wall
MODIFY(1)  Frech
NOOP(2)  Cole, Foat
Voter Comments:
Frech>  XF:frontpage-formresults-world-readable(8362)

Name: CVE-1999-1053

Description:

guestbook.pl cleanses user-inserted SSI commands by removing text between "<!--" and "-->" separators, which allows remote attackers to execute arbitrary commands when guestbook.pl is run on Apache 1.3.9 and possibly other versions, since Apache allows other closing sequences besides "-->".

Status:Candidate
Phase: Proposed (20010912)
Reference: BID:776
Reference: URL:http://www.securityfocus.com/bid/776
Reference: BUGTRAQ:19991105 Guestbook.pl, sloppy SSI handling in Apache? (VD#2)
Reference: URL:http://www.securityfocus.com/archive/1/33674
Reference: VULN-DEV:19990913 Guestbook perl script (long)
Reference: URL:http://www.securityfocus.com/archive/82/27296
Reference: VULN-DEV:19990916 Re: Guestbook perl script (error fix)
Reference: URL:http://www.securityfocus.com/archive/82/27560

Votes:
MODIFY(1)  Frech
NOOP(3)  Cole, Foat, Wall
Voter Comments:
Frech>  XF:guestbook-cgi-command-execution(7783)

Name: CVE-1999-1054

Description:

The default configuration of FLEXlm license manager 6.0d, and possibly other versions, allows remote attackers to shut down the server via the lmdown command.

Status:Candidate
Phase: Proposed (20010912)
Reference: BUGTRAQ:19980925 Globetrotter FlexLM 'lmdown' bogosity
Reference: URL:http://marc.info/?l=bugtraq&m=90675672323825&w=2

Votes:
ACCEPT(1)  Cole
NOOP(2)  Foat, Wall
Voter Comments:


Name: CVE-1999-1055

Description:

Microsoft Excel 97 does not warn the user before executing worksheet functions, which could allow attackers to execute arbitrary commands by using the CALL function to execute a malicious DLL, aka the Excel "CALL Vulnerability."

Status:Entry
Reference: BID:179
Reference: URL:http://www.securityfocus.com/bid/179
Reference: MS:MS98-018
Reference: URL:https://docs.microsoft.com/en-us/security-updates/securitybulletins/1998/ms98-018
Reference: XF:excel-call(1737)
Reference: URL:https://exchange.xforce.ibmcloud.com/vulnerabilities/1737

Name: CVE-1999-1056

Description:

** REJECT ** DO NOT USE THIS CANDIDATE NUMBER. ConsultIDs: CVE-1999-1395. Reason: This candidate is a duplicate of CVE-1999-1395. Notes: All CVE users should reference CVE-1999-1395 instead of this candidate. All references and descriptions in this candidate have been removed to prevent accidental usage.

Status:Candidate
Phase: Modified (20050204)

Votes:
ACCEPT(3)  Cole, Foat, Stracener
MODIFY(1)  Frech
NOOP(1)  Wall
REJECT(1)  Christey
Voter Comments:
Frech>  XF:vms-monitor-gain-privileges(7136)
Christey>  DUPE CVE-1999-1395
This CAN is being rejected in favor of CVE-1999-1395 because
CVE-1999-1395 has more references.

Name: CVE-1999-1057

Description:

VMS 4.0 through 5.3 allows local users to gain privileges via the ANALYZE/PROCESS_DUMP dcl command.

Status:Entry
Reference: BID:12
Reference: URL:http://www.securityfocus.com/bid/12
Reference: CERT:CA-1990-07
Reference: URL:http://www.cert.org/advisories/CA-1990-07.html
Reference: CIAC:B-04
Reference: URL:http://ciac.llnl.gov/ciac/bulletins/b-04.shtml
Reference: XF:vms-analyze-processdump-privileges(7137)
Reference: URL:http://www.iss.net/security_center/static/7137.php

Name: CVE-1999-1058

Description:

Buffer overflow in Vermillion FTP Daemon VFTPD 1.23 allows remote attackers to cause a denial of service, and possibly execute arbitrary commands, via several long CWD commands.

Status:Candidate
Phase: Proposed (20010912)
Reference: BID:818
Reference: URL:http://www.securityfocus.com/bid/818
Reference: BUGTRAQ:19991122 Remote DoS Attack in Vermillion FTP Daemon (VFTPD) v1.23 Vulnerability
Reference: URL:http://marc.info/?l=bugtraq&m=94329968617085&w=2
Reference: NTBUGTRAQ:19991122 Remote DoS Attack in Vermillion FTP Daemon (VFTPD) v1.23 Vulnerability
Reference: URL:http://marc.info/?l=ntbugtraq&m=94337185023159&w=2
Reference: XF:vermillion-ftp-cwd-overflow(3543)
Reference: URL:https://exchange.xforce.ibmcloud.com/vulnerabilities/3543

Votes:
ACCEPT(2)  Cole, Frech
NOOP(2)  Foat, Wall
Voter Comments:


Name: CVE-1999-1059

Description:

Vulnerability in rexec daemon (rexecd) in AT&T TCP/IP 4.0 for various SVR4 systems allows remote attackers to execute arbitrary commands.

Status:Entry
Reference: BID:36
Reference: URL:http://www.securityfocus.com/bid/36
Reference: CERT:CA-1992-04
Reference: URL:http://www.cert.org/advisories/CA-1992-04.html
Reference: XF:att-rexecd(3159)
Reference: URL:http://www.iss.net/security_center/static/3159.php

Name: CVE-1999-1060

Description:

Buffer overflow in Tetrix TetriNet daemon 1.13.16 allows remote attackers to cause a denial of service and possibly execute arbitrary commands by connecting to port 31457 from a host with a long DNS hostname.

Status:Candidate
Phase: Proposed (20010912)
Reference: BID:340
Reference: URL:http://www.securityfocus.com/bid/340
Reference: BUGTRAQ:19990217 Tetrix 1.13.16 is Vulnerable
Reference: URL:http://marc.info/?l=bugtraq&m=91937090211855&w=2

Votes:
MODIFY(1)  Frech
NOOP(3)  Cole, Foat, Wall
Voter Comments:
Frech>  XF:tetrinet-dns-hostname-bo(7500)

Name: CVE-1999-1061

Description:

HP Laserjet printers with JetDirect cards, when configured with TCP/IP, can be configured without a password, which allows remote attackers to connect to the printer and change its IP address or disable logging.

Status:Candidate
Phase: Proposed (20010912)
Reference: BUGTRAQ:19971004 HP Laserjet 4M Plus DirectJet Problem
Reference: URL:http://marc.info/?l=bugtraq&m=87602248518480&w=2
Reference: XF:laserjet-unpassworded(1876)
Reference: URL:https://exchange.xforce.ibmcloud.com/vulnerabilities/1876

Votes:
ACCEPT(2)  Cole, Frech
NOOP(1)  Foat
Voter Comments:
Frech>  CONFIRM:http://www.hp.com/cposupport/printers/support_doc/bpl02914.html

Name: CVE-1999-1062

Description:

HP Laserjet printers with JetDirect cards, when configured with TCP/IP, allow remote attackers to bypass print filters by directly sending PostScript documents to TCP ports 9099 and 9100.

Status:Candidate
Phase: Proposed (20010912)
Reference: BUGTRAQ:19971004 HP Laserjet 4M Plus DirectJet Problem
Reference: URL:http://marc.info/?l=bugtraq&m=87602248518480&w=2
Reference: XF:laserjet-unpassworded(1876)
Reference: URL:https://exchange.xforce.ibmcloud.com/vulnerabilities/1876

Votes:
ACCEPT(1)  Cole
MODIFY(1)  Frech
NOOP(1)  Foat
Voter Comments:
Frech>  DELREF:XF:laserjet-unpassworded(1876)
ADDREF:XF:hp-printer-flood(1818)

Name: CVE-1999-1063

Description:

CDomain whois_raw.cgi whois CGI script allows remote attackers to execute arbitrary commands via shell metacharacters in the fqdn parameter.

Status:Candidate
Phase: Proposed (20010912)
Reference: BID:304
Reference: URL:http://www.securityfocus.com/bid/304
Reference: BUGTRAQ:19990601 whois_raw.cgi problem
Reference: URL:http://www.securityfocus.com/archive/1/14019
Reference: XF:http-cgi-cdomain(2251)
Reference: URL:https://exchange.xforce.ibmcloud.com/vulnerabilities/2251

Votes:
ACCEPT(1)  Frech
NOOP(3)  Cole, Foat, Wall
Voter Comments:


Name: CVE-1999-1064

Description:

Multiple buffer overflows in WindowMaker 0.52 through 0.60.0 allow attackers to cause a denial of service and possibly execute arbitrary commands by executing WindowMaker with a long program name (argv[0]).

Status:Candidate
Phase: Proposed (20010912)
Reference: BID:596
Reference: URL:http://www.securityfocus.com/bid/596
Reference: BUGTRAQ:19990822
Reference: URL:http://marc.info/?l=bugtraq&m=93555317429630&w=2
Reference: BUGTRAQ:19990824 Re: WindowMaker bugs (was sub:none )
Reference: URL:http://marc.info/?l=bugtraq&m=93582070508957&w=2

Votes:
MODIFY(1)  Frech
NOOP(3)  Cole, Foat, Wall
Voter Comments:
Frech>  XF:windowmaker-bo(3249)

Name: CVE-1999-1065

Description:

Palm Pilot HotSync Manager 3.0.4 in Windows 98 allows remote attackers to cause a denial of service, and possibly execute arbitrary commands, via a long string to port 14238 while the manager is in network mode.

Status:Candidate
Phase: Proposed (20010912)
Reference: BUGTRAQ:19991104 Palm Hotsync vulnerable to DoS attack
Reference: URL:http://marc.info/?l=bugtraq&m=94175465525422&w=2

Votes:
ACCEPT(1)  Cole
MODIFY(1)  Frech
NOOP(2)  Foat, Wall
Voter Comments:
Frech>  XF:palm-hotsync-bo(7785)

Name: CVE-1999-1066

Description:

Quake 1 server responds to an initial UDP game connection request with a large amount of traffic, which allows remote attackers to use the server as an amplifier in a "Smurf" style attack on another host, by spoofing the connection request.

Status:Candidate
Phase: Proposed (20010912)
Reference: BUGTRAQ:19991222 Quake "smurf" - Quake War Utils
Reference: URL:http://marc.info/?l=bugtraq&m=94589559631535&w=2

Votes:
MODIFY(1)  Frech
NOOP(4)  Christey, Cole, Foat, Wall
Voter Comments:
Christey>  This is apparently a problem with the connection protocol.
See BUGTRAQ:19980522 NetQuake Protocol problem resulting in smurf like effect.
URL:http://marc.theaimsgroup.com/?l=bugtraq&m=90221101925989&w=2
Frech>  XF:quake-udp-connection-dos(7862)

Name: CVE-1999-1067

Description:

SGI MachineInfo CGI program, installed by default on some web servers, prints potentially sensitive system status information, which could be used by remote attackers for information gathering activities.

Status:Candidate
Phase: Proposed (20010912)
Reference: BUGTRAQ:19970507 Re: SGI Security Advisory 19970501-01-A - Vulnerability in webdist.cgi
Reference: URL:http://marc.info/?l=bugtraq&m=87602167420919&w=2
Reference: XF:sgi-machineinfo

Votes:
ACCEPT(1)  Frech
NOOP(2)  Cole, Foat
Voter Comments:
Frech>  I'd be a lot more confident in this vote if there was a more
concrete reference strongly associating webdist.cgi and machineinfo.

Name: CVE-1999-1068

Description:

Oracle Webserver 2.1, when serving PL/SQL stored procedures, allows remote attackers to cause a denial of service via a long HTTP GET request.

Status:Candidate
Phase: Proposed (20010912)
Reference: BUGTRAQ:19970723 DoS against Oracle Webserver 2.1 with PL/SQL stored procedures
Reference: URL:http://marc.info/?l=bugtraq&m=87602661419366&w=2

Votes:
MODIFY(1)  Frech
NOOP(2)  Cole, Foat
Voter Comments:
Frech>  XF:oracle-webserver-dos(1812)

Name: CVE-1999-1069

Description:

Directory traversal vulnerability in carbo.dll in iCat Carbo Server 3.0.0 allows remote attackers to read arbitrary files via a .. (dot dot) in the icatcommand parameter.

Status:Candidate
Phase: Proposed (20010912)
Reference: BID:2126
Reference: URL:http://www.securityfocus.com/bid/2126
Reference: BUGTRAQ:19971108 Security bug in iCat Suite version 3.0
Reference: URL:http://www.securityfocus.com/archive/1/7943
Reference: XF:icat-carbo-server-vuln(1620)
Reference: URL:https://exchange.xforce.ibmcloud.com/vulnerabilities/1620

Votes:
ACCEPT(2)  Cole, Frech
NOOP(1)  Foat
Voter Comments:
Frech>  iCat's site at http://www.icat.com/ is shut down, and no
further support seems to be available.

Name: CVE-1999-1070

Description:

Buffer overflow in ping CGI program in Xylogics Annex terminal service allows remote attackers to cause a denial of service via a long query parameter.

Status:Candidate
Phase: Proposed (20010912)
Reference: BUGTRAQ:19980725 Annex DoS
Reference: URL:http://www.securityfocus.com/archive/1/10021

Votes:
MODIFY(1)  Frech
NOOP(3)  Cole, Foat, Wall
Voter Comments:
Frech>  XF:annex-ping-crash(2090)

Name: CVE-1999-1071

Description:

Excite for Web Servers (EWS) 1.1 installs the Architext.conf authentication file with world-writeable permissions, which allows local users to gain access to Excite accounts by modifying the file.

Status:Candidate
Phase: Proposed (20010912)
Reference: BUGTRAQ:19981130 Security bugs in Excite for Web Servers 1.1
Reference: URL:http://marc.info/?l=bugtraq&m=91248445931140&w=2
Reference: XF:excite-world-write(1417)
Reference: URL:https://exchange.xforce.ibmcloud.com/vulnerabilities/1417

Votes:
ACCEPT(1)  Frech
NOOP(3)  Cole, Foat, Wall
Voter Comments:


Name: CVE-1999-1072

Description:

Excite for Web Servers (EWS) 1.1 allows local users to gain privileges by obtaining the encrypted password from the world-readable Architext.conf authentication file and replaying the encrypted password in an HTTP request to AT-generated.cgi or AT-admin.cgi.

Status:Candidate
Phase: Proposed (20010912)
Reference: BUGTRAQ:19981130 Security bugs in Excite for Web Servers 1.1
Reference: URL:http://marc.info/?l=bugtraq&m=91248445931140&w=2

Votes:
NOOP(3)  Cole, Foat, Wall
Voter Comments:


Name: CVE-1999-1073

Description:

Excite for Web Servers (EWS) 1.1 records the first two characters of a plaintext password in the beginning of the encrypted password, which makes it easier for an attacker to guess passwords via a brute force or dictionary attack.

Status:Candidate
Phase: Proposed (20010912)
Reference: BUGTRAQ:19981130 Security bugs in Excite for Web Servers 1.1
Reference: URL:http://marc.info/?l=bugtraq&m=91248445931140&w=2

Votes:
NOOP(3)  Cole, Foat, Wall
Voter Comments:


Name: CVE-1999-1074

Description:

Webmin before 0.5 does not restrict the number of invalid passwords that are entered for a valid username, which could allow remote attackers to gain privileges via brute force password cracking.

Status:Entry
Reference: BID:98
Reference: URL:http://www.securityfocus.com/bid/98
Reference: BUGTRAQ:19980501 Warning! Webmin Security Advisory
Reference: URL:http://www.securityfocus.com/archive/1/9138
Reference: CONFIRM:http://www.webmin.com/webmin/changes.html

Name: CVE-1999-1075

Description:

inetd in AIX 4.1.5 dynamically assigns a port N when starting ttdbserver (ToolTalk server), but also inadvertently listens on port N-1 without passing control to ttdbserver, which allows remote attackers to cause a denial of service via a large number of connections to port N-1, which are not properly closed by inetd.

Status:Candidate
Phase: Proposed (20010912)
Reference: BUGTRAQ:19980318 AIX 4.1.5 DoS attack (aka "Port 1025 problem")
Reference: URL:http://marc.info/?l=bugtraq&m=89025820612530&w=2

Votes:
MODIFY(1)  Frech
NOOP(3)  Cole, Foat, Wall
Voter Comments:
Frech>  XF:aix-ttdbserver(813)
CONFIRM:APAR IX70400

Name: CVE-1999-1076

Description:

Idle locking function in MacOS 9 allows local users to bypass the password protection of idled sessions by selecting the "Log Out" option and selecting a "Cancel" option in the dialog box for an application that attempts to verify that the user wants to log out, which returns the attacker into the locked session.

Status:Candidate
Phase: Proposed (20010912)
Reference: BID:745
Reference: URL:http://www.securityfocus.com/bid/745
Reference: BUGTRAQ:19991026 Mac OS 9 Idle Lock Bug
Reference: URL:http://marc.info/?l=bugtraq&m=94096348604173&w=2

Votes:
ACCEPT(2)  Cole, Foat
MODIFY(1)  Frech
NOOP(1)  Wall
Voter Comments:
Frech>  XF:macos-idle-screenlock-bypass(7794)

Name: CVE-1999-1077

Description:

Idle locking function in MacOS 9 allows local attackers to bypass the password protection of idled sessions via the programmer's switch or CMD-PWR keyboard sequence, which brings up a debugger that the attacker can use to disable the lock.

Status:Candidate
Phase: Proposed (20010912)
Reference: BID:756
Reference: URL:http://www.securityfocus.com/bid/756
Reference: BUGTRAQ:19991101 Re: Mac OS 9 Idle Lock Bug
Reference: URL:http://marc.info/?l=bugtraq&m=94149318124548&w=2

Votes:
ACCEPT(2)  Cole, Foat
MODIFY(1)  Frech
NOOP(1)  Wall
Voter Comments:
Frech>  XF:macos-debug-screenlock-access(3426)

Name: CVE-1999-1078

Description:

WS_FTP Pro 6.0 uses weak encryption for passwords in its initialization files, which allows remote attackers to easily decrypt the passwords and gain privileges.

Status:Candidate
Phase: Proposed (20010912)
Reference: BID:547
Reference: URL:http://www.securityfocus.com/bid/547
Reference: NTBUGTRAQ:19990729 WS_FTP Pro 6.0 Weak Password Encryption Vulnerability
Reference: URL:http://www.ntbugtraq.com/default.asp?pid=36&sid=1&A2=ind9907&L=ntbugtraq&D=0&P=10370&F=P

Votes:
MODIFY(1)  Frech
NOOP(3)  Cole, Foat, Wall
Voter Comments:
Frech>  XF:wsftp-weak-password-encryption(8349)

Name: CVE-1999-1079

Description:

Vulnerability in ptrace in AIX 4.3 allows local users to gain privileges by attaching to a setgid program.

Status:Candidate
Phase: Proposed (20010912)
Reference: AIXAPAR:IX80470
Reference: URL:http://www-1.ibm.com/servlet/support/manager?rs=0&rt=0&org=apars&doc=08E0B1A1B85472A1852567C90031BB36
Reference: BID:439
Reference: URL:http://www.securityfocus.com/bid/439
Reference: BUGTRAQ:19990506 AIX Security Fixes Update
Reference: URL:http://marc.info/?l=bugtraq&m=92601792420088&w=2
Reference: BUGTRAQ:19990825 AIX security summary
Reference: URL:http://marc.info/?l=bugtraq&m=93587956513233&w=2

Votes:
ACCEPT(3)  Cole, Foat, Stracener
MODIFY(1)  Frech
Voter Comments:
Frech>  XF:aix-ptrace-setgid(7487)

Name: CVE-1999-1080

Description:

rmmount in SunOS 5.7 may mount file systems without the nosuid flag set, contrary to the documentation and its use in previous versions of SunOS, which could allow local users with physical access to gain root privileges by mounting a floppy or CD-ROM that contains a setuid program and running volcheck, when the file systems do not have the nosuid option specified in rmmount.conf.

Status:Entry
Reference: BID:250
Reference: URL:http://www.securityfocus.com/bid/250
Reference: BUGTRAQ:19990510 SunOS 5.7 rmmount, no nosuid.
Reference: URL:http://marc.info/?l=bugtraq&m=92633694100270&w=2
Reference: BUGTRAQ:19991011
Reference: URL:http://marc.info/?l=bugtraq&m=93971288323395&w=2
Reference: SUNBUG:4205437
Reference: XF:solaris-rmmount-gain-root(8350)
Reference: URL:https://exchange.xforce.ibmcloud.com/vulnerabilities/8350

Name: CVE-1999-1081

Description:

Vulnerability in files.pl script in Novell WebServer Examples Toolkit 2 allows remote attackers to read arbitrary files.

Status:Candidate
Phase: Proposed (20010912)
Reference: MISC:http://www.roxanne.org/faqs/www-secure/wwwsf4.html#Q35
Reference: MISC:http://www.w3.org/Security/Faq/wwwsf8.html#Q87
Reference: XF:http-nov-files(2054)
Reference: URL:https://exchange.xforce.ibmcloud.com/vulnerabilities/2054

Votes:
ACCEPT(2)  Cole, Frech
NOOP(1)  Foat
Voter Comments:


Name: CVE-1999-1082

Description:

Directory traversal vulnerability in Jana proxy web server 1.40 allows remote attackers to read arbitrary files via a "......" (modified dot dot) attack.

Status:Candidate
Phase: Proposed (20010912)
Reference: BID:699
Reference: URL:http://www.securityfocus.com/bid/699
Reference: BUGTRAQ:19991008 Jana webserver exploit
Reference: URL:http://marc.info/?l=bugtraq&m=93941794201059&w=2

Votes:
ACCEPT(1)  Cole
MODIFY(1)  Frech
NOOP(2)  Foat, Wall
Voter Comments:
Frech>  XF:jana-server-directory-traversal(6513)

Name: CVE-1999-1083

Description:

Directory traversal vulnerability in Jana proxy web server 1.45 allows remote attackers to read arbitrary files via a .. (dot dot) attack.

Status:Candidate
Phase: Proposed (20010912)
Reference: BID:699
Reference: URL:http://www.securityfocus.com/bid/699
Reference: BUGTRAQ:20000502 Security Bug in Jana HTTP Server
Reference: URL:http://marc.info/?l=bugtraq&m=95730430727064&w=2

Votes:
ACCEPT(1)  Cole
MODIFY(1)  Frech
NOOP(3)  Christey, Foat, Wall
Voter Comments:
Frech>  XF:jana-server-directory-traversal(6513)
Christey>  MODIFY description - the attack is of the form "/./../"
(single dot followed by double-dot)

Name: CVE-1999-1084

Description:

The "AEDebug" registry key is installed with insecure permissions, which allows local users to modify the key to specify a Trojan Horse debugger which is automatically executed on a system crash.

Status:Candidate
Phase: Proposed (20010912)
Reference: BID:1044
Reference: URL:http://www.securityfocus.com/bid/1044
Reference: CIAC:K-029
Reference: URL:http://www.ciac.org/ciac/bulletins/k-029.shtml
Reference: MS:MS00-008
Reference: URL:https://docs.microsoft.com/en-us/security-updates/securitybulletins/2000/ms00-008
Reference: MSKB:Q103861
Reference: URL:http://support.microsoft.com/support/kb/articles/q103/8/61.asp
Reference: NTBUGTRAQ:19980622 Yet another "get yourself admin rights exploit":
Reference: URL:http://marc.info/?l=ntbugtraq&m=90222453431604&w=2

Votes:
ACCEPT(3)  Cole, Foat, Wall
MODIFY(1)  Frech
Voter Comments:
Frech>  XF:nt-registry-permissions(4111)

Name: CVE-1999-1085

Description:

SSH 1.2.25, 1.2.23, and other versions, when used in CBC (Cipher Block Chaining) or CFB (Cipher Feedback 64 bits) modes, allows remote attackers to insert arbitrary data into an existing stream between an SSH client and server by using a known plaintext attack and computing a valid CRC-32 checksum for the packet, aka the "SSH insertion attack."

Status:Entry
Reference: BUGTRAQ:19980612 CORE-SDI-04: SSH insertion attack
Reference: URL:http://marc.info/?l=bugtraq&m=90221103125884&w=2
Reference: BUGTRAQ:19980703 UPDATE: SSH insertion attack
Reference: URL:http://marc.info/?l=bugtraq&m=90221104525878&w=2
Reference: CERT-VN:VU#13877
Reference: URL:http://www.kb.cert.org/vuls/id/13877
Reference: CISCO:20010627 Multiple SSH Vulnerabilities
Reference: XF:ssh-insert(1126)
Reference: URL:http://www.iss.net/security_center/static/1126.php

Name: CVE-1999-1086

Description:

Novell 5 and earlier, when running over IPX with a packet signature level less than 3, allows remote attackers to gain administrator privileges by spoofing the MAC address in IPC fragmented packets that make NetWare Core Protocol (NCP) calls.

Status:Candidate
Phase: Proposed (20010912)
Reference: BID:528
Reference: URL:http://www.securityfocus.com/bid/528
Reference: BUGTRAQ:19990715 NMRC Advisory: Netware 5 Client Hijacking
Reference: URL:http://marc.info/?l=bugtraq&m=93214475111651&w=2

Votes:
ACCEPT(1)  Cole
MODIFY(1)  Frech
NOOP(2)  Foat, Wall
Voter Comments:
Frech>  XF:netware-ipx-session-spoof(2350)

Name: CVE-1999-1087

Description:

Internet Explorer 4 treats a 32-bit number ("dotless IP address") in a URL as the hostname instead of an IP address, which causes IE to apply Local Intranet Zone settings to the resulting web page, allowing remote malicious web servers to conduct unauthorized activities by using URLs that contain the dotless IP address for their server.

Status:Entry
Reference: CONFIRM:http://www.microsoft.com/Windows/Ie/security/dotless.asp
Reference: MS:MS98-016
Reference: URL:https://docs.microsoft.com/en-us/security-updates/securitybulletins/1998/ms98-016
Reference: MSKB:Q168617
Reference: URL:http://support.microsoft.com/support/kb/articles/q168/6/17.asp
Reference: OSVDB:7828
Reference: URL:http://www.osvdb.org/7828
Reference: XF:ie-dotless(2209)
Reference: URL:https://exchange.xforce.ibmcloud.com/vulnerabilities/2209

Name: CVE-1999-1088

Description:

Vulnerability in chsh command in HP-UX 9.X through 10.20 allows local users to gain privileges.

Status:Candidate
Phase: Proposed (20010912)
Reference: CIAC:H-21
Reference: URL:http://ciac.llnl.gov/ciac/bulletins/h-21.shtml
Reference: HP:HPSBUX9701-050
Reference: XF:hp-chsh(2012)
Reference: URL:https://exchange.xforce.ibmcloud.com/vulnerabilities/2012

Votes:
ACCEPT(4)  Cole, Foat, Frech, Stracener
Voter Comments:


Name: CVE-1999-1089

Description:

Buffer overflow in chfn command in HP-UX 9.X through 10.20 allows local users to gain privileges via a long command line argument.

Status:Candidate
Phase: Proposed (20010912)
Reference: AUSCERT:AA-96.18
Reference: BUGTRAQ:19961209 the HP Bug of the Week!
Reference: URL:http://marc.info/?l=bugtraq&m=87602167420285&w=2
Reference: CIAC:H-16
Reference: URL:http://ciac.llnl.gov/ciac/bulletins/h-16.shtml
Reference: CIAC:H-21
Reference: URL:http://ciac.llnl.gov/ciac/bulletins/h-21.shtml
Reference: HP:HPSBUX9701-049
Reference: XF:hp-chfn(2008)
Reference: URL:https://exchange.xforce.ibmcloud.com/vulnerabilities/2008

Votes:
ACCEPT(4)  Cole, Foat, Frech, Stracener
Voter Comments:


Name: CVE-1999-1090

Description:

The default configuration of NCSA Telnet package for Macintosh and PC enables FTP, even though it does not include an "ftp=yes" line, which allows remote attackers to read and modify arbitrary files.

Status:Entry
Reference: CERT:CA-1991-15
Reference: URL:http://www.cert.org/advisories/CA-1991-15.html
Reference: XF:ftp-ncsa(1844)
Reference: URL:https://exchange.xforce.ibmcloud.com/vulnerabilities/1844

Name: CVE-1999-1091

Description:

UNIX news readers tin and rtin create the /tmp/.tin_log file with insecure permissions and follow symlinks, which allows attackers to modify the permissions of files writable by the user via a symlink attack.

Status:Candidate
Phase: Proposed (20010912)
Reference: BUGTRAQ:19960903 Re: BoS: [BUG] Vulnerability in TIN
Reference: URL:http://marc.info/?l=bugtraq&m=87602167419839&w=2
Reference: BUGTRAQ:19960903 [BUG] Vulnerability in TIN
Reference: URL:http://marc.info/?l=bugtraq&m=87602167419835&w=2
Reference: BUGTRAQ:19970329 symlink bug in tin/rtin
Reference: URL:http://marc.info/?l=bugtraq&m=87602167420726&w=2
Reference: XF:tin-tmpfile(431)
Reference: URL:https://exchange.xforce.ibmcloud.com/vulnerabilities/431

Votes:
ACCEPT(1)  Frech
NOOP(2)  Cole, Foat
Voter Comments:


Name: CVE-1999-1092

Description:

tin 1.40 creates the .tin directory with insecure permissions, which allows local users to read passwords from the .inputhistory file.

Status:Candidate
Phase: Proposed (20010912)
Reference: BUGTRAQ:19991117 default permissions for tin
Reference: URL:http://marc.info/?l=bugtraq&m=94286179032648&w=2

Votes:
MODIFY(1)  Frech
NOOP(3)  Cole, Foat, Wall
Voter Comments:
Frech>  XF:tin-insecure-permissions(7796)
Confirmed in changelog for 1.4.1
http://ftp.kreonet.re.kr/pub/tools/news/tin/v1.4/CHANGES

Name: CVE-1999-1093

Description:

Buffer overflow in the Window.External function in the JScript Scripting Engine in Internet Explorer 4.01 SP1 and earlier allows remote attackers to execute arbitrary commands via a malicious web page.

Status:Entry
Reference: MS:MS98-011
Reference: URL:https://docs.microsoft.com/en-us/security-updates/securitybulletins/1998/ms98-011
Reference: MSKB:Q191200
Reference: URL:http://support.microsoft.com/support/kb/articles/q191/2/00.asp
Reference: XF:java-script-patch(1276)
Reference: URL:http://www.iss.net/security_center/static/1276.php

Name: CVE-1999-1094

Description:

Buffer overflow in Internet Explorer 4.01 and earlier allows remote attackers to execute arbitrary commands via a long URL with the "mk:" protocol, aka the "MK Overrun security issue."

Status:Entry
Reference: BUGTRAQ:19980114 L0pht Advisory MSIE4.0(1)
Reference: URL:http://marc.info/?l=bugtraq&m=88480839506155&w=2
Reference: MSKB:Q176697
Reference: URL:http://support.microsoft.com/support/kb/articles/q176/6/97.asp
Reference: XF:iemk-bug(917)
Reference: URL:https://exchange.xforce.ibmcloud.com/vulnerabilities/917

Name: CVE-1999-1095

Description:

sort creates temporary files and follows symbolic links, which allows local users to modify arbitrary files that are writable by the user running sort, as observed in updatedb and other programs that use sort.

Status:Candidate
Phase: Proposed (20010912)
Reference: BUGTRAQ:19971006 KSR[T] Advisory #3: updatedb / crontabs
Reference: URL:http://marc.info/?l=bugtraq&m=87619953510834&w=2
Reference: BUGTRAQ:19980302 overwrite any file with updatedb
Reference: URL:http://marc.info/?l=bugtraq&m=88886870129518&w=2
Reference: BUGTRAQ:19980303 updatedb stuff
Reference: URL:http://marc.info/?l=bugtraq&m=88890116304676&w=2
Reference: BUGTRAQ:19980303 updatedb: sort patch

Votes:
MODIFY(1)  Frech
NOOP(3)  Christey, Cole, Foat
Voter Comments:
Frech>  XF:sort-tmp-file-symlink(7182)
Christey>  This issue clearly has a long history.
CALDERA:CSSA-2002-SCO.21
URL:http://archives.neohapsis.com/archives/linux/caldera/2002-q2/0018.html
CALDERA:CSSA-2002-SCO.2
URL:http://archives.neohapsis.com/archives/linux/caldera/2002-q1/0002.html
(There are 2 Caldera advisories because one is for Open UNIX
and UnixWare, and the other is for OpenServer)

XF:openserver-sort-symlink(9218)
URL:http://www.iss.net/security_center/static/9218.php

Name: CVE-1999-1096

Description:

Buffer overflow in kscreensaver in KDE klock allows local users to gain root privileges via a long HOME environmental variable.

Status:Candidate
Phase: Proposed (20010912)
Reference: BUGTRAQ:19980516 kde exploit
Reference: URL:http://marc.info/?l=bugtraq&m=90221101925954&w=2
Reference: BUGTRAQ:19980517 simple kde exploit fix
Reference: URL:http://marc.info/?l=bugtraq&m=90221101925959&w=2
Reference: XF:kde-klock-home-bo(1644)
Reference: URL:https://exchange.xforce.ibmcloud.com/vulnerabilities/1644

Votes:
ACCEPT(1)  Frech
NOOP(3)  Cole, Foat, Wall
Voter Comments:


Name: CVE-1999-1097

Description:

Microsoft NetMeeting 2.1 allows one client to read the contents of another client's clipboard via a CTRL-C in the chat box when the box is empty.

Status:Candidate
Phase: Proposed (20010912)
Reference: BUGTRAQ:19990504 Microsoft Netmeeting Hole
Reference: URL:http://marc.info/?l=bugtraq&m=92586457816446&w=2
Reference: XF:netmeeting-clipboard(2187)
Reference: URL:https://exchange.xforce.ibmcloud.com/vulnerabilities/2187

Votes:
ACCEPT(1)  Frech
NOOP(3)  Cole, Foat, Wall
Voter Comments:


Name: CVE-1999-1098

Description:

Vulnerability in BSD Telnet client with encryption and Kerberos 4 authentication allows remote attackers to decrypt the session via sniffing.

Status:Entry
Reference: CERT:CA-1995-03
Reference: URL:http://www.cert.org/advisories/CA-1995-03.html
Reference: CIAC:F-12
Reference: URL:http://www.ciac.org/ciac/bulletins/f-12.shtml
Reference: OSVDB:4881
Reference: URL:http://www.osvdb.org/4881
Reference: XF:bsd-telnet(516)
Reference: URL:http://www.iss.net/security_center/static/516.php

Name: CVE-1999-1099

Description:

Kerberos 4 allows remote attackers to obtain sensitive information via a malformed UDP packet that generates an error string that inadvertently includes the realm name and the last user.

Status:Entry
Reference: BUGTRAQ:19961122 L0pht Kerberos Advisory
Reference: URL:http://marc.info/?l=bugtraq&m=87602167420184&w=2
Reference: XF:kerberos-user-grab(65)
Reference: URL:https://exchange.xforce.ibmcloud.com/vulnerabilities/65

Name: CVE-1999-1100

Description:

Cisco PIX Private Link 4.1.6 and earlier does not properly process certain commands in the configuration file, which reduces the effective key length of the DES key to 48 bits instead of 56 bits, which makes it easier for an attacker to find the proper key via a brute force attack.

Status:Entry
Reference: CIAC:I-056
Reference: URL:http://ciac.llnl.gov/ciac/bulletins/i-056.shtml
Reference: CISCO:19980616 PIX Private Link Key Processing and Cryptography Issues
Reference: URL:http://www.cisco.com/warp/public/770/pixkey-pub.shtml
Reference: XF:cisco-pix-parse-error(1579)
Reference: URL:https://exchange.xforce.ibmcloud.com/vulnerabilities/1579

Name: CVE-1999-1101

Description:

Kabsoftware Lydia utility uses weak encryption to store user passwords in the lydia.ini file, which allows local users to easily decrypt the passwords and gain privileges.

Status:Candidate
Phase: Proposed (20010912)
Reference: BUGTRAQ:19990219 Yet Another password storing problem (was: Re: Possible Netscape Crypto Security Flaw)
Reference: URL:http://www.securityfocus.com/archive/1/12618

Votes:
MODIFY(1)  Frech
NOOP(3)  Cole, Foat, Wall
Voter Comments:
Frech>  XF:lydia-ini-passwords(7501)
ADDREF:http://www.kabsoftware.com/lydia_history.txt (Version
History for Lydia, V3.3 - 11/24/00)

Name: CVE-1999-1102

Description:

lpr on SunOS 4.1.1, BSD 4.3, A/UX 2.0.1, and other BSD-based operating systems allows local users to create or overwrite arbitrary files via a symlink attack that is triggered after invoking lpr 1000 times.

Status:Entry
Reference: BUGTRAQ:19940307 8lgm Advisory Releases
Reference: URL:http://www.aenigma.net/resources/maillist/bugtraq/1994/0091.htm
Reference: CIAC:E-25a
Reference: URL:http://ciac.llnl.gov/ciac/bulletins/e-25.shtml
Reference: MISC:http://www.phreak.org/archives/security/8lgm/8lgm.lpr

Name: CVE-1999-1103

Description:

dxconsole in DEC OSF/1 3.2C and earlier allows local users to read arbitrary files by specifying the file with the -file parameter.

Status:Entry
Reference: CERT:VB-96.05
Reference: URL:http://www.cert.org/vendor_bulletins/VB-96.05.dec
Reference: CIAC:G-18
Reference: URL:http://ciac.llnl.gov/ciac/bulletins/g-18.shtml
Reference: MISC:http://www.tao.ca/fire/bos/0209.html
Reference: XF:osf-dxconsole-gain-privileges(7138)
Reference: URL:http://www.iss.net/security_center/static/7138.php

Name: CVE-1999-1104

Description:

Windows 95 uses weak encryption for the password list (.pwl) file used when password caching is enabled, which allows local users to gain privileges by decrypting the passwords.

Status:Entry
Reference: BUGTRAQ:19951205 Cracked: WINDOWS.PWL
Reference: URL:http://marc.info/?l=bugtraq&m=87602167418931&w=2
Reference: BUGTRAQ:19980120 How to recover private keys for various Microsoft products
Reference: URL:http://marc.info/?l=bugtraq&m=88536273725787&w=2
Reference: MSKB:Q140557
Reference: URL:http://support.microsoft.com/support/kb/articles/q140/5/57.asp
Reference: NTBUGTRAQ:19980121 How to recover private keys for various Microsoft products
Reference: URL:http://marc.info/?l=ntbugtraq&m=88540877601866&w=2
Reference: XF:win95-nbsmbpwl(71)
Reference: URL:http://www.iss.net/security_center/static/71.php

Name: CVE-1999-1105

Description:

Windows 95, when Remote Administration and File Sharing for NetWare Networks is enabled, creates a share (C$) when an administrator logs in remotely, which allows remote attackers to read arbitrary files by mapping the network drive.

Status:Entry
Reference: CONFIRM:http://www.zdnet.com/eweek/reviews/1016/tr42bug.html
Reference: MISC:http://www.net-security.sk/bugs/NT/netware1.html
Reference: XF:win95-netware-hidden-share(7231)
Reference: URL:http://www.iss.net/security_center/static/7231.php

Name: CVE-1999-1106

Description:

Buffer overflow in kppp in KDE allows local users to gain root access via a long -c (account_name) command line argument.

Status:Candidate
Phase: Proposed (20010912)
Reference: BID:92
Reference: URL:http://www.securityfocus.com/bid/92
Reference: BUGTRAQ:19980429 Security hole in kppp
Reference: URL:http://www.securityfocus.com/archive/1/9121
Reference: XF:kde-kppp-account-bo(1643)
Reference: URL:https://exchange.xforce.ibmcloud.com/vulnerabilities/1643

Votes:
ACCEPT(2)  Cole, Frech
NOOP(2)  Foat, Wall
Voter Comments:


Name: CVE-1999-1107

Description:

Buffer overflow in kppp in KDE allows local users to gain root access via a long PATH environmental variable.

Status:Candidate
Phase: Proposed (20010912)
Reference: BUGTRAQ:19981118 Multiple KDE security vulnerabilities (root compromise)
Reference: URL:http://marc.info/?l=bugtraq&m=91141486301691&w=2
Reference: XF:kde-kppp-path-bo(1650)
Reference: URL:https://exchange.xforce.ibmcloud.com/vulnerabilities/1650

Votes:
ACCEPT(1)  Frech
NOOP(3)  Cole, Foat, Wall
Voter Comments:


Name: CVE-1999-1108

Description:

** REJECT ** DO NOT USE THIS CANDIDATE NUMBER. ConsultIDs: CVE-1999-1107. Reason: This candidate is a duplicate of CVE-1999-1107. Notes: All CVE users should reference CVE-1999-1107 instead of this candidate. All references and descriptions in this candidate have been removed to prevent accidental usage.

Status:Candidate
Phase: Modified (20050204)

Votes:
ACCEPT(1)  Cole
NOOP(2)  Foat, Wall
REJECT(2)  Christey, Frech
Voter Comments:
Frech>  Has exactly the same attributes as CVE-1999-1107.
Christey>  DUPE CVE-1999-1107.

Name: CVE-1999-1109

Description:

Sendmail before 8.10.0 allows remote attackers to cause a denial of service by sending a series of ETRN commands then disconnecting from the server, while Sendmail continues to process the commands after the connection has been terminated.

Status:Entry
Reference: BID:904
Reference: URL:http://www.securityfocus.com/bid/904
Reference: BUGTRAQ:19991222 Re: procmail / Sendmail - five bugs
Reference: URL:http://marc.info/?l=bugtraq&m=94632241202626&w=2
Reference: BUGTRAQ:20000113 Re: procmail / Sendmail - five bugs
Reference: URL:http://marc.info/?l=bugtraq&m=94780566911948&w=2
Reference: XF:sendmail-etrn-dos(7760)
Reference: URL:http://www.iss.net/security_center/static/7760.php

Name: CVE-1999-1110

Description:

Windows Media Player ActiveX object as used in Internet Explorer 5.0 returns a specific error code when a file does not exist, which allows remote malicious web sites to determine the existence of files on the client.

Status:Candidate
Phase: Proposed (20010912)
Reference: BID:793
Reference: URL:http://www.securityfocus.com/bid/793
Reference: BUGTRAQ:19991114 IE 5.0 and Windows Media Player ActiveX object allow checking the existence of local files and directories
Reference: URL:http://www.securityfocus.com/archive/1/34675

Votes:
ACCEPT(1)  Wall
MODIFY(1)  Frech
NOOP(2)  Cole, Foat
Voter Comments:
Frech>  XF:ie-mediaplayer-activex(7800)

Name: CVE-1999-1111

Description:

Vulnerability in StackGuard before 1.21 allows remote attackers to bypass the Random and Terminator Canary security mechanisms by using a non-linear attack which directly modifies a pointer to a return address instead of using a buffer overflow to reach the return address entry itself.

Status:Entry
Reference: BID:786
Reference: URL:http://www.securityfocus.com/bid/786
Reference: BUGTRAQ:19911109 ImmuniX OS Security Alert: StackGuard 1.21 Released
Reference: URL:http://marc.info/?l=bugtraq&m=94218618329838&w=2
Reference: XF:immunix-stackguard-bo(3524)
Reference: URL:https://exchange.xforce.ibmcloud.com/vulnerabilities/3524

Name: CVE-1999-1112

Description:

Buffer overflow in IrfanView32 3.07 and earlier allows attackers to execute arbitrary commands via a long string after the "8BPS" image type in a Photo Shop image header.

Status:Candidate
Phase: Proposed (20010912)
Reference: BID:781
Reference: URL:http://www.securityfocus.com/bid/781
Reference: BUGTRAQ:19991109 Irfan view 3.07 buffer overflow
Reference: URL:http://www.securityfocus.com/archive/1/34066
Reference: MISC:http://stud4.tuwien.ac.at/~e9227474/main2.html
Reference: XF:irfan-view32-bo(3549)
Reference: URL:https://exchange.xforce.ibmcloud.com/vulnerabilities/3549

Votes:
ACCEPT(1)  Frech
NOOP(3)  Cole, Foat, Wall
Voter Comments:


Name: CVE-1999-1113

Description:

Buffer overflow in Eudora Internet Mail Server (EIMS) 2.01 and earlier on MacOS systems allows remote attackers to cause a denial of service via a long USER command to port 106.

Status:Candidate
Phase: Proposed (20010912)
Reference: BID:75
Reference: URL:http://www.securityfocus.com/bid/75
Reference: BUGTRAQ:19980414 MacOS based buffer overflows...
Reference: URL:http://marc.info/?l=bugtraq&m=89258194718577&w=2

Votes:
MODIFY(1)  Frech
NOOP(3)  Cole, Foat, Wall
Voter Comments:
Frech>  XF:eudora-ims-user-dos(7300)

Name: CVE-1999-1114

Description:

Buffer overflow in Korn Shell (ksh) suid_exec program on IRIX 6.x and earlier, and possibly other operating systems, allows local users to gain root privileges.

Status:Entry
Reference: AUSCERT:AA-96.17
Reference: URL:ftp://ftp.auscert.org.au/pub/auscert/advisory/AA-96.17.suid_exec.vul
Reference: BID:467
Reference: URL:http://www.securityfocus.com/bid/467
Reference: CIAC:H-15A
Reference: URL:http://ciac.llnl.gov/ciac/bulletins/h-15a.shtml
Reference: SGI:19980405-01-I
Reference: URL:ftp://patches.sgi.com/support/free/security/advisories/19980405-01-I
Reference: XF:ksh-suid_exec(2100)
Reference: URL:https://exchange.xforce.ibmcloud.com/vulnerabilities/2100

Name: CVE-1999-1115

Description:

Vulnerability in the /etc/suid_exec program in HP Apollo Domain/OS sr10.2 and sr10.3 beta, related to the Korn Shell (ksh).

Status:Entry
Reference: BID:7
Reference: URL:http://www.securityfocus.com/bid/7
Reference: CERT:CA-1990-04
Reference: URL:http://www.cert.org/advisories/CA-1990-04.html
Reference: CIAC:A-30
Reference: URL:http://www.ciac.org/ciac/bulletins/a-30.shtml
Reference: XF:apollo-suidexec-unauthorized-access(6721)
Reference: URL:http://www.iss.net/security_center/static/6721.php

Name: CVE-1999-1116

Description:

Vulnerability in runpriv in Indigo Magic System Administration subsystem of SGI IRIX 6.3 and 6.4 allows local users to gain root privileges.

Status:Entry
Reference: BID:462
Reference: URL:http://www.securityfocus.com/bid/462
Reference: OSVDB:1009
Reference: URL:http://www.osvdb.org/1009
Reference: SGI:19970503-01-PX
Reference: URL:ftp://patches.sgi.com/support/free/security/advisories/19970503-01-PX
Reference: XF:sgi-runpriv(2108)
Reference: URL:https://exchange.xforce.ibmcloud.com/vulnerabilities/2108

Name: CVE-1999-1117

Description:

lquerypv in AIX 4.1 and 4.2 allows local users to read arbitrary files by specifying the file in the -h command line parameter.

Status:Entry
Reference: BID:455
Reference: URL:http://www.securityfocus.com/bid/455
Reference: BUGTRAQ:19961124
Reference: URL:http://marc.info/?l=bugtraq&w=2&r=1&s=lquerypv&q=b
Reference: BUGTRAQ:19961125 AIX lquerypv
Reference: URL:http://marc.info/?l=bugtraq&m=87602167420196&w=2
Reference: BUGTRAQ:19961125 lquerypv fix
Reference: URL:http://marc.info/?l=bugtraq&m=87602167420195&w=2
Reference: CIAC:H-13
Reference: URL:http://ciac.llnl.gov/ciac/bulletins/h-13.shtml
Reference: XF:ibm-lquerypv(1752)
Reference: URL:https://exchange.xforce.ibmcloud.com/vulnerabilities/1752

Name: CVE-1999-1118

Description:

ndd in Solaris 2.6 allows local users to cause a denial of service by modifying certain TCP/IP parameters.

Status:Entry
Reference: BID:433
Reference: URL:http://www.securityfocus.com/bid/433
Reference: SUN:00165
Reference: URL:http://sunsolve.sun.com/pub-cgi/retrieve.pl?doctype=coll&doc=secbull/165&type=0&nav=sec.sba
Reference: XF:sun-ndd(817)
Reference: URL:https://exchange.xforce.ibmcloud.com/vulnerabilities/817

Name: CVE-1999-1119

Description:

FTP installation script anon.ftp in AIX insecurely configures anonymous FTP, which allows remote attackers to execute arbitrary commands.

Status:Entry
Reference: BID:41
Reference: URL:http://www.securityfocus.com/bid/41
Reference: CERT:CA-1992-09
Reference: URL:http://www.cert.org/advisories/CA-1992-09.html
Reference: XF:aix-anon-ftp(3154)
Reference: URL:https://exchange.xforce.ibmcloud.com/vulnerabilities/3154

Name: CVE-1999-1120

Description:

netprint in SGI IRIX 6.4 and earlier trusts the PATH environmental variable for finding and executing the disable program, which allows local users to gain privileges.

Status:Entry
Reference: BID:395
Reference: URL:http://www.securityfocus.com/bid/395
Reference: BUGTRAQ:19970104 Irix: netprint story
Reference: URL:http://marc.info/?l=bugtraq&m=87602167420403&w=2
Reference: OSVDB:993
Reference: URL:http://www.osvdb.org/993
Reference: SGI:19961203-01-PX
Reference: URL:ftp://patches.sgi.com/support/free/security/advisories/19961203-01-PX
Reference: SGI:19961203-02-PX
Reference: URL:ftp://patches.sgi.com/support/free/security/advisories/19961203-02-PX
Reference: XF:sgi-netprint(2107)
Reference: URL:https://exchange.xforce.ibmcloud.com/vulnerabilities/2107

Name: CVE-1999-1121

Description:

The default configuration for UUCP in AIX before 3.2 allows local users to gain root privileges.

Status:Entry
Reference: BID:38
Reference: URL:http://www.securityfocus.com/bid/38
Reference: CERT:CA-1992-06
Reference: URL:http://www.cert.org/advisories/CA-1992-06.html
Reference: OSVDB:891
Reference: URL:http://www.osvdb.org/891
Reference: XF:ibm-uucp(554)
Reference: URL:https://exchange.xforce.ibmcloud.com/vulnerabilities/554

Name: CVE-1999-1122

Description:

Vulnerability in restore in SunOS 4.0.3 and earlier allows local users to gain privileges.

Status:Entry
Reference: BID:3
Reference: URL:http://www.securityfocus.com/bid/3
Reference: CERT:CA-1989-02
Reference: URL:http://www.cert.org/advisories/CA-1989-02.html
Reference: CIAC:CIAC-08
Reference: URL:http://www.ciac.org/ciac/bulletins/ciac-08.shtml
Reference: SUNBUG:1019265
Reference: XF:sun-restore-gain-privileges(6695)
Reference: URL:https://exchange.xforce.ibmcloud.com/vulnerabilities/6695

Name: CVE-1999-1123

Description:

The installation of Sun Source (sunsrc) tapes allows local users to gain root privileges via setuid root programs (1) makeinstall or (2) winstall.

Status:Candidate
Phase: Proposed (20010912)
Reference: BID:21
Reference: URL:http://www.securityfocus.com/bid/21
Reference: BID:22
Reference: URL:http://www.securityfocus.com/bid/22
Reference: CERT:CA-1991-07
Reference: URL:http://www.cert.org/advisories/CA-1991-07.html
Reference: SUN:00107
Reference: URL:http://sunsolve.sun.com/pub-cgi/retrieve.pl?doctype=coll&doc=secbull/107&type=0&nav=sec.sba
Reference: XF:sun-sourcetapes(582)
Reference: URL:https://exchange.xforce.ibmcloud.com/vulnerabilities/582

Votes:
ACCEPT(5)  Cole, Dik, Foat, Frech, Stracener
NOOP(1)  Wall
Voter Comments:
Dik>  sun bug: 1059621

Name: CVE-1999-1124

Description:

HTTP Client application in ColdFusion allows remote attackers to bypass access restrictions for web pages on other ports by providing the target page to the mainframeset.cfm application, which requests the page from the server, making it look like the request is coming from the local host.

Status:Candidate
Phase: Proposed (20010912)
Reference: MISC:http://packetstorm.securify.com/mag/phrack/phrack54/P54-08

Votes:
ACCEPT(2)  Cole, Wall
NOOP(1)  Foat
Voter Comments:


Name: CVE-1999-1125

Description:

Oracle Webserver 2.1 and earlier runs setuid root, but the configuration file is owned by the oracle account, which allows any local or remote attacker who obtains access to the oracle account to gain privileges or modify arbitrary files by modifying the configuration file.

Status:Candidate
Phase: Proposed (20010912)
Reference: BUGTRAQ:19970919 Instresting practises of Oracle [Oracle Webserver]
Reference: URL:http://marc.info/?l=bugtraq&m=87602880019796&w=2

Votes:
MODIFY(1)  Frech
NOOP(2)  Cole, Foat
Voter Comments:
Frech>  XF:oracle-webserver-gain-root(7174)

Name: CVE-1999-1126

Description:

Cisco Resource Manager (CRM) 1.1 and earlier creates certain files with insecure permissions that allow local users to obtain sensitive configuration information including usernames, passwords, and SNMP community strings, from (1) swim_swd.log, (2) swim_debug.log, (3) dbi_debug.log, and (4) temporary files whose names begin with "DPR_".

Status:Candidate
Phase: Proposed (20010912)
Reference: CIAC:I-086
Reference: URL:http://ciac.llnl.gov/ciac/bulletins/i-086.shtml
Reference: CISCO:19980813 CRM Temporary File Vulnerability
Reference: URL:http://www.cisco.com/warp/public/770/crmtmp-pub.shtml
Reference: XF:cisco-crm-file-vuln(1575)
Reference: URL:https://exchange.xforce.ibmcloud.com/vulnerabilities/1575

Votes:
ACCEPT(5)  Armstrong, Cole, Foat, Frech, Stracener
NOOP(1)  Wall
REJECT(1)  Balinsky
Voter Comments:
Balinsky>  Duplicate of CVE-1999-1042

Name: CVE-1999-1127

Description:

Windows NT 4.0 does not properly shut down invalid named pipe RPC connections, which allows remote attackers to cause a denial of service (resource exhaustion) via a series of connections containing malformed data, aka the "Named Pipes Over RPC" vulnerability.

Status:Entry
Reference: MS:MS98-017
Reference: URL:https://docs.microsoft.com/en-us/security-updates/securitybulletins/1998/ms98-017
Reference: MSKB:Q195733
Reference: URL:http://support.microsoft.com/support/kb/articles/Q195/7/33.asp
Reference: XF:nt-spoolss(523)
Reference: URL:http://www.iss.net/security_center/static/523.php

Name: CVE-1999-1128

Description:

Internet Explorer 3.01 on Windows 95 allows remote malicious web sites to execute arbitrary commands via a .isp file, which is automatically downloaded and executed without prompting the user.

Status:Candidate
Phase: Proposed (20010912)
Reference: MISC:http://members.tripod.com/~unibyte/iebug3.htm
Reference: MISC:http://oliver.efri.hr/~crv/security/bugs/NT/ie3.html

Votes:
ACCEPT(1)  Cole
MODIFY(1)  Frech
NOOP(2)  Christey, Foat
Voter Comments:
Frech>  XF:http-ie-exec(462)
Christey>  DELREF MISC:http://oliver.efri.hr/~crv/security/bugs/NT/ie3.html
ADDREF MISC:http://focus.silversand.net/vulner/allbug/ie3.html

Name: CVE-1999-1129

Description:

Cisco Catalyst 2900 Virtual LAN (VLAN) switches allow remote attackers to inject 802.1q frames into another VLAN by forging the VLAN identifier in the trunking tag.

Status:Candidate
Phase: Proposed (20010912)
Reference: BID:615
Reference: URL:http://www.securityfocus.com/bid/615
Reference: BUGTRAQ:19990901 VLAN Security
Reference: URL:http://www.securityfocus.com/archive/1/26008
Reference: MISC:http://www.cisco.com/univercd/cc/td/doc/product/lan/28201900/1928v8x/eescg8x/aleakyv.htm
Reference: XF:cisco-catalyst-vlan-frames(3294)
Reference: URL:https://exchange.xforce.ibmcloud.com/vulnerabilities/3294

Votes:
ACCEPT(2)  Foat, Frech
NOOP(2)  Cole, Wall
Voter Comments:
CHANGE>  [Foat changed vote from NOOP to ACCEPT]

Name: CVE-1999-1130

Description:

Default configuration of the search engine in Netscape Enterprise Server 3.5.1, and possibly other versions, allows remote attackers to read the source of JHTML files by specifying a search command using the HTML-tocrec-demo1.pat pattern file.

Status:Candidate
Phase: Proposed (20010912)
Reference: BID:559
Reference: URL:http://www.securityfocus.com/bid/559
Reference: BUGTRAQ:19990730 Netscape Enterprise Server yeilds source of JHTML
Reference: URL:http://marc.info/?l=bugtraq&m=93346448121208&w=2
Reference: NTBUGTRAQ:19990730 Netscape Enterprise Server yeilds source of JHTML
Reference: URL:http://marc.info/?l=ntbugtraq&m=93337389603117&w=2

Votes:
ACCEPT(1)  Cole
MODIFY(1)  Frech
NOOP(2)  Foat, Wall
Voter Comments:
Frech>  XF:netscape-enterprise-view-jhtml(8352)

Name: CVE-1999-1131

Description:

Buffer overflow in OSF Distributed Computing Environment (DCE) security demon (secd) in IRIX 6.4 and earlier allows attackers to cause a denial of service via a long principal, group, or organization.

Status:Entry
Reference: CERT:VB-97.12
Reference: URL:http://www.cert.org/vendor_bulletins/VB-97.12.opengroup
Reference: CIAC:I-060
Reference: URL:http://ciac.llnl.gov/ciac/bulletins/i-060.shtml
Reference: SGI:19980601-01-PX
Reference: URL:ftp://patches.sgi.com/support/free/security/advisories/19980601-01-PX
Reference: XF:sgi-osf-dce-dos(1123)
Reference: URL:https://exchange.xforce.ibmcloud.com/vulnerabilities/1123

Name: CVE-1999-1132

Description:

Windows NT 4.0 allows remote attackers to cause a denial of service (crash) via extra source routing data such as (1) a Routing Information Field (RIF) field with a hop count greater than 7, or (2) a list containing duplicate Token Ring IDs.

Status:Entry
Reference: BUGTRAQ:19981005 NMRC Advisory - Lame NT Token Ring DoS
Reference: URL:http://marc.info/?l=bugtraq&m=90763508011966&w=2
Reference: MSKB:Q179157
Reference: URL:http://support.microsoft.com/support/kb/articles/Q179/1/57.asp
Reference: NTBUGTRAQ:19981002 NMRC Advisory - Lame NT Token Ring DoS
Reference: URL:http://marc.info/?l=ntbugtraq&m=90760603030452&w=2
Reference: XF:token-ring-dos(1399)
Reference: URL:http://www.iss.net/security_center/static/1399.php

Name: CVE-1999-1133

Description:

HP-UX 9.x and 10.x running X windows may allow local attackers to gain privileges via (1) vuefile, (2) vuepad, (3) dtfile, or (4) dtpad, which do not authenticate users.

Status:Candidate
Phase: Modified (20020217)
Reference: HP:HPSBUX9709-069
Reference: URL:http://marc.info/?l=bugtraq&m=87602880019776&w=2
Reference: XF:hp-vue-dt(499)
Reference: URL:https://exchange.xforce.ibmcloud.com/vulnerabilities/499

Votes:
ACCEPT(4)  Cole, Foat, Frech, Stracener
NOOP(1)  Christey
Voter Comments:
Christey>  CHANGEREF:  change XF reference to XF:hp-vue-dt(499)

Name: CVE-1999-1134

Description:

Vulnerability in Vue 3.0 in HP 9.x allows local users to gain root privileges, as fixed by PHSS_4038, PHSS_4055, and PHSS_4066.

Status:Candidate
Phase: Modified (20020217)
Reference: CIAC:E-23
Reference: URL:http://ciac.llnl.gov/ciac/bulletins/e-23.shtml
Reference: HP:HPSBUX9404-008
Reference: URL:http://packetstorm.securify.com/advisories/hpalert/008
Reference: XF:hp-vue(2284)
Reference: URL:http://www.iss.net/security_center/static/2284.php

Votes:
ACCEPT(3)  Cole, Foat, Stracener
MODIFY(1)  Frech
Voter Comments:
Frech>  XF:hp-vue(2284)
Packetstorm URL is dead. Try another archive.

Name: CVE-1999-1135

Description:

Vulnerability in VUE 3.0 in HP 9.x allows local users to gain root privileges, as fixed by PHSS_4994 and PHSS_5438.

Status:Candidate
Phase: Proposed (20010912)
Reference: HP:HPSBUX9504-027
Reference: URL:http://packetstorm.securify.com/advisories/hpalert/027
Reference: XF:hp-vue(2284)
Reference: URL:https://exchange.xforce.ibmcloud.com/vulnerabilities/2284

Votes:
ACCEPT(4)  Cole, Foat, Frech, Stracener
Voter Comments:


Name: CVE-1999-1136

Description:

Vulnerability in Predictive on HP-UX 11.0 and earlier, and MPE/iX 5.5 and earlier, allows attackers to compromise data transfer for Predictive messages (using e-mail or modem) between customer and Response Center Predictive systems.

Status:Entry
Reference: BUGTRAQ:19980729 HP-UX Predictive & Netscape SSL Vulnerabilities
Reference: URL:http://marc.info/?l=bugtraq&m=90221104526177&w=2
Reference: CIAC:I-081
Reference: URL:http://www.ciac.org/ciac/bulletins/i-081.shtml
Reference: HP:HPSBMP9807-005
Reference: URL:http://cert.ip-plus.net/bulletin-archive/msg00040.html
Reference: HP:HPSBUX9807-081
Reference: URL:http://www.codetalker.com/advisories/vendor/hp/hpsbux9807-081.html
Reference: XF:mpeix-predictive(1413)
Reference: URL:https://exchange.xforce.ibmcloud.com/vulnerabilities/1413

Name: CVE-1999-1137

Description:

The permissions for the /dev/audio device on Solaris 2.2 and earlier, and SunOS 4.1.x, allow any local user to read from the device, which could be used by an attacker to monitor conversations happening near a machine that has a microphone.

Status:Entry
Reference: CIAC:E-01
Reference: URL:http://www.ciac.org/ciac/bulletins/e-01.shtml
Reference: OSVDB:6436
Reference: URL:http://www.osvdb.org/6436
Reference: SUN:00122
Reference: URL:http://sunsolve.sun.com/pub-cgi/retrieve.pl?doctype=coll&doc=secbull/122&type=0&nav=sec.sba
Reference: XF:sun-audio(549)
Reference: URL:https://exchange.xforce.ibmcloud.com/vulnerabilities/549

Name: CVE-1999-1138

Description:

SCO UNIX System V/386 Release 3.2, and other SCO products, installs the home directories (1) /tmp for the dos user, and (2) /usr/tmp for the asg user, which allows other users to gain access to those accounts since /tmp and /usr/tmp are world-writable.

Status:Entry
Reference: CERT:CA-1993-13
Reference: URL:http://www.cert.org/advisories/CA-1993-13.html
Reference: XF:sco-homedir(546)
Reference: URL:https://exchange.xforce.ibmcloud.com/vulnerabilities/546

Name: CVE-1999-1139

Description:

Character-Terminal User Environment (CUE) in HP-UX 11.0 and earlier allows local users to overwrite arbitrary files and gain root privileges via a symlink attack on the IOERROR.mytty file.

Status:Entry
Reference: BUGTRAQ:19970901 HP UX Bug :)
Reference: URL:http://marc.info/?l=bugtraq&m=87602880019745&w=2
Reference: BUGTRAQ:19980121 HP-UX CUE, CUD and LAND vulnerabilities
Reference: URL:http://security-archive.merton.ox.ac.uk/bugtraq-199801/0122.html
Reference: CIAC:I-027B
Reference: URL:http://www.ciac.org/ciac/bulletins/i-027b.shtml
Reference: HP:HPSBUX9801-074
Reference: URL:http://www.codetalker.com/advisories/vendor/hp/hpsbux9801-074.html
Reference: XF:hp-cue(2007)
Reference: URL:http://www.iss.net/security_center/static/2007.php

Name: CVE-1999-1140

Description:

Buffer overflow in CrackLib 2.5 may allow local users to gain root privileges via a long GECOS field.

Status:Entry
Reference: BUGTRAQ:19971214 buffer overflows in cracklib?!
Reference: URL:http://marc.info/?l=bugtraq&m=88209041500913&w=2
Reference: CERT:VB-97.16
Reference: URL:http://www.cert.org/vendor_bulletins/VB-97.16.CrackLib
Reference: XF:cracklib-bo(1539)
Reference: URL:https://exchange.xforce.ibmcloud.com/vulnerabilities/1539

Name: CVE-1999-1141

Description:

Ascom Timeplex router allows remote attackers to obtain sensitive information or conduct unauthorized activities by entering debug mode through a sequence of CTRL-D characters.

Status:Candidate
Phase: Proposed (20010912)
Reference: BUGTRAQ:19970515 MicroSolved finds hole in Ascom Timeplex Router Security
Reference: URL:http://marc.info/?l=bugtraq&m=87602167420981&w=2
Reference: XF:ascom-timeplex-debug(1824)
Reference: URL:https://exchange.xforce.ibmcloud.com/vulnerabilities/1824

Votes:
ACCEPT(1)  Frech
NOOP(2)  Cole, Foat
Voter Comments:


Name: CVE-1999-1142

Description:

SunOS 4.1.2 and earlier allows local users to gain privileges via "LD_*" environmental variables to certain dynamically linked setuid or setgid programs such as (1) login, (2) su, or (3) sendmail, that change the real and effective user ids to the same user.

Status:Entry
Reference: CERT:CA-1992-11
Reference: URL:http://www.cert.org/advisories/CA-1992-11.html
Reference: SUN:00116
Reference: URL:http://sunsolve.sun.com/pub-cgi/retrieve.pl?doctype=coll&doc=secbull/116
Reference: XF:sun-env(3152)
Reference: URL:https://exchange.xforce.ibmcloud.com/vulnerabilities/3152

Name: CVE-1999-1143

Description:

Vulnerability in runtime linker program rld in SGI IRIX 6.x and earlier allows local users to gain privileges via setuid and setgid programs.

Status:Entry
Reference: CIAC:H-065
Reference: URL:http://ciac.llnl.gov/ciac/bulletins/h-65.shtml
Reference: SGI:19970504-01-PX
Reference: URL:ftp://patches.sgi.com/support/free/security/advisories/19970504-01-PX
Reference: XF:sgi-rld(2109)
Reference: URL:https://exchange.xforce.ibmcloud.com/vulnerabilities/2109

Name: CVE-1999-1144

Description:

Certain files in MPower in HP-UX 10.x are installed with insecure permissions, which allows local users to gain privileges.

Status:Entry
Reference: HP:HPSBUX9701-051
Reference: URL:http://www.codetalker.com/advisories/vendor/hp/hpsbux9701-051.html
Reference: XF:hp-mpower(2056)
Reference: URL:https://exchange.xforce.ibmcloud.com/vulnerabilities/2056

Name: CVE-1999-1145

Description:

Vulnerability in Glance programs in GlancePlus for HP-UX 10.20 and earlier allows local users to access arbitrary files and gain privileges.

Status:Entry
Reference: CIAC:H-21
Reference: URL:http://ciac.llnl.gov/ciac/bulletins/h-21.shtml
Reference: HP:HPSBUX9701-044
Reference: URL:http://www.securityfocus.com/templates/advisory.html?id=1514
Reference: XF:hp-glanceplus(2059)
Reference: URL:https://exchange.xforce.ibmcloud.com/vulnerabilities/2059

Name: CVE-1999-1146

Description:

Vulnerability in Glance and gpm programs in GlancePlus for HP-UX 9.x and earlier allows local users to access arbitrary files and gain privileges.

Status:Entry
Reference: HP:HPSBUX9405-011
Reference: URL:http://www.securityfocus.com/advisories/1555
Reference: XF:hp-glanceplus-gpm(2060)
Reference: URL:https://exchange.xforce.ibmcloud.com/vulnerabilities/2060

Name: CVE-1999-1147

Description:

Buffer overflow in Platinum Policy Compliance Manager (PCM) 7.0 allows remote attackers to execute arbitrary commands via a long string to the Agent port (1827), which is handled by smaxagent.exe.

Status:Entry
Reference: BUGTRAQ:19981204 [SAFER-981204.DOS.1.3] Buffer Overflow in Platinum PCM 7.0
Reference: URL:http://marc.info/?l=bugtraq&m=91273739726314&w=2
Reference: BUGTRAQ:19981207 Re: [SAFER-981204.DOS.1.3] Buffer Overflow in Platinum PCM 7.0
Reference: OSVDB:3164
Reference: URL:http://www.osvdb.org/3164
Reference: XF:pcm-dos-execute(1430)
Reference: URL:https://exchange.xforce.ibmcloud.com/vulnerabilities/1430

Name: CVE-1999-1148

Description:

FTP service in IIS 4.0 and earlier allows remote attackers to cause a denial of service (resource exhaustion) via many passive (PASV) connections at the same time.

Status:Entry
Reference: MS:MS98-006
Reference: URL:https://docs.microsoft.com/en-us/security-updates/securitybulletins/1998/ms98-006
Reference: MSKB:Q189262
Reference: URL:http://support.microsoft.com/support/kb/articles/Q189/2/62.ASP
Reference: XF:iis-passive-ftp(1215)
Reference: URL:https://exchange.xforce.ibmcloud.com/vulnerabilities/1215

Name: CVE-1999-1149

Description:

Buffer overflow in CSM Proxy 4.1 allows remote attackers to cause a denial of service (crash) via a long string to the FTP port.

Status:Candidate
Phase: Proposed (20010912)
Reference: BUGTRAQ:19980716 S.A.F.E.R. Security Bulletin 980708.DOS.1.1
Reference: URL:http://marc.info/?l=bugtraq&m=90221104525993&w=2
Reference: XF:csm-proxy-dos(1422)
Reference: URL:https://exchange.xforce.ibmcloud.com/vulnerabilities/1422

Votes:
ACCEPT(2)  Cole, Frech
NOOP(2)  Foat, Wall
Voter Comments:


Name: CVE-1999-1150

Description:

Livingston Portmaster routers running ComOS use the same initial sequence number (ISN) for TCP connections, which allows remote attackers to conduct spoofing and hijack TCP sessions.

Status:Candidate
Phase: Proposed (20010912)
Reference: BUGTRAQ:19980630 Livingston Portmaster - ISN generation is loosy!
Reference: URL:http://www.securityfocus.com/archive/1/9723
Reference: XF:portmaster-fixed-isn(1882)
Reference: URL:https://exchange.xforce.ibmcloud.com/vulnerabilities/1882

Votes:
ACCEPT(1)  Frech
NOOP(3)  Cole, Foat, Wall
Voter Comments:


Name: CVE-1999-1151

Description:

Compaq/Microcom 6000 Access Integrator does not cause a session timeout after prompting for a username or password, which allows remote attackers to cause a denial of service by connecting to the integrator without providing a username or password.

Status:Candidate
Phase: Proposed (20010912)
Reference: BUGTRAQ:19980603 Compaq/Microcom 6000 DoS + more
Reference: URL:http://marc.info/?l=bugtraq&m=90296493106214&w=2
Reference: XF:microcom-dos(2089)
Reference: URL:https://exchange.xforce.ibmcloud.com/vulnerabilities/2089

Votes:
ACCEPT(2)  Cole, Frech
NOOP(2)  Foat, Wall
Voter Comments:


Name: CVE-1999-1152

Description:

Compaq/Microcom 6000 Access Integrator does not disconnect a client after a certain number of failed login attempts, which allows remote attackers to guess usernames or passwords via a brute force attack.

Status:Candidate
Phase: Proposed (20010912)
Reference: BUGTRAQ:19980603 Compaq/Microcom 6000 DoS + more
Reference: URL:http://marc.info/?l=bugtraq&m=90296493106214&w=2

Votes:
MODIFY(1)  Frech
NOOP(3)  Cole, Foat, Wall
Voter Comments:
Frech>  XF:microcom-brute-force(7301)

Name: CVE-1999-1153

Description:

HAMcards Postcard CGI script 1.0 allows remote attackers to execute arbitrary commands via shell metacharacters in the recipient email address.

Status:Candidate
Phase: Proposed (20010912)
Reference: BUGTRAQ:19981109 Several new CGI vulnerabilities
Reference: URL:http://www.securityfocus.com/archive/1/11175
Reference: XF:cgi-perl-mail-programs(1400)
Reference: URL:https://exchange.xforce.ibmcloud.com/vulnerabilities/1400

Votes:
ACCEPT(2)  Cole, Frech
NOOP(2)  Foat, Wall
Voter Comments:


Name: CVE-1999-1154

Description:

LakeWeb Filemail CGI script allows remote attackers to execute arbitrary commands via shell metacharacters in the recipient email address.

Status:Candidate
Phase: Proposed (20010912)
Reference: BUGTRAQ:19981109 Several new CGI vulnerabilities
Reference: URL:http://www.securityfocus.com/archive/1/11175
Reference: MISC:http://lakeweb.com/scripts/
Reference: XF:cgi-perl-mail-programs(1400)
Reference: URL:https://exchange.xforce.ibmcloud.com/vulnerabilities/1400

Votes:
ACCEPT(2)  Cole, Frech
NOOP(3)  Christey, Foat, Wall
Voter Comments:
Christey>  I confirmed this problem via visual inspection of the
source code in http://www.lakeweb.com/scripts/filemail.zip
Line 82 has an insufficient check for shell metacharacters
that doesn't exclude semicolons.  Line 129 is the
call where the metacharacters are injected.

Need to add "filemail.pl" to the description.

Name: CVE-1999-1155

Description:

LakeWeb Mail List CGI script allows remote attackers to execute arbitrary commands via shell metacharacters in the recipient email address.

Status:Candidate
Phase: Proposed (20010912)
Reference: BUGTRAQ:19981109 Several new CGI vulnerabilities
Reference: URL:http://www.securityfocus.com/archive/1/11175
Reference: MISC:http://lakeweb.com/scripts/
Reference: XF:cgi-perl-mail-programs(1400)
Reference: URL:https://exchange.xforce.ibmcloud.com/vulnerabilities/1400

Votes:
ACCEPT(2)  Cole, Frech
NOOP(2)  Foat, Wall
Voter Comments:


Name: CVE-1999-1156

Description:

BisonWare FTP Server 4.1 and earlier allows remote attackers to cause a denial of service via a malformed PORT command that contains a non-numeric character and a large number of carriage returns.

Status:Entry
Reference: NTBUGTRAQ:19990517 Vulnerabilities in BisonWare FTP Server 3.5
Reference: XF:bisonware-port-crash(2254)
Reference: URL:https://exchange.xforce.ibmcloud.com/vulnerabilities/2254

Name: CVE-1999-1157

Description:

Tcpip.sys in Windows NT 4.0 before SP4 allows remote attackers to cause a denial of service via an ICMP Subnet Mask Address Request packet, when certain multiple IP addresses are bound to the same network interface.

Status:Entry
Reference: MSKB:Q192774
Reference: URL:http://support.microsoft.com/support/kb/articles/Q192/7/74.ASP
Reference: XF:tcpipsys-icmp-dos(3894)
Reference: URL:https://exchange.xforce.ibmcloud.com/vulnerabilities/3894

Name: CVE-1999-1158

Description:

Buffer overflow in (1) pluggable authentication module (PAM) on Solaris 2.5.1 and 2.5 and (2) unix_scheme in Solaris 2.4 and 2.3 allows local users to gain root privileges via programs that use these modules such as passwd, yppasswd, and nispasswd.

Status:Candidate
Phase: Proposed (20010912)
Reference: AUSCERT:AA-97.09
Reference: URL:ftp://ftp.auscert.org.au/pub/auscert/advisory/AA-97.09.Solaris.passwd.buffer.overrun.vul
Reference: SUN:00139
Reference: URL:http://sunsolve.sun.com/pub-cgi/retrieve.pl?doctype=coll&doc=secbull/139&type=0&nav=sec.sba

Votes:
ACCEPT(4)  Cole, Dik, Foat, Stracener
MODIFY(1)  Frech
RECAST(1)  Christey
Voter Comments:
Frech>  XF:solaris-pam-bo(7432)
Dik>  sun bug: 4018347
Christey>  These issues should be SPLIT per CD:SF-EXEC because the PAM
problem appears in different Solaris versions than
unix_scheme.

Name: CVE-1999-1159

Description:

SSH 2.0.11 and earlier allows local users to request remote forwarding from privileged ports without being root.

Status:Entry
Reference: BUGTRAQ:19981229 ssh2 security problem (and patch) (fwd)
Reference: URL:http://marc.info/?l=bugtraq&m=91495920911490&w=2
Reference: XF:ssh-privileged-port-forward(1471)
Reference: URL:https://exchange.xforce.ibmcloud.com/vulnerabilities/1471

Name: CVE-1999-1160

Description:

Vulnerability in ftpd/kftpd in HP-UX 10.x and 9.x allows local and possibly remote users to gain root privileges.

Status:Entry
Reference: CIAC:H-33
Reference: URL:http://ciac.llnl.gov/ciac/bulletins/h-33.shtml
Reference: HP:HPSBUX9702-055
Reference: URL:http://marc.info/?l=bugtraq&m=87602167420581&w=2
Reference: XF:hp-ftpd-kftpd(7437)
Reference: URL:http://www.iss.net/security_center/static/7437.php

Name: CVE-1999-1161

Description:

Vulnerability in ppl in HP-UX 10.x and earlier allows local users to gain root privileges by forcing ppl to core dump.

Status:Entry
Reference: AUSCERT:AA-97.07
Reference: BUGTRAQ:19961103 Re: Untitled
Reference: URL:http://marc.info/?l=bugtraq&m=87602167420102&w=2
Reference: BUGTRAQ:19961104 ppl bugs
Reference: URL:http://marc.info/?l=bugtraq&m=87602167420103&w=2
Reference: CIAC:H-32
Reference: URL:http://ciac.llnl.gov/ciac/bulletins/h-32.shtml
Reference: HP:HPSBUX9704-057
Reference: URL:http://www.codetalker.com/advisories/vendor/hp/hpsbux9704-057.html
Reference: XF:hp-ppl(7438)
Reference: URL:http://www.iss.net/security_center/static/7438.php

Name: CVE-1999-1162

Description:

Vulnerability in passwd in SCO UNIX 4.0 and earlier allows attackers to cause a denial of service by preventing users from being able to log into the system.

Status:Entry
Reference: CERT:CA-1993-08
Reference: URL:http://www.cert.org/advisories/CA-1993-08.html
Reference: XF:sco-passwd-deny(542)
Reference: URL:http://www.iss.net/security_center/static/542.php

Name: CVE-1999-1163

Description:

Vulnerability in HP Series 800 S/X/V Class servers allows remote attackers to gain access to the S/X/V Class console via the Service Support Processor (SSP) Teststation.

Status:Entry
Reference: HP:HPSBUX9911-105
Reference: URL:http://marc.info/?l=bugtraq&m=94347039929958&w=2
Reference: XF:hp-ssp(7439)
Reference: URL:http://www.iss.net/security_center/static/7439.php

Name: CVE-1999-1164

Description:

Microsoft Outlook client allows remote attackers to cause a denial of service by sending multiple email messages with the same X-UIDL headers, which causes Outlook to hang.

Status:Candidate
Phase: Proposed (20010912)
Reference: BUGTRAQ:19990625 Outlook denial of service
Reference: URL:http://marc.info/?l=bugtraq&m=93041631215856&w=2

Votes:
ACCEPT(1)  Wall
MODIFY(1)  Frech
NOOP(2)  Cole, Foat
Voter Comments:
Frech>  XF:outlook-xuidl-dos(8356)

Name: CVE-1999-1165

Description:

GNU fingerd 1.37 does not properly drop privileges before accessing user information, which could allow local users to (1) gain root privileges via a malicious program in the .fingerrc file, or (2) read arbitrary files via symbolic links from .plan, .forward, or .project files.

Status:Candidate
Phase: Proposed (20010912)
Reference: BID:535
Reference: URL:http://www.securityfocus.com/bid/535
Reference: BUGTRAQ:19950317 GNU finger 1.37 executes ~/.fingerrc with gid root
Reference: URL:http://www.securityfocus.com/archive/1/2478
Reference: BUGTRAQ:19990721 old gnu finger bugs
Reference: URL:http://marc.info/?l=bugtraq&m=93268249021561&w=2

Votes:
MODIFY(1)  Frech
NOOP(2)  Cole, Foat
Voter Comments:
Frech>  XF:gnu-finger-privilege-dropping(7175)

Name: CVE-1999-1166

Description:

Linux 2.0.37 does not properly encode the Custom segment limit, which allows local users to gain root privileges by accessing and modifying kernel memory.

Status:Candidate
Phase: Proposed (20010912)
Reference: BID:523
Reference: URL:http://www.securityfocus.com/bid/523
Reference: BUGTRAQ:19990711 Linux 2.0.37 segment limit bug
Reference: URL:http://www.securityfocus.com/archive/1/18156

Votes:
MODIFY(1)  Frech
NOOP(3)  Cole, Foat, Wall
Voter Comments:
Frech>  (Task 2253)
CHANGE>  [Frech changed vote from REVIEWING to MODIFY]
Frech>  XF:linux-segment-limit-privileges(11202)

Name: CVE-1999-1167

Description:

Cross-site scripting vulnerability in Third Voice Web annotation utility allows remote users to read sensitive data and generate fake web pages for other Third Voice users by injecting malicious Javascript into an annotation.

Status:Entry
Reference: CONFIRM:http://www.wired.com/news/technology/0,1282,20677,00.html
Reference: MISC:http://www.wired.com/news/technology/0,1282,20636,00.html
Reference: XF:thirdvoice-cross-site-scripting(7252)
Reference: URL:http://www.iss.net/security_center/static/7252.php

Name: CVE-1999-1168

Description:

install.iss installation script for Internet Security Scanner (ISS) for Linux, version 5.3, allows local users to change the permissions of arbitrary files via a symlink attack on a temporary file.

Status:Candidate
Phase: Proposed (20010912)
Reference: BUGTRAQ:19990220 ISS install.iss security hole
Reference: URL:http://www.securityfocus.com/archive/1/12640

Votes:
MODIFY(1)  Frech
NOOP(3)  Cole, Foat, Wall
Voter Comments:
Frech>  XF:iss-temp-files(1793)
ADDREF:http://www.securityfocus.com/archive/1/12679

Name: CVE-1999-1169

Description:

nobo 1.2 allows remote attackers to cause a denial of service (crash) via a series of large UDP packets.

Status:Candidate
Phase: Proposed (20010912)
Reference: BUGTRAQ:19990204 NOBO denial of service
Reference: URL:http://www.securityfocus.com/archive/1/12284

Votes:
ACCEPT(1)  Foat
MODIFY(1)  Frech
NOOP(2)  Cole, Wall
Voter Comments:
Frech>  XF:nobo-udp-packet-dos(7502)
ADDREF:http://www.securityfocus.com/archive/1/12378
ADDREF:http://web.cip.com.br/nobo/mudancas_en.html

Name: CVE-1999-1170

Description:

IPswitch IMail allows local users to gain additional privileges and modify or add mail accounts by setting the "flags" registry key to 1920.

Status:Candidate
Phase: Proposed (20010912)
Reference: BID:218
Reference: URL:http://www.securityfocus.com/bid/218
Reference: NTBUGTRAQ:19990204 WS FTP Server Remote DoS Attack
Reference: URL:http://marc.info/?l=ntbugtraq&m=91816507920544&w=2

Votes:
MODIFY(1)  Frech
NOOP(3)  Cole, Foat, Wall
Voter Comments:
Frech>  XF:imail-registry(1725)

Name: CVE-1999-1171

Description:

IPswitch WS_FTP allows local users to gain additional privileges and modify or add mail accounts by setting the "flags" registry key to 1920.

Status:Candidate
Phase: Proposed (20010912)
Reference: BID:218
Reference: URL:http://www.securityfocus.com/bid/218
Reference: NTBUGTRAQ:19990204 WS FTP Server Remote DoS Attack
Reference: URL:http://marc.info/?l=ntbugtraq&m=91816507920544&w=2

Votes:
MODIFY(1)  Frech
NOOP(3)  Cole, Foat, Wall
Voter Comments:
Frech>  XF:wsftp-registry(1726)

Name: CVE-1999-1172

Description:

By design, Maximizer Enterprise 4 calendar and address book program allows arbitrary users to modify the calendar of other users when the calendar is being shared.

Status:Candidate
Phase: Proposed (20010912)
Reference: BUGTRAQ:19990114 security hole in Maximizer
Reference: URL:http://www.securityfocus.com/archive/1/11947

Votes:
MODIFY(1)  Frech
NOOP(3)  Cole, Foat, Wall
REVIEWING(1)  Christey
Voter Comments:
Christey>  The discloser does not provide enough details to fully
understand what the problem is.  This makes it difficult
because if Maximizer has a concept of "users" and it is
designed to allow any user to modify any other user's data,
then this would not be a vulnerability or exposure, unless
that "cross-user" capability could be used to violate system
integrity, data confidentiality, or the like.  There are some
features of Maximizer 6.0 that, if abused, could allow someone
to do some bad things.  For example, an attacker could modify
the email addresses for contacts to redirect sales to
locations besides the customer.  There's also a capability of
assigning priorities and alarms, which could be susceptible to
an "inconvenience attack" at the very least, as well as
tie-ins to e-commerce capabilities.

The critical question becomes: "how is this data shared" in
the first place?  If it's through a network share or other
distribution method besides transferring the complete database
between sites, then this may be accessible to any attacker who
can mimic a Maximizer client (if there is such a thing as a
client), and this could be a vulnerability or exposure
according to the CVE definition.

However, since the Maximizer functionality is unknown to me
and not readily apparent from product documentation, it's hard
to know what to do about this one.
CHANGE>  [Frech changed vote from REVIEWING to MODIFY]
Frech>  XF:maximizer-enterprise-calendar-modification(7590)

Name: CVE-1999-1173

Description:

Corel Word Perfect 8 for Linux creates a temporary working directory with world-writable permissions, which allows local users to (1) modify Word Perfect behavior by modifying files in the working directory, or (2) modify files of other users via a symlink attack.

Status:Candidate
Phase: Proposed (20010912)
Reference: BUGTRAQ:19981218 wordperfect 8 for linux security
Reference: URL:http://marc.info/?l=bugtraq&m=91404045014047&w=2

Votes:
NOOP(3)  Cole, Foat, Wall
Voter Comments:


Name: CVE-1999-1174

Description:

ZIP drive for Iomega ZIP-100 disks allows attackers with physical access to the drive to bypass password protection by inserting a known disk with a known password, waiting for the ZIP drive to power down, manually replacing the known disk with the target disk, and using the known password to access the target disk.

Status:Candidate
Phase: Proposed (20010912)
Reference: MISC:http://www.counterpane.com/crypto-gram-9812.html#doghouse

Votes:
ACCEPT(1)  Cole
NOOP(2)  Foat, Wall
Voter Comments:


Name: CVE-1999-1175

Description:

Web Cache Control Protocol (WCCP) in Cisco Cache Engine for Cisco IOS 11.2 and earlier does not use authentication, which allows remote attackers to redirect HTTP traffic to arbitrary hosts via WCCP packets to UDP port 2048.

Status:Entry
Reference: CIAC:I-054
Reference: URL:http://www.ciac.org/ciac/bulletins/i-054.shtml
Reference: CISCO:19980513 Cisco Web Cache Control Protocol Router Vulnerability
Reference: URL:http://www.cisco.com/warp/public/770/wccpauth-pub.shtml
Reference: XF:cisco-wccp-vuln(1577)
Reference: URL:https://exchange.xforce.ibmcloud.com/vulnerabilities/1577

Name: CVE-1999-1176

Description:

Buffer overflow in cidentd ident daemon allows local users to gain root privileges via a long line in the .authlie script.

Status:Candidate
Phase: Proposed (20010912)
Reference: BUGTRAQ:19980110 Cidentd
Reference: URL:http://marc.info/?l=bugtraq&m=88466930416716&w=2
Reference: BUGTRAQ:19980911 Re: security problems with jidentd
Reference: URL:http://marc.info/?l=bugtraq&m=90554230925545&w=2
Reference: MISC:http://spisa.act.uji.es/spi/progs/codigo/www.hack.co.za/exploits/daemon/ident/cidentd.c

Votes:
MODIFY(1)  Frech
NOOP(3)  Cole, Foat, Wall
Voter Comments:
Frech>  XF:cidentd-authlie-bo(7327)

Name: CVE-1999-1177

Description:

Directory traversal vulnerability in nph-publish before 1.2 allows remote attackers to overwrite arbitrary files via a .. (dot dot) in the pathname for an upload operation.

Status:Entry
Reference: CONFIRM:http://www-genome.wi.mit.edu/WWW/tools/CGI_scripts/server_publish/nph-publish
Reference: MISC:http://www.w3.org/Security/Faq/wwwsf4.html
Reference: XF:http-cgi-nphpublish(2055)
Reference: URL:https://exchange.xforce.ibmcloud.com/vulnerabilities/2055

Name: CVE-1999-1178

Description:

Sambar Server 4.1 beta allows remote attackers to obtain sensitive information about the server via an HTTP request for the dumpenv.pl script.

Status:Candidate
Phase: Proposed (20010912)
Reference: BUGTRAQ:19980610 Sambar Server Beta BUG..
Reference: URL:http://www.securityfocus.com/archive/1/9505
Reference: XF:sambar-dump-env(3223)
Reference: URL:https://exchange.xforce.ibmcloud.com/vulnerabilities/3223

Votes:
ACCEPT(1)  Frech
NOOP(3)  Cole, Foat, Wall
Voter Comments:


Name: CVE-1999-1179

Description:

Vulnerability in man.sh CGI script, included in May 1998 issue of SysAdmin Magazine, allows remote attackers to execute arbitrary commands.

Status:Candidate
Phase: Proposed (20010912)
Reference: BUGTRAQ:19980515 May SysAdmin man.sh security hole
Reference: URL:http://www.securityfocus.com/archive/1/9330

Votes:
MODIFY(1)  Frech
NOOP(3)  Cole, Foat, Wall
Voter Comments:
Frech>  XF:mansh-execute-commands(7328)

Name: CVE-1999-1180

Description:

O'Reilly WebSite 1.1e and Website Pro 2.0 allows remote attackers to execute arbitrary commands via shell metacharacters in an argument to (1) args.cmd or (2) args.bat.

Status:Candidate
Phase: Proposed (20010912)
Reference: BUGTRAQ:19990216 Website Pro v2.0 (NT) Configuration Issues
Reference: URL:http://www.tryc.on.ca/archives/bugtraq/1999_1/0612.html
Reference: MISC:http://oliver.efri.hr/~crv/security/bugs/NT/buffer.html

Votes:
ACCEPT(1)  Wall
MODIFY(1)  Frech
NOOP(3)  Christey, Cole, Foat
Voter Comments:
Christey>  DELREF MISC:http://oliver.efri.hr/~crv/security/bugs/NT/buffer.html
ADDREF MISC:http://focus.silversand.net/vulner/allbug/buffer.html
Frech>  XF:website-pro-args-commands(7529)

Name: CVE-1999-1181

Description:

Vulnerability in On-Line Customer Registration software for IRIX 6.2 through 6.4 allows local users to gain root privileges.

Status:Entry
Reference: CIAC:J-003
Reference: URL:http://ciac.llnl.gov/ciac/bulletins/j-003.shtml
Reference: SGI:19980901-01-PX
Reference: URL:ftp://patches.sgi.com/support/free/security/advisories/19980901-01-PX
Reference: XF:irix-register(7441)
Reference: URL:http://www.iss.net/security_center/static/7441.php

Name: CVE-1999-1182

Description:

Buffer overflow in run-time linkers (1) ld.so or (2) ld-linux.so for Linux systems allows local users to gain privileges by calling a setuid program with a long program name (argv[0]) and forcing ld.so/ld-linux.so to report an error.

Status:Candidate
Phase: Proposed (20010912)
Reference: BUGTRAQ:19970717 KSR[T] Advisory #2: ld.so
Reference: URL:http://marc.info/?l=bugtraq&m=87602661419318&w=2
Reference: BUGTRAQ:19970722 ld.so vulnerability
Reference: URL:http://marc.info/?l=bugtraq&m=87602661419351&w=2
Reference: BUGTRAQ:19980204 An old ld-linux.so hole
Reference: URL:http://marc.info/?l=bugtraq&m=88661732807795&w=2

Votes:
NOOP(2)  Cole, Foat
Voter Comments:


Name: CVE-1999-1183

Description:

System Manager sysmgr GUI in SGI IRIX 6.4 and 6.3 allows remote attackers to execute commands by providing a trojan horse (1) runtask or (2) runexec descriptor file, which is used to execute a System Manager Task when the user's Mailcap entry supports the x-sgi-task or x-sgi-exec type.

Status:Candidate
Phase: Modified (20060705)
Reference: OSVDB:8556
Reference: URL:http://www.osvdb.org/8556
Reference: SGI:19980403-01-PX
Reference: URL:ftp://patches.sgi.com/support/free/security/advisories/19980403-01-PX
Reference: SGI:19980403-02-PX
Reference: URL:ftp://patches.sgi.com/support/free/security/advisories/19980403-02-PX
Reference: XF:sgi-mailcap(809)
Reference: URL:http://www.iss.net/security_center/static/809.php

Votes:
ACCEPT(3)  Cole, Foat, Stracener
MODIFY(1)  Frech
Voter Comments:
Frech>  XF:sgi-mailcap(809)

Name: CVE-1999-1184

Description:

Buffer overflow in Elm 2.4 and earlier allows local users to gain privileges via a long TERM environmental variable.

Status:Candidate
Phase: Proposed (20010912)
Reference: BUGTRAQ:19970513
Reference: URL:http://marc.info/?l=bugtraq&m=87602167420967&w=2
Reference: BUGTRAQ:19970514 Re: ELM overflow
Reference: URL:http://marc.info/?l=bugtraq&m=87602167420970&w=2

Votes:
MODIFY(1)  Frech
NOOP(2)  Cole, Foat
Voter Comments:
Frech>  XF:elm-term-bo(7183)

Name: CVE-1999-1185

Description:

Buffer overflow in SCO mscreen allows local users to gain root privileges via a long terminal entry (TERM) in the .mscreenrc file.

Status:Candidate
Phase: Proposed (20010912)
Reference: BUGTRAQ:19980827 SCO mscreen vul.
Reference: BUGTRAQ:19980926 Root exploit for SCO OpenServer.
Reference: URL:http://marc.info/?l=bugtraq&m=90686250717719&w=2
Reference: CERT:VB-98.10
Reference: SCO:98.05
Reference: XF:sco-openserver-mscreen-bo(1379)
Reference: URL:https://exchange.xforce.ibmcloud.com/vulnerabilities/1379

Votes:
ACCEPT(4)  Cole, Foat, Frech, Stracener
NOOP(1)  Wall
REVIEWING(1)  Christey
Voter Comments:
Frech>  Possible dupe on CVE-1999-1041.
Christey>  Possible dupe with CVE-1999-1041.

Name: CVE-1999-1186

Description:

rxvt, when compiled with the PRINT_PIPE option in various Linux operating systems including Linux Slackware 3.0 and RedHat 2.1, allows local users to gain root privileges by specifying a malicious program using the -print-pipe command line parameter.

Status:Candidate
Phase: Proposed (20010912)
Reference: BUGTRAQ:19960102 rxvt security hole
Reference: URL:http://marc.info/?l=bugtraq&m=87602167418966&w=2

Votes:
MODIFY(1)  Frech
NOOP(2)  Cole, Foat
Voter Comments:
Frech>  XF:rxvtpipe(425)

Name: CVE-1999-1187

Description:

Pine before version 3.94 allows local users to gain privileges via a symlink attack on a lockfile that is created when a user receives new mail.

Status:Candidate
Phase: Proposed (20010912)
Reference: BUGTRAQ:19960826 [BUG] Vulnerability in PINE
Reference: URL:http://marc.info/?l=bugtraq&m=87602167419803&w=2
Reference: XF:pine-tmpfile(416)
Reference: URL:https://exchange.xforce.ibmcloud.com/vulnerabilities/416

Votes:
ACCEPT(1)  Frech
NOOP(2)  Cole, Foat
Voter Comments:
Frech>  CONFIRM:http://www.washington.edu/pine/changes.html

Name: CVE-1999-1188

Description:

mysqld in MySQL 3.21 creates log files with world-readable permissions, which allows local users to obtain passwords for users who are added to the user database.

Status:Entry
Reference: BUGTRAQ:19981227 mysql: mysqld creates world readable logs..
Reference: URL:http://marc.info/?l=bugtraq&m=91479159617803&w=2
Reference: XF:mysql-readable-log-files(1568)
Reference: URL:https://exchange.xforce.ibmcloud.com/vulnerabilities/1568

Name: CVE-1999-1189

Description:

Buffer overflow in Netscape Navigator/Communicator 4.7 for Windows 95 and Windows 98 allows remote attackers to cause a denial of service, and possibly execute arbitrary commands, via a long argument after the ? character in a URL that references an .asp, .cgi, .html, or .pl file.

Status:Entry
Reference: BID:822
Reference: URL:http://www.securityfocus.com/bid/822
Reference: BUGTRAQ:19991124 Netscape Communicator 4.7 - Navigator Overflows
Reference: URL:http://www.securityfocus.com/archive/1/36306
Reference: BUGTRAQ:19991127 Netscape Communicator 4.7 - Navigator Overflows
Reference: URL:http://www.securityfocus.com/archive/1/36608
Reference: XF:netscape-long-argument-bo(7884)
Reference: URL:https://exchange.xforce.ibmcloud.com/vulnerabilities/7884

Name: CVE-1999-1190

Description:

Buffer overflow in POP3 server of Admiral Systems EmailClub 1.05 allows remote attackers to execute arbitrary commands via a long "From" header in an e-mail message.

Status:Candidate
Phase: Proposed (20010912)
Reference: BID:801
Reference: URL:http://www.securityfocus.com/bid/801
Reference: MISC:http://www.securiteam.com/exploits/E-MailClub__FROM__remote_buffer_overflow.html

Votes:
MODIFY(1)  Frech
NOOP(3)  Cole, Foat, Wall
Voter Comments:
Frech>  XF:emailclub-pop3-from-bo(7873)

Name: CVE-1999-1191

Description:

Buffer overflow in chkey in Solaris 2.5.1 and earlier allows local users to gain root privileges via a long command line argument.

Status:Entry
Reference: AUSCERT:AA-97.18
Reference: URL:ftp://ftp.auscert.org.au/pub/auscert/advisory/AA-97.18.solaris.chkey.buffer.overflow.vul
Reference: BID:207
Reference: URL:http://www.securityfocus.com/bid/207
Reference: BUGTRAQ:19970519 Re: Finally, most of an exploit for Solaris 2.5.1's ps.
Reference: URL:http://marc.info/?l=bugtraq&m=87602167418335&w=2
Reference: SUN:00144
Reference: URL:http://sunsolve.sun.com/pub-cgi/retrieve.pl?doctype=coll&doc=secbull/144
Reference: XF:solaris-chkey-bo(7442)
Reference: URL:http://www.iss.net/security_center/static/7442.php

Name: CVE-1999-1192

Description:

Buffer overflow in eeprom in Solaris 2.5.1 and earlier allows local users to gain root privileges via a long command line argument.

Status:Entry
Reference: BID:206
Reference: URL:http://www.securityfocus.com/bid/206
Reference: SUN:00143
Reference: URL:http://sunsolve.sun.com/pub-cgi/retrieve.pl?doctype=coll&doc=secbull/143
Reference: XF:solaris-eeprom-bo(7444)
Reference: URL:http://www.iss.net/security_center/static/7444.php

Name: CVE-1999-1193

Description:

The "me" user in NeXT NeXTstep 2.1 and earlier has wheel group privileges, which could allow the me user to use the su command to become root.

Status:Entry
Reference: BID:20
Reference: URL:http://www.securityfocus.com/bid/20
Reference: CERT:CA-1991-06
Reference: URL:http://www.cert.org/advisories/CA-1991-06.html
Reference: XF:next-me(581)
Reference: URL:https://exchange.xforce.ibmcloud.com/vulnerabilities/581

Name: CVE-1999-1194

Description:

chroot in Digital Ultrix 4.1 and 4.0 is insecurely installed, which allows local users to gain privileges.

Status:Entry
Reference: BID:17
Reference: URL:http://www.securityfocus.com/bid/17
Reference: CERT:CA-1991-05
Reference: URL:http://www.cert.org/advisories/CA-1991-05.html
Reference: XF:dec-chroot(577)
Reference: URL:https://exchange.xforce.ibmcloud.com/vulnerabilities/577

Name: CVE-1999-1195

Description:

NAI VirusScan NT 4.0.2 does not properly modify the scan.dat virus definition file during an update via FTP, but it reports that the update was successful, which could cause a system administrator to believe that the definitions have been updated correctly.

Status:Candidate
Phase: Proposed (20010912)
Reference: BID:169
Reference: URL:http://www.securityfocus.com/bid/169
Reference: BUGTRAQ:19990505 NAI AntiVirus Update Problem
Reference: URL:http://marc.info/?l=bugtraq&m=92588169005196&w=2
Reference: NTBUGTRAQ:19990505 NAI AntiVirus Update Problem
Reference: URL:http://marc.info/?l=ntbugtraq&m=92587579032534&w=2

Votes:
MODIFY(1)  Frech
NOOP(3)  Cole, Foat, Wall
Voter Comments:
Frech>  XF:virusscan-ftp-update(8387)

Name: CVE-1999-1196

Description:

Hummingbird Exceed X version 5 allows remote attackers to cause a denial of service via malformed data to port 6000.

Status:Candidate
Phase: Proposed (20010912)
Reference: BID:158
Reference: URL:http://www.securityfocus.com/bid/158
Reference: BUGTRAQ:19990427 NT/Exceed D.O.S.
Reference: URL:http://www.securityfocus.com/archive/1/13451

Votes:
MODIFY(1)  Frech
NOOP(3)  Cole, Foat, Wall
Voter Comments:
Frech>  XF:exceed-xserver-dos(7530)

Name: CVE-1999-1197

Description:

TIOCCONS in SunOS 4.1.1 does not properly check the permissions of a user who tries to redirect console output and input, which could allow a local user to gain privileges.

Status:Entry
Reference: BID:14
Reference: URL:http://www.securityfocus.com/bid/14
Reference: CERT:CA-1990-12
Reference: URL:http://www.cert.org/advisories/CA-1990-12.html
Reference: XF:sunos-tioccons-console-redirection(7140)
Reference: URL:http://www.iss.net/security_center/static/7140.php

Name: CVE-1999-1198

Description:

BuildDisk program on NeXT systems before 2.0 does not prompt users for the root password, which allows local users to gain root privileges.

Status:Entry
Reference: BID:11
Reference: URL:http://www.securityfocus.com/bid/11
Reference: CERT:CA-1990-06
Reference: URL:http://www.cert.org/advisories/CA-1990-06.html
Reference: CIAC:B-01
Reference: URL:http://ciac.llnl.gov/ciac/bulletins/b-01.shtml
Reference: XF:nextstep-builddisk-root-access(7141)
Reference: URL:http://www.iss.net/security_center/static/7141.php

Name: CVE-1999-1199

Description:

Apache WWW server 1.3.1 and earlier allows remote attackers to cause a denial of service (resource exhaustion) via a large number of MIME headers with the same name, aka the "sioux" vulnerability.

Status:Entry
Reference: BUGTRAQ:19980807 YA Apache DoS attack
Reference: URL:http://marc.info/?l=bugtraq&m=90252779826784&w=2
Reference: BUGTRAQ:19980808 Debian Apache Security Update
Reference: URL:http://marc.info/?l=bugtraq&m=90276683825862&w=2
Reference: BUGTRAQ:19980810 Apache DoS Attack
Reference: URL:http://marc.info/?l=bugtraq&m=90286768232093&w=2
Reference: BUGTRAQ:19980811 Apache 'sioux' DOS fix for TurboLinux
Reference: URL:http://marc.info/?l=bugtraq&m=90280517007869&w=2
Reference: CONFIRM:http://www.redhat.com/support/errata/rh51-errata-general.html#apache

Name: CVE-1999-1200

Description:

Vintra SMTP MailServer allows remote attackers to cause a denial of service via a malformed "EXPN *@" command.

Status:Candidate
Phase: Proposed (20010912)
Reference: NTBUGTRAQ:19980720 DOS in Vintra systems Mailserver software.
Reference: URL:http://marc.info/?l=ntbugtraq&m=90222454131610&w=2
Reference: XF:vintra-mail-dos(1617)
Reference: URL:https://exchange.xforce.ibmcloud.com/vulnerabilities/1617

Votes:
ACCEPT(2)  Cole, Frech
NOOP(2)  Foat, Wall
Voter Comments:


Name: CVE-1999-1201

Description:

Windows 95 and Windows 98 systems, when configured with multiple TCP/IP stacks bound to the same MAC address, allow remote attackers to cause a denial of service (traffic amplification) via a certain ICMP echo (ping) packet, which causes all stacks to send a ping response, aka TCP Chorusing.

Status:Entry
Reference: BID:225
Reference: URL:http://www.securityfocus.com/bid/225
Reference: NTBUGTRAQ:19990206 New Windows 9x Bug: TCP Chorusing
Reference: URL:http://marc.info/?l=ntbugtraq&m=91849617221319&w=2
Reference: XF:win-multiple-ip-dos(7542)
Reference: URL:https://exchange.xforce.ibmcloud.com/vulnerabilities/7542

Name: CVE-1999-1202

Description:

StarTech (1) POP3 proxy server and (2) telnet server allows remote attackers to cause a denial of service via a long USER command.

Status:Candidate
Phase: Proposed (20010912)
Reference: BUGTRAQ:19980703 Windows95 Proxy DoS Vulnerabilites
Reference: URL:http://marc.info/?l=bugtraq&m=90221104525873&w=2
Reference: XF:startech-pop3-overflow(2088)
Reference: URL:https://exchange.xforce.ibmcloud.com/vulnerabilities/2088

Votes:
ACCEPT(1)  Frech
NOOP(3)  Cole, Foat, Wall
Voter Comments:


Name: CVE-1999-1203

Description:

Multilink PPP for ISDN dialup users in Ascend before 4.6 allows remote attackers to cause a denial of service via a spoofed endpoint identifier.

Status:Entry
Reference: BUGTRAQ:19990210 Security problems in ISDN equipment authentication
Reference: URL:http://marc.info/?l=bugtraq&m=91868964203769&w=2
Reference: BUGTRAQ:19990212 PPP/ISDN multilink security issue - summary
Reference: URL:http://marc.info/?l=bugtraq&m=91888117502765&w=2
Reference: XF:ascend-ppp-isdn-dos(7498)
Reference: URL:http://www.iss.net/security_center/static/7498.php

Name: CVE-1999-1204

Description:

Check Point Firewall-1 does not properly handle certain restricted keywords (e.g., Mail, auth, time) in user-defined objects, which could produce a rule with a default "ANY" address and result in access to more systems than intended by the administrator.

Status:Entry
Reference: BUGTRAQ:19980511 Firewall-1 Reserved Keywords Vulnerability
Reference: URL:http://marc.info/?l=bugtraq&m=90221101925912&w=2
Reference: CONFIRM:http://www.checkpoint.com/techsupport/config/keywords.html
Reference: OSVDB:4416
Reference: URL:http://www.osvdb.org/4416
Reference: XF:fw1-user-defined-keywords-access(7293)
Reference: URL:https://exchange.xforce.ibmcloud.com/vulnerabilities/7293

Name: CVE-1999-1205

Description:

nettune in HP-UX 10.01 and 10.00 is installed setuid root, which allows local users to cause a denial of service by modifying critical networking configuration information.

Status:Entry
Reference: BUGTRAQ:19960607 HP-UX B.10.01 vulnerability
Reference: URL:http://marc.info/?l=bugtraq&m=87602167419195&w=2
Reference: CIAC:G-34
Reference: HP:HPSBUX9607-035
Reference: URL:http://packetstormsecurity.org/advisories/ibm-ers/96-08
Reference: XF:hp-nettune(414)
Reference: URL:https://exchange.xforce.ibmcloud.com/vulnerabilities/414

Name: CVE-1999-1206

Description:

SystemSoft SystemWizard package in HP Pavilion PC with Windows 98, and possibly other platforms and operating systems, installs two ActiveX controls that are marked as safe for scripting, which allows remote attackers to execute arbitrary commands via a malicious web page that references (1) the Launch control, or (2) the RegObj control.

Status:Candidate
Phase: Proposed (20010912)
Reference: BID:555
Reference: URL:http://www.securityfocus.com/bid/555
Reference: BUGTRAQ:19990729 New ActiveX security problems in Windows 98 PCs
Reference: URL:http://marc.info/?l=bugtraq&m=93336970231857&w=2
Reference: CONFIRM:http://www.systemsoft.com/l-2/l-3/support-systemwizard.htm

Votes:
ACCEPT(4)  Armstrong, Cole, Foat, Stracener
MODIFY(1)  Frech
NOOP(2)  Christey, Wall
Voter Comments:
Frech>  XF:systemwizard-modify-registry(7080)
Christey>  CERT-VN:VU#22919
URL:http://www.kb.cert.org/vuls/id/22919
CERT-VN:VU#34453
URL:http://www.kb.cert.org/vuls/id/34453

Name: CVE-1999-1207

Description:

Buffer overflow in web-admin tool in NetXRay 2.6 allows remote attackers to cause a denial of service, and possibly execute arbitrary commands, via a long HTTP request.

Status:Candidate
Phase: Proposed (20010912)
Reference: MISC:http://www.efri.hr/~crv/security/bugs/NT/netxtray.html
Reference: XF:netxray-bo(907)
Reference: URL:https://exchange.xforce.ibmcloud.com/vulnerabilities/907

Votes:
ACCEPT(1)  Frech
NOOP(3)  Cole, Foat, Wall
Voter Comments:


Name: CVE-1999-1208

Description:

Buffer overflow in ping in AIX 4.2 and earlier allows local users to gain root privileges via a long command line argument.

Status:Entry
Reference: BUGTRAQ:19970721 AIX ping (Exploit)
Reference: URL:http://marc.info/?l=bugtraq&m=87602661419330&w=2
Reference: BUGTRAQ:19970721 AIX ping, lchangelv, xlock fixes
Reference: URL:http://marc.info/?l=bugtraq&m=87602661419337&w=2
Reference: XF:ping-bo(803)
Reference: URL:https://exchange.xforce.ibmcloud.com/vulnerabilities/803

Name: CVE-1999-1209

Description:

Vulnerability in scoterm in SCO OpenServer 5.0 and SCO Open Desktop/Open Server 3.0 allows local users to gain root privileges.

Status:Entry
Reference: BUGTRAQ:19971204 scoterm exploit
Reference: URL:http://marc.info/?l=bugtraq&m=88131151000069&w=2
Reference: CERT:VB-97.14
Reference: URL:http://www.cert.org/vendor_bulletins/VB-97.14.scoterm
Reference: XF:sco-scoterm(690)
Reference: URL:https://exchange.xforce.ibmcloud.com/vulnerabilities/690

Name: CVE-1999-1210

Description:

xterm in Digital UNIX 4.0B *with* patch kit 5 allows local users to overwrite arbitrary files via a symlink attack on a core dump file, which is created when xterm is called with a DISPLAY environmental variable set to a display that xterm cannot access.

Status:Candidate
Phase: Proposed (20010912)
Reference: BUGTRAQ:19971112 Digital Unix Security Problem
Reference: URL:http://marc.info/?l=bugtraq&m=87936891504885&w=2
Reference: XF:dec-xterm(613)
Reference: URL:https://exchange.xforce.ibmcloud.com/vulnerabilities/613

Votes:
ACCEPT(1)  Frech
NOOP(2)  Cole, Foat
Voter Comments:


Name: CVE-1999-1211

Description:

Vulnerability in in.telnetd in SunOS 4.1.1 and earlier allows local users to gain root privileges.

Status:Candidate
Phase: Proposed (20010912)
Reference: CERT:CA-1991-02
Reference: URL:http://www.cert.org/advisories/CA-1991-02.html
Reference: XF:sun-intelnetd(574)
Reference: URL:https://exchange.xforce.ibmcloud.com/vulnerabilities/574

Votes:
ACCEPT(5)  Cole, Dik, Foat, Frech, Stracener
NOOP(1)  Wall
Voter Comments:
Frech>  CONFIRM:Sun Microsystems, Inc. Security Bulletin #00106 at
http://sunsolve.sun.com/pub-cgi/retrieve.pl?doctype=coll&doc=secbull/106&type=0&nav=sec.sba
Dik>  sun bug:  1054669 1049886 1042370 1033809

Name: CVE-1999-1212

Description:

Vulnerability in in.rlogind in SunOS 4.0.3 and 4.0.3c allows local users to gain root privileges.

Status:Candidate
Phase: Proposed (20010912)
Reference: CERT:CA-1991-02
Reference: URL:http://www.cert.org/advisories/CA-1991-02.html
Reference: XF:sun-intelnetd(574)
Reference: URL:https://exchange.xforce.ibmcloud.com/vulnerabilities/574

Votes:
ACCEPT(5)  Cole, Dik, Foat, Frech, Stracener
NOOP(1)  Wall
Voter Comments:
Dik>  sun bug:  1054669 1049886 1042370 1033809

Name: CVE-1999-1213

Description:

Vulnerability in telnet service in HP-UX 10.30 allows attackers to cause a denial of service.

Status:Candidate
Phase: Proposed (20010912)
Reference: HP:HPSBUX9710-070
Reference: URL:http://www2.dataguard.no/bugtraq/1997_4/0001.html
Reference: XF:hp-telnetdos(571)
Reference: URL:https://exchange.xforce.ibmcloud.com/vulnerabilities/571

Votes:
ACCEPT(4)  Cole, Foat, Frech, Stracener
Voter Comments:


Name: CVE-1999-1214

Description:

The asynchronous I/O facility in 4.4 BSD kernel does not check user credentials when setting the recipient of I/O notification, which allows local users to cause a denial of service by using certain ioctl and fcntl calls to cause the signal to be sent to an arbitrary process ID.

Status:Entry
Reference: MISC:http://www.openbsd.com/advisories/signals.txt
Reference: OPENBSD:19970915 Vulnerability in I/O Signal Handling
Reference: URL:http://www.openbsd.com/advisories/signals.txt
Reference: OSVDB:11062
Reference: URL:http://www.osvdb.org/11062
Reference: XF:openbsd-iosig(556)
Reference: URL:https://exchange.xforce.ibmcloud.com/vulnerabilities/556

Name: CVE-1999-1215

Description:

LOGIN.EXE program in Novell Netware 4.0 and 4.01 temporarily writes user name and password information to disk, which could allow local users to gain privileges.

Status:Entry
Reference: CERT:CA-1993-12
Reference: URL:http://www.cert.org/advisories/CA-1993-12.html
Reference: CIAC:D-21
Reference: URL:http://ciac.llnl.gov/ciac/bulletins/d-21.shtml
Reference: XF:novell-login(545)
Reference: URL:https://exchange.xforce.ibmcloud.com/vulnerabilities/545

Name: CVE-1999-1216

Description:

Cisco routers 9.17 and earlier allow remote attackers to bypass security restrictions via certain IP source routed packets that should normally be denied using the "no ip source-route" command.

Status:Candidate
Phase: Proposed (20010912)
Reference: CERT:CA-1993-07
Reference: URL:http://www.cert.org/advisories/CA-1993-07.html
Reference: CIAC:D-15
Reference: URL:http://ciac.llnl.gov/ciac/bulletins/d-15.shtml
Reference: XF:cisco-sourceroute(541)
Reference: URL:https://exchange.xforce.ibmcloud.com/vulnerabilities/541

Votes:
ACCEPT(4)  Cole, Foat, Frech, Stracener
NOOP(1)  Wall
Voter Comments:


Name: CVE-1999-1217

Description:

The PATH in Windows NT includes the current working directory (.), which could allow local users to gain privileges by placing Trojan horse programs with the same name as commonly used system programs into certain directories.

Status:Entry
Reference: NTBUGTRAQ:19970723 NT security - why bother?
Reference: URL:http://marc.info/?l=ntbugtraq&m=87602726319426&w=2
Reference: NTBUGTRAQ:19970725 Re: NT security - why bother?
Reference: URL:http://marc.info/?l=ntbugtraq&m=87602726319435&w=2
Reference: XF:nt-path(526)
Reference: URL:https://exchange.xforce.ibmcloud.com/vulnerabilities/526

Name: CVE-1999-1218

Description:

Vulnerability in finger in Commodore Amiga UNIX 2.1p2a and earlier allows local users to read arbitrary files.

Status:Candidate
Phase: Proposed (20010912)
Reference: CERT:CA-1993-04
Reference: URL:http://www.cert.org/advisories/CA-1993-04.html
Reference: XF:amiga-finger(522)
Reference: URL:https://exchange.xforce.ibmcloud.com/vulnerabilities/522

Votes:
ACCEPT(4)  Cole, Foat, Frech, Stracener
NOOP(1)  Wall
Voter Comments:


Name: CVE-1999-1219

Description:

Vulnerability in sgihelp in the SGI help system and print manager in IRIX 5.2 and earlier allows local users to gain root privileges, possibly through the clogin command.

Status:Candidate
Phase: Proposed (20010912)
Reference: AUSCERT:AA-94.04a
Reference: BID:468
Reference: URL:http://www.securityfocus.com/bid/468
Reference: CERT:CA-1994-13
Reference: URL:http://www.cert.org/advisories/CA-1994-13.html
Reference: CIAC:E-33
Reference: URL:http://ciac.llnl.gov/ciac/bulletins/e-33.shtml
Reference: XF:sgi-prn-mgr(511)
Reference: URL:https://exchange.xforce.ibmcloud.com/vulnerabilities/511

Votes:
ACCEPT(4)  Cole, Foat, Frech, Stracener
NOOP(1)  Wall
Voter Comments:


Name: CVE-1999-1220

Description:

Majordomo 1.94.3 and earlier allows remote attackers to execute arbitrary commands when the advertise or noadvertise directive is used in a configuration file, via shell metacharacters in the Reply-To header.

Status:Candidate
Phase: Proposed (20010912)
Reference: BUGTRAQ:19970824 Vulnerability in Majordomo
Reference: URL:http://www.securityfocus.com/archive/1/7527
Reference: XF:majordomo-advertise(502)
Reference: URL:https://exchange.xforce.ibmcloud.com/vulnerabilities/502

Votes:
ACCEPT(1)  Frech
NOOP(2)  Cole, Foat
Voter Comments:


Name: CVE-1999-1221

Description:

dxchpwd in Digital Unix (OSF/1) 3.x allows local users to modify arbitrary files via a symlink attack on the dxchpwd.log file.

Status:Candidate
Phase: Proposed (20010912)
Reference: BUGTRAQ:19961117 Digital Unix v3.x (v4.x?) security vulnerability
Reference: URL:http://marc.info/?l=bugtraq&m=87602167420141&w=2
Reference: XF:dgux-chpwd(399)
Reference: URL:https://exchange.xforce.ibmcloud.com/vulnerabilities/399

Votes:
ACCEPT(1)  Frech
NOOP(2)  Cole, Foat
Voter Comments:


Name: CVE-1999-1222

Description:

Netbt.sys in Windows NT 4.0 allows remote malicious DNS servers to cause a denial of service (crash) by returning 0.0.0.0 as the IP address for a DNS host name lookup.

Status:Entry
Reference: MSKB:Q188571
Reference: URL:http://support.microsoft.com/support/kb/articles/Q188/5/71.ASP
Reference: XF:dns-netbtsys-dos(3893)
Reference: URL:https://exchange.xforce.ibmcloud.com/vulnerabilities/3893

Name: CVE-1999-1223

Description:

IIS 3.0 allows remote attackers to cause a denial of service via a request to an ASP page in which the URL contains a large number of / (forward slash) characters.

Status:Entry
Reference: MSKB:Q187503
Reference: URL:http://support.microsoft.com/support/kb/articles/q187/5/03.asp
Reference: XF:url-asp-av(3892)
Reference: URL:https://exchange.xforce.ibmcloud.com/vulnerabilities/3892

Name: CVE-1999-1224

Description:

IMAP 4.1 BETA, and possibly other versions, does not properly handle the SIGABRT (abort) signal, which allows local users to crash the server (imapd) via certain sequences of commands, which causes a core dump that may contain sensitive password information.

Status:Candidate
Phase: Proposed (20010912)
Reference: BUGTRAQ:19971008 L0pht Advisory: IMAP4rev1 imapd server
Reference: URL:http://marc.info/?l=bugtraq&m=87635124302928&w=2
Reference: XF:imapd-core(349)
Reference: URL:https://exchange.xforce.ibmcloud.com/vulnerabilities/349

Votes:
ACCEPT(1)  Frech
NOOP(2)  Cole, Foat
Voter Comments:


Name: CVE-1999-1225

Description:

rpc.mountd on Linux, Ultrix, and possibly other operating systems, allows remote attackers to determine the existence of a file on the server by attempting to mount that file, which generates different error messages depending on whether the file exists or not.

Status:Candidate
Phase: Proposed (20010912)
Reference: BUGTRAQ:19970824 Serious security flaw in rpc.mountd on several operating systems.
Reference: URL:http://www.securityfocus.com/archive/1/7526
Reference: XF:mountd-file-exists(347)
Reference: URL:https://exchange.xforce.ibmcloud.com/vulnerabilities/347

Votes:
ACCEPT(1)  Frech
NOOP(2)  Cole, Foat
Voter Comments:


Name: CVE-1999-1226

Description:

Netscape Communicator 4.7 and earlier allows remote attackers to cause a denial of service, and possibly execute arbitrary commands, via a long certificate key.

Status:Entry
Reference: MISC:http://www.securiteam.com/exploits/Netscape_4_7_and_earlier_vulnerable_to__Huge_Key__DoS.html
Reference: XF:netscape-huge-key-dos(3436)
Reference: URL:https://exchange.xforce.ibmcloud.com/vulnerabilities/3436

Name: CVE-1999-1227

Description:

Ethereal allows local users to overwrite arbitrary files via a symlink attack on the packet capture file.

Status:Candidate
Phase: Proposed (20010912)
Reference: MISC:http://www.ethereal.com/lists/ethereal-dev/199907/msg00126.html
Reference: MISC:http://www.ethereal.com/lists/ethereal-dev/199907/msg00130.html
Reference: XF:ethereal-dev-capturec-root(3334)
Reference: URL:https://exchange.xforce.ibmcloud.com/vulnerabilities/3334

Votes:
ACCEPT(2)  Cole, Frech
NOOP(2)  Foat, Wall
Voter Comments:


Name: CVE-1999-1228

Description:

Various modems that do not implement a guard time, or are configured with a guard time of 0, can allow remote attackers to execute arbitrary modem commands such as ATH, ATH0, etc., via a "+++" sequence that appears in ICMP packets, the subject of an e-mail message, IRC commands, and others.

Status:Candidate
Phase: Proposed (20010912)
Reference: BUGTRAQ:19980927 1+2=3, +++ATH0=Old school DoS
Reference: URL:http://marc.info/?l=bugtraq&m=90695973308453&w=2
Reference: MISC:http://www.macintouch.com/modemsecurity.html
Reference: XF:global-village-modem-dos(3320)
Reference: URL:https://exchange.xforce.ibmcloud.com/vulnerabilities/3320

Votes:
ACCEPT(1)  Frech
NOOP(3)  Cole, Foat, Wall
Voter Comments:


Name: CVE-1999-1229

Description:

Quake 2 server 3.13 on Linux does not properly check file permissions for the config.cfg configuration file, which allows local users to read arbitrary files via a symlink from config.cfg to the target file.

Status:Candidate
Phase: Proposed (20010912)
Reference: BUGTRAQ:19980225 Quake 2 Linux 3.13 (and lower) allow users to read arbitrary files
Reference: URL:http://www.securityfocus.com/archive/1/8590
Reference: XF:linux-quake2(733)
Reference: URL:https://exchange.xforce.ibmcloud.com/vulnerabilities/733

Votes:
ACCEPT(1)  Frech
NOOP(3)  Cole, Foat, Wall
Voter Comments:


Name: CVE-1999-1230

Description:

Quake 2 server allows remote attackers to cause a denial of service via a spoofed UDP packet with a source address of 127.0.0.1, which causes the server to attempt to connect to itself.

Status:Candidate
Phase: Proposed (20010912)
Reference: BUGTRAQ:19971224 Quake II Remote Denial of Service
Reference: URL:http://www.securityfocus.com/archive/1/8282
Reference: XF:quake2-dos(698)
Reference: URL:https://exchange.xforce.ibmcloud.com/vulnerabilities/698

Votes:
ACCEPT(1)  Frech
NOOP(2)  Cole, Foat
Voter Comments:


Name: CVE-1999-1231

Description:

ssh 2.0.12, and possibly other versions, allows valid user names to attempt to enter the correct password multiple times, but only prompts an invalid user name for a password once, which allows remote attackers to determine user account names on the server.

Status:Candidate
Phase: Proposed (20010912)
Reference: BUGTRAQ:19990609 ssh advirsory
Reference: URL:http://www.securityfocus.com/archive/1/14758
Reference: XF:ssh-leak(2276)
Reference: URL:https://exchange.xforce.ibmcloud.com/vulnerabilities/2276

Votes:
ACCEPT(1)  Frech
NOOP(3)  Cole, Foat, Wall
Voter Comments:


Name: CVE-1999-1232

Description:

Untrusted search path vulnerability in day5datacopier in SGI IRIX 6.2 allows local users to execute arbitrary commands via a modified PATH environment variable that points to a malicious cp program.

Status:Candidate
Phase: Modified (20060503)
Reference: BUGTRAQ:19970516 Irix and WWW
Reference: URL:http://marc.info/?l=bugtraq&m=87602167420994&w=2
Reference: OSVDB:8559
Reference: URL:http://www.osvdb.org/8559
Reference: XF:sgi-day5datacopier(3316)
Reference: URL:https://exchange.xforce.ibmcloud.com/vulnerabilities/3316

Votes:
ACCEPT(1)  Frech
NOOP(2)  Cole, Foat
Voter Comments:


Name: CVE-1999-1233

Description:

IIS 4.0 does not properly restrict access for the initial session request from a user's IP address if the address does not resolve to a DNS domain, aka the "Domain Resolution" vulnerability.

Status:Entry
Reference: BID:657
Reference: URL:http://www.securityfocus.com/bid/657
Reference: MS:MS99-039
Reference: URL:https://docs.microsoft.com/en-us/security-updates/securitybulletins/1999/ms99-039
Reference: MSKB:241562
Reference: URL:http://support.microsoft.com/support/kb/articles/Q241/5/62.asp
Reference: XF:iis-unresolved-domain-access(3306)
Reference: URL:https://exchange.xforce.ibmcloud.com/vulnerabilities/3306

Name: CVE-1999-1234

Description:

LSA (LSASS.EXE) in Windows NT 4.0 allows remote attackers to cause a denial of service via a NULL policy handle in a call to (1) SamrOpenDomain, (2) SamrEnumDomainUsers, and (3) SamrQueryDomainInfo.

Status:Candidate
Phase: Proposed (20010912)
Reference: BUGTRAQ:19991026 Re: LSA vulnerability on NT40 SP5
Reference: URL:http://marc.info/?l=ntbugtraq&m=94096671308565&w=2
Reference: XF:msrpc-samr-open-dos(3293)
Reference: URL:https://exchange.xforce.ibmcloud.com/vulnerabilities/3293

Votes:
ACCEPT(3)  Cole, Frech, Wall
NOOP(1)  Foat
Voter Comments:


Name: CVE-1999-1235

Description:

Internet Explorer 5.0 records the username and password for FTP servers in the URL history, which could allow (1) local users to read the information from another user's index.dat, or (2) people who are physically observing ("shoulder surfing") another user to read the information from the status bar when the user moves the mouse over a link.

Status:Candidate
Phase: Proposed (20010912)
Reference: NTBUGTRAQ:19990331 Minor Bug in IE5.0
Reference: URL:http://ntbugtraq.ntadvice.com/default.asp?pid=36&sid=1&A2=ind9904&L=NTBUGTRAQ&P=R179
Reference: NTBUGTRAQ:19990825 IE5 FTP password exposure & index.dat null ACL problem
Reference: URL:http://packetderm.cotse.com/mailing-lists/ntbugtraq/1999/0364.html
Reference: XF:nt-ie5-user-ftp-password(3289)
Reference: URL:https://exchange.xforce.ibmcloud.com/vulnerabilities/3289

Votes:
ACCEPT(4)  Cole, Foat, Frech, Wall
Voter Comments:
CHANGE>  [Foat changed vote from NOOP to ACCEPT]

Name: CVE-1999-1236

Description:

Internet Anywhere Mail Server 2.3.1 stores passwords in plaintext in the msgboxes.dbf file, which could allow local users to gain privileges by extracting the passwords from msgboxes.dbf.

Status:Candidate
Phase: Proposed (20010912)
Reference: BID:731
Reference: URL:http://www.securityfocus.com/bid/731
Reference: NTBUGTRAQ:19991001 Vulnerabilities in the Internet Anywhere Mail Server
Reference: URL:http://www.ntbugtraq.com/default.asp?pid=36&sid=1&A2=ind9910&L=ntbugtraq&F=&S=&P=662
Reference: XF:iams-passwords-plaintext(3285)
Reference: URL:https://exchange.xforce.ibmcloud.com/vulnerabilities/3285

Votes:
ACCEPT(2)  Cole, Frech
NOOP(2)  Foat, Wall
Voter Comments:


Name: CVE-1999-1237

Description:

Multiple buffer overflows in smbvalid/smbval SMB authentication library, as used in Apache::AuthenSmb and possibly other modules, allow remote attackers to execute arbitrary commands via (1) a long username, (2) a long password, and (3) other unspecified methods.

Status:Candidate
Phase: Proposed (20010912)
Reference: BUGTRAQ:19990606 Buffer overflows in smbval library
Reference: URL:http://www.securityfocus.com/archive/1/14384
Reference: XF:smbvalid-bo(2272)
Reference: URL:https://exchange.xforce.ibmcloud.com/vulnerabilities/2272

Votes:
ACCEPT(1)  Frech
NOOP(3)  Cole, Foat, Wall
Voter Comments:


Name: CVE-1999-1238

Description:

Vulnerability in CORE-DIAG fileset in HP message catalog in HP-UX 9.05 and earlier allows local users to gain privileges.

Status:Candidate
Phase: Proposed (20010912)
Reference: HP:HPSBUX9409-017
Reference: URL:http://www.securityfocus.com/advisories/1531
Reference: XF:hp-core-diag-fileset(2262)
Reference: URL:https://exchange.xforce.ibmcloud.com/vulnerabilities/2262

Votes:
ACCEPT(4)  Cole, Foat, Frech, Stracener
Voter Comments:


Name: CVE-1999-1239

Description:

HP-UX 9.x does not properly enable the Xauthority mechanism in certain conditions, which could allow local users to access the X display even when they have not explicitly been authorized to do so.

Status:Candidate
Phase: Proposed (20010912)
Reference: HP:HPSBUX9407-015
Reference: URL:http://www.securityfocus.com/advisories/1559
Reference: XF:hp-xauthority(2261)
Reference: URL:https://exchange.xforce.ibmcloud.com/vulnerabilities/2261

Votes:
ACCEPT(4)  Cole, Foat, Frech, Stracener
Voter Comments:


Name: CVE-1999-1240

Description:

Buffer overflow in cddbd CD database server allows remote attackers to execute arbitrary commands via a long log message.

Status:Candidate
Phase: Proposed (20010912)
Reference: BUGTRAQ:19961126 Major Security Vulnerabilities in Remote CD Databases
Reference: URL:http://www.securityfocus.com/archive/1/5784
Reference: XF:cddbd-bo(2203)
Reference: URL:https://exchange.xforce.ibmcloud.com/vulnerabilities/2203

Votes:
ACCEPT(1)  Frech
NOOP(2)  Cole, Foat
Voter Comments:


Name: CVE-1999-1241

Description:

Internet Explorer, with a security setting below Medium, allows remote attackers to execute arbitrary commands via a malicious web page that uses the FileSystemObject ActiveX object.

Status:Candidate
Phase: Proposed (20010912)
Reference: MISC:http://oliver.efri.hr/~crv/security/bugs/NT/activex4.html
Reference: XF:ie-filesystemobject(2173)
Reference: URL:https://exchange.xforce.ibmcloud.com/vulnerabilities/2173

Votes:
ACCEPT(3)  Cole, Frech, Wall
NOOP(2)  Christey, Foat
Voter Comments:
Christey>  DELREF MISC:http://oliver.efri.hr/~crv/security/bugs/NT/activex4.html
ADDREF MISC:http://focus.silversand.net/vulner/allbug/activex4.html
Frech>  Change MISC to http://www.securitybugware.org/NT/1018.html

Name: CVE-1999-1242

Description:

Vulnerability in subnetconfig in HP-UX 9.01 and 9.0 allows local users to gain privileges.

Status:Candidate
Phase: Proposed (20010912)
Reference: HP:HPSBUX9402-003
Reference: URL:http://packetstormsecurity.org/advisories/hpalert/003
Reference: XF:hp-subnet-config(2162)
Reference: URL:https://exchange.xforce.ibmcloud.com/vulnerabilities/2162

Votes:
ACCEPT(4)  Cole, Foat, Frech, Stracener
Voter Comments:


Name: CVE-1999-1243

Description:

SGI Desktop Permissions Tool in IRIX 6.0.1 and earlier allows local users to modify permissions for arbitrary files and gain privileges.

Status:Entry
Reference: CIAC:F-16
Reference: URL:http://ciac.llnl.gov/ciac/bulletins/f-16.shtml
Reference: SGI:19950301-01-P373
Reference: URL:ftp://patches.sgi.com/support/free/security/advisories/19950301-01-P373
Reference: XF:sgi-permissions(2113)
Reference: URL:https://exchange.xforce.ibmcloud.com/vulnerabilities/2113

Name: CVE-1999-1244

Description:

IPFilter 3.2.3 through 3.2.10 allows local users to modify arbitrary files via a symlink attack on the saved output file.

Status:Candidate
Phase: Proposed (20010912)
Reference: BUGTRAQ:19990415 FSA-99.04-IPFILTER-v3.2.10
Reference: URL:http://www.securityfocus.com/archive/1/13303
Reference: XF:ipfilter-temp-file(2087)
Reference: URL:https://exchange.xforce.ibmcloud.com/vulnerabilities/2087

Votes:
ACCEPT(2)  Cole, Frech
NOOP(2)  Foat, Wall
Voter Comments:


Name: CVE-1999-1245

Description:

vacm ucd-snmp SNMP server, version 3.52, does not properly disable access to the public community string, which could allow remote attackers to obtain sensitive information.

Status:Candidate
Phase: Proposed (20010912)
Reference: XF:ucd-snmpd-community(2086)
Reference: URL:https://exchange.xforce.ibmcloud.com/vulnerabilities/2086

Votes:
ACCEPT(1)  Frech
NOOP(3)  Cole, Foat, Wall
Voter Comments:
Frech>  http://www.securityfocus.com/archive/1/13130

Name: CVE-1999-1246

Description:

Direct Mailer feature in Microsoft Site Server 3.0 saves user domain names and passwords in plaintext in the TMLBQueue network share, which has insecure default permissions, allowing remote attackers to read the passwords and gain privileges.

Status:Entry
Reference: MSKB:Q229972
Reference: URL:http://support.microsoft.com/support/kb/articles/Q229/9/72.asp
Reference: XF:siteserver-directmail-passwords(2068)
Reference: URL:https://exchange.xforce.ibmcloud.com/vulnerabilities/2068

Name: CVE-1999-1247

Description:

Vulnerability in HP Camera component of HP DCE/9000 in HP-UX 9.x allows attackers to gain root privileges.

Status:Candidate
Phase: Proposed (20010912)
Reference: HP:HPSBUX9402-006
Reference: URL:http://packetstormsecurity.org/advisories/hpalert/006
Reference: XF:hp-dce9000(2061)
Reference: URL:https://exchange.xforce.ibmcloud.com/vulnerabilities/2061

Votes:
ACCEPT(4)  Cole, Foat, Frech, Stracener
Voter Comments:


Name: CVE-1999-1248

Description:

Vulnerability in Support Watch (aka SupportWatch) in HP-UX 8.0 through 9.0 allows local users to gain privileges.

Status:Candidate
Phase: Proposed (20010912)
Reference: HP:HPSBUX9411-019
Reference: URL:http://packetstormsecurity.org/advisories/hpalert/019
Reference: XF:hp-supportwatch(2058)
Reference: URL:https://exchange.xforce.ibmcloud.com/vulnerabilities/2058

Votes:
ACCEPT(4)  Cole, Foat, Frech, Stracener
Voter Comments:


Name: CVE-1999-1249

Description:

movemail in HP-UX 10.20 has insecure permissions, which allows local users to gain privileges.

Status:Entry
Reference: HP:HPSBUX9701-047
Reference: URL:http://www.codetalker.com/advisories/vendor/hp/hpsbux9701-047.html
Reference: OSVDB:8099
Reference: URL:http://www.osvdb.org/8099
Reference: XF:hp-movemail(2057)
Reference: URL:https://exchange.xforce.ibmcloud.com/vulnerabilities/2057

Name: CVE-1999-1250

Description:

Vulnerability in CGI program in the Lasso application by Blue World, as used on WebSTAR and other servers, allows remote attackers to read arbitrary files.

Status:Candidate
Phase: Proposed (20010912)
Reference: BUGTRAQ:19970819 Lasso CGI security hole (fwd)
Reference: URL:http://www.securityfocus.com/archive/1/7506
Reference: XF:http-cgi-lasso(2044)
Reference: URL:https://exchange.xforce.ibmcloud.com/vulnerabilities/2044

Votes:
ACCEPT(1)  Frech
NOOP(2)  Cole, Foat
Voter Comments:


Name: CVE-1999-1251

Description:

Vulnerability in direct audio user space code on HP-UX 10.20 and 10.10 allows local users to cause a denial of service.

Status:Candidate
Phase: Proposed (20010912)
Reference: HP:HPSBUX9612-043
Reference: URL:http://packetstormsecurity.org/advisories/hpalert/043
Reference: XF:hp-audio-panic(2010)
Reference: URL:https://exchange.xforce.ibmcloud.com/vulnerabilities/2010

Votes:
ACCEPT(4)  Cole, Foat, Frech, Stracener
Voter Comments:


Name: CVE-1999-1252

Description:

Vulnerability in a certain system call in SCO UnixWare 2.0.x and 2.1.0 allows local users to access arbitrary files and gain root privileges.

Status:Candidate
Phase: Proposed (20010912)
Reference: CERT:VB-96.15
Reference: URL:http://www.cert.org/vendor_bulletins/VB-96.15.sco
Reference: SCO:96:002
Reference: URL:ftp://ftp.sco.COM/SSE/security_bulletins/SB.96:02a
Reference: XF:sco-system-call(1966)
Reference: URL:https://exchange.xforce.ibmcloud.com/vulnerabilities/1966

Votes:
ACCEPT(4)  Cole, Foat, Frech, Stracener
NOOP(1)  Wall
Voter Comments:


Name: CVE-1999-1253

Description:

Vulnerability in a kernel error handling routine in SCO OpenServer 5.0.2 and earlier, and SCO Internet FastStart 1.0, allows local users to gain root privileges.

Status:Candidate
Phase: Proposed (20010912)
Reference: CERT:VB-96.10
Reference: URL:http://www.cert.org/vendor_bulletins/VB-96.10.sco
Reference: SCO:96:001
Reference: URL:ftp://ftp.sco.com/SSE/security_bulletins/SB.96:01a
Reference: XF:sco-kernel(1965)
Reference: URL:https://exchange.xforce.ibmcloud.com/vulnerabilities/1965

Votes:
ACCEPT(4)  Cole, Foat, Frech, Stracener
NOOP(1)  Wall
Voter Comments:


Name: CVE-1999-1254

Description:

Windows 95, 98, and NT 4.0 allow remote attackers to cause a denial of service by spoofing ICMP redirect messages from a router, which causes Windows to change its routing tables.

Status:Candidate
Phase: Proposed (20010912)
Reference: NTBUGTRAQ:19990308 Winfreeze EXPLOIT Win9x/NT
Reference: URL:http://marc.info/?l=ntbugtraq&m=92099515709467&w=2
Reference: XF:win-redirects-freeze(1947)
Reference: URL:https://exchange.xforce.ibmcloud.com/vulnerabilities/1947

Votes:
ACCEPT(3)  Cole, Frech, Wall
MODIFY(1)  Meunier
NOOP(2)  Christey, Foat
Voter Comments:
Christey>  Need to get feedback from MS on this.
Christey>  (prompted from Pascal Meunier) should this be treated
as a general design issue with ICMP?  Or is it a specific
implementation flaw that only affects Reliant?
Meunier>  The description is too narrow and incorrect.  Spoofed ICMP
redirect messages can be used to set up man-in-the-middle attacks
instead of a DoS.  There's no reason that this behavior would be
limited to Windows, as it is specified by the standard.  As I said
elsewhere, ICMP messages should not be acted upon without access
controls.

Name: CVE-1999-1255

Description:

Hyperseek allows remote attackers to modify the hyperseek configuration by directly calling the admin.cgi program with an edit_file action parameter.

Status:Candidate
Phase: Proposed (20010912)
Reference: MISC:http://www.rootshell.com/archive-j457nxiqi3gq59dv/199902/hyperseek.txt.html
Reference: XF:hyperseek-modify(1914)
Reference: URL:https://exchange.xforce.ibmcloud.com/vulnerabilities/1914

Votes:
ACCEPT(2)  Cole, Frech
NOOP(2)  Foat, Wall
Voter Comments:


Name: CVE-1999-1256

Description:

Oracle Database Assistant 1.0 in Oracle 8.0.3 Enterprise Edition stores the database master password in plaintext in the spoolmain.log file when a new database is created, which allows local users to obtain the password from that file.

Status:Candidate
Phase: Proposed (20010912)
Reference: BUGTRAQ:19990304 Oracle Plaintext Password
Reference: URL:http://www.securityfocus.com/archive/1/12744
Reference: NTBUGTRAQ:19990304 Oracle Plaintext Password
Reference: URL:http://marc.info/?l=ntbugtraq&m=92056752115116&w=2
Reference: XF:oracle-passwords(1902)
Reference: URL:https://exchange.xforce.ibmcloud.com/vulnerabilities/1902

Votes:
ACCEPT(2)  Cole, Frech
NOOP(2)  Foat, Wall
Voter Comments:


Name: CVE-1999-1257

Description:

Xyplex terminal server 6.0.1S1, and possibly other versions, allows remote attackers to bypass the password prompt by entering (1) a CTRL-Z character, or (2) a ? (question mark).

Status:Candidate
Phase: Proposed (20010912)
Reference: BUGTRAQ:19971126 Xyplex terminal server bug
Reference: URL:http://www.securityfocus.com/archive/1/8134
Reference: XF:xyplex-controlz-login(1825)
Reference: URL:https://exchange.xforce.ibmcloud.com/vulnerabilities/1825
Reference: XF:xyplex-question-login(1826)
Reference: URL:https://exchange.xforce.ibmcloud.com/vulnerabilities/1826

Votes:
ACCEPT(1)  Frech
NOOP(2)  Cole, Foat
Voter Comments:


Name: CVE-1999-1258

Description:

rpc.pwdauthd in SunOS 4.1.1 and earlier does not properly prevent remote access to the daemon, which allows remote attackers to obtain sensitive system information.

Status:Entry
Reference: SUN:00102
Reference: URL:http://sunsolve.sun.com/pub-cgi/retrieve.pl?doctype=coll&doc=secbull/102
Reference: XF:sun-pwdauthd(1782)
Reference: URL:https://exchange.xforce.ibmcloud.com/vulnerabilities/1782

Name: CVE-1999-1259

Description:

Microsoft Office 98, Macintosh Edition, does not properly initialize the disk space used by Office 98 files and effectively inserts data from previously deleted files into the Office file, which could allow attackers to obtain sensitive information.

Status:Entry
Reference: MSKB:Q189529
Reference: URL:http://support.microsoft.com/support/kb/articles/q189/5/29.asp
Reference: XF:office-extraneous-data(1780)
Reference: URL:https://exchange.xforce.ibmcloud.com/vulnerabilities/1780

Name: CVE-1999-1260

Description:

mSQL (Mini SQL) 2.0.6 allows remote attackers to obtain sensitive server information such as logged users, database names, and server version via the ServerStats query.

Status:Candidate
Phase: Proposed (20010912)
Reference: BUGTRAQ:19990215 KSR[T] Advisory #10: mSQL ServerStats
Reference: URL:http://marc.info/?l=bugtraq&m=91910115718150&w=2
Reference: XF:msql-serverstats(1777)
Reference: URL:https://exchange.xforce.ibmcloud.com/vulnerabilities/1777

Votes:
ACCEPT(1)  Frech
NOOP(3)  Cole, Foat, Wall
Voter Comments:


Name: CVE-1999-1261

Description:

Buffer overflow in Rainbow Six Multiplayer allows remote attackers to cause a denial of service, and possibly execute arbitrary commands, via a long nickname (nick) command.

Status:Candidate
Phase: Proposed (20010912)
Reference: BUGTRAQ:19990211 Rainbow Six Buffer Overflow.....
Reference: URL:http://www.securityfocus.com/archive/1/12433
Reference: XF:rainbowsix-nick-bo(1772)
Reference: URL:https://exchange.xforce.ibmcloud.com/vulnerabilities/1772

Votes:
ACCEPT(1)  Frech
NOOP(3)  Cole, Foat, Wall
Voter Comments:


Name: CVE-1999-1262

Description:

Java in Netscape 4.5 does not properly restrict applets from connecting to other hosts besides the one from which the applet was loaded, which violates the Java security model and could allow remote attackers to conduct unauthorized activities.

Status:Entry
Reference: BUGTRAQ:19990202 Unsecured server in applets under Netscape
Reference: URL:http://www.securityfocus.com/archive/1/12231
Reference: XF:java-socket-open(1727)
Reference: URL:https://exchange.xforce.ibmcloud.com/vulnerabilities/1727

Name: CVE-1999-1263

Description:

Metamail before 2.7-7.2 allows remote attackers to overwrite arbitrary files via an e-mail message containing a uuencoded attachment that specifies the full pathname for the file to be modified, which is processed by uuencode in Metamail scripts such as sun-audio-file.

Status:Entry
Reference: BUGTRAQ:19971024 Vulnerability in metamail
Reference: URL:http://marc.info/?l=bugtraq&m=87773365324657&w=2
Reference: XF:metamail-file-creation(1677)
Reference: URL:https://exchange.xforce.ibmcloud.com/vulnerabilities/1677

Name: CVE-1999-1264

Description:

WebRamp M3 router does not disable remote telnet or HTTP access to itself, even when access has been explicitly disabled.

Status:Candidate
Phase: Proposed (20010912)
Reference: BUGTRAQ:19990121 WebRamp M3 remote network access bug
Reference: URL:http://www.securityfocus.com/archive/1/12048
Reference: BUGTRAQ:19990203 WebRamp M3 Perceived Bug
Reference: URL:http://marc.info/?l=bugtraq&m=91815321510224&w=2
Reference: XF:webramp-remote-access(1670)
Reference: URL:https://exchange.xforce.ibmcloud.com/vulnerabilities/1670

Votes:
ACCEPT(1)  Frech
NOOP(3)  Cole, Foat, Wall
Voter Comments:


Name: CVE-1999-1265

Description:

SMTP server in SLmail 3.1 and earlier allows remote attackers to cause a denial of service via malformed commands whose arguments begin with a "(" (parenthesis) character, such as (1) SEND, (2) VRFY, (3) EXPN, (4) MAIL FROM, (5) RCPT TO.

Status:Candidate
Phase: Proposed (20010912)
Reference: BUGTRAQ:19980922 Re: WARNING! SMTP Denial of Service in SLmail ver 3.1
Reference: BUGTRAQ:19980922 WARNING! SMTP Denial of Service in SLmail ver 3.1
Reference: URL:http://marc.info/?l=bugtraq&m=90649892424117&w=2
Reference: NTBUGTRAQ:19980922 WARNING! SMTP Denial of Service in SLmail ver 3.1
Reference: URL:http://marc.info/?l=ntbugtraq&m=90650438826447&w=2
Reference: XF:slmail-parens-overload(1664)
Reference: URL:https://exchange.xforce.ibmcloud.com/vulnerabilities/1664

Votes:
ACCEPT(3)  Cole, Foat, Frech
NOOP(1)  Wall
Voter Comments:


Name: CVE-1999-1266

Description:

rsh daemon (rshd) generates different error messages when a valid username is provided versus an invalid name, which allows remote attackers to determine valid users on the system.

Status:Candidate
Phase: Proposed (20010912)
Reference: BUGTRAQ:19970613 rshd gives away usernames
Reference: URL:http://www.securityfocus.com/archive/1/6978
Reference: XF:rsh-username-leaks(1660)
Reference: URL:https://exchange.xforce.ibmcloud.com/vulnerabilities/1660

Votes:
ACCEPT(1)  Frech
NOOP(2)  Cole, Foat
Voter Comments:


Name: CVE-1999-1267

Description:

KDE file manager (kfm) uses a TCP server for certain file operations, which allows remote attackers to modify arbitrary files by sending a copy command to the server.

Status:Candidate
Phase: Proposed (20010912)
Reference: BUGTRAQ:19970505 Hole in the KDE desktop
Reference: URL:http://marc.info/?l=bugtraq&m=87602167420906&w=2
Reference: XF:kde-flawed-ipc(1646)
Reference: URL:https://exchange.xforce.ibmcloud.com/vulnerabilities/1646

Votes:
ACCEPT(1)  Frech
NOOP(2)  Cole, Foat
Voter Comments:


Name: CVE-1999-1268

Description:

Vulnerability in KDE konsole allows local users to hijack or observe sessions of other users by accessing certain devices.

Status:Candidate
Phase: Proposed (20010912)
Reference: MISC:http://lists.kde.org/?l=kde-devel&m=91560433413263&w=2
Reference: XF:kde-konsole-hijack(1645)
Reference: URL:https://exchange.xforce.ibmcloud.com/vulnerabilities/1645

Votes:
ACCEPT(1)  Frech
NOOP(3)  Cole, Foat, Wall
Voter Comments:


Name: CVE-1999-1269

Description:

Screen savers in KDE beta 3 allow local users to overwrite arbitrary files via a symlink attack on the .kss.pid file.

Status:Candidate
Phase: Proposed (20010912)
Reference: BUGTRAQ:19980206 serious security hole in KDE Beta 3
Reference: URL:http://www.securityfocus.com/archive/1/8506
Reference: XF:kde-kss-file-clobber(1641)
Reference: URL:https://exchange.xforce.ibmcloud.com/vulnerabilities/1641

Votes:
ACCEPT(1)  Frech
NOOP(3)  Cole, Foat, Wall
Voter Comments:


Name: CVE-1999-1270

Description:

KMail in KDE 1.0 provides a PGP passphrase as a command line argument to other programs, which could allow local users to obtain the passphrase and compromise the PGP keys of other users by viewing the arguments via programs that list process information, such as ps.

Status:Candidate
Phase: Proposed (20010912)
Reference: MISC:http://lists.kde.org/?l=kde-devel&m=90221974029738&w=2
Reference: XF:kde-kmail-passphrase-leak(1639)
Reference: URL:https://exchange.xforce.ibmcloud.com/vulnerabilities/1639

Votes:
ACCEPT(1)  Frech
NOOP(3)  Cole, Foat, Wall
Voter Comments:


Name: CVE-1999-1271

Description:

Macromedia Dreamweaver uses weak encryption to store FTP passwords, which could allow local users to easily decrypt the passwords of other users.

Status:Candidate
Phase: Proposed (20010912)
Reference: BUGTRAQ:19980611 Unsecure passwords in Macromedia Dreamweaver
Reference: URL:http://www.securityfocus.com/archive/1/9511
Reference: XF:dreamweaver-weak-passwords(1636)
Reference: URL:https://exchange.xforce.ibmcloud.com/vulnerabilities/1636

Votes:
ACCEPT(2)  Cole, Frech
NOOP(2)  Foat, Wall
Voter Comments:


Name: CVE-1999-1272

Description:

Buffer overflows in CDROM Confidence Test program (cdrom) allow local users to gain root privileges.

Status:Candidate
Phase: Proposed (20010912)
Reference: SGI:19980301-01-PX
Reference: URL:ftp://patches.sgi.com/support/free/security/advisories/19980301-01-PX
Reference: XF:irix-cdrom-confidence(1635)
Reference: URL:https://exchange.xforce.ibmcloud.com/vulnerabilities/1635

Votes:
ACCEPT(4)  Cole, Foat, Frech, Stracener
Voter Comments:


Name: CVE-1999-1273

Description:

Squid Internet Object Cache 1.1.20 allows users to bypass access control lists (ACLs) by encoding the URL with hexadecimal escape sequences.

Status:Candidate
Phase: Proposed (20010912)
Reference: BUGTRAQ:19980220 Simple way to bypass squid ACLs
Reference: URL:http://www.securityfocus.com/archive/1/8551
Reference: XF:squid-regexp-acl(1627)
Reference: URL:https://exchange.xforce.ibmcloud.com/vulnerabilities/1627

Votes:
ACCEPT(2)  Cole, Frech
NOOP(2)  Foat, Wall
Voter Comments:


Name: CVE-1999-1274

Description:

iPass RoamServer 3.1 creates temporary files with world-writable permissions.

Status:Candidate
Phase: Proposed (20010912)
Reference: BUGTRAQ:19971229 iPass RoamServer 3.1
Reference: URL:http://www.securityfocus.com/archive/1/8307
Reference: XF:ipass-temporary-files(1625)
Reference: URL:https://exchange.xforce.ibmcloud.com/vulnerabilities/1625

Votes:
ACCEPT(1)  Frech
NOOP(2)  Cole, Foat
Voter Comments:


Name: CVE-1999-1275

Description:

Lotus cc:Mail release 8 stores the postoffice password in plaintext in a hidden file which has insecure permissions, which allows local users to gain privileges.

Status:Candidate
Phase: Proposed (20010912)
Reference: BUGTRAQ:19970908 Password unsecurity in cc:Mail release 8
Reference: URL:http://www.securityfocus.com/archive/1/9478
Reference: XF:lotus-ccmail-passwords(1619)
Reference: URL:https://exchange.xforce.ibmcloud.com/vulnerabilities/1619

Votes:
ACCEPT(1)  Frech
NOOP(2)  Cole, Foat
Voter Comments:


Name: CVE-1999-1276

Description:

fte-console in the fte package before 0.46b-4.1 does not drop root privileges, which allows local users to gain root access via the virtual console device.

Status:Entry
Reference: DEBIAN:19981207 fte-console: does not drop its root priviliges
Reference: URL:http://www.debian.org/security/1998/19981207
Reference: XF:fte-console-privileges(1609)
Reference: URL:https://exchange.xforce.ibmcloud.com/vulnerabilities/1609

Name: CVE-1999-1277

Description:

BackWeb client stores the username and password in cleartext for proxy authentication in the Communication registry key, which could allow other local users to gain privileges by reading the password.

Status:Candidate
Phase: Proposed (20010912)
Reference: NTBUGTRAQ:19981224 BackWeb - Password issue (used by NAI for Corporate customer notification).
Reference: URL:http://marc.info/?l=ntbugtraq&m=91487886514546&w=2
Reference: XF:backweb-cleartext-passwords(1565)
Reference: URL:https://exchange.xforce.ibmcloud.com/vulnerabilities/1565

Votes:
ACCEPT(1)  Frech
NOOP(3)  Cole, Foat, Wall
Voter Comments:


Name: CVE-1999-1278

Description:

nlog CGI scripts do not properly filter shell metacharacters from the IP address argument, which could allow remote attackers to execute certain commands via (1) nlog-smb.pl or (2) rpc-nlog.pl.

Status:Candidate
Phase: Proposed (20010912)
Reference: BUGTRAQ:19981225 Re: Nlog v1.0 Released - Nmap 2.x log management / analyzing tool
Reference: URL:http://marc.info/?l=bugtraq&m=91470326629357&w=2
Reference: BUGTRAQ:19981226 Nlog 1.1b released - security holes fixed
Reference: URL:http://marc.info/?l=bugtraq&m=91471400632145&w=2
Reference: XF:http-cgi-nlog-metachars(1549)
Reference: URL:https://exchange.xforce.ibmcloud.com/vulnerabilities/1549
Reference: XF:http-cgi-nlog-netbios(1550)
Reference: URL:https://exchange.xforce.ibmcloud.com/vulnerabilities/1550

Votes:
ACCEPT(3)  Cole, Foat, Frech
NOOP(1)  Wall
Voter Comments:


Name: CVE-1999-1279

Description:

An interaction between the AS/400 shared folders feature and Microsoft SNA Server 3.0 and earlier allows users to view each other's folders when the users share the same Local APPC LU.

Status:Entry
Reference: MSKB:Q138001
Reference: URL:http://support.microsoft.com/support/kb/articles/q138/0/01.asp
Reference: XF:snaserver-shared-folders(1548)
Reference: URL:https://exchange.xforce.ibmcloud.com/vulnerabilities/1548

Name: CVE-1999-1280

Description:

Hummingbird Exceed 6.0.1.0 inadvertently includes a DLL that was meant for development and testing, which logs user names and passwords in cleartext in the test.log file.

Status:Candidate
Phase: Proposed (20010912)
Reference: BUGTRAQ:19981203 Remote Tools w/Exceed v.6.0.1.0 fer 95
Reference: URL:http://www.securityfocus.com/archive/1/11512
Reference: XF:exceed-cleartext-passwords(1547)
Reference: URL:https://exchange.xforce.ibmcloud.com/vulnerabilities/1547

Votes:
ACCEPT(1)  Frech
NOOP(3)  Cole, Foat, Wall
Voter Comments:


Name: CVE-1999-1281

Description:

Development version of Breeze Network Server allows remote attackers to cause the system to reboot by accessing the configbreeze CGI program.

Status:Candidate
Phase: Proposed (20010912)
Reference: BUGTRAQ:19981226 Breeze Network Server remote reboot and other bogosity.
Reference: URL:http://www.securityfocus.com/archive/1/11720
Reference: XF:breeze-remote-reboot(1544)
Reference: URL:https://exchange.xforce.ibmcloud.com/vulnerabilities/1544

Votes:
ACCEPT(2)  Cole, Frech
NOOP(2)  Foat, Wall
Voter Comments:
Frech>  There have been no followups to indicate that this issue has
been resolved in the production version, and as a benefit to the doubt,
this issue transcends EX-BETA until proven otherwise.

Name: CVE-1999-1282

Description:

RealSystem G2 server stores the administrator password in cleartext in a world-readable configuration file, which allows local users to gain privileges.

Status:Candidate
Phase: Proposed (20010912)
Reference: BUGTRAQ:19981210 RealSystem passwords
Reference: URL:http://www.securityfocus.com/archive/1/11543
Reference: XF:realsystem-readable-conf-file(1542)
Reference: URL:https://exchange.xforce.ibmcloud.com/vulnerabilities/1542

Votes:
ACCEPT(2)  Cole, Frech
NOOP(2)  Foat, Wall
Voter Comments:


Name: CVE-1999-1283

Description:

Opera 3.2.1 allows remote attackers to cause a denial of service (application crash) via a URL that contains an extra / in the http:// tag.

Status:Candidate
Phase: Proposed (20010912)
Reference: BUGTRAQ:19980814 URL exploit to crash Opera Browser
Reference: URL:http://www.securityfocus.com/archive/1/10320
Reference: XF:opera-slash-crash(1541)
Reference: URL:https://exchange.xforce.ibmcloud.com/vulnerabilities/1541

Votes:
ACCEPT(2)  Cole, Frech
NOOP(2)  Foat, Wall
Voter Comments:
Frech>  Will go along with a REJECT if MITRE decides on
EX-CLIENT-DOS.

Name: CVE-1999-1284

Description:

NukeNabber allows remote attackers to cause a denial of service by connecting to the NukeNabber port (1080) without sending any data, which causes the CPU usage to rise to 100% from the report.exe program that is executed upon the connection.

Status:Entry
Reference: BUGTRAQ:19981105 various *lame* DoS attacks
Reference: URL:http://www.securityfocus.com/archive/1/11131
Reference: BUGTRAQ:19981107 Re: various *lame* DoS attacks
Reference: URL:http://marc.info/?l=bugtraq&m=91063407332594&w=2
Reference: MISC:http://www.dynamsol.com/puppet/text/new.txt
Reference: XF:nukenabber-timeout-dos(1540)
Reference: URL:https://exchange.xforce.ibmcloud.com/vulnerabilities/1540

Name: CVE-1999-1285

Description:

Linux 2.1.132 and earlier allows local users to cause a denial of service (resource exhaustion) by reading a large buffer from a random device (e.g. /dev/urandom), which cannot be interrupted until the read has completed.

Status:Candidate
Phase: Proposed (20010912)
Reference: BUGTRAQ:19981227 [patch] fix for urandom read(2) not interruptible
Reference: URL:http://marc.info/?l=bugtraq&m=91495921611500&w=2
Reference: XF:linux-random-read-dos(1472)
Reference: URL:https://exchange.xforce.ibmcloud.com/vulnerabilities/1472

Votes:
ACCEPT(2)  Cole, Frech
NOOP(2)  Foat, Wall
Voter Comments:


Name: CVE-1999-1286

Description:

addnetpr in SGI IRIX 6.2 and earlier allows local users to modify arbitrary files and possibly gain root access via a symlink attack on a temporary file.

Status:Candidate
Phase: Modified (20060623)
Reference: BID:330
Reference: URL:http://www.securityfocus.com/bid/330
Reference: BUGTRAQ:19970509 Re: Irix: misc
Reference: URL:http://marc.info/?l=bugtraq&m=87602167420927&w=2
Reference: MISC:ftp://patches.sgi.com/support/free/security/advisories/19961203-02-PX
Reference: OSVDB:8560
Reference: URL:http://www.osvdb.org/8560
Reference: XF:irix-addnetpr(1433)
Reference: URL:https://exchange.xforce.ibmcloud.com/vulnerabilities/1433

Votes:
ACCEPT(1)  Frech
NOOP(3)  Christey, Cole, Foat
Voter Comments:
Christey>  CHANGE DESC: "via a symlink attack on the printers temporary file."
Add 5.3 as another affected version.

MISC:ftp://patches.sgi.com/support/free/security/advisories/19961203-02-PX
SGI:19961203-02-PX may solve this problem, but the advisory is so
vague that it is uncertain whether this was fixed or not. addnetpr is
not specifically named in the advisory, which names netprint, which is
not specified in the original Bugtraq post. In addition, the date on
the advisory is one day earlier than that of the Bugtraq post, though
that could be a difference in time zones. It seems plausible that the
problem had already been patched (the researcher did say "There *was*
[a] race condition") so maybe SGI released this advisory after the
problem was publicized.

ADDREF BID:330
URL:http://www.securityfocus.com/bid/330

Note: this is a dupe of CVE-1999-1410, but CVE-1999-1410 will
be rejected in favor of CVE-1999-1286.

Name: CVE-1999-1287

Description:

Vulnerability in Analog 3.0 and earlier allows remote attackers to read arbitrary files via the forms interface.

Status:Candidate
Phase: Proposed (20010912)
Reference: CONFIRM:http://www.statslab.cam.ac.uk/~sret1/analog/security.html
Reference: XF:analog-remote-file(1410)
Reference: URL:https://exchange.xforce.ibmcloud.com/vulnerabilities/1410

Votes:
ACCEPT(4)  Armstrong, Cole, Frech, Stracener
NOOP(2)  Foat, Wall
Voter Comments:
CHANGE>  [Foat changed vote from ACCEPT to NOOP]

Name: CVE-1999-1288

Description:

Samba 1.9.18 inadvertently includes a prototype application, wsmbconf, which is installed with incorrect permissions including the setgid bit, which allows local users to read and write files and possibly gain privileges via bugs in the program.

Status:Entry
Reference: BUGTRAQ:19981119 Vulnerability in Samba on RedHat, Caldera and PHT TurboLinux
Reference: URL:http://www.securityfocus.com/archive/1/11397
Reference: CALDERA:SA-1998.35
Reference: URL:http://www.caldera.com/support/security/advisories/SA-1998.35.txt
Reference: XF:samba-wsmbconf(1406)
Reference: URL:https://exchange.xforce.ibmcloud.com/vulnerabilities/1406

Name: CVE-1999-1289

Description:

ICQ 98 beta on Windows NT leaks the internal IP address of a client in the TCP data segment of an ICQ packet instead of the public address (e.g. through NAT), which provides remote attackers with potentially sensitive information about the client or the internal network configuration.

Status:Candidate
Phase: Proposed (20010912)
Reference: BUGTRAQ:19981111 WARNING: Another ICQ IP address vulnerability
Reference: URL:http://www.securityfocus.com/archive/1/11233
Reference: XF:icq-ip-info(1398)
Reference: URL:https://exchange.xforce.ibmcloud.com/vulnerabilities/1398

Votes:
ACCEPT(3)  Cole, Frech, Wall
NOOP(1)  Foat
Voter Comments:
Frech>  Override EX-BETA in this case, since ICQ is always in beta
and is widely run in production environments.

Name: CVE-1999-1290

Description:

Buffer overflow in nftp FTP client version 1.40 allows remote malicious FTP servers to cause a denial of service, and possibly execute arbitrary commands, via a long response string.

Status:Entry
Reference: BUGTRAQ:19981117 nftp vulnerability (fwd)
Reference: URL:http://marc.info/?l=bugtraq&m=91127951426494&w=2
Reference: CONFIRM:http://www.ayukov.com/nftp/history.html
Reference: XF:nftp-bo(1397)
Reference: URL:https://exchange.xforce.ibmcloud.com/vulnerabilities/1397

Name: CVE-1999-1291

Description:

TCP/IP implementation in Microsoft Windows 95, Windows NT 4.0, and possibly others, allows remote attackers to reset connections by forcing a reset (RST) via a PSH ACK or other means, obtaining the target's last sequence number from the resulting packet, then spoofing a reset to the target.

Status:Candidate
Phase: Proposed (20010912)
Reference: BUGTRAQ:19981005 New Windows Vulnerability
Reference: URL:http://www.securityfocus.com/archive/1/10789
Reference: XF:nt-brkill(1383)
Reference: URL:https://exchange.xforce.ibmcloud.com/vulnerabilities/1383

Votes:
ACCEPT(3)  Cole, Frech, Wall
NOOP(2)  Christey, Foat
Voter Comments:
Christey>  Need to get feedback from MS on this.

Name: CVE-1999-1292

Description:

Buffer overflow in web administration feature of Kolban Webcam32 4.8.3 and earlier allows remote attackers to execute arbitrary commands via a long URL.

Status:Candidate
Phase: Proposed (20010912)
Reference: ISS:19980901 Remote Buffer Overflow in the Kolban Webcam32 Program
Reference: URL:http://xforce.iss.net/alerts/advise7.php
Reference: XF:webcam32-buffer-overflow(1366)
Reference: URL:https://exchange.xforce.ibmcloud.com/vulnerabilities/1366

Votes:
ACCEPT(1)  Frech
NOOP(3)  Cole, Foat, Wall
Voter Comments:


Name: CVE-1999-1293

Description:

mod_proxy in Apache 1.2.5 and earlier allows remote attackers to cause a denial of service via malformed FTP commands, which causes Apache to dump core.

Status:Candidate
Phase: Proposed (20010912)
Reference: BUGTRAQ:19980106 Apache security advisory
Reference: URL:http://marc.info/?l=bugtraq&m=88413292830649&w=2
Reference: CONFIRM:http://www.apache.org/info/security_bulletin_1.2.5.html

Votes:
ACCEPT(3)  Armstrong, Cole, Stracener
MODIFY(1)  Frech
NOOP(2)  Foat, Wall
Voter Comments:
Frech>  XF:apache-mod-proxy-dos(7249)
CONFIRM reference no longer seems to exist. BugTraq message
seems to be a confirmation/advisory, however.
CHANGE>  [Foat changed vote from ACCEPT to NOOP]

Name: CVE-1999-1294

Description:

Office Shortcut Bar (OSB) in Windows 3.51 enables backup and restore permissions, which are inherited by programs such as File Manager that are started from the Shortcut Bar, which could allow local users to read folders for which they do not have permission.

Status:Entry
Reference: MSKB:Q146604
Reference: URL:http://support.microsoft.com/support/kb/articles/q146/6/04.asp
Reference: XF:nt-filemgr(562)
Reference: URL:https://exchange.xforce.ibmcloud.com/vulnerabilities/562

Name: CVE-1999-1295

Description:

Transarc DCE Distributed File System (DFS) 1.1 for Solaris 2.4 and 2.5 does not properly initialize the grouplist for users who belong to a large number of groups, which could allow those users to gain access to resources that are protected by DFS.

Status:Candidate
Phase: Modified (20020218)
Reference: CERT:VB-96.16
Reference: URL:http://www.cert.org/vendor_bulletins/VB-96.16.transarc
Reference: XF:dfs-login-groups(7154)
Reference: URL:https://exchange.xforce.ibmcloud.com/vulnerabilities/7154

Votes:
ACCEPT(3)  Cole, Foat, Stracener
MODIFY(1)  Frech
NOOP(1)  Wall
Voter Comments:
Frech>  XF:dfs-login-groups(7154)

Name: CVE-1999-1296

Description:

Buffer overflow in Kerberos IV compatibility libraries as used in Kerberos V allows local users to gain root privileges via a long line in a kerberos configuration file, which can be specified via the KRB_CONF environmental variable.

Status:Candidate
Phase: Proposed (20010912)
Reference: BUGTRAQ:19970429 vulnerabilities in kerberos
Reference: URL:http://marc.info/?l=bugtraq&m=87602167420878&w=2

Votes:
MODIFY(1)  Frech
NOOP(2)  Cole, Foat
Voter Comments:
Frech>  XF:kerberos-config-file-bo(7184)

Name: CVE-1999-1297

Description:

cmdtool in OpenWindows 3.0 and XView 3.0 in SunOS 4.1.4 and earlier allows attackers with physical access to the system to display unechoed characters (such as those from password prompts) via the L2/AGAIN key.

Status:Entry
Reference: SUNBUG:1077164
Reference: URL:http://sunsolve.sun.com/pub-cgi/retrieve.pl?doc=fpatches%2F100452&zone_32=10045%2A%20
Reference: XF:sun-cmdtool-echo(7482)
Reference: URL:https://exchange.xforce.ibmcloud.com/vulnerabilities/7482

Name: CVE-1999-1298

Description:

Sysinstall in FreeBSD 2.2.1 and earlier, when configuring anonymous FTP, creates the ftp user without a password and with /bin/date as the shell, which could allow attackers to gain access to certain system resources.

Status:Entry
Reference: FREEBSD:FreeBSD-SA-97:03
Reference: URL:ftp://ftp.FreeBSD.org/pub/FreeBSD/CERT/advisories/old/FreeBSD-SA-97:03.sysinstall.asc
Reference: OSVDB:6087
Reference: URL:http://www.osvdb.org/6087
Reference: XF:freebsd-sysinstall-ftp-password(7537)
Reference: URL:http://www.iss.net/security_center/static/7537.php

Name: CVE-1999-1299

Description:

rcp on various Linux systems including Red Hat 4.0 allows a "nobody" user or other user with UID of 65535 to overwrite arbitrary files, since 65535 is interpreted as -1 by chown and other system calls, which causes the calls to fail to modify the ownership of the file.

Status:Candidate
Phase: Proposed (20010912)
Reference: BUGTRAQ:19970203 Linux rcp bug
Reference: URL:http://marc.info/?l=bugtraq&m=87602167420509&w=2

Votes:
MODIFY(1)  Frech
NOOP(2)  Cole, Foat
Voter Comments:
Frech>  XF:rcp-nobody-file-overwrite(7187)

Name: CVE-1999-1300

Description:

Vulnerability in accton in Cray UNICOS 6.1 and 6.0 allows local users to read arbitrary files and modify system accounting configuration.

Status:Candidate
Phase: Proposed (20010912)
Reference: CIAC:B-31
Reference: URL:http://ciac.llnl.gov/ciac/bulletins/b-31.shtml

Votes:
ACCEPT(4)  Armstrong, Cole, Foat, Stracener
MODIFY(1)  Frech
NOOP(1)  Wall
Voter Comments:
Frech>  XF:unicos-accton-read-files(7210)

Name: CVE-1999-1301

Description:

A design flaw in the Z-Modem protocol allows the remote sender of a file to execute arbitrary programs on the client, as implemented in rz in the rzsz module of FreeBSD before 2.1.5, and possibly other programs.

Status:Entry
Reference: CIAC:G-31
Reference: URL:http://ciac.llnl.gov/ciac/bulletins/g-31.shtml
Reference: FREEBSD:FreeBSD-SA-96:17
Reference: URL:ftp://ftp.FreeBSD.org/pub/FreeBSD/CERT/advisories/old/FreeBSD-SA-96:17.rzsz.asc
Reference: XF:rzsz-command-execution(7540)
Reference: URL:http://www.iss.net/security_center/static/7540.php

Name: CVE-1999-1302

Description:

Unspecified vulnerability in pt_chmod in SCO UNIX 4.2 and earlier allows local users to gain root access.

Status:Candidate
Phase: Modified (20070105)
Reference: CERT:VB-94:01
Reference: URL:http://ftp.cerias.purdue.edu/pub/advisories/cert/cert_bulletins/VB-94:01.sco
Reference: CIAC:F-05
Reference: URL:http://ciac.llnl.gov/ciac/bulletins/f-05.shtml
Reference: OSVDB:8797
Reference: URL:http://www.osvdb.org/8797
Reference: SCO:94:001
Reference: URL:http://ciac.llnl.gov/ciac/bulletins/f-05.shtml
Reference: XF:sco-pt_chmod(7586)
Reference: URL:https://exchange.xforce.ibmcloud.com/vulnerabilities/7586

Votes:
ACCEPT(3)  Cole, Foat, Stracener
MODIFY(1)  Frech
Voter Comments:
Frech>  XF:sco-pt_chmod(7586)

Name: CVE-1999-1303

Description:

Vulnerability in prwarn in SCO UNIX 4.2 and earlier allows local users to gain root access.

Status:Candidate
Phase: Proposed (20010912)
Reference: CIAC:F-05
Reference: URL:http://ciac.llnl.gov/ciac/bulletins/f-05.shtml
Reference: SCO:94:001
Reference: URL:http://ciac.llnl.gov/ciac/bulletins/f-05.shtml

Votes:
ACCEPT(3)  Cole, Foat, Stracener
MODIFY(1)  Frech
Voter Comments:
Frech>  XF:sco-prwarn(7587)

Name: CVE-1999-1304

Description:

Vulnerability in login in SCO UNIX 4.2 and earlier allows local users to gain root access.

Status:Candidate
Phase: Proposed (20010912)
Reference: CIAC:F-05
Reference: URL:http://ciac.llnl.gov/ciac/bulletins/f-05.shtml
Reference: SCO:94:001
Reference: URL:http://ciac.llnl.gov/ciac/bulletins/f-05.shtml

Votes:
ACCEPT(3)  Cole, Foat, Stracener
MODIFY(1)  Frech
Voter Comments:
Frech>  XF:sco-login(7588)

Name: CVE-1999-1305

Description:

Vulnerability in "at" program in SCO UNIX 4.2 and earlier allows local users to gain root access.

Status:Candidate
Phase: Proposed (20010912)
Reference: CIAC:F-05
Reference: URL:http://ciac.llnl.gov/ciac/bulletins/f-05.shtml
Reference: SCO:94:001
Reference: URL:http://ciac.llnl.gov/ciac/bulletins/f-05.shtml

Votes:
ACCEPT(3)  Cole, Foat, Stracener
MODIFY(1)  Frech
Voter Comments:
Frech>  XF:sco-at(7589)

Name: CVE-1999-1306

Description:

Cisco IOS 9.1 and earlier does not properly handle extended IP access lists when the IP route cache is enabled and the "established" keyword is set, which could allow attackers to bypass filters.

Status:Candidate
Phase: Proposed (20010912)
Reference: CERT:CA-1992-20
Reference: URL:http://www.cert.org/advisories/CA-1992-20.html

Votes:
ACCEPT(3)  Cole, Foat, Stracener
MODIFY(1)  Frech
NOOP(1)  Wall
REVIEWING(1)  Christey
Voter Comments:
Frech>  XF:cisco-acl-established(1248)
Possibly duplicate with CVE-1999-0162?
Christey>  Might be a duplicate of CVE-1999-0162, but CVE-1999-0162 was
released in 1995, whereas this bug was released in 1992.

Name: CVE-1999-1307

Description:

Vulnerability in urestore in Novell UnixWare 1.1 allows local users to gain root privileges.

Status:Candidate
Phase: Proposed (20010912)
Reference: BUGTRAQ:19941209 Novell security advisory on sadc, urestore and the suid_exec feature
Reference: URL:http://www.dataguard.no/bugtraq/1994_4/0676.html
Reference: CIAC:F-06
Reference: URL:http://ciac.llnl.gov/ciac/bulletins/f-06.shtml

Votes:
ACCEPT(4)  Armstrong, Cole, Foat, Stracener
MODIFY(1)  Frech
NOOP(1)  Wall
Voter Comments:
Frech>  XF:novell-unixware-urestore-root(7211)

Name: CVE-1999-1308

Description:

Certain programs in HP-UX 10.20 do not properly handle large user IDs (UID) or group IDs (GID) over 60000, which could allow local users to gain privileges.

Status:Candidate
Phase: Modified (20020218)
Reference: CIAC:H-09
Reference: URL:http://ciac.llnl.gov/ciac/bulletins/h-09.shtml
Reference: CIAC:H-91
Reference: URL:http://ciac.llnl.gov/ciac/bulletins/h-91.shtml
Reference: HP:HPSBUX9611-041
Reference: URL:http://ciac.llnl.gov/ciac/bulletins/h-91.shtml
Reference: XF:hp-large-uid-gid(7594)
Reference: URL:http://www.iss.net/security_center/static/7594.php

Votes:
ACCEPT(3)  Cole, Foat, Stracener
MODIFY(1)  Frech
Voter Comments:
Frech>  XF:hp-large-uid-gid(7594)

Name: CVE-1999-1309

Description:

Sendmail before 8.6.7 allows local users to gain root access via a large value in the debug (-d) command line option.

Status:Entry
Reference: BUGTRAQ:19940314 sendmail -d problem (OLD yet still here)
Reference: URL:http://www.dataguard.no/bugtraq/1994_1/0040.html
Reference: BUGTRAQ:19940315 Security problem in sendmail versions 8.x.x
Reference: URL:http://www.dataguard.no/bugtraq/1994_1/0048.html
Reference: BUGTRAQ:19940315 anyone know details?
Reference: URL:http://www.dataguard.no/bugtraq/1994_1/0042.html
Reference: BUGTRAQ:19940315 so...
Reference: URL:http://www.dataguard.no/bugtraq/1994_1/0043.html
Reference: BUGTRAQ:19940327 sendmail exploit script - resend
Reference: URL:http://www.dataguard.no/bugtraq/1994_1/0078.html
Reference: CERT:CA-1994-12
Reference: URL:http://www.cert.org/advisories/CA-94.12.sendmail.vulnerabilities
Reference: XF:sendmail-debug-gain-root(7155)
Reference: URL:https://exchange.xforce.ibmcloud.com/vulnerabilities/7155

Name: CVE-1999-1310

Description:

** REJECT ** DO NOT USE THIS CANDIDATE NUMBER. ConsultIDs: CVE-1999-1022. Reason: This candidate is a duplicate of CVE-1999-1022. Notes: All CVE users should reference CVE-1999-1022 instead of this candidate. All references and descriptions in this candidate have been removed to prevent accidental usage.

Status:Candidate
Phase: Modified (20050204)

Votes:
ACCEPT(3)  Cole, Foat, Stracener
REJECT(2)  Christey, Frech
Voter Comments:
Frech>  DUPE CVE-1999-1022
Christey>  As noted by Andre Frech, this is a duplicate of CVE-1999-1022.
The references from this candidate will be added to
CVE-1999-1022.

Name: CVE-1999-1311

Description:

Vulnerability in dtlogin and dtsession in HP-UX 10.20 and 10.10 allows local users to bypass authentication and gain privileges.

Status:Candidate
Phase: Proposed (20010912)
Reference: CIAC:H-21
Reference: URL:http://ciac.llnl.gov/ciac/bulletins/h-21.shtml
Reference: HP:HPSBUX9701-046
Reference: URL:http://ciac.llnl.gov/ciac/bulletins/h-21.shtml

Votes:
ACCEPT(3)  Cole, Foat, Stracener
MODIFY(1)  Frech
Voter Comments:
Frech>  XF:hp-dt-bypass-auth(7668)
ACKNOWLEDGED-BY-VENDOR

Name: CVE-1999-1312

Description:

Vulnerability in DEC OpenVMS VAX 5.5-2 through 5.0, and OpenVMS AXP 1.0, allows local users to gain system privileges.

Status:Candidate
Phase: Modified (20020218)
Reference: CERT:CA-1993-05
Reference: URL:http://www.cert.org/advisories/CA-1993-05.html
Reference: XF:openvms-local-privilege-elevation(7142)
Reference: URL:https://exchange.xforce.ibmcloud.com/vulnerabilities/7142

Votes:
ACCEPT(3)  Cole, Foat, Stracener
MODIFY(1)  Frech
NOOP(1)  Wall
Voter Comments:
Frech>  XF:openvms-local-privilege-elevation(7142)

Name: CVE-1999-1313

Description:

Manual page reader (man) in FreeBSD 2.2 and earlier allows local users to gain privileges via a sequence of commands.

Status:Candidate
Phase: Modified (20020218)
Reference: CIAC:G-24
Reference: URL:http://ciac.llnl.gov/ciac/bulletins/g-24.shtml
Reference: FREEBSD:FreeBSD-SA-96:11
Reference: URL:ftp://ftp.FreeBSD.org/pub/FreeBSD/CERT/advisories/old/FreeBSD-SA-96:11.man.asc
Reference: XF:bsd-man-command-sequence(7348)
Reference: URL:https://exchange.xforce.ibmcloud.com/vulnerabilities/7348

Votes:
ACCEPT(3)  Cole, Foat, Stracener
MODIFY(1)  Frech
Voter Comments:
Frech>  XF:bsd-man-command-sequence(7348)

Name: CVE-1999-1314

Description:

Vulnerability in union file system in FreeBSD 2.2 and earlier, and possibly other operating systems, allows local users to cause a denial of service (system reload) via a series of certain mount_union commands.

Status:Candidate
Phase: Modified (20020218)
Reference: CIAC:G-24
Reference: URL:http://ciac.llnl.gov/ciac/bulletins/g-24.shtml
Reference: FREEBSD:FreeBSD-SA-96:10
Reference: URL:ftp://ftp.FreeBSD.org/pub/FreeBSD/CERT/advisories/old/FreeBSD-SA-96:10.mount_union.asc
Reference: XF:unionfs-mount-ordering(7429)
Reference: URL:http://www.iss.net/security_center/static/7429.php

Votes:
ACCEPT(3)  Cole, Foat, Stracener
MODIFY(1)  Frech
Voter Comments:
Frech>  XF:unionfs-mount-ordering(7429)

Name: CVE-1999-1315

Description:

Vulnerabilities in DECnet/OSI for OpenVMS before 5.8 on DEC Alpha AXP and VAX/VMS systems allow local users to gain privileges or cause a denial of service.

Status:Candidate
Phase: Proposed (20010912)
Reference: CIAC:F-04
Reference: URL:http://ciac.llnl.gov/ciac/bulletins/f-04.shtml

Votes:
ACCEPT(4)  Armstrong, Cole, Foat, Stracener
MODIFY(1)  Frech
NOOP(1)  Wall
Voter Comments:
Frech>  XF:openvms-decnetosi-gain-privileges(7212)

Name: CVE-1999-1316

Description:

Passfilt.dll in Windows NT SP2 allows users to create a password that contains the user's name, which could make it easier for an attacker to guess.

Status:Entry
Reference: MSKB:Q247975
Reference: URL:http://support.microsoft.com/support/kb/articles/Q247/9/75.asp
Reference: XF:passfilt-fullname(7391)
Reference: URL:https://exchange.xforce.ibmcloud.com/vulnerabilities/7391

Name: CVE-1999-1317

Description:

Windows NT 4.0 SP4 and earlier allows local users to gain privileges by modifying the symbolic link table in the \?? object folder using a different case letter (upper or lower) to point to a different device.

Status:Entry
Reference: MSKB:Q222159
Reference: URL:http://support.microsoft.com/support/kb/articles/q222/1/59.asp
Reference: NTBUGTRAQ:19990312 [ ALERT ] Case Sensitivity and Symbolic Links
Reference: URL:http://marc.info/?l=ntbugtraq&m=92127046701349&w=2
Reference: NTBUGTRAQ:19990314 AW: [ ALERT ] Case Sensitivity and Symbolic Links
Reference: URL:http://marc.info/?l=ntbugtraq&m=92162979530341&w=2
Reference: XF:nt-symlink-case(7398)
Reference: URL:https://exchange.xforce.ibmcloud.com/vulnerabilities/7398

Name: CVE-1999-1318

Description:

/usr/5bin/su in SunOS 4.1.3 and earlier uses a search path that includes the current working directory (.), which allows local users to gain privileges via Trojan horse programs.

Status:Entry
Reference: SUNBUG:1121935
Reference: URL:http://sunsolve.sun.com/pub-cgi/retrieve.pl?doc=fpatches%2F100630&zone_32=112193%2A%20
Reference: XF:sun-su-path(7480)
Reference: URL:http://www.iss.net/security_center/static/7480.php

Name: CVE-1999-1319

Description:

Vulnerability in object server program in SGI IRIX 5.2 through 6.1 allows remote attackers to gain root privileges in certain configurations.

Status:Candidate
Phase: Modified (20020218)
Reference: SGI:19960101-01-PX
Reference: URL:ftp://patches.sgi.com/support/free/security/advisories/19960101-01-PX
Reference: XF:irix-object-server(7430)
Reference: URL:http://www.iss.net/security_center/static/7430.php

Votes:
ACCEPT(3)  Cole, Foat, Stracener
MODIFY(1)  Frech
Voter Comments:
Frech>  XF:irix-object-server(7430)

Name: CVE-1999-1320

Description:

Vulnerability in Novell NetWare 3.x and earlier allows local users to gain privileges via packet spoofing.

Status:Entry
Reference: CIAC:D-01
Reference: URL:http://ciac.llnl.gov/ciac/bulletins/d-01.shtml
Reference: XF:netware-packet-spoofing-privileges(7213)
Reference: URL:http://www.iss.net/security_center/static/7213.php

Name: CVE-1999-1321

Description:

Buffer overflow in ssh 1.2.26 client with Kerberos V enabled could allow remote attackers to cause a denial of service or execute arbitrary commands via a long DNS hostname that is not properly handled during TGT ticket passing.

Status:Entry
Reference: BUGTRAQ:19981105 security patch for ssh-1.2.26 kerberos code
Reference: URL:http://lists.netspace.org/cgi-bin/wa?A2=ind9811A&L=bugtraq&P=R4814
Reference: OSVDB:4883
Reference: URL:http://www.osvdb.org/4883

Name: CVE-1999-1322

Description:

The installation of 1ArcServe Backup and Inoculan AV client modules for Exchange creates a log file, exchverify.log, which contains usernames and passwords in plaintext.

Status:Candidate
Phase: Proposed (20010912)
Reference: NTBUGTRAQ:19981112 exchverify.log
Reference: URL:http://marc.info/?l=ntbugtraq&m=91096758513985&w=2
Reference: NTBUGTRAQ:19981117 Re: exchverify.log - update #1
Reference: URL:http://marc.info/?l=ntbugtraq&m=91133714919229&w=2
Reference: NTBUGTRAQ:19981125 Re: exchverify.log - update #2
Reference: NTBUGTRAQ:19981216 Arcserve Exchange Client security issue being fixed
Reference: NTBUGTRAQ:19990305 Cheyenne InocuLAN for Exchange plain text password still there
Reference: NTBUGTRAQ:19990426 ArcServe Exchange Client Security Issue still unresolved

Votes:
NOOP(3)  Cole, Foat, Wall
Voter Comments:


Name: CVE-1999-1323

Description:

Norton AntiVirus for Internet Email Gateways (NAVIEG) 1.0.1.7 and earlier, and Norton AntiVirus for MS Exchange (NAVMSE) 1.5 and earlier, store the administrator password in cleartext in (1) the navieg.ini file for NAVIEG, and (2) the ModifyPassword registry key in NAVMSE.

Status:Candidate
Phase: Proposed (20010912)
Reference: NTBUGTRAQ:19990409 NAV for MS Exchange & Internet Email Gateways
Reference: URL:http://marc.info/?l=ntbugtraq&m=92370067416739&w=2

Votes:
ACCEPT(1)  Prosser
MODIFY(1)  Frech
NOOP(3)  Cole, Foat, Wall
Voter Comments:
Frech>  XF:nav-admin-password(7543)
Prosser>  This has been since corrected in later releases.

Name: CVE-1999-1324

Description:

VAXstations running Open VMS 5.3 through 5.5-2 with VMS DECwindows or MOTIF do not properly disable access to user accounts that exceed the break-in limit threshold for failed login attempts, which makes it easier for attackers to conduct brute force password guessing.

Status:Entry
Reference: CIAC:D-06
Reference: URL:http://ciac.llnl.gov/ciac/bulletins/d-06.shtml
Reference: XF:openvms-sysgen-enabled(7225)
Reference: URL:https://exchange.xforce.ibmcloud.com/vulnerabilities/7225

Name: CVE-1999-1325

Description:

SAS System 5.18 on VAX/VMS is installed with insecure permissions for its directories and startup file, which allows local users to gain privileges.

Status:Entry
Reference: CIAC:C-19
Reference: URL:http://ciac.llnl.gov/ciac/bulletins/c-19.shtml
Reference: XF:vaxvms-sas-gain-privileges(7261)
Reference: URL:https://exchange.xforce.ibmcloud.com/vulnerabilities/7261

Name: CVE-1999-1326

Description:

wu-ftpd 2.4 FTP server does not properly drop privileges when an ABOR (abort file transfer) command is executed during a file transfer, which causes a signal to be handled incorrectly and allows local and possibly remote attackers to read arbitrary files.

Status:Entry
Reference: BUGTRAQ:19970104 serious security bug in wu-ftpd v2.4
Reference: URL:http://marc.info/?l=bugtraq&m=87602167420401&w=2
Reference: BUGTRAQ:19970105 BoS: serious security bug in wu-ftpd v2.4 -- PATCH
Reference: URL:http://marc.info/?l=bugtraq&m=87602167420408&w=2
Reference: XF:wuftpd-abor-gain-privileges(7169)
Reference: URL:https://exchange.xforce.ibmcloud.com/vulnerabilities/7169

Name: CVE-1999-1327

Description:

Buffer overflow in linuxconf 1.11r11-rh2 on Red Hat Linux 5.1 allows local users to gain root privileges via a long LANG environmental variable.

Status:Entry
Reference: BUGTRAQ:19980601 Re: SECURITY: Red Hat Linux 5.1 linuxconf bug (fwd)
Reference: URL:http://marc.info/?l=bugtraq&m=90221103125826&w=2
Reference: CONFIRM:http://www.redhat.com/support/errata/rh51-errata-general.html#linuxconf
Reference: OSVDB:6065
Reference: URL:http://www.osvdb.org/6065
Reference: XF:linuxconf-lang-bo(7239)
Reference: URL:http://www.iss.net/security_center/static/7239.php

Name: CVE-1999-1328

Description:

linuxconf before 1.11.r11-rh3 on Red Hat Linux 5.1 allows local users to overwrite arbitrary files and gain root access via a symlink attack.

Status:Entry
Reference: BUGTRAQ:19980823 Security concerns in linuxconf shipped w/RedHat 5.1
Reference: URL:http://marc.info/?l=bugtraq&m=90383955231511&w=2
Reference: BUGTRAQ:19980826 [djb@redhat.com: Unidentified subject!]
Reference: CONFIRM:http://www.redhat.com/support/errata/rh51-errata-general.html#linuxconf
Reference: OSVDB:6068
Reference: URL:http://www.osvdb.org/6068
Reference: XF:linuxconf-symlink-gain-privileges(7232)
Reference: URL:http://www.iss.net/security_center/static/7232.php

Name: CVE-1999-1329

Description:

Buffer overflow in SysVInit in Red Hat Linux 5.1 and earlier allows local users to gain privileges.

Status:Entry
Reference: CONFIRM:http://www.redhat.com/support/errata/rh50-errata-general.html#SysVinit
Reference: XF:sysvinit-root-bo(7250)
Reference: URL:http://www.iss.net/security_center/static/7250.php

Name: CVE-1999-1330

Description:

The snprintf function in the db library 1.85.4 ignores the size parameter, which could allow attackers to exploit buffer overflows that would be prevented by a properly implemented snprintf.

Status:Entry
Reference: BUGTRAQ:19970709 [linux-security] so-called snprintf() in db-1.85.4 (fwd)
Reference: URL:http://marc.info/?l=bugtraq&m=87602661419259&w=2
Reference: CONFIRM:http://lists.openresources.com/Debian/debian-bugs-closed/msg00581.html
Reference: CONFIRM:http://www.redhat.com/support/errata/rh42-errata-general.html#db
Reference: XF:linux-libdb-snprintf-bo(7244)
Reference: URL:http://www.iss.net/security_center/static/7244.php

Name: CVE-1999-1331

Description:

netcfg 2.16-1 in Red Hat Linux 4.2 allows the Ethernet interface to be controlled by users on reboot when an option is set, which allows local users to cause a denial of service by shutting down the interface.

Status:Entry
Reference: CONFIRM:http://www.redhat.com/support/errata/rh42-errata-general.html#netcfg
Reference: XF:netcfg-ethernet-dos(7245)
Reference: URL:http://www.iss.net/security_center/static/7245.php

Name: CVE-1999-1332

Description:

gzexe in the gzip package on Red Hat Linux 5.0 and earlier allows local users to overwrite files of other users via a symlink attack on a temporary file.

Status:Entry
Reference: BID:7845
Reference: URL:http://www.securityfocus.com/bid/7845
Reference: BUGTRAQ:19980128 GZEXE - the big problem
Reference: URL:http://marc.info/?l=bugtraq&m=88603844115233&w=2
Reference: CONFIRM:http://www.redhat.com/support/errata/rh50-errata-general.html#gzip
Reference: DEBIAN:DSA-308
Reference: URL:http://www.debian.org/security/2003/dsa-308
Reference: OSVDB:3812
Reference: URL:http://www.osvdb.org/3812
Reference: XF:gzip-gzexe-tmp-symlink(7241)
Reference: URL:http://www.iss.net/security_center/static/7241.php

Name: CVE-1999-1333

Description:

automatic download option in ncftp 2.4.2 FTP client in Red Hat Linux 5.0 and earlier allows remote attackers to execute arbitrary commands via shell metacharacters in the names of files that are to be downloaded.

Status:Entry
Reference: BUGTRAQ:19980319 ncftp 2.4.2 MkDirs bug
Reference: URL:http://marc.info/?l=bugtraq&m=89042322924057&w=2
Reference: CONFIRM:http://www.redhat.com/support/errata/rh50-errata-general.html#ncftp
Reference: OSVDB:6111
Reference: URL:http://www.osvdb.org/6111
Reference: XF:ncftp-autodownload-command-execution(7240)
Reference: URL:http://www.iss.net/security_center/static/7240.php

Name: CVE-1999-1334

Description:

Multiple buffer overflows in filter command in Elm 2.4 allow attackers to execute arbitrary commands via (1) long From: headers, (2) long Reply-To: headers, or (3) via a long -f (filterfile) command line argument.

Status:Candidate
Phase: Proposed (20010912)
Reference: BUGTRAQ:19980129 KSR[T] Advisory #7: filter
Reference: URL:http://marc.info/?l=bugtraq&m=88609666024181&w=2
Reference: CONFIRM:http://www.redhat.com/support/errata/rh50-errata-general.html#elm

Votes:
ACCEPT(3)  Cole, Foat, Stracener
MODIFY(1)  Frech
NOOP(2)  Armstrong, Wall
Voter Comments:
Frech>  XF:elm-filter-getfilterrules-bo(7214)
XF:elm-filter2(711)

Name: CVE-1999-1335

Description:

snmpd server in cmu-snmp SNMP package before 3.3-1 in Red Hat Linux 4.0 is configured to allow remote attackers to read and write sensitive information.

Status:Entry
Reference: CONFIRM:http://www.redhat.com/support/errata/rh40-errata-general.html#cmu-snmp
Reference: XF:cmusnmp-read-write(7251)
Reference: URL:https://exchange.xforce.ibmcloud.com/vulnerabilities/7251

Name: CVE-1999-1336

Description:

3Com HiPer Access Router Card (HiperARC) 4.0 through 4.2.29 allows remote attackers to cause a denial of service (reboot) via a flood of IAC packets to the telnet port.

Status:Entry
Reference: BUGTRAQ:19990812 3com hiperarch flaw [hiperbomb.c]
Reference: URL:http://marc.info/?l=bugtraq&m=93458364903256&w=2
Reference: BUGTRAQ:19990816 Re: 3com hiperarch flaw [hiperbomb.c]
Reference: URL:http://marc.info/?l=bugtraq&m=93492615408725&w=2
Reference: OSVDB:6057
Reference: URL:http://www.osvdb.org/6057

Name: CVE-1999-1337

Description:

FTP client in Midnight Commander (mc) before 4.5.11 stores usernames and passwords for visited sites in plaintext in the world-readable history file, which allows other local users to gain privileges.

Status:Entry
Reference: BUGTRAQ:19990801 midnight commander vulnerability(?) (fwd)
Reference: URL:http://marc.info/?l=bugtraq&m=93370073207984&w=2
Reference: OSVDB:5921
Reference: URL:http://www.osvdb.org/5921
Reference: XF:midnight-commander-data-disclosure(9873)
Reference: URL:http://www.iss.net/security_center/static/9873.php

Name: CVE-1999-1338

Description:

Delegate proxy 5.9.3 and earlier creates files and directories in the DGROOT with world-writable permissions.

Status:Candidate
Phase: Proposed (20010912)
Reference: BUGTRAQ:19990721 Delegate creates directories writable for anyone
Reference: URL:http://marc.info/?l=bugtraq&m=93259112204664&w=2

Votes:
MODIFY(1)  Frech
NOOP(3)  Cole, Foat, Wall
Voter Comments:
Frech>  XF:delegate-dgroot-permissions(8438)

Name: CVE-1999-1339

Description:

Vulnerability when Network Address Translation (NAT) is enabled in Linux 2.2.10 and earlier with ipchains, or FreeBSD 3.2 with ipfw, allows remote attackers to cause a denial of service (kernel panic) via a ping -R (record route) command.

Status:Entry
Reference: BUGTRAQ:19990722 Linux +ipchains+ ping -R
Reference: URL:http://marc.info/?l=bugtraq&m=93277426802802&w=2
Reference: BUGTRAQ:19990722 Re: ping -R causes kernel panic on a forwarding machine ( 2.2.5 a nd 2 .2.10)
Reference: URL:http://marc.info/?l=bugtraq&m=93277766505061&w=2
Reference: CONFIRM:http://www.kernel.org/pub/linux/kernel/v2.2/patch-2.2.11.gz
Reference: OSVDB:6105
Reference: URL:http://www.osvdb.org/6105
Reference: XF:ipchains-ping-route-dos(7257)
Reference: URL:http://www.iss.net/security_center/static/7257.php

Name: CVE-1999-1340

Description:

Buffer overflow in faxalter in hylafax 4.0.2 allows local users to gain privileges via a long -m command line argument.

Status:Candidate
Phase: Proposed (20010912)
Reference: BID:765
Reference: URL:http://www.securityfocus.com/bid/765
Reference: BUGTRAQ:19991104 hylafax-4.0.2 local exploit
Reference: URL:http://marc.info/?l=bugtraq&m=94173799532589&w=2

Votes:
MODIFY(1)  Frech
NOOP(3)  Cole, Foat, Wall
Voter Comments:
Frech>  XF:hylafax-faxalter-gain-privs(3453)
Proper spelling of the product is HylaFAX (see
http://www.hylafax.org/)

Name: CVE-1999-1341

Description:

Linux kernel before 2.3.18 or 2.2.13pre15, with SLIP and PPP options, allows local unprivileged users to forge IP packets via the TIOCSETD option on tty devices.

Status:Entry
Reference: BUGTRAQ:19991022 Local user can send forged packets
Reference: URL:http://marc.info/?l=bugtraq&m=94061108411308&w=2
Reference: XF:linux-tiocsetd-forge-packets(7858)
Reference: URL:https://exchange.xforce.ibmcloud.com/vulnerabilities/7858

Name: CVE-1999-1342

Description:

ICQ ActiveList Server allows remote attackers to cause a denial of service (crash) via malformed packets to the server's UDP port.

Status:Candidate
Phase: Proposed (20010912)
Reference: NTBUGTRAQ:19991017 ICQ ActiveList Server Exploit...
Reference: URL:http://marc.info/?l=ntbugtraq&m=94042342010662&w=2

Votes:
MODIFY(1)  Frech
NOOP(3)  Cole, Foat, Wall
Voter Comments:
Frech>  XF:icq-activelist-udp-dos(7877)

Name: CVE-1999-1343

Description:

HTTP server for Xerox DocuColor 4 LP allows remote attackers to cause a denial of service (hang) via a long URL that contains a large number of . characters.

Status:Candidate
Phase: Proposed (20010912)
Reference: BUGTRAQ:19991013 Xerox DocuColor 4 LP D.O.S
Reference: URL:http://marc.info/?l=bugtraq&m=93986405412867&w=2

Votes:
MODIFY(1)  Frech
NOOP(3)  Cole, Foat, Wall
Voter Comments:
Frech>  XF:xerox-docucolor4lp-dos(8041)

Name: CVE-1999-1344

Description:

Auto_FTP.pl script in Auto_FTP 0.2 stores usernames and passwords in plaintext in the auto_ftp.conf configuration file.

Status:Candidate
Phase: Proposed (20010912)
Reference: BUGTRAQ:19991005 Auto_FTP v0.02 Advisory
Reference: URL:http://marc.info/?l=bugtraq&m=93923873006014&w=2

Votes:
MODIFY(1)  Frech
NOOP(3)  Cole, Foat, Wall
Voter Comments:
Frech>  XF:autoftp-plaintext-password(8045)

Name: CVE-1999-1345

Description:

Auto_FTP.pl script in Auto_FTP 0.2 uses the /tmp/ftp_tmp as a shared directory with insecure permissions, which allows local users to (1) send arbitrary files to the remote server by placing them in the directory, and (2) view files that are being transferred.

Status:Candidate
Phase: Proposed (20010912)
Reference: BUGTRAQ:19991005 Auto_FTP v0.02 Advisory
Reference: URL:http://marc.info/?l=bugtraq&m=93923873006014&w=2

Votes:
MODIFY(1)  Frech
NOOP(3)  Cole, Foat, Wall
Voter Comments:
Frech>  XF:autoftp-shared-directory(8047)

Name: CVE-1999-1346

Description:

PAM configuration file for rlogin in Red Hat Linux 6.1 and earlier includes a less restrictive rule before a more restrictive one, which allows users to access the host via rlogin even if rlogin has been explicitly disabled using the /etc/nologin file.

Status:Candidate
Phase: Proposed (20010912)
Reference: BUGTRAQ:19991007 Problems with redhat 6 Xsession and pam.d/rlogin.
Reference: URL:http://marc.info/?l=bugtraq&m=93942774609925&w=2

Votes:
MODIFY(1)  Frech
NOOP(3)  Cole, Foat, Wall
Voter Comments:
Frech>  XF:pam-rlogin-bypass(8315)

Name: CVE-1999-1347

Description:

Xsession in Red Hat Linux 6.1 and earlier can allow local users with restricted accounts to bypass execution of the .xsession file by starting kde, gnome or anotherlevel from kdm.

Status:Candidate
Phase: Proposed (20010912)
Reference: BUGTRAQ:19991007 Problems with redhat 6 Xsession and pam.d/rlogin.
Reference: URL:http://marc.info/?l=bugtraq&m=93942774609925&w=2

Votes:
MODIFY(1)  Frech
NOOP(3)  Cole, Foat, Wall
Voter Comments:
Frech>  XF:xsession-bypass(8316)

Name: CVE-1999-1348

Description:

Linuxconf on Red Hat Linux 6.0 and earlier does not properly disable PAM-based access to the shutdown command, which could allow local users to cause a denial of service.

Status:Candidate
Phase: Proposed (20010912)
Reference: BUGTRAQ:19990630 linuxconf doesn't seem to deal correctly with /etc/pam.d/reboot
Reference: URL:http://marc.info/?l=bugtraq&m=93220073515880&w=2

Votes:
ACCEPT(1)  Cole
MODIFY(1)  Frech
NOOP(2)  Foat, Wall
Voter Comments:
Frech>  XF:linuxconf-pam-shutdown-dos(8437)

Name: CVE-1999-1349

Description:

NFS daemon (nfsd.exe) for Omni-NFS/X 6.1 allows remote attackers to cause a denial of service (resource exhaustion) via certain packets, possibly with the Urgent (URG) flag set, to port 111.

Status:Candidate
Phase: Proposed (20010912)
Reference: BUGTRAQ:19991006 Omni-NFS/X Enterprise (nfsd.exe) DOS
Reference: URL:http://marc.info/?l=bugtraq&m=93923679004325&w=2

Votes:
MODIFY(1)  Frech
NOOP(3)  Cole, Foat, Wall
Voter Comments:
Frech>  XF:xlink-nfsd-dos(8317)

Name: CVE-1999-1350

Description:

ARCAD Systemhaus 0.078-5 installs critical programs and files with world-writeable permissions, which could allow local users to gain privileges by replacing a program with a Trojan horse.

Status:Candidate
Phase: Proposed (20010912)
Reference: BUGTRAQ:19990929 Multiple Vendor ARCAD permission problems
Reference: URL:http://marc.info/?l=bugtraq&m=93871933521519&w=2

Votes:
MODIFY(1)  Frech
NOOP(3)  Cole, Foat, Wall
Voter Comments:
Frech>  XF:arcad-insecure-permissions(8318)

Name: CVE-1999-1351

Description:

Directory traversal vulnerability in KVIrc IRC client 0.9.0 with the "Listen to !nick <soundname> requests" option enabled allows remote attackers to read arbitrary files via a .. (dot dot) in a DCC GET request.

Status:Entry
Reference: BUGTRAQ:19990924 Kvirc bug
Reference: URL:http://marc.info/?l=bugtraq&m=93845560631314&w=2
Reference: XF:kvirc-dot-directory-traversal(7761)
Reference: URL:http://www.iss.net/security_center/static/7761.php

Name: CVE-1999-1352

Description:

mknod in Linux 2.2 follows symbolic links, which could allow local users to overwrite files or gain privileges.

Status:Candidate
Phase: Proposed (20010912)
Reference: BUGTRAQ:19990928 Re: [Fwd: Truth about ssh 1.2.27 vulnerabiltiy]
Reference: URL:http://marc.info/?l=bugtraq&m=93855134409747&w=2

Votes:
MODIFY(1)  Frech
NOOP(3)  Cole, Foat, Wall
Voter Comments:
Frech>  XF:mknod-symlink(8319)

Name: CVE-1999-1353

Description:

Nosque MsgCore 2.14 stores passwords in cleartext: (1) the administrator password in the AdmPasswd registry key, and (2) user passwords in the Userbase.dbf data file, which could allow local users to gain privileges.

Status:Candidate
Phase: Proposed (20010912)
Reference: BUGTRAQ:19990907 MsgCore mailserver stores passwords in clear text
Reference: URL:http://marc.info/?l=ntbugtraq&m=93698162708211&w=2

Votes:
MODIFY(1)  Frech
NOOP(3)  Cole, Foat, Wall
Voter Comments:
Frech>  XF:msgcore-plaintext-passwords(8271)
BUGTRAQ Reference is actually NTBUGTRAQ.

Name: CVE-1999-1354

Description:

E-mail client in Softarc FirstClass Internet Server 5.506 and earlier stores usernames and passwords in cleartext in the files (1) home.fc for version 5.506, (2) network.fc for version 3.5, or (3) FCCLIENT.LOG when logging is enabled.

Status:Candidate
Phase: Proposed (20010912)
Reference: NTBUGTRAQ:19990830 SoftArc's FirstClass E-mail Client
Reference: URL:http://marc.info/?l=ntbugtraq&m=93637687305327&w=2
Reference: NTBUGTRAQ:19990909 SoftArc's FirstClass E-mail Client
Reference: URL:http://marc.info/?l=ntbugtraq&m=93698283309513&w=2

Votes:
ACCEPT(1)  Cole
MODIFY(1)  Frech
NOOP(3)  Christey, Foat, Wall
Voter Comments:
Frech>  (Task 1766)
CHANGE>  [Frech changed vote from REVIEWING to MODIFY]
Frech>  XF:firstclass-plaintext-account(9874)
Christey>  The following reference is for the FCCLIENT.LOG piece:
ADDREF NTBUGTRAQ:19990911 Re: SoftArc's FirstClass E-mail Client
URL:http://archives.neohapsis.com/archives/ntbugtraq/1999-q3/0189.html

Name: CVE-1999-1355

Description:

BMC Patrol component, when installed with Compaq Insight Management Agent 4.23 and earlier, or Management Agents for Servers 4.40 and earlier, creates a PFCUser account with a default password and potentially dangerous privileges.

Status:Candidate
Phase: Proposed (20010912)
Reference: CONFIRM:http://www.compaq.com/products/servers/management/advisory.html
Reference: NTBUGTRAQ:19990817 Compaq PFCUser account
Reference: URL:http://marc.info/?l=ntbugtraq&m=93542118727732&w=2
Reference: NTBUGTRAQ:19990905 Case ID SSRT0620 - PFCUser account communication
Reference: URL:http://marc.info/?l=ntbugtraq&m=93654336516711&w=2
Reference: NTBUGTRAQ:19990915 (I) UPDATE - PFCUser Account,
Reference: URL:http://marc.info/?l=ntbugtraq&m=93759822430801&w=2
Reference: NTBUGTRAQ:19991105 UPDATE: SSRT0620 Compaq Foundation Agents v4.40B PFCUser issues
Reference: URL:http://marc.info/?l=ntbugtraq&m=94183795025294&w=2
Reference: XF:management-pfcuser(3231)
Reference: URL:https://exchange.xforce.ibmcloud.com/vulnerabilities/3231

Votes:
ACCEPT(5)  Armstrong, Cole, Foat, Frech, Stracener
NOOP(1)  Wall
Voter Comments:


Name: CVE-1999-1356

Description:

Compaq Integration Maintenance Utility as used in Compaq Insight Manager agent before SmartStart 4.50 modifies the legal notice caption (LegalNoticeCaption) and text (LegalNoticeText) in Windows NT, which could produce a legal notice that is in violation of the security policy.

Status:Entry
Reference: BUGTRAQ:19990902 Compaq CIM UG Overwrites Legal Notice
Reference: URL:http://marc.info/?l=bugtraq&m=93646669500991&w=2
Reference: NTBUGTRAQ:19990902 Compaq CIM UG Overwrites Legal Notice
Reference: URL:http://marc.info/?l=ntbugtraq&m=93637792706047&w=2
Reference: NTBUGTRAQ:19990917 Re: Compaq CIM UG Overwrites Legal Notice
Reference: URL:http://marc.info/?l=ntbugtraq&m=93759822830815&w=2
Reference: XF:compaq-smartstart-legal-notice(7763)
Reference: URL:http://www.iss.net/security_center/static/7763.php

Name: CVE-1999-1357

Description:

Netscape Communicator 4.04 through 4.7 (and possibly other versions) in various UNIX operating systems converts the 0x8b character to a "<" sign, and the 0x9b character to a ">" sign, which could allow remote attackers to attack other clients via cross-site scripting (CSS) in CGI programs that do not filter these characters.

Status:Candidate
Phase: Proposed (20010912)
Reference: BUGTRAQ:19991005 Time to update those CGIs again
Reference: URL:http://marc.info/?l=bugtraq&m=93915331626185&w=2

Votes:
MODIFY(1)  Frech
NOOP(3)  Cole, Foat, Wall
Voter Comments:
Frech>  XF:netscape-cgi-filtering-css(8274)

Name: CVE-1999-1358

Description:

When an administrator in Windows NT or Windows 2000 changes a user policy, the policy is not properly updated if the local ntconfig.pol is not writable by the user, which could allow local users to bypass restrictions that would otherwise be enforced by the policy, possibly by changing the policy file to be read-only.

Status:Entry
Reference: MSKB:Q157673
Reference: URL:http://support.microsoft.com/support/kb/articles/q157/6/73.asp
Reference: XF:nt-user-policy-update(7400)
Reference: URL:http://www.iss.net/security_center/static/7400.php

Name: CVE-1999-1359

Description:

When the Ntconfig.pol file is used on a server whose name is longer than 13 characters, Windows NT does not properly enforce policies for global groups, which could allow users to bypass restrictions that were intended by those policies.

Status:Entry
Reference: MSKB:Q163875
Reference: URL:http://support.microsoft.com/support/kb/articles/q163/8/75.asp
Reference: XF:nt-group-policy-longname(7401)
Reference: URL:http://www.iss.net/security_center/static/7401.php

Name: CVE-1999-1360

Description:

Windows NT 4.0 allows local users to cause a denial of service via a user mode application that closes a handle that was opened in kernel mode, which causes a crash when the kernel attempts to close the handle.

Status:Entry
Reference: MSKB:Q160650
Reference: URL:http://support.microsoft.com/support/kb/articles/q160/6/50.asp
Reference: XF:nt-kernel-handle-dos(7402)
Reference: URL:http://www.iss.net/security_center/static/7402.php

Name: CVE-1999-1361

Description:

Windows NT 3.51 and 4.0 running WINS (Windows Internet Name Service) allows remote attackers to cause a denial of service (resource exhaustion) via a flood of malformed packets, which causes the server to slow down and fill the event logs with error messages.

Status:Candidate
Phase: Proposed (20010912)
Reference: BUGTRAQ:19980509 coke.c
Reference: URL:http://marc.info/?l=bugtraq&m=90221101925891&w=2

Votes:
ACCEPT(1)  Wall
MODIFY(1)  Frech
NOOP(2)  Cole, Foat
Voter Comments:
Frech>  XF:winnt-wins-packet-flood-dos(7329)

Name: CVE-1999-1362

Description:

Win32k.sys in Windows NT 4.0 before SP2 allows local users to cause a denial of service (crash) by calling certain WIN32K functions with incorrect parameters.

Status:Entry
Reference: MSKB:Q160601
Reference: URL:http://support.microsoft.com/support/kb/articles/q160/6/01.asp
Reference: XF:nt-win32k-dos(7403)
Reference: URL:http://www.iss.net/security_center/static/7403.php

Name: CVE-1999-1363

Description:

Windows NT 3.51 and 4.0 allow local users to cause a denial of service (crash) by running a program that creates a large number of locks on a file, which exhausts the NonPagedPool.

Status:Entry
Reference: MSKB:Q163143
Reference: URL:http://support.microsoft.com/support/kb/articles/q163/1/43.asp
Reference: XF:nt-nonpagedpool-dos(7405)
Reference: URL:http://www.iss.net/security_center/static/7405.php

Name: CVE-1999-1364

Description:

Windows NT 4.0 allows local users to cause a denial of service (crash) via an illegal kernel mode address to the functions (1) GetThreadContext or (2) SetThreadContext.

Status:Candidate
Phase: Modified (20020218)
Reference: MSKB:Q142653
Reference: URL:http://support.microsoft.com/support/kb/articles/q142/6/53.asp
Reference: XF:nt-threadcontext-dos(7421)
Reference: URL:http://www.iss.net/security_center/static/7421.php

Votes:
ACCEPT(3)  Cole, Foat, Wall
MODIFY(1)  Frech
Voter Comments:
Frech>  XF:nt-threadcontext-dos(7421)

Name: CVE-1999-1365

Description:

Windows NT searches a user's home directory (%systemroot% by default) before other directories to find critical programs such as NDDEAGNT.EXE, EXPLORER.EXE, USERINIT.EXE or TASKMGR.EXE, which could allow local users to bypass access restrictions or gain privileges by placing a Trojan horse program into the root directory, which is writable by default.

Status:Entry
Reference: BID:515
Reference: URL:http://www.securityfocus.com/bid/515
Reference: NTBUGTRAQ:19990628 NT runs Explorer.exe, Taskmgr.exe etc. from wrong location
Reference: URL:http://marc.info/?l=ntbugtraq&m=93069418400856&w=2
Reference: NTBUGTRAQ:19990630 Update: NT runs explorer.exe, etc...
Reference: URL:http://marc.info/?l=ntbugtraq&m=93127894731200&w=2
Reference: XF:nt-login-default-folder(2336)
Reference: URL:https://exchange.xforce.ibmcloud.com/vulnerabilities/2336

Name: CVE-1999-1366

Description:

Pegasus e-mail client 3.0 and earlier uses weak encryption to store POP3 passwords in the pmail.ini file, which allows local users to easily decrypt the passwords and read e-mail.

Status:Candidate
Phase: Proposed (20010912)
Reference: BUGTRAQ:19990515 Pegasus Mail weak encryption
Reference: URL:http://marc.info/?l=bugtraq&m=92714118829880&w=2

Votes:
MODIFY(1)  Frech
NOOP(3)  Cole, Foat, Wall
Voter Comments:
Frech>  XF:pegasus-weak-password-encryption(8430)

Name: CVE-1999-1367

Description:

Internet Explorer 5.0 does not properly reset the username/password cache for Web sites that do not use standard cache controls, which could allow users on the same system to access restricted web sites that were visited by other users.

Status:Candidate
Phase: Proposed (20010912)
Reference: MISC:http://www.pcworld.com/news/article/0,aid,10842,00.asp

Votes:
NOOP(3)  Cole, Foat, Wall
REVIEWING(1)  Frech
Voter Comments:
Frech>  (Task 2283)

Name: CVE-1999-1368

Description:

AV Option for MS Exchange Server option for InoculateIT 4.53, and possibly other versions, only scans the Inbox folder tree of a Microsoft Exchange server, which could allow viruses to escape detection if a user's rules cause the message to be moved to a different mailbox.

Status:Candidate
Phase: Proposed (20010912)
Reference: NTBUGTRAQ:19990512 InoculateIT 4.53 Real-Time Exchange Scanner Flawed
Reference: URL:http://marc.info/?l=ntbugtraq&m=92652152723629&w=2
Reference: NTBUGTRAQ:20001116 InoculateIT AV Option for MS Exchange Server
Reference: URL:http://marc.info/?l=ntbugtraq&m=97439568517355&w=2

Votes:
MODIFY(1)  Frech
NOOP(3)  Cole, Foat, Wall
Voter Comments:
Frech>  XF:inoculate-message-redirect-bypass(5602)

Name: CVE-1999-1369

Description:

Real Media RealServer (rmserver) 6.0.3.353 stores a password in plaintext in the world-readable rmserver.cfg file, which allows local users to gain privileges.

Status:Candidate
Phase: Proposed (20010912)
Reference: BUGTRAQ:19990414 Real Media Server stores passwords in plain text
Reference: URL:http://marc.info/?l=bugtraq&m=92411181619110&w=2

Votes:
MODIFY(1)  Frech
NOOP(3)  Cole, Foat, Wall
Voter Comments:
Frech>  XF:realserver-insecure-password(7544)

Name: CVE-1999-1370

Description:

The setup wizard (ie5setup.exe) for Internet Explorer 5.0 disables (1) the screen saver, which could leave the system open to users with physical access if a failure occurs during an unattended installation, and (2) the Task Scheduler Service, which might prevent the scheduled execution of security-critical programs.

Status:Candidate
Phase: Proposed (20010912)
Reference: NTBUGTRAQ:19990323 MSIE 5 installer disables screen saver
Reference: URL:http://marc.info/?l=ntbugtraq&m=92220197414799&w=2

Votes:
MODIFY(1)  Frech
NOOP(3)  Cole, Foat, Wall
Voter Comments:
Frech>  XF:ie-ie5setup-disable-password(7545)

Name: CVE-1999-1371

Description:

Buffer overflow in /usr/bin/write in Solaris 2.6 and 7 allows local users to gain privileges via a long string in the terminal name argument.

Status:Candidate
Phase: Modified (20040723)
Reference: BUGTRAQ:19990308 Solaris "/usr/bin/write" bug
Reference: URL:http://marc.info/?l=bugtraq&m=92100752221493&w=2
Reference: MISC:http://www.securiteam.com/exploits/5ZP0O1P35O.html
Reference: XF:solaris-write-bo(7546)
Reference: URL:https://exchange.xforce.ibmcloud.com/vulnerabilities/7546

Votes:
ACCEPT(2)  Cole, Dik
MODIFY(1)  Frech
NOOP(3)  Christey, Foat, Wall
Voter Comments:
Frech>  XF:solaris-write-bo(7546)
Christey>  This appears to be a rediscovery of the problem for Solaris
2.8:
BUGTRAQ:20011114 /usr/bin/write (solaris2.x) Segmentation Fault
URL:http://marc.theaimsgroup.com/?l=bugtraq&m=100588255815773&w=2
Dik>  sun bug:  4218941

Name: CVE-1999-1372

Description:

Triactive Remote Manager with Basic authentication enabled stores the username and password in cleartext in registry keys, which could allow local users to gain privileges.

Status:Candidate
Phase: Proposed (20010912)
Reference: BUGTRAQ:19990219 Plaintext Password in Tractive's Remote Manager Software
Reference: URL:http://marc.info/?l=bugtraq&m=91966339502073&w=2

Votes:
MODIFY(1)  Frech
NOOP(3)  Cole, Foat, Wall
Voter Comments:
Frech>  XF:triactive-remote-basic-auth(7548)

Name: CVE-1999-1373

Description:

FORE PowerHub before 5.0.1 allows remote attackers to cause a denial of service (hang) via a TCP SYN scan with TCP/IP OS fingerprinting, e.g. via nmap.

Status:Candidate
Phase: Proposed (20010912)
Reference: BUGTRAQ:19990105 Re: Network Scan Vulnerability [SUMMARY]
Reference: URL:http://marc.info/?l=bugtraq&m=91651770130771&w=2

Votes:
MODIFY(1)  Frech
NOOP(3)  Cole, Foat, Wall
Voter Comments:
Frech>  XF:powerhub-nmap-dos(7556)

Name: CVE-1999-1374

Description:

perlshop.cgi shopping cart program stores sensitive customer information in directories and files that are under the web root, which allows remote attackers to obtain that information via an HTTP request.

Status:Candidate
Phase: Proposed (20010912)
Reference: BUGTRAQ:19990427 Re: Shopping Carts exposing CC data
Reference: URL:http://marc.info/?l=bugtraq&m=92523159819402&w=2

Votes:
MODIFY(1)  Frech
NOOP(3)  Cole, Foat, Wall
Voter Comments:
Frech>  XF:perlshop-cgi-obtain-information(7557)

Name: CVE-1999-1375

Description:

FileSystemObject (FSO) in the showfile.asp Active Server Page (ASP) allows remote attackers to read arbitrary files by specifying the name in the file parameter.

Status:Candidate
Phase: Proposed (20010912)
Reference: BID:230
Reference: URL:http://www.securityfocus.com/bid/230
Reference: NTBUGTRAQ:19990211 Using FSO in ASP to view just about anything
Reference: URL:http://marc.info/?l=ntbugtraq&m=91877455626320&w=2

Votes:
ACCEPT(1)  Cole
MODIFY(1)  Frech
NOOP(3)  Christey, Foat, Wall
Voter Comments:
Frech>  XF:iis-fso-read-files(7558)
Christey>  Explicitly mention IIS

Name: CVE-1999-1376

Description:

Buffer overflow in fpcount.exe in IIS 4.0 with FrontPage Server Extensions allows remote attackers to execute arbitrary commands.

Status:Candidate
Phase: Proposed (20010912)
Reference: BUGTRAQ:19990114 MS IIS 4.0 Security Advisory
Reference: URL:http://marc.info/?l=bugtraq&m=91638375309890&w=2
Reference: NTBUGTRAQ:19990114 MS IIS 4.0 Security Advisory
Reference: URL:http://marc.info/?l=ntbugtraq&m=91632724913080&w=2

Votes:
ACCEPT(1)  Wall
MODIFY(1)  Frech
NOOP(2)  Cole, Foat
Voter Comments:
Frech>  XF:frontpage-ext-fpcount-crash(5494)

Name: CVE-1999-1377

Description:

Matt Wright's download.cgi 1.0 allows remote attackers to read arbitrary files via a .. (dot dot) in the f parameter.

Status:Candidate
Phase: Proposed (20010912)
Reference: MISC:http://pulhas.org/phrack/55/P55-07.html

Votes:
MODIFY(1)  Frech
NOOP(3)  Cole, Foat, Wall
Voter Comments:
Frech>  XF:download-cgi-directory-traversal(8279)

Name: CVE-1999-1378

Description:

dbmlparser.exe CGI guestbook program does not perform a chroot operation properly, which allows remote attackers to read arbitrary files.

Status:Candidate
Phase: Proposed (20010912)
Reference: BUGTRAQ:19990917 improper chroot in dbmlparser.exe
Reference: URL:http://marc.info/?l=bugtraq&m=93250710625956&w=2

Votes:
NOOP(3)  Cole, Foat, Wall
REVIEWING(1)  Frech
Voter Comments:
Frech>  (Task 2284)

Name: CVE-1999-1379

Description:

DNS allows remote attackers to use DNS name servers as traffic amplifiers via a UDP DNS query with a spoofed source address, which produces more traffic to the victim than was sent by the attacker.

Status:Entry
Reference: AUSCERT:AL-1999.004
Reference: URL:ftp://ftp.auscert.org.au/pub/auscert/advisory/AL-1999.004.dns_dos
Reference: BUGTRAQ:19990730 Possible Denial Of Service using DNS
Reference: URL:http://marc.info/?l=bugtraq&m=93348057829957&w=2
Reference: BUGTRAQ:19990810 Possible Denial Of Service using DNS
Reference: URL:http://marc.info/?l=bugtraq&m=93433758607623&w=2
Reference: CIAC:J-063
Reference: URL:http://ciac.llnl.gov/ciac/bulletins/j-063.shtml
Reference: XF:dns-udp-query-dos(7238)
Reference: URL:http://www.iss.net/security_center/static/7238.php

Name: CVE-1999-1380

Description:

Symantec Norton Utilities 2.0 for Windows 95 marks the TUNEOCX.OCX ActiveX control as safe for scripting, which allows remote attackers to execute arbitrary commands via the run option through malicious web pages that are accessed by browsers such as Internet Explorer 3.0.

Status:Entry
Reference: MISC:http://mlarchive.ima.com/win95/1997/May/0342.html
Reference: MISC:http://news.zdnet.co.uk/story/0,,s2065518,00.html
Reference: MISC:http://www.net-security.sk/bugs/NT/nu20.html
Reference: XF:nu-tuneocx-activex-control(7188)
Reference: URL:http://www.iss.net/security_center/static/7188.php

Name: CVE-1999-1381

Description:

Buffer overflow in dbadmin CGI program 1.0.1 on Linux allows remote attackers to execute arbitrary commands.

Status:Candidate
Phase: Proposed (20010912)
Reference: BUGTRAQ:19981008 buffer overflow in dbadmin
Reference: URL:http://marc.info/?l=bugtraq&m=90786656409618&w=2

Votes:
NOOP(3)  Cole, Foat, Wall
Voter Comments:


Name: CVE-1999-1382

Description:

NetWare NFS mode 1 and 2 implements the "Read Only" flag in Unix by changing the ownership of a file to root, which allows local users to gain root privileges by creating a setuid program and setting it to "Read Only," which NetWare-NFS changes to a setuid root program.

Status:Entry
Reference: BUGTRAQ:19980108 NetWare NFS
Reference: URL:http://marc.info/?l=bugtraq&m=88427711321769&w=2
Reference: BUGTRAQ:19980812 Re: Netware NFS (fwd)
Reference: URL:http://marc.info/?l=bugtraq&m=90295697702474&w=2
Reference: CONFIRM:http://support.novell.com/cgi-bin/search/tidfinder.cgi?2940551
Reference: XF:netware-nfs-file-ownership(7246)
Reference: URL:http://www.iss.net/security_center/static/7246.php

Name: CVE-1999-1383

Description:

(1) bash before 1.14.7, and (2) tcsh 6.05 allow local users to gain privileges via directory names that contain shell metacharacters (` back-tick), which can cause the commands enclosed in the directory name to be executed when the shell expands filenames using the \w option in the PS1 variable.

Status:Candidate
Phase: Proposed (20010912)
Reference: BUGTRAQ:19960913 tee see shell problems
Reference: URL:http://marc.info/?l=bugtraq&m=87602167419868&w=2
Reference: BUGTRAQ:19960919 Vulnerability in expansion of PS1 in bash & tcsh
Reference: URL:http://www.dataguard.no/bugtraq/1996_3/0503.html

Votes:
NOOP(2)  Cole, Foat
Voter Comments:


Name: CVE-1999-1384

Description:

Indigo Magic System Tour in the SGI system tour package (systour) for IRIX 5.x through 6.3 allows local users to gain root privileges via a Trojan horse .exitops program, which is called by the inst command that is executed by the RemoveSystemTour program.

Status:Entry
Reference: AUSCERT:AA-96.08
Reference: URL:ftp://ftp.auscert.org.au/pub/auscert/advisory/AA-96.08.SGI.systour.vul
Reference: BID:470
Reference: URL:http://www.securityfocus.com/bid/470
Reference: BUGTRAQ:19961030 (Another) vulnerability in new SGIs
Reference: URL:http://marc.info/?l=bugtraq&m=87602167420095&w=2
Reference: SGI:19961101-01-I
Reference: URL:ftp://patches.sgi.com/support/free/security/advisories/19961101-01-I
Reference: XF:irix-systour(7456)
Reference: URL:http://www.iss.net/security_center/static/7456.php

Name: CVE-1999-1385

Description:

Buffer overflow in ppp program in FreeBSD 2.1 and earlier allows local users to gain privileges via a long HOME environment variable.

Status:Entry
Reference: BUGTRAQ:19961219 Exploit for ppp bug (FreeBSD 2.1.0).
Reference: URL:http://marc.info/?l=bugtraq&m=87602167420332&w=2
Reference: FREEBSD:FreeBSD-SA-96:20
Reference: URL:ftp://ftp.FreeBSD.org/pub/FreeBSD/CERT/advisories/old/FreeBSD-SA-96:20.stack-overflow.asc
Reference: OSVDB:6085
Reference: URL:http://www.osvdb.org/6085
Reference: XF:ppp-bo(7465)
Reference: URL:http://www.iss.net/security_center/static/7465.php

Name: CVE-1999-1386

Description:

Perl 5.004_04 and earlier follows symbolic links when running with the -e option, which allows local users to overwrite arbitrary files via a symlink attack on the /tmp/perl-eaXXXXX file.

Status:Entry
Reference: BUGTRAQ:19980308 another /tmp race: `perl -e' opens temp file not safely
Reference: URL:http://marc.info/?l=bugtraq&m=88932165406213&w=2
Reference: CONFIRM:http://www.redhat.com/support/errata/rh50-errata-general.html#perl
Reference: XF:perl-e-tmp-symlink(7243)
Reference: URL:http://www.iss.net/security_center/static/7243.php

Name: CVE-1999-1387

Description:

Windows NT 4.0 SP2 allows remote attackers to cause a denial of service (crash), possibly via malformed inputs or packets, such as those generated by a Linux smbmount command that was compiled on the Linux 2.0.29 kernel but executed on Linux 2.0.25.

Status:Candidate
Phase: Proposed (20010912)
Reference: BUGTRAQ:19970402 Fatal bug in NT 4.0 server
Reference: URL:http://marc.info/?l=bugtraq&m=87602167420731&w=2
Reference: BUGTRAQ:19970403 Fatal bug in NT 4.0 server (more comments)
Reference: URL:http://marc.info/?l=bugtraq&m=87602167420732&w=2
Reference: BUGTRAQ:19970407 DUMP of NT system crash
Reference: URL:http://marc.info/?l=bugtraq&m=87602167420741&w=2

Votes:
ACCEPT(1)  Cole
NOOP(1)  Foat
Voter Comments:


Name: CVE-1999-1388

Description:

passwd in SunOS 4.1.x allows local users to overwrite arbitrary files via a symlink attack and the -F command line argument.

Status:Candidate
Phase: Proposed (20010912)
Reference: BUGTRAQ:19940513 [8lgm]-Advisory-7.UNIX.passwd.11-May-1994
Reference: URL:http://www2.dataguard.no/bugtraq/1994_2/0197.html
Reference: BUGTRAQ:19940514 [8lgm]-Advisory-7.UNIX.passwd.11-May-1994.NEWFIX
Reference: URL:http://www2.dataguard.no/bugtraq/1994_2/0207.html
Reference: BUGTRAQ:19941218 Sun Patch Id #102060-01
Reference: URL:http://www.dataguard.no/bugtraq/1994_4/0755.html

Votes:
ACCEPT(1)  Dik
NOOP(2)  Cole, Foat
Voter Comments:
Dik>  sun bug: 1171499

Name: CVE-1999-1389

Description:

US Robotics/3Com Total Control Chassis with Frame Relay between 3.6.22 and 3.7.24 does not properly enforce access filters when the "set host prompt" setting is made for a port, which allows attackers to bypass restrictions by providing the hostname twice at the "host: " prompt.

Status:Candidate
Phase: Proposed (20010912)
Reference: BID:99
Reference: URL:http://www.securityfocus.com/bid/99
Reference: BUGTRAQ:19980511 3Com/USR Total Control Chassis dialup port access filters
Reference: URL:http://marc.info/?l=bugtraq&m=90221101925916&w=2

Votes:
MODIFY(1)  Frech
NOOP(3)  Cole, Foat, Wall
Voter Comments:
Frech>  XF:3com-netserver-filter-bypass(7330)

Name: CVE-1999-1390

Description:

suidexec in suidmanager 0.18 on Debian 2.0 allows local users to gain root privileges by specifying a malicious program on the command line.

Status:Candidate
Phase: Proposed (20010912)
Reference: BID:94
Reference: URL:http://www.securityfocus.com/bid/94
Reference: BUGTRAQ:19980428 [Debian 2.0] /usr/bin/suidexec gives root access
Reference: URL:http://darwin.bio.uci.edu/~mcoogan/bugtraq/msg00890.html

Votes:
MODIFY(1)  Frech
NOOP(3)  Cole, Foat, Wall
Voter Comments:
Frech>  XF:suidmanager-suidexec-root-privileges(7304)

Name: CVE-1999-1391

Description:

Vulnerability in NeXT 1.0a and 1.0 with publicly accessible printers allows local users to gain privileges via a combination of the npd program and weak directory permissions.

Status:Candidate
Phase: Modified (20020218)
Reference: BID:10
Reference: URL:http://www.securityfocus.com/bid/10
Reference: CERT:CA-1990-06
Reference: URL:http://www.cert.org/advisories/CA-1990-06.html
Reference: CIAC:B-01
Reference: URL:http://ciac.llnl.gov/ciac/bulletins/b-01.shtml
Reference: XF:nextstep-npd-root-access(7143)
Reference: URL:http://www.iss.net/security_center/static/7143.php

Votes:
ACCEPT(3)  Cole, Foat, Stracener
MODIFY(1)  Frech
NOOP(1)  Wall
Voter Comments:
Frech>  XF:nextstep-npd-root-access(7143)

Name: CVE-1999-1392

Description:

Vulnerability in restore0.9 installation script in NeXT 1.0a and 1.0 allows local users to gain root privileges.

Status:Candidate
Phase: Modified (20020218)
Reference: BID:9
Reference: URL:http://www.securityfocus.com/bid/9
Reference: CERT:CA-1990-06
Reference: URL:http://www.cert.org/advisories/CA-1990-06.html
Reference: CIAC:B-01
Reference: URL:http://ciac.llnl.gov/ciac/bulletins/b-01.shtml
Reference: XF:nextstep-restore09-root-access(7144)
Reference: URL:http://www.iss.net/security_center/static/7144.php

Votes:
ACCEPT(3)  Cole, Foat, Stracener
MODIFY(1)  Frech
NOOP(1)  Wall
Voter Comments:
Frech>  XF:nextstep-restore09-root-access(7144)

Name: CVE-1999-1393

Description:

Control Panel "Password Security" option for Apple Powerbooks allows attackers with physical access to the machine to bypass the security by booting it with an emergency startup disk and using a disk editor to modify the on/off toggle or password in the aaaaaaaAPWD file, which is normally inaccessible.

Status:Candidate
Phase: Proposed (20010912)
Reference: BID:532
Reference: URL:http://www.securityfocus.com/bid/532
Reference: MISC:http://freaky.staticusers.net/macsec/data/powerbooksecurity-data.html

Votes:
NOOP(3)  Cole, Foat, Wall
REVIEWING(1)  Frech
Voter Comments:
Frech>  (Task 2285)

Name: CVE-1999-1394

Description:

BSD 4.4 based operating systems, when running at security level 1, allow the root user to clear the immutable and append-only flags for files by unmounting the file system and using a file system editor such as fsdb to directly modify the file through a device.

Status:Candidate
Phase: Proposed (20010912)
Reference: BID:510
Reference: URL:http://www.securityfocus.com/bid/510
Reference: BUGTRAQ:19990702 BSD-fileflags
Reference: URL:http://marc.info/?l=bugtraq&m=93094058620450&w=2

Votes:
ACCEPT(1)  Cole
NOOP(2)  Foat, Wall
REVIEWING(1)  Frech
Voter Comments:
Frech>  (Task 2286)

Name: CVE-1999-1395

Description:

Vulnerability in Monitor utility (SYS$SHARE:SPISHR.EXE) in VMS 5.0 through 5.4-2 allows local users to gain privileges.

Status:Candidate
Phase: Modified (20091029)
Reference: BID:51
Reference: URL:http://www.securityfocus.com/bid/51
Reference: CERT:CA-1992-18
Reference: URL:http://www.cert.org/advisories/CA-1992-18.html
Reference: CERT:CA-92.16
Reference: URL:http://www.cert.org/advisories/CA-92.16.VMS.Monitor.vulnerability
Reference: OSVDB:59332
Reference: URL:http://osvdb.org/59332
Reference: XF:vms-monitor-gain-privileges(7136)
Reference: URL:http://www.iss.net/security_center/static/7136.php

Votes:
ACCEPT(3)  Cole, Foat, Stracener
MODIFY(1)  Frech
NOOP(2)  Christey, Wall
Voter Comments:
Frech>  XF:vms-monitor-gain-privileges(7136)
Duplicate of CVE-1999-1056? If not, indicate why in Analysis
comments.
Christey>  Note that CVE-1999-1056
Christey>  CVE-1999-1056 is in fact a duplicate.  This candidate will
be kept, and CVE-1999-1056 will be REJECTed, because this
candidate has more references.

Name: CVE-1999-1396

Description:

Vulnerability in integer multiplication emulation code on SPARC architectures for SunOS 4.1 through 4.1.2 allows local users to gain root access or cause a denial of service (crash).

Status:Candidate
Phase: Modified (20020218)
Reference: BID:49
Reference: URL:http://www.securityfocus.com/bid/49
Reference: CERT:CA-1992-15
Reference: URL:http://www.cert.org/advisories/CA-1992-15.html
Reference: XF:sun-integer-multiplication-access(7150)
Reference: URL:http://www.iss.net/security_center/static/7150.php

Votes:
ACCEPT(4)  Cole, Dik, Foat, Stracener
MODIFY(1)  Frech
NOOP(1)  Wall
Voter Comments:
Frech>  XF:sun-integer-multiplication-access(7150)
Dik>  sun bug: 1069072 1071053

Name: CVE-1999-1397

Description:

Index Server 2.0 on IIS 4.0 stores physical path information in the ContentIndex\Catalogs subkey of the AllowedPaths registry key, whose permissions allow local and remote users to obtain the physical paths of directories that are being indexed.

Status:Entry
Reference: BID:476
Reference: URL:http://www.securityfocus.com/bid/476
Reference: BUGTRAQ:19990323 Index Server 2.0 and the Registry
Reference: URL:http://marc.info/?l=bugtraq&m=92242671024118&w=2
Reference: NTBUGTRAQ:19990323 Index Server 2.0 and the Registry
Reference: URL:http://marc.info/?l=ntbugtraq&m=92223293409756&w=2
Reference: XF:iis-indexserver-reveal-path(7559)
Reference: URL:http://www.iss.net/security_center/static/7559.php

Name: CVE-1999-1398

Description:

Vulnerability in xfsdump in SGI IRIX may allow local users to obtain root privileges via the bck.log log file, possibly via a symlink attack.

Status:Candidate
Phase: Proposed (20010912)
Reference: BID:472
Reference: URL:http://www.securityfocus.com/bid/472
Reference: BUGTRAQ:19970507 Irix: misc
Reference: URL:http://marc.info/?l=bugtraq&m=87602167420921&w=2
Reference: MISC:http://www.insecure.org/sploits/irix.xfsdump.html

Votes:
ACCEPT(1)  Cole
MODIFY(1)  Frech
NOOP(1)  Foat
Voter Comments:
Frech>  XF:irix-xfsdump-symlink(7193)

Name: CVE-1999-1399

Description:

spaceball program in SpaceWare 7.3 v1.0 in IRIX 6.2 allows local users to gain root privileges by setting the HOSTNAME environmental variable to contain the commands to be executed.

Status:Candidate
Phase: Proposed (20010912)
Reference: BID:471
Reference: URL:http://www.securityfocus.com/bid/471
Reference: BUGTRAQ:19970820 SpaceWare 7.3 v1.0
Reference: URL:http://marc.info/?l=bugtraq&m=87602746719552&w=2

Votes:
ACCEPT(1)  Cole
MODIFY(1)  Frech
NOOP(1)  Foat
Voter Comments:
Frech>  XF:spaceware-hostname-command-execution(7194)

Name: CVE-1999-1400

Description:

The Economist screen saver 1999 with the "Password Protected" option enabled allows users with physical access to the machine to bypass the screen saver and read files by running Internet Explorer while the screen is still locked.

Status:Candidate
Phase: Proposed (20010912)
Reference: BID:466
Reference: URL:http://www.securityfocus.com/bid/466
Reference: NTBUGTRAQ:19990603 Huge Exploit in NT 4.0 SP5 Screensaver with Password Protection Enabled
Reference: URL:http://archives.indenial.com/hypermail/ntbugtraq/1999/June1999/0007.html
Reference: NTBUGTRAQ:19990603 Re: Huge Exploit in NT 4.0 SP5 Screensaver with Password Protection Enabled.
Reference: URL:http://archives.indenial.com/hypermail/ntbugtraq/1999/June1999/0009.html
Reference: NTBUGTRAQ:19990604 Official response from The Economist re: 1999 Screen Saver
Reference: URL:http://marc.info/?l=ntbugtraq&m=92851653600852&w=2

Votes:
ACCEPT(1)  Wall
NOOP(2)  Cole, Foat
REVIEWING(1)  Frech
Voter Comments:
Frech>  (Task 2287)
CONFIRM NTBUGTRAQ:19990604 Official response from The
Economist re: 1999 Screen Saver

Name: CVE-1999-1401

Description:

Vulnerability in Desktop searchbook program in IRIX 5.0.x through 6.2 sets insecure permissions for certain user files (iconbook and searchbook).

Status:Candidate
Phase: Modified (20060309)
Reference: BID:463
Reference: URL:http://www.securityfocus.com/bid/463
Reference: OSVDB:8563
Reference: URL:http://www.osvdb.org/8563
Reference: SGI:19961201-01-PX
Reference: URL:ftp://patches.sgi.com/support/free/security/advisories/19961201-01-PX
Reference: XF:irix-searchbook-permissions(7575)
Reference: URL:http://www.iss.net/security_center/static/7575.php

Votes:
ACCEPT(3)  Cole, Foat, Stracener
MODIFY(1)  Frech
Voter Comments:
Frech>  XF:irix-searchbook-permissions(7575)

Name: CVE-1999-1402

Description:

The access permissions for a UNIX domain socket are ignored in Solaris 2.x and SunOS 4.x, and other BSD-based operating systems before 4.4, which could allow local users to connect to the socket and possibly disrupt or control the operations of the program using that socket.

Status:Entry
Reference: BID:456
Reference: URL:http://www.securityfocus.com/bid/456
Reference: BUGTRAQ:19970517 UNIX domain socket (Solarisx86 2.5)
Reference: URL:http://marc.info/?l=bugtraq&m=87602167418317&w=2
Reference: BUGTRAQ:19971003 Solaris 2.6 and sockets
Reference: URL:http://marc.info/?l=bugtraq&m=87602248718482&w=2
Reference: XF:sun-domain-socket-permissions(7172)
Reference: URL:http://www.iss.net/security_center/static/7172.php

Name: CVE-1999-1403

Description:

IBM/Tivoli OPC Tracker Agent version 2 release 1 creates files, directories, and IPC message queues with insecure permissions (world-readable and world-writable), which could allow local users to disrupt operations and possibly gain privileges by modifying or deleting files.

Status:Candidate
Phase: Proposed (20010912)
Reference: BID:382
Reference: URL:http://www.securityfocus.com/bid/382
Reference: BUGTRAQ:19981002 Several potential security problems in IBM/Tivoli OPC Tracker Agent
Reference: URL:http://www.securityfocus.com/archive/1/10771

Votes:
NOOP(3)  Cole, Foat, Wall
Voter Comments:


Name: CVE-1999-1404

Description:

IBM/Tivoli OPC Tracker Agent version 2 release 1 allows remote attackers to cause a denial of service (resource exhaustion) via malformed data to the localtracker client port (5011), which prevents the connection from being closed properly.

Status:Candidate
Phase: Proposed (20010912)
Reference: BID:382
Reference: URL:http://www.securityfocus.com/bid/382
Reference: BUGTRAQ:19981002 Several potential security problems in IBM/Tivoli OPC Tracker Agent
Reference: URL:http://www.securityfocus.com/archive/1/10771

Votes:
NOOP(3)  Cole, Foat, Wall
Voter Comments:


Name: CVE-1999-1405

Description:

snap command in AIX before 4.3.2 creates the /tmp/ibmsupt directory with world-readable permissions and does not remove or clear the directory when snap -a is executed, which could allow local users to access the shadowed password file by creating /tmp/ibmsupt/general/passwd before root runs snap -a.

Status:Candidate
Phase: Proposed (20010912)
Reference: BID:375
Reference: URL:http://www.securityfocus.com/bid/375
Reference: BUGTRAQ:19990217 snap utility for AIX.
Reference: URL:http://marc.info/?l=bugtraq&m=91936783009385&w=2
Reference: BUGTRAQ:19990220 Re: snap utility for AIX.
Reference: URL:http://marc.info/?l=bugtraq&m=91954824614013&w=2

Votes:
MODIFY(1)  Frech
NOOP(3)  Cole, Foat, Wall
Voter Comments:
Frech>  XF:aix-snap-insecure-tmp(7560)

Name: CVE-1999-1406

Description:

dumpreg in Red Hat Linux 5.1 opens /dev/mem with O_RDWR access, which allows local users to cause a denial of service (crash) by redirecting fd 1 (stdout) to the kernel.

Status:Candidate
Phase: Proposed (20010912)
Reference: BID:372
Reference: URL:http://www.securityfocus.com/bid/372
Reference: BUGTRAQ:19980729 Crash a redhat 5.1 linux box
Reference: URL:http://marc.info/?l=bugtraq&m=90221104526185&w=2
Reference: BUGTRAQ:19980730 FD's 0..2 and suid/sgid procs (Was: Crash a redhat 5.1 linux box)
Reference: URL:http://marc.info/?l=bugtraq&m=90221104526192&w=2

Votes:
ACCEPT(1)  Cole
NOOP(2)  Foat, Wall
Voter Comments:


Name: CVE-1999-1407

Description:

ifdhcpc-done script for configuring DHCP on Red Hat Linux 5 allows local users to append text to arbitrary files via a symlink attack on the dhcplog file.

Status:Entry
Reference: BID:368
Reference: URL:http://www.securityfocus.com/bid/368
Reference: BUGTRAQ:19980309 *sigh* another RH5 /tmp problem
Reference: URL:http://marc.info/?l=bugtraq&m=88950856416985&w=2
Reference: CONFIRM:http://www.redhat.com/support/errata/rh50-errata-general.html#initscripts
Reference: XF:initscripts-ifdhcpdone-dhcplog-symlink(7294)
Reference: URL:http://www.iss.net/security_center/static/7294.php

Name: CVE-1999-1408

Description:

Vulnerability in AIX 4.1.4 and HP-UX 10.01 and 9.05 allows local users to cause a denial of service (crash) by using a socket to connect to a port on the localhost, calling shutdown to clear the socket, then using the same socket to connect to a different port on localhost.

Status:Candidate
Phase: Proposed (20010912)
Reference: BID:352
Reference: URL:http://www.securityfocus.com/bid/352
Reference: BUGTRAQ:19970305 Bug in connect() for aix 4.1.4 ?
Reference: URL:http://marc.info/?l=bugtraq&m=87602167420641&w=2

Votes:
MODIFY(1)  Frech
NOOP(3)  Christey, Cole, Foat
Voter Comments:
Frech>  XF:aix-hpux-connect-dos(7195)
Christey>  BUGTRAQ:19970307 Re: Bug in connect() ?
URL:http://www.securityfocus.com/archive/1/Pine.HPP.3.92.970307195408.12139B-100000@wpax13.physik.uni-wuerzburg.de
BUGTRAQ:19970311 Re: Bug in connect() for aix 4.1.4 ?
URL:http://www.securityfocus.com/cgi-bin/archive.pl?id=1&mid=6419

Name: CVE-1999-1409

Description:

The at program in IRIX 6.2 and NetBSD 1.3.2 and earlier allows local users to read portions of arbitrary files by submitting the file to at with the -f argument, which generates error messages that at sends to the user via e-mail.

Status:Entry
Reference: BID:331
Reference: URL:http://www.securityfocus.com/bid/331
Reference: BUGTRAQ:19980703 more about 'at'
Reference: URL:http://www.shmoo.com/mail/bugtraq/jul98/msg00064.html
Reference: BUGTRAQ:19980805 irix-6.2 "at -f" vulnerability
Reference: URL:http://marc.info/?l=bugtraq&m=90233906612929&w=2
Reference: NETBSD:NetBSD-SA1998-004
Reference: URL:ftp://ftp.NetBSD.ORG/pub/NetBSD/security/advisories/NetBSD-SA1998-004.txt.asc
Reference: XF:at-f-read-files(7577)
Reference: URL:http://www.iss.net/security_center/static/7577.php

Name: CVE-1999-1410

Description:

addnetpr in IRIX 5.3 and 6.2 allows local users to overwrite arbitrary files and possibly gain root privileges via a symlink attack on the printers temporary file.

Status:Candidate
Phase: Proposed (20010912)
Reference: BID:330
Reference: URL:http://www.securityfocus.com/bid/330
Reference: BUGTRAQ:19970509 Re: Irix: misc
Reference: URL:http://marc.info/?l=bugtraq&m=87602167420927&w=2
Reference: MISC:ftp://patches.sgi.com/support/free/security/advisories/19961203-02-PX

Votes:
NOOP(2)  Cole, Foat
REJECT(2)  Christey, Frech
Voter Comments:
Christey>  DUPE CVE-1999-1286
Need to add these references to CVE-1999-1286

Name: CVE-1999-1411

Description:

The installation of the fsp package 2.71-10 in Debian GNU/Linux 2.0 adds the anonymous FTP user without notifying the administrator, which could automatically enable anonymous FTP on some servers such as wu-ftp.

Status:Entry
Reference: BID:316
Reference: URL:http://www.securityfocus.com/bid/316
Reference: BUGTRAQ:19981128 Debian: Security flaw in FSP
Reference: URL:http://marc.info/?l=bugtraq&m=91228908407679&w=2
Reference: BUGTRAQ:19981130 Debian: Security flaw in FSP
Reference: URL:http://marc.info/?l=bugtraq&m=91244712808780&w=2
Reference: BUGTRAQ:19990217 Debian GNU/Linux 2.0r5 released (fwd)
Reference: URL:http://marc.info/?l=bugtraq&m=91936850009861&w=2
Reference: DEBIAN:19981126 new version of fsp fixes security flaw
Reference: URL:http://lists.debian.org/debian-security-announce/debian-security-announce-1998/msg00033.html
Reference: XF:fsp-anon-ftp-access(7574)
Reference: URL:http://www.iss.net/security_center/static/7574.php

Name: CVE-1999-1412

Description:

A possible interaction between Apple MacOS X release 1.0 and Apache HTTP server allows remote attackers to cause a denial of service (crash) via a flood of HTTP GET requests to CGI programs, which generates a large number of processes.

Status:Candidate
Phase: Proposed (20010912)
Reference: BID:306
Reference: URL:http://www.securityfocus.com/bid/306
Reference: BUGTRAQ:19990603 MacOS X system panic with CGI
Reference: URL:http://www.securityfocus.com/archive/1/14215

Votes:
NOOP(3)  Cole, Foat, Wall
REVIEWING(1)  Frech
Voter Comments:
Frech>  (Task 2288)

Name: CVE-1999-1413

Description:

Solaris 2.4 before kernel jumbo patch -35 allows set-gid programs to dump core even if the real user id is not in the set-gid group, which allows local users to overwrite or create files at higher privileges by causing a core dump, e.g. through dmesg.

Status:Candidate
Phase: Proposed (20010912)
Reference: BID:296
Reference: URL:http://www.securityfocus.com/bid/296
Reference: BUGTRAQ:19960803 Exploiting Zolaris 2.4 ?? :)
Reference: URL:http://marc.info/?l=bugtraq&m=87602167419549&w=2

Votes:
MODIFY(2)  Dik, Frech
NOOP(2)  Cole, Foat
Voter Comments:
Frech>  XF:solaris-coredump-symlink(7196)
Dik>  sun bug: 1208241

Also applies to set-uid executables that have made real
and effective uid identical

Name: CVE-1999-1414

Description:

IBM Netfinity Remote Control allows local users to gain administrator privileges by starting programs from the process manager, which runs with system level privileges.

Status:Entry
Reference: BID:284
Reference: URL:http://www.securityfocus.com/bid/284
Reference: NTBUGTRAQ:19990525 Security Leak with IBM Netfinity Remote Control Software
Reference: URL:http://marc.info/?l=ntbugtraq&m=92765856706547&w=2
Reference: NTBUGTRAQ:19990609 IBM's response to "Security Leak with IBM Netfinity Remote Control Software
Reference: URL:http://marc.info/?l=ntbugtraq&m=92902484317769&w=2

Name: CVE-1999-1415

Description:

Vulnerability in /usr/bin/mail in DEC ULTRIX before 4.2 allows local users to gain privileges.

Status:Candidate
Phase: Proposed (20010912)
Reference: BID:27
Reference: URL:http://www.securityfocus.com/bid/27
Reference: CERT:CA-91.13
Reference: URL:http://www.cert.org/advisories/CA-91.13.Ultrix.mail.vulnerability

Votes:
ACCEPT(3)  Cole, Foat, Stracener
MODIFY(1)  Frech
NOOP(2)  Christey, Wall
Voter Comments:
Frech>  XF:bsd-binmail(515)
CA-1991-13 was superseded by CA-1995-02.
Christey>  Is there overlap between CVE-1999-1415 and CVE-1999-1438?
Both CERT advisories are vague.

Name: CVE-1999-1416

Description:

AnswerBook2 (AB2) web server dwhttpd 3.1a4 allows remote attackers to cause a denial of service (resource exhaustion) via an HTTP POST request with a large content-length.

Status:Candidate
Phase: Proposed (20010912)
Reference: BID:253
Reference: URL:http://www.securityfocus.com/bid/253
Reference: BUGTRAQ:19980823 Solaris ab2 web server is junk
Reference: URL:http://www.securityfocus.com/archive/1/10383

Votes:
NOOP(3)  Cole, Foat, Wall
Voter Comments:


Name: CVE-1999-1417

Description:

Format string vulnerability in AnswerBook2 (AB2) web server dwhttpd 3.1a4 allows remote attackers to cause a denial of service and possibly execute arbitrary commands via encoded % characters in an HTTP request, which is improperly logged.

Status:Candidate
Phase: Proposed (20010912)
Reference: BID:253
Reference: URL:http://www.securityfocus.com/bid/253
Reference: BUGTRAQ:19980823 Solaris ab2 web server is junk
Reference: URL:http://www.securityfocus.com/archive/1/10383

Votes:
ACCEPT(1)  Dik
NOOP(3)  Cole, Foat, Wall
Voter Comments:
Dik>  sun bug: 4218283

Name: CVE-1999-1418

Description:

ICQ99 ICQ web server build 1701 with "Active Homepage" enabled allows remote attackers to determine the existence of files on the server by comparing server responses when a file exists ("404 Forbidden") versus when a file does not exist ("404 not found").

Status:Candidate
Phase: Proposed (20010912)
Reference: BID:246
Reference: URL:http://www.securityfocus.com/bid/246
Reference: BUGTRAQ:19990501 Update: security hole in the ICQ-Webserver
Reference: URL:http://www.securityfocus.com/archive/1/13508

Votes:
MODIFY(1)  Frech
NOOP(3)  Cole, Foat, Wall
Voter Comments:
Frech>  XF:icq-webserver-gain-information(8229)
CONFIRM:http://online.securityfocus.com/archive/1/13655

Name: CVE-1999-1419

Description:

Buffer overflow in nss_nisplus.so.1 library in NIS+ in Solaris 2.3 and 2.4 allows local users to gain root privileges.

Status:Entry
Reference: BID:219
Reference: URL:http://www.securityfocus.com/bid/219
Reference: SUN:00148
Reference: URL:http://sunsolve.sun.com/pub-cgi/retrieve.pl?doctype=coll&doc=secbull/148
Reference: XF:sun-nisplus-bo(7535)
Reference: URL:http://www.iss.net/security_center/static/7535.php

Name: CVE-1999-1420

Description:

NBase switches NH2012, NH2012R, NH2015, and NH2048 have a back door password that cannot be disabled, which allows remote attackers to modify the switch's configuration.

Status:Candidate
Phase: Proposed (20010912)
Reference: BID:212
Reference: URL:http://www.securityfocus.com/bid/212
Reference: BUGTRAQ:19980720 N-Base Vulnerability Advisory
Reference: URL:http://marc.info/?l=bugtraq&m=90221104526016&w=2
Reference: BUGTRAQ:19980722 N-Base Vulnerability Advisory Followup
Reference: URL:http://marc.info/?l=bugtraq&m=90221104526065&w=2

Votes:
ACCEPT(1)  Cole
NOOP(2)  Foat, Wall
Voter Comments:


Name: CVE-1999-1421

Description:

NBase switches NH208 and NH215 run a TFTP server which allows remote attackers to send software updates to modify the switch or cause a denial of service (crash) by guessing the target filenames, which have default names.

Status:Candidate
Phase: Proposed (20010912)
Reference: BID:212
Reference: URL:http://www.securityfocus.com/bid/212
Reference: BUGTRAQ:19980720 N-Base Vulnerability Advisory
Reference: URL:http://marc.info/?l=bugtraq&m=90221104526016&w=2
Reference: BUGTRAQ:19980722 N-Base Vulnerability Advisory Followup
Reference: URL:http://marc.info/?l=bugtraq&m=90221104526065&w=2

Votes:
ACCEPT(2)  Cole, Foat
NOOP(1)  Wall
Voter Comments:


Name: CVE-1999-1422

Description:

The default configuration of Slackware 3.4, and possibly other versions, includes . (dot, the current directory) in the PATH environmental variable, which could allow local users to create Trojan horse programs that are inadvertently executed by other users.

Status:Candidate
Phase: Proposed (20010912)
Reference: BID:211
Reference: URL:http://www.securityfocus.com/bid/211
Reference: BUGTRAQ:19990102 PATH variable in zip-slackware 2.0.35
Reference: URL:http://marc.info/?l=bugtraq&m=91540043023167&w=2

Votes:
MODIFY(1)  Frech
NOOP(3)  Cole, Foat, Wall
Voter Comments:
Frech>  XF:linux-path-execute-commands(7561)

Name: CVE-1999-1423

Description:

ping in Solaris 2.3 through 2.6 allows local users to cause a denial of service (crash) via a ping request to a multicast address through the loopback interface, e.g. via ping -i.

Status:Entry
Reference: BID:209
Reference: URL:http://www.securityfocus.com/bid/209
Reference: BUGTRAQ:19970626 Solaris Ping bug (DoS)
Reference: URL:http://marc.info/?l=bugtraq&m=87602558319160&w=2
Reference: BUGTRAQ:19970627 SUMMARY: Solaris Ping bug (DoS)
Reference: URL:http://marc.info/?l=bugtraq&m=87602558319171&w=2
Reference: BUGTRAQ:19970627 Solaris Ping bug(inetsvc)
Reference: URL:http://marc.info/?l=bugtraq&m=87602558319181&w=2
Reference: BUGTRAQ:19971005 Solaris Ping Bug and other [bc] oddities
Reference: URL:http://marc.info/?l=bugtraq&m=87602558319180&w=2
Reference: SUN:00146
Reference: URL:http://sunsolve.sun.com/pub-cgi/retrieve.pl?doctype=coll&doc=secbull/146
Reference: XF:ping-multicast-loopback-dos(7492)
Reference: URL:http://www.iss.net/security_center/static/7492.php

Name: CVE-1999-1424

Description:

Solaris Solstice AdminSuite (AdminSuite) 2.1 uses unsafe permissions when adding new users to the NIS+ password table, which allows local users to gain root access by modifying their password table entries.

Status:Candidate
Phase: Proposed (20010912)
Reference: BID:208
Reference: URL:http://www.securityfocus.com/bid/208
Reference: SUN:00145
Reference: URL:http://sunsolve.sun.com/pub-cgi/retrieve.pl?doctype=coll&doc=secbull/145

Votes:
ACCEPT(4)  Cole, Dik, Foat, Stracener
MODIFY(1)  Frech
Voter Comments:
Frech>  XF:solaris-adminsuite-nisplus-password(7467)
Dik>  sun bug:1237225

Name: CVE-1999-1425

Description:

Solaris Solstice AdminSuite (AdminSuite) 2.1 incorrectly sets write permissions on source files for NIS maps, which could allow local users to gain privileges by modifying /etc/passwd.

Status:Candidate
Phase: Proposed (20010912)
Reference: BID:208
Reference: URL:http://www.securityfocus.com/bid/208
Reference: SUN:00145
Reference: URL:http://sunsolve.sun.com/pub-cgi/retrieve.pl?doctype=coll&doc=secbull/145

Votes:
ACCEPT(4)  Cole, Dik, Foat, Stracener
MODIFY(1)  Frech
Voter Comments:
Frech>  XF:solaris-adminsuite-password-map-permissions(7468)
Dik>  1236787

Name: CVE-1999-1426

Description:

Solaris Solstice AdminSuite (AdminSuite) 2.1 follows symbolic links when updating an NIS database, which allows local users to overwrite arbitrary files.

Status:Candidate
Phase: Proposed (20010912)
Reference: BID:208
Reference: URL:http://www.securityfocus.com/bid/208
Reference: SUN:00145
Reference: URL:http://sunsolve.sun.com/pub-cgi/retrieve.pl?doctype=coll&doc=secbull/145

Votes:
ACCEPT(4)  Cole, Dik, Foat, Stracener
MODIFY(1)  Frech
Voter Comments:
Frech>  XF:solaris-adminsuite-symlink(7469)
Dik>  sun bug: 1262888

Name: CVE-1999-1427

Description:

Solaris Solstice AdminSuite (AdminSuite) 2.1 and 2.2 create lock files insecurely, which allows local users to gain root privileges.

Status:Candidate
Phase: Proposed (20010912)
Reference: BID:208
Reference: URL:http://www.securityfocus.com/bid/208
Reference: SUN:00145
Reference: URL:http://sunsolve.sun.com/pub-cgi/retrieve.pl?doctype=coll&doc=secbull/145

Votes:
ACCEPT(4)  Cole, Dik, Foat, Stracener
MODIFY(1)  Frech
Voter Comments:
Frech>  XF:solaris-adminsuite-lock-file(7470)
Dik>  sun bug: 1262888

Name: CVE-1999-1428

Description:

Solaris Solstice AdminSuite (AdminSuite) 2.1 and 2.2 allows local users to gain privileges via the save option in the Database Manager, which is running with setgid bin privileges.

Status:Candidate
Phase: Proposed (20010912)
Reference: BID:208
Reference: URL:http://www.securityfocus.com/bid/208
Reference: SUN:00145
Reference: URL:http://sunsolve.sun.com/pub-cgi/retrieve.pl?doctype=coll&doc=secbull/145

Votes:
ACCEPT(4)  Cole, Dik, Foat, Stracener
MODIFY(1)  Frech
Voter Comments:
Frech>  XF:solaris-adminsuite-database-manager(7471)
Dik>  sun bug: 4005611

Name: CVE-1999-1429

Description:

DIT TransferPro installs devices with world-readable and world-writable permissions, which could allow local users to damage disks through the ff device driver.

Status:Candidate
Phase: Proposed (20010912)
Reference: BID:204
Reference: URL:http://www.securityfocus.com/bid/204
Reference: BUGTRAQ:19980105 Security flaw in either DIT TransferPro or Solaris
Reference: URL:http://marc.info/?l=bugtraq&m=88419633507543&w=2

Votes:
MODIFY(1)  Frech
NOOP(3)  Cole, Foat, Wall
Voter Comments:
Frech>  XF:transferpro-devices-insecure-permissions(7305)

Name: CVE-1999-1430

Description:

PIM software for Royal daVinci does not properly password-protect access to data stored in the .mdb (Microsoft Access) file, which allows local users to read the data without a password by directly accessing the files with a different application, such as Access.

Status:Candidate
Phase: Proposed (20010912)
Reference: BID:185
Reference: URL:http://www.securityfocus.com/bid/185
Reference: BUGTRAQ:19990102 security problem with Royal daVinci
Reference: URL:http://marc.info/?l=bugtraq&m=91540043723185&w=2

Votes:
MODIFY(1)  Frech
NOOP(3)  Cole, Foat, Wall
Voter Comments:
Frech>  XF:davinci-pim-access-information(7562)

Name: CVE-1999-1431

Description:

ZAK in Appstation mode allows users to bypass the "Run only allowed apps" policy by starting Explorer from Office 97 applications (such as Word), installing software into the TEMP directory, and changing the name to that for an allowed application, such as Winword.exe.

Status:Candidate
Phase: Proposed (20010912)
Reference: BID:181
Reference: URL:http://www.securityfocus.com/bid/181
Reference: NTBUGTRAQ:19990107 WinNT, ZAK and Office 97
Reference: URL:http://marc.info/?l=ntbugtraq&m=91576100022688&w=2
Reference: NTBUGTRAQ:19990109 WinNT, ZAK and Office 97
Reference: URL:http://marc.info/?l=ntbugtraq&m=91606260910008&w=2

Votes:
MODIFY(1)  Frech
NOOP(3)  Cole, Foat, Wall
Voter Comments:
Frech>  XF:zak-bypass-restrictions(7563)

Name: CVE-1999-1432

Description:

Power management (Powermanagement) on Solaris 2.4 through 2.6 does not start the xlock process until after the sys-suspend has completed, which allows an attacker with physical access to input characters to the last active application from the keyboard for a short period after the system is restoring, which could lead to increased privileges.

Status:Entry
Reference: BID:160
Reference: URL:http://www.securityfocus.com/bid/160
Reference: BUGTRAQ:19980716 Security risk with powermanagemnet on Solaris 2.6
Reference: URL:http://marc.info/?l=bugtraq&m=90221104525997&w=2
Reference: SUNBUG:4024179

Name: CVE-1999-1433

Description:

HP JetAdmin D.01.09 on Solaris allows local users to change the permissions of arbitrary files via a symlink attack on the /tmp/jetadmin.log file.

Status:Entry
Reference: BID:157
Reference: URL:http://www.securityfocus.com/bid/157
Reference: BUGTRAQ:19980715 JetAdmin software
Reference: URL:http://marc.info/?l=bugtraq&m=90221104525988&w=2
Reference: BUGTRAQ:19980722 Re: JetAdmin software
Reference: URL:http://marc.info/?l=bugtraq&m=90221104526067&w=2

Name: CVE-1999-1434

Description:

login in Slackware Linux 3.2 through 3.5 does not properly check for an error when the /etc/group file is missing, which prevents it from dropping privileges, causing it to assign root privileges to any local user who logs on to the server.

Status:Candidate
Phase: Proposed (20010912)
Reference: BID:155
Reference: URL:http://www.securityfocus.com/bid/155
Reference: BUGTRAQ:19980713 Slackware Shadow Insecurity
Reference: URL:http://marc.info/?l=bugtraq&m=90221104525951&w=2

Votes:
NOOP(3)  Cole, Foat, Wall
Voter Comments:


Name: CVE-1999-1435

Description:

Buffer overflow in libsocks5 library of Socks 5 (socks5) 1.0r5 allows local users to gain privileges via long environmental variables.

Status:Candidate
Phase: Proposed (20010912)
Reference: BID:154
Reference: URL:http://www.securityfocus.com/bid/154
Reference: BUGTRAQ:19980710 socks5 1.0r5 buffer overflow..
Reference: URL:http://marc.info/?l=bugtraq&m=90221104525933&w=2

Votes:
ACCEPT(1)  Cole
NOOP(2)  Foat, Wall
Voter Comments:


Name: CVE-1999-1436

Description:

Ray Chan WWW Authorization Gateway 0.1 CGI program allows remote attackers to execute arbitrary commands via shell metacharacters in the "user" parameter.

Status:Candidate
Phase: Proposed (20010912)
Reference: BID:152
Reference: URL:http://www.securityfocus.com/bid/152
Reference: BUGTRAQ:19980708 WWW Authorization Gateway
Reference: URL:http://marc.info/?l=bugtraq&m=90221104525905&w=2

Votes:
NOOP(3)  Cole, Foat, Wall
Voter Comments:


Name: CVE-1999-1437

Description:

ePerl 2.2.12 allows remote attackers to read arbitrary files and possibly execute certain commands by specifying a full pathname of the target file as an argument to bar.phtml.

Status:Entry
Reference: BID:151
Reference: URL:http://www.securityfocus.com/bid/151
Reference: BUGTRAQ:19980707 ePerl: bad handling of ISINDEX queries
Reference: URL:http://marc.info/?l=bugtraq&m=90221104525890&w=2
Reference: BUGTRAQ:19980710 ePerl Security Update Available
Reference: URL:http://marc.info/?l=bugtraq&m=90221104525927&w=2

Name: CVE-1999-1438

Description:

Vulnerability in /bin/mail in SunOS 4.1.1 and earlier allows local users to gain root privileges via certain command line arguments.

Status:Candidate
Phase: Proposed (20010912)
Reference: BID:15
Reference: URL:http://www.securityfocus.com/bid/15
Reference: CERT:CA-1991-01
Reference: URL:http://www.cert.org/advisories/CA-91.01a.SunOS.mail.vulnerability
Reference: SUN:00105
Reference: URL:http://sunsolve.sun.com/pub-cgi/retrieve.pl?doctype=coll&doc=secbull/105

Votes:
ACCEPT(4)  Cole, Dik, Foat, Stracener
MODIFY(1)  Frech
NOOP(2)  Christey, Wall
Voter Comments:
Frech>  XF:bsd-binmail(515)
Dik>  sun bug: 1047340
Christey>  Is there overlap between CVE-1999-1415 and CVE-1999-1438?
Both CERT advisories are vague.

Name: CVE-1999-1439

Description:

gcc 2.7.2 allows local users to overwrite arbitrary files via a symlink attack on temporary .i, .s, or .o files.

Status:Candidate
Phase: Proposed (20010912)
Reference: BID:146
Reference: URL:http://www.securityfocus.com/bid/146
Reference: BUGTRAQ:19980102 Symlink bug with GCC 2.7.2
Reference: URL:http://marc.info/?l=bugtraq&m=88419592307388&w=2
Reference: BUGTRAQ:19980108 GCC Exploit
Reference: URL:http://marc.info/?l=bugtraq&m=88524071002939&w=2
Reference: BUGTRAQ:19980115 GCC 2.7.? /tmp files
Reference: URL:http://marc.info/?l=bugtraq&m=88492937727193&w=2

Votes:
ACCEPT(1)  Cole
MODIFY(1)  Frech
NOOP(2)  Foat, Wall
Voter Comments:
Frech>  XF:gnu-gcc-tmp-symlink(7338)

Name: CVE-1999-1440

Description:

Win32 ICQ 98a 1.30, and possibly other versions, does not display the entire portion of long filenames, which could allow attackers to send an executable file with a long name that contains so many spaces that the .exe extension is not displayed, which could make the user believe that the file is safe to open from the client.

Status:Candidate
Phase: Proposed (20010912)
Reference: BID:132
Reference: URL:http://www.securityfocus.com/bid/132
Reference: BUGTRAQ:19990101 Win32 ICQ 98a flaw
Reference: URL:http://marc.info/?l=bugtraq&m=91522424302962&w=2

Votes:
ACCEPT(1)  Cole
MODIFY(1)  Frech
NOOP(2)  Foat, Wall
Voter Comments:
Frech>  XF:icq-long-filename(7564)

Name: CVE-1999-1441

Description:

Linux 2.0.34 does not properly prevent users from sending SIGIO signals to arbitrary processes, which allows local users to cause a denial of service by sending SIGIO to processes that do not catch it.

Status:Candidate
Phase: Proposed (20010912)
Reference: BID:111
Reference: URL:http://www.securityfocus.com/bid/111
Reference: BUGTRAQ:19980630 Serious Linux 2.0.34 security problem
Reference: URL:http://marc.info/?l=bugtraq&m=90221103126047&w=2

Votes:
MODIFY(1)  Frech
NOOP(3)  Cole, Foat, Wall
Voter Comments:
Frech>  XF:linux-sigio-dos(7339)

Name: CVE-1999-1442

Description:

Bug in AMD K6 processor on Linux 2.0.x and 2.1.x kernels allows local users to cause a denial of service (crash) via a particular sequence of instructions, possibly related to accessing addresses outside of segments.

Status:Candidate
Phase: Proposed (20010912)
Reference: BID:105
Reference: URL:http://www.securityfocus.com/bid/105
Reference: MISC:http://uwsg.iu.edu/hypermail/linux/kernel/9805.3/0855.html
Reference: MISC:http://www.cs.helsinki.fi/linux/linux-kernel/Year-1998/1998-25/0816.html

Votes:
MODIFY(1)  Frech
NOOP(3)  Cole, Foat, Wall
Voter Comments:
Frech>  XF:linux-k6-dos(7340)

Name: CVE-1999-1443

Description:

Micah Software Full Armor Network Configurator and Zero Administration allow local users with physical access to bypass the desktop protection by (1) using <CTRL><ALT><DEL> and killing the process using the task manager, (2) booting the system from a separate disk, or (3) interrupting certain processes that execute while the system is booting.

Status:Candidate
Phase: Proposed (20010912)
Reference: BID:103
Reference: URL:http://www.securityfocus.com/bid/103
Reference: BUGTRAQ:19980602 Full Armor.... Fool Proof etc... bugs
Reference: URL:http://marc.info/?l=bugtraq&m=90221103125889&w=2
Reference: BUGTRAQ:19980609 Full Armor
Reference: URL:http://marc.info/?l=bugtraq&m=90221103125869&w=2

Votes:
MODIFY(1)  Frech
NOOP(3)  Cole, Foat, Wall
Voter Comments:
Frech>  XF:full-armor-protection-bypass(7341)

Name: CVE-1999-1444

Description:

genkey utility in Alibaba 2.0 generates RSA key pairs with an exponent of 1, which results in transactions that are sent in cleartext.

Status:Candidate
Phase: Proposed (20010912)
Reference: MISC:http://catless.ncl.ac.uk/Risks/20.41.html#subj4

Votes:
NOOP(3)  Cole, Foat, Wall
REVIEWING(1)  Frech
Voter Comments:
Frech>  (Task 2290)

Name: CVE-1999-1445

Description:

Vulnerability in imapd and ipop3d in Slackware 3.4 and 3.3 with shadowing enabled, and possibly other operating systems, allows remote attackers to cause a core dump via a short sequence of USER and PASS commands that do not provide valid usernames or passwords.

Status:Candidate
Phase: Proposed (20010912)
Reference: BUGTRAQ:19980202 imapd/ipop3d coredump in slackware 3.4
Reference: URL:http://marc.info/?l=bugtraq&m=88637951600184&w=2

Votes:
MODIFY(1)  Frech
NOOP(3)  Cole, Foat, Wall
Voter Comments:
Frech>  XF:linux-imapd-ipop3d-dos(7345)

Name: CVE-1999-1446

Description:

Internet Explorer 3 records a history of all URL's that are visited by a user in DAT files located in the Temporary Internet Files and History folders, which are not cleared when the user selects the "Clear History" option, and are not visible when the user browses the folders because of tailored displays.

Status:Candidate
Phase: Proposed (20010912)
Reference: NTBUGTRAQ:19970805 Re: Strange behavior regarding directory
Reference: URL:http://marc.info/?l=ntbugtraq&m=87602837719654&w=2
Reference: NTBUGTRAQ:19970806 Re: Strange behavior regarding directory
Reference: URL:http://marc.info/?l=ntbugtraq&m=87602837719655&w=2

Votes:
MODIFY(1)  Frech
NOOP(2)  Cole, Foat
Voter Comments:
Frech>  XF:http-ie-record(524)
In description, URL's should be URLs.

Name: CVE-1999-1447

Description:

Internet Explorer 4.0 allows remote attackers to cause a denial of service (crash) via HTML code that contains a long CLASSID parameter in an OBJECT tag.

Status:Candidate
Phase: Modified (20020218)
Reference: BUGTRAQ:19980728 Object tag crashes Internet Explorer 4.0
Reference: URL:http://marc.info/?l=bugtraq&m=90221104526169&w=2
Reference: BUGTRAQ:19980730 Re: Object tag crashes Internet Explorer 4.0
Reference: URL:http://marc.info/?l=bugtraq&m=90221104526188&w=2

Votes:
ACCEPT(2)  Cole, Wall
NOOP(2)  Christey, Foat
Voter Comments:
Christey>  BUGTRAQ:19980730 Re: Object tag crashes Internet Explorer 4.0
URL:http://marc.theaimsgroup.com/?l=bugtraq&m=90221104526188&w=2

Name: CVE-1999-1448

Description:

Eudora and Eudora Light before 3.05 allow remote attackers to cause a crash and corrupt the user's mailbox via an e-mail message with certain dates, such as (1) dates before 1970, which cause a Divide By Zero error, or (2) dates that are 100 years after the current date, which cause a segmentation fault.

Status:Candidate
Phase: Proposed (20010912)
Reference: BUGTRAQ:19980729 Eudora exploit (was Microsoft Security Bulletin (MS98-008))
Reference: URL:http://marc.info/?l=bugtraq&m=90221104526168&w=2

Votes:
NOOP(3)  Cole, Foat, Wall
Voter Comments:


Name: CVE-1999-1449

Description:

SunOS 4.1.4 on a Sparc 20 machine allows local users to cause a denial of service (kernel panic) by reading from the /dev/tcx0 TCX device.

Status:Candidate
Phase: Proposed (20010912)
Reference: BUGTRAQ:19970519 /dev/tcx0 crashes SunOS 4.1.4 on Sparc 20's
Reference: URL:http://oamk.fi/~jukkao/bugtraq/before-971202/0498.html
Reference: MISC:http://www.insecure.org/sploits/sunos.dev.tcx0.write.wierd.shit.to.device.bug.html

Votes:
MODIFY(1)  Frech
NOOP(2)  Cole, Foat
Voter Comments:
Frech>  XF:sun-tcx-dos(7197)

Name: CVE-1999-1450

Description:

Vulnerability in (1) rlogin daemon rshd and (2) scheme on SCO UNIX OpenServer 5.0.5 and earlier, and SCO UnixWare 7.0.1 and earlier, allows remote attackers to gain privileges.

Status:Candidate
Phase: Proposed (20010912)
Reference: SCO:SB-99.03b
Reference: URL:ftp://ftp.sco.com/SSE/security_bulletins/SB-99.03b
Reference: SCO:SB-99.06b
Reference: URL:ftp://ftp.sco.com/SSE/security_bulletins/SB-99.06b
Reference: SCO:SSE020
Reference: URL:ftp://ftp.sco.COM/SSE/sse020.ltr
Reference: SCO:SSE023

Votes:
ACCEPT(3)  Cole, Foat, Stracener
MODIFY(1)  Frech
Voter Comments:
Frech>  XF:sco-rshd(7466)
Correct URLs are listed below:
Reference: SCO:SSE020
Reference: URL:ftp://stage.caldera.com/pub/security/sse/sse020/sse020.ltr
Reference: SCO:SSE023
Reference: URL:ftp://stage.caldera.com/pub/security/sse/sse023/sse023.ltr

Name: CVE-1999-1451

Description:

The Winmsdp.exe sample file in IIS 4.0 and Site Server 3.0 allows remote attackers to read arbitrary files.

Status:Candidate
Phase: Proposed (20010912)
Reference: MS:MS99-013
Reference: URL:https://docs.microsoft.com/en-us/security-updates/securitybulletins/1999/ms99-013
Reference: MSKB:Q231368
Reference: URL:http://support.microsoft.com/support/kb/articles/q231/3/68.asp
Reference: XF:iis-samples-winmsdp(3271)
Reference: URL:https://exchange.xforce.ibmcloud.com/vulnerabilities/3271

Votes:
ACCEPT(4)  Cole, Foat, Frech, Wall
Voter Comments:


Name: CVE-1999-1452

Description:

GINA in Windows NT 4.0 allows attackers with physical access to display a portion of the clipboard of the user who has locked the workstation by pasting (CTRL-V) the contents into the username prompt.

Status:Entry
Reference: BID:198
Reference: URL:http://www.securityfocus.com/bid/198
Reference: BUGTRAQ:19990129 ole objects in a "secured" environment?
Reference: URL:http://marc.info/?l=bugtraq&m=91788829326419&w=2
Reference: MSKB:Q214802
Reference: URL:http://support.microsoft.com/support/kb/articles/q214/8/02.asp
Reference: NTBUGTRAQ:19990129 ole objects in a "secured" environment?
Reference: URL:http://marc.info/?l=ntbugtraq&m=91764169410814&w=2
Reference: NTBUGTRAQ:19990205 Alert: MS releases GINA-fix for SP3, SP4, and TS
Reference: URL:http://marc.info/?l=ntbugtraq&m=91822011021558&w=2
Reference: XF:nt-gina-clipboard(1975)
Reference: URL:https://exchange.xforce.ibmcloud.com/vulnerabilities/1975

Name: CVE-1999-1453

Description:

Internet Explorer 4 allows remote attackers (malicious web site operators) to read the contents of the clipboard via the Internet WebBrowser ActiveX object.

Status:Candidate
Phase: Proposed (20010912)
Reference: BID:215
Reference: URL:http://www.securityfocus.com/bid/215
Reference: NTBUGTRAQ:19990222 New IE4 vulnerability : the clipboard again.
Reference: URL:http://marc.info/?l=ntbugtraq&m=91979439932341&w=2

Votes:
ACCEPT(1)  Wall
MODIFY(1)  Frech
NOOP(2)  Cole, Foat
Voter Comments:
Frech>  XF:webbrowser-activex-view-clipboard(7565)
REMOVE:http://www.securityfocus.com/bid/215 This reference
deals with the Forms vulnerability only.

Name: CVE-1999-1454

Description:

Macromedia "The Matrix" screen saver on Windows 95 with the "Password protected" option enabled allows attackers with physical access to the machine to bypass the password prompt by pressing the ESC (Escape) key.

Status:Candidate
Phase: Proposed (20010912)
Reference: BUGTRAQ:19991004 Weakness In "The Matrix" Screensaver For Windows
Reference: URL:http://marc.info/?l=bugtraq&m=93915027622690&w=2

Votes:
MODIFY(1)  Frech
NOOP(4)  Christey, Cole, Foat, Wall
Voter Comments:
Christey>  Looks like there might have been a re-discovery, though the
exploit is slightly different, and there is insufficient
detail to be certain that this isn't for a different
Matrix screen saver:
BUGTRAQ:20010801 matrix screensvr(16 Bit CineMac Screen Saver Engine) - [input validation error?]
URL:http://marc.theaimsgroup.com/?l=bugtraq&m=99669949717618&w=2
BID:3130
URL:http://www.securityfocus.com/bid/3130
Frech>  XF:matrix-win95-password-bypass(8280)

Name: CVE-1999-1455

Description:

RSH service utility RSHSVC in Windows NT 3.5 through 4.0 does not properly restrict access as specified in the .Rhosts file when a user comes from an authorized host, which could allow unauthorized users to access the service by logging in from an authorized host.

Status:Entry
Reference: MSKB:Q158320
Reference: URL:http://support.microsoft.com/support/kb/articles/q158/3/20.asp
Reference: XF:nt-rshsvc-ale-bypass(7422)
Reference: URL:https://exchange.xforce.ibmcloud.com/vulnerabilities/7422

Name: CVE-1999-1456

Description:

thttpd HTTP server 2.03 and earlier allows remote attackers to read arbitrary files via a GET request with more than one leading / (slash) character in the filename.

Status:Entry
Reference: BUGTRAQ:19980819 thttpd 2.04 released (fwd)
Reference: URL:http://www.securityfocus.com/archive/1/10368
Reference: CONFIRM:http://www.acme.com/software/thttpd/thttpd.html#releasenotes
Reference: XF:thttpd-file-read(1809)
Reference: URL:https://exchange.xforce.ibmcloud.com/vulnerabilities/1809

Name: CVE-1999-1457

Description:

Buffer overflow in thttpd HTTP server before 2.04-31 allows remote attackers to execute arbitrary commands via a long date string, which is not properly handled by the tdate_parse function.

Status:Candidate
Phase: Proposed (20010912)
Reference: SUSE:19991116 thttpd
Reference: URL:http://www.novell.com/linux/security/advisories/suse_security_announce_30.html

Votes:
ACCEPT(3)  Cole, Foat, Stracener
REJECT(1)  Frech
Voter Comments:


Name: CVE-1999-1458

Description:

Buffer overflow in at program in Digital UNIX 4.0 allows local users to gain root privileges via a long command line argument.

Status:Candidate
Phase: Proposed (20010912)
Reference: BUGTRAQ:19990125 Digital Unix 4.0 exploitable buffer overflows
Reference: URL:http://www.securityfocus.com/archive/1/12121
Reference: SCO:SSRT0583U
Reference: URL:http://ftp1.support.compaq.com/public/dunix/v4.0d/ssrt0583u.README
Reference: XF:du-at(3138)
Reference: URL:https://exchange.xforce.ibmcloud.com/vulnerabilities/3138

Votes:
ACCEPT(3)  Cole, Foat, Frech
NOOP(1)  Stracener
Voter Comments:


Name: CVE-1999-1459

Description:

BMC PATROL Agent before 3.2.07 allows local users to gain root privileges via a symlink attack on a temporary file.

Status:Candidate
Phase: Proposed (20010912)
Reference: BID:534
Reference: URL:http://www.securityfocus.com/bid/534
Reference: ISS:19981102 BMC PATROL File Creation Vulnerability
Reference: URL:http://xforce.iss.net/alerts/advise10.php
Reference: XF:bmc-patrol-file-create(1388)
Reference: URL:https://exchange.xforce.ibmcloud.com/vulnerabilities/1388

Votes:
ACCEPT(2)  Cole, Frech
NOOP(3)  Christey, Foat, Wall
Voter Comments:
Christey>  The vendor has acknowledged this vulnerability via e-mail.  It
has been fixed.

NOTE: despite the fact that this candidate has been acknowledged
and fixed by the vendor, it is affected by the CVE content
decision CD:SF-LOC.  It cannot be accepted until the
CD:SF-LOC guidelines have been finalized.

Name: CVE-1999-1460

Description:

BMC PATROL SNMP Agent before 3.2.07 allows local users to create arbitrary world-writeable files as root by specifying the target file as the second argument to the snmpmagt program.

Status:Candidate
Phase: Proposed (20010912)
Reference: BID:525
Reference: URL:http://www.securityfocus.com/bid/525
Reference: BUGTRAQ:19990713 Root Perms Gained with Patrol SNMP Agent 3.2 (all others?)
Reference: URL:http://marc.info/?l=bugtraq&m=93198293132463&w=2
Reference: BUGTRAQ:19990801 Re: Root Perms Gained with Patrol SNMP Agent 3.2 (all others?)
Reference: URL:http://marc.info/?l=bugtraq&m=93372579004129&w=2

Votes:
MODIFY(1)  Frech
NOOP(4)  Christey, Cole, Foat, Wall
Voter Comments:
Frech>  XF:patrol-snmp-file-creation(2347)
Christey>  The vendor has acknowledged this vulnerability via e-mail.  It
has been fixed.

NOTE: despite the fact that this candidate has been acknowledged
and fixed by the vendor, it is affected by the CVE content
decision CD:SF-LOC.  It cannot be accepted until the
CD:SF-LOC guidelines have been finalized.

Name: CVE-1999-1461

Description:

inpview in InPerson on IRIX 5.3 through IRIX 6.5.10 trusts the PATH environmental variable to find and execute the ttsession program, which allows local users to obtain root access by modifying the PATH to point to a Trojan horse ttsession program.

Status:Candidate
Phase: Proposed (20010912)
Reference: BID:381
Reference: URL:http://www.securityfocus.com/bid/381
Reference: BUGTRAQ:19970507 Irix: misc
Reference: URL:http://marc.info/?l=bugtraq&m=87602167420921&w=2
Reference: SGI:20001101-01-I
Reference: URL:ftp://patches.sgi.com/support/free/security/advisories/20001101-01-I

Votes:
ACCEPT(3)  Cole, Foat, Stracener
REJECT(1)  Frech
Voter Comments:
Frech>  Possible conflict with CVE-2000-0799.

Name: CVE-1999-1462

Description:

Vulnerability in bb-hist.sh CGI History module in Big Brother 1.09b and 1.09c allows remote attackers to read portions of arbitrary files.

Status:Candidate
Phase: Proposed (20010912)
Reference: BID:142
Reference: URL:http://www.securityfocus.com/bid/142
Reference: BUGTRAQ:19990426 FW: Security Notice: Big Brother 1.09b/c
Reference: URL:http://www.securityfocus.com/archive/1/13440
Reference: CONFIRM:http://bb4.com/README.CHANGES
Reference: XF:http-cgi-bigbrother-bbhist(3755)
Reference: URL:https://exchange.xforce.ibmcloud.com/vulnerabilities/3755

Votes:
ACCEPT(5)  Armstrong, Cole, Foat, Frech, Stracener
NOOP(1)  Wall
Voter Comments:


Name: CVE-1999-1463

Description:

Windows NT 4.0 before SP3 allows remote attackers to bypass firewall restrictions or cause a denial of service (crash) by sending improperly fragmented IP packets without the first fragment, which the TCP/IP stack incorrectly reassembles into a valid session.

Status:Candidate
Phase: Proposed (20010912)
Reference: BUGTRAQ:19970710 A New Fragmentation Attack
Reference: URL:http://www.securityfocus.com/archive/1/7219
Reference: XF:nt-frag(528)
Reference: URL:https://exchange.xforce.ibmcloud.com/vulnerabilities/528

Votes:
ACCEPT(2)  Cole, Frech
NOOP(1)  Foat
Voter Comments:
Frech>  This issue is also listed under CVE-1999-0226.

Name: CVE-1999-1464

Description:

Vulnerability in Cisco IOS 11.1CC and 11.1CT with distributed fast switching (DFS) enabled allows remote attackers to bypass certain access control lists when the router switches traffic from a DFS-enabled interface to an interface that does not have DFS enabled, as described by Cisco bug CSCdk35564.

Status:Candidate
Phase: Proposed (20010912)
Reference: CIAC:J-016
Reference: URL:http://ciac.llnl.gov/ciac/bulletins/j-016.shtml
Reference: CISCO:19981105 Cisco IOS DFS Access List Leakage
Reference: URL:http://www.cisco.com/warp/public/770/iosdfsacl-pub.shtml
Reference: XF:cisco-acl-leakage(1401)
Reference: URL:https://exchange.xforce.ibmcloud.com/vulnerabilities/1401

Votes:
ACCEPT(6)  Armstrong, Balinsky, Cole, Foat, Frech, Stracener
NOOP(1)  Wall
Voter Comments:


Name: CVE-1999-1465

Description:

Vulnerability in Cisco IOS 11.1 through 11.3 with distributed fast switching (DFS) enabled allows remote attackers to bypass certain access control lists when the router switches traffic from a DFS-enabled input interface to an output interface with a logical subinterface, as described by Cisco bug CSCdk43862.

Status:Candidate
Phase: Modified (20020228)
Reference: CIAC:J-016
Reference: URL:http://ciac.llnl.gov/ciac/bulletins/j-016.shtml
Reference: CISCO:19981105 Cisco IOS DFS Access List Leakage
Reference: URL:http://www.cisco.com/warp/public/770/iosdfsacl-pub.shtml
Reference: XF:cisco-acl-leakage(1401)
Reference: URL:https://exchange.xforce.ibmcloud.com/vulnerabilities/1401

Votes:
ACCEPT(6)  Armstrong, Balinsky, Cole, Foat, Frech, Stracener
NOOP(1)  Wall
Voter Comments:


Name: CVE-1999-1466

Description:

Vulnerability in Cisco routers versions 8.2 through 9.1 allows remote attackers to bypass access control lists when extended IP access lists are used on certain interfaces, the IP route cache is enabled, and the access list uses the "established" keyword.

Status:Candidate
Phase: Proposed (20010912)
Reference: BID:53
Reference: URL:http://www.securityfocus.com/bid/53
Reference: CERT:CA-1992-20
Reference: URL:http://www.cert.org/advisories/CA-1992-20.html

Votes:
ACCEPT(3)  Cole, Foat, Stracener
MODIFY(1)  Frech
NOOP(2)  Christey, Wall
Voter Comments:
Frech>  XF:cisco-acl-established(1248)
Possible dupe with CVE-1999-0162.
Christey>  This is not a dupe with CVE-1999-0162.  The Cisco advisory
referenced in CVE-1999-0162 says that affected Cisco versions
are 10.0 through 10.3.  This CAN deals with versions 8.2
through 9.1.  In addition, the date of release of
CVE-1999-0162 is June 1995; this CAN was released December
1992.  Both items include clear Cisco acknowledgement with
details, so we should conclude that they are separate
problems, despite the vagueness of the reports.

Name: CVE-1999-1467

Description:

Vulnerability in rcp on SunOS 4.0.x allows remote attackers from trusted hosts to execute arbitrary commands as root, possibly related to the configuration of the nobody user.

Status:Candidate
Phase: Proposed (20010912)
Reference: BID:5
Reference: URL:http://www.securityfocus.com/bid/5
Reference: CERT:CA-1989-07
Reference: URL:http://www.cert.org/advisories/CA-1989-07.html
Reference: XF:sun-rcp(3165)
Reference: URL:https://exchange.xforce.ibmcloud.com/vulnerabilities/3165

Votes:
ACCEPT(5)  Cole, Dik, Foat, Frech, Stracener
NOOP(1)  Wall
Voter Comments:
Dik>  sun bug: 1028958

Name: CVE-1999-1468

Description:

rdist in various UNIX systems uses popen to execute sendmail, which allows local users to gain root privileges by modifying the IFS (Internal Field Separator) variable.

Status:Entry
Reference: BID:31
Reference: URL:http://www.securityfocus.com/bid/31
Reference: CERT:CA-91.20
Reference: URL:http://www.cert.org/advisories/CA-91.20.rdist.vulnerability
Reference: MISC:http://www.alw.nih.gov/Security/8lgm/8lgm-Advisory-01.html
Reference: OSVDB:8106
Reference: URL:http://www.osvdb.org/8106
Reference: XF:rdist-popen-gain-privileges(7160)
Reference: URL:http://www.iss.net/security_center/static/7160.php

Name: CVE-1999-1469

Description:

Buffer overflow in w3-auth CGI program in miniSQL package allows remote attackers to execute arbitrary commands via an HTTP request with (1) a long URL, or (2) a long User-Agent MIME header.

Status:Candidate
Phase: Proposed (20010912)
Reference: BUGTRAQ:19990930 mini-sql Buffer Overflow
Reference: URL:http://marc.info/?l=bugtraq&m=93871926821410&w=2

Votes:
MODIFY(1)  Frech
NOOP(3)  Cole, Foat, Wall
Voter Comments:
Frech>  XF:msql-w3auth-bo(8301)

Name: CVE-1999-1470

Description:

Eastman Work Management 3.21 stores passwords in cleartext in the COMMON and LOCATOR registry keys, which could allow local users to gain privileges.

Status:Candidate
Phase: Proposed (20010912)
Reference: BID:485
Reference: URL:http://www.securityfocus.com/bid/485
Reference: NTBUGTRAQ:19990624 Eastman Software Work Management 3.21
Reference: URL:http://marc.info/?l=ntbugtraq&m=93034788412494&w=2
Reference: XF:eastman-cleartext-passwords(2303)
Reference: URL:https://exchange.xforce.ibmcloud.com/vulnerabilities/2303

Votes:
ACCEPT(1)  Frech
NOOP(3)  Cole, Foat, Wall
Voter Comments:


Name: CVE-1999-1471

Description:

Buffer overflow in passwd in BSD based operating systems 4.3 and earlier allows local users to gain root privileges by specifying a long shell or GECOS field.

Status:Candidate
Phase: Modified (20020218)
Reference: BID:4
Reference: URL:http://www.securityfocus.com/bid/4
Reference: CERT:CA-1989-01
Reference: URL:http://www.cert.org/advisories/CA-1989-01.html
Reference: XF:bsd-passwd-bo(7152)
Reference: URL:http://www.iss.net/security_center/static/7152.php

Votes:
ACCEPT(3)  Cole, Foat, Stracener
MODIFY(1)  Frech
NOOP(1)  Wall
Voter Comments:
Frech>  XF:bsd-passwd-bo(7152)

Name: CVE-1999-1472

Description:

Internet Explorer 4.0 allows remote attackers to read arbitrary text and HTML files on the user's machine via a small IFRAME that uses Dynamic HTML (DHTML) to send the data to the attacker, aka the Freiburg text-viewing issue.

Status:Entry
Reference: BUGTRAQ:19971017 Security Hole in Explorer 4.0
Reference: URL:http://marc.info/?l=bugtraq&m=87710897923098&w=2
Reference: CONFIRM:http://www.microsoft.com/Windows/ie/security/freiburg.asp
Reference: MISC:http://www.insecure.org/sploits/Internet_explorer_4.0.hack.html
Reference: MSKB:Q176697
Reference: URL:http://support.microsoft.com/support/kb/articles/q176/6/97.asp
Reference: MSKB:Q176794
Reference: URL:http://support.microsoft.com/support/kb/articles/q176/7/94.asp
Reference: OSVDB:7819
Reference: URL:http://www.osvdb.org/7819
Reference: XF:http-ie-spy(587)
Reference: URL:https://exchange.xforce.ibmcloud.com/vulnerabilities/587

Name: CVE-1999-1473

Description:

When a Web site redirects the browser to another site, Internet Explorer 3.02 and 4.0 automatically resends authentication information to the second site, aka the "Page Redirect Issue."

Status:Entry
Reference: MSKB:Q176697
Reference: URL:http://support.microsoft.com/support/kb/articles/q176/6/97.asp
Reference: OSVDB:7818
Reference: URL:http://www.osvdb.org/7818
Reference: XF:ie-page-redirect(7426)
Reference: URL:http://www.iss.net/security_center/static/7426.php

Name: CVE-1999-1474

Description:

PowerPoint 95 and 97 allow remote attackers to cause an application to be run automatically without prompting the user, possibly through the slide show, when the document is opened in browsers such as Internet Explorer.

Status:Candidate
Phase: Proposed (20010912)
Reference: CONFIRM:http://www.microsoft.com/windows/ie/security/powerpoint.asp
Reference: XF:nt-ppt-patch(179)
Reference: URL:https://exchange.xforce.ibmcloud.com/vulnerabilities/179

Votes:
ACCEPT(6)  Armstrong, Cole, Foat, Frech, Stracener, Wall
Voter Comments:
Frech>  Looks like CONFIRM URL is too old for Microsoft to keep
(currently cached at
http://www.google.com/search?q=cache:86loHcRhaL4:www.microsoft.com/ie/security/powerpoint.htm+%22PowerPoint+Browsing+Security+Issue%22&hl=en
). Same information is available at BugTraq at
http://www.securityfocus.com/cgi-bin/archive.pl?id=1&mid=6724

Name: CVE-1999-1475

Description:

ProFTPd 1.2 compiled with the mod_sqlpw module records user passwords in the wtmp log file, which allows local users to obtain the passwords and gain privileges by reading wtmp, e.g. via the last command.

Status:Candidate
Phase: Proposed (20010912)
Reference: BID:812
Reference: URL:http://www.securityfocus.com/bid/812
Reference: BUGTRAQ:19991119 ProFTPd - mod_sqlpw.c
Reference: URL:http://www.securityfocus.com/archive/1/35483

Votes:
MODIFY(1)  Frech
NOOP(3)  Cole, Foat, Wall
Voter Comments:
Frech>  XF:proftpd-modsqlpw-insecure-passwords(8332)

Name: CVE-1999-1476

Description:

A bug in Intel Pentium processor (MMX and Overdrive) allows local users to cause a denial of service (hang) in Intel-based operating systems such as Windows NT and Windows 95, via an invalid instruction, aka the "Invalid Operand with Locked CMPXCHG8B Instruction" problem.

Status:Entry
Reference: MSKB:Q163852
Reference: URL:http://support.microsoft.com/support/kb/articles/q163/8/52.asp
Reference: XF:pentium-crash(704)
Reference: URL:https://exchange.xforce.ibmcloud.com/vulnerabilities/704

Name: CVE-1999-1477

Description:

Buffer overflow in GNOME libraries 1.0.8 allows a local user to gain root access via a long --espeaker argument in programs such as nethack.

Status:Candidate
Phase: Proposed (20010912)
Reference: BID:663
Reference: URL:http://www.securityfocus.com/bid/663
Reference: BUGTRAQ:19990923 Linux GNOME exploit
Reference: URL:http://www.securityfocus.com/archive/1/28717
Reference: XF:gnome-espeaker-local-bo(3349)
Reference: URL:https://exchange.xforce.ibmcloud.com/vulnerabilities/3349

Votes:
ACCEPT(1)  Frech
NOOP(3)  Cole, Foat, Wall
Voter Comments:


Name: CVE-1999-1478

Description:

The Sun HotSpot Performance Engine VM allows a remote attacker to cause a denial of service on any server running HotSpot via a URL that includes the [ character.

Status:Entry
Reference: BID:522
Reference: URL:http://www.securityfocus.com/bid/522
Reference: NTBUGTRAQ:19990706 Bug in SUN's Hotspot VM
Reference: URL:http://marc.info/?l=ntbugtraq&m=93138827429589&w=2
Reference: NTBUGTRAQ:19990716 FW: (Review ID: 85125) Hotspot crashes bringing down webserver
Reference: URL:http://marc.info/?l=ntbugtraq&m=93240220324183&w=2
Reference: XF:sun-hotspot-vm(2348)
Reference: URL:https://exchange.xforce.ibmcloud.com/vulnerabilities/2348

Name: CVE-1999-1479

Description:

The textcounter.pl by Matt Wright allows remote attackers to execute arbitrary commands via shell metacharacters.

Status:Candidate
Phase: Modified (20080304)
Reference: BID:2265
Reference: URL:http://www.securityfocus.com/bid/2265
Reference: BUGTRAQ:19980624 textcounter.pl SECURITY HOLE
Reference: URL:http://www.securityfocus.com/archive/1/9609
Reference: XF:http-cgi-textcounter(2052)
Reference: URL:https://exchange.xforce.ibmcloud.com/vulnerabilities/2052

Votes:
ACCEPT(1)  Frech
NOOP(3)  Cole, Foat, Wall
Voter Comments:


Name: CVE-1999-1480

Description:

(1) acledit and (2) aclput in AIX 4.3 allow local users to create or modify files via a symlink attack.

Status:Candidate
Phase: Proposed (20010912)
Reference: BID:429
Reference: URL:http://www.securityfocus.com/bid/429

Votes:
MODIFY(1)  Frech
NOOP(3)  Cole, Foat, Wall
Voter Comments:
Frech>  XF:aix-acledit-aclput-symlink(7346)
CONFIRM:APAR IX79139

Name: CVE-1999-1481

Description:

Squid 2.2.STABLE5 and below, when using external authentication, allows attackers to bypass access controls via a newline in the user/password pair.

Status:Entry
Reference: BID:741
Reference: URL:http://www.securityfocus.com/bid/741
Reference: BUGTRAQ:19991025 [squid] exploit for external authentication problem
Reference: URL:http://www.securityfocus.com/archive/1/33295
Reference: BUGTRAQ:19991103 [squid]exploit for external authentication problem
Reference: URL:http://www.securityfocus.com/archive/1/33295
Reference: CONFIRM:http://www.squid-cache.org/Versions/v2/2.2/bugs/
Reference: XF:squid-proxy-auth-access(3433)
Reference: URL:https://exchange.xforce.ibmcloud.com/vulnerabilities/3433

Name: CVE-1999-1482

Description:

SVGAlib zgv 3.0-7 and earlier allows local users to gain root access via a privilege leak of the iopl(3) privileges to child processes.

Status:Candidate
Phase: Proposed (20010912)
Reference: BUGTRAQ:19990219 Security hole: "zgv"
Reference: URL:http://www.securityfocus.com/templates/archive.pike?list=1&date=1999-02-15&msg=Pine.LNX.3.96.990219175605.9622A-100000@ferret.lmh.ox.ac.uk

Votes:
MODIFY(1)  Frech
NOOP(3)  Cole, Foat, Wall
Voter Comments:
Frech>  XF:zgv-privilege-leak(1798)

Name: CVE-1999-1483

Description:

Buffer overflow in zgv in svgalib 1.2.10 and earlier allows local users to execute arbitrary code via a long HOME environment variable.

Status:Candidate
Phase: Proposed (20010912)
Reference: BUGTRAQ:19970619 svgalib/zgv
Reference: URL:http://www.securityfocus.com/archive/1/7041

Votes:
MODIFY(1)  Frech
NOOP(2)  Cole, Foat
Voter Comments:
Frech>  XF;linux-svgalib-dos(3412)

Name: CVE-1999-1484

Description:

Buffer overflow in MSN Setup BBS 4.71.0.10 ActiveX control (setupbbs.ocx) allows a remote attacker to execute arbitrary commands via the methods (1) vAddNewsServer or (2) bIsNewsServerConfigured.

Status:Candidate
Phase: Proposed (20010912)
Reference: BID:668
Reference: URL:http://www.securityfocus.com/bid/668
Reference: BUGTRAQ:19990924 Several ActiveX Buffer Overruns
Reference: URL:http://www.securityfocus.com/archive/1/28719
Reference: XF:msn-setup-bbs-activex-bo(3310)
Reference: URL:https://exchange.xforce.ibmcloud.com/vulnerabilities/3310

Votes:
ACCEPT(2)  Cole, Frech
NOOP(2)  Foat, Wall
Voter Comments:


Name: CVE-1999-1485

Description:

nsd in IRIX 6.5 through 6.5.2 exports a virtual filesystem on a UDP port, which allows remote attackers to view files and cause a possible denial of service by mounting the nsd virtual file system.

Status:Candidate
Phase: Modified (20060705)
Reference: BID:412
Reference: URL:http://www.securityfocus.com/bid/412
Reference: BUGTRAQ:19990531 IRIX 6.5 nsd virtual filesystem vulnerability
Reference: URL:http://marc.info/?l=bugtraq&m=92818552106912&w=2
Reference: OSVDB:8564
Reference: URL:http://www.osvdb.org/8564
Reference: XF:sgi-nsd-create(2247)
Reference: URL:https://exchange.xforce.ibmcloud.com/vulnerabilities/2247
Reference: XF:sgi-nsd-view(2246)
Reference: URL:https://exchange.xforce.ibmcloud.com/vulnerabilities/2246

Votes:
ACCEPT(1)  Frech
NOOP(3)  Cole, Foat, Wall
Voter Comments:


Name: CVE-1999-1486

Description:

sadc in IBM AIX 4.1 through 4.3, when called from programs such as timex that are setgid adm, allows local users to overwrite arbitrary files via a symlink attack.

Status:Entry
Reference: AIXAPAR:IX75554
Reference: URL:http://www-1.ibm.com/support/search.wss?rs=0&q=IX75554&apar=only
Reference: AIXAPAR:IX76330
Reference: URL:http://www-1.ibm.com/support/search.wss?rs=0&q=IX76330&apar=only
Reference: AIXAPAR:IX76853
Reference: URL:http://www-1.ibm.com/support/search.wss?rs=0&q=IX76853&apar=only
Reference: BID:408
Reference: URL:http://www.securityfocus.com/bid/408
Reference: CONFIRM:http://techsupport.services.ibm.com/aix/fixes/v4/os/bos.acct.4.3.1.0.info
Reference: XF:aix-sadc-timex(7675)
Reference: URL:https://exchange.xforce.ibmcloud.com/vulnerabilities/7675

Name: CVE-1999-1487

Description:

Vulnerability in digest in AIX 4.3 allows printq users to gain root privileges by creating and/or modifying any file on the system.

Status:Candidate
Phase: Modified (20020218)
Reference: AIXAPAR:IX74599
Reference: URL:http://www-1.ibm.com/servlet/support/manager?rt=0&rs=0&org=apars&doc=41D8B61D1E1C4FAB852567C9002C546C
Reference: BID:405
Reference: URL:http://www.securityfocus.com/bid/405
Reference: XF:aix-digest(7477)
Reference: URL:http://www.iss.net/security_center/static/7477.php

Votes:
ACCEPT(3)  Cole, Foat, Stracener
MODIFY(1)  Frech
Voter Comments:
Frech>  XF:aix-digest(7477)

Name: CVE-1999-1488

Description:

sdrd daemon in IBM SP2 System Data Repository (SDR) allows remote attackers to read files without authentication.

Status:Entry
Reference: BID:371
Reference: URL:http://www.securityfocus.com/bid/371
Reference: CIAC:I-079A
Reference: URL:http://ciac.llnl.gov/ciac/bulletins/i-079a.shtml
Reference: XF:ibm-sdr-read-files(7217)
Reference: URL:http://www.iss.net/security_center/static/7217.php

Name: CVE-1999-1489

Description:

Buffer overflow in TestChip function in XFree86 SuperProbe in Slackware Linux 3.1 allows local users to gain root privileges via a long -nopr argument.

Status:Candidate
Phase: Proposed (20010912)
Reference: BID:364
Reference: URL:http://www.securityfocus.com/bid/364
Reference: BUGTRAQ:19970304 Linux SuperProbe exploit
Reference: URL:http://www.securityfocus.com/archive/1/6384

Votes:
MODIFY(1)  Frech
NOOP(2)  Cole, Foat
Voter Comments:
Frech>  XF:xfree86-superprobe-testchip-bo(7198)

Name: CVE-1999-1490

Description:

xosview 1.5.1 in Red Hat 5.1 allows local users to gain root access via a long HOME environmental variable.

Status:Entry
Reference: BID:362
Reference: URL:http://www.securityfocus.com/bid/362
Reference: BUGTRAQ:19980528 ALERT: Tiresome security hole in "xosview", RedHat5.1?
Reference: URL:http://marc.info/?l=bugtraq&m=90221101926021&w=2
Reference: BUGTRAQ:19980529 Re: Tiresome security hole in "xosview" (xosexp.c)
Reference: URL:http://marc.info/?l=bugtraq&m=90221101926034&w=2
Reference: XF:linux-xosview-bo(8787)
Reference: URL:http://www.iss.net/security_center/static/8787.php

Name: CVE-1999-1491

Description:

abuse.console in Red Hat 2.1 uses relative pathnames to find and execute the undrv program, which allows local users to execute arbitrary commands via a path that points to a Trojan horse program.

Status:Candidate
Phase: Proposed (20010912)
Reference: BID:354
Reference: URL:http://www.securityfocus.com/bid/354
Reference: BUGTRAQ:19960202 abuse Red Hat 2.1 security hole
Reference: URL:http://marc.info/?l=bugtraq&m=87602167418994&w=2

Votes:
ACCEPT(1)  Cole
NOOP(1)  Foat
Voter Comments:


Name: CVE-1999-1492

Description:

Vulnerability in (1) diskperf and (2) diskalign in IRIX 6.4 allows a local attacker to create arbitrary root-owned files, leading to root privileges.

Status:Candidate
Phase: Proposed (20010912)
Reference: BID:348
Reference: URL:http://www.securityfocus.com/bid/348
Reference: SGI:19980502-01-P3030
Reference: URL:ftp://patches.sgi.com/support/free/security/advisories/19980502-01-P3030
Reference: XF:sgi-diskalign(2104)
Reference: URL:https://exchange.xforce.ibmcloud.com/vulnerabilities/2104
Reference: XF:sgi-diskperf(2103)
Reference: URL:https://exchange.xforce.ibmcloud.com/vulnerabilities/2103

Votes:
ACCEPT(4)  Cole, Foat, Frech, Stracener
Voter Comments:


Name: CVE-1999-1493

Description:

Vulnerability in crp in Hewlett Packard Apollo Domain OS SR10 through SR10.3 allows remote attackers to gain root privileges via insecure system calls, (1) pad_$dm_cmd and (2) pad_$def_pfk().

Status:Candidate
Phase: Modified (20020308)
Reference: BID:34
Reference: URL:http://www.securityfocus.com/bid/34
Reference: CERT:CA-1991-23
Reference: URL:http://www.cert.org/advisories/CA-1991-23.html
Reference: XF:apollo-crp-root-access(7158)
Reference: URL:https://exchange.xforce.ibmcloud.com/vulnerabilities/7158

Votes:
ACCEPT(3)  Cole, Foat, Stracener
MODIFY(1)  Frech
NOOP(1)  Wall
Voter Comments:
Frech>  XF:apollo-crp-root-access(7158)

Name: CVE-1999-1494

Description:

colorview in Silicon Graphics IRIX 5.1, 5.2, and 6.0 allows local attackers to read arbitrary files via the -text argument.

Status:Entry
Reference: BID:336
Reference: URL:http://www.securityfocus.com/bid/336
Reference: BUGTRAQ:19940809 Re: IRIX 5.2 Security Advisory
Reference: URL:http://www.securityfocus.com/archive/1/675
Reference: BU